PKCSObjectIdentifiers
, X509ObjectIdentifiers
, BCKeyStore
public class PKCS12KeyStoreUnlimited extends JDKPKCS12KeyStore
Default Java installations have restrictions on the use of strong cryptograhpy. This can be solved by installing java policy files, but it often is undesirable to require the a user to go through this. This class provides a workaround that circumvent the Java policy restrictions and allows opening PKCS#12 keystores with passwords longer than 7 characters.
You should use PKCS12KeyStoreUnlimited.getInstance()
instead of
KeyStore.getInstance("PKCS12", "BC")
. Now KeyStore.load(java.io.InputStream, char[])
and
and KeyStore.store(java.io.OutputStream, char[])
KeyStore.store(java.io.OutputStream, char[])
will work with passwords
longer than seven characters without the unlimited strength policy files
installed.
To illustrate, here is some code to read a certificate from a PKCS#12 file.
FileInputStream in = new FileInputStream("test.p12");
KeyStore store = PKCS12KeyStoreUnlimited.getInstance();
store.load(in, "thisismylongpassworduhoh".toCharArray());
Certificate cert = store.getCertificate("certificate alias");
This class has intricate knowledge of JCE and BouncyCastle internals. When these change, this class needs to be updated appropriately.
If you are using policy files to specify permissions, you may need to add the following to permit accessing JCE's private members, e.g.:
grant {
// allow access to JCE internals to bypass keysize restrictions
// as implemented by PKCS12KeyStoreUnlimited
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "accessDeclaredMembers";
}
This is tested continuously on CentOS 4, CentOS 5, Windows XP 32-bit, Windows 2003 32-bit, Mac OS X 10.4 and Mac OS X 10.5 with Java5 and Java6. In addition, OpenJDK is tested on CentOS 5. Many other platforms and configurations are tested occasionaly as well.
JDKPKCS12KeyStore.BCPKCS12KeyStore, JDKPKCS12KeyStore.BCPKCS12KeyStore3DES, JDKPKCS12KeyStore.DefPKCS12KeyStore, JDKPKCS12KeyStore.DefPKCS12KeyStore3DES
random
bagtypes, canNotDecryptAny, certBag, certTypes, crlBag, crlTypes, data, des_EDE3_CBC, dhKeyAgreement, digestAlgorithm, digestedData, encryptedData, encryptionAlgorithm, envelopedData, id_aa, id_aa_commitmentType, id_aa_contentHint, id_aa_contentIdentifier, id_aa_contentReference, id_aa_encrypKeyPref, id_aa_ets_archiveTimestamp, id_aa_ets_certCRLTimestamp, id_aa_ets_certificateRefs, id_aa_ets_certValues, id_aa_ets_commitmentType, id_aa_ets_contentTimestamp, id_aa_ets_escTimeStamp, id_aa_ets_otherSigCert, id_aa_ets_revocationRefs, id_aa_ets_revocationValues, id_aa_ets_signerAttr, id_aa_ets_signerLocation, id_aa_ets_sigPolicyId, id_aa_msgSigDigest, id_aa_otherSigCert, id_aa_receiptRequest, id_aa_signatureTimeStampToken, id_aa_signerLocation, id_aa_signingCertificate, id_aa_signingCertificateV2, id_aa_sigPolicyId, id_alg_CMS3DESwrap, id_alg_CMSRC2wrap, id_alg_PWRI_KEK, id_ct, id_ct_authData, id_ct_authEnvelopedData, id_ct_compressedData, id_ct_timestampedData, id_ct_TSTInfo, id_cti, id_cti_ets_proofOfApproval, id_cti_ets_proofOfCreation, id_cti_ets_proofOfDelivery, id_cti_ets_proofOfOrigin, id_cti_ets_proofOfReceipt, id_cti_ets_proofOfSender, id_hmacWithSHA1, id_hmacWithSHA224, id_hmacWithSHA256, id_hmacWithSHA384, id_hmacWithSHA512, id_mgf1, id_PBES2, id_PBKDF2, id_pSpecified, id_RSAES_OAEP, id_RSASSA_PSS, id_spq, id_spq_ets_unotice, id_spq_ets_uri, keyBag, md2, md2WithRSAEncryption, md4, md4WithRSAEncryption, md5, md5WithRSAEncryption, pbeWithMD2AndDES_CBC, pbeWithMD2AndRC2_CBC, pbeWithMD5AndDES_CBC, pbeWithMD5AndRC2_CBC, pbeWithSHA1AndDES_CBC, pbeWithSHA1AndRC2_CBC, pbeWithSHAAnd128BitRC2_CBC, pbeWithSHAAnd128BitRC4, pbeWithSHAAnd2_KeyTripleDES_CBC, pbeWithSHAAnd3_KeyTripleDES_CBC, pbewithSHAAnd40BitRC2_CBC, pbeWithSHAAnd40BitRC4, pkcs_1, pkcs_12, pkcs_12PbeIds, pkcs_3, pkcs_5, pkcs_7, pkcs_9, pkcs_9_at_challengePassword, pkcs_9_at_contentType, pkcs_9_at_counterSignature, pkcs_9_at_emailAddress, pkcs_9_at_extendedCertificateAttributes, pkcs_9_at_extensionRequest, pkcs_9_at_friendlyName, pkcs_9_at_localKeyId, pkcs_9_at_messageDigest, pkcs_9_at_signingDescription, pkcs_9_at_signingTime, pkcs_9_at_smimeCapabilities, pkcs_9_at_unstructuredAddress, pkcs_9_at_unstructuredName, pkcs8ShroudedKeyBag, preferSignedData, RC2_CBC, rsaEncryption, safeContentsBag, sdsiCertificate, secretBag, sha1WithRSAEncryption, sha224WithRSAEncryption, sha256WithRSAEncryption, sha384WithRSAEncryption, sha512WithRSAEncryption, signedAndEnvelopedData, signedData, sMIMECapabilitiesVersions, srsaOAEPEncryptionSET, x509Certificate, x509certType, x509Crl
