@Override public void addCert(final P11ObjectIdentifier objectId, final X509Certificate cert) throws P11TokenException, CertificateException { addCert0(objectId, cert); certificates.put(objectId, new X509Cert(cert)); updateCaCertsOfIdentities(); LOG.info("added certificate {}", objectId); }
private boolean verifySignature(X509Certificate cert) { Args.notNull(cert, "cert"); PublicKey caPublicKey = caCert.getCert().getPublicKey(); try { cert.verify(caPublicKey); return true; } catch (SignatureException | InvalidKeyException | CertificateException | NoSuchAlgorithmException | NoSuchProviderException ex) { LOG.debug("{} while verifying signature: {}", ex.getClass().getName(), ex.getMessage()); return false; } } // method verifySignature
void addIssuer(X509Cert issuerCert) throws DataAccessException { if (issuerStore.getIdForCert(issuerCert.getEncodedCert()) != null) { return; String sha1FpCert = HashAlgo.SHA1.base64Hash(issuerCert.getEncodedCert()); long maxId = datasource.getMax(null, "ISSUER", "ID"); int id = (int) maxId + 1; byte[] encodedCert = issuerCert.getEncodedCert(); long notBeforeSeconds = issuerCert.getCert().getNotBefore().getTime() / 1000; long notAfterSeconds = issuerCert.getCert().getNotAfter().getTime() / 1000; String subject = issuerCert.getSubject(); int idx = 1; ps.setInt(idx++, id);
private void refreshCa() throws OperationException { try { X509Ca ca = caManager.getX509Ca(caIdent); X509Cert currentCaCert = ca.getCaInfo().getCert(); if (currentCaCert.equals(caCert)) { return; } caCert = currentCaCert; caCertRespBytes = new ScepCaCertRespBytes(currentCaCert.getCert(), responderCert); } catch (CaMgmtException | CertificateException | CMSException ex) { throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex.getMessage()); } }
private void logAndAudit(String issuer, X509Cert cert, Exception ex, String messagePrefix) { String subjectText = cert.getSubject(); String serialText = LogUtil.formatCsn(cert.getCert().getSerialNumber()); LOG.error("{} (issuser='{}': subject='{}', serialNumber={}). Message: {}", messagePrefix, issuer, subjectText, serialText, ex.getMessage()); LOG.debug("error", ex); AuditEvent event = new AuditEvent(new Date()); event.setApplicationName("CAPublisher"); event.setName("SYSTEM"); event.setLevel(AuditLevel.ERROR); event.setStatus(AuditStatus.FAILED); if (cert instanceof CertWithDbId) { Long certId = ((CertWithDbId) cert).getCertId(); if (certId != null) { event.addEventData("id", certId); } } event.addEventData("issuer", issuer); event.addEventData("subject", subjectText); event.addEventData("serial", serialText); event.addEventData("message", messagePrefix); Audits.getAuditService().logEvent(event); } // method logAndAudit
@Override public boolean caAdded(X509Cert issuer) { try { queryExecutor.addIssuer(issuer); return true; } catch (Exception ex) { logAndAudit(issuer.getSubject(), issuer, ex, "could not publish issuer"); return false; } }
if (setCertAttributes.contains(PKCS11Constants.CKA_SUBJECT)) { newCertTemp.getSubject().setByteArrayValue( cert.getCert().getSubjectX500Principal().getEncoded()); cert.getCert().getIssuerX500Principal().getEncoded()); cert.getCert().getSerialNumber().toByteArray()); newCertTemp.getStartDate().setDateValue(cert.getCert().getNotBefore()); newCertTemp.getStartDate().setDateValue(cert.getCert().getNotAfter()); newCertTemp.getValue().setByteArrayValue(cert.getEncodedCert()); return newCertTemp;
this.certstore = Args.notNull(certstore, "certstore"); SubjectPublicKeyInfo caSpki = this.caCert.getCertHolder().getSubjectPublicKeyInfo(); ASN1ObjectIdentifier caSpkiAlgId = caSpki.getAlgorithm().getAlgorithm(); if (caSpkiAlgId.equals(PKCSObjectIdentifiers.rsaEncryption)) { java.security.interfaces.RSAPublicKey pubKey = (java.security.interfaces.RSAPublicKey) caCert.getCert().getPublicKey(); this.keypairGenControlByImplictCA = new KeypairGenControl.RSAKeypairGenControl( pubKey.getModulus().bitLength(), pubKey.getPublicExponent(), caSpkiAlgId); } else { crlSignerCert = caCert.getCert();
private int getIssuerId(X509Cert issuerCert) throws DataAccessException { Args.notNull(issuerCert, "issuerCert"); Integer id = issuerStore.getIdForCert(issuerCert.getEncodedCert()); if (id == null) { throw new IllegalStateException("could not find issuer, " + "please start XiPKI in master mode first the restart this XiPKI system"); } return id.intValue(); }
