Interface IKeyRecoveryAuthority

  • All Superinterfaces:
    ISubsystem

    public interface IKeyRecoveryAuthority
    extends ISubsystem
    An interface represents key recovery authority. The key recovery authority is responsibile for archiving and recovering user encryption private keys.

    Version:
    $Revision$, $Date$
    • Method Summary

      All Methods Instance Methods Abstract Methods 
      Modifier and Type Method Description
      void addAutoRecovery​(java.lang.String id, com.netscape.certsrv.security.Credential[] creds)
      Adds credentials to the given authorizated recovery operation.
      void addEntropy​(boolean logflag)
      Adds entropy to the token used for supporting server-side keygen Parameters are set in the config file
      void createError​(java.lang.String recoveryID, java.lang.String error)
      Creates error for a specific recovery operation.
      void createPk12​(java.lang.String recoveryID, byte[] pk12)
      Creates PKCS12 package in memory.
      java.util.Hashtable<java.lang.String,​java.lang.Object> createVolatileRequest​(com.netscape.certsrv.request.RequestId id)
      Creates a request object to store attributes that will not be serialized.
      void destroyVolatileRequest​(com.netscape.certsrv.request.RequestId id)
      Destroys the request object.
      java.security.KeyPair generateKeyPair​(java.lang.String alg, int keySize, java.lang.String keyCurve, org.mozilla.jss.crypto.PQGParams pqg, org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usageList)
      Generate an asymmetric key pair.
      java.security.KeyPair generateKeyPair​(java.lang.String alg, int keySize, java.lang.String keyCurve, org.mozilla.jss.crypto.PQGParams pqg, org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usageList, boolean temporary)  
      java.util.Vector<com.netscape.certsrv.security.Credential> getAppAgents​(java.lang.String recoveryID)  
      java.util.Enumeration<java.lang.String> getAutoRecoveryIDs()
      Returns a list of recovery identifiers.
      boolean getAutoRecoveryState()
      Returns the current auto recovery state.
      java.lang.String getError​(java.lang.String recoveryID)
      Retrieves error by recovery identifier.
      org.mozilla.jss.crypto.CryptoToken getKeygenToken()
      Returns the token that generates user key pairs for supporting server-side keygen
      com.netscape.certsrv.dbs.keydb.IKeyRepository getKeyRepository()
      Retrieves the key repository.
      java.lang.String getNewNickName()
      Returns the new nickname of the transport certifiate.
      java.lang.String getNickname()
      Returns the nickname of the transport certificate.
      int getNoOfRequiredAgents()
      Returns the number of required agents.
      byte[] getPk12​(java.lang.String recoveryID)
      Retrieves PKCS12 package by recovery identifier.
      org.dogtagpki.legacy.policy.IPolicyProcessor getPolicyProcessor()
      Returns policy processor of the key recovery authority.
      java.lang.String getRecoveryID()
      Returns the current recovery identifier.
      com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository getReplicaRepository()
      Retrieves the Replica ID repository.
      com.netscape.certsrv.request.IRequestListener getRequestInQListener()
      Returns the request listener that listens on the request completion event.
      com.netscape.certsrv.request.IRequestQueue getRequestQueue()
      Retrieves KRA request repository.
      com.netscape.certsrv.security.IStorageKeyUnit getStorageKeyUnit()
      Returns the storage key unit that manages the stoarge key.
      org.mozilla.jss.crypto.X509Certificate getTransportCert()
      Retrieves the transport certificate.
      com.netscape.certsrv.security.ITransportKeyUnit getTransportKeyUnit()
      Returns the transport key unit that manages the transport key.
      java.util.Hashtable<java.lang.String,​java.lang.Object> getVolatileRequest​(com.netscape.certsrv.request.RequestId id)
      Retrieves the request object.
      org.mozilla.jss.netscape.security.x509.X500Name getX500Name()
      Returns the name of this subsystem.
      boolean isEphemeral​(java.lang.String realm)
      Are ephemeral requests enabled for SECURITY_DATA recovery and archival
      boolean isRetrievalSynchronous​(java.lang.String realm)
      Is the SECURITY_DATA retrieval synchronous?
      void log​(int level, java.lang.String msg)
      Logs event into key recovery authority logging.
      void processSynchronousRequest​(com.netscape.certsrv.request.IRequest request)
      Process synchronous archival and recovery requests
      void removeAutoRecovery​(java.lang.String id)
      Removes a particular auto recovery operation.
      boolean setAutoRecoveryState​(com.netscape.certsrv.security.Credential[] cs, boolean on)
      Enables the auto recovery state.
      void setNewNickName​(java.lang.String name)
      Sets the new nickname of the transport certifiate.
      void setNickname​(java.lang.String str)
      Sets the nickname of the transport certificate.
      void setNoOfRequiredAgents​(int number)
      Sets the number of required recovery agents
    • Method Detail

      • getX500Name

        org.mozilla.jss.netscape.security.x509.X500Name getX500Name()
        Returns the name of this subsystem.

