Package org.mozilla.jss.pkcs11
Class PK11Token
java.lang.Object
org.mozilla.jss.pkcs11.PK11Token
- All Implemented Interfaces:
CryptoToken
A PKCS #11 token. Currently, these can only be obtained from the
CryptoManager class.
- Version:
- $Revision$ $Date$
- See Also:
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic classThrown if the operation requires that the token be logged in, and it isn't. -
Field Summary
FieldsModifier and TypeFieldDescriptionprotected PK11Storeprotected booleanprotected booleanprotected TokenProxyFields inherited from interface org.mozilla.jss.crypto.CryptoToken
EVERY_TIME, ONE_TIME, TIMEOUT -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected voidchangePassword(byte[] oldPIN, byte[] newPIN) Change the password on the token from the old one to the new one.voidchangePassword(PasswordCallback oldPINcb, PasswordCallback newPINcb) Change password.cloneKey(SymmetricKey key) Allows a SymmetricKey to be cloned on a different token.booleandoesAlgorithm(Algorithm alg) Determines whether this token is capable of performing the given algorithm.booleanDeep-comparison operator.generateCertRequest(String subject, int keysize, String keyType, byte[] prime, byte[] subPrime, byte[] base) Generates a PKCS#10 certificate request including Begin/End bracketsprotected StringgeneratePK10(String subject, int keysize, String keyType, byte[] P, byte[] Q, byte[] G) getCipherContext(EncryptionAlgorithm algorithm) Creates a Cipher object, which can be used for encryption and decryption.Get the CryptoStore interface to this token's objects.getDigestContext(DigestAlgorithm algorithm) Creates a Digest object.getKeyGenerator(KeyGenAlgorithm algorithm) Creates a KeyGenerator object, which can be used to generate symmetric encryption keys.getKeyPairGenerator(KeyPairAlgorithm algorithm) Creates a KeyPairGenerator object, which can be used to generate key pairs.getKeyWrapper(KeyWrapAlgorithm algorithm) intReturns the login mode of this token: ONE_TIME, TIMEOUT, or EVERY_TIME.intReturns the login timeout period.getName()Obtain the nickname, or label, of this token.getProxy()getSignatureContext(SignatureAlgorithm algorithm) Creates a Signature object, which can perform signing and signature verification.inthashCode()HashCode from underline token.voidimportPublicKey(PublicKey pubKey, boolean permanent) protected voidinitPassword(byte[] ssopw, byte[] userpw) voidinitPassword(PasswordCallback ssopwcb, PasswordCallback userpwcb) Initialize PIN.booleanbooleanbooleanFind out if the token is currently logged in.booleanDetermines if the given token is present on the system.booleanvoidlogin(PasswordCallback callback) Log into the token.voidlogout()Log out of the token.protected PasswordCallbackInfoprotected voidnativeLogin(PasswordCallback callback) booleanreturns true if this token needs to be logged into before it can be used.booleanDetermine whether the token has been initialized yet.protected booleanMake sure the PIN can be initialized.voidsetLoginMode(int mode) Sets the login mode of this token.voidsetLoginTimeoutMinutes(int timeoutMinutes) Sets the timeout period for logging in.protected booleanSSOPasswordIsCorrect(byte[] ssopw) protected booleanuserPasswordIsCorrect(byte[] pw) Check the given password, return true if it's right, false if it's wrong.
-
Field Details
-
tokenProxy
-
cryptoStore
-
mIsInternalCryptoToken
protected boolean mIsInternalCryptoToken -
mIsInternalKeyStorageToken
protected boolean mIsInternalKeyStorageToken
-
-
Constructor Details
-
PK11Token
protected PK11Token() -
PK11Token
protected PK11Token(byte[] pointer, boolean internal, boolean keyStorage) Creates a new PK11Token. Should only be called from PK11Token's native code.- Parameters:
pointer- A byte array containing a pointer to a PKCS #11 slot.
