Search in sources :

Example 31 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class CertStoreQueryExecutor method revokeCert.

// method addCrl
X509CertWithRevocationInfo revokeCert(NameId ca, BigInteger serialNumber, CertRevocationInfo revInfo, boolean force, boolean publishToDeltaCrlCache, CaIdNameMap idNameMap) throws OperationException, DataAccessException {
    ParamUtil.requireNonNull("ca", ca);
    ParamUtil.requireNonNull("serialNumber", serialNumber);
    ParamUtil.requireNonNull("revInfo", revInfo);
    X509CertWithRevocationInfo certWithRevInfo = getCertWithRevocationInfo(ca, serialNumber, idNameMap);
    if (certWithRevInfo == null) {
        LOG.warn("certificate with CA={} and serialNumber={} does not exist", ca.getName(), LogUtil.formatCsn(serialNumber));
        return null;
    }
    CertRevocationInfo currentRevInfo = certWithRevInfo.getRevInfo();
    if (currentRevInfo != null) {
        CrlReason currentReason = currentRevInfo.getReason();
        if (currentReason == CrlReason.CERTIFICATE_HOLD) {
            if (revInfo.getReason() == CrlReason.CERTIFICATE_HOLD) {
                throw new OperationException(ErrorCode.CERT_REVOKED, "certificate already revoked with the requested reason " + currentReason.getDescription());
            } else {
                revInfo.setRevocationTime(currentRevInfo.getRevocationTime());
                revInfo.setInvalidityTime(currentRevInfo.getInvalidityTime());
            }
        } else if (!force) {
            throw new OperationException(ErrorCode.CERT_REVOKED, "certificate already revoked with reason " + currentReason.getDescription());
        }
    }
    long certId = certWithRevInfo.getCert().getCertId().longValue();
    long revTimeSeconds = revInfo.getRevocationTime().getTime() / 1000;
    Long invTimeSeconds = null;
    if (revInfo.getInvalidityTime() != null) {
        invTimeSeconds = revInfo.getInvalidityTime().getTime() / 1000;
    }
    PreparedStatement ps = borrowPreparedStatement(SQLs.SQL_REVOKE_CERT);
    try {
        int idx = 1;
        ps.setLong(idx++, System.currentTimeMillis() / 1000);
        setBoolean(ps, idx++, true);
        ps.setLong(idx++, revTimeSeconds);
        setLong(ps, idx++, invTimeSeconds);
        ps.setInt(idx++, revInfo.getReason().getCode());
        ps.setLong(idx++, certId);
        int count = ps.executeUpdate();
        if (count != 1) {
            String message = (count > 1) ? count + " rows modified, but exactly one is expected" : "no row is modified, but exactly one is expected";
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, message);
        }
    } catch (SQLException ex) {
        throw datasource.translate(SQLs.SQL_REVOKE_CERT, ex);
    } finally {
        releaseDbResources(ps, null);
    }
    if (publishToDeltaCrlCache) {
        publishToDeltaCrlCache(ca, certWithRevInfo.getCert().getCert().getSerialNumber());
    }
    certWithRevInfo.setRevInfo(revInfo);
    return certWithRevInfo;
}
Also used : CertRevocationInfo(org.xipki.security.CertRevocationInfo) SQLException(java.sql.SQLException) PreparedStatement(java.sql.PreparedStatement) CrlReason(org.xipki.security.CrlReason) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DEROctetString(org.bouncycastle.asn1.DEROctetString) OperationException(org.xipki.ca.api.OperationException)

Example 32 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class CertStoreQueryExecutor method getCertWithRevocationInfo.

