Example 1 with X509ChangeCaEntry
use of org.xipki.ca.server.mgmt.api.x509.X509ChangeCaEntry in project xipki by xipki.
the class CaUpdateCmd method getChangeCaEntry.
protected X509ChangeCaEntry getChangeCaEntry() throws Exception {
X509ChangeCaEntry entry = new X509ChangeCaEntry(new NameId(null, caName));
if (snBitLen != null) {
ParamUtil.requireRange("sn-bitlen", snBitLen, 63, 159);
entry.setSerialNoBitLen(snBitLen);
}
if (caStatus != null) {
entry.setStatus(CaStatus.forName(caStatus));
}
if (expirationPeriod != null && expirationPeriod < 0) {
throw new IllegalCmdParamException("invalid expirationPeriod: " + expirationPeriod);
} else {
entry.setExpirationPeriod(expirationPeriod);
}
if (keepExpiredCertInDays != null) {
entry.setKeepExpiredCertInDays(keepExpiredCertInDays);
}
if (certFile != null) {
entry.setCert(X509Util.parseCert(certFile));
}
if (signerConf != null) {
String tmpSignerType = signerType;
if (tmpSignerType == null) {
CaEntry caEntry = caManager.getCa(caName);
if (caEntry == null) {
throw new IllegalCmdParamException("please specify the signerType");
}
tmpSignerType = caEntry.getSignerType();
}
signerConf = ShellUtil.canonicalizeSignerConf(tmpSignerType, signerConf, passwordResolver, securityFactory);
entry.setSignerConf(signerConf);
}
if (duplicateKeyS != null) {
boolean permitted = isEnabled(duplicateKeyS, true, "duplicate-key");
entry.setDuplicateKeyPermitted(permitted);
}
if (duplicateSubjectS != null) {
boolean permitted = isEnabled(duplicateSubjectS, true, "duplicate-subject");
entry.setDuplicateSubjectPermitted(permitted);
}
if (saveReqS != null) {
boolean saveReq = isEnabled(saveReqS, true, "save-req");
entry.setSaveRequest(saveReq);
}
if (CollectionUtil.isNonEmpty(permissions)) {
int intPermission = ShellUtil.getPermission(permissions);
entry.setPermission(intPermission);
}
entry.setCrlUris(getUris(crlUris));
entry.setDeltaCrlUris(getUris(deltaCrlUris));
entry.setOcspUris(getUris(ocspUris));
entry.setCaCertUris(getUris(caCertUris));
if (validityModeS != null) {
ValidityMode validityMode = ValidityMode.forName(validityModeS);
entry.setValidityMode(validityMode);
}
if (maxValidity != null) {
entry.setMaxValidity(CertValidity.getInstance(maxValidity));
}
if (crlSignerName != null) {
entry.setCrlSignerName(crlSignerName);
}
if (cmpControlName != null) {
entry.setCmpControlName(cmpControlName);
}
if (responderName != null) {
entry.setResponderName(responderName);
}
if (extraControl != null) {
entry.setExtraControl(new ConfPairs(extraControl).unmodifiable());
}
if (numCrls != null) {
entry.setNumCrls(numCrls);
}
return entry;
}
Also used :
X509ChangeCaEntry(org.xipki.ca.server.mgmt.api.x509.X509ChangeCaEntry)
CaEntry(org.xipki.ca.server.mgmt.api.CaEntry)
ValidityMode(org.xipki.ca.server.mgmt.api.ValidityMode)
NameId(org.xipki.ca.api.NameId)
IllegalCmdParamException(org.xipki.console.karaf.IllegalCmdParamException)
ConfPairs(org.xipki.common.ConfPairs)
X509ChangeCaEntry(org.xipki.ca.server.mgmt.api.x509.X509ChangeCaEntry)
Example 2 with X509ChangeCaEntry
use of org.xipki.ca.server.mgmt.api.x509.X509ChangeCaEntry in project xipki by xipki.
the class CaManagerQueryExecutor method changeCa.
