Search in sources :

Example 1 with PKIFreeText

use of org.bouncycastle.asn1.cmp.PKIFreeText in project xipki by xipki.

the class X509CaCmpResponderImpl method cmpUnRevokeRemoveCertificates.

// method cmpEnrollCert
private PKIBody cmpUnRevokeRemoveCertificates(PKIMessage request, PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, String msgId, AuditEvent event) {
    Integer requiredPermission = null;
    boolean allRevdetailsOfSameType = true;
    RevReqContent rr = RevReqContent.getInstance(reqBody.getContent());
    RevDetails[] revContent = rr.toRevDetailsArray();
    int len = revContent.length;
    for (int i = 0; i < len; i++) {
        RevDetails revDetails = revContent[i];
        Extensions crlDetails = revDetails.getCrlEntryDetails();
        int reasonCode = CrlReason.UNSPECIFIED.getCode();
        if (crlDetails != null) {
            ASN1ObjectIdentifier extId = Extension.reasonCode;
            ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId);
            if (extValue != null) {
                reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue();
            }
        }
        if (reasonCode == XiSecurityConstants.CMP_CRL_REASON_REMOVE) {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_remove);
                requiredPermission = PermissionConstants.REMOVE_CERT;
            } else if (requiredPermission != PermissionConstants.REMOVE_CERT) {
                allRevdetailsOfSameType = false;
                break;
            }
        } else if (reasonCode == CrlReason.REMOVE_FROM_CRL.getCode()) {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_unrevoke);
                requiredPermission = PermissionConstants.UNREVOKE_CERT;
            } else if (requiredPermission != PermissionConstants.UNREVOKE_CERT) {
                allRevdetailsOfSameType = false;
                break;
            }
        } else {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_revoke);
                requiredPermission = PermissionConstants.REVOKE_CERT;
            } else if (requiredPermission != PermissionConstants.REVOKE_CERT) {
                allRevdetailsOfSameType = false;
                break;
            }
        }
    }
    if (!allRevdetailsOfSameType) {
        ErrorMsgContent emc = new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText("not all revDetails are of the same type"), new PKIFailureInfo(PKIFailureInfo.badRequest)));
        return new PKIBody(PKIBody.TYPE_ERROR, emc);
    } else {
        try {
            checkPermission(requestor, requiredPermission);
        } catch (InsuffientPermissionException ex) {
            event.setStatus(AuditStatus.FAILED);
            event.addEventData(CaAuditConstants.NAME_message, "NOT_PERMITTED");
            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.notAuthorized, null);
        }
        return unRevokeRemoveCertificates(request, rr, requiredPermission, cmpControl, msgId);
    }
}
Also used : PKIBody(org.bouncycastle.asn1.cmp.PKIBody) PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException) Extensions(org.bouncycastle.asn1.x509.Extensions) RevReqContent(org.bouncycastle.asn1.cmp.RevReqContent) PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) BigInteger(java.math.BigInteger) PKIFailureInfo(org.bouncycastle.asn1.cmp.PKIFailureInfo) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent) RevDetails(org.bouncycastle.asn1.cmp.RevDetails) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 2 with PKIFreeText

use of org.bouncycastle.asn1.cmp.PKIFreeText in project xipki by xipki.

the class X509CaCmpResponderImpl method buildErrorMsgPkiBody.

private static PKIBody buildErrorMsgPkiBody(PKIStatus pkiStatus, int failureInfo, String statusMessage) {
    PKIFreeText pkiStatusMsg = (statusMessage == null) ? null : new PKIFreeText(statusMessage);
    ErrorMsgContent emc = new ErrorMsgContent(new PKIStatusInfo(pkiStatus, pkiStatusMsg, new PKIFailureInfo(failureInfo)));
    return new PKIBody(PKIBody.TYPE_ERROR, emc);
}
Also used : PKIFailureInfo(org.bouncycastle.asn1.cmp.PKIFailureInfo) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent) PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText)

Example 3 with PKIFreeText

use of org.bouncycastle.asn1.cmp.PKIFreeText in project xipki by xipki.

the class X509CmpRequestor method parse.

