Package org.mozilla.jss
Class InitializationValues
java.lang.Object
org.mozilla.jss.InitializationValues
The various options that can be used to initialize CryptoManager.
-
Nested Class Summary
Nested Classes (Modifier and Type, Class, Description)
static final class
This class enumerates the possible modes for FIPS compliance.
-
Field Summary
Fields (Modifier and Type, Field, Description)
boolean cooperate - Sets 4 recommended options for applications that use both NSS and the Java SunPKCS11 provider.
private String
fipsMode - The FIPS mode of the security library.
private String
boolean forceOpen - Continue to force initializations even if the databases cannot be opened.
boolean
boolean initializeJavaOnly - If true, none of the underlying NSS components will be initialized.
boolean installJSSProvider - Install the JSS crypto provider.
boolean installJSSProviderFirst - Whether or not to initialize the JSS provider first.
private String
private String
private String
private String
final int LIBRARY_LENGTH - Library description must be this length exactly.
private String
final int MANUFACTURER_LENGTH - ManufacturerID must be this length exactly.
private String
boolean noCertDB - Don't open the cert DB and key DBs, just initialize the volatile certdb.
boolean noModDB - Don't open the security module DB, just initialize the PKCS #11 module.
boolean noPK11Finalize - Never call C_Finalize on any PKCS#11 module.
boolean noRootInit - Don't try to look for the root certs module automatically.
boolean ocspCheckingEnabled - To have NSS check the OCSP responder when verifying certificates, set this flag to true.
ocspResponderCertNickname - The nickname of the cert to trust (expected) to sign the OCSP responses.
ocspResponderURL - Specify the location and cert of the responder.
boolean optimizeSpace - Use smaller tables and caches.
passwordCallback - The password callback to be used by JSS whenever a password is needed.
boolean PK11Reload - Init PK11Reload to ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED error when loading PKCS#11 modules.
boolean PK11ThreadSafe - Only load PKCS#11 modules that are thread-safe, ie.
boolean PKIXVerify - Enable PKIX verify rather than the old cert library, to verify certificates.
boolean readOnly - To open the databases in read-only mode, set this flag to true.
boolean removeSunProvider - Remove the Sun crypto provider.
final int SLOT_LENGTH - Slot names must be this length exactly.
final int TOKEN_LENGTH - Token names must be this length exactly.
-
Constructor Summary
Constructors (Modifier, Constructor, Description)
protected InitializationValues()
InitializationValues(String configDir) - Default constructor taking only the path to the NSS DB directory.
InitializationValues(String configDir, String certPrefix, String keyPrefix, String secmodName) - Optional constructor taking the path to the NSS DB directory, the prefix of the cert database, the prefix of the key database, and the name of the secmod/pkcs11 database.
-
Method Summary
Modifier and Type, Method, Description
getFIPSKeyStorageSlotDescription - Returns the description of the internal PKCS #11 FIPS Key Storage slot.
getFIPSSlotDescription - Returns the description of the internal PKCS #11 FIPS slot.
boolean getInitializeContext - Returns boolean value of initializeContext.
getInternalKeyStorageSlotDescription - Returns the description of the internal PKCS #11 key storage slot.
getInternalKeyStorageTokenDescription - Returns the description of the internal PKCS #11 key storage token.
getInternalSlotDescription - Returns the description of the internal PKCS #11 slot.
getInternalTokenDescription - Returns the description of the internal PKCS #11 token.
getLibraryDescription - Returns the description of the internal PKCS #11 module.
getManufacturerID - Returns the Manufacturer ID of the internal PKCS #11 module.
void setFIPSKeyStorageSlotDescription - Sets the description of the internal PKCS #11 FIPS Key Storage slot.
void setFIPSSlotDescription - Sets the description of the internal PKCS #11 FIPS slot.
void setInitializeContext(boolean value) - Sets boolean value of initializeContext.
void setInternalKeyStorageSlotDescription - Sets the description of the internal PKCS #11 key storage slot.
void setInternalKeyStorageTokenDescription - Sets the description of the internal PKCS #11 key storage token.
void setInternalSlotDescription - Sets the description of the internal PKCS #11 slot.
void setInternalTokenDescription - Sets the description of the internal PKCS #11 token.
void setLibraryDescription - Sets the description of the internal PKCS #11 module.
void setManufacturerID - Sets the Manufacturer ID of the internal PKCS #11 module.
-
Field Details
-
TOKEN_LENGTH
public final int TOKEN_LENGTH
Token names must be this length exactly.
-
SLOT_LENGTH
public final int SLOT_LENGTH
Slot names must be this length exactly.
-
MANUFACTURER_LENGTH
public final int MANUFACTURER_LENGTH
ManufacturerID must be this length exactly.
-
LIBRARY_LENGTH
public final int LIBRARY_LENGTH
Library description must be this length exactly.
-
configDir
-
certPrefix
-
keyPrefix
-
secmodName
-
passwordCallback
The password callback to be used by JSS whenever a password is needed. May be NULL, in which case the library will immediately fail to get a password if it tries to login automatically while performing a cryptographic operation. It will still work if the token has been manually logged in with CryptoToken.login.
The default is a ConsolePasswordCallback.
-
fipsMode
The FIPS mode of the security library. Servers should use FIPSMode.UNCHANGED, since only Admin Server is supposed to alter this value.
The default is FIPSMode.UNCHANGED.
-
readOnly
public boolean readOnly
To open the databases in read-only mode, set this flag to true. The default is false, meaning the databases are opened in read-write mode.
-
initializeContext
public boolean initializeContext -
manufacturerID
-
libraryDescription
-
internalTokenDescription
-
internalKeyStorageTokenDescription
-
internalSlotDescription
-
internalKeyStorageSlotDescription
-
FIPSSlotDescription
-
FIPSKeyStorageSlotDescription
-
ocspCheckingEnabled
public boolean ocspCheckingEnabled
To have NSS check the OCSP responder when verifying certificates, set this flag to true. It is false by default.
-
ocspResponderURL
Specify the location and cert of the responder. If OCSP checking is enabled *and* this variable is set to some URL, all OCSP checking will be done via this URL. If this variable is null, the OCSP responder URL will be obtained from the AIA extension in the certificate being queried. If this is set, you must also set ocspResponderCertNickname.
-
ocspResponderCertNickname
The nickname of the cert to trust (expected) to sign the OCSP responses. Only checked when the OCSPResponder value is set.
-
installJSSProvider
public boolean installJSSProvider
Install the JSS crypto provider. Default is true.
-
removeSunProvider
public boolean removeSunProvider
Remove the Sun crypto provider. Default is false.
-
installJSSProviderFirst
public boolean installJSSProviderFirst
Whether or not to initialize the JSS provider first. Default is true.
-
initializeJavaOnly
public boolean initializeJavaOnly
If true, none of the underlying NSS components will be initialized. Only the Java portions of JSS will be initialized. This should only be used if NSS has been initialized elsewhere.
Specifically, the following components will not be configured by CryptoManager.initialize if this flag is set:
- The NSS databases.
- OCSP checking.
- The NSS password callback.
- The internal PKCS #11 software token's identifier labels: slot, token, module, and manufacturer.
- The minimum PIN length for the software token.
- The frequency with which the user must login to the software token.
- The cipher strength policy (export/domestic).
The default is false.
-
PKIXVerify
public boolean PKIXVerify
Enable PKIX verify rather than the old cert library, to verify certificates. Default is false.
-
noCertDB
public boolean noCertDB
Don't open the cert DB and key DBs, just initialize the volatile certdb. Default is false.
-
noModDB
public boolean noModDB
Don't open the security module DB, just initialize the PKCS #11 module. Default is false.
-
forceOpen
public boolean forceOpen
Continue to force initializations even if the databases cannot be opened. Default is false.
-
noRootInit
public boolean noRootInit
Don't try to look for the root certs module automatically. Default is false.
-
optimizeSpace
public boolean optimizeSpace
Use smaller tables and caches. Default is false.
-
PK11ThreadSafe
public boolean PK11ThreadSafe
Only load PKCS#11 modules that are thread-safe, i.e. that support locking (either OS locking or NSS-provided locks). If a PKCS#11 module isn't thread-safe, don't serialize its calls; just don't load it instead. This is necessary if another piece of code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for example the Java SunPKCS11 provider. Default is false.
-
PK11Reload
public boolean PK11Reload
Init PK11Reload to ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED error when loading PKCS#11 modules. This is necessary if another piece of code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for example the Java SunPKCS11 provider. Default is false.
-
noPK11Finalize
public boolean noPK11Finalize
Never call C_Finalize on any PKCS#11 module. This may be necessary in order to ensure continuous operation and proper shutdown sequence if another piece of code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for example the Java SunPKCS11 provider. The following limitation applies when this is set: SECMOD_WaitForAnyTokenEvent will not use C_WaitForSlotEvent, in order to prevent the need for C_Finalize. This call will be emulated instead. Default is false.
-
cooperate
public boolean cooperate
Sets 4 recommended options for applications that use both NSS and the Java SunPKCS11 provider. Default is false.
-
-
Constructor Details
-
InitializationValues
protected InitializationValues() -
InitializationValues
Default constructor taking only the path to the NSS DB directory. -
InitializationValues
public InitializationValues(String configDir, String certPrefix, String keyPrefix, String secmodName)
Optional constructor taking the path to the NSS DB directory, the prefix of the cert database, the prefix of the key database, and the name of the secmod/pkcs11 database.
-
-
Method Details
-
getInitializeContext
public boolean getInitializeContext()
Returns boolean value of initializeContext. The default is "false ".
Returns: initializeContext.
-
setInitializeContext
public void setInitializeContext(boolean value)
Sets boolean value of initializeContext.
Parameters: value - of initializeContext.
-
getManufacturerID
Returns the Manufacturer ID of the internal PKCS #11 module. The default is "mozilla.org ".
Returns: Manufacturer ID.
-
setManufacturerID
Sets the Manufacturer ID of the internal PKCS #11 module. This value must be exactly MANUFACTURER_LENGTH characters long.
Parameters: s - Manufacturer ID.
Throws: InvalidLengthException - If s.length() is not exactly MANUFACTURER_LENGTH.
-
getLibraryDescription
Returns the description of the internal PKCS #11 module. The default is "Internal Crypto Services ".
Returns: Library description.
-
setLibraryDescription
Sets the description of the internal PKCS #11 module. This value must be exactly LIBRARY_LENGTH characters long.
Parameters: s - Library description.
Throws: InvalidLengthException - If s.length() is not exactly LIBRARY_LENGTH.
-
getInternalTokenDescription
Returns the description of the internal PKCS #11 token. The default is "Internal Crypto Services Token ".
Returns: Description of internal PKCS #11 token.
-
setInternalTokenDescription
Sets the description of the internal PKCS #11 token. This value must be exactly TOKEN_LENGTH characters long.
Parameters: s - Description of internal PKCS #11 token.
Throws: InvalidLengthException - If s.length() is not exactly TOKEN_LENGTH.
-
getInternalKeyStorageTokenDescription
Returns the description of the internal PKCS #11 key storage token. The default is "Internal Key Storage Token ".
Returns: Description of internal PKCS #11 key storage token.
-
setInternalKeyStorageTokenDescription
Sets the description of the internal PKCS #11 key storage token. This value must be exactly TOKEN_LENGTH characters long.
Parameters: s - Description of internal PKCS #11 key storage token.
Throws: InvalidLengthException - If s.length() is not exactly TOKEN_LENGTH.
-
getInternalSlotDescription
Returns the description of the internal PKCS #11 slot. The default is "NSS Internal Cryptographic Services ".
Returns: Description of internal PKCS #11 slot.
-
setInternalSlotDescription
Sets the description of the internal PKCS #11 slot. This value must be exactly SLOT_LENGTH characters long.
Parameters: s - Description of internal PKCS #11 slot.
Throws: InvalidLengthException - If s.length() is not exactly SLOT_LENGTH.
-
getInternalKeyStorageSlotDescription
Returns the description of the internal PKCS #11 key storage slot. The default is "NSS Internal Private Key and Certificate Storage ".
Returns: Description of internal PKCS #11 key storage slot.
-
setInternalKeyStorageSlotDescription
Sets the description of the internal PKCS #11 key storage slot. This value must be exactly SLOT_LENGTH characters long.
Parameters: s - Description of internal PKCS #11 key storage slot.
Throws: InvalidLengthException - If s.length() is not exactly SLOT_LENGTH.
-
getFIPSSlotDescription
Returns the description of the internal PKCS #11 FIPS slot. The default is "NSS FIPS 140-2 User Private Key Services".
Returns: Description of internal PKCS #11 FIPS slot.
-
setFIPSSlotDescription
Sets the description of the internal PKCS #11 FIPS slot. This value must be exactly SLOT_LENGTH characters long.
Parameters: s - Description of internal PKCS #11 FIPS slot.
Throws: InvalidLengthException - If s.length() is not exactly SLOT_LENGTH.
-
getFIPSKeyStorageSlotDescription
Returns the description of the internal PKCS #11 FIPS Key Storage slot. The default is "NSS FIPS 140-2 User Private Key Services".
Returns: Description of internal PKCS #11 FIPS key storage slot.
-
setFIPSKeyStorageSlotDescription
Sets the description of the internal PKCS #11 FIPS Key Storage slot. This value must be exactly SLOT_LENGTH characters long.
Parameters: s - Description of internal PKCS #11 FIPS key storage slot.
Throws: InvalidLengthException - If s.length() is not exactly SLOT_LENGTH.
-
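Added example (not part of the JSS documentation or project code): it checks the OCSP field pairing described under ocspResponderURL, pads custom labels to the exact lengths the setters require, and then initializes CryptoManager. The class name, the helpers pad and checkOcsp, the database path, the responder URL, the nickname and the label text are all assumptions constructed for illustration; treating a responder URL set while ocspCheckingEnabled is false as an error is this example's choice, not a JSS rule.

```java
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.InitializationValues;

public class JssInitExample {

    // Right-pad a label with spaces to the exact length a setter requires.
    // Over-long labels are rejected rather than silently truncated.
    static String pad(String label, int length) {
        if (label.length() > length) {
            throw new IllegalArgumentException(
                "label longer than " + length + " characters: " + label);
        }
        return String.format("%-" + length + "s", label);
    }

    // Pre-flight check: a fixed responder URL requires the nickname of the
    // certificate trusted to sign that responder's answers.
    static void checkOcsp(InitializationValues iv) {
        if (iv.ocspResponderURL != null && iv.ocspResponderCertNickname == null) {
            throw new IllegalStateException(
                "ocspResponderURL is set but ocspResponderCertNickname is not");
        }
        // The URL is only used when OCSP checking is enabled (example policy).
        if (!iv.ocspCheckingEnabled && iv.ocspResponderURL != null) {
            throw new IllegalStateException(
                "ocspResponderURL has no effect while ocspCheckingEnabled is false");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder path to an existing NSS database directory.
        InitializationValues iv = new InitializationValues("/path/to/nssdb");

        iv.readOnly = true;          // this process never writes to the databases
        iv.passwordCallback = null;  // fail immediately instead of prompting on a console

        iv.ocspCheckingEnabled = true;
        iv.ocspResponderURL = "http://ocsp.example.test/";     // constructed URL
        iv.ocspResponderCertNickname = "Example OCSP Signer";   // constructed nickname
        checkOcsp(iv);

        // Custom labels must match the length constants exactly, otherwise
        // the setters throw InvalidLengthException.
        iv.setManufacturerID(pad("Example Corp", iv.MANUFACTURER_LENGTH));
        iv.setInternalSlotDescription(pad("Example Crypto Services", iv.SLOT_LENGTH));

        CryptoManager.initialize(iv);
    }
}
```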