author | vinnie |
Mon, 15 Feb 2016 15:57:58 +0000 | |
changeset 35958 | 31866c4c84d3 |
parent 32634 | 614f8e5859aa |
child 40276 | 2217f830ca7b |
permissions | -rw-r--r-- |
2 | 1 |
/* |
35958
31866c4c84d3
8149411: PKCS12KeyStore cannot extract AES Secret Keys
vinnie
parents:
32634
diff
changeset
|
2 |
* Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.pkcs12; |
|
27 |
||
28 |
import java.io.*; |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
29 |
import java.security.AccessController; |
2 | 30 |
import java.security.MessageDigest; |
31 |
import java.security.NoSuchAlgorithmException; |
|
32 |
import java.security.Key; |
|
15298 | 33 |
import java.security.KeyFactory; |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
34 |
import java.security.KeyStore; |
15298 | 35 |
import java.security.KeyStoreSpi; |
36 |
import java.security.KeyStoreException; |
|
37 |
import java.security.PKCS12Attribute; |
|
2 | 38 |
import java.security.PrivateKey; |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
39 |
import java.security.PrivilegedAction; |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
40 |
import java.security.UnrecoverableEntryException; |
2 | 41 |
import java.security.UnrecoverableKeyException; |
15298 | 42 |
import java.security.SecureRandom; |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
43 |
import java.security.Security; |
2 | 44 |
import java.security.cert.Certificate; |
45 |
import java.security.cert.CertificateFactory; |
|
46 |
import java.security.cert.X509Certificate; |
|
47 |
import java.security.cert.CertificateException; |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
48 |
import java.security.spec.AlgorithmParameterSpec; |
15298 | 49 |
import java.security.spec.KeySpec; |
2 | 50 |
import java.security.spec.PKCS8EncodedKeySpec; |
51 |
import java.util.*; |
|
52 |
||
53 |
import java.security.AlgorithmParameters; |
|
32634
614f8e5859aa
8134232: KeyStore.load() throws an IOException with a wrong cause in case of wrong password
asmotrak
parents:
31695
diff
changeset
|
54 |
import java.security.InvalidAlgorithmParameterException; |
614f8e5859aa
8134232: KeyStore.load() throws an IOException with a wrong cause in case of wrong password
asmotrak
parents:
31695
diff
changeset
|
55 |
import java.security.InvalidKeyException; |
2 | 56 |
import javax.crypto.spec.PBEParameterSpec; |
57 |
import javax.crypto.spec.PBEKeySpec; |
|
15298 | 58 |
import javax.crypto.spec.SecretKeySpec; |
2 | 59 |
import javax.crypto.SecretKeyFactory; |
60 |
import javax.crypto.SecretKey; |
|
61 |
import javax.crypto.Cipher; |
|
62 |
import javax.crypto.Mac; |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
63 |
import javax.security.auth.DestroyFailedException; |
2 | 64 |
import javax.security.auth.x500.X500Principal; |
65 |
||
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
66 |
import sun.security.util.Debug; |
2 | 67 |
import sun.security.util.DerInputStream; |
68 |
import sun.security.util.DerOutputStream; |
|
69 |
import sun.security.util.DerValue; |
|
70 |
import sun.security.util.ObjectIdentifier; |
|
71 |
import sun.security.pkcs.ContentInfo; |
|
72 |
import sun.security.x509.AlgorithmId; |
|
73 |
import sun.security.pkcs.EncryptedPrivateKeyInfo; |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
74 |
import sun.security.provider.JavaKeyStore.JKS; |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
75 |
import sun.security.util.KeyStoreDelegator; |
2 | 76 |
|
77 |
||
78 |
/** |
|
79 |
* This class provides the keystore implementation referred to as "PKCS12". |
|
80 |
* Implements the PKCS#12 PFX protected using the Password privacy mode. |
|
81 |
* The contents are protected using Password integrity mode. |
|
82 |
* |
|
83 |
* Currently we support following PBE algorithms: |
|
84 |
* - pbeWithSHAAnd3KeyTripleDESCBC to encrypt private keys |
|
85 |
* - pbeWithSHAAnd40BitRC2CBC to encrypt certificates |
|
86 |
* |
|
87 |
* Supported encryption of various implementations : |
|
88 |
* |
|
89 |
* Software and mode. Certificate encryption Private key encryption |
|
90 |
* --------------------------------------------------------------------- |
|
91 |
* MSIE4 (domestic 40 bit RC2. 40 bit RC2 |
|
92 |
* and xport versions) |
|
93 |
* PKCS#12 export. |
|
94 |
* |
|
95 |
* MSIE4, 5 (domestic 40 bit RC2, 40 bit RC2, |
|
96 |
* and export versions) 3 key triple DES 3 key triple DES |
|
97 |
* PKCS#12 import. |
|
98 |
* |
|
99 |
* MSIE5 40 bit RC2 3 key triple DES, |
|
100 |
* PKCS#12 export. with SHA1 (168 bits) |
|
101 |
* |
|
102 |
* Netscape Communicator 40 bit RC2 3 key triple DES, |
|
103 |
* (domestic and export with SHA1 (168 bits) |
|
104 |
* versions) PKCS#12 export |
|
105 |
* |
|
106 |
* Netscape Communicator 40 bit ciphers only All. |
|
107 |
* (export version) |
|
108 |
* PKCS#12 import. |
|
109 |
* |
|
110 |
* Netscape Communicator All. All. |
|
111 |
* (domestic or fortified |
|
112 |
* version) PKCS#12 import. |
|
113 |
* |
|
114 |
* OpenSSL PKCS#12 code. All. All. |
|
115 |
* --------------------------------------------------------------------- |
|
116 |
* |
|
15298 | 117 |
* NOTE: PKCS12 KeyStore supports PrivateKeyEntry and TrustedCertficateEntry. |
2 | 118 |
* PKCS#12 is mainly used to deliver private keys with their associated |
119 |
* certificate chain and aliases. In a PKCS12 keystore, entries are |
|
120 |
* identified by the alias, and a localKeyId is required to match the |
|
15298 | 121 |
* private key with the certificate. Trusted certificate entries are identified |
122 |
* by the presence of an trustedKeyUsage attribute. |
|
2 | 123 |
* |
124 |
* @author Seema Malkani |
|
125 |
* @author Jeff Nisewanger |
|
126 |
* @author Jan Luehe |
|
127 |
* |
|
128 |
* @see KeyProtector |
|
129 |
* @see java.security.KeyStoreSpi |
|
130 |
* @see KeyTool |
|
131 |
* |
|
132 |
* |
|
133 |
*/ |
|
134 |
public final class PKCS12KeyStore extends KeyStoreSpi { |
|
135 |
||
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
136 |
// special PKCS12 keystore that supports PKCS12 and JKS file formats |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
137 |
public static final class DualFormatPKCS12 extends KeyStoreDelegator { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
138 |
public DualFormatPKCS12() { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
139 |
super("PKCS12", PKCS12KeyStore.class, "JKS", JKS.class); |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
140 |
} |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
141 |
} |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
142 |
|
2 | 143 |
public static final int VERSION_3 = 3; |
144 |
||
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
145 |
private static final String[] KEY_PROTECTION_ALGORITHM = { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
146 |
"keystore.pkcs12.keyProtectionAlgorithm", |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
147 |
"keystore.PKCS12.keyProtectionAlgorithm" |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
148 |
}; |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
149 |
|
15308
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
150 |
// friendlyName, localKeyId, trustedKeyUsage |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
151 |
private static final String[] CORE_ATTRIBUTES = { |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
152 |
"1.2.840.113549.1.9.20", |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
153 |
"1.2.840.113549.1.9.21", |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
154 |
"2.16.840.1.113894.746875.1.1" |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
155 |
}; |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
156 |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
157 |
private static final Debug debug = Debug.getInstance("pkcs12"); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
158 |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
159 |
private static final int[] keyBag = {1, 2, 840, 113549, 1, 12, 10, 1, 2}; |
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
160 |
private static final int[] certBag = {1, 2, 840, 113549, 1, 12, 10, 1, 3}; |
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
161 |
private static final int[] secretBag = {1, 2, 840, 113549, 1, 12, 10, 1, 5}; |
2 | 162 |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
163 |
private static final int[] pkcs9Name = {1, 2, 840, 113549, 1, 9, 20}; |
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
164 |
private static final int[] pkcs9KeyId = {1, 2, 840, 113549, 1, 9, 21}; |
2 | 165 |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
166 |
private static final int[] pkcs9certType = {1, 2, 840, 113549, 1, 9, 22, 1}; |
2 | 167 |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
168 |
private static final int[] pbeWithSHAAnd40BitRC2CBC = |
2 | 169 |
{1, 2, 840, 113549, 1, 12, 1, 6}; |
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
170 |
private static final int[] pbeWithSHAAnd3KeyTripleDESCBC = |
2 | 171 |
{1, 2, 840, 113549, 1, 12, 1, 3}; |
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
172 |
private static final int[] pbes2 = {1, 2, 840, 113549, 1, 5, 13}; |
15298 | 173 |
// TODO: temporary Oracle OID |
174 |
/* |
|
175 |
* { joint-iso-itu-t(2) country(16) us(840) organization(1) oracle(113894) |
|
176 |
* jdk(746875) crypto(1) id-at-trustedKeyUsage(1) } |
|
177 |
*/ |
|
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
178 |
private static final int[] TrustedKeyUsage = |
15298 | 179 |
{2, 16, 840, 1, 113894, 746875, 1, 1}; |
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
180 |
private static final int[] AnyExtendedKeyUsage = {2, 5, 29, 37, 0}; |
2 | 181 |
|
182 |
private static ObjectIdentifier PKCS8ShroudedKeyBag_OID; |
|
183 |
private static ObjectIdentifier CertBag_OID; |
|
15298 | 184 |
private static ObjectIdentifier SecretBag_OID; |
2 | 185 |
private static ObjectIdentifier PKCS9FriendlyName_OID; |
186 |
private static ObjectIdentifier PKCS9LocalKeyId_OID; |
|
187 |
private static ObjectIdentifier PKCS9CertType_OID; |
|
188 |
private static ObjectIdentifier pbeWithSHAAnd40BitRC2CBC_OID; |
|
189 |
private static ObjectIdentifier pbeWithSHAAnd3KeyTripleDESCBC_OID; |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
190 |
private static ObjectIdentifier pbes2_OID; |
15298 | 191 |
private static ObjectIdentifier TrustedKeyUsage_OID; |
192 |
private static ObjectIdentifier[] AnyUsage; |
|
2 | 193 |
|
194 |
private int counter = 0; |
|
195 |
private static final int iterationCount = 1024; |
|
196 |
private static final int SALT_LEN = 20; |
|
197 |
||
198 |
// private key count |
|
199 |
// Note: This is a workaround to allow null localKeyID attribute |
|
200 |
// in pkcs12 with one private key entry and associated cert-chain |
|
201 |
private int privateKeyCount = 0; |
|
202 |
||
15298 | 203 |
// secret key count |
204 |
private int secretKeyCount = 0; |
|
205 |
||
206 |
// certificate count |
|
207 |
private int certificateCount = 0; |
|
208 |
||
2 | 209 |
// the source of randomness |
210 |
private SecureRandom random; |
|
211 |
||
212 |
static { |
|
213 |
try { |
|
214 |
PKCS8ShroudedKeyBag_OID = new ObjectIdentifier(keyBag); |
|
215 |
CertBag_OID = new ObjectIdentifier(certBag); |
|
15298 | 216 |
SecretBag_OID = new ObjectIdentifier(secretBag); |
2 | 217 |
PKCS9FriendlyName_OID = new ObjectIdentifier(pkcs9Name); |
218 |
PKCS9LocalKeyId_OID = new ObjectIdentifier(pkcs9KeyId); |
|
219 |
PKCS9CertType_OID = new ObjectIdentifier(pkcs9certType); |
|
220 |
pbeWithSHAAnd40BitRC2CBC_OID = |
|
221 |
new ObjectIdentifier(pbeWithSHAAnd40BitRC2CBC); |
|
222 |
pbeWithSHAAnd3KeyTripleDESCBC_OID = |
|
223 |
new ObjectIdentifier(pbeWithSHAAnd3KeyTripleDESCBC); |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
224 |
pbes2_OID = new ObjectIdentifier(pbes2); |
15298 | 225 |
TrustedKeyUsage_OID = new ObjectIdentifier(TrustedKeyUsage); |
226 |
AnyUsage = new ObjectIdentifier[]{ |
|
227 |
new ObjectIdentifier(AnyExtendedKeyUsage)}; |
|
2 | 228 |
} catch (IOException ioe) { |
229 |
// should not happen |
|
230 |
} |
|
231 |
} |
|
232 |
||
15298 | 233 |
// A keystore entry and associated attributes |
234 |
private static class Entry { |
|
2 | 235 |
Date date; // the creation date of this entry |
15298 | 236 |
String alias; |
237 |
byte[] keyId; |
|
238 |
Set<KeyStore.Entry.Attribute> attributes; |
|
239 |
} |
|
240 |
||
241 |
// A key entry |
|
242 |
private static class KeyEntry extends Entry { |
|
243 |
} |
|
244 |
||
245 |
// A private key entry and its supporting certificate chain |
|
246 |
private static class PrivateKeyEntry extends KeyEntry { |
|
2 | 247 |
byte[] protectedPrivKey; |
31538
0981099a3e54
8130022: Use Java-style array declarations consistently
igerasim
parents:
31426
diff
changeset
|
248 |
Certificate[] chain; |
15298 | 249 |
}; |
250 |
||
251 |
// A secret key |
|
252 |
private static class SecretKeyEntry extends KeyEntry { |
|
253 |
byte[] protectedSecretKey; |
|
2 | 254 |
}; |
255 |
||
15298 | 256 |
// A certificate entry |
257 |
private static class CertEntry extends Entry { |
|
5973 | 258 |
final X509Certificate cert; |
15298 | 259 |
ObjectIdentifier[] trustedKeyUsage; |
260 |
||
5973 | 261 |
CertEntry(X509Certificate cert, byte[] keyId, String alias) { |
15298 | 262 |
this(cert, keyId, alias, null, null); |
263 |
} |
|
264 |
||
265 |
CertEntry(X509Certificate cert, byte[] keyId, String alias, |
|
266 |
ObjectIdentifier[] trustedKeyUsage, |
|
267 |
Set<? extends KeyStore.Entry.Attribute> attributes) { |
|
268 |
this.date = new Date(); |
|
5973 | 269 |
this.cert = cert; |
2 | 270 |
this.keyId = keyId; |
5973 | 271 |
this.alias = alias; |
15298 | 272 |
this.trustedKeyUsage = trustedKeyUsage; |
273 |
this.attributes = new HashSet<>(); |
|
274 |
if (attributes != null) { |
|
275 |
this.attributes.addAll(attributes); |
|
276 |
} |
|
2 | 277 |
} |
278 |
} |
|
279 |
||
280 |
/** |
|
15298 | 281 |
* Private keys and certificates are stored in a map. |
282 |
* Map entries are keyed by alias names. |
|
2 | 283 |
*/ |
15298 | 284 |
private Map<String, Entry> entries = |
285 |
Collections.synchronizedMap(new LinkedHashMap<String, Entry>()); |
|
2 | 286 |
|
287 |
private ArrayList<KeyEntry> keyList = new ArrayList<KeyEntry>(); |
|
5973 | 288 |
private LinkedHashMap<X500Principal, X509Certificate> certsMap = |
289 |
new LinkedHashMap<X500Principal, X509Certificate>(); |
|
290 |
private ArrayList<CertEntry> certEntries = new ArrayList<CertEntry>(); |
|
2 | 291 |
|
292 |
/** |
|
293 |
* Returns the key associated with the given alias, using the given |
|
294 |
* password to recover it. |
|
295 |
* |
|
296 |
* @param alias the alias name |
|
297 |
* @param password the password for recovering the key |
|
298 |
* |
|
299 |
* @return the requested key, or null if the given alias does not exist |
|
300 |
* or does not identify a <i>key entry</i>. |
|
301 |
* |
|
302 |
* @exception NoSuchAlgorithmException if the algorithm for recovering the |
