
Example 6 with TokenInfo

use of ee.ria.xroad.signer.protocol.dto.TokenInfo in project X-Road by nordic-institute.

From class TokenCertificateService, method importCertificateFromToken.

/**
 * Imports a certificate that already exists on a token (for example an HSM) into keyconf.xml, so that
 * it can be used for signing messages. The certificate is located by its hash.
 *
 * Token, key and certificate id are recorded in the audit data before the possible-action check runs,
 * so the audit entry also describes attempts that are rejected by the rule engine (presuming the audit
 * entry is written on failure as well — see auditDataHelper).
 *
 * @param hash hash of an existing certificate on a token
 * @return the imported certificate as a {@link CertificateInfo}
 * @throws CertificateNotFoundException
 * @throws InvalidCertificateException other general import failure
 * @throws GlobalConfOutdatedException
 * @throws KeyNotFoundException
 * @throws CertificateAlreadyExistsException
 * @throws WrongCertificateUsageException
 * @throws ClientNotFoundException
 * @throws CsrNotFoundException
 * @throws AuthCertificateNotSupportedException if trying to import an auth cert from a token
 * @throws ActionNotPossibleException if import was not possible due to cert/key/token states
 */
public CertificateInfo importCertificateFromToken(String hash) throws CertificateNotFoundException, InvalidCertificateException, GlobalConfOutdatedException, KeyNotFoundException, CertificateAlreadyExistsException, WrongCertificateUsageException, ClientNotFoundException, CsrNotFoundException, AuthCertificateNotSupportedException, ActionNotPossibleException {
    CertificateInfo existing = getCertificateInfo(hash);
    TokenInfoAndKeyId location = tokenService.getTokenAndKeyIdForCertificateHash(hash);
    TokenInfo token = location.getTokenInfo();
    KeyInfo key = location.getKeyInfo();

    // audit data first, authorisation second
    auditDataHelper.put(token);
    auditDataHelper.put(key);
    auditDataHelper.put(RestApiAuditProperty.CERT_ID, existing.getId());

    EnumSet<PossibleActionEnum> allowed =
            getPossibleActionsForCertificateInternal(hash, existing, key, token);
    possibleActionsRuleEngine.requirePossibleAction(PossibleActionEnum.IMPORT_FROM_TOKEN, allowed);

    // NOTE(review): the boolean presumably marks a token-originated import — confirm against importCertificate
    return importCertificate(existing.getCertificateBytes(), true);
}

Example 7 with TokenInfo

use of ee.ria.xroad.signer.protocol.dto.TokenInfo in project X-Road by nordic-institute.

From class TokenCertificateService, method getPossibleActionsForCsr.

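/**
 * Returns the possible actions for one CSR.
 * Key-not-found exceptions are wrapped as {@link RuntimeException}s, since a CSR that resolves to a
 * token but has no key is considered an internal error.
 *
 * @param csrId id of the certificate request
 * @return the set of actions currently possible for the CSR; computed from the token's state only,
 *         the key is used just to validate that the CSR exists
 * @throws CsrNotFoundException if no CSR with {@code csrId} exists
 */
public EnumSet<PossibleActionEnum> getPossibleActionsForCsr(String csrId) throws CsrNotFoundException {
    TokenInfoAndKeyId tokenInfoAndKeyId;
    try {
        tokenInfoAndKeyId = tokenService.getTokenAndKeyIdForCertificateRequestId(csrId);
    } catch (KeyNotFoundException e) {
        throw new RuntimeException("internal error", e);
    }
    TokenInfo tokenInfo = tokenInfoAndKeyId.getTokenInfo();
    KeyInfo keyInfo = tokenInfoAndKeyId.getKeyInfo();
    // existence check only: the returned CertRequestInfo is not needed for the action calculation,
    // the call is kept for the CsrNotFoundException it presumably raises when the key has no such CSR
    getCsr(keyInfo, csrId);
    return possibleActionsRuleEngine.getPossibleCsrActions(tokenInfo);
}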

Example 8 with TokenInfo

use of ee.ria.xroad.signer.protocol.dto.TokenInfo in project X-Road by nordic-institute.

From class TokenCertificateService, method generateCertRequest.

/**
 * Creates a certificate signing request for an existing key.
 *
 * @param keyId id of the key the CSR is generated for
 * @param memberId member (client) the certificate is requested for
 * @param keyUsage intended usage of the key
 * @param caName name of the certification authority the CSR is meant for
 * @param subjectFieldValues user-submitted parameters for subject DN; they are checked against the
 *                           CA's certificate profile by {@code dnFieldHelper} before a subject name is built
 * @param format format of the generated CSR
 * @return GeneratedCertRequestInfo containing details and bytes of the cert request
 * @throws CertificateAuthorityNotFoundException if ca authority with name {@code caName} does not exist
 * @throws ClientNotFoundException if client with {@code memberId} id was not found
 * @throws KeyNotFoundException if key with {@code keyId} was not found
 * @throws WrongKeyUsageException if keyUsage param did not match the key's usage type
 * @throws DnFieldHelper.InvalidDnParameterException if required dn parameters were missing, or if there
 * were some extra parameters
 * @throws ActionNotPossibleException if generate csr was not possible for this key
 */
public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId memberId, KeyUsageInfo keyUsage, String caName, Map<String, String> subjectFieldValues, CertificateRequestFormat format) throws CertificateAuthorityNotFoundException, ClientNotFoundException, WrongKeyUsageException, KeyNotFoundException, DnFieldHelper.InvalidDnParameterException, ActionNotPossibleException {
    // resolving the token and then the key doubles as the existence check for keyId
    TokenInfo tokenInfo = tokenService.getTokenForKeyId(keyId);
    auditDataHelper.put(tokenInfo);
    KeyInfo key = keyService.getKey(tokenInfo, keyId);
    auditDataHelper.put(key);
    auditDataHelper.put(RestApiAuditProperty.KEY_USAGE, keyUsage);
    auditDataHelper.put(memberId);

    boolean signing = keyUsage == KeyUsageInfo.SIGNING;

    // a sign CSR is only issued for a member that exists, or has a subsystem, on this server
    if (signing && !clientService.getLocalClientMemberIds().contains(memberId)) {
        throw new ClientNotFoundException("client with id " + memberId + ", or subsystem for it, " + NOT_FOUND);
    }

    // a key that already carries a usage type may only be asked for that same usage
    if (key.getUsage() != null && key.getUsage() != keyUsage) {
        throw new WrongKeyUsageException();
    }

    // the rule engine decides whether a CSR may be generated in the current token/key state
    PossibleActionEnum csrAction = signing
            ? PossibleActionEnum.GENERATE_SIGN_CSR
            : PossibleActionEnum.GENERATE_AUTH_CSR;
    possibleActionsRuleEngine.requirePossibleKeyAction(csrAction, tokenInfo, key);

    CertificateProfileInfo profile;
    try {
        profile = certificateAuthorityService.getCertificateProfile(caName, keyUsage, memberId, false);
    } catch (CertificateProfileInstantiationException e) {
        throw new DeviationAwareRuntimeException(e, e.getErrorDeviation());
    }

    // the subject DN is assembled only from fields the profile accepts (see InvalidDnParameterException)
    List<DnFieldValue> dnFieldValues = dnFieldHelper.processDnParameters(profile, subjectFieldValues);
    String subjectName = dnFieldHelper.createSubjectName(dnFieldValues);
    auditDataHelper.put(RestApiAuditProperty.SUBJECT_NAME, subjectName);
    auditDataHelper.put(RestApiAuditProperty.CERTIFICATION_SERVICE_NAME, caName);
    auditDataHelper.put(RestApiAuditProperty.CSR_FORMAT, format);

    try {
        return signerProxyFacade.generateCertRequest(keyId, memberId, keyUsage, subjectName, format);
    } catch (CodedException e) {
        // coded errors reported by the signer are propagated unchanged
        throw e;
    } catch (Exception e) {
        throw new SignerNotReachableException("Generate cert request failed", e);
    }
}

Example 9 with TokenInfo

use of ee.ria.xroad.signer.protocol.dto.TokenInfo in project X-Road by nordic-institute.

From class TokenCertificateService, method auditLogTokenKeyAndCert.

/**
 * Adds audit log data for basic token, key and cert details.
 * Executes a new signer request to find out token and key details.
 *
 * @param hash hash of the certificate whose token and key are looked up
 * @param certificateInfo the certificate itself; its details and id are added to the audit data
 * @param fullKeyDetails true: full key details are added false: only key id is added
 * @throws CertificateNotFoundException
 */
private void auditLogTokenKeyAndCert(String hash, CertificateInfo certificateInfo, boolean fullKeyDetails) throws CertificateNotFoundException {
    final TokenInfoAndKeyId location;
    try {
        location = tokenService.getTokenAndKeyIdForCertificateHash(hash);
    } catch (KeyNotFoundException e) {
        // the cert exists, so a missing key is an internal inconsistency rather than a caller error
        throw new RuntimeException(e);
    }
    TokenInfo token = location.getTokenInfo();
    KeyInfo key = location.getKeyInfo();

    auditDataHelper.put(token);
    if (fullKeyDetails) {
        auditDataHelper.put(key);
    } else {
        auditDataHelper.put(RestApiAuditProperty.KEY_ID, key.getId());
    }
    auditDataHelper.put(certificateInfo);
    auditDataHelper.put(RestApiAuditProperty.CERT_ID, certificateInfo.getId());
}

Example 10 with TokenInfo

use of ee.ria.xroad.signer.protocol.dto.TokenInfo in project X-Road by nordic-institute.

From class TokenService, method activateToken.

/**
 * Activates a token.
 *
 * Only the token details are put into the audit data here; the password is not recorded. The
 * password array is passed to the signer as-is and is not cleared by this method.
 *
 * @param id id of token
 * @param password password (PIN) for token
 * @throws TokenNotFoundException if token was not found
 * @throws PinIncorrectException if token login failed due to a wrong PIN
 * @throws ActionNotPossibleException if token activation was not possible
 */
public void activateToken(String id, char[] password) throws TokenNotFoundException, PinIncorrectException, ActionNotPossibleException {
    TokenInfo token = getToken(id);
    auditDataHelper.put(token);
    // the rule engine rejects activation when the token's state does not allow it
    possibleActionsRuleEngine.requirePossibleTokenAction(PossibleActionEnum.TOKEN_ACTIVATE, token);
    try {
        signerProxyFacade.activateToken(id, password);
    } catch (CodedException e) {
        // translate the signer's coded errors into the service-level exceptions callers handle;
        // anything else coded is propagated unchanged
        if (isCausedByTokenNotFound(e)) {
            throw new TokenNotFoundException(e);
        }
        if (isCausedByIncorrectPin(e)) {
            throw new PinIncorrectException(e);
        }
        throw e;
    } catch (Exception e) {
        throw new SignerNotReachableException("token activation failed", e);
    }
}
