Package com.netscape.cmscore.security
Class JssSubsystem
java.lang.Object
  com.netscape.cmscore.security.JssSubsystem
- All Implemented Interfaces: ICryptoSubsystem

Subsystem for initializing JSS.
Field Summary
- protected JssSubsystemConfig config
- static final String ID
- static org.slf4j.Logger logger
Method Summary
- void addEntropy(int bits): Adds the specified number of bits of entropy from the system entropy generator to the RNG of the default PKCS#11 RNG token.
- void checkCertificateExt(String ext): Checks if the given base-64 encoded string contains an extension or a sequence of extensions.
- void checkKeyLength(String keyType, int keyLength, String certType, int minRSAKeyLen)
- void deleteCACert(String nickname, String notAfterTime): Deletes the CA certificate from the permanent (perm) certificate database.
- void deleteCert(String nickname, String notAfterTime): Deletes any certificate from any token.
- void deleteRootCert(String nickname, String serialno, String issuername)
- void deleteTokenCertificate(String nickname, String pathname): Deletes the certificate with the given nickname.
- void deleteUserCert(String nickname, String serialno, String issuername)
- org.mozilla.jss.netscape.security.x509.AlgorithmId getAlgorithmId(String algname, ConfigStore store): Retrieves the CA's signing algorithm id.
- getAllCerts(): Retrieves a list of nicknames of certificates that are in the installed tokens.
- getAllCertsManage(): Gets all certificates on all tokens for Certificate Database Management.
- getCACerts(): Gets all CA certificates on all tokens.
- org.mozilla.jss.crypto.PQGParams getCAPQG(int keysize, ConfigStore store): Retrieves PQG parameters based on key size.
- org.mozilla.jss.netscape.security.x509.CertificateExtensions getCertExtensions(String tokenname, String nickname): Retrieves the extensions of the certificate identified by the given nickname.
- org.mozilla.jss.crypto.X509Certificate getCertificate(String nickname, String serialno, String issuerName)
- getCertInfo(String b64E)
- getCertList(String name)
- getCertListWithoutTokenName(String name): Retrieves all certificates; the result does not contain the token tag.
- String getCertPrettyPrint(String nickname, String serialno, String issuerName, Locale locale)
- getCertPrettyPrint(String nickname, String date, Locale locale): Retrieves a certificate in pretty-print format by nickname.
- getCertPrettyPrint(String b64E, Locale locale): Retrieves the certificate in pretty-print format.
- String getCertPrettyPrintAndFingerPrint(String nickname, String serialno, String issuerName, Locale locale)
- getCertRequest(String subjectName, KeyPair kp): Generates a certificate request from the given key pair.
- getCertSubjectName(String tokenname, String nickname): Retrieves the subject name of the certificate identified by the given nickname.
- getCipherPreferences(): Retrieves the cipher preferences.
- getCipherVersion(): Retrieves the SSL cipher version.
- getConfigStore(): Retrieves the configuration store of this subsystem.
- getECCKeyPair(KeyCertData properties): Generates an ECC key pair based on the given parameters.
- KeyPair getECCKeyPair(org.mozilla.jss.crypto.CryptoToken token, String keyCurve, String certType): Generates an ECC key pair based on the given parameters.
- getECType()
- org.mozilla.jss.netscape.security.x509.CertificateExtensions getExtensions(String tokenname, String nickname): Retrieves the extensions of the certificate identified by the given nickname.
- getId()
- static JssSubsystem getInstance()
- getInternalTokenName(): Retrieves the token name of the internal (software) token.
- getKeyPair(KeyCertData properties): Generates a key pair based on the given parameters.
- getKeyPair(String nickname): Retrieves the key pair based on the given nickname.
- KeyPair getKeyPair(org.mozilla.jss.crypto.CryptoToken token, String alg, int keySize): Generates a key pair based on the given parameters.
- KeyPair getKeyPair(org.mozilla.jss.crypto.CryptoToken token, String alg, int keySize, org.mozilla.jss.crypto.PQGParams pqg): Generates a key pair based on the given parameters.
- org.mozilla.jss.crypto.PQGParams getPQG(int keysize): Retrieves PQG parameters based on key size.
- getRandomNumberGenerator()
- getRootCerts()
- String getRootCertTrustBit(String nickname, String serialno, String issuerName)
- getSignatureAlgorithm(String nickname): Retrieves the signature algorithm of the certificate named by the given nickname.
- org.mozilla.jss.netscape.security.x509.X509CertImpl getSignedCert(KeyCertData data, String certType, PrivateKey priKey): Signs the certificate template in the given data and returns a signed certificate.
- getSubjectDN(String nickname): Retrieves the subject DN of the certificate identified by the nickname.
- getTokenList(): Retrieves a list of currently registered token names.
- getUserCerts()
- void importCert(String b64E, String nickname, String certType): Imports a certificate into the server.
- void importCert(org.mozilla.jss.netscape.security.x509.X509CertImpl signedCert, String nickname, String certType): Imports a certificate into the server.
- void init(JssSubsystemConfig config): Initializes the JSS security subsystem.
- boolean isCACert(String fullNickname): Checks whether the certificate with the given nickname is a CA certificate.
- isCipherFortezza(): Checks if Fortezza is enabled.
- boolean isTokenLoggedIn(String name): Checks if the given token is logged in.
- void isX500DN(String dn): Checks if the given DN is a valid distinguished name.
- void loggedInToken(String tokenName, String pwd): Logs into a token.
- static void main
- void obscureBytes(byte[] memory)
- void obscureBytes(byte[] memory, String method)
- void obscureChars(char[] memory)
- void setCipherPreferences(String cipherPrefs): Sets the current SSL cipher preferences.
- void setId
- void setRootCertTrust(String nickname, String serialno, String issuerName, String trust)
- void shutdown(): Shuts down this subsystem.
- void startup(): Starts up this service.
- void trustCert(String nickname, String date, String trust): Trusts a certificate for all available purposes.
-
Field Details

logger
public static org.slf4j.Logger logger

ID
static final String ID

config
protected JssSubsystemConfig config
Method Details
-
getInstance
public static JssSubsystem getInstance()

getId

setId
- Throws:
  EBaseException

addEntropy
public void addEntropy(int bits) throws org.mozilla.jss.util.NotImplementedException, IOException, org.mozilla.jss.crypto.TokenException
Description copied from interface: ICryptoSubsystem
Adds the specified number of bits of entropy from the system entropy generator to the RNG of the default PKCS#11 RNG token. The default token is set using the modutil command. Note that the system entropy generator (usually /dev/random) will block until sufficient entropy is collected, so this call can stall the calling thread.
- Specified by: addEntropy in interface ICryptoSubsystem
- Parameters:
  bits - number of bits of entropy
- Throws:
  org.mozilla.jss.util.NotImplementedException - if the crypto device does not support adding entropy
  IOException - if there was a problem reading from /dev/random
  org.mozilla.jss.crypto.TokenException - if there was some other problem with the crypto device

init
init(JssSubsystemConfig config)
Initializes the JSS security subsystem.
- Throws:
  EBaseException

getRandomNumberGenerator

obscureBytes
public void obscureBytes(byte[] memory)

obscureBytes
public void obscureBytes(byte[] memory, String method)

obscureChars
public void obscureChars(char[] memory)

getCipherVersion
Description copied from interface: ICryptoSubsystem
Retrieves the SSL cipher version.
- Specified by: getCipherVersion in interface ICryptoSubsystem
- Returns: cipher version (e.g. "cipherdomestic")
- Throws:
  EBaseException

getCipherPreferences
Description copied from interface: ICryptoSubsystem
Retrieves the cipher preferences.
- Specified by: getCipherPreferences in interface ICryptoSubsystem
- Returns: cipher preferences as a comma-separated list (e.g. "rc4export,rc2export,...")
- Throws:
  EBaseException

getECType
- Throws:
  EBaseException

isCipherFortezza
Description copied from interface: ICryptoSubsystem
Checks if Fortezza is enabled.
- Specified by: isCipherFortezza in interface ICryptoSubsystem
- Returns: "true" if Fortezza is enabled
- Throws:
  EBaseException

setCipherPreferences
Description copied from interface: ICryptoSubsystem
Sets the current SSL cipher preferences.
- Specified by: setCipherPreferences in interface ICryptoSubsystem
- Parameters:
  cipherPrefs - cipher preferences as a comma-separated list (e.g. "rc4export,rc2export,...")
- Throws:
  EBaseException - failed to set cipher preferences

getConfigStore
Retrieves the configuration store of this subsystem.

startup
Starts up this service.
- Throws:
  EBaseException

shutdown
public void shutdown()
Shuts down this subsystem.

getInternalTokenName
Description copied from interface: ICryptoSubsystem
Retrieves the token name of the internal (software) token.
- Specified by: getInternalTokenName in interface ICryptoSubsystem
- Returns: the token name
- Throws:
  EBaseException - failed to retrieve token name

getTokenList
Description copied from interface: ICryptoSubsystem
Retrieves a list of currently registered token names.
- Specified by: getTokenList in interface ICryptoSubsystem
- Returns: list of token names
- Throws:
  EBaseException - failed to retrieve token list

isTokenLoggedIn
Description copied from interface: ICryptoSubsystem
Checks if the given token is logged in.
- Specified by: isTokenLoggedIn in interface ICryptoSubsystem
- Parameters:
  name - token name
- Returns: true if the token is logged in
- Throws:
  EBaseException - failed to determine the token's login state

loggedInToken
Description copied from interface: ICryptoSubsystem
Logs into the token.
- Specified by: loggedInToken in interface ICryptoSubsystem
- Parameters:
  tokenName - name of the token
  pwd - token password
- Throws:
  EBaseException - failed to log in

getCertSubjectName
Description copied from interface: ICryptoSubsystem
Retrieves the subject name of the certificate identified by the given nickname.
- Specified by: getCertSubjectName in interface ICryptoSubsystem
- Parameters:
  tokenname - name of the token where the nickname is valid
  nickname - nickname of the certificate
- Returns: subject name
- Throws:
  EBaseException - failed to get subject name

getAllCerts
Description copied from interface: ICryptoSubsystem
Retrieves a list of nicknames of certificates that are in the installed tokens.
- Specified by: getAllCerts in interface ICryptoSubsystem
- Returns: a list of comma-separated nicknames
- Throws:
  EBaseException - failed to retrieve nicknames

getCertListWithoutTokenName
Description copied from interface: ICryptoSubsystem
Retrieves all certificates. The result list will not contain the token tag.
- Specified by: getCertListWithoutTokenName in interface ICryptoSubsystem
- Parameters:
  name - token name
- Returns: list of certificates without the token tag
- Throws:
  EBaseException - failed to retrieve

getCertList
- Throws:
  EBaseException

getAlgorithmId
public org.mozilla.jss.netscape.security.x509.AlgorithmId getAlgorithmId(String algname, ConfigStore store) throws EBaseException
Description copied from interface: ICryptoSubsystem
Retrieves the CA's signing algorithm id. If the algorithm is DSA, the algorithm id is constructed by reading the parameters ca.dsaP, ca.dsaQ and ca.dsaG from the store.
- Specified by: getAlgorithmId in interface ICryptoSubsystem
- Parameters:
  algname - DSA or RSA
  store - configuration store
- Returns: algorithm id
- Throws:
  EBaseException - failed to retrieve algorithm id

getSignatureAlgorithm
Description copied from interface: ICryptoSubsystem
Retrieves the signature algorithm of the certificate named by the given nickname.
- Specified by: getSignatureAlgorithm in interface ICryptoSubsystem
- Parameters:
  nickname - nickname of the certificate
- Returns: signature algorithm
- Throws:
  EBaseException - failed to retrieve signature algorithm

getKeyPair
getKeyPair(String nickname)
Description copied from interface: ICryptoSubsystem
Retrieves the key pair based on the given nickname.
- Specified by: getKeyPair in interface ICryptoSubsystem
- Parameters:
  nickname - nickname of the public key
- Throws:
  EBaseException - failed to retrieve key pair

getKeyPair
public KeyPair getKeyPair(org.mozilla.jss.crypto.CryptoToken token, String alg, int keySize) throws EBaseException
Description copied from interface: ICryptoSubsystem
Generates a key pair based on the given parameters.
- Specified by: getKeyPair in interface ICryptoSubsystem
- Parameters:
  token - token where the key is generated
  alg - key algorithm
  keySize - key size
- Returns: key pair
- Throws:
  EBaseException - failed to generate key pair

getKeyPair
public KeyPair getKeyPair(org.mozilla.jss.crypto.CryptoToken token, String alg, int keySize, org.mozilla.jss.crypto.PQGParams pqg) throws EBaseException
Description copied from interface: ICryptoSubsystem
Generates a key pair based on the given parameters.
- Specified by: getKeyPair in interface ICryptoSubsystem
- Parameters:
  token - token where the key is generated
  alg - key algorithm
  keySize - key size
  pqg - PQG parameters for a DSA key, otherwise null
- Returns: key pair
- Throws:
  EBaseException - failed to generate key pair

isX500DN
isX500DN(String dn)
Description copied from interface: ICryptoSubsystem
Checks if the given DN is a valid distinguished name.
- Specified by: isX500DN in interface ICryptoSubsystem
- Parameters:
  dn - distinguished name
- Throws:
  EBaseException - failed to check

getCertRequest
getCertRequest(String subjectName, KeyPair kp)
Description copied from interface: ICryptoSubsystem
Generates a certificate request from the given key pair.
- Specified by: getCertRequest in interface ICryptoSubsystem
- Parameters:
  subjectName - subject name to use in the request
  kp - key pair that contains the public key material
- Returns: certificate request in base-64 encoded format
- Throws:
  EBaseException - failed to generate request

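The startup sequence these methods imply (seed the token RNG with addEntropy(), open the token with loggedInToken(), generate a key on it with getKeyPair(), then build a request for it with getCertRequest()), written out as an added example. This is not code from JssSubsystem or its documentation. It assumes the subsystem has already been initialized and started by the server, that "RSA" is the algorithm name getKeyPair() accepts (the page says only "key algorithm"), that getInternalTokenName() and getCertRequest() return Strings (the page says "the token name" and "base-64 encoded format"), and it obtains the CryptoToken handle from the JSS CryptoManager because JssSubsystem itself only hands out the token name.

```java
import java.io.Console;
import java.security.KeyPair;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.util.NotImplementedException;

import com.netscape.cmscore.security.JssSubsystem;

/**
 * Added example (not JssSubsystem code): seed the RNG, log in to the internal
 * token, generate an RSA key on it and build a PKCS#10 request for it.
 * Assumes init()/startup() have already run inside the server JVM.
 */
public class ServerKeyAndCsrExample {

    public static String generateRequest(String subjectDn, int rsaBits) throws Exception {
        JssSubsystem jss = JssSubsystem.getInstance();

        // 1. Seed the default PKCS#11 RNG. /dev/random may block, so do this once
        //    at startup with a modest bit count, never on a request path. Tokens
        //    that refuse external entropy (many HSMs) are not an error here.
        try {
            jss.addEntropy(256);
        } catch (NotImplementedException e) {
            JssSubsystem.logger.warn("token does not accept external entropy: {}", e.getMessage());
        }

        // 2. Open the internal (software) token if it is not already logged in.
        //    The password is read into a char[] so it can be wiped with
        //    obscureChars(); loggedInToken() takes a String, and a String cannot
        //    be wiped, so keep that copy as short-lived as possible.
        String tokenName = jss.getInternalTokenName();
        if (!jss.isTokenLoggedIn(tokenName)) {
            Console console = System.console();
            if (console == null) {
                throw new IllegalStateException("no console to read the token password from");
            }
            char[] pwd = console.readPassword("Password for token %s: ", tokenName);
            try {
                jss.loggedInToken(tokenName, new String(pwd));
            } finally {
                jss.obscureChars(pwd);
            }
        }

        // 3. Generate the key pair on that token. The CryptoToken handle comes
        //    from JSS directly; "RSA" as the algorithm name is an assumption.
        CryptoToken token = CryptoManager.getInstance().getInternalKeyStorageToken();
        KeyPair kp = jss.getKeyPair(token, "RSA", rsaBits);

        // 4. Reject a malformed subject before it ends up in a request, then
        //    build the base-64 PKCS#10 request for the new public key.
        jss.isX500DN(subjectDn);              // EBaseException if the check fails
        return jss.getCertRequest(subjectDn, kp);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(generateRequest("CN=pki.example.test,O=Example", 3072));
    }
}
```

The order matters: addEntropy() before key generation, and the DN check before getCertRequest(), so that a blocking entropy read or a bad subject fails early rather than after a private key has already been created on the token.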
importCert
importCert(String b64E, String nickname, String certType)
Description copied from interface: ICryptoSubsystem
Imports a certificate into the server.
- Specified by: importCert in interface ICryptoSubsystem
- Parameters:
  b64E - certificate in base-64 encoded format
  nickname - nickname for the imported certificate
  certType - certificate type
- Throws:
  EBaseException - failed to import certificate

getKeyPair
getKeyPair(KeyCertData properties)
Description copied from interface: ICryptoSubsystem
Generates a key pair based on the given parameters.
- Specified by: getKeyPair in interface ICryptoSubsystem
- Parameters:
  properties - key parameters
- Returns: key pair
- Throws:
  EBaseException - failed to generate key pair

getECCKeyPair
getECCKeyPair(KeyCertData properties)
Description copied from interface: ICryptoSubsystem
Generates an ECC key pair based on the given parameters.
- Specified by: getECCKeyPair in interface ICryptoSubsystem
- Parameters:
  properties - key parameters
- Returns: key pair
- Throws:
  EBaseException - failed to generate key pair

getECCKeyPair
public KeyPair getECCKeyPair(org.mozilla.jss.crypto.CryptoToken token, String keyCurve, String certType) throws EBaseException
Description copied from interface: ICryptoSubsystem
Generates an ECC key pair based on the given parameters.
- Specified by: getECCKeyPair in interface ICryptoSubsystem
- Parameters:
  token - token where the key is generated
  keyCurve - curve name
  certType - type of certificate (sslserver etc.)
- Returns: key pair
- Throws:
  EBaseException - failed to generate key pair

importCert
public void importCert(org.mozilla.jss.netscape.security.x509.X509CertImpl signedCert, String nickname, String certType) throws EBaseException
Description copied from interface: ICryptoSubsystem
Imports a certificate into the server.
- Specified by: importCert in interface ICryptoSubsystem
- Parameters:
  signedCert - certificate
  nickname - nickname for the imported certificate
  certType - certificate type
- Throws:
  EBaseException - failed to import certificate

getCertInfo
getCertInfo(String b64E)
- Throws:
  EBaseException

deleteUserCert
public void deleteUserCert(String nickname, String serialno, String issuername) throws EBaseException
- Specified by: deleteUserCert in interface ICryptoSubsystem
- Throws:
  EBaseException

deleteRootCert
public void deleteRootCert(String nickname, String serialno, String issuername) throws EBaseException
- Specified by: deleteRootCert in interface ICryptoSubsystem
- Throws:
  EBaseException

getRootCerts
- Specified by: getRootCerts in interface ICryptoSubsystem
- Throws:
  EBaseException

getUserCerts
- Specified by: getUserCerts in interface ICryptoSubsystem
- Throws:
  EBaseException

getAllCertsManage
Description copied from interface: ICryptoSubsystem
Gets all certificates on all tokens for Certificate Database Management.
- Specified by: getAllCertsManage in interface ICryptoSubsystem
- Returns: all certificates
- Throws:
  EBaseException - failed to retrieve certificates

getCACerts
Description copied from interface: ICryptoSubsystem
Gets all CA certificates on all tokens.
- Specified by: getCACerts in interface ICryptoSubsystem
- Returns: all CA certificates
- Throws:
  EBaseException - failed to retrieve certificates

trustCert
trustCert(String nickname, String date, String trust)
Description copied from interface: ICryptoSubsystem
Trusts a certificate for all available purposes.
- Specified by: trustCert in interface ICryptoSubsystem
- Parameters:
  nickname - nickname of the certificate
  date - the certificate's notBefore
  trust - "Trust" or other
- Throws:
  EBaseException - failed to trust certificate

deleteCACert
deleteCACert(String nickname, String notAfterTime)
Deletes the CA certificate from the permanent (perm) certificate database.
- Parameters:
  nickname - the nickname of the CA certificate
  notAfterTime - the notAfter of the certificate. Multiple certificates can exist under the same nickname; the one whose notAfter matches notAfterTime is deleted. notAfterTime must be in the "MMMMM dd, yyyy HH:mm:ss" format.
- Throws:
  EBaseException

deleteCert
deleteCert(String nickname, String notAfterTime)
Deletes any certificate from any token.
- Specified by: deleteCert in interface ICryptoSubsystem
- Parameters:
  nickname - the nickname of the certificate
  notAfterTime - the notAfter of the certificate. Multiple certificates can exist under the same nickname; the one whose notAfter matches notAfterTime is deleted. notAfterTime must be in the "MMMMM dd, yyyy HH:mm:ss" format.
- Throws:
  EBaseException - failed to delete certificate

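deleteCert() and deleteCACert() pick one certificate out of several sharing a nickname by comparing a formatted notAfter string, so the safe way to call them is to derive that string from the certificate you actually mean (selected by serial number) instead of typing it. The following is an added example, not part of JssSubsystem or its documentation. It assumes the pattern is applied with the JVM's default locale, which is what an unqualified SimpleDateFormat uses (the page gives only the pattern), and it enumerates the certificates under a nickname through the JSS CryptoManager because JssSubsystem exposes no such lookup on this page.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.text.SimpleDateFormat;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.X509Certificate;

import com.netscape.certsrv.base.EBaseException;
import com.netscape.cmscore.security.JssSubsystem;

/**
 * Added example (not JssSubsystem code): delete exactly one of several
 * certificates that share a nickname, e.g. a renewed server certificate
 * sitting next to its predecessor, by reproducing the notAfterTime string
 * that deleteCert() matches on.
 */
public class DeleteCertBySerialExample {

    // Pattern taken from the deleteCert() documentation; the locale is not
    // stated there, so the JVM default locale is assumed.
    static final String NOT_AFTER_PATTERN = "MMMMM dd, yyyy HH:mm:ss";

    /** Returns the notAfterTime string deleteCert() will match for this certificate. */
    static String notAfterTimeOf(X509Certificate jssCert) throws Exception {
        // The JSS certificate handle does not expose validity; re-parse its DER.
        java.security.cert.X509Certificate jdkCert = (java.security.cert.X509Certificate)
            CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(jssCert.getEncoded()));
        return new SimpleDateFormat(NOT_AFTER_PATTERN).format(jdkCert.getNotAfter());
    }

    /**
     * Deletes the certificate with the given nickname and serial number.
     * Fails closed: if no certificate under that nickname has that serial,
     * nothing is deleted, and if two candidates share the same notAfter
     * second the call is refused rather than letting deleteCert() pick one.
     */
    public static void deleteBySerial(String nickname, BigInteger serial) throws Exception {
        X509Certificate[] candidates = CryptoManager.getInstance().findCertsByNickname(nickname);

        String target = null;
        for (X509Certificate c : candidates) {
            if (c.getSerialNumber().equals(serial)) {
                target = notAfterTimeOf(c);
            }
        }
        if (target == null) {
            throw new EBaseException("no certificate " + nickname + " with serial " + serial);
        }

        int sameNotAfter = 0;
        for (X509Certificate c : candidates) {
            if (target.equals(notAfterTimeOf(c))) {
                sameNotAfter++;
            }
        }
        if (sameNotAfter > 1) {
            throw new EBaseException("notAfter " + target + " is not unique under nickname "
                    + nickname + "; refusing to delete");
        }

        JssSubsystem.getInstance().deleteCert(nickname, target);
    }
}
```

The uniqueness check is the point: the API's selector is a one-second-granular timestamp, not the serial number, so two certificates issued in the same second under one nickname are indistinguishable to deleteCert(), and a caller that cares which one goes has to detect that case itself.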
deleteTokenCertificate
deleteTokenCertificate(String nickname, String pathname)
Description copied from interface: ICryptoSubsystem
Deletes the certificate with the given nickname.
- Specified by: deleteTokenCertificate in interface ICryptoSubsystem
- Parameters:
  nickname - nickname of the certificate
  pathname - path where a copy of the deleted certificate is stored
- Throws:
  EBaseException - failed to delete certificate

getSubjectDN
getSubjectDN(String nickname)
Description copied from interface: ICryptoSubsystem
Retrieves the subject DN of the certificate identified by the nickname.
- Specified by: getSubjectDN in interface ICryptoSubsystem
- Parameters:
  nickname - nickname of the certificate
- Returns: subject distinguished name
- Throws:
  EBaseException - failed to retrieve subject DN

setRootCertTrust
public void setRootCertTrust(String nickname, String serialno, String issuerName, String trust) throws EBaseException
- Specified by: setRootCertTrust in interface ICryptoSubsystem
- Throws:
  EBaseException

getCertificate
public org.mozilla.jss.crypto.X509Certificate getCertificate(String nickname, String serialno, String issuerName) throws EBaseException
- Throws:
  EBaseException

getRootCertTrustBit
public String getRootCertTrustBit(String nickname, String serialno, String issuerName) throws EBaseException
- Specified by: getRootCertTrustBit in interface ICryptoSubsystem
- Throws:
  EBaseException

getCertPrettyPrint
public String getCertPrettyPrint(String nickname, String serialno, String issuerName, Locale locale) throws EBaseException
- Specified by: getCertPrettyPrint in interface ICryptoSubsystem
- Throws:
  EBaseException

getCertPrettyPrintAndFingerPrint
public String getCertPrettyPrintAndFingerPrint(String nickname, String serialno, String issuerName, Locale locale) throws EBaseException
- Specified by: getCertPrettyPrintAndFingerPrint in interface ICryptoSubsystem
- Throws:
  EBaseException

getCertPrettyPrint
getCertPrettyPrint(String nickname, String date, Locale locale)
Description copied from interface: ICryptoSubsystem
Retrieves a certificate in pretty-print format by nickname.
- Specified by: getCertPrettyPrint in interface ICryptoSubsystem
- Parameters:
  nickname - nickname of the certificate
  date - the notAfter value the returned certificate must have (selects among certificates sharing the nickname)
  locale - user locale
- Returns: certificate in pretty-print format
- Throws:
  EBaseException - failed to retrieve certificate

getCertPrettyPrint
getCertPrettyPrint(String b64E, Locale locale)
Description copied from interface: ICryptoSubsystem
Retrieves the certificate in pretty-print format.
- Specified by: getCertPrettyPrint in interface ICryptoSubsystem
- Parameters:
  b64E - certificate in base-64 encoded format
  locale - end-user locale
- Returns: certificate in pretty-print format
- Throws:
  EBaseException - failed to retrieve certificate

getSignedCert
public org.mozilla.jss.netscape.security.x509.X509CertImpl getSignedCert(KeyCertData data, String certType, PrivateKey priKey) throws EBaseException
Description copied from interface: ICryptoSubsystem
Signs the certificate template in the given data and returns a signed certificate.
- Specified by: getSignedCert in interface ICryptoSubsystem
- Parameters:
  data - data that contains the certificate template
  certType - certificate type
  priKey - CA signing key
- Returns: certificate
- Throws:
  EBaseException - failed to sign certificate template

isCACert
isCACert(String fullNickname)
Description copied from interface: ICryptoSubsystem
Checks whether the certificate with the given nickname is a CA certificate.
- Specified by: isCACert in interface ICryptoSubsystem
- Parameters:
  fullNickname - nickname of the certificate to check
- Returns: true if it is a CA certificate
- Throws:
  EBaseException - failed to check

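A small inventory check built from getAllCerts(), isCACert() and getSignatureAlgorithm(), as an added example that is not part of JssSubsystem or its documentation. It assumes getAllCerts() returns the comma-separated nicknames as a single String and getSignatureAlgorithm() returns a Java-style algorithm name such as "SHA256withRSA" (the page says only "a list of comma-separated nicknames" and "signature algorithm"), and that both isCACert() and getSignatureAlgorithm() accept the nicknames exactly as getAllCerts() reports them; the list of digests treated as weak is the author's choice, not the project's.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import com.netscape.certsrv.base.EBaseException;
import com.netscape.cmscore.security.JssSubsystem;

/**
 * Added example (not JssSubsystem code): walk every certificate nickname the
 * subsystem knows about and report CA certificates and certificates whose
 * signature uses a digest that should no longer be relied on.
 */
public class CertInventoryAudit {

    /** One line per finding; an empty list means nothing to report. */
    public static List<String> audit() throws EBaseException {
        JssSubsystem jss = JssSubsystem.getInstance();
        List<String> findings = new ArrayList<>();

        // Assumption: getAllCerts() returns "nick1,nick2,..." (per the page's
        // "comma-separated nicknames"), possibly with a token prefix on entries
        // from external tokens.
        String all = jss.getAllCerts();
        if (all == null || all.isEmpty()) {
            return findings;
        }

        for (String raw : all.split(",")) {
            String nickname = raw.trim();
            if (nickname.isEmpty()) {
                continue;
            }

            // A failure on one certificate must not hide the rest of the inventory.
            try {
                boolean isCa = jss.isCACert(nickname);
                String sigAlg = jss.getSignatureAlgorithm(nickname);
                String upper = sigAlg == null ? "" : sigAlg.toUpperCase(Locale.ROOT);

                if (isCa) {
                    findings.add("CA certificate: " + nickname + " (" + sigAlg + ")");
                }
                // Java names look like "SHA1withRSA" / "MD5withRSA"; match on the digest.
                if (upper.contains("MD2") || upper.contains("MD5") || upper.contains("SHA1")) {
                    findings.add("weak signature: " + nickname + " uses " + sigAlg);
                }
            } catch (EBaseException e) {
                findings.add("could not inspect " + nickname + ": " + e.getMessage());
            }
        }
        return findings;
    }

    public static void main(String[] args) throws EBaseException {
        for (String finding : audit()) {
            System.out.println(finding);
        }
    }
}
```

Returning the findings as a list rather than printing them keeps the check usable from a health endpoint or a startup self-test, and catching EBaseException per nickname means one unreadable entry (a token that is not logged in, for instance) still leaves the rest of the report intact.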
getExtensions
public org.mozilla.jss.netscape.security.x509.CertificateExtensions getExtensions(String tokenname, String nickname) throws EBaseException
Description copied from interface: ICryptoSubsystem
Retrieves the extensions of the certificate identified by the given nickname.
- Specified by: getExtensions in interface ICryptoSubsystem
- Parameters:
  tokenname - name of the token where the nickname is valid
  nickname - nickname of the certificate
- Returns: certificate extensions
- Throws:
  EBaseException - failed to get extensions

checkCertificateExt
checkCertificateExt(String ext)
Description copied from interface: ICryptoSubsystem
Checks if the given base-64 encoded string contains an extension or a sequence of extensions.
- Specified by: checkCertificateExt in interface ICryptoSubsystem
- Parameters:
  ext - extension or sequence of extensions encoded in base-64
- Throws:
  EBaseException - failed to check encoding

checkKeyLength
public void checkKeyLength(String keyType, int keyLength, String certType, int minRSAKeyLen) throws EBaseException
- Throws:
  EBaseException

getPQG
public org.mozilla.jss.crypto.PQGParams getPQG(int keysize)
Description copied from interface: ICryptoSubsystem
Retrieves PQG parameters based on key size.
- Specified by: getPQG in interface ICryptoSubsystem
- Parameters:
  keysize - key size
- Returns: PQG parameters

getCAPQG
public org.mozilla.jss.crypto.PQGParams getCAPQG(int keysize, ConfigStore store) throws EBaseException
Description copied from interface: ICryptoSubsystem
Retrieves PQG parameters based on key size.
- Specified by: getCAPQG in interface ICryptoSubsystem
- Parameters:
  keysize - key size
  store - configuration store
- Returns: PQG parameters
- Throws:
  EBaseException

getCertExtensions
public org.mozilla.jss.netscape.security.x509.CertificateExtensions getCertExtensions(String tokenname, String nickname) throws org.mozilla.jss.NotInitializedException, org.mozilla.jss.crypto.TokenException, org.mozilla.jss.crypto.ObjectNotFoundException, IOException, CertificateException
Description copied from interface: ICryptoSubsystem
Retrieves the extensions of the certificate identified by the given nickname.
- Specified by: getCertExtensions in interface ICryptoSubsystem
- Parameters:
  tokenname - token name
  nickname - nickname
- Returns: certificate extensions
- Throws:
  org.mozilla.jss.NotInitializedException
  org.mozilla.jss.crypto.TokenException
  org.mozilla.jss.crypto.ObjectNotFoundException
  IOException
  CertificateException

main
- Throws:
  Exception