Example 16 with XiSecurityException
use of org.xipki.security.exception.XiSecurityException in project xipki by xipki.
the class EmulatorP11Identity method rsaPkcsSign.
private byte[] rsaPkcsSign(byte[] contentToSign, HashAlgo hashAlgo) throws P11TokenException {
int modulusBitLen = getSignatureKeyBitLength();
byte[] paddedHash;
try {
if (hashAlgo == null) {
paddedHash = SignerUtil.EMSA_PKCS1_v1_5_encoding(contentToSign, modulusBitLen);
} else {
byte[] hash = hashAlgo.hash(contentToSign);
paddedHash = SignerUtil.EMSA_PKCS1_v1_5_encoding(hash, modulusBitLen, hashAlgo);
}
} catch (XiSecurityException ex) {
throw new P11TokenException("XiSecurityException: " + ex.getMessage(), ex);
}
return rsaX509Sign(paddedHash);
}
Also used :
XiSecurityException(org.xipki.security.exception.XiSecurityException)
P11TokenException(org.xipki.security.exception.P11TokenException)
Example 17 with XiSecurityException
use of org.xipki.security.exception.XiSecurityException in project xipki by xipki.
the class CaManagerImpl method addCa.
@Override
public void addCa(CaEntry caEntry) throws CaMgmtException {
ParamUtil.requireNonNull("caEntry", caEntry);
asssertMasterMode();
NameId ident = caEntry.getIdent();
String name = ident.getName();
if (caInfos.containsKey(name)) {
throw new CaMgmtException(concat("CA named ", name, " exists"));
}
String origSignerConf = caEntry.getSignerConf();
String newSignerConf = canonicalizeSignerConf(caEntry.getSignerType(), origSignerConf, null, securityFactory);
if (!origSignerConf.equals(newSignerConf)) {
caEntry.setSignerConf(newSignerConf);
}
if (caEntry instanceof X509CaEntry) {
try {
X509CaEntry tmpCaEntry = (X509CaEntry) caEntry;
List<String[]> signerConfs = CaEntry.splitCaSignerConfs(tmpCaEntry.getSignerConf());
ConcurrentContentSigner signer;
for (String[] m : signerConfs) {
SignerConf signerConf = new SignerConf(m[1]);
signer = securityFactory.createSigner(tmpCaEntry.getSignerType(), signerConf, tmpCaEntry.getCert());
if (tmpCaEntry.getCert() == null) {
if (signer.getCertificate() == null) {
throw new CaMgmtException("CA signer without certificate is not allowed");
}
tmpCaEntry.setCert(signer.getCertificate());
}
}
} catch (XiSecurityException | ObjectCreationException ex) {
throw new CaMgmtException(concat("could not create signer for new CA ", name, ": ", ex.getMessage()), ex);
}
}
queryExecutor.addCa(caEntry);
if (!createCa(name)) {
LOG.error("could not create CA {}", name);
} else {
if (startCa(name)) {
LOG.info("started CA {}", name);
} else {
LOG.error("could not start CA {}", name);
}
}
}
Also used :
CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException)
ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
NameId(org.xipki.ca.api.NameId)
ObjectCreationException(org.xipki.common.ObjectCreationException)
SignerConf(org.xipki.security.SignerConf)
X509CaEntry(org.xipki.ca.server.mgmt.api.x509.X509CaEntry)
Example 18 with XiSecurityException
use of org.xipki.security.exception.XiSecurityException in project xipki by xipki.
the class CaManagerImpl method startCa.
