Example 1 with P11DuplicateEntityException
use of org.xipki.security.exception.P11DuplicateEntityException in project xipki by xipki.
the class P11ProxyResponder method processRequest.
/**
* The request is constructed as follows:
* <pre>
* 0 - - - 1 - - - 2 - - - 3 - - - 4 - - - 5 - - - 6 - - - 7 - - - 8
* | Version | Transaction ID | Body ... |
* | ... Length | Action | Module ID | Content... |
* | .Content | <-- 10 + Length (offset).
*
* </pre>
*/
byte[] processRequest(LocalP11CryptServicePool pool, byte[] request) {
int reqLen = request.length;
// TransactionID
byte[] transactionId = new byte[4];
if (reqLen > 5) {
System.arraycopy(request, 2, transactionId, 0, 4);
}
// Action
short action = P11ProxyConstants.ACTION_NOPE;
if (reqLen > 11) {
action = IoUtil.parseShort(request, 10);
}
if (reqLen < 14) {
LOG.error("response too short");
return getResp(P11ProxyConstants.VERSION_V1_0, transactionId, action, P11ProxyConstants.RC_BAD_REQUEST);
}
// Version
short version = IoUtil.parseShort(request, 0);
if (!versions.contains(version)) {
LOG.error("unsupported version {}", version);
return getResp(P11ProxyConstants.VERSION_V1_0, transactionId, action, P11ProxyConstants.RC_UNSUPPORTED_VERSION);
}
// Length
int reqBodyLen = IoUtil.parseInt(request, 6);
if (reqBodyLen + 10 != reqLen) {
LOG.error("message length unmatch");
return getResp(version, transactionId, action, P11ProxyConstants.RC_BAD_REQUEST);
}
short moduleId = IoUtil.parseShort(request, 12);
int contentLen = reqLen - 14;
byte[] content;
if (contentLen == 0) {
if (actionsRequireNonNullRequest.contains(action)) {
LOG.error("content is not present but is required");
return getResp(version, transactionId, P11ProxyConstants.RC_BAD_REQUEST, action);
}
content = null;
} else {
if (actionsRequireNullRequest.contains(action)) {
LOG.error("content is present but is not permitted");
return getResp(version, transactionId, P11ProxyConstants.RC_BAD_REQUEST, action);
}
content = new byte[contentLen];
System.arraycopy(request, 14, content, 0, contentLen);
}
P11CryptService p11CryptService = pool.getP11CryptService(moduleId);
if (p11CryptService == null) {
LOG.error("no module {} available", moduleId);
return getResp(version, transactionId, P11ProxyConstants.RC_UNKNOWN_MODULE, action);
}
try {
switch(action) {
case P11ProxyConstants.ACTION_ADD_CERT:
{
Asn1EntityIdAndCert asn1 = Asn1EntityIdAndCert.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getEntityId());
X509Certificate cert = X509Util.toX509Cert(asn1.getCertificate());
slot.addCert(asn1.getEntityId().getObjectId().getObjectId(), cert);
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
case P11ProxyConstants.ACTION_DIGEST_SECRETKEY:
{
Asn1DigestSecretKeyTemplate template = Asn1DigestSecretKeyTemplate.getInstance(content);
long mechanism = template.getMechanism().getMechanism();
P11Identity identity = p11CryptService.getIdentity(template.getIdentityId().getEntityId());
byte[] hashValue = identity.digestSecretKey(mechanism);
ASN1Object obj = new DEROctetString(hashValue);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_DSA:
{
Asn1GenDSAKeypairParams asn1 = Asn1GenDSAKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.generateDSAKeypair(asn1.getP(), asn1.getQ(), asn1.getG(), asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_EC:
{
Asn1GenECKeypairParams asn1 = Asn1GenECKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.generateECKeypair(asn1.getCurveId().getId(), asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_RSA:
{
