use of org.xipki.security.X509Cert in project xipki by xipki.
the class ProxyP11Slot method refresh0.
@Override
protected P11SlotRefreshResult refresh0() throws P11TokenException {
P11SlotRefreshResult refreshResult = new P11SlotRefreshResult();
// mechanisms
List<Long> mechs = getMechanismsFromServer();
for (Long mech : mechs) {
refreshResult.addMechanism(mech);
}
// certificates
List<P11ObjectIdentifier> certIds = getObjectIdsFromServer(P11ProxyConstants.ACTION_GET_CERT_IDS);
for (P11ObjectIdentifier certId : certIds) {
X509Cert cert = getCertificate(certId);
if (cert != null) {
refreshResult.addCertificate(certId, cert);
}
}
List<P11ObjectIdentifier> keyIds = getObjectIdsFromServer(P11ProxyConstants.ACTION_GET_IDENTITY_IDS);
for (P11ObjectIdentifier keyId : keyIds) {
byte[] id = keyId.getId();
java.security.PublicKey pubKey = null;
X509Cert cert = refreshResult.getCertForId(id);
if (cert != null) {
pubKey = cert.getCert().getPublicKey();
} else {
pubKey = getPublicKey(keyId);
}
P11EntityIdentifier entityId = new P11EntityIdentifier(slotId, keyId);
ProxyP11Identity identity;
if (pubKey == null) {
identity = new ProxyP11Identity(this, entityId);
} else {
X509Certificate[] certs = (cert == null) ? null : new X509Certificate[] { cert.getCert() };
identity = new ProxyP11Identity(this, entityId, pubKey, certs);
}
refreshResult.addIdentity(identity);
}
return refreshResult;
}
use of org.xipki.security.X509Cert in project xipki by xipki.
the class EmulatorP11Slot method refresh0.
@Override
protected P11SlotRefreshResult refresh0() throws P11TokenException {
P11SlotRefreshResult ret = new P11SlotRefreshResult();
for (long mech : supportedMechs) {
ret.addMechanism(mech);
}
// Secret Keys
File[] secKeyInfoFiles = secKeyDir.listFiles(INFO_FILENAME_FILTER);
if (secKeyInfoFiles != null && secKeyInfoFiles.length != 0) {
for (File secKeyInfoFile : secKeyInfoFiles) {
byte[] id = getKeyIdFromInfoFilename(secKeyInfoFile.getName());
String hexId = hex(id);
try {
Properties props = loadProperties(secKeyInfoFile);
String label = props.getProperty(PROP_LABEL);
P11ObjectIdentifier p11ObjId = new P11ObjectIdentifier(id, label);
byte[] encodedValue = IoUtil.read(new File(secKeyDir, hexId + VALUE_FILE_SUFFIX));
KeyStore ks = KeyStore.getInstance("JCEKS");
ks.load(new ByteArrayInputStream(encodedValue), password);
SecretKey key = null;
Enumeration<String> aliases = ks.aliases();
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
if (ks.isKeyEntry(alias)) {
key = (SecretKey) ks.getKey(alias, password);
break;
}
}
EmulatorP11Identity identity = new EmulatorP11Identity(this, new P11EntityIdentifier(slotId, p11ObjId), key, maxSessions, random);
LOG.info("added PKCS#11 secret key {}", p11ObjId);
ret.addIdentity(identity);
} catch (ClassCastException ex) {
LogUtil.warn(LOG, ex, "InvalidKeyException while initializing key with key-id " + hexId);
continue;
} catch (Throwable th) {
LOG.error("unexpected exception while initializing key with key-id " + hexId, th);
continue;
}
}
}
// Certificates
File[] certInfoFiles = certDir.listFiles(INFO_FILENAME_FILTER);
if (certInfoFiles != null) {
for (File infoFile : certInfoFiles) {
byte[] id = getKeyIdFromInfoFilename(infoFile.getName());
Properties props = loadProperties(infoFile);
String label = props.getProperty(PROP_LABEL);
P11ObjectIdentifier objId = new P11ObjectIdentifier(id, label);
try {
X509Cert cert = readCertificate(id);
ret.addCertificate(objId, cert);
} catch (CertificateException | IOException ex) {
LOG.warn("could not parse certificate " + objId);
}
}
}
// Private / Public keys
File[] privKeyInfoFiles = privKeyDir.listFiles(INFO_FILENAME_FILTER);
if (privKeyInfoFiles != null && privKeyInfoFiles.length != 0) {
for (File privKeyInfoFile : privKeyInfoFiles) {
