gnu.classpath.tools.keytool
Class ImportCmd

java.lang.Object
  gnu.classpath.tools.keytool.Command
    gnu.classpath.tools.keytool.ImportCmd

class ImportCmd extends Command
The -import keytool command handler is used to read an X.509
certificate, or a PKCS#7 Certificate Reply, from a designated input source and
incorporate the certificates into the key store.

If the Alias does not already exist in the key store, the tool treats
the certificate read from the input source as a new Trusted Certificate. It
then attempts to discover a chain-of-trust, starting from that certificate
and ending at another Trusted Certificate already stored in the key
store. If the -trustcacerts option is present, an additional
key store, of type JKS, named cacerts and assumed
to be present in ${JAVA_HOME}/lib/security, will also be
consulted if found (${JAVA_HOME} refers to the location of an
installed Java Runtime Environment (JRE)). If no chain-of-trust can be
established, and unless the -noprompt option has been specified,
the certificate is printed to STDOUT and the user is prompted for a
confirmation.

If the Alias exists in the key store, the tool will treat the
certificate(s) read from the input source as a Certificate Reply,
which can be a chain of certificates, that would eventually replace the chain
of certificates associated with the Key Entry of that Alias.
The substitution of the certificates only occurs if a chain-of-trust can be
established between the bottom certificate of the chain read from the input
file and the Trusted Certificates already present in the key store.
Again, if the -trustcacerts option is specified, additional
Trusted Certificates in the same cacerts key store will
be considered. If no chain-of-trust can be established, the operation will
abort.
Possible options for this command are:
- -alias ALIAS
  Every entry, be it a Key Entry or a Trusted Certificate, in a key store is uniquely identified by a user-defined Alias string. Use this option to specify the Alias to use when referring to an entry in the key store. A default value of mykey shall be used when this option is omitted from the command line.
- -file FILE_NAME
  The fully qualified path of the file to read from. If omitted, the tool will process STDIN.
- -keypass PASSWORD
  Use this option to specify the password which the tool will use to protect the Key Entry associated with the designated Alias, when replacing this Alias' chain of certificates with that found in the certificate reply. If this option is omitted, and the chain-of-trust for the certificate reply has been established, the tool will first attempt to unlock the Key Entry using the same password protecting the key store. If this fails, you will then be prompted to provide a password.
- -noprompt
  Use this option to prevent the tool from prompting the user.
- -trustcacerts
  Use this option to indicate to the tool that a key store, of type JKS, named cacerts, and usually located in lib/security in an installed Java Runtime Environment, should be considered when trying to establish chains-of-trust.
- -storetype STORE_TYPE
  Use this option to specify the type of the key store to use. The default value, if this option is omitted, is that of the property keystore.type in the security properties file, which is obtained by invoking the KeyStore.getDefaultType() static method.
- -keystore URL
  Use this option to specify the location of the key store to use. The default value is a file java.net.URL referencing the file named .keystore located in the path returned by the call to System.getProperty(String) using user.home as argument. If a URL was specified, but was found to be malformed (e.g. missing protocol element), the tool will attempt to use the URL value as a file name (with absolute or relative path-name) of a key store, as if the protocol was file:.
- -storepass PASSWORD
  Use this option to specify the password protecting the key store. If this option is omitted from the command line, you will be prompted to provide a password.
- -provider PROVIDER_CLASS_NAME
  A fully qualified class name of a Security Provider to add to the current list of Security Providers already installed in the JVM in use. If a provider class is specified with this option, and was successfully added to the runtime (i.e. it was not already installed), then the tool will attempt to remove this Security Provider before exiting.
- -v
  Use this option to enable more verbose output.
Field Summary
- private java.lang.String _alias
- private java.lang.String _certFileName
- private java.lang.String _ksPassword
- private java.lang.String _ksType
- private java.lang.String _ksURL
- private java.lang.String _password
- private java.lang.String _providerClassName
- protected java.lang.String alias: The Alias to use.
- private boolean imported
- protected java.io.InputStream inStream: The input stream the concrete handler will use.
- protected java.security.KeyPairGenerator keyPairGenerator: The key-pair generation algorithm instance to use.
- protected char[] keyPasswordChars: The password characters protecting a Key Entry.
- private static java.util.logging.Logger log
- private boolean noPrompt
- protected java.io.OutputStream outStream: The output stream the concrete handler will use.
- protected java.security.Provider provider: A security provider to add.
- protected static gnu.java.security.OID SHA1_WITH_DSA: OID of SHA1withDSA signature algorithm as stated in RFC-2459.
- protected java.security.Signature signatureAlgorithm: The digital signature algorithm instance to use.
- protected java.security.KeyStore store: The key store instance to use.
- protected char[] storePasswordChars: The password characters protecting the key store.
- protected java.io.InputStream storeStream: The input stream from the key store URL.
- protected java.lang.String storeType: The key store type.
- protected java.net.URL storeURL: The key store URL.
- protected boolean systemOut: Whether we are printing to System.out.
- private boolean trustCACerts
- protected int validityInDays: Validity period, in number of days, to use when generating certificates.
- protected boolean verbose: Whether verbose output is required or not.
- private java.security.cert.CertificateFactory x509Factory
Constructor Summary
- (package private) ImportCmd()
Method Summary
- private boolean areEqual(java.security.interfaces.DSAPublicKey pk1, java.security.interfaces.DSAPublicKey pk2)
- private boolean areEqual(java.security.interfaces.RSAPublicKey pk1, java.security.interfaces.RSAPublicKey pk2)
- protected java.lang.String digestWithMD5(byte[] contents): Digest the designated contents with MD5 and return a string representation suitable for use as a fingerprint; i.e. a sequence of hexadecimal pairs of characters separated by a colon.
- void doCommand(): A public method to allow using any keytool command handler programmatically by using a JavaBeans style of parameter(s) initialization.
- protected void ensureAliasIsKeyEntry(): Ensure that the currently set Alias is associated with a Key Entry in the currently set key store; otherwise throw an exception.
- private void ensureReplyIsOurs(java.util.Collection certificates): Check to ensure that alias's public key is the subject of the first certificate in the passed certificate collection.
- protected void ensureStoreContainsAlias(): Ensure that the currently set Alias is contained in the currently set key store; otherwise throw an exception.
- private boolean findTrustAndUpdate(java.util.LinkedList reply, boolean promptUser): Given an ordered list of certificates, this method attempts to validate the chain, and if successful, updates the key store entry for the designated alias.
- private java.security.cert.PKIXCertPathValidatorResult findTrustInCACerts(gnu.java.security.x509.X509CertPath certPath, java.security.cert.CertPathValidator validator)
- private java.security.cert.PKIXCertPathValidatorResult findTrustInStore(gnu.java.security.x509.X509CertPath certPath, java.security.cert.CertPathValidator validator)
- protected java.security.Key getAliasPrivateKey()
- protected javax.security.auth.callback.CallbackHandler getCallbackHandler(): Return a CallbackHandler which uses the Console (System.in and System.out) for interacting with the user.
- protected byte[] getSelfSignedCertificate(gnu.java.security.x509.X500DistinguishedName distinguishedName, java.security.PublicKey publicKey, java.security.PrivateKey privateKey): RFC-2459 (http://rfc.net/rfc2459.html) fully describes the structure and semantics of X.509 certificates.
- protected gnu.java.security.OID getSignatureAlgorithmOID(): This method attempts to find, and return, an OID representing the digital signature algorithm used to sign the certificate.
- private void importCertificate(java.security.cert.Certificate certificate): If the reply is a single X.509 certificate, keytool attempts to establish a trust chain, starting at the certificate reply and ending at a self-signed certificate (belonging to a root CA).
- private void importCertificateReply(): A certificate reply is a certificate, whose Owner is stored in the key store associated to the designated Alias, and now signed by supposedly a trusted CA (Certificate Authority).
- private void importChain(java.util.Collection chain): If the reply is a PKCS#7 formatted certificate chain, the chain is first ordered (with the user certificate first and the self-signed root CA certificate last), before keytool attempts to match the root CA certificate provided in the reply with any of the trusted certificates in the key store or the "cacerts" keystore file (if the -trustcacerts option was specified).
- private void importNewTrustedCertificate(): When importing a new trusted certificate, alias MUST NOT yet exist in the key store.
- private java.util.LinkedList orderChain(java.util.Collection chain)
- protected void printVerbose(java.security.cert.Certificate certificate): Convenience method.
- protected void printVerbose(java.security.cert.Certificate certificate, java.io.PrintWriter writer): Prints a human-readable form of the designated certificate to a designated java.io.PrintWriter.
- (package private) int processArgs(java.lang.String[] args, int i): Given a potential sub-array of options for this concrete handler, starting at position startIndex + 1, potentially followed by other commands and their options, this method sets up this concrete command handler with its own options and returns the index of the first unprocessed argument in the array.
- protected void saveKeyStore(): Convenience method.
- protected void saveKeyStore(char[] password): Saves the key store using the designated password.
- protected void setAlgorithmParams(java.lang.String kpAlg, java.lang.String sigAlg): Set both the key-pair generation algorithm, and the digital signature algorithm instances to use when generating new entries.
- void setAlias(java.lang.String alias)
- protected void setAliasParam(java.lang.String name): Set the Alias to use when associating Key Entries and Trusted Certificates in the current key store.
- void setFile(java.lang.String pathName)
- protected void setInputStreamParam(java.lang.String fileName)
- void setKeypass(java.lang.String password)
- protected void setKeyPasswordNoPrompt(java.lang.String password): Set the key password given a command line option argument.
- protected void setKeyPasswordParam(): Prompt the user to provide a password to protect a Key Entry in the key store.
- protected void setKeyPasswordParam(java.lang.String password): Set the key password given a command line option argument.
- void setKeystore(java.lang.String url)
- protected void setKeyStoreParams(java.lang.String className, java.lang.String type, java.lang.String password, java.lang.String url): Convenience method to set up the key store given its type, its password, its location and potentially a specialized security provider.
- protected void setKeystorePasswordParam(java.lang.String password)
- protected void setKeystoreTypeParam(java.lang.String type): Set the type of key store to initialize, load and use.
- protected void setKeystoreURLParam(java.lang.String url): Set the key store URL to use.
- void setNoprompt(java.lang.String flag)
- protected void setOutputStreamParam(java.lang.String fileName)
- void setProvider(java.lang.String className)
- protected void setProviderClassNameParam(java.lang.String className): Set a security provider class name to (install and) use for key store related operations.
- protected void setSignatureAlgorithmParam(java.lang.String algorithm, java.security.Key privateKey): Set the signature algorithm to use when digitally signing private keys, certificates, etc.
- void setStorepass(java.lang.String password)
- void setStoretype(java.lang.String type)
- void setTrustcacerts(java.lang.String flag)
- (package private) void setup(): Initialize this concrete command handler for later invocation of the start() or Command.doCommand() methods.
- protected void setValidityParam(java.lang.String days): Set the validity period, in number of days, to use when issuing new certificates.
- void setVerbose(java.lang.String flag)
- (package private) void start(): Do the real work this handler is supposed to do.
- (package private) void teardown(): Tear down the handler, releasing any resources which may have been allocated at setup time.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail
log
private static final java.util.logging.Logger log
_alias
private java.lang.String _alias
_certFileName
private java.lang.String _certFileName
_password
private java.lang.String _password
noPrompt
private boolean noPrompt
trustCACerts
private boolean trustCACerts
_ksType
private java.lang.String _ksType
_ksURL
private java.lang.String _ksURL
_ksPassword
private java.lang.String _ksPassword
_providerClassName
private java.lang.String _providerClassName
x509Factory
private java.security.cert.CertificateFactory x509Factory
imported
private boolean imported
SHA1_WITH_DSA
protected static final gnu.java.security.OID SHA1_WITH_DSA
- OID of SHA1withDSA signature algorithm as stated in RFC-2459.
alias
protected java.lang.String alias
- The Alias to use.
keyPasswordChars
protected char[] keyPasswordChars
- The password characters protecting a Key Entry.
provider
protected java.security.Provider provider
- A security provider to add.
storeType
protected java.lang.String storeType
- The key store type.
storePasswordChars
protected char[] storePasswordChars
- The password characters protecting the key store.
storeURL
protected java.net.URL storeURL
- The key store URL.
storeStream
protected java.io.InputStream storeStream
- The input stream from the key store URL.
store
protected java.security.KeyStore store
- The key store instance to use.
outStream
protected java.io.OutputStream outStream
- The output stream the concrete handler will use.
systemOut
protected boolean systemOut
- Whether we are printing to System.out.
keyPairGenerator
protected java.security.KeyPairGenerator keyPairGenerator
- The key-pair generation algorithm instance to use.
signatureAlgorithm
protected java.security.Signature signatureAlgorithm
- The digital signature algorithm instance to use.
validityInDays
protected int validityInDays
- Validity period, in number of days, to use when generating certificates.
inStream
protected java.io.InputStream inStream
- The input stream the concrete handler will use.
verbose
protected boolean verbose
- Whether verbose output is required or not.
Constructor Detail
ImportCmd
ImportCmd()
Method Detail
setAlias
public void setAlias(java.lang.String alias)
setFile
public void setFile(java.lang.String pathName)
setKeypass
public void setKeypass(java.lang.String password)
setNoprompt
public void setNoprompt(java.lang.String flag)
setTrustcacerts
public void setTrustcacerts(java.lang.String flag)
setStoretype
public void setStoretype(java.lang.String type)
setKeystore
public void setKeystore(java.lang.String url)
setStorepass
public void setStorepass(java.lang.String password)
setProvider
public void setProvider(java.lang.String className)
processArgs
int processArgs(java.lang.String[] args, int i)
- Description copied from class: Command
  Given a potential sub-array of options for this concrete handler, starting at position startIndex + 1, potentially followed by other commands and their options, this method sets up this concrete command handler with its own options and returns the index of the first unprocessed argument in the array. The general contract of this method is that it is invoked with the startIndex argument pointing to the keyword argument that uniquely identifies the command itself; e.g. -genkey or -list, etc.
- Specified by: processArgs in class Command
setup
void setup()
throws java.lang.Exception
- Description copied from class: Command
  Initialize this concrete command handler for later invocation of the Command.start() or Command.doCommand() methods. Handlers usually initialize their local variables and resources within the scope of this call.
start
void start()
throws java.security.cert.CertificateException,
java.security.KeyStoreException,
java.io.IOException,
javax.security.auth.callback.UnsupportedCallbackException,
java.security.NoSuchAlgorithmException,
java.security.cert.CertPathValidatorException,
java.security.UnrecoverableKeyException
- Description copied from class: Command
  Do the real work this handler is supposed to do. The code in this (abstract) class throws a "Not implemented yet" runtime exception. Concrete implementations MUST override this method.
importNewTrustedCertificate
private void importNewTrustedCertificate()
throws java.security.cert.CertificateException,
java.security.KeyStoreException,
java.security.NoSuchAlgorithmException,
java.io.IOException,
javax.security.auth.callback.UnsupportedCallbackException,
java.security.cert.CertPathValidatorException,
java.security.UnrecoverableKeyException
- When importing a new trusted certificate, alias MUST NOT yet exist in the key store.
  Before adding the certificate to the key store and associating it with the designated Alias, this method tries to verify it by attempting to construct a chain of trust from that certificate to a self-signed certificate (belonging to a root CA), using (already) trusted certificates that are available in the key store.
  If the -trustcacerts option was detected on the command line, additional trusted certificates are considered for establishing the chain of trust. Those additional certificates are assumed to be in a key store, of type JKS, named cacerts and usually located in ${JAVA_HOME}/lib/security, where ${JAVA_HOME} is the root folder location of a Java runtime.
  If this method fails to establish a trust path from the certificate to be imported up to a trusted self-signed certificate, the certificate is printed to STDOUT, and the user is prompted to verify it, with the option of aborting the import operation. If however the option -noprompt was detected on the command line, no interaction with the user will take place and the import operation will abort.
importCertificateReply
private void importCertificateReply()
throws java.security.cert.CertificateException,
java.io.IOException,
javax.security.auth.callback.UnsupportedCallbackException,
java.security.KeyStoreException,
java.security.NoSuchAlgorithmException,
java.security.cert.CertPathValidatorException,
java.security.UnrecoverableKeyException
- A certificate reply is a certificate, whose Owner is stored in the key store associated to the designated Alias, and now signed by supposedly a trusted CA (Certificate Authority). In other words, the Subject in this certificate reply is Alias's own and the Issuer is a CA.
  When importing a certificate reply, the reply is validated using trusted certificates from the key store, and optionally (if the option -trustcacerts was detected on the command line) certificates found in the key store, of type JKS, named cacerts, located in ${JAVA_HOME}/lib/security, where ${JAVA_HOME} is the root folder location of a Java runtime.
importCertificate
private void importCertificate(java.security.cert.Certificate certificate) throws java.security.NoSuchAlgorithmException, java.security.cert.CertPathValidatorException, java.security.KeyStoreException, java.security.UnrecoverableKeyException, java.io.IOException, javax.security.auth.callback.UnsupportedCallbackException, java.security.cert.CertificateException
- If the reply is a single X.509 certificate, keytool attempts to establish a
trust chain, starting at the certificate reply and ending at a self-signed
certificate (belonging to a root CA). The certificate reply and the
hierarchy of certificates used to authenticate the certificate reply form
the new certificate chain of alias. If a trust chain cannot be established,
the certificate reply is not imported. In this case, keytool does not print
out the certificate, nor does it prompt the user to verify it. This is
because it is very hard (if not impossible) for a user to determine the
authenticity of the certificate reply.
importChain
private void importChain(java.util.Collection chain) throws java.security.NoSuchAlgorithmException, java.security.cert.CertPathValidatorException, java.security.KeyStoreException, java.security.UnrecoverableKeyException, java.io.IOException, javax.security.auth.callback.UnsupportedCallbackException, java.security.cert.CertificateException
- If the reply is a PKCS#7 formatted certificate chain, the chain is first
ordered (with the user certificate first and the self-signed root CA
certificate last), before keytool attempts to match the root CA certificate
provided in the reply with any of the trusted certificates in the key store
or the "cacerts" keystore file (if the -trustcacerts option was specified).
If no match can be found, the information of the root CA certificate is
printed out, and the user is prompted to verify it, e.g., by comparing the
displayed certificate fingerprints with the fingerprints obtained from some
other (trusted) source of information, which might be the root CA itself.
The user then has the option of aborting the import operation. If the
-noprompt option is given, however, there will be no interaction with the
user.
ensureReplyIsOurs
private void ensureReplyIsOurs(java.util.Collection certificates) throws java.io.IOException, javax.security.auth.callback.UnsupportedCallbackException, java.security.KeyStoreException
- Check to ensure that alias's public key is the subject of the first
certificate in the passed certificate collection. Throws an exception if
the public keys do not match.
areEqual
private boolean areEqual(java.security.interfaces.DSAPublicKey pk1, java.security.interfaces.DSAPublicKey pk2)
areEqual
private boolean areEqual(java.security.interfaces.RSAPublicKey pk1, java.security.interfaces.RSAPublicKey pk2)
orderChain
private java.util.LinkedList orderChain(java.util.Collection chain)
findTrustAndUpdate
private boolean findTrustAndUpdate(java.util.LinkedList reply, boolean promptUser) throws java.io.IOException, java.security.NoSuchAlgorithmException, java.security.cert.CertPathValidatorException, java.security.KeyStoreException, java.security.UnrecoverableKeyException, javax.security.auth.callback.UnsupportedCallbackException, java.security.cert.CertificateEncodingException
- Given an ordered list of certificates, this method attempts to validate the chain, and if successful, updates the key store entry for the designated alias. The list of certificates is expected to be ordered as a chain, where the first is the alias's own certificate and the last is a self-signed CA certificate.
  If promptUser is true, then even if no trust anchor certificate is found, the user is prompted to approve, or not, the import operation. On the other hand, if the promptUser parameter is false, then this method will throw an exception if no trust anchor is to be found.
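The trust decision described in the class description and in importNewTrustedCertificate, importCertificateReply and findTrustAndUpdate above, as an added example written against the standard java.security.cert API; it is not GNU Classpath's code. It assumes the caller has already loaded the key store (and cacerts, when -trustcacerts was given); the prefix loop, the encoded-key comparison that generalises the RSA/DSA areEqual pair, and the disabled revocation check are this example's own choices, not documented keytool behaviour.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/** Added example (not GNU Classpath code): the trust decision behind keytool -import for a reply. */
public final class ReplyImportCheck {

    /** Every Trusted Certificate entry of a key store becomes a PKIX trust anchor. */
    static Set<TrustAnchor> anchorsFrom(KeyStore ks) throws KeyStoreException {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            Certificate c = ks.getCertificate(a);
            if (ks.isCertificateEntry(a) && c instanceof X509Certificate)
                anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        return anchors;
    }

    /** orderChain: sort a PKCS#7 reply leaf-first, each certificate issued by the one after it. */
    static LinkedList<X509Certificate> orderChain(Collection<X509Certificate> reply) {
        // The end-entity certificate is the one whose subject issues no other certificate in the reply.
        Set<X500Principal> issuers = new HashSet<>();
        for (X509Certificate c : reply)
            if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal()))
                issuers.add(c.getIssuerX500Principal());
        X509Certificate current = null;
        for (X509Certificate c : reply)
            if (!issuers.contains(c.getSubjectX500Principal())) { current = c; break; }
        if (current == null) throw new IllegalArgumentException("reply contains no end-entity certificate");
        LinkedList<X509Certificate> chain = new LinkedList<>();
        while (current != null && !chain.contains(current)) {   // contains() guards against loops
            chain.add(current);
            X500Principal wanted = current.getIssuerX500Principal();
            X509Certificate next = null;
            for (X509Certificate c : reply)
                if (c != current && c.getSubjectX500Principal().equals(wanted)) { next = c; break; }
            current = next;                                      // null once a self-signed cert is reached
        }
        return chain;
    }

    /** ensureReplyIsOurs, generalised to any key type: compare the encoded SubjectPublicKeyInfo. */
    static boolean replyIsOurs(KeyStore ks, String alias, X509Certificate leaf) throws KeyStoreException {
        Certificate own = ks.getCertificate(alias);
        return own != null
            && Arrays.equals(own.getPublicKey().getEncoded(), leaf.getPublicKey().getEncoded());
    }

    /** Core of findTrustAndUpdate: does the ordered chain reach one of the trust anchors? */
    static boolean chainIsTrusted(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        if (anchors.isEmpty()) return false;                  // PKIXParameters rejects an empty set
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);                   // assumption: no CRL/OCSP lookup, like keytool
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        // PKIX expects the path to end just below an anchor, so each prefix of the chain is tried:
        // [leaf], [leaf, intermediate], ... The first one that validates (signatures, validity
        // period, name chaining, basic constraints) establishes the chain-of-trust.
        for (int n = 1; n <= chain.size(); n++) {
            try {
                validator.validate(factory.generateCertPath(chain.subList(0, n)), params);
                return true;
            } catch (CertPathValidatorException notThisPrefix) {
                // no anchor issues chain[n-1], or a check failed: try the next prefix
            }
        }
        return false;
    }

    /**
     * The -import decision for an existing alias: the chain to store under the alias, or null
     * when no chain-of-trust exists (keytool then aborts instead of prompting). cacerts is the
     * already loaded cacerts store when -trustcacerts was given, otherwise null.
     */
    static List<X509Certificate> decideReplyImport(KeyStore store, KeyStore cacerts, String alias,
                                                   Collection<X509Certificate> reply) throws Exception {
        if (!store.isKeyEntry(alias))
            throw new KeyStoreException(alias + " is not a Key Entry");
        LinkedList<X509Certificate> chain = orderChain(reply);
        if (!replyIsOurs(store, alias, chain.getFirst()))
            throw new KeyStoreException("reply is not for the public key stored under " + alias);
        Set<TrustAnchor> anchors = anchorsFrom(store);
        if (cacerts != null) anchors.addAll(anchorsFrom(cacerts));
        return chainIsTrusted(chain, anchors) ? chain : null;
    }
}
```

A non-null result is what findTrustAndUpdate would write back with KeyStore.setKeyEntry under the alias's key password; the reply itself can be read with CertificateFactory.generateCertificates, which accepts both a single X.509 certificate and a PKCS#7 bundle.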
findTrustInStore
private java.security.cert.PKIXCertPathValidatorResult findTrustInStore(gnu.java.security.x509.X509CertPath certPath, java.security.cert.CertPathValidator validator)
findTrustInCACerts
private java.security.cert.PKIXCertPathValidatorResult findTrustInCACerts(gnu.java.security.x509.X509CertPath certPath, java.security.cert.CertPathValidator validator)
doCommand
public void doCommand()
throws java.lang.Exception
- A public method to allow using any keytool command handler programmatically
by using a JavaBeans style of parameter(s) initialization. The user is
assumed to have set individually the required options through their
respective setters before invoking this method.
If an exception is encountered during the processing of the command, this implementation attempts to release any resources that may have been allocated at the time the exception occurs, before re-throwing that exception.
setVerbose
public void setVerbose(java.lang.String flag)
teardown
void teardown()
- Tear down the handler, releasing any resources which may have been
allocated at setup time.
setKeyStoreParams
protected void setKeyStoreParams(java.lang.String className, java.lang.String type, java.lang.String password, java.lang.String url) throws java.io.IOException, javax.security.auth.callback.UnsupportedCallbackException, java.security.KeyStoreException, java.security.NoSuchAlgorithmException, java.security.cert.CertificateException
- Convenience method to set up the key store given its type, its password, its
location and potentially a specialized security provider.
setProviderClassNameParam
protected void setProviderClassNameParam(java.lang.String className)
- Set a security provider class name to (install and) use for key store
related operations.
setKeystoreTypeParam
protected void setKeystoreTypeParam(java.lang.String type)
- Set the type of key store to initialize, load and use.
setKeyPasswordParam
protected void setKeyPasswordParam(java.lang.String password) throws java.io.IOException, javax.security.auth.callback.UnsupportedCallbackException
- Set the key password given a command line option argument. If no value was
present on the command line then prompt the user to provide one.
setAliasParam
protected void setAliasParam(java.lang.String name)
- Set the Alias to use when associating Key Entries and Trusted Certificates
in the current key store.
setKeyPasswordNoPrompt
protected void setKeyPasswordNoPrompt(java.lang.String password)
- Set the key password given a command line option argument.
setKeyPasswordParam
protected void setKeyPasswordParam()
throws java.io.IOException,
javax.security.auth.callback.UnsupportedCallbackException
- Prompt the user to provide a password to protect a Key Entry in the key
store.
setKeystorePasswordParam
protected void setKeystorePasswordParam(java.lang.String password) throws java.io.IOException, javax.security.auth.callback.UnsupportedCallbackException
setKeystoreURLParam
protected void setKeystoreURLParam(java.lang.String url) throws java.io.IOException, java.security.KeyStoreException, javax.security.auth.callback.UnsupportedCallbackException, java.security.NoSuchAlgorithmException, java.security.cert.CertificateException
- Set the key store URL to use.
setOutputStreamParam
protected void setOutputStreamParam(java.lang.String fileName) throws java.lang.SecurityException, java.io.IOException
setInputStreamParam
protected void setInputStreamParam(java.lang.String fileName) throws java.io.FileNotFoundException
setAlgorithmParams
protected void setAlgorithmParams(java.lang.String kpAlg, java.lang.String sigAlg) throws java.security.NoSuchAlgorithmException
- Set both the key-pair generation algorithm, and the digital signature
algorithm instances to use when generating new entries.
setSignatureAlgorithmParam
protected void setSignatureAlgorithmParam(java.lang.String algorithm, java.security.Key privateKey) throws java.security.NoSuchAlgorithmException
- Set the signature algorithm to use when digitally signing private keys, certificates, etc.
  If the designated algorithm name is null or is an empty string, this method checks the private key (the second argument) and based on its type decides which algorithm to use. The keytool public specification states that if the private key is a DSA key, then the signature algorithm will be SHA1withDSA; otherwise, if it is an RSA private key, then the signature algorithm will be MD5withRSA. If the private key is neither a private DSA nor a private RSA key, then this method throws a java.lang.IllegalArgumentException.
setValidityParam
protected void setValidityParam(java.lang.String days)
- Set the validity period, in number of days, to use when issuing new
certificates.
getSelfSignedCertificate
protected byte[] getSelfSignedCertificate(gnu.java.security.x509.X500DistinguishedName distinguishedName, java.security.PublicKey publicKey, java.security.PrivateKey privateKey) throws java.io.IOException, java.security.SignatureException, java.security.InvalidKeyException
- RFC-2459 (http://rfc.net/rfc2459.html) fully describes the structure and
semantics of X.509 certificates. The ASN.1 structures below are gleaned
from that reference.

    Certificate ::= SEQUENCE {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING
    }

    TBSCertificate ::= SEQUENCE {
        version              [0] EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo
    }

    Version ::= INTEGER { v1(0), v2(1), v3(2) }

    CertificateSerialNumber ::= INTEGER

    Validity ::= SEQUENCE {
        notBefore            Time,
        notAfter             Time
    }

    Time ::= CHOICE {
        utcTime              UTCTime,
        generalTime          GeneralizedTime
    }

    UniqueIdentifier ::= BIT STRING

    SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm            AlgorithmIdentifier,
        subjectPublicKey     BIT STRING
    }
getSignatureAlgorithmOID
protected gnu.java.security.OID getSignatureAlgorithmOID()
- This method attempts to find, and return, an OID representing the digital
signature algorithm used to sign the certificate. The OIDs returned are
those described in RFC-2459. They are listed here for the sake of
completeness.

    id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 }

    md2WithRSAEncryption OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 2 }

    md5WithRSAEncryption OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }

    sha-1WithRSAEncryption OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

  IMPORTANT: This method checks the signature algorithm name against (a) the GNU algorithm implementation's name, and (b) publicly referenced names of the same algorithm. In other words, this search is not comprehensive and may fail for uncommon names of the same algorithms.
saveKeyStore
protected void saveKeyStore(char[] password)
throws java.io.IOException,
java.security.KeyStoreException,
java.security.NoSuchAlgorithmException,
java.security.cert.CertificateException
- Saves the key store using the designated password. This operation is called
by handlers if/when the key store password has changed, or amendments have
been made to the contents of the store; e.g. addition of a new Key Entry or
a Trusted Certificate.
saveKeyStore
protected void saveKeyStore()
throws java.io.IOException,
java.security.KeyStoreException,
java.security.NoSuchAlgorithmException,
java.security.cert.CertificateException
- Convenience method. Calls the method with the same name passing it the
same password characters used to initially load the key-store.
printVerbose
protected void printVerbose(java.security.cert.Certificate certificate, java.io.PrintWriter writer) throws java.security.cert.CertificateEncodingException
- Prints a human-readable form of the designated certificate to a designated
java.io.PrintWriter.
printVerbose
protected void printVerbose(java.security.cert.Certificate certificate) throws java.security.cert.CertificateEncodingException
- Convenience method. Prints a human-readable form of the designated
certificate to System.out.
digestWithMD5
protected java.lang.String digestWithMD5(byte[] contents)
- Digest the designated contents with MD5 and return a string representation
suitable for use as a fingerprint; i.e. sequence of hexadecimal pairs of
characters separated by a colon.
ensureStoreContainsAlias
protected void ensureStoreContainsAlias()
throws java.security.KeyStoreException
- Ensure that the currently set Alias is contained in the currently set key
store; otherwise throw an exception.
ensureAliasIsKeyEntry
protected void ensureAliasIsKeyEntry()
throws java.security.KeyStoreException
- Ensure that the currently set Alias is associated with a Key Entry in the
currently set key store; otherwise throw an exception.
getAliasPrivateKey
protected java.security.Key getAliasPrivateKey() throws java.security.KeyStoreException, java.security.NoSuchAlgorithmException, java.io.IOException, javax.security.auth.callback.UnsupportedCallbackException, java.security.UnrecoverableKeyException
getCallbackHandler
protected javax.security.auth.callback.CallbackHandler getCallbackHandler()
- Return a CallbackHandler which uses the Console (System.in and System.out)
for interacting with the user.
This method first finds all currently installed security providers capable of providing such service and then in turn attempts to instantiate the handler from those providers. As soon as one provider returns a non-null instance of the callback handler, the search stops and that instance is set to be used from now on.
If no installed providers were found, this method falls back on the GNU provider, by-passing the Security search mechanism. The default console callback handler implementation is gnu.javax.security.auth.callback.ConsoleCallbackHandler.