Search in sources :

Example 1 with CertificateInfo

use of org.xipki.ca.api.CertificateInfo in project xipki by xipki.

the class X509PublisherModule method publishCertsInQueue.

boolean publishCertsInQueue(IdentifiedCertPublisher publisher) {
    notNull(publisher, "publisher");
    final int numEntries = 500;
    while (true) {
        List<Long> certIds;
        try {
            certIds = certstore.getPublishQueueEntries(caIdent, publisher.getIdent(), numEntries);
        } catch (OperationException ex) {
            LogUtil.error(LOG, ex);
            return false;
        }
        if (CollectionUtil.isEmpty(certIds)) {
            break;
        }
        for (Long certId : certIds) {
            CertificateInfo certInfo;
            try {
                certInfo = certstore.getCertForId(caIdent, caCert, certId, caIdNameMap);
            } catch (OperationException ex) {
                LogUtil.error(LOG, ex);
                return false;
            }
            boolean successful = publisher.certificateAdded(certInfo);
            if (!successful) {
                LOG.error("republishing certificate id={} failed", certId);
                return false;
            }
            try {
                certstore.removeFromPublishQueue(publisher.getIdent(), certId);
            } catch (OperationException ex) {
                LogUtil.warn(LOG, ex, "could not remove republished cert id=" + certId + " and publisher=" + publisher.getIdent().getName());
            }
        }
    // end for
    }
    return true;
}
Also used : CertificateInfo(org.xipki.ca.api.CertificateInfo) OperationException(org.xipki.ca.api.OperationException)

Example 2 with CertificateInfo

use of org.xipki.ca.api.CertificateInfo in project xipki by xipki.

the class CertStore method getCertInfo.

public CertificateInfo getCertInfo(NameId ca, X509Cert caCert, BigInteger serial, CaIdNameMap idNameMap) throws OperationException {
    notNulls(ca, "ca", caCert, "caCert", idNameMap, "idNameMap", serial, "serial");
    ResultRow rs = execQuery1PrepStmt0(sqlCertInfo, col2Int(ca.getId()), col2Str(serial.toString(16)));
    if (rs == null) {
        return null;
    }
    byte[] encodedCert = Base64.decodeFast(rs.getString("CERT"));
    CertWithDbId certWithMeta = new CertWithDbId(parseCert(encodedCert));
    CertificateInfo certInfo = new CertificateInfo(certWithMeta, null, ca, caCert, idNameMap.getCertprofile(rs.getInt("PID")), idNameMap.getRequestor(rs.getInt("RID")));
    certInfo.setRevocationInfo(buildCertRevInfo(rs));
    return certInfo;
}
Also used : CertWithDbId(org.xipki.ca.api.CertWithDbId) CertificateInfo(org.xipki.ca.api.CertificateInfo)

Example 3 with CertificateInfo

use of org.xipki.ca.api.CertificateInfo in project xipki by xipki.

the class CertStore method getCertForId.

// method cleanupCrls
public CertificateInfo getCertForId(NameId ca, X509Cert caCert, long certId, CaIdNameMap idNameMap) throws OperationException {
    notNulls(ca, "ca", caCert, "caCert", idNameMap, "idNameMap");
    ResultRow rs = execQuery1PrepStmt0(sqlCertForId, col2Long(certId));
    if (rs == null) {
        return null;
    }
    X509Cert cert = parseCert(Base64.decodeFast(rs.getString("CERT")));
    CertWithDbId certWithMeta = new CertWithDbId(cert);
    certWithMeta.setCertId(certId);
    CertificateInfo certInfo = new CertificateInfo(certWithMeta, null, ca, caCert, idNameMap.getCertprofile(rs.getInt("PID")), idNameMap.getRequestor(rs.getInt("RID")));
    certInfo.setRevocationInfo(buildCertRevInfo(rs));
    return certInfo;
}
Also used : CertWithDbId(org.xipki.ca.api.CertWithDbId) X509Cert(org.xipki.security.X509Cert) CertificateInfo(org.xipki.ca.api.CertificateInfo)

Example 4 with CertificateInfo

use of org.xipki.ca.api.CertificateInfo in project xipki by xipki.

the class ScepResponder method servicePkiOperation0.

