com.entrust.toolkit.util

Class SecureUtils

java.lang.Object

com.entrust.toolkit.util.SecureUtils

public final class SecureUtils
extends java.lang.Object

Contains character array and byte array utilities that are secure.

The utilities in this class clear all temporary data from memory ensuring that only one copy exists at any time. This class is useful for handling sensitive data.

Method Summary

Modifier and Type	Method and Description
static byte[]	append(byte[] ba1, byte[] ba2) Securely appends one byte array to another.
static byte[]	append(byte[] ba1, byte[] ba2, int off, int len) Securely appends a section of one byte array to another.
static char[]	append(char[] ca1, char[] ca2) Securely appends one character array to another.
static char[]	append(char[] ca1, char[] ca2, int off, int len) Securely appends a section of one character array to another.
static byte[]	charToByte(char[] ca) Securely converts a character array to a byte array using the default encoding.
static byte[]	charToByte(char[] ca, int off, int len) Securely converts a section of a character array to a byte array using the default encoding.
static byte[]	charToByte(char[] ca, java.lang.String enc) Securely converts a section of a character array to a byte array using the specified encoding.
static byte[]	charToByte(char[] ca, java.lang.String enc, int off, int len) Securely converts part of a character array to a byte array using the specified encoding.
static java.security.AlgorithmParameters	getAlgorithmParameters(java.lang.String alg) Gets an instance just as AlgoriothmParameters.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static javax.crypto.Cipher	getCipher(java.lang.String transformation) Gets an instance just as Cipher.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static java.security.MessageDigest	getEntrustMessageDigest(java.lang.String alg) Requests an instance of the specified message digest algorithm from the Entrust JCA/JCE cryptographic service provider.
static java.security.Signature	getEntrustSignature(java.lang.String alg) Requests an instance of the specified digital signature algorithm from the Entrust JCA/JCE cryptographic service provider.
static javax.crypto.KeyAgreement	getKeyAgreement(java.lang.String alg) Gets an instance just as KeyAgreement.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static java.security.KeyFactory	getKeyFactory(java.lang.String alg) Gets an instance just as KeyFactory.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static javax.crypto.KeyGenerator	getKeyGenerator(java.lang.String alg) Gets an instance just as KeyGenerator.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static java.security.KeyPairGenerator	getKeyPairGenerator(java.lang.String alg) Gets an instance just as KeyPairGenerator.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static javax.crypto.Mac	getMac(java.lang.String alg) Gets an instance just as Mac.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static java.security.MessageDigest	getMessageDigest(java.lang.String alg) Gets an instance just as MessageDigest.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static javax.crypto.SecretKeyFactory	getSecretKeyFactory(java.lang.String alg) Gets an instance just as SecretKeyFactory.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static java.security.SecureRandom	getSecureRandom(java.lang.String alg) Gets an instance just as SecureRandom.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static java.security.Signature	getSignature(java.lang.String alg) Gets an instance just as Signature.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.
static void	wipe(byte[] ba) Wipes a byte array or clears the memory held by a byte array.
static void	wipe(char[] ca) Wipes a character array or clears the memory held by a character array.
static void	wipe(java.lang.StringBuffer sb) Wipes a StringBuffer or clears the memory held by a StringBuffer.
static void	wipe(java.lang.StringBuilder sb) Wipes a StringBuilder or clears the memory held by a StringBuilder.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

append

public static byte[] append(byte[] ba1,
                            byte[] ba2)

Securely appends one byte array to another.

The byte array specified by ba2 is securely appended to ba1. This is done by creating a new byte array and copying the contents of ba1 into the first part of the new byte array, and the contents of ba2 into the remainder. Upon completion, the method wipes ba1 and ba2 so that only the new array exists in memory.

Parameters:

ba1 - the byte array to which ba2 will be appended

ba2 - the byte array that will be appended to ba1

Returns:

a byte array resulting from appending one byte array to another

append

public static byte[] append(byte[] ba1,
                            byte[] ba2,
                            int off,
                            int len)

Securely appends a section of one byte array to another.

