Search in sources :

Example 1 with CmpResponder

use of org.xipki.ca.server.cmp.CmpResponder in project xipki by xipki.

the class RestResponder method service.

public RestResponse service(String path, AuditEvent event, byte[] request, HttpRequestMetadataRetriever httpRetriever) {
    event.setApplicationName(APPNAME);
    event.setName(NAME_perf);
    event.addEventData(NAME_req_type, RequestType.REST.name());
    String msgId = RandomUtil.nextHexLong();
    event.addEventData(NAME_mid, msgId);
    AuditLevel auditLevel = AuditLevel.INFO;
    AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
    String auditMessage = null;
    try {
        if (responderManager == null) {
            String message = "responderManager in servlet not configured";
            LOG.error(message);
            throw new HttpRespAuditException(INTERNAL_SERVER_ERROR, message, ERROR, FAILED);
        }
        String caName = null;
        String command = null;
        X509Ca ca = null;
        if (path.length() > 1) {
            // the first char is always '/'
            String coreUri = path;
            int sepIndex = coreUri.indexOf('/', 1);
            if (sepIndex == -1 || sepIndex == coreUri.length() - 1) {
                String message = "invalid path " + path;
                LOG.error(message);
                throw new HttpRespAuditException(NOT_FOUND, message, ERROR, FAILED);
            }
            // skip also the first char ('/')
            String caAlias = coreUri.substring(1, sepIndex).toLowerCase();
            command = coreUri.substring(sepIndex + 1).toLowerCase();
            caName = responderManager.getCaNameForAlias(caAlias);
            if (caName == null) {
                caName = caAlias;
            }
            CmpResponder caResponder = responderManager.getX509CaResponder(caName);
            if (caResponder != null) {
                ca = caResponder.getCa();
            }
        }
        if (StringUtil.isBlank(command)) {
            String message = "command is not specified";
            LOG.warn(message);
            throw new HttpRespAuditException(NOT_FOUND, message, INFO, FAILED);
        }
        if (ca == null || !ca.getCaInfo().supportsRest() || ca.getCaInfo().getStatus() != CaStatus.ACTIVE) {
            String message;
            if (ca == null) {
                message = "unknown CA '" + caName + "'";
            } else if (!ca.getCaInfo().supportsRest()) {
                message = "REST is not supported by the CA '" + caName + "'";
            } else {
                message = "CA '" + caName + "' is out of service";
            }
            LOG.warn(message);
            throw new HttpRespAuditException(NOT_FOUND, message, INFO, FAILED);
        }
        event.addEventData(NAME_ca, ca.getCaIdent().getName());
        event.addEventType(command);
        RequestorInfo requestor;
        // Retrieve the user:password
        String hdrValue = httpRetriever.getHeader("Authorization");
        if (hdrValue != null && hdrValue.startsWith("Basic ")) {
            String user = null;
            byte[] password = null;
            if (hdrValue.length() > 6) {
                String b64 = hdrValue.substring(6);
                byte[] userPwd = Base64.decodeFast(b64);
                int idx = -1;
                for (int i = 0; i < userPwd.length; i++) {
                    if (userPwd[i] == ':') {
                        idx = i;
                        break;
                    }
                }
                if (idx != -1 && idx < userPwd.length - 1) {
                    user = StringUtil.toUtf8String(Arrays.copyOfRange(userPwd, 0, idx));
                    password = Arrays.copyOfRange(userPwd, idx + 1, userPwd.length);
                }
            }
            if (user == null) {
                throw new HttpRespAuditException(UNAUTHORIZED, "invalid Authorization information", INFO, FAILED);
            }
            NameId userIdent = ca.authenticateUser(user, password);
            if (userIdent == null) {
                throw new HttpRespAuditException(UNAUTHORIZED, "could not authenticate user", INFO, FAILED);
            }
            requestor = ca.getByUserRequestor(userIdent);
        } else {
            X509Cert clientCert = httpRetriever.getTlsClientCert();
            if (clientCert == null) {
                throw new HttpRespAuditException(UNAUTHORIZED, "no client certificate", INFO, FAILED);
            }
            requestor = ca.getRequestor(clientCert);
        }
        if (requestor == null) {
            throw new OperationException(NOT_PERMITTED, "no requestor specified");
        }
        event.addEventData(NAME_requestor, requestor.getIdent().getName());
        String respCt = null;
        byte[] respBytes = null;
        switch(command) {
            case CMD_cacert:
                {
                    respCt = CT_pkix_cert;
                    respBytes = ca.getCaInfo().getCert().getEncoded();
                    break;
                }
            case CMD_pop_dh_certs:
                {
                    PopControl control = responderManager.getX509Ca(caName).getCaInfo().getPopControl();
                    respBytes = new byte[0];
                    if (control != null) {
                        X509Cert[] dhCerts = control.getDhCertificates();
                        if (dhCerts != null) {
                            respCt = CT_pem_file;
                            respBytes = StringUtil.toUtf8Bytes(X509Util.encodeCertificates(dhCerts));
                        }
                    }
                    break;
                }
            case CMD_cacertchain:
                {
                    respCt = CT_pem_file;
