Class CVCertificateStore

Object
   |
   +--CVCertificateStore

class CVCertificateStore

Class that abstracts a certificate and key store for a EAC PKI.
Defined in cvcertstore.js

Field Detail

path

Object path

CVCertificateStore

CVCertificateStore(<String> path)

Create an object to access a certificate store.

Parameters:
path - the root of the certificate store

deleteCertificate

boolean deleteCertificate(<String> path, <PublicKeyReference> chr, <boolean> selfsigned)

Remove certificate

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
chr - the public key reference for this certificate
selfsigned - delete the self-signed root certificate rather than a link certificate

Returns:
true is deleted

deletePrivateKey

boolean deletePrivateKey(<String> path, <PublicKeyReference> chr)

Remove private key

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
chr - the public key reference for this key

Returns:
true is deleted

deleteRequest

boolean deleteRequest(<String> path, <PublicKeyReference> chr)

Remove request

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
chr - the public key reference for this request

Returns:
true is deleted

getCertificate

CVC getCertificate(<String> path, <PublicKeyReference> chr, <boolean> selfsigned)

Return certificate for a given CHR

This method returns a self-signed root certificate if the selfsigned parameter is set. If not set or set to false, then matching link certificate, if any, is returned rather than the self-signed certificate.

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
chr - the public key reference for the certificate
selfsigned - return the self-signed root certificate rather than a link certificate

Returns:
the certificate or null if not found

getCertificateBinary

ByteString getCertificateBinary(<String> path, <PublicKeyReference> chr, <boolean> selfsigned)

Return certificate for a given CHR in binary format

This method returns a self-signed root certificate if the selfsigned parameter is set. If not set or set to false, then matching link certificate, if any, is returned rather than the self-signed certificate.

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
chr - the public key reference for the certificate
selfsigned - return the self-signed root certificate rather than a link certificate

Returns:
the certificate or null if not found

getCertificateChain

CVC[] getCertificateChain(<String> path, <PublicKeyReference> tochr, <PublicKeyReference> fromcar)

Return a chain of certificates resembling a path from root to end entity.

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
tochr - the public key reference for the certificate at the end of the chain
fromcar - the public key reference for the certificate to start with or root if undefined

Returns:
the list of certificates starting with a self signed root certificate (fromcar undefined) a certificate issued by fromcar up to an including the certificate referenced by tochr. Return null if fromcar is not found.

getCertificateChainFor

CVC[] getCertificateChainFor(<PublicKeyReference> cvcaref)

Returns a certificate chain for the current terminal certificate up to, but not including the the CVCA certificated referenced.

Parameters:
cvcaref - the public key reference (CHR) of the CVCA.

Returns:
the list of certificates starting with optional CVCA link certificates, the DV certificate and the terminal certificate

getCHRForSequenceNumber

PublicKeyReference getCHRForSequenceNumber(<String> path, sequence, <String> countryseq)

Create a CHR for the given path and sequence number

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
countryseq - the 2 digit country code to include in the sequence number (optional)
the - sequence number to be translated

Returns:
the CHR

getCrypto

Crypto getCrypto()

Return a suitable crypto object. This may be overwritten by derived classes

Returns:
the Crypto object

getCurrentCHR

PublicKeyReference getCurrentCHR(<String> path)

Return the current CHR for which a valid certificate exists

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")

Returns:
the current CHR for which a certificate exists or null if none exists

getCVCACertificateFor

CVC getCVCACertificateFor(<PublicKeyReference> cvcaref)

Returns the country verifying certification authority's certificate for a given CVCA reference.

Parameters:
cvcaref - the public key reference (CHR) of the CVCA.
dvcaref - the public key reference (CHR) of the DV.

Returns:
the country verifying certification authority's certificate

getDefaultConfig

XML getDefaultConfig()

Create a default configuration

Returns:
a suitable default configuration object

getDefaultDomainParameter

Key getDefaultDomainParameter(<String> path)

Returns the default domain parameter for a given PKI

Parameters:
path - the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant

Returns:
the domain parameter

getDefaultPublicKeyOID

ByteString getDefaultPublicKeyOID(<String> path)

Returns the default algorithm identifier OID from the most recent link certificate

Parameters:
path - the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant

Returns:
the algorithm identifier

getDomainParameter

Key getDomainParameter(<String> path, <PublicKeyReference> chr)

Returns the domain parameter for a certificate identified by its CHR

This method traverses the certificate hierachie upwards and follows link certificates until domain parameter are found.

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
chr - the CHR of the certificate to start the search with

Returns:
the domain parameter

getDVCACertificateFor

CVC getDVCACertificateFor(<PublicKeyReference> cvcaref, <PublicKeyReference> dvcaref)

Returns the document verifier certificate for a given CVCA and DV reference.

Parameters:
cvcaref - the public key reference (CHR) of the CVCA.
dvcaref - the public key reference (CHR) of the DV.

Returns:
the document verifier CVC

getNextCHR

PublicKeyReference getNextCHR(<String> path, <String> countryseq)

Return the next CHR

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
countryseq - the 2 digit country code to include in the sequence number (optional)

Returns:
the next CHR based on the sequence counter maintained in the configuration file

getPrivateKey

Key getPrivateKey(<String> path, <PublicKeyReference> chr)

Get a private key in the certificate store

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
chr - the public key reference for this key

Returns:
the private key or null if not found

getRequest

CVC getRequest(<String> path, <PublicKeyReference> chr)

Return request for given CHR

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
chr - the public key reference for the certificate

Returns:
the request or null

getTerminalCertificateFor

CVC getTerminalCertificateFor(<PublicKeyReference> cvcaref)

Returns the current terminal certificate for a given CVCA reference.

