Example 46 with OperationException
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method getSystemInfo.
// method checkPermission
private String getSystemInfo(CmpRequestorInfo requestor, Set<Integer> acceptVersions) throws OperationException {
X509Ca ca = getCa();
StringBuilder sb = new StringBuilder(2000);
// current maximal support version is 2
int version = 2;
if (CollectionUtil.isNonEmpty(acceptVersions) && !acceptVersions.contains(version)) {
Integer ver = null;
for (Integer m : acceptVersions) {
if (m < version) {
ver = m;
}
}
if (ver == null) {
throw new OperationException(ErrorCode.BAD_REQUEST, "none of versions " + acceptVersions + " is supported");
} else {
version = ver;
}
}
sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>");
sb.append("<systemInfo version=\"").append(version).append("\">");
if (version == 2) {
// CACert
sb.append("<CACert>");
sb.append(Base64.encodeToString(ca.getCaInfo().getCert().getEncodedCert()));
sb.append("</CACert>");
// CMP control
sb.append("<cmpControl>");
sb.append("<rrAkiRequired>").append(getCmpControl().isRrAkiRequired()).append("</rrAkiRequired>");
sb.append("</cmpControl>");
// Profiles
Set<String> requestorProfiles = requestor.getCaHasRequestor().getProfiles();
Set<String> supportedProfileNames = new HashSet<>();
Set<String> caProfileNames = ca.caManager().getCertprofilesForCa(ca.getCaInfo().getIdent().getName());
for (String caProfileName : caProfileNames) {
if (requestorProfiles.contains("all") || requestorProfiles.contains(caProfileName)) {
supportedProfileNames.add(caProfileName);
}
}
if (CollectionUtil.isNonEmpty(supportedProfileNames)) {
sb.append("<certprofiles>");
for (String name : supportedProfileNames) {
CertprofileEntry entry = ca.caManager().getCertprofile(name);
if (entry.isFaulty()) {
continue;
}
sb.append("<certprofile>");
sb.append("<name>").append(name).append("</name>");
sb.append("<type>").append(entry.getType()).append("</type>");
sb.append("<conf>");
String conf = entry.getConf();
if (StringUtil.isNotBlank(conf)) {
sb.append("<![CDATA[");
sb.append(conf);
sb.append("]]>");
}
sb.append("</conf>");
sb.append("</certprofile>");
}
sb.append("</certprofiles>");
}
sb.append("</systemInfo>");
} else {
throw new OperationException(ErrorCode.BAD_REQUEST, "unsupported version " + version);
}
return sb.toString();
}
Also used :
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
BigInteger(java.math.BigInteger)
X509Ca(org.xipki.ca.server.impl.X509Ca)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
OperationException(org.xipki.ca.api.OperationException)
HashSet(java.util.HashSet)
CertprofileEntry(org.xipki.ca.server.mgmt.api.CertprofileEntry)
Example 47 with OperationException
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method revokeCert.
public void revokeCert(CmpRequestorInfo requestor, BigInteger serialNumber, CrlReason reason, Date invalidityDate, RequestType reqType, String msgId) throws OperationException {
ParamUtil.requireNonNull("requestor", requestor);
int permission;
if (reason == CrlReason.REMOVE_FROM_CRL) {
permission = PermissionConstants.UNREVOKE_CERT;
} else {
permission = PermissionConstants.REVOKE_CERT;
}
try {
checkPermission(requestor, permission);
} catch (InsuffientPermissionException ex) {
throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
}
X509Ca ca = getCa();
Object returnedObj;
if (PermissionConstants.UNREVOKE_CERT == permission) {
// unrevoke
returnedObj = ca.unrevokeCertificate(serialNumber, msgId);
} else {
returnedObj = ca.revokeCertificate(serialNumber, reason, invalidityDate, msgId);
}
if (returnedObj == null) {
throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
}
}
Also used :
X509Ca(org.xipki.ca.server.impl.X509Ca)
InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException)
OperationException(org.xipki.ca.api.OperationException)
Example 48 with OperationException
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method getCrl.
