Search in sources :

Example 46 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509CaCmpResponderImpl method getSystemInfo.

// method checkPermission
private String getSystemInfo(CmpRequestorInfo requestor, Set<Integer> acceptVersions) throws OperationException {
    X509Ca ca = getCa();
    StringBuilder sb = new StringBuilder(2000);
    // current maximal support version is 2
    int version = 2;
    if (CollectionUtil.isNonEmpty(acceptVersions) && !acceptVersions.contains(version)) {
        Integer ver = null;
        for (Integer m : acceptVersions) {
            if (m < version) {
                ver = m;
            }
        }
        if (ver == null) {
            throw new OperationException(ErrorCode.BAD_REQUEST, "none of versions " + acceptVersions + " is supported");
        } else {
            version = ver;
        }
    }
    sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>");
    sb.append("<systemInfo version=\"").append(version).append("\">");
    if (version == 2) {
        // CACert
        sb.append("<CACert>");
        sb.append(Base64.encodeToString(ca.getCaInfo().getCert().getEncodedCert()));
        sb.append("</CACert>");
        // CMP control
        sb.append("<cmpControl>");
        sb.append("<rrAkiRequired>").append(getCmpControl().isRrAkiRequired()).append("</rrAkiRequired>");
        sb.append("</cmpControl>");
        // Profiles
        Set<String> requestorProfiles = requestor.getCaHasRequestor().getProfiles();
        Set<String> supportedProfileNames = new HashSet<>();
        Set<String> caProfileNames = ca.caManager().getCertprofilesForCa(ca.getCaInfo().getIdent().getName());
        for (String caProfileName : caProfileNames) {
            if (requestorProfiles.contains("all") || requestorProfiles.contains(caProfileName)) {
                supportedProfileNames.add(caProfileName);
            }
        }
        if (CollectionUtil.isNonEmpty(supportedProfileNames)) {
            sb.append("<certprofiles>");
            for (String name : supportedProfileNames) {
                CertprofileEntry entry = ca.caManager().getCertprofile(name);
                if (entry.isFaulty()) {
                    continue;
                }
                sb.append("<certprofile>");
                sb.append("<name>").append(name).append("</name>");
                sb.append("<type>").append(entry.getType()).append("</type>");
                sb.append("<conf>");
                String conf = entry.getConf();
                if (StringUtil.isNotBlank(conf)) {
                    sb.append("<![CDATA[");
                    sb.append(conf);
                    sb.append("]]>");
                }
                sb.append("</conf>");
                sb.append("</certprofile>");
            }
            sb.append("</certprofiles>");
        }
        sb.append("</systemInfo>");
    } else {
        throw new OperationException(ErrorCode.BAD_REQUEST, "unsupported version " + version);
    }
    return sb.toString();
}
Also used : ASN1Integer(org.bouncycastle.asn1.ASN1Integer) BigInteger(java.math.BigInteger) X509Ca(org.xipki.ca.server.impl.X509Ca) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) OperationException(org.xipki.ca.api.OperationException) HashSet(java.util.HashSet) CertprofileEntry(org.xipki.ca.server.mgmt.api.CertprofileEntry)

Example 47 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509CaCmpResponderImpl method revokeCert.

public void revokeCert(CmpRequestorInfo requestor, BigInteger serialNumber, CrlReason reason, Date invalidityDate, RequestType reqType, String msgId) throws OperationException {
    ParamUtil.requireNonNull("requestor", requestor);
    int permission;
    if (reason == CrlReason.REMOVE_FROM_CRL) {
        permission = PermissionConstants.UNREVOKE_CERT;
    } else {
        permission = PermissionConstants.REVOKE_CERT;
    }
    try {
        checkPermission(requestor, permission);
    } catch (InsuffientPermissionException ex) {
        throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
    }
    X509Ca ca = getCa();
    Object returnedObj;
    if (PermissionConstants.UNREVOKE_CERT == permission) {
        // unrevoke
        returnedObj = ca.unrevokeCertificate(serialNumber, msgId);
    } else {
        returnedObj = ca.revokeCertificate(serialNumber, reason, invalidityDate, msgId);
    }
    if (returnedObj == null) {
        throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
    }
}
Also used : X509Ca(org.xipki.ca.server.impl.X509Ca) InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException) OperationException(org.xipki.ca.api.OperationException)

