Package org.mozilla.jss.pkcs11
Class PK11Token
java.lang.Object
    org.mozilla.jss.pkcs11.PK11Token
All Implemented Interfaces:
    CryptoToken

A PKCS #11 token. Currently, these can only be obtained from the CryptoManager class.
Nested Class Summary
    static class PK11Token.NotInitializedException
        Thrown if the operation requires that the token be logged in, and it isn't.
Field Summary
    protected PK11Store cryptoStore
    protected boolean mIsInternalCryptoToken
    protected boolean mIsInternalKeyStorageToken
    protected TokenProxy tokenProxy
Fields inherited from interface org.mozilla.jss.crypto.CryptoToken
    EVERY_TIME, ONE_TIME, TIMEOUT
Constructor Summary
    protected PK11Token()
    protected PK11Token(byte[] pointer, boolean internal, boolean keyStorage)
        Creates a new PK11Token. Should only be called from PK11Token's native code.
Method Summary
    protected void changePassword(byte[] oldPIN, byte[] newPIN)
        Change the password on the token from the old one to the new one.
    void changePassword(PasswordCallback oldPINcb, PasswordCallback newPINcb)
        Change password.
    SymmetricKey cloneKey(SymmetricKey key)
        Allows a SymmetricKey to be cloned on a different token.
    boolean doesAlgorithm(Algorithm alg)
        Determines whether this token is capable of performing the given algorithm.
    boolean equals(Object compare)
        Deep-comparison operator.
    String generateCertRequest(String subject, int keysize, String keyType, byte[] prime, byte[] subPrime, byte[] base)
        Generates a PKCS#10 certificate request including Begin/End brackets.
    protected String generatePK10(String subject, int keysize, String keyType, byte[] P, byte[] Q, byte[] G)
    Cipher getCipherContext(EncryptionAlgorithm algorithm)
        Creates a Cipher object, which can be used for encryption and decryption.
    CryptoStore getCryptoStore()
        Get the CryptoStore interface to this token's objects.
    JSSMessageDigest getDigestContext(DigestAlgorithm algorithm)
        Creates a Digest object.
    KeyGenerator getKeyGenerator(KeyGenAlgorithm algorithm)
        Creates a KeyGenerator object, which can be used to generate symmetric encryption keys.
    KeyPairGenerator getKeyPairGenerator(KeyPairAlgorithm algorithm)
        Creates a KeyPairGenerator object, which can be used to generate key pairs.
    KeyWrapper getKeyWrapper(KeyWrapAlgorithm algorithm)
    int getLoginMode()
        Returns the login mode of this token: ONE_TIME, TIMEOUT, or EVERY_TIME.
    int getLoginTimeoutMinutes()
        Returns the login timeout period.
    String getName()
        Obtain the nickname, or label, of this token.
    getProvider()
    getProxy()
    getRandomGenerator()
    Signature getSignatureContext(SignatureAlgorithm algorithm)
        Creates a Signature object, which can perform signing and signature verification.
    getSymmetricKeyDeriver()
    int hashCode()
        Hash code derived from the underlying token.
    void importPublicKey(PublicKey pubKey, boolean permanent)
    protected void initPassword(byte[] ssopw, byte[] userpw)
    void initPassword(PasswordCallback ssopwcb, PasswordCallback userpwcb)
        Initialize PIN.
    boolean isInternalCryptoToken()
    boolean isInternalKeyStorageToken()
    boolean isLoggedIn()
        Find out if the token is currently logged in.
    boolean isPresent()
        Determines if the given token is present on the system.
    boolean isWritable()
    void login(PasswordCallback callback)
        Log into the token.
    void logout()
        Log out of the token.
    protected PasswordCallbackInfo makePWCBInfo()
    protected void nativeLogin(PasswordCallback callback)
    boolean needsLogin()
        Returns true if this token needs to be logged into before it can be used.
    boolean passwordIsInitialized()
        Determine whether the token has been initialized yet.
    protected boolean PWInitable()
        Make sure the PIN can be initialized.
    void setLoginMode(int mode)
        Sets the login mode of this token.
    void setLoginTimeoutMinutes(int timeoutMinutes)
        Sets the timeout period for logging in.
    protected boolean SSOPasswordIsCorrect(byte[] ssopw)
    protected boolean userPasswordIsCorrect(byte[] pw)
        Check the given password, return true if it's right, false if it's wrong.
Field Details

tokenProxy
    protected TokenProxy tokenProxy

cryptoStore
    protected PK11Store cryptoStore

mIsInternalCryptoToken
    protected boolean mIsInternalCryptoToken

mIsInternalKeyStorageToken
    protected boolean mIsInternalKeyStorageToken
Constructor Details

PK11Token
    protected PK11Token()

PK11Token
    protected PK11Token(byte[] pointer, boolean internal, boolean keyStorage)
    Creates a new PK11Token. Should only be called from PK11Token's native code.
    Parameters:
        pointer - A byte array containing a pointer to a PKCS #11 slot.
Method Details

getSignatureContext
    public Signature getSignatureContext(SignatureAlgorithm algorithm) throws NoSuchAlgorithmException, TokenException
    Description copied from interface: CryptoToken
    Creates a Signature object, which can perform signing and signature verification. Signing and verification cryptographic operations will take place on this token. The signing key must be located on this token.
    Specified by: getSignatureContext in interface CryptoToken
    Parameters:
        algorithm - The algorithm used for the signing/verification.
    Throws:
        NoSuchAlgorithmException - If the given algorithm is not supported by this provider.
        TokenException

getDigestContext
    public JSSMessageDigest getDigestContext(DigestAlgorithm algorithm) throws NoSuchAlgorithmException, DigestException
    Description copied from interface: CryptoToken
    Creates a Digest object. Digesting cryptographic operations will take place on this token.
    Specified by: getDigestContext in interface CryptoToken
    Parameters:
        algorithm - The algorithm used for digesting.
    Throws:
        NoSuchAlgorithmException - If this provider does not support the given algorithm.
        DigestException

getCipherContext
    public Cipher getCipherContext(EncryptionAlgorithm algorithm) throws NoSuchAlgorithmException, TokenException
    Description copied from interface: CryptoToken
    Creates a Cipher object, which can be used for encryption and decryption. Cryptographic operations will take place on this token. The keys used in the operations must be located on this token.
    Specified by: getCipherContext in interface CryptoToken
    Parameters:
        algorithm - The algorithm used for encryption/decryption.
    Throws:
        NoSuchAlgorithmException - If this provider does not support the given algorithm.
        TokenException

getKeyGenerator
    public KeyGenerator getKeyGenerator(KeyGenAlgorithm algorithm) throws NoSuchAlgorithmException, TokenException
    Description copied from interface: CryptoToken
    Creates a KeyGenerator object, which can be used to generate symmetric encryption keys. Any keys generated with this KeyGenerator will be generated on this token.
    Specified by: getKeyGenerator in interface CryptoToken
    Parameters:
        algorithm - The algorithm that the keys will be used with.
    Throws:
        NoSuchAlgorithmException - If this token does not support the given algorithm.
        TokenException

cloneKey
    public SymmetricKey cloneKey(SymmetricKey key) throws SymmetricKey.NotExtractableException, InvalidKeyException, TokenException
    Allows a SymmetricKey to be cloned on a different token.
    Specified by: cloneKey in interface CryptoToken
    Throws:
        SymmetricKey.NotExtractableException - If the key material cannot be extracted from the current token.
        InvalidKeyException - If the owning token cannot process the key to be cloned.
        TokenException
getSymmetricKeyDeriver
    Specified by: getSymmetricKeyDeriver in interface CryptoToken

getKeyWrapper
    public KeyWrapper getKeyWrapper(KeyWrapAlgorithm algorithm) throws NoSuchAlgorithmException, TokenException
    Specified by: getKeyWrapper in interface CryptoToken
    Throws:
        NoSuchAlgorithmException
        TokenException

getRandomGenerator

getKeyPairGenerator
    public KeyPairGenerator getKeyPairGenerator(KeyPairAlgorithm algorithm) throws NoSuchAlgorithmException, TokenException
    Description copied from interface: CryptoToken
    Creates a KeyPairGenerator object, which can be used to generate key pairs. Any keypairs generated with this generator will be generated on this token.
    Specified by: getKeyPairGenerator in interface CryptoToken
    Parameters:
        algorithm - The algorithm that the keys will be used with (RSA, DSA, EC, etc.)
    Throws:
        NoSuchAlgorithmException - If this token does not support the given algorithm.
        TokenException

isLoggedIn
    Description copied from interface: CryptoToken
    Find out if the token is currently logged in.
    Specified by: isLoggedIn in interface CryptoToken
    Throws:
        TokenException

needsLogin
    Description copied from interface: CryptoToken
    Returns true if this token needs to be logged into before it can be used.
    Specified by: needsLogin in interface CryptoToken
    Throws:
        TokenException

login
    Log into the token. If you are already logged in, this method has no effect, even if the PIN is wrong.
    Specified by: login in interface CryptoToken
    Parameters:
        callback - A callback to use to obtain the password, or a Password object.
    Throws:
        PK11Token.NotInitializedException - The token has not yet been initialized.
        IncorrectPasswordException - The specified password was incorrect.
        TokenException

nativeLogin
    protected void nativeLogin(PasswordCallback callback) throws IncorrectPasswordException, TokenException

isWritable
    public boolean isWritable()
    Returns:
        true if the token is writable, false if it is read-only. Writable tokens can have their keys generated on the internal token and then moved out.

isPresent
    public boolean isPresent()
    Determines if the given token is present on the system. This would return false, for example, for a smart card reader that didn't have a card inserted.
    Specified by: isPresent in interface CryptoToken

logout
    Log out of the token.
    Specified by: logout in interface CryptoToken
    Throws:
        TokenException - If you are already logged in, or an unspecified error occurs.
getLoginMode
    Description copied from interface: CryptoToken
    Returns the login mode of this token: ONE_TIME, TIMEOUT, or EVERY_TIME. The default is ONE_TIME.
    Specified by: getLoginMode in interface CryptoToken
    Throws:
        TokenException - If an error occurs on the token.

setLoginMode
    Description copied from interface: CryptoToken
    Sets the login mode of this token.
    Specified by: setLoginMode in interface CryptoToken
    Parameters:
        mode - ONE_TIME, TIMEOUT, or EVERY_TIME
    Throws:
        TokenException - If this mode is not supported by this token, or an error occurs on the token.

getLoginTimeoutMinutes
    Description copied from interface: CryptoToken
    Returns the login timeout period. The timeout is only used if the login mode is TIMEOUT.
    Specified by: getLoginTimeoutMinutes in interface CryptoToken
    Throws:
        TokenException - If an error occurs on the token.

setLoginTimeoutMinutes
    Description copied from interface: CryptoToken
    Sets the timeout period for logging in. This will only be used if the login mode is TIMEOUT.
    Specified by: setLoginTimeoutMinutes in interface CryptoToken
    Throws:
        TokenException - If timeouts are not supported by this token, or an error occurs on the token.
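As an added example (not code from the JSS project), the helper below brings a token obtained from CryptoManager into a known login state using the login, login-mode and timeout methods documented above. It assumes CryptoManager is initialized from a placeholder NSS database path and that a 15-minute idle timeout is the local policy; it honours the note that login() is a no-op on an already logged-in token even if the PIN is wrong.

```java
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.TokenException;
import org.mozilla.jss.util.IncorrectPasswordException;
import org.mozilla.jss.util.Password;

/** Added example: bring a token into a known login state before use. */
public final class TokenLoginExample {

    /** Minutes of inactivity after which the login expires (assumed policy value). */
    static final int IDLE_TIMEOUT_MINUTES = 15;

    /**
     * Logs in only when the token requires it and is not already logged in.
     * Because login() has no effect on an already logged-in token even with a
     * wrong PIN, a successful return here must not be read as "PIN verified".
     * Returns true if a login was actually performed.
     */
    static boolean loginIfNeeded(CryptoToken token, char[] pin)
            throws TokenException, IncorrectPasswordException {
        if (!token.isPresent()) {
            throw new TokenException("token is not present (e.g. no card in reader)");
        }
        if (!token.passwordIsInitialized()) {
            throw new TokenException("token PIN has not been initialized yet");
        }
        if (!token.needsLogin() || token.isLoggedIn()) {
            return false;                 // nothing to do; the PIN is not checked here
        }
        Password pw = new Password(pin);  // Password implements PasswordCallback
        try {
            token.login(pw);              // IncorrectPasswordException on a bad PIN
        } finally {
            pw.clear();                   // zero the PIN copy held by the callback
        }
        return true;
    }

    /** Prefer TIMEOUT over the default ONE_TIME so an idle session expires. */
    static void applyIdleTimeout(CryptoToken token) throws TokenException {
        token.setLoginMode(CryptoToken.TIMEOUT);   // may throw if the token lacks this mode
        token.setLoginTimeoutMinutes(IDLE_TIMEOUT_MINUTES);
    }

    public static void main(String[] args) throws Exception {
        CryptoManager.initialize("/path/to/nssdb");   // placeholder NSS database directory
        CryptoToken token = CryptoManager.getInstance().getInternalKeyStorageToken();
        applyIdleTimeout(token);
        boolean didLogin = loginIfNeeded(token, args[0].toCharArray());
        System.out.println(didLogin ? "logged in" : "already logged in or no login needed");
    }
}
```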
initPassword
    public void initPassword(PasswordCallback ssopwcb, PasswordCallback userpwcb) throws IncorrectPasswordException, AlreadyInitializedException, TokenException
    Initialize PIN. This sets the user's new PIN, using the current security officer PIN for authentication.
    Specified by: initPassword in interface CryptoToken
    Parameters:
        ssopwcb - The security officer's current password callback.
        userpwcb - The user's new password callback.
    Throws:
        IncorrectPasswordException - If the security officer PIN is incorrect.
        AlreadyInitializedException - If the password hasn't already been set.
        TokenException - If the PIN was already initialized, or there was an unspecified error in the token.

PWInitable
    Make sure the PIN can be initialized. This is mainly to check the internal module.
    Throws:
        TokenException

SSOPasswordIsCorrect
    protected boolean SSOPasswordIsCorrect(byte[] ssopw) throws TokenException, AlreadyInitializedException

initPassword
    protected void initPassword(byte[] ssopw, byte[] userpw) throws IncorrectPasswordException, AlreadyInitializedException, TokenException

passwordIsInitialized
    Determine whether the token has been initialized yet.
    Specified by: passwordIsInitialized in interface CryptoToken
    Throws:
        TokenException - If an error occurs on the token.

changePassword
    public void changePassword(PasswordCallback oldPINcb, PasswordCallback newPINcb) throws IncorrectPasswordException, TokenException
    Change password. This changes the user's PIN after it has already been initialized.
    Specified by: changePassword in interface CryptoToken
    Parameters:
        oldPINcb - The user's old PIN callback.
        newPINcb - The new PIN callback.
    Throws:
        IncorrectPasswordException - If the old PIN is incorrect.
        TokenException - If some other error occurs on the token.

makePWCBInfo

userPasswordIsCorrect
    Check the given password, return true if it's right, false if it's wrong.
    Throws:
        TokenException

changePassword
    protected void changePassword(byte[] oldPIN, byte[] newPIN) throws IncorrectPasswordException, TokenException
    Change the password on the token from the old one to the new one.
getName
    Description copied from interface: CryptoToken
    Obtain the nickname, or label, of this token.
    Specified by: getName in interface CryptoToken

getProvider

getCryptoStore
    Description copied from interface: CryptoToken
    Get the CryptoStore interface to this token's objects.
    Specified by: getCryptoStore in interface CryptoToken

equals
    Deep-comparison operator.
    Specified by: equals in interface CryptoToken
    Overrides: equals in class Object
    Returns:
        true if these tokens point to the same underlying native token; false otherwise, or if compare is null.

hashCode
    public int hashCode()
    Hash code derived from the underlying token. Two tokens are equal if they share the same underlying native token, so they return the same hash code.

doesAlgorithm
    Determines whether this token is capable of performing the given algorithm.
    Specified by: doesAlgorithm in interface CryptoToken
    Parameters:
        alg - A JSS algorithm. Note that for Signature, a token may fail to support a specific SignatureAlgorithm (such as RSASignatureWithMD5Digest) even though it does support the generic algorithm (RSASignature). In this case, the signature operation will be performed on that token, but the digest operation will be performed on the internal token.
    Returns:
        true if the token supports the algorithm.
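An added example (not JSS project code) of using doesAlgorithm(), equals() and getSignatureContext() together: it probes specific SignatureAlgorithm values rather than the generic RSASignature, so the digest is not silently moved to the internal token, and it confirms with the deep equals() that the signing key's owning token is this token before signing. The preference list is an assumed local policy.

```java
import java.security.NoSuchAlgorithmException;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.Signature;
import org.mozilla.jss.crypto.SignatureAlgorithm;

/** Added example: choose a signature algorithm the token can run itself. */
public final class TokenSigningExample {

    /** Candidate mechanisms, strongest first (assumed local policy). */
    static final SignatureAlgorithm[] PREFERRED = {
        SignatureAlgorithm.RSASignatureWithSHA512Digest,
        SignatureAlgorithm.RSASignatureWithSHA384Digest,
        SignatureAlgorithm.RSASignatureWithSHA256Digest,
    };

    /**
     * Returns the first preferred algorithm that doesAlgorithm() reports as
     * supported. Checking the specific algorithm matters: a token that only
     * supports the generic RSASignature would still sign, but JSS would then
     * digest on the internal token rather than on this one.
     */
    static SignatureAlgorithm chooseAlgorithm(CryptoToken token) throws NoSuchAlgorithmException {
        for (SignatureAlgorithm alg : PREFERRED) {
            if (token.doesAlgorithm(alg)) {
                return alg;
            }
        }
        throw new NoSuchAlgorithmException("token supports none of the preferred algorithms");
    }

    /**
     * Signs data with a key that must live on this token. equals() is the
     * deep comparison of the underlying native token, so two CryptoToken
     * objects for the same slot compare equal here.
     */
    static byte[] signOnToken(CryptoToken token, PrivateKey key, byte[] data) throws Exception {
        if (!token.equals(key.getOwningToken())) {
            throw new IllegalArgumentException("signing key is not stored on this token");
        }
        Signature sig = token.getSignatureContext(chooseAlgorithm(token));
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }
}
```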
generateCertRequest
    public String generateCertRequest(String subject, int keysize, String keyType, byte[] prime, byte[] subPrime, byte[] base) throws TokenException, InvalidParameterException, PQGParamGenException
    Generates a PKCS#10 certificate request including Begin/End brackets.
    Specified by: generateCertRequest in interface CryptoToken
    Parameters:
        subject - subject DN of the certificate
        keysize - size of the key
        keyType - "rsa" or "dsa"
        prime - The DSA prime parameter
        subPrime - The DSA sub-prime parameter
        base - The DSA base parameter
    Returns:
        String that represents a PKCS#10 base64-encoded blob with begin/end brackets
    Throws:
        TokenException
        InvalidParameterException
        PQGParamGenException

generatePK10
    protected String generatePK10(String subject, int keysize, String keyType, byte[] P, byte[] Q, byte[] G) throws TokenException, InvalidParameterException

getProxy

isInternalCryptoToken
    public boolean isInternalCryptoToken()
    Returns:
        true if this is the internal token used for bulk crypto.

isInternalKeyStorageToken
    public boolean isInternalKeyStorageToken()
    Returns:
        true if this is the internal key storage token.

importPublicKey
    Specified by: importPublicKey in interface CryptoToken
    Throws:
        TokenException