public class PKCS12KeyStoreSpi extends java.security.KeyStoreSpi implements PKCSObjectIdentifiers, X509ObjectIdentifiers, BCKeyStore
KeyStoreSpi for the PKCS#12 keystore family
(provider "BC", types PKCS12, PKCS12-DEF,
PKCS12-3DES-40RC2, PKCS12-3DES-3DES,
PKCS12-AES256-AES128 and the -DEF- aliases).
KeyStore.PrivateKeyEntry with a
non-empty certificate chain. Stored as a SafeBag of type
pkcs8ShroudedKeyBag per RFC 7292 sec. 4.2.2, with the
associated chain emitted as certBag entries.KeyStore.TrustedCertificateEntry.
Stored as a certBag per RFC 7292 sec. 4.2.3.KeyStore.SecretKeyEntry, accepted
since Bouncy Castle 1.85 (github #1807). Stored as a SafeBag of type
secretBag per RFC 7292 sec. 4.2.5: the inner
SecretBag carries the algorithm OID as
secretTypeId and the SecretKey.getEncoded() bytes as
a DER OCTET STRING secretValue, placed inside the
keystore's encrypted SafeContents block. Only algorithms with a
registered OID are supported — see
PKCS12Util.resolveSecretKeyOid(SecretKey) for the current set
(AES 128 / 192 / 256, DESede / TripleDES,
HmacSHA1 / SHA-224 / SHA-256 / SHA-384 / SHA-512 / SHA3-{224,256,384,512}).
Other algorithms are rejected at setKeyEntry-time with a
pointer at BCFKS.
SunJCE writes secret keys using a non-standard encoding: the SafeBag is
still secretBag, but the inner SecretBag.secretTypeId is
pkcs8ShroudedKeyBag and the secretValue wraps an
EncryptedPrivateKeyInfo whose decrypted PKCS#8 carries the raw
key bytes. Setting the system or security property
Properties.PKCS12_ALLOW_SUN_SECRET_KEYS
("org.bouncycastle.pkcs12.allow_sun_secret_keys") to true
lets BC additionally decode this form on load. BC always writes the
standards-compliant form regardless — i.e. files BC produces are not
readable by SunJCE's PKCS#12 keystore.
Properties.PKCS12_MAX_IT_COUNT — caps the PBE iteration count
accepted on load.Properties.PKCS12_IGNORE_USELESS_PASSWD — accepts a password
supplied where none is needed.Properties.PKCS12_ALLOW_SUN_SECRET_KEYS — opt-in SunJCE
secret-key interop, see above.Properties.PKCS12_ALLOW_SUN_SECRET_KEYS| Modifier and Type | Class and Description |
|---|---|
static class |
PKCS12KeyStoreSpi.BCPKCS12KeyStore |
static class |
PKCS12KeyStoreSpi.BCPKCS12KeyStore3DES |
static class |
PKCS12KeyStoreSpi.BCPKCS12KeyStoreAES256 |
static class |
PKCS12KeyStoreSpi.BCPKCS12KeyStoreAES256GCM |
static class |
PKCS12KeyStoreSpi.DefPKCS12KeyStore |
static class |
PKCS12KeyStoreSpi.DefPKCS12KeyStore3DES |
static class |
PKCS12KeyStoreSpi.DefPKCS12KeyStoreAES256 |
static class |
PKCS12KeyStoreSpi.DefPKCS12KeyStoreAES256GCM |
| Modifier and Type | Field and Description |
|---|---|
protected java.security.SecureRandom |
random |
bagtypes, canNotDecryptAny, certBag, certTypes, crlBag, crlTypes, data, des_EDE3_CBC, dhKeyAgreement, dhSinglePass_stdDH_hkdf_sha256_scheme, dhSinglePass_stdDH_hkdf_sha384_scheme, dhSinglePass_stdDH_hkdf_sha512_scheme, digestAlgorithm, digestedData, encryptedData, encryptionAlgorithm, envelopedData, id_aa, id_aa_asymmDecryptKeyID, id_aa_cmsAlgorithmProtect, id_aa_commitmentType, id_aa_communityIdentifiers, id_aa_contentHint, id_aa_contentIdentifier, id_aa_contentReference, id_aa_decryptKeyID, id_aa_encrypKeyPref, id_aa_estIdentityLinking, id_aa_ets_archiveTimestamp, id_aa_ets_certCRLTimestamp, id_aa_ets_certificateRefs, id_aa_ets_certValues, id_aa_ets_commitmentType, id_aa_ets_contentTimestamp, id_aa_ets_escTimeStamp, id_aa_ets_otherSigCert, id_aa_ets_revocationRefs, id_aa_ets_revocationValues, id_aa_ets_signerAttr, id_aa_ets_signerLocation, id_aa_ets_sigPolicyId, id_aa_implCompressAlgs, id_aa_implCryptoAlgs, id_aa_msgSigDigest, id_aa_otherSigCert, id_aa_otpChallenge, id_aa_receiptRequest, id_aa_relatedCertRequest, id_aa_revocationChallenge, id_aa_signatureTimeStampToken, id_aa_signerLocation, id_aa_signingCertificate, id_aa_signingCertificateV2, id_aa_sigPolicyId, id_alg, id_alg_AEADChaCha20Poly1305, id_alg_CMS3DESwrap, id_alg_CMSRC2wrap, id_alg_ESDH, id_alg_hkdf_with_sha256, id_alg_hkdf_with_sha384, id_alg_hkdf_with_sha512, id_alg_hss_lms_hashsig, id_alg_PWRI_KEK, id_alg_SSDH, id_alg_zlibCompress, id_ct, id_ct_authData, id_ct_authEnvelopedData, id_ct_compressedData, id_ct_timestampedData, id_ct_TSTInfo, id_cti, id_cti_ets_proofOfApproval, id_cti_ets_proofOfCreation, id_cti_ets_proofOfDelivery, id_cti_ets_proofOfOrigin, id_cti_ets_proofOfReceipt, id_cti_ets_proofOfSender, id_hmacWithSHA1, id_hmacWithSHA224, id_hmacWithSHA256, id_hmacWithSHA384, id_hmacWithSHA512, id_hmacWithSHA512_224, id_hmacWithSHA512_256, id_mgf1, id_mod_CMS_AEADChaCha20Poly1305, id_mod_cms_seed, id_mod_mts_hashsig_2013, id_PBES2, id_PBKDF2, id_PBMAC1, id_pSpecified, id_rsa_KEM, id_RSAES_OAEP, id_RSASSA_PSS, id_smime, id_spq, id_spq_ets_unotice, id_spq_ets_uri, id_spq_oid, keyBag, md2, md2WithRSAEncryption, md4, md4WithRSAEncryption, md5, md5WithRSAEncryption, pbeWithMD2AndDES_CBC, pbeWithMD2AndRC2_CBC, pbeWithMD5AndDES_CBC, pbeWithMD5AndRC2_CBC, pbeWithSHA1AndDES_CBC, pbeWithSHA1AndRC2_CBC, pbeWithSHAAnd128BitRC2_CBC, pbeWithSHAAnd128BitRC4, pbeWithSHAAnd2_KeyTripleDES_CBC, pbeWithSHAAnd3_KeyTripleDES_CBC, pbewithSHAAnd40BitRC2_CBC, pbeWithSHAAnd40BitRC2_CBC, pbeWithSHAAnd40BitRC4, pkcs_1, pkcs_12, pkcs_12PbeIds, pkcs_3, pkcs_5, pkcs_7, pkcs_9, pkcs_9_at_binarySigningTime, pkcs_9_at_challengePassword, pkcs_9_at_contentType, pkcs_9_at_counterSignature, pkcs_9_at_emailAddress, pkcs_9_at_extendedCertificateAttributes, pkcs_9_at_extensionRequest, pkcs_9_at_friendlyName, pkcs_9_at_localKeyId, pkcs_9_at_messageDigest, pkcs_9_at_signingDescription, pkcs_9_at_signingTime, pkcs_9_at_smimeCapabilities, pkcs_9_at_unstructuredAddress, pkcs_9_at_unstructuredName, pkcs8ShroudedKeyBag, preferSignedData, RC2_CBC, rc4, rsaEncryption, safeContentsBag, sdsiCertificate, secretBag, sha1WithRSAEncryption, sha224WithRSAEncryption, sha256WithRSAEncryption, sha384WithRSAEncryption, sha512_224WithRSAEncryption, sha512_256WithRSAEncryption, sha512WithRSAEncryption, signedAndEnvelopedData, signedData, smime_alg, sMIMECapabilitiesVersions, srsaOAEPEncryptionSET, x509Certificate, x509certType, x509CrlattributeType, commonName, countryName, crlAccessMethod, id_ad, id_ad_caIssuers, id_ad_ocsp, id_alg_noSignature, id_alg_unsigned, id_at_name, id_at_organizationIdentifier, id_at_telephoneNumber, id_ce, id_ce_ct_embeddedSCTList, id_ce_ct_precertPoison, id_ce_ct_transparencyInformation, id_ct, id_ct_precertificate, id_ea_rsa, id_ecdsa_with_shake128, id_ecdsa_with_shake256, id_kp_ct_precertSigning, id_ocsp_ct_sctList, id_PasswordBasedMac, id_pda, id_pe, id_pe_relatedCert, id_pkix, id_rsassa_pss_shake128, id_rsassa_pss_shake256, id_SHA1, localityName, ocspAccessMethod, organization, organizationalUnitName, pkix_algorithms, ripemd160, ripemd160WithRSAEncryption, stateOrProvinceName| Constructor and Description |
