PKCSObjectIdentifiers, X509ObjectIdentifiers, BCKeyStorepublic class PKCS12KeyStoreUnlimited extends JDKPKCS12KeyStore
Default Java installations have restrictions on the use of strong cryptograhpy. This can be solved by installing java policy files, but it often is undesirable to require the a user to go through this. This class provides a workaround that circumvent the Java policy restrictions and allows opening PKCS#12 keystores with passwords longer than 7 characters.
You should use PKCS12KeyStoreUnlimited.getInstance() instead of
KeyStore.getInstance("PKCS12", "BC"). Now KeyStore.load(java.io.InputStream, char[]) and
and KeyStore.store(java.io.OutputStream, char[]) KeyStore.store(java.io.OutputStream, char[]) will work with passwords
longer than seven characters without the unlimited strength policy files
installed.
To illustrate, here is some code to read a certificate from a PKCS#12 file.
FileInputStream in = new FileInputStream("test.p12");
KeyStore store = PKCS12KeyStoreUnlimited.getInstance();
store.load(in, "thisismylongpassworduhoh".toCharArray());
Certificate cert = store.getCertificate("certificate alias");
This class has intricate knowledge of JCE and BouncyCastle internals. When these change, this class needs to be updated appropriately.
If you are using policy files to specify permissions, you may need to add the following to permit accessing JCE's private members, e.g.:
grant {
// allow access to JCE internals to bypass keysize restrictions
// as implemented by PKCS12KeyStoreUnlimited
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "accessDeclaredMembers";
}
This is tested continuously on CentOS 4, CentOS 5, Windows XP 32-bit, Windows 2003 32-bit, Mac OS X 10.4 and Mac OS X 10.5 with Java5 and Java6. In addition, OpenJDK is tested on CentOS 5. Many other platforms and configurations are tested occasionaly as well.
JDKPKCS12KeyStore.BCPKCS12KeyStore, JDKPKCS12KeyStore.BCPKCS12KeyStore3DES, JDKPKCS12KeyStore.DefPKCS12KeyStore, JDKPKCS12KeyStore.DefPKCS12KeyStore3DESrandombagtypes, canNotDecryptAny, certBag, certTypes, crlBag, crlTypes, data, des_EDE3_CBC, dhKeyAgreement, digestAlgorithm, digestedData, encryptedData, encryptionAlgorithm, envelopedData, id_aa, id_aa_commitmentType, id_aa_contentHint, id_aa_contentIdentifier, id_aa_contentReference, id_aa_encrypKeyPref, id_aa_ets_archiveTimestamp, id_aa_ets_certCRLTimestamp, id_aa_ets_certificateRefs, id_aa_ets_certValues, id_aa_ets_commitmentType, id_aa_ets_contentTimestamp, id_aa_ets_escTimeStamp, id_aa_ets_otherSigCert, id_aa_ets_revocationRefs, id_aa_ets_revocationValues, id_aa_ets_signerAttr, id_aa_ets_signerLocation, id_aa_ets_sigPolicyId, id_aa_msgSigDigest, id_aa_otherSigCert, id_aa_receiptRequest, id_aa_signatureTimeStampToken, id_aa_signerLocation, id_aa_signingCertificate, id_aa_signingCertificateV2, id_aa_sigPolicyId, id_alg_CMS3DESwrap, id_alg_CMSRC2wrap, id_alg_PWRI_KEK, id_ct, id_ct_authData, id_ct_authEnvelopedData, id_ct_compressedData, id_ct_timestampedData, id_ct_TSTInfo, id_cti, id_cti_ets_proofOfApproval, id_cti_ets_proofOfCreation, id_cti_ets_proofOfDelivery, id_cti_ets_proofOfOrigin, id_cti_ets_proofOfReceipt, id_cti_ets_proofOfSender, id_hmacWithSHA1, id_hmacWithSHA224, id_hmacWithSHA256, id_hmacWithSHA384, id_hmacWithSHA512, id_mgf1, id_PBES2, id_PBKDF2, id_pSpecified, id_RSAES_OAEP, id_RSASSA_PSS, id_spq, id_spq_ets_unotice, id_spq_ets_uri, keyBag, md2, md2WithRSAEncryption, md4, md4WithRSAEncryption, md5, md5WithRSAEncryption, pbeWithMD2AndDES_CBC, pbeWithMD2AndRC2_CBC, pbeWithMD5AndDES_CBC, pbeWithMD5AndRC2_CBC, pbeWithSHA1AndDES_CBC, pbeWithSHA1AndRC2_CBC, pbeWithSHAAnd128BitRC2_CBC, pbeWithSHAAnd128BitRC4, pbeWithSHAAnd2_KeyTripleDES_CBC, pbeWithSHAAnd3_KeyTripleDES_CBC, pbewithSHAAnd40BitRC2_CBC, pbeWithSHAAnd40BitRC4, pkcs_1, pkcs_12, pkcs_12PbeIds, pkcs_3, pkcs_5, pkcs_7, pkcs_9, pkcs_9_at_challengePassword, pkcs_9_at_contentType, pkcs_9_at_counterSignature, pkcs_9_at_emailAddress, pkcs_9_at_extendedCertificateAttributes, pkcs_9_at_extensionRequest, pkcs_9_at_friendlyName, pkcs_9_at_localKeyId, pkcs_9_at_messageDigest, pkcs_9_at_signingDescription, pkcs_9_at_signingTime, pkcs_9_at_smimeCapabilities, pkcs_9_at_unstructuredAddress, pkcs_9_at_unstructuredName, pkcs8ShroudedKeyBag, preferSignedData, RC2_CBC, rsaEncryption, safeContentsBag, sdsiCertificate, secretBag, sha1WithRSAEncryption, sha224WithRSAEncryption, sha256WithRSAEncryption, sha384WithRSAEncryption, sha512WithRSAEncryption, signedAndEnvelopedData, signedData, sMIMECapabilitiesVersions, srsaOAEPEncryptionSET, x509Certificate, x509certType, x509CrlcommonName, countryName, crlAccessMethod, id, id_ad, id_ad_caIssuers, id_ad_ocsp, id_at_name, id_at_telephoneNumber, id_ea_rsa, id_pe, id_pkix, id_SHA1, localityName, ocspAccessMethod, organization, organizationalUnitName, ripemd160, ripemd160WithRSAEncryption, stateOrProvinceName| Constructor | Description |
|---|---|
PKCS12KeyStoreUnlimited(Provider provider,
DERObjectIdentifier keyAlgorithm,
DERObjectIdentifier certAlgorithm) |
Standard constructor
|
PKCS12KeyStoreUnlimited(Provider provider,
JDKPKCS12KeyStore from) |
Kind of copy constructor
|
| Modifier and Type | Method | Description |
|---|---|---|
protected byte[] |
cipherCrypt(String algorithm,
SecretKey key,
boolean encrypt,
byte[] data,
PBEParameterSpec defParams) |
|
protected Key |
cipherUnwrap(String algorithm,
SecretKey key,
byte[] data,
PBEParameterSpec defParams) |
|
protected byte[] |
cipherWrap(String algorithm,
SecretKey key,
Key data,
PBEParameterSpec defParams) |
|
protected byte[] |
cryptData(boolean forEncryption,
AlgorithmIdentifier algId,
char[] password,
boolean wrongPKCS12Zero,
byte[] data) |
|
protected static DERObjectIdentifier[] |
getAlgorithm(JDKPKCS12KeyStore from) |
Extract algorithms from an object.
|
static KeyStore |
getInstance() |
Return a
KeyStore that circumvents JCE security restrictions. |
protected PrivateKey |
unwrapKey(AlgorithmIdentifier algId,
byte[] data,
char[] password,
boolean wrongPKCS12Zero) |
|
protected byte[] |
wrapKey(String algorithm,
Key key,
PKCS12PBEParams pbeParams,
char[] password) |
engineAliases, engineContainsAlias, engineDeleteEntry, engineGetCertificate, engineGetCertificateAlias, engineGetCertificateChain, engineGetCreationDate, engineGetKey, engineIsCertificateEntry, engineIsKeyEntry, engineLoad, engineSetCertificateEntry, engineSetKeyEntry, engineSetKeyEntry, engineSize, engineStore, engineStore, setRandomengineEntryInstanceOf, engineGetEntry, engineLoad, engineProbe, engineSetEntrypublic PKCS12KeyStoreUnlimited(Provider provider, DERObjectIdentifier keyAlgorithm, DERObjectIdentifier certAlgorithm)
public PKCS12KeyStoreUnlimited(Provider provider, JDKPKCS12KeyStore from)
public static KeyStore getInstance() throws KeyStoreException, NoSuchProviderException
KeyStore that circumvents JCE security restrictions.
This requires using BouncyCastle algorithms, that should be ok by default. Currently Cipher restrictions on key length are bypassed.
KeyStoreExceptionNoSuchProviderExceptionprotected static DERObjectIdentifier[] getAlgorithm(JDKPKCS12KeyStore from)
This method needs updating when bouncycastle adds implementations.
protected PrivateKey unwrapKey(AlgorithmIdentifier algId, byte[] data, char[] password, boolean wrongPKCS12Zero) throws IOException
Same as BouncyCastle's implementation, but calls BouncyCastle's cipher
directly instead of going via JCE's Cipher.
unwrapKey in class JDKPKCS12KeyStoreIOExceptionprotected byte[] wrapKey(String algorithm, Key key, PKCS12PBEParams pbeParams, char[] password) throws IOException
Same as BouncyCastle's implementation, but calls BouncyCastle's cipher
directly instead of going via JCE's Cipher.
wrapKey in class JDKPKCS12KeyStoreIOExceptionprotected byte[] cryptData(boolean forEncryption,
AlgorithmIdentifier algId,
char[] password,
boolean wrongPKCS12Zero,
byte[] data)
throws IOException
Same as BouncyCastle's implementation, but calls BouncyCastle's cipher
directly instead of going via JCE's Cipher.
cryptData in class JDKPKCS12KeyStoreIOExceptionprotected byte[] cipherCrypt(String algorithm, SecretKey key, boolean encrypt, byte[] data, PBEParameterSpec defParams) throws Exception
Exceptionprotected byte[] cipherWrap(String algorithm, SecretKey key, Key data, PBEParameterSpec defParams) throws Exception
ExceptionCopyright © 2010-2018 Nikhef / Stichting FOM. All Rights Reserved.