byte[] id = getKeyIdFromInfoFilename(privKeyInfoFile.getName());
String hexId = hex(id);
try {
Properties props = loadProperties(privKeyInfoFile);
String label = props.getProperty(PROP_LABEL);
P11ObjectIdentifier p11ObjId = new P11ObjectIdentifier(id, label);
X509Cert cert = ret.getCertForId(id);
java.security.PublicKey publicKey = (cert == null) ? readPublicKey(id) : cert.getCert().getPublicKey();
if (publicKey == null) {
LOG.warn("Neither public key nor certificate is associated with private key {}", p11ObjId);
continue;
}
byte[] encodedValue = IoUtil.read(new File(privKeyDir, hexId + VALUE_FILE_SUFFIX));
PKCS8EncryptedPrivateKeyInfo epki = new PKCS8EncryptedPrivateKeyInfo(encodedValue);
PrivateKey privateKey = privateKeyCryptor.decrypt(epki);
X509Certificate[] certs = (cert == null) ? null : new X509Certificate[] { cert.getCert() };
EmulatorP11Identity identity = new EmulatorP11Identity(this, new P11EntityIdentifier(slotId, p11ObjId), privateKey, publicKey, certs, maxSessions, random);
LOG.info("added PKCS#11 key {}", p11ObjId);
ret.addIdentity(identity);
} catch (InvalidKeyException ex) {
LogUtil.warn(LOG, ex, "InvalidKeyException while initializing key with key-id " + hexId);
continue;
} catch (Throwable th) {
LOG.error("unexpected exception while initializing key with key-id " + hexId, th);
continue;
}
}
}
return ret;
}
use of org.xipki.security.X509Cert in project xipki by xipki.
the class RestImpl method service.
public RestResponse service(String path, AuditEvent event, byte[] request, HttpRequestMetadataRetriever httpRetriever) {
event.setApplicationName(CaAuditConstants.APPNAME);
event.setName(CaAuditConstants.NAME_PERF);
event.addEventData(CaAuditConstants.NAME_reqType, RequestType.REST.name());
String msgId = RandomUtil.nextHexLong();
event.addEventData(CaAuditConstants.NAME_mid, msgId);
AuditLevel auditLevel = AuditLevel.INFO;
AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
String auditMessage = null;
try {
if (responderManager == null) {
String message = "responderManager in servlet not configured";
LOG.error(message);
throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, message, AuditLevel.ERROR, AuditStatus.FAILED);
}
String caName = null;
String command = null;
X509Ca ca = null;
if (path.length() > 1) {
// the first char is always '/'
String coreUri = path;
int sepIndex = coreUri.indexOf('/', 1);
if (sepIndex == -1 || sepIndex == coreUri.length() - 1) {
String message = "invalid path " + path;
LOG.error(message);
throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, null, message, AuditLevel.ERROR, AuditStatus.FAILED);
}
// skip also the first char ('/')
String caAlias = coreUri.substring(1, sepIndex);
command = coreUri.substring(sepIndex + 1);
caName = responderManager.getCaNameForAlias(caAlias);
if (caName == null) {
caName = caAlias.toLowerCase();
}
ca = ((X509CaCmpResponderImpl) responderManager.getX509CaResponder(caName)).getCa();
}
if (caName == null || ca == null || ca.getCaInfo().getStatus() != CaStatus.ACTIVE) {
String message;
if (caName == null) {
message = "no CA is specified";
} else if (ca == null) {
message = "unknown CA '" + caName + "'";
} else {
message = "CA '" + caName + "' is out of service";
}
LOG.warn(message);
throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, null, message, AuditLevel.INFO, AuditStatus.FAILED);
}
event.addEventData(CaAuditConstants.NAME_ca, ca.getCaIdent().getName());
event.addEventType(command);
RequestorInfo requestor;
// Retrieve the user:password
String hdrValue = httpRetriever.getHeader("Authorization");
if (hdrValue != null && hdrValue.startsWith("Basic ")) {
String user = null;
byte[] password = null;
if (hdrValue.length() > 6) {
String b64 = hdrValue.substring(6);
byte[] userPwd = Base64.decodeFast(b64);
int idx = -1;
for (int i = 0; i < userPwd.length; i++) {
