Example 41 with CmdFailure
use of org.xipki.console.karaf.CmdFailure in project xipki by xipki.
the class CrlSignerUpdateCmd method execute0.
// method getCrlSignerChangeEntry
@Override
protected Object execute0() throws Exception {
String msg = "CRL signer " + name;
try {
caManager.changeCrlSigner(getCrlSignerChangeEntry());
println("updated " + msg);
return null;
} catch (CaMgmtException ex) {
throw new CmdFailure("could not update " + msg + ", error: " + ex.getMessage(), ex);
}
}
Also used :
CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException)
CmdFailure(org.xipki.console.karaf.CmdFailure)
Example 42 with CmdFailure
use of org.xipki.console.karaf.CmdFailure in project xipki by xipki.
the class EnvUpdateCmd method execute0.
@Override
protected Object execute0() throws Exception {
String msg = "the environment " + name + "=" + getRealString(value);
try {
caManager.changeEnvParam(name, value);
println("updated " + msg);
return null;
} catch (CaMgmtException ex) {
throw new CmdFailure("could not update " + msg + ", error: " + ex.getMessage(), ex);
}
}
Also used :
CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException)
CmdFailure(org.xipki.console.karaf.CmdFailure)
Example 43 with CmdFailure
use of org.xipki.console.karaf.CmdFailure in project xipki by xipki.
the class GetCaCertCmd method execute0.
@Override
protected Object execute0() throws Exception {
if (caName != null) {
caName = caName.toLowerCase();
}
Set<String> caNames = caClient.getCaNames();
if (isEmpty(caNames)) {
throw new CmdFailure("no CA is configured");
}
if (caName != null && !caNames.contains(caName)) {
throw new IllegalCmdParamException("CA " + caName + " is not within the configured CAs " + caNames);
}
if (caName == null) {
if (caNames.size() == 1) {
caName = caNames.iterator().next();
} else {
throw new IllegalCmdParamException("no CA is specified, one of " + caNames + " is required");
}
}
Certificate caCert;
try {
caCert = caClient.getCaCert(caName);
} catch (Exception ex) {
throw new CmdFailure("Error while retrieving CA certificate: " + ex.getMessage());
}
if (caCert == null) {
throw new CmdFailure("received no CA certificate");
}
saveVerbose("saved CA certificate to file", new File(outFile), caCert.getEncoded());
return null;
}
Also used :
CmdFailure(org.xipki.console.karaf.CmdFailure)
IllegalCmdParamException(org.xipki.console.karaf.IllegalCmdParamException)
File(java.io.File)
IllegalCmdParamException(org.xipki.console.karaf.IllegalCmdParamException)
Certificate(java.security.cert.Certificate)
Example 44 with CmdFailure
use of org.xipki.console.karaf.CmdFailure in project xipki by xipki.
the class RevokeCertCmd method execute0.
@Override
protected Object execute0() throws Exception {
if (!(certFile == null ^ getSerialNumber() == null)) {
throw new IllegalCmdParamException("exactly one of cert and serial must be specified");
}
CrlReason crlReason = CrlReason.forNameOrText(reason);
if (!CrlReason.PERMITTED_CLIENT_CRLREASONS.contains(crlReason)) {
throw new IllegalCmdParamException("reason " + reason + " is not permitted");
}
CertIdOrError certIdOrError;
Date invalidityDate = null;
if (isNotBlank(invalidityDateS)) {
invalidityDate = DateUtil.parseUtcTimeyyyyMMddhhmmss(invalidityDateS);
}
if (certFile != null) {
X509Certificate cert = X509Util.parseCert(certFile);
RequestResponseDebug debug = getRequestResponseDebug();
try {
certIdOrError = caClient.revokeCert(caName, cert, crlReason.getCode(), invalidityDate, debug);
} finally {
saveRequestResponse(debug);
}
} else {
RequestResponseDebug debug = getRequestResponseDebug();
try {
certIdOrError = caClient.revokeCert(caName, getSerialNumber(), crlReason.getCode(), invalidityDate, debug);
} finally {
saveRequestResponse(debug);
}
}
if (certIdOrError.getError() != null) {
PkiStatusInfo error = certIdOrError.getError();
throw new CmdFailure("revocation failed: " + error);
} else {
println("revoked certificate");
}
return null;
}
Also used :
RequestResponseDebug(org.xipki.common.RequestResponseDebug)
CmdFailure(org.xipki.console.karaf.CmdFailure)
IllegalCmdParamException(org.xipki.console.karaf.IllegalCmdParamException)
CertIdOrError(org.xipki.ca.client.api.CertIdOrError)
PkiStatusInfo(org.xipki.cmp.PkiStatusInfo)
CrlReason(org.xipki.security.CrlReason)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
Example 45 with CmdFailure
use of org.xipki.console.karaf.CmdFailure in project xipki by xipki.
the class OcspStatusCmd method processResponse.
