Search in sources :

Example 1 with EnrollCertResultEntry

use of org.xipki.ca.client.api.dto.EnrollCertResultEntry in project xipki by xipki.

the class X509CmpRequestor method requestCertificate0.

private EnrollCertResultResp requestCertificate0(PKIMessage reqMessage, Map<BigInteger, String> reqIdIdMap, int expectedBodyType, RequestResponseDebug debug) throws CmpRequestorException, PkiErrorException {
    PkiResponse response = signAndSend(reqMessage, debug);
    checkProtection(response);
    PKIBody respBody = response.getPkiMessage().getBody();
    final int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new PkiErrorException(content.getPKIStatusInfo());
    } else if (expectedBodyType != bodyType) {
        throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, expectedBodyType, PKIBody.TYPE_ERROR));
    }
    CertRepMessage certRep = CertRepMessage.getInstance(respBody.getContent());
    CertResponse[] certResponses = certRep.getResponse();
    EnrollCertResultResp result = new EnrollCertResultResp();
    // CA certificates
    CMPCertificate[] caPubs = certRep.getCaPubs();
    if (caPubs != null && caPubs.length > 0) {
        for (int i = 0; i < caPubs.length; i++) {
            if (caPubs[i] != null) {
                result.addCaCertificate(caPubs[i]);
            }
        }
    }
    CertificateConfirmationContentBuilder certConfirmBuilder = null;
    if (!CmpUtil.isImplictConfirm(response.getPkiMessage().getHeader())) {
        certConfirmBuilder = new CertificateConfirmationContentBuilder();
    }
    boolean requireConfirm = false;
    // We only accept the certificates which are requested.
    for (CertResponse certResp : certResponses) {
        PKIStatusInfo statusInfo = certResp.getStatus();
        int status = statusInfo.getStatus().intValue();
        BigInteger certReqId = certResp.getCertReqId().getValue();
        String thisId = reqIdIdMap.get(certReqId);
        if (thisId != null) {
            reqIdIdMap.remove(certReqId);
        } else if (reqIdIdMap.size() == 1) {
            thisId = reqIdIdMap.values().iterator().next();
            reqIdIdMap.clear();
        }
        if (thisId == null) {
            // ignore it. this cert is not requested by me
            continue;
        }
        ResultEntry resultEntry;
        if (status == PKIStatus.GRANTED || status == PKIStatus.GRANTED_WITH_MODS) {
            CertifiedKeyPair cvk = certResp.getCertifiedKeyPair();
            if (cvk == null) {
                return null;
            }
            CMPCertificate cmpCert = cvk.getCertOrEncCert().getCertificate();
            if (cmpCert == null) {
                return null;
            }
            resultEntry = new EnrollCertResultEntry(thisId, cmpCert, status);
            if (certConfirmBuilder != null) {
                requireConfirm = true;
                X509CertificateHolder certHolder = null;
                try {
                    certHolder = new X509CertificateHolder(cmpCert.getEncoded());
                } catch (IOException ex) {
                    resultEntry = new ErrorResultEntry(thisId, ClientErrorCode.PKISTATUS_RESPONSE_ERROR, PKIFailureInfo.systemFailure, "could not decode the certificate");
                }
                if (certHolder != null) {
                    certConfirmBuilder.addAcceptedCertificate(certHolder, certReqId);
                }
            }
        } else {
            PKIFreeText statusString = statusInfo.getStatusString();
            String errorMessage = (statusString == null) ? null : statusString.getStringAt(0).getString();
            int failureInfo = statusInfo.getFailInfo().intValue();
            resultEntry = new ErrorResultEntry(thisId, status, failureInfo, errorMessage);
        }
        result.addResultEntry(resultEntry);
    }
    if (CollectionUtil.isNonEmpty(reqIdIdMap)) {
        for (BigInteger reqId : reqIdIdMap.keySet()) {
            ErrorResultEntry ere = new ErrorResultEntry(reqIdIdMap.get(reqId), ClientErrorCode.PKISTATUS_NO_ANSWER);
            result.addResultEntry(ere);
        }
    }
    if (!requireConfirm) {
        return result;
    }
    PKIMessage confirmRequest = buildCertConfirmRequest(response.getPkiMessage().getHeader().getTransactionID(), certConfirmBuilder);
    response = signAndSend(confirmRequest, debug);
    checkProtection(response);
    return result;
}
Also used : ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry) RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry) EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry) ResultEntry(org.xipki.ca.client.api.dto.ResultEntry) PkiResponse(org.xipki.cmp.PkiResponse) PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DEROctetString(org.bouncycastle.asn1.DEROctetString) CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate) PkiErrorException(org.xipki.ca.client.api.PkiErrorException) CertifiedKeyPair(org.bouncycastle.asn1.cmp.CertifiedKeyPair) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) CertificateConfirmationContentBuilder(org.bouncycastle.cert.cmp.CertificateConfirmationContentBuilder) CertResponse(org.bouncycastle.asn1.cmp.CertResponse) ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry) CertRepMessage(org.bouncycastle.asn1.cmp.CertRepMessage) IOException(java.io.IOException) PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText) EnrollCertResultResp(org.xipki.ca.client.api.dto.EnrollCertResultResp) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent)

Example 2 with EnrollCertResultEntry

use of org.xipki.ca.client.api.dto.EnrollCertResultEntry in project xipki by xipki.

the class CaClientImpl method parseEnrollCertResult.

