com.safenetinc.luna.provider

Class LunaCertificateX509

java.lang.Object

java.security.cert.Certificate

java.security.cert.X509Certificate

com.safenetinc.luna.provider.LunaCertificateX509

All Implemented Interfaces:

LunaCertificate, java.io.Serializable, java.security.cert.X509Extension

public class LunaCertificateX509
extends java.security.cert.X509Certificate
implements LunaCertificate

An implementation of X509Certificate abstract class for certificates stored on Luna hardware

See Also:

Serialized Form

Nested Class Summary

Nested classes/interfaces inherited from class java.security.cert.Certificate

java.security.cert.Certificate.CertificateRep

Constructor Summary

Constructors

Modifier	Constructor and Description
	LunaCertificateX509(byte[] certEncoding) Create a LunaCertificateX509 object from the given DER encoding.
	LunaCertificateX509(byte[] certEncoding, int slot) Create a LunaCertificateX509 object from the given DER encoding.
protected	LunaCertificateX509(LunaTokenObject object) Define a LunaCertificateX509 object from a certificate stored on Luna hardware.
protected	LunaCertificateX509(LunaTokenObject obj, com.safenetinc.luna.X509.AsnCertificate cert) Used by the factory methods to create a LunaCert when we've already retrieved/created the token object and certificate.
	LunaCertificateX509(java.security.cert.X509Certificate cert) Create a LunaCertificateX509 object and initialize it using values from the given certificate.
	LunaCertificateX509(java.security.cert.X509Certificate cert, int slot) Create a LunaCertificateX509 object and initialize it using values from the given certificate.

