Search in sources :

Example 11 with CrlReason

use of org.xipki.security.CrlReason in project xipki by xipki.

the class X509Ca method revokeSuspendedCerts0.

private int revokeSuspendedCerts0(AuditEvent event, String msgId) throws OperationException {
    if (!masterMode) {
        throw new OperationException(ErrorCode.NOT_PERMITTED, "CA could not remove expired certificates in slave mode");
    }
    final int numEntries = 100;
    CertValidity val = caInfo.revokeSuspendedCertsControl().getUnchangedSince();
    long ms;
    switch(val.getUnit()) {
        case DAY:
            ms = val.getValidity() * DAY_IN_MS;
            break;
        case HOUR:
            ms = val.getValidity() * DAY_IN_MS / 24;
            break;
        case YEAR:
            ms = val.getValidity() * 365 * DAY_IN_MS;
            break;
        default:
            throw new RuntimeException("should not reach here, unknown Validity Unit " + val.getUnit());
    }
    // seconds
    final long latestLastUpdatedAt = (System.currentTimeMillis() - ms) / 1000;
    final CrlReason reason = caInfo.revokeSuspendedCertsControl().getTargetReason();
    int sum = 0;
    while (true) {
        List<BigInteger> serials = certstore.getSuspendedCertSerials(caIdent, latestLastUpdatedAt, numEntries);
        if (CollectionUtil.isEmpty(serials)) {
            return sum;
        }
        for (BigInteger serial : serials) {
            boolean revoked = false;
            try {
                revoked = revokeSuspendedCert(serial, reason, msgId) != null;
                if (revoked) {
                    sum++;
                }
            } catch (OperationException ex) {
                LOG.info("revoked {} suspended certificates of CA {}", sum, caIdent);
                LogUtil.error(LOG, ex, "could not revoke suspended certificate with serial" + serial);
                throw ex;
            }
        // end try
        }
    // end for
    }
// end while (true)
}
Also used : CertValidity(org.xipki.ca.api.profile.CertValidity) BigInteger(java.math.BigInteger) CrlReason(org.xipki.security.CrlReason) OperationException(org.xipki.ca.api.OperationException) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)

Example 12 with CrlReason

use of org.xipki.security.CrlReason in project xipki by xipki.

the class CaManagerImpl method revokeCa.

// method republishCertificates
@Override
public void revokeCa(String caName, CertRevocationInfo revocationInfo) throws CaMgmtException {
    caName = ParamUtil.requireNonBlank("caName", caName).toLowerCase();
    ParamUtil.requireNonNull("revocationInfo", revocationInfo);
    asssertMasterMode();
    if (!x509cas.containsKey(caName)) {
        throw new CaMgmtException(concat("unkown CA ", caName));
    }
    LOG.info("revoking CA '{}'", caName);
    X509Ca ca = x509cas.get(caName);
    CertRevocationInfo currentRevInfo = ca.getCaInfo().getRevocationInfo();
    if (currentRevInfo != null) {
        CrlReason currentReason = currentRevInfo.getReason();
        if (currentReason != CrlReason.CERTIFICATE_HOLD) {
            throw new CaMgmtException(concat("CA ", caName, " has been revoked with reason ", currentReason.name()));
        }
    }
    queryExecutor.revokeCa(caName, revocationInfo);
    try {
        ca.revokeCa(revocationInfo, CaAuditConstants.MSGID_ca_mgmt);
    } catch (OperationException ex) {
        throw new CaMgmtException(concat("could not revoke CA ", ex.getMessage()), ex);
    }
    LOG.info("revoked CA '{}'", caName);
    auditLogPciEvent(true, concat("REVOKE CA ", caName));
}
Also used : CertRevocationInfo(org.xipki.security.CertRevocationInfo) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) CrlReason(org.xipki.security.CrlReason) OperationException(org.xipki.ca.api.OperationException)

Example 13 with CrlReason

use of org.xipki.security.CrlReason in project xipki by xipki.

the class RestImpl method service.

