List of usage examples for org.bouncycastle.asn1.x500 X500Name getInstance
public static X500Name getInstance(Object obj)
From source file:org.xipki.pki.ca.server.impl.cmp.X509CaCmpResponder.java
License:Open Source License
@Override protected boolean intendsMe(final GeneralName requestRecipient) { if (requestRecipient == null) { return false; }//from ww w . j ava2s .c o m if (getSender().equals(requestRecipient)) { return true; } if (requestRecipient.getTagNo() == GeneralName.directoryName) { X500Name x500Name = X500Name.getInstance(requestRecipient.getName()); if (x500Name.equals(caManager.getCmpResponderWrapper(getResponderName()).getSubjectAsX500Name())) { return true; } } return false; }
From source file:org.xipki.pki.ca.server.impl.IdentifiedX509Certprofile.java
License:Open Source License
public ExtensionValues getExtensions(@NonNull final X500Name requestedSubject, @NonNull final X500Name grantedSubject, @Nullable final Extensions requestedExtensions, @NonNull final SubjectPublicKeyInfo publicKeyInfo, @NonNull final PublicCaInfo publicCaInfo, @Nullable final X509Certificate crlSignerCert, @NonNull final Date notBefore, @NonNull final Date notAfter) throws CertprofileException, BadCertTemplateException { ParamUtil.requireNonNull("publicKeyInfo", publicKeyInfo); ExtensionValues values = new ExtensionValues(); Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls()); Set<ASN1ObjectIdentifier> neededExtTypes = new HashSet<>(); Set<ASN1ObjectIdentifier> wantedExtTypes = new HashSet<>(); if (requestedExtensions != null) { Extension reqExtension = requestedExtensions .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions); if (reqExtension != null) { ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue()); neededExtTypes.addAll(ee.getNeedExtensions()); wantedExtTypes.addAll(ee.getWantExtensions()); }//from ww w .jav a 2s . c o m for (ASN1ObjectIdentifier oid : neededExtTypes) { if (wantedExtTypes.contains(oid)) { wantedExtTypes.remove(oid); } if (!controls.containsKey(oid)) { throw new BadCertTemplateException("could not add needed extension " + oid.getId()); } } } // SubjectKeyIdentifier ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier; ExtensionControl extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { byte[] encodedSpki = publicKeyInfo.getPublicKeyData().getBytes(); byte[] skiValue = HashAlgoType.SHA1.hash(encodedSpki); SubjectKeyIdentifier value = new SubjectKeyIdentifier(skiValue); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // Authority key identifier extType = Extension.authorityKeyIdentifier; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer(); AuthorityKeyIdentifier value = null; if (ikiValue != null) { if (certprofile.includeIssuerAndSerialInAki()) { GeneralNames x509CaSubject = new GeneralNames(new GeneralName(publicCaInfo.getX500Subject())); value = new AuthorityKeyIdentifier(ikiValue, x509CaSubject, publicCaInfo.getSerialNumber()); } else { value = new AuthorityKeyIdentifier(ikiValue); } } addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // IssuerAltName extType = Extension.issuerAlternativeName; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { GeneralNames value = publicCaInfo.getSubjectAltName(); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // AuthorityInfoAccess extType = Extension.authorityInfoAccess; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl(); List<String> caIssuers = null; if (aiaControl == null || aiaControl.includesCaIssuers()) { caIssuers = publicCaInfo.getCaCertUris(); } List<String> ocspUris = null; if (aiaControl == null || aiaControl.includesOcsp()) { ocspUris = publicCaInfo.getOcspUris(); } if (CollectionUtil.isNonEmpty(caIssuers) || CollectionUtil.isNonEmpty(ocspUris)) { AuthorityInformationAccess value = CaUtil.createAuthorityInformationAccess(caIssuers, ocspUris); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } } if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) { X500Name crlSignerSubject = (crlSignerCert == null) ? null : X500Name.getInstance(crlSignerCert.getSubjectX500Principal().getEncoded()); X500Name x500CaPrincipal = publicCaInfo.getX500Subject(); // CRLDistributionPoints extType = Extension.cRLDistributionPoints; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { if (CollectionUtil.isNonEmpty(publicCaInfo.getCrlUris())) { CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getCrlUris(), x500CaPrincipal, crlSignerSubject); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } } // FreshestCRL extType = Extension.freshestCRL; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { if (CollectionUtil.isNonEmpty(publicCaInfo.getDeltaCrlUris())) { CRLDistPoint value = CaUtil.createCrlDistributionPoints(publicCaInfo.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } } } // BasicConstraints extType = Extension.basicConstraints; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { BasicConstraints value = CaUtil.createBasicConstraints(certprofile.getCertLevel(), certprofile.getPathLenBasicConstraint()); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // KeyUsage extType = Extension.keyUsage; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { Set<KeyUsage> usages = new HashSet<>(); Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage(); for (KeyUsageControl k : usageOccs) { if (k.isRequired()) { usages.add(k.getKeyUsage()); } } // the optional KeyUsage will only be set if requested explicitly if (requestedExtensions != null && extControl.isRequest()) { addRequestedKeyusage(usages, requestedExtensions, usageOccs); } org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // ExtendedKeyUsage extType = Extension.extendedKeyUsage; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { List<ASN1ObjectIdentifier> usages = new LinkedList<>(); Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages(); for (ExtKeyUsageControl k : usageOccs) { if (k.isRequired()) { usages.add(k.getExtKeyUsage()); } } // the optional ExtKeyUsage will only be set if requested explicitly if (requestedExtensions != null && extControl.isRequest()) { addRequestedExtKeyusage(usages, requestedExtensions, usageOccs); } if (extControl.isCritical() && usages.contains(ObjectIdentifiers.id_anyExtendedKeyUsage)) { extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest()); } ExtendedKeyUsage value = X509Util.createExtendedUsage(usages); addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // ocsp-nocheck extType = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { // the extension ocsp-nocheck will only be set if requested explicitly DERNull value = DERNull.INSTANCE; addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } // SubjectInfoAccess extType = Extension.subjectInfoAccess; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtTypes, wantedExtTypes)) { ASN1Sequence value = null; if (requestedExtensions != null && extControl.isRequest()) { value = createSubjectInfoAccess(requestedExtensions, certprofile.getSubjectInfoAccessModes()); } addExtension(values, extType, value, extControl, neededExtTypes, wantedExtTypes); } ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, grantedSubject, requestedExtensions, notBefore, notAfter); Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet()); for (ASN1ObjectIdentifier type : extTypes) { extControl = controls.remove(type); boolean addMe = addMe(type, extControl, neededExtTypes, wantedExtTypes); if (addMe) { ExtensionValue value = null; if (requestedExtensions != null && extControl.isRequest()) { Extension reqExt = requestedExtensions.getExtension(type); if (reqExt != null) { value = new ExtensionValue(reqExt.isCritical(), reqExt.getParsedValue()); } } if (value == null) { value = subvalues.getExtensionValue(type); } addExtension(values, type, value, extControl, neededExtTypes, wantedExtTypes); } } Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>(); for (ASN1ObjectIdentifier type : controls.keySet()) { if (controls.get(type).isRequired()) { unprocessedExtTypes.add(type); } } if (CollectionUtil.isNonEmpty(unprocessedExtTypes)) { throw new CertprofileException("could not add required extensions " + toString(unprocessedExtTypes)); } if (CollectionUtil.isNonEmpty(neededExtTypes)) { throw new BadCertTemplateException("could not add requested extensions " + toString(neededExtTypes)); } return values; }
From source file:org.xipki.pki.ca.server.impl.PublicCaInfo.java
License:Open Source License
PublicCaInfo(final X509Certificate caCertificate, final List<String> caCertUris, final List<String> ocspUris, final List<String> crlUris, final List<String> deltaCrlUris) throws OperationException { ParamUtil.requireNonNull("caCertificate", caCertificate); this.caCertificate = new X509Cert(caCertificate); this.serialNumber = caCertificate.getSerialNumber(); this.subject = caCertificate.getSubjectX500Principal(); this.x500Subject = X500Name.getInstance(subject.getEncoded()); this.c14nSubject = X509Util.canonicalizName(x500Subject); try {//w ww . jav a2 s.com this.subjectKeyIdentifier = X509Util.extractSki(caCertificate); } catch (CertificateEncodingException ex) { throw new OperationException(ErrorCode.INVALID_EXTENSION, ex); } this.caCertUris = CollectionUtil.unmodifiableList(caCertUris); this.ocspUris = CollectionUtil.unmodifiableList(ocspUris); this.crlUris = CollectionUtil.unmodifiableList(crlUris); this.deltaCrlUris = CollectionUtil.unmodifiableList(deltaCrlUris); byte[] encodedSubjectAltName = caCertificate.getExtensionValue(Extension.subjectAlternativeName.getId()); if (encodedSubjectAltName == null) { subjectAltName = null; } else { try { subjectAltName = GeneralNames .getInstance(X509ExtensionUtil.fromExtensionValue(encodedSubjectAltName)); } catch (IOException ex) { throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid SubjectAltName extension in CA certificate"); } } }
From source file:org.xipki.pki.ca.server.impl.scep.Scep.java
License:Open Source License
private PkiMessage doServicePkiOperation(final CMSSignedData requestContent, final DecodedPkiMessage req, final String certProfileName, final String msgId, final AuditEvent event) throws MessageDecodingException, OperationException { ParamUtil.requireNonNull("requestContent", requestContent); ParamUtil.requireNonNull("req", req); String tid = req.getTransactionId().getId(); // verify and decrypt the request audit(event, CaAuditConstants.NAME_tid, tid); if (req.getFailureMessage() != null) { audit(event, CaAuditConstants.NAME_SCEP_failureMessage, req.getFailureMessage()); }//from w w w. jav a 2 s. com Boolean bo = req.isSignatureValid(); if (bo != null && !bo.booleanValue()) { audit(event, CaAuditConstants.NAME_SCEP_signature, "invalid"); } bo = req.isDecryptionSuccessful(); if (bo != null && !bo.booleanValue()) { audit(event, CaAuditConstants.NAME_SCEP_decryption, "failed"); } PkiMessage rep = new PkiMessage(req.getTransactionId(), MessageType.CertRep, Nonce.randomNonce()); rep.setRecipientNonce(req.getSenderNonce()); if (req.getFailureMessage() != null) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badRequest); } bo = req.isSignatureValid(); if (bo != null && !bo.booleanValue()) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badMessageCheck); } bo = req.isDecryptionSuccessful(); if (bo != null && !bo.booleanValue()) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badRequest); } Date