Package org.ejbca.core.model.ca.caadmin

Examples of org.ejbca.core.model.ca.caadmin.CAInfo

81
82
83
84
85
86
87
88
89
90
91
92
        if (first) {
          first = false;         
        } else {
          existingCasInfo += ", ";
        }
        CAInfo info = ejb.getCAAdminSession().getCAInfo(getAdmin(), caid);
        existingCasInfo += info.getName();       
      }
    } catch (Exception e) {
      existingCasInfo += "<unable to fetch available CA>";
    }
    getLogger().info(existingCasInfo);
View Full Code Here
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
            getLogger().info("Certificate profile: "+profileName);
            //getLogger().info("Certificate profile id: "+profileId);
            getLogger().info("CA token properties: "+catokenproperties);
            getLogger().info("Signed by: "+(signedByCAId == CAInfo.SELFSIGNED ? "self signed " : signedByCAId));
            if (signedByCAId != CAInfo.SELFSIGNED) {
              CAInfo signedBy = ejb.getCAAdminSession().getCAInfo(getAdmin(), signedByCAId);
              if (signedBy == null) {
                  throw new IllegalArgumentException("CA with id "+signedByCAId+" does not exist.");               
              }
            }
                           
            initAuthorizationModule(dn.hashCode(), superAdminCN);
            // Define CAToken type (soft token or hsm).
            CATokenInfo catokeninfo = null;
            if ( catokentype.equals("soft")) {
              SoftCATokenInfo softcatokeninfo = new SoftCATokenInfo();
              if (!catokenpassword.equalsIgnoreCase("null")) {
              softcatokeninfo.setAuthenticationCode(catokenpassword);               
              }
              softcatokeninfo.setSignKeySpec(keyspec);
              softcatokeninfo.setSignKeyAlgorithm(keytype);
              softcatokeninfo.setSignatureAlgorithm(signAlg);
              softcatokeninfo.setEncKeySpec("2048");
              softcatokeninfo.setEncKeyAlgorithm(AlgorithmConstants.KEYALGORITHM_RSA);
              softcatokeninfo.setEncryptionAlgorithm(AlgorithmConstants.SIGALG_SHA1_WITH_RSA);
              catokeninfo = softcatokeninfo;
            } else {
              HardCATokenInfo hardcatokeninfo = new HardCATokenInfo();
              hardcatokeninfo.setAuthenticationCode(catokenpassword);
              hardcatokeninfo.setCATokenStatus(ICAToken.STATUS_ACTIVE);
              hardcatokeninfo.setClassPath(catokentype);
              hardcatokeninfo.setEncryptionAlgorithm(AlgorithmConstants.SIGALG_SHA1_WITH_RSA);
              hardcatokeninfo.setProperties(catokenproperties);
              hardcatokeninfo.setSignatureAlgorithm(signAlg);
              catokeninfo = hardcatokeninfo;
            }
           
            // Create and active OSCP CA Service.
            ArrayList extendedcaservices = new ArrayList();
            String keySpec = keyspec;
            if (keytype.equals(AlgorithmConstants.KEYALGORITHM_RSA)) {
              // Never use larger keys than 2048 bit RSA for OCSP signing
              int len = Integer.parseInt(keySpec);
              if (len > 2048) {
                keySpec = "2048";        
              }
            }
            extendedcaservices.add(new OCSPCAServiceInfo(ExtendedCAServiceInfo.STATUS_ACTIVE));
            extendedcaservices.add(
                    new XKMSCAServiceInfo(ExtendedCAServiceInfo.STATUS_INACTIVE,
                                          "CN=XKMSCertificate, " + dn,
                                          "",
                                          keySpec,
                                          keytype));
            extendedcaservices.add(
                    new CmsCAServiceInfo(ExtendedCAServiceInfo.STATUS_INACTIVE,
                                          "CN=CmsCertificate, " + dn,
                                          "",
                                          keySpec,
                                          keytype));
             
