use of org.xipki.ca.server.mgmt.api.CmpControl in project xipki by xipki.
the class CmpResponder method processPkiMessage.
public PKIMessage processPkiMessage(PKIMessage pkiMessage, X509Certificate tlsClientCert, AuditEvent event) {
ParamUtil.requireNonNull("pkiMessage", pkiMessage);
ParamUtil.requireNonNull("event", event);
GeneralPKIMessage message = new GeneralPKIMessage(pkiMessage);
PKIHeader reqHeader = message.getHeader();
ASN1OctetString tid = reqHeader.getTransactionID();
String msgId = null;
if (event != null) {
msgId = RandomUtil.nextHexLong();
event.addEventData(CaAuditConstants.NAME_mid, msgId);
}
if (tid == null) {
byte[] randomBytes = randomTransactionId();
tid = new DEROctetString(randomBytes);
}
String tidStr = Base64.encodeToString(tid.getOctets());
if (event != null) {
event.addEventData(CaAuditConstants.NAME_tid, tidStr);
}
int reqPvno = reqHeader.getPvno().getValue().intValue();
if (reqPvno != PVNO_CMP2000) {
if (event != null) {
event.setLevel(AuditLevel.INFO);
event.setStatus(AuditStatus.FAILED);
event.addEventData(CaAuditConstants.NAME_message, "unsupproted version " + reqPvno);
}
return buildErrorPkiMessage(tid, reqHeader, PKIFailureInfo.unsupportedVersion, null);
}
CmpControl cmpControl = getCmpControl();
Integer failureCode = null;
String statusText = null;
Date messageTime = null;
if (reqHeader.getMessageTime() != null) {
try {
messageTime = reqHeader.getMessageTime().getDate();
} catch (ParseException ex) {
LogUtil.error(LOG, ex, "tid=" + tidStr + ": could not parse messageTime");
}
}
GeneralName recipient = reqHeader.getRecipient();
boolean intentMe = (recipient == null) ? true : intendsMe(recipient);
if (!intentMe) {
LOG.warn("tid={}: I am not the intended recipient, but '{}'", tid, reqHeader.getRecipient());
failureCode = PKIFailureInfo.badRequest;
statusText = "I am not the intended recipient";
} else if (messageTime == null) {
if (cmpControl.isMessageTimeRequired()) {
failureCode = PKIFailureInfo.missingTimeStamp;
statusText = "missing time-stamp";
}
} else {
long messageTimeBias = cmpControl.getMessageTimeBias();
if (messageTimeBias < 0) {
messageTimeBias *= -1;
}
long msgTimeMs = messageTime.getTime();
long currentTimeMs = System.currentTimeMillis();
long bias = (msgTimeMs - currentTimeMs) / 1000L;
if (bias > messageTimeBias) {
failureCode = PKIFailureInfo.badTime;
statusText = "message time is in the future";
} else if (bias * -1 > messageTimeBias) {
failureCode = PKIFailureInfo.badTime;
statusText = "message too old";
}
}
if (failureCode != null) {
if (event != null) {
event.setLevel(AuditLevel.INFO);
event.setStatus(AuditStatus.FAILED);
event.addEventData(CaAuditConstants.NAME_message, statusText);
}
return buildErrorPkiMessage(tid, reqHeader, failureCode, statusText);
}
boolean isProtected = message.hasProtection();
CmpRequestorInfo requestor;
String errorStatus;
if (isProtected) {
try {
ProtectionVerificationResult verificationResult = verifyProtection(tidStr, message, cmpControl);
ProtectionResult pr = verificationResult.getProtectionResult();
switch(pr) {
case VALID:
errorStatus = null;
break;
case INVALID:
errorStatus = "request is protected by signature but invalid";
break;
case NOT_SIGNATURE_BASED:
errorStatus = "request is not protected by signature";
break;
case SENDER_NOT_AUTHORIZED:
errorStatus = "request is protected by signature but the requestor is not authorized";
break;
case SIGALGO_FORBIDDEN:
errorStatus = "request is protected by signature but the protection algorithm" + " is forbidden";
break;
default:
throw new RuntimeException("should not reach here, unknown ProtectionResult " + pr);
}
// end switch
requestor = (CmpRequestorInfo) verificationResult.getRequestor();
} catch (Exception ex) {
LogUtil.error(LOG, ex, "tid=" + tidStr + ": could not verify the signature");
errorStatus = "request has invalid signature based protection";
requestor = null;
}
} else if (tlsClientCert != null) {
boolean authorized = false;
requestor = getRequestor(reqHeader);
if (requestor != null) {
if (tlsClientCert.equals(requestor.getCert().getCert())) {
authorized = true;
}
}
if (authorized) {
errorStatus = null;
} else {
LOG.warn("tid={}: not authorized requestor (TLS client '{}')", tid, X509Util.getRfc4519Name(tlsClientCert.getSubjectX500Principal()));
errorStatus = "requestor (TLS client certificate) is not authorized";
}
} else {
errorStatus = "request has no protection";
requestor = null;
}
if (errorStatus != null) {
if (event != null) {
event.setLevel(AuditLevel.INFO);
event.setStatus(AuditStatus.FAILED);
event.addEventData(CaAuditConstants.NAME_message, errorStatus);
}
return buildErrorPkiMessage(tid, reqHeader, PKIFailureInfo.badMessageCheck, errorStatus);
}
PKIMessage resp = processPkiMessage0(pkiMessage, requestor, tid, message, msgId, event);
if (isProtected) {
resp = addProtection(resp, event);
} else {
// protected by TLS connection
}
return resp;
}
use of org.xipki.ca.server.mgmt.api.CmpControl in project xipki by xipki.
the class CaManagerImpl method initCmpControls.