A specified section of the byte array denoted by the argument ba2, is securely appended to ba1. This is done by creating a new byte array and copying the contents of ba1 into the first part of the new byte array, and the specified contents of ba2 into the remainder.

The specified contents of ba2 are the bytes starting at off and extending for len bytes. Upon completion, the method wipes ba1 and ba2 so that only the new array exists in memory.

Parameters:

ba1 - the byte array to which part of ba2 will be appended

ba2 - the byte array that will be appended to ba1

off - the location of the start of the data in ba2 that will be appended to ba1

len - the number of bytes from ba2 to append to ba1

Returns:

a byte array resulting from appending part of one byte array to another

append

public static char[] append(char[] ca1,
                            char[] ca2)

Securely appends one character array to another.

The character array specified by ca2 is securely appended to ca1. This is done by creating a new character array and copying the contents of ca1 into the first part of the new character array and the contents of ca2 into the remainder. Upon completion, the method wipes ca1 and* ca2 so that only the new array exists in memory.

Parameters:

ca1 - the character array to which ca2 will be appended

ca2 - the character array that will be appended to ca1

Returns:

a character array resulting from appending one character array to another

append

public static char[] append(char[] ca1,
                            char[] ca2,
                            int off,
                            int len)

Securely appends a section of one character array to another.

A specified section of the character array denoted by ca2 is securely appended to ca1. This is done by creating a new character array and copying the contents of ca1 into the first part of the new character array, and the specified contents of ca2 into the remainder.

The specified contents of ca2 are the bytes starting at off and extending for len bytes. Upon completion, the method wipes ca1 and ca2 so that only the new array exists in memory.

Parameters:

ca1 - the character array to which part of ca2 will be appended

ca2 - the character array that will be appended to ca1

off - the location of the start of the data in ca2 that will be appended to ca1

len - the number of characters from ca2 to append to ca1

Returns:

a character array resulting from appending part of one character array to another

charToByte

public static byte[] charToByte(char[] ca)

Securely converts a character array to a byte array using the default encoding.

Following this operation all temporary data and the original character array are wiped from memory, so that only the resulting byte array remains.

Character conversion is done using a String to convert each character individually. Although this creates copies of the data in memory, the data from sequential conversions is placed non-sequentially in memory. This technique provides no indication of order and makes it impossible to determine the original character array by examining memory. The use of String interning avoids the creation of duplicate String objects, so there will be just one instance per character in memory.

Parameters:

ca - the character array to convert

Returns:

the byte array representation

charToByte

public static byte[] charToByte(char[] ca,
                                int off,
                                int len)

Securely converts a section of a character array to a byte array using the default encoding.

The section of the character array that is converted by this method begins at off and continues for len bytes. Following this operation, all temporary data and the original character array are wiped from memory, so that only the resulting byte array remains.

Character conversion is done using a String to convert each character individually. Although this creates copies of the data in memory, the data from sequential conversions is placed non-sequentially in memory. This technique provides no indication of order and makes it impossible to determine the original character array by examining memory. The use of String interning avoids the creation of duplicate String objects, so there will be just one instance per character in memory.

Parameters:

ca - the character array to convert

off - the location of the start of the data to be converted in ca

len - the number of bytes to convert in ca

Returns:

the byte array representation

charToByte

public static byte[] charToByte(char[] ca,
                                java.lang.String enc)
                         throws java.io.UnsupportedEncodingException

Securely converts a section of a character array to a byte array using the specified encoding.

Following this operation all temporary data and the original character array are wiped from memory, so that only the resulting byte array remains.

Character conversion is done using a String to convert each character individually. Although this creates copies of the data in memory, the data from sequential conversions is placed non-sequentially in memory. This technique provides no indication of order and makes it impossible to determine the original character array by examining memory. The use of String interning avoids the creation of duplicate String objects, so there will be just one instance per character in memory.

Parameters:

ca - the character array to convert

enc - the character encoding to use for the conversion

Returns:

the byte array representation

Throws:

java.io.UnsupportedEncodingException - thrown if the specified encoding is not supported

charToByte

public static byte[] charToByte(char[] ca,
                                java.lang.String enc,
                                int off,
                                int len)
                         throws java.io.UnsupportedEncodingException

Securely converts part of a character array to a byte array using the specified encoding.

