Package org.ejbca.core.model.ca

Examples of org.ejbca.core.model.ca.SignRequestSignatureException


            // because it may be so that only revoked certificates is in the (external) OCSP database.
            // A request signed with a revoked signer certificate is rejected outright;
            // the serial number is reported in hexadecimal in the log line and the exception.
            if ( status.equals(CertificateStatus.REVOKED) ) {
              String serno = signercertSerNo.toString(16);
              String infoMsg = intres.getLocalizedMessage("ocsp.infosigner.revoked", signercertSubjectName, signercertIssuerName, serno);
              m_log.info(infoMsg);
              throw new SignRequestSignatureException(infoMsg);
            }

            // Optional allowlisting of request signers, active only when m_reqRestrictSignatures is set.
            // It runs after the revocation check above, so a revoked signer is refused even if allowlisted.
            if (m_reqRestrictSignatures) {
              // presumably refreshes mTrustedReqSigSigners / mTrustedReqSigIssuers; not visible here - confirm
              loadTrustDir();
              if ( m_reqRestrictMethod == OcspConfiguration.RESTRICTONSIGNER) {
                // The signer certificate itself must be present in the trusted-signers list.
                if (!OCSPUtil.checkCertInList(signercert, mTrustedReqSigSigners)) {
                  String infoMsg = intres.getLocalizedMessage("ocsp.infosigner.notallowed", signercertSubjectName, signercertIssuerName, signercertSerNo.toString(16));
                  m_log.info(infoMsg);
                  throw new SignRequestSignatureException(infoMsg);
                }
              } else if (m_reqRestrictMethod == OcspConfiguration.RESTRICTONISSUER) {
                // The issuing CA is looked up in the CA certificate cache by the signer certificate's issuer DN.
                // A CA that is not in the cache (null) is treated the same as one that is not trusted: fail closed.
                // NOTE(review): the lookup uses the issuer name only; this excerpt does not show the signer
                // certificate's signature being verified against signerca - confirm chain validation happens elsewhere.
                X509Certificate signerca = this.data.m_caCertCache.findLatestBySubjectDN(HashID.getFromDN(signercertIssuerName));
                if ((signerca == null) || (!OCSPUtil.checkCertInList(signerca, mTrustedReqSigIssuers)) ) {
                  String infoMsg = intres.getLocalizedMessage("ocsp.infosigner.notallowed", signercertSubjectName, signercertIssuerName, signercertSerNo.toString(16));
                  m_log.info(infoMsg);
                  throw new SignRequestSignatureException(infoMsg);
                }
              } else {
                // Unknown restriction method: abort with a generic exception instead of answering.
                throw new Exception("m_reqRestrictMethod="+m_reqRestrictMethod); // there must be an internal error. We do not want to send a response, just to be safe.
              }
            }


        // Verify POPO, we don't care about the challenge, it's not important.
        // Proof-of-possession check on the Netscape (SPKAC) request: the challenge is overwritten with a
        // fixed literal and verify() is then called with the same literal, so the challenge comparison is
        // satisfied by construction and, presumably, only the signature check can fail.
        // NOTE(review): a constant challenge shows possession of the private key but gives no freshness;
        // confirm that re-submission of a previously captured request is handled elsewhere.
        nscr.setChallenge("challenge");

        if (nscr.verify("challenge") == false) {
            throw new SignRequestSignatureException(
                "Invalid signature in NetscapeCertRequest, popo-verification failed.");
        }
        // Success is only reported when debug logging is enabled.
        if (log.isDebugEnabled()) {
          log.debug("POPO verification successful");
        }

