/**
* Erases the specified id from the keystore.
*
* @param id The ID of the key or certificate to be deleted.
* @throws KeyStoreException When the wrong keystore password has been provided.
* @throws IOException For errors related to processing the keystore.
*/
public void erase(ID id) throws KeyStoreException, IOException {
String alias = id.toString();
synchronized (keystore_manager) {
KeyStore store = keystore_manager.loadKeyStore(keystore_password);
store.deleteEntry(alias);
keystore_manager.saveKeyStore(store, keystore_password);
}
}
/**
* Returns {@code true} if the PSE has been initialized (created). Some keystore formats may not
* require initialization and may always return {@code true}. {@code false} may also be returned
* if the keystore passphrase is incorrect.
*
* @return {@code true} if the PSE has been previously initialized otherwise {@code false}.
*/
public boolean isInitialized() {
try {
if (keystore_password != null) {
return keystore_manager.isInitialized(keystore_password);
} else {
return keystore_manager.isInitialized();
}
} catch (Exception ignored) {
return false;
}
}
/**
* Check if the provided passwords are correct for the specified identity.
*
* @param id The identity to be validated.
* @param store_password The passphrase used to unlock the keystore may be {@code null} for
* keystores with no passphrase.
* @param key_password The passphrase associated with the private key or {@code null} if the key
* has no passphrase.
* @return {@code true} if the passwords were valid for the given id otherwise {@code false}.
*/
boolean validPasswd(ID id, char[] store_password, char[] key_password) {
if (null == id) {
Logging.logCheckedFine(LOG, "null id");
return false;
}
Throwable failure;
try {
synchronized (keystore_manager) {
KeyStore store;
if (null != store_password) {
store = keystore_manager.loadKeyStore(store_password);
} else {
if (null != keystore_password) {
store = keystore_manager.loadKeyStore(keystore_password);
} else {
throw new UnrecoverableKeyException("KeyStore passphrase not initialized");
}
}
String alias = id.toString();
Key key = store.getKey(alias, key_password);
if (key == null) Logging.logCheckedFine(LOG, "Can't retrieve key for alias: ", alias);
return (null != key);
}
} catch (UnrecoverableKeyException failed) {
failure = failed;
} catch (NoSuchAlgorithmException failed) {
failure = failed;
} catch (KeyStoreException failed) {
failure = failed;
} catch (IOException failed) {
failure = failed;
}
Logging.logCheckedWarning(LOG, "Failure checking passphrase : \n", failure);
return false;
}
/**
* Adds a trusted certificate with the specified id to the key store. The certificate replaces any
* existing certificate or private key stored at this ID.
*
* @param id The ID under which the certificate will be stored.
* @param cert Certificate for the specified ID.
* @throws KeyStoreException When the wrong keystore has been provided.
* @throws IOException For errors related to processing the keystore.
*/
public void setTrustedCertificate(ID id, X509Certificate cert)
throws KeyStoreException, IOException {
String alias = id.toString();
synchronized (keystore_manager) {
KeyStore store = keystore_manager.loadKeyStore(keystore_password);
store.deleteEntry(alias);
store.setCertificateEntry(alias, cert);
keystore_manager.saveKeyStore(store, keystore_password);
}
}
/**
* Adds a private key to the PSE using the specified ID. The key replaces any existing certificate
* or private key stored at this ID. The key is stored using the provided key passphrase.
*
* @param id The ID under which the certificate chain and private key will be stored.
* @param certchain The certificate chain matching the private key.
* @param key The private key to be stored in the kestore.
* @param key_password The passphrase associated with the private key or {@code null} if the key
* has no passphrase.
* @throws KeyStoreException When the wrong keystore key has been provided.
* @throws IOException For errors related to processing the keystore.
*/
public void setKey(ID id, Certificate[] certchain, PrivateKey key, char[] key_password)
throws KeyStoreException, IOException {
String alias = id.toString();
synchronized (keystore_manager) {
KeyStore store = keystore_manager.loadKeyStore(keystore_password);
// Remove any existing entry.
if (store.isKeyEntry(alias)) store.deleteEntry(alias);
store.setKeyEntry(alias, key, key_password, certchain);
keystore_manager.saveKeyStore(store, keystore_password);
}
}
/**
* Returns the private key for the specified ID.
*
* @param id The ID of the requested private key.
* @param key_password The passphrase associated with the private key or {@code null} if the key
* has no passphrase.
* @return PrivateKey for the specified ID.
* @throws KeyStoreException When the wrong keystore has been provided.
* @throws IOException For errors related to processing the keystore.
