Search in sources :

Example 21 with PKIBody

use of org.bouncycastle.asn1.cmp.PKIBody in project xipki by xipki.

the class X509CaCmpResponderImpl method unRevokeRemoveCertificates.

private PKIBody unRevokeRemoveCertificates(PKIMessage request, RevReqContent rr, int permission, CmpControl cmpControl, String msgId) {
    RevDetails[] revContent = rr.toRevDetailsArray();
    RevRepContentBuilder repContentBuilder = new RevRepContentBuilder();
    final int n = revContent.length;
    // test the request
    for (int i = 0; i < n; i++) {
        RevDetails revDetails = revContent[i];
        CertTemplate certDetails = revDetails.getCertDetails();
        X500Name issuer = certDetails.getIssuer();
        ASN1Integer serialNumber = certDetails.getSerialNumber();
        try {
            X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
            if (issuer == null) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present");
            }
            if (!issuer.equals(caSubject)) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
            }
            if (serialNumber == null) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present");
            }
            if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are " + "allowed, but more is specified");
            }
            if (certDetails.getExtensions() == null) {
                if (cmpControl.isRrAkiRequired()) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
                }
            } else {
                Extensions exts = certDetails.getExtensions();
                ASN1ObjectIdentifier[] oids = exts.getCriticalExtensionOIDs();
                if (oids != null) {
                    for (ASN1ObjectIdentifier oid : oids) {
                        if (!Extension.authorityKeyIdentifier.equals(oid)) {
                            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "unknown critical extension " + oid.getId());
                        }
                    }
                }
                Extension ext = exts.getExtension(Extension.authorityKeyIdentifier);
                if (ext == null) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
                } else {
                    AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(ext.getParsedValue());
                    if (aki.getKeyIdentifier() == null) {
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
                    }
                    boolean issuerMatched = true;
                    byte[] caSki = getCa().getCaInfo().getCert().getSubjectKeyIdentifier();
                    if (!Arrays.equals(caSki, aki.getKeyIdentifier())) {
                        issuerMatched = false;
                    }
                    if (issuerMatched && aki.getAuthorityCertSerialNumber() != null) {
                        BigInteger caSerial = getCa().getCaInfo().getSerialNumber();
                        if (!caSerial.equals(aki.getAuthorityCertSerialNumber())) {
                            issuerMatched = false;
                        }
                    }
                    if (issuerMatched && aki.getAuthorityCertIssuer() != null) {
                        GeneralName[] names = aki.getAuthorityCertIssuer().getNames();
                        for (GeneralName name : names) {
                            if (name.getTagNo() != GeneralName.directoryName) {
                                issuerMatched = false;
                                break;
                            }
                            if (!caSubject.equals(name.getName())) {
                                issuerMatched = false;
                                break;
                            }
                        }
                    }
                    if (!issuerMatched) {
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
                    }
                }
            }
        } catch (IllegalArgumentException ex) {
            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is not invalid");
        }
    }
    // end for
    byte[] encodedRequest = null;
    if (getCa().getCaInfo().isSaveRequest()) {
        try {
            encodedRequest = request.getEncoded();
        } catch (IOException ex) {
            LOG.warn("could not encode request");
        }
    }
    Long reqDbId = null;
    for (int i = 0; i < n; i++) {
        RevDetails revDetails = revContent[i];
        CertTemplate certDetails = revDetails.getCertDetails();
        ASN1Integer serialNumber = certDetails.getSerialNumber();
        // serialNumber is not null due to the check in the previous for-block.
        X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
        BigInteger snBigInt = serialNumber.getPositiveValue();
        CertId certId = new CertId(new GeneralName(caSubject), serialNumber);
        PKIStatusInfo status;
        try {
            Object returnedObj = null;
            Long certDbId = null;
            X509Ca ca = getCa();
            if (PermissionConstants.UNREVOKE_CERT == permission) {
                // unrevoke
                returnedObj = ca.unrevokeCertificate(snBigInt, msgId);
                if (returnedObj != null) {
                    certDbId = ((X509CertWithDbId) returnedObj).getCertId();
                }
            } else if (PermissionConstants.REMOVE_CERT == permission) {
                // remove
                returnedObj = ca.removeCertificate(snBigInt, msgId);
            } else {
                // revoke
                Date invalidityDate = null;
                CrlReason reason = null;
                Extensions crlDetails = revDetails.getCrlEntryDetails();
                if (crlDetails != null) {
                    ASN1ObjectIdentifier extId = Extension.reasonCode;
                    ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId);
                    if (extValue != null) {
                        int reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue();
                        reason = CrlReason.forReasonCode(reasonCode);
                    }
                    extId = Extension.invalidityDate;
                    extValue = crlDetails.getExtensionParsedValue(extId);
                    if (extValue != null) {
                        try {
                            invalidityDate = ASN1GeneralizedTime.getInstance(extValue).getDate();
                        } catch (ParseException ex) {
                            throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + extId.getId());
                        }
                    }
                }
                if (reason == null) {
                    reason = CrlReason.UNSPECIFIED;
                }
                returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate, msgId);
                if (returnedObj != null) {
                    certDbId = ((X509CertWithRevocationInfo) returnedObj).getCert().getCertId();
                }
            }
            if (returnedObj == null) {
                throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
            }
            if (certDbId != null && ca.getCaInfo().isSaveRequest()) {
                if (reqDbId == null) {
                    reqDbId = ca.addRequest(encodedRequest);
                }
                ca.addRequestCert(reqDbId, certDbId);
            }
            status = new PKIStatusInfo(PKIStatus.granted);
        } catch (OperationException ex) {
            ErrorCode code = ex.getErrorCode();
            LOG.warn("{}, OperationException: code={}, message={}", PermissionConstants.getTextForCode(permission), code.name(), ex.getErrorMessage());
            String errorMessage;
            switch(code) {
                case DATABASE_FAILURE:
                case SYSTEM_FAILURE:
                    errorMessage = code.name();
                    break;
                default:
                    errorMessage = code.name() + ": " + ex.getErrorMessage();
                    break;
            }
            // end switch code
            int failureInfo = getPKiFailureInfo(ex);
            status = generateRejectionStatus(failureInfo, errorMessage);
        }
        // end try
        repContentBuilder.add(status, certId);
    }
    return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build());
}
Also used : PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) X509Ca(org.xipki.ca.server.impl.X509Ca) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) Extensions(org.bouncycastle.asn1.x509.Extensions) CertTemplate(org.bouncycastle.asn1.crmf.CertTemplate) CrlReason(org.xipki.security.CrlReason) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) RevDetails(org.bouncycastle.asn1.cmp.RevDetails) OperationException(org.xipki.ca.api.OperationException) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) RevRepContentBuilder(org.bouncycastle.asn1.cmp.RevRepContentBuilder) CertId(org.bouncycastle.asn1.crmf.CertId) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) IOException(java.io.IOException) Date(java.util.Date) Extension(org.bouncycastle.asn1.x509.Extension) BigInteger(java.math.BigInteger) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ParseException(java.text.ParseException) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 22 with PKIBody

