com.entrust.toolkit

Class User

java.lang.Object

com.entrust.toolkit.User

All Implemented Interfaces:

KeyAndCertContainer

public final class User
extends java.lang.Object
implements KeyAndCertContainer

User is a high-level class representing a user of a Public Key Infrastructure (PKI).

Once instantiated, a User object uniquely represents an end user in a PKI and has access to the accessor methods of the class. As well as allowing a User instance to log in and log out, the methods in this class provide the following:

• Access to the user's certificates.
• Access to the user's private keys.
• Access to a securely obtained copy of the Certification Authority's (CA) verification certificate.
• The capabilities for managing a user's credentials.

Users whose credentials are stored in an Entrust Profile Format (.epf file, PKCS#11 token, ...) have the concept of certificate streams. A certificate stream is a set of keys/certificates that can be used for a specific purpose. It contains the latest key/certificate as well as a history of all of old keys/certificates that have resulted from updating the certificate stream. A certificate in a certificate stream is superseded when it is no longer the latest certificate in that stream (the certificate stream has been updated).

Users that exist on an Entrust Security Manager 7.0 and later can have any number of certificate streams, each of which corresponds to a certificate definition and is configured according the certificate definition policy. Users that exist on an Entrust Security Manager pre-7.0 have only two certificate streams, one for signing/verification and one for encryption/decryption, which are configured according to the client policy settings. For all users that exist on Entrust Security Managers, key management of the user's keys and certificates is supported.

All other non-Entrust users must have at least one signing/verification or one encryption/decryption key/certificate to be supported. For these non-Entrust users, key management is not supported.

A user's signing key and verification certificate are considered to be the first key/certificate found in the user's profile that has not been superseded and meets one of the following requirements:

• corresponds to the 'Verification' certificate-definition (only applies to user that exist on an Entrust Security Manager 7.0 or later)
• has a 'digitalSignature' key usage
• has a 'nonRepudiation' key usage
• does not have a key usage specified

A user's decryption key and encryption certificate are considered to be the first key/certificate found in the user's profile that has not been superseded and meets one of the following requirements:

• corresponds to the 'Encryption' certificate-definition (only applies to user that exist on an Entrust Security Manager 7.0 or later)
• has a 'keyEncipherment' key usage
• has a 'dataEncipherment' key usage
• does not have a key usage specified

Each of the user's keys/certificates requires key-update when they have not been superseded and one of the following conditions is met:

• The certificate is nearing expiration (entered the rollover period)
• The certificate has expired
• The certificate has been revoked
• The certificate definition policy update date-has been reached (only applies to users that exist on an Entrust Security Manager 7.0 or later)

The rollover period is always a portion of the private key lifetime. For verification certificates (ANY of 'digitalSignature' or 'nonRepudiation' bits set in the key usage extension or does not have a key usage extension), the private key lifetime is extracted from the privateKeyUsagePeriod extension when it is present, or set to 70% of the certificate lifetime when it is not present. For encryption certificates (ONLY 'dataEncipherment' or 'keyEncipherment' bits set in the key usage extension) the private key lifetime is extracted from the privateKeyUsagePeriod extension when it is present, or set to the certificate lifetime when it is not present.

For users on an Entrust Security Manager 7.0 or later, the rollover period starts once a percentage private key lifetime has passed. This percentage is specified in the 'Update cert at % of lifetime' certificate definition policy setting. For all other users, the rollover period starts at 100 days from the end of the private key lifetime or at 50% of the private key lifetime, whichever is less.

Credential Readers and Writers

For a User object to be of use, it must be logged in to using the login method. This method requires a CredentialReader object, which is used to read the credentials, and a password which is used to unlock the credentials. The Toolkit includes the following credential readers:

• CapiCredentialReader
  Reads keys and certificates from Microsoft's Crypto API (CAPI).
• CredentialCreator
  Creates new user credentials by communicating with an Entrust PKI.
• CredentialRecoverer
  Recovers existing user credentials by communicating with an Entrust PKI.
• CredentialCreatorOrRecoverer
  Creates new user credentials or recovers existing user credentials (depending on the user state) by communicating with an Entrust PKI.
• FilenameProfileReader
  Reads an Entrust profile (.epf) from a file.
• PKCS12Reader
  Reads keys and certificates stored in PKCS#12 format.
• RoamingCredentialReader
  Reads an Entrust roaming profile from a Roaming Server.
• SingleLoginReader
  Allows users to log in to more than one application running in Microsoft Windows operating systems using the Entrust Login Interface, without having to authenticate themselves each time they want to use an application.
• StreamProfileReader
  Reads an Entrust profile (.epf) from an InputStream.
• TokenCredentialCreator
  Creates new user credentials on a PKCS#11 device by communicating with an Entrust PKI.
• TokenCredentialRecoverer
  Recovers existing user credentials to a PKCS#11 device by communicating with an Entrust PKI.
• TokenCredentialCreatorOrRecoverer
  Creates new user credentials or recovers existing user credentials (depending on the user state) to a PKCS#11 device by communicating with an Entrust PKI.
• TokenReader
  Reads keys and certificates from in Entrust format from a PKCS#11 device (a smartcard, for example).
• UALCredentialReader
  Reads credentials that have been bound to a specific computer, usually a server, using the Server Login feature.

While a User is logged in, the credentials may require an update if new keys or certificates are obtained, or the password is changed. In order to write the credentials, a CredentialWriter must be set using the setCredentialWriter method. This can be called before login() so that key management checks can be performed as part of the login procedure. If no CredentialWriter is set, the Toolkit will check for necessary key updates, but will not perform them.

The Toolkit includes the following credential writers:

• FilenameProfileWriter
  Writes credentials to a file in Entrust Profile (.epf) format.
• PKCS12Writer
  Writes credentials to a stream in PKCS#12 format.
• RoamingCredentialWriter
  Writes roaming credentials to a Roaming Server.
• StreamProfileWriter
  Writes credentials to a stream in Entrust Profile (.epf) format.
• TokenWriter
  Writes credentials to a PKCS#11 device.
• TokenInitializer
  Initializes a PKCS#11 device with keys and certificates that were stored in a software format.

Not all CredentialReader and CredentialWriter combinations are valid. The following table shows the which credential readers and writers can be used together:

	FilenameProfileWriter	PKCS12Writer1	RoamingCredentialWriter	StreamProfileWriter2	TokenWriter	TokenInitializer
CapiCredentialReader	No	No	No	No	No	No
CredentialCreator3	Yes	Yes	Yes	Yes	No	No
CredentialRecoverer3	Yes	Yes	Yes	Yes	No	No
CredentialCreatorOrRecoverer3	Yes	Yes	Yes	Yes	No	No
FilenameProfileReader	Yes	Yes	Yes	Yes	No	Yes
PKCS12Reader1	Yes	Yes	No	Yes	No	Yes
RoamingCredentialReader	Yes	No	Yes	Yes	No	No
SingleLoginReader4	No	No	No	No	No	No
StreamProfileReader	Yes	Yes	Yes	Yes	No	Yes
TokenCredentialCreator3	No	No	No	No	Yes	No
TokenCredentialRecoverer3	No	No	No	No	Yes	No
TokenCredentialCreatorOrRecoverer3	No	No	No	No	Yes	No
TokenReader	No	No	No	No	Yes	No
UALCredentialReader5	Yes5	Yes5	Yes5	Yes5	Yes5	Yes5

¹ Key management is not possible when using PKCS12 readers or writers as they do not provide information required for management operations.

² A StreamProfileWriter can only write credentials once. Credentials may be automatically written during each attempt to login or do key management. To prevent write failures, a new instance of a StreamProfileWriter should be set before each attempt to login or do key management.

³These credential readers require that a credential writer be set, and that setConnections() has been called in order to use them.

⁴While it is not possible to set a credential writer with this reader, it is still possible to perform a password change.

⁵A UALCredentialReader wraps another credential reader, and whether or not the combination is possible depends on the type of reader it wraps.

Logging in

The procedure for logging in to a User object usually looks something like the following pseudo-code :

 
    User user = new User();

    // Optionally create a connection to the Directory so that certificates can
    // be validated
    LdapDirectory directory = new JNDIDirectory(DIRECTORY_IP, DIRECTORY_PORT);
    // Optionally create a connection to an Entrust PKI so that key
    // management is possible.
    ManagerTransport transport = new ManagerTransport(MANAGER_IP, MANAGER_PORT);

    // Set the connections.
    user.setConnections(directory, transport);

    // Create a credential reader appropriate to the application.
    CredentialReader credentialReader = ...

