| author | jjg |
| Mon, 15 Aug 2011 11:48:20 -0700 | |
| changeset 10336 | 0bb1999251f8 |
| parent 9508 | 310b4f6c8e61 |
| child 23582 | d5fa3327ab3a |
| permissions | -rw-r--r-- |
| 2 | 1 |
/* |
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
2 |
* Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. |
| 2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
| 5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
| 2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
| 5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
| 2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
| 5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
| 2 | 24 |
*/ |
25 |
||
26 |
package sun.security.mscapi; |
|
27 |
||
28 |
import java.io.ByteArrayInputStream; |
|
29 |
import java.io.IOException; |
|
30 |
import java.io.InputStream; |
|
31 |
import java.io.OutputStream; |
|
32 |
import java.security.AccessController; |
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
33 |
import java.security.InvalidKeyException; |
| 2 | 34 |
import java.security.KeyStoreSpi; |
35 |
import java.security.KeyStoreException; |
|
36 |
import java.security.UnrecoverableKeyException; |
|
37 |
import java.security.NoSuchAlgorithmException; |
|
38 |
import java.security.SecurityPermission; |
|
39 |
import java.security.cert.X509Certificate; |
|
40 |
import java.security.cert.Certificate; |
|
41 |
import java.security.cert.CertificateException; |
|
42 |
import java.security.cert.CertificateFactory; |
|
43 |
import java.security.interfaces.RSAPrivateCrtKey; |
|
44 |
import java.util.ArrayList; |
|
45 |
import java.util.Collection; |
|
46 |
import java.util.Date; |
|
47 |
import java.util.Enumeration; |
|
48 |
import java.util.Iterator; |
|
49 |
import java.util.UUID; |
|
50 |
||
51 |
import sun.security.action.GetPropertyAction; |
|
52 |
||
53 |
/** |
|
54 |
* Implementation of key store for Windows using the Microsoft Crypto API. |
|
55 |
* |
|
56 |
* @since 1.6 |
|
57 |
*/ |
|
58 |
abstract class KeyStore extends KeyStoreSpi {
|
|
59 |
||
60 |
public static final class MY extends KeyStore {
|
|
61 |
public MY() {
|
|
62 |
super("MY");
|
|
63 |
} |
|
64 |
} |
|
65 |
||
66 |
public static final class ROOT extends KeyStore {
|
|
67 |
public ROOT() {
|
|
68 |
super("ROOT");
|
|
69 |
} |
|
70 |
} |
|
71 |
||
72 |
class KeyEntry |
|
73 |
{
|
|
74 |
private Key privateKey; |
|
75 |
private X509Certificate certChain[]; |
|
76 |
private String alias; |
|
77 |
||
78 |
KeyEntry(Key key, X509Certificate[] chain) {
|
|
79 |
this(null, key, chain); |
|
80 |
} |
|
81 |
||
82 |
KeyEntry(String alias, Key key, X509Certificate[] chain) {
|
|
83 |
this.privateKey = key; |
|
84 |
this.certChain = chain; |
|
85 |
/* |
|
86 |
* The default alias for both entry types is derived from a |
|
87 |
* hash value intrinsic to the first certificate in the chain. |
|
88 |
*/ |
|
89 |
if (alias == null) {
|
|
90 |
this.alias = Integer.toString(chain[0].hashCode()); |
|
91 |
} else {
|
|
92 |
this.alias = alias; |
|
93 |
} |
|
94 |
} |
|
95 |
||
96 |
/** |
|
97 |
* Gets the alias for the keystore entry. |
|
98 |
*/ |
|
99 |
String getAlias() |
|
100 |
{
|
|
101 |
return alias; |
|
102 |
} |
|
103 |
||
104 |
/** |
|
105 |
* Sets the alias for the keystore entry. |
|
106 |
*/ |
|
107 |
void setAlias(String alias) |
|
108 |
{
|
|
109 |
// TODO - set friendly name prop in cert store |
|
110 |
this.alias = alias; |
|
111 |
} |
|
112 |
||
113 |
/** |
|
114 |
* Gets the private key for the keystore entry. |
|
115 |
*/ |
|
116 |
Key getPrivateKey() |
|
117 |
{
|
|
118 |
return privateKey; |
|
119 |
} |
|
120 |
||
121 |
/** |
|
122 |
* Sets the private key for the keystore entry. |
|
123 |
*/ |
|
124 |
void setPrivateKey(RSAPrivateCrtKey key) |
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
125 |
throws InvalidKeyException, KeyStoreException |
| 2 | 126 |
{
|
127 |
byte[] modulusBytes = key.getModulus().toByteArray(); |
|
128 |
||
129 |
// Adjust key length due to sign bit |
|
130 |
int keyBitLength = (modulusBytes[0] == 0) |
|
131 |
? (modulusBytes.length - 1) * 8 |
|
132 |
: modulusBytes.length * 8; |
|
133 |
||
134 |
byte[] keyBlob = generatePrivateKeyBlob( |
|
135 |
keyBitLength, |
|
136 |
modulusBytes, |
|
137 |
key.getPublicExponent().toByteArray(), |
|
138 |
key.getPrivateExponent().toByteArray(), |
|
139 |
key.getPrimeP().toByteArray(), |
|
140 |
