Search in sources :

Example 1 with ErrorCode

use of org.xipki.ca.api.OperationException.ErrorCode in project xipki by xipki.

the class X509CaCmpResponderImpl method cmpGeneralMsg.

// method cmpRevokeOrUnrevokeOrRemoveCertificates
private PKIBody cmpGeneralMsg(PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, ASN1OctetString tid, String msgId, AuditEvent event) throws InsuffientPermissionException {
    GenMsgContent genMsgBody = GenMsgContent.getInstance(reqBody.getContent());
    InfoTypeAndValue[] itvs = genMsgBody.toInfoTypeAndValueArray();
    InfoTypeAndValue itv = null;
    if (itvs != null && itvs.length > 0) {
        for (InfoTypeAndValue entry : itvs) {
            String itvType = entry.getInfoType().getId();
            if (KNOWN_GENMSG_IDS.contains(itvType)) {
                itv = entry;
                break;
            }
        }
    }
    if (itv == null) {
        String statusMessage = "PKIBody type " + PKIBody.TYPE_GEN_MSG + " is only supported with the sub-types " + KNOWN_GENMSG_IDS.toString();
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
    }
    InfoTypeAndValue itvResp = null;
    ASN1ObjectIdentifier infoType = itv.getInfoType();
    int failureInfo;
    try {
        X509Ca ca = getCa();
        if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) {
            event.addEventType(CaAuditConstants.TYPE_CMP_genm_currentCrl);
            checkPermission(requestor, PermissionConstants.GET_CRL);
            CertificateList crl = ca.getBcCurrentCrl();
            if (itv.getInfoValue() == null) {
                // as defined in RFC 4210
                crl = ca.getBcCurrentCrl();
            } else {
                // xipki extension
                ASN1Integer crlNumber = ASN1Integer.getInstance(itv.getInfoValue());
                crl = ca.getBcCrl(crlNumber.getPositiveValue());
            }
            if (crl == null) {
                String statusMessage = "no CRL is available";
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
            }
            itvResp = new InfoTypeAndValue(infoType, crl);
        } else if (ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.equals(infoType)) {
            ASN1Encodable asn1 = itv.getInfoValue();
            ASN1Integer asn1Code = null;
            ASN1Encodable reqValue = null;
            try {
                ASN1Sequence seq = ASN1Sequence.getInstance(asn1);
                asn1Code = ASN1Integer.getInstance(seq.getObjectAt(0));
                if (seq.size() > 1) {
                    reqValue = seq.getObjectAt(1);
                }
            } catch (IllegalArgumentException ex) {
                String statusMessage = "invalid value of the InfoTypeAndValue for " + ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.getId();
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
            }
            ASN1Encodable respValue;
            int action = asn1Code.getPositiveValue().intValue();
            switch(action) {
                case XiSecurityConstants.CMP_ACTION_GEN_CRL:
                    event.addEventType(CaAuditConstants.TYPE_CMP_genm_genCrl);
                    checkPermission(requestor, PermissionConstants.GEN_CRL);
                    X509CRL tmpCrl = ca.generateCrlOnDemand(msgId);
                    if (tmpCrl == null) {
                        String statusMessage = "CRL generation is not activated";
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
                    } else {
                        respValue = CertificateList.getInstance(tmpCrl.getEncoded());
                    }
                    break;
                case XiSecurityConstants.CMP_ACTION_GET_CRL_WITH_SN:
                    event.addEventType(CaAuditConstants.TYPE_CMP_genm_crlForNumber);
                    checkPermission(requestor, PermissionConstants.GET_CRL);
                    ASN1Integer crlNumber = ASN1Integer.getInstance(reqValue);
                    respValue = ca.getBcCrl(crlNumber.getPositiveValue());
                    if (respValue == null) {
                        String statusMessage = "no CRL is available";
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
                    }
                    break;
                case XiSecurityConstants.CMP_ACTION_GET_CAINFO:
                    event.addEventType(CaAuditConstants.TYPE_CMP_genm_cainfo);
                    Set<Integer> acceptVersions = new HashSet<>();
                    if (reqValue != null) {
                        ASN1Sequence seq = DERSequence.getInstance(reqValue);
                        int size = seq.size();
                        for (int i = 0; i < size; i++) {
                            ASN1Integer ai = ASN1Integer.getInstance(seq.getObjectAt(i));
                            acceptVersions.add(ai.getPositiveValue().intValue());
                        }
                    }
                    if (CollectionUtil.isEmpty(acceptVersions)) {
                        acceptVersions.add(1);
                    }
                    String systemInfo = getSystemInfo(requestor, acceptVersions);
                    respValue = new DERUTF8String(systemInfo);
                    break;
                default:
                    String statusMessage = "unsupported XiPKI action code '" + action + "'";
                    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
            }
            // end switch (action)
            ASN1EncodableVector vec = new ASN1EncodableVector();
            vec.add(asn1Code);
            if (respValue != null) {
                vec.add(respValue);
            }
            itvResp = new InfoTypeAndValue(infoType, new DERSequence(vec));
        } else if (ObjectIdentifiers.id_xipki_cmp_cacerts.equals(infoType)) {
            event.addEventType(CaAuditConstants.TYPE_CMP_genm_cacerts);
            CMPCertificate caCert = ca.getCaInfo().getCertInCmpFormat();
            itvResp = new InfoTypeAndValue(infoType, new DERSequence(caCert));
        }
        GenRepContent genRepContent = new GenRepContent(itvResp);
        return new PKIBody(PKIBody.TYPE_GEN_REP, genRepContent);
    } catch (OperationException ex) {
        failureInfo = getPKiFailureInfo(ex);
        ErrorCode code = ex.getErrorCode();
        String errorMessage;
        switch(code) {
            case DATABASE_FAILURE:
            case SYSTEM_FAILURE:
                errorMessage = code.name();
                break;
            default:
                errorMessage = code.name() + ": " + ex.getErrorMessage();
                break;
        }
        return buildErrorMsgPkiBody(PKIStatus.rejection, failureInfo, errorMessage);
    } catch (CRLException ex) {
        String statusMessage = "CRLException: " + ex.getMessage();
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
    }
}
Also used : DERUTF8String(org.bouncycastle.asn1.DERUTF8String) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) X509CRL(java.security.cert.X509CRL) Set(java.util.Set) HashSet(java.util.HashSet) GenMsgContent(org.bouncycastle.asn1.cmp.GenMsgContent) GenRepContent(org.bouncycastle.asn1.cmp.GenRepContent) X509Ca(org.xipki.ca.server.impl.X509Ca) CertificateList(org.bouncycastle.asn1.x509.CertificateList) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) DERSequence(org.bouncycastle.asn1.DERSequence) InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode) CRLException(java.security.cert.CRLException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) OperationException(org.xipki.ca.api.OperationException)

