Package org.mozilla.jss.pkcs11
Class PK11Token
- java.lang.Object
-
- org.mozilla.jss.pkcs11.PK11Token
-
- All Implemented Interfaces:
CryptoToken
public final class PK11Token extends java.lang.Object implements CryptoToken
A PKCS #11 token. Currently, these can only be obtained from the CryptoManager class.- See Also:
CryptoManager
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classPK11Token.NotInitializedExceptionThrown if the operation requires that the token be logged in, and it isn't.
-
Field Summary
Fields Modifier and Type Field Description protected PK11StorecryptoStoreprotected booleanmIsInternalCryptoTokenprotected booleanmIsInternalKeyStorageTokenprotected TokenProxytokenProxy-
Fields inherited from interface org.mozilla.jss.crypto.CryptoToken
EVERY_TIME, ONE_TIME, TIMEOUT
-
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected voidchangePassword(byte[] oldPIN, byte[] newPIN)Change the password on the token from the old one to the new one.voidchangePassword(PasswordCallback oldPINcb, PasswordCallback newPINcb)Change password.SymmetricKeycloneKey(SymmetricKey key)Allows a SymmetricKey to be cloned on a different token.booleandoesAlgorithm(Algorithm alg)Determines whether this token is capable of performing the given algorithm.booleanequals(java.lang.Object obj)Deep-comparison operator.java.lang.StringgenerateCertRequest(java.lang.String subject, int keysize, java.lang.String keyType, byte[] P, byte[] Q, byte[] G)Generates a PKCS#10 certificate request including Begin/End bracketsprotected java.lang.StringgeneratePK10(java.lang.String subject, int keysize, java.lang.String keyType, byte[] P, byte[] Q, byte[] G)CiphergetCipherContext(EncryptionAlgorithm algorithm)Creates a Cipher object, which can be used for encryption and decryption.CryptoStoregetCryptoStore()Get the CryptoStore interface to this token's objects.JSSMessageDigestgetDigestContext(DigestAlgorithm algorithm)Creates a Digest object.KeyGeneratorgetKeyGenerator(KeyGenAlgorithm algorithm)Creates a KeyGenerator object, which can be used to generate symmetric encryption keys.KeyPairGeneratorgetKeyPairGenerator(KeyPairAlgorithm algorithm)Creates a KeyPairGenerator object, which can be used to generate key pairs.KeyWrappergetKeyWrapper(KeyWrapAlgorithm algorithm)intgetLoginMode()Returns the login mode of this token: ONE_TIME, TIMEOUT, or EVERY_TIME.intgetLoginTimeoutMinutes()Returns the login timeout period.java.lang.StringgetName()Obtain the nickname, or label, of this token.java.security.ProvidergetProvider()TokenProxygetProxy()java.security.SecureRandomgetRandomGenerator()SignaturegetSignatureContext(SignatureAlgorithm algorithm)Creates a Signature object, which can perform signing and signature verification.PK11SymmetricKeyDerivergetSymmetricKeyDeriver()voidimportPublicKey(java.security.PublicKey pubKey, boolean permanent)protected voidinitPassword(byte[] ssopw, byte[] userpw)voidinitPassword(PasswordCallback ssopwcb, PasswordCallback userpwcb)Initialize PIN.booleanisInternalCryptoToken()booleanisInternalKeyStorageToken()booleanisLoggedIn()Find out if the token is currently logged in.booleanisPresent()Determines if the given token is present on the system.booleanisWritable()voidlogin(PasswordCallback callback)Log into the token.voidlogout()Log out of the token.protected PasswordCallbackInfomakePWCBInfo()protected voidnativeLogin(PasswordCallback callback)booleanneedsLogin()returns true if this token needs to be logged into before it can be used.booleanpasswordIsInitialized()Determine whether the token has been initialized yet.protected booleanPWInitable()Make sure the PIN can be initialized.voidsetLoginMode(int mode)Sets the login mode of this token.voidsetLoginTimeoutMinutes(int timeoutMinutes)Sets the timeout period for logging in.protected booleanSSOPasswordIsCorrect(byte[] ssopw)protected booleanuserPasswordIsCorrect(byte[] pw)Check the given password, return true if it's right, false if it's wrong.
