List of usage examples for javax.ejb FinderException FinderException
public FinderException(String message)
From source file:org.ejbca.core.ejb.ca.store.CertificateStoreSessionBean.java
/**
 * Helper method to set the status of a certificate to revoked or active. Re-activating (unrevoking) a
 * certificate has two limitations:
 * 1. A password (for example in AD) will not be restored if deleted; only the certificate, its status and
 *    associated info are restored.
 * 2. ExtendedInformation, if used by a publisher, will not be used when re-activating a certificate.
 *
 * The method leaves it up to the caller to find the correct publishers and userDataDN.
 *
 * Behaviour, decided from the stored status/reason and the requested reason:
 *  - not yet revoked and a real revocation reason: status becomes CERT_REVOKED, the revocation is logged
 *    (EVENT_INFO_REVOKEDCERT) and propagated to the given publishers;
 *  - reason is NOT_REVOKED or REMOVEFROMCRL and the stored reason is CERTIFICATE_HOLD: status becomes
 *    CERT_ACTIVE, the stored reason becomes REMOVEFROMCRL, the revocation date is cleared and the certificate
 *    is re-published; a failed re-publish is only logged, the status change stands;
 *  - anything else (already revoked for good, or unrevoke of a certificate not on hold) is ignored and
 *    logged with "store.ignorerevoke".
 *
 * @param admin Administrator performing the operation
 * @param certificate the certificate to revoke or activate; null is silently ignored.
 * @param revokedate the revocation date to store and pass on to the publishers. It is dereferenced on the
 *        revoke path, so it must not be null there.
 * @param publishers a collection of publisher ids (Integer) of publishers to revoke/re-publish the certificate in.
 * @param reason the reason of the revocation. (One of the RevokedCertInfo.REVOCATION_REASON constants.)
 * @param userDataDN if a DN object is not found in the certificate, use the object from user data instead.
 * @throws FinderException if no CertificateData row matches the certificate's fingerprint
 */
private void setRevokeStatus(Admin admin, Certificate certificate, Date revokedate, Collection<Integer> publishers, int reason, String userDataDN) throws FinderException {
    if (certificate == null) {
        return;
    }
    if (log.isTraceEnabled()) {
        log.trace(">private setRevokeStatus(Certificate), issuerdn=" + CertTools.getIssuerDN(certificate) + ", serno=" + CertTools.getSerialNumberAsString(certificate));
    }
    CertificateData rev = CertificateData.findByFingerprint(entityManager, CertTools.getFingerprintAsString(certificate));
    if (rev == null) {
        throw new FinderException("No certificate with fingerprint " + CertTools.getFingerprintAsString(certificate));
    }
    String username = rev.getUsername();
    String cafp = rev.getCaFingerprint();
    int type = rev.getType();
    Date now = new Date();
    // The CA id is the hash of the issuer DN (the same derivation revokeCert in the RA session uses).
    final int caid = rev.getIssuerDN().hashCode();
    // A normal revocation
    if ((rev.getStatus() != SecConst.CERT_REVOKED) && (reason != RevokedCertInfo.NOT_REVOKED) && (reason != RevokedCertInfo.REVOCATION_REASON_REMOVEFROMCRL)) {
        rev.setStatus(SecConst.CERT_REVOKED);
        rev.setRevocationDate(revokedate);
        rev.setUpdateTime(now.getTime());
        rev.setRevocationReason(reason);
        String msg = intres.getLocalizedMessage("store.revokedcert", Integer.valueOf(reason));
        logSession.log(admin, caid, LogConstants.MODULE_CA, new Date(), null, certificate, LogConstants.EVENT_INFO_REVOKEDCERT, msg);
        // Revoke in all related publishers
        publisherSession.revokeCertificate(admin, publishers, certificate, username, userDataDN, cafp, type, reason, revokedate.getTime(), rev.getTag(), rev.getCertificateProfileId(), now.getTime());
        // Unrevoke, can only be done when the certificate was previously revoked with reason CertificateHold
    } else if (((reason == RevokedCertInfo.NOT_REVOKED) || (reason == RevokedCertInfo.REVOCATION_REASON_REMOVEFROMCRL)) && (rev.getRevocationReason() == RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD)) {
        // Only allow unrevocation if the stored revocation reason is CERTIFICATE_HOLD (the status itself is
        // not checked here; a non-revoked certificate is not expected to carry that reason).