                    List<X509Cert> certchain = ca.getCaInfo().getCertchain();
                    int size = 1 + (certchain == null ? 0 : certchain.size());
                    X509Cert[] certchainWithCaCert = new X509Cert[size];
                    certchainWithCaCert[0] = ca.getCaInfo().getCert();
                    if (size > 1) {
                        for (int i = 1; i < size; i++) {
                            certchainWithCaCert[i] = certchain.get(i - 1);
                        }
                    }
                    respBytes = StringUtil.toUtf8Bytes(X509Util.encodeCertificates(certchainWithCaCert));
                    break;
                }
            case CMD_enroll_cert:
            case CMD_enroll_cert_cagenkeypair:
                {
                    String profile = httpRetriever.getParameter(PARAM_profile);
                    if (StringUtil.isBlank(profile)) {
                        throw new HttpRespAuditException(BAD_REQUEST, "required parameter " + PARAM_profile + " not specified", INFO, FAILED);
                    }
                    profile = profile.toLowerCase();
                    try {
                        requestor.assertPermitted(PermissionConstants.ENROLL_CERT);
                    } catch (InsufficientPermissionException ex) {
                        throw new OperationException(NOT_PERMITTED, ex.getMessage());
                    }
                    if (!requestor.isCertprofilePermitted(profile)) {
                        throw new OperationException(NOT_PERMITTED, "certprofile " + profile + " is not allowed");
                    }
                    String strNotBefore = httpRetriever.getParameter(PARAM_not_before);
                    Date notBefore = (strNotBefore == null) ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(strNotBefore);
                    String strNotAfter = httpRetriever.getParameter(PARAM_not_after);
                    Date notAfter = (strNotAfter == null) ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(strNotAfter);
                    if (CMD_enroll_cert_cagenkeypair.equals(command)) {
                        String ct = httpRetriever.getHeader("Content-Type");
                        X500Name subject;
                        Extensions extensions;
                        if (ct.startsWith("text/plain")) {
                            Properties props = new Properties();
                            props.load(new ByteArrayInputStream(request));
                            String strSubject = props.getProperty("subject");
                            if (strSubject == null) {
                                throw new OperationException(BAD_CERT_TEMPLATE, "subject is not specified");
                            }
                            try {
                                subject = new X500Name(strSubject);
                            } catch (Exception ex) {
                                throw new OperationException(BAD_CERT_TEMPLATE, "invalid subject");
                            }
                            extensions = null;
                        } else if (CT_pkcs10.equalsIgnoreCase(ct)) {
                            // some clients may send the PEM encoded CSR.
                            request = X509Util.toDerEncoded(request);
                            // The PKCS#10 will only be used for transport of subject and extensions.
                            // The associated key will not be used, so the verification of POP is skipped.
                            CertificationRequestInfo certTemp = CertificationRequest.getInstance(request).getCertificationRequestInfo();
                            subject = certTemp.getSubject();
                            extensions = CaUtil.getExtensions(certTemp);
                        } else {
                            String message = "unsupported media type " + ct;
                            throw new HttpRespAuditException(UNSUPPORTED_MEDIA_TYPE, message, INFO, FAILED);
                        }
                        CertTemplateData certTemplate = new CertTemplateData(subject, null, notBefore, notAfter, extensions, profile, null, true);
                        CertificateInfo certInfo = ca.generateCert(certTemplate, requestor, RequestType.REST, null, msgId);
                        if (ca.getCaInfo().isSaveRequest()) {
                            long dbId = ca.addRequest(request);
                            ca.addRequestCert(dbId, certInfo.getCert().getCertId());
                        }
                        respCt = CT_pem_file;
                        byte[] keyBytes = PemEncoder.encode(certInfo.getPrivateKey().getEncoded(), PemLabel.PRIVATE_KEY);
                        byte[] certBytes = PemEncoder.encode(certInfo.getCert().getCert().getEncoded(), PemLabel.CERTIFICATE);
                        respBytes = new byte[keyBytes.length + 2 + certBytes.length];
                        System.arraycopy(keyBytes, 0, respBytes, 0, keyBytes.length);
                        respBytes[keyBytes.length] = '\r';
                        respBytes[keyBytes.length + 1] = '\n';
                        System.arraycopy(certBytes, 0, respBytes, keyBytes.length + 2, certBytes.length);
                    } else {
                        String ct = httpRetriever.getHeader("Content-Type");
                        if (!CT_pkcs10.equalsIgnoreCase(ct)) {
                            String message = "unsupported media type " + ct;
                            throw new HttpRespAuditException(UNSUPPORTED_MEDIA_TYPE, message, INFO, FAILED);
                        }
                        CertificationRequest csr = CertificationRequest.getInstance(request);
                        if (!ca.verifyCsr(csr)) {
