private void updateCaCertsOfIdentity(P11Identity identity) { X509Certificate[] certchain = identity.certificateChain(); if (certchain == null || certchain.length == 0) { return; } X509Certificate[] newCertchain = buildCertPath(certchain[0]); if (!Arrays.equals(certchain, newCertchain)) { try { identity.setCertificates(newCertchain); } catch (P11TokenException ex) { LOG.warn("could not set certificates for identity {}", identity.getId()); } } }
public byte[] digestSecretKey(long mechanism) throws P11TokenException, XiSecurityException { slot.assertMechanismSupported(mechanism); if (LOG.isDebugEnabled()) { LOG.debug("digest secret with mechanism {}", Functions.getMechanismDescription(mechanism)); } return digestSecretKey0(mechanism); }
/** * Signs the content. * @param mechanism * the mechanism * @param parameters * the parameters. Could be {@code null}. * @param content * the content to be signed. * @return the signature. * @throws XiSecurityException * if security error happens * @throws P11TokenException * if token error happens. */ public byte[] sign(final long mechanism, final P11Params parameters, final byte[] content) throws XiSecurityException, P11TokenException { return p11CryptService.getIdentity(identityId).sign(mechanism, parameters, content); }
private void updateCaCertsOfIdentity(final P11Identity identity) { X509Certificate[] certchain = identity.certificateChain(); if (certchain == null || certchain.length == 0) { return; } X509Certificate[] newCertchain = buildCertPath(certchain[0]); if (!Arrays.equals(certchain, newCertchain)) { try { identity.setCertificates(newCertchain); } catch (P11TokenException ex) { LOG.warn("could not set certificates for identity {}", identity.identityId()); } } }
public byte[] sign(long mechanism, P11Params parameters, byte[] content) throws P11TokenException { Args.notNull(content, "content"); slot.assertMechanismSupported(mechanism); if (!supportsMechanism(mechanism, parameters)) { throw new P11UnsupportedMechanismException(mechanism, id); } if (LOG.isDebugEnabled()) { LOG.debug("sign with mechanism {}", Functions.getMechanismDescription(mechanism)); } return sign0(mechanism, parameters, content); }
/** * Removes the key (private key, public key, secret key, and certificates) associated with * the given identifier {@code objectId}. * * @param keyId * Key identifier. Must not be {@code null}. * @throws P11TokenException * if PKCS#11 token exception occurs. */ public void removeIdentityByKeyId(P11ObjectIdentifier keyId) throws P11TokenException { ParamUtil.requireNonNull("keyId", keyId); assertWritable("removeIdentityByKeyId"); P11IdentityId entityId = null; if (identities.containsKey(keyId)) { entityId = identities.get(keyId).getId(); if (entityId.getCertId() != null) { certificates.remove(entityId.getCertId()); } identities.get(keyId).setCertificates(null); identities.remove(keyId); updateCaCertsOfIdentities(); removeIdentity0(entityId); } }
X509Certificate signerCertInP11 = identity.getCertificate(); PublicKey publicKeyInP11 = (signerCertInP11 != null) ? signerCertInP11.getPublicKey() : identity.getPublicKey(); Certificate[] certsInKeystore = identity.certificateChain(); if (certsInKeystore != null && certsInKeystore.length > 1) { for (int i = 1; i < certsInKeystore.length; i++) {
sb.append("\t").append(i + 1).append(". ").append(label); sb.append(" (").append("id: ").append(keyId.getIdHex()); P11IdentityId identityId = identity.getId(); P11ObjectIdentifier certId = identityId.getCertId(); if (certId != null && !certId.equals(keyId)) { if (identity.getPublicKey() != null) { String algo = identity.getPublicKey().getAlgorithm(); sb.append("\t\tAlgorithm: ").append(algo).append("\n"); X509Certificate[] certs = identity.certificateChain(); if (certs == null || certs.length == 0) { sb.append("\t\tCertificate: NONE\n");