Example 2 with ErrorCode

use of org.xipki.ca.api.OperationException.ErrorCode in project xipki by xipki.

the class X509CaCmpResponderImpl method unRevokeRemoveCertificates.

private PKIBody unRevokeRemoveCertificates(PKIMessage request, RevReqContent rr, int permission, CmpControl cmpControl, String msgId) {
    RevDetails[] revContent = rr.toRevDetailsArray();
    RevRepContentBuilder repContentBuilder = new RevRepContentBuilder();
    final int n = revContent.length;
    // test the request
    for (int i = 0; i < n; i++) {
        RevDetails revDetails = revContent[i];
        CertTemplate certDetails = revDetails.getCertDetails();
        X500Name issuer = certDetails.getIssuer();
        ASN1Integer serialNumber = certDetails.getSerialNumber();
        try {
            X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
            if (issuer == null) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present");
            }
            if (!issuer.equals(caSubject)) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
            }
            if (serialNumber == null) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present");
            }
            if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are " + "allowed, but more is specified");
            }
            if (certDetails.getExtensions() == null) {
                if (cmpControl.isRrAkiRequired()) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
                }
            } else {
                Extensions exts = certDetails.getExtensions();
                ASN1ObjectIdentifier[] oids = exts.getCriticalExtensionOIDs();
                if (oids != null) {
                    for (ASN1ObjectIdentifier oid : oids) {
                        if (!Extension.authorityKeyIdentifier.equals(oid)) {
                            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "unknown critical extension " + oid.getId());
                        }
                    }
                }
                Extension ext = exts.getExtension(Extension.authorityKeyIdentifier);
                if (ext == null) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
                } else {
                    AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(ext.getParsedValue());
                    if (aki.getKeyIdentifier() == null) {
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
                    }
                    boolean issuerMatched = true;
                    byte[] caSki = getCa().getCaInfo().getCert().getSubjectKeyIdentifier();
                    if (!Arrays.equals(caSki, aki.getKeyIdentifier())) {
                        issuerMatched = false;
                    }
                    if (issuerMatched && aki.getAuthorityCertSerialNumber() != null) {
                        BigInteger caSerial = getCa().getCaInfo().getSerialNumber();
                        if (!caSerial.equals(aki.getAuthorityCertSerialNumber())) {
                            issuerMatched = false;
                        }
                    }
                    if (issuerMatched && aki.getAuthorityCertIssuer() != null) {
                        GeneralName[] names = aki.getAuthorityCertIssuer().getNames();
                        for (GeneralName name : names) {
                            if (name.getTagNo() != GeneralName.directoryName) {
                                issuerMatched = false;
                                break;
                            }
                            if (!caSubject.equals(name.getName())) {
                                issuerMatched = false;
                                break;
                            }
                        }
                    }
                    if (!issuerMatched) {
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
                    }
                }
            }
        } catch (IllegalArgumentException ex) {
            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is not invalid");
        }
    }
    // end for
    byte[] encodedRequest = null;
    if (getCa().getCaInfo().isSaveRequest()) {
        try {
            encodedRequest = request.getEncoded();
        } catch (IOException ex) {
            LOG.warn("could not encode request");
        }
    }
    Long reqDbId = null;
    for (int i = 0; i < n; i++) {
        RevDetails revDetails = revContent[i];
        CertTemplate certDetails = revDetails.getCertDetails();
        ASN1Integer serialNumber = certDetails.getSerialNumber();
        // serialNumber is not null due to the check in the previous for-block.