          // Parse the SPKAC structure, check proof of possession, then wrap the public key
          // together with the caller-supplied username and password in a SimpleRequestMessage.
          NetscapeCertRequest nscr = new NetscapeCertRequest(spkacSeq);
          // Verify POPO, we don't care about the challenge, it's not important.
          // The challenge is set to a fixed literal and verified against the same literal, so the
          // challenge comparison cannot fail; presumably only the signature check remains.
          // NOTE(review): no freshness is provided by a constant challenge - confirm replay handling elsewhere.
          nscr.setChallenge("challenge");
          if (nscr.verify("challenge") == false) {
            // NOTE(review): a rejected request is logged at debug level only; consider a level that is
            // kept in production logs so failed POPO checks can be audited.
            log.debug("SPKAC POPO verification Failed");
            throw new SignRequestSignatureException("Invalid signature in NetscapeCertRequest, popo-verification failed.");
          }
          log.debug("POPO verification successful");
          PublicKey pubKey = nscr.getPublicKey();
          imsg = new SimpleRequestMessage(pubKey, username, password);
        }   
      } else if (reqType == REQTYPE_CRMF) {
        // CRMF branch: Base64-decode the request, walk the ASN.1 structure to the first CertRequest
        // and take the public key from its certificate template.
        // NOTE(review): req.getBytes() uses the platform default charset; Base64 text is ASCII, so this
        // is normally harmless, but an explicit charset would remove the dependency.
        byte[] request = Base64.decode(req.getBytes());
        // NOTE(review): 'in' is not closed in the visible code.
        ASN1InputStream in = new ASN1InputStream(request);
        // The casts and getObjectAt(0) calls assume the expected nesting. Input with another shape would
        // surface as ClassCastException or an index error; how the caller maps those is not visible here.
        ASN1Sequence    crmfSeq = (ASN1Sequence) in.readObject();
        ASN1Sequence reqSeq =  (ASN1Sequence) ((ASN1Sequence) crmfSeq.getObjectAt(0)).getObjectAt(0);
        CertRequest certReq = new CertRequest( reqSeq );
        SubjectPublicKeyInfo pKeyInfo = certReq.getCertTemplate().getPublicKey();
        // The key factory is fixed to RSA from the "BC" provider, so this branch presumably rejects
        // requests carrying any other key type.
        KeyFactory keyFact = KeyFactory.getInstance("RSA", "BC");
        KeySpec keySpec = new X509EncodedKeySpec( pKeyInfo.getEncoded() );
        PublicKey pubKey = keyFact.generatePublic(keySpec); // just check it's ok
        // NOTE(review): the key is only parsed here. Unlike the SPKAC and CVC branches of this if/else
        // chain, which call verify(), no proof of possession is checked for CRMF in the visible code -
        // confirm that POP is enforced elsewhere before a certificate is issued for this key.
        imsg = new SimpleRequestMessage(pubKey, username, password);
        // a simple crmf is not a complete PKI message, as desired by the CrmfRequestMessage class
        //PKIMessage msg = PKIMessage.getInstance(new ASN1InputStream(new ByteArrayInputStream(request)).readObject());
        //CrmfRequestMessage reqmsg = new CrmfRequestMessage(msg, null, true, null);
        //imsg = reqmsg;
      } else if (reqType == REQTYPE_CVC) {
        // CVC branch: Base64-decode and parse the request, unwrap it if it is an authenticated request,
        // then verify the inner signature before handing the message on.
        CVCObject parsedObject = CertificateParser.parseCVCObject(Base64.decode(req.getBytes()));
        // We will handle both the case if the request is an authenticated request, i.e. with an outer signature
        // and when the request is missing the (optional) outer signature.
        CVCertificate cvccert = null;
        if (parsedObject instanceof CVCAuthenticatedRequest) {
          // Only the inner request is kept.
          // NOTE(review): the outer signature is not checked in the visible code - confirm where, or
          // whether, it is verified when the outer signer's identity matters.
          CVCAuthenticatedRequest cvcreq = (CVCAuthenticatedRequest)parsedObject;
          cvccert = cvcreq.getRequest();
        } else {
          // Any other parsed type is cast directly; a different CVC object would raise ClassCastException.
          cvccert = (CVCertificate)parsedObject;
        }
        CVCRequestMessage reqmsg = new CVCRequestMessage(cvccert.getDEREncoded());
        reqmsg.setUsername(username);
        reqmsg.setPassword(password);
        // Popo is really actually verified by the CA (in RSASignSessionBean) as well
        if (reqmsg.verify() == false) {
          // NOTE(review): the rejection is logged at debug level only.
          log.debug("CVC POPO verification Failed");
          throw new SignRequestSignatureException("Invalid inner signature in CVCRequest, popo-verification failed.");
        } else {
          log.debug("POPO verification successful");         
        }
        imsg = reqmsg;
      }

                        }
                        // Verify the request
                        if (reqmsg.verify() == false) {
                          String msg = "POPO verification failed.";
                            log.error(msg);
                            throw new SignRequestSignatureException(msg);
                        }
                        String username = reqmsg.getUsername();
                        if (username == null) {
                          String msg = "No username in request, request DN: "+reqmsg.getRequestDN();
                            log.error(msg);

          // Parse the SPKAC structure, check proof of possession, then wrap the public key
          // together with the caller-supplied username and password in a SimpleRequestMessage.
          NetscapeCertRequest nscr = new NetscapeCertRequest(spkacSeq);
          // Verify POPO, we don't care about the challenge, it's not important.
          // The challenge is set to a fixed literal and verified against the same literal, so the
          // challenge comparison cannot fail; presumably only the signature check remains.
          // NOTE(review): no freshness is provided by a constant challenge - confirm replay handling elsewhere.
          nscr.setChallenge("challenge");
          if (nscr.verify("challenge") == false) {
            // NOTE(review): a rejected request is logged at debug level only.
            log.debug("POPO verification Failed");
            throw new SignRequestSignatureException("Invalid signature in NetscapeCertRequest, popo-verification failed.");
          }
          log.debug("POPO verification successful");
          PublicKey pubKey = nscr.getPublicKey();
          imsg = new SimpleRequestMessage(pubKey, username, password);
        }   

