
Example 1 with CaUris

use of org.xipki.ca.api.CaUris in project xipki by xipki.

the class CaManagerQueryExecutor method changeCa.

// method addPublisher
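/**
 * Validates a requested change to an existing CA and writes the changed columns to
 * the {@code CA} table.
 *
 * <p>Steps, in order:
 * <ol>
 *   <li>If a new certificate is supplied, refuse the change when the {@code CERT}
 *       table already holds a row for this CA.</li>
 *   <li>If the signer type, signer configuration, certificate or certificate chain
 *       changes, resolve the CA certificate (new one, or the stored one) and, for
 *       signer/certificate changes, prove that every signer configuration can be
 *       instantiated against that certificate before anything is written.</li>
 *   <li>Merge CA URIs and protocol support with the values of {@code currentCaEntry}.</li>
 *   <li>Hand all columns to {@code changeIfNotNull}.</li>
 * </ol>
 *
 * @param changeCaEntry requested changes; a {@code null} field means "leave unchanged"
 * @param currentCaEntry the CA as currently configured; dereferenced only when CA URIs
 *     or protocol support are being changed
 * @param securityFactory factory used to test-instantiate the signer(s)
 * @throws CaMgmtException if the CA is unknown, has already issued certificates while a
 *     certificate change is requested, the certificate cannot be parsed, the signer
 *     cannot be created, or the database access fails
 */
public void changeCa(ChangeCaEntry changeCaEntry, CaEntry currentCaEntry, SecurityFactory securityFactory) throws CaMgmtException {
    notNulls(changeCaEntry, "changeCaEntry", securityFactory, "securityFactory");
    byte[] encodedCert = changeCaEntry.getEncodedCert();
    if (encodedCert != null) {
        // Guard: the CA certificate may only be replaced while no certificate
        // references this CA in the CERT table.
        boolean anyCertIssued;
        try {
            anyCertIssued = datasource.columnExists(null, "CERT", "CA_ID", changeCaEntry.getIdent().getId());
        } catch (DataAccessException ex) {
            throw new CaMgmtException(ex);
        }
        if (anyCertIssued) {
            throw new CaMgmtException("Cannot change certificate of CA which has issued certificates");
        }
    }
    String signerType = changeCaEntry.getSignerType();
    String signerConf = changeCaEntry.getSignerConf();
    X509Cert caCert = null;
    if (signerType != null || signerConf != null || encodedCert != null || CollectionUtil.isNotEmpty(changeCaEntry.getEncodedCertchain())) {
        // need CA certificate
        if (encodedCert != null) {
            caCert = parseCert(encodedCert);
        } else {
            final String sql = "SELECT CERT FROM CA WHERE ID=?";
            ResultRow rs = execQuery1PrepStmt0(sql, col2Int(changeCaEntry.getIdent().getId()));
            if (rs == null) {
                // Fixed: the quoted CA identifier was missing its closing quote.
                throw new CaMgmtException("unknown CA '" + changeCaEntry.getIdent() + "'");
            }
            caCert = parseCert(Base64.decode(rs.getString("CERT")));
        }
        if (signerType != null || signerConf != null || encodedCert != null) {
            // validate the signer configuration
            final String sql = "SELECT SIGNER_TYPE,SIGNER_CONF FROM CA WHERE ID=?";
            ResultRow rs = execQuery1PrepStmt0(sql, col2Int(changeCaEntry.getIdent().getId()));
            if (rs == null) {
                throw new CaMgmtException("unknown CA '" + changeCaEntry.getIdent() + "'");
            }
            // Whatever is not being changed is taken from the stored row so that the
            // (type, conf, certificate) triple is validated as it will exist afterwards.
            if (signerType == null) {
                signerType = rs.getString("SIGNER_TYPE");
            }
            if (signerConf == null) {
                signerConf = rs.getString("SIGNER_CONF");
            } else {
                signerConf = CaUtil.canonicalizeSignerConf(signerType, signerConf, null, securityFactory);
            }
            try {
                // Instantiating each signer with the CA certificate is the actual check;
                // the created signer objects are discarded.
                List<CaSignerConf> signerConfs = CaEntry.splitCaSignerConfs(signerConf);
                for (CaSignerConf m : signerConfs) {
                    securityFactory.createSigner(signerType, new SignerConf(m.getConf()), caCert);
                }
            } catch (XiSecurityException | ObjectCreationException ex) {
                // Fixed: the cause text used to be glued directly onto the closing quote.
                // NOTE(review): ex.getMessage() ends up in the management error text;
                // confirm signer exceptions never echo configuration secrets.
                throw new CaMgmtException("could not create signer for CA '" + changeCaEntry.getIdent() + "': " + ex.getMessage(), ex);
            }
        }
    }
    // end if (signerType)
    String subject = null;
    String base64Cert = null;
    if (encodedCert != null) {
        try {
            // NOTE(review): the SUBJECT column is filled from the certificate's *issuer*
            // name. The two are equal only for a self-signed CA certificate; confirm this
            // is intended when the new certificate belongs to a subordinate CA.
            subject = X509Util.parseCert(encodedCert).getIssuerRfc4519Text();
            base64Cert = Base64.encodeToString(encodedCert);
        } catch (CertificateException ex) {
            throw new CaMgmtException("could not parse the certificate", ex);
        }
    }
    // CHECKSTYLE:SKIP
    String status = (changeCaEntry.getStatus() == null) ? null : changeCaEntry.getStatus().name();
    // CHECKSTYLE:SKIP
    String maxValidity = (changeCaEntry.getMaxValidity() == null) ? null : changeCaEntry.getMaxValidity().toString();
    // CHECKSTYLE:SKIP
    // Round-tripping through ConfPairs also checks that the value is well-formed.
    String extraControl = (changeCaEntry.getExtraControl() == null) ? null : new ConfPairs(changeCaEntry.getExtraControl()).getEncoded();
    // CHECKSTYLE:SKIP
    String validityMode = (changeCaEntry.getValidityMode() == null) ? null : changeCaEntry.getValidityMode().name();

    String caUrisStr = null;
    CaUris changeUris = changeCaEntry.getCaUris();
    if (changeUris != null && (changeUris.getCacertUris() != null || changeUris.getCrlUris() != null || changeUris.getDeltaCrlUris() != null || changeUris.getOcspUris() != null)) {
        // A URI list that is not part of the change keeps its current value. The current
        // entry may have no URIs configured at all, so a null CaUris is treated as
        // "no URIs" instead of failing with a NullPointerException.
        CaUris oldCaUris = currentCaEntry.getCaUris();
        List<String> uris = changeUris.getCacertUris();
        // CHECKSTYLE:SKIP
        List<String> cacertUris = (uris != null) ? uris : (oldCaUris == null ? null : oldCaUris.getCacertUris());
        uris = changeUris.getOcspUris();
        List<String> ocspUris = (uris != null) ? uris : (oldCaUris == null ? null : oldCaUris.getOcspUris());
        uris = changeUris.getCrlUris();
        List<String> crlUris = (uris != null) ? uris : (oldCaUris == null ? null : oldCaUris.getCrlUris());
        uris = changeUris.getDeltaCrlUris();
        List<String> deltaCrlUris = (uris != null) ? uris : (oldCaUris == null ? null : oldCaUris.getDeltaCrlUris());
        CaUris newCaUris = new CaUris(cacertUris, ocspUris, crlUris, deltaCrlUris);
        caUrisStr = newCaUris.getEncoded();
        if (caUrisStr.isEmpty()) {
            // An empty encoding is stored as the CaManager.NULL marker rather than as "".
            caUrisStr = CaManager.NULL;
        }
    }

    String protocolSupportStr = null;
    Boolean supportCmp = changeCaEntry.getSupportCmp();
    Boolean supportRest = changeCaEntry.getSupportRest();
    Boolean supportScep = changeCaEntry.getSupportScep();
    if (supportCmp != null || supportRest != null || supportScep != null) {
        // Start from the current protocol flags and overwrite only the requested ones.
        ProtocolSupport oldSupport = currentCaEntry.getProtocoSupport();
        ProtocolSupport support = new ProtocolSupport(oldSupport.isCmp(), oldSupport.isRest(), oldSupport.isScep());
        if (supportCmp != null) {
            support.setCmp(supportCmp);
        }
        if (supportRest != null) {
            support.setRest(supportRest);
        }
        if (supportScep != null) {
            support.setScep(supportScep);
        }
        protocolSupportStr = support.getEncoded();
    }

    String certchainStr = null;
    List<byte[]> encodedCertchain = changeCaEntry.getEncodedCertchain();
    if (encodedCertchain != null) {
        if (encodedCertchain.isEmpty()) {
            // An explicitly empty chain clears the stored chain.
            certchainStr = CaManager.NULL;
        } else {
            List<X509Cert> certs = new LinkedList<>();
            for (byte[] m : encodedCertchain) {
                certs.add(parseCert(m));
            }
            // caCert is non-null here: a non-empty chain always enters the
            // "need CA certificate" branch above.
            certs = buildCertChain(caCert, certs);
            certchainStr = encodeCertchain(certs);
        }
    }

    // NOTE(review): the two trailing boolean arguments of colStr are defined by that
    // helper, which is not visible here; confirm that SIGNER_CONF and DHPOC_CONTROL,
    // which may carry credentials, are not written to logs in clear text.
    changeIfNotNull("CA",
            colInt("ID", changeCaEntry.getIdent().getId()),
            colInt("SN_SIZE", changeCaEntry.getSerialNoLen()),
            colStr("STATUS", status),
            colStr("SUBJECT", subject),
            colStr("CERT", base64Cert),
            colStr("CERTCHAIN", certchainStr),
            colStr("CA_URIS", caUrisStr),
            colStr("MAX_VALIDITY", maxValidity),
            colStr("SIGNER_TYPE", signerType),
            colStr("CRL_SIGNER_NAME", changeCaEntry.getCrlSignerName()),
            colStr("CMP_RESPONDER_NAME", changeCaEntry.getCmpResponderName()),
            colStr("SCEP_RESPONDER_NAME", changeCaEntry.getScepResponderName()),
            colStr("CMP_CONTROL", changeCaEntry.getCmpControl()),
            colStr("CRL_CONTROL", changeCaEntry.getCrlControl()),
            colStr("SCEP_CONTROL", changeCaEntry.getScepControl()),
            colStr("CTLOG_CONTROL", changeCaEntry.getCtlogControl()),
            colStr("PROTOCOL_SUPPORT", protocolSupportStr),
            colBool("SAVE_REQ", changeCaEntry.getSaveRequest()),
            colInt("PERMISSION", changeCaEntry.getPermission()),
            colInt("NUM_CRLS", changeCaEntry.getNumCrls()),
            colInt("EXPIRATION_PERIOD", changeCaEntry.getExpirationPeriod()),
            colInt("KEEP_EXPIRED_CERT_DAYS", changeCaEntry.getKeepExpiredCertInDays()),
            colStr("VALIDITY_MODE", validityMode),
            colStr("EXTRA_CONTROL", extraControl),
            colStr("SIGNER_CONF", signerConf, false, true),
            colStr("DHPOC_CONTROL", changeCaEntry.getDhpocControl(), false, true),
            colStr("REVOKE_SUSPENDED_CONTROL", changeCaEntry.getRevokeSuspendedControl()));
}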
Also used : CaSignerConf(org.xipki.ca.api.mgmt.entry.CaEntry.CaSignerConf) CaSignerConf(org.xipki.ca.api.mgmt.entry.CaEntry.CaSignerConf) CertificateException(java.security.cert.CertificateException) CaUris(org.xipki.ca.api.CaUris) DataAccessException(org.xipki.datasource.DataAccessException)

Example 2 with CaUris

use of org.xipki.ca.api.CaUris in project xipki by xipki.

the class ConfLoader method exportConf.

// method loadConf
/**
 * Exports the configuration of the selected CAs, together with the requestors,
 * publishers, certificate profiles, signers and keypair generators known to the
 * manager, as an in-memory ZIP archive.
 *
 * <p>The archive holds one {@code caconf.json} entry; the per-object values are passed
 * through {@code createFileOrBinary} / {@code createFileOrValue} /
 * {@code createFileOrBase64Value} together with the ZIP stream and a {@code files/...}
 * name (those helpers are not visible here).
 *
 * <p>Security: the export contains the hashed passwords of all users attached to the
 * exported CAs as well as CA and signer configurations. The returned stream should be
 * handled as confidential material by the caller.
 *
 * @param caNames names of the CAs to export; unknown names are dropped silently,
 *     {@code null} selects every CA in {@code manager.x509cas}
 * @return a stream over the complete ZIP archive
 * @throws CaMgmtException if the configuration model fails validation
 * @throws IOException if writing to the ZIP stream fails
 */
InputStream exportConf(List<String> caNames) throws CaMgmtException, IOException {
    manager.assertMasterModeAndSetuped();
    if (caNames != null) {
        // Keep only the requested names that refer to a known CA.
        List<String> tmpCaNames = new ArrayList<>(caNames.size());
        for (String name : caNames) {
            // NOTE(review): toLowerCase() without a Locale depends on the JVM default
            // locale; confirm the keys of x509cas are normalised the same way.
            name = name.toLowerCase();
            if (manager.x509cas.containsKey(name)) {
                tmpCaNames.add(name);
            }
        }
        caNames = tmpCaNames;
    } else {
        caNames = new ArrayList<>(manager.x509cas.keySet());
    }
    // The whole archive is built in memory; the buffer starts at 1 MiB.
    ByteArrayOutputStream bytesStream = new ByteArrayOutputStream(1048576);
    ZipOutputStream zipStream = new ZipOutputStream(bytesStream);
    zipStream.setLevel(Deflater.BEST_SPEED);
    CaConfType.CaSystem root = new CaConfType.CaSystem();
    CaManagerQueryExecutor queryExecutor = manager.queryExecutor;
    try {
        // Users already added to the export, so that a user shared by several CAs
        // appears only once in the users list.
        Set<String> includeUserNames = new HashSet<>();
        // DBSchema
        root.setDbSchemas(manager.getDbSchemas());
        // users
        List<CaConfType.User> users = new LinkedList<>();
        root.setUsers(users);
        // cas
        if (CollectionUtil.isNotEmpty(caNames)) {
            List<CaConfType.Ca> list = new LinkedList<>();
            for (String name : manager.x509cas.keySet()) {
                if (!caNames.contains(name)) {
                    continue;
                }
                CaConfType.Ca ca = new CaConfType.Ca();
                ca.setName(name);
                Set<String> strs = manager.getAliasesForCa(name);
                if (CollectionUtil.isNotEmpty(strs)) {
                    ca.setAliases(new ArrayList<>(strs));
                }
                // CaHasRequestors
                Set<CaHasRequestorEntry> requestors = manager.caHasRequestors.get(name);
                if (CollectionUtil.isNotEmpty(requestors)) {
                    ca.setRequestors(new ArrayList<>());
                    for (CaHasRequestorEntry m : requestors) {
                        String requestorName = m.getRequestorIdent().getName();
                        CaConfType.CaHasRequestor chr = new CaConfType.CaHasRequestor();
                        chr.setRequestorName(requestorName);
                        chr.setRa(m.isRa());
                        chr.setProfiles(new ArrayList<>(m.getProfiles()));
                        chr.setPermissions(getPermissions(m.getPermission()));
                        ca.getRequestors().add(chr);
                    }
                }
                // CaHasUsers
                List<CaHasUserEntry> caHasUsers = queryExecutor.getCaHasUsersForCa(name, manager.idNameMap);
                if (CollectionUtil.isNotEmpty(caHasUsers)) {
                    ca.setUsers(new ArrayList<>());
                    for (CaHasUserEntry m : caHasUsers) {
                        String username = m.getUserIdent().getName();
                        CaConfType.CaHasUser chu = new CaConfType.CaHasUser();
                        chu.setUserName(username);
                        chu.setProfiles(new ArrayList<>(m.getProfiles()));
                        chu.setPermissions(getPermissions(m.getPermission()));
                        ca.getUsers().add(chu);
                        if (includeUserNames.contains(username)) {
                            continue;
                        }
                        // add also the user to the users
                        // NOTE(review): userEntry is dereferenced without a null check;
                        // confirm getUser cannot return null for a name just read from
                        // the CA-user association.
                        UserEntry userEntry = queryExecutor.getUser(username);
                        CaConfType.User userType = new CaConfType.User();
                        // The active flag is written only for inactive users.
                        if (!userEntry.isActive()) {
                            userType.setActive(Boolean.FALSE);
                        }
                        userType.setName(username);
                        // The stored password hash is copied into the export as is.
                        userType.setHashedPassword(userEntry.getHashedPassword());
                        users.add(userType);
                        includeUserNames.add(username);
                    }
                }
                strs = manager.caHasProfiles.get(name);
                if (CollectionUtil.isNotEmpty(strs)) {
                    ca.setProfiles(new ArrayList<>(strs));
                }
                strs = manager.caHasPublishers.get(name);
                if (CollectionUtil.isNotEmpty(strs)) {
                    ca.setPublishers(new ArrayList<>(strs));
                }
                CaConfType.CaInfo caInfoType = new CaConfType.CaInfo();
                ca.setCaInfo(caInfoType);
                CaEntry entry = manager.x509cas.get(name).getCaInfo().getCaEntry();
                // CA URIs
                CaUris caUris = entry.getCaUris();
                if (caUris != null) {
                    CaConfType.CaUris caUrisType = new CaConfType.CaUris();
                    caUrisType.setCacertUris(caUris.getCacertUris());
                    caUrisType.setOcspUris(caUris.getOcspUris());
                    caUrisType.setCrlUris(caUris.getCrlUris());
                    caUrisType.setDeltacrlUris(caUris.getDeltaCrlUris());
                    caInfoType.setCaUris(caUrisType);
                }
                // Certificate
                // NOTE(review): the "files/..." names below embed the CA name; confirm
                // that names are restricted to characters that are safe in an archive
                // entry path, since whoever unpacks the export will resolve them.
                byte[] certBytes = entry.getCert().getEncoded();
                caInfoType.setCert(createFileOrBinary(zipStream, certBytes, concat("files/ca-", name, "-cert.der")));
                // certchain
                List<X509Cert> certchain = entry.getCertchain();
                if (CollectionUtil.isNotEmpty(certchain)) {
                    List<FileOrBinary> ccList = new LinkedList<>();
                    for (int i = 0; i < certchain.size(); i++) {
                        certBytes = certchain.get(i).getEncoded();
                        ccList.add(createFileOrBinary(zipStream, certBytes, concat("files/ca-", name, "-certchain-" + i + ".der")));
                    }
                    caInfoType.setCertchain(ccList);
                }
                // Optional controls are exported only when configured; each one is
                // re-parsed through ConfPairs and copied into a fresh HashMap.
                if (entry.getCmpControl() != null) {
                    caInfoType.setCmpControl(new HashMap<>(new ConfPairs(entry.getCmpControl().getConf()).asMap()));
                }
                if (entry.getCmpResponderName() != null) {
                    caInfoType.setCmpResponderName(entry.getCmpResponderName());
                }
                if (entry.getCrlControl() != null) {
                    caInfoType.setCrlControl(new HashMap<>(new ConfPairs(entry.getCrlControl().getConf()).asMap()));
                }
                if (entry.getCrlSignerName() != null) {
                    caInfoType.setCrlSignerName(entry.getCrlSignerName());
                }
                if (entry.getCtlogControl() != null) {
                    caInfoType.setCtlogControl(new HashMap<>(new ConfPairs(entry.getCtlogControl().getConf()).asMap()));
                }
                if (entry.getPopControl() != null) {
                    FileOrValue fv = createFileOrValue(zipStream, entry.getPopControl().getConf(), concat("files/ca-", name, "-pop.conf"));
                    caInfoType.setPopControl(fv);
                }
                caInfoType.setExpirationPeriod(entry.getExpirationPeriod());
                if (entry.getExtraControl() != null) {
                    caInfoType.setExtraControl(entry.getExtraControl().asMap());
                }
                caInfoType.setKeepExpiredCertDays(entry.getKeepExpiredCertInDays());
                // NOTE(review): getMaxValidity(), getProtocoSupport(), getStatus() and
                // getValidityMode() are dereferenced without null checks, unlike the
                // optional controls above; presumably they are mandatory - confirm.
                caInfoType.setMaxValidity(entry.getMaxValidity().toString());
                caInfoType.setNextCrlNo(entry.getNextCrlNumber());
                caInfoType.setNumCrls(entry.getNumCrls());
                caInfoType.setPermissions(getPermissions(entry.getPermission()));
                caInfoType.setProtocolSupport(StringUtil.splitAsSet(entry.getProtocoSupport().getEncoded(), ","));
                if (entry.getRevokeSuspendedControl() != null) {
                    caInfoType.setRevokeSuspendedControl(new HashMap<>(new ConfPairs(entry.getRevokeSuspendedControl().getConf()).asMap()));
                }
                caInfoType.setSaveCert(entry.isSaveCert());
                caInfoType.setSaveRequest(entry.isSaveRequest());
                caInfoType.setSaveKeyPair(entry.isSaveKeypair());
                if (entry.getScepControl() != null) {
                    caInfoType.setScepControl(new HashMap<>(new ConfPairs(entry.getScepControl().getConf()).asMap()));
                }
                if (entry.getScepResponderName() != null) {
                    caInfoType.setScepResponderName(entry.getScepResponderName());
                }
                if (entry.getKeypairGenNames() != null) {
                    caInfoType.setKeypairGenNames(entry.getKeypairGenNames());
                }
                // The CA signer configuration is exported verbatim.
                // NOTE(review): it may include key-store credentials; confirm how the
                // export is protected at rest and in transit.
                caInfoType.setSignerConf(createFileOrValue(zipStream, entry.getSignerConf(), concat("files/ca-", name, "-signerconf.conf")));
                caInfoType.setSignerType(entry.getSignerType());
                caInfoType.setSnSize(entry.getSerialNoLen());
                caInfoType.setStatus(entry.getStatus().getStatus());
                caInfoType.setValidityMode(entry.getValidityMode().name());
                list.add(ca);
            }
            if (!list.isEmpty()) {
                root.setCas(list);
            }
        }
        // clear the users if the list is empty
        if (users.isEmpty()) {
            root.setUsers(null);
        }
        // requestors
        // Requestors, publishers, profiles, signers and keypair generators are exported
        // in full; the caNames filter applies to the CA section only.
        if (CollectionUtil.isNotEmpty(manager.requestorDbEntries)) {
            List<CaConfType.Requestor> list = new LinkedList<>();
            for (String name : manager.requestorDbEntries.keySet()) {
                RequestorEntry entry = manager.requestorDbEntries.get(name);
                CaConfType.Requestor type = new CaConfType.Requestor();
                type.setName(name);
                type.setType(entry.getType());
                // Certificate-type requestors hold a Base64 value that is decoded and
                // exported as binary; every other type is exported as text.
                if (RequestorEntry.TYPE_CERT.equalsIgnoreCase(entry.getType())) {
                    FileOrBinary fob = createFileOrBinary(zipStream, Base64.decode(entry.getConf()), concat("files/requestor-", name, ".der"));
                    type.setBinaryConf(fob);
                } else {
                    FileOrValue fov = createFileOrValue(zipStream, entry.getConf(), concat("files/requestor-", name, ".conf"));
                    type.setConf(fov);
                }
                list.add(type);
            }
            if (!list.isEmpty()) {
                root.setRequestors(list);
            }
        }
        // publishers
        if (CollectionUtil.isNotEmpty(manager.publisherDbEntries)) {
            List<NameTypeConf> list = new LinkedList<>();
            for (String name : manager.publisherDbEntries.keySet()) {
                PublisherEntry entry = manager.publisherDbEntries.get(name);
                NameTypeConf conf = new NameTypeConf();
                conf.setName(name);
                conf.setType(entry.getType());
                conf.setConf(createFileOrValue(zipStream, entry.getConf(), concat("files/publisher-", name, ".conf")));
                list.add(conf);
            }
            if (!list.isEmpty()) {
                root.setPublishers(list);
            }
        }
        // profiles
        if (CollectionUtil.isNotEmpty(manager.certprofileDbEntries)) {
            List<NameTypeConf> list = new LinkedList<>();
            for (String name : manager.certprofileDbEntries.keySet()) {
                CertprofileEntry entry = manager.certprofileDbEntries.get(name);
                NameTypeConf conf = new NameTypeConf();
                conf.setName(name);
                conf.setType(entry.getType());
                conf.setConf(createFileOrValue(zipStream, entry.getConf(), concat("files/certprofile-", name, ".conf")));
                list.add(conf);
            }
            if (!list.isEmpty()) {
                root.setProfiles(list);
            }
        }
        // signers
        if (CollectionUtil.isNotEmpty(manager.signerDbEntries)) {
            List<CaConfType.Signer> list = new LinkedList<>();
            for (String name : manager.signerDbEntries.keySet()) {
                SignerEntry entry = manager.signerDbEntries.get(name);
                CaConfType.Signer conf = new CaConfType.Signer();
                conf.setName(name);
                conf.setType(entry.getType());
                // Signer configuration and certificate are exported as stored.
                conf.setConf(createFileOrValue(zipStream, entry.getConf(), concat("files/signer-", name, ".conf")));
                conf.setCert(createFileOrBase64Value(zipStream, entry.getBase64Cert(), concat("files/signer-", name, ".der")));
                list.add(conf);
            }
            if (!list.isEmpty()) {
                root.setSigners(list);
            }
        }
        // keypair generators: the configuration is always stored inline as a value,
        // never handed to the ZIP stream
        if (CollectionUtil.isNotEmpty(manager.keypairGenDbEntries)) {
            List<CaConfType.NameTypeConf> list = new LinkedList<>();
            for (String name : manager.keypairGenDbEntries.keySet()) {
                KeypairGenEntry entry = manager.keypairGenDbEntries.get(name);
                CaConfType.NameTypeConf conf = new CaConfType.NameTypeConf();
                conf.setName(name);
                conf.setType(entry.getType());
                if (entry.getConf() != null) {
                    FileOrValue fv = new FileOrValue();
                    fv.setValue(entry.getConf());
                    conf.setConf(fv);
                }
                list.add(conf);
            }
            if (!list.isEmpty()) {
                root.setKeypairGens(list);
            }
        }
        // add the CAConf file; it is serialised as JSON into the entry "caconf.json"
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try {
            // Validate the assembled model before serialising it.
            root.validate();
            JSON.writeJSONString(bout, root, SerializerFeature.PrettyFormat);
        } catch (InvalidConfException ex) {
            LogUtil.error(LOG, ex, "could not marshal CAConf");
            throw new CaMgmtException(concat("could not marshal CAConf: ", ex.getMessage()), ex);
        } finally {
            bout.flush();
        }
        zipStream.putNextEntry(new ZipEntry("caconf.json"));
        try {
            zipStream.write(bout.toByteArray());
        } finally {
            zipStream.closeEntry();
        }
    } finally {
        // Closing the ZIP stream finishes the archive; this also runs on failure.
        zipStream.flush();
        zipStream.close();
    }
    return new ByteArrayInputStream(bytesStream.toByteArray());
}
Also used : NameTypeConf(org.xipki.ca.api.mgmt.CaConfType.NameTypeConf) ByteArrayInputStream(java.io.ByteArrayInputStream) NameTypeConf(org.xipki.ca.api.mgmt.CaConfType.NameTypeConf) ZipEntry(java.util.zip.ZipEntry) ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner) X509Cert(org.xipki.security.X509Cert) ByteArrayOutputStream(java.io.ByteArrayOutputStream) CaMgmtException(org.xipki.ca.api.mgmt.CaMgmtException) ZipOutputStream(java.util.zip.ZipOutputStream) CaUris(org.xipki.ca.api.CaUris) CaManagerQueryExecutor(org.xipki.ca.server.db.CaManagerQueryExecutor) CaConfType(org.xipki.ca.api.mgmt.CaConfType)

Example 3 with CaUris

use of org.xipki.ca.api.CaUris in project xipki by xipki.

the class CaManagerQueryExecutor method buildChangeCaConfColumn.

// method changeCa
/**
 * Builds the {@code CONF} column for a CA update by applying the requested changes to
 * a copy of the current configuration column.
 *
 * <p>A {@code null} field in {@code changeCaEntry} leaves the corresponding setting
 * unchanged. For the control strings the value {@code CaManager.NULL} (compared case
 * insensitively) clears the setting; for URI lists an empty list clears it.
 *
 * <p>The column value is {@code null} when the encoded result equals the encoded
 * current configuration.
 *
 * @param changeCaEntry requested changes
 * @param currentCaEntry current CA entry, read only for its protocol support
 * @param currentCaConfColumn current configuration column; cloned, not modified here
 * @return the {@code CONF} column built by {@code colStr}
 */
private SqlColumn buildChangeCaConfColumn(ChangeCaEntry changeCaEntry, CaEntry currentCaEntry, CaConfColumn currentCaConfColumn) {
    CaConfColumn updated = currentCaConfColumn.clone();

    if (changeCaEntry.getMaxValidity() != null) {
        updated.setMaxValidity(changeCaEntry.getMaxValidity().toString());
    }

    String extraControl = changeCaEntry.getExtraControl();
    if (extraControl != null) {
        // Parsing through ConfPairs also checks the validity of the value.
        updated.setExtraControl(CaManager.NULL.equalsIgnoreCase(extraControl) ? null : new ConfPairs(extraControl).asMap());
    }

    if (changeCaEntry.getValidityMode() != null) {
        updated.setValidityMode(changeCaEntry.getValidityMode().name());
    }

    CaUris requestedUris = changeCaEntry.getCaUris();
    if (requestedUris != null) {
        // For every URI list: null = keep, empty = clear, otherwise replace.
        List<String> cacertUris = requestedUris.getCacertUris();
        if (cacertUris != null) {
            updated.setCacertUris(cacertUris.isEmpty() ? null : cacertUris);
        }

        List<String> crlUris = requestedUris.getCrlUris();
        if (crlUris != null) {
            updated.setCrlUris(crlUris.isEmpty() ? null : crlUris);
        }

        List<String> deltaCrlUris = requestedUris.getDeltaCrlUris();
        if (deltaCrlUris != null) {
            updated.setDeltaCrlUris(deltaCrlUris.isEmpty() ? null : deltaCrlUris);
        }

        List<String> ocspUris = requestedUris.getOcspUris();
        if (ocspUris != null) {
            updated.setOcspUris(ocspUris.isEmpty() ? null : ocspUris);
        }
    }

    // Protocol support: start from the current flags, overwrite the requested ones.
    Boolean cmpFlag = changeCaEntry.getSupportCmp();
    Boolean restFlag = changeCaEntry.getSupportRest();
    Boolean scepFlag = changeCaEntry.getSupportScep();
    boolean noProtocolChange = cmpFlag == null && restFlag == null && scepFlag == null;
    if (!noProtocolChange) {
        ProtocolSupport current = currentCaEntry.getProtocoSupport();
        ProtocolSupport merged = new ProtocolSupport(current.isCmp(), current.isRest(), current.isScep());
        if (cmpFlag != null) {
            merged.setCmp(cmpFlag);
        }
        if (restFlag != null) {
            merged.setRest(restFlag);
        }
        if (scepFlag != null) {
            merged.setScep(scepFlag);
        }
        updated.setProtocolSupport(merged.getProtocols());
    }

    // Keypair generation names: an empty list or a leading NULL marker clears them.
    List<String> keypairGenNames = changeCaEntry.getKeypairGenNames();
    if (keypairGenNames != null) {
        boolean clearNames = keypairGenNames.isEmpty() || keypairGenNames.get(0).equalsIgnoreCase(CaManager.NULL);
        updated.setKeypairGenNames(clearNames ? null : keypairGenNames);
    }

    // Serial number size
    if (changeCaEntry.getSerialNoLen() != null) {
        updated.setSnSize(changeCaEntry.getSerialNoLen());
    }

    // CMP control
    String cmpControl = changeCaEntry.getCmpControl();
    if (cmpControl != null) {
        updated.setCmpControl(CaManager.NULL.equalsIgnoreCase(cmpControl) ? null : new ConfPairs(cmpControl).asMap());
    }

    // CRL control
    String crlControl = changeCaEntry.getCrlControl();
    if (crlControl != null) {
        updated.setCrlControl(CaManager.NULL.equalsIgnoreCase(crlControl) ? null : new ConfPairs(crlControl).asMap());
    }

    // SCEP control
    String scepControl = changeCaEntry.getScepControl();
    if (scepControl != null) {
        updated.setScepControl(CaManager.NULL.equalsIgnoreCase(scepControl) ? null : new ConfPairs(scepControl).asMap());
    }

    // CTLog control
    String ctlogControl = changeCaEntry.getCtlogControl();
    if (ctlogControl != null) {
        updated.setCtlogControl(CaManager.NULL.equalsIgnoreCase(ctlogControl) ? null : new ConfPairs(ctlogControl).asMap());
    }

    // Boolean switches
    Boolean saveCert = changeCaEntry.getSaveCert();
    if (saveCert != null) {
        updated.setSaveCert(saveCert);
    }
    Boolean saveRequest = changeCaEntry.getSaveRequest();
    if (saveRequest != null) {
        updated.setSaveRequest(saveRequest);
    }
    Boolean saveKeypair = changeCaEntry.getSaveKeypair();
    if (saveKeypair != null) {
        updated.setSaveKeypair(saveKeypair);
    }

    // Integer settings
    Integer permission = changeCaEntry.getPermission();
    if (permission != null) {
        updated.setPermission(permission);
    }
    Integer numCrls = changeCaEntry.getNumCrls();
    if (numCrls != null) {
        updated.setNumCrls(numCrls);
    }
    Integer expirationPeriod = changeCaEntry.getExpirationPeriod();
    if (expirationPeriod != null) {
        updated.setExpirationPeriod(expirationPeriod);
    }
    Integer keepExpiredCertDays = changeCaEntry.getKeepExpiredCertInDays();
    if (keepExpiredCertDays != null) {
        updated.setKeepExpiredCertDays(keepExpiredCertDays);
    }

    // Revoke-suspended control
    String revokeSuspendedControl = changeCaEntry.getRevokeSuspendedControl();
    if (revokeSuspendedControl != null) {
        updated.setRevokeSuspendedControl(CaManager.NULL.equalsIgnoreCase(revokeSuspendedControl) ? null : new ConfPairs(revokeSuspendedControl).asMap());
    }

    // POP control
    String popControl = changeCaEntry.getPopControl();
    if (popControl != null) {
        updated.setPopControl(CaManager.NULL.equalsIgnoreCase(popControl) ? null : new ConfPairs(popControl).asMap());
    }

    String newEncoded = updated.encode();
    String origEncoded = currentCaConfColumn.encode();
    boolean unchanged = newEncoded.equals(origEncoded);
    // An unchanged configuration yields a null column value.
    String confValue = unchanged ? null : newEncoded;
    // The sensitive flag is set only when the changed configuration contains the exact
    // lower-case substring "password".
    // NOTE(review): secrets stored under a differently spelled key would not be
    // flagged; confirm what colStr does with this flag (helper not visible here).
    boolean confIsSensitive = !unchanged && newEncoded.contains("password");
    return colStr("CONF", confValue, confIsSensitive, false);
}
Also used : CaUris(org.xipki.ca.api.CaUris)

Example 4 with CaUris

use of org.xipki.ca.api.CaUris in project xipki by xipki.

the class CaManagerQueryExecutor method addCa.

/**
 * Inserts a new CA into table {@code CA}.
 *
 * <p>The entry's ident receives the value returned by {@code getNextId(Table.CA)}.
 * For DB schema version 6 and below each setting is written to its own column;
 * for later versions the settings are collected in a {@link CaConfColumn} and
 * stored encoded in the single {@code CONF} column.
 *
 * <p>Column names are fixed literals and the values are handed over separately as
 * {@code SqlColumn2} parameters, so no caller-supplied text ends up in the SQL string.
 *
 * @param caEntry the CA to add; must not be {@code null}. Its ident id is overwritten.
 * @throws CaMgmtException if the insert reports zero affected rows; the helpers called
 *         here (schema assertion, id allocation, statement execution) presumably
 *         report their failures with the same type - confirm against their definitions.
 */
public void addCa(CaEntry caEntry) throws CaMgmtException {
    notNull(caEntry, "caEntry");
    // Schema <= 6 has no column for a saved keypair or for keypair generator names,
    // so anything other than the 'software' generator is handed to the schema assertion
    // (presumably it throws when the schema is older than 7 - confirm).
    if (dbSchemaVersion <= 6) {
        if (caEntry.isSaveKeypair()) {
            assertDbSchemaVersion7on("Saving keypair");
        }
        List<String> keypairGenNames = caEntry.getKeypairGenNames();
        if (CollectionUtil.isNotEmpty(keypairGenNames)) {
            for (String n : keypairGenNames) {
                if (!"software".equalsIgnoreCase(n)) {
                    assertDbSchemaVersion7on("Keypair generation name (" + n + ") different than 'software'");
                }
            }
        }
    }
    caEntry.getIdent().setId((int) getNextId(Table.CA));
    // colNames and cols are built in parallel: the n-th value added to cols below
    // belongs to the n-th name here, so both lists must be extended in the same order.
    List<String> colNames = CaUtil.asModifiableList("ID", "NAME", "STATUS", "NEXT_CRLNO", "CRL_SIGNER_NAME", "CMP_RESPONDER_NAME", "SCEP_RESPONDER_NAME", "SUBJECT", "SIGNER_TYPE", "SIGNER_CONF", "CERT", "CERTCHAIN");
    if (dbSchemaVersion <= 6) {
        CaUtil.addAll(colNames, "SN_SIZE", "CA_URIS", "MAX_VALIDITY", "CRL_CONTROL", "CMP_CONTROL", "SCEP_CONTROL", "CTLOG_CONTROL", "PROTOCOL_SUPPORT", "SAVE_REQ", "PERMISSION", "NUM_CRLS", "EXPIRATION_PERIOD", "KEEP_EXPIRED_CERT_DAYS", "VALIDITY_MODE", "EXTRA_CONTROL", "DHPOC_CONTROL", "REVOKE_SUSPENDED_CONTROL");
    } else {
        colNames.add("CONF");
    }
    String sql = buildInsertSql("CA", colNames.toArray(new String[0]));
    byte[] encodedCert = caEntry.getCert().getEncoded();
    List<X509Cert> certchain = caEntry.getCertchain();
    // The stored chain is built from the CA certificate plus the supplied certificates;
    // an empty or missing chain is stored as null.
    String certchainStr = CollectionUtil.isEmpty(certchain) ? null : encodeCertchain(buildCertChain(caEntry.getCert(), certchain));
    // In the list below each trailing comment names the column of the value on the
    // FOLLOWING line (the comments sit one line above their value).
    // SIGNER_CONF is stored exactly as returned by getSignerConf().
    // NOTE(review): it may carry key-store references or passwords - confirm how the column is protected.
    List<SqlColumn2> cols = CaUtil.asModifiableList(// ID
    col2Int(caEntry.getIdent().getId()), // NAME
    col2Str(caEntry.getIdent().getName()), // STATUS
    col2Str(caEntry.getStatus().getStatus()), // NEXT_CRLNO
    col2Long(caEntry.getNextCrlNumber()), // CRL_SIGNER_NAME
    col2Str(caEntry.getCrlSignerName()), // CMP_RESPONDER_NAME
    col2Str(caEntry.getCmpResponderName()), // SCEP_RESPONDER_NAME
    col2Str(caEntry.getScepResponderName()), // SUBJECT
    col2Str(caEntry.getSubject()), // SIGNER_TYPE
    col2Str(caEntry.getSignerType()), // SIGNER_CONF
    col2Str(caEntry.getSignerConf()), // CERT
    col2Str(Base64.encodeToString(encodedCert)), // CERTCHAIN
    col2Str(certchainStr));
    if (dbSchemaVersion <= 6) {
        // START DB Schema Version 6: one column per setting
        CaUris caUris = caEntry.getCaUris();
        CrlControl crlControl = caEntry.getCrlControl();
        ScepControl scepControl = caEntry.getScepControl();
        CtlogControl ctlogControl = caEntry.getCtlogControl();
        ProtocolSupport protocolSupport = caEntry.getProtocoSupport();
        ConfPairs extraControl = caEntry.getExtraControl();
        String encodedExtraCtrl = (extraControl == null) ? null : extraControl.getEncoded();
        RevokeSuspendedControl revokeSuspended = caEntry.getRevokeSuspendedControl();
        // adapt the configuration: schema 6 has no POP control column, so the POP
        // entries are folded into CMP_CONTROL ("sigalgo" -> "popo.sigalgo") and
        // DHPOC_CONTROL ("dh.xyz" -> "xyz"); any other entry is only logged and dropped.
        PopControl popCtrl = caEntry.getPopControl();
        String cmpCtrlText = null;
        String dhPopCtrlText = null;
        if (popCtrl != null) {
            ConfPairs pairs = popCtrl.getConfPairs();
            CmpControl cmpControl = caEntry.getCmpControl();
            // NOTE(review): when cmpControl is not null, putPair below writes into the object
            // returned by getConfPairs(); if that is the entry's own instance the caller's
            // CaEntry is modified as a side effect - confirm.
            ConfPairs cmpPairs = cmpControl == null ? new ConfPairs() : cmpControl.getConfPairs();
            ConfPairs dhpopPairs = new ConfPairs();
            for (String n : pairs.names()) {
                if ("sigalgo".equals(n)) {
                    cmpPairs.putPair("popo.sigalgo", pairs.value(n));
                } else if (n.startsWith("dh.")) {
                    dhpopPairs.putPair(n.substring(3), pairs.value(n));
                } else {
                    LOG.warn("unsupported POP control entry {}: {}", n, pairs.value(n));
                }
            }
            if (!cmpPairs.isEmpty()) {
                cmpCtrlText = cmpPairs.getEncoded();
            }
            if (!dhpopPairs.isEmpty()) {
                dhPopCtrlText = dhpopPairs.getEncoded();
            }
        } else {
            if (caEntry.getCmpControl() != null) {
                cmpCtrlText = caEntry.getCmpControl().getConf();
            }
        }
        // Values in the order of the schema-6 column names added to colNames above.
        // Unlike the schema-7 branch, getMaxValidity() and getValidityMode() are
        // dereferenced here without a null check.
        CaUtil.addAll(cols, col2Int(caEntry.getSerialNoLen()), col2Str(caUris == null ? null : caEntry.getCaUris().getEncoded()), col2Str(caEntry.getMaxValidity().toString()), col2Str(crlControl == null ? null : crlControl.getConf()), col2Str(cmpCtrlText), col2Str(scepControl == null ? null : scepControl.getConf()), col2Str(ctlogControl == null ? null : ctlogControl.getConf()), col2Str(protocolSupport == null ? null : protocolSupport.getEncoded()), col2Bool(caEntry.isSaveRequest()), col2Int(caEntry.getPermission()), col2Int(caEntry.getNumCrls()), col2Int(caEntry.getExpirationPeriod()), col2Int(caEntry.getKeepExpiredCertInDays()), col2Str(caEntry.getValidityMode().name()), col2Str(StringUtil.isBlank(encodedExtraCtrl) ? null : encodedExtraCtrl), col2Str(dhPopCtrlText), col2Str(revokeSuspended == null ? null : revokeSuspended.getConf()));
    // END DB Schema Version 6
    } else {
        // START DB Schema Version 7: all settings go into one encoded CONF value.
        // Optional parts are copied only when present, so absent ones keep whatever
        // a fresh CaConfColumn holds.
        CaConfColumn cc = new CaConfColumn();
        // CA URIS
        CaUris caUris = caEntry.getCaUris();
        if (caUris != null) {
            cc.setCacertUris(caUris.getCacertUris());
            cc.setCrlUris(caUris.getCrlUris());
            cc.setDeltaCrlUris(caUris.getDeltaCrlUris());
            cc.setOcspUris(caUris.getOcspUris());
        }
        // CRL Control
        CrlControl crlControl = caEntry.getCrlControl();
        if (crlControl != null) {
            cc.setCrlControl(crlControl.getConfPairs().asMap());
        }
        // CMP Control
        CmpControl cmpControl = caEntry.getCmpControl();
        if (cmpControl != null) {
            cc.setCmpControl(cmpControl.getConfPairs().asMap());
        }
        // SCEP Control
        ScepControl scepControl = caEntry.getScepControl();
        if (scepControl != null) {
            cc.setScepControl(scepControl.getConfPairs().asMap());
        }
        // CTLog Control
        CtlogControl ctlogControl = caEntry.getCtlogControl();
        if (ctlogControl != null) {
            cc.setCtlogControl(ctlogControl.getConfPairs().asMap());
        }
        // Protocol support
        ProtocolSupport protocolSupport = caEntry.getProtocoSupport();
        if (protocolSupport != null) {
            cc.setProtocolSupport(protocolSupport.getProtocols());
        }
        // Extra control
        ConfPairs extraControl = caEntry.getExtraControl();
        if (extraControl != null) {
            cc.setExtraControl(extraControl.asMap());
        }
        // Revoke-suspended control
        RevokeSuspendedControl revokeSuspended = caEntry.getRevokeSuspendedControl();
        if (revokeSuspended != null) {
            cc.setRevokeSuspendedControl(revokeSuspended.getConfPairs().asMap());
        }
        // Scalar settings; the keypair-related ones exist only from schema 7 on.
        cc.setSnSize(caEntry.getSerialNoLen());
        if (caEntry.getMaxValidity() != null) {
            cc.setMaxValidity(caEntry.getMaxValidity().toString());
        }
        cc.setKeypairGenNames(caEntry.getKeypairGenNames());
        cc.setSaveCert(caEntry.isSaveCert());
        cc.setSaveRequest(caEntry.isSaveRequest());
        cc.setSaveKeypair(caEntry.isSaveKeypair());
        cc.setPermission(caEntry.getPermission());
        cc.setNumCrls(caEntry.getNumCrls());
        cc.setExpirationPeriod(caEntry.getExpirationPeriod());
        cc.setKeepExpiredCertDays(caEntry.getKeepExpiredCertInDays());
        if (caEntry.getValidityMode() != null) {
            cc.setValidityMode(caEntry.getValidityMode().name());
        }
        // POP control is stored as-is here; no folding into CMP control as in schema 6.
        if (caEntry.getPopControl() != null) {
            cc.setPopControl(caEntry.getPopControl().getConfPairs().asMap());
        }
        // add to cols
        cols.add(col2Str(cc.encode()));
    }
    // insert to table ca
    int num = execUpdatePrepStmt0(sql, cols.toArray(new SqlColumn2[0]));
    if (num == 0) {
        throw new CaMgmtException("could not add CA " + caEntry.getIdent());
    }
    if (LOG.isInfoEnabled()) {
        // NOTE(review): the (false, true) arguments presumably select a non-verbose text
        // with sensitive values left out - confirm against CaEntry.toString before
        // relying on this line being free of signer secrets.
        LOG.info("add CA '{}': {}", caEntry.getIdent(), caEntry.toString(false, true));
    }
}
Also used : CaUris(org.xipki.ca.api.CaUris)

Example 5 with CaUris

use of org.xipki.ca.api.CaUris in project xipki by xipki.

the class CaManagerQueryExecutor method changeCa.

// method addPublisher
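/**
 * Applies the requested changes to an existing CA row in table {@code CA}.
 *
 * <p>Safeguards applied before anything is written:
 * <ul>
 *   <li>the CA certificate cannot be replaced once table {@code CERT} holds a row for this CA;</li>
 *   <li>whenever signer type, signer configuration or certificate changes, a signer is
 *       created for every configured signer entry together with the CA certificate that
 *       will be in effect, and the change is rejected if that fails;</li>
 *   <li>a new certificate chain is built on top of the effective CA certificate.</li>
 * </ul>
 *
 * <p>Fields of {@code changeCaEntry} that are {@code null} are passed on as {@code null}
 * columns to {@code changeIfNotNull}, which presumably leaves them untouched - confirm.
 *
 * @param changeCaEntry the requested changes; must not be {@code null}
 * @param currentCaEntry the CA as currently stored; read for the existing URIs and protocol
 *        support when the DB schema version is 6 or below, otherwise handed to
 *        {@code buildChangeCaConfColumn}. NOTE(review): not null-checked here.
 * @param currentCaConfColumn the currently stored {@code CONF} value; only handed to
 *        {@code buildChangeCaConfColumn} (schema version 7 and above)
 * @param securityFactory used to canonicalize the signer configuration and to create the
 *        signers for validation; must not be {@code null}
 * @throws CaMgmtException if the CA is unknown, the certificate of a CA that has issued
 *         certificates is to be changed, the certificate cannot be parsed, a signer cannot
 *         be created, or a database access fails
 */
public void changeCa(ChangeCaEntry changeCaEntry, CaEntry currentCaEntry, CaConfColumn currentCaConfColumn, SecurityFactory securityFactory) throws CaMgmtException {
    notNulls(changeCaEntry, "changeCaEntry", securityFactory, "securityFactory");
    // Saved keypairs and non-'software' keypair generators need schema version 7 or later.
    if (Boolean.TRUE.equals(changeCaEntry.getSaveKeypair())) {
        assertDbSchemaVersion7on("Saving keypair");
    }
    List<String> keypairGenNames = changeCaEntry.getKeypairGenNames();
    if (CollectionUtil.isNotEmpty(keypairGenNames)) {
        for (String n : keypairGenNames) {
            if (!"software".equalsIgnoreCase(n)) {
                // Same wording as in addCa (the previous text had an unbalanced parenthesis
                // and misspelled 'software').
                assertDbSchemaVersion7on("Keypair generation name (" + n + ") different than 'software'");
            }
        }
    }
    byte[] encodedCert = changeCaEntry.getEncodedCert();
    if (encodedCert != null) {
        // Replacing the certificate of a CA that has already issued certificates would
        // leave those certificates pointing at an issuer that no longer exists.
        boolean anyCertIssued;
        try {
            anyCertIssued = datasource.columnExists(null, "CERT", "CA_ID", changeCaEntry.getIdent().getId());
        } catch (DataAccessException ex) {
            throw new CaMgmtException(ex);
        }
        if (anyCertIssued) {
            throw new CaMgmtException("Cannot change certificate of CA which has issued certificates");
        }
    }
    String signerType = changeCaEntry.getSignerType();
    String signerConf = changeCaEntry.getSignerConf();
    X509Cert caCert = null;
    if (signerType != null || signerConf != null || encodedCert != null || CollectionUtil.isNotEmpty(changeCaEntry.getEncodedCertchain())) {
        // need CA certificate: the new one if supplied, else the stored one
        if (encodedCert != null) {
            caCert = parseCert(encodedCert);
        } else {
            final String sql = "SELECT CERT FROM CA WHERE ID=?";
            ResultRow rs = execQuery1PrepStmt0(sql, col2Int(changeCaEntry.getIdent().getId()));
            if (rs == null) {
                throw new CaMgmtException("unknown CA '" + changeCaEntry.getIdent() + "'");
            }
            caCert = parseCert(Base64.decode(rs.getString("CERT")));
        }
        if (signerType != null || signerConf != null || encodedCert != null) {
            // validate the signer configuration: values not being changed are read from
            // the DB so that the effective (type, conf, certificate) triple is checked
            final String sql = "SELECT SIGNER_TYPE,SIGNER_CONF FROM CA WHERE ID=?";
            ResultRow rs = execQuery1PrepStmt0(sql, col2Int(changeCaEntry.getIdent().getId()));
            if (rs == null) {
                throw new CaMgmtException("unknown CA '" + changeCaEntry.getIdent() + "'");
            }
            if (signerType == null) {
                signerType = rs.getString("SIGNER_TYPE");
            }
            if (signerConf == null) {
                signerConf = rs.getString("SIGNER_CONF");
            } else {
                signerConf = CaUtil.canonicalizeSignerConf(signerType, signerConf, null, securityFactory);
            }
            try {
                // The created signers are discarded; creating them is the check.
                // Presumably createSigner fails when key and certificate do not match - confirm.
                List<CaSignerConf> signerConfs = CaEntry.splitCaSignerConfs(signerConf);
                for (CaSignerConf m : signerConfs) {
                    securityFactory.createSigner(signerType, new SignerConf(m.getConf()), caCert);
                }
            } catch (XiSecurityException | ObjectCreationException ex) {
                // NOTE(review): the cause's message is appended verbatim; confirm it cannot
                // echo parts of the signer configuration.
                throw new CaMgmtException("could not create signer for CA '" + changeCaEntry.getIdent() + "': " + ex.getMessage(), ex);
            }
        }
    }
    // end if (signerType)
    String subject = null;
    String base64Cert = null;
    if (encodedCert != null) {
        try {
            // NOTE(review): the SUBJECT column is filled from the ISSUER text of the new
            // certificate. Both are equal for a self-signed CA but differ for a subordinate
            // CA - confirm this is intended.
            subject = X509Util.parseCert(encodedCert).getIssuerRfc4519Text();
            base64Cert = Base64.encodeToString(encodedCert);
        } catch (CertificateException ex) {
            throw new CaMgmtException("could not parse the certificate", ex);
        }
    }
    String certchainStr = null;
    List<byte[]> encodedCertchain = changeCaEntry.getEncodedCertchain();
    if (encodedCertchain != null) {
        if (encodedCertchain.isEmpty()) {
            // an explicitly empty chain is written as the CaManager.NULL marker
            certchainStr = CaManager.NULL;
        } else {
            List<X509Cert> certs = new LinkedList<>();
            for (byte[] m : encodedCertchain) {
                certs.add(parseCert(m));
            }
            certs = buildCertChain(caCert, certs);
            certchainStr = encodeCertchain(certs);
        }
    }
    String status = (changeCaEntry.getStatus() == null) ? null : changeCaEntry.getStatus().name();
    // SIGNER_CONF uses the four-argument colStr form.
    // NOTE(review): presumably the last flag marks the value as a signer configuration
    // so that it is masked when the change is logged - confirm against colStr.
    List<SqlColumn> cols = CaUtil.asModifiableList(
            colStr("STATUS", status),
            colStr("CRL_SIGNER_NAME", changeCaEntry.getCrlSignerName()),
            colStr("CMP_RESPONDER_NAME", changeCaEntry.getCmpResponderName()),
            colStr("SCEP_RESPONDER_NAME", changeCaEntry.getScepResponderName()),
            colStr("SUBJECT", subject),
            colStr("SIGNER_TYPE", signerType),
            colStr("SIGNER_CONF", signerConf, false, true),
            colStr("CERT", base64Cert),
            colStr("CERTCHAIN", certchainStr));
    if (dbSchemaVersion <= 6) {
        String maxValidity = (changeCaEntry.getMaxValidity() == null) ? null : changeCaEntry.getMaxValidity().toString();
        // Building the ConfPairs also checks that the extra control text is well-formed.
        String extraControl = (changeCaEntry.getExtraControl() == null) ? null
                : new ConfPairs(changeCaEntry.getExtraControl()).getEncoded();
        String validityMode = (changeCaEntry.getValidityMode() == null) ? null : changeCaEntry.getValidityMode().name();
        String caUrisStr = null;
        CaUris changeUris = changeCaEntry.getCaUris();
        if (changeUris != null && (changeUris.getCacertUris() != null || changeUris.getCrlUris() != null || changeUris.getDeltaCrlUris() != null || changeUris.getOcspUris() != null)) {
            // CA_URIS is one column: URI lists that are not being changed are taken
            // from the current entry.
            // NOTE(review): assumes currentCaEntry.getCaUris() is not null - confirm.
            CaUris oldCaUris = currentCaEntry.getCaUris();
            List<String> uris = changeUris.getCacertUris();
            List<String> cacertUris = (uris == null) ? oldCaUris.getCacertUris() : uris;
            uris = changeUris.getOcspUris();
            List<String> ocspUris = (uris == null) ? oldCaUris.getOcspUris() : uris;
            uris = changeUris.getCrlUris();
            List<String> crlUris = (uris == null) ? oldCaUris.getCrlUris() : uris;
            uris = changeUris.getDeltaCrlUris();
            List<String> deltaCrlUris = (uris == null) ? oldCaUris.getDeltaCrlUris() : uris;
            CaUris newCaUris = new CaUris(cacertUris, ocspUris, crlUris, deltaCrlUris);
            caUrisStr = newCaUris.getEncoded();
            if (caUrisStr.isEmpty()) {
                caUrisStr = CaManager.NULL;
            }
        }
        String protocolSupportStr = null;
        Boolean supportCmp = changeCaEntry.getSupportCmp();
        Boolean supportRest = changeCaEntry.getSupportRest();
        Boolean supportScep = changeCaEntry.getSupportScep();
        if (supportCmp != null || supportRest != null || supportScep != null) {
            // PROTOCOL_SUPPORT is one column as well: start from the current flags
            // and override only the ones given in the change.
            ProtocolSupport oldSupport = currentCaEntry.getProtocoSupport();
            ProtocolSupport support = new ProtocolSupport(oldSupport.isCmp(), oldSupport.isRest(), oldSupport.isScep());
            if (supportCmp != null) {
                support.setCmp(supportCmp);
            }
            if (supportRest != null) {
                support.setRest(supportRest);
            }
            if (supportScep != null) {
                support.setScep(supportScep);
            }
            protocolSupportStr = support.getEncoded();
        }
        // Adapt CMP control and DHPOP control: schema 6 has no POP control column, so
        // "sigalgo" moves to CMP_CONTROL as "popo.sigalgo" and "dh.xyz" entries move to
        // DHPOC_CONTROL as "xyz"; any other POP entry is only logged and dropped.
        String cmpCtrlText = changeCaEntry.getCmpControl();
        String popCtrlText = changeCaEntry.getPopControl();
        ConfPairs popCtrlPairs = null;
        if (StringUtil.isNotBlank(popCtrlText)) {
            popCtrlPairs = new ConfPairs(popCtrlText);
        }
        // NOTE(review): this comparison with CaManager.NULL is case-sensitive, whereas the
        // CONF-column code of this class uses equalsIgnoreCase - confirm which is intended.
        ConfPairs cmpPairs = new ConfPairs(CaManager.NULL.equals(cmpCtrlText) ? null : cmpCtrlText);
        ConfPairs dhpopPairs = new ConfPairs();
        if (popCtrlPairs != null) {
            for (String n : popCtrlPairs.names()) {
                if ("sigalgo".equals(n)) {
                    cmpPairs.putPair("popo.sigalgo", popCtrlPairs.value(n));
                } else if (n.startsWith("dh.")) {
                    dhpopPairs.putPair(n.substring(3), popCtrlPairs.value(n));
                } else {
                    LOG.warn("unsupported POP entry {}: {}", n, popCtrlPairs.value(n));
                }
            }
        }
        // NOTE(review): when only the POP control is changed, cmpPairs holds nothing but
        // "popo.sigalgo"; confirm that writing it does not replace the stored CMP control.
        if (!cmpPairs.isEmpty()) {
            cmpCtrlText = cmpPairs.getEncoded();
        }
        String dhpopCtrlText = null;
        if (!dhpopPairs.isEmpty()) {
            dhpopCtrlText = dhpopPairs.getEncoded();
        }
        CaUtil.addAll(cols,
                colInt("SN_SIZE", changeCaEntry.getSerialNoLen()),
                colStr("CA_URIS", caUrisStr),
                colStr("MAX_VALIDITY", maxValidity),
                colStr("CMP_CONTROL", cmpCtrlText),
                colStr("CRL_CONTROL", changeCaEntry.getCrlControl()),
                colStr("SCEP_CONTROL", changeCaEntry.getScepControl()),
                colStr("CTLOG_CONTROL", changeCaEntry.getCtlogControl()),
                colStr("PROTOCOL_SUPPORT", protocolSupportStr),
                colBool("SAVE_REQ", changeCaEntry.getSaveRequest()),
                colInt("PERMISSION", changeCaEntry.getPermission()),
                colInt("NUM_CRLS", changeCaEntry.getNumCrls()),
                colInt("EXPIRATION_PERIOD", changeCaEntry.getExpirationPeriod()),
                colInt("KEEP_EXPIRED_CERT_DAYS", changeCaEntry.getKeepExpiredCertInDays()),
                colStr("VALIDITY_MODE", validityMode),
                colStr("EXTRA_CONTROL", extraControl),
                colStr("DHPOC_CONTROL", dhpopCtrlText, false, true),
                colStr("REVOKE_SUSPENDED_CONTROL", changeCaEntry.getRevokeSuspendedControl()));
    } else {
        // Schema 7 and above: all of the settings above live in the single CONF column.
        cols.add(buildChangeCaConfColumn(changeCaEntry, currentCaEntry, currentCaConfColumn));
    }
    // Update table CA; the row is selected by the CA's ID.
    changeIfNotNull("CA", colInt("ID", changeCaEntry.getIdent().getId()), cols.toArray(new SqlColumn[0]));
}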
Also used : CaSignerConf(org.xipki.ca.api.mgmt.entry.CaEntry.CaSignerConf) CaSignerConf(org.xipki.ca.api.mgmt.entry.CaEntry.CaSignerConf) CertificateException(java.security.cert.CertificateException) CaUris(org.xipki.ca.api.CaUris) DataAccessException(org.xipki.datasource.DataAccessException)

Aggregations

CaUris (org.xipki.ca.api.CaUris)9 CertificateException (java.security.cert.CertificateException)3 CaSignerConf (org.xipki.ca.api.mgmt.entry.CaEntry.CaSignerConf)3 NameId (org.xipki.ca.api.NameId)2 DataAccessException (org.xipki.datasource.DataAccessException)2 ByteArrayInputStream (java.io.ByteArrayInputStream)1 ByteArrayOutputStream (java.io.ByteArrayOutputStream)1 BigInteger (java.math.BigInteger)1 ResultSet (java.sql.ResultSet)1 SQLException (java.sql.SQLException)1 Statement (java.sql.Statement)1 LinkedList (java.util.LinkedList)1 ZipEntry (java.util.zip.ZipEntry)1 ZipOutputStream (java.util.zip.ZipOutputStream)1 X500Name (org.bouncycastle.asn1.x500.X500Name)1 org.bouncycastle.asn1.x509 (org.bouncycastle.asn1.x509)1 BadCertTemplateException (org.xipki.ca.api.BadCertTemplateException)1 OperationException (org.xipki.ca.api.OperationException)1 CaConfType (org.xipki.ca.api.mgmt.CaConfType)1 NameTypeConf (org.xipki.ca.api.mgmt.CaConfType.NameTypeConf)1