Search in sources :

Example 81 with CaMgmtException

use of org.xipki.ca.server.mgmt.api.CaMgmtException in project xipki by xipki.

the class CaManagerImpl method unrevokeCertificate.

// method revokeCertificate
@Override
public void unrevokeCertificate(String caName, BigInteger serialNumber) throws CaMgmtException {
    caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    ParamUtil.requireNonNull("serialNumber", serialNumber);
    X509Ca ca = getX509Ca(caName);
    try {
        if (ca.unrevokeCertificate(serialNumber, CaAuditConstants.MSGID_ca_mgmt) == null) {
            throw new CaMgmtException("could not unrevoke non-existing certificate");
        }
    } catch (OperationException ex) {
        throw new CaMgmtException(ex.getMessage(), ex);
    }
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) OperationException(org.xipki.ca.api.OperationException)

Example 82 with CaMgmtException

use of org.xipki.ca.server.mgmt.api.CaMgmtException in project xipki by xipki.

the class CaManagerImpl method exportConf.

@Override
public void exportConf(String zipFilename, List<String> caNames) throws CaMgmtException, IOException {
    ParamUtil.requireNonBlank("zipFilename", zipFilename);
    if (!caSystemSetuped) {
        throw new CaMgmtException("CA system is not initialized yet.");
    }
    zipFilename = IoUtil.expandFilepath(zipFilename);
    if (caNames != null) {
        List<String> tmpCaNames = new ArrayList<>(caNames.size());
        for (String name : caNames) {
            name = name.toLowerCase();
            if (x509cas.containsKey(name)) {
                tmpCaNames.add(name);
            }
        }
        caNames = tmpCaNames;
    } else {
        List<String> tmpCaNames = new ArrayList<>(x509cas.size());
        for (String name : x509cas.keySet()) {
            tmpCaNames.add(name);
        }
        caNames = tmpCaNames;
    }
    File zipFile = new File(zipFilename);
    if (zipFile.exists()) {
        throw new IOException(concat("File ", zipFilename, " exists."));
    }
    File parentFile = zipFile.getParentFile();
    if (parentFile != null && !parentFile.exists()) {
        parentFile.mkdirs();
    }
    CAConfType root = new CAConfType();
    root.setVersion(1);
    ZipOutputStream zipStream = getZipOutputStream(zipFile);
    try {
        Set<String> includeCmpControlNames = new HashSet<>();
        Set<String> includeResponderNames = new HashSet<>();
        Set<String> includeRequestorNames = new HashSet<>();
        Set<String> includeProfileNames = new HashSet<>();
        Set<String> includePublisherNames = new HashSet<>();
        Set<String> includeCrlSignerNames = new HashSet<>();
        Set<String> includeUserNames = new HashSet<>();
        // users
        root.setUsers(new CAConfType.Users());
        List<UserType> users = root.getUsers().getUser();
        // cas
        if (CollectionUtil.isNonEmpty(caNames)) {
            List<CaType> list = new LinkedList<>();
            for (String name : x509cas.keySet()) {
                if (!caNames.contains(name)) {
                    continue;
                }
                CaType jaxb = new CaType();
                jaxb.setName(name);
                Set<String> strs = getAliasesForCa(name);
                if (CollectionUtil.isNonEmpty(strs)) {
                    jaxb.setAliases(createStrings(strs));
                }
                strs = caHasProfiles.get(name);
                if (CollectionUtil.isNonEmpty(strs)) {
                    includeProfileNames.addAll(strs);
                    jaxb.setProfiles(createStrings(strs));
                }
                strs = caHasPublishers.get(name);
                if (CollectionUtil.isNonEmpty(strs)) {
                    includePublisherNames.addAll(strs);
                    jaxb.setPublishers(createStrings(strs));
                }
                // CaHasRequestors
                Set<CaHasRequestorEntry> requestors = caHasRequestors.get(name);
                if (CollectionUtil.isNonEmpty(requestors)) {
                    jaxb.setRequestors(new CaType.Requestors());
                    for (CaHasRequestorEntry m : requestors) {
                        String requestorName = m.getRequestorIdent().getName();
                        includeRequestorNames.add(requestorName);
                        CaHasRequestorType jaxb2 = new CaHasRequestorType();
                        jaxb2.setRequestorName(requestorName);
                        jaxb2.setRa(m.isRa());
                        jaxb2.setProfiles(createStrings(m.getProfiles()));
                        jaxb2.setPermission(m.getPermission());
                        jaxb.getRequestors().getRequestor().add(jaxb2);
                    }
                }
                // CaHasUsers
                List<CaHasUserEntry> caHasUsers = queryExecutor.getCaHasUsersForCa(name, idNameMap);
                if (CollectionUtil.isNonEmpty(caHasUsers)) {
                    jaxb.setUsers(new CaType.Users());
                    List<CaHasUserType> list2 = jaxb.getUsers().getUser();
                    for (CaHasUserEntry m : caHasUsers) {
                        String username = m.getUserIdent().getName();
                        CaHasUserType jaxb2 = new CaHasUserType();
                        jaxb2.setUserName(username);
                        jaxb2.setPermission(m.getPermission());
                        jaxb2.setProfiles(createStrings(m.getProfiles()));
                        list2.add(jaxb2);
                        if (includeUserNames.contains(username)) {
                            continue;
                        }
                        // add also the user to the users
                        UserEntry userEntry = queryExecutor.getUser(username);
                        UserType jaxb3 = new UserType();
                        if (!userEntry.isActive()) {
                            jaxb3.setActive(Boolean.FALSE);
                        }
                        jaxb3.setName(username);
                        jaxb3.setHashedPassword(userEntry.getHashedPassword());
                        users.add(jaxb3);
                        includeUserNames.add(username);
                    }
                }
                X509CaEntry entry = x509cas.get(name).getCaInfo().getCaEntry();
                X509CaInfoType ciJaxb = new X509CaInfoType();
                ciJaxb.setCacertUris(createStrings(entry.getCaCertUris()));
                byte[] certBytes;
                try {
                    certBytes = entry.getCert().getEncoded();
                } catch (CertificateEncodingException ex) {
