Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/java/security/KeyStore.java
38829 views
/*1* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package java.security;2627import java.io.*;28import java.net.URI;29import java.security.cert.Certificate;30import java.security.cert.X509Certificate;31import java.security.cert.CertificateException;32import java.security.spec.AlgorithmParameterSpec;33import java.util.*;34import javax.crypto.SecretKey;3536import javax.security.auth.DestroyFailedException;37import javax.security.auth.callback.*;3839import sun.security.util.Debug;4041/**42* This class represents a storage facility for cryptographic43* keys and certificates.44*45* <p> A {@code KeyStore} manages different types of entries.46* Each type of entry implements the {@code KeyStore.Entry} interface.47* Three basic {@code KeyStore.Entry} implementations are provided:48*49* <ul>50* <li><b>KeyStore.PrivateKeyEntry</b>51* <p> This type of entry holds a cryptographic {@code PrivateKey},52* which is optionally stored in a protected format to prevent53* unauthorized access. It is also accompanied by a certificate chain54* for the corresponding public key.55*56* <p> Private keys and certificate chains are used by a given entity for57* self-authentication. Applications for this authentication include software58* distribution organizations which sign JAR files as part of releasing59* and/or licensing software.60*61* <li><b>KeyStore.SecretKeyEntry</b>62* <p> This type of entry holds a cryptographic {@code SecretKey},63* which is optionally stored in a protected format to prevent64* unauthorized access.65*66* <li><b>KeyStore.TrustedCertificateEntry</b>67* <p> This type of entry contains a single public key {@code Certificate}68* belonging to another party. It is called a <i>trusted certificate</i>69* because the keystore owner trusts that the public key in the certificate70* indeed belongs to the identity identified by the <i>subject</i> (owner)71* of the certificate.72*73* <p>This type of entry can be used to authenticate other parties.74* </ul>75*76* <p> Each entry in a keystore is identified by an "alias" string. In the77* case of private keys and their associated certificate chains, these strings78* distinguish among the different ways in which the entity may authenticate79* itself. For example, the entity may authenticate itself using different80* certificate authorities, or using different public key algorithms.81*82* <p> Whether aliases are case sensitive is implementation dependent. In order83* to avoid problems, it is recommended not to use aliases in a KeyStore that84* only differ in case.85*86* <p> Whether keystores are persistent, and the mechanisms used by the87* keystore if it is persistent, are not specified here. This allows88* use of a variety of techniques for protecting sensitive (e.g., private or89* secret) keys. Smart cards or other integrated cryptographic engines90* (SafeKeyper) are one option, and simpler mechanisms such as files may also91* be used (in a variety of formats).92*93* <p> Typical ways to request a KeyStore object include94* relying on the default type and providing a specific keystore type.95*96* <ul>97* <li>To rely on the default type:98* <pre>99* KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());100* </pre>101* The system will return a keystore implementation for the default type.102*103* <li>To provide a specific keystore type:104* <pre>105* KeyStore ks = KeyStore.getInstance("JKS");106* </pre>107* The system will return the most preferred implementation of the108* specified keystore type available in the environment. <p>109* </ul>110*111* <p> Before a keystore can be accessed, it must be112* {@link #load(java.io.InputStream, char[]) loaded}.113* <pre>114* KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());115*116* // get user password and file input stream117* char[] password = getPassword();118*119* try (FileInputStream fis = new FileInputStream("keyStoreName")) {120* ks.load(fis, password);121* }122* </pre>123*124* To create an empty keystore using the above {@code load} method,125* pass {@code null} as the {@code InputStream} argument.126*127* <p> Once the keystore has been loaded, it is possible128* to read existing entries from the keystore, or to write new entries129* into the keystore:130* <pre>131* KeyStore.ProtectionParameter protParam =132* new KeyStore.PasswordProtection(password);133*134* // get my private key135* KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)136* ks.getEntry("privateKeyAlias", protParam);137* PrivateKey myPrivateKey = pkEntry.getPrivateKey();138*139* // save my secret key140* javax.crypto.SecretKey mySecretKey;141* KeyStore.SecretKeyEntry skEntry =142* new KeyStore.SecretKeyEntry(mySecretKey);143* ks.setEntry("secretKeyAlias", skEntry, protParam);144*145* // store away the keystore146* try (FileOutputStream fos = new FileOutputStream("newKeyStoreName")) {147* ks.store(fos, password);148* }149* </pre>150*151* Note that although the same password may be used to152* load the keystore, to protect the private key entry,153* to protect the secret key entry, and to store the keystore154* (as is shown in the sample code above),155* different passwords or other protection parameters156* may also be used.157*158* <p> Every implementation of the Java platform is required to support159* the following standard {@code KeyStore} type:160* <ul>161* <li>{@code PKCS12}</li>162* </ul>163* This type is described in the <a href=164* "{@docRoot}/../technotes/guides/security/StandardNames.html#KeyStore">165* KeyStore section</a> of the166* Java Cryptography Architecture Standard Algorithm Name Documentation.167* Consult the release documentation for your implementation to see if any168* other types are supported.169*170* @author Jan Luehe171*172* @see java.security.PrivateKey173* @see javax.crypto.SecretKey174* @see java.security.cert.Certificate175*176* @since 1.2177*/178179public class KeyStore {180181private static final Debug pdebug =182Debug.getInstance("provider", "Provider");183private static final boolean skipDebug =184Debug.isOn("engine=") && !Debug.isOn("keystore");185186/*187* Constant to lookup in the Security properties file to determine188* the default keystore type.189* In the Security properties file, the default keystore type is given as:190* <pre>191* keystore.type=jks192* </pre>193*/194private static final String KEYSTORE_TYPE = "keystore.type";195196// The keystore type197private String type;198199// The provider200private Provider provider;201202// The provider implementation203private KeyStoreSpi keyStoreSpi;204205// Has this keystore been initialized (loaded)?206private boolean initialized = false;207208/**209* A marker interface for {@code KeyStore}210* {@link #load(KeyStore.LoadStoreParameter) load}211* and212* {@link #store(KeyStore.LoadStoreParameter) store}213* parameters.214*215* @since 1.5216*/217public static interface LoadStoreParameter {218/**219* Gets the parameter used to protect keystore data.220*221* @return the parameter used to protect keystore data, or null222*/223public ProtectionParameter getProtectionParameter();224}225226/**227* A marker interface for keystore protection parameters.228*229* <p> The information stored in a {@code ProtectionParameter}230* object protects the contents of a keystore.231* For example, protection parameters may be used to check232* the integrity of keystore data, or to protect the233* confidentiality of sensitive keystore data234* (such as a {@code PrivateKey}).235*236* @since 1.5237*/238public static interface ProtectionParameter { }239240/**241* A password-based implementation of {@code ProtectionParameter}.242*243* @since 1.5244*/245public static class PasswordProtection implements246ProtectionParameter, javax.security.auth.Destroyable {247248private final char[] password;249private