use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method republishCertificates.
// method publishCertificate0
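/**
 * Republishes the CA certificate, the CA revocation (if any) and the certificates of this CA
 * to the selected publishers.
 *
 * <p>The CA status is switched to {@link CaStatus#INACTIVE} while the publish queues are
 * cleared and rebuilt, so that nothing is issued while the publishers are in an intermediate
 * state; the previous status is restored in a {@code finally} block that also covers the
 * queue-clearing phase, so an unchecked exception cannot leave the CA stuck as INACTIVE.
 *
 * @param publisherNames names of the publishers to republish to; {@code null} selects all
 *        publishers of this CA
 * @param numThreads number of threads handed to the {@link CertRepublisher}
 * @return {@code true} if every selected publisher accepted the CA certificate, the CA
 *         revocation and the republished certificates (also when no publisher is selected);
 *         {@code false} as soon as one publisher rejects the CA certificate or CA revocation
 * @throws IllegalArgumentException if a name in {@code publisherNames} is not a publisher of
 *         this CA
 */
public boolean republishCertificates(List<String> publisherNames, int numThreads) {
  List<IdentifiedX509CertPublisher> publishers = selectPublishers(publisherNames);
  if (CollectionUtil.isEmpty(publishers)) {
    return true;
  }

  CaStatus status = caInfo.getStatus();
  caInfo.setStatus(CaStatus.INACTIVE);
  try {
    // Only republish revoked certificates when none of the selected publishers wants good
    // (unrevoked) certificates.
    boolean onlyRevokedCerts = true;
    for (IdentifiedX509CertPublisher publisher : publishers) {
      if (publisher.publishsGoodCert()) {
        onlyRevokedCerts = false;
      }
      clearPublishQueueQuietly(publisher.getIdent());
    }

    for (IdentifiedX509CertPublisher publisher : publishers) {
      if (!publisher.caAdded(caCert)) {
        LOG.error("republish CA certificate {} to publisher {} failed", caIdent,
            publisher.getIdent());
        return false;
      }
    }

    if (caInfo.getRevocationInfo() != null) {
      for (IdentifiedX509CertPublisher publisher : publishers) {
        if (!publisher.caRevoked(caCert, caInfo.getRevocationInfo())) {
          LOG.error("republishing CA revocation to publisher {} failed", publisher.getIdent());
          return false;
        }
      }
    }

    CertRepublisher republisher = new CertRepublisher(caIdent, caCert, caIdNameMap, certstore,
        publishers, onlyRevokedCerts, numThreads);
    return republisher.republish();
  } finally {
    caInfo.setStatus(status);
  }
}

/**
 * Resolves publisher names to this CA's publishers, in the given order.
 *
 * @param publisherNames names to resolve; {@code null} selects all publishers of this CA
 * @return the selected publishers
 * @throws IllegalArgumentException if a name does not belong to a publisher of this CA
 */
private List<IdentifiedX509CertPublisher> selectPublishers(List<String> publisherNames) {
  List<IdentifiedX509CertPublisher> allPublishers = publishers();
  if (publisherNames == null) {
    return allPublishers;
  }

  List<IdentifiedX509CertPublisher> selected = new ArrayList<>(publisherNames.size());
  for (String publisherName : publisherNames) {
    IdentifiedX509CertPublisher match = null;
    for (IdentifiedX509CertPublisher candidate : allPublishers) {
      if (candidate.getIdent().getName().equals(publisherName)) {
        match = candidate;
        break;
      }
    }
    if (match == null) {
      throw new IllegalArgumentException(
          "could not find publisher " + publisherName + " for CA " + caIdent);
    }
    selected.add(match);
  }
  return selected;
}

/**
 * Clears the publish queue of one publisher. A failure is logged and otherwise ignored:
 * clearing the queue is best-effort, the republishing itself still runs.
 *
 * @param publisherIdent identifier of the publisher whose queue is cleared
 */
private void clearPublishQueueQuietly(NameId publisherIdent) {
  try {
    LOG.info("clearing PublishQueue for publisher {}", publisherIdent);
    certstore.clearPublishQueue(caIdent, publisherIdent);
    LOG.info(" cleared PublishQueue for publisher {}", publisherIdent);
  } catch (OperationException ex) {
    LogUtil.error(LOG, ex, "could not clear PublishQueue for publisher " + publisherIdent);
  }
}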
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method revokeCa.
// method shouldPublishToDeltaCrlCache
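/**
 * Revokes this CA: records the revocation in {@code caInfo}, revokes the CA's own certificate
 * if the CA is self-signed, and publishes the {@code caRevoked} event to all publishers.
 *
 * @param revocationInfo reason and invalidity time of the revocation; must not be {@code null}
 * @param msgId message identifier used for the audit event
 * @throws OperationException with {@link ErrorCode#SYSTEM_FAILURE} if at least one publisher
 *         did not accept the {@code caRevoked} event, or if revoking the self-signed CA
 *         certificate fails
 */
public void revokeCa(CertRevocationInfo revocationInfo, String msgId) throws OperationException {
  ParamUtil.requireNonNull("revocationInfo", revocationInfo);
  caInfo.setRevocationInfo(revocationInfo);

  if (caInfo.isSelfSigned()) {
    AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_revoke_cert, msgId);
    // Start pessimistic: if revokeCertificate0 throws, the flag keeps its initial value, so
    // the audit event is not recorded as successful (assumes finish() maps this flag to the
    // audit status - confirm).
    boolean successful = false;
    try {
      X509CertWithRevocationInfo ret = revokeCertificate0(caInfo.getSerialNumber(),
          revocationInfo.getReason(), revocationInfo.getInvalidityTime(), true, event);
      successful = (ret != null);
    } finally {
      finish(event, successful);
    }
  }

  // Every publisher is notified even if an earlier one failed; the failure is reported once
  // at the end.
  boolean failed = false;
  for (IdentifiedX509CertPublisher publisher : publishers()) {
    NameId ident = publisher.getIdent();
    if (publisher.caRevoked(caCert, revocationInfo)) {
      LOG.info("published event caRevoked of CA {} to publisher {}", caIdent, ident);
    } else {
      failed = true;
      LOG.error("could not publish event caRevoked of CA {} to publisher {}", caIdent, ident);
    }
  }

  if (failed) {
    final String message = "could not publish event caRevoked of CA " + caIdent
        + " to at least one publisher";
    throw new OperationException(ErrorCode.SYSTEM_FAILURE, message);
  }
}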
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method revokeSuspendedCerts0.
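/**
 * Revokes the certificates of this CA that have been suspended for longer than the
 * {@code unchangedSince} period of the CA's revoke-suspended-certs control, using the control's
 * target reason. Serial numbers are fetched from the certstore in batches of 100.
 *
 * @param event audit event of the enclosing operation; not used by this method itself
 * @param msgId message identifier passed on to {@code revokeSuspendedCert}
 * @return the number of certificates that were revoked
 * @throws OperationException with {@link ErrorCode#NOT_PERMITTED} when the CA is not in master
 *         mode, or the exception of the first failed revocation (after logging the count so far)
 */
private int revokeSuspendedCerts0(AuditEvent event, String msgId) throws OperationException {
  if (!masterMode) {
    throw new OperationException(ErrorCode.NOT_PERMITTED,
        "CA could not revoke suspended certificates in slave mode");
  }

  final int numEntries = 100;
  CertValidity val = caInfo.revokeSuspendedCertsControl().getUnchangedSince();
  long ms = unchangedSinceToMillis(val);
  // the certstore keeps last-update timestamps in seconds
  final long latestLastUpdatedAt = (System.currentTimeMillis() - ms) / 1000;
  final CrlReason reason = caInfo.revokeSuspendedCertsControl().getTargetReason();

  // NOTE(review): termination relies on every serial returned by getSuspendedCertSerials
  // leaving the suspended set once revokeSuspendedCert has handled it; a serial that stays
  // suspended (revokeSuspendedCert returning null) would be returned again - confirm.
  int sum = 0;
  while (true) {
    List<BigInteger> serials = certstore.getSuspendedCertSerials(caIdent, latestLastUpdatedAt,
        numEntries);
    if (CollectionUtil.isEmpty(serials)) {
      return sum;
    }

    for (BigInteger serial : serials) {
      try {
        if (revokeSuspendedCert(serial, reason, msgId) != null) {
          sum++;
        }
      } catch (OperationException ex) {
        LOG.info("revoked {} suspended certificates of CA {}", sum, caIdent);
        LogUtil.error(LOG, ex, "could not revoke suspended certificate with serial " + serial);
        throw ex;
      }
    }
  }
}

/**
 * Converts a validity period to milliseconds (DAY, HOUR and YEAR units; a year counts as
 * 365 days).
 *
 * @param val the period to convert
 * @return the period in milliseconds
 * @throws RuntimeException if the unit is not one of the handled ones
 */
private long unchangedSinceToMillis(CertValidity val) {
  switch (val.getUnit()) {
    case DAY:
      return val.getValidity() * DAY_IN_MS;
    case HOUR:
      return val.getValidity() * DAY_IN_MS / 24;
    case YEAR:
      return val.getValidity() * 365 * DAY_IN_MS;
    default:
      throw new RuntimeException("should not reach here, unknown Validity Unit " + val.getUnit());
  }
}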
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method removeCertificate.
// method unrevokeCertificate
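/**
 * Removes the certificate with the given serial number from this CA and writes an audit event
 * for the operation.
 *
 * @param serialNumber serial number of the certificate to remove
 * @param msgId message identifier used for the audit event
 * @return the removed certificate as returned by {@code removeCertificate0}, which may be
 *         {@code null}
 * @throws OperationException with {@link ErrorCode#NOT_PERMITTED} if the serial number is the
 *         one of a self-signed CA's own certificate, or whatever {@code removeCertificate0} throws
 */
public X509CertWithDbId removeCertificate(BigInteger serialNumber, String msgId)
    throws OperationException {
  // The CA's own certificate must never be removed through this API.
  if (caInfo.isSelfSigned() && caInfo.getSerialNumber().equals(serialNumber)) {
    throw new OperationException(ErrorCode.NOT_PERMITTED,
        "insufficient permission to remove CA certificate");
  }

  AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_remove_cert, msgId);
  // Start pessimistic: if removeCertificate0 throws, the flag keeps its initial value, so the
  // audit event is not recorded as successful (assumes finish() maps this flag to the audit
  // status - confirm).
  boolean successful = false;
  try {
    X509CertWithDbId ret = removeCertificate0(serialNumber, event);
    successful = (ret != null);
    return ret;
  } finally {
    finish(event, successful);
  }
}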
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509Ca method addXipkiCertset.
// method generateCrl
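/**
 * Adds the XiPKI extension CrlCertSet (OID {@code ObjectIdentifiers.id_xipki_ext_crlCertset},
 * non-critical) to the CRL being built. Nothing is added for a delta CRL or when the CRL
 * control does not request the cert set.
 *
 * <pre>
 * Xipki-CrlCertSet ::= SET OF Xipki-CrlCert
 *
 * Xipki-CrlCert ::= SEQUENCE {
 * serial INTEGER
 * cert [0] EXPLICIT Certificate OPTIONAL
 * profileName [1] EXPLICIT UTF8String OPTIONAL
 * }
 * </pre>
 *
 * @param crlBuilder the CRL under construction
 * @param deltaCrl whether a delta CRL is being built (no cert set is added then)
 * @param control CRL control deciding whether the set, the certificate and the profile name
 *        are included
 * @param notExpireAt passed to the certstore to select the serials
 * @param onlyCaCerts passed to the certstore to select the serials
 * @param onlyUserCerts passed to the certstore to select the serials
 * @throws OperationException with {@link ErrorCode#SYSTEM_FAILURE} if a certificate cannot be
 *         loaded, or {@link ErrorCode#INVALID_EXTENSION} if the extension cannot be added
 */
private void addXipkiCertset(X509v2CRLBuilder crlBuilder, boolean deltaCrl, CrlControl control,
    Date notExpireAt, boolean onlyCaCerts, boolean onlyUserCerts) throws OperationException {
  if (deltaCrl || !control.isXipkiCertsetIncluded()) {
    return;
  }

  ASN1EncodableVector certSet = new ASN1EncodableVector();
  // Serials are paged by database id, 100 at a time, starting after the largest id seen.
  final int numEntries = 100;
  long startId = 1;
  List<SerialWithId> serials;
  do {
    serials = certstore.getCertSerials(caIdent, notExpireAt, startId, numEntries, false,
        onlyCaCerts, onlyUserCerts);
    long maxId = 1;
    for (SerialWithId sid : serials) {
      if (sid.getId() > maxId) {
        maxId = sid.getId();
      }
      certSet.add(buildXipkiCrlCert(sid, control));
    }
    startId = maxId + 1;
  } while (serials.size() >= numEntries);

  try {
    crlBuilder.addExtension(ObjectIdentifiers.id_xipki_ext_crlCertset, false, new DERSet(certSet));
  } catch (CertIOException ex) {
    throw new OperationException(ErrorCode.INVALID_EXTENSION,
        "CertIOException: " + ex.getMessage());
  }
}

/**
 * Builds one {@code Xipki-CrlCert} SEQUENCE for a serial: the serial, optionally the
 * certificate ([0]) and optionally the profile name ([1]), as requested by the CRL control.
 *
 * @param sid serial number and database id of the certificate
 * @param control CRL control deciding whether the certificate and profile name are included
 * @return the encoded SEQUENCE
 * @throws OperationException with {@link ErrorCode#SYSTEM_FAILURE} if the certificate cannot be
 *         loaded from the certstore
 */
private DERSequence buildXipkiCrlCert(SerialWithId sid, CrlControl control)
    throws OperationException {
  ASN1EncodableVector vec = new ASN1EncodableVector();
  vec.add(new ASN1Integer(sid.getSerial()));

  Integer profileId = null;
  if (control.isXipkiCertsetCertIncluded()) {
    X509CertificateInfo certInfo;
    try {
      certInfo = certstore.getCertificateInfoForId(caIdent, caCert, sid.getId(), caIdNameMap);
    } catch (CertificateException ex) {
      throw new OperationException(ErrorCode.SYSTEM_FAILURE,
          "CertificateException: " + ex.getMessage());
    }
    Certificate cert = Certificate.getInstance(certInfo.getCert().getEncodedCert());
    vec.add(new DERTaggedObject(true, 0, cert));
    if (control.isXipkiCertsetProfilenameIncluded()) {
      // the profile id is already part of the loaded certificate info; no extra lookup needed
      profileId = certInfo.getProfile().getId();
    }
  } else if (control.isXipkiCertsetProfilenameIncluded()) {
    profileId = certstore.getCertProfileForId(caIdent, sid.getId());
  }

  if (profileId != null) {
    String profileName = caIdNameMap.getCertprofileName(profileId);
    vec.add(new DERTaggedObject(true, 1, new DERUTF8String(profileName)));
  }
  return new DERSequence(vec);
}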