OpenJDK 1.23 · sun.security.pkcs11.P11KeyStore · APIdia, the JavaDoc alternative

Modifier and Type	Class and Description
private static class	P11KeyStore.AliasInfo The underlying token may contain multiple certs belonging to the same "personality" (for example, a signing cert and encryption cert), all sharing the same CKA_LABEL.
private static class	P11KeyStore.PasswordCallbackHandler callback handler for passing password to Provider.login method
private static class	P11KeyStore.THandle getTokenObject return value.

Modifier and Type	Field and Description
private static final String	ALIAS_SEP
private HashMap<String, P11KeyStore.AliasInfo>	aliasMap
private static final CK_ATTRIBUTE	ATTR_CLASS_CERT
private static final CK_ATTRIBUTE	ATTR_CLASS_PKEY
private static final CK_ATTRIBUTE	ATTR_CLASS_SKEY
private static final CK_ATTRIBUTE	ATTR_PRIVATE_TRUE
private static CK_ATTRIBUTE	ATTR_SKEY_TOKEN_TRUE
private static final CK_ATTRIBUTE	ATTR_TOKEN_TRUE
private static final CK_ATTRIBUTE	ATTR_TRUSTED_TRUE
private static final CK_ATTRIBUTE	ATTR_X509_CERT_TYPE
private static boolean	CKA_TRUSTED_SUPPORTED
private static final Debug	debug
private static final long	FINDOBJECTS_MAX
private static final long[]	LONG0
private static final long	NO_HANDLE
private static final boolean	NSS_TEST
private Secmod.TrustType	nssTrustType
private final Token	token
private final boolean	useSecmodTrust
private boolean	writeDisabled

Access	Constructor and Description
pack-priv	P11KeyStore(Token token)