key.getPrimeQ().toByteArray(), |
|
141 |
key.getPrimeExponentP().toByteArray(), |
|
142 |
key.getPrimeExponentQ().toByteArray(), |
|
143 |
key.getCrtCoefficient().toByteArray()); |
|
144 |
||
145 |
privateKey = storePrivateKey(keyBlob, |
|
146 |
"{" + UUID.randomUUID().toString() + "}", keyBitLength);
|
|
147 |
} |
|
148 |
||
149 |
/** |
|
150 |
* Gets the certificate chain for the keystore entry. |
|
151 |
*/ |
|
152 |
X509Certificate[] getCertificateChain() |
|
153 |
{
|
|
154 |
return certChain; |
|
155 |
} |
|
156 |
||
157 |
/** |
|
158 |
* Sets the certificate chain for the keystore entry. |
|
159 |
*/ |
|
160 |
void setCertificateChain(X509Certificate[] chain) |
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
161 |
throws CertificateException, KeyStoreException |
| 2 | 162 |
{
|
163 |
for (int i = 0; i < chain.length; i++) {
|
|
164 |
byte[] encoding = chain[i].getEncoded(); |
|
165 |
if (i == 0 && privateKey != null) {
|
|
166 |
storeCertificate(getName(), alias, encoding, |
|
167 |
encoding.length, privateKey.getHCryptProvider(), |
|
168 |
privateKey.getHCryptKey()); |
|
169 |
||
170 |
} else {
|
|
171 |
storeCertificate(getName(), alias, encoding, |
|
172 |
encoding.length, 0L, 0L); // no private key to attach |
|
173 |
} |
|
174 |
} |
|
175 |
certChain = chain; |
|
176 |
} |
|
177 |
}; |
|
178 |
||
179 |
/* |
|
180 |
* An X.509 certificate factory. |
|
181 |
* Used to create an X.509 certificate from its DER-encoding. |
|
182 |
*/ |
|
183 |
private CertificateFactory certificateFactory = null; |
|
184 |
||
185 |
/* |
|
186 |
* Compatibility mode: for applications that assume keystores are |
|
187 |
* stream-based this mode tolerates (but ignores) a non-null stream |
|
188 |
* or password parameter when passed to the load or store methods. |
|
189 |
* The mode is enabled by default. |
|
190 |
*/ |
|
191 |
private static final String KEYSTORE_COMPATIBILITY_MODE_PROP = |
|
192 |
"sun.security.mscapi.keyStoreCompatibilityMode"; |
|
193 |
private final boolean keyStoreCompatibilityMode; |
|
194 |
||
195 |
/* |
|
196 |
* The keystore entries. |
|
197 |
*/ |
|
198 |
private Collection<KeyEntry> entries = new ArrayList<KeyEntry>(); |
|
199 |
||
200 |
/* |
|
201 |
* The keystore name. |
|
202 |
* Case is not significant. |
|
203 |
*/ |
|
204 |
private final String storeName; |
|
205 |
||
206 |
KeyStore(String storeName) {
|
|
207 |
// Get the compatibility mode |
|
208 |
String prop = |
|
209 |
AccessController.doPrivileged( |
|
210 |
new GetPropertyAction(KEYSTORE_COMPATIBILITY_MODE_PROP)); |
|
211 |
||
212 |
if ("false".equalsIgnoreCase(prop)) {
|
|
213 |
keyStoreCompatibilityMode = false; |
|
214 |
} else {
|
|
215 |
keyStoreCompatibilityMode = true; |
|
216 |
} |
|
217 |
||
218 |
this.storeName = storeName; |
|
219 |
} |
|
220 |
||
221 |
/** |
|
222 |
* Returns the key associated with the given alias. |
|
223 |
* <p> |
|
224 |
* A compatibility mode is supported for applications that assume |
|
225 |
* a password must be supplied. It permits (but ignores) a non-null |
|
226 |
* <code>password</code>. The mode is enabled by default. |
|
227 |
* Set the |
|
228 |
* <code>sun.security.mscapi.keyStoreCompatibilityMode</code> |
|
229 |
* system property to <code>false</code> to disable compatibility mode |
|
230 |
* and reject a non-null <code>password</code>. |
|
231 |
* |
|
232 |
* @param alias the alias name |
|
233 |
* @param password the password, which should be <code>null</code> |
|
234 |
* |
|
235 |
* @return the requested key, or null if the given alias does not exist |
|
236 |
* or does not identify a <i>key entry</i>. |
|
237 |
* |
|
238 |
* @exception NoSuchAlgorithmException if the algorithm for recovering the |
|
239 |
* key cannot be found, |
|
240 |
* or if compatibility mode is disabled and <code>password</code> is |
|
241 |
* non-null. |
|
242 |
* @exception UnrecoverableKeyException if the key cannot be recovered. |
|
243 |
*/ |
|
244 |
public java.security.Key engineGetKey(String alias, char[] password) |
|
245 |
throws NoSuchAlgorithmException, UnrecoverableKeyException |
|
246 |
{
|
|
247 |
if (alias == null) {
|
|
248 |
return null; |
|
249 |
} |
|
250 |
||
251 |
if (password != null && !keyStoreCompatibilityMode) {
|
|
252 |
throw new UnrecoverableKeyException("Password must be null");
|
|
253 |
} |
|
254 |
||
255 |
if (engineIsKeyEntry(alias) == false) |
|
256 |
return null; |
|
257 |
||
258 |