signingTime = req.getSigningTime(); if (maxSigningTimeBiasInMs > 0) { boolean isTimeBad = false; if (signingTime == null) { isTimeBad = true; } else { long now = System.currentTimeMillis(); long diff = now - signingTime.getTime(); if (diff < 0) { diff = -1 * diff; } isTimeBad = diff > maxSigningTimeBiasInMs; } if (isTimeBad) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badTime); } } // end if // check the digest algorithm String oid = req.getDigestAlgorithm().getId(); ScepHashAlgoType hashAlgoType = ScepHashAlgoType.forNameOrOid(oid); if (hashAlgoType == null) { LOG.warn("tid={}: unknown digest algorithm {}", tid, oid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } else { boolean supported = false; if (hashAlgoType == ScepHashAlgoType.SHA1) { if (caCaps.containsCapability(CaCapability.SHA1)) { supported = true; } } else if (hashAlgoType == ScepHashAlgoType.SHA256) { if (caCaps.containsCapability(CaCapability.SHA256)) { supported = true; } } else if (hashAlgoType == ScepHashAlgoType.SHA512) { if (caCaps.containsCapability(CaCapability.SHA512)) { supported = true; } } if (!supported) { LOG.warn("tid={}: unsupported digest algorithm {}", tid, oid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } } // check the content encryption algorithm ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm(); if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) { if (!caCaps.containsCapability(CaCapability.DES3)) { LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", tid, encOid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } } else if (AES_ENC_ALGOS.contains(encOid)) { if (!caCaps.containsCapability(CaCapability.AES)) { LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } } else { LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } if (rep.getPkiStatus() == PkiStatus.FAILURE) { return rep; } X509Ca ca; try { ca = caManager.getX509Ca(caName); } catch (CaMgmtException ex) { LogUtil.error(LOG, ex, tid + "=" + tid + ",could not get X509CA"); throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex); } X500Name caX500Name = ca.getCaInfo().getCertificate().getSubjectAsX500Name(); try { SignedData signedData; MessageType mt = req.getMessageType(); audit(event, CaAuditConstants.NAME_SCEP_messageType, mt.toString()); switch (mt) { case PKCSReq: case RenewalReq: case UpdateReq: CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData()); X500Name reqSubject = csr.getCertificationRequestInfo().getSubject(); String reqSubjectText = X509Util.getRfc4519Name(reqSubject); LOG.info("tid={}, subject={}", tid, reqSubjectText); CmpControl cmpControl = caManager.getCmpControlObject(ca.getCaInfo().getCmpControlName()); if (!caManager.getSecurityFactory().verifyPopo(csr, cmpControl.getPopoAlgoValidator())) { LOG.warn("tid={}, POPO verification failed", tid); throw FailInfoException.BAD_MESSAGE_CHECK; } CertificationRequestInfo csrReqInfo = csr.getCertificationRequestInfo(); X509Certificate reqSignatureCert = req.getSignatureCert(); boolean selfSigned = reqSignatureCert.getSubjectX500Principal() .equals(reqSignatureCert.getIssuerX500Principal()); String cn = X509Util.getCommonName(csrReqInfo.getSubject()); if (cn == null) { throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "tid=" + tid + ": no CommonName in requested subject"); } String user = null; boolean authenticatedByPwd = false; String challengePwd = CaUtil.getChallengePassword(csrReqInfo); if (challengePwd != null) { String[] strs = challengePwd.split(":"); if (strs != null && strs.length == 2) { user = strs[0]; String password = strs[1]; authenticatedByPwd = ca.authenticateUser(user, password.getBytes()); if (!authenticatedByPwd) { LOG.warn("tid={}: could not verify the challengePassword", tid); throw FailInfoException.BAD_REQUEST; } } else { LOG.warn("tid={}: ignore challengePassword since it does not has the" + " format <user>:<password>", tid); } } // end if if (selfSigned) { if (MessageType.PKCSReq != mt) { LOG.warn("tid={}: self-signed certificate is not permitted for" + " messageType {}", tid, mt); throw FailInfoException.BAD_REQUEST; } if (user == null) { LOG.warn("tid={}: could not extract user & password from challengePassword" + ", which are required for self-signed signature certificate", tid); throw FailInfoException.BAD_REQUEST; } checkCommonName(ca, user, cn); } else { if (user == null) { // up to draft-nourse-scep-23 the client sends all messages to enroll // certificate via MessageType PKCSReq KnowCertResult knowCertRes = ca.knowsCertificate(reqSignatureCert); if (!knowCertRes.isKnown()) { LOG.warn("tid={}: signature certificate is not trusted by the CA", tid); throw FailInfoException.BAD_REQUEST; } user = knowCertRes.getUser(); } // end if // only the same subject is permitted String cnInSignatureCert = X509Util.getCommonName( X500Name.getInstance(reqSignatureCert.getSubjectX500Principal().getEncoded())); boolean b2 = cn.equals(cnInSignatureCert); if (!b2) { if (user != null) { checkCommonName(ca, user, cn); } else { LOG.warn("tid={}: signature certificate is not trusted and {}", tid, "no challengePassword is contained in the request"); throw FailInfoException.BAD_REQUEST; } } // end if } // end if byte[] tidBytes = getTransactionIdBytes(tid); Extensions extensions = CaUtil.getExtensions(csrReqInfo); CertTemplateData certTemplateData = new CertTemplateData(csrReqInfo.getSubject(), csrReqInfo.getSubjectPublicKeyInfo(), (Date) null, (Date) null, extensions, certProfileName); X509CertificateInfo cert = ca.generateCertificate(certTemplateData, true, null, user, RequestType.SCEP, tidBytes, msgId); /* Don't save SCEP