Search in sources :

Example 41 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class CaManagerQueryExecutor method createCaInfo.

// method createResponder
X509CaInfo createCaInfo(String name, boolean masterMode, CertificateStore certstore) throws CaMgmtException {
    final String sql = sqls.sqlSelectCa;
    PreparedStatement stmt = null;
    ResultSet rs = null;
    try {
        stmt = prepareStatement(sql);
        stmt.setString(1, name);
        rs = stmt.executeQuery();
        if (!rs.next()) {
            throw new CaMgmtException("uknown CA " + name);
        }
        int artCode = rs.getInt("ART");
        if (artCode != CertArt.X509PKC.getCode()) {
            throw new CaMgmtException("CA " + name + " is not X509CA, and is not supported");
        }
        String crlUris = rs.getString("CRL_URIS");
        String deltaCrlUris = rs.getString("DELTACRL_URIS");
        CertRevocationInfo revocationInfo = null;
        boolean revoked = rs.getBoolean("REV");
        if (revoked) {
            int revReason = rs.getInt("RR");
            long revTime = rs.getInt("RT");
            long revInvalidityTime = rs.getInt("RIT");
            Date revInvTime = (revInvalidityTime == 0) ? null : new Date(revInvalidityTime * 1000);
            revocationInfo = new CertRevocationInfo(revReason, new Date(revTime * 1000), revInvTime);
        }
        List<String> tmpCrlUris = null;
        if (StringUtil.isNotBlank(crlUris)) {
            tmpCrlUris = StringUtil.splitByComma(crlUris);
        }
        List<String> tmpDeltaCrlUris = null;
        if (StringUtil.isNotBlank(deltaCrlUris)) {
            tmpDeltaCrlUris = StringUtil.splitByComma(deltaCrlUris);
        }
        String ocspUris = rs.getString("OCSP_URIS");
        List<String> tmpOcspUris = null;
        if (StringUtil.isNotBlank(ocspUris)) {
            tmpOcspUris = StringUtil.splitByComma(ocspUris);
        }
        String caCertUris = rs.getString("CACERT_URIS");
        List<String> tmpCaCertUris = null;
        if (StringUtil.isNotBlank(caCertUris)) {
            tmpCaCertUris = StringUtil.splitByComma(caCertUris);
        }
        X509CaUris caUris = new X509CaUris(tmpCaCertUris, tmpOcspUris, tmpCrlUris, tmpDeltaCrlUris);
        int id = rs.getInt("ID");
        int serialNoSize = rs.getInt("SN_SIZE");
        long nextCrlNo = rs.getLong("NEXT_CRLNO");
        String signerType = rs.getString("SIGNER_TYPE");
        String signerConf = rs.getString("SIGNER_CONF");
        int numCrls = rs.getInt("NUM_CRLS");
        int expirationPeriod = rs.getInt("EXPIRATION_PERIOD");
        X509CaEntry entry = new X509CaEntry(new NameId(id, name), serialNoSize, nextCrlNo, signerType, signerConf, caUris, numCrls, expirationPeriod);
        String b64cert = rs.getString("CERT");
        X509Certificate cert = generateCert(b64cert);
        entry.setCert(cert);
        String status = rs.getString("STATUS");
        CaStatus caStatus = CaStatus.forName(status);
        entry.setStatus(caStatus);
        String maxValidityS = rs.getString("MAX_VALIDITY");
        CertValidity maxValidity = CertValidity.getInstance(maxValidityS);
        entry.setMaxValidity(maxValidity);
        int keepExpiredCertDays = rs.getInt("KEEP_EXPIRED_CERT_DAYS");
        entry.setKeepExpiredCertInDays(keepExpiredCertDays);
        String crlsignerName = rs.getString("CRLSIGNER_NAME");
        if (StringUtil.isNotBlank(crlsignerName)) {
            entry.setCrlSignerName(crlsignerName);
        }
        String responderName = rs.getString("RESPONDER_NAME");
        if (StringUtil.isNotBlank(responderName)) {
            entry.setResponderName(responderName);
        }
        String extraControl = rs.getString("EXTRA_CONTROL");
        if (StringUtil.isNotBlank(extraControl)) {
            entry.setExtraControl(new ConfPairs(extraControl).unmodifiable());
        }
        String cmpcontrolName = rs.getString("CMPCONTROL_NAME");
        if (StringUtil.isNotBlank(cmpcontrolName)) {
            entry.setCmpControlName(cmpcontrolName);
        }
        boolean duplicateKeyPermitted = (rs.getInt("DUPLICATE_KEY") != 0);
        entry.setDuplicateKeyPermitted(duplicateKeyPermitted);
        boolean duplicateSubjectPermitted = (rs.getInt("DUPLICATE_SUBJECT") != 0);
        entry.setDuplicateSubjectPermitted(duplicateSubjectPermitted);
        boolean saveReq = (rs.getInt("SAVE_REQ") != 0);
        entry.setSaveRequest(saveReq);
        int permission = rs.getInt("PERMISSION");
        entry.setPermission(permission);
        entry.setRevocationInfo(revocationInfo);
        String validityModeS = rs.getString("VALIDITY_MODE");
        ValidityMode validityMode = null;
        if (validityModeS != null) {
            validityMode = ValidityMode.forName(validityModeS);
        }
        if (validityMode == null) {
            validityMode = ValidityMode.STRICT;
        }
        entry.setValidityMode(validityMode);
        try {
            return new X509CaInfo(entry, certstore);
        } catch (OperationException ex) {
            throw new CaMgmtException(ex);
        }
    } catch (SQLException ex) {
        throw new CaMgmtException(datasource, sql, ex);
    } finally {
        datasource.releaseResources(stmt, rs);
    }
}
Also used : NameId(org.xipki.ca.api.NameId) CertValidity(org.xipki.ca.api.profile.CertValidity) SQLException(java.sql.SQLException) ConfPairs(org.xipki.common.ConfPairs) PreparedStatement(java.sql.PreparedStatement) CaStatus(org.xipki.ca.server.mgmt.api.CaStatus) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) CertRevocationInfo(org.xipki.security.CertRevocationInfo) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) X509CaUris(org.xipki.ca.server.mgmt.api.x509.X509CaUris) ValidityMode(org.xipki.ca.server.mgmt.api.ValidityMode) ResultSet(java.sql.ResultSet) OperationException(org.xipki.ca.api.OperationException) X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry)

