- /*
- * @(#)KeyStore.java 1.42 04/06/28
- *
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
- * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
- */
-
- package java.security;
-
- import java.io.*;
- import java.security.cert.Certificate;
- import java.security.cert.X509Certificate;
- import java.security.cert.CertificateException;
- import java.util.*;
- import javax.crypto.SecretKey;
-
- import javax.security.auth.callback.*;
-
- /**
- * This class represents a storage facility for cryptographic
- * keys and certificates.
- *
- * <p> A <code>KeyStore</code> manages different types of entries.
- * Each type of entry implements the <code>KeyStore.Entry</code> interface.
- * Three basic <code>KeyStore.Entry</code> implementations are provided:
- *
- * <ul>
- * <li><b>KeyStore.PrivateKeyEntry</b>
- * <p> This type of entry holds a cryptographic <code>PrivateKey</code>,
- * which is optionally stored in a protected format to prevent
- * unauthorized access. It is also accompanied by a certificate chain
- * for the corresponding public key.
- *
- * <p> Private keys and certificate chains are used by a given entity for
- * self-authentication. Applications for this authentication include software
- * distribution organizations which sign JAR files as part of releasing
- * and/or licensing software.
- *
- * <li><b>KeyStore.SecretKeyEntry</b>
- * <p> This type of entry holds a cryptographic <code>SecretKey</code>,
- * which is optionally stored in a protected format to prevent
- * unauthorized access.
- *
- * <li><b>KeyStore.TrustedCertificateEntry</b>
- * <p> This type of entry contains a single public key <code>Certificate</code>
- * belonging to another party. It is called a <i>trusted certificate</i>
- * because the keystore owner trusts that the public key in the certificate
- * indeed belongs to the identity identified by the <i>subject</i> (owner)
- * of the certificate.
- *
- * <p>This type of entry can be used to authenticate other parties.
- * </ul>
- *
- * <p> Each entry in a keystore is identified by an "alias" string. In the
- * case of private keys and their associated certificate chains, these strings
- * distinguish among the different ways in which the entity may authenticate
- * itself. For example, the entity may authenticate itself using different
- * certificate authorities, or using different public key algorithms.
- *
- * <p> Whether keystores are persistent, and the mechanisms used by the
- * keystore if it is persistent, are not specified here. This allows
- * use of a variety of techniques for protecting sensitive (e.g., private or
- * secret) keys. Smart cards or other integrated cryptographic engines
- * (SafeKeyper) are one option, and simpler mechanisms such as files may also
- * be used (in a variety of formats).
- *
- * <p> Typical ways to request a KeyStore object include
- * relying on the default type and providing a specific keystore type.
- *
- * <ul>
- * <li>To rely on the default type:
- * <pre>
- * KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
- * </pre>
- * The system will return a keystore implementation for the default type.
- * <p>
- *
- * <li>To provide a specific keystore type:
- * <pre>
- * KeyStore ks = KeyStore.getInstance("JKS");
- * </pre>
- * The system will return the most preferred implementation of the
- * specified keystore type available in the environment. <p>
- * </ul>
- *
- * <p> Before a keystore can be accessed, it must be
- * {@link #load(java.io.InputStream, char[]) loaded}.
- * <pre>
- * KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
- *
- * // get user password and file input stream
- * char[] password = getPassword();
- * java.io.FileInputStream fis =
- * new java.io.FileInputStream("keyStoreName");
- * ks.load(fis, password);
- * fis.close();
- * </pre>
- *
- * To create an empty keystore using the above <code>load</code> method,
- * pass <code>null</code> as the <code>InputStream</code> argument.
- *
- * <p> Once the keystore has been loaded, it is possible
- * to read existing entries from the keystore, or to write new entries
- * into the keystore:
- * <pre>
- * // get my private key
- * KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
- * ks.getEntry("privateKeyAlias", password);
- * PrivateKey myPrivateKey = pkEntry.getPrivateKey();
- *
- * // save my secret key
- * javax.crypto.SecretKey mySecretKey;
- * KeyStore.SecretKeyEntry skEntry =
- * new KeyStore.SecretKeyEntry(mySecretKey);
- * ks.setEntry("secretKeyAlias", skEntry, password);
- *
- * // store away the keystore
- * java.io.FileOutputStream fos =
- * new java.io.FileOutputStream("newKeyStoreName");
- * ks.store(fos, password);
- * fos.close();
- * </pre>
- *
- * Note that although the same password may be used to
- * load the keystore, to protect the private key entry,
- * to protect the secret key entry, and to store the keystore
- * (as is shown in the sample code above),
- * different passwords or other protection parameters
- * may also be used.
- *
- * @author Jan Luehe
- *
- * @version 1.42, 06/28/04
- *
- * @see java.security.PrivateKey
- * @see javax.crypto.SecretKey
- * @see java.security.cert.Certificate
- *
- * @since 1.2
- */
-
- public class KeyStore {
-
- /*
- * Constant to lookup in the Security properties file to determine
- * the default keystore type.
- * In the Security properties file, the default keystore type is given as:
- * <pre>
- * keystore.type=jks
- * </pre>
- */
- private static final String KEYSTORE_TYPE = "keystore.type";
-
- // The keystore type
- private String type;
-
- // The provider
- private Provider provider;
-
- // The provider implementation
- private KeyStoreSpi keyStoreSpi;
-
- // Has this keystore been initialized (loaded)?
- private boolean initialized = false;
-
- /**
- * A marker interface for <code>KeyStore</code>
- * {@link #load(KeyStore.LoadStoreParameter) load}
- * and
- * {@link #store(KeyStore.LoadStoreParameter) store}
- * parameters.
- *
- * @since 1.5
- */
- public static interface LoadStoreParameter {
- /**
- * Gets the parameter used to protect keystore data.
