Class JSSLoader

java.lang.Object
org.mozilla.jss.JSSLoader

public class JSSLoader extends Object
The JSS Loader facilitates loading JSS via the Provider interface directly, including from a static java.security configuration file. This replaces the previous CryptoManager.initialize(...) approach, allowing better control over where the JSSProvider gets loaded. In order to use this provider, the caller has to specify a configuration file (either via a String path or its contents via an InputStream). This configuration file is a java.util.Properties file. The following keys are understood:
- nss.config_dir -- the path to the NSS DB to initialize with
- nss.cert_prefix -- the prefix for the certificate store
- nss.key_prefix -- the prefix for the key store
- nss.secmod_name -- the name of the secmod file
- nss.read_only -- whether to open the NSS DB read-only (default: false)
- nss.java_only -- whether to initialize only the Java portion of JSS, and assume that NSS is already initialized (default: false)
- nss.pkix_verify -- whether to use PKIX for verification (default: false)
- nss.no_cert_db -- whether to open the certificate and key databases; see InitializationValues for more info (default: false)
- nss.no_mod_db -- whether to open the security module database; see InitializationValues for more info (default: false)
- nss.force_open -- whether to force initialization even if the database cannot be opened; see InitializationValues for more info (default: false)
- nss.no_root_init -- whether to look for the root certificate module and load it; see InitializationValues for more info (default: false)
- nss.optimize_space -- whether to use smaller tables and caches; see InitializationValues for more info (default: false)
- nss.pk11_thread_safe -- whether to only load PKCS#11 modules that are thread-safe; see InitializationValues for more info (default: false)
- nss.pk11_reload -- whether to ignore already-initialized errors when loading PKCS#11 modules; see InitializationValues for more info (default: false)
- nss.no_pk11_finalize -- whether to avoid calling C_Finalize on PKCS#11 modules; see InitializationValues for more info (default: false)
- nss.cooperate -- whether to cooperate with other parts of the program that have already initialized NSS (default: false)
- jss.experimental.sslengine -- whether to enable experimental SSLEngine support
- jss.fips -- whether to switch this NSS DB into FIPS mode; allowed values are ENABLED (to force FIPS mode), DISABLED (to force non-FIPS mode), or UNCHANGED (default, to infer the value from the NSS DB and/or the system)
- jss.ocsp.enabled -- whether or not to enable OCSP checking
- jss.ocsp.responder.url -- URL of the OCSP responder to check
- jss.ocsp.responder.cert_nickname -- nickname of the OCSP responder's certificate in the NSS DB
- jss.ocsp.policy -- which JSS OCSP checking policy to use; allowed values are NONE, NORMAL, and LEAF_AND_CHAIN; refer to the CryptoManager documentation for the difference
- jss.password -- static password to use to authenticate to tokens; if this fails, the user will be prompted via the console
  • Field Details

    • logger

      public static org.slf4j.Logger logger
  • Constructor Details

    • JSSLoader

      public JSSLoader()
  • Method Details

    • init

      public static CryptoManager init(String config_path) throws Exception
      Initialize JSS from the specified path to a configuration file.
      Throws:
      Exception
    • init

      public static CryptoManager init(InputStream istream) throws Exception
      Initialize JSS from an InputStream.
      Throws:
      Exception
    • constructIV

      private static InitializationValues constructIV(Properties config)
      Constructs an InitializationValues from the specified properties file, reading only the properties required to construct a new instance. These properties are:
      - nss.config_dir
      - nss.cert_prefix
      - nss.key_prefix
      - nss.secmod_name
    • parseFipsMode

      private static void parseFipsMode(Properties config, InitializationValues ivs)
      Updates the specified InitializationValues with the FIPS-specific properties. These properties are:
      - jss.fips
    • parseReadOnly

      private static void parseReadOnly(Properties config, InitializationValues ivs)
      Update the specified InitializationValues with the value of the nss.read_only property.
    • parseOCSPSettings

      private static void parseOCSPSettings(Properties config, InitializationValues ivs)
      Update the specified InitializationValues with the values of the OCSP properties. These properties are:
      - jss.ocsp.enabled
      - jss.ocsp.responder.url
      - jss.ocsp.responder.cert_nickname
    • parseProviderSettings

      private static void parseProviderSettings(Properties config, InitializationValues ivs)
      Configure the specified InitializationValues with the correct provider-related properties.
    • parseNSSSettings

      private static void parseNSSSettings(Properties config, InitializationValues ivs)
      Configure the specified InitializationValues with the values of various NSS-specific configuration properties. These properties are:
      - nss.java_only
      - nss.pkix_verify
      - nss.no_cert_db
      - nss.no_mod_db
      - nss.force_open
      - nss.no_root_init
      - nss.optimize_space
      - nss.pk11_thread_safe
      - nss.pk11_reload
      - nss.no_pk11_finalize
      - nss.cooperate
    • parseOCSPPolicy

      private static void parseOCSPPolicy(Properties config, CryptoManager cm)
      Once the CryptoManager has been initialized, update it with the value of the remaining OCSP property, jss.ocsp.policy.
    • parsePasswords

      private static void parsePasswords(Properties config, CryptoManager cm)
      Once the CryptoManager has been initialized, update it with the correct PasswordCallback handler. Currently only understands a hard-coded password set via jss.password.
    • parseExperimental

      private static void parseExperimental(Properties config)
      Check for experimental flags.
    • parseBoolean

      private static Boolean parseBoolean(Properties config, String key_name)
      Helper function to parse a boolean value at the given key name. Returns true if the value is true or yes, false if the value is false or no, and null if the value is empty or not present. Throws an exception for a malformed value. Matching is case-insensitive.
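As an added example (not code from the JSS project), the following Java program assembles the kind of java.util.Properties configuration described in the class summary, sanity-checks it with a reimplementation of the parseBoolean rules documented above, and then hands it to JSSLoader.init(InputStream). The NSS DB path, responder URL and certificate nickname are placeholders, and the lint checks are this example's own, not part of JSSLoader.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.JSSLoader;

public class JSSLoaderExample {
    // Constructed sample configuration; /path/to/nssdb, the responder URL and
    // the nickname are placeholders to be replaced with the deployment's values.
    static final String CONFIG =
        "nss.config_dir=/path/to/nssdb\n"
        + "nss.read_only=true\n"
        + "nss.pkix_verify=true\n"
        + "jss.fips=UNCHANGED\n"
        + "jss.ocsp.enabled=true\n"
        + "jss.ocsp.responder.url=http://ocsp.example.invalid/\n"
        + "jss.ocsp.responder.cert_nickname=OCSP Responder\n"
        + "jss.ocsp.policy=LEAF_AND_CHAIN\n";

    // Same rules the page documents for JSSLoader.parseBoolean (true/yes,
    // false/no, case-insensitive, null when absent or empty, exception
    // otherwise), reimplemented here to check a config before NSS is opened.
    static Boolean parseBoolean(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.trim().isEmpty()) return null;
        switch (v.trim().toLowerCase()) {
            case "true": case "yes": return Boolean.TRUE;
            case "false": case "no": return Boolean.FALSE;
            default: throw new IllegalArgumentException(key + ": malformed boolean '" + v + "'");
        }
    }

    // Example-specific lint: flag a contradictory OCSP setting and a
    // cleartext token password, both of which the key list above allows.
    static void lint(Properties p) {
        if (Boolean.TRUE.equals(parseBoolean(p, "jss.ocsp.enabled"))
                && "NONE".equalsIgnoreCase(p.getProperty("jss.ocsp.policy"))) {
            System.err.println("warning: jss.ocsp.enabled=true but jss.ocsp.policy=NONE");
        }
        if (p.containsKey("jss.password")) {
            System.err.println("warning: jss.password keeps a token password in cleartext; restrict file permissions");
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] raw = CONFIG.getBytes(StandardCharsets.ISO_8859_1); // Properties.load() charset
        Properties p = new Properties();
        p.load(new ByteArrayInputStream(raw));
        lint(p);
        CryptoManager cm = JSSLoader.init(new ByteArrayInputStream(raw));
        System.out.println("JSS initialized; key storage token: " + cm.getInternalKeyStorageToken().getName());
    }
}
```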