Package org.mozilla.jss
Class CryptoManager
java.lang.Object
org.mozilla.jss.CryptoManager
- All Implemented Interfaces:
TokenSupplier
This class is the starting poing for the crypto package.
Use it to initialize the subsystem and to lookup certs, keys, and tokens.
Initialization is done with static methods, and must be done before
an instance can be created. All other operations are done with instance
methods.
- Version:
- $Revision$ $Date$
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic final class
note: this is obsolete in NSS CertUsage options for validationstatic enum
-
Field Summary
FieldsModifier and TypeFieldDescriptionprivate static CryptoManager
The singleton instance, and a static initializer to create it.private CryptoToken
The internal cryptographic services token.private CryptoToken
The internal key storage token.static final boolean
static org.slf4j.Logger
private Vector
<PK11Module> The list of modules.private static CryptoManager.OCSPPolicy
private PasswordCallback
private ThreadLocal
<CryptoToken> private static int
private static int
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionGiven a certificate, constructs its certificate chain.(package private) X509Certificate[]
void
configureOCSP
(boolean ocspCheckingEnabled, String ocspResponderURL, String ocspResponderCertNickname) Enables OCSP, note when you Initialize JSS for the first time, for backwards compatibility, the initialize will enable OCSP if you previously set values.ocspCheckingEnabled and values.ocspResponderURL/values.ocspResponderCertNickname configureOCSP will allow changing of the the OCSPResponder at runtime.private void
configureOCSPNative
(boolean ocspCheckingEnabled, String ocspResponderURL, String ocspResponderCertNickname) Retrieves a FIPS-140-2 validated random number generator.private static boolean
enableFIPS
(boolean fips) Enables or disables FIPS-140-2 compliant mode.byte[]
exportCertsToPKCS7
(X509Certificate[] certs) Exports one or more certificates into a PKCS #7 certificate container.findCertByIssuerAndSerialNumber
(byte[] derIssuer, INTEGER serialNumber) Looks up a certificate by issuer and serial number.private X509Certificate
findCertByIssuerAndSerialNumberNative
(byte[] derIssuer, byte[] serialNumber) findCertByNickname
(String nickname) Looks up a certificate given its nickname.protected X509Certificate
findCertByNicknameNative
(String nickname) findCertsByNickname
(String nickname) Returns all certificates with the given nickname.protected X509Certificate[]
findCertsByNicknameNative
(String nickname) Looks up the PrivateKey matching the given certificate.protected PrivateKey
boolean
Determines whether FIPS-140-2 compliance is active.Retrieves all tokens.Retrieves all CA certificates in the trust database.Retrieves all tokens except those built into NSS.static CryptoManager
Retrieve the single instance of CryptoManager.Retrieves the internal cryptographic services token.Retrieves the internal key storage token.static boolean
static int
static int
static int
static final String
Retrieves all installed cryptographic modules.static int
Gets the current ocsp Policy.static CryptoManager.OCSPPolicy
Gets the current OCSP Policy.Returns the currently registered password callback.Retrieves all certificates in the trust database.Retrieves a FIPS-140-2 validated random number generator.Returns the default token for the current thread.getTokenByName
(String name) Looks up the CryptoToken with the given name.Retrieves all tokens that support the given algorithm.importCACertPackage
(byte[] certPackage) Imports a chain of certificates, none of which is a user certificate.importCertPackage
(byte[] certPackage, String nickname) Imports a chain of certificates.private X509Certificate
importCertPackageNative
(byte[] certPackage, String nickname, boolean noUser, boolean leafIsCA) importCertToPerm
(X509Certificate cert, String nickname) Imports a single certificate into the permanent certificate database.private InternalCertificate
importCertToPermNative
(X509Certificate cert, String nickname) void
Imports a CRL, and stores it into the cert7.db Validate CRL then import it to the dbase.private void
importCRLNative
(byte[] crl, String url, int rl_type) Imports a CRL, and stores it into the cert7.dbimportDERCert
(byte[] cert, CertificateUsage usage, boolean permanent, String nickname) Imports a single DER-encoded certificate into the permanent or temporary certificate database.private X509Certificate
importDERCertNative
(byte[] cert, int usage, boolean permanent, String nickname) importUserCACertPackage
(byte[] certPackage, String nickname) Imports a chain of certificates.static void
initialize
(String configDir) Initialize the security subsystem.static void
initialize
(InitializationValues values) Initialize the security subsystem.private static void