// method addPublisherToCa
void changeCa(ChangeCaEntry changeCaEntry, SecurityFactory securityFactory) throws CaMgmtException {
ParamUtil.requireNonNull("changeCaEntry", changeCaEntry);
ParamUtil.requireNonNull("securityFactory", securityFactory);
if (!(changeCaEntry instanceof X509ChangeCaEntry)) {
throw new CaMgmtException("unsupported ChangeCAEntry " + changeCaEntry.getClass().getName());
}
X509ChangeCaEntry entry = (X509ChangeCaEntry) changeCaEntry;
X509Certificate cert = entry.getCert();
if (cert != null) {
boolean anyCertIssued;
try {
anyCertIssued = datasource.columnExists(null, "CERT", "CA_ID", entry.getIdent().getId());
} catch (DataAccessException ex) {
throw new CaMgmtException(ex);
}
if (anyCertIssued) {
throw new CaMgmtException("Cannot change the certificate of CA, since it has issued certificates");
}
}
Integer serialNoBitLen = entry.getSerialNoBitLen();
CaStatus status = entry.getStatus();
List<String> crlUris = entry.getCrlUris();
List<String> deltaCrlUris = entry.getDeltaCrlUris();
List<String> ocspUris = entry.getOcspUris();
List<String> caCertUris = entry.getCaCertUris();
CertValidity maxValidity = entry.getMaxValidity();
String signerType = entry.getSignerType();
String signerConf = entry.getSignerConf();
String crlsignerName = entry.getCrlSignerName();
String responderName = entry.getResponderName();
String cmpcontrolName = entry.getCmpControlName();
Boolean duplicateKeyPermitted = entry.getDuplicateKeyPermitted();
Boolean duplicateSubjectPermitted = entry.getDuplicateSubjectPermitted();
Boolean saveReq = entry.getSaveRequest();
Integer permission = entry.getPermission();
Integer numCrls = entry.getNumCrls();
Integer expirationPeriod = entry.getExpirationPeriod();
Integer keepExpiredCertInDays = entry.getKeepExpiredCertInDays();
ValidityMode validityMode = entry.getValidityMode();
ConfPairs extraControl = entry.getExtraControl();
if (signerType != null || signerConf != null || cert != null) {
final String sql = "SELECT SIGNER_TYPE,CERT,SIGNER_CONF FROM CA WHERE ID=?";
PreparedStatement stmt = null;
ResultSet rs = null;
try {
stmt = prepareStatement(sql);
stmt.setInt(1, entry.getIdent().getId());
rs = stmt.executeQuery();
if (!rs.next()) {
throw new CaMgmtException("unknown CA '" + entry.getIdent());
}
String tmpSignerType = rs.getString("SIGNER_TYPE");
String tmpSignerConf = rs.getString("SIGNER_CONF");
String tmpB64Cert = rs.getString("CERT");
if (signerType != null) {
tmpSignerType = signerType;
}
if (signerConf != null) {
tmpSignerConf = getRealString(signerConf);
if (tmpSignerConf != null) {
tmpSignerConf = CaManagerImpl.canonicalizeSignerConf(tmpSignerType, tmpSignerConf, null, securityFactory);
}
}
X509Certificate tmpCert;
if (cert != null) {
tmpCert = cert;
} else {
try {
tmpCert = X509Util.parseBase64EncodedCert(tmpB64Cert);
} catch (CertificateException ex) {
throw new CaMgmtException("could not parse the stored certificate for CA '" + changeCaEntry.getIdent() + "'" + ex.getMessage(), ex);
}
}
try {
List<String[]> signerConfs = CaEntry.splitCaSignerConfs(tmpSignerConf);
for (String[] m : signerConfs) {
securityFactory.createSigner(tmpSignerType, new SignerConf(m[1]), tmpCert);
}
} catch (XiSecurityException | ObjectCreationException ex) {
