authorEndi Sukma Dewata <edewata@redhat.com>2012-03-24 02:27:47 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-03-26 11:43:54 -0500
commit621d9e5c413e561293d7484b93882d985b3fe15f (patch)
tree638f3d75761c121d9a8fb50b52a12a6686c5ac5c /base/common/src/com/netscape/certsrv/kra
parent40d3643b8d91886bf210aa27f711731c81a11e49 (diff)
Removed unnecessary pki folder.
Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131
Diffstat (limited to 'base/common/src/com/netscape/certsrv/kra')
-rw-r--r--base/common/src/com/netscape/certsrv/kra/EKRAException.java94
-rw-r--r--base/common/src/com/netscape/certsrv/kra/IJoinShares.java36
-rw-r--r--base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java321
-rw-r--r--base/common/src/com/netscape/certsrv/kra/IKeyService.java179
-rw-r--r--base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java80
-rw-r--r--base/common/src/com/netscape/certsrv/kra/IShare.java33
-rw-r--r--base/common/src/com/netscape/certsrv/kra/KRAResources.java39
-rw-r--r--base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java463
8 files changed, 1245 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/certsrv/kra/EKRAException.java b/base/common/src/com/netscape/certsrv/kra/EKRAException.java
new file mode 100644
index 000000000..3f23bfe78
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/EKRAException.java
@@ -0,0 +1,94 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * A class represents a KRA exception. This is the base
+ * exception for all the KRA specific exceptions. It is
+ * associated with <CODE>KRAResources</CODE>.
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public class EKRAException extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -6803576959258754821L;
+ /**
+ * KRA resource class name.
+ * <P>
+ */
+ private static final String KRA_RESOURCES = KRAResources.class.getName();
+
+ /**
+ * Constructs a KRA exception.
+ * <P>
+ *
+ * @param msgFormat constant from KRAResources.
+ */
+ public EKRAException(String msgFormat) {
+ super(msgFormat);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ * <P>
+ *
+ * @param msgFormat constant from KRAResources.
+ * @param param additional parameters to the message.
+ */
+ public EKRAException(String msgFormat, String param) {
+ super(msgFormat, param);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ * <P>
+ *
+ * @param msgFormat constant from KRAResources.
+ * @param e embedded exception.
+ */
+ public EKRAException(String msgFormat, Exception e) {
+ super(msgFormat, e);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ * <P>
+ *
+ * @param msgFormat constant from KRAResources.
+ * @param params additional parameters to the message.
+ */
+ public EKRAException(String msgFormat, Object params[]) {
+ super(msgFormat, params);
+ }
+
+ /**
+ * Returns the bundle file name.
+ * <P>
+ *
+ * @return name of bundle class associated with this exception.
+ */
+ protected String getBundleName() {
+ return KRA_RESOURCES;
+ }
+}
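Review bot: `getBundleName()` at the end of the class looks like an override of a hook in `EBaseException` (not visible in this diff), but it carries no `@Override`. If the base method were renamed, this one would silently stop being called and messages would presumably no longer resolve against `KRAResources`. Adding `@Override` above `protected String getBundleName()` lets the compiler check this. The empty Javadoc block above `serialVersionUID` can be dropped, and `Object params[]` reads better as `Object[] params`.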
diff --git a/base/common/src/com/netscape/certsrv/kra/IJoinShares.java b/base/common/src/com/netscape/certsrv/kra/IJoinShares.java
new file mode 100644
index 000000000..e9a5ecae5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IJoinShares.java
@@ -0,0 +1,36 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+/**
+ * Use Java's reflection API to leverage CMS's
+ * old Share and JoinShares implementations.
+ *
+ * @deprecated
+ * @version $Revision$ $Date$
+ */
+public interface IJoinShares {
+
+ public void initialize(int threshold) throws Exception;
+
+ public void addShare(int shareNum, byte[] share);
+
+ public int getShareCount();
+
+ public byte[] recoverSecret();
+}
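Review bot: The four methods of `IJoinShares` have no Javadoc and the bare `@deprecated` tag gives no reason or replacement; the same applies to `IShare` later in this commit. For an interface that reconstructs a secret from threshold shares, the docs should say what `recoverSecret()` does when `getShareCount()` is below the threshold passed to `initialize`. They should also say whether the returned `byte[]` is a fresh copy that the caller is expected to zero after use. For the tag, something like `@deprecated legacy share API, kept only for reflection-based access to the old Share/JoinShares implementations` would match the class comment.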
diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
new file mode 100644
index 000000000..a7cc40507
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
@@ -0,0 +1,321 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Vector;
+
+import netscape.security.x509.X500Name;
+
+import org.mozilla.jss.crypto.CryptoToken;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository;
+import com.netscape.certsrv.policy.IPolicyProcessor;
+import com.netscape.certsrv.request.IRequestListener;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.certsrv.request.RequestId;
+import com.netscape.certsrv.security.Credential;
+import com.netscape.certsrv.security.IStorageKeyUnit;
+import com.netscape.certsrv.security.ITransportKeyUnit;
+
+/**
+ * An interface represents key recovery authority. The
+ * key recovery authority is responsibile for archiving
+ * and recovering user encryption private keys.
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IKeyRecoveryAuthority extends ISubsystem {
+
+ public static final String ID = "kra";
+
+ public final static String PROP_NAME = "name";
+ public final static String PROP_HTTP = "http";
+ public final static String PROP_POLICY = "policy";
+ public final static String PROP_DBS = "dbs";
+ public final static String PROP_TOKEN = "token";
+ public final static String PROP_SHARE = "share";
+ public final static String PROP_PROTECTOR = "protector";
+ public final static String PROP_LOGGING = "logging";
+ public final static String PROP_QUEUE_REQUESTS = "queueRequests";
+ public final static String PROP_STORAGE_KEY = "storageUnit";
+ public final static String PROP_TRANSPORT_KEY = "transportUnit";
+ public static final String PROP_NEW_NICKNAME = "newNickname";
+ public static final String PROP_KEYDB_INC = "keydbInc";
+
+ public final static String PROP_NOTIFY_SUBSTORE = "notification";
+ public final static String PROP_REQ_IN_Q_SUBSTORE = "requestInQ";
+
+ /**
+ * Returns the name of this subsystem.
+ * <P>
+ *
+ * @return KRA name
+ */
+ public X500Name getX500Name();
+
+ /**
+ * Retrieves KRA request repository.
+ * <P>
+ *
+ * @return request repository
+ */
+ public IRequestQueue getRequestQueue();
+
+ /**
+ * Retrieves the key repository. The key repository
+ * stores archived keys.
+ * <P>
+ */
+ public IKeyRepository getKeyRepository();
+
+ /**
+ * Retrieves the Replica ID repository.
+ *
+ * @return KRA's Replica ID repository
+ */
+ public IReplicaIDRepository getReplicaRepository();
+
+ /**
+ * Enables the auto recovery state. Once KRA is in the auto
+ * recovery state, no recovery agents need to be present for
+ * providing credentials. This feature is for enabling
+ * user-based recovery operation.
+ * <p>
+ *
+ * @param cs list of agent credentials
+ * @param on true if auto recovery state is on
+ * @return current auto recovery state
+ */
+ public boolean setAutoRecoveryState(Credential cs[], boolean on);
+
+ /**
+ * Returns the current auto recovery state.
+ *
+ * @return true if auto recvoery state is on
+ */
+ public boolean getAutoRecoveryState();
+
+ /**
+ * Adds credentials to the given authorizated recovery operation.
+ * In distributed recovery mode, recovery agent login to the
+ * agent interface and submit its credential for a particular
+ * recovery operation.
+ *
+ * @param id authorization identifier
+ * @param creds list of credentials
+ */
+ public void addAutoRecovery(String id, Credential creds[]);
+
+ /**
+ * Removes a particular auto recovery operation.
+ *
+ * @param id authorization identifier
+ */
+ public void removeAutoRecovery(String id);
+
+ /**
+ * Returns the number of required agents. In M-out-of-N
+ * recovery schema, only M agents are required even there
+ * are N agents. This method returns M.
+ *
+ * @return number of required agents
+ */
+ public int getNoOfRequiredAgents() throws EBaseException;
+
+ /**
+ * Sets the number of required recovery agents
+ *
+ * @param number number of agents
+ */
+ public void setNoOfRequiredAgents(int number) throws EBaseException;
+
+ /**
+ * Returns the current recovery identifier.
+ *
+ * @return recovery identifier
+ */
+ public String getRecoveryID();
+
+ /**
+ * Returns a list of recovery identifiers.
+ *
+ * @return list of auto recovery identifiers
+ */
+ public Enumeration<String> getAutoRecoveryIDs();
+
+ /**
+ * Returns the storage key unit that manages the
+ * stoarge key.
+ *
+ * @return storage key unit
+ */
+ public IStorageKeyUnit getStorageKeyUnit();
+
+ /**
+ * Returns the transport key unit that manages the
+ * transport key.
+ *
+ * @return transport key unit
+ */
+ public ITransportKeyUnit getTransportKeyUnit();
+
+ /**
+ * Returns the token that generates user key pairs for supporting server-side keygen
+ *
+ * @return keygen token
+ */
+ public CryptoToken getKeygenToken();
+
+ /**
+ * Adds entropy to the token used for supporting server-side keygen
+ * Parameters are set in the config file
+ *
+ * @param logflag create log messages at info level to report entropy shortage
+ */
+ public void addEntropy(boolean logflag);
+
+ /**
+ * Returns the request listener that listens on
+ * the request completion event.
+ *
+ * @return request listener
+ */
+ public IRequestListener getRequestInQListener();
+
+ /**
+ * Returns policy processor of the key recovery
+ * authority.
+ * @deprecated
+ * @return policy processor
+ */
+ public IPolicyProcessor getPolicyProcessor();
+
+ /**
+ * Returns the nickname of the transport certificate.
+ *
+ * @return transport certificate nickname.
+ */
+ public String getNickname();
+
+ /**
+ * Sets the nickname of the transport certificate.
+ *
+ * @param str nickname
+ */
+ public void setNickname(String str);
+
+ /**
+ * Returns the new nickname of the transport certifiate.
+ *
+ * @return new nickname
+ */
+ public String getNewNickName() throws EBaseException;
+
+ /**
+ * Sets the new nickname of the transport certifiate.
+ *
+ * @param name new nickname
+ */
+ public void setNewNickName(String name);
+
+ /**
+ * Logs event into key recovery authority logging.
+ *
+ * @param level log level
+ * @param msg log message
+ */
+ public void log(int level, String msg);
+
+ /**
+ * Creates a request object to store attributes that
+ * will not be serialized. Currently, request queue
+ * framework will try to serialize all the attribute into
+ * persistent storage. Things like passwords are not
+ * desirable to be stored.
+ *
+ * @param id request id
+ * @return volatile requests
+ */
+ public Hashtable<String, Object> createVolatileRequest(RequestId id);
+
+ /**
+ * Retrieves the request object.
+ *
+ * @param id request id
+ * @return volatile requests
+ */
+ public Hashtable<String, Object> getVolatileRequest(RequestId id);
+
+ /**
+ * Destroys the request object.
+ *
+ * @param id request id
+ */
+ public void destroyVolatileRequest(RequestId id);
+
+ public Vector<Credential> getAppAgents(
+ String recoveryID) throws EBaseException;
+
+ /**
+ * Creates error for a specific recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @param error error
+ * @exception EBaseException failed to create error
+ */
+ public void createError(String recoveryID, String error)
+ throws EBaseException;
+
+ /**
+ * Retrieves error by recovery identifier.
+ *
+ * @param recoveryID recovery id
+ * @return error message
+ */
+ public String getError(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Retrieves PKCS12 package by recovery identifier.
+ *
+ * @param recoveryID recovery id
+ * @return pkcs12 package in bytes
+ */
+ public byte[] getPk12(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Creates PKCS12 package in memory.
+ *
+ * @param recoveryID recovery id
+ * @param pk12 package in bytes
+ */
+ public void createPk12(String recoveryID, byte[] pk12)
+ throws EBaseException;
+
+ /**
+ * Retrieves the transport certificate.
+ */
+ public org.mozilla.jss.crypto.X509Certificate getTransportCert();
+}
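Review bot: `getAppAgents(String recoveryID)` is the only method in this interface without Javadoc, and it returns a `Vector<Credential>`, so its contract is the one a caller most needs spelled out. A summary such as `Returns the agent credentials associated with the given recovery operation` (to be confirmed against the implementation), with `@param recoveryID`, `@return` and `@exception EBaseException` tags, would match the neighbouring methods. The `createVolatileRequest` comment explains that passwords are kept out of persistent storage, but not who is responsible for calling `destroyVolatileRequest`. Stating that would make the lifetime of the in-memory secrets explicit.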
diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyService.java b/base/common/src/com/netscape/certsrv/kra/IKeyService.java
new file mode 100644
index 000000000..13748f2d1
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IKeyService.java
@@ -0,0 +1,179 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.math.BigInteger;
+import java.util.Hashtable;
+
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.security.Credential;
+
+/**
+ * An interface representing a recovery service.
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IKeyService {
+
+ /**
+ * Retrieves number of agent required to perform
+ * key recovery operation.
+ *
+ * @return number of required recovery agents
+ * @exception EBaseException failed to retrieve value
+ */
+ public int getNoOfRequiredAgents() throws EBaseException;
+
+ /**
+ * is async recovery request status APPROVED -
+ * i.e. all required # of recovery agents approved
+ *
+ * @param reqID request id
+ * @return true if # of recovery required agents approved; false otherwise
+ */
+ public boolean isApprovedAsyncKeyRecovery(String reqID)
+ throws EBaseException;
+
+ /**
+ * get async recovery request initiating agent
+ *
+ * @param reqID request id
+ * @return agentUID
+ */
+ public String getInitAgentAsyncKeyRecovery(String reqID)
+ throws EBaseException;
+
+ /**
+ * Initiate asynchronous key recovery
+ *
+ * @param kid key identifier
+ * @param cert certificate embedded in PKCS12
+ * @return requestId
+ * @exception EBaseException failed to initiate async recovery
+ */
+ public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, String agent)
+ throws EBaseException;
+
+ /**
+ * add approving agent in asynchronous key recovery
+ *
+ * @param reqID request id
+ * @param agentID agent id
+ * @exception EBaseException failed to initiate async recovery
+ */
+ public void addAgentAsyncKeyRecovery(String reqID, String agentID)
+ throws EBaseException;
+
+ /**
+ * Performs administrator-initiated key recovery.
+ *
+ * @param kid key identifier
+ * @param creds list of credentials (id and password)
+ * @param pwd password to protect PKCS12
+ * @param cert certificate embedded in PKCS12
+ * @param delivery delivery mechanism
+ * @return pkcs12
+ * @exception EBaseException failed to perform recovery
+ */
+ public byte[] doKeyRecovery(BigInteger kid,
+ Credential creds[], String pwd, X509CertImpl cert,
+ String delivery, String nickname, String agent) throws EBaseException;
+
+ /**
+ * Async Recovers key for administrators. This method is
+ * invoked by the agent operation of the key recovery servlet.
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST used whenever a user private key recovery request is
+ * made (this is when the DRM receives the request)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used whenever a user private key recovery
+ * request is processed (this is when the DRM processes the request)
+ * </ul>
+ *
+ * @param reqID request id
+ * @param password password of the PKCS12 package
+ * subsystem
+ * @exception EBaseException failed to recover key
+ * @return a byte array containing the key
+ */
+ public byte[] doKeyRecovery(
+ String reqID,
+ String password)
+ throws EBaseException;
+
+ /**
+ * Retrieves recovery identifier.
+ *
+ * @return recovery id
+ */
+ public String getRecoveryID();
+
+ /**
+ * Creates recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return recovery parameters
+ * @exception EBaseException failed to create
+ */
+ public Hashtable<String, Object> createRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Destroys recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @exception EBaseException failed to destroy
+ */
+ public void destroyRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Retrieves recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return recovery parameters
+ * @exception EBaseException failed to retrieve
+ */
+ public Hashtable<String, Object> getRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Adds password in the distributed recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @param uid agent uid
+ * @param pwd agent password
+ * @exception EBaseException failed to add
+ */
+ public void addDistributedCredential(String recoveryID,
+ String uid, String pwd) throws EBaseException;
+
+ /**
+ * Retrieves credentials in the distributed recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return agent's credentials
+ * @exception EBaseException failed to retrieve
+ */
+ public Credential[] getDistributedCredentials(String recoveryID)
+ throws EBaseException;
+}
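Review bot: Both `doKeyRecovery` overloads and `addDistributedCredential` take passwords as `String`, which cannot be cleared after use and can remain readable in heap dumps until collected. Changing signatures is out of scope for a file move, but the Javadoc could state this limitation, and a follow-up could add `char[]` overloads. The tags are also incomplete: `initAsyncKeyRecovery` lacks `@param agent`, and the seven-argument `doKeyRecovery` lacks `@param nickname` and `@param agent`. The stray line `subsystem` under `@param password` in the two-argument overload looks like a leftover from an earlier signature.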
diff --git a/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java b/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java
new file mode 100644
index 000000000..20ac336e5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java
@@ -0,0 +1,80 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.math.BigInteger;
+import java.util.Date;
+
+/**
+ * An interface represents a proof of archival.
+ * <P>
+ * Here is the ASN1 definition of a proof of escrow:
+ *
+ * <PRE>
+ * ProofOfArchival ::= SIGNED {
+ * SEQUENCE {
+ * version [0] Version DEFAULT v1,
+ * serialNumber INTEGER,
+ * subjectName Name,
+ * issuerName Name,
+ * dateOfArchival Time,
+ * extensions [1] Extensions OPTIONAL
+ * }
+ * }
+ * </PRE>
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IProofOfArchival {
+
+ /**
+ * Retrieves version of this proof.
+ *
+ * @return version
+ */
+ public BigInteger getVersion();
+
+ /**
+ * Retrieves the serial number.
+ *
+ * @return serial number
+ */
+ public BigInteger getSerialNumber();
+
+ /**
+ * Retrieves the subject name.
+ *
+ * @return subject name
+ */
+ public String getSubjectName();
+
+ /**
+ * Retrieves the issuer name.
+ *
+ * @return issuer name
+ */
+ public String getIssuerName();
+
+ /**
+ * Returns the beginning of the escrowed perioid.
+ *
+ * @return date of archival
+ */
+ public Date getDateOfArchival();
+}
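Review bot: `getDateOfArchival()` returns a `java.util.Date`, which is mutable, and the Javadoc does not say whether implementations hand out their internal instance. Because this value is a field of a signed structure, the comment should state the contract, e.g. `@return date of archival (a copy; modifying it does not affect this proof)`, once confirmed against `ProofOfArchival`. The summary line also has a typo: `perioid` should be `period`.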
diff --git a/base/common/src/com/netscape/certsrv/kra/IShare.java b/base/common/src/com/netscape/certsrv/kra/IShare.java
new file mode 100644
index 000000000..19e7d7ce2
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IShare.java
@@ -0,0 +1,33 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+/**
+ * Use Java's reflection API to leverage CMS's
+ * old Share and JoinShares implementations.
+ *
+ * @deprecated
+ * @version $Revision$ $Date$
+ */
+public interface IShare {
+
+ public void initialize(byte[] secret, int threshold) throws Exception;
+
+ public byte[] createShare(int sharenumber);
+
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/KRAResources.java b/base/common/src/com/netscape/certsrv/kra/KRAResources.java
new file mode 100644
index 000000000..14b686e63
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/KRAResources.java
@@ -0,0 +1,39 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.util.ListResourceBundle;
+
+/**
+ * A class represents a resource bundle for KRA subsystem.
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public class KRAResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ static final Object[][] contents = {
+ };
+}
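Review bot: `contents` is declared `static final Object[][]` with package visibility, so any class in `com.netscape.certsrv.kra` can write into the array that `getContents()` returns. Declaring it `private static final Object[][] contents = {};` keeps the behaviour with a narrower surface. The array is also empty, while `EKRAException` documents its `msgFormat` argument as a "constant from KRAResources"; if message lookup goes through this bundle (not visible here), it would find no keys. `getContents()` should also carry `@Override`.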
diff --git a/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java b/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java
new file mode 100644
index 000000000..df05c882f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java
@@ -0,0 +1,463 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Serializable;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Vector;
+
+import netscape.security.util.BigInt;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.X500Name;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.dbs.IDBObj;
+
+/**
+ * A class represents a proof of escrow. It indicates a key
+ * pairs have been escrowed by appropriate authority. The
+ * structure of this object is very similar (if not exact) to
+ * X.509 certificate. A proof of escrow is signed by an escrow
+ * authority. It is possible to have a CMS policy to reject
+ * the certificate issuance request if proof of escrow is not
+ * presented.
+ * <P>
+ * Here is the ASN1 definition of a proof of escrow:
+ *
+ * <PRE>
+ * ProofOfEscrow ::= SIGNED {
+ * SEQUENCE {
+ * version [0] Version DEFAULT v1,
+ * serialNumber INTEGER,
+ * subjectName Name,
+ * issuerName Name,
+ * dateOfArchival Time,
+ * extensions [1] Extensions OPTIONAL
+ * }
+ * }
+ * </PRE>
+ * <P>
+ *
+ * @author thomask
+ * @version $Revision$, $Date$
+ */
+public class ProofOfArchival implements IDBObj, IProofOfArchival, Serializable {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -2533562170977678799L;
+
+ /**
+ * Constants
+ */
+ public static final BigInteger DEFAULT_VERSION = new BigInteger("1");
+
+ public static final String ATTR_VERSION = "pofVersion";
+ public static final String ATTR_SERIALNO = "pofSerialNo";
+ public static final String ATTR_SUBJECT = "pofSubject";
+ public static final String ATTR_ISSUER = "pofIssuer";
+ public static final String ATTR_DATE_OF_ARCHIVAL = "pofDateOfArchival";
+
+ protected BigInteger mSerialNo = null;
+ protected BigInteger mVersion = null;
+ protected String mSubject = null;
+ protected String mIssuer = null;
+ protected Date mDateOfArchival = null;
+
+ protected static Vector<String> mNames = new Vector<String>();
+ static {
+ mNames.addElement(ATTR_VERSION);
+ mNames.addElement(ATTR_SERIALNO);
+ mNames.addElement(ATTR_SUBJECT);
+ mNames.addElement(ATTR_ISSUER);
+ mNames.addElement(ATTR_DATE_OF_ARCHIVAL);
+ }
+
+ /**
+ * Constructs a proof of escrow.
+ * <P>
+ *
+ * @param serialNo serial number of proof
+ * @param subject subject name
+ * @param issuer issuer name
+ * @param dateOfArchival date of archival
+ */
+ public ProofOfArchival(BigInteger serialNo, String subject,
+ String issuer, Date dateOfArchival) {
+ mVersion = DEFAULT_VERSION;
+ mSerialNo = serialNo;
+ mSubject = subject;
+ mIssuer = issuer;
+ mDateOfArchival = dateOfArchival;
+ }
+
+ /**
+ * Constructs proof of escrow from input stream.
+ * <P>
+ *
+ * @param in encoding source
+ * @exception EBaseException failed to decode
+ */
+ public ProofOfArchival(InputStream in) throws EBaseException {
+ decode(in);
+ }
+
+ /**
+ * Sets an attribute value.
+ * <P>
+ *
+ * @param name attribute name
+ * @param obj attribute value
+ * @exception EBaseException failed to set attribute
+ */
+ public void set(String name, Object obj) throws EBaseException {
+ if (name.equals(ATTR_VERSION)) {
+ mVersion = (BigInteger) obj;
+ } else if (name.equals(ATTR_SERIALNO)) {
+ mSerialNo = (BigInteger) obj;
+ } else if (name.equals(ATTR_SUBJECT)) {
+ mSubject = (String) obj;
+ } else if (name.equals(ATTR_ISSUER)) {
+ mIssuer = (String) obj;
+ } else if (name.equals(ATTR_DATE_OF_ARCHIVAL)) {
+ mDateOfArchival = (Date) obj;
+ } else {
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
+ }
+ }
+
+ /**
+ * Retrieves the value of an named attribute.
+ * <P>
+ *
+ * @param name attribute name
+ * @return attribute value
+ * @exception EBaseException failed to get attribute
+ */
+ public Object get(String name) throws EBaseException {
+ if (name.equals(ATTR_VERSION)) {
+ return mVersion;
+ } else if (name.equals(ATTR_SERIALNO)) {
+ return mSerialNo;
+ } else if (name.equals(ATTR_SUBJECT)) {
+ return mSubject;
+ } else if (name.equals(ATTR_ISSUER)) {
+ return mIssuer;
+ } else if (name.equals(ATTR_DATE_OF_ARCHIVAL)) {
+ return mDateOfArchival;
+ } else {
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
+ }
+ }
+
+ /**
+ * Deletes an attribute.
+ * <P>
+ *
+ * @param name attribute name
+ * @exception EBaseException failed to get attribute
+ */
+ public void delete(String name) throws EBaseException {
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
+ }
+
+ /**
+ * Retrieves a list of possible attribute names.
+ * <P>
+ *
+ * @return a list of names
+ */
+ public Enumeration<String> getElements() {
+ return mNames.elements();
+ }
+
+ /**
+ * Retrieves serializable attribute names.
+ *
+ * @return a list of serializable attribute names
+ */
+ public Enumeration<String> getSerializableAttrNames() {
+ return mNames.elements();
+ }
+
+ /**
+ * Retrieves version of this proof.
+ * <P>
+ *
+ * @return version
+ */
+ public BigInteger getVersion() {
+ return mVersion;
+ }
+
+ /**
+ * Retrieves the serial number.
+ * <P>
+ *
+ * @return serial number
+ */
+ public BigInteger getSerialNumber() {
+ return mSerialNo;
+ }
+
+ /**
+ * Retrieves the subject name.
+ * <P>
+ *
+ * @return subject name
+ */
+ public String getSubjectName() {
+ return mSubject;
+ }
+
+ /**
+ * Retrieves the issuer name.
+ * <P>
+ *
+ * @return issuer name
+ */
+ public String getIssuerName() {
+ return mIssuer;
+ }
+
+ /**
+ * Returns the beginning of the escrowed perioid.
+ * <P>
+ *
+ * @return date of archival
+ */
+ public Date getDateOfArchival() {
+ return mDateOfArchival;
+ }
+
+ /**
+ * Encodes this proof of escrow into the given
+ * output stream.
+ * <P>
+ */
+ public void encode(DerOutputStream out) throws EBaseException {
+ try {
+ DerOutputStream seq = new DerOutputStream();
+
+ // version (OPTIONAL)
+ if (!mVersion.equals(DEFAULT_VERSION)) {
+ DerOutputStream version = new DerOutputStream();
+
+ version.putInteger(new BigInt(mVersion));
+ seq.write(DerValue.createTag(
+ DerValue.TAG_CONTEXT, true, (byte) 0),
+ version);
+ }
+
+ // serial number
+ seq.putInteger(new BigInt(mSerialNo));
+
+ // subject name
+ new X500Name(mSubject).encode(seq);
+
+ // issuer name
+ new X500Name(mIssuer).encode(seq);
+
+ // issue date
+ seq.putUTCTime(mDateOfArchival);
+ out.write(DerValue.tag_Sequence, seq);
+
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED", e.toString()));
+ }
+ }
+
+ /**
+ * Encodes and signs this proof of escrow.
+ * <P>
+ */
+ public void encodeAndSign(PrivateKey key, String algorithm,
+ String provider, DerOutputStream out)
+ throws EBaseException {
+
+ try {
+ Signature sigEngine = null;
+
+ if (provider == null) {
+ sigEngine = Signature.getInstance(algorithm);
+ } else {
+ sigEngine = Signature.getInstance(algorithm,
+ provider);
+ }
+
+ sigEngine.initSign(key);
+ DerOutputStream tmp = new DerOutputStream();
+
+ encode(tmp);
+
+ AlgorithmId sigAlgId = AlgorithmId.get(
+ sigEngine.getAlgorithm());
+
+ sigAlgId.encode(tmp);
+ byte dataToSign[] = tmp.toByteArray();
+
+ sigEngine.update(dataToSign, 0, dataToSign.length);
+ byte signature[] = sigEngine.sign();
+
+ tmp.putBitString(signature);
+ out.write(DerValue.tag_Sequence, tmp);
+ return;
+ } catch (NoSuchAlgorithmException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (NoSuchProviderException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (InvalidKeyException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (SignatureException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ }
+ }
+
+ /**
+ * Decodes the input stream.
+ * <P>
+ */
+ public void decode(InputStream in) throws EBaseException {
+ try {
+ // POA is a SIGNED ASN.1 macro, a three element sequence:
+ // - Data to be signed (ToBeSigned) -- the "raw" data
+ // - Signature algorithm (SigAlgId)
+ // - The Signature bits
+
+ DerValue val = new DerValue(in);
+
+ DerValue seq[] = new DerValue[3];
+
+ seq[0] = val.data.getDerValue();
+ if (seq[0].tag == DerValue.tag_Sequence) {
+ // with signature
+ seq[1] = val.data.getDerValue();
+ seq[2] = val.data.getDerValue();
+ if (seq[1].data.available() != 0) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1",
+ "no algorithm found"));
+ }
+
+ if (seq[2].data.available() != 0) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1",
+ "no signature found"));
+ }
+
+ @SuppressWarnings("unused")
+ AlgorithmId algid = AlgorithmId.parse(seq[1]); // consume algid
+
+ @SuppressWarnings("unused")
+ byte signature[] = seq[2].getBitString(); // consume signature
+
+ decodePOA(val, null);
+ } else {
+ // without signature
+ decodePOA(val, seq[0]);
+ }
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", e.toString()));
+ }
+ }
+
+ /**
+ * Decodes proof of escrow.
+ * <P>
+ */
+ private void decodePOA(DerValue val, DerValue preprocessed)
+ throws EBaseException {
+ try {
+ DerValue tmp = null;
+
+ if (preprocessed == null) {
+ if (val.tag != DerValue.tag_Sequence) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1",
+ "not start with sequence"));
+ }
+ tmp = val.data.getDerValue();
+ } else {
+ tmp = preprocessed;
+ }
+
+ // version
+ if (tmp.isContextSpecific((byte) 0)) {
+ if (tmp.isConstructed() && tmp.isContextSpecific()) {
+ DerValue version = tmp.data.getDerValue();
+ BigInt ver = version.getInteger();
+
+ mVersion = ver.toBigInteger();
+ tmp = val.data.getDerValue();
+ }
+ } else {
+ mVersion = DEFAULT_VERSION;
+ }
+
+ // serial number
+ DerValue serialno = tmp;
+
+ mSerialNo = serialno.getInteger().toBigInteger();
+
+ // subject
+ DerValue subject = val.data.getDerValue();
+
+ // mSubject = new X500Name(subject); // doesnt work
+ mSubject = new String(subject.toByteArray());
+
+ // issuer
+ DerValue issuer = val.data.getDerValue();
+
+ mIssuer = new String(issuer.toByteArray());
+
+ // date of archival
+ mDateOfArchival = val.data.getUTCTime();
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", e.toString()));
+ }
+ }
+
+ /**
+ * Retrieves the string reprensetation of this
+ * proof of archival.
+ */
+ public String toString() {
+ return "Version: " + mVersion.toString() + "\n" +
+ "SerialNo: " + mSerialNo.toString() + "\n" +
+ "Subject: " + mSubject + "\n" +
+ "Issuer: " + mIssuer + "\n" +
+ "DateOfArchival: " + mDateOfArchival.toString();
+ }
+
+}
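Review bot: decode() reads the AlgorithmId and the signature bits only to consume them and never verifies the signature, and its else branch also accepts an unsigned encoding, so a ProofOfArchival built from an InputStream is unauthenticated data. The Javadoc of decode() and of the InputStream constructor should say so, for example `Parses the structure only; the signature is not verified, so callers must not treat the decoded fields as proof of escrow.` In the signed branch the two `available() != 0` guards look inverted for a populated AlgorithmId or BIT STRING. There, `decodePOA(val, null)` also reads from `val.data` after the three `getDerValue()` calls above have presumably drained it; `decodePOA(seq[0], null);` appears to be what was meant, but a round-trip test against encodeAndSign() is needed to confirm. encode() also reports IOException under the key `CMS_KRA_POA_DECODE_FAILED`, which differs from the `CMS_KRA_POA_ENCODE_FAILED_1` key used by encodeAndSign().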