List of usage examples for org.bouncycastle.asn1.cmp PKIFailureInfo systemFailure
int systemFailure
To view the source code for org.bouncycastle.asn1.cmp PKIFailureInfo systemFailure.
Click Source Link
From source file:org.jnotary.service.dvcs.DvcsHandler.java
License:Open Source License
private DVCSResponse handleVpkc(DVCSRequest request) throws DVCSException { PKIStatusInfo dvStatus = null;/*ww w . j a va 2 s .com*/ byte[] certData = null; try { try { java.security.cert.X509Certificate certificate = getCertificate(request); certData = request.getData().toASN1Primitive().getEncoded(); cryptoService.verifyCerificate(certificate, true); dvStatus = StatusInfoFactory.getInstance(PKIStatus.GRANTED, null, null); } catch (DVCSException e) { dvStatus = StatusInfoFactory.getInstance(e.getPkiStatus(), e.getFreeText(), e.getPkiFailInfo()); } } catch (Exception e) { throw new DVCSException(PKIStatus.REJECTION, e.getLocalizedMessage(), PKIFailureInfo.systemFailure); } DvcsResponseHelper response = new DvcsResponseHelper(globalResources.getSerialNumber(), globalResources.getServiceConfig()); byte[] digestData = response.getDigest(certData); DigestInfo messageImprint = response.getDigestInfo(digestData); return response.createResponse(request, messageImprint, dvStatus); }
From source file:org.jnotary.service.dvcs.DvcsResponseHelper.java
License:Open Source License
protected byte[] getDigest(byte[] data) throws DVCSException { byte[] digestData = null; try {/* ww w. j a v a2s . c o m*/ digestData = Hasher.makeHash(config.getHashAlgorithm(), data); } catch (Exception e) { throw new DVCSException(PKIStatus.REJECTION, e.getLocalizedMessage(), PKIFailureInfo.systemFailure); } return digestData; }
From source file:org.jnotary.service.util.CryptoService.java
License:Open Source License
public byte[] sign(byte[] data) throws DVCSException { Signer.Parameters signerParameters = signer.getDefaultParameters(); signerParameters.setAddSignerSertificate(globalResources.getServiceConfig().isAddSignCertificate()); signerParameters.setDetached(false); try {/* w ww.j a va 2 s.c o m*/ return signer.sign(globalResources.getMyKeyStore(), data, signerParameters); } catch (Exception e) { throw new DVCSException(PKIStatus.REJECTION, e.getLocalizedMessage(), PKIFailureInfo.systemFailure); } }
From source file:org.xipki.ca.client.impl.X509CmpRequestor.java
License:Open Source License
private EnrollCertResultType intern_requestCertificate(final PKIMessage reqMessage, final Map<BigInteger, String> reqIdIdMap, final int expectedBodyType, final RequestResponseDebug debug) throws CmpRequestorException, PKIErrorException { PKIResponse response = signAndSend(reqMessage, debug); checkProtection(response);//from ww w .j a v a 2 s . co m PKIBody respBody = response.getPkiMessage().getBody(); int bodyType = respBody.getType(); if (PKIBody.TYPE_ERROR == bodyType) { ErrorMsgContent content = (ErrorMsgContent) respBody.getContent(); throw new PKIErrorException(content.getPKIStatusInfo()); } else if (expectedBodyType != bodyType) { throw new CmpRequestorException("unknown PKI body type " + bodyType + " instead the exceptected [" + expectedBodyType + ", " + PKIBody.TYPE_ERROR + "]"); } CertRepMessage certRep = (CertRepMessage) respBody.getContent(); CertResponse[] certResponses = certRep.getResponse(); EnrollCertResultType result = new EnrollCertResultType(); // CA certificates CMPCertificate[] caPubs = certRep.getCaPubs(); if (caPubs != null && caPubs.length > 0) { for (int i = 0; i < caPubs.length; i++) { if (caPubs[i] != null) { result.addCACertificate(caPubs[i]); } } } boolean isImplicitConfirm = CmpUtil.isImplictConfirm(response.getPkiMessage().getHeader()); CertificateConfirmationContentBuilder certConfirmBuilder = isImplicitConfirm ? null : new CertificateConfirmationContentBuilder(); boolean requireConfirm = false; // We only accept the certificates which are requested. for (CertResponse certResp : certResponses) { PKIStatusInfo statusInfo = certResp.getStatus(); int status = statusInfo.getStatus().intValue(); BigInteger certReqId = certResp.getCertReqId().getValue(); String thisId = reqIdIdMap.get(certReqId); if (thisId != null) { reqIdIdMap.remove(certReqId); } else if (reqIdIdMap.size() == 1) { thisId = reqIdIdMap.values().iterator().next(); reqIdIdMap.clear(); } if (thisId == null) { continue; // ignore it. this cert is not requested by me } ResultEntryType resultEntry; if (status == PKIStatus.GRANTED || status == PKIStatus.GRANTED_WITH_MODS) { CertifiedKeyPair cvk = certResp.getCertifiedKeyPair(); if (cvk == null) { return null; } CMPCertificate cmpCert = cvk.getCertOrEncCert().getCertificate(); if (cmpCert == null) { return null; } resultEntry = new EnrollCertResultEntryType(thisId, cmpCert, status); if (isImplicitConfirm == false) { requireConfirm = true; X509CertificateHolder certHolder = null; try { certHolder = new X509CertificateHolder(cmpCert.getEncoded()); } catch (IOException e) { resultEntry = new ErrorResultEntryType(thisId, ClientErrorCode.PKIStatus_RESPONSE_ERROR, PKIFailureInfo.systemFailure, "error while decode the certificate"); } if (certHolder != null) { certConfirmBuilder.addAcceptedCertificate(certHolder, certReqId); } } } else { PKIFreeText statusString = statusInfo.getStatusString(); String errorMessage = statusString == null ? null : statusString.getStringAt(0).getString(); int failureInfo = statusInfo.getFailInfo().intValue(); resultEntry = new ErrorResultEntryType(thisId, status, failureInfo, errorMessage); } result.addResultEntry(resultEntry); } if (CollectionUtil.isNotEmpty(reqIdIdMap)) { for (BigInteger reqId : reqIdIdMap.keySet()) { ErrorResultEntryType ere = new ErrorResultEntryType(reqIdIdMap.get(reqId), ClientErrorCode.PKIStatus_NO_ANSWER); result.addResultEntry(ere); } } if (requireConfirm == false) { return result; } PKIMessage confirmRequest = buildCertConfirmRequest(response.getPkiMessage().getHeader().getTransactionID(), certConfirmBuilder); response = signAndSend(confirmRequest, debug); checkProtection(response); if (PKIBody.TYPE_ERROR == bodyType) { ErrorMsgContent content = (ErrorMsgContent) respBody.getContent(); throw new PKIErrorException(content.getPKIStatusInfo()); } return result; }
From source file:org.xipki.ca.server.impl.CmpResponder.java
License:Open Source License
private PKIMessage addProtection(final PKIMessage pkiMessage, final AuditEvent auditEvent) { try {//from w w w . ja v a 2s . com return CmpUtil.addProtection(pkiMessage, getSigner(), getSender(), getCmpControl().isSendResponderCert()); } catch (Exception e) { final String message = "error while add protection to the PKI message"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); PKIStatusInfo status = generateCmpRejectionStatus(PKIFailureInfo.systemFailure, "could not sign the PKIMessage"); PKIBody body = new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(status)); if (auditEvent != null) { auditEvent.setLevel(AuditLevel.ERROR); auditEvent.setStatus(AuditStatus.FAILED); auditEvent.addEventData(new AuditEventData("message", "could not sign the PKIMessage")); } return new PKIMessage(pkiMessage.getHeader(), body); } }
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
@Override protected PKIMessage intern_processPKIMessage(final RequestorInfo requestor, final String user, final ASN1OctetString tid, final GeneralPKIMessage message, final AuditEvent auditEvent) throws ConfigurationException { if (requestor instanceof CmpRequestorInfo == false) { throw new IllegalArgumentException("unknown requestor type " + requestor.getClass().getName()); }/*w w w .j a va2 s . co m*/ CmpRequestorInfo _requestor = (CmpRequestorInfo) requestor; if (_requestor != null && auditEvent != null) { auditEvent.addEventData(new AuditEventData("requestor", _requestor.getCert().getSubject())); } PKIHeader reqHeader = message.getHeader(); PKIHeaderBuilder respHeader = new