                            throw new OperationException(BAD_POP);
                        }
                        CertificationRequestInfo certTemp = csr.getCertificationRequestInfo();
                        X500Name subject = certTemp.getSubject();
                        SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
                        Extensions extensions = CaUtil.getExtensions(certTemp);
                        CertTemplateData certTemplate = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profile);
                        CertificateInfo certInfo = ca.generateCert(certTemplate, requestor, RequestType.REST, null, msgId);
                        if (ca.getCaInfo().isSaveRequest()) {
                            long dbId = ca.addRequest(request);
                            ca.addRequestCert(dbId, certInfo.getCert().getCertId());
                        }
                        CertWithDbId cert = certInfo.getCert();
                        if (cert == null) {
                            String message = "could not generate certificate";
                            LOG.warn(message);
                            throw new HttpRespAuditException(INTERNAL_SERVER_ERROR, message, INFO, FAILED);
                        }
                        respCt = CT_pkix_cert;
                        respBytes = cert.getCert().getEncoded();
                    }
                    break;
                }
            case CMD_revoke_cert:
            case CMD_delete_cert:
                {
                    int permission;
                    if (CMD_revoke_cert.equals(command)) {
                        permission = PermissionConstants.REVOKE_CERT;
                    } else {
                        permission = PermissionConstants.REMOVE_CERT;
                    }
                    try {
                        requestor.assertPermitted(permission);
                    } catch (InsufficientPermissionException ex) {
                        throw new OperationException(NOT_PERMITTED, ex.getMessage());
                    }
                    String strCaSha1 = httpRetriever.getParameter(PARAM_ca_sha1);
                    if (StringUtil.isBlank(strCaSha1)) {
                        throw new HttpRespAuditException(BAD_REQUEST, "required parameter " + PARAM_ca_sha1 + " not specified", INFO, FAILED);
                    }
                    String strSerialNumber = httpRetriever.getParameter(PARAM_serial_number);
                    if (StringUtil.isBlank(strSerialNumber)) {
                        throw new HttpRespAuditException(BAD_REQUEST, "required parameter " + PARAM_serial_number + " not specified", INFO, FAILED);
                    }
                    if (!strCaSha1.equalsIgnoreCase(ca.getHexSha1OfCert())) {
                        throw new HttpRespAuditException(BAD_REQUEST, "unknown " + PARAM_ca_sha1, INFO, FAILED);
                    }
                    BigInteger serialNumber;
                    try {
                        serialNumber = toBigInt(strSerialNumber);
                    } catch (NumberFormatException ex) {
                        throw new OperationException(ErrorCode.BAD_REQUEST, ex.getMessage());
                    }
                    if (CMD_revoke_cert.equals(command)) {
                        String strReason = httpRetriever.getParameter(PARAM_reason);
                        CrlReason reason = (strReason == null) ? CrlReason.UNSPECIFIED : CrlReason.forNameOrText(strReason);
                        if (reason == CrlReason.REMOVE_FROM_CRL) {
                            ca.unrevokeCert(serialNumber, msgId);
                        } else {
                            Date invalidityTime = null;
                            String strInvalidityTime = httpRetriever.getParameter(PARAM_invalidity_time);
                            if (StringUtil.isNotBlank(strInvalidityTime)) {
                                invalidityTime = DateUtil.parseUtcTimeyyyyMMddhhmmss(strInvalidityTime);
                            }
                            ca.revokeCert(serialNumber, reason, invalidityTime, msgId);
                        }
                    } else {
                        // if (CMD_delete_cert.equals(command)) {
                        ca.removeCert(serialNumber, msgId);
                    }
                    break;
                }
            case CMD_crl:
                {
                    try {
                        requestor.assertPermitted(PermissionConstants.GET_CRL);
                    } catch (InsufficientPermissionException ex) {
                        throw new OperationException(NOT_PERMITTED, ex.getMessage());
                    }
                    String strCrlNumber = httpRetriever.getParameter(PARAM_crl_number);
                    BigInteger crlNumber = null;
                    if (StringUtil.isNotBlank(strCrlNumber)) {
                        try {
                            crlNumber = toBigInt(strCrlNumber);
                        } catch (NumberFormatException ex) {
                            String message = "invalid crlNumber '" + strCrlNumber + "'";
                            LOG.warn(message);
                            throw new HttpRespAuditException(BAD_REQUEST, message, INFO, FAILED);
                        }
                    }
                    X509CRLHolder crl = ca.getCrl(crlNumber, msgId);
                    if (crl == null) {
                        String message = "could not get CRL";
                        LOG.warn(message);
                        throw new HttpRespAuditException(INTERNAL_SERVER_ERROR, message, INFO, FAILED);
                    }
                    respCt = CT_pkix_crl;