        int status = SecConst.CERT_ACTIVE;
        rev.setStatus(status);
        long revocationDate = -1L; // A null Date to setRevocationDate will result in -1 stored in long column
        rev.setRevocationDate(null);
        rev.setUpdateTime(now.getTime());
        final int revocationReason = RevokedCertInfo.REVOCATION_REASON_REMOVEFROMCRL;
        rev.setRevocationReason(revocationReason);
        // Republish the certificate if possible
        // Republishing will not restore a password, for example in AD, it will only re-activate the certificate.
        String password = null;
        boolean published = publisherSession.storeCertificate(admin, publishers, certificate, username, password, userDataDN, cafp, status, type, revocationDate, revocationReason, rev.getTag(), rev.getCertificateProfileId(), now.getTime(), null);
        if (published) {
            final String msg = intres.getLocalizedMessage("store.republishunrevokedcert", Integer.valueOf(reason));
            logSession.log(admin, caid, LogConstants.MODULE_CA, new Date(), null, certificate, LogConstants.EVENT_INFO_NOTIFICATION, msg);
        } else {
            // If it is not possible, only log but continue the operation of unrevoking the certificate
            final String msg = "Unrevoked cert:" + CertTools.getSerialNumberAsString(certificate) + " reason: " + reason + " Could not be republished.";
            logSession.log(admin, caid, LogConstants.MODULE_CA, new Date(), null, certificate, LogConstants.EVENT_INFO_NOTIFICATION, msg);
        }
    } else {
        // Neither a fresh revocation nor a valid unrevoke: leave the row untouched and record why.
        String msg = intres.getLocalizedMessage("store.ignorerevoke", CertTools.getSerialNumberAsString(certificate), Integer.valueOf(rev.getStatus()), Integer.valueOf(reason));
        logSession.log(admin, caid, LogConstants.MODULE_CA, new Date(), null, certificate, LogConstants.EVENT_INFO_NOTIFICATION, msg);
    }
    if (log.isTraceEnabled()) {
        log.trace("<private setRevokeStatus(), issuerdn=" + CertTools.getIssuerDN(certificate) + ", serno=" + CertTools.getSerialNumberAsString(certificate));
    }
}
From source file:org.ejbca.core.ejb.ra.EndEntityManagementSessionBean.java
/**
 * Resets the remaining-login-attempts counter of an end entity via resetRemainingLoginAttemptsInternal and
 * bumps the modification time. An end entity without ExtendedInformation is left untouched.
 *
 * @param username the unique username of the end entity
 * @throws FinderException if no end entity with that username exists; the message is the generic
 *         "ra.wrongusernameorpassword" text so the caller cannot tell a missing user from a wrong password
 *         (the precise reason is written to the server log only)
 */
@Override
public void resetRemainingLoginAttempts(String username) throws FinderException {
    if (log.isTraceEnabled()) {
        log.trace(">resetRamainingLoginAttempts(" + username + ")");
    }
    final UserData entity = UserData.findByUsername(entityManager, username);
    if (entity == null) {
        // Detailed reason for the operator ...
        log.info(intres.getLocalizedMessage("ra.errorentitynotexist", username));
        // ... generic message towards the caller.
        final String genericMsg = intres.getLocalizedMessage("ra.wrongusernameorpassword");
        log.info(genericMsg);
        throw new FinderException(genericMsg);
    }
    final int caid = entity.getCaId();
    final ExtendedInformation extendedInfo = entity.getExtendedInformation();
    if (extendedInfo != null) {
        resetRemainingLoginAttemptsInternal(extendedInfo, username, caid);
        entity.setTimeModified(new Date().getTime());
        entity.setExtendedInformation(extendedInfo);
    }
    // The method has no computed result; the exit trace has always reported -1.
    final int traceValue = -1;
    if (log.isTraceEnabled()) {
        log.trace("<resetRamainingLoginAttempts(" + username + "): " + traceValue);
    }
}
From source file:org.ejbca.core.ejb.ra.EndEntityManagementSessionBean.java
/**
 * Decreases the remaining-login-attempts counter of an end entity by one.
