use of org.xipki.ca.api.CaUris in project xipki by xipki.
the class CaManagerQueryExecutor method changeCa.
// method addPublisher
/**
 * Applies the non-null fields of {@code changeCaEntry} to the row of that CA in table {@code CA}.
 *
 * <p>Before anything is written, the method
 * <ul>
 *   <li>refuses a new CA certificate once any certificate carrying this CA's id exists,</li>
 *   <li>obtains the CA certificate (the supplied one, or the stored one) whenever signer,
 *       certificate or certificate chain change, and test-instantiates every configured signer
 *       against it so that an unusable signer configuration never reaches the database,</li>
 *   <li>merges partial CA-URI and protocol-support changes over the values of
 *       {@code currentCaEntry}.</li>
 * </ul>
 *
 * @param changeCaEntry the requested changes; a null field leaves the corresponding column as is
 * @param currentCaEntry the CA as currently persisted; only read when CA URIs or protocol support
 *        change, and not null-checked here
 * @param securityFactory used to canonicalize the signer configuration and to create the test
 *        signers
 * @throws CaMgmtException if the CA is unknown, if a new certificate is supplied for a CA that
 *         has already issued certificates, if the certificate cannot be parsed, if a signer
 *         cannot be created, or if the database access fails
 */
public void changeCa(ChangeCaEntry changeCaEntry, CaEntry currentCaEntry, SecurityFactory securityFactory) throws CaMgmtException {
  notNulls(changeCaEntry, "changeCaEntry", securityFactory, "securityFactory");
  byte[] encodedCert = changeCaEntry.getEncodedCert();
  if (encodedCert != null) {
    // A CA certificate must not be replaced once certificates were issued under it: the issued
    // certificates would no longer chain to the stored CA certificate.
    boolean anyCertIssued;
    try {
      // NOTE(review): despite its name, columnExists is used here as "does any row of CERT carry
      // CA_ID = this id" — confirm against the datasource implementation.
      anyCertIssued = datasource.columnExists(null, "CERT", "CA_ID", changeCaEntry.getIdent().getId());
    } catch (DataAccessException ex) {
      throw new CaMgmtException(ex);
    }
    if (anyCertIssued) {
      throw new CaMgmtException("Cannot change certificate of CA which has issued certificates");
    }
  }
  String signerType = changeCaEntry.getSignerType();
  String signerConf = changeCaEntry.getSignerConf();
  X509Cert caCert = null;
  if (signerType != null || signerConf != null || encodedCert != null || CollectionUtil.isNotEmpty(changeCaEntry.getEncodedCertchain())) {
    // need CA certificate: the newly supplied one, otherwise the one stored in the database
    if (encodedCert != null) {
      caCert = parseCert(encodedCert);
    } else {
      final String sql = "SELECT CERT FROM CA WHERE ID=?";
      ResultRow rs = execQuery1PrepStmt0(sql, col2Int(changeCaEntry.getIdent().getId()));
      if (rs == null) {
        throw new CaMgmtException("unknown CA '" + changeCaEntry.getIdent());
      }
      caCert = parseCert(Base64.decode(rs.getString("CERT")));
    }
    if (signerType != null || signerConf != null || encodedCert != null) {
      // validate the signer configuration. Fields that are not part of the change are taken from
      // the stored row, so the combination that will be persisted is exactly the one tested.
      final String sql = "SELECT SIGNER_TYPE,SIGNER_CONF FROM CA WHERE ID=?";
      ResultRow rs = execQuery1PrepStmt0(sql, col2Int(changeCaEntry.getIdent().getId()));
      if (rs == null) {
        throw new CaMgmtException("unknown CA '" + changeCaEntry.getIdent());
      }
      if (signerType == null) {
        signerType = rs.getString("SIGNER_TYPE");
      }
      if (signerConf == null) {
        signerConf = rs.getString("SIGNER_CONF");
      } else {
        // only a newly supplied conf is canonicalized; the stored one is assumed to be already
        signerConf = CaUtil.canonicalizeSignerConf(signerType, signerConf, null, securityFactory);
      }
      try {
        // A CA may carry several signer confs; every one of them must be instantiable against
        // caCert, otherwise the whole change is rejected before anything is written.
        List<CaSignerConf> signerConfs = CaEntry.splitCaSignerConfs(signerConf);
        for (CaSignerConf m : signerConfs) {
          securityFactory.createSigner(signerType, new SignerConf(m.getConf()), caCert);
        }
      } catch (XiSecurityException | ObjectCreationException ex) {
        // NOTE(review): there is no separator between the closing quote and ex.getMessage()
        throw new CaMgmtException("could not create signer for CA '" + changeCaEntry.getIdent() + "'" + ex.getMessage(), ex);
      }
    }
  }
  // end if (signerType)
  String subject = null;
  String base64Cert = null;
  if (encodedCert != null) {
    try {
      // NOTE(review): the SUBJECT column is filled from the certificate's *issuer* name. Identical
      // for a self-signed CA, but not for a subordinate CA — confirm that this is intended.
      // The certificate was already parsed into caCert above; this parses it a second time.
      subject = X509Util.parseCert(encodedCert).getIssuerRfc4519Text();
      base64Cert = Base64.encodeToString(encodedCert);
    } catch (CertificateException ex) {
      throw new CaMgmtException("could not parse the certificate", ex);
    }
  }
  // String forms of the optional fields; null means "leave the column unchanged".
  // CHECKSTYLE:SKIP
  String status = (changeCaEntry.getStatus() == null) ? null : changeCaEntry.getStatus().name();
  // CHECKSTYLE:SKIP
  String maxValidity = (changeCaEntry.getMaxValidity() == null) ? null : changeCaEntry.getMaxValidity().toString();
  // CHECKSTYLE:SKIP
  String extraControl = (changeCaEntry.getExtraControl() == null) ? null : // check also the validity
  new ConfPairs(changeCaEntry.getExtraControl()).getEncoded();
  // CHECKSTYLE:SKIP
  String validityMode = (changeCaEntry.getValidityMode() == null) ? null : changeCaEntry.getValidityMode().name();
  String caUrisStr = null;
  CaUris changeUris = changeCaEntry.getCaUris();
  if (changeUris != null && (changeUris.getCacertUris() != null || changeUris.getCrlUris() != null || changeUris.getDeltaCrlUris() != null || changeUris.getOcspUris() != null)) {
    // Merge per URI kind: a list present in the change replaces the stored list, an absent (null)
    // list keeps the stored one; an empty list therefore clears that kind of URI.
    // NOTE(review): oldCaUris is dereferenced without a null check — presumably a persisted CA
    // always carries a CaUris object; confirm, otherwise this is an NPE.
