
Example 1 with CertprofileInfo

Use of org.xipki.ca.client.api.CertprofileInfo in the xipki project (by xipki).

Class X509CmpRequestor, method retrieveCaInfo:

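/**
 * Asks the CA named {@code caName} for its CAInfo - its CA certificate, CMP control
 * settings and the certificate profiles it offers - using the XiPKI-specific
 * GET_CAINFO CMP action, and parses the version-2 XML document carried in the reply.
 *
 * @param caName name of the CA (logging only here; must not be blank)
 * @param debug  optional request/response debug collector handed to {@code signAndSend}
 * @return the parsed {@link CaInfo}
 * @throws CmpRequestorException if the reply is not parsable XML, carries an unknown or
 *         malformed {@code version}, lacks a {@code CACert} element, or the CA certificate
 *         cannot be decoded
 * @throws PkiErrorException propagated from {@code signAndSend}
 */
public CaInfo retrieveCaInfo(String caName, RequestResponseDebug debug) throws CmpRequestorException, PkiErrorException {
    ParamUtil.requireNonBlank("caName", caName);

    // This client only understands CAInfo version 2, so that is the only version advertised.
    ASN1EncodableVector acceptVersionsVec = new ASN1EncodableVector();
    acceptVersionsVec.add(new ASN1Integer(2));
    ASN1Sequence acceptVersions = new DERSequence(acceptVersionsVec);
    int action = XiSecurityConstants.CMP_ACTION_GET_CAINFO;
    PKIMessage request = buildMessageWithXipkAction(action, acceptVersions);

    // NOTE(review): the CA certificate extracted below is trusted solely on the strength of
    // this reply. That is only sound if signAndSend() verifies the response protection
    // against the configured responder certificate - confirm in signAndSend/CmpResponder.
    PkiResponse response = signAndSend(request, debug);
    ASN1Encodable itvValue = extractXipkiActionRepContent(response, action);
    String systemInfoStr = DERUTF8String.getInstance(itvValue).getString();
    LOG.debug("CAInfo for CA {}: {}", caName, systemInfoStr);

    Document doc;
    try {
        // The XML is network-supplied. NOTE(review): xmlDocBuilder must be built with DTD and
        // external-entity resolution disabled (XXE); its configuration is not visible here.
        byte[] xml = systemInfoStr.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        doc = xmlDocBuilder.parse(new ByteArrayInputStream(xml));
    } catch (SAXException | IOException ex) {
        throw new CmpRequestorException("could not parse the returned systemInfo for CA " + caName + ": " + ex.getMessage(), ex);
    }

    final String namespace = null;
    Element root = doc.getDocumentElement();
    String versionStr = root.getAttribute("version");
    if (StringUtil.isBlank(versionStr)) {
        versionStr = root.getAttributeNS(namespace, "version");
    }
    // A missing version attribute means version 1. A non-numeric one is a malformed reply and is
    // reported as CmpRequestorException instead of leaking a NumberFormatException to the caller.
    int version;
    try {
        version = StringUtil.isBlank(versionStr) ? 1 : Integer.parseInt(versionStr);
    } catch (NumberFormatException ex) {
        throw new CmpRequestorException("malformed CAInfo version '" + versionStr + "' for CA " + caName, ex);
    }
    if (version != 2) {
        throw new CmpRequestorException("unknown CAInfo version " + version);
    }

    X509Certificate caCert = parseCaInfoCaCert(root, namespace, caName);
    ClientCmpControl cmpControl = parseCaInfoCmpControl(root, namespace);
    Set<CertprofileInfo> profiles = parseCaInfoCertprofiles(root, namespace, caName);
    return new CaInfo(caCert, cmpControl, profiles);
}

/**
 * Extracts and decodes the mandatory {@code CACert} element of a version-2 CAInfo document.
 *
 * @throws CmpRequestorException if the element is absent/blank or not a valid certificate
 */
private X509Certificate parseCaInfoCaCert(Element root, String namespace, String caName) throws CmpRequestorException {
    String b64CaCert = XmlUtil.getValueOfFirstElementChild(root, namespace, "CACert");
    // Previously a missing element was passed straight to the decoder; fail with a clear message.
    if (StringUtil.isBlank(b64CaCert)) {
        throw new CmpRequestorException("CAInfo for CA " + caName + " contains no CACert");
    }
    try {
        return X509Util.parseBase64EncodedCert(b64CaCert);
    } catch (CertificateException ex) {
        throw new CmpRequestorException("could not parse the CA certificate", ex);
    }
}

/**
 * Reads the optional {@code cmpControl} element.
 *
 * @return the parsed control, or {@code null} when the CA sent no {@code cmpControl}
 */
private ClientCmpControl parseCaInfoCmpControl(Element root, String namespace) {
    Element cmpCtrlElement = XmlUtil.getFirstElementChild(root, namespace, "cmpControl");
    if (cmpCtrlElement == null) {
        return null;
    }
    String rrAkiRequired = XmlUtil.getValueOfFirstElementChild(cmpCtrlElement, namespace, "rrAkiRequired");
    // Absent -> false; Boolean.parseBoolean() treats anything but "true" (case-insensitive) as false.
    return new ClientCmpControl(rrAkiRequired != null && Boolean.parseBoolean(rrAkiRequired));
}

/**
 * Collects the {@code certprofile} entries below {@code certprofiles}; an absent
 * {@code certprofiles} element yields an empty set. Logs the resulting profile names.
 */
private Set<CertprofileInfo> parseCaInfoCertprofiles(Element root, String namespace, String caName) {
    Set<CertprofileInfo> profiles = new HashSet<>();
    Set<String> profileNames = new HashSet<>();
    Element profilesElement = XmlUtil.getFirstElementChild(root, namespace, "certprofiles");
    if (profilesElement != null) {
        List<Element> profileElements = XmlUtil.getElementChilden(profilesElement, namespace, "certprofile");
        for (Element element : profileElements) {
            String name = XmlUtil.getValueOfFirstElementChild(element, namespace, "name");
            String type = XmlUtil.getValueOfFirstElementChild(element, namespace, "type");
            String conf = XmlUtil.getValueOfFirstElementChild(element, namespace, "conf");
            profiles.add(new CertprofileInfo(name, type, conf));
            profileNames.add(name);
            LOG.debug("configured for CA {} certprofile (name={}, type={}, conf={})", caName, name, type, conf);
        }
    }
    LOG.info("CA {} supports profiles {}", caName, profileNames);
    return profiles;
}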

Example 2 with CertprofileInfo

Use of org.xipki.ca.client.api.CertprofileInfo in the xipki project (by xipki).

Class CaClientImpl, method init0:

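/**
 * (Re)builds the client state from the XML configuration file {@code confFile}: CMP
 * responders, CA entries, requestors, the CA-to-requestor wiring, and - for CAs that use
 * autoconf for their certificate, CMP control or certificate profiles - an initial
 * retrieval of that data from the CA plus an optional periodic refresh.
 *
 * @param force re-initialize even if already initialized
 * @throws IllegalStateException if {@code confFile} or {@code securityFactory} is not set
 * @throws CaClientException if the configuration cannot be read or is inconsistent, or
 *         an autoconf CA could not be configured after all retries
 */
private synchronized void init0(boolean force) throws CaClientException {
    if (confFile == null) {
        throw new IllegalStateException("confFile is not set");
    }
    if (securityFactory == null) {
        throw new IllegalStateException("securityFactory is not set");
    }
    if (!force && initialized.get()) {
        return;
    }

    // Reset: drop CAs from a previous run and stop its periodic CAInfo refresher.
    this.casMap.clear();
    this.autoConfCaNames.clear();
    if (this.scheduledThreadPoolExecutor != null) {
        this.scheduledThreadPoolExecutor.shutdownNow();
    }
    this.initialized.set(false);
    LOG.info("initializing ...");

    CAClientType config = readConfigFile();

    int numActiveCAs = 0;
    for (CAType caType : config.getCAs().getCA()) {
        if (!caType.isEnabled()) {
            LOG.info("CA " + caType.getName() + " is disabled");
            continue;
        }
        numActiveCAs++;
    }
    if (numActiveCAs == 0) {
        LOG.warn("no active CA is configured");
    }

    Map<String, CmpResponder> responders = buildResponders(config);
    Set<CaConf> cas = buildCaConfs(config, responders);

    // Requestors: the identity this client uses towards a CA. A requestor has a certificate,
    // a signer (private key access via securityFactory), or both.
    Map<String, X509Certificate> requestorCerts = new HashMap<>();
    Map<String, ConcurrentContentSigner> requestorSigners = new HashMap<>();
    Map<String, Boolean> requestorSignRequests = new HashMap<>();
    for (RequestorType requestorConf : config.getRequestors().getRequestor()) {
        String name = requestorConf.getName();
        requestorSignRequests.put(name, requestorConf.isSignRequest());
        X509Certificate requestorCert = null;
        if (requestorConf.getCert() != null) {
            try {
                requestorCert = X509Util.parseCert(readData(requestorConf.getCert()));
                requestorCerts.put(name, requestorCert);
            } catch (CertificateException | IOException ex) {
                // narrowed from catch (Exception): same failures as the responder-cert path above
                throw new CaClientException(ex.getMessage(), ex);
            }
        }
        if (requestorConf.getSignerType() != null) {
            try {
                SignerConf signerConf = new SignerConf(requestorConf.getSignerConf());
                ConcurrentContentSigner requestorSigner = securityFactory.createSigner(requestorConf.getSignerType(), signerConf, requestorCert);
                requestorSigners.put(name, requestorSigner);
            } catch (ObjectCreationException ex) {
                throw new CaClientException(ex.getMessage(), ex);
            }
        } else {
            // Without a signer requests cannot be signed, so signRequest=true is a config error.
            if (requestorConf.isSignRequest()) {
                throw new CaClientException("signer of requestor must be configured");
            } else if (requestorCert == null) {
                throw new CaClientException("at least one of certificate and signer of requestor must be configured");
            }
        }
    }

    // Wire each CA to its requestor; a signer-backed requestor takes precedence over a cert-only one.
    for (CaConf ca : cas) {
        if (this.casMap.containsKey(ca.getName())) {
            throw new CaClientException("duplicate CAs with the same name " + ca.getName());
        }
        String requestorName = ca.getRequestorName();
        X509CmpRequestor cmpRequestor;
        if (requestorSigners.containsKey(requestorName)) {
            cmpRequestor = new DfltHttpX509CmpRequestor(requestorSigners.get(requestorName), ca.getResponder(), ca.getUrl(), securityFactory);
            cmpRequestor.setSignRequest(requestorSignRequests.get(requestorName));
        } else if (requestorCerts.containsKey(requestorName)) {
            cmpRequestor = new DfltHttpX509CmpRequestor(requestorCerts.get(requestorName), ca.getResponder(), ca.getUrl(), securityFactory);
        } else {
            throw new CaClientException("could not find requestor named " + requestorName + " for CA " + ca.getName());
        }
        ca.setRequestor(cmpRequestor);
        this.casMap.put(ca.getName(), ca);
    }

    if (!autoConfCaNames.isEmpty()) {
        runAutoconf(config.getCAs().getCAInfoUpdateInterval());
    }
    initialized.set(true);
    LOG.info("initialized");
}

/**
 * Locates and parses the configuration file named by {@code confFile}.
 * The stream is closed via try-with-resources (it was previously leaked).
 *
 * @throws CaClientException if the file does not exist or cannot be read
 */
private CAClientType readConfigFile() throws CaClientException {
    File configFile = new File(IoUtil.expandFilepath(confFile));
    if (!configFile.exists()) {
        throw new CaClientException("could not find configuration file " + confFile);
    }
    try (FileInputStream in = new FileInputStream(configFile)) {
        return parse(in);
    } catch (FileNotFoundException ex) {
        throw new CaClientException("could not read file " + confFile, ex);
    } catch (IOException ex) {
        // only close() can fail here; the parse result would be lost anyway
        throw new CaClientException("could not read file " + confFile + ": " + ex.getMessage(), ex);
    }
}

/**
 * Builds the named CMP responders: each one is a certificate plus the set of signature
 * algorithms accepted for it. NOTE(review): these presumably are what CMP response
 * protection is verified against (CmpResponder is not visible here) - they are the trust
 * anchor for everything, including autoconf'd CA certificates, so the files referenced
 * by the config must be integrity-protected.
 *
 * @throws CaClientException if a certificate cannot be read or an algorithm name is unknown
 */
private Map<String, CmpResponder> buildResponders(CAClientType config) throws CaClientException {
    Map<String, CmpResponder> responders = new HashMap<>();
    for (ResponderType m : config.getResponders().getResponder()) {
        X509Certificate cert;
        try {
            cert = X509Util.parseCert(readData(m.getCert()));
        } catch (CertificateException | IOException ex) {
            LogUtil.error(LOG, ex, "could not configure responder " + m.getName());
            throw new CaClientException(ex.getMessage(), ex);
        }
        Set<String> algoNames = new HashSet<>();
        for (String algo : m.getSignatureAlgos().getSignatureAlgo()) {
            algoNames.add(algo);
        }
        AlgorithmValidator sigAlgoValidator;
        try {
            sigAlgoValidator = new CollectionAlgorithmValidator(algoNames);
        } catch (NoSuchAlgorithmException ex) {
            // keep the cause; it used to be dropped
            throw new CaClientException(ex.getMessage(), ex);
        }
        responders.put(m.getName(), new CmpResponder(cert, sigAlgoValidator));
    }
    return responders;
}

/**
 * Builds a {@link CaConf} for every enabled CA. Each of CA certificate, CMP control and
 * certificate profiles is either taken from the config or marked for autoconf, in which case
 * the CA name is recorded in {@code autoConfCaNames} for later retrieval from the CA.
 *
 * @throws CaClientException if the referenced responder is missing or a file cannot be read/parsed
 */
private Set<CaConf> buildCaConfs(CAClientType config, Map<String, CmpResponder> responders) throws CaClientException {
    Set<CaConf> cas = new HashSet<>();
    for (CAType caType : config.getCAs().getCA()) {
        if (!caType.isEnabled()) {
            continue;
        }
        String caName = caType.getName();
        try {
            CmpResponder responder = responders.get(caType.getResponder());
            if (responder == null) {
                throw new CaClientException("no responder named " + caType.getResponder() + " is configured");
            }
            CaConf ca = new CaConf(caName, caType.getUrl(), caType.getHealthUrl(), caType.getRequestor(), responder);

            // CA certificate: pinned in the config, or fetched from the CA via autoconf.
            if (caType.getCaCert().getAutoconf() != null) {
                ca.setCertAutoconf(true);
            } else {
                ca.setCertAutoconf(false);
                ca.setCert(X509Util.parseCert(readData(caType.getCaCert().getCert())));
            }

            // CMP control (currently only rrAkiRequired; absent -> false).
            CmpControlType cmpCtrlType = caType.getCmpControl();
            if (cmpCtrlType.getAutoconf() != null) {
                ca.setCmpControlAutoconf(true);
            } else {
                ca.setCmpControlAutoconf(false);
                Boolean rrAkiRequired = cmpCtrlType.isRrAkiRequired();
                ca.setCmpControl(new ClientCmpControl(rrAkiRequired != null && rrAkiRequired.booleanValue()));
            }

            // Certificate profiles.
            CertprofilesType certprofilesType = caType.getCertprofiles();
            if (certprofilesType.getAutoconf() != null) {
                ca.setCertprofilesAutoconf(true);
            } else {
                ca.setCertprofilesAutoconf(false);
                ca.setCertprofiles(readCertprofiles(certprofilesType.getCertprofile()));
            }

            cas.add(ca);
            if (ca.isCertAutoconf() || ca.isCertprofilesAutoconf() || ca.isCmpControlAutoconf()) {
                autoConfCaNames.add(caName);
            }
        } catch (IOException | CertificateException ex) {
            LogUtil.error(LOG, ex, "could not configure CA " + caName);
            throw new CaClientException(ex.getMessage(), ex);
        }
    }
    return cas;
}

/**
 * Converts configured certprofile entries; a profile's conf is taken inline or, if the
 * inline value is absent, read from the referenced file.
 *
 * @throws IOException if a conf file cannot be read
 */
private static Set<CertprofileInfo> readCertprofiles(List<CertprofileType> types) throws IOException {
    Set<CertprofileInfo> profiles = new HashSet<>(types.size());
    for (CertprofileType m : types) {
        String conf = null;
        if (m.getConf() != null) {
            conf = m.getConf().getValue();
            if (conf == null) {
                // Decode explicitly as UTF-8; the platform default charset was used before,
                // which made the parsed conf depend on the JVM's locale settings.
                conf = new String(IoUtil.read(m.getConf().getFile()), java.nio.charset.StandardCharsets.UTF_8);
            }
        }
        profiles.add(new CertprofileInfo(m.getName(), m.getType(), conf));
    }
    return profiles;
}

/**
 * Retrieves CAInfo for every CA in {@code autoConfCaNames}, retrying failed CAs up to three
 * times with a 10 s pause between retries, and then schedules the periodic refresher.
 *
 * @param configuredInterval refresh interval in minutes from the config; {@code null} means
 *        10, values below 5 are raised to 5, and 0 or negative disables the refresher
 * @throws CaClientException if some CA still could not be configured after the retries
 */
private void runAutoconf(Integer configuredInterval) throws CaClientException {
    int caInfoUpdateInterval;
    if (configuredInterval == null) {
        caInfoUpdateInterval = 10;
    } else if (configuredInterval <= 0) {
        caInfoUpdateInterval = 0;
    } else if (configuredInterval < 5) {
        caInfoUpdateInterval = 5;
    } else {
        caInfoUpdateInterval = configuredInterval;
    }

    LOG.info("configuring CAs {}", autoConfCaNames);
    Set<String> failedCaNames = autoConfCas(autoConfCaNames);
    // First retry is immediate; later retries wait 10 s. No pause after the last one.
    for (int i = 0; i < 3 && CollectionUtil.isNonEmpty(failedCaNames); i++) {
        if (i > 0) {
            try {
                Thread.sleep(10000);
            } catch (InterruptedException ex) {
                // Restore the interrupt flag and stop retrying instead of ignoring the signal.
                Thread.currentThread().interrupt();
                LOG.warn("interrupted", ex);
                break;
            }
        }
        LOG.info("configuring ({}-th retry) CAs {}", i + 1, failedCaNames);
        failedCaNames = autoConfCas(failedCaNames);
    }
    if (CollectionUtil.isNonEmpty(failedCaNames)) {
        throw new CaClientException("could not configure following CAs " + failedCaNames);
    }
    if (caInfoUpdateInterval > 0) {
        scheduledThreadPoolExecutor = new ScheduledThreadPoolExecutor(1);
        scheduledThreadPoolExecutor.scheduleAtFixedRate(new ClientConfigUpdater(), caInfoUpdateInterval, caInfoUpdateInterval, TimeUnit.MINUTES);
    }
}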