|
303 |
* key cannot be found |
|
304 |
* @exception UnrecoverableKeyException if the key cannot be recovered |
|
305 |
* (e.g., the given password is wrong). |
|
306 |
*/ |
|
307 |
public Key engineGetKey(String alias, char[] password) |
|
308 |
throws NoSuchAlgorithmException, UnrecoverableKeyException |
|
309 |
{ |
|
15298 | 310 |
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); |
2 | 311 |
Key key = null; |
312 |
||
15298 | 313 |
if (entry == null || (!(entry instanceof KeyEntry))) { |
2 | 314 |
return null; |
315 |
} |
|
316 |
||
15298 | 317 |
// get the encoded private key or secret key |
318 |
byte[] encrBytes = null; |
|
319 |
if (entry instanceof PrivateKeyEntry) { |
|
320 |
encrBytes = ((PrivateKeyEntry) entry).protectedPrivKey; |
|
321 |
} else if (entry instanceof SecretKeyEntry) { |
|
322 |
encrBytes = ((SecretKeyEntry) entry).protectedSecretKey; |
|
323 |
} else { |
|
324 |
throw new UnrecoverableKeyException("Error locating key"); |
|
325 |
} |
|
2 | 326 |
|
327 |
byte[] encryptedKey; |
|
328 |
AlgorithmParameters algParams; |
|
329 |
ObjectIdentifier algOid; |
|
330 |
try { |
|
331 |
// get the encrypted private key |
|
332 |
EncryptedPrivateKeyInfo encrInfo = |
|
333 |
new EncryptedPrivateKeyInfo(encrBytes); |
|
334 |
encryptedKey = encrInfo.getEncryptedData(); |
|
335 |
||
336 |
// parse Algorithm parameters |
|
337 |
DerValue val = new DerValue(encrInfo.getAlgorithm().encode()); |
|
338 |
DerInputStream in = val.toDerInputStream(); |
|
339 |
algOid = in.getOID(); |
|
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
340 |
algParams = parseAlgParameters(algOid, in); |
2 | 341 |
|
342 |
} catch (IOException ioe) { |
|
343 |
UnrecoverableKeyException uke = |
|
344 |
new UnrecoverableKeyException("Private key not stored as " |
|
345 |
+ "PKCS#8 EncryptedPrivateKeyInfo: " + ioe); |
|
346 |
uke.initCause(ioe); |
|
347 |
throw uke; |
|
348 |
} |
|
349 |
||
350 |
try { |
|
15298 | 351 |
byte[] keyInfo; |
11835
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
352 |
while (true) { |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
353 |
try { |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
354 |
// Use JCE |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
355 |
SecretKey skey = getPBEKey(password); |
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
356 |
Cipher cipher = Cipher.getInstance( |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
357 |
mapPBEParamsToAlgorithm(algOid, algParams)); |
11835
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
358 |
cipher.init(Cipher.DECRYPT_MODE, skey, algParams); |
15298 | 359 |
keyInfo = cipher.doFinal(encryptedKey); |
11835
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
360 |
break; |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
361 |
} catch (Exception e) { |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
362 |
if (password.length == 0) { |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
363 |
// Retry using an empty password |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
364 |
// without a NULL terminator. |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
365 |
password = new char[1]; |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
366 |
continue; |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
367 |
} |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
368 |
throw e; |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
369 |
} |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
370 |
} |
2 | 371 |
|
372 |
/* |
|
373 |
* Parse the key algorithm and then use a JCA key factory |
|
15298 | 374 |
* to re-create the key. |
2 | 375 |
*/ |
15298 | 376 |
DerValue val = new DerValue(keyInfo); |
2 | 377 |
DerInputStream in = val.toDerInputStream(); |
378 |
int i = in.getInteger(); |
|
379 |
DerValue[] value = in.getSequence(2); |
|
380 |
AlgorithmId algId = new AlgorithmId(value[0].getOID()); |
|
15298 | 381 |
String keyAlgo = algId.getName(); |
2 | 382 |
|
15298 | 383 |
// decode private key |
384 |
if (entry instanceof PrivateKeyEntry) { |
|
385 |
KeyFactory kfac = KeyFactory.getInstance(keyAlgo); |
|
386 |
PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(keyInfo); |
|
387 |
key = kfac.generatePrivate(kspec); |
|
388 |
||
389 |
if (debug != null) { |
|
390 |
debug.println("Retrieved a protected private key (" + |
|
391 |
key.getClass().getName() + ") at alias '" + alias + |
|
392 |
"'"); |
|
393 |
} |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
394 |
|
15298 | 395 |
// decode secret key |
396 |
} else { |
|
397 |
byte[] keyBytes = in.getOctetString(); |
|
398 |
SecretKeySpec secretKeySpec = |
|
399 |
new SecretKeySpec(keyBytes, keyAlgo); |
|
400 |
||
401 |
// Special handling required for PBE: needs a PBEKeySpec |
|
402 |
if (keyAlgo.startsWith("PBE")) { |
|
35958
31866c4c84d3
8149411: PKCS12KeyStore cannot extract AES Secret Keys
vinnie
parents:
32634
diff
changeset
|
403 |
SecretKeyFactory sKeyFactory = |
31866c4c84d3
8149411: PKCS12KeyStore cannot extract AES Secret Keys
vinnie
parents:
32634
diff
changeset
|
404 |
SecretKeyFactory.getInstance(keyAlgo); |
15298 | 405 |
KeySpec pbeKeySpec = |
406 |
sKeyFactory.getKeySpec(secretKeySpec, PBEKeySpec.class); |
|
407 |
key = sKeyFactory.generateSecret(pbeKeySpec); |
|
408 |
} else { |
|
35958
31866c4c84d3
8149411: PKCS12KeyStore cannot extract AES Secret Keys
vinnie
parents:
32634
diff
changeset
|
409 |
key = secretKeySpec; |
15298 | 410 |
} |
411 |
||
412 |
if (debug != null) { |
|
413 |
debug.println("Retrieved a protected secret key (" + |
|
414 |
key.getClass().getName() + ") at alias '" + alias + |
|
415 |
"'"); |
|
416 |
} |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
417 |
} |
2 | 418 |
} catch (Exception e) { |
419 |
UnrecoverableKeyException uke = |
|
420 |
new UnrecoverableKeyException("Get Key failed: " + |
|
421 |
e.getMessage()); |
|
422 |
uke.initCause(e); |
|
423 |
throw uke; |
|
424 |
} |
|
425 |
return key; |
|
426 |
} |
|
427 |
||
428 |
/** |
|
429 |
* Returns the certificate chain associated with the given alias. |
|
430 |
* |
|
431 |
* @param alias the alias name |
|
432 |
* |
|
433 |
* @return the certificate chain (ordered with the user's certificate first |
|
434 |
* and the root certificate authority last), or null if the given alias |
|
435 |
* does not exist or does not contain a certificate chain (i.e., the given |
|
436 |
* alias identifies either a <i>trusted certificate entry</i> or a |
|
437 |
* <i>key entry</i> without a certificate chain). |
|
438 |
*/ |
|
439 |
public Certificate[] engineGetCertificateChain(String alias) { |
|
15298 | 440 |
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); |
441 |
if (entry != null && entry instanceof PrivateKeyEntry) { |
|
442 |
if (((PrivateKeyEntry) entry).chain == null) { |
|
2 | 443 |
return null; |
444 |
} else { |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
445 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
446 |
if (debug != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
447 |
debug.println("Retrieved a " + |
15298 | 448 |
((PrivateKeyEntry) entry).chain.length + |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
449 |
"-certificate chain at alias '" + alias + "'"); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
450 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
451 |
|
15298 | 452 |
return ((PrivateKeyEntry) entry).chain.clone(); |
2 | 453 |
} |
454 |
} else { |
|
455 |
return null; |
|
456 |
} |
|
457 |
} |
|
458 |
||
459 |
/** |
|
460 |
* Returns the certificate associated with the given alias. |
|
461 |
* |
|
462 |
* <p>If the given alias name identifies a |
|
463 |
* <i>trusted certificate entry</i>, the certificate associated with that |
|
464 |
* entry is returned. If the given alias name identifies a |
|
465 |
* <i>key entry</i>, the first element of the certificate chain of that |
|
466 |
* entry is returned, or null if that entry does not have a certificate |
|
467 |
* chain. |
|
468 |
* |
|
469 |
* @param alias the alias name |
|
470 |
* |
|
471 |
* @return the certificate, or null if the given alias does not exist or |
|
472 |
* does not contain a certificate. |
|
473 |
*/ |
|
474 |
public Certificate engineGetCertificate(String alias) { |
|
15298 | 475 |
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); |
476 |
if (entry == null) { |
|
477 |
return null; |
|
478 |
} |
|
479 |
if (entry instanceof CertEntry && |
|
480 |
((CertEntry) entry).trustedKeyUsage != null) { |
|
481 |
||
482 |
if (debug != null) { |
|
483 |
if (Arrays.equals(AnyUsage, |
|
484 |
((CertEntry) entry).trustedKeyUsage)) { |
|
485 |
debug.println("Retrieved a certificate at alias '" + alias + |
|
486 |
"' (trusted for any purpose)"); |
|
487 |
} else { |
|
488 |
debug.println("Retrieved a certificate at alias '" + alias + |
|
489 |
"' (trusted for limited purposes)"); |
|
490 |
} |
|
491 |
} |
|
492 |
||
493 |
return ((CertEntry) entry).cert; |
|
494 |
||
495 |
} else if (entry instanceof PrivateKeyEntry) { |
|
496 |
if (((PrivateKeyEntry) entry).chain == null) { |
|
2 | 497 |
return null; |
498 |
} else { |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
499 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
500 |
if (debug != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
501 |
debug.println("Retrieved a certificate at alias '" + alias + |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
502 |
"'"); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
503 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
504 |
|
15298 | 505 |
return ((PrivateKeyEntry) entry).chain[0]; |
2 | 506 |
} |
15298 | 507 |
|
2 | 508 |
} else { |
509 |
return null; |
|
510 |
} |
|
511 |
} |
|
512 |
||
513 |
/** |
|
514 |
* Returns the creation date of the entry identified by the given alias. |
|
515 |
* |
|
516 |
* @param alias the alias name |
|
517 |
* |
|
518 |
* @return the creation date of this entry, or null if the given alias does |
|
519 |
* not exist |
|
520 |
*/ |
|
521 |
public Date engineGetCreationDate(String alias) { |
|
15298 | 522 |
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); |
2 | 523 |
if (entry != null) { |
524 |
return new Date(entry.date.getTime()); |
|
525 |
} else { |
|
526 |
return null; |
|
527 |
} |
|
528 |
} |
|
529 |
||
530 |
/** |
|
531 |
* Assigns the given key to the given alias, protecting it with the given |
|
532 |
* password. |
|
533 |
* |
|
534 |
* <p>If the given key is of type <code>java.security.PrivateKey</code>, |
|
535 |
* it must be accompanied by a certificate chain certifying the |
|
536 |
* corresponding public key. |
|
537 |
* |
|
538 |
* <p>If the given alias already exists, the keystore information |
|
539 |
* associated with it is overridden by the given key (and possibly |
|
540 |
* certificate chain). |
|
541 |
* |
|
542 |
* @param alias the alias name |
|
543 |
* @param key the key to be associated with the alias |
|
544 |
* @param password the password to protect the key |
|
545 |
* @param chain the certificate chain for the corresponding public |
|
546 |
* key (only required if the given key is of type |
|
547 |
* <code>java.security.PrivateKey</code>). |
|
548 |
* |
|
549 |
* @exception KeyStoreException if the given key cannot be protected, or |
|
550 |
* this operation fails for some other reason |
|
551 |
*/ |
|
552 |
public synchronized void engineSetKeyEntry(String alias, Key key, |
|
553 |
char[] password, Certificate[] chain) |
|
554 |
throws KeyStoreException |
|
555 |
{ |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
556 |
KeyStore.PasswordProtection passwordProtection = |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
557 |
new KeyStore.PasswordProtection(password); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
558 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
559 |
try { |
15298 | 560 |
setKeyEntry(alias, key, passwordProtection, chain, null); |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
561 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
562 |
} finally { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
563 |
try { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
564 |
passwordProtection.destroy(); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
565 |
} catch (DestroyFailedException dfe) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
566 |
// ignore |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
567 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
568 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
569 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
570 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
571 |
/* |
15298 | 572 |
* Sets a key entry (with attributes, when present) |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
573 |
*/ |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
574 |
private void setKeyEntry(String alias, Key key, |
15298 | 575 |
KeyStore.PasswordProtection passwordProtection, Certificate[] chain, |
576 |
Set<KeyStore.Entry.Attribute> attributes) |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
577 |
throws KeyStoreException |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
578 |
{ |
2 | 579 |
try { |
15298 | 580 |
Entry entry; |
2 | 581 |
|
582 |
if (key instanceof PrivateKey) { |
|
15298 | 583 |
PrivateKeyEntry keyEntry = new PrivateKeyEntry(); |
584 |
keyEntry.date = new Date(); |
|
585 |
||
2 | 586 |
if ((key.getFormat().equals("PKCS#8")) || |
587 |
(key.getFormat().equals("PKCS8"))) { |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
588 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
589 |
if (debug != null) { |
15298 | 590 |
debug.println("Setting a protected private key (" + |
591 |
key.getClass().getName() + ") at alias '" + alias + |
|
592 |
"'"); |
|
593 |
} |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
594 |
|
15298 | 595 |
// Encrypt the private key |
596 |
keyEntry.protectedPrivKey = |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
597 |
encryptPrivateKey(key.getEncoded(), passwordProtection); |
2 | 598 |
} else { |
599 |
throw new KeyStoreException("Private key is not encoded" + |
|
600 |
"as PKCS#8"); |
|
601 |
} |
|
15298 | 602 |
|
603 |
// clone the chain |
|
604 |
if (chain != null) { |
|
605 |
// validate cert-chain |
|
606 |
if ((chain.length > 1) && (!validateChain(chain))) |
|
607 |
throw new KeyStoreException("Certificate chain is " + |
|
608 |
"not valid"); |
|
609 |
keyEntry.chain = chain.clone(); |
|
610 |
certificateCount += chain.length; |
|
611 |
||
612 |
if (debug != null) { |
|
613 |
debug.println("Setting a " + chain.length + |
|
614 |
"-certificate chain at alias '" + alias + "'"); |
|
615 |
} |
|
616 |
} |
|
617 |
privateKeyCount++; |
|
618 |
entry = keyEntry; |
|
619 |
||
620 |
} else if (key instanceof SecretKey) { |
|
621 |
SecretKeyEntry keyEntry = new SecretKeyEntry(); |
|
622 |
keyEntry.date = new Date(); |
|
623 |
||
624 |
// Encode secret key in a PKCS#8 |
|
625 |