message, since it contains password in plaintext if (ca.getCaInfo().isSaveRequest() && cert.getCert().getCertId() != null) { byte[] encodedRequest; try { encodedRequest = requestContent.getEncoded(); } catch (IOException ex) { LOG.warn("could not encode request"); encodedRequest = null; } if (encodedRequest != null) { long reqId = ca.addRequest(encodedRequest); ca.addRequestCert(reqId, cert.getCert().getCertId()); } }*/ signedData = buildSignedData(cert.getCert().getCert()); break; case CertPoll: IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData()); audit(event, CaAuditConstants.NAME_issuer, X509Util.getRfc4519Name(is.getIssuer())); audit(event, CaAuditConstants.NAME_subject, X509Util.getRfc4519Name(is.getSubject())); ensureIssuedByThisCa(caX500Name, is.getIssuer()); signedData = pollCert(ca, is.getSubject(), req.getTransactionId()); break; case GetCert: IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData()); BigInteger serial = isn.getSerialNumber().getPositiveValue(); audit(event, CaAuditConstants.NAME_issuer, X509Util.getRfc4519Name(isn.getName())); audit(event, CaAuditConstants.NAME_serial, LogUtil.formatCsn(serial)); ensureIssuedByThisCa(caX500Name, isn.getName()); signedData = getCert(ca, isn.getSerialNumber().getPositiveValue()); break; case GetCRL: isn = IssuerAndSerialNumber.getInstance(req.getMessageData()); serial = isn.getSerialNumber().getPositiveValue(); audit(event, CaAuditConstants.NAME_issuer, X509Util.getRfc4519Name(isn.getName())); audit(event, CaAuditConstants.NAME_serial, LogUtil.formatCsn(serial)); ensureIssuedByThisCa(caX500Name, isn.getName()); signedData = getCrl(ca, serial); break; default: LOG.error("unknown SCEP messageType '{}'", req.getMessageType()); throw FailInfoException.BAD_REQUEST; } // end switch ContentInfo ci = new ContentInfo(CMSObjectIdentifiers.signedData, signedData); rep.setMessageData(ci); rep.setPkiStatus(PkiStatus.SUCCESS); } catch (FailInfoException ex) { LogUtil.error(LOG, ex); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(ex.getFailInfo()); } return rep; }
From source file:org.xipki.pki.ca.server.impl.X509Ca.java
License:Open Source License
private X509CRL doGenerateCrl(final boolean deltaCrl, final Date thisUpdate, final Date nextUpdate, final AuditEvent event, final String msgId) throws OperationException { X509CrlSignerEntryWrapper crlSigner = getCrlSigner(); if (crlSigner == null) { throw new OperationException(ErrorCode.NOT_PERMITTED, "CRL generation is not allowed"); }/* ww w.j a va2 s. c om*/ String caName = caInfo.getName(); LOG.info(" START generateCrl: ca={}, deltaCRL={}, nextUpdate={}", caName, deltaCrl, nextUpdate); event.addEventData(CaAuditConstants.NAME_crlType, deltaCrl ? "DELTA_CRL" : "FULL_CRL"); if (nextUpdate == null) { event.addEventData(CaAuditConstants.NAME_nextUpdate, "null"); } else { event.addEventData(CaAuditConstants.NAME_nextUpdate, DateUtil.toUtcTimeyyyyMMddhhmmss(nextUpdate)); if (nextUpdate.getTime() - thisUpdate.getTime() < 10 * 60 * MS_PER_SECOND) { // less than 10 minutes throw new OperationException(ErrorCode.CRL_FAILURE, "nextUpdate and thisUpdate are too close"); } } CrlControl crlControl = crlSigner.getCrlControl(); boolean successful = false; try { ConcurrentContentSigner tmpCrlSigner = crlSigner.getSigner(); CrlControl control = crlSigner.getCrlControl(); boolean directCrl; X500Name crlIssuer; if (tmpCrlSigner == null) { directCrl = true; crlIssuer = caInfo.getPublicCaInfo().getX500Subject(); } else { directCrl = false; crlIssuer = X500Name .getInstance(tmpCrlSigner.getCertificate().getSubjectX500Principal().getEncoded()); } X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, thisUpdate); if (nextUpdate != null) { crlBuilder.setNextUpdate(nextUpdate); } final int numEntries = 100; X509Cert caCert = caInfo.getCertificate(); List<CertRevInfoWithSerial> revInfos; boolean isFirstCrlEntry = true; Date notExpireAt; if (control.isIncludeExpiredCerts()) { notExpireAt = new Date(0); } else { // 10 minutes buffer notExpireAt = new Date(thisUpdate.getTime() - 600L * MS_PER_SECOND); } long startId = 1; do { if (deltaCrl) { revInfos = certstore.getCertsForDeltaCrl(caCert, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts()); } else { revInfos = certstore.getRevokedCerts(caCert, notExpireAt, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts()); } long maxId = 1; for (CertRevInfoWithSerial revInfo : revInfos) { if (revInfo.getId() > maxId) { maxId = revInfo.getId(); } CrlReason reason = revInfo.getReason(); if (crlControl.isExcludeReason() && reason != CrlReason.REMOVE_FROM_CRL) { reason = CrlReason.UNSPECIFIED; } Date revocationTime = revInfo.getRevocationTime(); Date invalidityTime = revInfo.getInvalidityTime(); switch (crlControl.getInvalidityDateMode()) { case FORBIDDEN: invalidityTime = null; break; case OPTIONAL: break; case REQUIRED: if (invalidityTime == null) { invalidityTime = revocationTime; } break; default: throw new RuntimeException("unknown TripleState: " + crlControl.getInvalidityDateMode()); } BigInteger serial = revInfo.getSerial(); LOG.debug("added cert ca={} serial={} to CRL", caName, serial); if (directCrl || !isFirstCrlEntry) { if (invalidityTime != null) { crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode(), invalidityTime); } else { crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode()); } continue; } List<Extension> extensions = new ArrayList<>(3); if (reason != CrlReason.UNSPECIFIED) { Extension ext = createReasonExtension(reason.getCode()); extensions.add(ext); } if (invalidityTime != null) { Extension ext = createInvalidityDateExtension(invalidityTime); extensions.add(ext); } Extension