com.netscape.certsrv.ca

Interface ICRLIssuingPoint

public interface ICRLIssuingPoint

This class encapsulates CRL issuing mechanism. CertificateAuthority contains a map of CRLIssuingPoint indexed by string ids. Each issuing point contains information about CRL issuing and publishing parameters as well as state information which includes last issued CRL, next CRL serial number, time of the next update etc. If autoUpdateInterval is set to non-zero value then worker thread is created that will perform CRL update at scheduled intervals. Update can also be triggered by invoking updateCRL method directly. Another parameter minUpdateInterval can be used to prevent CRL from being updated too often

Version:

$Revision$, $Date$

Field Summary

Fields

Modifier and Type	Field and Description
static int	CRL_IP_INITIALIZATION_FAILED
static int	CRL_IP_INITIALIZED
static int	CRL_IP_NOT_INITIALIZED
static int	CRL_PUBLISHING_STARTED
static int	CRL_UPDATE_DONE for manual updates - requested by agent
static int	CRL_UPDATE_STARTED
static java.lang.String	PROP_BEGIN_SERIAL
static java.lang.String	PROP_END_SERIAL
static java.lang.String	PROP_MIN_UPDATE_INTERVAL
static java.lang.String	PROP_PUBLISH_DN
static java.lang.String	PROP_PUBLISH_ON_START
static java.lang.String	SC_CRL_COUNT
static java.lang.String	SC_IS_DELTA_CRL
static java.lang.String	SC_ISSUING_POINT_ID