Example 48 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method getCrl.

public X509CRL getCrl(BigInteger crlNumber) throws OperationException {
    LOG.info("     START getCrl: ca={}, crlNumber={}", caIdent, crlNumber);
    boolean successful = false;
    try {
        byte[] encodedCrl = certstore.getEncodedCrl(caIdent, crlNumber);
        if (encodedCrl == null) {
            return null;
        }
        try {
            X509CRL crl = X509Util.parseCrl(encodedCrl);
            successful = true;
            if (LOG.isInfoEnabled()) {
                String timeStr = new Time(crl.getThisUpdate()).getTime();
                LOG.info("SUCCESSFUL getCrl: ca={}, thisUpdate={}", caIdent, timeStr);
            }
            return crl;
        } catch (CRLException | CertificateException ex) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
        } catch (RuntimeException ex) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
        }
    } finally {
        if (!successful) {
            LOG.info("    FAILED getCrl: ca={}", caIdent);
        }
    }
}
Also used : X509CRL(java.security.cert.X509CRL) ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime) Time(org.bouncycastle.asn1.x509.Time) CertificateException(java.security.cert.CertificateException) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) CRLException(java.security.cert.CRLException) OperationException(org.xipki.ca.api.OperationException)

Example 49 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method cleanupCrls.

private void cleanupCrls(String msgId) throws OperationException {
    int numCrls = caInfo.getNumCrls();
    LOG.info("     START cleanupCrls: ca={}, numCrls={}", caIdent, numCrls);
    boolean successful = false;
    AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_cleanup_crl, msgId);
    try {
        int num = (numCrls <= 0) ? 0 : certstore.cleanupCrls(caIdent, caInfo.getNumCrls());
        successful = true;
        event.addEventData(CaAuditConstants.NAME_num, num);
        LOG.info("SUCCESSFUL cleanupCrls: ca={}, num={}", caIdent, num);
    } catch (RuntimeException ex) {
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    } finally {
        if (!successful) {
            LOG.info("    FAILED cleanupCrls: ca={}", caIdent);
        }
        finish(event, successful);
    }
}
Also used : AuditEvent(org.xipki.audit.AuditEvent) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) OperationException(org.xipki.ca.api.OperationException)

Example 50 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method generateCrl0.

