
Example 11 with X509CaEntry

use of org.xipki.ca.server.mgmt.api.x509.X509CaEntry in project xipki by xipki.

the class CaConf method init.

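/**
 * Populates this configuration from the parsed JAXB tree.
 *
 * <p>Sections are processed in the order properties, CMP controls, responders,
 * environments, CRL signers, requestors, users, publishers, certificate profiles,
 * CAs and SCEP entries; a section that is absent from {@code jaxb} is skipped.
 * The {@code getValue}/{@code getBinary}/{@code getBase64Binary} helpers take
 * {@code zipFile}, presumably to resolve file references against the archive,
 * and {@code expandConf} performs property expansion on textual values.
 *
 * @param jaxb parsed configuration tree
 * @param baseDir exposed to the configuration as the {@code baseDir} property;
 *        may be {@code null}
 * @param zipFile archive the configuration was loaded from
 * @param securityFactory used to instantiate a CA signer when a CA's certificate
 *        is not given explicitly and must be taken from the signer
 * @throws IOException if a referenced file cannot be read
 * @throws InvalidConfException if the configuration is inconsistent: a property
 *         defined twice, a CA certificate element without a file, an unparsable
 *         CA certificate, a signer that cannot be created, a CA without X.509
 *         info, a signer conf without any signer, or a SCEP entry without profiles
 * @throws CaMgmtException declared by this method; none of the visible code
 *         throws it directly, so it presumably originates in the add* helpers
 */
private void init(CAConfType jaxb, String baseDir, ZipFile zipFile, SecurityFactory securityFactory) throws IOException, InvalidConfException, CaMgmtException {
    // Properties: baseDir is seeded first, so a configured property of the same
    // name is rejected below as "already defined".
    if (baseDir != null) {
        properties.put("baseDir", baseDir);
    }
    if (jaxb.getProperties() != null) {
        for (NameValueType m : jaxb.getProperties().getProperty()) {
            String name = m.getName();
            if (properties.containsKey(name)) {
                throw new InvalidConfException("Property " + name + " already defined");
            }
            properties.put(name, m.getValue());
        }
    }
    // CMP controls
    if (jaxb.getCmpcontrols() != null) {
        for (CmpcontrolType m : jaxb.getCmpcontrols().getCmpcontrol()) {
            CmpControlEntry en = new CmpControlEntry(m.getName(), getValue(m.getConf(), zipFile));
            addCmpControl(en);
        }
    }
    // Responders
    if (jaxb.getResponders() != null) {
        for (ResponderType m : jaxb.getResponders().getResponder()) {
            ResponderEntry en = new ResponderEntry(m.getName(), expandConf(m.getType()), getValue(m.getConf(), zipFile), getBase64Binary(m.getCert(), zipFile));
            addResponder(en);
        }
    }
    // Environments
    if (jaxb.getEnvironments() != null) {
        for (NameValueType m : jaxb.getEnvironments().getEnvironment()) {
            addEnvironment(m.getName(), expandConf(m.getValue()));
        }
    }
    // CRL signers
    if (jaxb.getCrlsigners() != null) {
        for (CrlsignerType m : jaxb.getCrlsigners().getCrlsigner()) {
            X509CrlSignerEntry en = new X509CrlSignerEntry(m.getName(), expandConf(m.getSignerType()), getValue(m.getSignerConf(), zipFile), getBase64Binary(m.getSignerCert(), zipFile), expandConf(m.getCrlControl()));
            addCrlSigner(en);
        }
    }
    // Requestors
    if (jaxb.getRequestors() != null) {
        for (RequestorType m : jaxb.getRequestors().getRequestor()) {
            RequestorEntry en = new RequestorEntry(new NameId(null, m.getName()), getBase64Binary(m.getCert(), zipFile));
            addRequestor(en);
        }
    }
    // Users: an "active" flag that is absent defaults to true. A cleartext
    // "password" element produces an AddUserEntry; otherwise the "hashedPassword"
    // element is passed through unchanged in a UserEntry.
    // NOTE(review): whether and how the cleartext password gets hashed happens
    // outside this method — confirm in addUser before relying on it.
    if (jaxb.getUsers() != null) {
        for (UserType m : jaxb.getUsers().getUser()) {
            boolean active = (m.isActive() != null) ? m.isActive() : true;
            String password = m.getPassword();
            if (password != null) {
                AddUserEntry en = new AddUserEntry(new NameId(null, m.getName()), active, password);
                addUser(en);
            } else {
                UserEntry en = new UserEntry(new NameId(null, m.getName()), active, m.getHashedPassword());
                addUser(en);
            }
        }
    }
    // Publishers
    if (jaxb.getPublishers() != null) {
        for (PublisherType m : jaxb.getPublishers().getPublisher()) {
            PublisherEntry en = new PublisherEntry(new NameId(null, m.getName()), expandConf(m.getType()), getValue(m.getConf(), zipFile));
            addPublisher(en);
        }
    }
    // CertProfiles
    if (jaxb.getProfiles() != null) {
        for (ProfileType m : jaxb.getProfiles().getProfile()) {
            CertprofileEntry en = new CertprofileEntry(new NameId(null, m.getName()), expandConf(m.getType()), getValue(m.getConf(), zipFile));
            addProfile(en);
        }
    }
    // CAs
    if (jaxb.getCas() != null) {
        for (CaType m : jaxb.getCas().getCa()) {
            String name = m.getName();
            GenSelfIssued genSelfIssued = null;
            X509CaEntry caEntry = null;
            if (m.getCaInfo() != null) {
                X509CaInfoType ci = m.getCaInfo().getX509Ca();
                // Report a missing X.509 section as a configuration error rather
                // than failing with a NullPointerException further down.
                if (ci == null) {
                    throw new InvalidConfException("x509Ca of CA " + name + " must not be null");
                }
                if (ci.getGenSelfIssued() != null) {
                    // The cert element, when present, must reference a file; that is
                    // where the generated self-issued certificate is written to.
                    String certFilename = null;
                    if (ci.getCert() != null) {
                        if (ci.getCert().getFile() != null) {
                            certFilename = expandConf(ci.getCert().getFile());
                        } else {
                            throw new InvalidConfException("cert.file of CA " + name + " must not be null");
                        }
                    }
                    byte[] csr = getBinary(ci.getGenSelfIssued().getCsr(), zipFile);
                    // Optional explicit serial number: a "0x"/"0X" prefix selects a
                    // hexadecimal value, anything else is parsed as decimal. No sign
                    // or length check is done here; a malformed value surfaces as
                    // NumberFormatException from BigInteger.
                    BigInteger serialNumber = null;
                    String str = ci.getGenSelfIssued().getSerialNumber();
                    if (str != null) {
                        if (str.startsWith("0x") || str.startsWith("0X")) {
                            serialNumber = new BigInteger(str.substring(2), 16);
                        } else {
                            serialNumber = new BigInteger(str);
                        }
                    }
                    genSelfIssued = new GenSelfIssued(ci.getGenSelfIssued().getProfile(), csr, serialNumber, certFilename);
                }
                X509CaUris caUris = new X509CaUris(getStrings(ci.getCacertUris()), getStrings(ci.getOcspUris()), getStrings(ci.getCrlUris()), getStrings(ci.getDeltacrlUris()));
                // Defaults applied when the element is absent: 365 (expiration
                // period), 30 (number of CRLs), -1 (keep expired certs).
                int expirationPeriod = (ci.getExpirationPeriod() == null) ? 365 : ci.getExpirationPeriod().intValue();
                int numCrls = (ci.getNumCrls() == null) ? 30 : ci.getNumCrls().intValue();
                caEntry = new X509CaEntry(new NameId(null, name), ci.getSnSize(), ci.getNextCrlNo(), expandConf(ci.getSignerType()), getValue(ci.getSignerConf(), zipFile), caUris, numCrls, expirationPeriod);
                caEntry.setCmpControlName(ci.getCmpcontrolName());
                caEntry.setCrlSignerName(ci.getCrlsignerName());
                caEntry.setDuplicateKeyPermitted(ci.isDuplicateKey());
                caEntry.setDuplicateSubjectPermitted(ci.isDuplicateSubject());
                if (ci.getExtraControl() != null) {
                    String value = getValue(ci.getExtraControl(), zipFile);
                    if (value != null) {
                        caEntry.setExtraControl(new ConfPairs(value).unmodifiable());
                    }
                }
                int keepExpiredCertDays = (ci.getKeepExpiredCertDays() == null) ? -1 : ci.getKeepExpiredCertDays().intValue();
                caEntry.setKeepExpiredCertInDays(keepExpiredCertDays);
                caEntry.setMaxValidity(CertValidity.getInstance(ci.getMaxValidity()));
                caEntry.setPermission(ci.getPermission());
                caEntry.setResponderName(ci.getResponderName());
                caEntry.setSaveRequest(ci.isSaveReq());
                caEntry.setStatus(CaStatus.forName(ci.getStatus()));
                if (ci.getValidityMode() != null) {
                    caEntry.setValidityMode(ValidityMode.forName(ci.getValidityMode()));
                }
                // For a CA that is not generated here, the CA certificate comes either
                // from the cert element or, failing that, from the signer itself.
                if (ci.getGenSelfIssued() == null) {
                    X509Certificate caCert;
                    if (ci.getCert() != null) {
                        byte[] bytes = getBinary(ci.getCert(), zipFile);
                        try {
                            caCert = X509Util.parseCert(bytes);
                        } catch (CertificateException ex) {
                            throw new InvalidConfException("invalid certificate of CA " + name, ex);
                        }
                    } else {
                        // extract from the signer configuration
                        ConcurrentContentSigner signer;
                        try {
                            List<String[]> signerConfs = CaEntry.splitCaSignerConfs(getValue(ci.getSignerConf(), zipFile));
                            // An empty split would otherwise fail with an
                            // IndexOutOfBoundsException on the get(0) below.
                            if (signerConfs.isEmpty()) {
                                throw new InvalidConfException("signerConf of CA " + name + " contains no signer");
                            }
                            // Only the first signer entry is consulted for the certificate.
                            SignerConf signerConf = new SignerConf(signerConfs.get(0)[1]);
                            signer = securityFactory.createSigner(expandConf(ci.getSignerType()), signerConf, (X509Certificate) null);
                        } catch (ObjectCreationException | XiSecurityException ex) {
                            throw new InvalidConfException("could not create CA signer for CA " + name, ex);
                        }
                        // NOTE(review): getCertificate() may be null when the signer
                        // conf carries no certificate — confirm that setCert rejects it.
                        caCert = signer.getCertificate();
                    }
                    caEntry.setCert(caCert);
                }
            }
            List<CaHasRequestorEntry> caHasRequestors = null;
            if (m.getRequestors() != null) {
                caHasRequestors = new LinkedList<>();
                for (CaHasRequestorType req : m.getRequestors().getRequestor()) {
                    CaHasRequestorEntry en = new CaHasRequestorEntry(new NameId(null, req.getRequestorName()));
                    en.setRa(req.isRa());
                    // getStrings may return null for an absent element; profiles are
                    // then left at the entry's default.
                    List<String> strs = getStrings(req.getProfiles());
                    if (strs != null) {
                        en.setProfiles(new HashSet<>(strs));
                    }
                    en.setPermission(req.getPermission());
                    caHasRequestors.add(en);
                }
            }
            List<CaHasUserEntry> caHasUsers = null;
            if (m.getUsers() != null) {
                caHasUsers = new LinkedList<>();
                for (CaHasUserType req : m.getUsers().getUser()) {
                    CaHasUserEntry en = new CaHasUserEntry(new NameId(null, req.getUserName()));
                    en.setPermission(req.getPermission());
                    List<String> strs = getStrings(req.getProfiles());
                    if (strs != null) {
                        en.setProfiles(new HashSet<>(strs));
                    }
                    caHasUsers.add(en);
                }
            }
            List<String> aliases = getStrings(m.getAliases());
            List<String> profileNames = getStrings(m.getProfiles());
            List<String> publisherNames = getStrings(m.getPublishers());
            SingleCaConf singleCa = new SingleCaConf(name, genSelfIssued, caEntry, aliases, profileNames, caHasRequestors, caHasUsers, publisherNames);
            addSingleCa(singleCa);
        }
    }
    // SCEPs
    if (jaxb.getSceps() != null) {
        for (ScepType m : jaxb.getSceps().getScep()) {
            String name = m.getName();
            NameId caIdent = new NameId(null, m.getCaName());
            List<String> certProfiles = getStrings(m.getProfiles());
            // The CA sections above treat a null result of getStrings as "absent";
            // here the list is copied into a HashSet, so reject null explicitly
            // instead of failing with a NullPointerException.
            if (certProfiles == null) {
                throw new InvalidConfException("profiles of SCEP " + name + " must not be null");
            }
            ScepEntry dbEntry = new ScepEntry(name, caIdent, true, m.getResponderName(), new HashSet<>(certProfiles), m.getControl());
            sceps.put(name, dbEntry);
        }
    }
}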

Example 12 with X509CaEntry

use of org.xipki.ca.server.mgmt.api.x509.X509CaEntry in project xipki by xipki.

the class UnRevRmCertAction method getSerialNumber.

/**
 * Resolves the serial number of the certificate this command operates on.
 *
 * <p>The value of the {@code serialNumberS} option wins when present; otherwise
 * the serial number is read from the certificate in {@code certFile}, which must
 * be issued by the CA named {@code caName}.
 *
 * @return the serial number
 * @throws CmdFailure if the CA is unknown, is not an X.509 CA, or did not issue
 *         the certificate found in {@code certFile}
 * @throws IllegalCmdParamException if neither a serial number nor a certificate
 *         file was supplied
 * @throws CertificateException if {@code certFile} does not hold a parsable certificate
 * @throws IOException if {@code certFile} cannot be read
 */
protected BigInteger getSerialNumber() throws CmdFailure, IllegalCmdParamException, CertificateException, IOException {
    CaEntry caEntry = caManager.getCa(caName);
    if (caEntry == null) {
        throw new CmdFailure("CA " + caName + " not available");
    }
    if (!(caEntry instanceof X509CaEntry)) {
        throw new CmdFailure("CA " + caName + " is not an X.509-CA");
    }
    if (serialNumberS != null) {
        return toBigInt(serialNumberS);
    }
    if (certFile == null) {
        throw new IllegalCmdParamException("neither serialNumber nor certFile is specified");
    }
    X509Certificate issuerCert = ((X509CaEntry) caEntry).getCert();
    X509Certificate subjectCert = X509Util.parseCert(IoUtil.read(certFile));
    // A serial number only identifies a certificate relative to its issuer, so a
    // certificate supplied by file is accepted only if this CA issued it.
    // NOTE(review): what X509Util.issues verifies (issuer name, signature, ...)
    // is not visible here — confirm before relying on it as an authorization check.
    if (!X509Util.issues(issuerCert, subjectCert)) {
        throw new CmdFailure("certificate '" + certFile + "' is not issued by CA " + caName);
    }
    return subjectCert.getSerialNumber();
}

Example 13 with X509CaEntry

use of org.xipki.ca.server.mgmt.api.x509.X509CaEntry in project xipki by xipki.

the class CaCheckCmd method execute0.

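/**
 * Compares the expected CA settings from the command line against the CA entry
 * held by the CA manager.
 *
 * <p>Only the attributes that were supplied (non-null in the change entry) are
 * checked; each mismatch is reported by the assertion helpers, and the CA
 * certificate is compared via {@link X509Certificate#equals}, i.e. by encoding.
 *
 * @return always {@code null}
 * @throws CmdFailure if the CA does not exist, is not an X.509 CA, or its
 *         certificate differs from the expected one
 * @throws Exception propagated from the assertion helpers on any other mismatch
 */
@Override
protected Object execute0() throws Exception {
    X509ChangeCaEntry ey = getChangeCaEntry();
    String caName = ey.getIdent().getName();
    // Space added so the name does not run into the word "CA" in the output.
    println("checking CA " + caName);
    CaEntry entry = caManager.getCa(caName);
    if (entry == null) {
        throw new CmdFailure("could not find CA '" + caName + "'");
    }
    if (!(entry instanceof X509CaEntry)) {
        throw new CmdFailure("CA '" + caName + "' is not an X509-CA");
    }
    X509CaEntry ca = (X509CaEntry) entry;
    // CA cert uris
    if (ey.getCaCertUris() != null) {
        MgmtQaShellUtil.assertEquals("CA cert URIs", ey.getCaCertUris(), ca.getCaCertUris());
    }
    // CA certificate
    if (ey.getCert() != null) {
        if (!ey.getCert().equals(ca.getCert())) {
            throw new CmdFailure("CA cert is not as expected");
        }
    }
    // SN size
    if (ey.getSerialNoBitLen() != null) {
        assertObjEquals("serial number bit length", ey.getSerialNoBitLen(), ca.getSerialNoBitLen());
    }
    // CMP control name
    if (ey.getCmpControlName() != null) {
        MgmtQaShellUtil.assertEquals("CMP control name", ey.getCmpControlName(), ca.getCmpControlName());
    }
    // CRL signer name
    if (ey.getCrlSignerName() != null) {
        MgmtQaShellUtil.assertEquals("CRL signer name", ey.getCrlSignerName(), ca.getCrlSignerName());
    }
    // CRL uris
    if (ey.getCrlUris() != null) {
        MgmtQaShellUtil.assertEquals("CRL URIs", ey.getCrlUris(), ca.getCrlUris());
    }
    // DeltaCRL uris
    if (ey.getDeltaCrlUris() != null) {
        MgmtQaShellUtil.assertEquals("Delta CRL URIs", ey.getDeltaCrlUris(), ca.getDeltaCrlUris());
    }
    // Duplicate key mode
    if (ey.getDuplicateKeyPermitted() != null) {
        assertObjEquals("Duplicate key permitted", ey.getDuplicateKeyPermitted(), ca.isDuplicateKeyPermitted());
    }
    // Duplicate subject mode
    if (ey.getDuplicateSubjectPermitted() != null) {
        assertObjEquals("Duplicate subject permitted", ey.getDuplicateSubjectPermitted(), ca.isDuplicateSubjectPermitted());
    }
    // Expiration period
    if (ey.getExpirationPeriod() != null) {
        assertObjEquals("Expiration period", ey.getExpirationPeriod(), ca.getExpirationPeriod());
    }
    // Extra control
    if (ey.getExtraControl() != null) {
        assertObjEquals("Extra control", ey.getExtraControl(), ca.getExtraControl());
    }
    // Max validity
    if (ey.getMaxValidity() != null) {
        assertObjEquals("Max validity", ey.getMaxValidity(), ca.getMaxValidity());
    }
    // Keep expired certificate (label spelling fixed: "Expired")
    if (ey.getKeepExpiredCertInDays() != null) {
        assertObjEquals("keepExpiredCertInDays", ey.getKeepExpiredCertInDays(), ca.getKeepExpiredCertInDays());
    }
    // Num CRLs
    if (ey.getNumCrls() != null) {
        assertObjEquals("num CRLs", ey.getNumCrls(), ca.getNumCrls());
    }
    // OCSP uris
    if (ey.getOcspUris() != null) {
        MgmtQaShellUtil.assertEquals("OCSP URIs", ey.getOcspUris(), ca.getOcspUris());
    }
    // Permissions
    if (ey.getPermission() != null) {
        assertObjEquals("permission", ey.getPermission(), ca.getPermission());
    }
    // Responder name
    if (ey.getResponderName() != null) {
        MgmtQaShellUtil.assertEquals("responder name", ey.getResponderName(), ca.getResponderName());
    }
    // Signer Type
    if (ey.getSignerType() != null) {
        MgmtQaShellUtil.assertEquals("signer type", ey.getSignerType(), ca.getSignerType());
    }
    // Signer conf: the "keystore" pair is stripped from both sides before the
    // comparison, so keystore content is neither compared nor included in a
    // mismatch report. NOTE(review): presumably deliberate because that value may
    // hold key material — confirm; any other pair still shows up in the report.
    if (ey.getSignerConf() != null) {
        ConfPairs ex = new ConfPairs(ey.getSignerConf());
        ex.removePair("keystore");
        ConfPairs is = new ConfPairs(ca.getSignerConf());
        is.removePair("keystore");
        assertObjEquals("signer conf", ex, is);
    }
    // Status
    if (ey.getStatus() != null) {
        assertObjEquals("status", ey.getStatus(), ca.getStatus());
    }
    // validity mode
    if (ey.getValidityMode() != null) {
        assertObjEquals("validity mode", ey.getValidityMode(), ca.getValidityMode());
    }
    println(" checked CA " + caName);
    return null;
}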
