List of usage examples for java.security.cert CertificateException getMessage
public String getMessage()
From source file:be.fedict.trust.xkms2.XKMSPortImpl.java
public ValidateResultType validate(ValidateRequestType body) { LOG.debug("validate"); List<X509Certificate> certificateChain = new LinkedList<X509Certificate>(); String trustDomain = null;//from w ww . j av a 2s .c o m boolean returnRevocationData = false; Date validationDate = null; List<byte[]> ocspResponses = new LinkedList<byte[]>(); List<byte[]> crls = new LinkedList<byte[]>(); byte[] timestampToken = null; List<byte[]> attributeCertificates = new LinkedList<byte[]>(); /* * Get certification chain from QueryKeyBinding */ QueryKeyBindingType queryKeyBinding = body.getQueryKeyBinding(); KeyInfoType keyInfo = queryKeyBinding.getKeyInfo(); List<Object> keyInfoContent = keyInfo.getContent(); for (Object keyInfoObject : keyInfoContent) { JAXBElement<?> keyInfoElement = (JAXBElement<?>) keyInfoObject; Object elementValue = keyInfoElement.getValue(); if (elementValue instanceof X509DataType) { X509DataType x509Data = (X509DataType) elementValue; List<Object> x509DataContent = x509Data.getX509IssuerSerialOrX509SKIOrX509SubjectName(); for (Object x509DataObject : x509DataContent) { if (!(x509DataObject instanceof JAXBElement)) { continue; } JAXBElement<?> x509DataElement = (JAXBElement<?>) x509DataObject; if (!X509_CERT_QNAME.equals(x509DataElement.getName())) { continue; } byte[] x509DataValue = (byte[]) x509DataElement.getValue(); try { X509Certificate certificate = getCertificate(x509DataValue); certificateChain.add(certificate); } catch (CertificateException e) { return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } } } } /* * Get optional trust domain name from UseKeyWith */ if (body.getQueryKeyBinding().getUseKeyWith().size() > 0) { for (UseKeyWithType useKeyWith : body.getQueryKeyBinding().getUseKeyWith()) { if (useKeyWith.getApplication().equals(XKMSConstants.TRUST_DOMAIN_APPLICATION_URI)) { trustDomain = useKeyWith.getIdentifier(); LOG.debug("validate against trust domain " + trustDomain); } } } /* * Get optional returning of used revocation data from RespondWith */ if (body.getRespondWith().contains(XKMSConstants.RETURN_REVOCATION_DATA_URI)) { LOG.debug("will return used revocation data..."); returnRevocationData = true; } /* * Get optional validation date from TimeInstant field for historical * validation */ if (null != body.getQueryKeyBinding().getTimeInstant()) { validationDate = getDate(body.getQueryKeyBinding().getTimeInstant().getTime()); } /* * Check for message extensions, these can be: * * RevocatioDataMessageExtension: historical validation, contains to be * used OCSP/CRL data * * TSAMessageExtension: TSA validation, contains encoded XAdES timestamp * token * * AttributeCertificateMessageExtension: Attribute certificate * validation, contains XAdES CertifiedRole element containing the * encoded Attribute certificate */ for (MessageExtensionAbstractType messageExtension : body.getMessageExtension()) { if (messageExtension instanceof RevocationDataMessageExtensionType) { RevocationDataMessageExtensionType revocationDataMessageExtension = (RevocationDataMessageExtensionType) messageExtension; parseRevocationDataExtension(revocationDataMessageExtension, ocspResponses, crls); } else if (messageExtension instanceof TSAMessageExtensionType) { TSAMessageExtensionType tsaMessageExtension = (TSAMessageExtensionType) messageExtension; timestampToken = parseTSAExtension(tsaMessageExtension); } else if (messageExtension instanceof AttributeCertificateMessageExtensionType) { AttributeCertificateMessageExtensionType attributeCertificateMessageExtension = (AttributeCertificateMessageExtensionType) messageExtension; parseAttributeCertificateExtension(attributeCertificateMessageExtension, attributeCertificates); } else { LOG.error("invalid message extension: " + messageExtension.getClass().toString()); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } } /* * Check gathered data */ if (null != validationDate && ocspResponses.isEmpty() && crls.isEmpty()) { LOG.error("Historical validation requested but no revocation data provided"); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } else if (null != timestampToken && !certificateChain.isEmpty()) { LOG.error("Cannot both add a timestamp token and a seperate certificate chain"); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } else if (!attributeCertificates.isEmpty() && certificateChain.isEmpty()) { LOG.error("No certificate chain provided for the attribute certificates"); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } else if (body.getMessageExtension().size() > 1) { LOG.error("Only 1 message extension at a time is supported"); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } /* * Validate! */ ValidationResult validationResult; try { if (null != timestampToken) { validationResult = this.trustService.validateTimestamp(trustDomain, timestampToken, returnRevocationData); } else if (!attributeCertificates.isEmpty()) { validationResult = this.trustService.validateAttributeCertificates(trustDomain, attributeCertificates, certificateChain, returnRevocationData); } else if (null == validationDate) { validationResult = this.trustService.validate(trustDomain, certificateChain, returnRevocationData); } else { validationResult = this.trustService.validate(trustDomain, certificateChain, validationDate, ocspResponses, crls); } } catch (TrustDomainNotFoundException e) { LOG.error("invalid trust domain"); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.TRUST_DOMAIN_NOT_FOUND); } catch (CRLException e) { LOG.error("CRLException: " + e.getMessage(), e); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } catch (IOException e) { LOG.error("IOException: " + e.getMessage(), e); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } catch (CertificateException e) { LOG.error("CertificateException: " + e.getMessage(), e); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } catch (NoSuchProviderException e) { LOG.error("NoSuchProviderException: " + e.getMessage(), e); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } catch (TSPException e) { LOG.error("TSPException: " + e.getMessage(), e); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } catch (CMSException e) { LOG.error("CMSException: " + e.getMessage(), e); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } catch (NoSuchAlgorithmException e) { LOG.error("NoSuchAlgorithmException: " + e.getMessage(), e); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } catch (CertStoreException e) { LOG.error("CertStoreException: " + e.getMessage(), e); return createResultResponse(ResultMajorCode.SENDER, ResultMinorCode.MESSAGE_NOT_SUPPORTED); } /* * Create validation result response */ ValidateResultType validateResult = createResultResponse(ResultMajorCode.SUCCESS, null); ObjectFactory objectFactory = new ObjectFactory(); List<KeyBindingType> keyBindings = validateResult.getKeyBinding(); KeyBindingType keyBinding = objectFactory.createKeyBindingType(); keyBindings.add(keyBinding); StatusType status = objectFactory.createStatusType(); keyBinding.setStatus(status); String statusValue; if (validationResult.isValid()) { statusValue = XKMSConstants.KEY_BINDING_STATUS_VALID_URI; } else { statusValue = XKMSConstants.KEY_BINDING_STATUS_INVALID_URI; } status.setStatusValue(statusValue); /* * Add InvalidReason URI's */ if (!validationResult.isValid()) { switch (validationResult.getReason()) { case INVALID_TRUST: { status.getInvalidReason().add(XKMSConstants.KEY_BINDING_REASON_ISSUER_TRUST_URI); break; } case INVALID_REVOCATION_STATUS: { status.getInvalidReason().add(XKMSConstants.KEY_BINDING_REASON_REVOCATION_STATUS_URI); break; } case INVALID_SIGNATURE: { status.getInvalidReason().add(XKMSConstants.KEY_BINDING_REASON_SIGNATURE_URI); break; } case INVALID_VALIDITY_INTERVAL: { status.getInvalidReason().add(XKMSConstants.KEY_BINDING_REASON_VALIDITY_INTERVAL_URI); break; } } } /* * Add used revocation data if requested */ if (returnRevocationData) { addRevocationData(validateResult, validationResult.getRevocationData()); } return validateResult; }
From source file:org.dogtagpki.server.rest.UserService.java
/** * Adds a certificate to a user/* w w w. j a va2 s . com*/ * <P> * * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/ * ui/admin-protocol-definition.html#user-admin * <P> * * <ul> * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under * users/groups) * </ul> */ @Override public Response addUserCert(String userID, UserCertData userCertData) { if (userCertData == null) throw new BadRequestException("Certificate data is null."); // ensure that any low-level exceptions are reported // to the signed audit log and stored as failures try { if (userID == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID", headers)); } IUser user = userGroupManager.createUser(userID); String encoded = userCertData.getEncoded(); // no cert is a success if (encoded == null) { auditAddUserCert(userID, userCertData, ILogger.SUCCESS); return createOKResponse(); } // only one cert added per operation X509Certificate cert = null; // Base64 decode cert byte binaryCert[] = Cert.parseCertificate(encoded); try { cert = new X509CertImpl(binaryCert); } catch (CertificateException e) { CMS.debug("UserService: Submitted data is not an X.509 certificate: " + e); // ignore } if (cert == null) { // TODO: Remove this code. Importing PKCS #7 is not supported. // cert chain direction boolean assending = true; // could it be a pkcs7 blob? CMS.debug("UserService: " + CMS.getLogMessage("ADMIN_SRVLT_IS_PK_BLOB")); try { CryptoManager manager = CryptoManager.getInstance(); PKCS7 pkcs7 = new PKCS7(binaryCert); X509Certificate p7certs[] = pkcs7.getCertificates(); if (p7certs.length == 0) { CMS.debug("UserService: PKCS #7 data contains no certificates"); throw new BadRequestException("PKCS #7 data contains no certificates"); } // fix for 370099 - cert ordering can not be assumed // find out the ordering ... // self-signed and alone? take it. otherwise test // the ordering if (p7certs[0].getSubjectDN().toString().equals(p7certs[0].getIssuerDN().toString()) && (p7certs.length == 1)) { cert = p7certs[0]; CMS.debug("UserService: " + CMS.getLogMessage("ADMIN_SRVLT_SINGLE_CERT_IMPORT")); } else if (p7certs[0].getIssuerDN().toString().equals(p7certs[1].getSubjectDN().toString())) { cert = p7certs[0]; CMS.debug("UserService: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_CHAIN_ACEND_ORD")); } else if (p7certs[1].getIssuerDN().toString().equals(p7certs[0].getSubjectDN().toString())) { assending = false; CMS.debug("UserService: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_CHAIN_DESC_ORD")); cert = p7certs[p7certs.length - 1]; } else { // not a chain, or in random order CMS.debug("UserService: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_BAD_CHAIN")); throw new BadRequestException(getUserMessage("CMS_USRGRP_SRVLT_CERT_ERROR", headers)); } CMS.debug("UserService: " + CMS.getLogMessage("ADMIN_SRVLT_CHAIN_STORED_DB", String.valueOf(p7certs.length))); int j = 0; int jBegin = 0; int jEnd = 0; if (assending == true) { jBegin = 1; jEnd = p7certs.length; } else { jBegin = 0; jEnd = p7certs.length - 1; } // store the chain into cert db, except for the user cert for (j = jBegin; j < jEnd; j++) { CMS.debug("UserService: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_IN_CHAIN", String.valueOf(j), String.valueOf(p7certs[j].getSubjectDN()))); org.mozilla.jss.crypto.X509Certificate leafCert = manager .importCACertPackage(p7certs[j].getEncoded()); if (leafCert == null) { CMS.debug("UserService: missing leaf certificate"); log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_LEAF_CERT_NULL")); } else { CMS.debug("UserService: " + CMS.getLogMessage("ADMIN_SRVLT_LEAF_CERT_NON_NULL")); } if (leafCert instanceof InternalCertificate) { ((InternalCertificate) leafCert).setSSLTrust(InternalCertificate.VALID_CA | InternalCertificate.TRUSTED_CA | InternalCertificate.TRUSTED_CLIENT_CA); } else { log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NOT_INTERNAL_CERT", String.valueOf(p7certs[j].getSubjectDN()))); } } /* } catch (CryptoManager.UserCertConflictException e) { // got a "user cert" in the chain, most likely the CA // cert of this instance, which has a private key. Ignore log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_PKS7_IGNORED", e.toString())); */ } catch (PKIException e) { CMS.debug("UserService: Unable to import user certificate from PKCS #7 data: " + e); log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_ERROR", e.toString())); throw e; } catch (Exception e) { CMS.debug(e); log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_ERROR", e.toString())); throw new PKIException("Unable to import user certificate from PKCS #7 data: " + e.getMessage(), e); } } try { CMS.debug("UserService: " + CMS.getLogMessage("ADMIN_SRVLT_BEFORE_VALIDITY")); cert.checkValidity(); // throw exception if fails user.setX509Certificates(new X509Certificate[] { cert }); userGroupManager.addUserCert(user); auditAddUserCert(userID, userCertData, ILogger.SUCCESS); // read the data back userCertData.setVersion(cert.getVersion()); userCertData.setSerialNumber(new CertId(cert.getSerialNumber())); userCertData.setIssuerDN(cert.getIssuerDN().toString()); userCertData.setSubjectDN(cert.getSubjectDN().toString()); String certID = userCertData.getID(); userCertData = getUserCertData(userID, URLEncoder.encode(certID, "UTF-8")); return createCreatedResponse(userCertData, userCertData.getLink().getHref()); } catch (CertificateExpiredException e) { CMS.debug("UserService: Certificate expired: " + e); log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_CERT_EXPIRED", String.valueOf(cert.getSubjectDN()))); throw new BadRequestException("Certificate expired: " + e.getMessage(), e); } catch (CertificateNotYetValidException e) { CMS.debug("UserService: Certificate not yet valid: " + e); log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_NOT_YET_VALID", String.valueOf(cert.getSubjectDN()))); throw new BadRequestException("Certificate not yet valid: " + e.getMessage(), e); } } catch (PKIException e) { CMS.debug("UserService: Unable to import user certificate: " + e); auditAddUserCert(userID, userCertData, ILogger.FAILURE); throw e; } catch (Exception e) { CMS.debug(e); log(ILogger.LL_FAILURE, e.toString()); auditAddUserCert(userID, userCertData, ILogger.FAILURE); throw new PKIException("Unable to import user certificate: " + e.getMessage(), e); } }