
Example 16 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method unrevokeCertificate.

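// (apparently the trailing end-of-method marker of the preceding method, revokeCertificate, carried over by the extraction; it does not label the method below)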
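/**
 * Lifts the revocation of the certificate with the given serial number and records the
 * outcome in an audit event.
 *
 * <p>If this CA is self-signed and {@code serialNumber} is the CA's own serial number, the
 * request is rejected. That rejection happens before the audit event is created, so it is
 * not reported through {@code finish}.
 *
 * @param serialNumber serial number of the certificate to unrevoke
 * @param msgId message id passed to {@code newPerfAuditEvent}
 * @return the value returned by {@code unrevokeCertificate0}
 * @throws OperationException with {@code NOT_PERMITTED} for the self-signed CA certificate,
 *     or whatever {@code unrevokeCertificate0} throws
 */
public X509CertWithDbId unrevokeCertificate(BigInteger serialNumber, String msgId) throws OperationException {
    if (caInfo.isSelfSigned() && caInfo.getSerialNumber().equals(serialNumber)) {
        throw new OperationException(ErrorCode.NOT_PERMITTED, "insufficient permission unrevoke CA certificate");
    }
    AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_unrevoke_cert, msgId);
    // Start as "failed": the flag was previously initialised to true, so an exception thrown by
    // unrevokeCertificate0 still reached finish(event, true) and the failed attempt was
    // reported to the audit trail as a success.
    boolean successful = false;
    try {
        X509CertWithDbId ret = unrevokeCertificate0(serialNumber, false, event);
        successful = true;
        return ret;
    } finally {
        // Runs on both the normal and the exceptional path, so every attempt is audited.
        finish(event, successful);
    }
}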
Also used : AuditEvent(org.xipki.audit.AuditEvent) X509CertWithDbId(org.xipki.ca.api.X509CertWithDbId) OperationException(org.xipki.ca.api.OperationException)

Example 17 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method revokeCertificate.

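// (apparently the trailing end-of-method marker of the preceding method, publishCrl, carried over by the extraction; it does not label the method below)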
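/**
 * Revokes the certificate with the given serial number and records the outcome in an audit
 * event.
 *
 * <p>Two kinds of request are refused with {@code NOT_PERMITTED} before any audit event is
 * created (so these refusals are not reported through {@code finish}): revoking the CA's own
 * certificate when the CA is self-signed, and revoking with one of the reasons
 * {@code CA_COMPROMISE}, {@code AA_COMPROMISE} or {@code REMOVE_FROM_CRL}.
 *
 * @param serialNumber serial number of the certificate to revoke
 * @param reason revocation reason; {@code null} is treated as {@code UNSPECIFIED} for the
 *     permission check
 * @param invalidityTime invalidity time, forwarded unchanged to {@code revokeCertificate0}
 * @param msgId message id passed to {@code newPerfAuditEvent}
 * @return the value returned by {@code revokeCertificate0}; {@code null} is audited as a
 *     failure
 * @throws OperationException with {@code NOT_PERMITTED} as described above, or whatever
 *     {@code revokeCertificate0} throws
 * @throws RuntimeException if the reason is not one of the values handled by the switch
 */
public X509CertWithRevocationInfo revokeCertificate(BigInteger serialNumber, CrlReason reason, Date invalidityTime, String msgId) throws OperationException {
    if (caInfo.isSelfSigned() && caInfo.getSerialNumber().equals(serialNumber)) {
        throw new OperationException(ErrorCode.NOT_PERMITTED, "insufficient permission to revoke CA certificate");
    }
    CrlReason tmpReason = reason;
    if (tmpReason == null) {
        tmpReason = CrlReason.UNSPECIFIED;
    }
    switch(tmpReason) {
        case CA_COMPROMISE:
        case AA_COMPROMISE:
        case REMOVE_FROM_CRL:
            // Reasons this entry point refuses to accept.
            throw new OperationException(ErrorCode.NOT_PERMITTED, "Insufficient permission revoke certificate with reason " + tmpReason.getDescription());
        case UNSPECIFIED:
        case KEY_COMPROMISE:
        case AFFILIATION_CHANGED:
        case SUPERSEDED:
        case CESSATION_OF_OPERATION:
        case CERTIFICATE_HOLD:
        case PRIVILEGE_WITHDRAWN:
            break;
        default:
            // Fail closed on a reason value this switch does not know about.
            throw new RuntimeException("unknown CRL reason " + tmpReason);
    }
    // switch (reason)
    AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_revoke_cert, msgId);
    // Start as "failed": the flag was previously initialised to true, so an exception thrown by
    // revokeCertificate0 still reached finish(event, true) and the failed revocation was
    // reported to the audit trail as a success.
    boolean successful = false;
    try {
        // NOTE(review): the caller's reason (possibly null) is forwarded here, not the
        // UNSPECIFIED default computed above; confirm that revokeCertificate0 handles null.
        X509CertWithRevocationInfo ret = revokeCertificate0(serialNumber, reason, invalidityTime, false, event);
        successful = (ret != null);
        return ret;
    } finally {
        // Runs on both the normal and the exceptional path, so every attempt is audited.
        finish(event, successful);
    }
}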
Also used : AuditEvent(org.xipki.audit.AuditEvent) CrlReason(org.xipki.security.CrlReason) OperationException(org.xipki.ca.api.OperationException) X509CertWithRevocationInfo(org.xipki.ca.server.impl.store.X509CertWithRevocationInfo)

Example 18 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509Ca method generateCertificate0.

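/**
 * Builds, signs, checks and stores one certificate for an already granted template.
 *
 * <p>For the duration of the call the public-key fingerprint and the subject fingerprint of
 * the template are kept in {@code publicKeyCertsInProcess} and {@code subjectCertsInProcess}.
 * A request whose key or subject is already marked is refused with {@code ALREADY_ISSUED}
 * unless the certificate profile permits duplicates.
 *
 * <p>After signing, the certificate is checked against the profile's maximal size (when that
 * limit is positive), re-parsed, and its signature is verified before it is handed to
 * {@code publishCertificate0}.
 *
 * @param gct granted certificate template; must not be {@code null}
 * @param requestor requestor whose ident is stored on the result; if it is a
 *     {@code ByUserRequestorInfo} its user id is stored as well
 * @param keyUpdate not read in this method body
 * @param reqType request type stored on the result
 * @param transactionId transaction id stored on the result
 * @param event audit event that receives the requested subject, profile name, notBefore and
 *     notAfter
 * @return information about the generated certificate, carrying {@code gct.warning} as its
 *     warning message when that is set
 * @throws OperationException {@code ALREADY_ISSUED} for a key or subject already in process,
 *     {@code BAD_CERT_TEMPLATE} for a {@code BadCertTemplateException},
 *     {@code NOT_PERMITTED} when the encoded certificate exceeds the maximal size, and
 *     {@code SYSTEM_FAILURE} for signer, parsing, signature-verification, storage or any
 *     other unexpected failure
 */
private X509CertificateInfo generateCertificate0(GrantedCertTemplate gct, RequestorInfo requestor, boolean keyUpdate, RequestType reqType, byte[] transactionId, AuditEvent event) throws OperationException {
    ParamUtil.requireNonNull("gct", gct);
    event.addEventData(CaAuditConstants.NAME_reqSubject, X509Util.getRfc4519Name(gct.requestedSubject));
    event.addEventData(CaAuditConstants.NAME_certprofile, gct.certprofile.getIdent().getName());
    event.addEventData(CaAuditConstants.NAME_notBefore, DateUtil.toUtcTimeyyyyMMddhhmmss(gct.grantedNotBefore));
    event.addEventData(CaAuditConstants.NAME_notAfter, DateUtil.toUtcTimeyyyyMMddhhmmss(gct.grantedNotAfter));
    adaptGrantedSubejct(gct);
    IdentifiedX509Certprofile certprofile = gct.certprofile;
    // add(...) yields false when the fingerprint is already marked (the branch below reports
    // exactly that case as "already in process"), so true means this call set the marker.
    boolean publicKeyNewlyMarked = publicKeyCertsInProcess.add(gct.fpPublicKey);
    if (!publicKeyNewlyMarked) {
        if (!certprofile.isDuplicateKeyPermitted()) {
            throw new OperationException(ErrorCode.ALREADY_ISSUED, "certificate with the given public key already in process");
        }
    }
    if (!subjectCertsInProcess.add(gct.fpSubject)) {
        if (!certprofile.isDuplicateSubjectPermitted()) {
            // Roll back only a marker this call set itself. The condition was previously
            // inverted: the marker this call had just added stayed behind after this early
            // exit (the finally block below is not reached from here), and a marker owned by
            // another in-flight request was removed instead.
            if (publicKeyNewlyMarked) {
                publicKeyCertsInProcess.remove(gct.fpPublicKey);
            }
            throw new OperationException(ErrorCode.ALREADY_ISSUED, "certificate with the given subject " + gct.grantedSubjectText + " already in process");
        }
    }
    try {
        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(caInfo.getPublicCaInfo().getX500Subject(), caInfo.nextSerial(), gct.grantedNotBefore, gct.grantedNotAfter, gct.grantedSubject, gct.grantedPublicKey);
        X509CertificateInfo ret;
        try {
            X509CrlSignerEntryWrapper crlSigner = getCrlSigner();
            X509Certificate crlSignerCert = (crlSigner == null) ? null : crlSigner.getCert();
            // The profile decides which extensions go into the certificate.
            ExtensionValues extensionTuples = certprofile.getExtensions(gct.requestedSubject, gct.grantedSubject, gct.extensions, gct.grantedPublicKey, caInfo.getPublicCaInfo(), crlSignerCert, gct.grantedNotBefore, gct.grantedNotAfter);
            if (extensionTuples != null) {
                for (ASN1ObjectIdentifier extensionType : extensionTuples.getExtensionTypes()) {
                    ExtensionValue extValue = extensionTuples.getExtensionValue(extensionType);
                    certBuilder.addExtension(extensionType, extValue.isCritical(), extValue.getValue());
                }
            }
            ConcurrentBagEntrySigner signer0;
            try {
                signer0 = gct.signer.borrowSigner();
            } catch (NoIdleSignerException ex) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
            }
            X509CertificateHolder certHolder;
            try {
                certHolder = certBuilder.build(signer0.value());
            } finally {
                // Hand the borrowed signer back whether or not signing succeeded.
                gct.signer.requiteSigner(signer0);
            }
            Certificate bcCert = certHolder.toASN1Structure();
            byte[] encodedCert = bcCert.getEncoded();
            // A non-positive maximal size disables the size check.
            int maxCertSize = gct.certprofile.getMaxCertSize();
            if (maxCertSize > 0) {
                int certSize = encodedCert.length;
                if (certSize > maxCertSize) {
                    throw new OperationException(ErrorCode.NOT_PERMITTED, String.format("certificate exceeds the maximal allowed size: %d > %d", certSize, maxCertSize));
                }
            }
            X509Certificate cert;
            try {
                cert = X509Util.toX509Cert(bcCert);
            } catch (CertificateException ex) {
                String message = "should not happen, could not parse generated certificate";
                LOG.error(message, ex);
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
            }
            // Self-check: a certificate whose signature does not verify is never stored or
            // returned.
            if (!verifySignature(cert)) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not verify the signature of generated certificate");
            }
            X509CertWithDbId certWithMeta = new X509CertWithDbId(cert, encodedCert);
            ret = new X509CertificateInfo(certWithMeta, caIdent, caCert, gct.grantedPublicKeyData, gct.certprofile.getIdent(), requestor.getIdent());
            if (requestor instanceof ByUserRequestorInfo) {
                ret.setUser((((ByUserRequestorInfo) requestor).getUserId()));
            }
            ret.setReqType(reqType);
            ret.setTransactionId(transactionId);
            ret.setRequestedSubject(gct.requestedSubject);
            // NOTE(review): a return value of 1 is treated as "not saved"; the meaning of the
            // other values is not visible here - confirm against publishCertificate0.
            if (publishCertificate0(ret) == 1) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not save certificate");
            }
        } catch (BadCertTemplateException ex) {
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
        } catch (OperationException ex) {
            // Already carries the right error code; pass it through untouched.
            throw ex;
        } catch (Throwable th) {
            // Boundary catch: anything unexpected is logged and reported as SYSTEM_FAILURE.
            LogUtil.error(LOG, th, "could not generate certificate");
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, th);
        }
        if (gct.warning != null) {
            ret.setWarningMessage(gct.warning);
        }
        return ret;
    } finally {
        // NOTE(review): both markers are cleared unconditionally, including when duplicates
        // are permitted and another in-flight request set them - confirm this is intended.
        publicKeyCertsInProcess.remove(gct.fpPublicKey);
        subjectCertsInProcess.remove(gct.fpSubject);
    }
}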
Also used : X509CertificateInfo(org.xipki.ca.api.publisher.x509.X509CertificateInfo) CertificateException(java.security.cert.CertificateException) X509CertWithDbId(org.xipki.ca.api.X509CertWithDbId) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner) X509Certificate(java.security.cert.X509Certificate) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) ExtensionValue(org.xipki.ca.api.profile.ExtensionValue) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) ExtensionValues(org.xipki.ca.api.profile.ExtensionValues) OperationException(org.xipki.ca.api.OperationException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) Certificate(org.bouncycastle.asn1.x509.Certificate) X509Certificate(java.security.cert.X509Certificate)

Example 19 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class CaManagerImpl method generateCrlOnDemand.

/**
 * Generates a CRL on demand for the CA with the given name.
 *
 * @param caName name of the CA; must not be blank, and is lower-cased before the lookup
 * @return the CRL returned by {@code X509Ca.generateCrlOnDemand}
 * @throws CaMgmtException wrapping any {@code OperationException} raised by the CA, with the
 *     original message and cause preserved
 */
@Override
public X509CRL generateCrlOnDemand(String caName) throws CaMgmtException {
    // NOTE(review): toLowerCase() without a Locale follows the JVM default locale; confirm
    // CA names are normalised the same way wherever they are registered and looked up.
    caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    final X509Ca targetCa = getX509Ca(caName);
    final X509CRL crl;
    try {
        crl = targetCa.generateCrlOnDemand(CaAuditConstants.MSGID_ca_mgmt);
    } catch (OperationException opEx) {
        // Translate the CA-level failure into the management API's exception type.
        throw new CaMgmtException(opEx.getMessage(), opEx);
    }
    return crl;
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) OperationException(org.xipki.ca.api.OperationException)

Example 20 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class CaManagerImpl method revokeCertificate.

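// (apparently the trailing end-of-method marker of the preceding method, shutdownScheduledThreadPoolExecutor, carried over by the extraction; it does not label the method below)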
/**
 * Revokes a certificate of the named CA through the management interface.
 *
 * <p>Arguments are validated first, then {@code asssertMasterMode()} is called, and only
 * then is the CA looked up and asked to revoke.
 *
 * @param caName name of the CA; must not be blank, and is lower-cased before the lookup
 * @param serialNumber serial number of the certificate to revoke; must not be {@code null}
 * @param reason revocation reason, forwarded unchanged to the CA
 * @param invalidityTime invalidity time, forwarded unchanged to the CA
 * @throws CaMgmtException if the CA returns {@code null} for the revocation (reported as a
 *     non-existing certificate), or wrapping any {@code OperationException} raised by the CA
 */
@Override
public void revokeCertificate(String caName, BigInteger serialNumber, CrlReason reason, Date invalidityTime) throws CaMgmtException {
    // NOTE(review): toLowerCase() without a Locale follows the JVM default locale; confirm
    // CA names are normalised the same way wherever they are registered and looked up.
    caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    ParamUtil.requireNonNull("serialNumber", serialNumber);
    asssertMasterMode();
    final X509Ca targetCa = getX509Ca(caName);
    try {
        final Object revoked = targetCa.revokeCertificate(serialNumber, reason, invalidityTime, CaAuditConstants.MSGID_ca_mgmt);
        final boolean nothingRevoked = (revoked == null);
        if (nothingRevoked) {
            throw new CaMgmtException("could not revoke non-existing certificate");
        }
    } catch (OperationException opEx) {
        // Translate the CA-level failure into the management API's exception type.
        throw new CaMgmtException(opEx.getMessage(), opEx);
    }
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) OperationException(org.xipki.ca.api.OperationException)