 * Counter values as handled here: -1 means unlimited and nothing is written; 0 means the attempts are already
 * exhausted, so the end entity is moved to STATUS_GENERATED (unless it is there already) and the counter is
 * reset via resetRemainingLoginAttemptsInternal; any other value is decremented and persisted.
 * An end entity without ExtendedInformation is left untouched.
 *
 * @param username the unique username of the end entity
 * @throws FinderException if no end entity with that username exists; the message is the generic
 *         "ra.wrongusernameorpassword" text so the caller cannot tell a missing user from a wrong password
 */
@Override
public void decRemainingLoginAttempts(String username) throws FinderException {
    if (log.isTraceEnabled()) {
        log.trace(">decRemainingLoginAttempts(" + username + ")");
    }
    final UserData entity = UserData.findByUsername(entityManager, username);
    if (entity == null) {
        log.info(intres.getLocalizedMessage("ra.errorentitynotexist", username));
        // This exception message is used to not leak information to the user
        final String genericMsg = intres.getLocalizedMessage("ra.wrongusernameorpassword");
        throw new FinderException(genericMsg);
    }
    // Value reported in the exit trace; MAX_VALUE stands for "no counter" or "unlimited".
    int remaining = Integer.MAX_VALUE;
    final int caid = entity.getCaId();
    final ExtendedInformation extendedInfo = entity.getExtendedInformation();
    if (extendedInfo != null) {
        remaining = extendedInfo.getRemainingLoginAttempts();
        switch (remaining) {
        case 0:
            // Attempts exhausted: lock the end entity by moving it to GENERATED, if it is not there already.
            if (entity.getStatus() != EndEntityConstants.STATUS_GENERATED) {
                entity.setStatus(EndEntityConstants.STATUS_GENERATED);
                final String exhaustedMsg = intres.getLocalizedMessage("ra.decreasedloginattemptscounter", username, remaining);
                log.info(exhaustedMsg);
                resetRemainingLoginAttemptsInternal(extendedInfo, username, caid);
                entity.setTimeModified(new Date().getTime());
                entity.setExtendedInformation(extendedInfo);
            }
            break;
        case -1:
            if (log.isDebugEnabled()) {
                log.debug("Found a remaining login counter with value UNLIMITED, not decreased in db.");
            }
            remaining = Integer.MAX_VALUE;
            break;
        default:
            if (log.isDebugEnabled()) {
                log.debug("Found a remaining login counter with value " + remaining);
            }
            remaining--;
            extendedInfo.setRemainingLoginAttempts(remaining);
            entity.setExtendedInformation(extendedInfo);
            final String decreasedMsg = intres.getLocalizedMessage("ra.decreasedloginattemptscounter", username, remaining);
            log.info(decreasedMsg);
            break;
        }
    }
    if (log.isTraceEnabled()) {
        log.trace("<decRemainingLoginAttempts(" + username + "): " + remaining);
    }
}
From source file:org.ejbca.core.ejb.ra.EndEntityManagementSessionBean.java
/**
 * Decreases the (optional) request counter of an end entity and clears its stored certificate serial number.
 *
 * The counter lives in the ExtendedInformation custom data under CUSTOM_REQUESTCOUNTER. If it is absent, or
 * the end entity has no ExtendedInformation at all, the method behaves as if one request had been allowed and
 * reports 0. Whenever the resulting value is 0 or less, the end entity is moved to STATUS_GENERATED using a
 * local always-allow token, i.e. without any authorization check against a calling administrator. An
 * unparsable counter value is logged and likewise leaves the counter at 0, so a corrupt counter fails closed.