if (userPwd[i] == ':') {
idx = i;
break;
}
}
if (idx != -1 && idx < userPwd.length - 1) {
user = new String(Arrays.copyOfRange(userPwd, 0, idx));
password = Arrays.copyOfRange(userPwd, idx + 1, userPwd.length);
}
}
if (user == null) {
throw new HttpRespAuditException(HttpResponseStatus.UNAUTHORIZED, "invalid Authorization information", AuditLevel.INFO, AuditStatus.FAILED);
}
NameId userIdent = ca.authenticateUser(user, password);
if (userIdent == null) {
throw new HttpRespAuditException(HttpResponseStatus.UNAUTHORIZED, "could not authenticate user", AuditLevel.INFO, AuditStatus.FAILED);
}
requestor = ca.getByUserRequestor(userIdent);
} else {
X509Certificate clientCert = httpRetriever.getTlsClientCert();
if (clientCert == null) {
throw new HttpRespAuditException(HttpResponseStatus.UNAUTHORIZED, null, "no client certificate", AuditLevel.INFO, AuditStatus.FAILED);
}
requestor = ca.getRequestor(clientCert);
}
if (requestor == null) {
throw new OperationException(ErrorCode.NOT_PERMITTED, "no requestor specified");
}
event.addEventData(CaAuditConstants.NAME_requestor, requestor.getIdent().getName());
String respCt = null;
byte[] respBytes = null;
if (RestAPIConstants.CMD_cacert.equalsIgnoreCase(command)) {
respCt = RestAPIConstants.CT_pkix_cert;
respBytes = ca.getCaInfo().getCert().getEncodedCert();
} else if (RestAPIConstants.CMD_enroll_cert.equalsIgnoreCase(command)) {
String profile = httpRetriever.getParameter(RestAPIConstants.PARAM_profile);
if (StringUtil.isBlank(profile)) {
throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "required parameter " + RestAPIConstants.PARAM_profile + " not specified", AuditLevel.INFO, AuditStatus.FAILED);
}
profile = profile.toLowerCase();
try {
requestor.assertPermitted(PermissionConstants.ENROLL_CERT);
} catch (InsuffientPermissionException ex) {
throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
}
if (!requestor.isCertProfilePermitted(profile)) {
throw new OperationException(ErrorCode.NOT_PERMITTED, "certProfile " + profile + " is not allowed");
}
String ct = httpRetriever.getHeader("Content-Type");
if (!RestAPIConstants.CT_pkcs10.equalsIgnoreCase(ct)) {
String message = "unsupported media type " + ct;
throw new HttpRespAuditException(HttpResponseStatus.UNSUPPORTED_MEDIA_TYPE, message, AuditLevel.INFO, AuditStatus.FAILED);
}
String strNotBefore = httpRetriever.getParameter(RestAPIConstants.PARAM_not_before);
Date notBefore = (strNotBefore == null) ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(strNotBefore);
String strNotAfter = httpRetriever.getParameter(RestAPIConstants.PARAM_not_after);
Date notAfter = (strNotAfter == null) ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(strNotAfter);
byte[] encodedCsr = request;
CertificationRequest csr = CertificationRequest.getInstance(encodedCsr);
ca.checkCsr(csr);
CertificationRequestInfo certTemp = csr.getCertificationRequestInfo();
X500Name subject = certTemp.getSubject();
SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
Extensions extensions = CaUtil.getExtensions(certTemp);
CertTemplateData certTemplate = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profile);
X509CertificateInfo certInfo = ca.generateCertificate(certTemplate, requestor, RequestType.REST, null, msgId);
if (ca.getCaInfo().isSaveRequest()) {
long dbId = ca.addRequest(encodedCsr);
ca.addRequestCert(dbId, certInfo.getCert().getCertId());
}
X509Cert cert = certInfo.getCert();
if (cert == null) {
String message = "could not generate certificate";
LOG.warn(message);
throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, message, AuditLevel.INFO, AuditStatus.FAILED);
}
respCt = RestAPIConstants.CT_pkix_cert;
respBytes = cert.getEncodedCert();
} else if (RestAPIConstants.CMD_revoke_cert.equalsIgnoreCase(command) || RestAPIConstants.CMD_delete_cert.equalsIgnoreCase(command)) {
