001/* 002 * (C) Copyright 2011 Nuxeo SA (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * Wojciech Sulejman 018 */ 019 020package org.nuxeo.ecm.platform.signature.api.pki; 021 022import java.io.InputStream; 023import java.io.OutputStream; 024import java.security.KeyPair; 025import java.security.KeyStore; 026import java.security.cert.X509Certificate; 027 028import org.nuxeo.ecm.platform.signature.api.exception.CertException; 029import org.nuxeo.ecm.platform.signature.api.user.UserInfo; 030 031/** 032 * This service provides certificate generation and certificate related keystore operations. 033 * <p> 034 * The interfaces provided by this service are intended to abstract low-level generic certificate operations like PKI 035 * key and certificate generation, CSR (Certificate Signing Request) signing with the root certificate, retrieving the 036 * certificates from the keystore in a generic way, and also providing CRLs (Certificate Revocation Lists). 037 * <p> 038 * The bulk of this functionality is provided via the initializeUser(..) method used to generate a fully initialized 039 * certificate enclosed in a secured keystore. 040 * 041 * @author <a href="mailto:ws@nuxeo.com">Wojciech Sulejman</a> 042 */ 043public interface CertService { 044 045 /** 046 * Retrieves the root certificate. 047 */ 048 X509Certificate getRootCertificate() throws CertException; 049 050 /** 051 * Sets up a root service to be used for CA-related services like certificate request signing and certificate 052 * revocation. 053 */ 054 void setRootService(RootService rootService) throws CertException; 055 056 /** 057 * Retrieves a KeyStore object from a supplied InputStream. Requires a keystore password. 058 */ 059 KeyStore getKeyStore(InputStream keystoreIS, String password) throws CertException; 060 061 /** 062 * Retrieves existing private and public key from a KeyStore. 063 */ 064 KeyPair getKeyPair(KeyStore ks, String keyAlias, String certificateAlias, String keyPassword) 065 throws CertException; 066 067 /** 068 * Retrieves an existing certificate from a keystore using keystore's certificate alias. 069 */ 070 X509Certificate getCertificate(KeyStore keystore, String certificateAlias) throws CertException; 071 072 /** 073 * Generates a private key and a public certificate for a user whose X.509 field information was enclosed in a 074 * UserInfo parameter. Stores those artifacts in a password protected keystore. This is the principal method for 075 * activating a new certificate and signing it with a root certificate. 076 * 077 * @return KeyStore based on the provided userInfo 078 */ 079 080 KeyStore initializeUser(UserInfo userInfo, String keyPassword) throws CertException; 081 082 /** 083 * Wraps a certificate object into an OutputStream object secured by a keystore password 084 */ 085 void storeCertificate(KeyStore keystore, OutputStream os, String keystorePassword) throws CertException; 086 087 /** 088 * Extracts the email address from a certificate 089 */ 090 String getCertificateEmail(X509Certificate certificate) throws CertException; 091 092}