        Returns:
        KRA name
      • getRequestQueue

        com.netscape.certsrv.request.IRequestQueue getRequestQueue()
        Retrieves KRA request repository.

        Returns:
        request repository
      • getKeyRepository

        com.netscape.certsrv.dbs.keydb.IKeyRepository getKeyRepository()
        Retrieves the key repository. The key repository stores archived keys.

      • getReplicaRepository

        com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository getReplicaRepository()
        Retrieves the Replica ID repository.
        Returns:
        KRA's Replica ID repository
      • setAutoRecoveryState

        boolean setAutoRecoveryState​(com.netscape.certsrv.security.Credential[] cs,
                                     boolean on)
        Enables the auto recovery state. Once KRA is in the auto recovery state, no recovery agents need to be present for providing credentials. This feature is for enabling user-based recovery operation.

        Parameters:
        cs - list of agent credentials
        on - true if auto recovery state is on
        Returns:
        current auto recovery state
      • getAutoRecoveryState

        boolean getAutoRecoveryState()
        Returns the current auto recovery state.
        Returns:
        true if auto recvoery state is on
      • addAutoRecovery

        void addAutoRecovery​(java.lang.String id,
                             com.netscape.certsrv.security.Credential[] creds)
        Adds credentials to the given authorizated recovery operation. In distributed recovery mode, recovery agent login to the agent interface and submit its credential for a particular recovery operation.
        Parameters:
        id - authorization identifier
        creds - list of credentials
      • removeAutoRecovery

        void removeAutoRecovery​(java.lang.String id)
        Removes a particular auto recovery operation.
        Parameters:
        id - authorization identifier
      • getNoOfRequiredAgents

        int getNoOfRequiredAgents()
                           throws EBaseException
        Returns the number of required agents. In M-out-of-N recovery schema, only M agents are required even there are N agents. This method returns M.
        Returns:
        number of required agents
        Throws:
        EBaseException
      • setNoOfRequiredAgents

        void setNoOfRequiredAgents​(int number)
                            throws EBaseException
        Sets the number of required recovery agents
        Parameters:
        number - number of agents
        Throws:
        EBaseException
      • getRecoveryID

        java.lang.String getRecoveryID()
        Returns the current recovery identifier.
        Returns:
        recovery identifier
      • getAutoRecoveryIDs

        java.util.Enumeration<java.lang.String> getAutoRecoveryIDs()
        Returns a list of recovery identifiers.
        Returns:
        list of auto recovery identifiers
      • getStorageKeyUnit

        com.netscape.certsrv.security.IStorageKeyUnit getStorageKeyUnit()
        Returns the storage key unit that manages the stoarge key.
        Returns:
        storage key unit
      • getTransportKeyUnit

        com.netscape.certsrv.security.ITransportKeyUnit getTransportKeyUnit()
        Returns the transport key unit that manages the transport key.
        Returns:
        transport key unit
      • getKeygenToken

        org.mozilla.jss.crypto.CryptoToken getKeygenToken()
        Returns the token that generates user key pairs for supporting server-side keygen
        Returns:
        keygen token
      • addEntropy

        void addEntropy​(boolean logflag)
        Adds entropy to the token used for supporting server-side keygen Parameters are set in the config file
        Parameters:
        logflag - create log messages at info level to report entropy shortage
      • getRequestInQListener

        com.netscape.certsrv.request.IRequestListener getRequestInQListener()
        Returns the request listener that listens on the request completion event.
        Returns:
        request listener
      • getPolicyProcessor

        org.dogtagpki.legacy.policy.IPolicyProcessor getPolicyProcessor()
        Returns policy processor of the key recovery authority.
        Returns:
        policy processor
      • getNickname