public X509CRL getCrl(BigInteger crlNumber) throws OperationException {
LOG.info(" START getCrl: ca={}, crlNumber={}", caIdent, crlNumber);
boolean successful = false;
try {
byte[] encodedCrl = certstore.getEncodedCrl(caIdent, crlNumber);
if (encodedCrl == null) {
return null;
}
try {
X509CRL crl = X509Util.parseCrl(encodedCrl);
successful = true;
if (LOG.isInfoEnabled()) {
String timeStr = new Time(crl.getThisUpdate()).getTime();
LOG.info("SUCCESSFUL getCrl: ca={}, thisUpdate={}", caIdent, timeStr);
}
return crl;
} catch (CRLException | CertificateException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
} catch (RuntimeException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
}
} finally {
if (!successful) {
LOG.info(" FAILED getCrl: ca={}", caIdent);
}
}
}
Also used :
X509CRL(java.security.cert.X509CRL)
ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime)
Time(org.bouncycastle.asn1.x509.Time)
CertificateException(java.security.cert.CertificateException)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
CRLException(java.security.cert.CRLException)
OperationException(org.xipki.ca.api.OperationException)
Example 49 with OperationException
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method cleanupCrls.
private void cleanupCrls(String msgId) throws OperationException {
int numCrls = caInfo.getNumCrls();
LOG.info(" START cleanupCrls: ca={}, numCrls={}", caIdent, numCrls);
boolean successful = false;
AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_cleanup_crl, msgId);
try {
int num = (numCrls <= 0) ? 0 : certstore.cleanupCrls(caIdent, caInfo.getNumCrls());
successful = true;
event.addEventData(CaAuditConstants.NAME_num, num);
LOG.info("SUCCESSFUL cleanupCrls: ca={}, num={}", caIdent, num);
} catch (RuntimeException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
} finally {
if (!successful) {
LOG.info(" FAILED cleanupCrls: ca={}", caIdent);
}
finish(event, successful);
}
}
Also used :
AuditEvent(org.xipki.audit.AuditEvent)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
OperationException(org.xipki.ca.api.OperationException)
Example 50 with OperationException
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method generateCrl0.
private X509CRL generateCrl0(boolean deltaCrl, Date thisUpdate, Date nextUpdate, AuditEvent event, String msgId) throws OperationException {
X509CrlSignerEntryWrapper crlSigner = getCrlSigner();
if (crlSigner == null) {
throw new OperationException(ErrorCode.NOT_PERMITTED, "CRL generation is not allowed");
}
LOG.info(" START generateCrl: ca={}, deltaCRL={}, nextUpdate={}", caIdent, deltaCrl, nextUpdate);
event.addEventData(CaAuditConstants.NAME_crlType, deltaCrl ? "DELTA_CRL" : "FULL_CRL");
if (nextUpdate == null) {
event.addEventData(CaAuditConstants.NAME_nextUpdate, "null");
} else {
event.addEventData(CaAuditConstants.NAME_nextUpdate, DateUtil.toUtcTimeyyyyMMddhhmmss(nextUpdate));
if (nextUpdate.getTime() - thisUpdate.getTime() < 10 * 60 * MS_PER_SECOND) {
// less than 10 minutes
throw new OperationException(ErrorCode.CRL_FAILURE, "nextUpdate and thisUpdate are too close");
}
}
CrlControl crlControl = crlSigner.getCrlControl();
boolean successful = false;
try {
ConcurrentContentSigner tmpCrlSigner = crlSigner.getSigner();
CrlControl control = crlSigner.getCrlControl();
boolean directCrl;
X500Name crlIssuer;
if (tmpCrlSigner == null) {
directCrl = true;
crlIssuer = caInfo.getPublicCaInfo().getX500Subject();
} else {
directCrl = false;
crlIssuer = X500Name.getInstance(tmpCrlSigner.getCertificate().getSubjectX500Principal().getEncoded());
}
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, thisUpdate);
if (nextUpdate != null) {