int permission;
if (RestAPIConstants.CMD_revoke_cert.equalsIgnoreCase(command)) {
permission = PermissionConstants.REVOKE_CERT;
} else {
permission = PermissionConstants.REMOVE_CERT;
}
try {
requestor.assertPermitted(permission);
} catch (InsuffientPermissionException ex) {
throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
}
String strCaSha1 = httpRetriever.getParameter(RestAPIConstants.PARAM_ca_sha1);
if (StringUtil.isBlank(strCaSha1)) {
throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "required parameter " + RestAPIConstants.PARAM_ca_sha1 + " not specified", AuditLevel.INFO, AuditStatus.FAILED);
}
String strSerialNumber = httpRetriever.getParameter(RestAPIConstants.PARAM_serial_number);
if (StringUtil.isBlank(strSerialNumber)) {
throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "required parameter " + RestAPIConstants.PARAM_serial_number + " not specified", AuditLevel.INFO, AuditStatus.FAILED);
}
if (!strCaSha1.equalsIgnoreCase(ca.getHexSha1OfCert())) {
throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, "unknown " + RestAPIConstants.PARAM_ca_sha1, AuditLevel.INFO, AuditStatus.FAILED);
}
BigInteger serialNumber = toBigInt(strSerialNumber);
if (RestAPIConstants.CMD_revoke_cert.equalsIgnoreCase(command)) {
String strReason = httpRetriever.getParameter(RestAPIConstants.PARAM_reason);
CrlReason reason = (strReason == null) ? CrlReason.UNSPECIFIED : CrlReason.forNameOrText(strReason);
if (reason == CrlReason.REMOVE_FROM_CRL) {
ca.unrevokeCertificate(serialNumber, msgId);
} else {
Date invalidityTime = null;
String strInvalidityTime = httpRetriever.getParameter(RestAPIConstants.PARAM_invalidity_time);
if (StringUtil.isNotBlank(strInvalidityTime)) {
invalidityTime = DateUtil.parseUtcTimeyyyyMMddhhmmss(strInvalidityTime);
}
ca.revokeCertificate(serialNumber, reason, invalidityTime, msgId);
}
} else if (RestAPIConstants.CMD_delete_cert.equalsIgnoreCase(command)) {
ca.removeCertificate(serialNumber, msgId);
}
} else if (RestAPIConstants.CMD_crl.equalsIgnoreCase(command)) {
try {
requestor.assertPermitted(PermissionConstants.GET_CRL);
} catch (InsuffientPermissionException ex) {
throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
}
String strCrlNumber = httpRetriever.getParameter(RestAPIConstants.PARAM_crl_number);
BigInteger crlNumber = null;
if (StringUtil.isNotBlank(strCrlNumber)) {
try {
crlNumber = toBigInt(strCrlNumber);
} catch (NumberFormatException ex) {
String message = "invalid crlNumber '" + strCrlNumber + "'";
LOG.warn(message);
throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, null, message, AuditLevel.INFO, AuditStatus.FAILED);
}
}
X509CRL crl = ca.getCrl(crlNumber);
if (crl == null) {
String message = "could not get CRL";
LOG.warn(message);
throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, message, AuditLevel.INFO, AuditStatus.FAILED);
}
respCt = RestAPIConstants.CT_pkix_crl;
respBytes = crl.getEncoded();
} else if (RestAPIConstants.CMD_new_crl.equalsIgnoreCase(command)) {
try {
requestor.assertPermitted(PermissionConstants.GEN_CRL);
} catch (InsuffientPermissionException ex) {
throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
}
X509CRL crl = ca.generateCrlOnDemand(msgId);
if (crl == null) {
String message = "could not generate CRL";
LOG.warn(message);
throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, message, AuditLevel.INFO, AuditStatus.FAILED);
}
respCt = RestAPIConstants.CT_pkix_crl;
respBytes = crl.getEncoded();
} else {
String message = "invalid command '" + command + "'";
LOG.error(message);
throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, message, AuditLevel.INFO, AuditStatus.FAILED);
}
Map<String, String> headers = new HashMap<>();