                    throw new CaMgmtException(concat("could not encode CA certificate ", name));
                }
                ciJaxb.setCert(createFileOrBinary(zipStream, certBytes, concat("files/ca-", name, "-cert.der")));
                if (entry.getCmpControlName() != null) {
                    includeCmpControlNames.add(entry.getCmpControlName());
                    ciJaxb.setCmpcontrolName(entry.getCmpControlName());
                }
                if (entry.getCrlSignerName() != null) {
                    includeCrlSignerNames.add(entry.getCrlSignerName());
                    ciJaxb.setCrlsignerName(entry.getCrlSignerName());
                }
                ciJaxb.setCrlUris(createStrings(entry.getCrlUris()));
                ciJaxb.setDeltacrlUris(createStrings(entry.getDeltaCrlUris()));
                ciJaxb.setDuplicateKey(entry.isDuplicateKeyPermitted());
                ciJaxb.setDuplicateSubject(entry.isDuplicateSubjectPermitted());
                ciJaxb.setExpirationPeriod(entry.getExpirationPeriod());
                if (entry.getExtraControl() != null) {
                    ciJaxb.setExtraControl(createFileOrValue(zipStream, entry.getExtraControl().getEncoded(), concat("files/ca-", name, "-extracontrol.conf")));
                }
                ciJaxb.setKeepExpiredCertDays(entry.getKeepExpiredCertInDays());
                ciJaxb.setMaxValidity(entry.getMaxValidity().toString());
                ciJaxb.setNextCrlNo(entry.getNextCrlNumber());
                ciJaxb.setNumCrls(entry.getNumCrls());
                ciJaxb.setOcspUris(createStrings(entry.getOcspUris()));
                ciJaxb.setPermission(entry.getPermission());
                if (entry.getResponderName() != null) {
                    includeResponderNames.add(entry.getResponderName());
                    ciJaxb.setResponderName(entry.getResponderName());
                }
                ciJaxb.setSaveReq(entry.isSaveRequest());
                ciJaxb.setSignerConf(createFileOrValue(zipStream, entry.getSignerConf(), concat("files/ca-", name, "-signerconf.conf")));
                ciJaxb.setSignerType(entry.getSignerType());
                ciJaxb.setSnSize(entry.getSerialNoBitLen());
                ciJaxb.setStatus(entry.getStatus().getStatus());
                ciJaxb.setValidityMode(entry.getValidityMode().name());
                jaxb.setCaInfo(new CaType.CaInfo());
                jaxb.getCaInfo().setX509Ca(ciJaxb);
                list.add(jaxb);
            }
            if (!list.isEmpty()) {
                root.setCas(new CAConfType.Cas());
                root.getCas().getCa().addAll(list);
            }
        }
        // clear the users if the list is empty
        if (users.isEmpty()) {
            root.setUsers(null);
        }
        // cmp controls
        if (CollectionUtil.isNonEmpty(cmpControlDbEntries)) {
            List<CmpcontrolType> list = new LinkedList<>();
            for (String name : cmpControlDbEntries.keySet()) {
                if (!includeCmpControlNames.contains(name)) {
                    continue;
                }
                CmpcontrolType jaxb = new CmpcontrolType();
                CmpControlEntry entry = cmpControlDbEntries.get(name);
                jaxb.setName(name);
                jaxb.setConf(createFileOrValue(zipStream, entry.getConf(), concat("files/cmpcontrol-", name, ".conf")));
                list.add(jaxb);
            }
            if (!list.isEmpty()) {
                root.setCmpcontrols(new CAConfType.Cmpcontrols());
                root.getCmpcontrols().getCmpcontrol().addAll(list);
            }
        }
        // environments
        Set<String> names = envParameterResolver.allParameterNames();
        if (CollectionUtil.isNonEmpty(names)) {
            List<NameValueType> list = new LinkedList<>();
            for (String name : names) {
                if (ENV_EPOCH.equalsIgnoreCase(name)) {
                    continue;
                }
                NameValueType jaxb = new NameValueType();
                jaxb.setName(name);
                jaxb.setValue(envParameterResolver.getParameter(name));
                list.add(jaxb);
            }
            if (!list.isEmpty()) {
                root.setEnvironments(new CAConfType.Environments());
                root.getEnvironments().getEnvironment().addAll(list);
            }
        }
        // crlsigners
        if (CollectionUtil.isNonEmpty(crlSignerDbEntries)) {
            List<CrlsignerType> list = new LinkedList<>();
            for (String name : crlSignerDbEntries.keySet()) {
                if (!includeCrlSignerNames.contains(name)) {
                    continue;
                }
                X509CrlSignerEntry entry = crlSignerDbEntries.get(name);
                CrlsignerType jaxb = new CrlsignerType();
                jaxb.setName(name);
                jaxb.setSignerType(entry.getType());
                jaxb.setSignerConf(createFileOrValue(zipStream, entry.getConf(), concat("files/crlsigner-", name, ".conf")));
                jaxb.setSignerCert(createFileOrBase64Value(zipStream, entry.getBase64Cert(), concat("files/crlsigner-", name, ".der")));
                jaxb.setCrlControl(entry.crlControl());
                list.add(jaxb);
            }
            if (!list.isEmpty()) {
                root.setCrlsigners(new CAConfType.Crlsigners());
                root.getCrlsigners().getCrlsigner().addAll(list);
            }
        }
        // requestors
        if (CollectionUtil.isNonEmpty(requestorDbEntries)) {
            List<RequestorType> list = new LinkedList<>();
            for (String name : requestorDbEntries.keySet()) {
                if (!includeRequestorNames.contains(name)) {
                    continue;
                }
                RequestorEntry entry = requestorDbEntries.get(name);
                RequestorType jaxb = new RequestorType();
                jaxb.setName(name);
                jaxb.setCert(createFileOrBase64Value(zipStream, entry.getBase64Cert(), concat("files/requestor-", name, ".der")));
                list.add(jaxb);
            }
            if (!list.isEmpty()) {
                root.setRequestors(new CAConfType.Requestors());
                root.getRequestors().getRequestor().addAll(list);
            }
        }
        // publishers
        if (CollectionUtil.isNonEmpty(publisherDbEntries)) {
            List<PublisherType> list = new LinkedList<>();
            for (String name : publisherDbEntries.keySet()) {
                if (!includePublisherNames.contains(name)) {
                    continue;
                }
                PublisherEntry entry = publisherDbEntries.get(name);
