Class CVCertificateStore
Class that abstracts a certificate and key store for an EAC PKI.
Defined in: CVCertificateStore.js.
Constructor Attributes | Constructor Name and Description
---|---
 | CVCertificateStore(DAOFactory): Create an object to access a certificate store.

Method Attributes | Method Name and Description
---|---
<static> | CVCertificateStore.checkPath(path): Check path. This method validates the path for semantic errors and should be called for input validation before using the path in the certificate store API.
 | deleteCertificate(path, chr, selfsigned): Remove certificate
 | deletePrivateKey(path, chr): Remove private key
 | deleteRequest(path, chr): Remove request
 | deleteSigner(path, chr): Remove signer
 | generateKeyPair(path, chr, algo, prk, puk): Generate key pair
 | getCertificate(path, chr, selfsigned): Return certificate for a given CHR. This method returns a self-signed root certificate if the selfsigned parameter is set.
 | getCertificateBinary(path, chr, selfsigned): Return certificate for a given CHR in binary format. This method returns a self-signed root certificate if the selfsigned parameter is set.
 | getCertificateChain(path, tochr, fromcar): Return a chain of certificates resembling a path from root to end entity.
 | Return a suitable crypto object.
 | getCurrentCHR(path): Return the current CHR for which a valid certificate exists
 | Returns the default domain parameter for a given PKI
 | getDefaultPublicKeyOID(path): Returns the default algorithm identifier OID from the most recent link certificate
 | getDomainParameter(path, chr): Returns the domain parameter for a certificate identified by its CHR. This method traverses the certificate hierarchy upwards and follows link certificates until domain parameters are found.
 | getIssuerPathFor(cvc, cvcahint): Determine path for certificate issuer. For CVCA and DVCA certificates the path can be determined from the CAR.
 | getNextCHR(path, countryseq): Return the next CHR
 | getPrivateKey(path, chr): Get a private key from the certificate store
 | getRequest(path, chr): Return request for given CHR
 | getSigner(path, chr): Get signer
 | insertCertificate(crypto, cvc, cvcahint): Insert a single certificate into the certificate store. Before a certificate is imported, the signature is verified.
 | insertCertificates(crypto, certlist, insertSelfSigned, cvcahint): Insert certificates into the certificate store. The import into the internal data structure is done in three steps. Certificates at the terminal level can only be imported if the issuing DVCA certificate is contained in the list or a hint for the relevant CVCA is given in the first element of the path contained in parameter cvcahint.
 | listCertificates(path): List certificates stored for a given PKI element, sorted by CHR
 | listHolders(path): List certificate holders for a given PKI element
 | locateCertificate(chr): Try locating a certificate with the given CHR. This method tries to find a specific certificate in the store, irrespective of the holder.
 | newSigner(path, chr, algo, prk, puk): Create signer
<static> | CVCertificateStore.nthElementOf(path, n): Return the n-th element of the path
<static> | CVCertificateStore.parentPathOf(path): Strip the last element of the path, effectively defining the parent within the path
 | setContextMarker(contextMarker): Set a context marker that goes into the certificate type. The context marker allows different certificate stores with different namespaces in the same database.
 | setSignerNo(path, signerNo): Set the new signer number, if it is larger than the current one
 | storeCertificate(path, cert, makeCurrent): Store a certificate in the certificate store
 | storeRequest(path, req): Store a certificate request in the certificate store
 | validateCertificate(crypto, cvc, cvcahint): Validate a certificate against a certificate already stored in the certificate store. If the certificate is a terminal certificate, then the first element of the path given in cvcahint is used to determine the correct CVCA.
CVCertificateStore(DAOFactory)
- Parameters:
  - {DAOFactory} DAOFactory: the factory that can create data access objects for persistent information

<static> CVCertificateStore.checkPath(path)
- Parameters:
  - {String} path: the path to validate

deleteCertificate(path, chr, selfsigned)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for this certificate
  - {boolean} selfsigned: delete the self-signed root certificate rather than a link certificate
- Returns:
  - true if deleted

deletePrivateKey(path, chr)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for this key
- Returns:
  - true if deleted

deleteRequest(path, chr)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for this request
- Returns:
  - true if deleted

deleteSigner(path, chr)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for this key
- Returns:
  - true if deleted

generateKeyPair(path, chr, algo, prk, puk)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for this key pair
  - {Number} algo: the key generation algorithm (Crypto.EC or Crypto.RSA)
  - {Key} prk: the private key template
  - {Key} puk: the public key template

getCertificate(path, chr, selfsigned)
This method returns a self-signed root certificate if the selfsigned parameter is set. If it is not set or set to false, then the matching link certificate, if any, is returned rather than the self-signed certificate.
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for the certificate
  - {boolean} selfsigned: return the self-signed root certificate rather than a link certificate
- Returns:
  - the certificate or null if not found

getCertificateBinary(path, chr, selfsigned)
This method returns a self-signed root certificate if the selfsigned parameter is set. If it is not set or set to false, then the matching link certificate, if any, is returned rather than the self-signed certificate.
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for the certificate
  - {boolean} selfsigned: return the self-signed root certificate rather than a link certificate
- Returns:
  - the certificate or null if not found

getCertificateChain(path, tochr, fromcar)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} tochr: the public key reference for the certificate at the end of the chain
  - {PublicKeyReference} fromcar: the public key reference for the certificate to start with, or the root if undefined
- Returns:
  - the list of certificates, starting with a self-signed root certificate (fromcar undefined) or with a certificate issued by fromcar, up to and including the certificate referenced by tochr. Returns null if fromcar is not found.

Return a suitable crypto object.
- Returns:
  - the Crypto object

getCurrentCHR(path)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
- Returns:
  - the current CHR for which a certificate exists or null if none exists

Returns the default domain parameter for a given PKI
- Parameters:
  - {String} path: the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant
- Returns:
  - the domain parameter

getDefaultPublicKeyOID(path)
- Parameters:
  - {String} path: the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant
- Returns:
  - the algorithm identifier

getDomainParameter(path, chr)
This method traverses the certificate hierarchy upwards and follows link certificates until domain parameters are found.
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
  - {PublicKeyReference} chr: the CHR of the certificate to start the search with
- Returns:
  - the domain parameter

getIssuerPathFor(cvc, cvcahint)
- Parameters:
  - cvc
  - cvcahint

getNextCHR(path, countryseq)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
  - {String} countryseq: the 2-digit country code to include in the sequence number (optional)
- Returns:
  - the next CHR based on the sequence counter maintained in the configuration file

getPrivateKey(path, chr)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for this key
- Returns:
  - the private key or null if not found

getRequest(path, chr)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for the certificate
- Returns:
  - the request or null

getSigner(path, chr)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for this key
- Returns:
  - the private key blob

insertCertificate(crypto, cvc, cvcahint)
Before a certificate is imported, the signature is verified.
If the certificate is a terminal certificate, then the first element of the path given in cvcahint is used to determine the correct CVCA.
- Parameters:
  - {Crypto} crypto: the crypto provider to be used for certificate verification
  - {CVC} cvc: the certificate
  - {String} cvcahint: the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant
- Returns:
  - true, if the certificate was inserted

insertCertificates(crypto, certlist, insertSelfSigned, cvcahint)
The import into the internal data structure is done in three steps:
- If allowed, all self-signed certificates are imported
- All possible certificate chains are built
- Certificate chains are processed starting with the topmost certificate in the hierarchy
Certificates at the terminal level can only be imported if the issuing DVCA certificate is contained in the list or a hint for the relevant CVCA is given in the first element of the path contained in parameter cvcahint.
Before a certificate is imported, the signature is verified.
- Parameters:
  - {Crypto} crypto: the crypto provider to be used for certificate verification
  - {CVC[]} certlist: the unordered list of certificates
  - {Boolean} insertSelfSigned: true, if the import of root certificates is allowed
  - {String} cvcahint: the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant
- Returns:
  - the (ideally empty) list of unprocessed certificates. This does not contain certificates that fail signature verification.

listCertificates(path)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- Returns:
  - a list of certificates, possibly empty

listHolders(path)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
- Returns:
  - a list of holder ids, possibly empty

locateCertificate(chr)
- Parameters:
  - {PublicKeyReference} chr: the public key reference for the certificate
- Returns:
  - the certificate or null if none found or more than one found

newSigner(path, chr, algo, prk, puk)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {PublicKeyReference} chr: the public key reference for this key pair
  - {Number} algo: the key generation algorithm (Crypto.EC or Crypto.RSA)
  - {Key} prk: the private key template
  - {Key} puk: the public key template

<static> CVCertificateStore.nthElementOf(path, n)
- Parameters:
  - {String} path: the path to return the last element from
  - n
- Returns:
  - the last path element or null for the root

<static> CVCertificateStore.parentPathOf(path)
- Parameters:
  - {String} path: the path to strip the last element from
- Returns:
  - the parent path or null for the root
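The three path helpers documented above (checkPath, nthElementOf, parentPathOf) in runnable form, as an added example that is not code from CVCertificateStore.js. The page does not spell out which semantic errors checkPath rejects, so the rules used here (an absolute path, no empty elements, no "." or ".." components, a letters-digits-underscore-hyphen character set), the treatment of "/" as the root, and nthElementOf counting elements from zero are assumptions of this example. The point of checkPath is input validation: the path ends up selecting records in the store's database, so it should be validated before it reaches any other store method, exactly as the documentation advises.

```javascript
// Added example, not code from CVCertificateStore.js. Validation rules and the
// root convention ("/" is the root) are assumptions made for this illustration.

// Allowed characters in one path element such as "UTCVCA1" or "UTTERM" (assumed).
const ELEMENT_RE = /^[A-Za-z0-9_-]+$/;

// Split "/A/B/C" into ["A", "B", "C"]; the root "/" yields [].
function splitPath(path) {
  if (path === "/") return [];
  return path.slice(1).split("/");
}

// Validate a PKI path for semantic errors. Returns true for a well-formed path,
// false otherwise. Call this on externally supplied input before handing the
// path to the store, so that separator tricks or relative components never
// reach the data access layer.
function checkPath(path) {
  if (typeof path !== "string" || path.length === 0) return false;
  if (path[0] !== "/") return false;          // must be absolute
  if (path === "/") return true;              // the root itself is valid
  if (path.endsWith("/")) return false;       // no trailing separator
  return splitPath(path).every((e) =>
    e.length > 0 &&                           // rejects "//" (empty element)
    e !== "." && e !== ".." &&                // rejects relative components
    ELEMENT_RE.test(e));                      // restricted character set
}

// Return the n-th element (counted from 0) of the path, or null when the path
// is the root or n is out of range.
function nthElementOf(path, n) {
  const elements = splitPath(path);
  if (n < 0 || n >= elements.length) return null;
  return elements[n];
}

// Strip the last element to obtain the parent path; null for the root.
function parentPathOf(path) {
  const elements = splitPath(path);
  if (elements.length === 0) return null;     // "/" has no parent
  if (elements.length === 1) return "/";      // "/UTCVCA1" -> "/"
  return "/" + elements.slice(0, -1).join("/");
}

// The documented convention that the first element names the CVCA, e.g. for
// the cvcahint parameter of insertCertificates().
function cvcaOf(path) {
  return checkPath(path) ? nthElementOf(path, 0) : null;
}

// Walk "/UTCVCA1/UTDVCA1/UTTERM" up to the root via parentPathOf.
function ancestors(path) {
  const out = [];
  for (let p = parentPathOf(path); p !== null; p = parentPathOf(p)) out.push(p);
  return out;   // ["/UTCVCA1/UTDVCA1", "/UTCVCA1", "/"]
}
```

The rejection of "." and ".." is what matters most when the store is backed by files or by a database keyed on the path: the check is cheap, and once it passes, every other method can treat the path as a plain sequence of element names.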
setContextMarker(contextMarker)
- Parameters:
  - {Number} contextMarker: the marker

setSignerNo(path, signerNo)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
  - {Number} signerNo: the new signer number

storeCertificate(path, cert, makeCurrent)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {CVC} cert: the certificate
  - {Boolean} makeCurrent: true if this certificate becomes the current certificate

storeRequest(path, req)
- Parameters:
  - {String} path: the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
  - {CVC} req: the request

validateCertificate(crypto, cvc, cvcahint)
If the certificate is a terminal certificate, then the first element of the path given in cvcahint is used to determine the correct CVCA.
Throws an exception if the certificate can not be validated.
- Parameters:
  - {Crypto} crypto: the crypto provider to be used for certificate verification
  - {CVC} cvc: the certificate
  - {String} cvcahint: the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant
- Returns:
  - an object containing the path and domain parameter used for validating the certificate. Returns null if no issuer could be found