public RestResponse service(String path, AuditEvent event, byte[] request, HttpRequestMetadataRetriever httpRetriever) {
    event.setApplicationName(CaAuditConstants.APPNAME);
    event.setName(CaAuditConstants.NAME_PERF);
    event.addEventData(CaAuditConstants.NAME_reqType, RequestType.REST.name());
    String msgId = RandomUtil.nextHexLong();
    event.addEventData(CaAuditConstants.NAME_mid, msgId);
    AuditLevel auditLevel = AuditLevel.INFO;
    AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
    String auditMessage = null;
    try {
        if (responderManager == null) {
            String message = "responderManager in servlet not configured";
            LOG.error(message);
            throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, message, AuditLevel.ERROR, AuditStatus.FAILED);
        }
        String caName = null;
        String command = null;
        X509Ca ca = null;
        if (path.length() > 1) {
            // the first char is always '/'
            String coreUri = path;
            int sepIndex = coreUri.indexOf('/', 1);
            if (sepIndex == -1 || sepIndex == coreUri.length() - 1) {
                String message = "invalid path " + path;
                LOG.error(message);
                throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, null, message, AuditLevel.ERROR, AuditStatus.FAILED);
            }
            // skip also the first char ('/')
            String caAlias = coreUri.substring(1, sepIndex);
            command = coreUri.substring(sepIndex + 1);
            caName = responderManager.getCaNameForAlias(caAlias);
            if (caName == null) {
                caName = caAlias.toLowerCase();
            }
            ca = ((X509CaCmpResponderImpl) responderManager.getX509CaResponder(caName)).getCa();
        }
        if (caName == null || ca == null || ca.getCaInfo().getStatus() != CaStatus.ACTIVE) {
            String message;
            if (caName == null) {
                message = "no CA is specified";
            } else if (ca == null) {
                message = "unknown CA '" + caName + "'";
            } else {
                message = "CA '" + caName + "' is out of service";
            }
            LOG.warn(message);
            throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, null, message, AuditLevel.INFO, AuditStatus.FAILED);
        }
        event.addEventData(CaAuditConstants.NAME_ca, ca.getCaIdent().getName());
        event.addEventType(command);
        RequestorInfo requestor;
        // Retrieve the user:password
        String hdrValue = httpRetriever.getHeader("Authorization");
        if (hdrValue != null && hdrValue.startsWith("Basic ")) {
            String user = null;
            byte[] password = null;
            if (hdrValue.length() > 6) {
                String b64 = hdrValue.substring(6);
                byte[] userPwd = Base64.decodeFast(b64);
                int idx = -1;
                for (int i = 0; i < userPwd.length; i++) {
                    if (userPwd[i] == ':') {
                        idx = i;
                        break;
                    }
                }
                if (idx != -1 && idx < userPwd.length - 1) {
                    user = new String(Arrays.copyOfRange(userPwd, 0, idx));
                    password = Arrays.copyOfRange(userPwd, idx + 1, userPwd.length);
                }
            }
            if (user == null) {
                throw new HttpRespAuditException(HttpResponseStatus.UNAUTHORIZED, "invalid Authorization information", AuditLevel.INFO, AuditStatus.FAILED);
            }
            NameId userIdent = ca.authenticateUser(user, password);
            if (userIdent == null) {
                throw new HttpRespAuditException(HttpResponseStatus.UNAUTHORIZED, "could not authenticate user", AuditLevel.INFO, AuditStatus.FAILED);
            }
            requestor = ca.getByUserRequestor(userIdent);
        } else {
            X509Certificate clientCert = httpRetriever.getTlsClientCert();
            if (clientCert == null) {
                throw new HttpRespAuditException(HttpResponseStatus.UNAUTHORIZED, null, "no client certificate", AuditLevel.INFO, AuditStatus.FAILED);
            }
            requestor = ca.getRequestor(clientCert);
        }
        if (requestor == null) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "no requestor specified");
        }
        event.addEventData(CaAuditConstants.NAME_requestor, requestor.getIdent().getName());
        String respCt = null;
        byte[] respBytes = null;
        if (RestAPIConstants.CMD_cacert.equalsIgnoreCase(command)) {
            respCt = RestAPIConstants.CT_pkix_cert;
            respBytes = ca.getCaInfo().getCert().getEncodedCert();
        } else if (RestAPIConstants.CMD_enroll_cert.equalsIgnoreCase(command)) {
            String profile = httpRetriever.getParameter(RestAPIConstants.PARAM_profile);
            if (StringUtil.isBlank(profile)) {
                throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "required parameter " + RestAPIConstants.PARAM_profile + " not specified", AuditLevel.INFO, AuditStatus.FAILED);
            }
            profile = profile.toLowerCase();
            try {
                requestor.assertPermitted(PermissionConstants.ENROLL_CERT);
            } catch (InsuffientPermissionException ex) {
                throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
            }
            if (!requestor.isCertProfilePermitted(profile)) {
                throw new OperationException(ErrorCode.NOT_PERMITTED, "certProfile " + profile + " is not allowed");
            }
            String ct = httpRetriever.getHeader("Content-Type");
            if (!RestAPIConstants.CT_pkcs10.equalsIgnoreCase(ct)) {
                String message = "unsupported media type " + ct;
                throw new HttpRespAuditException(HttpResponseStatus.UNSUPPORTED_MEDIA_TYPE, message, AuditLevel.INFO, AuditStatus.FAILED);
            }
            String strNotBefore = httpRetriever.getParameter(RestAPIConstants.PARAM_not_before);
            Date notBefore = (strNotBefore == null) ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(strNotBefore);
