Search in sources :

Example 1 with CmpControl

use of org.xipki.ca.server.mgmt.api.CmpControl in project xipki by xipki.

the class CmpResponder method processPkiMessage.

public PKIMessage processPkiMessage(PKIMessage pkiMessage, X509Certificate tlsClientCert, AuditEvent event) {
    ParamUtil.requireNonNull("pkiMessage", pkiMessage);
    ParamUtil.requireNonNull("event", event);
    GeneralPKIMessage message = new GeneralPKIMessage(pkiMessage);
    PKIHeader reqHeader = message.getHeader();
    ASN1OctetString tid = reqHeader.getTransactionID();
    String msgId = null;
    if (event != null) {
        msgId = RandomUtil.nextHexLong();
        event.addEventData(CaAuditConstants.NAME_mid, msgId);
    }
    if (tid == null) {
        byte[] randomBytes = randomTransactionId();
        tid = new DEROctetString(randomBytes);
    }
    String tidStr = Base64.encodeToString(tid.getOctets());
    if (event != null) {
        event.addEventData(CaAuditConstants.NAME_tid, tidStr);
    }
    int reqPvno = reqHeader.getPvno().getValue().intValue();
    if (reqPvno != PVNO_CMP2000) {
        if (event != null) {
            event.setLevel(AuditLevel.INFO);
            event.setStatus(AuditStatus.FAILED);
            event.addEventData(CaAuditConstants.NAME_message, "unsupproted version " + reqPvno);
        }
        return buildErrorPkiMessage(tid, reqHeader, PKIFailureInfo.unsupportedVersion, null);
    }
    CmpControl cmpControl = getCmpControl();
    Integer failureCode = null;
    String statusText = null;
    Date messageTime = null;
    if (reqHeader.getMessageTime() != null) {
        try {
            messageTime = reqHeader.getMessageTime().getDate();
        } catch (ParseException ex) {
            LogUtil.error(LOG, ex, "tid=" + tidStr + ": could not parse messageTime");
        }
    }
    GeneralName recipient = reqHeader.getRecipient();
    boolean intentMe = (recipient == null) ? true : intendsMe(recipient);
    if (!intentMe) {
        LOG.warn("tid={}: I am not the intended recipient, but '{}'", tid, reqHeader.getRecipient());
        failureCode = PKIFailureInfo.badRequest;
        statusText = "I am not the intended recipient";
    } else if (messageTime == null) {
        if (cmpControl.isMessageTimeRequired()) {
            failureCode = PKIFailureInfo.missingTimeStamp;
            statusText = "missing time-stamp";
        }
    } else {
        long messageTimeBias = cmpControl.getMessageTimeBias();
        if (messageTimeBias < 0) {
            messageTimeBias *= -1;
        }
        long msgTimeMs = messageTime.getTime();
        long currentTimeMs = System.currentTimeMillis();
        long bias = (msgTimeMs - currentTimeMs) / 1000L;
        if (bias > messageTimeBias) {
            failureCode = PKIFailureInfo.badTime;
            statusText = "message time is in the future";
        } else if (bias * -1 > messageTimeBias) {
            failureCode = PKIFailureInfo.badTime;
            statusText = "message too old";
        }
    }
    if (failureCode != null) {
        if (event != null) {
            event.setLevel(AuditLevel.INFO);
            event.setStatus(AuditStatus.FAILED);
            event.addEventData(CaAuditConstants.NAME_message, statusText);
        }
        return buildErrorPkiMessage(tid, reqHeader, failureCode, statusText);
    }
    boolean isProtected = message.hasProtection();
    CmpRequestorInfo requestor;
    String errorStatus;
    if (isProtected) {
        try {
            ProtectionVerificationResult verificationResult = verifyProtection(tidStr, message, cmpControl);
            ProtectionResult pr = verificationResult.getProtectionResult();
            switch(pr) {
                case VALID:
                    errorStatus = null;
                    break;
                case INVALID:
                    errorStatus = "request is protected by signature but invalid";
                    break;
                case NOT_SIGNATURE_BASED:
                    errorStatus = "request is not protected by signature";
                    break;
                case SENDER_NOT_AUTHORIZED:
                    errorStatus = "request is protected by signature but the requestor is not authorized";
                    break;
                case SIGALGO_FORBIDDEN:
                    errorStatus = "request is protected by signature but the protection algorithm" + " is forbidden";
                    break;
                default:
                    throw new RuntimeException("should not reach here, unknown ProtectionResult " + pr);
            }
            // end switch
            requestor = (CmpRequestorInfo) verificationResult.getRequestor();
        } catch (Exception ex) {
            LogUtil.error(LOG, ex, "tid=" + tidStr + ": could not verify the signature");
            errorStatus = "request has invalid signature based protection";
            requestor = null;
        }
    } else if (tlsClientCert != null) {
        boolean authorized = false;
        requestor = getRequestor(reqHeader);
        if (requestor != null) {
            if (tlsClientCert.equals(requestor.getCert().getCert())) {
                authorized = true;
            }
        }
        if (authorized) {
            errorStatus = null;
        } else {
            LOG.warn("tid={}: not authorized requestor (TLS client '{}')", tid, X509Util.getRfc4519Name(tlsClientCert.getSubjectX500Principal()));
            errorStatus = "requestor (TLS client certificate) is not authorized";
        }
    } else {
        errorStatus = "request has no protection";
        requestor = null;
    }
    if (errorStatus != null) {
        if (event != null) {
            event.setLevel(AuditLevel.INFO);
            event.setStatus(AuditStatus.FAILED);
            event.addEventData(CaAuditConstants.NAME_message, errorStatus);
        }
        return buildErrorPkiMessage(tid, reqHeader, PKIFailureInfo.badMessageCheck, errorStatus);
    }
    PKIMessage resp = processPkiMessage0(pkiMessage, requestor, tid, message, msgId, event);
    if (isProtected) {
        resp = addProtection(resp, event);
    } else {
    // protected by TLS connection
    }
    return resp;
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) ProtectionResult(org.xipki.cmp.ProtectionResult) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) ProtectionVerificationResult(org.xipki.cmp.ProtectionVerificationResult) DEROctetString(org.bouncycastle.asn1.DEROctetString) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DEROctetString(org.bouncycastle.asn1.DEROctetString) Date(java.util.Date) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) CMPException(org.bouncycastle.cert.cmp.CMPException) ParseException(java.text.ParseException) InvalidKeyException(java.security.InvalidKeyException) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) CmpControl(org.xipki.ca.server.mgmt.api.CmpControl) ParseException(java.text.ParseException) GeneralName(org.bouncycastle.asn1.x509.GeneralName)

