use of org.xipki.security.CertRevocationInfo in project xipki by xipki.
the class DbCertStatusStore method getCertStatus.
// (end-of-method marker carried over from the preceding method, initIssuerStore; the method listed below is getCertStatus)
/**
 * Looks up the OCSP status of a single certificate in the database-backed status store.
 *
 * @param time                point in time the status is evaluated for; only consulted by the
 *                            not-yet-valid / expired checks when {@code ignoreNotYetValidCert}
 *                            or {@code ignoreExpiredCert} is set
 * @param reqIssuer           issuer identification from the OCSP request
 * @param serialNumber        serial number of the certificate; must be positive
 * @param includeCertHash     whether the stored certificate hash is read and returned
 * @param includeRit          whether the revocation invalidity time column is read
 * @param inheritCaRevocation whether a revoked issuer overrides the certificate's own status
 * @return the status, or {@code null} if the requested issuer is not served by this store
 * @throws OcspStoreException if the store is not (yet) usable or the database access fails
 */
@Override
public CertStatusInfo getCertStatus(Date time, RequestIssuer reqIssuer, BigInteger serialNumber, boolean includeCertHash, boolean includeRit, boolean inheritCaRevocation) throws OcspStoreException {
    if (serialNumber.signum() != 1) {
        // non-positive serial number (RFC 5280 requires a positive one): answered as
        // "unknown" up front, without touching the database
        return CertStatusInfo.getUnknownCertStatusInfo(new Date(), null);
    }
    // the store must be fully initialized before any lookup is answered
    if (!initialized) {
        throw new OcspStoreException("initialization of CertStore is still in process");
    }
    if (initializationFailed) {
        throw new OcspStoreException("initialization of CertStore failed");
    }
    String sql;
    try {
        IssuerEntry issuer = issuerStore.getIssuerForFp(reqIssuer);
        if (issuer == null) {
            // unknown issuer: caller decides how to answer (null is not an OCSP status here)
            return null;
        }
        // four prepared statement variants, depending on which optional columns are needed
        if (includeCertHash) {
            sql = includeRit ? sqlCsWithCertHash : sqlCsNoRitWithCertHash;
        } else {
            sql = includeRit ? sqlCs : sqlCsNoRit;
        }
        // thisUpdate/nextUpdate come from the imported CRL when the issuer is configured to
        // use CRL update times; otherwise thisUpdate is "now" and no nextUpdate is given
        CrlInfo crlInfo = issuer.getCrlInfo();
        Date thisUpdate;
        Date nextUpdate = null;
        if (crlInfo != null && crlInfo.isUseCrlUpdates()) {
            thisUpdate = crlInfo.getThisUpdate();
            // only advertise nextUpdate while it is still more than 10 seconds in the future,
            // so that clients never receive a nextUpdate that is already in the past.
            // NOTE(review): assumes getNextUpdate() is non-null whenever isUseCrlUpdates() — confirm
            if (crlInfo.getNextUpdate().getTime() - System.currentTimeMillis() > 10 * 1000) {
                nextUpdate = crlInfo.getNextUpdate();
            }
        } else {
            thisUpdate = new Date();
        }
        ResultSet rs = null;
        CertStatusInfo certStatusInfo = null;
        boolean unknown = true;
        boolean ignore = false;
        String certprofile = null; // never assigned in this method; the responses carry no profile
        String b64CertHash = null;
        boolean revoked = false;
        int reason = 0;
        long revTime = 0; // seconds since epoch, as stored
        long invalTime = 0; // seconds since epoch, as stored
        PreparedStatement ps = datasource.prepareStatement(datasource.getConnection(), sql);
        try {
            // lookup key: issuer id + upper-case-free hex serial (no leading zeros, as BigInteger renders it)
            ps.setInt(1, issuer.getId());
            ps.setString(2, serialNumber.toString(16));
            rs = ps.executeQuery();
            if (rs.next()) {
                unknown = false;
                long timeInSec = time.getTime() / 1000;
                // "ignore" = the certificate exists but is outside its validity period at 'time';
                // a stored 0 means the bound is not recorded and is not checked
                if (!ignore && ignoreNotYetValidCert) { // '!ignore' is always true here
                    long notBeforeInSec = rs.getLong("NBEFORE");
                    if (notBeforeInSec != 0 && timeInSec < notBeforeInSec) {
                        ignore = true;
                    }
                }
                if (!ignore && ignoreExpiredCert) {
                    long notAfterInSec = rs.getLong("NAFTER");
                    if (notAfterInSec != 0 && timeInSec > notAfterInSec) {
                        ignore = true;
                    }
                }
                if (!ignore) {
                    if (includeCertHash) {
                        b64CertHash = rs.getString("HASH");
                    }
                    revoked = rs.getBoolean("REV");
                    if (revoked) {
                        reason = rs.getInt("RR");
                        revTime = rs.getLong("RT");
                        if (includeRit) {
                            invalTime = rs.getLong("RIT");
                        }
                    }
                }
            }
            // end if (rs.next())
        } catch (SQLException ex) {
            throw datasource.translate(sql, ex);
        } finally {
            // statement, result set (and the connection behind them) are released on every path
            releaseDbResources(ps, rs);
        }
        if (unknown) {
            // no row for this serial: either "good" (store configured to trust the CA's
            // completeness) or "unknown"
            if (unknownSerialAsGood) {
                certStatusInfo = CertStatusInfo.getGoodCertStatusInfo(certHashAlgo, null, thisUpdate, nextUpdate, null);
            } else {
                certStatusInfo = CertStatusInfo.getUnknownCertStatusInfo(thisUpdate, nextUpdate);
            }
        } else {
            if (ignore) {
                certStatusInfo = CertStatusInfo.getIgnoreCertStatusInfo(thisUpdate, nextUpdate);
            } else {
                byte[] certHash = (b64CertHash == null) ? null : Base64.decodeFast(b64CertHash);
                if (revoked) {
                    // an invalidity time of 0 or equal to the revocation time carries no extra
                    // information and is dropped from the response
                    Date invTime = (invalTime == 0 || invalTime == revTime) ? null : new Date(invalTime * 1000);
                    CertRevocationInfo revInfo = new CertRevocationInfo(reason, new Date(revTime * 1000), invTime);
                    certStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(revInfo, certHashAlgo, certHash, thisUpdate, nextUpdate, certprofile);
                } else {
                    certStatusInfo = CertStatusInfo.getGoodCertStatusInfo(certHashAlgo, certHash, thisUpdate, nextUpdate, certprofile);
                }
            }
        }
        if (includeCrlId && crlInfo != null) {
            certStatusInfo.setCrlId(crlInfo.getCrlId());
        }
        // archiveCutoff: how far back this responder keeps status for expired certificates.
        // A negative retentionInterval means "for ever", so the cutoff is the issuer's notBefore.
        if (includeArchiveCutoff) {
            if (retentionInterval != 0) {
                Date date;
                // expired certificate remains in status store for ever
                if (retentionInterval < 0) {
                    date = issuer.getNotBefore();
                } else {
                    long nowInMs = System.currentTimeMillis();
                    date = new Date(Math.max(issuer.getNotBefore().getTime(), nowInMs - DAY * retentionInterval));
                }
                certStatusInfo.setArchiveCutOff(date);
            }
        }
        // --- CA revocation inheritance ---------------------------------------------------
        // If the issuing CA itself is revoked, its revocation takes precedence over GOOD and
        // UNKNOWN, and over REVOKED when the certificate was revoked *after* the CA was.
        // The reported reason is always caCompromise, regardless of the CA's own reason.
        if ((!inheritCaRevocation) || issuer.getRevocationInfo() == null) {
            return certStatusInfo;
        }
        CertRevocationInfo caRevInfo = issuer.getRevocationInfo();
        CertStatus certStatus = certStatusInfo.getCertStatus();
        boolean replaced = false;
        if (certStatus == CertStatus.GOOD || certStatus == CertStatus.UNKNOWN) {
            replaced = true;
        } else if (certStatus == CertStatus.REVOKED) {
            if (certStatusInfo.getRevocationInfo().getRevocationTime().after(caRevInfo.getRevocationTime())) {
                replaced = true;
            }
        }
        if (replaced) {
            CertRevocationInfo newRevInfo;
            if (caRevInfo.getReason() == CrlReason.CA_COMPROMISE) {
                // NOTE(review): the issuer's own CertRevocationInfo instance is placed into the
                // response; CertRevocationInfo is mutable (it has setReason), so any later
                // mutation of the response object would leak into the shared issuer entry — confirm
                newRevInfo = caRevInfo;
            } else {
                newRevInfo = new CertRevocationInfo(CrlReason.CA_COMPROMISE, caRevInfo.getRevocationTime(), caRevInfo.getInvalidityTime());
            }
            certStatusInfo = CertStatusInfo.getRevokedCertStatusInfo(newRevInfo, certStatusInfo.getCertHashAlgo(), certStatusInfo.getCertHash(), certStatusInfo.getThisUpdate(), certStatusInfo.getNextUpdate(), certStatusInfo.getCertprofile());
        }
        return certStatusInfo;
    } catch (DataAccessException ex) {
        // translated SQL errors (and other data-access failures) surface as store exceptions
        throw new OcspStoreException(ex.getMessage(), ex);
    }
}
use of org.xipki.security.CertRevocationInfo in project xipki by xipki.
the class IssuerEntry method setRevocationInfo.
/**
 * Records that this issuer (CA) has been revoked at the given time.
 *
 * The stored reason is always {@code CA_COMPROMISE} and no invalidity time is kept;
 * the actual reason of the CA's revocation is not preserved by this setter.
 *
 * @param revocationTime when the CA was revoked; must not be {@code null}
 */
public void setRevocationInfo(Date revocationTime) {
    ParamUtil.requireNonNull("revocationTime", revocationTime);
    CertRevocationInfo caRevocation = new CertRevocationInfo(CrlReason.CA_COMPROMISE, revocationTime, null);
    this.revocationInfo = caRevocation;
}
use of org.xipki.security.CertRevocationInfo in project xipki by xipki.
the class X509Ca method revokeCertificate0.
// (end-of-method marker carried over from the preceding method, removeCertificate0; the method listed below is revokeCertificate0)
/**
 * Revokes the certificate with the given serial number in the certificate store and
 * notifies the configured publishers.
 *
 * The revocation time is the current time; {@code invalidityTime} is passed through as
 * supplied. Synchronous publishers are called directly; asynchronous ones, and synchronous
 * ones that fail or throw, are served later via the publish queue.
 *
 * @param serialNumber   serial number of the certificate to revoke
 * @param reason         CRL reason to record
 * @param invalidityTime optional invalidity date, may be {@code null}
 * @param force          forwarded to the certificate store
 * @param event          audit event that receives serial, reason and invalidity time
 * @return the revoked certificate with its revocation info, or {@code null} if the store
 *         did not revoke anything
 * @throws OperationException propagated from the certificate store
 */
private X509CertWithRevocationInfo revokeCertificate0(BigInteger serialNumber, CrlReason reason, Date invalidityTime, boolean force, AuditEvent event) throws OperationException {
    String hexSerial = LogUtil.formatCsn(serialNumber);
    String reasonText = reason.getDescription();

    // audit trail first, so a failing store call is still visible with its parameters
    event.addEventData(CaAuditConstants.NAME_serial, hexSerial);
    event.addEventData(CaAuditConstants.NAME_reason, reasonText);
    if (invalidityTime != null) {
        event.addEventData(CaAuditConstants.NAME_invalidityTime, DateUtil.toUtcTimeyyyyMMddhhmmss(invalidityTime));
    }
    LOG.info(" START revokeCertificate: ca={}, serialNumber={}, reason={}, invalidityTime={}", caIdent, hexSerial, reasonText, invalidityTime);

    // NOTE(review): invalidityTime is not validated here (e.g. not in the future, not after
    // the revocation time) — presumably checked by the caller; confirm
    CertRevocationInfo revInfo = new CertRevocationInfo(reason, new Date(), invalidityTime);
    X509CertWithRevocationInfo revokedCert = certstore.revokeCertificate(caIdent, serialNumber, revInfo, force, shouldPublishToDeltaCrlCache(), caIdNameMap);
    if (revokedCert == null) {
        return null;
    }

    for (IdentifiedX509CertPublisher publisher : publishers()) {
        boolean delivered = !publisher.isAsyn() && publishRevocationSync(publisher, revokedCert);
        if (delivered) {
            continue;
        }
        // asynchronous publisher, or synchronous delivery failed: hand over to the publish queue
        Long certId = revokedCert.getCert().getCertId();
        try {
            certstore.addToPublishQueue(publisher.getIdent(), certId.longValue(), caIdent);
        } catch (Throwable th) {
            // best effort: a queue failure must not undo an already persisted revocation
            LogUtil.error(LOG, th, "could not add entry to PublishQueue");
        }
    }

    if (LOG.isInfoEnabled()) {
        LOG.info("SUCCESSFUL revokeCertificate: ca={}, serialNumber={}, reason={}, invalidityTime={}," + " revocationResult=REVOKED", caIdent, hexSerial, reasonText, invalidityTime);
    }
    return revokedCert;
}

/**
 * Pushes one revocation synchronously to a publisher.
 *
 * @return {@code true} if the publisher reported success; {@code false} if it reported
 *         failure or threw a {@link RuntimeException} (which is logged, not propagated)
 */
private boolean publishRevocationSync(IdentifiedX509CertPublisher publisher, X509CertWithRevocationInfo revokedCert) {
    try {
        return publisher.certificateRevoked(caCert, revokedCert.getCert(), revokedCert.getCertprofile(), revokedCert.getRevInfo());
    } catch (RuntimeException ex) {
        LogUtil.error(LOG, ex, "could not publish revocation of certificate to the publisher " + publisher.getIdent());
        return false;
    }
}
use of org.xipki.security.CertRevocationInfo in project xipki by xipki.
the class CertStoreQueryExecutor method revokeSuspendedCert.
// (end-of-method marker carried over from the preceding method, revokeCert; the method listed below is revokeSuspendedCert)
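/**
 * Converts a suspended certificate (currently revoked with reason {@code certificateHold})
 * into a permanently revoked one with the given reason.
 *
 * The only accepted starting state is {@code CERTIFICATE_HOLD}; an unrevoked certificate or
 * one revoked for any other reason is rejected, so this cannot be used to change the reason
 * of an already-final revocation.
 *
 * @param ca                    issuing CA
 * @param serialNumber          serial number of the certificate
 * @param reason                new, final revocation reason
 * @param publishToDeltaCrlCache whether the serial is added to the delta-CRL cache
 * @param idNameMap             id/name mapping used to resolve profile and requestor
 * @return the certificate with its revocation info (reason updated), or {@code null} if no
 *         such certificate exists
 * @throws OperationException  {@code CERT_UNREVOKED} if the certificate is not revoked,
 *                             {@code CERT_REVOKED} if it is revoked with a reason other than
 *                             certificateHold, {@code SYSTEM_FAILURE} if the update did not
 *                             touch exactly one row
 * @throws DataAccessException on database errors
 */
X509CertWithRevocationInfo revokeSuspendedCert(NameId ca, BigInteger serialNumber, CrlReason reason, boolean publishToDeltaCrlCache, CaIdNameMap idNameMap) throws OperationException, DataAccessException {
    ParamUtil.requireNonNull("ca", ca);
    ParamUtil.requireNonNull("serialNumber", serialNumber);
    ParamUtil.requireNonNull("reason", reason);

    X509CertWithRevocationInfo certWithRevInfo = getCertWithRevocationInfo(ca, serialNumber, idNameMap);
    if (certWithRevInfo == null) {
        LOG.warn("certificate with CA={} and serialNumber={} does not exist", ca.getName(), LogUtil.formatCsn(serialNumber));
        return null;
    }

    // state check: only certificateHold may be converted to a final reason
    CertRevocationInfo currentRevInfo = certWithRevInfo.getRevInfo();
    if (currentRevInfo == null) {
        throw new OperationException(ErrorCode.CERT_UNREVOKED, "certificate is not revoked");
    }
    CrlReason currentReason = currentRevInfo.getReason();
    if (currentReason != CrlReason.CERTIFICATE_HOLD) {
        throw new OperationException(ErrorCode.CERT_REVOKED, "certificate is revoked but not with reason " + CrlReason.CERTIFICATE_HOLD.getDescription());
    }

    // the statement that is actually executed; also used when translating SQL errors
    final String sql = SQLs.SQL_REVOKE_SUSPENDED_CERT;
    long certId = certWithRevInfo.getCert().getCertId().longValue();
    PreparedStatement ps = borrowPreparedStatement(sql);
    try {
        int idx = 1;
        // NOTE(review): the first parameter looks like a new revocation timestamp ("now", in
        // seconds); the returned currentRevInfo keeps the original hold time — confirm against
        // SQL_REVOKE_SUSPENDED_CERT and the callers' expectations
        ps.setLong(idx++, System.currentTimeMillis() / 1000);
        ps.setInt(idx++, reason.getCode());
        ps.setLong(idx++, certId);
        int count = ps.executeUpdate();
        if (count != 1) {
            // exactly one row is keyed by certId; anything else indicates a corrupted store
            String message = (count > 1) ? count + " rows modified, but exactly one is expected" : "no row is modified, but exactly one is expected";
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, message);
        }
    } catch (SQLException ex) {
        // fix: previously translated with SQL_REVOKE_CERT, i.e. the wrong statement was
        // reported for this failure
        throw datasource.translate(sql, ex);
    } finally {
        releaseDbResources(ps, null);
    }

    if (publishToDeltaCrlCache) {
        publishToDeltaCrlCache(ca, certWithRevInfo.getCert().getCert().getSerialNumber());
    }
    // reflect the new reason in the returned object (the DB row is already updated)
    currentRevInfo.setReason(reason);
    return certWithRevInfo;
}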
use of org.xipki.security.CertRevocationInfo in project xipki by xipki.
the class CertStoreQueryExecutor method getCertForId.
// (end-of-method marker carried over from the preceding method, cleanupCrls; the method listed below is getCertForId)
/**
 * Loads a certificate by its database id, together with its profile, requestor and
 * (if present) revocation information.
 *
 * @param ca        issuing CA (metadata only; not used as a query key)
 * @param caCert    the CA's certificate, attached to the returned info
 * @param certId    primary key of the certificate row
 * @param idNameMap id/name mapping used to resolve profile and requestor
 * @return the certificate info, or {@code null} if no row has this id
 * @throws DataAccessException  on database errors
 * @throws CertificateException if the stored certificate cannot be parsed
 */
X509CertificateInfo getCertForId(NameId ca, X509Cert caCert, long certId, CaIdNameMap idNameMap) throws DataAccessException, CertificateException {
    ParamUtil.requireNonNull("ca", ca);
    ParamUtil.requireNonNull("caCert", caCert);
    ParamUtil.requireNonNull("idNameMap", idNameMap);

    final String sql = sqls.sqlCertForId;
    String encodedCertB64;
    int profileId;
    int requestorId;
    boolean isRevoked;
    // revocation columns are only read when REV is set; otherwise they stay at 0
    int reasonCode = 0;
    long revokedAtSec = 0;
    long invalidFromSec = 0;

    PreparedStatement ps = borrowPreparedStatement(sql);
    ResultSet rs = null;
    try {
        ps.setLong(1, certId);
        rs = ps.executeQuery();
        if (!rs.next()) {
            return null;
        }
        encodedCertB64 = rs.getString("CERT");
        profileId = rs.getInt("PID");
        requestorId = rs.getInt("RID");
        isRevoked = rs.getBoolean("REV");
        if (isRevoked) {
            reasonCode = rs.getInt("RR");
            revokedAtSec = rs.getLong("RT");
            invalidFromSec = rs.getLong("RIT");
        }
    } catch (SQLException ex) {
        throw datasource.translate(sql, ex);
    } finally {
        releaseDbResources(ps, rs);
    }

    // the stored certificate is base64 DER; parse it and keep the raw encoding alongside
    byte[] encodedCert = Base64.decodeFast(encodedCertB64);
    X509Certificate cert = X509Util.parseCert(encodedCert);
    X509CertWithDbId certWithMeta = new X509CertWithDbId(cert, encodedCert);
    certWithMeta.setCertId(certId);
    X509CertificateInfo certInfo = new X509CertificateInfo(certWithMeta, ca, caCert, cert.getPublicKey().getEncoded(), idNameMap.getCertprofile(profileId), idNameMap.getRequestor(requestorId));

    if (isRevoked) {
        // an invalidity time of 0, or equal to the revocation time, adds nothing and is dropped
        boolean noDistinctInvalidity = (invalidFromSec == 0) || (invalidFromSec == revokedAtSec);
        Date invalidityTime = noDistinctInvalidity ? null : new Date(invalidFromSec * 1000);
        certInfo.setRevocationInfo(new CertRevocationInfo(reasonCode, new Date(revokedAtSec * 1000), invalidityTime));
    }
    return certInfo;
}