- *
- * @return the parameter used to protect keystore data, or null
- */
- public ProtectionParameter getProtectionParameter();
- }
-
- /**
- * A marker interface for keystore protection parameters.
- *
- * <p> The information stored in a <code>ProtectionParameter</code>
- * object protects the contents of a keystore.
- * For example, protection parameters may be used to check
- * the integrity of keystore data, or to protect the
- * confidentiality of sensitive keystore data
- * (such as a <code>PrivateKey</code>).
- *
- * @since 1.5
- */
- public static interface ProtectionParameter { }
-
- /**
- * A password-based implementation of <code>ProtectionParameter</code>.
- *
- * @since 1.5
- */
- public static class PasswordProtection implements
- ProtectionParameter, javax.security.auth.Destroyable {
-
- private final char[] password;
- private volatile boolean destroyed = false;
-
- /**
- * Creates a password parameter.
- *
- * <p> The specified <code>password</code> is cloned before it is stored
- * in the new <code>PasswordProtection</code> object.
- *
- * @param password the password, which may be <code>null</code>
- */
- public PasswordProtection(char[] password) {
- this.password = (password == null) ?
- null : (char[])password.clone();
- }
-
- /**
- * Gets the password.
- *
- * <p>Note that this method returns a reference to the password.
- * If a clone of the array is created it is the caller's
- * responsibility to zero out the password information
- * after it is no longer needed.
- *
- * @see #destroy()
- * @return the password, which may be <code>null</code>
- * @exception IllegalStateException if the password has
- * been cleared (destroyed)
- */
- public synchronized char[] getPassword() {
- if (destroyed) {
- throw new IllegalStateException("password has been cleared");
- }
- return password;
- }
-
- /**
- * Clears the password.
- *
- * @exception DestroyFailedException if this method was unable
- * to clear the password
- */
- public synchronized void destroy()
- throws javax.security.auth.DestroyFailedException {
- destroyed = true;
- if (password != null) {
- Arrays.fill(password, ' ');
- }
- }
-
- /**
- * Determines if password has been cleared.
- *
- * @return true if the password has been cleared, false otherwise
- */
- public synchronized boolean isDestroyed() {
- return destroyed;
- }
- }
-
- /**
- * A ProtectionParameter encapsulating a CallbackHandler.
- *
- * @since 1.5
- */
- public static class CallbackHandlerProtection
- implements ProtectionParameter {
-
- private final CallbackHandler handler;
-
- /**
- * Constructs a new CallbackHandlerProtection from a
- * CallbackHandler.
- *
- * @param handler the CallbackHandler
- * @exception NullPointerException if handler is null
- */
- public CallbackHandlerProtection(CallbackHandler handler) {
- if (handler == null) {
- throw new NullPointerException("handler must not be null");
- }
- this.handler = handler;
- }
-
- /**
- * Returns the CallbackHandler.
- *
- * @return the CallbackHandler.
- */
- public CallbackHandler getCallbackHandler() {
- return handler;
- }
-
- }
-
- /**
- * A marker interface for <code>KeyStore</code> entry types.
- *
- * @since 1.5
- */
- public static interface Entry { }
-
- /**
- * A <code>KeyStore</code> entry that holds a <code>PrivateKey</code>
- * and corresponding certificate chain.
- *
- * @since 1.5
- */
- public static final class PrivateKeyEntry implements Entry {
-
- private final PrivateKey privKey;
- private final Certificate[] chain;
-
- /**
- * Constructs a <code>PrivateKeyEntry</code> with a
- * <code>PrivateKey</code> and corresponding certificate chain.
- *
- * <p> The specified <code>chain</code> is cloned before it is stored
- * in the new <code>PrivateKeyEntry</code> object.
- *
- * @param privateKey the <code>PrivateKey</code>
- * @param chain an array of <code>Certificate</code>s
- * representing the certificate chain.
- * The chain must be ordered and contain a
- * <code>Certificate</code> at index 0
- * corresponding to the private key.
- *
- * @exception NullPointerException if
- * <code>privateKey</code> or <code>chain</code>
- * is <code>null</code>
- * @exception IllegalArgumentException if the specified chain has a
- * length of 0, if the specified chain does not contain
- * <code>Certificate</code>s of the same type,
- * or if the <code>PrivateKey</code> algorithm
- * does not match the algorithm of the <code>PublicKey</code>
- * in the end entity <code>Certificate</code> (at index 0)
- */
- public PrivateKeyEntry(PrivateKey privateKey, Certificate[] chain) {
- if (privateKey == null || chain == null) {
- throw new NullPointerException("invalid null input");
- }
- if (chain.length == 0) {
- throw new IllegalArgumentException
- ("invalid zero-length input chain");
- }
-
- Certificate[] clonedChain = (Certificate[])chain.clone();
- String certType = clonedChain[0].getType();
- for (int i = 1; i < clonedChain.length; i++) {
- if (!certType.equals(clonedChain[i].getType())) {
- throw new IllegalArgumentException
- ("chain does not contain certificates " +
- "of the same type");
- }
- }
- if (!privateKey.getAlgorithm().equals
- (clonedChain[0].getPublicKey().getAlgorithm())) {
- throw new IllegalArgumentException
- ("private key algorithm does not match " +
- "algorithm of public key in end entity " +
- "certificate (at index 0)");
- }
- this.privKey = privateKey;
-
- if (clonedChain[0] instanceof X509Certificate &&
- !(clonedChain instanceof X509Certificate[])) {
-
- this.chain = new X509Certificate[clonedChain.length];
- System.arraycopy(clonedChain, 0,
- this.chain, 0, clonedChain.length);
- } else {
- this.chain = clonedChain;
- }
- }
-
- /**
- * Gets the <code>PrivateKey</code> from this entry.
- *
- * @return the <code>PrivateKey</code> from this entry
- */
- public PrivateKey getPrivateKey() {
- return privKey;
- }
-
- /**
- * Gets the <code>Certificate</code> chain from this entry.