Method Summary

Methods

Modifier and Type	Method and Description
void	checkValidity() Checks that the certificate is currently valid.
void	checkValidity(java.util.Date date) Checks that the given date is within the certificate's validity period.
void	DestroyCert() Destroy the certificate object and remove it from the token.
int	getBasicConstraints() Gets the certificate constraints path length from the critical BasicConstraints extension, (OID = 2.5.29.19).
protected static java.lang.String	GetCertChainEntryName(java.lang.String alias, int index)
int	GetCertHandle() Returns the handle of the certificate stored in hardware.
java.util.Set<java.lang.String>	getCriticalExtensionOIDs() Gets a Set of the OID strings for the extension(s) marked CRITICAL.
java.util.Date	GetDateMadePersistent()
byte[]	getEncoded() Retrieve the encoding of the certificate.
java.util.List<java.lang.String>	getExtendedKeyUsage() Gets a list of extended key usage details
byte[]	getExtensionValue(java.lang.String oid) Gets the DER-encoded OCTET string for the extension value (extnValue) identified by the passed-in oid String.
byte[]	GetFingerprint()
java.security.Principal	getIssuerDN() Deprecated. This method has been denigrated by SUN as of Java 5.0. Use getIssuerX500Principal() instead. CANNOT REMOVE THIS : X509Certificate DECLARES IT ABSTRACT, SO MUST IMPLEMENT.
boolean[]	getIssuerUniqueID() Gets the issuerUniqueID value from the certificate.
javax.security.auth.x500.X500Principal	getIssuerX500Principal() Gets the issuer distinguished name from the certificate.
boolean[]	getKeyUsage() Gets a boolean array representing bits of the KeyUsage extension, (OID = 2.5.29.15).
java.util.Set<java.lang.String>	getNonCriticalExtensionOIDs() Gets a Set of the OID strings for the extension(s) marked NON-CRITICAL.
java.util.Date	getNotAfter() Gets the notAfter date from the validity period of the certificate.
java.util.Date	getNotBefore() Gets the notBefore date from the validity period of the certificate.
byte[]	GetOUID() Returns the CKA_OUID of the certificate object in the HSM.
java.security.PublicKey	getPublicKey() Gets the public key from this certificate.
java.math.BigInteger	getSerialNumber() Gets the serialNumber value from the certificate.
java.lang.String	getSigAlgName() Gets the signature algorithm name for the certificate signature algorithm.
java.lang.String	getSigAlgOID() Gets the signature algorithm OID string from the certificate.
byte[]	getSigAlgParams() Gets the DER-encoded signature algorithm parameters from this certificate's signature algorithm.
byte[]	getSignature() Gets the signature value (the raw signature bits) from the certificate.
java.security.Principal	getSubjectDN() Deprecated. This method has been denigrated by SUN as of Java 5.0. Use getSubjectX500Principal() instead. CANNOT REMOVE THIS : X509Certificate DECLARES IT ABSTRACT, SO MUST IMPLEMENT.
boolean[]	getSubjectUniqueID() Gets the subjectUniqueID value from the certificate.
javax.security.auth.x500.X500Principal	getSubjectX500Principal()
byte[]	getTBSCertificate() Gets the DER-encoded certificate information, the tbsCertificate from this certificate.
int	getVersion() Gets the version (version number) value from the certificate.
boolean	hasUnsupportedCriticalExtension() Check if there is a critical extension that is not supported.
boolean	IsCertPersistent()
static LunaCertificateX509	LocateCertByAlias(java.lang.String alias) Create a LunaCertificateX509 object by searching the default token for a certificate with the given alias.
static LunaCertificateX509	LocateCertByAlias(java.lang.String alias, int slot) Create a LunaCertificateX509 object by searching the specified token for a certificate with the given alias.
static LunaCertificateX509	LocateCertByHandle(int handle) Locate a certificate on the default slot by using the object handle.
static LunaCertificateX509	LocateCertByHandle(int handle, int slot) Locate a certificate on the specified slot by using the object handle.
static LunaCertificateX509	LocateCertByOUID(byte[] ouid) Create a LunaCertificateX509 object by searching the default token for a certificate with the given CKA_OUID.
static LunaCertificateX509	LocateCertByOUID(byte[] ouid, int slot) Create a LunaCertificateX509 object by searching the specified token for a certificate with the given CKA_OUID.
void	MakePersistent(java.lang.String alias) Store a LunaCertificateX509 on a Luna token
static LunaCertificateX509	SelfSign(java.security.KeyPair kp, java.lang.String subject, java.math.BigInteger serialNumber, java.util.Date notBefore, java.util.Date notAfter) Create a LunaCertificateX509 on the default slot by self-signing a key pair.
static LunaCertificateX509	SelfSign(java.security.KeyPair kp, java.lang.String subject, java.math.BigInteger serialNumber, java.util.Date notBefore, java.util.Date notAfter, int slot) Create a LunaCertificateX509 on the specified slot by self-signing a key pair.
static LunaCertificateX509	SelfSign(java.lang.String algorithm, java.security.KeyPair kp, java.lang.String subject, java.math.BigInteger serialNumber, java.util.Date notBefore, java.util.Date notAfter, int pssSaltValue) Create a LunaCertificateX509 in the default slot by self-signing a key pair.
static LunaCertificateX509	SelfSign(java.lang.String algorithm, java.security.KeyPair kp, java.lang.String subject, java.math.BigInteger serialNumber, java.util.Date notBefore, java.util.Date notAfter, int pssSaltValue, int slot) Create a LunaCertificateX509 in the specified slot by self-signing a key pair.
java.lang.String	toString() Retrieve a (short) string representation of the object
void	verify(java.security.PublicKey key) Verifies that this certificate was signed using the private key that corresponds to the specified public key.
void	verify(java.security.PublicKey key, java.lang.String sigProvider) Verifies that this certificate was signed using the private key that corresponds to the specified public key.

Methods inherited from class java.security.cert.X509Certificate

getIssuerAlternativeNames, getSubjectAlternativeNames

Methods inherited from class java.security.cert.Certificate

equals, getType, hashCode, writeReplace

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

LunaCertificateX509

public LunaCertificateX509(java.security.cert.X509Certificate cert)
                    throws java.security.cert.CertificateEncodingException

Create a LunaCertificateX509 object and initialize it using values from the given certificate.

The resulting certificate is stored on the Luna hardware on the currently set default token, although it will not be persistent until it is stored in a LunaKeyStore or the MakePersistent() method is invoked.

Parameters:

cert - The certificate from which the LunaCertificateX509 object is derived.

Throws:

java.security.cert.CertificateEncodingException - exception

LunaCertificateX509

public LunaCertificateX509(java.security.cert.X509Certificate cert,
                   int slot)
                    throws java.security.cert.CertificateEncodingException

Create a LunaCertificateX509 object and initialize it using values from the given certificate.

