
Example 51 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method republishCertificates.

// method publishCertificate0
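/**
 * Republishes the CA certificate, its revocation (if any) and the certificates of this CA to
 * the given publishers.
 *
 * <p>The CA is switched to {@link CaStatus#INACTIVE} for the duration of the republishing and
 * its previous status is restored afterwards, whatever the outcome.
 *
 * @param publisherNames names of the publishers to republish to; {@code null} selects every
 *        publisher configured for this CA
 * @param numThreads number of threads handed to the {@link CertRepublisher}
 * @return {@code true} if there was nothing to publish or republishing succeeded; {@code false}
 *         if publishing the CA certificate or its revocation failed, or the republisher reported
 *         failure
 * @throws IllegalArgumentException if a named publisher is not configured for this CA
 */
public boolean republishCertificates(List<String> publisherNames, int numThreads) {
    List<IdentifiedX509CertPublisher> publishers = selectPublishers(publisherNames);
    if (CollectionUtil.isEmpty(publishers)) {
        return true;
    }

    CaStatus status = caInfo.getStatus();
    caInfo.setStatus(CaStatus.INACTIVE);
    // Everything after the status switch runs under this try so that the previous status is
    // restored even if clearing a publish queue throws an unchecked exception; previously only
    // the publishing part was guarded and the CA could be left INACTIVE.
    try {
        boolean onlyRevokedCerts = true;
        for (IdentifiedX509CertPublisher publisher : publishers) {
            if (publisher.publishsGoodCert()) {
                onlyRevokedCerts = false;
            }
            NameId publisherIdent = publisher.getIdent();
            try {
                LOG.info("clearing PublishQueue for publisher {}", publisherIdent);
                certstore.clearPublishQueue(caIdent, publisherIdent);
                LOG.info(" cleared PublishQueue for publisher {}", publisherIdent);
            } catch (OperationException ex) {
                // best effort: a queue that could not be cleared is logged and republishing goes on
                LogUtil.error(LOG, ex, "could not clear PublishQueue for publisher " + publisherIdent);
            }
        }

        for (IdentifiedX509CertPublisher publisher : publishers) {
            if (!publisher.caAdded(caCert)) {
                LOG.error("republish CA certificate {} to publisher {} failed", caIdent, publisher.getIdent());
                return false;
            }
        }

        if (caInfo.getRevocationInfo() != null) {
            for (IdentifiedX509CertPublisher publisher : publishers) {
                if (!publisher.caRevoked(caCert, caInfo.getRevocationInfo())) {
                    LOG.error("republishing CA revocation to publisher {} failed", publisher.getIdent());
                    return false;
                }
            }
        }

        CertRepublisher republisher = new CertRepublisher(caIdent, caCert, caIdNameMap, certstore, publishers, onlyRevokedCerts, numThreads);
        return republisher.republish();
    } finally {
        caInfo.setStatus(status);
    }
}

/**
 * Resolves publisher names to the publishers configured for this CA.
 *
 * @param publisherNames names to look up; {@code null} means all publishers
 * @return the matching publishers, in the order of {@code publisherNames}
 * @throws IllegalArgumentException if a name does not match any configured publisher
 */
private List<IdentifiedX509CertPublisher> selectPublishers(List<String> publisherNames) {
    if (publisherNames == null) {
        return publishers();
    }

    // look the configured publishers up once instead of once per requested name
    List<IdentifiedX509CertPublisher> configured = publishers();
    List<IdentifiedX509CertPublisher> selected = new ArrayList<>(publisherNames.size());
    for (String publisherName : publisherNames) {
        IdentifiedX509CertPublisher match = null;
        for (IdentifiedX509CertPublisher candidate : configured) {
            if (candidate.getIdent().getName().equals(publisherName)) {
                match = candidate;
                break;
            }
        }
        if (match == null) {
            throw new IllegalArgumentException("could not find publisher " + publisherName + " for CA " + caIdent);
        }
        selected.add(match);
    }
    return selected;
}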

Example 52 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method revokeCa.

// method shouldPublishToDeltaCrlCache
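/**
 * Revokes this CA: records the revocation info, revokes the CA's own certificate when the CA is
 * self-signed, and notifies every configured publisher.
 *
 * @param revocationInfo reason and invalidity time of the revocation; must not be {@code null}
 * @param msgId message id recorded in the audit event of the self-signed certificate revocation
 * @throws OperationException if revoking the self-signed CA certificate fails, or with
 *         {@link ErrorCode#SYSTEM_FAILURE} if at least one publisher could not be notified
 */
public void revokeCa(CertRevocationInfo revocationInfo, String msgId) throws OperationException {
    ParamUtil.requireNonNull("revocationInfo", revocationInfo);
    // NOTE(review): the revocation info is stored before the self-signed certificate is revoked,
    // so a failure below leaves caInfo marked revoked — confirm callers expect that.
    caInfo.setRevocationInfo(revocationInfo);

    if (caInfo.isSelfSigned()) {
        AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_revoke_cert, msgId);
        // Start pessimistic: if revokeCertificate0 throws, the audit event must record a failure;
        // initialising to true (as before) made an exception look like success in the audit log.
        boolean successful = false;
        try {
            X509CertWithRevocationInfo ret = revokeCertificate0(caInfo.getSerialNumber(), revocationInfo.getReason(), revocationInfo.getInvalidityTime(), true, event);
            successful = (ret != null);
        } finally {
            finish(event, successful);
        }
    }

    boolean failed = false;
    for (IdentifiedX509CertPublisher publisher : publishers()) {
        NameId ident = publisher.getIdent();
        if (publisher.caRevoked(caCert, revocationInfo)) {
            LOG.info("published event caRevoked of CA {} to publisher {}", caIdent, ident);
        } else {
            // keep notifying the remaining publishers; the failure is reported once at the end
            failed = true;
            LOG.error("could not publish event caRevoked of CA {} to publisher {}", caIdent, ident);
        }
    }

    if (failed) {
        final String message = "could not publish event caRevoked of CA " + caIdent + " to at least one publisher";
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, message);
    }
}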

Example 53 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method revokeSuspendedCerts0.

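/**
 * Revokes all certificates of this CA that have been suspended for longer than the "unchanged
 * since" period of the CA's revoke-suspended-certs control, using that control's target reason.
 *
 * <p>Suspended serials are fetched from the certificate store in batches of 100 and revoked one
 * by one; the loop ends when the store returns no further matching serials.
 *
 * @param event audit event of the surrounding operation; not referenced by this method
 * @param msgId message id passed on to {@link #revokeSuspendedCert}
 * @return the number of certificates revoked
 * @throws OperationException with {@link ErrorCode#NOT_PERMITTED} when the CA runs in slave
 *         mode, or whatever {@link #revokeSuspendedCert} throws (the count revoked so far is
 *         logged before rethrowing)
 */
private int revokeSuspendedCerts0(AuditEvent event, String msgId) throws OperationException {
    if (!masterMode) {
        // message now names this operation; it used to talk about removing expired certificates
        throw new OperationException(ErrorCode.NOT_PERMITTED, "CA could not revoke suspended certificates in slave mode");
    }

    final int numEntries = 100;
    CertValidity val = caInfo.revokeSuspendedCertsControl().getUnchangedSince();
    long ms;
    switch (val.getUnit()) {
        case DAY:
            ms = val.getValidity() * DAY_IN_MS;
            break;
        case HOUR:
            ms = val.getValidity() * DAY_IN_MS / 24;
            break;
        case YEAR:
            // multiply as long from the start so a large validity cannot overflow an int product
            ms = val.getValidity() * 365L * DAY_IN_MS;
            break;
        default:
            throw new RuntimeException("should not reach here, unknown Validity Unit " + val.getUnit());
    }

    // the threshold is handed to the store in seconds, hence the division of the millisecond clock
    final long latestLastUpdatedAt = (System.currentTimeMillis() - ms) / 1000;
    final CrlReason reason = caInfo.revokeSuspendedCertsControl().getTargetReason();

    int sum = 0;
    while (true) {
        List<BigInteger> serials = certstore.getSuspendedCertSerials(caIdent, latestLastUpdatedAt, numEntries);
        if (CollectionUtil.isEmpty(serials)) {
            return sum;
        }
        // NOTE(review): the query is not cursor-based; if revokeSuspendedCert() returns null
        // without changing the certificate's state, the same serials come back on the next round
        // — confirm a null result cannot occur for a serial the store still reports as suspended.
        for (BigInteger serial : serials) {
            try {
                if (revokeSuspendedCert(serial, reason, msgId) != null) {
                    sum++;
                }
            } catch (OperationException ex) {
                LOG.info("revoked {} suspended certificates of CA {}", sum, caIdent);
                LogUtil.error(LOG, ex, "could not revoke suspended certificate with serial " + serial);
                throw ex;
            }
        }
    }
}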

Example 54 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method removeCertificate.

// method unrevokeCertificate
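/**
 * Removes the certificate with the given serial number from this CA's store, under an audit
 * event of type {@code TYPE_remove_cert}.
 *
 * @param serialNumber serial of the certificate to remove
 * @param msgId message id recorded in the audit event
 * @return the removed certificate, or {@code null} if {@link #removeCertificate0} returned none
 * @throws OperationException with {@link ErrorCode#NOT_PERMITTED} when the serial is that of a
 *         self-signed CA's own certificate, or whatever {@link #removeCertificate0} throws
 */
public X509CertWithDbId removeCertificate(BigInteger serialNumber, String msgId) throws OperationException {
    if (caInfo.isSelfSigned() && caInfo.getSerialNumber().equals(serialNumber)) {
        throw new OperationException(ErrorCode.NOT_PERMITTED, "insufficient permission remove CA certificate");
    }

    AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_remove_cert, msgId);
    // Start pessimistic: if removeCertificate0 throws, the audit event must record a failure;
    // initialising to true (as before) made an exception look like success in the audit log.
    boolean successful = false;
    try {
        X509CertWithDbId ret = removeCertificate0(serialNumber, event);
        successful = (ret != null);
        return ret;
    } finally {
        finish(event, successful);
    }
}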

Example 55 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method addXipkiCertset.

// method generateCrl
/**
 * Adds the XiPKI private CRL extension CrlCertSet, enumerating the certificates of this CA that
 * have not expired at {@code notExpireAt}.
 *
 * <pre>
 * Xipki-CrlCertSet ::= SET OF Xipki-CrlCert
 *
 * Xipki-CrlCert ::= SEQUENCE {
 *         serial            INTEGER
 *         cert        [0] EXPLICIT    Certificate OPTIONAL
 *         profileName [1] EXPLICIT    UTF8String    OPTIONAL
 *         }
 * </pre>
 *
 * <p>Nothing is added for a delta CRL or when {@code control} does not request the extension.
 * Whether each entry carries the full certificate and/or the profile name is also taken from
 * {@code control}. Serials are read from the store in pages of 100, ordered by record id.
 *
 * @param crlBuilder builder the extension is added to (non-critical)
 * @param deltaCrl whether a delta CRL is being built
 * @param control CRL control deciding what the extension contains
 * @param notExpireAt only certificates still valid at this time are listed
 * @param onlyCaCerts restrict the listing to CA certificates
 * @param onlyUserCerts restrict the listing to end-entity certificates
 * @throws OperationException with {@link ErrorCode#SYSTEM_FAILURE} if a certificate cannot be
 *         loaded, or {@link ErrorCode#INVALID_EXTENSION} if the builder rejects the extension
 */
private void addXipkiCertset(X509v2CRLBuilder crlBuilder, boolean deltaCrl, CrlControl control, Date notExpireAt, boolean onlyCaCerts, boolean onlyUserCerts) throws OperationException {
    boolean wanted = !deltaCrl && control.isXipkiCertsetIncluded();
    if (!wanted) {
        return;
    }

    final int pageSize = 100;
    ASN1EncodableVector certSet = new ASN1EncodableVector();
    long nextStartId = 1;
    int pageLength;
    do {
        List<SerialWithId> page = certstore.getCertSerials(caIdent, notExpireAt, nextStartId, pageSize, false, onlyCaCerts, onlyUserCerts);
        long highestId = 1;
        for (SerialWithId sid : page) {
            highestId = Math.max(highestId, sid.getId());
            certSet.add(crlCertEntry(sid, control));
        }
        // the next page starts right after the highest id seen so far
        nextStartId = highestId + 1;
        pageLength = page.size();
    } while (pageLength >= pageSize);

    try {
        crlBuilder.addExtension(ObjectIdentifiers.id_xipki_ext_crlCertset, false, new DERSet(certSet));
    } catch (CertIOException ex) {
        throw new OperationException(ErrorCode.INVALID_EXTENSION, "CertIOException: " + ex.getMessage());
    }
}

/**
 * Builds one Xipki-CrlCert SEQUENCE for the given serial, with the optional certificate and
 * profile name as requested by {@code control}.
 *
 * @param sid serial and store id of the certificate
 * @param control CRL control deciding which optional fields are filled
 * @return the encoded entry
 * @throws OperationException with {@link ErrorCode#SYSTEM_FAILURE} if the certificate cannot be
 *         loaded from the store
 */
private DERSequence crlCertEntry(SerialWithId sid, CrlControl control) throws OperationException {
    ASN1EncodableVector entry = new ASN1EncodableVector();
    entry.add(new ASN1Integer(sid.getSerial()));

    Integer profileId = null;
    if (control.isXipkiCertsetCertIncluded()) {
        X509CertificateInfo certInfo;
        try {
            certInfo = certstore.getCertificateInfoForId(caIdent, caCert, sid.getId(), caIdNameMap);
        } catch (CertificateException ex) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "CertificateException: " + ex.getMessage());
        }
        Certificate cert = Certificate.getInstance(certInfo.getCert().getEncodedCert());
        entry.add(new DERTaggedObject(true, 0, cert));
        if (control.isXipkiCertsetProfilenameIncluded()) {
            // the profile id is already part of the loaded certificate info
            profileId = certInfo.getProfile().getId();
        }
    } else if (control.isXipkiCertsetProfilenameIncluded()) {
        profileId = certstore.getCertProfileForId(caIdent, sid.getId());
    }

    if (profileId != null) {
        // NOTE(review): getCertprofileName() returning null would fail inside DERUTF8String — confirm the map is complete
        String profileName = caIdNameMap.getCertprofileName(profileId);
        entry.add(new DERTaggedObject(true, 1, new DERUTF8String(profileName)));
    }
    return new DERSequence(entry);
}