throw new CaMgmtException("could not create signer for CA '" + changeCaEntry.getIdent() + "'" + ex.getMessage(), ex);
}
} catch (SQLException ex) {
throw new CaMgmtException(datasource, sql, ex);
} finally {
datasource.releaseResources(stmt, rs);
}
}
// end if (signerType)
StringBuilder sqlBuilder = new StringBuilder();
sqlBuilder.append("UPDATE CA SET ");
AtomicInteger index = new AtomicInteger(1);
Integer idxSnSize = addToSqlIfNotNull(sqlBuilder, index, serialNoBitLen, "SN_SIZE");
Integer idxStatus = addToSqlIfNotNull(sqlBuilder, index, status, "STATUS");
Integer idxSubject = addToSqlIfNotNull(sqlBuilder, index, cert, "SUBJECT");
Integer idxCert = addToSqlIfNotNull(sqlBuilder, index, cert, "CERT");
Integer idxCrlUris = addToSqlIfNotNull(sqlBuilder, index, crlUris, "CRL_URIS");
Integer idxDeltaCrlUris = addToSqlIfNotNull(sqlBuilder, index, deltaCrlUris, "DELTACRL_URIS");
Integer idxOcspUris = addToSqlIfNotNull(sqlBuilder, index, ocspUris, "OCSP_URIS");
Integer idxCaCertUris = addToSqlIfNotNull(sqlBuilder, index, caCertUris, "CACERT_URIS");
Integer idxMaxValidity = addToSqlIfNotNull(sqlBuilder, index, maxValidity, "MAX_VALIDITY");
Integer idxSignerType = addToSqlIfNotNull(sqlBuilder, index, signerType, "SIGNER_TYPE");
Integer idxCrlsignerName = addToSqlIfNotNull(sqlBuilder, index, crlsignerName, "CRLSIGNER_NAME");
Integer idxResponderName = addToSqlIfNotNull(sqlBuilder, index, responderName, "RESPONDER_NAME");
Integer idxCmpcontrolName = addToSqlIfNotNull(sqlBuilder, index, cmpcontrolName, "CMPCONTROL_NAME");
Integer idxDuplicateKey = addToSqlIfNotNull(sqlBuilder, index, duplicateKeyPermitted, "DUPLICATE_KEY");
Integer idxDuplicateSubject = addToSqlIfNotNull(sqlBuilder, index, duplicateKeyPermitted, "DUPLICATE_SUBJECT");
Integer idxSaveReq = addToSqlIfNotNull(sqlBuilder, index, saveReq, "SAVE_REQ");
Integer idxPermission = addToSqlIfNotNull(sqlBuilder, index, permission, "PERMISSION");
Integer idxNumCrls = addToSqlIfNotNull(sqlBuilder, index, numCrls, "NUM_CRLS");
Integer idxExpirationPeriod = addToSqlIfNotNull(sqlBuilder, index, expirationPeriod, "EXPIRATION_PERIOD");
Integer idxExpiredCerts = addToSqlIfNotNull(sqlBuilder, index, keepExpiredCertInDays, "KEEP_EXPIRED_CERT_DAYS");
Integer idxValidityMode = addToSqlIfNotNull(sqlBuilder, index, validityMode, "VALIDITY_MODE");
Integer idxExtraControl = addToSqlIfNotNull(sqlBuilder, index, extraControl, "EXTRA_CONTROL");
Integer idxSignerConf = addToSqlIfNotNull(sqlBuilder, index, signerConf, "SIGNER_CONF");
// delete the last ','
sqlBuilder.deleteCharAt(sqlBuilder.length() - 1);
sqlBuilder.append(" WHERE ID=?");
if (index.get() == 1) {
throw new IllegalArgumentException("nothing to change");
}
int idxId = index.get();
final String sql = sqlBuilder.toString();
StringBuilder sb = new StringBuilder();
PreparedStatement ps = null;
try {
ps = prepareStatement(sql);
if (idxSnSize != null) {
sb.append("sn_size: '").append(serialNoBitLen).append("'; ");
ps.setInt(idxSnSize, serialNoBitLen.intValue());
}
if (idxStatus != null) {
sb.append("status: '").append(status.name()).append("'; ");
ps.setString(idxStatus, status.name());
}
if (idxCert != null) {
String subject = X509Util.getRfc4519Name(cert.getSubjectX500Principal());
sb.append("cert: '").append(subject).append("'; ");
ps.setString(idxSubject, subject);
