public final class TokenCredentialCreatorOrRecoverer extends CMPTokenCredentialReader
The operation to be performed (user creation or user recovery) is determined
automatically based on the user's state. This class performs the services
offered by both the TokenCredentialCreator class and the
TokenCredentialRecoverer class and can be used in place of either.
For additional details on user creation or user recovery, please refer to the
class documentation of the aforementioned classes.
Note: This credential reader is not supported with Security Manager version 6.0.1 and earlier; with these older versions the user's state cannot be retrieved over PKIX-CMP.
DSASignature, ECDSASignature, PKIX4Version, PKIX5Version, RSASignature

| Constructor and Description |
|---|
| TokenCredentialCreatorOrRecoverer(SecureStringBuffer referenceNumber, AuthorizationCode authorizationCode, long slotId, PKCS11LibraryConnection pkcs11LibraryConnection): A constructor; creates a new TokenCredentialCreatorOrRecoverer object configured for use with a PKCS#11 device that has already been initialized. |
| TokenCredentialCreatorOrRecoverer(SecureStringBuffer referenceNumber, AuthorizationCode authorizationCode, long slotId, PKCS11LibraryConnection pkcs11LibraryConnection, SecureStringBuffer currentSoPin, SecureStringBuffer newSoPin): A constructor; creates a new TokenCredentialCreatorOrRecoverer object configured for use with a PKCS#11 device that has already been initialized and allows Security Officer PIN change. |
| TokenCredentialCreatorOrRecoverer(SecureStringBuffer referenceNumber, AuthorizationCode authorizationCode, long slotId, PKCS11LibraryConnection pkcs11LibraryConnection, SecureStringBuffer soPin, java.lang.String label): A constructor; creates a new TokenCredentialCreatorOrRecoverer object configured for use with a PKCS#11 device that needs to be initialized (or re-initialized). |

| Modifier and Type | Method and Description |
|---|---|
| java.lang.String | getType(): Returns the type (name) of this specific credential reader. |

setDeletionMechanism
setClientKeyGenParams, setForceV1KeyPair
checkPwd

public TokenCredentialCreatorOrRecoverer(SecureStringBuffer referenceNumber, AuthorizationCode authorizationCode, long slotId, PKCS11LibraryConnection pkcs11LibraryConnection)

A constructor; creates a new TokenCredentialCreatorOrRecoverer object configured for use with a PKCS#11 device that has already been initialized.

This constructor should be used when the PKCS#11 device (token) that
will be used to store the Digital Identity has already been set up with a
Normal User. Prior to Digital Identity creation, the token will be
prepared using one of the deletion mechanisms. A deletion mechanism
indicates which objects on the token must be deleted; this can be set by
calling setDeletionMechanism(TokenDeletionMechanism). The
default deletion mechanism will simply delete all objects created by
Entrust from the token.

When the user logs in, a connection is made to the token located at the indicated slot ID using the PKCS#11 library provided. The token is then prepared, which may delete some of the objects it currently contains. Next, the Normal User is logged in to the token using the user's log-on password. At this point the token is ready for the Digital Identity create/recover operation.

Using the reference number and authorization code, the user's Digital Identity is created/recovered using the PKIX-CMP protocol. Any keys that are to be client generated are generated directly on the token. All other Digital Identity information is retrieved from the Security Manager and written to the token.

Parameters:
referenceNumber - the reference number assigned to the user; an 8-digit integer obtained from the Security Manager by the PKI Administrator
authorizationCode - the authorization code assigned to the user; an alphanumeric string (of the form ABCD-EFGH-IJKL) obtained from the Security Manager by the PKI Administrator
slotId - the slot ID indicating the location on the token where the user's Digital Identity will be stored
getSlotList() method from the PKCS11Information class.
pkcs11LibraryConnection - a connection to the PKCS#11 library of the token

Throws:
java.lang.IllegalArgumentException - thrown if any of the required parameters are null

public TokenCredentialCreatorOrRecoverer(SecureStringBuffer referenceNumber, AuthorizationCode authorizationCode, long slotId, PKCS11LibraryConnection pkcs11LibraryConnection, SecureStringBuffer currentSoPin, SecureStringBuffer newSoPin)

A constructor; creates a new TokenCredentialCreatorOrRecoverer object configured for use with a PKCS#11 device that has already been initialized and allows Security Officer PIN change.

This constructor should be used when the PKCS#11 device (token) that
will be used to store the Digital Identity has already been set up with a
Normal User. It also provides the ability to change the Security Officer
PIN. Prior to Digital Identity creation, the token will be prepared using
one of the deletion mechanisms. A deletion mechanism indicates which
objects on the token must be deleted; this can be set by calling
setDeletionMechanism(TokenDeletionMechanism). The default
deletion mechanism will simply delete all objects created by Entrust from
the token.

When the user logs in, a connection is made to the token located at the indicated slot ID using the PKCS#11 library provided. The token is then prepared, which may delete some of the objects it currently contains. If the current and new Security Officer PINs were provided, the PIN of the Security Officer is changed. Next, the Normal User is logged in to the token using the user's log-on password. At this point the token is ready for the Digital Identity create/recover operation.

Using the reference number and authorization code, the user's Digital Identity is created/recovered using the PKIX-CMP protocol. Any keys that are to be client generated are generated directly on the token. All other Digital Identity information is retrieved from the Security Manager and written to the token.

Parameters:
referenceNumber - the reference number assigned to the user; an 8-digit integer obtained from the Security Manager by the PKI Administrator
authorizationCode - the authorization code assigned to the user; an alphanumeric string (of the form ABCD-EFGH-IJKL) obtained from the Security Manager by the PKI Administrator
slotId - the slot ID indicating the location on the token where the user's Digital Identity will be stored
getSlotList() method from the PKCS11Information class.
pkcs11LibraryConnection - a connection to the PKCS#11 library of the token
currentSoPin - the current PIN of the Security Officer user on the token; when set (along with newSoPin) the Security Officer PIN will be changed to the new value indicated (OPTIONAL)
newSoPin - the new PIN for the Security Officer user on the token; when set (along with currentSoPin) the Security Officer PIN will be changed to this value (OPTIONAL)

Throws:
java.lang.IllegalArgumentException - thrown if any of the required parameters are null

public TokenCredentialCreatorOrRecoverer(SecureStringBuffer referenceNumber, AuthorizationCode authorizationCode, long slotId, PKCS11LibraryConnection pkcs11LibraryConnection, SecureStringBuffer soPin, java.lang.String label)

A constructor; creates a new TokenCredentialCreatorOrRecoverer object configured for use with a PKCS#11 device that needs to be initialized (or re-initialized).

This constructor should be used when the PKCS#11 device (token) that will be used to store the Digital Identity has not yet been initialized, or is to be re-initialized. Prior to Digital Identity creation, the token will be initialized by calling the PKCS#11 function C_InitPIN. Be aware that not all tokens support this action; in this case, the token must be manually set up with a Normal User by some external means (custom token utilities).

When the user logs in, a connection is made to the token located at the indicated slot ID using the PKCS#11 library provided. The token is then initialized, which will delete all information it currently contains, set the Security Officer PIN, and set the token label. Next, the Normal User PIN is initialized to the user's log-on password, and the Normal User is logged in to the token. At this point the token is ready for the Digital Identity create/recover operation.

Using the reference number and authorization code, the user's Digital Identity is created/recovered using the PKIX-CMP protocol. Any keys that are to be client generated are generated directly on the token. All other Digital Identity information is retrieved from the Security Manager and written to the token.

Parameters:
referenceNumber - the reference number assigned to the user; an 8-digit integer obtained from the Security Manager by the PKI Administrator
authorizationCode - the authorization code assigned to the user; an alphanumeric string (of the form ABCD-EFGH-IJKL) obtained from the Security Manager by the PKI Administrator
slotId - the slot ID indicating the location on the token where the user's Digital Identity will be stored
getSlotList() method from the PKCS11Information class.
pkcs11LibraryConnection - a connection to the PKCS#11 library of the token
soPin - the PIN of the Security Officer user on the token; this is automatically set when the token is initialized
label - a label for the token; this is automatically set when the token is initialized

Throws:
java.lang.IllegalArgumentException - thrown if any of the required parameters are null

public java.lang.String getType()

CredentialReader
getType in class CredentialReader
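
All three constructors prepare or initialize the token at login, before the PKIX-CMP exchange, so a mistyped reference number or authorization code is only discovered after token objects may already have been deleted. The following is an added example, not part of the Entrust toolkit or its documentation: a JDK-only format pre-check for the two enrollment secrets, run before they are wrapped and passed to a constructor. The class and method names are hypothetical, and reading "alphanumeric" as ASCII letters and digits is an assumption.

```java
import java.util.Arrays;

/** Added example (not Entrust code): format pre-check for enrollment secrets. */
public final class EnrollmentSecretPrecheck {

    /** Reference number: exactly 8 decimal digits, per the parameter description. */
    static boolean isReferenceNumber(char[] s) {
        if (s == null || s.length != 8) return false;
        for (char c : s) {
            if (c < '0' || c > '9') return false;   // ASCII digits only
        }
        return true;
    }

    /** Authorization code: three hyphen-separated groups of four (form ABCD-EFGH-IJKL). */
    static boolean isAuthorizationCode(char[] s) {
        if (s == null || s.length != 14) return false;
        for (int i = 0; i < s.length; i++) {
            char c = s[i];
            if (i == 4 || i == 9) {
                if (c != '-') return false;         // separators at fixed positions
            } else if (!isAsciiAlnum(c)) {
                return false;
            }
        }
        return true;
    }

    // Assumption: "alphanumeric" means ASCII letters and digits.
    private static boolean isAsciiAlnum(char c) {
        return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
    }

    /** Returns true only if both secrets are well formed; wipes both arrays otherwise. */
    static boolean precheck(char[] referenceNumber, char[] authorizationCode) {
        boolean ok = isReferenceNumber(referenceNumber) & isAuthorizationCode(authorizationCode);
        if (!ok) {
            // Do not leave rejected secrets lying around in memory.
            if (referenceNumber != null) Arrays.fill(referenceNumber, '\0');
            if (authorizationCode != null) Arrays.fill(authorizationCode, '\0');
        }
        return ok;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real enrollment secrets.
        System.out.println(precheck("12345678".toCharArray(), "ABCD-EFGH-IJKL".toCharArray()));
        System.out.println(precheck("1234567".toCharArray(), "ABCD-EFGH-IJKL".toCharArray()));
        System.out.println(precheck("12345678".toCharArray(), "ABCDEFGH-IJKL1".toCharArray()));
    }
}
```

The check works on char[] rather than String so the caller can clear the arrays once the values have been handed to the toolkit's own secure wrappers.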