public void addIdentity(P11Identity identity) { Args.notNull(identity, "identity"); this.identities.put(identity.getId().getKeyId(), identity); }
java.security.PublicKey pk = identity.getPublicKey(); java.security.PublicKey newPk = newCert.getPublicKey(); if (!pk.equals(newPk)) { P11IdentityId identityId = identity.getId(); identityId.setCertLabel(keyId.getLabel()); identity.setCertificates(new X509Certificate[]{newCert}); updateCaCertsOfIdentities(); LOG.info("updated certificate for key {}", keyId);
private void engineLoad(String moduleName) throws P11TokenException, XiSecurityException { P11CryptService p11Service = p11CryptServiceFactory.getP11CryptService(moduleName); P11Module module = p11Service.getModule(); List<P11SlotIdentifier> slotIds = module.getSlotIds(); for (P11SlotIdentifier slotId: slotIds) { P11Slot slot = module.getSlot(slotId); Set<P11ObjectIdentifier> identityIds = slot.getIdentityKeyIds(); for (P11ObjectIdentifier objId : identityIds) { P11Identity identity = slot.getIdentity(objId); X509Certificate[] chain = identity.certificateChain(); if (chain == null || chain.length == 0) { continue; } P11PrivateKey key = new P11PrivateKey(p11Service, identity.getId()); KeyCertEntry keyCertEntry = new KeyCertEntry(key, chain); keyCerts.put(moduleName + "#slotid-" + slotId.getId() + "#keyid-" + objId.getIdHex(), keyCertEntry); keyCerts.put(moduleName + "#slotid-" + slotId.getId() + "#keylabel-" + objId.getLabel(), keyCertEntry); keyCerts.put(moduleName + "#slotindex-" + slotId.getIndex() + "#keyid-" + objId.getIdHex(), keyCertEntry); keyCerts.put(moduleName + "#slotindex-" + slotId.getIndex() + "#keylabel-" + objId.getLabel(), keyCertEntry); } } } // method engineLoad
@Override public void removeIdentity(final P11ObjectIdentifier objectId) throws P11TokenException { ParamUtil.requireNonNull("objectId", objectId); assertWritable("removeIdentity"); if (identities.containsKey(objectId)) { certificates.remove(objectId); identities.get(objectId).setCertificates(null); identities.remove(objectId); updateCaCertsOfIdentities(); } removeIdentity0(objectId); }
X509Certificate signerCertInP11 = identity.certificate(); PublicKey publicKeyInP11 = (signerCertInP11 != null) ? signerCertInP11.getPublicKey() : identity.publicKey(); Certificate[] certsInKeystore = identity.certificateChain(); if (certsInKeystore != null && certsInKeystore.length > 1) { for (int i = 1; i < certsInKeystore.length; i++) {
java.security.PublicKey pk = identity.getPublicKey(); java.security.PublicKey newPk = newCert.getPublicKey(); if (!pk.equals(newPk)) { identity.setCertificates(new X509Certificate[]{newCert}); updateCaCertsOfIdentities(); LOG.info("updated certificate for key {}", keyId);
public static P11RSAKeyParameter getInstance(P11CryptService p11CryptService, P11IdentityId identityId) throws InvalidKeyException { ParamUtil.requireNonNull("p11CryptService", p11CryptService); ParamUtil.requireNonNull("identityId", identityId); RSAPublicKey key; try { key = (RSAPublicKey) p11CryptService.getIdentity(identityId).getPublicKey(); } catch (P11TokenException ex) { throw new InvalidKeyException(ex.getMessage(), ex); } BigInteger modulus = key.getModulus(); BigInteger publicExponent = key.getPublicExponent(); return new P11RSAKeyParameter(p11CryptService, identityId, modulus, publicExponent); }