*/
public PrivateKey getKey(ID id, char[] key_password) throws KeyStoreException, IOException {
String alias = id.toString();
try {
synchronized (keystore_manager) {
KeyStore store = keystore_manager.loadKeyStore(keystore_password);
if (!store.containsAlias(alias) || !store.isKeyEntry(alias)) {
return null;
}
return (PrivateKey) store.getKey(alias, key_password);
}
} catch (NoSuchAlgorithmException failed) {
Logging.logCheckedSevere(LOG, "Something failed\n", failed);
KeyStoreException failure = new KeyStoreException("Something Failed");
failure.initCause(failed);
throw failure;
} catch (UnrecoverableKeyException failed) {
Logging.logCheckedSevere(LOG, "Key passphrase failure\n", failed);
KeyStoreException failure = new KeyStoreException("Key passphrase failure");
failure.initCause(failed);
throw failure;
}
}
/**
* Gets a copy of the KeyStore associated with this PSE instance. The returned KeyStore is a copy
* and not tied to the instance maintained by the PSE. Changing the returned keystore will not
* result in changes to the PSE.
*
* @param store_password The passphrase used to unlock the keystore may be {@code null} for
* keystores with no passphrase.
* @return The keystore.
* @throws KeyStoreException When the wrong keystore has been provided.
* @throws IOException For errors related to processing the keystore.
* @since JXTA 2.4
*/
public KeyStore getKeyStore(char[] store_password) throws KeyStoreException, IOException {
synchronized (keystore_manager) {
KeyStore store = keystore_manager.loadKeyStore(store_password);
return store;
}
}
/**
* Returns <tt>true</tt> if the specified id is associated with a private key.
*
* @param id The ID of the requested private key.
* @param store_password The passphrase used to unlock the keystore may be {@code null} for
* keystores with no passphrase.
* @return <tt>true</tt> if a private key with the specified ID is present otherwise
* <tt>false</tt>
* @throws KeyStoreException When the wrong keystore has been provided.
* @throws IOException For errors related to processing the keystore.
*/
public boolean isKey(ID id, char[] store_password) throws KeyStoreException, IOException {
String alias = id.toString();
synchronized (keystore_manager) {
KeyStore store = keystore_manager.loadKeyStore(store_password);
return store.containsAlias(alias) & store.isKeyEntry(alias);
}
}
@Override
public void onDestroy() {
storeConfig();
cleanupSocket();
if (keyStoreManager != null) {
keyStoreManager.store();
}
super.onDestroy();
}
/**
* Initializes the PSE environment.
*
* @throws KeyStoreException When the wrong keystore has been provided.
* @throws IOException For errors related to processing the keystore.
*/
public void initialize() throws KeyStoreException, IOException {
Logging.logCheckedInfo(LOG, "Initializing new PSE keystore...");
synchronized (keystore_manager) {
try {
if (keystore_manager.isInitialized(keystore_password)) return;
keystore_manager.createKeyStore(keystore_password);
} catch (KeyStoreException failed) {
Logging.logCheckedSevere(LOG, "Failure accessing or creating keystore.\n", failed);
keystore_manager.eraseKeyStore();
throw failed;
}
}
}
/**
* Returns the trusted cert for the specified id.
*
* @param id The id of the Certificate to retrieve.
* @param store_password The passphrase used to unlock the keystore may be {@code null} for
* keystores with no passphrase.
* @return Certificate for the specified ID or null if the store does not contain the specified
* certificate.
* @throws KeyStoreException When the wrong keystore has been provided.
* @throws IOException For errors related to processing the keystore.
*/
X509Certificate getTrustedCertificate(ID id, char[] store_password)
throws KeyStoreException, IOException {
String alias = id.toString();
synchronized (keystore_manager) {
KeyStore store = keystore_manager.loadKeyStore(store_password);
if (!store.containsAlias(alias)) {
return null;
}
return (X509Certificate) store.getCertificate(alias);
}
}
/**
* Returns the ID of the provided certificate or null if the certificate is not found in the
* keystore.
*
* @param cert The certificate who's ID is desired.
* @return The ID of the certificate or <tt>null</tt> if no matching Certificate was found.
* @throws KeyStoreException When the wrong keystore has been provided.
* @throws IOException For errors related to processing the keystore.
*/
public ID getTrustedCertificateID(X509Certificate cert) throws KeyStoreException, IOException {
String anAlias = null;
synchronized (keystore_manager) {
KeyStore store = keystore_manager.loadKeyStore(keystore_password);
anAlias = store.getCertificateAlias(cert);
}
// not found.
if (null == anAlias) {
return null;
}
try {
URI id = new URI(anAlias);
return IDFactory.fromURI(id);
} catch (URISyntaxException badID) {
return null;
}
}
/**
* Returns the trusted cert chain for the specified id.
*
* @param id The ID of the certificate who's certificate chain is desired.