ext = createCertificateIssuerExtension(caInfo.getPublicCaInfo().getX500Subject()); extensions.add(ext); crlBuilder.addCRLEntry(serial, revocationTime, new Extensions(extensions.toArray(new Extension[0]))); isFirstCrlEntry = false; } // end for startId = maxId + 1; } while (revInfos.size() >= numEntries); // end do BigInteger crlNumber = caInfo.nextCrlNumber(); event.addEventData(CaAuditConstants.NAME_crlNumber, crlNumber); boolean onlyUserCerts = crlControl.isOnlyContainsUserCerts(); boolean onlyCaCerts = crlControl.isOnlyContainsCaCerts(); if (onlyUserCerts && onlyCaCerts) { throw new RuntimeException("should not reach here, onlyUserCerts and onlyCACerts are both true"); } try { // AuthorityKeyIdentifier byte[] akiValues = directCrl ? caInfo.getPublicCaInfo().getSubjectKeyIdentifer() : crlSigner.getSubjectKeyIdentifier(); AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(akiValues); crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, aki); // add extension CRL Number crlBuilder.addExtension(Extension.cRLNumber, false, new ASN1Integer(crlNumber)); // IssuingDistributionPoint if (onlyUserCerts || onlyCaCerts || !directCrl) { IssuingDistributionPoint idp = new IssuingDistributionPoint((DistributionPointName) null, // distributionPoint, onlyUserCerts, // onlyContainsUserCerts, onlyCaCerts, // onlyContainsCACerts, (ReasonFlags) null, // onlySomeReasons, !directCrl, // indirectCRL, false); // onlyContainsAttributeCerts crlBuilder.addExtension(Extension.issuingDistributionPoint, true, idp); } // freshestCRL List<String> deltaCrlUris = getCaInfo().getPublicCaInfo().getDeltaCrlUris(); if (control.getDeltaCrlIntervals() > 0 && CollectionUtil.isNonEmpty(deltaCrlUris)) { CRLDistPoint cdp = CaUtil.createCrlDistributionPoints(deltaCrlUris, caInfo.getPublicCaInfo().getX500Subject(), crlIssuer); crlBuilder.addExtension(Extension.freshestCRL, false, cdp); } } catch (CertIOException ex) { LogUtil.error(LOG, ex, "crlBuilder.addExtension"); throw new OperationException(ErrorCode.INVALID_EXTENSION, ex); } addXipkiCertset(crlBuilder, deltaCrl, control, caCert, notExpireAt, onlyCaCerts, onlyUserCerts); ConcurrentContentSigner concurrentSigner = (tmpCrlSigner == null) ? caInfo.getSigner(null) : tmpCrlSigner; X509CRLHolder crlHolder; try { crlHolder = concurrentSigner.build(crlBuilder); } catch (NoIdleSignerException ex) { throw new OperationException(ErrorCode.SYSTEM_FAILURE, "NoIdleSignerException: " + ex.getMessage()); } try { X509CRL crl = X509Util.toX509Crl(crlHolder.toASN1Structure()); caInfo.getCaEntry().setNextCrlNumber(crlNumber.longValue() + 1); caInfo.commitNextCrlNo(); publishCrl(crl); successful = true; LOG.info("SUCCESSFUL generateCrl: ca={}, crlNumber={}, thisUpdate={}", caName, crlNumber, crl.getThisUpdate()); if (!deltaCrl) { // clean up the CRL cleanupCrlsWithoutException(msgId); } return crl; } catch (CRLException | CertificateException ex) { throw new OperationException(ErrorCode.CRL_FAILURE, ex); } } finally { if (!successful) { LOG.info(" FAILED generateCrl: ca={}", caName); } } }
From source file:org.xipki.pki.ocsp.client.shell.BaseOcspStatusCommandSupport.java
License:Open Source License
@Override protected final Object doExecute() throws Exception { if (StringUtil.isBlank(serialNumberList) && isEmpty(certFiles)) { throw new IllegalCmdParamException("Neither serialNumbers nor certFiles is set"); }/*from w w w. j ava 2 s . c o m*/ X509Certificate issuerCert = X509Util.parseCert(issuerCertFile); Map<BigInteger, byte[]> encodedCerts = null; List<BigInteger> sns = new LinkedList<>(); if (isNotEmpty(certFiles)) { encodedCerts = new HashMap<>(certFiles.size()); String ocspUrl = null; X500Name issuerX500Name = null; if (isAttrCert) { issuerX500Name = X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded()); } for (String certFile : certFiles) { BigInteger sn; List<String> ocspUrls; if (isAttrCert) { X509AttributeCertificateHolder cert = new X509AttributeCertificateHolder(IoUtil.read(certFile)); // no signature validation AttributeCertificateIssuer reqIssuer = cert.getIssuer(); if (reqIssuer != null && issuerX500Name != null) { X500Name reqIssuerName = reqIssuer.getNames()[0]; if (!issuerX500Name.equals(reqIssuerName)) { throw new IllegalCmdParamException( "certificate " + certFile + " is not issued by the given issuer"); } } ocspUrls = extractOcspUrls(cert); sn = cert.getSerialNumber(); } else { X509Certificate cert = X509Util.parseCert(certFile); if (!X509Util.issues(issuerCert, cert)) { throw new IllegalCmdParamException( "certificate " + certFile + " is not issued by the given issuer"); } ocspUrls = extractOcspUrls(cert); sn = cert.getSerialNumber(); } if (isBlank(serverUrl)) { if (CollectionUtil.isEmpty(ocspUrls)) { throw new IllegalCmdParamException("could not extract OCSP responder URL"); } else { String url = ocspUrls.get(0); if (ocspUrl != null && !ocspUrl.equals(url)) { throw new IllegalCmdParamException( "given certificates have different" + " OCSP responder URL in certificate"); } else { ocspUrl = url; } } } // end if sns.add(sn); byte[] encodedCert = IoUtil.read(certFile); encodedCerts.put(sn, encodedCert); } // end for if (isBlank(serverUrl)) { serverUrl = ocspUrl; } } else { StringTokenizer st = new StringTokenizer(serialNumberList, ", "); while (st.hasMoreTokens()) { String token = st.nextToken(); StringTokenizer st2 = new StringTokenizer(token, "-"); BigInteger from = toBigInt(st2.nextToken(), hex); BigInteger to = st2.hasMoreTokens() ? toBigInt(st2.nextToken(), hex) : null; if (to == null) { sns.add(from); } else { BigIntegerRange range = new BigIntegerRange(from, to); if (range.getDiff().compareTo(BigInteger.valueOf(10)) > 