for (KeyEntry entry : entries) {
|
|
259 |
if (alias.equals(entry.getAlias())) {
|
|
260 |
return entry.getPrivateKey(); |
|
261 |
} |
|
262 |
} |
|
263 |
||
264 |
return null; |
|
265 |
} |
|
266 |
||
267 |
/** |
|
268 |
* Returns the certificate chain associated with the given alias. |
|
269 |
* |
|
270 |
* @param alias the alias name |
|
271 |
* |
|
272 |
* @return the certificate chain (ordered with the user's certificate first |
|
273 |
* and the root certificate authority last), or null if the given alias |
|
274 |
* does not exist or does not contain a certificate chain (i.e., the given |
|
275 |
* alias identifies either a <i>trusted certificate entry</i> or a |
|
276 |
* <i>key entry</i> without a certificate chain). |
|
277 |
*/ |
|
278 |
public Certificate[] engineGetCertificateChain(String alias) |
|
279 |
{
|
|
280 |
if (alias == null) {
|
|
281 |
return null; |
|
282 |
} |
|
283 |
||
284 |
for (KeyEntry entry : entries) {
|
|
285 |
if (alias.equals(entry.getAlias())) {
|
|
286 |
X509Certificate[] certChain = entry.getCertificateChain(); |
|
287 |
||
288 |
return certChain.clone(); |
|
289 |
} |
|
290 |
} |
|
291 |
||
292 |
return null; |
|
293 |
} |
|
294 |
||
295 |
/** |
|
296 |
* Returns the certificate associated with the given alias. |
|
297 |
* |
|
298 |
* <p>If the given alias name identifies a |
|
299 |
* <i>trusted certificate entry</i>, the certificate associated with that |
|
300 |
* entry is returned. If the given alias name identifies a |
|
301 |
* <i>key entry</i>, the first element of the certificate chain of that |
|
302 |
* entry is returned, or null if that entry does not have a certificate |
|
303 |
* chain. |
|
304 |
* |
|
305 |
* @param alias the alias name |
|
306 |
* |
|
307 |
* @return the certificate, or null if the given alias does not exist or |
|
308 |
* does not contain a certificate. |
|
309 |
*/ |
|
310 |
public Certificate engineGetCertificate(String alias) |
|
311 |
{
|
|
312 |
if (alias == null) {
|
|
313 |
return null; |
|
314 |
} |
|
315 |
||
316 |
for (KeyEntry entry : entries) {
|
|
317 |
if (alias.equals(entry.getAlias())) |
|
318 |
{
|
|
319 |
X509Certificate[] certChain = entry.getCertificateChain(); |
|
320 |
return certChain[0]; |
|
321 |
} |
|
322 |
} |
|
323 |
||
324 |
return null; |
|
325 |
} |
|
326 |
||
327 |
/** |
|
328 |
* Returns the creation date of the entry identified by the given alias. |
|
329 |
* |
|
330 |
* @param alias the alias name |
|
331 |
* |
|
332 |
* @return the creation date of this entry, or null if the given alias does |
|
333 |
* not exist |
|
334 |
*/ |
|
335 |
public Date engineGetCreationDate(String alias) {
|
|
336 |
if (alias == null) {
|
|
337 |
return null; |
|
338 |
} |
|
339 |
return new Date(); |
|
340 |
} |
|
341 |
||
342 |
/** |
|
343 |
* Stores the given private key and associated certificate chain in the |
|
344 |
* keystore. |
|
345 |
* |
|
346 |
* <p>The given java.security.PrivateKey <code>key</code> must |
|
347 |
* be accompanied by a certificate chain certifying the |
|
348 |
* corresponding public key. |
|
349 |
* |
|
350 |
* <p>If the given alias already exists, the keystore information |
|
351 |
* associated with it is overridden by the given key and certificate |
|
352 |
* chain. Otherwise, a new entry is created. |
|
353 |
* |
|
354 |
* <p> |
|
355 |
* A compatibility mode is supported for applications that assume |
|
356 |
* a password must be supplied. It permits (but ignores) a non-null |
|
357 |
* <code>password</code>. The mode is enabled by default. |
|
358 |
* Set the |
|
359 |
* <code>sun.security.mscapi.keyStoreCompatibilityMode</code> |
|
360 |
* system property to <code>false</code> to disable compatibility mode |
|
361 |
* and reject a non-null <code>password</code>. |
|
362 |
* |
|
363 |
* @param alias the alias name |
|
364 |
* @param key the private key to be associated with the alias |
|
365 |
* @param password the password, which should be <code>null</code> |
|
366 |
* @param chain the certificate chain for the corresponding public |
|
367 |
* key (only required if the given key is of type |
|
368 |
* <code>java.security.PrivateKey</code>). |
|
369 |
* |
|
370 |
* @exception KeyStoreException if the given key is not a private key, |
|
371 |
* cannot be protected, or if compatibility mode is disabled and |
|
372 |
* <code>password</code> is non-null, or if this operation fails for |
|
373 |