    // Set a CredentialWriter so that key updates and can be performed and any
    // changes to the credentials can be written.
    CredentialWriter credentialWriter = ...
    user.setCredentialWriter(credentialWriter);

    // Actually log in to the User object.
    SecureStringBuffer securePassword = new SecureStringBuffer(PASSWORD);
    user.login(credentialReader, securePassword);

    // Examine status codes set by the login procedure.
    UserStatus status = user.getStatus();
    if (status.isStatusPresent(UserStatus.PASSWORD_EXPIRED))
    {
        // password has expired, prompt for password change
    }
    ...

See Also:

UserStatus, CredentialReader, CredentialWriter

Field Summary

Fields

Modifier and Type	Field and Description
static int	WARNING_DIRECTORY_IS_OLD Indicates that the directory is old; publication of a user certificate is pending (has not occurred yet) - only applies to Entrust V1-key-pair users.
static int	WARNING_DN_CHANGE_REQUIRED Indicates that the user requires a DN change.
static int	WARNING_DN_CHANGED Indicates that the user's DN was changed.
static int	WARNING_ENC_KEY_UPDATED Indicates that the user's decryption/encryption key/certificate was updated.
static int	WARNING_ENCRYPTION_KEY_NEEDS_UPDATE Indicates that the user's decryption/encryption key/certificate requires an update.
static int	WARNING_OPTIONS_CHANGED Indicates that the 'Options' information in an Entrust file-based Digital Identity store has been tampered (modified by a third-party).
static int	WARNING_OPTIONS_NOT_AVAILABLE Indicates that the 'Options' information in an Entrust file-based Digital Identity store is not available (missing/empty or MAC protection is missing).
static int	WARNING_OPTIONS_UPDATED Indicates that the 'Options' information in an Entrust file-based Digital Identity store has been updated.
static int	WARNING_PW_EXPIRED Indicates that according to the user's password history, the user's current password has expired and must be changed.
static int	WARNING_PW_NOT_VALID Indicates that according to the user's password rules found in their client policy settings, the user's current password is not valid.
static int	WARNING_SIGN_KEY_UPDATED Indicates that the user's signing/verification key/certificate was updated.
static int	WARNING_SIGNING_KEY_NEEDS_UPDATE Indicates that the user's signing/verification key/certificate requires an update.
static int	WARNING_X500NAME_CHANGED Indicates that the 'User X.500 Name' information in an Entrust file-based Digital Identity store has been tampered (modified by a third-party).

Constructor Summary

Constructors

Constructor and Description
User() Creates a new User object.
User(java.lang.String profile, SecureStringBuffer password, java.lang.String inifile) Creates a new User object and automatically logs in using settings retrieved from the user's entrust.ini file.
User(UserConfigSettings userConfigSettings) Creates a new User object that will use/obey the indicated user configuration settings.

Method Summary

Methods

Modifier and Type	Method and Description
void	addLogoutListener(LogoutListener logoutListener) Adds the given LogoutListener to the list of LogoutListeners.
void	addTrustedCertificate(X509Certificate trustedCert) Adds a trusted certificate — from an address book, for example.
void	addTrustedCertificate(X509Certificate trustedCert, boolean revcheck) Adds a trusted certificate — from an address book, for example.
void	blockELILogout() Deprecated. since 8.0; There is no longer a need to maintain this feature as the Entrust Login Interface has been discontinued. This method will be removed in a future release.
void	changePassword(SecureStringBuffer oldPassword, SecureStringBuffer newPassword) Changes the password protecting the Digital Identity.
void	closeConnections() Closes the connection to the PKI.
void	completeUserExport(LdapDirectory directory, ManagerTransport managerTransport) Completes a user export operation.
void	doRequiredKeyManagement() Does all required key management for a user.
boolean	encryptionKeyUpdateRequired() Determines whether the user's encryption/decryption key/certificate needs to be updated.
X509Certificate	getCaCertificate() Returns the Certification Authority (CA) certificate stored in the credentials if the user is logged in.
X509Certificate[]	getCaCertificateChain() Returns an array of CA certificates forming a chain to the user's root CA.
CollectionCS	getCertificateStore() Returns the main certificate store used for certificate validation.
ValidationInfo	getCertVerifier() Returns the object that validates certificates for this user.
ClientSettings	getClientSettings() Gets the client settings that were used during user login.
CredentialReader	getCredentialReader() Gets the CredentialReader.
CredentialWriter	getCredentialWriter() Gets the CredentialWriter.
Name[]	getDecryptionIssuers() Returns the history of the decryption key issuers.
java.security.PrivateKey	getDecryptionKey() Returns the latest decryption private key stored in the credentials.
java.security.PrivateKey	getDecryptionKey(Name issuer, java.lang.String serialNumber) Returns the decryption private key and serial number for the given issuer.
java.security.PrivateKey[]	getDecryptionKeys() Returns the decryption keys stored in the credentials.
java.lang.String[]	getDecryptionSerialNumbers() Returns the history of the decryption key serial numbers.
LdapDirectory	getDirectory() Returns the Directory that was set by calling setConnections().
X509Certificate	getEncryptionCertificate() Returns the user's encryption certificate.
ExtensionTester	getExtensionTester() Returns the extension tester used for certificate validation.
java.util.Hashtable	getExtensionTestlets() Returns extension testlets registered by application.
IniFile	getIniFile() Returns the Entrust initialization file that was set in the constructor of this class, if any.
ManagerTransport	getManagerTransport() Returns the ManagerTransport that was set by calling setConnections().
java.lang.String	getOption(java.lang.String optionName) Returns the option Value that corresponds to the provided option Name if one exists; otherwise null is returned.
java.util.Date	getPasswordExpiryDate() Returns the date/time at which the user's password expires.
IniFile	getPolicyCertificate() Gets the policy certificate.
CollectionRS	getRevocationStore() Returns the main revocation store used for certificate validation.
X509Certificate	getRootCaCertificate() Returns the top-level trusted root CA certificate for users in a CA hierarchy.
java.security.PrivateKey	getSigningKey() Returns the latest signing key stored in the credentials.
UserStatus	getStatus() Returns an object that provides information about the user's status during the current login session.
X509Certificate	getUserCertificate(Name issuer, java.math.BigInteger serialNumber) Returns the user's certificate that corresponds to the specified issuer DN and serial number.
X509Certificate[]	getUserCertificates() Returns all the user's current certificates (excludes superseded certificates).
X509Certificate[]	getUserCertificates(boolean includedSuperseded) Returns all the user's certificates (includes superseded certificates)
X509Certificate[]	getUserCertificates(KeyUsage keyUsage) Returns the user's certificates that can be used for purposes indicated by the key usage provided.
X509Certificate[]	getUserCertificatesByExactKeyUsage(KeyUsage keyUsage) Returns the user's certificates that can ONLY be used for purposes indicated by the key usage provided.
UserConfigSettings	getUserConfigSettings() Returns the user's configuration settings.
Name	getUserDN() Returns the user's distinguished name (DN).
java.security.PrivateKey	getUserPrivateKey(Name issuer, java.math.BigInteger serialNumber) Returns the user's private key that corresponds to the specified certificate issuer and serial number.
java.security.PrivateKey	getUserPrivateKey(X509Certificate certificate) Returns the user's private key that corresponds to the specified certificate.
X509Certificate	getVerificationCertificate() Returns the user's verification certificate.
boolean	isDuplicatePassword(SecureStringBuffer password) This method may be used to determine if the supplied password is contained in the User's password history.
boolean	isLoggedIn() Indicates whether or not the user is logged in.
boolean	isOnline() Indicates the user's working mode (online or offline).
boolean	isV2KeyPairUpgradeEnabled() Indicates whether Entrust's V2-key-pair user upgrade feature is enabled.
boolean	keyUpdatePerformed() Determines whether a key update has been performed on any of the user's keys/certificates since this User was created.
boolean	keyUpdateRequired() Determines whether any of the user's keys/certificates need to be updated.
boolean	keyUpdateRequired(X509Certificate certificate) Determines whether the user's key/certificate that corresponds to the specified certificate needs to be updated.
X509Certificate[]	keyUpdatesRequired() Determines whether any of the user's keys/certificates need to be updated.
int	login(CredentialReader credentialReader, SecureStringBuffer password) Logs in a user.
void	logout() Logs out a user.
void	registerExtensionTestlet(ExtensionTestlet testlet, ObjectID extension) Register a testlet for a certificate extension.
void	requireCRL(boolean required) Determines whether certificate validation fails when no CRL can be found.
void	setConnections(java.io.InputStream entrustIniFile) Sets the connections to the Entrust Authority Security Manager (EASM) using settings retrieved from the user's entrust.ini file.
void	setConnections(java.io.InputStream entrustIniFile, boolean enableSMProxy) Sets the connections to the Entrust Authority Security Manager (EASM) using settings retrieved from the user's entrust.ini file.
void	setConnections(LdapDirectory directory, ManagerTransport managerTransport) Sets the connections to a Public Key Infrastructure (PKI).
void	setConnections(java.lang.String entrustIniFile) Sets the connections to the Entrust Authority Security Manager (EASM) using settings retrieved from the user's entrust.ini file.
void	setConnections(java.lang.String entrustIniFile, boolean smProxyEnabled) Sets the connections to the Entrust Authority Security Manager (EASM) using settings retrieved from the user's entrust.ini file.
void	setCredentialWriter(CredentialWriter credentialWriter) Sets the CredentialWriter that will be used to write this user's credentials.
void	setPolicyCertificate(IniFile policyCertificateCache) Sets the user's policy certificate from a cache (.pch) file.
void	setV2KeyPairUpgradeEnabled(boolean enable) Enables/Disables Entrust's V2-key-pair user upgrade feature.
void	setWriteCaUpdates(boolean writeCaUpdates) Set whether or not updates detected to any CA certificates are written back to the digital identity immediately.
boolean	signingKeyUpdateRequired() Determines whether the user's signing/verification key/certificate needs to be updated.
void	unblockELILogout() Deprecated. since 8.0; There is no longer a need to maintain this feature as the Entrust Login Interface has been discontinued. This method will be removed in a future release.
void	updateAllKeys() Updates all the user's keys/certificates, which HAVE NOT been superseded.
boolean	updateEncryptionKeys() Attempts to update the user's encryption/decryption key/certificate.
boolean	updateSigningKeys() Attempts to update the user's signing/verification key/certificate.
void	updateUserKeys(X509Certificate[] certificates) Updates the user's keys/certificates that correspond to the indicated certificates, which MUST NOT have been superseded.
X509Certificate[]	validate(X509Certificate certificate) Validates an X.509 certificate.
void	write() Writes a user's credentials to the CredentialWriter that was set in setCredentialWriter().