final String protectionAlgorithm;250private final AlgorithmParameterSpec protectionParameters;251private volatile boolean destroyed = false;252253/**254* Creates a password parameter.255*256* <p> The specified {@code password} is cloned before it is stored257* in the new {@code PasswordProtection} object.258*259* @param password the password, which may be {@code null}260*/261public PasswordProtection(char[] password) {262this.password = (password == null) ? null : password.clone();263this.protectionAlgorithm = null;264this.protectionParameters = null;265}266267/**268* Creates a password parameter and specifies the protection algorithm269* and associated parameters to use when encrypting a keystore entry.270* <p>271* The specified {@code password} is cloned before it is stored in the272* new {@code PasswordProtection} object.273*274* @param password the password, which may be {@code null}275* @param protectionAlgorithm the encryption algorithm name, for276* example, {@code PBEWithHmacSHA256AndAES_256}.277* See the Cipher section in the <a href=278* "{@docRoot}/../technotes/guides/security/StandardNames.html#Cipher">279* Java Cryptography Architecture Standard Algorithm Name280* Documentation</a>281* for information about standard encryption algorithm names.282* @param protectionParameters the encryption algorithm parameter283* specification, which may be {@code null}284* @exception NullPointerException if {@code protectionAlgorithm} is285* {@code null}286*287* @since 1.8288*/289public PasswordProtection(char[] password, String protectionAlgorithm,290AlgorithmParameterSpec protectionParameters) {291if (protectionAlgorithm == null) {292throw new NullPointerException("invalid null input");293}294this.password = (password == null) ? null : password.clone();295this.protectionAlgorithm = protectionAlgorithm;296this.protectionParameters = protectionParameters;297}298299/**300* Gets the name of the protection algorithm.301* If none was set then the keystore provider will use its default302* protection algorithm. The name of the default protection algorithm303* for a given keystore type is set using the304* {@code 'keystore.<type>.keyProtectionAlgorithm'} security property.305* For example, the306* {@code keystore.PKCS12.keyProtectionAlgorithm} property stores the307* name of the default key protection algorithm used for PKCS12308* keystores. If the security property is not set, an309* implementation-specific algorithm will be used.310*311* @return the algorithm name, or {@code null} if none was set312*313* @since 1.8314*/315public String getProtectionAlgorithm() {316return protectionAlgorithm;317}318319/**320* Gets the parameters supplied for the protection algorithm.321*322* @return the algorithm parameter specification, or {@code null},323* if none was set324*325* @since 1.8326*/327public AlgorithmParameterSpec getProtectionParameters() {328return protectionParameters;329}330331/**332* Gets the password.333*334* <p>Note that this method returns a reference to the password.335* If a clone of the array is created it is the caller's336* responsibility to zero out the password information337* after it is no longer needed.338*339* @see #destroy()340* @return the password, which may be {@code null}341* @exception IllegalStateException if the password has342* been cleared (destroyed)343*/344public synchronized char[] getPassword() {345if (destroyed) {346throw new IllegalStateException("password has been cleared");347}348return password;349}350351/**352* Clears the password.353*354* @exception DestroyFailedException if this method was unable355* to clear the password356*/357public synchronized void destroy() throws DestroyFailedException {358destroyed = true;359if (password != null) {360Arrays.fill(password, ' ');361}362}363364/**365* Determines if password has been cleared.366*367* @return true if the password has been cleared, false otherwise368*/369public synchronized boolean isDestroyed() {370return destroyed;371}372}373374/**375* A ProtectionParameter encapsulating a CallbackHandler.376*377* @since 1.5378*/379public static class CallbackHandlerProtection380implements ProtectionParameter {381382private final CallbackHandler handler;383384/**385* Constructs a new CallbackHandlerProtection from a386* CallbackHandler.387*388* @param handler the CallbackHandler389* @exception NullPointerException if handler is null390*/391public CallbackHandlerProtection(CallbackHandler handler) {392if (handler == null) {393throw new NullPointerException("handler must not be null");394}395this.handler = handler;396}397398/**399* Returns the CallbackHandler.400*401* @return the CallbackHandler.402*/403public CallbackHandler getCallbackHandler() {404return handler;405}406407}408409/**410* A marker interface for {@code KeyStore} entry types.411*412* @since 1.5413*/414public static interface Entry {415416/**417* Retrieves the attributes associated with an entry.418* <p>419* The default implementation returns an empty {@code Set}.420*421* @return an unmodifiable {@code Set} of attributes, possibly empty422*423* @since 1.8424*/425public default Set<Attribute> getAttributes() {426return Collections.<Attribute>emptySet();427}428429/**430* An attribute associated with a keystore entry.431* It comprises a name and one or more values.432*433* @since 1.8434*/435public interface Attribute {436/**437* Returns the attribute's name.438*439* @return the attribute name440*/441public String getName();442443/**444* Returns the attribute's value.445* Multi-valued attributes encode their values as a single string.446*447* @return the attribute value448*/449public String getValue();450}451}452453/**454* A {@code KeyStore} entry that holds a {@code PrivateKey}455* and corresponding certificate chain.456*457* @since 1.5458*/459public static final class PrivateKeyEntry implements Entry {460461private final PrivateKey privKey;462private final Certificate[] chain;463private final Set<Attribute> attributes;464465/**466* Constructs a {@code PrivateKeyEntry} with a467* {@code PrivateKey} and corresponding certificate chain.468*469* <p> The specified {@code chain} is cloned before it is stored470* in the new {@code PrivateKeyEntry} object.471*472* @param privateKey the {@code PrivateKey}473* @param chain an array of {@code Certificate}s474* representing the certificate chain.475* The chain must be ordered and contain a476* {@code Certificate} at index 0477* corresponding to the private key.478*479* @exception NullPointerException if480* {@code privateKey} or {@code chain}481* is {@code null}482* @exception IllegalArgumentException if the specified chain has a483* length of 0, if the specified chain does not contain484* {@code Certificate}s of the same type,485* or if the {@code PrivateKey} algorithm486* does not match the algorithm of the {@code PublicKey}487* in the end entity {@code Certificate} (at index 0)488*/489public PrivateKeyEntry(PrivateKey privateKey, Certificate[] chain) {490this(privateKey, chain, Collections.