A KeyStore manages different types of entries.
* Each type of entry implements the KeyStore.Entry interface.
* Three basic KeyStore.Entry implementations are provided:
*
*
This type of entry holds a cryptographic PrivateKey,
* which is optionally stored in a protected format to prevent
* unauthorized access. It is also accompanied by a certificate chain
* for the corresponding public key.
*
*
Private keys and certificate chains are used by a given entity for * self-authentication. Applications for this authentication include software * distribution organizations which sign JAR files as part of releasing * and/or licensing software. * *
This type of entry holds a cryptographic SecretKey,
* which is optionally stored in a protected format to prevent
* unauthorized access.
*
*
This type of entry contains a single public key Certificate
* belonging to another party. It is called a trusted certificate
* because the keystore owner trusts that the public key in the certificate
* indeed belongs to the identity identified by the subject (owner)
* of the certificate.
*
*
This type of entry can be used to authenticate other parties. *
Each entry in a keystore is identified by an "alias" string. In the * case of private keys and their associated certificate chains, these strings * distinguish among the different ways in which the entity may authenticate * itself. For example, the entity may authenticate itself using different * certificate authorities, or using different public key algorithms. * *
Whether keystores are persistent, and the mechanisms used by the * keystore if it is persistent, are not specified here. This allows * use of a variety of techniques for protecting sensitive (e.g., private or * secret) keys. Smart cards or other integrated cryptographic engines * (SafeKeyper) are one option, and simpler mechanisms such as files may also * be used (in a variety of formats). * *
Typical ways to request a KeyStore object include * relying on the default type and providing a specific keystore type. * *
* KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ** The system will return a keystore implementation for the default type. *
* *
* KeyStore ks = KeyStore.getInstance("JKS");
*
* The system will return the most preferred implementation of the
* specified keystore type available in the environment. *
Before a keystore can be accessed, it must be * {@link #load(java.io.InputStream, char[]) loaded}. *
* KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
*
* // get user password and file input stream
* char[] password = getPassword();
* java.io.FileInputStream fis =
* new java.io.FileInputStream("keyStoreName");
* ks.load(fis, password);
* fis.close();
*
*
* To create an empty keystore using the above load method,
* pass null as the InputStream argument.
*
* Once the keystore has been loaded, it is possible * to read existing entries from the keystore, or to write new entries * into the keystore: *
* // get my private key
* KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
* ks.getEntry("privateKeyAlias", password);
* PrivateKey myPrivateKey = pkEntry.getPrivateKey();
*
* // save my secret key
* javax.crypto.SecretKey mySecretKey;
* KeyStore.SecretKeyEntry skEntry =
* new KeyStore.SecretKeyEntry(mySecretKey);
* ks.setEntry("secretKeyAlias", skEntry, password);
*
* // store away the keystore
* java.io.FileOutputStream fos =
* new java.io.FileOutputStream("newKeyStoreName");
* ks.store(fos, password);
* fos.close();
*
*
* Note that although the same password may be used to
* load the keystore, to protect the private key entry,
* to protect the secret key entry, and to store the keystore
* (as is shown in the sample code above),
* different passwords or other protection parameters
* may also be used.
*
* @author Jan Luehe
*
* @version 1.42, 06/28/04
*
* @see java.security.PrivateKey
* @see javax.crypto.SecretKey
* @see java.security.cert.Certificate
*
* @since 1.2
*/
public class KeyStore {
/*
* Constant to lookup in the Security properties file to determine
* the default keystore type.
* In the Security properties file, the default keystore type is given as:
*
* keystore.type=jks
*
*/
private static final String KEYSTORE_TYPE = "keystore.type";
// The keystore type
private String type;
// The provider
private Provider provider;
// The provider implementation
private KeyStoreSpi keyStoreSpi;
// Has this keystore been initialized (loaded)?
private boolean initialized = false;
/**
* A marker interface for KeyStore
* {@link #load(KeyStore.LoadStoreParameter) load}
* and
* {@link #store(KeyStore.LoadStoreParameter) store}
* parameters.
*
* @since 1.5
*/
public static interface LoadStoreParameter {
/**
* Gets the parameter used to protect keystore data.
*
* @return the parameter used to protect keystore data, or null
*/
public ProtectionParameter getProtectionParameter();
}
/**
* A marker interface for keystore protection parameters.
*
* The information stored in a ProtectionParameter
* object protects the contents of a keystore.
* For example, protection parameters may be used to check
* the integrity of keystore data, or to protect the
* confidentiality of sensitive keystore data
* (such as a PrivateKey).
*
* @since 1.5
*/
public static interface ProtectionParameter { }
/**
* A password-based implementation of ProtectionParameter.
*
* @since 1.5
*/
public static class PasswordProtection implements
ProtectionParameter, javax.security.auth.Destroyable {
private final char[] password;
private volatile boolean destroyed = false;
/**
* Creates a password parameter.
