Example 1 with OperationException
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509SelfSignedCertBuilder method generateSelfSigned.
public static GenerateSelfSignedResult generateSelfSigned(SecurityFactory securityFactory, String signerType, String signerConf, IdentifiedX509Certprofile certprofile, CertificationRequest csr, BigInteger serialNumber, List<String> caCertUris, List<String> ocspUris, List<String> crlUris, List<String> deltaCrlUris, ConfPairs extraControl) throws OperationException, InvalidConfException {
ParamUtil.requireNonNull("securityFactory", securityFactory);
ParamUtil.requireNonBlank("signerType", signerType);
ParamUtil.requireNonNull("certprofile", certprofile);
ParamUtil.requireNonNull("csr", csr);
ParamUtil.requireNonNull("serialNumber", serialNumber);
if (serialNumber.compareTo(BigInteger.ZERO) != 1) {
throw new IllegalArgumentException("serialNumber must not be non-positive: " + serialNumber);
}
X509CertLevel level = certprofile.getCertLevel();
if (X509CertLevel.RootCA != level) {
throw new IllegalArgumentException("certprofile is not of level " + X509CertLevel.RootCA);
}
if (!securityFactory.verifyPopo(csr, null)) {
throw new InvalidConfException("could not validate POP for the CSR");
}
if ("pkcs12".equalsIgnoreCase(signerType) || "jks".equalsIgnoreCase(signerType)) {
ConfPairs keyValues = new ConfPairs(signerConf);
String keystoreConf = keyValues.value("keystore");
if (keystoreConf == null) {
throw new InvalidConfException("required parameter 'keystore' for types PKCS12 and JKS, is not specified");
}
}
ConcurrentContentSigner signer;
try {
List<String[]> signerConfs = CaEntry.splitCaSignerConfs(signerConf);
List<String> restrictedSigAlgos = certprofile.getSignatureAlgorithms();
String thisSignerConf = null;
if (CollectionUtil.isEmpty(restrictedSigAlgos)) {
thisSignerConf = signerConfs.get(0)[1];
} else {
for (String algo : restrictedSigAlgos) {
for (String[] m : signerConfs) {
if (m[0].equals(algo)) {
thisSignerConf = m[1];
break;
}
}
if (thisSignerConf != null) {
break;
}
}
}
if (thisSignerConf == null) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, "CA does not support any signature algorithm restricted by the cert profile");
}
signer = securityFactory.createSigner(signerType, new SignerConf(thisSignerConf), (X509Certificate[]) null);
} catch (XiSecurityException | ObjectCreationException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
}
SubjectPublicKeyInfo publicKeyInfo;
if (signer.getCertificate() != null) {
// this cert is the dummy one which can be considered only as public key container
Certificate bcCert;
try {
bcCert = Certificate.getInstance(signer.getCertificate().getEncoded());
} catch (Exception ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not reparse certificate: " + ex.getMessage());
}
publicKeyInfo = bcCert.getSubjectPublicKeyInfo();
} else {
PublicKey signerPublicKey = signer.getPublicKey();
try {
publicKeyInfo = KeyUtil.createSubjectPublicKeyInfo(signerPublicKey);
} catch (InvalidKeyException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, "cannot generate SubjectPublicKeyInfo from publicKey: " + ex.getMessage());
}
}
X509Certificate newCert = generateCertificate(signer, certprofile, csr, serialNumber, publicKeyInfo, caCertUris, ocspUris, crlUris, deltaCrlUris, extraControl);
return new GenerateSelfSignedResult(signerConf, newCert);
}
Also used :
RSAPublicKey(java.security.interfaces.RSAPublicKey)
ECPublicKey(java.security.interfaces.ECPublicKey)
PublicKey(java.security.PublicKey)
DSAPublicKey(java.security.interfaces.DSAPublicKey)
InvalidConfException(org.xipki.common.InvalidConfException)
ConfPairs(org.xipki.common.ConfPairs)
SignerConf(org.xipki.security.SignerConf)
InvalidKeyException(java.security.InvalidKeyException)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
CertprofileException(org.xipki.ca.api.profile.CertprofileException)
ObjectCreationException(org.xipki.common.ObjectCreationException)
InvalidKeyException(java.security.InvalidKeyException)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException)
InvalidConfException(org.xipki.common.InvalidConfException)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
OperationException(org.xipki.ca.api.OperationException)
X509Certificate(java.security.cert.X509Certificate)
ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
ObjectCreationException(org.xipki.common.ObjectCreationException)
X509CertLevel(org.xipki.ca.api.profile.x509.X509CertLevel)
OperationException(org.xipki.ca.api.OperationException)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Example 2 with OperationException
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509SelfSignedCertBuilder method generateCertificate.