// method servicePkiOperation
private PkiMessage servicePkiOperation0(CMSSignedData requestContent, DecodedPkiMessage req, String certprofileName, String msgId, AuditEvent event) throws OperationException {
    notNull(requestContent, "requestContent");
    String tid = notNull(req, "req").getTransactionId().getId();
    // verify and decrypt the request
    audit(event, NAME_tid, tid);
    if (req.getFailureMessage() != null) {
        audit(event, Scep.NAME_failure_message, req.getFailureMessage());
    }
    Boolean bo = req.isSignatureValid();
    if (bo != null && !bo) {
        audit(event, Scep.NAME_signature, "invalid");
    }
    bo = req.isDecryptionSuccessful();
    if (bo != null && !bo) {
        audit(event, Scep.NAME_decryption, "failed");
    }
    PkiMessage rep = new PkiMessage(req.getTransactionId(), MessageType.CertRep, Nonce.randomNonce());
    rep.setRecipientNonce(req.getSenderNonce());
    if (req.getFailureMessage() != null) {
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badRequest);
        return rep;
    }
    bo = req.isSignatureValid();
    if (bo != null && !bo) {
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badMessageCheck);
        return rep;
    }
    bo = req.isDecryptionSuccessful();
    if (bo != null && !bo) {
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badRequest);
        return rep;
    }
    Date signingTime = req.getSigningTime();
    if (maxSigningTimeBiasInMs > 0) {
        boolean isTimeBad;
        if (signingTime == null) {
            isTimeBad = true;
        } else {
            long now = System.currentTimeMillis();
            long diff = now - signingTime.getTime();
            if (diff < 0) {
                diff = -1 * diff;
            }
            isTimeBad = diff > maxSigningTimeBiasInMs;
        }
        if (isTimeBad) {
            rep.setPkiStatus(PkiStatus.FAILURE);
            rep.setFailInfo(FailInfo.badTime);
            return rep;
        }
    }
    // end if
    // check the digest algorithm
    HashAlgo hashAlgo = req.getDigestAlgorithm();
    boolean supported = false;
    if (hashAlgo == HashAlgo.SHA1) {
        if (caCaps.supportsSHA1()) {
            supported = true;
        }
    } else if (hashAlgo == HashAlgo.SHA256) {
        if (caCaps.supportsSHA256()) {
            supported = true;
        }
    } else if (hashAlgo == HashAlgo.SHA512) {
        if (caCaps.supportsSHA512()) {
            supported = true;
        }
    }
    if (!supported) {
        LOG.warn("tid={}: unsupported digest algorithm {}", tid, hashAlgo);
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badAlg);
        return rep;
    }
    // check the content encryption algorithm
    ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
    if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
        if (!caCaps.supportsDES3()) {
            LOG.warn("tid={}: encryption with DES3 algorithm {} is not permitted", tid, encOid);
            rep.setPkiStatus(PkiStatus.FAILURE);
            rep.setFailInfo(FailInfo.badAlg);
            return rep;
        }
    } else if (CMSAlgorithm.AES128_CBC.equals(encOid)) {
        if (!caCaps.supportsAES()) {
            LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
            rep.setPkiStatus(PkiStatus.FAILURE);
            rep.setFailInfo(FailInfo.badAlg);
            return rep;
        }
    } else {
        LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badAlg);
        return rep;
    }
    X509Ca ca;
    try {
        ca = caManager.getX509Ca(caIdent);
    } catch (CaMgmtException ex) {
        LogUtil.error(LOG, ex, tid + "=" + tid + ",could not get X509CA");
        throw new OperationException(SYSTEM_FAILURE, ex);
    }
    X500Name caX500Name = ca.getCaInfo().getCert().getSubject();
    try {
        SignedData signedData;
        MessageType mt = req.getMessageType();
        audit(event, Scep.NAME_message_type, mt.toString());
        switch(mt) {
            case PKCSReq:
            case RenewalReq:
                CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData());
                X500Name reqSubject = csr.getCertificationRequestInfo().getSubject();
                if (LOG.isInfoEnabled()) {
                    LOG.info("tid={}, subject={}", tid, X509Util.getRfc4519Name(reqSubject));
                }
                if (!ca.verifyCsr(csr)) {
                    LOG.warn("tid={} POP verification failed", tid);
                    throw FailInfoException.BAD_MESSAGE_CHECK;
                }
                CertificationRequestInfo csrReqInfo = csr.getCertificationRequestInfo();
                X509Cert reqSignatureCert = req.getSignatureCert();
                X500Name reqSigCertSubject = reqSignatureCert.getSubject();
                boolean selfSigned = reqSignatureCert.isSelfSigned();
                if (selfSigned) {
                    if (!reqSigCertSubject.equals(csrReqInfo.getSubject())) {
                        LOG.warn("tid={}, self-signed identityCert.subject ({}) != csr.subject ({})", tid, reqSigCertSubject, csrReqInfo.getSubject());
                        throw FailInfoException.BAD_REQUEST;
                    }
                }
                if (X509Util.getCommonName(csrReqInfo.getSubject()) == null) {
                    throw new OperationException(BAD_CERT_TEMPLATE, "tid=" + tid + ": no CommonName in requested subject");
                }
                NameId userIdent = null;
                String challengePwd = CaUtil.getChallengePassword(csrReqInfo);
                if (challengePwd != null) {
                    String[] strs = challengePwd.split(":");
                    if (strs.length != 2) {
                        LOG.warn("tid={}: challengePassword does not have the format <user>:<password>", tid);
                        throw FailInfoException.BAD_REQUEST;
                    }
                    String user = strs[0];