Asn1GenRSAKeypairParams asn1 = Asn1GenRSAKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.generateRSAKeypair(asn1.getKeysize(), asn1.getPublicExponent(), asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_SM2:
{
Asn1GenSM2KeypairParams asn1 = Asn1GenSM2KeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.generateSM2Keypair(asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_SECRET_KEY:
{
Asn1GenSecretKeyParams asn1 = Asn1GenSecretKeyParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.generateSecretKey(asn1.getKeyType(), asn1.getKeysize(), asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_CERT:
{
P11EntityIdentifier entityId = Asn1P11EntityIdentifier.getInstance(content).getEntityId();
X509Certificate cert = p11CryptService.getIdentity(entityId).getCertificate();
return getSuccessResp(version, transactionId, action, cert.getEncoded());
}
case P11ProxyConstants.ACTION_GET_CERT_IDS:
case P11ProxyConstants.ACTION_GET_IDENTITY_IDS:
{
Asn1P11SlotIdentifier slotId = Asn1P11SlotIdentifier.getInstance(content);
P11Slot slot = p11CryptService.getModule().getSlot(slotId.getSlotId());
Set<P11ObjectIdentifier> objectIds;
if (P11ProxyConstants.ACTION_GET_CERT_IDS == action) {
objectIds = slot.getCertIdentifiers();
} else {
objectIds = slot.getIdentityIdentifiers();
}
ASN1EncodableVector vec = new ASN1EncodableVector();
for (P11ObjectIdentifier objectId : objectIds) {
vec.add(new Asn1P11ObjectIdentifier(objectId));
}
ASN1Object obj = new DERSequence(vec);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_MECHANISMS:
{
P11SlotIdentifier slotId = Asn1P11SlotIdentifier.getInstance(content).getSlotId();
Set<Long> mechs = p11CryptService.getSlot(slotId).getMechanisms();
ASN1EncodableVector vec = new ASN1EncodableVector();
for (Long mech : mechs) {
vec.add(new ASN1Integer(mech));
}
ASN1Object obj = new DERSequence(vec);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_PUBLICKEY:
{
P11EntityIdentifier identityId = Asn1P11EntityIdentifier.getInstance(content).getEntityId();
PublicKey pubKey = p11CryptService.getIdentity(identityId).getPublicKey();
if (pubKey == null) {
throw new P11UnknownEntityException(identityId);
}
ASN1Object obj = KeyUtil.createSubjectPublicKeyInfo(pubKey);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_SERVER_CAPS:
{
boolean readOnly = p11CryptService.getModule().isReadOnly();
ASN1Object obj = new Asn1ServerCaps(readOnly, versions);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_SLOT_IDS:
{
List<P11SlotIdentifier> slotIds = p11CryptService.getModule().getSlotIds();
ASN1EncodableVector vector = new ASN1EncodableVector();
for (P11SlotIdentifier slotId : slotIds) {
vector.add(new Asn1P11SlotIdentifier(slotId));
}
ASN1Object obj = new DERSequence(vector);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_IMPORT_SECRET_KEY:
{
Asn1ImportSecretKeyParams asn1 = Asn1ImportSecretKeyParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.importSecretKey(asn1.getKeyType(), asn1.getKeyValue(), asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_REMOVE_CERTS:
{
Asn1P11EntityIdentifier asn1 = Asn1P11EntityIdentifier.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1);
slot.removeCerts(asn1.getObjectId().getObjectId());
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
case P11ProxyConstants.ACTION_REMOVE_IDENTITY:
{
Asn1P11EntityIdentifier asn1 = Asn1P11EntityIdentifier.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1);
slot.removeIdentity(asn1.getObjectId().getObjectId());
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
case P11ProxyConstants.ACTION_REMOVE_OBJECTS:
{