                    respBytes = crl.getEncoded();
                    break;
                }
            case CMD_new_crl:
                {
                    try {
                        requestor.assertPermitted(PermissionConstants.GEN_CRL);
                    } catch (InsufficientPermissionException ex) {
                        throw new OperationException(NOT_PERMITTED, ex.getMessage());
                    }
                    X509CRLHolder crl = ca.generateCrlOnDemand(msgId);
                    respCt = CT_pkix_crl;
                    respBytes = crl.getEncoded();
                    break;
                }
            default:
                {
                    String message = "invalid command '" + command + "'";
                    LOG.error(message);
                    throw new HttpRespAuditException(NOT_FOUND, message, INFO, FAILED);
                }
        }
        Map<String, String> headers = new HashMap<>();
        headers.put(HEADER_PKISTATUS, PKISTATUS_accepted);
        return new RestResponse(OK, respCt, headers, respBytes);
    } catch (OperationException ex) {
        ErrorCode code = ex.getErrorCode();
        if (LOG.isWarnEnabled()) {
            String msg = StringUtil.concat("generate certificate, OperationException: code=", code.name(), ", message=", ex.getErrorMessage());
            LogUtil.warn(LOG, ex, msg);
        }
        int sc;
        String failureInfo;
        switch(code) {
            case ALREADY_ISSUED:
                sc = BAD_REQUEST;
                failureInfo = FAILINFO_badRequest;
                break;
            case BAD_CERT_TEMPLATE:
                sc = BAD_REQUEST;
                failureInfo = FAILINFO_badCertTemplate;
                break;
            case BAD_REQUEST:
                sc = BAD_REQUEST;
                failureInfo = FAILINFO_badRequest;
                break;
            case CERT_REVOKED:
                sc = CONFLICT;
                failureInfo = FAILINFO_certRevoked;
                break;
            case CRL_FAILURE:
                sc = INTERNAL_SERVER_ERROR;
                failureInfo = FAILINFO_systemFailure;
                break;
            case DATABASE_FAILURE:
                sc = INTERNAL_SERVER_ERROR;
                failureInfo = FAILINFO_systemFailure;
                break;
            case NOT_PERMITTED:
                sc = UNAUTHORIZED;
                failureInfo = FAILINFO_notAuthorized;
                break;
            case INVALID_EXTENSION:
                sc = BAD_REQUEST;
                failureInfo = FAILINFO_badRequest;
                break;
            case SYSTEM_FAILURE:
                sc = INTERNAL_SERVER_ERROR;
                failureInfo = FAILINFO_systemFailure;
                break;
            case SYSTEM_UNAVAILABLE:
                sc = SERVICE_UNAVAILABLE;
                failureInfo = FAILINFO_systemUnavail;
                break;
            case UNKNOWN_CERT:
                sc = BAD_REQUEST;
                failureInfo = FAILINFO_badCertId;
                break;
            case UNKNOWN_CERT_PROFILE:
                sc = BAD_REQUEST;
                failureInfo = FAILINFO_badCertTemplate;
                break;
            default:
                sc = INTERNAL_SERVER_ERROR;
                failureInfo = FAILINFO_systemFailure;
                break;
        }
        // end switch (code)
        event.setStatus(AuditStatus.FAILED);
        event.addEventData(NAME_message, code.name());
        switch(code) {
            case DATABASE_FAILURE:
            case SYSTEM_FAILURE:
                auditMessage = code.name();
                break;
            default:
                auditMessage = code.name() + ": " + ex.getErrorMessage();
                break;
        }
        // end switch code
        Map<String, String> headers = new HashMap<>();
        headers.put(HEADER_PKISTATUS, PKISTATUS_rejection);
        if (StringUtil.isNotBlank(failureInfo)) {
            headers.put(HEADER_failInfo, failureInfo);
        }
        return new RestResponse(sc, null, headers, null);
    } catch (HttpRespAuditException ex) {
        auditStatus = ex.getAuditStatus();
        auditLevel = ex.getAuditLevel();
        auditMessage = ex.getAuditMessage();
        return new RestResponse(ex.getHttpStatus(), null, null, null);
    } catch (Throwable th) {
        if (th instanceof EOFException) {
            LogUtil.warn(LOG, th, "connection reset by peer");
        } else {
            LOG.error("Throwable thrown, this should not happen!", th);
        }
        auditLevel = AuditLevel.ERROR;
        auditStatus = AuditStatus.FAILED;
        auditMessage = "internal error";
        return new RestResponse(INTERNAL_SERVER_ERROR, null, null, null);
    } finally {
        event.setStatus(auditStatus);
        event.setLevel(auditLevel);
        if (auditMessage != null) {
            event.addEventData(NAME_message, auditMessage);
        }
    }
}
Also used : CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) X500Name(org.bouncycastle.asn1.x500.X500Name) Extensions(org.bouncycastle.asn1.x509.Extensions) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) X509Cert(org.xipki.security.X509Cert) EOFException(java.io.EOFException) CrlReason(org.xipki.security.CrlReason) CmpResponder(org.xipki.ca.server.cmp.CmpResponder) AuditLevel(org.xipki.audit.AuditLevel) EOFException(java.io.EOFException) AuditStatus(org.xipki.audit.AuditStatus) ByteArrayInputStream(java.io.ByteArrayInputStream) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode) RequestorInfo(org.xipki.ca.api.mgmt.RequestorInfo) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) PopControl(org.xipki.ca.api.mgmt.PopControl)

