/* * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.provider; import java.io.*; import java.net.*; import java.security.*; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; import java.security.cert.CertificateException; import java.util.*; import sun.security.pkcs.EncryptedPrivateKeyInfo; import sun.security.util.PolicyUtil; /** * This class provides the domain keystore type identified as "DKS". * DKS presents a collection of separate keystores as a single logical keystore. * The collection of keystores is specified in a domain configuration file which * is passed to DKS in a {@link DomainLoadStoreParameter}. *
* The following properties are supported: *
If the given alias name identifies a
* trusted certificate entry, the certificate associated with that
* entry is returned. If the given alias name identifies a
* key entry, the first element of the certificate chain of that
* entry is returned, or null if that entry does not have a certificate
* chain.
*
* @param alias the alias name
*
* @return the certificate, or null if the given alias does not exist or
* does not contain a certificate.
*/
public Certificate engineGetCertificate(String alias) {
AbstractMap.SimpleEntry The given java.security.PrivateKey If the given alias already exists, the keystore information
* associated with it is overridden by the given key and certificate
* chain.
*
* @param alias the alias name
* @param key the private key to be associated with the alias
* @param password the password to protect the key
* @param chain the certificate chain for the corresponding public
* key (only required if the given key is of type
* If the protected key is of type
* If the given alias already exists, the keystore information
* associated with it is overridden by the given key (and possibly
* certificate chain).
*
* @param alias the alias name
* @param key the key (in protected format) to be associated with the alias
* @param chain the certificate chain for the corresponding public
* key (only useful if the protected key is of type
* If the given alias already exists in this keystore and identifies a
* trusted certificate entry, the certificate associated with it is
* overridden by the given certificate.
*
* @param alias the alias name
* @param cert the certificate
*
* @exception KeyStoreException if the given alias already exists and does
* not identify a trusted certificate entry, or this operation
* fails for some other reason.
*/
public void engineSetCertificateEntry(String alias, Certificate cert)
throws KeyStoreException
{
AbstractMap.SimpleEntry This method attempts to match the given certificate with each
* keystore entry. If the entry being considered
* is a trusted certificate entry, the given certificate is
* compared to that entry's certificate. If the entry being considered is
* a key entry, the given certificate is compared to the first
* element of that entry's certificate chain (if a chain exists).
*
* @param cert the certificate to match with.
*
* @return the (alias) name of the first entry with matching certificate,
* or null if no such entry exists in this keystore.
*/
public String engineGetCertificateAlias(Certificate cert) {
    try {
        // Member keystores are consulted in the iteration order of the
        // backing map; the first one that recognises the certificate
        // decides the alias, later keystores are never asked.
        for (KeyStore member : keystores.values()) {
            String match = member.getCertificateAlias(cert);
            if (match != null) {
                return match;
            }
        }
        // No member keystore holds an entry with this certificate.
        return null;
    } catch (KeyStoreException e) {
        // getCertificateAlias only fails for a keystore that was never
        // loaded, which is treated here as a programming error rather
        // than a condition the caller can recover from.
        throw new IllegalStateException(e);
    }
}
/**
 * Stores this keystore to the given output stream, protecting its
 * integrity with the given password.
 *
 * <p>A plain stream can only hold one keystore, so this form of store is
 * accepted only while exactly one member keystore is configured. Domains
 * with several members must be stored through
 * {@link #engineStore(KeyStore.LoadStoreParameter)} with a
 * {@code DomainLoadStoreParameter}.
 *
 * @param stream the output stream to which the single member keystore
 *        is written
 * @param password the password used to generate the integrity check
 *
 * @exception IOException if there was an I/O problem with the data
 * @exception NoSuchAlgorithmException if the appropriate data integrity
 *            algorithm could not be found
 * @exception CertificateException if any of the certificates included in
 *            the keystore data could not be stored
 * @exception UnsupportedOperationException if the domain does not consist
 *            of exactly one member keystore
 */
public void engineStore(OutputStream stream, char[] password)
    throws IOException, NoSuchAlgorithmException, CertificateException
{
    // Anything other than a single member cannot be represented by one
    // stream; refuse rather than silently store only part of the domain.
    if (keystores.size() != 1) {
        throw new UnsupportedOperationException(
            "This keystore must be stored using a DomainLoadStoreParameter");
    }
    KeyStore single = keystores.values().iterator().next();
    try {
        single.store(stream, password);
    } catch (KeyStoreException e) {
        // Only raised for an uninitialised keystore, which would be a
        // programming error in this class rather than a caller problem.
        throw new IllegalStateException(e);
    }
}
@Override
public void engineStore(KeyStore.LoadStoreParameter param)
throws IOException, NoSuchAlgorithmException, CertificateException
{
if (param instanceof DomainLoadStoreParameter) {
DomainLoadStoreParameter domainParameter =
(DomainLoadStoreParameter) param;
List If a password is given, it is used to check the integrity of the
* keystore data. Otherwise, the integrity of the keystore is not checked.
*
* @param stream the input stream from which the keystore is loaded
* @param password the (optional) password used to check the integrity of
* the keystore.
*
* @exception IOException if there is an I/O or format problem with the
* keystore data
* @exception NoSuchAlgorithmException if the algorithm used to check
* the integrity of the keystore cannot be found
* @exception CertificateException if any of the certificates in the
* keystore could not be loaded
*/
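public void engineLoad(InputStream stream, char[] password)
    throws IOException, NoSuchAlgorithmException, CertificateException
{
    // Support loading from a stream only for a JKS or default type
    // keystore: the data is parsed as JKS first and, if that fails and
    // the default type is something else, parsed once more as the
    // default type. The result is registered as one member keystore
    // under a generated name.
    try {
        KeyStore keystore = null;
        try {
            keystore = KeyStore.getInstance("JKS");
            keystore.load(stream, password);
        } catch (Exception jksFailure) {
            // Retry with the default type. When that is JKS as well a
            // second attempt could not succeed, so the failure is
            // propagated as-is.
            //
            // NOTE(review): the retry reads the same `stream` object
            // that the JKS attempt has already consumed from; unless
            // the caller supplies a stream that can be re-read, the
            // second attempt may not see the start of the data -
            // confirm against the callers of this method.
            if (!"JKS".equalsIgnoreCase(DEFAULT_KEYSTORE_TYPE)) {
                try {
                    keystore = KeyStore.getInstance(DEFAULT_KEYSTORE_TYPE);
                    keystore.load(stream, password);
                } catch (Exception retryFailure) {
                    // Keep the JKS failure attached so that both reasons
                    // for rejecting the stream survive for diagnosis.
                    retryFailure.addSuppressed(jksFailure);
                    throw retryFailure;
                }
            } else {
                throw jksFailure;
            }
        }
        String keystoreName = DEFAULT_STREAM_PREFIX + streamCounter++;
        keystores.put(keystoreName, keystore);
    } catch (Exception e) {
        // Preserve the underlying exception as the cause. Without it the
        // actual reason the stream was rejected - typically an
        // integrity-check or password failure reported by the member
        // keystore - is lost behind this generic message, which hides
        // tampering or a wrong password from whoever reads the error.
        throw new UnsupportedOperationException(
            "This keystore must be loaded using a " +
            "DomainLoadStoreParameter", e);
    }
}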
@Override
public void engineLoad(KeyStore.LoadStoreParameter param)
throws IOException, NoSuchAlgorithmException, CertificateException
{
if (param instanceof DomainLoadStoreParameter) {
DomainLoadStoreParameter domainParameter =
(DomainLoadStoreParameter) param;
Listkey
must
* be accompanied by a certificate chain certifying the
* corresponding public key.
*
* java.security.PrivateKey
).
*
* @exception KeyStoreException if the given key is not a private key,
* cannot be protected, or this operation fails for some other reason
*/
public void engineSetKeyEntry(String alias, Key key, char[] password,
Certificate[] chain)
throws KeyStoreException
{
AbstractMap.SimpleEntryjava.security.PrivateKey
, it must be accompanied by a
* certificate chain certifying the corresponding public key. If the
* underlying keystore implementation is of type jks
,
* key
must be encoded as an
* EncryptedPrivateKeyInfo
as defined in the PKCS #8 standard.
*
* java.security.PrivateKey
).
*
* @exception KeyStoreException if this operation fails.
*/
public void engineSetKeyEntry(String alias, byte[] key,
Certificate[] chain)
throws KeyStoreException
{
AbstractMap.SimpleEntry