        java.lang.String getNickname()
        Returns the nickname of the transport certificate.
        Returns:
        transport certificate nickname.
      • setNickname

        void setNickname​(java.lang.String str)
        Sets the nickname of the transport certificate.
        Parameters:
        str - nickname
      • getNewNickName

        java.lang.String getNewNickName()
                                 throws EBaseException
        Returns the new nickname of the transport certifiate.
        Returns:
        new nickname
        Throws:
        EBaseException
      • setNewNickName

        void setNewNickName​(java.lang.String name)
        Sets the new nickname of the transport certifiate.
        Parameters:
        name - new nickname
      • log

        void log​(int level,
                 java.lang.String msg)
        Logs event into key recovery authority logging.
        Parameters:
        level - log level
        msg - log message
      • createVolatileRequest

        java.util.Hashtable<java.lang.String,​java.lang.Object> createVolatileRequest​(com.netscape.certsrv.request.RequestId id)
        Creates a request object to store attributes that will not be serialized. Currently, request queue framework will try to serialize all the attribute into persistent storage. Things like passwords are not desirable to be stored.
        Parameters:
        id - request id
        Returns:
        volatile requests
      • getVolatileRequest

        java.util.Hashtable<java.lang.String,​java.lang.Object> getVolatileRequest​(com.netscape.certsrv.request.RequestId id)
        Retrieves the request object.
        Parameters:
        id - request id
        Returns:
        volatile requests
      • destroyVolatileRequest

        void destroyVolatileRequest​(com.netscape.certsrv.request.RequestId id)
        Destroys the request object.
        Parameters:
        id - request id
      • getAppAgents

        java.util.Vector<com.netscape.certsrv.security.Credential> getAppAgents​(java.lang.String recoveryID)
                                                                         throws EBaseException
        Throws:
        EBaseException
      • createError

        void createError​(java.lang.String recoveryID,
                         java.lang.String error)
                  throws EBaseException
        Creates error for a specific recovery operation.
        Parameters:
        recoveryID - recovery id
        error - error
        Throws:
        EBaseException - failed to create error
      • getError

        java.lang.String getError​(java.lang.String recoveryID)
                           throws EBaseException
        Retrieves error by recovery identifier.
        Parameters:
        recoveryID - recovery id
        Returns:
        error message
        Throws:
        EBaseException
      • getPk12

        byte[] getPk12​(java.lang.String recoveryID)
                throws EBaseException
        Retrieves PKCS12 package by recovery identifier.
        Parameters:
        recoveryID - recovery id
        Returns:
        pkcs12 package in bytes
        Throws:
        EBaseException
      • createPk12

        void createPk12​(java.lang.String recoveryID,
                        byte[] pk12)
                 throws EBaseException
        Creates PKCS12 package in memory.
        Parameters:
        recoveryID - recovery id
        pk12 - package in bytes
        Throws:
        EBaseException
      • getTransportCert

        org.mozilla.jss.crypto.X509Certificate getTransportCert()
        Retrieves the transport certificate.
      • processSynchronousRequest

        void processSynchronousRequest​(com.netscape.certsrv.request.IRequest request)
                                throws EBaseException
        Process synchronous archival and recovery requests
        Throws:
        EBaseException
      • isEphemeral

        boolean isEphemeral​(java.lang.String realm)
        Are ephemeral requests enabled for SECURITY_DATA recovery and archival
        Parameters:
        realm - authz realm
      • isRetrievalSynchronous

        boolean isRetrievalSynchronous​(java.lang.String realm)
        Is the SECURITY_DATA retrieval synchronous?
        Parameters:
        realm -
      • generateKeyPair

        java.security.KeyPair generateKeyPair​(java.lang.String alg,
                                              int keySize,
                                              java.lang.String keyCurve,
                                              org.mozilla.jss.crypto.PQGParams pqg,
                                              org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usageList)
                                       throws EBaseException
        Generate an asymmetric key pair.
        Parameters:
        alg -
        keySize -
        keyCurve -
        pqg -
        usageList - - RSA only for now
        Returns:
        key pair
        Throws:
        EBaseException
      • generateKeyPair

        java.security.KeyPair generateKeyPair​(java.lang.String alg,
                                              int keySize,
                                              java.lang.String keyCurve,
                                              org.mozilla.jss.crypto.PQGParams pqg,
                                              org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usageList,
                                              boolean temporary)
                                       throws EBaseException
        Throws:
        EBaseException