Example 2 with CmpResponder

use of org.xipki.ca.server.cmp.CmpResponder in project xipki by xipki.

the class HealthCheckServlet method doGet.

@Override
protected void doGet(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {
    resp.setHeader("Access-Control-Allow-Origin", "*");
    try {
        String caName = null;
        CmpResponder responder = null;
        String path = (String) req.getAttribute(HttpConstants.ATTR_XIPKI_PATH);
        if (path.length() > 1) {
            // skip the first char which is always '/'
            String caAlias = path.substring(1);
            caName = responderManager.getCaNameForAlias(caAlias);
            if (caName == null) {
                caName = caAlias.toLowerCase();
            }
            responder = responderManager.getX509CaResponder(caName);
        }
        if (caName == null || responder == null || !responder.isOnService()) {
            String auditMessage;
            if (caName == null) {
                auditMessage = "no CA is specified";
            } else if (responder == null) {
                auditMessage = "unknown CA '" + caName + "'";
            } else {
                auditMessage = "CA '" + caName + "' is out of service";
            }
            LOG.warn(auditMessage);
            sendError(resp, HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        HealthCheckResult healthResult = responder.healthCheck();
        int status = healthResult.isHealthy() ? HttpServletResponse.SC_OK : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        byte[] respBytes = JSON.toJSONBytes(healthResult);
        resp.setStatus(status);
        resp.setContentLength(respBytes.length);
        resp.setContentType(CT_RESPONSE);
        resp.getOutputStream().write(respBytes);
    } catch (Throwable th) {
        if (th instanceof EOFException) {
            LogUtil.warn(LOG, th, "connection reset by peer");
        } else {
            LOG.error("Throwable thrown, this should not happen!", th);
        }
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    } finally {
        resp.flushBuffer();
    }
}
Also used : CmpResponder(org.xipki.ca.server.cmp.CmpResponder) EOFException(java.io.EOFException) HealthCheckResult(org.xipki.util.HealthCheckResult)