// method getHealthCheckResult
private EnrollCertResult parseEnrollCertResult(EnrollCertResultResp result) throws CaClientException {
    Map<String, CertOrError> certOrErrors = new HashMap<>();
    for (ResultEntry resultEntry : result.getResultEntries()) {
        CertOrError certOrError;
        if (resultEntry instanceof EnrollCertResultEntry) {
            EnrollCertResultEntry entry = (EnrollCertResultEntry) resultEntry;
            try {
                java.security.cert.Certificate cert = getCertificate(entry.getCert());
                certOrError = new CertOrError(cert);
            } catch (CertificateException ex) {
                throw new CaClientException(String.format("CertificateParsingException for request (id=%s): %s", entry.getId(), ex.getMessage()));
            }
        } else if (resultEntry instanceof ErrorResultEntry) {
            certOrError = new CertOrError(((ErrorResultEntry) resultEntry).getStatusInfo());
        } else {
            certOrError = null;
        }
        certOrErrors.put(resultEntry.getId(), certOrError);
    }
    List<CMPCertificate> cmpCaPubs = result.getCaCertificates();
    if (CollectionUtil.isEmpty(cmpCaPubs)) {
        return new EnrollCertResult(null, certOrErrors);
    }
    List<java.security.cert.Certificate> caPubs = new ArrayList<>(cmpCaPubs.size());
    for (CMPCertificate cmpCaPub : cmpCaPubs) {
        try {
            caPubs.add(getCertificate(cmpCaPub));
        } catch (CertificateException ex) {
            LogUtil.error(LOG, ex, "could not extract the caPub from CMPCertificate");
        }
    }
    java.security.cert.Certificate caCert = null;
    for (CertOrError certOrError : certOrErrors.values()) {
        java.security.cert.Certificate cert = certOrError.getCertificate();
        if (cert == null) {
            continue;
        }
        for (java.security.cert.Certificate caPub : caPubs) {
            if (verify(caPub, cert)) {
                caCert = caPub;
                break;
            }
        }
        if (caCert != null) {
            break;
        }
    }
    if (caCert == null) {
        return new EnrollCertResult(null, certOrErrors);
    }
    for (CertOrError certOrError : certOrErrors.values()) {
        java.security.cert.Certificate cert = certOrError.getCertificate();
        if (cert == null) {
            continue;
        }
        if (!verify(caCert, cert)) {
            LOG.warn("not all certificates are issued by CA embedded in caPubs, ignore the caPubs");
            return new EnrollCertResult(null, certOrErrors);
        }
    }
    return new EnrollCertResult(caCert, certOrErrors);
}
Also used : ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry) RevokeCertResultEntry(org.xipki.ca.client.api.dto.RevokeCertResultEntry) ResultEntry(org.xipki.ca.client.api.dto.ResultEntry) EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry) HashMap(java.util.HashMap) ErrorResultEntry(org.xipki.ca.client.api.dto.ErrorResultEntry) ArrayList(java.util.ArrayList) CertificateException(java.security.cert.CertificateException) CertOrError(org.xipki.ca.client.api.CertOrError) CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate) EnrollCertResultEntry(org.xipki.ca.client.api.dto.EnrollCertResultEntry) EnrollCertResult(org.xipki.ca.client.api.EnrollCertResult) CaClientException(org.xipki.ca.client.api.CaClientException) X509Certificate(java.security.cert.X509Certificate) CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Aggregations

CMPCertificate (org.bouncycastle.asn1.cmp.CMPCertificate)2 EnrollCertResultEntry (org.xipki.ca.client.api.dto.EnrollCertResultEntry)2 ErrorResultEntry (org.xipki.ca.client.api.dto.ErrorResultEntry)2 ResultEntry (org.xipki.ca.client.api.dto.ResultEntry)2 RevokeCertResultEntry (org.xipki.ca.client.api.dto.RevokeCertResultEntry)2 IOException (java.io.IOException)1 BigInteger (java.math.BigInteger)1 CertificateException (java.security.cert.CertificateException)1 X509Certificate (java.security.cert.X509Certificate)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)1 DEROctetString (org.bouncycastle.asn1.DEROctetString)1 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)1 CertRepMessage (org.bouncycastle.asn1.cmp.CertRepMessage)1 CertResponse (org.bouncycastle.asn1.cmp.CertResponse)1 CertifiedKeyPair (org.bouncycastle.asn1.cmp.CertifiedKeyPair)1 ErrorMsgContent (org.bouncycastle.asn1.cmp.ErrorMsgContent)1 PKIBody (org.bouncycastle.asn1.cmp.PKIBody)1 PKIFreeText (org.bouncycastle.asn1.cmp.PKIFreeText)1