All Known Implementing Classes: DutchGridCA, LocalCA, TestCA
public interface CA
This interface provides an abstraction layer to access a certificate authority. It is up to each implementation to use the arguments available.

A certificate signing request is generated by the caller and then passed to either encodeCertificationRequest(PKCS10CertificationRequest, Properties) or signCertificationRequest(PKCS10CertificationRequest, Properties, PrivateKey, X509Certificate). The return value must be stored by the caller and is to be supplied to uploadCertificationRequest(String, Properties). The caller can then poll isCertificationRequestProcessed(PKCS10CertificationRequest, Properties) to see whether the CA has finished the request; once it has, the certificate can be retrieved using downloadCertificate(PKCS10CertificationRequest, Properties).
The reason for the split between encoding/signing and uploading is to allow for certificate renewals that are signed by the existing key. The key must be decoded when the renewal request is generated (for signing it), and that may require user interaction. To minimise user interaction, the request is generated separately from the uploading.
To each method is supplied a Properties object, which contains information that can be used by the implementation to create and submit a request. Additionally, the implementation can use it to store properties. When, for example, a certain part of the subject DN is needed for submission, encodeCertificationRequest(org.bouncycastle.jce.PKCS10CertificationRequest, java.util.Properties) could set a property based on the request object, so that uploadCertificationRequest(java.lang.String, java.util.Properties) can easily retrieve it.
CA parameters (like URLs and settings) should be retrieved from the system properties in the jgridstart.ca namespace. Any URLs should be put in the jgridstart.ca.base namespace. Please look at existing implementations for reuse of property names. When a property is not defined, each implementation must set a sensible default and also update the system property to reflect that.
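The lifecycle above (encode or sign, upload, poll, download) and the property-default rule, driven from the caller's side in one piece of code. This is an added example and not jGridstart code: it assumes the caller already has a constructed CA implementation (here loaded by class name through a no-argument constructor), uses two polling settings named jgridstart.ca.poll.max and jgridstart.ca.poll.interval that exist only in this example, and adds checks on the returned certificate (requested key present, issuer matches, signature verifies under the CA certificate, validity period) that the interface itself does not perform.

```java
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Properties;

import javax.security.auth.x500.X500Principal;

import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Drives a CA implementation through the request lifecycle described above:
 * encode (or sign, for a renewal), upload, poll, download, then verify.
 * Added example, not jGridstart code. Place it in the same package as the CA
 * interface or add the matching import.
 */
public class CaRequestFlow {

    /**
     * Read a setting from the jgridstart.ca namespace. When it is undefined,
     * fall back to the default and write it back to the system properties, as
     * the interface description requires of implementations.
     */
    static String caProperty(String name, String defaultValue) {
        String key = "jgridstart.ca." + name;
        String value = System.getProperty(key);
        if (value == null) {
            value = defaultValue;
            System.setProperty(key, value);
        }
        return value;
    }

    /** Build a PKCS#10 request for subjectDn, signed with the request key pair. */
    static PKCS10CertificationRequest newRequest(KeyPair keys, String subjectDn) throws Exception {
        return new PKCS10CertificationRequest("SHA256withRSA",
                new X500Principal(subjectDn), keys.getPublic(), null, keys.getPrivate());
    }

    /**
     * Run one request through the CA. Pass oldKey/oldCert only for a renewal;
     * for a new request both are null and the request is merely encoded.
     */
    static X509Certificate obtainCertificate(CA ca, PKCS10CertificationRequest req, Properties info,
            PrivateKey oldKey, X509Certificate oldCert) throws Exception {
        String encoded = (oldKey == null)
                ? ca.encodeCertificationRequest(req, info)
                : ca.signCertificationRequest(req, info, oldKey, oldCert);
        // A real client persists 'encoded' and 'info' at this point, so that the
        // upload can be retried after a connection problem without touching the key again.
        ca.uploadCertificationRequest(encoded, info);

        // Polling budget; these two property names are this example's own assumption.
        int maxPolls = Integer.parseInt(caProperty("poll.max", "60"));
        long intervalMs = Long.parseLong(caProperty("poll.interval", "5000"));
        for (int i = 0; i < maxPolls; i++) {
            if (ca.isCertificationRequestProcessed(req, info)) {
                X509Certificate cert = ca.downloadCertificate(req, info);
                verifyIssued(ca, cert, req);
                return cert;
            }
            Thread.sleep(intervalMs);
        }
        throw new IOException("CA did not process the request within the polling budget");
    }

    /**
     * Checks a caller should make before installing what the CA returned: the
     * certificate must carry the requested public key, name this CA as issuer,
     * verify under the CA certificate's key, and be within its validity period.
     */
    static void verifyIssued(CA ca, X509Certificate cert, PKCS10CertificationRequest req) throws Exception {
        PublicKey requested = req.getPublicKey();
        if (!Arrays.equals(requested.getEncoded(), cert.getPublicKey().getEncoded())) {
            throw new SecurityException("certificate does not carry the key from the request");
        }
        if (!ca.isIssuer(cert)) {
            throw new SecurityException("certificate was not issued by this CA");
        }
        cert.verify(ca.getCACertificate().getPublicKey()); // throws on a bad signature
        cert.checkValidity();                              // throws if not yet valid or expired
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Assumption: args[0] names a CA implementation with a public no-argument constructor.
        CA ca = (CA) Class.forName(args[0]).getDeclaredConstructor().newInstance();

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keys = kpg.generateKeyPair();

        String subject = "CN=Example User,O=Example,C=NL"; // constructed sample subject
        PKCS10CertificationRequest req = newRequest(keys, subject);
        Properties info = new Properties();
        info.setProperty("subject", subject); // extra information; which keys matter is implementation-dependent

        X509Certificate cert = obtainCertificate(ca, req, info, null, null);
        System.out.println("issued " + cert.getSubjectX500Principal() + " by " + cert.getIssuerX500Principal());
    }
}
```

The comparison of encoded public keys is what ties the downloaded certificate back to the request; isIssuer and the signature check under getCACertificate() together guard against a certificate from a different CA being installed. The encoded string is kept between the encode/sign step and the upload precisely so that the upload can be retried without unlocking the private key a second time.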
If you are creating a new implementation and find that the current interface provides insufficient information, please contact the developers, and we'll see if an API update is sensible.
Modifier and Type | Method | Description |
---|---|---|
X509Certificate | downloadCertificate(PKCS10CertificationRequest req, Properties info) | Download a certificate from the CA. |
String | encodeCertificationRequest(PKCS10CertificationRequest req, Properties info) | Convert a certificate signing request to a form suitable for uploading. |
X509Certificate | getCACertificate() | Return the CA certificate. |
boolean | isCertificationRequestProcessed(PKCS10CertificationRequest req, Properties info) | Checks whether a certificate signing request was processed by the CA. |
boolean | isIssuer(X509Certificate cert) | Return whether a certificate was issued by this CA. |
String | signCertificationRequest(PKCS10CertificationRequest req, Properties info, PrivateKey oldKey, X509Certificate oldCert) | Post-processes (signs) a certificate signing request for renewal. |
void | uploadCertificationRequest(String req, Properties info) | Uploads a user certificate signing request to the CA. |
String encodeCertificationRequest(PKCS10CertificationRequest req, Properties info) throws IOException
When a certificate signing request is generated, it will need to be uploaded to the certificate authority later using uploadCertificationRequest(String, Properties). A new request should be encoded first by this method.
It is currently assumed that the returned string at least contains a PEM encoded version of the certificate request.
Parameters:
req - certificate signing request
info - extra information that may be sent with the request (implementation-dependent)
Throws:
IOException
String signCertificationRequest(PKCS10CertificationRequest req, Properties info, PrivateKey oldKey, X509Certificate oldCert) throws IOException
Renewals may be implemented by different methods, one of which is signing the text of the request with the original key. When the request is stored for reference later (and for uploading later in case of a connection problem), the signed request needs to be stored. That is why a string is returned, which is the signed certificate request. This is passed later to uploadCertificationRequest(String, Properties).
Note that this method is only called in case of a certificate renewal; otherwise it should be omitted.
It is currently assumed that the returned string at least contains a PEM encoded version of the certificate request.
Parameters:
req - certificate signing request
info - extra information that may be sent with the request (implementation-dependent)
oldKey - key to sign the request with
oldCert - certificate to sign the request with
Throws:
IOException
void uploadCertificationRequest(String req, Properties info) throws IOException
The request passed in as the req parameter must be the return value of either encodeCertificationRequest(PKCS10CertificationRequest, Properties) or signCertificationRequest(PKCS10CertificationRequest, Properties, PrivateKey, X509Certificate).
Parameters:
req - encoded (or signed) certificate signing request
info - extra information that may be sent with the request (implementation-dependent)
Throws:
IOException
boolean isCertificationRequestProcessed(PKCS10CertificationRequest req, Properties info) throws IOException
When true, the certificate can be downloaded using downloadCertificate(PKCS10CertificationRequest, Properties).
Implementers of this CA interface could, for example, simply return whether downloadCertificate(PKCS10CertificationRequest, Properties) would complete without errors, optionally caching the fetched certificate.
Parameters:
req - the certificate signing request that was sent
info - properties supplied to the previous methods as well
Throws:
IOException
X509Certificate downloadCertificate(PKCS10CertificationRequest req, Properties info) throws IOException
Parameters:
req - the certificate signing request that was sent
info - properties supplied to the previous methods as well
Throws:
IOException
X509Certificate getCACertificate() throws IOException
Throws:
IOException
boolean isIssuer(X509Certificate cert)
Copyright © 2010-2018 Nikhef / Stichting FOM. All Rights Reserved.