Class JssSubsystem
java.lang.Object
com.netscape.cmscore.security.JssSubsystem
- All Implemented Interfaces:
ICryptoSubsystem
Subsystem for initializing JSS
- Version:
- $Revision$ $Date$
-
Field Summary
Fields

| Modifier and Type | Field | Description |
| --- | --- | --- |
| protected JssSubsystemConfig | | |
| static final String | | |
| static org.slf4j.Logger | | |

-
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| void | addEntropy(int bits) | Adds the specified number of bits of entropy from the system entropy generator to the RNG of the default PKCS#11 RNG token. |
| void | | Checks if the given base-64 encoded string contains an extension or a sequence of extensions. |
| void | checkKeyLength(String keyType, int keyLength, String certType, int minRSAKeyLen) | |
| void | deleteCACert(String nickname, String notAfterTime) | Delete the CA certificate from the perm database. |
| void | deleteCert(String nickname, String notAfterTime) | Delete any certificate from any token. |
| void | deleteRootCert(String nickname, String serialno, String issuername) | |
| void | deleteTokenCertificate(String nickname, String pathname) | Deletes certificate of the given nickname. |
| void | deleteUserCert(String nickname, String serialno, String issuername) | |
| org.mozilla.jss.netscape.security.x509.AlgorithmId | getAlgorithmId(String algname, IConfigStore store) | Retrieves CA's signing algorithm id. |
| | | Retrieves a list of nicknames of certificates that are in the installed tokens. |
| | | Gets all certificates on all tokens for Certificate Database Management. |
| | | Gets all CA certificates on all tokens. |
| org.mozilla.jss.crypto.PQGParams | getCAPQG(int keysize, IConfigStore store) | Retrieves PQG parameters based on key size. |
| org.mozilla.jss.netscape.security.x509.CertificateExtensions | getCertExtensions(String tokenname, String nickname) | Retrieves extensions of the certificate that is identified by the given nickname. |
| org.mozilla.jss.crypto.X509Certificate | getCertificate(String nickname, String serialno, String issuerName) | |
| | getCertInfo(String b64E) | |
| | getCertList(String name) | |
| | | Retrieves all certificates. |
| | getCertPrettyPrint(String nickname, String serialno, String issuerName, Locale locale) | |
| | getCertPrettyPrint(String nickname, String date, Locale locale) | Retrieves certificate in pretty-print format by the nickname. |
| | getCertPrettyPrint(String b64E, Locale locale) | Retrieves the certificate in the pretty print format. |
| | getCertPrettyPrintAndFingerPrint(String nickname, String serialno, String issuerName, Locale locale) | |
| | getCertRequest(String subjectName, KeyPair kp) | Generates certificate request from the given key pair. |
| | getCertSubjectName(String tokenname, String nickname) | Retrieves subject name of the certificate that is identified by the given nickname. |
| | | Retrieves the cipher preferences. |
| | | Retrieves the SSL cipher version. |
| | | Retrieves a configuration store of this subsystem. |
| | getECCKeyPair(KeyCertData properties) | Generates an ECC key pair based on the given parameters. |
| | getECCKeyPair(org.mozilla.jss.crypto.CryptoToken token, String keyCurve, String certType) | Generates an ECC key pair based on the given parameters. |
| org.mozilla.jss.netscape.security.x509.CertificateExtensions | getExtensions(String tokenname, String nickname) | Retrieves extensions of the certificate that is identified by the given nickname. |
| | getId() | |
| static JssSubsystem | | |
| | | Retrieves the token name of the internal (software) token. |
| | getKeyPair(KeyCertData properties) | Generates a key pair based on the given parameters. |
| | getKeyPair(String nickname) | Retrieves the key pair based on the given nickname. |
| | getKeyPair(org.mozilla.jss.crypto.CryptoToken token, String alg, int keySize) | Generates a key pair based on the given parameters. |
| | getKeyPair(org.mozilla.jss.crypto.CryptoToken token, String alg, int keySize, org.mozilla.jss.crypto.PQGParams pqg) | Generates a key pair based on the given parameters. |
| org.mozilla.jss.crypto.PQGParams | getPQG(int keysize) | Retrieves PQG parameters based on key size. |
| | getRootCertTrustBit(String nickname, String serialno, String issuerName) | |
| | getSignatureAlgorithm(String nickname) | Retrieves the signature algorithm of the certificate named by the given nickname. |
| org.mozilla.jss.netscape.security.x509.X509CertImpl | getSignedCert(KeyCertData data, String certType, PrivateKey priKey) | Signs the certificate template into the given data and returns a signed certificate. |
| | getSubjectDN(String nickname) | Retrieves the subject DN of the certificate identified by the nickname. |
| | | Retrieves a list of currently registered token names. |
| void | importCert(String b64E, String nickname, String certType) | Imports certificate into the server. |
| void | importCert(org.mozilla.jss.netscape.security.x509.X509CertImpl signedCert, String nickname, String certType) | Imports certificate into the server. |
| void | init(JssSubsystemConfig config) | Initializes the Jss security subsystem. |
| boolean | | Checks to see if the certificate of the given nickname is a CA certificate. |
| | | Checks if fortezza is enabled. |
| boolean | isTokenLoggedIn(String name) | Checks if the given token is logged in. |
| void | | Checks if the given dn is a valid distinguished name. |
| void | loggedInToken(String tokenName, String pwd) | Logs into token. |
| static void | | |
| void | obscureBytes(byte[] memory) | |
| void | obscureBytes(byte[] memory, String method) | |
| void | obscureChars(char[] memory) | |
| void | setCipherPreferences(String cipherPrefs) | Sets the current SSL cipher preferences. |
| void | | |
| void | setRootCertTrust(String nickname, String serialno, String issuerName, String trust) | |
| void | shutdown() | Shuts down this subsystem. |
| void | startup() | Starts up this service. |
| void | | Trusts a certificate for all available purposes. |
-
Field Details
-
logger
public static org.slf4j.Logger logger
-
ID
- See Also:
-
config
-
-
Method Details
-
getInstance
-
getId
-
setId
- Throws:
EBaseException
-
addEntropy
public void addEntropy(int bits) throws org.mozilla.jss.util.NotImplementedException, IOException, org.mozilla.jss.crypto.TokenException
Description copied from interface: ICryptoSubsystem
Adds the specified number of bits of entropy from the system entropy generator to the RNG of the default PKCS#11 RNG token. The default token is set using the modutil command. Note that the system entropy generator (usually /dev/random) will block until sufficient entropy is collected.
- Specified by:
addEntropy in interface ICryptoSubsystem
- Parameters:
bits - number of bits of entropy
- Throws:
org.mozilla.jss.util.NotImplementedException - If the Crypto device does not support adding entropy
IOException - If there was a problem reading from /dev/random
org.mozilla.jss.crypto.TokenException - If there was some other problem with the Crypto device
-
init
Initializes the Jss security subsystem.
- Throws:
EBaseException
-
getRandomNumberGenerator
-
obscureBytes
public void obscureBytes(byte[] memory)
-
obscureBytes
-
obscureChars
public void obscureChars(char[] memory)
-
getCipherVersion
Description copied from interface: ICryptoSubsystem
Retrieves the SSL cipher version.
- Specified by:
getCipherVersion in interface ICryptoSubsystem
- Returns:
- cipher version (i.e. "cipherdomestic")
- Throws:
EBaseException
-
getCipherPreferences
Description copied from interface: ICryptoSubsystem
Retrieves the cipher preferences.
- Specified by:
getCipherPreferences in interface ICryptoSubsystem
- Returns:
- cipher preferences (i.e. "rc4export,rc2export,...")
- Throws:
EBaseException
-
getECType
- Throws:
EBaseException
-
isCipherFortezza
Description copied from interface: ICryptoSubsystem
Checks if fortezza is enabled.
- Specified by:
isCipherFortezza in interface ICryptoSubsystem
- Returns:
- "true" if fortezza is enabled
- Throws:
EBaseException
-
setCipherPreferences
Description copied from interface: ICryptoSubsystem
Sets the current SSL cipher preferences.
- Specified by:
setCipherPreferences in interface ICryptoSubsystem
- Parameters:
cipherPrefs - cipher preferences (i.e. "rc4export,rc2export,...")
- Throws:
EBaseException - failed to set cipher preferences
-
getConfigStore
Retrieves a configuration store of this subsystem.
-
startup
-
shutdown
public void shutdown()
Shuts down this subsystem.
-
getInternalTokenName
Description copied from interface: ICryptoSubsystem
Retrieves the token name of the internal (software) token.
- Specified by:
getInternalTokenName in interface ICryptoSubsystem
- Returns:
- the token name
- Throws:
EBaseException - failed to retrieve token name
-
getTokenList
Description copied from interface: ICryptoSubsystem
Retrieves a list of currently registered token names.
- Specified by:
getTokenList in interface ICryptoSubsystem
- Returns:
- list of token names
- Throws:
EBaseException - failed to retrieve token list
-
isTokenLoggedIn
Description copied from interface: ICryptoSubsystem
Checks if the given token is logged in.
- Specified by:
isTokenLoggedIn in interface ICryptoSubsystem
- Parameters:
name - token name
- Returns:
- true if token is logged in
- Throws:
EBaseException - failed to login
-
loggedInToken
Description copied from interface: ICryptoSubsystem
Logs into token.
- Specified by:
loggedInToken in interface ICryptoSubsystem
- Parameters:
tokenName - name of the token
pwd - token password
- Throws:
EBaseException - failed to login
-
getCertSubjectName
Description copied from interface: ICryptoSubsystem
Retrieves subject name of the certificate that is identified by the given nickname.
- Specified by:
getCertSubjectName in interface ICryptoSubsystem
- Parameters:
tokenname - name of token where the nickname is valid
nickname - nickname of the certificate
- Returns:
- subject name
- Throws:
EBaseException - failed to get subject name
-
getAllCerts
Description copied from interface: ICryptoSubsystem
Retrieves a list of nicknames of certificates that are in the installed tokens.
- Specified by:
getAllCerts in interface ICryptoSubsystem
- Returns:
- a list of comma-separated nicknames
- Throws:
EBaseException - failed to retrieve nicknames
-
getCertListWithoutTokenName
Description copied from interface: ICryptoSubsystem
Retrieves all certificates. The result list will not contain the token tag.
- Specified by:
getCertListWithoutTokenName in interface ICryptoSubsystem
- Parameters:
name - token name
- Returns:
- list of certificates without token tag
- Throws:
EBaseException - failed to retrieve
-
getCertList
- Throws:
EBaseException
-
getAlgorithmId
public org.mozilla.jss.netscape.security.x509.AlgorithmId getAlgorithmId(String algname, IConfigStore store) throws EBaseException
Description copied from interface: ICryptoSubsystem
Retrieves CA's signing algorithm id. If it is DSA algorithm, algorithm is constructed by reading the parameters ca.dsaP, ca.dsaQ, ca.dsaG.
- Specified by:
getAlgorithmId in interface ICryptoSubsystem
- Parameters:
algname - DSA or RSA
store - configuration store.
- Returns:
- algorithm id
- Throws:
EBaseException - failed to retrieve algorithm id
-
getSignatureAlgorithm
Description copied from interface: ICryptoSubsystem
Retrieves the signature algorithm of the certificate named by the given nickname.
- Specified by:
getSignatureAlgorithm in interface ICryptoSubsystem
- Parameters:
nickname - nickname of the certificate
- Returns:
- signature algorithm
- Throws:
EBaseException - failed to retrieve signature
-
getKeyPair
Description copied from interface: ICryptoSubsystem
Retrieves the key pair based on the given nickname.
- Specified by:
getKeyPair in interface ICryptoSubsystem
- Parameters:
nickname - nickname of the public key
- Throws:
EBaseException - failed to retrieve key pair
-
getKeyPair
public KeyPair getKeyPair(org.mozilla.jss.crypto.CryptoToken token, String alg, int keySize) throws EBaseException
Description copied from interface: ICryptoSubsystem
Generates a key pair based on the given parameters.
- Specified by:
getKeyPair in interface ICryptoSubsystem
- Parameters:
token - token where key is generated
alg - key algorithm
keySize - key size
- Returns:
- key pair
- Throws:
EBaseException - failed to generate key pair
-
getKeyPair
public KeyPair getKeyPair(org.mozilla.jss.crypto.CryptoToken token, String alg, int keySize, org.mozilla.jss.crypto.PQGParams pqg) throws EBaseException
Description copied from interface: ICryptoSubsystem
Generates a key pair based on the given parameters.
- Specified by:
getKeyPair in interface ICryptoSubsystem
- Parameters:
token - token where key is generated
alg - key algorithm
keySize - key size
pqg - pqg parameters if DSA key, otherwise null
- Returns:
- key pair
- Throws:
EBaseException - failed to generate key pair
-
isX500DN
Description copied from interface: ICryptoSubsystem
Checks if the given dn is a valid distinguished name.
- Specified by:
isX500DN in interface ICryptoSubsystem
- Parameters:
dn - distinguished name
- Throws:
EBaseException - failed to check
-
getCertRequest
Description copied from interface: ICryptoSubsystem
Generates certificate request from the given key pair.
- Specified by:
getCertRequest in interface ICryptoSubsystem
- Parameters:
subjectName - subject name to use in the request
kp - key pair that contains public key material
- Returns:
- certificate request in base-64 encoded format
- Throws:
EBaseException - failed to generate request
-
importCert
Description copied from interface: ICryptoSubsystem
Imports certificate into the server.
- Specified by:
importCert in interface ICryptoSubsystem
- Parameters:
b64E - certificate in mime-64 encoded format
nickname - nickname for the importing certificate
certType - certificate type
- Throws:
EBaseException - failed to import certificate
-
getKeyPair
Description copied from interface: ICryptoSubsystem
Generates a key pair based on the given parameters.
- Specified by:
getKeyPair in interface ICryptoSubsystem
- Parameters:
properties - key parameters
- Returns:
- key pair
- Throws:
EBaseException - failed to generate key pair
-
getECCKeyPair
Description copied from interface: ICryptoSubsystem
Generates an ECC key pair based on the given parameters.
- Specified by:
getECCKeyPair in interface ICryptoSubsystem
- Parameters:
properties - key parameters
- Returns:
- key pair
- Throws:
EBaseException - failed to generate key pair
-
getECCKeyPair
public KeyPair getECCKeyPair(org.mozilla.jss.crypto.CryptoToken token, String keyCurve, String certType) throws EBaseException
Description copied from interface: ICryptoSubsystem
Generates an ECC key pair based on the given parameters.
- Specified by:
getECCKeyPair in interface ICryptoSubsystem
- Parameters:
token - token name
keyCurve - curve name
certType - type of cert (sslserver etc.)
- Returns:
- key pair
- Throws:
EBaseException - failed to generate key pair
-
importCert
public void importCert(org.mozilla.jss.netscape.security.x509.X509CertImpl signedCert, String nickname, String certType) throws EBaseException
Description copied from interface: ICryptoSubsystem
Imports certificate into the server.
- Specified by:
importCert in interface ICryptoSubsystem
- Parameters:
signedCert - certificate
nickname - nickname for the importing certificate
certType - certificate type
- Throws:
EBaseException - failed to import certificate
-
getCertInfo
- Throws:
EBaseException
-
deleteUserCert
public void deleteUserCert(String nickname, String serialno, String issuername) throws EBaseException
- Specified by:
deleteUserCert in interface ICryptoSubsystem
- Throws:
EBaseException
-
deleteRootCert
public void deleteRootCert(String nickname, String serialno, String issuername) throws EBaseException
- Specified by:
deleteRootCert in interface ICryptoSubsystem
- Throws:
EBaseException
-
getRootCerts
- Specified by:
getRootCerts in interface ICryptoSubsystem
- Throws:
EBaseException
-
getUserCerts
- Specified by:
getUserCerts in interface ICryptoSubsystem
- Throws:
EBaseException
-
getAllCertsManage
Description copied from interface: ICryptoSubsystem
Gets all certificates on all tokens for Certificate Database Management.
- Specified by:
getAllCertsManage in interface ICryptoSubsystem
- Returns:
- all certificates
- Throws:
EBaseException - failed to retrieve certificates
-
getCACerts
Description copied from interface: ICryptoSubsystem
Gets all CA certificates on all tokens.
- Specified by:
getCACerts in interface ICryptoSubsystem
- Returns:
- all CA certificates
- Throws:
EBaseException - failed to retrieve certificates
-
trustCert
Description copied from interface: ICryptoSubsystem
Trusts a certificate for all available purposes.
- Specified by:
trustCert in interface ICryptoSubsystem
- Parameters:
nickname - nickname of the certificate
date - certificate's not before
trust - "Trust" or other
- Throws:
EBaseException - failed to trust certificate
-
deleteCACert
Delete the CA certificate from the perm database.
- Parameters:
nickname - The nickname of the CA certificate.
notAfterTime - The notAfter of the certificate. It is possible to get multiple certificates under the same nickname. If one of the certificates matches the notAfterTime, then that certificate will get deleted. The notAfterTime has to be in the "MMMMM dd, yyyy HH:mm:ss" format.
- Throws:
EBaseException
-
deleteCert
Delete any certificate from any token.
- Specified by:
deleteCert in interface ICryptoSubsystem
- Parameters:
nickname - The nickname of the certificate.
notAfterTime - The notAfter of the certificate. It is possible to get multiple certificates under the same nickname. If one of the certificates matches the notAfterTime, then that certificate will get deleted. The notAfterTime has to be in the "MMMMM dd, yyyy HH:mm:ss" format.
- Throws:
EBaseException - failed to delete certificate
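The notAfterTime matching described for deleteCACert and deleteCert, as an added example that is not part of the PKI code base. It assumes the string is rendered with java.text.SimpleDateFormat, an English locale and UTC (the page gives only the pattern); CertEntry, toNotAfterTime and select are hypothetical names, and the certificate data is constructed.

```java
import java.text.SimpleDateFormat;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.TimeZone;

public class NotAfterTimeExample {

    // Pattern quoted in the deleteCACert/deleteCert parameter description.
    static final String PATTERN = "MMMMM dd, yyyy HH:mm:ss";

    // Constructed stand-in for a certificate entry; not a JSS or PKI type (record needs Java 16+).
    record CertEntry(String nickname, String serial, Date notAfter) {}

    // SimpleDateFormat reads four or more 'M' letters as the full month name.
    // Assumption: English locale and the caller-supplied time zone; the page states neither.
    static String toNotAfterTime(Date notAfter, TimeZone tz) {
        SimpleDateFormat f = new SimpleDateFormat(PATTERN, Locale.ENGLISH);
        f.setTimeZone(tz);
        return f.format(notAfter);
    }

    // Entries under one nickname whose notAfter renders to exactly the given string.
    static List<CertEntry> select(List<CertEntry> certs, String nickname,
                                  String notAfterTime, TimeZone tz) {
        List<CertEntry> hits = new ArrayList<>();
        for (CertEntry c : certs) {
            if (c.nickname().equals(nickname)
                    && toNotAfterTime(c.notAfter(), tz).equals(notAfterTime)) {
                hits.add(c);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        TimeZone utc = TimeZone.getTimeZone("UTC");
        // Constructed sample: an expired certificate and its renewal share one nickname.
        List<CertEntry> certs = List.of(
            new CertEntry("sample-ca", "0x01", new Date(1704067199000L)),  // 2023-12-31 23:59:59 UTC
            new CertEntry("sample-ca", "0x2A", new Date(1767225599000L))); // 2025-12-31 23:59:59 UTC

        // The string for the expired certificate selects only that entry.
        String expired = toNotAfterTime(certs.get(0).notAfter(), utc);
        System.out.println(expired + " -> " + select(certs, "sample-ca", expired, utc));

        // Same instant rendered in another zone is a different string and selects nothing.
        String shifted = toNotAfterTime(certs.get(0).notAfter(), TimeZone.getTimeZone("Asia/Tokyo"));
        System.out.println(shifted + " -> " + select(certs, "sample-ca", shifted, utc));

        // java.time reads five 'M' letters as the narrow month form, so the same
        // pattern string produces a value that matches no certificate.
        String narrow = DateTimeFormatter.ofPattern(PATTERN, Locale.ENGLISH)
            .withZone(ZoneId.of("UTC"))
            .format(certs.get(0).notAfter().toInstant());
        System.out.println(narrow + " -> " + select(certs, "sample-ca", narrow, utc));
    }
}
```

Because the match is on a formatted string, checking that exactly one entry is selected before calling the delete method avoids removing the renewed certificate instead of the expired one.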
-
deleteTokenCertificate
Description copied from interface: ICryptoSubsystem
Deletes certificate of the given nickname.
- Specified by:
deleteTokenCertificate in interface ICryptoSubsystem
- Parameters:
nickname - nickname of the certificate
pathname - path where a copy of the deleted certificate is stored
- Throws:
EBaseException - failed to delete certificate
-
getSubjectDN
Description copied from interface: ICryptoSubsystem
Retrieves the subject DN of the certificate identified by the nickname.
- Specified by:
getSubjectDN in interface ICryptoSubsystem
- Parameters:
nickname - nickname of the certificate
- Returns:
- subject distinguished name
- Throws:
EBaseException - failed to retrieve subject DN
-
setRootCertTrust
public void setRootCertTrust(String nickname, String serialno, String issuerName, String trust) throws EBaseException
- Specified by:
setRootCertTrust in interface ICryptoSubsystem
- Throws:
EBaseException
-
getCertificate
public org.mozilla.jss.crypto.X509Certificate getCertificate(String nickname, String serialno, String issuerName) throws EBaseException
- Throws:
EBaseException
-
getRootCertTrustBit
public String getRootCertTrustBit(String nickname, String serialno, String issuerName) throws EBaseException
- Specified by:
getRootCertTrustBit in interface ICryptoSubsystem
- Throws:
EBaseException
-
getCertPrettyPrint
public String getCertPrettyPrint(String nickname, String serialno, String issuerName, Locale locale) throws EBaseException
- Specified by:
getCertPrettyPrint in interface ICryptoSubsystem
- Throws:
EBaseException
-
getCertPrettyPrintAndFingerPrint
public String getCertPrettyPrintAndFingerPrint(String nickname, String serialno, String issuerName, Locale locale) throws EBaseException
- Specified by:
getCertPrettyPrintAndFingerPrint in interface ICryptoSubsystem
- Throws:
EBaseException
-
getCertPrettyPrint
Description copied from interface: ICryptoSubsystem
Retrieves certificate in pretty-print format by the nickname.
- Specified by:
getCertPrettyPrint in interface ICryptoSubsystem
- Parameters:
nickname - nickname of certificate
date - not after of the returned certificate must be date
locale - user locale
- Returns:
- certificate in pretty-print format
- Throws:
EBaseException - failed to retrieve certificate
-
getCertPrettyPrint
Description copied from interface: ICryptoSubsystem
Retrieves the certificate in the pretty print format.
- Specified by:
getCertPrettyPrint in interface ICryptoSubsystem
- Parameters:
b64E - certificate in mime-64 encoded format
locale - end user locale
- Returns:
- certificate in pretty-print format
- Throws:
EBaseException - failed to retrieve certificate
-
getSignedCert
public org.mozilla.jss.netscape.security.x509.X509CertImpl getSignedCert(KeyCertData data, String certType, PrivateKey priKey) throws EBaseException
Description copied from interface: ICryptoSubsystem
Signs the certificate template into the given data and returns a signed certificate.
- Specified by:
getSignedCert in interface ICryptoSubsystem
- Parameters:
data - data that contains certificate template
certType - certificate type
priKey - CA signing key
- Returns:
- certificate
- Throws:
EBaseException - failed to sign certificate template
-
isCACert
Description copied from interface: ICryptoSubsystem
Checks to see if the certificate of the given nickname is a CA certificate.
- Specified by:
isCACert in interface ICryptoSubsystem
- Parameters:
fullNickname - nickname of the certificate to check
- Returns:
- true if it is a CA certificate
- Throws:
EBaseException - failed to check
-
getExtensions
public org.mozilla.jss.netscape.security.x509.CertificateExtensions getExtensions(String tokenname, String nickname) throws EBaseException
Description copied from interface: ICryptoSubsystem
Retrieves extensions of the certificate that is identified by the given nickname.
- Specified by:
getExtensions in interface ICryptoSubsystem
- Parameters:
tokenname - name of token where the nickname is valid
nickname - nickname of the certificate
- Returns:
- certificate extensions
- Throws:
EBaseException - failed to get extensions
-
checkCertificateExt
Description copied from interface: ICryptoSubsystem
Checks if the given base-64 encoded string contains an extension or a sequence of extensions.
- Specified by:
checkCertificateExt in interface ICryptoSubsystem
- Parameters:
ext - extension or sequence of extension encoded in base-64
- Throws:
EBaseException - failed to check encoding
-
checkKeyLength
public void checkKeyLength(String keyType, int keyLength, String certType, int minRSAKeyLen) throws EBaseException
- Throws:
EBaseException
-
getPQG
public org.mozilla.jss.crypto.PQGParams getPQG(int keysize)
Description copied from interface: ICryptoSubsystem
Retrieves PQG parameters based on key size.
- Specified by:
getPQG in interface ICryptoSubsystem
- Parameters:
keysize - key size
- Returns:
- pqg parameters
-
getCAPQG
public org.mozilla.jss.crypto.PQGParams getCAPQG(int keysize, IConfigStore store) throws EBaseException
Description copied from interface: ICryptoSubsystem
Retrieves PQG parameters based on key size.
- Specified by:
getCAPQG in interface ICryptoSubsystem
- Parameters:
keysize - key size
store - configuration store
- Returns:
- pqg parameters
- Throws:
EBaseException
-
getCertExtensions
public org.mozilla.jss.netscape.security.x509.CertificateExtensions getCertExtensions(String tokenname, String nickname) throws org.mozilla.jss.NotInitializedException, org.mozilla.jss.crypto.TokenException, org.mozilla.jss.crypto.ObjectNotFoundException, IOException, CertificateException
Description copied from interface: ICryptoSubsystem
Retrieves extensions of the certificate that is identified by the given nickname.
- Specified by:
getCertExtensions in interface ICryptoSubsystem
- Parameters:
tokenname - token name
nickname - nickname
- Returns:
- certificate extensions
- Throws:
org.mozilla.jss.NotInitializedException
org.mozilla.jss.crypto.TokenException
org.mozilla.jss.crypto.ObjectNotFoundException
IOException
CertificateException
-
main
-