Method Summary

Modifier and Type	Method and Description
private static CK_ATTRIBUTE[]	addAttribute(CK_ATTRIBUTE[] attrs, CK_ATTRIBUTE attr)
private void	checkWrite()
private boolean	deleteEntry(String alias) XXX - not sure whether to keep this
private boolean	destroyCert(byte[] cka_id) return true if cert destroyed
private boolean	destroyChain(byte[] cka_id) return true if chain destroyed
private boolean	destroyPkey(byte[] cka_id) return true if private key destroyed
private boolean	destroySkey(String alias) return true if secret key destroyed
private void	dumpTokenMap(Debug debug)
public synchronized Enumeration<String>	Returns: enumeration of the alias names engineAliases() Implements abstract java.security.KeyStoreSpi.engineAliases. Lists all the alias names of this keystore.
public synchronized boolean	Returns: true if the alias exists, false otherwise engineContainsAlias(String the alias name alias) Implements abstract java.security.KeyStoreSpi.engineContainsAlias. Checks if the given alias exists in this keystore.
public synchronized void	engineDeleteEntry(String the alias name alias) Implements abstract java.security.KeyStoreSpi.engineDeleteEntry. Deletes the entry identified by the given alias from this keystore.
public synchronized boolean	Returns: true if the keystore `Entry` for the specified `alias` is an instance or subclass of the specified `entryClass`, false otherwise engineEntryInstanceOf(String the alias name alias, Class<? extends KeyStore.Entry> the entry class entryClass) Overrides java.security.KeyStoreSpi.engineEntryInstanceOf. Determines if the keystore `Entry` for the specified `alias` is an instance or subclass of the specified `entryClass`.
public synchronized Certificate	Returns: the certificate, or null if the given alias does not exist or does not contain a certificate. engineGetCertificate(String the alias name alias) Implements abstract java.security.KeyStoreSpi.engineGetCertificate. Returns the certificate associated with the given alias.
public synchronized String	Returns: the alias name of the first entry with matching certificate, or null if no such entry exists in this keystore. engineGetCertificateAlias(Certificate the certificate to match with. cert) Implements abstract java.security.KeyStoreSpi.engineGetCertificateAlias. Returns the (alias) name of the first keystore entry whose certificate matches the given certificate.
public synchronized Certificate[]	Returns: the certificate chain (ordered with the user's certificate first and the root certificate authority last), or null if the given alias does not exist or does not contain a certificate chain engineGetCertificateChain(String the alias name alias) Implements abstract java.security.KeyStoreSpi.engineGetCertificateChain. Returns the certificate chain associated with the given alias.
public Date	Returns: the creation date of this entry, or null if the given alias does not exist engineGetCreationDate(String the alias name alias) Implements abstract java.security.KeyStoreSpi.engineGetCreationDate. Returns the creation date of the entry identified by the given alias.
public synchronized KeyStore.Entry	Returns: the `KeyStore.Entry` for the specified alias, or `null` if there is no such entry engineGetEntry(String get the `KeyStore.Entry` for this alias alias, KeyStore.ProtectionParameter this must be `null` protParam) Overrides java.security.KeyStoreSpi.engineGetEntry. Get a `KeyStore.Entry` for the specified alias
public synchronized Key	Returns: the requested key, or null if the given alias does not exist or does not identify a key-related entry. engineGetKey(String the alias name alias, char[] the password, which must be `null` password) Implements abstract java.security.KeyStoreSpi.engineGetKey. Returns the key associated with the given alias.
public synchronized boolean	Returns: true if the entry identified by the given alias contains a trusted certificate, false otherwise. engineIsCertificateEntry(String the alias for the keystore entry to be checked alias) Implements abstract java.security.KeyStoreSpi.engineIsCertificateEntry. Returns true if the entry identified by the given alias was created by a call to `setCertificateEntry`, or created by a call to `setEntry` with a `TrustedCertificateEntry`.
public synchronized boolean	Returns: true if the entry identified by the given alias is a key-related, false otherwise. engineIsKeyEntry(String the alias for the keystore entry to be checked alias) Implements abstract java.security.KeyStoreSpi.engineIsKeyEntry. Returns true if the entry identified by the given alias was created by a call to `setKeyEntry`, or created by a call to `setEntry` with a `PrivateKeyEntry` or a `SecretKeyEntry`.
public synchronized void	engineLoad(InputStream the input stream, which must be `null` stream, char[] the password used to unlock the keystore, or `null` if the token supports a CKF_PROTECTED_AUTHENTICATION_PATH password) Implements abstract java.security.KeyStoreSpi.engineLoad. Loads the keystore.
public synchronized void	engineLoad(KeyStore.LoadStoreParameter the `KeyStore.LoadStoreParameter` param) Overrides java.security.KeyStoreSpi.engineLoad. Loads the keystore using the given `KeyStore.LoadStoreParameter`.
