4632N/A * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. 4632N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4632N/A * This code is free software; you can redistribute it and/or modify it 4632N/A * under the terms of the GNU General Public License version 2 only, as 5020N/A * published by the Free Software Foundation. Oracle designates this 5020N/A * particular file as subject to the "Classpath" exception as provided 5020N/A * by Oracle in the LICENSE file that accompanied this code. 4632N/A * This code is distributed in the hope that it will be useful, but WITHOUT 4632N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 4632N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 4632N/A * version 2 for more details (a copy is included in the LICENSE file that 4632N/A * You should have received a copy of the GNU General Public License version 4632N/A * 2 along with this work; if not, write to the Free Software Foundation, 4632N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 4632N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 4632N/A * or visit www.oracle.com if you need additional information or have any 4632N/A * Implementation of key store for Windows using the Microsoft Crypto API. 4632N/A * The default alias for both entry types is derived from a 4632N/A * hash value intrinsic to the first certificate in the chain. 4632N/A * Gets the alias for the keystore entry. 5318N/A * Sets the alias for the keystore entry. 5318N/A // TODO - set friendly name prop in cert store 4632N/A * Gets the private key for the keystore entry. 4632N/A * Sets the private key for the keystore entry. 4632N/A // Adjust key length due to sign bit 5318N/A * Gets the certificate chain for the keystore entry. 5318N/A * Sets the certificate chain for the keystore entry. 5318N/A * An X.509 certificate factory. 5318N/A * Used to create an X.509 certificate from its DER-encoding. 4632N/A * Compatibility mode: for applications that assume keystores are 4632N/A * stream-based this mode tolerates (but ignores) a non-null stream 4632N/A * or password parameter when passed to the load or store methods. 4632N/A * The mode is enabled by default. 4632N/A "sun.security.mscapi.keyStoreCompatibilityMode";
4632N/A // Get the compatibility mode * Returns the key associated with the given alias. * A compatibility mode is supported for applications that assume * a password must be supplied. It permits (but ignores) a non-null * <code>password</code>. The mode is enabled by default. * <code>sun.security.mscapi.keyStoreCompatibilityMode</code> * system property to <code>false</code> to disable compatibility mode * and reject a non-null <code>password</code>. * @param alias the alias name * @param password the password, which should be <code>null</code> * @return the requested key, or null if the given alias does not exist * or does not identify a <i>key entry</i>. * @exception NoSuchAlgorithmException if the algorithm for recovering the * or if compatibility mode is disabled and <code>password</code> is * @exception UnrecoverableKeyException if the key cannot be recovered. * Returns the certificate chain associated with the given alias. * @param alias the alias name * @return the certificate chain (ordered with the user's certificate first * and the root certificate authority last), or null if the given alias * does not exist or does not contain a certificate chain (i.e., the given * alias identifies either a <i>trusted certificate entry</i> or a * <i>key entry</i> without a certificate chain). * Returns the certificate associated with the given alias. * <p>If the given alias name identifies a * <i>trusted certificate entry</i>, the certificate associated with that * entry is returned. If the given alias name identifies a * <i>key entry</i>, the first element of the certificate chain of that * entry is returned, or null if that entry does not have a certificate * @param alias the alias name * @return the certificate, or null if the given alias does not exist or * does not contain a certificate. * Returns the creation date of the entry identified by the given alias. * @param alias the alias name * @return the creation date of this entry, or null if the given alias does * Stores the given private key and associated certificate chain in the * <p>The given java.security.PrivateKey <code>key</code> must * be accompanied by a certificate chain certifying the * corresponding public key. * <p>If the given alias already exists, the keystore information * associated with it is overridden by the given key and certificate * chain. Otherwise, a new entry is created. * A compatibility mode is supported for applications that assume * a password must be supplied. It permits (but ignores) a non-null * <code>password</code>. The mode is enabled by default. * <code>sun.security.mscapi.keyStoreCompatibilityMode</code> * system property to <code>false</code> to disable compatibility mode * and reject a non-null <code>password</code>. * @param alias the alias name * @param key the private key to be associated with the alias * @param password the password, which should be <code>null</code> * @param chain the certificate chain for the corresponding public * key (only required if the given key is of type * <code>java.security.PrivateKey</code>). * @exception KeyStoreException if the given key is not a private key, * cannot be protected, or if compatibility mode is disabled and * <code>password</code> is non-null, or if this operation fails for //TODO new KeyEntry(alias, key, (X509Certificate[]) chain); "Cannot assign the key to the given alias.");
* Assigns the given key (that has already been protected) to the given * <p>If the protected key is of type * <code>java.security.PrivateKey</code>, it must be accompanied by a * certificate chain certifying the corresponding public key. If the * underlying keystore implementation is of type <code>jks</code>, * <code>key</code> must be encoded as an * <code>EncryptedPrivateKeyInfo</code> as defined in the PKCS #8 standard. * <p>If the given alias already exists, the keystore information * associated with it is overridden by the given key (and possibly * @param alias the alias name * @param key the key (in protected format) to be associated with the alias * @param chain the certificate chain for the corresponding public * key (only useful if the protected key is of type * <code>java.security.PrivateKey</code>). * @exception KeyStoreException if this operation fails. "Cannot assign the encoded key to the given alias.");
