public final class CryptoManager extends java.lang.Object implements TokenSupplier

| Modifier and Type | Class and Description |
|---|---|
| static class | CryptoManager.CertUsage: CertUsage options for validation. Note: this is obsolete in NSS. |
| static class | CryptoManager.OCSPPolicy |
| Modifier and Type | Field and Description |
|---|---|
| static java.lang.String | JAR_JSS_VERSION |
| static boolean | JSS_DEBUG |
| static org.slf4j.Logger | logger |
| Modifier | Constructor and Description |
|---|---|
| protected | CryptoManager(): Constructor, for internal use only. |
| Modifier and Type | Method and Description |
|---|---|
| X509Certificate[] | buildCertificateChain(X509Certificate leaf): Given a certificate, constructs its certificate chain. |
| void | configureOCSP(boolean ocspCheckingEnabled, java.lang.String ocspResponderURL, java.lang.String ocspResponderCertNickname): Enables OCSP. Note that when you initialize JSS for the first time, for backwards compatibility, initialize will enable OCSP if you previously set values.ocspCheckingEnabled and values.ocspResponderURL/values.ocspResponderCertNickname. configureOCSP allows changing the OCSP responder at runtime. |
| JSSSecureRandom | createPseudoRandomNumberGenerator(): Retrieves a FIPS-140-2 validated random number generator. |
| byte[] | exportCertsToPKCS7(X509Certificate[] certs): Exports one or more certificates into a PKCS #7 certificate container. |
| X509Certificate | findCertByIssuerAndSerialNumber(byte[] derIssuer, INTEGER serialNumber): Looks up a certificate by issuer and serial number. |
| X509Certificate | findCertByNickname(java.lang.String nickname): Looks up a certificate given its nickname. |
| protected X509Certificate | findCertByNicknameNative(java.lang.String nickname) |
| X509Certificate[] | findCertsByNickname(java.lang.String nickname): Returns all certificates with the given nickname. |
| protected X509Certificate[] | findCertsByNicknameNative(java.lang.String nickname) |
| PrivateKey | findPrivKeyByCert(X509Certificate cert): Looks up the PrivateKey matching the given certificate. |
| protected PrivateKey | findPrivKeyByCertNative(X509Certificate cert) |
| boolean | FIPSEnabled(): Determines whether FIPS-140-2 compliance is active. |
| java.util.Enumeration<CryptoToken> | getAllTokens(): Retrieves all tokens. |
| X509Certificate[] | getCACerts(): Retrieves all CA certificates in the trust database. |
| java.util.Enumeration<CryptoToken> | getExternalTokens(): Retrieves all tokens except those built into NSS. |
| static CryptoManager | getInstance(): Retrieves the single instance of CryptoManager. |
| CryptoToken | getInternalCryptoToken(): Retrieves the internal cryptographic services token. |
| CryptoToken | getInternalKeyStorageToken(): Retrieves the internal key storage token. |
| static int | getJSSMajorVersion() |
| static int | getJSSMinorVersion() |
| static int | getJSSPatchVersion() |
| java.util.Enumeration<PK11Module> | getModules(): Retrieves all installed cryptographic modules. |
| static int | getOCSPPolicy(): Gets the current OCSP policy as an int. |
| static CryptoManager.OCSPPolicy | getOCSPPolicyEnum(): Gets the current OCSP policy as an enum value. |
| PasswordCallback | getPasswordCallback(): Returns the currently registered password callback. |
| X509Certificate[] | getPermCerts(): Retrieves all certificates in the trust database. |
| JSSSecureRandom | getSecureRNG(): Retrieves a FIPS-140-2 validated random number generator. |
| CryptoToken | getThreadToken(): Returns the default token for the current thread. |
| CryptoToken | getTokenByName(java.lang.String name): Looks up the CryptoToken with the given name. |
| java.util.Enumeration<CryptoToken> | getTokensSupportingAlgorithm(Algorithm alg): Retrieves all tokens that support the given algorithm. |
| X509Certificate | importCACertPackage(byte[] certPackage): Imports a chain of certificates, none of which is a user certificate. |
| X509Certificate | importCertPackage(byte[] certPackage, java.lang.String nickname): Imports a chain of certificates. |
| InternalCertificate | importCertToPerm(X509Certificate cert, java.lang.String nickname): Imports a single certificate into the permanent certificate database. |
| void | importCRL(byte[] crl, java.lang.String url): Validates a CRL, then imports it into the certificate database (cert7.db). |
| X509Certificate | importDERCert(byte[] cert, CertificateUsage usage, boolean permanent, java.lang.String nickname): Imports a single DER-encoded certificate into the permanent or temporary certificate database. |
| X509Certificate | importUserCACertPackage(byte[] certPackage, java.lang.String nickname): Imports a chain of certificates. |
| static void | initialize(InitializationValues values): Initializes the security subsystem. |
| static void | initialize(java.lang.String configDir): Initializes the security subsystem. |
| boolean | isCertValid(byte[] certPackage, boolean checkSig, CryptoManager.CertUsage certUsage): Verifies a certificate in memory. |
| int | isCertValid(java.lang.String nickname, boolean checkSig): Verifies a certificate that exists in the given cert database; checks that it is valid and that we trust the issuer. |
| boolean | isCertValid(java.lang.String nickname, boolean checkSig, CertificateUsage certificateUsage): Deprecated. Use verifyCertificate() instead. |
| boolean | isCertValid(java.lang.String nickname, boolean checkSig, CryptoManager.CertUsage certUsage): Verifies a certificate that exists in the given cert database; checks that it is valid and that we trust the issuer. Note: this method calls an obsolete function in NSS. |
| static boolean | isInitialized() |
| void | OCSPCacheSettings(int ocsp_cache_size, int ocsp_min_cache_entry_duration, int ocsp_max_cache_entry_duration): Changes the OCSP cache settings. |
| static void | setOCSPPolicy(CryptoManager.OCSPPolicy policy): Sets the current OCSP policy. |
| void | setOCSPTimeout(int ocsp_timeout): Sets the OCSP timeout value. |
| void | setPasswordCallback(PasswordCallback pwcb): Sets the global password callback. |
| void | setThreadToken(CryptoToken token): Sets the default token for the current thread. |
| void | shutdown(): Shuts down this CryptoManager instance and the associated NSS initialization. |
| void | shutdownNative() |
| void | verifyCertificate(java.lang.String nickname, boolean checkSig, CertificateUsage certificateUsage): Verifies a certificate that exists in the given cert database; checks that it is valid and that we trust the issuer. |
| void | verifyCertificate(X509Certificate cert, boolean checkSig, CertificateUsage certificateUsage): Verifies an X509Certificate by checking that it is valid and that we trust the issuer. |
public static org.slf4j.Logger logger
public static final java.lang.String JAR_JSS_VERSION
public static final boolean JSS_DEBUG
public CryptoToken getInternalCryptoToken()
In FIPS mode, the internal cryptographic services token is the same as the internal key storage token.
Specified by: getInternalCryptoToken in interface TokenSupplier

public CryptoToken getInternalKeyStorageToken()
In FIPS mode, the internal key storage token is the same as the internal cryptographic services token.
public CryptoToken getTokenByName(java.lang.String name) throws NoSuchTokenException
Parameters:
name - The name of the token.
Throws:
NoSuchTokenException - If no token is found with the given name.

public java.util.Enumeration<CryptoToken> getTokensSupportingAlgorithm(Algorithm alg)
Parameters:
alg - Algorithm.

public java.util.Enumeration<CryptoToken> getAllTokens()
See Also: CryptoToken

public java.util.Enumeration<CryptoToken> getExternalTokens()

public java.util.Enumeration<PK11Module> getModules()
See Also: PK11Module

public static boolean isInitialized()

public static CryptoManager getInstance() throws NotInitializedException
Throws:
NotInitializedException - If initialize(InitializationValues) has not yet been called.
See Also: initialize(InitializationValues)

public boolean FIPSEnabled()

public void setPasswordCallback(PasswordCallback pwcb)
The callback may be NULL, in which case password callbacks will fail gracefully.
Parameters:
pwcb - Password callback.

public PasswordCallback getPasswordCallback()
public static void initialize(java.lang.String configDir) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException, java.security.GeneralSecurityException
The initialize methods that take arguments should be called only once; otherwise they will throw an exception. It is OK to call them after calling initialize().
Parameters:
configDir - The directory containing the security databases.
Throws:
KeyDatabaseException - Unable to open the key database, or it was corrupted.
CertDatabaseException - Unable to open the certificate database, or it was corrupted.
AlreadyInitializedException - If the security subsystem is already initialized.
java.security.GeneralSecurityException - If another security error occurred.

public static void initialize(InitializationValues values) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException, java.security.GeneralSecurityException
The initialize methods that take arguments should be called only once; otherwise they will throw an exception. It is OK to call them after calling initialize().
Parameters:
values - The options with which to initialize CryptoManager.
Throws:
KeyDatabaseException - Unable to open the key database, or it was corrupted.
CertDatabaseException - Unable to open the certificate database, or it was corrupted.
AlreadyInitializedException - If the security subsystem is already initialized.
java.security.GeneralSecurityException - If another security error occurred.

public X509Certificate[] getCACerts()
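The initialize-once rule above, together with getInstance(), setPasswordCallback() and FIPSEnabled(), is easiest to get right in one bootstrap routine. The following is an added example written for this page, not code from the JSS project: it initializes the subsystem at most once, tolerates a concurrent initializer, registers a password callback so a protected token can be logged in, and reports FIPS mode. The PasswordCallback method names (getPasswordFirstAttempt, getPasswordAgain, GiveUpException), the Password(char[]) constructor and CryptoToken.isLoggedIn()/login() are assumed from the JSS API and are not documented on this page.

```java
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.InitializationValues;
import org.mozilla.jss.crypto.AlreadyInitializedException;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.util.Password;
import org.mozilla.jss.util.PasswordCallback;
import org.mozilla.jss.util.PasswordCallbackInfo;

public final class JssBootstrap {

    /**
     * Supplies a fixed token password to NSS exactly once.
     * Assumed interface shape: getPasswordFirstAttempt / getPasswordAgain / GiveUpException.
     */
    static final class OneShotPasswordCallback implements PasswordCallback {
        private final char[] secret;

        OneShotPasswordCallback(char[] secret) {
            this.secret = secret.clone();
        }

        @Override
        public Password getPasswordFirstAttempt(PasswordCallbackInfo info)
                throws PasswordCallback.GiveUpException {
            // Password takes ownership of the array it is given, so hand over a copy.
            return new Password(secret.clone());
        }

        @Override
        public Password getPasswordAgain(PasswordCallbackInfo info)
                throws PasswordCallback.GiveUpException {
            // A fixed password that failed once will fail again: give up rather than
            // retry, since repeated failures can lock a PKCS #11 token.
            throw new PasswordCallback.GiveUpException();
        }
    }

    /**
     * Initializes JSS at most once for the process and returns the singleton.
     * configDir is the directory holding the NSS certificate and key databases.
     */
    public static CryptoManager bootstrap(String configDir, char[] tokenPassword) throws Exception {
        if (!CryptoManager.isInitialized()) {
            try {
                CryptoManager.initialize(new InitializationValues(configDir));
            } catch (AlreadyInitializedException raced) {
                // Another component initialized between isInitialized() and initialize().
                // The subsystem is up, so fall through to getInstance().
            }
        }
        CryptoManager cm = CryptoManager.getInstance();

        // Global callback: any token that needs a login will consult this object.
        cm.setPasswordCallback(new OneShotPasswordCallback(tokenPassword));

        // Log in to the internal key storage token now, so the first private-key
        // operation does not fail deep inside library code far from this call.
        CryptoToken keyStore = cm.getInternalKeyStorageToken();
        if (!keyStore.isLoggedIn()) {
            keyStore.login(cm.getPasswordCallback());
        }

        // In FIPS mode the internal crypto services token and the internal key
        // storage token are the same token (see getInternalCryptoToken above).
        System.out.println("JSS " + CryptoManager.getJSSMajorVersion() + "."
                + CryptoManager.getJSSMinorVersion() + "." + CryptoManager.getJSSPatchVersion()
                + " initialized, FIPS mode: " + cm.FIPSEnabled());
        return cm;
    }
}
```

Wipe the char[] you pass in once bootstrap returns; the callback keeps only its own copy, and the Password object it hands to NSS is disposed of by the library.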
public X509Certificate[] getPermCerts()

public X509Certificate importCertPackage(byte[] certPackage, java.lang.String nickname) throws java.security.cert.CertificateEncodingException, NicknameConflictException, UserCertConflictException, NoSuchItemOnTokenException, TokenException
Parameters:
certPackage - An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
nickname - The nickname for the user certificate. It must be unique. It is ignored if there is no user certificate.
Throws:
java.security.cert.CertificateEncodingException - If the package encoding was not recognized.
NicknameConflictException - If the leaf certificate is a user certificate, and another certificate already has the given nickname.
UserCertConflictException - If the leaf certificate is a user certificate, but it has already been imported.
NoSuchItemOnTokenException - If the leaf certificate is a user certificate, but the matching private key cannot be found.
TokenException - If an error occurs importing a leaf certificate into a token.

public X509Certificate importUserCACertPackage(byte[] certPackage, java.lang.String nickname) throws java.security.cert.CertificateEncodingException, NicknameConflictException, UserCertConflictException, NoSuchItemOnTokenException, TokenException
Parameters:
certPackage - An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
nickname - The nickname for the user certificate. It must be unique.
Throws:
java.security.cert.CertificateEncodingException - If the package encoding was not recognized.
NicknameConflictException - If another certificate already has the given nickname.
UserCertConflictException - If the leaf certificate has already been imported.
NoSuchItemOnTokenException - If the private key matching the leaf certificate cannot be found.
TokenException - If an error occurs importing the leaf certificate into a token.

public X509Certificate importCACertPackage(byte[] certPackage) throws java.security.cert.CertificateEncodingException, TokenException
Parameters:
certPackage - An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
Throws:
java.security.cert.CertificateEncodingException - If the package encoding was not recognized.
TokenException - If an error occurs importing a leaf certificate into a token.

public InternalCertificate importCertToPerm(X509Certificate cert, java.lang.String nickname) throws TokenException, InvalidNicknameException
Parameters:
cert - The certificate you want to add.
nickname - The nickname you want to refer to the certificate as (must not be null).
Throws:
TokenException - If an error occurred in the token.
InvalidNicknameException - If the nickname is invalid.

public X509Certificate importDERCert(byte[] cert, CertificateUsage usage, boolean permanent, java.lang.String nickname)

public void importCRL(byte[] crl, java.lang.String url) throws CRLImportException, TokenException
Parameters:
crl - The DER-encoded CRL.
url - The URL where this CRL can be retrieved from (for future updates). Note that CRLs are not retrieved automatically. Can be null.
Throws:
CRLImportException - If the package encoding was not recognized.
TokenException - If an error occurred in the token.

public byte[] exportCertsToPKCS7(X509Certificate[] certs) throws java.security.cert.CertificateEncodingException
Parameters:
certs - One or more certificates that should be exported into the PKCS #7 object. The leaf certificate should be the first in the chain. The output of buildCertificateChain would be appropriate here.
Throws:
java.security.cert.CertificateEncodingException - If the array is empty, or an error occurred encoding the certificates.
See Also: buildCertificateChain(org.mozilla.jss.crypto.X509Certificate)
public X509Certificate findCertByNickname(java.lang.String nickname) throws ObjectNotFoundException, TokenException
Parameters:
nickname - The nickname of the certificate to look for.
Throws:
ObjectNotFoundException - If no certificate could be found with the given nickname.
TokenException - If an error occurs in the security library.

public X509Certificate[] findCertsByNickname(java.lang.String nickname) throws TokenException
Parameters:
nickname - The nickname of the certificates to look for.
Throws:
TokenException - If an error occurs in the security library.

public X509Certificate findCertByIssuerAndSerialNumber(byte[] derIssuer, INTEGER serialNumber) throws ObjectNotFoundException, TokenException
Parameters:
derIssuer - The DER encoding of the certificate issuer name. The issuer name has ASN.1 type Name, which is defined in X.501.
serialNumber - The certificate serial number.
Throws:
ObjectNotFoundException - If the certificate is not found in the internal certificate database or on any PKCS #11 token.
TokenException - If an error occurs in the security library.

protected X509Certificate findCertByNicknameNative(java.lang.String nickname) throws ObjectNotFoundException, TokenException

protected X509Certificate[] findCertsByNicknameNative(java.lang.String nickname) throws TokenException
Throws:
TokenException

public X509Certificate[] buildCertificateChain(X509Certificate leaf) throws java.security.cert.CertificateException, TokenException
Parameters:
leaf - The certificate that is the starting point of the chain.
Throws:
java.security.cert.CertificateException - If the certificate is not recognized by the underlying provider.
TokenException - If an error occurred in the token.

public PrivateKey findPrivKeyByCert(X509Certificate cert) throws ObjectNotFoundException, TokenException
Parameters:
cert - Certificate.
Throws:
ObjectNotFoundException - If no private key can be found matching the given certificate.
TokenException - If an error occurs in the security library.

protected PrivateKey findPrivKeyByCertNative(X509Certificate cert) throws ObjectNotFoundException, TokenException
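The import methods, buildCertificateChain and exportCertsToPKCS7 above are normally used together: issuers go in first, then the user certificate, then the chain is rebuilt from the database and bundled for distribution. This is an added example for this page, not JSS project code; the file paths and the nickname are placeholders, and it relies only on the CryptoManager methods documented above.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.X509Certificate;

public final class CertImport {

    /**
     * Installs a CA bundle, then a user certificate under nickname, and returns the
     * user certificate's chain as a PKCS #7 bundle with the leaf first.
     * The private key for the user certificate must already be on a token.
     */
    public static byte[] importAndBundle(CryptoManager cm, Path caBundle, Path userCert,
                                         String nickname) throws Exception {
        // Issuers first. importCACertPackage accepts PEM or DER, one cert or a chain,
        // and imports no user certificate, so a mislabelled leaf cannot land as a CA.
        cm.importCACertPackage(Files.readAllBytes(caBundle));

        // Now the leaf. Without a matching private key on a token this throws
        // NoSuchItemOnTokenException; importing the same leaf twice throws
        // UserCertConflictException instead of silently duplicating it.
        X509Certificate leaf = cm.importCertPackage(Files.readAllBytes(userCert), nickname);

        // buildCertificateChain starts at the leaf and walks to the issuers, which is
        // the order exportCertsToPKCS7 expects (leaf first).
        X509Certificate[] chain = cm.buildCertificateChain(leaf);
        if (chain.length < 2) {
            // A leaf issued by the CA just installed should have at least one issuer
            // in its chain; anything less means the bundle was wrong or incomplete.
            throw new IllegalStateException(
                    "no issuer found for " + nickname + ": CA bundle missing or wrong");
        }
        return cm.exportCertsToPKCS7(chain);
    }

    /**
     * Installs a DER-encoded CRL. The URL is recorded for reference only: CRLs are not
     * retrieved automatically, so refreshing the CRL on schedule is the caller's job.
     */
    public static void installCrl(CryptoManager cm, Path derCrl, String distributionPointUrl)
            throws Exception {
        cm.importCRL(Files.readAllBytes(derCrl), distributionPointUrl);
    }
}
```

Call importAndBundle with the CA bundle before the user certificate; if the order is reversed, importCertPackage succeeds but the chain stops at the leaf and the PKCS #7 output is useless to a relying party.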
public JSSSecureRandom createPseudoRandomNumberGenerator()

public JSSSecureRandom getSecureRNG()
Specified by: getSecureRNG in interface TokenSupplier

public static int getJSSMajorVersion()

public static int getJSSMinorVersion()

public static int getJSSPatchVersion()

public void setThreadToken(CryptoToken token)
If no token is set, the InternalKeyStorageToken will be used. Setting this thread's token to null will also cause the InternalKeyStorageToken to be used.
Specified by: setThreadToken in interface TokenSupplier
Parameters:
token - The token to use for crypto operations. Specifying null will cause the InternalKeyStorageToken to be used.

public CryptoToken getThreadToken()
If no token is set, the InternalKeyStorageToken will be used. Setting this thread's token to null will also cause the InternalKeyStorageToken to be used.
Specified by: getThreadToken in interface TokenSupplier
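Because the thread token is per-thread state that defaults to the InternalKeyStorageToken, code that wants an external token (an HSM or smart card) for one operation must select it and then put the previous token back. The following is an added example for this page, not JSS project code: it combines getTokensSupportingAlgorithm and getExternalTokens to pick a suitable token and wraps setThreadToken/getThreadToken in a restore-on-exit helper. CryptoToken.getName() and isPresent() are assumed from the JSS CryptoToken interface, which this page does not document.

```java
import java.util.Enumeration;
import java.util.concurrent.Callable;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.Algorithm;
import org.mozilla.jss.crypto.CryptoToken;

public final class TokenSelection {

    /** True if token is one of the external (not built into NSS) tokens, matched by name. */
    static boolean isExternal(CryptoManager cm, CryptoToken token) throws Exception {
        Enumeration<CryptoToken> external = cm.getExternalTokens();
        while (external.hasMoreElements()) {
            if (external.nextElement().getName().equals(token.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * First present external token that supports alg, or null if there is none.
     * Returning null makes the caller decide explicitly whether software fallback
     * (the internal token) is acceptable for this key material.
     */
    public static CryptoToken externalTokenFor(CryptoManager cm, Algorithm alg) throws Exception {
        Enumeration<CryptoToken> candidates = cm.getTokensSupportingAlgorithm(alg);
        while (candidates.hasMoreElements()) {
            CryptoToken t = candidates.nextElement();
            if (t.isPresent() && isExternal(cm, t)) {
                return t;
            }
        }
        return null;
    }

    /**
     * Runs work with the calling thread's default token pinned to token, then restores
     * the previous setting. On a pooled thread a forgotten reset would leak the token
     * selection into unrelated work run later on the same thread.
     */
    public static <T> T withThreadToken(CryptoManager cm, CryptoToken token, Callable<T> work)
            throws Exception {
        CryptoToken previous = cm.getThreadToken();
        cm.setThreadToken(token);
        try {
            return work.call();
        } finally {
            cm.setThreadToken(previous);
        }
    }
}
```

getThreadToken() returns the InternalKeyStorageToken when nothing has been set, so restoring `previous` is always safe: at worst it re-selects the default explicitly.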
public int isCertValid(java.lang.String nickname, boolean checkSig) throws ObjectNotFoundException, InvalidNicknameException
Parameters:
nickname - The nickname of the certificate to verify.
checkSig - Verify the signature of the certificate.
Throws:
InvalidNicknameException - If the nickname is null.
ObjectNotFoundException - If no certificate could be found with the given nickname.

@Deprecated public boolean isCertValid(java.lang.String nickname, boolean checkSig, CertificateUsage certificateUsage) throws ObjectNotFoundException, InvalidNicknameException
Deprecated. Use verifyCertificate() instead.
Parameters:
nickname - The nickname of the certificate to verify.
checkSig - Verify the signature of the certificate.
certificateUsage - The CertificateUsage to verify the certificate against; to retrieve the certificate's current usage, call isCertValid(nickname, checkSig) above.
Throws:
InvalidNicknameException - If the nickname is null.
ObjectNotFoundException - If no certificate could be found with the given nickname.

public void verifyCertificate(java.lang.String nickname, boolean checkSig, CertificateUsage certificateUsage) throws ObjectNotFoundException, InvalidNicknameException, java.security.cert.CertificateException
Parameters:
nickname - Nickname of the certificate to verify.
checkSig - Verify the signature of the certificate.
certificateUsage - The CertificateUsage to verify the certificate against.
Throws:
InvalidNicknameException - If the nickname is null.
ObjectNotFoundException - If no certificate could be found with the given nickname.
java.security.cert.CertificateException - If the certificate is invalid.

public void verifyCertificate(X509Certificate cert, boolean checkSig, CertificateUsage certificateUsage) throws ObjectNotFoundException, InvalidNicknameException, java.security.cert.CertificateException
Parameters:
cert - The certificate to verify.
checkSig - Verify the signature of the certificate.
certificateUsage - The CertificateUsage to verify the certificate against.
Throws:
InvalidNicknameException - If the nickname is null.
ObjectNotFoundException - If no certificate could be found with the given nickname.
java.security.cert.CertificateException - If the certificate is invalid.

public boolean isCertValid(java.lang.String nickname, boolean checkSig, CryptoManager.CertUsage certUsage) throws ObjectNotFoundException, InvalidNicknameException
Note: this method calls an obsolete function in NSS.
Parameters:
nickname - The nickname of the certificate to verify.
checkSig - Verify the signature of the certificate.
certUsage - The CryptoManager.CertUsage to verify the certificate against.
Throws:
InvalidNicknameException - If the nickname is null.
ObjectNotFoundException - If no certificate could be found with the given nickname.

public boolean isCertValid(byte[] certPackage, boolean checkSig, CryptoManager.CertUsage certUsage) throws TokenException, java.security.cert.CertificateEncodingException
Parameters:
certPackage - The certificate in memory.
checkSig - Verify the signature of the certificate.
certUsage - The CryptoManager.CertUsage to verify the certificate against.
Throws:
TokenException - Unable to insert the temporary certificate into the database.
java.security.cert.CertificateEncodingException - If the package encoding was not recognized.

public static int getOCSPPolicy()
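The verification methods above differ in what they tell the caller: the boolean isCertValid variants (one deprecated, one calling an obsolete NSS function) collapse every failure into false, whereas verifyCertificate throws a CertificateException carrying the reason. The following is an added example for this page, not JSS project code, showing the non-deprecated path: look the certificate up, verify it for a usage with signature checking on, and optionally confirm the private key is reachable, which is what a server needs before it can present the certificate. CertificateUsage.SSLServer is assumed from the JSS CertificateUsage class, which this page does not list.

```java
import java.security.cert.CertificateException;
import org.mozilla.jss.CertificateUsage;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.mozilla.jss.crypto.X509Certificate;

public final class CertCheck {

    /** A reason, not a bare boolean, so callers can log and act on the exact failure. */
    public enum Verdict { VALID, NOT_FOUND, INVALID, NO_PRIVATE_KEY }

    /**
     * Verifies the certificate stored under nickname for usage and, when
     * requirePrivateKey is set, confirms the matching private key can be found.
     */
    public static Verdict check(CryptoManager cm, String nickname, CertificateUsage usage,
                                boolean requirePrivateKey) {
        X509Certificate cert;
        try {
            cert = cm.findCertByNickname(nickname);
        } catch (ObjectNotFoundException e) {
            return Verdict.NOT_FOUND;
        } catch (Exception tokenFailure) {
            // TokenException: the library itself failed, which is not a verdict on the cert.
            throw new IllegalStateException("token error looking up " + nickname, tokenFailure);
        }

        try {
            // checkSig=true verifies the signatures along the path, not only validity
            // dates and trust flags. The exception message carries the NSS reason.
            cm.verifyCertificate(cert, true, usage);
        } catch (CertificateException invalid) {
            System.err.println(nickname + " failed verification: " + invalid.getMessage());
            return Verdict.INVALID;
        } catch (Exception lookupFailure) {
            // ObjectNotFoundException / InvalidNicknameException per the signature above.
            throw new IllegalStateException("verification aborted for " + nickname, lookupFailure);
        }

        if (requirePrivateKey) {
            try {
                cm.findPrivKeyByCert(cert);
            } catch (ObjectNotFoundException e) {
                return Verdict.NO_PRIVATE_KEY;
            } catch (Exception tokenFailure) {
                throw new IllegalStateException("token error for key of " + nickname, tokenFailure);
            }
        }
        return Verdict.VALID;
    }

    public static void main(String[] args) throws Exception {
        // Requires a prior CryptoManager.initialize(...); args[0] is the nickname to check.
        CryptoManager cm = CryptoManager.getInstance();
        System.out.println(check(cm, args[0], CertificateUsage.SSLServer, true));
    }
}
```

Library failures (TokenException) are rethrown rather than mapped to INVALID on purpose: a broken token must not be reported as a bad certificate, or the operator will rotate certificates while the real fault persists.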
public static CryptoManager.OCSPPolicy getOCSPPolicyEnum()
See Also: getOCSPPolicy()

public static void setOCSPPolicy(CryptoManager.OCSPPolicy policy)
Parameters:
policy - Either check the certificate and its chain, or normal default processing.

public void configureOCSP(boolean ocspCheckingEnabled, java.lang.String ocspResponderURL, java.lang.String ocspResponderCertNickname) throws java.security.GeneralSecurityException
Parameters:
ocspCheckingEnabled - true or false to enable/disable OCSP.
ocspResponderURL - URL of the OCSP responder.
ocspResponderCertNickname - The nickname of the OCSP signer certificate or the CA certificate found in the cert DB.
Throws:
java.security.GeneralSecurityException - If a security error has occurred.

public void OCSPCacheSettings(int ocsp_cache_size, int ocsp_min_cache_entry_duration, int ocsp_max_cache_entry_duration) throws java.security.GeneralSecurityException
Parameters:
ocsp_cache_size - Maximum number of cache entries.
ocsp_min_cache_entry_duration - Minimum seconds to the next fetch attempt.
ocsp_max_cache_entry_duration - Maximum seconds to the next fetch attempt.
Throws:
java.security.GeneralSecurityException - If a security error has occurred.

public void setOCSPTimeout(int ocsp_timeout) throws java.security.GeneralSecurityException
Parameters:
ocsp_timeout - OCSP timeout in seconds.
Throws:
java.security.GeneralSecurityException - If a security error has occurred.

public void shutdown() throws java.lang.Exception
Throws:
java.lang.Exception

public void shutdownNative()
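The OCSP methods above (setOCSPPolicy, configureOCSP, OCSPCacheSettings, setOCSPTimeout), together with the InitializationValues fields that initialize() honours, give two ways to turn on revocation checking. The following is an added example for this page, not JSS project code: one method builds InitializationValues for the startup path, the other reconfigures a live CryptoManager. The enum constant CryptoManager.OCSPPolicy.LEAF_AND_CHAIN is assumed from the JSS enum (this page only says the policy is "cert and chain" or normal), and the cache and timeout values are illustrative choices.

```java
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.InitializationValues;

public final class OcspSetup {

    /**
     * Startup path: initialize() enables OCSP itself when these fields are set, so the
     * first certificate verified after startup is already revocation-checked.
     */
    public static InitializationValues withOcsp(String configDir, String responderUrl,
                                                String responderCertNickname) {
        InitializationValues values = new InitializationValues(configDir);
        values.ocspCheckingEnabled = true;
        values.ocspResponderURL = responderUrl;
        values.ocspResponderCertNickname = responderCertNickname;
        return values;
    }

    /**
     * Runtime path: switch responders and tighten the policy on a live CryptoManager,
     * e.g. when the responder is being migrated without restarting the service.
     */
    public static void reconfigure(CryptoManager cm, String responderUrl,
                                   String responderCertNickname) throws Exception {
        // Check the certificate and its chain, not only the leaf, so a revoked
        // intermediate is caught too. LEAF_AND_CHAIN is an assumed constant name.
        CryptoManager.setOCSPPolicy(CryptoManager.OCSPPolicy.LEAF_AND_CHAIN);
        if (CryptoManager.getOCSPPolicyEnum() != CryptoManager.OCSPPolicy.LEAF_AND_CHAIN) {
            throw new IllegalStateException("OCSP policy did not take effect");
        }

        // The nickname must name the responder's signing certificate (or its CA) in the
        // cert DB. A wrong nickname makes every response fail validation, which with
        // OCSP enabled means every verification fails: test this change in staging.
        cm.configureOCSP(true, responderUrl, responderCertNickname);

        // Keep up to 1000 responses; re-fetch no sooner than 60 s and no later than
        // 1 h after the previous attempt (illustrative values).
        cm.OCSPCacheSettings(1000, 60, 3600);

        // Bound the network wait so a slow responder cannot stall verification indefinitely.
        cm.setOCSPTimeout(10);
    }
}
```

Decide deliberately what a responder timeout should mean for your deployment: a short setOCSPTimeout keeps handshakes responsive, but whether an unreachable responder is treated as a failure or as a soft pass is policy set outside these methods, so verify the observed behaviour rather than assuming it.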