The resulting certificate is stored on the Luna hardware on the token in the specified slot, although it will not be persistent until it is stored in a LunaKeyStore or the MakePersistent() method is invoked.

Parameters:

cert - The certificate from which the LunaCertificateX509 object is derived.

slot - slot number

Throws:

java.security.cert.CertificateEncodingException - exception

LunaCertificateX509

public LunaCertificateX509(byte[] certEncoding)

Create a LunaCertificateX509 object from the given DER encoding.

The resulting certificate is stored on the Luna hardware on the currently set default token, although it will not be persistent until it is stored in a LunaKeyStore or the MakePersistent() method is invoked.

Parameters:

certEncoding - The DER encoding of a certificate.

LunaCertificateX509

public LunaCertificateX509(byte[] certEncoding,
                   int slot)

Create a LunaCertificateX509 object from the given DER encoding.

The resulting certificate is stored on the Luna hardware on the token in the specified slot, although it will not be persistent until it is stored in a LunaKeyStore or the MakePersistent() method is invoked.

Parameters:

certEncoding - The DER encoding of a certificate.

slot - slot number

LunaCertificateX509

protected LunaCertificateX509(LunaTokenObject object)

Define a LunaCertificateX509 object from a certificate stored on Luna hardware. The given object is read from the Luna hardware and used to define the fields of the LunaCertificteX509.

Parameters:

object - generic Luna object

LunaCertificateX509

protected LunaCertificateX509(LunaTokenObject obj,
                   com.safenetinc.luna.X509.AsnCertificate cert)

Used by the factory methods to create a LunaCert when we've already retrieved/created the token object and certificate.

Parameters:

obj - generic Luna object

cert - ASN-encoded certificate

Method Detail

SelfSign

public static LunaCertificateX509 SelfSign(java.lang.String algorithm,
                           java.security.KeyPair kp,
                           java.lang.String subject,
                           java.math.BigInteger serialNumber,
                           java.util.Date notBefore,
                           java.util.Date notAfter,
                           int pssSaltValue)
                                    throws java.security.InvalidKeyException,
                                           java.security.cert.CertificateEncodingException

Create a LunaCertificateX509 in the default slot by self-signing a key pair.

Accepts an RSA, DSA or ECDSA key pair and creates a self-signed certificate from them.

Parameters:

algorithm - The algorithm to use for the signature

kp - The key pair.

subject - The distinguished name for the subject and issuer

serialNumber - The serial number of the certificate

notBefore - The notBefore date of the certificate

notAfter - The notAfter date of the certificate

pssSaltValue - Salt value used if a PSS algorthm is specified

Returns:

LunaCertificateX509 -- the self-signed certificate.

Throws:

java.security.InvalidKeyException - if the key pair is not RSA or DSA.

java.security.cert.CertificateEncodingException - if we have problems encoding the certificate.

SelfSign

public static LunaCertificateX509 SelfSign(java.lang.String algorithm,
                           java.security.KeyPair kp,
                           java.lang.String subject,
                           java.math.BigInteger serialNumber,
                           java.util.Date notBefore,
                           java.util.Date notAfter,
                           int pssSaltValue,
                           int slot)
                                    throws java.security.InvalidKeyException,
                                           java.security.cert.CertificateEncodingException

Create a LunaCertificateX509 in the specified slot by self-signing a key pair.

Accepts an RSA, DSA or ECDSA key pair and creates a self-signed certificate from them.

Parameters:

algorithm - The algorithm to use for the signature

kp - The key pair.

subject - The distinguished name for the subject and issuer

serialNumber - The serial number of the certificate

notBefore - The notBefore date of the certificate

notAfter - The notAfter date of the certificate

pssSaltValue - Salt value used if a PSS algorthm is specified

slot - slot number

Returns:

LunaCertificateX509 -- the self-signed certificate.

Throws:

java.security.InvalidKeyException - if the key pair is not RSA or DSA.

java.security.cert.CertificateEncodingException - if we have problems encoding the certificate.