// method startCaSystem0
private boolean startCa(String caName) {
X509CaInfo caEntry = caInfos.get(caName);
ConfPairs extraControl = caEntry.getCaEntry().getExtraControl();
if (extraControl != null) {
String str = extraControl.value(RevokeSuspendedCertsControl.KEY_REVOCATION_ENABLED);
boolean enabled = false;
if (str != null) {
enabled = Boolean.parseBoolean(str);
}
if (enabled) {
str = extraControl.value(RevokeSuspendedCertsControl.KEY_REVOCATION_REASON);
CrlReason reason = (str == null) ? CrlReason.CESSATION_OF_OPERATION : CrlReason.forNameOrText(str);
str = extraControl.value(RevokeSuspendedCertsControl.KEY_UNCHANGED_SINCE);
CertValidity unchangedSince = (str == null) ? new CertValidity(15, Unit.DAY) : CertValidity.getInstance(str);
RevokeSuspendedCertsControl control = new RevokeSuspendedCertsControl(reason, unchangedSince);
caEntry.setRevokeSuspendedCertsControl(control);
}
}
boolean signerRequired = caEntry.isSignerRequired();
X509CrlSignerEntryWrapper crlSignerEntry = null;
String crlSignerName = caEntry.getCrlSignerName();
// CRL will be generated only in master mode
if (signerRequired && masterMode && crlSignerName != null) {
crlSignerEntry = crlSigners.get(crlSignerName);
try {
crlSignerEntry.getDbEntry().setConfFaulty(true);
crlSignerEntry.initSigner(securityFactory);
crlSignerEntry.getDbEntry().setConfFaulty(false);
} catch (XiSecurityException | OperationException | InvalidConfException ex) {
LogUtil.error(LOG, ex, concat("X09CrlSignerEntryWrapper.initSigner (name=", crlSignerName, ")"));
return false;
}
}
X509Ca ca;
try {
ca = new X509Ca(this, caEntry, certstore);
ca.setAuditServiceRegister(auditServiceRegister);
} catch (OperationException ex) {
LogUtil.error(LOG, ex, concat("X509CA.<init> (ca=", caName, ")"));
return false;
}
x509cas.put(caName, ca);
X509CaCmpResponderImpl caResponder = new X509CaCmpResponderImpl(this, caName);
x509Responders.put(caName, caResponder);
return true;
}
Also used :
X509CaCmpResponderImpl(org.xipki.ca.server.impl.cmp.X509CaCmpResponderImpl)
CertValidity(org.xipki.ca.api.profile.CertValidity)
RevokeSuspendedCertsControl(org.xipki.ca.server.mgmt.api.x509.RevokeSuspendedCertsControl)
ConfPairs(org.xipki.common.ConfPairs)
InvalidConfException(org.xipki.common.InvalidConfException)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
CrlReason(org.xipki.security.CrlReason)
OperationException(org.xipki.ca.api.OperationException)
Example 19 with XiSecurityException
use of org.xipki.security.exception.XiSecurityException in project xipki by xipki.
the class CaManagerQueryExecutor method changeCa.
// method addPublisherToCa
void changeCa(ChangeCaEntry changeCaEntry, SecurityFactory securityFactory) throws CaMgmtException {
ParamUtil.requireNonNull("changeCaEntry", changeCaEntry);
ParamUtil.requireNonNull("securityFactory", securityFactory);
if (!(changeCaEntry instanceof X509ChangeCaEntry)) {
throw new CaMgmtException("unsupported ChangeCAEntry " + changeCaEntry.getClass().getName());
}
X509ChangeCaEntry entry = (X509ChangeCaEntry) changeCaEntry;
X509Certificate cert = entry.getCert();
if (cert != null) {
boolean anyCertIssued;
try {
anyCertIssued = datasource.columnExists(null, "CERT", "CA_ID", entry.getIdent().getId());
} catch (DataAccessException ex) {
throw new CaMgmtException(ex);
}
if (anyCertIssued) {
throw new CaMgmtException("Cannot change the certificate of CA, since it has issued certificates");
}
}
Integer serialNoBitLen = entry.getSerialNoBitLen();
