
Example 21 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

Class OcspStoreQueryExecutor, method addOrUpdateCert.

/**
 * Adds the certificate to the OCSP store's CERT table or, when a row for this
 * (issuer, serial number) already exists, only updates its revocation state.
 *
 * @param issuer the issuing CA certificate; must not be null
 * @param certificate the certificate to publish, carrying its DB id and DER encoding
 * @param certprofile name of the certificate profile, stored as given
 * @param revInfo revocation details, or null if the certificate is not revoked
 * @throws DataAccessException for SQL failures translated by the datasource
 * @throws OperationException for any non-SQL failure while executing the INSERT
 */
private void addOrUpdateCert(X509Cert issuer, X509CertWithDbId certificate, String certprofile, CertRevocationInfo revInfo) throws DataAccessException, OperationException {
    ParamUtil.requireNonNull("issuer", issuer);
    // A null revInfo means "good"; non-null means revoked and selects the wider INSERT.
    boolean revoked = (revInfo != null);
    int issuerId = getIssuerId(issuer);
    BigInteger serialNumber = certificate.getCert().getSerialNumber();
    // Id of an existing row for this (issuer, serial), or null if none.
    Long certRegisteredId = getCertId(issuerId, serialNumber);
    // Good certificate that is already registered while good certs are not
    // published: leave the stored row untouched.
    // NOTE(review): an unregistered good cert still reaches the INSERT below even
    // when publishGoodCerts is false -- presumably the caller filters those; confirm.
    if (!publishGoodCerts && !revoked && certRegisteredId != null) {
        return;
    }
    // Already known: only the revocation columns change.
    if (certRegisteredId != null) {
        updateRegisteredCert(certRegisteredId, revInfo);
        return;
    }
    // The revoked variant of the statement has three extra revocation columns,
    // bound last (see the `if (revoked)` block below).
    final String sql = revoked ? SQL_ADD_REVOKED_CERT : SQL_ADD_CERT;
    long certId = certificate.getCertId();
    byte[] encodedCert = certificate.getEncodedCert();
    // Base64 hash of the DER encoding, computed with the configured certhashAlgo.
    String certHash = certhashAlgo.base64Hash(encodedCert);
    // All timestamps are stored as whole seconds since the epoch.
    long currentTimeSeconds = System.currentTimeMillis() / 1000;
    X509Certificate cert = certificate.getCert();
    long notBeforeSeconds = cert.getNotBefore().getTime() / 1000;
    long notAfterSeconds = cert.getNotAfter().getTime() / 1000;
    // The subject is truncated to maxX500nameLen for storage; the stored value may
    // therefore be incomplete and must not be used for exact matching.
    String cuttedSubject = X509Util.cutText(certificate.getSubject(), maxX500nameLen);
    PreparedStatement ps = borrowPreparedStatement(sql);
    try {
        // CERT
        // Bind order must match the column order of SQL_ADD_CERT / SQL_ADD_REVOKED_CERT;
        // do not reorder these calls.
        int idx = 1;
        ps.setLong(idx++, certId);
        ps.setLong(idx++, currentTimeSeconds);
        // Serial stored as unpadded lower-case hex; the lookup in getCertId presumably
        // uses the same representation -- verify if either side changes.
        ps.setString(idx++, serialNumber.toString(16));
        ps.setLong(idx++, notBeforeSeconds);
        ps.setLong(idx++, notAfterSeconds);
        setBoolean(ps, idx++, revoked);
        ps.setInt(idx++, issuerId);
        ps.setString(idx++, certprofile);
        ps.setString(idx++, certHash);
        ps.setString(idx++, cuttedSubject);
        if (revoked) {
            long revTime = revInfo.getRevocationTime().getTime() / 1000;
            ps.setLong(idx++, revTime);
            // Invalidity time is optional; store SQL NULL when absent.
            if (revInfo.getInvalidityTime() != null) {
                ps.setLong(idx++, revInfo.getInvalidityTime().getTime() / 1000);
            } else {
                ps.setNull(idx++, Types.BIGINT);
            }
            // A missing reason is stored as code 0 ("unspecified").
            int reasonCode = (revInfo.getReason() == null) ? 0 : revInfo.getReason().getCode();
            ps.setInt(idx++, reasonCode);
        }
        try {
            ps.executeUpdate();
        } catch (Throwable th) {
            // more secure: Throwable (not just SQLException) is caught so that even an
            // Error triggers the cleanup. Any partially written CERT row with this id is
            // removed, because a leftover row would make the next call for this
            // certificate take the "already registered" path above.
            // NOTE(review): if deleteFromTable itself throws, the original failure `th`
            // is lost.
            datasource.deleteFromTable(null, "CERT", "ID", certId);
            if (th instanceof SQLException) {
                SQLException ex = (SQLException) th;
                // Only the message goes to the log; the SQLException itself is handed
                // to translate() for the rethrown exception.
                LOG.error("datasource {} could not add certificate with id {}: {}", datasource.getName(), certId, th.getMessage());
                throw datasource.translate(sql, ex);
            } else {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, th);
            }
        }
    } catch (SQLException ex) {
        // Failures raised by the setXxx binding calls above (no row was written).
        throw datasource.translate(null, ex);
    } finally {
        // Always hand the borrowed statement back to the datasource.
        datasource.releaseResources(ps, null);
    }
}

