// --- BEGIN COPYRIGHT BLOCK ---
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; version 2 of the License.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// (C) 2007 Red Hat, Inc.
// All rights reserved.
// --- END COPYRIGHT BLOCK ---
package com.netscape.cmscore.security;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.math.BigInteger;
import java.net.SocketException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Locale;
import java.util.StringTokenizer;
import java.util.Vector;
import netscape.ldap.util.DN;
import netscape.security.x509.AlgIdDSA;
import netscape.security.x509.AlgorithmId;
import netscape.security.x509.BasicConstraintsExtension;
import netscape.security.x509.CertificateExtensions;
import netscape.security.x509.X500Name;
import netscape.security.x509.X509CertImpl;
import netscape.security.x509.X509CertInfo;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.CryptoManager.NicknameConflictException;
import org.mozilla.jss.CryptoManager.NotInitializedException;
import org.mozilla.jss.CryptoManager.UserCertConflictException;
import org.mozilla.jss.NoSuchTokenException;
import org.mozilla.jss.asn1.ASN1Util;
import org.mozilla.jss.asn1.InvalidBERException;
import org.mozilla.jss.asn1.SET;
import org.mozilla.jss.crypto.AlreadyInitializedException;
import org.mozilla.jss.crypto.CryptoStore;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.InternalCertificate;
import org.mozilla.jss.crypto.KeyPairAlgorithm;
import org.mozilla.jss.crypto.NoSuchItemOnTokenException;
import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.mozilla.jss.crypto.PQGParamGenException;
import org.mozilla.jss.crypto.PQGParams;
import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.SignatureAlgorithm;
import org.mozilla.jss.crypto.TokenCertificate;
import org.mozilla.jss.crypto.TokenException;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.pkcs11.PK11SecureRandom;
import org.mozilla.jss.pkcs7.ContentInfo;
import org.mozilla.jss.pkcs7.SignedData;
import org.mozilla.jss.pkix.cert.Certificate;
import org.mozilla.jss.ssl.SSLServerSocket;
import org.mozilla.jss.ssl.SSLSocket;
import org.mozilla.jss.util.IncorrectPasswordException;
import org.mozilla.jss.util.Password;
import org.mozilla.jss.util.PasswordCallback;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.ISubsystem;
import com.netscape.certsrv.common.Constants;
import com.netscape.certsrv.common.NameValuePairs;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.security.ICryptoSubsystem;
import com.netscape.certsrv.security.KeyCertData;
import com.netscape.cmscore.cert.CertPrettyPrint;
import com.netscape.cmscore.cert.CertUtils;
import com.netscape.cmscore.util.Debug;
import com.netscape.cmsutil.crypto.CryptoUtil;
import com.netscape.cmsutil.util.Utils;
/**
* Subsystem for initializing JSS.
*
*
* @version $Revision$ $Date$
*/
public final class JssSubsystem implements ICryptoSubsystem {
/** Subsystem id under which this component is registered; also returned by getId(). */
public static final String ID = "jss";
/** Config key for the NSS certificate/key database directory handed to CryptoManager in init(). */
private static final String CONFIG_DIR = "configDir";
/** Config key: when false, init() returns without initializing JSS. */
private static final String PROP_ENABLE = "enable";
/** Config key for an optional hardcoded token password, read in init() into mPWCB. */
private static final String PASSWORD_ALIAS = "password";
private static final String mId = ID;
/** This subsystem's config store; null until init() runs. */
protected IConfigStore mConfig = null;
/** Set at the end of init(); a second init() call returns early. */
private boolean mInited = false;
/** Assigned in init() from CMS.getLogger(); log() dereferences it. */
private ILogger mLogger = null;
/** Obtained in init() after CryptoManager.initialize(); null before that. */
private CryptoManager mCryptoManager = null;
/** Password callback built from the hardcoded config password, if any; otherwise null. */
protected PasswordCallback mPWCB = null;
/** The singleton returned by getInstance(). */
private static JssSubsystem mInstance = new JssSubsystem();
// NOTE(review): the Hashtable declarations in this copy of the file carry no type
// parameters, yet initSSL() assigns mCipherNames.get(...) straight to an Integer;
// the generic parameters were presumably lost in transcription — confirm against
// the original source.
private Hashtable mNicknameMapCertsTable = new Hashtable();
private Hashtable mNicknameMapUserCertsTable =
        new Hashtable();
/** Entropy source opened in init() ("/dev/urandom"); null until then, read by addEntropy(). */
private FileInputStream devRandomInputStream = null;
// This date format is to format the date string of the certificate in such a way as
// May 01, 1999 01:55:55.
// SimpleDateFormat is not thread-safe, so this shared static instance must not be
// used from several threads at once.
private static SimpleDateFormat mFormatter = new SimpleDateFormat("MMMMM dd, yyyy HH:mm:ss");
// SSL related variables.
/** The "ssl" substore of mConfig; set in initSSL(), null before that. */
private IConfigStore mSSLConfig = null;
private static final String PROP_SSL = "ssl";
private static final String PROP_SSL_CIPHERPREF = Constants.PR_CIPHER_PREF;
private static final String PROP_SSL_ECTYPE = Constants.PR_ECTYPE;
/** Cipher preference name -> JSS suite id, filled by the static initializer below. */
private static Hashtable mCipherNames = new Hashtable();
/* Default cipher preference string, used by getCipherPreferences() when the config
 * sets none. Every entry is a TLS_* CBC suite with a SHA-1 MAC, and one of them
 * (TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA) is 3DES, a 64-bit-block legacy cipher;
 * review this list against current policy. */
private static final String DEFAULT_CIPHERPREF =
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +
        "TLS_RSA_WITH_AES_128_CBC_SHA," +
        "TLS_RSA_WITH_AES_256_CBC_SHA," +
        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +
        // "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +
        // "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +
        // "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA," +
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA," +
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
/* Suites that initSSL() disables before enabling the configured ones. Despite the
 * original "all ciphers JSS supports" wording this is not exhaustive: none of the
 * TLS_* names in DEFAULT_CIPHERPREF appear here, so the disable loop never touches
 * them and they stay in whatever state JSS defaults to. The entries are all
 * SSL2/SSL3/export-grade suites (RC4, RC2, DES, MD5, Fortezza). */
private static final int mJSSCipherSuites[] = {
        SSLSocket.SSL2_RC4_128_WITH_MD5,
        SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5,
        SSLSocket.SSL2_RC2_128_CBC_WITH_MD5,
        SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,
        SSLSocket.SSL2_DES_64_CBC_WITH_MD5,
        SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5,
        SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
        SSLSocket.SSL3_RSA_WITH_RC4_128_MD5,
        SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
        SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA,
        SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
        SSLSocket.SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
        SSLSocket.SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,
        SSLSocket.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
        SSLSocket.TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
};
/*
 * Populates mCipherNames, the table initSSL() consults to turn a configured
 * cipher-preference name into a JSS suite id. Only names present here can be
 * enabled from config. The SSL2 entries are deliberately left commented out so
 * SSL2 suites cannot be turned on; the remaining entries still include a
 * NULL-encryption suite (SSL3_RSA_WITH_NULL_MD5), export-grade (EXPORT / EXPORT1024)
 * suites and RC4/DES/MD5 suites, all of which a configuration can therefore enable.
 */
static {
    /* set ssl cipher string names. */
    /* disallowing SSL2 ciphers to be turned on
    mCipherNames.put(Constants.PR_SSL2_RC4_128_WITH_MD5,
    Integer.valueOf(SSLSocket.SSL2_RC4_128_WITH_MD5));
    mCipherNames.put(Constants.PR_SSL2_RC4_128_EXPORT40_WITH_MD5,
    Integer.valueOf(SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5));
    mCipherNames.put(Constants.PR_SSL2_RC2_128_CBC_WITH_MD5,
    Integer.valueOf(SSLSocket.SSL2_RC2_128_CBC_WITH_MD5));
    mCipherNames.put(Constants.PR_SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,
    Integer.valueOf(SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5));
    mCipherNames.put(Constants.PR_SSL2_DES_64_CBC_WITH_MD5,
    Integer.valueOf(SSLSocket.SSL2_DES_64_CBC_WITH_MD5));
    mCipherNames.put(Constants.PR_SSL2_DES_192_EDE3_CBC_WITH_MD5,
    Integer.valueOf(SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5));
    */
    // NULL-encryption suite: no confidentiality at all if enabled.
    mCipherNames.put(Constants.PR_SSL3_RSA_WITH_NULL_MD5,
            Integer.valueOf(SSLSocket.SSL3_RSA_WITH_NULL_MD5));
    mCipherNames.put(Constants.PR_SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
            Integer.valueOf(SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5));
    mCipherNames.put(Constants.PR_SSL3_RSA_WITH_RC4_128_MD5,
            Integer.valueOf(SSLSocket.SSL3_RSA_WITH_RC4_128_MD5));
    mCipherNames.put(Constants.PR_SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
            Integer.valueOf(SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5));
    mCipherNames.put(Constants.PR_SSL3_RSA_WITH_DES_CBC_SHA,
            Integer.valueOf(SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA));
    mCipherNames.put(Constants.PR_SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
            Integer.valueOf(SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA));
    mCipherNames.put(Constants.PR_SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
            Integer.valueOf(SSLSocket.SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA));
    mCipherNames.put(Constants.PR_SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,
            Integer.valueOf(SSLSocket.SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA));
    mCipherNames.put(Constants.PR_SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
            Integer.valueOf(SSLSocket.SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA));
    mCipherNames.put(Constants.PR_SSL_RSA_FIPS_WITH_DES_CBC_SHA,
            Integer.valueOf(SSLSocket.SSL_RSA_FIPS_WITH_DES_CBC_SHA));
    mCipherNames.put(Constants.PR_TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
            Integer.valueOf(SSLSocket.TLS_RSA_EXPORT1024_WITH_RC4_56_SHA));
    mCipherNames.put(Constants.PR_TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
            Integer.valueOf(SSLSocket.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA));
}
/**
 * Returns the process-wide JssSubsystem singleton.
 *
 * @return the single instance created when this class was loaded
 */
public static JssSubsystem getInstance() {
    JssSubsystem shared = mInstance;
    return shared;
}
/**
 * Constructs a Security service subsystem.
 * Private: the only instance is mInstance, reached through getInstance().
 * All real setup happens later in init().
 */
private JssSubsystem() {
}
/**
 * Returns this subsystem's identifier.
 *
 * @return the constant id, {@code "jss"}
 */
public String getId() {
    final String subsystemId = mId;
    return subsystemId;
}
/**
 * Rejects any attempt to change the subsystem id; the id is fixed to {@code "jss"}.
 *
 * @param id ignored
 * @throws EBaseException always, carrying the CMS_BASE_INVALID_OPERATION message
 */
public void setId(String id) throws EBaseException {
    String message = CMS.getUserMessage("CMS_BASE_INVALID_OPERATION");
    throw new EBaseException(message);
}
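/**
 * Adds entropy to the 'default' RNG token.
 *
 * Reads {@code ceil(bits / 8)} bytes from the entropy stream opened by init()
 * and seeds the PKCS#11 RNG with them via {@link PK11SecureRandom#setSeed}.
 *
 * @param bits number of bits of entropy to add; rounded up to whole bytes
 * @throws IllegalArgumentException if {@code bits} is negative
 * @throws IOException if init() did not open the entropy stream, if the stream
 *         ends before enough bytes were read, or on any read error
 * @throws TokenException propagated from the JSS RNG
 */
public void addEntropy(int bits)
        throws org.mozilla.jss.util.NotImplementedException,
        IOException,
        TokenException {
    if (bits < 0) {
        throw new IllegalArgumentException("bits must be non-negative: " + bits);
    }
    int bytes = (7 + bits) / 8;
    byte[] b = new byte[bytes];
    if (devRandomInputStream == null) {
        throw new IOException(CMS.getLogMessage("CMSCORE_SECURITY_NO_ENTROPY_STREAM"));
    }
    int read = 0;
    while (read < bytes) {
        int c = devRandomInputStream.read(b, read, bytes - read);
        if (c < 0) {
            // A -1 (end of stream) used to be added to 'read', which could never
            // satisfy the loop condition and then produced a negative read offset.
            throw new IOException("entropy stream ended after " + read + " of " + bytes + " bytes");
        }
        read += c;
    }
    CMS.debug("JssSubsystem adding " + bits + " bits (" + bytes + " bytes) of entropy to default RNG token");
    // NOTE(review): this writes the seed bytes themselves to the debug log; the
    // logged material is exactly what is about to be mixed into the RNG, so
    // consider dropping this line.
    CMS.debug(b);
    PK11SecureRandom sr = new PK11SecureRandom();
    sr.setSeed(b);
}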
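/**
 * Initializes the Jss security subsystem.
 *
 * In order: remembers the logger and config; returns early if already
 * initialized or if {@code enable=false}; opens the entropy stream used by
 * addEntropy(); picks up an optional hardcoded token password; initializes the
 * JSS CryptoManager on the configured database directory; then configures the
 * SSL cipher preferences through initSSL().
 *
 * @param owner  the owning subsystem (not used here)
 * @param config this subsystem's configuration store
 * @throws EBaseException if CryptoManager initialization fails, or if the
 *         CryptoManager instance cannot be obtained afterwards
 */
public void init(ISubsystem owner, IConfigStore config)
        throws EBaseException {
    mLogger = CMS.getLogger();
    if (mInited) {
        // This used to throw an exception (e.g. - on Solaris).
        // If JSS is already initialized simply return.
        CMS.debug("JssSubsystem already inited.. returning.");
        return;
    }
    mConfig = config;
    // If disabled, just return
    boolean enabled = config.getBoolean(PROP_ENABLE, true);
    if (!enabled)
        return;
    try {
        devRandomInputStream = new FileInputStream("/dev/urandom");
    } catch (IOException ioe) {
        // Best effort: leave the stream null so that addEntropy() fails with
        // CMSCORE_SECURITY_NO_ENTROPY_STREAM, but record why instead of
        // swallowing the failure silently.
        CMS.debug("JssSubsystem init() could not open /dev/urandom: " + ioe);
    }
    // Optional hardcoded token password (intended for debugging). When present
    // the password sits in the configuration store in the clear.
    String pw;
    if ((pw = config.getString(PASSWORD_ALIAS, null)) != null) {
        mPWCB = new Password(pw.toCharArray());
        CMS.debug("JssSubsystem init() got password from hardcoded in config");
    }
    String certDir;
    certDir = config.getString(CONFIG_DIR, null);
    CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues(certDir, "", "", "secmod.db");
    vals.removeSunProvider = false;
    vals.installJSSProvider = true;
    try {
        CryptoManager.initialize(vals);
    } catch (AlreadyInitializedException e) {
        // JSS was presumably initialized by another component in this process;
        // the existing instance is picked up below.
    } catch (Exception e) {
        String[] params = { mId, e.toString() };
        EBaseException ex = new EBaseException(CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GENERAL_ERROR", ex.toString()));
        throw ex;
    }
    try {
        mCryptoManager = CryptoManager.getInstance();
        initSSL();
    } catch (CryptoManager.NotInitializedException e) {
        String[] params = { mId, e.toString() };
        EBaseException ex = new EBaseException(CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GENERAL_ERROR", ex.toString()));
        throw ex;
    }
    mInited = true;
}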
/**
 * Returns the cipher-strength classification of this build.
 *
 * @return always {@code "cipherdomestic"}
 * @throws EBaseException never actually thrown here
 */
public String getCipherVersion() throws EBaseException {
    final String domestic = "cipherdomestic";
    return domestic;
}
/**
 * Returns the configured SSL cipher preference string.
 *
 * @return the value of the ssl cipher-preference property, DEFAULT_CIPHERPREF if that
 *         value is empty, or {@code ""} while the ssl config substore is not yet loaded
 * @throws EBaseException propagated from the config store
 */
public String getCipherPreferences() throws EBaseException {
    if (mSSLConfig == null) {
        return "";
    }
    String configured = mSSLConfig.getString(PROP_SSL_CIPHERPREF, "");
    return configured.equals("") ? DEFAULT_CIPHERPREF : configured;
}
/**
 * Returns the EC key type configured for a certificate type.
 *
 * @param certType prefix of the property to consult, e.g. for the SSL server
 *                 cert the property is jss.ssl.sslserver.ectype
 * @return the configured value, or {@code "ECDHE"} when unset or when the ssl
 *         config substore is not loaded
 * @throws EBaseException propagated from the config store
 */
public String getECType(String certType) throws EBaseException {
    final String fallback = "ECDHE";
    if (mSSLConfig == null) {
        return fallback;
    }
    String property = certType + "." + PROP_SSL_ECTYPE;
    return mSSLConfig.getString(property, fallback);
}
/**
 * Reports whether Fortezza cipher suites should be displayed.
 *
 * Always {@code "true"}: working out which tokens and certs back the Fortezza
 * suites was judged too much effort, so the suites are always shown.
 *
 * @return the string {@code "true"}
 * @throws EBaseException never actually thrown here
 */
public String isCipherFortezza() throws EBaseException {
    final String alwaysDisplayed = "true";
    return alwaysDisplayed;
}
/**
 * Installs the CMS JCA provider at position 1 of the provider list.
 *
 * Security.insertProviderAt returns -1 when a provider of that name is already
 * installed; that case is traced and logged as a failure but not thrown.
 */
void installProvider() {
    com.netscape.cmscore.security.Provider cmsProvider = new com.netscape.cmscore.security.Provider();
    int position = java.security.Security.insertProviderAt(cmsProvider, 1);
    if (position != -1) {
        return;
    }
    Debug.trace("Unable to install CMS provider");
    log(ILogger.LL_FAILURE,
            CMS.getLogMessage("CMSCORE_SECURITY_INSTALL_PROVIDER"));
}
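/**
 * Stores a new SSL cipher preference string in the ssl config substore.
 *
 * The names are not validated here; initSSL() is what later reads the value
 * and skips names it does not recognise. When the ssl substore is not loaded
 * (initSSL() has not run) the call is a no-op.
 *
 * @param cipherPrefs comma-separated cipher suite names
 * @throws EBaseException if {@code cipherPrefs} is null or empty, or if the
 *         config store rejects the write
 */
public void setCipherPreferences(String cipherPrefs)
        throws EBaseException {
    if (mSSLConfig == null) {
        return;
    }
    // A null argument used to escape as a NullPointerException; report it the
    // same way as an empty string.
    if (cipherPrefs == null || cipherPrefs.equals(""))
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_NO_EMPTY_CIPHERPREFS"));
    mSSLConfig.putString(Constants.PR_CIPHER_PREF, cipherPrefs);
}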
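/**
 * Initialize SSL cipher suites from config file.
 *
 * Disables every suite listed in mJSSCipherSuites, then enables each suite named
 * in the comma-separated cipher preference string that has an entry in
 * mCipherNames. Names without an entry are logged rather than silently skipped:
 * a preference string made only of unrecognised names would otherwise leave
 * every suite in mJSSCipherSuites disabled without any trace of why.
 *
 * @throws EBaseException if the preference string is non-empty but contains no
 *         names, or if reading the config fails
 */
private void initSSL() throws EBaseException {
    // JSS will AND what is set and what is allowed by export policy
    // so we can set what is requested.
    try {
        SSLServerSocket.configServerSessionIDCache(10, 0, 0, null);
    } catch (SocketException e) {
        // Best effort: the session-id cache is not required for operation.
        CMS.debug("JSSSubsystem: initSSL(): configServerSessionIDCache failed: " + e);
    }
    mSSLConfig = mConfig.getSubStore(PROP_SSL);
    String sslCiphers = null;
    if (mSSLConfig != null)
        sslCiphers = getCipherPreferences();
    if (Debug.ON)
        Debug.trace("configured ssl cipher prefs is " + sslCiphers);
    // first, disable all ciphers, since JSS defaults to all-enabled
    for (int i = mJSSCipherSuites.length - 1; i >= 0; i--) {
        try {
            SSLSocket.setCipherPreferenceDefault(mJSSCipherSuites[i],
                    false);
        } catch (SocketException e) {
            CMS.debug("JSSSubsystem: initSSL(): could not disable cipher " + mJSSCipherSuites[i] + ": " + e);
        }
    }
    // sslCiphers is null when there is no ssl substore; otherwise it is the
    // configured string or DEFAULT_CIPHERPREF (see getCipherPreferences).
    if (sslCiphers != null && sslCiphers.length() != 0) {
        StringTokenizer ciphers = new StringTokenizer(sslCiphers, ",");
        if (!ciphers.hasMoreTokens()) {
            log(ILogger.LL_FAILURE,
                    CMS.getLogMessage("CMSCORE_SECURITY_INVALID_CIPHER", sslCiphers));
            throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_PROPERTY", PROP_SSL_CIPHERPREF));
        }
        while (ciphers.hasMoreTokens()) {
            String cipher = ciphers.nextToken();
            Integer sslcipher = (Integer) mCipherNames.get(cipher);
            if (sslcipher == null) {
                // Unknown name: make it visible instead of dropping it silently.
                // NOTE(review): if the Constants.PR_* keys are the suite names
                // themselves, none of the TLS_* entries in DEFAULT_CIPHERPREF
                // have an entry in mCipherNames and would all land here — confirm.
                log(ILogger.LL_FAILURE,
                        CMS.getLogMessage("CMSCORE_SECURITY_INVALID_CIPHER", cipher));
                continue;
            }
            String msg = "setting ssl cipher " + cipher;
            CMS.debug("JSSSubsystem: initSSL(): " + msg);
            log(ILogger.LL_INFO, msg);
            if (Debug.ON)
                Debug.trace(msg);
            try {
                SSLSocket.setCipherPreferenceDefault(
                        sslcipher.intValue(), true);
            } catch (SocketException e) {
                CMS.debug("JSSSubsystem: initSSL(): could not enable cipher " + cipher + ": " + e);
            }
        }
    }
}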
/**
 * Retrieves a configuration store of this subsystem.
 *
 * @return the store passed to init(), or null if init() has not run
 */
public IConfigStore getConfigStore() {
    IConfigStore store = mConfig;
    return store;
}
/**
 * Starts up this service.
 * Nothing to do: all initialization is performed in init().
 *
 * @throws EBaseException never actually thrown here
 */
public void startup() throws EBaseException {
}
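/**
 * Shutdowns this subsystem.
 *
 * Closes the NSS databases only when {@code closeDatabases=true} is configured.
 * After talking to the NSS team, we should not call close databases by default,
 * since that calls NSS_Shutdown; the Web Server calls NSS_Shutdown itself.
 * Any failure is recorded in the debug log and otherwise ignored so that
 * shutdown can proceed.
 */
public void shutdown() {
    try {
        boolean isClosing = mConfig.getBoolean("closeDatabases", false);
        if (isClosing) {
            JSSDatabaseCloser closer = new JSSDatabaseCloser();
            closer.closeDatabases();
        }
    } catch (Exception e) {
        // Previously swallowed without a trace. Shutdown stays best-effort, but
        // the cause is recorded (mConfig is still null here if init() never ran).
        CMS.debug("JssSubsystem shutdown(): " + e);
    }
}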
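/**
 * Logs a message to the system log with a "JSS " prefix.
 *
 * @param level ILogger level (e.g. ILogger.LL_FAILURE, ILogger.LL_INFO)
 * @param msg   message text; it is emitted as {@code "JSS " + msg}
 */
public void log(int level, String msg) {
    String text = "JSS " + msg;
    if (mLogger == null) {
        // mLogger is only assigned in init(). Fall back to the debug log rather
        // than letting a NullPointerException replace the condition being reported.
        CMS.debug("[level " + level + "] " + text);
        return;
    }
    mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, level, text);
}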
/**
 * Returns the password callback built in init() from the hardcoded config
 * password.
 *
 * @return the callback, or null if no password was configured
 */
public PasswordCallback getPWCB() {
    PasswordCallback callback = mPWCB;
    return callback;
}
/**
 * Returns the name of the internal key storage token.
 *
 * @return the token name as reported by JSS
 * @throws EBaseException wrapping a TokenException, logged under
 *         CMSCORE_SECURITY_GENERAL_ERROR
 */
public String getInternalTokenName() throws EBaseException {
    CryptoToken internal = mCryptoManager.getInternalKeyStorageToken();
    try {
        return internal.getName();
    } catch (TokenException e) {
        String[] params = { mId, e.toString() };
        EBaseException failure = new EBaseException(
                CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GENERAL_ERROR", failure.toString()));
        throw failure;
    }
}
/**
 * Lists the names of the external tokens followed by the internal token.
 *
 * The "Builtin Object Token" is skipped. Names are comma-separated and the
 * internal token (Constants.PR_INTERNAL_TOKEN) is always appended last.
 *
 * @return the comma-separated token list, never empty
 * @throws EBaseException wrapping a TokenException from name lookup
 */
public String getTokenList() throws EBaseException {
    @SuppressWarnings("unchecked")
    Enumeration<CryptoToken> externalTokens = mCryptoManager.getExternalTokens();
    StringBuffer names = new StringBuffer();
    try {
        boolean first = true;
        while (externalTokens.hasMoreElements()) {
            CryptoToken token = externalTokens.nextElement();
            String name = token.getName();
            // skip builtin object token
            if (name != null && name.equals("Builtin Object Token")) {
                continue;
            }
            if (!first)
                names.append(",");
            first = false;
            names.append(name);
        }
    } catch (TokenException e) {
        String[] params = { mId, e.toString() };
        EBaseException failure = new EBaseException(
                CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GENERAL_ERROR", failure.toString()));
        throw failure;
    }
    if (names.length() == 0)
        return Constants.PR_INTERNAL_TOKEN;
    return names.append(",").append(Constants.PR_INTERNAL_TOKEN).toString();
}
/**
 * Reports whether the named token is currently logged in.
 *
 * @param name token name; Constants.PR_INTERNAL_TOKEN_NAME is mapped to
 *             Constants.PR_FULL_INTERNAL_TOKEN_NAME before lookup
 * @return the token's login state
 * @throws EBaseException CMS_BASE_TOKEN_ERROR on a TokenException, or
 *         CMS_BASE_TOKEN_NOT_FOUND if there is no such token
 */
public boolean isTokenLoggedIn(String name) throws EBaseException {
    try {
        String lookupName = name.equals(Constants.PR_INTERNAL_TOKEN_NAME)
                ? Constants.PR_FULL_INTERNAL_TOKEN_NAME
                : name;
        CryptoToken token = mCryptoManager.getTokenByName(lookupName);
        return token.isLoggedIn();
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_TOKEN_LOGGED_IN", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR"));
    } catch (NoSuchTokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_TOKEN_LOGGED_IN", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    }
}
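/**
 * Logs in to the named token with the given password.
 *
 * @param tokenName name of the token to log in to
 * @param pwd       the token password; must not be null
 * @throws EBaseException CMS_BASE_TOKEN_ERROR on a TokenException,
 *         CMS_BASE_LOGIN_FAILED on a wrong password, or
 *         CMS_BASE_TOKEN_NOT_FOUND if there is no such token
 */
public void loggedInToken(String tokenName, String pwd) throws EBaseException {
    try {
        CryptoToken ctoken = mCryptoManager.getTokenByName(tokenName);
        Password clk = new Password(pwd.toCharArray());
        try {
            ctoken.login(clk);
        } finally {
            // Zero the password copy as soon as the login attempt is over instead
            // of leaving it in the heap until it is garbage collected.
            clk.clear();
        }
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_TOKEN_LOGGED_IN", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR"));
    } catch (IncorrectPasswordException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_TOKEN_LOGGED_IN", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_LOGIN_FAILED"));
    } catch (NoSuchTokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_TOKEN_LOGGED_IN", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    }
}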
/**
 * Returns the subject name of the certificate with the given nickname on the
 * given token, delegating to KeyCertUtil.getCertSubjectName.
 *
 * @param tokenname token holding the certificate
 * @param nickname  certificate nickname
 * @return the subject name
 * @throws EBaseException CMS_BASE_TOKEN_NOT_FOUND for token problems,
 *         CMS_BASE_CRYPTOMANAGER_UNINITIALIZED if JSS is not initialized, or
 *         CMS_BASE_CERT_ERROR if the certificate cannot be parsed
 */
public String getCertSubjectName(String tokenname, String nickname)
        throws EBaseException {
    try {
        return KeyCertUtil.getCertSubjectName(tokenname, nickname);
    } catch (NoSuchTokenException e) {
        logSubjectNameFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (NotInitializedException e) {
        logSubjectNameFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        logSubjectNameFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (CertificateException e) {
        logSubjectNameFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ""));
    }
}

/** Logs a getCertSubjectName failure under the CMSCORE_SECURITY_SUBJECT_NAME key. */
private void logSubjectNameFailure(Exception e) {
    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_SUBJECT_NAME", e.toString()));
}
/**
 * Lists the nicknames of every certificate on every token.
 *
 * @return comma-separated nicknames, or {@code ""} if there are none
 * @throws EBaseException wrapping a TokenException, logged under
 *         CMSCORE_SECURITY_GENERAL_ERROR
 */
public String getAllCerts() throws EBaseException {
    StringBuffer nicknames = new StringBuffer();
    try {
        @SuppressWarnings("unchecked")
        Enumeration<CryptoToken> allTokens = mCryptoManager.getAllTokens();
        while (allTokens.hasMoreElements()) {
            CryptoStore store = allTokens.nextElement().getCryptoStore();
            for (X509Certificate cert : store.getCertificates()) {
                if (nicknames.length() > 0) {
                    nicknames.append(",");
                }
                nicknames.append(cert.getNickname());
            }
        }
    } catch (TokenException e) {
        String[] params = { mId, e.toString() };
        EBaseException failure = new EBaseException(
                CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GENERAL_ERROR", failure.toString()));
        throw failure;
    }
    return nicknames.toString();
}
/**
 * Lists the certificate nicknames on a token with any "token:" prefix removed.
 *
 * @param name token name; Constants.PR_INTERNAL_TOKEN selects the internal key
 *             storage token
 * @return comma-separated bare nicknames, or {@code ""} if the token or its
 *         certificate list is null
 * @throws EBaseException wrapping a TokenException or NoSuchTokenException,
 *         logged under CMSCORE_SECURITY_GENERAL_ERROR
 */
public String getCertListWithoutTokenName(String name) throws EBaseException {
    try {
        CryptoToken token = name.equals(Constants.PR_INTERNAL_TOKEN)
                ? mCryptoManager.getInternalKeyStorageToken()
                : mCryptoManager.getTokenByName(name);
        if (token == null) {
            return "";
        }
        X509Certificate[] certs = token.getCryptoStore().getCertificates();
        if (certs == null) {
            return "";
        }
        StringBuilder bareNames = new StringBuilder();
        for (int i = 0; i < certs.length; i++) {
            String nickname = certs[i].getNickname();
            // keep only what follows the first ':' (the token prefix is dropped)
            int colon = nickname.indexOf(":");
            if (colon != -1)
                nickname = nickname.substring(colon + 1);
            if (i != 0)
                bareNames.append(",");
            bareNames.append(nickname);
        }
        return bareNames.toString();
    } catch (TokenException e) {
        String[] params = { mId, e.toString() };
        EBaseException failure = new EBaseException(
                CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GENERAL_ERROR", failure.toString()));
        throw failure;
    } catch (NoSuchTokenException e) {
        String[] params = { mId, e.toString() };
        EBaseException failure = new EBaseException(
                CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GENERAL_ERROR", failure.toString()));
        throw failure;
    }
}
/**
 * Lists the certificate nicknames on a token, exactly as stored.
 *
 * @param name token name; Constants.PR_INTERNAL_TOKEN selects the internal key
 *             storage token
 * @return comma-separated nicknames, or {@code ""} if the token or its
 *         certificate list is null
 * @throws EBaseException wrapping a TokenException or NoSuchTokenException,
 *         logged under CMSCORE_SECURITY_GENERAL_ERROR
 */
public String getCertList(String name) throws EBaseException {
    try {
        CryptoToken token = name.equals(Constants.PR_INTERNAL_TOKEN)
                ? mCryptoManager.getInternalKeyStorageToken()
                : mCryptoManager.getTokenByName(name);
        if (token == null) {
            return "";
        }
        X509Certificate[] certs = token.getCryptoStore().getCertificates();
        if (certs == null) {
            return "";
        }
        StringBuilder joined = new StringBuilder();
        for (int i = 0; i < certs.length; i++) {
            if (i != 0)
                joined.append(",");
            joined.append(certs[i].getNickname());
        }
        return joined.toString();
    } catch (TokenException e) {
        String[] params = { mId, e.toString() };
        EBaseException failure = new EBaseException(
                CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GENERAL_ERROR", failure.toString()));
        throw failure;
    } catch (NoSuchTokenException e) {
        String[] params = { mId, e.toString() };
        EBaseException failure = new EBaseException(
                CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GENERAL_ERROR", failure.toString()));
        throw failure;
    }
}
/**
 * Resolves an algorithm name to an AlgorithmId.
 *
 * For "DSA", if the store holds all three of ca.dsaP, ca.dsaQ and ca.dsaG, an
 * AlgIdDSA carrying those parameters is returned; otherwise (and for every
 * other name) the lookup falls through to AlgorithmId.get.
 *
 * @param algname algorithm name, e.g. "DSA"
 * @param store   config store holding the optional DSA parameters
 * @return the resolved AlgorithmId
 * @throws EBaseException CMS_BASE_ALG_NOT_SUPPORTED if the name is unknown, or
 *         propagated from the config store
 */
public AlgorithmId getAlgorithmId(String algname, IConfigStore store)
        throws EBaseException {
    try {
        if (!algname.equals("DSA")) {
            return AlgorithmId.get(algname);
        }
        byte[] p = store.getByteArray("ca.dsaP", null);
        byte[] q = store.getByteArray("ca.dsaQ", null);
        byte[] g = store.getByteArray("ca.dsaG", null);
        boolean haveAllParams = p != null && q != null && g != null;
        if (!haveAllParams) {
            return AlgorithmId.get(algname);
        }
        return new AlgIdDSA(new BigInteger(p), new BigInteger(q), new BigInteger(g));
    } catch (NoSuchAlgorithmException e) {
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", ""));
    }
}
/**
 * Returns the signature algorithm name of the certificate with the given nickname.
 *
 * @param nickname certificate nickname looked up via CryptoManager
 * @return the certificate's signature algorithm name
 * @throws EBaseException CMS_BASE_CRYPTOMANAGER_UNINITIALIZED, CMS_BASE_CERT_NOT_FOUND,
 *         CMS_BASE_TOKEN_NOT_FOUND or CMS_BASE_CERT_ERROR depending on the failure
 */
public String getSignatureAlgorithm(String nickname) throws EBaseException {
    try {
        CryptoManager manager = CryptoManager.getInstance();
        X509Certificate cert = manager.findCertByNickname(nickname);
        byte[] der = cert.getEncoded();
        X509CertImpl parsed = new X509CertImpl(der);
        return parsed.getSigAlgName();
    } catch (NotInitializedException e) {
        logSigAlgFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (ObjectNotFoundException e) {
        logSigAlgFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
    } catch (TokenException e) {
        logSigAlgFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (CertificateException e) {
        logSigAlgFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ""));
    }
}

/** Logs a getSignatureAlgorithm failure under the CMSCORE_SECURITY_ALG key. */
private void logSigAlgFailure(Exception e) {
    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_ALG", e.toString()));
}
/**
 * Returns the key pair belonging to the certificate with the given nickname.
 *
 * @param nickname certificate nickname looked up via CryptoManager
 * @return the certificate's public key paired with the matching private key
 * @throws EBaseException CMS_BASE_CRYPTOMANAGER_UNINITIALIZED, CMS_BASE_CERT_NOT_FOUND
 *         or CMS_BASE_TOKEN_NOT_FOUND depending on the failure
 */
public KeyPair getKeyPair(String nickname) throws EBaseException {
    try {
        CryptoManager manager = CryptoManager.getInstance();
        X509Certificate cert = manager.findCertByNickname(nickname);
        PrivateKey privateKey = manager.findPrivKeyByCert(cert);
        return new KeyPair(cert.getPublicKey(), privateKey);
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, "Key Pair Error " + e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (ObjectNotFoundException e) {
        log(ILogger.LL_FAILURE, "Key Pair Error " + e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, "Key Pair Error " + e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    }
}
/**
 * Generates a key pair on a token without explicit PQG parameters.
 *
 * @param tokenName token to generate on (Constants.PR_INTERNAL_TOKEN for the internal token)
 * @param alg       "RSA"; any other value selects DSA in the four-argument overload
 * @param keySize   key size in bits
 * @return the generated key pair
 * @throws EBaseException as thrown by the four-argument overload
 */
public KeyPair getKeyPair(String tokenName, String alg,
        int keySize) throws EBaseException {
    PQGParams noPqgParams = null;
    return getKeyPair(tokenName, alg, keySize, noPqgParams);
}
/**
 * Generates a key pair on a token.
 *
 * @param tokenName token to generate on; Constants.PR_INTERNAL_TOKEN is mapped to
 *                  Constants.PR_FULL_INTERNAL_TOKEN_NAME
 * @param alg       "RSA" selects RSA; every other value selects DSA
 * @param keySize   key size in bits
 * @param pqg       DSA parameters, or null
 * @return the generated key pair
 * @throws EBaseException CMS_BASE_TOKEN_NOT_FOUND, CMS_BASE_INVALID_KEYSIZE_PARAMS,
 *         CMS_BASE_PQG_GEN_FAILED, CMS_BASE_ALG_NOT_SUPPORTED or CMS_BASE_KEY_GEN_FAILED
 *         depending on the failure
 */
public KeyPair getKeyPair(String tokenName, String alg,
        int keySize, PQGParams pqg) throws EBaseException {
    String lookupName = tokenName.equals(Constants.PR_INTERNAL_TOKEN)
            ? Constants.PR_FULL_INTERNAL_TOKEN_NAME
            : tokenName;
    CryptoToken token;
    try {
        token = mCryptoManager.getTokenByName(lookupName);
    } catch (NoSuchTokenException e) {
        log(ILogger.LL_FAILURE, "Generate Key Pair Error " + e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", tokenName));
    }
    // NOTE(review): anything other than the exact string "RSA" (including "EC" or
    // "rsa") falls through to DSA here — confirm that is intended.
    KeyPairAlgorithm kpAlg = alg.equals("RSA") ? KeyPairAlgorithm.RSA : KeyPairAlgorithm.DSA;
    try {
        return KeyCertUtil.generateKeyPair(token, kpAlg, keySize, pqg);
    } catch (InvalidParameterException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_KEY_PAIR", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS",
                "" + keySize));
    } catch (PQGParamGenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_KEY_PAIR", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED"));
    } catch (NoSuchAlgorithmException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_KEY_PAIR", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED",
                kpAlg.toString()));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_KEY_PAIR", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_KEY_GEN_FAILED"));
    } catch (InvalidAlgorithmParameterException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_KEY_PAIR", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA"));
    }
}
/**
 * Validates that a string parses as an X.500 distinguished name.
 *
 * @param dn the DN to check
 * @throws EBaseException CMS_BASE_INVALID_X500_NAME if X500Name cannot parse it
 */
public void isX500DN(String dn) throws EBaseException {
    try {
        // Constructed only for its parse; the result is not needed.
        X500Name parsed = new X500Name(dn);
    } catch (IOException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_X500_NAME", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_X500_NAME", dn));
    }
}
/**
 * Builds a PKCS#10 certificate request for the subject and key pair and returns
 * its printed form.
 *
 * @param subjectName subject DN for the request
 * @param kp          key pair whose public key is certified and whose private key signs
 * @return the request as printed by PKCS10.print (platform default charset)
 * @throws EBaseException one of CMS_BASE_ALG_NOT_SUPPORTED, CMS_BASE_PROVIDER_NOT_SUPPORTED,
 *         CMS_BASE_INVALID_KEY, CMS_BASE_CERT_REQ_FAILED, CMS_BASE_INVALID_CERT or
 *         CMS_BASE_INVALID_SIGNATURE depending on the failure
 */
public String getCertRequest(String subjectName, KeyPair kp)
        throws EBaseException {
    try {
        netscape.security.pkcs.PKCS10 request = KeyCertUtil.getCertRequest(subjectName, kp);
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        request.print(new PrintStream(buffer));
        return buffer.toString();
    } catch (NoSuchAlgorithmException e) {
        logCertRequestFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", ""));
    } catch (NoSuchProviderException e) {
        logCertRequestFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_PROVIDER_NOT_SUPPORTED"));
    } catch (InvalidKeyException e) {
        logCertRequestFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY"));
    } catch (IOException e) {
        logCertRequestFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_REQ_FAILED"));
    } catch (CertificateException e) {
        logCertRequestFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_CERT", e.toString()));
    } catch (SignatureException e) {
        logCertRequestFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_SIGNATURE"));
    }
}

/** Logs a getCertRequest failure under the CMSCORE_SECURITY_CERT_REQUEST key. */
private void logCertRequestFailure(Exception e) {
    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_CERT_REQUEST", e.toString()));
}
/**
 * Imports a base-64 encoded certificate under a nickname, delegating to
 * KeyCertUtil.importCert.
 *
 * @param b64E     base-64 encoded certificate
 * @param nickname nickname to store it under
 * @param certType certificate type passed through to KeyCertUtil
 * @throws EBaseException a CMS_BASE_* message matching the underlying failure;
 *         for a TokenException whose text says the just-imported certificate
 *         could not be found, the raw exception text is used instead
 */
public void importCert(String b64E, String nickname, String certType)
        throws EBaseException {
    try {
        KeyCertUtil.importCert(b64E, nickname, certType);
    } catch (CertificateException e) {
        logImportFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_DECODE_CERT_FAILED"));
    } catch (NotInitializedException e) {
        logImportFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        logImportFailure(e);
        String detail = e.toString();
        boolean lostAfterImport = detail.contains("Failed to find certificate that was just imported");
        if (!lostAfterImport) {
            throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
        }
        throw new EBaseException(detail);
    } catch (UserCertConflictException e) {
        logImportFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_USERCERT_CONFLICT"));
    } catch (NicknameConflictException e) {
        logImportFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_NICKNAME_CONFLICT"));
    } catch (NoSuchItemOnTokenException e) {
        logImportFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ITEM_NOT_FOUND_ON_TOKEN"));
    }
}

/** Logs an importCert failure under the CMSCORE_SECURITY_IMPORT_CERT key. */
private void logImportFailure(Exception e) {
    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_IMPORT_CERT", e.toString()));
}
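/**
 * Generates a key pair from the token name, key type and key length given in
 * a KeyCertData properties bag.
 *
 * @param properties bag holding Constants.PR_TOKEN_NAME, Constants.PR_KEY_TYPE and
 *                   Constants.PR_KEY_LENGTH; missing entries fall back to the internal
 *                   token, "RSA" and 512 bits respectively
 * @return the generated key pair
 * @throws EBaseException CMS_BASE_INVALID_KEYSIZE_PARAMS if PR_KEY_LENGTH is not an
 *         integer, or whatever getKeyPair(String, String, int) throws
 */
public KeyPair getKeyPair(KeyCertData properties) throws EBaseException {
    String tokenname = Constants.PR_INTERNAL_TOKEN_NAME;
    String keyType = "RSA";
    // NOTE(review): 512-bit RSA is far below any current minimum; this fallback
    // only applies when PR_KEY_LENGTH is absent, but it deserves a review.
    int keyLength = 512;
    String tmp = (String) properties.get(Constants.PR_TOKEN_NAME);
    if ((tmp != null) &&
            (!tmp.equals(Constants.PR_INTERNAL_TOKEN)))
        tokenname = tmp;
    tmp = (String) properties.get(Constants.PR_KEY_TYPE);
    if (tmp != null)
        keyType = tmp;
    tmp = (String) properties.get(Constants.PR_KEY_LENGTH);
    if (tmp != null) {
        try {
            keyLength = Integer.parseInt(tmp);
        } catch (NumberFormatException e) {
            // Report a malformed key length the same way an invalid size is reported
            // further down, instead of leaking a NumberFormatException to the caller.
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_KEY_PAIR", e.toString()));
            throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS", tmp));
        }
    }
    return getKeyPair(tokenname, keyType, keyLength);
}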
/**
 * Generates an ECC key pair from the token name, curve name and cert type given
 * in a KeyCertData properties bag.
 *
 * @param properties bag holding Constants.PR_TOKEN_NAME, Constants.PR_KEY_CURVENAME
 *                   and Constants.RS_ID (the cert type used to look up the EC type)
 * @return the generated key pair
 * @throws EBaseException as thrown by getECCKeyPair(String, String, String)
 */
public KeyPair getECCKeyPair(KeyCertData properties) throws EBaseException {
    // NOTE(review): "nistp512" is not a standard NIST curve name (the NIST prime
    // curves are p256/p384/p521); confirm the intended default.
    String curve = "nistp512";
    String token = Constants.PR_INTERNAL_TOKEN_NAME;
    String configuredToken = (String) properties.get(Constants.PR_TOKEN_NAME);
    if (configuredToken != null)
        token = configuredToken;
    String configuredCurve = (String) properties.get(Constants.PR_KEY_CURVENAME);
    if (configuredCurve != null)
        curve = configuredCurve;
    String certType = (String) properties.get(Constants.RS_ID);
    return getECCKeyPair(token, curve, certType);
}
/**
 * Generates an ECC key pair on a token for the given curve.
 *
 * The key usage mask depends on getECType(certType): an "ECDHE" key is generated
 * with DERIVE withheld, any other EC type with SIGN and SIGN_RECOVER withheld
 * (per the original comments, the mask names the usages to leave out).
 *
 * @param token    token name; null or empty selects Constants.PR_INTERNAL_TOKEN_NAME
 * @param keyCurve curve name; null or empty selects "nistp512"
 * @param certType cert type whose configured EC type decides the usage mask
 * @return the generated key pair
 * @throws EBaseException CMS_BASE_CRYPTOMANAGER_UNINITIALIZED, CMS_BASE_TOKEN_NOT_FOUND
 *         or CMS_BASE_NO_SUCH_ALGORITHM depending on the failure, or as thrown by getECType
 */
public KeyPair getECCKeyPair(String token, String keyCurve, String certType) throws EBaseException {
    String tokenName = (token == null || token.equals(""))
            ? Constants.PR_INTERNAL_TOKEN_NAME
            : token;
    // NOTE(review): "nistp512" is not a standard NIST curve name (the NIST prime
    // curves are p256/p384/p521); confirm the intended default.
    String curve = (keyCurve == null || keyCurve.equals(""))
            ? "nistp512"
            : keyCurve;
    String ectype = getECType(certType);
    // ECDHE needs "SIGN" but no "DERIVE"
    org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] ecdheMask = {
            org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE
    };
    // ECDH needs "DERIVE" but no any kind of "SIGN"
    org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] ecdhMask = {
            org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN,
            org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER,
    };
    org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] mask = ectype.equals("ECDHE") ? ecdheMask : ecdhMask;
    try {
        return CryptoUtil.generateECCKeyPair(tokenName, curve, null, mask);
    } catch (NotInitializedException e) {
        logEccKeyFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (NoSuchTokenException e) {
        logEccKeyFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (NoSuchAlgorithmException e) {
        logEccKeyFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_NO_SUCH_ALGORITHM", e.toString()));
    } catch (TokenException e) {
        logEccKeyFailure(e);
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    }
}

/** Logs a getECCKeyPair failure under the CMSCORE_SECURITY_GET_ECC_KEY key. */
private void logEccKeyFailure(Exception e) {
    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ECC_KEY", e.toString()));
}
/**
 * Imports a signed certificate into the key database under {@code nickname}.
 * <p>
 * Thin wrapper over {@code KeyCertUtil.importCert}: every JSS/encoding failure is
 * logged under CMSCORE_SECURITY_IMPORT_CERT and rethrown as an
 * {@link EBaseException} carrying a user-facing message key.
 *
 * @param signedCert the certificate to import
 * @param nickname   nickname to store it under
 * @param certType   certificate type passed through to {@code KeyCertUtil}
 * @throws EBaseException if the crypto manager is not initialized, the token is
 *                        unavailable, the certificate cannot be encoded, the
 *                        nickname or user cert conflicts with an existing entry,
 *                        or the item is missing on the token
 */
public void importCert(X509CertImpl signedCert, String nickname, String certType) throws EBaseException {
    try {
        KeyCertUtil.importCert(signedCert, nickname, certType);
    } catch (NotInitializedException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_IMPORT_CERT", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_IMPORT_CERT", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (CertificateEncodingException ex) {
        // must stay ahead of the broader CertificateException handler below
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_IMPORT_CERT", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ENCODE_CERT_FAILED"));
    } catch (UserCertConflictException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_IMPORT_CERT", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_USERCERT_CONFLICT"));
    } catch (NicknameConflictException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_IMPORT_CERT", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_NICKNAME_CONFLICT"));
    } catch (NoSuchItemOnTokenException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_IMPORT_CERT", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ITEM_NOT_FOUND_ON_TOKEN"));
    } catch (CertificateException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_IMPORT_CERT", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ENCODE_CERT_FAILED"));
    }
}
/**
 * Decodes a base-64 encoded certificate and reports its subject, issuer, serial
 * number and validity period as name/value pairs.
 * <p>
 * The two validity dates are rendered with {@code Date.toString()}, i.e. in the
 * JVM's default locale and time zone. A value that cannot be decoded is reported
 * as CMS_BASE_DECODE_CERT_FAILED rather than propagated.
 *
 * @param b64E base-64 encoding of a DER certificate
 * @return pairs keyed by PR_CERT_SUBJECT_NAME, PR_ISSUER_NAME, PR_SERIAL_NUMBER,
 *         PR_BEFORE_VALIDDATE and PR_AFTER_VALIDDATE
 * @throws EBaseException if the input cannot be decoded into a certificate
 */
public NameValuePairs getCertInfo(String b64E) throws EBaseException {
    NameValuePairs info = new NameValuePairs();
    try {
        byte[] der = KeyCertUtil.convertB64EToByteArray(b64E);
        X509CertImpl cert = new X509CertImpl(der);
        info.put(Constants.PR_CERT_SUBJECT_NAME, cert.getSubjectDN().getName());
        info.put(Constants.PR_ISSUER_NAME, cert.getIssuerDN().getName());
        info.put(Constants.PR_SERIAL_NUMBER, cert.getSerialNumber().toString());
        info.put(Constants.PR_BEFORE_VALIDDATE, cert.getNotBefore().toString());
        info.put(Constants.PR_AFTER_VALIDDATE, cert.getNotAfter().toString());
    } catch (CertificateException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_CERT_INFO", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_DECODE_CERT_FAILED"));
    } catch (IOException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_CERT_INFO", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_DECODE_CERT_FAILED"));
    }
    return info;
}
/**
 * Deletes the user certificate identified by nickname, serial number and issuer.
 * <p>
 * The certificate is located with {@code getCertificate}; a token certificate is
 * removed from the store of the token that owns it, anything else from the
 * internal key storage token. Note that {@code getCertificate} may return null
 * when no entry matches, in which case the internal-token branch is taken with a
 * null certificate (unchanged from the original behaviour).
 *
 * @param nickname   nickname, optionally prefixed with "token:"
 * @param serialno   decimal serial number to match
 * @param issuername issuer DN string to match
 * @throws EBaseException if the certificate lookup fails, the crypto manager is
 *                        not initialized, or the token reports an error
 */
public void deleteUserCert(String nickname, String serialno, String issuername) throws EBaseException {
    try {
        X509Certificate target = getCertificate(nickname, serialno, issuername);
        if (!(target instanceof TokenCertificate)) {
            CryptoToken internalToken = CryptoManager.getInstance().getInternalKeyStorageToken();
            CryptoStore internalStore = internalToken.getCryptoStore();
            CMS.debug("*** deleting this interna cert");
            internalStore.deleteCert(target);
            CMS.debug("*** removing this interna cert");
            return;
        }
        TokenCertificate tokenCert = (TokenCertificate) target;
        CMS.debug("*** deleting this token cert");
        tokenCert.getOwningToken().getCryptoStore().deleteCert(tokenCert);
        CMS.debug("*** finish deleting this token cert");
    } catch (NotInitializedException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (NoSuchItemOnTokenException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ITEM_NOT_FOUND_ON_TOKEN"));
    }
}
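/**
 * Deletes the cached root certificate with the given nickname whose serial number
 * and issuer match, and drops the nickname from {@code mNicknameMapCertsTable}.
 * <p>
 * A "token:name" nickname loses its prefix when the token is the internal one. A
 * nickname with no ":" is now used unchanged; the original computed
 * {@code substring(0, -1)} and threw StringIndexOutOfBoundsException. The issuer
 * comparison is null-safe (a null {@code issuername} simply never matches).
 * <p>
 * NOTE(review): {@code getRootCerts()} stores internal-token entries under the
 * prefixed key, while this lookup strips that prefix — confirm which method is
 * expected to have populated the table for callers of this one. Also note that
 * the whole nickname entry is removed from the cache even if other certificates
 * were cached under it.
 *
 * @param nickname   nickname, optionally prefixed with "token:"
 * @param serialno   decimal serial number to match
 * @param issuername issuer DN string to match
 * @throws EBaseException if nothing is cached under the nickname, the crypto
 *                        manager is not initialized, or a token/decoding error occurs
 */
public void deleteRootCert(String nickname, String serialno, String issuername) throws EBaseException {
    int index = nickname.indexOf(":");
    String cacheKey = nickname;
    if (index >= 0 && nickname.substring(0, index).equals(Constants.PR_INTERNAL_TOKEN_NAME)) {
        cacheKey = nickname.substring(index + 1);
    }
    try {
        if (mNicknameMapCertsTable == null) {
            // Cache never built: nothing to delete (same silent outcome as before).
            return;
        }
        X509Certificate[] certs = mNicknameMapCertsTable.get(cacheKey);
        if (certs == null) {
            EBaseException notFound = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CA_CERT", notFound.toString()));
            throw notFound;
        }
        for (int i = 0; i < certs.length; i++) {
            X509Certificate cert = certs[i];
            X509CertImpl impl = new X509CertImpl(cert.getEncoded());
            String num = impl.getSerialNumber().toString();
            String issuer = impl.getIssuerDN().toString();
            CMS.debug("*** num " + num);
            CMS.debug("*** issuer " + issuer);
            if (!(num.equals(serialno) && issuer.equals(issuername))) {
                continue;
            }
            CMS.debug("*** removing root cert");
            if (cert instanceof TokenCertificate) {
                TokenCertificate tcert = (TokenCertificate) cert;
                CMS.debug("*** deleting this token cert");
                tcert.getOwningToken().getCryptoStore().deleteCert(tcert);
                CMS.debug("*** finish deleting this token cert");
            } else {
                CryptoToken token = CryptoManager.getInstance().getInternalKeyStorageToken();
                CryptoStore store = token.getCryptoStore();
                CMS.debug("*** deleting this interna cert");
                store.deleteCert(cert);
                CMS.debug("*** removing this interna cert");
            }
            mNicknameMapCertsTable.remove(cacheKey);
            break;
        }
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (NoSuchItemOnTokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ITEM_NOT_FOUND_ON_TOKEN"));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    }
}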
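/**
 * Lists every certificate on every token that has no matching private key
 * (treated here as a root/CA certificate) and rebuilds
 * {@code mNicknameMapCertsTable} from them.
 * <p>
 * Result entries are keyed "nickname,serialno" with the issuer DN as value;
 * certificates on the internal token get the PR_INTERNAL_TOKEN_NAME prefix in the
 * nickname. A certificate that fails to decode is logged and left out of the
 * result but, as in the original, is still recorded in the nickname table.
 * <p>
 * Changes from the original: the generic types lost in extraction are restored,
 * the unused private-key local is dropped (only the lookup's outcome matters),
 * and the vector-to-array conversion runs once after all tokens are scanned
 * rather than once per token, which yields the same final table contents.
 *
 * @return "nickname,serial" to issuer pairs for all root certificates found
 * @throws EBaseException if {@code mNicknameMapCertsTable} is unset or a token error occurs
 */
public NameValuePairs getRootCerts() throws EBaseException {
    NameValuePairs nvps = new NameValuePairs();
    try {
        @SuppressWarnings("unchecked")
        Enumeration<CryptoToken> tokens = mCryptoManager.getAllTokens();
        if (mNicknameMapCertsTable == null) {
            CMS.debug("JssSubsystem::getRootCerts() - mNicknameMapCertsTable is null");
            throw new EBaseException("JssSubsystem::getRootCerts() - mNicknameMapCertsTable is null");
        }
        mNicknameMapCertsTable.clear();
        // Certificates grouped by (possibly prefixed) nickname; converted to arrays below.
        Hashtable<String, Vector<X509Certificate>> byNickname =
                new Hashtable<String, Vector<X509Certificate>>();
        while (tokens.hasMoreElements()) {
            CryptoToken token = tokens.nextElement();
            String tokenName = token.getName();
            CryptoStore store = token.getCryptoStore();
            X509Certificate[] list = store.getCertificates();
            for (int i = 0; i < list.length; i++) {
                X509Certificate cert = list[i];
                try {
                    // A cert with a private key is a user cert: not listed here.
                    CryptoManager.getInstance().findPrivKeyByCert(cert);
                    Debug.trace("JssSubsystem getRootCerts: find private key "
                            + cert.getNickname());
                } catch (ObjectNotFoundException e) {
                    String nickname = cert.getNickname();
                    if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) {
                        nickname = Constants.PR_INTERNAL_TOKEN_NAME + ":" + nickname;
                    }
                    Vector<X509Certificate> group = byNickname.get(nickname);
                    if (group == null) {
                        group = new Vector<X509Certificate>();
                        byNickname.put(nickname, group);
                    }
                    // Recorded before decoding, so undecodable certs still reach the table.
                    group.addElement(cert);
                    X509CertImpl impl;
                    try {
                        impl = new X509CertImpl(cert.getEncoded());
                    } catch (CertificateException ex) {
                        // skip bad certificate
                        CMS.debug("bad certificate - " + nickname);
                        continue;
                    }
                    String serialno = impl.getSerialNumber().toString();
                    String issuer = impl.getIssuerDN().toString();
                    nvps.put(nickname + "," + serialno, issuer);
                    Debug.trace("getRootCerts: nickname=" + nickname + ", serialno=" +
                            serialno + ", issuer=" + issuer);
                } catch (CryptoManager.NotInitializedException e) {
                    // no crypto manager: this cert cannot be classified, skip it
                    continue;
                }
            }
        }
        // convert hashtable of vectors to hashtable of arrays
        Enumeration<String> nicknames = byNickname.keys();
        while (nicknames.hasMoreElements()) {
            String key = nicknames.nextElement();
            Vector<X509Certificate> group = byNickname.get(key);
            X509Certificate[] array = new X509Certificate[group.size()];
            group.copyInto(array);
            mNicknameMapCertsTable.put(key, array);
        }
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ALL_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ""));
    }
    return nvps;
}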
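/**
 * Lists every certificate on every token that has a matching private key
 * (a user certificate).
 * <p>
 * Result entries are keyed "nickname,serialno" with the issuer DN as value;
 * certificates on the internal token (either of its two names) get the
 * PR_INTERNAL_TOKEN_NAME prefix. Certificates without a private key, or that
 * fail to decode, are traced and skipped. The generic type lost in extraction
 * is restored and the unused private-key local is dropped; the lookup is kept
 * purely for its ObjectNotFoundException.
 *
 * @return "nickname,serial" to issuer pairs for all user certificates found
 * @throws EBaseException if a token error occurs
 */
public NameValuePairs getUserCerts() throws EBaseException {
    NameValuePairs nvps = new NameValuePairs();
    try {
        @SuppressWarnings("unchecked")
        Enumeration<CryptoToken> tokens = mCryptoManager.getAllTokens();
        while (tokens.hasMoreElements()) {
            CryptoToken token = tokens.nextElement();
            String tokenName = token.getName();
            CryptoStore store = token.getCryptoStore();
            X509Certificate[] list = store.getCertificates();
            for (int i = 0; i < list.length; i++) {
                X509Certificate cert = list[i];
                try {
                    // throws ObjectNotFoundException when there is no private key
                    CryptoManager.getInstance().findPrivKeyByCert(cert);
                    String nickname = cert.getNickname();
                    if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME) ||
                            tokenName.equals(Constants.PR_FULL_INTERNAL_TOKEN_NAME)) {
                        nickname = Constants.PR_INTERNAL_TOKEN_NAME + ":" + nickname;
                    }
                    X509CertImpl impl;
                    try {
                        impl = new X509CertImpl(cert.getEncoded());
                    } catch (CertificateException e) {
                        // skip bad certificate
                        CMS.debug("bad certificate - " + nickname);
                        continue;
                    }
                    String serialno = impl.getSerialNumber().toString();
                    String issuer = impl.getIssuerDN().toString();
                    nvps.put(nickname + "," + serialno, issuer);
                    Debug.trace("getUserCerts: nickname=" + nickname + ", serialno=" +
                            serialno + ", issuer=" + issuer);
                } catch (ObjectNotFoundException e) {
                    Debug.trace("JssSubsystem getUserCerts: cant find private key "
                            + cert.getNickname());
                    continue;
                } catch (CryptoManager.NotInitializedException e) {
                    continue;
                }
            }
        }
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ALL_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ""));
    }
    return nvps;
}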
/*
* get all certificates on all tokens for Certificate Database Management
*/
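/**
 * Collects all certificates for Certificate Database Management: first the CA
 * certificates from {@code getCACerts()} (internal token only), then every
 * certificate on every token as a user certificate, rebuilding
 * {@code mNicknameMapUserCertsTable} along the way.
 * <p>
 * Each value is "notAfter,flag" (flag "u" for user certs); several certificates
 * under one nickname are joined with ";". A user cert is appended only when the
 * existing entry is itself a user entry, so a CA entry under the same nickname
 * keeps precedence (presumably intentional — confirm). Fixes: the
 * missing-table message named {@code mNicknameMapCertsTable} although it is the
 * user-cert table that is checked, and the generic type lost in extraction is
 * restored.
 * <p>
 * NOTE(review): {@code mFormatter} appears to be a SimpleDateFormat (the file
 * imports it), which is not thread-safe; concurrent callers need external
 * synchronization — confirm how this subsystem is used.
 *
 * @return nickname to "notAfter,flag[;...]" pairs
 * @throws EBaseException if {@code mNicknameMapUserCertsTable} is unset, the crypto
 *                        manager is not initialized, or a token error occurs
 */
public NameValuePairs getAllCertsManage() throws EBaseException {
    NameValuePairs pairs = getCACerts();
    if (mNicknameMapUserCertsTable == null) {
        CMS.debug("JssSubsystem:: getAllCertsManage() : mNicknameMapUserCertsTable is null");
        throw new EBaseException("JssSubsystem:: getAllCertsManage() : mNicknameMapUserCertsTable is null");
    }
    mNicknameMapUserCertsTable.clear();
    try {
        @SuppressWarnings("unchecked")
        Enumeration<CryptoToken> tokens = mCryptoManager.getAllTokens();
        while (tokens.hasMoreElements()) {
            CryptoToken token = tokens.nextElement();
            CryptoStore store = token.getCryptoStore();
            X509Certificate[] list = store.getCertificates();
            for (int i = 0; i < list.length; i++) {
                String nickname = list[i].getNickname();
                X509Certificate[] certificates =
                        CryptoManager.getInstance().findCertsByNickname(nickname);
                mNicknameMapUserCertsTable.put(nickname, certificates);
                X509CertImpl impl;
                try {
                    impl = new X509CertImpl(list[i].getEncoded());
                } catch (CertificateException e) {
                    // skip bad certificate
                    CMS.debug("bad certificate - " + nickname);
                    continue;
                }
                Date date = impl.getNotAfter();
                String dateStr = mFormatter.format(date);
                String existing = pairs.get(nickname);
                /* always user cert here */
                String certValue = dateStr + "," + "u";
                if (existing == null) {
                    pairs.put(nickname, certValue);
                } else if (existing.endsWith(",u")) {
                    pairs.put(nickname, existing + ";" + certValue);
                }
            }
        }
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ALL_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ALL_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ""));
    }
    return pairs;
}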
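/**
 * Lists the CA certificates known to the crypto manager and rebuilds
 * {@code mNicknameMapCertsTable} from them.
 * <p>
 * Each value is "notAfter,trust" where trust is "T" when the
 * TRUSTED_CLIENT_CA bit is set in the certificate's SSL trust flags and "U"
 * otherwise; several certificates under one nickname are joined with ";".
 * Certificates that are not {@code InternalCertificate}s are traced and skipped,
 * and a certificate that fails to decode is logged but does not stop the scan.
 * The generic types lost in extraction are restored and the commented-out
 * declaration is dropped.
 *
 * @return nickname to "notAfter,trust[;...]" pairs
 * @throws EBaseException if the crypto manager is not initialized or
 *                        {@code mNicknameMapCertsTable} is unset
 */
public NameValuePairs getCACerts() throws EBaseException {
    NameValuePairs pairs = new NameValuePairs();
    X509Certificate[] certs;
    try {
        certs = CryptoManager.getInstance().getCACerts();
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_CA_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    }
    if (mNicknameMapCertsTable == null) {
        CMS.debug("JssSubsystem::getCACerts() - " + "mNicknameMapCertsTable is null!");
        throw new EBaseException("JssSubsystem::getCACerts() - mNicknameMapCertsTable is null");
    }
    mNicknameMapCertsTable.clear();

    // Group the certificates by nickname ...
    Hashtable<String, Vector<X509Certificate>> byNickname =
            new Hashtable<String, Vector<X509Certificate>>();
    for (int i = 0; i < certs.length; i++) {
        String nickname = certs[i].getNickname();
        Vector<X509Certificate> group = byNickname.get(nickname);
        if (group == null) {
            group = new Vector<X509Certificate>();
            byNickname.put(nickname, group);
        }
        group.addElement(certs[i]);
    }
    // ... and store each group as an array in the nickname table.
    Enumeration<String> grouped = byNickname.keys();
    while (grouped.hasMoreElements()) {
        String key = grouped.nextElement();
        Vector<X509Certificate> group = byNickname.get(key);
        X509Certificate[] array = new X509Certificate[group.size()];
        group.copyInto(array);
        mNicknameMapCertsTable.put(key, array);
    }

    Enumeration<String> nicknames = mNicknameMapCertsTable.keys();
    while (nicknames.hasMoreElements()) {
        String nickname = nicknames.nextElement();
        X509Certificate[] value = mNicknameMapCertsTable.get(nickname);
        for (int i = 0; i < value.length; i++) {
            if (!(value[i] instanceof InternalCertificate)) {
                Debug.trace("cert is not an InternalCertificate");
                Debug.trace("nickname: " + nickname + " index " + i);
                Debug.trace("cert: " + value[i]);
                continue;
            }
            InternalCertificate icert = (InternalCertificate) value[i];
            int flag = icert.getSSLTrust();
            boolean trustedClientCa =
                    (InternalCertificate.TRUSTED_CLIENT_CA & flag) == InternalCertificate.TRUSTED_CLIENT_CA;
            String trust = trustedClientCa ? "T" : "U";
            try {
                X509CertImpl impl = new X509CertImpl(icert.getEncoded());
                Date date = impl.getNotAfter();
                String dateStr = mFormatter.format(date);
                String existing = pairs.get(nickname);
                String certValue = dateStr + "," + trust;
                pairs.put(nickname, (existing == null) ? certValue : existing + ";" + certValue);
            } catch (CertificateException e) {
                log(ILogger.LL_FAILURE,
                        CMS.getLogMessage("CMSCORE_SECURITY_GET_CA_CERT_FOR", nickname, e.toString()));
                // allow it to continue with other certs even if one blows up
            }
        }
    }
    return pairs;
}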
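/**
 * Sets the SSL trust flags on the cached CA certificate under {@code nickname}
 * whose notAfter date equals {@code date}.
 * <p>
 * "Trust" grants TRUSTED_CA | TRUSTED_CLIENT_CA | VALID_CA; any other value
 * (including null) leaves only VALID_CA. Note the capitalised "Trust" here
 * versus "trust" in {@code setRootCertTrust()} — confirm which spelling callers
 * use. A matching certificate that is not an {@code InternalCertificate} is
 * reported as CMS_BASE_CERT_ERROR. Nothing happens when
 * {@code mNicknameMapCertsTable} has not been built (unchanged).
 * <p>
 * Changes from the original: the date is parsed once instead of once per
 * certificate, so an unparseable date is reported even when the nickname has an
 * empty certificate list, and the trust comparison is null-safe.
 *
 * @param nickname nickname used as the cache key
 * @param date     notAfter date in {@code mFormatter}'s format
 * @param trust    "Trust" to trust the CA, anything else to reset to VALID_CA
 * @throws EBaseException if nothing is cached under the nickname, the date does
 *                        not parse, a certificate cannot be decoded, or the
 *                        matching certificate is not an InternalCertificate
 */
public void trustCert(String nickname, String date, String trust) throws EBaseException {
    try {
        if (mNicknameMapCertsTable == null) {
            return;
        }
        X509Certificate[] certs = mNicknameMapCertsTable.get(nickname);
        if (certs == null) {
            EBaseException notFound = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_TRUST_CERT", notFound.toString()));
            throw notFound;
        }
        // loop-invariant: parse the qualifier once
        Date qualifier = mFormatter.parse(date);
        for (int i = 0; i < certs.length; i++) {
            X509Certificate cert = certs[i];
            X509CertImpl certImpl = new X509CertImpl(cert.getEncoded());
            if (!certImpl.getNotAfter().equals(qualifier)) {
                continue;
            }
            if (!(cert instanceof InternalCertificate)) {
                throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ""));
            }
            InternalCertificate icert = (InternalCertificate) cert;
            if ("Trust".equals(trust)) {
                int trustflag = InternalCertificate.TRUSTED_CA |
                        InternalCertificate.TRUSTED_CLIENT_CA |
                        InternalCertificate.VALID_CA;
                icert.setSSLTrust(trustflag);
            } else {
                icert.setSSLTrust(InternalCertificate.VALID_CA);
            }
            break;
        }
    } catch (ParseException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_TRUST_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_TRUST_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    }
}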
/**
 * Delete the CA certificate from the perm database.
 *
 * @param nickname The nickname of the CA certificate.
 * @param notAfterTime The notAfter of the certificate. It is possible to get multiple
 * certificates under the same nickname. If one of the certificates matches the notAfterTime,
 * then that certificate will get deleted. The notAfterTime has to be
 * in "MMMMM dd, yyyy HH:mm:ss" format.
 */
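public void deleteCACert(String nickname, String notAfterTime) throws EBaseException {
    // Throws: CMS_BASE_CERT_NOT_FOUND when nothing is cached under nickname,
    // CMS_BASE_CERT_ERROR for an unparseable date or undecodable certificate, plus
    // the usual crypto-manager/token failures. Does nothing (silently) when
    // mNicknameMapCertsTable has not been built.
    try {
        if (mNicknameMapCertsTable == null) {
            return;
        }
        X509Certificate[] certs = mNicknameMapCertsTable.get(nickname);
        if (certs == null) {
            EBaseException notFound = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CA_CERT", notFound.toString()));
            throw notFound;
        }
        // Parsed once instead of once per certificate; an unparseable date is now
        // reported even when the cached list is empty.
        Date qualifier = mFormatter.parse(notAfterTime);
        for (int i = 0; i < certs.length; i++) {
            X509Certificate cert = certs[i];
            X509CertImpl certImpl = new X509CertImpl(cert.getEncoded());
            if (!certImpl.getNotAfter().equals(qualifier)) {
                continue;
            }
            if (cert instanceof TokenCertificate) {
                TokenCertificate tcert = (TokenCertificate) cert;
                tcert.getOwningToken().getCryptoStore().deleteCert(tcert);
            } else {
                CryptoToken token = CryptoManager.getInstance().getInternalKeyStorageToken();
                CryptoStore store = token.getCryptoStore();
                store.deleteCert(cert);
            }
            // Drops every cached certificate under this nickname, not only the one
            // deleted; presumably the cache is rebuilt by getCACerts() — confirm.
            mNicknameMapCertsTable.remove(nickname);
            break;
        }
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (NoSuchItemOnTokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ITEM_NOT_FOUND_ON_TOKEN"));
    } catch (ParseException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    }
}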
/**
 * Delete a certificate from any token.
 *
 * @param nickname The nickname of the certificate.
 * @param notAfterTime The notAfter of the certificate. It is possible to get multiple
 * certificates under the same nickname. If one of the certificates matches the notAfterTime,
 * then that certificate will get deleted. The notAfterTime has to be
 * in "MMMMM dd, yyyy HH:mm:ss" format.
 */
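public void deleteCert(String nickname, String notAfterTime) throws EBaseException {
    // Looks the nickname up in the CA-cert cache first and, failing that, in the
    // user-cert cache; the entry is removed from whichever cache it came from.
    // Throws CMS_BASE_CERT_NOT_FOUND when neither cache has it, CMS_BASE_CERT_ERROR
    // for an unparseable date or undecodable certificate, plus the usual
    // crypto-manager/token failures.
    boolean isUserCert = false;
    X509Certificate[] certs = null;
    try {
        if (mNicknameMapCertsTable != null) {
            certs = mNicknameMapCertsTable.get(nickname);
        }
        if (certs == null) {
            if (mNicknameMapUserCertsTable != null) {
                certs = mNicknameMapUserCertsTable.get(nickname);
                if (certs != null) {
                    CMS.debug("in mNicknameMapUserCertsTable, isUserCert is true");
                    isUserCert = true;
                }
            } else {
                CMS.debug("mNicknameMapUserCertsTable is null");
            }
        }
        if (certs == null) {
            EBaseException notFound = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", notFound.toString()));
            throw notFound;
        }
        // Parsed once instead of once per certificate; an unparseable date is now
        // reported even when the cached list is empty.
        Date qualifier = mFormatter.parse(notAfterTime);
        for (int i = 0; i < certs.length; i++) {
            X509Certificate cert = certs[i];
            X509CertImpl certImpl = new X509CertImpl(cert.getEncoded());
            if (!certImpl.getNotAfter().equals(qualifier)) {
                continue;
            }
            if (cert instanceof TokenCertificate) {
                TokenCertificate tcert = (TokenCertificate) cert;
                tcert.getOwningToken().getCryptoStore().deleteCert(tcert);
            } else {
                CryptoToken token = CryptoManager.getInstance().getInternalKeyStorageToken();
                CryptoStore store = token.getCryptoStore();
                store.deleteCert(cert);
            }
            // Removes the whole nickname entry from the cache it was found in.
            if (isUserCert) {
                mNicknameMapUserCertsTable.remove(nickname);
            } else {
                mNicknameMapCertsTable.remove(nickname);
            }
            break;
        }
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (NoSuchItemOnTokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ITEM_NOT_FOUND_ON_TOKEN"));
    } catch (ParseException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    }
}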
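/**
 * Backs up the certificate with {@code nickname} as PEM to
 * {@code pathname + "." + currentTimeMillis}, deletes it from the token that
 * owns it, and — when the nickname carried a "token:" prefix — also removes the
 * copy with the same subject DN and serial number from the internal key storage
 * token.
 * <p>
 * The backup is written before anything is deleted. {@code PrintStream} swallows
 * write errors, so the original could delete a certificate whose backup had
 * silently failed; the stream is now always closed and its error flag is checked,
 * and a failed write aborts with CMS_BASE_CERT_ERROR before any deletion.
 * {@code pathname} is used verbatim as a filesystem path and must therefore come
 * from a trusted caller.
 *
 * @param nickname nickname of the certificate, optionally "token:name"
 * @param pathname file path prefix for the PEM backup
 * @throws EBaseException if the certificate is not found, is not a token
 *                        certificate, the crypto manager is not initialized, a
 *                        token error occurs, or the backup cannot be written
 */
public void deleteTokenCertificate(String nickname, String pathname) throws EBaseException {
    try {
        X509Certificate cert = CryptoManager.getInstance().findCertByNickname(nickname);
        Principal principal = cert.getSubjectDN();
        DN dn = new DN(principal.getName());
        BigInteger serialno = cert.getSerialNumber();
        String backupPath = pathname + "." + System.currentTimeMillis();
        String b64E = Utils.base64encode(cert.getEncoded());
        writePemBackup(backupPath, b64E);

        if (!(cert instanceof TokenCertificate)) {
            throw new EBaseException(CMS.getUserMessage("CMS_BASE_NOT_TOKEN_CERT"));
        }
        TokenCertificate tcert = (TokenCertificate) cert;
        tcert.getOwningToken().getCryptoStore().deleteCert(tcert);

        // A "token:name" nickname means the cert lived on a hardware token; delete
        // the copy of it that the internal token holds as well.
        if (nickname.indexOf(":") > 0) {
            CryptoToken cToken = CryptoManager.getInstance().getInternalKeyStorageToken();
            CryptoStore store = cToken.getCryptoStore();
            X509Certificate[] allcerts = CryptoManager.getInstance().getCACerts();
            for (int i = 0; i < allcerts.length; i++) {
                try {
                    X509CertImpl certImpl = new X509CertImpl(allcerts[i].getEncoded());
                    DN certdn = new DN(certImpl.getSubjectDN().getName());
                    BigInteger certSerialNo = certImpl.getSerialNumber();
                    if (dn.equals(certdn) && certSerialNo.compareTo(serialno) == 0) {
                        store.deleteCert(allcerts[i]);
                        break;
                    }
                } catch (Exception ee) {
                    // Deliberately best-effort per certificate: one that cannot be
                    // decoded or removed is traced and the scan continues.
                    Debug.trace("JssSubsystem:deleteTokenCertificate: " + ee.toString());
                }
            }
        }
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (NoSuchItemOnTokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ITEM_NOT_FOUND_ON_TOKEN"));
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (ObjectNotFoundException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_ITEM_NOT_FOUND_ON_TOKEN"));
    } catch (CertificateEncodingException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    } catch (IOException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_DELETE_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    }
}

/**
 * Writes {@code b64} wrapped in BEGIN/END CERTIFICATE markers to {@code path}.
 * The stream is closed on every path; because PrintStream never throws on write
 * failure, its error flag is checked afterwards and surfaced as an IOException.
 *
 * @param path file to create
 * @param b64  base-64 certificate body
 * @throws IOException if the file cannot be opened or the write failed
 */
private static void writePemBackup(String path, String b64) throws IOException {
    PrintStream stream = new PrintStream(new FileOutputStream(path));
    try {
        stream.println("-----BEGIN CERTIFICATE-----");
        stream.print(b64);
        stream.println("-----END CERTIFICATE-----");
    } finally {
        stream.close();
    }
    if (stream.checkError()) {
        throw new IOException("failed to write certificate backup to " + path);
    }
}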
/**
 * Returns the subject DN of the certificate stored under {@code nickname}.
 * <p>
 * The certificate is re-parsed as an {@code X509CertImpl} so the DN string comes
 * from that implementation's {@code getSubjectDN().getName()}.
 *
 * @param nickname nickname to look up via the crypto manager
 * @return the subject DN string
 * @throws EBaseException if the crypto manager is not initialized, the token is
 *                        unavailable, no certificate has that nickname, or the
 *                        certificate cannot be decoded
 */
public String getSubjectDN(String nickname) throws EBaseException {
    X509CertImpl parsed;
    try {
        X509Certificate stored = CryptoManager.getInstance().findCertByNickname(nickname);
        parsed = new X509CertImpl(stored.getEncoded());
    } catch (NotInitializedException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_SUBJECT_NAME", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_SUBJECT_NAME", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (ObjectNotFoundException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_SUBJECT_NAME", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
    } catch (CertificateException ex) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_SUBJECT_NAME", ex.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ex.toString()));
    }
    return parsed.getSubjectDN().getName();
}
/**
 * Sets the SSL trust flags on the root certificate identified by nickname,
 * serial number and issuer.
 * <p>
 * "trust" grants TRUSTED_CA | TRUSTED_CLIENT_CA | VALID_CA; any other value
 * resets the flags to VALID_CA only. The comparison is case-sensitive and
 * differs from the "Trust" spelling used by {@code trustCert()} — confirm which
 * one callers send. A result that is not an {@code InternalCertificate}
 * (including the null {@code getCertificate()} returns when nothing matches) is
 * ignored without error, and a null {@code trust} throws NullPointerException,
 * both as in the original.
 *
 * @param nickname   nickname, optionally prefixed with "token:"
 * @param serialno   decimal serial number to match
 * @param issuerName issuer DN string to match
 * @param trust      "trust" to trust the CA, anything else to reset to VALID_CA
 * @throws EBaseException propagated from {@code getCertificate()}
 */
public void setRootCertTrust(String nickname, String serialno, String issuerName, String trust) throws EBaseException {
    X509Certificate found = getCertificate(nickname, serialno, issuerName);
    if (!(found instanceof InternalCertificate)) {
        return;
    }
    InternalCertificate internal = (InternalCertificate) found;
    int flags = trust.equals("trust")
            ? (InternalCertificate.TRUSTED_CA | InternalCertificate.TRUSTED_CLIENT_CA | InternalCertificate.VALID_CA)
            : InternalCertificate.VALID_CA;
    internal.setSSLTrust(flags);
}
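/**
 * Finds the certificate stored under {@code nickname} whose issuer DN string and
 * serial number match.
 * <p>
 * A "token:name" nickname loses its prefix when the token is the internal one.
 * A nickname with no ":" is now used unchanged; the original computed
 * {@code substring(0, -1)} and threw StringIndexOutOfBoundsException.
 *
 * @param nickname   nickname, optionally prefixed with "token:"
 * @param serialno   decimal serial number to match
 * @param issuerName issuer DN string to match
 * @return the matching certificate, or null when certificates exist under the
 *         nickname but none matches both issuer and serial number
 * @throws EBaseException if no certificate exists under the nickname, the crypto
 *                        manager is not initialized, or a token/decoding error occurs
 */
public X509Certificate getCertificate(String nickname, String serialno, String issuerName) throws EBaseException {
    int index = nickname.indexOf(":");
    String lookupName = nickname;
    if (index >= 0 && nickname.substring(0, index).equals(Constants.PR_INTERNAL_TOKEN_NAME)) {
        lookupName = nickname.substring(index + 1);
    }
    try {
        X509Certificate[] certs = CryptoManager.getInstance().findCertsByNickname(lookupName);
        if (certs == null || certs.length == 0) {
            EBaseException notFound = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", notFound.toString()));
            throw notFound;
        }
        for (int i = 0; i < certs.length; i++) {
            X509CertImpl impl = new X509CertImpl(certs[i].getEncoded());
            if (impl.getIssuerDN().toString().equals(issuerName) &&
                    impl.getSerialNumber().toString().equals(serialno)) {
                return certs[i];
            }
        }
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    }
    // certificates exist under the nickname, but none matched issuer + serial
    return null;
}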
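/**
 * Reports the trust bit of the certificate stored under {@code nickname} whose
 * issuer DN string and serial number match: "T" when the TRUSTED_CLIENT_CA bit is
 * set in its SSL trust flags, "U" when it is not, and "N/A" when the certificate
 * is not an {@code InternalCertificate}.
 * <p>
 * Two fixes over the original: a nickname with no ":" is used unchanged instead
 * of hitting {@code substring(0, -1)}, and when certificates exist under the
 * nickname but none matches, CMS_BASE_CERT_NOT_FOUND is reported instead of
 * indexing one past the end of the array (ArrayIndexOutOfBoundsException).
 *
 * @param nickname   nickname, optionally prefixed with "token:"
 * @param serialno   decimal serial number to match
 * @param issuerName issuer DN string to match
 * @return "T", "U" or "N/A"
 * @throws EBaseException if no matching certificate exists, the crypto manager is
 *                        not initialized, or a token/decoding error occurs
 */
public String getRootCertTrustBit(String nickname, String serialno, String issuerName) throws EBaseException {
    int index = nickname.indexOf(":");
    String lookupName = nickname;
    if (index >= 0 && nickname.substring(0, index).equals(Constants.PR_INTERNAL_TOKEN_NAME)) {
        lookupName = nickname.substring(index + 1);
    }
    try {
        X509Certificate[] certs = CryptoManager.getInstance().findCertsByNickname(lookupName);
        X509Certificate match = null;
        if (certs != null && certs.length > 0) {
            for (int i = 0; i < certs.length; i++) {
                X509CertImpl impl = new X509CertImpl(certs[i].getEncoded());
                if (impl.getIssuerDN().toString().equals(issuerName) &&
                        impl.getSerialNumber().toString().equals(serialno)) {
                    match = certs[i];
                    break;
                }
            }
        }
        if (match == null) {
            EBaseException notFound = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", notFound.toString()));
            throw notFound;
        }
        if (!(match instanceof InternalCertificate)) {
            return "N/A";
        }
        int flag = ((InternalCertificate) match).getSSLTrust();
        boolean trustedClientCa =
                (InternalCertificate.TRUSTED_CLIENT_CA & flag) == InternalCertificate.TRUSTED_CLIENT_CA;
        return trustedClientCa ? "T" : "U";
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    }
}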
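/**
 * Pretty-prints the certificate stored under {@code nickname} whose issuer DN
 * string and serial number match.
 * <p>
 * Two fixes over the original: a nickname with no ":" is used unchanged instead
 * of hitting {@code substring(0, -1)}, and when certificates exist under the
 * nickname but none matches, null is returned — the original kept the last
 * certificate examined and printed that unrelated certificate instead.
 *
 * @param nickname   nickname, optionally prefixed with "token:"
 * @param serialno   decimal serial number to match
 * @param issuerName issuer DN string to match
 * @param locale     locale for the pretty-printed text
 * @return the pretty-printed certificate, or null when no stored certificate
 *         matches both issuer and serial number
 * @throws EBaseException if no certificate exists under the nickname, the crypto
 *                        manager is not initialized, or a token/decoding error occurs
 */
public String getCertPrettyPrint(String nickname, String serialno, String issuerName, Locale locale) throws EBaseException {
    int index = nickname.indexOf(":");
    String lookupName = nickname;
    if (index >= 0 && nickname.substring(0, index).equals(Constants.PR_INTERNAL_TOKEN_NAME)) {
        lookupName = nickname.substring(index + 1);
    }
    try {
        X509Certificate[] certs = CryptoManager.getInstance().findCertsByNickname(lookupName);
        if (certs == null || certs.length == 0) {
            EBaseException notFound = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", notFound.toString()));
            throw notFound;
        }
        X509CertImpl match = null;
        for (int i = 0; i < certs.length; i++) {
            X509CertImpl impl = new X509CertImpl(certs[i].getEncoded());
            if (impl.getIssuerDN().toString().equals(issuerName) &&
                    impl.getSerialNumber().toString().equals(serialno)) {
                match = impl;
                break;
            }
        }
        if (match == null) {
            return null;
        }
        return new CertPrettyPrint(match).toString(locale);
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_PRINT_CERT", e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    }
}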
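/**
 * Pretty-prints the certificate stored under {@code nickname} that matches the
 * given issuer DN and serial number, followed by its fingerprints as produced
 * by {@link CMS#getFingerPrints(byte[])}.
 *
 * Fixes two problems of the earlier version: a non-matching issuer/serial pair
 * printed whichever certificate was examined last instead of failing, and the
 * fingerprint result was tested with {@code != ""} (reference comparison),
 * which does not detect an empty string computed at runtime.
 *
 * @param nickname   certificate nickname, optionally prefixed with
 *                   {@code "<token>:"}; the internal-token prefix is stripped
 *                   before the lookup, any other prefix is passed through unchanged
 * @param serialno   decimal serial number, compared against
 *                   {@code getSerialNumber().toString()}
 * @param issuerName issuer DN, compared as a plain string against
 *                   {@code getIssuerDN().toString()}
 * @param locale     locale handed to {@link CertPrettyPrint}
 * @return the pretty-print followed by a "Certificate Fingerprints:" section, or
 *         {@code null} if no fingerprints could be produced
 * @throws EBaseException if no certificate with that nickname exists, if none
 *                        of them matches issuer and serial, if the crypto
 *                        manager is not initialized, on token errors, on decode
 *                        errors, or if a fingerprint digest algorithm is missing
 */
public String getCertPrettyPrintAndFingerPrint(String nickname, String serialno,
        String issuerName, Locale locale) throws EBaseException {
    // Strip "<internal token>:"; a nickname without ':' is used unchanged
    // (substring(0, -1) used to throw an unchecked exception here).
    int sep = nickname.indexOf(":");
    if (sep >= 0 && nickname.substring(0, sep).equals(Constants.PR_INTERNAL_TOKEN_NAME)) {
        nickname = nickname.substring(sep + 1);
    }
    final String logKey = "CMSCORE_SECURITY_PRINT_CERT";
    try {
        X509Certificate[] certs = CryptoManager.getInstance().findCertsByNickname(nickname);
        if (certs == null || certs.length == 0) {
            EBaseException e = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
            throw e;
        }
        X509CertImpl match = null;
        for (int i = 0; i < certs.length && match == null; i++) {
            X509CertImpl candidate = new X509CertImpl(certs[i].getEncoded());
            if (candidate.getIssuerDN().toString().equals(issuerName)
                    && candidate.getSerialNumber().toString().equals(serialno)) {
                match = candidate;
            }
        }
        if (match == null) {
            // Never print an unrelated certificate that merely shares the nickname.
            EBaseException e = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
            throw e;
        }
        String fingerPrint = CMS.getFingerPrints(match.getEncoded());
        if (fingerPrint == null || fingerPrint.length() == 0) {
            // Keep the documented "nothing to show" result rather than emitting
            // a fingerprint section with no content.
            return null;
        }
        StringBuilder out = new StringBuilder(new CertPrettyPrint(match).toString(locale));
        out.append("\n").append("Certificate Fingerprints:").append('\n').append(fingerPrint);
        return out.toString();
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    } catch (NoSuchAlgorithmException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_NO_SUCH_ALGORITHM", e.toString()));
    }
}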
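/**
 * Pretty-prints the certificate stored under {@code nickname} whose notAfter
 * date equals {@code date}.
 *
 * The token is searched first; if it holds nothing under that nickname the
 * in-memory nickname-to-certificates table is consulted as a fallback. Earlier
 * versions printed the last certificate examined when no expiry date matched;
 * that case now fails with the same "not found" error as an unknown nickname.
 *
 * @param nickname full certificate nickname (no token-prefix stripping is done here)
 * @param date     expiry date in the format accepted by {@code mFormatter};
 *                 matched with {@link Date#equals}, i.e. millisecond-exact
 * @param locale   locale handed to {@link CertPrettyPrint}
 * @return the localized pretty-print of the matching certificate
 * @throws EBaseException if no certificate exists under the nickname, none of
 *                        them expires on that date, the date does not parse,
 *                        the crypto manager is not initialized, on token
 *                        errors, or if a certificate cannot be decoded
 */
public String getCertPrettyPrint(String nickname, String date,
        Locale locale) throws EBaseException {
    final String logKey = "CMSCORE_SECURITY_PRINT_CERT";
    try {
        X509Certificate[] certs = CryptoManager.getInstance().findCertsByNickname(nickname);
        if ((certs == null || certs.length == 0) && mNicknameMapCertsTable != null) {
            certs = mNicknameMapCertsTable.get(nickname);
        }
        if (certs == null || certs.length == 0) {
            EBaseException e = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
            throw e;
        }
        // NOTE(review): mFormatter is presumably a SimpleDateFormat (the file
        // imports it); those are not thread-safe when shared — confirm how it is held.
        Date wanted = mFormatter.parse(date);
        X509CertImpl match = null;
        for (int i = 0; i < certs.length && match == null; i++) {
            X509CertImpl candidate = new X509CertImpl(certs[i].getEncoded());
            if (candidate.getNotAfter().equals(wanted)) {
                match = candidate;
            }
        }
        if (match == null) {
            // Nickname known, but no certificate expires on the requested date.
            EBaseException e = new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
            log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
            throw e;
        }
        return new CertPrettyPrint(match).toString(locale);
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    } catch (ParseException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
    }
}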
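/**
 * Pretty-prints a base64 encoded certificate, or every certificate embedded in
 * a base64 encoded PKCS #7 SignedData blob.
 *
 * The input is first decoded as a single X.509 certificate; if that fails it is
 * re-read as PKCS #7. The PKCS #7 path only lists the embedded certificates —
 * the SignedData signature is not verified here, so the output must not be
 * taken as evidence that the blob is authentic.
 *
 * @param b64E   base64 text, with or without the {@code -----BEGIN/END-----}
 *               brackets
 * @param locale locale handed to {@link CertPrettyPrint} for every certificate;
 *               the PKCS #7 branch previously ignored it and used the JVM default
 * @return the concatenated pretty-print output
 * @throws EBaseException if neither decoding succeeds, if the PKCS #7 blob is
 *                        not a SignedData or carries no certificates, or on
 *                        I/O errors
 */
public String getCertPrettyPrint(String b64E, Locale locale) throws EBaseException {
    final String logKey = "CMSCORE_SECURITY_PRINT_CERT";
    try {
        try {
            byte[] der = KeyCertUtil.convertB64EToByteArray(b64E);
            return new CertPrettyPrint(new X509CertImpl(der)).toString(locale);
        } catch (CertificateException notASingleCert) {
            // Not a bare certificate: retry the same text as a PKCS #7 SignedData.
            String noHeader = CertUtils.stripCertBrackets(b64E);
            String normalized = CertUtils.normalizeCertStr(noHeader);
            byte[] data = Utils.base64decode(normalized);
            ContentInfo ci = (ContentInfo)
                    ASN1Util.decode(ContentInfo.getTemplate(), data);
            if (!ci.getContentType().equals(ContentInfo.SIGNED_DATA)) {
                throw new CertificateException(
                        "PKCS #7 structure is not a SignedData");
            }
            SignedData sd = (SignedData) ci.getInterpretedContent();
            if (!sd.hasCertificates()) {
                throw new CertificateException(
                        "No certificates in PKCS #7 structure");
            }
            SET certs = sd.getCertificates();
            StringBuilder content = new StringBuilder();
            for (int i = 0; i < certs.size(); i++) {
                Certificate cert = (Certificate) certs.elementAt(i);
                X509CertImpl certImpl = new X509CertImpl(ASN1Util.encode(cert));
                // Use the caller's locale, consistent with the single-certificate path.
                content.append(new CertPrettyPrint(certImpl).toString(locale));
            }
            return content.toString();
        }
    } catch (InvalidBERException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR",
                "Failed to decode"));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.getMessage()));
    } catch (IOException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ""));
    }
}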
/**
 * Builds the certificate template selected by {@code certType} from
 * {@code data} and signs it with {@code priKey}.
 *
 * Only the CA signing, OCSP signing, SSL server and RA-admin self-signed
 * types are supported; any other type is rejected before signing.
 *
 * @param data     key/certificate parameters; must hold the
 *                 {@code Constants.PR_SIGNATURE_ALGORITHM} entry as a
 *                 {@link SignatureAlgorithm}
 * @param certType one of the {@code Constants.PR_*_CERT} type names
 * @param priKey   private key used to sign the template
 * @return the signed certificate
 * @throws EBaseException for an unsupported type, a missing token, an
 *                        uninitialized crypto manager, or a PQG generation
 *                        failure
 */
public X509CertImpl getSignedCert(KeyCertData data, String certType, java.security.PrivateKey priKey)
        throws EBaseException {
    final String logKey = "CMSCORE_SECURITY_SIGN_CERT";
    CertificateInfo template = null;
    if (certType.equals(Constants.PR_CA_SIGNING_CERT)) {
        template = new CASigningCert(data);
    } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) {
        template = new OCSPSigningCert(data);
    } else if (certType.equals(Constants.PR_SERVER_CERT)) {
        template = new SSLCert(data);
    } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) {
        template = new SSLSelfSignedCert(data);
    }
    if (template == null) {
        // Unknown certificate type: nothing to sign.
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ""));
    }
    try {
        X509CertInfo info = template.getCertInfo();
        SignatureAlgorithm alg = (SignatureAlgorithm) data.get(Constants.PR_SIGNATURE_ALGORITHM);
        return KeyCertUtil.signCert(priKey, info, alg);
    } catch (NoSuchTokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (PQGParamGenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED"));
    }
}
/**
 * Reports whether the certificate stored under {@code fullNickname} carries a
 * BasicConstraints extension with {@code cA = TRUE}.
 *
 * Only the BasicConstraints flag is consulted: key usage (keyCertSign), the
 * extension's criticality and the chain are not examined here, so a
 * {@code true} result is not by itself proof of a trusted CA.
 *
 * @param fullNickname nickname as understood by {@code mCryptoManager}
 * @return {@code true} only when a BasicConstraints extension is present and
 *         its cA flag is set; {@code false} when the certificate has no
 *         extensions, no BasicConstraints, or the extension cannot be read
 * @throws EBaseException if the certificate does not exist, on token errors,
 *                        or if the certificate cannot be decoded
 */
public boolean isCACert(String fullNickname) throws EBaseException {
    final String logKey = "CMSCORE_SECURITY_IS_CA_CERT";
    try {
        X509Certificate stored = mCryptoManager.findCertByNickname(fullNickname);
        X509CertImpl impl = new X509CertImpl(stored.getEncoded());
        X509CertInfo info = (X509CertInfo) impl.get(
                X509CertImpl.NAME + "." + X509CertImpl.INFO);
        if (info == null) {
            return false;
        }
        CertificateExtensions exts = (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS);
        if (exts == null) {
            return false;
        }
        try {
            BasicConstraintsExtension bc = (BasicConstraintsExtension) exts
                    .get(BasicConstraintsExtension.NAME);
            if (bc == null) {
                return false;
            }
            Boolean isCa = (Boolean) bc.get(BasicConstraintsExtension.IS_CA);
            return isCa.booleanValue();
        } catch (IOException unreadableExtension) {
            // An unreadable BasicConstraints is treated as "not a CA".
            return false;
        }
    } catch (ObjectNotFoundException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR"));
    } catch (CertificateEncodingException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR"));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ""));
    } catch (IOException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_DECODE_CERT_FAILED"));
    }
}
/**
 * Returns the extensions of the certificate stored under {@code nickname} on
 * {@code tokenname}, translating every low-level failure into an
 * {@link EBaseException} with a user message.
 *
 * @param tokenname token holding the certificate
 * @param nickname  certificate nickname on that token
 * @return the certificate's extensions as returned by
 *         {@link KeyCertUtil#getExtensions(String, String)}
 * @throws EBaseException if the crypto manager is not initialized, on token
 *                        errors, if the certificate is not found, or if it
 *                        cannot be decoded
 */
public CertificateExtensions getExtensions(String tokenname, String nickname)
        throws EBaseException {
    final String logKey = "CMSCORE_SECURITY_GET_EXTENSIONS";
    try {
        return KeyCertUtil.getExtensions(tokenname, nickname);
    } catch (NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
    } catch (TokenException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR"));
    } catch (ObjectNotFoundException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_NOT_FOUND"));
    } catch (IOException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_DECODE_CERT_FAILED"));
    } catch (CertificateException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage(logKey, e.toString()));
        throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ""));
    }
}
/**
 * Validates a certificate extension specification by delegating to
 * {@link KeyCertUtil#checkCertificateExt(String)}.
 *
 * @param ext the extension specification to validate
 * @throws EBaseException if {@code KeyCertUtil} rejects it
 */
public void checkCertificateExt(String ext) throws EBaseException {
    KeyCertUtil.checkCertificateExt(ext);
}
/**
 * Intended to validate the requested key length for a certificate type.
 *
 * NOTE(review): this method is currently a no-op. The delegation to
 * {@code KeyCertUtil.checkKeyLength(keyType, keyLength, certType, minRSAKeyLen)}
 * is commented out below, so {@code minRSAKeyLen} is never enforced here and
 * no {@link EBaseException} is raised for an undersized key. Any caller that
 * treats this method as its key-size gate is not protected; either restore
 * the delegation (after confirming the current {@code KeyCertUtil} signature)
 * or enforce the minimum at the call site.
 *
 * @param keyType      key algorithm name
 * @param keyLength    requested key size in bits
 * @param certType     certificate type the key is for
 * @param minRSAKeyLen minimum acceptable RSA key size in bits (unused)
 * @throws EBaseException never, in the current implementation
 */
public void checkKeyLength(String keyType, int keyLength, String certType, int minRSAKeyLen) throws EBaseException {
// KeyCertUtil.checkKeyLength(keyType, keyLength, certType, minRSAKeyLen);
}
/**
 * Obtains DSA PQG parameters for the given key size via
 * {@link KeyCertUtil#getPQG(int)}.
 *
 * @param keysize DSA key size in bits
 * @return the parameters produced by {@code KeyCertUtil}
 */
public PQGParams getPQG(int keysize) {
    PQGParams params = KeyCertUtil.getPQG(keysize);
    return params;
}
/**
 * Obtains the CA's DSA PQG parameters for the given key size, consulting
 * {@code store} through {@link KeyCertUtil#getCAPQG(int, IConfigStore)}.
 *
 * @param keysize DSA key size in bits
 * @param store   configuration store passed through to {@code KeyCertUtil}
 * @return the parameters produced by {@code KeyCertUtil}
 * @throws EBaseException if {@code KeyCertUtil} fails
 */
public PQGParams getCAPQG(int keysize, IConfigStore store)
        throws EBaseException {
    PQGParams params = KeyCertUtil.getCAPQG(keysize, store);
    return params;
}
/**
 * Returns the extensions of the certificate stored under {@code nickname} on
 * {@code tokenname}.
 *
 * Unlike {@code getExtensions}, this variant does not log or wrap failures:
 * the underlying JSS and certificate exceptions reach the caller unchanged.
 *
 * @param tokenname token holding the certificate
 * @param nickname  certificate nickname on that token
 * @return the certificate's extensions
 * @throws NotInitializedException if the crypto manager is not initialized
 * @throws TokenException          on token errors
 * @throws ObjectNotFoundException if the certificate is not found
 * @throws IOException             if the certificate cannot be read
 * @throws CertificateException    if the certificate cannot be decoded
 */
public CertificateExtensions getCertExtensions(String tokenname, String nickname)
        throws NotInitializedException, TokenException, ObjectNotFoundException,
        IOException, CertificateException {
    CertificateExtensions exts = KeyCertUtil.getExtensions(tokenname, nickname);
    return exts;
}
}
/**
 * Package-private subclass of JSS's {@code DatabaseCloser} that exposes the
 * ability to close the NSS certificate/key databases to this package.
 *
 * Construction may fail with whatever {@code DatabaseCloser}'s constructor
 * throws; it is surfaced unchanged.
 */
class JSSDatabaseCloser extends org.mozilla.jss.DatabaseCloser {

    /**
     * Creates the closer.
     *
     * @throws Exception if the JSS base constructor fails
     */
    public JSSDatabaseCloser() throws Exception {
        super();
    }

    /** Closes the NSS databases; simply forwards to the JSS implementation. */
    @Override
    public void closeDatabases() {
        super.closeDatabases();
    }
}