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

WARNING_OPTIONS_CHANGED

public static final int WARNING_OPTIONS_CHANGED

Indicates that the 'Options' information in an Entrust file-based Digital Identity store has been tampered (modified by a third-party). Corresponds to the UserStatus.OPTIONS_CHANGED field.

See Also:

Constant Field Values

WARNING_OPTIONS_NOT_AVAILABLE

public static final int WARNING_OPTIONS_NOT_AVAILABLE

Indicates that the 'Options' information in an Entrust file-based Digital Identity store is not available (missing/empty or MAC protection is missing). Corresponds to the UserStatus.OPTIONS_NOT_AVAILABLE field.

See Also:

Constant Field Values

WARNING_X500NAME_CHANGED

public static final int WARNING_X500NAME_CHANGED

Indicates that the 'User X.500 Name' information in an Entrust file-based Digital Identity store has been tampered (modified by a third-party). Corresponds to the UserStatus.X500NAME_CHANGED field.

See Also:

Constant Field Values

WARNING_ENC_KEY_UPDATED

public static final int WARNING_ENC_KEY_UPDATED

Indicates that the user's decryption/encryption key/certificate was updated. Corresponds to the UserStatus.ENCRYPTION_CERTIFICATE_UPDATE_OCCURRED field.

See Also:

Constant Field Values

WARNING_SIGN_KEY_UPDATED

public static final int WARNING_SIGN_KEY_UPDATED

Indicates that the user's signing/verification key/certificate was updated. Corresponds to the UserStatus.VERIFICATION_CERTIFICATE_UPDATE_OCCURRED field.

See Also:

Constant Field Values

WARNING_PW_EXPIRED

public static final int WARNING_PW_EXPIRED

Indicates that according to the user's password history, the user's current password has expired and must be changed. Corresponds to the UserStatus.PASSWORD_EXPIRED field.

See Also:

Constant Field Values

WARNING_SIGNING_KEY_NEEDS_UPDATE

public static final int WARNING_SIGNING_KEY_NEEDS_UPDATE

Indicates that the user's signing/verification key/certificate requires an update. Corresponds to the UserStatus.VERIFICATION_CERTIFICATE_UPDATE_REQUIRED field.

See Also:

Constant Field Values

WARNING_ENCRYPTION_KEY_NEEDS_UPDATE

public static final int WARNING_ENCRYPTION_KEY_NEEDS_UPDATE

Indicates that the user's decryption/encryption key/certificate requires an update. Corresponds to the UserStatus.ENCRYPTION_CERTIFICATE_UPDATE_REQUIRED field.

See Also:

Constant Field Values

WARNING_PW_NOT_VALID

public static final int WARNING_PW_NOT_VALID

Indicates that according to the user's password rules found in their client policy settings, the user's current password is not valid. Corresponds to the UserStatus.PASSWORD_NOT_VALID field.

See Also:

Constant Field Values

WARNING_DN_CHANGED

public static final int WARNING_DN_CHANGED

Indicates that the user's DN was changed. Corresponds to the UserStatus.DN_CHANGE_OCCURRED field.

See Also:

Constant Field Values

WARNING_DN_CHANGE_REQUIRED

public static final int WARNING_DN_CHANGE_REQUIRED

Indicates that the user requires a DN change. Corresponds to the UserStatus.DN_CHANGE_REQUIRED field.

See Also:

Constant Field Values

WARNING_DIRECTORY_IS_OLD

public static final int WARNING_DIRECTORY_IS_OLD

Indicates that the directory is old; publication of a user certificate is pending (has not occurred yet) - only applies to Entrust V1-key-pair users. Corresponds to the UserStatus.DIRECTORY_IS_OLD field.

See Also:

Constant Field Values

WARNING_OPTIONS_UPDATED

public static final int WARNING_OPTIONS_UPDATED

Indicates that the 'Options' information in an Entrust file-based Digital Identity store has been updated. This can occur outside of the normal key management operations such as a user role change. Corresponds to the UserStatus.OPTIONS_UPDATED field;

See Also:

Constant Field Values

Constructor Detail

User

public User()

Creates a new User object.

A default set of user configuration settings are also created for this user; the user will use/obey these settings.

User

public User(UserConfigSettings userConfigSettings)

Creates a new User object that will use/obey the indicated user configuration settings.

When user configuration settings are not provided, a default set of configuration settings is used.

Parameters:

userConfigSettings - user configuration settings (OPTIONAL)

Since:

7.1 SP1 Patch

User

public User(java.lang.String profile,
    SecureStringBuffer password,
    java.lang.String inifile)
     throws java.io.FileNotFoundException,
            UserBadPasswordException,
            UserFatalException

Creates a new User object and automatically logs in using settings retrieved from the user's entrust.ini file.

This constructor retrieves Directory server and authority location information from an entrust.ini file, and uses the information to log in the user to a specified Entrust Profile.

A default set of user configuration settings are also created for this user; the user will use/obey these settings.

Parameters:

profile - the path to the EPF file that contains the user's Digital Identity (usually has a .epf filename extension)

password - the user's password

inifile - the path to the the user's entrust.ini file

Throws:

java.io.FileNotFoundException - if profile or inifile cannot be found

UserBadPasswordException - if the given password is incorrect

UserFatalException - if connections to the Directory and PKI cannot be set, the user's profile cannot be read, or the user's CA certificate could not be validated.

Method Detail

setConnections

public void setConnections(java.lang.String entrustIniFile)
                    throws java.io.FileNotFoundException,
                           UserFatalException

Sets the connections to the Entrust Authority Security Manager (EASM) using settings retrieved from the user's entrust.ini file.

This method retrieves both the Directory and the Security Manager location information from the file. It also retrieves Directory connections settings (connection timeout, search timeout) used to configure the Directory; when this information is not found, default values of 30 seconds are used for both.

The Security Manager connection is required during digital identity creation, recovery, and key management (key update, DN change, ...). The Directory connection aids certificate validation by allowing certificates and certificate revocation lists to be retrieved.

