Package org.mozilla.jss
Class JSSLoader
java.lang.Object
org.mozilla.jss.JSSLoader
The JSS Loader facilitates loading JSS via the Provider interface directly,
including from a static java.security configuration file.
This replaces the previous CryptoManager.initialize(...) approach, allowing
better control over where the JSSProvider gets loaded. In order to use this
provider, the caller has to specify a configuration file (either via a
String path or its contents via an InputStream). This configuration file is
a java.util.Properties file. The following keys are understood:
- nss.config_dir -- the path to the NSS DB to initialize with
- nss.cert_prefix -- the prefix for the certificate store
- nss.key_prefix -- the prefix for the key store
- nss.secmod_name -- the name of the secmod file
- nss.read_only -- whether to open the NSS DB read-only (default: false)
- nss.java_only -- whether to initialize only the Java portion of JSS and assume that NSS is already initialized (default: false)
- nss.pkix_verify -- whether to use PKIX for verification (default: false)
- nss.no_cert_db -- whether to open the certificate and key databases; see InitializationValues for more info (default: false)
- nss.no_mod_db -- whether to open the security module database; see InitializationValues for more info (default: false)
- nss.force_open -- whether to force initialization even if the database cannot be opened; see InitializationValues for more info (default: false)
- nss.no_root_init -- whether to look for the root certificate module and load it; see InitializationValues for more info (default: false)
- nss.optimize_space -- whether to use smaller tables and caches; see InitializationValues for more info (default: false)
- nss.pk11_thread_safe -- whether to only load PKCS#11 modules that are thread-safe; see InitializationValues for more info (default: false)
- nss.pk11_reload -- whether to ignore "already initialized" errors when loading PKCS#11 modules; see InitializationValues for more info (default: false)
- nss.no_pk11_finalize -- whether to avoid calling C_Finalize on PKCS#11 modules; see InitializationValues for more info (default: false)
- nss.cooperate -- whether to cooperate with other parts of the program that have already initialized NSS (default: false)
- jss.experimental.sslengine -- whether to enable experimental SSLEngine support
- jss.fips -- whether to switch this NSS DB into FIPS mode; allowed values are ENABLED (to force FIPS mode), DISABLED (to force non-FIPS mode), or UNCHANGED (default, to infer the value from the NSS DB and/or the system)
- jss.ocsp.enabled -- whether or not to enable OCSP checking
- jss.ocsp.responder.url -- URL of the OCSP responder to check
- jss.ocsp.responder.cert_nickname -- nickname of the OCSP responder's certificate in the NSS DB
- jss.ocsp.policy -- which JSS OCSP checking policy to use; allowed values are NONE, NORMAL, and LEAF_AND_CHAIN; refer to the CryptoManager documentation for the difference
- jss.password -- static password to use to authenticate to tokens; if this fails, the user will be prompted via the console
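As an added example (not part of the JSS documentation or source), the following Java program builds the java.util.Properties configuration described above in memory and hands it to JSSLoader.init(InputStream). The class name JSSLoaderExample, the helper buildConfig and the NSS DB path are assumptions; jss.password is deliberately left unset so that, as documented, token authentication falls back to the console prompt instead of a static password stored in the config.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.util.Properties;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.JSSLoader;

public class JSSLoaderExample {
    /** Build the java.util.Properties config understood by JSSLoader (keys as documented above). */
    static Properties buildConfig(String nssDbDir) {
        Properties config = new Properties();
        // Placeholder NSS DB directory (assumption); replace with the real path.
        config.setProperty("nss.config_dir", nssDbDir);
        // Open the DB read-only: a process that only verifies peers has no
        // reason to hold a writable handle on the certificate/key store.
        config.setProperty("nss.read_only", "true");
        // Neither force FIPS on nor off; infer it from the NSS DB / system.
        config.setProperty("jss.fips", "UNCHANGED");
        // Revocation checking: enable OCSP and check the whole chain, not just the leaf.
        config.setProperty("jss.ocsp.enabled", "true");
        config.setProperty("jss.ocsp.policy", "LEAF_AND_CHAIN");
        // jss.password is intentionally absent: JSS prompts on the console
        // rather than reading a static token password from this file.
        return config;
    }

    public static void main(String[] args) throws Exception {
        Properties config = buildConfig("/path/to/nssdb"); // placeholder path
        // JSSLoader.init accepts the config either as a path or as an InputStream;
        // here the Properties object is serialised and passed as an InputStream.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        config.store(buf, "JSS configuration (constructed example)");
        InputStream istream = new ByteArrayInputStream(buf.toByteArray());
        // init throws Exception if the NSS DB cannot be opened or a value is malformed.
        CryptoManager cm = JSSLoader.init(istream);
        System.out.println("JSS initialised: " + (cm != null));
    }
}
```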
Field Summary
- logger -- public static org.slf4j.Logger logger

Constructor Summary
- JSSLoader()

Method Summary
- private static InitializationValues constructIV(Properties config) -- Constructs an InitializationValues from the specified properties file, reading only the properties required to construct a new instance.
- static CryptoManager init(InputStream istream) -- Initialize JSS from an InputStream.
- static CryptoManager init(String) -- Initialize JSS from the specified path to a configuration file.
- private static Boolean parseBoolean(Properties config, String key_name) -- Helper function to parse a boolean value at the given key name.
- private static void parseExperimental(Properties config) -- Check for experimental flags.
- private static void parseFipsMode(Properties config, InitializationValues ivs) -- Updates the specified InitializationValues with the FIPS-specific properties.
- private static void parseNSSSettings(Properties config, InitializationValues ivs) -- Configure the specified InitializationValues with the values of various NSS-specific configuration values.
- private static void parseOCSPPolicy(Properties config, CryptoManager cm) -- Once the CryptoManager has been initialized, update it with the value of the remaining OCSP property, jss.ocsp.policy.
- private static void parseOCSPSettings(Properties config, InitializationValues ivs) -- Update the specified InitializationValues with the value of the OCSP properties.
- private static void parsePasswords(Properties config, CryptoManager cm) -- Once the CryptoManager has been initialized, update it with the correct PasswordCallback handler.
- private static void parseProviderSettings(Properties config, InitializationValues ivs) -- Configure the specified InitializationValues with the correct provider-related properties.
- private static void parseReadOnly(Properties config, InitializationValues ivs) -- Update the specified InitializationValues with the value of the nss.read_only property.
Field Details

logger
public static org.slf4j.Logger logger

Constructor Details

JSSLoader
public JSSLoader()

Method Details
init
Initialize JSS from the specified path to a configuration file.
Throws: Exception

init
Initialize JSS from an InputStream.
Throws: Exception

constructIV
Constructs an InitializationValues from the specified properties file, reading only the properties required to construct a new instance. These properties are:
- nss.config_dir
- nss.cert_prefix
- nss.key_prefix
- nss.secmod_name

parseFipsMode
Updates the specified InitializationValues with the FIPS-specific properties. These properties are:
- jss.fips

parseReadOnly
Update the specified InitializationValues with the value of the nss.read_only property.

parseOCSPSettings
Update the specified InitializationValues with the value of the OCSP properties. These properties are:
- jss.ocsp.enabled
- jss.ocsp.responder.url
- jss.ocsp.responder.cert_nickname

parseProviderSettings
Configure the specified InitializationValues with the correct provider-related properties.

parseNSSSettings
Configure the specified InitializationValues with the values of various NSS-specific configuration values. These properties are:
- nss.java_only
- nss.pkix_verify
- nss.no_cert_db
- nss.no_mod_db
- nss.force_open
- nss.no_root_init
- nss.optimize_space
- nss.pk11_thread_safe
- nss.pk11_reload
- nss.no_pk11_finalize
- nss.cooperate

parseOCSPPolicy
Once the CryptoManager has been initialized, update it with the value of the remaining OCSP property, jss.ocsp.policy.

parsePasswords
Once the CryptoManager has been initialized, update it with the correct PasswordCallback handler. Currently only understands a hard-coded password set via jss.password.

parseExperimental
Check for experimental flags.

parseBoolean
Helper function to parse a boolean value at the given key name. Returns true if the value is "true" or "yes", false if the value is "false" or "no", and null if the value is empty or not present. Throws an exception for a malformed value. Matching is case-insensitive.