Example 2 with CmpControl

use of org.xipki.ca.server.mgmt.api.CmpControl in project xipki by xipki.

the class CaManagerImpl method initCmpControls.

// method initCrlSigners
private void initCmpControls() throws CaMgmtException {
    if (cmpControlInitialized) {
        return;
    }
    cmpControls.clear();
    cmpControlDbEntries.clear();
    List<String> names = queryExecutor.namesFromTable("CMPCONTROL");
    for (String name : names) {
        CmpControlEntry cmpControlDb = queryExecutor.createCmpControl(name);
        if (cmpControlDb == null) {
            continue;
        }
        cmpControlDb.setFaulty(true);
        cmpControlDbEntries.put(name, cmpControlDb);
        CmpControl cmpControl;
        try {
            cmpControl = new CmpControl(cmpControlDb);
            cmpControlDb.setFaulty(false);
            cmpControls.put(name, cmpControl);
        } catch (InvalidConfException ex) {
            LogUtil.error(LOG, ex, concat("could not initialize CMP control ", name, ", ignore it"));
        }
    }
    cmpControlInitialized = true;
}
Also used : CmpControlEntry(org.xipki.ca.server.mgmt.api.CmpControlEntry) CmpControl(org.xipki.ca.server.mgmt.api.CmpControl) InvalidConfException(org.xipki.common.InvalidConfException)

Example 3 with CmpControl

use of org.xipki.ca.server.mgmt.api.CmpControl in project xipki by xipki.

the class CmpControlCheckCmd method execute0.

@Override
protected Object execute0() throws Exception {
    println("checking CMP control " + name);
    CmpControlEntry ce = caManager.getCmpControl(name);
    if (ce == null) {
        throw new CmdFailure("no CMP control named '" + name + "' is configured");
    }
    String is = ce.getConf();
    String ex = new CmpControl(new CmpControlEntry(name, conf)).getDbEntry().getConf();
    MgmtQaShellUtil.assertEquals("CMP control", ex, is);
    println(" checked CMP control " + name);
    return null;
}
Also used : CmdFailure(org.xipki.console.karaf.CmdFailure) CmpControlEntry(org.xipki.ca.server.mgmt.api.CmpControlEntry) CmpControl(org.xipki.ca.server.mgmt.api.CmpControl)

Example 4 with CmpControl

use of org.xipki.ca.server.mgmt.api.CmpControl in project xipki by xipki.

the class CaManagerImpl method generateCertificate.

