use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class CertStoreQueryExecutor method revokeCert.
// method addCrl
X509CertWithRevocationInfo revokeCert(NameId ca, BigInteger serialNumber, CertRevocationInfo revInfo, boolean force, boolean publishToDeltaCrlCache, CaIdNameMap idNameMap) throws OperationException, DataAccessException {
ParamUtil.requireNonNull("ca", ca);
ParamUtil.requireNonNull("serialNumber", serialNumber);
ParamUtil.requireNonNull("revInfo", revInfo);
X509CertWithRevocationInfo certWithRevInfo = getCertWithRevocationInfo(ca, serialNumber, idNameMap);
if (certWithRevInfo == null) {
LOG.warn("certificate with CA={} and serialNumber={} does not exist", ca.getName(), LogUtil.formatCsn(serialNumber));
return null;
}
CertRevocationInfo currentRevInfo = certWithRevInfo.getRevInfo();
if (currentRevInfo != null) {
CrlReason currentReason = currentRevInfo.getReason();
if (currentReason == CrlReason.CERTIFICATE_HOLD) {
if (revInfo.getReason() == CrlReason.CERTIFICATE_HOLD) {
throw new OperationException(ErrorCode.CERT_REVOKED, "certificate already revoked with the requested reason " + currentReason.getDescription());
} else {
revInfo.setRevocationTime(currentRevInfo.getRevocationTime());
revInfo.setInvalidityTime(currentRevInfo.getInvalidityTime());
}
} else if (!force) {
throw new OperationException(ErrorCode.CERT_REVOKED, "certificate already revoked with reason " + currentReason.getDescription());
}
}
long certId = certWithRevInfo.getCert().getCertId().longValue();
long revTimeSeconds = revInfo.getRevocationTime().getTime() / 1000;
Long invTimeSeconds = null;
if (revInfo.getInvalidityTime() != null) {
invTimeSeconds = revInfo.getInvalidityTime().getTime() / 1000;
}
PreparedStatement ps = borrowPreparedStatement(SQLs.SQL_REVOKE_CERT);
try {
int idx = 1;
ps.setLong(idx++, System.currentTimeMillis() / 1000);
setBoolean(ps, idx++, true);
ps.setLong(idx++, revTimeSeconds);
setLong(ps, idx++, invTimeSeconds);
ps.setInt(idx++, revInfo.getReason().getCode());
ps.setLong(idx++, certId);
int count = ps.executeUpdate();
if (count != 1) {
String message = (count > 1) ? count + " rows modified, but exactly one is expected" : "no row is modified, but exactly one is expected";
throw new OperationException(ErrorCode.SYSTEM_FAILURE, message);
}
} catch (SQLException ex) {
throw datasource.translate(SQLs.SQL_REVOKE_CERT, ex);
} finally {
releaseDbResources(ps, null);
}
if (publishToDeltaCrlCache) {
publishToDeltaCrlCache(ca, certWithRevInfo.getCert().getCert().getSerialNumber());
}
certWithRevInfo.setRevInfo(revInfo);
return certWithRevInfo;
}
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class CertStoreQueryExecutor method getCertWithRevocationInfo.
// method getCertForId
X509CertWithRevocationInfo getCertWithRevocationInfo(NameId ca, BigInteger serial, CaIdNameMap idNameMap) throws DataAccessException, OperationException {
ParamUtil.requireNonNull("ca", ca);
ParamUtil.requireNonNull("serial", serial);
ParamUtil.requireNonNull("idNameMap", idNameMap);
final String sql = sqls.sqlCertWithRevInfo;
long certId;
String b64Cert;
boolean revoked;
int revReason = 0;
long revTime = 0;
long revInvTime = 0;
int certprofileId = 0;
ResultSet rs = null;
PreparedStatement ps = borrowPreparedStatement(sql);
try {
int idx = 1;
ps.setInt(idx++, ca.getId());
ps.setString(idx++, serial.toString(16));
rs = ps.executeQuery();
if (!rs.next()) {
return null;
}
certId = rs.getLong("ID");
b64Cert = rs.getString("CERT");
certprofileId = rs.getInt("PID");
revoked = rs.getBoolean("REV");
if (revoked) {
revReason = rs.getInt("RR");
revTime = rs.getLong("RT");
revInvTime = rs.getLong("RIT");
}
} catch (SQLException ex) {
throw datasource.translate(sql, ex);
} finally {
releaseDbResources(ps, null);
}
byte[] certBytes = Base64.decodeFast(b64Cert);
X509Certificate cert;
try {
cert = X509Util.parseCert(certBytes);
} catch (CertificateException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
}
CertRevocationInfo revInfo = null;
if (revoked) {
Date invalidityTime = (revInvTime == 0) ? null : new Date(1000 * revInvTime);
revInfo = new CertRevocationInfo(revReason, new Date(1000 * revTime), invalidityTime);
}
X509CertWithDbId certWithMeta = new X509CertWithDbId(cert, certBytes);
certWithMeta.setCertId(certId);
String profileName = idNameMap.getCertprofileName(certprofileId);
X509CertWithRevocationInfo ret = new X509CertWithRevocationInfo();
ret.setCertprofile(profileName);
ret.setCert(certWithMeta);
ret.setRevInfo(revInfo);
return ret;
}
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class CaManagerImpl method getCurrentCrl.
