Class KeyStoreCredential
- All Implemented Interfaces:
DisposableBean, InitializingBean, PkiCredential, ReloadablePkiCredential

KeyStore-backed implementation of the PkiCredential and ReloadablePkiCredential interfaces.
A KeyStoreCredential can be initialized in a number of ways:
- By loading a KeyStore from a Resource and then getting the certificate and private key. This is done either by using any of the constructors KeyStoreCredential(Resource, char[], String, char[]), KeyStoreCredential(Resource, String, char[], String, char[]) or KeyStoreCredential(Resource, String, String, char[], String, char[]), or by assigning all required properties using setter-methods.
- By providing an already loaded KeyStore instance and giving the entry alias and key password. This is done either by using the constructor KeyStoreCredential(KeyStore, String, char[]) or by assigning all required properties using setter-methods.
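The two software-keystore initialization paths listed above, written out as an added example that is not part of the library's Javadoc or code base. It assumes that Resource is Spring's org.springframework.core.io.Resource (FileSystemResource is used to point at a file), that getCertificate() returns a java.security.cert.X509Certificate, and that init() may throw a checked Exception; the file path, alias and passwords are placeholders. The verify() step goes a little beyond the page: after init() has confirmed that both keys are available, it also checks certificate validity and that certificate and private key use the same algorithm, which is the kind of start-up check a deployment wants before it starts signing.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;

import se.swedenconnect.security.credential.KeyStoreCredential;

/**
 * Added example (not the library's own code): the two software-keystore
 * initialization paths of KeyStoreCredential. Paths, alias and passwords
 * are placeholders.
 */
public class KeyStoreCredentialExample {

  /** Option 1: let KeyStoreCredential load the keystore from a Resource. */
  public static KeyStoreCredential fromResource(final Resource resource, final char[] storePw,
      final String alias, final char[] keyPw) throws Exception {
    // Explicit type "PKCS12"; the first provider able to create such a KeyStore is used.
    final KeyStoreCredential credential = new KeyStoreCredential(resource, "PKCS12", storePw, alias, keyPw);
    credential.init(); // loads the keystore and verifies that public and private key are available
    return credential;
  }

  /** Option 2: hand over an already loaded KeyStore, using setter-methods only. */
  public static KeyStoreCredential fromLoadedKeyStore(final KeyStore keyStore, final String alias,
      final char[] keyPw) throws Exception {
    final KeyStoreCredential credential = new KeyStoreCredential();
    credential.setKeyStore(keyStore);
    credential.setAlias(alias);
    credential.setKeyPassword(keyPw);
    credential.init();
    return credential;
  }

  /** Start-up sanity check beyond what init() guarantees (assumed: X509Certificate). */
  public static void verify(final KeyStoreCredential credential) throws Exception {
    final X509Certificate cert = credential.getCertificate();
    if (cert == null) {
      throw new IllegalStateException("Credential '" + credential.getName() + "' has no certificate");
    }
    cert.checkValidity(); // throws if the certificate is expired or not yet valid
    final PrivateKey key = credential.getPrivateKey();
    if (!key.getAlgorithm().equals(cert.getPublicKey().getAlgorithm())) {
      throw new IllegalStateException("Certificate and private key algorithms differ");
    }
  }

  public static void main(final String[] args) throws Exception {
    final char[] storePw = "changeit".toCharArray(); // placeholder
    final char[] keyPw = "changeit".toCharArray();   // placeholder
    KeyStoreCredential credential = null;
    try {
      credential = fromResource(new FileSystemResource("/path/to/keystore.p12"), storePw, "signing", keyPw);
      verify(credential);
      System.out.println("Loaded credential: " + credential.getName());
    }
    finally {
      if (credential != null) {
        credential.destroy();
      }
      // Clear password material once the credential no longer needs it.
      Arrays.fill(storePw, '\0');
      Arrays.fill(keyPw, '\0');
    }
  }
}
```

Passwords are kept as char[] (as the constructors require) and cleared after destroy() rather than after init(), because the credential may still hold a reference to them while it is alive.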
This class also supports handling of PKCS#11 credentials. This requires using a security provider that supports creating a KeyStore based on an underlying PKCS#11 implementation (for example the SunPKCS11 provider). There are three ways of creating a KeyStoreCredential for use with PKCS#11:
Supplying an already existing PKCS#11 KeyStore

In some cases you may already have loaded a KeyStore using a security provider configured for PKCS#11. In these cases the initialization of the KeyStoreCredential is identical with option number 2 above. You simply create your KeyStoreCredential instance by giving the KeyStore instance, the entry alias and key password, either via the KeyStoreCredential(KeyStore, String, char[]) constructor or by assigning all required properties using setter-methods.
Supplying the provider name of a Security provider configured for your PKCS#11 device

Another possibility is to supply the provider name of a security provider configured for PKCS#11. This could typically look something like:

```java
// Create a SunPKCS11 provider instance using our PKCS#11 configuration ...
Provider provider = Security.getProvider("SunPKCS11");
provider = provider.configure(pkcs11CfgFile);
Security.addProvider(provider);

// Create a credential ...
KeyStoreCredential credential = new KeyStoreCredential(null, "PKCS11", provider.getName(), tokenPw, alias, null);
credential.init();
```
Supplying the PKCS#11 configuration file

In the above example we created the SunPKCS11 provider instance manually. It is also possible to create a KeyStoreCredential instance by supplying the PKCS#11 configuration file:

```java
KeyStoreCredential credential = new KeyStoreCredential(null, "PKCS11", "SunPKCS11", tokenPw, alias, null);
credential.setPkcs11Configuration(pkcs11CfgFile);
credential.init();
```
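The configuration-file route above, carried through to a usable credential as an added example that is not part of the library's Javadoc or code base. It assumes the SunPKCS11 provider, an RSA key on the token (so that the standard JCA Signature API with "SHA256withRSA" can be used with the returned private key), and that init() and reload() may throw a checked Exception; the configuration path, alias and token PIN are placeholders. It also shows where reload() fits: a PKCS#11 session can become unusable (for example after the token was reset), and the wrapper re-reads the key once and retries rather than failing permanently.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.ProviderException;
import java.security.Signature;
import java.util.Arrays;

import se.swedenconnect.security.credential.KeyStoreCredential;

/**
 * Added example (not the library's own code): a PKCS#11 backed
 * KeyStoreCredential created via setPkcs11Configuration, plus a
 * reload-and-retry wrapper around signing. Config path, alias and PIN
 * are placeholders.
 */
public class Pkcs11KeyStoreCredentialExample {

  /** Creates the credential from a SunPKCS11 configuration file. */
  public static KeyStoreCredential create(final String pkcs11CfgFile, final char[] tokenPw, final String alias)
      throws Exception {
    // Type must be "PKCS11" and the provider the base provider name ("SunPKCS11").
    // keyPassword is null, so the token password is reused for the key entry.
    final KeyStoreCredential credential =
        new KeyStoreCredential(null, "PKCS11", "SunPKCS11", tokenPw, alias, null);
    credential.setPkcs11Configuration(pkcs11CfgFile);
    credential.init();

    // Refuse to continue if the key did not end up in a hardware module.
    if (!credential.isHardwareCredential()) {
      throw new IllegalStateException("Credential '" + credential.getName() + "' is not hardware-backed");
    }
    return credential;
  }

  /** Signs data; if the token session is broken, reloads the private key once and retries. */
  public static byte[] signWithRetry(final KeyStoreCredential credential, final byte[] data) throws Exception {
    try {
      return sign(credential, data);
    }
    catch (final ProviderException | GeneralSecurityException e) {
      // reload() re-reads the private key from the PKCS#11 token for credentials of PKCS11 type.
      credential.reload();
      return sign(credential, data);
    }
  }

  /** Plain JCA signing; assumed RSA key, so "SHA256withRSA" applies. */
  private static byte[] sign(final KeyStoreCredential credential, final byte[] data)
      throws GeneralSecurityException {
    final Signature signature = Signature.getInstance("SHA256withRSA");
    signature.initSign(credential.getPrivateKey()); // provider chosen to match the token key
    signature.update(data);
    return signature.sign();
  }

  public static void main(final String[] args) throws Exception {
    final char[] tokenPw = "1234".toCharArray(); // placeholder PIN
    KeyStoreCredential credential = null;
    try {
      credential = create("/etc/pkcs11/token.cfg", tokenPw, "signing-key"); // placeholders
      final byte[] sig = signWithRetry(credential, "hello".getBytes(StandardCharsets.UTF_8));
      System.out.println("Signature length: " + sig.length);
    }
    finally {
      if (credential != null) {
        credential.destroy();
      }
      // The credential may need the PIN for reload(), so clear it only after destroy().
      Arrays.fill(tokenPw, '\0');
    }
  }
}
```

The retry catches ProviderException as well as GeneralSecurityException because SunPKCS11 reports token-level failures as an unchecked ProviderException; a single retry after reload() is enough to tell a transient session loss from a persistent token problem, which should then surface as an error.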
Note: As an alternative to using KeyStoreCredential for PKCS#11 credentials, see the Pkcs11Credential class.
- Author:
- Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
Constructor Summary
- KeyStoreCredential(): Default constructor.
- KeyStoreCredential(KeyStore keyStore, String alias, char[] keyPassword): Constructor accepting an already loaded KeyStore.
- KeyStoreCredential(Resource resource, char[] password, String alias, char[] keyPassword): A constructor that creates and loads a KeyStore from the given resource.
- KeyStoreCredential(Resource resource, String type, char[] password, String alias, char[] keyPassword): A constructor that creates and loads a KeyStore of the given type from the given resource.
- KeyStoreCredential(Resource resource, String type, String provider, char[] password, String alias, char[] keyPassword): A constructor that creates and loads a KeyStore of the given type from the given resource using the given provider.
Method Summary
- void afterPropertiesSet(): The default implementation verifies that the public key and the private key are available.
- void destroy(): Implementations that need to perform clean-up actions should override this method.
- getCertificate(): Gets the certificate holding the public key of the key pair.
- getCertificateChain(): Gets a certificate chain for the credential, where the first element is the entity certificate (PkiCredential.getCertificate()).
- protected String getDefaultName(): If the credential name property is not explicitly assigned using AbstractPkiCredential.setName(String), a name is calculated based on the credential's properties.
- getPrivateKey(): Gets the private key.
- getPublicKey(): Gets the public key.
- boolean isHardwareCredential(): Predicate that tells whether this credential resides in a hardware module.
- void reload(): If the KeyStoreCredential is of PKCS#11 type, the method will reload the private key.
- void setAlias(String alias): Assigns the alias of the KeyStore entry.
- void setKeyPassword(char[] keyPassword): Assigns the key password needed to unlock the key entry.
- void setKeyStore(KeyStore keyStore): Assigns the keystore to read the key pair from.
- void setPassword(char[] password): Assigns the password needed to load the KeyStore.
- void setPkcs11Configuration(String pkcs11Configuration): Assigns the PKCS#11 configuration file to use.
- void setPrivateKey(PrivateKey privateKey): Will throw an IllegalArgumentException since the private key will be read from the keystore.
- void setProvider(String provider): Assigns the name of the security provider to use when loading the KeyStore.
- void setPublicKey(PublicKey publicKey): Will throw an IllegalArgumentException since the public key will be read from the keystore.
- void setResource(Resource resource): Assigns the resource holding the KeyStore to load.
- void setType(String type): Assigns the KeyStore type to use ("JKS", "PKCS12", "PKCS11", ...).
Methods inherited from class se.swedenconnect.security.credential.AbstractReloadablePkiCredential
getTestFunction, setTestFunction
Methods inherited from class se.swedenconnect.security.credential.AbstractPkiCredential
getName, setCertificate, setCertificate, setCertificateChain, setName, setPrivateKey, setPrivateKey
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface se.swedenconnect.security.credential.PkiCredential
getName, init, setCertificate, setCertificateChain
Constructor Details

KeyStoreCredential
public KeyStoreCredential()
Default constructor.

KeyStoreCredential
public KeyStoreCredential(KeyStore keyStore, String alias, char[] keyPassword)
Constructor accepting an already loaded KeyStore.
- Parameters:
keyStore - the keystore to read the key pair from
alias - the alias to the entry holding the key pair
keyPassword - the password to unlock the key pair

KeyStoreCredential
public KeyStoreCredential(Resource resource, char[] password, String alias, char[] keyPassword)
A constructor that creates and loads a KeyStore from the given resource. The default KeyStore type is used and the first security provider that can create such a KeyStore is used.
- Parameters:
resource - the resource to load the KeyStore from
password - the password needed to load the KeyStore
alias - the entry alias for the certificate and private key
keyPassword - the password needed to unlock the certificate and private key (if null, the same value as given for password is used)

KeyStoreCredential
public KeyStoreCredential(Resource resource, String type, char[] password, String alias, char[] keyPassword)
A constructor that creates and loads a KeyStore of the given type from the given resource. The first security provider that can create such a KeyStore is used.
- Parameters:
resource - the resource to load the KeyStore from
type - the KeyStore type
password - the password needed to load the KeyStore
alias - the entry alias for the certificate and private key
keyPassword - the password needed to unlock the certificate and private key (if null, the same value as given for password is used)

KeyStoreCredential
public KeyStoreCredential(Resource resource, String type, String provider, char[] password, String alias, char[] keyPassword)
A constructor that creates and loads a KeyStore of the given type from the given resource using the given provider.
- Parameters:
resource - the resource to load the KeyStore from
type - the KeyStore type
provider - the security provider to use when creating the KeyStore
password - the password needed to load the KeyStore
alias - the entry alias for the certificate and private key
keyPassword - the password needed to unlock the certificate and private key (if null, the same value as given for password is used)

Method Details

afterPropertiesSet
public void afterPropertiesSet() throws Exception
The default implementation verifies that the public key and the private key are available. Implementations that need to be initialized (for example by loading the keys) should override this method.
- Specified by: afterPropertiesSet in interface InitializingBean
- Overrides: afterPropertiesSet in class AbstractPkiCredential
- Throws: Exception

destroy
public void destroy()
Implementations that need to perform clean-up actions should override this method. The default implementation does nothing.
- Specified by: destroy in interface DisposableBean
- Overrides: destroy in class AbstractPkiCredential

isHardwareCredential
public boolean isHardwareCredential()
Predicate that tells whether this credential resides in a hardware module.
- Returns: true if the credential resides in a hardware module and false otherwise

setResource
public void setResource(Resource resource)
Assigns the resource holding the KeyStore to load.
- Parameters: resource - the KeyStore resource

setType
public void setType(String type)
Assigns the KeyStore type to use ("JKS", "PKCS12", "PKCS11", ...). If no type is configured, KeyStore.getDefaultType() is assumed.
- Parameters: type - the KeyStore type

setProvider
public void setProvider(String provider)
Assigns the name of the security provider to use when loading the KeyStore. If no provider is assigned, the first provider that can create a KeyStore of the given type is used.
- Parameters: provider - the provider name to use

setPkcs11Configuration
public void setPkcs11Configuration(String pkcs11Configuration)
Assigns the PKCS#11 configuration file to use. The type (setType(String)) must be "PKCS11" and the provider name must be set to the base signature provider to use (e.g. "SunPKCS11").
- Parameters: pkcs11Configuration - the complete path to the PKCS#11 configuration file

setPassword
public void setPassword(char[] password)
Assigns the password needed to load the KeyStore.
- Parameters: password - the password

setKeyStore
public void setKeyStore(KeyStore keyStore)
Assigns the keystore to read the key pair from.
- Parameters: keyStore - the keystore

setAlias
public void setAlias(String alias)
Assigns the alias of the KeyStore entry.
- Parameters: alias - the KeyStore alias

setKeyPassword
public void setKeyPassword(char[] keyPassword)
Assigns the key password needed to unlock the key entry.
- Parameters: keyPassword - the key password

getPublicKey
Gets the public key.
- Specified by: getPublicKey in interface PkiCredential
- Overrides: getPublicKey in class AbstractPkiCredential
- Returns: the public key

setPublicKey
public void setPublicKey(PublicKey publicKey)
Will throw an IllegalArgumentException since the public key will be read from the keystore.
- Overrides: setPublicKey in class AbstractPkiCredential
- Parameters: publicKey - the public key

getCertificate
Gets the certificate holding the public key of the key pair. May be null depending on whether certificates are handled by the implementing class.
- Specified by: getCertificate in interface PkiCredential
- Overrides: getCertificate in class AbstractPkiCredential
- Returns: the certificate, or null if no certificate is configured for the credential

getCertificateChain
Gets a certificate chain for the credential, where the first element is the entity certificate (PkiCredential.getCertificate()). If no certificate is configured for the credential, an empty list is returned.
- Specified by: getCertificateChain in interface PkiCredential
- Overrides: getCertificateChain in class AbstractPkiCredential
- Returns: a list of certificates, or an empty list

getPrivateKey
Gets the private key.
- Specified by: getPrivateKey in interface PkiCredential
- Overrides: getPrivateKey in class AbstractPkiCredential
- Returns: the private key

setPrivateKey
public void setPrivateKey(PrivateKey privateKey)
Will throw an IllegalArgumentException since the private key will be read from the keystore.
- Overrides: setPrivateKey in class AbstractPkiCredential
- Parameters: privateKey - the private key

reload
public void reload() throws Exception
If the KeyStoreCredential is of PKCS#11 type, the method will reload the private key.
- Throws: Exception - for reloading errors

getDefaultName
protected String getDefaultName()
If the credential name property is not explicitly assigned using AbstractPkiCredential.setName(String), a name is calculated based on the credential's properties. Implementations must not assume that the object has been correctly initialized.
- Specified by: getDefaultName in class AbstractPkiCredential
- Returns: the credential name