PKIHeaderBuilder(reqHeader.getPvno().getValue().intValue(), getSender(), reqHeader.getSender()); respHeader.setTransactionID(tid); PKIBody respBody; PKIBody reqBody = message.getBody(); final int type = reqBody.getType(); CmpControl cmpControl = getCmpControl(); try { switch (type) { case PKIBody.TYPE_CERT_REQ: case PKIBody.TYPE_KEY_UPDATE_REQ: case PKIBody.TYPE_P10_CERT_REQ: case PKIBody.TYPE_CROSS_CERT_REQ: { respBody = cmpEnrollCert(respHeader, cmpControl, reqHeader, reqBody, _requestor, user, tid, auditEvent); break; } case PKIBody.TYPE_CERT_CONFIRM: { addAutitEventType(auditEvent, "CERT_CONFIRM"); CertConfirmContent certConf = (CertConfirmContent) reqBody.getContent(); respBody = confirmCertificates(tid, certConf); break; } case PKIBody.TYPE_REVOCATION_REQ: { respBody = cmpRevokeOrUnrevokeOrRemoveCertificates(respHeader, cmpControl, reqHeader, reqBody, _requestor, user, tid, auditEvent); break; } case PKIBody.TYPE_CONFIRM: { addAutitEventType(auditEvent, "CONFIRM"); respBody = new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE); } case PKIBody.TYPE_ERROR: { addAutitEventType(auditEvent, "ERROR"); revokePendingCertificates(tid); respBody = new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE); break; } case PKIBody.TYPE_GEN_MSG: { respBody = cmpGeneralMsg(respHeader, cmpControl, reqHeader, reqBody, _requestor, user, tid, auditEvent); break; } default: { addAutitEventType(auditEvent, "PKIBody." + type); respBody = createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "unsupported type " + type); break; } } // end switch(type) } catch (InsuffientPermissionException e) { ErrorMsgContent emc = new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText(e.getMessage()), new PKIFailureInfo(PKIFailureInfo.notAuthorized))); respBody = new PKIBody(PKIBody.TYPE_ERROR, emc); } if (auditEvent != null) { if (respBody.getType() == PKIBody.TYPE_ERROR) { ErrorMsgContent errorMsgContent = (ErrorMsgContent) respBody.getContent(); AuditStatus auditStatus = AuditStatus.FAILED; org.xipki.ca.common.cmp.PKIStatusInfo pkiStatus = new org.xipki.ca.common.cmp.PKIStatusInfo( errorMsgContent.getPKIStatusInfo()); if (pkiStatus.getPkiFailureInfo() == PKIFailureInfo.systemFailure) { auditStatus = AuditStatus.FAILED; } auditEvent.setStatus(auditStatus); String statusString = pkiStatus.getStatusMessage(); if (statusString != null) { auditEvent.addEventData(new AuditEventData("message", statusString)); } } else if (auditEvent.getStatus() == null) { auditEvent.setStatus(AuditStatus.SUCCESSFUL); } } return new PKIMessage(respHeader.build(), respBody); }
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
private CertResponse generateCertificate(final CmpRequestorInfo requestor, final String user, final ASN1OctetString tid, final ASN1Integer certReqId, final X500Name subject, final SubjectPublicKeyInfo publicKeyInfo, final OptionalValidity validity, final Extensions extensions, final String certprofileName, final boolean keyUpdate, final long confirmWaitTime, final AuditChildEvent childAuditEvent) throws InsuffientPermissionException { checkPermission(requestor, certprofileName); Date notBefore = null;/*from ww w .j ava 2s . c o m*/ Date notAfter = null; if (validity != null) { Time t = validity.getNotBefore(); if (t != null) { notBefore = t.getDate(); } t = validity.getNotAfter(); if (t != null) { notAfter = t.getDate(); } } try { X509CA ca = getCA(); X509CertificateInfo certInfo; if (keyUpdate) { certInfo = ca.regenerateCertificate(requestor.isRA(), requestor, certprofileName, user, subject, publicKeyInfo, notBefore, notAfter, extensions); } else { certInfo = ca.generateCertificate(requestor.isRA(), requestor, certprofileName, user, subject, publicKeyInfo, notBefore, notAfter, extensions); } certInfo.setRequestor(requestor); certInfo.setUser(user); if (childAuditEvent != null) { childAuditEvent.addEventData(new