Asn1RemoveObjectsParams asn1 = Asn1RemoveObjectsParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
int num = slot.removeObjects(asn1.getOjectId(), asn1.getObjectLabel());
ASN1Object obj = new ASN1Integer(num);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_SIGN:
{
Asn1SignTemplate signTemplate = Asn1SignTemplate.getInstance(content);
long mechanism = signTemplate.getMechanism().getMechanism();
Asn1P11Params asn1Params = signTemplate.getMechanism().getParams();
P11Params params = null;
if (asn1Params != null) {
switch(asn1Params.getTagNo()) {
case Asn1P11Params.TAG_RSA_PKCS_PSS:
params = Asn1RSAPkcsPssParams.getInstance(asn1Params).getPkcsPssParams();
break;
case Asn1P11Params.TAG_OPAQUE:
params = new P11ByteArrayParams(ASN1OctetString.getInstance(asn1Params).getOctets());
break;
case Asn1P11Params.TAG_IV:
params = new P11IVParams(ASN1OctetString.getInstance(asn1Params).getOctets());
break;
default:
throw new BadAsn1ObjectException("unknown SignTemplate.params: unknown tag " + asn1Params.getTagNo());
}
}
byte[] message = signTemplate.getMessage();
P11Identity identity = p11CryptService.getIdentity(signTemplate.getIdentityId().getEntityId());
byte[] signature = identity.sign(mechanism, params, message);
ASN1Object obj = new DEROctetString(signature);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_UPDATE_CERT:
{
Asn1EntityIdAndCert asn1 = Asn1EntityIdAndCert.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getEntityId());
slot.updateCertificate(asn1.getEntityId().getObjectId().getObjectId(), X509Util.toX509Cert(asn1.getCertificate()));
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
default:
{
LOG.error("unsupported XiPKI action code '{}'", action);
return getResp(version, transactionId, action, P11ProxyConstants.RC_UNSUPPORTED_ACTION);
}
}
} catch (BadAsn1ObjectException ex) {
LogUtil.error(LOG, ex, "could not process decode requested content (tid=" + Hex.encode(transactionId) + ")");
return getResp(version, transactionId, action, P11ProxyConstants.RC_BAD_REQUEST);
} catch (P11TokenException ex) {
LogUtil.error(LOG, ex, buildErrorMsg(action, transactionId));
short rc;
if (ex instanceof P11UnknownEntityException) {
rc = P11ProxyConstants.RC_DUPLICATE_ENTITY;
} else if (ex instanceof P11DuplicateEntityException) {
rc = P11ProxyConstants.RC_DUPLICATE_ENTITY;
} else if (ex instanceof P11UnsupportedMechanismException) {
rc = P11ProxyConstants.RC_UNSUPPORTED_MECHANISM;
} else {
rc = P11ProxyConstants.RC_P11_TOKENERROR;
}
return getResp(version, transactionId, action, rc);
} catch (XiSecurityException | CertificateException | InvalidKeyException ex) {
LogUtil.error(LOG, ex, buildErrorMsg(action, transactionId));
return getResp(version, transactionId, action, P11ProxyConstants.RC_INTERNAL_ERROR);
} catch (Throwable th) {
LogUtil.error(LOG, th, buildErrorMsg(action, transactionId));
return getResp(version, transactionId, action, P11ProxyConstants.RC_INTERNAL_ERROR);
}
}
Also used :
Set(java.util.Set)
HashSet(java.util.HashSet)
Asn1ServerCaps(org.xipki.p11proxy.msg.Asn1ServerCaps)
P11TokenException(org.xipki.security.exception.P11TokenException)
Asn1P11EntityIdentifier(org.xipki.p11proxy.msg.Asn1P11EntityIdentifier)
P11EntityIdentifier(org.xipki.security.pkcs11.P11EntityIdentifier)
CertificateException(java.security.cert.CertificateException)
Asn1P11Params(org.xipki.p11proxy.msg.Asn1P11Params)
P11Params(org.xipki.security.pkcs11.P11Params)
Asn1RemoveObjectsParams(org.xipki.p11proxy.msg.Asn1RemoveObjectsParams)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
P11DuplicateEntityException(org.xipki.security.exception.P11DuplicateEntityException)