        X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
        BigInteger snBigInt = serialNumber.getPositiveValue();
        CertId certId = new CertId(new GeneralName(caSubject), serialNumber);
        PKIStatusInfo status;
        try {
            Object returnedObj = null;
            Long certDbId = null;
            X509Ca ca = getCa();
            if (PermissionConstants.UNREVOKE_CERT == permission) {
                // unrevoke
                returnedObj = ca.unrevokeCertificate(snBigInt, msgId);
                if (returnedObj != null) {
                    certDbId = ((X509CertWithDbId) returnedObj).getCertId();
                }
            } else if (PermissionConstants.REMOVE_CERT == permission) {
                // remove
                returnedObj = ca.removeCertificate(snBigInt, msgId);
            } else {
                // revoke
                Date invalidityDate = null;
                CrlReason reason = null;
                Extensions crlDetails = revDetails.getCrlEntryDetails();
                if (crlDetails != null) {
                    ASN1ObjectIdentifier extId = Extension.reasonCode;
                    ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId);
                    if (extValue != null) {
                        int reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue();
                        reason = CrlReason.forReasonCode(reasonCode);
                    }
                    extId = Extension.invalidityDate;
                    extValue = crlDetails.getExtensionParsedValue(extId);
                    if (extValue != null) {
                        try {
                            invalidityDate = ASN1GeneralizedTime.getInstance(extValue).getDate();
                        } catch (ParseException ex) {
                            throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + extId.getId());
                        }
                    }
                }
                if (reason == null) {
                    reason = CrlReason.UNSPECIFIED;
                }
                returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate, msgId);
                if (returnedObj != null) {
                    certDbId = ((X509CertWithRevocationInfo) returnedObj).getCert().getCertId();
                }
            }
            if (returnedObj == null) {
                throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
            }
            if (certDbId != null && ca.getCaInfo().isSaveRequest()) {
                if (reqDbId == null) {
                    reqDbId = ca.addRequest(encodedRequest);
                }
                ca.addRequestCert(reqDbId, certDbId);
            }
            status = new PKIStatusInfo(PKIStatus.granted);
        } catch (OperationException ex) {
            ErrorCode code = ex.getErrorCode();
            LOG.warn("{}, OperationException: code={}, message={}", PermissionConstants.getTextForCode(permission), code.name(), ex.getErrorMessage());
            String errorMessage;
            switch(code) {
                case DATABASE_FAILURE:
                case SYSTEM_FAILURE:
                    errorMessage = code.name();
                    break;
                default:
                    errorMessage = code.name() + ": " + ex.getErrorMessage();
                    break;
            }
            // end switch code
            int failureInfo = getPKiFailureInfo(ex);
            status = generateRejectionStatus(failureInfo, errorMessage);
        }
        // end try
        repContentBuilder.add(status, certId);
    }
    return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build());
}
Also used : PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) X509Ca(org.xipki.ca.server.impl.X509Ca) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) Extensions(org.bouncycastle.asn1.x509.Extensions) CertTemplate(org.bouncycastle.asn1.crmf.CertTemplate) CrlReason(org.xipki.security.CrlReason) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) RevDetails(org.bouncycastle.asn1.cmp.RevDetails) OperationException(org.xipki.ca.api.OperationException) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) RevRepContentBuilder(org.bouncycastle.asn1.cmp.RevRepContentBuilder) CertId(org.bouncycastle.asn1.crmf.CertId) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) IOException(java.io.IOException) Date(java.util.Date) Extension(org.bouncycastle.asn1.x509.Extension) BigInteger(java.math.BigInteger) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ParseException(java.text.ParseException) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 3 with ErrorCode