-
-
Method Details
-
getSignatureContext
public Signature getSignatureContext(SignatureAlgorithm algorithm) throws NoSuchAlgorithmException, TokenException Description copied from interface:CryptoTokenCreates a Signature object, which can perform signing and signature verification. Signing and verification cryptographic operations will take place on this token. The signing key must be located on this token.- Specified by:
getSignatureContextin interfaceCryptoToken- Parameters:
algorithm- The algorithm used for the signing/verification.- Throws:
NoSuchAlgorithmException- If the given algorithm is not supported by this provider.TokenException
-
getDigestContext
public JSSMessageDigest getDigestContext(DigestAlgorithm algorithm) throws NoSuchAlgorithmException, DigestException Description copied from interface:CryptoTokenCreates a Digest object. Digesting cryptographic operations will take place on this token.- Specified by:
getDigestContextin interfaceCryptoToken- Parameters:
algorithm- The algorithm used for digesting.- Throws:
NoSuchAlgorithmException- If this provider does not support the given algorithm.DigestException
-
getCipherContext
public Cipher getCipherContext(EncryptionAlgorithm algorithm) throws NoSuchAlgorithmException, TokenException Description copied from interface:CryptoTokenCreates a Cipher object, which can be used for encryption and decryption. Cryptographic operations will take place on this token. The keys used in the operations must be located on this token.- Specified by:
getCipherContextin interfaceCryptoToken- Parameters:
algorithm- The algorithm used for encryption/decryption.- Throws:
NoSuchAlgorithmException- If this provider does not support the given algorithm.TokenException
-
getKeyGenerator
public KeyGenerator getKeyGenerator(KeyGenAlgorithm algorithm) throws NoSuchAlgorithmException, TokenException Description copied from interface:CryptoTokenCreates a KeyGenerator object, which can be used to generate symmetric encryption keys. Any keys generated with this KeyGenerator will be generated on this token.- Specified by:
getKeyGeneratorin interfaceCryptoToken- Parameters:
algorithm- The algorithm that the keys will be used with.- Throws:
NoSuchAlgorithmException- If this token does not support the given algorithm.TokenException
-
cloneKey
public SymmetricKey cloneKey(SymmetricKey key) throws SymmetricKey.NotExtractableException, InvalidKeyException, TokenException Allows a SymmetricKey to be cloned on a different token.- Specified by:
cloneKeyin interfaceCryptoToken- Throws:
SymmetricKey.NotExtractableException- If the key material cannot be extracted from the current token.InvalidKeyException- If the owning token cannot process the key to be cloned.TokenException
-
getSymmetricKeyDeriver
- Specified by:
getSymmetricKeyDeriverin interfaceCryptoToken
-
getKeyWrapper
public KeyWrapper getKeyWrapper(KeyWrapAlgorithm algorithm) throws NoSuchAlgorithmException, TokenException - Specified by:
getKeyWrapperin interfaceCryptoToken- Throws:
NoSuchAlgorithmExceptionTokenException
-
getRandomGenerator
-
getKeyPairGenerator
public KeyPairGenerator getKeyPairGenerator(KeyPairAlgorithm algorithm) throws NoSuchAlgorithmException, TokenException Description copied from interface:CryptoTokenCreates a KeyPairGenerator object, which can be used to generate key pairs. Any keypairs generated with this generator will be generated on this token.- Specified by:
getKeyPairGeneratorin interfaceCryptoToken- Parameters:
algorithm- The algorithm that the keys will be used with (RSA, DSA, EC, etc.)- Throws:
NoSuchAlgorithmException- If this token does not support the given algorithm.TokenException
-
isLoggedIn
Description copied from interface:CryptoTokenFind out if the token is currently logged in.- Specified by:
isLoggedInin interfaceCryptoToken- Throws:
TokenException- See Also:
-
needsLogin
Description copied from interface:CryptoTokenreturns true if this token needs to be logged into before it can be used.- Specified by:
needsLoginin interfaceCryptoToken- Throws:
TokenException- See Also:
-
login
Log into the token. If you are already logged in, this method has no effect, even if the PIN is wrong.- Specified by:
loginin interfaceCryptoToken- Parameters:
callback- A callback to use to obtain the password, or a Password object.- Throws:
PK11Token.NotInitializedException- The token has not yet been initialized.IncorrectPasswordException- The specified password was incorrect.TokenException- See Also:
-
nativeLogin
protected void nativeLogin(PasswordCallback callback) throws IncorrectPasswordException, TokenException -
isWritable
public boolean isWritable()- Returns:
- true if the token is writable, false if it is read-only. Writable tokens can have their keys generated on the internal token and then moved out.
-
isPresent
public boolean isPresent()Determines if the given token is present on the system. This would return false, for example, for a smart card reader that didn't have a card inserted.- Specified by:
isPresentin interfaceCryptoToken
-
logout
Log out of the token.- Specified by:
logoutin interfaceCryptoToken- Throws:
TokenException- If you are already logged in, or an unspecified error occurs.
