Package org.dogtagpki.server.ca
Interface ICRLIssuingPoint
public interface ICRLIssuingPoint
This interface encapsulates the CRL issuing mechanism. CertificateAuthority
contains a map of CRLIssuingPoint instances indexed by string ids. Each issuing
point holds the CRL issuing and publishing parameters as well as state
information, which includes the last issued CRL, the next CRL serial number,
the time of the next update, and so on.
If autoUpdateInterval is set to a non-zero value, a worker thread is created
that performs the CRL update at scheduled intervals. An update can also be
triggered by invoking the updateCRL method directly. Another parameter,
minUpdateInterval, can be used to prevent the CRL from being updated too often.
- Version: $Revision$, $Date$
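The scheduling policy described above (a worker thread only when autoUpdateInterval is non-zero, a manual update scheduled through setManualUpdate, and minUpdateInterval as a floor between two updates), as an added illustrative model in Java. It is not Dogtag's code: the class CrlUpdateScheduler, its injectable clock, the numeric values of the three status constants and the default signing algorithm are assumptions; where the interface has a method of the same name, the model follows its documented meaning.

```java
import java.math.BigInteger;
import java.util.function.LongSupplier;

// Illustrative model of the ICRLIssuingPoint update policy; added example, not Dogtag's
// implementation. Status constant values and the default signing algorithm are assumptions.
public class CrlUpdateScheduler {
    public static final int CRL_UPDATE_DONE = 0;        // assumed value
    public static final int CRL_UPDATE_STARTED = 1;     // assumed value
    public static final int CRL_PUBLISHING_STARTED = 2; // assumed value

    private final long autoUpdateInterval; // ms between scheduled updates; 0 means no worker thread
    private final long minUpdateInterval;  // ms that must elapse after an update before the next one
    private final LongSupplier clock;      // epoch millis, injectable for deterministic tests
    private long lastUpdate = -1;          // -1 until the first CRL has been issued
    private BigInteger crlNumber = BigInteger.ZERO;
    private String lastSigningAlgorithm;
    private String manualSigningAlgorithm;
    private boolean manualUpdateSet;
    private int status = CRL_UPDATE_DONE;

    public CrlUpdateScheduler(long autoUpdateInterval, long minUpdateInterval, LongSupplier clock) {
        this.autoUpdateInterval = autoUpdateInterval;
        this.minUpdateInterval = minUpdateInterval;
        this.clock = clock;
    }

    /** Creates the worker thread only when autoUpdateInterval is non-zero. */
    public void start() {
        if (autoUpdateInterval <= 0) return;
        Thread worker = new Thread(this::runWorker, "crl-update-worker");
        worker.setDaemon(true);
        worker.start();
    }

    /** Milliseconds until an update is both due and permitted; 0 or less means now. Call while synchronized. */
    private long millisUntilAllowedUpdate() {
        long now = clock.getAsLong();
        if (lastUpdate < 0) return 0;                              // nothing issued yet
        long permitted = lastUpdate + minUpdateInterval;           // rate limit
        long due = manualUpdateSet ? now : lastUpdate + autoUpdateInterval;
        return Math.max(permitted, due) - now;
    }

    private void runWorker() {
        try {
            while (true) {
                String algorithm;
                synchronized (this) {
                    long delay;
                    while ((delay = millisUntilAllowedUpdate()) > 0) {
                        wait(delay);                               // woken early by setManualUpdate()
                    }
                    algorithm = manualSigningAlgorithm;
                }
                updateCRLNow(algorithm);
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    /** Issues a CRL now unless minUpdateInterval forbids it; returns false when suppressed. */
    public synchronized boolean updateCRLNow(String signingAlgorithm) {
        long now = clock.getAsLong();
        if (lastUpdate >= 0 && now - lastUpdate < minUpdateInterval) {
            return false;                                          // too soon; a pending manual request stays set
        }
        status = CRL_UPDATE_STARTED;
        crlNumber = crlNumber.add(BigInteger.ONE);                 // CRL numbers must increase monotonically
        lastSigningAlgorithm = signingAlgorithm != null ? signingAlgorithm : "SHA256withRSA"; // assumed default
        status = CRL_PUBLISHING_STARTED;                           // publishing to the directory would go here
        lastUpdate = now;
        manualUpdateSet = false;
        manualSigningAlgorithm = null;
        status = CRL_UPDATE_DONE;
        return true;
    }

    /** Schedules an immediate manual update; the worker still honours minUpdateInterval. */
    public synchronized void setManualUpdate(String signatureAlgorithm) {
        manualUpdateSet = true;
        manualSigningAlgorithm = signatureAlgorithm;
        notifyAll();
    }

    public synchronized boolean isManualUpdateSet() { return manualUpdateSet; }
    public synchronized int isCRLUpdateInProgress() { return status; }
    public synchronized BigInteger getCRLNumber() { return crlNumber; }
    public synchronized String getLastSigningAlgorithm() { return lastSigningAlgorithm; }

    public static void main(String[] args) throws InterruptedException {
        // Scheduled update every 200 ms, but never more often than once per 500 ms.
        CrlUpdateScheduler ip = new CrlUpdateScheduler(200, 500, System::currentTimeMillis);
        ip.start();
        Thread.sleep(50);                                          // the worker has issued the first CRL by now
        System.out.println("CRL number: " + ip.getCRLNumber());
        System.out.println("direct update accepted: " + ip.updateCRLNow("SHA384withRSA")); // suppressed by minUpdateInterval
        ip.setManualUpdate("SHA384withRSA");                       // carried out once the 500 ms have elapsed
        Thread.sleep(700);
        System.out.println("CRL number: " + ip.getCRLNumber() + ", algorithm: " + ip.getLastSigningAlgorithm());
    }
}
```

The two intervals pull in opposite directions: autoUpdateInterval bounds how stale a published CRL can become, while minUpdateInterval bounds how much signing and publishing work a burst of revocations (or of manual-update requests) can force on the CA. A manual request that arrives inside the window is not dropped; it stays set and the worker issues the CRL as soon as the window closes.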
Method Summary
- void addExpiredCert(BigInteger serialNumber): Adds expired and revoked certificate to delta-CRL cache.
- void addRevokedCert(BigInteger serialNumber, org.mozilla.jss.netscape.security.x509.RevokedCertImpl revokedCert): Adds revoked certificate to delta-CRL cache.
- void addRevokedCert(BigInteger serialNumber, org.mozilla.jss.netscape.security.x509.RevokedCertImpl revokedCert, String requestId): Adds revoked certificate to delta-CRL cache.
- void addUnrevokedCert(BigInteger serialNumber): Adds unrevoked certificate to delta-CRL cache.
- void addUnrevokedCert(BigInteger serialNumber, String requestId): Adds unrevoked certificate to delta-CRL cache.
- boolean areExpiredCertsIncluded(): Checks if expired certificates are included in CRL.
- boolean checkCurrentProfile: Checks if CRL issuing point includes this profile.
- void clearCRLCache(): Clears CRL cache.
- void clearDeltaCRLCache(): Clears delta-CRL cache.
- void enableCRLIssuingPoint(boolean enable): Enables or disables CRL issuing point according to parameter.
- boolean getAlwaysUpdate(): Returns true if CRL is updated for every change of revocation status of any certificate.
- long getAutoUpdateInterval(): Returns auto update interval in milliseconds.
- getCertificateAuthority(): Returns certificate authority.
- ICMSCRLExtensions getCRLExtensions(): Returns list of CRL extensions.
- BigInteger getCRLNumber(): Returns current CRL number of this CRL issuing point.
- getCrlPublishErrorStr(): Returns CRL publishing error.
- getCrlPublishStatusStr(): Returns CRL publishing status.
- int getCRLSchema(): Returns current CRL generation schema for this CRL issuing point.
- long getCRLSize(): Returns number of entries in the current CRL.
- getCrlUpdateErrorStr(): Returns CRL update error.
- getCrlUpdateStatusStr(): Returns CRL update status.
- BigInteger getDeltaCRLNumber(): Returns current delta CRL number of this CRL issuing point.
- long getDeltaCRLSize(): Returns number of entries in delta CRL.
- String getDescription(): Returns internal description of this CRL issuing point.
- String getFilter(): Returns filter used to build CRL based on information stored in local directory.
- String getId(): Returns internal id of this CRL issuing point.
- String getLastSigningAlgorithm(): Returns signing algorithm used in last signing operation.
- getLastUpdate(): Returns time of the last update.
- BigInteger getNextCRLNumber(): Returns next CRL number of this CRL issuing point.
- Date getNextDeltaUpdate(): Returns time of the next delta CRL update.
- getNextUpdate(): Returns time of the next update.
- long getNextUpdateGracePeriod(): Returns next update grace period in minutes.
- int getNumberOfRecentlyExpiredCerts(): Returns number of recently expired and revoked certificates.
- int getNumberOfRecentlyRevokedCerts(): Returns number of recently revoked certificates.
- int getNumberOfRecentlyUnrevokedCerts(): Returns number of recently unrevoked certificates.
- String getPublishDN(): Returns DN of the directory entry where CRLs from this issuing point are published.
- org.mozilla.jss.netscape.security.x509.CRLExtensions getRequiredEntryExtensions(org.mozilla.jss.netscape.security.x509.CRLExtensions exts): Converts list of extensions supplied by revocation request to list of extensions required to be placed in CRL.
- Date getRevocationDateFromCache(BigInteger serialNumber, boolean checkDeltaCache, boolean includeExpiredCerts): Returns date of revoked certificate, or null if the certificate is not listed as revoked.
- Set<org.mozilla.jss.netscape.security.x509.RevokedCertificate> getRevokedCertificates(int start, int end): Returns all the revoked certificates from the CRL cache.
- getSigningAlgorithm(): Returns signing algorithm.
- getSplitTimes(): Returns split times from CRL generation.
- void init(ISubsystem ca, String id, IConfigStore config): Initializes CRL issuing point.
- boolean isCACertsOnly(): Checks if CRL includes CA certificates only.
- boolean isCRLCacheEmpty(): Returns true if CRL cache is empty.
- boolean isCRLCacheEnabled(): Returns true if CRL cache is enabled.
- boolean isCRLCacheTestingEnabled(): Returns true if CRL cache testing is enabled.
- boolean isCRLGenerationEnabled(): Returns true if CRL generation is enabled.
- boolean isCRLIssuingPointEnabled(): Returns true if CRL issuing point is enabled.
- boolean isCRLIssuingPointInitialized(): Returns CRL issuing point initialization status.
- int isCRLUpdateInProgress(): Returns status of CRL generation.
- boolean isDeltaCRLEnabled(): Returns true if delta-CRL is enabled.
- boolean isManualUpdateSet(): Checks if manual update is set.
- boolean isProfileCertsOnly(): Checks if CRL includes profile certificates only.
- boolean isThisCurrentDeltaCRL(org.mozilla.jss.netscape.security.x509.X509CRLImpl deltaCRL): Returns true if supplied delta-CRL matches current delta-CRL.
- void processRevokedCerts: Builds a list of revoked certificates to put them into CRL (takes a certificate record processor cp).
- void setCancelCurFutureThisUpdateValue(boolean b)
- void setCustomFutureThisUpdateValue(Date futureThisUpdate): Sets the optional future thisUpdate value to go into the CRL.
- void setDescription(String description): Sets internal description of this CRL issuing point.
- void setManualUpdate(String signatureAlgorithm): Schedules immediate CRL manual-update and sets signature algorithm to be used for signing.
- void shutdown(): This method is called during shutdown.
- boolean updateConfig(NameValuePairs params): Updates issuing point configuration according to supplied data in name value pairs.
- void updateCRLCacheRepository(): Updates CRL cache into local directory.
- void updateCRLNow(): Generates CRL now based on cache, or local directory if cache is not available.
- void updateCRLNow(String signingAlgorithm): Generates CRL now based on cache, or local directory if cache is not available.
Field Details
- PROP_PUBLISH_DN
- PROP_PUBLISH_ON_START
- PROP_MIN_UPDATE_INTERVAL
- PROP_BEGIN_SERIAL
- PROP_END_SERIAL
- SC_ISSUING_POINT_ID
- SC_IS_DELTA_CRL
- SC_CRL_COUNT
- static final int CRL_UPDATE_DONE (for manual updates requested by agent)
- static final int CRL_UPDATE_STARTED
- static final int CRL_PUBLISHING_STARTED
Method Details

isCRLIssuingPointEnabled
boolean isCRLIssuingPointEnabled()
Returns true if CRL issuing point is enabled.
- Returns: true if CRL issuing point is enabled

isCRLGenerationEnabled
boolean isCRLGenerationEnabled()
Returns true if CRL generation is enabled.
- Returns: true if CRL generation is enabled

enableCRLIssuingPoint
void enableCRLIssuingPoint(boolean enable)
Enables or disables CRL issuing point according to parameter.
- Parameters:
  - enable: if true, enables CRL issuing point

getCrlUpdateStatusStr
Returns CRL update status.

getCrlUpdateErrorStr
Returns CRL update error.

getCrlPublishStatusStr
Returns CRL publishing status.

getCrlPublishErrorStr
Returns CRL publishing error.

isCRLIssuingPointInitialized
boolean isCRLIssuingPointInitialized()
Returns CRL issuing point initialization status.
- Returns: true if CRL issuing point has been successfully initialized, otherwise false

isManualUpdateSet
boolean isManualUpdateSet()
Checks if manual update is set.
- Returns: true if manual update is set

areExpiredCertsIncluded
boolean areExpiredCertsIncluded()
Checks if expired certificates are included in CRL.
- Returns: true if expired certificates are included in CRL

isCACertsOnly
boolean isCACertsOnly()
Checks if CRL includes CA certificates only.
- Returns: true if CRL includes CA certificates only

isProfileCertsOnly
boolean isProfileCertsOnly()
Checks if CRL includes profile certificates only.
- Returns: true if CRL includes profile certificates only

checkCurrentProfile
Checks if CRL issuing point includes this profile.
- Returns: true if CRL issuing point includes this profile

init
void init(ISubsystem ca, String id, IConfigStore config)
Initializes CRL issuing point.
- Parameters:
  - ca: certificate authority that holds CRL issuing point
  - id: CRL issuing point id
  - config: configuration sub-store for CRL issuing point
- Throws:
  - EBaseException: thrown if initialization failed

shutdown
void shutdown()
This method is called during shutdown. It updates CRL cache and stops the thread controlling CRL updates.

getId
String getId()
Returns internal id of this CRL issuing point.
- Returns: internal id of this CRL issuing point

getDescription
String getDescription()
Returns internal description of this CRL issuing point.
- Returns: internal description of this CRL issuing point

setDescription
void setDescription(String description)
Sets internal description of this CRL issuing point.
- Parameters:
  - description: description for this CRL issuing point

getPublishDN
String getPublishDN()
Returns DN of the directory entry where CRLs from this issuing point are published.
- Returns: DN of the directory entry where CRLs are published

getSigningAlgorithm
Returns signing algorithm.

getLastSigningAlgorithm
String getLastSigningAlgorithm()
Returns signing algorithm used in last signing operation.
- Returns: last signing algorithm

getCRLSchema
int getCRLSchema()
Returns current CRL generation schema for this CRL issuing point.
- Returns: current CRL generation schema for this CRL issuing point

getCRLNumber
BigInteger getCRLNumber()
Returns current CRL number of this CRL issuing point.
- Returns: current CRL number of this CRL issuing point

getDeltaCRLNumber
BigInteger getDeltaCRLNumber()
Returns current delta CRL number of this CRL issuing point.
- Returns: current delta CRL number of this CRL issuing point

getNextCRLNumber
BigInteger getNextCRLNumber()
Returns next CRL number of this CRL issuing point.
- Returns: next CRL number of this CRL issuing point

getCRLSize
long getCRLSize()
Returns number of entries in the current CRL.
- Returns: number of entries in the current CRL

getDeltaCRLSize
long getDeltaCRLSize()
Returns number of entries in delta CRL.
- Returns: number of entries in delta CRL

getLastUpdate
Returns time of the last update.

getNextUpdate
Returns time of the next update.

getNextDeltaUpdate
Date getNextDeltaUpdate()
Returns time of the next delta CRL update.
- Returns: next delta CRL update time

getRevokedCertificates
Set<org.mozilla.jss.netscape.security.x509.RevokedCertificate> getRevokedCertificates(int start, int end)
Returns all the revoked certificates from the CRL cache.
- Parameters:
  - start: first requested CRL entry
  - end: next after last requested CRL entry
- Returns: set of all the revoked certificates, or null if there are none

getCertificateAuthority
Returns certificate authority.

setManualUpdate
void setManualUpdate(String signatureAlgorithm)
Schedules immediate CRL manual-update and sets signature algorithm to be used for signing.
- Parameters:
  - signatureAlgorithm: signature algorithm to be used for signing

getAutoUpdateInterval
long getAutoUpdateInterval()
Returns auto update interval in milliseconds.
- Returns: auto update interval in milliseconds

getAlwaysUpdate
boolean getAlwaysUpdate()
Returns true if CRL is updated for every change of revocation status of any certificate.
- Returns: true if CRL update is always triggered by revocation operation

getNextUpdateGracePeriod
long getNextUpdateGracePeriod()
Returns next update grace period in minutes.
- Returns: next update grace period in minutes

getFilter
String getFilter()
Returns filter used to build CRL based on information stored in local directory.
- Returns: filter used to search local directory

processRevokedCerts
Builds a list of revoked certificates to put them into CRL. Calls certificate record processor to get necessary data from certificate records. This also regenerates CRL cache.
- Parameters:
  - cp: certificate record processor
- Throws:
  - EBaseException: if an error occurred in the database

getRevocationDateFromCache
Date getRevocationDateFromCache(BigInteger serialNumber, boolean checkDeltaCache, boolean includeExpiredCerts)
Returns date of revoked certificate, or null if the certificate is not listed as revoked.
- Parameters:
  - serialNumber: serial number of certificate to be checked
  - checkDeltaCache: true if delta CRL cache is to be included in the check
  - includeExpiredCerts: true if delta CRL cache with expired certificates is to be included in the check
- Returns: date of revoked certificate or null

getSplitTimes
Returns split times from CRL generation.

updateCRLNow
void updateCRLNow(String signingAlgorithm)
Generates CRL now based on cache, or local directory if cache is not available. It also publishes CRL if it is required.
- Parameters:
  - signingAlgorithm: signing algorithm to be used for CRL signing
- Throws:
  - EBaseException: if an error occurred during CRL generation or publishing

clearCRLCache
void clearCRLCache()
Clears CRL cache.

clearDeltaCRLCache
void clearDeltaCRLCache()
Clears delta-CRL cache.

getNumberOfRecentlyRevokedCerts
int getNumberOfRecentlyRevokedCerts()
Returns number of recently revoked certificates.
- Returns: number of recently revoked certificates

getNumberOfRecentlyUnrevokedCerts
int getNumberOfRecentlyUnrevokedCerts()
Returns number of recently unrevoked certificates.
- Returns: number of recently unrevoked certificates

getNumberOfRecentlyExpiredCerts
int getNumberOfRecentlyExpiredCerts()
Returns number of recently expired and revoked certificates.
- Returns: number of recently expired and revoked certificates

getRequiredEntryExtensions
org.mozilla.jss.netscape.security.x509.CRLExtensions getRequiredEntryExtensions(org.mozilla.jss.netscape.security.x509.CRLExtensions exts)
Converts list of extensions supplied by revocation request to list of extensions required to be placed in CRL.
- Parameters:
  - exts: list of extensions supplied by revocation request
- Returns: list of extensions required to be placed in CRL

addRevokedCert
void addRevokedCert(BigInteger serialNumber, org.mozilla.jss.netscape.security.x509.RevokedCertImpl revokedCert)
Adds revoked certificate to delta-CRL cache.
- Parameters:
  - serialNumber: serial number of revoked certificate
  - revokedCert: revocation information supplied by revocation request

addRevokedCert
void addRevokedCert(BigInteger serialNumber, org.mozilla.jss.netscape.security.x509.RevokedCertImpl revokedCert, String requestId)
Adds revoked certificate to delta-CRL cache.
- Parameters:
  - serialNumber: serial number of revoked certificate
  - revokedCert: revocation information supplied by revocation request
  - requestId: revocation request id

addUnrevokedCert
void addUnrevokedCert(BigInteger serialNumber)
Adds unrevoked certificate to delta-CRL cache.
- Parameters:
  - serialNumber: serial number of unrevoked certificate

addUnrevokedCert
void addUnrevokedCert(BigInteger serialNumber, String requestId)
Adds unrevoked certificate to delta-CRL cache.
- Parameters:
  - serialNumber: serial number of unrevoked certificate
  - requestId: unrevocation request id

addExpiredCert
void addExpiredCert(BigInteger serialNumber)
Adds expired and revoked certificate to delta-CRL cache.
- Parameters:
  - serialNumber: serial number of expired and revoked certificate
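The cache behaviour behind getRevocationDateFromCache and the addRevokedCert, addUnrevokedCert and addExpiredCert entries above, as an added illustrative model in Java. It is not Dogtag's code: the class DeltaCrlCache, its separate maps for recently revoked, unrevoked and expired certificates, the foldDeltaIntoFullCrl step that applies the delta when a full CRL is issued, and the sample serial numbers and date are all assumptions; a revocation date is passed in place of the RevokedCertImpl the interface takes.

```java
import java.math.BigInteger;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Illustrative model of the CRL cache and delta-CRL cache; added example, not Dogtag's code.
// The full-CRL cache holds what the last issued full CRL listed; the delta cache holds the
// changes recorded since then. Folding the delta into the full cache is this model's assumption.
public class DeltaCrlCache {
    private final Map<BigInteger, Date> crlCache = new HashMap<>();         // entries of the current full CRL
    private final Map<BigInteger, Date> recentlyRevoked = new HashMap<>();  // delta: newly revoked
    private final Set<BigInteger> recentlyUnrevoked = new HashSet<>();      // delta: released from hold
    private final Map<BigInteger, Date> recentlyExpired = new HashMap<>();  // delta: revoked certs that expired

    /** Records a revocation; a later revocation supersedes an earlier unrevocation of the same serial. */
    public void addRevokedCert(BigInteger serialNumber, Date revocationDate) {
        recentlyUnrevoked.remove(serialNumber);
        recentlyRevoked.put(serialNumber, revocationDate);
    }

    /** Records that a certificate on hold was released; supersedes an earlier delta revocation. */
    public void addUnrevokedCert(BigInteger serialNumber) {
        recentlyRevoked.remove(serialNumber);
        recentlyUnrevoked.add(serialNumber);
    }

    /** Moves a revoked certificate that has expired out of the CRL entries into the expired set. */
    public void addExpiredCert(BigInteger serialNumber) {
        Date d = crlCache.remove(serialNumber);
        if (d == null) d = recentlyRevoked.remove(serialNumber);
        if (d != null) recentlyExpired.put(serialNumber, d);
    }

    /**
     * Revocation date for serialNumber, or null if it is not listed as revoked. With checkDeltaCache
     * the answer reflects changes since the last full CRL; without it those changes are invisible.
     */
    public Date getRevocationDateFromCache(BigInteger serialNumber, boolean checkDeltaCache, boolean includeExpiredCerts) {
        if (checkDeltaCache) {
            if (recentlyUnrevoked.contains(serialNumber)) return null;   // release from hold wins over the full CRL
            Date d = recentlyRevoked.get(serialNumber);
            if (d != null) return d;
            if (includeExpiredCerts) {
                d = recentlyExpired.get(serialNumber);
                if (d != null) return d;
            }
        }
        return crlCache.get(serialNumber);
    }

    /** Applies the delta to the full-CRL cache when a full CRL is issued, then clears the delta. */
    public void foldDeltaIntoFullCrl(boolean includeExpiredCerts) {
        crlCache.putAll(recentlyRevoked);
        crlCache.keySet().removeAll(recentlyUnrevoked);
        if (includeExpiredCerts) crlCache.putAll(recentlyExpired);
        clearDeltaCRLCache();
    }

    public void clearDeltaCRLCache() { recentlyRevoked.clear(); recentlyUnrevoked.clear(); recentlyExpired.clear(); }
    public void clearCRLCache() { crlCache.clear(); clearDeltaCRLCache(); }
    public long getCRLSize() { return crlCache.size(); }
    public long getDeltaCRLSize() { return recentlyRevoked.size() + recentlyUnrevoked.size(); }
    public int getNumberOfRecentlyRevokedCerts() { return recentlyRevoked.size(); }
    public int getNumberOfRecentlyUnrevokedCerts() { return recentlyUnrevoked.size(); }
    public int getNumberOfRecentlyExpiredCerts() { return recentlyExpired.size(); }

    public static void main(String[] args) {
        DeltaCrlCache cache = new DeltaCrlCache();
        BigInteger a = BigInteger.valueOf(0x1001), b = BigInteger.valueOf(0x1002);   // constructed serials
        Date when = new Date(1_700_000_000_000L);                                      // constructed date

        cache.addRevokedCert(a, when);       // revoked after the last full CRL: only a delta-aware lookup sees it
        System.out.println("a, full CRL only: " + cache.getRevocationDateFromCache(a, false, false));
        System.out.println("a, with delta   : " + cache.getRevocationDateFromCache(a, true, false));

        cache.foldDeltaIntoFullCrl(false);   // full CRL issued, so a is now in the full cache
        cache.addUnrevokedCert(a);           // released from hold: the delta must override the full cache
        System.out.println("a, after release: " + cache.getRevocationDateFromCache(a, true, false));

        cache.addRevokedCert(b, when);
        cache.addExpiredCert(b);             // revoked, then expired: listed only when expired certs are included
        System.out.println("b, exclude expired: " + cache.getRevocationDateFromCache(b, true, false));
        System.out.println("b, include expired: " + cache.getRevocationDateFromCache(b, true, true));
        System.out.println("delta size: " + cache.getDeltaCRLSize() + ", full size: " + cache.getCRLSize());
    }
}
```

The checkDeltaCache flag is the security-relevant one: a lookup against the full-CRL cache alone does not see a revocation recorded since the last full CRL, and a hold released since then still reads as revoked. Code that decides whether a certificate is currently trusted should pass checkDeltaCache = true; includeExpiredCerts = true answers the historical question of whether an expired certificate had been revoked, which matters when validating signatures made before expiry.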
updateCRLCacheRepository
void updateCRLCacheRepository()
Updates CRL cache into local directory.

updateConfig
boolean updateConfig(NameValuePairs params)
Updates issuing point configuration according to supplied data in name value pairs.
- Parameters:
  - params: name value pairs defining new issuing point configuration
- Returns: true if configuration is updated successfully

isDeltaCRLEnabled
boolean isDeltaCRLEnabled()
Returns true if delta-CRL is enabled.
- Returns: true if delta-CRL is enabled

isCRLCacheEnabled
boolean isCRLCacheEnabled()
Returns true if CRL cache is enabled.
- Returns: true if CRL cache is enabled

isCRLCacheEmpty
boolean isCRLCacheEmpty()
Returns true if CRL cache is empty.
- Returns: true if CRL cache is empty

isCRLCacheTestingEnabled
boolean isCRLCacheTestingEnabled()
Returns true if CRL cache testing is enabled.
- Returns: true if CRL cache testing is enabled

isThisCurrentDeltaCRL
boolean isThisCurrentDeltaCRL(org.mozilla.jss.netscape.security.x509.X509CRLImpl deltaCRL)
Returns true if supplied delta-CRL matches current delta-CRL.
- Parameters:
  - deltaCRL: delta-CRL to verify against current delta-CRL
- Returns: true if supplied delta-CRL matches current delta-CRL

isCRLUpdateInProgress
int isCRLUpdateInProgress()
Returns status of CRL generation.
- Returns: one of the following according to CRL generation status: CRL_UPDATE_DONE, CRL_UPDATE_STARTED, or CRL_PUBLISHING_STARTED

updateCRLNow
void updateCRLNow()
Generates CRL now based on cache, or local directory if cache is not available. It also publishes CRL if it is required. CRL is signed by the default signing algorithm.
- Throws:
  - EBaseException: if an error occurred during CRL generation or publishing

getCRLExtensions
ICMSCRLExtensions getCRLExtensions()
Returns list of CRL extensions.
- Returns: list of CRL extensions

setCustomFutureThisUpdateValue
void setCustomFutureThisUpdateValue(Date futureThisUpdate)
Sets the optional future thisUpdate value to go into the CRL.

setCancelCurFutureThisUpdateValue
void setCancelCurFutureThisUpdateValue(boolean b)