* some other reason. |
|
374 |
*/ |
|
375 |
public void engineSetKeyEntry(String alias, java.security.Key key, |
|
376 |
char[] password, Certificate[] chain) throws KeyStoreException |
|
377 |
{
|
|
378 |
if (alias == null) {
|
|
379 |
throw new KeyStoreException("alias must not be null");
|
|
380 |
} |
|
381 |
||
382 |
if (password != null && !keyStoreCompatibilityMode) {
|
|
383 |
throw new KeyStoreException("Password must be null");
|
|
384 |
} |
|
385 |
||
386 |
if (key instanceof RSAPrivateCrtKey) {
|
|
387 |
||
388 |
KeyEntry entry = null; |
|
389 |
boolean found = false; |
|
390 |
||
391 |
for (KeyEntry e : entries) {
|
|
392 |
if (alias.equals(e.getAlias())) {
|
|
393 |
found = true; |
|
394 |
entry = e; |
|
395 |
break; |
|
396 |
} |
|
397 |
} |
|
398 |
||
399 |
if (! found) {
|
|
400 |
entry = |
|
401 |
//TODO new KeyEntry(alias, key, (X509Certificate[]) chain); |
|
402 |
new KeyEntry(alias, null, (X509Certificate[]) chain); |
|
403 |
entries.add(entry); |
|
404 |
} |
|
405 |
||
406 |
entry.setAlias(alias); |
|
407 |
||
408 |
try {
|
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
409 |
entry.setPrivateKey((RSAPrivateCrtKey) key); |
| 2 | 410 |
entry.setCertificateChain((X509Certificate[]) chain); |
411 |
||
412 |
} catch (CertificateException ce) {
|
|
413 |
throw new KeyStoreException(ce); |
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
414 |
|
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
415 |
} catch (InvalidKeyException ike) {
|
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
416 |
throw new KeyStoreException(ike); |
| 2 | 417 |
} |
418 |
||
419 |
} else {
|
|
420 |
throw new UnsupportedOperationException( |
|
421 |
"Cannot assign the key to the given alias."); |
|
422 |
} |
|
423 |
} |
|
424 |
||
425 |
/** |
|
426 |
* Assigns the given key (that has already been protected) to the given |
|
427 |
* alias. |
|
428 |
* |
|
429 |
* <p>If the protected key is of type |
|
430 |
* <code>java.security.PrivateKey</code>, it must be accompanied by a |
|
431 |
* certificate chain certifying the corresponding public key. If the |
|
432 |
* underlying keystore implementation is of type <code>jks</code>, |
|
433 |
* <code>key</code> must be encoded as an |
|
434 |
* <code>EncryptedPrivateKeyInfo</code> as defined in the PKCS #8 standard. |
|
435 |
* |
|
436 |
* <p>If the given alias already exists, the keystore information |
|
437 |
* associated with it is overridden by the given key (and possibly |
|
438 |
* certificate chain). |
|
439 |
* |
|
440 |
* @param alias the alias name |
|
441 |
* @param key the key (in protected format) to be associated with the alias |
|
442 |
* @param chain the certificate chain for the corresponding public |
|
443 |
* key (only useful if the protected key is of type |
|
444 |
* <code>java.security.PrivateKey</code>). |
|
445 |
* |
|
446 |
* @exception KeyStoreException if this operation fails. |
|
447 |
*/ |
|
448 |
public void engineSetKeyEntry(String alias, byte[] key, |
|
449 |
Certificate[] chain) |
|
450 |
throws KeyStoreException |
|
451 |
{
|
|
452 |
throw new UnsupportedOperationException( |
|
453 |
"Cannot assign the encoded key to the given alias."); |
|
454 |
} |
|
455 |
||
456 |
/** |
|
457 |
* Assigns the given certificate to the given alias. |
|
458 |
* |
|
459 |
* <p>If the given alias already exists in this keystore and identifies a |
|
460 |
* <i>trusted certificate entry</i>, the certificate associated with it is |
|
461 |
* overridden by the given certificate. |
|
462 |
* |
|
463 |
* @param alias the alias name |
|
464 |
* @param cert the certificate |
|
465 |
* |
|
466 |
* @exception KeyStoreException if the given alias already exists and does |
|
467 |
* not identify a <i>trusted certificate entry</i>, or this operation |
|
468 |
* fails for some other reason. |
|
469 |
*/ |
|
470 |
public void engineSetCertificateEntry(String alias, Certificate cert) |
|
471 |
throws KeyStoreException |
|
472 |
{
|
|
473 |
if (alias == null) {
|
|
474 |
throw new KeyStoreException("alias must not be null");
|
|
475 |
} |
|
476 |
||
477 |
if (cert instanceof X509Certificate) {
|
|
478 |
||
479 |
// TODO - build CryptoAPI chain? |
|
480 |
X509Certificate[] chain = |
|
481 |
new X509Certificate[]{ (X509Certificate) cert };
|
|
482 |
KeyEntry entry = null; |
|
483 |
boolean found = false; |
|
484 |
||
485 |
for (KeyEntry e : entries) {
|
|
486 |