crlBuilder.setNextUpdate(nextUpdate);
}
final int numEntries = 100;
Date notExpireAt;
if (control.isIncludeExpiredCerts()) {
notExpireAt = new Date(0);
} else {
// 10 minutes buffer
notExpireAt = new Date(thisUpdate.getTime() - 600L * MS_PER_SECOND);
}
long startId = 1;
// we have to cache the serial entries to sort them
List<CertRevInfoWithSerial> allRevInfos = new LinkedList<>();
List<CertRevInfoWithSerial> revInfos;
do {
if (deltaCrl) {
revInfos = certstore.getCertsForDeltaCrl(caIdent, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts());
} else {
revInfos = certstore.getRevokedCerts(caIdent, notExpireAt, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts());
}
allRevInfos.addAll(revInfos);
long maxId = 1;
for (CertRevInfoWithSerial revInfo : revInfos) {
if (revInfo.getId() > maxId) {
maxId = revInfo.getId();
}
}
// end for
startId = maxId + 1;
} while (// end do
revInfos.size() >= numEntries);
if (revInfos != null) {
// free the memory
revInfos.clear();
}
// sort the list by SerialNumber ASC
Collections.sort(allRevInfos);
boolean isFirstCrlEntry = true;
for (CertRevInfoWithSerial revInfo : allRevInfos) {
CrlReason reason = revInfo.getReason();
if (crlControl.isExcludeReason() && reason != CrlReason.REMOVE_FROM_CRL) {
reason = CrlReason.UNSPECIFIED;
}
Date revocationTime = revInfo.getRevocationTime();
Date invalidityTime = revInfo.getInvalidityTime();
switch(crlControl.getInvalidityDateMode()) {
case FORBIDDEN:
invalidityTime = null;
break;
case OPTIONAL:
break;
case REQUIRED:
if (invalidityTime == null) {
invalidityTime = revocationTime;
}
break;
default:
throw new RuntimeException("unknown TripleState: " + crlControl.getInvalidityDateMode());
}
BigInteger serial = revInfo.getSerial();
LOG.debug("added cert ca={} serial={} to CRL", caIdent, serial);
if (directCrl || !isFirstCrlEntry) {
if (invalidityTime != null) {
crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode(), invalidityTime);
} else {
crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode());
}
continue;
}
List<Extension> extensions = new ArrayList<>(3);
if (reason != CrlReason.UNSPECIFIED) {
Extension ext = createReasonExtension(reason.getCode());
extensions.add(ext);
}
if (invalidityTime != null) {
Extension ext = createInvalidityDateExtension(invalidityTime);
extensions.add(ext);
}
Extension ext = createCertificateIssuerExtension(caInfo.getPublicCaInfo().getX500Subject());
extensions.add(ext);
crlBuilder.addCRLEntry(serial, revocationTime, new Extensions(extensions.toArray(new Extension[0])));
isFirstCrlEntry = false;
}
// free the memory
allRevInfos.clear();
BigInteger crlNumber = caInfo.nextCrlNumber();
event.addEventData(CaAuditConstants.NAME_crlNumber, crlNumber);
boolean onlyUserCerts = crlControl.isOnlyContainsUserCerts();
boolean onlyCaCerts = crlControl.isOnlyContainsCaCerts();
if (onlyUserCerts && onlyCaCerts) {
throw new RuntimeException("should not reach here, onlyUserCerts and onlyCACerts are both true");
}
try {
// AuthorityKeyIdentifier
byte[] akiValues = directCrl ? caInfo.getPublicCaInfo().getSubjectKeyIdentifer() : crlSigner.getSubjectKeyIdentifier();
AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(akiValues);
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, aki);
// add extension CRL Number
crlBuilder.addExtension(Extension.cRLNumber, false, new ASN1Integer(crlNumber));
// IssuingDistributionPoint
if (onlyUserCerts || onlyCaCerts || !directCrl) {
IssuingDistributionPoint idp = new IssuingDistributionPoint(// distributionPoint,
(DistributionPointName) null, // onlyContainsUserCerts,
onlyUserCerts, // onlyContainsCACerts,
onlyCaCerts, // onlySomeReasons,
(ReasonFlags) null, // indirectCRL,
