Top Description Inners Fields Constructors Methods
sun.security.pkcs12

public final Class PKCS12KeyStore

extends KeyStoreSpi
Class Inheritance
Imports
java.io.*, java.security.AccessController, .MessageDigest, .NoSuchAlgorithmException, .Key, .KeyFactory, .KeyStore, .KeyStoreSpi, .KeyStoreException, .PKCS12Attribute, .PrivateKey, .PrivilegedAction, .UnrecoverableEntryException, .UnrecoverableKeyException, .SecureRandom, .Security, .AlgorithmParameters, .InvalidAlgorithmParameterException, java.security.cert.Certificate, .CertificateFactory, .X509Certificate, .CertificateException, java.security.spec.AlgorithmParameterSpec, .InvalidParameterSpecException, .KeySpec, .PKCS8EncodedKeySpec, java.util.*, javax.crypto.spec.PBEParameterSpec, .PBEKeySpec, .SecretKeySpec, javax.crypto.SecretKeyFactory, .SecretKey, .Cipher, .Mac, javax.security.auth.DestroyFailedException, javax.security.auth.x500.X500Principal, jdk.internal.access.SharedSecrets, sun.security.action.GetPropertyAction, sun.security.tools.KeyStoreUtil, sun.security.util.*, sun.security.pkcs.ContentInfo, .EncryptedPrivateKeyInfo, sun.security.x509.AlgorithmId, .AuthorityKeyIdentifierExtension, sun.security.provider.JavaKeyStore.JKS
This class provides the keystore implementation referred to as "PKCS12". Implements the PKCS#12 PFX protected using the Password privacy mode. The contents are protected using Password integrity mode.

Note

In a PKCS12 keystore, entries are identified by the alias, and a localKeyId is required to match the private key with the certificate. Trusted certificate entries are identified by the presence of an trustedKeyUsage attribute.

Authors
Seema Malkani, Jeff Nisewanger, Jan Luehe
See Also
java.security.KeyStoreSpi

Nested and Inner Type Summary

Modifier and TypeClass and Description
private static class
PKCS12KeyStore.CertEntry

public static class
PKCS12KeyStore.DualFormatPKCS12

private static class
PKCS12KeyStore.Entry

private static class
PKCS12KeyStore.KeyEntry

private static class
PKCS12KeyStore.PrivateKeyEntry

private static interface
PKCS12KeyStore.RetryWithZero<
the return type
T>

Retries an action with password "\0" if "" fails.

private static class
PKCS12KeyStore.SecretKeyEntry

Field Summary

Modifier and TypeField and Description
private final List<X509Certificate>
allCerts

private static final ObjectIdentifier[]
AnyUsage

private static final ObjectIdentifier
CertBag_OID

private final ArrayList<PKCS12KeyStore.CertEntry>
certEntries

private int
certificateCount

private int
certPbeIterationCount

private String
certProtectionAlgorithm

private static final KnownOIDs[]
CORE_ATTRIBUTES

private int
counter

private static final Debug
debug

private static final String
DEFAULT_CERT_PBE_ALGORITHM

private static final int
DEFAULT_CERT_PBE_ITERATION_COUNT

private static final String
DEFAULT_KEY_PBE_ALGORITHM

private static final int
DEFAULT_KEY_PBE_ITERATION_COUNT

private static final String
DEFAULT_MAC_ALGORITHM

private static final int
DEFAULT_MAC_ITERATION_COUNT

private final Map<String, PKCS12KeyStore.Entry>
entries

Private keys and certificates are stored in a map.

private final ArrayList<PKCS12KeyStore.KeyEntry>
keyList

private static final String
LEGACY_CERT_PBE_ALGORITHM

private static final String
LEGACY_KEY_PBE_ALGORITHM

private static final String
LEGACY_MAC_ALGORITHM

private static final int
LEGACY_MAC_ITERATION_COUNT

private static final int
LEGACY_PBE_ITERATION_COUNT

private String
macAlgorithm

private int
macIterationCount

private static final int
MAX_ITERATION_COUNT

private static final ObjectIdentifier
pbes2_OID

private static final long[][]
PKCS12_HEADER_MASKS

private static final long[][]
PKCS12_HEADER_PATTERNS

private static final ObjectIdentifier
PKCS8ShroudedKeyBag_OID

private static final ObjectIdentifier
PKCS9CertType_OID

private static final ObjectIdentifier
PKCS9FriendlyName_OID

private static final ObjectIdentifier
PKCS9LocalKeyId_OID

private int
privateKeyCount

private SecureRandom
random

private static final int
SALT_LEN

private static final ObjectIdentifier
SecretBag_OID

private int
secretKeyCount

private static final ObjectIdentifier
TrustedKeyUsage_OID

private static final String
USE_LEGACY_PROP

public static final int
VERSION_3

Constructor Summary

AccessConstructor and Description
public
PKCS12KeyStore()