CaStatus status = entry.getStatus();
List<String> crlUris = entry.getCrlUris();
List<String> deltaCrlUris = entry.getDeltaCrlUris();
List<String> ocspUris = entry.getOcspUris();
List<String> caCertUris = entry.getCaCertUris();
CertValidity maxValidity = entry.getMaxValidity();
String signerType = entry.getSignerType();
String signerConf = entry.getSignerConf();
String crlsignerName = entry.getCrlSignerName();
String responderName = entry.getResponderName();
String cmpcontrolName = entry.getCmpControlName();
Boolean duplicateKeyPermitted = entry.getDuplicateKeyPermitted();
Boolean duplicateSubjectPermitted = entry.getDuplicateSubjectPermitted();
Boolean saveReq = entry.getSaveRequest();
Integer permission = entry.getPermission();
Integer numCrls = entry.getNumCrls();
Integer expirationPeriod = entry.getExpirationPeriod();
Integer keepExpiredCertInDays = entry.getKeepExpiredCertInDays();
ValidityMode validityMode = entry.getValidityMode();
ConfPairs extraControl = entry.getExtraControl();
if (signerType != null || signerConf != null || cert != null) {
final String sql = "SELECT SIGNER_TYPE,CERT,SIGNER_CONF FROM CA WHERE ID=?";
PreparedStatement stmt = null;
ResultSet rs = null;
try {
stmt = prepareStatement(sql);
stmt.setInt(1, entry.getIdent().getId());
rs = stmt.executeQuery();
if (!rs.next()) {
throw new CaMgmtException("unknown CA '" + entry.getIdent());
}
String tmpSignerType = rs.getString("SIGNER_TYPE");
String tmpSignerConf = rs.getString("SIGNER_CONF");
String tmpB64Cert = rs.getString("CERT");
if (signerType != null) {
tmpSignerType = signerType;
}
if (signerConf != null) {
tmpSignerConf = getRealString(signerConf);
if (tmpSignerConf != null) {
tmpSignerConf = CaManagerImpl.canonicalizeSignerConf(tmpSignerType, tmpSignerConf, null, securityFactory);
}
}
X509Certificate tmpCert;
if (cert != null) {
tmpCert = cert;
} else {
try {
tmpCert = X509Util.parseBase64EncodedCert(tmpB64Cert);
} catch (CertificateException ex) {
throw new CaMgmtException("could not parse the stored certificate for CA '" + changeCaEntry.getIdent() + "'" + ex.getMessage(), ex);
}
}
try {
List<String[]> signerConfs = CaEntry.splitCaSignerConfs(tmpSignerConf);
for (String[] m : signerConfs) {
securityFactory.createSigner(tmpSignerType, new SignerConf(m[1]), tmpCert);
}
} catch (XiSecurityException | ObjectCreationException ex) {
throw new CaMgmtException("could not create signer for CA '" + changeCaEntry.getIdent() + "'" + ex.getMessage(), ex);
}
} catch (SQLException ex) {
throw new CaMgmtException(datasource, sql, ex);
} finally {
datasource.releaseResources(stmt, rs);
}
}
// end if (signerType)
StringBuilder sqlBuilder = new StringBuilder();
sqlBuilder.append("UPDATE CA SET ");
AtomicInteger index = new AtomicInteger(1);
Integer idxSnSize = addToSqlIfNotNull(sqlBuilder, index, serialNoBitLen, "SN_SIZE");
Integer idxStatus = addToSqlIfNotNull(sqlBuilder, index, status, "STATUS");
Integer idxSubject = addToSqlIfNotNull(sqlBuilder, index, cert, "SUBJECT");
Integer idxCert = addToSqlIfNotNull(sqlBuilder, index, cert, "CERT");
Integer idxCrlUris = addToSqlIfNotNull(sqlBuilder, index, crlUris, "CRL_URIS");
Integer idxDeltaCrlUris = addToSqlIfNotNull(sqlBuilder, index, deltaCrlUris, "DELTACRL_URIS");
Integer idxOcspUris = addToSqlIfNotNull(sqlBuilder, index, ocspUris, "OCSP_URIS");
Integer idxCaCertUris = addToSqlIfNotNull(sqlBuilder, index, caCertUris, "CACERT_URIS");
Integer idxMaxValidity = addToSqlIfNotNull(sqlBuilder, index, maxValidity, "MAX_VALIDITY");