DerOutputStream pkcs8 = new DerOutputStream(); |
|
626 |
DerOutputStream secretKeyInfo = new DerOutputStream(); |
|
627 |
secretKeyInfo.putInteger(0); |
|
628 |
AlgorithmId algId = AlgorithmId.get(key.getAlgorithm()); |
|
629 |
algId.encode(secretKeyInfo); |
|
630 |
secretKeyInfo.putOctetString(key.getEncoded()); |
|
631 |
pkcs8.write(DerValue.tag_Sequence, secretKeyInfo); |
|
632 |
||
633 |
// Encrypt the secret key (using same PBE as for private keys) |
|
634 |
keyEntry.protectedSecretKey = |
|
635 |
encryptPrivateKey(pkcs8.toByteArray(), passwordProtection); |
|
636 |
||
637 |
if (debug != null) { |
|
638 |
debug.println("Setting a protected secret key (" + |
|
639 |
key.getClass().getName() + ") at alias '" + alias + |
|
640 |
"'"); |
|
641 |
} |
|
642 |
secretKeyCount++; |
|
643 |
entry = keyEntry; |
|
644 |
||
2 | 645 |
} else { |
15298 | 646 |
throw new KeyStoreException("Unsupported Key type"); |
2 | 647 |
} |
648 |
||
15298 | 649 |
entry.attributes = new HashSet<>(); |
650 |
if (attributes != null) { |
|
651 |
entry.attributes.addAll(attributes); |
|
2 | 652 |
} |
653 |
// set the keyId to current date |
|
654 |
entry.keyId = ("Time " + (entry.date).getTime()).getBytes("UTF8"); |
|
655 |
// set the alias |
|
10369
e9d2e59e53f0
7059542: JNDI name operations should be locale independent
xuelei
parents:
10336
diff
changeset
|
656 |
entry.alias = alias.toLowerCase(Locale.ENGLISH); |
2 | 657 |
// add the entry |
10369
e9d2e59e53f0
7059542: JNDI name operations should be locale independent
xuelei
parents:
10336
diff
changeset
|
658 |
entries.put(alias.toLowerCase(Locale.ENGLISH), entry); |
15298 | 659 |
|
2 | 660 |
} catch (Exception nsae) { |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
661 |
throw new KeyStoreException("Key protection " + |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
662 |
" algorithm not found: " + nsae, nsae); |
2 | 663 |
} |
664 |
} |
|
665 |
||
666 |
/** |
|
667 |
* Assigns the given key (that has already been protected) to the given |
|
668 |
* alias. |
|
669 |
* |
|
670 |
* <p>If the protected key is of type |
|
671 |
* <code>java.security.PrivateKey</code>, it must be accompanied by a |
|
672 |
* certificate chain certifying the corresponding public key. If the |
|
673 |
* underlying keystore implementation is of type <code>jks</code>, |
|
674 |
* <code>key</code> must be encoded as an |
|
675 |
* <code>EncryptedPrivateKeyInfo</code> as defined in the PKCS #8 standard. |
|
676 |
* |
|
677 |
* <p>If the given alias already exists, the keystore information |
|
678 |
* associated with it is overridden by the given key (and possibly |
|
679 |
* certificate chain). |
|
680 |
* |
|
681 |
* @param alias the alias name |
|
682 |
* @param key the key (in protected format) to be associated with the alias |
|
683 |
* @param chain the certificate chain for the corresponding public |
|
684 |
* key (only useful if the protected key is of type |
|
685 |
* <code>java.security.PrivateKey</code>). |
|
686 |
* |
|
687 |
* @exception KeyStoreException if this operation fails. |
|
688 |
*/ |
|
689 |
public synchronized void engineSetKeyEntry(String alias, byte[] key, |
|
690 |
Certificate[] chain) |
|
691 |
throws KeyStoreException |
|
692 |
{ |
|
15298 | 693 |
// Private key must be encoded as EncryptedPrivateKeyInfo |
2 | 694 |
// as defined in PKCS#8 |
695 |
try { |
|
696 |
new EncryptedPrivateKeyInfo(key); |
|
697 |
} catch (IOException ioe) { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
698 |
throw new KeyStoreException("Private key is not stored" |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
699 |
+ " as PKCS#8 EncryptedPrivateKeyInfo: " + ioe, ioe); |
2 | 700 |
} |
701 |
||
15298 | 702 |
PrivateKeyEntry entry = new PrivateKeyEntry(); |
2 | 703 |
entry.date = new Date(); |
704 |
||
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
705 |
if (debug != null) { |
15298 | 706 |
debug.println("Setting a protected private key at alias '" + |
707 |
alias + "'"); |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
708 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
709 |
|
5973 | 710 |
try { |
711 |
// set the keyId to current date |
|
712 |
entry.keyId = ("Time " + (entry.date).getTime()).getBytes("UTF8"); |
|
713 |
} catch (UnsupportedEncodingException ex) { |
|
714 |
// Won't happen |
|
715 |
} |
|
716 |
// set the alias |
|
10369
e9d2e59e53f0
7059542: JNDI name operations should be locale independent
xuelei
parents:
10336
diff
changeset
|
717 |
entry.alias = alias.toLowerCase(Locale.ENGLISH); |
5973 | 718 |
|
2 | 719 |
entry.protectedPrivKey = key.clone(); |
720 |
if (chain != null) { |
|
29909 | 721 |
// validate cert-chain |
722 |
if ((chain.length > 1) && (!validateChain(chain))) { |
|
723 |
throw new KeyStoreException("Certificate chain is " |
|
724 |
+ "not valid"); |
|
725 |
} |
|
15298 | 726 |
entry.chain = chain.clone(); |
727 |
certificateCount += chain.length; |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
728 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
729 |
if (debug != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
730 |
debug.println("Setting a " + entry.chain.length + |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
731 |
"-certificate chain at alias '" + alias + "'"); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
732 |
} |
2 | 733 |
} |
734 |
||
735 |
// add the entry |
|
15298 | 736 |
privateKeyCount++; |
10369
e9d2e59e53f0
7059542: JNDI name operations should be locale independent
xuelei
parents:
10336
diff
changeset
|
737 |
entries.put(alias.toLowerCase(Locale.ENGLISH), entry); |
2 | 738 |
} |
739 |
||
740 |
||
741 |
/* |
|
742 |
* Generate random salt |
|
743 |
*/ |
|
744 |
private byte[] getSalt() |
|
745 |
{ |
|
746 |
// Generate a random salt. |
|
747 |
byte[] salt = new byte[SALT_LEN]; |
|
748 |
if (random == null) { |
|
749 |
random = new SecureRandom(); |
|
750 |
} |
|
751 |
random.nextBytes(salt); |
|
752 |
return salt; |
|
753 |
} |
|
754 |
||
755 |
/* |
|
756 |
* Generate PBE Algorithm Parameters |
|
757 |
*/ |
|
758 |
private AlgorithmParameters getAlgorithmParameters(String algorithm) |
|
759 |
throws IOException |
|
760 |
{ |
|
761 |
AlgorithmParameters algParams = null; |
|
762 |
||
763 |
// create PBE parameters from salt and iteration count |
|
764 |
PBEParameterSpec paramSpec = |
|
765 |
new PBEParameterSpec(getSalt(), iterationCount); |
|
766 |
try { |
|
767 |
algParams = AlgorithmParameters.getInstance(algorithm); |
|
768 |
algParams.init(paramSpec); |
|
769 |
} catch (Exception e) { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
770 |
throw new IOException("getAlgorithmParameters failed: " + |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
771 |
e.getMessage(), e); |
2 | 772 |
} |
773 |
return algParams; |
|
774 |
} |
|
775 |
||
776 |
/* |
|
777 |
* parse Algorithm Parameters |
|
778 |
*/ |
|
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
779 |
private AlgorithmParameters parseAlgParameters(ObjectIdentifier algorithm, |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
780 |
DerInputStream in) throws IOException |
2 | 781 |
{ |
782 |
AlgorithmParameters algParams = null; |
|
783 |
try { |
|
784 |
DerValue params; |
|
785 |
if (in.available() == 0) { |
|
786 |
params = null; |
|
787 |
} else { |
|
788 |
params = in.getDerValue(); |
|
789 |
if (params.tag == DerValue.tag_Null) { |
|
790 |
params = null; |
|
791 |
} |
|
792 |
} |
|
793 |
if (params != null) { |
|
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
794 |
if (algorithm.equals(pbes2_OID)) { |
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
795 |
algParams = AlgorithmParameters.getInstance("PBES2"); |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
796 |
} else { |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
797 |
algParams = AlgorithmParameters.getInstance("PBE"); |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
798 |
} |
2 | 799 |
algParams.init(params.toByteArray()); |
800 |
} |
|
801 |
} catch (Exception e) { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
802 |
throw new IOException("parseAlgParameters failed: " + |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
803 |
e.getMessage(), e); |
2 | 804 |
} |
805 |
return algParams; |
|
806 |
} |
|
807 |
||
808 |
/* |
|
809 |
* Generate PBE key |
|
810 |
*/ |
|
811 |
private SecretKey getPBEKey(char[] password) throws IOException |
|
812 |
{ |
|
813 |
SecretKey skey = null; |
|
814 |
||
815 |
try { |
|
816 |
PBEKeySpec keySpec = new PBEKeySpec(password); |
|
817 |
SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE"); |
|
818 |
skey = skFac.generateSecret(keySpec); |
|
15298 | 819 |
keySpec.clearPassword(); |
2 | 820 |
} catch (Exception e) { |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
821 |
throw new IOException("getSecretKey failed: " + |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
822 |
e.getMessage(), e); |
2 | 823 |
} |
824 |
return skey; |
|
825 |
} |
|
826 |
||
827 |
/* |
|
828 |
* Encrypt private key using Password-based encryption (PBE) |
|
829 |
* as defined in PKCS#5. |
|
830 |
* |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
831 |
* NOTE: By default, pbeWithSHAAnd3-KeyTripleDES-CBC algorithmID is |
2 | 832 |
* used to derive the key and IV. |
833 |
* |
|
834 |
* @return encrypted private key encoded as EncryptedPrivateKeyInfo |
|
835 |
*/ |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
836 |
private byte[] encryptPrivateKey(byte[] data, |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
837 |
KeyStore.PasswordProtection passwordProtection) |
2 | 838 |
throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException |
839 |
{ |
|
840 |
byte[] key = null; |
|
841 |
||
842 |
try { |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
843 |
String algorithm; |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
844 |
AlgorithmParameters algParams; |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
845 |
AlgorithmId algid; |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
846 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
847 |
// Initialize PBE algorithm and parameters |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
848 |
algorithm = passwordProtection.getProtectionAlgorithm(); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
849 |
if (algorithm != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
850 |
AlgorithmParameterSpec algParamSpec = |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
851 |
passwordProtection.getProtectionParameters(); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
852 |
if (algParamSpec != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
853 |
algParams = AlgorithmParameters.getInstance(algorithm); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
854 |
algParams.init(algParamSpec); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
855 |
} else { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
856 |
algParams = getAlgorithmParameters(algorithm); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
857 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
858 |
} else { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
859 |
// Check default key protection algorithm for PKCS12 keystores |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
860 |
algorithm = AccessController.doPrivileged( |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
861 |
new PrivilegedAction<String>() { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
862 |
public String run() { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
863 |
String prop = |
15299 | 864 |
Security.getProperty( |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
865 |
KEY_PROTECTION_ALGORITHM[0]); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
866 |
if (prop == null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
867 |
prop = Security.getProperty( |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
868 |
KEY_PROTECTION_ALGORITHM[1]); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
869 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
870 |
return prop; |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
871 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
872 |
}); |
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
873 |
if (algorithm == null || algorithm.isEmpty()) { |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
874 |
algorithm = "PBEWithSHA1AndDESede"; |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
875 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
876 |
algParams = getAlgorithmParameters(algorithm); |
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
877 |
} |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
878 |
|
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
879 |
ObjectIdentifier pbeOID = mapPBEAlgorithmToOID(algorithm); |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
880 |
if (pbeOID == null) { |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
881 |
throw new IOException("PBE algorithm '" + algorithm + |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
882 |
" 'is not supported for key entry protection"); |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
883 |
} |
2 | 884 |
|
885 |
// Use JCE |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
886 |
SecretKey skey = getPBEKey(passwordProtection.getPassword()); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
887 |
Cipher cipher = Cipher.getInstance(algorithm); |
2 | 888 |
cipher.init(Cipher.ENCRYPT_MODE, skey, algParams); |
889 |
byte[] encryptedKey = cipher.doFinal(data); |
|
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
890 |
algid = new AlgorithmId(pbeOID, cipher.getParameters()); |
2 | 891 |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
892 |
if (debug != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
893 |
debug.println(" (Cipher algorithm: " + cipher.getAlgorithm() + |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
894 |
")"); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
895 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
896 |
|
2 | 897 |
// wrap encrypted private key in EncryptedPrivateKeyInfo |
898 |
// as defined in PKCS#8 |
|
899 |
EncryptedPrivateKeyInfo encrInfo = |
|
900 |
new EncryptedPrivateKeyInfo(algid, encryptedKey); |
|
901 |
key = encrInfo.getEncoded(); |
|
902 |
} catch (Exception e) { |
|
903 |
UnrecoverableKeyException uke = |
|
904 |
new UnrecoverableKeyException("Encrypt Private Key failed: " |
|
905 |
+ e.getMessage()); |
|
906 |
uke.initCause(e); |
|
907 |
throw uke; |
|
908 |
} |
|
909 |
||
910 |
return key; |
|
911 |
} |
|
912 |
||
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
913 |
/* |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
914 |
* Map a PBE algorithm name onto its object identifier |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
915 |
*/ |
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
916 |