            String strNotAfter = httpRetriever.getParameter(RestAPIConstants.PARAM_not_after);
            Date notAfter = (strNotAfter == null) ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(strNotAfter);
            byte[] encodedCsr = request;
            CertificationRequest csr = CertificationRequest.getInstance(encodedCsr);
            ca.checkCsr(csr);
            CertificationRequestInfo certTemp = csr.getCertificationRequestInfo();
            X500Name subject = certTemp.getSubject();
            SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
            Extensions extensions = CaUtil.getExtensions(certTemp);
            CertTemplateData certTemplate = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profile);
            X509CertificateInfo certInfo = ca.generateCertificate(certTemplate, requestor, RequestType.REST, null, msgId);
            if (ca.getCaInfo().isSaveRequest()) {
                long dbId = ca.addRequest(encodedCsr);
                ca.addRequestCert(dbId, certInfo.getCert().getCertId());
            }
            X509Cert cert = certInfo.getCert();
            if (cert == null) {
                String message = "could not generate certificate";
                LOG.warn(message);
                throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, message, AuditLevel.INFO, AuditStatus.FAILED);
            }
            respCt = RestAPIConstants.CT_pkix_cert;
            respBytes = cert.getEncodedCert();
        } else if (RestAPIConstants.CMD_revoke_cert.equalsIgnoreCase(command) || RestAPIConstants.CMD_delete_cert.equalsIgnoreCase(command)) {
            int permission;
            if (RestAPIConstants.CMD_revoke_cert.equalsIgnoreCase(command)) {
                permission = PermissionConstants.REVOKE_CERT;
            } else {
                permission = PermissionConstants.REMOVE_CERT;
            }
            try {
                requestor.assertPermitted(permission);
            } catch (InsuffientPermissionException ex) {
                throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
            }
            String strCaSha1 = httpRetriever.getParameter(RestAPIConstants.PARAM_ca_sha1);
            if (StringUtil.isBlank(strCaSha1)) {
                throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "required parameter " + RestAPIConstants.PARAM_ca_sha1 + " not specified", AuditLevel.INFO, AuditStatus.FAILED);
            }
            String strSerialNumber = httpRetriever.getParameter(RestAPIConstants.PARAM_serial_number);
            if (StringUtil.isBlank(strSerialNumber)) {
                throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "required parameter " + RestAPIConstants.PARAM_serial_number + " not specified", AuditLevel.INFO, AuditStatus.FAILED);
            }
            if (!strCaSha1.equalsIgnoreCase(ca.getHexSha1OfCert())) {
                throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "unknown " + RestAPIConstants.PARAM_ca_sha1, AuditLevel.INFO, AuditStatus.FAILED);
            }
            BigInteger serialNumber = toBigInt(strSerialNumber);
            if (RestAPIConstants.CMD_revoke_cert.equalsIgnoreCase(command)) {
                String strReason = httpRetriever.getParameter(RestAPIConstants.PARAM_reason);
                CrlReason reason = (strReason == null) ? CrlReason.UNSPECIFIED : CrlReason.forNameOrText(strReason);
                if (reason == CrlReason.REMOVE_FROM_CRL) {
                    ca.unrevokeCertificate(serialNumber, msgId);
                } else {
                    Date invalidityTime = null;
                    String strInvalidityTime = httpRetriever.getParameter(RestAPIConstants.PARAM_invalidity_time);
                    if (StringUtil.isNotBlank(strInvalidityTime)) {
                        invalidityTime = DateUtil.parseUtcTimeyyyyMMddhhmmss(strInvalidityTime);
                    }
                    ca.revokeCertificate(serialNumber, reason, invalidityTime, msgId);
                }
            } else if (RestAPIConstants.CMD_delete_cert.equalsIgnoreCase(command)) {
                ca.removeCertificate(serialNumber, msgId);
            }
        } else if (RestAPIConstants.CMD_crl.equalsIgnoreCase(command)) {
            try {
                requestor.assertPermitted(PermissionConstants.GET_CRL);
            } catch (InsuffientPermissionException ex) {
                throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
            }
            String strCrlNumber = httpRetriever.getParameter(RestAPIConstants.PARAM_crl_number);
            BigInteger crlNumber = null;
            if (StringUtil.isNotBlank(strCrlNumber)) {
                try {
                    crlNumber = toBigInt(strCrlNumber);
                } catch (NumberFormatException ex) {
                    String message = "invalid crlNumber '" + strCrlNumber + "'";
                    LOG.warn(message);
                    throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, message, AuditLevel.INFO, AuditStatus.FAILED);
                }
            }
            X509CRL crl = ca.getCrl(crlNumber);
            if (crl == null) {
                String message = "could not get CRL";
                LOG.warn(message);
                throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, message, AuditLevel.INFO, AuditStatus.FAILED);
            }
            respCt = RestAPIConstants.CT_pkix_crl;
            respBytes = crl.getEncoded();
        } else if (RestAPIConstants.CMD_new_crl.equalsIgnoreCase(command)) {
            try {
                requestor.assertPermitted(PermissionConstants.GEN_CRL);
            } catch (InsuffientPermissionException ex) {
                throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
            }
            X509CRL crl = ca.generateCrlOnDemand(msgId);
            if (crl == null) {
                String message = "could not generate CRL";
                LOG.warn(message);
                throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, message, AuditLevel.INFO, AuditStatus.FAILED);
            }
            respCt = RestAPIConstants.CT_pkix_crl;
