java.lang.Object
  +--com.novell.security.japi.pki.NPKIAPI
Establishes methods and protocols to implement a certificate authority (CA) that issues, stores, and manages digital certificates. This API lets you use the functionality of Novell eDirectory to enhance or customize your security solutions and build on the certificates issued by Novell Certificate Server without rewriting that technology yourself.
NOTE: Novell Certificate Server requires the cryptography services of Novell International Cryptographic Infrastructure (NICI). NICI is the underlying cryptographic infrastructure that provides the cryptography for Novell Certificate Server and other Novell applications. Novell Certificate Server will not function if cryptography services are not fully installed.
NICI availability and cryptography strength is restricted if your network is located in an entity listed on the U.S. Government Restricted Party List or in a country with import controls on cryptography products or technologies.
Field Summary
static int |
CHAIN_CERT
Use this flag when exporting or retrieving information on the certificate chain. |
static int |
CHAIN_CERT_DESCENDING
Use this flag to get the certificate chain in descending order. |
static int |
CRL_SIGN
Designates that the key is used to sign CRLs (Certificate Revocation Lists). |
static int |
DATA_ENCIPHERMENT
Designates that the key is used to directly encrypt data. |
static int |
DECIPHER_ONLY
Not valid for RSA keys. |
static int |
DEFAULT_YEAR_ENCODING
Specifies the X.509 default for date encoding (see RFC 2459 for more details). |
static int |
DIGITAL_SIGNATURE
Designates that the key is used to create digital signatures. |
static int |
ENCIPHER_ONLY
Not valid for RSA keys. |
static int |
EXTENSION_CRITICAL
Use to set the extension as critical in the certificate. |
static int |
EXTENSION_DONT_ENCODE
Use to exclude the extension from the certificate. |
static int |
FIELD_CRITICAL
Specifies a critical field in a certificate. |
static int |
FIELD_NON_CRITICAL
Specifies a non-critical field. |
static int |
FOUR_DIGIT_YEAR
Identifies dates that have a four-digit year. |
static int |
KEY_AGREEMENT
Not valid for RSA keys. |
static int |
KEY_CERT_SIGN
Designates that the key is used to sign certificates. |
static int |
KEY_ENCIPHERMENT
Designates that the key is used to encrypt other keys. |
static int |
KMO_CERTIFICATE_INVALID
Indicates the object is in an invalid state. |
static int |
KMO_CERTIFICATE_PRESENT
Indicates all certificates as well as the key pair have been stored, and the object is in working order. |
static int |
KMO_EMPTY
Indicates no certificates or key pair have been stored. |
static int |
KMO_KEY_PAIR_PRESENT
Indicates a key pair has been stored, but no certificates have been stored. |
static int |
KMO_TRUSTED_ROOT_PRESENT
Indicates a key pair and the root certificate have been stored, but the object certificate has not been stored. |
static int |
MAX_CERTIFICATE_SIZE
Flags to use when creating a KMO using PKI verb #3 -- Create RSA key pair. |
static int |
MAX_CSR_SIZE
Size of the certificate signing request (CSR). |
static int |
MAX_NICK_NAME_BYTES
Size in bytes of the nickname. |
static int |
MAX_NICK_NAME_CHARS
Maximum characters in nickname. |
static int |
MAX_SINGLE_CERTIFICATE_SIZE
Maximum size in bytes that the server certificate can be set. |
static int |
NO_CA_OPERATIONAL
Indicates a CA is either not installed and/or not operational on the specified server. |
static int |
NON_REPUDIATION
Designates that the key is used for non-repudiation. |
static int |
NOVELL_CERT
Deprecated. |
static int |
NOVELL_EXTENSION_EXTRACTABLE_KEY
An additional flag that specifies that the private key can be extracted from Novell International Cryptographic Infrastructure (NICI). |
static int |
NOVELL_EXTENSION_ORGCA_DEFAULT
Specifies that the key-pair is for the organizational CA. |
static int |
NOVELL_EXTENSION_SERVER_DEFAULT
Used to specify that the key-pair is for a server. |
static int |
NOVELL_EXTENSION_USER_DEFAULT
Specifies that the key-pair is for a user. |
static int |
NPKI_CA_CHANGE_HEALTH_CHECK_FORCE
Use this value to set the 'Security Rights Level' to specify that the PKI Health Check code should force the re-creation of the default server certificates if the Trusted Root certificate for the default server certificate objects (KMOs) are not the same as the Organizational CA's root certificate. |
static int |
NPKI_CA_RIGHTS_DEFAULT
Specifies the system default Security Rights Level. |
static int |
NPKI_CA_RIGHTS_ISSUE_CRL_ALL
Specifies that the 'Security Rights Level' allows any authenticated eDirectory user to issue an emergency CRL without specific rights to the CRL Configuration object. |
static int |
NPKI_CA_RIGHTS_READ_NCP
Specifies that the 'Security Rights Level' only requires Read (R) rights for any object to operate the Certificate Authority. |
static int |
NPKI_CA_RIGHTS_SELF_PROVISION_SERVER
Specifies that the 'Security Rights Level' allows servers to create their own certificates, without specific rights to the Certificate Authority, provided that the certificates encode a subject name that is consistent with the server's IP address, DNS name, or eDirectory identity. |
static int |
NPKI_CA_RIGHTS_SELF_PROVISION_USER
Specifies that the 'Security Rights Level' allows users to create their own certificates, without specific rights to the Certificate Authority, provided that the certificates encode a subject name that is consistent with the user's eDirectory identity. |
static int |
NPKI_CA_RIGHTS_WRITE_ALL
Specifies that the 'Security Rights Level' requires Write (W) rights for all objects to operate the Certificate Authority. |
static int |
NPKI_CERTIFICATE_CREATE_CA_CHANGE_FORCE
This flag will cause createDefaultCertificates to force the
re-creation of the default server certificates if the Trusted Root certificate for the
default server certificate objects (KMOs) are not the same as the Organizational CA's root
certificate. |
static int |
NPKI_CERTIFICATE_CREATE_FORCE
This flag will cause createDefaultCertificates to overwrite all
default certificates with a new key pair and a new certificate. |
static int |
NPKI_CERTIFICATE_CREATE_NO_OVERWRITE
This flag will cause createDefaultCertificates to create the default certificates if they do not exist; none of the current default certificates will be overwritten. |
static int |
NPKI_CERTIFICATE_CREATE_NORMAL
The default flag for createDefaultCertificates . |
static int |
NPKI_DONT_QUERY_IP_AND_DNS
Use this flag if you do not want createDefaultCertificates to query WinSock/DNS for the default IP and DNS information. |
static int |
NPKI_DONT_REPLACE_SSL_DNS
Use this flag if you do not want createDefaultCertificates to overwrite
the 'SSL CertificateDNS' KMO. |
static int |
NPKI_DONT_REPLACE_SSL_IP
Use this flag if you do not want createDefaultCertificates to overwrite
the 'SSL CertificateIP' KMO. |
static int |
NPKI_INVALID_CONTEXT
Specifies the context values. |
static int |
OBJECT_KEY_CERT
Use this flag when exporting or retrieving information on the object certificate. |
static int |
PKI_ADD
Use to add an entry. |
static int |
PKI_ADD_CERT
Deprecated. |
static int |
PKI_ALL_VENDORS
Lists all certificate vendors. |
static int |
PKI_CA_INFO
Use PKI_CA_INFO when querying information about creating or using a certificate
authority. |
static int |
PKI_CA_KEY_AND_CERTS
Use this flag when exporting the CA self-signed certificate, public certificate, and the CA's chain. |
static int |
PKI_CERTIFICATE_NORMAL
Indicates that a certificate has been issued and the key pair is present. |
static int |
PKI_CERTIFICATE_ON_HOLD
Indicates that the certificate is on hold. |
static int |
PKI_CHAIN_CERTIFICATE
Use this flag when exporting or retrieving information on the certificate chain. |
static int |
PKI_CLEAR
Use to remove (or clear) all the entries. |
static int |
PKI_CLEAR_CERTS
Deprecated. |
static int |
PKI_CSR_PENDING
Indicates that the user certificate has not been issued by the CA. |
static int |
PKI_CUSTOM_SUBJECT_NAME
Use when the subject name is not the default. |
static int |
PKI_DAYS
Specifies a time unit of days. |
static int |
PKI_DEFAULT_CONFIGURATION
Specifies that this configuration is the default configuration. |
static int |
PKI_DEL_CERT
Deprecated. |
static int |
PKI_DELETE
Use to remove an entry. |
static int |
PKI_E_ACCESS_DENIED
The user does not have the appropriate eDirectory rights to perform the operation. |
static int |
PKI_E_ADD_CERTIFICATE
The User Certificate created was not stored in the User object. |
static int |
PKI_E_ADD_KEYPAIR
Not currently used. |
static int |
PKI_E_ADD_TRUSTED_ROOT
Not currently used. |
static int |
PKI_E_ALGORITHM_NOT_SUPPORTED
The requested key generation or signature algorithm is not allowed by NICI. |
static int |
PKI_E_BAD_REQUEST_SYNTAX
An invalid request was made to the client or server. |
static int |
PKI_E_BAD_ROOT_INDEX
The certificate chain stored in a Server Certificate object Server_Certificate_Object has been corrupted. |
static int |
PKI_E_BROKEN_CHAIN
The certificate chain being stored in a Server Certificate object is invalid or corrupted. |
static int |
PKI_E_BUFFER_OVERFLOW
An internal data buffer overflow occurred. |
static int |
PKI_E_CA_ALREADY_INSTALLED
Not currently used. |
static int |
PKI_E_CA_NOT_OPERATIONAL
The specified server is not a CA. |
static int |
PKI_E_CERT_INVALID
The certificate is invalid. |
static int |
PKI_E_CERT_NOT_FOUND
The specified certificate could not be found. |
static int |
PKI_E_CREATE_CERTIFICATE_OR_CSR
The certificate or certificate signing request could not be generated. |
static int |
PKI_E_CRL_INVALID
The CRL is invalid. |
static int |
PKI_E_CRYPT_INIT
Not currently used. |
static int |
PKI_E_DATA_NOT_READY
The requested data is not available. |
static int |
PKI_E_DSIO
Not currently used. |
static int |
PKI_E_DUPLICATE
Not currently used. |
static int |
PKI_E_EXPECTING_CERTIFICATE
An attempt to store a certificate or a certificate chain with an invalid encoding into a Server Certificate object was made. |
static int |
PKI_E_EXPIRED_CERTIFICATE
A certificate is no longer valid because it has expired. |
static int |
PKI_E_FILE_CREATE
A file could not be created. |
static int |
PKI_E_FILE_OPEN
A file could not be opened. |
static int |
PKI_E_FILE_READ
A file could not be read. |
static int |
PKI_E_FILE_SEEK
The size of a file could not be determined. |
static int |
PKI_E_FILE_WRITE
A file could not be written. |
static int |
PKI_E_GENERATE_KEY
Not currently used. |
static int |
PKI_E_INIT_ERROR
The client could not initialize the required eDirectory context. |
static int |
PKI_E_INSUFFICIENT_MEMORY
Memory could not be allocated on either the client workstation or the server. |
static int |
PKI_E_INTERNAL_ERROR
An unexpected internal error has occurred. |
static int |
PKI_E_INVALID_ALGORITHM
The cryptographic algorithm is not supported. |
static int |
PKI_E_INVALID_CERTIFICATE_TIME
The validity period requested for the certificate is not valid. |
static int |
PKI_E_INVALID_CONTEXT
The specified context is not currently valid. |
static int |
PKI_E_INVALID_CREATE_CA_REQUEST
Not currently used. |
static int |
PKI_E_INVALID_DIGEST
Not currently used. |
static int |
PKI_E_INVALID_KDK_ID
Not currently used. |
static int |
PKI_E_INVALID_KEY_ID
The specified certificate nickname could not be found. |
static int |
PKI_E_INVALID_NAME
A specified name is not valid for the requested operation. |
static int |
PKI_E_INVALID_NICKNAME
A User Certificate with the specified nickname does not exist. |
static int |
PKI_E_INVALID_OBJECT
The specified object is not the expected type or does not contain the expected information. |
static int |
PKI_E_INVALID_OPERATION
The requested operation cannot be performed by the Novell Certificate Server. |
static int |
PKI_E_INVALID_SIGNATURE
Not currently used. |
static int |
PKI_E_KDK_TABLE_FULL
Not currently used. |
static int |
PKI_E_KEY_FAILURE
An error occurred while transporting a private key to the client. |
static int |
PKI_E_KEY_SIZE_NOT_SUPPORTED
The requested key size is not supported by NICI. |
static int |
PKI_E_KEYS_ALREADY_EXIST
A key pair already exists for the organizational CA. |
static int |
PKI_E_NICI_OUTOF_SYNC
An NICI session error occurred while attempting to transfer a private key. |
static int |
PKI_E_NICKNAME_IN_USE
The nickname specified is already being used. |
static int |
PKI_E_NO_IP_ADDRESSES
No IP address can be found for the specified server. |
static int |
PKI_E_NO_KEY_FILE
Not currently used. |
static int |
PKI_E_NO_RIGHTS
The user does not have the appropriate eDirectory rights to perform the operation. |
static int |
PKI_E_NO_SECURITY_CONTAINER
The Security container cannot be found. |
static int |
PKI_E_NO_TREE_CA
An organizational CA does not exist for the eDirectory tree. |
static int |
PKI_E_NOT_CONNECTED_TO_SERVICE
You are not currently connected to a server that can perform the requested operation. |
static int |
PKI_E_NOT_SUPPORTED
Novell Certificate Server does not support the requested operation. |
static int |
PKI_E_ONLY_ONE_TREE_CA
An attempt was made to create an organizational CA when one already exists. |
static int |
PKI_E_PARSE_CERTIFICATE
Novell Certificate Server was unable to parse a certificate that has been stored or is being stored. |
static int |
PKI_E_PUBLIC_KEY_COMPARISON_FAILURE
The public key stored in the Server Certificate object is not the same as the public key within the certificate being stored. |
static int |
PKI_E_SERVICE_NOT_AVAILABLE
The service is not available. |
static int |
PKI_E_SUBJECT_NAME_COMPARISON_FAILURE
The subject name stored in the server certificate object is not the same as the subject name within the certificate that is being stored. |
static int |
PKI_E_SYSTEM_RESOURCES
The server could not allocate the required eDirectory context or the required NICI context. |
static int |
PKI_E_UNKNOWN_ATTRIBUTE
The requested subject name, issuer name, or alternative name contains a name type that is not understood by Novell Certificate Server. |
static int |
PKI_E_UPDATE_KMO
A certificate with the specified key pair name already exists for the specified server. |
static int |
PKI_E_USER_ALREADY_IN_LIST
Not currently used. |
static int |
PKI_E_USER_CERT_NOT_FOUND
Not currently used. |
static int |
PKI_E_USER_NOT_FOUND_IN_LIST
Not currently used. |
static int |
PKI_E_WRONG_VERSION
An unrecognized version of an NCP has been sent to the server. |
static int |
PKI_EXTENSION_CRITICAL
Use to set the extension as critical in the certificate. |
static int |
PKI_EXTENSION_DONT_INCLUDE
Use to exclude the extension from the certificate. |
static int |
PKI_EXTENSION_INCLUDE
Use to include the extension in the certificate. |
static int |
PKI_EXTENSION_NON_CRITICAL
Use to set the extension as non-critical in the certificate. |
static int |
PKI_EXTERNAL_KEY_PAIR
Indicates that the key pair was generated external to the Novell PKI service. |
static int |
PKI_HOURS
Specifies a time unit of hours. |
static int |
PKI_INTERNAL_KEY_PAIR
Indicates a key pair was generated by Novell PKI service and the private key is stored in eDirectory. |
static int |
PKI_INVALID
Specifies flags for invalidity reasons. |
static int |
PKI_MINUTES
Specifies a time unit of minutes. |
static int |
PKI_MONTHS
Specifies a time unit of months. |
static int |
PKI_NO_CA
Indicates a CA is either not installed and/or not operational on the specified server. |
static int |
PKI_NOVELL_CERTIFICATE
Flag used with storeServerCertificates to specify which certificate in a chain should be treated as the root certificate. |
static int |
PKI_NS_DOS
Specifies the type of name space on the NetWare volume. |
static int |
PKI_NS_FTAM
Specifies the type of name space on the NetWare volume. |
static int |
PKI_NS_MACINTOSH
Specifies the type of name space on the NetWare volume. |
static int |
PKI_NS_OS2
Specifies the type of name space on the NetWare volume. |
static int |
PKI_NS_UNIX
Specifies the type of name space on the NetWare volume. |
static int |
PKI_OBJECT_KEY_CERTIFICATE
Flags to use with getCACertificates, getServerCertificates, and storeServerCertificates to determine which certificates are returned. |
static int |
PKI_ORG_CA_CERTIFICATE
Use the self-signed organizational certificate as the trusted root. |
static int |
PKI_ORGANIZATIONAL_CA
Indicates an organizational CA is installed and operational on the specified server. |
static int |
PKI_OVERWRITE_KEYPAIR
Overwrites any information currently associated with this key pair. |
static int |
PKI_PRIVATE_KEY_EXPORTABLE
Enables the extraction of the private key into a PKCS#12 file. |
static int |
PKI_PRIVATE_KEY_NOT_IN_NDS
Indicates that the certificate that is present does not have the private key. |
static int |
PKI_RETRY
Indicates if the call is a retry. |
static int |
PKI_RSA_ALGORITHM
Indicates support of the RSA key generation algorithm. |
static int |
PKI_SELF_SIGNED_CERTIFICATE
Specifies a DER-encoded X.509 self-signed certificate; not used with getServerCertificates. |
static int |
PKI_SERVER_HEALTH_CHECK
Use this flag to have the PKI Health Check run on the server. |
static int |
PKI_SERVER_INFO
Use this flag when querying for information about creating a server certificate. |
static int |
PKI_SERVICE_INFO
Not supported, will cause an error. |
static int |
PKI_SIGN_WITH_RSA_AND_MD2
Indicates support of the MD2 with RSA encryption signing algorithm. |
static int |
PKI_SIGN_WITH_RSA_AND_MD5
Indicates support of the MD5 with RSA encryption signing algorithm. |
static int |
PKI_SIGN_WITH_RSA_AND_SHA_256
Indicates support of the SHA 256 (SHA2) with RSA encryption signing algorithm. |
static int |
PKI_SIGN_WITH_RSA_AND_SHA_384
Indicates support of the SHA 384 (SHA2) with RSA encryption signing algorithm. |
static int |
PKI_SIGN_WITH_RSA_AND_SHA_512
Indicates support of the SHA 512 (SHA2) with RSA encryption signing algorithm. |
static int |
PKI_SIGN_WITH_RSA_AND_SHA1
Indicates support of the SHA1 with RSA encryption signing algorithm. |
static int |
PKI_SORT
Use to sort the entries. |
static int |
PKI_SORT_LIST
Deprecated. |
static int |
PKI_STORE_PRIVKEY_IN_OBJECT
Stores encrypted private key in CA object. |
static int |
PKI_SUB_ORGANIZATIONAL_CA
Indicates a subordinate CA is installed and operational on the specified server (currently not supported). |
static int |
PKI_SUCCESS
Indicates that the eDirectory object exists and that the requested operation completed successfully. |
static int |
PKI_TERISA_ADD_CERTIFICATE_ERROR
The server could not store the specified certificate or certificate chain in the Server Certificate object. |
static int |
PKI_TERISA_ADD_KEYS_ERROR
The server could not store the public and private keys in the Server Certificate object. |
static int |
PKI_TERISA_ADD_ROOT_ERROR
The server could not add the specified certificate as a trusted root to the Server Certificate object. |
static int |
PKI_TERISA_ESTABLISH_CONTEXT_ERROR
The server could not establish a Terisa context. |
static int |
PKI_TRUSTED_ROOT_CERTIFICATE
Use this flag when exporting or retrieving information on the trusted root certificate. |
static int |
PKI_TYPE_CERTIFICATE_CONTAINER
Specifies the PKI container to be of type certificate. |
static int |
PKI_TYPE_CRL_CONTAINER
Specifies the PKI container to be of type CRL. |
static int |
PKI_UNKNOWN_ALGORITM
Indicates that the specified algorithm is unknown and not supported. |
static int |
PKI_USER_INFO
Use this flag when querying for information about creating a user certificate. |
static int |
PKI_VENDOR_ENTRUST
Specifies an Entrust certificate. |
static int |
PKI_VENDOR_EXTERNAL
Specifies an external vendor. |
static int |
PKI_VENDOR_NOVELL
Specifies a Novell certificate. |
static int |
PKI_VENDOR_UNKNOWN
Indicates that an unregistered vendor has been selected. |
static int |
PKI_VENDOR_VERISIGN
Specifies a Verisign certificate. |
static int |
PKI_WAIVE_SUBJECT_NAME_IN_CERTIFICATE
Use when storing an external certificate whose subject name does not match original subject name. |
static int |
PKI_WEEKS
Specifies a time unit of weeks. |
static int |
PKIS_VERSION_ONE
Specifies PKI Services Version 1. |
static int |
PKIS_VERSION_ONE_FIVE
Specifies PKI Services Version 1.5. |
static int |
PKIS_VERSION_ONE_ZERO_FIVE
Specifies PKI Services Version 1.0.5. |
static int |
PKIS_VERSION_ONE_ZERO_NINE
Specifies PKI Services Version 1.0.9. |
static int |
PKIS_VERSION_ONE_ZERO_ZERO
Specifies PKI Services Version 1.0.0. |
static int |
PKIS_VERSION_THREE_ONE_ONE
Specifies PKI Services Version 3.1.1. |
static int |
PKIS_VERSION_THREE_ONE_ZERO
Specifies PKI Services Version 3.1.0. |
static int |
PKIS_VERSION_THREE_ZERO_ZERO
Specifies PKI Services Version 3.0.0. |
static int |
PKIS_VERSION_TWO
Specifies PKI Services Version 2. |
static int |
PKIS_VERSION_TWO_FIVE_FOUR
Specifies PKI Services Version 2.5.4. |
static int |
PKIS_VERSION_TWO_FIVE_TWO
Specifies PKI Services Version 2.5.2. |
static int |
PKIS_VERSION_TWO_FIVE_ZERO
Specifies PKI Services Version 2.5.0. |
static int |
PKIS_VERSION_TWO_FOUR_ZERO
Specifies PKI Services Version 2.4.0. |
static int |
PKIS_VERSION_TWO_ONE_ONE
Specifies PKI Services Version 2.1.1. |
static int |
PKIS_VERSION_TWO_SEVEN_EIGHT
Specifies PKI Services Version 2.7.8. |
static int |
PKIS_VERSION_TWO_SEVEN_FIVE
Specifies PKI Services Version 2.7.5. |
static int |
PKIS_VERSION_TWO_SEVEN_FOUR
Specifies PKI Services Version 2.7.4. |
static int |
PKIS_VERSION_TWO_SEVEN_NINE
Specifies PKI Services Version 2.7.9. |
static int |
PKIS_VERSION_TWO_SEVEN_SEVEN
Specifies PKI Services Version 2.7.7. |
static int |
PKIS_VERSION_TWO_SEVEN_SIX
Specifies PKI Services Version 2.7.6. |
static int |
PKIS_VERSION_TWO_SEVEN_THREE
Specifies PKI Services Version 2.7.3. |
static int |
PKIS_VERSION_TWO_SEVEN_TWO
Specifies PKI Services Version 2.7.2. |
static int |
PKIS_VERSION_TWO_SEVEN_ZERO
Specifies PKI Services Version 2.7.0. |
static int |
PKIS_VERSION_TWO_SIX_ZERO
Specifies PKI Services Version 2.6.0. |
static int |
PKIS_VERSION_TWO_TWO_ONE
Specifies PKI Services Version 2.2.1. |
static int |
PKIS_VERSION_TWO_TWO_ZERO
Specifies PKI Services Version 2.2.0. |
static int |
PKIS_VERSION_TWO_ZERO_THREE
Specifies PKI Services Version 2.0.3. |
static int |
PKIS_VERSION_TWO_ZERO_TWO
Specifies PKI Services Version 2.0.2. |
static int |
PKIS_VERSION_TWO_ZERO_ZERO
Specifies PKI Services Version 2.0.0. |
static int |
PRIVATE_KEY
Use for all certificates. |
static int |
PRIVATE_KEY_EXTRACTABLE
Use to allow a key to be extracted out of NICI. |
static int |
PUBLIC_KEY_EXTERNAL_CA
Use when the CA is external to Novell. |
static int |
PUBLIC_KEY_ORGANIZATIONAL_CA
Public Key Flags to use when creating an Organizational CA. |
static int |
PUBLIC_KEY_SINGLE_SERVER
Use when the key generation server is the same as the CA server. |
static int |
PUBLIC_KEY_TWO_SERVER
Use when the key generation server is not the same as the CA server. |
static int |
SELF_SIGNED_CERT
Use this flag when exporting or retrieving information on the self-signed certificate. |
static int |
SUB_CA_OPERATIONAL
Indicates an organizational CA is installed and operational on the specified server (currently not supported). |
static int |
TREE_CA_CERT
Deprecated. |
static int |
TREE_CA_OPERATIONAL
The server hosts the organizational CA. |
static int |
TRUSTED_ROOT_CERT
Use this flag when exporting or retrieving information on the trusted root certificate. |
static int |
TWO_DIGIT_YEAR
Identifies dates that have a two-digit year. |
static int |
UNKNOWN_VERSION
Indicates that the specified version of the certificate is unknown and not supported. |
static int |
USER_CERT_RETRY_COUNT
Specifies the number of tries the system attempts when storing a user certificate. |
static int |
VERSION_ONE
The decoded certificate is a version one certificate. |
static int |
VERSION_THREE
The decoded certificate is a version three certificate. |
static int |
VERSION_TWO
The decoded certificate is a version two certificate. |
static int |
WAIVE_SUBJECT_NAME_COMPARISON
Normally storeServerCertificates and storeServerCertificatesFromCertificateList check that the requested name and the subject name in the certificate match. |
static int |
X509_BASIC_CONSTRAINTS_CA
The X.509 basic constraints extension is used to specify that a certificate belongs to a certificate authority (CA). |
static int |
X509_GENERAL_NAME_DIRECTORY_NAME
The alternative name must be encoded as a Name choice as specified in X.501. |
static int |
X509_GENERAL_NAME_DNS_NAME
The alternative name must be a unicode representation of an IA5String. |
static int |
X509_GENERAL_NAME_EDI_PARTY_NAME
The alternative name must be encoded as an EDIPartyName sequence as specified in RFC 3280 section 4.2.1.7. |
static int |
X509_GENERAL_NAME_IP_ADDRESS
The alternative name must be an OCTET STRING in "network byte order" as specified in ASN.1. |
static int |
X509_GENERAL_NAME_OTHER_NAME
The alternative name must be ASN.1 encoded as an OtherName sequence as specified in RFC 3280 section 4.2.1.7. |
static int |
X509_GENERAL_NAME_REGISTERED_ID
The alternative name must be encoded as an OBJECT IDENTIFIER as specified in ASN.1. |
static int |
X509_GENERAL_NAME_RFC822_NAME
The alternative name must be a unicode representation of an IA5String. |
static int |
X509_GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER
The alternative name must be a unicode representation of an IA5String. |
static int |
X509_GENERAL_NAME_X400_ADDRESS
The alternative name must be encoded as an ORAddress sequence as specified in RFC 3280 section 4.2.1.7. |
static int |
X509_KEY_USAGE_CRL_SIGN
Designates that the key is used to sign CRLs (Certificate Revocation Lists). |
static int |
X509_KEY_USAGE_DATA_ENCIPHERMENT
Designates that the key is used to directly encrypt data. |
static int |
X509_KEY_USAGE_DECIPHER_ONLY
Not valid for RSA keys. |
static int |
X509_KEY_USAGE_DIGITAL_SIGNATURE
Designates that the key is used to create digital signatures. |
static int |
X509_KEY_USAGE_ENCIPHER_ONLY
Not valid for RSA keys. |
static int |
X509_KEY_USAGE_KEY_AGREEMENT
Not valid for RSA keys. |
static int |
X509_KEY_USAGE_KEY_CERT_SIGN
Designates that the key is used to sign certificates. |
static int |
X509_KEY_USAGE_KEY_ENCIPHERMENT
Designates that the key is used to encrypt other keys. |
static int |
X509_KEY_USAGE_NON_REPUDIATION
Designates that the key is used for non-repudiation. |
static int |
X509_SUBJECT_ALT_NAME_DIRECTORY_NAME
Deprecated -- Use X509_GENERAL_NAME_DIRECTORY_NAME |
static int |
X509_SUBJECT_ALT_NAME_DNS_NAME
Deprecated -- Use X509_GENERAL_NAME_DNS_NAME |
static int |
X509_SUBJECT_ALT_NAME_EDI_PARTY_NAME
Deprecated -- Use X509_GENERAL_NAME_EDI_PARTY_NAME |
static int |
X509_SUBJECT_ALT_NAME_IP_ADDRESS
Deprecated -- Use X509_GENERAL_NAME_IP_ADDRESS |
static int |
X509_SUBJECT_ALT_NAME_OTHER_NAME
Deprecated -- Use X509_GENERAL_NAME_OTHER_NAME |
static int |
X509_SUBJECT_ALT_NAME_REGISTERED_ID
Deprecated -- Use X509_GENERAL_NAME_REGISTERED_ID |
static int |
X509_SUBJECT_ALT_NAME_RFC822_NAME
Deprecated -- Use X509_GENERAL_NAME_RFC822_NAME |
static int |
X509_SUBJECT_ALT_NAME_UNIFORM_RESOURCE_IDENTIFIER
Deprecated -- Use X509_GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER |
static int |
X509_SUBJECT_ALT_NAME_X400_ADDRESS
Deprecated -- Use X509_GENERAL_NAME_X400_ADDRESS |
Constructor Summary
NPKIAPI()
Establishes methods and protocols to implement a certificate authority (CA) that issues, stores, and manages digital certificates. |
Method Summary
NPKI_CertificateName |
additionalCertificate(int index)
Retrieves the name of the specified certificate. |
byte[] |
additionalRootsInfo(int index)
Returns a pointer to the specified X.509 additional root certificate, and the size of the certificate. |
int |
certificateList(byte[] certificate,
int flags)
Stores a certificate (such as X.509) or set of certificates (such as PKCS #7) to an internal structure. |
byte[] |
certInfo()
Use to retrieve a newly created X.509 certificate. |
byte[] |
chainCertInfo(int index)
Returns a byte array containing the specified X.509 certificate from the certificate chain. |
void |
connectToAddress(int flags,
int type,
short size,
byte[] data)
Connects to server address. |
void |
connectToIPAddress(int flags,
short port,
byte[] ipAddress)
Establishes a connection to the server at the specified IP address. |
void |
connectToIPAddress(int flags,
short port,
byte[] ipAddress,
java.lang.String[] treeName,
java.lang.String[] serverDN)
Establishes a connection to the server at the specified IP address. |
void |
createContext()
Creates a new PKI context structure and initializes it with default values. |
void |
createCRLConfiguration(int flags,
java.lang.String objectName,
java.lang.String contextDN,
java.lang.String hostServerDN)
Creates an ndspkiCRLConfiguration object. |
void |
createCRLDistributionPoint(int flags,
java.lang.String objectName,
java.lang.String contextDN,
java.lang.String linkObjectDN)
Creates a cRLDistributionPoint object and optionally links it to linkObjectDN. |
int |
createDefaultCertificates(java.lang.String serverDN,
NPKI_CertificateNamesList certificateNames,
java.lang.Integer flags)
This method can be used to accomplish any or all of the three tasks listed below: Create the default server certificates. |
java.lang.String |
createOrganizationalCA(java.lang.String serverDN,
java.lang.String organizationalCAName,
int keyType,
int keySize,
java.lang.String subjectDN,
int signatureAlgorithm,
int dateFlags,
int validFrom,
int validTo,
int publicKeyFlags,
int privateKeyFlags,
NPKI_Extension keyUsage,
NPKI_Extension basicConstraints,
NPKI_ExtAltNames altNames,
NPKI_Extension NovellAttr,
NPKI_ASN1_Extensions extensions,
int retryFlag)
Creates an organizational (that is, Tree) certificate authority (CA) object in the Security container if one does not already exist. |
void |
createPKIContainer(int flags,
java.lang.String objectName,
java.lang.String contextDN,
int type,
java.lang.String linkObjectDN)
Creates an ndspkiContainer object and optionally links it to linkObjectDN. |
void |
createSASServiceObject(java.lang.String serverName,
java.lang.String contextDN)
Creates a Secure Authentication Services (SAS) object to maintain a list of server certificates for the specified server. |
void |
createServerCertificate(java.lang.String keyGenServerDN,
java.lang.String signServerDN,
java.lang.String certificateName,
int keyType,
int keySize,
java.lang.String subjectDN,
int signatureAlgorithm,
int dateFlags,
int validFrom,
int validTo,
int publicKeyFlags,
int privateKeyFlags,
NPKI_Extension keyUsage,
NPKI_Extension basicConstraints,
NPKI_ExtAltNames altNames,
NPKI_Extension NovellAttr,
NPKI_ASN1_Extensions extensions)
Creates a server key pair as well as the corresponding X.509 certificate. |
void |
createTrustedRoot(java.lang.String objectDN,
byte[] certificate)
Creates a Trusted Root object and stores the specified X.509 root (or CA) certificate in the eDirectory object. |
void |
createTrustedRootContainer(java.lang.String objectDN)
Creates a container where Trusted Root objects can be created. |
void |
createUserCertificate(java.lang.String keyGenServerDN,
java.lang.String signServerDN,
java.lang.String userDN,
java.lang.String nickName,
int keyType,
int keySize,
java.lang.String subjectDN,
int signatureAlgorithm,
int dateFlags,
int validFrom,
int validTo,
int publicKeyFlags,
int privateKeyFlags,
NPKI_Extension keyUsage,
NPKI_Extension basicConstraints,
NPKI_ExtAltNames altNames,
NPKI_Extension NovellAttr,
NPKI_ASN1_Extensions extensions)
Generates a key pair as well as the corresponding X.509 certificate. |
void |
cRLConfigurationDN(int index,
java.lang.Integer objectFlags,
java.lang.String[] objectDN,
java.lang.String[] data)
Returns information about the specified Certificate Authority (CA), specifically how many CRL configurations are associated with the CA. |
byte[] |
csrInfo()
Returns a byte array containing the PKCS #10 Certificate Signing Request (CSR). |
void |
deleteDSObject(java.lang.String odn)
Can be used to delete any eDirectory object. |
void |
deleteUserCertificate(java.lang.String userDN,
java.lang.String nickName,
int flags,
byte[] certificate)
Deletes a user's certificate. |
void |
destroy()
|
void |
dsConnectToReferral(byte[] referral)
|
void |
dsLogin(java.lang.String objectDN,
java.lang.String password)
Performs all authentication operations needed to establish a client's connection to a network. |
void |
DSLoginAsServer()
|
void |
dsLogout()
Terminates an object's connection to the network. |
boolean |
dsObjectExists(java.lang.String objectDN)
Determines whether or not the eDirectory object exists. |
byte[] |
exportCAKey(java.lang.String organizationalCAName,
java.lang.String password,
int flags)
Exports the CA's private key and corresponding certificates in "Personal Information Exchange Syntax" (PFX) format. |
byte[] |
exportServerKey(java.lang.String serverDN,
java.lang.String certificateName,
java.lang.String password,
int flags)
Exports a server's private key and corresponding certificates in "Personal Information Exchange Syntax" (PFX) format. |
byte[] |
exportUserKey(java.lang.String nickname,
java.lang.String password,
int flags)
Exports a private key and the corresponding certificates for the currently logged-in user in "Personal Information Exchange Syntax" (PFX) format. |
void |
finalize()
|
int |
findKeyGenServersForUser(java.lang.String nameContextDN)
Finds all servers that can be used to generate a public/private key pair for users which reside in the specified name context. |
java.lang.String |
findOrganizationalCA()
Finds the name of the Certificate Authority (CA) for the current tree. |
int |
findServerCertificateNames(java.lang.String serverDN)
Finds all of the server certificate names for the specified server. |
int |
findServersInContext(java.lang.String nameContextDN)
Finds all of the NCP servers in the name context supplied. |
int |
findTrustedRootsInContext(java.lang.String nameContextDN)
Finds all of the Trusted Root objects within the specified (Trusted Root) container and returns the number found. |
int |
findUserCertificates(java.lang.String userDN,
java.lang.String nickName,
byte[] serialNumber,
int keyType,
int minKeySize,
int maxKeySize,
int searchOnKeyUsage,
short keyUsageValue,
java.lang.String issuerDN,
java.lang.String subjectDN,
int certificateValid,
int vendorID,
int certificateStatus)
Finds all of the certificates for the userDN that meet the search criteria, stores the certificates in context-specific values, and returns the number of certificates that meet the search criteria. |
void |
freeContext()
Frees a previously allocated NPKIAPI context and all associated memory. |
void |
generateCertificateFromCSR(java.lang.String caServerDN,
byte[] extCSR,
java.lang.String subjectDN,
int signatureAlgorithm,
int dateFlags,
int validFrom,
int validTo,
NPKI_Extension keyUsage,
NPKI_Extension basicConstraints,
NPKI_ExtAltNames altNames,
NPKI_Extension NovellAttr,
NPKI_ASN1_Extensions extensions)
Accepts a PKCS #10 Certificate Signing Request (CSR) from an external source and sends the request to caServerDN, which then creates and returns an X.509 certificate. |
void |
getAlgorithmInfo(int algorithm,
java.lang.Integer maxKeyEncryptKeySize,
java.lang.Integer maxSigningKeySize,
java.lang.Integer maxDataEncryptKeySize)
Returns the supported key sizes for the specified algorithm. |
byte[] |
getCACertificates(java.lang.String objectDN,
int flags,
java.lang.Integer numberOfChainCerts,
java.lang.Integer rootCertIndex)
Reads the Certificate Authority (CA) certificates for objectDN and stores them in context-specific values. |
void |
getCAInfo(java.lang.String objectDN,
java.lang.Integer numberOfCRLConfigurations)
Returns information about the specified CA (Certificate Authority), specifically how many CRL configurations are associated with the CA. |
void |
getCRLConfigurationInfo(java.lang.String objectDN,
java.lang.Integer status,
java.lang.Integer cRLNumber,
java.lang.Integer issueTime,
java.lang.Integer attemptTime,
java.lang.Integer nextIssueTime,
java.lang.Integer intervalUnitType,
java.lang.Integer intervalNumberOfUnits,
java.lang.Integer fileNameSpaceType,
java.lang.String[] fileVolumeDN,
java.lang.String[] fileVolumePath,
java.lang.Integer numberOfCRLDistributionPoints,
java.lang.String[] cLRdistributionPointDN,
java.lang.String[] certificateAuthorityDN)
Reads all CRL Configuration information for the specified object. |
void |
getCRLDistributionPoint(int index,
java.lang.String[] cRLDistributionPoint)
Retrieves the specified CRL Distribution Point. |
java.lang.String |
getDefaultDSContactServerDN()
Retrieves the fully distinguished name of the default eDirectory contact server; the server that the API uses when making modifications to eDirectory. |
java.lang.String |
getHostServerDN(java.lang.String objectDN)
Reads the eDirectory attribute A_HOST_SERVER of objectDN and returns the value in serverDN. |
void |
getLocalServerInfo(java.lang.String[] treeName,
java.lang.String[] serverDN)
Retrieves data about the local server. |
java.lang.String |
getSAServiceName(java.lang.String serverDN)
Reads the SAS:Service attribute of serverDN to get the Secure Authentication Service (SAS) service name of the specified server object. |
byte[] |
getServerCertificates(java.lang.String serverDN,
java.lang.String certificateName,
int flags,
java.lang.Integer numberOfChainCerts,
java.lang.Integer rootCertIndex)
Reads the certificates specified by certificateName for serverDN and stores them in context-specific values. |
int |
getServerCertificateStatus(java.lang.String serverDN,
java.lang.String certificateName)
Determines the status of the server certificate. |
java.lang.String |
getServerDNSName(int index)
Retrieves the specified DNS Name. |
void |
getServerInfo(java.lang.String serverDN,
int flags,
java.lang.Integer keyGenerationAlgorithms,
java.lang.Integer signingAlgorithms,
java.lang.Integer maxValidFromTime,
java.lang.Integer maxValidToTime,
java.lang.Integer caOperational,
java.lang.Integer pathLength,
java.lang.Integer healthCheckCcode,
java.lang.Integer serverVersion)
Opens a connection to the specified server and sends a PKI ping NCP to determine supported values for the server. |
byte[] |
getServerIPAddress(int index,
java.lang.Short ipLength,
java.lang.String[] ipNumber,
java.lang.Short numberOfDNSNames)
Retrieves information about the specified IP address. |
int |
getServerIPAndDNSInfo(java.lang.String serverDN)
Discovers IP and DNS information about the specified server by querying DNS. |
void |
getServerKMOInfo(int cacheContext,
java.lang.String serverDN,
java.lang.String certificateName,
int flags,
byte[][] objectCert,
java.lang.Integer numberOfChainCerts,
java.lang.Integer rootCertIndex,
byte[][] wrappedKey,
java.lang.Integer numberOfAdditionalRoots,
byte[][] terisaKeyFile)
Reads all KMO information for the KMO specified by certificateName for serverDN and stores the information in context-specific values. |
int |
getServerUTCTime(java.lang.String serverDN)
Returns the time in UTC (Coordinated Universal Time) on the server whose eDirectory fully distinguished name is specified. |
byte[] |
getTrustedRootInfo(int index,
java.lang.String[] name,
java.lang.String[] validFrom,
java.lang.String[] validTo,
java.lang.String[] subjectName)
Retrieves information about the specified Trusted Root. |
byte[] |
getWrappedServerKey(java.lang.String serverDN,
java.lang.String serverCertificateName)
Returns a server private key cryptographically wrapped in the server's key storage key. |
void |
importCAKey(java.lang.String hostServerDN,
java.lang.String organizationalCAName,
java.lang.String password,
int flags,
byte[] pfx)
Imports an organization's certificate authority (CA) private key and corresponding certificate(s) from a "Personal Information Exchange Syntax" (PFX) format (also known as Public Key Cryptography Standards [PKCS] #12) to a CA object. |
void |
importServerKey(java.lang.String serverDN,
java.lang.String certificateName,
java.lang.String password,
int flags,
byte[] pfx)
Imports a server's private key and corresponding certificates from a "Personal Information Exchange Syntax" (PFX) format to a Key Material object. |
void |
importUserKey(java.lang.String userDN,
java.lang.String nickName,
java.lang.String password,
int flags,
byte[] pfx)
Imports a user's private key from a "Personal Information Exchange Syntax" (PFX) format to the specified user. |
void |
initialize()
Initializes the NPKIAPI context. |
void |
issueCRL(java.lang.String cRLConfiguationDN,
int flags)
Issues an emergency CRL. |
void |
KMOExportAddValue(java.lang.String certificateName,
java.lang.String certificatePath,
java.lang.String keyPath,
int keyType)
Used to add a value to the list of KMOExport values. |
void |
KMOExportClearAllValues()
Used to clear all values from the list of KMOExport values. |
void |
KMOExportClearValue(int index)
Used to clear a value from the list of KMOExport values. |
void |
KMOExportRead(java.lang.String objectDN,
java.lang.Integer numberOfValues)
Reads the ndspkiKMOExport attribute on the specified SAS:Service object. |
void |
KMOExportValue(int index,
java.lang.String[] certificateName,
java.lang.String[] certificatePath,
java.lang.String[] keyPath,
java.lang.Integer keyType)
Used to get the KMOExport values. |
void |
KMOExportWrite(java.lang.String objectDN)
Writes the KMOExportValues into the ndspkiKMOExport attribute on the specified SAS:Service object. |
java.lang.String |
nickName(int index)
Returns the specified certificate nickname. |
int |
readAllNickNames(java.lang.String userDN)
Reads all of the certificate nicknames for userDN and stores them in context-specific data values. |
void |
readSecurityRightsLevel(java.lang.String objectDN,
java.lang.Integer securityRightsLevel)
Returns the value of the Security Rights Level attribute for the specified CA (Certificate Authority). |
void |
revokeCertificate(java.lang.String cRLConfiguationDN,
java.lang.String ndsObject,
byte[] certificate,
int flags,
int reasonCode,
int invalidityDate,
java.lang.String comment,
java.lang.Integer nextIssuanceDate)
Revokes the specified certificate. |
java.lang.String |
serverCertificateName(int index)
Returns a server certificate name. |
void |
serverNames(int index,
java.lang.String[] serverDN,
java.lang.String[] serverName)
Obtains the specified eDirectory server's leaf name and fully distinguished name. |
void |
setCertificateAuthorityDN(java.lang.String objectDN,
java.lang.String certificateAuthorityDN)
Sets the Certificate Authority DN (ndspkiCADN) attribute on the specified CRLConfiguration object. |
void |
setCRLFileName(java.lang.String objectDN,
int nameSpaceType,
java.lang.String volumeDN,
java.lang.String volumePath)
Sets the CRL filename (ndspkiCRLFilename) attribute on the specified CRLConfiguration object. |
void |
setDefaultDSContactServerDN(java.lang.String serverDN)
Sets the fully distinguished name of the Default eDir Contact Server. |
void |
setDistributionPointDNList(java.lang.String objectDN,
int flags,
int objectFlags,
java.lang.String linkObjectDN,
java.lang.String data)
Adds or deletes a link from the CA object to a CRL Configuration object. |
void |
setDistributionPoints(java.lang.String objectDN,
int flags,
java.lang.String distributionPoint)
Sets the CRL Distribution Points (ndspkiDistributionPoints) attribute on the specified CRLConfiguration object. |
void |
setIdentity(int idContext)
|
void |
setNextIssueTime(java.lang.String objectDN,
int nextIssueTime)
Sets the CRL next issue time (ndspkiNextIssueTime) attribute on the specified CRLConfiguration object. |
void |
setSecurityRightsLevel(java.lang.String objectDN,
int securityRightsLevel)
Set the value of the Security Rights Level attribute for the specified CA (Certificate Authority). |
void |
setTimeInterval(java.lang.String objectDN,
int unitType,
int numberOfUnits)
Sets the CRL issuance time interval (ndspkiTimeInterval) attribute on the specified CRLConfiguration object. |
void |
setTreeName(java.lang.String treeName)
Sets the specified tree name into the context. |
void |
storeServerCertificates(java.lang.String serverDN,
java.lang.String certificateName,
int flags,
int trustedRoot,
byte[] certificate)
Used to store server certificates after a successful call to createServerCertificate. |
void |
storeServerCertificatesFromCertificateList(java.lang.String serverDN,
java.lang.String certificateName,
int flags,
int trustedRootIndex)
Used to store server certificates after a successful call to createServerCertificate. |
void |
storeUserCertificate(java.lang.String userDN,
java.lang.String nickName,
java.lang.String signerDN,
int flags,
byte[] cert,
int vendorID)
Stores a certificate on a user object. |
byte[] |
userCertInfo(int index,
java.lang.String[] nickName,
java.lang.Integer certStatus,
java.lang.Integer vendorID)
Returns information about a user certificate. |
void |
verifyCertificateWithTrustedRoots(byte[] certificate,
java.lang.String TRContextDN,
int flags,
java.lang.Integer cRLReason,
java.lang.Integer cRLHoldInstruction,
java.lang.Integer cRLRevocationTime,
java.lang.Integer cRLInvalidityDateTime,
java.lang.Integer certInvalidityReason)
Constructs a certificate chain starting with the specified certificate and using all of the Trusted Root objects within the specified Trusted Root container. |
int |
versionInfo()
Returns the version info of the client module, NPKIAPI. |
Methods inherited from class java.lang.Object |
clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
public static final int PKI_SUCCESS
(PKI_SUCCESS = 0)
public static final int PKI_E_FILE_CREATE
(PKI_E_FILE_CREATE = -1201)
public static final int PKI_E_FILE_OPEN
(PKI_E_FILE_OPEN = -1202)
public static final int PKI_E_FILE_READ
(PKI_E_FILE_READ = -1203)
public static final int PKI_E_FILE_WRITE
(PKI_E_FILE_WRITE = -1204)
public static final int PKI_E_FILE_SEEK
(PKI_E_FILE_SEEK = -1205)
public static final int PKI_E_CRYPT_INIT
(PKI_E_CRYPT_INIT = -1206)
public static final int PKI_E_NO_KEY_FILE
(PKI_E_NO_KEY_FILE = -1207)
public static final int PKI_E_GENERATE_KEY
(PKI_E_GENERATE_KEY = -1208)
public static final int PKI_E_KEY_SIZE_NOT_SUPPORTED
(PKI_E_KEY_SIZE_NOT_SUPPORTED = -1209)
public static final int PKI_E_KEYS_ALREADY_EXIST
(PKI_E_KEYS_ALREADY_EXIST = -1210)
public static final int PKI_E_UPDATE_KMO
(PKI_E_UPDATE_KMO = -1211)
public static final int PKI_E_INSUFFICIENT_MEMORY
(PKI_E_INSUFFICIENT_MEMORY = -1212)
public static final int PKI_E_BUFFER_OVERFLOW
(PKI_E_BUFFER_OVERFLOW = -1213)
public static final int PKI_E_BAD_REQUEST_SYNTAX
(PKI_E_BAD_REQUEST_SYNTAX = -1214)
public static final int PKI_E_DSIO
(PKI_E_DSIO = -1215)
public static final int PKI_E_CREATE_CERTIFICATE_OR_CSR
(PKI_E_CREATE_CERTIFICATE_OR_CSR = -1216)
public static final int PKI_E_ALGORITHM_NOT_SUPPORTED
(PKI_E_ALGORITHM_NOT_SUPPORTED = -1217)
public static final int PKI_E_UNKNOWN_ATTRIBUTE
(PKI_E_UNKNOWN_ATTRIBUTE = -1218)
public static final int PKI_E_INVALID_NAME
(PKI_E_INVALID_NAME = -1219)
public static final int PKI_E_INVALID_CREATE_CA_REQUEST
(PKI_E_INVALID_CREATE_CA_REQUEST = -1220)
public static final int PKI_E_INVALID_OBJECT
(PKI_E_INVALID_OBJECT = -1221)
public static final int PKI_E_NOT_SUPPORTED
(PKI_E_NOT_SUPPORTED = -1222)
public static final int PKI_E_ADD_TRUSTED_ROOT
(PKI_E_ADD_TRUSTED_ROOT = -1223)
public static final int PKI_E_ADD_KEYPAIR
(PKI_E_ADD_KEYPAIR = -1224)
public static final int PKI_E_ADD_CERTIFICATE
(PKI_E_ADD_CERTIFICATE = -1225)
public static final int PKI_E_EXPECTING_CERTIFICATE
(PKI_E_EXPECTING_CERTIFICATE = -1226)
public static final int PKI_E_BROKEN_CHAIN
(PKI_E_BROKEN_CHAIN = -1227)
public static final int PKI_E_INIT_ERROR
(PKI_E_INIT_ERROR = -1228)
public static final int PKI_E_WRONG_VERSION
(PKI_E_WRONG_VERSION = -1229)
public static final int PKI_E_ONLY_ONE_TREE_CA
(PKI_E_ONLY_ONE_TREE_CA = -1230)
public static final int PKI_E_BAD_ROOT_INDEX
(PKI_E_BAD_ROOT_INDEX = -1231)
public static final int PKI_E_SUBJECT_NAME_COMPARISON_FAILURE
(PKI_E_SUBJECT_NAME_COMPARISON_FAILURE = -1232)
public static final int PKI_E_PUBLIC_KEY_COMPARISON_FAILURE
(PKI_E_PUBLIC_KEY_COMPARISON_FAILURE = -1233)
public static final int PKI_E_NO_RIGHTS
(PKI_E_NO_RIGHTS = -1234)
public static final int PKI_TERISA_ESTABLISH_CONTEXT_ERROR
(PKI_TERISA_ESTABLISH_CONTEXT_ERROR = -1235)
public static final int PKI_TERISA_ADD_ROOT_ERROR
(PKI_TERISA_ADD_ROOT_ERROR = -1236)
public static final int PKI_TERISA_ADD_KEYS_ERROR
(PKI_TERISA_ADD_KEYS_ERROR = -1237)
public static final int PKI_TERISA_ADD_CERTIFICATE_ERROR
(PKI_TERISA_ADD_CERTIFICATE_ERROR = -1238)
public static final int PKI_E_SYSTEM_RESOURCES
(PKI_E_SYSTEM_RESOURCES = -1239)
public static final int PKI_E_PARSE_CERTIFICATE
(PKI_E_PARSE_CERTIFICATE = -1240)
public static final int PKI_E_NO_TREE_CA
(PKI_E_NO_TREE_CA = -1241)
public static final int PKI_E_INVALID_NICKNAME
(PKI_E_INVALID_NICKNAME = -1242)
public static final int PKI_E_USER_ALREADY_IN_LIST
(PKI_E_USER_ALREADY_IN_LIST = -1243)
public static final int PKI_E_USER_NOT_FOUND_IN_LIST
(PKI_E_USER_NOT_FOUND_IN_LIST = -1244)
public static final int PKI_E_USER_CERT_NOT_FOUND
(PKI_E_USER_CERT_NOT_FOUND = -1246)
public static final int PKI_E_INVALID_ALGORITHM
(PKI_E_INVALID_ALGORITHM = -1247)
public static final int PKI_E_INVALID_OPERATION
(PKI_E_INVALID_OPERATION = -1248)
public static final int PKI_E_INVALID_DIGEST
(PKI_E_INVALID_DIGEST = -1249)
public static final int PKI_E_DATA_NOT_READY
(PKI_E_DATA_NOT_READY = -1251)
public static final int PKI_E_INVALID_KDK_ID
(PKI_E_INVALID_KDK_ID = -1252)
public static final int PKI_E_INTERNAL_ERROR
(PKI_E_INTERNAL_ERROR = -1253)
public static final int PKI_E_INVALID_CERTIFICATE_TIME
(PKI_E_INVALID_CERTIFICATE_TIME = -1254)
public static final int PKI_E_EXPIRED_CERTIFICATE
(PKI_E_EXPIRED_CERTIFICATE = -1255)
public static final int PKI_E_INVALID_SIGNATURE
(PKI_E_INVALID_SIGNATURE = -1256)
public static final int PKI_E_KDK_TABLE_FULL
(PKI_E_KDK_TABLE_FULL = -1257)
public static final int PKI_E_CERT_INVALID
(PKI_E_CERT_INVALID = -1258)
public static final int PKI_E_CA_ALREADY_INSTALLED
(PKI_E_CA_ALREADY_INSTALLED = -1259)
public static final int PKI_E_CA_NOT_OPERATIONAL
(PKI_E_CA_NOT_OPERATIONAL = -1260)
public static final int PKI_E_KEY_FAILURE
(PKI_E_KEY_FAILURE = -1261)
public static final int PKI_E_INVALID_KEY_ID
(PKI_E_INVALID_KEY_ID = -1262)
public static final int PKI_E_ACCESS_DENIED
(PKI_E_ACCESS_DENIED = -1263)
public static final int PKI_E_NICI_OUTOF_SYNC
(PKI_E_NICI_OUTOF_SYNC = -1264)
public static final int PKI_E_NO_SECURITY_CONTAINER
(PKI_E_NO_SECURITY_CONTAINER = -1265)
public static final int PKI_E_NO_IP_ADDRESSES
(PKI_E_NO_IP_ADDRESSES = -1266)
public static final int PKI_E_NICKNAME_IN_USE
(PKI_E_NICKNAME_IN_USE = -1267)
public static final int PKI_E_NOT_CONNECTED_TO_SERVICE
(PKI_E_NOT_CONNECTED_TO_SERVICE = -1268)
public static final int PKI_E_DUPLICATE
(PKI_E_DUPLICATE = -1269)
public static final int PKI_E_CRL_INVALID
(PKI_E_CRL_INVALID = -1270)
public static final int PKI_E_CERT_NOT_FOUND
(PKI_E_CERT_NOT_FOUND = -1271)
public static final int PKI_E_INVALID_CONTEXT
(PKI_E_INVALID_CONTEXT = -1272)
public static final int PKI_E_SERVICE_NOT_AVAILABLE
(PKI_E_SERVICE_NOT_AVAILABLE = -1273)
public static final int NPKI_INVALID_CONTEXT
public static final int PKI_DEFAULT_CONFIGURATION
(PKI_DEFAULT_CONFIGURATION = 0x0000)
public static final int PUBLIC_KEY_ORGANIZATIONAL_CA
(PUBLIC_KEY_ORGANIZATIONAL_CA = 0x0001 | 0x0002 | 0x0020)
public static final int PKI_EXTENSION_INCLUDE
(PKI_EXTENSION_INCLUDE = 0x0000)
public static final int PKI_EXTENSION_DONT_INCLUDE
(PKI_EXTENSION_DONT_INCLUDE = 0x0001)
public static final int PKI_EXTENSION_NON_CRITICAL
(PKI_EXTENSION_NON_CRITICAL = 0x0000)
public static final int PKI_EXTENSION_CRITICAL
NOTE: If an extension is set to critical, application software should understand the extension, or fail verification of the certificate.
(PKI_EXTENSION_CRITICAL = 0x0002)
public static final int X509_BASIC_CONSTRAINTS_CA
The X.509 basic constraints extension is used to specify that a certificate belongs to a Certificate Authority (CA). The X.509 basic constraints extension has essentially two parts: the cA boolean, which states whether the certified public key may be used to verify certificate signatures, and the optional pathLenConstraint, which limits how many CA certificates may follow this one in a certification path.
CAs must have the basic constraints extension encoded. Certificates for non-CAs should not have the basic constraints extension encoded. The Basic Constraints extension uses the general-purpose extension structure.
(X509_BASIC_CONSTRAINTS_CA = 0x0100)
public static final int NOVELL_EXTENSION_SERVER_DEFAULT
(NOVELL_EXTENSION_SERVER_DEFAULT = 0x00100)
public static final int NOVELL_EXTENSION_USER_DEFAULT
(NOVELL_EXTENSION_USER_DEFAULT = 0x00200)
public static final int NOVELL_EXTENSION_ORGCA_DEFAULT
(NOVELL_EXTENSION_ORGCA_DEFAULT = 0x00400)
public static final int NOVELL_EXTENSION_EXTRACTABLE_KEY
(NOVELL_EXTENSION_EXTRACTABLE_KEY = 0x10000)
public static final int X509_KEY_USAGE_DIGITAL_SIGNATURE
(X509_KEY_USAGE_DIGITAL_SIGNATURE = 0x8000)
public static final int X509_KEY_USAGE_NON_REPUDIATION
(X509_KEY_USAGE_NON_REPUDIATION = 0x4000)
public static final int X509_KEY_USAGE_KEY_ENCIPHERMENT
(X509_KEY_USAGE_KEY_ENCIPHERMENT = 0x2000)
public static final int X509_KEY_USAGE_DATA_ENCIPHERMENT
(X509_KEY_USAGE_DATA_ENCIPHERMENT = 0x1000)
public static final int X509_KEY_USAGE_KEY_AGREEMENT
(X509_KEY_USAGE_KEY_AGREEMENT = 0x0800)
public static final int X509_KEY_USAGE_KEY_CERT_SIGN
(X509_KEY_USAGE_KEY_CERT_SIGN = 0x0400)
public static final int X509_KEY_USAGE_CRL_SIGN
(X509_KEY_USAGE_CRL_SIGN = 0x0200)
public static final int X509_KEY_USAGE_ENCIPHER_ONLY
(X509_KEY_USAGE_ENCIPHER_ONLY = 0x0100)
public static final int X509_KEY_USAGE_DECIPHER_ONLY
(X509_KEY_USAGE_DECIPHER_ONLY = 0x0080)
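The key-usage bit values above, the basic constraints description, and the PKI_EXTENSION_CRITICAL note together determine what the keyUsage and basicConstraints NPKI_Extension arguments become inside a certificate. The following program is an added example written for this page, not NPKIAPI code: it shows that the NPKIAPI bit values are the 16-bit big-endian image of the ASN.1 KeyUsage named bits, DER-encodes KeyUsage, BasicConstraints and the Extension wrapper (with the critical BOOLEAN present only when the critical flag is set), and applies the RFC 5280 consistency rule that keyCertSign is only valid together with BasicConstraints cA=TRUE. The bit and flag values are copied from this page; the OIDs and DER layout come from RFC 5280; the class and method names are the example's own and do not exist in NPKIAPI.

```java
import java.io.ByteArrayOutputStream;

public class NpkiExtensionExample {

    // Key-usage bit values copied from the NPKIAPI field detail on this page.
    static final int DIGITAL_SIGNATURE = 0x8000, NON_REPUDIATION = 0x4000, KEY_ENCIPHERMENT = 0x2000,
            DATA_ENCIPHERMENT = 0x1000, KEY_AGREEMENT = 0x0800, KEY_CERT_SIGN = 0x0400, CRL_SIGN = 0x0200,
            ENCIPHER_ONLY = 0x0100, DECIPHER_ONLY = 0x0080;
    // Extension flag value from the page (PKI_EXTENSION_NON_CRITICAL is 0x0000).
    static final int PKI_EXTENSION_CRITICAL = 0x0002;

    // DER-encoded OBJECT IDENTIFIERs from RFC 5280.
    static final byte[] OID_KEY_USAGE = {0x06, 0x03, 0x55, 0x1D, 0x0F};         // 2.5.29.15
    static final byte[] OID_BASIC_CONSTRAINTS = {0x06, 0x03, 0x55, 0x1D, 0x13}; // 2.5.29.19

    /** KeyUsage ::= BIT STRING. The NPKIAPI mask is the 16-bit big-endian image of the ASN.1
     *  named bits (digitalSignature = bit 0 = 0x8000 ... decipherOnly = bit 8 = 0x0080), so its
     *  bytes are the BIT STRING payload once DER's trailing-zero-bit trimming is applied. */
    static byte[] keyUsageDer(int mask) {
        if (mask == 0 || (mask & ~0xFF80) != 0) {
            throw new IllegalArgumentException("mask must be non-empty and use only KeyUsage bits 0..8");
        }
        int highest = 0;                                   // highest set named bit, 0..8
        for (int bit = 0; bit <= 8; bit++) {
            if ((mask & (0x8000 >>> bit)) != 0) highest = bit;
        }
        int payloadLen = highest < 8 ? 1 : 2;
        int unusedBits = payloadLen * 8 - (highest + 1);
        byte[] der = new byte[3 + payloadLen];
        der[0] = 0x03;                                     // BIT STRING tag
        der[1] = (byte) (1 + payloadLen);                  // length: unused-bits octet + payload
        der[2] = (byte) unusedBits;
        der[3] = (byte) (mask >>> 8);
        if (payloadLen == 2) der[4] = (byte) mask;
        return der;
    }

    /** BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
     *  DER omits cA when it is FALSE; pathLen < 0 means "no pathLenConstraint". */
    static byte[] basicConstraintsDer(boolean ca, int pathLen) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        if (ca) body.write(new byte[] {0x01, 0x01, (byte) 0xFF}, 0, 3);
        if (pathLen >= 0) {
            if (!ca) throw new IllegalArgumentException("pathLenConstraint requires cA=TRUE (RFC 5280 4.2.1.9)");
            if (pathLen > 127) throw new IllegalArgumentException("example encodes single-octet INTEGERs only");
            body.write(new byte[] {0x02, 0x01, (byte) pathLen}, 0, 3);
        }
        return sequence(body.toByteArray());
    }

    /** Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
     *  The BOOLEAN is written only when PKI_EXTENSION_CRITICAL is set; DER forbids encoding the default. */
    static byte[] extensionDer(byte[] oid, int extensionFlags, byte[] extnValue) {
        if (extnValue.length > 127) throw new IllegalArgumentException("example uses short-form lengths only");
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        body.write(oid, 0, oid.length);
        if ((extensionFlags & PKI_EXTENSION_CRITICAL) != 0) body.write(new byte[] {0x01, 0x01, (byte) 0xFF}, 0, 3);
        body.write(0x04);                                  // OCTET STRING wrapping the inner DER
        body.write(extnValue.length);
        body.write(extnValue, 0, extnValue.length);
        return sequence(body.toByteArray());
    }

    static byte[] sequence(byte[] content) {
        if (content.length > 127) throw new IllegalArgumentException("example uses short-form lengths only");
        byte[] out = new byte[2 + content.length];
        out[0] = 0x30;
        out[1] = (byte) content.length;
        System.arraycopy(content, 0, out, 2, content.length);
        return out;
    }

    /** RFC 5280 4.2.1.3: if KeyUsage asserts keyCertSign, BasicConstraints must be present with
     *  cA=TRUE. A certificate failing this is not a CA, whatever its KeyUsage claims. */
    static boolean caClaimIsConsistent(int keyUsageMask, boolean hasBasicConstraints, boolean ca) {
        boolean claimsCertSign = (keyUsageMask & KEY_CERT_SIGN) != 0;
        return !claimsCertSign || (hasBasicConstraints && ca);
    }

    static String hex(byte[] b) {
        StringBuilder s = new StringBuilder();
        for (byte x : b) s.append(String.format("%02X", x));
        return s.toString();
    }

    public static void main(String[] args) {
        int caUsage = DIGITAL_SIGNATURE | KEY_CERT_SIGN | CRL_SIGN;   // 0x8600
        int serverUsage = DIGITAL_SIGNATURE | KEY_ENCIPHERMENT;       // 0xA000
        System.out.println("CA KeyUsage           : " + hex(keyUsageDer(caUsage)));          // 03020186
        System.out.println("server KeyUsage       : " + hex(keyUsageDer(serverUsage)));      // 030205A0
        System.out.println("decipherOnly only     : " + hex(keyUsageDer(DECIPHER_ONLY)));    // 0303070080
        System.out.println("CA BasicConstraints   : " + hex(basicConstraintsDer(true, 0)));  // 30060101FF020100
        System.out.println("EE BasicConstraints   : " + hex(basicConstraintsDer(false, -1))); // 3000
        System.out.println("critical KeyUsage ext : "
                + hex(extensionDer(OID_KEY_USAGE, PKI_EXTENSION_CRITICAL, keyUsageDer(caUsage))));
        // A certificate asserting keyCertSign without BasicConstraints cA=TRUE must not be accepted as a CA.
        System.out.println("CA claim consistent   : " + caClaimIsConsistent(caUsage, true, true));                        // true
        System.out.println("EE claims keyCertSign : " + caClaimIsConsistent(serverUsage | KEY_CERT_SIGN, false, false)); // false
    }
}
```

Two things in this output are worth keeping in mind when composing the NPKI_Extension arguments: DER trims trailing zero bits, so a mask of only DIGITAL_SIGNATURE | KEY_ENCIPHERMENT produces a one-byte payload with five unused bits rather than two bytes, and the critical flag is a single BOOLEAN that changes nothing about the inner value but, per the note under PKI_EXTENSION_CRITICAL, obliges every relying application to either understand the extension or fail verification.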
public static final int X509_GENERAL_NAME_OTHER_NAME
The OtherName sequence as specified in RFC 3280 section 4.2.1.7.
(X509_GENERAL_NAME_OTHER_NAME = 0x0000)
public static final int X509_GENERAL_NAME_RFC822_NAME
(X509_GENERAL_NAME_RFC822_NAME = 0x0001)
public static final int X509_GENERAL_NAME_DNS_NAME
(X509_GENERAL_NAME_DNS_NAME = 0x0002)
public static final int X509_GENERAL_NAME_X400_ADDRESS
(X509_GENERAL_NAME_X400_ADDRESS = 0x0003)
public static final int X509_GENERAL_NAME_DIRECTORY_NAME
The Name choice as specified in X.501.
(X509_GENERAL_NAME_DIRECTORY_NAME = 0x0004)
public static final int X509_GENERAL_NAME_EDI_PARTY_NAME
The EDIPartyName sequence as specified in RFC 3280 section 4.2.1.7.
(X509_GENERAL_NAME_EDI_PARTY_NAME = 0x0005)
public static final int X509_GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER
(X509_GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER = 0x0006)
public static final int X509_GENERAL_NAME_IP_ADDRESS
(X509_GENERAL_NAME_IP_ADDRESS = 0x0007)
public static final int X509_GENERAL_NAME_REGISTERED_ID
(X509_GENERAL_NAME_REGISTERED_ID = 0x0008)
public static final int X509_SUBJECT_ALT_NAME_OTHER_NAME
X509_GENERAL_NAME_OTHER_NAME
public static final int X509_SUBJECT_ALT_NAME_RFC822_NAME
X509_GENERAL_NAME_RFC822_NAME
public static final int X509_SUBJECT_ALT_NAME_DNS_NAME
X509_GENERAL_NAME_DNS_NAME
public static final int X509_SUBJECT_ALT_NAME_X400_ADDRESS
X509_GENERAL_NAME_X400_ADDRESS
public static final int X509_SUBJECT_ALT_NAME_DIRECTORY_NAME
X509_GENERAL_NAME_DIRECTORY_NAME
public static final int X509_SUBJECT_ALT_NAME_EDI_PARTY_NAME
X509_GENERAL_NAME_EDI_PARTY_NAME
public static final int X509_SUBJECT_ALT_NAME_UNIFORM_RESOURCE_IDENTIFIER
X509_GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER
public static final int X509_SUBJECT_ALT_NAME_IP_ADDRESS
X509_GENERAL_NAME_IP_ADDRESS
public static final int X509_SUBJECT_ALT_NAME_REGISTERED_ID
X509_GENERAL_NAME_REGISTERED_ID
public static final int PKI_RSA_ALGORITHM
(PKI_RSA_ALGORITHM = 0x01)
public static final int PKI_UNKNOWN_ALGORITM
(PKI_UNKNOWN_ALGORITM = 0x00)
public static final int PKI_SIGN_WITH_RSA_AND_MD2
(PKI_SIGN_WITH_RSA_AND_MD2 = 0x01)
public static final int PKI_SIGN_WITH_RSA_AND_MD5
(PKI_SIGN_WITH_RSA_AND_MD5 = 0x02)
public static final int PKI_SIGN_WITH_RSA_AND_SHA1
(PKI_SIGN_WITH_RSA_AND_SHA1 = 0x04)
public static final int PKI_SIGN_WITH_RSA_AND_SHA_256
(PKI_SIGN_WITH_RSA_AND_SHA_256 = 0x08)
public static final int PKI_SIGN_WITH_RSA_AND_SHA_384
(PKI_SIGN_WITH_RSA_AND_SHA_384 = 0x10)
public static final int PKI_SIGN_WITH_RSA_AND_SHA_512
(PKI_SIGN_WITH_RSA_AND_SHA_512 = 0x20)
public static final int OBJECT_KEY_CERT
(OBJECT_KEY_CERT = 0x01)
public static final int TRUSTED_ROOT_CERT
(TRUSTED_ROOT_CERT = 0x02)
public static final int CHAIN_CERT
(CHAIN_CERT = 0x04)
public static final int CHAIN_CERT_DESCENDING
(CHAIN_CERT_DESCENDING = 0x8)
public static final int SELF_SIGNED_CERT
NOTE: This flag is NOT for use with getServerCertificates.
(SELF_SIGNED_CERT = 0x10)
public static final int WAIVE_SUBJECT_NAME_COMPARISON
storeServerCertificates and storeServerCertificatesFromCertificateList check that the requested name and the subject name in the certificate match. This optional flag waives the check, enabling the certificate to be stored even if the requested name and certificate name are not the same.
(WAIVE_SUBJECT_NAME_COMPARISON = 0x100)
public static final int PRIVATE_KEY
(PRIVATE_KEY = 0x0002)
public static final int PRIVATE_KEY_EXTRACTABLE
NOTE: When using the PRIVATE_KEY_EXTRACTABLE flag and including the Novell Security Attributes Extension, it is necessary to bitwise-OR the extractable option (that is, NOVELL_EXTENSION_EXTRACTABLE_KEY) along with the appropriate Novell attribute into the flags field in the Novell Security Attributes Extension.
(PRIVATE_KEY_EXTRACTABLE = 0x0004)
public static final int PKI_NO_CA
(PKI_NO_CA = 0x00)
public static final int PKI_ORGANIZATIONAL_CA
(PKI_ORGANIZATIONAL_CA = 0x01)
public static final int PKI_SUB_ORGANIZATIONAL_CA
(PKI_SUB_ORGANIZATIONAL_CA = 0x02)
public static final int NOVELL_CERT
When calling storeServerCertificates to finish the process of creating a server certificate, you should normally specify the trustedRoot parameter as TREE_CA_CERT. This will cause the self-signed certificate to be used as the Trusted Root certificate.
NOTE: If NOVELL_CERT is specified, the developer's relying software must understand and be able to handle the Novell Security Attribute extension (see X.509 Extensions).
(NOVELL_CERT = 0x00080000)
public static final int TREE_CA_CERT
When calling storeServerCertificates to finish the process of creating a server certificate, you should normally specify the trustedRoot parameter as TREE_CA_CERT. This will cause the self-signed certificate to be used as the Trusted Root certificate.
NOTE: If NOVELL_CERT is specified, the developer's relying software must understand and be able to handle the Novell Security Attribute extension (see X.509 Extensions).
(TREE_CA_CERT = 0x00100000)
public static final int DEFAULT_YEAR_ENCODING
(DEFAULT_YEAR_ENCODING = 0x00)
public static final int TWO_DIGIT_YEAR
(TWO_DIGIT_YEAR = 0x00)
public static final int FOUR_DIGIT_YEAR
(FOUR_DIGIT_YEAR = 0x01)
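The three date flags above choose between the two X.509 Time encodings. The following program is an added example for this page, not NPKIAPI code: it encodes a validity boundary as DER UTCTime or GeneralizedTime, applying the RFC 2459/5280 rule that dates through 2049 use the two-digit form and dates from 2050 on use the four-digit form unless FOUR_DIGIT_YEAR forces it, and it decodes both forms with the mandatory 1950/2049 pivot for two-digit years. The flag values are copied from this page; the tags and formats come from RFC 5280; the class and method names are the example's own. The page does not say how the int validFrom and validTo arguments are represented, so the example works on java.time.Instant values and leaves that conversion to the caller; if they are seconds since the Unix epoch (an assumption, not stated here), a signed 32-bit int cannot express dates after January 2038, which is worth checking before relying on long CA validity periods.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;

public class ValidityTimeExample {
    // Date-encoding flag values copied from the NPKIAPI field detail on this page.
    static final int DEFAULT_YEAR_ENCODING = 0x00;
    static final int TWO_DIGIT_YEAR = 0x00;
    static final int FOUR_DIGIT_YEAR = 0x01;

    static final int TAG_UTC_TIME = 0x17;           // UTCTime:         YYMMDDHHMMSSZ
    static final int TAG_GENERALIZED_TIME = 0x18;   // GeneralizedTime: YYYYMMDDHHMMSSZ
    private static final DateTimeFormatter UTC_FMT = DateTimeFormatter.ofPattern("yyMMddHHmmss'Z'");
    private static final DateTimeFormatter GEN_FMT = DateTimeFormatter.ofPattern("yyyyMMddHHmmss'Z'");

    /** DER Time for a validity boundary. With the default two-digit flag the X.509 rule applies:
     *  dates through 2049 are UTCTime, dates from 2050 on are GeneralizedTime. FOUR_DIGIT_YEAR
     *  forces GeneralizedTime regardless of year. */
    static byte[] encodeTime(Instant t, int dateFlags) {
        LocalDateTime utc = t.atOffset(ZoneOffset.UTC).toLocalDateTime();
        boolean generalized = (dateFlags & FOUR_DIGIT_YEAR) != 0 || utc.getYear() >= 2050;
        if (!generalized && utc.getYear() < 1950) {
            throw new IllegalArgumentException("UTCTime cannot represent years before 1950");
        }
        byte[] text = utc.format(generalized ? GEN_FMT : UTC_FMT).getBytes(StandardCharsets.US_ASCII);
        byte[] der = new byte[2 + text.length];
        der[0] = (byte) (generalized ? TAG_GENERALIZED_TIME : TAG_UTC_TIME);
        der[1] = (byte) text.length;                 // 13 or 15, short-form length
        System.arraycopy(text, 0, der, 2, text.length);
        return der;
    }

    /** Decodes either Time form. A two-digit year is pivoted as RFC 5280 requires:
     *  50..99 means 19YY, 00..49 means 20YY. Anything else is rejected rather than guessed. */
    static Instant decodeTime(byte[] der) {
        if (der.length < 2 || (der[1] & 0xFF) != der.length - 2) {
            throw new IllegalArgumentException("malformed Time length");
        }
        int tag = der[0] & 0xFF;
        String s = new String(der, 2, der.length - 2, StandardCharsets.US_ASCII);
        if (tag == TAG_UTC_TIME && s.length() == 13) {
            int yy = Integer.parseInt(s.substring(0, 2));
            s = (yy >= 50 ? "19" : "20") + s;
        } else if (tag != TAG_GENERALIZED_TIME || s.length() != 15) {
            throw new IllegalArgumentException("expected UTCTime(13) or GeneralizedTime(15) ending in Z");
        }
        return LocalDateTime.parse(s, GEN_FMT).toInstant(ZoneOffset.UTC);
    }

    static String hex(byte[] b) {
        StringBuilder out = new StringBuilder();
        for (byte x : b) out.append(String.format("%02X", x));
        return out.toString();
    }

    public static void main(String[] args) {
        Instant y2024 = Instant.parse("2024-06-01T00:00:00Z");
        Instant y2049 = Instant.parse("2049-12-31T23:59:59Z");
        Instant y2050 = Instant.parse("2050-01-01T00:00:00Z");
        System.out.println("2024, default    : " + hex(encodeTime(y2024, DEFAULT_YEAR_ENCODING))); // 170D + "240601000000Z"
        System.out.println("2049, default    : " + hex(encodeTime(y2049, DEFAULT_YEAR_ENCODING))); // still UTCTime
        System.out.println("2050, default    : " + hex(encodeTime(y2050, DEFAULT_YEAR_ENCODING))); // GeneralizedTime
        System.out.println("2024, four-digit : " + hex(encodeTime(y2024, FOUR_DIGIT_YEAR)));       // GeneralizedTime
        System.out.println("round trip 2049  : " + decodeTime(encodeTime(y2049, DEFAULT_YEAR_ENCODING)).equals(y2049));
        // Constructed UTCTime "500101000000Z": the pivot makes this 1950, never 2050.
        byte[] utc50 = {0x17, 0x0D, '5', '0', '0', '1', '0', '1', '0', '0', '0', '0', '0', '0', 'Z'};
        System.out.println("UTCTime year 50  : " + decodeTime(utc50));                               // 1950-01-01T00:00:00Z
    }
}
```

The practical consequence for callers of createServerCertificate and generateCertificateFromCSR is that with the default flag a notAfter of 2049-12-31 and one of 2050-01-01 are encoded with different ASN.1 types, and relying software that only parses UTCTime will reject the latter; FOUR_DIGIT_YEAR avoids the switch but produces certificates that strict RFC 5280 validators may refuse for dates before 2050.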
public static final int PKI_SERVICE_INFO
(PKI_SERVICE_INFO = 0)
public static final int PKI_CA_INFO
Use PKI_CA_INFO when querying information about creating or using a certificate authority. Setting the flags field to PKI_CA_INFO will ensure that the proper information for creating or using a CA is retrieved.
(PKI_CA_INFO = 1)
public static final int PKI_USER_INFO
(PKI_USER_INFO = 2)
public static final int PKI_SERVER_INFO
(PKI_SERVER_INFO = 3)
public static final int PKI_SERVER_HEALTH_CHECK
(PKI_SERVER_HEALTH_CHECK = 4)
public static final int PKI_OVERWRITE_KEYPAIR
(PKI_OVERWRITE_KEYPAIR = 0x0001)
public static final int PKI_STORE_PRIVKEY_IN_OBJECT
(PKI_STORE_PRIVKEY_IN_OBJECT = 0x0002)
public static final int PKI_PRIVATE_KEY_EXPORTABLE
(PKI_PRIVATE_KEY_EXPORTABLE = 0x0004)
public static final int PKI_CUSTOM_SUBJECT_NAME
(PKI_CUSTOM_SUBJECT_NAME = 0x00001000)
public static final int PUBLIC_KEY_SINGLE_SERVER
(PUBLIC_KEY_SINGLE_SERVER = 0x0002 | 0x0010 | 0x0020 | 0x0100)
public static final int PUBLIC_KEY_TWO_SERVER
(PUBLIC_KEY_TWO_SERVER = 0x0004 | 0x0010 | 0x0100)
public static final int PUBLIC_KEY_EXTERNAL_CA
(PUBLIC_KEY_EXTERNAL_CA = 0x0004 | 0x0010 | 0x0100)
public static final int KMO_EMPTY
(KMO_EMPTY = 0)
public static final int KMO_KEY_PAIR_PRESENT
(KMO_KEY_PAIR_PRESENT = 1)
public static final int KMO_TRUSTED_ROOT_PRESENT
(KMO_TRUSTED_ROOT_PRESENT = 2)
public static final int KMO_CERTIFICATE_PRESENT
(KMO_CERTIFICATE_PRESENT = 3)
public static final int KMO_CERTIFICATE_INVALID
(KMO_CERTIFICATE_INVALID = 0xFFFFFFFF)
public static final int NO_CA_OPERATIONAL
(NO_CA_OPERATIONAL = 0x00)
public static final int TREE_CA_OPERATIONAL
(TREE_CA_OPERATIONAL = 0x01)
public static final int SUB_CA_OPERATIONAL
(SUB_CA_OPERATIONAL = 0x02)
public static final int MAX_CERTIFICATE_SIZE
(MAX_CERTIFICATE_SIZE = 65536)
public static final int MAX_SINGLE_CERTIFICATE_SIZE
(MAX_SINGLE_CERTIFICATE_SIZE = 8192)
public static final int MAX_CSR_SIZE
(MAX_CSR_SIZE = 8192)
public static final int MAX_NICK_NAME_BYTES
(MAX_NICK_NAME_BYTES = 1024)
public static final int MAX_NICK_NAME_CHARS
(MAX_NICK_NAME_CHARS = 512)
public static final int PKI_RETRY
(PKI_RETRY = 1)
public static final int PKI_INVALID
(PKI_INVALID = 0xFFFFFFFF)
public static final int USER_CERT_RETRY_COUNT
(USER_CERT_RETRY_COUNT = 3)
public static final int UNKNOWN_VERSION
(UNKNOWN_VERSION = 0)
public static final int VERSION_ONE
(VERSION_ONE = 1)
public static final int VERSION_TWO
(VERSION_TWO = 2)
public static final int VERSION_THREE
(VERSION_THREE = 3)
public static final int FIELD_NON_CRITICAL
(FIELD_NON_CRITICAL = 0)
public static final int FIELD_CRITICAL
(FIELD_CRITICAL = 1)
public static final int PKI_INTERNAL_KEY_PAIR
(PKI_INTERNAL_KEY_PAIR = 0x01)
public static final int PKI_EXTERNAL_KEY_PAIR
(PKI_EXTERNAL_KEY_PAIR = 0x02)
public static final int DIGITAL_SIGNATURE
(DIGITAL_SIGNATURE = 0x8000)
public static final int NON_REPUDIATION
(NON_REPUDIATION = 0x4000)
public static final int KEY_ENCIPHERMENT
(KEY_ENCIPHERMENT = 0x2000)
public static final int DATA_ENCIPHERMENT
(DATA_ENCIPHERMENT = 0x1000)
public static final int KEY_AGREEMENT
(KEY_AGREEMENT = 0x0800)
public static final int KEY_CERT_SIGN
(KEY_CERT_SIGN = 0x0400)
public static final int CRL_SIGN
(CRL_SIGN = 0x0200)
public static final int ENCIPHER_ONLY
(ENCIPHER_ONLY = 0x0100)
public static final int DECIPHER_ONLY
(DECIPHER_ONLY = 0x0080)
public static final int PKIS_VERSION_ONE
(PKIS_VERSION_ONE = 0x00010000)
public static final int PKIS_VERSION_ONE_FIVE
(PKIS_VERSION_ONE_FIVE = 0x00010005)
public static final int PKIS_VERSION_TWO
(PKIS_VERSION_TWO = 0x00020000)
public static final int PKIS_VERSION_ONE_ZERO_ZERO
(PKIS_VERSION_ONE_ZERO_ZERO = 0x00010000)
public static final int PKIS_VERSION_ONE_ZERO_FIVE
(PKIS_VERSION_ONE_ZERO_FIVE = 0x00010005)
public static final int PKIS_VERSION_ONE_ZERO_NINE
(PKIS_VERSION_ONE_ZERO_NINE = 0x00010009)
public static final int PKIS_VERSION_TWO_ZERO_ZERO
(PKIS_VERSION_TWO_ZERO_ZERO = 0x00020000)
public static final int PKIS_VERSION_TWO_ZERO_TWO
(PKIS_VERSION_TWO_ZERO_TWO = 0x00020002)
public static final int PKIS_VERSION_TWO_ZERO_THREE
(PKIS_VERSION_TWO_ZERO_THREE = 0x00020003)
public static final int PKIS_VERSION_TWO_ONE_ONE
(PKIS_VERSION_TWO_ONE_ONE = 0x00020011)
public static final int PKIS_VERSION_TWO_TWO_ZERO
(PKIS_VERSION_TWO_TWO_ZERO = 0x00020200)
public static final int PKIS_VERSION_TWO_TWO_ONE
(PKIS_VERSION_TWO_TWO_ONE = 0x00020201)
public static final int PKIS_VERSION_TWO_FOUR_ZERO
(PKIS_VERSION_TWO_FOUR_ZERO = 0x00020400)
public static final int PKIS_VERSION_TWO_FIVE_ZERO
(PKIS_VERSION_TWO_FIVE_ZERO = 0x00020500)
public static final int PKIS_VERSION_TWO_FIVE_TWO
(PKIS_VERSION_TWO_FIVE_TWO = 0x00020502)
public static final int PKIS_VERSION_TWO_FIVE_FOUR
(PKIS_VERSION_TWO_FIVE_FOUR = 0x00020504)
public static final int PKIS_VERSION_TWO_SIX_ZERO
(PKIS_VERSION_TWO_SIX_ZERO = 0x00020600)
public static final int PKIS_VERSION_TWO_SEVEN_ZERO
(PKIS_VERSION_TWO_SEVEN_ZERO = 0x00020700)
public static final int PKIS_VERSION_TWO_SEVEN_TWO
(PKIS_VERSION_TWO_SEVEN_TWO = 0x00020702)
public static final int PKIS_VERSION_TWO_SEVEN_THREE
(PKIS_VERSION_TWO_SEVEN_THREE = 0x00020703)
public static final int PKIS_VERSION_TWO_SEVEN_FOUR
(PKIS_VERSION_TWO_SEVEN_FOUR = 0x00020704)
public static final int PKIS_VERSION_TWO_SEVEN_FIVE
(PKIS_VERSION_TWO_SEVEN_FIVE = 0x00020705)
public static final int PKIS_VERSION_TWO_SEVEN_SIX
(PKIS_VERSION_TWO_SEVEN_SIX = 0x00020706)
public static final int PKIS_VERSION_TWO_SEVEN_SEVEN
(PKIS_VERSION_TWO_SEVEN_SEVEN = 0x00020707)
public static final int PKIS_VERSION_TWO_SEVEN_EIGHT
(PKIS_VERSION_TWO_SEVEN_EIGHT = 0x00020708)
public static final int PKIS_VERSION_TWO_SEVEN_NINE
(PKIS_VERSION_TWO_SEVEN_NINE = 0x00020709)
public static final int PKIS_VERSION_THREE_ZERO_ZERO
(PKIS_VERSION_THREE_ZERO_ZERO = 0x00030000)
public static final int PKIS_VERSION_THREE_ONE_ZERO
(PKIS_VERSION_THREE_ONE_ZERO = 0x00030100)
public static final int PKIS_VERSION_THREE_ONE_ONE
(PKIS_VERSION_THREE_ONE_ONE = 0x00030101)
public static final int PKI_CERTIFICATE_NORMAL
(PKI_CERTIFICATE_NORMAL = 0x0004)
public static final int PKI_CSR_PENDING
(PKI_CSR_PENDING = 0x0001 | 0x0008)
public static final int PKI_PRIVATE_KEY_NOT_IN_NDS
(PKI_PRIVATE_KEY_NOT_IN_NDS = 0x0002 | 0x0004)
public static final int PKI_CERTIFICATE_ON_HOLD
(PKI_CERTIFICATE_ON_HOLD = 0x0001 | 0x0004 | 0x10000)
public static final int PKI_ALL_VENDORS
(PKI_ALL_VENDORS = 0)
public static final int PKI_VENDOR_UNKNOWN
(PKI_VENDOR_UNKNOWN = 1)
public static final int PKI_VENDOR_EXTERNAL
(PKI_VENDOR_EXTERNAL = 2)
public static final int PKI_VENDOR_NOVELL
(PKI_VENDOR_NOVELL = 3)
public static final int PKI_VENDOR_ENTRUST
(PKI_VENDOR_ENTRUST = 4)
public static final int PKI_VENDOR_VERISIGN
(PKI_VENDOR_VERISIGN = 5)
public static final int PKI_OBJECT_KEY_CERTIFICATE
Used by getCACertificates, getServerCertificates, and storeServerCertificates to determine which certificates are returned. Use this flag when exporting or retrieving information on the object certificate.
(PKI_OBJECT_KEY_CERTIFICATE = 0x01)
public static final int PKI_TRUSTED_ROOT_CERTIFICATE
(PKI_TRUSTED_ROOT_CERTIFICATE = 0x02)
public static final int PKI_CHAIN_CERTIFICATE
(PKI_CHAIN_CERTIFICATE = 0x04)
public static final int PKI_SELF_SIGNED_CERTIFICATE
(PKI_SELF_SIGNED_CERTIFICATE = 0x10)
public static final int PKI_CA_KEY_AND_CERTS
(PKI_CA_KEY_AND_CERTS = 0x04 | 0x10 | 0x01)
public static final int PKI_NOVELL_CERTIFICATE
Used by storeServerCertificates to specify which certificate in a chain should be treated as the root certificate: use the Novell Root Certifier Certificate as the trusted root. Use this option only if your software understands the Novell Security Attribute.
NOTE: If PKI_NOVELL_CERTIFICATE is used, the developer's relying software must be configured to handle the Novell Security Attributes extension.
(PKI_NOVELL_CERTIFICATE = 0x00080000)
public static final int PKI_ORG_CA_CERTIFICATE
NOTE: This is the flag developers typically should use.
(PKI_ORG_CA_CERTIFICATE = 0x00100000)
public static final int PKI_WAIVE_SUBJECT_NAME_IN_CERTIFICATE
storeServerCertificates checks that the requested name and the subject name in the certificate match. This optional flag waives the check, enabling the certificate to be stored even if the requested name and the certificate's subject name differ. That check is the only binding between the name the caller asked for and the certificate that ends up in the object, so waive it only when the mismatch is intended and understood.
NOTE: The flags PKI_CHAIN_CERTIFICATE, PKI_TRUSTED_ROOT_CERTIFICATE and PKI_SELF_SIGNED_CERTIFICATE are mutually exclusive. PKI_OBJECT_KEY_CERTIFICATE and PKI_TRUSTED_ROOT_CERTIFICATE are also mutually exclusive.
(PKI_WAIVE_SUBJECT_NAME_IN_CERTIFICATE = 0x100)
public static final int PKI_TYPE_CRL_CONTAINER
(PKI_TYPE_CRL_CONTAINER = 0x01)
public static final int PKI_TYPE_CERTIFICATE_CONTAINER
(PKI_TYPE_CERTIFICATE_CONTAINER = 0x02)
public static final int PKI_MINUTES
(PKI_MINUTES = 1)
public static final int PKI_HOURS
(PKI_HOURS = 2)
public static final int PKI_DAYS
(PKI_DAYS = 3)
public static final int PKI_WEEKS
(PKI_WEEKS = 4)
public static final int PKI_MONTHS
(PKI_MONTHS = 5)
public static final int PKI_NS_DOS
(PKI_NS_DOS = 0)
public static final int PKI_NS_MACINTOSH
public static final int PKI_NS_UNIX
public static final int PKI_NS_FTAM
public static final int PKI_NS_OS2
public static final int PKI_CLEAR
(PKI_CLEAR = 0x01)
public static final int PKI_ADD
See also PKI_SORT.
(PKI_ADD = 0x02)
public static final int PKI_DELETE
See also PKI_SORT.
(PKI_DELETE = 0x04)
public static final int PKI_SORT
See also PKI_ADD, PKI_DELETE.
(PKI_SORT = 0x10)
public static final int PKI_CLEAR_CERTS
See also PKI_CLEAR.
public static final int PKI_ADD_CERT
See also PKI_ADD.
public static final int PKI_DEL_CERT
See also PKI_DELETE.
public static final int PKI_SORT_LIST
See also PKI_SORT.
public static final int EXTENSION_DONT_ENCODE
(EXTENSION_DONT_ENCODE = 0x0001)
public static final int EXTENSION_CRITICAL
NOTE: If an extension is marked critical, relying software must either understand the extension or reject the certificate; a critical extension the software cannot interpret makes the certificate fail verification.
(EXTENSION_CRITICAL = 0x0002)
public static final int NPKI_CERTIFICATE_CREATE_NORMAL
Used with createDefaultCertificates. The default certificates are overwritten with a new key pair and a new certificate if and only if one of the following conditions is true:
the Trusted Root certificate of the default server certificate objects is not the Organizational CA's root certificate, and NPKI_CERTIFICATE_CREATE_CA_CHANGE_FORCE is also specified.
public static final int NPKI_CERTIFICATE_CREATE_FORCE
Used with createDefaultCertificates to overwrite all default certificates with a new key pair and a new certificate.
NOTE: this flag should not be OR'ed with NPKI_CERTIFICATE_CREATE_NO_OVERWRITE or NPKI_CERTIFICATE_CREATE_CA_CHANGE_FORCE.
public static final int NPKI_CERTIFICATE_CREATE_NO_OVERWRITE
Used with createDefaultCertificates to create the default certificates if they do not exist; none of the current default certificates will be overwritten.
NOTE: this flag should not be OR'ed with NPKI_CERTIFICATE_CREATE_FORCE or NPKI_CERTIFICATE_CREATE_CA_CHANGE_FORCE.
public static final int NPKI_CERTIFICATE_CREATE_CA_CHANGE_FORCE
Used with createDefaultCertificates to force the re-creation of the default server certificates if the Trusted Root certificate of the default server certificate objects (KMOs) is not the same as the Organizational CA's root certificate. This flag adds that condition to the list of possible reasons why a certificate would be replaced. See NPKI_CERTIFICATE_CREATE_NORMAL above.
NOTE: this flag should not be OR'ed with NPKI_CERTIFICATE_CREATE_FORCE or NPKI_CERTIFICATE_CREATE_NO_OVERWRITE.
public static final int NPKI_DONT_QUERY_IP_AND_DNS
Prevents createDefaultCertificates from querying WinSock/DNS for the default IP and DNS information.
public static final int NPKI_DONT_REPLACE_SSL_IP
Prevents createDefaultCertificates from overwriting the 'SSL CertificateIP' KMO.
public static final int NPKI_DONT_REPLACE_SSL_DNS
Prevents createDefaultCertificates from overwriting the 'SSL CertificateDNS' KMO.
public static final int NPKI_CA_RIGHTS_DEFAULT
(NPKI_CA_RIGHTS_DEFAULT = 0x0000)
public static final int NPKI_CA_RIGHTS_READ_NCP
(NPKI_CA_RIGHTS_READ_NCP = 0x0001)
public static final int NPKI_CA_RIGHTS_WRITE_ALL
(NPKI_CA_RIGHTS_WRITE_ALL = 0x0002)
public static final int NPKI_CA_RIGHTS_SELF_PROVISION_SERVER
(NPKI_CA_RIGHTS_SELF_PROVISION_SERVER = 0x0004)
public static final int NPKI_CA_RIGHTS_SELF_PROVISION_USER
(NPKI_CA_RIGHTS_SELF_PROVISION_USER = 0x0008)
public static final int NPKI_CA_RIGHTS_ISSUE_CRL_ALL
(NPKI_CA_RIGHTS_ISSUE_CRL_ALL = 0x0010)
public static final int NPKI_CA_CHANGE_HEALTH_CHECK_FORCE
NPKI_CA_RIGHTS_SELF_PROVISION_SERVER
value.
(NPKI_CA_CHANGE_HEALTH_CHECK_FORCE = 0x0020)
Constructor Detail |
public NPKIAPI() throws NPKI_Exception
NOTE: Novell Certificate Server requires the cryptography services of Novell International Cryptographic Infrastructure (NICI). NICI is the underlying cryptographic infrastructure that provides the cryptography for Novell Certificate Server and other Novell applications. Novell Certificate Server will not function if cryptography services are not fully installed.
NICI availability and cryptography strength is restricted if your network is located in an entity listed on the U.S. Government Restricted Party List or in a country with import controls on cryptography products or technologies.
NPKI_Exception
- If an eDirectory or PKI error occurs.
Method Detail |
public void createContext() throws NPKI_Exception
NPKI_Exception
- If an eDirectory, NICI or PKI error occurs.
public void freeContext() throws NPKI_Exception
NPKI_Exception
- If a PKI error occurs.
public void setTreeName(java.lang.String treeName) throws NPKI_Exception
treeName
- Specifies the tree name. This must be a valid eDirectory tree.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: dsLogin
public void setDefaultDSContactServerDN(java.lang.String serverDN) throws NPKI_Exception
serverDN
- The fully distinguished name of the server.
NPKI_Exception
- If an eDirectory or PKI error occurs.
public java.lang.String getDefaultDSContactServerDN() throws NPKI_Exception
NPKI_Exception
- If an eDirectory or PKI error occurs.
public void dsLogin(java.lang.String objectDN, java.lang.String password) throws NPKI_Exception
objectDN
- Specifies the fully distinguished name of the object logging in to the network.
password
- Specifies the object's password.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: dsLogout, setTreeName
public void setIdentity(int idContext) throws NPKI_Exception
NPKI_Exception
public void dsLogout() throws NPKI_Exception
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: dsLogin, setTreeName
public void dsConnectToReferral(byte[] referral) throws NPKI_Exception
NPKI_Exception
public void deleteDSObject(java.lang.String odn) throws NPKI_Exception
odn
- Specifies the fully distinguished name of the eDirectory object to be deleted.
NPKI_Exception
- If an eDirectory error occurs.
public int findKeyGenServersForUser(java.lang.String nameContextDN) throws NPKI_Exception
The requirements for a server to generate a key pair for a user are:
findKeyGenServersForUser finds all of the servers that meet the first requirement. A call to getServerInfo can be made to determine whether the selected server meets the second requirement.
After a successful call to findKeyGenServersForUser, the server names can be accessed by calling serverNames.
nameContextDN
- Specifies the eDirectory fully distinguished name context of the user(s) for which you wish to find a key generation server. This must be a valid eDirectory container in the current tree.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: serverNames
public int findServersInContext(java.lang.String nameContextDN) throws NPKI_Exception
After a successful call, the server names can be accessed by calling serverNames.
nameContextDN
- Specifies the eDirectory fully distinguished name for which you want to find an NCP server. This must be a valid eDirectory container in the current tree.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: serverNames
public void serverNames(int index, java.lang.String[] serverDN, java.lang.String[] serverName) throws NPKI_Exception
index
- Specifies which server name is to be returned. index is 0 based.
serverDN
- Returns the eDirectory fully distinguished name of the server.
serverName
- Returns the leaf name of the server.
NPKI_Exception
- If an eDirectory or PKI error occurs.
public java.lang.String findOrganizationalCA() throws NPKI_Exception
NPKI_Exception
- If an eDirectory or PKI error occurs.
public void readSecurityRightsLevel(java.lang.String objectDN, java.lang.Integer securityRightsLevel) throws NPKI_Exception
The Security Rights Level attribute is built from the following bit flags:
NPKI_CA_RIGHTS_DEFAULT
NPKI_CA_RIGHTS_READ_NCP
NPKI_CA_RIGHTS_WRITE_ALL
NPKI_CA_RIGHTS_SELF_PROVISION_SERVER
NPKI_CA_RIGHTS_SELF_PROVISION_USER
NPKI_CA_RIGHTS_ISSUE_CRL_ALL
objectDN
- (IN) Specifies the Certificate Authority's fully distinguished name.
securityRightsLevel
- (OUT) Returns the value of the Security Rights Level attribute.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: findOrganizationalCA, setSecurityRightsLevel
public void setSecurityRightsLevel(java.lang.String objectDN, int securityRightsLevel) throws NPKI_Exception
The Security Rights Level attribute is built from the following bit flags:
NPKI_CA_RIGHTS_DEFAULT
NPKI_CA_RIGHTS_READ_NCP
NPKI_CA_RIGHTS_WRITE_ALL
NPKI_CA_RIGHTS_SELF_PROVISION_SERVER
NPKI_CA_RIGHTS_SELF_PROVISION_USER
NPKI_CA_RIGHTS_ISSUE_CRL_ALL
objectDN
- (IN) Specifies the Certificate Authority's fully distinguished name.
securityRightsLevel
- (IN) Specifies the value of the Security Rights Level attribute. The whole attribute is written, so compute the new value from the one returned by readSecurityRightsLevel rather than from a constant, or rights you did not intend to change will be dropped or granted.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: findOrganizationalCA, readSecurityRightsLevel
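The NPKI_CA_RIGHTS_* constants and the readSecurityRightsLevel / setSecurityRightsLevel pair above describe a single bit-mask attribute on the CA object. The following is an added example, not code from the NPKIAPI documentation or the Novell SDK, showing the read-modify-write a caller should do around those two methods: decode the mask, refuse to touch bits this code does not know about, and report rights beyond a required set. The numeric values are the documented ones; the function names (decode_rights, update_rights, excess_rights) are this example's own.

```python
# Added example (not part of the NPKIAPI documentation): working with the
# Security Rights Level bit mask that readSecurityRightsLevel returns and
# setSecurityRightsLevel writes back in full.
NPKI_CA_RIGHTS_DEFAULT = 0x0000
NPKI_CA_RIGHTS_READ_NCP = 0x0001
NPKI_CA_RIGHTS_WRITE_ALL = 0x0002
NPKI_CA_RIGHTS_SELF_PROVISION_SERVER = 0x0004
NPKI_CA_RIGHTS_SELF_PROVISION_USER = 0x0008
NPKI_CA_RIGHTS_ISSUE_CRL_ALL = 0x0010

RIGHT_NAMES = {
    NPKI_CA_RIGHTS_READ_NCP: "READ_NCP",
    NPKI_CA_RIGHTS_WRITE_ALL: "WRITE_ALL",
    NPKI_CA_RIGHTS_SELF_PROVISION_SERVER: "SELF_PROVISION_SERVER",
    NPKI_CA_RIGHTS_SELF_PROVISION_USER: "SELF_PROVISION_USER",
    NPKI_CA_RIGHTS_ISSUE_CRL_ALL: "ISSUE_CRL_ALL",
}
KNOWN_RIGHTS = sum(RIGHT_NAMES)  # 0x1F


def decode_rights(level: int) -> list:
    """Names of the documented rights set in level; ["DEFAULT"] when none are."""
    names = [name for bit, name in sorted(RIGHT_NAMES.items()) if level & bit]
    return names or ["DEFAULT"]


def unknown_bits(level: int) -> int:
    """Bits in level that this section does not document (newer server, or corruption)."""
    return level & ~KNOWN_RIGHTS


def update_rights(current: int, grant: int = 0, revoke: int = 0) -> int:
    """Value to hand to setSecurityRightsLevel: a read-modify-write that keeps
    every bit not explicitly granted or revoked, including undocumented ones."""
    if grant & revoke:
        raise ValueError("a right cannot be both granted and revoked")
    if (grant | revoke) & ~KNOWN_RIGHTS:
        raise ValueError("refusing to change undocumented rights bits")
    return (current | grant) & ~revoke


def excess_rights(level: int, required: int) -> list:
    """Documented rights present in level that the stated requirement does not need."""
    return [name for bit, name in sorted(RIGHT_NAMES.items())
            if level & bit and not required & bit]
```

The refusal to alter undocumented bits is deliberate: a mask read from a newer server may carry rights this code has no name for, and silently clearing them on the write-back is the kind of change that only shows up later as a broken CA.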
public void getCAInfo(java.lang.String objectDN, java.lang.Integer numberOfCRLConfigurations) throws NPKI_Exception
After a successful call, calls to cRLConfigurationDN can be made to retrieve information about any CRL Configurations associated with the CA.
objectDN
- (IN) Specifies the Certificate Authority's fully distinguished name.
numberOfCRLConfigurations
- (OUT) Returns the number of CRL Configurations for the CA.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: cRLConfigurationDN, findOrganizationalCA
public void cRLConfigurationDN(int index, java.lang.Integer objectFlags, java.lang.String[] objectDN, java.lang.String[] data) throws NPKI_Exception
A successful call to getCAInfo must be made prior to calling this routine. It returns information about the CRL Configurations associated with the CA.
index
- (IN) Specifies which CRL Configuration DN is to be returned.
objectFlags
- (OUT) The object flags field for the specified CRL Configuration.
objectDN
- (OUT) Returns the fully distinguished name of the specified CRL Configuration object.
data
- (OUT) Returns any special data associated with the CRL Configuration object.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: getCAInfo, findOrganizationalCA
public int getServerUTCTime(java.lang.String serverDN) throws NPKI_Exception
serverDN
- Specifies the eDirectory Server's fully distinguished name. This must be a valid eDirectory server in the current tree.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: getServerInfo
public java.lang.String getHostServerDN(java.lang.String objectDN) throws NPKI_Exception
Reads the A_HOST_SERVER attribute of objectDN and returns its value, the server DN. The eDirectory A_HOST_SERVER attribute is used on PKI and SAS objects to identify which server hosts the object (or service).
objectDN
- (IN) Specifies the fully distinguished name of the object being read. This must be a valid eDirectory object name.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: createServerCertificate, getServerInfo, userCertInfo
public int getServerCertificateStatus(java.lang.String serverDN, java.lang.String certificateName) throws NPKI_Exception
serverDN
- (IN) Specifies the fully distinguished name of the eDirectory server. This must be a valid eDirectory server in the current tree.
certificateName
- (IN) Specifies the certificate name that you want to get information about. This must be a valid certificate for the specified server.
The return value reports the status of the key material object using the following values:
KMO_EMPTY
KMO_KEY_PAIR_PRESENT
KMO_TRUSTED_ROOT_PRESENT
KMO_CERTIFICATE_PRESENT
KMO_CERTIFICATE_INVALID
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: createServerCertificate, findServerCertificateNames, getCACertificates, serverCertificateName, storeServerCertificatesFromCertificateList, storeServerCertificates
public java.lang.String getSAServiceName(java.lang.String serverDN) throws NPKI_Exception
Uses serverDN to get the Secure Authentication Service (SAS) service name of the specified server object.
serverDN
- (IN) Specifies the eDirectory server for which you want to get the associated SAS service name. This must be a valid eDirectory server in the current tree with SAS installed.
NPKI_Exception
- If an eDirectory or PKI error occurs.
public void getServerInfo(java.lang.String serverDN, int flags, java.lang.Integer keyGenerationAlgorithms, java.lang.Integer signingAlgorithms, java.lang.Integer maxValidFromTime, java.lang.Integer maxValidToTime, java.lang.Integer caOperational, java.lang.Integer pathLength, java.lang.Integer healthCheckCcode, java.lang.Integer serverVersion) throws NPKI_Exception
serverDN
- (IN) Specifies the eDirectory server's fully distinguished name. This must be a valid eDirectory server in the current tree.
flags
- (IN) Specifies which information the ping requests. The possible flags and the corresponding information acquired are listed below:
PKI_CA_INFO - Setting the flags field to PKI_CA_INFO will ensure that the proper information for creating or using a CA is retrieved.
PKI_SERVER_INFO - Setting the flags field to PKI_SERVER_INFO will ensure that the proper information for creating a server certificate is retrieved.
PKI_USER_INFO - Setting the flags field to PKI_USER_INFO will ensure that the proper information for creating a user certificate is retrieved.
PKI_SERVER_HEALTH_CHECK - Setting the flags field to PKI_SERVER_HEALTH_CHECK will cause the PKI Health Check to run on the server.
keyGenerationAlgorithms
- (OUT) Returns a bit mask indicating which key generation algorithms are available on the server. For each of the algorithms, a call to getAlgorithmInfo can be made to determine the maximum key size supported (the key generation algorithm is passed as the algorithm argument of getAlgorithmInfo). Currently only the PKI_RSA_ALGORITHM key generation algorithm is supported.
signingAlgorithms
- (OUT) Returns a bit mask indicating which signing algorithms are available on the server. The currently supported signing algorithms are listed below:
PKI_SIGN_WITH_RSA_AND_MD2 - The MD2 algorithm has known security flaws and should only be used to support older applications that do not support SHA-1 or SHA-2.
PKI_SIGN_WITH_RSA_AND_MD5 - The MD5 algorithm has practical collision attacks and should only be used to support older applications that do not support SHA-1 or SHA-2.
PKI_SIGN_WITH_RSA_AND_SHA1 - Currently the default signing algorithm. SHA-1 is no longer collision resistant either, so prefer one of the SHA-2 variants below wherever the relying software supports them.
PKI_SIGN_WITH_RSA_AND_SHA_256 - The 256-bit version of the SHA-2 algorithm.
PKI_SIGN_WITH_RSA_AND_SHA_384 - The 384-bit version of the SHA-2 algorithm.
PKI_SIGN_WITH_RSA_AND_SHA_512 - The 512-bit version of the SHA-2 algorithm.
maxValidFromTime
- (OUT) Returns the maximum starting validity period, represented as the number of seconds since 00:00:00 UTC January 1, 1970.
maxValidToTime
- (OUT) Returns the maximum ending validity period, represented as the number of seconds since 00:00:00 UTC January 1, 1970.
caOperational
- (OUT) Returns a bit mask indicating whether a certificate authority (CA) is installed and operational on the server specified in the call to getServerInfo. The current possible bit values are as follows:
PKI_NO_CA_PRESENT - The server does not host a CA.
PKI_TREE_CA_PRESENT - The server hosts the organizational CA.
pathLength
- (OUT) Indicates the path length of the CA certificates. See the X.509 basic constraints extension section for more details. Returned when flags is set to PKI_CA_INFO.
healthCheckCcode
- (OUT) Returns the completion code from the PKI Health Check when the flags field is set to PKI_SERVER_HEALTH_CHECK.
serverVersion
- (OUT) Returns the version of the PKI.NLM, PKI.DLM or pkiserver.so running on the server specified in the serverDN parameter.
NPKI_Exception
- If an eDirectory, NICI or PKI error occurs.
See also: getAlgorithmInfo
public void getAlgorithmInfo(int algorithm, java.lang.Integer maxKeyEncryptKeySize, java.lang.Integer maxSigningKeySize, java.lang.Integer maxDataEncryptKeySize) throws NPKI_Exception
A successful call to getServerInfo must have been made immediately before calling this method.
algorithm
- (IN) Specifies a bit mask indicating which algorithm information to return. The correct algorithm(s) to use are the key-generation algorithm(s) (not the signing algorithms) returned from getServerInfo. Currently only the PKI_RSA_ALGORITHM key generation algorithm is supported.
maxKeyEncryptKeySize
- (OUT) Returns the maximum key size supported for use as a key encrypting key.
maxSigningKeySize
- (OUT) Returns the maximum key size supported for use as a signing key.
maxDataEncryptKeySize
- (OUT) Returns the maximum key size supported for use as a data encrypting key.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: getServerInfo
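getServerInfo and getAlgorithmInfo are queried on both the key-generation server and the signing server, and the intersection of what they report bounds what createServerCertificate will accept. The following is an added example, not code from the NPKIAPI documentation or the Novell SDK, that turns those OUT values into the signatureAlgorithm, keySize, validFrom and validTo arguments: it prefers SHA-2 over SHA-1 and never selects MD2 or MD5, checks the requested key size against both servers, expands the 0xFFFFFFFF sentinels locally so the validity window can be checked before the NCP round trip, and decodes the packed 0x00MMmmpp serverVersion. The PKI_SIGN_WITH_* bit values are assumed for illustration (this section names the flags but not their values); ServerInfo and plan_server_certificate are this example's own names, and the sample values in the test are constructed.

```python
# Added example (not part of the NPKIAPI documentation): choosing
# createServerCertificate arguments from getServerInfo / getAlgorithmInfo results.
from dataclasses import dataclass

# PKI_SIGN_WITH_* bit values: ASSUMED for illustration, not taken from the SDK.
PKI_SIGN_WITH_RSA_AND_MD2 = 0x01
PKI_SIGN_WITH_RSA_AND_MD5 = 0x02
PKI_SIGN_WITH_RSA_AND_SHA1 = 0x04
PKI_SIGN_WITH_RSA_AND_SHA_256 = 0x08
PKI_SIGN_WITH_RSA_AND_SHA_384 = 0x10
PKI_SIGN_WITH_RSA_AND_SHA_512 = 0x20
# Documented sentinel for validFrom ("current server time") and validTo ("greatest
# period available"). As a Java int this is -1; Python keeps the unsigned value.
USE_SERVER_DEFAULT = 0xFFFFFFFF

# Strongest first. MD2 and MD5 are left out on purpose; SHA-1 is the last resort.
SIGNATURE_PREFERENCE = (PKI_SIGN_WITH_RSA_AND_SHA_512, PKI_SIGN_WITH_RSA_AND_SHA_384,
                        PKI_SIGN_WITH_RSA_AND_SHA_256, PKI_SIGN_WITH_RSA_AND_SHA1)


@dataclass(frozen=True)
class ServerInfo:
    """Constructed stand-in for the OUT parameters of getServerInfo (signingAlgorithms,
    maxValidFromTime, maxValidToTime, serverVersion) and of getAlgorithmInfo for
    PKI_RSA_ALGORITHM (maxSigningKeySize)."""
    signing_algorithms: int
    max_valid_from: int
    max_valid_to: int
    max_signing_key_size: int
    server_version: int


def decode_pkis_version(packed: int) -> tuple:
    """The PKIS_VERSION_* constants pack major/minor/patch as 0x00MMmmpp."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def choose_signature_algorithm(keygen: ServerInfo, sign: ServerInfo) -> int:
    """Strongest SHA-based algorithm reported by both servers."""
    common = keygen.signing_algorithms & sign.signing_algorithms
    for alg in SIGNATURE_PREFERENCE:
        if common & alg:
            return alg
    raise ValueError("no SHA-based signing algorithm is common to both servers")


def choose_key_size(requested: int, keygen: ServerInfo, sign: ServerInfo,
                    minimum: int = 2048) -> int:
    """createServerCertificate throws on an unsupported size; check it up front."""
    limit = min(keygen.max_signing_key_size, sign.max_signing_key_size)
    if requested < minimum:
        raise ValueError(f"{requested}-bit RSA is below the {minimum}-bit policy minimum")
    if requested > limit:
        raise ValueError(f"{requested}-bit RSA exceeds the {limit}-bit limit of a server")
    return requested


def resolve_validity(valid_from: int, valid_to: int, keygen: ServerInfo,
                     sign: ServerInfo, server_now: int) -> tuple:
    """Expand the 0xFFFFFFFF sentinels and check the window against the stricter
    of the two servers' limits (which server enforces them is an assumption here)."""
    max_from = min(keygen.max_valid_from, sign.max_valid_from)
    max_to = min(keygen.max_valid_to, sign.max_valid_to)
    start = server_now if valid_from == USE_SERVER_DEFAULT else valid_from
    end = max_to if valid_to == USE_SERVER_DEFAULT else valid_to
    if start > max_from or end > max_to or start >= end:
        raise ValueError("validity window is outside what the servers allow")
    return start, end


def plan_server_certificate(keygen, sign, requested_bits, valid_from, valid_to,
                            server_now, min_version=0):
    """Arguments for createServerCertificate, or a ValueError saying why not."""
    for info in (keygen, sign):
        if info.server_version < min_version:
            raise ValueError(f"server runs PKI {decode_pkis_version(info.server_version)}, "
                             f"need {decode_pkis_version(min_version)}")
    start, end = resolve_validity(valid_from, valid_to, keygen, sign, server_now)
    return {
        "signatureAlgorithm": choose_signature_algorithm(keygen, sign),
        "keySize": choose_key_size(requested_bits, keygen, sign),
        "validFrom": start,
        "validTo": end,
    }
```

Resolving the sentinels locally trades the server's own defaulting for a window you can inspect and log before the request is sent; if you would rather let the server pick, pass 0xFFFFFFFF through unchanged and keep only the limit check.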
public void generateCertificateFromCSR(java.lang.String caServerDN, byte[] extCSR, java.lang.String subjectDN, int signatureAlgorithm, int dateFlags, int validFrom, int validTo, NPKI_Extension keyUsage, NPKI_Extension basicConstraints, NPKI_ExtAltNames altNames, NPKI_Extension NovellAttr, NPKI_ASN1_Extensions extensions) throws NPKI_Exception
caServerDN
- (IN) Specifies the eDirectory fully distinguished name of the server that hosts the CA. This must be a valid eDirectory server in the current tree.
extCSR
- (IN) Specifies the PKCS #10 CSR that is to be sent to the CA in order to create the X.509 certificate. Because the subjectDN and signatureAlgorithm overrides below are ignored in this release, the subject name and the signature algorithm of the issued certificate come entirely from the CSR; validate the CSR contents before submitting it.
subjectDN
- (IN) Not supported in this release. Specifies a subject name to use in the certificate, rather than using the subject name in the CSR. At this time, this parameter is ignored regardless of the given value.
signatureAlgorithm
- (IN) Not supported in this release. Specifies a signature algorithm to use to sign the certificate, rather than using the signature algorithm in the CSR. A call to getServerInfo can be made to determine which signature algorithms are supported. At this time, this parameter is ignored regardless of the given value.
dateFlags
- (IN) Specifies whether dates have either a two-digit year or a four-digit year. For this release, this should be set to DEFAULT_YEAR_ENCODING.
validFrom
- (IN) Specifies the beginning of the period of validity, represented as the number of seconds since 00:00:00 UTC Jan 1, 1970, or 0xFFFFFFFF to represent the current time on the server. A call to getServerInfo can be made to determine the validity period supported by the server.
validTo
- (IN) Specifies the end of the period of validity, represented as the number of seconds since 00:00:00 UTC Jan 1, 1970, or 0xFFFFFFFF to represent the greatest validity period available on the server. A call to getServerInfo can be made to determine the validity period supported by the server.
keyUsage
- (IN) Specifies the X.509 key usage extension. See the X.509 Extensions and Key Usage Extension sections for more details.
basicConstraints
- (IN) Specifies the X.509 basic constraints extension. See the X.509 Extensions and Basic Constraints Extension sections for more details.
altNames
- (IN) Specifies the X.509 subject alternative name extension. See the X.509 Extensions and Subject Alternative Names Extension sections for more details.
NovellAttr
- (IN) Specifies the Novell Security Attributes extension. See the X.509 Extensions and Novell Security Attributes Extension sections for more details.
extensions
- (IN) Specifies any generic ASN.1 encoded extensions to add to the certificate.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: certInfo, getServerInfo
public boolean dsObjectExists(java.lang.String objectDN) throws NPKI_Exception
objectDN
- (IN) The fully distinguished name of the object to be checked.
NPKI_Exception
- If an eDirectory or PKI error occurs.
public void createServerCertificate(java.lang.String keyGenServerDN, java.lang.String signServerDN, java.lang.String certificateName, int keyType, int keySize, java.lang.String subjectDN, int signatureAlgorithm, int dateFlags, int validFrom, int validTo, int publicKeyFlags, int privateKeyFlags, NPKI_Extension keyUsage, NPKI_Extension basicConstraints, NPKI_ExtAltNames altNames, NPKI_Extension NovellAttr, NPKI_ASN1_Extensions extensions) throws NPKI_Exception
When calling createServerCertificate, three different modes can be used: single server mode, dual server mode, or external CA mode. Depending on the mode selected, different NCPs will be sent and different results will occur.
Single server mode: signServerDN should be set to null, and publicKeyFlags should consist of the define PUBLIC_KEY_SINGLE_SERVER combined with any optional public key flags desired. After a successful call to createServerCertificate, the newly generated server certificate and its corresponding certificate chain are stored in eDirectory. The newly generated server certificate is returned and can be accessed by making a call to certInfo.
NOTE: Single Server mode is possible only when the key generation server also hosts a CA.
Dual server mode: publicKeyFlags should consist of the define PUBLIC_KEY_TWO_SERVER combined with any optional public key flags desired. The newly generated server certificate is returned and can be accessed by making a call to certInfo. After a successful call to createServerCertificate it is necessary to store the newly generated certificate and its corresponding certificate chain. Retrieve the certificate chain by calling getCACertificates with the flags field set to PKI_OBJECT_KEY_CERTIFICATE combined with PKI_SELF_SIGNED_CERTIFICATE. After the successful call to getCACertificates you should call certificateList to add the certificates one at a time with the flags field set to PKI_ADD_CERT. Once all the certificates have been added, make the call again with the flags field set to PKI_SORT_LIST. You must call storeServerCertificatesFromCertificateList to actually store the certificates into the object.
External CA mode: signServerDN should be set to null, and publicKeyFlags should consist of the define PUBLIC_KEY_EXTERNAL_CA combined with any optional public key flags desired. A PKCS #10 CSR will be generated and can be accessed by making a call to csrInfo. The CSR should be sent to the external CA, which will send a new X.509 server certificate in response. The new X.509 server certificate signed (created) by the external CA, as well as the external CA's certificate chain, should be added by making calls to certificateList with the flags field set to PKI_ADD_CERT. Once all the certificates have been added, make the call again with the flags field set to PKI_SORT_LIST. You must call storeServerCertificatesFromCertificateList to actually store the certificates into the object. This method of storing certificates will handle PKCS #7 file(s) that contain multiple certificates.
To be able to back up the server private key, the optional private key flag PRIVATE_KEY_EXTRACTABLE must be used.
keyGenServerDN
- (IN) Specifies the eDirectory FDN of the server for which an X.509 certificate will be generated.
signServerDN
- (IN) Specifies the eDirectory FDN of the server that hosts the CA that will be used to sign the X.509 certificate.
certificateName
- (IN) Specifies the certificate name to be used to identify the key pair and corresponding certificate.
keyType
- (IN) Specifies the type of key that is to be generated. For this release, the only supported key type is RSA, that is, a value of PKI_RSA_ALGORITHM.
keySize
- (IN) Specifies the requested size of the key to be generated. If the requested key size cannot be generated, an exception will be thrown and no key will be generated. A call to getServerInfo with flags set to PKI_SERVER_INFO followed by a call to getAlgorithmInfo can be made to get the supported key sizes on this server. The intersection of the key sizes and algorithms supported by the keyGenServerDN and the signServerDN are the valid key sizes and algorithms.
subjectDN
- (IN) Specifies the subject DN. This is the name to be encoded in the subject field of the X.509 certificate. The subject field identifies the entity associated with the public/private key pair. (For more information see RFC 2459 Section 4.1.2.6.)
signatureAlgorithm
- (IN) Specifies which signature algorithm will be used to sign the certificate. A call to getServerInfo can be made to determine which signature algorithms are supported.
dateFlags
- (IN) Specifies whether dates have either a two-digit year or a four-digit year. For this release, this should be set to DEFAULT_YEAR_ENCODING.
validFrom
- (IN) Specifies the beginning of the period of validity, represented as the number of seconds since 00:00:00 UTC Jan 1, 1970, or 0xFFFFFFFF to represent the current time on the server. A call to getServerInfo can be made to determine the validity period supported by the server.
validTo
- (IN) Specifies the end of the period of validity, represented as the number of seconds since 00:00:00 UTC Jan 1, 1970, or 0xFFFFFFFF to represent the greatest validity period available on the server. A call to getServerInfo can be made to determine the validity period supported by the server.
publicKeyFlags
- (IN) Specifies the public key options to use when creating the key pair. Use one of the mode flags described above (PUBLIC_KEY_SINGLE_SERVER, PUBLIC_KEY_TWO_SERVER or PUBLIC_KEY_EXTERNAL_CA), together with any optional public key flags.
privateKeyFlags
- (IN) Specifies the private key options to use when creating the key pair. For this release use the define PRIVATE_KEY, optionally OR'ed with PRIVATE_KEY_EXTRACTABLE to enable extraction of the server's private key into a PKCS #12 file (PKCS #12 is the standard format for extracting and importing keys). An extractable private key can leave the server, so set this flag only when a backup or migration of the key is actually required. When using the PRIVATE_KEY_EXTRACTABLE flag and including the Novell Security Attributes Extension, it is necessary to bitwise-OR the extractable option (that is, NOVELL_EXTENSION_EXTRACTABLE_KEY) along with the appropriate Novell attribute NOVELL_EXTENSION_SERVER_DEFAULT into the flags field of the Novell Security Attributes Extension.
keyUsage
- (IN) Specifies the X.509 key usage extension. See the X.509 Extensions and the Key Usage Extension sections for more details.
basicConstraints
- (IN) Specifies the X.509 basic constraints extension. See the X.509 Extensions and Basic Constraints Extension sections for more details.
altNames
- (IN) Specifies the X.509 subject alternative name extension. See the X.509 Extensions and the Subject Alternative Names Extension sections for more details.
NovellAttr
- (IN) Specifies the Novell Security Attributes extension. See the X.509 Extensions and Novell Security Attributes Extension sections for more details.
extensions
- (IN) Specifies any generic ASN.1 encoded extensions to add to the certificate.
NPKI_Exception
- If an eDirectory, NICI or PKI error occurs.
See also: getServerCertificateStatus, getCACertificates, getServerInfo, storeServerCertificates, certificateList, storeServerCertificatesFromCertificateList, csrInfo, certInfo, findServerCertificateNames, serverCertificateName
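In dual server and external CA mode the caller is responsible for handing certificateList a complete chain before PKI_SORT_LIST and storeServerCertificatesFromCertificateList run, and storeServerCertificates then checks that the certificate's subject matches the requested name unless PKI_WAIVE_SUBJECT_NAME_IN_CERTIFICATE is set. The following is an added example, not code from the NPKIAPI documentation or the Novell SDK, of the check worth doing on your side first: order the certificates returned by an external CA from leaf to root, confirm the leaf carries the requested subject, and report anything that is not on that path. In practice each record would be filled from the parsed X.509 or PKCS #7 DER; here CertRecord is this example's own type populated from constructed sample values, and "self-signed" is approximated by subject == issuer (the real test is verifying the signature with the certificate's own public key).

```python
# Added example (not part of the NPKIAPI documentation): checking the certificate
# list from an external CA before it is added with certificateList / PKI_ADD_CERT,
# sorted with PKI_SORT_LIST and stored with storeServerCertificatesFromCertificateList.
from dataclasses import dataclass


@dataclass(frozen=True)
class CertRecord:
    """Constructed stand-in for a parsed certificate: only the two names needed here."""
    subject: str
    issuer: str


def order_chain(requested_subject: str, certs: list) -> tuple:
    """Return (chain ordered leaf -> root, certificates not on that path).

    Raises ValueError when the leaf for requested_subject is missing (the case
    PKI_WAIVE_SUBJECT_NAME_IN_CERTIFICATE would otherwise paper over), when an
    issuer is absent from the list, when the list contains two certificates with
    the same subject (cross-signed CAs: pick one path before storing), or when
    the issuer links loop instead of ending at a self-signed root."""
    by_subject = {}
    for cert in certs:
        if cert.subject in by_subject:
            raise ValueError(f"two certificates with subject {cert.subject!r}; choose one path")
        by_subject[cert.subject] = cert

    leaf = by_subject.get(requested_subject)
    if leaf is None:
        raise ValueError(f"no certificate carries the requested subject {requested_subject!r}")

    chain, current = [leaf], leaf
    while current.subject != current.issuer:  # a self-signed certificate ends the walk
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ValueError(f"issuer {current.issuer!r} of {current.subject!r} is not in the list")
        if issuer in chain:
            raise ValueError("issuer links form a loop; no self-signed root reached")
        chain.append(issuer)
        current = issuer

    leftovers = [cert for cert in certs if cert not in chain]
    return chain, leftovers
```

Anything reported in the leftovers list has no business in the object: store only the ordered chain, and treat a non-empty leftovers list from a CA response as something to look at rather than silently drop.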
public byte[] csrInfo() throws NPKI_Exception
A successful call to createServerCertificate (using the external CA method) must be made just prior to calling this routine.
NPKI_Exception
- If an eDirectory or PKI error occurs.
See also: createServerCertificate
public byte[] certInfo() throws NPKI_Exception
A successful call to either generateCertificateFromCSR or createServerCertificate must have been made just prior to calling this routine.
NPKI_Exception
- If a PKI error occurs.
See also: generateCertificateFromCSR, createServerCertificate
public void createUserCertificate(java.lang.String keyGenServerDN, java.lang.String signServerDN, java.lang.String userDN, java.lang.String nickName, int keyType, int keySize, java.lang.String subjectDN, int signatureAlgorithm, int dateFlags, int validFrom, int validTo, int publicKeyFlags, int privateKeyFlags, NPKI_Extension keyUsage, NPKI_Extension basicConstraints, NPKI_ExtAltNames altNames, NPKI_Extension NovellAttr, NPKI_ASN1_Extensions extensions) throws NPKI_Exception

The key pair is stored securely in eDirectory as an attribute on the user's object. The private key is cryptographically wrapped using NICI (Novell International Cryptographic Infrastructure) to protect the key.

When calling createUserCertificate, three different modes can be used: single server mode, dual server mode, or external mode (external mode is not supported in this release). Depending on the mode selected, different NCPs will be sent and different results will occur.

In single server mode, signServerDN should be set to null, and publicKeyFlags should consist of the define PUBLIC_KEY_SINGLE_SERVER combined with any optional public key flags desired. The newly generated user certificate will be returned and can be accessed by making a call to userCertInfo.

In dual server mode, publicKeyFlags should consist of the define PUBLIC_KEY_TWO_SERVER combined with any optional public key flags desired. The newly generated user certificate will be returned and can be accessed by making a call to userCertInfo.

PKI_E_ADD_CERTIFICATE may be returned when using the dual server mode; this means that although the certificate was created, it could not be stored in eDirectory because of replication delays. A successful call to storeUserCertificate should be made if this error occurs. (The fields userDN, nickName, and signServerDN should be the same as in createUserCertificate; the flags field should be set to PKI_INTERNAL_KEY_PAIR and all other fields should be either null or 0.)

The signServerDN must host a CA in the current tree. Calls to findKeyGenServersForUser and getServerInfo can be made to determine which servers meet the requirements to act as a CA for a specified user.

After a successful call to createUserCertificate, the certificate can be obtained by making a call to userCertInfo using a parameter of 0 in the index field.

Parameters:
keyGenServerDN - (IN) Specifies the eDirectory fully distinguished name of the server that will be used to generate the user's key pair.
signServerDN - (IN) Specifies the eDirectory fully distinguished name of the server that hosts the CA that will be used to generate the X.509 certificate.
userDN - (IN) Specifies the fully distinguished name of a user object for which a certificate will be generated. This must be a valid eDirectory user object in the current tree.
nickName - (IN) Specifies the certificate nickname. This name will be used to identify the key pair and associated certificate. This name must be unique for the specified user.
keyType - (IN) Specifies the type of key that the caller wants to be generated. A call to getServerInfo can be made to get the supported key generation algorithms. For this release, the only supported key type is PKI_RSA_ALGORITHM.
keySize - (IN) Specifies the requested size of the key to be generated. If the key size requested cannot be generated, an exception will be thrown and no key will be generated. A call to getServerInfo followed by a call to getAlgorithmInfo can be made to get the supported key sizes on this server. The intersection of the key sizes and algorithms supported by the keyGenServerDN and the signServerDN are the valid key sizes and algorithms.
subjectDN - (IN) Specifies the subject DN. This is the name to be encoded in the subject field in the X.509 certificate. The subject field identifies the entity associated with the public/private key pair. (For more information see RFC 2459 Section 4.1.2.6.) This field should be null if the subject name (in the user certificate) is to be the user's typed fully distinguished eDirectory name. If a name other than the eDirectory username is desired, then this field must contain that typed fully distinguished name (and publicKeyFlags must include the flag PKI_CUSTOM_SUBJECT_NAME).
signatureAlgorithm - (IN) Specifies the signature algorithm to use to sign the certificate. To get the supported algorithms, the call getServerInfo must be made. For this release, signatureAlgorithm must be set to one of the following:
PKI_SIGN_WITH_RSA_AND_MD2
PKI_SIGN_WITH_RSA_AND_MD5
PKI_SIGN_WITH_RSA_AND_SHA1
PKI_SIGN_WITH_RSA_AND_SHA_256
PKI_SIGN_WITH_RSA_AND_SHA_384
PKI_SIGN_WITH_RSA_AND_SHA_512
dateFlags - (IN) Specifies whether dates have either a two-digit year or a four-digit year. For this release, this should be set to DEFAULT_YEAR_ENCODING.
validFrom - (IN) Specifies the beginning of the period of validity, represented as the number of seconds since 00:00:00 UTC Jan 1, 1970, or 0xFFFFFFFF to represent the current time on the server. A call to getServerInfo can be made to determine the greatest validity period available on the server.
validTo - (IN) Specifies the end of the period of validity, represented as the number of seconds since 00:00:00 UTC Jan 1, 1970, or 0xFFFFFFFF to represent the greatest validity period available on the server. A call to getServerInfo can be made to determine the greatest validity period available on the server.
publicKeyFlags - (IN) Specifies the public key options to use when creating the key pair. Use one of the following flags, together with any optional public key flags:
PUBLIC_KEY_SINGLE_SERVER - Used when the signing server is the same as the key generation server.
PUBLIC_KEY_TWO_SERVER - Used when the signing server is not the same as the key generation server.
privateKeyFlags - (IN) Specifies the private key options to use when creating the key pair. For this release use the define PRIVATE_KEY together with any optional private key flags. There currently is one optional private key flag (PRIVATE_KEY_EXTRACTABLE). To use this optional flag, it must be bitwise-OR'ed with the value PRIVATE_KEY to enable extraction of a user's private key into a PKCS #12 file (PKCS #12 is the standard format to import keys into a browser). When using the PRIVATE_KEY_EXTRACTABLE flag and including the Novell Security Attributes Extension, it is necessary to bitwise-OR the extractable option (NOVELL_EXTENSION_EXTRACTABLE_KEY) with the appropriate Novell attribute (NOVELL_EXTENSION_USER_DEFAULT).
keyUsage - (IN) Specifies the X.509 key usage extension. See the X.509 Extensions and Key Usage Extension sections for more details.
basicConstraints - (IN) Specifies the X.509 basic constraints extension. See the X.509 Extensions and Basic Constraints Extension sections for more details.
altNames - (IN) Specifies the X.509 subject alternative name extension. See the X.509 Extensions and Subject Alternative Names Extension sections for more details.
NovellAttr - (IN) Specifies the Novell Security Attributes extension. See the X.509 Extensions and Novell Security Attributes Extension sections for more details.
extensions - (IN) Specifies any generic ASN.1 encoded extensions to add to the certificate. See the X.509 Extensions section for more details.

Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.

See Also:
findUserCertificates, userCertInfo, storeUserCertificate, deleteUserCertificate
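An added example (not Novell's code or part of this reference) of the dual server mode flow described above: the call itself, the PKI_E_ADD_CERTIFICATE recovery through storeUserCertificate, and retrieval of the result via userCertInfo. It assumes an NPKIAPI instance that is already authenticated to the tree (login is outside this section), that the PKI_*, PUBLIC_KEY_* and PRIVATE_KEY defines are static fields of NPKIAPI, that null is accepted for the optional extension parameters, and a hypothetical getErrorCode() accessor on NPKI_Exception; the DNs and nickname are placeholders.

```java
import com.novell.security.japi.pki.NPKIAPI;
import com.novell.security.japi.pki.NPKI_Exception;

// Added example; not part of the Novell Certificate Server API or its documentation.
public class DualServerUserCert {

    // Placeholder DNs and nickname: replace with objects from your own tree.
    static final String KEYGEN_SERVER_DN = "CN=KEYGEN-SRV.O=EXAMPLE";
    static final String SIGN_SERVER_DN   = "CN=CA-HOST-SRV.O=EXAMPLE"; // must host a CA
    static final String USER_DN          = "CN=alice.OU=Users.O=EXAMPLE";
    static final String NICKNAME         = "alice-dual";                // unique per user

    static final int ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

    /**
     * Creates the certificate in dual server mode and returns the DER-encoded
     * X.509 certificate that ends up stored on the user object.
     */
    static byte[] createAndStore(NPKIAPI api) throws NPKI_Exception {
        // validFrom: 0xFFFFFFFF means "the current time on the server".
        int validFrom = 0xFFFFFFFF;
        // validTo is derived from the local clock; the server clock is what is
        // compared against, so keep the two synchronised.
        int validTo = (int) (System.currentTimeMillis() / 1000L) + ONE_YEAR_SECONDS;

        boolean stored = true;
        try {
            api.createUserCertificate(
                KEYGEN_SERVER_DN, SIGN_SERVER_DN, USER_DN, NICKNAME,
                NPKIAPI.PKI_RSA_ALGORITHM,
                2048,                                   // check getAlgorithmInfo on both servers
                null,                                   // subject = user's eDirectory FDN
                NPKIAPI.PKI_SIGN_WITH_RSA_AND_SHA_256,  // MD2/MD5/SHA1 are listed but obsolete
                NPKIAPI.DEFAULT_YEAR_ENCODING,
                validFrom, validTo,
                NPKIAPI.PUBLIC_KEY_TWO_SERVER,          // generated on one server, signed on another
                NPKIAPI.PRIVATE_KEY,                    // no PRIVATE_KEY_EXTRACTABLE: key stays in eDirectory
                null, null, null, null, null);          // ASSUMPTION: extensions may be null
        } catch (NPKI_Exception e) {
            if (!isAddCertificateError(e)) {
                throw e;                                // real failure: no certificate was issued
            }
            stored = false;                             // issued, but not stored (replication delay)
        }

        if (!stored) {
            // Same userDN, nickName and signServerDN as above; flags =
            // PKI_INTERNAL_KEY_PAIR; cert null and vendorID 0 as documented.
            api.storeUserCertificate(USER_DN, NICKNAME, SIGN_SERVER_DN,
                                     NPKIAPI.PKI_INTERNAL_KEY_PAIR, null, 0);
        }

        // Index 0 holds the certificate produced by the createUserCertificate call.
        String[] nick = new String[1];
        Integer status = Integer.valueOf(0);
        Integer vendor = Integer.valueOf(0);
        byte[] der = api.userCertInfo(0, nick, status, vendor);
        if (der == null || der.length == 0) {
            throw new IllegalStateException("no certificate returned for " + NICKNAME);
        }
        return der;
    }

    /** ASSUMPTION: NPKI_Exception exposes the PKI error code through getErrorCode(). */
    static boolean isAddCertificateError(NPKI_Exception e) {
        return e.getErrorCode() == NPKIAPI.PKI_E_ADD_CERTIFICATE;
    }
}
```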
public void deleteUserCertificate(java.lang.String userDN, java.lang.String nickName, int flags, byte[] certificate) throws NPKI_Exception

The certificate field is used if there is no nickname for the user certificate. This can happen if the certificate was added through LDAP. If the nickName field has a value, then certificate can be null.

WARNING: Deleting a certificate can have severe consequences such as the inability to read encrypted email or encrypted files.

Parameters:
userDN - (IN) Specifies the fully distinguished name of a user object. This must be a valid eDirectory user object in the current tree.
nickName - (IN) Specifies the certificate nickname. This name is used to identify the key pair and associated certificate. This name must be unique for the specified user.
flags - (IN) This should currently be set to 0.
certificate - (IN) Specifies the DER encoded X.509 certificate you wish to be deleted.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
findUserCertificates, createUserCertificate
public int readAllNickNames(java.lang.String userDN) throws NPKI_Exception

Reads all the certificate nicknames of the user specified by userDN and stores them in context-specific data values. Calls to nickName can be made to retrieve each of the nicknames.

Parameters:
userDN - (IN) Specifies the eDirectory user's fully distinguished name for which you want to read certificate names. userDN must be a valid user object in the current tree.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
findUserCertificates, nickName
public java.lang.String nickName(int index) throws NPKI_Exception

A successful call to readAllNickNames must be made before calling this routine.

Parameters:
index - (IN) Specifies which nickname is to be returned.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
findUserCertificates, readAllNickNames
public void storeUserCertificate(java.lang.String userDN, java.lang.String nickName, java.lang.String signerDN, int flags, byte[] cert, int vendorID) throws NPKI_Exception

Parameters:
userDN - (IN) Specifies the fully distinguished name of a user object. This must be a valid eDirectory user object in the current tree.
nickName - (IN) Specifies the certificate nickname. This name will be used to identify the key pair and associated certificate. This name must be unique for the specified user.
signerDN - (IN) Specifies the eDirectory fully distinguished name of the object that signed the certificate. If the certificate is an external certificate, signerDN can be set to point to the trusted root object that contains the certificate of the signing CA, or it can be set to the user object.
flags - (IN) Specifies options when storing user certificates. If the key pair was generated by the Novell Certificate Server and the private key is stored in eDirectory, then the flag PKI_INTERNAL_KEY_PAIR should be used. If the key pair was generated external to the Novell Certificate Server, then the flag PKI_EXTERNAL_KEY_PAIR should be used.
cert - (IN) Specifies the DER encoded X.509 certificate you want to store. (A null can be passed in this field if a call to createUserCertificate was made just prior, and an error PKI_E_ADD_CERTIFICATE was returned. The flag PKI_INTERNAL_KEY_PAIR must be set when passing a null.)
vendorID - (IN) Specifies which vendor supplied the certificate. If the flag PKI_INTERNAL_KEY_PAIR is set, then this field is ignored, and the vendorID is set to PKI_VENDOR_NOVELL.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
createUserCertificate, findUserCertificates
public int certificateList(byte[] certificate, int flags) throws NPKI_Exception

certificateList can store, remove, and/or sort the internal certificate chain structure. A subsequent call to storeServerCertificatesFromCertificateList will store the chain of certificates to a Key Material Object (KMO).

Parameters:
certificate - (IN) The X.509 certificate or PKCS#7 certificate to be acted upon.
flags - (IN) Specifies the task to perform on the certificate being passed in. Use one or more of the following flags:
PKI_ADD - Used to add a certificate to the certificate list. When using this flag, the field certificate must point to a valid X.509 DER encoded certificate. This flag can be used alone or with PKI_SORT. Using this flag with PKI_DELETE causes an error.
PKI_DELETE - Used to remove a certificate from the certificate list. When using this flag, the field certificate must point to a valid X.509 DER encoded certificate. This flag can be used alone or with PKI_SORT. Using this flag with PKI_ADD causes an error.
PKI_CLEAR - Used to remove all the certificates from the certificate list. When using this flag, the field certificate should be set to null. This flag must be used alone.
PKI_SORT - Used to sort the certificates in the certificate list. This flag can be used with either PKI_ADD or PKI_DELETE. When used alone, the field certificate should be null. If the certificates in the certificate list do not form a complete chain, the PKI_E_BROKEN_CHAIN exception will be thrown.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

public void storeServerCertificatesFromCertificateList(java.lang.String serverDN, java.lang.String certificateName, int flags, int trustedRootIndex) throws NPKI_Exception

Stores the certificate chain built by calls to certificateList to the Key Material Object (KMO) of the specified server, typically after a call to createServerCertificate.

Two of the three modes of calling createServerCertificate require subsequent calls to certificateList and storeServerCertificatesFromCertificateList.

In the two server mode, after successfully calling createServerCertificate, a successful call to getCACertificates should be made to retrieve the CA's self-signed certificate. Call certificateList to add the self-signed certificate to the list. Then call certInfo to retrieve the newly created server certificate. Next call certificateList to add it to the list. Then call storeServerCertificatesFromCertificateList to store the certificates.

In the external certificate authority mode, calls to certificateList should be made for each of the certificates to store the whole certificate chain from root to leaf. Then a call to storeServerCertificatesFromCertificateList should be made to store the newly formed chain to the KMO.

Parameters:
serverDN - (IN) The distinguished name of the server.
certificateName - (IN) Identifies which server certificate you want to store.
flags - (IN) Reserved; pass in zero.
trustedRootIndex - (IN) Specifies which certificate will be marked as the trusted root. Use one of the following defines:

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
getCACertificates, createServerCertificate, findServerCertificateNames, serverCertificateName
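An added example (not Novell's code) of the external certificate authority mode described above: the chain is read from DER files root first, checked locally for linkage and signatures with the JDK's CertificateFactory before anything is sent to the server, then loaded into the internal list with PKI_CLEAR, PKI_ADD and PKI_SORT and stored with storeServerCertificatesFromCertificateList. It assumes an authenticated NPKIAPI instance, that the PKI_* defines are static fields of NPKIAPI, and uses a named placeholder for the trustedRootIndex define, which this page lists only by reference.

```java
import com.novell.security.japi.pki.NPKIAPI;
import com.novell.security.japi.pki.NPKI_Exception;

import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example; not part of the Novell Certificate Server API or its documentation.
public class StoreExternalChain {

    // ASSUMPTION / placeholder: the trustedRootIndex define that marks the root
    // certificate of the list. Substitute the real define from the NPKIAPI reference.
    static final int TRUSTED_ROOT_INDEX_PLACEHOLDER = 0;

    /**
     * Loads DER files given root first and leaf last, and refuses the chain if any
     * link is expired, has the wrong issuer, or fails signature verification.
     * Doing this client-side gives a clearer error than PKI_E_BROKEN_CHAIN later.
     */
    static List<byte[]> loadAndCheckChain(String... derPaths) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<byte[]> ders = new ArrayList<>();
        X509Certificate previous = null;
        for (String path : derPaths) {
            byte[] der = Files.readAllBytes(Paths.get(path));
            X509Certificate cert = (X509Certificate)
                cf.generateCertificate(new ByteArrayInputStream(der));
            cert.checkValidity();                        // expired or not yet valid: throws
            if (previous == null) {
                cert.verify(cert.getPublicKey());        // the root must be self-signed
            } else {
                if (!cert.getIssuerX500Principal().equals(previous.getSubjectX500Principal())) {
                    throw new IllegalArgumentException("issuer/subject mismatch at " + path);
                }
                cert.verify(previous.getPublicKey());    // signed by the previous link
            }
            ders.add(der);
            previous = cert;
        }
        return ders;
    }

    /** Rebuilds the internal certificate list from the chain and stores it to the KMO. */
    static void storeChain(NPKIAPI api, String serverDN, String certificateName,
                           List<byte[]> rootToLeaf) throws NPKI_Exception {
        api.certificateList(null, NPKIAPI.PKI_CLEAR);    // PKI_CLEAR must be used alone
        for (byte[] der : rootToLeaf) {
            api.certificateList(der, NPKIAPI.PKI_ADD);   // PKI_ADD alone; never with PKI_DELETE
        }
        // PKI_SORT alone (certificate null) orders the list and throws
        // PKI_E_BROKEN_CHAIN if the certificates do not form a complete chain.
        api.certificateList(null, NPKIAPI.PKI_SORT);
        api.storeServerCertificatesFromCertificateList(
            serverDN, certificateName, 0 /* reserved */, TRUSTED_ROOT_INDEX_PLACEHOLDER);
    }

    /** Typical use; serverDN, KMO name and file names are placeholders. */
    static void run(NPKIAPI api) throws Exception {
        List<byte[]> chain = loadAndCheckChain("root.der", "intermediate.der", "server.der");
        storeChain(api, "CN=WEB-SRV.O=EXAMPLE", "SSL CertificateDNS", chain);
    }
}
```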
public int findUserCertificates(java.lang.String userDN, java.lang.String nickName, byte[] serialNumber, int keyType, int minKeySize, int maxKeySize, int searchOnKeyUsage, short keyUsageValue, java.lang.String issuerDN, java.lang.String subjectDN, int certificateValid, int vendorID, int certificateStatus) throws NPKI_Exception

Finds each certificate of the user specified by userDN that meets the search criteria, stores the certificates in context-specific values, and returns the number of certificates that meet the search criteria. Calls to userCertInfo can then be made to access the certificates and their sizes.

If nickName is specified, then the certificate matching the nickname is returned (assuming a valid nickname) and all the other search parameters are ignored. For all other cases, the set of certificates will match all of the search criteria. If no search criteria are specified, then all certificates for the user will be available.

Sample Code: FindUserCerts.java

Parameters:
userDN - (IN) Specifies the eDirectory user's fully distinguished name for which you want to find a certificate. userDN must be a valid user object in the current tree.
nickName - (IN) (Optional) Specifies the certificate nickname that identifies which user certificate is to be read. nickName must be either null or a valid certificate nickname for the specified user.
serialNumber - (IN) (Optional) Specifies the certificate serial number. serialNumber must be either null or the serial number of a certificate for the specified user.
keyType - (IN) (Optional) Specifies the algorithm type used to generate the public/private key pair. Currently the only algorithm supported is RSA (see PKI_RSA_ALGORITHM). If keyType is not specified, then it should be set to zero.
minKeySize - (IN) (Optional) Specifies the minimum key size of the public/private key pair. If minKeySize is not specified, then it should be set to zero.
maxKeySize - (IN) (Optional) Specifies the maximum key size of the public/private key pair. If maxKeySize is not specified, then it should be set to zero.
searchOnKeyUsage - (IN) (Optional) Specifies whether to search using the keyUsageValue field. This field is necessary because a value of zero is valid for the keyUsageValue field. searchOnKeyUsage should be set to either TRUE or FALSE.
keyUsageValue - (IN) (Optional) Specifies the X.509 certificate extension, Key Usage. keyUsage is a bit field, and can either be zero (that is, not present or not specified) or it can be constructed using any valid combination of the following defines:
issuerDN - (IN) (Optional) Specifies the X.509 typed fully distinguished name of the CA that issued the certificate. If issuerDN is not specified, then it should be set to null.
subjectDN - (IN) (Optional) Specifies the X.509 typed fully distinguished subject name of the certificate. If subjectDN is not specified, then it should be set to null.
certificateValid - (IN) (Optional) Specifies a specific date on which the requested certificate will be valid. The date is represented as the number of seconds since 00:00:00 UTC January 1, 1970. If certificateValid is not specified, then it should be set to zero.
vendorID - (IN) (Optional) Specifies the vendor that issued the certificate. This parameter can be used to narrow the search to certificates supplied by a specific vendor. If vendorID is not specified, then it should be set to zero or PKI_ALL_VENDORS.
certificateStatus - (IN) (Optional) Specifies the status of the certificates you want to find. This field can be used to narrow the search to certificates that have a specific status. If certificateStatus is not specified, then it should be set to zero.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
userCertInfo, createUserCertificate, storeUserCertificate
public byte[] userCertInfo(int index, java.lang.String[] nickName, java.lang.Integer certStatus, java.lang.Integer vendorID) throws NPKI_Exception

A successful call to either createUserCertificate or findUserCertificates must have been made just prior to calling this routine.

Parameters:
index - (IN) Specifies which certificate is to be returned. index is 0 based.
nickName - (OUT) Returns the certificate nickname. This name is used to identify the key pair and associated certificate. This name must be unique for the specified user.
certStatus - (OUT) Returns the status of the certificate.
vendorID - (OUT) Returns the vendor ID associated with the certificate.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
createUserCertificate, findUserCertificates
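An added example (not Novell's code, and not the FindUserCerts.java sample the page refers to) that uses findUserCertificates with no search criteria and then walks every certificate with userCertInfo, parsing each DER blob with the JDK to flag certificates that expire within 30 days, carry an RSA key shorter than 2048 bits, or are signed with MD2, MD5 or SHA-1. It assumes an authenticated NPKIAPI instance; the check on a parsed certificate is kept in its own method so it can be exercised without a directory.

```java
import com.novell.security.japi.pki.NPKIAPI;
import com.novell.security.japi.pki.NPKI_Exception;

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

// Added example; not part of the Novell Certificate Server API or its documentation.
public class UserCertAudit {

    static final int MIN_RSA_BITS = 2048;
    static final long THIRTY_DAYS_MS = 30L * 24 * 60 * 60 * 1000;

    /** Returns one finding per certificate attribute that needs attention. */
    static List<String> audit(NPKIAPI api, String userDN)
            throws NPKI_Exception, CertificateException {
        // No search criteria: every certificate stored on the user object is returned.
        int count = api.findUserCertificates(
            userDN,
            null,              // nickName: null, otherwise all other criteria are ignored
            null,              // serialNumber
            0, 0, 0,           // keyType, minKeySize, maxKeySize
            0, (short) 0,      // searchOnKeyUsage = FALSE, keyUsageValue unused
            null, null,        // issuerDN, subjectDN
            0, 0, 0);          // certificateValid, vendorID, certificateStatus

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Date soon = new Date(System.currentTimeMillis() + THIRTY_DAYS_MS);
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < count; i++) {                // index is 0 based
            String[] nick = new String[1];
            Integer status = Integer.valueOf(0);
            Integer vendor = Integer.valueOf(0);
            byte[] der = api.userCertInfo(i, nick, status, vendor);
            X509Certificate cert = (X509Certificate)
                cf.generateCertificate(new ByteArrayInputStream(der));
            findings.addAll(check(nick[0], cert, soon));
        }
        return findings;
    }

    /** Pure check on one parsed certificate; no directory access. */
    static List<String> check(String nickName, X509Certificate cert, Date soon) {
        List<String> out = new ArrayList<>();
        String label = nickName + " (serial " + cert.getSerialNumber().toString(16) + ")";
        if (cert.getNotAfter().before(soon)) {
            out.add(label + ": expires " + cert.getNotAfter());
        }
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            if (bits < MIN_RSA_BITS) {
                out.add(label + ": RSA key is only " + bits + " bits");
            }
        }
        // JDK names look like "SHA256withRSA", "MD5withRSA", "SHA1withRSA".
        String sigAlg = cert.getSigAlgName();
        if (sigAlg.startsWith("MD2") || sigAlg.startsWith("MD5") || sigAlg.startsWith("SHA1")) {
            out.add(label + ": signed with " + sigAlg);
        }
        return out;
    }
}
```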
public void importUserKey(java.lang.String userDN, java.lang.String nickName, java.lang.String password, int flags, byte[] pfx) throws NPKI_Exception

PKI NCP Calls: 0x2222 93 10 Write Key

Parameters:
userDN - (IN) Specifies the fully distinguished name of the user on which to store the private key and certificate. This must be a valid user object in the current tree.
nickName - (IN) Specifies the nickname of the certificate and private key you want to import.
password - (IN) Specifies the password used to decrypt the private key and certificate.
flags - (IN) Specifies options for importing the user key and certificate. There are not currently any defined flags. Pass a zero value.
pfx - (IN) The PKCS #12 encoded data to import.

Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.

See Also:
exportUserKey, createTrustedRootContainer, findTrustedRootsInContext
public void importServerKey(java.lang.String serverDN, java.lang.String certificateName, java.lang.String password, int flags, byte[] pfx) throws NPKI_Exception

PKI NCP Calls: 0x2222 93 10 Write Key

Parameters:
serverDN - (IN) Specifies the eDirectory server's fully distinguished name. This must be a valid eDirectory server in the current tree.
certificateName - (IN) Specifies the name of the certificate and private key you want to import. If the KMO corresponding to certificateName does not exist, one will be created.
password - (IN) Specifies the password used to decrypt the private key and certificate.
flags - (IN) Specifies options for importing the server key and certificate. The flags currently defined are:
pfx - (IN) The PKCS #12 encoded data to import.

Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.

See Also:
exportServerKey
public void importCAKey(java.lang.String hostServerDN, java.lang.String organizationalCAName, java.lang.String password, int flags, byte[] pfx) throws NPKI_Exception

NPKI NCP Calls: 0x2222 93 10 Write Key

Parameters:
hostServerDN - (IN) Specifies the fully distinguished name of the server that will host the CA.
organizationalCAName - (IN) Specifies the name of the Organizational CA object. If the CA object does not exist, one will be created.
password - (IN) Specifies the password used to decrypt the private key and certificate(s).
flags - (IN) Specifies options for importing the CA key and certificate. The flags currently defined are:
pfx - (IN) The PKCS #12 encoded data to import.

Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.

See Also:
exportCAKey
public byte[] exportUserKey(java.lang.String nickname, java.lang.String password, int flags) throws NPKI_Exception

The key and certificate are encrypted using the input password as specified in the Public Key Cryptography Standards (PKCS) #12.

PKI NCP Calls: 0x2222 93 09 Read Key

Parameters:
nickname - (IN) Specifies the certificate nickname that identifies which private key and certificates are to be exported. nickname must be a valid certificate nickname for the currently logged-in user in the current tree.
password - (IN) Specifies the password to use to encrypt the private key and certificate.
flags - (IN) Specifies options for exporting the user key and certificates. The flags currently defined are:
PKI_CHAIN_CERTIFICATE - Exports the chain of certificates in the certification path along with the specified user certificate.

Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.

public byte[] exportServerKey(java.lang.String serverDN, java.lang.String certificateName, java.lang.String password, int flags) throws NPKI_Exception

PKI NCP Calls: 0x2222 93 09 Read Key

Parameters:
serverDN - (IN) Specifies the fully distinguished name of the eDirectory server whose private key and certificates you want to export. This must be a valid eDirectory server in the current tree.
certificateName - (IN) Specifies which private key and certificates you want to export. Must be a valid certificate name for the specified server.
password - (IN) Specifies the password to use to encrypt the private key and certificates.
flags - (IN) Specifies options for exporting the server key and certificates. The flags currently defined are:
PKI_CHAIN_CERTIFICATE - Exports the chain of certificates in the certification path along with the specified server certificate.

Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.

public byte[] exportCAKey(java.lang.String organizationalCAName, java.lang.String password, int flags) throws NPKI_Exception

PKI NCP Calls: 0x2222 93 09 Read Key

Parameters:
organizationalCAName - (IN) Specifies the name of the CA object (for example, if your CA is called "Organizational CA" and it exists in the Security container, this field should be set to "Organizational CA"). This must be a valid eDirectory name of a CA object in the current tree.
password - (IN) Specifies the password to use to encrypt the private key and certificate.
flags - (IN) Specifies options for exporting the CA key and certificate. The flags currently defined are:
PKI_CA_KEY_AND_CERTS - Exports the CA self-signed certificate and the chain of certificates in the certification path.

Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.

See Also:
importCAKey
public void KMOExportRead(java.lang.String objectDN, java.lang.Integer numberOfValues) throws NPKI_Exception

Reads the configured export values of the specified SAS:Service object into context-specific data values. Calls to KMOExportValue can then be made to acquire the values.

Parameters:
objectDN - (IN) Specifies the fully distinguished name of the SAS:Service object to read.
numberOfValues - (OUT) Returns the number of configured values.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
getSAServiceName, KMOExportValue, KMOExportWrite
public void KMOExportValue(int index, java.lang.String[] certificateName, java.lang.String[] certificatePath, java.lang.String[] keyPath, java.lang.Integer keyType) throws NPKI_Exception

A successful call to either KMOExportRead or KMOExportAddValue must be made prior to making this call.

Parameters:
index - (IN) Specifies which value is to be returned. index is 0 based.
certificateName - (OUT) Returns the certificate name identifying which server certificate is to be exported.
certificatePath - (OUT) Returns the complete file name and path (in UTF8) of the file where the server certificate chain is to be exported.
keyType - (OUT) Returns the key type that the server private key is to be exported in. The supported key types are:
NPKI_RAW_PRIVATE_KEY_INFO (PKCS#8)
NPKI_RAW_PRIVATE_KEY (PKCS#1)

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
KMOExportRead, KMOExportAddValue, KMOExportClearValue, KMOExportClearAllValues, KMOExportWrite
public void KMOExportAddValue(java.lang.String certificateName, java.lang.String certificatePath, java.lang.String keyPath, int keyType) throws NPKI_Exception

Adds a value to the export value list. The list is written to eDirectory by a subsequent call to KMOExportWrite.

Parameters:
certificateName - (IN) Specifies the certificate name identifying which server certificate is to be exported.
certificatePath - (IN) Specifies the complete file name and path (in UTF8) of the file where the server certificate chain is to be exported.
keyType - (IN) Specifies the key type that the server private key is to be exported in. The supported key types are:
NPKI_RAW_PRIVATE_KEY_INFO (PKCS#8)
NPKI_RAW_PRIVATE_KEY (PKCS#1)

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
KMOExportRead, KMOExportValue, KMOExportClearValue, KMOExportClearAllValues, KMOExportWrite
public void KMOExportClearValue(int index) throws NPKI_Exception

Removes the specified value from the export value list. The change is written to eDirectory by a subsequent call to KMOExportWrite.

Parameters:
index - (IN) Specifies which value is to be cleared. index is 0 based.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
KMOExportRead, KMOExportValue, KMOExportAddValue, KMOExportClearAllValues, KMOExportWrite
public void KMOExportClearAllValues() throws NPKI_Exception

Removes all values from the export value list. The change is written to eDirectory by a subsequent call to KMOExportWrite.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
KMOExportRead, KMOExportValue, KMOExportAddValue, KMOExportClearValue, KMOExportWrite
public void KMOExportWrite(java.lang.String objectDN) throws NPKI_Exception

Writes the export value list to the specified SAS:Service object. Before calling this routine, use KMOExportAddValue to add values to the list or KMOExportClearValue to remove values from the list.

Parameters:
objectDN - (IN) Specifies the fully distinguished name of the SAS:Service object to be written to.

Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

See Also:
KMOExportRead, KMOExportValue, KMOExportAddValue, KMOExportClearValue, KMOExportClearAllValues
public java.lang.String createOrganizationalCA(java.lang.String serverDN, java.lang.String organizationalCAName, int keyType, int keySize, java.lang.String subjectDN, int signatureAlgorithm, int dateFlags, int validFrom, int validTo, int publicKeyFlags, int privateKeyFlags, NPKI_Extension keyUsage, NPKI_Extension basicConstraints, NPKI_ExtAltNames altNames, NPKI_Extension NovellAttr, NPKI_ASN1_Extensions extensions, int retryFlag) throws NPKI_Exception

This call gives serverDN supervisor (S) rights to the All_Attributes ACL of the CA object, sets the NDSPKI:Organizational CA DN attribute of the Security container to be the distinguished name of the CA object, and gives [Public] read (R) rights to the NDSPKI:Organizational CA DN attribute of the Security container.

This call makes the Install CA NCP call to serverDN. This causes PKI services to generate an RSA key pair, create two X.509 certificates (one self-signed and one signed by the server's machine unique key) and store all of this information in the CA object.

PKI NCP Calls: 0x2222 92 02 Install CA

Parameters:
serverDN - (IN) Specifies the eDirectory server that will host the organizational CA. This must be a valid eDirectory server in contextDN.
organizationalCAName - (IN) Specifies the CA object name.
keyType - (IN) Specifies the type of key that the caller wants to be generated. For this release, the only supported key type is RSA or a value of PKI_RSA_ALGORITHM.
keySize - (IN) Specifies the size of the key to be generated. If the key size requested cannot be generated, an exception will be thrown and no key will be generated. A call to getServerInfo with flags set to PKI_CA_INFO followed by a call to getAlgorithmInfo can be made to get the supported key sizes on the server.
subjectDN - (IN) Specifies the subject DN. This is the name to be encoded in the subject field in the X.509 certificate. The subject field identifies the entity associated with the public/private key pair. (For more information see RFC 2459 Section 4.1.2.6.)
signatureAlgorithm - (IN) Specifies the algorithm to use to sign the certificate. A call to getServerInfo can be made to determine which signature algorithms are supported.
dateFlags - (IN) Specifies whether dates have either a two-digit year or a four-digit year. For this release, this should be set to DEFAULT_YEAR_ENCODING.
validFrom - (IN) Specifies the beginning of the period of validity, represented as the number of seconds since 00:00:00 UTC Jan 1, 1970, or as 0xFFFFFFFF to represent the current time on the server. A call to getServerInfo can be made to determine the validity period supported by the server.
validTo - (IN) Specifies the end of the period of validity, represented as the number of seconds since 00:00:00 UTC Jan 1, 1970, or as 0xFFFFFFFF to represent the greatest validity period available on the server. A call to getServerInfo can be made to determine the validity period supported by the server.
publicKeyFlags - (IN) Specifies the public key options to use when creating the key pair. For this release, use the define PUBLIC_KEY_SINGLE_SERVER, together with any optional public key flags.
privateKeyFlags - (IN) Specifies the private key options to use when creating the key pair. For this release, use the define PRIVATE_KEY. There is currently one optional private key flag, PRIVATE_KEY_EXTRACTABLE. To use this optional flag, it must be ORed with the value PRIVATE_KEY to enable extraction of the CA's private key into a PKCS #12 file (PKCS #12 is the standard format for extracting and importing keys). This flag must be used to enable backup of the CA's private key.
keyUsage - (IN) Specifies the X.509 key usage extension. See the X.509 Extensions and the Key Usage Extension sections for more details.
basicConstraints - (IN) Specifies the X.509 basic constraints extension. See the X.509 Extensions and the Basic Constraints Extension sections for more details.
altNames - (IN) Specifies the X.509 subject alternative name extension. See the X.509 Extensions and the Subject Alternative Names Extension sections for more details.
NovellAttr - (IN) Specifies the Novell Security Attributes extension. See the X.509 Extensions and Novell Security Attributes Extension sections for more details.
extensions - (IN) Specifies any generic ASN.1 encoded extensions to add to the certificate. Pass in a null.
retryFlag - (IN) Specifies if the call is a retry. When createOrganizationalCA is called, a CA object is created; however, eDirectory may take some time to replicate the object. Because of the possibility of replication delay, subsequent calls to createOrganizationalCA may be necessary (for example, if previous calls fail due to replication delay); however, subsequent calls should be made with the retryFlag set to PKI_RETRY so that the system will not try to create a new CA object.

Returns:
The fully distinguished name of the CA object. The caller supplies only organizationalCAName, and the system concatenates it with the Security container's name to get the CA object's FDN.

Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.

See Also:
findOrganizationalCA, getServerUTCTime, getServerInfo, getAlgorithmInfo
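An added example (not Novell's code) of the retry behaviour described for retryFlag: the first attempt is made with retryFlag 0, and every later attempt with PKI_RETRY so that a CA object that already exists but has not yet replicated is reused rather than duplicated. It assumes an authenticated NPKIAPI instance, that the PKI_*, PUBLIC_KEY_SINGLE_SERVER, PRIVATE_KEY and PRIVATE_KEY_EXTRACTABLE defines are static fields of NPKIAPI, and that null is accepted for the four optional extension objects; the DNs are placeholders.

```java
import com.novell.security.japi.pki.NPKIAPI;
import com.novell.security.japi.pki.NPKI_Exception;

// Added example; not part of the Novell Certificate Server API or its documentation.
public class CreateOrgCA {

    // Placeholders: replace with the hosting server and subject name for your tree.
    static final String HOST_SERVER_DN = "CN=CA-HOST-SRV.O=EXAMPLE";
    static final String CA_NAME        = "Organizational CA";
    static final String CA_SUBJECT_DN  = "OU=Organizational CA.O=EXAMPLE";

    static final int  MAX_ATTEMPTS   = 5;
    static final long RETRY_DELAY_MS = 10_000L;   // give replication time between attempts

    /**
     * Creates the Organizational CA and returns the FDN of the CA object.
     * allowBackup adds PRIVATE_KEY_EXTRACTABLE, which is required for a later
     * exportCAKey backup but also makes the CA key exportable to PKCS #12.
     */
    static String createWithRetry(NPKIAPI api, boolean allowBackup)
            throws NPKI_Exception, InterruptedException {
        int privateKeyFlags = NPKIAPI.PRIVATE_KEY;
        if (allowBackup) {
            privateKeyFlags |= NPKIAPI.PRIVATE_KEY_EXTRACTABLE;
        }

        int retryFlag = 0;                 // first attempt creates the CA object
        NPKI_Exception last = null;
        for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
            try {
                return api.createOrganizationalCA(
                    HOST_SERVER_DN, CA_NAME,
                    NPKIAPI.PKI_RSA_ALGORITHM,
                    2048,                               // confirm with getServerInfo(PKI_CA_INFO) + getAlgorithmInfo
                    CA_SUBJECT_DN,
                    NPKIAPI.PKI_SIGN_WITH_RSA_AND_SHA_256,
                    NPKIAPI.DEFAULT_YEAR_ENCODING,
                    0xFFFFFFFF,                         // validFrom: current time on the server
                    0xFFFFFFFF,                         // validTo: greatest period the server allows
                    NPKIAPI.PUBLIC_KEY_SINGLE_SERVER,   // the only mode documented for this call
                    privateKeyFlags,
                    null, null, null, null,             // ASSUMPTION: extension objects may be null
                    null,                               // extensions: "pass in a null" (documented)
                    retryFlag);
            } catch (NPKI_Exception e) {
                last = e;
                // The page does not name the replication-delay error code, so every
                // failure is retried; a production caller should inspect the code and
                // only loop on the replication case. PKI_RETRY prevents a second CA object.
                retryFlag = NPKIAPI.PKI_RETRY;
                Thread.sleep(RETRY_DELAY_MS);
            }
        }
        throw last;
    }
}
```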
public void getCRLConfigurationInfo(java.lang.String objectDN, java.lang.Integer status, java.lang.Integer cRLNumber, java.lang.Integer issueTime, java.lang.Integer attemptTime, java.lang.Integer nextIssueTime, java.lang.Integer intervalUnitType, java.lang.Integer intervalNumberOfUnits, java.lang.Integer fileNameSpaceType, java.lang.String[] fileVolumeDN, java.lang.String[] fileVolumePath, java.lang.Integer numberOfCRLDistributionPoints, java.lang.String[] cLRdistributionPointDN, java.lang.String[] certificateAuthorityDN) throws NPKI_Exception

Parameters:
objectDN - (IN) The fully distinguished name of the CRL Configuration object.
status - (OUT) Returns the status of the last attempted CRL issuance.
cRLNumber - (OUT) Returns the CRL number of the last CRL issued.
issueTime - (OUT) Returns the time the last CRL was issued.
attemptTime - (OUT) Returns the time of the last attempt to issue a CRL.
nextIssueTime - (OUT) Returns the next scheduled issue time.
intervalUnitType - (OUT) Returns the interval unit type (i.e. hour, day, week etc.).
intervalNumberOfUnits - (OUT) Returns the interval number of units.
fileNameSpaceType - (OUT) Returns the Name Space Type field of the CRL filename.
fileVolumeDN - (OUT) Returns the Volume DN field of the CRL filename.
fileVolumePath - (OUT) Returns the Volume Path field of the CRL filename.
numberOfCRLDistributionPoints - (OUT) Returns the number of CRL Distribution Points. Calls to getCRLDistributionPoint() can be used to retrieve the CRL Distribution Points.
cLRdistributionPointDN - (OUT) Returns the DN of the CRL Distribution Point object.
certificateAuthorityDN - (OUT) Returns the DN of the Certificate Authority object.

Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.

See Also:
getCRLDistributionPoint, createCRLConfiguration
public void getCRLDistributionPoint(int index, java.lang.String[] cRLDistributionPoint) throws NPKI_Exception

Parameters:
index - (IN) Specifies which CRL Distribution Point to return. NOTE: index is 0 based.
cRLDistributionPoint - (OUT) Returns the CRL Distribution Point.

Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.

See Also:
getCRLConfigurationInfo
public void createPKIContainer(int flags, java.lang.String objectName, java.lang.String contextDN, int type, java.lang.String linkObjectDN) throws NPKI_Exception

Parameters:
flags - (IN) No flags are currently defined; pass in NULL.
objectName - (IN) The name of the object to be created.
contextDN - (IN) The context in which the object will be created.
type - (IN) (Optional) Specifies which type of PKI container to create. The possible types of containers are listed below:
  PKI_TYPE_CRL_CONTAINER - This type of container is used to store CRL configuration objects. NOTE: Only a single CRL container should be created.
  PKI_TYPE_CERTIFICATE_CONTAINER - This type of container is used to store certificate objects.
linkObjectDN - (IN) (Optional) Specifies which object to create a link on. Currently all links should be created on the Certificate Authority object (ex. "CN=Organizational CA.CN=Security").
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.

public void createCRLConfiguration(int flags, java.lang.String objectName, java.lang.String contextDN, java.lang.String hostServerDN) throws NPKI_Exception

Parameters:
flags - (IN) No flags are currently defined; pass in NULL.
objectName - (IN) The name of the object to be created.
contextDN - (IN) The context in which the object will be created.
hostServerDN - (IN) The server which will host the CRL generation.
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.
See Also:
createPKIContainer, getCRLConfigurationInfo, setCRLFileName, setNextIssueTime, setTimeInterval, setDistributionPoints, setCertificateAuthorityDN, setDistributionPointDNList
public void setCRLFileName(java.lang.String objectDN, int nameSpaceType, java.lang.String volumeDN, java.lang.String volumePath) throws NPKI_Exception

Parameters:
objectDN - (IN) The fully distinguished name of the CRL Configuration Object.
nameSpaceType - (IN) The Name Space Type field of the CRL filename. This field is really only relevant on NetWare, and the specified name space must be supported on the NetWare volume. On all other platforms pass a zero. The possible name space types are listed below:
  PKI_NS_DOS - The DOS name space (the default name space).
  PKI_NS_MACINTOSH - The Macintosh name space.
  PKI_NS_UNIX - The Unix name space.
  PKI_NS_FTAM - The FTAM name space.
  PKI_NS_OS2 - The OS2 name space.
volumeDN - (IN) The Volume DN field of the CRL filename on NetWare. On all other platforms use the DN of the Server object.
volumePath - (IN) The Volume Path field of the CRL filename.
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.
See Also:
createCRLConfiguration, getCRLConfigurationInfo
public void setNextIssueTime(java.lang.String objectDN, int nextIssueTime) throws NPKI_Exception

NOTE: After successfully calling setNextIssueTime, a call to issueCRL should be made in order for the changes to take effect immediately. If the call to issueCRL is not made, the changes will not take effect until the next regularly scheduled CRL issuance.

Parameters:
objectDN - (IN) The fully distinguished name of the CRL Configuration Object.
nextIssueTime - (IN) The next issuance time according to UTC, represented as the number of seconds since 00:00:00 UTC January 1, 1970.
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.
See Also:
createCRLConfiguration, getCRLConfigurationInfo, issueCRL
public void setTimeInterval(java.lang.String objectDN, int unitType, int numberOfUnits) throws NPKI_Exception

NOTE: After successfully calling setTimeInterval, a call to issueCRL should be made in order for the changes to take effect immediately. If the call to issueCRL is not made, the changes will not take effect until the next regularly scheduled CRL issuance.

Parameters:
objectDN - (IN) The fully distinguished name of the CRL Configuration Object.
unitType - (IN) The interval unit type. The possible unit types are listed below:
  PKI_MINUTES - Specifies minutes as the unit type.
  PKI_HOURS - Specifies hours as the unit type.
  PKI_DAYS - Specifies days as the unit type.
  PKI_WEEKS - Specifies weeks as the unit type.
  PKI_MONTHS - Specifies months as the unit type.
numberOfUnits - (IN) The interval number of units.
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.
See Also:
createCRLConfiguration, getCRLConfigurationInfo, issueCRL
public void setDistributionPoints(java.lang.String objectDN, int flags, java.lang.String distributionPoint) throws NPKI_Exception

Parameters:
objectDN - (IN) The fully distinguished name of the CRL Configuration Object.
flags - (IN) Specifies which operation to perform. Use one of the following flags:
  PKI_ADD - Adds the specified CRL Distribution Point. This flag must be used alone.
  PKI_DELETE - Deletes the specified CRL Distribution Point. This flag must be used alone.
  PKI_CLEAR - Clears all CRL Distribution Points. This flag must be used alone.
distributionPoint - (IN) Specifies the CRL Distribution Point.
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.
See Also:
createCRLConfiguration, getCRLConfigurationInfo
public void setCertificateAuthorityDN(java.lang.String objectDN, java.lang.String certificateAuthorityDN) throws NPKI_Exception

Parameters:
objectDN - (IN) The fully distinguished name of the CRL Configuration Object (ex. "CN=One - Configuration.CN=CRL Container.CN=Security").
certificateAuthorityDN - (IN) Specifies the DN of the Certificate Authority object (ex. "CN=Organizational CA.CN=Security").
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.
See Also:
createCRLConfiguration, getCRLConfigurationInfo
public void createCRLDistributionPoint(int flags, java.lang.String objectName, java.lang.String contextDN, java.lang.String linkObjectDN) throws NPKI_Exception

Parameters:
flags - (IN) No flags are currently defined; pass in NULL.
objectName - (IN) The name of the object to be created.
contextDN - (IN) The context in which the object will be created.
linkObjectDN - (IN) (Optional) Specifies which object to create a link on. The link object should be the corresponding CRL Configuration object. NOTE: The linkObjectDN is optional ONLY when the CRL Distribution Point to be created is NOT to be used as part of the Novell Certificate Server.
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.
See Also:
createPKIContainer, createCRLConfiguration
public void setDistributionPointDNList(java.lang.String objectDN, int flags, int objectFlags, java.lang.String linkObjectDN, java.lang.String data) throws NPKI_Exception

NOTE: Currently the system only supports one Configuration Object linked to the CA.

Parameters:
objectDN - (IN) The fully distinguished name of the CA Object.
flags - (IN) Specifies the task to perform on the attribute. Use one of the following flags:
  PKI_ADD - Used to add a DN to the list. When using this flag, the field linkObjectDN must point to a valid CRL Configuration object. This flag must be used alone.
  PKI_DELETE - Used to remove a DN from the list. When using this flag, the field linkObjectDN must point to a valid CRL Configuration object. This flag must be used alone.
  PKI_CLEAR - Used to remove all the entries from the list. When using this flag, the field linkObjectDN should be set to null. This flag must be used alone.
objectFlags - (IN) Specifies information about the CRL Configuration object. Currently only one value is valid:
  PKI_DEFAULT_CONFIGURATION - Used to set this CRL Configuration object as the default one.
linkObjectDN - (IN) The fully distinguished name of the CRL Configuration Object.
data - (IN) Not currently used.
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS or PKI error code if not successful.
See Also:
createCRLConfiguration
public void issueCRL(java.lang.String cRLConfiguationDN, int flags) throws NPKI_Exception

PKI NCP Calls: 0x2222 93 16 PKI ISSUE CRL

Parameters:
cRLConfiguationDN - (IN) Specifies the CRL configuration object from which the CRL is to be generated.
flags - (IN) Specifies any flags. Currently no flags are defined; pass in NULL.
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS, PKI, or NICI error code if not successful.
See Also:
revokeCertificate
public void revokeCertificate(java.lang.String cRLConfiguationDN, java.lang.String ndsObject, byte[] certificate, int flags, int reasonCode, int invalidityDate, java.lang.String comment, java.lang.Integer nextIssuanceDate) throws NPKI_Exception

PKI NCP Calls: 0x2222 93 15 PKI Revoke Certificate

Parameters:
cRLConfiguationDN - (IN) Specifies the CRL configuration object that will be used to revoke the certificate. This should be the same configuration object that was in use when the certificate was issued. NOTE: The X.500 type CRL distribution point encoded in the certificate can be used to determine the correct configuration object (the configuration object is the parent of the CRL object).
ndsObject - (IN) The ndsObject for which the certificate was created.
certificate - (IN) The certificate to be revoked.
flags - (IN) Specifies any flags. Currently no flags are defined; pass in NULL.
reasonCode - (IN) Specifies the reason the certificate is being revoked. Possible reasons include:
invalidityDate - (IN) (Optional) Specifies the date on which it is known or suspected that the certificate became invalid.
comment - (IN) (Optional) Specifies any additional comments that the revoker wishes to record in the CRL database. The comment will not be put into the CRL.
nextIssuanceDate - (OUT) Indicates when the CRL is next scheduled to be issued.
Throws:
NPKI_Exception - Returns 0 if successful, or an NDS, PKI, or NICI error code if not successful.
See Also:
issueCRL
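A revocation only protects relying parties once it appears in a published CRL, so revokeCertificate is normally followed by issueCRL rather than left to the schedule (the nextIssuanceDate OUT value tells you how long the wait would otherwise be). The following is an added example for this page, not code from the documentation or from Novell. It assumes api is an initialized, logged-in NPKIAPI instance; that reasonCode uses the X.509 CRLReason numbering from RFC 5280 (keyCompromise = 1, cessationOfOperation = 5), which the page does not confirm because its list of reasons was not preserved; and that invalidityDate is seconds since the epoch, the encoding the page documents for setNextIssueTime.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import com.novell.security.japi.pki.NPKIAPI;
import com.novell.security.japi.pki.NPKI_Exception;

/*
 * Added example (not from the NPKIAPI documentation): revoke a certificate
 * through its CRL Configuration object and publish a new CRL immediately.
 */
public class RevokeAndPublish {
    // Assumed to match the API's reasonCode values: RFC 5280 CRLReason numbering.
    public static final int REASON_KEY_COMPROMISE = 1;
    public static final int REASON_CESSATION_OF_OPERATION = 5;

    /**
     * Revokes derCert and issues a CRL. Returns the next scheduled issuance time
     * reported by revokeCertificate (assumed to be seconds since the epoch).
     */
    public static int revoke(NPKIAPI api, String crlConfigDN, String subjectObjectDN,
                             byte[] derCert, int reasonCode, long invalidityEpochSeconds,
                             String comment) throws Exception {
        // Parse the DER with the JDK first: a malformed blob should fail here with a
        // readable message, not deep inside the native call.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(derCert));
        if (invalidityEpochSeconds < cert.getNotBefore().getTime() / 1000L) {
            throw new IllegalArgumentException("invalidity date precedes the certificate's notBefore");
        }
        if (invalidityEpochSeconds > Integer.MAX_VALUE) {
            throw new IllegalArgumentException("invalidity date does not fit the int parameter");
        }

        Integer nextIssuance = new Integer(0);   // OUT parameter: fresh instance, filled in place
        // flags: no flags are defined for revokeCertificate, so pass 0.
        api.revokeCertificate(crlConfigDN, subjectObjectDN, derCert, 0, reasonCode,
                (int) invalidityEpochSeconds, comment, nextIssuance);

        // Do not leave the revocation sitting in the CRL database until the next
        // scheduled issuance; publish now.
        api.issueCRL(crlConfigDN, 0);

        System.out.println("Revoked " + cert.getSubjectX500Principal()
                + " serial 0x" + cert.getSerialNumber().toString(16)
                + "; CRL issued (schedule would have published at " + nextIssuance.intValue() + ")");
        return nextIssuance.intValue();
    }
}
```

The comment argument is worth using: the page notes it is kept in the CRL database but never copied into the CRL itself, so it is the right place for an internal ticket reference without leaking it to relying parties.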
public void getServerKMOInfo(int cacheContext, java.lang.String serverDN, java.lang.String certificateName, int flags, byte[][] objectCert, java.lang.Integer numberOfChainCerts, java.lang.Integer rootCertIndex, byte[][] wrappedKey, java.lang.Integer numberOfAdditionalRoots, byte[][] terisaKeyFile) throws NPKI_Exception

Parameters:
cacheContext - (IN) (Optional) Specifies a context handle to a NPKIT Cache context previously created. The flag PKI_READ_AND_CACHE_DATA must be set in order for the API to put information into the Cache context.
serverDN - (IN) Specifies the fully distinguished name of the eDirectory Server whose KMO information you want to get. This must be a valid eDirectory server in the current tree.
certificateName - (IN) Specifies which server certificate set you want to get.
flags - (IN) Specifies what is done with the information. The flags currently defined are the following:
objectCert - (OUT) Returns the object certificate for the specified server.
numberOfChainCerts - (OUT) Returns the number of certificates in the certificate chain. Calls to chainCertInfo can be used to retrieve the certificates in the certificate chain.
rootCertIndex - (OUT) Returns which certificate in the certificate chain is marked as the root certificate.
wrappedKey - (OUT) Returns the wrapped private key.
numberOfAdditionalRoots - (OUT) Returns the number of additional root certificates in the KMO. Calls to additionalRootsInfo can be used to retrieve the additional root certificates.
terisaKeyFile - (OUT) Returns the Terisa Key File, if it exists.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
findServerCertificateNames, serverCertificateName, chainCertInfo, additionalRootsInfo
public byte[] getServerCertificates(java.lang.String serverDN, java.lang.String certificateName, int flags, java.lang.Integer numberOfChainCerts, java.lang.Integer rootCertIndex) throws NPKI_Exception

PKI NCP Calls: 0x2222 93 05 PKI Get Certificate

Parameters:
serverDN - (IN) Specifies the fully distinguished name of the eDirectory Server whose certificates you want to get. This must be a valid eDirectory server in the current tree.
certificateName - (IN) Specifies which server certificate set you want to get.
flags - (IN) Specifies which certificates are read and stored. The flags currently defined are the following:
  PKI_CHAIN_CERTIFICATE - Retrieves the certificate chain.
  PKI_TRUSTED_ROOT_CERTIFICATE - Retrieves the trusted root certificate.
  PKI_OBJECT_KEY_CERTIFICATE - Retrieves the object certificate (that is, the certificate for the specified object).
  PKI_CHAIN_CERTIFICATE and PKI_TRUSTED_ROOT_CERTIFICATE cannot be combined.
numberOfChainCerts - (OUT) Returns the number of certificates in the certificate chain. Calls to chainCertInfo can be used to retrieve the certificates in the certificate chain.
rootCertIndex - (OUT) Returns which certificate in the certificate chain is marked as the root certificate.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
createServerCertificate, getCACertificates, storeServerCertificatesFromCertificateList, storeServerCertificates, chainCertInfo, findServerCertificateNames, serverCertificateName
public byte[] getCACertificates(java.lang.String objectDN, int flags, java.lang.Integer numberOfChainCerts, java.lang.Integer rootCertIndex) throws NPKI_Exception

objectDN and stores them in context specific values. The flags field determines which certificates are read. A call to chainCertInfo can be made to access the certificates in the chain.

PKI NCP Calls: 0x2222 93 05 PKI Get Certificate

Parameters:
objectDN - (IN) Specifies the fully distinguished name of the object whose CA certificates you want to get. objectDN must be a valid CA object in the current tree.
flags - (IN) Specifies which certificates are read and stored. The flags currently defined are the following:
  PKI_CHAIN_CERTIFICATE - Retrieves the certificate chain (that is, the chain rooted in the Novell Certifier CA). Only software that natively understands and processes the Novell Security Attributes Extension should use this chain.
  PKI_TRUSTED_ROOT_CERTIFICATE - Retrieves the trusted root certificate. Only software that natively understands and processes the Novell Security Attributes Extension should use this certificate.
  PKI_SELF_SIGNED_CERTIFICATE - Retrieves the self-signed certificate.
  PKI_OBJECT_KEY_CERTIFICATE - Retrieves the object certificate (that is, the certificate for the specified object). Only software that natively understands and processes the Novell Security Attributes Extension should use this certificate.
  getServerCertificates and getCACertificates use the same internal variables to store results; each call to one of these functions destroys the result of any previous call.
numberOfChainCerts - (OUT) Returns the number of certificates in the certificate chain. Calls to chainCertInfo can be made to retrieve the certificates in the certificate chain.
rootCertIndex - (OUT) Returns which certificate in the certificate chain is marked as the root certificate.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
chainCertInfo, findOrganizationalCA
public byte[] additionalRootsInfo(int index) throws NPKI_Exception

A successful call to getServerKMOInfo must have been made prior to calling this routine.

Parameters:
index - (IN) Specifies which additional root certificate is to be returned. NOTE: index is 0 based.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

public byte[] chainCertInfo(int index) throws NPKI_Exception

A successful call to either getCACertificates or getServerCertificates must have been made prior to calling this routine.

Parameters:
index - (IN) Indicates which certificate is to be returned.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
getCACertificates, getServerCertificates
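Because getServerCertificates and getCACertificates share one set of internal result variables and chainCertInfo reads from them, the chain has to be drained immediately after the retrieving call. The following is an added example for this page (not code from the documentation or from Novell) that does exactly that for a server certificate set and then checks the result with the JDK's own X.509 parser. It assumes api is an initialized, logged-in NPKIAPI instance; that the CHAIN_CERT field shown in this class's field summary is the Java constant for the PKI_CHAIN_CERTIFICATE flag described above (the page uses both names without saying how they map); and, since the page does not say what the byte[] returned by getServerCertificates contains, it relies on chainCertInfo alone for the chain.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import com.novell.security.japi.pki.NPKIAPI;
import com.novell.security.japi.pki.NPKI_Exception;

/*
 * Added example (not from the NPKIAPI documentation): fetch a server
 * certificate chain and verify issuer linkage and the marked root locally.
 */
public class ServerChainInspector {

    public static final class Chain {
        public final List<X509Certificate> certs;
        public final int rootIndex;   // index the API marks as the root (rootCertIndex)
        Chain(List<X509Certificate> certs, int rootIndex) { this.certs = certs; this.rootIndex = rootIndex; }
    }

    public static Chain readChain(NPKIAPI api, String serverDN, String certificateName) throws Exception {
        Integer chainCount = new Integer(0);   // OUT parameters: fresh instances, filled in place
        Integer rootIndex = new Integer(0);
        // NPKIAPI.CHAIN_CERT is assumed to be the Java constant for PKI_CHAIN_CERTIFICATE.
        api.getServerCertificates(serverDN, certificateName, NPKIAPI.CHAIN_CERT, chainCount, rootIndex);

        // Drain chainCertInfo right away: any later getServerCertificates/getCACertificates
        // call overwrites the shared internal result variables.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        for (int i = 0; i < chainCount.intValue(); i++) {
            byte[] der = api.chainCertInfo(i);
            certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return new Chain(certs, rootIndex.intValue());
    }

    /**
     * Order-independent check (the API can return chains in either direction):
     * every certificate must be verifiably signed by some certificate in the set
     * whose subject equals its issuer, the marked root must be self-signed, and
     * every certificate must be inside its validity period. Returns the problems
     * found; an empty list means the chain is sound.
     */
    public static List<String> checkChain(Chain chain) {
        List<String> problems = new ArrayList<String>();
        if (chain.rootIndex < 0 || chain.rootIndex >= chain.certs.size()) {
            problems.add("rootCertIndex " + chain.rootIndex + " is outside the chain");
            return problems;
        }
        X509Certificate root = chain.certs.get(chain.rootIndex);
        if (!isSelfSigned(root)) {
            problems.add("marked root is not self-signed: " + root.getSubjectX500Principal());
        }
        for (X509Certificate c : chain.certs) {
            try {
                c.checkValidity();
            } catch (Exception e) {
                problems.add("not currently valid: " + c.getSubjectX500Principal() + " (" + e.getMessage() + ")");
            }
            if (isSelfSigned(c)) continue;
            boolean linked = false;
            for (X509Certificate candidate : chain.certs) {
                if (!candidate.getSubjectX500Principal().equals(c.getIssuerX500Principal())) continue;
                try { c.verify(candidate.getPublicKey()); linked = true; break; } catch (Exception ignored) { }
            }
            if (!linked) problems.add("no issuer in chain verifies " + c.getSubjectX500Principal());
        }
        return problems;
    }

    private static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }
}
```

checkChain deliberately does not trust rootCertIndex on its own: it confirms that the certificate the directory marks as root really is self-signed and that every other certificate is cryptographically linked to something in the set, which is what a relying application would otherwise discover only at TLS handshake time.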
public void storeServerCertificates(java.lang.String serverDN, java.lang.String certificateName, int flags, int trustedRoot, byte[] certificate) throws NPKI_Exception

createServerCertificate.
This call has been deprecated because it can only handle a chain of two certificates; use certificateList and storeServerCertificatesFromCertificateList.

Two of the three modes of calling createServerCertificate require subsequent calls to storeServerCertificates. In the two server mode, after successfully calling createServerCertificate, a successful call to getCACertificates should be made to retrieve the CA's self-signed certificate. Then a call to storeServerCertificates should be made to store the certificates.

In the external certificate authority mode, two calls to storeServerCertificates should be made. One call should store the certificate chain and the other should store the newly created certificate. The field certificate provides the capability to send in a certificate to be stored.

PKI NCP Calls: 0x2222 93 07 Store Certificate

Parameters:
serverDN - (IN) Specifies the fully distinguished name of the eDirectory server (that is, the server which the certificate(s) are for). This must be a valid eDirectory server in the current tree.
certificateName - (IN) Specifies which server certificate you want to store.
flags - (IN) Specifies which certificates are stored. The flags currently defined are as follows:
  PKI_CHAIN_CERTIFICATE - Store the certificate chain.
  PKI_TRUSTED_ROOT_CERTIFICATE - Store the trusted root.
  PKI_SELF_SIGNED_CERTIFICATE - Store the self-signed certificate.
  PKI_OBJECT_KEY_CERTIFICATE - Store the object certificate.
  PKI_WAIVE_SUBJECT_NAME_IN_CERTIFICATE - Normally storeServerCertificates checks that the requested name and the subject name in the certificate match. This optional flag waives the check, enabling the certificate to be stored even if the requested name and certificate name are dissimilar.
  PKI_CHAIN_CERTIFICATE, PKI_TRUSTED_ROOT_CERTIFICATE, and PKI_SELF_SIGNED_CERTIFICATE are mutually exclusive. In addition, PKI_OBJECT_KEY_CERTIFICATE and PKI_TRUSTED_ROOT_CERTIFICATE are also mutually exclusive.
trustedRoot - (IN) Specifies which certificate will be marked as the trusted root. Use one of the following defines:
  PKI_ORG_CA_CERTIFICATE - Use the self-signed organizational certificate as the trusted root. This is the most commonly used option.
  PKI_NOVELL_CERTIFICATE - Use the Novell Root Certifier Certificate as the trusted root. (Use this option only if your software can natively understand and process the Novell Security Attribute.)
  If PKI_NOVELL_CERTIFICATE is used, the developer's relying software must be configured to handle the Novell Security Attributes extensions. Also see X.509 Extensions.
certificate - (IN) (Optional) Specifies a DER encoded X.509 certificate. A successful call to getCACertificates must have been made immediately prior to storeServerCertificates.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
getCACertificates, createServerCertificate, findServerCertificateNames, serverCertificateName, certificateList, storeServerCertificatesFromCertificateList
public int findServerCertificateNames(java.lang.String serverDN) throws NPKI_Exception

Calls to serverCertificateName can be made to retrieve the server certificate names.

Parameters:
serverDN - (IN) Specifies the eDirectory fully distinguished name of the server.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
createServerCertificate, serverCertificateName
public java.lang.String serverCertificateName(int index) throws NPKI_Exception

A successful call to findServerCertificateNames must have been made just prior to calling this routine.

Parameters:
index - (IN) Specifies which server certificate name is to be returned. NOTE: index is 0 based.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
findServerCertificateNames
public byte[] getWrappedServerKey(java.lang.String serverDN, java.lang.String serverCertificateName) throws NPKI_Exception

Parameters:
serverDN - (IN) Specifies the eDirectory fully distinguished server name.
serverCertificateName - (IN) Specifies which server key to retrieve.
Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.
See Also:
createServerCertificate, findServerCertificateNames, serverCertificateName
public int getServerIPAndDNSInfo(java.lang.String serverDN) throws NPKI_Exception

getServerIPAddress for each of the addresses.

PKI NCP Calls: 0x2222 93 14 GET IP AND DNS ADDRESSES

Parameters:
serverDN - (IN) Specifies the fully distinguished name of the eDirectory Server.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
getServerIPAddress, getServerDNSName
public byte[] getServerIPAddress(int index, java.lang.Short ipLength, java.lang.String[] ipNumber, java.lang.Short numberOfDNSNames) throws NPKI_Exception

The call can only be used after a successful call to getServerIPAndDNSInfo.

Parameters:
index - (IN) Specifies which IP address is to be returned.
ipLength - (OUT) Returns the length of the IP address (that is, the length of this method's return value).
ipNumber - (OUT) Returns the IP address in Unicode format.
numberOfDNSNames - (OUT) Returns the number of DNS names associated with the IP Address.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
getServerIPAndDNSInfo, getServerDNSName
public java.lang.String getServerDNSName(int index) throws NPKI_Exception

The call can only be used after a successful call to getServerIPAndDNSInfo followed by a successful call to getServerIPAddress.

Parameters:
index - (IN) Specifies which DNS Name is to be returned. This DNS name is associated with the IP address returned in the prior successful call to getServerIPAddress. NOTE: index is 0 based.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
getServerIPAddress, getServerDNSName
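The three calls above form a nested iteration: getServerIPAndDNSInfo selects the server, getServerIPAddress selects one address and reports how many DNS names hang off it, and getServerDNSName is then indexed relative to that address. The practical use of that list is to check it against the subjectAltName of the certificate the server actually presents, since a registered name missing from the certificate is the usual cause of hostname-mismatch failures. The following is an added example for this page, not code from the documentation or from Novell. It assumes api is an initialized, logged-in NPKIAPI instance; that the int returned by getServerIPAndDNSInfo is the number of addresses (the page's description of that return value is truncated); and that java.lang.Short OUT parameters are filled in place, so each must be a fresh new Short((short) 0).

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import com.novell.security.japi.pki.NPKIAPI;
import com.novell.security.japi.pki.NPKI_Exception;

/*
 * Added example (not from the NPKIAPI documentation): enumerate a server's
 * registered IP addresses and DNS names and compare them with a certificate's
 * subjectAltName.
 */
public class ServerNameCoverage {

    /** Map from IP address text to the DNS names eDirectory associates with it. */
    public static Map<String, List<String>> readServerNames(NPKIAPI api, String serverDN)
            throws NPKI_Exception {
        Map<String, List<String>> names = new LinkedHashMap<String, List<String>>();
        int addressCount = api.getServerIPAndDNSInfo(serverDN);   // assumed: returns the address count
        for (int i = 0; i < addressCount; i++) {
            Short ipLength = new Short((short) 0);   // OUT parameters: fresh instances, filled in place
            Short dnsCount = new Short((short) 0);
            String[] ipText = new String[1];
            api.getServerIPAddress(i, ipLength, ipText, dnsCount);   // raw bytes returned are not needed here
            List<String> dns = new ArrayList<String>();
            // getServerDNSName indexes the names of the address returned by the preceding
            // getServerIPAddress call, so the inner loop must run before the next address is read.
            for (int j = 0; j < dnsCount.shortValue(); j++) {
                dns.add(api.getServerDNSName(j));
            }
            names.put(ipText[0], dns);
        }
        return names;
    }

    /** Registered names (IPs and DNS names) that the certificate's subjectAltName does not cover. */
    public static List<String> uncoveredNames(Map<String, List<String>> serverNames, X509Certificate cert)
            throws Exception {
        Set<String> san = new HashSet<String>();
        Collection<List<?>> altNames = cert.getSubjectAlternativeNames();   // null when no SAN extension
        if (altNames != null) {
            for (List<?> entry : altNames) {
                // GeneralName type tags per the X509Certificate contract: 2 = dNSName, 7 = iPAddress
                int type = ((Integer) entry.get(0)).intValue();
                if (type == 2 || type == 7) {
                    san.add(((String) entry.get(1)).toLowerCase(Locale.ROOT));
                }
            }
        }
        List<String> missing = new ArrayList<String>();
        for (Map.Entry<String, List<String>> e : serverNames.entrySet()) {
            if (!san.contains(e.getKey().toLowerCase(Locale.ROOT))) missing.add(e.getKey());
            for (String dns : e.getValue()) {
                if (!san.contains(dns.toLowerCase(Locale.ROOT))) missing.add(dns);
            }
        }
        return missing;
    }
}
```

A non-empty result from uncoveredNames is a finding to fix on the certificate side, not something to paper over with a waiver flag: the names come from the directory's own view of the server, so any of them may be what a client connects to.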
public void createTrustedRootContainer(java.lang.String objectDN) throws NPKI_Exception

Trusted Root containers along with Trusted Root objects provide a method of logically grouping, managing, and accessing X.509 root (or CA) certificates within a directory service.

Sample Code: CreateTrustedRootContainer.java

Parameters:
objectDN - (IN) Specifies the eDirectory fully distinguished name of the Trusted Root container that is to be created.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
createTrustedRoot, findTrustedRootsInContext, getTrustedRootInfo
public void createTrustedRoot(java.lang.String objectDN, byte[] certificate) throws NPKI_Exception

Trusted Root containers along with Trusted Root objects provide a method of logically grouping, managing, and accessing X.509 root (or CA) certificates within a directory service.

Parameters:
objectDN - (IN) Specifies the eDirectory fully distinguished name of the Trusted Root object to be created.
certificate - (IN) Specifies the DER encoded X.509 root (or CA) certificate you wish to store in the Trusted Root object.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
createTrustedRootContainer, findTrustedRootsInContext, getTrustedRootInfo
public int findTrustedRootsInContext(java.lang.String nameContextDN) throws NPKI_Exception

For each root found, a call to getTrustedRootInfo can be made to retrieve the relevant information about the root.

Trusted Root containers, along with Trusted Root objects, provide a method of logically grouping, managing, and accessing X.509 root (or CA) certificates within a directory service.

Parameters:
nameContextDN - (IN) Specifies the eDirectory fully distinguished name of the Trusted Root container that is to be searched.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
createTrustedRootContainer, createTrustedRoot, getTrustedRootInfo
public byte[] getTrustedRootInfo(int index, java.lang.String[] name, java.lang.String[] validFrom, java.lang.String[] validTo, java.lang.String[] subjectName) throws NPKI_Exception

A successful call to findTrustedRootsInContext should be made before calling this method. Trusted Root containers, along with Trusted Root objects, provide a method of logically grouping, managing and accessing X.509 root (or CA) certificates within a directory service.

Parameters:
index - (IN) Specifies which Trusted Root object information is to be returned.
name - (OUT) Returns the eDirectory fully distinguished name of the specified Trusted Root object.
validFrom - (OUT) Returns a Unicode string representation of the starting validity of the X.509 certificate stored in the specified Trusted Root object.
validTo - (OUT) Returns a Unicode string representation of the ending validity of the X.509 certificate stored in the specified Trusted Root object.
subjectName - (OUT) Returns a Unicode representation of the subject name of the X.509 certificate stored in the specified Trusted Root object.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.
See Also:
createTrustedRootContainer, createTrustedRoot, findTrustedRootsInContext
public void verifyCertificateWithTrustedRoots(byte[] certificate, java.lang.String TRContextDN, int flags, java.lang.Integer cRLReason, java.lang.Integer cRLHoldInstruction, java.lang.Integer cRLRevocationTime, java.lang.Integer cRLInvalidityDateTime, java.lang.Integer certInvalidityReason) throws NPKI_Exception

The chain is considered complete once a self-signed certificate has been found. Once the complete certificate chain has been constructed, it is verified. Certificate revocation checking is supported.

Parameters:
certificate - (IN) Specifies the DER encoded X.509 certificate you wish to be verified.
TRContextDN - (IN) Specifies the eDirectory fully distinguished name of the Trusted Root container that is to be searched.
flags - Specifies whether to verify the certificate, check certificate revocation, both, or neither. See related flag definitions, NPKIx509 Certificate Invalidity Reasons and NPKIx509 CRL Hold Types.
cRLReason - (OUT) Returns the reason code if the certificate has been revoked (that is, the reason the certificate has been revoked: private key compromised, affiliation changed, superseded, etc.). This field is set only if the exception PKI_E_CERT_INVALID is thrown and certInvalidityReason is set to NPKIx509Invalid_Certificate_On_CRL.
cRLHoldInstruction - (OUT) Returns the hold instruction from the CRL if the certificate has been revoked and the reason code is certificateHold. This field is set only if the exception PKI_E_CERT_INVALID is thrown, certInvalidityReason is set to NPKIx509Invalid_Certificate_On_CRL, and cRLReason is set to PKI_CERTIFICATE_HOLD.
cRLRevocationTime - Returns the date the certificate became invalid. This field is set only if the exception PKI_E_CERT_INVALID is thrown and certInvalidityReason is set to NPKIx509Invalid_Certificate_On_CRL.
cRLInvalidityDateTime - Returns the date the CRL becomes invalid.
certInvalidityReason - (OUT) Returns the reason why the certificate is invalid (that is, revoked, invalid issuer, unreadable extensions, expired, etc.). This field is set only if the exception PKI_E_CERT_INVALID is thrown.
Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.
See Also:
createTrustedRootContainer, createTrustedRoot, findTrustedRootsInContext, getTrustedRootInfo
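The Trusted Root calls above are typically used in two steps: enumerate what a container trusts (findTrustedRootsInContext, getTrustedRootInfo) and then verify a certificate against that container with revocation checking, reading the OUT parameters that verifyCertificateWithTrustedRoots fills only on failure. The following is an added example for this page, not code from the documentation or from Novell. It assumes api is an initialized, logged-in NPKIAPI instance; that the int returned by findTrustedRootsInContext is the number of roots found; that NPKIx509Invalid_Certificate_On_CRL and PKI_CERTIFICATE_HOLD, both named on the page, are static int fields of NPKIAPI; and, because the flag values for "verify and check revocation" are not on the page, VERIFY_AND_CHECK_CRL is a placeholder the caller must replace with the real flag definitions.

```java
import java.util.ArrayList;
import java.util.List;
import com.novell.security.japi.pki.NPKIAPI;
import com.novell.security.japi.pki.NPKI_Exception;

/*
 * Added example (not from the NPKIAPI documentation): list the roots of a
 * Trusted Root container and verify a certificate against it, turning the
 * failure-only OUT parameters into one result object.
 */
public class TrustedRootVerifier {

    /** PLACEHOLDER: replace with the real "verify + check revocation" flag value(s). */
    public static final int VERIFY_AND_CHECK_CRL = -1;

    public static final class RootInfo {
        public final String dn, validFrom, validTo, subject;
        RootInfo(String dn, String validFrom, String validTo, String subject) {
            this.dn = dn; this.validFrom = validFrom; this.validTo = validTo; this.subject = subject;
        }
        public String toString() { return subject + " [" + validFrom + " .. " + validTo + "] at " + dn; }
    }

    /** Everything the container trusts; review this list before relying on a verify() verdict. */
    public static List<RootInfo> listRoots(NPKIAPI api, String containerDN) throws NPKI_Exception {
        int count = api.findTrustedRootsInContext(containerDN);   // assumed: returns the number of roots
        List<RootInfo> roots = new ArrayList<RootInfo>();
        for (int i = 0; i < count; i++) {
            String[] name = new String[1], from = new String[1], to = new String[1], subject = new String[1];
            api.getTrustedRootInfo(i, name, from, to, subject);   // DER bytes are returned but not needed here
            roots.add(new RootInfo(name[0], from[0], to[0], subject[0]));
        }
        return roots;
    }

    public static final class Verdict {
        public final boolean valid;
        public final int invalidityReason, crlReason, holdInstruction, revocationTime;
        public final NPKI_Exception error;   // null when valid

        Verdict(boolean valid, int invalidityReason, int crlReason, int holdInstruction,
                int revocationTime, NPKI_Exception error) {
            this.valid = valid; this.invalidityReason = invalidityReason; this.crlReason = crlReason;
            this.holdInstruction = holdInstruction; this.revocationTime = revocationTime; this.error = error;
        }
        /** Revoked as opposed to expired, badly chained, etc. (constants assumed to live on NPKIAPI). */
        public boolean revoked() {
            return !valid && invalidityReason == NPKIAPI.NPKIx509Invalid_Certificate_On_CRL;
        }
        /** Revocation is a hold, which a CA may later lift; holdInstruction is only meaningful then. */
        public boolean onHold() { return revoked() && crlReason == NPKIAPI.PKI_CERTIFICATE_HOLD; }
    }

    public static Verdict verify(NPKIAPI api, byte[] derCert, String containerDN) {
        // OUT parameters: fresh instances; the native layer fills them on PKI_E_CERT_INVALID.
        Integer crlReason = new Integer(0), hold = new Integer(0), revTime = new Integer(0);
        Integer crlInvalidity = new Integer(0), reason = new Integer(0);
        try {
            api.verifyCertificateWithTrustedRoots(derCert, containerDN, VERIFY_AND_CHECK_CRL,
                    crlReason, hold, revTime, crlInvalidity, reason);
            return new Verdict(true, 0, 0, 0, 0, null);
        } catch (NPKI_Exception e) {
            // Per the documentation these values are set only when PKI_E_CERT_INVALID is
            // thrown; for a directory or NICI error they remain 0 and "error" carries the cause.
            return new Verdict(false, reason.intValue(), crlReason.intValue(),
                    hold.intValue(), revTime.intValue(), e);
        }
    }
}
```

Treat a non-valid Verdict whose invalidityReason is still 0 as "could not verify", not as "not revoked": an eDirectory or NICI failure leaves every OUT value untouched, and a relying application that conflates the two cases fails open.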
public void createSASServiceObject(java.lang.String serverName, java.lang.String contextDN) throws NPKI_Exception

Parameters:
serverName - (IN) Specifies the name of the server for which to create the SAS service object.
contextDN - (IN) Specifies the context of the server.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

public void connectToIPAddress(int flags, short port, byte[] ipAddress) throws NPKI_Exception

This call should come after setTreeName and before dsLogin.

Parameters:
flags - (IN) Reserved for future use, pass zero.
port - (IN) Indicates the port number to be used. If zero is passed in, the default IP port (524) is used.
ipAddress - (IN) Indicates the IP address to use in the format XXX.XXX.XXX.XXX.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

public void connectToIPAddress(int flags, short port, byte[] ipAddress, java.lang.String[] treeName, java.lang.String[] serverDN) throws NPKI_Exception
This call should come before dsLogin. It is no longer necessary to call setTreeName if this call is successfully made.

Parameters:
flags - (IN) Reserved for future use, pass zero.
port - (IN) Indicates the port number to be used. If zero is passed in, the default IP port (524) is used.
ipAddress - (IN) Indicates the IP address to use in the format XXX.XXX.XXX.XXX.
treeName - (OUT) Returns the name of the tree that the server is in.
serverDN - (OUT) Returns the fully distinguished name of the server.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

public void getLocalServerInfo(java.lang.String[] treeName, java.lang.String[] serverDN) throws NPKI_Exception
Parameters:
treeName - Returns the name of the tree that the local server is in.
serverDN - Returns the fully distinguished name of the local server.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

public void connectToAddress(int flags, int type, short size, byte[] data) throws NPKI_Exception
Parameters:
flags - Reserved for future use, pass zero.
type - Indicates the type of address connection.
size - Identifies the address size.
data - Byte array of the address.
Throws:
NPKI_Exception - If an eDirectory or PKI error occurs.

public int versionInfo() throws NPKI_Exception
NOTE: A context does not need to be created in order to call this function.

Sample Code: VersionInfo.java

Throws:
NPKI_Exception - If a PKI error occurs.

public int createDefaultCertificates(java.lang.String serverDN, NPKI_CertificateNamesList certificateNames, java.lang.Integer flags) throws NPKI_Exception
After a successful call, if the method attempted to create any certificates which were not explicitly specified in the certificateNames parameter, then the field numberOfAdditionalCertificates will be set to the number attempted, and the names of the additional certificates as well as the success code can be acquired by calling additionalCertificate. The success code for any certificates specified in the certificateNames field will be returned within the appropriate NPKI_CertificateNames object.

Parameters:
serverDN - Specifies the DN of the server object.
certificateNames - Specifies the name(s) of any additional server certificates you want created.
flags - Specifies the DN of the server object.
Throws:
NPKI_Exception - If an eDirectory, NICI or PKI error occurs.
See Also:
additionalCertificate
public NPKI_CertificateName additionalCertificate(int index) throws NPKI_Exception

A successful call to createDefaultCertificates must have been made immediately before calling this method.

Parameters:
index - Specifies which name is to be returned. index is 0 based.
Throws:
NPKI_Exception - If a PKI error occurs.

public void DSLoginAsServer() throws NPKI_Exception
Throws:
NPKI_Exception

public void initialize() throws NPKI_Exception

Throws:
NPKI_Exception - If a PKI error occurs.

public void destroy()
public void finalize() throws java.lang.Throwable

Overrides:
finalize in class java.lang.Object
Throws:
java.lang.Throwable