if (alias.equals(e.getAlias())) {
|
|
487 |
found = true; |
|
488 |
entry = e; |
|
489 |
break; |
|
490 |
} |
|
491 |
} |
|
492 |
||
493 |
if (! found) {
|
|
494 |
entry = |
|
495 |
new KeyEntry(alias, null, chain); |
|
496 |
entries.add(entry); |
|
497 |
||
498 |
} |
|
499 |
if (entry.getPrivateKey() == null) { // trusted-cert entry
|
|
500 |
entry.setAlias(alias); |
|
501 |
||
502 |
try {
|
|
503 |
entry.setCertificateChain(chain); |
|
504 |
||
505 |
} catch (CertificateException ce) {
|
|
506 |
throw new KeyStoreException(ce); |
|
507 |
} |
|
508 |
} |
|
509 |
||
510 |
} else {
|
|
511 |
throw new UnsupportedOperationException( |
|
512 |
"Cannot assign the certificate to the given alias."); |
|
513 |
} |
|
514 |
} |
|
515 |
||
516 |
/** |
|
517 |
* Deletes the entry identified by the given alias from this keystore. |
|
518 |
* |
|
519 |
* @param alias the alias name |
|
520 |
* |
|
521 |
* @exception KeyStoreException if the entry cannot be removed. |
|
522 |
*/ |
|
523 |
public void engineDeleteEntry(String alias) |
|
524 |
throws KeyStoreException |
|
525 |
{
|
|
526 |
if (alias == null) {
|
|
527 |
throw new KeyStoreException("alias must not be null");
|
|
528 |
} |
|
529 |
||
530 |
for (KeyEntry entry : entries) {
|
|
531 |
if (alias.equals(entry.getAlias())) {
|
|
532 |
||
533 |
// Get end-entity certificate and remove from system cert store |
|
534 |
X509Certificate[] certChain = entry.getCertificateChain(); |
|
535 |
if (certChain != null) {
|
|
536 |
||
537 |
try {
|
|
538 |
||
539 |
byte[] encoding = certChain[0].getEncoded(); |
|
540 |
removeCertificate(getName(), alias, encoding, |
|
541 |
encoding.length); |
|
542 |
||
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
543 |
} catch (CertificateException e) {
|
| 2 | 544 |
throw new KeyStoreException("Cannot remove entry: " +
|
545 |
e); |
|
546 |
} |
|
547 |
} |
|
548 |
Key privateKey = entry.getPrivateKey(); |
|
549 |
if (privateKey != null) {
|
|
550 |
destroyKeyContainer( |
|
551 |
Key.getContainerName(privateKey.getHCryptProvider())); |
|
552 |
} |
|
553 |
||
554 |
entries.remove(entry); |
|
555 |
break; |
|
556 |
} |
|
557 |
} |
|
558 |
} |
|
559 |
||
560 |
/** |
|
561 |
* Lists all the alias names of this keystore. |
|
562 |
* |
|
563 |
* @return enumeration of the alias names |
|
564 |
*/ |
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
565 |
public Enumeration<String> engineAliases() {
|
| 2 | 566 |
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
567 |
final Iterator<KeyEntry> iter = entries.iterator(); |
| 2 | 568 |
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
569 |
return new Enumeration<String>() |
| 2 | 570 |
{
|
571 |
public boolean hasMoreElements() |
|
572 |
{
|
|
573 |
return iter.hasNext(); |
|
574 |
} |
|
575 |
||
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
576 |
public String nextElement() |
| 2 | 577 |
{
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
578 |
KeyEntry entry = iter.next(); |
| 2 | 579 |
return entry.getAlias(); |
580 |
} |
|
581 |
}; |
|
582 |
} |
|
583 |
||
584 |
/** |
|
585 |
* Checks if the given alias exists in this keystore. |
|
586 |
* |
|
587 |
* @param alias the alias name |
|
588 |
* |
|
589 |
* @return true if the alias exists, false otherwise |
|
590 |
*/ |
|
591 |
public boolean engineContainsAlias(String alias) {
|
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
592 |
for (Enumeration<String> enumerator = engineAliases(); |
| 2 | 593 |
enumerator.hasMoreElements();) |
594 |
{
|
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
595 |
String a = enumerator.nextElement(); |
| 2 | 596 |
|
597 |
if (a.equals(alias)) |
|
598 |
return true; |
|
599 |
} |
|
600 |
return false; |
|
601 |
} |
|
602 |
||
603 |
/** |
|
604 |
* Retrieves the number of entries in this keystore. |
|
605 |
* |
|
606 |
* @return the number of entries in this keystore |
|
607 |
*/ |
|
608 |
public int engineSize() {
|
|
609 |
return entries.size(); |
|
610 |
} |
|
611 |
||
612 |
/** |
|
613 |
* Returns true if the entry identified by the given alias is a |
|
614 |
* <i>key entry</i>, and false otherwise. |
|
615 |
* |
|
616 |
* @return true if the entry identified by the given alias is a |
|
617 |
* <i>key entry</i>, false otherwise. |
|
618 |
*/ |
|
619 |
public boolean engineIsKeyEntry(String alias) {
|
|
620 |
||
621 |
if (alias == null) {
|
|
622 |
return false; |
|
623 |
} |
|