@Override
protected Object processResponse(OCSPResp response, X509Certificate respIssuer, IssuerHash issuerHash, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts) throws Exception {
ParamUtil.requireNonNull("response", response);
ParamUtil.requireNonNull("issuerHash", issuerHash);
ParamUtil.requireNonNull("serialNumbers", serialNumbers);
BasicOCSPResp basicResp = OcspUtils.extractBasicOcspResp(response);
boolean extendedRevoke = basicResp.getExtension(ObjectIdentifiers.id_pkix_ocsp_extendedRevoke) != null;
SingleResp[] singleResponses = basicResp.getResponses();
if (singleResponses == null || singleResponses.length == 0) {
throw new CmdFailure("received no status from server");
}
final int n = singleResponses.length;
if (n != serialNumbers.size()) {
throw new CmdFailure("received status with " + n + " single responses from server, but " + serialNumbers.size() + " were requested");
}
Date[] thisUpdates = new Date[n];
for (int i = 0; i < n; i++) {
thisUpdates[i] = singleResponses[i].getThisUpdate();
}
// check the signature if available
if (null == basicResp.getSignature()) {
println("response is not signed");
} else {
X509CertificateHolder[] responderCerts = basicResp.getCerts();
if (responderCerts == null || responderCerts.length < 1) {
throw new CmdFailure("no responder certificate is contained in the response");
}
ResponderID respId = basicResp.getResponderId().toASN1Primitive();
X500Name respIdByName = respId.getName();
byte[] respIdByKey = respId.getKeyHash();
X509CertificateHolder respSigner = null;
for (X509CertificateHolder cert : responderCerts) {
if (respIdByName != null) {
if (cert.getSubject().equals(respIdByName)) {
respSigner = cert;
}
} else {
byte[] spkiSha1 = HashAlgo.SHA1.hash(cert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes());
if (Arrays.equals(respIdByKey, spkiSha1)) {
respSigner = cert;
}
}
if (respSigner != null) {
break;
}
}
if (respSigner == null) {
throw new CmdFailure("no responder certificate match the ResponderId");
}
boolean validOn = true;
for (Date thisUpdate : thisUpdates) {
validOn = respSigner.isValidOn(thisUpdate);
if (!validOn) {
throw new CmdFailure("responder certificate is not valid on " + thisUpdate);
}
}
if (validOn) {
PublicKey responderPubKey = KeyUtil.generatePublicKey(respSigner.getSubjectPublicKeyInfo());
ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(responderPubKey);
boolean sigValid = basicResp.isSignatureValid(cvp);
if (!sigValid) {
throw new CmdFailure("response is equipped with invalid signature");
}
// verify the OCSPResponse signer
if (respIssuer != null) {
boolean certValid = true;
X509Certificate jceRespSigner = X509Util.toX509Cert(respSigner.toASN1Structure());
if (X509Util.issues(respIssuer, jceRespSigner)) {
try {
jceRespSigner.verify(respIssuer.getPublicKey());
} catch (SignatureException ex) {
certValid = false;
}
}
if (!certValid) {
throw new CmdFailure("response is equipped with valid signature but the" + " OCSP signer is not trusted");
}
} else {
println("response is equipped with valid signature");
}
// end if(respIssuer)
}
if (verbose.booleanValue()) {
println("responder is " + X509Util.getRfc4519Name(responderCerts[0].getSubject()));
}
}
for (int i = 0; i < n; i++) {
if (n > 1) {
println("---------------------------- " + i + "----------------------------");
}
SingleResp singleResp = singleResponses[i];
CertificateStatus singleCertStatus = singleResp.getCertStatus();
String status;
if (singleCertStatus == null) {
status = "good";
} else if (singleCertStatus instanceof RevokedStatus) {
RevokedStatus revStatus = (RevokedStatus) singleCertStatus;
Date revTime = revStatus.getRevocationTime();
Date invTime = null;
Extension ext = singleResp.getExtension(Extension.invalidityDate);
if (ext != null) {
invTime = ASN1GeneralizedTime.getInstance(ext.getParsedValue()).getDate();
}
if (revStatus.hasRevocationReason()) {
int reason = revStatus.getRevocationReason();
if (extendedRevoke && reason == CrlReason.CERTIFICATE_HOLD.getCode() && revTime.getTime() == 0) {
status = "unknown (RFC6960)";
} else {
status = StringUtil.concatObjects("revoked, reason = ", CrlReason.forReasonCode(reason).getDescription(), ", revocationTime = ", revTime, (invTime == null ? "" : ", invalidityTime = " + invTime));
}
} else {
status = "revoked, no reason, revocationTime = " + revTime;
}
} else if (singleCertStatus instanceof UnknownStatus) {
status = "unknown (RFC2560)";
} else {
status = "ERROR";
}
StringBuilder msg = new StringBuilder();
CertificateID certId = singleResp.getCertID();
HashAlgo hashAlgo = HashAlgo.getNonNullInstance(certId.getHashAlgOID());
