com.entrust.toolkit.credentials

Class CredentialRecoverer

java.lang.Object

com.entrust.toolkit.credentials.CredentialReader

com.entrust.toolkit.credentials.CMPCredentialReader

com.entrust.toolkit.credentials.CMPSoftwareCredentialReader

com.entrust.toolkit.credentials.CredentialRecoverer

public final class CredentialRecoverer
extends CMPSoftwareCredentialReader

This credential reader is designed for recovering an Entrust user's Digital Identity in software (not on a PKCS#11 device) using Entrust profile format version 4.

All communication with the Entrust Security Manager is done using the PKIX-CMP protocol.

Recovering an Entrust Digital Identity involves generating all client generated key pairs in software, requesting all server generated key pairs from the Security Manager, and securely storing all in a software-based Digital Identity store.

When recovering an Entrust Digital Identity, the user must have a connection to the Security Manager and Directory set, and must have a credential writer set. The following credential writers can all be used with this credential reader:

• FilenameProfileWriter
• StreamProfileWriter
• RoamingCredentialWriter

Below is an example of how a user's Digital Identity can be recovered (all capitalized values must be provided by the user):

 User user = new User();
 
 JNDIDirectory directory = new JNDIDirectory(DIRECTORY_IP, DIRECTORY_PORT);
 ManagerTransport transport = new ManagerTransport(MANAGER_IP, MANAGER_PORT);
 user.setConnections(directory, transport);
 
 SecureStringBuffer secureRefNum = new SecureStringBuffer(REF_NUM);
 AuthorizationCode secureAuthCode = new AuthorizationCode(AUTH_CODE);
 SecureStringBuffer securePassword = new SecureStringBuffer(PASSWORD);
 CredentialReader credentialReader = new CredentialRecoverer(secureRefNum, secureAuthCode);
 CredentialWriter credentialWriter = new FilenameProfileWriter(EPF_FILE_NAME);
 user.setCredentialWriter(credentialWriter);
 user.login(credentialReader, securePassword);
 

Field Summary

Fields inherited from class com.entrust.toolkit.credentials.CMPCredentialReader

DSASignature, ECDSASignature, PKIX4Version, PKIX5Version, RSASignature

Constructor Summary

Constructors

Constructor and Description
CredentialRecoverer(SecureStringBuffer referenceNumber, AuthorizationCode authorizationCode) A constructor; create a new CredentialRecoverer object.
CredentialRecoverer(SecureStringBuffer referenceNumber, AuthorizationCode authorizationCode, java.security.spec.AlgorithmParameterSpec clientKeyGenerationParameter) A constructor; creates a new CredentialRecoverer object and configures it for operation with custom key generation parameters.
CredentialRecoverer(SecureStringBuffer referenceNumber, AuthorizationCode authorizationCode, int signingKeyAlgorithm, java.security.spec.AlgorithmParameterSpec clientKeyGenerationParameter, int pkixVersion) Deprecated. this constructor contains obsolete parameters; use another constructor that does not.
CredentialRecoverer(SecureStringBuffer referenceNumber, AuthorizationCode authorizationCode, int signingKeyAlgorithm, int signingKeyStrength, int pkixVersion) Deprecated. this constructor contains obsolete parameters; use another constructor that does not

Method Summary

Methods

Modifier and Type	Method and Description
java.lang.String	getType() Returns the type (name) of this specific credential reader.
void	setPreserveUserKeyPairVersion(boolean preserveUserKeyPairVersion) Allows the caller to maintain the client key-pair version during a recover operation.

Methods inherited from class com.entrust.toolkit.credentials.CMPSoftwareCredentialReader

setClientKeyGenerationUtil

Methods inherited from class com.entrust.toolkit.credentials.CMPCredentialReader

setClientKeyGenParams, setForceV1KeyPair

Methods inherited from class com.entrust.toolkit.credentials.CredentialReader

checkPwd

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CredentialRecoverer

public CredentialRecoverer(SecureStringBuffer referenceNumber,
                   AuthorizationCode authorizationCode)

A constructor; create a new CredentialRecoverer object.

Using the reference number and authentication code, the user's Digital Identity is recovered using the PKIX-CMP protocol. Any keys that are to be client generated are generated in software. All other information is retrieved from the Security Manager and written to the software-based Digital Identity store.

