Package org.certificateservices.messages

Class PKCS11MessageSecurityProvider

java.lang.Object

org.certificateservices.messages.PKCS11MessageSecurityProvider

All Implemented Interfaces:

ContextMessageSecurityProvider, MessageSecurityProvider

public class PKCS11MessageSecurityProvider
extends java.lang.Object
implements ContextMessageSecurityProvider

Nested Class Summary

Nested classes/interfaces inherited from interface org.certificateservices.messages.ContextMessageSecurityProvider

ContextMessageSecurityProvider.Context

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	SETTING_PREFIX
static java.lang.String	SETTING_TRUSTSTORE_PASSWORD	Setting indicating the password to the trust JKS key store (required)
static java.lang.String	SETTING_TRUSTSTORE_PATH	Setting indicating the path to the trust JKS key store (required)
protected TruststoreHelper	truststoreHelper

Fields inherited from interface org.certificateservices.messages.ContextMessageSecurityProvider

DEFAULT_CONTEXT

Fields inherited from interface org.certificateservices.messages.MessageSecurityProvider

DEFAULT_DECRYPTIONKEY

Constructor Summary

Constructors

Constructor	Description
PKCS11MessageSecurityProvider(java.util.Properties config)
PKCS11MessageSecurityProvider(java.util.Properties config, PKCS11ProviderManager providerManager)

Method Summary

Modifier and Type	Method	Description
java.security.cert.X509Certificate	getDecryptionCertificate(java.lang.String keyId)	Fetches the decryption certificate of related key id.
java.security.cert.X509Certificate	getDecryptionCertificate(ContextMessageSecurityProvider.Context context, java.lang.String keyId)	Fetches the decryption certificate of related key id.
java.security.cert.X509Certificate[]	getDecryptionCertificateChain(java.lang.String keyId)	Fetches the decryption certificate chain of related key id can be one or more in size..
java.security.cert.X509Certificate[]	getDecryptionCertificateChain(ContextMessageSecurityProvider.Context context, java.lang.String keyId)	Fetches the decryption certificate chain of related key id can be one or more in size.
java.security.PrivateKey	getDecryptionKey(java.lang.String keyId)	Fetches a private key given it's unique identifier.
java.security.PrivateKey	getDecryptionKey(ContextMessageSecurityProvider.Context context, java.lang.String keyId)	Fetches a private key given it's unique identifier.
java.util.Set<java.lang.String>	getDecryptionKeyIds()	Returns key identifiers of all available decryption keys.
java.util.Set<java.lang.String>	getDecryptionKeyIds(ContextMessageSecurityProvider.Context context)	Returns key identifiers of all available decryption keys.
EncryptionAlgorithmScheme	getEncryptionAlgorithmScheme()	Method to fetch the EncryptionAlgorithmScheme to use when encrypting messages.
EncryptionAlgorithmScheme	getEncryptionAlgorithmScheme(ContextMessageSecurityProvider.Context context)	Method to fetch the EncryptionAlgorithmScheme to use when encrypting messages.
protected java.security.KeyStore	getPKCS11Keystore(java.lang.String pkcs11Library, int slot, java.lang.String slotPassword)	Create Sun PKCS#11 keystore with given parameters.
java.lang.String	getPKCS11Provider()	Deprecated.
java.lang.String	getProvider()	Method to retrieve JCE provider that should be used with keys provided by this provider.
java.lang.String	getProvider(ContextMessageSecurityProvider.Context context)	Method to retrieve JCE provider that should be used with keys provided by this provider.
SigningAlgorithmScheme	getSigningAlgorithmScheme()	Method to fetch the SigningAlgorithmScheme to use when signing messages.
SigningAlgorithmScheme	getSigningAlgorithmScheme(ContextMessageSecurityProvider.Context context)	Method to fetch the SigningAlgorithmScheme to use when signing messages.
java.security.cert.X509Certificate	getSigningCertificate()	Fetches the signing certificate used to create the digital signatures of the XML file.
java.security.cert.X509Certificate	getSigningCertificate(ContextMessageSecurityProvider.Context context)	Fetches the signing certificate used to create the digital signatures of the XML file.
java.security.PrivateKey	getSigningKey()	Fetches the signing key used to create the digital signatures of the XML file.
java.security.PrivateKey	getSigningKey(ContextMessageSecurityProvider.Context context)	Fetches the signing key used to create the digital signatures of the XML file.
boolean	isValidAndAuthorized(java.security.cert.X509Certificate signCertificate, java.lang.String organisation)	Method that checks if a sign certificate is in the trust store, the certificate itself have to be imported and not just the CA certificate.
boolean	isValidAndAuthorized(ContextMessageSecurityProvider.Context context, java.security.cert.X509Certificate signCertificate, java.lang.String organisation)	Method in charge of validating a certificate used to sign a PKI message and also check if the certificate is authorized to generate messages.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SETTING_PREFIX

