use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method getSystemInfo.
// method checkPermission
private String getSystemInfo(CmpRequestorInfo requestor, Set<Integer> acceptVersions) throws OperationException {
X509Ca ca = getCa();
StringBuilder sb = new StringBuilder(2000);
// current maximal support version is 2
int version = 2;
if (CollectionUtil.isNonEmpty(acceptVersions) && !acceptVersions.contains(version)) {
Integer ver = null;
for (Integer m : acceptVersions) {
if (m < version) {
ver = m;
}
}
if (ver == null) {
throw new OperationException(ErrorCode.BAD_REQUEST, "none of versions " + acceptVersions + " is supported");
} else {
version = ver;
}
}
sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>");
sb.append("<systemInfo version=\"").append(version).append("\">");
if (version == 2) {
// CACert
sb.append("<CACert>");
sb.append(Base64.encodeToString(ca.getCaInfo().getCert().getEncodedCert()));
sb.append("</CACert>");
// CMP control
sb.append("<cmpControl>");
sb.append("<rrAkiRequired>").append(getCmpControl().isRrAkiRequired()).append("</rrAkiRequired>");
sb.append("</cmpControl>");
// Profiles
Set<String> requestorProfiles = requestor.getCaHasRequestor().getProfiles();
Set<String> supportedProfileNames = new HashSet<>();
Set<String> caProfileNames = ca.caManager().getCertprofilesForCa(ca.getCaInfo().getIdent().getName());
for (String caProfileName : caProfileNames) {
if (requestorProfiles.contains("all") || requestorProfiles.contains(caProfileName)) {
supportedProfileNames.add(caProfileName);
}
}
if (CollectionUtil.isNonEmpty(supportedProfileNames)) {
sb.append("<certprofiles>");
for (String name : supportedProfileNames) {
CertprofileEntry entry = ca.caManager().getCertprofile(name);
if (entry.isFaulty()) {
continue;
}
sb.append("<certprofile>");
sb.append("<name>").append(name).append("</name>");
sb.append("<type>").append(entry.getType()).append("</type>");
sb.append("<conf>");
String conf = entry.getConf();
if (StringUtil.isNotBlank(conf)) {
sb.append("<![CDATA[");
sb.append(conf);
sb.append("]]>");
}
sb.append("</conf>");
sb.append("</certprofile>");
}
sb.append("</certprofiles>");
}
sb.append("</systemInfo>");
} else {
throw new OperationException(ErrorCode.BAD_REQUEST, "unsupported version " + version);
}
return sb.toString();
}
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method revokeCert.
public void revokeCert(CmpRequestorInfo requestor, BigInteger serialNumber, CrlReason reason, Date invalidityDate, RequestType reqType, String msgId) throws OperationException {
ParamUtil.requireNonNull("requestor", requestor);
int permission;
if (reason == CrlReason.REMOVE_FROM_CRL) {
permission = PermissionConstants.UNREVOKE_CERT;
} else {
permission = PermissionConstants.REVOKE_CERT;
}
try {
checkPermission(requestor, permission);
} catch (InsuffientPermissionException ex) {
throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
}
X509Ca ca = getCa();
Object returnedObj;
if (PermissionConstants.UNREVOKE_CERT == permission) {
// unrevoke
returnedObj = ca.unrevokeCertificate(serialNumber, msgId);
} else {
returnedObj = ca.revokeCertificate(serialNumber, reason, invalidityDate, msgId);
}
if (returnedObj == null) {
throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
}
}
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method getCrl.
public X509CRL getCrl(BigInteger crlNumber) throws OperationException {
LOG.info(" START getCrl: ca={}, crlNumber={}", caIdent, crlNumber);
boolean successful = false;
try {
byte[] encodedCrl = certstore.getEncodedCrl(caIdent, crlNumber);
if (encodedCrl == null) {
return null;
}
try {
X509CRL crl = X509Util.parseCrl(encodedCrl);
successful = true;
if (LOG.isInfoEnabled()) {
String timeStr = new Time(crl.getThisUpdate()).getTime();
LOG.info("SUCCESSFUL getCrl: ca={}, thisUpdate={}", caIdent, timeStr);
}
return crl;
} catch (CRLException | CertificateException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
} catch (RuntimeException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
}
} finally {
if (!successful) {
LOG.info(" FAILED getCrl: ca={}", caIdent);
}
}
}
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method cleanupCrls.
