List of usage examples for org.bouncycastle.asn1 ASN1Integer getInstance
public static ASN1Integer getInstance(Object obj)
From source file:org.xipki.ocsp.server.impl.certstore.CrlCertStatusStore.java
License:Open Source License
private synchronized void initializeStore(final boolean force) { Boolean updateCRLSuccessfull = null; try {//from ww w.jav a2 s . c o m File fullCrlFile = new File(crlFilename); if (fullCrlFile.exists() == false) { // file does not exist LOG.warn("CRL File {} does not exist", crlFilename); return; } long newLastModifed = fullCrlFile.lastModified(); boolean deltaCrlExists; File deltaCrlFile = null; if (deltaCrlFilename != null) { deltaCrlFile = new File(deltaCrlFilename); deltaCrlExists = deltaCrlFile.exists(); } else { deltaCrlExists = false; } long newLastModifedOfDeltaCrl = deltaCrlExists ? deltaCrlFile.lastModified() : 0; if (force == false) { long now = System.currentTimeMillis(); if (newLastModifed != lastmodifiedOfCrlFile) { if (now - newLastModifed < 5000) { return; // still in copy process } } if (deltaCrlExists) { if (newLastModifedOfDeltaCrl != lastModifiedOfDeltaCrlFile) { if (now - newLastModifed < 5000) { return; // still in copy process } } } } // end if(force) byte[] newFp = sha1Fp(fullCrlFile); boolean crlFileChanged = Arrays.equals(newFp, fpOfCrlFile) == false; if (crlFileChanged == false) { auditLogPCIEvent(AuditLevel.INFO, "UPDATE_CERTSTORE", "current CRL is still up-to-date"); return; } byte[] newFpOfDeltaCrl = deltaCrlExists ? sha1Fp(deltaCrlFile) : null; boolean deltaCrlFileChanged = Arrays.equals(newFpOfDeltaCrl, fpOfDeltaCrlFile) == false; if (crlFileChanged == false && deltaCrlFileChanged == false) { return; } if (crlFileChanged) { LOG.info("CRL file {} has changed, updating of the CertStore required", crlFilename); } if (deltaCrlFileChanged) { LOG.info("DeltaCRL file {} has changed, updating of the CertStore required", deltaCrlFilename); } auditLogPCIEvent(AuditLevel.INFO, "UPDATE_CERTSTORE", "a newer version of CRL is available"); updateCRLSuccessfull = false; X509CRL crl = X509Util.parseCRL(crlFilename); BigInteger crlNumber; { byte[] octetString = crl.getExtensionValue(Extension.cRLNumber.getId()); if (octetString != null) { byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); crlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } else { crlNumber = null; } } X500Principal issuer = crl.getIssuerX500Principal(); boolean caAsCrlIssuer = true; if (caCert.getSubjectX500Principal().equals(issuer) == false) { caAsCrlIssuer = false; if (issuerCert == null) { throw new IllegalArgumentException("issuerCert could not be null"); } if (issuerCert.getSubjectX500Principal().equals(issuer) == false) { throw new IllegalArgumentException("The issuerCert and CRL do not match"); } } X509Certificate crlSignerCert = caAsCrlIssuer ? caCert : issuerCert; try { crl.verify(crlSignerCert.getPublicKey()); } catch (Exception e) { throw new CertStatusStoreException(e.getMessage(), e); } X509CRL deltaCrl = null; BigInteger deltaCrlNumber = null; BigInteger baseCrlNumber = null; if (deltaCrlExists) { if (crlNumber == null) { throw new CertStatusStoreException("baseCRL does not contains CRLNumber"); } deltaCrl = X509Util.parseCRL(deltaCrlFilename); byte[] octetString = deltaCrl.getExtensionValue(Extension.deltaCRLIndicator.getId()); if (octetString == null) { deltaCrl = null; LOG.warn("{} is a full CRL instead of delta CRL, ignore it", deltaCrlFilename); } else { byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); if (baseCrlNumber.equals(crlNumber) == false) { deltaCrl = null; LOG.info("{} is not a deltaCRL for the CRL {}, ignore it", deltaCrlFilename, crlFilename); } else { octetString = deltaCrl.getExtensionValue(Extension.cRLNumber.getId()); extnValue = DEROctetString.getInstance(octetString).getOctets(); deltaCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } } } if (crlFileChanged == false && deltaCrl == null) { return; } Date newThisUpdate; Date newNextUpdate; if (deltaCrl != null) { LOG.info("try to update CRL with CRLNumber={} and DeltaCRL with CRLNumber={}", crlNumber, deltaCrlNumber); newThisUpdate = deltaCrl.getThisUpdate(); newNextUpdate = deltaCrl.getNextUpdate(); } else { newThisUpdate = crl.getThisUpdate(); newNextUpdate = crl.getNextUpdate(); } // Construct CrlID ASN1EncodableVector v = new ASN1EncodableVector(); if (StringUtil.isNotBlank(crlUrl)) { v.add(new DERTaggedObject(true, 0, new DERIA5String(crlUrl, true))); } byte[] extValue = (deltaCrlExists ? deltaCrl : crl).getExtensionValue(Extension.cRLNumber.getId()); if (extValue != null) { ASN1Integer asn1CrlNumber = ASN1Integer.getInstance(removeTagAndLenFromExtensionValue(extValue)); v.add(new DERTaggedObject(true, 1, asn1CrlNumber)); } v.add(new DERTaggedObject(true, 2, new DERGeneralizedTime(newThisUpdate))); this.crlID = CrlID.getInstance(new DERSequence(v)); byte[] encodedCaCert; try { encodedCaCert = caCert.getEncoded(); } catch (CertificateEncodingException e) { throw new CertStatusStoreException(e.getMessage(), e); } Certificate bcCaCert = Certificate.getInstance(encodedCaCert); byte[] encodedName; try { encodedName = bcCaCert.getSubject().getEncoded("DER"); } catch (IOException e) { throw new CertStatusStoreException(e.getMessage(), e); } byte[] encodedKey = bcCaCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); Map<HashAlgoType, IssuerHashNameAndKey> newIssuerHashMap = new ConcurrentHashMap<>(); for (HashAlgoType hashAlgo : HashAlgoType.values()) { byte[] issuerNameHash = HashCalculator.hash(hashAlgo, encodedName); byte[] issuerKeyHash = HashCalculator.hash(hashAlgo, encodedKey); IssuerHashNameAndKey issuerHash = new IssuerHashNameAndKey(hashAlgo, issuerNameHash, issuerKeyHash); newIssuerHashMap.put(hashAlgo, issuerHash); } X500Name caName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); // extract the certificate, only in full CRL, not in delta CRL boolean certsIncluded = false; Set<CertWithInfo> certs = new HashSet<>(); String oidExtnCerts = ObjectIdentifiers.id_xipki_ext_crlCertset.getId(); byte[] extnValue = crl.getExtensionValue(oidExtnCerts); if (extnValue == null) { // try the legacy OID extnValue = crl.getExtensionValue("1.3.6.1.4.1.12655.100"); } if (extnValue != null) { extnValue = removeTagAndLenFromExtensionValue(extnValue); certsIncluded = true; ASN1Set asn1Set = DERSet.getInstance(extnValue); int n = asn1Set.size(); for (int i = 0; i < n; i++) { ASN1Encodable asn1 = asn1Set.getObjectAt(i); Certificate bcCert; String profileName = null; try { ASN1Sequence seq = ASN1Sequence.getInstance(asn1); bcCert = Certificate.getInstance(seq.getObjectAt(0)); if (seq.size() > 1) { profileName = DERUTF8String.getInstance(seq.getObjectAt(1)).getString(); } } catch (IllegalArgumentException e) { // backwards compatibility bcCert = Certificate.getInstance(asn1); } if (caName.equals(bcCert.getIssuer()) == false) { throw new CertStatusStoreException("invalid entry in CRL Extension certs"); } if (profileName == null) { profileName = "UNKNOWN"; } certs.add(new CertWithInfo(bcCert, profileName)); } } if (certsDirname != null) { if (extnValue != null) { LOG.warn("ignore certsDir '{}', since certificates are included in CRL Extension certs", certsDirname); } else { certsIncluded = true; Set<CertWithInfo> tmpCerts = readCertWithInfosFromDir(caCert, certsDirname); certs.addAll(tmpCerts); } } Map<BigInteger, CrlCertStatusInfo> newCertStatusInfoMap = new ConcurrentHashMap<>(); // First consider only full CRL Set<? extends X509CRLEntry> revokedCertListInFullCRL = crl.getRevokedCertificates(); if (revokedCertListInFullCRL != null) { for (X509CRLEntry revokedCert : revokedCertListInFullCRL) { X500Principal thisIssuer = revokedCert.getCertificateIssuer(); if (thisIssuer != null && caCert.getSubjectX500Principal().equals(thisIssuer) == false) { throw new CertStatusStoreException("invalid CRLEntry"); } } } Set<? extends X509CRLEntry> revokedCertListInDeltaCRL = null; if (deltaCrl != null) { revokedCertListInDeltaCRL = deltaCrl.getRevokedCertificates(); if (revokedCertListInDeltaCRL != null) { for (X509CRLEntry revokedCert : revokedCertListInDeltaCRL) { X500Principal thisIssuer = revokedCert.getCertificateIssuer(); if (thisIssuer != null && caCert.getSubjectX500Principal().equals(thisIssuer) == false) { throw new CertStatusStoreException("invalid CRLEntry"); } } } } Map<BigInteger, X509CRLEntry> revokedCertMap = null; // merge the revoked list if (CollectionUtil.isNotEmpty(revokedCertListInDeltaCRL)) { revokedCertMap = new HashMap<BigInteger, X509CRLEntry>(); for (X509CRLEntry entry : revokedCertListInFullCRL) { revokedCertMap.put(entry.getSerialNumber(), entry); } for (X509CRLEntry entry : revokedCertListInDeltaCRL) { BigInteger serialNumber = entry.getSerialNumber(); java.security.cert.CRLReason reason = entry.getRevocationReason(); if (reason == java.security.cert.CRLReason.REMOVE_FROM_CRL) { revokedCertMap.remove(serialNumber); } else { revokedCertMap.put(serialNumber, entry); } } } Iterator<? extends X509CRLEntry> it = null; if (revokedCertMap != null) { it = revokedCertMap.values().iterator(); } else if (revokedCertListInFullCRL != null) { it = revokedCertListInFullCRL.iterator(); } if (it != null) { while (it.hasNext()) { X509CRLEntry revokedCert = it.next(); BigInteger serialNumber = revokedCert.getSerialNumber(); byte[] encodedExtnValue = revokedCert.getExtensionValue(Extension.reasonCode.getId()); int reasonCode; if (encodedExtnValue != null) { ASN1Enumerated enumerated = ASN1Enumerated .getInstance(removeTagAndLenFromExtensionValue(encodedExtnValue)); reasonCode = enumerated.getValue().intValue(); } else { reasonCode = CRLReason.UNSPECIFIED.getCode(); } Date revTime = revokedCert.getRevocationDate(); Date invalidityTime = null; extnValue = revokedCert.getExtensionValue(Extension.invalidityDate.getId()); if (extnValue != null) { extnValue = removeTagAndLenFromExtensionValue(extnValue); ASN1GeneralizedTime gTime = DERGeneralizedTime.getInstance(extnValue); try { invalidityTime = gTime.getDate(); } catch (ParseException e) { throw new CertStatusStoreException(e.getMessage(), e); } if (revTime.equals(invalidityTime)) { invalidityTime = null; } } CertWithInfo cert = null; if (certsIncluded) { for (CertWithInfo bcCert : certs) { if (bcCert.cert.getIssuer().equals(caName) && bcCert.cert.getSerialNumber().getPositiveValue().equals(serialNumber)) { cert = bcCert; break; } } if (cert == null) { LOG.info("could not find certificate (issuer = '{}', serialNumber = '{}'", X509Util.getRFC4519Name(caName), serialNumber); } else { certs.remove(cert); } } Map<HashAlgoType, byte[]> certHashes = (cert == null) ? null : getCertHashes(cert.cert); CertRevocationInfo revocationInfo = new CertRevocationInfo(reasonCode, revTime, invalidityTime); CrlCertStatusInfo crlCertStatusInfo = CrlCertStatusInfo.getRevokedCertStatusInfo(revocationInfo, (cert == null) ? null : cert.profileName, certHashes); newCertStatusInfoMap.put(serialNumber, crlCertStatusInfo); } // end while(it.hasNext()) } // end if(it) for (CertWithInfo cert : certs) { Map<HashAlgoType, byte[]> certHashes = getCertHashes(cert.cert); CrlCertStatusInfo crlCertStatusInfo = CrlCertStatusInfo.getGoodCertStatusInfo(cert.profileName, certHashes); newCertStatusInfoMap.put(cert.cert.getSerialNumber().getPositiveValue(), crlCertStatusInfo); } this.initialized = false; this.lastmodifiedOfCrlFile = newLastModifed; this.fpOfCrlFile = newFp; this.lastModifiedOfDeltaCrlFile = newLastModifedOfDeltaCrl; this.fpOfDeltaCrlFile = newFpOfDeltaCrl; this.issuerHashMap.clear(); this.issuerHashMap.putAll(newIssuerHashMap); this.certStatusInfoMap.clear(); this.certStatusInfoMap.putAll(newCertStatusInfoMap); this.thisUpdate = newThisUpdate; this.nextUpdate = newNextUpdate; this.initializationFailed = false; this.initialized = true; updateCRLSuccessfull = true; LOG.info("updated CertStore {}", getName()); } catch (Exception e) { final String message = "could not execute initializeStore()"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); initializationFailed = true; initialized = true; } finally { if (updateCRLSuccessfull != null) { AuditLevel auditLevel; AuditStatus auditStatus; String eventType = "UPDATE_CRL"; if (updateCRLSuccessfull) { auditLevel = AuditLevel.INFO; auditStatus = AuditStatus.FAILED; } else { auditLevel = AuditLevel.ERROR; auditStatus = AuditStatus.SUCCESSFUL; } auditLogPCIEvent(auditLevel, eventType, auditStatus.name()); } } }
