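/**
 * Generates a certificate signing request (PKCS#10).
 *
 * <p>The request carries the subject DN and public key, is signed with {@code privateKey}
 * using the signature algorithm named in {@code info} through {@code signatureProvider}, and
 * is returned as Base64-encoded DER.
 *
 * @param info the request info; must be a {@link PKCS10CertReqInfo}
 * @param privateKey private key used to sign the request
 * @param signatureProvider name of the JCA provider to sign with
 * @param publicKey public key to include in the request
 * @param explicitEccParameters true if the EC domain parameters should be encoded explicitly
 *     (i.e. not as a named curve); only consulted for keys whose algorithm name contains "EC"
 * @return the Base64-encoded certificate request
 * @throws IllegalArgumentException if {@code info} is null or not a {@link PKCS10CertReqInfo},
 *     or if building or signing the request fails (the underlying exception is the cause)
 */
public static ICertReqData genCertificateRequest(
    ISignerCertReqInfo info,
    final PrivateKey privateKey,
    final String signatureProvider,
    PublicKey publicKey,
    final boolean explicitEccParameters)
    throws IllegalArgumentException {
  LOG.debug(">genCertificateRequest");
  if (!(info instanceof PKCS10CertReqInfo)) {
    // A null info must be reported as IllegalArgumentException, not as an NPE
    // raised while formatting the message.
    final String typeName = info == null ? "null" : info.getClass().getName();
    throw new IllegalArgumentException("Unsupported certificate request info type: " + typeName);
  }
  final PKCS10CertReqInfo reqInfo = (PKCS10CertReqInfo) info;
  if (LOG.isDebugEnabled()) {
    LOG.debug("signatureAlgorithm: " + reqInfo.getSignatureAlgorithm());
    LOG.debug("subjectDN: " + reqInfo.getSubjectDN());
    LOG.debug("explicitEccParameters: " + explicitEccParameters);
  }
  final Base64SignerCertReqData retval;
  try {
    // EC keys may be requested with explicit domain parameters instead of a named curve.
    PublicKey keyToEncode = publicKey;
    if (explicitEccParameters && keyToEncode.getAlgorithm().contains("EC")) {
      keyToEncode = ECKeyUtil.publicToExplicitParameters(keyToEncode, "BC");
    }
    if (LOG.isDebugEnabled()) {
      // Only hashes of the public key are logged; nothing secret goes to the log.
      LOG.debug("Public key SHA1: " + createKeyHash(keyToEncode));
      LOG.debug("Public key SHA256: " + KeyUsageCounterHash.create(keyToEncode));
    }
    final JcaPKCS10CertificationRequestBuilder builder =
        new JcaPKCS10CertificationRequestBuilder(
            new X500Name(CertTools.stringToBCDNString(reqInfo.getSubjectDN())), keyToEncode);
    final ContentSigner contentSigner =
        new JcaContentSignerBuilder(reqInfo.getSignatureAlgorithm())
            .setProvider(signatureProvider)
            .build(privateKey);
    final PKCS10CertificationRequest pkcs10 = builder.build(contentSigner);
    retval = new Base64SignerCertReqData(Base64.encode(pkcs10.getEncoded()));
  } catch (IOException
      | OperatorCreationException
      | NoSuchAlgorithmException
      | NoSuchProviderException e) {
    // All failure modes are reported uniformly; the cause is preserved for diagnostics.
    throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e);
  }
  LOG.debug("<genCertificateRequest");
  return retval;
}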
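/**
 * Revokes, or un-revokes, the certificate identified by issuer DN and serial number.
 *
 * <p>The reason is an RFC 5280 CRLReason code. Code 8 (removeFromCRL) lifts a certificate
 * hold, i.e. "unrevokes"; code 7 is not assigned by the RFC and is rejected. A certificate that
 * is already in the requested state is reported and left untouched.
 *
 * @param parameters the command parameters: issuer DN, hexadecimal serial number and reason
 * @return {@link CommandResult#SUCCESS} when the request was carried out or nothing needed
 *     doing; {@link CommandResult#FUNCTIONAL_FAILURE} on malformed input, missing
 *     authorization, a certificate that could not be looked up for revocation, or a pending or
 *     rejected approval
 */
@Override
public CommandResult execute(ParameterContainer parameters) {
  // RFC 5280 CRLReason codes that need special treatment.
  final int reasonUnused = 7; // not assigned by RFC 5280
  final int reasonRemoveFromCrl = 8; // lifts a certificate hold ("unrevoke")
  final int maxReason = 10; // aACompromise, the highest defined code

  final String issuerDNStr = parameters.get(DN_KEY);
  final String issuerDN = CertTools.stringToBCDNString(issuerDNStr);
  final String certserno = parameters.get(SERIAL_NUMBER_KEY);
  if (certserno == null) {
    // new BigInteger(null, 16) throws NullPointerException, not NumberFormatException,
    // so a missing serial number is checked up front.
    getLogger().error("ERROR: No certificate serial number given.");
    return CommandResult.FUNCTIONAL_FAILURE;
  }
  final BigInteger serno;
  try {
    serno = new BigInteger(certserno, 16);
  } catch (NumberFormatException e) {
    getLogger().error("ERROR: Invalid hexadecimal certificate serial number string: " + certserno);
    return CommandResult.FUNCTIONAL_FAILURE;
  }

  final int reason;
  try {
    reason = Integer.parseInt(parameters.get(REASON_KEY));
  } catch (NumberFormatException e) {
    // Integer.parseInt(null) also lands here, so a missing reason is covered.
    getLogger().error("ERROR: " + parameters.get(REASON_KEY) + " was not a number.");
    return CommandResult.FUNCTIONAL_FAILURE;
  }
  if (reason == reasonUnused || reason < 0 || reason > maxReason) {
    getLogger().error("ERROR: Reason must be an integer between 0 and 10 except 7.");
    return CommandResult.FUNCTIONAL_FAILURE;
  }

  final Certificate cert =
      EjbRemoteHelper.INSTANCE
          .getRemoteSession(CertificateStoreSessionRemote.class)
          .findCertificateByIssuerAndSerno(issuerDN, serno);
  if (cert == null) {
    // NOTE(review): an unknown certificate is reported but still yields SUCCESS — confirm
    // that scripts relying on the exit status expect this.
    getLogger()
        .info(
            "No certificate found with issuerDN '"
                + issuerDN
                + "' and serialNumber "
                + certserno);
    return CommandResult.SUCCESS;
  }
  getLogger().info("Found certificate:");
  getLogger().info("Subject DN=" + CertTools.getSubjectDN(cert));

  final String certDescription =
      "Certificate with issuerDN '" + issuerDN + "' and serialNumber " + certserno;
  // The session bean throws the appropriate exception when the request is inconsistent with
  // the certificate's state, e.g. trying to unrevoke a permanently revoked certificate.
  try {
    EjbRemoteHelper.INSTANCE
        .getRemoteSession(EndEntityManagementSessionRemote.class)
        .revokeCert(getAuthenticationToken(), serno, issuerDN, reason);
  } catch (ApprovalException e) {
    getLogger().error(e.getMessage(), e);
    return CommandResult.FUNCTIONAL_FAILURE;
  } catch (AuthorizationDeniedException e) {
    getLogger().error("ERROR: CLI user not authorized to revoke certificate.");
    return CommandResult.FUNCTIONAL_FAILURE;
  } catch (FinderException e) {
    getLogger().error("ERROR: " + e.getMessage());
    return CommandResult.FUNCTIONAL_FAILURE;
  } catch (WaitingForApprovalException e) {
    getLogger().error("ERROR: " + e.getMessage());
    return CommandResult.FUNCTIONAL_FAILURE;
  } catch (AlreadyRevokedException e) {
    // Nothing to change: the certificate is already in the requested state.
    if (reason == reasonRemoveFromCrl) {
      getLogger().info(certDescription + " is not revoked, nothing was done.");
    } else {
      getLogger().info(certDescription + " is already revoked, nothing was done.");
    }
    getLogger().info(e.getMessage());
    return CommandResult.SUCCESS;
  }

  final String action = reason == reasonRemoveFromCrl ? "Unrevoked" : "Revoked";
  getLogger()
      .info(
          action
              + " certificate with issuerDN '"
              + issuerDN
              + "' and serialNumber "
              + certserno
              + ". Revocation reason="
              + reason);
  return CommandResult.SUCCESS;
}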