-
-
-
Field Detail
-
tokenProxy
protected TokenProxy tokenProxy
-
cryptoStore
protected PK11Store cryptoStore
-
mIsInternalCryptoToken
protected boolean mIsInternalCryptoToken
-
mIsInternalKeyStorageToken
protected boolean mIsInternalKeyStorageToken
-
-
Method Detail
-
getSignatureContext
public Signature getSignatureContext(SignatureAlgorithm algorithm) throws java.security.NoSuchAlgorithmException, TokenException
Description copied from interface:CryptoTokenCreates a Signature object, which can perform signing and signature verification. Signing and verification cryptographic operations will take place on this token. The signing key must be located on this token.- Specified by:
getSignatureContextin interfaceCryptoToken- Parameters:
algorithm- The algorithm used for the signing/verification.- Throws:
java.security.NoSuchAlgorithmException- If the given algorithm is not supported by this provider.TokenException
-
getDigestContext
public JSSMessageDigest getDigestContext(DigestAlgorithm algorithm) throws java.security.NoSuchAlgorithmException, java.security.DigestException
Description copied from interface:CryptoTokenCreates a Digest object. Digesting cryptographic operations will take place on this token.- Specified by:
getDigestContextin interfaceCryptoToken- Parameters:
algorithm- The algorithm used for digesting.- Throws:
java.security.NoSuchAlgorithmException- If this provider does not support the given algorithm.java.security.DigestException
-
getCipherContext
public Cipher getCipherContext(EncryptionAlgorithm algorithm) throws java.security.NoSuchAlgorithmException, TokenException
Description copied from interface:CryptoTokenCreates a Cipher object, which can be used for encryption and decryption. Cryptographic operations will take place on this token. The keys used in the operations must be located on this token.- Specified by:
getCipherContextin interfaceCryptoToken- Parameters:
algorithm- The algorithm used for encryption/decryption.- Throws:
java.security.NoSuchAlgorithmException- If this provider does not support the given algorithm.TokenException
-
getKeyGenerator
public KeyGenerator getKeyGenerator(KeyGenAlgorithm algorithm) throws java.security.NoSuchAlgorithmException, TokenException
Description copied from interface:CryptoTokenCreates a KeyGenerator object, which can be used to generate symmetric encryption keys. Any keys generated with this KeyGenerator will be generated on this token.- Specified by:
getKeyGeneratorin interfaceCryptoToken- Parameters:
algorithm- The algorithm that the keys will be used with.- Throws:
java.security.NoSuchAlgorithmException- If this token does not support the given algorithm.TokenException
-
cloneKey
public SymmetricKey cloneKey(SymmetricKey key) throws SymmetricKey.NotExtractableException, java.security.InvalidKeyException, TokenException
Allows a SymmetricKey to be cloned on a different token.- Specified by:
cloneKeyin interfaceCryptoToken- Throws:
SymmetricKey.NotExtractableException- If the key material cannot be extracted from the current token.java.security.InvalidKeyException- If the owning token cannot process the key to be cloned.TokenException
-
getSymmetricKeyDeriver
public PK11SymmetricKeyDeriver getSymmetricKeyDeriver()
- Specified by:
getSymmetricKeyDeriverin interfaceCryptoToken
-
getKeyWrapper
public KeyWrapper getKeyWrapper(KeyWrapAlgorithm algorithm) throws java.security.NoSuchAlgorithmException, TokenException
- Specified by:
getKeyWrapperin interfaceCryptoToken- Throws:
java.security.NoSuchAlgorithmExceptionTokenException
-
getRandomGenerator
public java.security.SecureRandom getRandomGenerator() throws NotImplementedException, TokenException
-
getKeyPairGenerator
public KeyPairGenerator getKeyPairGenerator(KeyPairAlgorithm algorithm) throws java.security.NoSuchAlgorithmException, TokenException
Description copied from interface:CryptoTokenCreates a KeyPairGenerator object, which can be used to generate key pairs. Any keypairs generated with this generator will be generated on this token.- Specified by:
getKeyPairGeneratorin interfaceCryptoToken- Parameters:
algorithm- The algorithm that the keys will be used with (RSA, DSA, EC, etc.)- Throws:
java.security.NoSuchAlgorithmException- If this token does not support the given algorithm.TokenException
-
isLoggedIn