initializeAllNative2
(String configDir, String certPrefix, String keyPrefix, String secmodName, boolean readOnly, String manufacturerID, String libraryDescription, String internalTokenDescription, String internalKeyStorageTokenDescription, String internalSlotDescription, String internalKeyStorageSlotDescription, String fipsSlotDescription, String fipsKeyStorageSlotDescription, boolean ocspCheckingEnabled, String ocspResponderURL, String ocspResponderCertNickname, boolean initializeJavaOnly, boolean PKIXVerify, boolean noCertDB, boolean noModDB, boolean forceOpen, boolean noRootInit, boolean optimizeSpace, boolean PK11ThreadSafe, boolean PK11Reload, boolean noPK11Finalize, boolean cooperate) private static void
initializeAllNativeWithContext
(String configDir, String certPrefix, String keyPrefix, String secmodName, boolean readOnly, String manufacturerID, String libraryDescription, String internalTokenDescription, String internalKeyStorageTokenDescription, String internalSlotDescription, String internalKeyStorageSlotDescription, String fipsSlotDescription, String fipsKeyStorageSlotDescription, boolean ocspCheckingEnabled, String ocspResponderURL, String ocspResponderCertNickname, boolean initializeJavaOnly, boolean PKIXVerify, boolean noCertDB, boolean noModDB, boolean forceOpen, boolean noRootInit, boolean optimizeSpace, boolean PK11ThreadSafe, boolean PK11Reload, boolean noPK11Finalize, boolean cooperate) static void
initializeWithContext
(String configDir) static void
boolean
isCertValid
(byte[] certPackage, boolean checkSig, CryptoManager.CertUsage certUsage) Verify a certificate in memory.int
isCertValid
(String nickname, boolean checkSig) Verify a certificate that exists in the given cert database, check if is valid and that we trust the issuer.boolean
isCertValid
(String nickname, boolean checkSig, CertificateUsage certificateUsage) Deprecated.Use verifyCertificate() insteadboolean
isCertValid
(String nickname, boolean checkSig, CryptoManager.CertUsage certUsage) note: this method calls obsolete function in NSS Verify a certificate that exists in the given cert database, check if is valid and that we trust the issuer.static boolean
private static void
void
OCSPCacheSettings
(int ocsp_cache_size, int ocsp_min_cache_entry_duration, int ocsp_max_cache_entry_duration) change OCSP cache settingsprivate void
OCSPCacheSettingsNative
(int ocsp_cache_size, int ocsp_min_cache_entry_duration, int ocsp_max_cache_entry_duration) private void
putModulesInVector
(Vector<PK11Module> vector) Native code to traverse all PKCS #11 modules, wrap each one in a PK11Module, and insert each PK11Module into the given vector.private void
Re-creates the Vector of modules that is stored by CryptoManager.private void
static void
Sets the current ocsp Policy.void
setOCSPTimeout
(int ocsp_timeout) set OCSP timeout valueprivate void
setOCSPTimeoutNative
(int ocsp_timeout) void
This function sets the global password callback.void
setThreadToken
(CryptoToken token) Sets the default token for the current thread.void
shutdown()
Shutdowns this CryptoManager instance and the associated NSS initialization.void
void
verifyCertificate
(String nickname, boolean checkSig, CertificateUsage certificateUsage) Verify a certificate that exists in the given cert database, check if it's valid and that we trust the issuer.void
verifyCertificate
(X509Certificate cert, boolean checkSig, CertificateUsage certificateUsage) Verify an X509Certificate by checking if it's valid and that we trust the issuer.private int
verifyCertificateNowCUNative
(String nickname, boolean checkSig) private boolean
verifyCertificateNowNative
(String nickname, boolean checkSig, int certificateUsage) private void
verifyCertificateNowNative2
(String nickname, boolean checkSig, int certificateUsage) private void
verifyCertificateNowNative3
(X509Certificate cert, boolean checkSig, int certificateUsage) private boolean
verifyCertNowNative
(String nickname, boolean checkSig, int cUsage) private boolean
verifyCertTempNative
(byte[] certPackage, boolean checkSig, int cUsage)
-
Field Details
-
logger
public static org.slf4j.Logger logger -
moduleVector
The list of modules. This should be initialized by the constructor and updated whenever 1) a new module is added, 2) a module is deleted, or 3) FIPS mode is switched. -
internalCryptoToken
The internal cryptographic services token. -
internalKeyStorageToken
The internal key storage token. -
instance
The singleton instance, and a static initializer to create it. -
passwordCallback
-
TYPE_KRL
private static int TYPE_KRL -
TYPE_CRL
private static int TYPE_CRL -
JSS_DEBUG
public static final boolean JSS_DEBUG -
threadToken
-
ocspPolicy
-
-
Constructor Details
-
CryptoManager
protected CryptoManager()Constructor, for internal use only.
