@Test public void testRRNCertificate() throws Exception { // setup Security.addProvider(new BeIDProvider()); final KeyStore keyStore = KeyStore.getInstance("BeID"); keyStore.load(null); // operate assertTrue(keyStore.containsAlias("RRN")); Entry entry = keyStore.getEntry("RRN", null); assertNotNull(entry); assertTrue(entry instanceof TrustedCertificateEntry); TrustedCertificateEntry trustedCertificateEntry = (TrustedCertificateEntry) entry; assertNotNull(trustedCertificateEntry.getTrustedCertificate()); assertTrue(((X509Certificate) trustedCertificateEntry.getTrustedCertificate()).getSubjectX500Principal() .toString().contains("RRN")); assertNotNull(keyStore.getCertificate("RRN")); Certificate[] certificateChain = keyStore.getCertificateChain("RRN"); assertNotNull(certificateChain); assertEquals(2, certificateChain.length); LOGGER.debug("RRN subject: {}", ((X509Certificate) certificateChain[0]).getSubjectX500Principal()); LOGGER.debug("RRN issuer: {}", ((X509Certificate) certificateChain[0]).getIssuerX500Principal()); LOGGER.debug("root subject: {}", ((X509Certificate) certificateChain[1]).getSubjectX500Principal()); LOGGER.debug("root issuer: {}", ((X509Certificate) certificateChain[1]).getIssuerX500Principal()); }
@Test public void testGetEntry() throws Exception { Security.addProvider(new BeIDProvider()); final KeyStore keyStore = KeyStore.getInstance("BeID"); keyStore.load(null); PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry) keyStore.getEntry("Authentication", null); assertNotNull(privateKeyEntry); assertTrue(privateKeyEntry.getPrivateKey() instanceof BeIDPrivateKey); TrustedCertificateEntry caEntry = (TrustedCertificateEntry) keyStore.getEntry("CA", null); assertNotNull(caEntry); LOGGER.debug("CA entry: {}", ((X509Certificate) caEntry.getTrustedCertificate()).getSubjectX500Principal()); TrustedCertificateEntry rootEntry = (TrustedCertificateEntry) keyStore.getEntry("Root", null); assertNotNull(rootEntry); LOGGER.debug("root entry: {}", ((X509Certificate) rootEntry.getTrustedCertificate()).getSubjectX500Principal()); }
@Override public Entry engineGetEntry(String alias, ProtectionParameter protParam) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException { LOGGER.debug("engineGetEntry: {}", alias); if ("Authentication".equals(alias) || "Signature".equals(alias)) { PrivateKey privateKey = (PrivateKey) engineGetKey(alias, null); Certificate[] chain = engineGetCertificateChain(alias); PrivateKeyEntry privateKeyEntry = new PrivateKeyEntry(privateKey, chain); return privateKeyEntry; } if ("CA".equals(alias) || "Root".equals(alias) || "RRN".equals(alias)) { Certificate certificate = engineGetCertificate(alias); TrustedCertificateEntry trustedCertificateEntry = new TrustedCertificateEntry(certificate); return trustedCertificateEntry; } return super.engineGetEntry(alias, protParam); }
private static KeyPair entry2Pair(Entry entry) { PublicKey pub = null; PrivateKey priv = null; if (entry instanceof PrivateKeyEntry) { PrivateKeyEntry pk = (PrivateKeyEntry) entry; if (pk.getCertificate() != null) { pub = pk.getCertificate().getPublicKey(); } priv = pk.getPrivateKey(); } else if (entry instanceof TrustedCertificateEntry) { TrustedCertificateEntry tc = (TrustedCertificateEntry) entry; pub = tc.getTrustedCertificate().getPublicKey(); } else { throw new IllegalArgumentException( "Only entry types PrivateKeyEntry and TrustedCertificateEntry are supported."); } return new KeyPair(pub, priv); }
/** * Return the issuing CA certificate of the given * certificate. Throws IllegalStateException if there are are more * or less than one. */ public static Certificate issuer(KeyStore keyStore, Certificate c) throws Exception { if (!(c instanceof X509Certificate)) { throw new IllegalStateException("issuer requires an X509Certificate, found " + c); } X509Certificate cert = (X509Certificate) c; Certificate found = null; for (String alias : Collections.list(keyStore.aliases())) { if (!keyStore.entryInstanceOf(alias, TrustedCertificateEntry.class)) { continue; } TrustedCertificateEntry certificateEntry = (TrustedCertificateEntry) keyStore.getEntry(alias, null); Certificate certificate = certificateEntry.getTrustedCertificate(); if (!(certificate instanceof X509Certificate)) { continue; } X509Certificate x = (X509Certificate) certificate; if (!cert.getIssuerDN().equals(x.getSubjectDN())) { continue; } if (found != null) { throw new IllegalStateException("KeyStore has more than one issuing CA for " + cert + "\nfirst: " + found + "\nsecond: " + certificate); } found = certificate; } if (found == null) { throw new IllegalStateException("KeyStore contained no issuing CA for " + cert); } return found; }
