JSS 3.1.1
Class org.mozilla.jss.CryptoManager

java.lang.Object
  +--org.mozilla.jss.CryptoManager
This class is the starting point for the crypto package. Use it to initialize the subsystem and to look up certs, keys, and tokens. Initialization is done with static methods, and must be done before an instance can be created. All other operations are done with instance methods.
Inner Class Summary
  static class CryptoManager.InitializationValues
      The various options that can be used to initialize CryptoManager.
  static class CryptoManager.InvalidLengthException
  static class CryptoManager.NicknameConflictException
  static class CryptoManager.NotInitializedException
  static class CryptoManager.UserCertConflictException
Field Summary
  static int DOMESTIC_POLICY
  static int EXPORT_POLICY
  static int FRANCE_POLICY
  private static CryptoManager instance
      The singleton instance, and a static initializer to create it.
  private CryptoToken internalCryptoToken
      The internal cryptographic services token.
  private CryptoToken internalKeyStorageToken
      The internal key storage token.
  static java.lang.String JAR_DBM_VERSION
  static java.lang.String JAR_JDK_VERSION
  static java.lang.String JAR_JSS_VERSION
  static java.lang.String JAR_NSPR_VERSION
  static java.lang.String JAR_NSS_VERSION
  private static boolean mNativeLibrariesLoaded
  private java.util.Vector moduleVector
      The list of modules.
  static int NULL_POLICY
  private PasswordCallback passwordCallback
  private static int TYPE_CRL
  private static int TYPE_KRL
Constructor Summary
  protected CryptoManager()
      Constructor, for internal use only.
Method Summary
  X509Certificate[] buildCertificateChain(X509Certificate leaf)
      Given a certificate, constructs its certificate chain.
  (package private) X509Certificate[] buildCertificateChainNative(PK11Cert leaf)
  JSSSecureRandom createPseudoRandomNumberGenerator()
      Retrieves a FIPS-140-1 validated random number generator.
  private static boolean enableFIPS(boolean fips)
      Enables or disables FIPS-140-1 compliant mode.
  byte[] exportCertsToPKCS7(X509Certificate[] certs)
      Exports one or more certificates into a PKCS #7 certificate container.
  X509Certificate findCertByIssuerAndSerialNumber(byte[] derIssuer, INTEGER serialNumber)
      Looks up a certificate by issuer and serial number.
  private X509Certificate findCertByIssuerAndSerialNumberNative(byte[] derIssuer, byte[] serialNumber)
  X509Certificate findCertByNickname(java.lang.String nickname)
      Looks up a certificate given its nickname.
  protected X509Certificate findCertByNicknameNative(java.lang.String nickname)
  X509Certificate[] findCertsByNickname(java.lang.String nickname)
      Returns all certificates with the given nickname.
  protected X509Certificate[] findCertsByNicknameNative(java.lang.String nickname)
  PrivateKey findPrivKeyByCert(X509Certificate cert)
      Looks up the PrivateKey matching the given certificate.
  protected PrivateKey findPrivKeyByCertNative(X509Certificate cert)
  boolean FIPSEnabled()
      Determines whether FIPS-140-1 compliance is active.
  java.util.Enumeration getAllTokens()
      Retrieves all tokens.
  X509Certificate[] getCACerts()
      Retrieves all CA certificates in the trust database.
  java.util.Enumeration getExternalTokens()
      Retrieves all tokens except those built into NSS.
  static CryptoManager getInstance()
      Retrieve the single instance of CryptoManager.
  CryptoToken getInternalCryptoToken()
      Retrieves the internal cryptographic services token.
  CryptoToken getInternalKeyStorageToken()
      Retrieves the internal key storage token.
  java.util.Enumeration getModules()
      Retrieves all installed cryptographic modules.
  PasswordCallback getPasswordCallback()
      Returns the currently registered password callback.
  X509Certificate[] getPermCerts()
      Retrieves all certificates in the trust database.
  JSSSecureRandom getSecureRNG()
      Retrieves a FIPS-140-1 validated random number generator.
  CryptoToken getTokenByName(java.lang.String name)
      Looks up the CryptoToken with the given name.
  java.util.Enumeration getTokensSupportingAlgorithm(Algorithm alg)
      Retrieves all tokens that support the given algorithm.
  X509Certificate importCACertPackage(byte[] certPackage)
      Imports a chain of certificates, none of which is a user certificate.
  X509Certificate importCertPackage(byte[] certPackage, java.lang.String nickname)
      Imports a chain of certificates.
  private X509Certificate importCertPackageNative(byte[] certPackage, java.lang.String nickname, boolean noUser, boolean leafIsCA)
  InternalCertificate importCertToPerm(X509Certificate cert, java.lang.String nickname)
      Imports a single certificate into the permanent certificate database.
  private InternalCertificate importCertToPermNative(X509Certificate cert, java.lang.String nickname)
  void importCRL(byte[] crl, java.lang.String url)
      Validates a CRL, then imports it and stores it in cert7.db.
  private void importCRLNative(byte[] crl, java.lang.String url, int rl_type)
      Imports a CRL, and stores it in cert7.db.
  X509Certificate importUserCACertPackage(byte[] certPackage, java.lang.String nickname)
      Imports a chain of certificates.
  static void initialize(CryptoManager.InitializationValues values)
      Initialize the security subsystem.
  static void initialize(java.lang.String configDir)
      Initialize the security subsystem.
  private static void initializeAllNative(java.lang.String configDir, java.lang.String certPrefix, java.lang.String keyPrefix, java.lang.String secmodName, boolean readOnly, java.lang.String manufacturerID, java.lang.String libraryDescription, java.lang.String internalTokenDescription, java.lang.String internalKeyStorageTokenDescription, java.lang.String internalSlotDescription, java.lang.String internalKeyStorageSlotDescription, java.lang.String fipsSlotDescription, java.lang.String fipsKeyStorageSlotDescription, boolean ocspCheckingEnabled, java.lang.String ocspResponderURL, java.lang.String ocspResponderCertNickname)
  (package private) static void loadNativeLibraries()
      Loads the JSS dynamic library if necessary.
  private void putModulesInVector(java.util.Vector vector)
      Native code to traverse all PKCS #11 modules, wrap each one in a PK11Module, and insert each PK11Module into the given vector.
  private void reloadModules()
      Re-creates the Vector of modules that is stored by CryptoManager.
  private void setNativePasswordCallback(PasswordCallback cb)
  void setPasswordCallback(PasswordCallback pwcb)
      This function sets the global password callback.
Methods inherited from class java.lang.Object
Field Detail

private java.util.Vector moduleVector
private CryptoToken internalCryptoToken
private CryptoToken internalKeyStorageToken
private static CryptoManager instance
private PasswordCallback passwordCallback
private static int TYPE_KRL
private static int TYPE_CRL
public static final int NULL_POLICY
public static final int DOMESTIC_POLICY
public static final int EXPORT_POLICY
public static final int FRANCE_POLICY
public static final java.lang.String JAR_JSS_VERSION
public static final java.lang.String JAR_JDK_VERSION
public static final java.lang.String JAR_NSS_VERSION
public static final java.lang.String JAR_DBM_VERSION
public static final java.lang.String JAR_NSPR_VERSION
private static boolean mNativeLibrariesLoaded
Constructor Detail

protected CryptoManager()
    Constructor, for internal use only.

Method Detail

public CryptoToken getInternalCryptoToken()
    Retrieves the internal cryptographic services token. In FIPS mode, the internal cryptographic services token is the same as the internal key storage token.
    Specified by: getInternalCryptoToken in interface TokenSupplier

public CryptoToken getInternalKeyStorageToken()
    Retrieves the internal key storage token. In FIPS mode, the internal key storage token is the same as the internal cryptographic services token.

public CryptoToken getTokenByName(java.lang.String name) throws NoSuchTokenException
    Looks up the CryptoToken with the given name.
    Parameters: name - The name of the token.
    Throws: org.mozilla.jss.crypto.NoSuchTokenException - If no token is found with the given name.

public java.util.Enumeration getTokensSupportingAlgorithm(Algorithm alg)
    Retrieves all tokens that support the given algorithm.

public java.util.Enumeration getAllTokens()
    Retrieves all tokens. Each element of the Enumeration is a CryptoToken.

public java.util.Enumeration getExternalTokens()
    Retrieves all tokens except those built into NSS. Each element of the Enumeration is a CryptoToken.

public java.util.Enumeration getModules()
    Retrieves all installed cryptographic modules. Each element of the Enumeration is a PK11Module.

private void reloadModules()
    Re-creates the Vector of modules that is stored by CryptoManager.

private void putModulesInVector(java.util.Vector vector)
    Native code to traverse all PKCS #11 modules, wrap each one in a PK11Module, and insert each PK11Module into the given vector.

public static CryptoManager getInstance() throws CryptoManager.NotInitializedException
    Retrieve the single instance of CryptoManager.
    Throws: CryptoManager.NotInitializedException - If initialize(InitializationValues) has not yet been called.
    See Also: initialize(CryptoManager.InitializationValues)

private static boolean enableFIPS(boolean fips) throws java.security.GeneralSecurityException
    Enables or disables FIPS-140-1 compliant mode.
    Parameters: fips - true to turn FIPS compliant mode on, false to turn it off.

public boolean FIPSEnabled()
    Determines whether FIPS-140-1 compliance is active.

public void setPasswordCallback(PasswordCallback pwcb)
    This function sets the global password callback. The callback may be NULL, in which case password callbacks will fail gracefully.

private void setNativePasswordCallback(PasswordCallback cb)

public PasswordCallback getPasswordCallback()
    Returns the currently registered password callback.
public static void initialize(java.lang.String configDir) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException, java.security.GeneralSecurityException
    Initialize the security subsystem. The initialize methods that take arguments should be called only once, otherwise they will throw an exception. It is OK to call them after calling initialize().
    Parameters: configDir - The directory containing the security databases.
    Throws:
        org.mozilla.jss.util.KeyDatabaseException - Unable to open the key database, or it was corrupted.
        org.mozilla.jss.util.CertDatabaseException - Unable to open the certificate database, or it was corrupted.

public static void initialize(CryptoManager.InitializationValues values) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException, java.security.GeneralSecurityException
    Initialize the security subsystem. The initialize methods that take arguments should be called only once, otherwise they will throw an exception. It is OK to call them after calling initialize().
    Parameters: values - The options with which to initialize CryptoManager.
    Throws:
        org.mozilla.jss.util.KeyDatabaseException - Unable to open the key database, or it was corrupted.
        org.mozilla.jss.util.CertDatabaseException - Unable to open the certificate database, or it was corrupted.

private static void initializeAllNative(java.lang.String configDir, java.lang.String certPrefix, java.lang.String keyPrefix, java.lang.String secmodName, boolean readOnly, java.lang.String manufacturerID, java.lang.String libraryDescription, java.lang.String internalTokenDescription, java.lang.String internalKeyStorageTokenDescription, java.lang.String internalSlotDescription, java.lang.String internalKeyStorageSlotDescription, java.lang.String fipsSlotDescription, java.lang.String fipsKeyStorageSlotDescription, boolean ocspCheckingEnabled, java.lang.String ocspResponderURL, java.lang.String ocspResponderCertNickname) throws KeyDatabaseException, CertDatabaseException, AlreadyInitializedException
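Added example, not taken from this page or from the JSS project, showing the bootstrap order the initialize, getInstance, setPasswordCallback, FIPSEnabled and token methods above imply: initialize exactly once, fetch the singleton, register a PIN callback before any token login can happen, inspect FIPS state and the loaded tokens, and log in to the internal key storage token up front. It assumes the org.mozilla.jss.util.PasswordCallback, Password and PasswordCallbackInfo types, the CryptoToken login, isLoggedIn and passwordIsInitialized methods, the JSSSecureRandom.nextBytes method and an InitializationValues.readOnly field (matching the readOnly flag passed to initializeAllNative); none of these are documented on this page. The database directory and the retry limit are hypothetical.

```java
import java.io.Console;
import java.util.Enumeration;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.JSSSecureRandom;
import org.mozilla.jss.util.Password;
import org.mozilla.jss.util.PasswordCallback;
import org.mozilla.jss.util.PasswordCallbackInfo;

public class CryptoManagerBootstrap {

    /**
     * Token PIN callback that reads only from the controlling terminal and gives up
     * after a bounded number of retries. Supplying a callback instead of a literal PIN
     * keeps the secret out of argv, the environment and source control.
     */
    static final class ConsolePinCallback implements PasswordCallback {
        private static final int MAX_RETRIES = 3; // hypothetical; many tokens lock after a few bad PINs
        private int retries = 0;

        public Password getPasswordFirstAttempt(PasswordCallbackInfo info)
                throws PasswordCallback.GiveUpException {
            retries = 0;
            return prompt(info);
        }

        public Password getPasswordAgain(PasswordCallbackInfo info)
                throws PasswordCallback.GiveUpException {
            if (++retries >= MAX_RETRIES) {
                throw new PasswordCallback.GiveUpException();
            }
            return prompt(info);
        }

        private Password prompt(PasswordCallbackInfo info)
                throws PasswordCallback.GiveUpException {
            Console console = System.console();
            if (console == null) {
                // No TTY (daemon, CI): fail closed instead of falling back to stdin or a default PIN.
                throw new PasswordCallback.GiveUpException();
            }
            char[] pin = console.readPassword("PIN for %s: ", info.getName());
            return new Password(pin); // Password wraps the char[] so it can be cleared after use
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical NSS database directory (cert7.db/key3.db for this JSS version).
        String configDir = args.length > 0 ? args[0] : "/etc/pki/example";

        CryptoManager.InitializationValues vals =
                new CryptoManager.InitializationValues(configDir);
        vals.readOnly = true; // assumed field; open the databases read-only unless this process must write

        // Static initialization happens once per JVM; a second initialize(...) call throws
        // AlreadyInitializedException, so keep it in one well-defined startup path.
        CryptoManager.initialize(vals);
        CryptoManager cm = CryptoManager.getInstance();

        // Register the PIN source before anything that may need to log in to a token.
        cm.setPasswordCallback(new ConsolePinCallback());

        // In FIPS mode the two internal tokens are the same token, so one login covers both.
        System.out.println("FIPS mode: " + cm.FIPSEnabled());
        System.out.println("crypto token: " + cm.getInternalCryptoToken().getName());
        CryptoToken keyStore = cm.getInternalKeyStorageToken();
        System.out.println("key storage token: " + keyStore.getName());

        // Every PKCS #11 token NSS loaded; external ones come from the secmod database.
        for (Enumeration e = cm.getAllTokens(); e.hasMoreElements();) {
            CryptoToken t = (CryptoToken) e.nextElement();
            System.out.println("token " + t.getName() + " loggedIn=" + t.isLoggedIn());
        }

        // Log in now, through the registered callback, so a later findPrivKeyByCert
        // does not block on a PIN prompt in the middle of a TLS handshake.
        if (keyStore.passwordIsInitialized() && !keyStore.isLoggedIn()) {
            keyStore.login(cm.getPasswordCallback());
        }

        // Nonces and session keys come from the validated RNG, never java.util.Random.
        JSSSecureRandom rng = cm.getSecureRNG();
        byte[] nonce = new byte[32];
        rng.nextBytes(nonce);
        System.out.println("generated " + nonce.length + " random bytes");
    }
}
```

The callback is the security boundary here: whatever object is passed to setPasswordCallback is what every token login in the process will consult, so it should never return a PIN it did not obtain from an operator or a protected secret store, and it should give up after a few attempts rather than let a misbehaving caller burn through a token's retry counter.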
public X509Certificate[] getCACerts()
    Retrieves all CA certificates in the trust database.

public X509Certificate[] getPermCerts()
    Retrieves all certificates in the trust database.

public X509Certificate importCertPackage(byte[] certPackage, java.lang.String nickname) throws java.security.cert.CertificateEncodingException, CryptoManager.NicknameConflictException, CryptoManager.UserCertConflictException, NoSuchItemOnTokenException, TokenException
    Imports a chain of certificates.
    Parameters:
        certPackage - An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
        nickname - The nickname for the user certificate. It must be unique. It is ignored if there is no user certificate.
    Throws:
        java.security.cert.CertificateEncodingException - If the package encoding was not recognized.
        CryptoManager.NicknameConflictException - If the leaf certificate is a user certificate, and another certificate already has the given nickname.
        CryptoManager.UserCertConflictException - If the leaf certificate is a user certificate, but it has already been imported.
        NoSuchItemOnTokenException - If the leaf certificate is a user certificate, but the matching private key cannot be found.
        TokenException - If an error occurs importing a leaf certificate into a token.

public X509Certificate importUserCACertPackage(byte[] certPackage, java.lang.String nickname) throws java.security.cert.CertificateEncodingException, CryptoManager.NicknameConflictException, CryptoManager.UserCertConflictException, NoSuchItemOnTokenException, TokenException
    Imports a chain of certificates. The leaf certificate is treated as a user certificate, so the nickname is required and the matching private key must be present.
    Parameters:
        certPackage - An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
        nickname - The nickname for the user certificate. It must be unique.
    Throws:
        java.security.cert.CertificateEncodingException - If the package encoding was not recognized.
        CryptoManager.NicknameConflictException - If another certificate already has the given nickname.
        CryptoManager.UserCertConflictException - If the leaf certificate has already been imported.
        NoSuchItemOnTokenException - If the private key matching the leaf certificate cannot be found.
        TokenException - If an error occurs importing the leaf certificate into a token.

public X509Certificate importCACertPackage(byte[] certPackage) throws java.security.cert.CertificateEncodingException, TokenException
    Imports a chain of certificates, none of which is a user certificate.
    Parameters:
        certPackage - An encoded certificate or certificate chain. Acceptable encodings are binary PKCS #7 SignedData objects and DER-encoded certificates, which may or may not be wrapped in a Base-64 encoding package surrounded by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
    Throws:
        java.security.cert.CertificateEncodingException - If the package encoding was not recognized.
        TokenException - If an error occurs importing a leaf certificate into a token.

public InternalCertificate importCertToPerm(X509Certificate cert, java.lang.String nickname) throws TokenException, InvalidNicknameException
    Imports a single certificate into the permanent certificate database.
    Parameters:
        cert - the certificate you want to add
        nickname - the nickname you want to refer to the certificate as (must not be null)

private InternalCertificate importCertToPermNative(X509Certificate cert, java.lang.String nickname) throws TokenException

private X509Certificate importCertPackageNative(byte[] certPackage, java.lang.String nickname, boolean noUser, boolean leafIsCA) throws java.security.cert.CertificateEncodingException, CryptoManager.NicknameConflictException, CryptoManager.UserCertConflictException, NoSuchItemOnTokenException, TokenException
    Parameters:
        noUser - true if we know that none of the certs are user certs. In this case, no attempt will be made to find a matching private key for the leaf certificate.

public void importCRL(byte[] crl, java.lang.String url) throws CRLImportException, TokenException
    Validates the CRL, then imports it and stores it in cert7.db.
    Parameters:
        crl - the DER-encoded CRL.
        url - the URL where this CRL can be retrieved from (for future updates). Note that CRLs are not retrieved automatically. Can be null.
    Throws:
        CRLImportException - If the package encoding was not recognized.

private void importCRLNative(byte[] crl, java.lang.String url, int rl_type) throws CRLImportException, TokenException
    Imports a CRL, and stores it in cert7.db.
    Parameters:
        crl - the DER-encoded CRL.

public byte[] exportCertsToPKCS7(X509Certificate[] certs) throws java.security.cert.CertificateEncodingException
    Exports one or more certificates into a PKCS #7 certificate container.
    Parameters:
        certs - One or more certificates that should be exported into the PKCS #7 object. The leaf certificate should be the first in the chain. The output of buildCertificateChain would be appropriate here.
    Throws:
        java.security.cert.CertificateEncodingException - If the array is empty, or an error occurred encoding the certificates.
    See Also: buildCertificateChain(org.mozilla.jss.crypto.X509Certificate)
public X509Certificate findCertByNickname(java.lang.String nickname) throws ObjectNotFoundException, TokenException
    Looks up a certificate given its nickname.
    Parameters:
        nickname - The nickname of the certificate to look for.
    Throws:
        ObjectNotFoundException - If no certificate could be found with the given nickname.
        TokenException - If an error occurs in the security library.

public X509Certificate[] findCertsByNickname(java.lang.String nickname) throws TokenException
    Returns all certificates with the given nickname.
    Parameters:
        nickname - The nickname of the certificate to look for.
    Throws:
        TokenException - If an error occurs in the security library.

public X509Certificate findCertByIssuerAndSerialNumber(byte[] derIssuer, INTEGER serialNumber) throws ObjectNotFoundException, TokenException
    Looks up a certificate by issuer and serial number.
    Parameters:
        derIssuer - The DER encoding of the certificate issuer name. The issuer name has ASN.1 type Name, which is defined in X.501.
        serialNumber - The certificate serial number.
    Throws:
        ObjectNotFoundException - If the certificate is not found in the internal certificate database or on any PKCS #11 token.
        TokenException - If an error occurs in the security library.

private X509Certificate findCertByIssuerAndSerialNumberNative(byte[] derIssuer, byte[] serialNumber) throws ObjectNotFoundException, TokenException
    Parameters:
        serialNumber - The contents octets of a DER-encoding of the certificate serial number.

protected X509Certificate findCertByNicknameNative(java.lang.String nickname) throws ObjectNotFoundException, TokenException

protected X509Certificate[] findCertsByNicknameNative(java.lang.String nickname) throws TokenException

public X509Certificate[] buildCertificateChain(X509Certificate leaf) throws java.security.cert.CertificateException, TokenException
    Given a certificate, constructs its certificate chain.
    Parameters:
        leaf - The certificate that is the starting point of the chain.
    Throws:
        java.security.cert.CertificateException - If the certificate is not recognized by the underlying provider.

X509Certificate[] buildCertificateChainNative(PK11Cert leaf) throws java.security.cert.CertificateException, TokenException

public PrivateKey findPrivKeyByCert(X509Certificate cert) throws ObjectNotFoundException, TokenException
    Looks up the PrivateKey matching the given certificate.
    Throws:
        ObjectNotFoundException - If no private key can be found matching the given certificate.
        TokenException - If an error occurs in the security library.

protected PrivateKey findPrivKeyByCertNative(X509Certificate cert) throws ObjectNotFoundException, TokenException
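Added example, not from this page or from the JSS project, that walks the import and lookup methods above end to end: import a CA bundle with importCACertPackage, import an issued end-entity certificate with importCertPackage while handling each of its documented exceptions differently, confirm the private key is reachable with findPrivKeyByCert, then build the leaf-first chain with buildCertificateChain and hand it to exportCertsToPKCS7. It assumes CryptoManager was already initialized and given a password callback in this JVM, that org.mozilla.jss.crypto.X509Certificate has getSubjectDN() and org.mozilla.jss.crypto.PrivateKey has getOwningToken(), and that org.mozilla.jss.crypto.NoSuchItemOnTokenException is the package of the exception the page names unqualified; the file paths and nickname come from argv and are hypothetical.

```java
import java.nio.file.Files;
import java.nio.file.Paths;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.NoSuchItemOnTokenException;
import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.X509Certificate;

public class CertPackageImport {

    public static void main(String[] args) throws Exception {
        // Assumes CryptoManager.initialize(...) and setPasswordCallback(...) already ran.
        CryptoManager cm = CryptoManager.getInstance();

        // Hypothetical inputs: CA bundle (PEM or binary PKCS #7), the issued end-entity
        // certificate, the nickname to file it under, and an optional output path.
        byte[] caBundle = Files.readAllBytes(Paths.get(args[0]));
        byte[] userPackage = Files.readAllBytes(Paths.get(args[1]));
        String nickname = args[2];

        // 1. Trust anchors first. importCACertPackage never looks for a private key, so it
        //    is the right call for a bundle that contains only CA certificates. Check
        //    getCACerts() afterwards if you need to confirm what landed in the database.
        X509Certificate anchor = cm.importCACertPackage(caBundle);
        System.out.println("imported CA package, leaf: " + anchor.getSubjectDN());

        // 2. The end-entity certificate. Its key pair must already be on a token; otherwise
        //    NoSuchItemOnTokenException is thrown and the leaf is not imported.
        X509Certificate user;
        try {
            user = cm.importCertPackage(userPackage, nickname);
        } catch (CryptoManager.UserCertConflictException alreadyThere) {
            // Same certificate imported on an earlier run: reuse the copy on file.
            user = cm.findCertByNickname(nickname);
        } catch (CryptoManager.NicknameConflictException taken) {
            // A *different* certificate owns this nickname. Do not pick another name
            // silently; an operator should decide which certificate keeps it.
            throw new IllegalStateException(
                    "nickname '" + nickname + "' already names another certificate", taken);
        } catch (NoSuchItemOnTokenException noKey) {
            throw new IllegalStateException(
                    "no private key on any token matches the certificate in " + args[1], noKey);
        }

        // 3. Prove the key is reachable before handing the cert to a TLS or signing path.
        PrivateKey key = cm.findPrivKeyByCert(user);
        System.out.println("private key lives on token " + key.getOwningToken().getName());

        // 4. Chain is leaf-first, which is the order exportCertsToPKCS7 documents.
        X509Certificate[] chain = cm.buildCertificateChain(user);
        for (int i = 0; i < chain.length; i++) {
            System.out.println("  [" + i + "] " + chain[i].getSubjectDN());
        }
        if (chain.length < 2) {
            // NSS could not link the leaf to any issuer on file; a peer given this
            // container would have to trust the leaf directly.
            System.err.println("warning: chain could not be built past the leaf");
        }

        byte[] pkcs7 = cm.exportCertsToPKCS7(chain);
        if (args.length > 3) {
            Files.write(Paths.get(args[3]), pkcs7);
        }
        System.out.println("PKCS #7 container: " + pkcs7.length + " bytes");
    }
}
```

The exception handling is the point of the block: UserCertConflictException means the same certificate is already present and the import is idempotent, NicknameConflictException means the name is in use by something else, and NoSuchItemOnTokenException means the private key is missing; only the first of the three is safe to recover from without a human in the loop.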
public JSSSecureRandom createPseudoRandomNumberGenerator()
    Retrieves a FIPS-140-1 validated random number generator.

public JSSSecureRandom getSecureRNG()
    Retrieves a FIPS-140-1 validated random number generator.
    Specified by: getSecureRNG in interface TokenSupplier

static void loadNativeLibraries()
    Loads the JSS dynamic library if necessary. This method is idempotent.