Example 42 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509CaCmpResponderImpl method unRevokeRemoveCertificates.

private PKIBody unRevokeRemoveCertificates(PKIMessage request, RevReqContent rr, int permission, CmpControl cmpControl, String msgId) {
    RevDetails[] revContent = rr.toRevDetailsArray();
    RevRepContentBuilder repContentBuilder = new RevRepContentBuilder();
    final int n = revContent.length;
    // test the request
    for (int i = 0; i < n; i++) {
        RevDetails revDetails = revContent[i];
        CertTemplate certDetails = revDetails.getCertDetails();
        X500Name issuer = certDetails.getIssuer();
        ASN1Integer serialNumber = certDetails.getSerialNumber();
        try {
            X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
            if (issuer == null) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present");
            }
            if (!issuer.equals(caSubject)) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
            }
            if (serialNumber == null) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present");
            }
            if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null) {
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are " + "allowed, but more is specified");
            }
            if (certDetails.getExtensions() == null) {
                if (cmpControl.isRrAkiRequired()) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
                }
            } else {
                Extensions exts = certDetails.getExtensions();
                ASN1ObjectIdentifier[] oids = exts.getCriticalExtensionOIDs();
                if (oids != null) {
                    for (ASN1ObjectIdentifier oid : oids) {
                        if (!Extension.authorityKeyIdentifier.equals(oid)) {
                            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "unknown critical extension " + oid.getId());
                        }
                    }
                }
                Extension ext = exts.getExtension(Extension.authorityKeyIdentifier);
                if (ext == null) {
                    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
                } else {
                    AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(ext.getParsedValue());
                    if (aki.getKeyIdentifier() == null) {
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
                    }
                    boolean issuerMatched = true;
                    byte[] caSki = getCa().getCaInfo().getCert().getSubjectKeyIdentifier();
                    if (!Arrays.equals(caSki, aki.getKeyIdentifier())) {
                        issuerMatched = false;
                    }
                    if (issuerMatched && aki.getAuthorityCertSerialNumber() != null) {
                        BigInteger caSerial = getCa().getCaInfo().getSerialNumber();
                        if (!caSerial.equals(aki.getAuthorityCertSerialNumber())) {
                            issuerMatched = false;
                        }
                    }
                    if (issuerMatched && aki.getAuthorityCertIssuer() != null) {
                        GeneralName[] names = aki.getAuthorityCertIssuer().getNames();
                        for (GeneralName name : names) {
                            if (name.getTagNo() != GeneralName.directoryName) {
                                issuerMatched = false;
                                break;
                            }
                            if (!caSubject.equals(name.getName())) {
                                issuerMatched = false;
                                break;
                            }
                        }
                    }
                    if (!issuerMatched) {
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
                    }
                }
            }
        } catch (IllegalArgumentException ex) {
            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is not invalid");
        }
    }
    // end for
    byte[] encodedRequest = null;
    if (getCa().getCaInfo().isSaveRequest()) {
        try {
            encodedRequest = request.getEncoded();
        } catch (IOException ex) {
            LOG.warn("could not encode request");
        }
    }
    Long reqDbId = null;
    for (int i = 0; i < n; i++) {
        RevDetails revDetails = revContent[i];
        CertTemplate certDetails = revDetails.getCertDetails();
        ASN1Integer serialNumber = certDetails.getSerialNumber();
        // serialNumber is not null due to the check in the previous for-block.
        X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