/** * Return the only self-signed root certificate in a keystore for * the given algorithm. Throws IllegalStateException if there are * are more or less than one. */ public static X509Certificate rootCertificate(KeyStore keyStore, String algorithm) { try { X509Certificate found = null; for (String alias : Collections.list(keyStore.aliases())) { if (!keyStore.entryInstanceOf(alias, TrustedCertificateEntry.class)) { continue; } TrustedCertificateEntry certificateEntry = (TrustedCertificateEntry) keyStore.getEntry(alias, null); Certificate certificate = certificateEntry.getTrustedCertificate(); if (!certificate.getPublicKey().getAlgorithm().equals(algorithm)) { continue; } if (!(certificate instanceof X509Certificate)) { continue; } X509Certificate x = (X509Certificate) certificate; if (!x.getIssuerDN().equals(x.getSubjectDN())) { continue; } if (found != null) { throw new IllegalStateException("KeyStore has more than one root CA for " + algorithm + "\nfirst: " + found + "\nsecond: " + certificate); } found = x; } if (found == null) { throw new IllegalStateException("KeyStore contained no root CA for " + algorithm); } return found; } catch (Exception e) { throw new RuntimeException(e); } }
private JceMasterKey internalGetMasterKey(final String provider, final String keyId) { final Entry entry; try { entry = keystore_.getEntry(keyId, keystore_.isKeyEntry(keyId) ? protection_ : null); } catch (NoSuchAlgorithmException | UnrecoverableEntryException | KeyStoreException e) { throw new UnsupportedProviderException(e); } if (entry == null) { throw new NoSuchMasterKeyException(); } if (entry instanceof SecretKeyEntry) { final SecretKeyEntry skEntry = (SecretKeyEntry) entry; if (!skEntry.getSecretKey().getAlgorithm().equals(keyAlgorithm_)) { return null; } return JceMasterKey.getInstance(skEntry.getSecretKey(), provider, keyId, wrappingAlgorithm_); } else if (entry instanceof PrivateKeyEntry) { final PrivateKeyEntry pkEntry = (PrivateKeyEntry) entry; if (!pkEntry.getPrivateKey().getAlgorithm().equals(keyAlgorithm_)) { return null; } return JceMasterKey.getInstance(pkEntry.getCertificate().getPublicKey(), pkEntry.getPrivateKey(), provider, keyId, wrappingAlgorithm_); } else if (entry instanceof TrustedCertificateEntry) { final TrustedCertificateEntry certEntry = (TrustedCertificateEntry) entry; if (!certEntry.getTrustedCertificate().getPublicKey().getAlgorithm().equals(keyAlgorithm_)) { return null; } return JceMasterKey.getInstance(certEntry.getTrustedCertificate().getPublicKey(), null, provider, keyId, wrappingAlgorithm_); } else { throw new NoSuchMasterKeyException(); } }
public static void newCertificate(KeyStore keystore, TypedCertificate certificate) throws KeyStoreException { TrustedCertificateEntry certificateEntry = new TrustedCertificateEntry(certificate.getCert()); String alias = typeToPath(certificate.getType()) + certificate.getCert().getSubjectX500Principal().getName(); if (keystore.containsAlias(alias)) { keystore.deleteEntry(alias); } keystore.setEntry(alias, certificateEntry, null); }
public static void main(String[] args) throws Exception { if (initSecmod() == false) { return; } X509Certificate cert; try (InputStream in = new FileInputStream(BASE + SEP + "anchor.cer")) { CertificateFactory factory = CertificateFactory.getInstance("X.509"); cert = (X509Certificate)factory.generateCertificate(in); } String configName = BASE + SEP + "nss.cfg"; Provider p = getSunPKCS11(configName); System.out.println(p); Security.addProvider(p); if (args.length > 1 && "sm".equals(args[0])) { System.setProperty("java.security.policy", BASE + File.separator + args[1]); System.setSecurityManager(new SecurityManager()); } KeyStore ks = KeyStore.getInstance(PKCS11, p); ks.load(null, password); Collection<String> aliases = new TreeSet<>(Collections.list( ks.aliases())); System.out.println("entries: " + aliases.size()); System.out.println(aliases); int size1 = aliases.size(); String alias = "anchor"; if (ks.containsAlias(alias)) { throw new Exception("Alias exists: " + alias); } ks.setCertificateEntry(alias, cert); KeyStore.Entry first = ks.getEntry(alias, null); System.out.println("first entry = " + first); if (!ks.entryInstanceOf(alias, TrustedCertificateEntry.class)) { throw new Exception("Unexpected first entry type: " + first); } ks.setCertificateEntry(alias, cert); KeyStore.Entry second = ks.getEntry(alias, null); System.out.println("second entry = " + second); if (!ks.entryInstanceOf(alias, TrustedCertificateEntry.class)) { throw new Exception("Unexpected second entry type: " + second); } aliases = new TreeSet<>(Collections.list(ks.aliases())); System.out.println("entries: " + aliases.size()); System.out.println(aliases); int size2 = aliases.size(); if ((size2 != size1 + 1) || (aliases.contains(alias) == false)) { throw new Exception("Trusted cert not added"); } X509Certificate cert2 = (X509Certificate)ks.getCertificate(alias); if (cert.equals(cert2) == false) { throw new Exception("KeyStore returned incorrect certificate"); } ks.deleteEntry(alias); if (ks.containsAlias(alias)) { throw new Exception("Alias still exists: " + alias); } System.out.println("OK"); }
public static void assertCertificate(Entry actual) throws Exception { assertSame(TrustedCertificateEntry.class, actual.getClass()); assertEquals(PRIVATE_KEY.getCertificate(), ((TrustedCertificateEntry) actual).getTrustedCertificate()); }