Parameters:

entrustIniFile - the location of the user's entrust.ini file

Throws:

java.io.FileNotFoundException - if the entrust.ini file could not be found

UserFatalException - if the connections could not be set properly (entrust.ini not correctly formatted or missing entries, Directory not available)

setConnections

public void setConnections(java.lang.String entrustIniFile,
                  boolean smProxyEnabled)
                    throws java.io.FileNotFoundException,
                           UserFatalException

Sets the connections to the Entrust Authority Security Manager (EASM) using settings retrieved from the user's entrust.ini file.

This method retrieves both the Directory and the Security Manager location information from the file. It also retrieves Directory connections settings (connection timeout, search timeout) used to configure the Directory; when this information is not found, default values of 30 seconds are used for both. If a Security Manager Proxy has been configured in the entrust.ini, the use of the proxy can be controlled with the enableSMProxy parameter.

Note: If enableSMProxy is set, the SMProxy values will take precedence.

The Security Manager connection is required during digital identity creation, recovery, and key management (key update, DN change, ...). The Directory connection aids certificate validation by allowing certificates and certificate revocation lists to be retrieved.

Parameters:

entrustIniFile - the location of the user's entrust.ini file

smProxyEnabled - determines if the Security Manager Proxy should be used

Throws:

java.io.FileNotFoundException - if the entrust.ini file could not be found

UserFatalException - if the connections could not be set properly (entrust.ini not correctly formatted or missing entries, Directory not available)

Since:

8.1

setConnections

public void setConnections(java.io.InputStream entrustIniFile)
                    throws UserFatalException

Sets the connections to the Entrust Authority Security Manager (EASM) using settings retrieved from the user's entrust.ini file.

This method retrieves both the Directory and the Security Manager location information from the file. It also retrieves Directory connections settings (connection timeout, search timeout) used to configure the Directory; when this information is not found, default values of 30 seconds are used for both. If the Directory is not found in the file an offline login will occur.

The Security Manager connection is required during digital identity creation, recovery, and key management (key update, DN change, ...). The Directory connection aids certificate validation by allowing certificates and certificate revocation lists to be retrieved.

Note: Secure LDAP is enabled by using the SecureLDAP=1 setting under [Directory Connection Settings]. In this mode, the directory is obtained from the SecureLDAPServer= line from the [Directory Connection Settings] section. If no SecureLDAPServer line is found when in this mode, an offline connection will be performed.

Parameters:

entrustIniFile - an input stream from which the user's entrust.ini file can be read

Throws:

java.io.FileNotFoundException - if the entrust.ini file could not be found

UserFatalException - if the connections could not be set properly (entrust.ini not correctly formatted or missing entries, Directory not available)

setConnections

public void setConnections(java.io.InputStream entrustIniFile,
                  boolean enableSMProxy)
                    throws UserFatalException

Sets the connections to the Entrust Authority Security Manager (EASM) using settings retrieved from the user's entrust.ini file.

This method retrieves both the Directory and the Security Manager location information from the file. It also retrieves Directory connections settings (connection timeout, search timeout) used to configure the Directory; when this information is not found, default values of 30 seconds are used for both. If the Directory is not found in the file an offline login will occur. If a Security Manager Proxy has been configured in the entrust.ini, the use of the proxy can be controlled with the enableSMProxy parameter.

Note: If enableSMProxy is set, the SMProxy values will take precedence.

The Security Manager connection is required during digital identity creation, recovery, and key management (key update, DN change, ...). The Directory connection aids certificate validation by allowing certificates and certificate revocation lists to be retrieved.

Note: Secure LDAP is enabled by using the SecureLDAP=1 setting under [Directory Connection Settings]. In this mode, the directory is obtained from the SecureLDAPServer= line from the [Directory Connection Settings] section. If no SecureLDAPServer line is found when in this mode, an offline connection will be performed.

Parameters:

entrustIniFile - an input stream from which the user's entrust.ini file can be read

enableSMProxy - determines if the Security Manager Proxy should be used

Throws:

java.io.FileNotFoundException - if the entrust.ini file could not be found

UserFatalException - if the connections could not be set properly (entrust.ini not correctly formatted or missing entries, Directory not available)

Since:

8.1

setConnections

public void setConnections(LdapDirectory directory,
                  ManagerTransport managerTransport)
                    throws UserFatalException

Sets the connections to a Public Key Infrastructure (PKI).

This includes a connection to an Certification Authority (CA) and a Directory. Whenever you create or recover credentials, or update keys, you must connect to, and communicate with, the PKI. This method should also be used when you want to retrieve information, such as revocation lists, from the Directory server.

If you are using an HttpsDirectoryClient or HttpsManagerClient to protect access to the Directory and Manager through SSL, the toolkit will use the SSL configurations specified in HttpsDirectoryClient or HttpsManagerClient if they have been configured before the call to this method. If no SSL configuration has been configured the toolkit will set the SSL configuration using the certificates contained in the Identity being logged into by this User object.

Parameters:

directory - the connection to the Directory (OPTIONAL)

managerTransport - the connection to the CA (OPTIONAL)

Throws:

UserFatalException - if the connection to the CA and/or Directory, when provided, cannot be used (incorrect IP/Port, service down or not available)

closeConnections

public void closeConnections()

Closes the connection to the PKI.

If the connections to the Directory and the Security Manager are closed, the user works in offline mode. In offline mode, the user cannot create or recover credentials, update the keys in the credentials, or retrieve new revocation information when validating certificates.

isOnline

public boolean isOnline()

Indicates the user's working mode (online or offline).

The user is online if the connection to the Directory is set.

Returns:

true if the user is online, otherwise returns false.

isLoggedIn

public boolean isLoggedIn()

Indicates whether or not the user is logged in.

The user is logged in after successfully calling the login method.

Returns:

true if the user is logged in, otherwise returns false.

setPolicyCertificate

public void setPolicyCertificate(IniFile policyCertificateCache)

Sets the user's policy certificate from a cache (.pch) file.

If the user is working in offline mode, the policy certificate cannot be obtained from the Directory and must be set using this method.

Parameters:

policyCertificateCache - the policy certificate cache file.

setCredentialWriter

public void setCredentialWriter(CredentialWriter credentialWriter)

Sets the CredentialWriter that will be used to write this user's credentials.

The CredentialWriter must be set when creating or recovering credentials, or when updating the keys in credentials. The new credentials are written to the specified CredentialWriter.

If a CredentialWriter is already set when this method is called, it will be replaced by the new one.

Note: the type of the credential writer is not checked for compatibility with the reader until an attempt is made to write the credentials. See the class documentation for details on which reader/writer combinations are possible.

Parameters:

credentialWriter - the CredentialWriter to be used to write the credentials.

login

public int login(CredentialReader credentialReader,
        SecureStringBuffer password)
          throws UserFatalException,
                 UserRecoverException,
                 UserBadPasswordException,
                 java.security.cert.CertificateException

Logs in a user.

The login method reads the user's credentials from the CredentialReader. The user's credentials are keys, certificates, and other data that constitute the user's identity.

Note: After calling this method, the getStatus() method should be called so that an application can see details of what updates occurred or are required.

Parameters:

credentialReader - the selected CredentialReader

password - the user's password

Returns:

the status code, which is a bit mask of the WARNING fields defined in this class. For example, if both encryption and signing keys were updated, the value would be WARNING_ENC_KEY_UPDATED | WARNING_SIGN_KEY_UPDATED. However, there are more status codes that are not returned as part of this value. After login, the getStatus() method should be called, which includes all of the status codes. The return value of this method is for compatibility with applications written for older versions of the Toolkit.

Throws:

UserFatalException - thrown if a non-recoverable error occurs during the login process. This could include a communication failure with the PKI during credential creation, or failure to find required information in the credentials.

UserRecoverException - if an error occurs that causes the login process to fail and may require the user to be recovered (Digital Identity store corrupt/invalid)

UserBadPasswordException - thrown if a user is being created/recovered, and the password does not follow the password rules in the client policy settings, or if an existing user is being logged in and the password is incorrect

java.security.cert.CertificateException - thrown if there is a problem with the user's client settings policy certificates, or the user's CA certificate could not be validated

See Also:

getStatus()

getStatus

public UserStatus getStatus()

Returns an object that provides information about the user's status during the current login session.

This method should be called after login or any method that may attempt key management to see what the result was.

Note: The user's status information is cleared before every login attempt; this ensure that user's status information from one login session is not carried over into another.

Returns:

an object that provides information about the user's status; null if the user is not logged in.

logout

public void logout()
            throws UserNotLoggedInException

Logs out a user.

After calling the logout method, the User object no longer has access to its credentials, such as keys and certificates.

