use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class CaManagerQueryExecutor method createCaInfo.
// method createResponder
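/**
 * Loads the CA named {@code name} from the CA table and wraps it into an {@link X509CaInfo}.
 *
 * @param name name of the CA to load; bound as the single query parameter
 * @param masterMode not referenced by this method; kept for signature compatibility
 * @param certstore certificate store handed to the created {@link X509CaInfo}
 * @return the CA information built from the stored row
 * @throws CaMgmtException if no CA with that name exists, the CA is not of type
 *         {@code CertArt.X509PKC}, the query fails, or the {@link X509CaInfo} cannot be built
 */
X509CaInfo createCaInfo(String name, boolean masterMode, CertificateStore certstore) throws CaMgmtException {
  final String sql = sqls.sqlSelectCa;
  PreparedStatement stmt = null;
  ResultSet rs = null;
  try {
    stmt = prepareStatement(sql);
    stmt.setString(1, name);
    rs = stmt.executeQuery();
    if (!rs.next()) {
      throw new CaMgmtException("unknown CA " + name);
    }
    int artCode = rs.getInt("ART");
    if (artCode != CertArt.X509PKC.getCode()) {
      throw new CaMgmtException("CA " + name + " is not X509CA, and is not supported");
    }
    String crlUris = rs.getString("CRL_URIS");
    String deltaCrlUris = rs.getString("DELTACRL_URIS");

    CertRevocationInfo revocationInfo = null;
    if (rs.getBoolean("REV")) {
      int revReason = rs.getInt("RR");
      // RT and RIT are epoch seconds (multiplied by 1000 below); read them as long so values
      // outside the int range are not truncated before the conversion
      long revTime = rs.getLong("RT");
      long revInvalidityTime = rs.getLong("RIT");
      // an invalidity time of 0 means "not set"
      Date revInvTime = (revInvalidityTime == 0) ? null : new Date(revInvalidityTime * 1000);
      revocationInfo = new CertRevocationInfo(revReason, new Date(revTime * 1000), revInvTime);
    }

    String ocspUris = rs.getString("OCSP_URIS");
    String caCertUris = rs.getString("CACERT_URIS");
    X509CaUris caUris = new X509CaUris(toUriList(caCertUris), toUriList(ocspUris), toUriList(crlUris), toUriList(deltaCrlUris));

    int id = rs.getInt("ID");
    int serialNoSize = rs.getInt("SN_SIZE");
    long nextCrlNo = rs.getLong("NEXT_CRLNO");
    String signerType = rs.getString("SIGNER_TYPE");
    String signerConf = rs.getString("SIGNER_CONF");
    int numCrls = rs.getInt("NUM_CRLS");
    int expirationPeriod = rs.getInt("EXPIRATION_PERIOD");
    X509CaEntry entry = new X509CaEntry(new NameId(id, name), serialNoSize, nextCrlNo, signerType, signerConf, caUris, numCrls, expirationPeriod);

    entry.setCert(generateCert(rs.getString("CERT")));
    entry.setStatus(CaStatus.forName(rs.getString("STATUS")));
    entry.setMaxValidity(CertValidity.getInstance(rs.getString("MAX_VALIDITY")));
    entry.setKeepExpiredCertInDays(rs.getInt("KEEP_EXPIRED_CERT_DAYS"));

    // optional references: only set when the column holds a non-blank value
    String crlsignerName = rs.getString("CRLSIGNER_NAME");
    if (StringUtil.isNotBlank(crlsignerName)) {
      entry.setCrlSignerName(crlsignerName);
    }
    String responderName = rs.getString("RESPONDER_NAME");
    if (StringUtil.isNotBlank(responderName)) {
      entry.setResponderName(responderName);
    }
    String extraControl = rs.getString("EXTRA_CONTROL");
    if (StringUtil.isNotBlank(extraControl)) {
      entry.setExtraControl(new ConfPairs(extraControl).unmodifiable());
    }
    String cmpcontrolName = rs.getString("CMPCONTROL_NAME");
    if (StringUtil.isNotBlank(cmpcontrolName)) {
      entry.setCmpControlName(cmpcontrolName);
    }

    // boolean flags are stored as integers; any non-zero value means true
    entry.setDuplicateKeyPermitted(rs.getInt("DUPLICATE_KEY") != 0);
    entry.setDuplicateSubjectPermitted(rs.getInt("DUPLICATE_SUBJECT") != 0);
    entry.setSaveRequest(rs.getInt("SAVE_REQ") != 0);
    entry.setPermission(rs.getInt("PERMISSION"));
    entry.setRevocationInfo(revocationInfo);

    // a missing or unresolvable validity mode falls back to STRICT
    String validityModeS = rs.getString("VALIDITY_MODE");
    ValidityMode validityMode = (validityModeS == null) ? null : ValidityMode.forName(validityModeS);
    entry.setValidityMode(validityMode == null ? ValidityMode.STRICT : validityMode);

    try {
      return new X509CaInfo(entry, certstore);
    } catch (OperationException ex) {
      throw new CaMgmtException(ex);
    }
  } catch (SQLException ex) {
    throw new CaMgmtException(datasource, sql, ex);
  } finally {
    datasource.releaseResources(stmt, rs);
  }
}

/**
 * Splits a comma separated URI column into a list.
 *
 * @param commaSeparated raw column value, may be {@code null}
 * @return the split values, or {@code null} when the column is blank
 */
private static List<String> toUriList(String commaSeparated) {
  return StringUtil.isNotBlank(commaSeparated) ? StringUtil.splitByComma(commaSeparated) : null;
}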
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method unRevokeRemoveCertificates.
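/**
 * Processes a CMP revocation request body (rr) for this CA.
 *
 * <p>The request is handled in two phases. First every {@code RevDetails} is validated: its
 * certTemplate must carry issuer and serialNumber only, and issuer plus (optional) AKI must
 * identify this CA; any violation rejects the whole request. Then each certificate is
 * unrevoked, removed or revoked depending on {@code permission}, and a per-certificate status
 * is collected into the response.
 *
 * @param request the complete CMP message; encoded and stored when the CA saves requests
 * @param rr the revocation request content
 * @param permission {@code PermissionConstants.UNREVOKE_CERT} to unrevoke,
 *        {@code PermissionConstants.REMOVE_CERT} to remove, anything else revokes
 * @param cmpControl CMP settings; decides whether the issuer's AKI is mandatory
 * @param msgId message id passed to the CA for auditing
 * @return an error body if validation fails, otherwise a {@code TYPE_REVOCATION_REP} body
 *         holding one status per {@code RevDetails}
 */
private PKIBody unRevokeRemoveCertificates(PKIMessage request, RevReqContent rr, int permission, CmpControl cmpControl, String msgId) {
  RevDetails[] revContent = rr.toRevDetailsArray();
  X509Ca ca = getCa();
  X500Name caSubject = ca.getCaInfo().getCert().getSubjectAsX500Name();

  // Phase 1: validate every entry; a single bad entry rejects the whole request.
  for (RevDetails revDetails : revContent) {
    try {
      PKIBody rejection = checkRevDetailsTargetsCa(ca, revDetails.getCertDetails(), caSubject, cmpControl);
      if (rejection != null) {
        return rejection;
      }
    } catch (IllegalArgumentException ex) {
      // malformed ASN.1 inside the template (e.g. the AKI) surfaces as IllegalArgumentException
      return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is invalid");
    }
  }

  // Phase 2: apply the operation; failures are reported per certificate, not for the request.
  byte[] encodedRequest = null;
  if (ca.getCaInfo().isSaveRequest()) {
    try {
      encodedRequest = request.getEncoded();
    } catch (IOException ex) {
      // keep the cause in the log; a silently dropped encode failure is hard to diagnose
      LOG.warn("could not encode request", ex);
    }
  }

  RevRepContentBuilder repContentBuilder = new RevRepContentBuilder();
  Long reqDbId = null;
  for (RevDetails revDetails : revContent) {
    // serialNumber is non-null here: phase 1 rejected templates without it
    ASN1Integer serialNumber = revDetails.getCertDetails().getSerialNumber();
    BigInteger snBigInt = serialNumber.getPositiveValue();
    CertId certId = new CertId(new GeneralName(caSubject), serialNumber);
    PKIStatusInfo status;
    try {
      Object returnedObj;
      Long certDbId = null;
      if (PermissionConstants.UNREVOKE_CERT == permission) {
        returnedObj = ca.unrevokeCertificate(snBigInt, msgId);
        if (returnedObj != null) {
          certDbId = ((X509CertWithDbId) returnedObj).getCertId();
        }
      } else if (PermissionConstants.REMOVE_CERT == permission) {
        returnedObj = ca.removeCertificate(snBigInt, msgId);
      } else {
        // revoke: reason and invalidity date come from the optional crlEntryDetails extensions
        CrlReason reason = null;
        Date invalidityDate = null;
        Extensions crlDetails = revDetails.getCrlEntryDetails();
        if (crlDetails != null) {
          ASN1Encodable reasonValue = crlDetails.getExtensionParsedValue(Extension.reasonCode);
          if (reasonValue != null) {
            reason = CrlReason.forReasonCode(ASN1Enumerated.getInstance(reasonValue).getValue().intValue());
          }
          ASN1Encodable dateValue = crlDetails.getExtensionParsedValue(Extension.invalidityDate);
          if (dateValue != null) {
            try {
              invalidityDate = ASN1GeneralizedTime.getInstance(dateValue).getDate();
            } catch (ParseException ex) {
              throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + Extension.invalidityDate.getId());
            }
          }
        }
        if (reason == null) {
          reason = CrlReason.UNSPECIFIED;
        }
        returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate, msgId);
        if (returnedObj != null) {
          certDbId = ((X509CertWithRevocationInfo) returnedObj).getCert().getCertId();
        }
      }

      if (returnedObj == null) {
        throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
      }
      // link the stored request to every certificate it touched (one request row per message)
      if (certDbId != null && ca.getCaInfo().isSaveRequest()) {
        if (reqDbId == null) {
          reqDbId = ca.addRequest(encodedRequest);
        }
        ca.addRequestCert(reqDbId, certDbId);
      }
      status = new PKIStatusInfo(PKIStatus.granted);
    } catch (OperationException ex) {
      status = rejectionStatusFor(permission, ex);
    }
    repContentBuilder.add(status, certId);
  }
  return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build());
}

/**
 * Validates the certTemplate of one {@code RevDetails}.
 *
 * <p>Accepted are issuer and serialNumber, plus an extensions field whose only critical
 * extension is the authorityKeyIdentifier. The issuer name and, when present, the AKI must
 * identify this CA.
 *
 * @param ca the CA the request is addressed to
 * @param certDetails the template to check
 * @param caSubject subject name of the CA certificate
 * @param cmpControl decides whether a missing AKI is acceptable
 * @return {@code null} if the template is acceptable, otherwise the rejection body to return
 * @throws IllegalArgumentException if the AKI cannot be parsed
 */
private PKIBody checkRevDetailsTargetsCa(X509Ca ca, CertTemplate certDetails, X500Name caSubject, CmpControl cmpControl) {
  X500Name issuer = certDetails.getIssuer();
  if (issuer == null) {
    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present");
  }
  if (!issuer.equals(caSubject)) {
    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
  }
  if (certDetails.getSerialNumber() == null) {
    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present");
  }
  if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null) {
    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are allowed, but more is specified");
  }

  Extensions exts = certDetails.getExtensions();
  if (exts == null) {
    // without an AKI the request is bound to the CA by name only; policy may require the key id
    return cmpControl.isRrAkiRequired() ? buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present") : null;
  }

  ASN1ObjectIdentifier[] criticalOids = exts.getCriticalExtensionOIDs();
  if (criticalOids != null) {
    for (ASN1ObjectIdentifier oid : criticalOids) {
      if (!Extension.authorityKeyIdentifier.equals(oid)) {
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "unknown critical extension " + oid.getId());
      }
    }
  }

  Extension akiExt = exts.getExtension(Extension.authorityKeyIdentifier);
  if (akiExt == null) {
    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
  }
  AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(akiExt.getParsedValue());
  if (aki.getKeyIdentifier() == null) {
    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
  }
  if (!akiMatchesCa(ca, aki, caSubject)) {
    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
  }
  return null;
}

/**
 * Compares an AKI against this CA: the key identifier must equal the CA's SKI, and the
 * optional authorityCertSerialNumber / authorityCertIssuer, when present, must equal the CA
 * certificate's serial number and subject (directoryName entries only).
 *
 * @return {@code true} if every component present in {@code aki} identifies this CA
 */
private boolean akiMatchesCa(X509Ca ca, AuthorityKeyIdentifier aki, X500Name caSubject) {
  byte[] caSki = ca.getCaInfo().getCert().getSubjectKeyIdentifier();
  if (!Arrays.equals(caSki, aki.getKeyIdentifier())) {
    return false;
  }
  if (aki.getAuthorityCertSerialNumber() != null) {
    BigInteger caSerial = ca.getCaInfo().getSerialNumber();
    if (!caSerial.equals(aki.getAuthorityCertSerialNumber())) {
      return false;
    }
  }
  if (aki.getAuthorityCertIssuer() != null) {
    for (GeneralName name : aki.getAuthorityCertIssuer().getNames()) {
      if (name.getTagNo() != GeneralName.directoryName || !caSubject.equals(name.getName())) {
        return false;
      }
    }
  }
  return true;
}

/**
 * Logs a failed per-certificate operation and maps it to the status reported to the client.
 *
 * @param permission the operation that failed, used for the log text
 * @param ex the failure
 * @return the rejection status carrying the failure info and message
 */
private PKIStatusInfo rejectionStatusFor(int permission, OperationException ex) {
  ErrorCode code = ex.getErrorCode();
  LOG.warn("{}, OperationException: code={}, message={}", PermissionConstants.getTextForCode(permission), code.name(), ex.getErrorMessage());
  String errorMessage;
  switch (code) {
    case DATABASE_FAILURE:
    case SYSTEM_FAILURE:
      // internal failures are reported by code only, presumably to keep server-side detail out
      // of the response; the full message is in the log above
      errorMessage = code.name();
      break;
    default:
      errorMessage = code.name() + ": " + ex.getErrorMessage();
      break;
  }
  return generateRejectionStatus(getPKiFailureInfo(ex), errorMessage);
}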
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method removeCert.
/**
 * Removes the certificate with the given serial number from this CA on behalf of
 * {@code requestor}.
 *
 * @param requestor the CMP requestor; must hold {@code PermissionConstants.REMOVE_CERT}
 * @param serialNumber serial number of the certificate to remove
 * @param reqType not referenced by this method
 * @param msgId message id passed to the CA for auditing
 * @throws OperationException with {@code NOT_PERMITTED} if the requestor lacks the permission,
 *         or {@code UNKNOWN_CERT} if no certificate with that serial number exists
 */
public void removeCert(CmpRequestorInfo requestor, BigInteger serialNumber, RequestType reqType, String msgId) throws OperationException {
  ParamUtil.requireNonNull("requestor", requestor);
  try {
    checkPermission(requestor, PermissionConstants.REMOVE_CERT);
  } catch (InsuffientPermissionException ex) {
    throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
  }
  // the CA reports an unknown serial number by returning null rather than throwing
  X509CertWithDbId removed = getCa().removeCertificate(serialNumber, msgId);
  if (removed == null) {
    throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
  }
}
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method revokePendingCertificates.
// method confirmCertificates
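/**
 * Revokes every certificate of a transaction that is still waiting for the client's
 * confirmation, removing them from the pending pool.
 *
 * @param transactionId CMP transaction id whose pending certificates are revoked
 * @param msgId message id passed to the CA for auditing
 * @return {@code true} if there was nothing pending or every revocation succeeded,
 *         {@code false} if at least one revocation failed (the others are still attempted)
 */
private boolean revokePendingCertificates(ASN1OctetString transactionId, String msgId) {
  Set<X509CertificateInfo> remainingCerts = pendingCertPool.removeCertificates(transactionId.getOctets());
  if (CollectionUtil.isEmpty(remainingCerts)) {
    return true;
  }
  boolean successful = true;
  // all leftover certificates share one invalidity date: the moment the transaction is given up
  Date invalidityDate = new Date();
  X509Ca ca = getCa();
  for (X509CertificateInfo remainingCert : remainingCerts) {
    BigInteger serialNumber = remainingCert.getCert().getCert().getSerialNumber();
    try {
      ca.revokeCertificate(serialNumber, CrlReason.CESSATION_OF_OPERATION, invalidityDate, msgId);
    } catch (OperationException ex) {
      // record which certificate could not be revoked instead of swallowing the failure, then
      // carry on so the remaining certificates are still revoked
      LOG.warn("could not revoke unconfirmed certificate with serial {}: code={}, message={}", serialNumber, ex.getErrorCode().name(), ex.getErrorMessage());
      successful = false;
    }
  }
  return successful;
}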
use of org.xipki.ca.api.OperationException in project xipki by xipki.
the class X509CaCmpResponderImpl method generateCertificates.
// method processP10cr
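/**
 * Issues (or, for key update, re-issues) one certificate per template and builds the
 * corresponding CMP responses.
 *
 * <p>With group enrollment enabled all templates go to the CA in a single call and a failure
 * yields the same error response for every request id. Otherwise each template is processed
 * on its own and failures are reported per request id.
 *
 * @param certTemplates the templates to issue; parallel to {@code certReqIds}
 * @param certReqIds the request ids, one per template, in the same order
 * @param requestor the authenticated CMP requestor
 * @param tid CMP transaction id
 * @param keyUpdate {@code true} to regenerate (key update), {@code false} to generate
 * @param request the complete CMP message; encoded and stored when the CA saves requests
 * @param cmpControl CMP settings; decides between group and individual enrollment
 * @param msgId message id passed to the CA for auditing
 * @param event not referenced by this method
 * @return one {@link CertResponse} per template, in template order
 */
private List<CertResponse> generateCertificates(List<CertTemplateData> certTemplates, List<ASN1Integer> certReqIds, CmpRequestorInfo requestor, ASN1OctetString tid, boolean keyUpdate, PKIMessage request, CmpControl cmpControl, String msgId, AuditEvent event) {
  X509Ca ca = getCa();
  final int n = certTemplates.size();
  List<CertResponse> ret = new ArrayList<>(n);

  if (cmpControl.isGroupEnroll()) {
    try {
      List<X509CertificateInfo> certInfos = keyUpdate
          ? ca.regenerateCertificates(certTemplates, requestor, RequestType.CMP, tid.getOctets(), msgId)
          : ca.generateCertificates(certTemplates, requestor, RequestType.CMP, tid.getOctets(), msgId);
      // the request is stored once and linked to every certificate it produced
      Long reqDbId = ca.getCaInfo().isSaveRequest() ? persistRequest(ca, request) : null;
      for (int i = 0; i < n; i++) {
        X509CertificateInfo certInfo = certInfos.get(i);
        ret.add(postProcessCertInfo(certReqIds.get(i), certInfo, tid, cmpControl));
        if (reqDbId != null) {
          ca.addRequestCert(reqDbId, certInfo.getCert().getCertId());
        }
      }
    } catch (OperationException ex) {
      // group enrollment is all-or-nothing: every request id receives the same error
      for (int i = 0; i < n; i++) {
        ret.add(postProcessException(certReqIds.get(i), ex));
      }
    }
    return ret;
  }

  Long reqDbId = null;
  // once saving failed it is not retried for the remaining templates of this message
  boolean savingRequestFailed = false;
  for (int i = 0; i < n; i++) {
    CertTemplateData certTemplate = certTemplates.get(i);
    ASN1Integer certReqId = certReqIds.get(i);
    try {
      X509CertificateInfo certInfo = keyUpdate
          ? ca.regenerateCertificate(certTemplate, requestor, RequestType.CMP, tid.getOctets(), msgId)
          : ca.generateCertificate(certTemplate, requestor, RequestType.CMP, tid.getOctets(), msgId);
      if (ca.getCaInfo().isSaveRequest()) {
        if (reqDbId == null && !savingRequestFailed) {
          reqDbId = persistRequest(ca, request);
          savingRequestFailed = (reqDbId == null);
        }
        if (reqDbId != null) {
          ca.addRequestCert(reqDbId, certInfo.getCert().getCertId());
        }
      }
      ret.add(postProcessCertInfo(certReqId, certInfo, tid, cmpControl));
    } catch (OperationException ex) {
      ret.add(postProcessException(certReqId, ex));
    }
  }
  return ret;
}

/**
 * Encodes and stores the CMP request.
 *
 * @param ca the CA that stores the request
 * @param request the message to store
 * @return the database id of the stored request, or {@code null} if encoding or storing
 *         failed; the failure is logged with its cause and does not abort enrollment
 */
private Long persistRequest(X509Ca ca, PKIMessage request) {
  try {
    return ca.addRequest(request.getEncoded());
  } catch (Exception ex) {
    // broad catch kept from the original: getEncoded() and addRequest() fail differently,
    // and saving the request is best-effort
    LOG.warn("could not save request", ex);
    return null;
  }
}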