/**
* Assigns the given key (that has already been protected) to the given alias.
*
* <p>If the protected key is of type <code>java.security.PrivateKey</code>, it must be
* accompanied by a certificate chain certifying the corresponding public key. If the underlying
* keystore implementation is of type <code>jks</code>, <code>key</code> must be encoded as an
* <code>EncryptedPrivateKeyInfo</code> as defined in the PKCS #8 standard.
*
* <p>If the given alias already exists, the keystore information associated with it is overridden
* by the given key (and possibly certificate chain).
*
* @param alias the alias name
* @param key the key (in protected format) to be associated with the alias
* @param chain the certificate chain for the corresponding public key (only useful if the
* protected key is of type <code>java.security.PrivateKey</code>).
* @exception KeyStoreException if this operation fails.
*/
public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain)
throws KeyStoreException {
permissionCheck();
synchronized (entries) {
// key must be encoded as EncryptedPrivateKeyInfo as defined in
// PKCS#8
KeyEntry entry = new KeyEntry();
try {
EncryptedPrivateKeyInfo privateKey = new EncryptedPrivateKeyInfo(key);
entry.protectedPrivKey = privateKey.getEncoded();
} catch (IOException ioe) {
throw new KeyStoreException("key is not encoded as " + "EncryptedPrivateKeyInfo");
}
entry.date = new Date();
if ((chain != null) && (chain.length != 0)) {
entry.chain = chain.clone();
entry.chainRefs = new long[entry.chain.length];
}
String lowerAlias = alias.toLowerCase();
if (entries.get(lowerAlias) != null) {
deletedEntries.put(lowerAlias, entries.get(alias));
}
entries.put(lowerAlias, entry);
addedEntries.put(lowerAlias, entry);
}
}
/**
* Assigns the given key to the given alias, protecting it with the given password.
*
* <p>If the given key is of type <code>java.security.PrivateKey</code>, it must be accompanied by
* a certificate chain certifying the corresponding public key.
*
* <p>If the given alias already exists, the keystore information associated with it is overridden
* by the given key (and possibly certificate chain).
*
* @param alias the alias name
* @param key the key to be associated with the alias
* @param password the password to protect the key
* @param chain the certificate chain for the corresponding public key (only required if the given
* key is of type <code>java.security.PrivateKey</code>).
* @exception KeyStoreException if the given key cannot be protected, or this operation fails for
* some other reason
*/
public void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain)
throws KeyStoreException {
permissionCheck();
synchronized (entries) {
try {
KeyEntry entry = new KeyEntry();
entry.date = new Date();
if (key instanceof PrivateKey) {
if ((key.getFormat().equals("PKCS#8")) || (key.getFormat().equals("PKCS8"))) {
entry.protectedPrivKey = encryptPrivateKey(key.getEncoded(), password);
entry.password = password.clone();
} else {
throw new KeyStoreException("Private key is not encoded as PKCS#8");
}
} else {
throw new KeyStoreException("Key is not a PrivateKey");
}
// clone the chain
if (chain != null) {
if ((chain.length > 1) && !validateChain(chain)) {
throw new KeyStoreException("Certificate chain does not validate");
}
entry.chain = chain.clone();
entry.chainRefs = new long[entry.chain.length];
}
String lowerAlias = alias.toLowerCase();
if (entries.get(lowerAlias) != null) {
deletedEntries.put(lowerAlias, entries.get(lowerAlias));
}
entries.put(lowerAlias, entry);
addedEntries.put(lowerAlias, entry);
} catch (Exception nsae) {
KeyStoreException ke = new KeyStoreException("Key protection algorithm not found: " + nsae);
ke.initCause(nsae);
throw ke;
}
}
}
/**
* Callback method from _scanKeychain. If an identity is found, this method will be called to
* create Java certificate and private key objects from the keychain data.
*/
private void createKeyEntry(
String alias,
long creationDate,
long secKeyRef,
long[] secCertificateRefs,
byte[][] rawCertData)
throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException {
KeyEntry ke = new KeyEntry();
// First, store off the private key information. This is the easy part.
ke.protectedPrivKey = null;
ke.keyRef = secKeyRef;
// Make a creation date.
if (creationDate != 0) ke.date = new Date(creationDate);
else ke.date = new Date();
// Next, create X.509 Certificate objects from the raw data. This is complicated
// because a certificate's public key may be too long for Java's default encryption strength.