- *
- * <p> The stored chain is cloned before being returned.
- *
- * @return an array of <code>Certificate</code>s corresponding
- * to the certificate chain for the public key.
- * If the certificates are of type X.509,
- * the runtime type of the returned array is
- * <code>X509Certificate[]</code>.
- */
- public Certificate[] getCertificateChain() {
- return (Certificate[])chain.clone();
- }
-
- /**
- * Gets the end entity <code>Certificate</code>
- * from the certificate chain in this entry.
- *
- * @return the end entity <code>Certificate</code> (at index 0)
- * from the certificate chain in this entry.
- * If the certificate is of type X.509,
- * the runtime type of the returned certificate is
- * <code>X509Certificate</code>.
- */
- public Certificate getCertificate() {
- return chain[0];
- }
-
- /**
- * Returns a string representation of this PrivateKeyEntry.
- * @return a string representation of this PrivateKeyEntry.
- */
- public String toString() {
- StringBuilder sb = new StringBuilder();
- sb.append("Private key entry and certificate chain with "
- + chain.length + " elements:\r\n");
- for (Certificate cert : chain) {
- sb.append(cert);
- sb.append("\r\n");
- }
- return sb.toString();
- }
-
- }
-
- /**
- * A <code>KeyStore</code> entry that holds a <code>SecretKey</code>.
- *
- * @since 1.5
- */
- public static final class SecretKeyEntry implements Entry {
-
- private final SecretKey sKey;
-
- /**
- * Constructs a <code>SecretKeyEntry</code> with a
- * <code>SecretKey</code>.
- *
- * @param secretKey the <code>SecretKey</code>
- *
- * @exception NullPointerException if <code>secretKey</code>
- * is <code>null</code>
- */
- public SecretKeyEntry(SecretKey secretKey) {
- if (secretKey == null) {
- throw new NullPointerException("invalid null input");
- }
- this.sKey = secretKey;
- }
-
- /**
- * Gets the <code>SecretKey</code> from this entry.
- *
- * @return the <code>SecretKey</code> from this entry
- */
- public SecretKey getSecretKey() {
- return sKey;
- }
-
- /**
- * Returns a string representation of this SecretKeyEntry.
- * @return a string representation of this SecretKeyEntry.
- */
- public String toString() {
- return "Secret key entry with algorithm " + sKey.getAlgorithm();
- }
- }
-
- /**
- * A <code>KeyStore</code> entry that holds a trusted
- * <code>Certificate</code>.
- *
- * @since 1.5
- */
- public static final class TrustedCertificateEntry implements Entry {
-
- private final Certificate cert;
-
- /**
- * Constructs a <code>TrustedCertificateEntry</code> with a
- * trusted <code>Certificate</code>.
- *
- * @param trustedCert the trusted <code>Certificate</code>
- *
- * @exception NullPointerException if
- * <code>trustedCert</code> is <code>null</code>
- */
- public TrustedCertificateEntry(Certificate trustedCert) {
- if (trustedCert == null) {
- throw new NullPointerException("invalid null input");
- }
- this.cert = trustedCert;
- }
-
- /**
- * Gets the trusted <code>Certficate</code> from this entry.
- *
- * @return the trusted <code>Certificate</code> from this entry
- */
- public Certificate getTrustedCertificate() {
- return cert;
- }
-
- /**
- * Returns a string representation of this TrustedCertificateEntry.
- * @return a string representation of this TrustedCertificateEntry.
- */
- public String toString() {
- return "Trusted certificate entry:\r\n" + cert.toString();
- }
- }
-
- /**
- * Creates a KeyStore object of the given type, and encapsulates the given
- * provider implementation (SPI object) in it.
- *
- * @param keyStoreSpi the provider implementation.
- * @param provider the provider.
- * @param type the keystore type.
- */
- protected KeyStore(KeyStoreSpi keyStoreSpi, Provider provider, String type)
- {
- this.keyStoreSpi = keyStoreSpi;
- this.provider = provider;
- this.type = type;
- }
-
- /**
- * Generates a keystore object of the given type.
- *
- * <p>If the default provider package provides a keystore implementation
- * of the given type, an instance of <code>KeyStore</code> containing that
- * implementation is returned. If the requested keystore type is not
- * available in the default package, other packages are searched.
- *
- * @param type the type of keystore.
- * See Appendix A in the <a href=
- * "../../../guide/security/CryptoSpec.html#AppA">
- * Java Cryptography Architecture API Specification & Reference </a>
- * for information about standard keystore types.
- *
- * @return a keystore object of the specified type.
- *
- * @exception KeyStoreException if the requested keystore type is
- * not available in the default provider package or any of the other
- * provider packages that were searched.
- */
- public static KeyStore getInstance(String type)
- throws KeyStoreException
- {
- try {
- Object[] objs = Security.getImpl(type, "KeyStore", (String)null);
- return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
- } catch (NoSuchAlgorithmException nsae) {
- throw new KeyStoreException(type + " not found");
- } catch (NoSuchProviderException nspe) {
- throw new KeyStoreException(type + " not found");
- }
- }
-
- /**
- * Generates a keystore object for the specified keystore
- * type from the specified provider.
- *
- * @param type the type of keystore.
- * See Appendix A in the <a href=
- * "../../../guide/security/CryptoSpec.html#AppA">
- * Java Cryptography Architecture API Specification & Reference </a>
- * for information about standard keystore types.
- *
- * @param provider the name of the provider.
- *
- * @return a keystore object of the specified type, as
- * supplied by the specified provider.
- *
- * @exception KeyStoreException if the requested keystore type is not
- * available from the provider.
- *
- * @exception NoSuchProviderException if the provider has not been
- * configured.
- *
- * @exception IllegalArgumentException if the provider name is null
- * or empty.