<Attribute>emptySet());491}492493/**494* Constructs a {@code PrivateKeyEntry} with a {@code PrivateKey} and495* corresponding certificate chain and associated entry attributes.496*497* <p> The specified {@code chain} and {@code attributes} are cloned498* before they are stored in the new {@code PrivateKeyEntry} object.499*500* @param privateKey the {@code PrivateKey}501* @param chain an array of {@code Certificate}s502* representing the certificate chain.503* The chain must be ordered and contain a504* {@code Certificate} at index 0505* corresponding to the private key.506* @param attributes the attributes507*508* @exception NullPointerException if {@code privateKey}, {@code chain}509* or {@code attributes} is {@code null}510* @exception IllegalArgumentException if the specified chain has a511* length of 0, if the specified chain does not contain512* {@code Certificate}s of the same type,513* or if the {@code PrivateKey} algorithm514* does not match the algorithm of the {@code PublicKey}515* in the end entity {@code Certificate} (at index 0)516*517* @since 1.8518*/519public PrivateKeyEntry(PrivateKey privateKey, Certificate[] chain,520Set<Attribute> attributes) {521522if (privateKey == null || chain == null || attributes == null) {523throw new NullPointerException("invalid null input");524}525if (chain.length == 0) {526throw new IllegalArgumentException527("invalid zero-length input chain");528}529530Certificate[] clonedChain = chain.clone();531String certType = clonedChain[0].getType();532for (int i = 1; i < clonedChain.length; i++) {533if (!certType.equals(clonedChain[i].getType())) {534throw new IllegalArgumentException535("chain does not contain certificates " +536"of the same type");537}538}539if (!privateKey.getAlgorithm().equals540(clonedChain[0].getPublicKey().getAlgorithm())) {541throw new IllegalArgumentException542("private key algorithm does not match " +543"algorithm of public key in end entity " +544"certificate (at index 0)");545}546this.privKey = privateKey;547548if (clonedChain[0] instanceof X509Certificate &&549!(clonedChain instanceof X509Certificate[])) {550551this.chain = new X509Certificate[clonedChain.length];552System.arraycopy(clonedChain, 0,553this.chain, 0, clonedChain.length);554} else {555this.chain = clonedChain;556}557558this.attributes =559Collections.unmodifiableSet(new HashSet<>(attributes));560}561562/**563* Gets the {@code PrivateKey} from this entry.564*565* @return the {@code PrivateKey} from this entry566*/567public PrivateKey getPrivateKey() {568return privKey;569}570571/**572* Gets the {@code Certificate} chain from this entry.573*574* <p> The stored chain is cloned before being returned.575*576* @return an array of {@code Certificate}s corresponding577* to the certificate chain for the public key.578* If the certificates are of type X.509,579* the runtime type of the returned array is580* {@code X509Certificate[]}.581*/582public Certificate[] getCertificateChain() {583return chain.clone();584}585586/**587* Gets the end entity {@code Certificate}588* from the certificate chain in this entry.589*590* @return the end entity {@code Certificate} (at index 0)591* from the certificate chain in this entry.592* If the certificate is of type X.509,593* the runtime type of the returned certificate is594* {@code X509Certificate}.595*/596public Certificate getCertificate() {597return chain[0];598}599600/**601* Retrieves the attributes associated with an entry.602* <p>603*604* @return an unmodifiable {@code Set} of attributes, possibly empty605*606* @since 1.8607*/608@Override609public Set<Attribute> getAttributes() {610return attributes;611}612613/**614* Returns a string representation of this PrivateKeyEntry.615* @return a string representation of this PrivateKeyEntry.616*/617public String toString() {618StringBuilder sb = new StringBuilder();619sb.append("Private key entry and certificate chain with "620+ chain.length + " elements:\r\n");621for (Certificate cert : chain) {622sb.append(cert);623sb.append("\r\n");624}625return sb.toString();626}627628}629630/**631* A {@code KeyStore} entry that holds a {@code SecretKey}.632*633* @since 1.5634*/635public static final class SecretKeyEntry implements Entry {636637private final SecretKey sKey;638private final Set<Attribute> attributes;639640/**641* Constructs a {@code SecretKeyEntry} with a642* {@code SecretKey}.643*644* @param secretKey the {@code SecretKey}645*646* @exception NullPointerException if {@code secretKey}647* is {@code null}648*/649public SecretKeyEntry(SecretKey secretKey) {650if (secretKey == null) {651throw new NullPointerException("invalid null input");652}653this.sKey = secretKey;654this.attributes = Collections.<Attribute>emptySet();655}656657/**658* Constructs a {@code SecretKeyEntry} with a {@code SecretKey} and659* associated entry attributes.660*661* <p> The specified {@code attributes} is cloned before it is stored662* in the new {@code SecretKeyEntry} object.663*664* @param secretKey the {@code SecretKey}665* @param attributes the attributes666*667* @exception NullPointerException if {@code secretKey} or668* {@code attributes} is {@code null}669*670* @since 1.8671*/672public SecretKeyEntry(SecretKey secretKey, Set<Attribute> attributes) {673674if (secretKey == null || attributes == null) {675throw new NullPointerException("invalid null input");676}677this.sKey = secretKey;678this.attributes =679Collections.unmodifiableSet(new HashSet<>(attributes));680}681682/**683* Gets the {@code SecretKey} from this entry.684*685* @return the {@code SecretKey} from this entry686*/687public SecretKey getSecretKey() {688return sKey;689}690691/**692* Retrieves the attributes associated with an entry.693* <p>694*695* @return an unmodifiable {@code Set} of attributes, possibly empty696*697* @since 1.8698*/699@Override700public Set<Attribute> getAttributes() {701return attributes;702}703704/**705* Returns a string representation of this SecretKeyEntry.706* @return a string representation of this SecretKeyEntry.707*/708public String toString() {709return "Secret key entry with algorithm " + sKey.getAlgorithm();710}711}712713/**714* A {@code KeyStore} entry that holds a trusted715* {@code Certificate}.716*717* @since 1.5718*/719public static final class TrustedCertificateEntry implements Entry {720721private final Certificate cert;722private final Set<Attribute> attributes;723724/**725* Constructs a {@code TrustedCertificateEntry} with a726* trusted {@code Certificate}.727*728* @param trustedCert the trusted {@code Certificate}729*730* @exception NullPointerException if731* {@code trustedCert} is {@code null}732*/733public TrustedCertificateEntry(Certificate trustedCert) {734if (trustedCert == null) {735throw new NullPointerException("invalid null input");736}737this.cert = trustedCert;738this.attributes = Collections.<Attribute>emptySet();739}740741/**742* Constructs a {@code TrustedCertificateEntry} with a743* trusted {@code Certificate} and associated entry attributes.744*745* <p> The specified {@code attributes} is cloned before it is stored746* in the new {@code TrustedCertificateEntry} object.747*748* @param trustedCert the trusted {@code Certificate}749* @param attributes the attributes750*751* @exception NullPointerException if {@code trustedCert} or752* {@code attributes} is {@code null}753*754* @since 1.8755*/756public TrustedCertificateEntry(Certificate trustedCert,757Set<Attribute> attributes) {758if (trustedCert == null || attributes == null) {759throw new NullPointerException("invalid null input");760}761this.cert = trustedCert;762this.attributes =763Collections.unmodifiableSet(new HashSet<>(attributes));764}765766/**767* Gets the trusted {@code Certficate} from this entry.768*769* @return the trusted {@code Certificate} from this entry770*/771public Certificate getTrustedCertificate() {772return cert;773}774775/**776* Retrieves the attributes associated with an entry.777* <p>778*779* @return an unmodifiable {@code Set} of attributes, possibly empty780*781* @since 1.8782*/783@Override784public Set<Attribute> getAttributes() {785return attributes;786}787788/**789* Returns a string representation of this TrustedCertificateEntry.790* @return a string representation of this TrustedCertificateEntry.791*/792public String toString() {793return "Trusted certificate entry:\r\n" + cert.toString();794}795}796797/**798* Creates a KeyStore object of the given type, and encapsulates the given799* provider implementation (SPI object) in it.800*801* @param keyStoreSpi the provider implementation.802* @param provider the provider.803* @param type the keystore type.804*/805protected KeyStore(KeyStoreSpi keyStoreSpi, Provider provider, String type)806{807this.keyStoreSpi = keyStoreSpi;808this.provider = provider;809this.type = type;810811if (!skipDebug && pdebug != null) {812pdebug.println("KeyStore." + type.toUpperCase() + " type from: " +813this.provider.getName());814}815}816817/**818* Returns a keystore object of the specified type.819*820* <p> This method traverses the list of registered security Providers,821* starting with the most preferred Provider.822* A new KeyStore object encapsulating the823* KeyStoreSpi implementation from the first824* Provider that supports the specified type is returned.825*826* <p> Note that the list of registered providers may be retrieved via827* the {@link Security#getProviders() Security.getProviders()} method.828*829* @param type the type of keystore.830* See the KeyStore section in the <a href=831* "{@docRoot}/../technotes/guides/security/StandardNames.html#KeyStore">832* Java Cryptography Architecture Standard Algorithm Name Documentation</a>833* for information about standard keystore types.834*835* @return a keystore object of the specified type.836*837* @exception KeyStoreException if no Provider supports a838* KeyStoreSpi implementation for the839* specified type.840*841* @see Provider842*/843public static KeyStore getInstance(String type)844throws KeyStoreException845{846try {847Object[] objs = Security.getImpl(type, "KeyStore", (String)null);848return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);849} catch (NoSuchAlgorithmException nsae) {850throw new KeyStoreException(type + " not found", nsae);851} catch (NoSuchProviderException nspe) {852throw new KeyStoreException(type + " not found", nspe);853}854}855856/**857* Returns a keystore object of the specified type.858*859* <p> A new KeyStore object encapsulating the860* KeyStoreSpi implementation from the specified provider861* is returned. The specified provider must be registered862* in the security provider list.863*864* <p> Note that the list of registered providers may be retrieved via865* the {@link Security#getProviders() Security.getProviders()} method.866*867* @param type the type of keystore.868* See the KeyStore section in the <a href=869* "{@docRoot}/../technotes/guides/security/StandardNames.html#KeyStore">870* Java Cryptography Architecture Standard Algorithm Name Documentation</a>871* for information about standard keystore types.872*873* @param provider the name of the provider.874*875* @return a keystore object of the specified type.876*877* @exception KeyStoreException if a KeyStoreSpi878* implementation for the specified type is not879* available from the specified provider.880*881* @exception NoSuchProviderException if the specified provider is not882* registered in the security provider list.883*884* @exception IllegalArgumentException if the provider name is null885* or empty.886*887* @see Provider888*/889public static KeyStore getInstance(String type, String provider)890throws KeyStoreException, NoSuchProviderException891{892if (provider == null || provider.length() == 0)893throw new IllegalArgumentException("missing provider");894try {895Object[] objs = Security.getImpl(type, "KeyStore", provider);896return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);897} catch (NoSuchAlgorithmException nsae) {898throw new KeyStoreException(type + " not found", nsae);899}900}901902/**903* Returns a keystore object of the specified type.904*905* <p> A new KeyStore object encapsulating the906* KeyStoreSpi implementation from the specified Provider907* object is returned. Note that the specified Provider object908* does not have to be registered in the provider list.909*910* @param type the type of keystore.911* See the KeyStore section in the <a href=912* "{@docRoot}/../technotes/guides/security/StandardNames.html#KeyStore">913* Java Cryptography Architecture Standard Algorithm Name Documentation</a>914* for information about standard keystore types.915*916* @param provider the provider.917*918* @return a keystore object of the specified type.919*920* @exception KeyStoreException if KeyStoreSpi921* implementation for the specified type is not available922* from the specified Provider object.923*924* @exception IllegalArgumentException if the specified provider is null.925*926* @see Provider927*928* @since 1.4929*/930public static KeyStore getInstance(String type, Provider provider)931throws KeyStoreException932{933if (provider == null)934throw new IllegalArgumentException("missing provider");935try {936Object[] objs = Security.getImpl(type, "KeyStore", provider);937return new KeyStore((KeyStoreSpi)objs[0], (Provider)objs[1], type);938} catch (NoSuchAlgorithmException nsae) {939throw new KeyStoreException(type + " not found", nsae);940}941}942943/**944* Returns the default keystore type as specified by the945* {@code keystore.type} security property, or the string946* {@literal "jks"} (acronym for {@literal "Java keystore"})947* if no such property exists.948*949* <p>The default keystore type can be used by applications that do not950* want to use a hard-coded keystore type when calling one of the951* {@code getInstance} methods, and want to provide a default keystore952* type in case a user does not specify its own.953*954* <p>The default keystore type can be changed by setting the value of the955* {@code keystore.type} security property to the desired keystore type.956*957* @return the default keystore type as specified by the958* {@code keystore.type} security property, or the string {@literal "jks"}959* if no such property exists.960* @see java.security.Security security properties961*/962public final static String getDefaultType() {963String kstype;964kstype = AccessController.doPrivileged(new PrivilegedAction<String>() {965public String run() {966return Security.getProperty(KEYSTORE_TYPE);967}968});969if (kstype == null) {970kstype = "jks";971}972return kstype;973}974975/**976* Returns the provider of this keystore.977*978* @return the provider of this keystore.979*/980public final Provider getProvider()981{982return this.provider;983}984985/**986* Returns the type of this keystore.987*988* @return the type of this keystore.989*/990public final String getType()991{992return this.type;993}994995/**996* Returns the key associated with the given alias, using the given997* password to recover it. The key must have been associated with998* the alias by a call to {@code setKeyEntry},999* or by a call to {@code setEntry} with a1000* {@code PrivateKeyEntry} or {@code SecretKeyEntry}.1001*1002* @param alias the alias name1003* @param password the password for recovering the key1004*1005* @return the requested key, or null if the given alias does not exist1006* or does not identify a key-related entry.1007*1008* @exception KeyStoreException if the keystore has not been initialized1009* (loaded).1010* @exception NoSuchAlgorithmException if the algorithm for recovering the1011* key cannot be found1012* @exception UnrecoverableKeyException if the key cannot be recovered1013* (e.g., the given password is wrong).1014*/1015public final Key getKey(String alias, char[] password)1016throws KeyStoreException, NoSuchAlgorithmException,1017UnrecoverableKeyException1018{1019if (!initialized) {1020throw new KeyStoreException("Uninitialized keystore");1021}1022return keyStoreSpi.engineGetKey(alias, password);1023}10241025/**1026* Returns the certificate chain associated with the given alias.1027* The certificate chain must have been associated with the alias1028* by a call to {@code setKeyEntry},1029* or by a call to {@code setEntry} with a1030* {@code PrivateKeyEntry}.1031*1032* @param alias the alias name1033*1034* @return the certificate chain (ordered with the user's certificate first1035* followed by zero or more certificate authorities), or null if the given alias1036* does not exist or does not contain a certificate chain1037*1038* @exception KeyStoreException if the keystore has not been initialized1039* (loaded).1040*/1041public