                    String password = strs[1];
                    userIdent = ca.authenticateUser(user, StringUtil.toUtf8Bytes(password));
                    if (userIdent == null) {
                        LOG.warn("tid={}: could not authenticate user {}", tid, user);
                        throw FailInfoException.BAD_REQUEST;
                    }
                }
                if (selfSigned) {
                    if (MessageType.PKCSReq != mt) {
                        LOG.warn("tid={}: self-signed certificate is not permitted for" + " messageType {}", tid, mt);
                        throw FailInfoException.BAD_REQUEST;
                    }
                    if (userIdent == null) {
                        LOG.warn("tid={}: could not extract user & password from challengePassword" + ", which are required for self-signed signature certificate", tid);
                        throw FailInfoException.BAD_REQUEST;
                    }
                } else {
                    // certificate is known by the CA
                    if (userIdent == null) {
                        // up to draft-nourse-scep-23 the client sends all messages to enroll
                        // certificate via MessageType PKCSReq
                        KnowCertResult knowCertRes = ca.knowsCert(reqSignatureCert);
                        if (!knowCertRes.isKnown()) {
                            LOG.warn("tid={}: signature certificate is not trusted by the CA", tid);
                            throw FailInfoException.BAD_REQUEST;
                        }
                        Integer userId = knowCertRes.getUserId();
                        if (userId == null) {
                            LOG.warn("tid={}: could not extract user from the signature cert", tid);
                            throw FailInfoException.BAD_REQUEST;
                        }
                        userIdent = ca.getUserIdent(userId);
                    }
                // end if
                }
                // end if
                RequestorInfo.ByUserRequestorInfo requestor = ca.getByUserRequestor(userIdent);
                checkUserPermission(requestor, certprofileName);
                byte[] tidBytes = getTransactionIdBytes(tid);
                Extensions extensions = CaUtil.getExtensions(csrReqInfo);
                CertTemplateData certTemplateData = new CertTemplateData(csrReqInfo.getSubject(), csrReqInfo.getSubjectPublicKeyInfo(), null, null, extensions, certprofileName);
                CertificateInfo cert = ca.generateCert(certTemplateData, requestor, RequestType.SCEP, tidBytes, msgId);
                /* Don't save SCEP message, since it contains password in plaintext
          if (ca.getCaInfo().isSaveRequest() && cert.getCert().getCertId() != null) {
            byte[] encodedRequest;
            try {
              encodedRequest = requestContent.getEncoded();
            } catch (IOException ex) {
              LOG.warn("could not encode request");
              encodedRequest = null;
            }
            if (encodedRequest != null) {
              long reqId = ca.addRequest(encodedRequest);
              ca.addRequestCert(reqId, cert.getCert().getCertId());
            }
          }*/
                signedData = buildSignedData(cert.getCert().getCert());
                break;
            case CertPoll:
                IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
                audit(event, NAME_issuer, X509Util.getRfc4519Name(is.getIssuer()));
                audit(event, NAME_subject, X509Util.getRfc4519Name(is.getSubject()));
                ensureIssuedByThisCa(caX500Name, is.getIssuer());
                signedData = pollCert(ca, is.getSubject(), req.getTransactionId());
                break;
            case GetCert:
                IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
                BigInteger serial = isn.getSerialNumber().getPositiveValue();
                audit(event, NAME_issuer, X509Util.getRfc4519Name(isn.getName()));
                audit(event, NAME_serial, LogUtil.formatCsn(serial));
                ensureIssuedByThisCa(caX500Name, isn.getName());
                signedData = getCert(ca, isn.getSerialNumber().getPositiveValue());
                break;
            case GetCRL:
                isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
                serial = isn.getSerialNumber().getPositiveValue();
                audit(event, NAME_issuer, X509Util.getRfc4519Name(isn.getName()));
                audit(event, NAME_serial, LogUtil.formatCsn(serial));
                ensureIssuedByThisCa(caX500Name, isn.getName());
                signedData = getCrl(ca, serial);
                break;
            default:
                LOG.error("unknown SCEP messageType '{}'", req.getMessageType());
                throw FailInfoException.BAD_REQUEST;
        }
        // end switch
        ContentInfo ci = new ContentInfo(CMSObjectIdentifiers.signedData, signedData);
        rep.setMessageData(ci);
        rep.setPkiStatus(PkiStatus.SUCCESS);
    } catch (FailInfoException ex) {
        LogUtil.error(LOG, ex);
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(ex.getFailInfo());
    }
    return rep;
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) NameId(org.xipki.ca.api.NameId) HashAlgo(org.xipki.security.HashAlgo) X500Name(org.bouncycastle.asn1.x500.X500Name) KnowCertResult(org.xipki.ca.server.db.CertStore.KnowCertResult) Extensions(org.bouncycastle.asn1.x509.Extensions) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) X509Cert(org.xipki.security.X509Cert) CertificateInfo(org.xipki.ca.api.CertificateInfo) OperationException(org.xipki.ca.api.OperationException) SignedData(org.bouncycastle.asn1.cms.SignedData) Date(java.util.Date) BigInteger(java.math.BigInteger) BigInteger(java.math.BigInteger) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)

