use of org.xipki.ca.api.CertificateInfo in project xipki by xipki.
the class X509PublisherModule method publishCertsInQueue.
boolean publishCertsInQueue(IdentifiedCertPublisher publisher) {
notNull(publisher, "publisher");
final int numEntries = 500;
while (true) {
List<Long> certIds;
try {
certIds = certstore.getPublishQueueEntries(caIdent, publisher.getIdent(), numEntries);
} catch (OperationException ex) {
LogUtil.error(LOG, ex);
return false;
}
if (CollectionUtil.isEmpty(certIds)) {
break;
}
for (Long certId : certIds) {
CertificateInfo certInfo;
try {
certInfo = certstore.getCertForId(caIdent, caCert, certId, caIdNameMap);
} catch (OperationException ex) {
LogUtil.error(LOG, ex);
return false;
}
boolean successful = publisher.certificateAdded(certInfo);
if (!successful) {
LOG.error("republishing certificate id={} failed", certId);
return false;
}
try {
certstore.removeFromPublishQueue(publisher.getIdent(), certId);
} catch (OperationException ex) {
LogUtil.warn(LOG, ex, "could not remove republished cert id=" + certId + " and publisher=" + publisher.getIdent().getName());
}
}
// end for
}
return true;
}
use of org.xipki.ca.api.CertificateInfo in project xipki by xipki.
the class CertStore method getCertInfo.
public CertificateInfo getCertInfo(NameId ca, X509Cert caCert, BigInteger serial, CaIdNameMap idNameMap) throws OperationException {
notNulls(ca, "ca", caCert, "caCert", idNameMap, "idNameMap", serial, "serial");
ResultRow rs = execQuery1PrepStmt0(sqlCertInfo, col2Int(ca.getId()), col2Str(serial.toString(16)));
if (rs == null) {
return null;
}
byte[] encodedCert = Base64.decodeFast(rs.getString("CERT"));
CertWithDbId certWithMeta = new CertWithDbId(parseCert(encodedCert));
CertificateInfo certInfo = new CertificateInfo(certWithMeta, null, ca, caCert, idNameMap.getCertprofile(rs.getInt("PID")), idNameMap.getRequestor(rs.getInt("RID")));
certInfo.setRevocationInfo(buildCertRevInfo(rs));
return certInfo;
}
use of org.xipki.ca.api.CertificateInfo in project xipki by xipki.
the class CertStore method getCertForId.
// method cleanupCrls
public CertificateInfo getCertForId(NameId ca, X509Cert caCert, long certId, CaIdNameMap idNameMap) throws OperationException {
notNulls(ca, "ca", caCert, "caCert", idNameMap, "idNameMap");
ResultRow rs = execQuery1PrepStmt0(sqlCertForId, col2Long(certId));
if (rs == null) {
return null;
}
X509Cert cert = parseCert(Base64.decodeFast(rs.getString("CERT")));
CertWithDbId certWithMeta = new CertWithDbId(cert);
certWithMeta.setCertId(certId);
CertificateInfo certInfo = new CertificateInfo(certWithMeta, null, ca, caCert, idNameMap.getCertprofile(rs.getInt("PID")), idNameMap.getRequestor(rs.getInt("RID")));
certInfo.setRevocationInfo(buildCertRevInfo(rs));
return certInfo;
}
use of org.xipki.ca.api.CertificateInfo in project xipki by xipki.
the class ScepResponder method servicePkiOperation0.
// method servicePkiOperation
private PkiMessage servicePkiOperation0(CMSSignedData requestContent, DecodedPkiMessage req, String certprofileName, String msgId, AuditEvent event) throws OperationException {
notNull(requestContent, "requestContent");
String tid = notNull(req, "req").getTransactionId().getId();
// verify and decrypt the request
audit(event, NAME_tid, tid);
if (req.getFailureMessage() != null) {
audit(event, Scep.NAME_failure_message, req.getFailureMessage());
}
Boolean bo = req.isSignatureValid();
if (bo != null && !bo) {
audit(event, Scep.NAME_signature, "invalid");
}
bo = req.isDecryptionSuccessful();
if (bo != null && !bo) {
audit(event, Scep.NAME_decryption, "failed");
}
PkiMessage rep = new PkiMessage(req.getTransactionId(), MessageType.CertRep, Nonce.randomNonce());
rep.setRecipientNonce(req.getSenderNonce());
if (req.getFailureMessage() != null) {
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(FailInfo.badRequest);
return rep;
}
bo = req.isSignatureValid();
if (bo != null && !bo) {
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(FailInfo.badMessageCheck);
return rep;
}
bo = req.isDecryptionSuccessful();
if (bo != null && !bo) {
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(FailInfo.badRequest);
return rep;
}
Date signingTime = req.getSigningTime();
if (maxSigningTimeBiasInMs > 0) {
boolean isTimeBad;
if (signingTime == null) {
isTimeBad = true;
} else {
