
Example 1 with X509Ca

use of org.xipki.ca.server.X509Ca in project xipki by xipki.

the class PublisherManager method republishCertificates.

// method changePublisher
/**
 * Re-publishes the certificates of one CA to the given publishers.
 *
 * @param caName         name of the CA; normalized to lower case, must not be blank
 * @param publisherNames publishers to publish to; normalized to lower case
 * @param numThreads     number of worker threads, must be positive
 * @throws CaMgmtException if this node is not in master mode, the CA is unknown,
 *         or the CA reports that republishing failed
 */
void republishCertificates(String caName, List<String> publisherNames, int numThreads) throws CaMgmtException {
    manager.assertMasterMode();
    String normalizedCaName = toNonBlankLower(caName, "caName");
    positive(numThreads, "numThreads");

    X509Ca ca = manager.x509cas.get(normalizedCaName);
    if (ca == null) {
        throw new CaMgmtException(concat("could not find CA named ", normalizedCaName));
    }

    List<String> normalizedPublisherNames = CollectionUtil.toLowerCaseList(publisherNames);
    boolean succeeded = ca.republishCerts(normalizedPublisherNames, numThreads);
    if (!succeeded) {
        throw new CaMgmtException(concat("republishing certificates of CA ", normalizedCaName, " failed"));
    }
}
Also used : CaMgmtException(org.xipki.ca.api.mgmt.CaMgmtException) X509Ca(org.xipki.ca.server.X509Ca)

Example 2 with X509Ca

use of org.xipki.ca.server.X509Ca in project xipki by xipki.

the class BaseCmpResponder method checkPermission.

// method getSystemInfo
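/**
 * Checks that an operation is permitted both by the CA's own permission set and by the
 * requestor's permissions. The CA-level check runs first, so a requestor is never granted an
 * operation the CA itself does not allow.
 *
 * @param requestor          the CMP requestor; {@code assertPermitted} is delegated to it
 * @param requiredPermission the permission code the operation needs
 * @throws InsufficientPermissionException if the CA does not hold the permission, or if
 *         the requestor's own check rejects it
 */
protected void checkPermission(CmpRequestorInfo requestor, int requiredPermission) throws InsufficientPermissionException {
    X509Ca ca = getCa();
    int permission = ca.getCaInfo().getPermission();
    if (!PermissionConstants.contains(permission, requiredPermission)) {
        // message previously lacked the space before "is not permitted"
        throw new InsufficientPermissionException("Permission " + PermissionConstants.getTextForCode(requiredPermission) + " is not permitted");
    }
    requestor.assertPermitted(requiredPermission);
}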
Also used : X509Ca(org.xipki.ca.server.X509Ca) InsufficientPermissionException(org.xipki.ca.api.InsufficientPermissionException)

Example 3 with X509Ca

use of org.xipki.ca.server.X509Ca in project xipki by xipki.

the class CmpResponder method generateCertificates.

// method processP10cr
/**
 * Issues (or, when {@code kup} is true, regenerates) one certificate per template through the CA
 * and maps each result to a {@code CertResponse}, in template order.
 * <p>
 * Two modes, selected by {@code cmpControl.isGroupEnroll()}:
 * <ul>
 * <li>Group: all templates are handed to the CA in one call. If an {@code OperationException}
 *     occurs anywhere in the group, every certificate the CA already returned is revoked with
 *     {@code CESSATION_OF_OPERATION}, the audit event is marked {@code FAILED}, and each template
 *     gets an error response.</li>
 * <li>Non-group: templates are processed one by one; an {@code OperationException} only turns
 *     that template's response into an error and marks the audit event {@code FAILED}.</li>
 * </ul>
 * When {@code ca.getCaInfo().isSaveRequest()} is set, the encoded request is stored once and each
 * issued certificate is linked to it; a failure to store the request is logged as a warning and
 * does not fail the enrollment.
 *
 * @param certTemplates templates to issue, one certificate each
 * @param requestor     the authenticated requestor, forwarded to the CA and to post-processing
 * @param tid           CMP transaction id; its octets are passed to the CA and the pending pool
 * @param kup           {@code true} for a key update (regenerate), {@code false} for a fresh issue
 * @param request       the full request message, encoded for storage when request saving is on
 * @param cmpControl    controls group enrollment, certificate confirmation and the confirm wait time
 * @param msgId         message id forwarded to the CA for logging/auditing
 * @param event         audit event; set to {@code FAILED} on any {@code OperationException}
 * @return one {@code CertResponse} per template, in the same order as {@code certTemplates}
 */
private List<CertResponse> generateCertificates(List<CertTemplateData> certTemplates, CmpRequestorInfo requestor, ASN1OctetString tid, boolean kup, PKIMessage request, CmpControl cmpControl, String msgId, AuditEvent event) {
    X509Ca ca = getCa();
    final int n = certTemplates.size();
    List<CertResponse> ret = new ArrayList<>(n);
    if (cmpControl.isGroupEnroll()) {
        // kept outside the try so the catch block can revoke whatever was already issued
        List<CertificateInfo> certInfos = null;
        try {
            certInfos = kup ? ca.regenerateCerts(certTemplates, requestor, RequestType.CMP, tid.getOctets(), msgId) : ca.generateCerts(certTemplates, requestor, RequestType.CMP, tid.getOctets(), msgId);
            // save the request
            Long reqDbId = null;
            if (ca.getCaInfo().isSaveRequest()) {
                try {
                    reqDbId = ca.addRequest(request.getEncoded());
                } catch (Exception ex) {
                    // best effort: saving is not required for issuance; note that the cause is not logged
                    LOG.warn("could not save request");
                }
            }
            for (int i = 0; i < n; i++) {
                CertificateInfo certInfo = certInfos.get(i);
                ASN1Integer certReqId = certTemplates.get(i).getCertReqId();
                if (cmpControl.isConfirmCert()) {
                    // the certificate stays pending until the client confirms or the wait time elapses
                    pendingCertPool.addCertificate(tid.getOctets(), certReqId.getPositiveValue(), certInfo, System.currentTimeMillis() + cmpControl.getConfirmWaitTimeMs());
                }
                ret.add(postProcessCertInfo(certReqId, requestor, certInfo));
                if (reqDbId != null) {
                    ca.addRequestCert(reqDbId, certInfo.getCert().getCertId());
                }
            }
        } catch (OperationException ex) {
            // Group enrollment is all-or-nothing: undo every certificate the CA already issued.
            if (certInfos != null) {
                for (CertificateInfo certInfo : certInfos) {
                    BigInteger sn = certInfo.getCert().getCert().getSerialNumber();
                    try {
                        ca.revokeCert(sn, CrlReason.CESSATION_OF_OPERATION, null, msgId);
                    } catch (OperationException ex2) {
                        LogUtil.error(LOG, ex2, "CA " + getCaName() + " could not revoke certificate " + sn);
                    }
                }
            }
            event.setStatus(AuditStatus.FAILED);
            // discard any partial responses; every template is answered with the same error
            ret.clear();
            for (CertTemplateData certTemplate : certTemplates) {
                ret.add(postProcessException(certTemplate.getCertReqId(), ex));
            }
        }
    } else {
        // The request is stored at most once for the whole batch; savingRequestFailed prevents
        // retrying the store for every subsequent template after the first failure.
        Long reqDbId = null;
        boolean savingRequestFailed = false;
        // NOTE(review): unlike the group branch, this path does not register certificates in
        // pendingCertPool when cmpControl.isConfirmCert() is set — confirm whether confirmation
        // is handled elsewhere for single enrollment.
        for (CertTemplateData certTemplate : certTemplates) {
            ASN1Integer certReqId = certTemplate.getCertReqId();
            CertificateInfo certInfo;
            try {
                certInfo = kup ? ca.regenerateCert(certTemplate, requestor, RequestType.CMP, tid.getOctets(), msgId) : ca.generateCert(certTemplate, requestor, RequestType.CMP, tid.getOctets(), msgId);
                if (ca.getCaInfo().isSaveRequest()) {
                    if (reqDbId == null && !savingRequestFailed) {
                        try {
                            byte[] encodedRequest = request.getEncoded();
                            reqDbId = ca.addRequest(encodedRequest);
                        } catch (Exception ex) {
                            savingRequestFailed = true;
                            // best effort, as in the group branch; the cause is not logged
                            LOG.warn("could not save request");
                        }
                    }
                    if (reqDbId != null) {
                        // NOTE(review): if this call (or postProcessCertInfo below) throws an
                        // OperationException, the certificate issued above is not revoked here,
                        // unlike the group branch — confirm whether that is intended.
                        ca.addRequestCert(reqDbId, certInfo.getCert().getCertId());
                    }
                }
                ret.add(postProcessCertInfo(certReqId, requestor, certInfo));
            } catch (OperationException ex) {
                // only this template fails; the remaining templates are still processed
                event.setStatus(AuditStatus.FAILED);
                ret.add(postProcessException(certReqId, ex));
            }
        }
    }
    return ret;
}
Also used : X509Ca(org.xipki.ca.server.X509Ca) ParseException(java.text.ParseException) IOException(java.io.IOException) CaMgmtException(org.xipki.ca.api.mgmt.CaMgmtException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CertTemplateData(org.xipki.ca.server.CertTemplateData) BigInteger(java.math.BigInteger)

Example 4 with X509Ca

use of org.xipki.ca.server.X509Ca in project xipki by xipki.

the class CmpResponder method processP10cr.

// method processCertReqMessages
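/**
 * Handles a PKI body with the choice {@code p10cr} (a PKCS#10 certification request).
 * <p>
 * Since attributes cannot be added to the PKCS#10 request (CSR) itself, the certificate
 * profile is taken from {@code PKIHeader.generalInfo}: first from the dedicated cert-profile
 * entry ({@code CmpUtil.extractCertProfile}), then from the regInfo-utf8Pairs
 * (1.3.6.1.5.5.7.5.2.1) key {@code KEY_CERTPROFILE}, and finally from
 * {@code dfltCertprofileName}. Optional notBefore/notAfter values are read from the same
 * utf8Pairs.
 * <p>
 * Processing order: verify the proof-of-possession, parse the CSR extensions, resolve and
 * authorize the certificate profile against the requestor, then issue via
 * {@code generateCertificates}. Any failure yields an error {@code CertResponse}; a status other
 * than granted/granted-with-mods/waiting also marks {@code event} as {@code FAILED} and records
 * the status string as the audit message.
 *
 * @param dfltCertprofileName profile used when the request names none; may be {@code null}
 * @param request             the complete request message, forwarded so it can be saved
 * @param requestor           the authenticated requestor; its profile permissions are enforced
 * @param tid                 the CMP transaction id
 * @param reqHeader           request header whose generalInfo supplies profile and validity
 * @param p10cr               the PKCS#10 request to issue a certificate for
 * @param cmpControl          controls whether the CA certificate / chain is returned in caPubs
 * @param msgId               message id for logging and auditing
 * @param event               audit event updated with the outcome
 * @return a {@code certrep} body holding exactly one {@code CertResponse}
 */
private PKIBody processP10cr(String dfltCertprofileName, PKIMessage request, CmpRequestorInfo requestor, ASN1OctetString tid, PKIHeader reqHeader, CertificationRequest p10cr, CmpControl cmpControl, String msgId, AuditEvent event) {
    // verify the POP first
    CertResponse certResp = null;
    // a p10cr carries no certReqId of its own; -1 is used for the single response
    ASN1Integer certReqId = new ASN1Integer(-1);
    boolean certGenerated = false;
    X509Ca ca = getCa();
    if (!ca.verifyCsr(p10cr)) {
        LOG.warn("could not validate POP for the pkcs#10 requst");
        certResp = buildErrCertResp(certReqId, badPOP, "invalid POP");
    } else {
        CertificationRequestInfo certTemp = p10cr.getCertificationRequestInfo();
        Extensions extensions;
        try {
            extensions = CaUtil.getExtensions(certTemp);
        } catch (IllegalArgumentException ex) {
            extensions = null;
            LOG.warn("could not parse extensions of the pkcs#10 requst");
            certResp = buildErrCertResp(certReqId, badCertTemplate, "invalid extensions");
        }
        if (certResp == null) {
            X500Name subject = certTemp.getSubject();
            SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
            InfoTypeAndValue[] generalInfo = reqHeader.getGeneralInfo();
            CmpUtf8Pairs keyvalues = CmpUtil.extractUtf8Pairs(generalInfo);
            // CertProfile name: dedicated generalInfo entry wins over the utf8Pairs key
            String certprofileName = null;
            String[] list = CmpUtil.extractCertProfile(generalInfo);
            if (list != null && list.length > 0) {
                certprofileName = list[0];
            } else {
                if (keyvalues != null) {
                    certprofileName = keyvalues.value(KEY_CERTPROFILE);
                }
            }
            // NotBefore and NotAfter (optional, from the utf8Pairs)
            Date notBefore = null;
            Date notAfter = null;
            if (keyvalues != null) {
                String str = keyvalues.value(CmpUtf8Pairs.KEY_NOTBEFORE);
                if (str != null) {
                    notBefore = DateUtil.parseUtcTimeyyyyMMddhhmmss(str);
                }
                str = keyvalues.value(CmpUtf8Pairs.KEY_NOTAFTER);
                if (str != null) {
                    notAfter = DateUtil.parseUtcTimeyyyyMMddhhmmss(str);
                }
            }
            if (certprofileName == null) {
                certprofileName = dfltCertprofileName;
            }
            if (certprofileName == null) {
                LOG.warn("no certprofile is specified");
                certResp = buildErrCertResp(certReqId, badCertTemplate, "badCertTemplate");
            } else {
                // Locale-independent lower-casing: the name is an authorization key (compared by
                // requestor.isCertprofilePermitted), so it must not depend on the JVM's default
                // locale (e.g. the Turkish dotless-i mapping).
                certprofileName = certprofileName.toLowerCase(java.util.Locale.ROOT);
                if (!requestor.isCertprofilePermitted(certprofileName)) {
                    String msg = "certprofile " + certprofileName + " is not allowed";
                    certResp = buildErrCertResp(certReqId, notAuthorized, msg);
                } else {
                    CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, certprofileName, certReqId, false);
                    certResp = generateCertificates(Collections.singletonList(certTemplateData), requestor, tid, false, request, cmpControl, msgId, event).get(0);
                    certGenerated = true;
                }
            }
        }
    }
    // caPubs is only populated on a successful issue and only if configured
    CMPCertificate[] caPubs = null;
    if (certGenerated && (cmpControl.isSendCaCert() || cmpControl.isSendCertChain())) {
        List<CMPCertificate> certchain = new ArrayList<>(2);
        certchain.add(getCa().getCaInfo().getCertInCmpFormat());
        if (cmpControl.isSendCertChain()) {
            certchain.addAll(getCa().getCaInfo().getCertchainInCmpFormat());
        }
        caPubs = certchain.toArray(new CMPCertificate[0]);
    }
    if (event.getStatus() == null || event.getStatus() != AuditStatus.FAILED) {
        int status = certResp.getStatus().getStatus().intValue();
        if (status != GRANTED && status != GRANTED_WITH_MODS && status != WAITING) {
            event.setStatus(AuditStatus.FAILED);
            PKIFreeText statusStr = certResp.getStatus().getStatusString();
            // also guard the size: an empty PKIFreeText would make getStringAt(0) fail
            if (statusStr != null && statusStr.size() > 0) {
                event.addEventData(CaAuditConstants.NAME_message, statusStr.getStringAt(0).getString());
            }
        }
    }
    return new PKIBody(PKIBody.TYPE_CERT_REP, new CertRepMessage(caPubs, new CertResponse[] { certResp }));
}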
Also used : CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) CmpUtf8Pairs(org.xipki.security.cmp.CmpUtf8Pairs) X509Ca(org.xipki.ca.server.X509Ca) X500Name(org.bouncycastle.asn1.x500.X500Name) CertTemplateData(org.xipki.ca.server.CertTemplateData)

Example 5 with X509Ca

use of org.xipki.ca.server.X509Ca in project xipki by xipki.

the class CmpResponder method cmpGeneralMsg.

// method cmpRevokeOrUnrevokeOrRemoveCertificates
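/**
 * Handles a CMP {@code genm} (general message) body and builds the {@code genp} response.
 * <p>
 * Only the first InfoTypeAndValue whose type is listed in {@code KNOWN_GENMSG_IDS} is served;
 * a message without such an entry is rejected with {@code badRequest}. Two types are handled:
 * <ul>
 * <li>{@code it_currentCRL} (RFC 4210): returns the current CRL, or — as a XiPKI extension —
 *     the CRL with the number carried in the InfoValue. Requires {@code GET_CRL}.</li>
 * <li>{@code id_xipki_cmp_cmpGenmsg}: a SEQUENCE of an action code and an optional value.
 *     Supported actions: generate a CRL on demand (requires {@code GEN_CRL}), get a CRL by number
 *     (requires {@code GET_CRL}), return system info for the accepted versions, and return the
 *     CA certificate chain. The last two perform no permission check here.</li>
 * </ul>
 * Malformed client-supplied values are answered with {@code badRequest} rather than propagating
 * an unchecked exception; CA-side {@code OperationException}s are mapped to a rejection whose
 * message omits details for database and system failures.
 *
 * @param respHeader response header builder (not modified by this method)
 * @param cmpControl CMP control settings (not consulted by this method)
 * @param reqHeader  request header (not consulted by this method)
 * @param reqBody    the {@code genm} body
 * @param requestor  the authenticated requestor whose permissions are checked
 * @param tid        the CMP transaction id (not consulted by this method)
 * @param msgId      message id forwarded to the CA for logging/auditing
 * @param event      audit event; the handled action type is added to it
 * @return a {@code genp} body, or an error body on rejection
 * @throws InsufficientPermissionException if the requestor or the CA lacks the needed permission
 */
@Override
protected PKIBody cmpGeneralMsg(PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, ASN1OctetString tid, String msgId, AuditEvent event) throws InsufficientPermissionException {
    GenMsgContent genMsgBody = GenMsgContent.getInstance(reqBody.getContent());
    InfoTypeAndValue[] itvs = genMsgBody.toInfoTypeAndValueArray();
    // serve only the first entry with a known type; everything else is rejected below
    InfoTypeAndValue itv = null;
    if (itvs != null && itvs.length > 0) {
        for (InfoTypeAndValue entry : itvs) {
            String itvType = entry.getInfoType().getId();
            if (KNOWN_GENMSG_IDS.contains(itvType)) {
                itv = entry;
                break;
            }
        }
    }
    if (itv == null) {
        String statusMessage = "PKIBody type " + PKIBody.TYPE_GEN_MSG + " is only supported with the sub-types " + KNOWN_GENMSG_IDS.toString();
        return buildErrorMsgPkiBody(rejection, badRequest, statusMessage);
    }
    // NOTE(review): assumes KNOWN_GENMSG_IDS holds exactly the two OIDs handled below;
    // otherwise itvResp stays null and is passed to GenRepContent — confirm.
    InfoTypeAndValue itvResp = null;
    ASN1ObjectIdentifier infoType = itv.getInfoType();
    int failureInfo;
    try {
        X509Ca ca = getCa();
        if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) {
            event.addEventType(CaAuditConstants.Cmp.TYPE_genm_current_crl);
            checkPermission(requestor, PermissionConstants.GET_CRL);
            CertificateList crl;
            if (itv.getInfoValue() == null) {
                // as defined in RFC 4210
                crl = ca.getBcCurrentCrl(msgId);
            } else {
                // xipki extension: the InfoValue carries the number of the wanted CRL
                ASN1Integer crlNumber;
                try {
                    crlNumber = ASN1Integer.getInstance(itv.getInfoValue());
                } catch (IllegalArgumentException ex) {
                    // client value is not an INTEGER: answer badRequest instead of throwing
                    return buildErrorMsgPkiBody(rejection, badRequest, "invalid value of the InfoTypeAndValue for " + infoType.getId());
                }
                crl = ca.getBcCrl(crlNumber.getPositiveValue(), msgId);
            }
            if (crl == null) {
                return buildErrorMsgPkiBody(rejection, systemFailure, "no CRL is available");
            }
            itvResp = new InfoTypeAndValue(infoType, crl);
        } else if (ObjectIdentifiers.Xipki.id_xipki_cmp_cmpGenmsg.equals(infoType)) {
            // InfoValue is SEQUENCE { actionCode INTEGER, value ANY OPTIONAL }
            ASN1Encodable asn1 = itv.getInfoValue();
            ASN1Integer asn1Code;
            ASN1Encodable reqValue = null;
            try {
                ASN1Sequence seq = ASN1Sequence.getInstance(asn1);
                asn1Code = ASN1Integer.getInstance(seq.getObjectAt(0));
                if (seq.size() > 1) {
                    reqValue = seq.getObjectAt(1);
                }
            } catch (IllegalArgumentException ex) {
                return buildErrorMsgPkiBody(rejection, badRequest, "invalid value of the InfoTypeAndValue for " + infoType.getId());
            }
            ASN1Encodable respValue;
            int action = asn1Code.getPositiveValue().intValue();
            if (action == XiSecurityConstants.CMP_ACTION_GEN_CRL) {
                event.addEventType(CaAuditConstants.Cmp.TYPE_genm_gen_crl);
                checkPermission(requestor, PermissionConstants.GEN_CRL);
                X509CRLHolder tmpCrl = ca.generateCrlOnDemand(msgId);
                respValue = tmpCrl.toASN1Structure();
            } else if (action == XiSecurityConstants.CMP_ACTION_GET_CRL_WITH_SN) {
                event.addEventType(CaAuditConstants.Cmp.TYPE_genm_crl4number);
                checkPermission(requestor, PermissionConstants.GET_CRL);
                // This action needs a CRL number. reqValue is null when the request SEQUENCE has
                // only the action code; the former unconditional dereference then failed with an
                // unchecked exception instead of a proper error response.
                if (reqValue == null) {
                    return buildErrorMsgPkiBody(rejection, badRequest, "missing CRL number for action " + action);
                }
                ASN1Integer crlNumber;
                try {
                    crlNumber = ASN1Integer.getInstance(reqValue);
                } catch (IllegalArgumentException ex) {
                    return buildErrorMsgPkiBody(rejection, badRequest, "invalid CRL number for action " + action);
                }
                respValue = ca.getBcCrl(crlNumber.getPositiveValue(), msgId);
                if (respValue == null) {
                    return buildErrorMsgPkiBody(rejection, systemFailure, "no CRL is available");
                }
            } else if (action == XiSecurityConstants.CMP_ACTION_GET_CAINFO) {
                event.addEventType(CaAuditConstants.Cmp.TYPE_genm_cainfo);
                // optional SEQUENCE OF INTEGER listing the info versions the client accepts
                Set<Integer> acceptVersions = new HashSet<>();
                if (reqValue != null) {
                    try {
                        ASN1Sequence seq = DERSequence.getInstance(reqValue);
                        int size = seq.size();
                        for (int i = 0; i < size; i++) {
                            ASN1Integer ai = ASN1Integer.getInstance(seq.getObjectAt(i));
                            acceptVersions.add(ai.getPositiveValue().intValue());
                        }
                    } catch (IllegalArgumentException ex) {
                        // malformed client value: reject instead of propagating the parser error
                        return buildErrorMsgPkiBody(rejection, badRequest, "invalid accepted versions for action " + action);
                    }
                }
                if (CollectionUtil.isEmpty(acceptVersions)) {
                    // default when the client lists no version
                    acceptVersions.add(3);
                }
                String systemInfo = getSystemInfo(requestor, acceptVersions);
                respValue = new DERUTF8String(systemInfo);
            } else if (action == XiSecurityConstants.CMP_ACTION_CACERTCHAIN) {
                event.addEventType(CaAuditConstants.Cmp.TYPE_genm_cacertchain);
                // CA certificate first, followed by its chain (if any)
                ASN1EncodableVector vec = new ASN1EncodableVector();
                vec.add(ca.getCaInfo().getCertInCmpFormat());
                List<X509Cert> certchain = ca.getCaInfo().getCertchain();
                if (CollectionUtil.isNotEmpty(certchain)) {
                    for (X509Cert m : certchain) {
                        vec.add(m.toBcCert().toASN1Structure());
                    }
                }
                respValue = new DERSequence(vec);
            } else {
                return buildErrorMsgPkiBody(rejection, badRequest, "unsupported XiPKI action code " + action);
            }
            // response value is SEQUENCE { actionCode INTEGER, value ANY OPTIONAL }, mirroring the request
            ASN1EncodableVector vec = new ASN1EncodableVector();
            vec.add(asn1Code);
            if (respValue != null) {
                vec.add(respValue);
            }
            itvResp = new InfoTypeAndValue(infoType, new DERSequence(vec));
        }
        GenRepContent genRepContent = new GenRepContent(itvResp);
        return new PKIBody(PKIBody.TYPE_GEN_REP, genRepContent);
    } catch (OperationException ex) {
        failureInfo = getPKiFailureInfo(ex);
        ErrorCode code = ex.getErrorCode();
        // internal failure details are not disclosed to the client
        String errorMessage = (code == ErrorCode.DATABASE_FAILURE || code == ErrorCode.SYSTEM_FAILURE) ? code.name() : code.name() + ": " + ex.getErrorMessage();
        return buildErrorMsgPkiBody(rejection, failureInfo, errorMessage);
    }
}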
Also used : X509Ca(org.xipki.ca.server.X509Ca) X509Cert(org.xipki.security.X509Cert) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode)
