91 lines (65 loc) · 5.45 KB

pki-factory.adoc


1. PKI Factory

Since version 5.13 DSS provides a possibility of building and managing a local PKI.

There are two modules provided within the scope of the framework:

  • dss-pki-factory - contains common interfaces for working with PKI entities, as well as classes for managing provision of validation data and time-stamps.

  • dss-pki-factory-jaxb - an implementation of the dss-pki-factory module, providing a possibility to build a local PKI set-up based on a provided XML configuration.

1.1. Generic PKI Factory

Generic dss-pki-factory module provides the following interfaces and classes for working and managing the PKI:

  • CertEntity - represents a cryptographic unit linking an X.509 certificate with its private key.

  • CertEntityRepository - represents a connection to a local PKI infrastructure for accessing a corresponding CertEntity, revocation status information about a certificate and its issuer certificate.

  • CertEntityRevocation - represents a DTO carrying revocation information about a particular certificate token.

CertEntity and CertEntityRepository are interfaces and require an implementation to work with. By default, DSS provides a dss-pki-factory-jaxb module containing a JAXB implementation of the generic PKI factory. See JAXB PKI Factory for more details.

The module provides the following classes for distributing validation data:

  • PKICRLSource - is an implementation of the CRLSource interface, providing a possibility to generate CRL data for the given CertificateToken input. The class provides revocation information for certificates from the given CertEntityRepository that have the CRL access option enabled (i.e. a CRL distribution point URL). The class can be configured to produce revocation data with a certain thisUpdate and/or nextUpdate time, or with a given signature algorithm. See below an example of class configuration and usage:

PKICRLSource class usage
link:../../../test/java/eu/europa/esig/dss/cookbook/example/snippets/JAXBPKICreationTest.java[role=include]
  • PKIOCSPSource - is an implementation of the OCSPSource interface, providing a possibility to generate an OCSP response for the given CertificateToken input. The class provides revocation information for certificates from the given CertEntityRepository that have the OCSP access option enabled (i.e. an OCSP access point URL). The class can be configured to produce revocation data with a certain producedAt, thisUpdate and/or nextUpdate time, or with a given signature algorithm. See below an example of class configuration and usage:

PKIOCSPSource class usage
link:../../../test/java/eu/europa/esig/dss/cookbook/example/snippets/JAXBPKICreationTest.java[role=include]
  • PKIDelegatedOCSPSource - is an extension of PKIOCSPSource allowing OCSP issuing to be delegated to a certificate token other than the certificate’s direct issuer. Configuration of the class is similar to PKIOCSPSource. See below an example of class configuration and usage:

PKIDelegatedOCSPSource class usage
link:../../../test/java/eu/europa/esig/dss/cookbook/example/snippets/JAXBPKICreationTest.java[role=include]
  • PKIAIASource - is an implementation of AIASource allowing extraction of a given certificate’s issuer or of its complete certificate chain. See below an example of class configuration and usage:

PKIAIASource class usage
link:../../../test/java/eu/europa/esig/dss/cookbook/example/snippets/JAXBPKICreationTest.java[role=include]

DSS also provides a class for time-stamp creation using a local PKI. To generate a time-stamp token you may use the PKITSPSource class, which extends the KeyEntityTSPSource class and therefore benefits from all of its available configuration (see [KeyEntityTSPSource] for more detail). See below an example of class usage:

PKITSPSource class usage
link:../../../test/java/eu/europa/esig/dss/cookbook/example/snippets/JAXBPKICreationTest.java[role=include]
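The sources above are most useful when combined, as in the following added example, which is not DSS project code: the repository is any CertEntityRepository implementation (the JAXB one is described in the JAXB PKI Factory section), imports are omitted, and the setters marked "assumed" in the comments are not taken from this page.

```java
public class LocalPkiValidationExample {

    public static CertificateVerifier buildVerifier(CertEntityRepository<? extends CertEntity> repository,
                                                    CertEntity trustAnchor) {
        Date now = new Date();
        Date tomorrow = new Date(now.getTime() + TimeUnit.DAYS.toMillis(1));
        // CRL source: explicit validity window and SHA-256 signature (setter names assumed)
        PKICRLSource crlSource = new PKICRLSource(repository);
        crlSource.setThisUpdate(now);
        crlSource.setNextUpdate(tomorrow);
        crlSource.setDigestAlgorithm(DigestAlgorithm.SHA256);
        // OCSP source: same window plus an explicit producedAt (setter names assumed)
        PKIOCSPSource ocspSource = new PKIOCSPSource(repository);
        ocspSource.setProductionDate(now);
        ocspSource.setThisUpdate(now);
        ocspSource.setNextUpdate(tomorrow);
        // AIA source: issuer certificates are resolved from the repository, not over HTTP
        PKIAIASource aiaSource = new PKIAIASource(repository);
        // Trust only the local PKI root; the JVM trust store is never consulted
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        trusted.addCertificate(trustAnchor.getCertificateToken());

        CommonCertificateVerifier verifier = new CommonCertificateVerifier();
        verifier.setCrlSource(crlSource);
        verifier.setOcspSource(ocspSource);
        verifier.setAIASource(aiaSource);
        verifier.setTrustedCertSources(trusted);
        return verifier;
    }

    // Validate one certificate issued by the local PKI; the reports can then be
    // inspected for the chain-building and revocation outcome.
    public static CertificateReports validate(CertificateVerifier verifier, CertEntity leaf) {
        CertificateValidator validator = CertificateValidator.fromCertificate(leaf.getCertificateToken());
        validator.setCertificateVerifier(verifier);
        return validator.validate();
    }

    // Time-stamp arbitrary bytes with a local TSA entity that holds a time-stamping certificate
    public static TimestampBinary timestamp(CertEntity tsaEntity, byte[] data) {
        PKITSPSource tspSource = new PKITSPSource(tsaEntity);
        // Constructed policy OID; the setter is inherited from KeyEntityTSPSource (assumed)
        tspSource.setTsaPolicy("1.2.3.4.5");
        byte[] digest = DSSUtils.digest(DigestAlgorithm.SHA256, data);
        return tspSource.getTimeStampResponse(DigestAlgorithm.SHA256, digest);
    }
}
```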

1.2. JAXB PKI Factory

JAXB PKI Factory is the default implementation of the Generic PKI Factory module, provided within the DSS framework for creating test PKIs.

The JAXB PKI Factory can generate a complete PKI repository from a provided XML configuration. The XML describing the certificates to be created must conform to the XSD schema. Examples of JAXB PKI configuration can be found via the link.

An example of a JAXB PKI generation can be found below:

JAXB PKI generation example
link:../../../test/java/eu/europa/esig/dss/cookbook/example/snippets/JAXBPKICreationTest.java[role=include]

It is also possible to modify the PKI entries dynamically, for instance to add a new certificate or to revoke a certificate. See below an example of adding a new certificate to the PKI repository generated earlier:

Add new certificate to PKI repository
link:../../../test/java/eu/europa/esig/dss/cookbook/example/snippets/JAXBPKICreationTest.java[role=include]
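The other dynamic modification mentioned above, revoking an entry, as an added example that is not DSS project code: the XML path and subject name are constructed, and the getIssuer lookup and the revocation setters on JAXBCertEntity are assumed method names; imports are omitted.

```java
public class JaxbPkiRevocationExample {

    public static JAXBCertEntityRepository loadPki(File pkiXml) {
        JAXBCertEntityRepository repository = new JAXBCertEntityRepository();
        // Parses the XML (it must validate against the PKI factory XSD), generates the
        // key pairs and certificates, and stores the resulting entities in the repository
        new JAXBPKILoader().persistPKI(repository, pkiXml);
        return repository;
    }

    public static CertificateStatus revokeAndCheck(JAXBCertEntityRepository repository, String subject) {
        JAXBCertEntity entity = repository.getCertEntityBySubject(subject);
        JAXBCertEntity issuer = repository.getIssuer(entity); // assumed lookup

        // Dynamic modification: the entity is marked revoked in the in-memory repository;
        // no certificate is re-issued (setter names assumed)
        entity.setRevocationDate(new Date());
        entity.setRevocationReason(RevocationReason.KEY_COMPROMISE);

        // A CRL generated afterwards reflects the new status for this certificate
        PKICRLSource crlSource = new PKICRLSource(repository);
        CRLToken crl = crlSource.getRevocationToken(entity.getCertificateToken(), issuer.getCertificateToken());
        return crl.getStatus();
    }

    public static void main(String[] args) {
        // Constructed path and subject; replace with your own PKI configuration
        JAXBCertEntityRepository repository = loadPki(new File("src/test/resources/pki/good-pki.xml"));
        System.out.println(revokeAndCheck(repository, "good-user"));
    }
}
```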