List of usage examples for org.bouncycastle.asn1.crmf CertId CertId
public CertId(GeneralName issuer, ASN1Integer serialNumber)
From source file:org.cryptable.pki.communication.PKICMPMessagesTest.java
License:Open Source License
private byte[] createRevocationRespons1(byte[] senderNonce, byte[] transactionId) throws CRLException, CMPException, CertificateEncodingException, OperatorCreationException, PKICMPMessageException, IOException { RevRepContentBuilder revRepContentBuilder = new RevRepContentBuilder(); revRepContentBuilder.add(new PKIStatusInfo(PKIStatus.granted), new CertId(new GeneralName(JcaX500NameUtil.getIssuer(pki.getRevokedCert())), pki.getRevokedCert().getSerialNumber())); revRepContentBuilder.addCrl(new JcaX509CRLHolder(pki.getX509CRL()).toASN1Structure()); PKIBody pkiBody = new PKIBody(PKIBody.TYPE_REVOCATION_REP, revRepContentBuilder.build()); return createProtectedPKIMessage(senderNonce, transactionId, pkiBody); }
From source file:org.xipki.ca.client.impl.X509CmpRequestor.java
License:Open Source License
private RevokeCertResultType parse(final PKIResponse response, final List<? extends IssuerSerialEntryType> reqEntries) throws CmpRequestorException, PKIErrorException { checkProtection(response);/*from w w w . j a v a2 s .c o m*/ PKIBody respBody = response.getPkiMessage().getBody(); int bodyType = respBody.getType(); if (PKIBody.TYPE_ERROR == bodyType) { ErrorMsgContent content = (ErrorMsgContent) respBody.getContent(); throw new PKIErrorException(content.getPKIStatusInfo()); } else if (PKIBody.TYPE_REVOCATION_REP != bodyType) { throw new CmpRequestorException("unknown PKI body type " + bodyType + " instead the exceptected [" + PKIBody.TYPE_REVOCATION_REP + ", " + PKIBody.TYPE_ERROR + "]"); } RevRepContent content = (RevRepContent) respBody.getContent(); PKIStatusInfo[] statuses = content.getStatus(); if (statuses == null || statuses.length != reqEntries.size()) { throw new CmpRequestorException("incorrect number of status entries in response '" + statuses.length + "' instead the exceptected '" + reqEntries.size() + "'"); } CertId[] revCerts = content.getRevCerts(); RevokeCertResultType result = new RevokeCertResultType(); for (int i = 0; i < statuses.length; i++) { PKIStatusInfo statusInfo = statuses[i]; int status = statusInfo.getStatus().intValue(); IssuerSerialEntryType re = reqEntries.get(i); if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) { PKIFreeText text = statusInfo.getStatusString(); String statusString = text == null ? null : text.getStringAt(0).getString(); ResultEntryType resultEntry = new ErrorResultEntryType(re.getId(), status, statusInfo.getFailInfo().intValue(), statusString); result.addResultEntry(resultEntry); continue; } CertId certId = null; if (revCerts != null) { for (CertId _certId : revCerts) { if (re.getIssuer().equals(_certId.getIssuer().getName()) && re.getSerialNumber().equals(_certId.getSerialNumber().getValue())) { certId = _certId; break; } } } if (certId == null) { LOG.warn("certId is not present in response for (issuer='{}', serialNumber={})", X509Util.getRFC4519Name(re.getIssuer()), re.getSerialNumber()); certId = new CertId(new GeneralName(re.getIssuer()), re.getSerialNumber()); continue; } ResultEntryType resultEntry = new RevokeCertResultEntryType(re.getId(), certId); result.addResultEntry(resultEntry); } return result; }
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
private PKIBody revokeOrUnrevokeOrRemoveCertificates(final RevReqContent rr, final AuditEvent auditEvent, final Permission permission) { RevDetails[] revContent = rr.toRevDetailsArray(); RevRepContentBuilder repContentBuilder = new RevRepContentBuilder(); final int n = revContent.length; // test the reques for (int i = 0; i < n; i++) { RevDetails revDetails = revContent[i]; CertTemplate certDetails = revDetails.getCertDetails(); X500Name issuer = certDetails.getIssuer(); ASN1Integer serialNumber = certDetails.getSerialNumber(); try {//w ww . j a va 2 s . c o m X500Name caSubject = getCA().getCAInfo().getCertificate().getSubjectAsX500Name(); if (issuer == null) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present"); } else if (issuer.equals(caSubject) == false) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer not targets at the CA"); } else if (serialNumber == null) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present"); } else