*
*
The specified password is cloned before it is stored
* in the new PasswordProtection object.
*
* @param password the password, which may be null
*/
public PasswordProtection(char[] password) {
this.password = (password == null) ?
null : (char[])password.clone();
}
/**
* Gets the password.
*
*
Note that this method returns a reference to the password.
* If a clone of the array is created it is the caller's
* responsibility to zero out the password information
* after it is no longer needed.
*
* @see #destroy()
* @return the password, which may be null
* @exception IllegalStateException if the password has
* been cleared (destroyed)
*/
public synchronized char[] getPassword() {
if (destroyed) {
throw new IllegalStateException("password has been cleared");
}
return password;
}
/**
* Clears the password.
*
* @exception DestroyFailedException if this method was unable
* to clear the password
*/
public synchronized void destroy()
throws javax.security.auth.DestroyFailedException {
destroyed = true;
if (password != null) {
Arrays.fill(password, ' ');
}
}
/**
* Determines if password has been cleared.
*
* @return true if the password has been cleared, false otherwise
*/
public synchronized boolean isDestroyed() {
return destroyed;
}
}
/**
* A ProtectionParameter encapsulating a CallbackHandler.
*
* @since 1.5
*/
public static class CallbackHandlerProtection
implements ProtectionParameter {
private final CallbackHandler handler;
/**
* Constructs a new CallbackHandlerProtection from a
* CallbackHandler.
*
* @param handler the CallbackHandler
* @exception NullPointerException if handler is null
*/
public CallbackHandlerProtection(CallbackHandler handler) {
if (handler == null) {
throw new NullPointerException("handler must not be null");
}
this.handler = handler;
}
/**
* Returns the CallbackHandler.
*
* @return the CallbackHandler.
*/
public CallbackHandler getCallbackHandler() {
return handler;
}
}
/**
* A marker interface for KeyStore entry types.
*
* @since 1.5
*/
public static interface Entry { }
/**
* A KeyStore entry that holds a PrivateKey
* and corresponding certificate chain.
*
* @since 1.5
*/
public static final class PrivateKeyEntry implements Entry {
private final PrivateKey privKey;
private final Certificate[] chain;
/**
* Constructs a PrivateKeyEntry with a
* PrivateKey and corresponding certificate chain.
*
*
The specified chain is cloned before it is stored
* in the new PrivateKeyEntry object.
*
* @param privateKey the PrivateKey
* @param chain an array of Certificates
* representing the certificate chain.
* The chain must be ordered and contain a
* Certificate at index 0
* corresponding to the private key.
*
* @exception NullPointerException if
* privateKey or chain
* is null
* @exception IllegalArgumentException if the specified chain has a
* length of 0, if the specified chain does not contain
* Certificates of the same type,
* or if the PrivateKey algorithm
* does not match the algorithm of the PublicKey
* in the end entity Certificate (at index 0)
*/
public PrivateKeyEntry(PrivateKey privateKey, Certificate[] chain) {
if (privateKey == null || chain == null) {
throw new NullPointerException("invalid null input");
}
if (chain.length == 0) {
throw new IllegalArgumentException
("invalid zero-length input chain");
}
Certificate[] clonedChain = (Certificate[])chain.clone();
String certType = clonedChain[0].getType();
for (int i = 1; i < clonedChain.length; i++) {
if (!certType.equals(clonedChain[i].getType())) {
throw new IllegalArgumentException
("chain does not contain certificates " +
"of the same type");
}
}
if (!privateKey.getAlgorithm().equals
(clonedChain[0].getPublicKey().getAlgorithm())) {
throw new IllegalArgumentException
("private key algorithm does not match " +
"algorithm of public key in end entity " +
"certificate (at index 0)");
}
this.privKey = privateKey;
if (clonedChain[0] instanceof X509Certificate &&
!(clonedChain instanceof X509Certificate[])) {
this.chain = new X509Certificate[clonedChain.length];
System.arraycopy(clonedChain, 0,
this.chain, 0, clonedChain.length);
} else {
this.chain = clonedChain;
}
}
/**
* Gets the PrivateKey from this entry.
*
* @return the PrivateKey from this entry
*/
public PrivateKey getPrivateKey() {
return privKey;
}
/**
* Gets the Certificate chain from this entry.
*
*
The stored chain is cloned before being returned.
*
* @return an array of Certificates corresponding
* to the certificate chain for the public key.
* If the certificates are of type X.509,
* the runtime type of the returned array is
* X509Certificate[].
*/
public Certificate[] getCertificateChain() {
return (Certificate[])chain.clone();
}
/**
* Gets the end entity Certificate
* from the certificate chain in this entry.
*
* @return the end entity Certificate (at index 0)
* from the certificate chain in this entry.