final Certificate[] getCertificateChain(String alias)1042throws KeyStoreException1043{1044if (!initialized) {1045throw new KeyStoreException("Uninitialized keystore");1046}1047return keyStoreSpi.engineGetCertificateChain(alias);1048}10491050/**1051* Returns the certificate associated with the given alias.1052*1053* <p> If the given alias name identifies an entry1054* created by a call to {@code setCertificateEntry},1055* or created by a call to {@code setEntry} with a1056* {@code TrustedCertificateEntry},1057* then the trusted certificate contained in that entry is returned.1058*1059* <p> If the given alias name identifies an entry1060* created by a call to {@code setKeyEntry},1061* or created by a call to {@code setEntry} with a1062* {@code PrivateKeyEntry},1063* then the first element of the certificate chain in that entry1064* is returned.1065*1066* @param alias the alias name1067*1068* @return the certificate, or null if the given alias does not exist or1069* does not contain a certificate.1070*1071* @exception KeyStoreException if the keystore has not been initialized1072* (loaded).1073*/1074public final Certificate getCertificate(String alias)1075throws KeyStoreException1076{1077if (!initialized) {1078throw new KeyStoreException("Uninitialized keystore");1079}1080return keyStoreSpi.engineGetCertificate(alias);1081}10821083/**1084* Returns the creation date of the entry identified by the given alias.1085*1086* @param alias the alias name1087*1088* @return the creation date of this entry, or null if the given alias does1089* not exist1090*1091* @exception KeyStoreException if the keystore has not been initialized1092* (loaded).1093*/1094public final Date getCreationDate(String alias)1095throws KeyStoreException1096{1097if (!initialized) {1098throw new KeyStoreException("Uninitialized keystore");1099}1100return keyStoreSpi.engineGetCreationDate(alias);1101}11021103/**1104* Assigns the given key to the given alias, protecting it with the given1105* password.1106*1107* <p>If the given key is of type {@code java.security.PrivateKey},1108* it must be accompanied by a certificate chain certifying the1109* corresponding public key.1110*1111* <p>If the given alias already exists, the keystore information1112* associated with it is overridden by the given key (and possibly1113* certificate chain).1114*1115* @param alias the alias name1116* @param key the key to be associated with the alias1117* @param password the password to protect the key1118* @param chain the certificate chain for the corresponding public1119* key (only required if the given key is of type1120* {@code java.security.PrivateKey}).1121*1122* @exception KeyStoreException if the keystore has not been initialized1123* (loaded), the given key cannot be protected, or this operation fails1124* for some other reason1125*/1126public final void setKeyEntry(String alias, Key key, char[] password,1127Certificate[] chain)1128throws KeyStoreException1129{1130if (!initialized) {1131throw new KeyStoreException("Uninitialized keystore");1132}1133if ((key instanceof PrivateKey) &&1134(chain == null || chain.length == 0)) {1135throw new IllegalArgumentException("Private key must be "1136+ "accompanied by certificate "1137+ "chain");1138}1139keyStoreSpi.engineSetKeyEntry(alias, key, password, chain);1140}11411142/**1143* Assigns the given key (that has already been protected) to the given1144* alias.1145*1146* <p>If the protected key is of type1147* {@code java.security.PrivateKey}, it must be accompanied by a1148* certificate chain certifying the corresponding public key. If the1149* underlying keystore implementation is of type {@code jks},1150* {@code key} must be encoded as an1151* {@code EncryptedPrivateKeyInfo} as defined in the PKCS #8 standard.1152*1153* <p>If the given alias already exists, the keystore information1154* associated with it is overridden by the given key (and possibly1155* certificate chain).1156*1157* @param alias the alias name1158* @param key the key (in protected format) to be associated with the alias1159* @param chain the certificate chain for the corresponding public1160* key (only useful if the protected key is of type1161* {@code java.security.PrivateKey}).1162*1163* @exception KeyStoreException if the keystore has not been initialized1164* (loaded), or if this operation fails for some other reason.1165*/1166public final void setKeyEntry(String alias, byte[] key,1167Certificate[] chain)1168throws KeyStoreException1169{1170if (!initialized) {1171throw new KeyStoreException("Uninitialized keystore");1172}1173keyStoreSpi.engineSetKeyEntry(alias, key, chain);1174}11751176/**1177* Assigns the given trusted certificate to the given alias.1178*1179* <p> If the given alias identifies an existing entry1180* created by a call to {@code setCertificateEntry},1181* or created by a call to {@code setEntry} with a1182* {@code TrustedCertificateEntry},1183* the trusted certificate in the existing entry1184* is overridden by the given certificate.1185*1186* @param alias the alias name1187* @param cert the certificate1188*1189* @exception KeyStoreException if the keystore has not been initialized,1190* or the given alias already exists and does not identify an1191* entry containing a trusted certificate,1192* or this operation fails for some other reason.1193*/1194public final void setCertificateEntry(String alias, Certificate cert)1195throws KeyStoreException1196{1197if (!initialized) {1198throw new KeyStoreException("Uninitialized keystore");1199}1200keyStoreSpi.engineSetCertificateEntry(alias, cert);1201}12021203/**1204* Deletes the entry identified by the given alias from this keystore.1205*1206* @param alias the alias name1207*1208* @exception KeyStoreException if the keystore has not been initialized,1209* or if the entry cannot be removed.1210*/1211public final void deleteEntry(String alias)1212throws KeyStoreException1213{1214if (!initialized) {1215throw new KeyStoreException("Uninitialized keystore");1216}1217keyStoreSpi.engineDeleteEntry(alias);1218}12191220/**1221* Lists all the alias names of this keystore.1222*1223* @return enumeration of the alias names1224*1225* @exception KeyStoreException if the keystore has not been initialized1226* (loaded).1227*/1228public final Enumeration<String> aliases()1229throws KeyStoreException1230{1231if (!initialized) {1232throw new KeyStoreException("Uninitialized keystore");1233}1234return keyStoreSpi.engineAliases();1235}12361237/**1238* Checks if the given alias exists in this keystore.1239*1240* @param alias the alias name1241*1242* @return true if the alias exists, false otherwise1243*1244* @exception KeyStoreException if the keystore has not been initialized1245* (loaded).1246*/1247public final boolean containsAlias(String alias)1248throws KeyStoreException1249{1250if (!initialized) {1251throw new KeyStoreException("Uninitialized keystore");1252}1253return keyStoreSpi.engineContainsAlias(alias);1254}12551256/**1257* Retrieves the number of entries in this keystore.1258*1259* @return the number of entries in this keystore1260*1261* @exception KeyStoreException if the keystore has not been initialized1262* (loaded).1263*/1264public final int size()1265throws KeyStoreException1266{1267if (!initialized) {1268throw new KeyStoreException("Uninitialized keystore");1269}1270return keyStoreSpi.engineSize();1271}12721273/**1274* Returns true if the entry identified by the given alias1275* was created by a call to {@code setKeyEntry},1276* or created by a call to {@code setEntry} with a1277* {@code PrivateKeyEntry} or a {@code SecretKeyEntry}.1278*1279* @param alias the alias for the keystore entry to be checked1280*1281* @return true if the entry identified by the given alias is a1282* key-related entry, false otherwise.1283*1284* @exception KeyStoreException if the keystore has not been