           
            X509CAInfo cainfo = new X509CAInfo(dn,
                                             caname, SecConst.CA_ACTIVE, new Date(),
                                             "", profileId,
                                             validity,
                                             null, // Expiretime                                            
                                             CAInfo.CATYPE_X509,
                                             signedByCAId,
                                             (Collection) null,
                                             catokeninfo,
                                             "Initial CA",
                                             -1, null,
                                             policies, // PolicyId
                                             24 * SimpleTime.MILLISECONDS_PER_HOUR, // CRLPeriod
                                             0 * SimpleTime.MILLISECONDS_PER_HOUR, // CRLIssueInterval
                                             10 * SimpleTime.MILLISECONDS_PER_HOUR, // CRLOverlapTime
                                             0 * SimpleTime.MILLISECONDS_PER_HOUR, // DeltaCRLPeriod
                                             new ArrayList(),
                                             true, // Authority Key Identifier
                                             false, // Authority Key Identifier Critical
                                             true, // CRL Number
                                             false, // CRL Number Critical
                                             "", // Default CRL Dist Point
                                             "", // Default CRL Issuer
                                             "", // Default OCSP Service Locator
                                             "", // CA defined freshest CRL
                                             true, // Finish User
                                             extendedcaservices,
                                       false, // use default utf8 settings
                                       new ArrayList(), // Approvals Settings
                                       1, // Number of Req approvals
                                       false, // Use UTF8 subject DN by default
                                       true, // Use LDAP DN order by default
                                       false, // Use CRL Distribution Point on CRL
                                       false,  // CRL Distribution Point on CRL critical
                                       true, // include in health check
                                       true, // isDoEnforceUniquePublicKeys
                                       true, // isDoEnforceUniqueDistinguishedName
                                       false, // isDoEnforceUniqueSubjectDNSerialnumber
                                       true, // useCertReqHistory
                                       true, // useUserStorage
                                       true, // useCertificateStorage
                                       null //cmpRaAuthSecret
                                       );
           
            getLogger().info("Creating CA...");
            ejb.getCAAdminSession().createCA(getAdmin(), cainfo);
           
            CAInfo newInfo = ejb.getCAAdminSession().getCAInfo(getAdmin(), caname);
            int caid = newInfo.getCAId();
            getLogger().info("CAId for created CA: " + caid);
            getLogger().info("-Created and published initial CRL.");
            getLogger().info("CA initialized");
        } catch (Exception e) {
          getLogger().debug("An error occured: ", e);
View Full Code Here
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
                // For example: "Content-Type:application/x-x509-ca-cert\n\n"<BER-encoded X509>
               
                // CA_IDENT is the message for this request to indicate which CA we are talking about
                log.debug("Got SCEP cert request for CA '" + message + "'");
                Collection certs = null;
                CAInfo cainfo = casession.getCAInfo(administrator, message);
                if (cainfo != null) {
                    certs = cainfo.getCertificateChain();
                }
                if ((certs != null) && (certs.size() > 0)) {
                    // CAs certificate is in the first position in the Collection
                    Iterator iter = certs.iterator();
                    X509Certificate cert = (X509Certificate) iter.next();
                    log.debug("Sent certificate for CA '" + message + "' to SCEP client.");
                    RequestHelper.sendNewX509CaCert(cert.getEncoded(), response);
                iMsg = intres.getLocalizedMessage("scep.sentresponsemsg", "GetCACert", remoteAddr);
              log.info(iMsg);
                } else {
                String errMsg = intres.getLocalizedMessage("scep.errorunknownca", "cert");
                    log.error(errMsg);
                    response.sendError(HttpServletResponse.SC_NOT_FOUND, "No CA certificates found.");
                }
            } else if (operation.equals("GetCACertChain")) {
                // The response for GetCACertChain is a certificates-only PKCS#7
                // SignedDatato carry the certificates to the end entity, with a
                // Content-Type of application/x-x509-ca-ra-cert-chain.
               