public boolean isLoggedIn() throws TokenExceptionDescription copied from interface:CryptoTokenFind out if the token is currently logged in.- Specified by:
isLoggedInin interfaceCryptoToken- Throws:
TokenException- See Also:
CryptoToken.login(org.mozilla.jss.util.PasswordCallback),CryptoToken.logout()
-
needsLogin
public boolean needsLogin() throws TokenExceptionDescription copied from interface:CryptoTokenreturns true if this token needs to be logged into before it can be used.- Specified by:
needsLoginin interfaceCryptoToken- Throws:
TokenException- See Also:
CryptoToken.login(org.mozilla.jss.util.PasswordCallback),CryptoToken.logout()
-
login
public void login(PasswordCallback callback) throws PK11Token.NotInitializedException, IncorrectPasswordException, TokenException
Log into the token. If you are already logged in, this method has no effect, even if the PIN is wrong.- Specified by:
loginin interfaceCryptoToken- Parameters:
callback- A callback to use to obtain the password, or a Password object.- Throws:
PK11Token.NotInitializedException- The token has not yet been initialized.IncorrectPasswordException- The specified password was incorrect.TokenException- See Also:
CryptoToken.setLoginMode(int),CryptoManager.setPasswordCallback(org.mozilla.jss.util.PasswordCallback)
-
nativeLogin
protected void nativeLogin(PasswordCallback callback) throws PK11Token.NotInitializedException, IncorrectPasswordException, TokenException
-
isWritable
public boolean isWritable()
- Returns:
- true if the token is writable, false if it is read-only. Writable tokens can have their keys generated on the internal token and then moved out.
-
isPresent
public boolean isPresent()
Determines if the given token is present on the system. This would return false, for example, for a smart card reader that didn't have a card inserted.- Specified by:
isPresentin interfaceCryptoToken
-
logout
public void logout() throws TokenExceptionLog out of the token.- Specified by:
logoutin interfaceCryptoToken- Throws:
TokenException- If you are already logged in, or an unspecified error occurs.
-
getLoginMode
public int getLoginMode() throws TokenExceptionDescription copied from interface:CryptoTokenReturns the login mode of this token: ONE_TIME, TIMEOUT, or EVERY_TIME. The default is ONE_TIME.- Specified by:
getLoginModein interfaceCryptoToken- Throws:
TokenException- If an error occurs on the token.- See Also:
CryptoToken.getLoginTimeoutMinutes()
-
setLoginMode
public void setLoginMode(int mode) throws TokenExceptionDescription copied from interface:CryptoTokenSets the login mode of this token.- Specified by:
setLoginModein interfaceCryptoToken- Parameters:
mode- ONE_TIME, TIMEOUT, or EVERY_TIME- Throws:
TokenException- If this mode is not supported by this token, or an error occurs on the token.- See Also:
CryptoToken.login(org.mozilla.jss.util.PasswordCallback),CryptoToken.setLoginTimeoutMinutes(int)
-
getLoginTimeoutMinutes
public int getLoginTimeoutMinutes() throws TokenExceptionDescription copied from interface:CryptoTokenReturns the login timeout period. The timeout is only used if the login mode is TIMEOUT.- Specified by:
getLoginTimeoutMinutesin interfaceCryptoToken- Throws:
TokenException- If an error occurs on the token.- See Also:
CryptoToken.getLoginMode()
-
setLoginTimeoutMinutes
public void setLoginTimeoutMinutes(int timeoutMinutes) throws TokenExceptionDescription copied from interface:CryptoTokenSets the timeout period for logging in. This will only be used if the login mode is TIMEOUT.- Specified by:
setLoginTimeoutMinutesin interfaceCryptoToken- Throws:
TokenException- If timeouts are not supported by this token, or an error occurs on the token.- See Also:
CryptoToken.setLoginMode(int)
-
initPassword
public void initPassword(PasswordCallback ssopwcb, PasswordCallback userpwcb) throws IncorrectPasswordException, AlreadyInitializedException, TokenException
Initialize PIN. This sets the user's new PIN, using the current security officer PIN for authentication.- Specified by:
initPasswordin interfaceCryptoToken- Parameters:
ssopwcb- The security officer's current password callback.userpwcb- The user's new password callback.- Throws:
IncorrectPasswordException- If the security officer PIN is incorrect.AlreadyInitializedException- If the password hasn't already been set.TokenException- If the PIN was already initialized, or there was an unspecified error in the token.