use of org.bouncycastle.asn1.cmp.PKIBody in project xipki by xipki.

the class CmpRequestor method buildMessageWithGeneralMsgContent.

protected PKIMessage buildMessageWithGeneralMsgContent(ASN1ObjectIdentifier type, ASN1Encodable value) throws CmpRequestorException {
    ParamUtil.requireNonNull("type", type);
    PKIHeader header = buildPkiHeader(null);
    InfoTypeAndValue itv = (value != null) ? new InfoTypeAndValue(type, value) : new InfoTypeAndValue(type);
    GenMsgContent genMsgContent = new GenMsgContent(itv);
    PKIBody body = new PKIBody(PKIBody.TYPE_GEN_MSG, genMsgContent);
    return new PKIMessage(header, body);
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) GenMsgContent(org.bouncycastle.asn1.cmp.GenMsgContent) InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue)

Example 23 with PKIBody

use of org.bouncycastle.asn1.cmp.PKIBody in project xipki by xipki.

the class CmpRequestor method buildMessageWithXipkAction.

// method verifyProtection
protected PKIMessage buildMessageWithXipkAction(int action, ASN1Encodable value) throws CmpRequestorException {
    PKIHeader header = buildPkiHeader(null);
    ASN1EncodableVector vec = new ASN1EncodableVector();
    vec.add(new ASN1Integer(action));
    if (value != null) {
        vec.add(value);
    }
    InfoTypeAndValue itv = new InfoTypeAndValue(ObjectIdentifiers.id_xipki_cmp_cmpGenmsg, new DERSequence(vec));
    GenMsgContent genMsgContent = new GenMsgContent(itv);
    PKIBody body = new PKIBody(PKIBody.TYPE_GEN_MSG, genMsgContent);
    return new PKIMessage(header, body);
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) DERSequence(org.bouncycastle.asn1.DERSequence) GenMsgContent(org.bouncycastle.asn1.cmp.GenMsgContent) InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) ASN1Integer(org.bouncycastle.asn1.ASN1Integer)

Example 24 with PKIBody

use of org.bouncycastle.asn1.cmp.PKIBody in project xipki by xipki.

the class X509CmpRequestor method buildPkiMessage.