-
-
Method Details
-
loadLibrary
private static void loadLibrary() -
getInternalCryptoToken
Retrieves the internal cryptographic services token. This is the token built into NSS that performs bulk cryptographic operations.In FIPS mode, the internal cryptographic services token is the same as the internal key storage token.
- Specified by:
getInternalCryptoToken
in interfaceTokenSupplier
- Returns:
- The internal cryptographic services token.
-
getInternalKeyStorageToken
Retrieves the internal key storage token. This is the token provided by NSS to store private keys. The keys stored in this token are stored in an encrypted key database.In FIPS mode, the internal key storage token is the same as the internal cryptographic services token.
- Returns:
- The internal key storage token.
-
getTokenByName
Looks up the CryptoToken with the given name. Searches all loaded cryptographic modules for the token.- Parameters:
name
- The name of the token.- Returns:
- The token.
- Throws:
NoSuchTokenException
- If no token is found with the given name.
-
getTokensSupportingAlgorithm
Retrieves all tokens that support the given algorithm.- Parameters:
alg
- Algorithm.- Returns:
- Enumeration of tokens.
-
getAllTokens
Retrieves all tokens. This is an enumeration of all tokens on all modules.- Returns:
- All tokens accessible from JSS. Each item of the enumeration
is a
CryptoToken
- See Also:
-
getExternalTokens
Retrieves all tokens except those built into NSS. This excludes the internal token and the internal key storage token (which are one and the same in FIPS mode).- Returns:
- All tokens accessible from JSS, except for the built-in internal tokens.
-
getModules
Retrieves all installed cryptographic modules.- Returns:
- An enumeration of all installed PKCS #11 modules. Each
item in the enumeration is a
PK11Module
. - See Also:
-
reloadModules
private void reloadModules()Re-creates the Vector of modules that is stored by CryptoManager. This entails going into native code to enumerate all modules, wrap each one in a PK11Module, and storing the PK11Module in the vector. -
putModulesInVector
Native code to traverse all PKCS #11 modules, wrap each one in a PK11Module, and insert each PK11Module into the given vector. -
isInitialized
public static boolean isInitialized() -
getInstance
Retrieve the single instance of CryptoManager. This cannot be called before initialization.- Returns:
- CryptoManager instance.
- Throws:
NotInitializedException
- Ifinitialize(InitializationValues
has not yet been called.- See Also:
-
enableFIPS
Enables or disables FIPS-140-2 compliant mode. If this returns true, you must reloadModules(). This should only be called once in a program, at the beginning, because it invalidates tokens and modules.- Parameters:
fips
- true to turn FIPS compliant mode on, false to turn it off.- Throws:
GeneralSecurityException
-
FIPSEnabled
public boolean FIPSEnabled()Determines whether FIPS-140-2 compliance is active.- Returns:
- true if the security library is in FIPS-140-2 compliant mode.
-
setPasswordCallback
This function sets the global password callback. It is not thread-safe to change this.The callback may be NULL, in which case password callbacks will fail gracefully.
- Parameters:
pwcb
- Password callback.
-
setNativePasswordCallback
-
getPasswordCallback
Returns the currently registered password callback.- Returns:
- Password callback.