0) { throw new IllegalCmdParamException("to many serial numbers"); } BigInteger sn = range.getFrom(); while (range.isInRange(sn)) { sns.add(sn); sn = sn.add(BigInteger.ONE); } } } } if (isBlank(serverUrl)) { throw new IllegalCmdParamException("could not get URL for the OCSP responder"); } X509Certificate respIssuer = null; if (respIssuerFile != null) { respIssuer = X509Util.parseCert(IoUtil.expandFilepath(respIssuerFile)); } URL serverUrlObj = new URL(serverUrl); RequestOptions options = getRequestOptions(); checkParameters(respIssuer, sns, encodedCerts); boolean saveReq = isNotBlank(reqout); boolean saveResp = isNotBlank(respout); RequestResponseDebug debug = null; if (saveReq || saveResp) { debug = new RequestResponseDebug(); } IssuerHash issuerHash = new IssuerHash(HashAlgoType.getNonNullHashAlgoType(options.getHashAlgorithmId()), Certificate.getInstance(issuerCert.getEncoded())); OCSPResp response; try { response = requestor.ask(issuerCert, sns.toArray(new BigInteger[0]), serverUrlObj, options, debug); } finally { if (debug != null && debug.size() > 0) { RequestResponsePair reqResp = debug.get(0); if (saveReq) { byte[] bytes = reqResp.getRequest(); if (bytes != null) { IoUtil.save(reqout, bytes); } } if (saveResp) { byte[] bytes = reqResp.getResponse(); if (bytes != null) { IoUtil.save(respout, bytes); } } } // end if } // end finally return processResponse(response, respIssuer, issuerHash, sns, encodedCerts); }
From source file:org.xipki.pki.ocsp.server.impl.store.crl.CrlCertStatusStore.java
License:Open Source License
private synchronized void initializeStore(final boolean force) { Boolean updateCrlSuccessful = null; try {//w ww . ja v a 2 s . c o m File fullCrlFile = new File(crlFilename); if (!fullCrlFile.exists()) { // file does not exist LOG.warn("CRL File {} does not exist", crlFilename); return; } long newLastModifed = fullCrlFile.lastModified(); long newLastModifedOfDeltaCrl; boolean deltaCrlExists; File deltaCrlFile = null; if (deltaCrlFilename != null) { deltaCrlFile = new File(deltaCrlFilename); deltaCrlExists = deltaCrlFile.exists(); newLastModifedOfDeltaCrl = deltaCrlExists ? deltaCrlFile.lastModified() : 0; } else { deltaCrlExists = false; newLastModifedOfDeltaCrl = 0; } if (!force) { long now = System.currentTimeMillis(); if (newLastModifed != lastmodifiedOfCrlFile && now - newLastModifed < 5000) { return; // still in copy process } if (deltaCrlExists) { if (newLastModifedOfDeltaCrl != lastModifiedOfDeltaCrlFile && now - newLastModifed < 5000) { return; // still in copy process } } } // end if (force) byte[] newFp = sha1Fp(fullCrlFile); boolean crlFileChanged = !Arrays.equals(newFp, fpOfCrlFile); byte[] newFpOfDeltaCrl = deltaCrlExists ? sha1Fp(deltaCrlFile) : null; boolean deltaCrlFileChanged = !Arrays.equals(newFpOfDeltaCrl, fpOfDeltaCrlFile); if (!crlFileChanged && !deltaCrlFileChanged) { return; } if (crlFileChanged) { LOG.info("CRL file {} has changed, update of the CertStore required", crlFilename); } if (deltaCrlFileChanged) { LOG.info("DeltaCRL file {} has changed, update of the CertStore required", deltaCrlFilename); } auditPciEvent(AuditLevel.INFO, "UPDATE_CERTSTORE", "a newer CRL is available"); updateCrlSuccessful = false; X509CRL crl = X509Util.parseCrl(crlFilename); byte[] octetString = crl.getExtensionValue(Extension.cRLNumber.getId()); if (octetString == null) { throw new OcspStoreException("CRL without CRLNumber is not supported"); } BigInteger newCrlNumber = ASN1Integer.getInstance(DEROctetString.getInstance(octetString).getOctets()) .getPositiveValue(); if (crlNumber != null && newCrlNumber.compareTo(crlNumber) <= 0) { throw new OcspStoreException( String.format("CRLNumber of new CRL (%s) <= current CRL (%s)", newCrlNumber, crlNumber)); } X500Principal issuer = crl.getIssuerX500Principal(); boolean caAsCrlIssuer = true; if (!caCert.getSubjectX500Principal().equals(issuer)) { caAsCrlIssuer = false; if (issuerCert == null) { throw new IllegalArgumentException("issuerCert must not be null"); } if (!issuerCert.getSubjectX500Principal().equals(issuer)) { throw new IllegalArgumentException("issuerCert and CRL do not match"); } } X509Certificate crlSignerCert = caAsCrlIssuer ? caCert : issuerCert; try { crl.verify(crlSignerCert.getPublicKey()); } catch (Exception ex) { throw new OcspStoreException(ex.getMessage(), ex); } X509CRL deltaCrl = null; BigInteger deltaCrlNumber = null; BigInteger baseCrlNumber = null; if (deltaCrlExists) { if (newCrlNumber == null) { throw new OcspStoreException("baseCRL does not contains CRLNumber"); } deltaCrl = X509Util.parseCrl(deltaCrlFilename); octetString = deltaCrl.getExtensionValue(Extension.deltaCRLIndicator.getId()); if (octetString == null) { deltaCrl = null; LOG.warn("{} is a full CRL instead of delta CRL, ignore it", deltaCrlFilename); } else { byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); if (!baseCrlNumber.equals(newCrlNumber)) { deltaCrl = null; LOG.info("{} is not a deltaCRL for the CRL {}, ignore it", deltaCrlFilename, crlFilename); } else { octetString = deltaCrl.getExtensionValue(Extension.cRLNumber.getId()); extnValue = DEROctetString.getInstance(octetString).getOctets(); deltaCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } } // end if(octetString == null) } // end if(deltaCrlExists) Date newThisUpdate; Date newNextUpdate; if (deltaCrl != null) { LOG.info("try to update CRL with CRLNumber={} and DeltaCRL with CRLNumber={}", newCrlNumber, deltaCrlNumber); newThisUpdate = deltaCrl.getThisUpdate(); newNextUpdate = deltaCrl.getNextUpdate(); } else { newThisUpdate = crl.getThisUpdate(); newNextUpdate = crl.getNextUpdate(); } // Construct