* If the certificate is of type X.509,
* the runtime type of the returned certificate is
* X509Certificate.
*/
public Certificate getCertificate() {
return chain[0];
}
/**
* Returns a string representation of this PrivateKeyEntry.
* @return a string representation of this PrivateKeyEntry.
*/
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("Private key entry and certificate chain with "
+ chain.length + " elements:\r\n");
for (Certificate cert : chain) {
sb.append(cert);
sb.append("\r\n");
}
return sb.toString();
}
}
/**
* A KeyStore entry that holds a SecretKey.
*
* @since 1.5
*/
public static final class SecretKeyEntry implements Entry {
private final SecretKey sKey;
/**
* Constructs a SecretKeyEntry with a
* SecretKey.
*
* @param secretKey the SecretKey
*
* @exception NullPointerException if secretKey
* is null
*/
public SecretKeyEntry(SecretKey secretKey) {
if (secretKey == null) {
throw new NullPointerException("invalid null input");
}
this.sKey = secretKey;
}
/**
* Gets the SecretKey from this entry.
*
* @return the SecretKey from this entry
*/
public SecretKey getSecretKey() {
return sKey;
}
/**
* Returns a string representation of this SecretKeyEntry.
* @return a string representation of this SecretKeyEntry.
*/
public String toString() {
return "Secret key entry with algorithm " + sKey.getAlgorithm();
}
}
/**
* A KeyStore entry that holds a trusted
* Certificate.
*
* @since 1.5
*/
public static final class TrustedCertificateEntry implements Entry {
private final Certificate cert;
/**
* Constructs a TrustedCertificateEntry with a
* trusted Certificate.
*
* @param trustedCert the trusted Certificate
*
* @exception NullPointerException if
* trustedCert is null
*/
public TrustedCertificateEntry(Certificate trustedCert) {
if (trustedCert == null) {
throw new NullPointerException("invalid null input");
}
this.cert = trustedCert;
}
/**
* Gets the trusted Certficate from this entry.
*
* @return the trusted Certificate from this entry
*/
public Certificate getTrustedCertificate() {
return cert;
}
/**
* Returns a string representation of this TrustedCertificateEntry.
* @return a string representation of this TrustedCertificateEntry.
*/
public String toString() {
return "Trusted certificate entry:\r\n" + cert.toString();
}
}
/**
* Creates a KeyStore object of the given type, and encapsulates the given
* provider implementation (SPI object) in it.
*
* @param keyStoreSpi the provider implementation.
* @param provider the provider.
* @param type the keystore type.
*/
protected KeyStore(KeyStoreSpi keyStoreSpi, Provider provider, String type)
{
this.keyStoreSpi = keyStoreSpi;
this.provider = provider;
this.type = type;
}
/**
* Generates a keystore object of the given type.
*
*
If the default provider package provides a keystore implementation
* of the given type, an instance of KeyStore containing that
* implementation is returned. If the requested keystore type is not
* available in the default package, other packages are searched.
*
* @param type the type of keystore.
* See Appendix A in the
* Java Cryptography Architecture API Specification & Reference
* for information about standard keystore types.
*
* @return a keystore object of the specified type.
*
* @exception KeyStoreException if the requested keystore type is
* not available in the default provider package or any of the other
* provider packages that were searched.
*/
public static KeyStore getInstance(String type)
throws KeyStoreException
{
try {
Object[] objs = Security.getImpl(type, "KeyStore", (String)null);
return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
} catch (NoSuchAlgorithmException nsae) {
throw new KeyStoreException(type + " not found");
} catch (NoSuchProviderException nspe) {
throw new KeyStoreException(type + " not found");
}
}
/**
* Generates a keystore object for the specified keystore
* type from the specified provider.
*
* @param type the type of keystore.
* See Appendix A in the
* Java Cryptography Architecture API Specification & Reference
* for information about standard keystore types.
*
* @param provider the name of the provider.
*
* @return a keystore object of the specified type, as
* supplied by the specified provider.
*
* @exception KeyStoreException if the requested keystore type is not
* available from the provider.
*
* @exception NoSuchProviderException if the provider has not been
* configured.
*
* @exception IllegalArgumentException if the provider name is null
* or empty.
*
* @see Provider
*/
public static KeyStore getInstance(String type, String provider)
throws KeyStoreException, NoSuchProviderException
{
if (provider == null || provider.length() == 0)
throw new IllegalArgumentException("missing provider");
try {
Object[] objs = Security.getImpl(type, "KeyStore", provider);
return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
} catch (NoSuchAlgorithmException nsae) {
throw new KeyStoreException(type + " not found");
}
}
/**
* Generates a keystore object for the specified keystore
* type from the specified provider. Note: the provider
* doesn't have to be registered.
*
* @param type the type of keystore.
* See Appendix A in the
* Java Cryptography Architecture API Specification & Reference
* for information about standard keystore types.