- *
- * @see Provider
- */
- public static KeyStore getInstance(String type, String provider)
- throws KeyStoreException, NoSuchProviderException
- {
- if (provider == null || provider.length() == 0)
- throw new IllegalArgumentException("missing provider");
- try {
- Object[] objs = Security.getImpl(type, "KeyStore", provider);
- return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
- } catch (NoSuchAlgorithmException nsae) {
- throw new KeyStoreException(type + " not found");
- }
- }
-
- /**
- * Generates a keystore object for the specified keystore
- * type from the specified provider. Note: the <code>provider</code>
- * doesn't have to be registered.
- *
- * @param type the type of keystore.
- * See Appendix A in the <a href=
- * "../../../guide/security/CryptoSpec.html#AppA">
- * Java Cryptography Architecture API Specification & Reference </a>
- * for information about standard keystore types.
- *
- * @param provider the provider.
- *
- * @return a keystore object of the specified type, as
- * supplied by the specified provider.
- *
- * @exception KeyStoreException if the requested keystore type is not
- * available from the provider.
- *
- * @exception IllegalArgumentException if the <code>provider</code> is
- * null.
- *
- * @see Provider
- *
- * @since 1.4
- */
- public static KeyStore getInstance(String type, Provider provider)
- throws KeyStoreException
- {
- if (provider == null)
- throw new IllegalArgumentException("missing provider");
- try {
- Object[] objs = Security.getImpl(type, "KeyStore", provider);
- return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
- } catch (NoSuchAlgorithmException nsae) {
- throw new KeyStoreException(type + " not found");
- }
- }
-
- /**
- * Returns the default keystore type as specified in the Java security
- * properties file, or the string
- * "jks" (acronym for "Java keystore")
- * if no such property exists.
- * The Java security properties file is located in the file named
- * <JAVA_HOME>/lib/security/java.security, where <JAVA_HOME>
- * refers to the directory where the JDK was installed.
- *
- * <p>The default keystore type can be used by applications that do not
- * want to use a hard-coded keystore type when calling one of the
- * <code>getInstance</code> methods, and want to provide a default keystore
- * type in case a user does not specify its own.
- *
- * <p>The default keystore type can be changed by setting the value of the
- * "keystore.type" security property (in the Java security properties
- * file) to the desired keystore type.
- *
- * @return the default keystore type as specified in the
- * Java security properties file, or the string "jks"
- * if no such property exists.
- */
- public final static String getDefaultType() {
- String kstype;
- kstype = (String)AccessController.doPrivileged(new PrivilegedAction() {
- public Object run() {
- return Security.getProperty(KEYSTORE_TYPE);
- }
- });
- if (kstype == null) {
- kstype = "jks";
- }
- return kstype;
- }
-
- /**
- * Returns the provider of this keystore.
- *
- * @return the provider of this keystore.
- */
- public final Provider getProvider()
- {
- return this.provider;
- }
-
- /**
- * Returns the type of this keystore.
- *
- * @return the type of this keystore.
- */
- public final String getType()
- {
- return this.type;
- }
-
- /**
- * Returns the key associated with the given alias, using the given
- * password to recover it. The key must have been associated with
- * the alias by a call to <code>setKeyEntry</code>,
- * or by a call to <code>setEntry</code> with a
- * <code>PrivateKeyEntry</code> or <code>SecretKeyEntry</code>.
- *
- * @param alias the alias name
- * @param password the password for recovering the key
- *
- * @return the requested key, or null if the given alias does not exist
- * or does not identify a key-related entry.
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- * @exception NoSuchAlgorithmException if the algorithm for recovering the
- * key cannot be found
- * @exception UnrecoverableKeyException if the key cannot be recovered
- * (e.g., the given password is wrong).
- */
- public final Key getKey(String alias, char[] password)
- throws KeyStoreException, NoSuchAlgorithmException,
- UnrecoverableKeyException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineGetKey(alias, password);
- }
-
- /**
- * Returns the certificate chain associated with the given alias.
- * The certificate chain must have been associated with the alias
- * by a call to <code>setKeyEntry</code>,
- * or by a call to <code>setEntry</code> with a
- * <code>PrivateKeyEntry</code>.
- *
- * @param alias the alias name
- *
- * @return the certificate chain (ordered with the user's certificate first
- * and the root certificate authority last), or null if the given alias
- * does not exist or does not contain a certificate chain
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- */
- public final Certificate[] getCertificateChain(String alias)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineGetCertificateChain(alias);
- }
-
- /**
- * Returns the certificate associated with the given alias.
- *
- * <p> If the given alias name identifies an entry
- * created by a call to <code>setCertificateEntry</code>,
- * or created by a call to <code>setEntry</code> with a
- * <code>TrustedCertificateEntry</code>,
- * then the trusted certificate contained in that entry is returned.
- *
- * <p> If the given alias name identifies an entry
- * created by a call to <code>setKeyEntry</code>,
- * or created by a call to <code>setEntry</code> with a
- * <code>PrivateKeyEntry</code>,
- * then the first element of the certificate chain in that entry
- * is returned.
- *
- * @param alias the alias name
- *
- * @return the certificate, or null if the given alias does not exist or
- * does not contain a certificate.
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- */
- public final Certificate getCertificate(String alias)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineGetCertificate(alias);
- }
-
- /**
- * Returns the creation date of the entry identified by the given alias.
- *
- * @param alias the alias name
- *
- * @return the creation date of this entry, or null if the given alias does
- * not exist
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- */
- public final Date getCreationDate(String alias)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineGetCreationDate(alias);
- }
-
- /**
- * Assigns the given key to the given alias, protecting it with the given
- * password.
- *
- * <p>If the given key is of type <code>java.security.PrivateKey</code>,
- * it must be accompanied by a certificate chain certifying the
- * corresponding public key.
