Package org.dogtagpki.server.ca
Interface ICRLIssuingPoint
-
public interface ICRLIssuingPoint
This interface encapsulates the CRL issuing mechanism. CertificateAuthority contains a map of CRLIssuingPoint objects indexed by string ids. Each issuing point holds information about CRL issuing and publishing parameters as well as state information, which includes the last issued CRL, the next CRL number, the time of the next update, etc. If autoUpdateInterval is set to a non-zero value, a worker thread is created that performs the CRL update at scheduled intervals. An update can also be triggered by invoking the updateCRLNow method directly. Another parameter, minUpdateInterval, can be used to prevent the CRL from being updated too often.
- Version:
- $Revision$, $Date$
-
-
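The scheduling rules described above (a periodic autoUpdateInterval, a minUpdateInterval that rate-limits regeneration, and a manual update request that is honoured as soon as the rate limit allows), as an added illustration. This is example code written for this page, not Dogtag's CRLIssuingPoint implementation; the class name CrlUpdateScheduler, the use of java.time instead of Dogtag's millisecond longs, and the choice to defer (rather than reject) a manual request that arrives inside minUpdateInterval are all assumptions of the example.

```java
import java.time.Duration;
import java.time.Instant;

/**
 * Illustrative model of CRL update scheduling (example code, not Dogtag's
 * CRLIssuingPoint): autoUpdateInterval drives periodic generation,
 * minUpdateInterval is a floor between two generations, and a manual request
 * (compare setManualUpdate / updateCRLNow) runs no earlier than that floor.
 */
public final class CrlUpdateScheduler {

    private final Duration autoUpdateInterval; // zero = no automatic updates
    private final Duration minUpdateInterval;  // zero = no rate limit
    private Instant lastUpdate;                // thisUpdate of the last generated CRL
    private boolean manualUpdateRequested;

    public CrlUpdateScheduler(Duration autoUpdateInterval, Duration minUpdateInterval, Instant lastUpdate) {
        if (autoUpdateInterval.isNegative() || minUpdateInterval.isNegative()) {
            throw new IllegalArgumentException("intervals must not be negative");
        }
        this.autoUpdateInterval = autoUpdateInterval;
        this.minUpdateInterval = minUpdateInterval;
        this.lastUpdate = lastUpdate;
    }

    /** Flags a manual update; the scheduler decides when it may actually run. */
    public void requestManualUpdate() { manualUpdateRequested = true; }

    public boolean isManualUpdateSet() { return manualUpdateRequested; }

    /** Earliest instant at which any regeneration is allowed (the minUpdateInterval floor). */
    public Instant earliestAllowedUpdate() { return lastUpdate.plus(minUpdateInterval); }

    /** Next scheduled automatic update, or null when autoUpdateInterval is zero. */
    public Instant nextAutoUpdate() {
        return autoUpdateInterval.isZero() ? null : lastUpdate.plus(autoUpdateInterval);
    }

    /**
     * When the worker should next regenerate the CRL: a pending manual request as
     * soon as the rate limit allows, otherwise the automatic schedule, and in both
     * cases never before the minUpdateInterval floor. Null means nothing is scheduled.
     */
    public Instant nextUpdate() {
        Instant floor = earliestAllowedUpdate();
        Instant candidate = manualUpdateRequested ? floor : nextAutoUpdate();
        if (candidate == null) return null;
        return candidate.isBefore(floor) ? floor : candidate;
    }

    /** Worker-thread step: returns true if a CRL is generated at 'now' and records it. */
    public boolean tick(Instant now) {
        Instant due = nextUpdate();
        if (due == null || now.isBefore(due)) return false;
        lastUpdate = now;               // the new CRL's thisUpdate
        manualUpdateRequested = false;  // the manual request has been consumed
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: hourly CRLs, at most one every five minutes.
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");
        CrlUpdateScheduler s = new CrlUpdateScheduler(Duration.ofHours(1), Duration.ofMinutes(5), t0);

        // An agent asks for a manual update one second after the last CRL:
        // it is deferred to the floor, not run immediately.
        s.requestManualUpdate();
        System.out.println("manual update due at " + s.nextUpdate());                   // 00:05:00Z
        System.out.println("generated at +1s?  " + s.tick(t0.plusSeconds(1)));            // false
        System.out.println("generated at +5m?  " + s.tick(t0.plus(Duration.ofMinutes(5)))); // true

        // With the manual request consumed, the regular interval applies again.
        System.out.println("next auto update at " + s.nextUpdate());                     // 01:05:00Z
    }
}
```

The point worth keeping in mind when tuning these values on a real issuing point: minUpdateInterval also delays the CRL that carries a freshly revoked certificate, so it bounds how long a relying party keeps trusting a certificate the CA has already revoked.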
Nested Class Summary
Nested Classes
Modifier and Type  Interface  Description
static class
ICRLIssuingPoint.CRLIssuingPointStatus
-
Field Summary
Fields
Modifier and Type  Field  Description
static int
CRL_PUBLISHING_STARTED
static int
CRL_UPDATE_DONE
for manual updates - requested by agent
static int
CRL_UPDATE_STARTED
static java.lang.String
PROP_BEGIN_SERIAL
static java.lang.String
PROP_END_SERIAL
static java.lang.String
PROP_MIN_UPDATE_INTERVAL
static java.lang.String
PROP_PUBLISH_DN
static java.lang.String
PROP_PUBLISH_ON_START
static java.lang.String
SC_CRL_COUNT
static java.lang.String
SC_IS_DELTA_CRL
static java.lang.String
SC_ISSUING_POINT_ID
-
Method Summary
All Methods  Instance Methods  Abstract Methods
Modifier and Type  Method  Description
void
addExpiredCert(java.math.BigInteger serialNumber)
Adds expired and revoked certificate to delta-CRL cache.
void
addRevokedCert(java.math.BigInteger serialNumber, org.mozilla.jss.netscape.security.x509.RevokedCertImpl revokedCert)
Adds revoked certificate to delta-CRL cache.
void
addRevokedCert(java.math.BigInteger serialNumber, org.mozilla.jss.netscape.security.x509.RevokedCertImpl revokedCert, java.lang.String requestId)
Adds revoked certificate to delta-CRL cache.
void
addUnrevokedCert(java.math.BigInteger serialNumber)
Adds unrevoked certificate to delta-CRL cache.
void
addUnrevokedCert(java.math.BigInteger serialNumber, java.lang.String requestId)
Adds unrevoked certificate to delta-CRL cache.
boolean
areExpiredCertsIncluded()
Checks if expired certificates are included in CRL.
boolean
checkCurrentProfile(java.lang.String id)
Checks if CRL issuing point includes this profile.
void
clearCRLCache()
Clears CRL cache.
void
clearDeltaCRLCache()
Clears delta-CRL cache.
void
enableCRLIssuingPoint(boolean enable)
Enables or disables CRL issuing point according to parameter.
boolean
getAlwaysUpdate()
Returns true if CRL is updated for every change of revocation status of any certificate.
long
getAutoUpdateInterval()
Returns auto update interval in milliseconds.
ISubsystem
getCertificateAuthority()
Returns certificate authority.
ICMSCRLExtensions
getCRLExtensions()
Returns list of CRL extensions.
java.math.BigInteger
getCRLNumber()
Returns current CRL number of this CRL issuing point.
java.lang.String
getCrlPublishErrorStr()
Returns CRL publishing error.
java.lang.String
getCrlPublishStatusStr()
Returns CRL publishing status.
int
getCRLSchema()
Returns current CRL generation schema for this CRL issuing point.
long
getCRLSize()
Returns number of entries in the current CRL.
java.lang.String
getCrlUpdateErrorStr()
Returns CRL update error.
java.lang.String
getCrlUpdateStatusStr()
Returns CRL update status.
java.math.BigInteger
getDeltaCRLNumber()
Returns current delta CRL number of this CRL issuing point.
long
getDeltaCRLSize()
Returns number of entries in delta CRL.
java.lang.String
getDescription()
Returns internal description of this CRL issuing point.
java.lang.String
getFilter()
Returns filter used to build CRL based on information stored in local directory.
java.lang.String
getId()
Returns internal id of this CRL issuing point.
java.lang.String
getLastSigningAlgorithm()
Returns signing algorithm used in last signing operation.
java.util.Date
getLastUpdate()
Returns time of the last update.
java.math.BigInteger
getNextCRLNumber()
Returns next CRL number of this CRL issuing point.
java.util.Date
getNextDeltaUpdate()
Returns time of the next delta CRL update.
java.util.Date
getNextUpdate()
Returns time of the next update.
long
getNextUpdateGracePeriod()
Returns next update grace period in minutes.
int
getNumberOfRecentlyExpiredCerts()
Returns number of recently expired and revoked certificates.
int
getNumberOfRecentlyRevokedCerts()
Returns number of recently revoked certificates.
int
getNumberOfRecentlyUnrevokedCerts()
Returns number of recently unrevoked certificates.
java.lang.String
getPublishDN()
Returns DN of the directory entry where CRLs from this issuing point are published.
org.mozilla.jss.netscape.security.x509.CRLExtensions
getRequiredEntryExtensions(org.mozilla.jss.netscape.security.x509.CRLExtensions exts)
Converts list of extensions supplied by revocation request to list of extensions required to be placed in CRL.
java.util.Date
getRevocationDateFromCache(java.math.BigInteger serialNumber, boolean checkDeltaCache, boolean includeExpiredCerts)
Returns revocation date of the certificate, or null if the certificate is not listed as revoked.
java.util.Set<org.mozilla.jss.netscape.security.x509.RevokedCertificate>
getRevokedCertificates(int start, int end)
Returns all the revoked certificates from the CRL cache.
java.lang.String
getSigningAlgorithm()
Returns signing algorithm.
java.util.Vector<java.lang.Long>
getSplitTimes()
Returns split times from CRL generation.
void
init(ISubsystem ca, java.lang.String id, IConfigStore config)
Initializes CRL issuing point.
boolean
isCACertsOnly()
Checks if CRL includes CA certificates only.
boolean
isCRLCacheEmpty()
Returns true if CRL cache is empty.
boolean
isCRLCacheEnabled()
Returns true if CRL cache is enabled.
boolean
isCRLCacheTestingEnabled()
Returns true if CRL cache testing is enabled.
boolean
isCRLGenerationEnabled()
Returns true if CRL generation is enabled.
boolean
isCRLIssuingPointEnabled()
Returns true if CRL issuing point is enabled.
boolean
isCRLIssuingPointInitialized()
Returns CRL issuing point initialization status.
int
isCRLUpdateInProgress()
Returns status of CRL generation.
boolean
isDeltaCRLEnabled()
Returns true if delta-CRL is enabled.
boolean
isManualUpdateSet()
Checks if manual update is set.
boolean
isProfileCertsOnly()
Checks if CRL includes profile certificates only.
boolean
isThisCurrentDeltaCRL(org.mozilla.jss.netscape.security.x509.X509CRLImpl deltaCRL)
Returns true if supplied delta-CRL matches current delta-CRL.
void
processRevokedCerts(com.netscape.certsrv.dbs.IElementProcessor cp)
Builds a list of revoked certificates to put them into CRL.
void
setCancelCurFutureThisUpdateValue(boolean b)
void
setCustomFutureThisUpdateValue(java.util.Date futureThisUpdate)
Sets optional future thisUpdate value to go into the CRL.
void
setDescription(java.lang.String description)
Sets internal description of this CRL issuing point.
void
setManualUpdate(java.lang.String signatureAlgorithm)
Schedules immediate CRL manual-update and sets signature algorithm to be used for signing.
void
shutdown()
This method is called during shutdown.
boolean
updateConfig(com.netscape.certsrv.common.NameValuePairs params)
Updates issuing point configuration according to supplied data in name value pairs.
void
updateCRLCacheRepository()
Updates CRL cache into local directory.
void
updateCRLNow()
Generates CRL now based on cache, or on local directory if cache is not available.
void
updateCRLNow(java.lang.String signingAlgorithm)
Generates CRL now based on cache, or on local directory if cache is not available.
-
-
-
Field Detail
-
PROP_PUBLISH_DN
static final java.lang.String PROP_PUBLISH_DN
- See Also:
- Constant Field Values
-
PROP_PUBLISH_ON_START
static final java.lang.String PROP_PUBLISH_ON_START
- See Also:
- Constant Field Values
-
PROP_MIN_UPDATE_INTERVAL
static final java.lang.String PROP_MIN_UPDATE_INTERVAL
- See Also:
- Constant Field Values
-
PROP_BEGIN_SERIAL
static final java.lang.String PROP_BEGIN_SERIAL
- See Also:
- Constant Field Values
-
PROP_END_SERIAL
static final java.lang.String PROP_END_SERIAL
- See Also:
- Constant Field Values
-
SC_ISSUING_POINT_ID
static final java.lang.String SC_ISSUING_POINT_ID
- See Also:
- Constant Field Values
-
SC_IS_DELTA_CRL
static final java.lang.String SC_IS_DELTA_CRL
- See Also:
- Constant Field Values
-
SC_CRL_COUNT
static final java.lang.String SC_CRL_COUNT
- See Also:
- Constant Field Values
-
CRL_UPDATE_DONE
static final int CRL_UPDATE_DONE
for manual updates - requested by agent
- See Also:
- Constant Field Values
-
CRL_UPDATE_STARTED
static final int CRL_UPDATE_STARTED
- See Also:
- Constant Field Values
-
CRL_PUBLISHING_STARTED
static final int CRL_PUBLISHING_STARTED
- See Also:
- Constant Field Values
-
-
Method Detail
-
isCRLIssuingPointEnabled
boolean isCRLIssuingPointEnabled()
Returns true if CRL issuing point is enabled.
- Returns:
- true if CRL issuing point is enabled
-
isCRLGenerationEnabled
boolean isCRLGenerationEnabled()
Returns true if CRL generation is enabled.
- Returns:
- true if CRL generation is enabled
-
enableCRLIssuingPoint
void enableCRLIssuingPoint(boolean enable)
Enables or disables CRL issuing point according to parameter.
- Parameters:
enable
- if true enables CRL issuing point, otherwise disables it
-
getCrlUpdateStatusStr
java.lang.String getCrlUpdateStatusStr()
Returns CRL update status.
- Returns:
- CRL update status
-
getCrlUpdateErrorStr
java.lang.String getCrlUpdateErrorStr()
Returns CRL update error.
- Returns:
- CRL update error
-
getCrlPublishStatusStr
java.lang.String getCrlPublishStatusStr()
Returns CRL publishing status.
- Returns:
- CRL publishing status
-
getCrlPublishErrorStr
java.lang.String getCrlPublishErrorStr()
Returns CRL publishing error.
- Returns:
- CRL publishing error
-
isCRLIssuingPointInitialized
boolean isCRLIssuingPointInitialized()
Returns CRL issuing point initialization status.
- Returns:
- true if CRL issuing point has been successfully initialized, otherwise false.
-
isManualUpdateSet
boolean isManualUpdateSet()
Checks if manual update is set.
- Returns:
- true if manual update is set
-
areExpiredCertsIncluded
boolean areExpiredCertsIncluded()
Checks if expired certificates are included in CRL.
- Returns:
- true if expired certificates are included in CRL
-
isCACertsOnly
boolean isCACertsOnly()
Checks if CRL includes CA certificates only.
- Returns:
- true if CRL includes CA certificates only
-
isProfileCertsOnly
boolean isProfileCertsOnly()
Checks if CRL includes profile certificates only.
- Returns:
- true if CRL includes profile certificates only
-
checkCurrentProfile
boolean checkCurrentProfile(java.lang.String id)
Checks if CRL issuing point includes this profile.
- Parameters:
id
- profile id
- Returns:
- true if CRL issuing point includes this profile
-
init
void init(ISubsystem ca, java.lang.String id, IConfigStore config) throws EBaseException
Initializes CRL issuing point.
- Parameters:
ca
- certificate authority that holds CRL issuing point
id
- CRL issuing point id
config
- configuration sub-store for CRL issuing point
- Throws:
EBaseException
- thrown if initialization failed
-
shutdown
void shutdown()
This method is called during shutdown. It updates the CRL cache and stops the thread controlling CRL updates.
-
getId
java.lang.String getId()
Returns internal id of this CRL issuing point.
- Returns:
- internal id of this CRL issuing point
-
getDescription
java.lang.String getDescription()
Returns internal description of this CRL issuing point.
- Returns:
- internal description of this CRL issuing point
-
setDescription
void setDescription(java.lang.String description)
Sets internal description of this CRL issuing point.
- Parameters:
description
- description for this CRL issuing point.
-
getPublishDN
java.lang.String getPublishDN()
Returns DN of the directory entry where CRLs from this issuing point are published.
- Returns:
- DN of the directory entry where CRLs are published.
-
getSigningAlgorithm
java.lang.String getSigningAlgorithm()
Returns signing algorithm.
- Returns:
- signing algorithm
-
getLastSigningAlgorithm
java.lang.String getLastSigningAlgorithm()
Returns signing algorithm used in last signing operation.
- Returns:
- last signing algorithm
-
getCRLSchema
int getCRLSchema()
Returns current CRL generation schema for this CRL issuing point.
- Returns:
- current CRL generation schema for this CRL issuing point
-
getCRLNumber
java.math.BigInteger getCRLNumber()
Returns current CRL number of this CRL issuing point.
- Returns:
- current CRL number of this CRL issuing point
-
getDeltaCRLNumber
java.math.BigInteger getDeltaCRLNumber()
Returns current delta CRL number of this CRL issuing point.
- Returns:
- current delta CRL number of this CRL issuing point
-
getNextCRLNumber
java.math.BigInteger getNextCRLNumber()
Returns next CRL number of this CRL issuing point.
- Returns:
- next CRL number of this CRL issuing point
-
getCRLSize
long getCRLSize()
Returns number of entries in the current CRL.
- Returns:
- number of entries in the current CRL
-
getDeltaCRLSize
long getDeltaCRLSize()
Returns number of entries in delta CRL.
- Returns:
- number of entries in delta CRL
-
getLastUpdate
java.util.Date getLastUpdate()
Returns time of the last update.
- Returns:
- last CRL update time
-
getNextUpdate
java.util.Date getNextUpdate()
Returns time of the next update.
- Returns:
- next CRL update time
-
getNextDeltaUpdate
java.util.Date getNextDeltaUpdate()
Returns time of the next delta CRL update.
- Returns:
- next delta CRL update time
-
getRevokedCertificates
java.util.Set<org.mozilla.jss.netscape.security.x509.RevokedCertificate> getRevokedCertificates(int start, int end)
Returns all the revoked certificates from the CRL cache.
- Parameters:
start
- first requested CRL entry
end
- next after last requested CRL entry
- Returns:
- set of all the revoked certificates or null if there are none.
-
getCertificateAuthority
ISubsystem getCertificateAuthority()
Returns certificate authority.
- Returns:
- certificate authority
-
setManualUpdate
void setManualUpdate(java.lang.String signatureAlgorithm)
Schedules immediate CRL manual-update and sets signature algorithm to be used for signing.
- Parameters:
signatureAlgorithm
- signature algorithm to be used for signing
-
getAutoUpdateInterval
long getAutoUpdateInterval()
Returns auto update interval in milliseconds.
- Returns:
- auto update interval in milliseconds
-
getAlwaysUpdate
boolean getAlwaysUpdate()
Returns true if CRL is updated for every change of revocation status of any certificate.
- Returns:
- true if CRL update is always triggered by revocation operation
-
getNextUpdateGracePeriod
long getNextUpdateGracePeriod()
Returns next update grace period in minutes.
- Returns:
- next update grace period in minutes
-
getFilter
java.lang.String getFilter()
Returns filter used to build CRL based on information stored in local directory.
- Returns:
- filter used to search local directory
-
processRevokedCerts
void processRevokedCerts(com.netscape.certsrv.dbs.IElementProcessor cp) throws EBaseException
Builds a list of revoked certificates to put them into CRL. Calls certificate record processor to get necessary data from certificate records. This also regenerates CRL cache.
- Parameters:
cp
- certificate record processor
- Throws:
EBaseException
- if an error occurred in the database.
-
getRevocationDateFromCache
java.util.Date getRevocationDateFromCache(java.math.BigInteger serialNumber, boolean checkDeltaCache, boolean includeExpiredCerts)
Returns revocation date of the certificate, or null if the certificate is not listed as revoked.
- Parameters:
serialNumber
- serial number of certificate to be checked
checkDeltaCache
- true if the delta CRL cache is to be included in the check
includeExpiredCerts
- true if the delta CRL cache of expired certificates is to be included in the check
- Returns:
- revocation date of the certificate, or null
-
getSplitTimes
java.util.Vector<java.lang.Long> getSplitTimes()
Returns split times from CRL generation.
- Returns:
- split times from CRL generation in milliseconds
-
updateCRLNow
void updateCRLNow(java.lang.String signingAlgorithm) throws EBaseException
Generates CRL now based on cache, or on local directory if cache is not available. It also publishes CRL if it is required.
- Parameters:
signingAlgorithm
- signing algorithm to be used for CRL signing
- Throws:
EBaseException
- if an error occurred during CRL generation or publishing
-
clearCRLCache
void clearCRLCache()
Clears CRL cache
-
clearDeltaCRLCache
void clearDeltaCRLCache()
Clears delta-CRL cache
-
getNumberOfRecentlyRevokedCerts
int getNumberOfRecentlyRevokedCerts()
Returns number of recently revoked certificates.
- Returns:
- number of recently revoked certificates
-
getNumberOfRecentlyUnrevokedCerts
int getNumberOfRecentlyUnrevokedCerts()
Returns number of recently unrevoked certificates.
- Returns:
- number of recently unrevoked certificates
-
getNumberOfRecentlyExpiredCerts
int getNumberOfRecentlyExpiredCerts()
Returns number of recently expired and revoked certificates.
- Returns:
- number of recently expired and revoked certificates
-
getRequiredEntryExtensions
org.mozilla.jss.netscape.security.x509.CRLExtensions getRequiredEntryExtensions(org.mozilla.jss.netscape.security.x509.CRLExtensions exts)
Converts list of extensions supplied by revocation request to list of extensions required to be placed in CRL.
- Parameters:
exts
- list of extensions supplied by revocation request
- Returns:
- list of extensions required to be placed in CRL
-
addRevokedCert
void addRevokedCert(java.math.BigInteger serialNumber, org.mozilla.jss.netscape.security.x509.RevokedCertImpl revokedCert)
Adds revoked certificate to delta-CRL cache.
- Parameters:
serialNumber
- serial number of revoked certificate
revokedCert
- revocation information supplied by revocation request
-
addRevokedCert
void addRevokedCert(java.math.BigInteger serialNumber, org.mozilla.jss.netscape.security.x509.RevokedCertImpl revokedCert, java.lang.String requestId)
Adds revoked certificate to delta-CRL cache.
- Parameters:
serialNumber
- serial number of revoked certificate
revokedCert
- revocation information supplied by revocation request
requestId
- revocation request id
-
addUnrevokedCert
void addUnrevokedCert(java.math.BigInteger serialNumber)
Adds unrevoked certificate to delta-CRL cache.
- Parameters:
serialNumber
- serial number of unrevoked certificate
-
addUnrevokedCert
void addUnrevokedCert(java.math.BigInteger serialNumber, java.lang.String requestId)
Adds unrevoked certificate to delta-CRL cache.
- Parameters:
serialNumber
- serial number of unrevoked certificate
requestId
- unrevocation request id
-
addExpiredCert
void addExpiredCert(java.math.BigInteger serialNumber)
Adds expired and revoked certificate to delta-CRL cache.
- Parameters:
serialNumber
- serial number of expired and revoked certificate
-
updateCRLCacheRepository
void updateCRLCacheRepository()
Updates CRL cache into local directory.
-
updateConfig
boolean updateConfig(com.netscape.certsrv.common.NameValuePairs params)
Updates issuing point configuration according to supplied data in name value pairs.
- Parameters:
params
- name value pairs defining new issuing point configuration
- Returns:
- true if configuration is updated successfully
-
isDeltaCRLEnabled
boolean isDeltaCRLEnabled()
Returns true if delta-CRL is enabled.
- Returns:
- true if delta-CRL is enabled
-
isCRLCacheEnabled
boolean isCRLCacheEnabled()
Returns true if CRL cache is enabled.
- Returns:
- true if CRL cache is enabled
-
isCRLCacheEmpty
boolean isCRLCacheEmpty()
Returns true if CRL cache is empty.
- Returns:
- true if CRL cache is empty
-
isCRLCacheTestingEnabled
boolean isCRLCacheTestingEnabled()
Returns true if CRL cache testing is enabled.
- Returns:
- true if CRL cache testing is enabled
-
isThisCurrentDeltaCRL
boolean isThisCurrentDeltaCRL(org.mozilla.jss.netscape.security.x509.X509CRLImpl deltaCRL)
Returns true if supplied delta-CRL matches current delta-CRL.
- Parameters:
deltaCRL
- delta-CRL to verify against current delta-CRL
- Returns:
- true if supplied delta-CRL matches current delta-CRL
-
isCRLUpdateInProgress
int isCRLUpdateInProgress()
Returns status of CRL generation.
- Returns:
- one of the following according to CRL generation status: CRL_UPDATE_DONE, CRL_UPDATE_STARTED, or CRL_PUBLISHING_STARTED
-
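A health check built only on the status accessors documented on this page (isCRLIssuingPointEnabled, isCRLIssuingPointInitialized, getNextUpdate, getNextUpdateGracePeriod, isCRLUpdateInProgress, getCrlUpdateErrorStr, getCrlPublishErrorStr), added here as example code; it is not part of Dogtag. The nested CrlIssuingPointStatus interface is a stand-in declaring the same method names and return types as ICRLIssuingPoint so the example compiles without the Dogtag jars, the three status constants carry assumed values (the real ones are in ICRLIssuingPoint's constant field values), and the issuing point in main() is a constructed sample.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

/**
 * Operational check for a CRL issuing point (example code, not part of Dogtag).
 * The security point: a CRL whose nextUpdate plus grace period has passed is a
 * silent failure. Relying parties that fail closed reject every certificate from
 * the CA; relying parties that fail open keep accepting revoked ones.
 */
public final class CrlIssuingPointHealth {

    /** Stand-in for the subset of ICRLIssuingPoint this check uses (same names and types). */
    public interface CrlIssuingPointStatus {
        boolean isCRLIssuingPointEnabled();
        boolean isCRLIssuingPointInitialized();
        int isCRLUpdateInProgress();
        Date getLastUpdate();
        Date getNextUpdate();
        long getNextUpdateGracePeriod(); // minutes, as documented above
        String getCrlUpdateErrorStr();
        String getCrlPublishErrorStr();
    }

    // Assumed values for the example; Dogtag defines its own in ICRLIssuingPoint.
    public static final int CRL_UPDATE_DONE = 0;
    public static final int CRL_UPDATE_STARTED = 1;
    public static final int CRL_PUBLISHING_STARTED = 2;

    /** Returns the findings for the issuing point at 'now'; an empty list means healthy. */
    public static List<String> check(CrlIssuingPointStatus ip, Instant now) {
        List<String> findings = new ArrayList<>();
        if (!ip.isCRLIssuingPointEnabled()) {
            findings.add("issuing point disabled: no CRL will be generated");
            return findings;
        }
        if (!ip.isCRLIssuingPointInitialized()) {
            findings.add("issuing point not initialized");
            return findings;
        }

        Date next = ip.getNextUpdate();
        if (next == null) {
            findings.add("no nextUpdate recorded: no CRL has been generated yet");
        } else {
            // The grace period is the issuer's own allowance; past it the CRL is overdue.
            Instant deadline = next.toInstant().plus(Duration.ofMinutes(ip.getNextUpdateGracePeriod()));
            if (now.isAfter(deadline)) {
                Date last = ip.getLastUpdate();
                findings.add("CRL overdue: nextUpdate " + next.toInstant() + " plus grace period passed"
                        + (last == null ? "" : " (last update " + last.toInstant() + ")"));
            }
        }

        int state = ip.isCRLUpdateInProgress();
        if (state == CRL_UPDATE_STARTED) findings.add("CRL generation in progress");
        else if (state == CRL_PUBLISHING_STARTED) findings.add("CRL publishing in progress");

        addIfSet(findings, "last update error: ", ip.getCrlUpdateErrorStr());
        addIfSet(findings, "last publish error: ", ip.getCrlPublishErrorStr());
        return findings;
    }

    private static void addIfSet(List<String> out, String prefix, String value) {
        if (value != null && !value.isEmpty()) out.add(prefix + value);
    }

    public static void main(String[] args) {
        // Constructed sample: nextUpdate passed two hours ago, grace period 60 minutes,
        // and the last generation left an error string behind.
        final Instant now = Instant.parse("2024-01-01T12:00:00Z");
        CrlIssuingPointStatus sample = new CrlIssuingPointStatus() {
            public boolean isCRLIssuingPointEnabled() { return true; }
            public boolean isCRLIssuingPointInitialized() { return true; }
            public int isCRLUpdateInProgress() { return CRL_UPDATE_DONE; }
            public Date getLastUpdate() { return Date.from(now.minus(Duration.ofHours(26))); }
            public Date getNextUpdate() { return Date.from(now.minus(Duration.ofHours(2))); }
            public long getNextUpdateGracePeriod() { return 60; }
            public String getCrlUpdateErrorStr() { return "sample update error text (constructed)"; }
            public String getCrlPublishErrorStr() { return ""; }
        };
        for (String finding : check(sample, now)) {
            System.out.println("FINDING: " + finding);
        }
    }
}
```

Run it against the real issuing point by passing an adapter around the ICRLIssuingPoint instance; the in-progress states are reported as information only, because the interface exposes no start time for the running update, so a stuck update can only be inferred from repeated polls.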
updateCRLNow
void updateCRLNow() throws EBaseException
Generates CRL now based on cache, or on local directory if cache is not available. It also publishes CRL if it is required. CRL is signed with the default signing algorithm.
- Throws:
EBaseException
- if an error occurred during CRL generation or publishing
-
getCRLExtensions
ICMSCRLExtensions getCRLExtensions()
Returns list of CRL extensions.
- Returns:
- list of CRL extensions
-
setCustomFutureThisUpdateValue
void setCustomFutureThisUpdateValue(java.util.Date futureThisUpdate)
Sets optional future thisUpdate value to go into the CRL.
- Parameters:
futureThisUpdate
- future thisUpdate value to put into the CRL
-
setCancelCurFutureThisUpdateValue
void setCancelCurFutureThisUpdateValue(boolean b)
-
-