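package org.ejbca.core.protocol.cmp;

import java.io.IOException;
import java.rmi.RemoteException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Properties;

import javax.ejb.CreateException;
import javax.ejb.FinderException;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.X509Name;
import org.ejbca.core.ejb.ServiceLocator;
import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionHome;
import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionRemote;
import org.ejbca.core.ejb.ra.IUserAdminSessionHome;
import org.ejbca.core.ejb.ra.IUserAdminSessionRemote;
import org.ejbca.core.model.InternalResources;
import org.ejbca.core.model.authorization.AuthorizationDeniedException;
import org.ejbca.core.model.ca.SignRequestException;
import org.ejbca.core.model.log.Admin;
import org.ejbca.core.model.ra.NotFoundException;
import org.ejbca.core.protocol.FailInfo;
import org.ejbca.core.protocol.IResponseMessage;
import org.ejbca.core.protocol.ResponseStatus;
import org.ejbca.util.Base64;
import org.ejbca.util.CertTools;

import com.novosec.pkix.asn1.cmp.PKIBody;
import com.novosec.pkix.asn1.cmp.PKIHeader;
import com.novosec.pkix.asn1.cmp.PKIMessage;
import com.novosec.pkix.asn1.cmp.RevDetails;
import com.novosec.pkix.asn1.cmp.RevReqContent;
import com.novosec.pkix.asn1.crmf.CertTemplate;

/**
 * Handles CMP revocation requests (PKIBody type "rr").
 *
 * The only authentication accepted here is PBE (password based MAC) protection of the
 * request, verified with the RA shared secret ("raAuthenticationSecret" property). A
 * request without a senderKID in its header is rejected with an unprotected error
 * response, and a request whose MAC does not verify gets a failure response. On success
 * the certificate identified by issuer/serial in the first RevDetails of the request is
 * revoked through the user admin session bean, and the response is optionally PBE
 * protected with the same secret when "responseProtection" is "pbe".
 *
 * Security notes for maintainers:
 * <ul>
 *   <li>The shared secret must never be written to the log; only log whether one is set.</li>
 *   <li>If no secret is configured the handler fails closed: no request is treated as
 *       authenticated, independent of how {@link CmpPbeVerifyer} treats a null secret.</li>
 * </ul>
 */
public class RevocationMessageHandler implements ICmpMessageHandler {

    private static Logger log = Logger.getLogger(RevocationMessageHandler.class);

    private static final InternalResources intres = InternalResources.getInstance();

    /** RA shared secret used to verify request MACs and protect responses. Never log it. */
    private String raAuthenticationSecret = null;

    /** Response protection mode; only the value "pbe" has an effect in this handler. */
    private String responseProtection = null;

    /** Administrator identity used for store lookups and the revocation itself. */
    private Admin admin;
    private IUserAdminSessionRemote usersession = null;
    private ICertificateStoreSessionRemote storesession = null;

    /**
     * Creates a handler bound to the given administrator and CMP configuration.
     *
     * @param admin administrator on whose behalf revocations are performed
     * @param prop CMP configuration; reads "raAuthenticationSecret" and "responseProtection"
     * @throws CreateException if the EJB session beans cannot be created
     * @throws RemoteException on a remote EJB failure
     */
    public RevocationMessageHandler(Admin admin, Properties prop) throws CreateException, RemoteException {
        String secret = prop.getProperty("raAuthenticationSecret");
        if (StringUtils.isNotEmpty(secret)) {
            // Deliberately log only the fact that a secret is configured, not its value.
            log.debug("raAuthenticationSecret is not null");
            raAuthenticationSecret = secret;
        }
        String protection = prop.getProperty("responseProtection");
        if (StringUtils.isNotEmpty(protection)) {
            log.debug("responseProtection=" + protection);
            responseProtection = protection;
        }
        this.admin = admin;
        IUserAdminSessionHome userHome = (IUserAdminSessionHome) ServiceLocator.getInstance()
                .getRemoteHome(IUserAdminSessionHome.JNDI_NAME, IUserAdminSessionHome.class);
        ICertificateStoreSessionHome storeHome = (ICertificateStoreSessionHome) ServiceLocator.getInstance()
                .getRemoteHome(ICertificateStoreSessionHome.JNDI_NAME, ICertificateStoreSessionHome.class);
        this.usersession = userHome.create();
        this.storesession = storeHome.create();
    }

    /**
     * Verifies the PBE protection of a revocation request and, if it verifies, revokes the
     * requested certificate.
     *
     * @param msg the parsed CMP request
     * @return the response to send back; an unprotected error message when the request
     *         carries no senderKID or protection parameters cannot be computed, a
     *         {@link CmpRevokeResponseMessage} otherwise, or {@code null} if a remote EJB
     *         call failed (the original behaviour for RemoteException)
     */
    public IResponseMessage handleMessage(BaseCmpMessage msg) {
        log.debug(">handleMessage");
        IResponseMessage resp = null;
        // PBE parameters taken from the request; echoed into the response protection when
        // responseProtection is "pbe".
        String owfAlg = null;
        String macAlg = null;
        String keyId = null;
        int iterationCount = 1024;
        PKIHeader head = msg.getHeader();
        DEROctetString os = head.getSenderKID();
        if (os == null) {
            // Without a senderKID the request cannot be PBE protected, and PBE is the only
            // authentication this handler accepts for revocation.
            String errMsg = intres.getLocalizedMessage("cmp.errornoprot");
            return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE, FailInfo.BAD_MESSAGE_CHECK, errMsg);
        }
        // NOTE(review): platform default charset, kept as-is because keyId is sent back to
        // the client as a PBE parameter and changing the decoding could alter the response.
        keyId = new String(os.getOctets());
        log.debug("Found a sender keyId: " + keyId);
        try {
            ResponseStatus status = ResponseStatus.FAILURE;
            FailInfo failInfo = FailInfo.BAD_MESSAGE_CHECK;
            String failText = null;
            CmpPbeVerifyer verifyer = new CmpPbeVerifyer(raAuthenticationSecret, msg.getMessage());
            // Fail closed: a request is never considered authenticated when no RA shared
            // secret is configured, whatever the verifier would do with a null secret.
            boolean verified = (raAuthenticationSecret != null) && verifyer.verify();
            owfAlg = verifyer.getOwfOid();
            macAlg = verifyer.getMacOid();
            iterationCount = verifyer.getIterationCount();
            if (verified) {
                PKIMessage pkimsg = msg.getMessage();
                PKIBody body = pkimsg.getBody();
                RevReqContent rr = body.getRr();
                // Only the first RevDetails is processed; further entries of a batch
                // revocation request are silently ignored. A body that is not an "rr"
                // (null rr) is not guarded here and would surface as a runtime exception.
                RevDetails rd = rr.getRevDetails(0);
                CertTemplate ct = rd.getCertDetails();
                DERInteger serno = ct.getSerialNumber();
                X509Name issuer = ct.getIssuer();
                DERBitString reasonbits = rd.getRevocationReason();
                int reason = CertTools.bitStringToRevokedCertInfo(reasonbits);
                if ((serno != null) && (issuer != null)) {
                    String issuerDN = issuer.toString();
                    String sernoHex = serno.getValue().toString(16);
                    log.info(intres.getLocalizedMessage("cmp.receivedrevreq", issuerDN, sernoHex));
                    try {
                        // Resolve the owning end entity, then revoke; the session bean is
                        // expected to enforce authorization for 'admin'.
                        String username = storesession.findUsernameByCertSerno(admin, serno.getValue(), issuerDN);
                        usersession.revokeCert(admin, serno.getValue(), issuerDN, username, reason);
                        status = ResponseStatus.SUCCESS;
                    } catch (AuthorizationDeniedException e) {
                        failInfo = FailInfo.NOT_AUTHORIZED;
                        failText = intres.getLocalizedMessage("cmp.errornotauthrevoke", issuerDN, sernoHex);
                        log.error(failText);
                    } catch (FinderException e) {
                        failInfo = FailInfo.BAD_CERTIFICATE_ID;
                        failText = intres.getLocalizedMessage("cmp.errorcertnofound", issuerDN, sernoHex);
                        log.error(failText);
                    }
                } else {
                    // At least one of issuer/serno is null here, so format them null-safely;
                    // dereferencing both would throw NPE on exactly the input being reported.
                    failInfo = FailInfo.BAD_CERTIFICATE_ID;
                    String issuerStr = (issuer == null) ? "null" : issuer.toString();
                    String sernoStr = (serno == null) ? "null" : serno.getValue().toString(16);
                    failText = intres.getLocalizedMessage("cmp.errormissingissuerrevoke", issuerStr, sernoStr);
                    log.error(failText);
                }
            } else {
                String errMsg = intres.getLocalizedMessage("cmp.errorauthmessage");
                log.error(errMsg);
                failText = errMsg;
                // Prefer the verifier's own diagnostic when it provides one.
                if (verifyer.getErrMsg() != null) {
                    failText = verifyer.getErrMsg();
                }
            }
            log.debug("Creating a PKI revocation message response");
            CmpRevokeResponseMessage rresp = new CmpRevokeResponseMessage();
            rresp.setRecipientNonce(msg.getSenderNonce());
            rresp.setSenderNonce(new String(Base64.encode(CmpMessageHelper.createSenderNonce())));
            rresp.setSender(msg.getRecipient());
            rresp.setRecipient(msg.getSender());
            rresp.setTransactionId(msg.getTransactionId());
            rresp.setFailInfo(failInfo);
            rresp.setFailText(failText);
            rresp.setStatus(status);
            // Log the protection parameters but never the shared secret itself.
            if (log.isDebugEnabled()) {
                log.debug("responseProtection=" + responseProtection + ", owfAlg=" + owfAlg + ", macAlg=" + macAlg
                        + ", keyId=" + keyId + ", raAuthenticationSecret configured=" + (raAuthenticationSecret != null));
            }
            if (StringUtils.equals(responseProtection, "pbe") && (owfAlg != null) && (macAlg != null)
                    && (keyId != null) && (raAuthenticationSecret != null)) {
                rresp.setPbeParameters(keyId, raAuthenticationSecret, owfAlg, macAlg, iterationCount);
            }
            resp = rresp;
            try {
                resp.create();
            } catch (InvalidKeyException e) {
                logGeneralError(e);
            } catch (NoSuchAlgorithmException e) {
                logGeneralError(e);
            } catch (NoSuchProviderException e) {
                logGeneralError(e);
            } catch (SignRequestException e) {
                logGeneralError(e);
            } catch (NotFoundException e) {
                logGeneralError(e);
            } catch (IOException e) {
                logGeneralError(e);
            }
        } catch (NoSuchAlgorithmException e) {
            resp = protectionError(msg, e);
        } catch (NoSuchProviderException e) {
            resp = protectionError(msg, e);
        } catch (InvalidKeyException e) {
            resp = protectionError(msg, e);
        } catch (RemoteException e) {
            String errMsg = intres.getLocalizedMessage("cmp.errorrevoke");
            log.error(errMsg, e);
            resp = null;
        }
        return resp;
    }

    /** Logs a failure to build the response message with the generic CMP error text. */
    private void logGeneralError(Exception e) {
        String errMsg = intres.getLocalizedMessage("cmp.errorgeneral");
        log.error(errMsg, e);
    }

    /**
     * Logs a failure to verify/compute the message protection and builds the unprotected
     * error response returned to the client for it.
     */
    private IResponseMessage protectionError(BaseCmpMessage msg, Exception e) {
        String errMsg = intres.getLocalizedMessage("cmp.errorcalcprotection");
        log.error(errMsg, e);
        return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE, FailInfo.BAD_MESSAGE_CHECK, e.getMessage());
    }

}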