Interface ICertificateAuthority

  • All Superinterfaces:
    ISubsystem

    public interface ICertificateAuthority
    extends ISubsystem
    An interface representing a Certificate Authority, which is responsible for certificate-specific operations such as signing certificates and CRLs.

    Version:
    $Revision$, $Date$
    • Method Detail

      • getCertificateRepository

        ICertificateRepository getCertificateRepository()
        Retrieves the certificate repository where all the locally issued certificates are kept.
        Returns:
        CA's certificate repository
      • getRequestQueue

        IRequestQueue getRequestQueue()
        Retrieves the request queue of this certificate authority.
        Returns:
        CA's request queue
      • getPolicyProcessor

        IPolicyProcessor getPolicyProcessor()
        Retrieves the policy processor of this certificate authority.
        Returns:
        CA's policy processor
      • noncesEnabled

        boolean noncesEnabled()
      • getNonces

        java.util.Map<java.lang.Object,java.lang.Long> getNonces(javax.servlet.http.HttpServletRequest request,
                                                                       java.lang.String name)
      • getPublisherProcessor

        IPublisherProcessor getPublisherProcessor()
        Retrieves the publishing processor of this certificate authority.
        Returns:
        CA's publishing processor
      • getStartSerial

        java.lang.String getStartSerial()
        Retrieves the next available serial number.
        Returns:
        next available serial number
      • setStartSerial

        void setStartSerial(java.lang.String serial)
                     throws EBaseException
        Sets the next available serial number.
        Parameters:
        serial - next available serial number
        Throws:
        EBaseException - failed to set next available serial number
      • getMaxSerial

        java.lang.String getMaxSerial()
        Retrieves the last serial number that can be used for certificate issuance in this certificate authority.
        Returns:
        the last serial number
      • setMaxSerial

        void setMaxSerial(java.lang.String serial)
                   throws EBaseException
        Sets the last serial number that can be used for certificate issuance in this certificate authority.
        Parameters:
        serial - the last serial number
        Throws:
        EBaseException - failed to set the last serial number
      • getDefaultSignatureAlgorithm

        org.mozilla.jss.crypto.SignatureAlgorithm getDefaultSignatureAlgorithm()
        Retrieves the default signature algorithm of this certificate authority.
        Returns:
        the default signature algorithm of this CA
      • getDefaultAlgorithm

        java.lang.String getDefaultAlgorithm()
        Retrieves the default signing algorithm of this certificate authority.
        Returns:
        the default signing algorithm of this CA
      • setDefaultAlgorithm

        void setDefaultAlgorithm(java.lang.String algorithm)
                          throws EBaseException
        Sets the default signing algorithm of this certificate authority.
        Parameters:
        algorithm - new default signing algorithm
        Throws:
        EBaseException - failed to set the default signing algorithm
      • getCASigningAlgorithms

        java.lang.String[] getCASigningAlgorithms()
        Retrieves the supported signing algorithms of this certificate authority.
        Returns:
        the supported signing algorithms of this CA
      • setValidity

        void setValidity(java.lang.String enableCAPast)
                  throws EBaseException
        Allows certificates to have validity periods that extend beyond this certificate authority's own certificate validity.
        Parameters:
        enableCAPast - if equals "true", it allows certificates to have validity longer than CA's certificate validity
        Throws:
        EBaseException - failed to set above option
      • getDefaultValidity

        long getDefaultValidity()
        Retrieves the default validity period.
        Returns:
        the default validity length in days
      • getCRLIssuingPoints

        java.util.Enumeration<ICRLIssuingPoint> getCRLIssuingPoints()
        Retrieves all the CRL issuing points.
        Returns:
        enumeration of all the CRL issuing points
      • getCRLIssuingPoint

        ICRLIssuingPoint getCRLIssuingPoint(java.lang.String id)
        Retrieves CRL issuing point with the given identifier.
        Parameters:
        id - CRL issuing point id
        Returns:
        CRL issuing point with given id
      • addCRLIssuingPoint

        boolean addCRLIssuingPoint(IConfigStore crlSubStore,
                                   java.lang.String id,
                                   boolean enable,
                                   java.lang.String description)
        Adds a CRL issuing point with the given identifier and description.
        Parameters:
        crlSubStore - sub-store with all CRL issuing points
        id - CRL issuing point id
        enable - whether the new CRL issuing point is enabled
        description - CRL issuing point description
        Returns:
        true if CRL issuing point was successfully added
      • deleteCRLIssuingPoint

        void deleteCRLIssuingPoint(IConfigStore crlSubStore,
                                   java.lang.String id)
        Deletes the CRL issuing point with the given identifier.
        Parameters:
        crlSubStore - sub-store with all CRL issuing points
        id - CRL issuing point id
      • getCRLRepository