                PublisherType jaxb = new PublisherType();
                jaxb.setName(name);
                jaxb.setType(entry.getType());
                jaxb.setConf(createFileOrValue(zipStream, entry.getConf(), concat("files/publisher-", name, ".conf")));
                list.add(jaxb);
            }
            if (!list.isEmpty()) {
                root.setPublishers(new CAConfType.Publishers());
                root.getPublishers().getPublisher().addAll(list);
            }
        }
        // profiles
        if (CollectionUtil.isNonEmpty(certprofileDbEntries)) {
            List<ProfileType> list = new LinkedList<>();
            for (String name : certprofileDbEntries.keySet()) {
                if (!includeProfileNames.contains(name)) {
                    continue;
                }
                CertprofileEntry entry = certprofileDbEntries.get(name);
                ProfileType jaxb = new ProfileType();
                jaxb.setName(name);
                jaxb.setType(entry.getType());
                jaxb.setConf(createFileOrValue(zipStream, entry.getConf(), concat("files/certprofile-", name, ".conf")));
                list.add(jaxb);
            }
            if (!list.isEmpty()) {
                root.setProfiles(new CAConfType.Profiles());
                root.getProfiles().getProfile().addAll(list);
            }
        }
        // sceps
        if (CollectionUtil.isNonEmpty(scepDbEntries)) {
            List<ScepType> list = new LinkedList<>();
            for (String name : scepDbEntries.keySet()) {
                ScepEntry entry = scepDbEntries.get(name);
                String caName = entry.getCaIdent().getName();
                if (!caNames.contains(caName)) {
                    continue;
                }
                String responderName = entry.getResponderName();
                includeResponderNames.add(responderName);
                ScepType jaxb = new ScepType();
                jaxb.setName(name);
                jaxb.setCaName(caName);
                jaxb.setResponderName(responderName);
                jaxb.setProfiles(createStrings(entry.getCertProfiles()));
                jaxb.setControl(entry.getControl());
                list.add(jaxb);
            }
            if (!list.isEmpty()) {
                root.setSceps(new CAConfType.Sceps());
                root.getSceps().getScep().addAll(list);
            }
        }
        // responders
        if (CollectionUtil.isNonEmpty(responderDbEntries)) {
            List<ResponderType> list = new LinkedList<>();
            for (String name : responderDbEntries.keySet()) {
                if (!includeResponderNames.contains(name)) {
                    continue;
                }
                ResponderEntry entry = responderDbEntries.get(name);
                ResponderType jaxb = new ResponderType();
                jaxb.setName(name);
                jaxb.setType(entry.getType());
                jaxb.setConf(createFileOrValue(zipStream, entry.getConf(), concat("files/responder-", name, ".conf")));
                jaxb.setCert(createFileOrBase64Value(zipStream, entry.getBase64Cert(), concat("files/responder-", name, ".der")));
                list.add(jaxb);
            }
            if (!list.isEmpty()) {
                root.setResponders(new CAConfType.Responders());
                root.getResponders().getResponder().addAll(list);
            }
        }
        // add the CAConf XML file
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try {
            CaConf.marshal(root, bout);
        } catch (JAXBException | SAXException ex) {
            LogUtil.error(LOG, ex, "could not marshal CAConf");
            throw new CaMgmtException(concat("could not marshal CAConf: ", ex.getMessage()), ex);
        } finally {
            bout.flush();
        }
        zipStream.putNextEntry(new ZipEntry("caconf.xml"));
        try {
            zipStream.write(bout.toByteArray());
        } finally {
            zipStream.closeEntry();
        }
    } finally {
        zipStream.close();
    }
}
Also used : CaHasUserEntry(org.xipki.ca.server.mgmt.api.CaHasUserEntry) CmpcontrolType(org.xipki.ca.server.mgmt.api.conf.jaxb.CmpcontrolType) NameValueType(org.xipki.ca.server.mgmt.api.conf.jaxb.NameValueType) PublisherType(org.xipki.ca.server.mgmt.api.conf.jaxb.PublisherType) ArrayList(java.util.ArrayList) CaHasRequestorType(org.xipki.ca.server.mgmt.api.conf.jaxb.CaHasRequestorType) RequestorType(org.xipki.ca.server.mgmt.api.conf.jaxb.RequestorType) CaHasRequestorType(org.xipki.ca.server.mgmt.api.conf.jaxb.CaHasRequestorType) CaType(org.xipki.ca.server.mgmt.api.conf.jaxb.CaType) SAXException(org.xml.sax.SAXException) PublisherEntry(org.xipki.ca.server.mgmt.api.PublisherEntry) CmpControlEntry(org.xipki.ca.server.mgmt.api.CmpControlEntry) ResponderEntry(org.xipki.ca.server.mgmt.api.ResponderEntry) HashSet(java.util.HashSet) JAXBException(javax.xml.bind.JAXBException) CAConfType(org.xipki.ca.server.mgmt.api.conf.jaxb.CAConfType) ResponderType(org.xipki.ca.server.mgmt.api.conf.jaxb.ResponderType) LinkedList(java.util.LinkedList) ChangeScepEntry(org.xipki.ca.server.mgmt.api.x509.ChangeScepEntry) ScepEntry(org.xipki.ca.server.mgmt.api.x509.ScepEntry) File(java.io.File) CaHasUserType(org.xipki.ca.server.mgmt.api.conf.jaxb.CaHasUserType) UserType(org.xipki.ca.server.mgmt.api.conf.jaxb.UserType) CrlsignerType(org.xipki.ca.server.mgmt.api.conf.jaxb.CrlsignerType) X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry) ScepType(org.xipki.ca.server.mgmt.api.conf.jaxb.ScepType) RequestorEntry(org.xipki.ca.server.mgmt.api.RequestorEntry) CaHasRequestorEntry(org.xipki.ca.server.mgmt.api.CaHasRequestorEntry) ZipEntry(java.util.zip.ZipEntry) X509CrlSignerEntry(org.xipki.ca.server.mgmt.api.x509.X509CrlSignerEntry) ProfileType(org.xipki.ca.server.mgmt.api.conf.jaxb.ProfileType) CertificateEncodingException(java.security.cert.CertificateEncodingException) IOException(java.io.IOException) ByteArrayOutputStream(java.io.ByteArrayOutputStream) CertprofileEntry(org.xipki.ca.server.mgmt.api.CertprofileEntry) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) ZipOutputStream(java.util.zip.ZipOutputStream) CaHasUserType(org.xipki.ca.server.mgmt.api.conf.jaxb.CaHasUserType) X509CaInfoType(org.xipki.ca.server.mgmt.api.conf.jaxb.X509CaInfoType) AddUserEntry(org.xipki.ca.server.mgmt.api.AddUserEntry) UserEntry(org.xipki.ca.server.mgmt.api.UserEntry) CaHasUserEntry(org.xipki.ca.server.mgmt.api.CaHasUserEntry) ChangeUserEntry(org.xipki.ca.server.mgmt.api.ChangeUserEntry) CaHasRequestorEntry(org.xipki.ca.server.mgmt.api.CaHasRequestorEntry)