Example 3 with CmpResponder

use of org.xipki.ca.server.cmp.CmpResponder in project xipki by xipki.

the class HttpCmpServlet method doPost.

@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    X509Cert clientCert = TlsHelper.getTlsClientCert(req);
    AuditService auditService = Audits.getAuditService();
    AuditEvent event = new AuditEvent(new Date());
    event.setApplicationName(CaAuditConstants.APPNAME);
    event.setName(CaAuditConstants.NAME_perf);
    event.addEventData(CaAuditConstants.NAME_req_type, RequestType.CMP.name());
    try {
        String reqContentType = req.getHeader("Content-Type");
        if (!CT_REQUEST.equalsIgnoreCase(reqContentType)) {
            String message = "unsupported media type " + reqContentType;
            throw new HttpRespAuditException(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, AuditLevel.INFO, AuditStatus.FAILED);
        }
        String caName = null;
        CmpResponder responder = null;
        String path = (String) req.getAttribute(HttpConstants.ATTR_XIPKI_PATH);
        if (path.length() > 1) {
            // skip the first char which is always '/'
            String caAlias = path.substring(1);
            caName = responderManager.getCaNameForAlias(caAlias);
            if (caName == null) {
                caName = caAlias.toLowerCase();
            }
            responder = responderManager.getX509CaResponder(caName);
        }
        if (caName == null || responder == null || !responder.isOnService()) {
            String message;
            if (caName == null) {
                message = "no CA is specified";
            } else if (responder == null) {
                message = "unknown CA '" + caName + "'";
            } else {
                message = "CA '" + caName + "' is out of service";
            }
            LOG.warn(message);
            throw new HttpRespAuditException(HttpServletResponse.SC_NOT_FOUND, message, AuditLevel.INFO, AuditStatus.FAILED);
        }
        event.addEventData(CaAuditConstants.NAME_ca, responder.getCaName());
        byte[] reqContent = IoUtil.read(req.getInputStream());
        PKIMessage pkiReq;
        try {
            pkiReq = PKIMessage.getInstance(reqContent);
        } catch (Exception ex) {
            LogUtil.error(LOG, ex, "could not parse the request (PKIMessage)");
            throw new HttpRespAuditException(HttpServletResponse.SC_BAD_REQUEST, "bad request", AuditLevel.INFO, AuditStatus.FAILED);
        }
        Map<String, String[]> map = req.getParameterMap();
        Map<String, String> parameters = new HashMap<>();
        for (Entry<String, String[]> entry : map.entrySet()) {
            parameters.put(entry.getKey(), entry.getValue()[0]);
        }
        PKIMessage pkiResp = responder.processPkiMessage(pkiReq, clientCert, parameters, event);
        byte[] encodedPkiResp = pkiResp.getEncoded();
        if (logReqResp && LOG.isDebugEnabled()) {
            LOG.debug("HTTP POST CA CMP path: {}\nRequest:\n{}\nResponse:\n{}", req.getRequestURI(), Base64.encodeToString(reqContent, true), Base64.encodeToString(encodedPkiResp, true));
        }
        resp.setContentType(CT_RESPONSE);
        resp.setContentLength(encodedPkiResp.length);
        resp.getOutputStream().write(encodedPkiResp);
    } catch (Throwable th) {
        AuditLevel auditLevel;
        AuditStatus auditStatus;
        String auditMessage;
        if (th instanceof HttpRespAuditException) {
            HttpRespAuditException hae = (HttpRespAuditException) th;
            auditStatus = hae.getAuditStatus();
            auditLevel = hae.getAuditLevel();
            auditMessage = hae.getAuditMessage();
        } else {
            auditLevel = AuditLevel.ERROR;
            auditStatus = AuditStatus.FAILED;
            auditMessage = "internal error";
            if (th instanceof EOFException) {
                LogUtil.warn(LOG, th, "connection reset by peer");
            } else {
                LOG.error("Throwable thrown, this should not happen!", th);
            }
        }
        event.setStatus(auditStatus);
        event.setLevel(auditLevel);
        if (auditMessage != null) {
            event.addEventData(CaAuditConstants.NAME_message, auditMessage);
        }
        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    } finally {
        resp.flushBuffer();
        event.finish();
        auditService.logEvent(event);
    }
}
Also used : PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) CmpResponder(org.xipki.ca.server.cmp.CmpResponder) HashMap(java.util.HashMap) Date(java.util.Date) ServletException(javax.servlet.ServletException) IOException(java.io.IOException) EOFException(java.io.EOFException) X509Cert(org.xipki.security.X509Cert) EOFException(java.io.EOFException)