- *
- * <p>If the given alias already exists, the keystore information
- * associated with it is overridden by the given key (and possibly
- * certificate chain).
- *
- * @param alias the alias name
- * @param key the key to be associated with the alias
- * @param password the password to protect the key
- * @param chain the certificate chain for the corresponding public
- * key (only required if the given key is of type
- * <code>java.security.PrivateKey</code>).
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded), the given key cannot be protected, or this operation fails
- * for some other reason
- */
- public final void setKeyEntry(String alias, Key key, char[] password,
- Certificate[] chain)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- if ((key instanceof PrivateKey) &&
- (chain == null || chain.length == 0)) {
- throw new IllegalArgumentException("Private key must be "
- + "accompanied by certificate "
- + "chain");
- }
- keyStoreSpi.engineSetKeyEntry(alias, key, password, chain);
- }
-
- /**
- * Assigns the given key (that has already been protected) to the given
- * alias.
- *
- * <p>If the protected key is of type
- * <code>java.security.PrivateKey</code>, it must be accompanied by a
- * certificate chain certifying the corresponding public key. If the
- * underlying keystore implementation is of type <code>jks</code>,
- * <code>key</code> must be encoded as an
- * <code>EncryptedPrivateKeyInfo</code> as defined in the PKCS #8 standard.
- *
- * <p>If the given alias already exists, the keystore information
- * associated with it is overridden by the given key (and possibly
- * certificate chain).
- *
- * @param alias the alias name
- * @param key the key (in protected format) to be associated with the alias
- * @param chain the certificate chain for the corresponding public
- * key (only useful if the protected key is of type
- * <code>java.security.PrivateKey</code>).
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded), or if this operation fails for some other reason.
- */
- public final void setKeyEntry(String alias, byte[] key,
- Certificate[] chain)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- keyStoreSpi.engineSetKeyEntry(alias, key, chain);
- }
-
- /**
- * Assigns the given trusted certificate to the given alias.
- *
- * <p> If the given alias identifies an existing entry
- * created by a call to <code>setCertificateEntry</code>,
- * or created by a call to <code>setEntry</code> with a
- * <code>TrustedCertificateEntry</code>,
- * the trusted certificate in the existing entry
- * is overridden by the given certificate.
- *
- * @param alias the alias name
- * @param cert the certificate
- *
- * @exception KeyStoreException if the keystore has not been initialized,
- * or the given alias already exists and does not identify an
- * entry containing a trusted certificate,
- * or this operation fails for some other reason.
- */
- public final void setCertificateEntry(String alias, Certificate cert)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- keyStoreSpi.engineSetCertificateEntry(alias, cert);
- }
-
- /**
- * Deletes the entry identified by the given alias from this keystore.
- *
- * @param alias the alias name
- *
- * @exception KeyStoreException if the keystore has not been initialized,
- * or if the entry cannot be removed.
- */
- public final void deleteEntry(String alias)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- keyStoreSpi.engineDeleteEntry(alias);
- }
-
- /**
- * Lists all the alias names of this keystore.
- *
- * @return enumeration of the alias names
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- */
- public final Enumeration<String> aliases()
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineAliases();
- }
-
- /**
- * Checks if the given alias exists in this keystore.
- *
- * @param alias the alias name
- *
- * @return true if the alias exists, false otherwise
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- */
- public final boolean containsAlias(String alias)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineContainsAlias(alias);
- }
-
- /**
- * Retrieves the number of entries in this keystore.
- *
- * @return the number of entries in this keystore
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- */
- public final int size()
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineSize();
- }
-
- /**
- * Returns true if the entry identified by the given alias
- * was created by a call to <code>setKeyEntry</code>,
- * or created by a call to <code>setEntry</code> with a
- * <code>PrivateKeyEntry</code> or a <code>SecretKeyEntry</code>.
- *
- * @param alias the alias for the keystore entry to be checked
- *
- * @return true if the entry identified by the given alias is a
- * key-related entry, false otherwise.
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- */
- public final boolean isKeyEntry(String alias)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineIsKeyEntry(alias);
- }
-
- /**
- * Returns true if the entry identified by the given alias
- * was created by a call to <code>setCertificateEntry</code>,
- * or created by a call to <code>setEntry</code> with a
- * <code>TrustedCertificateEntry</code>.
- *
- * @param alias the alias for the keystore entry to be checked
- *
- * @return true if the entry identified by the given alias contains a
- * trusted certificate, false otherwise.
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- */
- public final boolean isCertificateEntry(String alias)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineIsCertificateEntry(alias);
- }
-
- /**
- * Returns the (alias) name of the first keystore entry whose certificate
- * matches the given certificate.
- *
- * <p> This method attempts to match the given certificate with each
- * keystore entry. If the entry being considered was
- * created by a call to <code>setCertificateEntry</code>,
- * or created by a call to <code>setEntry</code> with a
- * <code>TrustedCertificateEntry</code>,
- * then the given certificate is compared to that entry's certificate.
- *
- * <p> If the entry being considered was
- * created by a call to <code>setKeyEntry</code>,
- * or created by a call to <code>setEntry</code> with a
- * <code>PrivateKeyEntry</code>,
- * then the given certificate is compared to the first
- * element of that entry's certificate chain.
- *
- * @param cert the certificate to match with.
- *
- * @return the alias name of the first entry with a matching certificate,
- * or null if no such entry exists in this keystore.
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- */
- public final String getCertificateAlias(Certificate cert)
- throws KeyStoreException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineGetCertificateAlias(cert);
- }
-
- /**
- * Stores this keystore to the given output stream, and protects its
- * integrity with the given password.
- *
- * @param stream the output stream to which this keystore is written.