String base64Cert = Base64.encodeToString(cert.getEncoded());
ps.setString(idxCert, base64Cert);
}
if (idxCrlUris != null) {
String txt = StringUtil.collectionAsStringByComma(crlUris);
sb.append("crlUri: '").append(txt).append("'; ");
ps.setString(idxCrlUris, txt);
}
if (idxDeltaCrlUris != null) {
String txt = StringUtil.collectionAsStringByComma(deltaCrlUris);
sb.append("deltaCrlUri: '").append(txt).append("'; ");
ps.setString(idxDeltaCrlUris, txt);
}
if (idxOcspUris != null) {
String txt = StringUtil.collectionAsStringByComma(ocspUris);
sb.append("ocspUri: '").append(txt).append("'; ");
ps.setString(idxOcspUris, txt);
}
if (idxCaCertUris != null) {
String txt = StringUtil.collectionAsStringByComma(caCertUris);
sb.append("caCertUri: '").append(txt).append("'; ");
ps.setString(idxCaCertUris, txt);
}
if (idxMaxValidity != null) {
String txt = maxValidity.toString();
sb.append("maxValidity: '").append(txt).append("'; ");
ps.setString(idxMaxValidity, txt);
}
if (idxSignerType != null) {
sb.append("signerType: '").append(signerType).append("'; ");
ps.setString(idxSignerType, signerType);
}
if (idxSignerConf != null) {
sb.append("signerConf: '").append(SignerConf.toString(signerConf, false, true)).append("'; ");
ps.setString(idxSignerConf, signerConf);
}
if (idxCrlsignerName != null) {
String txt = getRealString(crlsignerName);
sb.append("crlSigner: '").append(txt).append("'; ");
ps.setString(idxCrlsignerName, txt);
}
if (idxResponderName != null) {
String txt = getRealString(responderName);
sb.append("responder: '").append(txt).append("'; ");
ps.setString(idxResponderName, txt);
}
if (idxCmpcontrolName != null) {
String txt = getRealString(cmpcontrolName);
sb.append("cmpControl: '").append(txt).append("'; ");
ps.setString(idxCmpcontrolName, txt);
}
if (idxDuplicateKey != null) {
sb.append("duplicateKey: '").append(duplicateKeyPermitted).append("'; ");
setBoolean(ps, idxDuplicateKey, duplicateKeyPermitted);
}
if (idxDuplicateSubject != null) {
sb.append("duplicateSubject: '").append(duplicateSubjectPermitted).append("'; ");
setBoolean(ps, idxDuplicateSubject, duplicateSubjectPermitted);
}
if (idxSaveReq != null) {
sb.append("saveReq: '").append(saveReq).append("'; ");
setBoolean(ps, idxSaveReq, saveReq);
}
if (idxPermission != null) {
sb.append("permission: '").append(permission).append("'; ");
ps.setInt(idxPermission, permission);
}
if (idxNumCrls != null) {
sb.append("numCrls: '").append(numCrls).append("'; ");
ps.setInt(idxNumCrls, numCrls);
}
if (idxExpirationPeriod != null) {
sb.append("expirationPeriod: '").append(expirationPeriod).append("'; ");
ps.setInt(idxExpirationPeriod, expirationPeriod);
}
if (idxExpiredCerts != null) {
sb.append("keepExpiredCertDays: '").append(keepExpiredCertInDays).append("'; ");
ps.setInt(idxExpiredCerts, keepExpiredCertInDays);
}
if (idxValidityMode != null) {
String txt = validityMode.name();
sb.append("validityMode: '").append(txt).append("'; ");
ps.setString(idxValidityMode, txt);
}
if (idxExtraControl != null) {
sb.append("extraControl: '").append(extraControl).append("'; ");
ps.setString(idxExtraControl, extraControl.getEncoded());
}
ps.setInt(idxId, changeCaEntry.getIdent().getId());
if (ps.executeUpdate() == 0) {
throw new CaMgmtException("could not change CA " + entry.getIdent());
}
