1. /*

  2.  * @(#)KeyStoreLoginModule.java	1.13 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package com.sun.security.auth.module;

  9. 

  10. import javax.security.auth.x500.X500Principal;

  11. import java.io.File;

  12. import java.io.IOException;

  13. import java.io.InputStream;

  14. import java.io.PushbackInputStream;

  15. import java.net.MalformedURLException;

  16. import java.net.URL;

  17. import java.security.GeneralSecurityException;

  18. import java.security.Key;

  19. import java.security.KeyStore;

  20. import java.security.KeyStoreException;

  21. import java.security.NoSuchAlgorithmException;

  22. import java.security.NoSuchProviderException;

  23. import java.security.Principal;

  24. import java.security.PrivateKey;

  25. import java.security.UnrecoverableKeyException;

  26. import java.security.cert.*;

  27. import java.security.cert.X509Certificate;

  28. import java.util.Arrays;

  29. import java.util.Iterator;

  30. import java.util.LinkedList;

  31. import java.util.Map;

  32. import java.util.ResourceBundle;

  33. import javax.security.auth.Destroyable;

  34. import javax.security.auth.DestroyFailedException;

  35. import javax.security.auth.Subject;

  36. import javax.security.auth.x500.*;

  37. import javax.security.auth.Subject;

  38. import javax.security.auth.x500.*;

  39. import javax.security.auth.callback.Callback;

  40. import javax.security.auth.callback.CallbackHandler;

  41. import javax.security.auth.callback.ConfirmationCallback;

  42. import javax.security.auth.callback.NameCallback;

  43. import javax.security.auth.callback.PasswordCallback;

  44. import javax.security.auth.callback.TextOutputCallback;

  45. import javax.security.auth.callback.UnsupportedCallbackException;

  46. import javax.security.auth.login.FailedLoginException;

  47. import javax.security.auth.login.LoginException;

  48. import javax.security.auth.spi.LoginModule;

  49. 

  50. import sun.security.util.AuthResources;

  51. 

  52. /**

  53.  * Provides a JAAS login module that prompts for a key store alias and

  54.  * populates the subject with the alias's principal and credentials. Stores

  55.  * an <code>X500Principal</code> for the subject distinguished name of the 

  56.  * first certificate in the alias's credentials in the subject's principals,

  57.  * the alias's certificate path in the subject's public credentials, and a

  58.  * <code>X500PrivateCredential</code> whose certificate is the first

  59.  * certificate in the alias's certificate path and whose private key is the

  60.  * alias's private key in the subject's private credentials. <p>

  61.  *

  62.  * Recognizes the following options in the JAAS authentication policy file:

  63.  * <dl>

  64.  *

  65.  * <dt> <code>keyStoreURL</code> </dt>

  66.  * <dd> A URL that specifies the location of the key store file.  Defaults to

  67.  *	the .keystore file in the directory specified by the

  68.  *	<code>java.home</code> system property. </dd>

  69.  *

  70.  * <dt> <code>keyStoreType</code> </dt>

  71.  * <dd> The key store type.  If not specified, defaults to the result of

  72.  *      calling <code>KeyStore.getDefaultType()</code>. </dd>

  73.  *

  74.  * <dt> <code>keyStoreProvider</code> </dt>

  75.  * <dd> The key store provider.  If not specified, uses the standard search

  76.  *      order to find the provider. </dd>

  77.  *

  78.  * <dt> <code>keyStoreAlias</code> </dt>

  79.  * <dd> The alias in the key store to login as.  Required when no callback

  80.  *	handler is provided.  No default value. </dd>

  81.  *

  82.  * <dt> <code>keyStorePasswordURL</code> </dt>

  83.  * <dd> A URL that specifies the location of the key store password.  Required

  84.  *	when no callback handler is provided.  No default value. </dd>

  85.  *

  86.  * <dt> <code>privateKeyPasswordURL</code> </dt>

  87.  * <dd> A URL that specifies the location of the specific private key password

  88.  *	needed to access the private key for this alias.  

