

     */
    /**
     * Builds the PKCS#7 (CMS) bundle for {@code cert} using the CA identified by {@code caId}.
     * The CA is fetched with the internal admin, so no caller-level authorization happens in
     * this helper; whoever calls it must already have authorized the operation.
     *
     * @param caId         id of the CA that issued {@code cert}
     * @param cert         the certificate to wrap
     * @param includeChain whether the CA chain is included in the bundle
     * @return the bytes returned by {@code CA.createPKCS7}
     * @throws CADoesntExistsException       if no CA with {@code caId} exists
     * @throws SignRequestSignatureException propagated from {@code CA.createPKCS7}
     */
    private byte[] createPKCS7(int caId, Certificate cert, boolean includeChain) throws CADoesntExistsException, SignRequestSignatureException {
        if (log.isTraceEnabled()) {
            log.trace(">createPKCS7(" + caId + ", " + CertTools.getIssuerDN(cert) + ")");
        }
        final CA issuingCa = caSession.getCA(Admin.getInternalAdmin(), caId);
        final byte[] pkcs7 = issuingCa.createPKCS7(cert, includeChain);
        if (log.isTraceEnabled()) {
            log.trace("<createPKCS7()");
        }
        return pkcs7;
    }


        log.trace(">createCertificate(IRequestMessage)");
      }
        // Get CA that will receive request
        UserDataVO data = null;
        IResponseMessage ret = null;
        CA ca;
        if (suppliedUserData == null) {
          ca = getCAFromRequest(admin, req);
        } else {
          ca = caSession.getCA(admin, suppliedUserData.getCAId()); // Take the CAId from the supplied userdata, if any
        }
        try {
            CATokenContainer catoken = ca.getCAToken();
           
            // See if we need some key material to decrypt request
            if (req.requireKeyInfo()) {
                // You go figure...scep encrypts message with the public CA-cert
                req.setKeyInfo(ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), catoken.getJCEProvider());
            }
            // Verify the request
            if (req.verify() == false) {
              String msg = intres.getLocalizedMessage("signsession.popverificationfailed");
              logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
                throw new SignRequestSignatureException(msg);
            }
           
            if (ca.isUseUserStorage() && req.getUsername() == null) {
              String msg = intres.getLocalizedMessage("signsession.nouserinrequest", req.getRequestDN());
              logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
                throw new SignRequestException(msg);
                //ret.setFailInfo(FailInfo.BAD_REQUEST);
                //ret.setStatus(ResponseStatus.FAILURE);
            } else if (ca.isUseUserStorage() && req.getPassword() == null) {
              String msg = intres.getLocalizedMessage("signsession.nopasswordinrequest");
                logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
                throw new SignRequestException(msg);
            } else {       
              ResponseStatus status = ResponseStatus.SUCCESS;
              FailInfo failInfo = null;
              String failText = null;
                Certificate cert = null;
              try {
            // If we haven't done so yet, authenticate user. (Only if we store UserData for this CA.)
                if (ca.isUseUserStorage()) {
                    data = authUser(admin, req.getUsername(), req.getPassword());
                } else {
                  data = suppliedUserData;
                }
                    PublicKey reqpk = req.getRequestPublicKey();
                    if (reqpk == null) {
                        logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, intres.getLocalizedMessage("signsession.nokeyinrequest"));
                        throw new InvalidKeyException("Key is null!");
                    }
                    // We need to make sure we use the users registered CA here
                    if (data.getCAId() != ca.getCAId()) {
                      failText = intres.getLocalizedMessage("signsession.wrongauthority", Integer.valueOf(ca.getCAId()), Integer.valueOf(data.getCAId()));
                        status = ResponseStatus.FAILURE;
                        failInfo = FailInfo.WRONG_AUTHORITY;
                        logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, failText);
                    }

                    if (status.equals(ResponseStatus.SUCCESS)) {
                      Date notBefore = req.getRequestValidityNotBefore(); // Optionally requested validity
                      Date notAfter = req.getRequestValidityNotAfter(); // Optionally requested validity
                      X509Extensions exts = req.getRequestExtensions(); // Optionally requested extensions
                      int keyusage = -1;
                      if (exts != null) {
                          if (log.isDebugEnabled()) {
                            log.debug("we have extensions, see if we can override KeyUsage by looking for a KeyUsage extension in request");
                          }
                        X509Extension ext = exts.getExtension(X509Extensions.KeyUsage);
                        if (ext != null) {
                          ASN1OctetString os = ext.getValue();
                          ByteArrayInputStream bIs = new ByteArrayInputStream(os.getOctets());
                          ASN1InputStream dIs = new ASN1InputStream(bIs);
                          DERObject dob = dIs.readObject();
                          DERBitString bs = DERBitString.getInstance(dob);
                          keyusage = bs.intValue();                                                           
                          if (log.isDebugEnabled()) {
                            log.debug("We have a key usage request extension: "+keyusage);
                          }
                        }
                      }
              String sequence = null;
              byte[] ki = req.getRequestKeyInfo();
              if ( (ki != null) && (ki.length > 0) ) {
                  sequence = new String(ki);               
              }
                      cert = createCertificate(admin, data, req.getRequestX509Name(), ca, reqpk, keyusage, notBefore, notAfter, exts, sequence);
                    }
              } catch (ObjectNotFoundException oe) {
                // If we didn't find the entity return error message
                log.error("User not found: ", oe);
                  failText = intres.getLocalizedMessage("signsession.nosuchuser", req.getUsername());
                    status = ResponseStatus.FAILURE;
                    failInfo = FailInfo.INCORRECT_DATA;
                    logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, failText);
              }
               
                //Create the response message with all nonces and checks etc
                ret = req.createResponseMessage(responseClass, req, ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), catoken.getProvider());
       
        if ( (cert == null) && (status == ResponseStatus.SUCCESS) ) {
          status = ResponseStatus.FAILURE;
          failInfo = FailInfo.BAD_REQUEST;
                } else {
                    ret.setCertificate(cert);
                }
                ret.setStatus(status);
                if (failInfo != null) {
                    ret.setFailInfo(failInfo);
                    ret.setFailText(failText);
                }
            }
            ret.create();
            // Call authentication session and tell that we are finished with this user. (Only if we store UserData for this CA.)
            if (ca.isUseUserStorage() && data!=null) {
            finishUser(ca, data);
            }             
        } catch (NoUniqueCertSerialNumberIndexException e) {
        cleanUserCertDataSN(data);
            throw e.ejbcaException;
        } catch (IllegalKeyException ke) {
            log.error("Key is of unknown type: ", ke);
            throw ke;
        } catch (CATokenOfflineException ctoe) {
          String msg = intres.getLocalizedMessage("error.catokenoffline", ca.getSubjectDN());
          CATokenOfflineException ex = new CATokenOfflineException(msg);
          ex.initCause(ctoe);
          throw ex;
        } catch (EjbcaException e) {
            throw e;

      }
    if (log.isDebugEnabled()) {
          log.debug("User type=" + data.getType());
    }
      // Get CA object and make sure it's active
      CA ca = caSession.getCA(admin, data.getCAId());
      if (ca.getStatus() != SecConst.CA_ACTIVE) {
        String msg = intres.getLocalizedMessage("signsession.canotactive", ca.getSubjectDN());
        logSession.log(admin, data.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), null, null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
        throw new EJBException(msg);
      }
      Certificate cert;
      try {

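    /**
     * Builds a signed FAILURE / BAD_REQUEST response for a request that cannot be fulfilled.
     * The request is decrypted first (when the protocol needs the CA key for that) and its
     * signature / proof-of-possession is verified, so the CA only ever signs a reply to a
     * request that verifies.
     *
     * @param admin         administrator performing the operation
     * @param req           the incoming request message
     * @param responseClass response message class to instantiate
     * @return the created response (status FAILURE, failInfo BAD_REQUEST), or {@code null}
     *         when response creation hit one of the provider / key / algorithm / IO errors
     *         that are only logged below. Callers must handle a {@code null} return.
     * @throws SignRequestSignatureException if {@code req.verify()} returns false
     * @throws CADoesntExistsException       if no CA can be resolved from the request
     * @throws IllegalKeyException           on IllegalKeyStoreException from the CA token
     * @throws CATokenOfflineException       if the CA token is offline (logged, then rethrown)
     */
    @Override
    public IResponseMessage createRequestFailedResponse(Admin admin, IRequestMessage req,  Class responseClass) throws  AuthLoginException, AuthStatusException, IllegalKeyException, CADoesntExistsException, SignRequestSignatureException, SignRequestException, CATokenOfflineException {
        log.trace(">createRequestFailedResponse(IRequestMessage)");
        IResponseMessage ret = null;
        // Resolves the CA from issuerDN/serial or username; also rejects a CA that is not active
        CA ca = getCAFromRequest(admin, req);
        try {
            CATokenContainer catoken = ca.getCAToken();
            // SCEP encrypts the request to the CA certificate, so the CA signing key is handed
            // to the request object to let it decrypt its payload.
            // NOTE(review): the CERTSIGN key doubles as decryption key here - confirm that no
            // separate key-encryption key is expected for this token.
            if (req.requireKeyInfo()) {
                req.setKeyInfo(ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), catoken.getProvider());
            }
            // Verify the request signature / proof-of-possession before signing anything in reply
            if (req.verify() == false) {
                String msg = intres.getLocalizedMessage("signsession.popverificationfailed");
                // Same message object for the audit log and the exception (the original resolved it twice)
                logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
                throw new SignRequestSignatureException(msg);
            }
            // Create the response message with all nonces and checks etc; it is signed with the CA key
            ret = req.createResponseMessage(responseClass, req, ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), catoken.getProvider());
            ret.setStatus(ResponseStatus.FAILURE);
            ret.setFailInfo(FailInfo.BAD_REQUEST);
            ret.create();
        } catch (IllegalKeyStoreException e) {
            throw new IllegalKeyException(e);
        } catch (NotFoundException e) {
            // This can actually not happen here?
            throw new CADoesntExistsException(e);
        } catch (NoSuchProviderException e) {
            // NOTE(review): the errors below are only logged; ret stays null and is returned as such
            log.error("NoSuchProvider provider: ", e);
        } catch (InvalidKeyException e) {
            log.error("Invalid key in request: ", e);
        } catch (NoSuchAlgorithmException e) {
            log.error("No such algorithm: ", e);
        } catch (IOException e) {
            log.error("Cannot create response message: ", e);
        } catch (CATokenOfflineException ctoe) {
            String msg = intres.getLocalizedMessage("error.catokenoffline", ca.getSubjectDN());
            log.warn(msg, ctoe);
            logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), null, null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg, ctoe);
            throw ctoe;
        }
        log.trace("<createRequestFailedResponse(IRequestMessage)");
        return ret;
    }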

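    /**
     * Decrypts (when the protocol needs the CA key for that) and verifies the signature /
     * proof-of-possession of an incoming request, returning the same request object with its
     * key material set.
     *
     * Fails closed: any error while decrypting or verifying ends in an exception, so the
     * request is never handed back in an unverified state. (The original only logged
     * NoSuchProvider / InvalidKey / NoSuchAlgorithm errors and then fell through to
     * {@code return req}; it also lacked the closing brace before the CATokenOfflineException
     * catch.)
     *
     * @param admin administrator performing the operation
     * @param req   incoming request; modified in place by {@code setKeyInfo} when required
     * @return {@code req}, after {@code setKeyInfo} (if required) and a successful {@code verify()}
     * @throws CADoesntExistsException       if no CA can be resolved from the request, or if the
     *         CA token is offline (mapped, since CATokenOfflineException is not declared here)
     * @throws SignRequestSignatureException if {@code req.verify()} returns false, or a
     *         provider / key / algorithm problem prevents decryption or verification
     * @throws IllegalKeyException           on IllegalKeyStoreException from the CA token
     */
    @Override
    public IRequestMessage decryptAndVerifyRequest(Admin admin, IRequestMessage req) throws ObjectNotFoundException, AuthStatusException, AuthLoginException, IllegalKeyException, CADoesntExistsException, SignRequestException, SignRequestSignatureException {
        log.trace(">decryptAndVerifyRequest(IRequestMessage)");
        // Get CA that will receive request (also rejects a CA that is not active)
        CA ca = getCAFromRequest(admin, req);
        try {
            CATokenContainer catoken = ca.getCAToken();
            // SCEP encrypts the request to the CA certificate, so the CA signing key is handed
            // to the request object to let it decrypt its payload.
            // NOTE(review): the CERTSIGN key doubles as decryption key here - confirm that no
            // separate key-encryption key is expected for this token.
            if (req.requireKeyInfo()) {
                req.setKeyInfo(ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), catoken.getProvider());
            }
            // Verify the request signature / proof-of-possession
            if (req.verify() == false) {
                String msg = intres.getLocalizedMessage("signsession.popverificationfailed");
                logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
                throw new SignRequestSignatureException(msg);
            }
        } catch (IllegalKeyStoreException e) {
            throw new IllegalKeyException(e);
        } catch (NoSuchProviderException e) {
            log.error("NoSuchProvider provider: ", e);
            // Fail closed: verification did not complete, so do not return the request as verified
            SignRequestSignatureException ex = new SignRequestSignatureException("NoSuchProvider provider: " + e.getMessage());
            ex.initCause(e);
            throw ex;
        } catch (InvalidKeyException e) {
            log.error("Invalid key in request: ", e);
            SignRequestSignatureException ex = new SignRequestSignatureException("Invalid key in request: " + e.getMessage());
            ex.initCause(e);
            throw ex;
        } catch (NoSuchAlgorithmException e) {
            log.error("No such algorithm: ", e);
            SignRequestSignatureException ex = new SignRequestSignatureException("No such algorithm: " + e.getMessage());
            ex.initCause(e);
            throw ex;
        } catch (CATokenOfflineException ctoe) {
            String msg = intres.getLocalizedMessage("error.catokenoffline", ca.getSubjectDN());
            log.error(msg, ctoe);
            logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), null, null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg, ctoe);
            // Mapped because CATokenOfflineException is not in this method's throws clause
            throw new CADoesntExistsException(msg);
        }
        log.trace("<decryptAndVerifyRequest(IRequestMessage)");
        return req;
    }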

    /**
     * Answers a protocol request (e.g. SCEP GetCRL) with the latest full CRL of the CA that
     * the request addresses. The request is decrypted with the CA key when the protocol needs
     * that; note that no {@code req.verify()} call is made here, unlike the certificate paths.
     *
     * @param admin         administrator performing the operation
     * @param req           the incoming request message
     * @param responseClass response message class to instantiate
     * @return the signed response: SUCCESS with the CRL attached, FAILURE / BAD_REQUEST when the
     *         CA has no CRL, or {@code null} when one of the logged-only errors below occurred
     * @throws CADoesntExistsException if no CA can be resolved from the request, or if the CA
     *         token is offline (mapped, since CATokenOfflineException is not declared here)
     * @throws IllegalKeyException     on IllegalKeyStoreException from the CA token
     */
    @Override
    public IResponseMessage getCRL(Admin admin, IRequestMessage req, Class responseClass) throws AuthStatusException, AuthLoginException, IllegalKeyException, CADoesntExistsException, SignRequestException, SignRequestSignatureException, UnsupportedEncodingException {
        log.trace(">getCRL(IRequestMessage)");
        IResponseMessage response = null;
        // Resolve the CA addressed by the request (issuerDN/serial, or username)
        final CA ca = getCAFromRequest(admin, req);
        try {
            final CATokenContainer token = ca.getCAToken();
            if (ca.getStatus() != SecConst.CA_ACTIVE) {
                final String inactiveMsg = intres.getLocalizedMessage("signsession.canotactive", ca.getSubjectDN());
                logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), null, null, LogConstants.EVENT_ERROR_GETLASTCRL, inactiveMsg);
                throw new EJBException(inactiveMsg);
            }
            // SCEP encrypts the request to the CA certificate, so the CA (signing) key is
            // handed to the request object to let it decrypt its payload
            if (req.requireKeyInfo()) {
                req.setKeyInfo(ca.getCACertificate(), token.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), token.getProvider());
            }
            // The response carries the nonces / transaction checks and is signed with the CA key
            response = req.createResponseMessage(responseClass, req, ca.getCACertificate(), token.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), token.getProvider());

            // Whatever CRL issuer the (encrypted) request names is ignored: the CA resolved
            // above is the one whose latest full CRL is returned
            final String caSubjectDn = CertTools.getSubjectDN(ca.getCACertificate());
            final byte[] crlBytes = crlSession.getLastCRL(admin, caSubjectDn, false);
            if (crlBytes == null) {
                response.setStatus(ResponseStatus.FAILURE);
                response.setFailInfo(FailInfo.BAD_REQUEST);
            } else {
                response.setCrl(CertTools.getCRLfromByteArray(crlBytes));
                response.setStatus(ResponseStatus.SUCCESS);
            }
            response.create();
            // TODO: handle returning errors as response message,
            // javax.ejb.ObjectNotFoundException and the others thrown...
        } catch (NotFoundException e) {
            // This actually can not happen here
            throw new CADoesntExistsException(e);
        } catch (IllegalKeyStoreException e) {
            throw new IllegalKeyException(e);
        } catch (NoSuchProviderException e) {
            // NOTE(review): the errors below are only logged; response stays null and is returned as such
            log.error("NoSuchProvider provider: ", e);
        } catch (InvalidKeyException e) {
            log.error("Invalid key in request: ", e);
        } catch (NoSuchAlgorithmException e) {
            log.error("No such algorithm: ", e);
        } catch (CRLException e) {
            log.error("Cannot create response message: ", e);
        } catch (IOException e) {
            log.error("Cannot create response message: ", e);
        } catch (CATokenOfflineException ctoe) {
            final String offlineMsg = intres.getLocalizedMessage("error.catokenoffline", ca.getSubjectDN());
            log.error(offlineMsg, ctoe);
            logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), null, null, LogConstants.EVENT_ERROR_GETLASTCRL, offlineMsg, ctoe);
            // Mapped because CATokenOfflineException is not in this method's throws clause
            throw new CADoesntExistsException(offlineMsg);
        }
        log.trace("<getCRL(IRequestMessage)");
        return response;
    }

        return ret;
    }
   
    /**
     * Help Method that extracts the CA specified in the request.
     *
     * Resolution order, as implemented below:
     *  1. the issuerDN carried by the request; when a serial number is present too and a
     *     certificate with that issuer+serial is in the store, that certificate's subject DN
     *     replaces the issuerDN (the original comment: to get the CA's subject name);
     *  2. if no CA is found for that DN, fall back to the CA of the user named in the request
     *     (getCAFromUsername, which authenticates the request's username/password via authUser);
     *  3. with no issuerDN at all, the username path is used directly.
     * The resolved CA must be active, otherwise the failure is logged and an EJBException thrown.
     *
     * @param admin administrator performing the operation (passed to every lookup)
     * @param req   the incoming request message
     * @return the CA the request is addressed to
     * @throws CADoesntExistsException if neither the DN nor the username path yields a CA
     */
    private CA getCAFromRequest(Admin admin, IRequestMessage req) throws AuthStatusException, AuthLoginException, CADoesntExistsException {
        CA ca = null;
        try {
            // See if we can get issuerDN directly from request
            if (req.getIssuerDN() != null) {
              String dn = req.getIssuerDN();
              if (log.isDebugEnabled()) {
                log.debug("Got an issuerDN: "+dn);
              }
              // If we have issuer and serialNo, we must find the CA certificate, to get the CAs subject name
              // If we don't have a serialNumber, we take a chance that it was actually the subjectDN (for example a RootCA)
              BigInteger serno = req.getSerialNo();
              if (serno != null) {
                if (log.isDebugEnabled()) {
                  log.debug("Got a serialNumber: "+serno.toString(16));
                }
                  
                Certificate cert = certificateStoreSession.findCertificateByIssuerAndSerno(admin, dn, serno);
                if (cert != null) {
                  dn = CertTools.getSubjectDN(cert);
                }
              }
              if (log.isDebugEnabled()) {
                log.debug("Using DN: "+dn);
              }
              try {
                // The CA id is derived from the DN string's hashCode. When no certificate
                // matched above, dn is the issuerDN exactly as the requester spelled it.
                // NOTE(review): confirm this matches how CA ids are computed when CAs are
                // created (canonical DN ordering/encoding); an equivalent DN written in a
                // different form would miss here and silently fall through to the username path.
                ca = caSession.getCA(admin, dn.hashCode());
                if (log.isDebugEnabled()) {
                  log.debug("Using CA (from issuerDN) with id: " + ca.getCAId() + " and DN: " + ca.getSubjectDN());
                }
              } catch (CADoesntExistsException e) {
                // We could not find a CA from that DN, so it might not be a CA. Try to get from username instead
                // (the username path authenticates the request's username/password, so an unknown DN
                // cannot select a CA without valid credentials)
                if (req.getUsername() != null) {
                  ca = getCAFromUsername(admin, req);
                      if (log.isDebugEnabled()) {
                        log.debug("Using CA from username: "+req.getUsername());
                      }
                    } else {
                        String msg = intres.getLocalizedMessage("signsession.canotfoundissuerusername", dn, "null");         
                        throw new CADoesntExistsException(msg);
                    }
              }
            } else if (req.getUsername() != null) {
                // No issuerDN in the request: the CA is whatever the authenticated user is registered with
                ca = getCAFromUsername(admin, req);
              if (log.isDebugEnabled()) {
                log.debug("Using CA from username: "+req.getUsername());
              }
            } else {
                // Neither issuerDN nor username: nothing to resolve the CA from
                throw new CADoesntExistsException(intres.getLocalizedMessage("signsession.canotfoundissuerusername", req.getIssuerDN(), req.getUsername()));
            }
        } catch (ObjectNotFoundException e) {
            // Thrown by the username path when the user does not exist; reported as a missing CA
            throw new CADoesntExistsException(intres.getLocalizedMessage("signsession.canotfoundissuerusername", req.getIssuerDN(), req.getUsername()));
    }
       
        // Refuse to serve requests for a CA that is not active (logged as a certificate-creation error)
        if (ca.getStatus() != SecConst.CA_ACTIVE) {
          String msg = intres.getLocalizedMessage("signsession.canotactive", ca.getSubjectDN());
          logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), null, null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
          throw new EJBException(msg);
        }
        return ca;
    }

      throws ObjectNotFoundException, AuthStatusException, AuthLoginException, CADoesntExistsException {
    // See if we can get username and password directly from request
    String username = req.getUsername();
    String password = req.getPassword();
    UserDataVO data = authUser(admin, username, password);
    CA ca = caSession.getCA(admin, data.getCAId());
    if (log.isDebugEnabled()) {
      log.debug("Using CA (from username) with id: " + ca.getCAId() + " and DN: " + ca.getSubjectDN());
    }
    return ca;
  }