Method Summary

Methods

Modifier and Type	Method and Description
void	addExpiredCert(java.math.BigInteger serialNumber) Adds expired and revoked certificate to delta-CRL cache.
void	addRevokedCert(java.math.BigInteger serialNumber, netscape.security.x509.RevokedCertImpl revokedCert) Adds revoked certificate to delta-CRL cache.
void	addRevokedCert(java.math.BigInteger serialNumber, netscape.security.x509.RevokedCertImpl revokedCert, java.lang.String requestId) Adds revoked certificate to delta-CRL cache.
void	addUnrevokedCert(java.math.BigInteger serialNumber) Adds unrevoked certificate to delta-CRL cache.
void	addUnrevokedCert(java.math.BigInteger serialNumber, java.lang.String requestId) Adds unrevoked certificate to delta-CRL cache.
boolean	areExpiredCertsIncluded() Checks if expired certificates are included in CRL.
boolean	checkCurrentProfile(java.lang.String id) Checks if CRL issuing point includes this profile.
void	clearCRLCache() Clears CRL cache
void	clearDeltaCRLCache() Clears delta-CRL cache
void	enableCRLIssuingPoint(boolean enable) Enables or disables CRL issuing point according to parameter.
boolean	getAlwaysUpdate() Returns true if CRL is updated for every change of revocation status of any certificate.
long	getAutoUpdateInterval() Returns auto update interval in milliseconds.
ISubsystem	getCertificateAuthority() Returns certificate authority.
ICMSCRLExtensions	getCRLExtensions() Returns list of CRL extensions.
java.math.BigInteger	getCRLNumber() Returns current CRL number of this CRL issuing point.
java.lang.String	getCrlPublishErrorStr() Returns CRL publishing error.
java.lang.String	getCrlPublishStatusStr() Returns CRL publishing status.
int	getCRLSchema() Returns current CRL generation schema for this CRL issuing point.
long	getCRLSize() Returns number of entries in the current CRL.
java.lang.String	getCrlUpdateErrorStr() Returns CRL update error.
java.lang.String	getCrlUpdateStatusStr() Returns CRL update status.
java.math.BigInteger	getDeltaCRLNumber() Returns current delta CRL number of this CRL issuing point.
long	getDeltaCRLSize() Returns number of entries in delta CRL
java.lang.String	getDescription() Returns internal description of this CRL issuing point.
java.lang.String	getFilter() Returns filter used to build CRL based on information stored in local directory.
java.lang.String	getId() Returns internal id of this CRL issuing point.
java.lang.String	getLastSigningAlgorithm() Returns signing algorithm used in last signing operation..
java.util.Date	getLastUpdate() Returns time of the last update.
java.math.BigInteger	getNextCRLNumber() Returns next CRL number of this CRL issuing point.
java.util.Date	getNextDeltaUpdate() Returns time of the next delta CRL update.
java.util.Date	getNextUpdate() Returns time of the next update.
long	getNextUpdateGracePeriod() Returns next update grace period in minutes.
int	getNumberOfRecentlyExpiredCerts() Returns number of recently expired and revoked certificates.
int	getNumberOfRecentlyRevokedCerts() Returns number of recently revoked certificates.
int	getNumberOfRecentlyUnrevokedCerts() Returns number of recently unrevoked certificates.
java.lang.String	getPublishDN() Returns DN of the directory entry where CRLs from this issuing point are published.
netscape.security.x509.CRLExtensions	getRequiredEntryExtensions(netscape.security.x509.CRLExtensions exts) Converts list of extensions supplied by revocation request to list of extensions required to be placed in CRL.
java.util.Date	getRevocationDateFromCache(java.math.BigInteger serialNumber, boolean checkDeltaCache, boolean includeExpiredCerts) Returns date of revoked certificate or null if certificated is not listed as revoked.
java.util.Set	getRevokedCertificates(int start, int end) Returns all the revoked certificates from the CRL cache.
java.lang.String	getSigningAlgorithm() Returns signing algorithm.
java.util.Vector	getSplitTimes() Returns split times from CRL generation.
void	init(ISubsystem ca, java.lang.String id, IConfigStore config) Initializes CRL issuing point.
boolean	isCACertsOnly() Checks if CRL includes CA certificates only.
boolean	isCRLCacheEmpty() Returns true if CRL cache is empty.
boolean	isCRLCacheEnabled() Returns true if CRL cache is enabled.
boolean	isCRLCacheTestingEnabled() Returns true if CRL cache testing is enabled.
boolean	isCRLGenerationEnabled() Returns true if CRL generation is enabled.
boolean	isCRLIssuingPointEnabled() Returns true if CRL issuing point is enabled.
int	isCRLIssuingPointInitialized() Returns CRL issuing point initialization status.
int	isCRLUpdateInProgress() Returns status of CRL generation.
boolean	isDeltaCRLEnabled() Returns true if delta-CRL is enabled.
boolean	isManualUpdateSet() Checks if manual update is set.
boolean	isProfileCertsOnly() Checks if CRL includes profile certificates only.
boolean	isThisCurrentDeltaCRL(netscape.security.x509.X509CRLImpl deltaCRL) Returns true if supplied delta-CRL is matching current delta-CRL.
void	processRevokedCerts(IElementProcessor cp) Builds a list of revoked certificates to put them into CRL.
void	setDescription(java.lang.String description) Sets internal description of this CRL issuing point.
void	setManualUpdate(java.lang.String signatureAlgorithm) Schedules immediate CRL manual-update and sets signature algorithm to be used for signing.
void	shutdown() This method is called during shutdown.
boolean	updateConfig(NameValuePairs params) Updates issuing point configuration according to supplied data in name value pairs.
void	updateCRLCacheRepository() Updates CRL cache into local directory.
void	updateCRLNow() Generates CRL now based on cache or local directory if cache is not available.
void	updateCRLNow(java.lang.String signingAlgorithm) Generates CRL now based on cache or local directory if cache is not available.

Field Detail

PROP_PUBLISH_DN

static final java.lang.String PROP_PUBLISH_DN

See Also:

Constant Field Values

PROP_PUBLISH_ON_START

static final java.lang.String PROP_PUBLISH_ON_START

See Also:

Constant Field Values

PROP_MIN_UPDATE_INTERVAL

static final java.lang.String PROP_MIN_UPDATE_INTERVAL

See Also:

Constant Field Values

PROP_BEGIN_SERIAL

static final java.lang.String PROP_BEGIN_SERIAL

See Also:

Constant Field Values

PROP_END_SERIAL

static final java.lang.String PROP_END_SERIAL

See Also:

Constant Field Values

SC_ISSUING_POINT_ID

static final java.lang.String SC_ISSUING_POINT_ID

See Also:

Constant Field Values

SC_IS_DELTA_CRL

static final java.lang.String SC_IS_DELTA_CRL

See Also:

