Class Pkcs11Credential
java.lang.Object
se.swedenconnect.security.credential.AbstractPkiCredential
se.swedenconnect.security.credential.AbstractReloadablePkiCredential
se.swedenconnect.security.credential.Pkcs11Credential
- All Implemented Interfaces:
DisposableBean,InitializingBean,PkiCredential,ReloadablePkiCredential
A PKCS#11 credential implementation of the
PkiCredential and ReloadablePkiCredential interfaces.- Author:
- Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
-
Constructor Summary
ConstructorsConstructorDescriptionDefault constructor.Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin) Constructor.Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin, X509Certificate certificate) Constructor that takes a X.509 certificate as an argument.Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin, List<X509Certificate> certificates) Constructor that takes a list of X.509 certificates as an argument. -
Method Summary
Modifier and TypeMethodDescriptionvoidThe default implementation verfies that the public key and the private key is available.voiddestroy()Implementations that need to perform clean-up actions should override this method.Gets the certificate holding the public key of the key pair.Gets a certificate chain for the credential, where the first element is the entity certificate (PkiCredential.getCertificate()).protected StringIf the credentialnameproperty is not explicitly assigned usingAbstractPkiCredential.setName(String)a name is calculated based on a credential's properties.Gets the private key.Gets the public key.booleanReturnstrue.voidreload()Is called if the connection to the device has been lost.voidAssigns the alias of the key pair on the token.voidsetConfiguration(Pkcs11Configuration configuration) Assigns the PKCS#11 configuration for the token that holds this credential.voidsetConfigurationFile(String configurationFile) Assigns the PKCS#11 configuration file to use.voidsetPin(char[] pin) Assigns the PIN (key password) needed to unlock the token.voidsetPrivateKey(PrivateKey privateKey) Will throw anIllegalArgumentExceptionsince the private key will be read from the device.voidsetPublicKey(PublicKey publicKey) Will throw anIllegalArgumentExceptionsince the public key will be read from the certificate.Methods inherited from class se.swedenconnect.security.credential.AbstractReloadablePkiCredential
getTestFunction, setTestFunctionMethods inherited from class se.swedenconnect.security.credential.AbstractPkiCredential
getName, setCertificate, setCertificate, setCertificateChain, setName, setPrivateKey, setPrivateKeyMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface se.swedenconnect.security.credential.PkiCredential
getName, init, setCertificate, setCertificateChain
-
Constructor Details
-
Pkcs11Credential
public Pkcs11Credential()Default constructor. -
Pkcs11Credential
public Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin) throws IllegalArgumentException, SecurityException Constructor.- Parameters:
configuration- the PKCS#11 configurationalias- the token entry from where to load the private key and certificatepin- the PIN to unlock the token- Throws:
IllegalArgumentException- for missing parametersSecurityException- if loading of the private key and/or certificate fails
-
Pkcs11Credential
public Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin, X509Certificate certificate) Constructor that takes a X.509 certificate as an argument. This constructor should be used if we know that the certificate is not placed on the device (only the private key).- Parameters:
configuration- the PKCS#11 configurationalias- the token entry from where to load the private keypin- the PIN to unlock the tokencertificate- the certificate
-
Pkcs11Credential
public Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin, List<X509Certificate> certificates) Constructor that takes a list of X.509 certificates as an argument. This constructor should be used if we know that the certificate chain is not placed on the device (only the private key).- Parameters:
configuration- the PKCS#11 configurationalias- the token entry from where to load the private keypin- the PIN to unlock the tokencertificates- the certificate chain (entity certificate placed first)
-
-
Method Details
-
afterPropertiesSet
The default implementation verfies that the public key and the private key is available. Implementations that needs to be initialized (for example by loading the keys) should override this method.- Specified by:
afterPropertiesSetin interfaceInitializingBean- Overrides:
afterPropertiesSetin classAbstractPkiCredential- Throws:
Exception
-
destroy
public void destroy()Implementations that need to perform clean-up actions should override this method. The default implementation does nothing.- Specified by:
destroyin interfaceDisposableBean- Overrides:
destroyin classAbstractPkiCredential
-
isHardwareCredential
public boolean isHardwareCredential()Returnstrue.- Returns:
trueif the credential resides in a hardware module andfalseotherwise
-
getPrivateKey
Gets the private key.- Specified by:
getPrivateKeyin interfacePkiCredential- Overrides:
getPrivateKeyin classAbstractPkiCredential- Returns:
- the private key
-
setPrivateKey
Will throw anIllegalArgumentExceptionsince the private key will be read from the device.- Overrides:
setPrivateKeyin classAbstractPkiCredential- Parameters:
privateKey- the private key
-
getPublicKey
Gets the public key.- Specified by:
getPublicKeyin interfacePkiCredential- Overrides:
getPublicKeyin classAbstractPkiCredential- Returns:
- the public key
-
setPublicKey
Will throw anIllegalArgumentExceptionsince the public key will be read from the certificate.- Overrides:
setPublicKeyin classAbstractPkiCredential- Parameters:
publicKey- the public key.
-
getCertificate
Gets the certificate holding the public key of the key pair. May be null depending on whether certificates are handled by the implementing class.- Specified by:
getCertificatein interfacePkiCredential- Overrides:
getCertificatein classAbstractPkiCredential- Returns:
- the certificate, or null if no certificate is configured for the credential
-
getCertificateChain
Gets a certificate chain for the credential, where the first element is the entity certificate (PkiCredential.getCertificate()). If no certificate is configured for the credential an empty list is returned.- Specified by:
getCertificateChainin interfacePkiCredential- Overrides:
getCertificateChainin classAbstractPkiCredential- Returns:
- a list of certificates, or an empty list
-
setConfiguration
Assigns the PKCS#11 configuration for the token that holds this credential.- Parameters:
configuration- the configuration
-
setConfigurationFile
Assigns the PKCS#11 configuration file to use.Note: An instance of
DefaultPkcs11Configurationwill be created. This assumes the use of the SunPKCS11 security provider. If another provider is desired, use thesetConfiguration(Pkcs11Configuration)instead.- Parameters:
configurationFile- complete path to the PKCS#11 configuration file- Throws:
Pkcs11ConfigurationException- if the configuration file is invalid
-
setAlias
Assigns the alias of the key pair on the token.- Parameters:
alias- the alias
-
setPin
public void setPin(char[] pin) Assigns the PIN (key password) needed to unlock the token.- Parameters:
pin- the PIN
-
reload
Is called if the connection to the device has been lost. In those cases we reload the private key.- Throws:
Exception- for reloading errors
-
getDefaultName
If the credentialnameproperty is not explicitly assigned usingAbstractPkiCredential.setName(String)a name is calculated based on a credential's properties.Implementations must not assume that the object has been correctly initialized.
- Specified by:
getDefaultNamein classAbstractPkiCredential- Returns:
- the credential name
-