From 621d9e5c413e561293d7484b93882d985b3fe15f Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata
Date: Sat, 24 Mar 2012 02:27:47 -0500
Subject: Removed unnecessary pki folder.
Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level.
Ticket #131
---
.../src/com/netscape/certsrv/ca/CAResources.java | 42 ++
.../src/com/netscape/certsrv/ca/ECAException.java | 91 ++++
.../com/netscape/certsrv/ca/EErrorPublishCRL.java | 42 ++
.../src/com/netscape/certsrv/ca/ICAService.java | 90 ++++
.../com/netscape/certsrv/ca/ICMSCRLExtension.java | 72 +++
.../com/netscape/certsrv/ca/ICMSCRLExtensions.java | 56 +++
.../com/netscape/certsrv/ca/ICRLIssuingPoint.java | 543 +++++++++++++++++++++
.../netscape/certsrv/ca/ICertificateAuthority.java | 503 +++++++++++++++++++
8 files changed, 1439 insertions(+)
create mode 100644 base/common/src/com/netscape/certsrv/ca/CAResources.java
create mode 100644 base/common/src/com/netscape/certsrv/ca/ECAException.java
create mode 100644 base/common/src/com/netscape/certsrv/ca/EErrorPublishCRL.java
create mode 100644 base/common/src/com/netscape/certsrv/ca/ICAService.java
create mode 100644 base/common/src/com/netscape/certsrv/ca/ICMSCRLExtension.java
create mode 100644 base/common/src/com/netscape/certsrv/ca/ICMSCRLExtensions.java
create mode 100644 base/common/src/com/netscape/certsrv/ca/ICRLIssuingPoint.java
create mode 100644 base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
(limited to 'base/common/src/com/netscape/certsrv/ca')
diff --git a/base/common/src/com/netscape/certsrv/ca/CAResources.java b/base/common/src/com/netscape/certsrv/ca/CAResources.java
new file mode 100644
index 000000000..dfb72d57d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/CAResources.java
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+import java.util.ListResourceBundle;
+
+/**
+ * A class represents a resource bundle for CA subsystem.
+ *

+ *
+ * @version $Revision$ $Date$
+ */
+public class CAResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ /**
+ * Constants. The suffix represents the number of
+ * possible parameters.
+ */
+ static final Object[][] contents = {};
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/ECAException.java b/base/common/src/com/netscape/certsrv/ca/ECAException.java
new file mode 100644
index 000000000..a530b08a5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/ECAException.java
@@ -0,0 +1,91 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * A class represents a CA exception.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class ECAException extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -2963412888833532478L;
+ /**
+ * CA resource class name.
+ */
+ private static final String CA_RESOURCES = CAResources.class.getName();
+
+ /**
+ * Constructs a CA exception.
+ *

+ *
+ * @param msgFormat constant from CAResources.
+ */
+ public ECAException(String msgFormat) {
+ super(msgFormat);
+ }
+
+ /**
+ * Constructs a CA exception.
+ *

+ *
+ * @param msgFormat constant from CAResources.
+ * @param param additional parameters to the message.
+ */
+ public ECAException(String msgFormat, String param) {
+ super(msgFormat, param);
+ }
+
+ /**
+ * Constructs a CA exception.
+ *

+ *
+ * @param msgFormat constant from CAResources.
+ * @param e embedded exception.
+ */
+ public ECAException(String msgFormat, Exception e) {
+ super(msgFormat, e);
+ }
+
+ /**
+ * Constructs a CA exception.
+ *

+ *
+ * @param msgFormat constant from CAResources.
+ * @param params additional parameters to the message.
+ */
+ public ECAException(String msgFormat, Object params[]) {
+ super(msgFormat, params);
+ }
+
+ /**
+ * Returns the bundle file name.
+ *

+ *
+ * @return name of bundle class associated with this exception.
+ */
+ protected String getBundleName() {
+ return CA_RESOURCES;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/EErrorPublishCRL.java b/base/common/src/com/netscape/certsrv/ca/EErrorPublishCRL.java
new file mode 100644
index 000000000..b4c10a0c5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/EErrorPublishCRL.java
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+/**
+ * A class represents a CA exception associated with publishing error.
+ *

+ *
+ * @version $Revision$ $Date$
+ */
+public class EErrorPublishCRL extends ECAException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -5773392283237284399L;
+
+ /**
+ * Constructs a CA exception caused by publishing error.
+ *

+ *
+ * @param errorString Detailed error message.
+ */
+ public EErrorPublishCRL(String errorString) {
+ super(errorString);
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/ICAService.java b/base/common/src/com/netscape/certsrv/ca/ICAService.java
new file mode 100644
index 000000000..1edebcc8b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/ICAService.java
@@ -0,0 +1,90 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.connector.IConnector;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * An interface representing a CA request services.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICAService {
+
+ /**
+ * Marks certificate record as revoked by adding revocation information.
+ * Updates CRL cache.
+ *
+ * @param crlentry revocation information obtained from revocation request
+ * @exception EBaseException failed to mark certificate record as revoked
+ */
+ public void revokeCert(RevokedCertImpl crlentry)
+ throws EBaseException;
+
+ /**
+ * Marks certificate record as revoked by adding revocation information.
+ * Updates CRL cache.
+ *
+ * @param crlentry revocation information obtained from revocation request
+ * @param requestId revocation request id
+ * @exception EBaseException failed to mark certificate record as revoked
+ */
+ public void revokeCert(RevokedCertImpl crlentry, String requestId)
+ throws EBaseException;
+
+ /**
+ * Issues certificate base on enrollment information,
+ * creates certificate record, and stores all necessary data.
+ *
+ * @param certi information obtain from revocation request
+ * @exception EBaseException failed to issue certificate or create certificate record
+ */
+ public X509CertImpl issueX509Cert(X509CertInfo certi)
+ throws EBaseException;
+
+ public X509CertImpl issueX509Cert(X509CertInfo certi, String profileId, String rid)
+ throws EBaseException;
+
+ /**
+ * Services profile request.
+ *
+ * @param request profile enrollment request information
+ * @exception EBaseException failed to service profile enrollment request
+ */
+ public void serviceProfileRequest(IRequest request)
+ throws EBaseException;
+
+ /**
+ * Returns KRA-CA connector.
+ *
+ * @return KRA-CA connector
+ */
+ public IConnector getKRAConnector();
+
+ public void setKRAConnector(IConnector c);
+
+ public IConnector getConnector(IConfigStore cs) throws EBaseException;
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtension.java b/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtension.java
new file mode 100644
index 000000000..b3e94d02e
--- /dev/null
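Review bot: The Javadoc of `issueX509Cert(X509CertInfo certi)` tags its parameter as `@param certi information obtain from revocation request`, while the summary two lines above says the certificate is issued from enrollment information, so the tag contradicts the method it documents; `@param certi certificate information obtained from the enrollment request` matches the summary (and `base on` in that summary should read `based on`). The three-argument `issueX509Cert(X509CertInfo certi, String profileId, String rid)`, `setKRAConnector(IConnector c)` and `getConnector(IConfigStore cs)` have no Javadoc at all, unlike every other member of this interface. Since this is the public issuance contract, the meaning of `profileId` and `rid`, and which keys `getConnector` reads from `cs`, should be stated on the interface; the interface alone does not reveal them, so the implementation has to be consulted when writing those tags.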
+++ b/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtension.java
@@ -0,0 +1,72 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+import netscape.security.x509.Extension;
+
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.common.NameValuePairs;
+
+/**
+ * An interface representing a CRL extension plugin.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICMSCRLExtension {
+
+ /**
+ * Returns CRL extension OID string.
+ *
+ * @return OID of CRL extension
+ */
+ public String getCRLExtOID();
+
+ /**
+ * Sets extension criticality and returns extension
+ * with new criticality.
+ *
+ * @param ext CRL extension that will change criticality
+ * @param critical new criticality to be assigned to CRL extension
+ * @return extension with new criticality
+ */
+ Extension setCRLExtensionCriticality(Extension ext,
+ boolean critical);
+
+ /**
+ * Builds new CRL extension based on configuration data,
+ * issuing point information, and criticality.
+ *
+ * @param config configuration store
+ * @param crlIssuingPoint CRL issuing point
+ * @param critical criticality to be assigned to CRL extension
+ * @return extension new CRL extension
+ */
+ Extension getCRLExtension(IConfigStore config,
+ Object crlIssuingPoint,
+ boolean critical);
+
+ /**
+ * Reads configuration data and converts them to name value pairs.
+ *
+ * @param config configuration store
+ * @param nvp name value pairs obtained from configuration data
+ */
+ public void getConfigParams(IConfigStore config,
+ NameValuePairs nvp);
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtensions.java b/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtensions.java
new file mode 100644
index 000000000..6fa520fbf
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/ICMSCRLExtensions.java
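Review bot: `getCRLExtension(IConfigStore config, Object crlIssuingPoint, boolean critical)` types the issuing point as `Object`, although its `@param` calls it a "CRL issuing point" and this package declares `ICRLIssuingPoint`; every plugin therefore has to downcast, and a caller passing the wrong object is caught only at runtime. If all implementers really receive an `ICRLIssuingPoint` (not verifiable from this file), `Extension getCRLExtension(IConfigStore config, ICRLIssuingPoint crlIssuingPoint, boolean critical);` would make the contract checkable by the compiler; because this is a plugin interface, the change touches every existing extension class and is better done in its own ticket than folded into this move. As a point of style, two methods carry an explicit `public` and two do not, which is redundant on an interface either way; pick one form.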
@@ -0,0 +1,56 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.common.NameValuePairs;
+
+/**
+ * An interface representing a list of CRL extensions.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICMSCRLExtensions {
+
+ /**
+ * Updates configuration store for extension identified by id
+ * with data delivered in name value pairs.
+ *
+ * @param id extension id
+ * @param nvp name value pairs with new configuration data
+ * @param config configuration store
+ */
+ public void setConfigParams(String id, NameValuePairs nvp, IConfigStore config);
+
+ /**
+ * Reads configuration data and returns them as name value pairs.
+ *
+ * @param id extension id
+ * @return name value pairs with configuration data
+ */
+ public NameValuePairs getConfigParams(String id);
+
+ /**
+ * Returns class name with its path.
+ *
+ * @param name extension id
+ * @return class name with its path
+ */
+ public String getClassPath(String name);
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/ICRLIssuingPoint.java b/base/common/src/com/netscape/certsrv/ca/ICRLIssuingPoint.java
new file mode 100644
index 000000000..f317db9b1
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/ICRLIssuingPoint.java
@@ -0,0 +1,543 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+import java.math.BigInteger;
+import java.util.Date;
+import java.util.Set;
+import java.util.Vector;
+
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.RevokedCertificate;
+import netscape.security.x509.X509CRLImpl;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.dbs.IElementProcessor;
+
+/**
+ * This class encapsulates CRL issuing mechanism. CertificateAuthority
+ * contains a map of CRLIssuingPoint indexed by string ids. Each issuing
+ * point contains information about CRL issuing and publishing parameters
+ * as well as state information which includes last issued CRL, next CRL
+ * serial number, time of the next update etc.
+ * If autoUpdateInterval is set to non-zero value then worker thread
+ * is created that will perform CRL update at scheduled intervals. Update
+ * can also be triggered by invoking updateCRL method directly. Another
+ * parameter minUpdateInterval can be used to prevent CRL
+ * from being updated too often
+ *
+ * @version $Revision$, $Date$
+ */
+
+public interface ICRLIssuingPoint {
+
+ public static final String PROP_PUBLISH_DN = "publishDN";
+ public static final String PROP_PUBLISH_ON_START = "publishOnStart";
+ public static final String PROP_MIN_UPDATE_INTERVAL = "minUpdateInterval";
+ public static final String PROP_BEGIN_SERIAL = "crlBeginSerialNo";
+ public static final String PROP_END_SERIAL = "crlEndSerialNo";
+
+ public static final String SC_ISSUING_POINT_ID = "issuingPointId";
+ public static final String SC_IS_DELTA_CRL = "isDeltaCRL";
+ public static final String SC_CRL_COUNT = "crlCount";
+
+ /**
+ * for manual updates - requested by agent
+ */
+ public static final int CRL_UPDATE_DONE = 0;
+ public static final int CRL_UPDATE_STARTED = 1;
+ public static final int CRL_PUBLISHING_STARTED = 2;
+
+ public static final int CRL_IP_NOT_INITIALIZED = 0;
+ public static final int CRL_IP_INITIALIZED = 1;
+ public static final int CRL_IP_INITIALIZATION_FAILED = -1;
+
+ /**
+ * Returns true if CRL issuing point is enabled.
+ *
+ * @return true if CRL issuing point is enabled
+ */
+ public boolean isCRLIssuingPointEnabled();
+
+ /**
+ * Returns true if CRL generation is enabled.
+ *
+ * @return true if CRL generation is enabled
+ */
+ public boolean isCRLGenerationEnabled();
+
+ /**
+ * Enables or disables CRL issuing point according to parameter.
+ *
+ * @param enable if true enables CRL issuing point
+ */
+ public void enableCRLIssuingPoint(boolean enable);
+
+ /**
+ * Returns CRL update status.
+ *
+ * @return CRL update status
+ */
+ public String getCrlUpdateStatusStr();
+
+ /**
+ * Returns CRL update error.
+ *
+ * @return CRL update error
+ */
+ public String getCrlUpdateErrorStr();
+
+ /**
+ * Returns CRL publishing status.
+ *
+ * @return CRL publishing status
+ */
+ public String getCrlPublishStatusStr();
+
+ /**
+ * Returns CRL publishing error.
+ *
+ * @return CRL publishing error
+ */
+ public String getCrlPublishErrorStr();
+
+ /**
+ * Returns CRL issuing point initialization status.
+ *
+ * @return status of CRL issuing point initialization
+ */
+ public int isCRLIssuingPointInitialized();
+
+ /**
+ * Checks if manual update is set.
+ *
+ * @return true if manual update is set
+ */
+ public boolean isManualUpdateSet();
+
+ /**
+ * Checks if expired certificates are included in CRL.
+ *
+ * @return true if expired certificates are included in CRL
+ */
+ public boolean areExpiredCertsIncluded();
+
+ /**
+ * Checks if CRL includes CA certificates only.
+ *
+ * @return true if CRL includes CA certificates only
+ */
+ public boolean isCACertsOnly();
+
+ /**
+ * Checks if CRL includes profile certificates only.
+ *
+ * @return true if CRL includes profile certificates only
+ */
+ public boolean isProfileCertsOnly();
+
+ /**
+ * Checks if CRL issuing point includes this profile.
+ *
+ * @return true if CRL issuing point includes this profile
+ */
+ public boolean checkCurrentProfile(String id);
+
+ /**
+ * Initializes CRL issuing point.
+ *
+ * @param ca certificate authority that holds CRL issuing point
+ * @param id CRL issuing point id
+ * @param config configuration sub-store for CRL issuing point
+ * @exception EBaseException thrown if initialization failed
+ */
+ public void init(ISubsystem ca, String id, IConfigStore config)
+ throws EBaseException;
+
+ /**
+ * This method is called during shutdown.
+ * It updates CRL cache and stops thread controlling CRL updates.
+ */
+ public void shutdown();
+
+ /**
+ * Returns internal id of this CRL issuing point.
+ *
+ * @return internal id of this CRL issuing point
+ */
+ public String getId();
+
+ /**
+ * Returns internal description of this CRL issuing point.
+ *
+ * @return internal description of this CRL issuing point
+ */
+ public String getDescription();
+
+ /**
+ * Sets internal description of this CRL issuing point.
+ *
+ * @param description description for this CRL issuing point.
+ */
+ public void setDescription(String description);
+
+ /**
+ * Returns DN of the directory entry where CRLs from this issuing point
+ * are published.
+ *
+ * @return DN of the directory entry where CRLs are published.
+ */
+ public String getPublishDN();
+
+ /**
+ * Returns signing algorithm.
+ *
+ * @return signing algorithm
+ */
+ public String getSigningAlgorithm();
+
+ /**
+ * Returns signing algorithm used in last signing operation..
+ *
+ * @return last signing algorithm
+ */
+ public String getLastSigningAlgorithm();
+
+ /**
+ * Returns current CRL generation schema for this CRL issuing point.
+ *

+ *
+ * @return current CRL generation schema for this CRL issuing point
+ */
+ public int getCRLSchema();
+
+ /**
+ * Returns current CRL number of this CRL issuing point.
+ *
+ * @return current CRL number of this CRL issuing point
+ */
+ public BigInteger getCRLNumber();
+
+ /**
+ * Returns current delta CRL number of this CRL issuing point.
+ *

+ *
+ * @return current delta CRL number of this CRL issuing point
+ */
+ public BigInteger getDeltaCRLNumber();
+
+ /**
+ * Returns next CRL number of this CRL issuing point.
+ *
+ * @return next CRL number of this CRL issuing point
+ */
+ public BigInteger getNextCRLNumber();
+
+ /**
+ * Returns number of entries in the current CRL.
+ *
+ * @return number of entries in the current CRL
+ */
+ public long getCRLSize();
+
+ /**
+ * Returns number of entries in delta CRL
+ *
+ * @return number of entries in delta CRL
+ */
+ public long getDeltaCRLSize();
+
+ /**
+ * Returns time of the last update.
+ *
+ * @return last CRL update time
+ */
+ public Date getLastUpdate();
+
+ /**
+ * Returns time of the next update.
+ *
+ * @return next CRL update time
+ */
+ public Date getNextUpdate();
+
+ /**
+ * Returns time of the next delta CRL update.
+ *
+ * @return next delta CRL update time
+ */
+ public Date getNextDeltaUpdate();
+
+ /**
+ * Returns all the revoked certificates from the CRL cache.
+ *
+ * @param start first requested CRL entry
+ * @param end next after last requested CRL entry
+ * @return set of all the revoked certificates or null if there are none.
+ */
+ public Set getRevokedCertificates(int start, int end);
+
+ /**
+ * Returns certificate authority.
+ *
+ * @return certificate authority
+ */
+ public ISubsystem getCertificateAuthority();
+
+ /**
+ * Schedules immediate CRL manual-update
+ * and sets signature algorithm to be used for signing.
+ *
+ * @param signatureAlgorithm signature algorithm to be used for signing
+ */
+ public void setManualUpdate(String signatureAlgorithm);
+
+ /**
+ * Returns auto update interval in milliseconds.
+ *
+ * @return auto update interval in milliseconds
+ */
+ public long getAutoUpdateInterval();
+
+ /**
+ * Returns true if CRL is updated for every change
+ * of revocation status of any certificate.
+ *
+ * @return true if CRL update is always triggered by revocation operation
+ */
+ public boolean getAlwaysUpdate();
+
+ /**
+ * Returns next update grace period in minutes.
+ *
+ * @return next update grace period in minutes
+ */
+ public long getNextUpdateGracePeriod();
+
+ /**
+ * Returns filter used to build CRL based on information stored
+ * in local directory.
+ *
+ * @return filter used to search local directory
+ */
+ public String getFilter();
+
+ /**
+ * Builds a list of revoked certificates to put them into CRL.
+ * Calls certificate record processor to get necessary data
+ * from certificate records.
+ * This also regenerates CRL cache.
+ *
+ * @param cp certificate record processor
+ * @exception EBaseException if an error occurred in the database.
+ */
+ public void processRevokedCerts(IElementProcessor cp)
+ throws EBaseException;
+
+ /**
+ * Returns date of revoked certificate or null
+ * if certificated is not listed as revoked.
+ *
+ * @param serialNumber serial number of certificate to be checked
+ * @param checkDeltaCache true if delta CRL cache suppose to be
+ * included in checking process
+ * @param includeExpiredCerts true if delta CRL cache with expired
+ * certificates suppose to be included in checking process
+ * @return date of revoked certificate or null
+ */
+ public Date getRevocationDateFromCache(BigInteger serialNumber,
+ boolean checkDeltaCache,
+ boolean includeExpiredCerts);
+
+ /**
+ * Returns split times from CRL generation.
+ *
+ * @return split times from CRL generation in milliseconds
+ */
+ public Vector getSplitTimes();
+
+ /**
+ * Generates CRL now based on cache or local directory if cache
+ * is not available. It also publishes CRL if it is required.
+ *
+ * @param signingAlgorithm signing algorithm to be used for CRL signing
+ * @exception EBaseException if an error occurred during
+ * CRL generation or publishing
+ */
+ public void updateCRLNow(String signingAlgorithm)
+ throws EBaseException;
+
+ /**
+ * Clears CRL cache
+ */
+ public void clearCRLCache();
+
+ /**
+ * Clears delta-CRL cache
+ */
+ public void clearDeltaCRLCache();
+
+ /**
+ * Returns number of recently revoked certificates.
+ *
+ * @return number of recently revoked certificates
+ */
+ public int getNumberOfRecentlyRevokedCerts();
+
+ /**
+ * Returns number of recently unrevoked certificates.
+ *
+ * @return number of recently unrevoked certificates
+ */
+ public int getNumberOfRecentlyUnrevokedCerts();
+
+ /**
+ * Returns number of recently expired and revoked certificates.
+ *
+ * @return number of recently expired and revoked certificates
+ */
+ public int getNumberOfRecentlyExpiredCerts();
+
+ /**
+ * Converts list of extensions supplied by revocation request
+ * to list of extensions required to be placed in CRL.
+ *
+ * @param exts list of extensions supplied by revocation request
+ * @return list of extensions required to be placed in CRL
+ */
+ public CRLExtensions getRequiredEntryExtensions(CRLExtensions exts);
+
+ /**
+ * Adds revoked certificate to delta-CRL cache.
+ *
+ * @param serialNumber serial number of revoked certificate
+ * @param revokedCert revocation information supplied by revocation request
+ */
+ public void addRevokedCert(BigInteger serialNumber, RevokedCertImpl revokedCert);
+
+ /**
+ * Adds revoked certificate to delta-CRL cache.
+ *
+ * @param serialNumber serial number of revoked certificate
+ * @param revokedCert revocation information supplied by revocation request
+ * @param requestId revocation request id
+ */
+ public void addRevokedCert(BigInteger serialNumber, RevokedCertImpl revokedCert,
+ String requestId);
+
+ /**
+ * Adds unrevoked certificate to delta-CRL cache.
+ *
+ * @param serialNumber serial number of unrevoked certificate
+ */
+ public void addUnrevokedCert(BigInteger serialNumber);
+
+ /**
+ * Adds unrevoked certificate to delta-CRL cache.
+ *
+ * @param serialNumber serial number of unrevoked certificate
+ * @param requestId unrevocation request id
+ */
+ public void addUnrevokedCert(BigInteger serialNumber, String requestId);
+
+ /**
+ * Adds expired and revoked certificate to delta-CRL cache.
+ *
+ * @param serialNumber serial number of expired and revoked certificate
+ */
+ public void addExpiredCert(BigInteger serialNumber);
+
+ /**
+ * Updates CRL cache into local directory.
+ */
+ public void updateCRLCacheRepository();
+
+ /**
+ * Updates issuing point configuration according to supplied data
+ * in name value pairs.
+ *
+ * @param params name value pairs defining new issuing point configuration
+ * @return true if configuration is updated successfully
+ */
+ public boolean updateConfig(NameValuePairs params);
+
+ /**
+ * Returns true if delta-CRL is enabled.
+ *
+ * @return true if delta-CRL is enabled
+ */
+ public boolean isDeltaCRLEnabled();
+
+ /**
+ * Returns true if CRL cache is enabled.
+ *
+ * @return true if CRL cache is enabled
+ */
+ public boolean isCRLCacheEnabled();
+
+ /**
+ * Returns true if CRL cache is empty.
+ *
+ * @return true if CRL cache is empty
+ */
+ public boolean isCRLCacheEmpty();
+
+ /**
+ * Returns true if CRL cache testing is enabled.
+ *
+ * @return true if CRL cache testing is enabled
+ */
+ public boolean isCRLCacheTestingEnabled();
+
+ /**
+ * Returns true if supplied delta-CRL is matching current delta-CRL.
+ *
+ * @param deltaCRL delta-CRL to verify against current delta-CRL
+ * @return true if supplied delta-CRL is matching current delta-CRL
+ */
+ public boolean isThisCurrentDeltaCRL(X509CRLImpl deltaCRL);
+
+ /**
+ * Returns status of CRL generation.
+ *
+ * @return one of the following according to CRL generation status:
+ * CRL_UPDATE_DONE, CRL_UPDATE_STARTED, and CRL_PUBLISHING_STARTED
+ */
+ public int isCRLUpdateInProgress();
+
+ /**
+ * Generates CRL now based on cache or local directory if cache
+ * is not available. It also publishes CRL if it is required.
+ * CRL is signed by default signing algorithm.
+ *
+ * @exception EBaseException if an error occurred during
+ * CRL generation or publishing
+ */
+ public void updateCRLNow() throws EBaseException;
+
+ /**
+ * Returns list of CRL extensions.
+ *
+ * @return list of CRL extensions
+ */
+ public ICMSCRLExtensions getCRLExtensions();
+}
diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
new file mode 100644
index 000000000..25bc9cabe
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
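Review bot: `getRevokedCertificates(int start, int end)` returns a raw `Set` and `getSplitTimes()` a raw `Vector`, so every caller of this hunk's CRL cache API gets unchecked casts on what the Javadoc describes as revoked certificates and millisecond times. The file imports `netscape.security.x509.RevokedCertificate` but no method in the interface refers to it, which suggests the intended signature is `public Set<RevokedCertificate> getRevokedCertificates(int start, int end);` — this needs confirming against the implementation before changing, and `Vector<Long>` for the split times is only a reading of the `@return` text, so verify it the same way. `checkCurrentProfile(String id)` has a Javadoc without a `@param id` tag. `isCRLIssuingPointInitialized()` returns an `int` whose only meaningful values in this file are `CRL_IP_NOT_INITIALIZED`, `CRL_IP_INITIALIZED` and `CRL_IP_INITIALIZATION_FAILED`, yet its `@return` does not name them the way `isCRLUpdateInProgress()` names its `CRL_UPDATE_*` values; `@return one of CRL_IP_NOT_INITIALIZED, CRL_IP_INITIALIZED or CRL_IP_INITIALIZATION_FAILED` would make the two consistent.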
@@ -0,0 +1,503 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.ca;
+
+import java.util.Enumeration;
+
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
+import org.mozilla.jss.crypto.SignatureAlgorithm;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.base.Nonces;
+import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.dbs.crldb.ICRLRepository;
+import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository;
+import com.netscape.certsrv.policy.IPolicyProcessor;
+import com.netscape.certsrv.publish.IPublisherProcessor;
+import com.netscape.certsrv.request.IRequestListener;
+import com.netscape.certsrv.request.IRequestNotifier;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.certsrv.request.IService;
+import com.netscape.certsrv.security.ISigningUnit;
+
+/**
+ * An interface represents a Certificate Authority that is
+ * responsible for certificate specific operations.
+ *
+ *
+ * @version $Revision$, $Date$
+ */
+public interface ICertificateAuthority extends ISubsystem {
+
+ public static final String ID = "ca";
+
+ public static final String PROP_CERTDB_INC = "certdbInc";
+ public static final String PROP_CRLDB_INC = "crldbInc";
+ public static final String PROP_REGISTRATION = "Registration";
+ public static final String PROP_POLICY = "Policy";
+ public static final String PROP_GATEWAY = "gateway";
+ public static final String PROP_CLASS = "class";
+ public static final String PROP_TYPE = "type";
+ public static final String PROP_IMPL = "impl";
+ public static final String PROP_PLUGIN = "plugin";
+ public static final String PROP_INSTANCE = "instance";
+ public static final String PROP_LISTENER_SUBSTORE = "listener";
+ public final static String PROP_LDAP_PUBLISH_SUBSTORE = "ldappublish";
+ public final static String PROP_PUBLISH_SUBSTORE = "publish";
+ public final static String PROP_ENABLE_PUBLISH = "enablePublish";
+ public final static String PROP_ENABLE_LDAP_PUBLISH = "enableLdapPublish";
+
+ public final static String PROP_X509CERT_VERSION = "X509CertVersion";
+ public final static String PROP_ENABLE_PAST_CATIME = "enablePastCATime";
+ public final static String PROP_DEF_VALIDITY = "DefaultIssueValidity";
+ public final static String PROP_FAST_SIGNING = "fastSigning";
+ public static final String PROP_ENABLE_ADMIN_ENROLL =
+ "enableAdminEnroll";
+
+ public final static String PROP_CRL_SUBSTORE = "crl";
+ // make this public so agent gateway can access for now.
+ public final static String PROP_CRL_PAGE_SIZE = "pageSize";
+ public final static String PROP_MASTER_CRL = "MasterCRL";
+ public final static String PROP_CRLEXT_SUBSTORE = "extension";
+ public final static String PROP_ISSUING_CLASS =
+ "com.netscape.cmscore.ca.CRLIssuingPoint";
+ public final static String PROP_EXPIREDCERTS_CLASS =
+ "com.netscape.cmscore.ca.CRLWithExpiredCerts";
+
+ public final static String PROP_NOTIFY_SUBSTORE = "notification";
+ public final static String PROP_CERT_ISSUED_SUBSTORE = "certIssued";
+ public final static String PROP_CERT_REVOKED_SUBSTORE = "certRevoked";
+ public final static String PROP_REQ_IN_Q_SUBSTORE = "requestInQ";
+ public final static String PROP_PUB_QUEUE_SUBSTORE = "publishingQueue";
+
+ public final static String PROP_ISSUER_NAME = "name";
+ public final static String PROP_CA_NAMES = "CAs";
+ public final static String PROP_DBS_SUBSTORE = "dbs";
+ public final static String PROP_SIGNING_SUBSTORE = "signing";
+ public final static String PROP_CA_CHAIN_NUM = "certchainNum";
+ public final static String PROP_CA_CHAIN = "certchain";
+ public final static String PROP_CA_CERT = "cert";
+ public final static String PROP_ENABLE_OCSP = "ocsp";
+ public final static String PROP_OCSP_SIGNING_SUBSTORE = "ocsp_signing";
+ public final static String PROP_CRL_SIGNING_SUBSTORE = "crl_signing";
+ public final static String PROP_ID = "id";
+
+ public final static String PROP_CERTDB_TRANS_MAXRECORDS = "transitMaxRecords";
+ public final static String PROP_CERTDB_TRANS_PAGESIZE = "transitRecordPageSize";
+
+ /**
+ * Retrieves the certificate repository where all the locally
+ * issued certificates are kept.
+ *
+ * @return CA's certificate repository
+ */
+ public ICertificateRepository getCertificateRepository();
+
+ /**
+ * Retrieves the request queue of this certificate authority.
+ *
+ * @return CA's request queue
+ */
+ public IRequestQueue getRequestQueue();
+
+ /**
+ * Retrieves the policy processor of this certificate authority.
+ * @deprecated
+ * @return CA's policy processor
+ */
+ public IPolicyProcessor getPolicyProcessor();
+
+ public boolean noncesEnabled();
+
+ public Nonces getNonces();
+
+ /**
+ * Retrieves the publishing processor of this certificate authority.
+ *
+ * @return CA's publishing processor
+ */
+ public IPublisherProcessor getPublisherProcessor();
+
+ /**
+ * Retrieves the next available serial number.
+ *
+ * @return next available serial number
+ */
+ public String getStartSerial();
+
+ /**
+ * Sets the next available serial number.
+ *
+ * @param serial next available serial number
+ * @exception EBaseException failed to set next available serial number
+ */
+ public void setStartSerial(String serial) throws EBaseException;
+
+ /**
+ * Retrieves the last serial number that can be used for
+ * certificate issuance in this certificate authority.
+ *
+ * @return the last serial number
+ */
+ public String getMaxSerial();
+
+ /**
+ * Sets the last serial number that can be used for
+ * certificate issuance in this certificate authority.
+ *
+ * @param serial the last serial number
+ * @exception EBaseException failed to set the last serial number
+ */
+ public void setMaxSerial(String serial) throws EBaseException;
+
+ /**
+ * Retrieves the default signature algorithm of this certificate authority.
+ *
+ * @return the default signature algorithm of this CA
+ */
+ public SignatureAlgorithm getDefaultSignatureAlgorithm();
+
+ /**
+ * Retrieves the default signing algorithm of this certificate authority.
+ *
+ * @return the default signing algorithm of this CA
+ */
+ public String getDefaultAlgorithm();
+
+ /**
+ * Sets the default signing algorithm of this certificate authority.
+ *
+ * @param algorithm new default signing algorithm
+ * @exception EBaseException failed to set the default signing algorithm
+ */
+ public void setDefaultAlgorithm(String algorithm) throws EBaseException;
+
+ /**
+ * Retrieves the supported signing algorithms of this certificate authority.
+ *
+ * @return the supported signing algorithms of this CA
+ */
+ public String[] getCASigningAlgorithms();
+
+ /**
+ * Allows certificates to have validities that are longer
+ * than this certificate authority's.
+ *
+ * @param enableCAPast if equals "true", it allows certificates
+ * to have validity longer than CA's certificate validity
+ * @exception EBaseException failed to set above option
+ */
+ public void setValidity(String enableCAPast) throws EBaseException;
+
+ /**
+ * Retrieves the default validity period.
+ *
+ * @return the default validity length in days
+ */
+ public long getDefaultValidity();
+
+ /**
+ * Retrieves all the CRL issuing points.
+ *
+ * @return enumeration of all the CRL issuing points
+ */
+ public Enumeration getCRLIssuingPoints();
+
+ /**
+ * Retrieves CRL issuing point with the given identifier.
+ *
+ * @param id CRL issuing point id
+ * @return CRL issuing point with given id
+ */
+ public ICRLIssuingPoint getCRLIssuingPoint(String id);
+
+ /**
+ * Adds CRL issuing point with the given identifier and description.
+ *
+ * @param crlSubStore sub-store with all CRL issuing points
+ * @param id CRL issuing point id
+ * @param description CRL issuing point description
+ * @return true if CRL issuing point was successfully added
+ */
+ public boolean addCRLIssuingPoint(IConfigStore crlSubStore, String id,
+ boolean enable, String description);
+
+ /**
+ * Deletes CRL issuing point with the given identifier.
+ *
+ * @param crlSubStore sub-store with all CRL issuing points
+ * @param id CRL issuing point id
+ */
+ public void deleteCRLIssuingPoint(IConfigStore crlSubStore, String id);
+
+ /**
+ * Retrieves the CRL repository.
+ *
+ * @return CA's CRL repository
+ */
+ public ICRLRepository getCRLRepository();
+
+ /**
+ * Retrieves the Replica ID repository.
+ *
+ * @return CA's Replica ID repository
+ */
+ public IReplicaIDRepository getReplicaRepository();
+
+ /**
+ * Retrieves the request in queue listener.
+ *
+ * @return the request in queue listener
+ */
+ public IRequestListener getRequestInQListener();
+
+ /**
+ * Retrieves all request listeners.
+ *
+ * @return name enumeration of all request listeners
+ */
+ public Enumeration getRequestListenerNames();
+
+ /**
+ * Retrieves the request listener for issued certificates.
+ *
+ * @return the request listener for issued certificates
+ */
+ public IRequestListener getCertIssuedListener();
+
+ /**
+ * Retrieves the request listener for revoked certificates.
+ *
+ * @return the request listener for revoked certificates
+ */
+ public IRequestListener getCertRevokedListener();
+
+ /**
+ * Retrieves the CA certificate chain.
+ *
+ * @return the CA certificate chain
+ */
+ public CertificateChain getCACertChain();
+
+ /**
+ * Retrieves the CA certificate.
+ *
+ * @return the CA certificate
+ */
+ public org.mozilla.jss.crypto.X509Certificate getCaX509Cert();
+
+ /**
+ * Retrieves the CA certificate.
+ *
+ * @return the CA certificate
+ */
+ public X509CertImpl getCACert();
+
+ /**
+ * Updates the CRL immediately for MasterCRL issuing point if it exists.
+ *
+ * @exception EBaseException failed to create or publish CRL
+ */
+ public void updateCRLNow() throws EBaseException;
+
+ /**
+ * Publishes the CRL immediately for MasterCRL issuing point if it exists.
+ *
+ * @exception EBaseException failed to publish CRL
+ */
+ public void publishCRLNow() throws EBaseException;
+
+ /**
+ * Retrieves the signing unit that manages the CA signing key for
+ * signing certificates.
+ *
+ * @return the CA signing unit for certificates
+ */
+ public ISigningUnit getSigningUnit();
+
+ /**
+ * Retrieves the signing unit that manages the CA signing key for
+ * signing CRL.
+ *
+ * @return the CA signing unit for CRLs
+ */
+ public ISigningUnit getCRLSigningUnit();
+
+ /**
+ * Retrieves the signing unit that manages the CA signing key for
+ * signing OCSP response.
+ *
+ * @return the CA signing unit for OCSP responses
+ */
+ public ISigningUnit getOCSPSigningUnit();
+
+ /**
+ * Sets the maximium path length in the basic constraint extension.
+ *
+ * @param num the maximium path length
+ */
+ public void setBasicConstraintMaxLen(int num);
+
+ /**
+ * Is this a clone CA?
+ *
+ * @return true if this is a clone CA
+ */
+ public boolean isClone();
+
+ /**
+ * Retrieves the request listener by name.
+ *
+ * @param name request listener name
+ * @return the request listener
+ */
+ public IRequestListener getRequestListener(String name);
+
+ /**
+ * get request notifier
+ */
+ public IRequestNotifier getRequestNotifier();
+
+ /**
+ * Registers a request listener.
+ *
+ * @param listener request listener to be registered
+ */
+ public void registerRequestListener(IRequestListener listener);
+
+ /**
+ * Registers a request listener.
+ *
+ * @param name under request listener is going to be registered
+ * @param listener request listener to be registered
+ */
+ public void registerRequestListener(String name, IRequestListener listener);
+
+ /**
+ * Retrieves the issuer name of this certificate authority.
+ *
+ * @return the issuer name of this certificate authority
+ */
+ public X500Name getX500Name();
+
+ /**
+ * Retrieves the issuer name of this certificate authority issuing point.
+ *
+ * @return the issuer name of this certificate authority issuing point
+ */
+ public X500Name getCRLX500Name();
+
+ /**
+ * Signs the given CRL with the specific algorithm.
+ *
+ * @param crl CRL to be signed
+ * @param algname algorithm used for signing
+ * @return signed CRL
+ * @exception EBaseException failed to sign CRL
+ */
+ public X509CRLImpl sign(X509CRLImpl crl, String algname)
+ throws EBaseException;
+
+ /**
+ * Logs a message to this certificate authority.
+ *
+ * @param level logging level
+ * @param msg logged message
+ */
+ public void log(int level, String msg);
+
+ /**
+ * Returns the nickname for the CA signing certificate.
+ *
+ * @return the nickname for the CA signing certificate
+ */
+ public String getNickname();
+
+ /**
+ * Signs a X.509 certificate template.
+ *
+ * @param certInfo X.509 certificate template
+ * @param algname algorithm used for signing
+ * @return signed certificate
+ * @exception EBaseException failed to sign certificate
+ */
+ public X509CertImpl sign(X509CertInfo certInfo, String algname)
+ throws EBaseException;
+
+ /**
+ * Retrieves the default certificate version.
+ *
+ * @return the default version certificate
+ */
+ public CertificateVersion getDefaultCertVersion();
+
+ /**
+ * Is this CA allowed to issue certificate that has longer
+ * validty than the CA's.
+ *
+ * @return true if allows certificates to have validity longer than CA's
+ */
+ public boolean isEnablePastCATime();
+
+ /**
+ * Retrieves the CA service object that is responsible for
+ * processing requests.
+ *
+ * @return CA service object
+ */
+ public IService getCAService();
+
+ /**
+ * Returns the in-memory count of the processed OCSP requests.
+ *
+ * @return number of processed OCSP requests in memory
+ */
+ public long getNumOCSPRequest();
+
+ /**
+ * Returns the in-memory time (in mini-second) of
+ * the processed time for OCSP requests.
+ *
+ * @return processed times for OCSP requests
+ */
+ public long getOCSPRequestTotalTime();
+
+ /**
+ * Returns the in-memory time (in mini-second) of
+ * the signing time for OCSP requests.
+ *
+ * @return processed times for OCSP requests
+ */
+ public long getOCSPTotalSignTime();
+
+ /**
+ * Returns the total data signed
+ * for OCSP requests.
+ *
+ * @return processed times for OCSP requests
+ */
+ public long getOCSPTotalData();
+}
-- cgit
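Review bot: The Javadoc for `addCRLIssuingPoint` documents `crlSubStore`, `id` and `description` but omits the `enable` parameter that sits between them in the signature; add `@param enable whether the new issuing point is enabled on creation — confirm against the implementation`. In the same file `noncesEnabled()` and `getNonces()` carry no Javadoc at all, and the `@return` of `getOCSPTotalData()` repeats "processed times for OCSP requests" from the two timing getters above it even though its summary says it returns the total data signed (the two timing getters also say "mini-second" where "milliseconds" is presumably meant). `getCRLIssuingPoints()` and `getRequestListenerNames()` return raw `Enumeration`; going by their `@return` text, `Enumeration<ICRLIssuingPoint>` and `Enumeration<String>` would spare callers an unchecked cast. Both `sign(...)` overloads accept the signing algorithm as a free-form `algname`, so the Javadoc should state whether implementations are expected to reject names not returned by `getCASigningAlgorithms()`, and the `@deprecated` tag on `getPolicyProcessor()` should name its replacement.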