1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
|
// --- BEGIN COPYRIGHT BLOCK ---
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; version 2 of the License.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// (C) 2007 Red Hat, Inc.
// All rights reserved.
// --- END COPYRIGHT BLOCK ---
package com.netscape.certsrv.security;
import org.mozilla.jss.crypto.*;
import org.mozilla.jss.*;
import org.mozilla.jss.CryptoManager.*;
import java.io.*;
import java.security.*;
import java.util.*;
import java.security.*;
import java.security.cert.*;
import netscape.security.x509.*;
import com.netscape.certsrv.base.*;
import com.netscape.certsrv.common.*;
/**
* This interface represents the cryptographics subsystem
* that provides all the security related functions.
*
* @version $Revision$, $Date$
*/
public interface ICryptoSubsystem extends ISubsystem {
public static final String ID = "jss";
/**
* Retrieves a list of nicknames of certificates that are
* in the installed tokens.
*
* @return a list of comma-separated nicknames
* @exception EBaseException failed to retrieve nicknames
*/
public String getAllCerts() throws EBaseException;
/**
* Retrieves certificate in pretty-print format by the nickname.
*
* @param nickname nickname of certificate
* @param date not after of the returned certificate must be date
* @param locale user locale
* @return certificate in pretty-print format
* @exception EBaseException failed to retrieve certificate
*/
public String getCertPrettyPrint(String nickname, String date,
Locale locale) throws EBaseException;
public String getRootCertTrustBit(String nickname, String serialno,
String issuerName) throws EBaseException;
public String getCertPrettyPrint(String nickname, String serialno,
String issuername, Locale locale) throws EBaseException;
public String getCertPrettyPrintAndFingerPrint(String nickname, String serialno,
String issuername, Locale locale) throws EBaseException;
/**
* Retrieves the certificate in the pretty print format.
*
* @param b64E certificate in mime-64 encoded format
* @param locale end user locale
* @return certificate in pretty-print format
* @exception EBaseException failed to retrieve certificate
*/
public String getCertPrettyPrint(String b64E, Locale locale)
throws EBaseException;
/**
* Imports certificate into the server.
*
* @param b64E certificate in mime-64 encoded format
* @param nickname nickname for the importing certificate
* @param certType certificate type
* @exception EBaseException failed to import certificate
*/
public void importCert(String b64E, String nickname, String certType)
throws EBaseException;
/**
* Imports certificate into the server.
*
* @param signedCert certificate
* @param nickname nickname for the importing certificate
* @param certType certificate type
* @exception EBaseException failed to import certificate
*/
public void importCert(X509CertImpl signedCert, String nickname,
String certType) throws EBaseException;
/**
* Generates a key pair based on the given parameters.
*
* @param properties key parameters
* @return key pair
* @exception EBaseException failed to generate key pair
*/
public KeyPair getKeyPair(KeyCertData properties) throws EBaseException;
/**
* Retrieves the key pair based on the given nickname.
*
* @param nickname nickname of the public key
* @exception EBaseException failed to retrieve key pair
*/
public KeyPair getKeyPair(String nickname) throws EBaseException;
/**
* Generates a key pair based on the given parameters.
*
* @param tokenName name of token where key is generated
* @param alg key algorithm
* @param keySize key size
* @return key pair
* @exception EBaseException failed to generate key pair
*/
public KeyPair getKeyPair(String tokenName, String alg,
int keySize) throws EBaseException;
/**
* Generates a key pair based on the given parameters.
*
* @param tokenName name of token where key is generated
* @param alg key algorithm
* @param keySize key size
* @param pqg pqg parameters if DSA key, otherwise null
* @return key pair
* @exception EBaseException failed to generate key pair
*/
public KeyPair getKeyPair(String tokenName, String alg,
int keySize, PQGParams pqg) throws EBaseException;
/**
* Generates an ECC key pair based on the given parameters.
*
* @param properties key parameters
* @return key pair
* @exception EBaseException failed to generate key pair
*/
public KeyPair getECCKeyPair(KeyCertData properties) throws EBaseException;
/**
* Generates an ECC key pair based on the given parameters.