public static final java.lang.String SETTING_PREFIX

See Also:

Constant Field Values

SETTING_TRUSTSTORE_PATH

public static final java.lang.String SETTING_TRUSTSTORE_PATH

Setting indicating the path to the trust JKS key store (required)

See Also:

Constant Field Values

SETTING_TRUSTSTORE_PASSWORD

public static final java.lang.String SETTING_TRUSTSTORE_PASSWORD

Setting indicating the password to the trust JKS key store (required)

See Also:

Constant Field Values

truststoreHelper

protected TruststoreHelper truststoreHelper

Constructor Detail

PKCS11MessageSecurityProvider

public PKCS11MessageSecurityProvider(java.util.Properties config)
                              throws MessageProcessingException

Throws:

MessageProcessingException

PKCS11MessageSecurityProvider

public PKCS11MessageSecurityProvider(java.util.Properties config,
                                     PKCS11ProviderManager providerManager)
                              throws MessageProcessingException

Throws:

MessageProcessingException

Method Detail

getSigningKey

public java.security.PrivateKey getSigningKey()
                                       throws MessageProcessingException

Fetches the signing key used to create the digital signatures of the XML file.

Specified by:

getSigningKey in interface MessageSecurityProvider

Returns:

the signing key used.

Throws:

MessageProcessingException - if key isn't accessible or activated.

getSigningKey

public java.security.PrivateKey getSigningKey(ContextMessageSecurityProvider.Context context)
                                       throws MessageProcessingException

Fetches the signing key used to create the digital signatures of the XML file.

Specified by:

getSigningKey in interface ContextMessageSecurityProvider

Parameters:

context - the related context, null for default context. (Parameter is currently ignored)

Returns:

the signing key used.

Throws:

MessageProcessingException - if key isn't accessible or activated.

getSigningCertificate

public java.security.cert.X509Certificate getSigningCertificate()
                                                         throws MessageProcessingException

Fetches the signing certificate used to create the digital signatures of the XML file.

Specified by:

getSigningCertificate in interface MessageSecurityProvider

Returns:

the signing certificate used.

Throws:

MessageProcessingException - if certificate isn't accessible.

getSigningCertificate

public java.security.cert.X509Certificate getSigningCertificate(ContextMessageSecurityProvider.Context context)
                                                         throws MessageProcessingException

Fetches the signing certificate used to create the digital signatures of the XML file.

Specified by:

getSigningCertificate in interface ContextMessageSecurityProvider

Parameters:

context - the related context, null for default context. (Parameter is currently ignored)

Returns:

the signing certificate used.

Throws:

MessageProcessingException - if certificate isn't accessible.

getDecryptionKey

public java.security.PrivateKey getDecryptionKey(java.lang.String keyId)
                                          throws MessageProcessingException

Fetches a private key given it's unique identifier.

Specified by:

getDecryptionKey in interface MessageSecurityProvider

Parameters:

keyId - unique identifier of the key, if null should a default key be retrieved

Returns:

the related decryption key.

Throws:

MessageProcessingException

getDecryptionKey

public java.security.PrivateKey getDecryptionKey(ContextMessageSecurityProvider.Context context,
                                                 java.lang.String keyId)
                                          throws MessageProcessingException

Fetches a private key given it's unique identifier.

Specified by:

getDecryptionKey in interface ContextMessageSecurityProvider

Parameters:

context - the related context, null for default context. (Parameter is currently ignored)

keyId - unique identifier of the key, if null should a default key be retrieved

Returns:

the related decryption key.