private X509CRL generateCrl0(boolean deltaCrl, Date thisUpdate, Date nextUpdate, AuditEvent event, String msgId) throws OperationException {
    X509CrlSignerEntryWrapper crlSigner = getCrlSigner();
    if (crlSigner == null) {
        throw new OperationException(ErrorCode.NOT_PERMITTED, "CRL generation is not allowed");
    }
    LOG.info("     START generateCrl: ca={}, deltaCRL={}, nextUpdate={}", caIdent, deltaCrl, nextUpdate);
    event.addEventData(CaAuditConstants.NAME_crlType, deltaCrl ? "DELTA_CRL" : "FULL_CRL");
    if (nextUpdate == null) {
        event.addEventData(CaAuditConstants.NAME_nextUpdate, "null");
    } else {
        event.addEventData(CaAuditConstants.NAME_nextUpdate, DateUtil.toUtcTimeyyyyMMddhhmmss(nextUpdate));
        if (nextUpdate.getTime() - thisUpdate.getTime() < 10 * 60 * MS_PER_SECOND) {
            // less than 10 minutes
            throw new OperationException(ErrorCode.CRL_FAILURE, "nextUpdate and thisUpdate are too close");
        }
    }
    CrlControl crlControl = crlSigner.getCrlControl();
    boolean successful = false;
    try {
        ConcurrentContentSigner tmpCrlSigner = crlSigner.getSigner();
        CrlControl control = crlSigner.getCrlControl();
        boolean directCrl;
        X500Name crlIssuer;
        if (tmpCrlSigner == null) {
            directCrl = true;
            crlIssuer = caInfo.getPublicCaInfo().getX500Subject();
        } else {
            directCrl = false;
            crlIssuer = X500Name.getInstance(tmpCrlSigner.getCertificate().getSubjectX500Principal().getEncoded());
        }
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, thisUpdate);
        if (nextUpdate != null) {
            crlBuilder.setNextUpdate(nextUpdate);
        }
        final int numEntries = 100;
        Date notExpireAt;
        if (control.isIncludeExpiredCerts()) {
            notExpireAt = new Date(0);
        } else {
            // 10 minutes buffer
            notExpireAt = new Date(thisUpdate.getTime() - 600L * MS_PER_SECOND);
        }
        long startId = 1;
        // we have to cache the serial entries to sort them
        List<CertRevInfoWithSerial> allRevInfos = new LinkedList<>();
        List<CertRevInfoWithSerial> revInfos;
        do {
            if (deltaCrl) {
                revInfos = certstore.getCertsForDeltaCrl(caIdent, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts());
            } else {
                revInfos = certstore.getRevokedCerts(caIdent, notExpireAt, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts());
            }
            allRevInfos.addAll(revInfos);
            long maxId = 1;
            for (CertRevInfoWithSerial revInfo : revInfos) {
                if (revInfo.getId() > maxId) {
                    maxId = revInfo.getId();
                }
            }
            // end for
            startId = maxId + 1;
        } while (// end do
        revInfos.size() >= numEntries);
        if (revInfos != null) {
            // free the memory
            revInfos.clear();
        }
        // sort the list by SerialNumber ASC
        Collections.sort(allRevInfos);
        boolean isFirstCrlEntry = true;
        for (CertRevInfoWithSerial revInfo : allRevInfos) {
            CrlReason reason = revInfo.getReason();
            if (crlControl.isExcludeReason() && reason != CrlReason.REMOVE_FROM_CRL) {
                reason = CrlReason.UNSPECIFIED;
            }
            Date revocationTime = revInfo.getRevocationTime();
            Date invalidityTime = revInfo.getInvalidityTime();
            switch(crlControl.getInvalidityDateMode()) {
                case FORBIDDEN:
                    invalidityTime = null;
                    break;
                case OPTIONAL:
                    break;
                case REQUIRED:
                    if (invalidityTime == null) {
                        invalidityTime = revocationTime;
                    }
                    break;
                default:
                    throw new RuntimeException("unknown TripleState: " + crlControl.getInvalidityDateMode());
            }
            BigInteger serial = revInfo.getSerial();
            LOG.debug("added cert ca={} serial={} to CRL", caIdent, serial);
            if (directCrl || !isFirstCrlEntry) {
                if (invalidityTime != null) {
                    crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode(), invalidityTime);
                } else {
                    crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode());
                }
                continue;
            }
            List<Extension> extensions = new ArrayList<>(3);
            if (reason != CrlReason.UNSPECIFIED) {
                Extension ext = createReasonExtension(reason.getCode());
                extensions.add(ext);
            }
            if (invalidityTime != null) {
                Extension ext = createInvalidityDateExtension(invalidityTime);
                extensions.add(ext);
            }
            Extension ext = createCertificateIssuerExtension(caInfo.getPublicCaInfo().getX500Subject());
            extensions.add(ext);
            crlBuilder.addCRLEntry(serial, revocationTime, new Extensions(extensions.toArray(new Extension[0])));
            isFirstCrlEntry = false;
        }
        // free the memory
        allRevInfos.clear();
        BigInteger crlNumber = caInfo.nextCrlNumber();
        event.addEventData(CaAuditConstants.NAME_crlNumber, crlNumber);
        boolean onlyUserCerts = crlControl.isOnlyContainsUserCerts();