Throws:

UserNotLoggedInException - if the user is not logged in.

changePassword

public void changePassword(SecureStringBuffer oldPassword,
                  SecureStringBuffer newPassword)
                    throws UserNotLoggedInException,
                           UserFatalException,
                           UserBadPasswordException

Changes the password protecting the Digital Identity.

For a password change to be possible, a credential writer that is capable of doing at least one more write operation must have been set, because the Digital Identity must be written to complete the password change operation.

If the Digital Identity was logged in using a SingleLoginReader, the password change is performed via the Entrust Login Interface. In all other cases, the password change operation consists of the following steps:

• the old password is verified to ensure that it is correct
• the new password is validated against the password rules from the user's client policy settings
• the password is changed
• the password history is updated with the new password
• the Digital Identity is written to reflect the password change

Parameters:

oldPassword - the current password protecting the Digital Identity

newPassword - the new password

Throws:

UserNotLoggedInException - thrown if the user is not logged in.

UserFatalException - thrown if an error occurred during the password change operation

UserBadPasswordException - thrown if the new password is not valid according the the password rules in the user's client policy settings

See Also:

setCredentialWriter

getOption

public java.lang.String getOption(java.lang.String optionName)
                           throws UserNotLoggedInException

Returns the option Value that corresponds to the provided option Name if one exists; otherwise null is returned.

Parameters:

optionName - the string Name of the option

Returns:

the string representation of the requested option Value

Throws:

UserNotLoggedInException

Since:

8.0 patch

getPasswordExpiryDate

public java.util.Date getPasswordExpiryDate()
                                     throws UserNotLoggedInException,
                                            UserFatalException

Returns the date/time at which the user's password expires.

The user's client policy settings contain a set of password rules which indicate the 'password expiry in weeks'. This value indicates how long a password can be used for (in weeks) before it must be changed. This value, along with a timestamp of when the password (retrieved from the user's Digital Identity), it can be determined if the password is expired at the present date/time.

If the password rules contain a value of zero for 'password expiry in weeks', then the password never expires and null is returned. If the Digital Identity does not contain a password timestamp, then the password never expires and null is returned.

Returns:

the date/time at which the password expires; null if the password never expires

Throws:

UserNotLoggedInException - if the user is not logged in

UserFatalException - if the user's password rules could not be extracted from their client policy settings

Since:

7.0

signingKeyUpdateRequired

public boolean signingKeyUpdateRequired()
                                 throws UserNotLoggedInException

Determines whether the user's signing/verification key/certificate needs to be updated.

Returns:

true if the user's signing/verification key/certificate needs to be updated; false otherwise

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

encryptionKeyUpdateRequired

public boolean encryptionKeyUpdateRequired()
                                    throws UserNotLoggedInException

Determines whether the user's encryption/decryption key/certificate needs to be updated.

Returns:

true if the user's encryption/decryption key/certificate needs to be updated; false otherwise

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

keyUpdateRequired

public boolean keyUpdateRequired()
                          throws UserNotLoggedInException

Determines whether any of the user's keys/certificates need to be updated. This method looks at key and certificate expiry for all keys and certificates in the user's digital identity.

Returns:

true if any of the user's keys/certificates need to be updated; false otherwise

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

keyUpdateRequired

public boolean keyUpdateRequired(X509Certificate certificate)
                          throws UserNotLoggedInException

Determines whether the user's key/certificate that corresponds to the specified certificate needs to be updated.

Parameters:

certificate - the user's certificate

Returns:

true if the user's key/certificate needs to be updated; false otherwise

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

Since:

7.0

keyUpdatesRequired

public X509Certificate[] keyUpdatesRequired()
                                     throws UserNotLoggedInException

Determines whether any of the user's keys/certificates need to be updated. This method looks at key and certificate expiry for all keys and certificates in the user's digital identity.

Returns:

contains the user's certificates that need to be updated; empty when no updates are necessary

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

Since:

7.0

updateSigningKeys

public boolean updateSigningKeys()
                          throws UserNotLoggedInException,
                                 UserRecoverException

Attempts to update the user's signing/verification key/certificate.

Returns:

true if the signing/verification key/certificate was updated successfully; false otherwise

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

UserRecoverException - if a fatal error occurs that causes the update operation to fail and may require the user to be recovered (Digital Identity store corrupt/invalid)

updateEncryptionKeys

public boolean updateEncryptionKeys()
                             throws UserNotLoggedInException,
                                    UserRecoverException

Attempts to update the user's encryption/decryption key/certificate.

Returns:

true if the encryption/decryption key/certificate was updated successfully; false otherwise

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

UserRecoverException - if a fatal error occurs that causes the update operation to fail and may require the user to be recovered (Digital Identity store corrupt/invalid)

updateUserKeys

public void updateUserKeys(X509Certificate[] certificates)
                    throws UserNotLoggedInException,
                           UserKeyManagementException,
                           UserFatalException,
                           UserRecoverException

Updates the user's keys/certificates that correspond to the indicated certificates, which MUST NOT have been superseded.

Parameters:

certificates - the certificates to be updated

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

UserKeyManagementException - thrown when an update operation is not possible (no directory connection, no credential writer ...)

UserFatalException - if an error occurs that causes the update operation to fail

UserRecoverException - if an error occurs that causes the update operation to fail and may require the user to be recovered (Digital Identity store corrupt/invalid)

Since:

7.0

updateAllKeys

public void updateAllKeys()
                   throws UserNotLoggedInException,
                          UserKeyManagementException,
                          UserFatalException,
                          UserRecoverException

Updates all the user's keys/certificates, which HAVE NOT been superseded.

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

UserKeyManagementException - thrown when an update operation is not possible (no directory connection, no credential writer ...)

UserFatalException - if an error occurs that causes the update operation to fail

UserRecoverException - if an error occurs that causes the update operation to fail and may require the user to be recovered (Digital Identity store corrupt/invalid)

Since:

7.0

doRequiredKeyManagement

public void doRequiredKeyManagement()
                             throws UserNotLoggedInException,
                                    UserKeyManagementException,
                                    UserFatalException,
                                    UserRecoverException

Does all required key management for a user.

The different types of key management operations that can occur are listed below:

Security Manager Upgrade

When a Security Manager is upgraded from one the support V1-key-pair to one that supports V2-key-pair, all the information in the user's Digital Identity will automatically be updated to reflect this; this includes storing the event-identifier and event-indicator, as well as associating each key/certificate with a certificate-type and definition

Move User

When a user has been exported from their current Security Manager to another, key management is not possible until the client manually completes the move user operation

Forced Key Update

When the Security Manager has initiated a forced key-update, each certificate-stream in the Digital Identity is updated with a new key/certificate

DN-Change

When the Security Manager has initiated a DN change, each certificate-stream in the Digital Identity is updated with a new key/certificate; these certificates will all be issued to the user's new DN

Key Update Detection

Each of the user's keys/certificates will automatically be updated for any of the following reasons: rollover period, expired, revoked, certificate-definition forced update (V2-key-pair only).

New Certificate Stream

When the user detects that their certificate-type has changed, or a new certificate definition has been added to their certificate-type, a new certificate stream is created by requesting a key/certificate (V2-key-pair only)

Certificate streams that have become obsolete are not managed. This happens when a V2-key-pair user has a certificate-definition removed from their certificate-type.

Note: This method contacts the security manager, so it can be considered an expensive check to perform. A less expensive check can be done with keyUpdateRequired(), which will only check for key updates due to pending key and certificate expiry.

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

UserKeyManagementException - thrown when key management is not possible (no directory connection, no credential writer ...)

UserFatalException - if an error occurs that causes the key management operation to fail

UserRecoverException - if an error occurs that causes the key management operation to fail and may require the user to be recovered (Digital Identity store corrupt/invalid)

Since:

7.0

keyUpdatePerformed

public boolean keyUpdatePerformed()

Determines whether a key update has been performed on any of the user's keys/certificates since this User was created.

To see more details about which keys were updated during the previous call to perform key management, call getStatus().

Returns:

true if a key update has been performed; false otherwise

write

public void write()
           throws UserNotLoggedInException,
                  UserFatalException

Writes a user's credentials to the CredentialWriter that was set in setCredentialWriter().

The write is only possible when the user has a credential writer that is capable of doing at least one more write operation, and the user is not logged in using Entrust Single Login.

Throws:

UserNotLoggedInException - thrown if the user is not logged in.

UserFatalException - thrown if an error occurred during the write operation. This may be caused by trying to write credentials using a writer that is not compatible with the reader used during login. See the class documentation for details on which reader/writer combinations are possible.