    CaUris oldCaUris = currentCaEntry.getCaUris();
    List<String> uris = changeUris.getCacertUris();
    // CHECKSTYLE:SKIP
    List<String> cacertUris = (uris == null) ? oldCaUris.getCacertUris() : uris;
    uris = changeUris.getOcspUris();
    List<String> ocspUris = (uris == null) ? oldCaUris.getOcspUris() : uris;
    uris = changeUris.getCrlUris();
    List<String> crlUris = (uris == null) ? oldCaUris.getCrlUris() : uris;
    uris = changeUris.getDeltaCrlUris();
    List<String> deltaCrlUris = (uris == null) ? oldCaUris.getDeltaCrlUris() : uris;
    CaUris newCaUris = new CaUris(cacertUris, ocspUris, crlUris, deltaCrlUris);
    caUrisStr = newCaUris.getEncoded();
    if (caUrisStr.isEmpty()) {
      // all URIs removed: the sentinel presumably makes the column NULL instead of being skipped
      caUrisStr = CaManager.NULL;
    }
  }
  String protocolSupportStr = null;
  Boolean supportCmp = changeCaEntry.getSupportCmp();
  Boolean supportRest = changeCaEntry.getSupportRest();
  Boolean supportScep = changeCaEntry.getSupportScep();
  if (supportCmp != null || supportRest != null || supportScep != null) {
    // start from the persisted flags and overlay only the ones that were supplied
    ProtocolSupport oldSupport = currentCaEntry.getProtocoSupport();
    ProtocolSupport support = new ProtocolSupport(oldSupport.isCmp(), oldSupport.isRest(), oldSupport.isScep());
    if (supportCmp != null) {
      support.setCmp(supportCmp);
    }
    if (supportRest != null) {
      support.setRest(supportRest);
    }
    if (supportScep != null) {
      support.setScep(supportScep);
    }
    protocolSupportStr = support.getEncoded();
  }
  String certchainStr = null;
  if (changeCaEntry.getEncodedCertchain() != null) {
    List<byte[]> encodedCertchain = changeCaEntry.getEncodedCertchain();
    if (encodedCertchain.size() == 0) {
      // an explicitly empty chain clears the column (sentinel, see CA_URIS above)
      certchainStr = CaManager.NULL;
    } else {
      // parse, order the chain relative to the CA certificate, then encode it for the column
      List<X509Cert> certs = new LinkedList<>();
      for (byte[] m : changeCaEntry.getEncodedCertchain()) {
        certs.add(parseCert(m));
      }
      certs = buildCertChain(caCert, certs);
      certchainStr = encodeCertchain(certs);
    }
  }
  // Presumably only columns with a non-null value are written (name of the helper). The trailing
  // flags of colStr are positional: the third is called confIsSensitive where the CONF column is
  // built; the meaning of the fourth is not visible here — confirm against colStr before relying
  // on either for log redaction.
  changeIfNotNull("CA",
      colInt("ID", changeCaEntry.getIdent().getId()),
      colInt("SN_SIZE", changeCaEntry.getSerialNoLen()),
      colStr("STATUS", status),
      colStr("SUBJECT", subject),
      colStr("CERT", base64Cert),
      colStr("CERTCHAIN", certchainStr),
      colStr("CA_URIS", caUrisStr),
      colStr("MAX_VALIDITY", maxValidity),
      colStr("SIGNER_TYPE", signerType),
      colStr("CRL_SIGNER_NAME", changeCaEntry.getCrlSignerName()),
      colStr("CMP_RESPONDER_NAME", changeCaEntry.getCmpResponderName()),
      colStr("SCEP_RESPONDER_NAME", changeCaEntry.getScepResponderName()),
      colStr("CMP_CONTROL", changeCaEntry.getCmpControl()),
      colStr("CRL_CONTROL", changeCaEntry.getCrlControl()),
      colStr("SCEP_CONTROL", changeCaEntry.getScepControl()),
      colStr("CTLOG_CONTROL", changeCaEntry.getCtlogControl()),
      colStr("PROTOCOL_SUPPORT", protocolSupportStr),
      colBool("SAVE_REQ", changeCaEntry.getSaveRequest()),
      colInt("PERMISSION", changeCaEntry.getPermission()),
      colInt("NUM_CRLS", changeCaEntry.getNumCrls()),
      colInt("EXPIRATION_PERIOD", changeCaEntry.getExpirationPeriod()),
      colInt("KEEP_EXPIRED_CERT_DAYS", changeCaEntry.getKeepExpiredCertInDays()),
      colStr("VALIDITY_MODE", validityMode),
      colStr("EXTRA_CONTROL", extraControl),
      colStr("SIGNER_CONF", signerConf, false, true),
      colStr("DHPOC_CONTROL", changeCaEntry.getDhpocControl(), false, true),
      colStr("REVOKE_SUSPENDED_CONTROL", changeCaEntry.getRevokeSuspendedControl()));
}
use of org.xipki.ca.api.CaUris in project xipki by xipki.
the class ConfLoader method exportConf.
// method loadConf
/**
 * Exports the CA system configuration as a ZIP archive that is built completely in memory.
 *
 * <p>The archive holds {@code caconf.json} (the serialized {@code CaConfType.CaSystem}) plus the
 * values that {@code createFileOrBinary}/{@code createFileOrValue} moved into separate
 * {@code files/...} entries. Per selected CA this covers aliases, requestor and user bindings,
 * profiles, publishers, CA certificate and chain, and every control setting including the signer
 * configuration; the users referenced by a CA are exported with their password hashes. Requestors,
 * publishers, profiles, signers and keypair generators are always exported in full, independent
 * of {@code caNames}.
 *
 * <p>The result therefore contains signer configurations (which may embed credentials), signer
 * certificates and user password hashes; treat the returned stream as sensitive.
