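/**
 * Inserts the given certificate into the OCSP store, or updates the revocation
 * state of the row that already exists for (issuer, serial number).
 *
 * <p>The OCSP store is what responders answer revocation queries from, so a
 * failed insert must not leave a half-written CERT row behind: if the insert
 * fails for any reason, the row with this certificate id is deleted before the
 * error is propagated. A failure of that cleanup is attached to the original
 * error as a suppressed exception rather than replacing it.
 *
 * @param issuer      issuer of {@code certificate}; mapped to its issuer id
 * @param certificate certificate to publish, carrying its database id, DER
 *                    encoding and subject
 * @param certprofile name of the certificate profile, stored with the cert
 * @param revInfo     revocation information, or {@code null} for a good cert
 * @throws DataAccessException if a database access fails
 * @throws OperationException  with {@code SYSTEM_FAILURE} if the insert fails
 *                             for a non-SQL reason
 */
private void addOrUpdateCert(X509Cert issuer, X509CertWithDbId certificate, String certprofile, CertRevocationInfo revInfo) throws DataAccessException, OperationException {
  ParamUtil.requireNonNull("issuer", issuer);
  // certificate is dereferenced right below; fail with a clear message, not an NPE
  ParamUtil.requireNonNull("certificate", certificate);

  boolean revoked = (revInfo != null);
  int issuerId = getIssuerId(issuer);
  BigInteger serialNumber = certificate.getCert().getSerialNumber();
  Long certRegisteredId = getCertId(issuerId, serialNumber);

  // A good certificate that is already registered is left untouched when good
  // certificates are not published.
  // NOTE(review): a good certificate that is NOT yet registered still reaches
  // the insert below even when publishGoodCerts is false - confirm the caller
  // filters that case.
  if (!publishGoodCerts && !revoked && certRegisteredId != null) {
    return;
  }

  if (certRegisteredId != null) {
    updateRegisteredCert(certRegisteredId, revInfo);
    return;
  }

  final String sql = revoked ? SQL_ADD_REVOKED_CERT : SQL_ADD_CERT;
  long certId = certificate.getCertId();
  byte[] encodedCert = certificate.getEncodedCert();
  // Hash over the full DER encoding, stored base64 (the value an OCSP CertHash
  // response is built from - presumably; see certhashAlgo).
  String certHash = certhashAlgo.base64Hash(encodedCert);
  long currentTimeSeconds = System.currentTimeMillis() / 1000;
  X509Certificate cert = certificate.getCert();
  long notBeforeSeconds = cert.getNotBefore().getTime() / 1000;
  long notAfterSeconds = cert.getNotAfter().getTime() / 1000;
  // Subject is truncated to the column width configured in maxX500nameLen.
  String cuttedSubject = X509Util.cutText(certificate.getSubject(), maxX500nameLen);

  PreparedStatement ps = borrowPreparedStatement(sql);
  try {
    // Parameter order must match the column order of SQL_ADD_CERT /
    // SQL_ADD_REVOKED_CERT (defined elsewhere in this class); the revoked
    // statement takes three extra trailing parameters.
    int idx = 1;
    ps.setLong(idx++, certId);
    ps.setLong(idx++, currentTimeSeconds);
    ps.setString(idx++, serialNumber.toString(16));
    ps.setLong(idx++, notBeforeSeconds);
    ps.setLong(idx++, notAfterSeconds);
    setBoolean(ps, idx++, revoked);
    ps.setInt(idx++, issuerId);
    ps.setString(idx++, certprofile);
    ps.setString(idx++, certHash);
    ps.setString(idx++, cuttedSubject);
    if (revoked) {
      long revTime = revInfo.getRevocationTime().getTime() / 1000;
      ps.setLong(idx++, revTime);
      if (revInfo.getInvalidityTime() != null) {
        ps.setLong(idx++, revInfo.getInvalidityTime().getTime() / 1000);
      } else {
        ps.setNull(idx++, Types.BIGINT);
      }
      // reason code 0 ("unspecified") when no reason was given
      int reasonCode = (revInfo.getReason() == null) ? 0 : revInfo.getReason().getCode();
      ps.setInt(idx++, reasonCode);
    }

    try {
      ps.executeUpdate();
    } catch (Throwable th) {
      // Remove whatever the failed insert may have left behind so the store
      // never holds a partial row for this id. The cleanup must not hide the
      // original failure, so its own error is only logged and attached.
      try {
        datasource.deleteFromTable(null, "CERT", "ID", certId);
      } catch (Throwable cleanupEx) {
        LOG.error("datasource {} could not delete partially added certificate with id {}: {}", datasource.getName(), certId, cleanupEx.getMessage());
        th.addSuppressed(cleanupEx);
      }

      if (th instanceof SQLException) {
        SQLException ex = (SQLException) th;
        LOG.error("datasource {} could not add certificate with id {}: {}", datasource.getName(), certId, th.getMessage());
        throw datasource.translate(sql, ex);
      } else {
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, th);
      }
    }
  } catch (SQLException ex) {
    // thrown by the ps.setXxx calls above (executeUpdate failures are handled inside)
    throw datasource.translate(null, ex);
  } finally {
    datasource.releaseResources(ps, null);
  }
}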
/**
 * Services one SCEP PKIOperation: decodes the signed and enveloped request,
 * dispatches it to {@code servicePkiOperation0}, records the outcome in the
 * audit event and encodes the reply for the requester.
 *
 * <p>The CA status is checked before any decoding is attempted, so an inactive
 * SCEP endpoint does not process client input at all.
 *
 * @param requestContent  the SCEP request as received (CMS SignedData)
 * @param certProfileName certificate profile the request is served under
 * @param msgId           message id, passed through to the request handler
 * @param event           audit event; receives the PKI status and, if present,
 *                        the failInfo of the reply
 * @return the encoded reply
 * @throws MessageDecodingException if the request cannot be decoded
 * @throws OperationException       {@code SYSTEM_UNAVAILABLE} if the CA is not
 *                                  active, otherwise as propagated from
 *                                  servicing or encoding
 */
public ContentInfo servicePkiOperation(CMSSignedData requestContent, String certProfileName, String msgId, AuditEvent event) throws MessageDecodingException, OperationException {
  CaStatus caStatus = getStatus();
  if (caStatus != CaStatus.ACTIVE) {
    LOG.warn("SCEP {} is not active", caIdent);
    throw new OperationException(ErrorCode.SYSTEM_UNAVAILABLE);
  }

  // Decrypt and decode with the responder's key; the decoded message is also
  // what the reply is later encrypted to (see encodeResponse).
  DecodedPkiMessage decodedRequest = DecodedPkiMessage.decode(requestContent, envelopedDataDecryptor, null);
  PkiMessage reply = servicePkiOperation0(requestContent, decodedRequest, certProfileName, msgId, event);

  PkiStatus pkiStatus = reply.getPkiStatus();
  audit(event, CaAuditConstants.NAME_SCEP_pkiStatus, pkiStatus.toString());
  if (PkiStatus.FAILURE == pkiStatus) {
    event.setStatus(AuditStatus.FAILED);
  }
  if (reply.getFailInfo() != null) {
    audit(event, CaAuditConstants.NAME_SCEP_failInfo, reply.getFailInfo().toString());
  }

  return encodeResponse(reply, decodedRequest);
}
// method buildSignedData
/**
 * Builds the payload of a SCEP GetCRL reply: the CA's current CRL wrapped in a
 * degenerate SignedData. No signer is added to the generator, so the
 * SignedData carries only the CRL; the CRL itself is already signed by the CA
 * and the outer PKI message is signed by the responder when encoded.
 *
 * <p>{@code serialNumber} is part of the GetCRL message but is not used here:
 * the current CRL is returned whatever serial the client asked about.
 *
 * @param ca           the CA whose current CRL is returned
 * @param serialNumber serial number from the request; unused
 * @return SignedData containing only the current CRL
 * @throws FailInfoException  {@code BAD_REQUEST} if GetCRL is disabled in
 *                            {@code control} or the CA has no current CRL
 * @throws OperationException {@code SYSTEM_FAILURE} if CMS generation fails
 */
private SignedData getCrl(X509Ca ca, BigInteger serialNumber) throws FailInfoException, OperationException {
  if (!control.isSupportGetCrl()) {
    throw FailInfoException.BAD_REQUEST;
  }

  CertificateList currentCrl = ca.getBcCurrentCrl();
  if (currentCrl == null) {
    throw FailInfoException.BAD_REQUEST;
  }

  CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
  generator.addCRL(new X509CRLHolder(currentCrl));

  CMSSignedData signed;
  try {
    signed = generator.generate(new CMSAbsentContent());
  } catch (CMSException ex) {
    LogUtil.error(LOG, ex, "could not generate CMSSignedData");
    throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
  }
  return SignedData.getInstance(signed.toASN1Structure().getContent());
}
// method getCrl
/**
 * Signs and envelopes a SCEP reply for the client that sent {@code request}.
 *
 * <p>Algorithm choice follows the request: the signature algorithm is derived
 * from the requester's digest algorithm, and the reply is encrypted with the
 * requester's content-encryption algorithm to the requester's signature
 * certificate. NOTE(review): whether a floor is enforced on these
 * client-chosen algorithms (legacy SCEP clients may offer weak ones) is decided
 * inside getSignatureAlgorithm / PkiMessage.encode, not here - confirm there.
 *
 * @param response the reply to encode
 * @param request  the decoded request the reply answers
 * @return the encoded reply
 * @throws OperationException {@code SYSTEM_FAILURE} if encoding fails
 */
private ContentInfo encodeResponse(PkiMessage response, DecodedPkiMessage request) throws OperationException {
  ParamUtil.requireNonNull("response", response);
  ParamUtil.requireNonNull("request", request);

  String sigAlgo = getSignatureAlgorithm(responderKey, request.getDigestAlgorithm());

  // Optionally ship the responder certificate in the SignedData certificate set.
  X509Certificate[] certSet = null;
  if (control.isIncludeSignerCert()) {
    certSet = new X509Certificate[] { responderCert };
  }

  try {
    return response.encode(responderKey, sigAlgo, responderCert, certSet, request.getSignatureCert(), request.getContentEncryptionAlgorithm());
  } catch (MessageEncodingException ex) {
    LogUtil.error(LOG, ex, "could not encode response");
    throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
  }
}
// method pollCert
/**
 * Wraps an issued certificate - and, when configured, the CA certificate - in
 * a degenerate SignedData (certificates only, no signer), as carried in a SCEP
 * certificate reply.
 *
 * @param cert the certificate to return to the client
 * @return SignedData holding {@code cert} and optionally the CA certificate
 * @throws OperationException {@code SYSTEM_FAILURE} if the certificate cannot
 *                            be encoded or CMS generation fails
 */
private SignedData buildSignedData(X509Certificate cert) throws OperationException {
  CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
  try {
    generator.addCertificate(new X509CertificateHolder(cert.getEncoded()));

    if (control.isIncludeCaCert()) {
      // presumably reloads caCert before it is read; verify refreshCa()
      refreshCa();
      generator.addCertificate(caCert.getCertHolder());
    }

    CMSSignedData signed = generator.generate(new CMSAbsentContent());
    return SignedData.getInstance(signed.toASN1Structure().getContent());
  } catch (CMSException | IOException | CertificateEncodingException ex) {
    LogUtil.error(LOG, ex);
    throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
  }
}