Example 4 with CmpResponder

use of org.xipki.ca.server.cmp.CmpResponder in project xipki by xipki.

the class Ca2Manager method startCa.

// method restartCa
boolean startCa(String caName) {
    CaInfo caEntry = manager.caInfos.get(caName);
    CtlogControl ctlogControl = caEntry.getCtlogControl();
    CtLogClient ctlogClient = null;
    if (ctlogControl != null && ctlogControl.isEnabled()) {
        String name = ctlogControl.getSslContextName();
        SslContextConf ctxConf;
        if (name == null) {
            ctxConf = null;
        } else {
            ctxConf = manager.caServerConf.getSslContextConf(name);
            if (ctxConf == null) {
                LOG.error(concat("getSslContextConf (ca=", caName, "): found no SslContext named " + name));
                return false;
            }
        }
        ctlogClient = new CtLogClient(ctlogControl.getServers(), ctxConf);
    }
    X509Ca ca;
    try {
        ca = new X509Ca(manager, caEntry, manager.certstore, ctlogClient);
    } catch (OperationException ex) {
        LogUtil.error(LOG, ex, concat("X509CA.<init> (ca=", caName, ")"));
        return false;
    }
    manager.x509cas.put(caName, ca);
    CmpResponder caResponder;
    try {
        caResponder = new CmpResponder(manager, caName);
    } catch (NoSuchAlgorithmException ex) {
        LogUtil.error(LOG, ex, concat("CmpResponder.<init> (ca=", caName, ")"));
        return false;
    }
    manager.cmpResponders.put(caName, caResponder);
    if (caEntry.getScepResponderName() != null) {
        try {
            manager.scepResponders.put(caName, new ScepResponder(manager, caEntry.getCaEntry()));
        } catch (CaMgmtException ex) {
            LogUtil.error(LOG, ex, concat("ScepResponder.<init> (ca=", caName, ")"));
            return false;
        }
    }
    return true;
}
Also used : SslContextConf(org.xipki.util.http.SslContextConf) CmpResponder(org.xipki.ca.server.cmp.CmpResponder) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) OperationException(org.xipki.ca.api.OperationException)

Aggregations

CmpResponder (org.xipki.ca.server.cmp.CmpResponder)4 EOFException (java.io.EOFException)3 X509Cert (org.xipki.security.X509Cert)2 ByteArrayInputStream (java.io.ByteArrayInputStream)1 IOException (java.io.IOException)1 BigInteger (java.math.BigInteger)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 Date (java.util.Date)1 HashMap (java.util.HashMap)1 ServletException (javax.servlet.ServletException)1 PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)1 CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)1 CertificationRequestInfo (org.bouncycastle.asn1.pkcs.CertificationRequestInfo)1 X500Name (org.bouncycastle.asn1.x500.X500Name)1 Extensions (org.bouncycastle.asn1.x509.Extensions)1 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)1 X509CRLHolder (org.bouncycastle.cert.X509CRLHolder)1 AuditLevel (org.xipki.audit.AuditLevel)1 AuditStatus (org.xipki.audit.AuditStatus)1 OperationException (org.xipki.ca.api.OperationException)1