long now = System.currentTimeMillis();
long diff = now - signingTime.getTime();
if (diff < 0) {
diff = -1 * diff;
}
isTimeBad = diff > maxSigningTimeBiasInMs;
}
if (isTimeBad) {
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(FailInfo.badTime);
return rep;
}
}
// end if
// check the digest algorithm
HashAlgo hashAlgo = req.getDigestAlgorithm();
boolean supported = false;
if (hashAlgo == HashAlgo.SHA1) {
if (caCaps.supportsSHA1()) {
supported = true;
}
} else if (hashAlgo == HashAlgo.SHA256) {
if (caCaps.supportsSHA256()) {
supported = true;
}
} else if (hashAlgo == HashAlgo.SHA512) {
if (caCaps.supportsSHA512()) {
supported = true;
}
}
if (!supported) {
LOG.warn("tid={}: unsupported digest algorithm {}", tid, hashAlgo);
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(FailInfo.badAlg);
return rep;
}
// check the content encryption algorithm
ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
if (!caCaps.supportsDES3()) {
LOG.warn("tid={}: encryption with DES3 algorithm {} is not permitted", tid, encOid);
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(FailInfo.badAlg);
return rep;
}
} else if (CMSAlgorithm.AES128_CBC.equals(encOid)) {
if (!caCaps.supportsAES()) {
LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(FailInfo.badAlg);
return rep;
}
} else {
LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(FailInfo.badAlg);
return rep;
}
X509Ca ca;
try {
ca = caManager.getX509Ca(caIdent);
} catch (CaMgmtException ex) {
LogUtil.error(LOG, ex, tid + "=" + tid + ",could not get X509CA");
throw new OperationException(SYSTEM_FAILURE, ex);
}
X500Name caX500Name = ca.getCaInfo().getCert().getSubject();
try {
SignedData signedData;
MessageType mt = req.getMessageType();
audit(event, Scep.NAME_message_type, mt.toString());
switch(mt) {
case PKCSReq:
case RenewalReq:
CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData());
X500Name reqSubject = csr.getCertificationRequestInfo().getSubject();
if (LOG.isInfoEnabled()) {
LOG.info("tid={}, subject={}", tid, X509Util.getRfc4519Name(reqSubject));
}
if (!ca.verifyCsr(csr)) {
LOG.warn("tid={} POP verification failed", tid);
throw FailInfoException.BAD_MESSAGE_CHECK;
}
CertificationRequestInfo csrReqInfo = csr.getCertificationRequestInfo();
X509Cert reqSignatureCert = req.getSignatureCert();
X500Name reqSigCertSubject = reqSignatureCert.getSubject();
boolean selfSigned = reqSignatureCert.isSelfSigned();
if (selfSigned) {
if (!reqSigCertSubject.equals(csrReqInfo.getSubject())) {
LOG.warn("tid={}, self-signed identityCert.subject ({}) != csr.subject ({})", tid, reqSigCertSubject, csrReqInfo.getSubject());
throw FailInfoException.BAD_REQUEST;
}
}
if (X509Util.getCommonName(csrReqInfo.getSubject()) == null) {
throw new OperationException(BAD_CERT_TEMPLATE, "tid=" + tid + ": no CommonName in requested subject");
}
NameId userIdent = null;
String challengePwd = CaUtil.getChallengePassword(csrReqInfo);
if (challengePwd != null) {
String[] strs = challengePwd.split(":");
if (strs.length != 2) {
LOG.warn("tid={}: challengePassword does not have the format <user>:<password>", tid);
throw FailInfoException.BAD_REQUEST;
}
String user = strs[0];
String password = strs[1];
userIdent = ca.authenticateUser(user, StringUtil.toUtf8Bytes(password));
if (userIdent == null) {
LOG.warn("tid={}: could not authenticate user {}", tid, user);
throw FailInfoException.BAD_REQUEST;
}
}
if (selfSigned) {
if (MessageType.PKCSReq != mt) {
LOG.warn("tid={}: self-signed certificate is not permitted for" + " messageType {}", tid, mt);
throw FailInfoException.BAD_REQUEST;
}
if (userIdent == null) {
LOG.warn("tid={}: could not extract user & password from challengePassword" + ", which are required for self-signed signature certificate", tid);
throw FailInfoException.BAD_REQUEST;
}
} else {
// certificate is known by the CA
if (userIdent == null) {
// up to draft-nourse-scep-23 the client sends all messages to enroll
// certificate via MessageType PKCSReq
KnowCertResult knowCertRes = ca.knowsCert(reqSignatureCert);
if (!knowCertRes.isKnown()) {
LOG.warn("tid={}: signature certificate is not trusted by the CA", tid);
throw FailInfoException.BAD_REQUEST;
}
Integer userId = knowCertRes.getUserId();
if (userId == null) {
LOG.warn("tid={}: could not extract user from the signature cert", tid);
