Class Pkcs11Credential

java.lang.Object
  se.swedenconnect.security.credential.AbstractPkiCredential
    se.swedenconnect.security.credential.AbstractReloadablePkiCredential
      se.swedenconnect.security.credential.Pkcs11Credential

All Implemented Interfaces:
  DisposableBean, InitializingBean, PkiCredential, ReloadablePkiCredential

A PKCS#11 credential implementation of the PkiCredential and ReloadablePkiCredential interfaces.

Author:
  Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)
Constructor Summary

Pkcs11Credential()
    Default constructor.

Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin)
    Constructor.

Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin, X509Certificate certificate)
    Constructor that takes an X.509 certificate as an argument.

Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin, List<X509Certificate> certificates)
    Constructor that takes a list of X.509 certificates as an argument.
Method Summary

void afterPropertiesSet()
    The default implementation verifies that the public key and the private key are available.

void destroy()
    Implementations that need to perform clean-up actions should override this method.

X509Certificate getCertificate()
    Gets the certificate holding the public key of the key pair.

List<X509Certificate> getCertificateChain()
    Gets a certificate chain for the credential, where the first element is the entity certificate (PkiCredential.getCertificate()).

protected String getDefaultName()
    If the credential name property is not explicitly assigned using AbstractPkiCredential.setName(String), a name is calculated based on the credential's properties.

PrivateKey getPrivateKey()
    Gets the private key.

PublicKey getPublicKey()
    Gets the public key.

boolean isHardwareCredential()
    Returns true.

void reload()
    Is called if the connection to the device has been lost.

void setAlias(String alias)
    Assigns the alias of the key pair on the token.

void setConfiguration(Pkcs11Configuration configuration)
    Assigns the PKCS#11 configuration for the token that holds this credential.

void setConfigurationFile(String configurationFile)
    Assigns the PKCS#11 configuration file to use.

void setPin(char[] pin)
    Assigns the PIN (key password) needed to unlock the token.

void setPrivateKey(PrivateKey privateKey)
    Will throw an IllegalArgumentException since the private key will be read from the device.

void setPublicKey(PublicKey publicKey)
    Will throw an IllegalArgumentException since the public key will be read from the certificate.

Methods inherited from class se.swedenconnect.security.credential.AbstractReloadablePkiCredential
  getTestFunction, setTestFunction

Methods inherited from class se.swedenconnect.security.credential.AbstractPkiCredential
  getName, setCertificate, setCertificate, setCertificateChain, setName, setPrivateKey, setPrivateKey

Methods inherited from class java.lang.Object
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface se.swedenconnect.security.credential.PkiCredential
  getName, init, setCertificate, setCertificateChain
Constructor Details

Pkcs11Credential
  public Pkcs11Credential()
  Default constructor.

Pkcs11Credential
  public Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin) throws IllegalArgumentException, SecurityException
  Constructor.
  Parameters:
    configuration - the PKCS#11 configuration
    alias - the token entry from where to load the private key and certificate
    pin - the PIN to unlock the token
  Throws:
    IllegalArgumentException - for missing parameters
    SecurityException - if loading of the private key and/or certificate fails

Pkcs11Credential
  public Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin, X509Certificate certificate)
  Constructor that takes an X.509 certificate as an argument. This constructor should be used if we know that the certificate is not placed on the device (only the private key).
  Parameters:
    configuration - the PKCS#11 configuration
    alias - the token entry from where to load the private key
    pin - the PIN to unlock the token
    certificate - the certificate

Pkcs11Credential
  public Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin, List<X509Certificate> certificates)
  Constructor that takes a list of X.509 certificates as an argument. This constructor should be used if we know that the certificate chain is not placed on the device (only the private key).
  Parameters:
    configuration - the PKCS#11 configuration
    alias - the token entry from where to load the private key
    pin - the PIN to unlock the token
    certificates - the certificate chain (entity certificate placed first)
Method Details

afterPropertiesSet
  public void afterPropertiesSet() throws Exception
  The default implementation verifies that the public key and the private key are available. Implementations that need to be initialized (for example by loading the keys) should override this method.
  Specified by:
    afterPropertiesSet in interface InitializingBean
  Overrides:
    afterPropertiesSet in class AbstractPkiCredential
  Throws:
    Exception

destroy
  public void destroy()
  Implementations that need to perform clean-up actions should override this method. The default implementation does nothing.
  Specified by:
    destroy in interface DisposableBean
  Overrides:
    destroy in class AbstractPkiCredential

isHardwareCredential
  public boolean isHardwareCredential()
  Returns true.
  Returns:
    true if the credential resides in a hardware module and false otherwise

getPrivateKey
  public PrivateKey getPrivateKey()
  Gets the private key.
  Specified by:
    getPrivateKey in interface PkiCredential
  Overrides:
    getPrivateKey in class AbstractPkiCredential
  Returns:
    the private key

setPrivateKey
  public void setPrivateKey(PrivateKey privateKey)
  Will throw an IllegalArgumentException since the private key will be read from the device.
  Overrides:
    setPrivateKey in class AbstractPkiCredential
  Parameters:
    privateKey - the private key

getPublicKey
  public PublicKey getPublicKey()
  Gets the public key.
  Specified by:
    getPublicKey in interface PkiCredential
  Overrides:
    getPublicKey in class AbstractPkiCredential
  Returns:
    the public key

setPublicKey
  public void setPublicKey(PublicKey publicKey)
  Will throw an IllegalArgumentException since the public key will be read from the certificate.
  Overrides:
    setPublicKey in class AbstractPkiCredential
  Parameters:
    publicKey - the public key

getCertificate
  public X509Certificate getCertificate()
  Gets the certificate holding the public key of the key pair. May be null depending on whether certificates are handled by the implementing class.
  Specified by:
    getCertificate in interface PkiCredential
  Overrides:
    getCertificate in class AbstractPkiCredential
  Returns:
    the certificate, or null if no certificate is configured for the credential

getCertificateChain
  public List<X509Certificate> getCertificateChain()
  Gets a certificate chain for the credential, where the first element is the entity certificate (PkiCredential.getCertificate()). If no certificate is configured for the credential an empty list is returned.
  Specified by:
    getCertificateChain in interface PkiCredential
  Overrides:
    getCertificateChain in class AbstractPkiCredential
  Returns:
    a list of certificates, or an empty list

setConfiguration
  public void setConfiguration(Pkcs11Configuration configuration)
  Assigns the PKCS#11 configuration for the token that holds this credential.
  Parameters:
    configuration - the configuration

setConfigurationFile
  public void setConfigurationFile(String configurationFile) throws Pkcs11ConfigurationException
  Assigns the PKCS#11 configuration file to use.
  Note: An instance of DefaultPkcs11Configuration will be created. This assumes the use of the SunPKCS11 security provider. If another provider is desired, use setConfiguration(Pkcs11Configuration) instead.
  Parameters:
    configurationFile - complete path to the PKCS#11 configuration file
  Throws:
    Pkcs11ConfigurationException - if the configuration file is invalid

setAlias
  public void setAlias(String alias)
  Assigns the alias of the key pair on the token.
  Parameters:
    alias - the alias

setPin
  public void setPin(char[] pin)
  Assigns the PIN (key password) needed to unlock the token.
  Parameters:
    pin - the PIN

reload
  public void reload() throws Exception
  Is called if the connection to the device has been lost. In those cases we reload the private key.
  Throws:
    Exception - for reloading errors

getDefaultName
  protected String getDefaultName()
  If the credential name property is not explicitly assigned using AbstractPkiCredential.setName(String), a name is calculated based on the credential's properties. Implementations must not assume that the object has been correctly initialized.
  Specified by:
    getDefaultName in class AbstractPkiCredential
  Returns:
    the credential name
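Added example, not part of the library or its documentation: wiring a Pkcs11Credential from a SunPKCS11 configuration file as described under setConfigurationFile, supplying the entity certificate separately (the case the certificate-taking constructors are meant for, when only the private key is on the token), and then signing with the token-held key. The file paths, alias and environment variable are placeholders; init() is the PkiCredential initialization method listed among the inherited methods, and the setCertificate(X509Certificate) overload is assumed from the inherited method list.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import se.swedenconnect.security.credential.Pkcs11Credential;

public class Pkcs11CredentialExample {

  public static void main(String[] args) throws Exception {
    // Placeholder values; adapt to the deployment. The PIN is taken from the
    // environment, not hard-coded, and kept as char[] because the credential
    // needs it again when reload() re-opens the token after a lost connection.
    String configFile = "/etc/hsm/sunpkcs11.cfg";   // SunPKCS11 provider config
    String alias = "signing-key";                   // key pair alias on the token
    char[] pin = System.getenv("HSM_PIN").toCharArray();
    Pkcs11Credential credential = new Pkcs11Credential();
    // setConfigurationFile creates a DefaultPkcs11Configuration and therefore
    // assumes SunPKCS11; for another provider use setConfiguration(...) instead.
    credential.setConfigurationFile(configFile);
    credential.setAlias(alias);
    credential.setPin(pin);
    // Only the private key is on the token: the entity certificate comes from a
    // PEM file (the 4-argument constructor does the same in one step).
    try (InputStream in = Files.newInputStream(Path.of("/etc/hsm/signing-cert.pem"))) {
      credential.setCertificate((X509Certificate) CertificateFactory
          .getInstance("X.509").generateCertificate(in));
    }
    credential.init(); // afterPropertiesSet: loads the key, checks both keys exist
    if (!credential.isHardwareCredential()) {
      throw new IllegalStateException("expected a hardware-backed credential");
    }

    // Sign with the token-held key (never exported) and verify with the certificate.
    byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8);
    PrivateKey key = credential.getPrivateKey();
    Signature signer = Signature.getInstance("SHA256withRSA");
    signer.initSign(key);
    signer.update(data);
    byte[] signature = signer.sign();
    Signature verifier = Signature.getInstance("SHA256withRSA");
    verifier.initVerify(credential.getCertificate().getPublicKey());
    verifier.update(data);
    System.out.println("signature valid: " + verifier.verify(signature));
  }
}
```

The signature algorithm must match the key type of the token entry; swap "SHA256withRSA" for an ECDSA algorithm if the alias refers to an EC key.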