Integer idxSignerType = addToSqlIfNotNull(sqlBuilder, index, signerType, "SIGNER_TYPE");
Integer idxCrlsignerName = addToSqlIfNotNull(sqlBuilder, index, crlsignerName, "CRLSIGNER_NAME");
Integer idxResponderName = addToSqlIfNotNull(sqlBuilder, index, responderName, "RESPONDER_NAME");
Integer idxCmpcontrolName = addToSqlIfNotNull(sqlBuilder, index, cmpcontrolName, "CMPCONTROL_NAME");
Integer idxDuplicateKey = addToSqlIfNotNull(sqlBuilder, index, duplicateKeyPermitted, "DUPLICATE_KEY");
Integer idxDuplicateSubject = addToSqlIfNotNull(sqlBuilder, index, duplicateKeyPermitted, "DUPLICATE_SUBJECT");
Integer idxSaveReq = addToSqlIfNotNull(sqlBuilder, index, saveReq, "SAVE_REQ");
Integer idxPermission = addToSqlIfNotNull(sqlBuilder, index, permission, "PERMISSION");
Integer idxNumCrls = addToSqlIfNotNull(sqlBuilder, index, numCrls, "NUM_CRLS");
Integer idxExpirationPeriod = addToSqlIfNotNull(sqlBuilder, index, expirationPeriod, "EXPIRATION_PERIOD");
Integer idxExpiredCerts = addToSqlIfNotNull(sqlBuilder, index, keepExpiredCertInDays, "KEEP_EXPIRED_CERT_DAYS");
Integer idxValidityMode = addToSqlIfNotNull(sqlBuilder, index, validityMode, "VALIDITY_MODE");
Integer idxExtraControl = addToSqlIfNotNull(sqlBuilder, index, extraControl, "EXTRA_CONTROL");
Integer idxSignerConf = addToSqlIfNotNull(sqlBuilder, index, signerConf, "SIGNER_CONF");
// delete the last ','
sqlBuilder.deleteCharAt(sqlBuilder.length() - 1);
sqlBuilder.append(" WHERE ID=?");
if (index.get() == 1) {
throw new IllegalArgumentException("nothing to change");
}
int idxId = index.get();
final String sql = sqlBuilder.toString();
StringBuilder sb = new StringBuilder();
PreparedStatement ps = null;
try {
ps = prepareStatement(sql);
if (idxSnSize != null) {
sb.append("sn_size: '").append(serialNoBitLen).append("'; ");
ps.setInt(idxSnSize, serialNoBitLen.intValue());
}
if (idxStatus != null) {
sb.append("status: '").append(status.name()).append("'; ");
ps.setString(idxStatus, status.name());
}
if (idxCert != null) {
String subject = X509Util.getRfc4519Name(cert.getSubjectX500Principal());
sb.append("cert: '").append(subject).append("'; ");
ps.setString(idxSubject, subject);
String base64Cert = Base64.encodeToString(cert.getEncoded());
ps.setString(idxCert, base64Cert);
}
if (idxCrlUris != null) {
String txt = StringUtil.collectionAsStringByComma(crlUris);
sb.append("crlUri: '").append(txt).append("'; ");
ps.setString(idxCrlUris, txt);
}
if (idxDeltaCrlUris != null) {
String txt = StringUtil.collectionAsStringByComma(deltaCrlUris);
sb.append("deltaCrlUri: '").append(txt).append("'; ");
ps.setString(idxDeltaCrlUris, txt);
}
if (idxOcspUris != null) {
String txt = StringUtil.collectionAsStringByComma(ocspUris);
sb.append("ocspUri: '").append(txt).append("'; ");
ps.setString(idxOcspUris, txt);
}
if (idxCaCertUris != null) {
String txt = StringUtil.collectionAsStringByComma(caCertUris);
sb.append("caCertUri: '").append(txt).append("'; ");
ps.setString(idxCaCertUris, txt);
}
if (idxMaxValidity != null) {
String txt = maxValidity.toString();
sb.append("maxValidity: '").append(txt).append("'; ");
ps.setString(idxMaxValidity, txt);
}
if (idxSignerType != null) {
sb.append("signerType: '").append(signerType).append("'; ");
ps.setString(idxSignerType, signerType);
}
if (idxSignerConf != null) {
sb.append("signerConf: '").append(SignerConf.toString(signerConf, false, true)).append("'; ");
ps.setString(idxSignerConf, signerConf);
