Search in sources :

Example 56 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

the class SchemaValidator method validate.

protected static void validate(Schema schema, Source source, String errorCode) throws Exception {
    if (schema == null) {
        throw new IllegalStateException("Schema is not initialized");
    }
    try {
        Validator validator = schema.newValidator();
        validator.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        validator.validate(source);
    } catch (SAXException e) {
        throw new CodedException(errorCode, e);
    }
}
Also used : CodedException(ee.ria.xroad.common.CodedException) Validator(javax.xml.validation.Validator) SAXException(org.xml.sax.SAXException)

Example 57 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

the class TokenCertificateService method regenerateCertRequest.

/**
 * Regenerate a csr. Regenerate is used by download -endpoint.
 * Regenerate will find an existing csr from TokenManager, and
 * regenerate a new csr binary for it. TokenManager itself, and the csr
 * info stored inside it, will be unchanged.
 *
 * Permissions and possible actions use the values for generate csr,
 * there are no separate values for this operation.
 * @param keyId
 * @param csrId
 * @param format
 * @return GeneratedCertRequestInfo containing details and bytes of the cert request
 * @throws KeyNotFoundException if key with keyId was not found
 * @throws CsrNotFoundException if csr with csrId was not found
 * @throws ActionNotPossibleException if regenerate was not possible
 */
public GeneratedCertRequestInfo regenerateCertRequest(String keyId, String csrId, CertificateRequestFormat format) throws KeyNotFoundException, CsrNotFoundException, ActionNotPossibleException {
    // validate key and memberId existence
    TokenInfo tokenInfo = tokenService.getTokenForKeyId(keyId);
    KeyInfo keyInfo = keyService.getKey(tokenInfo, keyId);
    getCsr(keyInfo, csrId);
    // check usage type specific auth in service, since controller does not know usage type
    if (keyInfo.isForSigning()) {
        securityHelper.verifyAuthority("GENERATE_SIGN_CERT_REQ");
    } else {
        securityHelper.verifyAuthority("GENERATE_AUTH_CERT_REQ");
    }
    // validate that regenerate csr is a possible action
    if (keyInfo.isForSigning()) {
        possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_SIGN_CSR, tokenInfo, keyInfo);
    } else {
        possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_AUTH_CSR, tokenInfo, keyInfo);
    }
    try {
        return signerProxyFacade.regenerateCertRequest(csrId, format);
    } catch (CodedException e) {
        throw e;
    } catch (Exception e) {
        throw new SignerNotReachableException("Regenerate cert request failed", e);
    }
}
Also used : CodedException(ee.ria.xroad.common.CodedException) KeyInfo(ee.ria.xroad.signer.protocol.dto.KeyInfo) TokenInfo(ee.ria.xroad.signer.protocol.dto.TokenInfo) InternalServerErrorException(org.niis.xroad.securityserver.restapi.openapi.InternalServerErrorException) SignerNotReachableException(org.niis.xroad.restapi.service.SignerNotReachableException) ServiceException(org.niis.xroad.restapi.service.ServiceException) DeviationAwareRuntimeException(org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException) AccessDeniedException(org.springframework.security.access.AccessDeniedException) CodedException(ee.ria.xroad.common.CodedException) SignerNotReachableException(org.niis.xroad.restapi.service.SignerNotReachableException)

Example 58 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

the class TokenCertificateService method importCertificate.

