List of usage examples for org.bouncycastle.asn1 ASN1Integer getPositiveValue
public BigInteger getPositiveValue()
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
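/**
 * Checks the InhibitAnyPolicy extension of the certificate under test against the QA
 * configuration and appends a description of every mismatch to {@code failureMsg}.
 *
 * <p>Without an InhibitAnyPolicy configuration the extension value has to be byte-identical
 * to the value derived from the request and the extension control. With a configuration, the
 * value is decoded as an ASN.1 INTEGER and its skipCerts is compared with the configured one.
 *
 * @param failureMsg accumulator for QA violations; nothing is thrown, text is only appended
 * @param extensionValue DER-encoded value of the InhibitAnyPolicy extension
 * @param requestExtensions extensions of the original certificate request
 * @param extControl control settings of this extension
 */
private void checkExtensionInhibitAnyPolicy(final StringBuilder failureMsg, final byte[] extensionValue,
        final Extensions requestExtensions, final ExtensionControl extControl) {
    QaInhibitAnyPolicy conf = inhibitAnyPolicy;

    if (conf == null) {
        byte[] expected = getExpectedExtValue(Extension.inhibitAnyPolicy, requestExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            failureMsg.append("extension value is '").append(hex(extensionValue));
            failureMsg.append("' but expected '")
                .append(expected == null ? "not present" : hex(expected))
                .append("'");
            failureMsg.append("; ");
        }
        return;
    }

    ASN1Integer asn1Int = ASN1Integer.getInstance(extensionValue);
    // Compare as BigInteger: intValue() silently truncates values wider than 32 bits, so an
    // oversized skipCerts (2^32 + n) would otherwise be accepted as n.
    BigInteger isSkipCerts = asn1Int.getPositiveValue();
    BigInteger expSkipCerts = BigInteger.valueOf(conf.getSkipCerts());
    if (!isSkipCerts.equals(expSkipCerts)) {
        failureMsg.append("skipCerts is '").append(isSkipCerts)
            .append("' but expected '").append(expSkipCerts).append("'");
        failureMsg.append("; ");
    }
}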
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
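/**
 * Processes the certificate requests of a CMP ir/cr/kur message and builds one
 * {@link CertResponse} per request.
 *
 * <p>For each request a child audit event is opened (when auditing is active), the proof of
 * possession is verified, the certificate profile is read from the regInfo, the requestor's
 * permission for that profile is checked and the certificate is generated. A request that
 * fails the POP or template checks gets a rejection response; the other requests of the
 * message are still processed. A missing permission aborts the whole message.
 *
 * @param requestor authenticated CMP requestor
 * @param user user name recorded with the certificate, may be {@code null}
 * @param tid CMP transaction id
 * @param reqHeader header of the CMP request (not used by this method)
 * @param kur the request messages to process
 * @param keyUpdate {@code true} for a key update (regeneration), {@code false} for a new certificate
 * @param confirmWaitTime milliseconds an issued certificate waits for the client's confirmation
 * @param sendCaCert whether to attach the CA certificate to the response
 * @param auditEvent parent audit event, may be {@code null}
 * @return the certificate responses, optionally with the CA certificate
 * @throws InsuffientPermissionException if the requestor may not use a requested profile
 */
private CertRepMessage processCertReqMessages(final CmpRequestorInfo requestor, final String user,
        final ASN1OctetString tid, final PKIHeader reqHeader, final CertReqMessages kur,
        final boolean keyUpdate, final long confirmWaitTime, final boolean sendCaCert,
        final AuditEvent auditEvent) throws InsuffientPermissionException {
    CertReqMsg[] certReqMsgs = kur.toCertReqMsgArray();
    CertResponse[] certResponses = new CertResponse[certReqMsgs.length];

    for (int i = 0; i < certReqMsgs.length; i++) {
        AuditChildEvent childAuditEvent = null;
        if (auditEvent != null) {
            childAuditEvent = new AuditChildEvent();
            auditEvent.addChildAuditEvent(childAuditEvent);
        }

        CertReqMsg reqMsg = certReqMsgs[i];
        CertificateRequestMessage req = new CertificateRequestMessage(reqMsg);
        ASN1Integer certReqId = reqMsg.getCertReq().getCertReqId();
        if (childAuditEvent != null) {
            childAuditEvent.addEventData(
                    new AuditEventData("certReqId", certReqId.getPositiveValue().toString()));
        }

        if (!req.hasProofOfPossession()) {
            certResponses[i] = rejectCertRequest(certReqId, PKIFailureInfo.badPOP, null,
                    childAuditEvent, "no POP");
            continue;
        }

        if (!verifyPOP(req, requestor.isRA())) {
            LOG.warn("could not validate POP for request {}", certReqId.getValue());
            certResponses[i] = rejectCertRequest(certReqId, PKIFailureInfo.badPOP, null,
                    childAuditEvent, "invalid POP");
            continue;
        }

        CertTemplate certTemp = req.getCertTemplate();
        Extensions extensions = certTemp.getExtensions();
        X500Name subject = certTemp.getSubject();
        SubjectPublicKeyInfo publicKeyInfo = certTemp.getPublicKey();
        OptionalValidity validity = certTemp.getValidity();

        try {
            CmpUtf8Pairs keyvalues = CmpUtil.extract(reqMsg.getRegInfo());
            String certprofileName = keyvalues == null
                    ? null : keyvalues.getValue(CmpUtf8Pairs.KEY_CERT_PROFILE);
            if (certprofileName == null) {
                throw new CMPException("no certificate profile is specified");
            }

            if (childAuditEvent != null) {
                childAuditEvent.addEventData(new AuditEventData("certprofile", certprofileName));
            }

            // InsuffientPermissionException is not caught here: it aborts the whole message.
            checkPermission(requestor, certprofileName);
            certResponses[i] = generateCertificate(requestor, user, tid, certReqId, subject,
                    publicKeyInfo, validity, extensions, certprofileName, keyUpdate,
                    confirmWaitTime, childAuditEvent);
        } catch (CMPException e) {
            final String message = "generateCertificate";
            if (LOG.isWarnEnabled()) {
                LOG.warn(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(),
                        e.getMessage());
            }
            LOG.debug(message, e);

            certResponses[i] = rejectCertRequest(certReqId, PKIFailureInfo.badCertTemplate,
                    e.getMessage(), childAuditEvent, "badCertTemplate");
        }
    }

    CMPCertificate[] caPubs = sendCaCert
            ? new CMPCertificate[] { getCA().getCAInfo().getCertInCMPFormat() } : null;
    return new CertRepMessage(caPubs, certResponses);
}

/**
 * Builds the rejection response for one certificate request and marks its child audit
 * event (if any) as failed.
 *
 * @param certReqId id of the rejected request
 * @param failureInfo CMP failure info bits
 * @param statusText free text for the status, may be {@code null}
 * @param childAuditEvent audit event of the request, may be {@code null}
 * @param auditMessage message recorded in the audit event
 * @return the rejection response
 */
private CertResponse rejectCertRequest(final ASN1Integer certReqId, final int failureInfo,
        final String statusText, final AuditChildEvent childAuditEvent, final String auditMessage) {
    PKIStatusInfo status = generateCmpRejectionStatus(failureInfo, statusText);
    if (childAuditEvent != null) {
        childAuditEvent.setStatus(AuditStatus.FAILED);
        childAuditEvent.addEventData(new AuditEventData("message", auditMessage));
    }
    return new CertResponse(certReqId, status);
}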
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
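/**
 * Generates (or, for a key update, regenerates) the certificate for one CMP request and
 * parks it in the pending pool until the client confirms it.
 *
 * @param requestor authenticated requestor, also recorded with the certificate
 * @param user user name recorded with the certificate, may be {@code null}
 * @param tid CMP transaction id; together with {@code certReqId} it keys the pending pool
 * @param certReqId id of the request within the transaction
 * @param subject requested subject, may be {@code null}
 * @param publicKeyInfo requested public key
 * @param validity requested validity, may be {@code null}
 * @param extensions requested extensions, may be {@code null}
 * @param certprofileName name of the certificate profile to use
 * @param keyUpdate {@code true} to regenerate an existing certificate with a new key
 * @param confirmWaitTime milliseconds the certificate may stay unconfirmed in the pending pool
 * @param childAuditEvent audit event of this request, may be {@code null}
 * @return a granted response carrying the certificate, or a rejection describing the error
 * @throws InsuffientPermissionException if the requestor may not use the profile
 */
private CertResponse generateCertificate(final CmpRequestorInfo requestor, final String user,
        final ASN1OctetString tid, final ASN1Integer certReqId, final X500Name subject,
        final SubjectPublicKeyInfo publicKeyInfo, final OptionalValidity validity,
        final Extensions extensions, final String certprofileName, final boolean keyUpdate,
        final long confirmWaitTime, final AuditChildEvent childAuditEvent)
        throws InsuffientPermissionException {
    checkPermission(requestor, certprofileName);

    Date notBefore = null;
    Date notAfter = null;
    if (validity != null) {
        Time t = validity.getNotBefore();
        if (t != null) {
            notBefore = t.getDate();
        }
        t = validity.getNotAfter();
        if (t != null) {
            notAfter = t.getDate();
        }
    }

    try {
        X509CA ca = getCA();
        X509CertificateInfo certInfo;
        if (keyUpdate) {
            certInfo = ca.regenerateCertificate(requestor.isRA(), requestor, certprofileName, user,
                    subject, publicKeyInfo, notBefore, notAfter, extensions);
        } else {
            certInfo = ca.generateCertificate(requestor.isRA(), requestor, certprofileName, user,
                    subject, publicKeyInfo, notBefore, notAfter, extensions);
        }
        certInfo.setRequestor(requestor);
        certInfo.setUser(user);

        if (childAuditEvent != null) {
            childAuditEvent.addEventData(
                    new AuditEventData("subject", certInfo.getCert().getSubject()));
        }

        // The certificate stays pending until the client confirms it or the wait time expires.
        pendingCertPool.addCertificate(tid.getOctets(), certReqId.getPositiveValue(), certInfo,
                System.currentTimeMillis() + confirmWaitTime);

        String warningMsg = certInfo.getWarningMessage();
        PKIStatusInfo statusInfo;
        if (StringUtil.isBlank(warningMsg)) {
            if (certInfo.isAlreadyIssued()) {
                statusInfo = new PKIStatusInfo(PKIStatus.grantedWithMods,
                        new PKIFreeText("ALREADY_ISSUED"));
            } else {
                statusInfo = new PKIStatusInfo(PKIStatus.granted);
            }
        } else {
            statusInfo = new PKIStatusInfo(PKIStatus.grantedWithMods, new PKIFreeText(warningMsg));
        }

        if (childAuditEvent != null) {
            childAuditEvent.setStatus(AuditStatus.SUCCESSFUL);
        }

        CertOrEncCert cec = new CertOrEncCert(
                CMPCertificate.getInstance(certInfo.getCert().getEncodedCert()));
        CertifiedKeyPair kp = new CertifiedKeyPair(cec);
        return new CertResponse(certReqId, statusInfo, kp, null);
    } catch (OperationException e) {
        ErrorCode code = e.getErrorCode();
        LOG.warn("generate certificate, OperationException: code={}, message={}",
                code.name(), e.getErrorMessage());

        String auditMessage;
        int failureInfo;
        switch (code) {
        case ALREADY_ISSUED:
            failureInfo = PKIFailureInfo.badRequest;
            auditMessage = "ALREADY_ISSUED";
            break;
        case BAD_CERT_TEMPLATE:
            failureInfo = PKIFailureInfo.badCertTemplate;
            auditMessage = "BAD_CERT_TEMPLATE";
            break;
        case BAD_REQUEST:
            failureInfo = PKIFailureInfo.badRequest;
            auditMessage = "BAD_REQUEST";
            // The break was missing here, so BAD_REQUEST was reported as CERT_REVOKED.
            break;
        case CERT_REVOKED:
            failureInfo = PKIFailureInfo.certRevoked;
            auditMessage = "CERT_REVOKED";
            break;
        case CRL_FAILURE:
            failureInfo = PKIFailureInfo.systemFailure;
            auditMessage = "CRL_FAILURE";
            break;
        case DATABASE_FAILURE:
            failureInfo = PKIFailureInfo.systemFailure;
            auditMessage = "DATABASE_FAILURE";
            break;
        case NOT_PERMITTED:
            failureInfo = PKIFailureInfo.notAuthorized;
            auditMessage = "NOT_PERMITTED";
            break;
        case INSUFFICIENT_PERMISSION:
            failureInfo = PKIFailureInfo.notAuthorized;
            auditMessage = "INSUFFICIENT_PERMISSION";
            break;
        case INVALID_EXTENSION:
            failureInfo = PKIFailureInfo.systemFailure;
            auditMessage = "INVALID_EXTENSION";
            break;
        case SYSTEM_FAILURE:
            failureInfo = PKIFailureInfo.systemFailure;
            auditMessage = "System_Failure";
            break;
        case SYSTEM_UNAVAILABLE:
            failureInfo = PKIFailureInfo.systemUnavail;
            auditMessage = "System_Unavailable";
            break;
        case UNKNOWN_CERT:
            failureInfo = PKIFailureInfo.badCertId;
            auditMessage = "UNKNOWN_CERT";
            break;
        case UNKNOWN_CERT_PROFILE:
            failureInfo = PKIFailureInfo.badCertTemplate;
            auditMessage = "UNKNOWN_CERT_PROFILE";
            break;
        default:
            failureInfo = PKIFailureInfo.systemFailure;
            auditMessage = "InternalErrorCode " + code;
            break;
        }

        if (childAuditEvent != null) {
            childAuditEvent.setStatus(AuditStatus.FAILED);
            childAuditEvent.addEventData(new AuditEventData("message", auditMessage));
        }

        // Internal failures are reported to the client by code only, without the detail text.
        String errorMessage;
        switch (code) {
        case DATABASE_FAILURE:
        case SYSTEM_FAILURE:
            errorMessage = code.name();
            break;
        default:
            errorMessage = code.name() + ": " + e.getErrorMessage();
            break;
        }

        PKIStatusInfo status = generateCmpRejectionStatus(failureInfo, errorMessage);
        return new CertResponse(certReqId, status);
    }
}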
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
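/**
 * Handles a CMP revocation request (rr) that, depending on {@code permission}, revokes,
 * unrevokes or removes the certificates named in it.
 *
 * <p>The request is validated as a whole first: every entry must name this CA as issuer,
 * carry a serial number and carry no other template field. If any entry fails, the whole
 * request is rejected with an error body and nothing is changed. Otherwise the entries are
 * processed one by one and the result of each is collected in the response.
 *
 * @param rr content of the revocation request
 * @param auditEvent parent audit event, may be {@code null}
 * @param permission {@code UNREVOKE_CERT}, {@code REMOVE_CERT}, or anything else to revoke
 * @return a revocation response body, or an error body for a malformed request
 */
private PKIBody revokeOrUnrevokeOrRemoveCertificates(final RevReqContent rr,
        final AuditEvent auditEvent, final Permission permission) {
    RevDetails[] revContent = rr.toRevDetailsArray();
    RevRepContentBuilder repContentBuilder = new RevRepContentBuilder();
    final int n = revContent.length;

    // Loop-invariant: fetched once instead of per entry in both loops.
    X500Name caSubject = getCA().getCAInfo().getCertificate().getSubjectAsX500Name();

    // Validate the whole request before anything is changed.
    for (int i = 0; i < n; i++) {
        CertTemplate certDetails = revContent[i].getCertDetails();
        X500Name issuer = certDetails.getIssuer();
        ASN1Integer serialNumber = certDetails.getSerialNumber();

        try {
            if (issuer == null) {
                return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate,
                        "issuer is not present");
            } else if (!issuer.equals(caSubject)) {
                return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate,
                        "issuer not targets at the CA");
            } else if (serialNumber == null) {
                return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate,
                        "serialNumber is not present");
            } else if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null
                    || certDetails.getSubject() != null || certDetails.getPublicKey() != null
                    || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null
                    || certDetails.getExtensions() != null) {
                return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate,
                        "only version, issuer and serialNumber in RevDetails.certDetails are allowed, "
                        + "but more is specified");
            }
        } catch (IllegalArgumentException e) {
            return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest,
                    "the request is invalid");
        }
    }

    for (int i = 0; i < n; i++) {
        AuditChildEvent childAuditEvent = null;
        if (auditEvent != null) {
            childAuditEvent = new AuditChildEvent();
            auditEvent.addChildAuditEvent(childAuditEvent);
        }

        RevDetails revDetails = revContent[i];
        CertTemplate certDetails = revDetails.getCertDetails();
        // serialNumber is not null: the first loop returned otherwise.
        ASN1Integer serialNumber = certDetails.getSerialNumber();
        BigInteger snBigInt = serialNumber.getPositiveValue();
        CertId certId = new CertId(new GeneralName(caSubject), serialNumber);

        if (childAuditEvent != null) {
            childAuditEvent.addEventData(new AuditEventData("serialNumber", snBigInt.toString()));
        }

        PKIStatusInfo status;
        try {
            Object returnedObj = null;
            X509CA ca = getCA();
            if (Permission.UNREVOKE_CERT == permission) {
                returnedObj = ca.unrevokeCertificate(snBigInt);
            } else if (Permission.REMOVE_CERT == permission) {
                returnedObj = ca.removeCertificate(snBigInt);
            } else {
                Date invalidityDate = null;
                CRLReason reason = null;
                Extensions crlDetails = revDetails.getCrlEntryDetails();
                if (crlDetails != null) {
                    ASN1ObjectIdentifier extId = Extension.reasonCode;
                    ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId);
                    if (extValue != null) {
                        int reasonCode;
                        try {
                            // getInstance instead of a blind cast: a wrongly typed value sent by
                            // the client must end as INVALID_EXTENSION, not as a ClassCastException.
                            reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue();
                        } catch (IllegalArgumentException e) {
                            throw new OperationException(ErrorCode.INVALID_EXTENSION,
                                    "invalid extension " + extId.getId());
                        }
                        reason = CRLReason.forReasonCode(reasonCode);
                    }

                    extId = Extension.invalidityDate;
                    extValue = crlDetails.getExtensionParsedValue(extId);
                    if (extValue != null) {
                        try {
                            invalidityDate = ASN1GeneralizedTime.getInstance(extValue).getDate();
                        } catch (IllegalArgumentException | ParseException e) {
                            throw new OperationException(ErrorCode.INVALID_EXTENSION,
                                    "invalid extension " + extId.getId());
                        }
                    }
                }

                if (reason == null) {
                    reason = CRLReason.UNSPECIFIED;
                }

                if (childAuditEvent != null) {
                    childAuditEvent.addEventData(
                            new AuditEventData("reason", reason.getDescription()));
                    if (invalidityDate != null) {
                        String value;
                        synchronized (dateFormat) { // dateFormat is shared and not thread-safe
                            value = dateFormat.format(invalidityDate);
                        }
                        childAuditEvent.addEventData(new AuditEventData("invalidityDate", value));
                    }
                }

                returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate);
            }

            if (returnedObj == null) {
                throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists");
            }

            status = new PKIStatusInfo(PKIStatus.granted);
            if (childAuditEvent != null) {
                childAuditEvent.setStatus(AuditStatus.SUCCESSFUL);
            }
        } catch (OperationException e) {
            ErrorCode code = e.getErrorCode();
            LOG.warn("{} certificate, OperationException: code={}, message={}",
                    new Object[] { permission.name(), code.name(), e.getErrorMessage() });

            String auditMessage;
            int failureInfo;
            switch (code) {
            case BAD_REQUEST:
                failureInfo = PKIFailureInfo.badRequest;
                auditMessage = "BAD_REQUEST";
                break;
            case CERT_REVOKED:
                failureInfo = PKIFailureInfo.certRevoked;
                auditMessage = "CERT_REVOKED";
                break;
            case CERT_UNREVOKED:
                failureInfo = PKIFailureInfo.notAuthorized;
                auditMessage = "CERT_UNREVOKED";
                break;
            case DATABASE_FAILURE:
                failureInfo = PKIFailureInfo.systemFailure;
                auditMessage = "DATABASE_FAILURE";
                break;
            case INVALID_EXTENSION:
                failureInfo = PKIFailureInfo.unacceptedExtension;
                auditMessage = "INVALID_EXTENSION";
                break;
            case INSUFFICIENT_PERMISSION:
                failureInfo = PKIFailureInfo.notAuthorized;
                auditMessage = "INSUFFICIENT_PERMISSION";
                break;
            case NOT_PERMITTED:
                failureInfo = PKIFailureInfo.notAuthorized;
                auditMessage = "NOT_PERMITTED";
                break;
            case SYSTEM_FAILURE:
                failureInfo = PKIFailureInfo.systemFailure;
                auditMessage = "System_Failure";
                break;
            case SYSTEM_UNAVAILABLE:
                failureInfo = PKIFailureInfo.systemUnavail;
                auditMessage = "System_Unavailable";
                break;
            case UNKNOWN_CERT:
                failureInfo = PKIFailureInfo.badCertId;
                auditMessage = "UNKNOWN_CERT";
                break;
            default:
                failureInfo = PKIFailureInfo.systemFailure;
                auditMessage = "InternalErrorCode " + code;
                break;
            }

            if (childAuditEvent != null) {
                childAuditEvent.setStatus(AuditStatus.FAILED);
                childAuditEvent.addEventData(new AuditEventData("message", auditMessage));
            }

            // Internal failures are reported to the client by code only, without the detail text.
            String errorMessage;
            switch (code) {
            case DATABASE_FAILURE:
            case SYSTEM_FAILURE:
                errorMessage = code.name();
                break;
            default:
                errorMessage = code.name() + ": " + e.getErrorMessage();
                break;
            }

            status = generateCmpRejectionStatus(failureInfo, errorMessage);
        }

        repContentBuilder.add(status, certId);
    }

    return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build());
}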
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
/**
 * Handles a certConf message. Every pending certificate of the transaction that the client
 * accepted is released from the pending pool; every one the client rejected is revoked with
 * reason cessationOfOperation, and so is every pending certificate the client did not mention.
 *
 * @param transactionId CMP transaction id the pending certificates were stored under
 * @param certConf the client's confirmation content
 * @return a PKIConfirm body if everything was accepted, otherwise an error body
 */
private PKIBody confirmCertificates(final ASN1OctetString transactionId,
        final CertConfirmContent certConf) {
    boolean allAccepted = true;

    for (CertStatus certStatus : certConf.toCertStatusArray()) {
        ASN1Integer certReqId = certStatus.getCertReqId();
        byte[] certHash = certStatus.getCertHash().getOctets();
        X509CertificateInfo certInfo = pendingCertPool.removeCertificate(
                transactionId.getOctets(), certReqId.getPositiveValue(), certHash);
        if (certInfo == null) {
            LOG.warn("no cert under transactionId={}, certReqId={} and certHash=0X{}",
                    new Object[] { transactionId, certReqId.getPositiveValue(),
                        Hex.toHexString(certHash) });
            continue;
        }

        if (isAcceptedStatus(certStatus.getStatusInfo())) {
            continue;
        }

        // The client rejected a certificate that has already been issued: revoke it.
        BigInteger serialNumber = certInfo.getCert().getCert().getSerialNumber();
        X509CA ca = getCA();
        try {
            ca.revokeCertificate(serialNumber, CRLReason.CESSATION_OF_OPERATION, new Date());
        } catch (OperationException e) {
            final String msg = "could not revoke certificate ca=" + ca.getCAInfo().getName()
                    + " serialNumber=" + serialNumber;
            if (LOG.isWarnEnabled()) {
                LOG.warn(LogUtil.buildExceptionLogFormat(msg), e.getClass().getName(),
                        e.getMessage());
            }
            LOG.debug(msg, e);
        }
        allAccepted = false;
    }

    // Pending certificates the client did not mention at all are revoked as well.
    if (revokePendingCertificates(transactionId)) {
        allAccepted = false;
    }

    if (allAccepted) {
        return new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
    }

    ErrorMsgContent emc = new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection, null,
            new PKIFailureInfo(PKIFailureInfo.systemFailure)));
    return new PKIBody(PKIBody.TYPE_ERROR, emc);
}

/**
 * Tells whether a certConf status means acceptance: an absent status counts as accepted,
 * otherwise only granted and grantedWithMods do.
 *
 * @param statusInfo status of one CertStatus entry, may be {@code null}
 * @return {@code true} if the certificate is accepted by the client
 */
private static boolean isAcceptedStatus(final PKIStatusInfo statusInfo) {
    if (statusInfo == null) {
        return true;
    }
    int status = statusInfo.getStatus().intValue();
    return PKIStatus.GRANTED == status || PKIStatus.GRANTED_WITH_MODS == status;
}
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
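/**
 * Handles a CMP general message (genm). The first InfoTypeAndValue whose type is listed in
 * {@code knownGenMsgIds} is served: {@code it_currentCRL} (RFC 4210; as XiPKI extension the
 * value may carry a CRL number) or {@code id_xipki_cmp}, whose value is a SEQUENCE of an
 * action code and an optional action-specific value.
 *
 * @param respHeader builder of the response header (not used by this method)
 * @param cmpControl CMP control of this CA (not used by this method)
 * @param reqHeader header of the request (not used by this method)
 * @param reqBody body of the request, must hold a GenMsgContent
 * @param requestor authenticated requestor, used for the permission checks
 * @param user user name of the requestor (not used by this method)
 * @param tid CMP transaction id (not used by this method)
 * @param auditEvent audit event of the request, may be {@code null}
 * @return the general response body, or an error body
 * @throws InsuffientPermissionException if the requestor lacks the permission of the action
 */
private PKIBody cmpGeneralMsg(final PKIHeaderBuilder respHeader, final CmpControl cmpControl,
        final PKIHeader reqHeader, final PKIBody reqBody, final CmpRequestorInfo requestor,
        final String user, final ASN1OctetString tid, final AuditEvent auditEvent)
        throws InsuffientPermissionException {
    GenMsgContent genMsgBody = (GenMsgContent) reqBody.getContent();
    InfoTypeAndValue[] itvs = genMsgBody.toInfoTypeAndValueArray();

    // Only the first ITV of a known type is served; the others are ignored.
    InfoTypeAndValue itv = null;
    if (itvs != null && itvs.length > 0) {
        for (InfoTypeAndValue candidate : itvs) {
            if (knownGenMsgIds.contains(candidate.getInfoType().getId())) {
                itv = candidate;
                break;
            }
        }
    }

    if (itv == null) {
        String statusMessage = "PKIBody type " + PKIBody.TYPE_GEN_MSG
                + " is only supported with the sub-types " + knownGenMsgIds.toString();
        return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
    }

    InfoTypeAndValue itvResp = null;
    ASN1ObjectIdentifier infoType = itv.getInfoType();
    try {
        X509CA ca = getCA();
        if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) {
            addAutitEventType(auditEvent, "CRL_DOWNLOAD");
            checkPermission(requestor, Permission.GET_CRL);

            CertificateList crl;
            if (itv.getInfoValue() == null) {
                // as defined in RFC 4210
                crl = ca.getCurrentCRL();
            } else {
                // xipki extension: the value is the number of the wanted CRL
                ASN1Integer crlNumber;
                try {
                    crlNumber = ASN1Integer.getInstance(itv.getInfoValue());
                } catch (IllegalArgumentException e) {
                    return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest,
                            "invalid CRL number");
                }
                crl = ca.getCRL(crlNumber.getPositiveValue());
            }

            if (crl == null) {
                String statusMessage = "no CRL is available";
                return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.systemFailure,
                        statusMessage);
            }
            itvResp = new InfoTypeAndValue(infoType, crl);
        } else if (ObjectIdentifiers.id_xipki_cmp.equals(infoType)) {
            ASN1Integer asn1Code = null;
            ASN1Encodable reqValue = null;
            try {
                ASN1Sequence seq = ASN1Sequence.getInstance(itv.getInfoValue());
                // getInstance(null) returns null and an empty SEQUENCE has no element 0;
                // both are a malformed request, not a server error.
                if (seq != null && seq.size() > 0) {
                    asn1Code = ASN1Integer.getInstance(seq.getObjectAt(0));
                    if (seq.size() > 1) {
                        reqValue = seq.getObjectAt(1);
                    }
                }
            } catch (IllegalArgumentException ignored) {
                // asn1Code stays null and the request is rejected below
            }

            if (asn1Code == null) {
                String statusMessage = "invalid value of the InfoTypeAndValue for "
                        + ObjectIdentifiers.id_xipki_cmp.getId();
                return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest,
                        statusMessage);
            }

            // intValue() would silently truncate a wider code to a possibly valid action.
            BigInteger actionCode = asn1Code.getPositiveValue();
            if (actionCode.bitLength() > 31) {
                String statusMessage = "unsupported XiPKI action code '" + actionCode + "'";
                return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest,
                        statusMessage);
            }
            int action = actionCode.intValue();

            ASN1Encodable respValue;
            switch (action) {
            case XipkiCmpConstants.ACTION_GEN_CRL: {
                addAutitEventType(auditEvent, "CRL_GEN_ONDEMAND");
                checkPermission(requestor, Permission.GEN_CRL);
                X509CRL newCrl = ca.generateCRLonDemand(auditEvent);
                if (newCrl == null) {
                    String statusMessage = "CRL generation is not activated";
                    return createErrorMsgPKIBody(PKIStatus.rejection,
                            PKIFailureInfo.systemFailure, statusMessage);
                }
                respValue = CertificateList.getInstance(newCrl.getEncoded());
                break;
            }
            case XipkiCmpConstants.ACTION_GET_CRL_WITH_SN: {
                addAutitEventType(auditEvent, "CRL_DOWNLOAD_WITH_SN");
                checkPermission(requestor, Permission.GET_CRL);
                ASN1Integer crlNumber = null;
                try {
                    // null when the optional value is absent (getInstance(null) returns null)
                    crlNumber = ASN1Integer.getInstance(reqValue);
                } catch (IllegalArgumentException ignored) {
                    // rejected below together with the absent-value case
                }
                if (crlNumber == null) {
                    return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest,
                            "invalid or missing CRL number");
                }
                respValue = ca.getCRL(crlNumber.getPositiveValue());
                if (respValue == null) {
                    String statusMessage = "no CRL is available";
                    return createErrorMsgPKIBody(PKIStatus.rejection,
                            PKIFailureInfo.systemFailure, statusMessage);
                }
                break;
            }
            case XipkiCmpConstants.ACTION_GET_CAINFO: {
                addAutitEventType(auditEvent, "GET_SYSTEMINFO");
                Set<Integer> acceptVersions = new HashSet<>();
                if (reqValue != null) {
                    try {
                        ASN1Sequence versions = DERSequence.getInstance(reqValue);
                        final int size = versions.size();
                        for (int i = 0; i < size; i++) {
                            ASN1Integer version = ASN1Integer.getInstance(versions.getObjectAt(i));
                            acceptVersions.add(version.getPositiveValue().intValue());
                        }
                    } catch (IllegalArgumentException e) {
                        return createErrorMsgPKIBody(PKIStatus.rejection,
                                PKIFailureInfo.badRequest, "invalid list of accepted versions");
                    }
                }
                if (CollectionUtil.isEmpty(acceptVersions)) {
                    acceptVersions.add(1); // version 1 when the client names none
                }
                String systemInfo = getSystemInfo(requestor, acceptVersions);
                respValue = new DERUTF8String(systemInfo);
                break;
            }
            case XipkiCmpConstants.ACTION_REMOVE_EXPIRED_CERTS: {
                checkPermission(requestor, Permission.REMOVE_CERT);
                // the whole ITV value is passed on, not only the optional second element
                String info = removeExpiredCerts(requestor, itv.getInfoValue());
                respValue = new DERUTF8String(info);
                break;
            }
            default: {
                String statusMessage = "unsupported XiPKI action code '" + action + "'";
                return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest,
                        statusMessage);
            }
            }

            ASN1EncodableVector v = new ASN1EncodableVector();
            v.add(asn1Code);
            if (respValue != null) {
                v.add(respValue);
            }
            itvResp = new InfoTypeAndValue(infoType, new DERSequence(v));
        }

        GenRepContent genRepContent = new GenRepContent(itvResp);
        return new PKIBody(PKIBody.TYPE_GEN_REP, genRepContent);
    } catch (OperationException e) {
        int failureInfo = PKIFailureInfo.systemFailure;
        String statusMessage;
        ErrorCode code = e.getErrorCode();
        switch (code) {
        case BAD_REQUEST:
            failureInfo = PKIFailureInfo.badRequest;
            statusMessage = e.getErrorMessage();
            break;
        case DATABASE_FAILURE:
        case SYSTEM_FAILURE:
            // internal failures are reported by code only, without the detail text
            statusMessage = code.name();
            break;
        default:
            statusMessage = code.name() + ": " + e.getErrorMessage();
            break;
        }
        return createErrorMsgPKIBody(PKIStatus.rejection, failureInfo, statusMessage);
    } catch (CRLException e) {
        String statusMessage = "CRLException: " + e.getMessage();
        return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.systemFailure,
                statusMessage);
    }
}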
From source file:org.xipki.pki.ca.api.profile.x509.BaseX509Certprofile.java
License:Open Source License
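/**
 * Checks that the public key of a request is permitted by this profile's key-algorithm
 * configuration and returns it unchanged.
 *
 * <p>Without any configured key algorithm every key is accepted. Otherwise the key's
 * algorithm OID must be configured, and the option configured for it decides what else is
 * checked: nothing, the EC curve / point encoding / point, the RSA modulus length, or the DSA
 * parameter lengths.
 *
 * @param publicKey the requested public key
 * @return {@code publicKey}, unchanged
 * @throws BadCertTemplateException if the key type or its parameters are not permitted, or
 *         the key data cannot be parsed
 */
@Override
public SubjectPublicKeyInfo checkPublicKey(final SubjectPublicKeyInfo publicKey)
        throws BadCertTemplateException {
    ParamUtil.requireNonNull("publicKey", publicKey);
    Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = getKeyAlgorithms();
    if (CollectionUtil.isEmpty(keyAlgorithms)) {
        return publicKey; // nothing configured: no restriction
    }

    ASN1ObjectIdentifier keyType = publicKey.getAlgorithm().getAlgorithm();
    if (!keyAlgorithms.containsKey(keyType)) {
        throw new BadCertTemplateException("key type " + keyType.getId() + " is not permitted");
    }

    KeyParametersOption keyParamsOption = keyAlgorithms.get(keyType);
    if (keyParamsOption instanceof AllowAllParametersOption) {
        return publicKey;
    } else if (keyParamsOption instanceof ECParamatersOption) {
        checkEcKey(publicKey, (ECParamatersOption) keyParamsOption);
        return publicKey;
    } else if (keyParamsOption instanceof RSAParametersOption) {
        checkRsaKey(publicKey, (RSAParametersOption) keyParamsOption);
        return publicKey;
    } else if (keyParamsOption instanceof DSAParametersOption) {
        checkDsaKey(publicKey, (DSAParametersOption) keyParamsOption);
        return publicKey;
    }

    throw new RuntimeException(String.format(
            "should not reach here, unknown KeyParametersOption %s", keyParamsOption));
}

/**
 * Checks a named-curve EC key: the curve must be allowed, the point encoding (if the option
 * restricts it) must be allowed, and the point itself must pass checkEcSubjectPublicKeyInfo.
 *
 * @param publicKey the EC public key
 * @param ecOption the configured EC restrictions
 * @throws BadCertTemplateException if the key is not permitted or cannot be parsed
 */
private void checkEcKey(final SubjectPublicKeyInfo publicKey, final ECParamatersOption ecOption)
        throws BadCertTemplateException {
    ASN1Encodable algParam = publicKey.getAlgorithm().getParameters();
    if (!(algParam instanceof ASN1ObjectIdentifier)) {
        throw new BadCertTemplateException("only namedCurve EC public key is supported");
    }

    ASN1ObjectIdentifier curveOid = (ASN1ObjectIdentifier) algParam;
    if (!ecOption.allowsCurve(curveOid)) {
        throw new BadCertTemplateException(String.format("EC curve %s (OID: %s) is not allowed",
                AlgorithmUtil.getCurveName(curveOid), curveOid.getId()));
    }

    byte[] keyData = publicKey.getPublicKeyData().getBytes();
    if (ecOption.getPointEncodings() != null) {
        if (keyData.length < 1) {
            throw new BadCertTemplateException("invalid publicKeyData");
        }
        byte pointEncoding = keyData[0]; // first octet of an EC point is its encoding form
        if (!ecOption.getPointEncodings().contains(pointEncoding)) {
            throw new BadCertTemplateException(
                    String.format("not accepted EC point encoding '%s'", pointEncoding));
        }
    }

    try {
        checkEcSubjectPublicKeyInfo(curveOid, keyData);
    } catch (BadCertTemplateException ex) {
        throw ex;
    } catch (Exception ex) {
        // any other failure of the point check is treated as a malformed key
        LogUtil.warn(LOG, ex, "checkEcSubjectPublicKeyInfo");
        throw new BadCertTemplateException(
                String.format("invalid public key: %s", ex.getMessage()));
    }
}

/**
 * Checks an RSA key: the modulus length (bit length of the first INTEGER of the RSAPublicKey
 * SEQUENCE) must be allowed by the option.
 *
 * @param publicKey the RSA public key
 * @param rsaOption the configured RSA restrictions
 * @throws BadCertTemplateException if the key is not permitted or cannot be parsed
 */
private void checkRsaKey(final SubjectPublicKeyInfo publicKey, final RSAParametersOption rsaOption)
        throws BadCertTemplateException {
    ASN1Integer modulus;
    try {
        ASN1Sequence seq = ASN1Sequence.getInstance(publicKey.getPublicKeyData().getBytes());
        modulus = ASN1Integer.getInstance(seq.getObjectAt(0));
    } catch (IllegalArgumentException | ArrayIndexOutOfBoundsException ex) {
        // An empty SEQUENCE fails with AIOOBE rather than IAE; both mean a malformed
        // (client-supplied) key, not a server error - same handling as for Dss-Parms.
        throw new BadCertTemplateException("invalid publicKeyData");
    }

    int modulusLength = modulus.getPositiveValue().bitLength();
    if (!rsaOption.allowsModulusLength(modulusLength)) {
        throw new BadCertTemplateException("the given publicKey is not permitted");
    }
}

/**
 * Checks a DSA key: Dss-Parms must be present and the bit lengths of p and q must both be
 * allowed by the option.
 *
 * @param publicKey the DSA public key
 * @param dsaOption the configured DSA restrictions
 * @throws BadCertTemplateException if the key is not permitted or its parameters are malformed
 */
private void checkDsaKey(final SubjectPublicKeyInfo publicKey, final DSAParametersOption dsaOption)
        throws BadCertTemplateException {
    ASN1Encodable params = publicKey.getAlgorithm().getParameters();
    if (params == null) {
        throw new BadCertTemplateException("null Dss-Parms is not permitted");
    }

    int plength;
    int qlength;
    try {
        ASN1Sequence seq = ASN1Sequence.getInstance(params);
        ASN1Integer dsaP = ASN1Integer.getInstance(seq.getObjectAt(0));
        ASN1Integer dsaQ = ASN1Integer.getInstance(seq.getObjectAt(1));
        plength = dsaP.getPositiveValue().bitLength();
        qlength = dsaQ.getPositiveValue().bitLength();
    } catch (IllegalArgumentException | ArrayIndexOutOfBoundsException ex) {
        throw new BadCertTemplateException("illegal Dss-Parms");
    }

    if (!dsaOption.allowsPlength(plength) || !dsaOption.allowsQlength(qlength)) {
        throw new BadCertTemplateException("the given publicKey is not permitted");
    }
}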
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
/**
 * Checks the TLS feature extension of the certificate under test against the QA
 * configuration and appends every mismatch to {@code failureMsg}.
 *
 * <p>Without a TLS feature configuration the extension value has to be byte-identical to the
 * value derived from the request and the extension control. With a configuration, the
 * extension is decoded as a SEQUENCE of INTEGERs and the set of features present is compared
 * with the configured set in both directions.
 *
 * @param failureMsg accumulator for QA violations; nothing is thrown, text is only appended
 * @param extensionValue DER-encoded value of the TLS feature extension
 * @param requestedExtensions extensions of the original certificate request
 * @param extControl control settings of this extension
 */
private void checkExtensionTlsFeature(final StringBuilder failureMsg, final byte[] extensionValue,
        final Extensions requestedExtensions, final ExtensionControl extControl) {
    QaTlsFeature conf = tlsFeature;

    if (conf == null) {
        byte[] expected = getExpectedExtValue(ObjectIdentifiers.id_pe_tlsfeature,
                requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            String expectedText = (expected == null) ? "not present" : hex(expected);
            addViolation(failureMsg, "extension values", hex(extensionValue), expectedText);
        }
        return;
    }

    ASN1Sequence seq = ASN1Sequence.getInstance(extensionValue);
    Set<String> presentFeatures = new HashSet<>();
    for (int idx = 0, n = seq.size(); idx < n; idx++) {
        ASN1Integer feature = ASN1Integer.getInstance(seq.getObjectAt(idx));
        presentFeatures.add(feature.getPositiveValue().toString());
    }

    Set<String> expectedFeatures = new HashSet<>();
    for (Integer feature : conf.getFeatures()) {
        expectedFeatures.add(feature.toString());
    }

    Set<String> unexpected = strInBnotInA(expectedFeatures, presentFeatures);
    if (CollectionUtil.isNonEmpty(unexpected)) {
        failureMsg.append("features ").append(unexpected.toString())
            .append(" are present but not expected; ");
    }

    Set<String> missing = strInBnotInA(presentFeatures, expectedFeatures);
    if (CollectionUtil.isNonEmpty(missing)) {
        failureMsg.append("features ").append(missing.toString())
            .append(" are absent but are required; ");
    }
}
From source file:org.xipki.pki.ca.qa.ExtensionsChecker.java
License:Open Source License
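/**
 * Checks the InhibitAnyPolicy extension of the certificate under test against the QA
 * configuration and appends every mismatch to {@code failureMsg}.
 *
 * <p>Without an InhibitAnyPolicy configuration the extension value has to be byte-identical
 * to the value derived from the request and the extension control. With a configuration, the
 * value is decoded as an ASN.1 INTEGER and its skipCerts is compared with the configured one.
 *
 * @param failureMsg accumulator for QA violations; nothing is thrown, text is only appended
 * @param extensionValue DER-encoded value of the InhibitAnyPolicy extension
 * @param requestedExtensions extensions of the original certificate request
 * @param extControl control settings of this extension
 */
private void checkExtensionInhibitAnyPolicy(final StringBuilder failureMsg, final byte[] extensionValue,
        final Extensions requestedExtensions, final ExtensionControl extControl) {
    QaInhibitAnyPolicy conf = inhibitAnyPolicy;

    if (conf == null) {
        byte[] expected = getExpectedExtValue(Extension.inhibitAnyPolicy, requestedExtensions, extControl);
        if (!Arrays.equals(expected, extensionValue)) {
            // hex() as in the other extension checks: the raw byte[] was reported as "[B@...".
            addViolation(failureMsg, "extension values", hex(extensionValue),
                    (expected == null) ? "not present" : hex(expected));
        }
        return;
    }

    ASN1Integer asn1Int = ASN1Integer.getInstance(extensionValue);
    // Compare as BigInteger: intValue() silently truncates values wider than 32 bits, so an
    // oversized skipCerts (2^32 + n) would otherwise be accepted as n.
    BigInteger isSkipCerts = asn1Int.getPositiveValue();
    BigInteger expSkipCerts = BigInteger.valueOf(conf.getSkipCerts());
    if (!isSkipCerts.equals(expSkipCerts)) {
        addViolation(failureMsg, "skipCerts", isSkipCerts.toString(), expSkipCerts.toString());
    }
}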
From source file:org.xipki.pki.ca.qa.PublicKeyChecker.java
License:Open Source License
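/**
 * Checks that a public key is permitted by the configured key algorithms.
 *
 * <p>Without any configured key algorithm every key is accepted. Otherwise the key's
 * algorithm OID must be configured, and the option configured for it decides what else is
 * checked: nothing, the EC curve / point encoding / point, the RSA modulus length, or the DSA
 * parameter lengths.
 *
 * @param publicKey the public key to check
 * @throws BadCertTemplateException if the key type or its parameters are not permitted, or
 *         the key data cannot be parsed
 */
private void checkPublicKey(final SubjectPublicKeyInfo publicKey) throws BadCertTemplateException {
    if (CollectionUtil.isEmpty(keyAlgorithms)) {
        return; // nothing configured: no restriction
    }

    ASN1ObjectIdentifier keyType = publicKey.getAlgorithm().getAlgorithm();
    if (!keyAlgorithms.containsKey(keyType)) {
        throw new BadCertTemplateException("key type " + keyType.getId() + " is not permitted");
    }

    KeyParametersOption keyParamsOption = keyAlgorithms.get(keyType);
    if (keyParamsOption instanceof AllowAllParametersOption) {
        return;
    } else if (keyParamsOption instanceof ECParamatersOption) {
        checkEcKey(publicKey, (ECParamatersOption) keyParamsOption);
        return;
    } else if (keyParamsOption instanceof RSAParametersOption) {
        checkRsaKey(publicKey, (RSAParametersOption) keyParamsOption);
        return;
    } else if (keyParamsOption instanceof DSAParametersOption) {
        checkDsaKey(publicKey, (DSAParametersOption) keyParamsOption);
        return;
    }

    String txt = (keyParamsOption == null) ? "null" : keyParamsOption.getClass().getName();
    throw new RuntimeException("should not reach here, unknown keyParamsOption " + txt);
}

/**
 * Checks a named-curve EC key: the curve must be allowed, the point encoding (if the option
 * restricts it) must be allowed, and the point itself must pass checkECSubjectPublicKeyInfo.
 *
 * @param publicKey the EC public key
 * @param ecOption the configured EC restrictions
 * @throws BadCertTemplateException if the key is not permitted or cannot be parsed
 */
private void checkEcKey(final SubjectPublicKeyInfo publicKey, final ECParamatersOption ecOption)
        throws BadCertTemplateException {
    ASN1Encodable algParam = publicKey.getAlgorithm().getParameters();
    if (!(algParam instanceof ASN1ObjectIdentifier)) {
        throw new BadCertTemplateException("only namedCurve EC public key is supported");
    }

    ASN1ObjectIdentifier curveOid = (ASN1ObjectIdentifier) algParam;
    if (!ecOption.allowsCurve(curveOid)) {
        throw new BadCertTemplateException("EC curve " + AlgorithmUtil.getCurveName(curveOid)
                + " (OID: " + curveOid.getId() + ") is not allowed");
    }

    byte[] keyData = publicKey.getPublicKeyData().getBytes();
    if (ecOption.getPointEncodings() != null) {
        if (keyData.length < 1) {
            throw new BadCertTemplateException("invalid publicKeyData");
        }
        byte pointEncoding = keyData[0]; // first octet of an EC point is its encoding form
        if (!ecOption.getPointEncodings().contains(pointEncoding)) {
            throw new BadCertTemplateException("not-accepted EC point encoding " + pointEncoding);
        }
    }

    try {
        checkECSubjectPublicKeyInfo(curveOid, keyData);
    } catch (BadCertTemplateException ex) {
        throw ex;
    } catch (Exception ex) {
        // any other failure of the point check is treated as a malformed key
        LOG.debug("checkECSubjectPublicKeyInfo", ex);
        throw new BadCertTemplateException("invalid public key: " + ex.getMessage());
    }
}

/**
 * Checks an RSA key: the modulus length (bit length of the first INTEGER of the RSAPublicKey
 * SEQUENCE) must be allowed by the option.
 *
 * @param publicKey the RSA public key
 * @param rsaOption the configured RSA restrictions
 * @throws BadCertTemplateException if the key is not permitted or cannot be parsed
 */
private void checkRsaKey(final SubjectPublicKeyInfo publicKey, final RSAParametersOption rsaOption)
        throws BadCertTemplateException {
    ASN1Integer modulus;
    try {
        ASN1Sequence seq = ASN1Sequence.getInstance(publicKey.getPublicKeyData().getBytes());
        modulus = ASN1Integer.getInstance(seq.getObjectAt(0));
    } catch (IllegalArgumentException | ArrayIndexOutOfBoundsException ex) {
        // An empty SEQUENCE fails with AIOOBE rather than IAE; both mean a malformed
        // (client-supplied) key, not a server error - same handling as for Dss-Parms.
        throw new BadCertTemplateException("invalid publicKeyData");
    }

    int modulusLength = modulus.getPositiveValue().bitLength();
    if (!rsaOption.allowsModulusLength(modulusLength)) {
        throw new BadCertTemplateException("the given publicKey is not permitted");
    }
}

/**
 * Checks a DSA key: Dss-Parms must be present and the bit lengths of p and q must both be
 * allowed by the option.
 *
 * @param publicKey the DSA public key
 * @param dsaOption the configured DSA restrictions
 * @throws BadCertTemplateException if the key is not permitted or its parameters are malformed
 */
private void checkDsaKey(final SubjectPublicKeyInfo publicKey, final DSAParametersOption dsaOption)
        throws BadCertTemplateException {
    ASN1Encodable params = publicKey.getAlgorithm().getParameters();
    if (params == null) {
        throw new BadCertTemplateException("null Dss-Parms is not permitted");
    }

    int plength;
    int qlength;
    try {
        ASN1Sequence seq = ASN1Sequence.getInstance(params);
        ASN1Integer dsaP = ASN1Integer.getInstance(seq.getObjectAt(0));
        ASN1Integer dsaQ = ASN1Integer.getInstance(seq.getObjectAt(1));
        plength = dsaP.getPositiveValue().bitLength();
        qlength = dsaQ.getPositiveValue().bitLength();
    } catch (IllegalArgumentException | ArrayIndexOutOfBoundsException ex) {
        throw new BadCertTemplateException("illegal Dss-Parms");
    }

    if (!dsaOption.allowsPlength(plength) || !dsaOption.allowsQlength(qlength)) {
        throw new BadCertTemplateException("the given publicKey is not permitted");
    }
}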