        BigInteger snBigInt = serialNumber.getPositiveValue();
        CertId certId = new CertId(new GeneralName(caSubject), serialNumber);
        PKIStatusInfo status;
        try {
            Object returnedObj = null;
            Long certDbId = null;
            X509Ca ca = getCa();
            if (PermissionConstants.UNREVOKE_CERT == permission) {
                // unrevoke
                returnedObj = ca.unrevokeCertificate(snBigInt, msgId);
                if (returnedObj != null) {
                    certDbId = ((X509CertWithDbId) returnedObj).getCertId();
                }
            } else if (PermissionConstants.REMOVE_CERT == permission) {
                // remove
                returnedObj = ca.removeCertificate(snBigInt, msgId);
            } else {
                // revoke
                Date invalidityDate = null;
                CrlReason reason = null;
                Extensions crlDetails = revDetails.getCrlEntryDetails();
                if (crlDetails != null) {
                    ASN1ObjectIdentifier extId = Extension.reasonCode;
                    ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId);
                    if (extValue != null) {
                        int reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue();
                        reason = CrlReason.forReasonCode(reasonCode);
                    }
                    extId = Extension.invalidityDate;
                    extValue = crlDetails.getExtensionParsedValue(extId);
                    if (extValue != null) {
                        try {
                            invalidityDate = ASN1GeneralizedTime.getInstance(extValue).getDate();
                        } catch (ParseException ex) {
                            throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + extId.getId());
                        }
                    }
                }
                if (reason == null) {
                    reason = CrlReason.UNSPECIFIED;
                }
                returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate, msgId);
                if (returnedObj != null) {
                    certDbId = ((X509CertWithRevocationInfo) returnedObj).getCert().getCertId();
                }
            }
            if (returnedObj == null) {
                throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
            }
            if (certDbId != null && ca.getCaInfo().isSaveRequest()) {
                if (reqDbId == null) {
                    reqDbId = ca.addRequest(encodedRequest);
                }
                ca.addRequestCert(reqDbId, certDbId);
            }
            status = new PKIStatusInfo(PKIStatus.granted);
        } catch (OperationException ex) {
            ErrorCode code = ex.getErrorCode();
            LOG.warn("{}, OperationException: code={}, message={}", PermissionConstants.getTextForCode(permission), code.name(), ex.getErrorMessage());
            String errorMessage;
            switch(code) {
                case DATABASE_FAILURE:
                case SYSTEM_FAILURE:
                    errorMessage = code.name();
                    break;
                default:
                    errorMessage = code.name() + ": " + ex.getErrorMessage();
                    break;
            }
            // end switch code
            int failureInfo = getPKiFailureInfo(ex);
            status = generateRejectionStatus(failureInfo, errorMessage);
        }
        // end try
        repContentBuilder.add(status, certId);
    }
    return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build());
}
Also used : PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) X509Ca(org.xipki.ca.server.impl.X509Ca) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) Extensions(org.bouncycastle.asn1.x509.Extensions) CertTemplate(org.bouncycastle.asn1.crmf.CertTemplate) CrlReason(org.xipki.security.CrlReason) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) RevDetails(org.bouncycastle.asn1.cmp.RevDetails) OperationException(org.xipki.ca.api.OperationException) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) RevRepContentBuilder(org.bouncycastle.asn1.cmp.RevRepContentBuilder) CertId(org.bouncycastle.asn1.crmf.CertId) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) IOException(java.io.IOException) Date(java.util.Date) Extension(org.bouncycastle.asn1.x509.Extension) BigInteger(java.math.BigInteger) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ParseException(java.text.ParseException) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 43 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509CaCmpResponderImpl method removeCert.