                // CA_IDENT is the message for this request to indicate which CA we are talking about
                log.debug("Got SCEP pkcs7 request for CA '" + message + "'");
 
                CAInfo cainfo = casession.getCAInfo(administrator, message);
                byte[] pkcs7 = signsession.createPKCS7(administrator, cainfo.getCAId(), true);
                if ((pkcs7 != null) && (pkcs7.length > 0)) {
                    log.debug("Sent PKCS7 for CA '" + message + "' to SCEP client.");
                    RequestHelper.sendBinaryBytes(pkcs7, response, "application/x-x509-ca-ra-cert-chain", null);
                iMsg = intres.getLocalizedMessage("scep.sentresponsemsg", "GetCACertChain", remoteAddr);
              log.info(iMsg);
View Full Code Here
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
      return;
    }

    try {
      String caName = args[1];
      CAInfo cainfo = ejb.getCAAdminSession().getCAInfo(getAdmin(), caName);
      String signAlg = args[2];
      getLogger().info("Setting new signature algorithm: " + signAlg);
      CATokenInfo tokeninfo = cainfo.getCATokenInfo();
      tokeninfo.setSignatureAlgorithm(signAlg);
      if (args.length > 3) {
        String keyspec = args[3];
        if (tokeninfo instanceof SoftCATokenInfo) {
          SoftCATokenInfo sinfo = (SoftCATokenInfo) tokeninfo;
          getLogger().info("Setting new signature keyspec: " + keyspec);
          sinfo.setSignKeySpec(keyspec);
        } else {
          getLogger().info("CA token is not a soft token, not setting keyspec.");
        }
      }
      cainfo.setCATokenInfo(tokeninfo);
      ejb.getCAAdminSession().editCA(getAdmin(), cainfo);
      getLogger().info("CA token signature algorithm for CA changed.");
    } catch (Exception e) {
      getLogger().error(e.getMessage());
      usage();
View Full Code Here
76
77
78
79
80
81
82
83
84
85
86
87
    getLogger().info(" Existing CAs: ");
    try {
      // Print available CAs
      Collection<Integer> cas = ejb.getCaSession().getAvailableCAs(getAdmin());
      for (Integer caid : cas) {
        CAInfo info = ejb.getCAAdminSession().getCAInfo(getAdmin(), caid);
        getLogger().info("    "+info.getName()+": "+info.getCATokenInfo().getSignatureAlgorithm());       
      }
    } catch (Exception e) {
      e.printStackTrace();
      getLogger().error("<unable to fetch available CA>");
    }
View Full Code Here
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
                return;
            }
            String caname = args[1];
            CryptoProviderTools.installBCProvider();
            // Get the CAs info and id
            CAInfo cainfo = ejb.getCAAdminSession().getCAInfo(getAdmin(), caname);
            if(cainfo == null){
              getLogger().error("CA " + caname + " cannot be found")
              return;             
            }
            if(cainfo.getStatus() == SecConst.CA_ACTIVE){
              ejb.getCAAdminSession().deactivateCAToken(getAdmin(), cainfo.getCAId());                       
              getLogger().info("CA token deactivated.");
            }else{
              getLogger().error("CA or CAToken must be active to be put offline.");
            }
        } catch (Exception e) {
View Full Code Here
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
      final String caname = args[1];
      final String crl_file = args[2];
      final boolean strict = args[3].equalsIgnoreCase(STRICT_OP);
      final boolean adaptive = args[3].equalsIgnoreCase(ADAPTIVE_OP);
      // Fetch CA and related info
      final CAInfo cainfo = getCAInfo(caname);
      final X509Certificate cacert = (X509Certificate) cainfo.getCertificateChain().iterator().next();
      final String issuer = CertTools.stringToBCDNString(cacert.getSubjectDN().toString());
      getLogger().info("CA: " + issuer);
      // Read the supplied CRL and verify that it is issued by the specified CA
      final X509CRL x509crl = (X509CRL) CertTools.getCertificateFactory().generateCRL(new FileInputStream (crl_file));
          if (!x509crl.getIssuerX500Principal().getName().equals(cacert.getSubjectX500Principal().getName())){
            throw new IOException ("CRL wasn't issued by this CA");
          }
          x509crl.verify(cacert.getPublicKey());
          int crl_no = CrlExtensions.getCrlNumber(x509crl).intValue();
          getLogger().info("Processing CRL #" + crl_no);
          int miss_count = 0// Number of certs not already in database
          int revoked = 0// Number of certs activly revoked by this algorithm
          int already_revoked = 0// Number of certs already revoked in database and ignored in non-strict mode
          final String missing_user_name = "*** Missing During CRL Import to: " + caname;
          for (final X509CRLEntry entry : (Set<X509CRLEntry>) x509crl.getRevokedCertificates()) {
            final BigInteger serialNr = entry.getSerialNumber();
            final String serialHex = serialNr.toString(16).toUpperCase();
            final String username = ejb.getCertStoreSession().findUsernameByCertSerno(getAdmin(), serialNr, issuer);
            // If this certificate exists and has an assigned username, we keep using that. Otherwise we create this coupling to a user.
            if (username == null) {
              getLogger().info ("Certificate '"+ serialHex +"' missing in the database");
              if (strict) {
                throw new IOException ("Aborted! Running in strict mode and is missing certificate in database.");
              }
              miss_count++;
              if (!adaptive) {
                continue;
              }
              final Date time = new Date();              // time from which certificate is valid
              final KeyPair key_pair = KeyTools.genKeys("1024", AlgorithmConstants.KEYALGORITHM_RSA);   
              final X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
              final X500Principal dnName = new X500Principal("CN=Dummy Missing in Imported CRL, serialNumber=" + serialHex);
              certGen.setSerialNumber(serialNr);
              certGen.setIssuerDN(cacert.getSubjectX500Principal());
              certGen.setNotBefore(time);
              certGen.setNotAfter(new Date (time.getTime() + 1000L * 60 * 60 * 24 * 365 * 10))// 10 years of life
              certGen.setSubjectDN(dnName);                       // note: same as issuer
              certGen.setPublicKey(key_pair.getPublic());
              certGen.setSignatureAlgorithm("SHA1withRSA");
              final X509Certificate certificate = certGen.generate(key_pair.getPrivate(), "BC");
              final String fingerprint = CertTools.getFingerprintAsString(certificate);
              // We add all certificates that does not have a user already to "missing_user_name"
              final UserDataVO missingUserDataVO = ejb.getUserAdminSession().findUser(getAdmin(), missing_user_name);
              if (missingUserDataVO == null) {
                // Add the user and change status to REVOKED
                getLogger().debug("Loading/updating user " + missing_user_name);
                final UserDataVO userdataNew = new UserDataVO(missing_user_name, CertTools.getSubjectDN(certificate), cainfo.getCAId(), null, null,
                    UserDataConstants.STATUS_NEW, SecConst.USER_ENDUSER, SecConst.EMPTY_ENDENTITYPROFILE,
                    SecConst.CERTPROFILE_FIXED_ENDUSER, null, null, SecConst.TOKEN_SOFT_BROWSERGEN, SecConst.NO_HARDTOKENISSUER, null);
                userdataNew.setPassword("foo123");
                ejb.getUserAdminSession().addUser(getAdmin(), userdataNew, false);
                getLogger().info("User '" + missing_user_name + "' has been added.");
View Full Code Here
479
480
481
482
483
484
485
486
487
488
489
490
491
 
