IAIK High-Level API version 1.1
java.lang.Object
  iaik.hlapi.KeyAndCertificate

public class KeyAndCertificate
This class serves as a container for a private key and the corresponding certificate or the complete certificate chain.

In addition, it provides utility methods for managing private keys, certificates and certificate chains. This includes:

- Reading PKCS#12 files and Java keystores
- Storing keys in PKCS#12 files and Java keystores
- Generating key-pairs and certificates
- Generating certificate signing requests
- Reading certificate chains
- Reading certificates

For example, reading a key with its certificate chain from a PKCS#12 file:

    KeyAndCertificate key = KeyAndCertificate.readPkcs12(new FileInputStream(pkcs12file), password);

The name (i.e. the alias name of a Java KeyStore) of the key inside the keystore is available via the getKeyName method. writeKeyStore and storePkcs12 also use this name for storing the key.
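As an added example (not part of the IAIK documentation or library), the following class puts the reading and storing methods listed above together: it reads every private-key entry of a legacy JKS keystore with readKeyStore, drops entries that writeKeyStore would reject anyway (no key or no chain), reports end-entity certificates that are outside their validity period, and writes the rest to a PKCS#12 keystore. The class name KeyStoreMigration, the KEYSTORE_PASSWORD environment variable and the package of HlApiException are assumptions; everything else is the API documented on this page plus standard java.security.cert calls.

```java
import iaik.hlapi.HlApiException;   // assumed package: documented alongside KeyAndCertificate
import iaik.hlapi.KeyAndCertificate;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Copies the usable private-key entries of a JKS keystore into a PKCS#12 keystore. */
public final class KeyStoreMigration {

    private KeyStoreMigration() { }

    /**
     * Reads all private-key entries from a JKS keystore, skips entries that cannot be
     * stored (no key or no chain), and writes the rest to a PKCS#12 keystore.
     *
     * @return the key names (aliases) that were migrated
     */
    public static List<String> migrate(InputStream jksIn, char[] jksPassword,
                                       OutputStream p12Out, char[] p12Password)
            throws IOException, HlApiException {
        // null provider = JCA default; "JKS" and "PKCS12" are the type names given in the documentation
        KeyAndCertificate[] entries = KeyAndCertificate.readKeyStore(jksIn, "JKS", null, jksPassword);

        List<KeyAndCertificate> usable = new ArrayList<KeyAndCertificate>();
        List<String> migrated = new ArrayList<String>();
        for (int i = 0; i < entries.length; i++) {
            KeyAndCertificate entry = entries[i];
            // writeKeyStore throws if an entry lacks a key or a certificate, so check up front
            X509Certificate[] chain = entry.getCertificateChain();
            if (entry.getKey() == null || chain == null || chain.length == 0) {
                // toString() deliberately omits private key material, so logging the entry is safe
                System.err.println("skipping entry without key or chain: " + entry);
                continue;
            }
            // Report, but keep, entries whose end-entity certificate (index 0) is not currently valid
            try {
                chain[0].checkValidity();
            } catch (CertificateException e) {
                System.err.println("warning: certificate of " + entry.getKeyName()
                        + " is not currently valid: " + e.getMessage());
            }
            // writeKeyStore uses the key name as the alias; give nameless entries a unique one
            if (entry.getKeyName() == null) {
                entry.setKeyName("key-" + i);
            }
            usable.add(entry);
            migrated.add(entry.getKeyName());
        }
        if (usable.isEmpty()) {
            throw new IllegalStateException("no usable private-key entries found");
        }
        KeyAndCertificate[] toStore = usable.toArray(new KeyAndCertificate[usable.size()]);
        KeyAndCertificate.writeKeyStore(toStore, p12Out, "PKCS12", null, p12Password);
        return migrated;
    }

    public static void main(String[] args) throws Exception {
        String env = System.getenv("KEYSTORE_PASSWORD");   // assumed variable; substitute your own secret handling
        if (args.length != 2 || env == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... KeyStoreMigration <in.jks> <out.p12>");
            return;
        }
        char[] password = env.toCharArray();
        InputStream in = new FileInputStream(args[0]);
        OutputStream out = new FileOutputStream(args[1]);
        try {
            List<String> names = migrate(in, password, out, password);
            System.out.println("migrated entries: " + names);
        } finally {
            in.close();
            out.close();
            Arrays.fill(password, '\0');   // clear the password from memory once it is no longer needed
        }
    }
}
```

The same password is used for source and target keystore here only to keep the command line short; the two char[] parameters of migrate allow different ones.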
Constructor Summary

KeyAndCertificate(PrivateKey key, X509Certificate userCert)
    Create a new object with the given private key and certificate.

KeyAndCertificate(PrivateKey key, X509Certificate[] certChain)
    Create a new object with the given private key and certificate chain.
Method Summary

byte[] generateCertificateRequest()
    Create a PKCS#10 certificate request that contains the subject DN of the certificate of this object.

static KeyAndCertificate generateSelfSigned(String algorithm, String provider, int keySize, String subjectDN)
    Generate a new key-pair and create a self-signed certificate with it.

X509Certificate getCertificate()
    Get the certificate.

X509Certificate[] getCertificateChain()
    Get the certificate chain.

static String getEMailAddress(X509Certificate certificate)
    Get the e-mail address of the subject out of the certificate.

PrivateKey getKey()
    Get the private key.

String getKeyName()
    Get the name of this key.

String getProviderName()
    Get the name of the provider that should be used for the private key of this object, e.g. for signature creation or decryption.

static String pemEncode(byte[] value, String firstLine, String lastLine)
    An application may use this method to PEM-encode arbitrary binary data.

static X509Certificate readCertificate(InputStream fileStream)
    Read a single certificate.

static X509Certificate[] readCertificateChain(InputStream fileStream)
    Read a certificate chain.

static KeyAndCertificate[] readKeyStore(InputStream stream, String type, String provider, char[] password)
    Read a Java keystore.

static KeyAndCertificate readPkcs12(InputStream fileStream, char[] password)
    Read the private key with associated certificate chain from a stream, e.g. a file input stream.

void setKeyName(String name)
    Set the name of this key.

void setProviderName(String providerName)
    Set the name of the provider that should be used for the private key of this object, e.g. for signature creation.

void storePkcs12(OutputStream out, char[] password)
    Store this key and certificate (or certificate chain) to the given stream.

String toString()
    Get a string representation of this object but omitting the dump of the private key to avoid unintended revealing of private key material.

static void writeKeyStore(KeyAndCertificate[] keys, OutputStream out, String type, String provider, char[] password)
    Store the given keys with their certificates (or certificate chains) to the given stream.

Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Constructor Detail

public KeyAndCertificate(PrivateKey key, X509Certificate[] certChain)
    Create a new object with the given private key and certificate chain.
    Parameters:
        key - The private key. May be null.
        certChain - The ordered certificate chain with the end-user certificate at index 0. May be null.

public KeyAndCertificate(PrivateKey key, X509Certificate userCert)
    Create a new object with the given private key and certificate.
    Parameters:
        key - The private key. May be null.
        userCert - The certificate that corresponds to the private key, or null.

Method Detail
public PrivateKey getKey()
    Get the private key.
    Returns:
        The private key, or null if unavailable.

public X509Certificate[] getCertificateChain()
    Get the certificate chain.
    Returns:
        The certificate chain, or null if unavailable.

public X509Certificate getCertificate()
    Get the certificate.
    Returns:
        The certificate, or null if unavailable.

public String getProviderName()
    Get the name of the provider that should be used for the private key of this object, e.g. for signature creation or decryption.
    Returns:
        The provider name; null means to use defaults.

public void setProviderName(String providerName)
    Set the name of the provider that should be used for the private key of this object, e.g. for signature creation.
    Parameters:
        providerName - The provider name, or null to use defaults.

public String getKeyName()
    Get the name of this key.
    Returns:
        The name of this key, or null if unavailable.

public void setKeyName(String name)
    Set the name of this key.
    Parameters:
        name - The name of the key, or null if unavailable.

public String toString()
    Get a string representation of this object but omitting the dump of the private key to avoid unintended revealing of private key material.
    Overrides:
        toString in class Object
public static final X509Certificate readCertificate(InputStream fileStream) throws IOException, HlApiException
    Read a single certificate. The supported formats are:
    Parameters:
        fileStream - The stream that provides the certificate chain.
    Throws:
        IOException - If reading from the stream fails.
        HlApiException - If parsing the certificates fails.

public static final X509Certificate[] readCertificateChain(InputStream fileStream) throws IOException, HlApiException
    Read a certificate chain. The supported formats are:
    Parameters:
        fileStream - The stream that provides the certificate chain.
    Throws:
        IOException - If reading from the stream fails.
        HlApiException - If parsing the certificates fails.

public static final KeyAndCertificate[] readKeyStore(InputStream stream, String type, String provider, char[] password) throws IOException, HlApiException
    Read a Java keystore. This method handles the keystore types available through the java.security.KeyStore interface, including JKS and PKCS12. It returns the private key entries with their associated certificate chains.
    Parameters:
        stream - The stream that provides the keystore contents.
        type - The keystore type, e.g. JKS for Java keystores from SUN.
        provider - The name of the JCA provider to use, or null to use defaults.
        password - The password that protects the keystore.
    Throws:
        IOException - If reading from the stream fails.
        HlApiException - If reading the keystore content fails.

public static final KeyAndCertificate readPkcs12(InputStream fileStream, char[] password) throws IOException, HlApiException
    Read the private key with associated certificate chain from a stream, e.g. a file input stream. Use it like this:

        String fileName = ...
        char[] password = ...
        KeyAndCertificate key = KeyAndCertificate.readPkcs12(new FileInputStream(fileName), password);

    Parameters:
        fileStream - The stream which provides the content of the PKCS#12 file.
        password - The password that protects the PKCS#12 file.
    Throws:
        IOException - If reading the file stream fails.
        HlApiException - If reading the PKCS#12 content fails.

public void storePkcs12(OutputStream out, char[] password) throws IOException, HlApiException
    Store this key and certificate (or certificate chain) to the given stream.
    Parameters:
        out - The output stream, e.g. a java.io.FileOutputStream.
        password - The password for protecting the private key.
    Throws:
        IOException - If writing to the stream fails.
        HlApiException - If this object does not contain a private key or a certificate.

public static void writeKeyStore(KeyAndCertificate[] keys, OutputStream out, String type, String provider, char[] password) throws IOException, HlApiException
    Store the given keys with their certificates (or certificate chains) to the given stream.
    Parameters:
        keys - The list of keys, which must not be empty.
        out - The output stream, e.g. a java.io.FileOutputStream.
        type - The type of keystore, e.g. JKS or PKCS12.
        provider - The name of the JCA provider to use, or null to use defaults.
        password - The password for protecting the private key.
    Throws:
        IOException - If writing to the stream fails.
        HlApiException - If one of the given objects does not contain a private key or a certificate.

public static final KeyAndCertificate generateSelfSigned(String algorithm, String provider, int keySize, String subjectDN) throws HlApiException
    Generate a new key-pair and create a self-signed certificate with it.
    Parameters:
        algorithm - The JCA/JCE algorithm name for the key-pair, e.g. RSA.
        provider - The optional JCA/JCE provider to use for key generation. Set null to use default.
        keySize - The key size in bits, e.g. 1024.
        subjectDN - The subject distinguished name (DN) as RFC 2253 string, e.g. CN=Karl Scheibelhofer,O=IAIK,C=AT,EMAIL=karl.scheibelhofer@iaik.at
    Throws:
        HlApiException
public byte[] generateCertificateRequest() throws HlApiException
    Create a PKCS#10 certificate request that contains the subject DN of the certificate of this object. This method is especially useful for objects that have just been created using generateSelfSigned(String, String, int, String). The self-signed certificate acts as a place-holder until the actual certificate or certificate chain is available (i.e. issued by a CA). The application may need to encode the result using pemEncode(byte[], String, String) before sending it to the CA. However, this depends on the CA.
    Throws:
        HlApiException
public static String pemEncode(byte[] value, String firstLine, String lastLine)
    An application may use this method to PEM-encode arbitrary binary data. For example, it may use it to convert a certificate signing request (CSR) into a text message, e.g.

        KeyAndCertificate keyAndCert = KeyAndCertificate.generateSelfSigned("RSA", null, 1024,
            "CN=Karl Scheibelhofer,O=IAIK,C=AT,EMAIL=karl.scheibelhofer@iaik.at");
        byte[] binaryCSR = keyAndCert.generateCertificateRequest();
        String textCSR = KeyAndCertificate.pemEncode(binaryCSR,
            "-----BEGIN NEW CERTIFICATE REQUEST-----",
            "-----END NEW CERTIFICATE REQUEST-----");

    Parameters:
        value - The binary value.
        firstLine - The first line in the encoding, e.g. -----BEGIN NEW CERTIFICATE REQUEST----- for a certificate request.
        lastLine - The last line in the encoding, e.g. -----END NEW CERTIFICATE REQUEST----- for a certificate request.

    The PEM encoding has the following form, shown here for a certificate:

        -----BEGIN CERTIFICATE-----
        MIIEijCCA3KgAwIBAgIBETANBgkqhkiG9w0BAQUFADBBMRAwDgYDVQQKEwdFdXJv
        ...
        QRdSvpib2FjBq57wfHY=
        -----END CERTIFICATE-----
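The place-holder flow described for generateCertificateRequest and pemEncode has two halves that the snippets above do not connect: the key must be persisted before the CSR leaves the machine, and the chain that comes back from the CA must be paired with exactly that key. The following added example (my code, not the IAIK library's) does both with the methods on this page; it compares the encoded public key of the stored place-holder certificate with that of the issued end-entity certificate before combining key and chain, so a mixed-up CA response cannot be stored against the wrong key. The class name Enrolment, the P12_PASSWORD environment variable, the "pending" alias and the package of HlApiException are assumptions; 2048 bits is used instead of the 1024 in the documentation's snippet.

```java
import iaik.hlapi.HlApiException;   // assumed package: documented alongside KeyAndCertificate
import iaik.hlapi.KeyAndCertificate;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Two halves of an enrolment: issue a CSR, then install the CA-issued chain on the same key. */
public final class Enrolment {

    private static final String CSR_BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----";
    private static final String CSR_END = "-----END NEW CERTIFICATE REQUEST-----";

    private Enrolment() { }

    /**
     * Generates a key-pair with a self-signed place-holder certificate, saves it to a PKCS#12
     * stream right away (without the key the issued certificate is useless), and returns the
     * PEM-encoded PKCS#10 request to send to the CA.
     */
    public static String createRequest(String subjectDN, OutputStream p12Out, char[] password)
            throws IOException, HlApiException {
        KeyAndCertificate kc = KeyAndCertificate.generateSelfSigned("RSA", null, 2048, subjectDN);
        kc.setKeyName("pending");             // alias that storePkcs12 uses for the entry (assumed name)
        kc.storePkcs12(p12Out, password);     // persist the key before anything else happens
        byte[] csr = kc.generateCertificateRequest();
        return KeyAndCertificate.pemEncode(csr, CSR_BEGIN, CSR_END);
    }

    /**
     * Reads the stored key back, reads the chain the CA returned, verifies that the chain's
     * end-entity certificate (index 0) carries this key's public key, and stores key and
     * chain together. Without the comparison a CA response belonging to another pending
     * request would silently be stored against the wrong private key.
     */
    public static KeyAndCertificate installIssuedChain(InputStream p12In, char[] password,
                                                       InputStream chainIn, OutputStream p12Out)
            throws IOException, HlApiException {
        KeyAndCertificate pending = KeyAndCertificate.readPkcs12(p12In, password);
        X509Certificate placeholder = pending.getCertificate();
        X509Certificate[] chain = KeyAndCertificate.readCertificateChain(chainIn);
        if (pending.getKey() == null || placeholder == null || chain == null || chain.length == 0) {
            throw new IllegalArgumentException("missing private key, place-holder certificate or issued chain");
        }
        // Compare the encoded SubjectPublicKeyInfo rather than relying on provider-specific equals()
        byte[] expected = placeholder.getPublicKey().getEncoded();
        byte[] actual = chain[0].getPublicKey().getEncoded();
        if (!Arrays.equals(expected, actual)) {
            throw new IllegalArgumentException("issued certificate does not match the stored private key");
        }
        KeyAndCertificate issued = new KeyAndCertificate(pending.getKey(), chain);
        issued.setKeyName(pending.getKeyName());
        issued.setProviderName(pending.getProviderName());   // null keeps the defaults
        issued.storePkcs12(p12Out, password);
        return issued;
    }

    public static void main(String[] args) throws Exception {
        String env = System.getenv("P12_PASSWORD");   // assumed variable; substitute your own secret handling
        if (env == null) {
            System.err.println("P12_PASSWORD not set");
            return;
        }
        char[] password = env.toCharArray();
        try {
            if (args.length == 3 && "request".equals(args[0])) {
                // Enrolment request <subjectDN> <pending.p12>   (CSR is written to stdout)
                OutputStream out = new FileOutputStream(args[2]);
                try { System.out.println(createRequest(args[1], out, password)); } finally { out.close(); }
            } else if (args.length == 4 && "install".equals(args[0])) {
                // Enrolment install <pending.p12> <issued-chain> <final.p12>
                InputStream p12 = new FileInputStream(args[1]);
                InputStream chain = new FileInputStream(args[2]);
                OutputStream out = new FileOutputStream(args[3]);
                try {
                    KeyAndCertificate kc = installIssuedChain(p12, password, chain, out);
                    System.out.println("installed: " + kc);   // toString() omits private key material
                } finally { p12.close(); chain.close(); out.close(); }
            } else {
                System.err.println("usage: Enrolment request <subjectDN> <pending.p12> | install <pending.p12> <issued-chain> <final.p12>");
            }
        } finally {
            Arrays.fill(password, '\0');   // clear the password once it is no longer needed
        }
    }
}
```

Which encodings readCertificateChain accepts for the issued chain is not stated on this page, so the install step takes whatever file the CA returned and relies on that method to parse it.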
public static String getEMailAddress(X509Certificate certificate) throws HlApiException
    Get the e-mail address of the subject out of the certificate. First, it searches in the subject DN for an e-mail address. Second, it looks for an e-mail address in the subject alternative name extension, if present.
    Parameters:
        certificate - The X.509 certificate containing the subject's e-mail address.
    Returns:
        The e-mail address of the subject, or null if no e-mail address was found.
    Throws:
        HlApiException - If parsing the certificate fails.
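A typical use of getEMailAddress is checking that a signer's certificate is bound to the address a message claims to come from. The following added example (not part of the IAIK documentation) shows that check, treating the null result the method returns for certificates without an e-mail address as "no binding" rather than as a match, and comparing addresses case-insensitively as is usual in S/MIME practice. The class name SenderBinding and the package of HlApiException are assumptions.

```java
import iaik.hlapi.HlApiException;   // assumed package: documented alongside KeyAndCertificate
import iaik.hlapi.KeyAndCertificate;

import java.io.IOException;
import java.io.InputStream;
import java.security.cert.X509Certificate;

/** Checks that a signer's certificate names the e-mail address a message claims as its sender. */
public final class SenderBinding {

    private SenderBinding() { }

    /**
     * Returns true only if the certificate carries an e-mail address (searched in the subject DN
     * first, then in the subject alternative name extension, as getEMailAddress does) that
     * equals the claimed sender. A certificate without any e-mail address never matches.
     */
    public static boolean senderMatches(X509Certificate signerCert, String claimedSender)
            throws HlApiException {
        String certAddress = KeyAndCertificate.getEMailAddress(signerCert);
        if (certAddress == null || claimedSender == null) {
            return false;   // null is the documented "not found" result, not an error
        }
        // Domain parts are case-insensitive; comparing the whole address that way is common practice
        return certAddress.trim().equalsIgnoreCase(claimedSender.trim());
    }

    /** Convenience overload that reads the certificate from a stream first. */
    public static boolean senderMatches(InputStream certIn, String claimedSender)
            throws IOException, HlApiException {
        X509Certificate cert = KeyAndCertificate.readCertificate(certIn);
        return senderMatches(cert, claimedSender);
    }
}
```

A matching address only ties the certificate to the claimed sender; whether the certificate itself is trusted (chain, validity period, revocation) is a separate check that the methods on this page do not perform.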
Copyright © 2007, IAIK, Graz University of Technology. Copyright © 2007, Stiftung SIC