- * @param password the password to generate the keystore integrity check
- *
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- * @exception IOException if there was an I/O problem with data
- * @exception NoSuchAlgorithmException if the appropriate data integrity
- * algorithm could not be found
- * @exception CertificateException if any of the certificates included in
- * the keystore data could not be stored
- */
- public final void store(OutputStream stream, char[] password)
- throws KeyStoreException, IOException, NoSuchAlgorithmException,
- CertificateException
- {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- keyStoreSpi.engineStore(stream, password);
- }
-
- /**
- * Stores this keystore using the given <code>LoadStoreParameter</code>.
- *
- * @param param the <code>LoadStoreParameter</code>
- * that specifies how to store the keystore,
- * which may be <code>null</code>
- *
- * @exception IllegalArgumentException if the given
- * <code>LoadStoreParameter</code>
- * input is not recognized
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded)
- * @exception IOException if there was an I/O problem with data
- * @exception NoSuchAlgorithmException if the appropriate data integrity
- * algorithm could not be found
- * @exception CertificateException if any of the certificates included in
- * the keystore data could not be stored
- *
- * @since 1.5
- */
- public final void store(LoadStoreParameter param)
- throws KeyStoreException, IOException,
- NoSuchAlgorithmException, CertificateException {
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- keyStoreSpi.engineStore(param);
- }
-
- /**
- * Loads this KeyStore from the given input stream.
- *
- * <p>A password may be given to unlock the keystore
- * (e.g. the keystore resides on a hardware token device),
- * or to check the integrity of the keystore data.
- * If a password is not given for integrity checking,
- * then integrity checking is not performed.
- *
- * <p>In order to create an empty keystore, or if the keystore cannot
- * be initialized from a stream, pass <code>null</code>
- * as the <code>stream</code> argument.
- *
- * <p> Note that if this keystore has already been loaded, it is
- * reinitialized and loaded again from the given input stream.
- *
- * @param stream the input stream from which the keystore is loaded,
- * or <code>null</code>
- * @param password the password used to check the integrity of
- * the keystore, the password used to unlock the keystore,
- * or <code>null</code>
- *
- * @exception IOException if there is an I/O or format problem with the
- * keystore data, if a password is required but not given,
- * or if the given password was incorrect
- * @exception NoSuchAlgorithmException if the algorithm used to check
- * the integrity of the keystore cannot be found
- * @exception CertificateException if any of the certificates in the
- * keystore could not be loaded
- */
- public final void load(InputStream stream, char[] password)
- throws IOException, NoSuchAlgorithmException, CertificateException
- {
- keyStoreSpi.engineLoad(stream, password);
- initialized = true;
- }
-
- /**
- * Loads this keystore using the given <code>LoadStoreParameter</code>.
- *
- * <p> Note that if this KeyStore has already been loaded, it is
- * reinitialized and loaded again from the given parameter.
- *
- * @param param the <code>LoadStoreParameter</code>
- * that specifies how to load the keystore,
- * which may be <code>null</code>
- *
- * @exception IllegalArgumentException if the given
- * <code>LoadStoreParameter</code>
- * input is not recognized
- * @exception IOException if there is an I/O or format problem with the
- * keystore data
- * @exception NoSuchAlgorithmException if the algorithm used to check
- * the integrity of the keystore cannot be found
- * @exception CertificateException if any of the certificates in the
- * keystore could not be loaded
- *
- * @since 1.5
- */
- public final void load(LoadStoreParameter param)
- throws IOException, NoSuchAlgorithmException,
- CertificateException {
-
- keyStoreSpi.engineLoad(param);
- initialized = true;
- }
-
- /**
- * Gets a keystore <code>Entry</code> for the specified alias
- * with the specified protection parameter.
- *
- * @param alias get the keystore <code>Entry</code> for this alias
- * @param protParam the <code>ProtectionParameter</code>
- * used to protect the <code>Entry</code>,
- * which may be <code>null</code>
- *
- * @return the keystore <code>Entry</code> for the specified alias,
- * or <code>null</code> if there is no such entry
- *
- * @exception NullPointerException if
- * <code>alias</code> is <code>null</code>
- * @exception NoSuchAlgorithmException if the algorithm for recovering the
- * entry cannot be found
- * @exception UnrecoverableEntryException if the specified
- * <code>protParam</code> were insufficient or invalid
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded).
- * @see #setEntry(String, KeyStore.Entry, KeyStore.ProtectionParameter)
- *
- * @since 1.5
- */
- public final Entry getEntry(String alias, ProtectionParameter protParam)
- throws NoSuchAlgorithmException, UnrecoverableEntryException,
- KeyStoreException {
-
- if (alias == null) {
- throw new NullPointerException("invalid null input");
- }
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineGetEntry(alias, protParam);
- }
-
- /**
- * Saves a keystore <code>Entry</code> under the specified alias.
- * The protection parameter is used to protect the
- * <code>Entry</code>.
- *
- * <p> If an entry already exists for the specified alias,
- * it is overridden.
- *
- * @param alias save the keystore <code>Entry</code> under this alias
- * @param entry the <code>Entry</code> to save
- * @param protParam the <code>ProtectionParameter</code>
- * used to protect the <code>Entry</code>,
- * which may be <code>null</code>
- *
- * @exception NullPointerException if
- * <code>alias</code> or <code>entry</code>
- * is <code>null</code>
- * @exception KeyStoreException if the keystore has not been initialized
- * (loaded), or if this operation fails for some other reason
- *
- * @see #getEntry(String, KeyStore.ProtectionParameter)
- *
- * @since 1.5
- */
- public final void setEntry(String alias, Entry entry,
- ProtectionParameter protParam)
- throws KeyStoreException {
- if (alias == null || entry == null) {
- throw new NullPointerException("invalid null input");
- }
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- keyStoreSpi.engineSetEntry(alias, entry, protParam);
- }
-
- /**
- * Determines if the keystore <code>Entry</code> for the specified
- * <code>alias</code> is an instance or subclass of the specified
- * <code>entryClass</code>.