Asn1GenSecretKeyParams(org.xipki.p11proxy.msg.Asn1GenSecretKeyParams)
Asn1P11EntityIdentifier(org.xipki.p11proxy.msg.Asn1P11EntityIdentifier)
DERSequence(org.bouncycastle.asn1.DERSequence)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
P11ByteArrayParams(org.xipki.security.pkcs11.P11ByteArrayParams)
P11UnknownEntityException(org.xipki.security.exception.P11UnknownEntityException)
Asn1DigestSecretKeyTemplate(org.xipki.p11proxy.msg.Asn1DigestSecretKeyTemplate)
Asn1GenDSAKeypairParams(org.xipki.p11proxy.msg.Asn1GenDSAKeypairParams)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
List(java.util.List)
Asn1ImportSecretKeyParams(org.xipki.p11proxy.msg.Asn1ImportSecretKeyParams)
ASN1Object(org.bouncycastle.asn1.ASN1Object)
Asn1P11Params(org.xipki.p11proxy.msg.Asn1P11Params)
Asn1P11SlotIdentifier(org.xipki.p11proxy.msg.Asn1P11SlotIdentifier)
P11SlotIdentifier(org.xipki.security.pkcs11.P11SlotIdentifier)
PublicKey(java.security.PublicKey)
Asn1SignTemplate(org.xipki.p11proxy.msg.Asn1SignTemplate)
P11Slot(org.xipki.security.pkcs11.P11Slot)
Asn1P11ObjectIdentifier(org.xipki.p11proxy.msg.Asn1P11ObjectIdentifier)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
P11Identity(org.xipki.security.pkcs11.P11Identity)
InvalidKeyException(java.security.InvalidKeyException)
P11CryptService(org.xipki.security.pkcs11.P11CryptService)
X509Certificate(java.security.cert.X509Certificate)
Asn1GenRSAKeypairParams(org.xipki.p11proxy.msg.Asn1GenRSAKeypairParams)
Asn1EntityIdAndCert(org.xipki.p11proxy.msg.Asn1EntityIdAndCert)
P11UnsupportedMechanismException(org.xipki.security.exception.P11UnsupportedMechanismException)
Asn1GenSM2KeypairParams(org.xipki.p11proxy.msg.Asn1GenSM2KeypairParams)
Asn1P11ObjectIdentifier(org.xipki.p11proxy.msg.Asn1P11ObjectIdentifier)
P11ObjectIdentifier(org.xipki.security.pkcs11.P11ObjectIdentifier)
Asn1GenECKeypairParams(org.xipki.p11proxy.msg.Asn1GenECKeypairParams)
P11IVParams(org.xipki.security.pkcs11.P11IVParams)
Asn1P11SlotIdentifier(org.xipki.p11proxy.msg.Asn1P11SlotIdentifier)
BadAsn1ObjectException(org.xipki.security.exception.BadAsn1ObjectException)
Example 2 with P11DuplicateEntityException
use of org.xipki.security.exception.P11DuplicateEntityException in project xipki by xipki.
the class AbstractP11Slot method generateDSAKeypair.
@Override
public P11ObjectIdentifier generateDSAKeypair(int plength, int qlength, String label, P11NewKeyControl control) throws P11TokenException {
ParamUtil.requireMin("plength", plength, 1024);
if (plength % 1024 != 0) {
throw new IllegalArgumentException("key size is not multiple of 1024: " + plength);
}
assertWritable("generateDSAKeypair");
assertMechanismSupported(PKCS11Constants.CKM_DSA_KEY_PAIR_GEN);
if (getObjectIdForLabel(label) != null) {
throw new P11DuplicateEntityException("identity with label " + label + " already exists");
}
DSAParameterSpec dsaParams = DSAParameterCache.getDSAParameterSpec(plength, qlength, random);
P11Identity identity = generateDSAKeypair0(dsaParams.getP(), dsaParams.getQ(), dsaParams.getG(), label, control);
addIdentity(identity);
P11ObjectIdentifier objId = identity.getIdentityId().getObjectId();
LOG.info("generated DSA keypair {}", objId);
return objId;
}
Also used :
P11DuplicateEntityException(org.xipki.security.exception.P11DuplicateEntityException)
DSAParameterSpec(java.security.spec.DSAParameterSpec)
Example 3 with P11DuplicateEntityException
use of org.xipki.security.exception.P11DuplicateEntityException in project xipki by xipki.
the class AbstractP11Slot method generateECKeypair.