private static ObjectIdentifier mapPBEAlgorithmToOID(String algorithm) |
15301
215128369cab
8006855: PKCS12 test failures due to unsupported algorithm
vinnie
parents:
15299
diff
changeset
|
917 |
throws NoSuchAlgorithmException { |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
918 |
// Check for PBES2 algorithms |
25402
0c24d9aa8fb9
7065233: To interpret case-insensitive string locale independently
juh
parents:
19210
diff
changeset
|
919 |
if (algorithm.toLowerCase(Locale.ENGLISH).startsWith("pbewithhmacsha")) { |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
920 |
return pbes2_OID; |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
921 |
} |
15301
215128369cab
8006855: PKCS12 test failures due to unsupported algorithm
vinnie
parents:
15299
diff
changeset
|
922 |
return AlgorithmId.get(algorithm).getOID(); |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
923 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
924 |
|
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
925 |
/* |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
926 |
* Map a PBE algorithm parameters onto its algorithm name |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
927 |
*/ |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
928 |
private static String mapPBEParamsToAlgorithm(ObjectIdentifier algorithm, |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
929 |
AlgorithmParameters algParams) throws NoSuchAlgorithmException { |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
930 |
// Check for PBES2 algorithms |
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
931 |
if (algorithm.equals(pbes2_OID) && algParams != null) { |
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
932 |
return algParams.toString(); |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
933 |
} |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
934 |
return algorithm.toString(); |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
935 |
} |
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
936 |
|
2 | 937 |
/** |
938 |
* Assigns the given certificate to the given alias. |
|
939 |
* |
|
940 |
* <p>If the given alias already exists in this keystore and identifies a |
|
941 |
* <i>trusted certificate entry</i>, the certificate associated with it is |
|
942 |
* overridden by the given certificate. |
|
943 |
* |
|
944 |
* @param alias the alias name |
|
945 |
* @param cert the certificate |
|
946 |
* |
|
947 |
* @exception KeyStoreException if the given alias already exists and does |
|
15298 | 948 |
* not identify a <i>trusted certificate entry</i>, or this operation fails |
949 |
* for some other reason. |
|
2 | 950 |
*/ |
951 |
public synchronized void engineSetCertificateEntry(String alias, |
|
952 |
Certificate cert) throws KeyStoreException |
|
953 |
{ |
|
15298 | 954 |
setCertEntry(alias, cert, null); |
955 |
} |
|
956 |
||
957 |
/* |
|
958 |
* Sets a trusted cert entry (with attributes, when present) |
|
959 |
*/ |
|
960 |
private void setCertEntry(String alias, Certificate cert, |
|
961 |
Set<KeyStore.Entry.Attribute> attributes) throws KeyStoreException { |
|
962 |
||
963 |
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); |
|
964 |
if (entry != null && entry instanceof KeyEntry) { |
|
2 | 965 |
throw new KeyStoreException("Cannot overwrite own certificate"); |
15298 | 966 |
} |
967 |
||
968 |
CertEntry certEntry = |
|
969 |
new CertEntry((X509Certificate) cert, null, alias, AnyUsage, |
|
970 |
attributes); |
|
971 |
certificateCount++; |
|
972 |
entries.put(alias, certEntry); |
|
973 |
||
974 |
if (debug != null) { |
|
975 |
debug.println("Setting a trusted certificate at alias '" + alias + |
|
976 |
"'"); |
|
977 |
} |
|
2 | 978 |
} |
979 |
||
980 |
/** |
|
981 |
* Deletes the entry identified by the given alias from this keystore. |
|
982 |
* |
|
983 |
* @param alias the alias name |
|
984 |
* |
|
985 |
* @exception KeyStoreException if the entry cannot be removed. |
|
986 |
*/ |
|
987 |
public synchronized void engineDeleteEntry(String alias) |
|
988 |
throws KeyStoreException |
|
989 |
{ |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
990 |
if (debug != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
991 |
debug.println("Removing entry at alias '" + alias + "'"); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
992 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
993 |
|
15298 | 994 |
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); |
995 |
if (entry instanceof PrivateKeyEntry) { |
|
996 |
PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry; |
|
997 |
if (keyEntry.chain != null) { |
|
998 |
certificateCount -= keyEntry.chain.length; |
|
999 |
} |
|
1000 |
privateKeyCount--; |
|
1001 |
} else if (entry instanceof CertEntry) { |
|
1002 |
certificateCount--; |
|
1003 |
} else if (entry instanceof SecretKeyEntry) { |
|
1004 |
secretKeyCount--; |
|
1005 |
} |
|
10369
e9d2e59e53f0
7059542: JNDI name operations should be locale independent
xuelei
parents:
10336
diff
changeset
|
1006 |
entries.remove(alias.toLowerCase(Locale.ENGLISH)); |
2 | 1007 |
} |
1008 |
||
1009 |
/** |
|
1010 |
* Lists all the alias names of this keystore. |
|
1011 |
* |
|
1012 |
* @return enumeration of the alias names |
|
1013 |
*/ |
|
1014 |
public Enumeration<String> engineAliases() { |
|
15298 | 1015 |
return Collections.enumeration(entries.keySet()); |
2 | 1016 |
} |
1017 |
||
1018 |
/** |
|
1019 |
* Checks if the given alias exists in this keystore. |
|
1020 |
* |
|
1021 |
* @param alias the alias name |
|
1022 |
* |
|
1023 |
* @return true if the alias exists, false otherwise |
|
1024 |
*/ |
|
1025 |
public boolean engineContainsAlias(String alias) { |
|
10369
e9d2e59e53f0
7059542: JNDI name operations should be locale independent
xuelei
parents:
10336
diff
changeset
|
1026 |
return entries.containsKey(alias.toLowerCase(Locale.ENGLISH)); |
2 | 1027 |
} |
1028 |
||
1029 |
/** |
|
1030 |
* Retrieves the number of entries in this keystore. |
|
1031 |
* |
|
1032 |
* @return the number of entries in this keystore |
|
1033 |
*/ |
|
1034 |
public int engineSize() { |
|
1035 |
return entries.size(); |
|
1036 |
} |
|
1037 |
||
1038 |
/** |
|
1039 |
* Returns true if the entry identified by the given alias is a |
|
1040 |
* <i>key entry</i>, and false otherwise. |
|
1041 |
* |
|
1042 |
* @return true if the entry identified by the given alias is a |
|
1043 |
* <i>key entry</i>, false otherwise. |
|
1044 |
*/ |
|
1045 |
public boolean engineIsKeyEntry(String alias) { |
|
15298 | 1046 |
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); |
1047 |
if (entry != null && entry instanceof KeyEntry) { |
|
2 | 1048 |
return true; |
1049 |
} else { |
|
1050 |
return false; |
|
1051 |
} |
|
1052 |
} |
|
1053 |
||
1054 |
/** |
|
1055 |
* Returns true if the entry identified by the given alias is a |
|
1056 |
* <i>trusted certificate entry</i>, and false otherwise. |
|
1057 |
* |
|
1058 |
* @return true if the entry identified by the given alias is a |
|
1059 |
* <i>trusted certificate entry</i>, false otherwise. |
|
1060 |
*/ |
|
1061 |
public boolean engineIsCertificateEntry(String alias) { |
|
15298 | 1062 |
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); |
1063 |
if (entry != null && entry instanceof CertEntry && |
|
1064 |
((CertEntry) entry).trustedKeyUsage != null) { |
|
1065 |
return true; |
|
1066 |
} else { |
|
1067 |
return false; |
|
1068 |
} |
|
2 | 1069 |
} |
1070 |
||
1071 |
/** |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1072 |
* Determines if the keystore {@code Entry} for the specified |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1073 |
* {@code alias} is an instance or subclass of the specified |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1074 |
* {@code entryClass}. |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1075 |
* |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1076 |
* @param alias the alias name |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1077 |
* @param entryClass the entry class |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1078 |
* |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1079 |
* @return true if the keystore {@code Entry} for the specified |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1080 |
* {@code alias} is an instance or subclass of the |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1081 |
* specified {@code entryClass}, false otherwise |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1082 |
* |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1083 |
* @since 1.5 |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1084 |
*/ |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1085 |
@Override |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1086 |
public boolean |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1087 |
engineEntryInstanceOf(String alias, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1088 |
Class<? extends KeyStore.Entry> entryClass) |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1089 |
{ |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1090 |
if (entryClass == KeyStore.TrustedCertificateEntry.class) { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1091 |
return engineIsCertificateEntry(alias); |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1092 |
} |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1093 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1094 |
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1095 |
if (entryClass == KeyStore.PrivateKeyEntry.class) { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1096 |
return (entry != null && entry instanceof PrivateKeyEntry); |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1097 |
} |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1098 |
if (entryClass == KeyStore.SecretKeyEntry.class) { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1099 |
return (entry != null && entry instanceof SecretKeyEntry); |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1100 |
} |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1101 |
return false; |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1102 |
} |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1103 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1104 |
/** |
2 | 1105 |
* Returns the (alias) name of the first keystore entry whose certificate |
1106 |
* matches the given certificate. |
|
1107 |
* |
|
1108 |
* <p>This method attempts to match the given certificate with each |
|
1109 |
* keystore entry. If the entry being considered |
|
1110 |
* is a <i>trusted certificate entry</i>, the given certificate is |
|
1111 |
* compared to that entry's certificate. If the entry being considered is |
|
1112 |
* a <i>key entry</i>, the given certificate is compared to the first |
|
1113 |
* element of that entry's certificate chain (if a chain exists). |
|
1114 |
* |
|
1115 |
* @param cert the certificate to match with. |
|
1116 |
* |
|
1117 |
* @return the (alias) name of the first entry with matching certificate, |
|
1118 |
* or null if no such entry exists in this keystore. |
|
1119 |
*/ |
|
1120 |
public String engineGetCertificateAlias(Certificate cert) { |
|
1121 |
Certificate certElem = null; |
|
1122 |
||
15298 | 1123 |
for (Enumeration<String> e = engineAliases(); e.hasMoreElements(); ) { |
2 | 1124 |
String alias = e.nextElement(); |
15298 | 1125 |
Entry entry = entries.get(alias); |
1126 |
if (entry instanceof PrivateKeyEntry) { |
|
1127 |
if (((PrivateKeyEntry) entry).chain != null) { |
|
1128 |
certElem = ((PrivateKeyEntry) entry).chain[0]; |
|
1129 |
} |
|
1130 |
} else if (entry instanceof CertEntry && |
|
1131 |
((CertEntry) entry).trustedKeyUsage != null) { |
|
1132 |
certElem = ((CertEntry) entry).cert; |
|
1133 |
} else { |
|
1134 |
continue; |
|
2 | 1135 |
} |
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1136 |
if (certElem != null && certElem.equals(cert)) { |
2 | 1137 |
return alias; |
1138 |
} |
|
1139 |
} |
|
1140 |
return null; |
|
1141 |
} |
|
1142 |
||
1143 |
/** |
|
1144 |
* Stores this keystore to the given output stream, and protects its |
|
1145 |
* integrity with the given password. |
|
1146 |
* |
|
1147 |
* @param stream the output stream to which this keystore is written. |
|
1148 |
* @param password the password to generate the keystore integrity check |
|
1149 |
* |
|
1150 |
* @exception IOException if there was an I/O problem with data |
|
1151 |
* @exception NoSuchAlgorithmException if the appropriate data integrity |
|
1152 |
* algorithm could not be found |
|
1153 |
* @exception CertificateException if any of the certificates included in |
|
1154 |
* the keystore data could not be stored |
|
1155 |
*/ |
|
1156 |
public synchronized void engineStore(OutputStream stream, char[] password) |
|
1157 |
throws IOException, NoSuchAlgorithmException, CertificateException |
|
1158 |
{ |
|
1159 |
// password is mandatory when storing |
|
1160 |
if (password == null) { |
|
1161 |
throw new IllegalArgumentException("password can't be null"); |
|
1162 |
} |
|
1163 |
||
1164 |
// -- Create PFX |
|
1165 |
DerOutputStream pfx = new DerOutputStream(); |
|
1166 |
||
1167 |
// PFX version (always write the latest version) |
|
1168 |
DerOutputStream version = new DerOutputStream(); |
|
1169 |
version.putInteger(VERSION_3); |
|
1170 |
byte[] pfxVersion = version.toByteArray(); |
|
1171 |
pfx.write(pfxVersion); |
|
1172 |
||
1173 |
// -- Create AuthSafe |
|
1174 |
DerOutputStream authSafe = new DerOutputStream(); |
|
1175 |
||
1176 |
// -- Create ContentInfos |
|
1177 |
DerOutputStream authSafeContentInfo = new DerOutputStream(); |
|
1178 |
||
1179 |
// -- create safeContent Data ContentInfo |
|
15298 | 1180 |
if (privateKeyCount > 0 || secretKeyCount > 0) { |
1181 |
||
1182 |
if (debug != null) { |
|
15538
02e547c0b530
8007483: attributes are ignored when loading keys from a PKCS12 keystore
vinnie
parents:
15308
diff
changeset
|
1183 |
debug.println("Storing " + (privateKeyCount + secretKeyCount) + |
15298 | 1184 |
" protected key(s) in a PKCS#7 data content-type"); |
1185 |
} |
|
1186 |
||
1187 |
byte[] safeContentData = createSafeContent(); |
|
1188 |
ContentInfo dataContentInfo = new ContentInfo(safeContentData); |
|
1189 |
dataContentInfo.encode(authSafeContentInfo); |
|
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1190 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1191 |
|
2 | 1192 |
// -- create EncryptedContentInfo |
15298 | 1193 |
if (certificateCount > 0) { |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1194 |
|
15298 | 1195 |
if (debug != null) { |
1196 |
debug.println("Storing " + certificateCount + |
|
1197 |
" certificate(s) in a PKCS#7 encryptedData content-type"); |
|
1198 |
} |
|
1199 |
||
1200 |
byte[] encrData = createEncryptedData(password); |
|
1201 |
ContentInfo encrContentInfo = |
|
2 | 1202 |
new ContentInfo(ContentInfo.ENCRYPTED_DATA_OID, |
1203 |
new DerValue(encrData)); |
|
15298 | 1204 |