- *
- * @param alias the alias name
- * @param entryClass the entry class
- *
- * @return true if the keystore <code>Entry</code> for the specified
- * <code>alias</code> is an instance or subclass of the
- * specified <code>entryClass</code>, false otherwise
- *
- * @exception NullPointerException if
- * <code>alias</code> or <code>entryClass</code>
- * is <code>null</code>
- * @exception KeyStoreException if the keystore has not been
- * initialized (loaded)
- *
- * @since 1.5
- */
- public final boolean
- entryInstanceOf(String alias,
- Class<? extends KeyStore.Entry> entryClass)
- throws KeyStoreException
- {
-
- if (alias == null || entryClass == null) {
- throw new NullPointerException("invalid null input");
- }
- if (!initialized) {
- throw new KeyStoreException("Uninitialized keystore");
- }
- return keyStoreSpi.engineEntryInstanceOf(alias, entryClass);
- }
-
- /**
- * A description of a to-be-instantiated KeyStore object.
- *
- * <p>An instance of this class encapsulates the information needed to
- * instantiate and initialize a KeyStore object. That process is
- * triggered when the {@linkplain #getKeyStore} method is called.
- *
- * <p>This makes it possible to decouple configuration from KeyStore
- * object creation and e.g. delay a password prompt until it is
- * needed.
- *
- * @see KeyStore
- * @see javax.net.ssl.KeyStoreBuilderParameters
- * @since 1.5
- */
- public static abstract class Builder {
-
- /**
- * Construct a new Builder.
- */
- protected Builder() {
- // empty
- }
-
- /**
- * Returns the KeyStore described by this object.
- *
- * @exception KeyStoreException if an error occured during the
- * operation, for example if the KeyStore could not be
- * instantiated or loaded
- */
- public abstract KeyStore getKeyStore() throws KeyStoreException;
-
- /**
- * Returns the ProtectionParameters that should be used to obtain
- * the {@link KeyStore.Entry Entry} with the given alias.
- * The <code>getKeyStore</code> method must be invoked before this
- * method may be called.
- *
- * @return the ProtectionParameters that should be used to obtain
- * the {@link KeyStore.Entry Entry} with the given alias.
- * @param alias the alias of the KeyStore entry
- * @throws NullPointerException if alias is null
- * @throws KeyStoreException if an error occured during the
- * operation
- * @throws IllegalStateException if the getKeyStore method has
- * not been invoked prior to calling this method
- */
- public abstract ProtectionParameter getProtectionParameter(String alias)
- throws KeyStoreException;
-
- /**
- * Returns a new Builder that encapsulates the given KeyStore.
- * The {@linkplain #getKeyStore} method of the returned object
- * will return <code>keyStore</code>, the {@linkplain
- * #getProtectionParameter getProtectionParameter()} method will
- * return <code>protectionParameters</code>.
- *
- * <p> This is useful if an existing KeyStore object needs to be
- * used with Builder-based APIs.
- *
- * @return a new Builder object
- * @param keyStore the KeyStore to be encapsulated
- * @param protectionParameter the ProtectionParameter used to
- * protect the KeyStore entries
- * @throws NullPointerException if keyStore or
- * protectionParameters is null
- * @throws IllegalArgumentException if the keyStore has not been
- * initialized
- */
- public static Builder newInstance(final KeyStore keyStore,
- final ProtectionParameter protectionParameter) {
- if ((keyStore == null) || (protectionParameter == null)) {
- throw new NullPointerException();
- }
- if (keyStore.initialized == false) {
- throw new IllegalArgumentException("KeyStore not initialized");
- }
- return new Builder() {
- private volatile boolean getCalled;
-
- public KeyStore getKeyStore() {
- getCalled = true;
- return keyStore;
- }
-
- public ProtectionParameter getProtectionParameter(String alias)
- {
- if (alias == null) {
- throw new NullPointerException();
- }
- if (getCalled == false) {
- throw new IllegalStateException
- ("getKeyStore() must be called first");
- }
- return protectionParameter;
- }
- };
- }
-
- /**
- * Returns a new Builder object.
- *
- * <p>The first call to the {@link #getKeyStore} method on the returned
- * builder will create a KeyStore of type <code>type</code> and call
- * its {@link KeyStore#load load()} method.
- * The <code>inputStream</code> argument is constructed from
- * <code>file</code>.
- * If <code>protection</code> is a
- * <code>PasswordProtection</code>, the password is obtained by
- * calling the <code>getPassword</code> method.
- * Otherwise, if <code>protection</code> is a
- * <code>CallbackHandlerProtection</code>, the password is obtained
- * by invoking the CallbackHandler.
- *
- * <p>Subsequent calls to {@link #getKeyStore} return the same object
- * as the initial call. If the initial call to failed with a
- * KeyStoreException, subsequent calls also throw a
- * KeyStoreException.
- *
- * <p>The KeyStore is instantiated from <code>provider</code> if
- * non-null. Otherwise, all installed providers are searched.
- *
- * <p>Calls to {@link #getProtectionParameter getProtectionParameter()}
- * will return a {@link KeyStore.PasswordProtection PasswordProtection}
- * object encapsulating the password that was used to invoke the
- * <code>load</code> method.
- *
- * <p><em>Note</em> that the {@link #getKeyStore} method is executed
- * within the {@link AccessControlContext} of the code invoking this
- * method.