private RevokeCertResultType parse(PkiResponse response, List<? extends IssuerSerialEntry> reqEntries) throws CmpRequestorException, PkiErrorException {
    ParamUtil.requireNonNull("response", response);
    checkProtection(response);
    PKIBody respBody = response.getPkiMessage().getBody();
    int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new PkiErrorException(content.getPKIStatusInfo());
    } else if (PKIBody.TYPE_REVOCATION_REP != bodyType) {
        throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_REVOCATION_REP, PKIBody.TYPE_ERROR));
    }
    RevRepContent content = RevRepContent.getInstance(respBody.getContent());
    PKIStatusInfo[] statuses = content.getStatus();
    if (statuses == null || statuses.length != reqEntries.size()) {
        int statusesLen = 0;
        if (statuses != null) {
            statusesLen = statuses.length;
        }
        throw new CmpRequestorException(String.format("incorrect number of status entries in response '%s' instead the expected '%s'", statusesLen, reqEntries.size()));
    }
    CertId[] revCerts = content.getRevCerts();
    RevokeCertResultType result = new RevokeCertResultType();
    for (int i = 0; i < statuses.length; i++) {
        PKIStatusInfo statusInfo = statuses[i];
        int status = statusInfo.getStatus().intValue();
        IssuerSerialEntry re = reqEntries.get(i);
        if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) {
            PKIFreeText text = statusInfo.getStatusString();
            String statusString = (text == null) ? null : text.getStringAt(0).getString();
            ResultEntry resultEntry = new ErrorResultEntry(re.getId(), status, statusInfo.getFailInfo().intValue(), statusString);
            result.addResultEntry(resultEntry);
            continue;
        }
        CertId certId = null;
        if (revCerts != null) {
            for (CertId entry : revCerts) {
                if (re.getIssuer().equals(entry.getIssuer().getName()) && re.getSerialNumber().equals(entry.getSerialNumber().getValue())) {
                    certId = entry;
                    break;
                }
            }
        }
        if (certId == null) {
            LOG.warn("certId is not present in response for (issuer='{}', serialNumber={})", X509Util.getRfc4519Name(re.getIssuer()), LogUtil.formatCsn(re.getSerialNumber()));
            certId = new CertId(new GeneralName(re.getIssuer()), re.getSerialNumber());
            continue;
        }
        ResultEntry resultEntry = new RevokeCertResultEntry(re.getId(), certId);
        result.addResultEntry(resultEntry);
    }
    return result;
}
Also used : ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry) RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry) EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry) ResultEntry(org.xipki.ca.client.api.dto.ResultEntry) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry) CertId(org.bouncycastle.asn1.crmf.CertId) PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry) IssuerSerialEntry(org.xipki.ca.client.api.dto.IssuerSerialEntry) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DEROctetString(org.bouncycastle.asn1.DEROctetString) RevRepContent(org.bouncycastle.asn1.cmp.RevRepContent) PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText) PkiErrorException(org.xipki.ca.client.api.PkiErrorException) RevokeCertResultType(org.xipki.ca.client.api.dto.RevokeCertResultType) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent)

Example 4 with PKIFreeText

use of org.bouncycastle.asn1.cmp.PKIFreeText in project xipki by xipki.

the class X509CmpRequestor method requestCertificate0.