// method initCrlSigners
private void initCmpControls() throws CaMgmtException {
if (cmpControlInitialized) {
return;
}
cmpControls.clear();
cmpControlDbEntries.clear();
List<String> names = queryExecutor.namesFromTable("CMPCONTROL");
for (String name : names) {
CmpControlEntry cmpControlDb = queryExecutor.createCmpControl(name);
if (cmpControlDb == null) {
continue;
}
cmpControlDb.setFaulty(true);
cmpControlDbEntries.put(name, cmpControlDb);
CmpControl cmpControl;
try {
cmpControl = new CmpControl(cmpControlDb);
cmpControlDb.setFaulty(false);
cmpControls.put(name, cmpControl);
} catch (InvalidConfException ex) {
LogUtil.error(LOG, ex, concat("could not initialize CMP control ", name, ", ignore it"));
}
}
cmpControlInitialized = true;
}
use of org.xipki.ca.server.mgmt.api.CmpControl in project xipki by xipki.
the class CmpControlCheckCmd method execute0.
@Override
protected Object execute0() throws Exception {
println("checking CMP control " + name);
CmpControlEntry ce = caManager.getCmpControl(name);
if (ce == null) {
throw new CmdFailure("no CMP control named '" + name + "' is configured");
}
String is = ce.getConf();
String ex = new CmpControl(new CmpControlEntry(name, conf)).getDbEntry().getConf();
MgmtQaShellUtil.assertEquals("CMP control", ex, is);
println(" checked CMP control " + name);
return null;
}
use of org.xipki.ca.server.mgmt.api.CmpControl in project xipki by xipki.
the class CaManagerImpl method generateCertificate.
// method removeCertificate
@Override
public X509Certificate generateCertificate(String caName, String profileName, byte[] encodedCsr, Date notBefore, Date notAfter) throws CaMgmtException {
caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
profileName = ParamUtil.requireNonBlank("profileName", profileName).toLowerCase();
ParamUtil.requireNonNull("encodedCsr", encodedCsr);
AuditEvent event = new AuditEvent(new Date());
event.setApplicationName(CaAuditConstants.APPNAME);
event.setName(CaAuditConstants.NAME_PERF);
event.addEventType("CAMGMT_CRL_GEN_ONDEMAND");
X509Ca ca = getX509Ca(caName);
CertificationRequest csr;
try {
csr = CertificationRequest.getInstance(encodedCsr);
} catch (Exception ex) {
throw new CaMgmtException(concat("invalid CSR request. ERROR: ", ex.getMessage()));
}
CmpControl cmpControl = getCmpControlObject(ca.getCaInfo().getCmpControlName());
if (!securityFactory.verifyPopo(csr, cmpControl.getPopoAlgoValidator())) {
throw new CaMgmtException("could not validate POP for the CSR");
}
CertificationRequestInfo certTemp = csr.getCertificationRequestInfo();
Extensions extensions = null;
ASN1Set attrs = certTemp.getAttributes();
for (int i = 0; i < attrs.size(); i++) {
Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
}
}
X500Name subject = certTemp.getSubject();
SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profileName);
X509CertificateInfo certInfo;
try {
certInfo = ca.generateCertificate(certTemplateData, byCaRequestor, RequestType.CA, (byte[]) null, CaAuditConstants.MSGID_ca_mgmt);
} catch (OperationException ex) {
throw new CaMgmtException(ex.getMessage(), ex);
}
if (ca.getCaInfo().isSaveRequest()) {
try {
long dbId = ca.addRequest(encodedCsr);
ca.addRequestCert(dbId, certInfo.getCert().getCertId());
} catch (OperationException ex) {
LogUtil.warn(LOG, ex, "could not save request");
}
}
return certInfo.getCert().getCert();
}
use of org.xipki.ca.server.mgmt.api.CmpControl in project xipki by xipki.
the class CaManagerImpl method addCmpControl.
@Override
public void addCmpControl(CmpControlEntry dbEntry) throws CaMgmtException {
ParamUtil.requireNonNull("dbEntry", dbEntry);
asssertMasterMode();
final String name = dbEntry.getName();
if (cmpControlDbEntries.containsKey(name)) {
throw new CaMgmtException(concat("CMP control named ", name, " exists"));
}
CmpControl cmpControl;
try {
cmpControl = new CmpControl(dbEntry);
} catch (InvalidConfException ex) {
LogUtil.error(LOG, ex, "could not add CMP control to certStore");
throw new CaMgmtException(ex);
}
CmpControlEntry tmpDbEntry = cmpControl.getDbEntry();
queryExecutor.addCmpControl(tmpDbEntry);
cmpControls.put(name, cmpControl);
cmpControlDbEntries.put(name, tmpDbEntry);
}
Aggregations