Class CVCertificateStore
Class that abstracts a certificate and key store for a EAC PKI.
Defined in: CVCertificateStore.js.
| Constructor Attributes | Constructor Name and Description |
|---|---|
|
CVCertificateStore(DAOFactory)
Create an object to access a certificate store.
|
| Method Attributes | Method Name and Description |
|---|---|
| <static> |
CVCertificateStore.checkPath(path)
Check path
This method validates the path for semantic errors and should be called for input
validation before using the path in the certificate store API.
|
|
deleteCertificate(path, chr, selfsigned)
Remove certificate
|
|
|
deletePrivateKey(path, chr)
Remove private key
|
|
|
deleteRequest(path, chr)
Remove request
|
|
|
deleteSigner(path, chr)
Remove Signer
|
|
|
generateKeyPair(path, chr, algo, prk, puk)
Generate key pair
|
|
|
getCertificate(path, chr, selfsigned)
Return certificate for a given CHR
This method returns a self-signed root certificate if the selfsigned parameter is set. |
|
|
getCertificateBinary(path, chr, selfsigned)
Return certificate for a given CHR in binary format
This method returns a self-signed root certificate if the selfsigned parameter is set. |
|
|
getCertificateChain(path, tochr, fromcar)
Return a chain of certificates resembling a path from root to end entity.
|
|
|
Return a suitable crypto object.
|
|
|
getCurrentCHR(path)
Return the current CHR for which a valid certificate exists
|
|
|
Returns the default domain parameter for a given PKI
|
|
|
getDefaultPublicKeyOID(path)
Returns the default algorithm identifier OID from the most recent link certificate
|
|
|
getDomainParameter(path, chr)
Returns the domain parameter for a certificate identified by its CHR
This method traverses the certificate hierachie upwards and follows link certificates until domain parameter are found. |
|
|
getIssuerPathFor(cvc, cvcahint)
Determine path for certificate issuer
For CVCA and DVCA certificates we can determined the path from the CAR.
|
|
|
getNextCHR(path, countryseq)
Return the next CHR
|
|
|
getPrivateKey(path, chr)
Get a private key in the certificate store
|
|
|
getRequest(path, chr)
Return request for given CHR
|
|
|
getSigner(path, chr)
Get Signer
|
|
|
insertCertificate(crypto, cvc, cvcahint)
Insert a single certificates into the certificate store
Before a certificate is imported, the signature is verified. |
|
|
insertCertificates(crypto, certlist, insertSelfSigned, cvcahint)
Insert certificates into certificate store
The import into the internal data structure is done in three steps:
Certificates at the terminal level can only be imported, if the issuing DVCA certificate is contained in the list or a hint for the relevant CVCA is given in the first element of the path contained in parameter cvcahint. |
|
|
listCertificates(path)
List certificates stored for given PKI element sorted by CHR
|
|
|
listHolders(path)
List certificate holders for a given PKI element
|
|
|
locateCertificate(chr)
Try locating a certificate with the given CHR
This method tries to find a specific certificate in the store, irrespectively of the holder.
|
|
|
newSigner(path, chr, algo, prk, puk)
Create Signer
|
|
| <static> |
CVCertificateStore.nthElementOf(path, n)
Return the n-element of the path
|
| <static> |
CVCertificateStore.parentPathOf(path)
Strip the last element of the path, effectively defining the parent within the path
|
|
setContextMarker(contextMarker)
Set a context marker that goes into the certificate type
The context marker allows to have different certificate stores with different
namespaces in the same database.
|
|
|
setSignerNo(path, signerNo)
Set the new signer number, if it is larger than the current
|
|
|
storeCertificate(path, cert, makeCurrent)
Store a certificate in the certificate store
|
|
|
storeRequest(path, req)
Store a certificate request in the certificate store
|
|
|
validateCertificate(crypto, cvc, cvcahint)
Validate a certificate against a certificate already stored in the certificate store
If the certificate is a terminal certificate, then the first element of the path given in cvcahint is used to determine the correct CVCA. |
Class Detail
CVCertificateStore(DAOFactory)
Create an object to access a certificate store.