  89.  *      The keystore password

  90.  *	is used if this value is not specified. </dd>

  91.  * </dl>

  92.  */

  93. public class KeyStoreLoginModule implements LoginModule {

  94. 

  95.    static final java.util.ResourceBundle rb =

  96.         java.util.ResourceBundle.getBundle("sun.security.util.AuthResources");

  97. 

  98.     /* -- Fields -- */

  99. 

  100.     private static final int UNINITIALIZED = 0;

  101.     private static final int INITIALIZED = 1;

  102.     private static final int AUTHENTICATED = 2;

  103.     private static final int LOGGED_IN = 3;

  104. 

  105.     private Subject subject;

  106.     private CallbackHandler callbackHandler;

  107.     private Map sharedState;

  108.     private Map options;

  109. 

  110.     private char[] keyStorePassword;

  111.     private char[] privateKeyPassword;

  112. 

  113.     private String keyStoreURL;

  114.     private String keyStoreType;

  115.     private String keyStoreProvider;

  116.     private String keyStoreAlias;

  117.     private String keyStorePasswordURL;

  118.     private String privateKeyPasswordURL;

  119.     private boolean debug;

  120.     private javax.security.auth.x500.X500Principal principal;

  121.     private Certificate[] fromKeyStore;

  122.     private java.security.cert.CertPath certP = null;

  123.     private X500PrivateCredential privateCredential;

  124.     private int status = UNINITIALIZED;

  125. 

  126.     /* -- Methods -- */

  127.   

  128.     /**

  129.      * Initialize this <code>LoginModule</code>.

  130.      *

  131.      * <p>

  132.      *

  133.      * @param subject the <code>Subject</code> to be authenticated. <p>

  134.      *

  135.      * @param callbackHandler a <code>CallbackHandler</code> for communicating

  136.      *			with the end user (prompting for usernames and

  137.      *			passwords, for example). <p>

  138.      *

  139.      * @param sharedState shared <code>LoginModule</code> state. <p>

  140.      *

  141.      * @param options options specified in the login

  142.      *			<code>Configuration</code> for this particular

  143.      *			<code>LoginModule</code>.

  144.      */

  145. 

  146.     public void initialize(Subject subject,

  147. 			   CallbackHandler callbackHandler,

  148. 			   Map sharedState,

  149. 			   Map options)

  150.     {

  151.  	this.subject = subject;

  152. 	this.callbackHandler = callbackHandler;

  153. 	this.sharedState = sharedState;

  154. 	this.options = options;

  155. 

  156. 	processOptions();

  157. 	status = INITIALIZED;

  158.     }

  159. 

  160.     private void processOptions() {

  161. 	keyStoreURL = (String) options.get("keyStoreURL");

  162. 	if (keyStoreURL == null) {

  163. 	    keyStoreURL =

  164. 		"file:" +

  165. 		System.getProperty("user.home").replace(

  166. 		    File.separatorChar, '/') +

  167. 		'/' + ".keystore";

  168. 	}

  169. 	keyStoreType = (String) options.get("keyStoreType");

  170. 	if (keyStoreType == null) {

  171. 	    keyStoreType = KeyStore.getDefaultType();

  172. 	}

  173. 

  174. 	keyStoreProvider = (String) options.get("keyStoreProvider");

  175. 

  176. 	keyStoreAlias = (String) options.get("keyStoreAlias");

  177. 

  178. 	keyStorePasswordURL = (String) options.get("keyStorePasswordURL");

  179. 

  180. 	privateKeyPasswordURL = (String) options.get("privateKeyPasswordURL");

  181. 

  182. 	debug = "true".equalsIgnoreCase((String) options.get("debug"));

  183. 	if (debug)

  184. 	    debugPrint("keyStoreURL=" + keyStoreURL +

  185. 		   " keyStoreAlias=" + keyStoreAlias +

  186. 		   " keyStorePasswordURL=" + keyStorePasswordURL +

  187. 		   " privateKeyPasswordURL=" + privateKeyPasswordURL);

  188. 	

  189.     }

  190.     