SelfSign

public static LunaCertificateX509 SelfSign(java.security.KeyPair kp,
                           java.lang.String subject,
                           java.math.BigInteger serialNumber,
                           java.util.Date notBefore,
                           java.util.Date notAfter)
                                    throws java.security.InvalidKeyException,
                                           java.security.cert.CertificateEncodingException

Create a LunaCertificateX509 on the default slot by self-signing a key pair.

Accepts an RSA, DSA or ECDSA key pair and creates a self-signed certificate from them. If the key pair is RSA, SHA1withRSA is used as the signature algorithm. If the key pair is DSA, SHA1withDSA is used. If the key pair is ECDSA, SHA1withECDSA is used.

Parameters:

kp - The key pair

subject - The distinguished name for the subject and issuer

serialNumber - The serial number of the certificate

notBefore - the notBefore date of the certificate

notAfter - the notAfter date of the certificate

Returns:

-- the self-signed certificate

Throws:

java.security.InvalidKeyException - Returned if the key pair is not RSA or DSA

java.security.cert.CertificateEncodingException - Returned if there are problems encoding the certificate

SelfSign

public static LunaCertificateX509 SelfSign(java.security.KeyPair kp,
                           java.lang.String subject,
                           java.math.BigInteger serialNumber,
                           java.util.Date notBefore,
                           java.util.Date notAfter,
                           int slot)
                                    throws java.security.InvalidKeyException,
                                           java.security.cert.CertificateEncodingException

Create a LunaCertificateX509 on the specified slot by self-signing a key pair.

Accepts an RSA, DSA or ECDSA key pair and creates a self-signed certificate from them. If the key pair is RSA, SHA1withRSA is used as the signature algorithm. If the key pair is DSA, SHA1withDSA is used. If the key pair is ECDSA, SHA1withECDSA is used.

Parameters:

kp - The key pair

subject - The distinguished name for the subject and issuer

serialNumber - The serial number of the certificate

notBefore - the notBefore date of the certificate

notAfter - the notAfter date of the certificate

slot - slot number

Returns:

-- the self-signed certificate

Throws:

java.security.InvalidKeyException - Returned if the key pair is not RSA, DSA or ECDSA

java.security.cert.CertificateEncodingException - Returned if there are problems encoding the certificate

LocateCertByAlias

public static LunaCertificateX509 LocateCertByAlias(java.lang.String alias)

Create a LunaCertificateX509 object by searching the default token for a certificate with the given alias.

Parameters:

alias - The alias of the certificate to search for

Returns:

The certificate, or null if no such certificate exists

LocateCertByAlias

public static LunaCertificateX509 LocateCertByAlias(java.lang.String alias,
                                    int slot)

Create a LunaCertificateX509 object by searching the specified token for a certificate with the given alias.

Parameters:

alias - The alias of the certificate to search for

slot - The slot to search

Returns:

The certificate, or null if no such certificate exists

LocateCertByOUID

public static LunaCertificateX509 LocateCertByOUID(byte[] ouid)

Create a LunaCertificateX509 object by searching the default token for a certificate with the given CKA_OUID.

Parameters:

ouid - The OUID of the certificate to search for

Returns:

The certificate, or null if no such certificate exists

LocateCertByOUID

public static LunaCertificateX509 LocateCertByOUID(byte[] ouid,
                                   int slot)

Create a LunaCertificateX509 object by searching the specified token for a certificate with the given CKA_OUID.

Parameters:

ouid - The OUID of the certificate to search for

slot - The slot to search

Returns:

The certificate, or null if no such certificate exists

LocateCertByHandle

public static LunaCertificateX509 LocateCertByHandle(int handle)

Locate a certificate on the default slot by using the object handle.

Parameters:

handle - The handle of the certificate to retrieve

Returns:

Returns The certificate object

LocateCertByHandle

public static LunaCertificateX509 LocateCertByHandle(int handle,
                                     int slot)

Locate a certificate on the specified slot by using the object handle.

Parameters:

handle - The handle of the certificate to retrieve

slot - The slot the certificate lives on

Returns:

the certificate object

Throws:

LunaException - if the handle does not point to a certificate object on the HSM

getEncoded

public byte[] getEncoded()
                  throws java.security.cert.CertificateEncodingException

Retrieve the encoding of the certificate.

