org.bouncycastle.asn1.cmp.PKIFailureInfo Java Examples

Example #1
Source File: BaseCmpResponder.java    From xipki with Apache License 2.0
/**
 * Adds CMP protection to {@code pkiMessage} on behalf of this responder.
 *
 * <p>A requestor that presented a certificate gets signature-based protection with the
 * responder's signer; otherwise password-based MAC protection is applied, using a fresh
 * random salt and the PBM parameters configured in the CMP control. When protection cannot
 * be added for any reason, the failure is logged, the audit event is marked ERROR/FAILED and
 * an {@code error} message with {@code systemFailure} is returned instead. Note that this
 * fallback error message reuses the original header and is itself returned unprotected.
 *
 * @param pkiMessage the message to protect
 * @param event the audit event for this exchange; updated only on failure
 * @param requestor the requestor whose credentials select the protection type
 * @return the protected message, or an error {@link PKIMessage} if protection failed
 */
private PKIMessage addProtection(PKIMessage pkiMessage, AuditEvent event,
    CmpRequestorInfo requestor) {
  final String failureMsg = "could not sign the PKIMessage";
  CmpControl control = getCmpControl();
  try {
    boolean signatureBased = requestor.getCert() != null;
    if (!signatureBased) {
      // No requestor certificate: fall back to password-based MAC protection.
      PBMParameter pbm = new PBMParameter(randomSalt(), control.getResponsePbmOwf(),
          control.getResponsePbmIterationCount(), control.getResponsePbmMac());
      return CmpUtil.addProtection(pkiMessage, requestor.getPassword(), pbm, getSender(),
          requestor.getKeyId());
    }
    return CmpUtil.addProtection(pkiMessage, getSigner(), getSender(),
        control.isSendResponderCert());
  } catch (Exception ex) {
    // Boundary catch: whatever went wrong, the peer still gets a well-formed CMP error body.
    LogUtil.error(LOG, ex, "could not add protection to the PKI message");
    PKIStatusInfo status = generateRejectionStatus(PKIFailureInfo.systemFailure, failureMsg);

    event.setLevel(AuditLevel.ERROR);
    event.setStatus(AuditStatus.FAILED);
    event.addEventData(CaAuditConstants.NAME_message, failureMsg);
    ErrorMsgContent errorContent = new ErrorMsgContent(status);
    return new PKIMessage(pkiMessage.getHeader(), new PKIBody(PKIBody.TYPE_ERROR, errorContent));
  }
}
 
Example #2
Source File: CmpClientImpl.java    From xipki with Apache License 2.0
/**
 * Un-revokes the certificates named in {@code request} through the CA that issued them.
 *
 * <p>Every entry must name the same issuer: one call talks to exactly one CA, so a request
 * mixing issuers is rejected with {@code badRequest} before any CA is contacted.
 *
 * @param request the certificates to un-revoke; must not be null
 * @param debug optional request/response debug sink passed through to the agent
 * @return the per-certificate outcome as produced by {@code parseRevokeCertResult}, or an
 *     empty map when the request carries no entries
 * @throws CmpClientException propagated from the agent call
 * @throws PkiErrorException if the entries come from more than one issuer, or propagated
 *     from the agent call
 */
@Override
public Map<String, CertIdOrError> unrevokeCerts(UnrevokeOrRemoveCertRequest request,
    ReqRespDebug debug) throws CmpClientException, PkiErrorException {
  Args.notNull(request, "request");
  initIfNotInitialized();

  List<UnrevokeOrRemoveCertRequest.Entry> entries = request.getRequestEntries();
  if (CollectionUtil.isEmpty(entries)) {
    return Collections.emptyMap();
  }

  // All entries must share the issuer of the first one.
  X500Name issuer = entries.get(0).getIssuer();
  for (UnrevokeOrRemoveCertRequest.Entry entry : entries) {
    if (!issuer.equals(entry.getIssuer())) {
      throw new PkiErrorException(PKIStatus.REJECTION, PKIFailureInfo.badRequest,
          "unrevoking certificates issued by more than one CA is not allowed");
    }
  }

  CmpAgent agent = casMap.get(getCaNameByIssuer(issuer)).getAgent();
  return parseRevokeCertResult(agent.unrevokeCertificate(request, debug));
}
 
Example #3
Source File: CmpClientImpl.java    From xipki with Apache License 2.0
/**
 * Removes the certificates named in {@code request} through the CA that issued them.
 *
 * <p>Every entry must name the same issuer: one call talks to exactly one CA, so a request
 * mixing issuers is rejected with {@code badRequest} before any CA is contacted.
 *
 * @param request the certificates to remove; must not be null
 * @param debug optional request/response debug sink passed through to the agent
 * @return the per-certificate outcome as produced by {@code parseRevokeCertResult}, or an
 *     empty map when the request carries no entries
 * @throws CmpClientException propagated from the agent call
 * @throws PkiErrorException if the entries come from more than one issuer, or propagated
 *     from the agent call
 */
@Override
public Map<String, CertIdOrError> removeCerts(UnrevokeOrRemoveCertRequest request,
    ReqRespDebug debug) throws CmpClientException, PkiErrorException {
  Args.notNull(request, "request");
  initIfNotInitialized();

  List<UnrevokeOrRemoveCertRequest.Entry> entries = request.getRequestEntries();
  if (CollectionUtil.isEmpty(entries)) {
    return Collections.emptyMap();
  }

  // All entries must share the issuer of the first one.
  X500Name issuer = entries.get(0).getIssuer();
  for (UnrevokeOrRemoveCertRequest.Entry entry : entries) {
    if (!issuer.equals(entry.getIssuer())) {
      throw new PkiErrorException(PKIStatus.REJECTION, PKIFailureInfo.badRequest,
          "removing certificates issued by more than one CA is not allowed");
    }
  }

  CmpAgent agent = casMap.get(getCaNameByIssuer(issuer)).getAgent();
  return parseRevokeCertResult(agent.removeCertificate(request, debug));
}
 
Example #4
Source File: CmpAgent.java    From xipki with Apache License 2.0
/**
 * Rejects a response whose protection is present but did not verify.
 *
 * <p>Only {@code MAC_VALID} and {@code SIGNATURE_VALID} count as verified; a missing
 * verification result is treated as a failed check. NOTE(review): a response that carries no
 * protection at all returns from this method without any check — whether such responses are
 * acceptable has to be decided by the caller, not here.
 *
 * @param response the received response; must not be null
 * @throws PkiErrorException with {@code badMessageCheck} when the protection is invalid
 */
private void checkProtection(VerifiedPkiMessage response) throws PkiErrorException {
  Args.notNull(response, "response");
  if (!response.hasProtection()) {
    return;
  }

  ProtectionVerificationResult verification = response.getProtectionVerificationResult();
  ProtectionResult outcome = (verification == null) ? null : verification.getProtectionResult();
  boolean verified = outcome == ProtectionResult.MAC_VALID
      || outcome == ProtectionResult.SIGNATURE_VALID;
  if (verified) {
    return;
  }

  throw new PkiErrorException(PKISTATUS_RESPONSE_ERROR, PKIFailureInfo.badMessageCheck,
      "message check of the response failed");
}
 
Example #5
Source File: CmpResponder.java    From xipki with Apache License 2.0
/**
 * Builds an {@code error} PKI body carrying the given status, failure info and optional text.
 *
 * @param pkiStatus the PKI status to report
 * @param failureInfo the {@link PKIFailureInfo} bit value to attach
 * @param statusMessage optional free text; {@code null} omits the status string entirely
 * @return a {@link PKIBody} of type {@code TYPE_ERROR}
 */
private static PKIBody buildErrorMsgPkiBody(PKIStatus pkiStatus, int failureInfo,
    String statusMessage) {
  PKIFreeText text = null;
  if (statusMessage != null) {
    text = new PKIFreeText(statusMessage);
  }
  PKIStatusInfo statusInfo =
      new PKIStatusInfo(pkiStatus, text, new PKIFailureInfo(failureInfo));
  return new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(statusInfo));
}
 
Example #6
Source File: CmpClientImpl.java    From xipki with Apache License 2.0
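/**
 * Revokes the certificates named in {@code request} through the CA that issued them.
 *
 * <p>Every entry must name the same issuer: one call talks to exactly one CA, so a request
 * mixing issuers is rejected with {@code badRequest} before any CA is contacted. If the CA's
 * CMP control requires an authority key identifier in revocation requests, entries lacking
 * one are filled in with the CA's subject key identifier — this mutates the caller's request
 * entries in place.
 *
 * @param request the certificates to revoke; must not be null
 * @param debug optional request/response debug sink passed through to the agent
 * @return the per-certificate outcome as produced by {@code parseRevokeCertResult}, or an
 *     empty map when the request carries no entries
 * @throws CmpClientException propagated from the agent call
 * @throws PkiErrorException if the entries come from more than one issuer, or propagated
 *     from the agent call
 */
@Override
public Map<String, CertIdOrError> revokeCerts(RevokeCertRequest request, ReqRespDebug debug)
    throws CmpClientException, PkiErrorException {
  List<RevokeCertRequest.Entry> requestEntries =
        Args.notNull(request, "request").getRequestEntries();
  if (CollectionUtil.isEmpty(requestEntries)) {
    return Collections.emptyMap();
  }

  // All entries must share the issuer of the first one.
  X500Name issuer = requestEntries.get(0).getIssuer();
  for (int i = 1; i < requestEntries.size(); i++) {
    if (!issuer.equals(requestEntries.get(i).getIssuer())) {
      throw new PkiErrorException(PKIStatus.REJECTION, PKIFailureInfo.badRequest,
          "revoking certificates issued by more than one CA is not allowed");
    }
  }

  initIfNotInitialized();

  final String caName = getCaNameByIssuer(issuer);
  CaConf caConf = casMap.get(caName);
  if (caConf.getCmpControl().isRrAkiRequired()) {
    // Reuse the entry list already fetched above instead of asking the request again;
    // only entries without an AKI are touched.
    byte[] aki = caConf.getSubjectKeyIdentifier();
    for (RevokeCertRequest.Entry entry : requestEntries) {
      if (entry.getAuthorityKeyIdentifier() == null) {
        entry.setAuthorityKeyIdentifier(aki);
      }
    }
  }

  RevokeCertResponse result = caConf.getAgent().revokeCertificate(request, debug);
  return parseRevokeCertResult(result);
}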
 
Example #7
Source File: CmpResponder.java    From xipki with Apache License 2.0
/**
 * Handles a PKI body with the choice {@code p10cr} (a PKCS#10 CSR wrapped in CMP).<br/>
 * Since it is not possible to add attributes to the PKCS#10 request (CSR), the certificate
 * profile — and optionally notBefore/notAfter — must be specified in the attribute
 * regInfo-utf8Pairs (1.3.6.1.5.5.7.5.2.1) within PKIHeader.generalInfo.
 *
 * <p>Processing order: verify the CSR's proof of possession, parse the requested extensions,
 * resolve the certificate profile (falling back to {@code dfltCertprofileName}), check that the
 * requestor may use that profile, then issue. Every failure short-circuits into an error
 * {@link CertResponse}; the method never throws for these cases.
 *
 * @param dfltCertprofileName profile used when the request names none; may be null
 * @param request the whole incoming PKIMessage, forwarded to the issuing path
 * @param requestor the authenticated requestor; consulted for profile permission
 * @param tid the transaction id of the exchange
 * @param reqHeader the request header; its generalInfo carries the utf8Pairs
 * @param p10cr the PKCS#10 request to process
 * @param cmpControl CMP settings (e.g. whether to return the CA certificate)
 * @param msgId message id used by the issuing path
 * @param event audit event; marked FAILED with a message when no certificate is granted
 * @return a {@code certRep} body holding exactly one CertResponse
 */
private PKIBody processP10cr(String dfltCertprofileName, PKIMessage request,
    CmpRequestorInfo requestor, ASN1OctetString tid, PKIHeader reqHeader,
    CertificationRequest p10cr, CmpControl cmpControl, String msgId, AuditEvent event) {
  // verify the POP first
  CertResponse certResp = null;
  // A p10cr carries no certReqId; -1 is used for the single response throughout.
  ASN1Integer certReqId = new ASN1Integer(-1);

  boolean certGenerated = false;
  X509Ca ca = getCa();

  if (!ca.verifyCsr(p10cr)) {
    LOG.warn("could not validate POP for the pkcs#10 requst");
    certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "invalid POP");
  } else {
    CertificationRequestInfo certTemp = p10cr.getCertificationRequestInfo();

    Extensions extensions;
    try {
      extensions = CaUtil.getExtensions(certTemp);
    } catch (IllegalArgumentException ex) {
      // Unparseable requested extensions are a client error, not a server failure.
      extensions = null;
      LOG.warn("could not parse extensions of the pkcs#10 requst");
      certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate,
                  "invalid extensions");
    }

    if (certResp == null) {
      X500Name subject = certTemp.getSubject();
      SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();

      // Profile and validity hints come from the requestor-supplied generalInfo.
      // NOTE(review): DateUtil's behaviour on a malformed value is not visible here — confirm
      // it rejects cleanly rather than propagating an exception out of this method.
      CmpUtf8Pairs keyvalues = CmpUtil.extract(reqHeader.getGeneralInfo());
      Date notBefore = null;
      Date notAfter = null;
      String certprofileName = null;
      if (keyvalues != null) {
        certprofileName = keyvalues.value(CmpUtf8Pairs.KEY_CERTPROFILE);

        String str = keyvalues.value(CmpUtf8Pairs.KEY_NOTBEFORE);
        if (str != null) {
          notBefore = DateUtil.parseUtcTimeyyyyMMddhhmmss(str);
        }

        str = keyvalues.value(CmpUtf8Pairs.KEY_NOTAFTER);
        if (str != null) {
          notAfter = DateUtil.parseUtcTimeyyyyMMddhhmmss(str);
        }
      }

      if (certprofileName == null) {
        certprofileName = dfltCertprofileName;
      }

      if (certprofileName == null) {
        LOG.warn("no certprofile is specified");
        certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate,
            "badCertTemplate");
      } else {
        // NOTE(review): default-locale toLowerCase(); Locale.ROOT would make the mapping
        // independent of the JVM locale — confirm profile names are ASCII or switch.
        certprofileName = certprofileName.toLowerCase();
        // Authorization: the requestor must be permitted to use the chosen profile.
        if (!requestor.isCertprofilePermitted(certprofileName)) {
          String msg = "certprofile " + certprofileName + " is not allowed";
          certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.notAuthorized, msg);
        } else {
          CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo,
              notBefore, notAfter, extensions, certprofileName, certReqId, false);

          certResp = generateCertificates(Arrays.asList(certTemplateData),
              requestor, tid, false, request, cmpControl, msgId, event).get(0);
          certGenerated = true;
        }
      }
    }
  }

  // The CA certificate is only returned when something was actually issued and the
  // control asks for it.
  CMPCertificate[] caPubs = null;
  if (certGenerated && cmpControl.isSendCaCert()) {
    caPubs = new CMPCertificate[]{ca.getCaInfo().getCertInCmpFormat()};
  }

  // certResp is non-null here: every branch above assigned it. Mirror a non-granted status
  // into the audit event unless the issuing path already marked it FAILED.
  if (event.getStatus() == null || event.getStatus() != AuditStatus.FAILED) {
    int status = certResp.getStatus().getStatus().intValue();
    if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS
        && status != PKIStatus.WAITING) {
      event.setStatus(AuditStatus.FAILED);
      PKIFreeText statusStr = certResp.getStatus().getStatusString();
      if (statusStr != null) {
        event.addEventData(CaAuditConstants.NAME_message, statusStr.getStringAt(0).getString());
      }
    }
  }

  CertRepMessage repMessage = new CertRepMessage(caPubs, new CertResponse[]{certResp});

  return new PKIBody(PKIBody.TYPE_CERT_REP, repMessage);
}
 
Example #8
Source File: CmpResponder.java    From xipki with Apache License 2.0
/**
 * Maps an {@link OperationException}'s error code to the PKIFailureInfo value reported to
 * the CMP client.
 *
 * <p>Internal causes (CRL, database and system failures) and any code not listed here are
 * collapsed to {@code systemFailure}.
 *
 * @param ex the exception whose error code is mapped
 * @return a {@link PKIFailureInfo} bit value
 */
private int getPKiFailureInfo(OperationException ex) {
  ErrorCode code = ex.getErrorCode();
  switch (code) {
    case ALREADY_ISSUED:
    case BAD_REQUEST:
    case INVALID_EXTENSION:
      return PKIFailureInfo.badRequest;
    case BAD_CERT_TEMPLATE:
    case UNKNOWN_CERT_PROFILE:
      return PKIFailureInfo.badCertTemplate;
    case CERT_REVOKED:
      return PKIFailureInfo.certRevoked;
    case CERT_UNREVOKED:
    case NOT_PERMITTED:
      return PKIFailureInfo.notAuthorized;
    case BAD_POP:
      return PKIFailureInfo.badPOP;
    case SYSTEM_UNAVAILABLE:
      return PKIFailureInfo.systemUnavail;
    case UNKNOWN_CERT:
      return PKIFailureInfo.badCertId;
    case CRL_FAILURE:
    case DATABASE_FAILURE:
    case SYSTEM_FAILURE:
    default:
      return PKIFailureInfo.systemFailure;
  }
}
 
Example #9
Source File: CmpResponder.java    From xipki with Apache License 2.0
/**
 * Handles a {@code certConf} body: settles every pending certificate of the transaction.
 *
 * <p>For each CertStatus the matching certificate is removed from the pending pool. A status
 * of GRANTED or GRANTED_WITH_MODS (or no status at all) accepts it; anything else causes the
 * certificate to be revoked with reason CESSATION_OF_OPERATION. Pending certificates the
 * client did not confirm are revoked afterwards via {@code revokePendingCertificates}.
 *
 * @param transactionId the transaction the confirmation belongs to
 * @param certConf the confirmation content
 * @param msgId message id recorded with the revocations
 * @return a {@code pkiconf} body if every confirmed certificate was accepted, otherwise an
 *     {@code error} body with {@code rejection}/{@code systemFailure}
 */
private PKIBody confirmCertificates(ASN1OctetString transactionId, CertConfirmContent certConf,
    String msgId) {
  CertStatus[] certStatuses = certConf.toCertStatusArray();

  boolean successful = true;
  for (CertStatus certStatus : certStatuses) {
    ASN1Integer certReqId = certStatus.getCertReqId();
    byte[] certHash = certStatus.getCertHash().getOctets();
    // The hash sent by the client must match the pending certificate; an unknown
    // (transactionId, certReqId, hash) triple is logged and skipped, not treated as a failure.
    CertificateInfo certInfo = pendingCertPool.removeCertificate(
        transactionId.getOctets(), certReqId.getPositiveValue(), certHash);
    if (certInfo == null) {
      if (LOG.isWarnEnabled()) {
        LOG.warn("no cert under transactionId={}, certReqId={} and certHash=0X{}",
            transactionId, certReqId.getPositiveValue(), Hex.encode(certHash));
      }
      continue;
    }

    // A missing statusInfo counts as acceptance.
    PKIStatusInfo statusInfo = certStatus.getStatusInfo();
    boolean accept = true;
    if (statusInfo != null) {
      int status = statusInfo.getStatus().intValue();
      if (PKIStatus.GRANTED != status && PKIStatus.GRANTED_WITH_MODS != status) {
        accept = false;
      }
    }

    if (accept) {
      continue;
    }

    // Client rejected the certificate: revoke it. A failed revocation is only logged; the
    // confirmation is reported as unsuccessful either way.
    BigInteger serialNumber = certInfo.getCert().getCert().getSerialNumber();
    X509Ca ca = getCa();
    try {
      ca.revokeCert(serialNumber, CrlReason.CESSATION_OF_OPERATION, new Date(), msgId);
    } catch (OperationException ex) {
      LogUtil.warn(LOG, ex, "could not revoke certificate ca=" + ca.getCaInfo().getIdent()
          + " serialNumber=" + LogUtil.formatCsn(serialNumber));
    }

    successful = false;
  }

  // all other certificates should be revoked
  // NOTE(review): the meaning of revokePendingCertificates' boolean is not visible here;
  // a true return is treated as "confirmation not fully successful".
  if (revokePendingCertificates(transactionId, msgId)) {
    successful = false;
  }

  if (successful) {
    return new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
  }

  return new PKIBody(PKIBody.TYPE_ERROR,
      new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection, null,
              new PKIFailureInfo(PKIFailureInfo.systemFailure))));
}
 
Example #10
Source File: CmpResponder.java    From xipki with Apache License 2.0
/**
 * Handles an {@code rr} (revocation request) body that may mean revoke, un-revoke or remove.
 *
 * <p>The operation type is derived from each RevDetails' CRL reason code: the project's
 * CMP_CRL_REASON_REMOVE means remove, REMOVE_FROM_CRL means un-revoke, everything else
 * (including a missing reasonCode extension, treated as UNSPECIFIED) means revoke. All
 * entries must agree on one type; the first entry also records the audit event type. The
 * requestor's permission for that type is checked before delegating to
 * {@code unRevokeRemoveCertificates}.
 *
 * @param request the whole incoming PKIMessage, forwarded to the delegate
 * @param respHeader the response header builder (not used in this method itself)
 * @param cmpControl CMP settings, forwarded to the delegate
 * @param reqHeader the request header (not used in this method itself)
 * @param reqBody the {@code rr} body whose content is parsed here
 * @param requestor the authenticated requestor whose permission is checked
 * @param msgId message id forwarded to the delegate
 * @param event audit event; receives the event type and, on denial, FAILED status
 * @return an {@code error} body for mixed types or missing permission, otherwise whatever
 *     the delegate returns
 */
private PKIBody cmpUnRevokeRemoveCertificates(PKIMessage request, PKIHeaderBuilder respHeader,
    CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor,
    String msgId, AuditEvent event) {
  // Permission implied by the first entry; null until the first entry is classified.
  Integer requiredPermission = null;
  boolean allRevdetailsOfSameType = true;

  RevReqContent rr = RevReqContent.getInstance(reqBody.getContent());
  RevDetails[] revContent = rr.toRevDetailsArray();

  int len = revContent.length;
  for (int i = 0; i < len; i++) {
    RevDetails revDetails = revContent[i];
    Extensions crlDetails = revDetails.getCrlEntryDetails();
    int reasonCode = CrlReason.UNSPECIFIED.getCode();
    if (crlDetails != null) {
      ASN1ObjectIdentifier extId = Extension.reasonCode;
      ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId);
      if (extValue != null) {
        reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue();
      }
    }

    // NOTE(review): requiredPermission is an Integer compared with the PermissionConstants
    // values via !=; this is a numeric comparison only if those constants are int — confirm.
    if (reasonCode == XiSecurityConstants.CMP_CRL_REASON_REMOVE) {
      if (requiredPermission == null) {
        event.addEventType(CaAuditConstants.Cmp.TYPE_rr_remove);
        requiredPermission = PermissionConstants.REMOVE_CERT;
      } else if (requiredPermission != PermissionConstants.REMOVE_CERT) {
        allRevdetailsOfSameType = false;
        break;
      }
    } else if (reasonCode == CrlReason.REMOVE_FROM_CRL.getCode()) {
      if (requiredPermission == null) {
        event.addEventType(CaAuditConstants.Cmp.TYPE_rr_unrevoke);
        requiredPermission = PermissionConstants.UNREVOKE_CERT;
      } else if (requiredPermission != PermissionConstants.UNREVOKE_CERT) {
        allRevdetailsOfSameType = false;
        break;
      }
    } else {
      if (requiredPermission == null) {
        event.addEventType(CaAuditConstants.Cmp.TYPE_rr_revoke);
        requiredPermission = PermissionConstants.REVOKE_CERT;
      } else if (requiredPermission != PermissionConstants.REVOKE_CERT) {
        allRevdetailsOfSameType = false;
        break;
      }
    }
  } // end for

  if (!allRevdetailsOfSameType) {
    ErrorMsgContent emc = new ErrorMsgContent(
        new PKIStatusInfo(PKIStatus.rejection,
        new PKIFreeText("not all revDetails are of the same type"),
        new PKIFailureInfo(PKIFailureInfo.badRequest)));

    return new PKIBody(PKIBody.TYPE_ERROR, emc);
  }

  // NOTE(review): with an empty RevReqContent the loop never runs and requiredPermission is
  // still null here — confirm checkPermission tolerates a null permission.
  try {
    checkPermission(requestor, requiredPermission);
  } catch (InsuffientPermissionException ex) {
    event.setStatus(AuditStatus.FAILED);
    event.addEventData(CaAuditConstants.NAME_message, "NOT_PERMITTED");
    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.notAuthorized, null);
  }

  return unRevokeRemoveCertificates(request, rr, requiredPermission, cmpControl, msgId, event);
}
 
Example #11
Source File: BaseCmpResponder.java    From xipki with Apache License 2.0
/**
 * Builds a {@link PKIStatusInfo} for a rejected request.
 *
 * @param status the PKI status to report
 * @param info optional {@link PKIFailureInfo} bit value; {@code null} omits the failure info
 * @param errorMessage optional free text; {@code null} omits the status string
 * @return the assembled status info
 */
protected PKIStatusInfo generateRejectionStatus(PKIStatus status, Integer info,
    String errorMessage) {
  PKIFreeText text = null;
  if (errorMessage != null) {
    text = new PKIFreeText(errorMessage);
  }
  PKIFailureInfo failure = null;
  if (info != null) {
    failure = new PKIFailureInfo(info);
  }
  return new PKIStatusInfo(status, text, failure);
}