        ICRLRepository getCRLRepository()
        Retrieves the CRL repository.
        Returns:
        CA's CRL repository
      • getReplicaRepository

        IReplicaIDRepository getReplicaRepository()
        Retrieves the Replica ID repository.
        Returns:
        CA's Replica ID repository
      • getRequestInQListener

        IRequestListener getRequestInQListener()
        Retrieves the request in queue listener.
        Returns:
        the request in queue listener
      • getRequestListenerNames

        java.util.Enumeration<java.lang.String> getRequestListenerNames()
        Retrieves all request listeners.
        Returns:
        name enumeration of all request listeners
      • getCertIssuedListener

        IRequestListener getCertIssuedListener()
        Retrieves the request listener for issued certificates.
        Returns:
        the request listener for issued certificates
      • getCertRevokedListener

        IRequestListener getCertRevokedListener()
        Retrieves the request listener for revoked certificates.
        Returns:
        the request listener for revoked certificates
      • getCACertChain

        CertificateChain getCACertChain()
        Retrieves the CA certificate chain.
        Returns:
        the CA certificate chain
      • getCaX509Cert

        org.mozilla.jss.crypto.X509Certificate getCaX509Cert()
        Retrieves the CA certificate.
        Returns:
        the CA certificate
      • updateCRLNow

        void updateCRLNow()
                   throws EBaseException
        Updates the CRL immediately for MasterCRL issuing point if it exists.
        Throws:
        EBaseException - failed to create or publish CRL
      • publishCRLNow

        void publishCRLNow()
                    throws EBaseException
        Publishes the CRL immediately for MasterCRL issuing point if it exists.
        Throws:
        EBaseException - failed to publish CRL
      • getSigningUnit

        ISigningUnit getSigningUnit()
        Retrieves the signing unit that manages the CA signing key for signing certificates.
        Returns:
        the CA signing unit for certificates
      • getCRLSigningUnit

        ISigningUnit getCRLSigningUnit()
        Retrieves the signing unit that manages the CA signing key for signing CRL.
        Returns:
        the CA signing unit for CRLs
      • getOCSPSigningUnit

        ISigningUnit getOCSPSigningUnit()
        Retrieves the signing unit that manages the CA signing key for signing OCSP response.
        Returns:
        the CA signing unit for OCSP responses
      • setBasicConstraintMaxLen

        void setBasicConstraintMaxLen(int num)
        Sets the maximum path length in the basic constraints extension.
        Parameters:
        num - the maximum path length
      • isClone

        boolean isClone()
        Is this a clone CA?
        Returns:
        true if this is a clone CA
      • getRequestListener

        IRequestListener getRequestListener(java.lang.String name)
        Retrieves the request listener by name.
        Parameters:
        name - request listener name
        Returns:
        the request listener
      • getRequestNotifier

        IRequestNotifier getRequestNotifier()
        Retrieves the request notifier.
      • registerRequestListener

        void registerRequestListener(IRequestListener listener)
        Registers a request listener.
        Parameters:
        listener - request listener to be registered
      • registerRequestListener

        void registerRequestListener(java.lang.String name,
                                     IRequestListener listener)
        Registers a request listener under the given name.
        Parameters:
        name - name under which the request listener is registered
        listener - request listener to be registered
      • getX500Name

        X500Name getX500Name()
        Retrieves the issuer name of this certificate authority.
        Returns:
        the issuer name of this certificate authority
      • getCRLX500Name

        X500Name getCRLX500Name()
        Retrieves the issuer name used by this certificate authority's CRL issuing point.
        Returns:
        the issuer name used by this certificate authority's CRL issuing point
      • sign

        X509CRLImpl sign(X509CRLImpl crl,
                         java.lang.String algname)
                  throws EBaseException
        Signs the given CRL with the specified algorithm.
        Parameters:
        crl - CRL to be signed
        algname - algorithm used for signing
        Returns:
        signed CRL
        Throws:
        EBaseException - failed to sign CRL
      • log

        void log(int level,
                 java.lang.String msg)
        Logs a message to this certificate authority.
        Parameters:
        level - logging level
        msg - logged message
      • getNickname

        java.lang.String getNickname()
        Returns the nickname for the CA signing certificate.
        Returns:
        the nickname for the CA signing certificate
      • sign