 *
 * @param caNames names of the CAs to export; each is lower-cased before lookup and unknown names
 *        are silently dropped. {@code null} exports all CAs
 * @return a stream over the complete ZIP archive
 * @throws CaMgmtException if the manager is not in master mode / not set up, or the assembled
 *         configuration does not validate
 * @throws IOException if writing to the ZIP stream fails
 */
InputStream exportConf(List<String> caNames) throws CaMgmtException, IOException {
  manager.assertMasterModeAndSetuped();
  if (caNames != null) {
    // keep only the requested names that denote a known CA
    List<String> tmpCaNames = new ArrayList<>(caNames.size());
    for (String name : caNames) {
      // NOTE(review): default-locale lower-casing; the map keys are presumably lower-cased the same
      // way elsewhere — confirm, or use Locale.ROOT consistently
      name = name.toLowerCase();
      if (manager.x509cas.containsKey(name)) {
        tmpCaNames.add(name);
      }
    }
    caNames = tmpCaNames;
  } else {
    caNames = new ArrayList<>(manager.x509cas.keySet());
  }
  // initial 1M
  ByteArrayOutputStream bytesStream = new ByteArrayOutputStream(1048576);
  ZipOutputStream zipStream = new ZipOutputStream(bytesStream);
  zipStream.setLevel(Deflater.BEST_SPEED);
  CaConfType.CaSystem root = new CaConfType.CaSystem();
  CaManagerQueryExecutor queryExecutor = manager.queryExecutor;
  try {
    // users already added to root.users, so that a user bound to several CAs appears once
    Set<String> includeUserNames = new HashSet<>();
    // DBSchema
    root.setDbSchemas(manager.getDbSchemas());
    // users
    List<CaConfType.User> users = new LinkedList<>();
    root.setUsers(users);
    // cas
    if (CollectionUtil.isNotEmpty(caNames)) {
      List<CaConfType.Ca> list = new LinkedList<>();
      // iterate in the manager's order and filter, rather than over caNames
      for (String name : manager.x509cas.keySet()) {
        if (!caNames.contains(name)) {
          continue;
        }
        CaConfType.Ca ca = new CaConfType.Ca();
        ca.setName(name);
        Set<String> strs = manager.getAliasesForCa(name);
        if (CollectionUtil.isNotEmpty(strs)) {
          ca.setAliases(new ArrayList<>(strs));
        }
        // CaHasRequestors
        Set<CaHasRequestorEntry> requestors = manager.caHasRequestors.get(name);
        if (CollectionUtil.isNotEmpty(requestors)) {
          ca.setRequestors(new ArrayList<>());
          for (CaHasRequestorEntry m : requestors) {
            String requestorName = m.getRequestorIdent().getName();
            CaConfType.CaHasRequestor chr = new CaConfType.CaHasRequestor();
            chr.setRequestorName(requestorName);
            chr.setRa(m.isRa());
            chr.setProfiles(new ArrayList<>(m.getProfiles()));
            chr.setPermissions(getPermissions(m.getPermission()));
            ca.getRequestors().add(chr);
          }
        }
        // CaHasUsers
        List<CaHasUserEntry> caHasUsers = queryExecutor.getCaHasUsersForCa(name, manager.idNameMap);
        if (CollectionUtil.isNotEmpty(caHasUsers)) {
          ca.setUsers(new ArrayList<>());
          for (CaHasUserEntry m : caHasUsers) {
            String username = m.getUserIdent().getName();
            CaConfType.CaHasUser chu = new CaConfType.CaHasUser();
            chu.setUserName(username);
            chu.setProfiles(new ArrayList<>(m.getProfiles()));
            chu.setPermissions(getPermissions(m.getPermission()));
            ca.getUsers().add(chu);
            if (includeUserNames.contains(username)) {
              continue;
            }
            // add also the user to the users (only the first time it is seen);
            // the password hash is part of the export
            UserEntry userEntry = queryExecutor.getUser(username);
            CaConfType.User userType = new CaConfType.User();
            if (!userEntry.isActive()) {
              userType.setActive(Boolean.FALSE);
            }
            userType.setName(username);
            userType.setHashedPassword(userEntry.getHashedPassword());
            users.add(userType);
            includeUserNames.add(username);
          }
        }
        strs = manager.caHasProfiles.get(name);
        if (CollectionUtil.isNotEmpty(strs)) {
          ca.setProfiles(new ArrayList<>(strs));
        }
        strs = manager.caHasPublishers.get(name);
        if (CollectionUtil.isNotEmpty(strs)) {
          ca.setPublishers(new ArrayList<>(strs));
        }
        CaConfType.CaInfo caInfoType = new CaConfType.CaInfo();
        ca.setCaInfo(caInfoType);
        CaEntry entry = manager.x509cas.get(name).getCaInfo().getCaEntry();
        // CA URIs
        CaUris caUris = entry.getCaUris();
        if (caUris != null) {
          CaConfType.CaUris caUrisType = new CaConfType.CaUris();
          caUrisType.setCacertUris(caUris.getCacertUris());
          caUrisType.setOcspUris(caUris.getOcspUris());
          caUrisType.setCrlUris(caUris.getCrlUris());
          caUrisType.setDeltacrlUris(caUris.getDeltaCrlUris());
          caInfoType.setCaUris(caUrisType);
        }
        // Certificate (DER, written as a separate archive entry named after the CA)
        byte[] certBytes = entry.getCert().getEncoded();
        caInfoType.setCert(createFileOrBinary(zipStream, certBytes, concat("files/ca-", name, "-cert.der")));
        // certchain
        List<X509Cert> certchain = entry.getCertchain();
        if (CollectionUtil.isNotEmpty(certchain)) {
          List<FileOrBinary> ccList = new LinkedList<>();
          for (int i = 0; i < certchain.size(); i++) {
            certBytes = certchain.get(i).getEncoded();
            ccList.add(createFileOrBinary(zipStream, certBytes, concat("files/ca-", name, "-certchain-" + i + ".der")));
          }
          caInfoType.setCertchain(ccList);
        }
        // the control settings are re-parsed from their conf strings into plain maps
        if (entry.getCmpControl() != null) {
          caInfoType.setCmpControl(new HashMap<>(new ConfPairs(entry.getCmpControl().getConf()).asMap()));
        }
        if (entry.getCmpResponderName() != null) {
          caInfoType.setCmpResponderName(entry.getCmpResponderName());
        }
        if (entry.getCrlControl() != null) {
          caInfoType.setCrlControl(new HashMap<>(new ConfPairs(entry.getCrlControl().getConf()).asMap()));
        }
        if (entry.getCrlSignerName() != null) {
          caInfoType.setCrlSignerName(entry.getCrlSignerName());
        }
        if (entry.getCtlogControl() != null) {
          caInfoType.setCtlogControl(new HashMap<>(new ConfPairs(entry.getCtlogControl().getConf()).asMap()));
        }
        if (entry.getPopControl() != null) {
          FileOrValue fv = createFileOrValue(zipStream, entry.getPopControl().getConf(), concat("files/ca-", name, "-pop.conf"));
          caInfoType.setPopControl(fv);
        }
        caInfoType.setExpirationPeriod(entry.getExpirationPeriod());
        if (entry.getExtraControl() != null) {
          caInfoType.setExtraControl(entry.getExtraControl().asMap());
        }
        caInfoType.setKeepExpiredCertDays(entry.getKeepExpiredCertInDays());