private void cleanupCrls(String msgId) throws OperationException {
int numCrls = caInfo.getNumCrls();
LOG.info(" START cleanupCrls: ca={}, numCrls={}", caIdent, numCrls);
boolean successful = false;
AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_cleanup_crl, msgId);
try {
int num = (numCrls <= 0) ? 0 : certstore.cleanupCrls(caIdent, caInfo.getNumCrls());
successful = true;
event.addEventData(CaAuditConstants.NAME_num, num);
LOG.info("SUCCESSFUL cleanupCrls: ca={}, num={}", caIdent, num);
} catch (RuntimeException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
} finally {
if (!successful) {
LOG.info(" FAILED cleanupCrls: ca={}", caIdent);
}
finish(event, successful);
}
}
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method generateCrl0.
private X509CRL generateCrl0(boolean deltaCrl, Date thisUpdate, Date nextUpdate, AuditEvent event, String msgId) throws OperationException {
X509CrlSignerEntryWrapper crlSigner = getCrlSigner();
if (crlSigner == null) {
throw new OperationException(ErrorCode.NOT_PERMITTED, "CRL generation is not allowed");
}
LOG.info(" START generateCrl: ca={}, deltaCRL={}, nextUpdate={}", caIdent, deltaCrl, nextUpdate);
event.addEventData(CaAuditConstants.NAME_crlType, deltaCrl ? "DELTA_CRL" : "FULL_CRL");
if (nextUpdate == null) {
event.addEventData(CaAuditConstants.NAME_nextUpdate, "null");
} else {
event.addEventData(CaAuditConstants.NAME_nextUpdate, DateUtil.toUtcTimeyyyyMMddhhmmss(nextUpdate));
if (nextUpdate.getTime() - thisUpdate.getTime() < 10 * 60 * MS_PER_SECOND) {
// less than 10 minutes
throw new OperationException(ErrorCode.CRL_FAILURE, "nextUpdate and thisUpdate are too close");
}
}
CrlControl crlControl = crlSigner.getCrlControl();
boolean successful = false;
try {
ConcurrentContentSigner tmpCrlSigner = crlSigner.getSigner();
CrlControl control = crlSigner.getCrlControl();
boolean directCrl;
X500Name crlIssuer;
if (tmpCrlSigner == null) {
directCrl = true;
crlIssuer = caInfo.getPublicCaInfo().getX500Subject();
} else {
directCrl = false;
crlIssuer = X500Name.getInstance(tmpCrlSigner.getCertificate().getSubjectX500Principal().getEncoded());
}
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, thisUpdate);
if (nextUpdate != null) {
crlBuilder.setNextUpdate(nextUpdate);
}
final int numEntries = 100;
Date notExpireAt;
if (control.isIncludeExpiredCerts()) {
notExpireAt = new Date(0);
} else {
// 10 minutes buffer
notExpireAt = new Date(thisUpdate.getTime() - 600L * MS_PER_SECOND);
}
long startId = 1;
// we have to cache the serial entries to sort them
List<CertRevInfoWithSerial> allRevInfos = new LinkedList<>();
List<CertRevInfoWithSerial> revInfos;
do {
if (deltaCrl) {
revInfos = certstore.getCertsForDeltaCrl(caIdent, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts());
} else {
revInfos = certstore.getRevokedCerts(caIdent, notExpireAt, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts());
}
allRevInfos.addAll(revInfos);
long maxId = 1;
for (CertRevInfoWithSerial revInfo : revInfos) {
if (revInfo.getId() > maxId) {
maxId = revInfo.getId();
}
}
// end for
startId = maxId + 1;
} while (// end do
revInfos.size() >= numEntries);
if (revInfos != null) {
// free the memory
revInfos.clear();
}
// sort the list by SerialNumber ASC
Collections.sort(allRevInfos);
boolean isFirstCrlEntry = true;
for (CertRevInfoWithSerial revInfo : allRevInfos) {
CrlReason reason = revInfo.getReason();
if (crlControl.isExcludeReason() && reason != CrlReason.REMOVE_FROM_CRL) {
reason = CrlReason.UNSPECIFIED;
}
Date revocationTime = revInfo.getRevocationTime();
Date invalidityTime = revInfo.getInvalidityTime();
switch(crlControl.getInvalidityDateMode()) {
case FORBIDDEN:
invalidityTime = null;
break;
case OPTIONAL:
break;
case REQUIRED:
if (invalidityTime == null) {
invalidityTime = revocationTime;
}
break;
default:
throw new RuntimeException("unknown TripleState: " + crlControl.getInvalidityDateMode());
}
BigInteger serial = revInfo.getSerial();
LOG.debug("added cert ca={} serial={} to CRL", caIdent, serial);
if (directCrl || !isFirstCrlEntry) {
if (invalidityTime != null) {
crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode(), invalidityTime);
} else {
crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode());
}
continue;
}
List<Extension> extensions = new ArrayList<>(3);
if (reason != CrlReason.UNSPECIFIED) {
Extension ext = createReasonExtension(reason.getCode());
extensions.add(ext);
}
if (invalidityTime != null) {
Extension ext = createInvalidityDateExtension(invalidityTime);
extensions.add(ext);
}
Extension ext = createCertificateIssuerExtension(caInfo.getPublicCaInfo().getX500Subject());
extensions.add(ext);
crlBuilder.addCRLEntry(serial, revocationTime, new Extensions(extensions.toArray(new Extension[0])));
isFirstCrlEntry = false;
}
// free the memory
allRevInfos.clear();
BigInteger crlNumber = caInfo.nextCrlNumber();
event.addEventData(CaAuditConstants.NAME_crlNumber, crlNumber);
boolean onlyUserCerts = crlControl.isOnlyContainsUserCerts();
boolean onlyCaCerts = crlControl.isOnlyContainsCaCerts();
if (onlyUserCerts && onlyCaCerts) {
throw new RuntimeException("should not reach here, onlyUserCerts and onlyCACerts are both true");
}
try {
// AuthorityKeyIdentifier
byte[] akiValues = directCrl ? caInfo.getPublicCaInfo().getSubjectKeyIdentifer() : crlSigner.getSubjectKeyIdentifier();
AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(akiValues);
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, aki);
// add extension CRL Number
crlBuilder.addExtension(Extension.cRLNumber, false, new ASN1Integer(crlNumber));
// IssuingDistributionPoint
if (onlyUserCerts || onlyCaCerts || !directCrl) {
IssuingDistributionPoint idp = new IssuingDistributionPoint(// distributionPoint,
(DistributionPointName) null, // onlyContainsUserCerts,
onlyUserCerts, // onlyContainsCACerts,
onlyCaCerts, // onlySomeReasons,
(ReasonFlags) null, // indirectCRL,
!directCrl, // onlyContainsAttributeCerts
false);
crlBuilder.addExtension(Extension.issuingDistributionPoint, true, idp);
}
// freshestCRL
List<String> deltaCrlUris = getCaInfo().getPublicCaInfo().getDeltaCrlUris();
if (control.getDeltaCrlIntervals() > 0 && CollectionUtil.isNonEmpty(deltaCrlUris)) {
CRLDistPoint cdp = CaUtil.createCrlDistributionPoints(deltaCrlUris, caInfo.getPublicCaInfo().getX500Subject(), crlIssuer);
crlBuilder.addExtension(Extension.freshestCRL, false, cdp);
}
} catch (CertIOException ex) {
LogUtil.error(LOG, ex, "crlBuilder.addExtension");
throw new OperationException(ErrorCode.INVALID_EXTENSION, ex);
}
addXipkiCertset(crlBuilder, deltaCrl, control, notExpireAt, onlyCaCerts, onlyUserCerts);
ConcurrentContentSigner concurrentSigner = (tmpCrlSigner == null) ? caInfo.getSigner(null) : tmpCrlSigner;
ConcurrentBagEntrySigner signer0;
try {
signer0 = concurrentSigner.borrowSigner();
} catch (NoIdleSignerException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, "NoIdleSignerException: " + ex.getMessage());
}
X509CRLHolder crlHolder;
try {
crlHolder = crlBuilder.build(signer0.value());
} finally {
concurrentSigner.requiteSigner(signer0);
}
try {
X509CRL crl = X509Util.toX509Crl(crlHolder.toASN1Structure());
caInfo.getCaEntry().setNextCrlNumber(crlNumber.longValue() + 1);
caManager.commitNextCrlNo(caIdent, caInfo.getCaEntry().getNextCrlNumber());
publishCrl(crl);
successful = true;
LOG.info("SUCCESSFUL generateCrl: ca={}, crlNumber={}, thisUpdate={}", caIdent, crlNumber, crl.getThisUpdate());
if (!deltaCrl) {
// clean up the CRL
cleanupCrlsWithoutException(msgId);
}
return crl;
} catch (CRLException | CertificateException ex) {
throw new OperationException(ErrorCode.CRL_FAILURE, ex);
}
} finally {
if (!successful) {
LOG.info(" FAILED generateCrl: ca={}", caIdent);
}
}
}
Aggregations