Method Summary

Modifier and TypeMethod and Description
private byte[]
calculateMac(char[] passwd, byte[] data)

private static void
checkX509Certs(Certificate[] certs)

private byte[]
createSafeContent()

private static int
defaultCertPbeIterationCount()

private static String
defaultCertProtectionAlgorithm()

private static int
defaultKeyPbeIterationCount()

private static String
defaultKeyProtectionAlgorithm()

private static String
defaultMacAlgorithm()

private static int
defaultMacIterationCount()

private void
destroyPBEKey(SecretKey key)

private byte[]
encryptContent(byte[] data, char[] password)

private byte[]
encryptPrivateKey(byte[] data, KeyStore.PasswordProtection passwordProtection)

public Enumeration<String>

Returns:

enumeration of the alias names
engineAliases()

Implements abstract java.security.KeyStoreSpi.engineAliases.

Lists all the alias names of this keystore.

public boolean

Returns:

true if the alias exists, false otherwise
engineContainsAlias(String
the alias name
alias)

Implements abstract java.security.KeyStoreSpi.engineContainsAlias.

Checks if the given alias exists in this keystore.

public synchronized void
engineDeleteEntry(String
the alias name
alias)

Implements abstract java.security.KeyStoreSpi.engineDeleteEntry.

Deletes the entry identified by the given alias from this keystore.

public boolean

Returns:

true if the keystore Entry for the specified alias is an instance or subclass of the specified entryClass, false otherwise
engineEntryInstanceOf(String
the alias name
alias, Class<? extends KeyStore.Entry>
the entry class
entryClass)

Overrides java.security.KeyStoreSpi.engineEntryInstanceOf.

Determines if the keystore Entry for the specified alias is an instance or subclass of the specified entryClass.

public Set<KeyStore.Entry.Attribute>
engineGetAttributes(String
the alias name
alias)

Overrides java.security.KeyStoreSpi.engineGetAttributes.

Retrieves the attributes associated with the given alias.

public Certificate

Returns:

the certificate, or null if the given alias does not exist or does not contain a certificate.
engineGetCertificate(String
the alias name
alias)

Implements abstract java.security.KeyStoreSpi.engineGetCertificate.

Returns the certificate associated with the given alias.

public String

Returns:

the (alias) name of the first entry with matching certificate, or null if no such entry exists in this keystore.
engineGetCertificateAlias(Certificate
the certificate to match with.
cert)

Implements abstract java.security.KeyStoreSpi.engineGetCertificateAlias.

Returns the (alias) name of the first keystore entry whose certificate matches the given certificate.

public Certificate[]

Returns:

the certificate chain (ordered with the user's certificate first and the root certificate authority last), or null if the given alias does not exist or does not contain a certificate chain (i.e., the given alias identifies either a trusted certificate entry or a key entry without a certificate chain).
engineGetCertificateChain(String
the alias name
alias)

Implements abstract java.security.KeyStoreSpi.engineGetCertificateChain.

Returns the certificate chain associated with the given alias.

public Date

Returns:

the creation date of this entry, or null if the given alias does not exist
engineGetCreationDate(String
the alias name
alias)

Implements abstract java.security.KeyStoreSpi.engineGetCreationDate.

Returns the creation date of the entry identified by the given alias.

public KeyStore.Entry

Returns:

the KeyStore.Entry for the specified alias, or null if there is no such entry
engineGetEntry(String
get the KeyStore.Entry for this alias
alias, KeyStore.ProtectionParameter
the ProtectionParameter used to protect the Entry, which may be null
protParam)

Overrides java.security.KeyStoreSpi.engineGetEntry.

Gets a KeyStore.Entry for the specified alias with the specified protection parameter.

public Key

Returns:

the requested key, or null if the given alias does not exist or does not identify a key entry.
engineGetKey(String
the alias name
alias, char[]
the password for recovering the key
password)

Implements abstract java.security.KeyStoreSpi.engineGetKey.

Returns the key associated with the given alias, using the given password to recover it.

public boolean

Returns:

true if the entry identified by the given alias is a trusted certificate entry, false otherwise.
engineIsCertificateEntry(String
the alias for the keystore entry to be checked
alias)

Implements abstract java.security.KeyStoreSpi.engineIsCertificateEntry.

Returns true if the entry identified by the given alias is a trusted certificate entry, and false otherwise.

public boolean

Returns:

true if the entry identified by the given alias is a key entry, false otherwise.
engineIsKeyEntry(String
the alias for the keystore entry to be checked
alias)

Implements abstract java.security.KeyStoreSpi.engineIsKeyEntry.

