use of ee.ria.xroad.signer.protocol.dto.TokenInfo in project X-Road by nordic-institute.
the class TokenCertificateService method importCertificateFromToken.
/**
* Find an existing cert from a token (e.g. HSM) by cert hash and import it to keyconf.xml. This enables the cert
* to be used for signing messages.
* @param hash cert hash of an existing cert
* @return CertificateType
* @throws CertificateNotFoundException
* @throws InvalidCertificateException other general import failure
* @throws GlobalConfOutdatedException
* @throws KeyNotFoundException
* @throws CertificateAlreadyExistsException
* @throws WrongCertificateUsageException
* @throws ClientNotFoundException
* @throws CsrNotFoundException
* @throws AuthCertificateNotSupportedException if trying to import an auth cert from a token
* @throws ActionNotPossibleException if import was not possible due to cert/key/token states
*/
public CertificateInfo importCertificateFromToken(String hash) throws CertificateNotFoundException, InvalidCertificateException, GlobalConfOutdatedException, KeyNotFoundException, CertificateAlreadyExistsException, WrongCertificateUsageException, ClientNotFoundException, CsrNotFoundException, AuthCertificateNotSupportedException, ActionNotPossibleException {
CertificateInfo certificateInfo = getCertificateInfo(hash);
TokenInfoAndKeyId tokenInfoAndKeyId = tokenService.getTokenAndKeyIdForCertificateHash(hash);
TokenInfo tokenInfo = tokenInfoAndKeyId.getTokenInfo();
KeyInfo keyInfo = tokenInfoAndKeyId.getKeyInfo();
auditDataHelper.put(tokenInfo);
auditDataHelper.put(keyInfo);
auditDataHelper.put(RestApiAuditProperty.CERT_ID, certificateInfo.getId());
EnumSet<PossibleActionEnum> possibleActions = getPossibleActionsForCertificateInternal(hash, certificateInfo, keyInfo, tokenInfo);
possibleActionsRuleEngine.requirePossibleAction(PossibleActionEnum.IMPORT_FROM_TOKEN, possibleActions);
return importCertificate(certificateInfo.getCertificateBytes(), true);
}
use of ee.ria.xroad.signer.protocol.dto.TokenInfo in project X-Road by nordic-institute.
the class TokenCertificateService method getPossibleActionsForCsr.
/**
* Return possible actions for one csr
* Key not found exceptions are wrapped as RuntimeExceptions
* since them happening is considered to be internal error.
* @throws CertificateNotFoundException
*/
public EnumSet<PossibleActionEnum> getPossibleActionsForCsr(String csrId) throws CsrNotFoundException {
TokenInfoAndKeyId tokenInfoAndKeyId = null;
try {
tokenInfoAndKeyId = tokenService.getTokenAndKeyIdForCertificateRequestId(csrId);
} catch (KeyNotFoundException e) {
throw new RuntimeException("internal error", e);
}
TokenInfo tokenInfo = tokenInfoAndKeyId.getTokenInfo();
KeyInfo keyInfo = tokenInfoAndKeyId.getKeyInfo();
CertRequestInfo certRequestInfo = getCsr(keyInfo, csrId);
EnumSet<PossibleActionEnum> possibleActions = possibleActionsRuleEngine.getPossibleCsrActions(tokenInfo);
return possibleActions;
}
use of ee.ria.xroad.signer.protocol.dto.TokenInfo in project X-Road by nordic-institute.
the class TokenCertificateService method generateCertRequest.
