/**
 * Adds protection to an outgoing PKI message via {@code CmpUtil.addProtection}, using
 * this responder's signer and sender.
 *
 * <p>If protection fails for any reason, the failure is logged, the audit event is marked
 * ERROR / FAILED, and an error message with failure info {@code systemFailure} is returned
 * instead. The error message reuses the header of {@code pkiMessage}.
 *
 * @param pkiMessage the message to protect.
 * @param event the audit event updated when protection fails.
 * @return the protected message, or the fallback error message.
 */
private PKIMessage addProtection(PKIMessage pkiMessage, AuditEvent event) {
    try {
        boolean includeResponderCert = getCmpControl().sendResponderCert();
        return CmpUtil.addProtection(pkiMessage, getSigner(), getSender(), includeResponderCert);
    } catch (Exception ex) {
        LogUtil.error(LOG, ex, "could not add protection to the PKI message");

        // The client-facing text stays generic; the exception detail goes to the log only.
        PKIStatusInfo rejection = generateRejectionStatus(
                PKIFailureInfo.systemFailure, "could not sign the PKIMessage");

        event.setLevel(AuditLevel.ERROR);
        event.setStatus(AuditStatus.FAILED);
        event.addEventData(CaAuditConstants.NAME_message, "could not sign the PKIMessage");

        // NOTE(review): this fallback is built directly and never passes through
        // CmpUtil.addProtection, so it appears to go out without a signature of its own;
        // confirm that clients do not treat it as an authenticated response.
        ErrorMsgContent errorContent = new ErrorMsgContent(rejection);
        return new PKIMessage(pkiMessage.getHeader(), new PKIBody(PKIBody.TYPE_ERROR, errorContent));
    }
}
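/**
 * Asserts that an encoded time-stamp response is a rejection whose failure info is
 * {@code unacceptedPolicy}.
 *
 * @param response the encoded time-stamp response to parse.
 * @throws Exception if the response cannot be parsed.
 */
private void unacceptableResponseParse(byte[] response) throws Exception {
    TimeStampResponse resp = new TimeStampResponse(response);

    if (resp.getStatus() != PKIStatus.REJECTION) {
        fail("request not rejected.");
    }

    // A rejection without failure info is reported as a test failure rather than
    // surfacing as a NullPointerException, and the message names what was expected
    // so it can be told apart from the status check above.
    if (resp.getFailInfo() == null
            || resp.getFailInfo().intValue() != PKIFailureInfo.unacceptedPolicy) {
        fail("request not rejected with unacceptedPolicy.");
    }
}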
/**
 * Checks that each listed {@code PKIFailureInfo} constant corresponds to the expected
 * bit position, then runs the encoding comparison in {@code testEncoding()}.
 *
 * <p>Only the bit positions listed below are checked.
 *
 * @throws IOException propagated from the checks.
 */
public void performTest() throws IOException {
    // Each row is {bit position, PKIFailureInfo constant}; rows are checked in order.
    final int[][] expectedFlags = {
        {0, PKIFailureInfo.badAlg},
        {1, PKIFailureInfo.badMessageCheck},
        {2, PKIFailureInfo.badRequest},
        {3, PKIFailureInfo.badTime},
        {4, PKIFailureInfo.badCertId},
        {5, PKIFailureInfo.badDataFormat},
        {6, PKIFailureInfo.wrongAuthority},
        {7, PKIFailureInfo.incorrectData},
        {8, PKIFailureInfo.missingTimeStamp},
        {9, PKIFailureInfo.badPOP},
        {14, PKIFailureInfo.timeNotAvailable},
        {15, PKIFailureInfo.unacceptedPolicy},
        {16, PKIFailureInfo.unacceptedExtension},
        {17, PKIFailureInfo.addInfoNotAvailable},
        {25, PKIFailureInfo.systemFailure},
    };

    for (int row = 0; row < expectedFlags.length; row++) {
        BitStringConstantTester.testFlagValueCorrect(expectedFlags[row][0], expectedFlags[row][1]);
    }

    testEncoding();
}
/**
 * Returns the failure info carried in the response status.
 *
 * @return a new {@code PKIFailureInfo} wrapping the status's failInfo, or {@code null}
 *     when the status has no failInfo. Callers must handle the {@code null} case.
 */
public PKIFailureInfo getFailInfo() {
    if (resp.getStatus().getFailInfo() == null) {
        return null;
    }

    return new PKIFailureInfo(resp.getStatus().getFailInfo());
}
/**
 * Generate a generic rejection response from an exception raised while validating a
 * request.
 *
 * <p>A {@code TSPValidationException} contributes its own failure code; any other
 * exception is reported as {@code systemFailure}. In both cases the value of
 * {@code exception.getMessage()} is used as the status string of the response.
 *
 * @param exception the exception thrown on validating the request.
 * @return a TimeStampResponse.
 * @throws TSPException if a failure response cannot be generated.
 */
public TimeStampResponse generateRejectedResponse(Exception exception) throws TSPException {
    // NOTE(review): for exceptions other than TSPValidationException the raw message is
    // passed through as the status string; callers should make sure such messages do not
    // carry internal detail they would not want to return to the requester.
    int failureCode = (exception instanceof TSPValidationException)
            ? ((TSPValidationException) exception).getFailureCode()
            : PKIFailureInfo.systemFailure;

    return generateFailResponse(PKIStatus.REJECTION, failureCode, exception.getMessage());
}
/**
 * Builds a PKI body of type {@code TYPE_ERROR} from a status, a failure-info value and
 * an optional status message.
 *
 * @param pkiStatus the status to report.
 * @param failureInfo the {@code PKIFailureInfo} value to report.
 * @param statusMessage free text for the status, or {@code null} to send none.
 * @return the error body.
 */
private static PKIBody buildErrorMsgPkiBody(PKIStatus pkiStatus, int failureInfo,
        String statusMessage) {
    PKIFreeText freeText = null;
    if (statusMessage != null) {
        freeText = new PKIFreeText(statusMessage);
    }

    PKIStatusInfo statusInfo =
            new PKIStatusInfo(pkiStatus, freeText, new PKIFailureInfo(failureInfo));
    return new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(statusInfo));
}
/**
 * Compares the DER encoding of a {@code PKIFailureInfo} built from the reference bit
 * string in {@code CORRECT_FAILURE_INFO} with one built from the OR of
 * {@code badRequest}, {@code badTime}, {@code badDataFormat} and {@code incorrectData},
 * and fails the test when the two encodings differ.
 *
 * @throws IOException if the reference cannot be read or an object cannot be encoded.
 */
private void testEncoding() throws IOException {
    ASN1InputStream referenceIn = new ASN1InputStream(CORRECT_FAILURE_INFO);
    DERBitString referenceBits = (DERBitString) referenceIn.readObject();
    PKIFailureInfo fromReference = new PKIFailureInfo(referenceBits);

    int combinedFlags = PKIFailureInfo.badRequest
            | PKIFailureInfo.badTime
            | PKIFailureInfo.badDataFormat
            | PKIFailureInfo.incorrectData;
    PKIFailureInfo fromFlags = new PKIFailureInfo(combinedFlags);

    byte[] expectedDer = fromReference.getEncoded(ASN1Encoding.DER);
    byte[] actualDer = fromFlags.getEncoded(ASN1Encoding.DER);
    if (!areEqual(expectedDer, actualDer)) {
        fail("encoding doesn't match");
    }
}
/**
 * Validate the timestamp request against the caller's acceptance sets.
 *
 * <p>The checks run in this order and the first failure is reported: message imprint
 * algorithm, requested policy, request extensions, and finally the length of the imprint
 * digest for the stated algorithm. The policy check is skipped when the request names no
 * policy or {@code policies} is null; the extension check is skipped when the request
 * has no extensions or {@code extensions} is null.
 *
 * @param algorithms a set of OIDs giving accepted algorithms.
 * @param policies if non-null a set of policies OIDs we are willing to sign under.
 * @param extensions if non-null a set of extensions OIDs we are willing to accept.
 * @throws TSPException if the request is invalid, or processing fails.
 */
public void validate(Set algorithms, Set policies, Set extensions) throws TSPException {
    final Set acceptedAlgorithms = convert(algorithms);
    final Set acceptedPolicies = convert(policies);
    final Set acceptedExtensions = convert(extensions);

    // NOTE(review): the algorithm and policy sets are probed with OID objects, while the
    // extension set below is probed with the String form of the OID; confirm that
    // convert() leaves each set holding the element type its lookup uses.
    boolean algorithmAccepted = acceptedAlgorithms.contains(this.getMessageImprintAlgOID());
    if (!algorithmAccepted) {
        throw new TSPValidationException("request contains unknown algorithm.",
                PKIFailureInfo.badAlg);
    }

    boolean policyToCheck = acceptedPolicies != null && this.getReqPolicy() != null;
    if (policyToCheck && !acceptedPolicies.contains(this.getReqPolicy())) {
        throw new TSPValidationException("request contains unknown policy.",
                PKIFailureInfo.unacceptedPolicy);
    }

    if (this.getExtensions() != null && acceptedExtensions != null) {
        for (Enumeration oids = this.getExtensions().oids(); oids.hasMoreElements();) {
            String extensionOid = ((DERObjectIdentifier) oids.nextElement()).getId();
            if (!acceptedExtensions.contains(extensionOid)) {
                throw new TSPValidationException("request contains unknown extension.",
                        PKIFailureInfo.unacceptedExtension);
            }
        }
    }

    // Only the digest length is compared here; the digest value itself is not inspected.
    int expectedLength = TSPUtil.getDigestLength(this.getMessageImprintAlgOID().getId());
    int actualLength = this.getMessageImprintDigest().length;
    if (expectedLength != actualLength) {
        throw new TSPValidationException("imprint digest the wrong length.",
                PKIFailureInfo.badDataFormat);
    }
}
/**
 * Validate the timestamp request, checking that the message imprint algorithm is
 * accepted and that the imprint digest has the length expected for that algorithm.
 * The requested policy and the request extensions are also checked when both the request
 * and the caller supply them.
 *
 * <p>Checks run in the order algorithm, policy, extensions, digest length; the first
 * failing check determines the exception.
 *
 * @param algorithms a set of OIDs giving accepted algorithms.
 * @param policies if non-null a set of policies OIDs we are willing to sign under.
 * @param extensions if non-null a set of extensions OIDs we are willing to accept.
 * @throws TSPException if the request is invalid, or processing fails.
 */
public void validate(Set algorithms, Set policies, Set extensions) throws TSPException {
    Set allowedAlgs = convert(algorithms);
    Set allowedPolicies = convert(policies);
    Set allowedExts = convert(extensions);

    if (!allowedAlgs.contains(this.getMessageImprintAlgOID())) {
        throw new TSPValidationException("request contains unknown algorithm.",
                PKIFailureInfo.badAlg);
    }

    // A request that names no policy is not checked against the policy set.
    if (allowedPolicies != null && this.getReqPolicy() != null) {
        if (!allowedPolicies.contains(this.getReqPolicy())) {
            throw new TSPValidationException("request contains unknown policy.",
                    PKIFailureInfo.unacceptedPolicy);
        }
    }

    if (this.getExtensions() != null && allowedExts != null) {
        // NOTE(review): this lookup uses the String id of each OID, whereas the algorithm
        // and policy lookups above use OID objects; confirm that convert() produces a set
        // whose elements match the type used here.
        Enumeration requested = this.getExtensions().oids();
        while (requested.hasMoreElements()) {
            ASN1ObjectIdentifier current = (ASN1ObjectIdentifier) requested.nextElement();
            String id = current.getId();
            if (!allowedExts.contains(id)) {
                throw new TSPValidationException("request contains unknown extension.",
                        PKIFailureInfo.unacceptedExtension);
            }
        }
    }

    // Length check only: the digest bytes themselves are not examined.
    int requiredLength = TSPUtil.getDigestLength(this.getMessageImprintAlgOID().getId());
    if (this.getMessageImprintDigest().length != requiredLength) {
        throw new TSPValidationException("imprint digest the wrong length.",
                PKIFailureInfo.badDataFormat);
    }
}
/**
 * Handles a PKI body with the choice {@code p10cr} (a PKCS#10 certification request).
 *
 * <p>Since it is not possible to add an attribute to the PKCS#10 request (CSR), the
 * certificate profile must be specified in the attribute regInfo-utf8Pairs
 * (1.3.6.1.5.5.7.5.2.1) within PKIHeader.generalInfo. Optional notBefore / notAfter
 * values are read from the same key/value pairs.
 *
 * <p>Processing order: the proof of possession is verified first; then the profile name
 * is required and checked against the requestor's permitted profiles; only then is a
 * certificate generated. Each failure produces an error {@code CertResponse} (badPOP,
 * badCertTemplate or notAuthorized) inside a {@code TYPE_CERT_REP} body.
 *
 * @param request the complete request message, passed on to certificate generation.
 * @param requestor the requestor whose permitted profiles are consulted.
 * @param tid the transaction id, passed on to certificate generation.
 * @param reqHeader the request header whose generalInfo carries the key/value pairs.
 * @param p10cr the PKCS#10 request.
 * @param cmpControl control settings; decides whether the CA certificate is returned.
 * @param msgId message id, passed on to certificate generation.
 * @param event audit event, passed on to certificate generation.
 * @return a body of type {@code TYPE_CERT_REP} holding exactly one response.
 */
private PKIBody processP10cr(PKIMessage request, CmpRequestorInfo requestor,
        ASN1OctetString tid, PKIHeader reqHeader, CertificationRequest p10cr,
        CmpControl cmpControl, String msgId, AuditEvent event) {
    // verify the POP first
    CertResponse certResp;
    // A p10cr carries no certReqId of its own, so -1 is used for the single response.
    ASN1Integer certReqId = new ASN1Integer(-1);
    boolean certGenerated = false;
    X509Ca ca = getCa();

    // NOTE(review): the POP validator is taken from getCmpControl() while the rest of the
    // method uses the cmpControl parameter; confirm both refer to the same settings.
    if (!securityFactory.verifyPopo(p10cr, getCmpControl().popoAlgoValidator())) {
        LOG.warn("could not validate POP for the pkcs#10 requst");
        certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "invalid POP");
    } else {
        CertificationRequestInfo certTemp = p10cr.getCertificationRequestInfo();
        Extensions extensions = CaUtil.getExtensions(certTemp);
        X500Name subject = certTemp.getSubject();
        SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
        // Profile name and validity come from the request header, i.e. from the requester.
        CmpUtf8Pairs keyvalues = CmpUtil.extract(reqHeader.getGeneralInfo());
        String certprofileName = null;
        Date notBefore = null;
        Date notAfter = null;
        if (keyvalues != null) {
            certprofileName = keyvalues.value(CmpUtf8Pairs.KEY_CERT_PROFILE);
            // NOTE(review): how parseUtcTimeyyyyMMddhhmmss reacts to a malformed value is
            // not visible here; confirm a bad value ends in a rejection, not an unhandled
            // exception.
            String str = keyvalues.value(CmpUtf8Pairs.KEY_NOT_BEFORE);
            if (str != null) {
                notBefore = DateUtil.parseUtcTimeyyyyMMddhhmmss(str);
            }
            str = keyvalues.value(CmpUtf8Pairs.KEY_NOT_AFTER);
            if (str != null) {
                notAfter = DateUtil.parseUtcTimeyyyyMMddhhmmss(str);
            }
        }

        if (certprofileName == null) {
            // No profile named in the header: the request cannot be mapped to a profile.
            certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate,
                    "badCertTemplate", null);
        } else {
            // NOTE(review): toUpperCase() without a Locale uses the JVM default locale, and
            // the result feeds the permission check below; confirm the permitted-profile
            // names are normalised the same way, or use a fixed locale on both sides.
            certprofileName = certprofileName.toUpperCase();
            // Authorisation gate: the requestor must be permitted to use this profile.
            if (!requestor.isCertProfilePermitted(certprofileName)) {
                String msg = "certprofile " + certprofileName + " is not allowed";
                certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.notAuthorized, msg);
            } else {
                CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo,
                        notBefore, notAfter, extensions, certprofileName);
                // One template in, one response out: only the first element is used.
                certResp = generateCertificates(Arrays.asList(certTemplateData),
                        Arrays.asList(certReqId), requestor, tid, false, request, cmpControl,
                        msgId, event).get(0);
                certGenerated = true;
            }
        }
    }

    // The CA certificate is attached only when generation was reached and the control
    // settings ask for it; error-only responses never carry caPubs.
    CMPCertificate[] caPubs = null;
    if (certGenerated && cmpControl.sendCaCert()) {
        caPubs = new CMPCertificate[]{ca.caInfo().certInCmpFormat()};
    }
    CertRepMessage repMessage = new CertRepMessage(caPubs, new CertResponse[]{certResp});
    return new PKIBody(PKIBody.TYPE_CERT_REP, repMessage);
}
/**
 * Maps the error code of an {@code OperationException} to a {@code PKIFailureInfo} value.
 *
 * <p>Several error codes share one failure value, and any code not listed falls back to
 * {@code systemFailure}.
 *
 * @param ex the exception whose error code is translated.
 * @return the corresponding {@code PKIFailureInfo} value.
 */
private int getPKiFailureInfo(OperationException ex) {
    switch (ex.errorCode()) {
        case ALREADY_ISSUED:
        case BAD_REQUEST:
        case INVALID_EXTENSION:
            return PKIFailureInfo.badRequest;

        case BAD_CERT_TEMPLATE:
        case UNKNOWN_CERT_PROFILE:
            return PKIFailureInfo.badCertTemplate;

        case CERT_REVOKED:
            return PKIFailureInfo.certRevoked;

        case CERT_UNREVOKED:
        case NOT_PERMITTED:
            return PKIFailureInfo.notAuthorized;

        case BAD_POP:
            return PKIFailureInfo.badPOP;

        case SYSTEM_UNAVAILABLE:
            return PKIFailureInfo.systemUnavail;

        case UNKNOWN_CERT:
            return PKIFailureInfo.badCertId;

        // Internal failures and anything unrecognised are all reported as systemFailure.
        case CRL_FAILURE:
        case DATABASE_FAILURE:
        case SYSTEM_FAILURE:
        default:
            return PKIFailureInfo.systemFailure;
    }
}
/**
 * Processes a certificate confirmation: each confirmed certificate is removed from the
 * pending pool, and a certificate the client did not accept is revoked with reason
 * {@code CESSATION_OF_OPERATION}. Afterwards the remaining pending certificates of the
 * transaction are handed to {@code revokePendingCertificates}.
 *
 * <p>A confirmation that matches no pending certificate is logged at WARN and skipped; it
 * does not by itself change the result. A failed revocation is logged at WARN and the
 * loop continues.
 *
 * @param transactionId the transaction the confirmation belongs to.
 * @param certConf the confirmation content sent by the client.
 * @param msgId message id passed to the revocation calls.
 * @return a {@code TYPE_CONFIRM} body when nothing had to be revoked, otherwise a
 *     {@code TYPE_ERROR} body with status rejection and failure info systemFailure.
 */
private PKIBody confirmCertificates(ASN1OctetString transactionId,
        CertConfirmContent certConf, String msgId) {
    boolean allConfirmed = true;

    for (CertStatus confirmation : certConf.toCertStatusArray()) {
        ASN1Integer reqId = confirmation.getCertReqId();
        byte[] hash = confirmation.getCertHash().getOctets();

        // The lookup is keyed on transaction id, request id and certificate hash.
        X509CertificateInfo pending = pendingCertPool.removeCertificate(
                transactionId.getOctets(), reqId.getPositiveValue(), hash);
        if (pending == null) {
            if (LOG.isWarnEnabled()) {
                // NOTE(review): confirm Hex.encode yields a printable String here so the
                // logged hash is usable when investigating unmatched confirmations.
                LOG.warn("no cert under transactionId={}, certReqId={} and certHash=0X{}",
                        transactionId, reqId.getPositiveValue(), Hex.encode(hash));
            }
            continue;
        }

        // No status info, GRANTED or GRANTED_WITH_MODS all count as acceptance.
        PKIStatusInfo clientStatus = confirmation.getStatusInfo();
        if (clientStatus == null) {
            continue;
        }
        int statusValue = clientStatus.getStatus().intValue();
        if (PKIStatus.GRANTED == statusValue || PKIStatus.GRANTED_WITH_MODS == statusValue) {
            continue;
        }

        // The client rejected the certificate, so it is revoked.
        BigInteger serial = pending.cert().cert().getSerialNumber();
        X509Ca ca = getCa();
        try {
            ca.revokeCertificate(serial, CrlReason.CESSATION_OF_OPERATION, new Date(), msgId);
        } catch (OperationException ex) {
            LogUtil.warn(LOG, ex, "could not revoke certificate ca=" + ca.caInfo().ident()
                    + " serialNumber=" + LogUtil.formatCsn(serial));
        }
        allConfirmed = false;
    }

    // all other certificates should be revoked
    boolean leftoversRevoked = revokePendingCertificates(transactionId, msgId);
    if (leftoversRevoked) {
        allConfirmed = false;
    }

    if (!allConfirmed) {
        PKIStatusInfo failure = new PKIStatusInfo(PKIStatus.rejection, null,
                new PKIFailureInfo(PKIFailureInfo.systemFailure));
        return new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(failure));
    }

    return new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
}
/**
 * Handles a revocation request body that may ask to revoke, unrevoke or remove
 * certificates.
 *
 * <p>The CRL reason code of every entry decides which of the three operations it asks
 * for, and therefore which permission is required. All entries of one request must ask
 * for the same operation; otherwise the request is rejected with {@code badRequest}. The
 * requestor's permission is checked before {@code unRevokeRemoveCertificates} is called.
 *
 * @param request the complete request message.
 * @param respHeader not used by this method.
 * @param cmpControl control settings passed on to the operation.
 * @param reqHeader not used by this method.
 * @param reqBody the request body holding the {@code RevReqContent}.
 * @param requestor the requestor whose permission is checked.
 * @param msgId message id passed on to the operation.
 * @param event audit event; receives the event type and, on a permission failure, the
 *     FAILED status and the message NOT_PERMITTED.
 * @return the result of the operation, or a {@code TYPE_ERROR} body on rejection.
 */
private PKIBody cmpUnRevokeRemoveCertificates(PKIMessage request,
        PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader,
        PKIBody reqBody, CmpRequestorInfo requestor, String msgId, AuditEvent event) {
    // Permission implied by the first entry; stays null until an entry has been seen.
    Integer requiredPermission = null;
    boolean allRevdetailsOfSameType = true;

    RevReqContent rr = RevReqContent.getInstance(reqBody.getContent());
    RevDetails[] revContent = rr.toRevDetailsArray();

    int len = revContent.length;
    for (int i = 0; i < len; i++) {
        RevDetails revDetails = revContent[i];
        Extensions crlDetails = revDetails.getCrlEntryDetails();
        // Entries without a reasonCode extension are treated as UNSPECIFIED, which
        // falls into the plain revoke branch below.
        int reasonCode = CrlReason.UNSPECIFIED.code();
        if (crlDetails != null) {
            ASN1ObjectIdentifier extId = Extension.reasonCode;
            ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId);
            if (extValue != null) {
                reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue();
            }
        }

        // NOTE(review): requiredPermission is an Integer compared with != against the
        // PermissionConstants values; this is a numeric comparison only if those
        // constants are primitive ints -- confirm.
        if (reasonCode == XiSecurityConstants.CMP_CRL_REASON_REMOVE) {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_remove);
                requiredPermission = PermissionConstants.REMOVE_CERT;
            } else if (requiredPermission != PermissionConstants.REMOVE_CERT) {
                allRevdetailsOfSameType = false;
                break;
            }
        } else if (reasonCode == CrlReason.REMOVE_FROM_CRL.code()) {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_unrevoke);
                requiredPermission = PermissionConstants.UNREVOKE_CERT;
            } else if (requiredPermission != PermissionConstants.UNREVOKE_CERT) {
                allRevdetailsOfSameType = false;
                break;
            }
        } else {
            // Every other reason code is an ordinary revocation.
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_revoke);
                requiredPermission = PermissionConstants.REVOKE_CERT;
            } else if (requiredPermission != PermissionConstants.REVOKE_CERT) {
                allRevdetailsOfSameType = false;
                break;
            }
        }
    } // end for

    if (!allRevdetailsOfSameType) {
        // Mixed operations would need more than one permission; reject the whole request.
        ErrorMsgContent emc = new ErrorMsgContent(
                new PKIStatusInfo(PKIStatus.rejection,
                        new PKIFreeText("not all revDetails are of the same type"),
                        new PKIFailureInfo(PKIFailureInfo.badRequest)));
        return new PKIBody(PKIBody.TYPE_ERROR, emc);
    } else {
        // NOTE(review): when the request holds no RevDetails entries the loop never runs
        // and requiredPermission is still null at this point; confirm checkPermission and
        // unRevokeRemoveCertificates handle null, or reject an empty request beforehand.
        try {
            checkPermission(requestor, requiredPermission);
        } catch (InsuffientPermissionException ex) {
            event.setStatus(AuditStatus.FAILED);
            event.addEventData(CaAuditConstants.NAME_message, "NOT_PERMITTED");
            // No free text is returned to the requester on an authorisation failure.
            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.notAuthorized, null);
        }

        return unRevokeRemoveCertificates(request, rr, requiredPermission, cmpControl, msgId);
    }
}
/**
 * Builds a {@code PKIStatusInfo} from a status, an optional failure-info value and an
 * optional message.
 *
 * @param status the status to report.
 * @param info the {@code PKIFailureInfo} value, or {@code null} to send no failure info.
 * @param errorMessage free text for the status, or {@code null} to send none.
 * @return the assembled status info.
 */
protected PKIStatusInfo generateRejectionStatus(PKIStatus status, Integer info,
        String errorMessage) {
    PKIFreeText statusMessage = null;
    if (errorMessage != null) {
        statusMessage = new PKIFreeText(errorMessage);
    }

    PKIFailureInfo failureInfo = null;
    if (info != null) {
        failureInfo = new PKIFailureInfo(info);
    }

    return new PKIStatusInfo(status, statusMessage, failureInfo);
}