public void removeCert(CmpRequestorInfo requestor, BigInteger serialNumber, RequestType reqType, String msgId) throws OperationException {
    ParamUtil.requireNonNull("requestor", requestor);
    try {
        checkPermission(requestor, PermissionConstants.REMOVE_CERT);
    } catch (InsuffientPermissionException ex) {
        throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
    }
    X509Ca ca = getCa();
    X509CertWithDbId returnedObj = ca.removeCertificate(serialNumber, msgId);
    if (returnedObj == null) {
        throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
    }
}
Also used : X509Ca(org.xipki.ca.server.impl.X509Ca) InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException) X509CertWithDbId(org.xipki.ca.api.X509CertWithDbId) OperationException(org.xipki.ca.api.OperationException)

Example 44 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509CaCmpResponderImpl method revokePendingCertificates.

// method confirmCertificates
private boolean revokePendingCertificates(ASN1OctetString transactionId, String msgId) {
    Set<X509CertificateInfo> remainingCerts = pendingCertPool.removeCertificates(transactionId.getOctets());
    if (CollectionUtil.isEmpty(remainingCerts)) {
        return true;
    }
    boolean successful = true;
    Date invalidityDate = new Date();
    X509Ca ca = getCa();
    for (X509CertificateInfo remainingCert : remainingCerts) {
        try {
            ca.revokeCertificate(remainingCert.getCert().getCert().getSerialNumber(), CrlReason.CESSATION_OF_OPERATION, invalidityDate, msgId);
        } catch (OperationException ex) {
            successful = false;
        }
    }
    return successful;
}
Also used : X509Ca(org.xipki.ca.server.impl.X509Ca) X509CertificateInfo(org.xipki.ca.api.publisher.x509.X509CertificateInfo) Date(java.util.Date) OperationException(org.xipki.ca.api.OperationException)

Example 45 with OperationException

use of org.xipki.ca.api.OperationException in project xipki by xipki.

the class X509CaCmpResponderImpl method generateCertificates.

