com.amazonaws.cloudhsm.jce.provider

Class CloudHsmKeyStore

java.lang.Object

java.security.KeyStoreSpi

com.amazonaws.cloudhsm.jce.provider.CloudHsmKeyStore

public class CloudHsmKeyStore
extends java.security.KeyStoreSpi

CloudHsmKeyStore extends KeyStoreSpi to create an instance of a KeyStore which can be used to store keys or certificates.

Constructor Summary

Constructors

Constructor and Description
CloudHsmKeyStore(CloudHsmProvider provider) Constructs a CloudHSM KeyStore.

Method Summary

Modifier and Type	Method and Description
java.util.Enumeration<java.lang.String>	engineAliases()
boolean	engineContainsAlias(java.lang.String alias)
void	engineDeleteEntry(java.lang.String alias) CloudHsmKeyStore's deleteEntry method only supports deleting certificates and does not support deleting keys.
java.security.cert.Certificate	engineGetCertificate(java.lang.String alias)
java.lang.String	engineGetCertificateAlias(java.security.cert.Certificate cert)
java.security.cert.Certificate[]	engineGetCertificateChain(java.lang.String alias)
java.util.Date	engineGetCreationDate(java.lang.String alias)
java.security.Key	engineGetKey(java.security.spec.KeySpec findSpec) Returns the key that matches the provided key spec.
java.security.Key	engineGetKey(java.lang.String alias, char[] password) engineGetKey returns the key associated with the given alias.
java.util.List<java.security.Key>	engineGetKeys(java.security.spec.KeySpec keySpec) Returns the keys that matches the provided key spec.
boolean	engineIsCertificateEntry(java.lang.String alias)
boolean	engineIsKeyEntry(java.lang.String alias)
void	engineLoad(java.io.InputStream stream, char[] password)
void	engineSetCertificateEntry(java.lang.String alias, java.security.cert.Certificate cert)
void	engineSetKeyEntry(java.lang.String alias, byte[] key, java.security.cert.Certificate[] chain) Method not supported by CloudHSM.
void	engineSetKeyEntry(java.lang.String alias, java.security.Key key, char[] password, java.security.cert.Certificate[] chain) Assigns the given key to the given alias, protecting it with the given password.
int	engineSize()
void	engineStore(java.io.OutputStream stream, char[] password)

Methods inherited from class java.security.KeyStoreSpi

engineEntryInstanceOf, engineGetEntry, engineLoad, engineSetEntry, engineStore

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CloudHsmKeyStore

public CloudHsmKeyStore(CloudHsmProvider provider)
                 throws java.security.KeyStoreException,
                        java.lang.IllegalStateException

Constructs a CloudHSM KeyStore. It creates a KeyStore instance and holds a reference to it.

Parameters:

provider - CloudHSM provider offering this service.

Throws:

java.security.KeyStoreException - if it fails to get KeyStoreSpi.

java.lang.IllegalStateException - when provider is null.

Method Detail

engineAliases

public java.util.Enumeration<java.lang.String> engineAliases()

Specified by:

engineAliases in class java.security.KeyStoreSpi

engineContainsAlias

public boolean engineContainsAlias(java.lang.String alias)

Specified by:

engineContainsAlias in class java.security.KeyStoreSpi

engineDeleteEntry

public void engineDeleteEntry(java.lang.String alias)
                       throws java.security.KeyStoreException

CloudHsmKeyStore's deleteEntry method only supports deleting certificates and does not support deleting keys.

To delete CloudHSM keys, use Destroyable.destroy().

Specified by:

engineDeleteEntry in class java.security.KeyStoreSpi

Throws:

java.security.KeyStoreException - if the provided alias is null, or the provided alias is not an alias of a certificate entry.

engineGetCertificate

public java.security.cert.Certificate engineGetCertificate(java.lang.String alias)

Specified by:

engineGetCertificate in class java.security.KeyStoreSpi

engineGetCertificateAlias

public java.lang.String engineGetCertificateAlias(java.security.cert.Certificate cert)

Specified by:

engineGetCertificateAlias in class java.security.KeyStoreSpi

engineGetCertificateChain

public java.security.cert.Certificate[] engineGetCertificateChain(java.lang.String alias)

Specified by:

engineGetCertificateChain in class java.security.KeyStoreSpi

engineGetCreationDate

public java.util.Date engineGetCreationDate(java.lang.String alias)

Specified by:

engineGetCreationDate in class java.security.KeyStoreSpi

engineGetKey

public java.security.Key engineGetKey(java.lang.String alias,
                                      char[] password)
                               throws java.security.NoSuchAlgorithmException,
                                      java.security.UnrecoverableKeyException

engineGetKey returns the key associated with the given alias.