/**
 * Import a cert that is found from a token by it's bytes.
 * Adds audit log properties for
 * - clientId (if sign cert),
 * - cert hash and cert hash algo
 * - key usage
 * @param certificateBytes
 * @param isFromToken whether the cert was read from a token or not
 * @return CertificateType
 * @throws GlobalConfOutdatedException
 * @throws KeyNotFoundException
 * @throws InvalidCertificateException other general import failure
 * @throws CertificateAlreadyExistsException
 * @throws WrongCertificateUsageException
 * @throws AuthCertificateNotSupportedException if trying to import an auth cert from a token
 */
private CertificateInfo importCertificate(byte[] certificateBytes, boolean isFromToken) throws GlobalConfOutdatedException, KeyNotFoundException, InvalidCertificateException, CertificateAlreadyExistsException, WrongCertificateUsageException, CsrNotFoundException, AuthCertificateNotSupportedException, ClientNotFoundException {
    globalConfService.verifyGlobalConfValidity();
    X509Certificate x509Certificate = convertToX509Certificate(certificateBytes);
    CertificateInfo certificateInfo = null;
    KeyUsageInfo keyUsageInfo = null;
    try {
        String certificateState;
        ClientId clientId = null;
        boolean isAuthCert = CertUtils.isAuthCert(x509Certificate);
        if (isAuthCert) {
            keyUsageInfo = KeyUsageInfo.AUTHENTICATION;
            securityHelper.verifyAuthority(IMPORT_AUTH_CERT);
            if (isFromToken) {
                throw new AuthCertificateNotSupportedException("auth cert cannot be imported from a token");
            }
            certificateState = CertificateInfo.STATUS_SAVED;
        } else {
            keyUsageInfo = KeyUsageInfo.SIGNING;
            securityHelper.verifyAuthority(IMPORT_SIGN_CERT);
            String xroadInstance = globalConfFacade.getInstanceIdentifier();
            clientId = getClientIdForSigningCert(xroadInstance, x509Certificate);
            auditDataHelper.put(clientId);
            boolean clientExists = clientRepository.clientExists(clientId, true);
            if (!clientExists) {
                throw new ClientNotFoundException("client " + clientId.toShortString() + " " + NOT_FOUND, FormatUtils.xRoadIdToEncodedId(clientId));
            }
            certificateState = CertificateInfo.STATUS_REGISTERED;
        }
        byte[] certBytes = x509Certificate.getEncoded();
        String hash = CryptoUtils.calculateCertHexHash(certBytes);
        auditDataHelper.putCertificateHash(hash);
        signerProxyFacade.importCert(certBytes, certificateState, clientId);
        certificateInfo = getCertificateInfo(hash);
    } catch (ClientNotFoundException | AccessDeniedException | AuthCertificateNotSupportedException e) {
        throw e;
    } catch (CodedException e) {
        translateCodedExceptions(e);
    } catch (Exception e) {
        // something went really wrong
        throw new RuntimeException("error importing certificate", e);
    }
    auditDataHelper.put(RestApiAuditProperty.KEY_USAGE, keyUsageInfo);
    return certificateInfo;
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) X509Certificate(java.security.cert.X509Certificate) InternalServerErrorException(org.niis.xroad.securityserver.restapi.openapi.InternalServerErrorException) SignerNotReachableException(org.niis.xroad.restapi.service.SignerNotReachableException) ServiceException(org.niis.xroad.restapi.service.ServiceException) DeviationAwareRuntimeException(org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException) AccessDeniedException(org.springframework.security.access.AccessDeniedException) CodedException(ee.ria.xroad.common.CodedException) DeviationAwareRuntimeException(org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException) CodedException(ee.ria.xroad.common.CodedException) CertificateInfo(ee.ria.xroad.signer.protocol.dto.CertificateInfo) ClientId(ee.ria.xroad.common.identifier.ClientId) KeyUsageInfo(ee.ria.xroad.signer.protocol.dto.KeyUsageInfo)

Example 59 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

the class TokenCertificateService method deleteCsr.

/**
 * Deletes one csr
 * @param csrId
 * @throws KeyNotFoundException if for some reason the key linked to the csr could not
 * be loaded (should not be possible)
 * @throws CsrNotFoundException if csr with csrId was not found
 * @throws ActionNotPossibleException if delete was not possible due to csr/key/token states
 */
public void deleteCsr(String csrId) throws KeyNotFoundException, CsrNotFoundException, ActionNotPossibleException {
    // different audit fields for these events
    if (auditDataHelper.dataIsForEvent(RestApiAuditEvent.DELETE_ORPHANS)) {
        auditDataHelper.addListPropertyItem(RestApiAuditProperty.CERT_REQUEST_IDS, csrId);
    } else if (auditDataHelper.dataIsForEvent(RestApiAuditEvent.DELETE_CSR)) {
        auditDataHelper.put(RestApiAuditProperty.CSR_ID, csrId);
    }
    TokenInfoAndKeyId tokenInfoAndKeyId = tokenService.getTokenAndKeyIdForCertificateRequestId(csrId);
    TokenInfo tokenInfo = tokenInfoAndKeyId.getTokenInfo();
    KeyInfo keyInfo = tokenInfoAndKeyId.getKeyInfo();
    if (auditDataHelper.dataIsForEvent(RestApiAuditEvent.DELETE_CSR)) {
        auditDataHelper.put(tokenInfo);
        auditDataHelper.put(keyInfo);
    }
    CertRequestInfo certRequestInfo = getCsr(keyInfo, csrId);
    if (keyInfo.isForSigning()) {
        securityHelper.verifyAuthority("DELETE_SIGN_CERT");
    } else {
        securityHelper.verifyAuthority("DELETE_AUTH_CERT");
    }
    // check that delete is possible
    possibleActionsRuleEngine.requirePossibleCsrAction(PossibleActionEnum.DELETE, tokenInfo, keyInfo, certRequestInfo);
    try {
        signerProxyFacade.deleteCertRequest(csrId);
    } catch (CodedException e) {
        if (isCausedByCsrNotFound(e)) {
            throw new CsrNotFoundException(e);
        } else {
            throw e;
        }
    } catch (Exception other) {
        throw new SignerNotReachableException("deleting a csr failed", other);
    }
}
Also used : TokenInfoAndKeyId(ee.ria.xroad.signer.protocol.dto.TokenInfoAndKeyId) CodedException(ee.ria.xroad.common.CodedException) KeyInfo(ee.ria.xroad.signer.protocol.dto.KeyInfo) TokenInfo(ee.ria.xroad.signer.protocol.dto.TokenInfo) InternalServerErrorException(org.niis.xroad.securityserver.restapi.openapi.InternalServerErrorException) SignerNotReachableException(org.niis.xroad.restapi.service.SignerNotReachableException) ServiceException(org.niis.xroad.restapi.service.ServiceException) DeviationAwareRuntimeException(org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException) AccessDeniedException(org.springframework.security.access.AccessDeniedException) CodedException(ee.ria.xroad.common.CodedException) SignerNotReachableException(org.niis.xroad.restapi.service.SignerNotReachableException) GeneratedCertRequestInfo(ee.ria.xroad.commonui.SignerProxy.GeneratedCertRequestInfo) CertRequestInfo(ee.ria.xroad.signer.protocol.dto.CertRequestInfo)