// method getCertForId
X509CertWithRevocationInfo getCertWithRevocationInfo(NameId ca, BigInteger serial, CaIdNameMap idNameMap) throws DataAccessException, OperationException {
    ParamUtil.requireNonNull("ca", ca);
    ParamUtil.requireNonNull("serial", serial);
    ParamUtil.requireNonNull("idNameMap", idNameMap);
    final String sql = sqls.sqlCertWithRevInfo;
    long certId;
    String b64Cert;
    boolean revoked;
    int revReason = 0;
    long revTime = 0;
    long revInvTime = 0;
    int certprofileId = 0;
    ResultSet rs = null;
    PreparedStatement ps = borrowPreparedStatement(sql);
    try {
        int idx = 1;
        ps.setInt(idx++, ca.getId());
        ps.setString(idx++, serial.toString(16));
        rs = ps.executeQuery();
        if (!rs.next()) {
            return null;
        }
        certId = rs.getLong("ID");
        b64Cert = rs.getString("CERT");
        certprofileId = rs.getInt("PID");
        revoked = rs.getBoolean("REV");
        if (revoked) {
            revReason = rs.getInt("RR");
            revTime = rs.getLong("RT");
            revInvTime = rs.getLong("RIT");
        }
    } catch (SQLException ex) {
        throw datasource.translate(sql, ex);
    } finally {
        releaseDbResources(ps, null);
    }
    byte[] certBytes = Base64.decodeFast(b64Cert);
    X509Certificate cert;
    try {
        cert = X509Util.parseCert(certBytes);
    } catch (CertificateException ex) {
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
    CertRevocationInfo revInfo = null;
    if (revoked) {
        Date invalidityTime = (revInvTime == 0) ? null : new Date(1000 * revInvTime);
        revInfo = new CertRevocationInfo(revReason, new Date(1000 * revTime), invalidityTime);
    }
    X509CertWithDbId certWithMeta = new X509CertWithDbId(cert, certBytes);
    certWithMeta.setCertId(certId);
    String profileName = idNameMap.getCertprofileName(certprofileId);
    X509CertWithRevocationInfo ret = new X509CertWithRevocationInfo();
    ret.setCertprofile(profileName);
    ret.setCert(certWithMeta);
    ret.setRevInfo(revInfo);
    return ret;
}
Also used : SQLException(java.sql.SQLException) PreparedStatement(java.sql.PreparedStatement) CertificateException(java.security.cert.CertificateException) X509CertWithDbId(org.xipki.ca.api.X509CertWithDbId) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DEROctetString(org.bouncycastle.asn1.DEROctetString) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) CertRevocationInfo(org.xipki.security.CertRevocationInfo) ResultSet(java.sql.ResultSet) OperationException(org.xipki.ca.api.OperationException)

Example 33 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class CaManagerImpl method getCurrentCrl.

// method getCrl
@Override
public X509CRL getCurrentCrl(String caName) throws CaMgmtException {
    caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    X509Ca ca = getX509Ca(caName);
    try {
        X509CRL crl = ca.getCurrentCrl();
        if (crl == null) {
            LOG.warn("found no CRL for CA {}", caName);
        }
        return crl;
    } catch (OperationException ex) {
        throw new CaMgmtException(ex.getMessage(), ex);
    }
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) X509CRL(java.security.cert.X509CRL) OperationException(org.xipki.ca.api.OperationException)

Example 34 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class CaManagerImpl method unrevokeCertificate.

// method revokeCertificate
@Override
public void unrevokeCertificate(String caName, BigInteger serialNumber) throws CaMgmtException {
    caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    ParamUtil.requireNonNull("serialNumber", serialNumber);
    X509Ca ca = getX509Ca(caName);
    try {
        if (ca.unrevokeCertificate(serialNumber, CaAuditConstants.MSGID_ca_mgmt) == null) {
            throw new CaMgmtException("could not unrevoke non-existing certificate");
        }
    } catch (OperationException ex) {
        throw new CaMgmtException(ex.getMessage(), ex);
    }
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) OperationException(org.xipki.ca.api.OperationException)

Example 35 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class CaManagerImpl method startCa.

