use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.
the class SchemaValidator method validate.
protected static void validate(Schema schema, Source source, String errorCode) throws Exception {
if (schema == null) {
throw new IllegalStateException("Schema is not initialized");
}
try {
Validator validator = schema.newValidator();
validator.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
validator.validate(source);
} catch (SAXException e) {
throw new CodedException(errorCode, e);
}
}
use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.
the class TokenCertificateService method regenerateCertRequest.
/**
* Regenerate a csr. Regenerate is used by download -endpoint.
* Regenerate will find an existing csr from TokenManager, and
* regenerate a new csr binary for it. TokenManager itself, and the csr
* info stored inside it, will be unchanged.
*
* Permissions and possible actions use the values for generate csr,
* there are no separate values for this operation.
* @param keyId
* @param csrId
* @param format
* @return GeneratedCertRequestInfo containing details and bytes of the cert request
* @throws KeyNotFoundException if key with keyId was not found
* @throws CsrNotFoundException if csr with csrId was not found
* @throws ActionNotPossibleException if regenerate was not possible
*/
public GeneratedCertRequestInfo regenerateCertRequest(String keyId, String csrId, CertificateRequestFormat format) throws KeyNotFoundException, CsrNotFoundException, ActionNotPossibleException {
// validate key and memberId existence
TokenInfo tokenInfo = tokenService.getTokenForKeyId(keyId);
KeyInfo keyInfo = keyService.getKey(tokenInfo, keyId);
getCsr(keyInfo, csrId);
// check usage type specific auth in service, since controller does not know usage type
if (keyInfo.isForSigning()) {
securityHelper.verifyAuthority("GENERATE_SIGN_CERT_REQ");
} else {
securityHelper.verifyAuthority("GENERATE_AUTH_CERT_REQ");
}
// validate that regenerate csr is a possible action
if (keyInfo.isForSigning()) {
possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_SIGN_CSR, tokenInfo, keyInfo);
} else {
possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_AUTH_CSR, tokenInfo, keyInfo);
}
try {
return signerProxyFacade.regenerateCertRequest(csrId, format);
} catch (CodedException e) {
throw e;
} catch (Exception e) {
throw new SignerNotReachableException("Regenerate cert request failed", e);
}
}
use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.
the class TokenCertificateService method importCertificate.
/**
* Import a cert that is found from a token by it's bytes.
* Adds audit log properties for
* - clientId (if sign cert),
* - cert hash and cert hash algo
* - key usage
* @param certificateBytes
* @param isFromToken whether the cert was read from a token or not
* @return CertificateType
* @throws GlobalConfOutdatedException
* @throws KeyNotFoundException
* @throws InvalidCertificateException other general import failure
* @throws CertificateAlreadyExistsException
* @throws WrongCertificateUsageException
* @throws AuthCertificateNotSupportedException if trying to import an auth cert from a token
*/
private CertificateInfo importCertificate(byte[] certificateBytes, boolean isFromToken) throws GlobalConfOutdatedException, KeyNotFoundException, InvalidCertificateException, CertificateAlreadyExistsException, WrongCertificateUsageException, CsrNotFoundException, AuthCertificateNotSupportedException, ClientNotFoundException {
globalConfService.verifyGlobalConfValidity();
X509Certificate x509Certificate = convertToX509Certificate(certificateBytes);
CertificateInfo certificateInfo = null;
KeyUsageInfo keyUsageInfo = null;
try {
String certificateState;
ClientId clientId = null;
boolean isAuthCert = CertUtils.isAuthCert(x509Certificate);
if (isAuthCert) {
keyUsageInfo = KeyUsageInfo.AUTHENTICATION;
securityHelper.verifyAuthority(IMPORT_AUTH_CERT);
if (isFromToken) {
throw new AuthCertificateNotSupportedException("auth cert cannot be imported from a token");
}
certificateState = CertificateInfo.STATUS_SAVED;
} else {
keyUsageInfo = KeyUsageInfo.SIGNING;
securityHelper.verifyAuthority(IMPORT_SIGN_CERT);
String xroadInstance = globalConfFacade.getInstanceIdentifier();
clientId = getClientIdForSigningCert(xroadInstance, x509Certificate);
auditDataHelper.put(clientId);
boolean clientExists = clientRepository.clientExists(clientId, true);
if (!clientExists) {
throw new ClientNotFoundException("client " + clientId.toShortString() + " " + NOT_FOUND, FormatUtils.xRoadIdToEncodedId(clientId));
}
certificateState = CertificateInfo.STATUS_REGISTERED;
}
byte[] certBytes = x509Certificate.getEncoded();
String hash = CryptoUtils.calculateCertHexHash(certBytes);
auditDataHelper.putCertificateHash(hash);
signerProxyFacade.importCert(certBytes, certificateState, clientId);
certificateInfo = getCertificateInfo(hash);
} catch (ClientNotFoundException | AccessDeniedException | AuthCertificateNotSupportedException e) {
throw e;
} catch (CodedException e) {
translateCodedExceptions(e);
} catch (Exception e) {
// something went really wrong
throw new RuntimeException("error importing certificate", e);
}
auditDataHelper.put(RestApiAuditProperty.KEY_USAGE, keyUsageInfo);
return certificateInfo;
}
use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.
