
Example 1 with PkiErrorException

use of org.xipki.ca.client.api.PkiErrorException in project xipki by xipki.

Class GetCrlCmd, method execute0.

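/**
 * Downloads the current CRL of the selected CA and writes it to {@code outFile}.
 * If {@code withBaseCrl} is set and the downloaded CRL is a delta CRL, the base CRL it
 * refers to (via the Delta CRL Indicator extension, RFC 5280 section 5.2.4) is fetched as
 * well and written to {@code baseCrlOut} (default: {@code outFile + "-baseCRL"}).
 *
 * <p>Side effects: {@code caName} is normalised to lower case and, when not given,
 * resolved to the only configured CA; {@code baseCrlOut} is defaulted when unset.
 *
 * @return always {@code null}
 * @throws IllegalCmdParamException if no CA is configured, the named CA is unknown, or no
 *         CA name was given and more than one CA is configured
 * @throws CmdFailure if the server returns no CRL / base CRL or answers with a PKI error
 * @throws Exception for any other failure of the underlying client calls
 */
@Override
protected Object execute0() throws Exception {
    // Use a fixed locale so that the lookup in caNames does not depend on the JVM's default
    // locale (e.g. the Turkish dotless i would otherwise break "CaName".toLowerCase()).
    if (caName != null) {
        caName = caName.toLowerCase(java.util.Locale.ROOT);
    }
    Set<String> caNames = caClient.getCaNames();
    if (isEmpty(caNames)) {
        throw new IllegalCmdParamException("no CA is configured");
    }
    if (caName != null && !caNames.contains(caName)) {
        throw new IllegalCmdParamException("CA " + caName + " is not within the configured CAs " + caNames);
    }
    if (caName == null) {
        // Without an explicit name the command is only unambiguous for a single configured CA.
        if (caNames.size() == 1) {
            caName = caNames.iterator().next();
        } else {
            throw new IllegalCmdParamException("no CA is specified, one of " + caNames + " is required");
        }
    }
    X509CRL crl;
    try {
        crl = retrieveCrl();
    } catch (PkiErrorException ex) {
        throw new CmdFailure("received no CRL from server: " + ex.getMessage());
    }
    if (crl == null) {
        throw new CmdFailure("received no CRL from server");
    }
    // The CRL is stored exactly as received; whatever checks retrieveCrl() performs on it
    // are not visible in this method.
    saveVerbose("saved CRL to file", new File(outFile), crl.getEncoded());
    // withBaseCrl is a boxed option: an unset value is treated like "false" instead of
    // failing with a NullPointerException.
    if (!Boolean.TRUE.equals(withBaseCrl)) {
        return null;
    }
    // Only a delta CRL carries the Delta CRL Indicator; its value is the CRL number of the
    // base CRL the delta was built against.
    byte[] octetString = crl.getExtensionValue(Extension.deltaCRLIndicator.getId());
    if (octetString == null) {
        // Not a delta CRL, so there is no base CRL to fetch.
        return null;
    }
    if (baseCrlOut == null) {
        baseCrlOut = outFile + "-baseCRL";
    }
    byte[] extnValue = DEROctetString.getInstance(octetString).getOctets();
    BigInteger baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue();
    RequestResponseDebug debug = getRequestResponseDebug();
    try {
        crl = caClient.downloadCrl(caName, baseCrlNumber, debug);
    } catch (PkiErrorException ex) {
        throw new CmdFailure("received no baseCRL from server: " + ex.getMessage());
    } finally {
        // Keep the request/response trace even when the download failed.
        saveRequestResponse(debug);
    }
    if (crl == null) {
        throw new CmdFailure("received no baseCRL from server");
    }
    saveVerbose("saved baseCRL to file", new File(baseCrlOut), crl.getEncoded());
    return null;
}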

Example 2 with PkiErrorException

use of org.xipki.ca.client.api.PkiErrorException in project xipki by xipki.

Class X509CmpRequestor, method parse.

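/**
 * Parses the CMP revocation response ({@code rp} body, RFC 4210 section 5.3.10) for the
 * given request entries into a {@link RevokeCertResultType}.
 *
 * <p>Every request entry yields exactly one result entry: a {@link RevokeCertResultEntry}
 * when the server granted the revocation, otherwise an {@link ErrorResultEntry} carrying
 * the server's status, failure info and status text.
 *
 * @param response the protected response message; its protection is checked before any
 *        body content is interpreted
 * @param reqEntries the request entries, in the order they were sent; the response's
 *        status entries are matched to them by position
 * @return the per-entry revocation results, never {@code null}
 * @throws CmpRequestorException if the body type is neither {@code rp} nor {@code error},
 *         or the number of status entries does not match {@code reqEntries}
 * @throws PkiErrorException if the server answered with an {@code error} body
 */
private RevokeCertResultType parse(PkiResponse response, List<? extends IssuerSerialEntry> reqEntries) throws CmpRequestorException, PkiErrorException {
    ParamUtil.requireNonNull("response", response);
    ParamUtil.requireNonNull("reqEntries", reqEntries);
    // Nothing of the body is trusted before the protection check has passed.
    checkProtection(response);
    PKIBody respBody = response.getPkiMessage().getBody();
    int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new PkiErrorException(content.getPKIStatusInfo());
    } else if (PKIBody.TYPE_REVOCATION_REP != bodyType) {
        throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_REVOCATION_REP, PKIBody.TYPE_ERROR));
    }
    RevRepContent content = RevRepContent.getInstance(respBody.getContent());
    PKIStatusInfo[] statuses = content.getStatus();
    // Status entries are positional, so their count must equal the number of requests.
    if (statuses == null || statuses.length != reqEntries.size()) {
        int statusesLen = (statuses == null) ? 0 : statuses.length;
        throw new CmpRequestorException(String.format("incorrect number of status entries in response '%s' instead the expected '%s'", statusesLen, reqEntries.size()));
    }
    CertId[] revCerts = content.getRevCerts();
    RevokeCertResultType result = new RevokeCertResultType();
    for (int i = 0; i < statuses.length; i++) {
        PKIStatusInfo statusInfo = statuses[i];
        int status = statusInfo.getStatus().intValue();
        IssuerSerialEntry re = reqEntries.get(i);
        if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) {
            // statusString and failInfo are OPTIONAL in PKIStatusInfo; a server may omit
            // either, and a malformed response must not crash the client.
            PKIFreeText text = statusInfo.getStatusString();
            String statusString = (text == null || text.size() == 0) ? null : text.getStringAt(0).getString();
            // 0 means "no failure info bits set".
            int failInfo = (statusInfo.getFailInfo() == null) ? 0 : statusInfo.getFailInfo().intValue();
            result.addResultEntry(new ErrorResultEntry(re.getId(), status, failInfo, statusString));
            continue;
        }
        // revCerts is OPTIONAL; when present, find the CertId matching this request entry.
        CertId certId = null;
        if (revCerts != null) {
            for (CertId entry : revCerts) {
                if (re.getIssuer().equals(entry.getIssuer().getName()) && re.getSerialNumber().equals(entry.getSerialNumber().getValue())) {
                    certId = entry;
                    break;
                }
            }
        }
        if (certId == null) {
            // The server granted the revocation but did not echo the CertId. Report the
            // entry under a CertId rebuilt from the request instead of dropping it silently,
            // which would leave the caller without any result for a revoked certificate.
            LOG.warn("certId is not present in response for (issuer='{}', serialNumber={})", X509Util.getRfc4519Name(re.getIssuer()), LogUtil.formatCsn(re.getSerialNumber()));
            certId = new CertId(new GeneralName(re.getIssuer()), re.getSerialNumber());
        }
        result.addResultEntry(new RevokeCertResultEntry(re.getId(), certId));
    }
    return result;
}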

Example 3 with PkiErrorException

use of org.xipki.ca.client.api.PkiErrorException in project xipki by xipki.

Class X509CmpRequestor, method requestCertificate0.

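/**
 * Sends a signed enrollment request and turns the server's certificate response into an
 * {@link EnrollCertResultResp}.
 *
 * <p>Only responses whose certReqId maps to one of the caller's request ids are accepted;
 * every other CertResponse is ignored. If the server did not use implicit confirmation, a
 * certConf message for all accepted certificates is sent afterwards and its reply is
 * protection-checked like every other response.
 *
 * @param reqMessage the request to sign and send
 * @param reqIdIdMap certReqId to caller-side id; <b>mutated</b>: matched entries are removed
 *        while parsing, and every entry left over is reported as
 *        {@code ClientErrorCode.PKISTATUS_NO_ANSWER}
 * @param expectedBodyType the PKIBody type the server is expected to answer with
 * @param debug optional request/response trace sink, passed through to {@code signAndSend}
 * @return the enrollment results (one entry per request id plus the CA certificates
 *         announced by the server), or {@code null} if a granted response carries no
 *         certificate; callers have to handle the {@code null} case
 * @throws CmpRequestorException if the body type is neither {@code expectedBodyType} nor
 *         {@code error}, or sending/receiving fails
 * @throws PkiErrorException if the server answered with an {@code error} body
 */
private EnrollCertResultResp requestCertificate0(PKIMessage reqMessage, Map<BigInteger, String> reqIdIdMap, int expectedBodyType, RequestResponseDebug debug) throws CmpRequestorException, PkiErrorException {
    PkiResponse response = signAndSend(reqMessage, debug);
    // Nothing of the body is trusted before the protection check has passed.
    checkProtection(response);
    PKIBody respBody = response.getPkiMessage().getBody();
    final int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new PkiErrorException(content.getPKIStatusInfo());
    } else if (expectedBodyType != bodyType) {
        throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, expectedBodyType, PKIBody.TYPE_ERROR));
    }
    CertRepMessage certRep = CertRepMessage.getInstance(respBody.getContent());
    CertResponse[] certResponses = certRep.getResponse();
    if (certResponses == null) {
        // Treat a missing response list like an empty one: every request then ends up as NO_ANSWER.
        certResponses = new CertResponse[0];
    }
    EnrollCertResultResp result = new EnrollCertResultResp();
    // CA certificates announced by the server (caPubs). They are forwarded exactly as
    // received; nothing in this method checks them against a trust anchor.
    CMPCertificate[] caPubs = certRep.getCaPubs();
    if (caPubs != null) {
        for (CMPCertificate caPub : caPubs) {
            if (caPub != null) {
                result.addCaCertificate(caPub);
            }
        }
    }
    // Without implicit confirmation every accepted certificate has to be confirmed with a certConf.
    CertificateConfirmationContentBuilder certConfirmBuilder = null;
    if (!CmpUtil.isImplictConfirm(response.getPkiMessage().getHeader())) {
        certConfirmBuilder = new CertificateConfirmationContentBuilder();
    }
    boolean requireConfirm = false;
    // We only accept the certificates which are requested.
    for (CertResponse certResp : certResponses) {
        PKIStatusInfo statusInfo = certResp.getStatus();
        int status = statusInfo.getStatus().intValue();
        BigInteger certReqId = certResp.getCertReqId().getValue();
        String thisId = reqIdIdMap.get(certReqId);
        if (thisId != null) {
            // Consume the entry so a duplicate certReqId is not accepted twice.
            reqIdIdMap.remove(certReqId);
        } else if (reqIdIdMap.size() == 1) {
            // Presumably a tolerance for servers that echo a different certReqId: with exactly
            // one request outstanding the response can only belong to it.
            thisId = reqIdIdMap.values().iterator().next();
            reqIdIdMap.clear();
        }
        if (thisId == null) {
            // ignore it. this cert is not requested by me
            continue;
        }
        ResultEntry resultEntry;
        if (status == PKIStatus.GRANTED || status == PKIStatus.GRANTED_WITH_MODS) {
            CertifiedKeyPair cvk = certResp.getCertifiedKeyPair();
            if (cvk == null) {
                // Granted but no certificate: callers have to handle the null return.
                return null;
            }
            CMPCertificate cmpCert = cvk.getCertOrEncCert().getCertificate();
            if (cmpCert == null) {
                return null;
            }
            resultEntry = new EnrollCertResultEntry(thisId, cmpCert, status);
            if (certConfirmBuilder != null) {
                requireConfirm = true;
                X509CertificateHolder certHolder = null;
                try {
                    certHolder = new X509CertificateHolder(cmpCert.getEncoded());
                } catch (IOException ex) {
                    // An undecodable certificate is reported as an error entry and is not confirmed.
                    resultEntry = new ErrorResultEntry(thisId, ClientErrorCode.PKISTATUS_RESPONSE_ERROR, PKIFailureInfo.systemFailure, "could not decode the certificate");
                }
                if (certHolder != null) {
                    certConfirmBuilder.addAcceptedCertificate(certHolder, certReqId);
                }
            }
        } else {
            // statusString and failInfo are OPTIONAL in PKIStatusInfo; a server may omit
            // either, and a malformed response must not crash the client.
            PKIFreeText statusString = statusInfo.getStatusString();
            String errorMessage = (statusString == null || statusString.size() == 0) ? null : statusString.getStringAt(0).getString();
            // 0 means "no failure info bits set".
            int failureInfo = (statusInfo.getFailInfo() == null) ? 0 : statusInfo.getFailInfo().intValue();
            resultEntry = new ErrorResultEntry(thisId, status, failureInfo, errorMessage);
        }
        result.addResultEntry(resultEntry);
    }
    // Whatever is left in the map was never answered by the server.
    for (Map.Entry<BigInteger, String> unanswered : reqIdIdMap.entrySet()) {
        result.addResultEntry(new ErrorResultEntry(unanswered.getValue(), ClientErrorCode.PKISTATUS_NO_ANSWER));
    }
    if (!requireConfirm) {
        return result;
    }
    // The certConf is bound to the server's transaction id; its reply goes through the same
    // protection check as the initial response.
    PKIMessage confirmRequest = buildCertConfirmRequest(response.getPkiMessage().getHeader().getTransactionID(), certConfirmBuilder);
    response = signAndSend(confirmRequest, debug);
    checkProtection(response);
    return result;
}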

Example 4 with PkiErrorException

use of org.xipki.ca.client.api.PkiErrorException in project xipki by xipki.

Class CaClientImpl, method removeCerts.

/**
 * Removes the certificates named in {@code request} from the issuing CA via CMP.
 *
 * <p>All entries must name the same issuer, because the request is sent to exactly one
 * CA (the one resolved from that issuer). The client is initialised lazily via
 * {@code init0(false)} before the issuer lookup.
 *
 * @param request the certificates to remove; an empty request yields an empty result
 * @param debug optional request/response trace sink, passed through to the requestor
 * @return the per-id result, as produced by {@code parseRevokeCertResult}
 * @throws CaClientException if the CMP exchange fails
 * @throws PkiErrorException if the entries are not all issued by the same CA
 *         ({@code REJECTION} / {@code badRequest})
 */
@Override
public Map<String, CertIdOrError> removeCerts(UnrevokeOrRemoveCertRequest request, RequestResponseDebug debug) throws CaClientException, PkiErrorException {
    ParamUtil.requireNonNull("request", request);
    init0(false);
    List<UnrevokeOrRemoveCertEntry> entries = request.getRequestEntries();
    if (CollectionUtil.isEmpty(entries)) {
        return Collections.emptyMap();
    }
    // The first entry's issuer decides which CA is addressed; every other entry must agree.
    X500Name commonIssuer = entries.get(0).getIssuer();
    for (UnrevokeOrRemoveCertEntry entry : entries.subList(1, entries.size())) {
        if (!commonIssuer.equals(entry.getIssuer())) {
            throw new PkiErrorException(PKIStatus.REJECTION, PKIFailureInfo.badRequest, "removing certificates issued by more than one CA is not allowed");
        }
    }
    final String caName = getCaNameByIssuer(commonIssuer);
    X509CmpRequestor requestor = casMap.get(caName).getRequestor();
    RevokeCertResultType rawResult;
    try {
        rawResult = requestor.removeCertificate(request, debug);
    } catch (CmpRequestorException ex) {
        // Wrap with the cause preserved so the transport failure stays diagnosable.
        throw new CaClientException(ex.getMessage(), ex);
    }
    return parseRevokeCertResult(rawResult);
}

Example 5 with PkiErrorException

use of org.xipki.ca.client.api.PkiErrorException in project xipki by xipki.

Class CaClientImpl, method revokeCerts.

/**
 * Revokes the certificates named in {@code request} at the issuing CA via CMP.
 *
 * <p>All entries must name the same issuer, because the request is sent to exactly one
 * CA (the one resolved from that issuer). If that CA's CMP control requires an
 * AuthorityKeyIdentifier in revocation requests, every entry without one is
 * <b>modified in place</b> to carry the CA's subject key identifier.
 *
 * <p>NOTE(review): unlike {@code removeCerts}, this method does not call
 * {@code init0(false)} before using {@code casMap}; confirm whether that is intended.
 *
 * @param request the certificates to revoke; an empty request yields an empty result
 * @param debug optional request/response trace sink, passed through to the requestor
 * @return the per-id result, as produced by {@code parseRevokeCertResult}
 * @throws CaClientException if the CMP exchange fails
 * @throws PkiErrorException if the entries are not all issued by the same CA
 *         ({@code REJECTION} / {@code badRequest})
 */
@Override
public Map<String, CertIdOrError> revokeCerts(RevokeCertRequest request, RequestResponseDebug debug) throws CaClientException, PkiErrorException {
    ParamUtil.requireNonNull("request", request);
    List<RevokeCertRequestEntry> entries = request.getRequestEntries();
    if (CollectionUtil.isEmpty(entries)) {
        return Collections.emptyMap();
    }
    // The first entry's issuer decides which CA is addressed; every other entry must agree.
    X500Name commonIssuer = entries.get(0).getIssuer();
    for (RevokeCertRequestEntry entry : entries.subList(1, entries.size())) {
        if (!commonIssuer.equals(entry.getIssuer())) {
            throw new PkiErrorException(PKIStatus.REJECTION, PKIFailureInfo.badRequest, "revoking certificates issued by more than one CA is not allowed");
        }
    }
    final String caName = getCaNameByIssuer(commonIssuer);
    CaConf caConf = casMap.get(caName);
    if (caConf.getCmpControl().isRrAkiRequired()) {
        // Fill in the CA's key identifier for entries that do not carry an AKI themselves.
        byte[] caSki = caConf.getSubjectKeyIdentifier();
        for (RevokeCertRequestEntry entry : request.getRequestEntries()) {
            if (entry.getAuthorityKeyIdentifier() == null) {
                entry.setAuthorityKeyIdentifier(caSki);
            }
        }
    }
    X509CmpRequestor requestor = caConf.getRequestor();
    RevokeCertResultType rawResult;
    try {
        rawResult = requestor.revokeCertificate(request, debug);
    } catch (CmpRequestorException ex) {
        // Wrap with the cause preserved so the transport failure stays diagnosable.
        throw new CaClientException(ex.getMessage(), ex);
    }
    return parseRevokeCertResult(rawResult);
}