throw FailInfoException.BAD_REQUEST;
}
userIdent = ca.getUserIdent(userId);
}
// end if
}
// end if
RequestorInfo.ByUserRequestorInfo requestor = ca.getByUserRequestor(userIdent);
checkUserPermission(requestor, certprofileName);
byte[] tidBytes = getTransactionIdBytes(tid);
Extensions extensions = CaUtil.getExtensions(csrReqInfo);
CertTemplateData certTemplateData = new CertTemplateData(csrReqInfo.getSubject(), csrReqInfo.getSubjectPublicKeyInfo(), null, null, extensions, certprofileName);
CertificateInfo cert = ca.generateCert(certTemplateData, requestor, RequestType.SCEP, tidBytes, msgId);
/* Don't save SCEP message, since it contains password in plaintext
if (ca.getCaInfo().isSaveRequest() && cert.getCert().getCertId() != null) {
byte[] encodedRequest;
try {
encodedRequest = requestContent.getEncoded();
} catch (IOException ex) {
LOG.warn("could not encode request");
encodedRequest = null;
}
if (encodedRequest != null) {
long reqId = ca.addRequest(encodedRequest);
ca.addRequestCert(reqId, cert.getCert().getCertId());
}
}*/
signedData = buildSignedData(cert.getCert().getCert());
break;
case CertPoll:
IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
audit(event, NAME_issuer, X509Util.getRfc4519Name(is.getIssuer()));
audit(event, NAME_subject, X509Util.getRfc4519Name(is.getSubject()));
ensureIssuedByThisCa(caX500Name, is.getIssuer());
signedData = pollCert(ca, is.getSubject(), req.getTransactionId());
break;
case GetCert:
IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
BigInteger serial = isn.getSerialNumber().getPositiveValue();
audit(event, NAME_issuer, X509Util.getRfc4519Name(isn.getName()));
audit(event, NAME_serial, LogUtil.formatCsn(serial));
ensureIssuedByThisCa(caX500Name, isn.getName());
signedData = getCert(ca, isn.getSerialNumber().getPositiveValue());
break;
case GetCRL:
isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
serial = isn.getSerialNumber().getPositiveValue();
audit(event, NAME_issuer, X509Util.getRfc4519Name(isn.getName()));
audit(event, NAME_serial, LogUtil.formatCsn(serial));
ensureIssuedByThisCa(caX500Name, isn.getName());
signedData = getCrl(ca, serial);
break;
default:
LOG.error("unknown SCEP messageType '{}'", req.getMessageType());
throw FailInfoException.BAD_REQUEST;
}
// end switch
ContentInfo ci = new ContentInfo(CMSObjectIdentifiers.signedData, signedData);
rep.setMessageData(ci);
rep.setPkiStatus(PkiStatus.SUCCESS);
} catch (FailInfoException ex) {
LogUtil.error(LOG, ex);
rep.setPkiStatus(PkiStatus.FAILURE);
rep.setFailInfo(ex.getFailInfo());
}
return rep;
}
use of org.xipki.ca.api.CertificateInfo in project xipki by xipki.
the class Ca2Manager method generateCertificate.
// method generateRootCa
X509Cert generateCertificate(String caName, String profileName, byte[] encodedCsr, Date notBefore, Date notAfter) throws CaMgmtException {
caName = toNonBlankLower(caName, "caName");
profileName = toNonBlankLower(profileName, "profileName");
notNull(encodedCsr, "encodedCsr");
AuditEvent event = new AuditEvent(new Date());
event.setApplicationName(APPNAME);
event.setName(NAME_perf);
event.addEventType("CAMGMT_CRL_GEN_ONDEMAND");
X509Ca ca = getX509Ca(caName);
CertificationRequest csr;
try {
csr = X509Util.parseCsr(encodedCsr);
} catch (Exception ex) {
throw new CaMgmtException(concat("invalid CSR request. ERROR: ", ex.getMessage()));
}
if (!ca.verifyCsr(csr)) {
throw new CaMgmtException("could not validate POP for the CSR");
}
CertificationRequestInfo certTemp = csr.getCertificationRequestInfo();
Extensions extensions = null;
ASN1Set attrs = certTemp.getAttributes();
for (int i = 0; i < attrs.size(); i++) {
Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
}
}
X500Name subject = certTemp.getSubject();
SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profileName);
CertificateInfo certInfo;
try {
certInfo = ca.generateCert(certTemplateData, manager.byCaRequestor, RequestType.CA, null, MSGID_ca_mgmt);
} catch (OperationException ex) {
throw new CaMgmtException(ex.getMessage(), ex);
}
if (ca.getCaInfo().isSaveRequest()) {
try {
long dbId = ca.addRequest(encodedCsr);
ca.addRequestCert(dbId, certInfo.getCert().getCertId());
} catch (OperationException ex) {
LogUtil.warn(LOG, ex, "could not save request");
}
}
return certInfo.getCert().getCert();
}
Aggregations