org.mozilla.jss.pkcs12
Class PFX
java.lang.Object
org.mozilla.jss.pkcs12.PFX
- ASN1Value
public class PFX
extends java.lang.Object
The top level ASN.1 structure for a PKCS #12 blob.
The general procedure for creating a PFX blob is as follows:
- Create instances of
SafeBag
containing things such as
private keys, certificates, or arbitrary secrets.
- Store the SafeBags in one or more SEQUENCEs. Each SEQUENCE is
called a SafeContents.
- Create an AuthenticatedSafes. Store each SafeContents into the
AuthenticatedSafes with
addEncryptedSafeContents
or
addSafeContents
.
Standard procedure for browsers is for the AuthenticatedSafes to contain
two instances of SafeContents, one encrypted and the other not.
Anything you want encrypted can go in the encrypted SafeContents,
and anything you want in plaintext can go in the regular SafeContents.
Keep in mind that private key SafeBags usually consist of an
EncryptedPrivateKeyInfo, which has its own (strong) encryption,
in which case it is not essential that the SafeContents containing
the private key also be encrypted.
- Create a PFX containing the AuthenticatedSafes instance, using the
PFX(AuthenticatedSafes)
constructor.
- Add a MAC to the PFX so it can be verified, using
PFX.computeMacData
.
To decode a PFX,
- Use a
PFX.Template
to decode the ASN.1 into a
PFX
object.
- Check the output of
PFX.verifyAuthSafes
to verify
the MAC on the PFX.
- Use
PFX.getAuthSafes
to extract the AuthenticatedSafes
instance.
- Use
AuthenticatedSafes.getSafeContentsAt
to grab the
SafeContents objects in the AuthenticatedSafes.
- Each SafeContents is a SEQUENCE of SafeBags, each of which may
contain a private key, cert, or arbitrary secret.
static class | PFX.Template - A Template for decoding a BER-encoded PFX.
|
static int | DEFAULT_ITERATIONS - The default number of iterations to use when generating the MAC.
|
void | computeMacData(Password password, byte[] salt, int iterationCount) - Computes the macData field and adds it to the PFX.
|
void | encode(OutputStream ostream) - Write this value's DER encoding to an output stream using
its own base tag.
|
void | encode(Tag implicitTag, OutputStream ostream) - Write this value's DER encoding to an output stream using
an implicit tag.
|
AuthenticatedSafes | getAuthSafes()
|
MacData | getMacData() - Returns the MacData of this PFX, which is used to verify the contents.
|
Tag | getTag() - Returns the base tag for this type, not counting any tags
that may be imposed on it by its context.
|
INTEGER | getVersion()
|
static void | main(String[] args)
|
boolean | verifyAuthSafes(Password password, StringBuffer reason) - Verifies the HMAC on the authenticated safes, using the password
provided.
|
DEFAULT_ITERATIONS
public static final int DEFAULT_ITERATIONS
The default number of iterations to use when generating the MAC.
Currently, it is 1.
PFX
public PFX(AuthenticatedSafes authSafes)
Creates a PFX with the default version and no MacData. The MacData
can be added later with computeMacData
.
computeMacData
public void computeMacData(Password password,
byte[] salt,
int iterationCount)
throws CryptoManager.NotInitializedException,
DigestException,
TokenException,
CharConversionException
Computes the macData field and adds it to the PFX. The macData field
is a Message Authentication Code of the AuthenticatedSafes, and
is used to prove the authenticity of the PFX.
password
- The password to be used to create the password-based MAC.salt
- The salt to be used. If null is passed in, a new salt
will be created from a random source.iterationCount
- The iteration count for the key generation.
Use DEFAULT_ITERATIONS unless there's a need to be clever.
encode
public void encode(OutputStream ostream)
throws IOException
Write this value's DER encoding to an output stream using
its own base tag.
- encode in interface ASN1Value
encode
public void encode(Tag implicitTag,
OutputStream ostream)
throws IOException
Write this value's DER encoding to an output stream using
an implicit tag.
- encode in interface ASN1Value
getMacData
public MacData getMacData()
Returns the MacData of this PFX, which is used to verify the contents.
This field is optional. If it is not present, null is returned.
getTag
public Tag getTag()
Returns the base tag for this type, not counting any tags
that may be imposed on it by its context.
- getTag in interface ASN1Value
getVersion
public INTEGER getVersion()
main
public static void main(String[] args)
verifyAuthSafes
public boolean verifyAuthSafes(Password password,
StringBuffer reason)
throws CryptoManager.NotInitializedException
Verifies the HMAC on the authenticated safes, using the password
provided.
password
- The password to use to compute the HMAC.reason
- If supplied, the reason for the verification failure
will be appended to this StringBuffer.
- true if the MAC verifies correctly, false otherwise. If
this PFX does not contain a MacData, returns false.