Example 60 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

the class TokenCertificateService method changeCertificateActivation.

/**
 * Deactivates or activates certificate
 */
private void changeCertificateActivation(String hash, boolean activate) throws CertificateNotFoundException, AccessDeniedException, ActionNotPossibleException {
    // verify correct authority
    CertificateInfo certificateInfo = getCertificateInfo(hash);
    try {
        verifyActivateDisableAuthority(certificateInfo.getCertificateBytes());
    } catch (InvalidCertificateException e) {
        // cert from signer proxy was invalid, should not be possible
        throw new RuntimeException(e);
    }
    // verify possible actions
    EnumSet<PossibleActionEnum> possibleActions = getPossibleActionsForCertificateInternal(hash, certificateInfo, null, null);
    PossibleActionEnum activationAction = null;
    if (activate) {
        activationAction = PossibleActionEnum.ACTIVATE;
    } else {
        activationAction = PossibleActionEnum.DISABLE;
    }
    possibleActionsRuleEngine.requirePossibleAction(activationAction, possibleActions);
    // audit log data
    auditLogTokenKeyAndCert(hash, certificateInfo, true);
    try {
        if (activate) {
            signerProxyFacade.activateCert(certificateInfo.getId());
        } else {
            signerProxyFacade.deactivateCert(certificateInfo.getId());
        }
    } catch (CodedException e) {
        if (isCausedByCertNotFound(e)) {
            throw new CertificateNotFoundException("Certificate with id " + certificateInfo.getId() + " " + NOT_FOUND);
        } else {
            throw e;
        }
    } catch (Exception e) {
        throw new SignerNotReachableException("certificate " + (activate ? "activation" : "deactivation") + " failed", e);
    }
}
Also used : DeviationAwareRuntimeException(org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException) CodedException(ee.ria.xroad.common.CodedException) CertificateInfo(ee.ria.xroad.signer.protocol.dto.CertificateInfo) InternalServerErrorException(org.niis.xroad.securityserver.restapi.openapi.InternalServerErrorException) SignerNotReachableException(org.niis.xroad.restapi.service.SignerNotReachableException) ServiceException(org.niis.xroad.restapi.service.ServiceException) DeviationAwareRuntimeException(org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException) AccessDeniedException(org.springframework.security.access.AccessDeniedException) CodedException(ee.ria.xroad.common.CodedException) SignerNotReachableException(org.niis.xroad.restapi.service.SignerNotReachableException)

Aggregations

CodedException (ee.ria.xroad.common.CodedException)131 X509Certificate (java.security.cert.X509Certificate)28 IOException (java.io.IOException)17 ErrorCodes.translateException (ee.ria.xroad.common.ErrorCodes.translateException)15 SignerNotReachableException (org.niis.xroad.restapi.service.SignerNotReachableException)14 TokenInfo (ee.ria.xroad.signer.protocol.dto.TokenInfo)12 OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp)11 ServiceException (org.niis.xroad.restapi.service.ServiceException)11 ClientId (ee.ria.xroad.common.identifier.ClientId)10 ArrayList (java.util.ArrayList)10 Test (org.junit.Test)10 KeyInfo (ee.ria.xroad.signer.protocol.dto.KeyInfo)8 InputStream (java.io.InputStream)8 URISyntaxException (java.net.URISyntaxException)7 Date (java.util.Date)7 SoapFault (ee.ria.xroad.common.message.SoapFault)6 ServiceId (ee.ria.xroad.common.identifier.ServiceId)5 Soap (ee.ria.xroad.common.message.Soap)5 SoapMessageImpl (ee.ria.xroad.common.message.SoapMessageImpl)5 ByteArrayInputStream (java.io.ByteArrayInputStream)5