-
initialize
public static void initialize(String configDir) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException, GeneralSecurityException Initialize the security subsystem. Opens the databases, loads all PKCS #11 modules, initializes the internal random number generator. Theinitialize
methods that take arguments should be called only once, otherwise they will throw an exception. It is OK to call them after callinginitialize()
.- Parameters:
configDir
- The directory containing the security databases.- Throws:
KeyDatabaseException
- Unable to open the key database, or it was currupted.CertDatabaseException
- Unable to open the certificate database, or it was currupted.AlreadyInitializedException
- If the security subsystem is already initialized.GeneralSecurityException
- If other security error occurred.
-
initializeWithContext
public static void initializeWithContext(String configDir) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException, GeneralSecurityException -
initializeWithContext
public static void initializeWithContext(InitializationValues values) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException, GeneralSecurityException -
initialize
public static void initialize(InitializationValues values) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException, GeneralSecurityException Initialize the security subsystem. Opens the databases, loads all PKCS #11 modules, initializes the internal random number generator. Theinitialize
methods that take arguments should be called only once, otherwise they will throw an exception. It is OK to call them after callinginitialize()
.- Parameters:
values
- The options with which to initialize CryptoManager.- Throws:
KeyDatabaseException
- Unable to open the key database, or it was corrupted.CertDatabaseException
- Unable to open the certificate database, or it was currupted.AlreadyInitializedException
- If security subsystem is already initialized.GeneralSecurityException
- If other security error occurred.
-
initializeAllNative2
private static void initializeAllNative2(String configDir, String certPrefix, String keyPrefix, String secmodName, boolean readOnly, String manufacturerID, String libraryDescription, String internalTokenDescription, String internalKeyStorageTokenDescription, String internalSlotDescription, String internalKeyStorageSlotDescription, String fipsSlotDescription, String fipsKeyStorageSlotDescription, boolean ocspCheckingEnabled, String ocspResponderURL, String ocspResponderCertNickname, boolean initializeJavaOnly, boolean PKIXVerify, boolean noCertDB, boolean noModDB, boolean forceOpen, boolean noRootInit, boolean optimizeSpace, boolean PK11ThreadSafe, boolean PK11Reload, boolean noPK11Finalize, boolean cooperate) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException -
initializeAllNativeWithContext
private static void initializeAllNativeWithContext(String configDir, String certPrefix, String keyPrefix, String secmodName, boolean readOnly, String manufacturerID, String libraryDescription, String internalTokenDescription, String internalKeyStorageTokenDescription, String internalSlotDescription, String internalKeyStorageSlotDescription, String fipsSlotDescription, String fipsKeyStorageSlotDescription, boolean ocspCheckingEnabled, String ocspResponderURL, String ocspResponderCertNickname, boolean initializeJavaOnly, boolean PKIXVerify, boolean noCertDB, boolean noModDB, boolean forceOpen, boolean noRootInit, boolean optimizeSpace, boolean PK11ThreadSafe, boolean PK11Reload, boolean noPK11Finalize, boolean cooperate) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException -
getCACerts
Retrieves all CA certificates in the trust database. This is a fairly expensive operation in that it involves traversing the entire certificate database.- Returns:
- An array of all CA certificates stored permanently in the trust database.
-
getPermCerts
Retrieves all certificates in the trust database. This is a fairly expensive operation in that it involves traversing the entire certificate database.- Returns:
- An array of all certificates stored permanently in the trust database.
-
importCertPackage
public X509Certificate importCertPackage(byte[] certPackage, String nickname) throws CertificateEncodingException, NicknameConflictException, UserCertConflictException, NoSuchItemOnTokenException, TokenException Imports a chain of certificates. The leaf certificate may be a a user certificate, that is, a certificate that belongs to the current user and whose private key is available for use. If the leaf certificate is a user certificate, it is stored on the token that contains the corresponding private key, and is assigned the given nickname.- Parameters:
certPackage
- An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----
" and "-----END CERTIFICATE-----
".nickname
- The nickname for the user certificate. It must be unique. It is ignored if there is no user certificate.- Returns:
- The leaf certificate from the chain.
- Throws:
CertificateEncodingException
- If the package encoding was not recognized.NicknameConflictException
- If the leaf certificate is a user certificate, and another certificate already has the given nickname.UserCertConflictException
- If the leaf certificate is a user certificate, but it has already been imported.NoSuchItemOnTokenException
- If the leaf certificate is a user certificate, but the matching private key cannot be found.TokenException
- If an error occurs importing a leaf certificate into a token.