*
* @param provider the provider.
*
* @return a keystore object of the specified type, as
* supplied by the specified provider.
*
* @exception KeyStoreException if the requested keystore type is not
* available from the provider.
*
* @exception IllegalArgumentException if the provider is
* null.
*
* @see Provider
*
* @since 1.4
*/
public static KeyStore getInstance(String type, Provider provider)
throws KeyStoreException
{
if (provider == null)
throw new IllegalArgumentException("missing provider");
try {
Object[] objs = Security.getImpl(type, "KeyStore", provider);
return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);
} catch (NoSuchAlgorithmException nsae) {
throw new KeyStoreException(type + " not found");
}
}
/**
* Returns the default keystore type as specified in the Java security
* properties file, or the string
* "jks" (acronym for "Java keystore")
* if no such property exists.
* The Java security properties file is located in the file named
* <JAVA_HOME>/lib/security/java.security, where <JAVA_HOME>
* refers to the directory where the JDK was installed.
*
*
The default keystore type can be used by applications that do not
* want to use a hard-coded keystore type when calling one of the
* getInstance methods, and want to provide a default keystore
* type in case a user does not specify its own.
*
*
The default keystore type can be changed by setting the value of the
* "keystore.type" security property (in the Java security properties
* file) to the desired keystore type.
*
* @return the default keystore type as specified in the
* Java security properties file, or the string "jks"
* if no such property exists.
*/
public final static String getDefaultType() {
String kstype;
kstype = (String)AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
return Security.getProperty(KEYSTORE_TYPE);
}
});
if (kstype == null) {
kstype = "jks";
}
return kstype;
}
/**
* Returns the provider of this keystore.
*
* @return the provider of this keystore.
*/
public final Provider getProvider()
{
return this.provider;
}
/**
* Returns the type of this keystore.
*
* @return the type of this keystore.
*/
public final String getType()
{
return this.type;
}
/**
* Returns the key associated with the given alias, using the given
* password to recover it. The key must have been associated with
* the alias by a call to setKeyEntry,
* or by a call to setEntry with a
* PrivateKeyEntry or SecretKeyEntry.
*
* @param alias the alias name
* @param password the password for recovering the key
*
* @return the requested key, or null if the given alias does not exist
* or does not identify a key-related entry.
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded).
* @exception NoSuchAlgorithmException if the algorithm for recovering the
* key cannot be found
* @exception UnrecoverableKeyException if the key cannot be recovered
* (e.g., the given password is wrong).
*/
public final Key getKey(String alias, char[] password)
throws KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetKey(alias, password);
}
/**
* Returns the certificate chain associated with the given alias.
* The certificate chain must have been associated with the alias
* by a call to setKeyEntry,
* or by a call to setEntry with a
* PrivateKeyEntry.
*
* @param alias the alias name
*
* @return the certificate chain (ordered with the user's certificate first
* and the root certificate authority last), or null if the given alias
* does not exist or does not contain a certificate chain
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded).
*/
public final Certificate[] getCertificateChain(String alias)
throws KeyStoreException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetCertificateChain(alias);
}
/**
* Returns the certificate associated with the given alias.
*
*
If the given alias name identifies an entry
* created by a call to setCertificateEntry,
* or created by a call to setEntry with a
* TrustedCertificateEntry,
* then the trusted certificate contained in that entry is returned.
*
*
If the given alias name identifies an entry
* created by a call to setKeyEntry,
* or created by a call to setEntry with a
* PrivateKeyEntry,
* then the first element of the certificate chain in that entry
* is returned.
*
* @param alias the alias name
*
* @return the certificate, or null if the given alias does not exist or
* does not contain a certificate.
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded).
*/
public final Certificate getCertificate(String alias)
throws KeyStoreException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetCertificate(alias);
}
/**
* Returns the creation date of the entry identified by the given alias.
*
* @param alias the alias name
*
* @return the creation date of this entry, or null if the given alias does
* not exist
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded).
*/
public final Date getCreationDate(String alias)
throws KeyStoreException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetCreationDate(alias);
}
/**
* Assigns the given key to the given alias, protecting it with the given
* password.
*
*
If the given key is of type java.security.PrivateKey,
* it must be accompanied by a certificate chain certifying the
* corresponding public key.
*
*
If the given alias already exists, the keystore information
* associated with it is overridden by the given key (and possibly
* certificate chain).
*
* @param alias the alias name
* @param key the key to be associated with the alias
* @param password the password to protect the key
* @param chain the certificate chain for the corresponding public
* key (only required if the given key is of type
* java.security.PrivateKey).