private EnrollCertResultResp requestCertificate0(PKIMessage reqMessage, Map<BigInteger, String> reqIdIdMap, int expectedBodyType, RequestResponseDebug debug) throws CmpRequestorException, PkiErrorException {
    PkiResponse response = signAndSend(reqMessage, debug);
    checkProtection(response);
    PKIBody respBody = response.getPkiMessage().getBody();
    final int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new PkiErrorException(content.getPKIStatusInfo());
    } else if (expectedBodyType != bodyType) {
        throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, expectedBodyType, PKIBody.TYPE_ERROR));
    }
    CertRepMessage certRep = CertRepMessage.getInstance(respBody.getContent());
    CertResponse[] certResponses = certRep.getResponse();
    EnrollCertResultResp result = new EnrollCertResultResp();
    // CA certificates
    CMPCertificate[] caPubs = certRep.getCaPubs();
    if (caPubs != null && caPubs.length > 0) {
        for (int i = 0; i < caPubs.length; i++) {
            if (caPubs[i] != null) {
                result.addCaCertificate(caPubs[i]);
            }
        }
    }
    CertificateConfirmationContentBuilder certConfirmBuilder = null;
    if (!CmpUtil.isImplictConfirm(response.getPkiMessage().getHeader())) {
        certConfirmBuilder = new CertificateConfirmationContentBuilder();
    }
    boolean requireConfirm = false;
    // We only accept the certificates which are requested.
    for (CertResponse certResp : certResponses) {
        PKIStatusInfo statusInfo = certResp.getStatus();
        int status = statusInfo.getStatus().intValue();
        BigInteger certReqId = certResp.getCertReqId().getValue();
        String thisId = reqIdIdMap.get(certReqId);
        if (thisId != null) {
            reqIdIdMap.remove(certReqId);
        } else if (reqIdIdMap.size() == 1) {
            thisId = reqIdIdMap.values().iterator().next();
            reqIdIdMap.clear();
        }
        if (thisId == null) {
            // ignore it. this cert is not requested by me
            continue;
        }
        ResultEntry resultEntry;
        if (status == PKIStatus.GRANTED || status == PKIStatus.GRANTED_WITH_MODS) {
            CertifiedKeyPair cvk = certResp.getCertifiedKeyPair();
            if (cvk == null) {
                return null;
            }
            CMPCertificate cmpCert = cvk.getCertOrEncCert().getCertificate();
            if (cmpCert == null) {
                return null;
            }
            resultEntry = new EnrollCertResultEntry(thisId, cmpCert, status);
            if (certConfirmBuilder != null) {
                requireConfirm = true;
                X509CertificateHolder certHolder = null;
                try {
                    certHolder = new X509CertificateHolder(cmpCert.getEncoded());
                } catch (IOException ex) {
                    resultEntry = new ErrorResultEntry(thisId, ClientErrorCode.PKISTATUS_RESPONSE_ERROR, PKIFailureInfo.systemFailure, "could not decode the certificate");
                }
                if (certHolder != null) {
                    certConfirmBuilder.addAcceptedCertificate(certHolder, certReqId);
                }
            }
        } else {
            PKIFreeText statusString = statusInfo.getStatusString();
            String errorMessage = (statusString == null) ? null : statusString.getStringAt(0).getString();
            int failureInfo = statusInfo.getFailInfo().intValue();
            resultEntry = new ErrorResultEntry(thisId, status, failureInfo, errorMessage);
        }
        result.addResultEntry(resultEntry);
    }
    if (CollectionUtil.isNonEmpty(reqIdIdMap)) {
        for (BigInteger reqId : reqIdIdMap.keySet()) {
            ErrorResultEntry ere = new ErrorResultEntry(reqIdIdMap.get(reqId), ClientErrorCode.PKISTATUS_NO_ANSWER);
            result.addResultEntry(ere);
        }
    }
    if (!requireConfirm) {
        return result;
    }
    PKIMessage confirmRequest = buildCertConfirmRequest(response.getPkiMessage().getHeader().getTransactionID(), certConfirmBuilder);
    response = signAndSend(confirmRequest, debug);
    checkProtection(response);
    return result;
}
Also used : ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry) RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry) EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry) ResultEntry(org.xipki.ca.client.api.dto.ResultEntry) PkiResponse(org.xipki.cmp.PkiResponse) PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DEROctetString(org.bouncycastle.asn1.DEROctetString) CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate) PkiErrorException(org.xipki.ca.client.api.PkiErrorException) CertifiedKeyPair(org.bouncycastle.asn1.cmp.CertifiedKeyPair) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) CertificateConfirmationContentBuilder(org.bouncycastle.cert.cmp.CertificateConfirmationContentBuilder) CertResponse(org.bouncycastle.asn1.cmp.CertResponse) ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry) CertRepMessage(org.bouncycastle.asn1.cmp.CertRepMessage) IOException(java.io.IOException) PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText) EnrollCertResultResp(org.xipki.ca.client.api.dto.EnrollCertResultResp) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent)

Example 5 with PKIFreeText

use of org.bouncycastle.asn1.cmp.PKIFreeText in project xipki by xipki.

the class CmpResponder method generateRejectionStatus.

// method generateCmpRejectionStatus
protected PKIStatusInfo generateRejectionStatus(PKIStatus status, Integer info, String errorMessage) {
    PKIFreeText statusMessage = (errorMessage == null) ? null : new PKIFreeText(errorMessage);
    PKIFailureInfo failureInfo = (info == null) ? null : new PKIFailureInfo(info);
    return new PKIStatusInfo(status, statusMessage, failureInfo);
}
Also used : PKIFailureInfo(org.bouncycastle.asn1.cmp.PKIFailureInfo) PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText)

Aggregations

PKIFreeText (org.bouncycastle.asn1.cmp.PKIFreeText)9 PKIStatusInfo (org.bouncycastle.asn1.cmp.PKIStatusInfo)7 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)5 ErrorMsgContent (org.bouncycastle.asn1.cmp.ErrorMsgContent)5 PKIBody (org.bouncycastle.asn1.cmp.PKIBody)5 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)4 PKIFailureInfo (org.bouncycastle.asn1.cmp.PKIFailureInfo)4 BigInteger (java.math.BigInteger)2 DEROctetString (org.bouncycastle.asn1.DEROctetString)2 CertResponse (org.bouncycastle.asn1.cmp.CertResponse)2 CertifiedKeyPair (org.bouncycastle.asn1.cmp.CertifiedKeyPair)2 PKIHeader (org.bouncycastle.asn1.cmp.PKIHeader)2 PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)2 GeneralName (org.bouncycastle.asn1.x509.GeneralName)2 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)2 InsuffientPermissionException (org.xipki.ca.api.InsuffientPermissionException)2 PkiErrorException (org.xipki.ca.client.api.PkiErrorException)2 EnrollCertResultEntry (org.xipki.ca.client.api.dto.EnrollCertResultEntry)2 ErrorResultEntry (org.xipki.ca.client.api.dto.ErrorResultEntry)2 ResultEntry (org.xipki.ca.client.api.dto.ResultEntry)2