Constant Field Values

SC_CRL_COUNT

static final java.lang.String SC_CRL_COUNT

See Also:

Constant Field Values

CRL_UPDATE_DONE

static final int CRL_UPDATE_DONE

for manual updates - requested by agent

See Also:

Constant Field Values

CRL_UPDATE_STARTED

static final int CRL_UPDATE_STARTED

See Also:

Constant Field Values

CRL_PUBLISHING_STARTED

static final int CRL_PUBLISHING_STARTED

See Also:

Constant Field Values

CRL_IP_NOT_INITIALIZED

static final int CRL_IP_NOT_INITIALIZED

See Also:

Constant Field Values

CRL_IP_INITIALIZED

static final int CRL_IP_INITIALIZED

See Also:

Constant Field Values

CRL_IP_INITIALIZATION_FAILED

static final int CRL_IP_INITIALIZATION_FAILED

See Also:

Constant Field Values

Method Detail

isCRLIssuingPointEnabled

boolean isCRLIssuingPointEnabled()

Returns true if CRL issuing point is enabled.

Returns:

true if CRL issuing point is enabled

isCRLGenerationEnabled

boolean isCRLGenerationEnabled()

Returns true if CRL generation is enabled.

Returns:

true if CRL generation is enabled

enableCRLIssuingPoint

void enableCRLIssuingPoint(boolean enable)

Enables or disables CRL issuing point according to parameter.

Parameters:

enable - if true enables CRL issuing point

getCrlUpdateStatusStr

java.lang.String getCrlUpdateStatusStr()

Returns CRL update status.

Returns:

CRL update status

getCrlUpdateErrorStr

java.lang.String getCrlUpdateErrorStr()

Returns CRL update error.

Returns:

CRL update error

getCrlPublishStatusStr

java.lang.String getCrlPublishStatusStr()

Returns CRL publishing status.

Returns:

CRL publishing status

getCrlPublishErrorStr

java.lang.String getCrlPublishErrorStr()

Returns CRL publishing error.

Returns:

CRL publishing error

isCRLIssuingPointInitialized

int isCRLIssuingPointInitialized()

Returns CRL issuing point initialization status.

Returns:

status of CRL issuing point initialization

isManualUpdateSet

boolean isManualUpdateSet()

Checks if manual update is set.

Returns:

true if manual update is set

areExpiredCertsIncluded

boolean areExpiredCertsIncluded()

Checks if expired certificates are included in CRL.

Returns:

true if expired certificates are included in CRL

isCACertsOnly

boolean isCACertsOnly()

Checks if CRL includes CA certificates only.

Returns:

true if CRL includes CA certificates only

isProfileCertsOnly

boolean isProfileCertsOnly()

Checks if CRL includes profile certificates only.

Returns:

true if CRL includes profile certificates only

checkCurrentProfile

boolean checkCurrentProfile(java.lang.String id)

Checks if CRL issuing point includes this profile.

Returns:

true if CRL issuing point includes this profile

init

void init(ISubsystem ca,
        java.lang.String id,
        IConfigStore config)
          throws EBaseException

Initializes CRL issuing point.

Parameters:

ca - certificate authority that holds CRL issuing point

id - CRL issuing point id

config - configuration sub-store for CRL issuing point

Throws:

EBaseException - thrown if initialization failed

shutdown

void shutdown()

This method is called during shutdown. It updates CRL cache and stops thread controlling CRL updates.

getId

java.lang.String getId()

Returns internal id of this CRL issuing point.

Returns:

internal id of this CRL issuing point

getDescription

java.lang.String getDescription()

Returns internal description of this CRL issuing point.

Returns:

internal description of this CRL issuing point

setDescription

void setDescription(java.lang.String description)

Sets internal description of this CRL issuing point.

Parameters:

description - description for this CRL issuing point.

getPublishDN

java.lang.String getPublishDN()

Returns DN of the directory entry where CRLs from this issuing point are published.

Returns:

DN of the directory entry where CRLs are published.

getSigningAlgorithm

java.lang.String getSigningAlgorithm()

Returns signing algorithm.

Returns:

signing algorithm

getLastSigningAlgorithm

java.lang.String getLastSigningAlgorithm()

Returns signing algorithm used in last signing operation..