See Also:

setCredentialWriter()

registerExtensionTestlet

public void registerExtensionTestlet(ExtensionTestlet testlet,
                            ObjectID extension)

Register a testlet for a certificate extension. This allows registering testlets for critical certificate extensions that are not processed by the Toolkit. If a testlet is not registered for a critical certificate extension in a user's certificate, the user will not be able to log in as the certificate will not validate.

If a testlet already exists for the given ObjectID, this testlet, as the most recent to be registered, will be used to test the extension.

An extension testlet only need to be registered once for a user object. It is not necessary to re-register the testlet before every user login.

Parameters:

testlet - the new testlet to be registered

extension - the object ID of the extension that testlet validates

validate

public X509Certificate[] validate(X509Certificate certificate)
                           throws CertificationException,
                                  UserNotLoggedInException

Validates an X.509 certificate.

The validation comprises three steps:

1. Find a certificate chain from certificate to the root of trust.
2. Validate the chain with all certificate extensions.
3. Verify that no certificate in the chain has been revoked.

The method returns a certificate chain from the root of trust to the given certificate if a chain is found and successfully validated. It throws a CertificateException if no chain is found, or if a chain is found but fails to validate.

Parameters:

certificate - the certificate to validate

Returns:

The valid certificate chain from the root of trust to the given certificate.

Throws:

CertificationException - if no valid certificate chain is found.

UserNotLoggedInException - if the user is not logged in

blockELILogout

public void blockELILogout()
                    throws UserNotLoggedInException

Deprecated. since 8.0; There is no longer a need to maintain this feature as the Entrust Login Interface has been discontinued. This method will be removed in a future release.

Prevents the user from being logged out at the same time as the Entrust Login Interface (ELI) logs out.

Use this method if a user has logged in using Entrust Login Interface, i.e. used a SingleLoginReader, to prevent the user from being logged out when ELI times out. The ELI timeout can be defined using Entrust Entelligence.

There might be situations when the Toolkit user does not want to be logged out at the same time as ELI logs out. This might be the case, for example, when performing unattended security operations over an extended period of time. Using this method, the user can block the logout until the operations have been completed.

Call the unblockELILogout method to remove the logout restriction.

Note

If you do not blocked the ELI logout, the user is logged out at the same time as ELI logs out. Performing Toolkit operations without the user logged in will cause these operations to fail.

Throws:

UserNotLoggedInException - if the user is not logged in

unblockELILogout

public void unblockELILogout()
                      throws UserNotLoggedInException

Deprecated. since 8.0; There is no longer a need to maintain this feature as the Entrust Login Interface has been discontinued. This method will be removed in a future release.

Removes the ELI logout block set using the blockELILogout method.

Throws:

UserNotLoggedInException - if the user is not logged in

addTrustedCertificate

public void addTrustedCertificate(X509Certificate trustedCert)
                           throws CertificationRootException

Adds a trusted certificate — from an address book, for example.

Trusted certificates are stored in a static memory based repository. The fact that the repository is static means that any certificate marked as trusted will be recognized as trusted by all User objects and/or CertVerifier certificate validation engine objects in an application. Because the repository is memory based it is non-persistent, meaning it exists only while the application is running and is not shared between separate applications.

Note

The policy settings might prohibit the adding of trusted certificates, in which case this method throws a CertificationRootException exception.

Parameters:

trustedCert - the trusted certificate

Throws:

CertificationRootException - if the policy settings prohibit adding trusted certificates.

addTrustedCertificate

public void addTrustedCertificate(X509Certificate trustedCert,
                         boolean revcheck)
                           throws CertificationException

Adds a trusted certificate — from an address book, for example.

If revcheck is set to true, a revocation check of the certificate will be done before the certificate is added. If the certificate is revoked, or revocation information could not be found for the certificate, it will not be added as a trusted certificate. In this case a CertificationException will be thrown.

If revcheck is set to false, it is the same as calling addTrustedCertificate(X509Certificate)

Trusted certificates are stored in a static memory based repository. The fact that the repository is static means that any certificate marked as trusted will be recognized as trusted by all User objects and/or CertVerifier certificate validation engine objects in an application. Because the repository is memory based it is non-persistent, meaning it exists only while the application is running and is not shared between separate applications.

Note

The policy settings might prohibit the adding of trusted certificates, in which case this method throws a CertificationRootException exception.

Parameters:

trustedCert - - the trusted certificate

revcheck - - true if revocation checking of the certificate should be done before it is added, false if no revocation checking will be used.

Throws:

CertificationException - - if revocation information could not be determined

RevocationException - - if the certificate is revoked

requireCRL

public void requireCRL(boolean required)
                throws UserNotLoggedInException

Determines whether certificate validation fails when no CRL can be found.

By default, if there is a connection to an LDAP directory and no CRL can be found for a certificate, the certificate is considered to be invalid. If there is no connection to an LDAP directory, the certificate is considered to be not revoked, even if no CRL can be found for it.

This method changes the default behaviour.

Parameters:

required - if true, certificate validation fails if no CRL can be found for a certificate. If false, certificate validation succeeds even if no CRL can be found for a certificate

Throws:

UserNotLoggedInException - if the user is not logged in

addLogoutListener

public void addLogoutListener(LogoutListener logoutListener)

Adds the given LogoutListener to the list of LogoutListeners. Each listener will be called when the logout() method is called.

Parameters:

logoutListener - the object that will be notified when the logout method is called.

getIniFile

public IniFile getIniFile()

Returns the Entrust initialization file that was set in the constructor of this class, if any. This method is mainly for internal use.

Returns null if no initialization file was set; e.g. the User instance logged in with the login() method, not the User constructor.

Returns:

The IniFile object that specifies the settings used during login, such as location information of the Directory server and the PKI Authority.

See Also:

User(String, SecureStringBuffer, String)

getDirectory

public LdapDirectory getDirectory()

Returns the Directory that was set by calling setConnections().

Returns:

the Directory if the user is working online, otherwise returns null.

getManagerTransport

public ManagerTransport getManagerTransport()

Returns the ManagerTransport that was set by calling setConnections().

Returns:

the MangerTransport if the user is working online, otherwise returns null.

getPolicyCertificate

public IniFile getPolicyCertificate()

Gets the policy certificate.

Returns the policy certificate that was set using the setPolicyCertificate() method.

Returns:

the policy certificate if one was set, otherwise returns null.

getClientSettings

public ClientSettings getClientSettings()

Gets the client settings that were used during user login.

Allows the application to examine the client settings that were used during a login. This is useful if a login attempt failed. For example, user creation might have failed because the initial profile password did not conform to the rules specified in the client settings.

Returns:

the client settings that were retrieved from the PKI Authority during login

getCredentialReader

public CredentialReader getCredentialReader()

Gets the CredentialReader.

Returns the CredentialReader used when calling the login method.

Returns:

the CredentialReader used when calling the login() method.

getCredentialWriter

public CredentialWriter getCredentialWriter()

Gets the CredentialWriter.

Returns the CredentialWriter set by the setCredentialWriter method.

Returns:

the CredentialWriter set by the setCredentialWriter() method.

getVerificationCertificate

public X509Certificate getVerificationCertificate()
                                           throws UserNotLoggedInException

Returns the user's verification certificate.

The verification certificate is used to verify signatures that are created with the user's private signing key. This key/certificate pair can be used together to provide data integrity (assurance that data has not changed over time).

For users that exist created on an Entrust Security Manager version 7.0 or later, it is possible for the user to have multiple verification certificates. In this case, the verification certificate returned is determined using the following order of precedence:

• certificate that corresponds to the 'Verification' certificate-type
• certificate with 'digitalSignature' key usage
• certificate with 'nonRepudiation' key usage
• certificate with no key usage

For users whose credentials are stored in an Entrust Profile Format that supports the concept of certificate streams (EPF, token, ...), the certificate that is returned is always the latest, one that has not been superseded. A certificate in a certificate stream is superseded when it is no longer the latest certificate in that stream (the certificate stream has been updated).

Specified by:

getVerificationCertificate in interface KeyAndCertContainer

Returns:

the user's verification certificate

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

getEncryptionCertificate

public X509Certificate getEncryptionCertificate()
                                         throws UserNotLoggedInException

Returns the user's encryption certificate.

The encryption certificate is used to protect information that can only be unprotected with the user's private decryption key. This key/certificate pair can be used together to provide data protection (assurance that protected data cannot be read by anyone other than the user).