  protected boolean certIsValid(X509Certificate cert) {
    boolean retval = false;
   
    try {
      CAInfo cAInfo = caadminsession.getCAInfo(pubAdmin, CertTools.getIssuerDN(cert).hashCode());
      if(cAInfo != null){   
        Collection caCertChain = cAInfo.getCertificateChain();
        Iterator iter = caCertChain.iterator();
       
        boolean revoked = false;       
        if (certificateStoreSession.isRevoked(CertTools.getIssuerDN(cert), cert.getSerialNumber())) {
          revoked = true;
View Full Code Here
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
                // console
                authorizationcode = String.valueOf(System.console().readPassword());
            }
            CryptoProviderTools.installBCProvider();
            // Get the CAs info and id
            CAInfo cainfo = ejb.getCAAdminSession().getCAInfo(getAdmin(), caname);
            if (cainfo == null) {
                getLogger().error("Error: CA " + caname + " cannot be found");
                return;
            }
            // Check that CA has correct status.
            if ((cainfo.getStatus() == SecConst.CA_OFFLINE) || (cainfo.getCATokenInfo().getCATokenStatus() == ICAToken.STATUS_OFFLINE)) {
                try {
                    ejb.getCAAdminSession().activateCAToken(getAdmin(), cainfo.getCAId(), authorizationcode, ejb.getGlobalConfigurationSession().getCachedGlobalConfiguration(getAdmin()));
                    getLogger().info("CA token activated.");