// method buildUnrevokeOrRemoveCertRequest
private PKIMessage buildPkiMessage(CsrEnrollCertRequest csr, Date notBefore, Date notAfter) {
    CmpUtf8Pairs utf8Pairs = new CmpUtf8Pairs(CmpUtf8Pairs.KEY_CERTPROFILE, csr.getCertprofile());
    if (notBefore != null) {
        utf8Pairs.putUtf8Pair(CmpUtf8Pairs.KEY_NOTBEFORE, DateUtil.toUtcTimeyyyyMMddhhmmss(notBefore));
    }
    if (notAfter != null) {
        utf8Pairs.putUtf8Pair(CmpUtf8Pairs.KEY_NOTAFTER, DateUtil.toUtcTimeyyyyMMddhhmmss(notAfter));
    }
    PKIHeader header = buildPkiHeader(implicitConfirm, null, utf8Pairs);
    PKIBody body = new PKIBody(PKIBody.TYPE_P10_CERT_REQ, csr.getCsr());
    return new PKIMessage(header, body);
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) CmpUtf8Pairs(org.xipki.cmp.CmpUtf8Pairs)

Example 25 with PKIBody

use of org.bouncycastle.asn1.cmp.PKIBody in project xipki by xipki.

the class X509CmpRequestor method evaluateCrlResponse.

private X509CRL evaluateCrlResponse(PkiResponse response, Integer xipkiAction) throws CmpRequestorException, PkiErrorException {
    ParamUtil.requireNonNull("response", response);
    checkProtection(response);
    PKIBody respBody = response.getPkiMessage().getBody();
    int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new PkiErrorException(content.getPKIStatusInfo());
    } else if (PKIBody.TYPE_GEN_REP != bodyType) {
        throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_GEN_REP, PKIBody.TYPE_ERROR));
    }
    ASN1ObjectIdentifier expectedType = (xipkiAction == null) ? CMPObjectIdentifiers.it_currentCRL : ObjectIdentifiers.id_xipki_cmp_cmpGenmsg;
    GenRepContent genRep = GenRepContent.getInstance(respBody.getContent());
    InfoTypeAndValue[] itvs = genRep.toInfoTypeAndValueArray();
    InfoTypeAndValue itv = null;
    if (itvs != null && itvs.length > 0) {
        for (InfoTypeAndValue m : itvs) {
            if (expectedType.equals(m.getInfoType())) {
                itv = m;
                break;
            }
        }
    }
    if (itv == null) {
        throw new CmpRequestorException("the response does not contain InfoTypeAndValue " + expectedType);
    }
    ASN1Encodable certListAsn1Object = (xipkiAction == null) ? itv.getInfoValue() : extractXiActionContent(itv.getInfoValue(), xipkiAction);
    CertificateList certList = CertificateList.getInstance(certListAsn1Object);
    X509CRL crl;
    try {
        crl = X509Util.toX509Crl(certList);
    } catch (CRLException | CertificateException ex) {
        throw new CmpRequestorException("returned CRL is invalid: " + ex.getMessage());
    }
    return crl;
}
Also used : PKIBody(org.bouncycastle.asn1.cmp.PKIBody) X509CRL(java.security.cert.X509CRL) GenRepContent(org.bouncycastle.asn1.cmp.GenRepContent) CertificateList(org.bouncycastle.asn1.x509.CertificateList) CertificateException(java.security.cert.CertificateException) PkiErrorException(org.xipki.ca.client.api.PkiErrorException) InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent) CRLException(java.security.cert.CRLException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Aggregations

PKIBody (org.bouncycastle.asn1.cmp.PKIBody)30 PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)16 ErrorMsgContent (org.bouncycastle.asn1.cmp.ErrorMsgContent)12 InfoTypeAndValue (org.bouncycastle.asn1.cmp.InfoTypeAndValue)11 PKIHeader (org.bouncycastle.asn1.cmp.PKIHeader)11 Date (java.util.Date)10 PKIStatusInfo (org.bouncycastle.asn1.cmp.PKIStatusInfo)10 GeneralPKIMessage (org.bouncycastle.cert.cmp.GeneralPKIMessage)10 IOException (java.io.IOException)9 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)9 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)9 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)8 ProtectedPKIMessage (org.bouncycastle.cert.cmp.ProtectedPKIMessage)8 Extensions (org.bouncycastle.asn1.x509.Extensions)6 InvalidKeyException (java.security.InvalidKeyException)5 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)5 DEROctetString (org.bouncycastle.asn1.DEROctetString)5 CMPCertificate (org.bouncycastle.asn1.cmp.CMPCertificate)5 RevDetails (org.bouncycastle.asn1.cmp.RevDetails)5 CMPException (org.bouncycastle.cert.cmp.CMPException)5