}
if (idxCrlsignerName != null) {
String txt = getRealString(crlsignerName);
sb.append("crlSigner: '").append(txt).append("'; ");
ps.setString(idxCrlsignerName, txt);
}
if (idxResponderName != null) {
String txt = getRealString(responderName);
sb.append("responder: '").append(txt).append("'; ");
ps.setString(idxResponderName, txt);
}
if (idxCmpcontrolName != null) {
String txt = getRealString(cmpcontrolName);
sb.append("cmpControl: '").append(txt).append("'; ");
ps.setString(idxCmpcontrolName, txt);
}
if (idxDuplicateKey != null) {
sb.append("duplicateKey: '").append(duplicateKeyPermitted).append("'; ");
setBoolean(ps, idxDuplicateKey, duplicateKeyPermitted);
}
if (idxDuplicateSubject != null) {
sb.append("duplicateSubject: '").append(duplicateSubjectPermitted).append("'; ");
setBoolean(ps, idxDuplicateSubject, duplicateSubjectPermitted);
}
if (idxSaveReq != null) {
sb.append("saveReq: '").append(saveReq).append("'; ");
setBoolean(ps, idxSaveReq, saveReq);
}
if (idxPermission != null) {
sb.append("permission: '").append(permission).append("'; ");
ps.setInt(idxPermission, permission);
}
if (idxNumCrls != null) {
sb.append("numCrls: '").append(numCrls).append("'; ");
ps.setInt(idxNumCrls, numCrls);
}
if (idxExpirationPeriod != null) {
sb.append("expirationPeriod: '").append(expirationPeriod).append("'; ");
ps.setInt(idxExpirationPeriod, expirationPeriod);
}
if (idxExpiredCerts != null) {
sb.append("keepExpiredCertDays: '").append(keepExpiredCertInDays).append("'; ");
ps.setInt(idxExpiredCerts, keepExpiredCertInDays);
}
if (idxValidityMode != null) {
String txt = validityMode.name();
sb.append("validityMode: '").append(txt).append("'; ");
ps.setString(idxValidityMode, txt);
}
if (idxExtraControl != null) {
sb.append("extraControl: '").append(extraControl).append("'; ");
ps.setString(idxExtraControl, extraControl.getEncoded());
}
ps.setInt(idxId, changeCaEntry.getIdent().getId());
if (ps.executeUpdate() == 0) {
throw new CaMgmtException("could not change CA " + entry.getIdent());
}
if (sb.length() > 0) {
sb.deleteCharAt(sb.length() - 1).deleteCharAt(sb.length() - 1);
}
LOG.info("changed CA '{}': {}", changeCaEntry.getIdent(), sb);
} catch (SQLException ex) {
throw new CaMgmtException(datasource, sql, ex);
} catch (CertificateEncodingException ex) {
throw new CaMgmtException(ex);
} finally {
datasource.releaseResources(ps, null);
}
}
Also used :
CertValidity(org.xipki.ca.api.profile.CertValidity)
SQLException(java.sql.SQLException)
CertificateException(java.security.cert.CertificateException)
CaStatus(org.xipki.ca.server.mgmt.api.CaStatus)
ValidityMode(org.xipki.ca.server.mgmt.api.ValidityMode)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
ResultSet(java.sql.ResultSet)
DataAccessException(org.xipki.datasource.DataAccessException)
ConfPairs(org.xipki.common.ConfPairs)
SignerConf(org.xipki.security.SignerConf)
PreparedStatement(java.sql.PreparedStatement)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
X509ChangeCaEntry(org.xipki.ca.server.mgmt.api.x509.X509ChangeCaEntry)
X509Certificate(java.security.cert.X509Certificate)
AtomicInteger(java.util.concurrent.atomic.AtomicInteger)
CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException)
AtomicInteger(java.util.concurrent.atomic.AtomicInteger)
ObjectCreationException(org.xipki.common.ObjectCreationException)
Example 20 with XiSecurityException
use of org.xipki.security.exception.XiSecurityException in project xipki by xipki.