Throws:

MessageProcessingException

getDecryptionCertificate

public java.security.cert.X509Certificate getDecryptionCertificate(java.lang.String keyId)
                                                            throws MessageProcessingException

Fetches the decryption certificate of related key id.

Specified by:

getDecryptionCertificate in interface MessageSecurityProvider

Parameters:

keyId - unique identifier of the key, if null should a default key certificate be retrieved

Returns:

the related decryption certificate.

Throws:

MessageProcessingException - if certificate isn't accessible.

getDecryptionCertificate

public java.security.cert.X509Certificate getDecryptionCertificate(ContextMessageSecurityProvider.Context context,
                                                                   java.lang.String keyId)
                                                            throws MessageProcessingException

Fetches the decryption certificate of related key id.

Specified by:

getDecryptionCertificate in interface ContextMessageSecurityProvider

Parameters:

context - the related context, null for default context. (Parameter is currently ignored)

keyId - unique identifier of the key, if null should a default key certificate be retrieved

Returns:

the related decryption certificate.

Throws:

MessageProcessingException - if certificate isn't accessible.

getDecryptionCertificateChain

public java.security.cert.X509Certificate[] getDecryptionCertificateChain(java.lang.String keyId)
                                                                   throws MessageProcessingException

Fetches the decryption certificate chain of related key id can be one or more in size..

Specified by:

getDecryptionCertificateChain in interface MessageSecurityProvider

Parameters:

keyId - unique identifier of the key, if null should a default key certificate be retrieved

Returns:

the related decryption certificate chain

Throws:

MessageProcessingException - if certificate isn't accessible.

getDecryptionCertificateChain

public java.security.cert.X509Certificate[] getDecryptionCertificateChain(ContextMessageSecurityProvider.Context context,
                                                                          java.lang.String keyId)
                                                                   throws MessageProcessingException

Fetches the decryption certificate chain of related key id can be one or more in size.

Specified by:

getDecryptionCertificateChain in interface ContextMessageSecurityProvider

Parameters:

context - the related context, null for default context. (Parameter is currently ignored)

keyId - unique identifier of the key, if null should a default key certificate be retrieved

Returns:

the related decryption certificate chain

Throws:

MessageProcessingException - if certificate isn't accessible.

getDecryptionKeyIds

public java.util.Set<java.lang.String> getDecryptionKeyIds()
                                                    throws MessageProcessingException

Returns key identifiers of all available decryption keys.

Specified by:

getDecryptionKeyIds in interface MessageSecurityProvider

Returns:

key identifiers of all available decryption keys.

Throws:

MessageProcessingException

getDecryptionKeyIds

public java.util.Set<java.lang.String> getDecryptionKeyIds(ContextMessageSecurityProvider.Context context)
                                                    throws MessageProcessingException

Returns key identifiers of all available decryption keys.

Specified by:

getDecryptionKeyIds in interface ContextMessageSecurityProvider

Parameters:

context - the related context, null for default context. (Parameter is currently ignored)

Returns:

key identifiers of all available decryption keys.

Throws:

MessageProcessingException

isValidAndAuthorized

public boolean isValidAndAuthorized(java.security.cert.X509Certificate signCertificate,
                                    java.lang.String organisation)
                             throws java.lang.IllegalArgumentException,
                                    MessageProcessingException

Method that checks if a sign certificate is in the trust store, the certificate itself have to be imported and not just the CA certificate.

The certificate also have to have key usage digital signature

Organisation name is ignored

Specified by:

isValidAndAuthorized in interface MessageSecurityProvider

Parameters:

signCertificate - the certificate used to sign the message.

organisation - the related organisation to the message, null if no organisation lookup should be done.

Returns:

true if the sign certificate is valid and authorized to sign messages.

Throws:

java.lang.IllegalArgumentException - if arguments were invalid.

MessageProcessingException - if internal error occurred validating the certificate.

See Also:

MessageSecurityProvider.isValidAndAuthorized(java.security.cert.X509Certificate, java.lang.String)

isValidAndAuthorized

public boolean isValidAndAuthorized(ContextMessageSecurityProvider.Context context,
                                    java.security.cert.X509Certificate signCertificate,
                                    java.lang.String organisation)
                             throws java.lang.IllegalArgumentException,
                                    MessageProcessingException

Method in charge of validating a certificate used to sign a PKI message and also check if the certificate is authorized to generate messages.