  191.     /**

  192.      * Authenticate the user .

  193.      *

  194.      * <p> Prompt the user for the Keystore alias and the password. Retrieve

  195.      * the alias's principal and credentials from the Keystore.

  196.      *

  197.      * <p>

  198.      *

  199.      * @exception FailedLoginException if the authentication fails. <p>

  200.      *

  201.      * @return true in all cases (this <code>LoginModule</code>

  202.      *		should not be ignored).

  203.      */

  204. 

  205.     public boolean login() throws LoginException {

  206. 	switch (status) {

  207. 	case UNINITIALIZED:

  208. 	default:

  209. 	    throw new LoginException("The login module is not initialized");

  210. 	case INITIALIZED:

  211. 	case AUTHENTICATED:

  212. 	    getAliasAndPassword();

  213. 	    getKeyStoreInfo();

  214. 	    status = AUTHENTICATED;

  215. 	    return true;

  216. 	case LOGGED_IN:

  217. 	    return true;

  218. 	}

  219.     }

  220. 

  221.     /** Get the alias and passwords to use for looking up in the KeyStore. */

  222.     private void getAliasAndPassword() throws LoginException {

  223. 	if (callbackHandler == null) {

  224. 

  225. 	    /*

  226. 	     * No callback handler.  Check for alias and password files

  227. 	     * specified in the options.

  228. 	     */

  229. 	    if (keyStoreAlias == null) {

  230. 		throw new LoginException(

  231. 		    "Need to specify an alias option to use " +

  232. 		    "KeyStoreLoginModule non-interactively.");

  233. 	    }

  234. 	    if (keyStorePasswordURL == null) {

  235. 		throw new LoginException(

  236. 		    "Need to specify passwordFile option to use " +

  237. 		    "KeyStoreLoginModule non-interactively.");

  238. 	    }

  239. 	    try {

  240. 		InputStream in = new URL(keyStorePasswordURL).openStream();

  241. 		keyStorePassword = readPassword(in);

  242. 		in.close();

  243. 	    } catch (IOException e) {

  244. 		throw new LoginException(

  245. 		    "Problem accessing keystore password \"" +

  246. 		    keyStorePasswordURL + "\": " + e);

  247. 	    }

  248. 

  249. 	    if (privateKeyPasswordURL == null) {

  250. 		privateKeyPassword = keyStorePassword;

  251. 	    } else {

  252. 		try {

  253. 		    InputStream in =

  254. 			new URL(privateKeyPasswordURL).openStream();

  255. 		    privateKeyPassword = readPassword(in);

  256. 		    in.close();

  257. 		} catch (IOException e) {

  258. 		    throw new LoginException(

  259. 			"Problem accessing private key password \"" +

  260. 			privateKeyPasswordURL + "\": " + e);

  261. 		}

  262. 	    }

  263. 

  264. 

  265. 	} else {

  266. 	    TextOutputCallback bannerCallback =

  267. 		new TextOutputCallback(

  268. 		    TextOutputCallback.INFORMATION,

  269. 		    rb.getString("Please login to keystore"));

  270. 

  271. 	    NameCallback aliasCallback;

  272. 	    if (keyStoreAlias == null || keyStoreAlias.length() == 0) {

  273. 		aliasCallback = new NameCallback(

  274. 				        rb.getString("Keystore alias: "));

  275. 	    } else {

  276. 		aliasCallback =

  277. 		    new NameCallback(rb.getString("Keystore alias: "), 

  278. 				     keyStoreAlias);

  279. 	    }

  280. 	    PasswordCallback keyStorePasswordCallback =

  281. 		new PasswordCallback(rb.getString("Keystore password: "),

  282. 						 false);

  283. 

  284. 	    PasswordCallback privateKeyPasswordCallback =

  285. 		new PasswordCallback(

  286. 		    rb.getString("Private key password (optional): "), false);

  287. 

  288. 	    ConfirmationCallback confirmationCallback =

  289. 		new ConfirmationCallback(

  290. 		    ConfirmationCallback.INFORMATION,

  291. 		    ConfirmationCallback.OK_CANCEL_OPTION,

  292. 		    ConfirmationCallback.OK);

  293. 

