Package org.dogtagpki.server.ca

Interface ICertificateAuthority

  • All Superinterfaces:
    ISubsystem
    public interface ICertificateAuthority
extends ISubsystem
    An interface represents a Certificate Authority that is responsible for certificate specific operations.

    Version:
    $Revision$, $Date$

    • Method Detail

      • getCertificateRepository

        ICertificateRepository getCertificateRepository()
        Retrieves the certificate repository where all the locally issued certificates are kept.
        Returns:
        CA's certificate repository

      • getRequestQueue

        IRequestQueue getRequestQueue()
        Retrieves the request queue of this certificate authority.
        Returns:
        CA's request queue

      • getPolicyProcessor

        IPolicyProcessor getPolicyProcessor()
        Retrieves the policy processor of this certificate authority.
        Returns:
        CA's policy processor

      • noncesEnabled

        boolean noncesEnabled()

      • getNonces

        java.util.Map<java.lang.Object,​java.lang.Long> getNonces​(javax.servlet.http.HttpServletRequest request,
                                                               java.lang.String name)

      • getPublisherProcessor

        PublisherProcessor getPublisherProcessor()
        Retrieves the publishing processor of this certificate authority.
        Returns:
        CA's publishing processor

      • getStartSerial

        java.lang.String getStartSerial()
        Retrieves the next available serial number.
        Returns:
        next available serial number

      • setStartSerial

        void setStartSerial​(java.lang.String serial)
             throws EBaseException
        Sets the next available serial number.
        Parameters:
        serial - next available serial number
        Throws:
        EBaseException - failed to set next available serial number

      • getMaxSerial

        java.lang.String getMaxSerial()
        Retrieves the last serial number that can be used for certificate issuance in this certificate authority.
        Returns:
        the last serial number

      • setMaxSerial

        void setMaxSerial​(java.lang.String serial)
           throws EBaseException
        Sets the last serial number that can be used for certificate issuance in this certificate authority.
        Parameters:
        serial - the last serial number
        Throws:
        EBaseException - failed to set the last serial number

      • getDefaultSignatureAlgorithm

        org.mozilla.jss.crypto.SignatureAlgorithm getDefaultSignatureAlgorithm()
        Retrieves the default signature algorithm of this certificate authority.
        Returns:
        the default signature algorithm of this CA

      • getDefaultAlgorithm

        java.lang.String getDefaultAlgorithm()
        Retrieves the default signing algorithm of this certificate authority.
        Returns:
        the default signing algorithm of this CA

      • setDefaultAlgorithm

        void setDefaultAlgorithm​(java.lang.String algorithm)
                  throws EBaseException
        Sets the default signing algorithm of this certificate authority.
        Parameters:
        algorithm - new default signing algorithm
        Throws:
        EBaseException - failed to set the default signing algorithm

      • getCASigningAlgorithms

        java.lang.String[] getCASigningAlgorithms()
        Retrieves the supported signing algorithms of this certificate authority.
        Returns:
        the supported signing algorithms of this CA

      • setValidity

        void setValidity​(java.lang.String enableCAPast)
          throws EBaseException
        Allows certificates to have validities that are longer than this certificate authority's.
        Parameters:
        enableCAPast - if equals "true", it allows certificates to have validity longer than CA's certificate validity
        Throws:
        EBaseException - failed to set above option

      • getDefaultValidity

        long getDefaultValidity()
        Retrieves the default validity period.
        Returns:
        the default validity length in days

      • getCRLIssuingPoints

        java.util.Enumeration<ICRLIssuingPoint> getCRLIssuingPoints()
        Retrieves all the CRL issuing points.
        Returns:
        enumeration of all the CRL issuing points

      • getCRLIssuingPoint

        ICRLIssuingPoint getCRLIssuingPoint​(java.lang.String id)
        Retrieves CRL issuing point with the given identifier.
        Parameters:
        id - CRL issuing point id
        Returns:
        CRL issuing point with given id

      • addCRLIssuingPoint

        boolean addCRLIssuingPoint​(IConfigStore crlSubStore,
                           java.lang.String id,
                           boolean enable,
                           java.lang.String description)
        Adds CRL issuing point with the given identifier and description.
        Parameters:
        crlSubStore - sub-store with all CRL issuing points
        id - CRL issuing point id
        description - CRL issuing point description
        Returns:
        true if CRL issuing point was successfully added

      • deleteCRLIssuingPoint

        void deleteCRLIssuingPoint​(IConfigStore crlSubStore,
                           java.lang.String id)
        Deletes CRL issuing point with the given identifier.
        Parameters:
        crlSubStore - sub-store with all CRL issuing points
        id - CRL issuing point id

