Example 1 with EnrollCertResultEntry
use of org.xipki.ca.client.api.dto.EnrollCertResultEntry in project xipki by xipki.
the class X509CmpRequestor method requestCertificate0.
private EnrollCertResultResp requestCertificate0(PKIMessage reqMessage, Map<BigInteger, String> reqIdIdMap, int expectedBodyType, RequestResponseDebug debug) throws CmpRequestorException, PkiErrorException {
PkiResponse response = signAndSend(reqMessage, debug);
checkProtection(response);
PKIBody respBody = response.getPkiMessage().getBody();
final int bodyType = respBody.getType();
if (PKIBody.TYPE_ERROR == bodyType) {
ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
throw new PkiErrorException(content.getPKIStatusInfo());
} else if (expectedBodyType != bodyType) {
throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, expectedBodyType, PKIBody.TYPE_ERROR));
}
CertRepMessage certRep = CertRepMessage.getInstance(respBody.getContent());
CertResponse[] certResponses = certRep.getResponse();
EnrollCertResultResp result = new EnrollCertResultResp();
// CA certificates
CMPCertificate[] caPubs = certRep.getCaPubs();
if (caPubs != null && caPubs.length > 0) {
for (int i = 0; i < caPubs.length; i++) {
if (caPubs[i] != null) {
result.addCaCertificate(caPubs[i]);
}
}
}
CertificateConfirmationContentBuilder certConfirmBuilder = null;
if (!CmpUtil.isImplictConfirm(response.getPkiMessage().getHeader())) {
certConfirmBuilder = new CertificateConfirmationContentBuilder();
}
boolean requireConfirm = false;
// We only accept the certificates which are requested.
for (CertResponse certResp : certResponses) {
PKIStatusInfo statusInfo = certResp.getStatus();
int status = statusInfo.getStatus().intValue();
BigInteger certReqId = certResp.getCertReqId().getValue();
String thisId = reqIdIdMap.get(certReqId);
if (thisId != null) {
reqIdIdMap.remove(certReqId);
} else if (reqIdIdMap.size() == 1) {
thisId = reqIdIdMap.values().iterator().next();
reqIdIdMap.clear();
}
if (thisId == null) {
// ignore it. this cert is not requested by me
continue;
}
ResultEntry resultEntry;
if (status == PKIStatus.GRANTED || status == PKIStatus.GRANTED_WITH_MODS) {
CertifiedKeyPair cvk = certResp.getCertifiedKeyPair();
if (cvk == null) {
return null;
}
CMPCertificate cmpCert = cvk.getCertOrEncCert().getCertificate();
if (cmpCert == null) {
return null;
}
resultEntry = new EnrollCertResultEntry(thisId, cmpCert, status);
if (certConfirmBuilder != null) {
requireConfirm = true;
X509CertificateHolder certHolder = null;
try {
certHolder = new X509CertificateHolder(cmpCert.getEncoded());
} catch (IOException ex) {
resultEntry = new ErrorResultEntry(thisId, ClientErrorCode.PKISTATUS_RESPONSE_ERROR, PKIFailureInfo.systemFailure, "could not decode the certificate");
}
if (certHolder != null) {
certConfirmBuilder.addAcceptedCertificate(certHolder, certReqId);
}
}
} else {
PKIFreeText statusString = statusInfo.getStatusString();
String errorMessage = (statusString == null) ? null : statusString.getStringAt(0).getString();
int failureInfo = statusInfo.getFailInfo().intValue();
resultEntry = new ErrorResultEntry(thisId, status, failureInfo, errorMessage);
}
result.addResultEntry(resultEntry);
}
if (CollectionUtil.isNonEmpty(reqIdIdMap)) {
for (BigInteger reqId : reqIdIdMap.keySet()) {
ErrorResultEntry ere = new ErrorResultEntry(reqIdIdMap.get(reqId), ClientErrorCode.PKISTATUS_NO_ANSWER);
result.addResultEntry(ere);
}
}
if (!requireConfirm) {
return result;
}
PKIMessage confirmRequest = buildCertConfirmRequest(response.getPkiMessage().getHeader().getTransactionID(), certConfirmBuilder);
response = signAndSend(confirmRequest, debug);
checkProtection(response);
return result;
}
Also used :
ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry)
RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry)
EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry)
ResultEntry(org.xipki.ca.client.api.dto.ResultEntry)
PkiResponse(org.xipki.cmp.PkiResponse)
PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)
PkiErrorException(org.xipki.ca.client.api.PkiErrorException)
CertifiedKeyPair(org.bouncycastle.asn1.cmp.CertifiedKeyPair)
PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage)
PKIBody(org.bouncycastle.asn1.cmp.PKIBody)
CertificateConfirmationContentBuilder(org.bouncycastle.cert.cmp.CertificateConfirmationContentBuilder)
CertResponse(org.bouncycastle.asn1.cmp.CertResponse)
ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry)
CertRepMessage(org.bouncycastle.asn1.cmp.CertRepMessage)
IOException(java.io.IOException)
PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText)
EnrollCertResultResp(org.xipki.ca.client.api.dto.EnrollCertResultResp)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry)
ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent)
Example 2 with EnrollCertResultEntry
use of org.xipki.ca.client.api.dto.EnrollCertResultEntry in project xipki by xipki.
the class CaClientImpl method parseEnrollCertResult.