From source file:org.xipki.pki.ca.api.profile.x509.BaseX509Certprofile.java
License:Open Source License
@Override public SubjectPublicKeyInfo checkPublicKey(final SubjectPublicKeyInfo publicKey) throws BadCertTemplateException { ParamUtil.requireNonNull("publicKey", publicKey); Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = getKeyAlgorithms(); if (CollectionUtil.isEmpty(keyAlgorithms)) { return publicKey; }// ww w. j av a 2 s . c o m ASN1ObjectIdentifier keyType = publicKey.getAlgorithm().getAlgorithm(); if (!keyAlgorithms.containsKey(keyType)) { throw new BadCertTemplateException("key type " + keyType.getId() + " is not permitted"); } KeyParametersOption keyParamsOption = keyAlgorithms.get(keyType); if (keyParamsOption instanceof AllowAllParametersOption) { return publicKey; } else if (keyParamsOption instanceof ECParamatersOption) { ECParamatersOption ecOption = (ECParamatersOption) keyParamsOption; // parameters ASN1Encodable algParam = publicKey.getAlgorithm().getParameters(); ASN1ObjectIdentifier curveOid; if (algParam instanceof ASN1ObjectIdentifier) { curveOid = (ASN1ObjectIdentifier) algParam; if (!ecOption.allowsCurve(curveOid)) { throw new BadCertTemplateException(String.format("EC curve %s (OID: %s) is not allowed", AlgorithmUtil.getCurveName(curveOid), curveOid.getId())); } } else { throw new BadCertTemplateException("only namedCurve EC public key is supported"); } // point encoding if (ecOption.getPointEncodings() != null) { byte[] keyData = publicKey.getPublicKeyData().getBytes(); if (keyData.length < 1) { throw new BadCertTemplateException("invalid publicKeyData"); } byte pointEncoding = keyData[0]; if (!ecOption.getPointEncodings().contains(pointEncoding)) { throw new BadCertTemplateException( String.format("not accepted EC point encoding '%s'", pointEncoding)); } } byte[] keyData = publicKey.getPublicKeyData().getBytes(); try { checkEcSubjectPublicKeyInfo(curveOid, keyData); } catch (BadCertTemplateException ex) { throw ex; } catch (Exception ex) { LogUtil.warn(LOG, ex, "checkEcSubjectPublicKeyInfo"); throw new BadCertTemplateException(String.format("invalid public key: %s", ex.getMessage())); } return publicKey; } else if (keyParamsOption instanceof RSAParametersOption) { RSAParametersOption rsaOption = (RSAParametersOption) keyParamsOption; ASN1Integer modulus; try { ASN1Sequence seq = ASN1Sequence.getInstance(publicKey.getPublicKeyData().getBytes()); modulus = ASN1Integer.getInstance(seq.getObjectAt(0)); } catch (IllegalArgumentException ex) { throw new BadCertTemplateException("invalid publicKeyData"); } int modulusLength = modulus.getPositiveValue().bitLength(); if ((rsaOption.allowsModulusLength(modulusLength))) { return publicKey; } } else if (keyParamsOption instanceof DSAParametersOption) { DSAParametersOption dsaOption = (DSAParametersOption) keyParamsOption; ASN1Encodable params = publicKey.getAlgorithm().getParameters(); if (params == null) { throw new BadCertTemplateException("null Dss-Parms is not permitted"); } int plength; int qlength; try { ASN1Sequence seq = ASN1Sequence.getInstance(params); ASN1Integer rsaP = ASN1Integer.getInstance(seq.getObjectAt(0)); ASN1Integer rsaQ = ASN1Integer.getInstance(seq.getObjectAt(1)); plength = rsaP.getPositiveValue().bitLength(); qlength = rsaQ.getPositiveValue().bitLength(); } catch (IllegalArgumentException | ArrayIndexOutOfBoundsException ex) { throw new BadCertTemplateException("illegal Dss-Parms"); } boolean match = dsaOption.allowsPlength(plength); if (match) { match = dsaOption.allowsQlength(qlength); } if (match) { return publicKey; } } else { throw new RuntimeException( String.format("should not reach here, unknown KeyParametersOption %s", keyParamsOption)); } throw new BadCertTemplateException("the given publicKey is not permitted"); }
From source file:org.xipki.pki.ca.client.impl.CmpRequestor.java
License:Open Source License
protected ASN1Encodable extractXipkiActionContent(final ASN1Encodable itvValue, final int action) throws CmpRequestorException { ParamUtil.requireNonNull("itvValue", itvValue); ASN1Sequence seq;/*from w w w .j a v a2s .c o m*/ try { seq = ASN1Sequence.getInstance(itvValue); } catch (IllegalArgumentException ex) { throw new CmpRequestorException("invalid syntax of the response"); } int size = seq.size(); if (size != 1 && size != 2) { throw new CmpRequestorException("invalid syntax of the response"); } int tmpAction; try { tmpAction = ASN1Integer.getInstance(seq.getObjectAt(0)).getPositiveValue().intValue(); } catch (IllegalArgumentException ex) { throw new CmpRequestorException("invalid syntax of the response"); } if (action != tmpAction) { throw new CmpRequestorException( "received XiPKI action '" + tmpAction + "' instead the expected '" + action + "'"); } return (size == 1) ? null : seq.getObjectAt(1); }
From source file:org.xipki.pki.ca.client.shell.GetCrlCmd.java
License:Open Source License
@Override protected Object doExecute() throws Exception { Set<String> caNames = caClient.getCaNames(); if (isEmpty(caNames)) { throw new IllegalCmdParamException("no CA is configured"); }/* w w w. j a v a 2s. c o m*/ if (caName != null && !caNames.contains(caName)) { throw new IllegalCmdParamException("CA " + caName + " is not within the configured CAs " + caNames); } if (caName == null) { if (caNames.size() == 1) { caName = caNames.iterator().next(); } else { throw new IllegalCmdParamException("no CA is specified, one of " + caNames + " is required"); } } X509CRL crl = null; try { crl = retrieveCrl(); } catch (PkiErrorException ex) { throw new CmdFailure("received no CRL from server: " + ex.getMessage()); } if (crl == null) { throw new CmdFailure("received no CRL from server"); } saveVerbose("saved CRL to file", new File(outFile), crl.getEncoded()); if (!withBaseCrl.booleanValue()) { return null; } byte[] octetString = crl.getExtensionValue(Extension.deltaCRLIndicator.getId()); if (octetString == null) { return null; } if (baseCrlOut == null) { baseCrlOut = outFile + "-baseCRL"; } byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); BigInteger baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); RequestResponseDebug debug = getRequestResponseDebug(); try { crl = caClient.downloadCrl(caName, baseCrlNumber, debug); } catch (PkiErrorException ex) { throw new CmdFailure("received no baseCRL from server: " + ex.getMessage()); } finally { saveRequestResponse(debug); } if (crl == null) { throw new CmdFailure("received no baseCRL from server"); } saveVerbose("saved baseCRL to file", new File(baseCrlOut), crl.getEncoded()); return null; }
