com.eruces.teagent.FileX509Context
The FileX509Context class is a file-backed, soft-key concrete X509Context for the AM08 X.509 challenge-response authentication protocol. It is the PKCS#12-file sibling of PKCS11Context: where PKCS11Context takes its certificate and private key from a PKCS#11 token, FileX509Context takes them from a PKCS#12 (.p12/.pfx) file protected by a password. No hardware token, no JNI, and no native access are involved — it is pure Java on the JDK's built-in PKCS12 KeyStore and JCA Signature.
Typical use, exactly like the other authentication contexts:
FileX509Context ctx = FileX509Context.getInstance(); ctx.open("/path/to/user.p12", "password"); TEAgentConnection c = TEAgentConnectionFactory.getConnection(TEConnectionType.SECURE_SOCKET); c.open(host, port, ctx); // drives X509Authentication against the KS/RE
The protocol (inherited from X509Context). The client sends its certificate; the server loads the matching principal by certificate digest and returns a random 32-byte challenge; the client signs that challenge with the certificate's private key and returns the signature; the server verifies it with the certificate's public key. This runs over the ordinary server-auth-only SSL port — it is an application-level challenge-response, not TLS mutual authentication (that is the separate SSLM path).
Signature construction (RSA). calculateResponse signs the raw challenge bytes with RSA PKCS#1v1.5 padding and no message digest and no DigestInfo wrapper — i.e. the JCA algorithm NONEwithRSA. This is byte-for-byte identical to the C++ agent's server-verified signing path (EVP_PKEY_sign over a default RSA EVP_PKEY_CTX) and to PKCS11Context's CKM_RSA_PKCS mechanism. It was proven by the TE81-195 P1 reference vector: for a fixed challenge and key, Java NONEwithRSA reproduces the C++ signature exactly, whereas SHA1withRSA/SHA256withRSA do not. (The legacy "signed with SHA-1 digest" wording in the C++ header teauthcertctx.h documents an older intent; the wire reality is the raw construction above.)
Scope. RSA keys only in this initial version; a non-RSA entry is rejected with a clear, explicit error rather than a late failure.
Inheritance
- Inherits com.eruces.teagent.X509Context
Public Member Functions
| Member | Description |
|---|---|
FileX509Context() | The default constructor. |
void open(String path, String password) | Loads the certificate and private key from a password-protected PKCS#12 file. |
byte[] getCertificate() | Returns the DER-encoded certificate to present to the server, as the X509Authentication protocol requires. |
byte[] calculateResponse(byte[] challenge) | Signs the server's challenge with the certificate's RSA private key, using RSA PKCS#1v1.5 padding over the raw challenge bytes with no digest (JCA NONEwithRSA) — the construction the server's EVP_PKEY_verify accepts (proven byte-exact by the TE81-195 P1 reference vector; see the class comment). |
Static Public Member Functions
| Member | Description |
|---|---|
FileX509Context getInstance() | Factory method that returns a new FileX509Context, matching the getInstance() idiom of the other authentication contexts. |
Member Function Documentation
FileX509Context()
The default constructor.
Call open before using the context for authentication.
void open(String path, String password)
Loads the certificate and private key from a password-protected PKCS#12 file.
The first key entry in the keystore is used.
Parameters
| Parameter | Description |
|---|---|
path | Path to the PKCS#12 file (.p12/.pfx). |
password | Password protecting both the keystore and the key entry. |
byte[] getCertificate()
Returns the DER-encoded certificate to present to the server, as the X509Authentication protocol requires.
open must have been called.
Returns: the DER encoding of the certificate.
byte[] calculateResponse(byte[] challenge)
Signs the server's challenge with the certificate's RSA private key, using RSA PKCS#1v1.5 padding over the raw challenge bytes with no digest (JCA NONEwithRSA) — the construction the server's EVP_PKEY_verify accepts (proven byte-exact by the TE81-195 P1 reference vector; see the class comment).
Parameters
| Parameter | Description |
|---|---|
challenge | The random challenge sent by the server. |
Returns: the signature bytes to return to the server.
FileX509Context getInstance()
Factory method that returns a new FileX509Context, matching the getInstance() idiom of the other authentication contexts.
Returns: a new FileX509Context.