Example 83 with CaMgmtException

use of org.xipki.ca.server.mgmt.api.CaMgmtException in project xipki by xipki.

the class CaManagerImpl method generateCertificate.

// method removeCertificate
@Override
public X509Certificate generateCertificate(String caName, String profileName, byte[] encodedCsr, Date notBefore, Date notAfter) throws CaMgmtException {
    caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    profileName = ParamUtil.requireNonBlank("profileName", profileName).toLowerCase();
    ParamUtil.requireNonNull("encodedCsr", encodedCsr);
    AuditEvent event = new AuditEvent(new Date());
    event.setApplicationName(CaAuditConstants.APPNAME);
    event.setName(CaAuditConstants.NAME_PERF);
    event.addEventType("CAMGMT_CRL_GEN_ONDEMAND");
    X509Ca ca = getX509Ca(caName);
    CertificationRequest csr;
    try {
        csr = CertificationRequest.getInstance(encodedCsr);
    } catch (Exception ex) {
        throw new CaMgmtException(concat("invalid CSR request. ERROR: ", ex.getMessage()));
    }
    CmpControl cmpControl = getCmpControlObject(ca.getCaInfo().getCmpControlName());
    if (!securityFactory.verifyPopo(csr, cmpControl.getPopoAlgoValidator())) {
        throw new CaMgmtException("could not validate POP for the CSR");
    }
    CertificationRequestInfo certTemp = csr.getCertificationRequestInfo();
    Extensions extensions = null;
    ASN1Set attrs = certTemp.getAttributes();
    for (int i = 0; i < attrs.size(); i++) {
        Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
        if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
            extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
        }
    }
    X500Name subject = certTemp.getSubject();
    SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
    CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profileName);
    X509CertificateInfo certInfo;
    try {
        certInfo = ca.generateCertificate(certTemplateData, byCaRequestor, RequestType.CA, (byte[]) null, CaAuditConstants.MSGID_ca_mgmt);
    } catch (OperationException ex) {
        throw new CaMgmtException(ex.getMessage(), ex);
    }
    if (ca.getCaInfo().isSaveRequest()) {
        try {
            long dbId = ca.addRequest(encodedCsr);
            ca.addRequestCert(dbId, certInfo.getCert().getCertId());
        } catch (OperationException ex) {
            LogUtil.warn(LOG, ex, "could not save request");
        }
    }
    return certInfo.getCert().getCert();
}
Also used : CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) Attribute(org.bouncycastle.asn1.pkcs.Attribute) X509CertificateInfo(org.xipki.ca.api.publisher.x509.X509CertificateInfo) X500Name(org.bouncycastle.asn1.x500.X500Name) Extensions(org.bouncycastle.asn1.x509.Extensions) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) Date(java.util.Date) CertprofileException(org.xipki.ca.api.profile.CertprofileException) KeyStoreException(java.security.KeyStoreException) XiSecurityException(org.xipki.security.exception.XiSecurityException) CertificateEncodingException(java.security.cert.CertificateEncodingException) InvalidConfException(org.xipki.common.InvalidConfException) SocketException(java.net.SocketException) IOException(java.io.IOException) CertPublisherException(org.xipki.ca.api.publisher.CertPublisherException) OperationException(org.xipki.ca.api.OperationException) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) ObjectCreationException(org.xipki.common.ObjectCreationException) DataAccessException(org.xipki.datasource.DataAccessException) JAXBException(javax.xml.bind.JAXBException) FileNotFoundException(java.io.FileNotFoundException) SAXException(org.xml.sax.SAXException) CertificateException(java.security.cert.CertificateException) PasswordResolverException(org.xipki.password.PasswordResolverException) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) ASN1Set(org.bouncycastle.asn1.ASN1Set) CmpControl(org.xipki.ca.server.mgmt.api.CmpControl) PciAuditEvent(org.xipki.audit.PciAuditEvent) AuditEvent(org.xipki.audit.AuditEvent) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) OperationException(org.xipki.ca.api.OperationException)

Example 84 with CaMgmtException

use of org.xipki.ca.server.mgmt.api.CaMgmtException in project xipki by xipki.

the class CaManagerImpl method loadConf.

