/**
* Generate a certificate signing request (PKCS#10).
*
* @param info A PKCS10CertReqInfo
* @param privateKey Private key for signing the request
* @param signatureProvider Name of provider to sign with
* @param publicKey Public key to include in the request
* @param explicitEccParameters True if the EC domain parameters should be included (ie. not a
* named curve)
* @return the certificate request data
*/
public static ICertReqData genCertificateRequest(
ISignerCertReqInfo info,
final PrivateKey privateKey,
final String signatureProvider,
PublicKey publicKey,
final boolean explicitEccParameters)
throws IllegalArgumentException {
LOG.debug(">genCertificateRequest");
final Base64SignerCertReqData retval;
if (info instanceof PKCS10CertReqInfo) {
PKCS10CertReqInfo reqInfo = (PKCS10CertReqInfo) info;
PKCS10CertificationRequest pkcs10;
if (LOG.isDebugEnabled()) {
LOG.debug("signatureAlgorithm: " + reqInfo.getSignatureAlgorithm());
LOG.debug("subjectDN: " + reqInfo.getSubjectDN());
LOG.debug("explicitEccParameters: " + explicitEccParameters);
}
try {
// Handle ECDSA key with explicit parameters
if (explicitEccParameters && publicKey.getAlgorithm().contains("EC")) {
publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC");
}
if (LOG.isDebugEnabled()) {
LOG.debug("Public key SHA1: " + createKeyHash(publicKey));
LOG.debug("Public key SHA256: " + KeyUsageCounterHash.create(publicKey));
}
// Generate request
final JcaPKCS10CertificationRequestBuilder builder =
new JcaPKCS10CertificationRequestBuilder(
new X500Name(CertTools.stringToBCDNString(reqInfo.getSubjectDN())), publicKey);
final ContentSigner contentSigner =
new JcaContentSignerBuilder(reqInfo.getSignatureAlgorithm())
.setProvider(signatureProvider)
.build(privateKey);
pkcs10 = builder.build(contentSigner);
retval = new Base64SignerCertReqData(Base64.encode(pkcs10.getEncoded()));
} catch (IOException e) {
throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e);
} catch (OperatorCreationException e) {
throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e);
} catch (NoSuchAlgorithmException e) {
throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e);
} catch (NoSuchProviderException e) {
throw new IllegalArgumentException("Certificate request error: " + e.getMessage(), e);
}
LOG.debug("<genCertificateRequest");
return retval;
} else {
throw new IllegalArgumentException(
"Unsupported certificate request info type: " + info.getClass().getName());
}
}
@Override
public CommandResult execute(ParameterContainer parameters) {
final String issuerDNStr = parameters.get(DN_KEY);
final String issuerDN = CertTools.stringToBCDNString(issuerDNStr);
final String certserno = parameters.get(SERIAL_NUMBER_KEY);
final BigInteger serno;
try {
serno = new BigInteger(certserno, 16);
} catch (NumberFormatException e) {
log.error("ERROR: Invalid hexadecimal certificate serial number string: " + certserno);
return CommandResult.FUNCTIONAL_FAILURE;
}
int reason;
try {
reason = Integer.parseInt(parameters.get(REASON_KEY));
} catch (NumberFormatException e) {
log.error("ERROR: " + parameters.get(REASON_KEY) + " was not a number.");
return CommandResult.FUNCTIONAL_FAILURE;
}
if ((reason == 7) || (reason < 0) || (reason > 10)) {
getLogger().error("ERROR: Reason must be an integer between 0 and 10 except 7.");
return CommandResult.FUNCTIONAL_FAILURE;
} else {
Certificate cert =
EjbRemoteHelper.INSTANCE
.getRemoteSession(CertificateStoreSessionRemote.class)
.findCertificateByIssuerAndSerno(issuerDN, serno);
if (cert != null) {
getLogger().info("Found certificate:");
getLogger().info("Subject DN=" + CertTools.getSubjectDN(cert));
// We need the user this cert is connected with
// Revoke or unrevoke, will throw appropriate exceptions if parameters are wrong, such as
// trying to unrevoke a certificate
// that was permanently revoked
try {
try {
EjbRemoteHelper.INSTANCE
.getRemoteSession(EndEntityManagementSessionRemote.class)
.revokeCert(getAuthenticationToken(), serno, issuerDN, reason);
} catch (ApprovalException e) {
log.error(e.getMessage(), e);
return CommandResult.FUNCTIONAL_FAILURE;
} catch (AuthorizationDeniedException e) {
log.error("ERROR: CLI user not authorized to revoke certificate.");
return CommandResult.FUNCTIONAL_FAILURE;
} catch (FinderException e) {
log.error("ERROR: " + e.getMessage());
return CommandResult.FUNCTIONAL_FAILURE;
} catch (WaitingForApprovalException e) {
log.error("ERROR: " + e.getMessage());
return CommandResult.FUNCTIONAL_FAILURE;
}
getLogger()
.info(
(reason == 8 ? "Unrevoked" : "Revoked")
+ " certificate with issuerDN '"
+ issuerDN
+ "' and serialNumber "
+ certserno
+ ". Revocation reason="
+ reason);
} catch (AlreadyRevokedException e) {
if (reason == 8) {
getLogger()
.info(
"Certificate with issuerDN '"
+ issuerDN
+ "' and serialNumber "
+ certserno
+ " is not revoked, nothing was done.");
} else {
getLogger()
.info(
"Certificate with issuerDN '"
+ issuerDN
+ "' and serialNumber "
+ certserno
+ " is already revoked, nothing was done.");
}
getLogger().info(e.getMessage());
}
} else {
getLogger()
.info(
"No certificate found with issuerDN '"
+ issuerDN
+ "' and serialNumber "
+ certserno);
}
}
return CommandResult.SUCCESS;
}