Returns:

last signing algorithm

getCRLSchema

int getCRLSchema()

Returns current CRL generation schema for this CRL issuing point.

Returns:

current CRL generation schema for this CRL issuing point

getCRLNumber

java.math.BigInteger getCRLNumber()

Returns current CRL number of this CRL issuing point.

Returns:

current CRL number of this CRL issuing point

getDeltaCRLNumber

java.math.BigInteger getDeltaCRLNumber()

Returns current delta CRL number of this CRL issuing point.

Returns:

current delta CRL number of this CRL issuing point

getNextCRLNumber

java.math.BigInteger getNextCRLNumber()

Returns next CRL number of this CRL issuing point.

Returns:

next CRL number of this CRL issuing point

getCRLSize

long getCRLSize()

Returns number of entries in the current CRL.

Returns:

number of entries in the current CRL

getDeltaCRLSize

long getDeltaCRLSize()

Returns number of entries in delta CRL

Returns:

number of entries in delta CRL

getLastUpdate

java.util.Date getLastUpdate()

Returns time of the last update.

Returns:

last CRL update time

getNextUpdate

java.util.Date getNextUpdate()

Returns time of the next update.

Returns:

next CRL update time

getNextDeltaUpdate

java.util.Date getNextDeltaUpdate()

Returns time of the next delta CRL update.

Returns:

next delta CRL update time

getRevokedCertificates

java.util.Set getRevokedCertificates(int start,
                                   int end)

Returns all the revoked certificates from the CRL cache.

Parameters:

start - first requested CRL entry

end - next after last requested CRL entry

Returns:

set of all the revoked certificates or null if there are none.

getCertificateAuthority

ISubsystem getCertificateAuthority()

Returns certificate authority.

Returns:

certificate authority

setManualUpdate

void setManualUpdate(java.lang.String signatureAlgorithm)

Schedules immediate CRL manual-update and sets signature algorithm to be used for signing.

Parameters:

signatureAlgorithm - signature algorithm to be used for signing

getAutoUpdateInterval

long getAutoUpdateInterval()

Returns auto update interval in milliseconds.

Returns:

auto update interval in milliseconds

getAlwaysUpdate

boolean getAlwaysUpdate()

Returns true if CRL is updated for every change of revocation status of any certificate.

Returns:

true if CRL update is always triggered by revocation operation

getNextUpdateGracePeriod

long getNextUpdateGracePeriod()

Returns next update grace period in minutes.

Returns:

next update grace period in minutes

getFilter

java.lang.String getFilter()

Returns filter used to build CRL based on information stored in local directory.

Returns:

filter used to search local directory

processRevokedCerts

void processRevokedCerts(IElementProcessor cp)
                         throws EBaseException

Builds a list of revoked certificates to put them into CRL. Calls certificate record processor to get necessary data from certificate records. This also regenerates CRL cache.

Parameters:

cp - certificate record processor

Throws:

EBaseException - if an error occurred in the database.

getRevocationDateFromCache

java.util.Date getRevocationDateFromCache(java.math.BigInteger serialNumber,
                                        boolean checkDeltaCache,
                                        boolean includeExpiredCerts)

Returns date of revoked certificate or null if certificated is not listed as revoked.

Parameters:

serialNumber - serial number of certificate to be checked

checkDeltaCache - true if delta CRL cache suppose to be included in checking process

includeExpiredCerts - true if delta CRL cache with expired certificates suppose to be included in checking process

Returns:

date of revoked certificate or null

getSplitTimes

java.util.Vector getSplitTimes()

Returns split times from CRL generation.

Returns:

split times from CRL generation in milliseconds

updateCRLNow

void updateCRLNow(java.lang.String signingAlgorithm)
                  throws EBaseException

Generates CRL now based on cache or local directory if cache is not available. It also publishes CRL if it is required.

Parameters:

signingAlgorithm - signing algorithm to be used for CRL signing

Throws:

EBaseException - if an error occurred during CRL generation or publishing

clearCRLCache

void clearCRLCache()

Clears CRL cache

clearDeltaCRLCache

void clearDeltaCRLCache()

Clears delta-CRL cache

getNumberOfRecentlyRevokedCerts

int getNumberOfRecentlyRevokedCerts()

Returns number of recently revoked certificates.

