Package org.ejbca.core.model.ca.catoken

Examples of org.ejbca.core.model.ca.catoken.CATokenContainer

546
547
548
549
550
551
552
553
554
555
556
557
                // Otherwise we will only waste resources
                if (log.isDebugEnabled()) {
                    log.debug("Making test signature with CAs token. CA=" + ca.getName() + ", doSignTest=" + doSignTest + ", CA status=" + status
                            + ", includeInHealthCheck=" + includeInHealthCheck);
                }
                CATokenContainer catoken = ca.getCAToken();
                tokenstatus = catoken.getCATokenInfo().getCATokenStatus();
            } else {
                // if (log.isDebugEnabled()) {
                // log.debug("Not making test signature with CAs token. doSignTest="+doSignTest+", CA status="+status+", includeInHealthCheck="+includeInHealthCheck);
                // }
                tokenstatus = cainfo.getCATokenInfo().getCATokenStatus();
View Full Code Here
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
            if (tinfo != null) {
                signAlg = tinfo.getSignatureAlgorithm();
            }
            log.debug("Using signing algorithm: " + signAlg + " for the CSR.");

            CATokenContainer caToken = ca.getCAToken();
            if (regenerateKeys) {
                log.debug("Generating new keys.");
                keystorepass = getDefaultKeyStorePassIfSWAndEmpty(keystorepass, caToken.getCATokenInfo());
                caToken.generateKeys(keystorepass, true, activatekey);
                ca.setCAToken(caToken);
                // In order to generate a certificate with this keystore we must
                // make sure it is activated
                ca.getCAToken().activate(keystorepass);
            }
View Full Code Here
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
                    tmpchain.addAll(reqchain);
                    Collection<Certificate> chain = CertTools.createCertChain(tmpchain);
                    log.debug("Storing certificate chain of size: " + chain.size());
                    // Before importing the certificate we want to make sure
                    // that the public key matches the CAs private key
                    CATokenContainer catoken = ca.getCAToken();
                    // If it is a DV certificate signed by a CVCA, enrich the
                    // public key for EC parameters from the CVCA's certificate
                    PublicKey pk = cacert.getPublicKey();
                    if (StringUtils.equals(cacert.getType(), "CVC")) {
                        if (pk.getAlgorithm().equals("ECDSA")) {
                            CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cacert;
                            try {
                                if ((cvccert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getRole() == AuthorizationRoleEnum.DV_D)
                                        || (cvccert.getCVCertificate().getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getRole() == AuthorizationRoleEnum.DV_F)) {
                                    log.debug("Enriching DV public key with EC parameters from CVCA");
                                    Certificate cvcacert = (Certificate) reqchain.iterator().next();
                                    pk = KeyTools.getECPublicKeyWithParams(pk, cvcacert.getPublicKey());
                                }
                            } catch (InvalidKeySpecException e) {
                                log.debug("Strange CVCA certificate that we can't get the key from, continuing anyway...", e);
                            } catch (NoSuchFieldException e) {
                                log.debug("Strange DV certificate with no AutheorizationRole, continuing anyway...", e);
                            }
                        } else {
                            log.debug("Key is not ECDSA, don't try to enrich with EC parameters.");
                        }
                    } else {
                        log.debug("Cert is not CVC, no need to enrich with EC parameters.");
                    }
                    try {
                        KeyTools.testKey(catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), pk, catoken.getProvider());
                    } catch (Exception e1) {
                        log.debug("The received certificate response does not match the CAs private signing key for purpose CAKEYPURPOSE_CERTSIGN, trying CAKEYPURPOSE_CERTSIGN_NEXT...");
                        if (e1 instanceof InvalidKeyException) {
                            log.trace(e1);
                        } else {
                            // If it's not invalid key, we want to see more of
                            // the error
                            log.debug("Error: ", e1);
                        }
                        try {
                            KeyTools.testKey(catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN_NEXT), pk, catoken.getProvider());
                            // This was OK, so we must also activate the next
                            // signing key when importing this certificate
                            catoken.activateNextSignKey(tokenAuthenticationCode);
                            ca.setCAToken(catoken);
                            // In order to generate a certificate with this
                            // keystore we must make sure it is activated
                            ca.getCAToken().activate(tokenAuthenticationCode);
                        } catch (Exception e2) {
View Full Code Here
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
                            ca = new CVCCA(cvccainfo);
                        } else {
                            ca = null;
                        }
                        ca.setCertificateChain(certchain);
                        CATokenContainer token = new CATokenContainerImpl(new NullCATokenInfo(), cainfo.getCAId());
                        ca.setCAToken(token);

