- java.lang.Object
-
- java.security.KeyStoreSpi
-
public abstract class KeyStoreSpi extends Object
This class defines the Service Provider Interface (SPI) for theKeyStore
class. All the abstract methods in this class must be implemented by each cryptographic service provider who wishes to supply the implementation of a keystore for a particular keystore type.- Since:
- 1.2
- See Also:
KeyStore
-
-
Constructor Summary
Constructors Constructor Description KeyStoreSpi()
-
Method Summary
Modifier and Type Method Description abstract Enumeration<String>
engineAliases()
Lists all the alias names of this keystore.abstract boolean
engineContainsAlias(String alias)
Checks if the given alias exists in this keystore.abstract void
engineDeleteEntry(String alias)
Deletes the entry identified by the given alias from this keystore.boolean
engineEntryInstanceOf(String alias, Class<? extends KeyStore.Entry> entryClass)
Determines if the keystoreEntry
for the specifiedalias
is an instance or subclass of the specifiedentryClass
.abstract Certificate
engineGetCertificate(String alias)
Returns the certificate associated with the given alias.abstract String
engineGetCertificateAlias(Certificate cert)
Returns the (alias) name of the first keystore entry whose certificate matches the given certificate.abstract Certificate[]
engineGetCertificateChain(String alias)
Returns the certificate chain associated with the given alias.abstract Date
engineGetCreationDate(String alias)
Returns the creation date of the entry identified by the given alias.KeyStore.Entry
engineGetEntry(String alias, KeyStore.ProtectionParameter protParam)
Gets aKeyStore.Entry
for the specified alias with the specified protection parameter.abstract Key
engineGetKey(String alias, char[] password)
Returns the key associated with the given alias, using the given password to recover it.abstract boolean
engineIsCertificateEntry(String alias)
Returns true if the entry identified by the given alias was created by a call tosetCertificateEntry
, or created by a call tosetEntry
with aTrustedCertificateEntry
.abstract boolean
engineIsKeyEntry(String alias)
Returns true if the entry identified by the given alias was created by a call tosetKeyEntry
, or created by a call tosetEntry
with aPrivateKeyEntry
or aSecretKeyEntry
.abstract void
engineLoad(InputStream stream, char[] password)
Loads the keystore from the given input stream.void
engineLoad(KeyStore.LoadStoreParameter param)
Loads the keystore using the givenKeyStore.LoadStoreParameter
.boolean
engineProbe(InputStream stream)
Probes the specified input stream to determine whether it contains a keystore that is supported by this implementation, or not.abstract void
engineSetCertificateEntry(String alias, Certificate cert)
Assigns the given certificate to the given alias.void
engineSetEntry(String alias, KeyStore.Entry entry, KeyStore.ProtectionParameter protParam)
Saves aKeyStore.Entry
under the specified alias.abstract void
engineSetKeyEntry(String alias, byte[] key, Certificate[] chain)
Assigns the given key (that has already been protected) to the given alias.abstract void
engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain)
Assigns the given key to the given alias, protecting it with the given password.abstract int
engineSize()
Retrieves the number of entries in this keystore.abstract void
engineStore(OutputStream stream, char[] password)
Stores this keystore to the given output stream, and protects its integrity with the given password.void
engineStore(KeyStore.LoadStoreParameter param)
Stores this keystore using the givenKeyStore.LoadStoreParmeter
.
-
-
-
Method Detail
-
engineGetKey
public abstract Key engineGetKey(String alias, char[] password) throws NoSuchAlgorithmException, UnrecoverableKeyException
Returns the key associated with the given alias, using the given password to recover it. The key must have been associated with the alias by a call tosetKeyEntry
, or by a call tosetEntry
with aPrivateKeyEntry
orSecretKeyEntry
.- Parameters:
alias
- the alias namepassword
- the password for recovering the key- Returns:
- the requested key, or null if the given alias does not exist or does not identify a key-related entry.
- Throws:
NoSuchAlgorithmException
- if the algorithm for recovering the key cannot be foundUnrecoverableKeyException
- if the key cannot be recovered (e.g., the given password is wrong).
-
engineGetCertificateChain
public abstract Certificate[] engineGetCertificateChain(String alias)
Returns the certificate chain associated with the given alias. The certificate chain must have been associated with the alias by a call tosetKeyEntry
, or by a call tosetEntry
with aPrivateKeyEntry
.- Parameters:
alias
- the alias name- Returns:
- the certificate chain (ordered with the user's certificate first and the root certificate authority last), or null if the given alias does not exist or does not contain a certificate chain
-
engineGetCertificate
public abstract Certificate engineGetCertificate(String alias)
Returns the certificate associated with the given alias.If the given alias name identifies an entry created by a call to
setCertificateEntry
, or created by a call tosetEntry
with aTrustedCertificateEntry
, then the trusted certificate contained in that entry is returned.If the given alias name identifies an entry created by a call to
setKeyEntry
, or created by a call tosetEntry
with aPrivateKeyEntry
, then the first element of the certificate chain in that entry (if a chain exists) is returned.- Parameters:
alias
- the alias name- Returns:
- the certificate, or null if the given alias does not exist or does not contain a certificate.