The section of the character array that is converted starts at off and continues for len bytes. Following this operation all temporary data and the original character array are wiped from memory, so that only the resulting byte array remains.

Character conversion is done using a String to convert each character individually. Although this creates copies of the data in memory, the data from sequential conversions is placed non-sequentially in memory. This technique provides no indication of order and makes it impossible to determine the original character array by examining memory. The use of String interning avoids the creation of duplicate String objects, so there will be just one instance per character in memory.

Parameters:

ca - the character array to convert

off - the location of the start of the data to be converted in ca

enc - the character encoding to use for the conversion

Returns:

the byte array representation

Throws:

java.io.UnsupportedEncodingException - thrown if the encoding is not supported

wipe

public static void wipe(byte[] ba)

Wipes a byte array or clears the memory held by a byte array.

This method overwrites the memory with bytes 0x00. The need for this arises from the fact that the Java garbage-collector does not guarantee that memory will be cleared immediately.

Parameters:

ba - the byte array to be wiped

wipe

public static void wipe(char[] ca)

Wipes a character array or clears the memory held by a character array.

This method overwrites the memory held by the character array with character ''. The need for this arises from the fact that the Java garbage-collector does not guarantee that memory will be cleared immediately.

Parameters:

ca - the character array to be wiped

wipe

public static void wipe(java.lang.StringBuffer sb)

Wipes a StringBuffer or clears the memory held by a StringBuffer.

This method overwrites the memory held by a StringBuffer with characters '', and sets the length to zero. The need for this arises from the fact that the Java garbage-collector does not guarantee that the memory will be cleared immediately.

Parameters:

sb - the StringBuffer to be wiped

wipe

public static void wipe(java.lang.StringBuilder sb)

Wipes a StringBuilder or clears the memory held by a StringBuilder.

This method overwrites the memory held by a StringBuilder with characters '', and sets the length to zero. The need for this arises from the fact that the Java garbage-collector does not guarantee that the memory will be cleared immediately.

Parameters:

sb - the StringBuilder to be wiped

getCipher

public static javax.crypto.Cipher getCipher(java.lang.String transformation)
                                     throws java.security.NoSuchAlgorithmException,
                                            javax.crypto.NoSuchPaddingException

Gets an instance just as Cipher.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

transformation - the name of the transformation, e.g., DES/CBC/PKCS5Padding

Returns:

a Cipher that implements the requested transformation

Throws:

java.security.NoSuchAlgorithmException - thrown if a Cipher instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

javax.crypto.NoSuchPaddingException

getMessageDigest

public static java.security.MessageDigest getMessageDigest(java.lang.String alg)
                                                    throws java.security.NoSuchAlgorithmException

Gets an instance just as MessageDigest.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

alg - the name of the algorithm requested

Returns:

a MessageDigest object implementing the specified algorithm

Throws:

java.security.NoSuchAlgorithmException - thrown if a MessageDigest instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

getEntrustMessageDigest

public static java.security.MessageDigest getEntrustMessageDigest(java.lang.String alg)
                                                           throws java.security.NoSuchAlgorithmException

Requests an instance of the specified message digest algorithm from the Entrust JCA/JCE cryptographic service provider.

This API is to be used by code that requires the Entrust provider to be installed; a runtime exception is thrown when the Entrust provider has not been installed.

