use of org.xipki.ca.api.publisher.x509.X509CertificateInfo in project xipki by xipki.
the class CaManagerImpl method generateCertificate.
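/**
 * Issues a certificate for the named CA and profile from a PKCS#10 certification request.
 *
 * <p>The CSR is parsed, its proof-of-possession is verified against the CA's CMP control,
 * and the optional {@code extensionRequest} attribute is used as the requested extensions
 * (when several such attributes are present, the last one wins). If the CA is configured to
 * save requests, the raw CSR is stored and linked to the issued certificate on a best-effort
 * basis; a failure there is logged and does not affect the returned certificate.
 *
 * @param caName name of the issuing CA; must not be blank, compared case-insensitively
 * @param profileName name of the certificate profile; must not be blank, compared case-insensitively
 * @param encodedCsr DER-encoded PKCS#10 certification request; must not be null
 * @param notBefore requested start of validity, passed through to the certificate template unchanged
 * @param notAfter requested end of validity, passed through to the certificate template unchanged
 * @return the issued certificate
 * @throws CaMgmtException if the CSR cannot be parsed, its proof-of-possession does not verify,
 *         or the CA reports an {@link OperationException} during issuance
 */
@Override
public X509Certificate generateCertificate(String caName, String profileName, byte[] encodedCsr, Date notBefore, Date notAfter) throws CaMgmtException {
    caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    profileName = ParamUtil.requireNonBlank("profileName", profileName).toLowerCase();
    ParamUtil.requireNonNull("encodedCsr", encodedCsr);

    AuditEvent event = new AuditEvent(new Date());
    event.setApplicationName(CaAuditConstants.APPNAME);
    event.setName(CaAuditConstants.NAME_PERF);
    // NOTE(review): the event type names on-demand CRL generation although this method issues a
    // certificate, and the event is never emitted within this method; confirm the intended
    // constant before relying on it for audit trails.
    event.addEventType("CAMGMT_CRL_GEN_ONDEMAND");

    X509Ca ca = getX509Ca(caName);

    CertificationRequest csr;
    try {
        csr = CertificationRequest.getInstance(encodedCsr);
    } catch (Exception ex) {
        // keep the parse failure as cause so the malformed input can be diagnosed from the log
        throw new CaMgmtException(concat("invalid CSR request. ERROR: ", ex.getMessage()), ex);
    }

    // Reject CSRs whose proof-of-possession does not verify before building any template,
    // so a request for a key the requester does not hold never reaches the CA.
    CmpControl cmpControl = getCmpControlObject(ca.getCaInfo().getCmpControlName());
    if (!securityFactory.verifyPopo(csr, cmpControl.getPopoAlgoValidator())) {
        throw new CaMgmtException("could not validate POP for the CSR");
    }

    CertificationRequestInfo certTemp = csr.getCertificationRequestInfo();

    // Requested extensions come from the PKCS#9 extensionRequest attribute, if any.
    Extensions extensions = null;
    ASN1Set attrs = certTemp.getAttributes();
    for (int i = 0; i < attrs.size(); i++) {
        Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
        if (!PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
            continue;
        }
        // an extensionRequest attribute with an empty value set would otherwise throw
        // ArrayIndexOutOfBoundsException instead of a meaningful error
        if (attr.getAttributeValues().length == 0) {
            throw new CaMgmtException("invalid CSR request. ERROR: extensionRequest attribute has no value");
        }
        extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
    }

    X500Name subject = certTemp.getSubject();
    SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
    CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profileName);

    X509CertificateInfo certInfo;
    try {
        certInfo = ca.generateCertificate(certTemplateData, byCaRequestor, RequestType.CA, (byte[]) null, CaAuditConstants.MSGID_ca_mgmt);
    } catch (OperationException ex) {
        throw new CaMgmtException(ex.getMessage(), ex);
    }

    // Saving the request is best-effort: the certificate has already been issued.
    if (ca.getCaInfo().isSaveRequest()) {
        try {
            long dbId = ca.addRequest(encodedCsr);
            ca.addRequestCert(dbId, certInfo.getCert().getCertId());
        } catch (OperationException ex) {
            LogUtil.warn(LOG, ex, "could not save request");
        }
    }

    return certInfo.getCert().getCert();
}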
use of org.xipki.ca.api.publisher.x509.X509CertificateInfo in project xipki by xipki.
the class X509CaCmpResponderImpl method revokePendingCertificates.
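/**
 * Revokes every certificate still pending confirmation under the given transaction.
 *
 * <p>The certificates are removed from the pending pool first, then each one is revoked with
 * reason {@code cessationOfOperation} and the current time as invalidity date. A revocation
 * failure is logged and does not stop the loop, so one bad entry cannot leave the remaining
 * pending certificates valid.
 *
 * @param transactionId CMP transaction whose pending certificates are revoked
 * @param msgId message id forwarded to the CA for audit correlation
 * @return {@code true} if there was nothing to revoke or every revocation succeeded,
 *         {@code false} if at least one revocation failed
 */
private boolean revokePendingCertificates(ASN1OctetString transactionId, String msgId) {
    Set<X509CertificateInfo> remainingCerts = pendingCertPool.removeCertificates(transactionId.getOctets());
    if (CollectionUtil.isEmpty(remainingCerts)) {
        return true;
    }

    boolean successful = true;
    Date invalidityDate = new Date();
    X509Ca ca = getCa();
    for (X509CertificateInfo remainingCert : remainingCerts) {
        try {
            ca.revokeCertificate(remainingCert.getCert().getCert().getSerialNumber(), CrlReason.CESSATION_OF_OPERATION, invalidityDate, msgId);
        } catch (OperationException ex) {
            // A certificate that stays un-revoked here remains usable, so the failure must be
            // visible in the log rather than silently folded into the return value.
            successful = false;
            LOG.warn("could not revoke pending certificate with serial " + remainingCert.getCert().getCert().getSerialNumber() + ": " + ex.getMessage());
        }
    }
    return successful;
}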
use of org.xipki.ca.api.publisher.x509.X509CertificateInfo in project xipki by xipki.
the class X509CaCmpResponderImpl method generateCertificates.
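/**
 * Issues (or re-issues, for key update) one certificate per template and builds the CMP
 * responses.
 *
 * <p>With group enrollment enabled, all templates are processed in one CA call and either all
 * succeed or all receive the same error response. Otherwise each template is processed on its
 * own and failures are reported per request id. In both modes the request is stored at most
 * once when the CA is configured to save requests; storing the request and linking it to the
 * issued certificates is best-effort and never turns an issued certificate into an error
 * response (the certificate already exists at that point, so reporting an error would leave a
 * valid certificate the client does not know about).
 *
 * @param certTemplates templates to issue, parallel to {@code certReqIds}
 * @param certReqIds CMP request ids, parallel to {@code certTemplates}
 * @param requestor authenticated CMP requestor
 * @param tid CMP transaction id, passed to the CA as transaction id
 * @param keyUpdate {@code true} to re-issue (key update) instead of issuing
 * @param request the full CMP request, stored when request saving is enabled
 * @param cmpControl CMP control deciding group vs. individual enrollment
 * @param msgId message id for audit correlation
 * @param event audit event of the enclosing operation (not used in this method)
 * @return one {@link CertResponse} per entry of {@code certReqIds}, in the same order
 */
private List<CertResponse> generateCertificates(List<CertTemplateData> certTemplates, List<ASN1Integer> certReqIds, CmpRequestorInfo requestor, ASN1OctetString tid, boolean keyUpdate, PKIMessage request, CmpControl cmpControl, String msgId, AuditEvent event) {
    X509Ca ca = getCa();
    final int n = certTemplates.size();
    List<CertResponse> ret = new ArrayList<>(n);

    if (cmpControl.isGroupEnroll()) {
        try {
            List<X509CertificateInfo> certInfos;
            if (keyUpdate) {
                certInfos = ca.regenerateCertificates(certTemplates, requestor, RequestType.CMP, tid.getOctets(), msgId);
            } else {
                certInfos = ca.generateCertificates(certTemplates, requestor, RequestType.CMP, tid.getOctets(), msgId);
            }

            Long reqDbId = ca.getCaInfo().isSaveRequest() ? saveRequestQuietly(ca, request) : null;

            for (int i = 0; i < n; i++) {
                X509CertificateInfo certInfo = certInfos.get(i);
                ret.add(postProcessCertInfo(certReqIds.get(i), certInfo, tid, cmpControl));
                if (reqDbId != null) {
                    // must not throw: a failure here would append n error responses to a list
                    // that already holds success responses, breaking the 1:1 mapping to certReqIds
                    addRequestCertQuietly(ca, reqDbId, certInfo);
                }
            }
        } catch (OperationException ex) {
            for (int i = 0; i < n; i++) {
                ret.add(postProcessException(certReqIds.get(i), ex));
            }
        }
    } else {
        Long reqDbId = null;
        boolean savingRequestFailed = false;

        for (int i = 0; i < n; i++) {
            CertTemplateData certTemplate = certTemplates.get(i);
            ASN1Integer certReqId = certReqIds.get(i);

            X509CertificateInfo certInfo;
            try {
                if (keyUpdate) {
                    certInfo = ca.regenerateCertificate(certTemplate, requestor, RequestType.CMP, tid.getOctets(), msgId);
                } else {
                    certInfo = ca.generateCertificate(certTemplate, requestor, RequestType.CMP, tid.getOctets(), msgId);
                }

                if (ca.getCaInfo().isSaveRequest()) {
                    // try to store the request once; do not retry after a failure
                    if (reqDbId == null && !savingRequestFailed) {
                        reqDbId = saveRequestQuietly(ca, request);
                        savingRequestFailed = (reqDbId == null);
                    }
                    if (reqDbId != null) {
                        addRequestCertQuietly(ca, reqDbId, certInfo);
                    }
                }

                ret.add(postProcessCertInfo(certReqId, certInfo, tid, cmpControl));
            } catch (OperationException ex) {
                ret.add(postProcessException(certReqId, ex));
            }
        }
    }

    return ret;
}

/**
 * Stores the encoded CMP request in the CA's request store.
 *
 * @return the database id of the stored request, or {@code null} if encoding or storing failed
 *         (the failure is logged)
 */
private Long saveRequestQuietly(X509Ca ca, PKIMessage request) {
    try {
        byte[] encodedRequest = request.getEncoded();
        return ca.addRequest(encodedRequest);
    } catch (Exception ex) {
        LOG.warn("could not save request: " + ex.getMessage());
        return null;
    }
}

/**
 * Links an issued certificate to a stored request; failures are logged and otherwise ignored
 * because the certificate has already been issued.
 */
private void addRequestCertQuietly(X509Ca ca, long reqDbId, X509CertificateInfo certInfo) {
    try {
        ca.addRequestCert(reqDbId, certInfo.getCert().getCertId());
    } catch (Exception ex) {
        LOG.warn("could not link request " + reqDbId + " to certificate " + certInfo.getCert().getCertId() + ": " + ex.getMessage());
    }
}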
use of org.xipki.ca.api.publisher.x509.X509CertificateInfo in project xipki by xipki.
the class X509Ca method addXipkiCertset.
/**
 * Adds the XiPKI extension CrlCertSet to the CRL under construction.
 *
 * <pre>
 * Xipki-CrlCertSet ::= SET OF Xipki-CrlCert
 *
 * Xipki-CrlCert ::= SEQUENCE {
 * serial INTEGER
 * cert [0] EXPLICIT Certificate OPTIONAL
 * profileName [1] EXPLICIT UTF8String OPTIONAL
 * }
 * </pre>
 *
 * <p>The extension is only attached to full CRLs and only when enabled in the CRL control.
 * Certificate serials are read from the certificate store in pages of 100, ordered by store id;
 * per entry the full certificate and/or the profile name are embedded as configured.
 *
 * @param crlBuilder builder receiving the (non-critical) extension
 * @param deltaCrl {@code true} while building a delta CRL; the set is then omitted
 * @param control CRL control deciding whether, and with which members, the set is emitted
 * @param notExpireAt only certificates not expired at this time are listed
 * @param onlyCaCerts restrict the listing to CA certificates
 * @param onlyUserCerts restrict the listing to end-entity certificates
 * @throws OperationException if a certificate cannot be loaded from the store or the extension
 *         cannot be added to the builder
 */
private void addXipkiCertset(X509v2CRLBuilder crlBuilder, boolean deltaCrl, CrlControl control, Date notExpireAt, boolean onlyCaCerts, boolean onlyUserCerts) throws OperationException {
    if (deltaCrl || !control.isXipkiCertsetIncluded()) {
        return;
    }

    final int pageSize = 100;
    ASN1EncodableVector certSet = new ASN1EncodableVector();
    long nextStartId = 1;

    while (true) {
        List<SerialWithId> page = certstore.getCertSerials(caIdent, notExpireAt, nextStartId, pageSize, false, onlyCaCerts, onlyUserCerts);

        // highest store id seen on this page; the next page starts right after it
        long highestId = 1;
        for (SerialWithId sid : page) {
            highestId = Math.max(highestId, sid.getId());

            ASN1EncodableVector entry = new ASN1EncodableVector();
            entry.add(new ASN1Integer(sid.getSerial()));

            Integer profileId = null;
            if (control.isXipkiCertsetCertIncluded()) {
                X509CertificateInfo certInfo;
                try {
                    certInfo = certstore.getCertificateInfoForId(caIdent, caCert, sid.getId(), caIdNameMap);
                } catch (CertificateException ex) {
                    throw new OperationException(ErrorCode.SYSTEM_FAILURE, "CertificateException: " + ex.getMessage());
                }
                entry.add(new DERTaggedObject(true, 0, Certificate.getInstance(certInfo.getCert().getEncodedCert())));
                if (control.isXipkiCertsetProfilenameIncluded()) {
                    profileId = certInfo.getProfile().getId();
                }
            } else if (control.isXipkiCertsetProfilenameIncluded()) {
                // no certificate needed, so only the profile id is fetched from the store
                profileId = certstore.getCertProfileForId(caIdent, sid.getId());
            }

            if (profileId != null) {
                String profileName = caIdNameMap.getCertprofileName(profileId);
                entry.add(new DERTaggedObject(true, 1, new DERUTF8String(profileName)));
            }

            certSet.add(new DERSequence(entry));
        }

        // a short page means the store has no further entries
        if (page.size() < pageSize) {
            break;
        }
        nextStartId = highestId + 1;
    }

    try {
        crlBuilder.addExtension(ObjectIdentifiers.id_xipki_ext_crlCertset, false, new DERSet(certSet));
    } catch (CertIOException ex) {
        throw new OperationException(ErrorCode.INVALID_EXTENSION, "CertIOException: " + ex.getMessage());
    }
}
use of org.xipki.ca.api.publisher.x509.X509CertificateInfo in project xipki by xipki.
the class X509Ca method generateCertificate.
/**
 * Issues a certificate for an already granted template, wrapped in a performance audit event.
 *
 * <p>The event is always finished; it is marked successful only when the delegate returned a
 * non-null result, so an exception from the delegate finishes the event as unsuccessful.
 *
 * @param gct the granted (profile-checked) certificate template
 * @param requestor the requestor on whose behalf the certificate is issued
 * @param keyUpdate {@code true} for a key-update re-issuance
 * @param reqType the kind of request that triggered issuance
 * @param transactionId transaction id of the request, may be null
 * @param msgId message id used for audit correlation
 * @return the issued certificate information as returned by the delegate
 * @throws OperationException propagated from the delegate
 */
private X509CertificateInfo generateCertificate(GrantedCertTemplate gct, RequestorInfo requestor, boolean keyUpdate, RequestType reqType, byte[] transactionId, String msgId) throws OperationException {
    AuditEvent event = newPerfAuditEvent(CaAuditConstants.TYPE_gen_cert, msgId);
    X509CertificateInfo certInfo = null;
    try {
        certInfo = generateCertificate0(gct, requestor, keyUpdate, reqType, transactionId, event);
        return certInfo;
    } finally {
        // certInfo stays null when the delegate throws, so the event is then finished as failed
        finish(event, certInfo != null);
    }
}