// method removeCertificate
@Override
public X509Certificate generateCertificate(String caName, String profileName, byte[] encodedCsr, Date notBefore, Date notAfter) throws CaMgmtException {
    caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    profileName = ParamUtil.requireNonBlank("profileName", profileName).toLowerCase();
    ParamUtil.requireNonNull("encodedCsr", encodedCsr);
    AuditEvent event = new AuditEvent(new Date());
    event.setApplicationName(CaAuditConstants.APPNAME);
    event.setName(CaAuditConstants.NAME_PERF);
    event.addEventType("CAMGMT_CRL_GEN_ONDEMAND");
    X509Ca ca = getX509Ca(caName);
    CertificationRequest csr;
    try {
        csr = CertificationRequest.getInstance(encodedCsr);
    } catch (Exception ex) {
        throw new CaMgmtException(concat("invalid CSR request. ERROR: ", ex.getMessage()));
    }
    CmpControl cmpControl = getCmpControlObject(ca.getCaInfo().getCmpControlName());
    if (!securityFactory.verifyPopo(csr, cmpControl.getPopoAlgoValidator())) {
        throw new CaMgmtException("could not validate POP for the CSR");
    }
    CertificationRequestInfo certTemp = csr.getCertificationRequestInfo();
    Extensions extensions = null;
    ASN1Set attrs = certTemp.getAttributes();
    for (int i = 0; i < attrs.size(); i++) {
        Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
        if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
            extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
        }
    }
    X500Name subject = certTemp.getSubject();
    SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
    CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profileName);
    X509CertificateInfo certInfo;
    try {
        certInfo = ca.generateCertificate(certTemplateData, byCaRequestor, RequestType.CA, (byte[]) null, CaAuditConstants.MSGID_ca_mgmt);
    } catch (OperationException ex) {
        throw new CaMgmtException(ex.getMessage(), ex);
    }
    if (ca.getCaInfo().isSaveRequest()) {
        try {
            long dbId = ca.addRequest(encodedCsr);
            ca.addRequestCert(dbId, certInfo.getCert().getCertId());
        } catch (OperationException ex) {
            LogUtil.warn(LOG, ex, "could not save request");
        }
    }
    return certInfo.getCert().getCert();
}
Also used : CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) Attribute(org.bouncycastle.asn1.pkcs.Attribute) X509CertificateInfo(org.xipki.ca.api.publisher.x509.X509CertificateInfo) X500Name(org.bouncycastle.asn1.x500.X500Name) Extensions(org.bouncycastle.asn1.x509.Extensions) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) Date(java.util.Date) CertprofileException(org.xipki.ca.api.profile.CertprofileException) KeyStoreException(java.security.KeyStoreException) XiSecurityException(org.xipki.security.exception.XiSecurityException) CertificateEncodingException(java.security.cert.CertificateEncodingException) InvalidConfException(org.xipki.common.InvalidConfException) SocketException(java.net.SocketException) IOException(java.io.IOException) CertPublisherException(org.xipki.ca.api.publisher.CertPublisherException) OperationException(org.xipki.ca.api.OperationException) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) ObjectCreationException(org.xipki.common.ObjectCreationException) DataAccessException(org.xipki.datasource.DataAccessException) JAXBException(javax.xml.bind.JAXBException) FileNotFoundException(java.io.FileNotFoundException) SAXException(org.xml.sax.SAXException) CertificateException(java.security.cert.CertificateException) PasswordResolverException(org.xipki.password.PasswordResolverException) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) ASN1Set(org.bouncycastle.asn1.ASN1Set) CmpControl(org.xipki.ca.server.mgmt.api.CmpControl) PciAuditEvent(org.xipki.audit.PciAuditEvent) AuditEvent(org.xipki.audit.AuditEvent) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) OperationException(org.xipki.ca.api.OperationException)

Example 5 with CmpControl

use of org.xipki.ca.server.mgmt.api.CmpControl in project xipki by xipki.

the class CaManagerImpl method addCmpControl.

@Override
public void addCmpControl(CmpControlEntry dbEntry) throws CaMgmtException {
    ParamUtil.requireNonNull("dbEntry", dbEntry);
    asssertMasterMode();
    final String name = dbEntry.getName();
    if (cmpControlDbEntries.containsKey(name)) {
        throw new CaMgmtException(concat("CMP control named ", name, " exists"));
    }
    CmpControl cmpControl;
    try {
        cmpControl = new CmpControl(dbEntry);
    } catch (InvalidConfException ex) {
        LogUtil.error(LOG, ex, "could not add CMP control to certStore");
        throw new CaMgmtException(ex);
    }
    CmpControlEntry tmpDbEntry = cmpControl.getDbEntry();
    queryExecutor.addCmpControl(tmpDbEntry);
    cmpControls.put(name, cmpControl);
    cmpControlDbEntries.put(name, tmpDbEntry);
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) CmpControlEntry(org.xipki.ca.server.mgmt.api.CmpControlEntry) CmpControl(org.xipki.ca.server.mgmt.api.CmpControl) InvalidConfException(org.xipki.common.InvalidConfException)

Aggregations

CmpControl (org.xipki.ca.server.mgmt.api.CmpControl)8 CmpControlEntry (org.xipki.ca.server.mgmt.api.CmpControlEntry)4 InvalidConfException (org.xipki.common.InvalidConfException)4 CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)3 Date (java.util.Date)2 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)2 PKIHeader (org.bouncycastle.asn1.cmp.PKIHeader)2 PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)2 GeneralPKIMessage (org.bouncycastle.cert.cmp.GeneralPKIMessage)2 FileNotFoundException (java.io.FileNotFoundException)1 IOException (java.io.IOException)1 SocketException (java.net.SocketException)1 InvalidKeyException (java.security.InvalidKeyException)1 KeyStoreException (java.security.KeyStoreException)1 CertificateEncodingException (java.security.cert.CertificateEncodingException)1 CertificateException (java.security.cert.CertificateException)1 PreparedStatement (java.sql.PreparedStatement)1 SQLException (java.sql.SQLException)1 ParseException (java.text.ParseException)1 JAXBException (javax.xml.bind.JAXBException)1