Example #1
0
  /**
   * Assigns the given certificate to the given alias.
   *
   * <p>If the given alias already exists in this keystore and identifies a <i>trusted certificate
   * entry</i>, the certificate associated with it is overridden by the given certificate.
   *
   * @param alias the alias name
   * @param cert the certificate
   * @exception KeyStoreException if the given alias already exists and does not identify a
   *     <i>trusted certificate entry</i>, or this operation fails for some other reason.
   */
  public void engineSetCertificateEntry(String alias, Certificate cert) throws KeyStoreException {
    permissionCheck();

    synchronized (entries) {
      Object entry = entries.get(alias.toLowerCase());
      if ((entry != null) && (entry instanceof KeyEntry)) {
        throw new KeyStoreException("Cannot overwrite key entry with certificate");
      }

      // This will be slow, but necessary.  Enumerate the values and then see if the cert matches
      // the one in the trusted cert entry.
      // Security framework doesn't support the same certificate twice in a keychain.
      Collection<Object> allValues = entries.values();

      for (Object value : allValues) {
        if (value instanceof TrustedCertEntry) {
          TrustedCertEntry tce = (TrustedCertEntry) value;
          if (tce.cert.equals(cert)) {
            throw new KeyStoreException(
                "Keychain does not support mulitple copies of same certificate.");
          }
        }
      }

      TrustedCertEntry trustedCertEntry = new TrustedCertEntry();
      trustedCertEntry.cert = cert;
      trustedCertEntry.date = new Date();
      String lowerAlias = alias.toLowerCase();
      if (entries.get(lowerAlias) != null) {
        deletedEntries.put(lowerAlias, entries.get(lowerAlias));
      }
      entries.put(lowerAlias, trustedCertEntry);
      addedEntries.put(lowerAlias, trustedCertEntry);
    }
  }
Example #2
0
  /**
   * Assigns the given key (that has already been protected) to the given alias.
   *
   * <p>If the protected key is of type <code>java.security.PrivateKey</code>, it must be
   * accompanied by a certificate chain certifying the corresponding public key. If the underlying
   * keystore implementation is of type <code>jks</code>, <code>key</code> must be encoded as an
   * <code>EncryptedPrivateKeyInfo</code> as defined in the PKCS #8 standard.
   *
   * <p>If the given alias already exists, the keystore information associated with it is overridden
   * by the given key (and possibly certificate chain).
   *
   * @param alias the alias name
   * @param key the key (in protected format) to be associated with the alias
   * @param chain the certificate chain for the corresponding public key (only useful if the
   *     protected key is of type <code>java.security.PrivateKey</code>).
   * @exception KeyStoreException if this operation fails.
   */
  public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain)
      throws KeyStoreException {
    permissionCheck();

    synchronized (entries) {
      // key must be encoded as EncryptedPrivateKeyInfo as defined in
      // PKCS#8
      KeyEntry entry = new KeyEntry();
      try {
        EncryptedPrivateKeyInfo privateKey = new EncryptedPrivateKeyInfo(key);
        entry.protectedPrivKey = privateKey.getEncoded();
      } catch (IOException ioe) {
        throw new KeyStoreException("key is not encoded as " + "EncryptedPrivateKeyInfo");
      }

      entry.date = new Date();

      if ((chain != null) && (chain.length != 0)) {
        entry.chain = chain.clone();
        entry.chainRefs = new long[entry.chain.length];
      }

      String lowerAlias = alias.toLowerCase();
      if (entries.get(lowerAlias) != null) {
        deletedEntries.put(lowerAlias, entries.get(alias));
      }
      entries.put(lowerAlias, entry);
      addedEntries.put(lowerAlias, entry);
    }
  }
Example #3
0
  /**
   * Callback method from _scanKeychain. If a trusted certificate is found, this method will be
   * called.
   */
  private void createTrustedCertEntry(
      String alias, long keychainItemRef, long creationDate, byte[] derStream) {
    TrustedCertEntry tce = new TrustedCertEntry();

    try {
      CertificateFactory cf = CertificateFactory.getInstance("X.509");
      InputStream input = new ByteArrayInputStream(derStream);
      X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
      input.close();
      tce.cert = cert;
      tce.certRef = keychainItemRef;

