use of org.mozilla.jss.CryptoManager in project OpenAM by OpenRock.
the class JSSInit method initialize.
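/**
 * Initialises the JSS {@code CryptoManager} once per JVM from the
 * {@code SystemPropertiesManager} settings: NSS cert/key database directory
 * and prefix, an optional password file, FIPS mode and OCSP checking.
 * On success the internal key-storage token becomes the thread token and
 * {@code initialized} is set; on failure the cause is logged at error level
 * and the method returns {@code false} so the caller can fall back.
 *
 * The password file is read only once, its stream is always closed, and only
 * its path (never its contents) is written to the debug log.
 *
 * @return {@code true} once JSS is initialised (also on repeated calls),
 *         {@code false} if initialisation failed
 */
public static synchronized boolean initialize() {
    if (initialized) {
        return true;
    }
    final String method = "JSSInit.initialize";

    // Location and prefix of the NSS certificate/key databases.
    String certdbDir = SystemPropertiesManager.get("com.iplanet.am.admin.cli.certdb.dir");
    if (certdbDir == null) {
        certdbDir = defaultDBdir;
    }
    String certdbPrefix = SystemPropertiesManager.get("com.iplanet.am.admin.cli.certdb.prefix");
    if (certdbPrefix == null) {
        certdbPrefix = "";
    }

    // When true, JSS is NOT installed as the highest-priority JCE provider by
    // CryptoManager.initialize(); it is appended to the provider list afterwards
    // so that other already-installed providers keep precedence.
    boolean donotInstallJSSProviderAt0 = Boolean.valueOf(
            SystemPropertiesManager.get("com.sun.identity.jss.donotInstallAtHighestPriority", "false"))
            .booleanValue();
    String passfile = SystemPropertiesManager.get("com.iplanet.am.admin.cli.certdb.passfile");
    String ocspCheckValue = SystemPropertiesManager.get("com.sun.identity.authentication.ocspCheck");
    String fipsMode = SystemPropertiesManager.get("com.sun.identity.security.fipsmode", null);

    // Blank OCSP settings are treated as unset.
    if (ocspCheckValue != null && ocspCheckValue.trim().length() == 0) {
        ocspCheckValue = null;
    }
    boolean ocspCheck = (ocspCheckValue != null && ocspCheckValue.equalsIgnoreCase("true"));
    String responderURL = SystemPropertiesManager.get("com.sun.identity.authentication.ocsp.responder.url");
    if (responderURL != null && responderURL.trim().length() == 0) {
        responderURL = null;
    }
    String responderNickName =
            SystemPropertiesManager.get("com.sun.identity.authentication.ocsp.responder.nickname");
    if (responderNickName != null && responderNickName.trim().length() == 0) {
        responderNickName = null;
    }

    if (debug.messageEnabled()) {
        // Only the password file path is logged here; the password itself never is.
        debug.message(method + "certdbDir = " + certdbDir);
        debug.message(method + "certdbPrefix = " + certdbPrefix);
        debug.message(method + "certdbPassfile = " + passfile);
        debug.message(method + "responderURL = " + responderURL);
        debug.message(method + "responderNickName = " + responderNickName);
        debug.message(method + "fipsMode = " + fipsMode);
    }

    // The token password is the first line of the password file. The reader is
    // closed in all cases; the original code leaked the FileInputStream.
    String password = null;
    if (passfile != null) {
        BufferedReader br = null;
        try {
            // NOTE(review): decoded with the platform default charset, as before;
            // a non-ASCII password therefore depends on the JVM's file.encoding.
            br = new BufferedReader(new InputStreamReader(new FileInputStream(passfile)));
            password = br.readLine();
        } catch (Exception ex) {
            // An unreadable password file makes the FIPS token login below fail,
            // so report it at error level rather than only in message-level debug.
            debug.error(method + "Unable to read JSS password file " + passfile, ex);
        } finally {
            if (br != null) {
                try {
                    br.close();
                } catch (Exception ignored) {
                    // nothing useful to do if close fails after the read
                }
            }
        }
    }

    String keydbPrefix = certdbPrefix;
    String moddb = "secmod.db";
    try {
        cm = CryptoManager.getInstance();
    } catch (CryptoManager.NotInitializedException exp) {
        try {
            CryptoManager.InitializationValues iv;
            if (certdbPrefix.length() == 0) {
                iv = new CryptoManager.InitializationValues(certdbDir);
            } else {
                iv = new CryptoManager.InitializationValues(certdbDir, certdbPrefix, keydbPrefix, moddb);
            }
            if (debug.messageEnabled()) {
                debug.message(method + "output of Initilization values ");
                debug.message(method + "Manufacturer ID: " + iv.getManufacturerID());
                debug.message(method + "Library: " + iv.getLibraryDescription());
                debug.message(method + "Internal Slot: " + iv.getInternalSlotDescription());
                debug.message(method + "Internal Token: " + iv.getInternalTokenDescription());
                // Previously printed the FIPS key-storage slot under this label (copy/paste).
                debug.message(method + "Key Storage Slot: " + iv.getInternalKeyStorageSlotDescription());
                debug.message(method + "Key Storage Token: " + iv.getInternalKeyStorageTokenDescription());
                debug.message(method + "FIPS Slot: " + iv.getFIPSSlotDescription());
                debug.message(method + "FIPS Key Storage: " + iv.getFIPSKeyStorageSlotDescription());
            }

            // FIPS mode: unset leaves the NSS database's current setting; "true"/"false"
            // force it; any other value leaves the InitializationValues default.
            if (fipsMode == null) {
                iv.fipsMode = CryptoManager.InitializationValues.FIPSMode.UNCHANGED;
            } else if (fipsMode.equalsIgnoreCase("true")) {
                iv.fipsMode = CryptoManager.InitializationValues.FIPSMode.ENABLED;
            } else if (fipsMode.equalsIgnoreCase("false")) {
                iv.fipsMode = CryptoManager.InitializationValues.FIPSMode.DISABLED;
            }
            iv.removeSunProvider = false;
            // Keep other providers ahead of JSS; JSS is added at the end below.
            if (donotInstallJSSProviderAt0) {
                iv.installJSSProvider = false;
            }
            // Databases are opened read-only: the server never writes to the NSS DB.
            iv.readOnly = true;
            iv.ocspCheckingEnabled = ocspCheck;
            // A global responder is only configured when both URL and nickname
            // are present; with OCSP enabled and no global responder, JSS decides
            // the responder from the certificate itself.
            if (ocspCheck && responderURL != null && responderNickName != null) {
                iv.ocspResponderCertNickname = responderNickName;
                iv.ocspResponderURL = responderURL;
            }
            CryptoManager.initialize(iv);

            // Append JSS to the JCE provider list (lowest priority) when it was
            // deliberately not installed at position 0 above.
            if (donotInstallJSSProviderAt0) {
                Provider provider;
                try {
                    provider = (Provider) Class.forName("org.mozilla.jss.JSSProvider").newInstance();
                } catch (ClassNotFoundException e) {
                    provider = (Provider) Class.forName("org.mozilla.jss.provider.Provider").newInstance();
                }
                Security.addProvider(provider);
            }

            cm = CryptoManager.getInstance();
            if (password != null) {
                cm.setPasswordCallback(new JSSPasswordCallback(password));
            }
            token = cm.getInternalKeyStorageToken();
            boolean fipsEnabled = cm.FIPSEnabled();
            // In FIPS mode the key-storage token must be logged in up front;
            // otherwise the password callback is consulted on demand.
            if (fipsEnabled) {
                token.login(cm.getPasswordCallback());
            }
            cm.setThreadToken(token);
            if (debug.messageEnabled()) {
                debug.message(method + (fipsEnabled ? "FIPS enabled." : "FIPS not enabled."));
            }
            initialized = true;
        } catch (KeyDatabaseException kdbe) {
            debug.error(method + "Couldn't open the key database.", kdbe);
        } catch (CertDatabaseException cdbe) {
            debug.error(method + "Couldn't open the certificate database.", cdbe);
        } catch (AlreadyInitializedException aie) {
            debug.error(method + "CryptoManager already initialized.", aie);
        } catch (Exception e) {
            debug.error(method + "Exception occurred: ", e);
        }
    }
    return initialized;
}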
use of org.mozilla.jss.CryptoManager in project OpenAM by OpenRock.
the class JSSEncryption method findToken.
/**
 * Selects the first crypto token that supports the default encryption
 * algorithm and every key-generation algorithm listed in {@code KEYGEN_ALGS}.
 * The CryptoManager always offers at least the "Internal Key Storage Token".
 *
 * @return the first qualifying token, or {@code null} if none supports all
 *         required algorithms
 * @throws CryptoManager.NotInitializedException if JSS has not been initialised
 */
private static CryptoToken findToken() throws CryptoManager.NotInitializedException {
    CryptoManager manager = CryptoManager.getInstance();
    Enumeration candidates =
            manager.getTokensSupportingAlgorithm(getEncryptionAlg(DEFAULT_ENCYPTION_ALG));
    while (candidates.hasMoreElements()) {
        CryptoToken candidate = (CryptoToken) candidates.nextElement();
        if (supportsAllKeyGenAlgs(candidate)) {
            return candidate;
        }
    }
    // No token satisfies every required algorithm.
    return null;
}

/** Returns {@code true} only if {@code tok} supports every algorithm in {@code KEYGEN_ALGS}. */
private static boolean supportsAllKeyGenAlgs(CryptoToken tok) {
    for (int idx = 0; idx < NUM_KEYGEN_ALG; idx++) {
        if (!tok.doesAlgorithm(getKeyGenAlg(KEYGEN_ALGS[idx]))) {
            return false;
        }
    }
    return true;
}
use of org.mozilla.jss.CryptoManager in project OpenAM by OpenRock.
the class Cert method doJSSRevocationValidation.
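/**
 * Checks the revocation status of {@code cert} using JSS: a CRL fetched via
 * {@code AMCRLStore} when {@code crlEnabled}, and/or
 * {@code CryptoManager.isCertValid()} when {@code ocspEnabled}. When
 * {@code amAuthCert_validateCA} is "true" the check is repeated up the issuer
 * chain until a root CA or an unresolvable issuer is reached.
 *
 * Fail-closed: the result is {@code LOGIN_SUCCEED} only if every enabled check
 * passes. A missing CRL, a CRL revocation, a negative {@code isCertValid()}
 * answer, or an exception during validation all yield {@code LOGIN_IGNORE}.
 * In particular a positive OCSP/chain answer can no longer override a CRL
 * revocation, which the previous code allowed.
 *
 * @param cert the certificate to validate
 * @return {@code ISAuthConstants.LOGIN_SUCCEED} or {@code ISAuthConstants.LOGIN_IGNORE}
 */
private int doJSSRevocationValidation(X509Certificate cert) {
    int ret = ISAuthConstants.LOGIN_IGNORE;
    boolean validateCA = amAuthCert_validateCA.equalsIgnoreCase("true");

    // CRL check: an unavailable CRL or a revoked entry leaves ret at LOGIN_IGNORE.
    if (crlEnabled) {
        X509CRL crl = AMCRLStore.getCRL(ldapParam, cert, amAuthCert_chkAttributesCRL);
        if (crl != null && !crl.isRevoked(cert)) {
            ret = ISAuthConstants.LOGIN_SUCCEED;
        }
    }
    // Remember the CRL verdict so the OCSP step below cannot overturn a revocation.
    boolean crlPassed = !crlEnabled || ret == ISAuthConstants.LOGIN_SUCCEED;

    /*
     * OCSP validation via CryptoManager.isCertValid(); OCSP is one step of that
     * validation. The responder is chosen as follows:
     *   1. the global OCSP responder, if configured;
     *   2. the OCSP responder named in the user's certificate, if present;
     *   3. none -- isCertValid() then performs NO OCSP check and only validates
     *      the chain, which is why the CRL verdict above must still hold.
     */
    if (ocspEnabled) {
        try {
            CryptoManager cm = CryptoManager.getInstance();
            boolean valid = cm.isCertValid(cert.getEncoded(), true, CryptoManager.CertUsage.SSLClient);
            if (valid) {
                debug.message("cert is valid");
            }
            ret = (valid && crlPassed) ? ISAuthConstants.LOGIN_SUCCEED : ISAuthConstants.LOGIN_IGNORE;
        } catch (Exception e) {
            // Fail closed: an error in OCSP/chain validation must not let a
            // CRL-only pass stand when the administrator has enabled OCSP.
            debug.error("certValidation failed with exception", e);
            ret = ISAuthConstants.LOGIN_IGNORE;
        }
    }

    if (ret == ISAuthConstants.LOGIN_SUCCEED && (crlEnabled || ocspEnabled) && validateCA
            && !AMCertStore.isRootCA(cert)) {
        /*
         * The trust anchor is not necessarily a certificate but may be a trusted
         * public-key entry in the trust store. Only walk up the chain when
         * AMCertStore can return a non-null issuer certificate; otherwise the
         * verdict for this certificate is the final answer.
         */
        X509Certificate issuerCertificate =
                AMCertStore.getIssuerCertificate(ldapParam, cert, amAuthCert_chkAttrCertInLDAP);
        if (issuerCertificate != null) {
            ret = doJSSRevocationValidation(issuerCertificate);
        }
    }
    return ret;
}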