use of org.xipki.ca.api.OperationException.ErrorCode in project xipki by xipki.

the class X509CaCmpResponderImpl method postProcessException.

// method revokeOrUnrevokeOrRemoveCertificates
private CertResponse postProcessException(ASN1Integer certReqId, OperationException ex) {
    ErrorCode code = ex.getErrorCode();
    LOG.warn("generate certificate, OperationException: code={}, message={}", code.name(), ex.getErrorMessage());
    String errorMessage;
    switch(code) {
        case DATABASE_FAILURE:
        case SYSTEM_FAILURE:
            errorMessage = code.name();
            break;
        default:
            errorMessage = code.name() + ": " + ex.getErrorMessage();
            break;
    }
    // end switch code
    int failureInfo = getPKiFailureInfo(ex);
    return new CertResponse(certReqId, generateRejectionStatus(failureInfo, errorMessage));
}
Also used : CertResponse(org.bouncycastle.asn1.cmp.CertResponse) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String)

Example 4 with ErrorCode

use of org.xipki.ca.api.OperationException.ErrorCode in project xipki by xipki.

the class X509CaCmpResponderImpl method getPKiFailureInfo.

private int getPKiFailureInfo(OperationException ex) {
    ErrorCode code = ex.getErrorCode();
    int failureInfo;
    switch(code) {
        case ALREADY_ISSUED:
            failureInfo = PKIFailureInfo.badRequest;
            break;
        case BAD_CERT_TEMPLATE:
            failureInfo = PKIFailureInfo.badCertTemplate;
            break;
        case BAD_REQUEST:
            failureInfo = PKIFailureInfo.badRequest;
            break;
        case CERT_REVOKED:
            failureInfo = PKIFailureInfo.certRevoked;
            break;
        case CERT_UNREVOKED:
            failureInfo = PKIFailureInfo.notAuthorized;
            break;
        case BAD_POP:
            failureInfo = PKIFailureInfo.badPOP;
            break;
        case CRL_FAILURE:
            failureInfo = PKIFailureInfo.systemFailure;
            break;
        case DATABASE_FAILURE:
            failureInfo = PKIFailureInfo.systemFailure;
            break;
        case NOT_PERMITTED:
            failureInfo = PKIFailureInfo.notAuthorized;
            break;
        case INVALID_EXTENSION:
            failureInfo = PKIFailureInfo.badRequest;
            break;
        case SYSTEM_FAILURE:
            failureInfo = PKIFailureInfo.systemFailure;
            break;
        case SYSTEM_UNAVAILABLE:
            failureInfo = PKIFailureInfo.systemUnavail;
            break;
        case UNKNOWN_CERT:
            failureInfo = PKIFailureInfo.badCertId;
            break;
        case UNKNOWN_CERT_PROFILE:
            failureInfo = PKIFailureInfo.badCertTemplate;
            break;
        default:
            failureInfo = PKIFailureInfo.systemFailure;
            break;
    }
    return failureInfo;
}
Also used : ErrorCode(org.xipki.ca.api.OperationException.ErrorCode)

