
Example 1 with CrlInfo

use of org.xipki.ocsp.api.CrlInfo in project xipki by xipki.

the class ImportCrl method importCa.

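/**
 * Inserts or updates the ISSUER row for the CA certificate of the CRL being imported and
 * returns the row's ID.
 *
 * <p>The row is looked up by the SHA-1 fingerprint of the encoded CA certificate (column S1C).
 * A CRL may only be imported if it is a full CRL for a new issuer, or if its number is not
 * smaller than the one already recorded; re-importing the same number is allowed so that an
 * interrupted import can be resumed. A delta CRL must reference the full CRL currently on file.
 *
 * @param conn the database connection to use (owned by the caller)
 * @return the ID of the inserted or updated ISSUER row
 * @throws DataAccessException if a SQL operation fails (translated by the datasource)
 * @throws ImportCrlException if the CA certificate cannot be encoded, the issuer exists but was
 *     not imported from a CRL, the CRL is older than the stored one, a delta CRL does not match
 *     the stored full CRL, or the new CrlInfo cannot be encoded
 */
private int importCa(Connection conn) throws DataAccessException, ImportCrlException {
    byte[] encodedCaCert;
    try {
        encodedCaCert = caCert.getEncoded();
    } catch (CertificateEncodingException ex) {
        // keep the cause; a bare message hides why the encoding failed
        throw new ImportCrlException("could not encode CA certificate", ex);
    }
    // ISSUER rows are identified by the base64 SHA-1 fingerprint of the CA certificate
    String fpCaCert = HashAlgo.SHA1.base64Hash(encodedCaCert);

    // Step 1: look up an existing ISSUER row for this CA.
    Integer issuerId = null;
    CrlInfo crlInfo = null;
    PreparedStatement ps = null;
    ResultSet rs = null;
    String sql = "SELECT ID,CRL_INFO FROM ISSUER WHERE S1C=?";
    try {
        ps = datasource.prepareStatement(conn, sql);
        ps.setString(1, fpCaCert);
        rs = ps.executeQuery();
        if (rs.next()) {
            issuerId = rs.getInt("ID");
            String str = rs.getString("CRL_INFO");
            if (str == null) {
                // the issuer was created by another path (no CRL_INFO); CRL import cannot extend it
                throw new ImportCrlException("RequestIssuer for the given CA of CRL exists, but not imported from CRL");
            }
            crlInfo = new CrlInfo(str);
        }
    } catch (SQLException ex) {
        throw datasource.translate(sql, ex);
    } finally {
        releaseResources(ps, rs);
    }

    // Step 2: derive the CrlInfo to store.
    boolean addNew = (issuerId == null);
    if (addNew) {
        if (isDeltaCrl) {
            throw new ImportCrlException("Given CRL is a deltaCRL for the full CRL with number " + baseCrlNumber + ", please import this full CRL first.");
        }
        crlInfo = new CrlInfo(crlNumber, null, useCrlUpdates, crl.getThisUpdate(), crl.getNextUpdate(), crlId);
    } else {
        // Only strictly older CRLs are rejected; the same number is accepted again so that an
        // import that failed half-way can be resumed.
        if (crlNumber.compareTo(crlInfo.getCrlNumber()) < 0) {
            throw new ImportCrlException("Given CRL is not newer than existing CRL.");
        }
        if (isDeltaCrl) {
            // the full CRL on file is either the recorded base or, if none, the recorded CRL itself
            BigInteger lastFullCrlNumber = crlInfo.getBaseCrlNumber();
            if (lastFullCrlNumber == null) {
                lastFullCrlNumber = crlInfo.getCrlNumber();
            }
            if (!baseCrlNumber.equals(lastFullCrlNumber)) {
                // report the base number the delta CRL refers to, not the delta's own number
                throw new ImportCrlException("Given CRL is a deltaCRL for the full CRL with number " + baseCrlNumber + ", please import this full CRL first.");
            }
        }
        crlInfo.setCrlNumber(crlNumber);
        crlInfo.setBaseCrlNumber(isDeltaCrl ? baseCrlNumber : null);
        crlInfo.setThisUpdate(crl.getThisUpdate());
        crlInfo.setNextUpdate(crl.getNextUpdate());
    }

    // Step 3: write the row. The same parameter list is used for both statements; the INSERT
    // just has the identifying columns in front and the UPDATE has the ID at the end.
    ps = null;
    rs = null;
    if (addNew) {
        // IDs are assigned as max(ID)+1; assumes the caller serializes concurrent imports
        int maxId = (int) datasource.getMax(conn, "ISSUER", "ID");
        issuerId = maxId + 1;
        sql = "INSERT INTO ISSUER (ID,SUBJECT,NBEFORE,NAFTER,S1C,CERT,REV,RT,RIT,CRL_INFO)" + " VALUES(?,?,?,?,?,?,?,?,?,?)";
    } else {
        sql = "UPDATE ISSUER SET REV=?,RT=?,RIT=?,CRL_INFO=? WHERE ID=?";
    }
    try {
        ps = datasource.prepareStatement(conn, sql);
        int offset = 1;
        if (addNew) {
            String subject = X509Util.getRfc4519Name(caCert.getSubjectX500Principal());
            ps.setInt(offset++, issuerId);
            ps.setString(offset++, subject);
            // validity is stored in seconds since the epoch
            ps.setLong(offset++, caCert.getNotBefore().getTime() / 1000);
            ps.setLong(offset++, caCert.getNotAfter().getTime() / 1000);
            ps.setString(offset++, fpCaCert);
            ps.setString(offset++, Base64.encodeToString(encodedCaCert));
        }
        // REV / RT / RIT: revocation state of the CA itself
        ps.setInt(offset++, (caRevInfo == null) ? 0 : 1);
        Date revTime = (caRevInfo == null) ? null : caRevInfo.getRevocationTime();
        Date revInvTime = (caRevInfo == null) ? null : caRevInfo.getInvalidityTime();
        if (revTime != null) {
            ps.setLong(offset++, revTime.getTime() / 1000);
        } else {
            ps.setNull(offset++, Types.BIGINT);
        }
        if (revInvTime != null) {
            ps.setLong(offset++, revInvTime.getTime() / 1000);
        } else {
            ps.setNull(offset++, Types.BIGINT);
        }
        // CRL_INFO
        try {
            ps.setString(offset++, crlInfo.getEncoded());
        } catch (IOException ex) {
            throw new ImportCrlException("could not encode the Crlinfo", ex);
        }
        if (!addNew) {
            ps.setInt(offset++, issuerId.intValue());
        }
        ps.executeUpdate();
        return issuerId.intValue();
    } catch (SQLException ex) {
        throw datasource.translate(sql, ex);
    } finally {
        releaseResources(ps, rs);
    }
}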

Example 2 with CrlInfo

use of org.xipki.ocsp.api.CrlInfo in project xipki by xipki.

the class DbCertStatusStore method getCertStatus.

// method initIssuerStore
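/**
 * Returns the status of the certificate with the given serial number issued by {@code reqIssuer}.
 *
 * <p>Answers UNKNOWN for non-positive serial numbers without a database lookup, {@code null} if
 * the issuer is not known to this store, and otherwise GOOD / REVOKED / UNKNOWN / IGNORE as read
 * from the certificate table. thisUpdate/nextUpdate are taken from the imported CRL if the
 * issuer's CrlInfo says so, otherwise thisUpdate is "now" and nextUpdate is absent.
 *
 * @param time the evaluation time used for the not-yet-valid / expired checks
 * @param reqIssuer the issuer hashes taken from the OCSP request
 * @param serialNumber the certificate serial number
 * @param includeCertHash whether to read and return the stored certificate hash
 * @param includeRit whether to read the revocation invalidity time
 * @param inheritCaRevocation whether a revoked issuer overrides a GOOD/UNKNOWN answer (and a
 *     REVOKED answer whose revocation time lies after the CA's) with reason CA_COMPROMISE
 * @return the status, or {@code null} if the issuer is unknown
 * @throws OcspStoreException if the store is still initializing, initialization failed, or the
 *     database access fails (the DataAccessException is kept as the cause)
 */
@Override
public CertStatusInfo getCertStatus(Date time, RequestIssuer reqIssuer, BigInteger serialNumber, boolean includeCertHash, boolean includeRit, boolean inheritCaRevocation) throws OcspStoreException {
    if (serialNumber.signum() != 1) {
        // non-positive serial numbers cannot exist; answer without touching the database
        return CertStatusInfo.getUnknownCertStatusInfo(new Date(), null);
    }
    if (!initialized) {
        throw new OcspStoreException("initialization of CertStore is still in process");
    }
    if (initializationFailed) {
        throw new OcspStoreException("initialization of CertStore failed");
    }
    String sql;
    try {
        IssuerEntry issuer = issuerStore.getIssuerForFp(reqIssuer);
        if (issuer == null) {
            return null;
        }
        // pick the pre-built query that reads exactly the columns requested
        if (includeCertHash) {
            sql = includeRit ? sqlCsWithCertHash : sqlCsNoRitWithCertHash;
        } else {
            sql = includeRit ? sqlCs : sqlCsNoRit;
        }
        CrlInfo crlInfo = issuer.getCrlInfo();
        Date thisUpdate;
        Date nextUpdate = null;
        if (crlInfo != null && crlInfo.isUseCrlUpdates()) {
            thisUpdate = crlInfo.getThisUpdate();
            // a CRL need not carry nextUpdate (X509CRL.getNextUpdate() is nullable); only
            // advertise it while it is still at least 10 seconds in the future
            Date crlNextUpdate = crlInfo.getNextUpdate();
            if (crlNextUpdate != null && crlNextUpdate.getTime() - System.currentTimeMillis() > 10 * 1000) {
                nextUpdate = crlNextUpdate;
            }
        } else {
            thisUpdate = new Date();
        }

        // raw values read from the row; interpreted after the resources are released
        ResultSet rs = null;
        CertStatusInfo certStatusInfo = null;
        boolean unknown = true;
        boolean ignore = false;
        String certprofile = null;
        String b64CertHash = null;
        boolean revoked = false;
        int reason = 0;
        long revTime = 0;
        long invalTime = 0;
        // NOTE(review): the connection obtained here is only released if releaseDbResources
        // returns it via the statement — confirm against the datasource implementation
        PreparedStatement ps = datasource.prepareStatement(datasource.getConnection(), sql);
        try {
            ps.setInt(1, issuer.getId());
            // serial numbers are stored as hex strings
            ps.setString(2, serialNumber.toString(16));
            rs = ps.executeQuery();
            if (rs.next()) {
                unknown = false;
                long timeInSec = time.getTime() / 1000;
                // NBEFORE/NAFTER are seconds since the epoch; 0 means "not recorded"
                if (ignoreNotYetValidCert) {
                    long notBeforeInSec = rs.getLong("NBEFORE");
                    if (notBeforeInSec != 0 && timeInSec < notBeforeInSec) {
                        ignore = true;
                    }
                }
                if (!ignore && ignoreExpiredCert) {
                    long notAfterInSec = rs.getLong("NAFTER");
                    if (notAfterInSec != 0 && timeInSec > notAfterInSec) {
                        ignore = true;
                    }
                }
                if (!ignore) {
                    if (includeCertHash) {
                        b64CertHash = rs.getString("HASH");
                    }
                    revoked = rs.getBoolean("REV");
                    if (revoked) {
                        reason = rs.getInt("RR");
                        revTime = rs.getLong("RT");
                        if (includeRit) {
                            invalTime = rs.getLong("RIT");
                        }
                    }
                }
            }
        } catch (SQLException ex) {
            throw datasource.translate(sql, ex);
        } finally {
            releaseDbResources(ps, rs);
        }

        // build the answer from the values read above
        if (unknown) {
            if (unknownSerialAsGood) {
                certStatusInfo = CertStatusInfo.getGoodCertStatusInfo(certHashAlgo, null, thisUpdate, nextUpdate, null);
            } else {
                certStatusInfo = CertStatusInfo.getUnknownCertStatusInfo(thisUpdate, nextUpdate);
            }
        } else if (ignore) {
            certStatusInfo = CertStatusInfo.getIgnoreCertStatusInfo(thisUpdate, nextUpdate);
        } else {
            byte[] certHash = (b64CertHash == null) ? null : Base64.decodeFast(b64CertHash);
            if (revoked) {
                // an invalidity time equal to the revocation time carries no information
                Date invTime = (invalTime == 0 || invalTime == revTime) ? null : new Date(invalTime * 1000);
                CertRevocationInfo revInfo = new CertRevocationInfo(reason, new Date(revTime * 1000), invTime);
                certStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(revInfo, certHashAlgo, certHash, thisUpdate, nextUpdate, certprofile);
            } else {
                certStatusInfo = CertStatusInfo.getGoodCertStatusInfo(certHashAlgo, certHash, thisUpdate, nextUpdate, certprofile);
            }
        }
        if (includeCrlId && crlInfo != null) {
            certStatusInfo.setCrlId(crlInfo.getCrlId());
        }
        if (includeArchiveCutoff && retentionInterval != 0) {
            Date date;
            // a negative retention interval keeps expired certificates in the store for ever
            if (retentionInterval < 0) {
                date = issuer.getNotBefore();
            } else {
                long nowInMs = System.currentTimeMillis();
                long dateInMs = Math.max(issuer.getNotBefore().getTime(), nowInMs - DAY * retentionInterval);
                date = new Date(dateInMs);
            }
            certStatusInfo.setArchiveCutOff(date);
        }

        // optionally let a revoked issuer override the certificate's own status
        if ((!inheritCaRevocation) || issuer.getRevocationInfo() == null) {
            return certStatusInfo;
        }
        CertRevocationInfo caRevInfo = issuer.getRevocationInfo();
        CertStatus certStatus = certStatusInfo.getCertStatus();
        boolean replaced = false;
        if (certStatus == CertStatus.GOOD || certStatus == CertStatus.UNKNOWN) {
            replaced = true;
        } else if (certStatus == CertStatus.REVOKED) {
            // the earlier of the two revocations wins
            if (certStatusInfo.getRevocationInfo().getRevocationTime().after(caRevInfo.getRevocationTime())) {
                replaced = true;
            }
        }
        if (replaced) {
            CertRevocationInfo newRevInfo;
            if (caRevInfo.getReason() == CrlReason.CA_COMPROMISE) {
                newRevInfo = caRevInfo;
            } else {
                newRevInfo = new CertRevocationInfo(CrlReason.CA_COMPROMISE, caRevInfo.getRevocationTime(), caRevInfo.getInvalidityTime());
            }
            certStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(newRevInfo, certStatusInfo.getCertHashAlgo(), certStatusInfo.getCertHash(), certStatusInfo.getThisUpdate(), certStatusInfo.getNextUpdate(), certStatusInfo.getCertprofile());
        }
        return certStatusInfo;
    } catch (DataAccessException ex) {
        throw new OcspStoreException(ex.getMessage(), ex);
    }
}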

Example 3 with CrlInfo

use of org.xipki.ocsp.api.CrlInfo in project xipki by xipki.

the class DbCertStatusStore method initIssuerStore.

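/**
 * (Re)loads the ISSUER table into {@code issuerStore}.
 *
 * <p>When the store is already initialized, a cheap query of ID/REV/RT/S1C is run first and the
 * full reload is skipped if the set of issuer IDs is unchanged and no entry differs. Otherwise
 * every issuer passing {@code issuerFilter} is parsed (certificate, CRL_INFO, revocation) into a
 * new {@code IssuerStore}. Any failure is logged and leaves the store marked as
 * {@code initialized} with {@code initializationFailed} set, so lookups fail fast instead of
 * blocking. A concurrent run is prevented by {@code storeUpdateInProcess}; the flag is cleared on
 * every exit path, including the early return when nothing changed.
 */
private synchronized void initIssuerStore() {
    if (storeUpdateInProcess.get()) {
        return;
    }
    storeUpdateInProcess.set(true);
    try {
        if (initialized) {
            // cheap change detection before the full reload
            final String sql = "SELECT ID,REV,RT,S1C FROM ISSUER";
            PreparedStatement ps = preparedStatement(sql);
            ResultSet rs = null;
            try {
                Map<Integer, SimpleIssuerEntry> newIssuers = new HashMap<>();
                rs = ps.executeQuery();
                while (rs.next()) {
                    String sha1Fp = rs.getString("S1C");
                    if (!issuerFilter.includeIssuerWithSha1Fp(sha1Fp)) {
                        continue;
                    }
                    int id = rs.getInt("ID");
                    boolean revoked = rs.getBoolean("REV");
                    // RT is stored in seconds; null when the issuer is not revoked
                    Long revTimeMs = revoked ? rs.getLong("RT") * 1000 : null;
                    newIssuers.put(id, new SimpleIssuerEntry(id, revTimeMs));
                }
                Set<Integer> newIds = newIssuers.keySet();
                Set<Integer> ids = (issuerStore != null) ? issuerStore.getIds() : Collections.emptySet();
                boolean issuersUnchanged = (ids.size() == newIds.size()) && ids.containsAll(newIds) && newIds.containsAll(ids);
                if (issuersUnchanged) {
                    for (Integer id : newIds) {
                        IssuerEntry entry = issuerStore.getIssuerForId(id);
                        SimpleIssuerEntry newEntry = newIssuers.get(id);
                        // NOTE(review): treating a match as a change looks inverted — if
                        // SimpleIssuerEntry.match() returns true for equal entries, this reloads
                        // when nothing changed and skips the reload when every entry changed;
                        // verify against SimpleIssuerEntry before touching it
                        if (newEntry.match(entry)) {
                            issuersUnchanged = false;
                            break;
                        }
                    }
                }
                if (issuersUnchanged) {
                    return;
                }
            } finally {
                releaseDbResources(ps, rs);
            }
        }

        // full reload
        final String sql = "SELECT ID,NBEFORE,REV,RT,S1C,CERT,CRL_INFO FROM ISSUER";
        PreparedStatement ps = preparedStatement(sql);
        ResultSet rs = null;
        try {
            rs = ps.executeQuery();
            List<IssuerEntry> caInfos = new LinkedList<>();
            while (rs.next()) {
                String sha1Fp = rs.getString("S1C");
                if (!issuerFilter.includeIssuerWithSha1Fp(sha1Fp)) {
                    continue;
                }
                int id = rs.getInt("ID");
                String b64Cert = rs.getString("CERT");
                X509Certificate cert = X509Util.parseBase64EncodedCert(b64Cert);
                IssuerEntry caInfoEntry = new IssuerEntry(id, cert);
                String crlInfoStr = rs.getString("CRL_INFO");
                if (StringUtil.isNotBlank(crlInfoStr)) {
                    caInfoEntry.setCrlInfo(new CrlInfo(crlInfoStr));
                }
                // two issuers with the same subject/key hash would make OCSP lookups ambiguous
                RequestIssuer reqIssuer = new RequestIssuer(HashAlgo.SHA1, caInfoEntry.getEncodedHash(HashAlgo.SHA1));
                for (IssuerEntry existingIssuer : caInfos) {
                    if (existingIssuer.matchHash(reqIssuer)) {
                        throw new IllegalStateException("found at least two issuers with the same subject and key");
                    }
                }
                boolean revoked = rs.getBoolean("REV");
                if (revoked) {
                    long lo = rs.getLong("RT");
                    caInfoEntry.setRevocationInfo(new Date(lo * 1000));
                }
                caInfos.add(caInfoEntry);
            }
            // mark as not initialized while the store reference is swapped
            initialized = false;
            this.issuerStore = new IssuerStore(caInfos);
            LOG.info("Updated issuers: {}", name);
            initializationFailed = false;
            initialized = true;
        } finally {
            releaseDbResources(ps, rs);
        }
    } catch (Throwable th) {
        LogUtil.error(LOG, th, "could not executing initIssuerStore()");
        initializationFailed = true;
        initialized = true;
    } finally {
        // must be cleared on success and on the early return as well, not only on failure;
        // otherwise every later call returns at the top and the store is never refreshed again
        storeUpdateInProcess.set(false);
    }
}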