AuditEventData("subject", certInfo.getCert().getSubject())); } pendingCertPool.addCertificate(tid.getOctets(), certReqId.getPositiveValue(), certInfo, System.currentTimeMillis() + confirmWaitTime); String warningMsg = certInfo.getWarningMessage(); PKIStatusInfo statusInfo; if (StringUtil.isBlank(warningMsg)) { if (certInfo.isAlreadyIssued()) { statusInfo = new PKIStatusInfo(PKIStatus.grantedWithMods, new PKIFreeText("ALREADY_ISSUED")); } else { statusInfo = new PKIStatusInfo(PKIStatus.granted); } } else { statusInfo = new PKIStatusInfo(PKIStatus.grantedWithMods, new PKIFreeText(warningMsg)); } if (childAuditEvent != null) { childAuditEvent.setStatus(AuditStatus.SUCCESSFUL); } CertOrEncCert cec = new CertOrEncCert(CMPCertificate.getInstance(certInfo.getCert().getEncodedCert())); CertifiedKeyPair kp = new CertifiedKeyPair(cec); CertResponse certResp = new CertResponse(certReqId, statusInfo, kp, null); return certResp; } catch (OperationException e) { ErrorCode code = e.getErrorCode(); LOG.warn("generate certificate, OperationException: code={}, message={}", code.name(), e.getErrorMessage()); String auditMessage; int failureInfo; switch (code) { case ALREADY_ISSUED: failureInfo = PKIFailureInfo.badRequest; auditMessage = "ALREADY_ISSUED"; break; case BAD_CERT_TEMPLATE: failureInfo = PKIFailureInfo.badCertTemplate; auditMessage = "BAD_CERT_TEMPLATE"; break; case BAD_REQUEST: failureInfo = PKIFailureInfo.badRequest; auditMessage = "BAD_REQUEST"; case CERT_REVOKED: failureInfo = PKIFailureInfo.certRevoked; auditMessage = "CERT_REVOKED"; break; case CRL_FAILURE: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "CRL_FAILURE"; break; case DATABASE_FAILURE: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "DATABASE_FAILURE"; break; case NOT_PERMITTED: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "NOT_PERMITTED"; break; case INSUFFICIENT_PERMISSION: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "INSUFFICIENT_PERMISSION"; break; case INVALID_EXTENSION: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "INVALID_EXTENSION"; break; case SYSTEM_FAILURE: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "System_Failure"; break; case SYSTEM_UNAVAILABLE: failureInfo = PKIFailureInfo.systemUnavail; auditMessage = "System_Unavailable"; break; case UNKNOWN_CERT: failureInfo = PKIFailureInfo.badCertId; auditMessage = "UNKNOWN_CERT"; break; case UNKNOWN_CERT_PROFILE: failureInfo = PKIFailureInfo.badCertTemplate; auditMessage = "UNKNOWN_CERT_PROFILE"; break; default: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "InternalErrorCode " + e.getErrorCode(); break; } // end switch(code) if (childAuditEvent != null) { childAuditEvent.setStatus(AuditStatus.FAILED); childAuditEvent.addEventData(new AuditEventData("message", auditMessage)); } String errorMessage; switch (code) { case DATABASE_FAILURE: case SYSTEM_FAILURE: errorMessage = code.name(); break; default: errorMessage = code.name() + ": " + e.getErrorMessage(); break; } // end switch code PKIStatusInfo status = generateCmpRejectionStatus(failureInfo, errorMessage); return new CertResponse(certReqId, status); } }
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
private PKIBody revokeOrUnrevokeOrRemoveCertificates(final RevReqContent rr, final AuditEvent auditEvent, final Permission permission) { RevDetails[] revContent = rr.toRevDetailsArray(); RevRepContentBuilder repContentBuilder = new RevRepContentBuilder(); final int n = revContent.length; // test the reques for (int i = 0; i < n; i++) { RevDetails revDetails = revContent[i]; CertTemplate certDetails = revDetails.getCertDetails(); X500Name issuer = certDetails.getIssuer(); ASN1Integer serialNumber = certDetails.getSerialNumber(); try {//from w w w .j a v a 2 s . c o m X500Name caSubject = getCA().getCAInfo().getCertificate().getSubjectAsX500Name(); if (issuer == null) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present"); } else if (issuer.equals(caSubject) == false) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer not targets at the CA"); } else if (serialNumber == null) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present"); } else if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null || certDetails.getExtensions() != null) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are allowed, " + "but more is specified"); } } catch (IllegalArgumentException e) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is not invalid"); } } for (int i = 0; i < n; i++) { AuditChildEvent childAuditEvent = null; if (auditEvent != null) { childAuditEvent = new AuditChildEvent(); auditEvent.addChildAuditEvent(childAuditEvent); } RevDetails revDetails = revContent[i]; CertTemplate certDetails = revDetails.getCertDetails(); ASN1Integer serialNumber = certDetails.getSerialNumber(); // serialNumber is not null due to the check in the previous for-block. X500Name caSubject = getCA().getCAInfo().getCertificate().getSubjectAsX500Name(); BigInteger snBigInt = serialNumber.getPositiveValue(); CertId certId = new CertId(new GeneralName(caSubject), serialNumber); if (childAuditEvent != null) { AuditEventData eventData = new AuditEventData("serialNumber", snBigInt.toString()); childAuditEvent.addEventData(eventData); } PKIStatusInfo status; try { Object returnedObj = null; X509CA ca = getCA(); if (Permission.UNREVOKE_CERT == permission) { // unrevoke returnedObj = ca.unrevokeCertificate(snBigInt); } else if (Permission.REMOVE_CERT == permission) { // remove returnedObj = ca.removeCertificate(snBigInt); } else { // revoke Date invalidityDate = null; CRLReason reason = null; Extensions crlDetails = revDetails.getCrlEntryDetails(); if (crlDetails != null) { ASN1ObjectIdentifier extId = Extension.reasonCode; ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { int reasonCode = ((ASN1Enumerated) extValue).getValue().intValue(); reason = CRLReason.forReasonCode(reasonCode); } extId = Extension.invalidityDate; extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { try { invalidityDate = ((ASN1GeneralizedTime) extValue).getDate(); } catch (ParseException e) { throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + extId.getId()); } } } // end if(crlDetails) if (reason == null) { reason = CRLReason.UNSPECIFIED; } if (childAuditEvent != null) { childAuditEvent.addEventData(new AuditEventData("reason", reason.getDescription())); if (invalidityDate != null) { String value; synchronized (dateFormat) { value = dateFormat.format(invalidityDate); } childAuditEvent.addEventData(new AuditEventData("invalidityDate", value)); } } returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate); } // end if(permission) if (returnedObj == null) { throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists"); } status = new PKIStatusInfo(PKIStatus.granted); if (childAuditEvent != null) { childAuditEvent.setStatus(AuditStatus.SUCCESSFUL); } } catch (OperationException e) { ErrorCode code = e.getErrorCode(); LOG.warn("{} certificate, OperationException: code={}, message={}", new Object[] { permission.name(), code.name(), e.getErrorMessage() }); String auditMessage; int failureInfo; switch (code) { case BAD_REQUEST: failureInfo = PKIFailureInfo.badRequest; auditMessage = "BAD_REQUEST"; break; case CERT_REVOKED: failureInfo = PKIFailureInfo.certRevoked; auditMessage = "CERT_REVOKED"; break; case CERT_UNREVOKED: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "CERT_UNREVOKED"; break; case DATABASE_FAILURE: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "DATABASE_FAILURE"; break; case INVALID_EXTENSION: failureInfo = PKIFailureInfo.unacceptedExtension; auditMessage = "INVALID_EXTENSION"; break; case INSUFFICIENT_PERMISSION: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "INSUFFICIENT_PERMISSION"; break; case NOT_PERMITTED: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "NOT_PERMITTED"; break; case SYSTEM_FAILURE: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "System_Failure"; break; case