java.lang.Object
  +--com.novell.security.japi.pki.NPKIToolbox
        +--com.novell.security.japi.pki.NPKITverify
Used to perform certificate validation.
Field Summary

static int NPKIx509CertificateValid
    Indicates that the certificate is valid.
static int NPKIx509Invalid_Algorithm_Not_Supported
    Indicates that the cryptographic algorithm is not supported.
static int NPKIx509Invalid_Cant_Process_CDP
    Indicates the certificate contained a distribution point that cannot be processed.
static int NPKIx509Invalid_Cant_Read_CRL
    Indicates that the CRL could not be read.
static int NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL
    Advisory flag: the certificate contains a CDP (Certificate Distribution Point) but the CRL was not checked because the caller of the API requested that it not be checked.
static int NPKIx509Invalid_Certificate_On_CRL
    Indicates that one of the certificates in the chain is on a CRL (Certificate Revocation List).
static int NPKIx509Invalid_CRL_Decode_Error
    Indicates an error occurred during the decoding of the CRL (Certificate Revocation List).
static int NPKIx509Invalid_CRL_Issuer_Name
    Indicates that the issuer name of the CRL identified in the certificate does not match the issuer name in the actual CRL retrieved.
static int NPKIx509Invalid_Decode_Error
    Indicates there was a problem decoding the certificate.
static int NPKIx509Invalid_Expired
    Indicates that the certificate has expired.
static int NPKIx509Invalid_Expired_CRL
    Indicates the CRL has expired and a new one has not been issued.
static int NPKIx509Invalid_Extension_Not_Critical
    Indicates that an extension which must be set to critical in order for the certificate to be valid is not set to critical.
static int NPKIx509Invalid_Future
    Indicates that the certificate's start date is in the future.
static int NPKIx509Invalid_Invalid_CRL
    Indicates the CRL was not valid for this certificate.
static int NPKIx509Invalid_Invalid_Signature
    Indicates that the cryptographic signature does not match.
static int NPKIx509Invalid_Issuer_Not_CA
    Indicates that the issuer is not a valid CA (Certification Authority).
static int NPKIx509Invalid_Issuer_Not_Trusted
    Indicates that one or more of the CA certificates are not in the configured Trusted Root container.
static int NPKIx509Invalid_KeyUsage
    Indicates that the key does not support the requested usage.
static int NPKIx509Invalid_Missing_Certificate_Policy
    Indicates that a critical certificate policy is absent from a CA certificate.
static int NPKIx509Invalid_Missing_Required_Extension
    Indicates that a required extension is not present.
static int NPKIx509Invalid_OCSP_ERROR
    Indicates that either the OCSP server could not be reached, or there was an error with the OCSP response.
static int NPKIx509Invalid_OCSP_REVOKED
    Indicates that the certificate has been revoked as reported by the OCSP server.
static int NPKIx509Invalid_OCSP_UNKNOWN
    Indicates that the OCSP server does not know the revocation status of the certificate.
static int NPKIx509Invalid_Path_Length
    Indicates that the X.509 basic constraints path length has been violated.
static int NPKIx509Invalid_Subject_Issuer_Name
    Indicates that the subject name of the issuing certificate does not match the issuer name of the subject certificate.
static int NPKIx509Invalid_System_Error
    Indicates there were some hardware problems or network problems.
static int NPKIx509Invalid_Unknown_Critical_Extension
    Indicates the certificate contained a critical extension that could not be understood.
static int PKI_AA_COMPROMISE
    N/A.
static int PKI_AFFILIATION_CHANGED
    The subject of the certificate is no longer affiliated with the issuer of the certificate.
static int PKI_CA_COMPROMISED
    The Certificate Authority's private key has been compromised.
static int PKI_CERTIFICATE_HOLD
    The certificate is temporarily on hold.
static int PKI_CESSATION_OF_OPERATION
    The Certificate Authority is no longer operating.
static int PKI_KEY_COMPROMISED
    The certificate's private key has been compromised.
static int PKI_PRIVILEDGE_WITHDRAWN
    The subject of the certificate no longer has privileges.
static int PKI_SUPERSEDED
    A replacement certificate has been issued.
static int PKI_UNSPECIFIED
    The reason is not specified.
Constructor Summary

NPKITverify()
    Constructor.
Method Summary

int certificate(byte[] issuerCertificate, byte[] subjectCertificate)
    Determines if the specified subjectCertificate can be verified by the issuerCertificate.
static void certificateChain(com.novell.security.japi.pki.NPKI_CertChain certChain,
                             int flags,
                             java.lang.Integer crlReason,
                             java.lang.Integer crlHoldInstruction,
                             java.lang.Integer crlRevocationTime,
                             java.lang.Integer crlInvalidityDateTime,
                             com.novell.security.japi.pki.NPKI_CertChain revokedCertificate,
                             java.lang.Integer certInvalidityReason,
                             com.novell.security.japi.pki.NPKI_crlCacheContext crlCacheContext)
    Verifies the certificate chain passed in.
void createContext()
    Creates a new NPKIT API context handle.
void freeContext()
    Frees a previously allocated NPKIT context and all associated memory.
void initialize()
    Initializes the PKI context.
void issuerSubjectNameMatch(byte[] issuerCertificate, byte[] subjectCertificate)
    Determines if the specified subjectCertificate's issuer name matches the issuerCertificate's subject name.
void verifyCertificatePrivateKeyAgreement(byte[] certificate, byte[] wrappedPrivateKey)
    Determines if the public key contained in the certificate matches the wrappedPrivateKey.
void verifySignatureWithCertificate(byte[] data, int algorithmId, byte[] signature, byte[] certificate)
    Determines if the specified signature of the data was signed by the private key matching certificate.

Methods inherited from class com.novell.security.japi.pki.NPKIToolbox
    decodeCSR, destroy, finalize, getUTCString, loadLibrary, version

Methods inherited from class java.lang.Object
    clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail
public static final int PKI_UNSPECIFIED
(PKI_UNSPECIFIED = 0)
public static final int PKI_KEY_COMPROMISED
(PKI_KEY_COMPROMISED = 1)
public static final int PKI_CA_COMPROMISED
(PKI_CA_COMPROMISED = 2)
public static final int PKI_AFFILIATION_CHANGED
(PKI_AFFILIATION_CHANGED = 3)
public static final int PKI_SUPERSEDED
(PKI_SUPERSEDED = 4)
public static final int PKI_CESSATION_OF_OPERATION
(PKI_CESSATION_OF_OPERATION = 5)
public static final int PKI_CERTIFICATE_HOLD
(PKI_CERTIFICATE_HOLD = 6)
public static final int PKI_PRIVILEDGE_WITHDRAWN
(PKI_PRIVILEDGE_WITHDRAWN = 7)
public static final int PKI_AA_COMPROMISE
(PKI_AA_COMPROMISE = 8)
public static final int NPKIx509CertificateValid
(NPKIx509CertificateValid = 0x0000000)
public static final int NPKIx509Invalid_System_Error
(NPKIx509Invalid_System_Error = 0x0000001)
public static final int NPKIx509Invalid_Decode_Error
(NPKIx509Invalid_Decode_Error = 0x0000002)
public static final int NPKIx509Invalid_Subject_Issuer_Name
(NPKIx509Invalid_Subject_Issuer_Name = 0x0000003)
public static final int NPKIx509Invalid_Future
(NPKIx509Invalid_Future = 0x0000004)
public static final int NPKIx509Invalid_Expired
(NPKIx509Invalid_Expired = 0x0000005)
public static final int NPKIx509Invalid_Issuer_Not_CA
(NPKIx509Invalid_Issuer_Not_CA = 0x0000006)
public static final int NPKIx509Invalid_Path_Length
(NPKIx509Invalid_Path_Length = 0x0000007)
public static final int NPKIx509Invalid_Unknown_Critical_Extension
(NPKIx509Invalid_Unknown_Critical_Extension = 0x0000008)
public static final int NPKIx509Invalid_KeyUsage
(NPKIx509Invalid_KeyUsage = 0x0000009)
public static final int NPKIx509Invalid_CRL_Decode_Error
(NPKIx509Invalid_CRL_Decode_Error = 0x000000A)
public static final int NPKIx509Invalid_Certificate_On_CRL
(NPKIx509Invalid_Certificate_On_CRL = 0x000000B)
public static final int NPKIx509Invalid_Cant_Process_CDP
(NPKIx509Invalid_Cant_Process_CDP = 0x000000C)
public static final int NPKIx509Invalid_Cant_Read_CRL
(NPKIx509Invalid_Cant_Read_CRL = 0x000000D)
public static final int NPKIx509Invalid_Invalid_CRL
(NPKIx509Invalid_Invalid_CRL = 0x000000E)
public static final int NPKIx509Invalid_Expired_CRL
(NPKIx509Invalid_Expired_CRL = 0x000000F)
public static final int NPKIx509Invalid_CRL_Issuer_Name
(NPKIx509Invalid_CRL_Issuer_Name = 0x0000010)
public static final int NPKIx509Invalid_Issuer_Not_Trusted
(NPKIx509Invalid_Issuer_Not_Trusted = 0x0000011)
public static final int NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL
(NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL = 0x0000012)
public static final int NPKIx509Invalid_Invalid_Signature
(NPKIx509Invalid_Invalid_Signature = 0x0000013)
public static final int NPKIx509Invalid_Algorithm_Not_Supported
(NPKIx509Invalid_Algorithm_Not_Supported = 0x0000014)
public static final int NPKIx509Invalid_Missing_Required_Extension
(NPKIx509Invalid_Missing_Required_Extension = 0x0000015)
public static final int NPKIx509Invalid_Extension_Not_Critical
(NPKIx509Invalid_Extension_Not_Critical = 0x0000016)
public static final int NPKIx509Invalid_Missing_Certificate_Policy
(NPKIx509Invalid_Missing_Certificate_Policy = 0x0000017)
public static final int NPKIx509Invalid_OCSP_REVOKED
(NPKIx509Invalid_OCSP_REVOKED = 0x0000020)
public static final int NPKIx509Invalid_OCSP_ERROR
(NPKIx509Invalid_OCSP_ERROR = 0x0000021)
public static final int NPKIx509Invalid_OCSP_UNKNOWN
(NPKIx509Invalid_OCSP_UNKNOWN = 0x0000022)
Constructor Detail

public NPKITverify() throws NPKI_Exception
    Throws:
        NPKI_Exception - An NPKIT error code.

Method Detail

public void initialize() throws NPKI_Exception
    This function must be called to instantiate PKI services.
    Overrides:
        initialize in class NPKIToolbox
    Throws:
        NPKI_Exception - Throws a PKI error code if not successful.

public void createContext() throws NPKI_Exception
    Overrides:
        createContext in class NPKIToolbox
    Throws:
        NPKI_Exception - An NPKIT error code.
    See Also:
        freeContext

public void freeContext() throws NPKI_Exception
    Overrides:
        freeContext in class NPKIToolbox
    Throws:
        NPKI_Exception - If an error occurs.
    See Also:
        createContext
public static final void certificateChain(com.novell.security.japi.pki.NPKI_CertChain certChain, int flags, java.lang.Integer crlReason, java.lang.Integer crlHoldInstruction, java.lang.Integer crlRevocationTime, java.lang.Integer crlInvalidityDateTime, com.novell.security.japi.pki.NPKI_CertChain revokedCertificate, java.lang.Integer certInvalidityReason, com.novell.security.japi.pki.NPKI_crlCacheContext crlCacheContext) throws NPKI_Exception
    The certificate chain must be in leaf-to-root order. The last certificate in the chain is assumed to be trusted by the caller of the API. If any certificate is invalid (for example, revoked or expired), an error is returned. The caller of this method must build the chain in the proper order using the NPKI_CertChain class.
    Parameters:
        certChain - Certificate chain
        flags - (IN) Certificate flags. Use one of the following:
            NPKI_VERIFY_NORMAL - (0x00000000)
            NPKI_VERIFY_DONT_CHECK_CERTIFICATE - (0x00000001)
            NPKI_VERIFY_DONT_CHECK_CRL - (0x00000002)
        crlReason - (OUT) Returns an Integer indicating the reason why the certificate was revoked. This is only set if the return code is PKI_E_CERT_INVALID. The possible values are the PKI_* revocation reason codes listed in the Field Summary.
        crlHoldInstruction - (OUT) If the certificate is invalid, certInvalidityReason is set to NPKIx509Invalid_Certificate_On_CRL, and crlReason is set to PKI_HOLD_INSTRUCTION_NONE, then the hold instruction from the CRL is returned in this parameter. The possible values for crlHoldInstruction are:
            PKI_HOLD_INSTRUCTION_NONE - (0)
            PKI_HOLD_INSTRUCTION_CALL_ISSUER - (1)
            PKI_HOLD_INSTRUCTION_REJECT - (2)
        crlRevocationTime - (OUT) Returns the time and date the certificate was revoked. This is only set if the return code is PKI_E_CERT_INVALID.
        crlInvalidityDateTime - (OUT) The time and date the CRL becomes invalid.
        revokedCertificate - (OUT) A chain of the X.509 certificate(s) that were found to be on a CRL. This is only set if the return code is PKI_E_CERT_INVALID.
        certInvalidityReason - (OUT) Reason why the certificate is invalid. This is only set if the return code is PKI_E_CERT_INVALID. The possible reasons are:
            NPKIx509CertificateValid - Indicates that the certificate is valid.
            NPKIx509Invalid_System_Error - Indicates there were some hardware problems or network problems.
            NPKIx509Invalid_Decode_Error - Indicates there was a problem decoding the certificate.
            NPKIx509Invalid_Subject_Issuer_Name - Indicates that the subject name of the issuing certificate does not match the issuer name of the subject certificate.
            NPKIx509Invalid_Future - Indicates that the certificate's start date is in the future.
            NPKIx509Invalid_Expired - Indicates that the certificate has expired.
            NPKIx509Invalid_Issuer_Not_CA - Indicates that the issuer is not a valid CA (Certification Authority).
            NPKIx509Invalid_Path_Length - Indicates that the X.509 basic constraints path length has been violated.
            NPKIx509Invalid_Unknown_Critical_Extension - Indicates the certificate contained a critical extension that could not be understood.
            NPKIx509Invalid_KeyUsage - Indicates that the key does not support the requested usage.
            NPKIx509Invalid_CRL_Decode_Error - Indicates an error occurred during the decoding of the CRL (Certificate Revocation List).
            NPKIx509Invalid_Certificate_On_CRL - Indicates that one of the certificates in the chain is on a CRL (Certificate Revocation List).
            NPKIx509Invalid_Cant_Process_CDP - Indicates the certificate contained a distribution point that cannot be processed.
            NPKIx509Invalid_Cant_Read_CRL - Indicates that the CRL could not be read.
            NPKIx509Invalid_Invalid_CRL - Indicates the CRL was not valid for this certificate.
            NPKIx509Invalid_Expired_CRL - Indicates the CRL has expired and a new one has not been issued.
            NPKIx509Invalid_CRL_Issuer_Name - Indicates that the issuer name of the CRL identified in the certificate does not match the issuer name in the actual CRL retrieved.
            NPKIx509Invalid_Issuer_Not_Trusted - Indicates that one or more of the CA certificates are not in the configured Trusted Root container.
            NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL - This is an advisory flag. The CDP (Certificate Distribution Point) exists but the CRL (Certificate Revocation List) was not checked because the caller of the API requested that it not be checked.
            NPKIx509Invalid_Invalid_Signature - Indicates that the cryptographic signature does not match. Either an invalid key was used to produce the signature or the signed data has been modified.
            NPKIx509Invalid_Algorithm_Not_Supported - Indicates that the cryptographic algorithm is not supported.
            NPKIx509Invalid_Missing_Required_Extension - Indicates that a required extension is not present.
            NPKIx509Invalid_Extension_Not_Critical - Indicates that an extension which must be set to critical in order for the certificate to be valid is not set to critical.
            NPKIx509Invalid_Missing_Certificate_Policy - Indicates that a critical certificate policy is absent from a CA certificate.
            NPKIx509Invalid_OCSP_REVOKED - Indicates that the certificate has been revoked as reported by the OCSP server.
            NPKIx509Invalid_OCSP_ERROR - Indicates that either the OCSP server could not be reached, or there was an error with the OCSP response.
            NPKIx509Invalid_OCSP_UNKNOWN - Indicates that the OCSP server does not know the revocation status of the certificate.
        crlCacheContext - (OUT) Reserved for future use. Pass a NULL.
    Throws:
        NPKI_Exception - Throws a NICI or PKI error code if not successful.

public int certificate(byte[] issuerCertificate, byte[] subjectCertificate) throws NPKI_Exception
    certificate checks the following: NOTE: This API does not check certificate revocation. Use certificateChain for complete certificate verification.
    Parameters:
        issuerCertificate - (IN) Certificate you wish to use to verify the subject certificate.
        subjectCertificate - (IN) Subject certificate you wish to be verified.
    Throws:
        NPKI_Exception - Throws a NICI or PKI error code if not successful.

public void issuerSubjectNameMatch(byte[] issuerCertificate, byte[] subjectCertificate) throws NPKI_Exception
    Parameters:
        issuerCertificate - (IN) Certificate you wish to use to verify the subject certificate.
        subjectCertificate - (IN) Subject certificate you wish to verify.
    Throws:
        NPKI_Exception - Thrown if a PKI error occurs or if not successful.

public void verifySignatureWithCertificate(byte[] data, int algorithmId, byte[] signature, byte[] certificate) throws NPKI_Exception
    Determines if the specified signature of the data was signed by the private key matching certificate. This API is designed to help determine the authenticity of signed data.
    Parameters:
        data - (IN) The original data.
        algorithmId - (IN) The signing algorithm used to sign the data.
        signature - (IN) The signature of the signed data.
        certificate - (IN) The certificate to be used to verify the authenticity of the signature.
    Throws:
        NPKI_Exception - Thrown if a PKI error occurs or if the signature does not match.

public void verifyCertificatePrivateKeyAgreement(byte[] certificate, byte[] wrappedPrivateKey) throws NPKI_Exception
    Determines if the public key contained in the certificate matches the wrappedPrivateKey. This API is designed to help determine if the public key in the certificate is the matching pair to the private key.
    Parameters:
        certificate - (IN) The certificate containing the public key.
        wrappedPrivateKey - (IN) The cryptographically wrapped private key. This key was cryptographically wrapped in the NICI storage key to protect it from disclosure.
    Throws:
        NPKI_Exception - Thrown if a PKI error occurs or if the keys do not match.
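The following is an added example, not Novell's code and not taken from this page. It drives the documented lifecycle (construct, initialize, createContext, certificateChain, freeContext) and turns the certInvalidityReason OUT value into a fail-closed decision: codes that only mean "revocation could not be determined" (OCSP unreachable, CRL unreadable or stale, CDP skipped) are treated as rejections, not as passes. Assumptions that the page does not state: NPKI_Exception and NPKI_crlCacheContext live in com.novell.security.japi.pki; the java.lang.Integer OUT parameters are holder objects that the native layer fills in; the NPKIx509* and PKI_* fields are compile-time constants; the caller has already built the leaf-to-root NPKI_CertChain and supplies an empty NPKI_CertChain to receive revoked certificates. How the NPKIT return code (PKI_E_CERT_INVALID) is exposed on NPKI_Exception is not shown here, so any exception is treated as "not verified" and the OUT holders are inspected.

```java
// Added example (not Novell's code): fail-closed use of NPKITverify.certificateChain().
// Assumed package for NPKI_Exception / NPKI_crlCacheContext: com.novell.security.japi.pki.
import com.novell.security.japi.pki.NPKITverify;
import com.novell.security.japi.pki.NPKI_CertChain;
import com.novell.security.japi.pki.NPKI_Exception;
import com.novell.security.japi.pki.NPKI_crlCacheContext;

public final class ChainVerificationExample {

    // Flag value as listed under certificateChain(); the class defining the
    // NPKI_VERIFY_* names is not given on this page, so the value is spelled out.
    static final int NPKI_VERIFY_NORMAL = 0x00000000;
    // NPKI_VERIFY_DONT_CHECK_CRL (0x00000002) is deliberately not used: it produces the
    // advisory NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL and leaves revocation unknown.

    /** Outcome of one verification run. */
    public static final class Outcome {
        public final boolean accepted;
        public final int invalidityReason;   // one of the NPKIx509* codes
        public final String detail;
        Outcome(boolean accepted, int invalidityReason, String detail) {
            this.accepted = accepted;
            this.invalidityReason = invalidityReason;
            this.detail = detail;
        }
    }

    /**
     * Verifies a chain the caller built in leaf-to-root order (last entry = trust anchor,
     * as the API requires). revokedHolder is an empty NPKI_CertChain the library fills
     * with any certificate it found on a CRL (assumed usage of the OUT parameter).
     */
    public static Outcome verifyChain(NPKI_CertChain chain, NPKI_CertChain revokedHolder) {
        // OUT holders; their values are only meaningful on PKI_E_CERT_INVALID (assumption:
        // the native layer writes into these Integer objects).
        Integer crlReason = new Integer(NPKITverify.PKI_UNSPECIFIED);
        Integer crlHoldInstruction = new Integer(0);
        Integer crlRevocationTime = new Integer(0);
        Integer crlInvalidityDateTime = new Integer(0);
        Integer certInvalidityReason = new Integer(NPKITverify.NPKIx509CertificateValid);
        NPKI_crlCacheContext crlCacheContext = null;   // documented: reserved, pass a NULL

        NPKITverify verifier = null;
        try {
            verifier = new NPKITverify();
            verifier.initialize();      // documented as required before any PKI service
            verifier.createContext();
            NPKITverify.certificateChain(chain, NPKI_VERIFY_NORMAL, crlReason, crlHoldInstruction,
                    crlRevocationTime, crlInvalidityDateTime, revokedHolder,
                    certInvalidityReason, crlCacheContext);
            // Documented contract: an invalid certificate raises an error, so reaching this
            // line means every certificate in the chain passed, revocation included.
            return new Outcome(true, NPKITverify.NPKIx509CertificateValid, "chain verified");
        } catch (NPKI_Exception e) {
            int reason = certInvalidityReason.intValue();
            return new Outcome(false, reason, explain(reason, crlReason.intValue()));
        } finally {
            if (verifier != null) {
                try { verifier.freeContext(); } catch (NPKI_Exception ignored) { /* best effort */ }
            }
        }
    }

    // Codes that mean "status unknown" rather than "positively bad". A trust decision
    // must not be made on these; retry or alert instead of accepting.
    private static final int[] UNRESOLVED = {
        NPKITverify.NPKIx509Invalid_OCSP_ERROR,
        NPKITverify.NPKIx509Invalid_OCSP_UNKNOWN,
        NPKITverify.NPKIx509Invalid_Cant_Read_CRL,
        NPKITverify.NPKIx509Invalid_Cant_Process_CDP,
        NPKITverify.NPKIx509Invalid_Expired_CRL,
        NPKITverify.NPKIx509Invalid_CDP_Exists_Did_Not_Check_CRL,
        NPKITverify.NPKIx509Invalid_System_Error,
    };

    /** True when the library positively determined the revocation status. */
    public static boolean revocationStatusResolved(int reason) {
        for (int code : UNRESOLVED) {
            if (code == reason) return false;
        }
        return true;
    }

    /** Maps certInvalidityReason (plus crlReason for CRL hits) to an operator-readable line. */
    public static String explain(int reason, int crlReason) {
        if (reason == NPKITverify.NPKIx509Invalid_Certificate_On_CRL) {
            String why = (crlReason == NPKITverify.PKI_KEY_COMPROMISED) ? " (key compromise)"
                       : (crlReason == NPKITverify.PKI_CA_COMPROMISED) ? " (CA compromise)"
                       : (crlReason == NPKITverify.PKI_CERTIFICATE_HOLD) ? " (on hold)" : "";
            return "revoked via CRL, reason code " + crlReason + why;
        }
        if (reason == NPKITverify.NPKIx509Invalid_OCSP_REVOKED) return "revoked per OCSP responder";
        if (reason == NPKITverify.NPKIx509Invalid_Issuer_Not_Trusted) return "issuer not in the Trusted Root container";
        if (reason == NPKITverify.NPKIx509Invalid_Invalid_Signature) return "signature mismatch: wrong key or modified data";
        if (reason == NPKITverify.NPKIx509Invalid_Expired || reason == NPKITverify.NPKIx509Invalid_Future) return "outside validity period";
        return revocationStatusResolved(reason)
                ? "rejected, NPKIx509 reason 0x" + Integer.toHexString(reason)
                : "revocation status unresolved (0x" + Integer.toHexString(reason) + "); failing closed";
    }
}
```

The point of the split between revocationStatusResolved and explain is operational: a chain that fails with NPKIx509Invalid_OCSP_ERROR or NPKIx509Invalid_Expired_CRL has not been shown to be bad, but it has not been shown to be good either, so the example reports it as a rejection with a distinct message that an operator can route to a retry or an alert on the CRL/OCSP infrastructure rather than to an incident on the certificate itself.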