-
importUserCACertPackage
public X509Certificate importUserCACertPackage(byte[] certPackage, String nickname) throws CertificateEncodingException, NicknameConflictException, UserCertConflictException, NoSuchItemOnTokenException, TokenException Imports a chain of certificates. The leaf of the chain is a CA certificate AND a user certificate (this would only be called by a CA installing its own certificate).- Parameters:
certPackage
- An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----
" and "-----END CERTIFICATE-----
".nickname
- The nickname for the user certificate. It must be unique.- Returns:
- The leaf certificate from the chain.
- Throws:
CertificateEncodingException
- If the package encoding was not recognized.NicknameConflictException
- If the leaf certificate another certificate already has the given nickname.UserCertConflictException
- If the leaf certificate has already been imported.NoSuchItemOnTokenException
- If the the private key matching the leaf certificate cannot be found.TokenException
- If an error occurs importing the leaf certificate into a token.
-
importCACertPackage
public X509Certificate importCACertPackage(byte[] certPackage) throws CertificateEncodingException, TokenException Imports a chain of certificates, none of which is a user certificate.- Parameters:
certPackage
- An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----
" and "-----END CERTIFICATE-----
".- Returns:
- The leaf certificate from the chain.
- Throws:
CertificateEncodingException
- If the package encoding was not recognized.TokenException
- If an error occurs importing a leaf certificate into a token.
-
importCertToPerm
public InternalCertificate importCertToPerm(X509Certificate cert, String nickname) throws TokenException, InvalidNicknameException Imports a single certificate into the permanent certificate database.- Parameters:
cert
- the certificate you want to addnickname
- the nickname you want to refer to the certificate as (must not be null)- Returns:
- Certificate object.
- Throws:
TokenException
- If an error occurred in the token.InvalidNicknameException
- If the nickname is invalid.
-
importDERCert
public X509Certificate importDERCert(byte[] cert, CertificateUsage usage, boolean permanent, String nickname) Imports a single DER-encoded certificate into the permanent or temporary certificate database. -
importDERCertNative
private X509Certificate importDERCertNative(byte[] cert, int usage, boolean permanent, String nickname) -
importCertToPermNative
private InternalCertificate importCertToPermNative(X509Certificate cert, String nickname) throws TokenException - Throws:
TokenException
-
importCertPackageNative
private X509Certificate importCertPackageNative(byte[] certPackage, String nickname, boolean noUser, boolean leafIsCA) throws CertificateEncodingException, NicknameConflictException, UserCertConflictException, NoSuchItemOnTokenException, TokenException - Parameters:
noUser
- true if we know that none of the certs are user certs. In this case, no attempt will be made to find a matching private key for the leaf certificate.- Throws:
CertificateEncodingException
NicknameConflictException
UserCertConflictException
NoSuchItemOnTokenException
TokenException
-
importCRL
Imports a CRL, and stores it into the cert7.db Validate CRL then import it to the dbase. If there is already a CRL with the same CA in the dbase, it will be replaced if derCRL is more up to date.- Parameters:
crl
- the DER-encoded CRL.url
- the URL where this CRL can be retrieved from (for future updates). [ note that CRLs are not retrieved automatically ]. Can be null- Throws:
CRLImportException
- If the package encoding was not recognized.TokenException
- If an error occurred in the token.
-
importCRLNative
private void importCRLNative(byte[] crl, String url, int rl_type) throws CRLImportException, TokenException Imports a CRL, and stores it into the cert7.db- Parameters:
the
- DER-encoded CRL.- Throws:
CRLImportException
TokenException
-
exportCertsToPKCS7
Exports one or more certificates into a PKCS #7 certificate container. This is just a SignedData object whose certificates field contains the given certificates but whose content field is empty.- Parameters:
certs
- One or more certificates that should be exported into the PKCS #7 object. The leaf certificate should be the first in the chain. The output ofbuildCertificateChain
would be appropriate here.- Returns:
- A byte array containing a PKCS #7 SignedData object.
