// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.ca; import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.math.BigInteger; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.security.cert.CRLException; import java.security.cert.CertificateException; import java.security.cert.CertificateParsingException; import java.util.Date; import java.util.Enumeration; import java.util.Hashtable; import java.util.Vector; import netscape.security.util.DerOutputStream; import netscape.security.util.DerValue; import netscape.security.x509.AlgorithmId; import netscape.security.x509.CertificateChain; import netscape.security.x509.CertificateVersion; import netscape.security.x509.X500Name; import netscape.security.x509.X509CRLImpl; import netscape.security.x509.X509CertImpl; import netscape.security.x509.X509CertInfo; import netscape.security.x509.X509ExtensionException; import netscape.security.x509.X509Key; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.asn1.ASN1Util; import org.mozilla.jss.asn1.GeneralizedTime; import 
org.mozilla.jss.asn1.INTEGER; import org.mozilla.jss.asn1.InvalidBERException; import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; import org.mozilla.jss.asn1.OCTET_STRING; import org.mozilla.jss.crypto.SignatureAlgorithm; import org.mozilla.jss.crypto.TokenException; import org.mozilla.jss.pkix.cert.Extension; import org.mozilla.jss.pkix.primitive.Name; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authority.ICertAuthority; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.EPropertyNotFound; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.base.Nonces; import com.netscape.certsrv.ca.ECAException; import com.netscape.certsrv.ca.ICRLIssuingPoint; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.dbs.IDBSubsystem; import com.netscape.certsrv.dbs.certdb.ICertRecord; import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.dbs.crldb.ICRLRepository; import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository; import com.netscape.certsrv.ldap.ELdapException; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.ocsp.IOCSPService; import com.netscape.certsrv.policy.IPolicyProcessor; import com.netscape.certsrv.publish.ICRLPublisher; import com.netscape.certsrv.publish.IPublisherProcessor; import com.netscape.certsrv.request.ARequestNotifier; import com.netscape.certsrv.request.IPolicy; import com.netscape.certsrv.request.IRequestListener; import com.netscape.certsrv.request.IRequestNotifier; import com.netscape.certsrv.request.IRequestQueue; import com.netscape.certsrv.request.IRequestScheduler; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.security.ISigningUnit; import com.netscape.certsrv.util.IStatsSubsystem; import com.netscape.cmscore.dbs.CRLRepository; import com.netscape.cmscore.dbs.CertRecord; import 
com.netscape.cmscore.dbs.CertificateRepository; import com.netscape.cmscore.dbs.DBSubsystem; import com.netscape.cmscore.dbs.ReplicaIDRepository; import com.netscape.cmscore.ldap.PublisherProcessor; import com.netscape.cmscore.listeners.ListenerPlugin; import com.netscape.cmscore.request.RequestSubsystem; import com.netscape.cmscore.security.KeyCertUtil; import com.netscape.cmscore.util.Debug; import com.netscape.cmsutil.ocsp.BasicOCSPResponse; import com.netscape.cmsutil.ocsp.CertID; import com.netscape.cmsutil.ocsp.CertStatus; import com.netscape.cmsutil.ocsp.GoodInfo; import com.netscape.cmsutil.ocsp.KeyHashID; import com.netscape.cmsutil.ocsp.NameID; import com.netscape.cmsutil.ocsp.OCSPRequest; import com.netscape.cmsutil.ocsp.OCSPResponse; import com.netscape.cmsutil.ocsp.OCSPResponseStatus; import com.netscape.cmsutil.ocsp.ResponderID; import com.netscape.cmsutil.ocsp.ResponseBytes; import com.netscape.cmsutil.ocsp.ResponseData; import com.netscape.cmsutil.ocsp.RevokedInfo; import com.netscape.cmsutil.ocsp.SingleResponse; import com.netscape.cmsutil.ocsp.TBSRequest; import com.netscape.cmsutil.ocsp.UnknownInfo; /** * A class represents a Certificate Authority that is * responsible for certificate specific operations. *
*
* @author lhsiao
* @version $Revision$, $Date$
*/
public class CertificateAuthority implements ICertificateAuthority, ICertAuthority, IOCSPService {
// Display name of this subsystem.
public static final String OFFICIAL_NAME = "Certificate Manager";
// id-pkix-ocsp-nonce (RFC 6960, 4.4.1): OID of the OCSP nonce extension.
public final static OBJECT_IDENTIFIER OCSP_NONCE = new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2");
// Subsystem that owns this CA; assigned in init().
protected ISubsystem mOwner = null;
// Configuration store of this CA; assigned in init().
protected IConfigStore mConfig = null;
// Logger used by log(); resolved once when the instance is created.
protected ILogger mLogger = CMS.getLogger();
protected Hashtable
*
* @param owner owner of this subsystem
* @param config configuration of this subsystem
* @exception EBaseException failed to initialize this CA
*/
public void init(ISubsystem owner, IConfigStore config) throws
EBaseException {
try {
CMS.debug("CertificateAuthority init ");
mOwner = owner;
mConfig = config;
// init cert & crl database.
initCaDatabases();
// init signing unit & CA cert.
try {
initSigUnit();
// init default CA attributes like cert version, validity.
initDefCaAttrs();
} catch (EBaseException e) {
if (CMS.isPreOpMode())
;
else
throw e;
}
// init web gateway.
initWebGateway();
mUseNonces = mConfig.getBoolean("enableNonces", true);
mMaxNonces = mConfig.getInteger("maxNumberOfNonces", 100);
if (mUseNonces) {
mNonces = new Nonces(mMaxNonces);
CMS.debug("CertificateAuthority init: Nonces enabled. (" + mNonces.size() + ")");
}
// init request queue and related modules.
CMS.debug("CertificateAuthority init: initRequestQueue");
initRequestQueue();
if (CMS.isPreOpMode())
return;
// set certificate status to 10 minutes
mCertRepot.setCertStatusUpdateInterval(
mRequestQueue.getRequestRepository(),
mConfig.getInteger("certStatusUpdateInterval", 10 * 60),
mConfig.getBoolean("listenToCloneModifications", false));
mCertRepot.setConsistencyCheck(
mConfig.getBoolean("ConsistencyCheck", false));
mCertRepot.setSkipIfInConsistent(
mConfig.getBoolean("SkipIfInConsistent", false));
mService.init(config.getSubStore("connector"));
initMiscellaneousListeners();
// instantiate CRL publisher
IConfigStore cpStore = null;
mByName = config.getBoolean("byName", true);
cpStore = config.getSubStore("crlPublisher");
if (cpStore != null && cpStore.size() > 0) {
String publisherClass = cpStore.getString("class");
if (publisherClass != null) {
try {
@SuppressWarnings("unchecked")
Class
*/
public void shutdown() {
Enumeration
*/
public IConfigStore getConfigStore() {
    // The store handed to init(); null until then.
    final IConfigStore store = mConfig;
    return store;
}
/**
 * Returns the system logger.
 *
 * @return the logger obtained from {@code CMS.getLogger()} (not the cached
 *         {@code mLogger} field).
 */
public ILogger getLogger() {
    final ILogger logger = CMS.getLogger();
    return logger;
}
/**
 * Returns the database subsystem singleton.
 *
 * @return the {@code DBSubsystem} instance
 */
public IDBSubsystem getDBSubsystem() {
    final IDBSubsystem db = DBSubsystem.getInstance();
    return db;
}
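/**
 * Enables or disables issuing certificates whose validity starts before the
 * CA certificate's own validity.
 * <p>
 * Only the exact string {@code "true"} enables the flag (case-sensitive,
 * as before); anything else disables it. The raw string is stored in the
 * config unchanged, so a value such as {@code "True"} is persisted yet
 * treated as disabled here.
 *
 * @param enableCAPast {@code "true"} to enable, any other non-null value
 *            to disable.
 * @throws IllegalArgumentException if {@code enableCAPast} is null.
 * @exception EBaseException if the config store rejects the update.
 */
public void setValidity(String enableCAPast) throws EBaseException {
    // Reject null explicitly instead of failing with an NPE inside equals().
    if (enableCAPast == null) {
        throw new IllegalArgumentException("enableCAPast must not be null");
    }
    mEnablePastCATime = "true".equals(enableCAPast);
    mConfig.putString(PROP_ENABLE_PAST_CATIME, enableCAPast);
}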
/**
 * Returns the default certificate validity computed in initDefCaAttrs().
 *
 * @return default validity (config days times DAY)
 */
public long getDefaultValidity() {
    final long validity = mDefaultValidity;
    return validity;
}
/**
 * Returns the CA signing unit's default signature algorithm.
 *
 * @return default signature algorithm of {@code mSigningUnit}
 */
public SignatureAlgorithm getDefaultSignatureAlgorithm() {
    final SignatureAlgorithm alg = mSigningUnit.getDefaultSignatureAlgorithm();
    return alg;
}
/**
 * Returns the CA signing unit's default algorithm name (JCA style).
 *
 * @return default algorithm name of {@code mSigningUnit}
 */
public String getDefaultAlgorithm() {
    final String algname = mSigningUnit.getDefaultAlgorithm();
    return algname;
}
/**
 * Sets the CA signing unit's default algorithm.
 *
 * @param algorithm JCA algorithm name handed to the signing unit as-is
 * @exception EBaseException propagated from the signing unit
 */
public void setDefaultAlgorithm(String algorithm) throws EBaseException {
    final ISigningUnit unit = mSigningUnit;
    unit.setDefaultAlgorithm(algorithm);
}
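/**
 * Returns the next serial number of the certificate repository as a hex
 * string.
 *
 * @return the serial in base 16, or {@code ""} if the repository has none
 *         or the lookup fails.
 */
public String getStartSerial() {
    try {
        BigInteger serial = mCertRepot.getTheSerialNumber();
        return (serial == null) ? "" : serial.toString(16);
    } catch (EBaseException e) {
        // Not expected; record it instead of silently reporting an empty serial.
        CMS.debug(e);
        return "";
    }
}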
/**
 * Sets the next serial number of the certificate repository.
 * <p>
 * NOTE(review): the string is parsed as decimal ({@code new BigInteger(String)}),
 * while {@link #getStartSerial()} reports hex; confirm callers pass the
 * expected radix.
 *
 * @param serial decimal serial number
 * @exception EBaseException propagated from the repository
 */
public void setStartSerial(String serial) throws EBaseException {
    final BigInteger next = new BigInteger(serial);
    mCertRepot.setTheSerialNumber(next);
}
/**
 * Returns the maximum serial number configured on the certificate repository.
 *
 * @return the repository's max serial string, or {@code ""} if unset
 */
public String getMaxSerial() {
    final String max = mCertRepot.getMaxSerial();
    return (max == null) ? "" : max;
}
/**
 * Sets the maximum serial number on the certificate repository.
 *
 * @param serial serial string passed to the repository unchanged
 * @exception EBaseException propagated from the repository
 */
public void setMaxSerial(String serial) throws EBaseException {
    final ICertificateRepository repo = mCertRepot;
    repo.setMaxSerial(serial);
}
/**
 * Returns the certificate repository created in initCaDatabases().
 *
 * @return certificate repository
 */
public ICertificateRepository getCertificateRepository() {
    final ICertificateRepository repo = mCertRepot;
    return repo;
}
/**
 * Returns the replica-ID repository created in initCaDatabases().
 *
 * @return replica repository
 */
public IReplicaIDRepository getReplicaRepository() {
    final IReplicaIDRepository repo = mReplicaRepot;
    return repo;
}
/**
 * Returns the CRL repository created in initCaDatabases().
 *
 * @return CRL repository
 */
public ICRLRepository getCRLRepository() {
    final ICRLRepository repo = mCRLRepot;
    return repo;
}
/**
 * Returns the publisher processor set up by initPublish().
 *
 * @return publisher processor, or null if publishing was never initialized
 */
public IPublisherProcessor getPublisherProcessor() {
    final IPublisherProcessor processor = mPublisherProcessor;
    return processor;
}
/**
 * Looks up a CRL issuing point by id.
 *
 * @param id string id of the CRL issuing point (must not be null; the
 *            backing Hashtable rejects null keys)
 * @return the CRL issuing point, or null if no point has this id
 */
public ICRLIssuingPoint getCRLIssuingPoint(String id) {
    final ICRLIssuingPoint point = mCRLIssuePoints.get(id);
    return point;
}
/**
* Enumerates CRL issuing points
*
*
* @return security service
*/
public Enumeration
*
* @return CA name
*/
/**
 * Returns the CA's issuer name, taken from the CA signing cert in initSigUnit().
 *
 * @return CA name
 */
public X500Name getX500Name() {
    final X500Name name = mName;
    return name;
}
/**
 * Returns the subject name of the CRL signing cert (set in initSigUnit()).
 *
 * @return CRL signer name
 */
public X500Name getCRLX500Name() {
    final X500Name name = mCRLName;
    return name;
}
/**
 * Returns the subject name of the OCSP signing cert (set in initSigUnit()).
 *
 * @return OCSP signer name
 */
public X500Name getOCSPX500Name() {
    final X500Name name = mOCSPName;
    return name;
}
/**
 * Returns the token nickname of the CA signing cert.
 *
 * @return CA signing cert nickname (from the CA signing unit)
 */
public String getNickname() {
    final String nick = mNickname;
    return nick;
}
/**
 * Returns the token nickname of the OCSP signing cert.
 *
 * @return OCSP signing cert nickname (from the OCSP signing unit)
 */
public String getOCSPNickname() {
    final String nick = mOCSPNickname;
    return nick;
}
/**
 * Returns the default (CA certificate) signing unit.
 *
 * @return the CA signing unit
 */
public ISigningUnit getSigningUnit() {
    final ISigningUnit unit = mSigningUnit;
    return unit;
}
/**
 * Returns the CRL signing unit; this is the CA signing unit unless a
 * separate CRL signing substore is configured.
 *
 * @return the CRL signing unit
 */
public ISigningUnit getCRLSigningUnit() {
    final ISigningUnit unit = mCRLSigningUnit;
    return unit;
}
/**
 * Returns the OCSP signing unit; this is the CA signing unit unless a
 * separate OCSP signing substore is configured.
 *
 * @return the OCSP signing unit
 */
public ISigningUnit getOCSPSigningUnit() {
    final ISigningUnit unit = mOCSPSigningUnit;
    return unit;
}
/**
 * Stores the BasicConstraints max path length in the policy config.
 *
 * @param num path length written as a decimal string to
 *            {@code Policy.rule.BasicConstraintsExt.maxPathLen}
 */
public void setBasicConstraintMaxLen(int num) {
    final String value = String.valueOf(num);
    mConfig.putString("Policy.rule.BasicConstraintsExt.maxPathLen", value);
}
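/**
 * Signs a CRL using the CRL signing unit.
 * <p>
 * The signature is computed over {@code crl.getTBSCertList()}; the DER
 * written to {@code tmp}/{@code out} is only used to build the final
 * CertificateList encoding that is handed back to the CRL object.
 *
 * @param crl the CRL to be signed.
 * @param algname JCA signature algorithm name (e.g. SHA256withRSA). If null
 *            the CA signing unit's default algorithm is used.
 * @return the same CRL object with signature and signed encoding set, or
 *         null if the CRL object refused the signature or the encoding.
 * @exception EBaseException if encoding, algorithm lookup or signing fails.
 */
public X509CRLImpl sign(X509CRLImpl crl, String algname)
        throws EBaseException {
    X509CRLImpl signedcrl = null;
    IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
    if (statsSub != null) {
        statsSub.startTiming("signing");
    }
    try {
        DerOutputStream out = new DerOutputStream();
        DerOutputStream tmp = new DerOutputStream();
        if (algname == null) {
            // NOTE(review): the default comes from the CA signing unit but the
            // signature is produced by mCRLSigningUnit; when a separate CRL
            // signing unit is configured, confirm its key supports this algorithm.
            algname = mSigningUnit.getDefaultAlgorithm();
        }
        crl.encodeInfo(tmp);
        AlgorithmId.get(algname).encode(tmp);
        byte[] tbsCertList = crl.getTBSCertList();
        byte[] signature = mCRLSigningUnit.sign(tbsCertList, algname);
        if (!crl.setSignature(signature)) {
            CMS.debug("Failed to add signature to CRL object.");
        } else {
            tmp.putBitString(signature);
            // CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }
            out.write(DerValue.tag_Sequence, tmp);
            if (crl.setSignedCRL(out.toByteArray())) {
                signedcrl = crl;
            } else {
                CMS.debug("Failed to add signed-CRL to CRL object.");
            }
        }
    } catch (CRLException e) {
        throw crlSigningFailure(e);
    } catch (X509ExtensionException e) {
        throw crlSigningFailure(e);
    } catch (NoSuchAlgorithmException e) {
        throw crlSigningFailure(e);
    } catch (IOException e) {
        throw crlSigningFailure(e);
    } finally {
        if (statsSub != null) {
            statsSub.endTiming("signing");
        }
    }
    return signedcrl;
}

/**
 * Logs a CRL signing failure and builds the exception reported to the
 * caller. Shared by every catch branch of {@link #sign(X509CRLImpl, String)}
 * so the log key and user message stay identical across failure types.
 *
 * @param e the underlying failure
 * @return the exception for the caller to throw
 */
private ECAException crlSigningFailure(Exception e) {
    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CRL", e.toString(), e.getMessage()));
    return new ECAException(
            CMS.getUserMessage("CMS_CA_SIGNING_CRL_FAILED", e.getMessage()));
}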
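/**
 * Signs the given certificate info with the CA signing unit.
 * <p>
 * The DER of {@code certInfo} is signed, then wrapped together with the
 * algorithm identifier and the signature in the outer Certificate SEQUENCE.
 *
 * @param certInfo the certificate info to be signed; null is logged and
 *            yields null.
 * @param algname JCA signature algorithm name (e.g. SHA256withRSA). If null
 *            the CA signing unit's default algorithm is used.
 * @return the signed certificate, or null if {@code certInfo} is null or
 *         {@code mFastSigning} holds neither known mode.
 * @exception EBaseException if algorithm lookup, encoding or signing fails.
 */
public X509CertImpl sign(X509CertInfo certInfo, String algname)
        throws EBaseException {
    if (certInfo == null) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_CERTINFO"));
        return null;
    }
    X509CertImpl signedcert = null;
    IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
    if (statsSub != null) {
        statsSub.startTiming("signing");
    }
    try {
        DerOutputStream out = new DerOutputStream();
        DerOutputStream tmp = new DerOutputStream();
        if (algname == null) {
            algname = mSigningUnit.getDefaultAlgorithm();
        }
        CMS.debug("sign cert get algorithm");
        AlgorithmId alg = AlgorithmId.get(algname);
        // encode certificate info; this DER is what gets signed
        CMS.debug("sign cert encoding cert");
        certInfo.encode(tmp);
        byte[] rawCert = tmp.toByteArray();
        // encode algorithm identifier
        CMS.debug("sign cert encoding algorithm");
        alg.encode(tmp);
        CMS.debug("CA cert signing: signing cert");
        byte[] signature = mSigningUnit.sign(rawCert, algname);
        tmp.putBitString(signature);
        // Wrap the signed data in a SEQUENCE { data, algorithm, sig }
        out.write(DerValue.tag_Sequence, tmp);
        switch (mFastSigning) {
        case FASTSIGNING_DISABLED:
            // build the result from the freshly produced DER only
            signedcert = new X509CertImpl(out.toByteArray());
            break;
        case FASTSIGNING_ENABLED:
            // build the result from the DER plus the already-built certInfo
            signedcert = new X509CertImpl(out.toByteArray(), certInfo);
            break;
        default:
            // Previously silent; make the null result diagnosable.
            CMS.debug("sign cert: unexpected fast signing mode " + mFastSigning);
            break;
        }
    } catch (NoSuchAlgorithmException e) {
        throw certSigningFailure(e);
    } catch (IOException e) {
        throw certSigningFailure(e);
    } catch (CertificateException e) {
        throw certSigningFailure(e);
    } finally {
        if (statsSub != null) {
            statsSub.endTiming("signing");
        }
    }
    return signedcert;
}

/**
 * Logs a certificate signing failure and builds the exception reported to
 * the caller. Shared by every catch branch of
 * {@link #sign(X509CertInfo, String)} so the log key and user message stay
 * identical across failure types.
 *
 * @param e the underlying failure
 * @return the exception for the caller to throw
 */
private ECAException certSigningFailure(Exception e) {
    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_SIGN_CERT", e.toString(), e.getMessage()));
    return new ECAException(
            CMS.getUserMessage("CMS_CA_SIGNING_CERT_FAILED", e.getMessage()));
}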
/**
 * Signs raw bytes with the CA signing unit.
 *
 * @param data the bytes to sign.
 * @param algname JCA algorithm name; passed to the signing unit unchanged,
 *            which applies its own default when null.
 * @return the signature bytes.
 * @exception EBaseException propagated from the signing unit.
 */
public byte[] sign(byte[] data, String algname)
        throws EBaseException {
    final ISigningUnit unit = mSigningUnit;
    return unit.sign(data, algname);
}
/**
 * Logs a message under the system event type and CA source.
 *
 * @param level log level (an {@code ILogger.LL_*} value).
 * @param msg the message text.
 */
public void log(int level, String msg) {
    final ILogger logger = mLogger;
    logger.log(ILogger.EV_SYSTEM, ILogger.S_CA, level, msg);
}
/**
 * Returns the CA certificate chain built in initSigUnit().
 *
 * @return this CA's cert chain (null before initSigUnit() ran).
 */
public CertificateChain getCACertChain() {
    final CertificateChain chain = mCACertChain;
    return chain;
}
/**
 * Returns the CA signing certificate.
 * <p>
 * Before initSigUnit() has run (i.e. during configuration) the cert is
 * decoded from the base64 {@code signing.cert} config value instead.
 *
 * @return the CA cert, or null if neither the field nor the config holds
 *         one or the config value cannot be decoded (the error is debug-logged).
 */
public X509CertImpl getCACert() {
    final X509CertImpl cached = mCaCert;
    if (cached != null) {
        return cached;
    }
    try {
        final String b64 = mConfig.getString("signing.cert", null);
        return (b64 == null) ? null : new X509CertImpl(CMS.AtoB(b64));
    } catch (EBaseException e) {
        CMS.debug(e);
    } catch (CertificateException e) {
        CMS.debug(e);
    }
    return null;
}
/**
 * Returns the CA signing cert as the JSS certificate object obtained from
 * the signing unit in initSigUnit().
 *
 * @return JSS CA certificate (null before initSigUnit() ran)
 */
public org.mozilla.jss.crypto.X509Certificate getCaX509Cert() {
    final org.mozilla.jss.crypto.X509Certificate cert = mCaX509Cert;
    return cert;
}
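/**
 * Returns the signature algorithms usable with the CA signing key, cached
 * after the first successful lookup.
 *
 * @return the algorithm names, or null if the CA cert is not initialized
 *         yet, its public key or key algorithm cannot be read, or no
 *         algorithms are known for the key type.
 */
public String[] getCASigningAlgorithms() {
    if (mCASigningAlgorithms != null)
        return mCASigningAlgorithms;
    if (mCaCert == null)
        return null; // CA not inited yet.
    X509Key caPubKey = null;
    try {
        caPubKey = (X509Key) mCaCert.get(X509CertImpl.PUBLIC_KEY);
    } catch (CertificateParsingException e) {
        // Previously swallowed; log so an unreadable CA cert is diagnosable.
        CMS.debug(e);
    }
    if (caPubKey == null)
        return null; // something seriously wrong.
    AlgorithmId alg = caPubKey.getAlgorithmId();
    if (alg == null)
        return null; // something seriously wrong.
    mCASigningAlgorithms = AlgorithmId.getSigningAlgorithms(alg);
    // Guard the length too: an empty array would make [0] throw.
    if (mCASigningAlgorithms == null || mCASigningAlgorithms.length == 0) {
        CMS.debug(
                "CA - no signing algorithms for " + alg.getName());
    } else {
        CMS.debug(
                "CA First signing algorithm is " + mCASigningAlgorithms[0]);
    }
    return mCASigningAlgorithms;
}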
//////////
// Initialization routines.
//
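/**
 * Initializes the CA signing unit, the optional separate CRL and OCSP
 * signing units, and the CA and OCSP certificate chains; then derives the
 * CA/CRL/OCSP issuer names and nicknames from the signing certs.
 * <p>
 * When {@code PROP_CA_CHAIN_NUM} is positive the CA chain is assembled from
 * base64 cert files named in the {@code PROP_CA_CHAIN} substore (cross-cert
 * chains); otherwise it is built by JSS from the signing cert.
 *
 * @exception EBaseException if the crypto token is not initialized, the
 *                chain config is incomplete, or a chain cert cannot be
 *                read, decoded or parsed.
 */
private void initSigUnit()
        throws EBaseException {
    try {
        // init signing unit
        mSigningUnit = new SigningUnit();
        IConfigStore caSigningCfg =
                mConfig.getSubStore(PROP_SIGNING_SUBSTORE);
        mSigningUnit.init(this, caSigningCfg);
        CMS.debug("CA signing unit inited");
        // separate CRL signing unit (for identrus); otherwise share the CA unit
        IConfigStore crlStore = mConfig.getSubStore(PROP_CRL_SIGNING_SUBSTORE);
        if (crlStore != null && crlStore.size() > 0) {
            mCRLSigningUnit = new SigningUnit();
            mCRLSigningUnit.init(this, crlStore);
        } else {
            mCRLSigningUnit = mSigningUnit;
        }
        // init cert chain
        CryptoManager manager = CryptoManager.getInstance();
        int caChainNum =
                caSigningCfg.getInteger(PROP_CA_CHAIN_NUM, 0);
        CMS.debug("cachainNum= " + caChainNum);
        if (caChainNum > 0) {
            // custom build chain (for cross cert chain)
            // audit here ***
            IConfigStore chainStore =
                    caSigningCfg.getSubStore(PROP_CA_CHAIN);
            if (chainStore == null) {
                log(ILogger.LL_FAILURE,
                        CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN",
                                "ca cert chain config error"));
                throw new ECAException(
                        CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED",
                                "ca cert chain config error"));
            }
            java.security.cert.X509Certificate[] implchain =
                    new java.security.cert.X509Certificate[caChainNum];
            for (int i = 0; i < caChainNum; i++) {
                String subtreeName = PROP_CA_CERT + i;
                // cert file name must be full path
                String certFileName =
                        chainStore.getString(subtreeName, null);
                if ((certFileName == null) || certFileName.equals("")) {
                    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", "cert file config error"));
                    throw new ECAException(
                            CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED",
                                    "cert file config error"));
                }
                byte[] b64Bytes = getCertFromFile(certFileName);
                // Base64 text is ASCII; name the charset so decoding does not
                // depend on the platform default.
                String b64String = new String(b64Bytes, "UTF-8");
                byte[] certBytes = KeyCertUtil.convertB64EToByteArray(b64String);
                implchain[i] = new X509CertImpl(certBytes);
            } // for
            mCACertChain = new CertificateChain(implchain);
            CMS.debug("in init - custom built CA cert chain.");
        } else {
            // build ca chain the traditional way
            org.mozilla.jss.crypto.X509Certificate[] chain =
                    manager.buildCertificateChain(mSigningUnit.getCert());
            mCACertChain = new CertificateChain(toX509CertImplChain(chain));
            CMS.debug("in init - got CA chain from JSS.");
        }
        IConfigStore ocspStore = mConfig.getSubStore(PROP_OCSP_SIGNING_SUBSTORE);
        if (ocspStore != null && ocspStore.size() > 0) {
            mOCSPSigningUnit = new SigningUnit();
            mOCSPSigningUnit.init(this, ocspStore);
            CMS.debug("Separate OCSP signing unit inited");
        } else {
            mOCSPSigningUnit = mSigningUnit;
            CMS.debug("Shared OCSP signing unit inited");
        }
        org.mozilla.jss.crypto.X509Certificate[] ocspChain =
                manager.buildCertificateChain(mOCSPSigningUnit.getCert());
        mOCSPCertChain = new CertificateChain(toX509CertImplChain(ocspChain));
        CMS.debug("in init - got OCSP chain from JSS.");
        // init issuer name - take name from the cert.
        mCaX509Cert = mSigningUnit.getCert();
        mCaCert = new X509CertImpl(mCaX509Cert.getEncoded());
        getCASigningAlgorithms();
        mName = (X500Name) mCaCert.getSubjectDN();
        mCRLX509Cert = mCRLSigningUnit.getCert();
        mCRLCert = new X509CertImpl(mCRLX509Cert.getEncoded());
        mCRLName = (X500Name) mCRLCert.getSubjectDN();
        mOCSPX509Cert = mOCSPSigningUnit.getCert();
        mOCSPNickname = mOCSPSigningUnit.getNickname();
        mOCSPCert = new X509CertImpl(mOCSPX509Cert.getEncoded());
        mOCSPName = (X500Name) mOCSPCert.getSubjectDN();
        mNickname = mSigningUnit.getNickname();
        CMS.debug("in init - got CA name " + mName);
    } catch (CryptoManager.NotInitializedException e) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_SIGNING", e.toString()));
        throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED"));
    } catch (CertificateException e) {
        throw chainBuildFailure(e);
    } catch (FileNotFoundException e) {
        throw chainBuildFailure(e);
    } catch (IOException e) {
        throw chainBuildFailure(e);
    } catch (TokenException e) {
        throw chainBuildFailure(e);
    }
}

/**
 * Converts a JSS certificate chain into {@code X509CertImpl} objects,
 * because other subsystems expect that type.
 *
 * @param chain JSS certificates, leaf first as returned by JSS
 * @return the same chain re-parsed as X509CertImpl, same order
 * @throws CertificateException if a cert cannot be encoded or re-parsed
 */
private static java.security.cert.X509Certificate[] toX509CertImplChain(
        org.mozilla.jss.crypto.X509Certificate[] chain) throws CertificateException {
    java.security.cert.X509Certificate[] implchain =
            new java.security.cert.X509Certificate[chain.length];
    for (int i = 0; i < chain.length; i++) {
        implchain[i] = new X509CertImpl(chain[i].getEncoded());
    }
    return implchain;
}

/**
 * Logs a chain-building failure and builds the exception reported to the
 * caller. Shared by the catch branches of {@link #initSigUnit()} so the log
 * key and user message stay identical across failure types.
 *
 * @param e the underlying failure
 * @return the exception for the caller to throw
 */
private ECAException chainBuildFailure(Exception e) {
    if (Debug.ON)
        e.printStackTrace();
    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_OCSP_CHAIN", e.toString()));
    return new ECAException(
            CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString()));
}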
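/**
 * Reads a CA chain certificate file into memory.
 * <p>
 * The bytes are returned exactly as stored (the caller base64-decodes
 * them); no parsing happens here.
 *
 * @param path full path of the certificate file from the chain config.
 * @return the complete file contents.
 * @throws FileNotFoundException if the file cannot be opened.
 * @throws IOException if the file is too large to buffer or ends before
 *             the length reported by the file system was read.
 */
byte[] getCertFromFile(String path)
        throws FileNotFoundException, IOException {
    File file = new File(path);
    long length = file.length();
    // file.length() is a long; silently truncating it to int would give a
    // short buffer for a huge file.
    if (length > Integer.MAX_VALUE) {
        throw new IOException("certificate file too large: " + path);
    }
    byte[] buf = new byte[(int) length];
    FileInputStream in = null;
    try {
        in = new FileInputStream(file);
        // A single read() may return fewer bytes than requested; loop until
        // the buffer is full so a short read cannot yield a truncated cert.
        int off = 0;
        while (off < buf.length) {
            int n = in.read(buf, off, buf.length - off);
            if (n < 0) {
                throw new IOException("unexpected end of file: " + path);
            }
            off += n;
        }
    } finally {
        if (in != null)
            in.close();
    }
    return buf;
}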
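/**
 * Reads the default certificate attributes from config: X.509 version,
 * default validity, past-CA-time and OCSP flags, and fast-signing mode.
 *
 * @exception ECAException if the configured X.509 version is neither
 *                {@code CertificateVersion.V1} nor {@code CertificateVersion.V3}.
 * @exception EBaseException if a config value cannot be read.
 */
private void initDefCaAttrs()
        throws EBaseException {
    int version = mConfig.getInteger(PROP_X509CERT_VERSION,
            CertificateVersion.V3);
    if (version != CertificateVersion.V1 &&
            version != CertificateVersion.V3) {
        throw new ECAException(
                CMS.getUserMessage("CMS_CA_X509CERT_VERSION_NOT_SUPPORTED"));
    }
    try {
        // NOTE(review): the value is validated against the CertificateVersion
        // constants but "version - 1" is passed to the constructor; confirm the
        // constant values and the constructor's convention agree.
        mDefaultCertVersion = new CertificateVersion(version - 1);
    } catch (IOException e) {
        // Not expected for a validated version; log instead of hiding it.
        CMS.debug(e);
    }
    int validity_in_days = mConfig.getInteger(PROP_DEF_VALIDITY, 2 * 365);
    mDefaultValidity = validity_in_days * DAY; // days in config file.
    mEnablePastCATime =
            mConfig.getBoolean(PROP_ENABLE_PAST_CATIME, false);
    mEnableOCSP =
            mConfig.getBoolean(PROP_ENABLE_OCSP, true);
    // only the exact strings "enabled"/"enable" turn fast signing on
    String fs = mConfig.getString(PROP_FAST_SIGNING, "");
    if (fs.equals("enabled") || fs.equals("enable")) {
        mFastSigning = FASTSIGNING_ENABLED;
    } else {
        mFastSigning = FASTSIGNING_DISABLED;
    }
}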
/**
 * Creates the certificate, CRL and replica-ID repositories from config,
 * deriving default LDAP container DNs from this CA's id and the DB base DN
 * where the config gives none.
 * <p>
 * NOTE(review): {@code PROP_CERT_REPOS_DN} and {@code PROP_REPOS_DN} fall
 * back to the same default DN; confirm that is intended.
 *
 * @exception EBaseException if a config value cannot be read or a
 *                repository cannot be created.
 */
private void initCaDatabases()
        throws EBaseException {
    final String caId = getId();
    final String baseDN = getDBSubsystem().getBaseDN();
    final String defaultCertReposDN = "ou=certificateRepository, ou=" + caId + ", " + baseDN;
    // cert repository
    int certdb_inc = mConfig.getInteger(PROP_CERTDB_INC, 5);
    String certReposDN = mConfig.getString(PROP_CERT_REPOS_DN, null);
    if (certReposDN == null) {
        certReposDN = defaultCertReposDN;
    }
    String reposDN = mConfig.getString(PROP_REPOS_DN, null);
    if (reposDN == null) {
        reposDN = defaultCertReposDN;
    }
    int transitMaxRecords = mConfig.getInteger(PROP_CERTDB_TRANS_MAXRECORDS, 1000000);
    int transitRecordPageSize = mConfig.getInteger(PROP_CERTDB_TRANS_PAGESIZE, 200);
    CertificateRepository certRepot = new CertificateRepository(
            DBSubsystem.getInstance(),
            certReposDN, certdb_inc, reposDN);
    certRepot.setTransitMaxRecords(transitMaxRecords);
    certRepot.setTransitRecordPageSize(transitRecordPageSize);
    mCertRepot = certRepot;
    CMS.debug("Cert Repot inited");
    // CRL repository
    int crldb_inc = mConfig.getInteger(PROP_CRLDB_INC, 5);
    mCRLRepot = new CRLRepository(
            DBSubsystem.getInstance(),
            crldb_inc,
            "ou=crlIssuingPoints, ou=" + caId + ", " + baseDN);
    CMS.debug("CRL Repot inited");
    // replica-ID repository
    String replicaReposDN = mConfig.getString(PROP_REPLICAID_DN, null);
    if (replicaReposDN == null) {
        replicaReposDN = "ou=Replica," + baseDN;
    }
    mReplicaRepot = new ReplicaIDRepository(
            DBSubsystem.getInstance(), 1, replicaReposDN);
    CMS.debug("Replica Repot inited");
}
/**
 * init web gateway - just gets the ee gateway for this CA.
 * Currently a no-op: nothing is looked up or stored here; kept so init()
 * has a stable hook for the gateway setup.
 */
private void initWebGateway()
        throws EBaseException {
}
/**
 * Publishes the CA certificate through the publisher processor when
 * publishing is enabled.
 * <p>
 * An {@code ELdapException} is logged and otherwise ignored; it is not
 * treated as fatal for CA startup.
 *
 * @exception EBaseException declared for callers; not thrown by the
 *                current body.
 */
private void startPublish()
        throws EBaseException {
    //xxx Note that CMS411 only support ca cert publishing to ldap
    // if ldap publishing is not enabled while publishing isenabled
    // there will be a lot of problem.
    try {
        if (!mPublisherProcessor.enabled()) {
            return;
        }
        mPublisherProcessor.publishCACert(mCaCert);
        CMS.debug("published ca cert");
    } catch (ELdapException e) {
        // exception not thrown - not seen as a fatal error.
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_PUBLISH", e.toString()));
    }
}
/**
 * Creates and initializes the publisher processor from the
 * {@code PROP_PUBLISH_SUBSTORE} config.
 * <p>
 * An {@code ELdapException} from the processor is logged and swallowed
 * (publishing failure is not fatal); a missing or empty publish substore
 * is fatal.
 *
 * @exception ECAException if the publish substore is missing or empty.
 * @exception EBaseException if the config cannot be read.
 */
private void initPublish()
        throws EBaseException {
    try {
        IConfigStore pubCfg = mConfig.getSubStore(PROP_PUBLISH_SUBSTORE);
        boolean configured = (pubCfg != null) && (pubCfg.size() > 0);
        if (!configured) {
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_NO_PUBLISH"));
            throw new ECAException(
                    CMS.getUserMessage("CMS_CA_INIT_PUBLISH_MODULE_FAILED"));
        }
        mPublisherProcessor = new PublisherProcessor(getId() + "pp");
        mPublisherProcessor.init(this, pubCfg);
        CMS.debug("Publishing inited");
    } catch (ELdapException e) {
        // deliberately not rethrown: the CA starts without publishing
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_CA_ERROR_PUBLISH_MODULE", e.toString()));
    }
}
private void initMiscellaneousListeners() {
IConfigStore lc = null;
IConfigStore implc = null;
IConfigStore instc = null;
mListenerPlugins = new Hashtable