        boolean onlyCaCerts = crlControl.isOnlyContainsCaCerts();
        if (onlyUserCerts && onlyCaCerts) {
            throw new RuntimeException("should not reach here, onlyUserCerts and onlyCACerts are both true");
        }
        try {
            // AuthorityKeyIdentifier
            byte[] akiValues = directCrl ? caInfo.getPublicCaInfo().getSubjectKeyIdentifer() : crlSigner.getSubjectKeyIdentifier();
            AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(akiValues);
            crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, aki);
            // add extension CRL Number
            crlBuilder.addExtension(Extension.cRLNumber, false, new ASN1Integer(crlNumber));
            // IssuingDistributionPoint
            if (onlyUserCerts || onlyCaCerts || !directCrl) {
                IssuingDistributionPoint idp = new IssuingDistributionPoint(// distributionPoint,
                (DistributionPointName) null, // onlyContainsUserCerts,
                onlyUserCerts, // onlyContainsCACerts,
                onlyCaCerts, // onlySomeReasons,
                (ReasonFlags) null, // indirectCRL,
                !directCrl, // onlyContainsAttributeCerts
                false);
                crlBuilder.addExtension(Extension.issuingDistributionPoint, true, idp);
            }
            // freshestCRL
            List<String> deltaCrlUris = getCaInfo().getPublicCaInfo().getDeltaCrlUris();
            if (control.getDeltaCrlIntervals() > 0 && CollectionUtil.isNonEmpty(deltaCrlUris)) {
                CRLDistPoint cdp = CaUtil.createCrlDistributionPoints(deltaCrlUris, caInfo.getPublicCaInfo().getX500Subject(), crlIssuer);
                crlBuilder.addExtension(Extension.freshestCRL, false, cdp);
            }
        } catch (CertIOException ex) {
            LogUtil.error(LOG, ex, "crlBuilder.addExtension");
            throw new OperationException(ErrorCode.INVALID_EXTENSION, ex);
        }
        addXipkiCertset(crlBuilder, deltaCrl, control, notExpireAt, onlyCaCerts, onlyUserCerts);
        ConcurrentContentSigner concurrentSigner = (tmpCrlSigner == null) ? caInfo.getSigner(null) : tmpCrlSigner;
        ConcurrentBagEntrySigner signer0;
        try {
            signer0 = concurrentSigner.borrowSigner();
        } catch (NoIdleSignerException ex) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "NoIdleSignerException: " + ex.getMessage());
        }
        X509CRLHolder crlHolder;
        try {
            crlHolder = crlBuilder.build(signer0.value());
        } finally {
            concurrentSigner.requiteSigner(signer0);
        }
        try {
            X509CRL crl = X509Util.toX509Crl(crlHolder.toASN1Structure());
            caInfo.getCaEntry().setNextCrlNumber(crlNumber.longValue() + 1);
            caManager.commitNextCrlNo(caIdent, caInfo.getCaEntry().getNextCrlNumber());
            publishCrl(crl);
            successful = true;
            LOG.info("SUCCESSFUL generateCrl: ca={}, crlNumber={}, thisUpdate={}", caIdent, crlNumber, crl.getThisUpdate());
            if (!deltaCrl) {
                // clean up the CRL
                cleanupCrlsWithoutException(msgId);
            }
            return crl;
        } catch (CRLException | CertificateException ex) {
            throw new OperationException(ErrorCode.CRL_FAILURE, ex);
        }
    } finally {
        if (!successful) {
            LOG.info("    FAILED generateCrl: ca={}", caIdent);
        }
    }
}
Also used : CrlControl(org.xipki.ca.server.mgmt.api.x509.CrlControl) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) X509CRL(java.security.cert.X509CRL) ArrayList(java.util.ArrayList) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) CertificateException(java.security.cert.CertificateException) X500Name(org.bouncycastle.asn1.x500.X500Name) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) Extensions(org.bouncycastle.asn1.x509.Extensions) NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) CrlReason(org.xipki.security.CrlReason) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) CRLException(java.security.cert.CRLException) OperationException(org.xipki.ca.api.OperationException) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) CertIOException(org.bouncycastle.cert.CertIOException) ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) Date(java.util.Date) LinkedList(java.util.LinkedList) Extension(org.bouncycastle.asn1.x509.Extension) ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger)

Aggregations

OperationException (org.xipki.ca.api.OperationException)70 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)20 CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)19 Date (java.util.Date)16 BigInteger (java.math.BigInteger)15 X509Certificate (java.security.cert.X509Certificate)15 CertificateException (java.security.cert.CertificateException)13 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)13 X509Ca (org.xipki.ca.server.impl.X509Ca)13 PreparedStatement (java.sql.PreparedStatement)12 SQLException (java.sql.SQLException)12 IOException (java.io.IOException)11 X509CertificateInfo (org.xipki.ca.api.publisher.x509.X509CertificateInfo)11 DEROctetString (org.bouncycastle.asn1.DEROctetString)10 X500Name (org.bouncycastle.asn1.x500.X500Name)10 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)10 IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)10 CrlReason (org.xipki.security.CrlReason)10 AuditEvent (org.xipki.audit.AuditEvent)9 NameId (org.xipki.ca.api.NameId)9