org.mozilla.jss
public final class CryptoManager extends Object implements TokenSupplier
Nested Class Summary

| Modifier and Type | Class and Description |
|---|---|
| static class | CryptoManager.CertUsage: CertUsage options for validation |
| static class | CryptoManager.InitializationValues: The various options that can be used to initialize CryptoManager. |
| static class | CryptoManager.InvalidLengthException |
| static class | CryptoManager.NicknameConflictException |
| static class | CryptoManager.NotInitializedException |
| static class | CryptoManager.UserCertConflictException |
Field Summary

| Modifier and Type | Field |
|---|---|
| static String | JAR_DBM_VERSION |
| static String | JAR_JDK_VERSION |
| static String | JAR_JSS_VERSION |
| static String | JAR_NSPR_VERSION |
| static String | JAR_NSS_VERSION |
Constructor Summary

| Modifier | Constructor and Description |
|---|---|
| protected | CryptoManager(): Constructor, for internal use only. |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| X509Certificate[] | buildCertificateChain(X509Certificate leaf): Given a certificate, constructs its certificate chain. |
| void | configureOCSP(boolean ocspCheckingEnabled, String ocspResponderURL, String ocspResponderCertNickname): Enables OCSP. Note that when JSS is initialized for the first time, for backwards compatibility, initialize enables OCSP if values.ocspCheckingEnabled and values.ocspResponderURL/values.ocspResponderCertNickname were set; configureOCSP allows the OCSP responder to be changed at runtime. |
| JSSSecureRandom | createPseudoRandomNumberGenerator(): Retrieves a FIPS-140-2 validated random number generator. |
| byte[] | exportCertsToPKCS7(X509Certificate[] certs): Exports one or more certificates into a PKCS #7 certificate container. |
| X509Certificate | findCertByIssuerAndSerialNumber(byte[] derIssuer, INTEGER serialNumber): Looks up a certificate by issuer and serial number. |
| X509Certificate | findCertByNickname(String nickname): Looks up a certificate given its nickname. |
| protected X509Certificate | findCertByNicknameNative(String nickname) |
| X509Certificate[] | findCertsByNickname(String nickname): Returns all certificates with the given nickname. |
| protected X509Certificate[] | findCertsByNicknameNative(String nickname) |
| PrivateKey | findPrivKeyByCert(X509Certificate cert): Looks up the PrivateKey matching the given certificate. |
| protected PrivateKey | findPrivKeyByCertNative(X509Certificate cert) |
| boolean | FIPSEnabled(): Determines whether FIPS-140-2 compliance is active. |
| Enumeration | getAllTokens(): Retrieves all tokens. |
| X509Certificate[] | getCACerts(): Retrieves all CA certificates in the trust database. |
| Enumeration | getExternalTokens(): Retrieves all tokens except those built into NSS. |
| static CryptoManager | getInstance(): Retrieves the single instance of CryptoManager. |
| CryptoToken | getInternalCryptoToken(): Retrieves the internal cryptographic services token. |
| CryptoToken | getInternalKeyStorageToken(): Retrieves the internal key storage token. |
| Enumeration | getModules(): Retrieves all installed cryptographic modules. |
| PasswordCallback | getPasswordCallback(): Returns the currently registered password callback. |
| X509Certificate[] | getPermCerts(): Retrieves all certificates in the trust database. |
| JSSSecureRandom | getSecureRNG(): Retrieves a FIPS-140-2 validated random number generator. |
| CryptoToken | getThreadToken(): Returns the default token for the current thread. |
| CryptoToken | getTokenByName(String name): Looks up the CryptoToken with the given name. |
| Enumeration | getTokensSupportingAlgorithm(Algorithm alg): Retrieves all tokens that support the given algorithm. |
| X509Certificate | importCACertPackage(byte[] certPackage): Imports a chain of certificates, none of which is a user certificate. |
| X509Certificate | importCertPackage(byte[] certPackage, String nickname): Imports a chain of certificates. |
| InternalCertificate | importCertToPerm(X509Certificate cert, String nickname): Imports a single certificate into the permanent certificate database. |
| void | importCRL(byte[] crl, String url): Validates a CRL, then imports it and stores it in the certificate database (cert7.db). |
| X509Certificate | importUserCACertPackage(byte[] certPackage, String nickname): Imports a chain of certificates. |
| static void | initialize(String configDir): Initializes the security subsystem. |
| static void | initialize(CryptoManager.InitializationValues values): Initializes the security subsystem. |
| boolean | isCertValid(String nickname, boolean checkSig, CryptoManager.CertUsage certUsage): Verifies a certificate that exists in the cert database: checks that it is valid and that its issuer is trusted. |
| boolean | isCertValid(byte[] certPackage, boolean checkSig, CryptoManager.CertUsage certUsage): Verifies a certificate in memory. |
| void | setPasswordCallback(PasswordCallback pwcb): Sets the global password callback. |
| void | setThreadToken(CryptoToken token): Sets the default token for the current thread. |
buildCertificateChain(X509Certificate leaf)
Parameters: leaf The certificate that is the starting point of the chain.
Returns: An array of certificates, starting at the leaf and ending with the highest certificate in the chain that was found.
Throws: CertificateException If the certificate is not recognized by the underlying provider.
createPseudoRandomNumberGenerator()
Returns: A JSS SecureRandom implemented with FIPS-validated NSS.
exportCertsToPKCS7(X509Certificate[] certs)
Parameters: certs One or more certificates that should be exported into the PKCS #7 object. The leaf certificate should be the first in the chain. The output of buildCertificateChain would be appropriate here.
Returns: A byte array containing a PKCS #7 SignedData object.
Throws: CertificateEncodingException If the array is empty, or an error occurred encoding the certificates.
See Also: CryptoManager
findCertByIssuerAndSerialNumber(byte[] derIssuer, INTEGER serialNumber)
Parameters:
derIssuer The DER encoding of the certificate issuer name. The issuer name has ASN.1 type Name, which is defined in X.501.
serialNumber The certificate serial number.
Throws:
ObjectNotFoundException If the certificate is not found in the internal certificate database or on any PKCS #11 token.
TokenException If an error occurs in the security library.
findCertByNickname(String nickname)
Parameters: nickname The nickname of the certificate to look for.
Returns: The certificate matching this nickname, if one is found.
Throws:
ObjectNotFoundException If no certificate could be found with the given nickname.
TokenException If an error occurs in the security library.
findCertsByNickname(String nickname)
Parameters: nickname The nickname of the certificate to look for.
Returns: The certificates matching this nickname. The array may be empty if no matching certs were found.
Throws: TokenException If an error occurs in the security library.
findPrivKeyByCert(X509Certificate cert)
Throws:
ObjectNotFoundException If no private key can be found matching the given certificate.
TokenException If an error occurs in the security library.
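The lookup methods above fit together as one workflow: resolve a nickname to a certificate, confirm its private key is actually reachable, build the chain, and export it. The following is an added example written for this page, not code from JSS itself; it assumes CryptoManager has already been initialized by the caller, and the class and method names (ChainExport, resolve, locate, toPkcs7) are the example's own.

```java
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.asn1.INTEGER;
import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.TokenException;
import org.mozilla.jss.crypto.X509Certificate;

/**
 * Added example (not part of JSS): resolve a nickname to a signing identity,
 * build and sanity-check its chain, and export the chain as PKCS #7.
 * Assumes CryptoManager has already been initialized by the caller.
 */
public class ChainExport {

    /** A certificate with its private key and the chain NSS could build above it. */
    public static final class Identity {
        public final X509Certificate leaf;
        public final PrivateKey key;
        public final X509Certificate[] chain;

        Identity(X509Certificate leaf, PrivateKey key, X509Certificate[] chain) {
            this.leaf = leaf;
            this.key = key;
            this.chain = chain;
        }
    }

    public static Identity resolve(CryptoManager cm, String nickname)
            throws ObjectNotFoundException, TokenException, CertificateException {
        // findCertByNickname returns one of possibly several matches; use the
        // plural form so an ambiguous nickname is rejected rather than guessed at.
        X509Certificate[] candidates = cm.findCertsByNickname(nickname);
        if (candidates.length == 0) {
            throw new ObjectNotFoundException("no certificate with nickname " + nickname);
        }
        if (candidates.length > 1) {
            throw new IllegalStateException(
                    candidates.length + " certificates share nickname " + nickname);
        }
        X509Certificate leaf = candidates[0];

        // Only a certificate whose private key is reachable is a usable identity;
        // for a CA or peer certificate this throws ObjectNotFoundException.
        PrivateKey key = cm.findPrivKeyByCert(leaf);

        X509Certificate[] chain = cm.buildCertificateChain(leaf);
        // The Javadoc says the chain starts at the leaf; check it before handing it on.
        if (chain.length == 0
                || !chain[0].getSerialNumber().equals(leaf.getSerialNumber())) {
            throw new CertificateException("chain does not start at " + nickname);
        }
        return new Identity(leaf, key, chain);
    }

    /** True if the chain ends in a self-issued certificate (subject DN equals issuer DN). */
    public static boolean endsAtSelfIssued(X509Certificate[] chain) {
        // String comparison of the printable DNs is a heuristic, and "self-issued"
        // says nothing about trust: trust is decided by isCertValid, not here.
        X509Certificate top = chain[chain.length - 1];
        return top.getSubjectDN().getName().equals(top.getIssuerDN().getName());
    }

    /** Wrap the chain (leaf first, as exportCertsToPKCS7 expects) into a PKCS #7 SignedData. */
    public static byte[] toPkcs7(CryptoManager cm, Identity id)
            throws CertificateEncodingException {
        return cm.exportCertsToPKCS7(id.chain);
    }

    /**
     * Find the local copy of a certificate received from a peer, keyed by the
     * same issuer-plus-serial pair that a PKCS #7 SignerInfo uses.
     */
    public static X509Certificate locate(CryptoManager cm,
            java.security.cert.X509Certificate peer)
            throws ObjectNotFoundException, TokenException {
        byte[] derIssuer = peer.getIssuerX500Principal().getEncoded(); // DER-encoded Name
        INTEGER serial = new INTEGER(peer.getSerialNumber());
        return cm.findCertByIssuerAndSerialNumber(derIssuer, serial);
    }
}
```

resolve deliberately refuses an ambiguous nickname instead of taking whatever findCertByNickname would return, because a nickname shared by an old and a renewed certificate is the usual way a service ends up presenting the wrong one.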
FIPSEnabled()
Returns: true if the security library is in FIPS-140-2 compliant mode.
getAllTokens()
Returns: All tokens accessible from JSS. Each item of the enumeration is a CryptoToken.
See Also: CryptoToken
getCACerts()
Returns: An array of all CA certificates stored permanently in the trust database.
getExternalTokens()
Returns: All tokens accessible from JSS, except for the built-in internal tokens.
getInstance()
Throws: NotInitializedException If initialize(InitializationValues) has not yet been called.
See Also: initialize
getInternalCryptoToken()
In FIPS mode, the internal cryptographic services token is the same as the internal key storage token.
Returns: The internal cryptographic services token.
getInternalKeyStorageToken()
In FIPS mode, the internal key storage token is the same as the internal cryptographic services token.
Returns: The internal key storage token.
getModules()
Returns: An enumeration of all installed PKCS #11 modules. Each item in the enumeration is a PK11Module.
See Also: PK11Module
getPermCerts()
Returns: An array of all certificates stored permanently in the trust database.
getSecureRNG()
Returns: A JSS SecureRandom implemented with FIPS-validated NSS.
getThreadToken()
If no token is set, the InternalKeyStorageToken will be used. Setting this thread's token to null will also cause the InternalKeyStorageToken to be used.
Returns: The default token for this thread. If it has not been specified, it will be the InternalKeyStorageToken.
getTokenByName(String name)
Parameters: name The name of the token.
Throws: org.mozilla.jss.crypto.NoSuchTokenException If no token is found with the given name.
importCACertPackage(byte[] certPackage)
Parameters: certPackage An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
Returns: The leaf certificate from the chain.
Throws:
CertificateEncodingException If the package encoding was not recognized.
TokenException If an error occurs importing a leaf certificate into a token.
importCertPackage(byte[] certPackage, String nickname)
Parameters:
certPackage An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
nickname The nickname for the user certificate. It must be unique. It is ignored if there is no user certificate.
Returns: The leaf certificate from the chain.
Throws:
CertificateEncodingException If the package encoding was not recognized.
NicknameConflictException If the leaf certificate is a user certificate, and another certificate already has the given nickname.
UserCertConflictException If the leaf certificate is a user certificate, but it has already been imported.
NoSuchItemOnTokenException If the leaf certificate is a user certificate, but the matching private key cannot be found.
TokenException If an error occurs importing a leaf certificate into a token.
importCertToPerm(X509Certificate cert, String nickname)
Parameters:
cert The certificate you want to add.
nickname The nickname you want to refer to the certificate by (must not be null).
importCRL(byte[] crl, String url)
Parameters:
crl The DER-encoded CRL.
url The URL where this CRL can be retrieved from (for future updates). Note that CRLs are not retrieved automatically. Can be null.
Throws: CRLImportException If the package encoding was not recognized.
importUserCACertPackage(byte[] certPackage, String nickname)
Parameters:
certPackage An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
nickname The nickname for the user certificate. It must be unique.
Returns: The leaf certificate from the chain.
Throws:
CertificateEncodingException If the package encoding was not recognized.
NicknameConflictException If another certificate already has the given nickname.
UserCertConflictException If the leaf certificate has already been imported.
NoSuchItemOnTokenException If the private key matching the leaf certificate cannot be found.
TokenException If an error occurs importing the leaf certificate into a token.
initialize(String configDir)
initialize methods that take arguments should be called only once, otherwise they will throw an exception. It is OK to call them after calling initialize().
Parameters: configDir The directory containing the security databases.
Throws:
org.mozilla.jss.util.KeyDatabaseException Unable to open the key database, or it was corrupted.
org.mozilla.jss.util.CertDatabaseException Unable to open the certificate database, or it was corrupted.
initialize(CryptoManager.InitializationValues values)
initialize methods that take arguments should be called only once, otherwise they will throw an exception. It is OK to call them after calling initialize().
Parameters: values The options with which to initialize CryptoManager.
Throws:
org.mozilla.jss.util.KeyDatabaseException Unable to open the key database, or it was corrupted.
org.mozilla.jss.util.CertDatabaseException Unable to open the certificate database, or it was corrupted.
isCertValid(String nickname, boolean checkSig, CryptoManager.CertUsage certUsage)
Parameters:
nickname The nickname of the certificate to verify.
checkSig Whether to verify the signature of the certificate.
certUsage The usage to verify the certificate for; see the CertUsage constants.
Returns: true for success; false otherwise
Throws:
InvalidNicknameException If the nickname is null
ObjectNotFoundException If no certificate could be found with the given nickname.
isCertValid(byte[] certPackage, boolean checkSig, CryptoManager.CertUsage certUsage)
Parameters:
certPackage The certificate, in memory.
checkSig Whether to verify the signature of the certificate.
certUsage The usage to verify the certificate for; see the CertUsage constants.
Returns: true for success; false otherwise
Throws:
TokenException Unable to insert the temporary certificate into the database.
CertificateEncodingException If the package encoding was not recognized.
setPasswordCallback(PasswordCallback pwcb)
The callback may be null, in which case password callbacks will fail gracefully.
setThreadToken(CryptoToken token)
If no token is set, the InternalKeyStorageToken will be used. Setting this thread's token to null will also cause the InternalKeyStorageToken to be used.
Parameters: token The token to use for crypto operations. Specifying null will cause the InternalKeyStorageToken to be used.