 *
 * @param username the unique username of the end entity
 * @return the counter value after decreasing; 0 when no counter exists, -1 when the stored counter was already 0
 * @throws FinderException if no end entity with that username exists (generic "ra.wrongusernameorpassword" message)
 * @throws ApprovalException propagated from setUserStatus
 * @throws WaitingForApprovalException propagated from setUserStatus
 */
@Override
public int decRequestCounter(String username) throws FinderException, ApprovalException, WaitingForApprovalException {
    if (log.isTraceEnabled()) {
        log.trace(">decRequestCounter(" + username + ")");
    }
    // Default return value is as if the optional value does not exist for
    // the user, i.e. the default value is 0
    // because the default number of allowed requests is 1
    int counter = 0;
    // Look up the end entity. Note: no caller authorization check is made in this method.
    UserData data1 = UserData.findByUsername(entityManager, username);
    if (data1 != null) {
        // Do the work of decreasing the counter
        ExtendedInformation ei = data1.getExtendedInformation();
        if (ei != null) {
            String counterstr = ei.getCustomData(ExtendedInformationFields.CUSTOM_REQUESTCOUNTER);
            boolean serialNumberCleared = false;
            if (StringUtils.isNotEmpty(counterstr)) {
                try {
                    counter = Integer.valueOf(counterstr);
                    if (log.isDebugEnabled()) {
                        log.debug("Found a counter with value " + counter);
                    }
                    // decrease the counter, if we get to 0 we must set
                    // status to generated
                    counter--;
                    if (counter >= 0) {
                        ei.setCustomData(ExtendedInformationFields.CUSTOM_REQUESTCOUNTER, String.valueOf(counter));
                        ei.setCertificateSerialNumber(null);// cert serial number should also be cleared after successful command.
                        data1.setExtendedInformation(ei);
                        serialNumberCleared = true;
                        final Date now = new Date();
                        if (counter > 0) { // if 0 then update when changing type
                            data1.setTimeModified(now.getTime());
                        }
                        String msg = intres.getLocalizedMessage("ra.decreasedentityrequestcounter", username, counter);
                        log.info(msg);
                    } else {
                        if (log.isDebugEnabled()) {
                            log.debug("Counter value was already 0, not decreased in db.");
                        }
                    }
                } catch (NumberFormatException e) {
                    // counter is still 0 here, so the end entity ends up GENERATED below.
                    String msg = intres.getLocalizedMessage("ra.errorrequestcounterinvalid", username, counterstr, e.getMessage());
                    log.error(msg, e);
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("No (optional) request counter exists for end entity: " + username);
                }
            }
            // Clear the serial number also when the counter branch above did not already do so.
            if (!serialNumberCleared && ei.certificateSerialNumber() != null) {
                ei.setCertificateSerialNumber(null);// cert serial number should also be cleared after successful command.
                data1.setExtendedInformation(ei);
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("No extended information exists for user: " + data1.getUsername());
            }
        }
    } else {
        log.info(intres.getLocalizedMessage("ra.errorentitynotexist", username));
        // This exception message is used to not leak information to the user
        String msg = intres.getLocalizedMessage("ra.wrongusernameorpassword");
        log.info(msg);
        throw new FinderException(msg);
    }
    if (counter <= 0) {
        // Internal status change: an always-allow token is used, so setUserStatus cannot fail on authorization.
        AuthenticationToken admin = new AlwaysAllowLocalAuthenticationToken(new UsernamePrincipal("Local admin call from EndEntityManagementSession.decRequestCounter"));
        try {
            setUserStatus(admin, data1, EndEntityConstants.STATUS_GENERATED);
        } catch (AuthorizationDeniedException e) {
            log.error("Authorization was denied for an AlwaysAllowLocalAuthenticationToken", e);
        }
    }
    if (log.isTraceEnabled()) {
        log.trace("<decRequestCounter(" + username + "): " + counter);
    }
    return counter;
}
From source file:org.ejbca.core.ejb.ra.EndEntityManagementSessionBean.java
/**
 * Clears the certificate serial number stored in the ExtendedInformation of an end entity. End entities
 * without ExtendedInformation are left unchanged (debug-logged only). The exit trace is written from a
 * finally block, so it also appears when the lookup fails.
