
Example 6 with X509CertWithDbId

use of org.xipki.ca.api.X509CertWithDbId in project xipki by xipki.

the class X509Ca method generateCertificate0.

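/**
 * Builds, signs, verifies and persists one certificate for an already granted template.
 *
 * <p>Two in-process sets ({@code publicKeyCertsInProcess}, {@code subjectCertsInProcess})
 * act as short-lived guards so that concurrent requests for the same public key or subject
 * are rejected unless the profile explicitly permits duplicates. {@code Set.add} returns
 * {@code true} only when this call inserted the marker, so a marker is released here only
 * if this call added it; a marker found already present belongs to another in-flight
 * request and must be left alone.
 *
 * @param gct           the granted template (subject, validity, key, extensions, signer); must not be null
 * @param requestor     the requestor; its identity is recorded in the returned info
 * @param keyUpdate     not used in this method
 * @param reqType       recorded on the returned info
 * @param transactionId recorded on the returned info
 * @param event         audit event that receives the request details
 * @return the generated certificate together with its metadata
 * @throws OperationException with ALREADY_ISSUED on an in-process duplicate, BAD_CERT_TEMPLATE
 *         on a profile rejection, NOT_PERMITTED when the encoded certificate exceeds the
 *         profile's maximal size, and SYSTEM_FAILURE for signer, parsing, verification or
 *         persistence failures
 */
private X509CertificateInfo generateCertificate0(GrantedCertTemplate gct, RequestorInfo requestor, boolean keyUpdate, RequestType reqType, byte[] transactionId, AuditEvent event) throws OperationException {
    ParamUtil.requireNonNull("gct", gct);
    // Record the request details before any work is done, so a rejected request is audited too.
    event.addEventData(CaAuditConstants.NAME_reqSubject, X509Util.getRfc4519Name(gct.requestedSubject));
    event.addEventData(CaAuditConstants.NAME_certprofile, gct.certprofile.getIdent().getName());
    event.addEventData(CaAuditConstants.NAME_notBefore, DateUtil.toUtcTimeyyyyMMddhhmmss(gct.grantedNotBefore));
    event.addEventData(CaAuditConstants.NAME_notAfter, DateUtil.toUtcTimeyyyyMMddhhmmss(gct.grantedNotAfter));
    adaptGrantedSubejct(gct);
    IdentifiedX509Certprofile certprofile = gct.certprofile;
    // true only if no other request for this public key is currently in flight.
    boolean publicKeyMarkerAdded = publicKeyCertsInProcess.add(gct.fpPublicKey);
    if (!publicKeyMarkerAdded) {
        if (!certprofile.isDuplicateKeyPermitted()) {
            throw new OperationException(ErrorCode.ALREADY_ISSUED, "certificate with the given public key already in process");
        }
    }
    // true only if no other request for this subject is currently in flight.
    boolean subjectMarkerAdded = subjectCertsInProcess.add(gct.fpSubject);
    if (!subjectMarkerAdded) {
        if (!certprofile.isDuplicateSubjectPermitted()) {
            // This throw happens before the try/finally below, so release the key marker here,
            // but only if it was added by this call (the original released the other request's marker).
            if (publicKeyMarkerAdded) {
                publicKeyCertsInProcess.remove(gct.fpPublicKey);
            }
            throw new OperationException(ErrorCode.ALREADY_ISSUED, "certificate with the given subject " + gct.grantedSubjectText + " already in process");
        }
    }
    try {
        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(caInfo.getPublicCaInfo().getX500Subject(), caInfo.nextSerial(), gct.grantedNotBefore, gct.grantedNotAfter, gct.grantedSubject, gct.grantedPublicKey);
        X509CertificateInfo ret;
        try {
            X509CrlSignerEntryWrapper crlSigner = getCrlSigner();
            X509Certificate crlSignerCert = (crlSigner == null) ? null : crlSigner.getCert();
            // The profile decides the final extension set from the requested and granted values.
            ExtensionValues extensionTuples = certprofile.getExtensions(gct.requestedSubject, gct.grantedSubject, gct.extensions, gct.grantedPublicKey, caInfo.getPublicCaInfo(), crlSignerCert, gct.grantedNotBefore, gct.grantedNotAfter);
            if (extensionTuples != null) {
                for (ASN1ObjectIdentifier extensionType : extensionTuples.getExtensionTypes()) {
                    ExtensionValue extValue = extensionTuples.getExtensionValue(extensionType);
                    certBuilder.addExtension(extensionType, extValue.isCritical(), extValue.getValue());
                }
            }
            ConcurrentBagEntrySigner signer0;
            try {
                signer0 = gct.signer.borrowSigner();
            } catch (NoIdleSignerException ex) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
            }
            X509CertificateHolder certHolder;
            try {
                certHolder = certBuilder.build(signer0.value());
            } finally {
                // The signer is pooled; always hand it back, even if signing failed.
                gct.signer.requiteSigner(signer0);
            }
            Certificate bcCert = certHolder.toASN1Structure();
            byte[] encodedCert = bcCert.getEncoded();
            // A non-positive maxCertSize means "no limit".
            int maxCertSize = gct.certprofile.getMaxCertSize();
            if (maxCertSize > 0) {
                int certSize = encodedCert.length;
                if (certSize > maxCertSize) {
                    throw new OperationException(ErrorCode.NOT_PERMITTED, String.format("certificate exceeds the maximal allowed size: %d > %d", certSize, maxCertSize));
                }
            }
            X509Certificate cert;
            try {
                cert = X509Util.toX509Cert(bcCert);
            } catch (CertificateException ex) {
                String message = "should not happen, could not parse generated certificate";
                LOG.error(message, ex);
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
            }
            // Never hand out a certificate whose signature does not verify against the CA key.
            if (!verifySignature(cert)) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not verify the signature of generated certificate");
            }
            X509CertWithDbId certWithMeta = new X509CertWithDbId(cert, encodedCert);
            ret = new X509CertificateInfo(certWithMeta, caIdent, caCert, gct.grantedPublicKeyData, gct.certprofile.getIdent(), requestor.getIdent());
            if (requestor instanceof ByUserRequestorInfo) {
                ret.setUser((((ByUserRequestorInfo) requestor).getUserId()));
            }
            ret.setReqType(reqType);
            ret.setTransactionId(transactionId);
            ret.setRequestedSubject(gct.requestedSubject);
            // NOTE(review): publishCertificate0's return convention is not visible here; 1 is treated as "not saved".
            if (publishCertificate0(ret) == 1) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not save certificate");
            }
        } catch (BadCertTemplateException ex) {
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
        } catch (OperationException ex) {
            // Rethrown unchanged so it is not wrapped again by the Throwable handler below.
            throw ex;
        } catch (Throwable th) {
            LogUtil.error(LOG, th, "could not generate certificate");
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, th);
        }
        if (gct.warning != null) {
            ret.setWarningMessage(gct.warning);
        }
        return ret;
    } finally {
        // Release only the markers this call added; see the class-level note above.
        if (publicKeyMarkerAdded) {
            publicKeyCertsInProcess.remove(gct.fpPublicKey);
        }
        if (subjectMarkerAdded) {
            subjectCertsInProcess.remove(gct.fpSubject);
        }
    }
}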

Example 7 with X509CertWithDbId

use of org.xipki.ca.api.X509CertWithDbId in project xipki by xipki.

the class OcspCertPublisher method certificateAdded.

/**
 * Stores a newly issued certificate in the OCSP database.
 *
 * <p>Any failure is logged and audited via {@code logAndAudit}; it is never propagated,
 * because the publisher contract reports success or failure through the return value.
 *
 * @param certInfo the certificate to publish, with its issuer, profile and revocation info
 * @return {@code true} if the certificate was stored, {@code false} otherwise
 */
@Override
public boolean certificateAdded(X509CertificateInfo certInfo) {
    final X509Cert issuerCert = certInfo.getIssuerCert();
    final X509CertWithDbId newCert = certInfo.getCert();
    boolean stored;
    try {
        queryExecutor.addCert(issuerCert, newCert, certInfo.getProfile().getName(), certInfo.getRevocationInfo());
        stored = true;
    } catch (Exception ex) {
        logAndAudit(issuerCert.getSubject(), newCert, ex, "could not save certificate");
        stored = false;
    }
    return stored;
}

Example 8 with X509CertWithDbId

use of org.xipki.ca.api.X509CertWithDbId in project xipki by xipki.

the class OcspCertPublisher method logAndAudit.

/**
 * Logs a failed publisher operation and records a matching FAILED audit event.
 *
 * <p>The error log line carries only the exception message; the full stack trace is
 * written at debug level. The audit event names the issuer, subject and serial number,
 * plus the database id when the certificate already has one.
 *
 * @param issuer        textual issuer name
 * @param cert          the certificate the operation was about
 * @param ex            the failure
 * @param messagePrefix short description of the failed operation, used in log and audit
 */
private void logAndAudit(String issuer, X509Cert cert, Exception ex, String messagePrefix) {
    String subject = cert.getSubject();
    String serial = LogUtil.formatCsn(cert.getCert().getSerialNumber());
    LOG.error("{} (issuser='{}': subject='{}', serialNumber={}). Message: {}", messagePrefix, issuer, subject, serial, ex.getMessage());
    LOG.debug("error", ex);

    AuditEvent failure = new AuditEvent(new Date());
    failure.setApplicationName("CAPublisher");
    failure.setName("SYSTEM");
    failure.setLevel(AuditLevel.ERROR);
    failure.setStatus(AuditStatus.FAILED);
    // Only certificates already backed by a database row carry an id.
    Long dbId = (cert instanceof X509CertWithDbId) ? ((X509CertWithDbId) cert).getCertId() : null;
    if (dbId != null) {
        failure.addEventData(CaAuditConstants.NAME_id, dbId);
    }
    failure.addEventData(CaAuditConstants.NAME_issuer, issuer);
    failure.addEventData(CaAuditConstants.NAME_subject, subject);
    failure.addEventData(CaAuditConstants.NAME_serial, serial);
    failure.addEventData(CaAuditConstants.NAME_message, messagePrefix);
    auditServiceRegister.getAuditService().logEvent(failure);
}

Example 9 with X509CertWithDbId

use of org.xipki.ca.api.X509CertWithDbId in project xipki by xipki.

the class CertStoreQueryExecutor method getCertForId.

// method cleanupCrls
/**
 * Loads the certificate with database id {@code certId}, resolving its profile and
 * requestor names and attaching revocation information when the row is marked revoked.
 *
 * @param ca        identity of the issuing CA
 * @param caCert    the CA certificate
 * @param certId    database id of the certificate row
 * @param idNameMap resolves profile and requestor ids to names
 * @return the certificate info, or {@code null} if no row has this id
 * @throws DataAccessException  on a database failure (translated from SQLException)
 * @throws CertificateException if the stored certificate cannot be parsed
 */
X509CertificateInfo getCertForId(NameId ca, X509Cert caCert, long certId, CaIdNameMap idNameMap) throws DataAccessException, CertificateException {
    ParamUtil.requireNonNull("ca", ca);
    ParamUtil.requireNonNull("caCert", caCert);
    ParamUtil.requireNonNull("idNameMap", idNameMap);

    final String sql = sqls.sqlCertForId;
    String base64Cert;
    int profileId;
    int reqId;
    boolean isRevoked;
    int reason = 0;
    long revokedAt = 0;
    long invalidAt = 0;

    PreparedStatement stmt = borrowPreparedStatement(sql);
    ResultSet rows = null;
    try {
        stmt.setLong(1, certId);
        rows = stmt.executeQuery();
        if (!rows.next()) {
            return null;
        }
        base64Cert = rows.getString("CERT");
        profileId = rows.getInt("PID");
        reqId = rows.getInt("RID");
        isRevoked = rows.getBoolean("REV");
        if (isRevoked) {
            reason = rows.getInt("RR");
            revokedAt = rows.getLong("RT");
            invalidAt = rows.getLong("RIT");
        }
    } catch (SQLException ex) {
        throw datasource.translate(sql, ex);
    } finally {
        releaseDbResources(stmt, rows);
    }

    byte[] der = Base64.decodeFast(base64Cert);
    X509Certificate parsed = X509Util.parseCert(der);
    X509CertWithDbId certWithId = new X509CertWithDbId(parsed, der);
    certWithId.setCertId(certId);
    X509CertificateInfo info = new X509CertificateInfo(certWithId, ca, caCert, parsed.getPublicKey().getEncoded(), idNameMap.getCertprofile(profileId), idNameMap.getRequestor(reqId));
    if (isRevoked) {
        // RT/RIT are multiplied by 1000 to become Date millis (presumably stored in seconds).
        // An invalidity time of 0 or equal to the revocation time is reported as absent;
        // NOTE(review): getCertWithRevocationInfo only treats 0 as absent — confirm which is intended.
        boolean noInvalidityTime = (invalidAt == 0) || (invalidAt == revokedAt);
        Date invalidityTime = noInvalidityTime ? null : new Date(invalidAt * 1000);
        info.setRevocationInfo(new CertRevocationInfo(reason, new Date(revokedAt * 1000), invalidityTime));
    }
    return info;
}

Example 10 with X509CertWithDbId

use of org.xipki.ca.api.X509CertWithDbId in project xipki by xipki.

the class CertStoreQueryExecutor method getCertWithRevocationInfo.

// method getCertForId
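/**
 * Loads the certificate issued by {@code ca} with the given serial number, together with
 * its profile name and revocation information (if revoked).
 *
 * <p>The query is a prepared statement bound with the CA id and the serial number in
 * hexadecimal. Both the statement and its result set are released in the finally block
 * (the original released only the statement, leaking the result set).
 *
 * @param ca        identity of the issuing CA
 * @param serial    serial number of the certificate
 * @param idNameMap resolves the profile id to its name
 * @return the certificate with revocation info, or {@code null} if no such row exists
 * @throws DataAccessException on a database failure (translated from SQLException)
 * @throws OperationException  with SYSTEM_FAILURE if the stored certificate cannot be parsed
 */
X509CertWithRevocationInfo getCertWithRevocationInfo(NameId ca, BigInteger serial, CaIdNameMap idNameMap) throws DataAccessException, OperationException {
    ParamUtil.requireNonNull("ca", ca);
    ParamUtil.requireNonNull("serial", serial);
    ParamUtil.requireNonNull("idNameMap", idNameMap);
    final String sql = sqls.sqlCertWithRevInfo;
    long certId;
    String b64Cert;
    boolean revoked;
    int revReason = 0;
    long revTime = 0;
    long revInvTime = 0;
    int certprofileId = 0;
    ResultSet rs = null;
    PreparedStatement ps = borrowPreparedStatement(sql);
    try {
        int idx = 1;
        ps.setInt(idx++, ca.getId());
        // Serial numbers are stored as hex strings.
        ps.setString(idx++, serial.toString(16));
        rs = ps.executeQuery();
        if (!rs.next()) {
            return null;
        }
        certId = rs.getLong("ID");
        b64Cert = rs.getString("CERT");
        certprofileId = rs.getInt("PID");
        revoked = rs.getBoolean("REV");
        if (revoked) {
            revReason = rs.getInt("RR");
            revTime = rs.getLong("RT");
            revInvTime = rs.getLong("RIT");
        }
    } catch (SQLException ex) {
        throw datasource.translate(sql, ex);
    } finally {
        // Release the result set as well, matching getCertForId.
        releaseDbResources(ps, rs);
    }
    byte[] certBytes = Base64.decodeFast(b64Cert);
    X509Certificate cert;
    try {
        cert = X509Util.parseCert(certBytes);
    } catch (CertificateException ex) {
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
    CertRevocationInfo revInfo = null;
    if (revoked) {
        // RT/RIT are multiplied by 1000 to become Date millis (presumably stored in seconds).
        // NOTE(review): getCertForId additionally treats RIT == RT as "no invalidity time" — confirm which is intended.
        Date invalidityTime = (revInvTime == 0) ? null : new Date(1000 * revInvTime);
        revInfo = new CertRevocationInfo(revReason, new Date(1000 * revTime), invalidityTime);
    }
    X509CertWithDbId certWithMeta = new X509CertWithDbId(cert, certBytes);
    certWithMeta.setCertId(certId);
    String profileName = idNameMap.getCertprofileName(certprofileId);
    X509CertWithRevocationInfo ret = new X509CertWithRevocationInfo();
    ret.setCertprofile(profileName);
    ret.setCert(certWithMeta);
    ret.setRevInfo(revInfo);
    return ret;
}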