@Override
public void loadConf(CaConf conf) throws CaMgmtException {
    ParamUtil.requireNonNull("conf", conf);
    if (!caSystemSetuped) {
        throw new CaMgmtException("CA system is not initialized yet.");
    }
    // CMP control
    for (String name : conf.getCmpControlNames()) {
        CmpControlEntry entry = conf.getCmpControl(name);
        CmpControlEntry entryB = cmpControlDbEntries.get(name);
        if (entryB != null) {
            if (entry.equals(entryB)) {
                LOG.info("ignore existed CMP control {}", name);
                continue;
            } else {
                String msg = concat("CMP control ", name, " existed, could not re-added it");
                LOG.error(msg);
                throw new CaMgmtException(msg);
            }
        }
        try {
            addCmpControl(entry);
            LOG.info("added CMP control {}", name);
        } catch (CaMgmtException ex) {
            String msg = concat("could not add CMP control ", name);
            LogUtil.error(LOG, ex, msg);
            throw new CaMgmtException(msg);
        }
    }
    // Responder
    for (String name : conf.getResponderNames()) {
        ResponderEntry entry = conf.getResponder(name);
        ResponderEntry entryB = responderDbEntries.get(name);
        if (entryB != null) {
            if (entry.equals(entryB)) {
                LOG.info("ignore existed CMP responder {}", name);
                continue;
            } else {
                String msg = concat("CMP responder ", name, " existed, could not re-added it");
                LOG.error(msg);
                throw new CaMgmtException(msg);
            }
        }
        try {
            addResponder(entry);
            LOG.info("added CMP responder {}", name);
        } catch (CaMgmtException ex) {
            String msg = concat("could not add CMP responder ", name);
            LogUtil.error(LOG, ex, msg);
            throw new CaMgmtException(msg);
        }
    }
    // Environment
    for (String name : conf.getEnvironmentNames()) {
        String entry = conf.getEnvironment(name);
        String entryB = envParameterResolver.getParameter(name);
        if (entryB != null) {
            if (entry.equals(entryB)) {
                LOG.info("ignore existed environment parameter {}", name);
                continue;
            } else {
                String msg = concat("environment parameter ", name, " existed, could not re-added it");
                LOG.error(msg);
                throw new CaMgmtException(msg);
            }
        }
        try {
            addEnvParam(name, entry);
            LOG.info("could not add environment parameter {}", name);
        } catch (CaMgmtException ex) {
            String msg = concat("could not add environment parameter ", name);
            LogUtil.error(LOG, ex, msg);
            throw new CaMgmtException(msg);
        }
    }
    // CRL signer
    for (String name : conf.getCrlSignerNames()) {
        X509CrlSignerEntry entry = conf.getCrlSigner(name);
        X509CrlSignerEntry entryB = crlSignerDbEntries.get(name);
        if (entryB != null) {
            if (entry.equals(entryB)) {
                LOG.info("ignore existed CRL signer {}", name);
                continue;
            } else {
                String msg = concat("CRL signer ", name, " existed, could not re-added it");
                LOG.error(msg);
                throw new CaMgmtException(msg);
            }
        }
        try {
            addCrlSigner(entry);
            LOG.info("added CRL signer {}", name);
        } catch (CaMgmtException ex) {
            String msg = concat("could not add CRL signer ", name);
            LogUtil.error(LOG, ex, msg);
            throw new CaMgmtException(msg);
        }
    }
    // Requestor
    for (String name : conf.getRequestorNames()) {
        RequestorEntry entry = conf.getRequestor(name);
        RequestorEntry entryB = requestorDbEntries.get(name);
        if (entryB != null) {
            if (entry.equals(entryB)) {
                LOG.info("ignore existed CMP requestor {}", name);
                continue;
            } else {
                String msg = concat("CMP requestor ", name, " existed, could not re-added it");
                LOG.error(msg);
                throw new CaMgmtException(msg);
            }
        }
        try {
            addRequestor(entry);
            LOG.info("added CMP requestor {}", name);
        } catch (CaMgmtException ex) {
            String msg = concat("could not add CMP requestor ", name);
            LogUtil.error(LOG, ex, msg);
            throw new CaMgmtException(msg);
        }
    }
    // Publisher
    for (String name : conf.getPublisherNames()) {
        PublisherEntry entry = conf.getPublisher(name);
        PublisherEntry entryB = publisherDbEntries.get(name);
        if (entryB != null) {
            if (entry.equals(entryB)) {
                LOG.info("ignore existed publisher {}", name);
                continue;
            } else {
                String msg = concat("publisher ", name, " existed, could not re-added it");
                LOG.error(msg);
                throw new CaMgmtException(msg);
            }
        }
        try {
            addPublisher(entry);
            LOG.info("added publisher {}", name);
        } catch (CaMgmtException ex) {
            String msg = "could not add publisher " + name;
            LogUtil.error(LOG, ex, msg);
            throw new CaMgmtException(msg);
        }
    }
    // CertProfile
    for (String name : conf.getCertProfileNames()) {
        CertprofileEntry entry = conf.getCertProfile(name);
        CertprofileEntry entryB = certprofileDbEntries.get(name);
        if (entryB != null) {
            if (entry.equals(entryB)) {
                LOG.info("ignore existed certProfile {}", name);
                continue;
            } else {
                String msg = concat("certProfile ", name, " existed, could not re-added it");
                LOG.error(msg);
                throw new CaMgmtException(msg);
            }
        }
        try {
            addCertprofile(entry);
            LOG.info("added certProfile {}", name);
        } catch (CaMgmtException ex) {
            String msg = concat("could not add certProfile ", name);
            LogUtil.error(LOG, ex, msg);