Using a password to recover keys is not supported by CloudHSM. The password should be null.

Specified by:

engineGetKey in class java.security.KeyStoreSpi

Throws:

java.security.NoSuchAlgorithmException - if the algorithm for recovering the key cannot be found.

java.security.UnrecoverableKeyException - if the key cannot be recovered.

engineIsCertificateEntry

public boolean engineIsCertificateEntry(java.lang.String alias)

Specified by:

engineIsCertificateEntry in class java.security.KeyStoreSpi

engineIsKeyEntry

public boolean engineIsKeyEntry(java.lang.String alias)

Specified by:

engineIsKeyEntry in class java.security.KeyStoreSpi

engineLoad

public void engineLoad(java.io.InputStream stream,
                       char[] password)
                throws java.io.IOException,
                       java.security.NoSuchAlgorithmException,
                       java.security.cert.CertificateException

Specified by:

engineLoad in class java.security.KeyStoreSpi

Throws:

java.io.IOException

java.security.NoSuchAlgorithmException

java.security.cert.CertificateException

engineSetCertificateEntry

public void engineSetCertificateEntry(java.lang.String alias,
                                      java.security.cert.Certificate cert)
                               throws java.security.KeyStoreException

Specified by:

engineSetCertificateEntry in class java.security.KeyStoreSpi

Throws:

java.security.KeyStoreException

engineSetKeyEntry

public void engineSetKeyEntry(java.lang.String alias,
                              byte[] key,
                              java.security.cert.Certificate[] chain)

Method not supported by CloudHSM.

Specified by:

engineSetKeyEntry in class java.security.KeyStoreSpi

Parameters:

alias - Unused

key - Unused

chain - Unused

Throws:

java.lang.UnsupportedOperationException - Always.

engineSetKeyEntry

public void engineSetKeyEntry(java.lang.String alias,
                              java.security.Key key,
                              char[] password,
                              java.security.cert.Certificate[] chain)
                       throws java.security.KeyStoreException

Assigns the given key to the given alias, protecting it with the given password. In addition, the key will be imported into the HSM as an ephemeral key if it's not already a CloudHsmKey.

If the given key is of type javax.crypto.SecretKey, it must NOT be accompanied by a certificate chain.

If the given key is of type java.security.PrivateKey, it must be accompanied by a certificate chain certifying the corresponding public key.

Specified by:

engineSetKeyEntry in class java.security.KeyStoreSpi

Parameters:

alias - the alias name

key - the key to be associated with the alias

password - the password to protect the key

chain - the certificate chain for the corresponding public key (only required if the given key is of type java.security.PrivateKey).

Throws:

java.security.KeyStoreException - if invalid parameters are given, or if the key given is unsupported, or if the given key cannot be protected, or this operation fails for some other reason

engineSize

public int engineSize()

Specified by:

engineSize in class java.security.KeyStoreSpi

engineStore

public void engineStore(java.io.OutputStream stream,
                        char[] password)
                 throws java.io.IOException,
                        java.security.NoSuchAlgorithmException,
                        java.security.cert.CertificateException

Specified by:

engineStore in class java.security.KeyStoreSpi

Throws:

java.io.IOException

java.security.NoSuchAlgorithmException

java.security.cert.CertificateException

engineGetKey

public java.security.Key engineGetKey(java.security.spec.KeySpec findSpec)
                               throws java.security.spec.InvalidKeySpecException

Returns the key that matches the provided key spec.

Parameters:

findSpec - the specification of the key. This must be either an instance of KeyAttributesMap or KeyReferenceSpec.

Returns:

A key object based on the specification.

Throws:

java.security.spec.InvalidKeySpecException - If the provided key spec is invalid.

See Also:

KeyAttributesMap, KeyReferenceSpec

engineGetKeys

public java.util.List<java.security.Key> engineGetKeys(java.security.spec.KeySpec keySpec)
                                                throws java.security.spec.InvalidKeySpecException

Returns the keys that matches the provided key spec.

Parameters:

keySpec - The attributes and their values that the keys should have.

Returns:

A list of key objects that match the specification.

Throws:

java.security.spec.InvalidKeySpecException - If the provided key spec is invalid.