                } catch (CATokenAuthenticationFailedException e) {
                    getLogger().error("CA Token authentication failed.");
                    getLogger().error(e.getMessage());
View Full Code Here
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
          getLogger().error("Certificate Profile " + certificateprofile + " doesn't exists.");
          throw new Exception("Certificate Profile '" + certificateprofile + "' doesn't exists.");
        }
      }
     
      CAInfo cainfo = getCAInfo(caname);
     
      getLogger().info("Trying to add user:");
      getLogger().info("Username: " + username);
      getLogger().info("Password (hashed only): " + password);
      getLogger().info("Email: " + email);
      getLogger().info("DN: " + CertTools.getSubjectDN(certificate));
      getLogger().info("CA Name: " + caname);
      getLogger().info("Certificate Profile: " + ejb.getCertificateProfileSession().getCertificateProfileName(getAdmin(), certificateprofileid));
      getLogger().info("End Entity Profile: " +
              ejb.getEndEntityProfileSession().getEndEntityProfileName(getAdmin(), endentityprofileid));
     
      String subjectAltName = CertTools.getSubjectAlternativeName(certificate);
      if (subjectAltName != null) {
        getLogger().info("SubjectAltName: " + subjectAltName);
      }
      getLogger().info("Type: " + type);
     
      getLogger().debug("Loading/updating user " + username);
      if (userdata == null) {
        ejb.getUserAdminSession().addUser(getAdmin(),
            username, password,
            CertTools.getSubjectDN(certificate),
            subjectAltName, email,
            false,
            endentityprofileid,
            certificateprofileid,
            type,
            SecConst.TOKEN_SOFT_BROWSERGEN,
            SecConst.NO_HARDTOKENISSUER,
            cainfo.getCAId());
        if (status == SecConst.CERT_ACTIVE) {
          ejb.getUserAdminSession().setUserStatus(getAdmin(), username, UserDataConstants.STATUS_GENERATED);
        }
        else {
          ejb.getUserAdminSession().setUserStatus(getAdmin(), username, UserDataConstants.STATUS_REVOKED);
        }
        getLogger().info("User '" + username + "' has been added.");
      }
      else {
        ejb.getUserAdminSession().changeUser(getAdmin(),
            username, password,
            CertTools.getSubjectDN(certificate),
            subjectAltName, email,
            false,
            endentityprofileid,
            certificateprofileid,
            type,
            SecConst.TOKEN_SOFT_BROWSERGEN,
            SecConst.NO_HARDTOKENISSUER,
            (status == SecConst.CERT_ACTIVE ?
                UserDataConstants.STATUS_GENERATED :
                  UserDataConstants.STATUS_REVOKED),
                  cainfo.getCAId());
        getLogger().info("User '" + username + "' has been updated.");
      }
     
      ejb.getCertStoreSession().storeCertificate(getAdmin(),
          certificate, username,
View Full Code Here
TOP

Related Classes of org.ejbca.core.model.ca.caadmin.CAInfo

  • org.cesecore.core.ejb.ca.crl.CrlCreateSessionBean
  • org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean
  • org.ejbca.core.ejb.ca.caadmin.CAKeystoreExportRemoveRestoreTest
  • org.ejbca.core.ejb.ca.caadmin.CAsTest
  • org.ejbca.core.ejb.ca.CaTestCase
  • org.ejbca.core.ejb.ca.crl.CreateCRLSessionTest
  • org.ejbca.core.ejb.ca.sign.CustomCertSerialnumberTest
  • org.ejbca.core.ejb.ca.sign.ExtendedKeyUsageTest
  • org.ejbca.core.ejb.ca.sign.SignLotsOfCertsTest
  • org.ejbca.core.ejb.ca.sign.SignSessionTest
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.