Example 6 with X509Ca
use of org.xipki.ca.server.impl.X509Ca in project xipki by xipki.
the class X509CaCmpResponderImpl method confirmCertificates.
private PKIBody confirmCertificates(ASN1OctetString transactionId, CertConfirmContent certConf, String msgId) {
CertStatus[] certStatuses = certConf.toCertStatusArray();
boolean successful = true;
for (CertStatus certStatus : certStatuses) {
ASN1Integer certReqId = certStatus.getCertReqId();
byte[] certHash = certStatus.getCertHash().getOctets();
X509CertificateInfo certInfo = pendingCertPool.removeCertificate(transactionId.getOctets(), certReqId.getPositiveValue(), certHash);
if (certInfo == null) {
if (LOG.isWarnEnabled()) {
LOG.warn("no cert under transactionId={}, certReqId={} and certHash=0X{}", transactionId, certReqId.getPositiveValue(), Hex.encode(certHash));
}
continue;
}
PKIStatusInfo statusInfo = certStatus.getStatusInfo();
boolean accept = true;
if (statusInfo != null) {
int status = statusInfo.getStatus().intValue();
if (PKIStatus.GRANTED != status && PKIStatus.GRANTED_WITH_MODS != status) {
accept = false;
}
}
if (accept) {
continue;
}
BigInteger serialNumber = certInfo.getCert().getCert().getSerialNumber();
X509Ca ca = getCa();
try {
ca.revokeCertificate(serialNumber, CrlReason.CESSATION_OF_OPERATION, new Date(), msgId);
} catch (OperationException ex) {
LogUtil.warn(LOG, ex, "could not revoke certificate ca=" + ca.getCaInfo().getIdent() + " serialNumber=" + LogUtil.formatCsn(serialNumber));
}
successful = false;
}
// all other certificates should be revoked
if (revokePendingCertificates(transactionId, msgId)) {
successful = false;
}
if (successful) {
return new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
}
ErrorMsgContent emc = new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection, null, new PKIFailureInfo(PKIFailureInfo.systemFailure)));
return new PKIBody(PKIBody.TYPE_ERROR, emc);
}
Also used :
PKIBody(org.bouncycastle.asn1.cmp.PKIBody)
PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo)
X509Ca(org.xipki.ca.server.impl.X509Ca)
X509CertificateInfo(org.xipki.ca.api.publisher.x509.X509CertificateInfo)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
Date(java.util.Date)
PKIFailureInfo(org.bouncycastle.asn1.cmp.PKIFailureInfo)
CertStatus(org.bouncycastle.asn1.cmp.CertStatus)
BigInteger(java.math.BigInteger)
ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent)
OperationException(org.xipki.ca.api.OperationException)
Example 7 with X509Ca
use of org.xipki.ca.server.impl.X509Ca in project xipki by xipki.
the class ScepImpl method refreshCa.
private void refreshCa() throws OperationException {
try {
X509Ca ca = caManager.getX509Ca(caIdent);
X509Cert currentCaCert = ca.getCaInfo().getCert();
if (currentCaCert.equals(caCert)) {
return;
}
caCert = currentCaCert;
caCertRespBytes = new ScepCaCertRespBytes(currentCaCert.getCert(), responderCert);
} catch (CaMgmtException | CertificateException | CMSException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex.getMessage());
}
}
Also used :
ScepCaCertRespBytes(org.xipki.ca.server.api.ScepCaCertRespBytes)
CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException)
X509Cert(org.xipki.security.X509Cert)
X509Ca(org.xipki.ca.server.impl.X509Ca)
CertificateException(java.security.cert.CertificateException)
OperationException(org.xipki.ca.api.OperationException)
CMSException(org.bouncycastle.cms.CMSException)
Example 8 with X509Ca
use of org.xipki.ca.server.impl.X509Ca in project xipki by xipki.
the class X509CaCmpResponderImpl method unRevokeRemoveCertificates.