            throw new CaMgmtException(msg);
        }
    }
    // User
    for (String name : conf.getUserNames()) {
        Object obj = conf.getUser(name);
        UserEntry entryB = queryExecutor.getUser(name, true);
        if (entryB != null) {
            boolean equals = false;
            if (obj instanceof UserEntry) {
                UserEntry entry = (UserEntry) obj;
                equals = entry.equals(entryB);
            } else {
                AddUserEntry entry = (AddUserEntry) obj;
                equals = PasswordHash.validatePassword(entry.getPassword(), entryB.getHashedPassword());
            }
            if (equals) {
                LOG.info("ignore existed user {}", name);
                continue;
            } else {
                String msg = concat("user ", name, " existed, could not re-added it");
                LOG.error(msg);
                throw new CaMgmtException(msg);
            }
        }
        try {
            if (obj instanceof UserEntry) {
                queryExecutor.addUser((UserEntry) obj);
            } else {
                queryExecutor.addUser((AddUserEntry) obj);
            }
            LOG.info("added user {}", name);
        } catch (CaMgmtException ex) {
            String msg = concat("could not add user ", name);
            LogUtil.error(LOG, ex, msg);
            throw new CaMgmtException(msg);
        }
    }
    // CA
    for (String caName : conf.getCaNames()) {
        SingleCaConf scc = conf.getCa(caName);
        GenSelfIssued genSelfIssued = scc.getGenSelfIssued();
        CaEntry caEntry = scc.getCaEntry();
        if (caEntry != null) {
            if (!(caEntry instanceof X509CaEntry)) {
                throw new CaMgmtException(concat("Unsupported CaEntry ", caName, " (only X509CaEntry is supported"));
            }
            X509CaEntry entry = (X509CaEntry) caEntry;
            if (caInfos.containsKey(caName)) {
                CaEntry entryB = caInfos.get(caName).getCaEntry();
                if (entry.getCert() == null && genSelfIssued != null) {
                    SignerConf signerConf = new SignerConf(entry.getSignerConf());
                    ConcurrentContentSigner signer;
                    try {
                        signer = securityFactory.createSigner(entry.getSignerType(), signerConf, (X509Certificate) null);
                    } catch (ObjectCreationException ex) {
                        throw new CaMgmtException(concat("could not create signer for CA ", caName), ex);
                    }
                    entry.setCert(signer.getCertificate());
                }
                if (entry.equals(entryB, true)) {
                    LOG.info("ignore existed CA {}", caName);
                } else {
                    String msg = concat("CA ", caName, " existed, could not re-added it");
                    LOG.error(msg);
                    throw new CaMgmtException(msg);
                }
            } else {
                if (genSelfIssued != null) {
                    X509Certificate cert = generateRootCa(entry, genSelfIssued.getProfile(), genSelfIssued.getCsr(), genSelfIssued.getSerialNumber());
                    LOG.info("generated root CA {}", caName);
                    String fn = genSelfIssued.getCertFilename();
                    if (fn != null) {
                        try {
                            IoUtil.save(fn, cert.getEncoded());
                            LOG.info("saved generated certificate of root CA {} to {}", caName, fn);
                        } catch (CertificateEncodingException ex) {
                            LogUtil.error(LOG, ex, concat("could not encode certificate of CA ", caName));
                        } catch (IOException ex) {
                            LogUtil.error(LOG, ex, concat("error while saving certificate of root CA ", caName, " to ", fn));
                        }
                    }
                } else {
                    try {
                        addCa(entry);
                        LOG.info("added CA {}", caName);
                    } catch (CaMgmtException ex) {
                        String msg = concat("could not add CA ", caName);
                        LogUtil.error(LOG, ex, msg);
                        throw new CaMgmtException(msg);
                    }
                }
            }
        }
        if (scc.getAliases() != null) {
            Set<String> aliasesB = getAliasesForCa(caName);
            for (String aliasName : scc.getAliases()) {
                if (aliasesB != null && aliasesB.contains(aliasName)) {
                    LOG.info("ignored adding existing CA alias {} to CA {}", aliasName, caName);
                } else {
                    try {
                        addCaAlias(aliasName, caName);
                        LOG.info("associated alias {} to CA {}", aliasName, caName);
                    } catch (CaMgmtException ex) {
                        String msg = concat("could not associate alias ", aliasName, " to CA ", caName);
                        LogUtil.error(LOG, ex, msg);
                        throw new CaMgmtException(msg);
                    }
                }
            }
        }
        if (scc.getProfileNames() != null) {
            Set<String> profilesB = caHasProfiles.get(caName);
            for (String profileName : scc.getProfileNames()) {
                if (profilesB != null && profilesB.contains(profileName)) {
                    LOG.info("ignored adding certprofile {} to CA {}", profileName, caName);
                } else {
                    try {
                        addCertprofileToCa(profileName, caName);
                        LOG.info("added certprofile {} to CA {}", profileName, caName);
                    } catch (CaMgmtException ex) {
                        String msg = concat("could not add certprofile ", profileName, " to CA ", caName);
                        LogUtil.error(LOG, ex, msg);
                        throw new CaMgmtException(msg);
                    }
                }
            }
        }
        if (scc.getPublisherNames() != null) {
            Set<String> publishersB = caHasPublishers.get(caName);
            for (String publisherName : scc.getPublisherNames()) {
                if (publishersB != null && publishersB.contains(publisherName)) {