                        // set status to active
                        entityManager.persist(new CAData(cainfo.getSubjectDN(), cainfo.getName(), SecConst.CA_EXTERNAL, ca));
                        //cadatahome.create(cainfo.getSubjectDN(), cainfo.getName(), SecConst.CA_EXTERNAL, ca);
View Full Code Here
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
            log.info("Creating a CVC CA (process request)");
            CVCCAInfo cvccainfo = (CVCCAInfo) cainfo;
            ca = new CVCCA(cvccainfo);
        }
        ca.setCertificateChain(certificates);
        CATokenContainer token = new CATokenContainerImpl(new NullCATokenInfo(), cainfo.getCAId());
        ca.setCAToken(token);
        // set status to active
        entityManager.persist(new CAData(cainfo.getSubjectDN(), cainfo.getName(), SecConst.CA_EXTERNAL, ca));
        // Publish CA certificates.
        publishCACertificate(admin, certificates, null, ca.getSubjectDN());
View Full Code Here
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
            if (ca.getStatus() == SecConst.CA_OFFLINE) {
                String msg = intres.getLocalizedMessage("error.catokenoffline", cadata.getName());
                throw new CATokenOfflineException(msg);
            }

            CATokenContainer caToken = ca.getCAToken();
            if (regenerateKeys) {
                boolean renew = true;
                keystorepass = getDefaultKeyStorePassIfSWAndEmpty(keystorepass, caToken.getCATokenInfo());
                // for internal CAs the new keys are always activated
                caToken.generateKeys(keystorepass, renew, true);
                // We need to save all this
                ca.setCAToken(caToken);
                cadata.setCA(ca);
                // After this we need to reload all CAs?
                // Make sure we store the new CA and token and reload or update
                // the caches
                Provider prov = Security.getProvider(caToken.getProvider());
                if (log.isDebugEnabled() && (prov != null)) {
                    log.debug("Provider classname: " + prov.getClass().getName());
                }
                if ((prov != null) && StringUtils.contains(prov.getClass().getName(), "iaik")) {
                    // This is because IAIK PKCS#11 provider cuts ALL PKCS#11
                    // sessions when I generate new keys for one CA
                    CACacheManager.instance().removeAll();
                    CATokenManager.instance().removeAll();
                } else {
                    // Using the Sun provider we don't have to reload every CA,
                    // just update values in the caches
                    CACacheManager.instance().removeCA(ca.getCAId());
                    CATokenManager.instance().removeCAToken(ca.getCAId());
                }
              cadata = CAData.findByIdOrThrow(entityManager, Integer.valueOf(caid));
                ca = cadata.getCA();
                // In order to generate a certificate with this keystore we must
                // make sure it is activated
                caToken = ca.getCAToken();
                caToken.activate(keystorepass);
            }

            // if issuer is insystem CA or selfsigned, then generate new
            // certificate.
            if (ca.getSignedBy() != CAInfo.SIGNEDBYEXTERNALCA) {
                if (ca.getSignedBy() == CAInfo.SELFSIGNED) {
                    // create selfsigned certificate
                    String subjectAltName = null;
                    if (ca instanceof X509CA) {
                        X509CA x509ca = (X509CA) ca;
                        subjectAltName = x509ca.getSubjectAltName();
                    }
                    UserDataVO cainfodata = new UserDataVO("nobody", ca.getSubjectDN(), ca.getSubjectDN().hashCode(), subjectAltName, null, 0, 0, 0, ca
                            .getCertificateProfileId(), null, null, 0, 0, null);

                    CertificateProfile certprofile = certificateProfileSession.getCertificateProfile(admin, ca.getCertificateProfileId());
                    // get from CAtoken to make sure it is fresh
                    String sequence = caToken.getCATokenInfo().getKeySequence();
                    cacertificate = ca.generateCertificate(cainfodata, ca.getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN), -1, ca.getValidity(),
                            certprofile, sequence);
                    // Build Certificate Chain
                    cachain = new ArrayList<Certificate>();
                    cachain.add(cacertificate);

