/**
* Assigns the given certificate to the given alias.
*
* <p>If the given alias already exists in this keystore and identifies a <i>trusted certificate
* entry</i>, the certificate associated with it is overridden by the given certificate.
*
* @param alias the alias name
* @param cert the certificate
* @exception KeyStoreException if the given alias already exists and does not identify a
* <i>trusted certificate entry</i>, or this operation fails for some other reason.
*/
public void engineSetCertificateEntry(String alias, Certificate cert) throws KeyStoreException {
permissionCheck();
synchronized (entries) {
Object entry = entries.get(alias.toLowerCase());
if ((entry != null) && (entry instanceof KeyEntry)) {
throw new KeyStoreException("Cannot overwrite key entry with certificate");
}
// This will be slow, but necessary. Enumerate the values and then see if the cert matches
// the one in the trusted cert entry.
// Security framework doesn't support the same certificate twice in a keychain.
Collection<Object> allValues = entries.values();
for (Object value : allValues) {
if (value instanceof TrustedCertEntry) {
TrustedCertEntry tce = (TrustedCertEntry) value;
if (tce.cert.equals(cert)) {
throw new KeyStoreException(
"Keychain does not support mulitple copies of same certificate.");
}
}
}
TrustedCertEntry trustedCertEntry = new TrustedCertEntry();
trustedCertEntry.cert = cert;
trustedCertEntry.date = new Date();
String lowerAlias = alias.toLowerCase();
if (entries.get(lowerAlias) != null) {
deletedEntries.put(lowerAlias, entries.get(lowerAlias));
}
entries.put(lowerAlias, trustedCertEntry);
addedEntries.put(lowerAlias, trustedCertEntry);
}
}
/**
* Assigns the given key (that has already been protected) to the given alias.
*
* <p>If the protected key is of type <code>java.security.PrivateKey</code>, it must be
* accompanied by a certificate chain certifying the corresponding public key. If the underlying
* keystore implementation is of type <code>jks</code>, <code>key</code> must be encoded as an
* <code>EncryptedPrivateKeyInfo</code> as defined in the PKCS #8 standard.
*
* <p>If the given alias already exists, the keystore information associated with it is overridden
* by the given key (and possibly certificate chain).
*
* @param alias the alias name
* @param key the key (in protected format) to be associated with the alias
* @param chain the certificate chain for the corresponding public key (only useful if the
* protected key is of type <code>java.security.PrivateKey</code>).
* @exception KeyStoreException if this operation fails.
*/
public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain)
throws KeyStoreException {
permissionCheck();
synchronized (entries) {
// key must be encoded as EncryptedPrivateKeyInfo as defined in
// PKCS#8
KeyEntry entry = new KeyEntry();
try {
EncryptedPrivateKeyInfo privateKey = new EncryptedPrivateKeyInfo(key);
entry.protectedPrivKey = privateKey.getEncoded();
} catch (IOException ioe) {
throw new KeyStoreException("key is not encoded as " + "EncryptedPrivateKeyInfo");
}
entry.date = new Date();
if ((chain != null) && (chain.length != 0)) {
entry.chain = chain.clone();
entry.chainRefs = new long[entry.chain.length];
}
String lowerAlias = alias.toLowerCase();
if (entries.get(lowerAlias) != null) {
deletedEntries.put(lowerAlias, entries.get(alias));
}
entries.put(lowerAlias, entry);
addedEntries.put(lowerAlias, entry);
}
}
/**
* Callback method from _scanKeychain. If a trusted certificate is found, this method will be
* called.
*/
private void createTrustedCertEntry(
String alias, long keychainItemRef, long creationDate, byte[] derStream) {
TrustedCertEntry tce = new TrustedCertEntry();
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream input = new ByteArrayInputStream(derStream);
X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
input.close();
tce.cert = cert;
tce.certRef = keychainItemRef;
// Make a creation date.
if (creationDate != 0) tce.date = new Date(creationDate);
else tce.date = new Date();
int uniqueVal = 1;
String originalAlias = alias;
while (entries.containsKey(alias.toLowerCase())) {
alias = originalAlias + " " + uniqueVal;
uniqueVal++;
}
entries.put(alias.toLowerCase(), tce);
} catch (Exception e) {
// The certificate will be skipped.
System.err.println("KeychainStore Ignored Exception: " + e);
}
}
/**
* Deletes the entry identified by the given alias from this keystore.
*
* @param alias the alias name
* @exception KeyStoreException if the entry cannot be removed.
