001/* 002 * (C) Copyright 2011 Nuxeo SA (http://nuxeo.com/) and contributors. 003 * 004 * All rights reserved. This program and the accompanying materials 005 * are made available under the terms of the GNU Lesser General Public License 006 * (LGPL) version 2.1 which accompanies this distribution, and is available at 007 * http://www.gnu.org/licenses/lgpl.html 008 * 009 * This library is distributed in the hope that it will be useful, 010 * but WITHOUT ANY WARRANTY; without even the implied warranty of 011 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 012 * Lesser General Public License for more details. 013 * 014 * Contributors: 015 * Wojciech Sulejman 016 */ 017 018package org.nuxeo.ecm.platform.signature.api.pki; 019 020import java.io.InputStream; 021import java.io.OutputStream; 022import java.security.KeyPair; 023import java.security.KeyStore; 024import java.security.cert.X509Certificate; 025 026import org.nuxeo.ecm.platform.signature.api.exception.CertException; 027import org.nuxeo.ecm.platform.signature.api.user.UserInfo; 028 029/** 030 * This service provides certificate generation and certificate related keystore operations. 031 * <p> 032 * The interfaces provided by this service are intended to abstract low-level generic certificate operations like PKI 033 * key and certificate generation, CSR (Certificate Signing Request) signing with the root certificate, retrieving the 034 * certificates from the keystore in a generic way, and also providing CRLs (Certificate Revocation Lists). 035 * <p> 036 * The bulk of this functionality is provided via the initializeUser(..) method used to generate a fully initialized 037 * certificate enclosed in a secured keystore. 038 * 039 * @author <a href="mailto:ws@nuxeo.com">Wojciech Sulejman</a> 040 */ 041public interface CertService { 042 043 /** 044 * Retrieves the root certificate. 045 * 046 * @return 047 * @throws CertException 048 */ 049 public X509Certificate getRootCertificate() throws CertException; 050 051 /** 052 * Sets up a root service to be used for CA-related services like certificate request signing and certificate 053 * revocation. 054 * 055 * @param keystore 056 * @throws CertException 057 */ 058 public void setRootService(RootService rootService) throws CertException; 059 060 /** 061 * Retrieves a KeyStore object from a supplied InputStream. Requires a keystore password. 062 * 063 * @param userId 064 * @return 065 */ 066 public KeyStore getKeyStore(InputStream keystoreIS, String password) throws CertException; 067 068 /** 069 * Retrieves existing private and public key from a KeyStore. 070 * 071 * @param userId 072 * @return 073 */ 074 public KeyPair getKeyPair(KeyStore ks, String keyAlias, String certificateAlias, String keyPassword) 075 throws CertException; 076 077 /** 078 * Retrieves an existing certificate from a keystore using keystore's certificate alias. 079 * 080 * @param userId 081 * @return 082 */ 083 public X509Certificate getCertificate(KeyStore keystore, String certificateAlias) throws CertException; 084 085 /** 086 * Generates a private key and a public certificate for a user whose X.509 field information was enclosed in a 087 * UserInfo parameter. Stores those artifacts in a password protected keystore. This is the principal method for 088 * activating a new certificate and signing it with a root certificate. 089 * 090 * @param userId 091 * @return KeyStore based on the provided userInfo 092 */ 093 094 public KeyStore initializeUser(UserInfo userInfo, String keyPassword) throws CertException; 095 096 /** 097 * Wraps a certificate object into an OutputStream object secured by a keystore password 098 * 099 * @param keystore 100 * @param os 101 * @param keystorePassword 102 * @throws CertException 103 */ 104 public void storeCertificate(KeyStore keystore, OutputStream os, String keystorePassword) throws CertException; 105 106 /** 107 * Extracts the email address from a certificate 108 * 109 * @param certificate 110 * @return 111 * @throws CertException 112 */ 113 public String getCertificateEmail(X509Certificate certificate) throws CertException; 114 115}