*
* @param token token name
* @param curveName curve name
* @param certType type of cert(sslserver etc..)
* @return key pair
* @exception EBaseException failed to generate key pair
*/
public KeyPair getECCKeyPair(String token, String curveName, String certType) throws EBaseException;
/**
* Retrieves the signature algorithm of the certificate named
* by the given nickname.
*
* @param nickname nickname of the certificate
* @return signature algorithm
* @exception EBaseException failed to retrieve signature
*/
public String getSignatureAlgorithm(String nickname) throws EBaseException;
/**
* Checks if the given dn is a valid distinguished name.
*
* @param dn distinguished name
* @exception EBaseException failed to check
*/
public void isX500DN(String dn) throws EBaseException;
/**
* Retrieves CA's signing algorithm id. If it is DSA algorithm,
* algorithm is constructed by reading the parameters
* ca.dsaP, ca.dsaQ, ca.dsaG.
*
* @param algname DSA or RSA
* @param store configuration store.
* @return algorithm id
* @exception EBaseException failed to retrieve algorithm id
*/
public AlgorithmId getAlgorithmId(String algname, IConfigStore store) throws EBaseException;
/**
* Retrieves subject name of the certificate that is identified by
* the given nickname.
*
* @param tokenname name of token where the nickname is valid
* @param nickname nickname of the certificate
* @return subject name
* @exception EBaseException failed to get subject name
*/
public String getCertSubjectName(String tokenname, String nickname)
throws EBaseException;
/**
* Retrieves extensions of the certificate that is identified by
* the given nickname.
*
* @param tokenname name of token where the nickname is valid
* @param nickname nickname of the certificate
* @return certificate extensions
* @exception EBaseException failed to get extensions
*/
public CertificateExtensions getExtensions(String tokenname, String nickname
)
throws EBaseException;
/**
* Deletes certificate of the given nickname.
*
* @param nickname nickname of the certificate
* @param pathname path where a copy of the deleted certificate is stored
* @exception EBaseException failed to delete certificate
*/
public void deleteTokenCertificate(String nickname, String pathname)
throws EBaseException;
/**
* Delete certificate of the given nickname.
*
* @param nickname nickname of the certificate
* @param notAfterTime The notAfter of the certificate. It
* is possible to ge t multiple certificates under
* the same nickname. If one of the certificates match
* the notAfterTime, then the certificate will get
* deleted. The format of the notAfterTime has to be
* in "MMMMM dd, yyyy HH:mm:ss" format.
* @exception EBaseException failed to delete certificate
*/
public void deleteCert(String nickname, String notAfterTime)
throws EBaseException;
/**
* Retrieves the subject DN of the certificate identified by
* the nickname.
*
* @param nickname nickname of the certificate
* @return subject distinguished name
* @exception EBaseException failed to retrieve subject DN
*/
public String getSubjectDN(String nickname) throws EBaseException;
/**
* Trusts a certificate for all available purposes.
*
* @param nickname nickname of the certificate
* @param date certificate's not before
* @param trust "Trust" or other
* @exception EBaseException failed to trust certificate
*/
public void trustCert(String nickname, String date, String trust)
throws EBaseException;
/**
* Checks if the given base-64 encoded string contains an extension
* or a sequence of extensions.
*
* @param ext extension or sequence of extension encoded in base-64
* @exception EBaseException failed to check encoding
*/
public void checkCertificateExt(String ext) throws EBaseException;
/**
* Gets all certificates on all tokens for Certificate Database Management.
*
* @return all certificates
* @exception EBaseException failed to retrieve certificates
*/
public NameValuePairs getAllCertsManage() throws EBaseException;
public NameValuePairs getUserCerts() throws EBaseException;
/**
* Gets all CA certificates on all tokens.
*
* @return all CA certificates
* @exception EBaseException failed to retrieve certificates
*/
public NameValuePairs getCACerts() throws EBaseException;
public NameValuePairs getRootCerts() throws EBaseException;
public void setRootCertTrust(String nickname, String serialno,
String issuername, String trust) throws EBaseException;
public void deleteRootCert(String nickname, String serialno,
String issuername) throws EBaseException;
public void deleteUserCert(String nickname, String serialno,
String issuername) throws EBaseException;
/**
* Retrieves PQG parameters based on key size.