-
engineGetCreationDate
public abstract Date engineGetCreationDate(String alias)
Returns the creation date of the entry identified by the given alias.- Parameters:
alias
- the alias name- Returns:
- the creation date of this entry, or null if the given alias does not exist
-
engineSetKeyEntry
public abstract void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain) throws KeyStoreException
Assigns the given key to the given alias, protecting it with the given password.If the given key is of type
java.security.PrivateKey
, it must be accompanied by a certificate chain certifying the corresponding public key.If the given alias already exists, the keystore information associated with it is overridden by the given key (and possibly certificate chain).
- Parameters:
alias
- the alias namekey
- the key to be associated with the aliaspassword
- the password to protect the keychain
- the certificate chain for the corresponding public key (only required if the given key is of typejava.security.PrivateKey
).- Throws:
KeyStoreException
- if the given key cannot be protected, or this operation fails for some other reason
-
engineSetKeyEntry
public abstract void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) throws KeyStoreException
Assigns the given key (that has already been protected) to the given alias.If the protected key is of type
java.security.PrivateKey
, it must be accompanied by a certificate chain certifying the corresponding public key.If the given alias already exists, the keystore information associated with it is overridden by the given key (and possibly certificate chain).
- Parameters:
alias
- the alias namekey
- the key (in protected format) to be associated with the aliaschain
- the certificate chain for the corresponding public key (only useful if the protected key is of typejava.security.PrivateKey
).- Throws:
KeyStoreException
- if this operation fails.
-
engineSetCertificateEntry
public abstract void engineSetCertificateEntry(String alias, Certificate cert) throws KeyStoreException
Assigns the given certificate to the given alias.If the given alias identifies an existing entry created by a call to
setCertificateEntry
, or created by a call tosetEntry
with aTrustedCertificateEntry
, the trusted certificate in the existing entry is overridden by the given certificate.- Parameters:
alias
- the alias namecert
- the certificate- Throws:
KeyStoreException
- if the given alias already exists and does not identify an entry containing a trusted certificate, or this operation fails for some other reason.
-
engineDeleteEntry
public abstract void engineDeleteEntry(String alias) throws KeyStoreException
Deletes the entry identified by the given alias from this keystore.- Parameters:
alias
- the alias name- Throws:
KeyStoreException
- if the entry cannot be removed.
-
engineAliases
public abstract Enumeration<String> engineAliases()
Lists all the alias names of this keystore.- Returns:
- enumeration of the alias names
-
engineContainsAlias
public abstract boolean engineContainsAlias(String alias)
Checks if the given alias exists in this keystore.- Parameters:
alias
- the alias name- Returns:
- true if the alias exists, false otherwise
-
engineSize
public abstract int engineSize()
Retrieves the number of entries in this keystore.- Returns:
- the number of entries in this keystore
-
engineIsKeyEntry
public abstract boolean engineIsKeyEntry(String alias)
Returns true if the entry identified by the given alias was created by a call tosetKeyEntry
, or created by a call tosetEntry
with aPrivateKeyEntry
or aSecretKeyEntry
.- Parameters:
alias
- the alias for the keystore entry to be checked- Returns:
- true if the entry identified by the given alias is a key-related, false otherwise.
-
engineIsCertificateEntry
public abstract boolean engineIsCertificateEntry(String alias)
Returns true if the entry identified by the given alias was created by a call tosetCertificateEntry
, or created by a call tosetEntry
with aTrustedCertificateEntry
.- Parameters:
alias
- the alias for the keystore entry to be checked- Returns:
- true if the entry identified by the given alias contains a trusted certificate, false otherwise.
-
engineGetCertificateAlias
public abstract String engineGetCertificateAlias(Certificate cert)
Returns the (alias) name of the first keystore entry whose certificate matches the given certificate.This method attempts to match the given certificate with each keystore entry. If the entry being considered was created by a call to
setCertificateEntry
, or created by a call tosetEntry
with aTrustedCertificateEntry
, then the given certificate is compared to that entry's certificate.If the entry being considered was created by a call to
setKeyEntry
, or created by a call tosetEntry
with aPrivateKeyEntry
, then the given certificate is compared to the first element of that entry's certificate chain.- Parameters:
cert
- the certificate to match with.- Returns:
- the alias name of the first entry with matching certificate, or null if no such entry exists in this keystore.
-
engineStore
public abstract void engineStore(OutputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException
Stores this keystore to the given output stream, and protects its integrity with the given password.- Parameters:
stream
- the output stream to which this keystore is written.password
- the password to generate the keystore integrity check- Throws:
IOException
- if there was an I/O problem with dataNoSuchAlgorithmException
- if the appropriate data integrity algorithm could not be foundCertificateException
- if any of the certificates included in the keystore data could not be stored
-
engineStore
public void engineStore(KeyStore.LoadStoreParameter param) throws IOException, NoSuchAlgorithmException, CertificateException
Stores this keystore using the givenKeyStore.LoadStoreParmeter
.- Parameters:
param
- theKeyStore.LoadStoreParmeter
that specifies how to store the keystore, which may benull
- Throws:
IllegalArgumentException
- if the givenKeyStore.LoadStoreParmeter
input is not recognizedIOException
- if there was an I/O problem with dataNoSuchAlgorithmException
- if the appropriate data integrity algorithm could not be foundCertificateException
- if any of the certificates included in the keystore data could not be stored- Since:
- 1.5
-
engineLoad
public abstract void engineLoad(InputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException
Loads the keystore from the given input stream.A password may be given to unlock the keystore (e.g. the keystore resides on a hardware token device), or to check the integrity of the keystore data. If a password is not given for integrity checking, then integrity checking is not performed.
