com.netscape.certsrv.ca
Interface ICRLIssuingPoint


public interface ICRLIssuingPoint

This interface encapsulates the CRL issuing mechanism. CertificateAuthority contains a map of CRLIssuingPoint objects indexed by string ids. Each issuing point contains information about CRL issuing and publishing parameters as well as state information, which includes the last issued CRL, the next CRL serial number, the time of the next update, etc. If autoUpdateInterval is set to a non-zero value, a worker thread is created that performs the CRL update at scheduled intervals. An update can also be triggered by invoking the updateCRL method directly. Another parameter, minUpdateInterval, can be used to prevent the CRL from being updated too often.

Version:
$Revision: 1211 $, $Date: 2010-08-18 10:15:37 -0700 (Wed, 18 Aug 2010) $
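The description above states three scheduling rules (a periodic auto-update, a manual update requested by an agent, and a minUpdateInterval floor between two CRLs) without showing how they interact. The following is an added illustration, not code from Dogtag / Certificate System and not the CRLIssuingPoint implementation: it models those rules in a small stand-alone class. The class name CrlUpdatePolicy, its method names, the assumption that minUpdateInterval also throttles manual updates, and the numeric values of the CRL_UPDATE_* status constants are all assumptions chosen for the illustration.

```java
import java.time.Duration;
import java.time.Instant;

/**
 * Illustrative model (not Certificate System code) of the update scheduling
 * rules described for ICRLIssuingPoint. All names and values here are
 * assumptions; consult the real CRLIssuingPoint for the actual behaviour.
 */
public class CrlUpdatePolicy {

    // Same names as the interface's status constants; the numeric values are assumed.
    static final int CRL_UPDATE_DONE = 0;
    static final int CRL_UPDATE_STARTED = 1;
    static final int CRL_PUBLISHING_STARTED = 2;

    private final Duration autoUpdateInterval; // zero means no periodic worker
    private final Duration minUpdateInterval;  // floor between two consecutive CRLs
    private Instant lastUpdate;
    private boolean manualUpdateSet = false;
    private int status = CRL_UPDATE_DONE;

    CrlUpdatePolicy(Duration autoUpdateInterval, Duration minUpdateInterval, Instant lastUpdate) {
        this.autoUpdateInterval = autoUpdateInterval;
        this.minUpdateInterval = minUpdateInterval;
        this.lastUpdate = lastUpdate;
    }

    /** Counterpart of setManualUpdate(): an agent asks for an immediate CRL. */
    void setManualUpdate() {
        manualUpdateSet = true;
    }

    /** Counterpart of getNextUpdate(): when the periodic worker would next run, or null. */
    Instant getNextUpdate() {
        return autoUpdateInterval.isZero() ? null : lastUpdate.plus(autoUpdateInterval);
    }

    /** Counterpart of isCRLUpdateInProgress(). */
    int isCRLUpdateInProgress() {
        return status;
    }

    /**
     * Decide whether an update should start at {@code now}. A manual request is
     * honoured as soon as minUpdateInterval has elapsed since the last CRL; an
     * automatic update is due once autoUpdateInterval has elapsed. Neither runs
     * while another update is still in progress. (Assumed policy.)
     */
    boolean isUpdateDue(Instant now) {
        if (status != CRL_UPDATE_DONE) {
            return false;
        }
        if (now.isBefore(lastUpdate.plus(minUpdateInterval))) {
            return false; // too soon after the previous CRL
        }
        if (manualUpdateSet) {
            return true;
        }
        Instant next = getNextUpdate();
        return next != null && !now.isBefore(next);
    }

    /** Simulate one worker-thread pass: generate, publish, record the new lastUpdate. */
    boolean runIfDue(Instant now) {
        if (!isUpdateDue(now)) {
            return false;
        }
        status = CRL_UPDATE_STARTED;      // CRL is being built and signed
        status = CRL_PUBLISHING_STARTED;  // CRL is handed to the publisher
        lastUpdate = now;
        manualUpdateSet = false;
        status = CRL_UPDATE_DONE;
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample timeline: last CRL issued at t0, auto-update every
        // 4 hours, no more than one CRL every 10 minutes.
        Instant t0 = Instant.parse("2010-08-18T17:00:00Z");
        CrlUpdatePolicy p = new CrlUpdatePolicy(Duration.ofHours(4), Duration.ofMinutes(10), t0);

        p.setManualUpdate();
        System.out.println("manual at +2m:  " + p.runIfDue(t0.plus(Duration.ofMinutes(2))));
        System.out.println("manual at +10m: " + p.runIfDue(t0.plus(Duration.ofMinutes(10))));
        System.out.println("next auto run:  " + p.getNextUpdate());
        System.out.println("auto at +3h:    " + p.runIfDue(t0.plus(Duration.ofHours(3))));
        System.out.println("auto at +4h10m: " + p.runIfDue(t0.plus(Duration.ofHours(4).plusMinutes(10))));
    }
}
```

In the sample run the manual request two minutes after the previous CRL is held back by the ten-minute floor and only runs at the ten-minute mark; the periodic schedule is then measured from that manual CRL, so the next automatic run moves to four hours after it. The trade-off the page's minUpdateInterval parameter embodies is visible here: a larger floor protects the CA and its publishing targets from a burst of revocations forcing back-to-back CRL generation, at the cost of delaying how quickly a revocation reaches relying parties.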

Field Summary
static int CRL_IP_INITIALIZATION_FAILED
static int CRL_IP_INITIALIZED
static int CRL_IP_NOT_INITIALIZED
static int CRL_PUBLISHING_STARTED
static int CRL_UPDATE_DONE
          for manual updates - requested by agent
static int CRL_UPDATE_STARTED
static java.lang.String PROP_BEGIN_SERIAL
static java.lang.String PROP_END_SERIAL
static java.lang.String PROP_MIN_UPDATE_INTERVAL
static java.lang.String PROP_PUBLISH_DN
static java.lang.String PROP_PUBLISH_ON_START
static java.lang.String SC_CRL_COUNT
static java.lang.String SC_IS_DELTA_CRL
static java.lang.String SC_ISSUING_POINT_ID

Method Summary
 void addExpiredCert(java.math.BigInteger serialNumber)
          Adds expired and revoked certificate to delta-CRL cache.
 void addRevokedCert(java.math.BigInteger serialNumber, netscape.security.x509.RevokedCertImpl revokedCert)
          Adds revoked certificate to delta-CRL cache.
 void addRevokedCert(java.math.BigInteger serialNumber, netscape.security.x509.RevokedCertImpl revokedCert, java.lang.String requestId)
          Adds revoked certificate to delta-CRL cache.
 void addUnrevokedCert(java.math.BigInteger serialNumber)
          Adds unrevoked certificate to delta-CRL cache.
 void addUnrevokedCert(java.math.BigInteger serialNumber, java.lang.String requestId)
          Adds unrevoked certificate to delta-CRL cache.
 boolean areExpiredCertsIncluded()
          Checks if expired certificates are included in CRL.
 boolean checkCurrentProfile(java.lang.String id)
          Checks if CRL issuing point includes this profile.
 void clearCRLCache()
          Clears CRL cache.
 void clearDeltaCRLCache()
          Clears delta-CRL cache.
 void enableCRLIssuingPoint(boolean enable)
          Enables or disables CRL issuing point according to parameter.
 boolean getAlwaysUpdate()
          Returns true if CRL is updated for every change of revocation status of any certificate.
 long getAutoUpdateInterval()
          Returns auto update interval in milliseconds.
 ISubsystem getCertificateAuthority()
          Returns certificate authority.
 ICMSCRLExtensions getCRLExtensions()
          Returns list of CRL extensions.
 java.math.BigInteger getCRLNumber()
          Returns current CRL number of this CRL issuing point.
 java.lang.String getCrlPublishErrorStr()
          Returns CRL publishing error.
 java.lang.String getCrlPublishStatusStr()
          Returns CRL publishing status.
 int getCRLSchema()
          Returns current CRL generation schema for this CRL issuing point.
 long getCRLSize()
          Returns number of entries in the current CRL.
 java.lang.String getCrlUpdateErrorStr()
          Returns CRL update error.
 java.lang.String getCrlUpdateStatusStr()
          Returns CRL update status.
 java.math.BigInteger getDeltaCRLNumber()
          Returns current delta CRL number of this CRL issuing point.
 long getDeltaCRLSize()
          Returns number of entries in delta CRL.
 java.lang.String getDescription()
          Returns internal description of this CRL issuing point.
 java.lang.String getFilter()
          Returns filter used to build CRL based on information stored in local directory.
 java.lang.String getId()
          Returns internal id of this CRL issuing point.
 java.lang.String getLastSigningAlgorithm()
          Returns signing algorithm used in last signing operation.
 java.util.Date getLastUpdate()
          Returns time of the last update.
 java.math.BigInteger getNextCRLNumber()
          Returns next CRL number of this CRL issuing point.
 java.util.Date getNextDeltaUpdate()
          Returns time of the next delta CRL update.
 java.util.Date getNextUpdate()
          Returns time of the next update.
 long getNextUpdateGracePeriod()
          Returns next update grace period in minutes.
 int getNumberOfRecentlyExpiredCerts()
          Returns number of recently expired and revoked certificates.
 int getNumberOfRecentlyRevokedCerts()
          Returns number of recently revoked certificates.
 int getNumberOfRecentlyUnrevokedCerts()
          Returns number of recently unrevoked certificates.
 java.lang.String getPublishDN()
          Returns DN of the directory entry where CRLs from this issuing point are published.
 netscape.security.x509.CRLExtensions getRequiredEntryExtensions(netscape.security.x509.CRLExtensions exts)
          Converts list of extensions supplied by revocation request to list of extensions required to be placed in CRL.
 java.util.Date getRevocationDateFromCache(java.math.BigInteger serialNumber, boolean checkDeltaCache, boolean includeExpiredCerts)
          Returns date of revoked certificate or null if certificate is not listed as revoked.
 java.util.Set getRevokedCertificates(int start, int end)
          Returns all the revoked certificates from the CRL cache.
 java.lang.String getSigningAlgorithm()
          Returns signing algorithm.
 java.util.Vector getSplitTimes()
          Returns split times from CRL generation.
 void init(ISubsystem ca, java.lang.String id, IConfigStore config)
          Initializes CRL issuing point.
 boolean isCACertsOnly()
          Checks if CRL includes CA certificates only.
 boolean isCRLCacheEmpty()
          Returns true if CRL cache is empty.
 boolean isCRLCacheEnabled()
          Returns true if CRL cache is enabled.
 boolean isCRLCacheTestingEnabled()
          Returns true if CRL cache testing is enabled.
 boolean isCRLGenerationEnabled()
          Returns true if CRL generation is enabled.
 boolean isCRLIssuingPointEnabled()
          Returns true if CRL issuing point is enabled.
 int isCRLIssuingPointInitialized()
          Returns CRL issuing point initialization status.
 int isCRLUpdateInProgress()
          Returns status of CRL generation.
 boolean isDeltaCRLEnabled()
          Returns true if delta-CRL is enabled.
 boolean isManualUpdateSet()
          Checks if manual update is set.
 boolean isProfileCertsOnly()
          Checks if CRL includes profile certificates only.
 boolean isThisCurrentDeltaCRL(netscape.security.x509.X509CRLImpl deltaCRL)
          Returns true if supplied delta-CRL is matching current delta-CRL.
 void processRevokedCerts(IElementProcessor cp)
          Builds a list of revoked certificates to put them into CRL.
 void setDescription(java.lang.String description)
          Sets internal description of this CRL issuing point.
 void setManualUpdate(java.lang.String signatureAlgorithm)
          Schedules immediate CRL manual-update and sets signature algorithm to be used for signing.
 void shutdown()
          This method is called during shutdown.
 boolean updateConfig(NameValuePairs params)
          Updates issuing point configuration according to supplied data in name value pairs.
 void updateCRLCacheRepository()
          Updates CRL cache into local directory.
 void updateCRLNow()
          Generates CRL now based on cache or local directory if cache is not available.
 void updateCRLNow(java.lang.String signingAlgorithm)
          Generates CRL now based on cache or local directory if cache is not available.
 

Field Detail

PROP_PUBLISH_DN

static final java.lang.String PROP_PUBLISH_DN
See Also:
Constant Field Values

PROP_PUBLISH_ON_START

static final java.lang.String PROP_PUBLISH_ON_START
See Also:
Constant Field Values

PROP_MIN_UPDATE_INTERVAL

static final java.lang.String PROP_MIN_UPDATE_INTERVAL
See Also:
Constant Field Values

PROP_BEGIN_SERIAL

static final java.lang.String PROP_BEGIN_SERIAL
See Also:
Constant Field Values

PROP_END_SERIAL

static final java.lang.String PROP_END_SERIAL
See Also:
Constant Field Values

SC_ISSUING_POINT_ID

static final java.lang.String SC_ISSUING_POINT_ID
See Also:
Constant Field Values

SC_IS_DELTA_CRL

static final java.lang.String SC_IS_DELTA_CRL
See Also:
Constant Field Values

SC_CRL_COUNT

static final java.lang.String SC_CRL_COUNT
See Also:
Constant Field Values

CRL_UPDATE_DONE

static final int CRL_UPDATE_DONE
for manual updates - requested by agent

See Also:
Constant Field Values

CRL_UPDATE_STARTED

static final int CRL_UPDATE_STARTED
See Also:
Constant Field Values

CRL_PUBLISHING_STARTED

static final int CRL_PUBLISHING_STARTED
See Also:
Constant Field Values

CRL_IP_NOT_INITIALIZED

static final int CRL_IP_NOT_INITIALIZED
See Also:
Constant Field Values

CRL_IP_INITIALIZED

static final int CRL_IP_INITIALIZED
See Also:
Constant Field Values

CRL_IP_INITIALIZATION_FAILED

static final int CRL_IP_INITIALIZATION_FAILED
See Also:
Constant Field Values

Method Detail

isCRLIssuingPointEnabled

boolean isCRLIssuingPointEnabled()
Returns true if CRL issuing point is enabled.

Returns:
true if CRL issuing point is enabled

isCRLGenerationEnabled

boolean isCRLGenerationEnabled()
Returns true if CRL generation is enabled.

Returns:
true if CRL generation is enabled

enableCRLIssuingPoint

void enableCRLIssuingPoint(boolean enable)
Enables or disables CRL issuing point according to parameter.

Parameters:
enable - if true enables CRL issuing point

getCrlUpdateStatusStr

java.lang.String getCrlUpdateStatusStr()
Returns CRL update status.

Returns:
CRL update status

getCrlUpdateErrorStr

java.lang.String getCrlUpdateErrorStr()
Returns CRL update error.

Returns:
CRL update error

getCrlPublishStatusStr

java.lang.String getCrlPublishStatusStr()
Returns CRL publishing status.

Returns:
CRL publishing status

getCrlPublishErrorStr

java.lang.String getCrlPublishErrorStr()
Returns CRL publishing error.

Returns:
CRL publishing error

isCRLIssuingPointInitialized

int isCRLIssuingPointInitialized()
Returns CRL issuing point initialization status.

Returns:
status of CRL issuing point initialization

isManualUpdateSet

boolean isManualUpdateSet()
Checks if manual update is set.

Returns:
true if manual update is set

areExpiredCertsIncluded

boolean areExpiredCertsIncluded()
Checks if expired certificates are included in CRL.

Returns:
true if expired certificates are included in CRL

isCACertsOnly

boolean isCACertsOnly()
Checks if CRL includes CA certificates only.

Returns:
true if CRL includes CA certificates only

isProfileCertsOnly

boolean isProfileCertsOnly()
Checks if CRL includes profile certificates only.

Returns:
true if CRL includes profile certificates only

checkCurrentProfile

boolean checkCurrentProfile(java.lang.String id)
Checks if CRL issuing point includes this profile.

Returns:
true if CRL issuing point includes this profile

init

void init(ISubsystem ca,
          java.lang.String id,
          IConfigStore config)
          throws EBaseException
Initializes CRL issuing point.

Parameters:
ca - certificate authority that holds CRL issuing point
id - CRL issuing point id
config - configuration sub-store for CRL issuing point
Throws:
EBaseException - thrown if initialization failed

shutdown

void shutdown()
This method is called during shutdown. It updates CRL cache and stops thread controlling CRL updates.


getId

java.lang.String getId()
Returns internal id of this CRL issuing point.

Returns:
internal id of this CRL issuing point

getDescription

java.lang.String getDescription()
Returns internal description of this CRL issuing point.

Returns:
internal description of this CRL issuing point

setDescription

void setDescription(java.lang.String description)
Sets internal description of this CRL issuing point.

Parameters:
description - description for this CRL issuing point.

getPublishDN

java.lang.String getPublishDN()
Returns DN of the directory entry where CRLs from this issuing point are published.

Returns:
DN of the directory entry where CRLs are published.

getSigningAlgorithm

java.lang.String getSigningAlgorithm()
Returns signing algorithm.

Returns:
signing algorithm

getLastSigningAlgorithm

java.lang.String getLastSigningAlgorithm()
Returns signing algorithm used in last signing operation.

Returns:
last signing algorithm

getCRLSchema

int getCRLSchema()
Returns current CRL generation schema for this CRL issuing point.

Returns:
current CRL generation schema for this CRL issuing point

getCRLNumber

java.math.BigInteger getCRLNumber()
Returns current CRL number of this CRL issuing point.

Returns:
current CRL number of this CRL issuing point

getDeltaCRLNumber

java.math.BigInteger getDeltaCRLNumber()
Returns current delta CRL number of this CRL issuing point.

Returns:
current delta CRL number of this CRL issuing point

getNextCRLNumber

java.math.BigInteger getNextCRLNumber()
Returns next CRL number of this CRL issuing point.

Returns:
next CRL number of this CRL issuing point

getCRLSize

long getCRLSize()
Returns number of entries in the current CRL.

Returns:
number of entries in the current CRL

getDeltaCRLSize

long getDeltaCRLSize()
Returns number of entries in delta CRL.

Returns:
number of entries in delta CRL

getLastUpdate

java.util.Date getLastUpdate()
Returns time of the last update.

Returns:
last CRL update time

getNextUpdate

java.util.Date getNextUpdate()
Returns time of the next update.

Returns:
next CRL update time

getNextDeltaUpdate

java.util.Date getNextDeltaUpdate()
Returns time of the next delta CRL update.

Returns:
next delta CRL update time

getRevokedCertificates

java.util.Set getRevokedCertificates(int start,
                                     int end)
Returns all the revoked certificates from the CRL cache.

Parameters:
start - first requested CRL entry
end - next after last requested CRL entry
Returns:
set of all the revoked certificates or null if there are none.

getCertificateAuthority

ISubsystem getCertificateAuthority()
Returns certificate authority.

Returns:
certificate authority

setManualUpdate

void setManualUpdate(java.lang.String signatureAlgorithm)
Schedules immediate CRL manual-update and sets signature algorithm to be used for signing.

Parameters:
signatureAlgorithm - signature algorithm to be used for signing

getAutoUpdateInterval

long getAutoUpdateInterval()
Returns auto update interval in milliseconds.

Returns:
auto update interval in milliseconds

getAlwaysUpdate

boolean getAlwaysUpdate()
Returns true if CRL is updated for every change of revocation status of any certificate.

Returns:
true if CRL update is always triggered by revocation operation

getNextUpdateGracePeriod

long getNextUpdateGracePeriod()
Returns next update grace period in minutes.

Returns:
next update grace period in minutes

getFilter

java.lang.String getFilter()
Returns filter used to build CRL based on information stored in local directory.

Returns:
filter used to search local directory

processRevokedCerts

void processRevokedCerts(IElementProcessor cp)
                         throws EBaseException
Builds a list of revoked certificates to put them into CRL. Calls certificate record processor to get necessary data from certificate records. This also regenerates CRL cache.

Parameters:
cp - certificate record processor
Throws:
EBaseException - if an error occurred in the database.

getRevocationDateFromCache

java.util.Date getRevocationDateFromCache(java.math.BigInteger serialNumber,
                                          boolean checkDeltaCache,
                                          boolean includeExpiredCerts)
Returns date of revoked certificate or null if certificate is not listed as revoked.

Parameters:
serialNumber - serial number of certificate to be checked
checkDeltaCache - true if the delta CRL cache is to be included in the check
includeExpiredCerts - true if the delta CRL cache of expired certificates is to be included in the check
Returns:
date of revoked certificate or null

getSplitTimes

java.util.Vector getSplitTimes()
Returns split times from CRL generation.

Returns:
split times from CRL generation in milliseconds

updateCRLNow

void updateCRLNow(java.lang.String signingAlgorithm)
                  throws EBaseException
Generates CRL now based on cache or local directory if cache is not available. It also publishes CRL if it is required.

Parameters:
signingAlgorithm - signing algorithm to be used for CRL signing
Throws:
EBaseException - if an error occurred during CRL generation or publishing

clearCRLCache

void clearCRLCache()
Clears CRL cache.


clearDeltaCRLCache

void clearDeltaCRLCache()
Clears delta-CRL cache.


getNumberOfRecentlyRevokedCerts

int getNumberOfRecentlyRevokedCerts()
Returns number of recently revoked certificates.

Returns:
number of recently revoked certificates

getNumberOfRecentlyUnrevokedCerts

int getNumberOfRecentlyUnrevokedCerts()
Returns number of recently unrevoked certificates.

Returns:
number of recently unrevoked certificates

getNumberOfRecentlyExpiredCerts

int getNumberOfRecentlyExpiredCerts()
Returns number of recently expired and revoked certificates.

Returns:
number of recently expired and revoked certificates

getRequiredEntryExtensions

netscape.security.x509.CRLExtensions getRequiredEntryExtensions(netscape.security.x509.CRLExtensions exts)
Converts list of extensions supplied by revocation request to list of extensions required to be placed in CRL.

Parameters:
exts - list of extensions supplied by revocation request
Returns:
list of extensions required to be placed in CRL

addRevokedCert

void addRevokedCert(java.math.BigInteger serialNumber,
                    netscape.security.x509.RevokedCertImpl revokedCert)
Adds revoked certificate to delta-CRL cache.

Parameters:
serialNumber - serial number of revoked certificate
revokedCert - revocation information supplied by revocation request

addRevokedCert

void addRevokedCert(java.math.BigInteger serialNumber,
                    netscape.security.x509.RevokedCertImpl revokedCert,
                    java.lang.String requestId)
Adds revoked certificate to delta-CRL cache.

Parameters:
serialNumber - serial number of revoked certificate
revokedCert - revocation information supplied by revocation request
requestId - revocation request id

addUnrevokedCert

void addUnrevokedCert(java.math.BigInteger serialNumber)
Adds unrevoked certificate to delta-CRL cache.

Parameters:
serialNumber - serial number of unrevoked certificate

addUnrevokedCert

void addUnrevokedCert(java.math.BigInteger serialNumber,
                      java.lang.String requestId)
Adds unrevoked certificate to delta-CRL cache.

Parameters:
serialNumber - serial number of unrevoked certificate
requestId - unrevocation request id

addExpiredCert

void addExpiredCert(java.math.BigInteger serialNumber)
Adds expired and revoked certificate to delta-CRL cache.

Parameters:
serialNumber - serial number of expired and revoked certificate

updateCRLCacheRepository

void updateCRLCacheRepository()
Updates CRL cache into local directory.


updateConfig

boolean updateConfig(NameValuePairs params)
Updates issuing point configuration according to supplied data in name value pairs.

Parameters:
params - name value pairs defining new issuing point configuration
Returns:
true if configuration is updated successfully

isDeltaCRLEnabled

boolean isDeltaCRLEnabled()
Returns true if delta-CRL is enabled.

Returns:
true if delta-CRL is enabled

isCRLCacheEnabled

boolean isCRLCacheEnabled()
Returns true if CRL cache is enabled.

Returns:
true if CRL cache is enabled

isCRLCacheEmpty

boolean isCRLCacheEmpty()
Returns true if CRL cache is empty.

Returns:
true if CRL cache is empty

isCRLCacheTestingEnabled

boolean isCRLCacheTestingEnabled()
Returns true if CRL cache testing is enabled.

Returns:
true if CRL cache testing is enabled

isThisCurrentDeltaCRL

boolean isThisCurrentDeltaCRL(netscape.security.x509.X509CRLImpl deltaCRL)
Returns true if supplied delta-CRL is matching current delta-CRL.

Parameters:
deltaCRL - delta-CRL to verify against current delta-CRL
Returns:
true if supplied delta-CRL is matching current delta-CRL

isCRLUpdateInProgress

int isCRLUpdateInProgress()
Returns status of CRL generation.

Returns:
one of the following according to CRL generation status: CRL_UPDATE_DONE, CRL_UPDATE_STARTED, and CRL_PUBLISHING_STARTED

updateCRLNow

void updateCRLNow()
                  throws EBaseException
Generates CRL now based on cache or local directory if cache is not available. It also publishes CRL if it is required. CRL is signed by default signing algorithm.

Throws:
EBaseException - if an error occurred during CRL generation or publishing

getCRLExtensions

ICMSCRLExtensions getCRLExtensions()
Returns list of CRL extensions.

Returns:
list of CRL extensions