!directCrl, // onlyContainsAttributeCerts
false);
crlBuilder.addExtension(Extension.issuingDistributionPoint, true, idp);
}
// freshestCRL
List<String> deltaCrlUris = getCaInfo().getPublicCaInfo().getDeltaCrlUris();
if (control.getDeltaCrlIntervals() > 0 && CollectionUtil.isNonEmpty(deltaCrlUris)) {
CRLDistPoint cdp = CaUtil.createCrlDistributionPoints(deltaCrlUris, caInfo.getPublicCaInfo().getX500Subject(), crlIssuer);
crlBuilder.addExtension(Extension.freshestCRL, false, cdp);
}
} catch (CertIOException ex) {
LogUtil.error(LOG, ex, "crlBuilder.addExtension");
throw new OperationException(ErrorCode.INVALID_EXTENSION, ex);
}
addXipkiCertset(crlBuilder, deltaCrl, control, notExpireAt, onlyCaCerts, onlyUserCerts);
ConcurrentContentSigner concurrentSigner = (tmpCrlSigner == null) ? caInfo.getSigner(null) : tmpCrlSigner;
ConcurrentBagEntrySigner signer0;
try {
signer0 = concurrentSigner.borrowSigner();
} catch (NoIdleSignerException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, "NoIdleSignerException: " + ex.getMessage());
}
X509CRLHolder crlHolder;
try {
crlHolder = crlBuilder.build(signer0.value());
} finally {
concurrentSigner.requiteSigner(signer0);
}
try {
X509CRL crl = X509Util.toX509Crl(crlHolder.toASN1Structure());
caInfo.getCaEntry().setNextCrlNumber(crlNumber.longValue() + 1);
caManager.commitNextCrlNo(caIdent, caInfo.getCaEntry().getNextCrlNumber());
publishCrl(crl);
successful = true;
LOG.info("SUCCESSFUL generateCrl: ca={}, crlNumber={}, thisUpdate={}", caIdent, crlNumber, crl.getThisUpdate());
if (!deltaCrl) {
// clean up the CRL
cleanupCrlsWithoutException(msgId);
}
return crl;
} catch (CRLException | CertificateException ex) {
throw new OperationException(ErrorCode.CRL_FAILURE, ex);
}
} finally {
if (!successful) {
LOG.info(" FAILED generateCrl: ca={}", caIdent);
}
}
}
Also used :
CrlControl(org.xipki.ca.server.mgmt.api.x509.CrlControl)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
X509CRL(java.security.cert.X509CRL)
ArrayList(java.util.ArrayList)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
Extensions(org.bouncycastle.asn1.x509.Extensions)
NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
CrlReason(org.xipki.security.CrlReason)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
CRLException(java.security.cert.CRLException)
OperationException(org.xipki.ca.api.OperationException)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
CertIOException(org.bouncycastle.cert.CertIOException)
ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
Date(java.util.Date)
LinkedList(java.util.LinkedList)
Extension(org.bouncycastle.asn1.x509.Extension)
ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
Aggregations
OperationException (org.xipki.ca.api.OperationException)70
DERPrintableString (org.bouncycastle.asn1.DERPrintableString)20
CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)19
Date (java.util.Date)16
BigInteger (java.math.BigInteger)15
X509Certificate (java.security.cert.X509Certificate)15
CertificateException (java.security.cert.CertificateException)13
DERUTF8String (org.bouncycastle.asn1.DERUTF8String)13
X509Ca (org.xipki.ca.server.impl.X509Ca)13
PreparedStatement (java.sql.PreparedStatement)12
SQLException (java.sql.SQLException)12
IOException (java.io.IOException)11
X509CertificateInfo (org.xipki.ca.api.publisher.x509.X509CertificateInfo)11
DEROctetString (org.bouncycastle.asn1.DEROctetString)10
X500Name (org.bouncycastle.asn1.x500.X500Name)10
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)10
IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)10
CrlReason (org.xipki.security.CrlReason)10
AuditEvent (org.xipki.audit.AuditEvent)9
NameId (org.xipki.ca.api.NameId)9
