001/*
002 * (C) Copyright 2011 Nuxeo SA (http://nuxeo.com/) and contributors.
003 *
004 * All rights reserved. This program and the accompanying materials
005 * are made available under the terms of the GNU Lesser General Public License
006 * (LGPL) version 2.1 which accompanies this distribution, and is available at
007 * http://www.gnu.org/licenses/lgpl.html
008 *
009 * This library is distributed in the hope that it will be useful,
010 * but WITHOUT ANY WARRANTY; without even the implied warranty of
011 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
012 * Lesser General Public License for more details.
013 *
014 * Contributors:
015 *     Wojciech Sulejman
016 */
017
018package org.nuxeo.ecm.platform.signature.api.pki;
019
020import java.io.InputStream;
021import java.io.OutputStream;
022import java.security.KeyPair;
023import java.security.KeyStore;
024import java.security.cert.X509Certificate;
025
026import org.nuxeo.ecm.platform.signature.api.exception.CertException;
027import org.nuxeo.ecm.platform.signature.api.user.UserInfo;
028
029/**
030 * This service provides certificate generation and certificate related keystore operations.
031 * <p>
032 * The interfaces provided by this service are intended to abstract low-level generic certificate operations like PKI
033 * key and certificate generation, CSR (Certificate Signing Request) signing with the root certificate, retrieving the
034 * certificates from the keystore in a generic way, and also providing CRLs (Certificate Revocation Lists).
035 * <p>
036 * The bulk of this functionality is provided via the initializeUser(..) method used to generate a fully initialized
037 * certificate enclosed in a secured keystore.
038 * 
039 * @author <a href="mailto:ws@nuxeo.com">Wojciech Sulejman</a>
040 */
041public interface CertService {
042
043    /**
044     * Retrieves the root certificate.
045     * 
046     * @return
047     * @throws CertException
048     */
049    public X509Certificate getRootCertificate() throws CertException;
050
051    /**
052     * Sets up a root service to be used for CA-related services like certificate request signing and certificate
053     * revocation.
054     * 
055     * @param keystore
056     * @throws CertException
057     */
058    public void setRootService(RootService rootService) throws CertException;
059
060    /**
061     * Retrieves a KeyStore object from a supplied InputStream. Requires a keystore password.
062     * 
063     * @param userId
064     * @return
065     */
066    public KeyStore getKeyStore(InputStream keystoreIS, String password) throws CertException;
067
068    /**
069     * Retrieves existing private and public key from a KeyStore.
070     * 
071     * @param userId
072     * @return
073     */
074    public KeyPair getKeyPair(KeyStore ks, String keyAlias, String certificateAlias, String keyPassword)
075            throws CertException;
076
077    /**
078     * Retrieves an existing certificate from a keystore using keystore's certificate alias.
079     * 
080     * @param userId
081     * @return
082     */
083    public X509Certificate getCertificate(KeyStore keystore, String certificateAlias) throws CertException;
084
085    /**
086     * Generates a private key and a public certificate for a user whose X.509 field information was enclosed in a
087     * UserInfo parameter. Stores those artifacts in a password protected keystore. This is the principal method for
088     * activating a new certificate and signing it with a root certificate.
089     * 
090     * @param userId
091     * @return KeyStore based on the provided userInfo
092     */
093
094    public KeyStore initializeUser(UserInfo userInfo, String keyPassword) throws CertException;
095
096    /**
097     * Wraps a certificate object into an OutputStream object secured by a keystore password
098     * 
099     * @param keystore
100     * @param os
101     * @param keystorePassword
102     * @throws CertException
103     */
104    public void storeCertificate(KeyStore keystore, OutputStream os, String keystorePassword) throws CertException;
105
106    /**
107     * Extracts the email address from a certificate
108     * 
109     * @param certificate
110     * @return
111     * @throws CertException
112     */
113    public String getCertificateEmail(X509Certificate certificate) throws CertException;
114
115}