Parameters:

alg - the name of the algorithm requested

Returns:

a MessageDigest object implementing the specified algorithm

Throws:

java.security.NoSuchAlgorithmException - if the Entrust provider does not support the message digest algorithm

java.lang.SecurityException - if the Entrust provider is not installed

Since:

7.2

getKeyPairGenerator

public static java.security.KeyPairGenerator getKeyPairGenerator(java.lang.String alg)
                                                          throws java.security.NoSuchAlgorithmException

Gets an instance just as KeyPairGenerator.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

alg - the standard string name of the algorithm

Returns:

the new KeyPairGenerator object

Throws:

java.security.NoSuchAlgorithmException - thrown if a KeyPairGenerator instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

getKeyGenerator

public static javax.crypto.KeyGenerator getKeyGenerator(java.lang.String alg)
                                                 throws java.security.NoSuchAlgorithmException

Gets an instance just as KeyGenerator.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

alg - the standard name of the requested key algorithm

Returns:

the new KeyGenerator object

Throws:

java.security.NoSuchAlgorithmException - thrown if a KeyGenerator instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

getSecretKeyFactory

public static javax.crypto.SecretKeyFactory getSecretKeyFactory(java.lang.String alg)
                                                         throws java.security.NoSuchAlgorithmException

Gets an instance just as SecretKeyFactory.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

alg - the standard name of the requested secret-key algorithm

Returns:

a SecretKeyFactory object for the specified secret-key algorithm

Throws:

java.security.NoSuchAlgorithmException - thrown if a SecretKeyFactory instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

getKeyFactory

public static java.security.KeyFactory getKeyFactory(java.lang.String alg)
                                              throws java.security.NoSuchAlgorithmException

Gets an instance just as KeyFactory.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

alg - the name of the requested key algorithm

Returns:

a KeyFactory object for the specified algorithm

Throws:

java.security.NoSuchAlgorithmException - thrown if a KeyFactory instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

getKeyAgreement

public static javax.crypto.KeyAgreement getKeyAgreement(java.lang.String alg)
                                                 throws java.security.NoSuchAlgorithmException

Gets an instance just as KeyAgreement.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

alg - the standard name of the requested key agreement algorithm

Returns:

the new KeyAgreement object

Throws:

java.security.NoSuchAlgorithmException - thrown if a KeyAgreement instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

getSignature

public static java.security.Signature getSignature(java.lang.String alg)
                                            throws java.security.NoSuchAlgorithmException

Gets an instance just as Signature.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

alg - the standard name of the algorithm requested

Returns:

the new Signature object

Throws:

java.security.NoSuchAlgorithmException - thrown if a Signature instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

getEntrustSignature

public static java.security.Signature getEntrustSignature(java.lang.String alg)
                                                   throws java.security.NoSuchAlgorithmException

Requests an instance of the specified digital signature algorithm from the Entrust JCA/JCE cryptographic service provider.

This API is to be used by code that requires the Entrust provider to be installed; a runtime exception is thrown when the Entrust provider has not been installed.

Parameters:

alg - the name of the algorithm requested

Returns:

a Signature object implementing the specified algorithm

Throws:

java.security.NoSuchAlgorithmException - if the Entrust provider does not support the digital signature algorithm

java.lang.SecurityException - if the Entrust provider is not installed

Since:

7.2

getAlgorithmParameters

public static java.security.AlgorithmParameters getAlgorithmParameters(java.lang.String alg)
                                                                throws java.security.NoSuchAlgorithmException

Gets an instance just as AlgoriothmParameters.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

alg - the name of the algorithm requested

Returns:

the new AlgorithmParameters object

Throws:

java.security.NoSuchAlgorithmException - thrown if a AlgorithmParameters instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

getSecureRandom

public static java.security.SecureRandom getSecureRandom(java.lang.String alg)
                                                  throws java.security.NoSuchAlgorithmException

Gets an instance just as SecureRandom.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

alg - the name of the algorithm requested

Returns:

the new SecureRandom object

Throws:

java.security.NoSuchAlgorithmException - thrown if a SecureRandom instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

Since:

7.2

getMac

public static javax.crypto.Mac getMac(java.lang.String alg)
                               throws java.security.NoSuchAlgorithmException

Gets an instance just as Mac.getInstance(String) does, except that it tries the "Entrust" and "IAIK" providers first, and falls through to any other provider only if those attempts fail.

Parameters:

alg - the name of the algorithm requested

Returns:

the new Mac object

Throws:

java.security.NoSuchAlgorithmException - thrown if a Mac instance for the algorithm identifier is not recognized by any of the installed cryptographic providers

Since:

7.2