            respBytes = crl.getEncoded();
        } else {
            String message = "invalid command '" + command + "'";
            LOG.error(message);
            throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, message, AuditLevel.INFO, AuditStatus.FAILED);
        }
        Map<String, String> headers = new HashMap<>();
        headers.put(RestAPIConstants.HEADER_PKISTATUS, RestAPIConstants.PKISTATUS_accepted);
        return new RestResponse(HttpResponseStatus.OK, respCt, headers, respBytes);
    } catch (OperationException ex) {
        ErrorCode code = ex.getErrorCode();
        if (LOG.isWarnEnabled()) {
            String msg = StringUtil.concat("generate certificate, OperationException: code=", code.name(), ", message=", ex.getErrorMessage());
            LOG.warn(msg);
            LOG.debug(msg, ex);
        }
        int sc;
        String failureInfo;
        switch(code) {
            case ALREADY_ISSUED:
                sc = HttpResponseStatus.BAD_REQUEST;
                failureInfo = RestAPIConstants.FAILINFO_badRequest;
                break;
            case BAD_CERT_TEMPLATE:
                sc = HttpResponseStatus.BAD_REQUEST;
                failureInfo = RestAPIConstants.FAILINFO_badCertTemplate;
                break;
            case BAD_REQUEST:
                sc = HttpResponseStatus.BAD_REQUEST;
                failureInfo = RestAPIConstants.FAILINFO_badRequest;
                break;
            case CERT_REVOKED:
                sc = HttpResponseStatus.CONFLICT;
                failureInfo = RestAPIConstants.FAILINFO_certRevoked;
                break;
            case CRL_FAILURE:
                sc = HttpResponseStatus.INTERNAL_SERVER_ERROR;
                failureInfo = RestAPIConstants.FAILINFO_systemFailure;
                break;
            case DATABASE_FAILURE:
                sc = HttpResponseStatus.INTERNAL_SERVER_ERROR;
                failureInfo = RestAPIConstants.FAILINFO_systemFailure;
                break;
            case NOT_PERMITTED:
                sc = HttpResponseStatus.UNAUTHORIZED;
                failureInfo = RestAPIConstants.FAILINFO_notAuthorized;
                break;
            case INVALID_EXTENSION:
                sc = HttpResponseStatus.BAD_REQUEST;
                failureInfo = RestAPIConstants.FAILINFO_badRequest;
                break;
            case SYSTEM_FAILURE:
                sc = HttpResponseStatus.INTERNAL_SERVER_ERROR;
                failureInfo = RestAPIConstants.FAILINFO_systemFailure;
                break;
            case SYSTEM_UNAVAILABLE:
                sc = HttpResponseStatus.SERVICE_UNAVAILABLE;
                failureInfo = RestAPIConstants.FAILINFO_systemUnavail;
                break;
            case UNKNOWN_CERT:
                sc = HttpResponseStatus.BAD_REQUEST;
                failureInfo = RestAPIConstants.FAILINFO_badCertId;
                break;
            case UNKNOWN_CERT_PROFILE:
                sc = HttpResponseStatus.BAD_REQUEST;
                failureInfo = RestAPIConstants.FAILINFO_badCertTemplate;
                break;
            default:
                sc = HttpResponseStatus.INTERNAL_SERVER_ERROR;
                failureInfo = RestAPIConstants.FAILINFO_systemFailure;
                break;
        }
        // end switch (code)
        event.setStatus(AuditStatus.FAILED);
        event.addEventData(CaAuditConstants.NAME_message, code.name());
        switch(code) {
            case DATABASE_FAILURE:
            case SYSTEM_FAILURE:
                auditMessage = code.name();
                break;
            default:
                auditMessage = code.name() + ": " + ex.getErrorMessage();
                break;
        }
        // end switch code
        Map<String, String> headers = new HashMap<>();
        headers.put(RestAPIConstants.HEADER_PKISTATUS, RestAPIConstants.PKISTATUS_rejection);
        if (StringUtil.isNotBlank(failureInfo)) {
            headers.put(RestAPIConstants.HEADER_failInfo, failureInfo);
        }
        return new RestResponse(sc, null, headers, null);
    } catch (HttpRespAuditException ex) {
        auditStatus = ex.getAuditStatus();
        auditLevel = ex.getAuditLevel();
        auditMessage = ex.getAuditMessage();
        return new RestResponse(ex.getHttpStatus(), null, null, null);
    } catch (Throwable th) {
        if (th instanceof EOFException) {
            LogUtil.warn(LOG, th, "connection reset by peer");
        } else {
            LOG.error("Throwable thrown, this should not happen!", th);
        }
        auditLevel = AuditLevel.ERROR;
        auditStatus = AuditStatus.FAILED;
        auditMessage = "internal error";
        return new RestResponse(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, null, null);
    } finally {
        event.setStatus(auditStatus);
        event.setLevel(auditLevel);
        if (auditMessage != null) {
            event.addEventData(CaAuditConstants.NAME_message, auditMessage);
        }
    }
}
Also used : CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) X509CRL(java.security.cert.X509CRL) NameId(org.xipki.ca.api.NameId) HashMap(java.util.HashMap) X509Ca(org.xipki.ca.server.impl.X509Ca) InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException) X500Name(org.bouncycastle.asn1.x500.X500Name) Extensions(org.bouncycastle.asn1.x509.Extensions) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) CertTemplateData(org.xipki.ca.server.impl.CertTemplateData) X509Cert(org.xipki.security.X509Cert) EOFException(java.io.EOFException) CrlReason(org.xipki.security.CrlReason) OperationException(org.xipki.ca.api.OperationException) RestResponse(org.xipki.ca.server.api.RestResponse) AuditLevel(org.xipki.audit.AuditLevel) X509CertificateInfo(org.xipki.ca.api.publisher.x509.X509CertificateInfo) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) AuditStatus(org.xipki.audit.AuditStatus) BigInteger(java.math.BigInteger) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode) HashMap(java.util.HashMap) Map(java.util.Map) RequestorInfo(org.xipki.ca.server.mgmt.api.RequestorInfo) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)