initialized1285* (loaded).1286*/1287public final boolean isKeyEntry(String alias)1288throws KeyStoreException1289{1290if (!initialized) {1291throw new KeyStoreException("Uninitialized keystore");1292}1293return keyStoreSpi.engineIsKeyEntry(alias);1294}12951296/**1297* Returns true if the entry identified by the given alias1298* was created by a call to {@code setCertificateEntry},1299* or created by a call to {@code setEntry} with a1300* {@code TrustedCertificateEntry}.1301*1302* @param alias the alias for the keystore entry to be checked1303*1304* @return true if the entry identified by the given alias contains a1305* trusted certificate, false otherwise.1306*1307* @exception KeyStoreException if the keystore has not been initialized1308* (loaded).1309*/1310public final boolean isCertificateEntry(String alias)1311throws KeyStoreException1312{1313if (!initialized) {1314throw new KeyStoreException("Uninitialized keystore");1315}1316return keyStoreSpi.engineIsCertificateEntry(alias);1317}13181319/**1320* Returns the (alias) name of the first keystore entry whose certificate1321* matches the given certificate.1322*1323* <p> This method attempts to match the given certificate with each1324* keystore entry. If the entry being considered was1325* created by a call to {@code setCertificateEntry},1326* or created by a call to {@code setEntry} with a1327* {@code TrustedCertificateEntry},1328* then the given certificate is compared to that entry's certificate.1329*1330* <p> If the entry being considered was1331* created by a call to {@code setKeyEntry},1332* or created by a call to {@code setEntry} with a1333* {@code PrivateKeyEntry},1334* then the given certificate is compared to the first1335* element of that entry's certificate chain.1336*1337* @param cert the certificate to match with.1338*1339* @return the alias name of the first entry with a matching certificate,1340* or null if no such entry exists in this keystore.1341*1342* @exception KeyStoreException if the keystore has not been initialized1343* (loaded).1344*/1345public final String getCertificateAlias(Certificate cert)1346throws KeyStoreException1347{1348if (!initialized) {1349throw new KeyStoreException("Uninitialized keystore");1350}1351return keyStoreSpi.engineGetCertificateAlias(cert);1352}13531354/**1355* Stores this keystore to the given output stream, and protects its1356* integrity with the given password.1357*1358* @param stream the output stream to which this keystore is written.1359* @param password the password to generate the keystore integrity check1360*1361* @exception KeyStoreException if the keystore has not been initialized1362* (loaded).1363* @exception IOException if there was an I/O problem with data1364* @exception NoSuchAlgorithmException if the appropriate data integrity1365* algorithm could not be found1366* @exception CertificateException if any of the certificates included in1367* the keystore data could not be stored1368*/1369public final void store(OutputStream stream, char[] password)1370throws KeyStoreException, IOException, NoSuchAlgorithmException,1371CertificateException1372{1373if (!initialized) {1374throw new KeyStoreException("Uninitialized keystore");1375}1376keyStoreSpi.engineStore(stream, password);1377}13781379/**1380* Stores this keystore using the given {@code LoadStoreParameter}.1381*1382* @param param the {@code LoadStoreParameter}1383* that specifies how to store the keystore,1384* which may be {@code null}1385*1386* @exception IllegalArgumentException if the given1387* {@code LoadStoreParameter}1388* input is not recognized1389* @exception KeyStoreException if the keystore has not been initialized1390* (loaded)1391* @exception IOException if there was an I/O problem with data1392* @exception NoSuchAlgorithmException if the appropriate data integrity1393* algorithm could not be found1394* @exception CertificateException if any of the certificates included in1395* the keystore data could not be stored1396*1397* @since 1.51398*/1399public final void store(LoadStoreParameter param)1400throws KeyStoreException, IOException,1401NoSuchAlgorithmException, CertificateException {1402if (!initialized) {1403throw new KeyStoreException("Uninitialized keystore");1404}1405keyStoreSpi.engineStore(param);1406}14071408/**1409* Loads this KeyStore from the given input stream.1410*1411* <p>A password may be given to unlock the keystore1412* (e.g. the keystore resides on a hardware token device),1413* or to check the integrity of the keystore data.1414* If a password is not given for integrity checking,1415* then integrity checking is not performed.1416*1417* <p>In order to create an empty keystore, or if the keystore cannot1418* be initialized from a stream, pass {@code null}1419* as the {@code stream} argument.1420*1421* <p> Note that if this keystore has already been loaded, it is1422* reinitialized and loaded again from the given input stream.1423*1424* @param stream the input stream from which the keystore is loaded,1425* or {@code null}1426* @param password the password used to check the integrity of1427* the keystore, the password used to unlock the keystore,1428* or {@code null}1429*1430* @exception IOException if there is an I/O or format problem with the1431* keystore data, if a password is required but not given,1432* or if the given password was incorrect. If the error is due to a1433* wrong password, the {@link Throwable#getCause cause} of the1434* {@code IOException} should be an1435* {@code UnrecoverableKeyException}1436* @exception NoSuchAlgorithmException if the algorithm used to check1437* the integrity of the keystore cannot be found1438* @exception CertificateException if any of the certificates in the1439* keystore could not be loaded1440*/1441public final void load(InputStream stream, char[] password)1442throws IOException, NoSuchAlgorithmException, CertificateException1443{1444keyStoreSpi.engineLoad(stream, password);1445initialized = true;1446}14471448/**1449* Loads this keystore using the given {@code LoadStoreParameter}.1450*1451* <p> Note that if this KeyStore has already been loaded, it is1452* reinitialized and loaded again from the given parameter.1453*1454* @param param the {@code LoadStoreParameter}1455* that specifies how to load the keystore,1456* which may be {@code null}1457*1458* @exception IllegalArgumentException if the given1459* {@code LoadStoreParameter}1460* input is not recognized1461* @exception IOException if there is an I/O or format problem with the1462* keystore data. If the error is due to an incorrect1463* {@code ProtectionParameter} (e.g. wrong password)1464* the {@link Throwable#getCause cause} of the1465* {@code IOException} should be an1466* {@code UnrecoverableKeyException}1467* @exception NoSuchAlgorithmException if the algorithm used to check1468* the integrity of the keystore cannot be found1469* @exception CertificateException if any of the certificates in the1470* keystore could not be loaded1471*1472* @since 1.51473*/1474public final void load(LoadStoreParameter param)1475throws IOException, NoSuchAlgorithmException,1476CertificateException {14771478keyStoreSpi.engineLoad(param);1479initialized = true;1480}14811482/**1483* Gets a keystore {@code Entry} for the specified alias1484* with the specified protection parameter.1485*1486* @param alias get the keystore {@code Entry} for this alias1487* @param protParam the {@code ProtectionParameter}1488* used to protect the {@code Entry},1489* which may be {@code null}1490*1491* @return the keystore {@code Entry} for the specified alias,1492* or {@code null} if there is no such entry1493*1494* @exception NullPointerException if1495* {@code alias} is {@code null}1496* @exception NoSuchAlgorithmException if the algorithm for recovering the1497* entry cannot be found1498* @exception UnrecoverableEntryException if the specified1499* {@code protParam} were