Example 6 with InvalidConfException

use of org.xipki.common.InvalidConfException in project xipki by xipki.

the class X509SelfSignedCertBuilder method generateSelfSigned.

public static GenerateSelfSignedResult generateSelfSigned(SecurityFactory securityFactory, String signerType, String signerConf, IdentifiedX509Certprofile certprofile, CertificationRequest csr, BigInteger serialNumber, List<String> caCertUris, List<String> ocspUris, List<String> crlUris, List<String> deltaCrlUris, ConfPairs extraControl) throws OperationException, InvalidConfException {
    ParamUtil.requireNonNull("securityFactory", securityFactory);
    ParamUtil.requireNonBlank("signerType", signerType);
    ParamUtil.requireNonNull("certprofile", certprofile);
    ParamUtil.requireNonNull("csr", csr);
    ParamUtil.requireNonNull("serialNumber", serialNumber);
    // RFC 5280 requires a strictly positive serial number; reject zero and negatives
    if (serialNumber.signum() <= 0) {
        throw new IllegalArgumentException("serialNumber must be positive: " + serialNumber);
    }
    // Only a RootCA-level profile may be used for a self-signed CA certificate
    X509CertLevel level = certprofile.getCertLevel();
    if (X509CertLevel.RootCA != level) {
        throw new IllegalArgumentException("certprofile is not of level " + X509CertLevel.RootCA);
    }
    // Proof of possession: the CSR's signature must verify under the key the CSR carries;
    // an unverified CSR is not accepted as the certificate template
    if (!securityFactory.verifyPopo(csr, null)) {
        throw new InvalidConfException("could not validate POP for the CSR");
    }
    if ("pkcs12".equalsIgnoreCase(signerType) || "jks".equalsIgnoreCase(signerType)) {
        ConfPairs keyValues = new ConfPairs(signerConf);
        String keystoreConf = keyValues.value("keystore");
        if (keystoreConf == null) {
            throw new InvalidConfException("required parameter 'keystore' for types PKCS12 and JKS, is not specified");
        }
    }
    ConcurrentContentSigner signer;
    try {
        List<String[]> signerConfs = CaEntry.splitCaSignerConfs(signerConf);
        // The profile may restrict the signature algorithms; take the first restricted algorithm
        // the CA signer offers (profile order wins) and fail closed when none matches
        List<String> restrictedSigAlgos = certprofile.getSignatureAlgorithms();
        String thisSignerConf = null;
        if (CollectionUtil.isEmpty(restrictedSigAlgos)) {
            thisSignerConf = signerConfs.get(0)[1];
        } else {
            for (String algo : restrictedSigAlgos) {
                for (String[] m : signerConfs) {
                    if (m[0].equals(algo)) {
                        thisSignerConf = m[1];
                        break;
                    }
                }
                if (thisSignerConf != null) {
                    break;
                }
            }
        }
        if (thisSignerConf == null) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "CA does not support any signature algorithm restricted by the cert profile");
        }
        signer = securityFactory.createSigner(signerType, new SignerConf(thisSignerConf), (X509Certificate[]) null);
    } catch (XiSecurityException | ObjectCreationException ex) {
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
    SubjectPublicKeyInfo publicKeyInfo;
    if (signer.getCertificate() != null) {
        // the signer's certificate, if present, is only a placeholder: use it solely as a container for the public key
        Certificate bcCert;
        try {
            bcCert = Certificate.getInstance(signer.getCertificate().getEncoded());
        } catch (Exception ex) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "could not reparse certificate: " + ex.getMessage());
        }
        publicKeyInfo = bcCert.getSubjectPublicKeyInfo();
    } else {
        PublicKey signerPublicKey = signer.getPublicKey();
        try {
            publicKeyInfo = KeyUtil.createSubjectPublicKeyInfo(signerPublicKey);
        } catch (InvalidKeyException ex) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "cannot generate SubjectPublicKeyInfo from publicKey: " + ex.getMessage());
        }
    }
    X509Certificate newCert = generateCertificate(signer, certprofile, csr, serialNumber, publicKeyInfo, caCertUris, ocspUris, crlUris, deltaCrlUris, extraControl);
    return new GenerateSelfSignedResult(signerConf, newCert);
}
Also used : RSAPublicKey(java.security.interfaces.RSAPublicKey) ECPublicKey(java.security.interfaces.ECPublicKey) PublicKey(java.security.PublicKey) DSAPublicKey(java.security.interfaces.DSAPublicKey) InvalidConfException(org.xipki.common.InvalidConfException) ConfPairs(org.xipki.common.ConfPairs) SignerConf(org.xipki.security.SignerConf) InvalidKeyException(java.security.InvalidKeyException) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) CertprofileException(org.xipki.ca.api.profile.CertprofileException) ObjectCreationException(org.xipki.common.ObjectCreationException) XiSecurityException(org.xipki.security.exception.XiSecurityException) NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) OperationException(org.xipki.ca.api.OperationException) X509Certificate(java.security.cert.X509Certificate) ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner) X509CertLevel(org.xipki.ca.api.profile.x509.X509CertLevel) Certificate(org.bouncycastle.asn1.x509.Certificate)
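The method above delegates the proof-of-possession check to `securityFactory.verifyPopo` and the serial-number policy to its caller, so neither is visible here. The following is an added example, not xipki code, that shows what those two preflight checks amount to with plain BouncyCastle: a genuine CSR passes, a CSR that carries a public key the signer does not hold fails, and a zero serial is rejected. It assumes bcprov and bcpkix on the classpath; the class and method names, the 159-bit serial width and the `setBit` trick for a fixed-width positive serial are my own choices, not the project's generator.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/**
 * Added example (not xipki code): the preflight checks a root-CA generator runs on its
 * inputs before it signs anything. Assumes bcprov/bcpkix on the classpath.
 */
public class RootCaPreflight {

    /**
     * Proof of possession: the CSR's self-signature must verify under the public key the CSR
     * itself carries. A CSR failing this check may wrap a key the requester does not control.
     */
    static boolean verifyProofOfPossession(PKCS10CertificationRequest csr) throws Exception {
        JcaPKCS10CertificationRequest jcaCsr = new JcaPKCS10CertificationRequest(csr);
        return jcaCsr.isSignatureValid(
                new JcaContentVerifierProviderBuilder().build(jcaCsr.getPublicKey()));
    }

    /** RFC 5280 4.1.2.2: the serial number must be a positive integer; zero and negatives are rejected. */
    static BigInteger requirePositiveSerial(BigInteger serial) {
        if (serial == null || serial.signum() <= 0) {
            throw new IllegalArgumentException("serialNumber must be positive: " + serial);
        }
        return serial;
    }

    /**
     * Random serial of a fixed width (my choice of construction, not xipki's generator).
     * setBit keeps the width exactly bitLen and the value positive; the CA/Browser Forum
     * requires at least 64 bits of CSPRNG output in a serial.
     */
    static BigInteger randomSerial(int bitLen, SecureRandom rng) {
        return new BigInteger(bitLen, rng).setBit(bitLen - 1);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKey = kpg.generateKeyPair();
        X500Name subject = new X500Name("CN=Example Root CA,O=Example");

        // Constructed input: a genuine CSR, signed with the key it carries
        ContentSigner caSigner = new JcaContentSignerBuilder("SHA256withRSA").build(caKey.getPrivate());
        PKCS10CertificationRequest genuine =
                new JcaPKCS10CertificationRequestBuilder(subject, caKey.getPublic()).build(caSigner);
        System.out.println("genuine CSR POP valid: " + verifyProofOfPossession(genuine));

        // Constructed input: same subject and same signer, but the CSR carries a stranger's public key
        KeyPair stranger = kpg.generateKeyPair();
        PKCS10CertificationRequest mismatched =
                new JcaPKCS10CertificationRequestBuilder(subject, stranger.getPublic()).build(caSigner);
        System.out.println("mismatched CSR POP valid: " + verifyProofOfPossession(mismatched));

        BigInteger serial = requirePositiveSerial(randomSerial(159, new SecureRandom()));
        System.out.println("serial bit length: " + serial.bitLength());
        try {
            requirePositiveSerial(BigInteger.ZERO);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The mismatched CSR is the case the POP check exists for: the request is well-formed and correctly signed, but not by the holder of the key it asks to certify. A CA that skipped the check would issue a certificate binding the subject name to a key the requester cannot use, and, in the root-CA flow above, would do so with the CA's own signer.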

Example 7 with InvalidConfException

use of org.xipki.common.InvalidConfException in project xipki by xipki.

the class CaManagerImpl method createX509CrlSigner.

// Wraps a CRL-signer DB entry and initialises its signer; configuration and signer-creation failures surface as CaMgmtException
X509CrlSignerEntryWrapper createX509CrlSigner(X509CrlSignerEntry dbEntry) throws CaMgmtException {
    ParamUtil.requireNonNull("dbEntry", dbEntry);
    X509CrlSignerEntryWrapper signer = new X509CrlSignerEntryWrapper();
    try {
        signer.setDbEntry(dbEntry);
    } catch (InvalidConfException ex) {
        throw new CaMgmtException(concat("InvalidConfException: ", ex.getMessage()), ex);
    }
    try {
        signer.initSigner(securityFactory);
    } catch (XiSecurityException | OperationException | InvalidConfException ex) {
        String message = "could not create CRL signer " + dbEntry.getName();
        LogUtil.error(LOG, ex, message);
        if (ex instanceof OperationException) {
            throw new CaMgmtException(message + ": " + ((OperationException) ex).getErrorCode() + ", " + ex.getMessage());
        } else {
            throw new CaMgmtException(concat(message, ": ", ex.getMessage()));
        }
    }
    return signer;
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) XiSecurityException(org.xipki.security.exception.XiSecurityException) InvalidConfException(org.xipki.common.InvalidConfException) OperationException(org.xipki.ca.api.OperationException)

Example 8 with InvalidConfException

use of org.xipki.common.InvalidConfException in project xipki by xipki.

the class CaManagerImpl method generateRootCa.

// Generates a self-signed root CA certificate from the CA entry's signer and the CSR template, then registers the CA
@Override
public X509Certificate generateRootCa(X509CaEntry caEntry, String profileName, byte[] encodedCsr, BigInteger serialNumber) throws CaMgmtException {
    ParamUtil.requireNonNull("caEntry", caEntry);
    profileName = ParamUtil.requireNonBlank("profileName", profileName).toLowerCase();
    ParamUtil.requireNonNull("encodedCsr", encodedCsr);
    int numCrls = caEntry.getNumCrls();
    List<String> crlUris = caEntry.getCrlUris();
    List<String> deltaCrlUris = caEntry.getDeltaCrlUris();
    List<String> ocspUris = caEntry.getOcspUris();
    List<String> caCertUris = caEntry.getCaCertUris();
    String signerType = caEntry.getSignerType();
    asssertMasterMode();
    // Reject bad input with an exception rather than printing to stderr and returning null,
    // which the caller could not distinguish from a silent failure
    if (numCrls < 0) {
        throw new CaMgmtException("invalid numCrls: " + numCrls);
    }
    int expirationPeriod = caEntry.getExpirationPeriod();
    if (expirationPeriod < 0) {
        throw new CaMgmtException("invalid expirationPeriod: " + expirationPeriod);
    }
    CertificationRequest csr;
    try {
        csr = CertificationRequest.getInstance(encodedCsr);
    } catch (Exception ex) {
        throw new CaMgmtException("invalid encodedCsr: " + ex.getMessage(), ex);
    }
    IdentifiedX509Certprofile certprofile = getIdentifiedCertprofile(profileName);
    if (certprofile == null) {
        throw new CaMgmtException(concat("unknown certprofile ", profileName));
    }
    BigInteger serialOfThisCert = (serialNumber != null) ? serialNumber : RandomSerialNumberGenerator.getInstance().nextSerialNumber(caEntry.getSerialNoBitLen());
    GenerateSelfSignedResult result;
    try {
        result = X509SelfSignedCertBuilder.generateSelfSigned(securityFactory, signerType, caEntry.getSignerConf(), certprofile, csr, serialOfThisCert, caCertUris, ocspUris, crlUris, deltaCrlUris, caEntry.getExtraControl());
    } catch (OperationException | InvalidConfException ex) {
        throw new CaMgmtException(concat(ex.getClass().getName(), ": ", ex.getMessage()), ex);
    }
    String signerConf = result.getSignerConf();
    X509Certificate caCert = result.getCert();
    if ("PKCS12".equalsIgnoreCase(signerType) || "JKS".equalsIgnoreCase(signerType)) {
        try {
            signerConf = canonicalizeSignerConf(signerType, signerConf, new X509Certificate[] { caCert }, securityFactory);
        } catch (Exception ex) {
            throw new CaMgmtException(concat(ex.getClass().getName(), ": ", ex.getMessage()), ex);
        }
    }
    X509CaUris caUris = new X509CaUris(caCertUris, ocspUris, crlUris, deltaCrlUris);
    String name = caEntry.getIdent().getName();
    long nextCrlNumber = caEntry.getNextCrlNumber();
    CaStatus status = caEntry.getStatus();
    X509CaEntry entry = new X509CaEntry(new NameId(null, name), caEntry.getSerialNoBitLen(), nextCrlNumber, signerType, signerConf, caUris, numCrls, expirationPeriod);
    entry.setCert(caCert);
    entry.setCmpControlName(caEntry.getCmpControlName());
    entry.setCrlSignerName(caEntry.getCrlSignerName());
    entry.setDuplicateKeyPermitted(caEntry.isDuplicateKeyPermitted());
    entry.setDuplicateSubjectPermitted(caEntry.isDuplicateSubjectPermitted());
    entry.setExtraControl(caEntry.getExtraControl());
    entry.setKeepExpiredCertInDays(caEntry.getKeepExpiredCertInDays());
    entry.setMaxValidity(caEntry.getMaxValidity());
    entry.setPermission(caEntry.getPermission());
    entry.setResponderName(caEntry.getResponderName());
    entry.setSaveRequest(caEntry.isSaveRequest());
    entry.setStatus(status);
    entry.setValidityMode(caEntry.getValidityMode());
    addCa(entry);
    return caCert;
}
Also used : NameId(org.xipki.ca.api.NameId) InvalidConfException(org.xipki.common.InvalidConfException) CaStatus(org.xipki.ca.server.mgmt.api.CaStatus) CertprofileException(org.xipki.ca.api.profile.CertprofileException) KeyStoreException(java.security.KeyStoreException) XiSecurityException(org.xipki.security.exception.XiSecurityException) CertificateEncodingException(java.security.cert.CertificateEncodingException) SocketException(java.net.SocketException) IOException(java.io.IOException) CertPublisherException(org.xipki.ca.api.publisher.CertPublisherException) OperationException(org.xipki.ca.api.OperationException) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) ObjectCreationException(org.xipki.common.ObjectCreationException) DataAccessException(org.xipki.datasource.DataAccessException) JAXBException(javax.xml.bind.JAXBException) FileNotFoundException(java.io.FileNotFoundException) SAXException(org.xml.sax.SAXException) CertificateException(java.security.cert.CertificateException) PasswordResolverException(org.xipki.password.PasswordResolverException) X509Certificate(java.security.cert.X509Certificate) X509CaUris(org.xipki.ca.server.mgmt.api.x509.X509CaUris) GenerateSelfSignedResult(org.xipki.ca.server.impl.X509SelfSignedCertBuilder.GenerateSelfSignedResult) BigInteger(java.math.BigInteger) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry)

Example 9 with InvalidConfException

use of org.xipki.common.InvalidConfException in project xipki by xipki.

the class CaManagerQueryExecutor method getScep.

// Loads the SCEP configuration for the named entry; a malformed stored entry is reported as CaMgmtException
ScepEntry getScep(String name, CaIdNameMap idNameMap) throws CaMgmtException {
    ParamUtil.requireNonBlank("name", name);
    final String sql = sqls.sqlSelectScep;
    ResultSet rs = null;
    PreparedStatement ps = null;
    try {
        ps = prepareStatement(sql);
        ps.setString(1, name);
        rs = ps.executeQuery();
        if (!rs.next()) {
            throw new CaMgmtException("unknown SCEP " + name);
        }
        int caId = rs.getInt("CA_ID");
        boolean active = rs.getBoolean("ACTIVE");
        String profilesText = rs.getString("PROFILES");
        String control = rs.getString("CONTROL");
        String responderName = rs.getString("RESPONDER_NAME");
        Set<String> profiles = StringUtil.splitByCommaAsSet(profilesText);
        return new ScepEntry(name, idNameMap.getCa(caId), active, responderName, profiles, control);
    } catch (SQLException ex) {
        throw new CaMgmtException(datasource, sql, ex);
    } catch (InvalidConfException ex) {
        throw new CaMgmtException(ex);
    } finally {
        datasource.releaseResources(ps, rs);
    }
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) SQLException(java.sql.SQLException) ResultSet(java.sql.ResultSet) InvalidConfException(org.xipki.common.InvalidConfException) PreparedStatement(java.sql.PreparedStatement) ScepEntry(org.xipki.ca.server.mgmt.api.x509.ScepEntry)

Example 10 with InvalidConfException

use of org.xipki.common.InvalidConfException in project xipki by xipki.

the class CaManagerQueryExecutor method changeCrlSigner.

// Validates the new CRL-signer settings, constructs the signer, then persists only the supplied fields through a parameterised partial UPDATE
X509CrlSignerEntryWrapper changeCrlSigner(String name, String signerType, String signerConf, String base64Cert, String crlControl, CaManagerImpl caManager, SecurityFactory securityFactory) throws CaMgmtException {
    ParamUtil.requireNonBlank("name", name);
    ParamUtil.requireNonNull("caManager", caManager);
    StringBuilder sqlBuilder = new StringBuilder();
    sqlBuilder.append("UPDATE CRLSIGNER SET ");
    AtomicInteger index = new AtomicInteger(1);
    Integer idxSignerType = addToSqlIfNotNull(sqlBuilder, index, signerType, "SIGNER_TYPE");
    Integer idxSignerCert = addToSqlIfNotNull(sqlBuilder, index, base64Cert, "SIGNER_CERT");
    Integer idxCrlControl = addToSqlIfNotNull(sqlBuilder, index, crlControl, "CRL_CONTROL");
    Integer idxSignerConf = addToSqlIfNotNull(sqlBuilder, index, signerConf, "SIGNER_CONF");
    sqlBuilder.deleteCharAt(sqlBuilder.length() - 1);
    sqlBuilder.append(" WHERE NAME=?");
    if (index.get() == 1) {
        throw new IllegalArgumentException("nothing to change");
    }
    X509CrlSignerEntry dbEntry = createCrlSigner(name);
    String tmpSignerType = (signerType == null) ? dbEntry.getType() : signerType;
    String tmpCrlControl = crlControl;
    String tmpSignerConf;
    String tmpBase64Cert;
    if ("CA".equalsIgnoreCase(tmpSignerType)) {
        tmpSignerConf = null;
        tmpBase64Cert = null;
    } else {
        if (signerConf == null) {
            tmpSignerConf = dbEntry.getConf();
        } else {
            tmpSignerConf = CaManagerImpl.canonicalizeSignerConf(tmpSignerType, signerConf, null, securityFactory);
        }
        if (base64Cert == null) {
            tmpBase64Cert = dbEntry.getBase64Cert();
        } else {
            tmpBase64Cert = base64Cert;
        }
    }
    if (tmpCrlControl == null) {
        tmpCrlControl = dbEntry.crlControl();
    } else {
        // validate crlControl
        try {
            new CrlControl(tmpCrlControl);
        } catch (InvalidConfException ex) {
            throw new CaMgmtException(concat("invalid CRL control '", tmpCrlControl, "'"));
        }
    }
    try {
        dbEntry = new X509CrlSignerEntry(name, tmpSignerType, tmpSignerConf, tmpBase64Cert, tmpCrlControl);
    } catch (InvalidConfException ex) {
        throw new CaMgmtException(ex);
    }
    X509CrlSignerEntryWrapper crlSigner = caManager.createX509CrlSigner(dbEntry);
    final String sql = sqlBuilder.toString();
    PreparedStatement ps = null;
    try {
        StringBuilder sb = new StringBuilder();
        ps = prepareStatement(sql);
        if (idxSignerType != null) {
            sb.append("signerType: '").append(tmpSignerType).append("'; ");
            ps.setString(idxSignerType, tmpSignerType);
        }
        if (idxSignerConf != null) {
            String txt = getRealString(tmpSignerConf);
            sb.append("signerConf: '").append(SignerConf.toString(txt, false, true)).append("'; ");
            ps.setString(idxSignerConf, txt);
        }
        if (idxSignerCert != null) {
            String txt = getRealString(tmpBase64Cert);
            String subject = null;
            if (txt != null) {
                try {
                    subject = canonicalizName(X509Util.parseBase64EncodedCert(txt).getSubjectX500Principal());
                } catch (CertificateException ex) {
                    subject = "ERROR";
                }
            }
            sb.append("signerCert: '").append(subject).append("'; ");
            ps.setString(idxSignerCert, txt);
        }
        if (idxCrlControl != null) {
            sb.append("crlControl: '").append(tmpCrlControl).append("'; ");
            ps.setString(idxCrlControl, tmpCrlControl);
        }
        ps.setString(index.get(), name);
        if (ps.executeUpdate() == 0) {
            throw new CaMgmtException("could not change CRL signer " + name);
        }
        if (sb.length() > 0) {
            sb.setLength(sb.length() - 2); // drop the trailing "; "
        }
        LOG.info("changed CRL signer '{}': {}", name, sb);
        return crlSigner;
    } catch (SQLException ex) {
        throw new CaMgmtException(datasource, sql, ex);
    } finally {
        datasource.releaseResources(ps, null);
    }
}
Also used : CrlControl(org.xipki.ca.server.mgmt.api.x509.CrlControl) SQLException(java.sql.SQLException) InvalidConfException(org.xipki.common.InvalidConfException) PreparedStatement(java.sql.PreparedStatement) CertificateException(java.security.cert.CertificateException) AtomicInteger(java.util.concurrent.atomic.AtomicInteger) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) X509CrlSignerEntry(org.xipki.ca.server.mgmt.api.x509.X509CrlSignerEntry)
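The method above builds its UPDATE statement from only the fields that were supplied, relying on a helper `addToSqlIfNotNull` that is not shown on this page. The following is an added example, not xipki code, that reconstructs that pattern end to end and shows why it stays injection-safe: column names are compile-time constants, only the number of `?` placeholders varies, and every value, the `WHERE NAME=?` argument included, is bound as a parameter. It assumes the H2 JDBC driver on the classpath for an in-memory database; the table layout, the row, the `updateMode=...` control strings and the class and method names are constructed for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added example (not xipki code): a partial UPDATE assembled from the fields that changed,
 * with every value bound as a parameter. Assumes H2 on the classpath for jdbc:h2:mem.
 */
public class CrlSignerPartialUpdate {

    /** Appends "COLUMN=?," for a non-null value and returns the 1-based parameter index it occupies, else null. */
    static Integer addToSqlIfNotNull(StringBuilder sql, AtomicInteger index, String value, String column) {
        if (value == null) {
            return null;
        }
        sql.append(column).append("=?,");
        return index.getAndIncrement();
    }

    /** Updates only the non-null fields of the named CRL signer; returns the SQL text that was executed. */
    static String changeCrlSigner(Connection conn, String name, String signerType, String signerConf,
            String base64Cert, String crlControl) throws SQLException {
        StringBuilder sql = new StringBuilder("UPDATE CRLSIGNER SET ");
        AtomicInteger index = new AtomicInteger(1);
        Integer idxType = addToSqlIfNotNull(sql, index, signerType, "SIGNER_TYPE");
        Integer idxCert = addToSqlIfNotNull(sql, index, base64Cert, "SIGNER_CERT");
        Integer idxControl = addToSqlIfNotNull(sql, index, crlControl, "CRL_CONTROL");
        Integer idxConf = addToSqlIfNotNull(sql, index, signerConf, "SIGNER_CONF");
        if (index.get() == 1) {
            throw new IllegalArgumentException("nothing to change");
        }
        sql.setLength(sql.length() - 1); // drop the trailing comma
        sql.append(" WHERE NAME=?");
        String text = sql.toString();
        try (PreparedStatement ps = conn.prepareStatement(text)) {
            if (idxType != null) ps.setString(idxType, signerType);
            if (idxCert != null) ps.setString(idxCert, base64Cert);
            if (idxControl != null) ps.setString(idxControl, crlControl);
            if (idxConf != null) ps.setString(idxConf, signerConf);
            ps.setString(index.get(), name); // the WHERE parameter always takes the last index
            if (ps.executeUpdate() == 0) {
                throw new SQLException("could not change CRL signer " + name);
            }
        }
        return text;
    }

    static String readCrlControl(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT CRL_CONTROL FROM CRLSIGNER WHERE NAME=?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:ca");
                Statement st = conn.createStatement()) {
            // Constructed schema and row standing in for the CRLSIGNER table
            st.execute("CREATE TABLE CRLSIGNER (NAME VARCHAR(45) PRIMARY KEY, SIGNER_TYPE VARCHAR(100), "
                    + "SIGNER_CONF VARCHAR(4000), SIGNER_CERT VARCHAR(4000), CRL_CONTROL VARCHAR(1000))");
            st.execute("INSERT INTO CRLSIGNER VALUES ('crlsigner1', 'CA', NULL, NULL, 'updateMode=interval')");

            // Only CRL_CONTROL changes, so the statement carries exactly two placeholders
            String sql = changeCrlSigner(conn, "crlsigner1", null, null, null, "updateMode=onDemand");
            System.out.println(sql);
            System.out.println("CRL_CONTROL is now " + readCrlControl(conn, "crlsigner1"));

            // A hostile name is bound as data: it matches no row and cannot widen the WHERE clause
            try {
                changeCrlSigner(conn, "crlsigner1' OR '1'='1", "CA", null, null, null);
            } catch (SQLException ex) {
                System.out.println("rejected: " + ex.getMessage());
            }
            System.out.println("CRL_CONTROL still " + readCrlControl(conn, "crlsigner1"));
        }
    }
}
```

The invariant worth checking in review is that `index` is advanced once per appended placeholder and nowhere else, so the `WHERE` argument always lands on the last index; if a future column were appended without going through `addToSqlIfNotNull`, the parameter positions would silently shift.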

Aggregations

InvalidConfException (org.xipki.common.InvalidConfException)20 CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)10 PreparedStatement (java.sql.PreparedStatement)6 SQLException (java.sql.SQLException)6 IOException (java.io.IOException)5 CertificateException (java.security.cert.CertificateException)5 ObjectCreationException (org.xipki.common.ObjectCreationException)5 XiSecurityException (org.xipki.security.exception.XiSecurityException)5 BigInteger (java.math.BigInteger)4 X509Certificate (java.security.cert.X509Certificate)4 OperationException (org.xipki.ca.api.OperationException)4 JAXBException (javax.xml.bind.JAXBException)3 CmpControlEntry (org.xipki.ca.server.mgmt.api.CmpControlEntry)3 SAXException (org.xml.sax.SAXException)3 CertificateEncodingException (java.security.cert.CertificateEncodingException)2 ResultSet (java.sql.ResultSet)2 ArrayList (java.util.ArrayList)2 HashSet (java.util.HashSet)2 AtomicInteger (java.util.concurrent.atomic.AtomicInteger)2 JAXBContext (javax.xml.bind.JAXBContext)2