        caInfoType.setMaxValidity(entry.getMaxValidity().toString());
        caInfoType.setNextCrlNo(entry.getNextCrlNumber());
        caInfoType.setNumCrls(entry.getNumCrls());
        caInfoType.setPermissions(getPermissions(entry.getPermission()));
        caInfoType.setProtocolSupport(StringUtil.splitAsSet(entry.getProtocoSupport().getEncoded(), ","));
        if (entry.getRevokeSuspendedControl() != null) {
          caInfoType.setRevokeSuspendedControl(new HashMap<>(new ConfPairs(entry.getRevokeSuspendedControl().getConf()).asMap()));
        }
        caInfoType.setSaveCert(entry.isSaveCert());
        caInfoType.setSaveRequest(entry.isSaveRequest());
        caInfoType.setSaveKeyPair(entry.isSaveKeypair());
        if (entry.getScepControl() != null) {
          caInfoType.setScepControl(new HashMap<>(new ConfPairs(entry.getScepControl().getConf()).asMap()));
        }
        if (entry.getScepResponderName() != null) {
          caInfoType.setScepResponderName(entry.getScepResponderName());
        }
        if (entry.getKeypairGenNames() != null) {
          caInfoType.setKeypairGenNames(entry.getKeypairGenNames());
        }
        // the signer configuration is exported verbatim (it may embed credentials)
        caInfoType.setSignerConf(createFileOrValue(zipStream, entry.getSignerConf(), concat("files/ca-", name, "-signerconf.conf")));
        caInfoType.setSignerType(entry.getSignerType());
        caInfoType.setSnSize(entry.getSerialNoLen());
        caInfoType.setStatus(entry.getStatus().getStatus());
        caInfoType.setValidityMode(entry.getValidityMode().name());
        list.add(ca);
      }
      if (!list.isEmpty()) {
        root.setCas(list);
      }
    }
    // clear the users if the list is empty
    if (users.isEmpty()) {
      root.setUsers(null);
    }
    // requestors
    if (CollectionUtil.isNotEmpty(manager.requestorDbEntries)) {
      List<CaConfType.Requestor> list = new LinkedList<>();
      for (String name : manager.requestorDbEntries.keySet()) {
        RequestorEntry entry = manager.requestorDbEntries.get(name);
        CaConfType.Requestor type = new CaConfType.Requestor();
        type.setName(name);
        type.setType(entry.getType());
        // certificate-type requestors store the Base64 DER certificate in their conf
        if (RequestorEntry.TYPE_CERT.equalsIgnoreCase(entry.getType())) {
          FileOrBinary fob = createFileOrBinary(zipStream, Base64.decode(entry.getConf()), concat("files/requestor-", name, ".der"));
          type.setBinaryConf(fob);
        } else {
          FileOrValue fov = createFileOrValue(zipStream, entry.getConf(), concat("files/requestor-", name, ".conf"));
          type.setConf(fov);
        }
        list.add(type);
      }
      if (!list.isEmpty()) {
        root.setRequestors(list);
      }
    }
    // publishers
    if (CollectionUtil.isNotEmpty(manager.publisherDbEntries)) {
      List<NameTypeConf> list = new LinkedList<>();
      for (String name : manager.publisherDbEntries.keySet()) {
        PublisherEntry entry = manager.publisherDbEntries.get(name);
        NameTypeConf conf = new NameTypeConf();
        conf.setName(name);
        conf.setType(entry.getType());
        conf.setConf(createFileOrValue(zipStream, entry.getConf(), concat("files/publisher-", name, ".conf")));
        list.add(conf);
      }
      if (!list.isEmpty()) {
        root.setPublishers(list);
      }
    }
    // profiles
    if (CollectionUtil.isNotEmpty(manager.certprofileDbEntries)) {
      List<NameTypeConf> list = new LinkedList<>();
      for (String name : manager.certprofileDbEntries.keySet()) {
        CertprofileEntry entry = manager.certprofileDbEntries.get(name);
        NameTypeConf conf = new NameTypeConf();
        conf.setName(name);
        conf.setType(entry.getType());
        conf.setConf(createFileOrValue(zipStream, entry.getConf(), concat("files/certprofile-", name, ".conf")));
        list.add(conf);
      }
      if (!list.isEmpty()) {
        root.setProfiles(list);
      }
    }
    // signers
    if (CollectionUtil.isNotEmpty(manager.signerDbEntries)) {
      List<CaConfType.Signer> list = new LinkedList<>();
      for (String name : manager.signerDbEntries.keySet()) {
        SignerEntry entry = manager.signerDbEntries.get(name);
        CaConfType.Signer conf = new CaConfType.Signer();
        conf.setName(name);
        conf.setType(entry.getType());
        conf.setConf(createFileOrValue(zipStream, entry.getConf(), concat("files/signer-", name, ".conf")));
        conf.setCert(createFileOrBase64Value(zipStream, entry.getBase64Cert(), concat("files/signer-", name, ".der")));
        list.add(conf);
      }
      if (!list.isEmpty()) {
        root.setSigners(list);
      }
    }
    // keypair generators: the conf is kept inline, not moved to a files/ entry
    if (CollectionUtil.isNotEmpty(manager.keypairGenDbEntries)) {
      List<CaConfType.NameTypeConf> list = new LinkedList<>();
      for (String name : manager.keypairGenDbEntries.keySet()) {
        KeypairGenEntry entry = manager.keypairGenDbEntries.get(name);
        CaConfType.NameTypeConf conf = new CaConfType.NameTypeConf();
        conf.setName(name);
        conf.setType(entry.getType());
        if (entry.getConf() != null) {
          FileOrValue fv = new FileOrValue();
          fv.setValue(entry.getConf());
          conf.setConf(fv);
        }
        list.add(conf);
      }
      if (!list.isEmpty()) {
        root.setKeypairGens(list);
      }
    }
    // add the CAConf XML file (actually serialized as JSON, see the entry name below)
    ByteArrayOutputStream bout = new ByteArrayOutputStream();
    try {
      // validate the assembled tree before it is written, so a broken export is never produced
      root.validate();
      JSON.writeJSONString(bout, root, SerializerFeature.PrettyFormat);
    } catch (InvalidConfException ex) {
      LogUtil.error(LOG, ex, "could not marshal CAConf");
      throw new CaMgmtException(concat("could not marshal CAConf: ", ex.getMessage()), ex);
    } finally {
      bout.flush();
    }
    zipStream.putNextEntry(new ZipEntry("caconf.json"));
    try {
      zipStream.write(bout.toByteArray());
    } finally {
      zipStream.closeEntry();
    }
  } finally {
    // closing the ZIP stream finalizes the archive in bytesStream
    zipStream.flush();
    zipStream.close();
  }
  return new ByteArrayInputStream(bytesStream.toByteArray());
}
use of org.xipki.ca.api.CaUris in project xipki by xipki.
the class CaManagerQueryExecutor method buildChangeCaConfColumn.
// method changeCa
/**
 * Computes the value of the {@code CONF} column that results from applying
 * {@code changeCaEntry} to {@code currentCaConfColumn} (the layout in which all CA settings
 * share one encoded column).
 *
 * <p>Only non-null fields of the change entry are applied; every other setting is taken from a
 * clone of the current column. For the string-typed control settings and the keypair-generator
 * names the sentinel {@link CaManager#NULL} clears the setting, for the CA URIs an empty list
 * does. When the encoded result equals the current encoding, the returned column carries a
 * {@code null} value so that the caller leaves the column untouched.