Parameters:
cvcaref - the public key reference (CHR) of the root CA.

Returns:
the current terminal CVC

getTerminalKeyFor

Key getTerminalKeyFor(<PublicKeyReference> cvcaref)

Return the current terminal key for a PKI identified by the CVCA reference

Parameters:
cvcaref - the public key reference (CHR) of the CVCA.

Returns:
the private key

insertCertificate

boolean insertCertificate(<Crypto> crypto, <CVC> cvc, <String> cvcahint)

Insert a single certificates into the certificate store

Before a certificate is imported, the signature is verified.

If the certificate is a terminal certificate, then the first element of the path given in cvcahint is used to determine the correct CVCA.

Parameters:
crypto - the crypto provider to be used for certificate verification
cvc - the certificate
cvcahint - the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant

Returns:
true, if the certificate was inserted

insertCertificates

CVC[] insertCertificates(<Crypto> crypto, <CVC[]> certlist, <Boolean> insertSelfSigned)

Insert certificates into certificate store

The import into the internal data structure is done in three steps:

1. If allowed, all self-signed certificates are imported
2. All certificates issued by root CAs are imported
3. All other certificates issued by subordinate CAs are imported

Certificates at the terminal level can only be imported, if the issuing DVCA certificate is contained in the list. Even if a DVCA certificate is already stored, the import of such a certificate will be skipped if the DVCA certificate is not part of the imported list.

Before a certificate is imported, the signature is verified.

Parameters:
crypto - the crypto provider to be used for certificate verification
certlist - the unordered list of certificates
insertSelfSigned - true, if the import of root certificates is allowed

Returns:
the (ideally empty) list of unprocessed certificates. This does not contains certificates that fail signature verification.

insertCertificates2

CVC[] insertCertificates2(<Crypto> crypto, <CVC[]> certlist, <Boolean> insertSelfSigned, <String> cvcahint)

Insert certificates into certificate store

The import into the internal data structure is done in three steps:

1. If allowed, all self-signed certificates are imported
2. All possible certificate chains are build
3. Certificate chains are processed starting with the topmost certificate in the hierachie

Certificates at the terminal level can only be imported, if the issuing DVCA certificate is contained in the list or a hint for the relevant CVCA is given in the first element of the path contained in parameter cvcahint.

Before a certificate is imported, the signature is verified.

Parameters:
crypto - the crypto provider to be used for certificate verification
certlist - the unordered list of certificates
insertSelfSigned - true, if the import of root certificates is allowed
cvcahint - the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant

Returns:
the (ideally empty) list of unprocessed certificates. This does not contains certificates that fail signature verification.

listCertificates

CVC[] listCertificates(<String> path)

List certificates stored for given PKI element sorted by CHR

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")

Returns:
a list of certificates, possibly empty

listHolders

String[] listHolders(<String> path)

List certificate holders for a given PKI element

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")

Returns:
a list of holder ids, possibly empty

loadConfig

XML loadConfig(<String> path)

Load configuration

Parameters:
path - the relative path of the PKI element (e.g. "UTCVCA1/UTDVCA1")

Returns:
the configuration object or null if none defined

mapPath

String mapPath(<String> path)

Map to absolute path on file system

Parameters:
path - the relative path

Returns:
the absolute path on the file system

saveConfig

void saveConfig(<String> path, <XML> cfg)

Save configuration

This method will create the necessary path and save the configuration to config.xml

Parameters:
path - the relative path of the PKI element (e.g. "UTCVCA1/UTDVCA1")
cfg - the configuration object

storeCertificate

void storeCertificate(<String> path, <CVC> cert, <Boolean> makeCurrent)

Store a certificate in the certificate store

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
cert - the certificate
makeCurrent - true if this certificate become the current certificate

storePrivateKey

void storePrivateKey(<String> path, <PublicKeyReference> chr, <Key> prk)

Store a private key in the certificate store

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
chr - the public key reference for this key
prk - the private key

storeRequest

void storeRequest(<String> path, <CVC> req)

Store a certificate request in the certificate store

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
req - the request

checkPath

<static> void checkPath(path)

Check path for legal encodings

encodeBase36

<static> String encodeBase36(<Number> value)

Encode a three character alpha-numeric sequence number

This function encodes values in the range 0 to 999 as numeric string with leading zeros.

Value in the range 1000 to 34695 (999 + 26 * 36 * 36) are encoded as alphanumeric string.

Value beyond 34696 are truncated

Parameters:
value - integer sequence value

Returns:
the 3 character string

loadBinaryFile

<static> ByteString loadBinaryFile(<String> filename)

Loads a binary file from disk

Parameters:
filename - the fully qualified file name

Returns:
the binary content

loadXMLFile

<static> XML loadXMLFile(<String> filename)

Loads a XML file from disk

Parameters:
filename - the fully qualified file name

Returns:
the XML content

nthElementOf

<static> String nthElementOf(<String> path, n)

Return the n-element of the path

Parameters:
path - the path to return the last element from

Returns:
the last path element or null for the root

parentPathOf

<static> String parentPathOf(<String> path)

Strip the last element of the path, effectively defining the parent within the path

Parameters:
path - the path to strip the last element from

Returns:
the parent path or null for the root

saveBinaryFile

<static> void saveBinaryFile(<String> filename, <ByteString> data)

Saves a binary file to disk

Parameters:
filename - the fully qualified file name
data - the binary content

saveXMLFile

<static> void saveXMLFile(<String> filename, xml)

Saves XML to disk

Parameters:
filename - the fully qualified file name
data - the XML content