insufficient or invalid1500* @exception UnrecoverableKeyException if the entry is a1501* {@code PrivateKeyEntry} or {@code SecretKeyEntry}1502* and the specified {@code protParam} does not contain1503* the information needed to recover the key (e.g. wrong password)1504* @exception KeyStoreException if the keystore has not been initialized1505* (loaded).1506* @see #setEntry(String, KeyStore.Entry, KeyStore.ProtectionParameter)1507*1508* @since 1.51509*/1510public final Entry getEntry(String alias, ProtectionParameter protParam)1511throws NoSuchAlgorithmException, UnrecoverableEntryException,1512KeyStoreException {15131514if (alias == null) {1515throw new NullPointerException("invalid null input");1516}1517if (!initialized) {1518throw new KeyStoreException("Uninitialized keystore");1519}1520return keyStoreSpi.engineGetEntry(alias, protParam);1521}15221523/**1524* Saves a keystore {@code Entry} under the specified alias.1525* The protection parameter is used to protect the1526* {@code Entry}.1527*1528* <p> If an entry already exists for the specified alias,1529* it is overridden.1530*1531* @param alias save the keystore {@code Entry} under this alias1532* @param entry the {@code Entry} to save1533* @param protParam the {@code ProtectionParameter}1534* used to protect the {@code Entry},1535* which may be {@code null}1536*1537* @exception NullPointerException if1538* {@code alias} or {@code entry}1539* is {@code null}1540* @exception KeyStoreException if the keystore has not been initialized1541* (loaded), or if this operation fails for some other reason1542*1543* @see #getEntry(String, KeyStore.ProtectionParameter)1544*1545* @since 1.51546*/1547public final void setEntry(String alias, Entry entry,1548ProtectionParameter protParam)1549throws KeyStoreException {1550if (alias == null || entry == null) {1551throw new NullPointerException("invalid null input");1552}1553if (!initialized) {1554throw new KeyStoreException("Uninitialized keystore");1555}1556keyStoreSpi.engineSetEntry(alias, entry, protParam);1557}15581559/**1560* Determines if the keystore {@code Entry} for the specified1561* {@code alias} is an instance or subclass of the specified1562* {@code entryClass}.1563*1564* @param alias the alias name1565* @param entryClass the entry class1566*1567* @return true if the keystore {@code Entry} for the specified1568* {@code alias} is an instance or subclass of the1569* specified {@code entryClass}, false otherwise1570*1571* @exception NullPointerException if1572* {@code alias} or {@code entryClass}1573* is {@code null}1574* @exception KeyStoreException if the keystore has not been1575* initialized (loaded)1576*1577* @since 1.51578*/1579public final boolean1580entryInstanceOf(String alias,1581Class<? extends KeyStore.Entry> entryClass)1582throws KeyStoreException1583{15841585if (alias == null || entryClass == null) {1586throw new NullPointerException("invalid null input");1587}1588if (!initialized) {1589throw new KeyStoreException("Uninitialized keystore");1590}1591return keyStoreSpi.engineEntryInstanceOf(alias, entryClass);1592}15931594/**1595* A description of a to-be-instantiated KeyStore object.1596*1597* <p>An instance of this class encapsulates the information needed to1598* instantiate and initialize a KeyStore object. That process is1599* triggered when the {@linkplain #getKeyStore} method is called.1600*1601* <p>This makes it possible to decouple configuration from KeyStore1602* object creation and e.g. delay a password prompt until it is1603* needed.1604*1605* @see KeyStore1606* @see javax.net.ssl.KeyStoreBuilderParameters1607* @since 1.51608*/1609public static abstract class Builder {16101611// maximum times to try the callbackhandler if the password is wrong1612static final int MAX_CALLBACK_TRIES = 3;16131614/**1615* Construct a new Builder.1616*/1617protected Builder() {1618// empty1619}16201621/**1622* Returns the KeyStore described by this object.1623*1624* @return the {@code KeyStore} described by this object1625* @exception KeyStoreException if an error occurred during the1626* operation, for example if the KeyStore could not be1627* instantiated or loaded1628*/1629public abstract KeyStore getKeyStore() throws KeyStoreException;16301631/**1632* Returns the ProtectionParameters that should be used to obtain1633* the {@link KeyStore.Entry Entry} with the given alias.1634* The {@code getKeyStore} method must be invoked before this1635* method may be called.1636*1637* @return the ProtectionParameters that should be used to obtain1638* the {@link KeyStore.Entry Entry} with the given alias.1639* @param alias the alias of the KeyStore entry1640* @throws NullPointerException if alias is null1641* @throws KeyStoreException if an error occurred during the1642* operation1643* @throws IllegalStateException if the getKeyStore method has1644* not been invoked prior to calling this method1645*/1646public abstract ProtectionParameter getProtectionParameter(String alias)1647throws KeyStoreException;16481649/**1650* Returns a new Builder that encapsulates the given KeyStore.1651* The {@linkplain #getKeyStore} method of the returned object1652* will return {@code keyStore}, the {@linkplain1653* #getProtectionParameter getProtectionParameter()} method will1654* return {@code protectionParameters}.1655*1656* <p> This is useful if an existing KeyStore object needs to be1657* used with Builder-based APIs.1658*1659* @return a new Builder object1660* @param keyStore the KeyStore to be encapsulated1661* @param protectionParameter the ProtectionParameter used to1662* protect the KeyStore entries1663* @throws NullPointerException if keyStore or1664* protectionParameters is null1665* @throws IllegalArgumentException if the keyStore has not been1666* initialized1667*/1668public static Builder newInstance(final KeyStore keyStore,1669final ProtectionParameter protectionParameter) {1670if ((keyStore == null) || (protectionParameter == null)) {1671throw new NullPointerException();1672}1673if (keyStore.initialized == false) {1674throw new IllegalArgumentException("KeyStore not initialized");1675}1676return new Builder() {1677private volatile boolean getCalled;16781679public KeyStore getKeyStore() {1680getCalled = true;1681return keyStore;1682}16831684public ProtectionParameter getProtectionParameter(String alias)1685{1686if (alias == null) {1687throw new NullPointerException();1688}1689if (getCalled == false) {1690throw new IllegalStateException1691("getKeyStore() must be called first");1692}1693return protectionParameter;1694}1695};1696}16971698/**1699* Returns a new Builder object.1700*1701* <p>The first call to the {@link #getKeyStore} method on the returned1702* builder will create a KeyStore of type {@code type} and call1703* its {@link KeyStore#load load()} method.1704* The {@code inputStream} argument is constructed from1705* {@code file}.1706* If {@code protection} is a1707* {@code PasswordProtection}, the password is obtained by1708* calling the {@code getPassword} method.1709* Otherwise, if {@code protection} is a1710* {@code CallbackHandlerProtection}, the password is obtained1711* by invoking the CallbackHandler.1712*1713* <p>Subsequent calls to {@link #getKeyStore} return the same object1714* as the initial call. If the initial call to failed with a1715* KeyStoreException, subsequent calls also throw a1716* KeyStoreException.1717*1718* <p>The KeyStore is instantiated from {@code provider} if1719* non-null. Otherwise, all installed providers are searched.1720*1721* <p>Calls to {@link #getProtectionParameter getProtectionParameter()}1722* will return a {@link KeyStore.PasswordProtection PasswordProtection}1723* object encapsulating the password that was used to invoke the1724* {@code load} method.1725*1726* <p><em>Note</em> that the {@link #getKeyStore} method is executed1727* within the {@link AccessControlContext} of the code