P11Identity identity = identities.get(objectId); sb.append("\t").append(objectId); if (identity.getPublicKey() != null) { sb.append(", algo=").append(identity.getPublicKey().getAlgorithm()); if (identity.getCertificate() != null) { String subject = X509Util.getRfc4519Name( identity.getCertificate().getSubjectX500Principal()); sb.append(", subject='").append(subject).append("'");
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism) throws XiSecurityException, P11TokenException { Args.positive(parallelism, "parallelism"); List<XiContentSigner> signers = new ArrayList<>(parallelism); for (int i = 0; i < parallelism; i++) { XiContentSigner signer = new P11ContentSigner.Mac(cryptService, identityId, signatureAlgId); signers.add(signer); } // end for final boolean mac = true; DfltConcurrentContentSigner concurrentSigner; try { concurrentSigner = new DfltConcurrentContentSigner(mac, signers, null); } catch (NoSuchAlgorithmException ex) { throw new XiSecurityException(ex.getMessage(), ex); } try { byte[] sha1HashOfKey = cryptService.getIdentity(identityId).digestSecretKey( PKCS11Constants.CKM_SHA_1); concurrentSigner.setSha1DigestOfMacKey(sha1HashOfKey); } catch (P11TokenException | XiSecurityException ex) { LogUtil.warn(LOG, ex, "could not compute the digest of secret key " + identityId); } return concurrentSigner; } // method createSigner
sb.append(" (").append("id: ").append(objectId.idHex()).append(")\n"); P11Identity identity = identities.get(objectId); if (identity.publicKey() != null) { String algo = identity.publicKey().getAlgorithm(); sb.append("\t\tAlgorithm: ").append(algo).append("\n"); X509Certificate[] certs = identity.certificateChain(); if (certs == null || certs.length == 0) { sb.append("\t\tCertificate: NONE\n");
@Override public void updateCertificate(final P11ObjectIdentifier objectId, final X509Certificate newCert) throws P11TokenException, CertificateException { ParamUtil.requireNonNull("objectId", objectId); ParamUtil.requireNonNull("newCert", newCert); assertWritable("updateCertificate"); P11Identity identity = identities.get(objectId); if (identity == null) { throw new P11UnknownEntityException("could not find private key " + objectId); } java.security.PublicKey pk = identity.publicKey(); java.security.PublicKey newPk = newCert.getPublicKey(); if (!pk.equals(newPk)) { throw new P11TokenException("the given certificate is not for the key " + objectId); } updateCertificate0(objectId, newCert); identity.setCertificates(new X509Certificate[]{newCert}); updateCaCertsOfIdentities(); LOG.info("updated certificate {}", objectId); }
private void engineLoad(final String moduleName) throws P11TokenException, XiSecurityException { P11CryptService p11Service = p11CryptServiceFactory.getP11CryptService(moduleName); P11Module module = p11Service.module(); List<P11SlotIdentifier> slotIds = module.slotIdentifiers(); for (P11SlotIdentifier slotId: slotIds) { P11Slot slot = module.getSlot(slotId); Set<P11ObjectIdentifier> identityIds = slot.identityIdentifiers(); for (P11ObjectIdentifier objId : identityIds) { P11Identity identity = slot.getIdentity(objId); X509Certificate[] chain = identity.certificateChain(); if (chain == null || chain.length == 0) { continue; } P11PrivateKey key = new P11PrivateKey(p11Service, identity.identityId()); KeyCertEntry keyCertEntry = new KeyCertEntry(key, chain); keyCerts.put(moduleName + "#slotid-" + slotId.id() + "#keyid-" + objId.idHex(), keyCertEntry); keyCerts.put(moduleName + "#slotid-" + slotId.id() + "#keylabel-" + objId.label(), keyCertEntry); keyCerts.put(moduleName + "#slotindex-" + slotId.index() + "#keyid-" + objId.idHex(), keyCertEntry); keyCerts.put(moduleName + "#slotindex-" + slotId.index() + "#keylabel-" + objId.label(), keyCertEntry); } } } // method engineLoad