                } else {
                    // Resign with CA above.
                    if (ca.getSignedBy() > CAInfo.SPECIALCAIDBORDER || ca.getSignedBy() < 0) {
                        // Create CA signed by other internal CA.
                      CAData signcadata = CAData.findByIdOrThrow(entityManager, Integer.valueOf(ca.getSignedBy()));
                        CA signca = signcadata.getCA();
                        // Check that the signer is valid
                        checkSignerValidity(admin, signcadata);
                        // Create cacertificate
                        String subjectAltName = null;
                        if (ca instanceof X509CA) {
                            X509CA x509ca = (X509CA) ca;
                            subjectAltName = x509ca.getSubjectAltName();
                        }
                        UserDataVO cainfodata = new UserDataVO("nobody", ca.getSubjectDN(), ca.getSubjectDN().hashCode(), subjectAltName, null, 0, 0, 0, ca
                                .getCertificateProfileId(), null, null, 0, 0, null);

                        CertificateProfile certprofile = certificateProfileSession.getCertificateProfile(admin, ca.getCertificateProfileId());
                        String sequence = caToken.getCATokenInfo().getKeySequence(); // get from CAtoken to make sure it is fresh
                        cacertificate = signca.generateCertificate(cainfodata, ca.getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN), -1, ca
                                .getValidity(), certprofile, sequence);
                        // Build Certificate Chain
                        Collection<Certificate> rootcachain = signca.getCertificateChain();
                        cachain = new ArrayList<Certificate>();
View Full Code Here
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
                    Authorizer.throwAuthorizationException(admin, AccessRulesConstants.ROLE_SUPERADMINISTRATOR, null);
                }
            }
            CAData caData = CAData.findByNameOrThrow(entityManager, caname);
            CA thisCa = caData.getCA();
            CATokenContainer thisCAToken = thisCa.getCAToken();
            int tokentype = thisCAToken.getCATokenType();
            if (tokentype != CATokenConstants.CATOKENTYPE_P12 && thisCAToken.getCATokenInfo() instanceof SoftCATokenInfo) {
                throw new Exception("Cannot export anything but a soft token.");
            }
            // Create a new CAToken with the same properties but OFFLINE and
            // without keystore
            SoftCATokenInfo thisCATokenInfo = (SoftCATokenInfo) thisCAToken.getCATokenInfo();
            thisCATokenInfo.setCATokenStatus(ICAToken.STATUS_OFFLINE);
            CATokenContainer emptyToken = new CATokenContainerImpl(thisCATokenInfo, caData.getCaId());
            thisCa.setCAToken(emptyToken);
            // Save to database
            caData.setCA(thisCa);
            // Log
            String msg = intres.getLocalizedMessage("caadmin.removedcakeystore", Integer.valueOf(thisCa.getCAId()));
View Full Code Here
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
            }

            CAData caData = CAData.findByNameOrThrow(entityManager, caname);
            CA thisCa = caData.getCA();

            CATokenContainer thisCAToken = thisCa.getCAToken();
            int tokentype = thisCAToken.getCATokenType();
            if (tokentype != CATokenConstants.CATOKENTYPE_P12 && thisCAToken.getCATokenInfo() instanceof SoftCATokenInfo) {
                throw new Exception("Cannot restore anything but a soft token.");
            }

            // Only restore to an offline CA
            if (thisCAToken.getCATokenInfo().getCATokenStatus() != ICAToken.STATUS_OFFLINE) {
                throw new Exception("The CA already has an active CA token.");
            }

            // load keystore
            KeyStore keystore = KeyStore.getInstance("PKCS12", "BC");
            keystore.load(new ByteArrayInputStream(p12file), keystorepass.toCharArray());
            // Extract signature keys
            if (privateSignatureKeyAlias == null || !keystore.isKeyEntry(privateSignatureKeyAlias)) {
                throw new Exception("Alias \"" + privateSignatureKeyAlias + "\" not found.");
            }
            Certificate[] signatureCertChain = KeyTools.getCertChain(keystore, privateSignatureKeyAlias);
            if (signatureCertChain.length < 1) {
                String msg = "Cannot load certificate chain with alias " + privateSignatureKeyAlias;
                log.error(msg);
                throw new Exception(msg);
            }
            Certificate caSignatureCertificate = (Certificate) signatureCertChain[0];
            PublicKey p12PublicSignatureKey = caSignatureCertificate.getPublicKey();
            PrivateKey p12PrivateSignatureKey = null;
            p12PrivateSignatureKey = (PrivateKey) keystore.getKey(privateSignatureKeyAlias, privkeypass.toCharArray());