CrlID ASN1EncodableVector vec = new ASN1EncodableVector(); if (StringUtil.isNotBlank(crlUrl)) { vec.add(new DERTaggedObject(true, 0, new DERIA5String(crlUrl, true))); } byte[] extValue = ((deltaCrl != null) ? deltaCrl : crl).getExtensionValue(Extension.cRLNumber.getId()); if (extValue != null) { ASN1Integer asn1CrlNumber = ASN1Integer.getInstance(extractCoreValue(extValue)); vec.add(new DERTaggedObject(true, 1, asn1CrlNumber)); } vec.add(new DERTaggedObject(true, 2, new DERGeneralizedTime(newThisUpdate))); this.crlId = CrlID.getInstance(new DERSequence(vec)); byte[] encodedCaCert; try { encodedCaCert = caCert.getEncoded(); } catch (CertificateEncodingException ex) { throw new OcspStoreException(ex.getMessage(), ex); } Certificate bcCaCert = Certificate.getInstance(encodedCaCert); byte[] encodedName; try { encodedName = bcCaCert.getSubject().getEncoded("DER"); } catch (IOException ex) { throw new OcspStoreException(ex.getMessage(), ex); } byte[] encodedKey = bcCaCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); Map<HashAlgoType, IssuerHashNameAndKey> newIssuerHashMap = new ConcurrentHashMap<>(); for (HashAlgoType hashAlgo : HashAlgoType.values()) { byte[] issuerNameHash = hashAlgo.hash(encodedName); byte[] issuerKeyHash = hashAlgo.hash(encodedKey); IssuerHashNameAndKey issuerHash = new IssuerHashNameAndKey(hashAlgo, issuerNameHash, issuerKeyHash); newIssuerHashMap.put(hashAlgo, issuerHash); } X500Name caName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); // extract the certificate, only in full CRL, not in delta CRL String oidExtnCerts = ObjectIdentifiers.id_xipki_ext_crlCertset.getId(); byte[] extnValue = crl.getExtensionValue(oidExtnCerts); boolean certsConsidered = false; Map<BigInteger, CertWithInfo> certsMap; if (extnValue != null) { extnValue = extractCoreValue(extnValue); certsConsidered = true; certsMap = extractCertsFromExtCrlCertSet(extnValue, caName); } else { certsMap = new HashMap<>(); } if (certsDirname != null) { if (extnValue != null) { LOG.warn("ignore certsDir '{}', since certificates are included in {}", certsDirname, " CRL Extension certs"); } else { certsConsidered = true; readCertWithInfosFromDir(caCert, certsDirname, certsMap); } } Map<BigInteger, CrlCertStatusInfo> newCertStatusInfoMap = new ConcurrentHashMap<>(); // First consider only full CRL Set<? extends X509CRLEntry> revokedCertListInFullCrl = crl.getRevokedCertificates(); if (revokedCertListInFullCrl != null) { for (X509CRLEntry revokedCert : revokedCertListInFullCrl) { X500Principal rcIssuer = revokedCert.getCertificateIssuer(); if (rcIssuer != null && !caCert.getSubjectX500Principal().equals(rcIssuer)) { throw new OcspStoreException("invalid CRLEntry"); } } } Set<? extends X509CRLEntry> revokedCertListInDeltaCrl = (deltaCrl == null) ? null : deltaCrl.getRevokedCertificates(); if (revokedCertListInDeltaCrl != null) { for (X509CRLEntry revokedCert : revokedCertListInDeltaCrl) { X500Principal rcIssuer = revokedCert.getCertificateIssuer(); if (rcIssuer != null && !caCert.getSubjectX500Principal().equals(rcIssuer)) { throw new OcspStoreException("invalid CRLEntry"); } } } Map<BigInteger, X509CRLEntry> revokedCertMap = null; // merge the revoked list if (revokedCertListInDeltaCrl != null && !revokedCertListInDeltaCrl.isEmpty()) { revokedCertMap = new HashMap<BigInteger, X509CRLEntry>(); if (revokedCertListInFullCrl != null) { for (X509CRLEntry entry : revokedCertListInFullCrl) { revokedCertMap.put(entry.getSerialNumber(), entry); } } for (X509CRLEntry entry : revokedCertListInDeltaCrl) { BigInteger serialNumber = entry.getSerialNumber(); CRLReason reason = entry.getRevocationReason(); if (reason == CRLReason.REMOVE_FROM_CRL) { revokedCertMap.remove(serialNumber); } else { revokedCertMap.put(serialNumber, entry); } } } Iterator<? extends X509CRLEntry> it = null; if (revokedCertMap != null) { it = revokedCertMap.values().iterator(); } else if (revokedCertListInFullCrl != null) { it = revokedCertListInFullCrl.iterator(); } while (it != null && it.hasNext()) { X509CRLEntry revokedCert = it.next(); BigInteger serialNumber = revokedCert.getSerialNumber(); byte[] encodedExtnValue = revokedCert.getExtensionValue(Extension.reasonCode.getId()); int reasonCode; if (encodedExtnValue != null) { ASN1Enumerated enumerated = ASN1Enumerated.getInstance(extractCoreValue(encodedExtnValue)); reasonCode = enumerated.getValue().intValue(); } else { reasonCode = CrlReason.UNSPECIFIED.getCode(); } Date revTime = revokedCert.getRevocationDate(); Date invalidityTime = null; extnValue = revokedCert.getExtensionValue(Extension.invalidityDate.getId()); if (extnValue != null) { extnValue = extractCoreValue(extnValue); ASN1GeneralizedTime genTime = DERGeneralizedTime.getInstance(extnValue); try { invalidityTime = genTime.getDate(); } catch (ParseException ex) { throw new OcspStoreException(ex.getMessage(), ex); } if (revTime.equals(invalidityTime)) { invalidityTime = null; } } CertWithInfo cert = null; if (certsConsidered) { cert = certsMap.remove(serialNumber); if (cert == null && LOG.isInfoEnabled()) { LOG.info("could not find certificate (serialNumber='{}')", LogUtil.formatCsn(serialNumber)); } } Certificate bcCert = (cert == null) ? null : cert.getCert(); Map<HashAlgoType, byte[]> certHashes = (bcCert == null) ? null : getCertHashes(bcCert); Date notBefore = (bcCert == null) ? null : bcCert.getTBSCertificate().getStartDate().getDate(); Date notAfter = (bcCert == null) ? null : bcCert.getTBSCertificate().getEndDate().getDate(); CertRevocationInfo revocationInfo = new CertRevocationInfo(reasonCode, revTime, invalidityTime); String profileName = (cert == null) ? null : cert.getProfileName(); CrlCertStatusInfo crlCertStatusInfo = CrlCertStatusInfo.getRevokedCertStatusInfo(revocationInfo, profileName, certHashes, notBefore, notAfter); newCertStatusInfoMap.put(serialNumber, crlCertStatusInfo); } // end while for (BigInteger serialNumber : certsMap.keySet()) { CertWithInfo cert = certsMap.get(serialNumber); Certificate bcCert = cert.getCert(); Map<HashAlgoType, byte[]> certHashes = (bcCert == null) ? null : getCertHashes(bcCert); Date notBefore = (bcCert == null) ? null : bcCert.getTBSCertificate().getStartDate().getDate(); Date notAfter = (bcCert == null) ? null : bcCert.getTBSCertificate().getEndDate().getDate(); CrlCertStatusInfo crlCertStatusInfo = CrlCertStatusInfo.getGoodCertStatusInfo(cert.getProfileName(), certHashes, notBefore, notAfter); newCertStatusInfoMap.put(cert.getSerialNumber(), crlCertStatusInfo); } this.initialized = false; this.lastmodifiedOfCrlFile = newLastModifed; this.fpOfCrlFile = newFp; this.lastModifiedOfDeltaCrlFile = newLastModifedOfDeltaCrl; this.fpOfDeltaCrlFile = newFpOfDeltaCrl; this.issuerHashMap.clear(); this.issuerHashMap.putAll(newIssuerHashMap); this.certStatusInfoMap.clear(); this.certStatusInfoMap.putAll(newCertStatusInfoMap); this.thisUpdate = newThisUpdate; this.nextUpdate = newNextUpdate; this.crlNumber = newCrlNumber; this.initializationFailed = false; this.initialized = true; updateCrlSuccessful = true; LOG.info("updated CertStore {}", name); } catch (Exception ex) { LogUtil.error(LOG, ex, "could not execute initializeStore()"); initializationFailed = true; initialized = true; } finally { if (updateCrlSuccessful != null) { AuditLevel auditLevel = updateCrlSuccessful ? AuditLevel.INFO : AuditLevel.ERROR; AuditStatus auditStatus = updateCrlSuccessful ? AuditStatus.SUCCESSFUL : AuditStatus.FAILED; auditPciEvent(auditLevel, "UPDATE_CRL", auditStatus.name()); } } }
From source file:org.xipki.pki.ocsp.server.impl.store.crl.CrlCertStatusStore.java
License:Open Source License
private void readCertWithInfosFromDir(final X509Certificate caCert, final String certsDirname, final Map<BigInteger, CertWithInfo> certsMap) throws CertificateEncodingException { File certsDir = new File(certsDirname); if (!certsDir.exists()) { LOG.warn("the folder " + certsDirname + " does not exist, ignore it"); return;//from w ww. j av a 2 s .c o m } if (!certsDir.isDirectory()) { LOG.warn("the path " + certsDirname + " does not point to a folder, ignore it"); return; } if (!certsDir.canRead()) { LOG.warn("the folder " + certsDirname + " must not be read, ignore it"); return; } File[] certFiles = certsDir.listFiles(new FilenameFilter() { @Override public boolean accept(final File dir, final String name) { return name.endsWith(".der") || name.endsWith(".crt"); } }); if (certFiles == null || certFiles.length == 0) { return; } X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); byte[] issuerSki = X509Util.extractSki(caCert); final String profileName = "UNKNOWN"; final boolean needsCert = !certHashAlgos.isEmpty(); for (File certFile : certFiles) { Certificate bcCert; try { byte[] encoded = IoUtil.read(certFile); bcCert = Certificate.getInstance(encoded); } catch (IllegalArgumentException | IOException ex) { LOG.warn("could not parse certificate {}, ignore it", certFile.getPath()); continue; } BigInteger serialNumber = bcCert.getSerialNumber().getValue(); if (certsMap.containsKey(serialNumber)) { continue; } // not issued by the given issuer if (!issuer.equals(bcCert.getIssuer())) { continue; } if (issuerSki != null) { byte[] aki = null; try { aki = X509Util.extractAki(bcCert); } catch (CertificateEncodingException ex) { LogUtil.error(LOG, ex, "could not extract AuthorityKeyIdentifier"); } if (aki == null || !Arrays.equals(issuerSki, aki)) { continue; } } // end if CertWithInfo entry = new CertWithInfo(serialNumber); entry.setProfileName(profileName); if (needsCert) { entry.setCert(bcCert); } certsMap.put(serialNumber, entry); } // end for }
From source file:org.xipki.pki.scep.client.shell.CertPollCmd.java
License:Open Source License
@Override protected Object doExecute() throws Exception { CertificationRequest csr = CertificationRequest.getInstance(IoUtil.read(csrFile)); ScepClient client = getScepClient(); X509Certificate caCert = client.getAuthorityCertStore().getCaCert(); X500Name caSubject = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); EnrolmentResponse resp = client.scepCertPoll(getIdentityKey(), getIdentityCert(), csr, caSubject); if (resp.isFailure()) { throw new CmdFailure("server returned 'failure'"); }/*from w w w . jav a 2s .c o m*/ if (resp.isPending()) { throw new CmdFailure("server returned 'pending'"); } List<X509Certificate> certs = resp.getCertificates(); if (certs == null || certs.isEmpty()) { throw new CmdFailure("received no certficate from server"); } saveVerbose("saved certificate to file", new File(outputFile), certs.get(0).getEncoded()); return null; }
From source file:org.xipki.pki.scep.client.shell.GetCertCmd.java
License:Open Source License
@Override protected Object doExecute() throws Exception { ScepClient client = getScepClient(); BigInteger serial = toBigInt(serialNumber); X509Certificate caCert = client.getAuthorityCertStore().getCaCert(); X500Name caSubject = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); List<X509Certificate> certs = client.scepGetCert(getIdentityKey(), getIdentityCert(), caSubject, serial); if (certs == null || certs.isEmpty()) { throw new CmdFailure("received no certficate from server"); }//from w ww . jav a 2s. c om saveVerbose("saved certificate to file", new File(outputFile), certs.get(0).getEncoded()); return null; }