if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null || certDetails.getExtensions() != null) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are allowed, " + "but more is specified"); } } catch (IllegalArgumentException e) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is not invalid"); } } for (int i = 0; i < n; i++) { AuditChildEvent childAuditEvent = null; if (auditEvent != null) { childAuditEvent = new AuditChildEvent(); auditEvent.addChildAuditEvent(childAuditEvent); } RevDetails revDetails = revContent[i]; CertTemplate certDetails = revDetails.getCertDetails(); ASN1Integer serialNumber = certDetails.getSerialNumber(); // serialNumber is not null due to the check in the previous for-block. X500Name caSubject = getCA().getCAInfo().getCertificate().getSubjectAsX500Name(); BigInteger snBigInt = serialNumber.getPositiveValue(); CertId certId = new CertId(new GeneralName(caSubject), serialNumber); if (childAuditEvent != null) { AuditEventData eventData = new AuditEventData("serialNumber", snBigInt.toString()); childAuditEvent.addEventData(eventData); } PKIStatusInfo status; try { Object returnedObj = null; X509CA ca = getCA(); if (Permission.UNREVOKE_CERT == permission) { // unrevoke returnedObj = ca.unrevokeCertificate(snBigInt); } else if (Permission.REMOVE_CERT == permission) { // remove returnedObj = ca.removeCertificate(snBigInt); } else { // revoke Date invalidityDate = null; CRLReason reason = null; Extensions crlDetails = revDetails.getCrlEntryDetails(); if (crlDetails != null) { ASN1ObjectIdentifier extId = Extension.reasonCode; ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { int reasonCode = ((ASN1Enumerated) extValue).getValue().intValue(); reason = CRLReason.forReasonCode(reasonCode); } extId = Extension.invalidityDate; extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { try { invalidityDate = ((ASN1GeneralizedTime) extValue).getDate(); } catch (ParseException e) { throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + extId.getId()); } } } // end if(crlDetails) if (reason == null) { reason = CRLReason.UNSPECIFIED; } if (childAuditEvent != null) { childAuditEvent.addEventData(new AuditEventData("reason", reason.getDescription())); if (invalidityDate != null) { String value; synchronized (dateFormat) { value = dateFormat.format(invalidityDate); } childAuditEvent.addEventData(new AuditEventData("invalidityDate", value)); } } returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate); } // end if(permission) if (returnedObj == null) { throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists"); } status = new PKIStatusInfo(PKIStatus.granted); if (childAuditEvent != null) { childAuditEvent.setStatus(AuditStatus.SUCCESSFUL); } } catch (OperationException e) { ErrorCode code = e.getErrorCode(); LOG.warn("{} certificate, OperationException: code={}, message={}", new Object[] { permission.name(), code.name(), e.getErrorMessage() }); String auditMessage; int failureInfo; switch (code) { case BAD_REQUEST: failureInfo = PKIFailureInfo.badRequest; auditMessage = "BAD_REQUEST"; break; case CERT_REVOKED: failureInfo = PKIFailureInfo.certRevoked; auditMessage = "CERT_REVOKED"; break; case CERT_UNREVOKED: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "CERT_UNREVOKED"; break; case DATABASE_FAILURE: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "DATABASE_FAILURE"; break; case INVALID_EXTENSION: failureInfo = PKIFailureInfo.unacceptedExtension; auditMessage = "INVALID_EXTENSION"; break; case INSUFFICIENT_PERMISSION: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "INSUFFICIENT_PERMISSION"; break; case NOT_PERMITTED: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "NOT_PERMITTED"; break; case SYSTEM_FAILURE: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "System_Failure"; break; case SYSTEM_UNAVAILABLE: failureInfo = PKIFailureInfo.systemUnavail; auditMessage = "System_Unavailable"; break; case UNKNOWN_CERT: failureInfo = PKIFailureInfo.badCertId; auditMessage = "UNKNOWN_CERT"; break; default: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "InternalErrorCode " + e.getErrorCode(); break; } // end switch(code) if (childAuditEvent != null) { childAuditEvent.setStatus(AuditStatus.FAILED); childAuditEvent.addEventData(new AuditEventData("message", auditMessage)); } String errorMessage; switch (code) { case DATABASE_FAILURE: case SYSTEM_FAILURE: errorMessage = code.name(); break; default: errorMessage = code.name() + ": " + e.getErrorMessage(); break; } // end switch(code) status = generateCmpRejectionStatus(failureInfo, errorMessage); } // end try repContentBuilder.add(status, certId); } // end for return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build()); }