- Parameters:
stream
- the input stream from which the keystore is loaded, ornull
password
- the password used to check the integrity of the keystore, the password used to unlock the keystore, ornull
- Throws:
IOException
- if there is an I/O or format problem with the keystore data, if a password is required but not given, or if the given password was incorrect. If the error is due to a wrong password, thecause
of theIOException
should be anUnrecoverableKeyException
NoSuchAlgorithmException
- if the algorithm used to check the integrity of the keystore cannot be foundCertificateException
- if any of the certificates in the keystore could not be loaded
-
engineLoad
public void engineLoad(KeyStore.LoadStoreParameter param) throws IOException, NoSuchAlgorithmException, CertificateException
Loads the keystore using the givenKeyStore.LoadStoreParameter
.Note that if this KeyStore has already been loaded, it is reinitialized and loaded again from the given parameter.
- Implementation Requirements:
- The default implementation examines
KeyStore.LoadStoreParameter
to extract its password and pass it toengineLoad(InputStream, char[])
along with anull
InputStream
.If
KeyStore.LoadStoreParameter
isnull
then the password parameter will also benull
. Otherwise theKeyStore.ProtectionParameter
ofKeyStore.LoadStoreParameter
must be either aKeyStore.PasswordProtection
or aKeyStore.CallbackHandlerProtection
that supportsPasswordCallback
so that the password parameter can be extracted. If theKeyStore.ProtectionParameter
is neither of those classes then aNoSuchAlgorithmException
is thrown. - Parameters:
param
- theKeyStore.LoadStoreParameter
that specifies how to load the keystore, which may benull
- Throws:
IllegalArgumentException
- if the givenKeyStore.LoadStoreParameter
input is not recognizedIOException
- if there is an I/O or format problem with the keystore data. If the error is due to an incorrectProtectionParameter
(e.g. wrong password) thecause
of theIOException
should be anUnrecoverableKeyException
NoSuchAlgorithmException
- if the algorithm used to check the integrity of the keystore cannot be foundCertificateException
- if any of the certificates in the keystore could not be loaded- Since:
- 1.5
-
engineGetEntry
public KeyStore.Entry engineGetEntry(String alias, KeyStore.ProtectionParameter protParam) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException
Gets aKeyStore.Entry
for the specified alias with the specified protection parameter.- Parameters:
alias
- get theKeyStore.Entry
for this aliasprotParam
- theProtectionParameter
used to protect theEntry
, which may benull
- Returns:
- the
KeyStore.Entry
for the specified alias, ornull
if there is no such entry - Throws:
KeyStoreException
- if the operation failedNoSuchAlgorithmException
- if the algorithm for recovering the entry cannot be foundUnrecoverableEntryException
- if the specifiedprotParam
were insufficient or invalidUnrecoverableKeyException
- if the entry is aPrivateKeyEntry
orSecretKeyEntry
and the specifiedprotParam
does not contain the information needed to recover the key (e.g. wrong password)- Since:
- 1.5
-
engineSetEntry
public void engineSetEntry(String alias, KeyStore.Entry entry, KeyStore.ProtectionParameter protParam) throws KeyStoreException
Saves aKeyStore.Entry
under the specified alias. The specified protection parameter is used to protect theEntry
.If an entry already exists for the specified alias, it is overridden.
- Parameters:
alias
- save theKeyStore.Entry
under this aliasentry
- theEntry
to saveprotParam
- theProtectionParameter
used to protect theEntry
, which may benull
- Throws:
KeyStoreException
- if this operation fails- Since:
- 1.5
-
engineEntryInstanceOf
public boolean engineEntryInstanceOf(String alias, Class<? extends KeyStore.Entry> entryClass)
Determines if the keystoreEntry
for the specifiedalias
is an instance or subclass of the specifiedentryClass
.- Parameters:
alias
- the alias nameentryClass
- the entry class- Returns:
- true if the keystore
Entry
for the specifiedalias
is an instance or subclass of the specifiedentryClass
, false otherwise - Since:
- 1.5
-
engineProbe
public boolean engineProbe(InputStream stream) throws IOException
Probes the specified input stream to determine whether it contains a keystore that is supported by this implementation, or not.- Implementation Requirements:
- This method returns false by default. Keystore implementations should override this method to peek at the data stream directly or to use other content detection mechanisms.
- Parameters:
stream
- the keystore data to be probed- Returns:
- true if the keystore data is supported, otherwise false
- Throws:
IOException
- if there is an I/O problem with the keystore data.NullPointerException
- if stream isnull
.- Since:
- 9
-
-