624 |
||
625 |
for (KeyEntry entry : entries) {
|
|
626 |
if (alias.equals(entry.getAlias())) {
|
|
627 |
return entry.getPrivateKey() != null; |
|
628 |
} |
|
629 |
} |
|
630 |
||
631 |
return false; |
|
632 |
} |
|
633 |
||
634 |
/** |
|
635 |
* Returns true if the entry identified by the given alias is a |
|
636 |
* <i>trusted certificate entry</i>, and false otherwise. |
|
637 |
* |
|
638 |
* @return true if the entry identified by the given alias is a |
|
639 |
* <i>trusted certificate entry</i>, false otherwise. |
|
640 |
*/ |
|
641 |
public boolean engineIsCertificateEntry(String alias) |
|
642 |
{
|
|
643 |
for (KeyEntry entry : entries) {
|
|
644 |
if (alias.equals(entry.getAlias())) {
|
|
645 |
return entry.getPrivateKey() == null; |
|
646 |
} |
|
647 |
} |
|
648 |
||
649 |
return false; |
|
650 |
} |
|
651 |
||
652 |
/** |
|
653 |
* Returns the (alias) name of the first keystore entry whose certificate |
|
654 |
* matches the given certificate. |
|
655 |
* |
|
656 |
* <p>This method attempts to match the given certificate with each |
|
657 |
* keystore entry. If the entry being considered |
|
658 |
* is a <i>trusted certificate entry</i>, the given certificate is |
|
659 |
* compared to that entry's certificate. If the entry being considered is |
|
660 |
* a <i>key entry</i>, the given certificate is compared to the first |
|
661 |
* element of that entry's certificate chain (if a chain exists). |
|
662 |
* |
|
663 |
* @param cert the certificate to match with. |
|
664 |
* |
|
665 |
* @return the (alias) name of the first entry with matching certificate, |
|
666 |
* or null if no such entry exists in this keystore. |
|
667 |
*/ |
|
668 |
public String engineGetCertificateAlias(Certificate cert) |
|
669 |
{
|
|
670 |
for (KeyEntry entry : entries) {
|
|
671 |
if (entry.certChain != null && entry.certChain[0].equals(cert)) {
|
|
672 |
return entry.getAlias(); |
|
673 |
} |
|
674 |
} |
|
675 |
||
676 |
return null; |
|
677 |
} |
|
678 |
||
679 |
/** |
|
680 |
* engineStore is currently a no-op. |
|
681 |
* Entries are stored during engineSetEntry. |
|
682 |
* |
|
683 |
* A compatibility mode is supported for applications that assume |
|
684 |
* keystores are stream-based. It permits (but ignores) a non-null |
|
685 |
* <code>stream</code> or <code>password</code>. |
|
686 |
* The mode is enabled by default. |
|
687 |
* Set the |
|
688 |
* <code>sun.security.mscapi.keyStoreCompatibilityMode</code> |
|
689 |
* system property to <code>false</code> to disable compatibility mode |
|
690 |
* and reject a non-null <code>stream</code> or <code>password</code>. |
|
691 |
* |
|
692 |
* @param stream the output stream, which should be <code>null</code> |
|
693 |
* @param password the password, which should be <code>null</code> |
|
694 |
* |
|
695 |
* @exception IOException if compatibility mode is disabled and either |
|
696 |
* parameter is non-null. |
|
697 |
*/ |
|
698 |
public void engineStore(OutputStream stream, char[] password) |
|
699 |
throws IOException, NoSuchAlgorithmException, CertificateException |
|
700 |
{
|
|
701 |
if (stream != null && !keyStoreCompatibilityMode) {
|
|
702 |
throw new IOException("Keystore output stream must be null");
|
|
703 |
} |
|
704 |
||
705 |
if (password != null && !keyStoreCompatibilityMode) {
|
|
706 |
throw new IOException("Keystore password must be null");
|
|
707 |
} |
|
708 |
} |
|
709 |
||
710 |
/** |
|
711 |
* Loads the keystore. |
|
712 |
* |
|
713 |
* A compatibility mode is supported for applications that assume |
|
714 |
* keystores are stream-based. It permits (but ignores) a non-null |
|
715 |
* <code>stream</code> or <code>password</code>. |
|
716 |
* The mode is enabled by default. |
|
717 |
* Set the |
|
718 |
* <code>sun.security.mscapi.keyStoreCompatibilityMode</code> |
|
719 |
* system property to <code>false</code> to disable compatibility mode |
|
720 |
* and reject a non-null <code>stream</code> or <code>password</code>. |
|
721 |
* |
|
722 |
* @param stream the input stream, which should be <code>null</code>. |
|
723 |
* @param password the password, which should be <code>null</code>. |
|
724 |
* |
|
725 |
* @exception IOException if there is an I/O or format problem with the |
|
726 |
* keystore data. Or if compatibility mode is disabled and either |
|
727 |
* parameter is non-null. |
|
728 |
* @exception NoSuchAlgorithmException if the algorithm used to check |