// method generateSelfSigned
private static X509Certificate generateCertificate(ConcurrentContentSigner signer, IdentifiedX509Certprofile certprofile, CertificationRequest csr, BigInteger serialNumber, SubjectPublicKeyInfo publicKeyInfo, List<String> caCertUris, List<String> ocspUris, List<String> crlUris, List<String> deltaCrlUris, ConfPairs extraControl) throws OperationException {
SubjectPublicKeyInfo tmpPublicKeyInfo;
try {
tmpPublicKeyInfo = X509Util.toRfc3279Style(publicKeyInfo);
} catch (InvalidKeySpecException ex) {
LOG.warn("SecurityUtil.toRfc3279Style", ex);
throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
}
try {
certprofile.checkPublicKey(tmpPublicKeyInfo);
} catch (BadCertTemplateException ex) {
LOG.warn("certprofile.checkPublicKey", ex);
throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
}
X500Name requestedSubject = csr.getCertificationRequestInfo().getSubject();
SubjectInfo subjectInfo;
// subject
try {
subjectInfo = certprofile.getSubject(requestedSubject);
} catch (CertprofileException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, "exception in cert profile " + certprofile.getIdent());
} catch (BadCertTemplateException ex) {
LOG.warn("certprofile.getSubject", ex);
throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
}
Date notBefore = certprofile.getNotBefore(null);
if (notBefore == null) {
notBefore = new Date();
}
CertValidity validity = certprofile.getValidity();
if (validity == null) {
throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "no validity specified in the profile " + certprofile.getIdent());
}
Date notAfter = validity.add(notBefore);
X500Name grantedSubject = subjectInfo.getGrantedSubject();
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(grantedSubject, serialNumber, notBefore, notAfter, grantedSubject, tmpPublicKeyInfo);
PublicCaInfo publicCaInfo = new PublicCaInfo(grantedSubject, serialNumber, null, null, caCertUris, ocspUris, crlUris, deltaCrlUris, extraControl);
Extensions extensions = null;
ASN1Set attrs = csr.getCertificationRequestInfo().getAttributes();
for (int i = 0; i < attrs.size(); i++) {
Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
}
}
try {
addExtensions(certBuilder, certprofile, requestedSubject, grantedSubject, extensions, tmpPublicKeyInfo, publicCaInfo, notBefore, notAfter);
ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
X509CertificateHolder certHolder;
try {
certHolder = certBuilder.build(signer0.value());
} finally {
signer.requiteSigner(signer0);
}
Certificate bcCert = certHolder.toASN1Structure();
return X509Util.parseCert(bcCert.getEncoded());
} catch (BadCertTemplateException ex) {
throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
} catch (NoIdleSignerException | CertificateException | IOException | CertprofileException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
}
}
Also used :
CertValidity(org.xipki.ca.api.profile.CertValidity)
Attribute(org.bouncycastle.asn1.pkcs.Attribute)
SubjectInfo(org.xipki.ca.api.profile.x509.SubjectInfo)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
IOException(java.io.IOException)
Extensions(org.bouncycastle.asn1.x509.Extensions)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
PublicCaInfo(org.xipki.ca.api.PublicCaInfo)
ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner)
Date(java.util.Date)
ASN1Set(org.bouncycastle.asn1.ASN1Set)
CertprofileException(org.xipki.ca.api.profile.CertprofileException)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
OperationException(org.xipki.ca.api.OperationException)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Example 3 with OperationException
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method getCrl.