Example 14 with CrlReason

use of org.xipki.security.CrlReason in project xipki by xipki.

the class RevokeCertCmd method execute0.

@Override
protected Object execute0() throws Exception {
    CrlReason crlReason = CrlReason.forNameOrText(reason);
    if (!CrlReason.PERMITTED_CLIENT_CRLREASONS.contains(crlReason)) {
        throw new InvalidConfException("reason " + reason + " is not permitted");
    }
    Date invalidityDate = null;
    if (isNotBlank(invalidityDateS)) {
        invalidityDate = DateUtil.parseUtcTimeyyyyMMddhhmmss(invalidityDateS);
    }
    BigInteger serialNo = getSerialNumber();
    String msg = "certificate (serial number = 0x" + serialNo.toString(16) + ")";
    try {
        caManager.revokeCertificate(caName, serialNo, crlReason, invalidityDate);
        println("revoked " + msg);
        return null;
    } catch (CaMgmtException ex) {
        throw new CmdFailure("could not revoke " + msg + ", error: " + ex.getMessage(), ex);
    }
}
Also used : CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) CmdFailure(org.xipki.console.karaf.CmdFailure) InvalidConfException(org.xipki.common.InvalidConfException) BigInteger(java.math.BigInteger) CrlReason(org.xipki.security.CrlReason) Date(java.util.Date)

Example 15 with CrlReason

use of org.xipki.security.CrlReason in project xipki by xipki.

the class CertStoreQueryExecutor method unrevokeCert.