// method processP10cr
private List<CertResponse> generateCertificates(List<CertTemplateData> certTemplates, List<ASN1Integer> certReqIds, CmpRequestorInfo requestor, ASN1OctetString tid, boolean keyUpdate, PKIMessage request, CmpControl cmpControl, String msgId, AuditEvent event) {
    X509Ca ca = getCa();
    final int n = certTemplates.size();
    List<CertResponse> ret = new ArrayList<>(n);
    if (cmpControl.isGroupEnroll()) {
        try {
            List<X509CertificateInfo> certInfos;
            if (keyUpdate) {
                certInfos = ca.regenerateCertificates(certTemplates, requestor, RequestType.CMP, tid.getOctets(), msgId);
            } else {
                certInfos = ca.generateCertificates(certTemplates, requestor, RequestType.CMP, tid.getOctets(), msgId);
            }
            // save the request
            Long reqDbId = null;
            if (ca.getCaInfo().isSaveRequest()) {
                try {
                    byte[] encodedRequest = request.getEncoded();
                    reqDbId = ca.addRequest(encodedRequest);
                } catch (Exception ex) {
                    LOG.warn("could not save request");
                }
            }
            for (int i = 0; i < n; i++) {
                X509CertificateInfo certInfo = certInfos.get(i);
                ret.add(postProcessCertInfo(certReqIds.get(i), certInfo, tid, cmpControl));
                if (reqDbId != null) {
                    ca.addRequestCert(reqDbId, certInfo.getCert().getCertId());
                }
            }
        } catch (OperationException ex) {
            for (int i = 0; i < n; i++) {
                ret.add(postProcessException(certReqIds.get(i), ex));
            }
        }
    } else {
        Long reqDbId = null;
        boolean savingRequestFailed = false;
        for (int i = 0; i < n; i++) {
            CertTemplateData certTemplate = certTemplates.get(i);
            ASN1Integer certReqId = certReqIds.get(i);
            X509CertificateInfo certInfo;
            try {
                if (keyUpdate) {
                    certInfo = ca.regenerateCertificate(certTemplate, requestor, RequestType.CMP, tid.getOctets(), msgId);
                } else {
                    certInfo = ca.generateCertificate(certTemplate, requestor, RequestType.CMP, tid.getOctets(), msgId);
                }
                if (ca.getCaInfo().isSaveRequest()) {
                    if (reqDbId == null && !savingRequestFailed) {
                        try {
                            byte[] encodedRequest = request.getEncoded();
                            reqDbId = ca.addRequest(encodedRequest);
                        } catch (Exception ex) {
                            savingRequestFailed = true;
                            LOG.warn("could not save request");
                        }
                    }
                    if (reqDbId != null) {
                        ca.addRequestCert(reqDbId, certInfo.getCert().getCertId());
                    }
                }
                ret.add(postProcessCertInfo(certReqId, certInfo, tid, cmpControl));
            } catch (OperationException ex) {
                ret.add(postProcessException(certReqId, ex));
            }
        }
    }
    return ret;
}
Also used : CertResponse(org.bouncycastle.asn1.cmp.CertResponse) X509Ca(org.xipki.ca.server.impl.X509Ca) ArrayList(java.util.ArrayList) X509CertificateInfo(org.xipki.ca.api.publisher.x509.X509CertificateInfo) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) IOException(java.io.IOException) OperationException(org.xipki.ca.api.OperationException) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) ParseException(java.text.ParseException) CRLException(java.security.cert.CRLException) CRMFException(org.bouncycastle.cert.crmf.CRMFException) InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException) CertTemplateData(org.xipki.ca.server.impl.CertTemplateData) OperationException(org.xipki.ca.api.OperationException)

Aggregations

OperationException (org.xipki.ca.api.OperationException)70 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)20 CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)19 Date (java.util.Date)16 BigInteger (java.math.BigInteger)15 X509Certificate (java.security.cert.X509Certificate)15 CertificateException (java.security.cert.CertificateException)13 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)13 X509Ca (org.xipki.ca.server.impl.X509Ca)13 PreparedStatement (java.sql.PreparedStatement)12 SQLException (java.sql.SQLException)12 IOException (java.io.IOException)11 X509CertificateInfo (org.xipki.ca.api.publisher.x509.X509CertificateInfo)11 DEROctetString (org.bouncycastle.asn1.DEROctetString)10 X500Name (org.bouncycastle.asn1.x500.X500Name)10 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)10 IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)10 CrlReason (org.xipki.security.CrlReason)10 AuditEvent (org.xipki.audit.AuditEvent)9 NameId (org.xipki.ca.api.NameId)9