*/
public void engineDeleteEntry(String alias) throws KeyStoreException {
permissionCheck();
synchronized (entries) {
Object entry = entries.remove(alias.toLowerCase());
deletedEntries.put(alias.toLowerCase(), entry);
}
}
/**
* Assigns the given key to the given alias, protecting it with the given password.
*
* <p>If the given key is of type <code>java.security.PrivateKey</code>, it must be accompanied by
* a certificate chain certifying the corresponding public key.
*
* <p>If the given alias already exists, the keystore information associated with it is overridden
* by the given key (and possibly certificate chain).
*
* @param alias the alias name
* @param key the key to be associated with the alias
* @param password the password to protect the key
* @param chain the certificate chain for the corresponding public key (only required if the given
* key is of type <code>java.security.PrivateKey</code>).
* @exception KeyStoreException if the given key cannot be protected, or this operation fails for
* some other reason
*/
public void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain)
throws KeyStoreException {
permissionCheck();
synchronized (entries) {
try {
KeyEntry entry = new KeyEntry();
entry.date = new Date();
if (key instanceof PrivateKey) {
if ((key.getFormat().equals("PKCS#8")) || (key.getFormat().equals("PKCS8"))) {
entry.protectedPrivKey = encryptPrivateKey(key.getEncoded(), password);
entry.password = password.clone();
} else {
throw new KeyStoreException("Private key is not encoded as PKCS#8");
}
} else {
throw new KeyStoreException("Key is not a PrivateKey");
}
// clone the chain
if (chain != null) {
if ((chain.length > 1) && !validateChain(chain)) {
throw new KeyStoreException("Certificate chain does not validate");
}
entry.chain = chain.clone();
entry.chainRefs = new long[entry.chain.length];
}
String lowerAlias = alias.toLowerCase();
if (entries.get(lowerAlias) != null) {
deletedEntries.put(lowerAlias, entries.get(lowerAlias));
}
entries.put(lowerAlias, entry);
addedEntries.put(lowerAlias, entry);
} catch (Exception nsae) {
KeyStoreException ke = new KeyStoreException("Key protection algorithm not found: " + nsae);
ke.initCause(nsae);
throw ke;
}
}
}
/**
* Callback method from _scanKeychain. If an identity is found, this method will be called to
* create Java certificate and private key objects from the keychain data.
*/
private void createKeyEntry(
String alias,
long creationDate,
long secKeyRef,
long[] secCertificateRefs,
byte[][] rawCertData)
throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException {
KeyEntry ke = new KeyEntry();
// First, store off the private key information. This is the easy part.
ke.protectedPrivKey = null;
ke.keyRef = secKeyRef;
// Make a creation date.
if (creationDate != 0) ke.date = new Date(creationDate);
else ke.date = new Date();
// Next, create X.509 Certificate objects from the raw data. This is complicated
// because a certificate's public key may be too long for Java's default encryption strength.
List<CertKeychainItemPair> createdCerts = new ArrayList<>();
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
for (int i = 0; i < rawCertData.length; i++) {
try {
InputStream input = new ByteArrayInputStream(rawCertData[i]);
X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
input.close();
// We successfully created the certificate, so track it and its corresponding
// SecCertificateRef.
createdCerts.add(new CertKeychainItemPair(secCertificateRefs[i], cert));
} catch (CertificateException e) {
// The certificate will be skipped.
System.err.println("KeychainStore Ignored Exception: " + e);
}
}
} catch (CertificateException e) {
e.printStackTrace();
} catch (IOException ioe) {
ioe.printStackTrace(); // How would this happen?
}
// We have our certificates in the List, so now extract them into an array of
// Certificates and SecCertificateRefs.
CertKeychainItemPair[] objArray = createdCerts.toArray(new CertKeychainItemPair[0]);
Certificate[] certArray = new Certificate[objArray.length];
long[] certRefArray = new long[objArray.length];
for (int i = 0; i < objArray.length; i++) {
CertKeychainItemPair addedItem = objArray[i];
certArray[i] = addedItem.mCert;
certRefArray[i] = addedItem.mCertificateRef;
}
ke.chain = certArray;
ke.chainRefs = certRefArray;
// If we don't have already have an item with this item's alias
// create a new one for it.
int uniqueVal = 1;
String originalAlias = alias;
while (entries.containsKey(alias.toLowerCase())) {
alias = originalAlias + " " + uniqueVal;
uniqueVal++;
}
entries.put(alias.toLowerCase(), ke);
}