|---|
PKCS12KeyStoreSpi(JcaJceHelper helper,
ASN1ObjectIdentifier keyAlgorithm,
ASN1ObjectIdentifier certAlgorithm) |
| Modifier and Type | Method and Description |
|---|---|
protected byte[] |
cryptData(boolean forEncryption,
AlgorithmIdentifier algId,
char[] password,
boolean wrongPKCS12Zero,
byte[] data) |
java.util.Enumeration |
engineAliases() |
boolean |
engineContainsAlias(java.lang.String alias) |
void |
engineDeleteEntry(java.lang.String alias)
this is not quite complete - we should follow up on the chain, a bit
tricky if a certificate appears in more than one chain... the store method
now prunes out unused certificates from the chain map if they are present.
|
java.security.cert.Certificate |
engineGetCertificate(java.lang.String alias)
simply return the cert for the private key
|
java.lang.String |
engineGetCertificateAlias(java.security.cert.Certificate cert) |
java.security.cert.Certificate[] |
engineGetCertificateChain(java.lang.String alias) |
java.util.Date |
engineGetCreationDate(java.lang.String alias) |
java.security.Key |
engineGetKey(java.lang.String alias,
char[] password) |
boolean |
engineIsCertificateEntry(java.lang.String alias) |
boolean |
engineIsKeyEntry(java.lang.String alias) |
void |
engineLoad(java.io.InputStream stream,
char[] password) |
void |
engineLoad(java.security.KeyStore.LoadStoreParameter loadStoreParameter) |
boolean |
engineProbe(java.io.InputStream stream) |
void |
engineSetCertificateEntry(java.lang.String alias,
java.security.cert.Certificate cert) |
void |
engineSetKeyEntry(java.lang.String alias,
byte[] key,
java.security.cert.Certificate[] chain) |
void |
engineSetKeyEntry(java.lang.String alias,
java.security.Key key,
char[] password,
java.security.cert.Certificate[] chain) |
int |
engineSize() |
void |
engineStore(java.security.KeyStore.LoadStoreParameter param) |
void |
engineStore(java.io.OutputStream stream,
char[] password) |
void |
setRandom(java.security.SecureRandom rand)
set the random source for the key store
|
protected java.security.PrivateKey |
unwrapKey(AlgorithmIdentifier algId,
byte[] data,
char[] password,
boolean wrongPKCS12Zero) |
protected byte[] |
wrapKey(EncryptionScheme encAlgId,
java.security.Key key,
PBKDF2Params pbeParams,
char[] password) |
protected byte[] |
wrapKey(java.lang.String algorithm,
java.security.Key key,
PKCS12PBEParams pbeParams,
char[] password) |
public PKCS12KeyStoreSpi(JcaJceHelper helper, ASN1ObjectIdentifier keyAlgorithm, ASN1ObjectIdentifier certAlgorithm)
public void setRandom(java.security.SecureRandom rand)
BCKeyStoresetRandom in interface BCKeyStorepublic boolean engineProbe(java.io.InputStream stream)
throws java.io.IOException
java.io.IOExceptionpublic java.util.Enumeration engineAliases()
engineAliases in class java.security.KeyStoreSpipublic boolean engineContainsAlias(java.lang.String alias)
engineContainsAlias in class java.security.KeyStoreSpipublic void engineDeleteEntry(java.lang.String alias)
throws java.security.KeyStoreException
engineDeleteEntry in class java.security.KeyStoreSpijava.security.KeyStoreExceptionpublic java.security.cert.Certificate engineGetCertificate(java.lang.String alias)
engineGetCertificate in class java.security.KeyStoreSpipublic java.lang.String engineGetCertificateAlias(java.security.cert.Certificate cert)
