/**
* Assigns the given key (that has already been protected) to the given alias.
*
* <p>If the protected key is of type <code>java.security.PrivateKey</code>, it must be
* accompanied by a certificate chain certifying the corresponding public key. If the underlying
* keystore implementation is of type <code>jks</code>, <code>key</code> must be encoded as an
* <code>EncryptedPrivateKeyInfo</code> as defined in the PKCS #8 standard.
*
* <p>If the given alias already exists, the keystore information associated with it is overridden
* by the given key (and possibly certificate chain).
*
* @param alias the alias name
* @param key the key (in protected format) to be associated with the alias
* @param chain the certificate chain for the corresponding public key (only useful if the
* protected key is of type <code>java.security.PrivateKey</code>).
* @exception KeyStoreException if this operation fails.
*/
public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain)
throws KeyStoreException {
permissionCheck();
synchronized (entries) {
// key must be encoded as EncryptedPrivateKeyInfo as defined in
// PKCS#8
KeyEntry entry = new KeyEntry();
try {
EncryptedPrivateKeyInfo privateKey = new EncryptedPrivateKeyInfo(key);
entry.protectedPrivKey = privateKey.getEncoded();
} catch (IOException ioe) {
throw new KeyStoreException("key is not encoded as " + "EncryptedPrivateKeyInfo");
}
entry.date = new Date();
if ((chain != null) && (chain.length != 0)) {
entry.chain = chain.clone();
entry.chainRefs = new long[entry.chain.length];
}
String lowerAlias = alias.toLowerCase();
if (entries.get(lowerAlias) != null) {
deletedEntries.put(lowerAlias, entries.get(alias));
}
entries.put(lowerAlias, entry);
addedEntries.put(lowerAlias, entry);
}
}
/*
* Encrypt private key using Password-based encryption (PBE)
* as defined in PKCS#5.
*
* NOTE: Currently pbeWithSHAAnd3-KeyTripleDES-CBC algorithmID is
* used to derive the key and IV.
*
* @return encrypted private key encoded as EncryptedPrivateKeyInfo
*/
private byte[] encryptPrivateKey(byte[] data, char[] password)
throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException {
byte[] key = null;
try {
// create AlgorithmParameters
AlgorithmParameters algParams = getAlgorithmParameters("PBEWithSHA1AndDESede");
// Use JCE
SecretKey skey = getPBEKey(password);
Cipher cipher = Cipher.getInstance("PBEWithSHA1AndDESede");
cipher.init(Cipher.ENCRYPT_MODE, skey, algParams);
byte[] encryptedKey = cipher.doFinal(data);
// wrap encrypted private key in EncryptedPrivateKeyInfo
// as defined in PKCS#8
AlgorithmId algid = new AlgorithmId(pbeWithSHAAnd3KeyTripleDESCBC_OID, algParams);
EncryptedPrivateKeyInfo encrInfo = new EncryptedPrivateKeyInfo(algid, encryptedKey);
key = encrInfo.getEncoded();
} catch (Exception e) {
UnrecoverableKeyException uke =
new UnrecoverableKeyException("Encrypt Private Key failed: " + e.getMessage());
uke.initCause(e);
throw uke;
}
return key;
}