- Parameters:
- {DAOFactory} DAOFactory
- the factory that can create data access objects for persistent information
Method Detail
<static>
CVCertificateStore.checkPath(path)
Check path
This method validates the path for semantic errors and should be called for input
validation before using the path in the certificate store API.
- Parameters:
- {String} path
- the path to validate
{boolean}
deleteCertificate(path, chr, selfsigned)
Remove certificate
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for this certificate
- {boolean} selfsigned
- delete the self-signed root certificate rather than a link certificate
- Returns:
- true is deleted
{boolean}
deletePrivateKey(path, chr)
Remove private key
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for this key
- Returns:
- true is deleted
{boolean}
deleteRequest(path, chr)
Remove request
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for this request
- Returns:
- true is deleted
{boolean}
deleteSigner(path, chr)
Remove Signer
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for this key
- Returns:
- true is deleted
generateKeyPair(path, chr, algo, prk, puk)
Generate key pair
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for this key pair
- {Number} algo
- the key generation algorithm (Crypto.EC or Crypto.RSA)
- {Key} prk
- the private key template
- {Key} puk
- the public key template
{CVC}
getCertificate(path, chr, selfsigned)
Return certificate for a given CHR
This method returns a self-signed root certificate if the selfsigned parameter is set. If not set or set to false, then matching link certificate, if any, is returned rather than the self-signed certificate.
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for the certificate
- {boolean} selfsigned
- return the self-signed root certificate rather than a link certificate
- Returns:
- the certificate or null if not found
{ByteString}
getCertificateBinary(path, chr, selfsigned)
Return certificate for a given CHR in binary format
This method returns a self-signed root certificate if the selfsigned parameter is set. If not set or set to false, then matching link certificate, if any, is returned rather than the self-signed certificate.
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for the certificate
- {boolean} selfsigned
- return the self-signed root certificate rather than a link certificate
- Returns:
- the certificate or null if not found
{CVC[]}
getCertificateChain(path, tochr, fromcar)
Return a chain of certificates resembling a path from root to end entity.
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} tochr
- the public key reference for the certificate at the end of the chain
- {PublicKeyReference} fromcar
- the public key reference for the certificate to start with or root if undefined
- Returns:
- the list of certificates starting with a self signed root certificate (fromcar undefined) a certificate issued by fromcar up to an including the certificate referenced by tochr. Return null if fromcar is not found.
{Crypto}
getCrypto()
Return a suitable crypto object. This may be overwritten by derived classes
- Returns:
- the Crypto object
{PublicKeyReference}
getCurrentCHR(path)
Return the current CHR for which a valid certificate exists
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
- Returns:
- the current CHR for which a certificate exists or null if none exists
{Key}
getDefaultDomainParameter(path)
Returns the default domain parameter for a given PKI
- Parameters:
- {String} path
- the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant
- Returns:
- the domain parameter
{ByteString}
getDefaultPublicKeyOID(path)
Returns the default algorithm identifier OID from the most recent link certificate
- Parameters:
- {String} path
- the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant
- Returns:
- the algorithm identifier
{Key}
getDomainParameter(path, chr)
Returns the domain parameter for a certificate identified by its CHR
This method traverses the certificate hierachie upwards and follows link certificates until domain parameter are found.
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
- {PublicKeyReference} chr
- the CHR of the certificate to start the search with
- Returns:
- the domain parameter
getIssuerPathFor(cvc, cvcahint)
Determine path for certificate issuer
For CVCA and DVCA certificates we can determined the path from the CAR. For Terminal
certificates we dont know the full path, as we don't know under which CVCA the DVCA operates
that issued the Terminal certificate. So we use a two-step heuristic which first tries to locate
the DVCA certificate based on the CAR and if that is not unique uses the cvcahint to determine the path
of the issuer
- Parameters:
- cvc
- cvcahint
{PublicKeyReference}
getNextCHR(path, countryseq)
Return the next CHR
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
- {String} countryseq
- the 2 digit country code to include in the sequence number (optional)
- Returns:
- the next CHR based on the sequence counter maintained in the configuration file
{Key}
getPrivateKey(path, chr)
Get a private key in the certificate store
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for this key
- Returns:
- the private key or null if not found
{CVC}
getRequest(path, chr)
Return request for given CHR
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for the certificate
- Returns:
- the request or null
{ByteString}
getSigner(path, chr)
Get Signer
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for this key
- Returns:
- the private key blob
{boolean}
insertCertificate(crypto, cvc, cvcahint)
Insert a single certificates into the certificate store
Before a certificate is imported, the signature is verified.