// method getHealthCheckResult
private EnrollCertResult parseEnrollCertResult(EnrollCertResultResp result) throws CaClientException {
Map<String, CertOrError> certOrErrors = new HashMap<>();
for (ResultEntry resultEntry : result.getResultEntries()) {
CertOrError certOrError;
if (resultEntry instanceof EnrollCertResultEntry) {
EnrollCertResultEntry entry = (EnrollCertResultEntry) resultEntry;
try {
java.security.cert.Certificate cert = getCertificate(entry.getCert());
certOrError = new CertOrError(cert);
} catch (CertificateException ex) {
throw new CaClientException(String.format("CertificateParsingException for request (id=%s): %s", entry.getId(), ex.getMessage()));
}
} else if (resultEntry instanceof ErrorResultEntry) {
certOrError = new CertOrError(((ErrorResultEntry) resultEntry).getStatusInfo());
} else {
certOrError = null;
}
certOrErrors.put(resultEntry.getId(), certOrError);
}
List<CMPCertificate> cmpCaPubs = result.getCaCertificates();
if (CollectionUtil.isEmpty(cmpCaPubs)) {
return new EnrollCertResult(null, certOrErrors);
}
List<java.security.cert.Certificate> caPubs = new ArrayList<>(cmpCaPubs.size());
for (CMPCertificate cmpCaPub : cmpCaPubs) {
try {
caPubs.add(getCertificate(cmpCaPub));
} catch (CertificateException ex) {
LogUtil.error(LOG, ex, "could not extract the caPub from CMPCertificate");
}
}
java.security.cert.Certificate caCert = null;
for (CertOrError certOrError : certOrErrors.values()) {
java.security.cert.Certificate cert = certOrError.getCertificate();
if (cert == null) {
continue;
}
for (java.security.cert.Certificate caPub : caPubs) {
if (verify(caPub, cert)) {
caCert = caPub;
break;
}
}
if (caCert != null) {
break;
}
}
if (caCert == null) {
return new EnrollCertResult(null, certOrErrors);
}
for (CertOrError certOrError : certOrErrors.values()) {
java.security.cert.Certificate cert = certOrError.getCertificate();
if (cert == null) {
continue;
}
if (!verify(caCert, cert)) {
LOG.warn("not all certificates are issued by CA embedded in caPubs, ignore the caPubs");
return new EnrollCertResult(null, certOrErrors);
}
}
return new EnrollCertResult(caCert, certOrErrors);
}
Also used :
ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry)
RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry)
ResultEntry(org.xipki.ca.client.api.dto.ResultEntry)
EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry)
HashMap(java.util.HashMap)
ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry)
ArrayList(java.util.ArrayList)
CertificateException(java.security.cert.CertificateException)
CertOrError(org.xipki.ca.client.api.CertOrError)
CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)
EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry)
EnrollCertResult(org.xipki.ca.client.api.EnrollCertResult)
CaClientException(org.xipki.ca.client.api.CaClientException)
X509Certificate(java.security.cert.X509Certificate)
CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Aggregations
CMPCertificate (org.bouncycastle.asn1.cmp.CMPCertificate)2
EnrollCertResultEntry (org.xipki.ca.client.api.dto.EnrollCertResultEntry)2
ErrorResultEntry (org.xipki.ca.client.api.dto.ErrorResultEntry)2
ResultEntry (org.xipki.ca.client.api.dto.ResultEntry)2
RevokeCertResultEntry (org.xipki.ca.client.api.dto.RevokeCertResultEntry)2
IOException (java.io.IOException)1
BigInteger (java.math.BigInteger)1
CertificateException (java.security.cert.CertificateException)1
X509Certificate (java.security.cert.X509Certificate)1
ArrayList (java.util.ArrayList)1
HashMap (java.util.HashMap)1
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)1
DEROctetString (org.bouncycastle.asn1.DEROctetString)1
DERUTF8String (org.bouncycastle.asn1.DERUTF8String)1
CertRepMessage (org.bouncycastle.asn1.cmp.CertRepMessage)1
CertResponse (org.bouncycastle.asn1.cmp.CertResponse)1
CertifiedKeyPair (org.bouncycastle.asn1.cmp.CertifiedKeyPair)1
ErrorMsgContent (org.bouncycastle.asn1.cmp.ErrorMsgContent)1
PKIBody (org.bouncycastle.asn1.cmp.PKIBody)1
PKIFreeText (org.bouncycastle.asn1.cmp.PKIFreeText)1