- Throws:
CertificateEncodingException
- If the array is empty, or an error occurred encoding the certificates.- See Also:
-
findCertByNickname
public X509Certificate findCertByNickname(String nickname) throws ObjectNotFoundException, TokenException Looks up a certificate given its nickname.- Parameters:
nickname
- The nickname of the certificate to look for.- Returns:
- The certificate matching this nickname, if one is found.
- Throws:
ObjectNotFoundException
- If no certificate could be found with the given nickname.TokenException
- If an error occurs in the security library.
-
findCertsByNickname
Returns all certificates with the given nickname.- Parameters:
nickname
- The nickname of the certificate to look for.- Returns:
- The certificates matching this nickname. The array may be empty if no matching certs were found.
- Throws:
TokenException
- If an error occurs in the security library.
-
findCertByIssuerAndSerialNumber
public X509Certificate findCertByIssuerAndSerialNumber(byte[] derIssuer, INTEGER serialNumber) throws ObjectNotFoundException, TokenException Looks up a certificate by issuer and serial number. The internal database and all PKCS #11 modules are searched.- Parameters:
derIssuer
- The DER encoding of the certificate issuer name. The issuer name has ASN.1 type Name, which is defined in X.501.serialNumber
- The certificate serial number.- Returns:
- Certificate object.
- Throws:
ObjectNotFoundException
- If the certificate is not found in the internal certificate database or on any PKCS #11 token.TokenException
- If an error occurs in the security library.
-
findCertByIssuerAndSerialNumberNative
private X509Certificate findCertByIssuerAndSerialNumberNative(byte[] derIssuer, byte[] serialNumber) throws ObjectNotFoundException, TokenException - Parameters:
serialNumber
- The contents octets of a DER-encoding of the certificate serial number.- Throws:
ObjectNotFoundException
TokenException
-
findCertByNicknameNative
protected X509Certificate findCertByNicknameNative(String nickname) throws ObjectNotFoundException, TokenException -
findCertsByNicknameNative
- Throws:
TokenException
-
buildCertificateChain
public X509Certificate[] buildCertificateChain(X509Certificate leaf) throws CertificateException, TokenException Given a certificate, constructs its certificate chain. It may or may not chain up to a trusted root.- Parameters:
leaf
- The certificate that is the starting point of the chain.- Returns:
- An array of certificates, starting at the leaf and ending with the highest certificate on the chain that was found.
- Throws:
CertificateException
- If the certificate is not recognized by the underlying provider.TokenException
- If an error occurred in the token.
-
buildCertificateChainNative
X509Certificate[] buildCertificateChainNative(PK11Cert leaf) throws CertificateException, TokenException - Throws:
CertificateException
TokenException
-
findPrivKeyByCert
public PrivateKey findPrivKeyByCert(X509Certificate cert) throws ObjectNotFoundException, TokenException Looks up the PrivateKey matching the given certificate.- Parameters:
cert
- Certificate.- Returns:
- Private key.
- Throws:
ObjectNotFoundException
- If no private key can be found matching the given certificate.TokenException
- If an error occurs in the security library.
-
findPrivKeyByCertNative
protected PrivateKey findPrivKeyByCertNative(X509Certificate cert) throws ObjectNotFoundException, TokenException -
createPseudoRandomNumberGenerator
Retrieves a FIPS-140-2 validated random number generator.- Returns:
- A JSS SecureRandom implemented with FIPS-validated NSS.
-
getSecureRNG
Retrieves a FIPS-140-2 validated random number generator.- Specified by:
getSecureRNG
in interfaceTokenSupplier
- Returns:
- A JSS SecureRandom implemented with FIPS-validated NSS.
-
getJSSMajorVersion
public static int getJSSMajorVersion() -
getJSSMinorVersion
public static int getJSSMinorVersion() -
getJSSPatchVersion
public static int getJSSPatchVersion() -
getJSSVersion
-
getJSSDebug
public static boolean getJSSDebug() -
setThreadToken
Sets the default token for the current thread. This token will be used when JSS is called through the JCA interface, which has no means of specifying which token to use.If no token is set, the InternalKeyStorageToken will be used. Setting this thread's token to
null
will also cause the InternalKeyStorageToken to be used.- Specified by:
setThreadToken
in interfaceTokenSupplier
- Parameters:
token
- The token to use for crypto operations. Specifyingnull
will cause the InternalKeyStorageToken to be used.