If the certificate is a terminal certificate, then the first element of the path given in cvcahint is used to determine the correct CVCA.
- Parameters:
- {Crypto} crypto
- the crypto provider to be used for certificate verification
- {CVC} cvc
- the certificate
- {String} cvcahint
- the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant
- Returns:
- true, if the certificate was inserted
{CVC[]}
insertCertificates(crypto, certlist, insertSelfSigned, cvcahint)
Insert certificates into certificate store
The import into the internal data structure is done in three steps:
- If allowed, all self-signed certificates are imported
- All possible certificate chains are build
- Certificate chains are processed starting with the topmost certificate in the hierachie
Certificates at the terminal level can only be imported, if the issuing DVCA certificate is contained in the list or a hint for the relevant CVCA is given in the first element of the path contained in parameter cvcahint.
Before a certificate is imported, the signature is verified.
- Parameters:
- {Crypto} crypto
- the crypto provider to be used for certificate verification
- {CVC[]} certlist
- the unordered list of certificates
- {Boolean} insertSelfSigned
- true, if the import of root certificates is allowed
- {String} cvcahint
- the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant
- Returns:
- the (ideally empty) list of unprocessed certificates. This does not contains certificates that fail signature verification.
{CVC[]}
listCertificates(path)
List certificates stored for given PKI element sorted by CHR
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- Returns:
- a list of certificates, possibly empty
{String[]}
listHolders(path)
List certificate holders for a given PKI element
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
- Returns:
- a list of holder ids, possibly empty
{CVC}
locateCertificate(chr)
Try locating a certificate with the given CHR
This method tries to find a specific certificate in the store, irrespectively of the holder.
- Parameters:
- {PublicKeyReference} chr
- the public key reference for the certificate
- Returns:
- the certificate or null if none found or more than one found
newSigner(path, chr, algo, prk, puk)
Create Signer
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {PublicKeyReference} chr
- the public key reference for this key pair
- {Number} algo
- the key generation algorithm (Crypto.EC or Crypto.RSA)
- {Key} prk
- the private key template
- {Key} puk
- the public key template
<static>
{String}
CVCertificateStore.nthElementOf(path, n)
Return the n-element of the path
- Parameters:
- {String} path
- the path to return the last element from
- n
- Returns:
- the last path element or null for the root
<static>
{String}
CVCertificateStore.parentPathOf(path)
Strip the last element of the path, effectively defining the parent within the path
- Parameters:
- {String} path
- the path to strip the last element from
- Returns:
- the parent path or null for the root
setContextMarker(contextMarker)
Set a context marker that goes into the certificate type
The context marker allows to have different certificate stores with different
namespaces in the same database. The default context marker is 0.
The context marker is stored with the Holder table.
- Parameters:
- {Number} contextMarker
- the marker
setSignerNo(path, signerNo)
Set the new signer number, if it is larger than the current
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1")
- {Number} signerNo
- the new signer number
storeCertificate(path, cert, makeCurrent)
Store a certificate in the certificate store
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {CVC} cert
- the certificate
- {Boolean} makeCurrent
- true if this certificate become the current certificate
storeRequest(path, req)
Store a certificate request in the certificate store
- Parameters:
- {String} path
- the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")
- {CVC} req
- the request
{Object}
validateCertificate(crypto, cvc, cvcahint)
Validate a certificate against a certificate already stored in the certificate store
If the certificate is a terminal certificate, then the first element of the path given in cvcahint is used to determine the correct CVCA.
Throws an exception if the certificate can not be validated- Parameters:
- {Crypto} crypto
- the crypto provider to be used for certificate verification
- {CVC} cvc
- the certificate
- {String} cvcahint
- the PKI path (e.g. "/UTCVCA1/UTDVCA1/UTTERM"). Only the first path element is relevant
- Returns:
- object containing the path and domain parameter used for validating the certificate. Returns null if no issuer could be found