Example 5 with ErrorCode

use of org.xipki.ca.api.OperationException.ErrorCode in project xipki by xipki.

the class HttpScepServlet method service0.

private void service0(HttpServletRequest req, HttpServletResponse resp, boolean viaPost) throws ServletException, IOException {
    AuditServiceRegister auditServiceRegister = ServletHelper.getAuditServiceRegister();
    if (auditServiceRegister == null) {
        LOG.error("ServletHelper.auditServiceRegister not configured");
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        return;
    }
    ResponderManager responderManager = ServletHelper.getResponderManager();
    if (responderManager == null) {
        LOG.error("ServletHelper.responderManager not configured");
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        return;
    }
    String path = StringUtil.getRelativeRequestUri(req.getServletPath(), req.getRequestURI());
    String scepName = null;
    String certProfileName = null;
    if (path.length() > 1) {
        String scepPath = path;
        if (scepPath.endsWith(CGI_PROGRAM)) {
            // skip also the first char (which is always '/')
            String tpath = scepPath.substring(1, scepPath.length() - CGI_PROGRAM_LEN);
            String[] tokens = tpath.split("/");
            if (tokens.length == 2) {
                scepName = tokens[0];
                certProfileName = tokens[1].toLowerCase();
            }
        }
    // end if
    }
    if (scepName == null || certProfileName == null) {
        sendError(resp, HttpServletResponse.SC_NOT_FOUND);
        return;
    }
    AuditService auditService = auditServiceRegister.getAuditService();
    AuditEvent event = new AuditEvent(new Date());
    event.setApplicationName("SCEP");
    event.setName(CaAuditConstants.NAME_PERF);
    event.addEventData(CaAuditConstants.NAME_SCEP_name, scepName + "/" + certProfileName);
    event.addEventData(CaAuditConstants.NAME_reqType, RequestType.SCEP.name());
    String msgId = RandomUtil.nextHexLong();
    event.addEventData(CaAuditConstants.NAME_mid, msgId);
    AuditLevel auditLevel = AuditLevel.INFO;
    AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
    String auditMessage = null;
    try {
        Scep responder = responderManager.getScep(scepName);
        if (responder == null || !responder.isOnService() || !responder.supportsCertProfile(certProfileName)) {
            auditMessage = "unknown SCEP '" + scepName + "/" + certProfileName + "'";
            LOG.warn(auditMessage);
            auditStatus = AuditStatus.FAILED;
            sendError(resp, HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String operation = req.getParameter("operation");
        event.addEventData(CaAuditConstants.NAME_SCEP_operation, operation);
        if ("PKIOperation".equalsIgnoreCase(operation)) {
            CMSSignedData reqMessage;
            // parse the request
            try {
                byte[] content;
                if (viaPost) {
                    content = IoUtil.read(req.getInputStream());
                } else {
                    String b64 = req.getParameter("message");
                    content = Base64.decode(b64);
                }
                reqMessage = new CMSSignedData(content);
            } catch (Exception ex) {
                final String msg = "invalid request";
                LogUtil.error(LOG, ex, msg);
                auditMessage = msg;
                auditStatus = AuditStatus.FAILED;
                sendError(resp, HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            ContentInfo ci;
            try {
                ci = responder.servicePkiOperation(reqMessage, certProfileName, msgId, event);
            } catch (MessageDecodingException ex) {
                final String msg = "could not decrypt and/or verify the request";
                LogUtil.error(LOG, ex, msg);
                auditMessage = msg;
                auditStatus = AuditStatus.FAILED;
                sendError(resp, HttpServletResponse.SC_BAD_REQUEST);
                return;
            } catch (OperationException ex) {
                ErrorCode code = ex.getErrorCode();
                int httpCode;
                switch(code) {
                    case ALREADY_ISSUED:
                    case CERT_REVOKED:
                    case CERT_UNREVOKED:
                        httpCode = HttpServletResponse.SC_FORBIDDEN;
                        break;
                    case BAD_CERT_TEMPLATE:
                    case BAD_REQUEST:
                    case BAD_POP:
                    case INVALID_EXTENSION:
                    case UNKNOWN_CERT:
                    case UNKNOWN_CERT_PROFILE:
                        httpCode = HttpServletResponse.SC_BAD_REQUEST;
                        break;
                    case NOT_PERMITTED:
                        httpCode = HttpServletResponse.SC_UNAUTHORIZED;
                        break;
                    case SYSTEM_UNAVAILABLE:
                        httpCode = HttpServletResponse.SC_SERVICE_UNAVAILABLE;
                        break;
                    case CRL_FAILURE:
                    case DATABASE_FAILURE:
                    case SYSTEM_FAILURE:
                        httpCode = HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
                        break;
                    default:
                        httpCode = HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
                        break;
                }
                auditMessage = ex.getMessage();
                LogUtil.error(LOG, ex, auditMessage);
                auditStatus = AuditStatus.FAILED;
                sendError(resp, httpCode);
                return;
            }
            byte[] bodyBytes = ci.getEncoded();
            sendOKResponse(resp, CT_RESPONSE, bodyBytes);
        } else if (Operation.GetCACaps.getCode().equalsIgnoreCase(operation)) {
            // CA-Ident is ignored
            byte[] caCapsBytes = responder.getCaCaps().getBytes();
            sendOKResponse(resp, ScepConstants.CT_TEXT_PLAIN, caCapsBytes);
        } else if (Operation.GetCACert.getCode().equalsIgnoreCase(operation)) {
            // CA-Ident is ignored
            byte[] respBytes = responder.getCaCertResp().getBytes();
            sendOKResponse(resp, ScepConstants.CT_X509_CA_RA_CERT, respBytes);
        } else if (Operation.GetNextCACert.getCode().equalsIgnoreCase(operation)) {
            auditMessage = "SCEP operation '" + operation + "' is not permitted";
            auditStatus = AuditStatus.FAILED;
            sendError(resp, HttpServletResponse.SC_FORBIDDEN);
            return;
        } else {
            auditMessage = "unknown SCEP operation '" + operation + "'";
            auditStatus = AuditStatus.FAILED;
            sendError(resp, HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
    } catch (Throwable th) {
        if (th instanceof EOFException) {
            final String msg = "connection reset by peer";
            if (LOG.isWarnEnabled()) {
                LogUtil.warn(LOG, th, msg);
            }
            LOG.debug(msg, th);
        } else {
            LOG.error("Throwable thrown, this should not happen!", th);
        }
        auditLevel = AuditLevel.ERROR;
        auditStatus = AuditStatus.FAILED;
        auditMessage = "internal error";
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    } finally {
        audit(auditService, event, auditLevel, auditStatus, auditMessage);
    }
}
Also used : AuditLevel(org.xipki.audit.AuditLevel) ResponderManager(org.xipki.ca.server.api.ResponderManager) CMSSignedData(org.bouncycastle.cms.CMSSignedData) Date(java.util.Date) ServletException(javax.servlet.ServletException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) IOException(java.io.IOException) EOFException(java.io.EOFException) OperationException(org.xipki.ca.api.OperationException) AuditStatus(org.xipki.audit.AuditStatus) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) EOFException(java.io.EOFException) AuditEvent(org.xipki.audit.AuditEvent) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode) Scep(org.xipki.ca.server.api.Scep) AuditServiceRegister(org.xipki.audit.AuditServiceRegister) AuditService(org.xipki.audit.AuditService) OperationException(org.xipki.ca.api.OperationException)

Aggregations

ErrorCode (org.xipki.ca.api.OperationException.ErrorCode)7 OperationException (org.xipki.ca.api.OperationException)5 Date (java.util.Date)4 EOFException (java.io.EOFException)3 IOException (java.io.IOException)3 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)3 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)3 AuditLevel (org.xipki.audit.AuditLevel)3 AuditStatus (org.xipki.audit.AuditStatus)3 X509Ca (org.xipki.ca.server.impl.X509Ca)3 BigInteger (java.math.BigInteger)2 X509CRL (java.security.cert.X509CRL)2 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)2 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)2 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)2 PKIBody (org.bouncycastle.asn1.cmp.PKIBody)2 ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)2 X500Name (org.bouncycastle.asn1.x500.X500Name)2 Extensions (org.bouncycastle.asn1.x509.Extensions)2 CMSSignedData (org.bouncycastle.cms.CMSSignedData)2