// method revokeSuspendedCert
X509CertWithDbId unrevokeCert(NameId ca, BigInteger serialNumber, boolean force, boolean publishToDeltaCrlCache, CaIdNameMap idNamMap) throws OperationException, DataAccessException {
    ParamUtil.requireNonNull("ca", ca);
    ParamUtil.requireNonNull("serialNumber", serialNumber);
    X509CertWithRevocationInfo certWithRevInfo = getCertWithRevocationInfo(ca, serialNumber, idNamMap);
    if (certWithRevInfo == null) {
        LOG.warn("certificate with CA={} and serialNumber={} does not exist", ca.getName(), LogUtil.formatCsn(serialNumber));
        return null;
    }
    CertRevocationInfo currentRevInfo = certWithRevInfo.getRevInfo();
    if (currentRevInfo == null) {
        throw new OperationException(ErrorCode.CERT_UNREVOKED, "certificate is not revoked");
    }
    CrlReason currentReason = currentRevInfo.getReason();
    if (!force) {
        if (currentReason != CrlReason.CERTIFICATE_HOLD) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "could not unrevoke certificate revoked with reason " + currentReason.getDescription());
        }
    }
    final String sql = "UPDATE CERT SET LUPDATE=?,REV=?,RT=?,RIT=?,RR=? WHERE ID=?";
    long certId = certWithRevInfo.getCert().getCertId().longValue();
    long currentTimeSeconds = System.currentTimeMillis() / 1000;
    PreparedStatement ps = borrowPreparedStatement(sql);
    try {
        int idx = 1;
        ps.setLong(idx++, currentTimeSeconds);
        setBoolean(ps, idx++, false);
        ps.setNull(idx++, Types.INTEGER);
        ps.setNull(idx++, Types.INTEGER);
        ps.setNull(idx++, Types.INTEGER);
        ps.setLong(idx++, certId);
        int count = ps.executeUpdate();
        if (count != 1) {
            String message = (count > 1) ? count + " rows modified, but exactly one is expected" : "no row is modified, but exactly one is expected";
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, message);
        }
    } catch (SQLException ex) {
        throw datasource.translate(sql, ex);
    } finally {
        releaseDbResources(ps, null);
    }
    if (publishToDeltaCrlCache) {
        publishToDeltaCrlCache(ca, certWithRevInfo.getCert().getCert().getSerialNumber());
    }
    return certWithRevInfo.getCert();
}
Also used : CertRevocationInfo(org.xipki.security.CertRevocationInfo) SQLException(java.sql.SQLException) PreparedStatement(java.sql.PreparedStatement) CrlReason(org.xipki.security.CrlReason) DERPrintableString(org.bouncycastle.asn1.DERPrintableString) DEROctetString(org.bouncycastle.asn1.DEROctetString) OperationException(org.xipki.ca.api.OperationException)

Aggregations

CrlReason (org.xipki.security.CrlReason)16 OperationException (org.xipki.ca.api.OperationException)10 Date (java.util.Date)9 BigInteger (java.math.BigInteger)7 CertRevocationInfo (org.xipki.security.CertRevocationInfo)5 PreparedStatement (java.sql.PreparedStatement)4 SQLException (java.sql.SQLException)4 DEROctetString (org.bouncycastle.asn1.DEROctetString)4 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)4 IOException (java.io.IOException)3 X509Certificate (java.security.cert.X509Certificate)3 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)3 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)3 X500Name (org.bouncycastle.asn1.x500.X500Name)3 Extension (org.bouncycastle.asn1.x509.Extension)3 Extensions (org.bouncycastle.asn1.x509.Extensions)3 CaMgmtException (org.xipki.ca.server.mgmt.api.CaMgmtException)3 X509CRL (java.security.cert.X509CRL)2 ParseException (java.text.ParseException)2 LinkedList (java.util.LinkedList)2