From source file:org.xipki.pki.ca.dbtool.port.CaCertStoreDbExporter.java
License:Open Source License
private void doExportEntries(final CaDbEntryType type, final CertStoreType certstore, final File processLogFile, final FileOutputStream filenameListOs, final Long idProcessedInLastProcess) throws Exception { final int numEntriesPerSelect = Math.max(1, Math.round(type.getSqlBatchFactor() * numCertsPerSelect)); final int numEntriesPerZip = Math.max(1, Math.round(type.getSqlBatchFactor() * numCertsInBundle)); final File entriesDir = new File(baseDir, type.getDirName()); final String tableName = type.getTableName(); int numProcessedBefore; String coreSql;/*from ww w . j a v a 2 s .com*/ switch (type) { case CERT: numProcessedBefore = certstore.getCountCerts(); coreSql = "ID,SN,CA_ID,PID,RID,ART,RTYPE,TID,UNAME,LUPDATE,REV,RR,RT,RIT,FP_RS," + "REQ_SUBJECT,CERT FROM CERT INNER JOIN CRAW ON CERT.ID>=? " + "AND CERT.ID=CRAW.CID"; break; case CRL: numProcessedBefore = certstore.getCountCrls(); coreSql = "ID,CA_ID,CRL FROM CRL WHERE ID>=?"; break; case USER: numProcessedBefore = certstore.getCountUsers(); coreSql = "ID,NAME,PASSWORD,CN_REGEX FROM USERNAME WHERE ID>=?"; break; case REQUEST: numProcessedBefore = certstore.getCountRequests(); coreSql = "ID,LUPDATE,DATA FROM REQUEST WHERE ID>=?"; break; case REQCERT: numProcessedBefore = certstore.getCountReqCerts(); coreSql = "ID,RID,CID FROM REQCERT WHERE ID>=?"; break; default: throw new RuntimeException("unknown CaDbEntryType " + type); } Long minId = null; if (idProcessedInLastProcess != null) { minId = idProcessedInLastProcess + 1; } else { minId = getMin(tableName, "ID"); } String tablesText = (CaDbEntryType.CERT == type) ? "tables " + tableName + " and CRAW" : "table " + type.getTableName(); System.out.println(getExportingText() + tablesText + " from ID " + minId); final long maxId = getMax(tableName, "ID"); long total = getCount(tableName) - numProcessedBefore; if (total < 1) { total = 1; // to avoid exception } String sql = datasource.buildSelectFirstSql(coreSql, numEntriesPerSelect, "ID ASC"); DbiXmlWriter entriesInCurrentFile = createWriter(type); PreparedStatement ps = prepareStatement(sql.toString()); int numEntriesInCurrentFile = 0; int sum = 0; File currentEntriesZipFile = new File(baseDir, "tmp-" + type.getDirName() + "-" + System.currentTimeMillis() + ".zip"); ZipOutputStream currentEntriesZip = getZipOutputStream(currentEntriesZipFile); long minIdOfCurrentFile = -1; long maxIdOfCurrentFile = -1; ProcessLog processLog = new ProcessLog(total); processLog.printHeader(); try { Long id = null; boolean interrupted = false; long lastMaxId = minId - 1; while (true) { if (stopMe.get()) { interrupted = true; break; } ps.setLong(1, lastMaxId + 1); ResultSet rs = ps.executeQuery(); // no entries anymore if (!rs.next()) { break; } do { id = rs.getLong("ID"); if (lastMaxId < id) { lastMaxId = id; } if (minIdOfCurrentFile == -1) { minIdOfCurrentFile = id; } else if (minIdOfCurrentFile > id) { minIdOfCurrentFile = id; } if (maxIdOfCurrentFile == -1) { maxIdOfCurrentFile = id; } else if (maxIdOfCurrentFile < id) { maxIdOfCurrentFile = id; } if (CaDbEntryType.CERT == type) { String b64Cert = rs.getString("CERT"); byte[] certBytes = Base64.decode(b64Cert); String sha1 = HashAlgoType.SHA1.hexHash(certBytes); String certFileName = sha1 + ".der"; if (!evaulateOnly) { ZipEntry certZipEntry = new ZipEntry(certFileName); currentEntriesZip.putNextEntry(certZipEntry); try { currentEntriesZip.write(certBytes); } finally { currentEntriesZip.closeEntry(); } } CaCertType cert = new CaCertType(); cert.setId(id); byte[] tid = null; int art = rs.getInt("ART"); int reqType = rs.getInt("RTYPE"); String str = rs.getString("TID"); if (StringUtil.isNotBlank(str)) { tid = Base64.decode(str); } cert.setArt(art); cert.setReqType(reqType); if (tid != null) { cert.setTid(Base64.toBase64String(tid)); } int cainfoId = rs.getInt("CA_ID"); cert.setCaId(cainfoId); String serial = rs.getString("SN"); cert.setSn(serial); int certprofileId = rs.getInt("PID"); cert.setPid(certprofileId); int requestorinfoId = rs.getInt("RID"); if (requestorinfoId != 0) { cert.setRid(requestorinfoId); } long lastUpdate = rs.getLong("LUPDATE"); cert.setUpdate(lastUpdate); boolean revoked = rs.getBoolean("REV"); cert.setRev(revoked); if (revoked) { int revReason = rs.getInt("RR"); long revTime = rs.getLong("RT"); long revInvTime = rs.getLong("RIT"); cert.setRr(revReason); cert.setRt(revTime); if (revInvTime != 0) { cert.setRit(revInvTime); } } String user = rs.getString("UNAME"); if (user != null) { cert.setUser(user); } cert.setFile(certFileName); long fpReqSubject = rs.getLong("FP_RS"); if (fpReqSubject != 0) { cert.setFpRs(fpReqSubject); String reqSubject = rs.getString("REQ_SUBJECT"); cert.setRs(reqSubject); } ((CaCertsWriter) entriesInCurrentFile).add(cert); } else if (CaDbEntryType.CRL == type) { String b64Crl = rs.getString("CRL"); byte[] crlBytes = Base64.decode(b64Crl); X509CRL x509Crl = null; try { x509Crl = X509Util.parseCrl(crlBytes); } catch (Exception ex) { LogUtil.error(LOG, ex, "could not parse CRL with id " + id); if (ex instanceof CRLException) { throw (CRLException) ex; } else { throw new CRLException(ex.getMessage(), ex); } } byte[] octetString = x509Crl.getExtensionValue(Extension.cRLNumber.getId()); if (octetString == null) { LOG.warn("CRL without CRL number, ignore it"); continue; } String sha1 = HashAlgoType.SHA1.hexHash(crlBytes); final String crlFilename = sha1 + ".crl"; if (!evaulateOnly) { ZipEntry certZipEntry = new ZipEntry(crlFilename); currentEntriesZip.putNextEntry(certZipEntry); try { currentEntriesZip.write(crlBytes); } finally { currentEntriesZip.closeEntry(); } } CaCrlType