Package se.swedenconnect.security.credential.pkcs11

Class Pkcs11Credential

java.lang.Object

se.swedenconnect.security.credential.AbstractPkiCredential

se.swedenconnect.security.credential.AbstractReloadablePkiCredential

se.swedenconnect.security.credential.pkcs11.Pkcs11Credential

All Implemented Interfaces:

PkiCredential, ReloadablePkiCredential

public class Pkcs11Credential
extends AbstractReloadablePkiCredential

A PKCS#11 credential implementation of the PkiCredential and ReloadablePkiCredential interfaces.

Note: In all cases where the SunPKCS11 security provider is used, it is recommended to use the KeyStoreCredential implementation instead.

Author:

Martin Lindström (martin@idsec.se), Stefan Santesson (stefan@idsec.se)

Nested Class Summary

Nested classes/interfaces inherited from interface se.swedenconnect.security.credential.PkiCredential

PkiCredential.Metadata

Constructor Summary

Constructors

Constructor	Description
Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin, Pkcs11PrivateKeyAccessor privateKeyAccessor, List<X509Certificate> certificates)	Constructor that takes a list of X.509 certificates as an argument instead of a Pkcs11CertificatesAccessor.
Pkcs11Credential(Pkcs11Configuration configuration, String alias, char[] pin, Pkcs11PrivateKeyAccessor privateKeyAccessor, Pkcs11CertificatesAccessor certificatesAccessor)	Constructor.

Method Summary

Modifier and Type	Method	Description
void	destroy()	Clears the saved PIN code.
List<X509Certificate>	getCertificateChain()	Gets a certificate chain for the credential, where the first element is the entity certificate (PkiCredential.getCertificate()).
protected String	getDefaultName()	If the credential name property is not explicitly assigned using AbstractPkiCredential.setName(String) a name is calculated based on a credential's properties.
PrivateKey	getPrivateKey()	Gets the private key.
boolean	isHardwareCredential()	Returns true.
void	reload()	Is called if the connection to the device has been lost.

Methods inherited from class se.swedenconnect.security.credential.AbstractReloadablePkiCredential

getTestFunction, setTestFunction

Methods inherited from class se.swedenconnect.security.credential.AbstractPkiCredential

getMetadata, getName, getPublicKey, getStandalonePublicKey, setName, updateMetadataValidityProperties

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface se.swedenconnect.security.credential.PkiCredential

getCertificate, getMetadata, getName, getPublicKey, transform

Constructor Details

Pkcs11Credential

public Pkcs11Credential(@Nonnull
 Pkcs11Configuration configuration,
 @Nonnull
 String alias,
 @Nonnull
 char[] pin,
 @Nonnull
 Pkcs11PrivateKeyAccessor privateKeyAccessor,
 @Nonnull
 Pkcs11CertificatesAccessor certificatesAccessor)
                 throws Pkcs11ConfigurationException

Constructor.

Parameters:

configuration - the PKCS#11 configuration

alias - the token entry from where to load the private key and certificate

pin - the PIN to unlock the token

privateKeyAccessor - the Pkcs11PrivateKeyAccessor

certificatesAccessor - the Pkcs11CertificatesAccessor

Throws:

Pkcs11ConfigurationException - for configuration errors

Pkcs11Credential

public Pkcs11Credential(@Nonnull
 Pkcs11Configuration configuration,
 @Nonnull
 String alias,
 @Nonnull
 char[] pin,
 @Nonnull
 Pkcs11PrivateKeyAccessor privateKeyAccessor,
 @Nonnull
 List<X509Certificate> certificates)
                 throws Pkcs11ConfigurationException

Constructor that takes a list of X.509 certificates as an argument instead of a Pkcs11CertificatesAccessor. This constructor should be used if we know that the certificate chain is not placed on the device (only the private key).

Parameters:

configuration - the PKCS#11 configuration

alias - the token entry from where to load the private key and certificate

pin - the PIN to unlock the token

privateKeyAccessor - the Pkcs11PrivateKeyAccessor

certificates - the certificate chain (entity certificate placed first)

Throws:

Pkcs11ConfigurationException - for configuration errors

Method Details

getPrivateKey

@Nonnull
public PrivateKey getPrivateKey()

Gets the private key.

Returns:

the private key

getCertificateChain

@Nonnull
public List<X509Certificate> getCertificateChain()

Gets a certificate chain for the credential, where the first element is the entity certificate (PkiCredential.getCertificate()). If no certificate is configured for the credential an empty list is returned.

Returns:

a list of certificates, or an empty list

isHardwareCredential

public boolean isHardwareCredential()

Returns true.

Returns:

true if the credential resides in a hardware module and false otherwise

reload

public void reload()
            throws Exception

Is called if the connection to the device has been lost. In those cases we reload the private key.

Throws:

Exception - for reloading errors

destroy

@PreDestroy
public void destroy()

Clears the saved PIN code.

getDefaultName

@Nonnull
protected String getDefaultName()

If the credential name property is not explicitly assigned using AbstractPkiCredential.setName(String) a name is calculated based on a credential's properties.

Specified by:

getDefaultName in class AbstractPkiCredential

Returns:

the credential name