private PKIBody unRevokeRemoveCertificates(PKIMessage request, RevReqContent rr, int permission, CmpControl cmpControl, String msgId) {
RevDetails[] revContent = rr.toRevDetailsArray();
RevRepContentBuilder repContentBuilder = new RevRepContentBuilder();
final int n = revContent.length;
// test the request
for (int i = 0; i < n; i++) {
RevDetails revDetails = revContent[i];
CertTemplate certDetails = revDetails.getCertDetails();
X500Name issuer = certDetails.getIssuer();
ASN1Integer serialNumber = certDetails.getSerialNumber();
try {
X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
if (issuer == null) {
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present");
}
if (!issuer.equals(caSubject)) {
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
}
if (serialNumber == null) {
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present");
}
if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null) {
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are " + "allowed, but more is specified");
}
if (certDetails.getExtensions() == null) {
if (cmpControl.isRrAkiRequired()) {
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
}
} else {
Extensions exts = certDetails.getExtensions();
ASN1ObjectIdentifier[] oids = exts.getCriticalExtensionOIDs();
if (oids != null) {
for (ASN1ObjectIdentifier oid : oids) {
if (!Extension.authorityKeyIdentifier.equals(oid)) {
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "unknown critical extension " + oid.getId());
}
}
}
Extension ext = exts.getExtension(Extension.authorityKeyIdentifier);
if (ext == null) {
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
} else {
AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(ext.getParsedValue());
if (aki.getKeyIdentifier() == null) {
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present");
}
boolean issuerMatched = true;
byte[] caSki = getCa().getCaInfo().getCert().getSubjectKeyIdentifier();
if (!Arrays.equals(caSki, aki.getKeyIdentifier())) {
issuerMatched = false;
}
if (issuerMatched && aki.getAuthorityCertSerialNumber() != null) {
BigInteger caSerial = getCa().getCaInfo().getSerialNumber();
if (!caSerial.equals(aki.getAuthorityCertSerialNumber())) {
issuerMatched = false;
}
}
if (issuerMatched && aki.getAuthorityCertIssuer() != null) {
GeneralName[] names = aki.getAuthorityCertIssuer().getNames();
for (GeneralName name : names) {
if (name.getTagNo() != GeneralName.directoryName) {
issuerMatched = false;
break;
}
if (!caSubject.equals(name.getName())) {
issuerMatched = false;
break;
}
}
}
if (!issuerMatched) {
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA");
}
}
}
} catch (IllegalArgumentException ex) {
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is not invalid");
}
}
// end for
byte[] encodedRequest = null;
if (getCa().getCaInfo().isSaveRequest()) {
try {
encodedRequest = request.getEncoded();
} catch (IOException ex) {
LOG.warn("could not encode request");
}
}
Long reqDbId = null;
for (int i = 0; i < n; i++) {
RevDetails revDetails = revContent[i];
CertTemplate certDetails = revDetails.getCertDetails();
ASN1Integer serialNumber = certDetails.getSerialNumber();
// serialNumber is not null due to the check in the previous for-block.
X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name();
BigInteger snBigInt = serialNumber.getPositiveValue();
CertId certId = new CertId(new GeneralName(caSubject), serialNumber);
PKIStatusInfo status;
try {
Object returnedObj = null;
Long certDbId = null;
X509Ca ca = getCa();
if (PermissionConstants.UNREVOKE_CERT == permission) {
// unrevoke
returnedObj = ca.unrevokeCertificate(snBigInt, msgId);
if (returnedObj != null) {
certDbId = ((X509CertWithDbId) returnedObj).getCertId();
}
} else if (PermissionConstants.REMOVE_CERT == permission) {
// remove
returnedObj = ca.removeCertificate(snBigInt, msgId);
} else {
// revoke
Date invalidityDate = null;
CrlReason reason = null;
Extensions crlDetails = revDetails.getCrlEntryDetails();
if (crlDetails != null) {
ASN1ObjectIdentifier extId = Extension.reasonCode;
ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId);
if (extValue != null) {
int reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue();
reason = CrlReason.forReasonCode(reasonCode);
}
extId = Extension.invalidityDate;
extValue = crlDetails.getExtensionParsedValue(extId);
if (extValue != null) {
try {
invalidityDate = ASN1GeneralizedTime.getInstance(extValue).getDate();
} catch (ParseException ex) {
throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + extId.getId());
}
}
}
if (reason == null) {
reason = CrlReason.UNSPECIFIED;
}
returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate, msgId);
if (returnedObj != null) {
certDbId = ((X509CertWithRevocationInfo) returnedObj).getCert().getCertId();
}
}
if (returnedObj == null) {
throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
}
if (certDbId != null && ca.getCaInfo().isSaveRequest()) {