  294. 	    try {

  295. 		callbackHandler.handle(

  296. 		    new Callback[] {

  297. 			bannerCallback, aliasCallback,

  298. 			keyStorePasswordCallback, privateKeyPasswordCallback,

  299. 		        confirmationCallback

  300. 		    });

  301. 	    } catch (IOException e) {

  302. 		throw new LoginException(

  303. 		    "Exception while getting keystore alias and password: " +

  304. 		    e);

  305. 	    } catch (UnsupportedCallbackException e) {

  306. 		throw new LoginException(

  307. 		    "Error: " + e.getCallback().toString() +

  308. 		    " is not available to retrieve authentication " +

  309. 		    " information from the user");

  310. 	    }

  311. 

  312. 	    int confirmationResult = confirmationCallback.getSelectedIndex();

  313. 

  314. 	    if (confirmationResult == ConfirmationCallback.CANCEL) {

  315. 		throw new LoginException("Login cancelled");

  316. 	    }

  317. 

  318. 	    keyStoreAlias = aliasCallback.getName();

  319. 

  320. 	    char[] tmpPassword = keyStorePasswordCallback.getPassword();

  321. 	    if (tmpPassword == null) {

  322. 		/* Treat a NULL password as an empty password */

  323. 		tmpPassword = new char[0];

  324. 	    }

  325. 	    keyStorePassword = new char[tmpPassword.length];

  326. 	    System.arraycopy(tmpPassword, 0,

  327. 			     keyStorePassword, 0, tmpPassword.length);

  328. 	    keyStorePasswordCallback.clearPassword();

  329. 

  330. 	    tmpPassword = privateKeyPasswordCallback.getPassword();

  331. 	    if (tmpPassword == null

  332. 		|| tmpPassword.length == 0)

  333. 	    {

  334. 		/*

  335. 		 * Use keystore password if no private key password is

  336. 		 * specified.

  337. 		 */

  338. 		privateKeyPassword = keyStorePassword;

  339. 	    } else {

  340. 		privateKeyPassword = new char[tmpPassword.length];

  341. 		System.arraycopy(tmpPassword, 0,

  342. 				 privateKeyPassword, 0, tmpPassword.length);

  343. 		for (int i=0; i <tmpPassword.length ; i++)

  344. 		    tmpPassword[0] = ' ';

  345. 		tmpPassword=null;

  346. 		privateKeyPasswordCallback.clearPassword();

  347. 	    }

  348. 	    if (debug)

  349. 		debugPrint("alias=" + keyStoreAlias);

  350. 	}

  351.     }

  352. 

  353.     /** Get the credentials from the KeyStore. */

  354.     private void getKeyStoreInfo() throws LoginException {

  355. 

  356. 	/* Get KeyStore instance */

  357. 	KeyStore keyStore;

  358. 	try {

  359. 	    if (keyStoreProvider == null) {

  360. 		keyStore = KeyStore.getInstance(keyStoreType);

  361. 	    } else {

  362. 		keyStore =

  363. 		    KeyStore.getInstance(keyStoreType, keyStoreProvider);

  364. 	    }

  365. 	} catch (KeyStoreException e) {

  366. 	    throw new LoginException(

  367. 		"The specified keystore type was not available: " + e);

  368. 	} catch (NoSuchProviderException e) {

  369. 	    throw new LoginException(

  370. 		"The specified keystore provider was not available: " + e);

  371. 	}

  372. 

  373. 	/* Load KeyStore contents from file */

  374. 	try {

  375. 	    InputStream in = new URL(keyStoreURL).openStream();

  376. 	    keyStore.load(in, keyStorePassword);

  377. 	    in.close();

  378. 	} catch (MalformedURLException e) {

  379. 	    throw new LoginException("Incorrect keyStoreURL option: " + e);

  380. 	} catch (GeneralSecurityException e) {

  381. 	    throw new LoginException("Error initializing keystore: " + e);

  382. 	} catch (IOException e) {

  383. 	    throw new LoginException("Error initializing keystore: " + e);

  384. 	}

  385. 