engineGetCertificateAlias in class java.security.KeyStoreSpipublic java.security.cert.Certificate[] engineGetCertificateChain(java.lang.String alias)
engineGetCertificateChain in class java.security.KeyStoreSpipublic java.util.Date engineGetCreationDate(java.lang.String alias)
engineGetCreationDate in class java.security.KeyStoreSpipublic java.security.Key engineGetKey(java.lang.String alias,
char[] password)
throws java.security.NoSuchAlgorithmException,
java.security.UnrecoverableKeyException
engineGetKey in class java.security.KeyStoreSpijava.security.NoSuchAlgorithmExceptionjava.security.UnrecoverableKeyExceptionpublic boolean engineIsCertificateEntry(java.lang.String alias)
engineIsCertificateEntry in class java.security.KeyStoreSpipublic boolean engineIsKeyEntry(java.lang.String alias)
engineIsKeyEntry in class java.security.KeyStoreSpipublic void engineSetCertificateEntry(java.lang.String alias,
java.security.cert.Certificate cert)
throws java.security.KeyStoreException
engineSetCertificateEntry in class java.security.KeyStoreSpijava.security.KeyStoreExceptionpublic void engineSetKeyEntry(java.lang.String alias,
byte[] key,
java.security.cert.Certificate[] chain)
throws java.security.KeyStoreException
engineSetKeyEntry in class java.security.KeyStoreSpijava.security.KeyStoreExceptionpublic void engineSetKeyEntry(java.lang.String alias,
java.security.Key key,
char[] password,
java.security.cert.Certificate[] chain)
throws java.security.KeyStoreException
engineSetKeyEntry in class java.security.KeyStoreSpijava.security.KeyStoreExceptionpublic int engineSize()
engineSize in class java.security.KeyStoreSpiprotected java.security.PrivateKey unwrapKey(AlgorithmIdentifier algId, byte[] data, char[] password, boolean wrongPKCS12Zero) throws java.io.IOException
java.io.IOExceptionprotected byte[] wrapKey(java.lang.String algorithm,
java.security.Key key,
PKCS12PBEParams pbeParams,
char[] password)
throws java.io.IOException
java.io.IOExceptionprotected byte[] wrapKey(EncryptionScheme encAlgId, java.security.Key key, PBKDF2Params pbeParams, char[] password) throws java.io.IOException
java.io.IOExceptionprotected byte[] cryptData(boolean forEncryption,
AlgorithmIdentifier algId,
char[] password,
boolean wrongPKCS12Zero,
byte[] data)
throws java.io.IOException
java.io.IOExceptionpublic void engineLoad(java.security.KeyStore.LoadStoreParameter loadStoreParameter)
throws java.io.IOException,
java.security.NoSuchAlgorithmException,
java.security.cert.CertificateException
engineLoad in class java.security.KeyStoreSpijava.io.IOExceptionjava.security.NoSuchAlgorithmExceptionjava.security.cert.CertificateExceptionpublic void engineLoad(java.io.InputStream stream,
char[] password)
throws java.io.IOException
engineLoad in class java.security.KeyStoreSpijava.io.IOExceptionpublic void engineStore(java.security.KeyStore.LoadStoreParameter param)
throws java.io.IOException,
java.security.NoSuchAlgorithmException,
java.security.cert.CertificateException
engineStore in class java.security.KeyStoreSpijava.io.IOExceptionjava.security.NoSuchAlgorithmExceptionjava.security.cert.CertificateExceptionpublic void engineStore(java.io.OutputStream stream,
char[] password)
throws java.io.IOException
engineStore in class java.security.KeyStoreSpijava.io.IOException