|
729 |
* the integrity of the keystore cannot be found |
|
730 |
* @exception CertificateException if any of the certificates in the |
|
731 |
* keystore could not be loaded |
|
732 |
* @exception SecurityException if the security check for |
|
733 |
* <code>SecurityPermission("authProvider.<i>name</i>")</code> does not
|
|
734 |
* pass, where <i>name</i> is the value returned by |
|
735 |
* this provider's <code>getName</code> method. |
|
736 |
*/ |
|
737 |
public void engineLoad(InputStream stream, char[] password) |
|
738 |
throws IOException, NoSuchAlgorithmException, CertificateException |
|
739 |
{
|
|
740 |
if (stream != null && !keyStoreCompatibilityMode) {
|
|
741 |
throw new IOException("Keystore input stream must be null");
|
|
742 |
} |
|
743 |
||
744 |
if (password != null && !keyStoreCompatibilityMode) {
|
|
745 |
throw new IOException("Keystore password must be null");
|
|
746 |
} |
|
747 |
||
748 |
/* |
|
749 |
* Use the same security check as AuthProvider.login |
|
750 |
*/ |
|
751 |
SecurityManager sm = System.getSecurityManager(); |
|
752 |
if (sm != null) {
|
|
753 |
sm.checkPermission(new SecurityPermission( |
|
754 |
"authProvider.SunMSCAPI")); |
|
755 |
} |
|
756 |
||
757 |
// Clear all key entries |
|
758 |
entries.clear(); |
|
759 |
||
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
760 |
try {
|
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
761 |
|
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
762 |
// Load keys and/or certificate chains |
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
763 |
loadKeysOrCertificateChains(getName(), entries); |
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
764 |
|
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
765 |
} catch (KeyStoreException e) {
|
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
766 |
throw new IOException(e); |
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
767 |
} |
| 2 | 768 |
} |
769 |
||
770 |
/** |
|
771 |
* Generates a certificate chain from the collection of |
|
772 |
* certificates and stores the result into a key entry. |
|
773 |
*/ |
|
774 |
private void generateCertificateChain(String alias, |
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
775 |
Collection<? extends Certificate> certCollection, |
|
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
776 |
Collection<KeyEntry> entries) |
| 2 | 777 |
{
|
778 |
try |
|
779 |
{
|
|
780 |
X509Certificate[] certChain = |
|
781 |
new X509Certificate[certCollection.size()]; |
|
782 |
||
783 |
int i = 0; |
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
784 |
for (Iterator<? extends Certificate> iter = |
|
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
785 |
certCollection.iterator(); iter.hasNext(); i++) |
| 2 | 786 |
{
|
787 |
certChain[i] = (X509Certificate) iter.next(); |
|
788 |
} |
|
789 |
||
790 |
KeyEntry entry = new KeyEntry(alias, null, certChain); |
|
791 |
||
792 |
// Add cert chain |
|
793 |
entries.add(entry); |
|
794 |
} |
|
795 |
catch (Throwable e) |
|
796 |
{
|
|
797 |
// Ignore the exception and skip this entry |
|
798 |
// TODO - throw CertificateException? |
|
799 |
} |
|
800 |
} |
|
801 |
||
802 |
/** |
|
803 |
* Generates RSA key and certificate chain from the private key handle, |
|
804 |
* collection of certificates and stores the result into key entries. |
|
805 |
*/ |
|
806 |
private void generateRSAKeyAndCertificateChain(String alias, |
|
807 |
long hCryptProv, long hCryptKey, int keyLength, |
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
808 |
Collection<? extends Certificate> certCollection, |
|
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
809 |
Collection<KeyEntry> entries) |
| 2 | 810 |
{
|
811 |
try |
|
812 |
{
|
|
813 |
X509Certificate[] certChain = |
|
814 |
new X509Certificate[certCollection.size()]; |
|
815 |
||
816 |
int i = 0; |
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
817 |
for (Iterator<? extends Certificate> iter = |
|
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
818 |
certCollection.iterator(); iter.hasNext(); i++) |
| 2 | 819 |
{
|
820 |
certChain[i] = (X509Certificate) iter.next(); |
|
821 |
} |
|
822 |
||
823 |
KeyEntry entry = new KeyEntry(alias, new RSAPrivateKey(hCryptProv, |
|
824 |
hCryptKey, keyLength), certChain); |
|
825 |
||
826 |
// Add cert chain |
|
827 |
entries.add(entry); |
|
828 |
} |
|
829 |