      • getCRLRepository

        ICRLRepository getCRLRepository()
        Retrieves the CRL repository.
        Returns:
        CA's CRL repository

      • getReplicaRepository

        IReplicaIDRepository getReplicaRepository()
        Retrieves the Replica ID repository.
        Returns:
        CA's Replica ID repository

      • getRequestInQListener

        IRequestListener getRequestInQListener()
        Retrieves the request in queue listener.
        Returns:
        the request in queue listener

      • getRequestListenerNames

        java.util.Enumeration<java.lang.String> getRequestListenerNames()
        Retrieves all request listeners.
        Returns:
        name enumeration of all request listeners

      • getCertIssuedListener

        IRequestListener getCertIssuedListener()
        Retrieves the request listener for issued certificates.
        Returns:
        the request listener for issued certificates

      • getCertRevokedListener

        IRequestListener getCertRevokedListener()
        Retrieves the request listener for revoked certificates.
        Returns:
        the request listener for revoked certificates

      • getCACertChain

        org.mozilla.jss.netscape.security.x509.CertificateChain getCACertChain()
        Retrieves the CA certificate chain.
        Returns:
        the CA certificate chain

      • getCaX509Cert

        org.mozilla.jss.crypto.X509Certificate getCaX509Cert()
        Retrieves the CA certificate.
        Returns:
        the CA certificate

      • getCACert

        org.mozilla.jss.netscape.security.x509.X509CertImpl getCACert()
                                                       throws EBaseException
        Retrieves the CA certificate.
        Returns:
        the CA certificate
        Throws:
        EBaseException

      • updateCRLNow

        void updateCRLNow()
           throws EBaseException
        Updates the CRL immediately for MasterCRL issuing point if it exists.
        Throws:
        EBaseException - failed to create or publish CRL

      • publishCRLNow

        void publishCRLNow()
            throws EBaseException
        Publishes the CRL immediately for MasterCRL issuing point if it exists.
        Throws:
        EBaseException - failed to publish CRL

      • getSigningUnit

        ISigningUnit getSigningUnit()
        Retrieves the signing unit that manages the CA signing key for signing certificates.
        Returns:
        the CA signing unit for certificates

      • getCRLSigningUnit

        ISigningUnit getCRLSigningUnit()
        Retrieves the signing unit that manages the CA signing key for signing CRL.
        Returns:
        the CA signing unit for CRLs

      • getOCSPSigningUnit

        ISigningUnit getOCSPSigningUnit()
        Retrieves the signing unit that manages the CA signing key for signing OCSP response.
        Returns:
        the CA signing unit for OCSP responses

      • setBasicConstraintMaxLen

        void setBasicConstraintMaxLen​(int num)
        Sets the maximium path length in the basic constraint extension.
        Parameters:
        num - the maximium path length

      • isClone

        boolean isClone()
        Is this a clone CA?
        Returns:
        true if this is a clone CA

      • getRequestListener

        IRequestListener getRequestListener​(java.lang.String name)
        Retrieves the request listener by name.
        Parameters:
        name - request listener name
        Returns:
        the request listener

      • getRequestNotifier

        IRequestNotifier getRequestNotifier()
        get request notifier

      • registerRequestListener

        void registerRequestListener​(IRequestListener listener)
        Registers a request listener.
        Parameters:
        listener - request listener to be registered

      • registerRequestListener

        void registerRequestListener​(java.lang.String name,
                             IRequestListener listener)
        Registers a request listener.
        Parameters:
        name - under request listener is going to be registered
        listener - request listener to be registered

      • getX500Name

        org.mozilla.jss.netscape.security.x509.X500Name getX500Name()
        Retrieves the issuer name of this certificate authority.
        Returns:
        the issuer name of this certificate authority

      • getCRLX500Name

        org.mozilla.jss.netscape.security.x509.X500Name getCRLX500Name()
        Retrieves the issuer name of this certificate authority issuing point.
        Returns:
        the issuer name of this certificate authority issuing point

      • sign

        org.mozilla.jss.netscape.security.x509.X509CRLImpl sign​(org.mozilla.jss.netscape.security.x509.X509CRLImpl crl,
                                                        java.lang.String algname)
                                                 throws EBaseException
        Signs the given CRL with the specific algorithm.
        Parameters:
        crl - CRL to be signed
        algname - algorithm used for signing
        Returns:
        signed CRL
        Throws:
        EBaseException - failed to sign CRL

      • log

        void log​(int level,
         java.lang.String msg)
        Logs a message to this certificate authority.
        Parameters:
        level - logging level
        msg - logged message

      • getNickname

        java.lang.String getNickname()
        Returns the nickname for the CA signing certificate.
        Returns:
        the nickname for the CA signing certificate