                    LOG.info("ignored adding publisher {} to CA {}", publisherName, caName);
                } else {
                    try {
                        addPublisherToCa(publisherName, caName);
                        LOG.info("added publisher {} to CA {}", publisherName, caName);
                    } catch (CaMgmtException ex) {
                        String msg = concat("could not add publisher ", publisherName, " to CA ", caName);
                        LogUtil.error(LOG, ex, msg);
                        throw new CaMgmtException(msg);
                    }
                }
            }
        }
        if (scc.getRequestors() != null) {
            Set<CaHasRequestorEntry> requestorsB = caHasRequestors.get(caName);
            for (CaHasRequestorEntry requestor : scc.getRequestors()) {
                String requestorName = requestor.getRequestorIdent().getName();
                CaHasRequestorEntry requestorB = null;
                if (requestorsB != null) {
                    for (CaHasRequestorEntry m : requestorsB) {
                        if (m.getRequestorIdent().getName().equals(requestorName)) {
                            requestorB = m;
                            break;
                        }
                    }
                }
                if (requestorB != null) {
                    if (requestor.equals(requestorB)) {
                        LOG.info("ignored adding requestor {} to CA {}", requestorName, caName);
                    } else {
                        String msg = concat("could not add requestor ", requestorName, " to CA", caName);
                        LOG.error(msg);
                        throw new CaMgmtException(msg);
                    }
                } else {
                    try {
                        addRequestorToCa(requestor, caName);
                        LOG.info("added publisher {} to CA {}", requestorName, caName);
                    } catch (CaMgmtException ex) {
                        String msg = concat("could not add requestor ", requestorName, " to CA ", caName);
                        LogUtil.error(LOG, ex, msg);
                        throw new CaMgmtException(msg);
                    }
                }
            }
        }
        if (scc.getUsers() != null) {
            List<CaHasUserEntry> usersB = queryExecutor.getCaHasUsersForCa(caName, idNameMap);
            for (CaHasUserEntry user : scc.getUsers()) {
                String userName = user.getUserIdent().getName();
                CaHasUserEntry userB = null;
                if (usersB != null) {
                    for (CaHasUserEntry m : usersB) {
                        if (m.getUserIdent().getName().equals(userName)) {
                            userB = m;
                            break;
                        }
                    }
                }
                if (userB != null) {
                    if (user.equals(userB)) {
                        LOG.info("ignored adding user {} to CA {}", userName, caName);
                    } else {
                        String msg = concat("could not add user ", userName, " to CA", caName);
                        LOG.error(msg);
                        throw new CaMgmtException(msg);
                    }
                } else {
                    try {
                        addUserToCa(user, caName);
                        LOG.info("added user {} to CA {}", userName, caName);
                    } catch (CaMgmtException ex) {
                        String msg = concat("could not add user ", userName, " to CA ", caName);
                        LogUtil.error(LOG, ex, msg);
                        throw new CaMgmtException(msg);
                    }
                }
            }
        }
    // scc.getUsers()
    }
    // SCEP
    for (String name : conf.getScepNames()) {
        ScepEntry entry = conf.getScep(name);
        ScepEntry entryB = scepDbEntries.get(name);
        if (entryB != null) {
            if (entry.equals(entryB)) {
                LOG.error("ignore existed SCEP {}", name);
                continue;
            } else {
                String msg = concat("SCEP ", name, " existed, could not re-added it");
                LOG.error(msg);
                throw new CaMgmtException(msg);
            }
        } else {
            try {
                addScep(entry);
                LOG.info("added SCEP {}", name);
            } catch (CaMgmtException ex) {
                String msg = concat("could not add SCEP ", name);
                LogUtil.error(LOG, ex, msg);
                throw new CaMgmtException(msg);
            }
        }
    }
}
Also used : CaHasUserEntry(org.xipki.ca.server.mgmt.api.CaHasUserEntry) RequestorEntry(org.xipki.ca.server.mgmt.api.RequestorEntry) CaHasRequestorEntry(org.xipki.ca.server.mgmt.api.CaHasRequestorEntry) X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry) ChangeCaEntry(org.xipki.ca.server.mgmt.api.ChangeCaEntry) CaEntry(org.xipki.ca.server.mgmt.api.CaEntry) PublisherEntry(org.xipki.ca.server.mgmt.api.PublisherEntry) CmpControlEntry(org.xipki.ca.server.mgmt.api.CmpControlEntry) X509CrlSignerEntry(org.xipki.ca.server.mgmt.api.x509.X509CrlSignerEntry) ResponderEntry(org.xipki.ca.server.mgmt.api.ResponderEntry) SignerConf(org.xipki.security.SignerConf) CertificateEncodingException(java.security.cert.CertificateEncodingException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) CertprofileEntry(org.xipki.ca.server.mgmt.api.CertprofileEntry) ChangeScepEntry(org.xipki.ca.server.mgmt.api.x509.ChangeScepEntry) ScepEntry(org.xipki.ca.server.mgmt.api.x509.ScepEntry) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner) ObjectCreationException(org.xipki.common.ObjectCreationException) SingleCaConf(org.xipki.ca.server.mgmt.api.conf.SingleCaConf) AddUserEntry(org.xipki.ca.server.mgmt.api.AddUserEntry) AddUserEntry(org.xipki.ca.server.mgmt.api.AddUserEntry) UserEntry(org.xipki.ca.server.mgmt.api.UserEntry) CaHasUserEntry(org.xipki.ca.server.mgmt.api.CaHasUserEntry) ChangeUserEntry(org.xipki.ca.server.mgmt.api.ChangeUserEntry) CaHasRequestorEntry(org.xipki.ca.server.mgmt.api.CaHasRequestorEntry) GenSelfIssued(org.xipki.ca.server.mgmt.api.conf.GenSelfIssued) X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry)

