
Example 1 with CryptoManager

use of org.mozilla.jss.CryptoManager in project OpenAM by OpenRock.

the class JSSInit method initialize.

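/**
 * Initializes JSS once per JVM: opens the NSS certificate/key databases named by the
 * {@code com.iplanet.am.admin.cli.certdb.*} properties, applies the FIPS and OCSP settings,
 * optionally registers the JSS JCE provider, and selects the internal key-storage token.
 * <p>
 * The first successful run sets {@code initialized}; later calls return {@code true} at once.
 * The key-database password, when {@code com.iplanet.am.admin.cli.certdb.passfile} is set, is the
 * first line of that file.
 *
 * @return {@code true} if the CryptoManager is initialized by this class, {@code false} if
 *         initialization failed (the failure is logged through {@code debug})
 */
public static synchronized boolean initialize() {
    if (initialized) {
        return true;
    }
    final String method = "JSSInit.initialize";
    // JSS, initialize cert db
    String certdbDir = SystemPropertiesManager.get("com.iplanet.am.admin.cli.certdb.dir");
    if (certdbDir == null) {
        certdbDir = defaultDBdir;
    }
    String certdbPrefix = SystemPropertiesManager.get("com.iplanet.am.admin.cli.certdb.prefix");
    if (certdbPrefix == null) {
        certdbPrefix = "";
    }
    // When set, CryptoManager.initialize() does not install the JSS provider at the highest
    // priority; the provider is appended to the JCE provider list after initialization instead.
    boolean donotInstallJSSProviderAt0 = Boolean.parseBoolean(
            SystemPropertiesManager.get("com.sun.identity.jss.donotInstallAtHighestPriority", "false"));
    String passfile = SystemPropertiesManager.get("com.iplanet.am.admin.cli.certdb.passfile");
    // Blank OCSP settings are treated exactly like unset ones.
    String ocspCheckValue = blankToNull(
            SystemPropertiesManager.get("com.sun.identity.authentication.ocspCheck"));
    String fipsMode = SystemPropertiesManager.get("com.sun.identity.security.fipsmode", null);
    boolean ocspCheck = "true".equalsIgnoreCase(ocspCheckValue);
    String responderURL = blankToNull(
            SystemPropertiesManager.get("com.sun.identity.authentication.ocsp.responder.url"));
    String responderNickName = blankToNull(
            SystemPropertiesManager.get("com.sun.identity.authentication.ocsp.responder.nickname"));
    if (debug.messageEnabled()) {
        debug.message(method + "certdbDir = " + certdbDir);
        debug.message(method + "certdbPrefix = " + certdbPrefix);
        debug.message(method + "certdbPassfile = " + passfile);
        debug.message(method + "responderURL = " + responderURL);
        debug.message(method + "responderNickName = " + responderNickName);
        debug.message(method + "fipsMode = " + fipsMode);
    }
    // Only the path of the password file is logged above, never its contents.
    String password = (passfile == null) ? null : readPasswordFile(passfile, method);
    String keydbPrefix = certdbPrefix;
    String moddb = "secmod.db";
    try {
        cm = CryptoManager.getInstance();
        // NOTE(review): when CryptoManager was already initialized elsewhere we land here,
        // `initialized` stays false and this method returns false — confirm that is intended.
    } catch (CryptoManager.NotInitializedException exp) {
        try {
            CryptoManager.InitializationValues iv;
            if (certdbPrefix.isEmpty()) {
                iv = new CryptoManager.InitializationValues(certdbDir);
            } else {
                iv = new CryptoManager.InitializationValues(certdbDir, certdbPrefix, keydbPrefix, moddb);
            }
            if (debug.messageEnabled()) {
                debug.message(method + "output of Initilization values ");
                debug.message(method + "Manufacturer ID: " + iv.getManufacturerID());
                debug.message(method + "Library: " + iv.getLibraryDescription());
                debug.message(method + "Internal Slot: " + iv.getInternalSlotDescription());
                debug.message(method + "Internal Token: " + iv.getInternalTokenDescription());
                // NOTE(review): "Key Storage Slot" and "FIPS Key Storage" both log
                // getFIPSKeyStorageSlotDescription(); the first probably meant the internal
                // key-storage slot — confirm against the JSS API before changing.
                debug.message(method + "Key Storage Slot: " + iv.getFIPSKeyStorageSlotDescription());
                debug.message(method + "Key Storage Token: " + iv.getInternalKeyStorageTokenDescription());
                debug.message(method + "FIPS Slot: " + iv.getFIPSSlotDescription());
                debug.message(method + "FIPS Key Storage: " + iv.getFIPSKeyStorageSlotDescription());
            }
            // Unset -> leave the token's FIPS state as is; any value other than true/false
            // leaves iv.fipsMode at the JSS default.
            if (fipsMode == null) {
                iv.fipsMode = CryptoManager.InitializationValues.FIPSMode.UNCHANGED;
            } else if (fipsMode.equalsIgnoreCase("true")) {
                iv.fipsMode = CryptoManager.InitializationValues.FIPSMode.ENABLED;
            } else if (fipsMode.equalsIgnoreCase("false")) {
                iv.fipsMode = CryptoManager.InitializationValues.FIPSMode.DISABLED;
            }
            iv.removeSunProvider = false;
            // if other providers are being used
            if (donotInstallJSSProviderAt0) {
                iv.installJSSProvider = false;
            }
            // set open mode of the databases
            iv.readOnly = true;
            // enable OCSP
            iv.ocspCheckingEnabled = ocspCheck;
            // responderURL & responderNickname must both be present
            if (ocspCheck && responderURL != null && responderNickName != null) {
                iv.ocspResponderCertNickname = responderNickName;
                iv.ocspResponderURL = responderURL;
            }
            CryptoManager.initialize(iv);
            // add it to the list of JCE providers at the end
            if (donotInstallJSSProviderAt0) {
                Security.addProvider(loadJssProvider());
            }
            cm = CryptoManager.getInstance();
            if (password != null) {
                cm.setPasswordCallback(new JSSPasswordCallback(password));
            }
            token = cm.getInternalKeyStorageToken();
            // In FIPS mode the key-storage token must be logged in before use.
            if (cm.FIPSEnabled()) {
                token.login(cm.getPasswordCallback());
            }
            cm.setThreadToken(token);
            if (debug.messageEnabled()) {
                if (cm.FIPSEnabled()) {
                    debug.message(method + "FIPS enabled.");
                } else {
                    debug.message(method + "FIPS not enabled.");
                }
            }
            initialized = true;
        } catch (KeyDatabaseException kdbe) {
            debug.error(method + "Couldn't open the key database.", kdbe);
        } catch (CertDatabaseException cdbe) {
            debug.error(method + "Couldn't open the certificate database.", cdbe);
        } catch (AlreadyInitializedException aie) {
            debug.error(method + "CryptoManager already initialized.", aie);
        } catch (Exception e) {
            debug.error(method + "Exception occurred: ", e);
        }
    }
    return initialized;
}

/**
 * Maps a blank (empty or whitespace-only) setting to {@code null}.
 *
 * @param value the raw property value, possibly {@code null}
 * @return {@code null} for {@code null} or blank input, otherwise {@code value} unchanged
 */
private static String blankToNull(String value) {
    if (value != null && value.trim().isEmpty()) {
        return null;
    }
    return value;
}

/**
 * Reads the first line of the JSS password file.
 * <p>
 * The stream is closed on every path; the previous implementation leaked the file handle.
 * The file is decoded with the platform default charset, as before.
 *
 * @param passfile path of the password file
 * @param method   log prefix of the caller
 * @return the first line, or {@code null} if the file is empty or cannot be read
 *         (the failure is logged as an error because the key database cannot be unlocked without it)
 */
private static String readPasswordFile(String passfile, String method) {
    try (BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(passfile)))) {
        return br.readLine();
    } catch (IOException | SecurityException ex) {
        debug.error(method + "Unable to read JSS password file " + passfile, ex);
        return null;
    }
}

/**
 * Instantiates the JSS JCE provider, preferring the newer {@code org.mozilla.jss.JSSProvider}
 * class and falling back to {@code org.mozilla.jss.provider.Provider}.
 *
 * @return a new provider instance
 * @throws ReflectiveOperationException if neither class can be loaded or instantiated
 */
private static Provider loadJssProvider() throws ReflectiveOperationException {
    Class<?> providerClass;
    try {
        providerClass = Class.forName("org.mozilla.jss.JSSProvider");
    } catch (ClassNotFoundException e) {
        providerClass = Class.forName("org.mozilla.jss.provider.Provider");
    }
    return (Provider) providerClass.getDeclaredConstructor().newInstance();
}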

Example 2 with CryptoManager

use of org.mozilla.jss.CryptoManager in project OpenAM by OpenRock.

the class JSSEncryption method findToken.

/**
 * Finds a crypto token that supports the default encryption algorithm and every
 * key-generation algorithm listed in {@code KEYGEN_ALGS}.
 * <p>
 * CryptoManager returns "Internal Key Storage Token" at least, so there is normally
 * at least one candidate to examine.
 *
 * @return the first qualifying token, or {@code null} when no token supports all algorithms
 * @throws CryptoManager.NotInitializedException if JSS has not been initialized yet
 */
private static CryptoToken findToken() throws CryptoManager.NotInitializedException {
    CryptoManager manager = CryptoManager.getInstance();
    Enumeration candidates = manager.getTokensSupportingAlgorithm(getEncryptionAlg(DEFAULT_ENCYPTION_ALG));
    while (candidates.hasMoreElements()) {
        CryptoToken candidate = (CryptoToken) candidates.nextElement();
        if (supportsAllKeyGenAlgs(candidate)) {
            return candidate;
        }
    }
    return null;
}

/**
 * Tells whether {@code tok} implements every key-generation algorithm in {@code KEYGEN_ALGS}.
 *
 * @param tok the token to probe
 * @return {@code true} only if all {@code NUM_KEYGEN_ALG} algorithms are supported
 */
private static boolean supportsAllKeyGenAlgs(CryptoToken tok) {
    int index = 0;
    while (index < NUM_KEYGEN_ALG) {
        if (!tok.doesAlgorithm(getKeyGenAlg(KEYGEN_ALGS[index]))) {
            return false;
        }
        index++;
    }
    return true;
}

Example 3 with CryptoManager

use of org.mozilla.jss.CryptoManager in project OpenAM by OpenRock.

the class Cert method doJSSRevocationValidation.

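/**
 * Runs the enabled revocation checks (CRL and/or OCSP via JSS) for {@code cert} and, when
 * CA validation is on, repeats them up the issuer chain until a root CA or an issuer that
 * cannot be looked up is reached.
 *
 * @param cert the certificate to check
 * @return {@code ISAuthConstants.LOGIN_SUCCEED} when every enabled check passes for the whole
 *         chain examined, {@code ISAuthConstants.LOGIN_IGNORE} otherwise (including when a
 *         check could not be completed)
 */
private int doJSSRevocationValidation(X509Certificate cert) {
    int ret = ISAuthConstants.LOGIN_IGNORE;
    // Null-safe: an unset setting counts as "false" instead of throwing NullPointerException.
    boolean validateCA = "true".equalsIgnoreCase(amAuthCert_validateCA);
    if (crlEnabled) {
        X509CRL crl = AMCRLStore.getCRL(ldapParam, cert, amAuthCert_chkAttributesCRL);
        // A CRL that cannot be obtained leaves ret at LOGIN_IGNORE (fail closed).
        if (crl != null && !crl.isRevoked(cert)) {
            ret = ISAuthConstants.LOGIN_SUCCEED;
        }
    }
    /*
     * OCSP validation, this will use the CryptoManager.isCertValid()
     * method to validate certificate, OCSP is one of the steps in
     * this process. Here is the algorithm to find OCSP responder:
     * 1. use global OCSP responder if set
     * 2. use the OCSP responder in user's certificate if present
     * 3. no OCSP responder
     * The isCertValid() WON'T perform OCSP validation if no OCSP responder
     * found in above process.
     */
    if (ocspEnabled) {
        try {
            CryptoManager cm = CryptoManager.getInstance();
            if (cm.isCertValid(cert.getEncoded(), true, CryptoManager.CertUsage.SSLClient)) {
                debug.message("cert is valid");
                ret = ISAuthConstants.LOGIN_SUCCEED;
            } else {
                ret = ISAuthConstants.LOGIN_IGNORE;
            }
        } catch (Exception e) {
            // When OCSP is enabled its verdict is authoritative (see the else branch above),
            // so a check that cannot complete must not inherit an earlier CRL success.
            ret = ISAuthConstants.LOGIN_IGNORE;
            debug.error("certValidation failed with exception", e);
        }
    }
    if (ret == ISAuthConstants.LOGIN_SUCCEED && (crlEnabled || ocspEnabled) && validateCA
            && !AMCertStore.isRootCA(cert)) {
        /*
         * The trust anchor is not necessarily a certificate, but a public key (trusted) entry in the
         * trust-store. Don't march up the chain unless the AMCertStore can actually return a non-null
         * issuer certificate. If the issuer certificate is null, then the result of the previous
         * doRevocationValidation invocation is the final answer.
         */
        X509Certificate issuerCertificate =
                AMCertStore.getIssuerCertificate(ldapParam, cert, amAuthCert_chkAttrCertInLDAP);
        if (issuerCertificate != null) {
            ret = doJSSRevocationValidation(issuerCertificate);
        }
    }
    return ret;
}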
