
Example 1 with X509CertificateInfo

use of org.xipki.ca.api.publisher.x509.X509CertificateInfo in project xipki by xipki.

the class X509CaCmpResponderImpl method confirmCertificates.

/**
 * Handles a CMP {@code certConf} message (RFC 4210, 5.3.18) for the certificates that were
 * issued under {@code transactionId} and are still waiting for confirmation.
 *
 * <p>Each {@code CertStatus} is matched against the pending pool by the triple
 * (transactionId, certReqId, certHash) and removed from it. A certHash that does not match
 * therefore does not confirm anything and leaves the certificate pending; whatever is still
 * pending when the loop is done is handed to {@code revokePendingCertificates}. A matched
 * certificate whose status is neither {@code granted} nor {@code grantedWithMods} is revoked
 * with reason cessationOfOperation.
 *
 * @param transactionId transaction of the original request; it is dereferenced without a
 *     null check, so the caller has to guarantee it is present
 * @param certConf confirmation content sent by the end entity
 * @param msgId message id, forwarded to the revocation calls
 * @return a {@code PKIConfirm} body when nothing had to be revoked, otherwise an error body
 *     with status rejection and failure info systemFailure
 */
private PKIBody confirmCertificates(ASN1OctetString transactionId, CertConfirmContent certConf, String msgId) {
    int rejected = 0;

    for (CertStatus entry : certConf.toCertStatusArray()) {
        ASN1Integer reqId = entry.getCertReqId();
        byte[] hash = entry.getCertHash().getOctets();
        X509CertificateInfo pending = pendingCertPool.removeCertificate(transactionId.getOctets(), reqId.getPositiveValue(), hash);
        if (pending == null) {
            // Unknown (transactionId, certReqId, certHash): nothing to confirm here. A pending
            // certificate whose hash did not match stays in the pool and is handled below.
            if (LOG.isWarnEnabled()) {
                LOG.warn("no cert under transactionId={}, certReqId={} and certHash=0X{}", transactionId, reqId.getPositiveValue(), Hex.encode(hash));
            }
            continue;
        }

        // An absent PKIStatusInfo counts as acceptance.
        PKIStatusInfo statusInfo = entry.getStatusInfo();
        boolean granted = true;
        if (statusInfo != null) {
            int status = statusInfo.getStatus().intValue();
            granted = (status == PKIStatus.GRANTED) || (status == PKIStatus.GRANTED_WITH_MODS);
        }
        if (granted) {
            continue;
        }

        // Explicitly rejected by the end entity: the certificate is already issued, so revoke it.
        BigInteger serial = pending.getCert().getCert().getSerialNumber();
        X509Ca ca = getCa();
        try {
            ca.revokeCertificate(serial, CrlReason.CESSATION_OF_OPERATION, new Date(), msgId);
        } catch (OperationException ex) {
            LogUtil.warn(LOG, ex, "could not revoke certificate ca=" + ca.getCaInfo().getIdent() + " serialNumber=" + LogUtil.formatCsn(serial));
        }
        rejected++;
    }

    // Whatever was not confirmed above must not survive. This call is made unconditionally;
    // presumably it returns true when it revoked at least one certificate (not visible here).
    boolean leftoversRevoked = revokePendingCertificates(transactionId, msgId);

    if (rejected == 0 && !leftoversRevoked) {
        return new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
    }
    PKIStatusInfo rejection = new PKIStatusInfo(PKIStatus.rejection, null, new PKIFailureInfo(PKIFailureInfo.systemFailure));
    return new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(rejection));
}

Example 2 with X509CertificateInfo

use of org.xipki.ca.api.publisher.x509.X509CertificateInfo in project xipki by xipki.

the class X509Ca method generateCertificates.

/**
 * Issues certificates for a batch of templates as an all-or-nothing operation.
 *
 * <p>Phase 1 turns every template into a {@code GrantedCertTemplate} before anything is
 * signed, so a template the profile rejects fails the batch without consuming a serial number.
 * Phase 2 signs the templates one after another; the first failure stops the loop and every
 * certificate issued so far in this batch is deleted again via {@code removeCertificate}.
 *
 * <p>NOTE(review): the rollback deletes rather than revokes. The certificates were signed and
 * persisted inside generateCertificate (and, judging by the name publishCertificate0 used
 * there, possibly handed to publishers), so if a publisher already received one, a signed
 * certificate may exist outside the CA store. A failing removeCertificate is only logged, so
 * the rollback can be partial although the error message already says "reverted all".
 * Confirm this matches the intended policy.
 *
 * <p>NOTE(review): {@code keyUpdate} only influences phase 1; phase 2 calls
 * generateCertificate with {@code false}. Looks deliberate, but verify.
 *
 * @param certTemplates non-empty list of templates, one per certificate
 * @param requestor the requestor, passed through to granting and issuance
 * @param keyUpdate whether the request is a key update (see note above)
 * @param reqType request type recorded with each certificate
 * @param transactionId transaction id recorded with each certificate
 * @param msgId message id used for issuance and rollback
 * @return the issued certificates, in template order
 * @throws OperationExceptionWithIndex the failure together with the index of the offending
 *     template; a failure that is not an OperationException is reported as SYSTEM_FAILURE
 */
private List<X509CertificateInfo> generateCertificates(List<CertTemplateData> certTemplates, RequestorInfo requestor, boolean keyUpdate, RequestType reqType, byte[] transactionId, String msgId) throws OperationExceptionWithIndex {
    ParamUtil.requireNonEmpty("certTemplates", certTemplates);
    final int count = certTemplates.size();

    // Phase 1: grant every template before signing anything.
    List<GrantedCertTemplate> granted = new ArrayList<>(count);
    for (int idx = 0; idx < count; idx++) {
        try {
            granted.add(createGrantedCertTemplate(certTemplates.get(idx), requestor, keyUpdate));
        } catch (OperationException ex) {
            throw new OperationExceptionWithIndex(idx, ex);
        }
    }

    // Phase 2: issue one by one; the loop condition stops at the first recorded failure.
    List<X509CertificateInfo> issued = new ArrayList<>(count);
    OperationExceptionWithIndex failure = null;
    for (int idx = 0; idx < count && failure == null; idx++) {
        GrantedCertTemplate gct = granted.get(idx);
        final NameId profileIdent = gct.certprofile.getIdent();
        final String subjectText = gct.grantedSubjectText;
        LOG.info("     START generateCertificate: CA={}, profile={}, subject='{}'", caIdent, profileIdent, subjectText);
        boolean done = false;
        try {
            X509CertificateInfo certInfo = generateCertificate(gct, requestor, false, reqType, transactionId, msgId);
            // Mark success before the bookkeeping below: a failure there is still reported as
            // a batch failure, but the certificate is kept in `issued` so the rollback finds it.
            done = true;
            issued.add(certInfo);
            if (LOG.isInfoEnabled()) {
                String prefix = certInfo.isAlreadyIssued() ? "RETURN_OLD_CERT" : "SUCCESSFUL";
                X509CertWithDbId cert = certInfo.getCert();
                LOG.info("{} generateCertificate: CA={}, profile={}, subject='{}', serialNumber={}", prefix, caIdent, profileIdent, cert.getSubject(), LogUtil.formatCsn(cert.getCert().getSerialNumber()));
            }
        } catch (OperationException ex) {
            failure = new OperationExceptionWithIndex(idx, ex);
        } catch (Throwable th) {
            failure = new OperationExceptionWithIndex(idx, new OperationException(ErrorCode.SYSTEM_FAILURE, th));
        } finally {
            if (!done) {
                LOG.warn("    FAILED generateCertificate: CA={}, profile={}, subject='{}'", caIdent, profileIdent, subjectText);
            }
        }
    }

    if (failure == null) {
        return issued;
    }

    // Rollback: delete what this batch already produced (best effort, errors are logged only).
    LOG.error("could not generate certificate for request[{}], reverted all generated certificates", failure.getIndex());
    for (X509CertificateInfo info : issued) {
        BigInteger serial = info.getCert().getCert().getSerialNumber();
        try {
            removeCertificate(serial, msgId);
        } catch (Throwable thr) {
            LogUtil.error(LOG, thr, "could not delete certificate serial=" + serial);
        }
    }
    LogUtil.warn(LOG, failure);
    throw failure;
}

Example 3 with X509CertificateInfo

use of org.xipki.ca.api.publisher.x509.X509CertificateInfo in project xipki by xipki.

the class X509Ca method publishCertsInQueue.

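/**
 * Re-publishes every certificate queued for {@code publisher} (certificates whose earlier
 * publication failed) and removes each successfully published one from the queue.
 *
 * <p>The queue is drained in batches of {@code numEntries}. The store is asked for the head of
 * the queue without a cursor, so an entry that could not be removed is returned again by the
 * next fetch. To avoid spinning forever on a store that serves reads but rejects the delete,
 * a batch in which not a single entry could be dequeued aborts with {@code false} instead of
 * being refetched indefinitely.
 *
 * <p>NOTE(review): the certificate loaded for a queue entry is passed to the publisher without
 * a null check. If the store returns null for an id whose certificate has meanwhile been
 * deleted (compare getCertForId, which returns null for an unknown id), the publisher receives
 * null; confirm the store's contract.
 *
 * @param publisher target publisher
 * @return {@code true} when the queue for this publisher is empty on return; {@code false} on
 *     the first failure (store read error, publisher rejecting a certificate, or a batch that
 *     could not be dequeued at all)
 */
private boolean publishCertsInQueue(IdentifiedX509CertPublisher publisher) {
    ParamUtil.requireNonNull("publisher", publisher);
    final int numEntries = 500;
    while (true) {
        List<Long> certIds;
        try {
            certIds = certstore.getPublishQueueEntries(caIdent, publisher.getIdent(), numEntries);
        } catch (OperationException ex) {
            LogUtil.error(LOG, ex);
            return false;
        }
        if (CollectionUtil.isEmpty(certIds)) {
            break;
        }
        // Number of entries of this batch that were actually taken off the queue.
        int dequeued = 0;
        for (Long certId : certIds) {
            X509CertificateInfo certInfo;
            try {
                certInfo = certstore.getCertificateInfoForId(caIdent, caCert, certId, caIdNameMap);
            } catch (OperationException | CertificateException ex) {
                LogUtil.error(LOG, ex);
                return false;
            }
            boolean successful = publisher.certificateAdded(certInfo);
            if (!successful) {
                LOG.error("republishing certificate id={} failed", certId);
                return false;
            }
            try {
                certstore.removeFromPublishQueue(publisher.getIdent(), certId);
                dequeued++;
            } catch (OperationException ex) {
                // Published but still queued: it will be offered to the publisher again on the
                // next fetch. Only a batch with no progress at all (below) stops the loop.
                LogUtil.warn(LOG, ex, "could not remove republished cert id=" + certId + " and publisher=" + publisher.getIdent());
            }
        }
        if (dequeued == 0) {
            LOG.error("none of the {} queued certificates could be removed from the publish queue of publisher {}, giving up", certIds.size(), publisher.getIdent());
            return false;
        }
    }
    return true;
}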

Example 4 with X509CertificateInfo

use of org.xipki.ca.api.publisher.x509.X509CertificateInfo in project xipki by xipki.

the class X509Ca method generateCertificate0.

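/**
 * Builds, signs, verifies and persists one certificate for an already granted template.
 *
 * <p>Order of operations, each of which can abort the issuance:
 * <ol>
 *   <li>record requested subject, profile and validity in the audit event;</li>
 *   <li>register the public-key and subject fingerprints as "in process", so that a concurrent
 *       request for the same key or subject is rejected unless the profile permits duplicates;</li>
 *   <li>build the TBS certificate (serial from {@code caInfo.nextSerial()}, profile
 *       extensions) and sign it with a signer borrowed from {@code gct.signer};</li>
 *   <li>reject the result if it exceeds the profile's maximal size, re-parse it and verify the
 *       CA signature (guards against a faulty signer/HSM producing an unverifiable certificate);</li>
 *   <li>persist it via {@code publishCertificate0}.</li>
 * </ol>
 *
 * <p>NOTE(review): the size check and the signature verification run after signing. A
 * certificate rejected at that point has been signed with the CA key but is never recorded in
 * the store; whether that is acceptable for the CA's audit requirements is a policy question.
 * The entropy of the serial number depends entirely on {@code caInfo.nextSerial()}, which is
 * not visible here.
 *
 * @param gct granted template (subject, validity, key, extensions, signer, profile)
 * @param requestor requestor of the certificate; its user id is recorded when it is a
 *     {@code ByUserRequestorInfo}
 * @param keyUpdate not referenced in this method; kept for the callers' signature
 * @param reqType request type recorded with the certificate
 * @param transactionId transaction id recorded with the certificate
 * @param event audit event that receives subject, profile and validity
 * @return the issued certificate with its metadata and, if the template carries one, a warning
 * @throws OperationException ALREADY_ISSUED when a conflicting issuance is in process,
 *     BAD_CERT_TEMPLATE when the profile rejects the template, NOT_PERMITTED when the encoded
 *     certificate is too large, SYSTEM_FAILURE for every other failure
 */
private X509CertificateInfo generateCertificate0(GrantedCertTemplate gct, RequestorInfo requestor, boolean keyUpdate, RequestType reqType, byte[] transactionId, AuditEvent event) throws OperationException {
    ParamUtil.requireNonNull("gct", gct);
    event.addEventData(CaAuditConstants.NAME_reqSubject, X509Util.getRfc4519Name(gct.requestedSubject));
    event.addEventData(CaAuditConstants.NAME_certprofile, gct.certprofile.getIdent().getName());
    event.addEventData(CaAuditConstants.NAME_notBefore, DateUtil.toUtcTimeyyyyMMddhhmmss(gct.grantedNotBefore));
    event.addEventData(CaAuditConstants.NAME_notAfter, DateUtil.toUtcTimeyyyyMMddhhmmss(gct.grantedNotAfter));
    adaptGrantedSubejct(gct);
    IdentifiedX509Certprofile certprofile = gct.certprofile;

    // Concurrency guard. Set.add() returns true only when the fingerprint was NOT yet present,
    // i.e. when THIS call registered it. Only what this call registered may be removed again;
    // removing an entry registered by a concurrent (permitted duplicate) request would strip
    // that request of its guard, and not removing our own entry would leave a stale entry that
    // blocks every later request for the same key until restart.
    boolean publicKeyRegisteredHere = publicKeyCertsInProcess.add(gct.fpPublicKey);
    if (!publicKeyRegisteredHere && !certprofile.isDuplicateKeyPermitted()) {
        throw new OperationException(ErrorCode.ALREADY_ISSUED, "certificate with the given public key already in process");
    }
    boolean subjectRegisteredHere = subjectCertsInProcess.add(gct.fpSubject);
    if (!subjectRegisteredHere && !certprofile.isDuplicateSubjectPermitted()) {
        // This throw happens before the try/finally below, so undo the key registration here.
        // (The previous condition was inverted: it removed the entry when this call had NOT
        // registered it, and kept it when it had.)
        if (publicKeyRegisteredHere) {
            publicKeyCertsInProcess.remove(gct.fpPublicKey);
        }
        throw new OperationException(ErrorCode.ALREADY_ISSUED, "certificate with the given subject " + gct.grantedSubjectText + " already in process");
    }
    try {
        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(caInfo.getPublicCaInfo().getX500Subject(), caInfo.nextSerial(), gct.grantedNotBefore, gct.grantedNotAfter, gct.grantedSubject, gct.grantedPublicKey);
        X509CertificateInfo ret;
        try {
            X509CrlSignerEntryWrapper crlSigner = getCrlSigner();
            X509Certificate crlSignerCert = (crlSigner == null) ? null : crlSigner.getCert();
            // The profile decides the final extension set; the requested extensions are only input.
            ExtensionValues extensionTuples = certprofile.getExtensions(gct.requestedSubject, gct.grantedSubject, gct.extensions, gct.grantedPublicKey, caInfo.getPublicCaInfo(), crlSignerCert, gct.grantedNotBefore, gct.grantedNotAfter);
            if (extensionTuples != null) {
                for (ASN1ObjectIdentifier extensionType : extensionTuples.getExtensionTypes()) {
                    ExtensionValue extValue = extensionTuples.getExtensionValue(extensionType);
                    certBuilder.addExtension(extensionType, extValue.isCritical(), extValue.getValue());
                }
            }
            ConcurrentBagEntrySigner signer0;
            try {
                signer0 = gct.signer.borrowSigner();
            } catch (NoIdleSignerException ex) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
            }
            X509CertificateHolder certHolder;
            try {
                certHolder = certBuilder.build(signer0.value());
            } finally {
                // Always hand the signer back to the pool, also when signing failed.
                gct.signer.requiteSigner(signer0);
            }
            Certificate bcCert = certHolder.toASN1Structure();
            byte[] encodedCert = bcCert.getEncoded();
            // A maxCertSize <= 0 disables the size limit.
            int maxCertSize = gct.certprofile.getMaxCertSize();
            if (maxCertSize > 0) {
                int certSize = encodedCert.length;
                if (certSize > maxCertSize) {
                    throw new OperationException(ErrorCode.NOT_PERMITTED, String.format("certificate exceeds the maximal allowed size: %d > %d", certSize, maxCertSize));
                }
            }
            X509Certificate cert;
            try {
                cert = X509Util.toX509Cert(bcCert);
            } catch (CertificateException ex) {
                String message = "should not happen, could not parse generated certificate";
                LOG.error(message, ex);
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
            }
            // Verify what was actually signed before it is persisted.
            if (!verifySignature(cert)) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not verify the signature of generated certificate");
            }
            X509CertWithDbId certWithMeta = new X509CertWithDbId(cert, encodedCert);
            ret = new X509CertificateInfo(certWithMeta, caIdent, caCert, gct.grantedPublicKeyData, gct.certprofile.getIdent(), requestor.getIdent());
            if (requestor instanceof ByUserRequestorInfo) {
                ret.setUser((((ByUserRequestorInfo) requestor).getUserId()));
            }
            ret.setReqType(reqType);
            ret.setTransactionId(transactionId);
            ret.setRequestedSubject(gct.requestedSubject);
            // Return value 1 is treated as "not persisted"; other values are treated as success
            // (presumably 0 = saved, other codes = saved but publishing deferred; confirm).
            if (publishCertificate0(ret) == 1) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not save certificate");
            }
        } catch (BadCertTemplateException ex) {
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
        } catch (OperationException ex) {
            // Re-thrown as is so the Throwable branch below does not re-wrap it.
            throw ex;
        } catch (Throwable th) {
            LogUtil.error(LOG, th, "could not generate certificate");
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, th);
        }
        if (gct.warning != null) {
            ret.setWarningMessage(gct.warning);
        }
        return ret;
    } finally {
        // Release only the guard entries this call registered (see above).
        if (publicKeyRegisteredHere) {
            publicKeyCertsInProcess.remove(gct.fpPublicKey);
        }
        if (subjectRegisteredHere) {
            subjectCertsInProcess.remove(gct.fpSubject);
        }
    }
}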

Example 5 with X509CertificateInfo

use of org.xipki.ca.api.publisher.x509.X509CertificateInfo in project xipki by xipki.

the class CertStoreQueryExecutor method getCertForId.

// method cleanupCrls  (trailer comment of the preceding method, which is not part of this listing)
/**
 * Loads the certificate with database id {@code certId} together with its profile, requestor
 * and, if present, its revocation data.
 *
 * <p>The query is the prepared statement {@code sqls.sqlCertForId} with {@code certId} bound as
 * its only parameter; no SQL is assembled from strings. The certificate is stored base64 encoded
 * in column CERT and re-parsed here, so a corrupted row surfaces as {@link CertificateException}.
 * Revocation time (RT) and invalidity time (RIT) are stored as epoch seconds, hence the
 * {@code * 1000} when converting to {@link Date}; an invalidity time of 0 or equal to the
 * revocation time is reported as absent.
 *
 * @param ca identity of the issuing CA, attached to the result
 * @param caCert certificate of the issuing CA, attached to the result
 * @param certId database id of the certificate
 * @param idNameMap resolves the profile (PID) and requestor (RID) ids stored with the row
 * @return the certificate info, or {@code null} when no row with this id exists
 * @throws DataAccessException for any SQL error, translated by the datasource
 * @throws CertificateException when the stored certificate cannot be parsed
 */
X509CertificateInfo getCertForId(NameId ca, X509Cert caCert, long certId, CaIdNameMap idNameMap) throws DataAccessException, CertificateException {
    ParamUtil.requireNonNull("ca", ca);
    ParamUtil.requireNonNull("caCert", caCert);
    ParamUtil.requireNonNull("idNameMap", idNameMap);
    final String sql = sqls.sqlCertForId;

    String certB64;
    int profileId;
    int reqId;
    boolean isRevoked;
    int reason = 0;
    long revokedAt = 0;
    long invalidAt = 0;

    ResultSet rows = null;
    PreparedStatement stmt = borrowPreparedStatement(sql);
    try {
        stmt.setLong(1, certId);
        rows = stmt.executeQuery();
        if (!rows.next()) {
            return null;
        }
        certB64 = rows.getString("CERT");
        profileId = rows.getInt("PID");
        reqId = rows.getInt("RID");
        isRevoked = rows.getBoolean("REV");
        if (isRevoked) {
            reason = rows.getInt("RR");
            revokedAt = rows.getLong("RT");
            invalidAt = rows.getLong("RIT");
        }
    } catch (SQLException ex) {
        throw datasource.translate(sql, ex);
    } finally {
        releaseDbResources(stmt, rows);
    }

    // Everything below runs after the DB resources have been released.
    byte[] der = Base64.decodeFast(certB64);
    X509Certificate parsed = X509Util.parseCert(der);
    X509CertWithDbId withId = new X509CertWithDbId(parsed, der);
    withId.setCertId(certId);
    X509CertificateInfo info = new X509CertificateInfo(withId, ca, caCert, parsed.getPublicKey().getEncoded(), idNameMap.getCertprofile(profileId), idNameMap.getRequestor(reqId));

    if (isRevoked) {
        boolean noDistinctInvalidity = (invalidAt == 0) || (invalidAt == revokedAt);
        Date invalidityDate = noDistinctInvalidity ? null : new Date(invalidAt * 1000);
        info.setRevocationInfo(new CertRevocationInfo(reason, new Date(revokedAt * 1000), invalidityDate));
    }
    return info;
}