// method cmpGeneralMsg
public CertificateList getCrl(CmpRequestorInfo requestor, BigInteger crlNumber) throws OperationException {
ParamUtil.requireNonNull("requestor", requestor);
try {
checkPermission(requestor, PermissionConstants.GET_CRL);
} catch (InsuffientPermissionException ex) {
throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
}
X509Ca ca = getCa();
return (crlNumber == null) ? ca.getBcCurrentCrl() : ca.getBcCrl(crlNumber);
}
Also used :
X509Ca(org.xipki.ca.server.impl.X509Ca)
InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException)
OperationException(org.xipki.ca.api.OperationException)
Example 4 with OperationException
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method generateCrlOnDemand.
public X509CRL generateCrlOnDemand(CmpRequestorInfo requestor, RequestType reqType, String msgId) throws OperationException {
ParamUtil.requireNonNull("requestor", requestor);
try {
checkPermission(requestor, PermissionConstants.GEN_CRL);
} catch (InsuffientPermissionException ex) {
throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
}
X509Ca ca = getCa();
return ca.generateCrlOnDemand(msgId);
}
Also used :
X509Ca(org.xipki.ca.server.impl.X509Ca)
InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException)
OperationException(org.xipki.ca.api.OperationException)
Example 5 with OperationException
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method cmpGeneralMsg.
// method cmpRevokeOrUnrevokeOrRemoveCertificates
private PKIBody cmpGeneralMsg(PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, ASN1OctetString tid, String msgId, AuditEvent event) throws InsuffientPermissionException {
GenMsgContent genMsgBody = GenMsgContent.getInstance(reqBody.getContent());
InfoTypeAndValue[] itvs = genMsgBody.toInfoTypeAndValueArray();
InfoTypeAndValue itv = null;
if (itvs != null && itvs.length > 0) {
for (InfoTypeAndValue entry : itvs) {
String itvType = entry.getInfoType().getId();
if (KNOWN_GENMSG_IDS.contains(itvType)) {
itv = entry;
break;
}
}
}
if (itv == null) {
String statusMessage = "PKIBody type " + PKIBody.TYPE_GEN_MSG + " is only supported with the sub-types " + KNOWN_GENMSG_IDS.toString();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
InfoTypeAndValue itvResp = null;
ASN1ObjectIdentifier infoType = itv.getInfoType();
int failureInfo;
try {
X509Ca ca = getCa();
if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) {
event.addEventType(CaAuditConstants.TYPE_CMP_genm_currentCrl);
checkPermission(requestor, PermissionConstants.GET_CRL);
CertificateList crl = ca.getBcCurrentCrl();
if (itv.getInfoValue() == null) {
// as defined in RFC 4210
crl = ca.getBcCurrentCrl();
} else {
// xipki extension
ASN1Integer crlNumber = ASN1Integer.getInstance(itv.getInfoValue());
crl = ca.getBcCrl(crlNumber.getPositiveValue());
}
if (crl == null) {
String statusMessage = "no CRL is available";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
itvResp = new InfoTypeAndValue(infoType, crl);
} else if (ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.equals(infoType)) {
ASN1Encodable asn1 = itv.getInfoValue();
ASN1Integer asn1Code = null;
ASN1Encodable reqValue = null;
try {
ASN1Sequence seq = ASN1Sequence.getInstance(asn1);
asn1Code = ASN1Integer.getInstance(seq.getObjectAt(0));
if (seq.size() > 1) {
reqValue = seq.getObjectAt(1);
}
} catch (IllegalArgumentException ex) {
String statusMessage = "invalid value of the InfoTypeAndValue for " + ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.getId();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
ASN1Encodable respValue;
int action = asn1Code.getPositiveValue().intValue();
switch(action) {
case XiSecurityConstants.CMP_ACTION_GEN_CRL:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_genCrl);
checkPermission(requestor, PermissionConstants.GEN_CRL);
X509CRL tmpCrl = ca.generateCrlOnDemand(msgId);
if (tmpCrl == null) {
String statusMessage = "CRL generation is not activated";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
} else {
respValue = CertificateList.getInstance(tmpCrl.getEncoded());