invoking this1728* method.1729*1730* @return a new Builder object1731* @param type the type of KeyStore to be constructed1732* @param provider the provider from which the KeyStore is to1733* be instantiated (or null)1734* @param file the File that contains the KeyStore data1735* @param protection the ProtectionParameter securing the KeyStore data1736* @throws NullPointerException if type, file or protection is null1737* @throws IllegalArgumentException if protection is not an instance1738* of either PasswordProtection or CallbackHandlerProtection; or1739* if file does not exist or does not refer to a normal file1740*/1741public static Builder newInstance(String type, Provider provider,1742File file, ProtectionParameter protection) {1743if ((type == null) || (file == null) || (protection == null)) {1744throw new NullPointerException();1745}1746if ((protection instanceof PasswordProtection == false) &&1747(protection instanceof CallbackHandlerProtection == false)) {1748throw new IllegalArgumentException1749("Protection must be PasswordProtection or " +1750"CallbackHandlerProtection");1751}1752if (file.isFile() == false) {1753throw new IllegalArgumentException1754("File does not exist or it does not refer " +1755"to a normal file: " + file);1756}1757return new FileBuilder(type, provider, file, protection,1758AccessController.getContext());1759}17601761private static final class FileBuilder extends Builder {17621763private final String type;1764private final Provider provider;1765private final File file;1766private ProtectionParameter protection;1767private ProtectionParameter keyProtection;1768private final AccessControlContext context;17691770private KeyStore keyStore;17711772private Throwable oldException;17731774FileBuilder(String type, Provider provider, File file,1775ProtectionParameter protection,1776AccessControlContext context) {1777this.type = type;1778this.provider = provider;1779this.file = file;1780this.protection = protection;1781this.context = context;1782}17831784public synchronized KeyStore getKeyStore() throws KeyStoreException1785{1786if (keyStore != null) {1787return keyStore;1788}1789if (oldException != null) {1790throw new KeyStoreException1791("Previous KeyStore instantiation failed",1792oldException);1793}1794PrivilegedExceptionAction<KeyStore> action =1795new PrivilegedExceptionAction<KeyStore>() {1796public KeyStore run() throws Exception {1797if (protection instanceof CallbackHandlerProtection == false) {1798return run0();1799}1800// when using a CallbackHandler,1801// reprompt if the password is wrong1802int tries = 0;1803while (true) {1804tries++;1805try {1806return run0();1807} catch (IOException e) {1808if ((tries < MAX_CALLBACK_TRIES)1809&& (e.getCause() instanceof UnrecoverableKeyException)) {1810continue;1811}1812throw e;1813}1814}1815}1816public KeyStore run0() throws Exception {1817KeyStore ks;1818if (provider == null) {1819ks = KeyStore.getInstance(type);1820} else {1821ks = KeyStore.getInstance(type, provider);1822}1823InputStream in = null;1824char[] password = null;1825try {1826in = new FileInputStream(file);1827if (protection instanceof PasswordProtection) {1828password =1829((PasswordProtection)protection).getPassword();1830keyProtection = protection;1831} else {1832CallbackHandler handler =1833((CallbackHandlerProtection)protection)1834.getCallbackHandler();1835PasswordCallback callback = new PasswordCallback1836("Password for keystore " + file.getName(),1837false);1838handler.handle(new Callback[] {callback});1839password = callback.getPassword();1840if (password == null) {1841throw new KeyStoreException("No password" +1842" provided");1843}1844callback.clearPassword();1845keyProtection = new PasswordProtection(password);1846}1847ks.load(in, password);1848return ks;1849} finally {1850if (in != null) {1851in.close();1852}1853}1854}1855};1856try {1857keyStore = AccessController.doPrivileged(action, context);1858return keyStore;1859} catch (PrivilegedActionException e) {1860oldException = e.getCause();1861throw new KeyStoreException1862("KeyStore instantiation failed", oldException);1863}1864}18651866public synchronized ProtectionParameter1867getProtectionParameter(String alias) {1868if (alias == null) {1869throw new NullPointerException();1870}1871if (keyStore == null) {1872throw new IllegalStateException1873("getKeyStore() must be called first");1874}1875return keyProtection;1876}1877}18781879/**1880* Returns a new Builder object.1881*1882* <p>Each call to the {@link #getKeyStore} method on the returned1883* builder will return a new KeyStore object of type {@code type}.1884* Its {@link KeyStore#load(KeyStore.LoadStoreParameter) load()}1885* method is invoked using a1886* {@code LoadStoreParameter} that encapsulates1887* {@code protection}.1888*1889* <p>The KeyStore is instantiated from {@code provider} if1890* non-null. Otherwise, all installed providers are searched.1891*1892* <p>Calls to {@link #getProtectionParameter getProtectionParameter()}1893* will return {@code protection}.1894*1895* <p><em>Note</em> that the {@link #getKeyStore} method is executed1896* within the {@link AccessControlContext} of the code invoking this1897* method.1898*1899* @return a new Builder object1900* @param type the type of KeyStore to be constructed1901* @param provider the provider from which the KeyStore is to1902* be instantiated (or null)1903* @param protection the ProtectionParameter securing the Keystore1904* @throws NullPointerException if type or protection is null1905*/1906public static Builder newInstance(final String type,1907final Provider provider, final ProtectionParameter protection) {1908if ((type == null) || (protection == null)) {1909throw new NullPointerException();1910}1911final AccessControlContext context = AccessController.getContext();1912return new Builder() {1913private volatile boolean getCalled;1914private IOException oldException;19151916private final PrivilegedExceptionAction<KeyStore> action1917= new PrivilegedExceptionAction<KeyStore>() {19181919public KeyStore run() throws Exception {1920KeyStore ks;1921if (provider == null) {1922ks = KeyStore.getInstance(type);1923} else {1924ks = KeyStore.getInstance(type, provider);1925}1926LoadStoreParameter param = new SimpleLoadStoreParameter(protection);1927if (protection instanceof CallbackHandlerProtection == false) {1928ks.load(param);1929} else {1930// when using a CallbackHandler,1931// reprompt if the password is wrong1932int tries = 0;1933while (true) {1934tries++;1935try {1936ks.load(param);1937break;1938} catch (IOException e) {1939if (e.getCause() instanceof UnrecoverableKeyException) {1940if (tries < MAX_CALLBACK_TRIES) {1941continue;1942} else {1943oldException = e;1944}1945}1946throw e;1947}1948}1949}1950getCalled = true;1951return ks;1952}1953};19541955public synchronized KeyStore getKeyStore()1956throws KeyStoreException {1957if (oldException != null) {1958throw new KeyStoreException1959("Previous KeyStore instantiation failed",1960oldException);1961}1962try {1963return AccessController.doPrivileged(action, context);1964} catch (PrivilegedActionException e) {1965Throwable cause = e.getCause();1966throw new KeyStoreException1967("KeyStore instantiation failed", cause);1968}1969}19701971public ProtectionParameter getProtectionParameter(String alias)1972{1973if (alias == null) {1974throw new NullPointerException();1975}1976if (getCalled == false) {1977throw new IllegalStateException1978("getKeyStore() must be called first");1979}1980return protection;1981}1982};1983}19841985}19861987static class SimpleLoadStoreParameter implements LoadStoreParameter {19881989private final ProtectionParameter protection;19901991SimpleLoadStoreParameter(ProtectionParameter protection) {1992this.protection = protection;1993}19941995public ProtectionParameter getProtectionParameter() {1996return protection;1997}1998}19992000}200120022003