* Assigns the given certificate to the given alias. * <p>If the given alias already exists in this keystore and identifies a * <i>trusted certificate entry</i>, the certificate associated with it is * overridden by the given certificate. * @param alias the alias name * @param cert the certificate * @exception KeyStoreException if the given alias already exists and does * not identify a <i>trusted certificate entry</i>, or this operation * fails for some other reason. // TODO - build CryptoAPI chain? "Cannot assign the certificate to the given alias.");
* Deletes the entry identified by the given alias from this keystore. * @param alias the alias name * @exception KeyStoreException if the entry cannot be removed. // Get end-entity certificate and remove from system cert store * Lists all the alias names of this keystore. * @return enumeration of the alias names * Checks if the given alias exists in this keystore. * @param alias the alias name * @return true if the alias exists, false otherwise * Retrieves the number of entries in this keystore. * @return the number of entries in this keystore * Returns true if the entry identified by the given alias is a * <i>key entry</i>, and false otherwise. * @return true if the entry identified by the given alias is a * <i>key entry</i>, false otherwise. * Returns true if the entry identified by the given alias is a * <i>trusted certificate entry</i>, and false otherwise. * @return true if the entry identified by the given alias is a * <i>trusted certificate entry</i>, false otherwise. * Returns the (alias) name of the first keystore entry whose certificate * matches the given certificate. * <p>This method attempts to match the given certificate with each * keystore entry. If the entry being considered * is a <i>trusted certificate entry</i>, the given certificate is * compared to that entry's certificate. If the entry being considered is * a <i>key entry</i>, the given certificate is compared to the first * element of that entry's certificate chain (if a chain exists). * @param cert the certificate to match with. * @return the (alias) name of the first entry with matching certificate, * or null if no such entry exists in this keystore. * engineStore is currently a no-op. * Entries are stored during engineSetEntry. * A compatibility mode is supported for applications that assume * keystores are stream-based. It permits (but ignores) a non-null * <code>stream</code> or <code>password</code>. * The mode is enabled by default. * <code>sun.security.mscapi.keyStoreCompatibilityMode</code> * system property to <code>false</code> to disable compatibility mode * and reject a non-null <code>stream</code> or <code>password</code>. * @param stream the output stream, which should be <code>null</code> * @param password the password, which should be <code>null</code> * @exception IOException if compatibility mode is disabled and either throw new IOException(
"Keystore output stream must be null");
throw new IOException(
"Keystore password must be null");
* A compatibility mode is supported for applications that assume * keystores are stream-based. It permits (but ignores) a non-null * <code>stream</code> or <code>password</code>. * The mode is enabled by default. * <code>sun.security.mscapi.keyStoreCompatibilityMode</code> * system property to <code>false</code> to disable compatibility mode * and reject a non-null <code>stream</code> or <code>password</code>. * @param stream the input stream, which should be <code>null</code>. * @param password the password, which should be <code>null</code>. * @exception IOException if there is an I/O or format problem with the * keystore data. Or if compatibility mode is disabled and either * @exception NoSuchAlgorithmException if the algorithm used to check * the integrity of the keystore cannot be found * @exception CertificateException if any of the certificates in the * keystore could not be loaded * @exception SecurityException if the security check for * <code>SecurityPermission("authProvider.<i>name</i>")</code> does not * pass, where <i>name</i> is the value returned by * this provider's <code>getName</code> method. throw new IOException(
"Keystore input stream must be null");
throw new IOException(
"Keystore password must be null");
* Use the same security check as AuthProvider.login "authProvider.SunMSCAPI"));
// Load keys and/or certificate chains * Generates a certificate chain from the collection of * certificates and stores the result into a key entry. // Ignore the exception and skip this entry // TODO - throw CertificateException? * Generates RSA key and certificate chain from the private key handle, * collection of certificates and stores the result into key entries. // Ignore the exception and skip this entry // TODO - throw CertificateException? * Generates certificates from byte data and stores into cert collection. * @param certCollection Collection of certificates. // Obtain certificate factory // Ignore the exception and skip this certificate // TODO - throw CertificateException? // Ignore the exception and skip this certificate // TODO - throw CertificateException? * Returns the name of the keystore. * Load keys and/or certificates from keystore into Collection. * @param name Name of keystore. * Stores a DER-encoded certificate into the certificate store * @param name Name of the keystore. * @param alias Name of the certificate. * @param encoding DER-encoded certificate. * Removes the certificate from the certificate store * @param name Name of the keystore. * @param alias Name of the certificate. * @param encoding DER-encoded certificate. * Destroys the key container. * @param keyContainerName The name of the key container. * Generates a private-key BLOB from a key's components.