Example 5 with CertificateInfo

use of org.xipki.ca.api.CertificateInfo in project xipki by xipki.

the class Ca2Manager method generateCertificate.

// method generateRootCa
X509Cert generateCertificate(String caName, String profileName, byte[] encodedCsr, Date notBefore, Date notAfter) throws CaMgmtException {
    caName = toNonBlankLower(caName, "caName");
    profileName = toNonBlankLower(profileName, "profileName");
    notNull(encodedCsr, "encodedCsr");
    AuditEvent event = new AuditEvent(new Date());
    event.setApplicationName(APPNAME);
    event.setName(NAME_perf);
    event.addEventType("CAMGMT_CRL_GEN_ONDEMAND");
    X509Ca ca = getX509Ca(caName);
    CertificationRequest csr;
    try {
        csr = X509Util.parseCsr(encodedCsr);
    } catch (Exception ex) {
        throw new CaMgmtException(concat("invalid CSR request. ERROR: ", ex.getMessage()));
    }
    if (!ca.verifyCsr(csr)) {
        throw new CaMgmtException("could not validate POP for the CSR");
    }
    CertificationRequestInfo certTemp = csr.getCertificationRequestInfo();
    Extensions extensions = null;
    ASN1Set attrs = certTemp.getAttributes();
    for (int i = 0; i < attrs.size(); i++) {
        Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
        if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
            extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
        }
    }
    X500Name subject = certTemp.getSubject();
    SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
    CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profileName);
    CertificateInfo certInfo;
    try {
        certInfo = ca.generateCert(certTemplateData, manager.byCaRequestor, RequestType.CA, null, MSGID_ca_mgmt);
    } catch (OperationException ex) {
        throw new CaMgmtException(ex.getMessage(), ex);
    }
    if (ca.getCaInfo().isSaveRequest()) {
        try {
            long dbId = ca.addRequest(encodedCsr);
            ca.addRequestCert(dbId, certInfo.getCert().getCertId());
        } catch (OperationException ex) {
            LogUtil.warn(LOG, ex, "could not save request");
        }
    }
    return certInfo.getCert().getCert();
}
Also used : CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) Attribute(org.bouncycastle.asn1.pkcs.Attribute) X500Name(org.bouncycastle.asn1.x500.X500Name) Extensions(org.bouncycastle.asn1.x509.Extensions) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) DataAccessException(org.xipki.datasource.DataAccessException) CertificateException(java.security.cert.CertificateException) OperationException(org.xipki.ca.api.OperationException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ASN1Set(org.bouncycastle.asn1.ASN1Set) CertificateInfo(org.xipki.ca.api.CertificateInfo) AuditEvent(org.xipki.audit.AuditEvent) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) OperationException(org.xipki.ca.api.OperationException)

Aggregations

CertificateInfo (org.xipki.ca.api.CertificateInfo)5 OperationException (org.xipki.ca.api.OperationException)3 CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)2 CertificationRequestInfo (org.bouncycastle.asn1.pkcs.CertificationRequestInfo)2 X500Name (org.bouncycastle.asn1.x500.X500Name)2 Extensions (org.bouncycastle.asn1.x509.Extensions)2 CertWithDbId (org.xipki.ca.api.CertWithDbId)2 X509Cert (org.xipki.security.X509Cert)2 BigInteger (java.math.BigInteger)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 CertificateException (java.security.cert.CertificateException)1 Date (java.util.Date)1 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)1 ASN1Set (org.bouncycastle.asn1.ASN1Set)1 ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)1 IssuerAndSerialNumber (org.bouncycastle.asn1.cms.IssuerAndSerialNumber)1 SignedData (org.bouncycastle.asn1.cms.SignedData)1 Attribute (org.bouncycastle.asn1.pkcs.Attribute)1 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)1 AuditEvent (org.xipki.audit.AuditEvent)1