if (sb.length() > 0) {
sb.deleteCharAt(sb.length() - 1).deleteCharAt(sb.length() - 1);
}
LOG.info("changed CA '{}': {}", changeCaEntry.getIdent(), sb);
} catch (SQLException ex) {
throw new CaMgmtException(datasource, sql, ex);
} catch (CertificateEncodingException ex) {
throw new CaMgmtException(ex);
} finally {
datasource.releaseResources(ps, null);
}
}
Also used :
CertValidity(org.xipki.ca.api.profile.CertValidity)
SQLException(java.sql.SQLException)
CertificateException(java.security.cert.CertificateException)
CaStatus(org.xipki.ca.server.mgmt.api.CaStatus)
ValidityMode(org.xipki.ca.server.mgmt.api.ValidityMode)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
ResultSet(java.sql.ResultSet)
DataAccessException(org.xipki.datasource.DataAccessException)
ConfPairs(org.xipki.common.ConfPairs)
SignerConf(org.xipki.security.SignerConf)
PreparedStatement(java.sql.PreparedStatement)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
X509ChangeCaEntry(org.xipki.ca.server.mgmt.api.x509.X509ChangeCaEntry)
X509Certificate(java.security.cert.X509Certificate)
AtomicInteger(java.util.concurrent.atomic.AtomicInteger)
CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException)
AtomicInteger(java.util.concurrent.atomic.AtomicInteger)
ObjectCreationException(org.xipki.common.ObjectCreationException)
Example 3 with X509ChangeCaEntry
use of org.xipki.ca.server.mgmt.api.x509.X509ChangeCaEntry in project xipki by xipki.
the class CaCheckCmd method execute0.
@Override
protected Object execute0() throws Exception {
X509ChangeCaEntry ey = getChangeCaEntry();
String caName = ey.getIdent().getName();
println("checking CA" + caName);
CaEntry entry = caManager.getCa(caName);
if (entry == null) {
throw new CmdFailure("could not find CA '" + caName + "'");
}
if (!(entry instanceof X509CaEntry)) {
throw new CmdFailure("CA '" + caName + "' is not an X509-CA");
}
X509CaEntry ca = (X509CaEntry) entry;
// CA cert uris
if (ey.getCaCertUris() != null) {
MgmtQaShellUtil.assertEquals("CA cert URIs", ey.getCaCertUris(), ca.getCaCertUris());
}
// CA certificate
if (ey.getCert() != null) {
if (!ey.getCert().equals(ca.getCert())) {
throw new CmdFailure("CA cert is not as expected");
}
}
// SN size
if (ey.getSerialNoBitLen() != null) {
assertObjEquals("serial number bit length", ey.getSerialNoBitLen(), ca.getSerialNoBitLen());
}
// CMP control name
if (ey.getCmpControlName() != null) {
MgmtQaShellUtil.assertEquals("CMP control name", ey.getCmpControlName(), ca.getCmpControlName());
}
// CRL signer name
if (ey.getCrlSignerName() != null) {
MgmtQaShellUtil.assertEquals("CRL signer name", ey.getCrlSignerName(), ca.getCrlSignerName());
}
// CRL uris
if (ey.getCrlUris() != null) {
MgmtQaShellUtil.assertEquals("CRL URIs", ey.getCrlUris(), ca.getCrlUris());
}
// DeltaCRL uris
if (ey.getDeltaCrlUris() != null) {
MgmtQaShellUtil.assertEquals("Delta CRL URIs", ey.getDeltaCrlUris(), ca.getDeltaCrlUris());
}
// Duplicate key mode
if (ey.getDuplicateKeyPermitted() != null) {
assertObjEquals("Duplicate key permitted", ey.getDuplicateKeyPermitted(), ca.isDuplicateKeyPermitted());
}
// Duplicate subject mode
if (ey.getDuplicateSubjectPermitted() != null) {
assertObjEquals("Duplicate subject permitted", ey.getDuplicateSubjectPermitted(), ca.isDuplicateSubjectPermitted());
