List of usage examples for org.bouncycastle.asn1.x509 Certificate getInstance
public static Certificate getInstance(Object obj)
From source file:org.xipki.pki.ca.dbtool.diffdb.io.EjbcaCaInfo.java
License:Open Source License
/**
 * Describes one EJBCA CA: its numeric id, the lower-case hex SHA-1 of its
 * DER-encoded certificate, the certificate subject and the export directory name.
 *
 * @param caId numeric id of the CA
 * @param certBytes DER-encoded CA certificate; must not be null
 * @param caDirname directory name used for this CA; must not be null
 */
public EjbcaCaInfo(final int caId, final byte[] certBytes, final String caDirname) {
    ParamUtil.requireNonNull("certBytes", certBytes);
    this.caId = caId;
    // Fingerprint of the raw encoding, normalised to lower case.
    final String fingerprint = HashAlgoType.SHA1.hexHash(certBytes);
    this.hexSha1 = fingerprint.toLowerCase();
    // Certificate.getInstance() throws IllegalArgumentException on malformed input.
    final Certificate parsedCert = Certificate.getInstance(certBytes);
    this.subject = parsedCert.getSubject();
    this.caDirname = ParamUtil.requireNonNull("caDirname", caDirname);
}
From source file:org.xipki.pki.ca.dbtool.diffdb.XipkiDigestExporter.java
License:Open Source License
/**
 * Reads every CA certificate from the database, writes each one to its own
 * directory below {@code baseDir} as {@code ca.der}, and maps the CA id to the
 * directory name.
 *
 * @return mapping from CA database id to the created directory name
 * @throws DataAccessException if the query fails (translated from SQLException)
 * @throws IOException if a certificate file cannot be written
 */
private Map<Integer, String> getCaIds() throws DataAccessException, IOException {
    final Map<Integer, String> dirNamesByCaId = new HashMap<>();
    final String sql = dbControl.getCaSql();
    Statement statement = null;
    ResultSet rows = null;
    try {
        statement = createStatement();
        rows = statement.executeQuery(sql);
        while (rows.next()) {
            final byte[] rawCert = Base64.decode(rows.getString("CERT"));
            final Certificate parsedCert = Certificate.getInstance(rawCert);
            final String cn = X509Util.getCommonName(parsedCert.getSubject());
            // The CN comes from the database; toAsciiFilename() is relied on to
            // turn it into a safe single path component before it is used below.
            final String dirBaseName = toAsciiFilename("ca-" + cn);
            File targetDir = new File(baseDir, dirBaseName);
            // Avoid clobbering an existing directory: append ".2", ".3", ... until free.
            for (int suffix = 2; targetDir.exists(); suffix++) {
                targetDir = new File(baseDir, dirBaseName + "." + suffix);
            }
            final File certFile = new File(targetDir, "ca.der");
            targetDir.mkdirs();
            IoUtil.save(certFile, rawCert);
            final int caId = rows.getInt("ID");
            dirNamesByCaId.put(caId, targetDir.getName());
        }
    } catch (SQLException ex) {
        throw translate(sql, ex);
    } finally {
        releaseResources(statement, rows);
    }
    return dirNamesByCaId;
}
From source file:org.xipki.pki.ca.dbtool.port.CaCertStoreDbImporter.java
License:Open Source License
/**
 * Inserts every CA of the export into table {@code CS_CA}: id, (possibly
 * truncated) subject, Base64 SHA-1 of the certificate and the Base64 certificate.
 *
 * @param cas the exported CA list
 * @throws DataAccessException if an insert fails (translated from SQLException)
 * @throws CertificateException declared for callers; not thrown by this body itself
 * @throws IOException if the certificate bytes cannot be read
 */
private void importCa(final Cas cas) throws DataAccessException, CertificateException, IOException {
    final String sql = "INSERT INTO CS_CA (ID,SUBJECT,SHA1_CERT,CERT) VALUES (?,?,?,?)";
    System.out.println("importing table CS_CA");
    final PreparedStatement ps = prepareStatement(sql);
    try {
        for (CertstoreCaType caEntry : cas.getCa()) {
            try {
                final byte[] rawCert = getBinary(caEntry.getCert());
                final Certificate parsedCert = Certificate.getInstance(rawCert);
                final String sha1Base64 = HashAlgoType.SHA1.base64Hash(rawCert);
                // Column order follows the INSERT statement above.
                ps.setInt(1, (int) caEntry.getId());
                ps.setString(2, X509Util.cutX500Name(parsedCert.getSubject(), maxX500nameLen));
                ps.setString(3, sha1Base64);
                ps.setString(4, Base64.toBase64String(rawCert));
                ps.execute();
            } catch (SQLException ex) {
                System.err.println(
                        "could not import CS_CA with ID=" + caEntry.getId() + ", message: " + ex.getMessage());
                throw translate(sql, ex);
            } catch (IllegalArgumentException | IOException ex) {
                // IllegalArgumentException: malformed certificate; IOException: unreadable bytes.
                System.err.println(
                        "could not import CS_CA with ID=" + caEntry.getId() + ", message: " + ex.getMessage());
                throw ex;
            }
        }
    } finally {
        releaseResources(ps, null);
    }
    System.out.println(" imported table CS_CA");
}
From source file:org.xipki.pki.ca.dbtool.port.CaCertStoreDbImporter.java
License:Open Source License
/**
 * Imports the entries of one type (CERT, CRL, USER, REQUEST or REQCERT) from a
 * ZIP archive into the CA database, committing in batches and recording progress.
 *
 * @param type the entry type being imported; selects the branch below
 * @param entriesZipFile path of the ZIP archive holding {@code overview.xml} plus raw files
 * @param minId entries with an id below this value are skipped (resume support)
 * @param processLogFile file that receives the progress line after each commit
 * @param processLog progress counter that is updated after each commit
 * @param numProcessedInLastProcess number of entries already processed by an earlier run
 * @param statements prepared statements, in the order of {@code sqls}
 * @param sqls SQL texts matching {@code statements}, used only for error translation
 * @return id of the last entry whose batch was committed (0 if none)
 * @throws InterruptedException if {@code stopMe} is set
 * @throws CertificateException if a certificate file cannot be parsed
 * @throws CRLException if a CRL file cannot be parsed
 * @throws Exception any other failure, after rollback and cleanup
 */
private long doImportEntries(final CaDbEntryType type, final String entriesZipFile,
        final long minId, final File processLogFile, final ProcessLog processLog,
        final int numProcessedInLastProcess, final PreparedStatement[] statements,
        final String[] sqls) throws Exception {
    // Batch size scaled per entry type; never below 1.
    final int numEntriesPerCommit = Math.max(1,
            Math.round(type.getSqlBatchFactor() * numCertsPerCommit));
    ZipFile zipFile = new ZipFile(new File(entriesZipFile));
    ZipEntry entriesXmlEntry = zipFile.getEntry("overview.xml");
    DbiXmlReader entries;
    try {
        entries = createReader(type, zipFile.getInputStream(entriesXmlEntry));
    } catch (Exception ex) {
        // The ZIP is only closed here on failure; on success it is closed in the finally below.
        try {
            zipFile.close();
        } catch (Exception e2) {
            LOG.error("could not close ZIP file {}: {}", entriesZipFile, e2.getMessage());
            LOG.debug("could not close ZIP file " + entriesZipFile, e2);
        }
        throw ex;
    }
    disableAutoCommit();
    try {
        int numEntriesInBatch = 0;
        long lastSuccessfulEntryId = 0;
        while (entries.hasNext()) {
            if (stopMe.get()) {
                throw new InterruptedException("interrupted by the user");
            }
            IdentifidDbObjectType entry = (IdentifidDbObjectType) entries.next();
            long id = entry.getId();
            if (id < minId) {
                continue;
            }
            numEntriesInBatch++;
            if (CaDbEntryType.CERT == type) {
                CaCertType cert = (CaCertType) entry;
                int certArt = (cert.getArt() == null) ? 1 : cert.getArt();
                String filename = cert.getFile();
                // NOTE(review): getEntry() returns null for a missing entry, which would
                // surface as a NullPointerException from getInputStream() — confirm this
                // is acceptable or add an explicit check.
                ZipEntry certZipEnty = zipFile.getEntry(filename);
                byte[] encodedCert = IoUtil.read(zipFile.getInputStream(certZipEnty));
                TBSCertificate tbsCert;
                try {
                    Certificate cc = Certificate.getInstance(encodedCert);
                    tbsCert = cc.getTBSCertificate();
                } catch (RuntimeException ex) {
                    LOG.error("could not parse certificate in file {}", filename);
                    LOG.debug("could not parse certificate in file " + filename, ex);
                    throw new CertificateException(ex.getMessage(), ex);
                }
                byte[] encodedKey = tbsCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes();
                String b64Sha1FpCert = HashAlgoType.SHA1.base64Hash(encodedCert);
                String subjectText = X509Util.cutX500Name(tbsCert.getSubject(), maxX500nameLen);
                PreparedStatement psCert = statements[0];
                PreparedStatement psRawcert = statements[1];
                // CERT row
                try {
                    int idx = 1;
                    psCert.setLong(idx++, id);
                    psCert.setInt(idx++, certArt);
                    psCert.setLong(idx++, cert.getUpdate());
                    psCert.setString(idx++, tbsCert.getSerialNumber().getPositiveValue().toString(16));
                    psCert.setString(idx++, subjectText);
                    long fpSubject = X509Util.fpCanonicalizedName(tbsCert.getSubject());
                    psCert.setLong(idx++, fpSubject);
                    if (cert.getFpRs() != null) {
                        psCert.setLong(idx++, cert.getFpRs());
                    } else {
                        psCert.setNull(idx++, Types.BIGINT);
                    }
                    // Dates are stored as epoch seconds.
                    psCert.setLong(idx++, tbsCert.getStartDate().getDate().getTime() / 1000);
                    psCert.setLong(idx++, tbsCert.getEndDate().getDate().getTime() / 1000);
                    setBoolean(psCert, idx++, cert.getRev());
                    setInt(psCert, idx++, cert.getRr());
                    setLong(psCert, idx++, cert.getRt());
                    setLong(psCert, idx++, cert.getRit());
                    setInt(psCert, idx++, cert.getPid());
                    setInt(psCert, idx++, cert.getCaId());
                    setInt(psCert, idx++, cert.getRid());
                    psCert.setString(idx++, cert.getUser());
                    psCert.setLong(idx++, FpIdCalculator.hash(encodedKey));
                    // NOTE(review): getExtensions() is null for a certificate without an
                    // extensions field (e.g. v1); this would throw NullPointerException — confirm
                    // such certificates cannot occur in the export.
                    Extension extension = tbsCert.getExtensions().getExtension(Extension.basicConstraints);
                    // End-entity unless basicConstraints says cA=TRUE.
                    boolean ee = true;
                    if (extension != null) {
                        ASN1Encodable asn1 = extension.getParsedValue();
                        ee = !BasicConstraints.getInstance(asn1).isCA();
                    }
                    psCert.setInt(idx++, ee ? 1 : 0);
                    psCert.setInt(idx++, cert.getReqType());
                    String tidS = null;
                    if (cert.getTid() != null) {
                        tidS = cert.getTid();
                    }
                    psCert.setString(idx++, tidS);
                    psCert.addBatch();
                } catch (SQLException ex) {
                    throw translate(SQL_ADD_CERT, ex);
                }
                // CRAW row (raw certificate)
                try {
                    int idx = 1;
                    psRawcert.setLong(idx++, cert.getId());
                    psRawcert.setString(idx++, b64Sha1FpCert);
                    psRawcert.setString(idx++, cert.getRs());
                    psRawcert.setString(idx++, Base64.toBase64String(encodedCert));
                    psRawcert.addBatch();
                } catch (SQLException ex) {
                    throw translate(SQL_ADD_CRAW, ex);
                }
            } else if (CaDbEntryType.CRL == type) {
                PreparedStatement psAddCrl = statements[0];
                CaCrlType crl = (CaCrlType) entry;
                String filename = crl.getFile();
                ZipEntry zipEnty = zipFile.getEntry(filename);
                byte[] encodedCrl = IoUtil.read(zipFile.getInputStream(zipEnty));
                X509CRL x509crl = null;
                try {
                    x509crl = X509Util.parseCrl(encodedCrl);
                } catch (Exception ex) {
                    LOG.error("could not parse CRL in file {}", filename);
                    LOG.debug("could not parse CRL in file " + filename, ex);
                    if (ex instanceof CRLException) {
                        throw (CRLException) ex;
                    } else {
                        throw new CRLException(ex.getMessage(), ex);
                    }
                }
                try {
                    byte[] octetString = x509crl.getExtensionValue(Extension.cRLNumber.getId());
                    if (octetString == null) {
                        // NOTE(review): this 'continue' skips the batch-commit check below even
                        // though numEntriesInBatch was already incremented; if this is the last
                        // entry the pending batch is not flushed here — confirm intended.
                        LOG.warn("CRL without CRL number, ignore it");
                        continue;
                    }
                    // The extension value is an OCTET STRING wrapping the DER INTEGER.
                    byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); // CHECKSTYLE:SKIP
                    BigInteger crlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue();
                    BigInteger baseCrlNumber = null;
                    octetString = x509crl.getExtensionValue(Extension.deltaCRLIndicator.getId());
                    if (octetString != null) {
                        extnValue = DEROctetString.getInstance(octetString).getOctets();
                        baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue();
                    }
                    int idx = 1;
                    psAddCrl.setLong(idx++, crl.getId());
                    psAddCrl.setInt(idx++, crl.getCaId());
                    // CRL numbers are truncated to 64 bits here.
                    psAddCrl.setLong(idx++, crlNumber.longValue());
                    psAddCrl.setLong(idx++, x509crl.getThisUpdate().getTime() / 1000);
                    if (x509crl.getNextUpdate() != null) {
                        psAddCrl.setLong(idx++, x509crl.getNextUpdate().getTime() / 1000);
                    } else {
                        psAddCrl.setNull(idx++, Types.INTEGER);
                    }
                    if (baseCrlNumber == null) {
                        setBoolean(psAddCrl, idx++, false);
                        psAddCrl.setNull(idx++, Types.BIGINT);
                    } else {
                        setBoolean(psAddCrl, idx++, true);
                        psAddCrl.setLong(idx++, baseCrlNumber.longValue());
                    }
                    String str = Base64.toBase64String(encodedCrl);
                    psAddCrl.setString(idx++, str);
                    psAddCrl.addBatch();
                } catch (SQLException ex) {
                    System.err.println(
                            "could not import CRL with ID=" + crl.getId() + ", message: " + ex.getMessage());
                    throw ex;
                }
            } else if (CaDbEntryType.USER == type) {
                PreparedStatement psAddUser = statements[0];
                CaUserType user = (CaUserType) entry;
                try {
                    int idx = 1;
                    psAddUser.setLong(idx++, user.getId());
                    psAddUser.setString(idx++, user.getName());
                    // The password value is written exactly as found in the export.
                    psAddUser.setString(idx++, user.getPassword());
                    psAddUser.setString(idx++, user.getCnRegex());
                    psAddUser.addBatch();
                } catch (SQLException ex) {
                    System.err.println("could not import USERNAME with ID=" + user.getId()
                            + ", message: " + ex.getMessage());
                    throw ex;
                }
            } else if (CaDbEntryType.REQUEST == type) {
                PreparedStatement psAddRequest = statements[0];
                CaRequestType request = (CaRequestType) entry;
                String filename = request.getFile();
                ZipEntry zipEnty = zipFile.getEntry(filename);
                byte[] encodedRequest = IoUtil.read(zipFile.getInputStream(zipEnty));
                try {
                    int idx = 1;
                    psAddRequest.setLong(idx++, request.getId());
                    psAddRequest.setLong(idx++, request.getUpdate());
                    psAddRequest.setString(idx++, Base64.toBase64String(encodedRequest));
                    psAddRequest.addBatch();
                } catch (SQLException ex) {
                    System.err.println("could not import REQUEST with ID=" + request.getId()
                            + ", message: " + ex.getMessage());
                    throw ex;
                }
            } else if (CaDbEntryType.REQCERT == type) {
                PreparedStatement psAddReqCert = statements[0];
                CaRequestCertType reqCert = (CaRequestCertType) entry;
                try {
                    int idx = 1;
                    psAddReqCert.setLong(idx++, reqCert.getId());
                    psAddReqCert.setLong(idx++, reqCert.getRid());
                    psAddReqCert.setLong(idx++, reqCert.getCid());
                    psAddReqCert.addBatch();
                } catch (SQLException ex) {
                    // NOTE(review): message says REQUEST although this is the REQCERT branch.
                    System.err.println("could not import REQUEST with ID=" + reqCert.getId()
                            + ", message: " + ex.getMessage());
                    throw ex;
                }
            } else {
                throw new RuntimeException("Unknown CaDbEntryType " + type);
            }
            boolean isLastBlock = !entries.hasNext();
            // Flush when the batch is full or the input is exhausted.
            if (numEntriesInBatch > 0 && (numEntriesInBatch % numEntriesPerCommit == 0 || isLastBlock)) {
                if (evaulateOnly) {
                    // Dry run: discard the batched rows without executing them.
                    for (PreparedStatement m : statements) {
                        m.clearBatch();
                    }
                } else {
                    String sql = null;
                    try {
                        for (int i = 0; i < sqls.length; i++) {
                            sql = sqls[i];
                            statements[i].executeBatch();
                        }
                        sql = null;
                        commit("(commit import to CA)");
                    } catch (Throwable th) {
                        rollback();
                        // NOTE(review): the OCSP importers pass the last *successful* id to
                        // their cleanup; here the current id is used — confirm intended.
                        deleteFromTableWithLargerId(type.getTableName(), "ID", id, LOG);
                        if (CaDbEntryType.CERT == type) {
                            deleteFromTableWithLargerId("CRAW", "CID", id, LOG);
                        }
                        if (th instanceof SQLException) {
                            throw translate(sql, (SQLException) th);
                        } else if (th instanceof Exception) {
                            throw (Exception) th;
                        } else {
                            throw new Exception(th);
                        }
                    }
                }
                lastSuccessfulEntryId = id;
                processLog.addNumProcessed(numEntriesInBatch);
                numEntriesInBatch = 0;
                // Progress line format: "<type>:<total processed>:<last id>".
                echoToFile(type + ":" + (numProcessedInLastProcess + processLog.getNumProcessed())
                        + ":" + lastSuccessfulEntryId, processLogFile);
                processLog.printStatus();
            }
        } // end while
        return lastSuccessfulEntryId;
    } finally {
        recoverAutoCommit();
        zipFile.close();
    }
}
From source file:org.xipki.pki.ca.dbtool.port.OcspCertStoreDbImporter.java
License:Open Source License
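/**
 * Inserts one issuer (CA) row from the export: the certificate is read from the
 * Base64 file named by {@code issuer.getCertFile()} below {@code baseDir}.
 *
 * @param issuer the exported issuer description
 * @param ps prepared statement for {@code SQL_ADD_ISSUER}; column order is fixed below
 * @throws DataAccessException if the insert fails (translated from SQLException)
 * @throws CertificateException if the certificate bytes cannot be parsed
 * @throws IOException if the certificate file cannot be read
 */
private void doImportIssuer(final IssuerType issuer, final PreparedStatement ps)
        throws DataAccessException, CertificateException, IOException {
    try {
        // NOTE(review): the file name comes from the import data and is resolved
        // below baseDir without normalisation — confirm the export is trusted.
        String certFilename = issuer.getCertFile();
        // The file holds Base64 text; decode the bytes with an explicit charset
        // instead of the platform default (Base64 is ASCII, so UTF-8 is safe).
        String b64Cert = new String(IoUtil.read(new File(baseDir, certFilename)),
                java.nio.charset.StandardCharsets.UTF_8);
        byte[] encodedCert = Base64.decode(b64Cert);
        Certificate cert;
        try {
            cert = Certificate.getInstance(encodedCert);
        } catch (RuntimeException ex) {
            // getInstance() reports malformed input as IllegalArgumentException;
            // it cannot throw CertificateException itself.
            LOG.error("could not parse certificate of issuer {}", issuer.getId());
            LOG.debug("could not parse certificate of issuer " + issuer.getId(), ex);
            throw new CertificateException(ex.getMessage(), ex);
        }
        TBSCertificate tbsCert = cert.getTBSCertificate();
        int idx = 1;
        ps.setInt(idx++, issuer.getId());
        ps.setString(idx++, X509Util.cutX500Name(cert.getSubject(), maxX500nameLen));
        // Validity is stored as epoch seconds.
        ps.setLong(idx++, tbsCert.getStartDate().getDate().getTime() / 1000);
        ps.setLong(idx++, tbsCert.getEndDate().getDate().getTime() / 1000);
        ps.setString(idx++, sha1(encodedCert));
        setBoolean(ps, idx++, issuer.isRevoked());
        setInt(ps, idx++, issuer.getRevReason());
        setLong(ps, idx++, issuer.getRevTime());
        setLong(ps, idx++, issuer.getRevInvTime());
        ps.setString(idx++, b64Cert);
        ps.execute();
    } catch (SQLException ex) {
        System.err.println("could not import issuer with id=" + issuer.getId());
        throw translate(SQL_ADD_ISSUER, ex);
    } catch (CertificateException ex) {
        System.err.println("could not import issuer with id=" + issuer.getId());
        throw ex;
    }
}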
From source file:org.xipki.pki.ca.dbtool.port.OcspCertStoreDbImporter.java
License:Open Source License
/**
 * Imports certificates from a ZIP archive ({@code certs.xml} plus raw certificate
 * files) into the OCSP store, writing CERT, CHASH and CRAW rows in batches.
 *
 * @param psCert prepared statement for {@code SQL_ADD_CERT}
 * @param psCerthash prepared statement for {@code SQL_ADD_CHASH}
 * @param psRawcert prepared statement for {@code SQL_ADD_CRAW}
 * @param certsZipFile path of the ZIP archive
 * @param minId certificates with an id below this value are skipped (resume support)
 * @param processLogFile file that receives the progress line after each commit
 * @param processLog progress counter updated after each commit
 * @param numProcessedInLastProcess number of entries already processed by an earlier run
 * @return id of the last certificate whose batch was committed (0 if none)
 * @throws InterruptedException if {@code stopMe} is set
 * @throws CertificateException if a certificate file cannot be parsed
 * @throws Exception any other failure, after rollback and cleanup
 */
private long doImportCert(final PreparedStatement psCert, final PreparedStatement psCerthash,
        final PreparedStatement psRawcert, final String certsZipFile, final long minId,
        final File processLogFile, final ProcessLog processLog,
        final int numProcessedInLastProcess) throws Exception {
    ZipFile zipFile = new ZipFile(new File(certsZipFile));
    ZipEntry certsXmlEntry = zipFile.getEntry("certs.xml");
    OcspCertsReader certs;
    try {
        certs = new OcspCertsReader(zipFile.getInputStream(certsXmlEntry));
    } catch (Exception ex) {
        // Close the ZIP only on failure here; on success the finally below closes it.
        try {
            zipFile.close();
        } catch (Exception e2) {
            LOG.error("could not close ZIP file {}: {}", certsZipFile, e2.getMessage());
            LOG.debug("could not close ZIP file " + certsZipFile, e2);
        }
        throw ex;
    }
    disableAutoCommit();
    try {
        int numEntriesInBatch = 0;
        long lastSuccessfulCertId = 0;
        while (certs.hasNext()) {
            if (stopMe.get()) {
                throw new InterruptedException("interrupted by the user");
            }
            OcspCertType cert = (OcspCertType) certs.next();
            long id = cert.getId();
            if (id < minId) {
                continue;
            }
            numEntriesInBatch++;
            String filename = cert.getFile();
            // NOTE(review): getEntry() returns null for a missing entry; getInputStream(null)
            // would then throw NullPointerException — confirm acceptable.
            ZipEntry certZipEnty = zipFile.getEntry(filename);
            byte[] encodedCert = IoUtil.read(zipFile.getInputStream(certZipEnty));
            TBSCertificate tbsCert;
            try {
                Certificate cc = Certificate.getInstance(encodedCert);
                tbsCert = cc.getTBSCertificate();
            } catch (RuntimeException ex) {
                LOG.error("could not parse certificate in file {}", filename);
                LOG.debug("could not parse certificate in file " + filename, ex);
                throw new CertificateException(ex.getMessage(), ex);
            }
            // CERT row
            try {
                int idx = 1;
                psCert.setLong(idx++, id);
                psCert.setInt(idx++, cert.getIid());
                psCert.setString(idx++, tbsCert.getSerialNumber().getPositiveValue().toString(16));
                psCert.setLong(idx++, cert.getUpdate());
                // Validity stored as epoch seconds.
                psCert.setLong(idx++, tbsCert.getStartDate().getDate().getTime() / 1000);
                psCert.setLong(idx++, tbsCert.getEndDate().getDate().getTime() / 1000);
                setBoolean(psCert, idx++, cert.getRev().booleanValue());
                setInt(psCert, idx++, cert.getRr());
                setLong(psCert, idx++, cert.getRt());
                setLong(psCert, idx++, cert.getRit());
                psCert.setString(idx++, cert.getProfile());
                psCert.addBatch();
            } catch (SQLException ex) {
                throw translate(SQL_ADD_CERT, ex);
            }
            // CHASH row: one digest per supported algorithm, over the raw encoding.
            try {
                int idx = 1;
                psCerthash.setLong(idx++, cert.getId());
                psCerthash.setString(idx++, sha1(encodedCert));
                psCerthash.setString(idx++, sha224(encodedCert));
                psCerthash.setString(idx++, sha256(encodedCert));
                psCerthash.setString(idx++, sha384(encodedCert));
                psCerthash.setString(idx++, sha512(encodedCert));
                psCerthash.addBatch();
            } catch (SQLException ex) {
                throw translate(SQL_ADD_CHASH, ex);
            }
            // CRAW row: subject (possibly truncated) and Base64 of the raw encoding.
            try {
                int idx = 1;
                psRawcert.setLong(idx++, cert.getId());
                psRawcert.setString(idx++, X509Util.cutX500Name(tbsCert.getSubject(), maxX500nameLen));
                psRawcert.setString(idx++, Base64.toBase64String(encodedCert));
                psRawcert.addBatch();
            } catch (SQLException ex) {
                throw translate(SQL_ADD_CRAW, ex);
            }
            boolean isLastBlock = !certs.hasNext();
            // Flush when the batch is full or the input is exhausted.
            if (numEntriesInBatch > 0 && (numEntriesInBatch % this.numCertsPerCommit == 0 || isLastBlock)) {
                if (evaulateOnly) {
                    // Dry run: discard the batched rows without executing them.
                    psCert.clearBatch();
                    psCerthash.clearBatch();
                    psRawcert.clearBatch();
                } else {
                    // 'sql' tracks which statement is executing so a failure can be attributed.
                    String sql = null;
                    try {
                        sql = SQL_ADD_CERT;
                        psCert.executeBatch();
                        sql = SQL_ADD_CHASH;
                        psCerthash.executeBatch();
                        sql = SQL_ADD_CRAW;
                        psRawcert.executeBatch();
                        sql = null;
                        commit("(commit import cert to OCSP)");
                    } catch (Throwable th) {
                        rollback();
                        deleteCertGreatherThan(lastSuccessfulCertId, LOG);
                        if (th instanceof SQLException) {
                            throw translate(sql, (SQLException) th);
                        } else if (th instanceof Exception) {
                            throw (Exception) th;
                        } else {
                            throw new Exception(th);
                        }
                    }
                }
                lastSuccessfulCertId = id;
                processLog.addNumProcessed(numEntriesInBatch);
                numEntriesInBatch = 0;
                // Progress line format: "<total processed>:<last id>".
                echoToFile((numProcessedInLastProcess + processLog.getNumProcessed()) + ":" + lastSuccessfulCertId,
                        processLogFile);
                processLog.printStatus();
            }
        } // end for
        return lastSuccessfulCertId;
    } finally {
        recoverAutoCommit();
        zipFile.close();
    }
}
From source file:org.xipki.pki.ca.dbtool.port.OcspCertStoreFromCaDbImporter.java
License:Open Source License
/**
 * Inserts one issuer row into the OCSP store, but only if the issuer certificate
 * matches a CA in {@code cas} (which supplies the revocation information).
 * Issuers without a matching CA are silently skipped.
 *
 * @param issuer the exported certstore CA entry
 * @param sql SQL text of {@code ps}, used only for error translation
 * @param ps prepared statement for the issuer insert; column order is fixed below
 * @param cas CA list searched for the matching certificate
 * @param relatedCaIds receives {@code issuer.getId()} when a matching CA is found
 * @throws IOException if certificate bytes cannot be read
 * @throws DataAccessException if the insert fails (translated from SQLException)
 * @throws CertificateException if the issuer certificate cannot be parsed
 */
private void doImportIssuer(final CertstoreCaType issuer, final String sql, final PreparedStatement ps,
        final List<CaType> cas, final List<Integer> relatedCaIds)
        throws IOException, DataAccessException, CertificateException {
    try {
        final byte[] rawCert = getBinary(issuer.getCert());
        final CaType matchingCa = findCaByEncodedCert(cas, rawCert);
        if (matchingCa == null) {
            return;
        }
        relatedCaIds.add(issuer.getId());
        final Certificate parsedCert;
        try {
            parsedCert = Certificate.getInstance(rawCert);
        } catch (RuntimeException ex) {
            // getInstance() reports malformed input as IllegalArgumentException;
            // a checked CertificateException cannot originate here.
            final String msg = "could not parse certificate of issuer " + issuer.getId();
            LogUtil.error(LOG, ex, msg);
            throw new CertificateException(ex.getMessage(), ex);
        }
        final TBSCertificate tbs = parsedCert.getTBSCertificate();
        ps.setInt(1, issuer.getId());
        ps.setString(2, X509Util.cutX500Name(parsedCert.getSubject(), maxX500nameLen));
        // Validity stored as epoch seconds.
        ps.setLong(3, tbs.getStartDate().getDate().getTime() / 1000);
        ps.setLong(4, tbs.getEndDate().getDate().getTime() / 1000);
        ps.setString(5, HashAlgoType.SHA1.base64Hash(rawCert));
        // Revocation state comes from the matching CA entry, not from the issuer itself.
        setBoolean(ps, 6, matchingCa.isRevoked());
        setInt(ps, 7, matchingCa.getRevReason());
        setLong(ps, 8, matchingCa.getRevTime());
        setLong(ps, 9, matchingCa.getRevInvTime());
        ps.setString(10, Base64.toBase64String(rawCert));
        ps.execute();
    } catch (SQLException ex) {
        System.err.println("could not import issuer with id=" + issuer.getId());
        throw translate(sql, ex);
    } catch (CertificateException ex) {
        System.err.println("could not import issuer with id=" + issuer.getId());
        throw ex;
    }
}

/**
 * Returns the first CA whose certificate bytes equal {@code encodedCert}, or null.
 *
 * @throws IOException if a CA's certificate bytes cannot be read
 */
private static CaType findCaByEncodedCert(final List<CaType> cas, final byte[] encodedCert)
        throws IOException {
    for (CaType candidate : cas) {
        if (Arrays.equals(encodedCert, getBinary(candidate.getCert()))) {
            return candidate;
        }
    }
    return null;
}
From source file:org.xipki.pki.ca.dbtool.port.OcspCertStoreFromCaDbImporter.java
License:Open Source License
/**
 * Imports certificates of a CA export ({@code overview.xml} plus raw files) into the
 * OCSP store, optionally restricted to revoked certificates and to the given CAs.
 * Writes CERT, CHASH and CRAW rows in batches and records progress after each commit.
 *
 * @param statments the three prepared statements (psCert, psCerthash, psRawCert)
 * @param certsZipFile path of the ZIP archive
 * @param profileMap maps certificate profile id to profile name
 * @param revokedOnly if true, only revoked certificates are imported
 * @param caIds only certificates issued by these CA ids are imported
 * @param minId certificates with an id below this value are skipped (resume support)
 * @param processLogFile file that receives the progress line after each commit
 * @param processLog counts all entries read past minId
 * @param numProcessedInLastProcess number of entries already processed by an earlier run
 * @param importLog counts only the entries actually imported
 * @return id of the last certificate entry seen
 * @throws InterruptedException if {@code stopMe} is set
 * @throws CertificateException if a certificate file cannot be parsed
 * @throws Exception any other failure, after rollback and cleanup
 */
private long doImportCert(final ImportStatements statments, final String certsZipFile,
        final Map<Integer, String> profileMap, final boolean revokedOnly, final List<Integer> caIds,
        final long minId, final File processLogFile, final ProcessLog processLog,
        final int numProcessedInLastProcess, final ProcessLog importLog) throws Exception {
    ZipFile zipFile = new ZipFile(new File(certsZipFile));
    ZipEntry certsXmlEntry = zipFile.getEntry("overview.xml");
    CaCertsReader certs;
    try {
        certs = new CaCertsReader(zipFile.getInputStream(certsXmlEntry));
    } catch (Exception ex) {
        // Close the ZIP only on failure here; on success the finally below closes it.
        try {
            zipFile.close();
        } catch (Exception ex2) {
            LOG.error("could not close ZIP file {}: {}", certsZipFile, ex2.getMessage());
            LOG.debug("could not close ZIP file " + certsZipFile, ex2);
        }
        throw ex;
    }
    disableAutoCommit();
    PreparedStatement psCert = statments.psCert;
    PreparedStatement psCerthash = statments.psCerthash;
    PreparedStatement psRawCert = statments.psRawCert;
    try {
        int numProcessedEntriesInBatch = 0;
        int numImportedEntriesInBatch = 0;
        long lastSuccessfulCertId = 0;
        while (certs.hasNext()) {
            if (stopMe.get()) {
                throw new InterruptedException("interrupted by the user");
            }
            CaCertType cert = (CaCertType) certs.next();
            long id = cert.getId();
            // NOTE(review): unlike the other importer, the id is recorded as "successful"
            // before its batch is committed, so the rollback cleanup below receives the
            // current id — confirm intended.
            lastSuccessfulCertId = id;
            if (id < minId) {
                continue;
            }
            numProcessedEntriesInBatch++;
            if (!revokedOnly || cert.getRev().booleanValue()) {
                int caId = cert.getCaId();
                if (caIds.contains(caId)) {
                    numImportedEntriesInBatch++;
                    String filename = cert.getFile();
                    // NOTE(review): getEntry() returns null for a missing entry; getInputStream(null)
                    // would then throw NullPointerException — confirm acceptable.
                    ZipEntry certZipEnty = zipFile.getEntry(filename);
                    byte[] encodedCert = IoUtil.read(zipFile.getInputStream(certZipEnty));
                    TBSCertificate tbsCert;
                    try {
                        Certificate cc = Certificate.getInstance(encodedCert);
                        tbsCert = cc.getTBSCertificate();
                    } catch (RuntimeException ex) {
                        LOG.error("could not parse certificate in file {}", filename);
                        LOG.debug("could not parse certificate in file " + filename, ex);
                        throw new CertificateException(ex.getMessage(), ex);
                    }
                    // CERT row
                    try {
                        int idx = 1;
                        psCert.setLong(idx++, id);
                        psCert.setInt(idx++, caId);
                        psCert.setString(idx++, tbsCert.getSerialNumber().getPositiveValue().toString(16));
                        psCert.setLong(idx++, cert.getUpdate());
                        // Validity stored as epoch seconds.
                        psCert.setLong(idx++, tbsCert.getStartDate().getDate().getTime() / 1000);
                        psCert.setLong(idx++, tbsCert.getEndDate().getDate().getTime() / 1000);
                        setBoolean(psCert, idx++, cert.getRev());
                        setInt(psCert, idx++, cert.getRr());
                        setLong(psCert, idx++, cert.getRt());
                        setLong(psCert, idx++, cert.getRit());
                        int certprofileId = cert.getPid();
                        // Map.get() yields null for an unknown profile id; stored as SQL NULL.
                        String certprofileName = profileMap.get(certprofileId);
                        psCert.setString(idx++, certprofileName);
                        psCert.addBatch();
                    } catch (SQLException ex) {
                        throw translate(SQL_ADD_CERT, ex);
                    }
                    // CHASH row: one digest per supported algorithm, over the raw encoding.
                    try {
                        int idx = 1;
                        psCerthash.setLong(idx++, id);
                        psCerthash.setString(idx++, HashAlgoType.SHA1.base64Hash(encodedCert));
                        psCerthash.setString(idx++, HashAlgoType.SHA224.base64Hash(encodedCert));
                        psCerthash.setString(idx++, HashAlgoType.SHA256.base64Hash(encodedCert));
                        psCerthash.setString(idx++, HashAlgoType.SHA384.base64Hash(encodedCert));
                        psCerthash.setString(idx++, HashAlgoType.SHA512.base64Hash(encodedCert));
                        psCerthash.addBatch();
                    } catch (SQLException ex) {
                        throw translate(SQL_ADD_CHASH, ex);
                    }
                    // CRAW row: subject (possibly truncated) and Base64 of the raw encoding.
                    try {
                        int idx = 1;
                        psRawCert.setLong(idx++, id);
                        psRawCert.setString(idx++, X509Util.cutX500Name(tbsCert.getSubject(), maxX500nameLen));
                        psRawCert.setString(idx++, Base64.toBase64String(encodedCert));
                        psRawCert.addBatch();
                    } catch (SQLException ex) {
                        throw translate(SQL_ADD_CRAW, ex);
                    }
                } // end if (caIds.contains(caId))
            } // end if (revokedOnly
            boolean isLastBlock = !certs.hasNext();
            // Flush when enough entries were imported or the input is exhausted.
            if (numImportedEntriesInBatch > 0
                    && (numImportedEntriesInBatch % this.numCertsPerCommit == 0 || isLastBlock)) {
                if (evaulateOnly) {
                    // Dry run: discard the batched rows without executing them.
                    psCert.clearBatch();
                    psCerthash.clearBatch();
                    psRawCert.clearBatch();
                } else {
                    // 'sql' tracks which statement is executing so a failure can be attributed.
                    String sql = null;
                    try {
                        sql = SQL_ADD_CERT;
                        psCert.executeBatch();
                        sql = SQL_ADD_CHASH;
                        psCerthash.executeBatch();
                        sql = SQL_ADD_CRAW;
                        psRawCert.executeBatch();
                        sql = null;
                        commit("(commit import cert to OCSP)");
                    } catch (Throwable th) {
                        rollback();
                        deleteCertGreatherThan(lastSuccessfulCertId, LOG);
                        if (th instanceof SQLException) {
                            throw translate(sql, (SQLException) th);
                        } else if (th instanceof Exception) {
                            throw (Exception) th;
                        } else {
                            throw new Exception(th);
                        }
                    }
                }
                lastSuccessfulCertId = id;
                processLog.addNumProcessed(numProcessedEntriesInBatch);
                importLog.addNumProcessed(numImportedEntriesInBatch);
                numProcessedEntriesInBatch = 0;
                numImportedEntriesInBatch = 0;
                // Progress line format: "<total processed>:<last id>".
                String filename = (numProcessedInLastProcess + processLog.getNumProcessed())
                        + ":" + lastSuccessfulCertId;
                echoToFile(filename, processLogFile);
                processLog.printStatus();
            } else if (isLastBlock) {
                // Nothing imported in this final batch (filtered out), but the progress
                // counters still have to be flushed. Same bookkeeping as above.
                lastSuccessfulCertId = id;
                processLog.addNumProcessed(numProcessedEntriesInBatch);
                importLog.addNumProcessed(numImportedEntriesInBatch);
                numProcessedEntriesInBatch = 0;
                numImportedEntriesInBatch = 0;
                String filename = (numProcessedInLastProcess + processLog.getNumProcessed())
                        + ":" + lastSuccessfulCertId;
                echoToFile(filename, processLogFile);
                processLog.printStatus();
            } // if (numImportedEntriesInBatch)
        } // end for
        return lastSuccessfulCertId;
    } finally {
        recoverAutoCommit();
        zipFile.close();
    }
}
From source file:org.xipki.pki.ca.qa.X509CertprofileQa.java
License:Open Source License
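/**
 * Checks an issued certificate against the configured certificate profile and
 * the values that were requested.
 *
 * Each check appends one {@link ValidationIssue} to the result; a failed check
 * carries a failure message. If the certificate cannot be parsed, only the size
 * and encoding issues are returned.
 *
 * @param certBytes DER encoding of the certificate to check
 * @param issuerInfo the issuing CA (certificate, validity bounds, cut-off policy)
 * @param requestedSubject the subject that was requested
 * @param requestedPublicKey the public key that was requested
 * @param requestedExtensions the extensions that were requested
 * @return the collected issues
 */
public ValidationResult checkCert(final byte[] certBytes, final X509IssuerInfo issuerInfo,
        final X500Name requestedSubject, final SubjectPublicKeyInfo requestedPublicKey,
        final Extensions requestedExtensions) {
    // Null arguments are rejected by ParamUtil.requireNonNull.
    ParamUtil.requireNonNull("certBytes", certBytes);
    ParamUtil.requireNonNull("issuerInfo", issuerInfo);
    ParamUtil.requireNonNull("requestedSubject", requestedSubject);
    ParamUtil.requireNonNull("requestedPublicKey", requestedPublicKey);
    List<ValidationIssue> resultIssues = new LinkedList<ValidationIssue>();
    Certificate bcCert;
    TBSCertificate tbsCert;
    X509Certificate cert;
    ValidationIssue issue;

    // certificate size
    issue = new ValidationIssue("X509.SIZE", "certificate size");
    resultIssues.add(issue);
    // NOTE(review): unboxing would throw NullPointerException if getMaxSize() returned null —
    // confirm the profile always supplies a value (0 means "unlimited").
    Integer maxSize = certProfile.getMaxSize();
    if (maxSize != 0) {
        int size = certBytes.length;
        if (size > maxSize) {
            issue.setFailureMessage(
                    String.format("certificate exceeds the maximal allowed size: %d > %d", size, maxSize));
        }
    }

    // certificate encoding
    issue = new ValidationIssue("X509.ENCODING", "certificate encoding");
    resultIssues.add(issue);
    try {
        bcCert = Certificate.getInstance(certBytes);
        tbsCert = bcCert.getTBSCertificate();
        cert = X509Util.parseCert(certBytes);
    } catch (CertificateException | IllegalArgumentException ex) {
        // Certificate.getInstance() signals malformed input with IllegalArgumentException;
        // report it as an encoding failure instead of letting it escape.
        issue.setFailureMessage("certificate is not correctly encoded");
        return new ValidationResult(resultIssues);
    }

    // syntax version
    issue = new ValidationIssue("X509.VERSION", "certificate version");
    resultIssues.add(issue);
    int versionNumber = tbsCert.getVersionNumber();
    X509CertVersion expVersion = certProfile.getVersion();
    if (versionNumber != expVersion.getVersionNumber()) {
        issue.setFailureMessage(
                "is '" + versionNumber + "' but expected '" + expVersion.getVersionNumber() + "'");
    }

    // serialNumber
    issue = new ValidationIssue("X509.serialNumber", "certificate serial number");
    resultIssues.add(issue);
    BigInteger serialNumber = tbsCert.getSerialNumber().getValue();
    if (serialNumber.signum() != 1) {
        issue.setFailureMessage("not positive");
    } else {
        // A positive INTEGER of at most 20 DER octets has at most 159 significant bits.
        if (serialNumber.bitLength() >= 160) {
            issue.setFailureMessage("serial number has more than 20 octets");
        }
    }

    // signatureAlgorithm
    List<String> signatureAlgorithms = certProfile.getSignatureAlgorithms();
    if (CollectionUtil.isNonEmpty(signatureAlgorithms)) {
        issue = new ValidationIssue("X509.SIGALG", "signature algorithm");
        resultIssues.add(issue);
        AlgorithmIdentifier sigAlgId = bcCert.getSignatureAlgorithm();
        AlgorithmIdentifier tbsSigAlgId = tbsCert.getSignature();
        // RFC 5280 requires both algorithm fields to be identical.
        if (!tbsSigAlgId.equals(sigAlgId)) {
            issue.setFailureMessage("Certificate.tbsCertificate.signature != Certificate.signatureAlgorithm");
        }
        try {
            String sigAlgo = AlgorithmUtil.getSignatureAlgoName(sigAlgId);
            if (!issue.isFailed()) {
                if (!signatureAlgorithms.contains(sigAlgo)) {
                    issue.setFailureMessage("signatureAlgorithm '" + sigAlgo + "' is not allowed");
                }
            }
            // check parameters
            if (!issue.isFailed()) {
                AlgorithmIdentifier expSigAlgId = AlgorithmUtil.getSigAlgId(sigAlgo);
                if (!expSigAlgId.equals(sigAlgId)) {
                    issue.setFailureMessage("invalid parameters");
                }
            }
        } catch (NoSuchAlgorithmException ex) {
            issue.setFailureMessage("unsupported signature algorithm " + sigAlgId.getAlgorithm().getId());
        }
    }

    // notBefore encoding — the issue is now added to the result so the outcome is reported.
    issue = new ValidationIssue("X509.NOTBEFORE.ENCODING", "notBefore encoding");
    resultIssues.add(issue);
    checkTime(tbsCert.getStartDate(), issue);

    // notAfter encoding — checks the end date (previously the start date was checked twice).
    issue = new ValidationIssue("X509.NOTAFTER.ENCODING", "notAfter encoding");
    resultIssues.add(issue);
    checkTime(tbsCert.getEndDate(), issue);

    // notBefore
    if (certProfile.isNotBeforeMidnight()) {
        issue = new ValidationIssue("X509.NOTBEFORE", "notBefore midnight");
        resultIssues.add(issue);
        Calendar cal = Calendar.getInstance(UTC);
        cal.setTime(cert.getNotBefore());
        int hourOfDay = cal.get(Calendar.HOUR_OF_DAY);
        int minute = cal.get(Calendar.MINUTE);
        int second = cal.get(Calendar.SECOND);
        if (hourOfDay != 0 || minute != 0 || second != 0) {
            issue.setFailureMessage(" '" + cert.getNotBefore() + "' is not midnight time (UTC)");
        }
    }

    // validity
    issue = new ValidationIssue("X509.VALIDITY", "cert validity");
    resultIssues.add(issue);
    if (cert.getNotAfter().before(cert.getNotBefore())) {
        issue.setFailureMessage("notAfter must not be before notBefore");
    } else if (cert.getNotBefore().before(issuerInfo.getCaNotBefore())) {
        issue.setFailureMessage("notBefore must not be before CA's notBefore");
    } else {
        CertValidity validity = certProfile.getValidity();
        Date expectedNotAfter = validity.add(cert.getNotBefore());
        // Clamp to the maximal representable certificate time ...
        if (expectedNotAfter.getTime() > MAX_CERT_TIME_MS) {
            expectedNotAfter = new Date(MAX_CERT_TIME_MS);
        }
        // ... and to the CA's own notAfter when the profile cuts off there.
        if (issuerInfo.isCutoffNotAfter() && expectedNotAfter.after(issuerInfo.getCaNotAfter())) {
            expectedNotAfter = issuerInfo.getCaNotAfter();
        }
        // Allow up to one minute of difference.
        if (Math.abs(expectedNotAfter.getTime() - cert.getNotAfter().getTime()) > 60 * SECOND) {
            issue.setFailureMessage("cert validity is not within " + validity.toString());
        }
    }

    // subjectPublicKeyInfo
    resultIssues.addAll(publicKeyChecker.checkPublicKey(bcCert.getSubjectPublicKeyInfo(), requestedPublicKey));

    // Signature
    issue = new ValidationIssue("X509.SIG", "whether certificate is signed by CA");
    resultIssues.add(issue);
    try {
        cert.verify(issuerInfo.getCert().getPublicKey(), "BC");
    } catch (Exception ex) {
        // Any verification failure (bad signature, unsupported algorithm, ...) is reported
        // uniformly; the cause is not needed by the QA report.
        issue.setFailureMessage("invalid signature");
    }

    // issuer
    issue = new ValidationIssue("X509.ISSUER", "certificate issuer");
    resultIssues.add(issue);
    if (!cert.getIssuerX500Principal().equals(issuerInfo.getCert().getSubjectX500Principal())) {
        issue.setFailureMessage("issuer in certificate does not equal the subject of CA certificate");
    }

    // subject
    resultIssues.addAll(subjectChecker.checkSubject(bcCert.getSubject(), requestedSubject));

    // issuerUniqueID
    issue = new ValidationIssue("X509.IssuerUniqueID", "issuerUniqueID");
    resultIssues.add(issue);
    if (tbsCert.getIssuerUniqueId() != null) {
        issue.setFailureMessage("is present but not permitted");
    }

    // subjectUniqueID
    issue = new ValidationIssue("X509.SubjectUniqueID", "subjectUniqueID");
    resultIssues.add(issue);
    if (tbsCert.getSubjectUniqueId() != null) {
        issue.setFailureMessage("is present but not permitted");
    }

    // extensions
    // NOTE(review): the GrantedSubject issue is recorded but never marked failed here —
    // confirm whether a check was intended.
    issue = new ValidationIssue("X509.GrantedSubject", "grantedSubject");
    resultIssues.add(issue);
    resultIssues.addAll(
            extensionsChecker.checkExtensions(bcCert, issuerInfo, requestedExtensions, requestedSubject));
    return new ValidationResult(resultIssues);
}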
From source file:org.xipki.pki.ca.qa.X509IssuerInfo.java
License:Open Source License
/**
 * Holds the issuing CA's certificate together with the URL lists a QA run expects
 * to find in issued certificates. Each URL list is kept as an unmodifiable set, or
 * as null when the given list is empty or null.
 *
 * @param caIssuerUrls caIssuers access locations (AIA); may be null or empty
 * @param ocspUrls OCSP access locations (AIA); may be null or empty
 * @param crlUrls CRL distribution points; may be null or empty
 * @param deltaCrlUrls delta CRL distribution points; may be null or empty
 * @param certBytes DER-encoded CA certificate; must not be null
 * @param cutoffNotAfter whether issued certificates must not outlive the CA certificate
 * @throws CertificateException if the CA certificate cannot be parsed
 */
public X509IssuerInfo(final List<String> caIssuerUrls, final List<String> ocspUrls,
        final List<String> crlUrls, final List<String> deltaCrlUrls, final byte[] certBytes,
        final boolean cutoffNotAfter) throws CertificateException {
    ParamUtil.requireNonNull("certBytes", certBytes);
    this.cutoffNotAfter = cutoffNotAfter;
    this.caIssuerUrls = toReadOnlySetOrNull(caIssuerUrls);
    this.ocspUrls = toReadOnlySetOrNull(ocspUrls);
    this.crlUrls = toReadOnlySetOrNull(crlUrls);
    this.deltaCrlUrls = toReadOnlySetOrNull(deltaCrlUrls);
    // Both representations are kept: the JCA certificate for JDK APIs, the
    // BouncyCastle structure for ASN.1-level checks.
    this.cert = X509Util.parseCert(certBytes);
    this.bcCert = Certificate.getInstance(certBytes);
    this.ski = X509Util.extractSki(cert);
    this.caNotBefore = this.cert.getNotBefore();
    this.caNotAfter = this.cert.getNotAfter();
}

/**
 * Copies {@code urls} into an unmodifiable set; returns null for a null or empty list.
 */
private static Set<String> toReadOnlySetOrNull(final List<String> urls) {
    if (CollectionUtil.isEmpty(urls)) {
        return null;
    }
    return Collections.unmodifiableSet(new HashSet<>(urls));
}