crl = new CaCrlType(); crl.setId(id); int caId = rs.getInt("CA_ID"); crl.setCaId(caId); byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); BigInteger crlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); crl.setCrlNo(crlNumber.toString()); crl.setFile(crlFilename); ((CaCrlsWriter) entriesInCurrentFile).add(crl); } else if (CaDbEntryType.USER == type) { String name = rs.getString("NAME"); CaUserType user = new CaUserType(); user.setId(id); user.setName(name); String password = rs.getString("PASSWORD"); user.setPassword(password); String cnRegex = rs.getString("CN_REGEX"); user.setCnRegex(cnRegex); ((CaUsersWriter) entriesInCurrentFile).add(user); } else if (CaDbEntryType.REQUEST == type) { long update = rs.getLong("LUPDATE"); String b64Data = rs.getString("DATA"); byte[] dataBytes = Base64.decode(b64Data); String sha1 = HashAlgoType.SHA1.hexHash(dataBytes); final String dataFilename = sha1 + ".req"; if (!evaulateOnly) { ZipEntry certZipEntry = new ZipEntry(dataFilename); currentEntriesZip.putNextEntry(certZipEntry); try { currentEntriesZip.write(dataBytes); } finally { currentEntriesZip.closeEntry(); } } CaRequestType entry = new CaRequestType(); entry.setId(id); entry.setUpdate(update); entry.setFile(dataFilename); ((CaRequestsWriter) entriesInCurrentFile).add(entry); } else if (CaDbEntryType.REQCERT == type) { long cid = rs.getLong("CID"); long rid = rs.getLong("RID"); CaRequestCertType entry = new CaRequestCertType(); entry.setId(id); entry.setCid(cid); entry.setRid(rid); ((CaRequestCertsWriter) entriesInCurrentFile).add(entry); } else { throw new RuntimeException("unknown CaDbEntryType " + type); } numEntriesInCurrentFile++; sum++; if (numEntriesInCurrentFile == numEntriesPerZip) { String currentEntriesFilename = buildFilename(type.getDirName() + "_", ".zip", minIdOfCurrentFile, maxIdOfCurrentFile, maxId); finalizeZip(currentEntriesZip, "overview.xml", entriesInCurrentFile); currentEntriesZipFile.renameTo(new File(entriesDir, currentEntriesFilename)); writeLine(filenameListOs, currentEntriesFilename); setCount(type, certstore, numProcessedBefore + sum); echoToFile(tableName + ":" + Long.toString(id), processLogFile); processLog.addNumProcessed(numEntriesInCurrentFile); processLog.printStatus(); // reset entriesInCurrentFile = createWriter(type); numEntriesInCurrentFile = 0; minIdOfCurrentFile = -1; maxIdOfCurrentFile = -1; currentEntriesZipFile = new File(baseDir, "tmp-" + type.getDirName() + "-" + System.currentTimeMillis() + ".zip"); currentEntriesZip = getZipOutputStream(currentEntriesZipFile); } } while (rs.next()); rs.close(); } // end for if (interrupted) { currentEntriesZip.close(); throw new InterruptedException("interrupted by the user"); } if (numEntriesInCurrentFile > 0) { finalizeZip(currentEntriesZip, "overview.xml", entriesInCurrentFile); String currentEntriesFilename = buildFilename(type.getDirName() + "_", ".zip", minIdOfCurrentFile, maxIdOfCurrentFile, maxId); currentEntriesZipFile.renameTo(new File(entriesDir, currentEntriesFilename)); writeLine(filenameListOs, currentEntriesFilename); setCount(type, certstore, numProcessedBefore + sum); if (id != null) { echoToFile(Long.toString(id), processLogFile); } processLog.addNumProcessed(numEntriesInCurrentFile); } else { currentEntriesZip.close(); currentEntriesZipFile.delete(); } } catch (SQLException ex) { throw translate(null, ex); } finally { releaseResources(ps, null); } // end try processLog.printTrailer(); // all successful, delete the processLogFile processLogFile.delete(); System.out.println(getExportedText() + sum + " entries from " + tablesText); }
From source file:org.xipki.pki.ca.dbtool.port.CaCertStoreDbImporter.java
License:Open Source License
private long doImportEntries(final CaDbEntryType type, final String entriesZipFile, final long minId, final File processLogFile, final ProcessLog processLog, final int numProcessedInLastProcess, final PreparedStatement[] statements, final String[] sqls) throws Exception { final int numEntriesPerCommit = Math.max(1, Math.round(type.getSqlBatchFactor() * numCertsPerCommit)); ZipFile zipFile = new ZipFile(new File(entriesZipFile)); ZipEntry entriesXmlEntry = zipFile.getEntry("overview.xml"); DbiXmlReader entries;// w ww . ja v a 2 s . co m try { entries = createReader(type, zipFile.getInputStream(entriesXmlEntry)); } catch (Exception ex) { try { zipFile.close(); } catch (Exception e2) { LOG.error("could not close ZIP file {}: {}", entriesZipFile, e2.getMessage()); LOG.debug("could not close ZIP file " + entriesZipFile, e2); } throw ex; } disableAutoCommit(); try { int numEntriesInBatch = 0; long lastSuccessfulEntryId = 0; while (entries.hasNext()) { if (stopMe.get()) { throw new InterruptedException("interrupted by the user"); } IdentifidDbObjectType entry = (IdentifidDbObjectType) entries.next(); long id = entry.getId(); if (id < minId) { continue; } numEntriesInBatch++; if (CaDbEntryType.CERT == type) { CaCertType cert = (CaCertType) entry; int certArt = (cert.getArt() == null) ? 1 : cert.getArt(); String filename = cert.getFile(); // rawcert ZipEntry certZipEnty = zipFile.getEntry(filename); // rawcert byte[] encodedCert = IoUtil.read(zipFile.getInputStream(certZipEnty)); TBSCertificate tbsCert; try { Certificate cc = Certificate.getInstance(encodedCert); tbsCert = cc.getTBSCertificate(); } catch (RuntimeException ex) { LOG.error("could not parse certificate in file {}", filename); LOG.debug("could not parse certificate in file " + filename, ex); throw new CertificateException(ex.getMessage(), ex); } byte[] encodedKey = tbsCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); String b64Sha1FpCert = HashAlgoType.SHA1.base64Hash(encodedCert); // cert String subjectText = X509Util.cutX500Name(tbsCert.getSubject(), maxX500nameLen); PreparedStatement psCert = statements[0]; PreparedStatement psRawcert = statements[1]; try { int idx = 1; psCert.setLong(idx++, id); psCert.setInt(idx++, certArt); psCert.setLong(idx++, cert.getUpdate()); psCert.setString(idx++, tbsCert.getSerialNumber().getPositiveValue().toString(16)); psCert.setString(idx++, subjectText); long fpSubject = X509Util.fpCanonicalizedName(tbsCert.getSubject()); psCert.setLong(idx++, fpSubject); if (cert.getFpRs() != null) { psCert.setLong(idx++, cert.getFpRs()); } else { psCert.setNull(idx++, Types.BIGINT); } psCert.setLong(idx++, tbsCert.getStartDate().getDate().getTime() / 1000); psCert.setLong(idx++, tbsCert.getEndDate().getDate().getTime() / 1000); setBoolean(psCert, idx++, cert.getRev()); setInt(psCert, idx++, cert.getRr()); setLong(psCert, idx++, cert.getRt()); setLong(psCert, idx++, cert.getRit()); setInt(psCert, idx++, cert.getPid()); setInt(psCert, idx++, cert.getCaId()); setInt(psCert, idx++, cert.getRid()); psCert.setString(idx++, cert.getUser()); psCert.setLong(idx++, FpIdCalculator.hash(encodedKey)); Extension extension = tbsCert.getExtensions().getExtension(Extension.basicConstraints); boolean ee = true; if (extension != null) { ASN1Encodable asn1 = extension.getParsedValue(); ee = !BasicConstraints.getInstance(asn1).isCA(); } psCert.setInt(idx++, ee ? 1 : 0); psCert.setInt(idx++, cert.getReqType()); String tidS = null; if (cert.getTid() != null) { tidS = cert.getTid(); } psCert.setString(idx++, tidS); psCert.addBatch(); } catch (SQLException ex) { throw translate(SQL_ADD_CERT, ex); } try { int idx = 1; psRawcert.setLong(idx++, cert.getId()); psRawcert.setString(idx++, b64Sha1FpCert); psRawcert.setString(idx++, cert.getRs()); psRawcert.setString(idx++, Base64.toBase64String(encodedCert)); psRawcert.addBatch(); } catch (SQLException ex) { throw translate(SQL_ADD_CRAW, ex); } } else if (CaDbEntryType.CRL == type) { PreparedStatement psAddCrl = statements[0]; CaCrlType crl = (CaCrlType) entry; String filename = crl.getFile(); // CRL ZipEntry zipEnty = zipFile.getEntry(filename); // rawcert byte[] encodedCrl = IoUtil.read(zipFile.getInputStream(zipEnty)); X509CRL x509crl = null; try { x509crl = X509Util.parseCrl(encodedCrl); } catch (Exception ex) { LOG.error("could not parse CRL in file {}", filename); LOG.debug("could not parse CRL in file " + filename, ex); if (ex instanceof CRLException) { throw (CRLException) ex; } else { throw new CRLException(ex.getMessage(), ex); } } try { byte[] octetString = x509crl.getExtensionValue(Extension.cRLNumber.getId()); if (octetString == null) { LOG.warn("CRL without CRL number, ignore it"); continue; } byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); // CHECKSTYLE:SKIP BigInteger crlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); BigInteger baseCrlNumber = null; octetString = x509crl.getExtensionValue(Extension.deltaCRLIndicator.getId()); if (octetString != null) { extnValue = DEROctetString.getInstance(octetString).getOctets(); baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } int idx = 1; psAddCrl.setLong(idx++, crl.getId()); psAddCrl.setInt(idx++, crl.getCaId()); psAddCrl.setLong(idx++, crlNumber.longValue()); psAddCrl.setLong(idx++, x509crl.getThisUpdate().getTime() / 1000); if (x509crl.getNextUpdate() != null) { psAddCrl.setLong(idx++, x509crl.getNextUpdate().getTime() / 1000); } else { psAddCrl.setNull(idx++, Types.INTEGER); } if (baseCrlNumber == null) { setBoolean(psAddCrl, idx++, false); psAddCrl.setNull(idx++, Types.BIGINT); } else { setBoolean(psAddCrl, idx++, true); psAddCrl.setLong(idx++, baseCrlNumber.longValue()); } String str = Base64.toBase64String(encodedCrl); psAddCrl.setString(idx++, str); psAddCrl.addBatch(); } catch (SQLException ex) { System.err.println( "could not import CRL with ID=" + crl.getId() + ", message: " + ex.getMessage()); throw ex; } } else if (CaDbEntryType.USER == type) { PreparedStatement psAddUser = statements[0]; CaUserType user = (CaUserType) entry; try { int idx = 1; psAddUser.setLong(idx++, user.getId()); psAddUser.setString(idx++, user.getName()); psAddUser.setString(idx++, user.getPassword()); psAddUser.setString(idx++, user.getCnRegex()); psAddUser.addBatch(); } catch (SQLException ex) { System.err.println("could not import USERNAME with ID=" + user.getId() + ", message: " + ex.getMessage()); throw ex; } } else if (CaDbEntryType.REQUEST == type) { PreparedStatement psAddRequest = statements[0]; CaRequestType request = (CaRequestType) entry; String filename = request.getFile(); ZipEntry zipEnty = zipFile.getEntry(filename); byte[] encodedRequest = IoUtil.read(zipFile.getInputStream(zipEnty)); try { int idx = 1; psAddRequest.setLong(idx++, request.getId()); psAddRequest.setLong(idx++, request.getUpdate()); psAddRequest.setString(idx++, Base64.toBase64String(encodedRequest)); psAddRequest.addBatch(); } catch (SQLException ex) { System.err.println("could not import REQUEST with ID=" + request.getId() + ", message: " + ex.getMessage()); throw ex; } } else if (CaDbEntryType.REQCERT == type) { PreparedStatement psAddReqCert = statements[0]; CaRequestCertType reqCert = (CaRequestCertType) entry; try { int idx = 1; psAddReqCert.setLong(idx++, reqCert.getId()); psAddReqCert.setLong(idx++, reqCert.getRid()); psAddReqCert.setLong(idx++, reqCert.getCid()); psAddReqCert.addBatch(); } catch (SQLException ex) { System.err.println("could not import REQUEST with ID=" + reqCert.getId() + ", message: " + ex.getMessage()); throw ex; } } else { throw new RuntimeException("Unknown CaDbEntryType " + type); } boolean isLastBlock = !entries.hasNext(); if (numEntriesInBatch > 0 && (numEntriesInBatch % numEntriesPerCommit == 0 || isLastBlock)) { if (evaulateOnly) { for (PreparedStatement m : statements) { m.clearBatch(); } } else { String sql = null; try { for (int i = 0; i < sqls.length; i++) { sql = sqls[i]; statements[i].executeBatch(); } sql = null; commit("(commit import to CA)"); } catch (Throwable th) { rollback(); deleteFromTableWithLargerId(type.getTableName(), "ID", id, LOG); if (CaDbEntryType.CERT == type) { deleteFromTableWithLargerId("CRAW", "CID", id, LOG); } if (th instanceof SQLException) { throw translate(sql, (SQLException) th); } else if (th instanceof Exception) { throw (Exception) th; } else { throw new Exception(th); } } } lastSuccessfulEntryId = id; processLog.addNumProcessed(numEntriesInBatch); numEntriesInBatch = 0; echoToFile(type + ":" + (numProcessedInLastProcess + processLog.getNumProcessed()) + ":" + lastSuccessfulEntryId, processLogFile); processLog.printStatus(); } } // end while return lastSuccessfulEntryId; } finally { recoverAutoCommit(); zipFile.close(); } }
