From a4682ceae6774956461edd03b2485bbacea445f4 Mon Sep 17 00:00:00 2001 From: mharmsen Date: Tue, 4 Oct 2011 01:17:41 +0000 Subject: Bugzilla Bug #688225 - (dogtagIPAv2.1) TRACKER: of the Dogtag fixes for freeIPA 2.1 git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/tags/IPA_v2_RHEL_6_2_20111003@2252 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- .../com/netscape/certsrv/security/Credential.java | 61 ++ .../certsrv/security/ICryptoSubsystem.java | 462 ++++++++++++ .../netscape/certsrv/security/IEncryptionUnit.java | 130 ++++ .../netscape/certsrv/security/ISigningUnit.java | 165 +++++ .../netscape/certsrv/security/IStorageKeyUnit.java | 106 +++ .../src/com/netscape/certsrv/security/IToken.java | 50 ++ .../certsrv/security/ITransportKeyUnit.java | 55 ++ .../com/netscape/certsrv/security/KeyCertData.java | 813 +++++++++++++++++++++ 8 files changed, 1842 insertions(+) create mode 100644 pki/base/common/src/com/netscape/certsrv/security/Credential.java create mode 100644 pki/base/common/src/com/netscape/certsrv/security/ICryptoSubsystem.java create mode 100644 pki/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java create mode 100644 pki/base/common/src/com/netscape/certsrv/security/ISigningUnit.java create mode 100644 pki/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java create mode 100644 pki/base/common/src/com/netscape/certsrv/security/IToken.java create mode 100644 pki/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java create mode 100644 pki/base/common/src/com/netscape/certsrv/security/KeyCertData.java (limited to 'pki/base/common/src/com/netscape/certsrv/security') diff --git a/pki/base/common/src/com/netscape/certsrv/security/Credential.java b/pki/base/common/src/com/netscape/certsrv/security/Credential.java new file mode 100644 index 000000000..3b50d3294 --- /dev/null +++ b/pki/base/common/src/com/netscape/certsrv/security/Credential.java 
@@ -0,0 +1,61 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.security;
+
+
+/**
+ * A class represents a credential. A credential contains
+ * information that identifies a user. In this case,
+ * identifier and password are used.
+ *
+ * @version $Revision$, $Date$
+ */
+public class Credential implements java.io.Serializable {
+
+ private String mId = null;
+ private String mPassword = null;
+
+ /**
+ * Constructs credential object.
+ *
+ * @param id user id
+ * @param password user password
+ */
+ public Credential(String id, String password) {
+ mId = id;
+ mPassword = password;
+ }
+
+ /**
+ * Retrieves identifier.
+ *
+ * @return user id
+ */
+ public String getIdentifier() {
+ return mId;
+ }
+
+ /**
+ * Retrieves password.
+ *
+ * @return user password
+ */
+ public String getPassword() {
+ return mPassword;
+ }
+}
diff --git a/pki/base/common/src/com/netscape/certsrv/security/ICryptoSubsystem.java b/pki/base/common/src/com/netscape/certsrv/security/ICryptoSubsystem.java
new file mode 100644
index 000000000..2e4c0a9ee
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/security/ICryptoSubsystem.java
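Review bot: `mPassword` holds the secret as a `String` inside a class declared `java.io.Serializable`, so it can neither be zeroed after use nor kept out of any serialized form of the object, and the same String-password pattern recurs in this commit in `ICryptoSubsystem.loggedInToken`, `IToken.login` and `IStorageKeyUnit.changeAgentPassword`. The getter fixes the return type, but the fields should at least be immutable — `private final String mId;` and `private final String mPassword;` with the redundant `= null` initializers dropped — and the class Javadoc should say that an instance carries a cleartext password and must not be persisted or logged. The constructor accepts `null` for either argument unchecked, and neither `getIdentifier()` nor `getPassword()` says whether `null` is a legitimate value.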
@@ -0,0 +1,462 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + + +import org.mozilla.jss.crypto.*; +import org.mozilla.jss.*; +import org.mozilla.jss.CryptoManager.*; +import java.io.*; +import java.security.*; +import java.util.*; +import java.security.*; +import java.security.cert.*; +import netscape.security.x509.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.common.*; + + +/** + * This interface represents the cryptographics subsystem + * that provides all the security related functions. + * + * @version $Revision$, $Date$ + */ +public interface ICryptoSubsystem extends ISubsystem { + + public static final String ID = "jss"; + + /** + * Retrieves a list of nicknames of certificates that are + * in the installed tokens. + * + * @return a list of comma-separated nicknames + * @exception EBaseException failed to retrieve nicknames + */ + public String getAllCerts() throws EBaseException; + + /** + * Retrieves certificate in pretty-print format by the nickname. 
+ * + * @param nickname nickname of certificate + * @param date not after of the returned certificate must be date + * @param locale user locale + * @return certificate in pretty-print format + * @exception EBaseException failed to retrieve certificate + */ + public String getCertPrettyPrint(String nickname, String date, + Locale locale) throws EBaseException; + public String getRootCertTrustBit(String nickname, String serialno, + String issuerName) throws EBaseException; + public String getCertPrettyPrint(String nickname, String serialno, + String issuername, Locale locale) throws EBaseException; + public String getCertPrettyPrintAndFingerPrint(String nickname, String serialno, + String issuername, Locale locale) throws EBaseException; + + /** + * Retrieves the certificate in the pretty print format. + * + * @param b64E certificate in mime-64 encoded format + * @param locale end user locale + * @return certificate in pretty-print format + * @exception EBaseException failed to retrieve certificate + */ + public String getCertPrettyPrint(String b64E, Locale locale) + throws EBaseException; + + /** + * Imports certificate into the server. + * + * @param b64E certificate in mime-64 encoded format + * @param nickname nickname for the importing certificate + * @param certType certificate type + * @exception EBaseException failed to import certificate + */ + public void importCert(String b64E, String nickname, String certType) + throws EBaseException; + + /** + * Imports certificate into the server. + * + * @param signedCert certificate + * @param nickname nickname for the importing certificate + * @param certType certificate type + * @exception EBaseException failed to import certificate + */ + public void importCert(X509CertImpl signedCert, String nickname, + String certType) throws EBaseException; + + /** + * Generates a key pair based on the given parameters. 
+ * + * @param properties key parameters + * @return key pair + * @exception EBaseException failed to generate key pair + */ + public KeyPair getKeyPair(KeyCertData properties) throws EBaseException; + + /** + * Retrieves the key pair based on the given nickname. + * + * @param nickname nickname of the public key + * @exception EBaseException failed to retrieve key pair + */ + public KeyPair getKeyPair(String nickname) throws EBaseException; + + /** + * Generates a key pair based on the given parameters. + * + * @param tokenName name of token where key is generated + * @param alg key algorithm + * @param keySize key size + * @return key pair + * @exception EBaseException failed to generate key pair + */ + public KeyPair getKeyPair(String tokenName, String alg, + int keySize) throws EBaseException; + + /** + * Generates a key pair based on the given parameters. + * + * @param tokenName name of token where key is generated + * @param alg key algorithm + * @param keySize key size + * @param pqg pqg parameters if DSA key, otherwise null + * @return key pair + * @exception EBaseException failed to generate key pair + */ + public KeyPair getKeyPair(String tokenName, String alg, + int keySize, PQGParams pqg) throws EBaseException; + + /** + * Generates an ECC key pair based on the given parameters. + * + * @param properties key parameters + * @return key pair + * @exception EBaseException failed to generate key pair + */ + public KeyPair getECCKeyPair(KeyCertData properties) throws EBaseException; + + /** + * Generates an ECC key pair based on the given parameters. + * + * @param token token name + * @param curveName curve name + * @param certType type of cert(sslserver etc..) + * @return key pair + * @exception EBaseException failed to generate key pair + */ + public KeyPair getECCKeyPair(String token, String curveName, String certType) throws EBaseException; + + /** + * Retrieves the signature algorithm of the certificate named + * by the given nickname. 
+ * + * @param nickname nickname of the certificate + * @return signature algorithm + * @exception EBaseException failed to retrieve signature + */ + public String getSignatureAlgorithm(String nickname) throws EBaseException; + + /** + * Checks if the given dn is a valid distinguished name. + * + * @param dn distinguished name + * @exception EBaseException failed to check + */ + public void isX500DN(String dn) throws EBaseException; + + /** + * Retrieves CA's signing algorithm id. If it is DSA algorithm, + * algorithm is constructed by reading the parameters + * ca.dsaP, ca.dsaQ, ca.dsaG. + * + * @param algname DSA or RSA + * @param store configuration store. + * @return algorithm id + * @exception EBaseException failed to retrieve algorithm id + */ + public AlgorithmId getAlgorithmId(String algname, IConfigStore store) throws EBaseException; + + /** + * Retrieves subject name of the certificate that is identified by + * the given nickname. + * + * @param tokenname name of token where the nickname is valid + * @param nickname nickname of the certificate + * @return subject name + * @exception EBaseException failed to get subject name + */ + public String getCertSubjectName(String tokenname, String nickname) + throws EBaseException; + + /** + * Retrieves extensions of the certificate that is identified by + * the given nickname. + * + * @param tokenname name of token where the nickname is valid + * @param nickname nickname of the certificate + * @return certificate extensions + * @exception EBaseException failed to get extensions + */ + public CertificateExtensions getExtensions(String tokenname, String nickname + ) + throws EBaseException; + + /** + * Deletes certificate of the given nickname. 
+ * + * @param nickname nickname of the certificate + * @param pathname path where a copy of the deleted certificate is stored + * @exception EBaseException failed to delete certificate + */ + public void deleteTokenCertificate(String nickname, String pathname) + throws EBaseException; + + /** + * Delete certificate of the given nickname. + * + * @param nickname nickname of the certificate + * @param notAfterTime The notAfter of the certificate. It + * is possible to ge t multiple certificates under + * the same nickname. If one of the certificates match + * the notAfterTime, then the certificate will get + * deleted. The format of the notAfterTime has to be + * in "MMMMM dd, yyyy HH:mm:ss" format. + * @exception EBaseException failed to delete certificate + */ + public void deleteCert(String nickname, String notAfterTime) + throws EBaseException; + + /** + * Retrieves the subject DN of the certificate identified by + * the nickname. + * + * @param nickname nickname of the certificate + * @return subject distinguished name + * @exception EBaseException failed to retrieve subject DN + */ + public String getSubjectDN(String nickname) throws EBaseException; + + /** + * Trusts a certificate for all available purposes. + * + * @param nickname nickname of the certificate + * @param date certificate's not before + * @param trust "Trust" or other + * @exception EBaseException failed to trust certificate + */ + public void trustCert(String nickname, String date, String trust) + throws EBaseException; + + /** + * Checks if the given base-64 encoded string contains an extension + * or a sequence of extensions. + * + * @param ext extension or sequence of extension encoded in base-64 + * @exception EBaseException failed to check encoding + */ + public void checkCertificateExt(String ext) throws EBaseException; + + /** + * Gets all certificates on all tokens for Certificate Database Management. 
+ * + * @return all certificates + * @exception EBaseException failed to retrieve certificates + */ + public NameValuePairs getAllCertsManage() throws EBaseException; + public NameValuePairs getUserCerts() throws EBaseException; + + /** + * Gets all CA certificates on all tokens. + * + * @return all CA certificates + * @exception EBaseException failed to retrieve certificates + */ + public NameValuePairs getCACerts() throws EBaseException; + + public NameValuePairs getRootCerts() throws EBaseException; + + public void setRootCertTrust(String nickname, String serialno, + String issuername, String trust) throws EBaseException; + + public void deleteRootCert(String nickname, String serialno, + String issuername) throws EBaseException; + + public void deleteUserCert(String nickname, String serialno, + String issuername) throws EBaseException; + + /** + * Retrieves PQG parameters based on key size. + * + * @param keysize key size + * @return pqg parameters + */ + public PQGParams getPQG(int keysize); + + /** + * Retrieves PQG parameters based on key size. + * + * @param keysize key size + * @param store configuration store + * @return pqg parameters + */ + public PQGParams getCAPQG(int keysize, IConfigStore store) + throws EBaseException; + + /** + * Retrieves extensions of the certificate that is identified by + * the given nickname. + * + * @param tokenname token name + * @param nickname nickname + * @return certificate extensions + */ + public CertificateExtensions getCertExtensions(String tokenname, String nickname + ) + throws NotInitializedException, TokenException, ObjectNotFoundException, + + IOException, CertificateException; + + /** + * Checks if the given token is logged in. + * + * @param name token name + * @return true if token is logged in + * @exception EBaseException failed to login + */ + public boolean isTokenLoggedIn(String name) throws EBaseException; + + /** + * Logs into token. 
+ * + * @param tokenName name of the token + * @param pwd token password + * @exception EBaseException failed to login + */ + public void loggedInToken(String tokenName, String pwd) + throws EBaseException; + + /** + * Generates certificate request from the given key pair. + * + * @param subjectName subject name to use in the request + * @param kp key pair that contains public key material + * @return certificate request in base-64 encoded format + * @exception EBaseException failed to generate request + */ + public String getCertRequest(String subjectName, KeyPair kp) + throws EBaseException; + + /** + * Checks if fortezza is enabled. + * + * @return "true" if fortezza is enabled + */ + public String isCipherFortezza() throws EBaseException; + + /** + * Retrieves the SSL cipher version. + * + * @return cipher version (i.e. "cipherdomestic") + */ + public String getCipherVersion() throws EBaseException; + + /** + * Retrieves the cipher preferences. + * + * @return cipher preferences (i.e. "rc4export,rc2export,...") + */ + public String getCipherPreferences() throws EBaseException; + + /** + * Sets the current SSL cipher preferences. + * + * @param cipherPrefs cipher preferences (i.e. "rc4export,rc2export,...") + * @exception EBaseException failed to set cipher preferences + */ + public void setCipherPreferences(String cipherPrefs) + throws EBaseException; + + /** + * Retrieves a list of currently registered token names. + * + * @return list of token names + * @exception EBaseException failed to retrieve token list + */ + public String getTokenList() throws EBaseException; + + /** + * Retrieves all certificates. The result list will not + * contain the token tag. + * + * @param name token name + * @return list of certificates without token tag + * @exception EBaseException failed to retrieve + */ + public String getCertListWithoutTokenName(String name) throws EBaseException; + + /** + * Retrieves the token name of the internal (software) token. 
+ * + * @return the token name + * @exception EBaseException failed to retrieve token name + */ + public String getInternalTokenName() throws EBaseException; + + /** + * Checks to see if the certificate of the given nickname is a + * CA certificate. + * + * @param fullNickname nickname of the certificate to check + * @return true if it is a CA certificate + * @exception EBaseException failed to check + */ + public boolean isCACert(String fullNickname) throws EBaseException; + + /** + * Adds the specified number of bits of entropy from the system + * entropy generator to the RNG of the default PKCS#11 RNG token. + * The default token is set using the modutil command. + * Note that the system entropy generator (usually /dev/random) + * will block until sufficient entropy is collected. + * + * @param bits number of bits of entropy + * @exception org.mozilla.jss.util.NotImplementedException If the Crypto device does not support + * adding entropy + * @exception TokenException If there was some other problem with the Crypto device + * @exception IOException If there was a problem reading from the /dev/random + */ + + public void addEntropy(int bits) + throws org.mozilla.jss.util.NotImplementedException, + IOException, + TokenException; + + /** + * Signs the certificate template into the given data and returns + * a signed certificate. + * + * @param data data that contains certificate template + * @param certType certificate type + * @param priKey CA signing key + * @return certificate + * @exception EBaseException failed to sign certificate template + */ + public X509CertImpl getSignedCert(KeyCertData data, String certType, java.security.PrivateKey priKey) throws EBaseException; +} diff --git a/pki/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/pki/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java new file mode 100644 index 000000000..af7030f06 --- /dev/null 
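Review bot: `getRootCertTrustBit`, `setRootCertTrust`, `deleteRootCert`, `deleteUserCert`, `getUserCerts`, `getRootCerts` and the two extra `getCertPrettyPrint*` overloads are the only members of this interface added without Javadoc, and they are precisely the ones that change which root certificates the server trusts; `setRootCertTrust` should at least carry `/** Sets the trust flags of the root certificate identified by nickname, serial number and issuer name. @param trust trust flags to apply @exception EBaseException failed to set trust */`, and the delete methods should say whether a missing certificate is an error. `isX500DN(String dn)` reads as a predicate but returns `void`, so its Javadoc should state that an invalid DN is reported by throwing `EBaseException`. `deleteCert` documents the `notAfterTime` format as `"MMMMM dd, yyyy HH:mm:ss"`, which is locale-dependent unless the implementation fixes the locale; say which one is used. `import java.security.*;` appears twice in the import list, and `isCipherFortezza` returns the `String` `"true"` where `isTokenLoggedIn` and `isCACert` return `boolean`.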
+++ b/pki/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java 
@@ -0,0 +1,130 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + + +import java.util.*; +import java.io.*; +import java.net.*; +import java.security.*; +import java.security.cert.X509Certificate; +import netscape.security.x509.*; +import netscape.security.util.*; +import com.netscape.certsrv.base.*; +import org.mozilla.jss.crypto.PrivateKey; + + +/** + * An interface represents a encryption unit. + * + * @version $Revision$, $Date$ + */ +public interface IEncryptionUnit extends IToken { + + /** + * Retrieves the public key in this unit. + * + * @return public key + */ + public PublicKey getPublicKey(); + + /** + * Wraps data. The given key will be wrapped by the + * private key in this unit. + * + * @param priKey private key to be wrapped + * @return wrapped data + * @exception EBaseException failed to wrap + */ + public byte[] wrap(PrivateKey priKey) throws EBaseException; + + /** + * Verifies the given key pair. + * + * @param publicKey public key + * @param privateKey private key + */ + public void verify(PublicKey publicKey, PrivateKey privateKey) throws + EBaseException; + + /** + * Unwraps data. This method rebuilds the private key by + * unwrapping the private key data. 
+ * + * @param sessionKey session key that unwrap the private key + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters + * @param privateKey private key data + * @param pubKey public key + * @return private key object + * @exception EBaseException failed to unwrap + */ + public PrivateKey unwrap(byte sessionKey[], String symmAlgOID, + byte symmAlgParams[], byte privateKey[], + PublicKey pubKey) + throws EBaseException; + + /** + * Unwraps data. This method rebuilds the private key by + * unwrapping the private key data. + * + * @param privateKey private key data + * @param pubKey public key object + * @return private key object + * @exception EBaseException failed to unwrap + */ + public PrivateKey unwrap(byte privateKey[], PublicKey pubKey) + throws EBaseException; + + /** + * Encrypts the internal private key (private key to the KRA's + * internal storage). + * + * @param rawPrivate user's private key (key to be archived) + * @return encrypted data + * @exception EBaseException failed to encrypt + */ + public byte[] encryptInternalPrivate(byte rawPrivate[]) + throws EBaseException; + + /** + * Decrypts the internal private key (private key from the KRA's + * internal storage). + * + * @param wrappedPrivateData unwrapped private key data (key to be recovered) + * @return raw private key + * @exception EBaseException failed to decrypt + */ + public byte[] decryptInternalPrivate(byte wrappedPrivateData[]) + throws EBaseException; + + /** + * Decrypts the external private key (private key from the end-user). 
+ * + * @param sessionKey session key that protects the user private + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters + * @param privateKey private key data + * @return private key data + * @exception EBaseException failed to decrypt + */ + public byte[] decryptExternalPrivate(byte sessionKey[], + String symmAlgOID, + byte symmAlgParams[], byte privateKey[]) + throws EBaseException; +} diff --git a/pki/base/common/src/com/netscape/certsrv/security/ISigningUnit.java b/pki/base/common/src/com/netscape/certsrv/security/ISigningUnit.java new file mode 100644 index 000000000..ac46a271d --- /dev/null +++ b/pki/base/common/src/com/netscape/certsrv/security/ISigningUnit.java 
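Review bot: The Javadoc on `wrap(PrivateKey priKey)` says the given key "will be wrapped by the private key in this unit", which does not fit a unit whose only exposed key is `getPublicKey()`; presumably the material is wrapped under this unit's public (or storage) key so that only this unit's private key can unwrap it — confirm against the implementation and reword, e.g. `* Wraps the given private key for this unit, so that only the key held in this unit can unwrap it.` `verify(PublicKey, PrivateKey)` declares `throws EBaseException` but its Javadoc has no `@exception` line, so it is not stated that a mismatched pair is reported by exception rather than by return value. In `unwrap(byte sessionKey[], ...)` and `decryptExternalPrivate`, the parameter named `sessionKey` is documented only as "session key"; say whether it arrives raw or wrapped under this unit's public key, since the two are handled very differently.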
@@ -0,0 +1,165 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + + +import java.security.*; +import org.mozilla.jss.*; +import org.mozilla.jss.crypto.*; +import org.mozilla.jss.util.*; +import org.mozilla.jss.crypto.Signature; +import com.netscape.certsrv.base.*; +import netscape.security.x509.*; + +/** + * A class represents the signing unit which is + * capable of signing data. + * + * @version $Revision$, $Date$ + */ +public interface ISigningUnit { + + public static final String PROP_DEFAULT_SIGNALG = "defaultSigningAlgorithm"; + public static final String PROP_CERT_NICKNAME = "cacertnickname"; + // This signing unit is being used in OCSP and CRL also. So + // it is better to have a more generic name + public static final String PROP_RENAMED_CERT_NICKNAME = "certnickname"; + public static final String PROP_TOKEN_NAME = "tokenname"; + public static final String PROP_NEW_NICKNAME = "newNickname"; + + /** + * Retrieves the nickname of the signing certificate. + */ + public String getNickname(); + + /** + * Retrieves the new nickname in the renewal process. 
+ * + * @return new nickname + * @exception EBaseException failed to get new nickname + */ + public String getNewNickName() throws EBaseException; + + /** + * Sets new nickname of the signing certificate. + * + * @param name nickname + */ + public void setNewNickName(String name); + + /** + * Retrieves the signing certificate. + * + * @return signing certificate + */ + public X509Certificate getCert(); + + /** + * Retrieves the signing certificate. + * + * @return signing certificate + */ + public X509CertImpl getCertImpl(); + + /** + * Signs the given data in specific algorithm. + * + * @param data data to be signed + * @param algname signing algorithm to be used + * @return signed data + * @exception EBaseException failed to sign + */ + public byte[] sign(byte[] data, String algname) + throws EBaseException; + + /** + * Verifies the signed data. + * + * @param data signed data + * @param signature signature + * @param algname signing algorithm + * @return true if verification is good + * @exception EBaseException failed to verify + */ + public boolean verify(byte[] data, byte[] signature, String algname) + throws EBaseException; + + /** + * Retrieves the default algorithm. + * + * @return default signing algorithm + */ + public SignatureAlgorithm getDefaultSignatureAlgorithm(); + + /** + * Retrieves the default algorithm name. + * + * @return default signing algorithm name + */ + public String getDefaultAlgorithm(); + + /** + * Set default signing algorithm. + * + * @param algorithm signing algorithm + * @exception EBaseException failed to set default signing algorithm + */ + public void setDefaultAlgorithm(String algorithm) throws EBaseException; + + /** + * Retrieves all supported signing algorithm of this unit. + * + * @return a list of signing algorithms + * @exception EBaseException failed to list + */ + public String[] getAllAlgorithms() throws EBaseException; + + /** + * Retrieves the token name of this unit. 
+ * + * @return token name + * @exception EBaseException failed to retrieve name + */ + public String getTokenName() throws EBaseException; + + /** + * Updates new nickname and tokename in the configuration file. + * + * @param nickname new nickname + * @param tokenname new tokenname + */ + public void updateConfig(String nickname, String tokenname); + + /** + * Checks if the given algorithm name is supported. + * + * @param algname algorithm name + * @return signing algorithm + * @exception EBaseException failed to check signing algorithm + */ + public SignatureAlgorithm checkSigningAlgorithmFromName(String algname) + throws EBaseException; + + /** + * Retrieves the public key associated in this unit. + * + * @return public key + */ + public PublicKey getPublicKey(); +} + diff --git a/pki/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java b/pki/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java new file mode 100644 index 000000000..0b484bdc7 --- /dev/null +++ b/pki/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java 
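Review bot: `getCert()` returns `X509Certificate` while the file wildcard-imports both `java.security.*` and `org.mozilla.jss.crypto.*`, so a reader has to know that only the JSS package supplies that simple name; `ITransportKeyUnit` in the same commit writes `org.mozilla.jss.crypto.X509Certificate` explicitly, and this interface should do the same (or import it by name) so the meaning cannot silently change if `java.security.cert.*` is ever added to the imports. `getNickname()` is the only accessor without an `@return` tag; `* @return nickname of the signing certificate` completes it. `updateConfig(String nickname, String tokenname)` writes to the configuration file but declares no exception and documents no failure mode; say what a caller sees when the write fails. The class Javadoc opens with "A class represents the signing unit" although this is an interface.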
@@ -0,0 +1,106 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + + +import java.util.*; +import java.io.*; +import java.net.*; +import java.security.*; +import java.security.cert.X509Certificate; +import netscape.security.x509.*; +import netscape.security.util.*; +import com.netscape.certsrv.base.*; +import org.mozilla.jss.crypto.*; +import org.mozilla.jss.crypto.PrivateKey; + + +/** + * An interface represents a storage key unit. This storage + * unit contains a storage key pair that is used for + * encrypting the user private key for long term storage. + * + * @version $Revision$, $Date$ + */ +public interface IStorageKeyUnit extends IEncryptionUnit { + + /** + * Retrieves total number of recovery agents. + * + * @return total number of recovery agents + */ + public int getNoOfAgents() throws EBaseException; + + /** + * Retrieves number of recovery agents required to + * perform recovery operation. 
+ * + * @return required number of recovery agents for recovery operation + */ + public int getNoOfRequiredAgents() throws EBaseException; + + /** + * Sets the numer of required recovery agents + * + * @param number number of required agents + */ + public void setNoOfRequiredAgents(int number); + + /** + * Retrieves a list of agents in this unit. + * + * @return a list of string-based agent identifiers + */ + public Enumeration getAgentIdentifiers(); + + /** + * Changes agent password. + * + * @param id agent id + * @param oldpwd old password + * @param newpwd new password + * @return true if operation successful + * @exception EBaseException failed to change password + */ + public boolean changeAgentPassword(String id, String oldpwd, + String newpwd) throws EBaseException; + + /** + * Changes M-N recovery scheme. + * + * @param n total number of agents + * @param m required number of agents for recovery operation + * @param oldcreds all old credentials + * @param newcreds all new credentials + * @return true if operation successful + * @exception EBaseException failed to change schema + */ + public boolean changeAgentMN(int n, int m, Credential oldcreds[], + Credential newcreds[]) throws EBaseException; + + /** + * Logins to this unit. + * + * @param ac agent's credentials + * @exception EBaseException failed to login + */ + public void login(Credential ac[]) throws EBaseException; + + public CryptoToken getToken(); + +} diff --git a/pki/base/common/src/com/netscape/certsrv/security/IToken.java b/pki/base/common/src/com/netscape/certsrv/security/IToken.java new file mode 100644 index 000000000..4211806fc --- /dev/null +++ b/pki/base/common/src/com/netscape/certsrv/security/IToken.java 
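Review bot: `setNoOfRequiredAgents(int number)` and `changeAgentMN(int n, int m, ...)` define the M-of-N recovery threshold but document no constraint relating `m` to `n` or to the count returned by `getNoOfAgents()`, and `setNoOfRequiredAgents` cannot even report an invalid value because it declares no exception; both Javadocs should state the accepted range (presumably `1 <= m <= n` — confirm against the implementation) and how an out-of-range value is reported. `getAgentIdentifiers()` returns a raw `Enumeration` although its Javadoc promises "string-based agent identifiers"; `public Enumeration<String> getAgentIdentifiers();` would make that the compiler's job if the codebase uses generics. `getToken()` is added without any Javadoc, and the `@exception` text on `changeAgentMN` says "schema" where "scheme" is meant.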
@@ -0,0 +1,50 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.security;
+
+
+import java.util.*;
+import java.io.*;
+import java.net.*;
+import java.security.*;
+import java.security.cert.*;
+import netscape.security.x509.*;
+import netscape.security.util.*;
+import com.netscape.certsrv.base.*;
+
+
+/**
+ * An interface represents a generic token unit.
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IToken {
+
+ /**
+ * Logins to the token unit.
+ *
+ * @param pin password to access the token
+ * @exception EBaseException failed to login to this token
+ */
+ public void login(String pin) throws EBaseException;
+
+ /**
+ * Logouts token.
+ */
+ public void logout();
+}
diff --git a/pki/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java b/pki/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
new file mode 100644
index 000000000..1ad0e378c
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
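Review bot: The import block pulls in `java.util.*`, `java.io.*`, `java.net.*`, `java.security.*`, `java.security.cert.*`, `netscape.security.x509.*` and `netscape.security.util.*`, none of which is referenced by `login` or `logout`; only `com.netscape.certsrv.base.*` (for `EBaseException`) is needed, and the unused wildcards invite the simple-name ambiguity `ISigningUnit` already has with `X509Certificate`. The `login` Javadoc does not say whether an incorrect PIN is surfaced as `EBaseException` or left to the token's own error; `* @exception EBaseException failed to login to this token, including an incorrect pin` would settle it if that is the intent — confirm against the implementation. `logout()` has no statement of what happens when the token was never logged in. "Logins to the token unit" and "Logouts token" read better as "Logs in to the token unit" and "Logs out of the token".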
@@ -0,0 +1,55 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.security; + + +import java.util.*; +import java.io.*; +import java.net.*; +import java.security.*; +import java.security.cert.X509Certificate; +import netscape.security.x509.*; +import netscape.security.util.*; +import com.netscape.certsrv.base.*; +import org.mozilla.jss.crypto.*; +import org.mozilla.jss.crypto.PrivateKey; + + +/** + * An interface represents the transport key pair. + * This key pair is used to protected EE's private + * key in transit. + * + * @version $Revision$, $Date$ + */ +public interface ITransportKeyUnit extends IEncryptionUnit { + + /** + * Retrieves public key. + * + * @return certificate + */ + public org.mozilla.jss.crypto.X509Certificate getCertificate(); + public SymmetricKey unwrap_sym(byte encSymmKey[]); + public SymmetricKey unwrap_encrypt_sym(byte encSymmKey[]); + public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey + pubKey) throws EBaseException; + public CryptoToken getToken(); + public String getSigningAlgorithm() throws EBaseException; + public void setSigningAlgorithm(String str) throws EBaseException; +} 
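Review bot: `unwrap_sym`, `unwrap_encrypt_sym` and `unwrap_temp` carry no Javadoc and have inconsistent failure contracts: the first two declare no exception while `unwrap_temp` throws `EBaseException`, so a caller handling a malformed or wrongly-wrapped blob cannot tell whether to expect `null` or an exception. Since these methods receive wrapped key material from the EE, that contract matters; each needs a Javadoc stating what is unwrapped, which key does the unwrapping, and the failure behaviour as the implementations actually have it (e.g. `@return the unwrapped symmetric key, or null if unwrapping fails`), or better, `throws EBaseException` on all three so failures cannot be ignored silently. The `getCertificate()` Javadoc says "Retrieves public key" but the method returns the transport certificate, and the class comment should read "used to protect EE's private key in transit". The fully-qualified return type `org.mozilla.jss.crypto.X509Certificate` is only needed because the single-type `import java.security.cert.X509Certificate` (otherwise unused here) shadows the JSS wildcard; importing the JSS type explicitly instead removes the qualification.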
diff --git a/pki/base/common/src/com/netscape/certsrv/security/KeyCertData.java b/pki/base/common/src/com/netscape/certsrv/security/KeyCertData.java
new file mode 100644
index 000000000..87dd298f7
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/security/KeyCertData.java
@@ -0,0 +1,813 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.security;
+
+
+import java.util.*;
+import java.security.*;
+import java.math.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.common.*;
+import org.mozilla.jss.crypto.*;
+import netscape.security.x509.*;
+
+/**
+ * This class represents a container for storaging
+ * data in the security package.
+ *
+ * @version $Revision$, $Date$
+ */
+public class KeyCertData extends Properties {
+
+ /**
+ * Constructs a key certificate data.
+ */
+ public KeyCertData() {
+ super();
+ }
+
+ /**
+ * Retrieves the key pair from this container.
+ *
+ * @return key pair
+ */
+ public KeyPair getKeyPair() {
+ return (KeyPair) get("keypair");
+ }
+
+ /**
+ * Sets key pair into this container.
+ *
+ * @param keypair key pair
+ */
+ public void setKeyPair(KeyPair keypair) {
+ put("keypair", keypair);
+ }
+
+ /**
+ * Retrieves the issuer name from this container.
+ *
+ * @return issuer name
+ */
+ public String getIssuerName() {
+ return (String) get(Constants.PR_ISSUER_NAME);
+ }
+
+ /**
+ * Sets the issuer name in this container.
+ *
+ * @param name issuer name
+ */
+ public void setIssuerName(String name) {
+ put(Constants.PR_ISSUER_NAME, name);
+ }
+
+ /**
+ * Retrieves certificate server instance name.
+ *
+ * @return instance name
+ */
+ public String getCertInstanceName() {
+ return (String) get(ConfigConstants.PR_CERT_INSTANCE_NAME);
+ }
+
+ /**
+ * Sets certificate server instance name.
+ *
+ * @param name instance name
+ */
+ public void setCertInstanceName(String name) {
+ put(ConfigConstants.PR_CERT_INSTANCE_NAME, name);
+ }
+
+ /**
+ * Retrieves certificate nickname.
+ *
+ * @return certificate nickname
+ */
+ public String getCertNickname() {
+ return (String) get(Constants.PR_NICKNAME);
+ }
+
+ /**
+ * Sets certificate nickname.
+ *
+ * @param nickname certificate nickname
+ */
+ public void setCertNickname(String nickname) {
+ put(Constants.PR_NICKNAME, nickname);
+ }
+
+ /**
+ * Retrieves key length.
+ *
+ * @return key length
+ */
+ public String getKeyLength() {
+ return (String) get(Constants.PR_KEY_LENGTH);
+ }
+
+ /**
+ * Sets key length.
+ *
+ * @param len key length
+ */
+ public void setKeyLength(String len) {
+ put(Constants.PR_KEY_LENGTH, len);
+ }
+
+ /**
+ * Retrieves key type.
+ *
+ * @return key type
+ */
+ public String getKeyType() {
+ return (String) get(Constants.PR_KEY_TYPE);
+ }
+
+ /**
+ * Sets key type.
+ *
+ * @param type key type
+ */
+ public void setKeyType(String type) {
+ put(Constants.PR_KEY_TYPE, type);
+ }
+
+ /**
+ * Retrieves key curve name.
+ *
+ * @return key curve name
+ */
+ public String getKeyCurveName() {
+ return (String) get(Constants.PR_KEY_CURVENAME);
+ }
+
+ /**
+ * Sets key curvename.
+ *
+ * @param len key curvename
+ */
+ public void setKeyCurveName(String len) {
+ put(Constants.PR_KEY_CURVENAME, len);
+ }
+
+ /**
+ * Retrieves signature algorithm.
+ *
+ * @return signature algorithm
+ */
+ public SignatureAlgorithm getSignatureAlgorithm() {
+ return (SignatureAlgorithm) get(Constants.PR_SIGNATURE_ALGORITHM);
+ }
+
+ /**
+ * Sets signature algorithm
+ *
+ * @param alg signature algorithm
+ */
+ public void setSignatureAlgorithm(SignatureAlgorithm alg) {
+ put(Constants.PR_SIGNATURE_ALGORITHM, alg);
+ }
+
+ /**
+ * Retrieves algorithm used to sign the root CA Cert.
+ *
+ * @return signature algorithm
+ */
+ public String getSignedBy() {
+ return (String) get(Constants.PR_SIGNEDBY_TYPE);
+ }
+
+ /**
+ * Sets signature algorithm used to sign root CA cert
+ *
+ * @param alg signature algorithm
+ */
+ public void setSignedBy(String alg) {
+ put(Constants.PR_SIGNEDBY_TYPE, alg);
+ }
+
+ /**
+ * Retrieves signature algorithm.
+ *
+ * @return signature algorithm
+ */
+ public AlgorithmId getAlgorithmId() {
+ return (AlgorithmId) get(Constants.PR_ALGORITHM_ID);
+ }
+
+ /**
+ * Sets algorithm identifier
+ *
+ * @param id signature algorithm
+ */
+ public void setAlgorithmId(AlgorithmId id) {
+ put(Constants.PR_ALGORITHM_ID, id);
+ }
+
+ /**
+ * Retrieves serial number.
+ *
+ * @return serial number
+ */
+ public BigInteger getSerialNumber() {
+ return (BigInteger) get("serialno");
+ }
+
+ /**
+ * Sets serial number.
+ *
+ * @param num serial number
+ */
+ public void setSerialNumber(BigInteger num) {
+ put("serialno", num);
+ }
+
+ /**
+ * Retrieves configuration file.
+ *
+ * @return configuration file
+ */
+ public IConfigStore getConfigFile() {
+ return (IConfigStore)(get("cmsFile"));
+ }
+
+ /**
+ * Sets configuration file.
+ *
+ * @param file configuration file
+ */
+ public void setConfigFile(IConfigStore file) {
+ put("cmsFile", file);
+ }
+
+ /**
+ * Retrieves begining year of validity.
+ *
+ * @return begining year
+ */
+ public String getBeginYear() {
+ return (String) get(Constants.PR_BEGIN_YEAR);
+ }
+
+ /**
+ * Sets begining year of validity.
+ *
+ * @param year begining year
+ */
+ public void setBeginYear(String year) {
+ put(Constants.PR_BEGIN_YEAR, year);
+ }
+
+ /**
+ * Retrieves ending year of validity.
+ *
+ * @return ending year
+ */
+ public String getAfterYear() {
+ return (String) get(Constants.PR_AFTER_YEAR);
+ }
+
+ /**
+ * Sets ending year of validity.
+ *
+ * @param year ending year
+ */
+ public void setAfterYear(String year) {
+ put(Constants.PR_AFTER_YEAR, year);
+ }
+
+ /**
+ * Retrieves begining month of validity.
+ *
+ * @return begining month
+ */
+ public String getBeginMonth() {
+ return (String) get(Constants.PR_BEGIN_MONTH);
+ }
+
+ /**
+ * Sets begining month of validity.
+ *
+ * @param month begining month
+ */
+ public void setBeginMonth(String month) {
+ put(Constants.PR_BEGIN_MONTH, month);
+ }
+
+ /**
+ * Retrieves ending month of validity.
+ *
+ * @return ending month
+ */
+ public String getAfterMonth() {
+ return (String) get(Constants.PR_AFTER_MONTH);
+ }
+
+ /**
+ * Sets ending month of validity.
+ *
+ * @param month ending month
+ */
+ public void setAfterMonth(String month) {
+ put(Constants.PR_AFTER_MONTH, month);
+ }
+
+ /**
+ * Retrieves begining date of validity.
+ *
+ * @return begining date
+ */
+ public String getBeginDate() {
+ return (String) get(Constants.PR_BEGIN_DATE);
+ }
+
+ /**
+ * Sets begining date of validity.
+ *
+ * @param date begining date
+ */
+ public void setBeginDate(String date) {
+ put(Constants.PR_BEGIN_DATE, date);
+ }
+
+ /**
+ * Retrieves ending date of validity.
+ *
+ * @return ending date
+ */
+ public String getAfterDate() {
+ return (String) get(Constants.PR_AFTER_DATE);
+ }
+
+ /**
+ * Sets ending date of validity.
+ *
+ * @param date ending date
+ */
+ public void setAfterDate(String date) {
+ put(Constants.PR_AFTER_DATE, date);
+ }
+
+ /**
+ * Retrieves starting hour of validity.
+ *
+ * @return starting hour
+ */
+ public String getBeginHour() {
+ return (String) get(Constants.PR_BEGIN_HOUR);
+ }
+
+ /**
+ * Sets starting hour of validity.
+ *
+ * @param hour starting hour
+ */
+ public void setBeginHour(String hour) {
+ put(Constants.PR_BEGIN_HOUR, hour);
+ }
+
+ /**
+ * Retrieves ending hour of validity.
+ *
+ * @return ending hour
+ */
+ public String getAfterHour() {
+ return (String) get(Constants.PR_AFTER_HOUR);
+ }
+
+ /**
+ * Sets ending hour of validity.
+ *
+ * @param hour ending hour
+ */
+ public void setAfterHour(String hour) {
+ put(Constants.PR_AFTER_HOUR, hour);
+ }
+
+ /**
+ * Retrieves starting minute of validity.
+ *
+ * @return starting minute
+ */
+ public String getBeginMin() {
+ return (String) get(Constants.PR_BEGIN_MIN);
+ }
+
+ /**
+ * Sets starting minute of validity.
+ *
+ * @param min starting minute
+ */
+ public void setBeginMin(String min) {
+ put(Constants.PR_BEGIN_MIN, min);
+ }
+
+ /**
+ * Retrieves ending minute of validity.
+ *
+ * @return ending minute
+ */
+ public String getAfterMin() {
+ return (String) get(Constants.PR_AFTER_MIN);
+ }
+
+ /**
+ * Sets ending minute of validity.
+ *
+ * @param min ending minute
+ */
+ public void setAfterMin(String min) {
+ put(Constants.PR_AFTER_MIN, min);
+ }
+
+ /**
+ * Retrieves starting second of validity.
+ *
+ * @return starting second
+ */
+ public String getBeginSec() {
+ return (String) get(Constants.PR_BEGIN_SEC);
+ }
+
+ /**
+ * Sets starting second of validity.
+ *
+ * @param sec starting second
+ */
+ public void setBeginSec(String sec) {
+ put(Constants.PR_BEGIN_SEC, sec);
+ }
+
+ /**
+ * Retrieves ending second of validity.
+ *
+ * @return ending second
+ */
+ public String getAfterSec() {
+ return (String) get(Constants.PR_AFTER_SEC);
+ }
+
+ /**
+ * Sets ending second of validity.
+ *
+ * @param sec ending second
+ */
+ public void setAfterSec(String sec) {
+ put(Constants.PR_AFTER_SEC, sec);
+ }
+
+ /**
+ * Retrieves CA key pair
+ *
+ * @return CA key pair
+ */
+ public KeyPair getCAKeyPair() {
+ return (KeyPair) get(Constants.PR_CA_KEYPAIR);
+ }
+
+ /**
+ * Sets CA key pair
+ *
+ * @param keypair key pair
+ */
+ public void setCAKeyPair(KeyPair keypair) {
+ put(Constants.PR_CA_KEYPAIR, keypair);
+ }
+
+ /**
+ * Retrieves extensions
+ *
+ * @return extensions
+ */
+ public String getDerExtension() {
+ return (String) get(Constants.PR_DER_EXTENSION);
+ }
+
+ /**
+ * Sets extensions
+ *
+ * @param ext extensions
+ */
+ public void setDerExtension(String ext) {
+ put(Constants.PR_DER_EXTENSION, ext);
+ }
+
+ /**
+ * Retrieves isCA
+ *
+ * @return "true" if it is CA
+ */
+ public String isCA() {
+ return (String) get(Constants.PR_IS_CA);
+ }
+
+ /**
+ * Sets isCA
+ *
+ * @param ext "true" if it is CA
+ */
+ public void setCA(String ext) {
+ put(Constants.PR_IS_CA, ext);
+ }
+
+ /**
+ * Retrieves key length
+ *
+ * @return certificate's key length
+ */
+ public String getCertLen() {
+ return (String) get(Constants.PR_CERT_LEN);
+ }
+
+ /**
+ * Sets key length
+ *
+ * @param len certificate's key length
+ */
+ public void setCertLen(String len) {
+ put(Constants.PR_CERT_LEN, len);
+ }
+
+ /**
+ * Retrieves SSL Client bit
+ *
+ * @return SSL Client bit
+ */
+ public String getSSLClientBit() {
+ return (String) get(Constants.PR_SSL_CLIENT_BIT);
+ }
+
+ /**
+ * Sets SSL Client bit
+ *
+ * @param sslClientBit SSL Client bit
+ */
+ public void setSSLClientBit(String sslClientBit) {
+ put(Constants.PR_SSL_CLIENT_BIT, sslClientBit);
+ }
+
+ /**
+ * Retrieves SSL Server bit
+ *
+ * @return SSL Server bit
+ */
+ public String getSSLServerBit() {
+ return (String) get(Constants.PR_SSL_SERVER_BIT);
+ }
+
+ /**
+ * Sets SSL Server bit
+ *
+ * @param sslServerBit SSL Server bit
+ */
+ public void setSSLServerBit(String sslServerBit) {
+ put(Constants.PR_SSL_SERVER_BIT, sslServerBit);
+ }
+
+ /**
+ * Retrieves SSL Mail bit
+ *
+ * @return SSL Mail bit
+ */
+ public String getSSLMailBit() {
+ return (String) get(Constants.PR_SSL_MAIL_BIT);
+ }
+
+ /**
+ * Sets SSL Mail bit
+ *
+ * @param sslMailBit SSL Mail bit
+ */
+ public void setSSLMailBit(String sslMailBit) {
+ put(Constants.PR_SSL_MAIL_BIT, sslMailBit);
+ }
+
+ /**
+ * Retrieves SSL CA bit
+ *
+ * @return SSL CA bit
+ */
+ public String getSSLCABit() {
+ return (String) get(Constants.PR_SSL_CA_BIT);
+ }
+
+ /**
+ * Sets SSL CA bit
+ *
+ * @param cabit SSL CA bit
+ */
+ public void setSSLCABit(String cabit) {
+ put(Constants.PR_SSL_CA_BIT, cabit);
+ }
+
+ /**
+ * Retrieves SSL Signing bit
+ *
+ * @return SSL Signing bit
+ */
+ public String getObjectSigningBit() {
+ return (String) get(Constants.PR_OBJECT_SIGNING_BIT);
+ }
+
+ /**
+ * Retrieves Time Stamping bit
+ *
+ * @return Time Stamping bit
+ */
+ public String getTimeStampingBit() {
+ return (String) get(Constants.PR_TIMESTAMPING_BIT);
+ }
+
+ /**
+ * Sets SSL Signing bit
+ *
+ * @param objectSigningBit SSL Signing bit
+ */
+ public void setObjectSigningBit(String objectSigningBit) {
+ put(Constants.PR_OBJECT_SIGNING_BIT, objectSigningBit);
+ }
+
+ /**
+ * Retrieves SSL Mail CA bit
+ *
+ * @return SSL Mail CA bit
+ */
+ public String getMailCABit() {
+ return (String) get(Constants.PR_MAIL_CA_BIT);
+ }
+
+ /**
+ * Sets SSL Mail CA bit
+ *
+ * @param mailCABit SSL Mail CA bit
+ */
+ public void setMailCABit(String mailCABit) {
+ put(Constants.PR_MAIL_CA_BIT, mailCABit);
+ }
+
+ /**
+ * Retrieves SSL Object Signing bit
+ *
+ * @return SSL Object Signing bit
+ */
+ public String getObjectSigningCABit() {
+ return (String) get(Constants.PR_OBJECT_SIGNING_CA_BIT);
+ }
+
+ /**
+ * Sets SSL Object Signing bit
+ *
+ * @param bit SSL Object Signing bit
+ */
+ public void setObjectSigningCABit(String bit) {
+ put(Constants.PR_OBJECT_SIGNING_CA_BIT, bit);
+ }
+
+ /**
+ * Retrieves OCSP Signing flag
+ *
+ * @return OCSP Signing flag
+ */
+ public String getOCSPSigning() {
+ return (String) get(Constants.PR_OCSP_SIGNING);
+ }
+
+ /**
+ * Sets OCSP Signing flag
+ *
+ * @param aki OCSP Signing flag
+ */
+ public void setOCSPSigning(String aki) {
+ put(Constants.PR_OCSP_SIGNING, aki);
+ }
+
+ /**
+ * Retrieves OCSP No Check flag
+ *
+ * @return OCSP No Check flag
+ */
+ public String getOCSPNoCheck() {
+ return (String) get(Constants.PR_OCSP_NOCHECK);
+ }
+
+ /**
+ * Sets OCSP No Check flag
+ *
+ * @param noCheck OCSP No Check flag
+ */
+ public void setOCSPNoCheck(String noCheck) {
+ put(Constants.PR_OCSP_NOCHECK, noCheck);
+ }
+
+ /**
+ * Retrieves Authority Information Access flag
+ *
+ * @return Authority Information Access flag
+ */
+ public String getAIA() {
+ return (String) get(Constants.PR_AIA);
+ }
+
+ /**
+ * Sets Authority Information Access flag
+ *
+ * @param aia Authority Information Access flag
+ */
+ public void setAIA(String aia) {
+ put(Constants.PR_AIA, aia);
+ }
+
+ /**
+ * Retrieves Authority Key Identifier flag
+ *
+ * @return Authority Key Identifier flag
+ */
+ public String getAKI() {
+ return (String) get(Constants.PR_AKI);
+ }
+
+ /**
+ * Sets Authority Key Identifier flag
+ *
+ * @param aki Authority Key Identifier flag
+ */
+ public void setAKI(String aki) {
+ put(Constants.PR_AKI, aki);
+ }
+
+ /**
+ * Retrieves Subject Key Identifier flag
+ *
+ * @return Subject Key Identifier flag
+ */
+ public String getSKI() {
+ return (String) get(Constants.PR_SKI);
+ }
+
+ /**
+ * Sets Subject Key Identifier flag
+ *
+ * @param ski Subject Key Identifier flag
+ */
+ public void setSKI(String ski) {
+ put(Constants.PR_SKI, ski);
+ }
+
+ /**
+ * Retrieves key usage extension
+ *
+ * @return true if key usage extension set
+ */
+ public boolean getKeyUsageExtension() {
+ String str = (String) get(Constants.PR_KEY_USAGE);
+
+ if (str == null || str.equals(ConfigConstants.FALSE))
+ return false;
+ return true;
+ }
+
+ /**
+ * Sets CA extensions
+ *
+ * @param ext CA extensions
+ */
+ public void setCAExtensions(CertificateExtensions ext) {
+ put("CAEXTENSIONS", ext);
+ }
+
+ /**
+ * Retrieves CA extensions
+ *
+ * @return CA extensions
+ */
+ public CertificateExtensions getCAExtensions() {
+ return (CertificateExtensions) get("CAEXTENSIONS");
+ }
+
+ /**
+ * Retrieves hash type
+ *
+ * @return hash type
+ */
+ public String getHashType() {
+ return (String) get(ConfigConstants.PR_HASH_TYPE);
+ }
+}
+
-- cgit
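Review bot: `getKeyUsageExtension()` treats every non-null value other than an exact, case-sensitive match of `ConfigConstants.FALSE` as true, so a stray `"False"`, `"no"` or empty string silently enables the extension; the check should be `if (str == null || str.equalsIgnoreCase(ConfigConstants.FALSE))` and the same parsing should back `isCA()` and the `get*Bit()` accessors, which currently hand raw strings to every caller to re-interpret. Four entries (`"keypair"`, `"serialno"`, `"cmsFile"`, `"CAEXTENSIONS"`) use bare literal keys in the same `Hashtable` namespace as the `Constants.PR_*` keys, so a collision would overwrite a value with no compiler help; hoist them to `private static final String` constants. Every getter is an unchecked cast out of `Properties`, so a `put` with the wrong type surfaces later as a `ClassCastException` far from the offending setter; typed private fields would keep the same API with compile-time checking. This container also carries the CA and EE key pairs (`PR_CA_KEYPAIR`, `"keypair"`) inside a `Serializable` `Properties`, so it should never be serialized or dumped wholesale; a class-level note such as `Holds private key material; do not serialize, log or dump this object` would warn future callers.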