  386. 	/* Get certificate chain and create a certificate path */

  387. 	try {

  388. 	    fromKeyStore =

  389. 		keyStore.getCertificateChain(keyStoreAlias);

  390. 	    if (fromKeyStore == null

  391. 		|| fromKeyStore.length == 0

  392. 		|| !(fromKeyStore[0] instanceof X509Certificate))

  393. 	    {

  394. 		throw new FailedLoginException(

  395. 		    "Unable to find X.509 certificate chain in keystore");

  396. 	    } else {

  397. 		LinkedList certList = new LinkedList();

  398. 		for (int i=0; i < fromKeyStore.length; i++) {

  399. 		    certList.add(fromKeyStore[i]);

  400. 		}

  401. 		CertificateFactory certF= 

  402. 		    CertificateFactory.getInstance("X.509");

  403. 		certP = 

  404. 		    certF.generateCertPath(certList);	

  405. 	    }

  406. 	} catch (KeyStoreException e) {

  407. 	    throw new LoginException("Error using keystore: " + e);

  408. 	} catch (CertificateException ce) {

  409. 	    throw new LoginException("Error: X.509 Certificate type unavailable: " + ce);

  410. 	}

  411. 

  412. 	/* Get principal and keys */

  413. 	try {

  414. 	    X509Certificate certificate = (X509Certificate)fromKeyStore[0];

  415. 	    principal = new javax.security.auth.x500.X500Principal

  416. 		(certificate.getSubjectDN().getName());

  417. 	    Key privateKey =

  418. 		keyStore.getKey(keyStoreAlias, privateKeyPassword);

  419. 	    if (privateKey == null

  420. 		|| !(privateKey instanceof PrivateKey))

  421. 	    {

  422. 		throw new FailedLoginException(

  423. 		    "Unable to recover key from keystore");

  424. 	    }

  425. 

  426. 	    privateCredential = new X500PrivateCredential(

  427. 		certificate, (PrivateKey) privateKey, keyStoreAlias);

  428. 	} catch (KeyStoreException e) {

  429. 	    throw new LoginException("Error using keystore: " + e);

  430. 	} catch (NoSuchAlgorithmException e) {

  431. 	    throw new LoginException("Error using keystore: " + e);

  432. 	} catch (UnrecoverableKeyException e) {

  433. 	    throw new FailedLoginException(

  434. 					   "Unable to recover key from " +

  435. 					   "keystore: " + e);

  436. 	}

  437. 	if (debug) {

  438. 	    debugPrint("principal=" + principal +

  439. 		       "\n certificate="

  440. 		       + privateCredential.getCertificate() +

  441. 		       "\n alias =" + privateCredential.getAlias());

  442. 	}

  443.     }

  444. 

  445.     /**

  446.      * Abstract method to commit the authentication process (phase 2).

  447.      *

  448.      * <p> This method is called if the LoginContext's

  449.      * overall authentication succeeded

  450.      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules

  451.      * succeeded).

  452.      *

  453.      * <p> If this LoginModule's own authentication attempt

  454.      * succeeded (checked by retrieving the private state saved by the

  455.      * <code>login</code> method), then this method associates a

  456.      * <code>X500Principal</code> for the subject distinguished name of the 

  457.      * first certificate in the alias's credentials in the subject's

  458.      * principals,the alias's certificate path in the subject's public 

  459.      * credentials, and a<code>X500PrivateCredential</code> whose certificate

  460.      * is the first  certificate in the alias's certificate path and whose

  461.      * private key is the alias's private key in the subject's private

  462.      * credentials.  If this LoginModule's own

  463.      * authentication attempted failed, then this method removes

  464.      * any state that was originally saved.

  465.      *

  466.      * <p>

  467.      *

  468.      * @exception LoginException if the commit fails

  469.      *

  470.      * @return true if this LoginModule's own login and commit

  471.      *		attempts succeeded, or false otherwise.