Returns true if the entry identified by the given alias is a key entry, and false otherwise.

public synchronized void
engineLoad(InputStream
the input stream from which the keystore is loaded
stream, char[]
the (optional) password used to check the integrity of the keystore.
password)

Implements abstract java.security.KeyStoreSpi.engineLoad.

Loads the keystore from the given input stream.

public boolean
engineProbe(InputStream
the keystore data to be probed
stream)

Overrides java.security.KeyStoreSpi.engineProbe.

Probe the first few bytes of the keystore data stream for a valid PKCS12 keystore encoding.

public synchronized void
engineSetCertificateEntry(String
the alias name
alias, Certificate
the certificate
cert)

Implements abstract java.security.KeyStoreSpi.engineSetCertificateEntry.

Assigns the given certificate to the given alias.

public synchronized void
engineSetEntry(String
save the KeyStore.Entry under this alias
alias, KeyStore.Entry
the Entry to save
entry, KeyStore.ProtectionParameter
the ProtectionParameter used to protect the Entry, which may be null
protParam)

Overrides java.security.KeyStoreSpi.engineSetEntry.

Saves a KeyStore.Entry under the specified alias.

public synchronized void
engineSetKeyEntry(String
the alias name
alias, Key
the key to be associated with the alias
key, char[]
the password to protect the key
password, Certificate[]
the certificate chain for the corresponding public key (only required if the given key is of type java.security.PrivateKey).
chain)

Implements abstract java.security.KeyStoreSpi.engineSetKeyEntry.

Assigns the given key to the given alias, protecting it with the given password.

public synchronized void
engineSetKeyEntry(String
the alias name
alias, byte[]
the key (in protected format) to be associated with the alias
key, Certificate[]
the certificate chain for the corresponding public key (only useful if the protected key is of type java.security.PrivateKey).
chain)

Implements abstract java.security.KeyStoreSpi.engineSetKeyEntry.

Assigns the given key (that has already been protected) to the given alias.

public int

Returns:

the number of entries in this keystore
engineSize()

Implements abstract java.security.KeyStoreSpi.engineSize.

Retrieves the number of entries in this keystore.

public synchronized void
engineStore(OutputStream
the output stream to which this keystore is written.
stream, char[]
the password to generate the keystore integrity check
password)

Implements abstract java.security.KeyStoreSpi.engineStore.

Stores this keystore to the given output stream, and protects its integrity with the given password.

private X509Certificate

Returns:

the isssuer, or null if none matches
findIssuer(X509Certificate
the input certificate
input)

Find the issuer of input in allCerts.

private X509Certificate

Returns:

a certificate, null if not found
findMatchedCertificate(PKCS12KeyStore.PrivateKeyEntry
the KeyEntry to match
entry)

Locates a matched CertEntry from certEntries, and returns its cert.

private byte[]
getBagAttributes(String alias, byte[] keyId, Set<KeyStore.Entry.Attribute> attributes)

private byte[]
getBagAttributes(String alias, byte[] keyId, ObjectIdentifier[] trustedUsage, Set<KeyStore.Entry.Attribute> attributes)

private byte[]
getCertificateData()

private AlgorithmParameters
getPBEAlgorithmParameters(String algorithm, int iterationCount)

private SecretKey
getPBEKey(char[] password)

private byte[]
getSalt()

private String
getUnfriendlyName()

private Certificate[]
internalGetCertificateChain(PKCS12KeyStore.Entry entry)

private Key
internalGetKey(PKCS12KeyStore.Entry entry, char[] password)

private boolean
internalIsCertificateEntry(PKCS12KeyStore.Entry entry)

private boolean
internalIsKeyEntry(PKCS12KeyStore.Entry entry)

public static boolean

Returns:

if it's password-less
isPasswordless(File
the pkcs12 file
f)

Returns if a pkcs12 file is password-less.

private void
loadSafeContents(DerInputStream stream)

private static ObjectIdentifier
mapPBEAlgorithmToOID(String algorithm)

private void
populateAttributes(PKCS12KeyStore.Entry entry)

private void
setCertEntry(String alias, Certificate cert, Set<KeyStore.Entry.Attribute> attributes)

private void
setKeyEntry(String alias, Key key, KeyStore.PasswordProtection passwordProtection, Certificate[] chain, Set<KeyStore.Entry.Attribute> attributes)

private static int
string2IC(String type, String value)

private static boolean
useLegacy()

private boolean
validateChain(Certificate[] certChain)

Inherited from java.security.KeyStoreSpi:
engineLoadengineStore