 *
 * @param changeCaEntry requested changes; a null field means "unchanged"
 * @param currentCaEntry the current CA, consulted only for the protocol-support defaults
 * @param currentCaConfColumn current content of the CONF column; not modified (it is cloned)
 * @return the CONF column, with value {@code null} if nothing changed; flagged as sensitive when
 *         the encoded text contains the word "password"
 */
private SqlColumn buildChangeCaConfColumn(ChangeCaEntry changeCaEntry, CaEntry currentCaEntry, CaConfColumn currentCaConfColumn) {
  CaConfColumn merged = currentCaConfColumn.clone();

  if (changeCaEntry.getMaxValidity() != null) {
    merged.setMaxValidity(changeCaEntry.getMaxValidity().toString());
  }

  String extraCtrl = changeCaEntry.getExtraControl();
  if (extraCtrl != null) {
    // constructing ConfPairs also validates the syntax of the supplied text
    merged.setExtraControl(CaManager.NULL.equalsIgnoreCase(extraCtrl) ? null : new ConfPairs(extraCtrl).asMap());
  }

  if (changeCaEntry.getValidityMode() != null) {
    merged.setValidityMode(changeCaEntry.getValidityMode().name());
  }

  CaUris uriChanges = changeCaEntry.getCaUris();
  if (uriChanges != null) {
    // per URI kind: null = unchanged, empty list = clear, otherwise replace
    List<String> cacertUris = uriChanges.getCacertUris();
    if (cacertUris != null) {
      merged.setCacertUris(cacertUris.isEmpty() ? null : cacertUris);
    }
    List<String> crlUris = uriChanges.getCrlUris();
    if (crlUris != null) {
      merged.setCrlUris(crlUris.isEmpty() ? null : crlUris);
    }
    List<String> deltaCrlUris = uriChanges.getDeltaCrlUris();
    if (deltaCrlUris != null) {
      merged.setDeltaCrlUris(deltaCrlUris.isEmpty() ? null : deltaCrlUris);
    }
    List<String> ocspUris = uriChanges.getOcspUris();
    if (ocspUris != null) {
      merged.setOcspUris(ocspUris.isEmpty() ? null : ocspUris);
    }
  }

  // protocol support: start from the persisted flags, overlay only the supplied ones
  Boolean cmp = changeCaEntry.getSupportCmp();
  Boolean rest = changeCaEntry.getSupportRest();
  Boolean scep = changeCaEntry.getSupportScep();
  if (cmp != null || rest != null || scep != null) {
    ProtocolSupport current = currentCaEntry.getProtocoSupport();
    ProtocolSupport protocols = new ProtocolSupport(current.isCmp(), current.isRest(), current.isScep());
    if (cmp != null) {
      protocols.setCmp(cmp);
    }
    if (rest != null) {
      protocols.setRest(rest);
    }
    if (scep != null) {
      protocols.setScep(scep);
    }
    merged.setProtocolSupport(protocols.getProtocols());
  }

  // keypair generation names: an empty list or a leading NULL sentinel clears them
  List<String> genNames = changeCaEntry.getKeypairGenNames();
  if (genNames != null) {
    boolean clearGenNames = genNames.isEmpty() || genNames.get(0).equalsIgnoreCase(CaManager.NULL);
    merged.setKeypairGenNames(clearGenNames ? null : genNames);
  }

  if (changeCaEntry.getSerialNoLen() != null) {
    merged.setSnSize(changeCaEntry.getSerialNoLen());
  }

  // control settings: NULL sentinel clears, anything else is parsed into a map
  String cmpCtrl = changeCaEntry.getCmpControl();
  if (cmpCtrl != null) {
    merged.setCmpControl(CaManager.NULL.equalsIgnoreCase(cmpCtrl) ? null : new ConfPairs(cmpCtrl).asMap());
  }
  String crlCtrl = changeCaEntry.getCrlControl();
  if (crlCtrl != null) {
    merged.setCrlControl(CaManager.NULL.equalsIgnoreCase(crlCtrl) ? null : new ConfPairs(crlCtrl).asMap());
  }
  String scepCtrl = changeCaEntry.getScepControl();
  if (scepCtrl != null) {
    merged.setScepControl(CaManager.NULL.equalsIgnoreCase(scepCtrl) ? null : new ConfPairs(scepCtrl).asMap());
  }
  String ctlogCtrl = changeCaEntry.getCtlogControl();
  if (ctlogCtrl != null) {
    merged.setCtlogControl(CaManager.NULL.equalsIgnoreCase(ctlogCtrl) ? null : new ConfPairs(ctlogCtrl).asMap());
  }

  Boolean saveCert = changeCaEntry.getSaveCert();
  if (saveCert != null) {
    merged.setSaveCert(saveCert);
  }
  Boolean saveRequest = changeCaEntry.getSaveRequest();
  if (saveRequest != null) {
    merged.setSaveRequest(saveRequest);
  }
  Boolean saveKeypair = changeCaEntry.getSaveKeypair();
  if (saveKeypair != null) {
    merged.setSaveKeypair(saveKeypair);
  }

  Integer permission = changeCaEntry.getPermission();
  if (permission != null) {
    merged.setPermission(permission);
  }
  Integer numCrls = changeCaEntry.getNumCrls();
  if (numCrls != null) {
    merged.setNumCrls(numCrls);
  }
  Integer expirationPeriod = changeCaEntry.getExpirationPeriod();
  if (expirationPeriod != null) {
    merged.setExpirationPeriod(expirationPeriod);
  }
  Integer keepExpiredCertDays = changeCaEntry.getKeepExpiredCertInDays();
  if (keepExpiredCertDays != null) {
    merged.setKeepExpiredCertDays(keepExpiredCertDays);
  }

  String revokeSuspendedCtrl = changeCaEntry.getRevokeSuspendedControl();
  if (revokeSuspendedCtrl != null) {
    merged.setRevokeSuspendedControl(CaManager.NULL.equalsIgnoreCase(revokeSuspendedCtrl) ? null : new ConfPairs(revokeSuspendedCtrl).asMap());
  }
  String popCtrl = changeCaEntry.getPopControl();
  if (popCtrl != null) {
    merged.setPopControl(CaManager.NULL.equalsIgnoreCase(popCtrl) ? null : new ConfPairs(popCtrl).asMap());
  }

  String encoded = merged.encode();
  boolean sensitive = false;
  String encodedCurrent = currentCaConfColumn.encode();
  if (encoded.equals(encodedCurrent)) {
    // nothing changed: a null value tells the caller to leave the column alone
    encoded = null;
  } else if (encoded.contains("password")) {
    // NOTE(review): substring heuristic — a credential stored under a key that does not contain
    // "password" is not flagged as sensitive here
    sensitive = true;
  }
  return colStr("CONF", encoded, sensitive, false);
}
use of org.xipki.ca.api.CaUris in project xipki by xipki.
the class CaManagerQueryExecutor method addCa.
/**
 * Inserts a new CA into table {@code CA}, assigning it the next free id.
 *
 * <p>Two row layouts are written depending on {@code dbSchemaVersion}: up to version 6 every
 * setting has its own column, from version 7 on the settings are collected into a
 * {@code CaConfColumn} and stored encoded in the single {@code CONF} column. Schema versions
 * below 7 reject {@code saveKeypair} and any keypair generator other than {@code software}.
