NAME

App::CamelPKI::Model::CA - Constructor of CA instances used by the whole application.

DESCRIPTION

The App::CamelPKI::Model::CA object is a singleton owned by Catalyst to construct instances of App::CamelPKI::CA following the application configuration, and distribute them to the controllers at the "model" in App::CamelPKI initiative. App::CamelPKI::Model::CA have some methods on its own like "certification_chain" to modelise the Camel-PKI Operational CA in what is particular.

CAPABILITY DISCIPLINE

An instance of App::CamelPKI::Model::CA modelise nearly the same amount of privileges than an instance of App::CamelPKI::CA that she embeds (excepted for the "certification_chain" that is a App::CamelPKI::Model::CA particularism). In the same way, App::CamelPKI::Model::CA have the same facet set as App::CamelPKI::CA.

CONFIGURATION

The following variables are configurable in App::CamelPKI::Model::CA:

db_dir

The directory where the AC database and its cryptographic material (certificates and keys) are to be installed.

keysize

The size of keys used for the Key Ceremony.

METHODS

new

Constuctor of the singleton called by Catalyst. Overloaded to use App::CamelPKI::RestrictedClassMethod, so that it cannot be called from anywere, except from the application's initialization sequence.

set_brands($ca_brand, $cadb_brand)

Conveys authority to create instances of App::CamelPKI::CA and App::CamelPKI::CADB to this class when the restricted class method discipline is enabled (see App::CamelPKI::RestrictedClassMethod). Called by "setup" in App::CamelPKI after restricting all the constructors in the application . $ca_brand and $cadb_brand are the respective brands for classes App::CamelPKI::CA and App::CamelPKI::CADB, as created by "grab" in App::CamelPKI::RestrictedClassMethod.

This class method is in turn restricted, so that only the application initialization code may call it. By default (eg in tests), App::CamelPKI::Model::CA uses fake brands (see "fake_grab" in App::CamelPKI::RestrictedClassMethod).

instance

Verify this CA has already undergone its Key Ceremony, or else throw an exception; then create and returns an App::CamelPKI::CA instance which has all privileges and represents the (unique) Operational CA installed on this host.

Note that instance is not idempotent, and returns different instances at each invocation. Were it not the case, constructors could construct a covert channel using the shared instance, which is mutable, and so a malicious controller could hide some information for constructors that will later run in the same UNIX process.

db_dir()

Returns the directory where are stored the App-PKI Certificate Authority informations (certification chain, certificate, private keys and AC database).

do_ceremony($privdir, $webserver)

Runs the Key Ceremony for the Camel-PKI Certificate Authority. The Operational CA and Root CA certificates are recorded in the private directory configured with the db_dir key (see "CONFIGURATION"). The Root CA certificate and key, and the administrator credentials are written into $privdir, under the respective names ca0.key, ca0.crt, admin.key and admin.pem. Last but not least, the Web server certificate and key are installed in $webserver, an App::CamelPKI::SysV::Apache instance.

make_admin_credentials

Regenerate an initial administrator certificate and private key, and returns a pair ($cert, $key) which are respectively App::CamelPKI::Certificate and App::CamelPKI::PrivateKey instances. Old administrator certificates are revoked.

certification_chain

Returns an App::CamelPKI::Certificate objects list which represents certificates that have been signed by this Certificate Authority, excluding this CA certificate itself (which is accessible using "certificate" in App::CamelPKI::CA). Returns an empty list for an autosigned Certicate Authority.

FACETS

facet_readonly

facet_crl_only

facet_certtemplate($template)

facet_operational

These methods create and return a new App::CamelPKI::Model::CA object with restricted rights, using the following way:

"do_ceremony"

This method is made inaccessible in all facets.

"instance"

The underlying App::CamelPKI::CA instance returned is restricted in exactly the same ways as the facet of the same name in App::CamelPKI::CA.