-
PWInitable
protected boolean PWInitable() throws TokenExceptionMake sure the PIN can be initialized. This is mainly to check the internal module.- Throws:
TokenException
-
SSOPasswordIsCorrect
protected boolean SSOPasswordIsCorrect(byte[] ssopw) throws TokenException, AlreadyInitializedException
-
initPassword
protected void initPassword(byte[] ssopw, byte[] userpw) throws IncorrectPasswordException, AlreadyInitializedException, TokenException
-
passwordIsInitialized
public boolean passwordIsInitialized() throws TokenExceptionDetermine whether the token has been initialized yet.- Specified by:
passwordIsInitializedin interfaceCryptoToken- Throws:
TokenException- If an error occurs on the token.
-
changePassword
public void changePassword(PasswordCallback oldPINcb, PasswordCallback newPINcb) throws IncorrectPasswordException, TokenException
Change password. This changes the user's PIN after it has already been initialized.- Specified by:
changePasswordin interfaceCryptoToken- Parameters:
oldPINcb- The user's old PIN callback.newPINcb- The new PIN callback.- Throws:
IncorrectPasswordException- If the old PIN is incorrect.TokenException- If some other error occurs on the token.
-
makePWCBInfo
protected PasswordCallbackInfo makePWCBInfo()
-
userPasswordIsCorrect
protected boolean userPasswordIsCorrect(byte[] pw) throws TokenExceptionCheck the given password, return true if it's right, false if it's wrong.- Throws:
TokenException
-
changePassword
protected void changePassword(byte[] oldPIN, byte[] newPIN) throws IncorrectPasswordException, TokenExceptionChange the password on the token from the old one to the new one.
-
getName
public java.lang.String getName()
Description copied from interface:CryptoTokenObtain the nickname, or label, of this token.- Specified by:
getNamein interfaceCryptoToken
-
getProvider
public java.security.Provider getProvider()
-
getCryptoStore
public CryptoStore getCryptoStore()
Description copied from interface:CryptoTokenGet the CryptoStore interface to this token's objects.- Specified by:
getCryptoStorein interfaceCryptoToken
-
equals
public boolean equals(java.lang.Object obj)
Deep-comparison operator.- Specified by:
equalsin interfaceCryptoToken- Overrides:
equalsin classjava.lang.Object- Returns:
- true if these tokens point to the same underlying native token.
false otherwise, or if
compareis null.
-
doesAlgorithm
public boolean doesAlgorithm(Algorithm alg)
Determines whether this token is capable of performing the given algorithm.- Specified by:
doesAlgorithmin interfaceCryptoToken- Parameters:
alg- A JSS algorithm. Note that for Signature, a token may fail to support a specific SignatureAlgorithm (such as RSASignatureWithMD5Digest) even though it does support the generic algorithm (RSASignature). In this case, the signature operation will be performed on that token, but the digest operation will be performed on the internal token.- Returns:
- true if the token supports the algorithm.
-
generateCertRequest
public java.lang.String generateCertRequest(java.lang.String subject, int keysize, java.lang.String keyType, byte[] P, byte[] Q, byte[] G) throws TokenException, java.security.InvalidParameterException, PQGParamGenExceptionGenerates a PKCS#10 certificate request including Begin/End brackets- Specified by:
generateCertRequestin interfaceCryptoToken- Parameters:
subject- subject dn of the certificatekeysize- size of the keykeyType- "rsa" or "dsa"P- The DSA prime parameterQ- The DSA sub-prime parameterG- The DSA base parameter- Returns:
- String that represents a PKCS#10 b64 encoded blob with begin/end brackets
- Throws:
TokenExceptionjava.security.InvalidParameterExceptionPQGParamGenException
-
generatePK10
protected java.lang.String generatePK10(java.lang.String subject, int keysize, java.lang.String keyType, byte[] P, byte[] Q, byte[] G) throws TokenException, java.security.InvalidParameterException- Throws:
TokenExceptionjava.security.InvalidParameterException
-
getProxy
public TokenProxy getProxy()
-
isInternalCryptoToken
public boolean isInternalCryptoToken()
- Returns:
- true if this is the internal token used for bulk crypto.
-
isInternalKeyStorageToken
public boolean isInternalKeyStorageToken()
- Returns:
- true if this is the internal key storage token.
-
importPublicKey
public void importPublicKey(java.security.PublicKey pubKey, boolean permanent) throws TokenException- Specified by:
importPublicKeyin interfaceCryptoToken- Throws:
TokenException
-
-