catch (Throwable e) |
|
830 |
{
|
|
831 |
// Ignore the exception and skip this entry |
|
832 |
// TODO - throw CertificateException? |
|
833 |
} |
|
834 |
} |
|
835 |
||
836 |
/** |
|
837 |
* Generates certificates from byte data and stores into cert collection. |
|
838 |
* |
|
839 |
* @param data Byte data. |
|
840 |
* @param certCollection Collection of certificates. |
|
841 |
*/ |
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
842 |
private void generateCertificate(byte[] data, |
|
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
843 |
Collection<Certificate> certCollection) {
|
| 2 | 844 |
try |
845 |
{
|
|
846 |
ByteArrayInputStream bis = new ByteArrayInputStream(data); |
|
847 |
||
848 |
// Obtain certificate factory |
|
849 |
if (certificateFactory == null) {
|
|
850 |
certificateFactory = CertificateFactory.getInstance("X.509");
|
|
851 |
} |
|
852 |
||
853 |
// Generate certificate |
|
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
854 |
Collection<? extends Certificate> c = |
|
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9508
diff
changeset
|
855 |
certificateFactory.generateCertificates(bis); |
| 2 | 856 |
certCollection.addAll(c); |
857 |
} |
|
858 |
catch (CertificateException e) |
|
859 |
{
|
|
860 |
// Ignore the exception and skip this certificate |
|
861 |
// TODO - throw CertificateException? |
|
862 |
} |
|
863 |
catch (Throwable te) |
|
864 |
{
|
|
865 |
// Ignore the exception and skip this certificate |
|
866 |
// TODO - throw CertificateException? |
|
867 |
} |
|
868 |
} |
|
869 |
||
870 |
/** |
|
871 |
* Returns the name of the keystore. |
|
872 |
*/ |
|
873 |
private String getName() |
|
874 |
{
|
|
875 |
return storeName; |
|
876 |
} |
|
877 |
||
878 |
/** |
|
879 |
* Load keys and/or certificates from keystore into Collection. |
|
880 |
* |
|
881 |
* @param name Name of keystore. |
|
882 |
* @param entries Collection of key/certificate. |
|
883 |
*/ |
|
884 |
private native void loadKeysOrCertificateChains(String name, |
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
885 |
Collection<KeyEntry> entries) throws KeyStoreException; |
| 2 | 886 |
|
887 |
/** |
|
888 |
* Stores a DER-encoded certificate into the certificate store |
|
889 |
* |
|
890 |
* @param name Name of the keystore. |
|
891 |
* @param alias Name of the certificate. |
|
892 |
* @param encoding DER-encoded certificate. |
|
893 |
*/ |
|
894 |
private native void storeCertificate(String name, String alias, |
|
895 |
byte[] encoding, int encodingLength, long hCryptProvider, |
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
896 |
long hCryptKey) throws CertificateException, KeyStoreException; |
| 2 | 897 |
|
898 |
/** |
|
899 |
* Removes the certificate from the certificate store |
|
900 |
* |
|
901 |
* @param name Name of the keystore. |
|
902 |
* @param alias Name of the certificate. |
|
903 |
* @param encoding DER-encoded certificate. |
|
904 |
*/ |
|
905 |
private native void removeCertificate(String name, String alias, |
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
906 |
byte[] encoding, int encodingLength) |
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
907 |
throws CertificateException, KeyStoreException; |
| 2 | 908 |
|
909 |
/** |
|
910 |
* Destroys the key container. |
|
911 |
* |
|
912 |
* @param keyContainerName The name of the key container. |
|
913 |
*/ |
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
914 |
private native void destroyKeyContainer(String keyContainerName) |
|
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
915 |
throws KeyStoreException; |
| 2 | 916 |
|
917 |
/** |
|
918 |
* Generates a private-key BLOB from a key's components. |
|
919 |
*/ |
|
920 |
private native byte[] generatePrivateKeyBlob( |
|
921 |
int keyBitLength, |
|
922 |
byte[] modulus, |
|
923 |
byte[] publicExponent, |
|
924 |
byte[] privateExponent, |
|
925 |
byte[] primeP, |
|
926 |
byte[] primeQ, |
|
927 |
byte[] exponentP, |
|
928 |
byte[] exponentQ, |
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
929 |
byte[] crtCoefficient) throws InvalidKeyException; |
| 2 | 930 |
|
931 |
private native RSAPrivateKey storePrivateKey(byte[] keyBlob, |
|
|
9508
310b4f6c8e61
6732372: Some MSCAPI native methods not returning correct exceptions.
vinnie
parents:
5506
diff
changeset
|
932 |
String keyContainerName, int keySize) throws KeyStoreException; |
| 2 | 933 |
} |