-
getThreadToken
Returns the default token for the current thread. This token will be used when JSS is called through the JCA interface, which has no means of specifying which token to use.If no token is set, the InternalKeyStorageToken will be used. Setting this thread's token to
null
will also cause the InternalKeyStorageToken to be used.- Specified by:
getThreadToken
in interfaceTokenSupplier
- Returns:
- The default token for this thread. If it has not been specified, it will be the InternalKeyStorageToken.
-
isCertValid
public int isCertValid(String nickname, boolean checkSig) throws ObjectNotFoundException, InvalidNicknameException Verify a certificate that exists in the given cert database, check if is valid and that we trust the issuer. Verify time against Now.- Parameters:
nickname
- The nickname of the certificate to verify.checkSig
- verify the signature of the certificate- Returns:
- currCertificateUsage which contains current usage bit map as defined in CertificateUsage
- Throws:
InvalidNicknameException
- If the nickname is nullObjectNotFoundException
- If no certificate could be found with the given nickname.
-
verifyCertificateNowCUNative
private int verifyCertificateNowCUNative(String nickname, boolean checkSig) throws ObjectNotFoundException - Throws:
ObjectNotFoundException
-
isCertValid
@Deprecated public boolean isCertValid(String nickname, boolean checkSig, CertificateUsage certificateUsage) throws ObjectNotFoundException, InvalidNicknameException Deprecated.Use verifyCertificate() insteadVerify a certificate that exists in the given cert database, check if is valid and that we trust the issuer. Verify time against Now.- Parameters:
nickname
- The nickname of the certificate to verify.checkSig
- verify the signature of the certificatecertificateUsage
- see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above- Returns:
- true for success; false otherwise
- Throws:
InvalidNicknameException
- If the nickname is nullObjectNotFoundException
- If no certificate could be found with the given nickname.
-
verifyCertificate
public void verifyCertificate(String nickname, boolean checkSig, CertificateUsage certificateUsage) throws ObjectNotFoundException, InvalidNicknameException, CertificateException Verify a certificate that exists in the given cert database, check if it's valid and that we trust the issuer. Verify time against now.- Parameters:
nickname
- nickname of the certificate to verify.checkSig
- verify the signature of the certificatecertificateUsage
- see certificate usage defined to verify certificate- Throws:
InvalidNicknameException
- If the nickname is null.ObjectNotFoundException
- If no certificate could be found with the given nickname.CertificateException
- If certificate is invalid.
-
verifyCertificate
public void verifyCertificate(X509Certificate cert, boolean checkSig, CertificateUsage certificateUsage) throws ObjectNotFoundException, InvalidNicknameException, CertificateException Verify an X509Certificate by checking if it's valid and that we trust the issuer. Verify time against now.- Parameters:
cert
- the certificate to verifycheckSig
- verify the signature of the certificatecertificateUsage
- see certificate usage defined to verify certificate- Throws:
InvalidNicknameException
- If the nickname is null.ObjectNotFoundException
- If no certificate could be found with the given nickname.CertificateException
- If certificate is invalid.
-
verifyCertificateNowNative
private boolean verifyCertificateNowNative(String nickname, boolean checkSig, int certificateUsage) throws ObjectNotFoundException - Throws:
ObjectNotFoundException
-
verifyCertificateNowNative2
private void verifyCertificateNowNative2(String nickname, boolean checkSig, int certificateUsage) throws ObjectNotFoundException, InvalidNicknameException, CertificateException -
verifyCertificateNowNative3
private void verifyCertificateNowNative3(X509Certificate cert, boolean checkSig, int certificateUsage) throws ObjectNotFoundException, InvalidNicknameException, CertificateException -
isCertValid
public boolean isCertValid(String nickname, boolean checkSig, CryptoManager.CertUsage certUsage) throws ObjectNotFoundException, InvalidNicknameException note: this method calls obsolete function in NSS Verify a certificate that exists in the given cert database, check if is valid and that we trust the issuer. Verify time against Now.- Parameters:
nickname
- The nickname of the certificate to verify.checkSig
- verify the signature of the certificatecertUsage
- see exposed certUsage defines to verify Certificate- Returns:
- true for success; false otherwise
- Throws:
InvalidNicknameException
- If the nickname is nullObjectNotFoundException
- If no certificate could be found with the given nickname.
