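  /**
   * Generate a certificate signing request (PKCS#10).
   *
   * <p>Only {@link PKCS10CertReqInfo} is accepted as request info; its subject DN (converted with
   * {@code CertTools.stringToBCDNString}) and signature algorithm drive the request. When
   * {@code explicitEccParameters} is set and the public key's algorithm name contains "EC", the key
   * is rewritten with explicit domain parameters through the "BC" provider before it is embedded.
   * The request is signed with {@code privateKey} using {@code signatureProvider}.
   *
   * @param info A PKCS10CertReqInfo
   * @param privateKey Private key for signing the request
   * @param signatureProvider Name of provider to sign with
   * @param publicKey Public key to include in the request
   * @param explicitEccParameters True if the EC domain parameters should be included (ie. not a
   *     named curve)
   * @return the certificate request data (Base64 of the encoded PKCS#10 request)
   * @throws IllegalArgumentException if {@code info} is null or not a {@link PKCS10CertReqInfo},
   *     if {@code publicKey} or {@code privateKey} is null, or if encoding, signer creation, or
   *     provider/algorithm lookup fails; the underlying exception is kept as the cause
   */
  public static ICertReqData genCertificateRequest(
      ISignerCertReqInfo info,
      final PrivateKey privateKey,
      final String signatureProvider,
      PublicKey publicKey,
      final boolean explicitEccParameters)
      throws IllegalArgumentException {
    LOG.debug(">genCertificateRequest");

    // A null info used to escape as a NullPointerException from info.getClass() in the error
    // branch; report it through the documented exception type instead.
    if (!(info instanceof PKCS10CertReqInfo)) {
      throw new IllegalArgumentException(
          "Unsupported certificate request info type: "
              + (info == null ? "null" : info.getClass().getName()));
    }
    // Both keys are dereferenced below (explicit-EC conversion, hashing, builder, signer); fail
    // early with the documented exception rather than an NPE from deep inside BouncyCastle.
    if (publicKey == null || privateKey == null) {
      throw new IllegalArgumentException(
          "Certificate request error: public key and private key must not be null");
    }

    final PKCS10CertReqInfo reqInfo = (PKCS10CertReqInfo) info;

    if (LOG.isDebugEnabled()) {
      LOG.debug("signatureAlgorithm: " + reqInfo.getSignatureAlgorithm());
      LOG.debug("subjectDN: " + reqInfo.getSubjectDN());
      LOG.debug("explicitEccParameters: " + explicitEccParameters);
    }

    final Base64SignerCertReqData retval;
    try {
      // Handle ECDSA key with explicit parameters (substring match covers "EC" and "ECDSA").
      if (explicitEccParameters && publicKey.getAlgorithm().contains("EC")) {
        publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC");
      }

      // Key fingerprints only; no secret material is logged here.
      if (LOG.isDebugEnabled()) {
        LOG.debug("Public key SHA1: " + createKeyHash(publicKey));
        LOG.debug("Public key SHA256: " + KeyUsageCounterHash.create(publicKey));
      }

      // Generate request
      final JcaPKCS10CertificationRequestBuilder builder =
          new JcaPKCS10CertificationRequestBuilder(
              new X500Name(CertTools.stringToBCDNString(reqInfo.getSubjectDN())), publicKey);
      final ContentSigner contentSigner =
          new JcaContentSignerBuilder(reqInfo.getSignatureAlgorithm())
              .setProvider(signatureProvider)
              .build(privateKey);
      final PKCS10CertificationRequest pkcs10 = builder.build(contentSigner);
      retval = new Base64SignerCertReqData(Base64.encode(pkcs10.getEncoded()));
    } catch (IOException e) {
      throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e);
    } catch (OperatorCreationException e) {
      throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e);
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e);
    } catch (NoSuchProviderException e) {
      throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e);
    }
    LOG.debug("<genCertificateRequest");
    return retval;
  }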
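  /**
   * Revokes, or with reason 8 unrevokes, one certificate identified by issuer DN and hexadecimal
   * serial number.
   *
   * <p>Input handling: the serial number is parsed as hex and the reason as a decimal integer in
   * the range 0..10 with 7 rejected (that code is unused in RFC 5280). A missing or unparsable
   * serial number, an unparsable or out-of-range reason, or a revocation rejected by the
   * management session (approval pending/denied, authorization denied, not found) is logged and
   * reported as {@link CommandResult#FUNCTIONAL_FAILURE}. A certificate that is already in the
   * requested state, or no matching certificate at all, is only logged and still yields
   * {@link CommandResult#SUCCESS}, matching the previous behaviour.
   *
   * @param parameters CLI parameters; reads {@code DN_KEY}, {@code SERIAL_NUMBER_KEY} and
   *     {@code REASON_KEY}
   * @return {@link CommandResult#SUCCESS} or {@link CommandResult#FUNCTIONAL_FAILURE}
   */
  @Override
  public CommandResult execute(ParameterContainer parameters) {
    // Reason 8 (removeFromCRL) is the "unrevoke" request; 7 is unassigned in RFC 5280.
    final int reasonUnrevoke = 8;
    final int reasonUnused = 7;
    final int reasonMin = 0;
    final int reasonMax = 10;

    final String issuerDNStr = parameters.get(DN_KEY);
    final String issuerDN = CertTools.stringToBCDNString(issuerDNStr);

    // new BigInteger(null, 16) throws NullPointerException rather than NumberFormatException, so
    // a missing serial number needs an explicit check to reach the same failure path.
    final String certserno = parameters.get(SERIAL_NUMBER_KEY);
    if (certserno == null) {
      log.error("ERROR: Invalid hexadecimal certificate serial number string: " + certserno);
      return CommandResult.FUNCTIONAL_FAILURE;
    }
    final BigInteger serno;
    try {
      serno = new BigInteger(certserno, 16);
    } catch (NumberFormatException e) {
      log.error("ERROR: Invalid hexadecimal certificate serial number string: " + certserno);
      return CommandResult.FUNCTIONAL_FAILURE;
    }

    // Integer.parseInt(null) already throws NumberFormatException, so null is covered here.
    final String reasonStr = parameters.get(REASON_KEY);
    final int reason;
    try {
      reason = Integer.parseInt(reasonStr);
    } catch (NumberFormatException e) {
      log.error("ERROR: " + reasonStr + " was not a number.");
      return CommandResult.FUNCTIONAL_FAILURE;
    }
    if (reason == reasonUnused || reason < reasonMin || reason > reasonMax) {
      getLogger().error("ERROR: Reason must be an integer between 0 and 10 except 7.");
      return CommandResult.FUNCTIONAL_FAILURE;
    }

    final Certificate cert =
        EjbRemoteHelper.INSTANCE
            .getRemoteSession(CertificateStoreSessionRemote.class)
            .findCertificateByIssuerAndSerno(issuerDN, serno);
    if (cert == null) {
      // NOTE(review): a lookup miss is reported as SUCCESS; kept as-is since scripts may depend
      // on the exit status, but a FUNCTIONAL_FAILURE would be the safer contract.
      getLogger()
          .info(
              "No certificate found with issuerDN '"
                  + issuerDN
                  + "' and serialNumber "
                  + certserno);
      return CommandResult.SUCCESS;
    }

    getLogger().info("Found certificate:");
    getLogger().info("Subject DN=" + CertTools.getSubjectDN(cert));
    // Revoke or unrevoke; the session throws if the transition is not allowed, e.g. trying to
    // unrevoke a certificate that was permanently revoked.
    // NOTE(review): both `log` and `getLogger()` are used in this method; presumably the same
    // sink, left untouched here — confirm before unifying.
    try {
      try {
        EjbRemoteHelper.INSTANCE
            .getRemoteSession(EndEntityManagementSessionRemote.class)
            .revokeCert(getAuthenticationToken(), serno, issuerDN, reason);
      } catch (ApprovalException e) {
        log.error(e.getMessage(), e);
        return CommandResult.FUNCTIONAL_FAILURE;
      } catch (AuthorizationDeniedException e) {
        log.error("ERROR: CLI user not authorized to revoke certificate.");
        return CommandResult.FUNCTIONAL_FAILURE;
      } catch (FinderException e) {
        log.error("ERROR: " + e.getMessage());
        return CommandResult.FUNCTIONAL_FAILURE;
      } catch (WaitingForApprovalException e) {
        log.error("ERROR: " + e.getMessage());
        return CommandResult.FUNCTIONAL_FAILURE;
      }
      final String verb = reason == reasonUnrevoke ? "Unrevoked" : "Revoked";
      getLogger()
          .info(
              verb
                  + " certificate with issuerDN '"
                  + issuerDN
                  + "' and serialNumber "
                  + certserno
                  + ". Revocation reason="
                  + reason);
    } catch (AlreadyRevokedException e) {
      // The certificate is already in the requested state; this is informational, not a failure.
      final String state = reason == reasonUnrevoke ? " is not revoked" : " is already revoked";
      getLogger()
          .info(
              "Certificate with issuerDN '"
                  + issuerDN
                  + "' and serialNumber "
                  + certserno
                  + state
                  + ", nothing was done.");
      getLogger().info(e.getMessage());
    }
    return CommandResult.SUCCESS;
  }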