}
break;
case XiSecurityConstants.CMP_ACTION_GET_CRL_WITH_SN:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_crlForNumber);
checkPermission(requestor, PermissionConstants.GET_CRL);
ASN1Integer crlNumber = ASN1Integer.getInstance(reqValue);
respValue = ca.getBcCrl(crlNumber.getPositiveValue());
if (respValue == null) {
String statusMessage = "no CRL is available";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
break;
case XiSecurityConstants.CMP_ACTION_GET_CAINFO:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_cainfo);
Set<Integer> acceptVersions = new HashSet<>();
if (reqValue != null) {
ASN1Sequence seq = DERSequence.getInstance(reqValue);
int size = seq.size();
for (int i = 0; i < size; i++) {
ASN1Integer ai = ASN1Integer.getInstance(seq.getObjectAt(i));
acceptVersions.add(ai.getPositiveValue().intValue());
}
}
if (CollectionUtil.isEmpty(acceptVersions)) {
acceptVersions.add(1);
}
String systemInfo = getSystemInfo(requestor, acceptVersions);
respValue = new DERUTF8String(systemInfo);
break;
default:
String statusMessage = "unsupported XiPKI action code '" + action + "'";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
// end switch (action)
ASN1EncodableVector vec = new ASN1EncodableVector();
vec.add(asn1Code);
if (respValue != null) {
vec.add(respValue);
}
itvResp = new InfoTypeAndValue(infoType, new DERSequence(vec));
} else if (ObjectIdentifiers.id_xipki_cmp_cacerts.equals(infoType)) {
event.addEventType(CaAuditConstants.TYPE_CMP_genm_cacerts);
CMPCertificate caCert = ca.getCaInfo().getCertInCmpFormat();
itvResp = new InfoTypeAndValue(infoType, new DERSequence(caCert));
}
GenRepContent genRepContent = new GenRepContent(itvResp);
return new PKIBody(PKIBody.TYPE_GEN_REP, genRepContent);
} catch (OperationException ex) {
failureInfo = getPKiFailureInfo(ex);
ErrorCode code = ex.getErrorCode();
String errorMessage;
switch(code) {
case DATABASE_FAILURE:
case SYSTEM_FAILURE:
errorMessage = code.name();
break;
default:
errorMessage = code.name() + ": " + ex.getErrorMessage();
break;
}
return buildErrorMsgPkiBody(PKIStatus.rejection, failureInfo, errorMessage);
} catch (CRLException ex) {
String statusMessage = "CRLException: " + ex.getMessage();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
}
Also used :
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
PKIBody(org.bouncycastle.asn1.cmp.PKIBody)
X509CRL(java.security.cert.X509CRL)
Set(java.util.Set)
HashSet(java.util.HashSet)
GenMsgContent(org.bouncycastle.asn1.cmp.GenMsgContent)
GenRepContent(org.bouncycastle.asn1.cmp.GenRepContent)
X509Ca(org.xipki.ca.server.impl.X509Ca)
CertificateList(org.bouncycastle.asn1.x509.CertificateList)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
DERSequence(org.bouncycastle.asn1.DERSequence)
InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
ErrorCode(org.xipki.ca.api.OperationException.ErrorCode)
CRLException(java.security.cert.CRLException)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
OperationException(org.xipki.ca.api.OperationException)
Aggregations
OperationException (org.xipki.ca.api.OperationException)70
DERPrintableString (org.bouncycastle.asn1.DERPrintableString)20
CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)19
Date (java.util.Date)16
BigInteger (java.math.BigInteger)15
X509Certificate (java.security.cert.X509Certificate)15
CertificateException (java.security.cert.CertificateException)13
DERUTF8String (org.bouncycastle.asn1.DERUTF8String)13
X509Ca (org.xipki.ca.server.impl.X509Ca)13
PreparedStatement (java.sql.PreparedStatement)12
SQLException (java.sql.SQLException)12
IOException (java.io.IOException)11
X509CertificateInfo (org.xipki.ca.api.publisher.x509.X509CertificateInfo)11
DEROctetString (org.bouncycastle.asn1.DEROctetString)10
X500Name (org.bouncycastle.asn1.x500.X500Name)10
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)10
IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)10
CrlReason (org.xipki.security.CrlReason)10
AuditEvent (org.xipki.audit.AuditEvent)9
NameId (org.xipki.ca.api.NameId)9