SYSTEM_UNAVAILABLE: failureInfo = PKIFailureInfo.systemUnavail; auditMessage = "System_Unavailable"; break; case UNKNOWN_CERT: failureInfo = PKIFailureInfo.badCertId; auditMessage = "UNKNOWN_CERT"; break; default: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "InternalErrorCode " + e.getErrorCode(); break; } // end switch(code) if (childAuditEvent != null) { childAuditEvent.setStatus(AuditStatus.FAILED); childAuditEvent.addEventData(new AuditEventData("message", auditMessage)); } String errorMessage; switch (code) { case DATABASE_FAILURE: case SYSTEM_FAILURE: errorMessage = code.name(); break; default: errorMessage = code.name() + ": " + e.getErrorMessage(); break; } // end switch(code) status = generateCmpRejectionStatus(failureInfo, errorMessage); } // end try repContentBuilder.add(status, certId); } // end for return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build()); }
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
private PKIBody confirmCertificates(final ASN1OctetString transactionId, final CertConfirmContent certConf) { CertStatus[] certStatuses = certConf.toCertStatusArray(); boolean successfull = true; for (CertStatus certStatus : certStatuses) { ASN1Integer certReqId = certStatus.getCertReqId(); byte[] certHash = certStatus.getCertHash().getOctets(); X509CertificateInfo certInfo = pendingCertPool.removeCertificate(transactionId.getOctets(), certReqId.getPositiveValue(), certHash); if (certInfo == null) { LOG.warn("no cert under transactionId={}, certReqId={} and certHash=0X{}", new Object[] { transactionId, certReqId.getPositiveValue(), Hex.toHexString(certHash) }); continue; }/*from ww w .j ava2s.c o m*/ PKIStatusInfo statusInfo = certStatus.getStatusInfo(); boolean accept = true; if (statusInfo != null) { int status = statusInfo.getStatus().intValue(); if (PKIStatus.GRANTED != status && PKIStatus.GRANTED_WITH_MODS != status) { accept = false; } } if (accept) { continue; } BigInteger serialNumber = certInfo.getCert().getCert().getSerialNumber(); X509CA ca = getCA(); try { ca.revokeCertificate(serialNumber, CRLReason.CESSATION_OF_OPERATION, new Date()); } catch (OperationException e) { final String msg = "could not revoke certificate ca=" + ca.getCAInfo().getName() + " serialNumber=" + serialNumber; if (LOG.isWarnEnabled()) { LOG.warn(LogUtil.buildExceptionLogFormat(msg), e.getClass().getName(), e.getMessage()); } LOG.debug(msg, e); } successfull = false; } // all other certificates should be revoked if (revokePendingCertificates(transactionId)) { successfull = false; } if (successfull) { return new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE); } ErrorMsgContent emc = new ErrorMsgContent( new PKIStatusInfo(PKIStatus.rejection, null, new PKIFailureInfo(PKIFailureInfo.systemFailure))); return new PKIBody(PKIBody.TYPE_ERROR, emc); }
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
private PKIBody cmpGeneralMsg(final PKIHeaderBuilder respHeader, final CmpControl cmpControl, final PKIHeader reqHeader, final PKIBody reqBody, final CmpRequestorInfo requestor, final String user, final ASN1OctetString tid, final AuditEvent auditEvent) throws InsuffientPermissionException { GenMsgContent genMsgBody = (GenMsgContent) reqBody.getContent(); InfoTypeAndValue[] itvs = genMsgBody.toInfoTypeAndValueArray(); InfoTypeAndValue itv = null;/* w w w. ja v a2 s .c o m*/ if (itvs != null && itvs.length > 0) { for (InfoTypeAndValue _itv : itvs) { String itvType = _itv.getInfoType().getId(); if (knownGenMsgIds.contains(itvType)) { itv = _itv; break; } } } if (itv == null) { String statusMessage = "PKIBody type " + PKIBody.TYPE_GEN_MSG + " is only supported with the sub-types " + knownGenMsgIds.toString(); return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage); } InfoTypeAndValue itvResp = null; ASN1ObjectIdentifier infoType = itv.getInfoType(); int failureInfo; try { X509CA ca = getCA(); if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) { addAutitEventType(auditEvent, "CRL_DOWNLOAD"); checkPermission(requestor, Permission.GET_CRL); CertificateList crl = ca.getCurrentCRL(); if (itv.getInfoValue() == null) { // as defined in RFC 4210 crl = ca.getCurrentCRL(); } else { // xipki extension ASN1Integer crlNumber = ASN1Integer.getInstance(itv.getInfoValue()); crl = ca.getCRL(crlNumber.getPositiveValue()); } if (crl == null) { String statusMessage = "no CRL is available"; return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage); } itvResp = new InfoTypeAndValue(infoType, crl); } else if (ObjectIdentifiers.id_xipki_cmp.equals(infoType)) { ASN1Encodable asn1 = itv.getInfoValue(); ASN1Integer asn1Code = null; ASN1Encodable reqValue = null; try { ASN1Sequence seq = ASN1Sequence.getInstance(asn1); asn1Code = ASN1Integer.getInstance(seq.getObjectAt(0)); if (seq.size() > 1) { reqValue = seq.getObjectAt(1); } } catch (IllegalArgumentException e) { String statusMessage = "invalid value of the InfoTypeAndValue for " + ObjectIdentifiers.id_xipki_cmp.getId(); return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage); } ASN1Encodable respValue; int action = asn1Code.getPositiveValue().intValue(); switch (action) { case XipkiCmpConstants.ACTION_GEN_CRL: addAutitEventType(auditEvent, "CRL_GEN_ONDEMAND"); checkPermission(requestor, Permission.GEN_CRL); X509CRL _crl = ca.generateCRLonDemand(auditEvent); if (_crl == null) { String statusMessage = "CRL generation is not activated"; return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage); } else { respValue = CertificateList.getInstance(_crl.getEncoded()); } break; case XipkiCmpConstants.ACTION_GET_CRL_WITH_SN: addAutitEventType(auditEvent, "CRL_DOWNLOAD_WITH_SN"); checkPermission(requestor, Permission.GET_CRL); ASN1Integer crlNumber = ASN1Integer.getInstance(reqValue); respValue = ca.getCRL(crlNumber.getPositiveValue()); if (respValue == null) { String statusMessage = "no CRL is available"; return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage); } break; case XipkiCmpConstants.ACTION_GET_CAINFO: addAutitEventType(auditEvent, "GET_SYSTEMINFO"); Set<Integer> acceptVersions = new HashSet<>(); if (reqValue != null) { ASN1Sequence seq = DERSequence.getInstance(reqValue); int size = seq.size(); for (int i = 0; i < size; i++) { ASN1Integer a = ASN1Integer.getInstance(seq.getObjectAt(i)); acceptVersions.add(a.getPositiveValue().intValue()); } } if (CollectionUtil.isEmpty(acceptVersions)) { acceptVersions.add(1); } String systemInfo = getSystemInfo(requestor, acceptVersions); respValue = new DERUTF8String(systemInfo); break; case XipkiCmpConstants.ACTION_REMOVE_EXPIRED_CERTS: checkPermission(requestor, Permission.REMOVE_CERT); String info = removeExpiredCerts(requestor, itv.getInfoValue()); respValue = new DERUTF8String(info); break; default: String statusMessage = "unsupported XiPKI action code '" + action + "'"; return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage); } // end switch(action) ASN1EncodableVector v = new ASN1EncodableVector(); v.add(asn1Code); if (respValue != null) { v.add(respValue); } itvResp = new InfoTypeAndValue(infoType, new DERSequence(v)); } GenRepContent genRepContent = new GenRepContent(itvResp); return new PKIBody(PKIBody.TYPE_GEN_REP, genRepContent); } catch (OperationException e) { failureInfo = PKIFailureInfo.systemFailure; String statusMessage = null; ErrorCode code = e.getErrorCode(); switch (code) { case BAD_REQUEST: failureInfo = PKIFailureInfo.badRequest; statusMessage = e.getErrorMessage(); break; case DATABASE_FAILURE: case SYSTEM_FAILURE: statusMessage = code.name(); break; default: statusMessage = code.name() + ": " + e.getErrorMessage(); break; } // end switch(code) return createErrorMsgPKIBody(PKIStatus.rejection, failureInfo, statusMessage); } catch (CRLException e) { String statusMessage = "CRLException: " + e.getMessage(); return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage); } }