use of org.niis.xroad.restapi.service.SignerNotReachableException in project X-Road by nordic-institute.
the class TokenCertificateService method unregisterAuthCertAndMarkForDeletion.
/**
* Send the authentication certificate deletion request to central server and set the cert status to
* {@link CertificateInfo#STATUS_DELINPROG}
* @param hash certificate hash
* @param skipUnregister whether to skip the actual delete request and only change cert status
* @throws SignCertificateNotSupportedException
* @throws ActionNotPossibleException
* @throws GlobalConfOutdatedException
* @throws InvalidCertificateException
* @throws KeyNotFoundException
* @throws CertificateNotFoundException
* @throws ManagementRequestSendingFailedException
*/
private void unregisterAuthCertAndMarkForDeletion(String hash, boolean skipUnregister) throws CertificateNotFoundException, GlobalConfOutdatedException, InvalidCertificateException, SignCertificateNotSupportedException, KeyNotFoundException, ActionNotPossibleException, ManagementRequestSendingFailedException {
CertificateInfo certificateInfo = getCertificateInfo(hash);
auditLogTokenKeyAndCert(hash, certificateInfo, false);
verifyAuthCert(certificateInfo);
verifyCertAction(PossibleActionEnum.UNREGISTER, certificateInfo, hash);
if (!skipUnregister) {
Integer requestId = managementRequestSenderService.sendAuthCertDeletionRequest(certificateInfo.getCertificateBytes());
auditDataHelper.putManagementRequestId(requestId);
}
try {
auditDataHelper.put(RestApiAuditProperty.CERT_STATUS, CertificateInfo.STATUS_DELINPROG);
signerProxyFacade.setCertStatus(certificateInfo.getId(), CertificateInfo.STATUS_DELINPROG);
} catch (Exception e) {
// this means that cert was not found (which has been handled already) or some Akka error
throw new SignerNotReachableException("Could not change auth cert status", e);
}
}
use of org.niis.xroad.restapi.service.SignerNotReachableException in project X-Road by nordic-institute.
the class TokenCertificateService method registerAuthCert.
/**
* Send the authentication certificate registration request to central server
* @param hash certificate hash
* @param securityServerAddress IP address or DNS name of the security server
* @throws CertificateNotFoundException
* @throws GlobalConfOutdatedException
* @throws InvalidCertificateException
* @throws SignCertificateNotSupportedException
* @throws KeyNotFoundException
* @throws ActionNotPossibleException
*/
public void registerAuthCert(String hash, String securityServerAddress) throws CertificateNotFoundException, GlobalConfOutdatedException, InvalidCertificateException, SignCertificateNotSupportedException, KeyNotFoundException, ActionNotPossibleException {
CertificateInfo certificateInfo = getCertificateInfo(hash);
auditLogTokenKeyAndCert(hash, certificateInfo, false);
verifyAuthCert(certificateInfo);
verifyCertAction(PossibleActionEnum.REGISTER, certificateInfo, hash);
try {
Integer requestId = managementRequestSenderService.sendAuthCertRegisterRequest(securityServerAddress, certificateInfo.getCertificateBytes());
auditDataHelper.put(RestApiAuditProperty.ADDRESS, securityServerAddress);
auditDataHelper.putManagementRequestId(requestId);
auditDataHelper.put(RestApiAuditProperty.CERT_STATUS, CertificateInfo.STATUS_REGINPROG);
signerProxyFacade.setCertStatus(certificateInfo.getId(), CertificateInfo.STATUS_REGINPROG);
} catch (GlobalConfOutdatedException | CodedException e) {
throw e;
} catch (Exception e) {
throw new SignerNotReachableException("Could not register auth cert", e);
}
}
use of org.niis.xroad.restapi.service.SignerNotReachableException in project X-Road by nordic-institute.
the class TokenCertificateService method generateCertRequest.