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded), the given key cannot be protected, or this operation fails
* for some other reason
*/
public final void setKeyEntry(String alias, Key key, char[] password,
Certificate[] chain)
throws KeyStoreException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
if ((key instanceof PrivateKey) &&
(chain == null || chain.length == 0)) {
throw new IllegalArgumentException("Private key must be "
+ "accompanied by certificate "
+ "chain");
}
keyStoreSpi.engineSetKeyEntry(alias, key, password, chain);
}
/**
* Assigns the given key (that has already been protected) to the given
* alias.
*
*
If the protected key is of type
* java.security.PrivateKey, it must be accompanied by a
* certificate chain certifying the corresponding public key. If the
* underlying keystore implementation is of type jks,
* key must be encoded as an
* EncryptedPrivateKeyInfo as defined in the PKCS #8 standard.
*
*
If the given alias already exists, the keystore information
* associated with it is overridden by the given key (and possibly
* certificate chain).
*
* @param alias the alias name
* @param key the key (in protected format) to be associated with the alias
* @param chain the certificate chain for the corresponding public
* key (only useful if the protected key is of type
* java.security.PrivateKey).
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded), or if this operation fails for some other reason.
*/
public final void setKeyEntry(String alias, byte[] key,
Certificate[] chain)
throws KeyStoreException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineSetKeyEntry(alias, key, chain);
}
/**
* Assigns the given trusted certificate to the given alias.
*
*
If the given alias identifies an existing entry
* created by a call to This method attempts to match the given certificate with each
* keystore entry. If the entry being considered was
* created by a call to If the entry being considered was
* created by a call to A password may be given to unlock the keystore
* (e.g. the keystore resides on a hardware token device),
* or to check the integrity of the keystore data.
* If a password is not given for integrity checking,
* then integrity checking is not performed.
*
* In order to create an empty keystore, or if the keystore cannot
* be initialized from a stream, pass Note that if this keystore has already been loaded, it is
* reinitialized and loaded again from the given input stream.
*
* @param stream the input stream from which the keystore is loaded,
* or Note that if this KeyStore has already been loaded, it is
* reinitialized and loaded again from the given parameter.
*
* @param param the If an entry already exists for the specified alias,
* it is overridden.
*
* @param alias save the keystore An instance of this class encapsulates the information needed to
* instantiate and initialize a KeyStore object. That process is
* triggered when the {@linkplain #getKeyStore} method is called.
*
* This makes it possible to decouple configuration from KeyStore
* object creation and e.g. delay a password prompt until it is
* needed.
*
* @see KeyStore
* @see javax.net.ssl.KeyStoreBuilderParameters
* @since 1.5
*/
public static abstract class Builder {
/**
* Construct a new Builder.
*/
protected Builder() {
// empty
}
/**
* Returns the KeyStore described by this object.
*
* @exception KeyStoreException if an error occured during the
* operation, for example if the KeyStore could not be
* instantiated or loaded
*/
public abstract KeyStore getKeyStore() throws KeyStoreException;
/**
* Returns the ProtectionParameters that should be used to obtain
* the {@link KeyStore.Entry Entry} with the given alias.
* The This is useful if an existing KeyStore object needs to be
* used with Builder-based APIs.
*
* @return a new Builder object
* @param keyStore the KeyStore to be encapsulated
* @param protectionParameter the ProtectionParameter used to
* protect the KeyStore entries
* @throws NullPointerException if keyStore or
* protectionParameters is null
* @throws IllegalArgumentException if the keyStore has not been
* initialized
*/
public static Builder newInstance(final KeyStore keyStore,
final ProtectionParameter protectionParameter) {
if ((keyStore == null) || (protectionParameter == null)) {
throw new NullPointerException();
}
if (keyStore.initialized == false) {
throw new IllegalArgumentException("KeyStore not initialized");
}
return new Builder() {
private volatile boolean getCalled;
public KeyStore getKeyStore() {
getCalled = true;
return keyStore;
}
public ProtectionParameter getProtectionParameter(String alias)
{
if (alias == null) {
throw new NullPointerException();
}
if (getCalled == false) {
throw new IllegalStateException
("getKeyStore() must be called first");
}
return protectionParameter;
}
};
}
/**
* Returns a new Builder object.
*
* The first call to the {@link #getKeyStore} method on the returned
* builder will create a KeyStore of type Subsequent calls to {@link #getKeyStore} return the same object
* as the initial call. If the initial call to failed with a
* KeyStoreException, subsequent calls also throw a
* KeyStoreException.
*
* The KeyStore is instantiated from Calls to {@link #getProtectionParameter getProtectionParameter()}
* will return a {@link KeyStore.PasswordProtection PasswordProtection}
* object encapsulating the password that was used to invoke the
* Note that the {@link #getKeyStore} method is executed
* within the {@link AccessControlContext} of the code invoking this
* method.