* @return Certificate chain for the specified ID or null if the PSE does not contain the
* specified certificate.
* @throws KeyStoreException When the wrong keystore has been provided.
* @throws IOException For errors related to processing the keystore.
*/
public X509Certificate[] getTrustedCertificateChain(ID id) throws KeyStoreException, IOException {
String alias = id.toString();
synchronized (keystore_manager) {
KeyStore store = keystore_manager.loadKeyStore(keystore_password);
if (!store.containsAlias(alias)) {
return null;
}
Certificate certs[] = store.getCertificateChain(alias);
if (null == certs) {
return null;
}
X509Certificate x509certs[] = new X509Certificate[certs.length];
System.arraycopy(certs, 0, x509certs, 0, certs.length);
return x509certs;
}
}
/**
* Returns the list of root certificates for which there is an associated local private key.
*
* @param store_password The passphrase used to unlock the keystore may be {@code null} for
* keystores with no passphrase.
* @return an array of the available keys. May be an empty array.
* @throws KeyStoreException When the wrong keystore has been provided.
* @throws IOException For errors related to processing the keystore.
*/
ID[] getKeysList(char[] store_password) throws KeyStoreException, IOException {
List<ID> keyedRootsList = new ArrayList<ID>();
synchronized (keystore_manager) {
KeyStore store = keystore_manager.loadKeyStore(store_password);
Enumeration<String> eachAlias = store.aliases();
while (eachAlias.hasMoreElements()) {
String anAlias = eachAlias.nextElement();
if (store.isKeyEntry(anAlias)) {
try {
URI id = new URI(anAlias);
keyedRootsList.add(IDFactory.fromURI(id));
} catch (URISyntaxException badID) { // ignored
}
}
}
return keyedRootsList.toArray(new ID[keyedRootsList.size()]);
}
}
/**
* Removes an existing PSE enviroment.
*
* @throws IOException If the PSE cannot be successfully deleted.
*/
public void erase() throws IOException {
synchronized (keystore_manager) {
keystore_manager.eraseKeyStore();
}
}
private void enableEncryption(boolean tls) throws Exception {
SSLContext context = this.config.getCustomSSLContext();
KeyStore ks = null;
KeyManager[] kms = null;
PasswordCallback pcb = null;
if (config.getCallbackHandler() == null) {
ks = null;
} else if (context == null) {
// System.out.println("Keystore type: "+configuration.getKeystoreType());
if (config.getKeystoreType().equals("NONE")) {
ks = null;
pcb = null;
} else if (config.getKeystoreType().equals("PKCS11")) {
try {
Constructor c =
Class.forName("sun.security.pkcs11.SunPKCS11").getConstructor(InputStream.class);
String pkcs11Config = "name = SmartCard\nlibrary = " + config.getPKCS11Library();
ByteArrayInputStream config = new ByteArrayInputStream(pkcs11Config.getBytes());
Provider p = (Provider) c.newInstance(config);
Security.addProvider(p);
ks = KeyStore.getInstance("PKCS11", p);
pcb = new PasswordCallback("PKCS11 Password: "******"Apple")) {
ks = KeyStore.getInstance("KeychainStore", "Apple");
ks.load(null, null);
// pcb = new PasswordCallback("Apple Keychain",false);
// pcb.setPassword(null);
} else {
ks = KeyStore.getInstance(config.getKeystoreType());
try {
pcb = new PasswordCallback("Keystore Password: "******"SunX509");
try {
if (pcb == null) {
kmf.init(ks, null);
} else {
kmf.init(ks, pcb.getPassword());
pcb.clearPassword();
}
kms = kmf.getKeyManagers();
} catch (NullPointerException npe) {
kms = null;
}
}
// Verify certificate presented by the server
if (context == null) {
context = SSLContext.getInstance("TLS");
boolean chainCheck = config.isVerifyChainEnabled();
boolean domainCheck = config.isNotMatchingDomainCheckEnabled();
boolean allowSelfSigned = config.isSelfSignedCertificateEnabled();
if (config.isExpiredCertificatesCheckEnabled() != chainCheck
|| config.isVerifyRootCAEnabled() != chainCheck) throw new IllegalStateException();
context.init(
kms,
new TrustManager[] {
new XMPPTrustManager(
KeyStoreManager.getOrCreateKeyStore(config),
getServiceName(),
config.getCertificateListener(),
chainCheck,
domainCheck,
allowSelfSigned)
},
SECURE_RANDOM);
}
Socket plain = socket;
// Secure the plain connection
socket =
context
.getSocketFactory()
.createSocket(plain, plain.getInetAddress().getHostAddress(), plain.getPort(), true);
// socket.setSoTimeout(0);
// socket.setKeepAlive(true);
}
