```java
public class LunaKeyStore
extends java.security.KeyStoreSpi
```

When no InputStream is specified, the KeyStore acts essentially as a front end to the default HSM slot.

```java
KeyStore ks = KeyStore.getInstance("Luna");
ks.load(null, "mypasswd".toCharArray());
```
The code above is the bare minimum necessary to get a Luna KeyStore up and running. This KeyStore is backed by the HSM partition at the currently specified default slot in LunaSlotManager. If no password is supplied to load(), the user must log in via LunaSlotManager before using the keystore.
When the InputStream is backed by a file, the file should specify the slot to use in one of two formats. The string "tokenlabel:label" opens the KeyStore against the token with the given label; "slot:<slotNum>" opens it against the token at the given slot number. Using the token label is recommended, because the slot number of a given token may change while its label will not.

The user type can also be specified by adding a line "usertype:<user type>", with possible values CKU_CRYPTO_USER or CKU_CRYPTO_OFFICER.

Object caching can be enabled for the LunaKeyStore by adding a line "caching:true". When caching is enabled, the following additional lines are recognized:

- "loadingthreads:<number of threads>" sets the number of loading threads.
- "cachingstrict:true" prevents the LunaKeyStore from searching the HSM for an object that is not found in the cache.
- "clearcache:false" prevents the object cache from being cleared when the LunaKeyStore is loaded.
- "loadcache:false" prevents the object cache from being loaded when the LunaKeyStore is loaded.

Using a file to back the InputStream in the load() method is optional. If there is no existing KeyStore file, a new KeyStore can be loaded by creating an InputStream backed by a String in one of the two formats above.
```java
ByteArrayInputStream slot = new ByteArrayInputStream("slot:2".getBytes());
KeyStore ks = KeyStore.getInstance("Luna");
ks.load(slot, "mypasswd".toCharArray());
```

The code above will attempt to open a KeyStore on slot 2 with the partition password "mypasswd". Multiple KeyStores can be opened on the same slot, but they are not guaranteed to be thread-safe. External synchronization is recommended.

If the InputStream provided contains anything other than a string in one of the two formats above, the KeyStore silently falls back to the default slot.
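The following is an added example, not code from the LunaProvider distribution: it assembles the line-based configuration described above (token label, user type and caching options) in code rather than in a hand-edited file, loads the keystore, and serializes access because LunaKeyStore instances are not thread-safe. It assumes the Luna provider is already registered with the JCA; the partition label "myPartition", the alias "signing-key" and the thread count are made-up values.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;

// Added example (not LunaProvider code). Assumes the Luna provider is already
// registered with the JCA; "myPartition" and the thread count are made-up values.
public final class LunaKeyStoreLoader {

    private final KeyStore ks;

    private LunaKeyStoreLoader(KeyStore ks) { this.ks = ks; }

    /** One option per line, using the tags the LunaKeyStore documentation lists. */
    static String buildConfig(String tokenLabel, boolean useOnly, boolean caching) {
        StringBuilder sb = new StringBuilder();
        // Prefer the label: a token's slot number can change, its label does not.
        sb.append("tokenlabel:").append(tokenLabel).append('\n');
        // Crypto User can use keys but not create or delete them; prefer it for
        // applications that only sign or decrypt.
        sb.append("usertype:").append(useOnly ? "CKU_CRYPTO_USER" : "CKU_CRYPTO_OFFICER").append('\n');
        if (caching) {
            sb.append("caching:true\n");
            sb.append("cachingstrict:true\n"); // cache miss means not found; no HSM search
            sb.append("loadingthreads:4\n");   // constructed value
        }
        return sb.toString();
    }

    static LunaKeyStoreLoader open(String tokenLabel, char[] partitionPassword) throws Exception {
        // Anything the KeyStore cannot parse silently falls back to the default slot,
        // so build the config programmatically rather than hand-editing a file.
        InputStream cfg = new ByteArrayInputStream(
                buildConfig(tokenLabel, true, true).getBytes(StandardCharsets.UTF_8));
        KeyStore ks = KeyStore.getInstance("Luna");
        ks.load(cfg, partitionPassword);
        return new LunaKeyStoreLoader(ks);
    }

    /** LunaKeyStore instances are not thread-safe; serialize access through this monitor. */
    synchronized PrivateKey privateKey(String alias) throws Exception {
        return (PrivateKey) ks.getKey(alias, null); // per-key password is unused by Luna
    }

    public static void main(String[] args) throws Exception {
        LunaKeyStoreLoader loader = open("myPartition", "mypasswd".toCharArray());
        System.out.println(loader.privateKey("signing-key") != null);
    }
}
```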
Modifier and Type | Field and Description
---|---
static java.lang.String | CACHING_STRICT_TAG
static java.lang.String | CACHING_TAG
static java.lang.String | CKU_CRYPTO_OFFICER
static java.lang.String | CKU_CRYPTO_USER
static java.lang.String | CKU_LIMITED_CRYPTO_OFFICER
static java.lang.String | CLEAR_CACHE_TAG
static java.lang.String | LABEL_TAG
static java.lang.String | LOAD_CACHE_TAG
static java.lang.String | LOADING_THREADS_TAG
static java.lang.String | SLOT_TAG
static java.lang.String | USER_TYPE_TAG
Constructor and Description
---
LunaKeyStore() Creates a new LunaKeyStore
Modifier and Type | Method and Description
---|---
java.util.Enumeration<java.lang.String> | engineAliases()
boolean | engineContainsAlias(java.lang.String alias)
void | engineDeleteEntry(java.lang.String alias)
java.security.cert.Certificate | engineGetCertificate(java.lang.String alias)
java.lang.String | engineGetCertificateAlias(java.security.cert.Certificate certificate)
java.security.cert.Certificate[] | engineGetCertificateChain(java.lang.String alias)
java.util.Date | engineGetCreationDate(java.lang.String alias)
java.security.Key | engineGetKey(java.lang.String alias, char[] password)
boolean | engineIsCertificateEntry(java.lang.String alias)
boolean | engineIsKeyEntry(java.lang.String alias)
void | engineLoad(java.io.InputStream inputStream, char[] password) The Luna KeyStore reads data from one PKCS11 slot.
boolean | engineProbe(java.io.InputStream stream) This is needed for JDK9+, as using keytool generates an exception without it when one is pointing to LunaProvider.
void | engineSetCertificateEntry(java.lang.String alias, java.security.cert.Certificate certificate)
void | engineSetKeyEntry(java.lang.String alias, byte[] key, java.security.cert.Certificate[] certificate)
void | engineSetKeyEntry(java.lang.String alias, java.security.Key key, char[] password, java.security.cert.Certificate[] certificateChain)
int | engineSize()
void | engineStore(java.io.OutputStream outputStream, char[] password)
protected static boolean | isCertChainEntry(java.lang.String alias)
```java
public static final java.lang.String LABEL_TAG;
public static final java.lang.String SLOT_TAG;
public static final java.lang.String USER_TYPE_TAG;
public static final java.lang.String CKU_CRYPTO_OFFICER;
public static final java.lang.String CKU_CRYPTO_USER;
public static final java.lang.String CKU_LIMITED_CRYPTO_OFFICER;
public static final java.lang.String CACHING_TAG;
public static final java.lang.String CACHING_STRICT_TAG;
public static final java.lang.String LOADING_THREADS_TAG;
public static final java.lang.String CLEAR_CACHE_TAG;
public static final java.lang.String LOAD_CACHE_TAG;
```
`protected static boolean isCertChainEntry(java.lang.String alias)`

`public java.util.Enumeration<java.lang.String> engineAliases()`
Specified by: engineAliases in class java.security.KeyStoreSpi

`public boolean engineContainsAlias(java.lang.String alias)`
Specified by: engineContainsAlias in class java.security.KeyStoreSpi

`public void engineDeleteEntry(java.lang.String alias) throws java.security.KeyStoreException`
Specified by: engineDeleteEntry in class java.security.KeyStoreSpi
Throws:
- java.security.KeyStoreException

`public java.security.cert.Certificate engineGetCertificate(java.lang.String alias)`
Specified by: engineGetCertificate in class java.security.KeyStoreSpi

`public java.lang.String engineGetCertificateAlias(java.security.cert.Certificate certificate)`
Specified by: engineGetCertificateAlias in class java.security.KeyStoreSpi

`public java.security.cert.Certificate[] engineGetCertificateChain(java.lang.String alias)`
Specified by: engineGetCertificateChain in class java.security.KeyStoreSpi

`public java.util.Date engineGetCreationDate(java.lang.String alias)`
Specified by: engineGetCreationDate in class java.security.KeyStoreSpi

`public java.security.Key engineGetKey(java.lang.String alias, char[] password) throws java.security.NoSuchAlgorithmException, java.security.UnrecoverableKeyException`
Specified by: engineGetKey in class java.security.KeyStoreSpi
Parameters:
- alias - key label
- password - per-key password (unused by Luna)
Throws:
- java.security.NoSuchAlgorithmException - exception
- java.security.UnrecoverableKeyException - exception

`public boolean engineIsCertificateEntry(java.lang.String alias)`
Specified by: engineIsCertificateEntry in class java.security.KeyStoreSpi

`public boolean engineIsKeyEntry(java.lang.String alias)`
Specified by: engineIsKeyEntry in class java.security.KeyStoreSpi

`public void engineSetCertificateEntry(java.lang.String alias, java.security.cert.Certificate certificate) throws java.security.KeyStoreException`
Specified by: engineSetCertificateEntry in class java.security.KeyStoreSpi
Throws:
- java.security.KeyStoreException

`public void engineSetKeyEntry(java.lang.String alias, byte[] key, java.security.cert.Certificate[] certificate) throws java.security.KeyStoreException`
Specified by: engineSetKeyEntry in class java.security.KeyStoreSpi
Throws:
- java.security.KeyStoreException

`public void engineSetKeyEntry(java.lang.String alias, java.security.Key key, char[] password, java.security.cert.Certificate[] certificateChain) throws java.security.KeyStoreException`
Specified by: engineSetKeyEntry in class java.security.KeyStoreSpi
Parameters:
- alias - key label
- key - key object to be associated with the alias
- password - per-key password (unused by Luna)
- certificateChain - the certificate chain for the corresponding public key (only required if the given key is of type java.security.PrivateKey)
Throws:
- java.security.KeyStoreException - exception

`public int engineSize()`
Specified by: engineSize in class java.security.KeyStoreSpi

`public void engineLoad(java.io.InputStream inputStream, char[] password) throws java.io.IOException, java.security.NoSuchAlgorithmException, java.security.cert.CertificateException`
Specified by: engineLoad in class java.security.KeyStoreSpi
Parameters:
- inputStream - Determines the slot the keystore is loaded against, as described above
- password - Password for the slot. If no password is given, keystore operations will fail unless the user logs in to the slot directly using LunaSlotManager, or is already logged in
Throws:
- java.io.IOException
- java.security.NoSuchAlgorithmException
- java.security.cert.CertificateException

`public void engineStore(java.io.OutputStream outputStream, char[] password) throws java.io.IOException, java.security.NoSuchAlgorithmException, java.security.cert.CertificateException`
Specified by: engineStore in class java.security.KeyStoreSpi
Throws:
- java.io.IOException
- java.security.NoSuchAlgorithmException
- java.security.cert.CertificateException

`public boolean engineProbe(java.io.InputStream stream) throws java.io.IOException`
Parameters:
- stream - Input stream
Throws:
- java.io.IOException - exception

Copyright 2014-2018 SafeNet. All rights reserved.