  472.      */

  473. 

  474.     public boolean commit() throws LoginException {

  475. 	switch (status) {

  476. 	case UNINITIALIZED:

  477. 	default:

  478. 	    throw new LoginException("The login module is not initialized");

  479. 	case INITIALIZED:

  480. 	    logoutInternal();

  481. 	    throw new LoginException("Authentication failed");

  482. 	case AUTHENTICATED:

  483. 	    if (commitInternal()) {

  484. 		return true;

  485. 	    } else {

  486. 		logoutInternal();

  487. 		throw new LoginException("Unable to retrieve certificates");

  488. 	    }

  489. 	case LOGGED_IN:

  490. 	    return true;

  491. 	}

  492.     }

  493. 

  494.     private boolean commitInternal() throws LoginException {

  495. 	/* If the subject is not readonly add to the principal and credentials

  496. 	 * set; otherwise just return true

  497. 	 */

  498. 	if (subject.isReadOnly()) {

  499. 	    throw new LoginException ("Subject is set readonly");

  500. 	} else {

  501. 	    subject.getPrincipals().add(principal);

  502. 	    subject.getPublicCredentials().add(certP);

  503. 	    subject.getPrivateCredentials().add(privateCredential);

  504. 	    status = LOGGED_IN;

  505. 	    return true;

  506. 	}

  507.     }

  508. 

  509.     /**

  510.      * <p> This method is called if the LoginContext's

  511.      * overall authentication failed.

  512.      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules

  513.      * did not succeed).

  514.      *

  515.      * <p> If this LoginModule's own authentication attempt

  516.      * succeeded (checked by retrieving the private state saved by the

  517.      * <code>login</code> and <code>commit</code> methods),

  518.      * then this method cleans up any state that was originally saved.

  519.      *

  520.      * <p>

  521.      *

  522.      * @exception LoginException if the abort fails.

  523.      *

  524.      * @return false if this LoginModule's own login and/or commit attempts

  525.      *		failed, and true otherwise.

  526.      */

  527. 	

  528.     public boolean abort() throws LoginException {

  529. 	switch (status) {

  530. 	case UNINITIALIZED:

  531. 	default:

  532. 	    return false;

  533. 	case INITIALIZED:

  534. 	    return false;

  535. 	case AUTHENTICATED:

  536. 	    logoutInternal();

  537. 	    return true;

  538. 	case LOGGED_IN:

  539. 	    logoutInternal();

  540. 	    return true;

  541. 	}

  542.     }

  543.     /**

  544.      * Logout a user.

  545.      *

  546.      * <p> This method removes the Principals, public credentials and the

  547.      * private credentials that were added by the <code>commit</code> method.

  548.      *

  549.      * <p>

  550.      *

  551.      * @exception LoginException if the logout fails.

  552.      *

  553.      * @return true in all cases since this <code>LoginModule</code>

  554.      *		should not be ignored.

  555.      */

  556. 

  557.     public boolean logout() throws LoginException {

  558. 	if (debug)

  559. 	    debugPrint("Entering logout " + status);

  560. 	switch (status) {

  561. 	case UNINITIALIZED:

  562. 	    throw new LoginException

  563. 		("The login module is not initialized");

  564. 	case INITIALIZED:

  565. 	case AUTHENTICATED:

  566. 	default:

  567. 	   // impossible for LoginModule to be in AUTHENTICATED 

  568. 	   // state

  569. 	   // assert status != AUTHENTICATED;

  570. 	    return false;

  571. 	case LOGGED_IN:

  572. 	    logoutInternal();

  573. 	    return true;

  574. 	}

  575.     }

  576. 