- *
- * @return a new Builder object
- * @param type the type of KeyStore to be constructed
- * @param provider the provider from which the KeyStore is to
- * be instantiated (or null)
- * @param file the File that contains the KeyStore data
- * @param protection the ProtectionParameter securing the KeyStore data
- * @throws NullPointerException if type, file or protection is null
- * @throws IllegalArgumentException if protection is not an instance
- * of either PasswordProtection or CallbackHandlerProtection; or
- * if file does not exist or does not refer to a normal file
- */
- public static Builder newInstance(String type, Provider provider,
- File file, ProtectionParameter protection) {
- if ((type == null) || (file == null) || (protection == null)) {
- throw new NullPointerException();
- }
- if ((protection instanceof PasswordProtection == false) &&
- (protection instanceof CallbackHandlerProtection == false)) {
- throw new IllegalArgumentException
- ("Protection must be PasswordProtection or " +
- "CallbackHandlerProtection");
- }
- if (file.isFile() == false) {
- throw new IllegalArgumentException
- ("File does not exist or it does not refer " +
- "to a normal file: " + file);
- }
- return new FileBuilder(type, provider, file, protection,
- AccessController.getContext());
- }
-
- private static final class FileBuilder extends Builder {
-
- private final String type;
- private final Provider provider;
- private final File file;
- private ProtectionParameter protection;
- private final AccessControlContext context;
-
- private KeyStore keyStore;
-
- private Throwable oldException;
-
- FileBuilder(String type, Provider provider, File file,
- ProtectionParameter protection,
- AccessControlContext context) {
- this.type = type;
- this.provider = provider;
- this.file = file;
- this.protection = protection;
- this.context = context;
- }
-
- public synchronized KeyStore getKeyStore() throws KeyStoreException
- {
- if (keyStore != null) {
- return keyStore;
- }
- if (oldException != null) {
- throw new KeyStoreException
- ("Previous KeyStore instantiation failed",
- oldException);
- }
- PrivilegedExceptionAction action =
- new PrivilegedExceptionAction() {
- public Object run() throws Exception {
- KeyStore ks;
- if (provider == null) {
- ks = KeyStore.getInstance(type);
- } else {
- ks = KeyStore.getInstance(type, provider);
- }
- InputStream in = null;
- char[] password = null;
- try {
- in = new FileInputStream(file);
- if (protection instanceof PasswordProtection) {
- password =
- ((PasswordProtection)protection).getPassword();
- } else {
- CallbackHandler handler =
- ((CallbackHandlerProtection)protection)
- .getCallbackHandler();
- PasswordCallback callback = new PasswordCallback
- ("Password for keystore " + file.getName(),
- false);
- handler.handle(new Callback[] {callback});
- password = callback.getPassword();
- if (password == null) {
- throw new KeyStoreException("No password" +
- " provided");
- }
- callback.clearPassword();
- protection = new PasswordProtection(password);
- }
- ks.load(in, password);
- return ks;
- } finally {
- if (in != null) {
- in.close();
- }
- }
- }
- };
- try {
- keyStore = (KeyStore)AccessController.doPrivileged
- (action, context);
- return keyStore;
- } catch (PrivilegedActionException e) {
- oldException = e.getCause();
- throw new KeyStoreException
- ("KeyStore instantiation failed", oldException);
- }
- }
-
- public synchronized ProtectionParameter
- getProtectionParameter(String alias) {
- if (alias == null) {
- throw new NullPointerException();
- }
- if (keyStore == null) {
- throw new IllegalStateException
- ("getKeyStore() must be called first");
- }
- return protection;
- }
- }
-
- /**
- * Returns a new Builder object.
- *
- * <p>Each call to the {@link #getKeyStore} method on the returned
- * builder will return a new KeyStore object of type <code>type</code>.
- * Its {@link KeyStore#load(KeyStore.LoadStoreParameter) load()}
- * method is invoked using a
- * <code>LoadStoreParameter</code> that encapsulates
- * <code>protection</code>.
- *
- * <p>The KeyStore is instantiated from <code>provider</code> if
- * non-null. Otherwise, all installed providers are searched.
- *
- * <p>Calls to {@link #getProtectionParameter getProtectionParameter()}
- * will return <code>protection</code>.
- *
- * <p><em>Note</em> that the {@link #getKeyStore} method is executed
- * within the {@link AccessControlContext} of the code invoking this
- * method.
- *
- * @return a new Builder object
- * @param type the type of KeyStore to be constructed
- * @param provider the provider from which the KeyStore is to
- * be instantiated (or null)
- * @param protection the ProtectionParameter securing the Keystore
- * @throws NullPointerException if type or protection is null
- */
- public static Builder newInstance(final String type,
- final Provider provider, final ProtectionParameter protection) {
- if ((type == null) || (protection == null)) {
- throw new NullPointerException();
- }
- final AccessControlContext context = AccessController.getContext();
- return new Builder() {
- private volatile boolean getCalled;
-
- private final PrivilegedExceptionAction action
- = new PrivilegedExceptionAction() {
-
- public Object run() throws Exception {
- KeyStore ks;
- if (provider == null) {
- ks = KeyStore.getInstance(type);
- } else {
- ks = KeyStore.getInstance(type, provider);
- }
- ks.load(new SimpleLoadStoreParameter(protection));
- getCalled = true;
- return ks;
- }
- };
-
- public synchronized KeyStore getKeyStore()
- throws KeyStoreException {
- try {
- return (KeyStore)AccessController.doPrivileged(action);
- } catch (PrivilegedActionException e) {
- Throwable cause = e.getCause();
- throw new KeyStoreException
- ("KeyStore instantiation failed", cause);
- }
- }
-
- public ProtectionParameter getProtectionParameter(String alias)
- {
- if (alias == null) {
- throw new NullPointerException();
- }
- if (getCalled == false) {
- throw new IllegalStateException
- ("getKeyStore() must be called first");
- }
- return protection;
- }
- };
- }
-
- }
-
- static class SimpleLoadStoreParameter implements LoadStoreParameter {
-
- private final ProtectionParameter protection;
-
- SimpleLoadStoreParameter(ProtectionParameter protection) {
- this.protection = protection;
- }
-
- public ProtectionParameter getProtectionParameter() {
- return protection;
- }
- }
-
- }
-