For users that exist created on an Entrust Security Manager version 7.0 or later, it is possible for the user to have multiple encryption certificates. In this case, the encryption certificate returned is determined using the following order of precedence:

• certificate that corresponds to the 'Encryption' certificate-type
• certificate with 'keyEncipherment' key usage
• certificate with 'dataEncipherment' key usage
• certificate with no key usage

For users whose credentials are stored in an Entrust Profile Format that supports the concept of certificate streams (EPF, token, ...), the certificate that is returned is always the latest, one that has not been superseded. A certificate in a certificate stream is superseded when it is no longer the latest certificate in that stream (the certificate stream has been updated).

Specified by:

getEncryptionCertificate in interface KeyAndCertContainer

Returns:

the user's encryption certificate

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

getUserCertificates

public X509Certificate[] getUserCertificates()
                                      throws UserNotLoggedInException

Returns all the user's current certificates (excludes superseded certificates).

For users whose credentials are stored in an Entrust Digital Identity store that supports the concept of certificate streams (EPF, Entrust PKCS#11, ...), the certificates that are returned are always the latest - ones that have not been superseded. Otherwise all certificates are considered to be from a different stream (and thus not superseded). A certificate in a certificate stream is superseded when it is no longer the latest certificate in that stream (the certificate stream has been updated). Superseded certificates should generally not be used; the latest certificate in the certificate stream should be used instead.

Returns:

the user's certificates

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

Since:

7.0

getUserCertificates

public X509Certificate[] getUserCertificates(boolean includedSuperseded)
                                      throws UserNotLoggedInException

Returns all the user's certificates (includes superseded certificates)

A certificate in a certificate stream is superseded when it is no longer the latest certificate in that stream (the certificate stream has been updated). Superseded certificates should generally not be used; the latest certificate in the certificate stream should be used instead.

Returns:

the user's certificates

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

Since:

7.2 SP2 Patch

getUserCertificate

public X509Certificate getUserCertificate(Name issuer,
                                 java.math.BigInteger serialNumber)
                                   throws UserNotLoggedInException

Returns the user's certificate that corresponds to the specified issuer DN and serial number.

All of the user's certificates are searched, including the user's certificates that have been superseded (non-current).

Parameters:

issuer - the issuer of the certificate

serialNumber - the serial number of the certificate

Returns:

the user certificate with the requested issuer DN and serial number; null if no such certificate exists

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

Since:

7.0

getUserCertificates

public X509Certificate[] getUserCertificates(KeyUsage keyUsage)
                                      throws UserNotLoggedInException

Returns the user's certificates that can be used for purposes indicated by the key usage provided.

It searches for certificates that have a key usage extension that indicates they can be used for the requested purpose. This includes any certificates with a key usage extension that contains all of the key usage bits in the key usage provided. These certificates may also contain additional key usage bits that were not requested, but they will at a bare minimum contain all the key usage bits requested. This also includes certificates that do not have a key usage extension, since these certificates have no restrictions on the purpose for which they can be used.

When the requested key usage is null, only certificates that do not have key usage extension are returned.

For users whose credentials are stored in an Entrust Profile Format that supports the concept of certificate streams (EPF, token, ...), the certificates that are returned are always the latest, ones that have not been superseded. A certificate in a certificate stream is superseded when it is no longer the latest certificate in that stream (the certificate stream has been updated). Superseded certificates should NOT be used; the latest certificate in the certificate stream should be used instead.

Parameters:

keyUsage - the requested key usage (OPTIONAL)

Returns:

the user certificates that can be used for the purpose indicated by the requested key usage; an empty array is returned if no such certificates exist

Throws:

UserNotLoggedInException - if the user has not yet been logged in

Since:

7.0

getUserCertificatesByExactKeyUsage

public X509Certificate[] getUserCertificatesByExactKeyUsage(KeyUsage keyUsage)
                                                     throws UserNotLoggedInException

Returns the user's certificates that can ONLY be used for purposes indicated by the key usage provided.

It searches for certificates that have a key usage extension that is identical to the key usage provided. This only includes certificates with a key usage extension that contains the exact key usage bits in the key usage provided.

When the requested key usage is null, only certificates that do not have a key usage extension are returned.

For users whose credentials are stored in an Entrust Profile Format that supports the concept of certificate streams (EPF, token, ...), the certificates that are returned are always the latest, ones that have not been superseded. A certificate in a certificate stream is superseded when it is no longer the latest certificate in that stream (the certificate stream has been updated). Superseded certificates should NOT be used; the latest certificate in the certificate stream should be used instead.

Parameters:

keyUsage - the requested key usage (OPTIONAL)

Returns:

the user certificates that can ONLY be used for the purpose indicated by the requested key usage; an empty array is returned if no such certificates exist

Throws:

UserNotLoggedInException - if the user has not yet been logged in

Since:

7.0

getSigningKey

public java.security.PrivateKey getSigningKey()
                                       throws UserNotLoggedInException

Returns the latest signing key stored in the credentials.

Specified by:

getSigningKey in interface KeyAndCertContainer

Returns:

The signing key as a PrivateKey object, or null if the user does not have a signing key.

Throws:

UserNotLoggedInException - if the user is not logged in.

getDecryptionKeys

public java.security.PrivateKey[] getDecryptionKeys()
                                             throws UserNotLoggedInException

Returns the decryption keys stored in the credentials.

Returns:

The decryption keys in an array of PrivateKey objects.

Throws:

UserNotLoggedInException - if the user is not logged in.

getDecryptionSerialNumbers

public java.lang.String[] getDecryptionSerialNumbers()
                                              throws UserNotLoggedInException

Returns the history of the decryption key serial numbers.

Returns:

an array of the decryption key serial numbers as a String.

Throws:

UserNotLoggedInException - if the user is not logged in.

getDecryptionIssuers

public Name[] getDecryptionIssuers()
                            throws UserNotLoggedInException,
                                   CodingException,
                                   Base64Exception

Returns the history of the decryption key issuers.

Returns:

a Name array of the decryption key issuers

Throws:

UserNotLoggedInException - if the user is not logged in.

CodingException - if the issuer name component of the decryption key/certificate key identifier is incorrectly formatted (does not contain Base64 encoded DER encoded data)

Base64Exception - if the issuer name component of the decryption key/certificate key identifier is incorrectly formatted (does not contain Base64 encoded data)

getDecryptionKey

public java.security.PrivateKey getDecryptionKey()
                                          throws UserNotLoggedInException

Returns the latest decryption private key stored in the credentials.

Returns:

The latest decryption key as a PrivateKey object, or null if there is no decryption key in the credentials.

Throws:

UserNotLoggedInException - if the user is not logged in.

getDecryptionKey

public java.security.PrivateKey getDecryptionKey(Name issuer,
                                        java.lang.String serialNumber)
                                          throws UserNotLoggedInException

Returns the decryption private key and serial number for the given issuer.

Specified by:

getDecryptionKey in interface KeyAndCertContainer

Parameters:

issuer - the issuer of the certificate

serialNumber - the serial number of the certificate

Returns:

The decryption key as a PrivateKey object.

Throws:

UserNotLoggedInException - if the user is not logged in.

getUserPrivateKey

public java.security.PrivateKey getUserPrivateKey(X509Certificate certificate)
                                           throws UserNotLoggedInException

Returns the user's private key that corresponds to the specified certificate.

Parameters:

certificate - the certificate that corresponds to the requested private key

Returns:

the user's private key that corresponds to the specified certificate; null if no such private key exists

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

Since:

7.0

getUserPrivateKey

public java.security.PrivateKey getUserPrivateKey(Name issuer,
                                         java.math.BigInteger serialNumber)
                                           throws UserNotLoggedInException

Returns the user's private key that corresponds to the specified certificate issuer and serial number.

Parameters:

issuer - the issuer of the certificate that corresponds to the requested private key

serialNumber - the serial number of the certificate that corresponds to the requested private key

Returns:

the user's private key that corresponds to the requested certificate issuer and serial number; null if no such private key exists

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

Since:

7.0

getUserDN

public Name getUserDN()
               throws UserNotLoggedInException

Returns the user's distinguished name (DN).

Returns:

the user's DN

Throws:

UserNotLoggedInException - if the user has not yet been logged in

Since:

7.0

getCaCertificate

public X509Certificate getCaCertificate()
                                 throws UserNotLoggedInException

Returns the Certification Authority (CA) certificate stored in the credentials if the user is logged in. This is the CA certificate that signed the user's most recent certificate.