 *
 * <p>Side effect: the id of {@code caEntry.getIdent()} is set to the newly allocated value.
 *
 * @param caEntry the CA to persist; its certificate, status, validity mode and max validity are
 *        dereferenced without null checks
 * @throws CaMgmtException if a setting requires a newer schema, or the insert affects no row
 */
public void addCa(CaEntry caEntry) throws CaMgmtException {
  notNull(caEntry, "caEntry");
  if (dbSchemaVersion <= 6) {
    // features that only the CONF-column layout can persist
    if (caEntry.isSaveKeypair()) {
      assertDbSchemaVersion7on("Saving keypair");
    }
    List<String> keypairGenNames = caEntry.getKeypairGenNames();
    if (CollectionUtil.isNotEmpty(keypairGenNames)) {
      for (String n : keypairGenNames) {
        if (!"software".equalsIgnoreCase(n)) {
          assertDbSchemaVersion7on("Keypair generation name (" + n + ") different than 'software'");
        }
      }
    }
  }
  caEntry.getIdent().setId((int) getNextId(Table.CA));
  // Column names and the values in `cols` below are matched positionally; both lists must be
  // extended in the same order.
  List<String> colNames = CaUtil.asModifiableList("ID", "NAME", "STATUS", "NEXT_CRLNO",
      "CRL_SIGNER_NAME", "CMP_RESPONDER_NAME", "SCEP_RESPONDER_NAME", "SUBJECT", "SIGNER_TYPE",
      "SIGNER_CONF", "CERT", "CERTCHAIN");
  if (dbSchemaVersion <= 6) {
    CaUtil.addAll(colNames, "SN_SIZE", "CA_URIS", "MAX_VALIDITY", "CRL_CONTROL", "CMP_CONTROL",
        "SCEP_CONTROL", "CTLOG_CONTROL", "PROTOCOL_SUPPORT", "SAVE_REQ", "PERMISSION", "NUM_CRLS",
        "EXPIRATION_PERIOD", "KEEP_EXPIRED_CERT_DAYS", "VALIDITY_MODE", "EXTRA_CONTROL",
        "DHPOC_CONTROL", "REVOKE_SUSPENDED_CONTROL");
  } else {
    colNames.add("CONF");
  }
  String sql = buildInsertSql("CA", colNames.toArray(new String[0]));
  byte[] encodedCert = caEntry.getCert().getEncoded();
  List<X509Cert> certchain = caEntry.getCertchain();
  // the chain is ordered relative to the CA certificate before it is encoded
  String certchainStr = CollectionUtil.isEmpty(certchain) ? null : encodeCertchain(buildCertChain(caEntry.getCert(), certchain));
  List<SqlColumn2> cols = CaUtil.asModifiableList(// ID
  col2Int(caEntry.getIdent().getId()), // NAME
  col2Str(caEntry.getIdent().getName()), // STATUS
  col2Str(caEntry.getStatus().getStatus()), // NEXT_CRLNO
  col2Long(caEntry.getNextCrlNumber()), // CRL_SIGNER_NAME
  col2Str(caEntry.getCrlSignerName()), // CMP_RESPONDER_NAME
  col2Str(caEntry.getCmpResponderName()), // SCEP_RESPONDER_NAME
  col2Str(caEntry.getScepResponderName()), // SUBJECT
  col2Str(caEntry.getSubject()), // SIGNER_TYPE
  col2Str(caEntry.getSignerType()), // SIGNER_CONF
  col2Str(caEntry.getSignerConf()), // CERT
  col2Str(Base64.encodeToString(encodedCert)), // CERTCHAIN
  col2Str(certchainStr));
  if (dbSchemaVersion <= 6) {
    CaUris caUris = caEntry.getCaUris();
    CrlControl crlControl = caEntry.getCrlControl();
    ScepControl scepControl = caEntry.getScepControl();
    CtlogControl ctlogControl = caEntry.getCtlogControl();
    ProtocolSupport protocolSupport = caEntry.getProtocoSupport();
    ConfPairs extraControl = caEntry.getExtraControl();
    String encodedExtraCtrl = (extraControl == null) ? null : extraControl.getEncoded();
    RevokeSuspendedControl revokeSuspended = caEntry.getRevokeSuspendedControl();
    // adapt the configuration: the old layout has no POP column, so the POP control is split into
    // the CMP control ("sigalgo" -> "popo.sigalgo") and the DHPOC_CONTROL column ("dh.*" entries)
    PopControl popCtrl = caEntry.getPopControl();
    String cmpCtrlText = null;
    String dhPopCtrlText = null;
    if (popCtrl != null) {
      ConfPairs pairs = popCtrl.getConfPairs();
      CmpControl cmpControl = caEntry.getCmpControl();
      // NOTE(review): if getConfPairs() hands out the live instance, the putPair below also
      // modifies the CmpControl of the caller's caEntry — confirm or copy first
      ConfPairs cmpPairs = cmpControl == null ? new ConfPairs() : cmpControl.getConfPairs();
      ConfPairs dhpopPairs = new ConfPairs();
      for (String n : pairs.names()) {
        if ("sigalgo".equals(n)) {
          cmpPairs.putPair("popo.sigalgo", pairs.value(n));
        } else if (n.startsWith("dh.")) {
          dhpopPairs.putPair(n.substring(3), pairs.value(n));
        } else {
          // any other POP entry is dropped from the persisted configuration with only a warning
          LOG.warn("unsupported POP control entry {}: {}", n, pairs.value(n));
        }
      }
      if (!cmpPairs.isEmpty()) {
        cmpCtrlText = cmpPairs.getEncoded();
      }
      if (!dhpopPairs.isEmpty()) {
        dhPopCtrlText = dhpopPairs.getEncoded();
      }
    } else {
      if (caEntry.getCmpControl() != null) {
        cmpCtrlText = caEntry.getCmpControl().getConf();
      }
    }
    // same order as the SN_SIZE .. REVOKE_SUSPENDED_CONTROL column names above
    CaUtil.addAll(cols,
        col2Int(caEntry.getSerialNoLen()),
        col2Str(caUris == null ? null : caEntry.getCaUris().getEncoded()),
        col2Str(caEntry.getMaxValidity().toString()),
        col2Str(crlControl == null ? null : crlControl.getConf()),
        col2Str(cmpCtrlText),
        col2Str(scepControl == null ? null : scepControl.getConf()),
        col2Str(ctlogControl == null ? null : ctlogControl.getConf()),
        col2Str(protocolSupport == null ? null : protocolSupport.getEncoded()),
        col2Bool(caEntry.isSaveRequest()),
        col2Int(caEntry.getPermission()),
        col2Int(caEntry.getNumCrls()),
        col2Int(caEntry.getExpirationPeriod()),
        col2Int(caEntry.getKeepExpiredCertInDays()),