encrContentInfo.encode(authSafeContentInfo); |
1205 |
} |
|
2 | 1206 |
|
1207 |
// wrap as SequenceOf ContentInfos |
|
1208 |
DerOutputStream cInfo = new DerOutputStream(); |
|
1209 |
cInfo.write(DerValue.tag_SequenceOf, authSafeContentInfo); |
|
1210 |
byte[] authenticatedSafe = cInfo.toByteArray(); |
|
1211 |
||
1212 |
// Create Encapsulated ContentInfo |
|
1213 |
ContentInfo contentInfo = new ContentInfo(authenticatedSafe); |
|
1214 |
contentInfo.encode(authSafe); |
|
1215 |
byte[] authSafeData = authSafe.toByteArray(); |
|
1216 |
pfx.write(authSafeData); |
|
1217 |
||
1218 |
// -- MAC |
|
1219 |
byte[] macData = calculateMac(password, authenticatedSafe); |
|
1220 |
pfx.write(macData); |
|
1221 |
||
1222 |
// write PFX to output stream |
|
1223 |
DerOutputStream pfxout = new DerOutputStream(); |
|
1224 |
pfxout.write(DerValue.tag_Sequence, pfx); |
|
1225 |
byte[] pfxData = pfxout.toByteArray(); |
|
1226 |
stream.write(pfxData); |
|
1227 |
stream.flush(); |
|
1228 |
} |
|
1229 |
||
15298 | 1230 |
/** |
1231 |
* Gets a <code>KeyStore.Entry</code> for the specified alias |
|
1232 |
* with the specified protection parameter. |
|
1233 |
* |
|
1234 |
* @param alias get the <code>KeyStore.Entry</code> for this alias |
|
1235 |
* @param protParam the <code>ProtectionParameter</code> |
|
1236 |
* used to protect the <code>Entry</code>, |
|
1237 |
* which may be <code>null</code> |
|
1238 |
* |
|
1239 |
* @return the <code>KeyStore.Entry</code> for the specified alias, |
|
1240 |
* or <code>null</code> if there is no such entry |
|
1241 |
* |
|
1242 |
* @exception KeyStoreException if the operation failed |
|
1243 |
* @exception NoSuchAlgorithmException if the algorithm for recovering the |
|
1244 |
* entry cannot be found |
|
1245 |
* @exception UnrecoverableEntryException if the specified |
|
1246 |
* <code>protParam</code> were insufficient or invalid |
|
1247 |
* @exception UnrecoverableKeyException if the entry is a |
|
1248 |
* <code>PrivateKeyEntry</code> or <code>SecretKeyEntry</code> |
|
1249 |
* and the specified <code>protParam</code> does not contain |
|
1250 |
* the information needed to recover the key (e.g. wrong password) |
|
1251 |
* |
|
1252 |
* @since 1.5 |
|
1253 |
*/ |
|
1254 |
@Override |
|
1255 |
public KeyStore.Entry engineGetEntry(String alias, |
|
1256 |
KeyStore.ProtectionParameter protParam) |
|
1257 |
throws KeyStoreException, NoSuchAlgorithmException, |
|
1258 |
UnrecoverableEntryException { |
|
1259 |
||
1260 |
if (!engineContainsAlias(alias)) { |
|
1261 |
return null; |
|
1262 |
} |
|
1263 |
||
1264 |
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); |
|
1265 |
if (protParam == null) { |
|
1266 |
if (engineIsCertificateEntry(alias)) { |
|
1267 |
if (entry instanceof CertEntry && |
|
1268 |
((CertEntry) entry).trustedKeyUsage != null) { |
|
1269 |
||
1270 |
if (debug != null) { |
|
1271 |
debug.println("Retrieved a trusted certificate at " + |
|
1272 |
"alias '" + alias + "'"); |
|
1273 |
} |
|
1274 |
||
1275 |
return new KeyStore.TrustedCertificateEntry( |
|
1276 |
((CertEntry)entry).cert, getAttributes(entry)); |
|
1277 |
} |
|
1278 |
} else { |
|
1279 |
throw new UnrecoverableKeyException |
|
1280 |
("requested entry requires a password"); |
|
1281 |
} |
|
1282 |
} |
|
1283 |
||
1284 |
if (protParam instanceof KeyStore.PasswordProtection) { |
|
1285 |
if (engineIsCertificateEntry(alias)) { |
|
1286 |
throw new UnsupportedOperationException |
|
1287 |
("trusted certificate entries are not password-protected"); |
|
1288 |
} else if (engineIsKeyEntry(alias)) { |
|
1289 |
KeyStore.PasswordProtection pp = |
|
1290 |
(KeyStore.PasswordProtection)protParam; |
|
1291 |
char[] password = pp.getPassword(); |
|
1292 |
||
1293 |
Key key = engineGetKey(alias, password); |
|
1294 |
if (key instanceof PrivateKey) { |
|
1295 |
Certificate[] chain = engineGetCertificateChain(alias); |
|
1296 |
||
1297 |
return new KeyStore.PrivateKeyEntry((PrivateKey)key, chain, |
|
1298 |
getAttributes(entry)); |
|
1299 |
||
1300 |
} else if (key instanceof SecretKey) { |
|
1301 |
||
1302 |
return new KeyStore.SecretKeyEntry((SecretKey)key, |
|
1303 |
getAttributes(entry)); |
|
1304 |
} |
|
1305 |
} else if (!engineIsKeyEntry(alias)) { |
|
1306 |
throw new UnsupportedOperationException |
|
1307 |
("untrusted certificate entries are not " + |
|
1308 |
"password-protected"); |
|
1309 |
} |
|
1310 |
} |
|
1311 |
||
1312 |
throw new UnsupportedOperationException(); |
|
1313 |
} |
|
1314 |
||
1315 |
/** |
|
1316 |
* Saves a <code>KeyStore.Entry</code> under the specified alias. |
|
1317 |
* The specified protection parameter is used to protect the |
|
1318 |
* <code>Entry</code>. |
|
1319 |
* |
|
1320 |
* <p> If an entry already exists for the specified alias, |
|
1321 |
* it is overridden. |
|
1322 |
* |
|
1323 |
* @param alias save the <code>KeyStore.Entry</code> under this alias |
|
1324 |
* @param entry the <code>Entry</code> to save |
|
1325 |
* @param protParam the <code>ProtectionParameter</code> |
|
1326 |
* used to protect the <code>Entry</code>, |
|
1327 |
* which may be <code>null</code> |
|
1328 |
* |
|
1329 |
* @exception KeyStoreException if this operation fails |
|
1330 |
* |
|
1331 |
* @since 1.5 |
|
1332 |
*/ |
|
1333 |
@Override |
|
1334 |
public synchronized void engineSetEntry(String alias, KeyStore.Entry entry, |
|
1335 |
KeyStore.ProtectionParameter protParam) throws KeyStoreException { |
|
1336 |
||
1337 |
// get password |
|
1338 |
if (protParam != null && |
|
1339 |
!(protParam instanceof KeyStore.PasswordProtection)) { |
|
1340 |
throw new KeyStoreException("unsupported protection parameter"); |
|
1341 |
} |
|
1342 |
KeyStore.PasswordProtection pProtect = null; |
|
1343 |
if (protParam != null) { |
|
1344 |
pProtect = (KeyStore.PasswordProtection)protParam; |
|
1345 |
} |
|
1346 |
||
1347 |
// set entry |
|
1348 |
if (entry instanceof KeyStore.TrustedCertificateEntry) { |
|
1349 |
if (protParam != null && pProtect.getPassword() != null) { |
|
1350 |
// pre-1.5 style setCertificateEntry did not allow password |
|
1351 |
throw new KeyStoreException |
|
1352 |
("trusted certificate entries are not password-protected"); |
|
1353 |
} else { |
|
1354 |
KeyStore.TrustedCertificateEntry tce = |
|
1355 |
(KeyStore.TrustedCertificateEntry)entry; |
|
1356 |
setCertEntry(alias, tce.getTrustedCertificate(), |
|
1357 |
tce.getAttributes()); |
|
1358 |
||
1359 |
return; |
|
1360 |
} |
|
1361 |
} else if (entry instanceof KeyStore.PrivateKeyEntry) { |
|
1362 |
if (pProtect == null || pProtect.getPassword() == null) { |
|
1363 |
// pre-1.5 style setKeyEntry required password |
|
1364 |
throw new KeyStoreException |
|
1365 |
("non-null password required to create PrivateKeyEntry"); |
|
1366 |
} else { |
|
1367 |
KeyStore.PrivateKeyEntry pke = (KeyStore.PrivateKeyEntry)entry; |
|
1368 |
setKeyEntry(alias, pke.getPrivateKey(), pProtect, |
|
1369 |
pke.getCertificateChain(), pke.getAttributes()); |
|
1370 |
||
1371 |
return; |
|
1372 |
} |
|
1373 |
} else if (entry instanceof KeyStore.SecretKeyEntry) { |
|
1374 |
if (pProtect == null || pProtect.getPassword() == null) { |
|
1375 |
// pre-1.5 style setKeyEntry required password |
|
1376 |
throw new KeyStoreException |
|
1377 |
("non-null password required to create SecretKeyEntry"); |
|
1378 |
} else { |
|
1379 |
KeyStore.SecretKeyEntry ske = (KeyStore.SecretKeyEntry)entry; |
|
1380 |
setKeyEntry(alias, ske.getSecretKey(), pProtect, |
|
1381 |
(Certificate[])null, ske.getAttributes()); |
|
1382 |
||
1383 |
return; |
|
1384 |
} |
|
1385 |
} |
|
1386 |
||
1387 |
throw new KeyStoreException |
|
1388 |
("unsupported entry type: " + entry.getClass().getName()); |
|
1389 |
} |
|
1390 |
||
1391 |
/* |
|
1392 |
* Assemble the entry attributes |
|
1393 |
*/ |
|
1394 |
private Set<KeyStore.Entry.Attribute> getAttributes(Entry entry) { |
|
1395 |
||
1396 |
if (entry.attributes == null) { |
|
1397 |
entry.attributes = new HashSet<>(); |
|
1398 |
} |
|
1399 |
||
1400 |
// friendlyName |
|
1401 |
entry.attributes.add(new PKCS12Attribute( |
|
1402 |
PKCS9FriendlyName_OID.toString(), entry.alias)); |
|
1403 |
||
1404 |
// localKeyID |
|
1405 |
byte[] keyIdValue = entry.keyId; |
|
1406 |
if (keyIdValue != null) { |
|
1407 |
entry.attributes.add(new PKCS12Attribute( |
|
1408 |
PKCS9LocalKeyId_OID.toString(), Debug.toString(keyIdValue))); |
|
1409 |
} |
|
1410 |
||
1411 |
// trustedKeyUsage |
|
1412 |
if (entry instanceof CertEntry) { |
|
1413 |
ObjectIdentifier[] trustedKeyUsageValue = |
|
1414 |
((CertEntry) entry).trustedKeyUsage; |
|
1415 |
if (trustedKeyUsageValue != null) { |
|
1416 |
if (trustedKeyUsageValue.length == 1) { // omit brackets |
|
1417 |
entry.attributes.add(new PKCS12Attribute( |
|
1418 |
TrustedKeyUsage_OID.toString(), |
|
1419 |
trustedKeyUsageValue[0].toString())); |
|
1420 |
} else { // multi-valued |
|
1421 |
entry.attributes.add(new PKCS12Attribute( |
|
1422 |
TrustedKeyUsage_OID.toString(), |
|
1423 |
Arrays.toString(trustedKeyUsageValue))); |
|
1424 |
} |
|
1425 |
} |
|
1426 |
} |
|
1427 |
||
1428 |
return entry.attributes; |
|
1429 |
} |
|
1430 |
||
2 | 1431 |
/* |
1432 |
* Generate Hash. |
|
1433 |
*/ |
|
1434 |
private byte[] generateHash(byte[] data) throws IOException |
|
1435 |
{ |
|
1436 |
byte[] digest = null; |
|
1437 |
||
1438 |
try { |
|
1439 |
MessageDigest md = MessageDigest.getInstance("SHA1"); |
|
1440 |
md.update(data); |
|
1441 |
digest = md.digest(); |
|
1442 |
} catch (Exception e) { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
1443 |
throw new IOException("generateHash failed: " + e, e); |
2 | 1444 |
} |
1445 |
return digest; |
|
1446 |
} |
|
1447 |
||
1448 |
||
1449 |
/* |
|
1450 |
* Calculate MAC using HMAC algorithm (required for password integrity) |
|
1451 |
* |
|
1452 |
* Hash-based MAC algorithm combines secret key with message digest to |
|
1453 |
* create a message authentication code (MAC) |
|
1454 |
*/ |
|
1455 |
private byte[] calculateMac(char[] passwd, byte[] data) |
|
1456 |
throws IOException |
|
1457 |
{ |
|
1458 |
byte[] mData = null; |
|
1459 |
String algName = "SHA1"; |
|
1460 |
||
1461 |
try { |
|
1462 |
// Generate a random salt. |
|
1463 |
byte[] salt = getSalt(); |
|
1464 |
||
1465 |
// generate MAC (MAC key is generated within JCE) |
|
1466 |
Mac m = Mac.getInstance("HmacPBESHA1"); |
|
1467 |
PBEParameterSpec params = |
|
1468 |
new PBEParameterSpec(salt, iterationCount); |
|
1469 |
SecretKey key = getPBEKey(passwd); |
|
1470 |
m.init(key, params); |
|
1471 |
m.update(data); |
|
1472 |
byte[] macResult = m.doFinal(); |
|
1473 |
||
1474 |
// encode as MacData |
|
1475 |
MacData macData = new MacData(algName, macResult, salt, |
|
1476 |
iterationCount); |
|
1477 |
DerOutputStream bytes = new DerOutputStream(); |
|
1478 |
bytes.write(macData.getEncoded()); |
|
1479 |
mData = bytes.toByteArray(); |
|
1480 |
} catch (Exception e) { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
1481 |
throw new IOException("calculateMac failed: " + e, e); |
2 | 1482 |
} |
1483 |
return mData; |
|
1484 |
} |
|
1485 |
||
1486 |
||
1487 |
/* |
|
1488 |
* Validate Certificate Chain |
|
1489 |
*/ |
|
1490 |
private boolean validateChain(Certificate[] certChain) |
|
1491 |
{ |
|
1492 |
for (int i = 0; i < certChain.length-1; i++) { |
|
1493 |
X500Principal issuerDN = |
|
1494 |
((X509Certificate)certChain[i]).getIssuerX500Principal(); |
|
1495 |
X500Principal subjectDN = |
|
1496 |
((X509Certificate)certChain[i+1]).getSubjectX500Principal(); |
|
1497 |
if (!(issuerDN.equals(subjectDN))) |
|
1498 |
return false; |
|
1499 |
} |
|
29909 | 1500 |
|
1501 |
// Check for loops in the chain. If there are repeated certs, |
|
1502 |
// the Set of certs in the chain will contain fewer certs than |
|
1503 |
// the chain |
|
1504 |
Set<Certificate> set = new HashSet<>(Arrays.asList(certChain)); |
|
1505 |
return set.size() == certChain.length; |
|
2 | 1506 |
} |
1507 |
||
1508 |
||
1509 |
/* |
|
15298 | 1510 |
* Create PKCS#12 Attributes, friendlyName, localKeyId and trustedKeyUsage. |
2 | 1511 |
* |
1512 |
* Although attributes are optional, they could be required. |
|
1513 |
* For e.g. localKeyId attribute is required to match the |
|
1514 |
* private key with the associated end-entity certificate. |
|
15298 | 1515 |
* The trustedKeyUsage attribute is used to denote a trusted certificate. |
2 | 1516 |
* |
1517 |
* PKCS8ShroudedKeyBags include unique localKeyID and friendlyName. |
|
1518 |
* CertBags may or may not include attributes depending on the type |
|
1519 |
* of Certificate. In end-entity certificates, localKeyID should be |
|
1520 |
* unique, and the corresponding private key should have the same |
|
1521 |
* localKeyID. For trusted CA certs in the cert-chain, localKeyID |
|
1522 |
* attribute is not required, hence most vendors don't include it. |
|
1523 |
* NSS/Netscape require it to be unique or null, where as IE/OpenSSL |
|
1524 |
* ignore it. |
|
1525 |
* |
|
1526 |
* Here is a list of pkcs12 attribute values in CertBags. |
|
1527 |
* |
|
1528 |
* PKCS12 Attribute NSS/Netscape IE OpenSSL J2SE |
|
1529 |
* -------------------------------------------------------------- |
|
1530 |
* LocalKeyId |
|
1531 |
* (In EE cert only, |
|
1532 |
* NULL in CA certs) true true true true |
|
1533 |
* |
|
1534 |
* friendlyName unique same/ same/ unique |
|
1535 |
* unique unique/ |
|
1536 |
* null |
|
15298 | 1537 |
* trustedKeyUsage - - - true |
2 | 1538 |
* |
1539 |
* Note: OpenSSL adds friendlyName for end-entity cert only, and |
|
1540 |
* removes the localKeyID and friendlyName for CA certs. |
|
1541 |
* If the CertBag did not have a friendlyName, most vendors will |
|
1542 |
* add it, and assign it to the DN of the cert. |
|
1543 |
*/ |
|
15298 | 1544 |
private byte[] getBagAttributes(String alias, byte[] keyId, |
1545 |
Set<KeyStore.Entry.Attribute> attributes) throws IOException { |
|
1546 |
return getBagAttributes(alias, keyId, null, attributes); |
|
1547 |
} |
|
1548 |
||
1549 |
private byte[] getBagAttributes(String alias, byte[] keyId, |
|
1550 |
ObjectIdentifier[] trustedUsage, |
|
1551 |
Set<KeyStore.Entry.Attribute> attributes) throws IOException { |
|
2 | 1552 |
|
1553 |
byte[] localKeyID = null; |
|
1554 |
byte[] friendlyName = null; |
|
15298 | 1555 |
byte[] trustedKeyUsage = null; |
2 | 1556 |
|
15298 | 1557 |
// return null if all three attributes are null |
1558 |
if ((alias == null) && (keyId == null) && (trustedKeyUsage == null)) { |
|
2 | 1559 |
return null; |
1560 |
} |
|
1561 |
||
1562 |
// SafeBag Attributes |
|
1563 |
DerOutputStream bagAttrs = new DerOutputStream(); |
|
1564 |
||
1565 |
// Encode the friendlyname oid. |
|
1566 |
if (alias != null) { |
|
1567 |
DerOutputStream bagAttr1 = new DerOutputStream(); |
|
1568 |
bagAttr1.putOID(PKCS9FriendlyName_OID); |
|
1569 |
DerOutputStream bagAttrContent1 = new DerOutputStream(); |
|
1570 |
DerOutputStream bagAttrValue1 = new DerOutputStream(); |
|
1571 |
bagAttrContent1.putBMPString(alias); |
|
1572 |
bagAttr1.write(DerValue.tag_Set, bagAttrContent1); |