the class X509CrlSignerEntryWrapper method initSigner.
public void initSigner(SecurityFactory securityFactory) throws XiSecurityException, OperationException, InvalidConfException {
ParamUtil.requireNonNull("securityFactory", securityFactory);
if (signer != null) {
return;
}
if (dbEntry == null) {
throw new XiSecurityException("dbEntry is null");
}
if ("CA".equals(dbEntry.getType())) {
return;
}
dbEntry.setConfFaulty(true);
X509Certificate responderCert = dbEntry.getCert();
try {
signer = securityFactory.createSigner(dbEntry.getType(), new SignerConf(dbEntry.getConf()), responderCert);
} catch (ObjectCreationException ex1) {
throw new XiSecurityException("signer without certificate is not allowed");
}
X509Certificate signerCert = signer.getCertificate();
if (signerCert == null) {
throw new XiSecurityException("signer without certificate is not allowed");
}
if (dbEntry.getBase64Cert() == null) {
dbEntry.setCert(signerCert);
}
byte[] encodedSkiValue = signerCert.getExtensionValue(Extension.subjectKeyIdentifier.getId());
if (encodedSkiValue == null) {
throw new OperationException(ErrorCode.INVALID_EXTENSION, "CA certificate does not have required extension SubjectKeyIdentifier");
}
ASN1OctetString ski;
try {
ski = (ASN1OctetString) X509ExtensionUtil.fromExtensionValue(encodedSkiValue);
} catch (IOException ex) {
throw new OperationException(ErrorCode.INVALID_EXTENSION, ex);
}
this.subjectKeyIdentifier = ski.getOctets();
if (!X509Util.hasKeyusage(signerCert, KeyUsage.cRLSign)) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, "CRL signer does not have keyusage cRLSign");
}
dbEntry.setConfFaulty(false);
}
Also used :
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
ObjectCreationException(org.xipki.common.ObjectCreationException)
SignerConf(org.xipki.security.SignerConf)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
OperationException(org.xipki.ca.api.OperationException)
Aggregations
XiSecurityException (org.xipki.security.exception.XiSecurityException)36
P11TokenException (org.xipki.security.exception.P11TokenException)16
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)8
X509Certificate (java.security.cert.X509Certificate)6
ObjectCreationException (org.xipki.common.ObjectCreationException)6
SignerConf (org.xipki.security.SignerConf)6
IOException (java.io.IOException)5
CertificateException (java.security.cert.CertificateException)5
ConcurrentContentSigner (org.xipki.security.ConcurrentContentSigner)5
ByteArrayOutputStream (java.io.ByteArrayOutputStream)4
PublicKey (java.security.PublicKey)4
ArrayList (java.util.ArrayList)4
OperationException (org.xipki.ca.api.OperationException)4
ConfPairs (org.xipki.common.ConfPairs)4
InvalidConfException (org.xipki.common.InvalidConfException)4
P11ObjectIdentifier (org.xipki.security.pkcs11.P11ObjectIdentifier)4
SignatureException (java.security.SignatureException)3
DfltConcurrentContentSigner (org.xipki.security.DfltConcurrentContentSigner)3
XiContentSigner (org.xipki.security.XiContentSigner)3
Session (iaik.pkcs.pkcs11.Session)2
