/**
 * Removes the given certificate serials from the certificate revocation list.
 *
 * The CRL is read from the path returned by {@code getCrlFilePath()}, the entries
 * whose serials match {@code serialIds} are dropped via {@code crlGenerator}, and the
 * updated CRL is written back to the same file.
 *
 * @param serialIds certificate serial ids (the {@code serial} query parameter, repeatable)
 * @throws CRLException if the CRL object cannot be updated
 * @throws IOException if the CRL file cannot be read or written
 */
@DELETE
@Produces(MediaType.APPLICATION_JSON)
public void unrevoke(@QueryParam("serial") String[] serialIds) throws CRLException, IOException {
    File revocationList = new File(getCrlFilePath());
    try {
        // Load the current CRL first (readCRLFile presumably tolerates a missing file --
        // confirm against crlFileUtil), then resolve the serials to remove.
        X509CRL current = crlFileUtil.readCRLFile(revocationList);
        List<CertificateSerial> toRemove = certificateSerialCurator.listBySerialIds(serialIds);
        X509CRL updated = crlGenerator.removeEntries(current, toRemove);
        crlFileUtil.writeCRLFile(revocationList, updated);
    }
    catch (CertificateException e) {
        // Surface as a server-side error; the cause is preserved for diagnostics.
        throw new IseException(e.getMessage(), e);
    }
}
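/**
 * Generates, signs and persists an entitlement certificate for the given entitlement.
 *
 * The consumer's key pair is obtained from {@code keyPairCurator}, a
 * {@code CertificateSerial} is persisted first so its generated id can serve as the
 * X.509 serial, the certificate is PEM-encoded and, when {@code shouldGenerateV3}
 * says so, an entitlement-data payload plus its RSA signature are appended to the PEM
 * text. The resulting certificate is attached to the entitlement and saved through
 * {@code entCertCurator}.
 *
 * @param entitlement the entitlement the certificate is issued for
 * @param sub the subscription used to resolve provided and derived products
 * @param product the product the entitlement grants; also added to the payload product set
 * @param thisIsUeberCert true when generating the "ueber" certificate; its negation is
 *        passed to {@code createX509Certificate} and {@code getContentPrefix}
 * @return the persisted {@code EntitlementCertificate}
 * @throws GeneralSecurityException if key handling, signing or certificate creation fails
 * @throws IOException if PEM encoding or payload creation fails
 */
private EntitlementCertificate generateEntitlementCert(
    Entitlement entitlement, Subscription sub, Product product, boolean thisIsUeberCert)
    throws GeneralSecurityException, IOException {

    log.info("Generating entitlement cert.");
    KeyPair keyPair = keyPairCurator.getConsumerKeyPair(entitlement.getConsumer());
    CertificateSerial serial = new CertificateSerial(entitlement.getEndDate());
    // We need the sequence generated id before we create the EntitlementCertificate,
    // otherwise we could have used cascading create
    serial = serialCurator.create(serial);

    Set<Product> products = new HashSet<Product>(getProvidedProducts(entitlement.getPool(), sub));
    // If creating a certificate for a distributor, we need to add any derived products
    // as well so that their content is available in the upstream certificate.
    products.addAll(getDerivedProductsForDistributor(sub, entitlement));

    log.info("Creating X509 cert.");
    X509Certificate x509Cert = createX509Certificate(entitlement, product, products,
        BigInteger.valueOf(serial.getId()), keyPair, !thisIsUeberCert);

    EntitlementCertificate cert = new EntitlementCertificate();
    cert.setSerial(serial);
    cert.setKeyAsBytes(pki.getPemEncoded(keyPair.getPrivate()));

    // The granted product itself is part of the payload product set as well.
    products.add(product);
    Map<String, EnvironmentContent> promotedContent = getPromotedContent(entitlement);
    String contentPrefix = getContentPrefix(entitlement, !thisIsUeberCert);

    log.info("Getting PEM encoded cert.");
    // PEM output is ASCII (header lines plus base64), so the default charset is adequate here.
    String pem = new String(this.pki.getPemEncoded(x509Cert));

    if (shouldGenerateV3(entitlement)) {
        byte[] payloadBytes = v3extensionUtil.createEntitlementDataPayload(
            products, entitlement, contentPrefix, promotedContent);
        String payload = "-----BEGIN ENTITLEMENT DATA-----\n";
        payload += Util.toBase64(payloadBytes);
        payload += "-----END ENTITLEMENT DATA-----\n";

        // The signature is computed over the raw payload bytes, not over the base64
        // text above; a verifier must decode the payload block before checking it.
        byte[] bytes = pki.getSHA256WithRSAHash(new ByteArrayInputStream(payloadBytes));
        String signature = "-----BEGIN RSA SIGNATURE-----\n";
        signature += Util.toBase64(bytes);
        signature += "-----END RSA SIGNATURE-----\n";
        pem += payload + signature;
    }

    cert.setCert(pem);
    cert.setEntitlement(entitlement);

    if (log.isDebugEnabled()) {
        log.debug("Generated cert serial number: " + serial.getId());
        // The private key (cert.getKey()) is deliberately not logged: log output is not
        // protected like key material, and a debug log would otherwise leak the consumer's key.
        log.debug("Cert: " + cert.getCert());
    }

    log.info("Persisting cert.");
    entitlement.getCertificates().add(cert);
    entCertCurator.create(cert);
    return cert;
}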