
Example 46 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class CaClientImpl method removeCerts.

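/**
 * Removes the certificates listed in {@code request} from the CA (the "unrevoke-or-remove"
 * CMP operation, sent as a removal).
 *
 * <p>All entries must name the same issuer: one CMP request is addressed to exactly one CA,
 * so a mixed-issuer request is rejected up front instead of being applied to only one CA.
 *
 * @param request the entries to remove; must not be {@code null}
 * @param debug   request/response capture handed through to the CMP requestor
 * @return the per-entry outcome keyed by request id; an empty map when there are no entries
 * @throws PkiErrorException if an entry has no issuer, or the entries name more than one issuer
 * @throws CaClientException if no CA is configured for the issuer, or the CMP exchange fails
 */
@Override
public Map<String, CertIdOrError> removeCerts(UnrevokeOrRemoveCertRequest request, RequestResponseDebug debug) throws CaClientException, PkiErrorException {
    ParamUtil.requireNonNull("request", request);
    init0(false);
    List<UnrevokeOrRemoveCertEntry> requestEntries = request.getRequestEntries();
    if (CollectionUtil.isEmpty(requestEntries)) {
        return Collections.emptyMap();
    }
    X500Name issuer = requestEntries.get(0).getIssuer();
    if (issuer == null) {
        // Reject explicitly instead of failing with an NPE in the equality loop below.
        throw new PkiErrorException(PKIStatus.REJECTION, PKIFailureInfo.badRequest, "issuer of the request entry is not set");
    }
    for (int i = 1; i < requestEntries.size(); i++) {
        if (!issuer.equals(requestEntries.get(i).getIssuer())) {
            throw new PkiErrorException(PKIStatus.REJECTION, PKIFailureInfo.badRequest, "removing certificates issued by more than one CA is not allowed");
        }
    }
    final String caName = getCaNameByIssuer(issuer);
    // An issuer that maps to no configured CA must not surface as a NullPointerException.
    if (caName == null || casMap.get(caName) == null) {
        throw new CaClientException("no CA is configured for issuer " + issuer);
    }
    X509CmpRequestor cmpRequestor = casMap.get(caName).getRequestor();
    RevokeCertResultType result;
    try {
        result = cmpRequestor.removeCertificate(request, debug);
    } catch (CmpRequestorException ex) {
        // Keep the cause so the CMP-level failure is not lost to the caller.
        throw new CaClientException(ex.getMessage(), ex);
    }
    return parseRevokeCertResult(result);
}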

Example 47 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class CaClientImpl method parseEnrollCertResult.

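/**
 * Converts a CMP enrollment response into an {@link EnrollCertResult}.
 *
 * <p>Each result entry becomes either a parsed certificate or the CA's error status, keyed by
 * request id. If the response carries {@code caPubs}, the one whose key verifies the signature
 * of the enrolled certificates is returned as the CA certificate; when no single caPub verifies
 * all of them, no CA certificate is returned and the caPubs are ignored.
 *
 * <p>NOTE(review): the match against {@code caPubs} only establishes which of the CA-supplied
 * certificates issued the new ones. It does not by itself make {@code caCert} trustworthy —
 * trust has to come from the CMP message protection or a configured trust anchor, which this
 * method does not check.
 *
 * @param result the decoded enrollment response
 * @return the enrolled certificates (or per-entry errors) plus the matching CA certificate, if any
 * @throws CaClientException if an issued certificate cannot be parsed
 */
private EnrollCertResult parseEnrollCertResult(EnrollCertResultResp result) throws CaClientException {
    Map<String, CertOrError> certOrErrors = new HashMap<>();
    for (ResultEntry resultEntry : result.getResultEntries()) {
        CertOrError certOrError;
        if (resultEntry instanceof EnrollCertResultEntry) {
            EnrollCertResultEntry entry = (EnrollCertResultEntry) resultEntry;
            try {
                java.security.cert.Certificate cert = getCertificate(entry.getCert());
                certOrError = new CertOrError(cert);
            } catch (CertificateException ex) {
                // Preserve the cause; the message alone hides where the parse failed.
                throw new CaClientException(String.format("CertificateParsingException for request (id=%s): %s", entry.getId(), ex.getMessage()), ex);
            }
        } else if (resultEntry instanceof ErrorResultEntry) {
            certOrError = new CertOrError(((ErrorResultEntry) resultEntry).getStatusInfo());
        } else {
            // Unknown entry type: recorded as null so the id is still present in the result map.
            certOrError = null;
        }
        certOrErrors.put(resultEntry.getId(), certOrError);
    }
    List<CMPCertificate> cmpCaPubs = result.getCaCertificates();
    if (CollectionUtil.isEmpty(cmpCaPubs)) {
        return new EnrollCertResult(null, certOrErrors);
    }
    List<java.security.cert.Certificate> caPubs = new ArrayList<>(cmpCaPubs.size());
    for (CMPCertificate cmpCaPub : cmpCaPubs) {
        try {
            caPubs.add(getCertificate(cmpCaPub));
        } catch (CertificateException ex) {
            // A malformed caPub is not fatal: the enrolled certificates are still returned.
            LogUtil.error(LOG, ex, "could not extract the caPub from CMPCertificate");
        }
    }
    // Pick the first caPub that verifies any of the issued certificates.
    java.security.cert.Certificate caCert = null;
    for (CertOrError certOrError : certOrErrors.values()) {
        // Null entries (unknown result types) and error entries carry no certificate to verify.
        if (certOrError == null || certOrError.getCertificate() == null) {
            continue;
        }
        java.security.cert.Certificate cert = certOrError.getCertificate();
        for (java.security.cert.Certificate caPub : caPubs) {
            if (verify(caPub, cert)) {
                caCert = caPub;
                break;
            }
        }
        if (caCert != null) {
            break;
        }
    }
    if (caCert == null) {
        return new EnrollCertResult(null, certOrErrors);
    }
    // Every issued certificate must verify under the same caPub, otherwise the caPubs are
    // inconsistent with the response and are dropped rather than partially trusted.
    for (CertOrError certOrError : certOrErrors.values()) {
        if (certOrError == null || certOrError.getCertificate() == null) {
            continue;
        }
        if (!verify(caCert, certOrError.getCertificate())) {
            LOG.warn("not all certificates are issued by CA embedded in caPubs, ignore the caPubs");
            return new EnrollCertResult(null, certOrErrors);
        }
    }
    return new EnrollCertResult(caCert, certOrErrors);
}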

Example 48 with Request

use of org.bouncycastle.asn1.ocsp.Request in project fabric-sdk-java by hyperledger.

the class HFCAClientIT method testCertificateRevoke.

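/**
 * Revokes the test user's enrollment certificate by serial number and AKI.
 *
 * <p>Registers and enrolls the user if the sample store does not already hold it, extracts
 * the serial and AuthorityKeyIdentifier from the issued certificate, revokes it as admin and,
 * when not running against Fabric CA 1.0, checks that exactly one revocation was added.
 */
@Test
public void testCertificateRevoke() throws Exception {
    SampleUser user = getTestUser(TEST_USER1_ORG);
    if (!user.isRegistered()) {
        RegistrationRequest rr = new RegistrationRequest(user.getName(), TEST_USER1_AFFILIATION);
        String password = "testUserRevoke";
        rr.setSecret(password);
        rr.addAttribute(new Attribute("user.role", "department lead"));
        rr.addAttribute(new Attribute(HFCAClient.HFCA_ATTRIBUTE_HFREVOKER, "true"));
        // Admin can register other users.
        user.setEnrollmentSecret(client.register(rr, admin));
        if (!user.getEnrollmentSecret().equals(password)) {
            fail("Secret returned from RegistrationRequest not match : " + user.getEnrollmentSecret());
        }
    }
    if (!user.isEnrolled()) {
        EnrollmentRequest req = new EnrollmentRequest(DEFAULT_PROFILE_NAME, "label 2", null);
        req.addHost("example3.ibm.com");
        user.setEnrollment(client.enroll(user.getName(), user.getEnrollmentSecret(), req));
    }
    // verify: parse the PEM with an explicit charset rather than the platform default.
    String cert = user.getEnrollment().getCert();
    CertificateFactory certFactory = CertificateFactory.getInstance(Config.getConfig().getCertificateFormat());
    X509Certificate certificate;
    try (BufferedInputStream pem = new BufferedInputStream(new ByteArrayInputStream(cert.getBytes("UTF-8")))) {
        certificate = (X509Certificate) certFactory.generateCertificate(pem);
    }
    // get its serial number
    String serial = DatatypeConverter.printHexBinary(certificate.getSerialNumber().toByteArray());
    // get its aki
    // 2.5.29.35 : AuthorityKeyIdentifier
    byte[] extensionValue = certificate.getExtensionValue(Extension.authorityKeyIdentifier.getId());
    if (extensionValue == null) {
        // Revocation is keyed by serial + AKI; a certificate without the extension cannot be revoked this way.
        fail("Enrollment certificate has no AuthorityKeyIdentifier extension");
    }
    ASN1OctetString akiOc = ASN1OctetString.getInstance(extensionValue);
    String aki = DatatypeConverter.printHexBinary(AuthorityKeyIdentifier.getInstance(akiOc.getOctets()).getKeyIdentifier());
    int startedWithRevokes = -1;
    if (!testConfig.isRunningAgainstFabric10()) {
        // prevent clock skewing. make sure we request started with revokes.
        Thread.sleep(1000);
        // one more after we do this revoke.
        startedWithRevokes = getRevokes(null).length;
        // prevent clock skewing. make sure we request started with revokes.
        Thread.sleep(1000);
    }
    // revoke all enrollment of this user
    client.revoke(admin, serial, aki, "revoke certificate");
    if (!testConfig.isRunningAgainstFabric10()) {
        final int newRevokes = getRevokes(null).length;
        assertEquals(format("Expected one more revocation %d, but got %d", startedWithRevokes + 1, newRevokes), startedWithRevokes + 1, newRevokes);
    }
}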

Example 49 with Request

use of org.bouncycastle.asn1.ocsp.Request in project fabric-sdk-java by hyperledger.

the class HFCAClientIT method testRegisterAttributes.

/**
 * Registers a user with three attributes and checks that an enrollment requesting only
 * {@code testattr2} yields a certificate that contains that attribute and neither of the
 * others — including the one flagged as a default.
 */
@Test
public void testRegisterAttributes() throws Exception {
    // Attribute requests in enrollment need Fabric CA v1.1 or later.
    if (testConfig.isRunningAgainstFabric10()) {
        return;
    }
    final String secret = "mrAttributespassword";
    SampleUser attrUser = new SampleUser("mrAttributes", TEST_ADMIN_ORG, sampleStore);
    RegistrationRequest registration = new RegistrationRequest(attrUser.getName(), TEST_USER1_AFFILIATION);
    registration.setSecret(secret);
    registration.addAttribute(new Attribute("testattr1", "mrAttributesValue1"));
    registration.addAttribute(new Attribute("testattr2", "mrAttributesValue2"));
    registration.addAttribute(new Attribute("testattrDEFAULTATTR", "mrAttributesValueDEFAULTATTR", true));
    attrUser.setEnrollmentSecret(client.register(registration, admin));
    if (!attrUser.getEnrollmentSecret().equals(secret)) {
        fail("Secret returned from RegistrationRequest not match : " + attrUser.getEnrollmentSecret());
    }
    EnrollmentRequest enrollmentRequest = new EnrollmentRequest();
    enrollmentRequest.addAttrReq("testattr2").setOptional(false);
    attrUser.setEnrollment(client.enroll(attrUser.getName(), attrUser.getEnrollmentSecret(), enrollmentRequest));
    Enrollment enrollment = attrUser.getEnrollment();
    String decodedCert = getStringCert(enrollment.getCert());
    assertTrue(format("Missing testattr2 in certficate decoded: %s", decodedCert), decodedCert.contains("\"testattr2\":\"mrAttributesValue2\""));
    // Since request had specific attributes don't expect defaults.
    boolean hasDefaultAttr = decodedCert.contains("\"testattrDEFAULTATTR\"") || decodedCert.contains("\"mrAttributesValueDEFAULTATTR\"");
    assertFalse(format("Contains testattrDEFAULTATTR in certificate decoded: %s", decodedCert), hasDefaultAttr);
    boolean hasAttr1 = decodedCert.contains("\"testattr1\"") || decodedCert.contains("\"mrAttributesValue1\"");
    assertFalse(format("Contains testattr1 in certificate decoded: %s", decodedCert), hasAttr1);
}

Example 50 with Request

use of org.bouncycastle.asn1.ocsp.Request in project fabric-sdk-java by hyperledger.

the class HFCAClient method revokeInternal.

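/**
 * Sends a revocation request for one certificate (by serial number and AKI) to the Fabric CA.
 *
 * @param revoker the identity that signs the request
 * @param serial  serial number of the certificate to revoke, hex encoded
 * @param aki     AuthorityKeyIdentifier of the certificate to revoke, hex encoded
 * @param reason  revocation reason, sent to the CA as given
 * @param genCRL  whether the CA should also return a CRL
 * @return the CRL from the response when {@code genCRL} is set, otherwise {@code null}
 * @throws InvalidArgumentException if the crypto suite or revoker is not set
 * @throws IllegalArgumentException if serial or AKI is missing (NOTE(review): a different type
 *                                  than the other argument checks; kept for compatibility)
 * @throws RevocationException      if the request fails or a requested CRL is not returned
 */
private String revokeInternal(User revoker, String serial, String aki, String reason, boolean genCRL) throws RevocationException, InvalidArgumentException {
    if (cryptoSuite == null) {
        throw new InvalidArgumentException("Crypto primitives not set.");
    }
    if (Utils.isNullOrEmpty(serial)) {
        throw new IllegalArgumentException("Serial number id required to revoke ceritificate");
    }
    if (Utils.isNullOrEmpty(aki)) {
        throw new IllegalArgumentException("AKI is required to revoke certificate");
    }
    if (revoker == null) {
        throw new InvalidArgumentException("revoker is not set");
    }
    logger.debug(format("revoke revoker: %s, reason: %s, url: %s", revoker.getName(), reason, url));
    try {
        setUpSSL();
        // build request body
        RevocationRequest req = new RevocationRequest(caName, null, serial, aki, reason, genCRL);
        String body = req.toJson();
        // send revoke request
        JsonObject resp = httpPost(url + HFCA_REVOKE, body, revoker);
        logger.debug("revoke done");
        if (genCRL) {
            if (resp.isEmpty()) {
                throw new RevocationException("Failed to return CRL, revoke response is empty");
            }
            // JsonObject.isNull throws NPE for an absent key, so check presence first.
            if (!resp.containsKey("CRL") || resp.isNull("CRL")) {
                throw new RevocationException("Failed to return CRL");
            }
            return resp.getString("CRL");
        }
        return null;
    } catch (RevocationException e) {
        // Already the right type: propagate unchanged instead of re-wrapping it below.
        throw e;
    } catch (CertificateException e) {
        logger.error("Cannot validate certificate. Error is: " + e.getMessage());
        throw new RevocationException("Error while revoking cert. " + e.getMessage(), e);
    } catch (Exception e) {
        logger.error(e.getMessage(), e);
        throw new RevocationException("Error while revoking the user. " + e.getMessage(), e);
    }
}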