Specified by:

isValidAndAuthorized in interface ContextMessageSecurityProvider

Parameters:

context - the related context, null for default context. (Parameter is currently ignored)

signCertificate - the certificate used to sign the message.

organisation - the related organisation to the message, null if no organisation lookup should be done.

Returns:

true if the sign certificate is valid and authorized to sign messages.

Throws:

java.lang.IllegalArgumentException - if arguments were invalid.

MessageProcessingException - if internal error occurred validating the certificate.

getEncryptionAlgorithmScheme

public EncryptionAlgorithmScheme getEncryptionAlgorithmScheme()
                                                       throws MessageProcessingException

Method to fetch the EncryptionAlgorithmScheme to use when encrypting messages.

Specified by:

getEncryptionAlgorithmScheme in interface MessageSecurityProvider

Returns:

Configured EncryptionAlgorithmScheme to use.

Throws:

MessageProcessingException - if internal error determining algorithm scheme to use

getEncryptionAlgorithmScheme

public EncryptionAlgorithmScheme getEncryptionAlgorithmScheme(ContextMessageSecurityProvider.Context context)
                                                       throws MessageProcessingException

Method to fetch the EncryptionAlgorithmScheme to use when encrypting messages.

Specified by:

getEncryptionAlgorithmScheme in interface ContextMessageSecurityProvider

Parameters:

context - (Parameter is currently ignored)

Returns:

Configured EncryptionAlgorithmScheme to use.

Throws:

MessageProcessingException - if internal error determining algorithm scheme to use

getSigningAlgorithmScheme

public SigningAlgorithmScheme getSigningAlgorithmScheme()
                                                 throws MessageProcessingException

Method to fetch the SigningAlgorithmScheme to use when signing messages.

Specified by:

getSigningAlgorithmScheme in interface MessageSecurityProvider

Returns:

Configured SigningAlgorithmScheme to use.

Throws:

MessageProcessingException - if internal error determining algorithm scheme to use

getProvider

public java.lang.String getProvider()

Method to retrieve JCE provider that should be used with keys provided by this provider.

Specified by:

getProvider in interface MessageSecurityProvider

Returns:

name of an JCE Provider that should be installed prior to usage of this MessageSecurityProvider if null should the JRE configured list of security providers be used.

getSigningAlgorithmScheme

public SigningAlgorithmScheme getSigningAlgorithmScheme(ContextMessageSecurityProvider.Context context)
                                                 throws MessageProcessingException

Method to fetch the SigningAlgorithmScheme to use when signing messages.

Specified by:

getSigningAlgorithmScheme in interface ContextMessageSecurityProvider

Parameters:

context - the related context, null for default context. (Parameter is currently ignored)

Returns:

Configured SigningAlgorithmScheme to use.

Throws:

MessageProcessingException - if internal error determining algorithm scheme to use

getProvider

public java.lang.String getProvider(ContextMessageSecurityProvider.Context context)

Method to retrieve JCE provider that should be used with keys provided by this provider.

Specified by:

getProvider in interface ContextMessageSecurityProvider

Returns:

name of an JCE Provider that should be installed prior to usage of this MessageSecurityProvider if null should the JRE configured list of security providers be used.

getPKCS11Keystore

protected java.security.KeyStore getPKCS11Keystore(java.lang.String pkcs11Library,
                                                   int slot,
                                                   java.lang.String slotPassword)
                                            throws java.io.IOException,
                                                   java.security.KeyStoreException,
                                                   java.security.NoSuchAlgorithmException,
                                                   java.security.cert.CertificateException

Create Sun PKCS#11 keystore with given parameters.

Parameters:

pkcs11Library - PKCS#11 library to use when accessing the token

slot - PKCS#11 Slot to use when accessing the token

slotPassword - Password that protects the slot

Returns:

PKCS#11 keystore instance.

Throws:

java.io.IOException - If library could not be found or could not be accessible due to invalid password

java.security.KeyStoreException - If there were problems creating the keystore

java.security.NoSuchAlgorithmException - If the algorithm used to check the integrity of the keystore cannot be found

java.security.cert.CertificateException - If any of the certificates in the keystore could not be loaded

getPKCS11Provider

@Deprecated
public java.lang.String getPKCS11Provider()

Deprecated.