      • sign

        org.mozilla.jss.netscape.security.x509.X509CertImpl sign​(org.mozilla.jss.netscape.security.x509.X509CertInfo certInfo,
                                                         java.lang.String algname)
                                                  throws EBaseException
        Signs a X.509 certificate template.
        Parameters:
        certInfo - X.509 certificate template
        algname - algorithm used for signing
        Returns:
        signed certificate
        Throws:
        EBaseException - failed to sign certificate

      • getDefaultCertVersion

        org.mozilla.jss.netscape.security.x509.CertificateVersion getDefaultCertVersion()
        Retrieves the default certificate version.
        Returns:
        the default version certificate

      • isEnablePastCATime

        boolean isEnablePastCATime()
        Is this CA allowed to issue certificate that has longer validty than the CA's.
        Returns:
        true if allows certificates to have validity longer than CA's

      • getCAService

        IService getCAService()
        Retrieves the CA service object that is responsible for processing requests.
        Returns:
        CA service object

      • getDBSubsystem

        IDBSubsystem getDBSubsystem()
        Retrieves the DB subsystem managing internal data storage.
        Returns:
        DB subsystem object

      • getNumOCSPRequest

        long getNumOCSPRequest()
        Returns the in-memory count of the processed OCSP requests.
        Returns:
        number of processed OCSP requests in memory

      • getOCSPRequestTotalTime

        long getOCSPRequestTotalTime()
        Returns the in-memory time (in mini-second) of the processed time for OCSP requests.
        Returns:
        processed times for OCSP requests

      • getOCSPTotalSignTime

        long getOCSPTotalSignTime()
        Returns the in-memory time (in mini-second) of the signing time for OCSP requests.
        Returns:
        processed times for OCSP requests

      • getOCSPTotalData

        long getOCSPTotalData()
        Returns the total data signed for OCSP requests.
        Returns:
        processed times for OCSP requests

      • getIssuerObj

        org.mozilla.jss.netscape.security.x509.CertificateIssuerName getIssuerObj()

      • getSubjectObj

        org.mozilla.jss.netscape.security.x509.CertificateSubjectName getSubjectObj()

      • getCAs

        java.util.List<ICertificateAuthority> getCAs()
        Enumerate all authorities, including host authority.

      • isHostAuthority

        boolean isHostAuthority()
        Return whether this CA is the host authority (not a lightweight authority).

      • getAuthorityID

        AuthorityID getAuthorityID()
        Get the AuthorityID of this CA.

      • getAuthorityParentID

        AuthorityID getAuthorityParentID()
        Get the AuthorityID of this CA's parent CA, if available.

      • getAuthorityEnabled

        boolean getAuthorityEnabled()
        Return whether CA is enabled.

      • isReady

        boolean isReady()
        Return whether CA is ready to perform signing operations.

      • ensureReady

        void ensureReady()
          throws ECAException
        Throw an exception if CA is not ready to perform signing operations.
        Throws:
        ECAException

      • getAuthorityDescription

        java.lang.String getAuthorityDescription()
        Return CA description. May be null.

      • getCA

        ICertificateAuthority getCA​(org.mozilla.jss.netscape.security.x509.X500Name dn)
        Get the CA by DN. Returns null if CA not found.

      • createSubCA

        ICertificateAuthority createSubCA​(IAuthToken authToken,
                                  java.lang.String dn,
                                  java.lang.String desc)
                           throws EBaseException
        Create a new sub-CA IMMEDIATELY beneath this one. This method DOES NOT add the new CA to caMap; it is the caller's responsibility.
        Throws:
        EBaseException

      • modifyAuthority

        void modifyAuthority​(java.lang.Boolean enabled,
                     java.lang.String desc)
              throws EBaseException
        Update authority configurables.
        Parameters:
        enabled - Whether CA is enabled or disabled
        desc - Description; null or empty removes it
        Throws:
        EBaseException

      • renewAuthority

        void renewAuthority​(javax.servlet.http.HttpServletRequest httpReq)
             throws java.lang.Exception
        Renew certificate of CA.
        Throws:
        java.lang.Exception

      • deleteAuthority

        void deleteAuthority​(javax.servlet.http.HttpServletRequest httpReq)
              throws EBaseException
        Delete this lightweight CA.
        Throws:
        EBaseException

      • getIssuanceProtPubKey

        java.security.PublicKey getIssuanceProtPubKey()
        get Issuance Protection Public Key

      • getIssuanceProtPrivKey

        org.mozilla.jss.crypto.PrivateKey getIssuanceProtPrivKey()
        get Issuance Protection Private Key

      • getIssuanceProtCert

        org.mozilla.jss.crypto.X509Certificate getIssuanceProtCert()
        get Issuance Protection Certificate