-
Notifications
You must be signed in to change notification settings - Fork 30
JSS KeyStore
Prior to version 4.5 JSS did not support keystore. The org.mozilla.jss.crypto.CryptoStore class might be able to provide some of keystore functionality.
In JSS 4.5 the keystore functionality will be implemented to support the following functionality:
-
running Tomcat with SSL server certificate and key stored in HSM.
See also:
Alias is an identifier for an entry in the PKCS #11 token. An alias has the following format:
[<token>:]<nickname>
The <token> is the token name. It only needs to be specified for external tokens.
The <nickname> is the identifier of the entry within the token, which could be a certificate
nickname or a hexadecimal key ID.
For example, in internal token:
-
cert nickname:
ca_signing -
key ID:
b9f35690a423c5047b6a37fb15a8a5af5ed33012
In external token (e.g. HSM):
-
cert nickname:
HSM:sslserver -
key ID:
HSM:7ec9ebac7a47faa47a9ca74e728abdfa11f14869
Before creating a keystore, make sure that:
-
the NSS database already exists
-
the CryptoManager instance has been initialized
-
token authentication has been done
then the keystore can be created as follows:
KeyStore ks = KeyStore.getInstance("pkcs11", "Mozilla-JSS");
By default the keystore is not associated with a specific token, so operations such as aliases() will return aliases from all available tokens.
To configure the keystore to use a specific token:
CryptoToken token = ... ks.load(new JSSLoadStoreParameter(token));
in that case aliases() will return aliases only from the specified token.
To get all aliases:
Enumeration<String> aliases = ks.aliases();
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
...
}
As mentioned above, by default the keystore is not associated with any specific token, so aliases() will return aliases from all available tokens.
If the keystore is configured using load() to use a specific token, the aliases() will return aliases from that token only.
To check if an alias is a certificate:
boolean result = ks.isCertificateEntry(alias);
To get a certificate:
Certificate cert = ks.getCertificate(alias);
To add a certificate:
Certificate cert = ...; ks.setCertificateEntry(alias, cert);
To remove a certificate:
ks.deleteEntry(alias);
To get a certificate chain:
Certificate[] chain = ks.getCertificateChain(alias);
for (Certificate cert : chain) {
...
}
To check if an alias is a key:
boolean result = ks.isKeyEntry(alias);
To get a key:
Key key = ks.getKey(alias, null);
To remove a key:
ks.deleteEntry(alias);