List<CertKeychainItemPair> createdCerts = new ArrayList<>();
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
for (int i = 0; i < rawCertData.length; i++) {
try {
InputStream input = new ByteArrayInputStream(rawCertData[i]);
X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
input.close();
// We successfully created the certificate, so track it and its corresponding
// SecCertificateRef.
createdCerts.add(new CertKeychainItemPair(secCertificateRefs[i], cert));
} catch (CertificateException e) {
// The certificate will be skipped.
System.err.println("KeychainStore Ignored Exception: " + e);
}
}
} catch (CertificateException e) {
e.printStackTrace();
} catch (IOException ioe) {
ioe.printStackTrace(); // How would this happen?
}
// We have our certificates in the List, so now extract them into an array of
// Certificates and SecCertificateRefs.
CertKeychainItemPair[] objArray = createdCerts.toArray(new CertKeychainItemPair[0]);
Certificate[] certArray = new Certificate[objArray.length];
long[] certRefArray = new long[objArray.length];
for (int i = 0; i < objArray.length; i++) {
CertKeychainItemPair addedItem = objArray[i];
certArray[i] = addedItem.mCert;
certRefArray[i] = addedItem.mCertificateRef;
}
ke.chain = certArray;
ke.chainRefs = certRefArray;
// If we don't have already have an item with this item's alias
// create a new one for it.
int uniqueVal = 1;
String originalAlias = alias;
while (entries.containsKey(alias.toLowerCase())) {
alias = originalAlias + " " + uniqueVal;
uniqueVal++;
}
entries.put(alias.toLowerCase(), ke);
}
/**
* Stores this keystore to the given output stream, and protects its integrity with the given
* password.
*
* @param stream Ignored. the output stream to which this keystore is written.
* @param password the password to generate the keystore integrity check
* @exception IOException if there was an I/O problem with data
* @exception NoSuchAlgorithmException if the appropriate data integrity algorithm could not be
* found
* @exception CertificateException if any of the certificates included in the keystore data could
* not be stored
*/
public void engineStore(OutputStream stream, char[] password)
throws IOException, NoSuchAlgorithmException, CertificateException {
permissionCheck();
// Delete items that do have a keychain item ref.
for (Enumeration<String> e = deletedEntries.keys(); e.hasMoreElements(); ) {
String alias = e.nextElement();
Object entry = deletedEntries.get(alias);
if (entry instanceof TrustedCertEntry) {
if (((TrustedCertEntry) entry).certRef != 0) {
_removeItemFromKeychain(((TrustedCertEntry) entry).certRef);
_releaseKeychainItemRef(((TrustedCertEntry) entry).certRef);
}
} else {
Certificate certElem;
KeyEntry keyEntry = (KeyEntry) entry;
if (keyEntry.chain != null) {
for (int i = 0; i < keyEntry.chain.length; i++) {
if (keyEntry.chainRefs[i] != 0) {
_removeItemFromKeychain(keyEntry.chainRefs[i]);
_releaseKeychainItemRef(keyEntry.chainRefs[i]);
}
}
if (keyEntry.keyRef != 0) {
_removeItemFromKeychain(keyEntry.keyRef);
_releaseKeychainItemRef(keyEntry.keyRef);
}
}
}
}
// Add all of the certs or keys in the added entries.
// No need to check for 0 refs, as they are in the added list.
for (Enumeration<String> e = addedEntries.keys(); e.hasMoreElements(); ) {
String alias = e.nextElement();
Object entry = addedEntries.get(alias);
if (entry instanceof TrustedCertEntry) {
TrustedCertEntry tce = (TrustedCertEntry) entry;
Certificate certElem;
certElem = tce.cert;
tce.certRef = addCertificateToKeychain(alias, certElem);
} else {
KeyEntry keyEntry = (KeyEntry) entry;
if (keyEntry.chain != null) {
for (int i = 0; i < keyEntry.chain.length; i++) {
keyEntry.chainRefs[i] = addCertificateToKeychain(alias, keyEntry.chain[i]);
}
keyEntry.keyRef =
_addItemToKeychain(alias, false, keyEntry.protectedPrivKey, keyEntry.password);
}
}
}
// Clear the added and deletedEntries hashtables here, now that we're done with the updates.
// For the deleted entries, we freed up the native references above.
deletedEntries.clear();
addedEntries.clear();
}