Example 85 with CaMgmtException

use of org.xipki.ca.server.mgmt.api.CaMgmtException in project xipki by xipki.

the class CaManagerImpl method getCertRequest.

@Override
public byte[] getCertRequest(String caName, BigInteger serialNumber) throws CaMgmtException {
    caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    ParamUtil.requireNonNull("serialNumber", serialNumber);
    X509Ca ca = getX509Ca(caName);
    try {
        return ca.getCertRequest(serialNumber);
    } catch (OperationException ex) {
        throw new CaMgmtException(ex.getMessage(), ex);
    }
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) OperationException(org.xipki.ca.api.OperationException)

Aggregations

CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)157 PreparedStatement (java.sql.PreparedStatement)63 SQLException (java.sql.SQLException)63 CmdFailure (org.xipki.console.karaf.CmdFailure)52 NameId (org.xipki.ca.api.NameId)31 ResultSet (java.sql.ResultSet)24 OperationException (org.xipki.ca.api.OperationException)18 AtomicInteger (java.util.concurrent.atomic.AtomicInteger)16 InvalidConfException (org.xipki.common.InvalidConfException)11 DataAccessException (org.xipki.datasource.DataAccessException)11 CertificateEncodingException (java.security.cert.CertificateEncodingException)9 CaHasRequestorEntry (org.xipki.ca.server.mgmt.api.CaHasRequestorEntry)9 CertificateException (java.security.cert.CertificateException)8 ObjectCreationException (org.xipki.common.ObjectCreationException)8 X509Certificate (java.security.cert.X509Certificate)7 Date (java.util.Date)7 X509CaEntry (org.xipki.ca.server.mgmt.api.x509.X509CaEntry)7 IOException (java.io.IOException)6 Statement (java.sql.Statement)6 CaHasUserEntry (org.xipki.ca.server.mgmt.api.CaHasUserEntry)6