Parameters:

referenceNumber - the reference number assigned to the user; an 8 digit integer obtained from the Security Manager by the PKI Administrator

authorizationCode - the authorization code assigned to the user; an alphanumeric string (of the form ABCD-EFGH-IJKL) obtained from the Security Manager by the PKI Administrator

Throws:

java.lang.IllegalArgumentException - thrown if any of the required parameters are null

Since:

7.0

CredentialRecoverer

public CredentialRecoverer(SecureStringBuffer referenceNumber,
                   AuthorizationCode authorizationCode,
                   int signingKeyAlgorithm,
                   int signingKeyStrength,
                   int pkixVersion)

Deprecated. this constructor contains obsolete parameters; use another constructor that does not

A constructor; create a new CredentialRecoverer object (legacy).

Using the reference number and authentication code, the user's Digital Identity is recovered using the PKIX-CMP protocol. Any keys that are to be client generated are generated in software. All other information is retrieved from the Security Manager and written to the software-based Digital Identity store.

Parameters:

referenceNumber - the reference number assigned to the user; an 8 digit integer obtained from the Security Manager by the PKI Administrator

authorizationCode - the authorization code assigned to the user; an alphanumeric string (of the form ABCD-EFGH-IJKL) obtained from the Security Manager by the PKI Administrator

signingKeyAlgorithm - this parameter is no longer used; as of JTK 7.0 the algorithm of the signing key pair is always extracted from the user's policy settings

signingKeyStrength - this parameter is no longer used; as of JTK 7.0 the strength of the signing key pair is always extracted from the user's policy settings

pkixVersion - this parameter is no longer used; as of JTK 7.0 proto-PKIX is not supported and instead PKIX-CMP is always used for communication with the Security Manager

Throws:

java.lang.IllegalArgumentException - thrown if any of the required parameters are null

CredentialRecoverer

public CredentialRecoverer(SecureStringBuffer referenceNumber,
                   AuthorizationCode authorizationCode,
                   java.security.spec.AlgorithmParameterSpec clientKeyGenerationParameter)

A constructor; creates a new CredentialRecoverer object and configures it for operation with custom key generation parameters.

Using the reference number and authentication code, the user's Digital Identity is recovered using the PKIX-CMP protocol. Any keys that are to be client generated are generated in software. All other information is retrieved from the Security Manager and written to a software-based Digital Identity store.

Parameters:

referenceNumber - the reference number assigned to the user; an 8 digit integer obtained from the Security Manager by the PKI Administrator

authorizationCode - the authorization code assigned to the user; an alphanumeric string (of the form ABCD-EFGH-IJKL) obtained from the Security Manager by the PKI Administrator

clientKeyGenerationParameter - client specified key generation parameters

Throws:

java.lang.IllegalArgumentException - thrown if any of the required parameters are null

Since:

7.0

CredentialRecoverer

public CredentialRecoverer(SecureStringBuffer referenceNumber,
                   AuthorizationCode authorizationCode,
                   int signingKeyAlgorithm,
                   java.security.spec.AlgorithmParameterSpec clientKeyGenerationParameter,
                   int pkixVersion)

Deprecated. this constructor contains obsolete parameters; use another constructor that does not.

A constructor; creates a new CredentialRecoverer object and configures it for operation with custom key generation parameters (legacy).

Using the reference number and authentication code, the user's Digital Identity is recovered using the PKIX-CMP protocol. Any keys that are to be client generated are generated in software. All other information is retrieved from the Security Manager and written to a software-based Digital Identity store.

Parameters:

referenceNumber - the reference number assigned to the user; an 8 digit integer obtained from the Security Manager by the PKI Administrator

authorizationCode - the authorization code assigned to the user; an alphanumeric string (of the form ABCD-EFGH-IJKL) obtained from the Security Manager by the PKI Administrator

signingKeyAlgorithm - this parameter is no longer used; as of JTK 7.0 the algorithm of the signing key pair is always extracted from the user's policy settings

clientKeyGenerationParameter - client specified key generation parameters

pkixVersion - this parameter is no longer used; as of JTK 7.0 proto-PKIX is not supported and instead PKIX-CMP is always used for communication with the Security Manager

Throws:

java.lang.IllegalArgumentException - thrown if any of the required parameters are null

Method Detail

getType

public java.lang.String getType()

Description copied from class: CredentialReader

Returns the type (name) of this specific credential reader.

Specified by:

getType in class CredentialReader

Returns:

the type (name) of credential reader

setPreserveUserKeyPairVersion

public void setPreserveUserKeyPairVersion(boolean preserveUserKeyPairVersion)

Allows the caller to maintain the client key-pair version during a recover operation.

The user will be recovered using the protocol version that matches the users key-pair type.

Parameters:

preserveUserKeyPairVersion - when true the user key-pair version will not change. When false the user key-pair version will be handled as described in setForceV1KeyPair. This setting takes precedence over the setForceV1KeyPair setting.

Since:

8.0 patch

See Also:

setForceV1KeyPair