|
1573 |
bagAttrValue1.write(DerValue.tag_Sequence, bagAttr1); |
|
1574 |
friendlyName = bagAttrValue1.toByteArray(); |
|
1575 |
} |
|
1576 |
||
1577 |
// Encode the localkeyId oid. |
|
1578 |
if (keyId != null) { |
|
1579 |
DerOutputStream bagAttr2 = new DerOutputStream(); |
|
1580 |
bagAttr2.putOID(PKCS9LocalKeyId_OID); |
|
1581 |
DerOutputStream bagAttrContent2 = new DerOutputStream(); |
|
1582 |
DerOutputStream bagAttrValue2 = new DerOutputStream(); |
|
1583 |
bagAttrContent2.putOctetString(keyId); |
|
1584 |
bagAttr2.write(DerValue.tag_Set, bagAttrContent2); |
|
1585 |
bagAttrValue2.write(DerValue.tag_Sequence, bagAttr2); |
|
1586 |
localKeyID = bagAttrValue2.toByteArray(); |
|
1587 |
} |
|
1588 |
||
15298 | 1589 |
// Encode the trustedKeyUsage oid. |
1590 |
if (trustedUsage != null) { |
|
1591 |
DerOutputStream bagAttr3 = new DerOutputStream(); |
|
1592 |
bagAttr3.putOID(TrustedKeyUsage_OID); |
|
1593 |
DerOutputStream bagAttrContent3 = new DerOutputStream(); |
|
1594 |
DerOutputStream bagAttrValue3 = new DerOutputStream(); |
|
1595 |
for (ObjectIdentifier usage : trustedUsage) { |
|
1596 |
bagAttrContent3.putOID(usage); |
|
1597 |
} |
|
1598 |
bagAttr3.write(DerValue.tag_Set, bagAttrContent3); |
|
1599 |
bagAttrValue3.write(DerValue.tag_Sequence, bagAttr3); |
|
1600 |
trustedKeyUsage = bagAttrValue3.toByteArray(); |
|
1601 |
} |
|
1602 |
||
2 | 1603 |
DerOutputStream attrs = new DerOutputStream(); |
1604 |
if (friendlyName != null) { |
|
1605 |
attrs.write(friendlyName); |
|
1606 |
} |
|
1607 |
if (localKeyID != null) { |
|
1608 |
attrs.write(localKeyID); |
|
1609 |
} |
|
15298 | 1610 |
if (trustedKeyUsage != null) { |
1611 |
attrs.write(trustedKeyUsage); |
|
1612 |
} |
|
1613 |
||
1614 |
if (attributes != null) { |
|
1615 |
for (KeyStore.Entry.Attribute attribute : attributes) { |
|
15308
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
1616 |
String attributeName = attribute.getName(); |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
1617 |
// skip friendlyName, localKeyId and trustedKeyUsage |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
1618 |
if (CORE_ATTRIBUTES[0].equals(attributeName) || |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
1619 |
CORE_ATTRIBUTES[1].equals(attributeName) || |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
1620 |
CORE_ATTRIBUTES[2].equals(attributeName)) { |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
1621 |
continue; |
55742a890b6c
8006951: Avoid storing duplicate PKCS12 attributes
vinnie
parents:
15307
diff
changeset
|
1622 |
} |
15298 | 1623 |
attrs.write(((PKCS12Attribute) attribute).getEncoded()); |
1624 |
} |
|
1625 |
} |
|
1626 |
||
2 | 1627 |
bagAttrs.write(DerValue.tag_Set, attrs); |
1628 |
return bagAttrs.toByteArray(); |
|
1629 |
} |
|
1630 |
||
1631 |
/* |
|
1632 |
* Create EncryptedData content type, that contains EncryptedContentInfo. |
|
1633 |
* Includes certificates in individual SafeBags of type CertBag. |
|
1634 |
* Each CertBag may include pkcs12 attributes |
|
1635 |
* (see comments in getBagAttributes) |
|
1636 |
*/ |
|
1637 |
private byte[] createEncryptedData(char[] password) |
|
1638 |
throws CertificateException, IOException |
|
1639 |
{ |
|
1640 |
DerOutputStream out = new DerOutputStream(); |
|
15298 | 1641 |
for (Enumeration<String> e = engineAliases(); e.hasMoreElements(); ) { |
2 | 1642 |
|
1643 |
String alias = e.nextElement(); |
|
15298 | 1644 |
Entry entry = entries.get(alias); |
2 | 1645 |
|
1646 |
// certificate chain |
|
30368
60f02327d396
8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
vinnie
parents:
29909
diff
changeset
|
1647 |
Certificate[] certs; |
15298 | 1648 |
|
1649 |
if (entry instanceof PrivateKeyEntry) { |
|
1650 |
PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry; |
|
30368
60f02327d396
8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
vinnie
parents:
29909
diff
changeset
|
1651 |
if (keyEntry.chain != null) { |
60f02327d396
8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
vinnie
parents:
29909
diff
changeset
|
1652 |
certs = keyEntry.chain; |
60f02327d396
8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
vinnie
parents:
29909
diff
changeset
|
1653 |
} else { |
60f02327d396
8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
vinnie
parents:
29909
diff
changeset
|
1654 |
certs = new Certificate[0]; |
60f02327d396
8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
vinnie
parents:
29909
diff
changeset
|
1655 |
} |
15298 | 1656 |
} else if (entry instanceof CertEntry) { |
30368
60f02327d396
8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
vinnie
parents:
29909
diff
changeset
|
1657 |
certs = new Certificate[]{((CertEntry) entry).cert}; |
60f02327d396
8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
vinnie
parents:
29909
diff
changeset
|
1658 |
} else { |
60f02327d396
8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
vinnie
parents:
29909
diff
changeset
|
1659 |
certs = new Certificate[0]; |
2 | 1660 |
} |
1661 |
||
30368
60f02327d396
8079129: NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
vinnie
parents:
29909
diff
changeset
|
1662 |
for (int i = 0; i < certs.length; i++) { |
2 | 1663 |
// create SafeBag of Type CertBag |
1664 |
DerOutputStream safeBag = new DerOutputStream(); |
|
1665 |
safeBag.putOID(CertBag_OID); |
|
1666 |
||
1667 |
// create a CertBag |
|
1668 |
DerOutputStream certBag = new DerOutputStream(); |
|
1669 |
certBag.putOID(PKCS9CertType_OID); |
|
1670 |
||
1671 |
// write encoded certs in a context-specific tag |
|
1672 |
DerOutputStream certValue = new DerOutputStream(); |
|
15298 | 1673 |
X509Certificate cert = (X509Certificate) certs[i]; |
2 | 1674 |
certValue.putOctetString(cert.getEncoded()); |
1675 |
certBag.write(DerValue.createTag(DerValue.TAG_CONTEXT, |
|
1676 |
true, (byte) 0), certValue); |
|
1677 |
||
1678 |
// wrap CertBag in a Sequence |
|
1679 |
DerOutputStream certout = new DerOutputStream(); |
|
1680 |
certout.write(DerValue.tag_Sequence, certBag); |
|
1681 |
byte[] certBagValue = certout.toByteArray(); |
|
1682 |
||
1683 |
// Wrap the CertBag encoding in a context-specific tag. |
|
1684 |
DerOutputStream bagValue = new DerOutputStream(); |
|
1685 |
bagValue.write(certBagValue); |
|
1686 |
// write SafeBag Value |
|
1687 |
safeBag.write(DerValue.createTag(DerValue.TAG_CONTEXT, |
|
1688 |
true, (byte) 0), bagValue); |
|
1689 |
||
1690 |
// write SafeBag Attributes |
|
1691 |
// All Certs should have a unique friendlyName. |
|
1692 |
// This change is made to meet NSS requirements. |
|
1693 |
byte[] bagAttrs = null; |
|
1694 |
if (i == 0) { |
|
1695 |
// Only End-Entity Cert should have a localKeyId. |
|
15298 | 1696 |
if (entry instanceof KeyEntry) { |
1697 |
KeyEntry keyEntry = (KeyEntry) entry; |
|
1698 |
bagAttrs = |
|
1699 |
getBagAttributes(keyEntry.alias, keyEntry.keyId, |
|
1700 |
keyEntry.attributes); |
|
1701 |
} else { |
|
1702 |
CertEntry certEntry = (CertEntry) entry; |
|
1703 |
bagAttrs = |
|
1704 |
getBagAttributes(certEntry.alias, certEntry.keyId, |
|
1705 |
certEntry.trustedKeyUsage, |
|
1706 |
certEntry.attributes); |
|
1707 |
} |
|
2 | 1708 |
} else { |
1709 |
// Trusted root CA certs and Intermediate CA certs do not |
|
1710 |
// need to have a localKeyId, and hence localKeyId is null |
|
1711 |
// This change is made to meet NSS/Netscape requirements. |
|
1712 |
// NSS pkcs12 library requires trusted CA certs in the |
|
1713 |
// certificate chain to have unique or null localKeyID. |
|
1714 |
// However, IE/OpenSSL do not impose this restriction. |
|
5973 | 1715 |
bagAttrs = getBagAttributes( |
15298 | 1716 |
cert.getSubjectX500Principal().getName(), null, |
1717 |
entry.attributes); |
|
2 | 1718 |
} |
1719 |
if (bagAttrs != null) { |
|
1720 |
safeBag.write(bagAttrs); |
|
1721 |
} |
|
1722 |
||
1723 |
// wrap as Sequence |
|
1724 |
out.write(DerValue.tag_Sequence, safeBag); |
|
1725 |
} // for cert-chain |
|
1726 |
} |
|
1727 |
||
1728 |
// wrap as SequenceOf SafeBag |
|
1729 |
DerOutputStream safeBagValue = new DerOutputStream(); |
|
1730 |
safeBagValue.write(DerValue.tag_SequenceOf, out); |
|
1731 |
byte[] safeBagData = safeBagValue.toByteArray(); |
|
1732 |
||
1733 |
// encrypt the content (EncryptedContentInfo) |
|
1734 |
byte[] encrContentInfo = encryptContent(safeBagData, password); |
|
1735 |
||
1736 |
// -- SEQUENCE of EncryptedData |
|
1737 |
DerOutputStream encrData = new DerOutputStream(); |
|
1738 |
DerOutputStream encrDataContent = new DerOutputStream(); |
|
1739 |
encrData.putInteger(0); |
|
1740 |
encrData.write(encrContentInfo); |
|
1741 |
encrDataContent.write(DerValue.tag_Sequence, encrData); |
|
1742 |
return encrDataContent.toByteArray(); |
|
1743 |
} |
|
1744 |
||
1745 |
/* |
|
1746 |
* Create SafeContent Data content type. |
|
15298 | 1747 |
* Includes encrypted secret key in a SafeBag of type SecretBag. |
2 | 1748 |
* Includes encrypted private key in a SafeBag of type PKCS8ShroudedKeyBag. |
1749 |
* Each PKCS8ShroudedKeyBag includes pkcs12 attributes |
|
1750 |
* (see comments in getBagAttributes) |
|
1751 |
*/ |
|
1752 |
private byte[] createSafeContent() |
|
1753 |
throws CertificateException, IOException { |
|
1754 |
||
1755 |
DerOutputStream out = new DerOutputStream(); |
|
15298 | 1756 |
for (Enumeration<String> e = engineAliases(); e.hasMoreElements(); ) { |
2 | 1757 |
|
1758 |
String alias = e.nextElement(); |
|
15298 | 1759 |
Entry entry = entries.get(alias); |
1760 |
if (entry == null || (!(entry instanceof KeyEntry))) { |
|
1761 |
continue; |
|
1762 |
} |
|
1763 |
DerOutputStream safeBag = new DerOutputStream(); |
|
1764 |
KeyEntry keyEntry = (KeyEntry) entry; |
|
1765 |
||
1766 |
// DER encode the private key |
|
1767 |
if (keyEntry instanceof PrivateKeyEntry) { |
|
1768 |
// Create SafeBag of type pkcs8ShroudedKeyBag |
|
1769 |
safeBag.putOID(PKCS8ShroudedKeyBag_OID); |
|
2 | 1770 |
|
15298 | 1771 |
// get the encrypted private key |
1772 |
byte[] encrBytes = ((PrivateKeyEntry)keyEntry).protectedPrivKey; |
|
1773 |
EncryptedPrivateKeyInfo encrInfo = null; |
|
1774 |
try { |
|
1775 |
encrInfo = new EncryptedPrivateKeyInfo(encrBytes); |
|
1776 |
||
1777 |
} catch (IOException ioe) { |
|
1778 |
throw new IOException("Private key not stored as " |
|
1779 |
+ "PKCS#8 EncryptedPrivateKeyInfo" |
|
1780 |
+ ioe.getMessage()); |
|
1781 |
} |
|
1782 |
||
1783 |
// Wrap the EncryptedPrivateKeyInfo in a context-specific tag. |
|
1784 |
DerOutputStream bagValue = new DerOutputStream(); |
|
1785 |
bagValue.write(encrInfo.getEncoded()); |
|
1786 |
safeBag.write(DerValue.createTag(DerValue.TAG_CONTEXT, |
|
1787 |
true, (byte) 0), bagValue); |
|
2 | 1788 |
|
15298 | 1789 |
// DER encode the secret key |
1790 |
} else if (keyEntry instanceof SecretKeyEntry) { |
|
1791 |
// Create SafeBag of type SecretBag |
|
1792 |
safeBag.putOID(SecretBag_OID); |
|
1793 |
||
1794 |
// Create a SecretBag |
|
1795 |
DerOutputStream secretBag = new DerOutputStream(); |
|
1796 |
secretBag.putOID(PKCS8ShroudedKeyBag_OID); |
|
1797 |
||
1798 |
// Write secret key in a context-specific tag |
|
1799 |
DerOutputStream secretKeyValue = new DerOutputStream(); |
|
1800 |
secretKeyValue.putOctetString( |
|
1801 |
((SecretKeyEntry) keyEntry).protectedSecretKey); |
|
1802 |
secretBag.write(DerValue.createTag(DerValue.TAG_CONTEXT, |
|
1803 |
true, (byte) 0), secretKeyValue); |
|
1804 |
||
1805 |
// Wrap SecretBag in a Sequence |
|
1806 |
DerOutputStream secretBagSeq = new DerOutputStream(); |
|
1807 |
secretBagSeq.write(DerValue.tag_Sequence, secretBag); |
|
1808 |
byte[] secretBagValue = secretBagSeq.toByteArray(); |
|
1809 |
||
1810 |
// Wrap the secret bag in a context-specific tag. |
|
1811 |
DerOutputStream bagValue = new DerOutputStream(); |
|
1812 |
bagValue.write(secretBagValue); |
|
1813 |
||
1814 |
// Write SafeBag value |
|
1815 |
safeBag.write(DerValue.createTag(DerValue.TAG_CONTEXT, |
|
1816 |
true, (byte) 0), bagValue); |
|
1817 |
} else { |
|
1818 |
continue; // skip this entry |
|
2 | 1819 |
} |
1820 |
||
1821 |
// write SafeBag Attributes |
|
15298 | 1822 |
byte[] bagAttrs = |
1823 |
getBagAttributes(alias, entry.keyId, entry.attributes); |
|
2 | 1824 |
safeBag.write(bagAttrs); |
1825 |
||
1826 |
// wrap as Sequence |
|
1827 |
out.write(DerValue.tag_Sequence, safeBag); |
|
1828 |
} |
|
1829 |
||
1830 |
// wrap as Sequence |
|
1831 |
DerOutputStream safeBagValue = new DerOutputStream(); |
|
1832 |
safeBagValue.write(DerValue.tag_Sequence, out); |
|
1833 |
return safeBagValue.toByteArray(); |
|
1834 |
} |
|
1835 |
||
1836 |
||
1837 |
/* |
|
1838 |
* Encrypt the contents using Password-based (PBE) encryption |
|
1839 |
* as defined in PKCS #5. |
|
1840 |
* |
|
1841 |
* NOTE: Currently pbeWithSHAAnd40BiteRC2-CBC algorithmID is used |
|
1842 |
* to derive the key and IV. |
|
1843 |
* |
|
1844 |
* @return encrypted contents encoded as EncryptedContentInfo |
|
1845 |
*/ |
|
1846 |
private byte[] encryptContent(byte[] data, char[] password) |
|
1847 |
throws IOException { |
|
1848 |
||
1849 |
byte[] encryptedData = null; |
|
1850 |
||
1851 |
// create AlgorithmParameters |
|
1852 |
AlgorithmParameters algParams = |
|
1853 |
getAlgorithmParameters("PBEWithSHA1AndRC2_40"); |
|
1854 |
DerOutputStream bytes = new DerOutputStream(); |
|
1855 |
AlgorithmId algId = |
|
1856 |
new AlgorithmId(pbeWithSHAAnd40BitRC2CBC_OID, algParams); |
|
1857 |
algId.encode(bytes); |
|
1858 |
byte[] encodedAlgId = bytes.toByteArray(); |
|
1859 |
||
1860 |
try { |
|
1861 |
// Use JCE |
|
1862 |
SecretKey skey = getPBEKey(password); |
|
1863 |
Cipher cipher = Cipher.getInstance("PBEWithSHA1AndRC2_40"); |
|
1864 |
cipher.init(Cipher.ENCRYPT_MODE, skey, algParams); |
|
1865 |
encryptedData = cipher.doFinal(data); |
|
1866 |
||
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1867 |
if (debug != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1868 |
debug.println(" (Cipher algorithm: " + cipher.getAlgorithm() + |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1869 |
")"); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1870 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1871 |
|
2 | 1872 |
} catch (Exception e) { |
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
1873 |
throw new IOException("Failed to encrypt" + |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
1874 |
" safe contents entry: " + e, e); |
2 | 1875 |
} |
1876 |
||
1877 |
// create EncryptedContentInfo |
|
1878 |
DerOutputStream bytes2 = new DerOutputStream(); |
|
1879 |
bytes2.putOID(ContentInfo.DATA_OID); |
|
1880 |
bytes2.write(encodedAlgId); |
|
1881 |
||
1882 |
// Wrap encrypted data in a context-specific tag. |
|
1883 |
DerOutputStream tmpout2 = new DerOutputStream(); |
|
1884 |
tmpout2.putOctetString(encryptedData); |
|
1885 |
bytes2.writeImplicit(DerValue.createTag(DerValue.TAG_CONTEXT, |
|
1886 |
false, (byte)0), tmpout2); |
|
1887 |
||
1888 |
// wrap EncryptedContentInfo in a Sequence |
|
1889 |
DerOutputStream out = new DerOutputStream(); |
|
1890 |