*
* @return a new Builder object
* @param type the type of KeyStore to be constructed
* @param provider the provider from which the KeyStore is to
* be instantiated (or null)
* @param file the File that contains the KeyStore data
* @param protection the ProtectionParameter securing the KeyStore data
* @throws NullPointerException if type, file or protection is null
* @throws IllegalArgumentException if protection is not an instance
* of either PasswordProtection or CallbackHandlerProtection; or
* if file does not exist or does not refer to a normal file
*/
public static Builder newInstance(String type, Provider provider,
File file, ProtectionParameter protection) {
if ((type == null) || (file == null) || (protection == null)) {
throw new NullPointerException();
}
if ((protection instanceof PasswordProtection == false) &&
(protection instanceof CallbackHandlerProtection == false)) {
throw new IllegalArgumentException
("Protection must be PasswordProtection or " +
"CallbackHandlerProtection");
}
if (file.isFile() == false) {
throw new IllegalArgumentException
("File does not exist or it does not refer " +
"to a normal file: " + file);
}
return new FileBuilder(type, provider, file, protection,
AccessController.getContext());
}
private static final class FileBuilder extends Builder {
private final String type;
private final Provider provider;
private final File file;
private ProtectionParameter protection;
private final AccessControlContext context;
private KeyStore keyStore;
private Throwable oldException;
FileBuilder(String type, Provider provider, File file,
ProtectionParameter protection,
AccessControlContext context) {
this.type = type;
this.provider = provider;
this.file = file;
this.protection = protection;
this.context = context;
}
public synchronized KeyStore getKeyStore() throws KeyStoreException
{
if (keyStore != null) {
return keyStore;
}
if (oldException != null) {
throw new KeyStoreException
("Previous KeyStore instantiation failed",
oldException);
}
PrivilegedExceptionAction action =
new PrivilegedExceptionAction() {
public Object run() throws Exception {
KeyStore ks;
if (provider == null) {
ks = KeyStore.getInstance(type);
} else {
ks = KeyStore.getInstance(type, provider);
}
InputStream in = null;
char[] password = null;
try {
in = new FileInputStream(file);
if (protection instanceof PasswordProtection) {
password =
((PasswordProtection)protection).getPassword();
} else {
CallbackHandler handler =
((CallbackHandlerProtection)protection)
.getCallbackHandler();
PasswordCallback callback = new PasswordCallback
("Password for keystore " + file.getName(),
false);
handler.handle(new Callback[] {callback});
password = callback.getPassword();
if (password == null) {
throw new KeyStoreException("No password" +
" provided");
}
callback.clearPassword();
protection = new PasswordProtection(password);
}
ks.load(in, password);
return ks;
} finally {
if (in != null) {
in.close();
}
}
}
};
try {
keyStore = (KeyStore)AccessController.doPrivileged
(action, context);
return keyStore;
} catch (PrivilegedActionException e) {
oldException = e.getCause();
throw new KeyStoreException
("KeyStore instantiation failed", oldException);
}
}
public synchronized ProtectionParameter
getProtectionParameter(String alias) {
if (alias == null) {
throw new NullPointerException();
}
if (keyStore == null) {
throw new IllegalStateException
("getKeyStore() must be called first");
}
return protection;
}
}
/**
* Returns a new Builder object.
*
* Each call to the {@link #getKeyStore} method on the returned
* builder will return a new KeyStore object of type The KeyStore is instantiated from Calls to {@link #getProtectionParameter getProtectionParameter()}
* will return Note that the {@link #getKeyStore} method is executed
* within the {@link AccessControlContext} of the code invoking this
* method.
*
* @return a new Builder object
* @param type the type of KeyStore to be constructed
* @param provider the provider from which the KeyStore is to
* be instantiated (or null)
* @param protection the ProtectionParameter securing the Keystore
* @throws NullPointerException if type or protection is null
*/
public static Builder newInstance(final String type,
final Provider provider, final ProtectionParameter protection) {
if ((type == null) || (protection == null)) {
throw new NullPointerException();
}
final AccessControlContext context = AccessController.getContext();
return new Builder() {
private volatile boolean getCalled;
private final PrivilegedExceptionAction action
= new PrivilegedExceptionAction() {
public Object run() throws Exception {
KeyStore ks;
if (provider == null) {
ks = KeyStore.getInstance(type);
} else {
ks = KeyStore.getInstance(type, provider);
}
ks.load(new SimpleLoadStoreParameter(protection));
getCalled = true;
return ks;
}
};
public synchronized KeyStore getKeyStore()
throws KeyStoreException {
try {
return (KeyStore)AccessController.doPrivileged(action);
} catch (PrivilegedActionException e) {
Throwable cause = e.getCause();
throw new KeyStoreException
("KeyStore instantiation failed", cause);
}
}
public ProtectionParameter getProtectionParameter(String alias)
{
if (alias == null) {
throw new NullPointerException();
}
if (getCalled == false) {
throw new IllegalStateException
("getKeyStore() must be called first");
}
return protection;
}
};
}
}
static class SimpleLoadStoreParameter implements LoadStoreParameter {
private final ProtectionParameter protection;
SimpleLoadStoreParameter(ProtectionParameter protection) {
this.protection = protection;
}
public ProtectionParameter getProtectionParameter() {
return protection;
}
}
}
setCertificateEntry,
* or created by a call to setEntry with a
* TrustedCertificateEntry,
* the trusted certificate in the existing entry
* is overridden by the given certificate.
