
Example 6 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

Class X509CaCmpResponderImpl, method confirmCertificates (handling of a CMP certConf message).

/**
 * Handles a CMP {@code certConf} message for one transaction.
 *
 * <p>Every {@link CertStatus} is matched against the pending-certificate pool by
 * (transactionId, certReqId, certHash). A matched certificate is treated as accepted when
 * its statusInfo is absent or reports GRANTED / GRANTED_WITH_MODS; otherwise it is revoked
 * with reason cessationOfOperation. A status entry that matches nothing in the pool (for
 * example a certHash that does not fit the issued certificate) is only logged here; the
 * certificate it was meant for stays in the pool and is revoked by the
 * {@code revokePendingCertificates} sweep at the end, so a certificate that was not
 * positively confirmed is not left active.
 *
 * @param transactionId CMP transaction the confirmation belongs to
 * @param certConf      confirmation body sent by the client
 * @param msgId         message id recorded with every revocation performed here
 * @return a {@code pkiconf} body when all certificates were accepted and nothing had to be
 *         revoked; otherwise an error body with status rejection / failInfo systemFailure
 */
private PKIBody confirmCertificates(ASN1OctetString transactionId, CertConfirmContent certConf, String msgId) {
    boolean allAccepted = true;

    for (CertStatus status : certConf.toCertStatusArray()) {
        BigInteger reqId = status.getCertReqId().getPositiveValue();
        byte[] hash = status.getCertHash().getOctets();
        X509CertificateInfo pending = pendingCertPool.removeCertificate(transactionId.getOctets(), reqId, hash);

        if (pending == null) {
            // Unknown or mismatching hash: nothing to confirm here. Whatever is still pending
            // for this transaction is revoked by revokePendingCertificates() below.
            if (LOG.isWarnEnabled()) {
                LOG.warn("no cert under transactionId={}, certReqId={} and certHash=0X{}", transactionId, reqId, Hex.encode(hash));
            }
            continue;
        }

        if (confirmsAcceptance(status.getStatusInfo())) {
            continue;
        }

        // The client rejected this certificate: it must not remain usable.
        allAccepted = false;
        BigInteger serial = pending.getCert().getCert().getSerialNumber();
        X509Ca ca = getCa();
        try {
            ca.revokeCertificate(serial, CrlReason.CESSATION_OF_OPERATION, new Date(), msgId);
        } catch (OperationException ex) {
            // Best effort: the failure is logged and surfaces as the error response below,
            // but the certificate itself is left unrevoked.
            LogUtil.warn(LOG, ex, "could not revoke certificate ca=" + ca.getCaInfo().getIdent() + " serialNumber=" + LogUtil.formatCsn(serial));
        }
    }

    // Everything still pending for this transaction was not confirmed: revoke it.
    if (revokePendingCertificates(transactionId, msgId)) {
        allAccepted = false;
    }

    if (allAccepted) {
        return new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
    }

    // NOTE(review): a client-side rejection and a failed revocation are both reported with
    // failInfo systemFailure, so the peer cannot distinguish them from the response alone.
    PKIStatusInfo rejection = new PKIStatusInfo(PKIStatus.rejection, null, new PKIFailureInfo(PKIFailureInfo.systemFailure));
    return new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(rejection));
}

/**
 * A CertStatus without statusInfo means acceptance; with statusInfo, only GRANTED and
 * GRANTED_WITH_MODS count as acceptance.
 */
private static boolean confirmsAcceptance(PKIStatusInfo statusInfo) {
    if (statusInfo == null) {
        return true;
    }
    int status = statusInfo.getStatus().intValue();
    return status == PKIStatus.GRANTED || status == PKIStatus.GRANTED_WITH_MODS;
}
Also used : PKIBody(org.bouncycastle.asn1.cmp.PKIBody) PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) X509Ca(org.xipki.ca.server.impl.X509Ca) X509CertificateInfo(org.xipki.ca.api.publisher.x509.X509CertificateInfo) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) Date(java.util.Date) PKIFailureInfo(org.bouncycastle.asn1.cmp.PKIFailureInfo) CertStatus(org.bouncycastle.asn1.cmp.CertStatus) BigInteger(java.math.BigInteger) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent) OperationException(org.xipki.ca.api.OperationException)

Example 7 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

Class CaManagerImpl, method createX509CrlSigner.

// method createCmpResponder  (apparently an end-of-method marker carried over from the preceding method in the original source; it does not describe createX509CrlSigner below)
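/**
 * Builds a CRL-signer wrapper from its database entry and initialises the underlying signer
 * through the security factory.
 *
 * @param dbEntry persisted CRL-signer configuration, must not be null
 * @return an initialised wrapper for {@code dbEntry}
 * @throws CaMgmtException if the entry is invalid or the signer cannot be created. The
 *         triggering exception is attached as cause (the other CaMgmtException sites in this
 *         class do the same), so key/HSM problems remain diagnosable from the stack trace.
 */
X509CrlSignerEntryWrapper createX509CrlSigner(X509CrlSignerEntry dbEntry) throws CaMgmtException {
    ParamUtil.requireNonNull("dbEntry", dbEntry);
    X509CrlSignerEntryWrapper signer = new X509CrlSignerEntryWrapper();
    try {
        signer.setDbEntry(dbEntry);
    } catch (InvalidConfException ex) {
        throw new CaMgmtException(concat("InvalidConfException: ", ex.getMessage()), ex);
    }
    try {
        signer.initSigner(securityFactory);
    } catch (XiSecurityException | OperationException | InvalidConfException ex) {
        String message = "could not create CRL signer " + dbEntry.getName();
        LogUtil.error(LOG, ex, message);
        // OperationException carries a machine-readable error code worth surfacing to the caller.
        if (ex instanceof OperationException) {
            throw new CaMgmtException(message + ": " + ((OperationException) ex).getErrorCode() + ", " + ex.getMessage(), ex);
        }
        throw new CaMgmtException(concat(message, ": ", ex.getMessage()), ex);
    }
    return signer;
}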
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) XiSecurityException(org.xipki.security.exception.XiSecurityException) InvalidConfException(org.xipki.common.InvalidConfException) OperationException(org.xipki.ca.api.OperationException)

Example 8 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

Class CaManagerImpl, method getCrl.

// method generateCrlOnDemand  (apparently an end-of-method marker carried over from the preceding method in the original source; it does not describe getCrl below)
/**
 * Looks up the CRL with number {@code crlNumber} issued by CA {@code caName}.
 *
 * @param caName    CA name; blank is rejected, and the name is lower-cased before lookup
 * @param crlNumber CRL number to fetch, must not be null
 * @return the CRL, or {@code null} if the CA has no CRL with that number (a warning is logged)
 * @throws CaMgmtException if resolving the CA or reading the CRL fails
 */
@Override
public X509CRL getCrl(String caName, BigInteger crlNumber) throws CaMgmtException {
    String name = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    ParamUtil.requireNonNull("crlNumber", crlNumber);
    X509Ca ca = getX509Ca(name);
    X509CRL crl;
    try {
        crl = ca.getCrl(crlNumber);
    } catch (OperationException ex) {
        throw new CaMgmtException(ex.getMessage(), ex);
    }
    if (crl == null) {
        LOG.warn("found no CRL for CA {} and crlNumber {}", name, crlNumber);
    }
    return crl;
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) X509CRL(java.security.cert.X509CRL) OperationException(org.xipki.ca.api.OperationException)

Example 9 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

Class CaManagerImpl, method generateRootCa.

// method getIdentifiedPublishersForCa  (apparently an end-of-method marker carried over from the preceding method in the original source; it does not describe generateRootCa below)
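/**
 * Generates a self-signed (root) CA certificate from {@code caEntry} and {@code encodedCsr},
 * then registers the resulting CA via {@code addCa}.
 *
 * <p>All validation failures are reported as {@link CaMgmtException}. Previously a negative
 * {@code numCrls}/{@code expirationPeriod} or an undecodable CSR only printed to the server's
 * stderr and returned {@code null}, which gave the caller no reason at all and was
 * inconsistent with the "unknown certprofile" path of this same method.
 *
 * @param caEntry      CA configuration to instantiate; its signer type/conf, URIs and limits are used
 * @param profileName  certificate profile for the root certificate (lower-cased before lookup)
 * @param encodedCsr   DER-encoded PKCS#10 request supplying the CA's public key and subject
 * @param serialNumber serial to use for the root certificate, or {@code null} to draw a random
 *                     serial of {@code caEntry.getSerialNoBitLen()} bits
 * @return the generated self-signed CA certificate
 * @throws CaMgmtException on invalid input, an unknown profile, or any failure while building
 *         the certificate, canonicalizing the signer configuration, or adding the CA
 */
@Override
public X509Certificate generateRootCa(X509CaEntry caEntry, String profileName, byte[] encodedCsr, BigInteger serialNumber) throws CaMgmtException {
    ParamUtil.requireNonNull("caEntry", caEntry);
    profileName = ParamUtil.requireNonBlank("profileName", profileName).toLowerCase();
    ParamUtil.requireNonNull("encodedCsr", encodedCsr);
    int numCrls = caEntry.getNumCrls();
    List<String> crlUris = caEntry.getCrlUris();
    List<String> deltaCrlUris = caEntry.getDeltaCrlUris();
    List<String> ocspUris = caEntry.getOcspUris();
    List<String> caCertUris = caEntry.getCaCertUris();
    String signerType = caEntry.getSignerType();
    asssertMasterMode();
    if (numCrls < 0) {
        throw new CaMgmtException("invalid numCrls: " + numCrls);
    }
    int expirationPeriod = caEntry.getExpirationPeriod();
    if (expirationPeriod < 0) {
        throw new CaMgmtException("invalid expirationPeriod: " + expirationPeriod);
    }
    CertificationRequest csr;
    try {
        csr = CertificationRequest.getInstance(encodedCsr);
    } catch (Exception ex) {
        // getInstance() fails with unchecked exceptions on malformed input; keep the cause.
        throw new CaMgmtException("invalid encodedCsr: " + ex.getMessage(), ex);
    }
    IdentifiedX509Certprofile certprofile = getIdentifiedCertprofile(profileName);
    if (certprofile == null) {
        throw new CaMgmtException(concat("unknown certprofile ", profileName));
    }
    // A caller-supplied serial is used verbatim; only when it is absent does the CA draw a
    // random one. Callers should pass null unless a specific serial is really required,
    // since a predictable serial removes the entropy the random generator provides.
    BigInteger serialOfThisCert = (serialNumber != null) ? serialNumber : RandomSerialNumberGenerator.getInstance().nextSerialNumber(caEntry.getSerialNoBitLen());
    // NOTE(review): this method does not verify the CSR's proof-of-possession itself; that is
    // assumed to happen inside generateSelfSigned — confirm.
    GenerateSelfSignedResult result;
    try {
        result = X509SelfSignedCertBuilder.generateSelfSigned(securityFactory, signerType, caEntry.getSignerConf(), certprofile, csr, serialOfThisCert, caCertUris, ocspUris, crlUris, deltaCrlUris, caEntry.getExtraControl());
    } catch (OperationException | InvalidConfException ex) {
        throw new CaMgmtException(concat(ex.getClass().getName(), ": ", ex.getMessage()), ex);
    }
    String signerConf = result.getSignerConf();
    X509Certificate caCert = result.getCert();
    // Keystore-backed signers: canonicalize the signer conf together with the new certificate.
    if ("PKCS12".equalsIgnoreCase(signerType) || "JKS".equalsIgnoreCase(signerType)) {
        try {
            signerConf = canonicalizeSignerConf(signerType, signerConf, new X509Certificate[] { caCert }, securityFactory);
        } catch (Exception ex) {
            throw new CaMgmtException(concat(ex.getClass().getName(), ": ", ex.getMessage()), ex);
        }
    }
    X509CaUris caUris = new X509CaUris(caCertUris, ocspUris, crlUris, deltaCrlUris);
    String name = caEntry.getIdent().getName();
    long nextCrlNumber = caEntry.getNextCrlNumber();
    CaStatus status = caEntry.getStatus();
    // Build the entry to persist: the id is left null (assigned on insert), the signer conf is the
    // canonicalized one, and the remaining settings are copied over from the input entry.
    X509CaEntry entry = new X509CaEntry(new NameId(null, name), caEntry.getSerialNoBitLen(), nextCrlNumber, signerType, signerConf, caUris, numCrls, expirationPeriod);
    entry.setCert(caCert);
    entry.setCmpControlName(caEntry.getCmpControlName());
    entry.setCrlSignerName(caEntry.getCrlSignerName());
    entry.setDuplicateKeyPermitted(caEntry.isDuplicateKeyPermitted());
    entry.setDuplicateSubjectPermitted(caEntry.isDuplicateSubjectPermitted());
    entry.setExtraControl(caEntry.getExtraControl());
    entry.setKeepExpiredCertInDays(caEntry.getKeepExpiredCertInDays());
    entry.setMaxValidity(caEntry.getMaxValidity());
    entry.setPermission(caEntry.getPermission());
    entry.setResponderName(caEntry.getResponderName());
    entry.setSaveRequest(caEntry.isSaveRequest());
    entry.setStatus(status);
    entry.setValidityMode(caEntry.getValidityMode());
    addCa(entry);
    return caCert;
}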
Also used : NameId(org.xipki.ca.api.NameId) InvalidConfException(org.xipki.common.InvalidConfException) CaStatus(org.xipki.ca.server.mgmt.api.CaStatus) CertprofileException(org.xipki.ca.api.profile.CertprofileException) KeyStoreException(java.security.KeyStoreException) XiSecurityException(org.xipki.security.exception.XiSecurityException) CertificateEncodingException(java.security.cert.CertificateEncodingException) InvalidConfException(org.xipki.common.InvalidConfException) SocketException(java.net.SocketException) IOException(java.io.IOException) CertPublisherException(org.xipki.ca.api.publisher.CertPublisherException) OperationException(org.xipki.ca.api.OperationException) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) ObjectCreationException(org.xipki.common.ObjectCreationException) DataAccessException(org.xipki.datasource.DataAccessException) JAXBException(javax.xml.bind.JAXBException) FileNotFoundException(java.io.FileNotFoundException) SAXException(org.xml.sax.SAXException) CertificateException(java.security.cert.CertificateException) PasswordResolverException(org.xipki.password.PasswordResolverException) X509Certificate(java.security.cert.X509Certificate) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) X509CaUris(org.xipki.ca.server.mgmt.api.x509.X509CaUris) GenerateSelfSignedResult(org.xipki.ca.server.impl.X509SelfSignedCertBuilder.GenerateSelfSignedResult) BigInteger(java.math.BigInteger) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) OperationException(org.xipki.ca.api.OperationException) X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry)

Example 10 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

Class CertRepublisher, method republish0.

/**
 * Republishes the CA's certificates (or only the revoked ones) with one producer task and
 * {@code numThreads} consumer tasks, then waits until every task has finished.
 *
 * @return {@code true} when the certificate count could be read and neither the producer
 *         nor any consumer flagged a failure; {@code false} otherwise
 */
private boolean republish0() {
    long certCount;
    try {
        certCount = certstore.getCountOfCerts(ca, onlyRevokedCerts);
    } catch (OperationException ex) {
        LogUtil.error(LOG, ex, "could not getCountOfCerts");
        return false;
    }
    processLog = new ProcessLog(certCount);
    processLog.printHeader();

    // numThreads consumers plus one slot for the producer.
    ExecutorService pool = Executors.newFixedThreadPool(numThreads + 1);
    // NOTE(review): stopMe is a method-local that nothing else reads, so the set(true) calls
    // below cannot reach the producer/consumers. If the enclosing class has a field of the
    // same name, this local shadows it — verify which one the workers actually observe.
    AtomicBoolean stopMe = new AtomicBoolean(false);

    List<CertRepublishConsumer> workers = new ArrayList<>(numThreads);
    for (int i = 0; i < numThreads; i++) {
        workers.add(new CertRepublishConsumer());
    }
    CertRepublishProducer producer = new CertRepublishProducer();
    pool.execute(producer);
    for (CertRepublishConsumer worker : workers) {
        pool.execute(worker);
    }
    pool.shutdown();

    boolean ok = true;
    while (true) {
        processLog.printStatus();
        if (ok && anyFailed(producer, workers)) {
            ok = false;
            stopMe.set(true);
            LOG.warn("failed");
        }
        try {
            if (pool.awaitTermination(1, TimeUnit.SECONDS)) {
                break;
            }
        } catch (InterruptedException ex) {
            // The interrupt is logged and the loop keeps waiting for the pool; the thread's
            // interrupt flag is not restored here.
            stopMe.set(true);
            LogUtil.warn(LOG, ex, "interrupted: " + ex.getMessage());
        }
    }

    // Final pass so that a failure raised after the last in-loop check is still reported.
    if (ok && anyFailed(producer, workers)) {
        ok = false;
        LOG.warn("failed");
    }
    return ok;
}

/** Reads the failure flags in a fixed order: the producer first, then the consumers in list order. */
private static boolean anyFailed(CertRepublishProducer producer, List<CertRepublishConsumer> consumers) {
    if (producer.failed) {
        return true;
    }
    for (CertRepublishConsumer consumer : consumers) {
        if (consumer.failed) {
            return true;
        }
    }
    return false;
}
Also used : AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean) ExecutorService(java.util.concurrent.ExecutorService) ArrayList(java.util.ArrayList) OperationException(org.xipki.ca.api.OperationException) ProcessLog(org.xipki.common.ProcessLog)

Aggregations

OperationException (org.xipki.ca.api.OperationException)70 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)20 CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)19 Date (java.util.Date)16 BigInteger (java.math.BigInteger)15 X509Certificate (java.security.cert.X509Certificate)15 CertificateException (java.security.cert.CertificateException)13 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)13 X509Ca (org.xipki.ca.server.impl.X509Ca)13 PreparedStatement (java.sql.PreparedStatement)12 SQLException (java.sql.SQLException)12 IOException (java.io.IOException)11 X509CertificateInfo (org.xipki.ca.api.publisher.x509.X509CertificateInfo)11 DEROctetString (org.bouncycastle.asn1.DEROctetString)10 X500Name (org.bouncycastle.asn1.x500.X500Name)10 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)10 IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)10 CrlReason (org.xipki.security.CrlReason)10 AuditEvent (org.xipki.audit.AuditEvent)9 NameId (org.xipki.ca.api.NameId)9