commonName, countryName, crlAccessMethod, id, id_ad, id_ad_caIssuers, id_ad_ocsp, id_at_name, id_at_telephoneNumber, id_ea_rsa, id_pe, id_pkix, id_SHA1, localityName, ocspAccessMethod, organization, organizationalUnitName, ripemd160, ripemd160WithRSAEncryption, stateOrProvinceName
Constructor | Description |
---|---|
PKCS12KeyStoreUnlimited(Provider provider,
DERObjectIdentifier keyAlgorithm,
DERObjectIdentifier certAlgorithm) |
Standard constructor
|
PKCS12KeyStoreUnlimited(Provider provider,
JDKPKCS12KeyStore from) |
Kind of copy constructor
|
Modifier and Type | Method | Description |
---|---|---|
protected byte[] |
cipherCrypt(String algorithm,
SecretKey key,
boolean encrypt,
byte[] data,
PBEParameterSpec defParams) |
|
protected Key |
cipherUnwrap(String algorithm,
SecretKey key,
byte[] data,
PBEParameterSpec defParams) |
|
protected byte[] |
cipherWrap(String algorithm,
SecretKey key,
Key data,
PBEParameterSpec defParams) |
|
protected byte[] |
cryptData(boolean forEncryption,
AlgorithmIdentifier algId,
char[] password,
boolean wrongPKCS12Zero,
byte[] data) |
|
protected static DERObjectIdentifier[] |
getAlgorithm(JDKPKCS12KeyStore from) |
Extract algorithms from an object.
|
static KeyStore |
getInstance() |
Return a
KeyStore that circumvents JCE security restrictions. |
protected PrivateKey |
unwrapKey(AlgorithmIdentifier algId,
byte[] data,
char[] password,
boolean wrongPKCS12Zero) |
|
protected byte[] |
wrapKey(String algorithm,
Key key,
PKCS12PBEParams pbeParams,
char[] password) |
engineAliases, engineContainsAlias, engineDeleteEntry, engineGetCertificate, engineGetCertificateAlias, engineGetCertificateChain, engineGetCreationDate, engineGetKey, engineIsCertificateEntry, engineIsKeyEntry, engineLoad, engineSetCertificateEntry, engineSetKeyEntry, engineSetKeyEntry, engineSize, engineStore, engineStore, setRandom
engineEntryInstanceOf, engineGetEntry, engineLoad, engineProbe, engineSetEntry
public PKCS12KeyStoreUnlimited(Provider provider, DERObjectIdentifier keyAlgorithm, DERObjectIdentifier certAlgorithm)
public PKCS12KeyStoreUnlimited(Provider provider, JDKPKCS12KeyStore from)
public static KeyStore getInstance() throws KeyStoreException, NoSuchProviderException
KeyStore
that circumvents JCE security restrictions.
This requires using BouncyCastle algorithms, that should be ok by default. Currently Cipher restrictions on key length are bypassed.
KeyStoreException
NoSuchProviderException
protected static DERObjectIdentifier[] getAlgorithm(JDKPKCS12KeyStore from)
This method needs updating when bouncycastle adds implementations.
protected PrivateKey unwrapKey(AlgorithmIdentifier algId, byte[] data, char[] password, boolean wrongPKCS12Zero) throws IOException
Same as BouncyCastle's implementation, but calls BouncyCastle's cipher
directly instead of going via JCE's Cipher
.
unwrapKey
in class JDKPKCS12KeyStore
IOException
protected byte[] wrapKey(String algorithm, Key key, PKCS12PBEParams pbeParams, char[] password) throws IOException
Same as BouncyCastle's implementation, but calls BouncyCastle's cipher
directly instead of going via JCE's Cipher
.
wrapKey
in class JDKPKCS12KeyStore
IOException
protected byte[] cryptData(boolean forEncryption, AlgorithmIdentifier algId, char[] password, boolean wrongPKCS12Zero, byte[] data) throws IOException
Same as BouncyCastle's implementation, but calls BouncyCastle's cipher
directly instead of going via JCE's Cipher
.
cryptData
in class JDKPKCS12KeyStore
IOException
protected byte[] cipherCrypt(String algorithm, SecretKey key, boolean encrypt, byte[] data, PBEParameterSpec defParams) throws Exception
Exception
protected byte[] cipherWrap(String algorithm, SecretKey key, Key data, PBEParameterSpec defParams) throws Exception
Exception
Copyright © 2010-2018 Nikhef / Stichting FOM. All Rights Reserved.