*
* @param alias the alias name
* @param cert the certificate
*
* @exception KeyStoreException if the keystore has not been initialized,
* or the given alias already exists and does not identify an
* entry containing a trusted certificate,
* or this operation fails for some other reason.
*/
public final void setCertificateEntry(String alias, Certificate cert)
throws KeyStoreException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineSetCertificateEntry(alias, cert);
}
/**
* Deletes the entry identified by the given alias from this keystore.
*
* @param alias the alias name
*
* @exception KeyStoreException if the keystore has not been initialized,
* or if the entry cannot be removed.
*/
public final void deleteEntry(String alias)
throws KeyStoreException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineDeleteEntry(alias);
}
/**
* Lists all the alias names of this keystore.
*
* @return enumeration of the alias names
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded).
*/
public final EnumerationsetKeyEntry,
* or created by a call to setEntry with a
* PrivateKeyEntry or a SecretKeyEntry.
*
* @param alias the alias for the keystore entry to be checked
*
* @return true if the entry identified by the given alias is a
* key-related entry, false otherwise.
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded).
*/
public final boolean isKeyEntry(String alias)
throws KeyStoreException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineIsKeyEntry(alias);
}
/**
* Returns true if the entry identified by the given alias
* was created by a call to setCertificateEntry,
* or created by a call to setEntry with a
* TrustedCertificateEntry.
*
* @param alias the alias for the keystore entry to be checked
*
* @return true if the entry identified by the given alias contains a
* trusted certificate, false otherwise.
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded).
*/
public final boolean isCertificateEntry(String alias)
throws KeyStoreException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineIsCertificateEntry(alias);
}
/**
* Returns the (alias) name of the first keystore entry whose certificate
* matches the given certificate.
*
* setCertificateEntry,
* or created by a call to setEntry with a
* TrustedCertificateEntry,
* then the given certificate is compared to that entry's certificate.
*
* setKeyEntry,
* or created by a call to setEntry with a
* PrivateKeyEntry,
* then the given certificate is compared to the first
* element of that entry's certificate chain.
*
* @param cert the certificate to match with.
*
* @return the alias name of the first entry with a matching certificate,
* or null if no such entry exists in this keystore.
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded).
*/
public final String getCertificateAlias(Certificate cert)
throws KeyStoreException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetCertificateAlias(cert);
}
/**
* Stores this keystore to the given output stream, and protects its
* integrity with the given password.
*
* @param stream the output stream to which this keystore is written.
* @param password the password to generate the keystore integrity check
*
* @exception KeyStoreException if the keystore has not been initialized
* (loaded).
* @exception IOException if there was an I/O problem with data
* @exception NoSuchAlgorithmException if the appropriate data integrity
* algorithm could not be found
* @exception CertificateException if any of the certificates included in
* the keystore data could not be stored
*/
public final void store(OutputStream stream, char[] password)
throws KeyStoreException, IOException, NoSuchAlgorithmException,
CertificateException
{
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineStore(stream, password);
}
/**
* Stores this keystore using the given LoadStoreParameter.
*
* @param param the LoadStoreParameter
* that specifies how to store the keystore,
* which may be null
*
* @exception IllegalArgumentException if the given
* LoadStoreParameter
* input is not recognized
* @exception KeyStoreException if the keystore has not been initialized
* (loaded)
* @exception IOException if there was an I/O problem with data
* @exception NoSuchAlgorithmException if the appropriate data integrity
* algorithm could not be found
* @exception CertificateException if any of the certificates included in
* the keystore data could not be stored
*
* @since 1.5
*/
public final void store(LoadStoreParameter param)
throws KeyStoreException, IOException,
NoSuchAlgorithmException, CertificateException {
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineStore(param);
}
/**
* Loads this KeyStore from the given input stream.
*
* null
* as the stream argument.
*
* null
* @param password the password used to check the integrity of
* the keystore, the password used to unlock the keystore,
* or null
*
* @exception IOException if there is an I/O or format problem with the
* keystore data, if a password is required but not given,
* or if the given password was incorrect
* @exception NoSuchAlgorithmException if the algorithm used to check
* the integrity of the keystore cannot be found
* @exception CertificateException if any of the certificates in the
* keystore could not be loaded
*/
public final void load(InputStream stream, char[] password)
throws IOException, NoSuchAlgorithmException, CertificateException
{
keyStoreSpi.engineLoad(stream, password);
initialized = true;
}
/**
* Loads this keystore using the given LoadStoreParameter.