out.write(DerValue.tag_Sequence, bytes2); |
|
1891 |
return out.toByteArray(); |
|
1892 |
} |
|
1893 |
||
1894 |
/** |
|
1895 |
* Loads the keystore from the given input stream. |
|
1896 |
* |
|
1897 |
* <p>If a password is given, it is used to check the integrity of the |
|
1898 |
* keystore data. Otherwise, the integrity of the keystore is not checked. |
|
1899 |
* |
|
1900 |
* @param stream the input stream from which the keystore is loaded |
|
1901 |
* @param password the (optional) password used to check the integrity of |
|
1902 |
* the keystore. |
|
1903 |
* |
|
1904 |
* @exception IOException if there is an I/O or format problem with the |
|
1905 |
* keystore data |
|
1906 |
* @exception NoSuchAlgorithmException if the algorithm used to check |
|
1907 |
* the integrity of the keystore cannot be found |
|
1908 |
* @exception CertificateException if any of the certificates in the |
|
1909 |
* keystore could not be loaded |
|
1910 |
*/ |
|
1911 |
public synchronized void engineLoad(InputStream stream, char[] password) |
|
1912 |
throws IOException, NoSuchAlgorithmException, CertificateException |
|
1913 |
{ |
|
1914 |
DataInputStream dis; |
|
1915 |
CertificateFactory cf = null; |
|
1916 |
ByteArrayInputStream bais = null; |
|
1917 |
byte[] encoded = null; |
|
1918 |
||
1919 |
if (stream == null) |
|
1920 |
return; |
|
1921 |
||
1922 |
// reset the counter |
|
1923 |
counter = 0; |
|
1924 |
||
1925 |
DerValue val = new DerValue(stream); |
|
1926 |
DerInputStream s = val.toDerInputStream(); |
|
1927 |
int version = s.getInteger(); |
|
1928 |
||
1929 |
if (version != VERSION_3) { |
|
1930 |
throw new IOException("PKCS12 keystore not in version 3 format"); |
|
1931 |
} |
|
1932 |
||
1933 |
entries.clear(); |
|
1934 |
||
1935 |
/* |
|
1936 |
* Read the authSafe. |
|
1937 |
*/ |
|
1938 |
byte[] authSafeData; |
|
1939 |
ContentInfo authSafe = new ContentInfo(s); |
|
1940 |
ObjectIdentifier contentType = authSafe.getContentType(); |
|
1941 |
||
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
1942 |
if (contentType.equals(ContentInfo.DATA_OID)) { |
2 | 1943 |
authSafeData = authSafe.getData(); |
1944 |
} else /* signed data */ { |
|
1945 |
throw new IOException("public key protected PKCS12 not supported"); |
|
1946 |
} |
|
1947 |
||
1948 |
DerInputStream as = new DerInputStream(authSafeData); |
|
1949 |
DerValue[] safeContentsArray = as.getSequence(2); |
|
1950 |
int count = safeContentsArray.length; |
|
1951 |
||
15298 | 1952 |
// reset the counters at the start |
2 | 1953 |
privateKeyCount = 0; |
15298 | 1954 |
secretKeyCount = 0; |
1955 |
certificateCount = 0; |
|
2 | 1956 |
|
1957 |
/* |
|
1958 |
* Spin over the ContentInfos. |
|
1959 |
*/ |
|
1960 |
for (int i = 0; i < count; i++) { |
|
1961 |
byte[] safeContentsData; |
|
1962 |
ContentInfo safeContents; |
|
1963 |
DerInputStream sci; |
|
1964 |
byte[] eAlgId = null; |
|
1965 |
||
1966 |
sci = new DerInputStream(safeContentsArray[i].toByteArray()); |
|
1967 |
safeContents = new ContentInfo(sci); |
|
1968 |
contentType = safeContents.getContentType(); |
|
1969 |
safeContentsData = null; |
|
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
1970 |
if (contentType.equals(ContentInfo.DATA_OID)) { |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1971 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1972 |
if (debug != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1973 |
debug.println("Loading PKCS#7 data content-type"); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1974 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1975 |
|
2 | 1976 |
safeContentsData = safeContents.getData(); |
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
1977 |
} else if (contentType.equals(ContentInfo.ENCRYPTED_DATA_OID)) { |
2 | 1978 |
if (password == null) { |
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1979 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1980 |
if (debug != null) { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1981 |
debug.println("Warning: skipping PKCS#7 encryptedData" + |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1982 |
" content-type - no password was supplied"); |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1983 |
} |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
1984 |
continue; |
2 | 1985 |
} |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1986 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1987 |
if (debug != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1988 |
debug.println("Loading PKCS#7 encryptedData content-type"); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1989 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
1990 |
|
2 | 1991 |
DerInputStream edi = |
1992 |
safeContents.getContent().toDerInputStream(); |
|
1993 |
int edVersion = edi.getInteger(); |
|
1994 |
DerValue[] seq = edi.getSequence(2); |
|
1995 |
ObjectIdentifier edContentType = seq[0].getOID(); |
|
1996 |
eAlgId = seq[1].toByteArray(); |
|
1997 |
if (!seq[2].isContextSpecific((byte)0)) { |
|
1998 |
throw new IOException("encrypted content not present!"); |
|
1999 |
} |
|
2000 |
byte newTag = DerValue.tag_OctetString; |
|
2001 |
if (seq[2].isConstructed()) |
|
2002 |
newTag |= 0x20; |
|
2003 |
seq[2].resetTag(newTag); |
|
2004 |
safeContentsData = seq[2].getOctetString(); |
|
2005 |
||
2006 |
// parse Algorithm parameters |
|
2007 |
DerInputStream in = seq[1].toDerInputStream(); |
|
2008 |
ObjectIdentifier algOid = in.getOID(); |
|
15661
282a9cfb26ca
8007934: algorithm parameters for PBE Scheme 2 not decoded correctly in PKCS12 keystore
vinnie
parents:
15538
diff
changeset
|
2009 |
AlgorithmParameters algParams = parseAlgParameters(algOid, in); |
2 | 2010 |
|
11835
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2011 |
while (true) { |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2012 |
try { |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2013 |
// Use JCE |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2014 |
SecretKey skey = getPBEKey(password); |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2015 |
Cipher cipher = Cipher.getInstance(algOid.toString()); |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2016 |
cipher.init(Cipher.DECRYPT_MODE, skey, algParams); |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2017 |
safeContentsData = cipher.doFinal(safeContentsData); |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2018 |
break; |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2019 |
} catch (Exception e) { |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2020 |
if (password.length == 0) { |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2021 |
// Retry using an empty password |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2022 |
// without a NULL terminator. |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2023 |
password = new char[1]; |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2024 |
continue; |
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2025 |
} |
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2026 |
throw new IOException("keystore password was incorrect", |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2027 |
new UnrecoverableKeyException( |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2028 |
"failed to decrypt safe contents entry: " + e)); |
11835
c9e7cfc908b3
6879539: enable empty password support for pkcs12 keystore
weijun
parents:
10369
diff
changeset
|
2029 |
} |
2 | 2030 |
} |
2031 |
} else { |
|
2032 |
throw new IOException("public key protected PKCS12" + |
|
2033 |
" not supported"); |
|
2034 |
} |
|
2035 |
DerInputStream sc = new DerInputStream(safeContentsData); |
|
2036 |
loadSafeContents(sc, password); |
|
2037 |
} |
|
2038 |
||
2039 |
// The MacData is optional. |
|
2040 |
if (password != null && s.available() > 0) { |
|
2041 |
MacData macData = new MacData(s); |
|
2042 |
try { |
|
10369
e9d2e59e53f0
7059542: JNDI name operations should be locale independent
xuelei
parents:
10336
diff
changeset
|
2043 |
String algName = |
e9d2e59e53f0
7059542: JNDI name operations should be locale independent
xuelei
parents:
10336
diff
changeset
|
2044 |
macData.getDigestAlgName().toUpperCase(Locale.ENGLISH); |
13361
bda5c2354fc6
7180907: Jarsigner -verify fails if rsa file used sha-256 with authenticated attributes
weijun
parents:
11835
diff
changeset
|
2045 |
|
bda5c2354fc6
7180907: Jarsigner -verify fails if rsa file used sha-256 with authenticated attributes
weijun
parents:
11835
diff
changeset
|
2046 |
// Change SHA-1 to SHA1 |
bda5c2354fc6
7180907: Jarsigner -verify fails if rsa file used sha-256 with authenticated attributes
weijun
parents:
11835
diff
changeset
|
2047 |
algName = algName.replace("-", ""); |
2 | 2048 |
|
2049 |
// generate MAC (MAC key is created within JCE) |
|
2050 |
Mac m = Mac.getInstance("HmacPBE" + algName); |
|
2051 |
PBEParameterSpec params = |
|
2052 |
new PBEParameterSpec(macData.getSalt(), |
|
2053 |
macData.getIterations()); |
|
2054 |
SecretKey key = getPBEKey(password); |
|
2055 |
m.init(key, params); |
|
2056 |
m.update(authSafeData); |
|
2057 |
byte[] macResult = m.doFinal(); |
|
2058 |
||
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
2059 |
if (debug != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
2060 |
debug.println("Checking keystore integrity " + |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
2061 |
"(MAC algorithm: " + m.getAlgorithm() + ")"); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
2062 |
} |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
2063 |
|
31695 | 2064 |
if (!MessageDigest.isEqual(macData.getDigest(), macResult)) { |
32634
614f8e5859aa
8134232: KeyStore.load() throws an IOException with a wrong cause in case of wrong password
asmotrak
parents:
31695
diff
changeset
|
2065 |
throw new UnrecoverableKeyException("Failed PKCS12" + |
2 | 2066 |
" integrity checking"); |
2067 |
} |
|
2068 |
} catch (Exception e) { |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
5973
diff
changeset
|
2069 |
throw new IOException("Integrity check failed: " + e, e); |
2 | 2070 |
} |
2071 |
} |
|
2072 |
||
2073 |
/* |
|
2074 |
* Match up private keys with certificate chains. |
|
2075 |
*/ |
|
15298 | 2076 |
PrivateKeyEntry[] list = |
2077 |
keyList.toArray(new PrivateKeyEntry[keyList.size()]); |
|
2 | 2078 |
for (int m = 0; m < list.length; m++) { |
15298 | 2079 |
PrivateKeyEntry entry = list[m]; |
2 | 2080 |
if (entry.keyId != null) { |
2081 |
ArrayList<X509Certificate> chain = |
|
2082 |
new ArrayList<X509Certificate>(); |
|
5973 | 2083 |
X509Certificate cert = findMatchedCertificate(entry); |
29909 | 2084 |
|
2085 |
mainloop: |
|
2 | 2086 |
while (cert != null) { |
29909 | 2087 |
// Check for loops in the certificate chain |
2088 |
if (!chain.isEmpty()) { |
|
2089 |
for (X509Certificate chainCert : chain) { |
|
2090 |
if (cert.equals(chainCert)) { |
|
2091 |
if (debug != null) { |
|
2092 |
debug.println("Loop detected in " + |
|
2093 |
"certificate chain. Skip adding " + |
|
2094 |
"repeated cert to chain. Subject: " + |
|
2095 |
cert.getSubjectX500Principal() |
|
2096 |
.toString()); |
|
2097 |
} |
|
2098 |
break mainloop; |
|
2099 |
} |
|
2100 |
} |
|
2101 |
} |
|
2 | 2102 |
chain.add(cert); |
2103 |
X500Principal issuerDN = cert.getIssuerX500Principal(); |
|
2104 |
if (issuerDN.equals(cert.getSubjectX500Principal())) { |
|
2105 |
break; |
|
2106 |
} |
|
5973 | 2107 |
cert = certsMap.get(issuerDN); |
2 | 2108 |
} |
2109 |
/* Update existing KeyEntry in entries table */ |
|
2110 |
if (chain.size() > 0) |
|
2111 |
entry.chain = chain.toArray(new Certificate[chain.size()]); |
|
2112 |
} |
|
2113 |
} |
|
15298 | 2114 |
|
2115 |
if (debug != null) { |
|
2116 |
if (privateKeyCount > 0) { |
|
2117 |
debug.println("Loaded " + privateKeyCount + |
|
2118 |
" protected private key(s)"); |
|
2119 |
} |
|
2120 |
if (secretKeyCount > 0) { |
|
2121 |
debug.println("Loaded " + secretKeyCount + |
|
2122 |
" protected secret key(s)"); |
|
2123 |
} |
|
2124 |
if (certificateCount > 0) { |
|
2125 |
debug.println("Loaded " + certificateCount + |
|
2126 |
" certificate(s)"); |
|
2127 |
} |
|
2128 |
} |
|
2129 |
||
5973 | 2130 |
certEntries.clear(); |
2131 |
certsMap.clear(); |
|
2 | 2132 |
keyList.clear(); |
2133 |
} |
|
2134 |
||
5973 | 2135 |
/** |
2136 |
* Locates a matched CertEntry from certEntries, and returns its cert. |
|
2137 |
* @param entry the KeyEntry to match |
|
2138 |
* @return a certificate, null if not found |
|
2139 |
*/ |
|
15298 | 2140 |
private X509Certificate findMatchedCertificate(PrivateKeyEntry entry) { |
5973 | 2141 |
CertEntry keyIdMatch = null; |
2142 |
CertEntry aliasMatch = null; |
|
2143 |
for (CertEntry ce: certEntries) { |
|
2144 |
if (Arrays.equals(entry.keyId, ce.keyId)) { |
|
2145 |
keyIdMatch = ce; |
|
2146 |
if (entry.alias.equalsIgnoreCase(ce.alias)) { |
|
2147 |
// Full match! |
|
2148 |
return ce.cert; |
|
2149 |
} |
|
2150 |
} else if (entry.alias.equalsIgnoreCase(ce.alias)) { |
|
2151 |
aliasMatch = ce; |
|
2152 |
} |
|
2153 |
} |
|
2154 |
// keyId match first, for compatibility |
|
2155 |
if (keyIdMatch != null) return keyIdMatch.cert; |
|
2156 |
else if (aliasMatch != null) return aliasMatch.cert; |
|
2157 |
else return null; |
|
2158 |
} |
|
2 | 2159 |
|
2160 |
private void loadSafeContents(DerInputStream stream, char[] password) |
|
2161 |
throws IOException, NoSuchAlgorithmException, CertificateException |
|
2162 |
{ |
|
2163 |
DerValue[] safeBags = stream.getSequence(2); |
|
2164 |
int count = safeBags.length; |
|
2165 |
||
2166 |
/* |
|
2167 |
* Spin over the SafeBags. |
|
2168 |
*/ |
|
2169 |
for (int i = 0; i < count; i++) { |
|
2170 |
ObjectIdentifier bagId; |
|
2171 |
DerInputStream sbi; |
|
2172 |
DerValue bagValue; |
|
2173 |
Object bagItem = null; |
|
2174 |
||
2175 |
sbi = safeBags[i].toDerInputStream(); |
|
2176 |
bagId = sbi.getOID(); |
|
2177 |
bagValue = sbi.getDerValue(); |
|
2178 |
if (!bagValue.isContextSpecific((byte)0)) { |
|
2179 |
throw new IOException("unsupported PKCS12 bag value type " |
|
2180 |
+ bagValue.tag); |
|
2181 |
} |
|
2182 |
bagValue = bagValue.data.getDerValue(); |
|
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
2183 |
if (bagId.equals(PKCS8ShroudedKeyBag_OID)) { |
15298 | 2184 |
PrivateKeyEntry kEntry = new PrivateKeyEntry(); |
2 | 2185 |
kEntry.protectedPrivKey = bagValue.toByteArray(); |
2186 |
bagItem = kEntry; |
|
2187 |
privateKeyCount++; |
|
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
2188 |
} else if (bagId.equals(CertBag_OID)) { |
2 | 2189 |
DerInputStream cs = new DerInputStream(bagValue.toByteArray()); |
2190 |
DerValue[] certValues = cs.getSequence(2); |
|
2191 |
ObjectIdentifier certId = certValues[0].getOID(); |
|
2192 |
if (!certValues[1].isContextSpecific((byte)0)) { |
|
2193 |
throw new IOException("unsupported PKCS12 cert value type " |
|
2194 |
+ certValues[1].tag); |
|
2195 |
} |
|
2196 |
DerValue certValue = certValues[1].data.getDerValue(); |
|
2197 |
