jenkins.security

Class HMACConfidentialKey

java.lang.Object

jenkins.security.ConfidentialKey

jenkins.security.HMACConfidentialKey

public class HMACConfidentialKey
extends ConfidentialKey

ConfidentialKey that's used for creating a token by hashing some information with secret (such as hash(msg|secret)).

This provides more secure version of it by using HMAC. See http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/ for background. This implementation also never leaks the secret value to outside, so it makes it impossible for the careless caller to misuse the key (thus protecting ourselves from our own stupidity!)

Since:

1.498

Author:

Kohsuke Kawaguchi

Constructor Summary

Constructors

Constructor and Description
HMACConfidentialKey(Class owner, String shortName)
HMACConfidentialKey(Class owner, String shortName, int length) Calls into HMACConfidentialKey(String, int) by combining the class name and the shortName as the ID.
HMACConfidentialKey(String id) Calls into HMACConfidentialKey(String, int) with the longest possible HMAC length.
HMACConfidentialKey(String id, int length)

Method Summary

Modifier and Type	Method and Description
boolean	checkMac(byte[] message, byte[] mac) Convenience method for verifying the MAC code.
boolean	checkMac(String message, String mac) Verifies MAC constructed from mac(String)
Mac	createMac() Creates a new Mac object.
byte[]	mac(byte[] message) Computes the message authentication code for the specified byte sequence.
String	mac(String message) Computes the message authentication code and return it as a string.

Methods inherited from class jenkins.security.ConfidentialKey

getId, load, store

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HMACConfidentialKey

public HMACConfidentialKey(String id,
                           int length)

Parameters:

length - Byte length of the HMAC code. By default we use HMAC-SHA256, which produces 256bit (=32bytes) HMAC, but if different use cases requires a shorter HMAC, specify the desired length here. Note that when using mac(String), string encoding causes the length to double. So if you want to get 16-letter HMAC, you specify 8 here.

HMACConfidentialKey

public HMACConfidentialKey(String id)

Calls into HMACConfidentialKey(String, int) with the longest possible HMAC length.

HMACConfidentialKey

public HMACConfidentialKey(Class owner,
                           String shortName,
                           int length)

Calls into HMACConfidentialKey(String, int) by combining the class name and the shortName as the ID.

HMACConfidentialKey

public HMACConfidentialKey(Class owner,
                           String shortName)

Method Detail

mac

public byte[] mac(byte[] message)

Computes the message authentication code for the specified byte sequence.

checkMac

public boolean checkMac(byte[] message,
                        byte[] mac)

Convenience method for verifying the MAC code.

mac

public String mac(String message)

Computes the message authentication code and return it as a string. While redundant, often convenient.

checkMac

public boolean checkMac(String message,
                        String mac)

Verifies MAC constructed from mac(String)

createMac

public Mac createMac()

Creates a new Mac object.