headers.put(RestAPIConstants.HEADER_PKISTATUS, RestAPIConstants.PKISTATUS_accepted);
return new RestResponse(HttpResponseStatus.OK, respCt, headers, respBytes);
} catch (OperationException ex) {
ErrorCode code = ex.getErrorCode();
if (LOG.isWarnEnabled()) {
String msg = StringUtil.concat("generate certificate, OperationException: code=", code.name(), ", message=", ex.getErrorMessage());
LOG.warn(msg);
LOG.debug(msg, ex);
}
int sc;
String failureInfo;
switch(code) {
case ALREADY_ISSUED:
sc = HttpResponseStatus.BAD_REQUEST;
failureInfo = RestAPIConstants.FAILINFO_badRequest;
break;
case BAD_CERT_TEMPLATE:
sc = HttpResponseStatus.BAD_REQUEST;
failureInfo = RestAPIConstants.FAILINFO_badCertTemplate;
break;
case BAD_REQUEST:
sc = HttpResponseStatus.BAD_REQUEST;
failureInfo = RestAPIConstants.FAILINFO_badRequest;
break;
case CERT_REVOKED:
sc = HttpResponseStatus.CONFLICT;
failureInfo = RestAPIConstants.FAILINFO_certRevoked;
break;
case CRL_FAILURE:
sc = HttpResponseStatus.INTERNAL_SERVER_ERROR;
failureInfo = RestAPIConstants.FAILINFO_systemFailure;
break;
case DATABASE_FAILURE:
sc = HttpResponseStatus.INTERNAL_SERVER_ERROR;
failureInfo = RestAPIConstants.FAILINFO_systemFailure;
break;
case NOT_PERMITTED:
sc = HttpResponseStatus.UNAUTHORIZED;
failureInfo = RestAPIConstants.FAILINFO_notAuthorized;
break;
case INVALID_EXTENSION:
sc = HttpResponseStatus.BAD_REQUEST;
failureInfo = RestAPIConstants.FAILINFO_badRequest;
break;
case SYSTEM_FAILURE:
sc = HttpResponseStatus.INTERNAL_SERVER_ERROR;
failureInfo = RestAPIConstants.FAILINFO_systemFailure;
break;
case SYSTEM_UNAVAILABLE:
sc = HttpResponseStatus.SERVICE_UNAVAILABLE;
failureInfo = RestAPIConstants.FAILINFO_systemUnavail;
break;
case UNKNOWN_CERT:
sc = HttpResponseStatus.BAD_REQUEST;
failureInfo = RestAPIConstants.FAILINFO_badCertId;
break;
case UNKNOWN_CERT_PROFILE:
sc = HttpResponseStatus.BAD_REQUEST;
failureInfo = RestAPIConstants.FAILINFO_badCertTemplate;
break;
default:
sc = HttpResponseStatus.INTERNAL_SERVER_ERROR;
failureInfo = RestAPIConstants.FAILINFO_systemFailure;
break;
}
// end switch (code)
event.setStatus(AuditStatus.FAILED);
event.addEventData(CaAuditConstants.NAME_message, code.name());
switch(code) {
case DATABASE_FAILURE:
case SYSTEM_FAILURE:
auditMessage = code.name();
break;
default:
auditMessage = code.name() + ": " + ex.getErrorMessage();
break;
}
// end switch code
Map<String, String> headers = new HashMap<>();
headers.put(RestAPIConstants.HEADER_PKISTATUS, RestAPIConstants.PKISTATUS_rejection);
if (StringUtil.isNotBlank(failureInfo)) {
headers.put(RestAPIConstants.HEADER_failInfo, failureInfo);
}
return new RestResponse(sc, null, headers, null);
} catch (HttpRespAuditException ex) {
auditStatus = ex.getAuditStatus();
auditLevel = ex.getAuditLevel();
auditMessage = ex.getAuditMessage();
return new RestResponse(ex.getHttpStatus(), null, null, null);
} catch (Throwable th) {
if (th instanceof EOFException) {
LogUtil.warn(LOG, th, "connection reset by peer");
} else {
LOG.error("Throwable thrown, this should not happen!", th);
}
auditLevel = AuditLevel.ERROR;
auditStatus = AuditStatus.FAILED;
auditMessage = "internal error";
return new RestResponse(HttpResponseStatus.INTERNAL_SERVER_ERROR, null, null, null);
} finally {
event.setStatus(auditStatus);
event.setLevel(auditLevel);
if (auditMessage != null) {
event.addEventData(CaAuditConstants.NAME_message, auditMessage);
}
}
}
use of org.xipki.security.X509Cert in project xipki by xipki.
the class AbstractP11Slot method addCert.
@Override
public void addCert(P11ObjectIdentifier objectId, X509Certificate cert) throws P11TokenException, CertificateException {
addCert0(objectId, cert);
certificates.put(objectId, new X509Cert(cert));
updateCaCertsOfIdentities();
LOG.info("added certificate {}", objectId);
}
Aggregations