Note: This method returns the latest available CA certificate. This means that if the user is offline, the latest CA certificate from the digital identity is returned. When online, the latest CA from the directory is returned. In most cases an identical certificate will be returned whether online or offline, but it is possible that different certificates could be returned if the digital identity has not been updated since the CA certificate was updated. This identity will be updated to the latest CA certificate the next time an online login is performed with a configured CredentialWriter, LdapDirectory and ManagerTransport.

Returns:

The CA certificate

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

getRootCaCertificate

public X509Certificate getRootCaCertificate()
                                     throws UserNotLoggedInException

Returns the top-level trusted root CA certificate for users in a CA hierarchy.

Depending on whether or not the user is in a hierarchy, the top-level trusted root CA certificate can be either the same or different from the user's issuing CA certificate.

Returns:

The top-level trusted root CA certificate, or null if the user is not part of a CA hierarchy.

Throws:

UserNotLoggedInException - thrown if the user has not yet been logged in

See Also:

getCaCertificate()

getCaCertificateChain

public X509Certificate[] getCaCertificateChain()
                                        throws UserFatalException,
                                               UserNotLoggedInException

Returns an array of CA certificates forming a chain to the user's root CA.

The first element of the array is the immediate CA certificate and the last element is the top level trusted root certificate.

Note: The CA certificate chain returned from this method is always the latest CA certificate chain. For example, if the CA certificate chain contains certificates that have been rolled, and the user calling this method is from a previously rolled CA, the chain returned will contain the latest CA certificates, not the certificates which have since been rolled. If a chain containing these older certificates is required, a call to validate(X509Certificate) will return the desired chain.

Specified by:

getCaCertificateChain in interface KeyAndCertContainer

Returns:

The chain of CA certificates up to the top-level root CA.

Throws:

UserFatalException - thrown if the chain cannot be built.

UserNotLoggedInException - thrown if the user is not logged in.

getCertificateStore

public CollectionCS getCertificateStore()
                                 throws UserNotLoggedInException

Returns the main certificate store used for certificate validation.

Specified by:

getCertificateStore in interface KeyAndCertContainer

Returns:

The main certificate store.

Throws:

UserNotLoggedInException - thrown if the user is not logged in.

getRevocationStore

public CollectionRS getRevocationStore()
                                throws UserNotLoggedInException

Returns the main revocation store used for certificate validation.

Returns:

The main revocation store.

Throws:

UserNotLoggedInException - if the user is not logged in

getCertVerifier

public ValidationInfo getCertVerifier()
                               throws UserNotLoggedInException

Returns the object that validates certificates for this user.

All information that is accessible through the returned ValidationInfo is also available through the User object directly, and should be accessed there.

At each login, a new ValidationInfo object is created.

Returns:

the ValidationInfo object that is used by the user to validate certificates.

Throws:

UserNotLoggedInException - if the user is not logged in

getExtensionTester

public ExtensionTester getExtensionTester()
                                   throws UserNotLoggedInException

Returns the extension tester used for certificate validation.

Returns:

The extension tester as an ExtensionTester object

Throws:

UserNotLoggedInException - if the user is not logged in

getExtensionTestlets

public java.util.Hashtable getExtensionTestlets()

Returns extension testlets registered by application.

Returns:

a hashtable containing the testlets, keyed by extension object ID.

setWriteCaUpdates

public void setWriteCaUpdates(boolean writeCaUpdates)

Set whether or not updates detected to any CA certificates are written back to the digital identity immediately.

If changes are written immediately, and no certificate cache is set up, the User will not be able to log in again without a connection to a Directory until they experience a key update.

This method is only effective if called before login

The default is for changes to be written immediately.

Parameters:

writeCaUpdates - set to true if updates to CA certificates should be written to the digital identity immediately, false if changes should only be written when the user receives a certificate signed by a new CA certificate.

Since:

7.0

completeUserExport

public void completeUserExport(LdapDirectory directory,
                      ManagerTransport managerTransport)
                        throws UserNotLoggedInException,
                               UserKeyManagementException,
                               UserFatalException,
                               UserRecoverException

Completes a user export operation.

In order for this operation to be possible, the following prerequisites must be met:

• The user must be logged in
• The user must have a credential writer set
• The user must be in the 'import key recovery' state at the Security Manager

This operation does a signed key recovery of the user at the Security Manager they have been exported to. Once complete, the user will be in the active state at the new Security Manager. The user's Digital Identity store will have been be updated to contain all the user's keys/certificates known to the Security Manager. This will include the user's backed-up keys/certificates issued by the old Security Manager as well as all the user's keys/certificate issued by the new Security Manager.

Parameters:

directory - the Directory used by the new Security Manager

managerTransport - a connection to the Security Manager the user has been exported to

Throws:

UserNotLoggedInException - if the user is not logged in

UserKeyManagementException - if the complete export user operation is not possible because one of the prerequisites has not been met

UserFatalException - if an error occurs that causes the complete user export operation to fail

UserRecoverException - if an error occurs that causes the complete user export operation to fail and may require the user to be recovered (Digital Identity store corrupt/invalid)

Since:

7.0

setV2KeyPairUpgradeEnabled

public void setV2KeyPairUpgradeEnabled(boolean enable)

Enables/Disables Entrust's V2-key-pair user upgrade feature.

By default, V2-key-pair user upgrade is enabled; for a description of how this feature works, refer to isV2KeyPairUpgradeEnabled()

Parameters:

enable - indicates whether the V2-key-pair user upgrade is to be enabled or disabled

Since:

7.0 Patch

See Also:

isV2KeyPairUpgradeEnabled()

isV2KeyPairUpgradeEnabled

public boolean isV2KeyPairUpgradeEnabled()

Indicates whether Entrust's V2-key-pair user upgrade feature is enabled.

The terminology V1-key-pair and V2-key-pair only applies to users created against an Entrust Authority Security Manager (EASM), whose digital identity exists in Entrust format (Entrust Profile (EPF), Entrust format on a smart card or token, or Entrust format in the Microsoft CryptoAPI repository). These terms are defined as follows:

V1-key-pair user

An Entrust user that has client policy settings attached to their role; users have either 1 or 2 key pairs. This type of user is created using either a pre-7.0 client OR a pre-7.0 EASM.

V2-key-pair user

An Entrust user that has certificate definition policy attached to each certificate; users have 1 to 4 key pairs. This type of user is created only when using a 7.0 (or later) client AND a 7.0 (or later) EASM.

When a V1-key-pair user that exists on a 7.0 (or later) EASM is logged in online using the 7.0 Toolkit (or later), it will be detected that a V2-key-pair upgrade is required. This involves associating each of the user's keys/certificates with an appropriate certificate definition and doing any necessary key management. By default, a V2-key-pair upgrade is done automatically when any other key management operation is required (key rollover, forced key update, ...).

The consequence of upgrading a user to V2-key-pair is that any pre-7.0 client is no longer capable of doing key management for this user. For this reason, under certain circumstances, it may desirable to disable the V2-key-pair upgrade feature; This can be done using setV2KeyPairUpgradeEnabled(boolean). For instance, Entrust user's that will use both pre-7.0 and 7.0 (or later) based client applications should disable V2-key-pair upgrade.

Returns:

true if V2-key-pair user upgrade is enabled; false otherwise

Since:

7.0 Patch

See Also:

setV2KeyPairUpgradeEnabled(boolean)

isDuplicatePassword

public boolean isDuplicatePassword(SecureStringBuffer password)
                            throws UserFatalException,
                                   UserNotLoggedInException

This method may be used to determine if the supplied password is contained in the User's password history. This method will return true to indicate the supplied password is in the password history, and false to indicate it was not previously used.

This method may be used before the changePassword(SecureStringBuffer, SecureStringBuffer) method is called for applications that need to know whether a password has already been used.

This method may only be called after the User has been logged in.

Parameters:

password - The password to check against the User's password history.

Returns:

true if the password is contained in the User's password history, false if the password is not in the User's password history

Throws:

UserFatalException

UserNotLoggedInException

Since:

8.0

See Also:

#changePassword(SecureStringBuffer, SecureStringBuffer)}

getUserConfigSettings

public UserConfigSettings getUserConfigSettings()

Returns the user's configuration settings.

User configuration settings can be specified when the User object is instantiated. If not specified, a default set of configuration settings is automatically created. These configuration settings allow the calling application to have control over various aspects of user operation. The settings can be changed at any point with the change taking effect immediately.

Returns:

the user's configuration settings

Since:

7.1 SP1 Patch