Skip to main content

com.eruces.teagent.FileX509Context

The FileX509Context class is a file-backed, soft-key concrete X509Context for the AM08 X.509 challenge-response authentication protocol. It is the PKCS#12-file sibling of PKCS11Context: where PKCS11Context takes its certificate and private key from a PKCS#11 token, FileX509Context takes them from a PKCS#12 (.p12/.pfx) file protected by a password. No hardware token, no JNI, and no native access are involved — it is pure Java on the JDK's built-in PKCS12 KeyStore and JCA Signature.

Typical use, exactly like the other authentication contexts:

FileX509Context ctx = FileX509Context.getInstance(); ctx.open("/path/to/user.p12", "password"); TEAgentConnection c = TEAgentConnectionFactory.getConnection(TEConnectionType.SECURE_SOCKET); c.open(host, port, ctx); // drives X509Authentication against the KS/RE

The protocol (inherited from X509Context). The client sends its certificate; the server loads the matching principal by certificate digest and returns a random 32-byte challenge; the client signs that challenge with the certificate's private key and returns the signature; the server verifies it with the certificate's public key. This runs over the ordinary server-auth-only SSL port — it is an application-level challenge-response, not TLS mutual authentication (that is the separate SSLM path).

Signature construction (RSA). calculateResponse signs the raw challenge bytes with RSA PKCS#1v1.5 padding and no message digest and no DigestInfo wrapper — i.e. the JCA algorithm NONEwithRSA. This is byte-for-byte identical to the C++ agent's server-verified signing path (EVP_PKEY_sign over a default RSA EVP_PKEY_CTX) and to PKCS11Context's CKM_RSA_PKCS mechanism. It was proven by the TE81-195 P1 reference vector: for a fixed challenge and key, Java NONEwithRSA reproduces the C++ signature exactly, whereas SHA1withRSA/SHA256withRSA do not. (The legacy "signed with SHA-1 digest" wording in the C++ header teauthcertctx.h documents an older intent; the wire reality is the raw construction above.)

Scope. RSA keys only in this initial version; a non-RSA entry is rejected with a clear, explicit error rather than a late failure.

Inheritance

Public Member Functions

MemberDescription
FileX509Context()The default constructor.
void open(String path, String password)Loads the certificate and private key from a password-protected PKCS#12 file.
byte[] getCertificate()Returns the DER-encoded certificate to present to the server, as the X509Authentication protocol requires.
byte[] calculateResponse(byte[] challenge)Signs the server's challenge with the certificate's RSA private key, using RSA PKCS#1v1.5 padding over the raw challenge bytes with no digest (JCA NONEwithRSA) — the construction the server's EVP_PKEY_verify accepts (proven byte-exact by the TE81-195 P1 reference vector; see the class comment).

Static Public Member Functions

MemberDescription
FileX509Context getInstance()Factory method that returns a new FileX509Context, matching the getInstance() idiom of the other authentication contexts.

Member Function Documentation

FileX509Context()

The default constructor.

Call open before using the context for authentication.

void open(String path, String password)

Loads the certificate and private key from a password-protected PKCS#12 file.

The first key entry in the keystore is used.

Parameters

ParameterDescription
pathPath to the PKCS#12 file (.p12/.pfx).
passwordPassword protecting both the keystore and the key entry.

byte[] getCertificate()

Returns the DER-encoded certificate to present to the server, as the X509Authentication protocol requires.

open must have been called.

Returns: the DER encoding of the certificate.

byte[] calculateResponse(byte[] challenge)

Signs the server's challenge with the certificate's RSA private key, using RSA PKCS#1v1.5 padding over the raw challenge bytes with no digest (JCA NONEwithRSA) — the construction the server's EVP_PKEY_verify accepts (proven byte-exact by the TE81-195 P1 reference vector; see the class comment).

Parameters

ParameterDescription
challengeThe random challenge sent by the server.

Returns: the signature bytes to return to the server.

FileX509Context getInstance()

Factory method that returns a new FileX509Context, matching the getInstance() idiom of the other authentication contexts.

Returns: a new FileX509Context.