        col2Str(caEntry.getValidityMode().name()),
        col2Str(StringUtil.isBlank(encodedExtraCtrl) ? null : encodedExtraCtrl),
        col2Str(dhPopCtrlText),
        col2Str(revokeSuspended == null ? null : revokeSuspended.getConf()));
    // END DB Schema Version 6
  } else {
    // START DB Schema Version 7
    CaConfColumn cc = new CaConfColumn();
    // CA URIS
    CaUris caUris = caEntry.getCaUris();
    if (caUris != null) {
      cc.setCacertUris(caUris.getCacertUris());
      cc.setCrlUris(caUris.getCrlUris());
      cc.setDeltaCrlUris(caUris.getDeltaCrlUris());
      cc.setOcspUris(caUris.getOcspUris());
    }
    // CRL Control
    CrlControl crlControl = caEntry.getCrlControl();
    if (crlControl != null) {
      cc.setCrlControl(crlControl.getConfPairs().asMap());
    }
    // CMP Control
    CmpControl cmpControl = caEntry.getCmpControl();
    if (cmpControl != null) {
      cc.setCmpControl(cmpControl.getConfPairs().asMap());
    }
    // SCEP Control
    ScepControl scepControl = caEntry.getScepControl();
    if (scepControl != null) {
      cc.setScepControl(scepControl.getConfPairs().asMap());
    }
    // CTLog Control
    CtlogControl ctlogControl = caEntry.getCtlogControl();
    if (ctlogControl != null) {
      cc.setCtlogControl(ctlogControl.getConfPairs().asMap());
    }
    ProtocolSupport protocolSupport = caEntry.getProtocoSupport();
    if (protocolSupport != null) {
      cc.setProtocolSupport(protocolSupport.getProtocols());
    }
    ConfPairs extraControl = caEntry.getExtraControl();
    if (extraControl != null) {
      cc.setExtraControl(extraControl.asMap());
    }
    RevokeSuspendedControl revokeSuspended = caEntry.getRevokeSuspendedControl();
    if (revokeSuspended != null) {
      cc.setRevokeSuspendedControl(revokeSuspended.getConfPairs().asMap());
    }
    cc.setSnSize(caEntry.getSerialNoLen());
    if (caEntry.getMaxValidity() != null) {
      cc.setMaxValidity(caEntry.getMaxValidity().toString());
    }
    cc.setKeypairGenNames(caEntry.getKeypairGenNames());
    cc.setSaveCert(caEntry.isSaveCert());
    cc.setSaveRequest(caEntry.isSaveRequest());
    cc.setSaveKeypair(caEntry.isSaveKeypair());
    cc.setPermission(caEntry.getPermission());
    cc.setNumCrls(caEntry.getNumCrls());
    cc.setExpirationPeriod(caEntry.getExpirationPeriod());
    cc.setKeepExpiredCertDays(caEntry.getKeepExpiredCertInDays());
    if (caEntry.getValidityMode() != null) {
      cc.setValidityMode(caEntry.getValidityMode().name());
    }
    // the POP control is stored as-is in this layout (no split into CMP/DHPOC as above)
    if (caEntry.getPopControl() != null) {
      cc.setPopControl(caEntry.getPopControl().getConfPairs().asMap());
    }
    // add to cols (the single CONF column)
    cols.add(col2Str(cc.encode()));
  }
  // insert to table ca
  int num = execUpdatePrepStmt0(sql, cols.toArray(new SqlColumn2[0]));
  if (num == 0) {
    throw new CaMgmtException("could not add CA " + caEntry.getIdent());
  }
  if (LOG.isInfoEnabled()) {
    // NOTE(review): the toString flags are presumably verbosity/redaction switches — confirm that
    // the signer configuration is not written to the log in full
    LOG.info("add CA '{}': {}", caEntry.getIdent(), caEntry.toString(false, true));
  }
}
use of org.xipki.ca.api.CaUris in project xipki by xipki.
the class CaManagerQueryExecutor method changeCa.
// method addPublisher
public void changeCa(ChangeCaEntry changeCaEntry, CaEntry currentCaEntry, CaConfColumn currentCaConfColumn, SecurityFactory securityFactory) throws CaMgmtException {
notNulls(changeCaEntry, "changeCaEntry", securityFactory, "securityFactory");
if (changeCaEntry.getSaveKeypair() != null && changeCaEntry.getSaveKeypair()) {
assertDbSchemaVersion7on("Saving keypair");
}
List<String> keypairGenNames = changeCaEntry.getKeypairGenNames();
if (CollectionUtil.isNotEmpty(keypairGenNames)) {
for (String n : keypairGenNames) {
if (!"software".equalsIgnoreCase(n)) {
assertDbSchemaVersion7on("Keypair generation name " + n + ") different than 'sofware'");
}
}
}
byte[] encodedCert = changeCaEntry.getEncodedCert();
if (encodedCert != null) {
boolean anyCertIssued;
try {
anyCertIssued = datasource.columnExists(null, "CERT", "CA_ID", changeCaEntry.getIdent().getId());
} catch (DataAccessException ex) {
throw new CaMgmtException(ex);
}
if (anyCertIssued) {
throw new CaMgmtException("Cannot change certificate of CA which has issued certificates");
}
}
String signerType = changeCaEntry.getSignerType();
String signerConf = changeCaEntry.getSignerConf();
X509Cert caCert = null;
if (signerType != null || signerConf != null || encodedCert != null || CollectionUtil.isNotEmpty(changeCaEntry.getEncodedCertchain())) {
// need CA certificate
if (encodedCert != null) {
caCert = parseCert(encodedCert);
} else {
final String sql = "SELECT CERT FROM CA WHERE ID=?";
ResultRow rs = execQuery1PrepStmt0(sql, col2Int(changeCaEntry.getIdent().getId()));
if (rs == null) {
throw new CaMgmtException("unknown CA '" + changeCaEntry.getIdent());
}
caCert = parseCert(Base64.decode(rs.getString("CERT")));
}
if (signerType != null || signerConf != null || encodedCert != null) {
// validate the signer configuration
final String sql = "SELECT SIGNER_TYPE,SIGNER_CONF FROM CA WHERE ID=?";
ResultRow rs = execQuery1PrepStmt0(sql, col2Int(changeCaEntry.getIdent().getId()));
if (rs == null) {
throw new CaMgmtException("unknown CA '" + changeCaEntry.getIdent());
}
if (signerType == null) {
signerType = rs.getString("SIGNER_TYPE");
}
if (signerConf == null) {
signerConf = rs.getString("SIGNER_CONF");
} else {
signerConf = CaUtil.canonicalizeSignerConf(signerType, signerConf, null, securityFactory);
}
try {