            // Extract encryption keys
            PrivateKey p12PrivateEncryptionKey = null;
            PublicKey p12PublicEncryptionKey = null;
            Certificate caEncryptionCertificate = null;
            if (privateEncryptionKeyAlias != null) {
                if (!keystore.isKeyEntry(privateEncryptionKeyAlias)) {
                    throw new Exception("Alias \"" + privateEncryptionKeyAlias + "\" not found.");
                }
                Certificate[] encryptionCertChain = KeyTools.getCertChain(keystore, privateEncryptionKeyAlias);
                if (encryptionCertChain.length < 1) {
                    String msg = "Cannot load certificate chain with alias " + privateEncryptionKeyAlias;
                    log.error(msg);
                    throw new Exception(msg);
                }
                caEncryptionCertificate = (Certificate) encryptionCertChain[0];
                p12PrivateEncryptionKey = (PrivateKey) keystore.getKey(privateEncryptionKeyAlias, privkeypass.toCharArray());
                p12PublicEncryptionKey = caEncryptionCertificate.getPublicKey();
            } else {
                throw new Exception("Missing encryption key");
            }

            // Sign something to see that we are restoring the right private
            // signature key
            String testSigAlg = (String) AlgorithmTools.getSignatureAlgorithms(thisCa.getCACertificate().getPublicKey()).iterator().next();
            if (testSigAlg == null) {
                testSigAlg = "SHA1WithRSA";
            }
            // Sign with imported private key
            byte[] input = "Test data...".getBytes();
            Signature signature = Signature.getInstance(testSigAlg, "BC");
            signature.initSign(p12PrivateSignatureKey);
            signature.update(input);
            byte[] signed = signature.sign();
            // Verify with public key from CA certificate
            signature = Signature.getInstance(testSigAlg, "BC");
            signature.initVerify(thisCa.getCACertificate().getPublicKey());
            signature.update(input);
            if (!signature.verify(signed)) {
                throw new Exception("Could not use private key for verification. Wrong p12-file for this CA?");
            }

            // Import the keys and save to database
            thisCAToken.importKeys(keystorepass, p12PrivateSignatureKey, p12PublicSignatureKey, p12PrivateEncryptionKey, p12PublicEncryptionKey,
                    signatureCertChain);
            thisCa.setCAToken(thisCAToken);
            caData.setCA(thisCa);

            // Log
View Full Code Here
262
263
264
265
266
267
268
269
270
271
272
     *
     * @return The CAs token, be it soft or hard.
     * @throws IllegalKeyStoreException If the token keystore is invalid (crypto error thrown by crypto provider), or the CA token type is undefined.
     */
    public CATokenContainer getCAToken(int caid) throws IllegalKeyStoreException {
        CATokenContainer ret = CATokenManager.instance().getCAToken(caid);
        if (ret == null) {
          Integer tokentype = (Integer) ((HashMap)data.get(CATOKENDATA)).get(CATokenContainer.CATOKENTYPE);
            switch(tokentype.intValue()) {
            case CATokenConstants.CATOKENTYPE_P12:
                ret = new CATokenContainerImpl((HashMap)data.get(CATOKENDATA), caid);
View Full Code Here
534
535
536
537
538
539
540
541
542
543
544
545
546
      data.put(APPROVALSETTINGS,cainfo.getApprovalSettings());
        data.put(NUMBEROFREQAPPROVALS,Integer.valueOf(cainfo.getNumOfReqApprovals()));
        if (cainfo.getCertificateProfileId() > 0) {
            data.put(CERTIFICATEPROFILEID,Integer.valueOf(cainfo.getCertificateProfileId()));         
        }
      CATokenContainer token = getCAToken();
      if (token != null) {
        token.updateCATokenInfo(cainfo.getCATokenInfo());
        setCAToken(token);
      }
      setFinishUser(cainfo.getFinishUser());
      setIncludeInHealthCheck(cainfo.getIncludeInHealthCheck());
        setDoEnforceUniquePublicKeys(cainfo.isDoEnforceUniquePublicKeys());
View Full Code Here
TOP

Related Classes of org.ejbca.core.model.ca.catoken.CATokenContainer

  • org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean
  • org.ejbca.core.ejb.ca.sign.RSASignSessionBean
  • org.ejbca.core.model.ca.caadmin.CA
  • org.ejbca.core.model.ca.caadmin.CVCCA
  • org.ejbca.core.model.ca.caadmin.X509CA
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.