Returns:

number of recently revoked certificates

getNumberOfRecentlyUnrevokedCerts

int getNumberOfRecentlyUnrevokedCerts()

Returns number of recently unrevoked certificates.

Returns:

number of recently unrevoked certificates

getNumberOfRecentlyExpiredCerts

int getNumberOfRecentlyExpiredCerts()

Returns number of recently expired and revoked certificates.

Returns:

number of recently expired and revoked certificates

getRequiredEntryExtensions

netscape.security.x509.CRLExtensions getRequiredEntryExtensions(netscape.security.x509.CRLExtensions exts)

Converts list of extensions supplied by revocation request to list of extensions required to be placed in CRL.

Parameters:

exts - list of extensions supplied by revocation request

Returns:

list of extensions required to be placed in CRL

addRevokedCert

void addRevokedCert(java.math.BigInteger serialNumber,
                  netscape.security.x509.RevokedCertImpl revokedCert)

Adds revoked certificate to delta-CRL cache.

Parameters:

serialNumber - serial number of revoked certificate

revokedCert - revocation information supplied by revocation request

addRevokedCert

void addRevokedCert(java.math.BigInteger serialNumber,
                  netscape.security.x509.RevokedCertImpl revokedCert,
                  java.lang.String requestId)

Adds revoked certificate to delta-CRL cache.

Parameters:

serialNumber - serial number of revoked certificate

revokedCert - revocation information supplied by revocation request

requestId - revocation request id

addUnrevokedCert

void addUnrevokedCert(java.math.BigInteger serialNumber)

Adds unrevoked certificate to delta-CRL cache.

Parameters:

serialNumber - serial number of unrevoked certificate

addUnrevokedCert

void addUnrevokedCert(java.math.BigInteger serialNumber,
                    java.lang.String requestId)

Adds unrevoked certificate to delta-CRL cache.

Parameters:

serialNumber - serial number of unrevoked certificate

requestId - unrevocation request id

addExpiredCert

void addExpiredCert(java.math.BigInteger serialNumber)

Adds expired and revoked certificate to delta-CRL cache.

Parameters:

serialNumber - serial number of expired and revoked certificate

updateCRLCacheRepository

void updateCRLCacheRepository()

Updates CRL cache into local directory.

updateConfig

boolean updateConfig(NameValuePairs params)

Updates issuing point configuration according to supplied data in name value pairs.

Parameters:

params - name value pairs defining new issuing point configuration

Returns:

true if configuration is updated successfully

isDeltaCRLEnabled

boolean isDeltaCRLEnabled()

Returns true if delta-CRL is enabled.

Returns:

true if delta-CRL is enabled

isCRLCacheEnabled

boolean isCRLCacheEnabled()

Returns true if CRL cache is enabled.

Returns:

true if CRL cache is enabled

isCRLCacheEmpty

boolean isCRLCacheEmpty()

Returns true if CRL cache is empty.

Returns:

true if CRL cache is empty

isCRLCacheTestingEnabled

boolean isCRLCacheTestingEnabled()

Returns true if CRL cache testing is enabled.

Returns:

true if CRL cache testing is enabled

isThisCurrentDeltaCRL

boolean isThisCurrentDeltaCRL(netscape.security.x509.X509CRLImpl deltaCRL)

Returns true if supplied delta-CRL is matching current delta-CRL.

Parameters:

deltaCRL - delta-CRL to verify against current delta-CRL

Returns:

true if supplied delta-CRL is matching current delta-CRL

isCRLUpdateInProgress

int isCRLUpdateInProgress()

Returns status of CRL generation.

Returns:

one of the following according to CRL generation status: CRL_UPDATE_DONE, CRL_UPDATE_STARTED, and CRL_PUBLISHING_STARTED

updateCRLNow

void updateCRLNow()
                  throws EBaseException

Generates CRL now based on cache or local directory if cache is not available. It also publishes CRL if it is required. CRL is signed by default signing algorithm.

Throws:

EBaseException - if an error occurred during CRL generation or publishing

getCRLExtensions

ICMSCRLExtensions getCRLExtensions()

Returns list of CRL extensions.

Returns:

list of CRL extensions