-
verifyCertNowNative
private boolean verifyCertNowNative(String nickname, boolean checkSig, int cUsage) throws ObjectNotFoundException - Throws:
ObjectNotFoundException
-
isCertValid
public boolean isCertValid(byte[] certPackage, boolean checkSig, CryptoManager.CertUsage certUsage) throws TokenException, CertificateEncodingException Verify a certificate in memory. Check if valid and that we trust the issuer. Verify time against Now.- Parameters:
certPackage
- certificate in memorycheckSig
- verify the signature of the certificatecertUsage
- see exposed certUsage defines to verify Certificate- Returns:
- true for success; false otherwise
- Throws:
TokenException
- unable to insert temporary certificate into database.CertificateEncodingException
- If the package encoding was not recognized.
-
verifyCertTempNative
private boolean verifyCertTempNative(byte[] certPackage, boolean checkSig, int cUsage) throws TokenException, CertificateEncodingException -
getOCSPPolicy
public static int getOCSPPolicy()Gets the current ocsp Policy. Currently we only support 2 modes OCSP_LEAF_AND_CHAIN_POLICY. And OCSP_NORMAL_POLICY, which is current processing , by default. If we have AIA based OCSP enabled we will check all certs in the chain. using PKIX cert verfication calls in the various cert auth callbacks we have.- Returns:
- - The current ocsp policy in effect.
-
getOCSPPolicyEnum
Gets the current OCSP Policy.- Returns:
- - The current OCSP policy in effect.
- See Also:
-
setOCSPPolicy
Sets the current ocsp Policy. Currently we only support one mode OCSP_LEAF_AND_CHAIN_POLICY. If we have AIA based OCSP enabled we will check all certs in the chain. using PKIX cert verfication calls in the various cert auth callbacks we have.- Parameters:
policy
- - Either cert and chain or normal default processing.
-
configureOCSP
public void configureOCSP(boolean ocspCheckingEnabled, String ocspResponderURL, String ocspResponderCertNickname) throws GeneralSecurityException Enables OCSP, note when you Initialize JSS for the first time, for backwards compatibility, the initialize will enable OCSP if you previously set values.ocspCheckingEnabled and values.ocspResponderURL/values.ocspResponderCertNickname configureOCSP will allow changing of the the OCSPResponder at runtime.- Parameters:
ocspCheckingEnabled
- true or false to enable/disable OCSPocspResponderURL
- - url of the OCSP responderocspResponderCertNickname
- - the nickname of the OCSP signer certificate or the CA certificate found in the cert DB- Throws:
GeneralSecurityException
- If a security error has occurred.
-
configureOCSPNative
private void configureOCSPNative(boolean ocspCheckingEnabled, String ocspResponderURL, String ocspResponderCertNickname) throws GeneralSecurityException - Throws:
GeneralSecurityException
-
OCSPCacheSettings
public void OCSPCacheSettings(int ocsp_cache_size, int ocsp_min_cache_entry_duration, int ocsp_max_cache_entry_duration) throws GeneralSecurityException change OCSP cache settings- Parameters:
ocsp_cache_size
- max cache entriesocsp_min_cache_entry_duration
- minimum seconds to next fetch attemptocsp_max_cache_entry_duration
- maximum seconds to next fetch attempt- Throws:
GeneralSecurityException
- If a security error has occurred.
-
OCSPCacheSettingsNative
private void OCSPCacheSettingsNative(int ocsp_cache_size, int ocsp_min_cache_entry_duration, int ocsp_max_cache_entry_duration) throws GeneralSecurityException - Throws:
GeneralSecurityException
-
setOCSPTimeout
set OCSP timeout value- Parameters:
ocsp_timeout
- OCSP timeout in seconds- Throws:
GeneralSecurityException
- If a security error has occurred.
-
setOCSPTimeoutNative
- Throws:
GeneralSecurityException
-
shutdown
Shutdowns this CryptoManager instance and the associated NSS initialization.- Throws:
Exception
-
shutdownNative
public void shutdownNative()
-