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
private void checkExtensionTlsFeature(final StringBuilder failureMsg, final byte[] extensionValue, final Extensions requestedExtensions, final ExtensionControl extControl) { QaTlsFeature conf = tlsFeature;//from w w w . ja va 2 s .c o m if (conf == null) { byte[] expected = getExpectedExtValue(ObjectIdentifiers.id_pe_tlsfeature, requestedExtensions, extControl); if (!Arrays.equals(expected, extensionValue)) { addViolation(failureMsg, "extension values", hex(extensionValue), (expected == null) ? "not present" : hex(expected)); } return; } Set<String> isFeatures = new HashSet<>(); ASN1Sequence seq = ASN1Sequence.getInstance(extensionValue); final int n = seq.size(); for (int i = 0; i < n; i++) { ASN1Integer asn1Feature = ASN1Integer.getInstance(seq.getObjectAt(i)); isFeatures.add(asn1Feature.getPositiveValue().toString()); } Set<String> expFeatures = new HashSet<>(); for (Integer m : conf.getFeatures()) { expFeatures.add(m.toString()); } Set<String> diffs = strInBnotInA(expFeatures, isFeatures); if (CollectionUtil.isNonEmpty(diffs)) { failureMsg.append("features ").append(diffs.toString()).append(" are present but not expected; "); } diffs = strInBnotInA(isFeatures, expFeatures); if (CollectionUtil.isNonEmpty(diffs)) { failureMsg.append("features ").append(diffs.toString()).append(" are absent but are required; "); } }
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
private void checkExtensionInhibitAnyPolicy(final StringBuilder failureMsg, final byte[] extensionValue, final Extensions requestedExtensions, final ExtensionControl extControl) { QaInhibitAnyPolicy conf = inhibitAnyPolicy; if (conf == null) { byte[] expected = getExpectedExtValue(Extension.inhibitAnyPolicy, requestedExtensions, extControl); if (!Arrays.equals(expected, extensionValue)) { addViolation(failureMsg, "extension values", extensionValue, (expected == null) ? "not present" : hex(expected)); }//from w w w. ja v a 2s . com return; } ASN1Integer asn1Int = ASN1Integer.getInstance(extensionValue); int isSkipCerts = asn1Int.getPositiveValue().intValue(); if (isSkipCerts != conf.getSkipCerts()) { addViolation(failureMsg, "skipCerts", isSkipCerts, conf.getSkipCerts()); } }
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
private void checkExtensionQcStatements(final StringBuilder failureMsg, final byte[] extensionValue, final Extensions requestedExtensions, final ExtensionControl extControl) { QcStatements conf = qcStatements;/*from w ww . j a va 2 s . c om*/ if (conf == null) { byte[] expected = getExpectedExtValue(Extension.qCStatements, requestedExtensions, extControl); if (!Arrays.equals(expected, extensionValue)) { addViolation(failureMsg, "extension values", extensionValue, (expected == null) ? "not present" : hex(expected)); } return; } final int expSize = conf.getQcStatement().size(); ASN1Sequence extValue = ASN1Sequence.getInstance(extensionValue); final int isSize = extValue.size(); if (isSize != expSize) { addViolation(failureMsg, "number of statements", isSize, expSize); return; } // extract the euLimit and pdsLocations data from request Map<String, int[]> reqQcEuLimits = new HashMap<>(); Extension reqExtension = (requestedExtensions == null) ? null : requestedExtensions.getExtension(Extension.qCStatements); if (reqExtension != null) { ASN1Sequence seq = ASN1Sequence.getInstance(reqExtension.getParsedValue()); final int n = seq.size(); for (int j = 0; j < n; j++) { QCStatement stmt = QCStatement.getInstance(seq.getObjectAt(j)); if (ObjectIdentifiers.id_etsi_qcs_QcLimitValue.equals(stmt.getStatementId())) { MonetaryValue monetaryValue = MonetaryValue.getInstance(stmt.getStatementInfo()); int amount = monetaryValue.getAmount().intValue(); int exponent = monetaryValue.getExponent().intValue(); Iso4217CurrencyCode currency = monetaryValue.getCurrency(); String currencyS = currency.isAlphabetic() ? currency.getAlphabetic().toUpperCase() : Integer.toString(currency.getNumeric()); reqQcEuLimits.put(currencyS, new int[] { amount, exponent }); } } } for (int i = 0; i < expSize; i++) { QCStatement is = QCStatement.getInstance(extValue.getObjectAt(i)); QcStatementType exp = conf.getQcStatement().get(i); if (!is.getStatementId().getId().equals(exp.getStatementId().getValue())) { addViolation(failureMsg, "statmentId[" + i + "]", is.getStatementId().getId(), exp.getStatementId().getValue()); continue; } if (exp.getStatementValue() == null) { if (is.getStatementInfo() != null) { addViolation(failureMsg, "statmentInfo[" + i + "]", "present", "absent"); } continue; } if (is.getStatementInfo() == null) { addViolation(failureMsg, "statmentInfo[" + i + "]", "absent", "present"); continue; } QcStatementValueType expStatementValue = exp.getStatementValue(); try { if (expStatementValue.getConstant() != null) { byte[] expValue = expStatementValue.getConstant().getValue(); byte[] isValue = is.getStatementInfo().toASN1Primitive().getEncoded(); if (!Arrays.equals(isValue, expValue)) { addViolation(failureMsg, "statementInfo[" + i + "]", hex(isValue), hex(expValue)); } } else if (expStatementValue.getQcRetentionPeriod() != null) { String isValue = ASN1Integer.getInstance(is.getStatementInfo()).toString(); String expValue = expStatementValue.getQcRetentionPeriod().toString(); if (!isValue.equals(expValue)) { addViolation(failureMsg, "statementInfo[" + i + "]", isValue, expValue); } } else if (expStatementValue.getPdsLocations() != null) { Set<String> pdsLocations = new HashSet<>(); ASN1Sequence pdsLocsSeq = ASN1Sequence.getInstance(is.getStatementInfo()); int size = pdsLocsSeq.size(); for (int k = 0; k < size; k++) { ASN1Sequence pdsLocSeq = ASN1Sequence.getInstance(pdsLocsSeq.getObjectAt(k)); int size2 = pdsLocSeq.size(); if (size2 != 2) { throw new IllegalArgumentException("sequence size is " + size2 + " but expected 2"); } String url = DERIA5String.getInstance(pdsLocSeq.getObjectAt(0)).getString(); String lang = DERPrintableString.getInstance(pdsLocSeq.getObjectAt(1)).getString(); pdsLocations.add("url=" + url + ",lang=" + lang); } PdsLocationsType pdsLocationsConf = expStatementValue.getPdsLocations(); Set<String> expectedPdsLocations = new HashSet<>(); for (PdsLocationType m : pdsLocationsConf.getPdsLocation()) { expectedPdsLocations.add("url=" + m.getUrl() + ",lang=" + m.getLanguage()); } Set<String> diffs = strInBnotInA(expectedPdsLocations, pdsLocations); if (CollectionUtil.isNonEmpty(diffs)) { failureMsg.append("statementInfo[" + i + "]: ").append(diffs.toString()); failureMsg.append(" are present but not expected; "); } diffs = strInBnotInA(pdsLocations, expectedPdsLocations); if (CollectionUtil.isNonEmpty(diffs)) { failureMsg.append("statementInfo[" + i + "]: ").append(diffs.toString()); failureMsg.append(" are absent but are required; "); } } else if (expStatementValue.getQcEuLimitValue() != null) { QcEuLimitValueType euLimitConf = expStatementValue.getQcEuLimitValue(); String expCurrency = euLimitConf.getCurrency().toUpperCase(); int[] expAmountExp = reqQcEuLimits.get(expCurrency); Range2Type range = euLimitConf.getAmount(); int value; if (range.getMin() == range.getMax()) { value = range.getMin(); } else if (expAmountExp != null) { value = expAmountExp[0]; } else { failureMsg.append("found no QcEuLimit for currency '").append(expCurrency).append("'; "); return; } // CHECKSTYLE:SKIP String expAmount = Integer.toString(value); range = euLimitConf.getExponent(); if (range.getMin() == range.getMax()) { value = range.getMin(); } else if (expAmountExp != null) { value = expAmountExp[1]; } else { failureMsg.append("found no QcEuLimit for currency '").append(expCurrency).append("'; "); return; } String expExponent = Integer.toString(value); MonetaryValue monterayValue = MonetaryValue.getInstance(is.getStatementInfo()); Iso4217CurrencyCode currency = monterayValue.getCurrency(); String isCurrency = currency.isAlphabetic() ? currency.getAlphabetic() : Integer.toString(currency.getNumeric()); String isAmount = monterayValue.getAmount().toString(); String isExponent = monterayValue.getExponent().toString(); if (!isCurrency.equals(expCurrency)) { addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.currency", isCurrency, expCurrency); } if (!isAmount.equals(expAmount)) { addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.amount", isAmount, expAmount); } if (!isExponent.equals(expExponent)) { addViolation(failureMsg, "statementInfo[" + i + "].qcEuLimit.exponent", isExponent, expExponent); } } else { throw new RuntimeException("statementInfo[" + i + "]should not reach here"); } } catch (IOException ex) { failureMsg.append("statementInfo[").append(i).append("] has incorrect syntax; "); } } }
From source file:org.xipki.pki.ca.qa.PublicKeyChecker.java
License:Open Source License
private void checkPublicKey(final SubjectPublicKeyInfo publicKey) throws BadCertTemplateException { if (CollectionUtil.isEmpty(keyAlgorithms)) { return;//from ww w .ja v a 2s .co m } ASN1ObjectIdentifier keyType = publicKey.getAlgorithm().getAlgorithm(); if (!keyAlgorithms.containsKey(keyType)) { throw new BadCertTemplateException("key type " + keyType.getId() + " is not permitted"); } KeyParametersOption keyParamsOption = keyAlgorithms.get(keyType); if (keyParamsOption instanceof AllowAllParametersOption) { return; } else if (keyParamsOption instanceof ECParamatersOption) { ECParamatersOption ecOption = (ECParamatersOption) keyParamsOption; // parameters ASN1Encodable algParam = publicKey.getAlgorithm().getParameters(); ASN1ObjectIdentifier curveOid; if (algParam instanceof ASN1ObjectIdentifier) { curveOid = (ASN1ObjectIdentifier) algParam; if (!ecOption.allowsCurve(curveOid)) { throw new BadCertTemplateException("EC curve " + AlgorithmUtil.getCurveName(curveOid) + " (OID: " + curveOid.getId() + ") is not allowed"); } } else { throw new BadCertTemplateException("only namedCurve EC public key is supported"); } // point encoding if (ecOption.getPointEncodings() != null) { byte[] keyData = publicKey.getPublicKeyData().getBytes(); if (keyData.length < 1) { throw new BadCertTemplateException("invalid publicKeyData"); } byte pointEncoding = keyData[0]; if (!ecOption.getPointEncodings().contains(pointEncoding)) { throw new BadCertTemplateException("not-accepted EC point encoding " + pointEncoding); } } try { checkECSubjectPublicKeyInfo(curveOid, publicKey.getPublicKeyData().getBytes()); } catch (BadCertTemplateException ex) { throw ex; } catch (Exception ex) { LOG.debug("checkECSubjectPublicKeyInfo", ex); throw new BadCertTemplateException("invalid public key: " + ex.getMessage()); } return; } else if (keyParamsOption instanceof RSAParametersOption) { RSAParametersOption rsaOption = (RSAParametersOption) keyParamsOption; ASN1Integer modulus; try { ASN1Sequence seq = ASN1Sequence.getInstance(publicKey.getPublicKeyData().getBytes()); modulus = ASN1Integer.getInstance(seq.getObjectAt(0)); } catch (IllegalArgumentException ex) { throw new BadCertTemplateException("invalid publicKeyData"); } int modulusLength = modulus.getPositiveValue().bitLength(); if ((rsaOption.allowsModulusLength(modulusLength))) { return; } } else if (keyParamsOption instanceof DSAParametersOption) { DSAParametersOption dsaOption = (DSAParametersOption) keyParamsOption; ASN1Encodable params = publicKey.getAlgorithm().getParameters(); if (params == null) { throw new BadCertTemplateException("null Dss-Parms is not permitted"); } int plength; int qlength; try { ASN1Sequence seq = ASN1Sequence.getInstance(params); // CHECKSTYLE:SKIP ASN1Integer p = ASN1Integer.getInstance(seq.getObjectAt(0)); // CHECKSTYLE:SKIP ASN1Integer q = ASN1Integer.getInstance(seq.getObjectAt(1)); plength = p.getPositiveValue().bitLength(); qlength = q.getPositiveValue().bitLength(); } catch (IllegalArgumentException | ArrayIndexOutOfBoundsException ex) { throw new BadCertTemplateException("illegal Dss-Parms"); } boolean match = dsaOption.allowsPlength(plength); if (match) { match = dsaOption.allowsQlength(qlength); } if (match) { return; } } else { String txt = (keyParamsOption == null) ? "null" : keyParamsOption.getClass().getName(); throw new RuntimeException("should not reach here, unknown keyParamsOption " + txt); } throw new BadCertTemplateException("the given publicKey is not permitted"); }