se.swedenconnect.opensaml.pkcs11.credential

Class PKCS11Credential

java.lang.Object

org.opensaml.security.credential.AbstractCredential

org.opensaml.security.credential.BasicCredential

org.opensaml.security.x509.BasicX509Credential

se.swedenconnect.opensaml.pkcs11.credential.PKCS11Credential

All Implemented Interfaces:

Credential, MutableCredential, X509Credential

Direct Known Subclasses:

PKCS11NoTestCredential

public class PKCS11Credential
extends BasicX509Credential

This credential class extends the OpenSAML BasicX509Credential and provides an auto-reloadable credential for PKCS#11 keys.

The class stores the necessary data to reload the key in case the connection to the key in the PKCS"11 token has been disrupted or lost.

Each time the private key is read from this credential, the private key reference is tested. If the private key can not be used, an attempt to reload the key is made.

Author:

Stefan Santesson (stefan@idsec.se), Martin Lindström (martin@idsec.se)

Field Summary

Fields

Modifier and Type	Field and Description
protected Map<String,PrivateKey>	privateKeyMap

Constructor Summary

Constructors

Constructor and Description
PKCS11Credential(X509Certificate entityCertificate, List<String> providerNameList, String alias, CustomKeyExtractor customKeyExtractor) Initializes the PKCS#11 credential.
PKCS11Credential(X509Certificate entityCertificate, List<String> providerNameList, String alias, String pin) Initializes the PKCS#11 credential.

Method Summary

Modifier and Type	Method and Description
String	getCurrentKeyProvider() Get the provider of the most recently selected private key.
PrivateKey	getPrivateKey() Overrides the default method to get the private key and adds a key test before the private key is extracted and returned.
protected String	getRandomProviderFromPool()

Methods inherited from class org.opensaml.security.x509.BasicX509Credential

getCredentialType, getCRLs, getEntityCertificate, getEntityCertificateChain, getPublicKey, getSecretKey, setCRLs, setEntityCertificate, setEntityCertificateChain, setPublicKey, setSecretKey

Methods inherited from class org.opensaml.security.credential.BasicCredential

setEntityId, setPrivateKey, setUsageType

Methods inherited from class org.opensaml.security.credential.AbstractCredential

getCredentialContextSet, getEntityId, getKeyNames, getUsageType

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.opensaml.security.credential.Credential

getCredentialContextSet, getEntityId, getKeyNames, getUsageType

Field Detail

privateKeyMap

protected Map<String,PrivateKey> privateKeyMap

Constructor Detail

PKCS11Credential

public PKCS11Credential(X509Certificate entityCertificate,
                        List<String> providerNameList,
                        String alias,
                        CustomKeyExtractor customKeyExtractor)
                 throws Exception

Initializes the PKCS#11 credential.

Parameters:

entityCertificate - The entity certificate for this credential

providerNameList - The name of the security provider holding the private key object

customKeyExtractor - A custom function for extracting the private key from the provider

Throws:

UnrecoverableKeyException - if the private key can not be recovered

NoSuchAlgorithmException - if the selected algorithm is not supported

KeyStoreException - general keystore exception

NoSuchProviderException - if no provider for PKCS11 is available

IOException - general IO errors

Exception

PKCS11Credential

public PKCS11Credential(X509Certificate entityCertificate,
                        List<String> providerNameList,
                        String alias,
                        String pin)
                 throws Exception

Initializes the PKCS#11 credential.

Parameters:

entityCertificate - The entity certificate for this credential

providerNameList - The name of the security provider holding the private key object

alias - The alias of the private key

pin - The pin for the private key

Throws:

UnrecoverableKeyException - if the private key can not be recovered

NoSuchAlgorithmException - if the selected algorithm is not supported

KeyStoreException - general keystore exception

NoSuchProviderException - if no provider for PKCS11 is available

IOException - general IO errors

Exception

Method Detail

getRandomProviderFromPool

protected String getRandomProviderFromPool()

getPrivateKey

public PrivateKey getPrivateKey()

Overrides the default method to get the private key and adds a key test before the private key is extracted and returned. This allows an attempt to reload the key in case the connection to the key was lost.

Specified by:

getPrivateKey in interface Credential

Overrides:

getPrivateKey in class AbstractCredential

Returns:

The tested (and possibly reloaded) private key

getCurrentKeyProvider

public String getCurrentKeyProvider()

Get the provider of the most recently selected private key.

Note: This method is mainly intended for logging purposes. It may not be thread safe to rely on this method unless it is called from within a synchronized method after loading the private key.

Returns:

the name of the provider of the most recently loaded private key