001/*
002 * (C) Copyright 2011 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Wojciech Sulejman
018 */
019
020package org.nuxeo.ecm.platform.signature.api.pki;
021
022import java.io.InputStream;
023import java.io.OutputStream;
024import java.security.KeyPair;
025import java.security.KeyStore;
026import java.security.cert.X509Certificate;
027
028import org.nuxeo.ecm.platform.signature.api.exception.CertException;
029import org.nuxeo.ecm.platform.signature.api.user.UserInfo;
030
031/**
032 * This service provides certificate generation and certificate related keystore operations.
033 * <p>
034 * The interfaces provided by this service are intended to abstract low-level generic certificate operations like PKI
035 * key and certificate generation, CSR (Certificate Signing Request) signing with the root certificate, retrieving the
036 * certificates from the keystore in a generic way, and also providing CRLs (Certificate Revocation Lists).
037 * <p>
038 * The bulk of this functionality is provided via the initializeUser(..) method used to generate a fully initialized
039 * certificate enclosed in a secured keystore.
040 * 
041 * @author <a href="mailto:ws@nuxeo.com">Wojciech Sulejman</a>
042 */
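public interface CertService {

    /**
     * Retrieves the root (CA) certificate.
     *
     * @return the root certificate
     * @throws CertException if the root certificate cannot be retrieved
     */
    X509Certificate getRootCertificate() throws CertException;

    /**
     * Sets up a root service to be used for CA-related services like certificate request signing and certificate
     * revocation.
     *
     * @param rootService the root service supplying the CA material
     * @throws CertException if the root service cannot be set up
     */
    void setRootService(RootService rootService) throws CertException;

    /**
     * Retrieves a {@link KeyStore} object from a supplied {@link InputStream}. Requires a keystore password.
     * <p>
     * Passwords are accepted as {@link String} here and in the other methods of this service; a {@code String}
     * cannot be cleared from memory after use, so callers should avoid retaining or logging these values.
     * Whether the supplied stream is closed by the implementation is not specified; callers should close it
     * themselves.
     *
     * @param keystoreIS stream holding the serialized keystore
     * @param password the keystore password
     * @return the loaded keystore
     * @throws CertException if the keystore cannot be loaded
     */
    KeyStore getKeyStore(InputStream keystoreIS, String password) throws CertException;

    /**
     * Retrieves an existing private and public key from a {@link KeyStore}.
     *
     * @param ks the keystore holding the entries
     * @param keyAlias alias of the private key entry
     * @param certificateAlias alias of the certificate entry
     * @param keyPassword password protecting the private key entry
     * @return the key pair built from those entries
     * @throws CertException if the entries cannot be read
     */
    KeyPair getKeyPair(KeyStore ks, String keyAlias, String certificateAlias, String keyPassword)
            throws CertException;

    /**
     * Retrieves an existing certificate from a keystore using the keystore's certificate alias.
     *
     * @param keystore the keystore holding the certificate
     * @param certificateAlias alias of the certificate entry
     * @return the certificate stored under that alias
     * @throws CertException if the certificate cannot be retrieved
     */
    X509Certificate getCertificate(KeyStore keystore, String certificateAlias) throws CertException;

    /**
     * Generates a private key and a public certificate for a user whose X.509 field information was enclosed in a
     * {@link UserInfo} parameter. Stores those artifacts in a password protected keystore. This is the principal
     * method for activating a new certificate and signing it with a root certificate.
     *
     * @param userInfo X.509 field information describing the user
     * @param keyPassword password used to protect the generated key material in the returned keystore
     * @return a keystore based on the provided userInfo
     * @throws CertException if the key or certificate cannot be generated or stored
     */
    KeyStore initializeUser(UserInfo userInfo, String keyPassword) throws CertException;

    /**
     * Writes a keystore (and the certificate it holds) to an {@link OutputStream}, secured by a keystore password.
     *
     * @param keystore the keystore to write out
     * @param os destination stream
     * @param keystorePassword password protecting the written keystore
     * @throws CertException if the keystore cannot be written
     */
    void storeCertificate(KeyStore keystore, OutputStream os, String keystorePassword) throws CertException;

    /**
     * Extracts the email address from a certificate. Which certificate field the address is taken from (subject DN
     * or subject alternative name) is not fixed by this interface and depends on the implementation.
     *
     * @param certificate the certificate to inspect
     * @return the email address found in the certificate
     * @throws CertException if the address cannot be extracted
     */
    String getCertificateEmail(X509Certificate certificate) throws CertException;

}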