boolean issuerMatch = issuerHash.match(hashAlgo, certId.getIssuerNameHash(), certId.getIssuerKeyHash());
BigInteger serialNumber = certId.getSerialNumber();
msg.append("issuer matched: ").append(issuerMatch);
msg.append("\nserialNumber: ").append(LogUtil.formatCsn(serialNumber));
msg.append("\nCertificate status: ").append(status);
if (verbose.booleanValue()) {
msg.append("\nthisUpdate: ").append(singleResp.getThisUpdate());
msg.append("\nnextUpdate: ").append(singleResp.getNextUpdate());
Extension extension = singleResp.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash);
if (extension != null) {
msg.append("\nCertHash is provided:\n");
ASN1Encodable extensionValue = extension.getParsedValue();
CertHash certHash = CertHash.getInstance(extensionValue);
ASN1ObjectIdentifier hashAlgOid = certHash.getHashAlgorithm().getAlgorithm();
byte[] hashValue = certHash.getCertificateHash();
msg.append("\tHash algo : ").append(hashAlgOid.getId()).append("\n");
msg.append("\tHash value: ").append(Hex.encode(hashValue)).append("\n");
if (encodedCerts != null) {
byte[] encodedCert = encodedCerts.get(serialNumber);
MessageDigest md = MessageDigest.getInstance(hashAlgOid.getId());
byte[] expectedHashValue = md.digest(encodedCert);
if (Arrays.equals(expectedHashValue, hashValue)) {
msg.append("\tThis matches the requested certificate");
} else {
msg.append("\tThis differs from the requested certificate");
}
}
}
// end if (extension != null)
extension = singleResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_archive_cutoff);
if (extension != null) {
ASN1Encodable extensionValue = extension.getParsedValue();
ASN1GeneralizedTime time = ASN1GeneralizedTime.getInstance(extensionValue);
msg.append("\nArchive-CutOff: ");
msg.append(time.getTimeString());
}
AlgorithmIdentifier sigAlg = basicResp.getSignatureAlgorithmID();
if (sigAlg == null) {
msg.append(("\nresponse is not signed"));
} else {
String sigAlgName = AlgorithmUtil.getSignatureAlgoName(sigAlg);
if (sigAlgName == null) {
sigAlgName = "unknown";
}
msg.append("\nresponse is signed with ").append(sigAlgName);
}
// extensions
msg.append("\nExtensions: ");
List<?> extensionOids = basicResp.getExtensionOIDs();
if (extensionOids == null || extensionOids.size() == 0) {
msg.append("-");
} else {
int size = extensionOids.size();
for (int j = 0; j < size; j++) {
ASN1ObjectIdentifier extensionOid = (ASN1ObjectIdentifier) extensionOids.get(j);
String name = EXTENSION_OIDNAME_MAP.get(extensionOid);
if (name == null) {
msg.append(extensionOid.getId());
} else {
msg.append(name);
}
if (j != size - 1) {
msg.append(", ");
}
}
}
}
// end if (verbose.booleanValue())
println(msg.toString());
}
// end for
println("");
return null;
}
Also used :
HashAlgo(org.xipki.security.HashAlgo)
ResponderID(org.bouncycastle.asn1.ocsp.ResponderID)
ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime)
X500Name(org.bouncycastle.asn1.x500.X500Name)
SignatureException(java.security.SignatureException)
UnknownStatus(org.bouncycastle.cert.ocsp.UnknownStatus)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
CmdFailure(org.xipki.console.karaf.CmdFailure)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
MessageDigest(java.security.MessageDigest)
SingleResp(org.bouncycastle.cert.ocsp.SingleResp)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
CertHash(org.bouncycastle.asn1.isismtt.ocsp.CertHash)
PublicKey(java.security.PublicKey)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
CertificateStatus(org.bouncycastle.cert.ocsp.CertificateStatus)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
Extension(org.bouncycastle.asn1.x509.Extension)
RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Aggregations
CmdFailure (org.xipki.console.karaf.CmdFailure)99
CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)52
File (java.io.File)20
X509Certificate (java.security.cert.X509Certificate)20
IllegalCmdParamException (org.xipki.console.karaf.IllegalCmdParamException)15
BigInteger (java.math.BigInteger)9
NameId (org.xipki.ca.api.NameId)9
X509CRL (java.security.cert.X509CRL)7
ArrayList (java.util.ArrayList)6
Date (java.util.Date)6
CaEntry (org.xipki.ca.server.mgmt.api.CaEntry)6
RequestResponseDebug (org.xipki.common.RequestResponseDebug)6
PublisherEntry (org.xipki.ca.server.mgmt.api.PublisherEntry)5
ScepClient (org.xipki.scep.client.ScepClient)4
DEROctetString (org.bouncycastle.asn1.DEROctetString)3
CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)3
X500Name (org.bouncycastle.asn1.x500.X500Name)3
Client (org.jscep.client.Client)3
CertprofileEntry (org.xipki.ca.server.mgmt.api.CertprofileEntry)3
X509CrlSignerEntry (org.xipki.ca.server.mgmt.api.x509.X509CrlSignerEntry)3