}
// Expiration period
if (ey.getExpirationPeriod() != null) {
assertObjEquals("Expiration period", ey.getExpirationPeriod(), ca.getExpirationPeriod());
}
// Extra control
if (ey.getExtraControl() != null) {
assertObjEquals("Extra control", ey.getExtraControl(), ca.getExtraControl());
}
// Max validity
if (ey.getMaxValidity() != null) {
assertObjEquals("Max validity", ey.getMaxValidity(), ca.getMaxValidity());
}
// Keep expired certificate
if (ey.getKeepExpiredCertInDays() != null) {
assertObjEquals("keepExiredCertInDays", ey.getKeepExpiredCertInDays(), ca.getKeepExpiredCertInDays());
}
// Num CRLs
if (ey.getNumCrls() != null) {
assertObjEquals("num CRLs", ey.getNumCrls(), ca.getNumCrls());
}
// OCSP uris
if (ey.getOcspUris() != null) {
MgmtQaShellUtil.assertEquals("OCSP URIs", ey.getOcspUris(), ca.getOcspUris());
}
// Permissions
if (ey.getPermission() != null) {
assertObjEquals("permission", ey.getPermission(), ca.getPermission());
}
// Responder name
if (ey.getResponderName() != null) {
MgmtQaShellUtil.assertEquals("responder name", ey.getResponderName(), ca.getResponderName());
}
// Signer Type
if (ey.getSignerType() != null) {
MgmtQaShellUtil.assertEquals("signer type", ey.getSignerType(), ca.getSignerType());
}
if (ey.getSignerConf() != null) {
ConfPairs ex = new ConfPairs(ey.getSignerConf());
ex.removePair("keystore");
ConfPairs is = new ConfPairs(ca.getSignerConf());
is.removePair("keystore");
assertObjEquals("signer conf", ex, is);
}
// Status
if (ey.getStatus() != null) {
assertObjEquals("status", ey.getStatus(), ca.getStatus());
}
// validity mode
if (ey.getValidityMode() != null) {
assertObjEquals("validity mode", ey.getValidityMode(), ca.getValidityMode());
}
println(" checked CA" + caName);
return null;
}
Also used :
X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry)
CaEntry(org.xipki.ca.server.mgmt.api.CaEntry)
X509ChangeCaEntry(org.xipki.ca.server.mgmt.api.x509.X509ChangeCaEntry)
CmdFailure(org.xipki.console.karaf.CmdFailure)
ConfPairs(org.xipki.common.ConfPairs)
X509ChangeCaEntry(org.xipki.ca.server.mgmt.api.x509.X509ChangeCaEntry)
X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry)
Aggregations
X509ChangeCaEntry (org.xipki.ca.server.mgmt.api.x509.X509ChangeCaEntry)3
ConfPairs (org.xipki.common.ConfPairs)3
CaEntry (org.xipki.ca.server.mgmt.api.CaEntry)2
ValidityMode (org.xipki.ca.server.mgmt.api.ValidityMode)2
CertificateEncodingException (java.security.cert.CertificateEncodingException)1
CertificateException (java.security.cert.CertificateException)1
X509Certificate (java.security.cert.X509Certificate)1
PreparedStatement (java.sql.PreparedStatement)1
ResultSet (java.sql.ResultSet)1
SQLException (java.sql.SQLException)1
AtomicInteger (java.util.concurrent.atomic.AtomicInteger)1
NameId (org.xipki.ca.api.NameId)1
CertValidity (org.xipki.ca.api.profile.CertValidity)1
CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)1
CaStatus (org.xipki.ca.server.mgmt.api.CaStatus)1
X509CaEntry (org.xipki.ca.server.mgmt.api.x509.X509CaEntry)1
ObjectCreationException (org.xipki.common.ObjectCreationException)1
CmdFailure (org.xipki.console.karaf.CmdFailure)1
IllegalCmdParamException (org.xipki.console.karaf.IllegalCmdParamException)1
DataAccessException (org.xipki.datasource.DataAccessException)1