/**
* Create a CSR
* @param keyId
* @param memberId
* @param keyUsage
* @param caName
* @param subjectFieldValues user-submitted parameters for subject DN
* @param format
* @return GeneratedCertRequestInfo containing details and bytes of the cert request
* @throws CertificateAuthorityNotFoundException if ca authority with name {@code caName} does not exist
* @throws ClientNotFoundException if client with {@code memberId} id was not found
* @throws KeyNotFoundException if key with {@code keyId} was not found
* @throws WrongKeyUsageException if keyUsage param did not match the key's usage type
* @throws DnFieldHelper.InvalidDnParameterException if required dn parameters were missing, or if there
* were some extra parameters
* @throws ActionNotPossibleException if generate csr was not possible for this key
*/
public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId memberId, KeyUsageInfo keyUsage, String caName, Map<String, String> subjectFieldValues, CertificateRequestFormat format) throws CertificateAuthorityNotFoundException, ClientNotFoundException, WrongKeyUsageException, KeyNotFoundException, DnFieldHelper.InvalidDnParameterException, ActionNotPossibleException {
// validate key and memberId existence
TokenInfo tokenInfo = tokenService.getTokenForKeyId(keyId);
auditDataHelper.put(tokenInfo);
KeyInfo key = keyService.getKey(tokenInfo, keyId);
auditDataHelper.put(key);
auditDataHelper.put(RestApiAuditProperty.KEY_USAGE, keyUsage);
auditDataHelper.put(memberId);
if (keyUsage == KeyUsageInfo.SIGNING) {
// validate that the member exists or has a subsystem on this server
if (!clientService.getLocalClientMemberIds().contains(memberId)) {
throw new ClientNotFoundException("client with id " + memberId + ", or subsystem for it, " + NOT_FOUND);
}
}
// check that keyUsage is allowed
if (key.getUsage() != null) {
if (key.getUsage() != keyUsage) {
throw new WrongKeyUsageException();
}
}
// validate that generate csr is possible
if (keyUsage == KeyUsageInfo.SIGNING) {
possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_SIGN_CSR, tokenInfo, key);
} else {
possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_AUTH_CSR, tokenInfo, key);
}
CertificateProfileInfo profile = null;
try {
profile = certificateAuthorityService.getCertificateProfile(caName, keyUsage, memberId, false);
} catch (CertificateProfileInstantiationException e) {
throw new DeviationAwareRuntimeException(e, e.getErrorDeviation());
}
List<DnFieldValue> dnFieldValues = dnFieldHelper.processDnParameters(profile, subjectFieldValues);
String subjectName = dnFieldHelper.createSubjectName(dnFieldValues);
auditDataHelper.put(RestApiAuditProperty.SUBJECT_NAME, subjectName);
auditDataHelper.put(RestApiAuditProperty.CERTIFICATION_SERVICE_NAME, caName);
auditDataHelper.put(RestApiAuditProperty.CSR_FORMAT, format);
try {
return signerProxyFacade.generateCertRequest(keyId, memberId, keyUsage, subjectName, format);
} catch (CodedException e) {
throw e;
} catch (Exception e) {
throw new SignerNotReachableException("Generate cert request failed", e);
}
}
use of org.niis.xroad.restapi.service.SignerNotReachableException in project X-Road by nordic-institute.
the class TokenService method activateToken.
/**
* Activate a token
*
* @param id id of token
* @param password password for token
* @throws TokenNotFoundException if token was not found
* @throws PinIncorrectException if token login failed due to wrong ping
* @throws ActionNotPossibleException if token activation was not possible
*/
public void activateToken(String id, char[] password) throws TokenNotFoundException, PinIncorrectException, ActionNotPossibleException {
// check that action is possible
TokenInfo tokenInfo = getToken(id);
auditDataHelper.put(tokenInfo);
possibleActionsRuleEngine.requirePossibleTokenAction(PossibleActionEnum.TOKEN_ACTIVATE, tokenInfo);
try {
signerProxyFacade.activateToken(id, password);
} catch (CodedException e) {
if (isCausedByTokenNotFound(e)) {
throw new TokenNotFoundException(e);
} else if (isCausedByIncorrectPin(e)) {
throw new PinIncorrectException(e);
} else {
throw e;
}
} catch (Exception other) {
throw new SignerNotReachableException("token activation failed", other);
}
}
use of org.niis.xroad.restapi.service.SignerNotReachableException in project X-Road by nordic-institute.
the class KeyService method unregisterAuthCert.
/**
* Unregister one auth cert
*/
private void unregisterAuthCert(CertificateInfo certificateInfo) throws GlobalConfOutdatedException {
// this permission is not checked by unregisterCertificate()
securityHelper.verifyAuthority("SEND_AUTH_CERT_DEL_REQ");
try {
// management request to unregister / delete
managementRequestSenderService.sendAuthCertDeletionRequest(certificateInfo.getCertificateBytes());
// update status
signerProxyFacade.setCertStatus(certificateInfo.getId(), CertificateInfo.STATUS_DELINPROG);
} catch (GlobalConfOutdatedException | CodedException e) {
throw e;
} catch (Exception e) {
throw new SignerNotReachableException("Could not unregister auth cert", e);
}
}
Aggregations