if (reqDbId == null) {
reqDbId = ca.addRequest(encodedRequest);
}
ca.addRequestCert(reqDbId, certDbId);
}
status = new PKIStatusInfo(PKIStatus.granted);
} catch (OperationException ex) {
ErrorCode code = ex.getErrorCode();
LOG.warn("{}, OperationException: code={}, message={}", PermissionConstants.getTextForCode(permission), code.name(), ex.getErrorMessage());
String errorMessage;
switch(code) {
case DATABASE_FAILURE:
case SYSTEM_FAILURE:
errorMessage = code.name();
break;
default:
errorMessage = code.name() + ": " + ex.getErrorMessage();
break;
}
// end switch code
int failureInfo = getPKiFailureInfo(ex);
status = generateRejectionStatus(failureInfo, errorMessage);
}
// end try
repContentBuilder.add(status, certId);
}
return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build());
}
Also used :
PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo)
X509Ca(org.xipki.ca.server.impl.X509Ca)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
X500Name(org.bouncycastle.asn1.x500.X500Name)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
Extensions(org.bouncycastle.asn1.x509.Extensions)
CertTemplate(org.bouncycastle.asn1.crmf.CertTemplate)
CrlReason(org.xipki.security.CrlReason)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
RevDetails(org.bouncycastle.asn1.cmp.RevDetails)
OperationException(org.xipki.ca.api.OperationException)
PKIBody(org.bouncycastle.asn1.cmp.PKIBody)
RevRepContentBuilder(org.bouncycastle.asn1.cmp.RevRepContentBuilder)
CertId(org.bouncycastle.asn1.crmf.CertId)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
IOException(java.io.IOException)
Date(java.util.Date)
Extension(org.bouncycastle.asn1.x509.Extension)
BigInteger(java.math.BigInteger)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ParseException(java.text.ParseException)
ErrorCode(org.xipki.ca.api.OperationException.ErrorCode)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 9 with X509Ca
use of org.xipki.ca.server.impl.X509Ca in project xipki by xipki.
the class X509CaCmpResponderImpl method removeCert.
public void removeCert(CmpRequestorInfo requestor, BigInteger serialNumber, RequestType reqType, String msgId) throws OperationException {
ParamUtil.requireNonNull("requestor", requestor);
try {
checkPermission(requestor, PermissionConstants.REMOVE_CERT);
} catch (InsuffientPermissionException ex) {
throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
}
X509Ca ca = getCa();
X509CertWithDbId returnedObj = ca.removeCertificate(serialNumber, msgId);
if (returnedObj == null) {
throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
}
}
Also used :
X509Ca(org.xipki.ca.server.impl.X509Ca)
InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException)
X509CertWithDbId(org.xipki.ca.api.X509CertWithDbId)
OperationException(org.xipki.ca.api.OperationException)
Example 10 with X509Ca
use of org.xipki.ca.server.impl.X509Ca in project xipki by xipki.
the class X509CaCmpResponderImpl method revokePendingCertificates.
// method confirmCertificates
private boolean revokePendingCertificates(ASN1OctetString transactionId, String msgId) {
Set<X509CertificateInfo> remainingCerts = pendingCertPool.removeCertificates(transactionId.getOctets());
if (CollectionUtil.isEmpty(remainingCerts)) {
return true;
}
boolean successful = true;
Date invalidityDate = new Date();
X509Ca ca = getCa();
for (X509CertificateInfo remainingCert : remainingCerts) {
try {
ca.revokeCertificate(remainingCert.getCert().getCert().getSerialNumber(), CrlReason.CESSATION_OF_OPERATION, invalidityDate, msgId);
} catch (OperationException ex) {
successful = false;
}
}
return successful;
}
Also used :
X509Ca(org.xipki.ca.server.impl.X509Ca)
X509CertificateInfo(org.xipki.ca.api.publisher.x509.X509CertificateInfo)
Date(java.util.Date)
OperationException(org.xipki.ca.api.OperationException)
Aggregations
X509Ca (org.xipki.ca.server.impl.X509Ca)15
OperationException (org.xipki.ca.api.OperationException)13
InsuffientPermissionException (org.xipki.ca.api.InsuffientPermissionException)7
Date (java.util.Date)6
ASN1Integer (org.bouncycastle.asn1.ASN1Integer)6
BigInteger (java.math.BigInteger)5
X509CertificateInfo (org.xipki.ca.api.publisher.x509.X509CertificateInfo)5
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)4
DERUTF8String (org.bouncycastle.asn1.DERUTF8String)4
PKIBody (org.bouncycastle.asn1.cmp.PKIBody)4
X500Name (org.bouncycastle.asn1.x500.X500Name)4
Extensions (org.bouncycastle.asn1.x509.Extensions)4
CertTemplateData (org.xipki.ca.server.impl.CertTemplateData)4
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)3
CertificationRequestInfo (org.bouncycastle.asn1.pkcs.CertificationRequestInfo)3
ErrorCode (org.xipki.ca.api.OperationException.ErrorCode)3
CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)3
IOException (java.io.IOException)2
CRLException (java.security.cert.CRLException)2
X509CRL (java.security.cert.X509CRL)2