Example 22 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

Class ScepImpl, method servicePkiOperation.

/**
 * Entry point for a SCEP PKIOperation: decodes the request, dispatches it, audits the
 * outcome and returns the encoded (signed and encrypted) response.
 *
 * @param requestContent the client's PKCS#7 request
 * @param certProfileName certificate profile to enroll against
 * @param msgId message id used for auditing / correlation
 * @param event audit event that receives pkiStatus, failInfo and the final status
 * @return the encoded SCEP response
 * @throws MessageDecodingException if the request cannot be decoded; nothing is
 *     audited here in that case -- presumably the caller records it
 * @throws OperationException if the CA is not ACTIVE (SYSTEM_UNAVAILABLE) or the
 *     response cannot be produced
 */
public ContentInfo servicePkiOperation(CMSSignedData requestContent, String certProfileName, String msgId, AuditEvent event) throws MessageDecodingException, OperationException {
    // Refuse to serve anything unless the CA is ACTIVE.
    if (getStatus() != CaStatus.ACTIVE) {
        LOG.warn("SCEP {} is not active", caIdent);
        throw new OperationException(ErrorCode.SYSTEM_UNAVAILABLE);
    }
    // Decode/decrypt with the responder's decryptor. No extra certificate store is
    // supplied (null), so the signer certificate has to be carried inside the
    // SignedData itself. NOTE(review): whether a failed signature check performed by
    // decode() is acted upon is decided in servicePkiOperation0, not here -- confirm.
    DecodedPkiMessage decodedReq = DecodedPkiMessage.decode(requestContent, envelopedDataDecryptor, null);
    PkiMessage reply = servicePkiOperation0(requestContent, decodedReq, certProfileName, msgId, event);

    // Audit trail: always record pkiStatus, flag the event FAILED on FAILURE, and
    // record failInfo whenever one is present.
    PkiStatus pkiStatus = reply.getPkiStatus();
    audit(event, CaAuditConstants.NAME_SCEP_pkiStatus, pkiStatus.toString());
    if (pkiStatus == PkiStatus.FAILURE) {
        event.setStatus(AuditStatus.FAILED);
    }
    if (reply.getFailInfo() != null) {
        audit(event, CaAuditConstants.NAME_SCEP_failInfo, reply.getFailInfo().toString());
    }
    // Sign with the responder key and encrypt for the requester (see encodeResponse).
    return encodeResponse(reply, decodedReq);
}

Example 23 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

Class ScepImpl, method getCrl.