// method startCaSystem0
private boolean startCa(String caName) {
    X509CaInfo caEntry = caInfos.get(caName);
    ConfPairs extraControl = caEntry.getCaEntry().getExtraControl();
    if (extraControl != null) {
        String str = extraControl.value(RevokeSuspendedCertsControl.KEY_REVOCATION_ENABLED);
        boolean enabled = false;
        if (str != null) {
            enabled = Boolean.parseBoolean(str);
        }
        if (enabled) {
            str = extraControl.value(RevokeSuspendedCertsControl.KEY_REVOCATION_REASON);
            CrlReason reason = (str == null) ? CrlReason.CESSATION_OF_OPERATION : CrlReason.forNameOrText(str);
            str = extraControl.value(RevokeSuspendedCertsControl.KEY_UNCHANGED_SINCE);
            CertValidity unchangedSince = (str == null) ? new CertValidity(15, Unit.DAY) : CertValidity.getInstance(str);
            RevokeSuspendedCertsControl control = new RevokeSuspendedCertsControl(reason, unchangedSince);
            caEntry.setRevokeSuspendedCertsControl(control);
        }
    }
    boolean signerRequired = caEntry.isSignerRequired();
    X509CrlSignerEntryWrapper crlSignerEntry = null;
    String crlSignerName = caEntry.getCrlSignerName();
    // CRL will be generated only in master mode
    if (signerRequired && masterMode && crlSignerName != null) {
        crlSignerEntry = crlSigners.get(crlSignerName);
        try {
            crlSignerEntry.getDbEntry().setConfFaulty(true);
            crlSignerEntry.initSigner(securityFactory);
            crlSignerEntry.getDbEntry().setConfFaulty(false);
        } catch (XiSecurityException | OperationException | InvalidConfException ex) {
            LogUtil.error(LOG, ex, concat("X09CrlSignerEntryWrapper.initSigner (name=", crlSignerName, ")"));
            return false;
        }
    }
    X509Ca ca;
    try {
        ca = new X509Ca(this, caEntry, certstore);
        ca.setAuditServiceRegister(auditServiceRegister);
    } catch (OperationException ex) {
        LogUtil.error(LOG, ex, concat("X509CA.<init> (ca=", caName, ")"));
        return false;
    }
    x509cas.put(caName, ca);
    X509CaCmpResponderImpl caResponder = new X509CaCmpResponderImpl(this, caName);
    x509Responders.put(caName, caResponder);
    return true;
}
Also used : X509CaCmpResponderImpl(org.xipki.ca.server.impl.cmp.X509CaCmpResponderImpl) CertValidity(org.xipki.ca.api.profile.CertValidity) RevokeSuspendedCertsControl(org.xipki.ca.server.mgmt.api.x509.RevokeSuspendedCertsControl) ConfPairs(org.xipki.common.ConfPairs) InvalidConfException(org.xipki.common.InvalidConfException) XiSecurityException(org.xipki.security.exception.XiSecurityException) CrlReason(org.xipki.security.CrlReason) OperationException(org.xipki.ca.api.OperationException)

Aggregations

OperationException (org.xipki.ca.api.OperationException)70 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)20 CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)19 Date (java.util.Date)16 BigInteger (java.math.BigInteger)15 X509Certificate (java.security.cert.X509Certificate)15 CertificateException (java.security.cert.CertificateException)13 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)13 X509Ca (org.xipki.ca.server.impl.X509Ca)13 PreparedStatement (java.sql.PreparedStatement)12 SQLException (java.sql.SQLException)12 IOException (java.io.IOException)11 X509CertificateInfo (org.xipki.ca.api.publisher.x509.X509CertificateInfo)11 DEROctetString (org.bouncycastle.asn1.DEROctetString)10 X500Name (org.bouncycastle.asn1.x500.X500Name)10 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)10 IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)10 CrlReason (org.xipki.security.CrlReason)10 AuditEvent (org.xipki.audit.AuditEvent)9 NameId (org.xipki.ca.api.NameId)9