Specified by:

getEncoded in class java.security.cert.Certificate

Throws:

java.security.cert.CertificateEncodingException

toString

public java.lang.String toString()

Retrieve a (short) string representation of the object

Specified by:

toString in class java.security.cert.Certificate

verify

public void verify(java.security.PublicKey key)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Verifies that this certificate was signed using the private key that corresponds to the specified public key.

Specified by:

verify in class java.security.cert.Certificate

Throws:

java.security.cert.CertificateException

java.security.NoSuchAlgorithmException

java.security.InvalidKeyException

java.security.NoSuchProviderException

java.security.SignatureException

verify

public void verify(java.security.PublicKey key,
          java.lang.String sigProvider)
            throws java.security.cert.CertificateException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Verifies that this certificate was signed using the private key that corresponds to the specified public key.

Specified by:

verify in class java.security.cert.Certificate

Throws:

java.security.cert.CertificateException

java.security.NoSuchAlgorithmException

java.security.InvalidKeyException

java.security.NoSuchProviderException

java.security.SignatureException

getPublicKey

public java.security.PublicKey getPublicKey()

Gets the public key from this certificate.

Specified by:

getPublicKey in class java.security.cert.Certificate

checkValidity

public void checkValidity()
                   throws java.security.cert.CertificateExpiredException,
                          java.security.cert.CertificateNotYetValidException

Checks that the certificate is currently valid.

Specified by:

checkValidity in class java.security.cert.X509Certificate

Throws:

java.security.cert.CertificateExpiredException

java.security.cert.CertificateNotYetValidException

checkValidity

public void checkValidity(java.util.Date date)
                   throws java.security.cert.CertificateExpiredException,
                          java.security.cert.CertificateNotYetValidException

Checks that the given date is within the certificate's validity period.

Specified by:

checkValidity in class java.security.cert.X509Certificate

Throws:

java.security.cert.CertificateExpiredException

java.security.cert.CertificateNotYetValidException

getBasicConstraints

public int getBasicConstraints()

Gets the certificate constraints path length from the critical BasicConstraints extension, (OID = 2.5.29.19).

Specified by:

getBasicConstraints in class java.security.cert.X509Certificate

getIssuerDN

@Deprecated
public java.security.Principal getIssuerDN()

Deprecated. This method has been denigrated by SUN as of Java 5.0. Use getIssuerX500Principal() instead. CANNOT REMOVE THIS : X509Certificate DECLARES IT ABSTRACT, SO MUST IMPLEMENT.

Gets the issuer (issuer distinguished name) value from the certificate.

Specified by:

getIssuerDN in class java.security.cert.X509Certificate

getIssuerX500Principal

public javax.security.auth.x500.X500Principal getIssuerX500Principal()

Gets the issuer distinguished name from the certificate.

Overrides:

getIssuerX500Principal in class java.security.cert.X509Certificate

See Also:

X509Certificate.getIssuerX500Principal()

getIssuerUniqueID

public boolean[] getIssuerUniqueID()

Gets the issuerUniqueID value from the certificate.

Specified by:

getIssuerUniqueID in class java.security.cert.X509Certificate

getKeyUsage

public boolean[] getKeyUsage()

Gets a boolean array representing bits of the KeyUsage extension, (OID = 2.5.29.15).

Specified by:

getKeyUsage in class java.security.cert.X509Certificate

getExtendedKeyUsage

public java.util.List<java.lang.String> getExtendedKeyUsage()

Gets a list of extended key usage details

Overrides:

getExtendedKeyUsage in class java.security.cert.X509Certificate

getNotAfter

public java.util.Date getNotAfter()

Gets the notAfter date from the validity period of the certificate.

Specified by:

getNotAfter in class java.security.cert.X509Certificate

getNotBefore

public java.util.Date getNotBefore()

Gets the notBefore date from the validity period of the certificate.

Specified by:

getNotBefore in class java.security.cert.X509Certificate

getSerialNumber

public java.math.BigInteger getSerialNumber()

Gets the serialNumber value from the certificate.

Specified by:

getSerialNumber in class java.security.cert.X509Certificate

getSigAlgName

public java.lang.String getSigAlgName()

Gets the signature algorithm name for the certificate signature algorithm.