// (end-of-method marker for buildSignedData, which precedes getCrl in ScepImpl)
/**
 * Serves the SCEP GetCRL operation by wrapping the CA's current CRL in a
 * certs/CRLs-only SignedData.
 *
 * @param ca the CA whose current CRL is returned
 * @param serialNumber serial number from the request; accepted but not used here
 * @return a degenerate SignedData containing only the CRL
 * @throws FailInfoException BAD_REQUEST if GetCRL is disabled or no current CRL exists
 * @throws OperationException SYSTEM_FAILURE if the CMS structure cannot be generated
 */
private SignedData getCrl(X509Ca ca, BigInteger serialNumber) throws FailInfoException, OperationException {
    // GetCRL is optional in SCEP; it is refused unless enabled by configuration.
    if (!control.isSupportGetCrl()) {
        throw FailInfoException.BAD_REQUEST;
    }
    // The CRL is only fetched once the operation is known to be permitted.
    CertificateList currentCrl = ca.getBcCurrentCrl();
    if (currentCrl == null) {
        throw FailInfoException.BAD_REQUEST;
    }
    // No SignerInfo is added, so this SignedData is itself unsigned (degenerate form).
    // Integrity rests on the CA signature inside the CRL and on the outer response
    // signature applied in encodeResponse.
    CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    gen.addCRL(new X509CRLHolder(currentCrl));
    try {
        CMSSignedData cms = gen.generate(new CMSAbsentContent());
        return SignedData.getInstance(cms.toASN1Structure().getContent());
    } catch (CMSException ex) {
        LogUtil.error(LOG, ex, "could not generate CMSSignedData");
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
}

Example 24 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

Class ScepImpl, method encodeResponse.

// (end-of-method marker for getCrl, which precedes encodeResponse in ScepImpl)
/**
 * Signs the SCEP response with the responder key and encrypts it for the requester.
 *
 * @param response the PKI message to send back
 * @param request the decoded request; supplies the requester's certificate and the
 *     digest / content-encryption algorithms it used
 * @return the encoded CMS ContentInfo
 * @throws OperationException SYSTEM_FAILURE if encoding fails
 */
private ContentInfo encodeResponse(PkiMessage response, DecodedPkiMessage request) throws OperationException {
    ParamUtil.requireNonNull("response", response);
    ParamUtil.requireNonNull("request", request);
    // The signature algorithm is derived from the digest algorithm the client used.
    // NOTE(review): both the digest and the content-encryption algorithm are echoed
    // from the client's request; rejecting weak choices (e.g. MD5/SHA-1, DES) has to
    // happen where the request is validated, not here -- confirm that policy exists.
    String sigAlg = getSignatureAlgorithm(responderKey, request.getDigestAlgorithm());
    // Embed the responder certificate in the CMS only when configured to do so.
    X509Certificate[] signerCerts = null;
    if (control.isIncludeSignerCert()) {
        signerCerts = new X509Certificate[] { responderCert };
    }
    try {
        // Encrypted for the certificate the client signed its request with.
        return response.encode(responderKey, sigAlg, responderCert, signerCerts, request.getSignatureCert(), request.getContentEncryptionAlgorithm());
    } catch (MessageEncodingException ex) {
        LogUtil.error(LOG, ex, "could not encode response");
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
}

Example 25 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

Class ScepImpl, method buildSignedData.

// (end-of-method marker for pollCert, which precedes buildSignedData in ScepImpl)
/**
 * Wraps an issued certificate, plus the CA certificate when configured, in a
 * certs-only SignedData for the SCEP response.
 *
 * @param cert the certificate to deliver to the client
 * @return a degenerate SignedData holding the certificate(s)
 * @throws OperationException SYSTEM_FAILURE if the certificate cannot be encoded or
 *     the CMS structure cannot be generated
 */
private SignedData buildSignedData(X509Certificate cert) throws OperationException {
    // No SignerInfo is added, so this container is unsigned by itself; the outer
    // SCEP response is signed later in encodeResponse.
    try {
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addCertificate(new X509CertificateHolder(cert.getEncoded()));
        if (control.isIncludeCaCert()) {
            // Refresh first so the embedded CA certificate is current.
            // NOTE(review): assumes refreshCa() updates caCert -- confirm.
            refreshCa();
            gen.addCertificate(caCert.getCertHolder());
        }
        CMSSignedData cms = gen.generate(new CMSAbsentContent());
        return SignedData.getInstance(cms.toASN1Structure().getContent());
    } catch (CMSException | IOException | CertificateEncodingException ex) {
        LogUtil.error(LOG, ex);
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
}