// method getCrl
@Override
public X509CRL getCurrentCrl(String caName) throws CaMgmtException {
caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
X509Ca ca = getX509Ca(caName);
try {
X509CRL crl = ca.getCurrentCrl();
if (crl == null) {
LOG.warn("found no CRL for CA {}", caName);
}
return crl;
} catch (OperationException ex) {
throw new CaMgmtException(ex.getMessage(), ex);
}
}
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class CaManagerImpl method unrevokeCertificate.
// method revokeCertificate
@Override
public void unrevokeCertificate(String caName, BigInteger serialNumber) throws CaMgmtException {
caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
ParamUtil.requireNonNull("serialNumber", serialNumber);
X509Ca ca = getX509Ca(caName);
try {
if (ca.unrevokeCertificate(serialNumber, CaAuditConstants.MSGID_ca_mgmt) == null) {
throw new CaMgmtException("could not unrevoke non-existing certificate");
}
} catch (OperationException ex) {
throw new CaMgmtException(ex.getMessage(), ex);
}
}
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class CaManagerImpl method startCa.
// method startCaSystem0
private boolean startCa(String caName) {
X509CaInfo caEntry = caInfos.get(caName);
ConfPairs extraControl = caEntry.getCaEntry().getExtraControl();
if (extraControl != null) {
String str = extraControl.value(RevokeSuspendedCertsControl.KEY_REVOCATION_ENABLED);
boolean enabled = false;
if (str != null) {
enabled = Boolean.parseBoolean(str);
}
if (enabled) {
str = extraControl.value(RevokeSuspendedCertsControl.KEY_REVOCATION_REASON);
CrlReason reason = (str == null) ? CrlReason.CESSATION_OF_OPERATION : CrlReason.forNameOrText(str);
str = extraControl.value(RevokeSuspendedCertsControl.KEY_UNCHANGED_SINCE);
CertValidity unchangedSince = (str == null) ? new CertValidity(15, Unit.DAY) : CertValidity.getInstance(str);
RevokeSuspendedCertsControl control = new RevokeSuspendedCertsControl(reason, unchangedSince);
caEntry.setRevokeSuspendedCertsControl(control);
}
}
boolean signerRequired = caEntry.isSignerRequired();
X509CrlSignerEntryWrapper crlSignerEntry = null;
String crlSignerName = caEntry.getCrlSignerName();
// CRL will be generated only in master mode
if (signerRequired && masterMode && crlSignerName != null) {
crlSignerEntry = crlSigners.get(crlSignerName);
try {
crlSignerEntry.getDbEntry().setConfFaulty(true);
crlSignerEntry.initSigner(securityFactory);
crlSignerEntry.getDbEntry().setConfFaulty(false);
} catch (XiSecurityException | OperationException | InvalidConfException ex) {
LogUtil.error(LOG, ex, concat("X09CrlSignerEntryWrapper.initSigner (name=", crlSignerName, ")"));
return false;
}
}
X509Ca ca;
try {
ca = new X509Ca(this, caEntry, certstore);
ca.setAuditServiceRegister(auditServiceRegister);
} catch (OperationException ex) {
LogUtil.error(LOG, ex, concat("X509CA.<init> (ca=", caName, ")"));
return false;
}
x509cas.put(caName, ca);
X509CaCmpResponderImpl caResponder = new X509CaCmpResponderImpl(this, caName);
x509Responders.put(caName, caResponder);
return true;
}
Aggregations