@Override
public P11ObjectIdentifier generateECKeypair(String curveNameOrOid, String label, P11NewKeyControl control) throws P11TokenException {
ParamUtil.requireNonBlank("curveNameOrOid", curveNameOrOid);
ParamUtil.requireNonBlank("label", label);
assertWritable("generateECKeypair");
assertMechanismSupported(PKCS11Constants.CKM_EC_KEY_PAIR_GEN);
if (getObjectIdForLabel(label) != null) {
throw new P11DuplicateEntityException("identity with label " + label + " already exists");
}
ASN1ObjectIdentifier curveId = AlgorithmUtil.getCurveOidForCurveNameOrOid(curveNameOrOid);
if (curveId == null) {
throw new IllegalArgumentException("unknown curve " + curveNameOrOid);
}
P11Identity identity = generateECKeypair0(curveId, label, control);
addIdentity(identity);
P11ObjectIdentifier objId = identity.getIdentityId().getObjectId();
LOG.info("generated EC keypair {}", objId);
return objId;
}
Also used :
P11DuplicateEntityException(org.xipki.security.exception.P11DuplicateEntityException)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 4 with P11DuplicateEntityException
use of org.xipki.security.exception.P11DuplicateEntityException in project xipki by xipki.
the class AbstractP11Slot method generateRSAKeypair.
@Override
public P11ObjectIdentifier generateRSAKeypair(int keysize, BigInteger publicExponent, String label, P11NewKeyControl control) throws P11TokenException {
ParamUtil.requireNonBlank("label", label);
ParamUtil.requireMin("keysize", keysize, 1024);
if (keysize % 1024 != 0) {
throw new IllegalArgumentException("key size is not multiple of 1024: " + keysize);
}
assertWritable("generateRSAKeypair");
assertMechanismSupported(PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN);
if (getObjectIdForLabel(label) != null) {
throw new P11DuplicateEntityException("identity with label " + label + " already exists");
}
BigInteger tmpPublicExponent = publicExponent;
if (tmpPublicExponent == null) {
tmpPublicExponent = BigInteger.valueOf(65537);
}
P11Identity identity = generateRSAKeypair0(keysize, tmpPublicExponent, label, control);
addIdentity(identity);
P11ObjectIdentifier objId = identity.getIdentityId().getObjectId();
LOG.info("generated RSA keypair {}", objId);
return objId;
}
Also used :
P11DuplicateEntityException(org.xipki.security.exception.P11DuplicateEntityException)
BigInteger(java.math.BigInteger)
Aggregations
P11DuplicateEntityException (org.xipki.security.exception.P11DuplicateEntityException)4
BigInteger (java.math.BigInteger)1
InvalidKeyException (java.security.InvalidKeyException)1
PublicKey (java.security.PublicKey)1
CertificateException (java.security.cert.CertificateException)1
X509Certificate (java.security.cert.X509Certificate)1
DSAParameterSpec (java.security.spec.DSAParameterSpec)1
HashSet (java.util.HashSet)1
List (java.util.List)1
Set (java.util.Set)1
ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)1
ASN1Integer (org.bouncycastle.asn1.ASN1Integer)1
ASN1Object (org.bouncycastle.asn1.ASN1Object)1
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)1
DEROctetString (org.bouncycastle.asn1.DEROctetString)1
DERSequence (org.bouncycastle.asn1.DERSequence)1
Asn1DigestSecretKeyTemplate (org.xipki.p11proxy.msg.Asn1DigestSecretKeyTemplate)1
Asn1EntityIdAndCert (org.xipki.p11proxy.msg.Asn1EntityIdAndCert)1
Asn1GenDSAKeypairParams (org.xipki.p11proxy.msg.Asn1GenDSAKeypairParams)1
Asn1GenECKeypairParams (org.xipki.p11proxy.msg.Asn1GenECKeypairParams)1