CertificateFactory cf = CertificateFactory.getInstance("X509"); |
|
2198 |
X509Certificate cert; |
|
2199 |
cert = (X509Certificate)cf.generateCertificate |
|
2200 |
(new ByteArrayInputStream(certValue.getOctetString())); |
|
2201 |
bagItem = cert; |
|
15298 | 2202 |
certificateCount++; |
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
2203 |
} else if (bagId.equals(SecretBag_OID)) { |
15298 | 2204 |
DerInputStream ss = new DerInputStream(bagValue.toByteArray()); |
2205 |
DerValue[] secretValues = ss.getSequence(2); |
|
2206 |
ObjectIdentifier secretId = secretValues[0].getOID(); |
|
2207 |
if (!secretValues[1].isContextSpecific((byte)0)) { |
|
2208 |
throw new IOException( |
|
2209 |
"unsupported PKCS12 secret value type " |
|
2210 |
+ secretValues[1].tag); |
|
2211 |
} |
|
2212 |
DerValue secretValue = secretValues[1].data.getDerValue(); |
|
2213 |
SecretKeyEntry kEntry = new SecretKeyEntry(); |
|
2214 |
kEntry.protectedSecretKey = secretValue.getOctetString(); |
|
2215 |
bagItem = kEntry; |
|
15538
02e547c0b530
8007483: attributes are ignored when loading keys from a PKCS12 keystore
vinnie
parents:
15308
diff
changeset
|
2216 |
secretKeyCount++; |
2 | 2217 |
} else { |
15297
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
2218 |
|
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
2219 |
if (debug != null) { |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
2220 |
debug.println("Unsupported PKCS12 bag type: " + bagId); |
eb3d7b36b4c4
8006591: Protect keystore entries using stronger PBE algorithms
vinnie
parents:
14342
diff
changeset
|
2221 |
} |
2 | 2222 |
} |
2223 |
||
2224 |
DerValue[] attrSet; |
|
2225 |
try { |
|
15298 | 2226 |
attrSet = sbi.getSet(3); |
2 | 2227 |
} catch (IOException e) { |
2228 |
// entry does not have attributes |
|
2229 |
// Note: CA certs can have no attributes |
|
2230 |
// OpenSSL generates pkcs12 with no attr for CA certs. |
|
2231 |
attrSet = null; |
|
2232 |
} |
|
2233 |
||
2234 |
String alias = null; |
|
2235 |
byte[] keyId = null; |
|
15298 | 2236 |
ObjectIdentifier[] trustedKeyUsage = null; |
2237 |
Set<PKCS12Attribute> attributes = new HashSet<>(); |
|
2 | 2238 |
|
2239 |
if (attrSet != null) { |
|
2240 |
for (int j = 0; j < attrSet.length; j++) { |
|
15298 | 2241 |
byte[] encoded = attrSet[j].toByteArray(); |
2242 |
DerInputStream as = new DerInputStream(encoded); |
|
2 | 2243 |
DerValue[] attrSeq = as.getSequence(2); |
2244 |
ObjectIdentifier attrId = attrSeq[0].getOID(); |
|
2245 |
DerInputStream vs = |
|
2246 |
new DerInputStream(attrSeq[1].toByteArray()); |
|
2247 |
DerValue[] valSet; |
|
2248 |
try { |
|
2249 |
valSet = vs.getSet(1); |
|
2250 |
} catch (IOException e) { |
|
2251 |
throw new IOException("Attribute " + attrId + |
|
2252 |
" should have a value " + e.getMessage()); |
|
2253 |
} |
|
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
2254 |
if (attrId.equals(PKCS9FriendlyName_OID)) { |
2 | 2255 |
alias = valSet[0].getBMPString(); |
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
2256 |
} else if (attrId.equals(PKCS9LocalKeyId_OID)) { |
2 | 2257 |
keyId = valSet[0].getOctetString(); |
15298 | 2258 |
} else if |
31426
9cd672654f97
8022444: Remove sun.security.util.ObjectIdentifier.equals(ObjectIdentifier other) method
juh
parents:
30368
diff
changeset
|
2259 |
(attrId.equals(TrustedKeyUsage_OID)) { |
15298 | 2260 |
trustedKeyUsage = new ObjectIdentifier[valSet.length]; |
2261 |
for (int k = 0; k < valSet.length; k++) { |
|
2262 |
trustedKeyUsage[k] = valSet[k].getOID(); |
|
2263 |
} |
|
2 | 2264 |
} else { |
15298 | 2265 |
attributes.add(new PKCS12Attribute(encoded)); |
2 | 2266 |
} |
2267 |
} |
|
2268 |
} |
|
2269 |
||
2270 |
/* |
|
2271 |
* As per PKCS12 v1.0 friendlyname (alias) and localKeyId (keyId) |
|
2272 |
* are optional PKCS12 bagAttributes. But entries in the keyStore |
|
2273 |
* are identified by their alias. Hence we need to have an |
|
2274 |
* Unfriendlyname in the alias, if alias is null. The keyId |
|
2275 |
* attribute is required to match the private key with the |
|
2276 |
* certificate. If we get a bagItem of type KeyEntry with a |
|
2277 |
* null keyId, we should skip it entirely. |
|
2278 |
*/ |
|
2279 |
if (bagItem instanceof KeyEntry) { |
|
2280 |
KeyEntry entry = (KeyEntry)bagItem; |
|
15298 | 2281 |
|
2282 |
if (bagItem instanceof PrivateKeyEntry) { |
|
2283 |
if (keyId == null) { |
|
2284 |
// Insert a localKeyID for the privateKey |
|
2285 |
// Note: This is a workaround to allow null localKeyID |
|
2286 |
// attribute in pkcs12 with one private key entry and |
|
2287 |
// associated cert-chain |
|
2288 |
if (privateKeyCount == 1) { |
|
2289 |
keyId = "01".getBytes("UTF8"); |
|
2290 |
} else { |
|
2291 |
continue; |
|
2292 |
} |
|
2293 |
} |
|
2 | 2294 |
} |
2295 |
entry.keyId = keyId; |
|
2296 |
// restore date if it exists |
|
2297 |
String keyIdStr = new String(keyId, "UTF8"); |
|
2298 |
Date date = null; |
|
2299 |
if (keyIdStr.startsWith("Time ")) { |
|
2300 |
try { |
|
2301 |
date = new Date( |
|
2302 |
Long.parseLong(keyIdStr.substring(5))); |
|
2303 |
} catch (Exception e) { |
|
2304 |
date = null; |
|
2305 |
} |
|
2306 |
} |
|
2307 |
if (date == null) { |
|
2308 |
date = new Date(); |
|
2309 |
} |
|
2310 |
entry.date = date; |
|
15298 | 2311 |
|
2312 |
if (bagItem instanceof PrivateKeyEntry) { |
|
2313 |
keyList.add((PrivateKeyEntry) entry); |
|
2314 |
} |
|
15538
02e547c0b530
8007483: attributes are ignored when loading keys from a PKCS12 keystore
vinnie
parents:
15308
diff
changeset
|
2315 |
if (entry.attributes == null) { |
02e547c0b530
8007483: attributes are ignored when loading keys from a PKCS12 keystore
vinnie
parents:
15308
diff
changeset
|
2316 |
entry.attributes = new HashSet<>(); |
02e547c0b530
8007483: attributes are ignored when loading keys from a PKCS12 keystore
vinnie
parents:
15308
diff
changeset
|
2317 |
} |
02e547c0b530
8007483: attributes are ignored when loading keys from a PKCS12 keystore
vinnie
parents:
15308
diff
changeset
|
2318 |
entry.attributes.addAll(attributes); |
15298 | 2319 |
if (alias == null) { |
2 | 2320 |
alias = getUnfriendlyName(); |
15298 | 2321 |
} |
2 | 2322 |
entry.alias = alias; |
10369
e9d2e59e53f0
7059542: JNDI name operations should be locale independent
xuelei
parents:
10336
diff
changeset
|
2323 |
entries.put(alias.toLowerCase(Locale.ENGLISH), entry); |
15298 | 2324 |
|
2 | 2325 |
} else if (bagItem instanceof X509Certificate) { |
2326 |
X509Certificate cert = (X509Certificate)bagItem; |
|
2327 |
// Insert a localKeyID for the corresponding cert |
|
2328 |
// Note: This is a workaround to allow null localKeyID |
|
2329 |
// attribute in pkcs12 with one private key entry and |
|
2330 |
// associated cert-chain |
|
2331 |
if ((keyId == null) && (privateKeyCount == 1)) { |
|
2332 |
// insert localKeyID only for EE cert or self-signed cert |
|
2333 |
if (i == 0) { |
|
2334 |
keyId = "01".getBytes("UTF8"); |
|
2335 |
} |
|
2336 |
} |
|
15298 | 2337 |
// Trusted certificate |
2338 |
if (trustedKeyUsage != null) { |
|
15307
6c19bd915338
8006946: PKCS12 test failure due to incorrect alias name
vinnie
parents:
15301
diff
changeset
|
2339 |
if (alias == null) { |
6c19bd915338
8006946: PKCS12 test failure due to incorrect alias name
vinnie
parents:
15301
diff
changeset
|
2340 |
alias = getUnfriendlyName(); |
6c19bd915338
8006946: PKCS12 test failure due to incorrect alias name
vinnie
parents:
15301
diff
changeset
|
2341 |
} |
15298 | 2342 |
CertEntry certEntry = |
2343 |
new CertEntry(cert, keyId, alias, trustedKeyUsage, |
|
2344 |
attributes); |
|
2345 |
entries.put(alias.toLowerCase(Locale.ENGLISH), certEntry); |
|
2346 |
} else { |
|
2347 |
certEntries.add(new CertEntry(cert, keyId, alias)); |
|
2348 |
} |
|
2 | 2349 |
X500Principal subjectDN = cert.getSubjectX500Principal(); |
2350 |
if (subjectDN != null) { |
|
5973 | 2351 |
if (!certsMap.containsKey(subjectDN)) { |
2352 |
certsMap.put(subjectDN, cert); |
|
2353 |
} |
|
2 | 2354 |
} |
2355 |
} |
|
2356 |
} |
|
2357 |
} |
|
2358 |
||
2359 |
private String getUnfriendlyName() { |
|
2360 |
counter++; |
|
2361 |
return (String.valueOf(counter)); |
|
2362 |
} |
|
28243
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2363 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2364 |
/* |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2365 |
* PKCS12 permitted first 24 bytes: |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2366 |
* |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2367 |
* 30 82 -- -- 02 01 03 30 82 -- -- 06 09 2A 86 48 86 F7 0D 01 07 01 A0 8- |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2368 |
* 30 -- 02 01 03 30 -- 06 09 2A 86 48 86 F7 0D 01 07 01 A0 -- 04 -- -- -- |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2369 |
* 30 81 -- 02 01 03 30 81 -- 06 09 2A 86 48 86 F7 0D 01 07 01 A0 81 -- 04 |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2370 |
* 30 82 -- -- 02 01 03 30 81 -- 06 09 2A 86 48 86 F7 0D 01 07 01 A0 81 -- |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2371 |
* 30 83 -- -- -- 02 01 03 30 82 -- -- 06 09 2A 86 48 86 F7 0D 01 07 01 A0 |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2372 |
* 30 83 -- -- -- 02 01 03 30 83 -- -- -- 06 09 2A 86 48 86 F7 0D 01 07 01 |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2373 |
* 30 84 -- -- -- -- 02 01 03 30 83 -- -- -- 06 09 2A 86 48 86 F7 0D 01 07 |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2374 |
* 30 84 -- -- -- -- 02 01 03 30 84 -- -- -- -- 06 09 2A 86 48 86 F7 0D 01 |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2375 |
*/ |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2376 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2377 |
private static final long[][] PKCS12_HEADER_PATTERNS = { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2378 |
{ 0x3082000002010330L, 0x82000006092A8648L, 0x86F70D010701A080L }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2379 |
{ 0x3000020103300006L, 0x092A864886F70D01L, 0x0701A00004000000L }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2380 |
{ 0x3081000201033081L, 0x0006092A864886F7L, 0x0D010701A0810004L }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2381 |
{ 0x3082000002010330L, 0x810006092A864886L, 0xF70D010701A08100L }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2382 |
{ 0x3083000000020103L, 0x3082000006092A86L, 0x4886F70D010701A0L }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2383 |
{ 0x3083000000020103L, 0x308200000006092AL, 0x864886F70D010701L }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2384 |
{ 0x3084000000000201L, 0x0330820000000609L, 0x2A864886F70D0107L }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2385 |
{ 0x3084000000000201L, 0x0330820000000006L, 0x092A864886F70D01L } |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2386 |
}; |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2387 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2388 |
private static final long[][] PKCS12_HEADER_MASKS = { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2389 |
{ 0xFFFF0000FFFFFFFFL, 0xFF0000FFFFFFFFFFL, 0xFFFFFFFFFFFFFFF0L }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2390 |
{ 0xFF00FFFFFFFF00FFL, 0xFFFFFFFFFFFFFFFFL, 0xFFFFFF00FF000000L }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2391 |
{ 0xFFFF00FFFFFFFFFFL, 0x00FFFFFFFFFFFFFFL, 0xFFFFFFFFFFFF00FFL }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2392 |
{ 0xFFFF0000FFFFFFFFL, 0xFF00FFFFFFFFFFFFL, 0xFFFFFFFFFFFFFF00L }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2393 |
{ 0xFFFF000000FFFFFFL, 0xFFFF0000FFFFFFFFL, 0xFFFFFFFFFFFFFFFFL }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2394 |
{ 0xFFFF000000FFFFFFL, 0xFFFF000000FFFFFFL, 0xFFFFFFFFFFFFFFFFL }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2395 |
{ 0xFFFF00000000FFFFL, 0xFFFFFF000000FFFFL, 0xFFFFFFFFFFFFFFFFL }, |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2396 |
{ 0xFFFF00000000FFFFL, 0xFFFFFF00000000FFL, 0xFFFFFFFFFFFFFFFFL } |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2397 |
}; |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2398 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2399 |
/** |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2400 |
* Probe the first few bytes of the keystore data stream for a valid |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2401 |
* PKCS12 keystore encoding. |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2402 |
*/ |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2403 |
@Override |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2404 |
public boolean engineProbe(InputStream stream) throws IOException { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2405 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2406 |
DataInputStream dataStream; |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2407 |
if (stream instanceof DataInputStream) { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2408 |
dataStream = (DataInputStream)stream; |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2409 |
} else { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2410 |
dataStream = new DataInputStream(stream); |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2411 |
} |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2412 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2413 |
long firstPeek = dataStream.readLong(); |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2414 |
long nextPeek = dataStream.readLong(); |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2415 |
long finalPeek = dataStream.readLong(); |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2416 |
boolean result = false; |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2417 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2418 |
for (int i = 0; i < PKCS12_HEADER_PATTERNS.length; i++) { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2419 |
if (PKCS12_HEADER_PATTERNS[i][0] == |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2420 |
(firstPeek & PKCS12_HEADER_MASKS[i][0]) && |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2421 |
(PKCS12_HEADER_PATTERNS[i][1] == |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2422 |
(nextPeek & PKCS12_HEADER_MASKS[i][1])) && |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2423 |
(PKCS12_HEADER_PATTERNS[i][2] == |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2424 |
(finalPeek & PKCS12_HEADER_MASKS[i][2]))) { |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2425 |
result = true; |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2426 |
break; |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2427 |
} |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2428 |
} |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2429 |
|
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2430 |
return result; |
47080f9ae750
8044445: JEP 229: Create PKCS12 Keystores by Default
vinnie
parents:
25859
diff
changeset
|
2431 |
} |
2 | 2432 |
} |