Specified by:

getSigAlgName in class java.security.cert.X509Certificate

getSigAlgOID

public java.lang.String getSigAlgOID()

Gets the signature algorithm OID string from the certificate.

Specified by:

getSigAlgOID in class java.security.cert.X509Certificate

getSigAlgParams

public byte[] getSigAlgParams()

Gets the DER-encoded signature algorithm parameters from this certificate's signature algorithm.

Specified by:

getSigAlgParams in class java.security.cert.X509Certificate

getSignature

public byte[] getSignature()

Gets the signature value (the raw signature bits) from the certificate.

Specified by:

getSignature in class java.security.cert.X509Certificate

getSubjectDN

@Deprecated
public java.security.Principal getSubjectDN()

Deprecated. This method has been denigrated by SUN as of Java 5.0. Use getSubjectX500Principal() instead. CANNOT REMOVE THIS : X509Certificate DECLARES IT ABSTRACT, SO MUST IMPLEMENT.

Gets the subject (subject distinguished name) value from the certificate.

Specified by:

getSubjectDN in class java.security.cert.X509Certificate

getSubjectX500Principal

public javax.security.auth.x500.X500Principal getSubjectX500Principal()

Overrides:

getSubjectX500Principal in class java.security.cert.X509Certificate

getSubjectUniqueID

public boolean[] getSubjectUniqueID()

Gets the subjectUniqueID value from the certificate.

Specified by:

getSubjectUniqueID in class java.security.cert.X509Certificate

getTBSCertificate

public byte[] getTBSCertificate()
                         throws java.security.cert.CertificateEncodingException

Gets the DER-encoded certificate information, the tbsCertificate from this certificate.

Specified by:

getTBSCertificate in class java.security.cert.X509Certificate

Throws:

java.security.cert.CertificateEncodingException

getVersion

public int getVersion()

Gets the version (version number) value from the certificate.

Specified by:

getVersion in class java.security.cert.X509Certificate

getExtensionValue

public byte[] getExtensionValue(java.lang.String oid)

Gets the DER-encoded OCTET string for the extension value (extnValue) identified by the passed-in oid String.

Specified by:

getExtensionValue in interface java.security.cert.X509Extension

getNonCriticalExtensionOIDs

public java.util.Set<java.lang.String> getNonCriticalExtensionOIDs()

Gets a Set of the OID strings for the extension(s) marked NON-CRITICAL.

Specified by:

getNonCriticalExtensionOIDs in interface java.security.cert.X509Extension

getCriticalExtensionOIDs

public java.util.Set<java.lang.String> getCriticalExtensionOIDs()

Gets a Set of the OID strings for the extension(s) marked CRITICAL.

Specified by:

getCriticalExtensionOIDs in interface java.security.cert.X509Extension

hasUnsupportedCriticalExtension

public boolean hasUnsupportedCriticalExtension()

Check if there is a critical extension that is not supported. Given that all we have to do with extensions is return their value, there are no extensions we can't support.

Specified by:

hasUnsupportedCriticalExtension in interface java.security.cert.X509Extension

GetCertChainEntryName

protected static java.lang.String GetCertChainEntryName(java.lang.String alias,
                                     int index)

GetCertHandle

public int GetCertHandle()

Returns the handle of the certificate stored in hardware.

Returns:

the handle of the certificate in the HSM

MakePersistent

public void MakePersistent(java.lang.String alias)

Store a LunaCertificateX509 on a Luna token

Parameters:

alias - The alias to assign to the certificate

IsCertPersistent

public boolean IsCertPersistent()

Returns:

a boolean indicating whether or not the given LunaKey object is persistent.

GetDateMadePersistent

public java.util.Date GetDateMadePersistent()

Returns:

the date that the LunaCertificateX509 was made persistent.

DestroyCert

public void DestroyCert()

Destroy the certificate object and remove it from the token.

GetFingerprint

public byte[] GetFingerprint()

Returns:

a fingerprint of an object (a byte array that contains a cryptographic hash of various attributes of the object). It is exceedingly unlikely that any two objects will share a fingerprint unless the objects are true duplicates of each other.

GetOUID

public byte[] GetOUID()

Returns the CKA_OUID of the certificate object in the HSM.

Returns:

the OUID as a byte array