public final class P11PrivateKeyObject extends P11StorageObject
A software representation of an Entrust digital identity in PKCS #11 format, as required by a Card Management System (CMS), will contain instances of these private key objects. The CMS is responsible for writing this object to the smart card.
The following object attributes are specified, in addition to those defined by a storage object:
For keys that were generated by the Entrust Authority Security Manager (EASM) and securely passed back to the CMS following the CMP transaction, the encrypted private key is also included as an EncryptedValue object. The private key is encrypted using the CMS protocol encryption certificate that was specified in the Certificate Management Protocol (CMP) transaction from which this private key object representation was returned, so only the holder of that certificate's private key can recover it. It is the responsibility of the CMS to decrypt and extract the private key.
For keys that were generated by the CMS, the certificate definition identifier for the certificate definition that this private key object corresponds to is also included, so that the CMS can determine which of its locally generated private keys this object represents. The certificate definition identifier SHOULD NOT be written to the smart card; it is included for private key identification purposes only.
The CMS must additionally supply the following attributes when the private key is written to the smart card:
Currently, only RSA and DSA private keys are supported in Entrust digital identities in PKCS #11 format. For an RSA private key, the following attributes are required:
Additionally, the following attributes may also be specified, but are not required by PKCS #11 or Entrust applications:
For a DSA private key, the following attributes are required:
For private key attributes that have not yet been specified (CKA_SUBJECT, CKA_SECONDARY_AUTH, ...), or have been specified but have not been set in the private key object representation, default values are to be used when the object is written to the smart card by the CMS.
In addition to writing the private key to the smart card, the CMS may also wish to import the key into the Microsoft CryptoAPI (CAPI). To aid in this process, the CAPI key container name for the private key formatted according to Entrust's key container naming schema is also provided by this class. It is the responsibility of the CMS to import the digital identity into CAPI if necessary.
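As an added example (not Entrust code and not part of this page's API), the following CMS-side helper shows how a CMS might consume a P11PrivateKeyObject before handing it to a token driver: it recovers the key material differently for EASM-generated and CMS-generated keys, copies the attributes the object carries, applies defaults for attributes that were left unset, and keeps the certificate definition identifier off the card. The class PrivateKeyWriter, the interfaces ProtocolDecryptor and LocalKeyStore, the Attr enumeration and the default values chosen are all assumptions made for illustration; only the P11PrivateKeyObject getters are taken from this page. The toolkit package names are not shown here, so imports for the Entrust classes are omitted.

```java
import java.util.EnumMap;
import java.util.Map;
import java.util.Objects;

// Illustrative CMS-side helper, not Entrust code. P11PrivateKeyObject,
// EncryptedValue and EntrustCertInfoId are the toolkit classes named on this
// page; their package is not shown, so their imports are omitted.
public final class PrivateKeyWriter {

    /** Subset of PKCS #11 attributes the CMS writes for a private key (assumed). */
    enum Attr { CKA_ID, CKA_LABEL, CKA_TOKEN, CKA_PRIVATE, CKA_SENSITIVE,
                CKA_EXTRACTABLE, CKA_DECRYPT, CKA_SIGN }

    /** Key material plus attribute template, ready for the token driver (assumed). */
    public static final class KeyToWrite {
        public final byte[] privateKeyEncoding;
        public final Map<Attr, Object> template;
        KeyToWrite(byte[] enc, Map<Attr, Object> t) { privateKeyEncoding = enc; template = t; }
    }

    /** Hypothetical hook: decrypts an EncryptedValue with the private key of the
     *  CMS protocol encryption certificate named in the CMP transaction. */
    public interface ProtocolDecryptor { byte[] decrypt(EncryptedValue ev); }

    /** Hypothetical hook: returns key material the CMS itself generated for a
     *  certificate definition earlier in the enrolment. */
    public interface LocalKeyStore { byte[] lookup(EntrustCertInfoId certDefnId); }

    public static KeyToWrite prepare(P11PrivateKeyObject key,
                                     ProtocolDecryptor decryptor,
                                     LocalKeyStore localKeys) {
        byte[] material;
        if (key.getEncryptedPrivateKey() != null) {
            // EASM-generated: the material is encrypted to the CMS protocol
            // encryption certificate and only the CMS can recover it.
            material = decryptor.decrypt(key.getEncryptedPrivateKey());
        } else {
            // CMS-generated: nothing to decrypt; the certificate definition
            // identifier says which locally generated key this object is.
            material = localKeys.lookup(key.getCertDefnId());
        }
        Objects.requireNonNull(material, "no private key material for this object");

        Map<Attr, Object> t = new EnumMap<>(Attr.class);
        // Attributes carried by the object. getCertDefnId() is deliberately NOT
        // copied: the page says it SHOULD NOT be written to the smart card.
        putIfSet(t, Attr.CKA_ID, key.getCkaId());
        putIfSet(t, Attr.CKA_LABEL, key.getCkaLabel());
        t.put(Attr.CKA_TOKEN, orDefault(key.getCkaToken(), Boolean.TRUE));
        t.put(Attr.CKA_PRIVATE, orDefault(key.getCkaPrivate(), Boolean.TRUE));
        // Defaults for unset protection attributes. These values are an assumed
        // CMS policy, not defaults mandated by this page: keep the material
        // sensitive and non-extractable unless the object says otherwise.
        t.put(Attr.CKA_SENSITIVE, orDefault(key.getCkaSensitive(), Boolean.TRUE));
        t.put(Attr.CKA_EXTRACTABLE, orDefault(key.getCkaExtractable(), Boolean.FALSE));
        // Usage flags: copy when set, otherwise omit so the token applies its
        // own default (PKCS #11 leaves these token-specific).
        putIfSet(t, Attr.CKA_DECRYPT, key.getCkaDecrypt());
        putIfSet(t, Attr.CKA_SIGN, key.getCkaSign());

        // Assumed policy check: never write a key the token would hand back in
        // the clear (extractable and not sensitive).
        if (Boolean.TRUE.equals(t.get(Attr.CKA_EXTRACTABLE))
                && Boolean.FALSE.equals(t.get(Attr.CKA_SENSITIVE))) {
            throw new IllegalStateException(
                "refusing to write plaintext-extractable key: " + key.getCkaLabel());
        }
        return new KeyToWrite(material, t);
    }

    private static Boolean orDefault(Boolean v, Boolean dflt) { return v != null ? v : dflt; }

    private static void putIfSet(Map<Attr, Object> t, Attr a, Object v) {
        if (v != null) t.put(a, v);
    }
}
```

The split between the two kinds of unset attribute is the point worth copying: usage flags (CKA_DECRYPT, CKA_SIGN) can safely be left to the token's default because the worst outcome is an unusable key, whereas CKA_SENSITIVE and CKA_EXTRACTABLE decide whether the material can ever leave the card, so a CMS should pin them explicitly rather than trust whatever the token chooses.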
| Modifier and Type | Method and Description |
|---|---|
| java.lang.String | getCAPIKeyContainerName(): Returns the CAPI key container name. |
| EntrustCertInfoId | getCertDefnId(): Returns the certificate definition identifier for the certificate definition that this private key corresponds to. |
| java.lang.Boolean | getCkaDecrypt(): Returns an indicator for whether or not the key supports decryption. |
| java.lang.Boolean | getCkaExtractable(): Returns an indicator for whether or not the key is extractable. |
| byte[] | getCkaId(): Returns the key identifier for the key. |
| java.lang.Boolean | getCkaSensitive(): Returns an indicator for whether or not the key is sensitive. |
| java.lang.Boolean | getCkaSign(): Returns an indicator for whether or not the key supports signatures where the signature is an appendix to the data. |
| EncryptedValue | getEncryptedPrivateKey(): Returns the private key in encrypted format. |
| P11X509CertificateObject | getMatchingP11CertObj(): Returns the P11 certificate object that corresponds to this P11 private key object. |
Methods inherited from class P11StorageObject: getCkaClass, getCkaLabel, getCkaPrivate, getCkaToken, isDataObject, isPrivateKeyObject, isX509CertificateObject

public byte[] getCkaId()
Returns the key identifier (CKA_ID) for the key if it has been set; null otherwise.

public java.lang.Boolean getCkaSensitive()
Returns whether the key is sensitive (CKA_SENSITIVE) if it has been set; null otherwise.

public java.lang.Boolean getCkaDecrypt()
Returns whether the key supports decryption (CKA_DECRYPT) if it has been set; null otherwise.

public java.lang.Boolean getCkaSign()
Returns whether the key supports signatures where the signature is an appendix to the data (CKA_SIGN) if it has been set; null otherwise.

public java.lang.Boolean getCkaExtractable()
Returns whether the key is extractable (CKA_EXTRACTABLE) if it has been set; null otherwise.

public EntrustCertInfoId getCertDefnId()
The certificate definition identifier is always set. For keys that were generated by the CMS, it allows the CMS to determine which of its locally generated private keys this object represents. The certificate definition identifier SHOULD NOT be written to the smart card; it is included for private key identification purposes only.
public EncryptedValue getEncryptedPrivateKey()
For keys that were generated by the EASM and securely passed back to the CMS following the CMP transaction, the encrypted private key is also included as an EncryptedValue object. The private key is encrypted using the CMS protocol encryption certificate that was specified in the CMP transaction from which this private key object representation was returned. It is the responsibility of the CMS to decrypt and extract the private key.
Returns the encrypted private key for EASM-generated keys; null otherwise.

public java.lang.String getCAPIKeyContainerName()
The CAPI key container name is formatted according to Entrust's key container naming schema. It identifies the key container in CAPI the private key should be imported into when the digital identity this key belongs to is being imported into CAPI.
public P11X509CertificateObject getMatchingP11CertObj()
When the digital identity is being created in CAPI, a certificate is required for every private key; this method returns the certificate object that corresponds to this private key, which makes key/certificate matching straightforward. This method should only be used for digital identities that are being written to CAPI.
If the digital identity representation does not include all certificates in the user's certificate history, a matching P11 certificate object may not exist (a user's certificate history is typically not stored in an Entrust PKCS #11 formatted digital identity). To request that the digital identity representation contain the user's certificate history, see CMPForCardMS.setIncludeUserCertHistory(boolean).