        X509CertImpl sign(X509CertInfo certInfo,
                          java.lang.String algname)
                   throws EBaseException
        Signs an X.509 certificate template with the specified algorithm.
        Parameters:
        certInfo - X.509 certificate template
        algname - algorithm used for signing
        Returns:
        signed certificate
        Throws:
        EBaseException - failed to sign certificate
      • getDefaultCertVersion

        CertificateVersion getDefaultCertVersion()
        Retrieves the default certificate version.
        Returns:
        the default certificate version
      • isEnablePastCATime

        boolean isEnablePastCATime()
        Returns whether this CA is allowed to issue certificates whose validity extends beyond the CA's own certificate validity.
        Returns:
        true if certificates may have a validity longer than the CA's
      • getCAService

        IService getCAService()
        Retrieves the CA service object that is responsible for processing requests.
        Returns:
        CA service object
      • getDBSubsystem

        IDBSubsystem getDBSubsystem()
        Retrieves the DB subsystem managing internal data storage.
        Returns:
        DB subsystem object
      • getNumOCSPRequest

        long getNumOCSPRequest()
        Returns the in-memory count of the processed OCSP requests.
        Returns:
        number of processed OCSP requests in memory
      • getOCSPRequestTotalTime

        long getOCSPRequestTotalTime()
        Returns the in-memory total processing time (in milliseconds) for OCSP requests.
        Returns:
        total processing time for OCSP requests, in milliseconds
      • getOCSPTotalSignTime

        long getOCSPTotalSignTime()
        Returns the in-memory total signing time (in milliseconds) for OCSP requests.
        Returns:
        total signing time for OCSP requests, in milliseconds
      • getOCSPTotalData

        long getOCSPTotalData()
        Returns the total amount of data signed for OCSP requests.
        Returns:
        total amount of data signed for OCSP requests
      • getCAs

        java.util.List<ICertificateAuthority> getCAs()
        Enumerates all authorities, including the host authority.
      • isHostAuthority

        boolean isHostAuthority()
        Returns whether this CA is the host authority (as opposed to a lightweight authority).
      • getAuthorityID

        AuthorityID getAuthorityID()
        Retrieves the AuthorityID of this CA.
      • getAuthorityParentID

        AuthorityID getAuthorityParentID()
        Retrieves the AuthorityID of this CA's parent CA, if available.
      • getAuthorityEnabled

        boolean getAuthorityEnabled()
        Returns whether this CA is enabled.
      • isReady

        boolean isReady()
        Returns whether this CA is ready to perform signing operations.
      • ensureReady

        void ensureReady()
                  throws ECAException
        Throws an exception if this CA is not ready to perform signing operations.
        Throws:
        ECAException - the CA is not ready to perform signing operations
      • getAuthorityDescription

        java.lang.String getAuthorityDescription()
        Returns the CA description. May be null.
      • createSubCA

        ICertificateAuthority createSubCA(IAuthToken authToken,
                                          java.lang.String dn,
                                          java.lang.String desc)
                                   throws EBaseException
        Creates a new sub-CA IMMEDIATELY beneath this one. This method DOES NOT add the new CA to caMap; that is the caller's responsibility.
        Throws:
        EBaseException
      • modifyAuthority

        void modifyAuthority(java.lang.Boolean enabled,
                             java.lang.String desc)
                      throws EBaseException
        Updates the configurable attributes of this authority.
        Parameters:
        enabled - Whether CA is enabled or disabled
        desc - Description; null or empty removes it
        Throws:
        EBaseException
      • renewAuthority

        void renewAuthority(javax.servlet.http.HttpServletRequest httpReq)
                     throws EBaseException
        Renews the certificate of this CA.
        Throws:
        EBaseException
      • deleteAuthority

        void deleteAuthority(javax.servlet.http.HttpServletRequest httpReq)
                      throws EBaseException
        Deletes this lightweight CA.
        Throws:
        EBaseException
      • getIssuanceProtPubKey

        java.security.PublicKey getIssuanceProtPubKey()
        Retrieves the issuance protection public key.
      • getIssuanceProtPrivKey

        org.mozilla.jss.crypto.PrivateKey getIssuanceProtPrivKey()
        Retrieves the issuance protection private key.
      • getIssuanceProtCert

        org.mozilla.jss.crypto.X509Certificate getIssuanceProtCert()
        Retrieves the issuance protection certificate.