List<CaSignerConf> signerConfs = CaEntry.splitCaSignerConfs(signerConf);
for (CaSignerConf m : signerConfs) {
securityFactory.createSigner(signerType, new SignerConf(m.getConf()), caCert);
}
} catch (XiSecurityException | ObjectCreationException ex) {
throw new CaMgmtException("could not create signer for CA '" + changeCaEntry.getIdent() + "'" + ex.getMessage(), ex);
}
}
}
// end if (signerType)
String subject = null;
String base64Cert = null;
if (encodedCert != null) {
try {
subject = X509Util.parseCert(encodedCert).getIssuerRfc4519Text();
base64Cert = Base64.encodeToString(encodedCert);
} catch (CertificateException ex) {
throw new CaMgmtException("could not parse the certificate", ex);
}
}
String certchainStr = null;
if (changeCaEntry.getEncodedCertchain() != null) {
List<byte[]> encodedCertchain = changeCaEntry.getEncodedCertchain();
if (encodedCertchain.size() == 0) {
certchainStr = CaManager.NULL;
} else {
List<X509Cert> certs = new LinkedList<>();
for (byte[] m : changeCaEntry.getEncodedCertchain()) {
certs.add(parseCert(m));
}
certs = buildCertChain(caCert, certs);
certchainStr = encodeCertchain(certs);
}
}
String status = (changeCaEntry.getStatus() == null) ? null : changeCaEntry.getStatus().name();
List<SqlColumn> cols = CaUtil.asModifiableList(colStr("STATUS", status), colStr("CRL_SIGNER_NAME", changeCaEntry.getCrlSignerName()), colStr("CMP_RESPONDER_NAME", changeCaEntry.getCmpResponderName()), colStr("SCEP_RESPONDER_NAME", changeCaEntry.getScepResponderName()), colStr("SUBJECT", subject), colStr("SIGNER_TYPE", signerType), colStr("SIGNER_CONF", signerConf, false, true), colStr("CERT", base64Cert), colStr("CERTCHAIN", certchainStr));
if (dbSchemaVersion <= 6) {
String maxValidity = (changeCaEntry.getMaxValidity() == null) ? null : changeCaEntry.getMaxValidity().toString();
String extraControl = (changeCaEntry.getExtraControl() == null) ? null : // check also the validity
new ConfPairs(changeCaEntry.getExtraControl()).getEncoded();
String validityMode = (changeCaEntry.getValidityMode() == null) ? null : changeCaEntry.getValidityMode().name();
String caUrisStr = null;
CaUris changeUris = changeCaEntry.getCaUris();
if (changeUris != null && (changeUris.getCacertUris() != null || changeUris.getCrlUris() != null || changeUris.getDeltaCrlUris() != null || changeUris.getOcspUris() != null)) {
CaUris oldCaUris = currentCaEntry.getCaUris();
List<String> uris = changeUris.getCacertUris();
List<String> cacertUris = (uris == null) ? oldCaUris.getCacertUris() : uris;
uris = changeUris.getOcspUris();
List<String> ocspUris = (uris == null) ? oldCaUris.getOcspUris() : uris;
uris = changeUris.getCrlUris();
List<String> crlUris = (uris == null) ? oldCaUris.getCrlUris() : uris;
uris = changeUris.getDeltaCrlUris();
List<String> deltaCrlUris = (uris == null) ? oldCaUris.getDeltaCrlUris() : uris;
CaUris newCaUris = new CaUris(cacertUris, ocspUris, crlUris, deltaCrlUris);
caUrisStr = newCaUris.getEncoded();
if (caUrisStr.isEmpty()) {
caUrisStr = CaManager.NULL;
}
}
String protocolSupportStr = null;
Boolean supportCmp = changeCaEntry.getSupportCmp();
Boolean supportRest = changeCaEntry.getSupportRest();
Boolean supportScep = changeCaEntry.getSupportScep();
if (supportCmp != null || supportRest != null || supportScep != null) {
ProtocolSupport oldSupport = currentCaEntry.getProtocoSupport();
ProtocolSupport support = new ProtocolSupport(oldSupport.isCmp(), oldSupport.isRest(), oldSupport.isScep());
if (supportCmp != null) {
support.setCmp(supportCmp);
}
if (supportRest != null) {
support.setRest(supportRest);
}
if (supportScep != null) {
support.setScep(supportScep);
}
protocolSupportStr = support.getEncoded();
}
// Dapt: CMP Control and DHPOP Control
String cmpCtrlText = changeCaEntry.getCmpControl();
String popCtrlText = changeCaEntry.getPopControl();
ConfPairs popCtrlPairs = null;
if (StringUtil.isNotBlank(popCtrlText)) {
popCtrlPairs = new ConfPairs(changeCaEntry.getPopControl());
}
ConfPairs cmpPairs = new ConfPairs(CaManager.NULL.equals(cmpCtrlText) ? null : cmpCtrlText);
ConfPairs dhpopPairs = new ConfPairs();
// adapt CMP control
if (popCtrlPairs != null) {
for (String n : popCtrlPairs.names()) {
if ("sigalgo".equals(n)) {
cmpPairs.putPair("popo.sigalgo", popCtrlPairs.value(n));
} else if (n.startsWith("dh.")) {
dhpopPairs.putPair(n.substring(3), popCtrlPairs.value(n));
} else {
LOG.warn("unsupported POP entry {}: {}", n, popCtrlPairs.value(n));
}
}
}
if (!cmpPairs.isEmpty()) {
cmpCtrlText = cmpPairs.getEncoded();
}
String dhpopCtrlText = null;
if (!dhpopPairs.isEmpty()) {
dhpopCtrlText = dhpopPairs.getEncoded();
}
CaUtil.addAll(cols, colInt("SN_SIZE", changeCaEntry.getSerialNoLen()), colStr("CA_URIS", caUrisStr), colStr("MAX_VALIDITY", maxValidity), colStr("CMP_CONTROL", cmpCtrlText), colStr("CRL_CONTROL", changeCaEntry.getCrlControl()), colStr("SCEP_CONTROL", changeCaEntry.getScepControl()), colStr("CTLOG_CONTROL", changeCaEntry.getCtlogControl()), colStr("PROTOCOL_SUPPORT", protocolSupportStr), colBool("SAVE_REQ", changeCaEntry.getSaveRequest()), colInt("PERMISSION", changeCaEntry.getPermission()), colInt("NUM_CRLS", changeCaEntry.getNumCrls()), colInt("EXPIRATION_PERIOD", changeCaEntry.getExpirationPeriod()), colInt("KEEP_EXPIRED_CERT_DAYS", changeCaEntry.getKeepExpiredCertInDays()), colStr("VALIDITY_MODE", validityMode), colStr("EXTRA_CONTROL", extraControl), colStr("DHPOC_CONTROL", dhpopCtrlText, false, true), colStr("REVOKE_SUSPENDED_CONTROL", changeCaEntry.getRevokeSuspendedControl()));
} else {
cols.add(buildChangeCaConfColumn(changeCaEntry, currentCaEntry, currentCaConfColumn));
}
changeIfNotNull(// where column
"CA", // where column
colInt("ID", changeCaEntry.getIdent().getId()), cols.toArray(new SqlColumn[0]));
}