X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name(); byte[] caSki = getCa().getCaInfo().getCert().getSubjectKeyIdentifier(); if (!Arrays.equals(caSki, aki.getKeyIdentifier())) { issuerMatched = false; X500Name caSubject = getCa().getCaInfo().getCert().getSubjectAsX500Name(); BigInteger snBigInt = serialNumber.getPositiveValue(); CertId certId = new CertId(new GeneralName(caSubject), serialNumber);
public byte[] getSubjectKeyIdentifer() { if (caCert != null) { return caCert.getSubjectKeyIdentifier(); } else { return (subjectKeyIdentifier == null) ? null : Arrays.copyOf(subjectKeyIdentifier, subjectKeyIdentifier.length); } }
private X509Certificate getIssuerForCert(final X509Certificate cert) { try { if (X509Util.isSelfSigned(cert)) { return null; } for (X509Cert cert2 : certificates.values()) { if (cert2.cert() == cert) { continue; } if (X509Util.issues(cert2.cert(), cert)) { return cert2.cert(); } } } catch (CertificateEncodingException ex) { LOG.warn("invalid encoding of certificate {}", ex.getMessage()); } return null; }
private static X509PublicKeyCertificate createPkcs11Template(final X509Cert cert, final byte[] keyId, final char[] label) { if (label == null || label.length == 0) { throw new IllegalArgumentException("label must not be null or empty"); } X509PublicKeyCertificate newCertTemp = new X509PublicKeyCertificate(); newCertTemp.getId().setByteArrayValue(keyId); newCertTemp.getLabel().setCharArrayValue(label); newCertTemp.getToken().setBooleanValue(true); newCertTemp.getCertificateType().setLongValue(CertificateType.X_509_PUBLIC_KEY); newCertTemp.getSubject().setByteArrayValue( cert.cert().getSubjectX500Principal().getEncoded()); newCertTemp.getIssuer().setByteArrayValue( cert.cert().getIssuerX500Principal().getEncoded()); newCertTemp.getSerialNumber().setByteArrayValue( cert.cert().getSerialNumber().toByteArray()); newCertTemp.getValue().setByteArrayValue(cert.encodedCert()); return newCertTemp; }
@Override public P11ObjectIdentifier addCert(final X509Certificate cert) throws P11TokenException, CertificateException { ParamUtil.requireNonNull("cert", cert); assertWritable("addCert"); byte[] encodedCert = cert.getEncoded(); for (P11ObjectIdentifier objectId : certificates.keySet()) { X509Cert tmpCert = certificates.get(objectId); if (Arrays.equals(encodedCert, tmpCert.encodedCert())) { return objectId; } } byte[] id = generateId(); String cn = X509Util.getCommonName(cert.getSubjectX500Principal()); String label = generateLabel(cn); P11ObjectIdentifier objectId = new P11ObjectIdentifier(id, label); addCert(objectId, cert); return objectId; }
@Override public boolean certificateRevoked(X509Cert caCert, CertWithDbId cert, String certprofile, CertRevocationInfo revInfo) { try { queryExecutor.revokeCert(caCert, cert, revInfo); return true; } catch (Exception ex) { logAndAudit(caCert.getSubject(), cert, ex, "could not publish revoked certificate"); return false; } }
void removeCert(X509Cert issuer, CertWithDbId cert) throws DataAccessException { Args.notNull(issuer, "issuer"); Args.notNull(cert, "cert"); Integer issuerId = issuerStore.getIdForCert(issuer.getEncodedCert()); if (issuerId == null) { return; } final String sql = "DELETE FROM CERT WHERE IID=? AND SN=?"; PreparedStatement ps = datasource.prepareStatement(sql); try { ps.setInt(1, issuerId); ps.setString(2, cert.getCert().getSerialNumber().toString(16)); ps.executeUpdate(); } catch (SQLException ex) { throw datasource.translate(sql, ex); } finally { datasource.releaseResources(ps, null); } } // method removeCert
sb.append("\tCert-").append(i + 1).append(". ").append(objectId.label()); sb.append(" (").append("id: ").append(objectId.label()).append(")\n"); formatString(null, verbose, sb, certificates.get(objectId).cert());
public void setCrlSignerCert(X509Certificate crlSignerCert) { this.crlSignerCert = caCert.getCert().equals(crlSignerCert) ? null : crlSignerCert; }
private X509Cert readCertificate(byte[] keyId) throws CertificateException, IOException { byte[] encoded = IoUtil.read(new File(certDir, hex(keyId) + VALUE_FILE_SUFFIX)); X509Certificate cert = X509Util.parseCert(encoded); return new X509Cert(cert, encoded); }
@Override public boolean certificateUnrevoked(X509Cert caCert, CertWithDbId cert) { try { queryExecutor.unrevokeCert(caCert, cert); return true; } catch (Exception ex) { logAndAudit(caCert.getSubject(), cert, ex, "could not publish unrevocation of certificate"); return false; } }