  577.     private void logoutInternal() throws LoginException {

  578. 	if (debug)

  579. 	    debugPrint("Entering logoutInternal");

  580. 	Arrays.fill(keyStorePassword, '\0');

  581. 	keyStorePassword = null;

  582. 	Arrays.fill(privateKeyPassword, '\0');

  583. 	privateKeyPassword = null;

  584. 	if (subject.isReadOnly()) {

  585. 	    // attempt to destroy the private credential

  586. 	    // even if the Subject is read-only

  587. 	    principal = null;

  588. 	    certP = null;

  589. 	    status = INITIALIZED;

  590. 	    // destroy the private credential

  591. 	    Iterator it = subject.getPrivateCredentials().iterator();

  592. 	    while (it.hasNext()) {

  593. 		Object obj = it.next();

  594. 		if (privateCredential.equals(obj)) {

  595. 		    privateCredential = null;

  596. 		    try {

  597. 			((Destroyable)obj).destroy();

  598. 			if (debug)

  599. 			    debugPrint("Destroyed private credential, " +

  600. 				       obj.getClass().getName());

  601. 			break;

  602. 		    } catch (DestroyFailedException dfe) {

  603. 			throw new LoginException

  604. 			    ("Unable to destroy private credential, " 

  605. 			     + obj.getClass().getName()

  606. 			     + ": " + dfe.getMessage());

  607. 		    }

  608. 		}

  609. 	    }

  610. 	    

  611. 	    // throw an exception because we can not remove

  612. 	    // the principal and public credential from this

  613. 	    // read-only Subject

  614. 	    throw new LoginException

  615. 		("Unable to remove Principal (" 

  616. 		 + "X500Principal "

  617. 		 + ") and public credential (certificatepath) "

  618. 		 + "from read-only Subject");

  619. 	}

  620. 	if (principal != null) {

  621. 	    subject.getPrincipals().remove(principal);

  622. 	    principal = null;

  623. 	}

  624. 	if (certP != null) {

  625. 	    subject.getPublicCredentials().remove(certP);

  626. 	    certP = null;

  627. 	}

  628. 	if (privateCredential != null) {

  629. 	    subject.getPrivateCredentials().remove(privateCredential);

  630. 	    privateCredential = null;

  631. 	}

  632. 	status = INITIALIZED;

  633.     }

  634. 

  635.     /** Reads user password from given input stream. */

  636.     private char[] readPassword(InputStream in) throws IOException {

  637. 	char[] lineBuffer;

  638. 	char[] buf;

  639. 	int i;

  640. 

  641. 	buf = lineBuffer = new char[128];

  642. 

  643. 	int room = buf.length;

  644. 	int offset = 0;

  645. 	int c;

  646. 

  647. 	boolean done = false;

  648. 	while (!done) {

  649. 	    switch (c = in.read()) {

  650. 	      case -1: 

  651. 	      case '\n':

  652. 		  done = true;

  653. 		  break;

  654. 

  655. 	      case '\r':

  656. 		int c2 = in.read();

  657. 		if ((c2 != '\n') && (c2 != -1)) {

  658. 		    if (!(in instanceof PushbackInputStream)) {

  659. 			in = new PushbackInputStream(in);

  660. 		    }

  661. 		    ((PushbackInputStream)in).unread(c2);

  662. 		} else {

  663. 		    done = true;

  664. 		    break;

  665. 		}

  666. 

  667. 	      default:

  668. 		if (--room < 0) {

  669. 		    buf = new char[offset + 128];

  670. 		    room = buf.length - offset - 1;

  671. 		    System.arraycopy(lineBuffer, 0, buf, 0, offset);

  672. 		    Arrays.fill(lineBuffer, ' ');

  673. 		    lineBuffer = buf;

  674. 		}

  675. 		buf[offset++] = (char) c;

  676. 		break;

  677. 	    }

  678. 	}

  679. 

  680. 	if (offset == 0) {

  681. 	    return null;

  682. 	}

  683. 

  684. 	char[] ret = new char[offset];

  685. 	System.arraycopy(buf, 0, ret, 0, offset);

  686. 	Arrays.fill(buf, ' ');

  687. 

  688. 	return ret;

  689.     }

  690. 

  691.     private void debugPrint(String message) {

  692. 	// we should switch to logging API

  693. 	    System.err.println("Debug KeyStoreLoginModule: " + message);

  694.     }

  695. }