*
* LoadStoreParameter
* that specifies how to load the keystore,
* which may be null
*
* @exception IllegalArgumentException if the given
* LoadStoreParameter
* input is not recognized
* @exception IOException if there is an I/O or format problem with the
* keystore data
* @exception NoSuchAlgorithmException if the algorithm used to check
* the integrity of the keystore cannot be found
* @exception CertificateException if any of the certificates in the
* keystore could not be loaded
*
* @since 1.5
*/
public final void load(LoadStoreParameter param)
throws IOException, NoSuchAlgorithmException,
CertificateException {
keyStoreSpi.engineLoad(param);
initialized = true;
}
/**
* Gets a keystore Entry for the specified alias
* with the specified protection parameter.
*
* @param alias get the keystore Entry for this alias
* @param protParam the ProtectionParameter
* used to protect the Entry,
* which may be null
*
* @return the keystore Entry for the specified alias,
* or null if there is no such entry
*
* @exception NullPointerException if
* alias is null
* @exception NoSuchAlgorithmException if the algorithm for recovering the
* entry cannot be found
* @exception UnrecoverableEntryException if the specified
* protParam were insufficient or invalid
* @exception KeyStoreException if the keystore has not been initialized
* (loaded).
* @see #setEntry(String, KeyStore.Entry, KeyStore.ProtectionParameter)
*
* @since 1.5
*/
public final Entry getEntry(String alias, ProtectionParameter protParam)
throws NoSuchAlgorithmException, UnrecoverableEntryException,
KeyStoreException {
if (alias == null) {
throw new NullPointerException("invalid null input");
}
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineGetEntry(alias, protParam);
}
/**
* Saves a keystore Entry under the specified alias.
* The protection parameter is used to protect the
* Entry.
*
* Entry under this alias
* @param entry the Entry to save
* @param protParam the ProtectionParameter
* used to protect the Entry,
* which may be null
*
* @exception NullPointerException if
* alias or entry
* is null
* @exception KeyStoreException if the keystore has not been initialized
* (loaded), or if this operation fails for some other reason
*
* @see #getEntry(String, KeyStore.ProtectionParameter)
*
* @since 1.5
*/
public final void setEntry(String alias, Entry entry,
ProtectionParameter protParam)
throws KeyStoreException {
if (alias == null || entry == null) {
throw new NullPointerException("invalid null input");
}
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
keyStoreSpi.engineSetEntry(alias, entry, protParam);
}
/**
* Determines if the keystore Entry for the specified
* alias is an instance or subclass of the specified
* entryClass.
*
* @param alias the alias name
* @param entryClass the entry class
*
* @return true if the keystore Entry for the specified
* alias is an instance or subclass of the
* specified entryClass, false otherwise
*
* @exception NullPointerException if
* alias or entryClass
* is null
* @exception KeyStoreException if the keystore has not been
* initialized (loaded)
*
* @since 1.5
*/
public final boolean
entryInstanceOf(String alias,
Class entryClass)
throws KeyStoreException
{
if (alias == null || entryClass == null) {
throw new NullPointerException("invalid null input");
}
if (!initialized) {
throw new KeyStoreException("Uninitialized keystore");
}
return keyStoreSpi.engineEntryInstanceOf(alias, entryClass);
}
/**
* A description of a to-be-instantiated KeyStore object.
*
* getKeyStore method must be invoked before this
* method may be called.
*
* @return the ProtectionParameters that should be used to obtain
* the {@link KeyStore.Entry Entry} with the given alias.
* @param alias the alias of the KeyStore entry
* @throws NullPointerException if alias is null
* @throws KeyStoreException if an error occured during the
* operation
* @throws IllegalStateException if the getKeyStore method has
* not been invoked prior to calling this method
*/
public abstract ProtectionParameter getProtectionParameter(String alias)
throws KeyStoreException;
/**
* Returns a new Builder that encapsulates the given KeyStore.
* The {@linkplain #getKeyStore} method of the returned object
* will return keyStore, the {@linkplain
* #getProtectionParameter getProtectionParameter()} method will
* return protectionParameters.
*
* type and call
* its {@link KeyStore#load load()} method.
* The inputStream argument is constructed from
* file.
* If protection is a
* PasswordProtection, the password is obtained by
* calling the getPassword method.
* Otherwise, if protection is a
* CallbackHandlerProtection, the password is obtained
* by invoking the CallbackHandler.
*
* provider if
* non-null. Otherwise, all installed providers are searched.
*
* load method.
*
* type.
* Its {@link KeyStore#load(KeyStore.LoadStoreParameter) load()}
* method is invoked using a
* LoadStoreParameter that encapsulates
* protection.
*
* provider if
* non-null. Otherwise, all installed providers are searched.
*
* protection.
*
*