*
* @param keysize key size
* @return pqg parameters
*/
public PQGParams getPQG(int keysize);
/**
* Retrieves PQG parameters based on key size.
*
* @param keysize key size
* @param store configuration store
* @return pqg parameters
*/
public PQGParams getCAPQG(int keysize, IConfigStore store)
throws EBaseException;
/**
* Retrieves extensions of the certificate that is identified by
* the given nickname.
*
* @param tokenname token name
* @param nickname nickname
* @return certificate extensions
*/
public CertificateExtensions getCertExtensions(String tokenname, String nickname
)
throws NotInitializedException, TokenException, ObjectNotFoundException,
IOException, CertificateException;
/**
* Checks if the given token is logged in.
*
* @param name token name
* @return true if token is logged in
* @exception EBaseException failed to login
*/
public boolean isTokenLoggedIn(String name) throws EBaseException;
/**
* Logs into token.
*
* @param tokenName name of the token
* @param pwd token password
* @exception EBaseException failed to login
*/
public void loggedInToken(String tokenName, String pwd)
throws EBaseException;
/**
* Generates certificate request from the given key pair.
*
* @param subjectName subject name to use in the request
* @param kp key pair that contains public key material
* @return certificate request in base-64 encoded format
* @exception EBaseException failed to generate request
*/
public String getCertRequest(String subjectName, KeyPair kp)
throws EBaseException;
/**
* Checks if fortezza is enabled.
*
* @return "true" if fortezza is enabled
*/
public String isCipherFortezza() throws EBaseException;
/**
* Retrieves the SSL cipher version.
*
* @return cipher version (i.e. "cipherdomestic")
*/
public String getCipherVersion() throws EBaseException;
/**
* Retrieves the cipher preferences.
*
* @return cipher preferences (i.e. "rc4export,rc2export,...")
*/
public String getCipherPreferences() throws EBaseException;
/**
* Sets the current SSL cipher preferences.
*
* @param cipherPrefs cipher preferences (i.e. "rc4export,rc2export,...")
* @exception EBaseException failed to set cipher preferences
*/
public void setCipherPreferences(String cipherPrefs)
throws EBaseException;
/**
* Retrieves a list of currently registered token names.
*
* @return list of token names
* @exception EBaseException failed to retrieve token list
*/
public String getTokenList() throws EBaseException;
/**
* Retrieves all certificates. The result list will not
* contain the token tag.
*
* @param name token name
* @return list of certificates without token tag
* @exception EBaseException failed to retrieve
*/
public String getCertListWithoutTokenName(String name) throws EBaseException;
/**
* Retrieves the token name of the internal (software) token.
*
* @return the token name
* @exception EBaseException failed to retrieve token name
*/
public String getInternalTokenName() throws EBaseException;
/**
* Checks to see if the certificate of the given nickname is a
* CA certificate.
*
* @param fullNickname nickname of the certificate to check
* @return true if it is a CA certificate
* @exception EBaseException failed to check
*/
public boolean isCACert(String fullNickname) throws EBaseException;
/**
* Adds the specified number of bits of entropy from the system
* entropy generator to the RNG of the default PKCS#11 RNG token.
* The default token is set using the modutil command.
* Note that the system entropy generator (usually /dev/random)
* will block until sufficient entropy is collected.
*
* @param bits number of bits of entropy
* @exception org.mozilla.jss.util.NotImplementedException If the Crypto device does not support
* adding entropy
* @exception TokenException If there was some other problem with the Crypto device
* @exception IOException If there was a problem reading from the /dev/random
*/
public void addEntropy(int bits)
throws org.mozilla.jss.util.NotImplementedException,
IOException,
TokenException;
/**
* Signs the certificate template into the given data and returns
* a signed certificate.
*
* @param data data that contains certificate template
* @param certType certificate type
* @param priKey CA signing key
* @return certificate
* @exception EBaseException failed to sign certificate template
*/
public X509CertImpl getSignedCert(KeyCertData data, String certType, java.security.PrivateKey priKey) throws EBaseException;
}
|