-
getLoginMode
Description copied from interface:CryptoTokenReturns the login mode of this token: ONE_TIME, TIMEOUT, or EVERY_TIME. The default is ONE_TIME.- Specified by:
getLoginModein interfaceCryptoToken- Throws:
TokenException- If an error occurs on the token.- See Also:
-
setLoginMode
Description copied from interface:CryptoTokenSets the login mode of this token.- Specified by:
setLoginModein interfaceCryptoToken- Parameters:
mode- ONE_TIME, TIMEOUT, or EVERY_TIME- Throws:
TokenException- If this mode is not supported by this token, or an error occurs on the token.- See Also:
-
getLoginTimeoutMinutes
Description copied from interface:CryptoTokenReturns the login timeout period. The timeout is only used if the login mode is TIMEOUT.- Specified by:
getLoginTimeoutMinutesin interfaceCryptoToken- Throws:
TokenException- If an error occurs on the token.- See Also:
-
setLoginTimeoutMinutes
Description copied from interface:CryptoTokenSets the timeout period for logging in. This will only be used if the login mode is TIMEOUT.- Specified by:
setLoginTimeoutMinutesin interfaceCryptoToken- Throws:
TokenException- If timeouts are not supported by this token, or an error occurs on the token.- See Also:
-
initPassword
public void initPassword(PasswordCallback ssopwcb, PasswordCallback userpwcb) throws IncorrectPasswordException, AlreadyInitializedException, TokenException Initialize PIN. This sets the user's new PIN, using the current security officer PIN for authentication.- Specified by:
initPasswordin interfaceCryptoToken- Parameters:
ssopwcb- The security officer's current password callback.userpwcb- The user's new password callback.- Throws:
IncorrectPasswordException- If the security officer PIN is incorrect.AlreadyInitializedException- If the password hasn't already been set.TokenException- If the PIN was already initialized, or there was an unspecified error in the token.
-
PWInitable
Make sure the PIN can be initialized. This is mainly to check the internal module.- Throws:
TokenException
-
SSOPasswordIsCorrect
protected boolean SSOPasswordIsCorrect(byte[] ssopw) throws TokenException, AlreadyInitializedException -
initPassword
protected void initPassword(byte[] ssopw, byte[] userpw) throws IncorrectPasswordException, AlreadyInitializedException, TokenException -
passwordIsInitialized
Determine whether the token has been initialized yet.- Specified by:
passwordIsInitializedin interfaceCryptoToken- Throws:
TokenException- If an error occurs on the token.
-
changePassword
public void changePassword(PasswordCallback oldPINcb, PasswordCallback newPINcb) throws IncorrectPasswordException, TokenException Change password. This changes the user's PIN after it has already been initialized.- Specified by:
changePasswordin interfaceCryptoToken- Parameters:
oldPINcb- The user's old PIN callback.newPINcb- The new PIN callback.- Throws:
IncorrectPasswordException- If the old PIN is incorrect.TokenException- If some other error occurs on the token.
-
makePWCBInfo
-
userPasswordIsCorrect
Check the given password, return true if it's right, false if it's wrong.- Throws:
TokenException
-
changePassword
protected void changePassword(byte[] oldPIN, byte[] newPIN) throws IncorrectPasswordException, TokenException Change the password on the token from the old one to the new one. -
getName
Description copied from interface:CryptoTokenObtain the nickname, or label, of this token.- Specified by:
getNamein interfaceCryptoToken
-
getProvider
-
getCryptoStore
Description copied from interface:CryptoTokenGet the CryptoStore interface to this token's objects.- Specified by:
getCryptoStorein interfaceCryptoToken
-
equals
Deep-comparison operator.- Specified by:
equalsin interfaceCryptoToken- Overrides:
equalsin classObject- Returns:
- true if these tokens point to the same underlying native token.
false otherwise, or if
compareis null.
-
hashCode
public int hashCode()HashCode from underline token. Two token are equals if they have the same underline native token so they should return the same hash code -
doesAlgorithm
Determines whether this token is capable of performing the given algorithm.- Specified by:
doesAlgorithmin interfaceCryptoToken- Parameters:
alg- A JSS algorithm. Note that for Signature, a token may fail to support a specific SignatureAlgorithm (such as RSASignatureWithMD5Digest) even though it does support the generic algorithm (RSASignature). In this case, the signature operation will be performed on that token, but the digest operation will be performed on the internal token.- Returns:
- true if the token supports the algorithm.
-
generateCertRequest
public String generateCertRequest(String subject, int keysize, String keyType, byte[] prime, byte[] subPrime, byte[] base) throws TokenException, InvalidParameterException, PQGParamGenException Generates a PKCS#10 certificate request including Begin/End brackets- Specified by:
generateCertRequestin interfaceCryptoToken- Parameters:
subject- subject dn of the certificatekeysize- size of the keykeyType- "rsa" or "dsa"prime- The DSA prime parametersubPrime- The DSA sub-prime parameterbase- The DSA base parameter- Returns:
- String that represents a PKCS#10 b64 encoded blob with begin/end brackets
- Throws:
TokenExceptionInvalidParameterExceptionPQGParamGenException
-
generatePK10
protected String generatePK10(String subject, int keysize, String keyType, byte[] P, byte[] Q, byte[] G) throws TokenException, InvalidParameterException -
getProxy
-
isInternalCryptoToken
public boolean isInternalCryptoToken()- Returns:
- true if this is the internal token used for bulk crypto.
-
isInternalKeyStorageToken
public boolean isInternalKeyStorageToken()- Returns:
- true if this is the internal key storage token.
-
importPublicKey
- Specified by:
importPublicKeyin interfaceCryptoToken- Throws:
TokenException
-