      // Make a creation date.
      if (creationDate != 0) tce.date = new Date(creationDate);
      else tce.date = new Date();

      int uniqueVal = 1;
      String originalAlias = alias;

      while (entries.containsKey(alias.toLowerCase())) {
        alias = originalAlias + " " + uniqueVal;
        uniqueVal++;
      }

      entries.put(alias.toLowerCase(), tce);
    } catch (Exception e) {
      // The certificate will be skipped.
      System.err.println("KeychainStore Ignored Exception: " + e);
    }
  }
Example #4
0
  /**
   * Deletes the entry identified by the given alias from this keystore.
   *
   * @param alias the alias name
   * @exception KeyStoreException if the entry cannot be removed.
   */
  public void engineDeleteEntry(String alias) throws KeyStoreException {
    permissionCheck();

    synchronized (entries) {
      Object entry = entries.remove(alias.toLowerCase());
      deletedEntries.put(alias.toLowerCase(), entry);
    }
  }
Example #5
0
  /**
   * Assigns the given key to the given alias, protecting it with the given password.
   *
   * <p>If the given key is of type <code>java.security.PrivateKey</code>, it must be accompanied by
   * a certificate chain certifying the corresponding public key.
   *
   * <p>If the given alias already exists, the keystore information associated with it is overridden
   * by the given key (and possibly certificate chain).
   *
   * @param alias the alias name
   * @param key the key to be associated with the alias
   * @param password the password to protect the key
   * @param chain the certificate chain for the corresponding public key (only required if the given
   *     key is of type <code>java.security.PrivateKey</code>).
   * @exception KeyStoreException if the given key cannot be protected, or this operation fails for
   *     some other reason
   */
  public void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain)
      throws KeyStoreException {
    permissionCheck();

    synchronized (entries) {
      try {
        KeyEntry entry = new KeyEntry();
        entry.date = new Date();

        if (key instanceof PrivateKey) {
          if ((key.getFormat().equals("PKCS#8")) || (key.getFormat().equals("PKCS8"))) {
            entry.protectedPrivKey = encryptPrivateKey(key.getEncoded(), password);
            entry.password = password.clone();
          } else {
            throw new KeyStoreException("Private key is not encoded as PKCS#8");
          }
        } else {
          throw new KeyStoreException("Key is not a PrivateKey");
        }

        // clone the chain
        if (chain != null) {
          if ((chain.length > 1) && !validateChain(chain)) {
            throw new KeyStoreException("Certificate chain does not validate");
          }

          entry.chain = chain.clone();
          entry.chainRefs = new long[entry.chain.length];
        }

        String lowerAlias = alias.toLowerCase();
        if (entries.get(lowerAlias) != null) {
          deletedEntries.put(lowerAlias, entries.get(lowerAlias));
        }

        entries.put(lowerAlias, entry);
        addedEntries.put(lowerAlias, entry);
      } catch (Exception nsae) {
        KeyStoreException ke = new KeyStoreException("Key protection algorithm not found: " + nsae);
        ke.initCause(nsae);
        throw ke;
      }
    }
  }
Example #6
0
  /**
   * Callback method from _scanKeychain. If an identity is found, this method will be called to
   * create Java certificate and private key objects from the keychain data.
   */
  private void createKeyEntry(
      String alias,
      long creationDate,
      long secKeyRef,
      long[] secCertificateRefs,
      byte[][] rawCertData)
      throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException {
    KeyEntry ke = new KeyEntry();

    // First, store off the private key information.  This is the easy part.
    ke.protectedPrivKey = null;
    ke.keyRef = secKeyRef;

    // Make a creation date.
    if (creationDate != 0) ke.date = new Date(creationDate);
    else ke.date = new Date();

    // Next, create X.509 Certificate objects from the raw data.  This is complicated
    // because a certificate's public key may be too long for Java's default encryption strength.
    List<CertKeychainItemPair> createdCerts = new ArrayList<>();

    try {
      CertificateFactory cf = CertificateFactory.getInstance("X.509");

      for (int i = 0; i < rawCertData.length; i++) {
        try {
          InputStream input = new ByteArrayInputStream(rawCertData[i]);
          X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
          input.close();

          // We successfully created the certificate, so track it and its corresponding
          // SecCertificateRef.
          createdCerts.add(new CertKeychainItemPair(secCertificateRefs[i], cert));
        } catch (CertificateException e) {
          // The certificate will be skipped.
          System.err.println("KeychainStore Ignored Exception: " + e);
        }
      }
    } catch (CertificateException e) {
      e.printStackTrace();
    } catch (IOException ioe) {
      ioe.printStackTrace(); // How would this happen?
    }

    // We have our certificates in the List, so now extract them into an array of
    // Certificates and SecCertificateRefs.
    CertKeychainItemPair[] objArray = createdCerts.toArray(new CertKeychainItemPair[0]);
    Certificate[] certArray = new Certificate[objArray.length];
    long[] certRefArray = new long[objArray.length];

    for (int i = 0; i < objArray.length; i++) {
      CertKeychainItemPair addedItem = objArray[i];
      certArray[i] = addedItem.mCert;
      certRefArray[i] = addedItem.mCertificateRef;
    }

    ke.chain = certArray;
    ke.chainRefs = certRefArray;

    // If we don't have already have an item with this item's alias
    // create a new one for it.
    int uniqueVal = 1;
    String originalAlias = alias;

    while (entries.containsKey(alias.toLowerCase())) {
      alias = originalAlias + " " + uniqueVal;
      uniqueVal++;
    }

    entries.put(alias.toLowerCase(), ke);
  }