/**
* Create a CSR
* @param keyId
* @param memberId
* @param keyUsage
* @param caName
* @param subjectFieldValues user-submitted parameters for subject DN
* @param format
* @return GeneratedCertRequestInfo containing details and bytes of the cert request
* @throws CertificateAuthorityNotFoundException if ca authority with name {@code caName} does not exist
* @throws ClientNotFoundException if client with {@code memberId} id was not found
* @throws KeyNotFoundException if key with {@code keyId} was not found
* @throws WrongKeyUsageException if keyUsage param did not match the key's usage type
* @throws DnFieldHelper.InvalidDnParameterException if required dn parameters were missing, or if there
* were some extra parameters
* @throws ActionNotPossibleException if generate csr was not possible for this key
*/
public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId memberId, KeyUsageInfo keyUsage, String caName, Map<String, String> subjectFieldValues, CertificateRequestFormat format) throws CertificateAuthorityNotFoundException, ClientNotFoundException, WrongKeyUsageException, KeyNotFoundException, DnFieldHelper.InvalidDnParameterException, ActionNotPossibleException {
// validate key and memberId existence
TokenInfo tokenInfo = tokenService.getTokenForKeyId(keyId);
auditDataHelper.put(tokenInfo);
KeyInfo key = keyService.getKey(tokenInfo, keyId);
auditDataHelper.put(key);
auditDataHelper.put(RestApiAuditProperty.KEY_USAGE, keyUsage);
auditDataHelper.put(memberId);
if (keyUsage == KeyUsageInfo.SIGNING) {
// validate that the member exists or has a subsystem on this server
if (!clientService.getLocalClientMemberIds().contains(memberId)) {
throw new ClientNotFoundException("client with id " + memberId + ", or subsystem for it, " + NOT_FOUND);
}
}
// check that keyUsage is allowed
if (key.getUsage() != null) {
if (key.getUsage() != keyUsage) {
throw new WrongKeyUsageException();
}
}
// validate that generate csr is possible
if (keyUsage == KeyUsageInfo.SIGNING) {
possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_SIGN_CSR, tokenInfo, key);
} else {
possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_AUTH_CSR, tokenInfo, key);
}
CertificateProfileInfo profile = null;
try {
profile = certificateAuthorityService.getCertificateProfile(caName, keyUsage, memberId, false);
} catch (CertificateProfileInstantiationException e) {
throw new DeviationAwareRuntimeException(e, e.getErrorDeviation());
}
List<DnFieldValue> dnFieldValues = dnFieldHelper.processDnParameters(profile, subjectFieldValues);
String subjectName = dnFieldHelper.createSubjectName(dnFieldValues);
auditDataHelper.put(RestApiAuditProperty.SUBJECT_NAME, subjectName);
auditDataHelper.put(RestApiAuditProperty.CERTIFICATION_SERVICE_NAME, caName);
auditDataHelper.put(RestApiAuditProperty.CSR_FORMAT, format);
try {
return signerProxyFacade.generateCertRequest(keyId, memberId, keyUsage, subjectName, format);
} catch (CodedException e) {
throw e;
} catch (Exception e) {
throw new SignerNotReachableException("Generate cert request failed", e);
}
}
use of ee.ria.xroad.signer.protocol.dto.TokenInfo in project X-Road by nordic-institute.
the class TokenCertificateService method auditLogTokenKeyAndCert.
/**
* Adds audit log data for basic token, key and cert details.
* Executes a new signer request to find out token and key details.
* @param fullKeyDetails true: full key details are added false: only key id is added
* @throws CertificateNotFoundException
*/
private void auditLogTokenKeyAndCert(String hash, CertificateInfo certificateInfo, boolean fullKeyDetails) throws CertificateNotFoundException {
TokenInfoAndKeyId tokenInfoAndKeyId = null;
try {
tokenInfoAndKeyId = tokenService.getTokenAndKeyIdForCertificateHash(hash);
} catch (KeyNotFoundException e) {
// key not found for a cert that exists, should not be possible
throw new RuntimeException(e);
}
TokenInfo tokenInfo = tokenInfoAndKeyId.getTokenInfo();
KeyInfo keyInfo = tokenInfoAndKeyId.getKeyInfo();
auditDataHelper.put(tokenInfo);
if (fullKeyDetails) {
auditDataHelper.put(keyInfo);
} else {
auditDataHelper.put(RestApiAuditProperty.KEY_ID, keyInfo.getId());
}
auditDataHelper.put(certificateInfo);
auditDataHelper.put(RestApiAuditProperty.CERT_ID, certificateInfo.getId());
}
use of ee.ria.xroad.signer.protocol.dto.TokenInfo in project X-Road by nordic-institute.
the class TokenService method activateToken.
/**
* Activate a token
*
* @param id id of token
* @param password password for token
* @throws TokenNotFoundException if token was not found
* @throws PinIncorrectException if token login failed due to wrong ping
* @throws ActionNotPossibleException if token activation was not possible
*/
public void activateToken(String id, char[] password) throws TokenNotFoundException, PinIncorrectException, ActionNotPossibleException {
// check that action is possible
TokenInfo tokenInfo = getToken(id);
auditDataHelper.put(tokenInfo);
possibleActionsRuleEngine.requirePossibleTokenAction(PossibleActionEnum.TOKEN_ACTIVATE, tokenInfo);
try {
signerProxyFacade.activateToken(id, password);
} catch (CodedException e) {
if (isCausedByTokenNotFound(e)) {
throw new TokenNotFoundException(e);
} else if (isCausedByIncorrectPin(e)) {
throw new PinIncorrectException(e);
} else {
throw e;
}
} catch (Exception other) {
throw new SignerNotReachableException("token activation failed", other);
}
}
Aggregations