From source file:org.xipki.pki.ca.client.impl.X509CmpRequestor.java
License:Open Source License
private RevokeCertResultType parse(final PkiResponse response, final List<? extends IssuerSerialEntry> reqEntries) throws CmpRequestorException, PkiErrorException { ParamUtil.requireNonNull("response", response); checkProtection(response);//from ww w. j av a2 s .c o m PKIBody respBody = response.getPkiMessage().getBody(); int bodyType = respBody.getType(); if (PKIBody.TYPE_ERROR == bodyType) { ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent()); throw new PkiErrorException(content.getPKIStatusInfo()); } else if (PKIBody.TYPE_REVOCATION_REP != bodyType) { throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_REVOCATION_REP, PKIBody.TYPE_ERROR)); } RevRepContent content = RevRepContent.getInstance(respBody.getContent()); PKIStatusInfo[] statuses = content.getStatus(); if (statuses == null || statuses.length != reqEntries.size()) { int statusesLen = 0; if (statuses != null) { statusesLen = statuses.length; } throw new CmpRequestorException( String.format("incorrect number of status entries in response '%s' instead the expected '%s'", statusesLen, reqEntries.size())); } CertId[] revCerts = content.getRevCerts(); RevokeCertResultType result = new RevokeCertResultType(); for (int i = 0; i < statuses.length; i++) { PKIStatusInfo statusInfo = statuses[i]; int status = statusInfo.getStatus().intValue(); IssuerSerialEntry re = reqEntries.get(i); if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) { PKIFreeText text = statusInfo.getStatusString(); String statusString = (text == null) ? null : text.getStringAt(0).getString(); ResultEntry resultEntry = new ErrorResultEntry(re.getId(), status, statusInfo.getFailInfo().intValue(), statusString); result.addResultEntry(resultEntry); continue; } CertId certId = null; if (revCerts != null) { for (CertId entry : revCerts) { if (re.getIssuer().equals(entry.getIssuer().getName()) && re.getSerialNumber().equals(entry.getSerialNumber().getValue())) { certId = entry; break; } } } if (certId == null) { LOG.warn("certId is not present in response for (issuer='{}', serialNumber={})", X509Util.getRfc4519Name(re.getIssuer()), LogUtil.formatCsn(re.getSerialNumber())); certId = new CertId(new GeneralName(re.getIssuer()), re.getSerialNumber()); continue; } ResultEntry resultEntry = new RevokeCertResultEntry(re.getId(), certId); result.addResultEntry(resultEntry); } return result; }
From source file:org.xipki.pki.ca.server.impl.cmp.X509CaCmpResponder.java
License:Open Source License
private PKIBody unRevokeRemoveCertificates(final PKIMessage request, final RevReqContent rr, final Permission permission, final CmpControl cmpControl, final String msgId) { RevDetails[] revContent = rr.toRevDetailsArray(); RevRepContentBuilder repContentBuilder = new RevRepContentBuilder(); final int n = revContent.length; // test the request for (int i = 0; i < n; i++) { RevDetails revDetails = revContent[i]; CertTemplate certDetails = revDetails.getCertDetails(); X500Name issuer = certDetails.getIssuer(); ASN1Integer serialNumber = certDetails.getSerialNumber(); try {/*ww w. j a v a 2s . c o m*/ X500Name caSubject = getCa().getCaInfo().getCertificate().getSubjectAsX500Name(); if (issuer == null) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present"); } if (!issuer.equals(caSubject)) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA"); } if (serialNumber == null) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present"); } if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are " + "allowed, but more is specified"); } if (certDetails.getExtensions() == null) { if (cmpControl.isRrAkiRequired()) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present"); } } else { Extensions exts = certDetails.getExtensions(); ASN1ObjectIdentifier[] oids = exts.getCriticalExtensionOIDs(); if (oids != null) { for (ASN1ObjectIdentifier oid : oids) { if (!Extension.authorityKeyIdentifier.equals(oid)) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "unknown