the class TokenCertificateService method deleteCsr.
/**
* Deletes one csr
* @param csrId
* @throws KeyNotFoundException if for some reason the key linked to the csr could not
* be loaded (should not be possible)
* @throws CsrNotFoundException if csr with csrId was not found
* @throws ActionNotPossibleException if delete was not possible due to csr/key/token states
*/
public void deleteCsr(String csrId) throws KeyNotFoundException, CsrNotFoundException, ActionNotPossibleException {
// different audit fields for these events
if (auditDataHelper.dataIsForEvent(RestApiAuditEvent.DELETE_ORPHANS)) {
auditDataHelper.addListPropertyItem(RestApiAuditProperty.CERT_REQUEST_IDS, csrId);
} else if (auditDataHelper.dataIsForEvent(RestApiAuditEvent.DELETE_CSR)) {
auditDataHelper.put(RestApiAuditProperty.CSR_ID, csrId);
}
TokenInfoAndKeyId tokenInfoAndKeyId = tokenService.getTokenAndKeyIdForCertificateRequestId(csrId);
TokenInfo tokenInfo = tokenInfoAndKeyId.getTokenInfo();
KeyInfo keyInfo = tokenInfoAndKeyId.getKeyInfo();
if (auditDataHelper.dataIsForEvent(RestApiAuditEvent.DELETE_CSR)) {
auditDataHelper.put(tokenInfo);
auditDataHelper.put(keyInfo);
}
CertRequestInfo certRequestInfo = getCsr(keyInfo, csrId);
if (keyInfo.isForSigning()) {
securityHelper.verifyAuthority("DELETE_SIGN_CERT");
} else {
securityHelper.verifyAuthority("DELETE_AUTH_CERT");
}
// check that delete is possible
possibleActionsRuleEngine.requirePossibleCsrAction(PossibleActionEnum.DELETE, tokenInfo, keyInfo, certRequestInfo);
try {
signerProxyFacade.deleteCertRequest(csrId);
} catch (CodedException e) {
if (isCausedByCsrNotFound(e)) {
throw new CsrNotFoundException(e);
} else {
throw e;
}
} catch (Exception other) {
throw new SignerNotReachableException("deleting a csr failed", other);
}
}
use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.
the class TokenCertificateService method changeCertificateActivation.
/**
* Deactivates or activates certificate
*/
private void changeCertificateActivation(String hash, boolean activate) throws CertificateNotFoundException, AccessDeniedException, ActionNotPossibleException {
// verify correct authority
CertificateInfo certificateInfo = getCertificateInfo(hash);
try {
verifyActivateDisableAuthority(certificateInfo.getCertificateBytes());
} catch (InvalidCertificateException e) {
// cert from signer proxy was invalid, should not be possible
throw new RuntimeException(e);
}
// verify possible actions
EnumSet<PossibleActionEnum> possibleActions = getPossibleActionsForCertificateInternal(hash, certificateInfo, null, null);
PossibleActionEnum activationAction = null;
if (activate) {
activationAction = PossibleActionEnum.ACTIVATE;
} else {
activationAction = PossibleActionEnum.DISABLE;
}
possibleActionsRuleEngine.requirePossibleAction(activationAction, possibleActions);
// audit log data
auditLogTokenKeyAndCert(hash, certificateInfo, true);
try {
if (activate) {
signerProxyFacade.activateCert(certificateInfo.getId());
} else {
signerProxyFacade.deactivateCert(certificateInfo.getId());
}
} catch (CodedException e) {
if (isCausedByCertNotFound(e)) {
throw new CertificateNotFoundException("Certificate with id " + certificateInfo.getId() + " " + NOT_FOUND);
} else {
throw e;
}
} catch (Exception e) {
throw new SignerNotReachableException("certificate " + (activate ? "activation" : "deactivation") + " failed", e);
}
}
Aggregations