public synchronized void	engineSetCertificateEntry(String the alias name alias, Certificate the certificate cert) Implements abstract java.security.KeyStoreSpi.engineSetCertificateEntry. Assigns the given certificate to the given alias.
public synchronized void	engineSetEntry(String save the `KeyStore.Entry` under this alias alias, KeyStore.Entry the `Entry` to save entry, KeyStore.ProtectionParameter this must be `null` protParam) Overrides java.security.KeyStoreSpi.engineSetEntry. Save a `KeyStore.Entry` under the specified alias.
public synchronized void	engineSetKeyEntry(String the alias name alias, Key the key to be associated with the alias key, char[] the password to protect the key password, Certificate[] the certificate chain for the corresponding public key (only required if the given key is of type `java.security.PrivateKey`). chain) Implements abstract java.security.KeyStoreSpi.engineSetKeyEntry. Assigns the given key to the given alias, protecting it with the given password.
public void	engineSetKeyEntry(String the alias name alias, byte[] the key (in protected format) to be associated with the alias key, Certificate[] the certificate chain for the corresponding public key (only useful if the protected key is of type `java.security.PrivateKey`). chain) Implements abstract java.security.KeyStoreSpi.engineSetKeyEntry. Assigns the given key (that has already been protected) to the given alias.
public synchronized int	Returns: the number of entries in this keystore engineSize() Implements abstract java.security.KeyStoreSpi.engineSize. Retrieves the number of entries in this keystore.
public synchronized void	engineStore(OutputStream this must be `null` stream, char[] this must be `null` password) Implements abstract java.security.KeyStoreSpi.engineStore. engineStore currently is a No-op.
public synchronized void	engineStore(KeyStore.LoadStoreParameter this must be `null` param) Overrides java.security.KeyStoreSpi.engineStore. engineStore currently is a No-op.
private static long[]	findObjects(Session session, CK_ATTRIBUTE[] attrs)
private String	getID(String alias, X509Certificate cert) build [alias + issuer + serialNumber] string from a cert
private static String	getID(byte[] bytes) build CKA_ID string from bytes
private CK_ATTRIBUTE[]	getIdAttributes(PrivateKey privateKey, PublicKey publicKey, boolean id, boolean netscapeDb) Compute the CKA_ID and/or CKA_NETSCAPE_DB attributes that should be used for this private key.
private static String	getIDNullSafe(byte[] bytes) Null safe version of getID.
private CK_ATTRIBUTE[]	getRsaPrivKeyAttrs(String alias, RSAPrivateKey key, X500Principal subject)
private P11KeyStore.THandle	getTokenObject(Session session, CK_ATTRIBUTE either ATTR_CLASS_CERT, ATTR_CLASS_PKEY, or ATTR_CLASS_SKEY type, byte[] the CKA_ID if type is ATTR_CLASS_CERT or ATTR_CLASS_PKEY cka_id, String the CKA_LABEL if type is ATTR_CLASS_SKEY cka_label) find an object on the token
private X509Certificate	loadCert(Session session, long oHandle)
private X509Certificate[]	loadChain(Session session, X509Certificate endCert)
private PrivateKey	loadPkey(Session session, long oHandle)
private SecretKey	loadSkey(Session session, long oHandle)
private void	login(CallbackHandler handler)
private boolean	Returns: true if multiple certs found sharing the same CKA_LABEL mapCerts(ArrayList<P11KeyStore.AliasInfo> matchedCerts, HashMap<String, HashSet<P11KeyStore.AliasInfo>> certMap) for each cert not matched with a private key but is CKA_TRUSTED: if CKA_LABEL unique, map cert to CKA_LABEL.
private boolean	Returns: true if multiple certs found sharing the same CKA_LABEL (if so, write capabilities are disabled) mapLabels() Create a mapping of all key pairs, trusted certs, and secret keys on the token into logical KeyStore entries unambiguously accessible via an alias.
private ArrayList<P11KeyStore.AliasInfo>	Returns: a list of AliasInfo entries that represents all matches mapPrivateKeys(ArrayList<byte[]> pkeyIDs, HashMap<String, HashSet<P11KeyStore.AliasInfo>> certMap) for each private key CKA_ID, find corresponding cert with same CKA_ID.
private void	mapSecretKeys(HashMap<String, P11KeyStore.AliasInfo> sKeyMap) If the secret key shares a CKA_LABEL with another entry, throw an exception
private boolean	mapTrustedCert(String certLabel, P11KeyStore.AliasInfo aliasInfo, HashSet<P11KeyStore.AliasInfo> infoSet)
private void	storeCaCerts(X509Certificate[] chain, int start)
private void	storeCert(String alias, X509Certificate cert)
private void	storeChain(String alias, X509Certificate[] chain)
private void	storePkey(String alias, KeyStore.PrivateKeyEntry pke)
private void	storeSkey(String alias, KeyStore.SecretKeyEntry ske)
private void	updateP11Pkey(String alias, CK_ATTRIBUTE attribute, P11Key key)
private void	updatePkey(String alias, byte[] cka_id, X509Certificate[] chain, boolean if true, then caller is updating alias info for existing cert (only update CKA_ID/CKA_LABEL). if false, then caller is updating cert chain (delete old end cert and add new chain). replaceCert) XXX On ibutton, when you C_SetAttribute(CKA_ID) for a private key it not only changes the CKA_ID of the private key, it changes the CKA_ID of the corresponding cert too.

Inherited from java.security.KeyStoreSpi:: engineGetAttributes engineProbe

pack-priv final Class P11KeyStore

Nested and Inner Type Summary

Field Summary

Constructor Summary

Method Summary