critical extension " + oid.getId()); } } } Extension ext = exts.getExtension(Extension.authorityKeyIdentifier); if (ext == null) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present"); } else { AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(ext.getParsedValue()); if (aki.getKeyIdentifier() == null) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer's AKI not present"); } boolean issuerMatched = true; byte[] caSki = getCa().getCaInfo().getCertificate().getSubjectKeyIdentifier(); if (Arrays.equals(caSki, aki.getKeyIdentifier())) { issuerMatched = false; } if (issuerMatched && aki.getAuthorityCertSerialNumber() != null) { BigInteger caSerial = getCa().getCaInfo().getSerialNumber(); if (!caSerial.equals(aki.getAuthorityCertSerialNumber())) { issuerMatched = false; } } if (issuerMatched && aki.getAuthorityCertIssuer() != null) { GeneralName[] names = aki.getAuthorityCertIssuer().getNames(); for (GeneralName name : names) { if (name.getTagNo() != GeneralName.directoryName) { issuerMatched = false; break; } if (!caSubject.equals(name.getName())) { issuerMatched = false; break; } } } if (!issuerMatched) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer does not target at the CA"); } } } } catch (IllegalArgumentException ex) { return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is not invalid"); } } // end for byte[] encodedRequest = null; if (getCa().getCaInfo().isSaveRequest()) { try { encodedRequest = request.getEncoded(); } catch (IOException ex) { LOG.warn("could not encode request"); } } Long reqDbId = null; for (int i = 0; i < n; i++) { RevDetails revDetails = revContent[i]; CertTemplate certDetails = revDetails.getCertDetails(); ASN1Integer serialNumber = certDetails.getSerialNumber(); // serialNumber is not null due to the check in the previous for-block. X500Name caSubject = getCa().getCaInfo().getCertificate().getSubjectAsX500Name(); BigInteger snBigInt = serialNumber.getPositiveValue(); CertId certId = new CertId(new GeneralName(caSubject), serialNumber); PKIStatusInfo status; try { Object returnedObj = null; Long certDbId = null; X509Ca ca = getCa(); if (Permission.UNREVOKE_CERT == permission) { // unrevoke returnedObj = ca.unrevokeCertificate(snBigInt, msgId); if (returnedObj != null) { certDbId = ((X509CertWithDbId) returnedObj).getCertId(); } } else if (Permission.REMOVE_CERT == permission) { // remove returnedObj = ca.removeCertificate(snBigInt, msgId); } else { // revoke Date invalidityDate = null; CrlReason reason = null; Extensions crlDetails = revDetails.getCrlEntryDetails(); if (crlDetails != null) { ASN1ObjectIdentifier extId = Extension.reasonCode; ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { int reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue(); reason = CrlReason.forReasonCode(reasonCode); } extId = Extension.invalidityDate; extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { try { invalidityDate = ASN1GeneralizedTime.getInstance(extValue).getDate(); } catch (ParseException ex) { throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + extId.getId()); } } } // end if (crlDetails) if (reason == null) { reason = CrlReason.UNSPECIFIED; } returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate, msgId); if (returnedObj != null) { certDbId = ((X509CertWithRevocationInfo) returnedObj).getCert().getCertId(); } } // end if (permission) if (returnedObj == null) { throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists"); } if (certDbId != null && ca.getCaInfo().isSaveRequest()) { if (reqDbId == null) { reqDbId = ca.addRequest(encodedRequest); } ca.addRequestCert(reqDbId, certDbId); } status = new PKIStatusInfo(PKIStatus.granted); } catch (OperationException ex) { ErrorCode code = ex.getErrorCode(); LOG.warn("{} certificate, OperationException: code={}, message={}", permission.name(), code.name(), ex.getErrorMessage()); String errorMessage; switch (code) { case DATABASE_FAILURE: case SYSTEM_FAILURE: errorMessage = code.name(); break; default: errorMessage = code.name() + ": " + ex.getErrorMessage(); break; } // end switch code int failureInfo = getPKiFailureInfo(ex); status = generateRejectionStatus(failureInfo, errorMessage); } // end try repContentBuilder.add(status, certId); } // end for return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build()); }