        }
      }
      if (!verifyOK) {
        String errMsg = intres.getLocalizedMessage("ocsp.errorinvalidsignature", signer);
        m_log.info(errMsg);
        throw new SignRequestSignatureException(errMsg);
      }
     
      return signercert;
    }

        // Only package a certificate that verifies under this CA's certificate-signing public key.
        // A null cert skips the check; the PKCS#7 then carries the chain only (when includeChain is set).
        try {
            if (cert != null) {
                cert.verify(getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN));
            }
        } catch (Exception e) {
            // NOTE(review): every failure (bad signature, unavailable token, missing key) is reported with
            // the same message, and the cause 'e' is neither logged nor attached, which hides the real reason.
            throw new SignRequestSignatureException("Cannot verify certificate in createPKCS7(), did I sign this?");
        }
        Collection<Certificate> chain = getCertificateChain();
        ArrayList<Certificate> certList = new ArrayList<Certificate>();
        if (cert != null) {
            certList.add(cert);
        }
        if (includeChain) {
            certList.addAll(chain);
        }
        try {
            // Fixed placeholder content that is signed and encapsulated below; the certificates travel
            // in the SignedData certificate set. getBytes() uses the platform default charset (the
            // literal is ASCII).
            CMSProcessable msg = new CMSProcessableByteArray("EJBCA".getBytes());
            CertStore certs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList), "BC");
            CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
            if (getCAToken().getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN) == null) {
              String msg1 = "createPKCS7: Private key does not exist!";
              log.debug(msg1);
              throw new SignRequestSignatureException(msg1);
            }
            // NOTE(review): the CMS digest is hard-coded to SHA-1, which is no longer collision resistant;
            // consider deriving the digest from the CA's configured signature algorithm instead.
            gen.addSigner(getCAToken().getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), (X509Certificate)getCACertificate(), CMSSignedGenerator.DIGEST_SHA1);
            gen.addCertificatesAndCRLs(certs);
            CMSSignedData s = null;
            CATokenContainer catoken = getCAToken();
            CATokenInfo tokeninfo = getCAInfo().getCATokenInfo();
            // NOTE(review): getCAToken() has already been dereferenced above, so a null token would have
            // thrown NullPointerException before this check; in practice only the NullCATokenInfo test
            // can route execution into the else branch.
            if (catoken != null && !(tokeninfo instanceof NullCATokenInfo)) {
              log.debug("createPKCS7: Provider="+catoken.getProvider()+" using algorithm "+getCAToken().getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN).getAlgorithm());
              s = gen.generate(msg, true, catoken.getProvider());
            } else {
              String msg1 = "CA Token does not exist!";
              // NOTE(review): this logs 'msg' (the CMSProcessable payload object), not 'msg1'; it looks
              // like a typo, so the intended error text never reaches the log.
              log.debug(msg);
              throw new SignRequestSignatureException(msg1);
            }
            return s.getEncoded();
        } catch (CATokenOfflineException e) {
          throw new RuntimeException(e);         
        } catch (Exception e) {

            Certificate bccert = CertTools.getCertfromByteArray(incert.getEncoded());
            bccert.verify(cert.getPublicKey());
        } catch (Exception e) {
          log.debug("Exception verify POPO: ", e);
          String msg = intres.getLocalizedMessage("signsession.popverificationfailed");
            throw new SignRequestSignatureException(msg);
        }
        Certificate ret = createCertificate(admin, username, password, cert.getPublicKey(), CertTools.sunKeyUsageToBC(cert.getKeyUsage()), null, null);
        if (log.isTraceEnabled()) {
          log.trace("<createCertificate(cert)");
        }

            }
            // Verify the request
            if (req.verify() == false) {
              String msg = intres.getLocalizedMessage("signsession.popverificationfailed");
              logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
                throw new SignRequestSignatureException(msg);
            }
           
            if (ca.isUseUserStorage() && req.getUsername() == null) {
              String msg = intres.getLocalizedMessage("signsession.nouserinrequest", req.getRequestDN());
              logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);

            }
            // Verify the request
            if (req.verify() == false) {
              String msg = intres.getLocalizedMessage("signsession.popverificationfailed");
              logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, intres.getLocalizedMessage("signsession.popverificationfailed"));
                throw new SignRequestSignatureException(msg);
            }
            //Create the response message with all nonces and checks etc
            ret = req.createResponseMessage(responseClass, req, ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), catoken.getProvider());
            ret.setStatus(ResponseStatus.FAILURE);
            ret.setFailInfo(FailInfo.BAD_REQUEST);