 *
 * @param username the unique username of the end entity
 * @throws FinderException if no end entity with that username exists; the message is the generic
 *         "ra.wrongusernameorpassword" text so the caller cannot tell a missing user from a wrong password
 * @throws ApprovalException declared by the interface, not thrown directly by this implementation
 * @throws WaitingForApprovalException declared by the interface, not thrown directly by this implementation
 */
@Override
public void cleanUserCertDataSN(String username) throws FinderException, ApprovalException, WaitingForApprovalException {
    if (log.isTraceEnabled()) {
        log.trace(">cleanUserCertDataSN(" + username + ")");
    }
    try {
        final UserData entity = UserData.findByUsername(entityManager, username);
        if (entity == null) {
            log.info(intres.getLocalizedMessage("ra.errorentitynotexist", username));
            // Generic message towards the caller; the precise reason is only in the server log above.
            final String genericMsg = intres.getLocalizedMessage("ra.wrongusernameorpassword");
            log.info(genericMsg);
            throw new FinderException(genericMsg);
        }
        final ExtendedInformation extendedInfo = entity.getExtendedInformation();
        if (extendedInfo != null) {
            extendedInfo.setCertificateSerialNumber(null);
            entity.setExtendedInformation(extendedInfo);
        } else if (log.isDebugEnabled()) {
            log.debug("No extended information exists for user: " + entity.getUsername());
        }
    } finally {
        if (log.isTraceEnabled()) {
            log.trace("<cleanUserCertDataSN(" + username + ")");
        }
    }
}
From source file:org.ejbca.core.ejb.ra.EndEntityManagementSessionBean.java
/**
 * Sets the status of an end entity identified by username, after checking that the administrator is
 * authorized to the end entity's CA and, when end entity profile limitations are enabled, to edit end
 * entities in its end entity profile. The status change itself is delegated to
 * setUserStatus(AuthenticationToken, UserData, int).
 *
 * NOTE(review): the existence lookup runs before the authorization checks, so an administrator without
 * rights to the CA receives FinderException for an unknown username but AuthorizationDeniedException for a
 * known one; the generic "ra.wrongusernameorpassword" text does not hide that difference. Whether this
 * matters depends on who may reach this session bean.
 *
 * @param admin the administrator performing the action
 * @param username the unique username of the end entity
 * @param status the new status, e.g. EndEntityConstants.STATUS_GENERATED
 * @throws AuthorizationDeniedException if admin is not authorized to the CA or the end entity profile
 * @throws FinderException if no end entity with that username exists
 * @throws ApprovalException propagated from the delegate
 * @throws WaitingForApprovalException propagated from the delegate
 */
@Override
public void setUserStatus(final AuthenticationToken admin, final String username, final int status) throws AuthorizationDeniedException, FinderException, ApprovalException, WaitingForApprovalException {
    if (log.isTraceEnabled()) {
        log.trace(">setUserStatus(" + username + ", " + status + ")");
    }
    final UserData entity = UserData.findByUsername(entityManager, username);
    if (entity == null) {
        log.info(intres.getLocalizedMessage("ra.errorentitynotexist", username));
        // This exception message is used to not leak information to the user
        final String genericMsg = intres.getLocalizedMessage("ra.wrongusernameorpassword");
        log.info(genericMsg);
        throw new FinderException(genericMsg);
    }
    // CA-level authorization always, profile-level only when the global configuration asks for it.
    final int caid = entity.getCaId();
    assertAuthorizedToCA(admin, caid);
    final boolean profileLimitations = getGlobalConfiguration().getEnableEndEntityProfileLimitations();
    if (profileLimitations) {
        assertAuthorizedToEndEntityProfile(admin, entity.getEndEntityProfileId(), AccessRulesConstants.EDIT_END_ENTITY, caid);
    }
    setUserStatus(admin, entity, status);
}
From source file:org.ejbca.core.ejb.ra.EndEntityManagementSessionBean.java
/**
 * Sets a password, hashed or clear text, for a user.
 *
 * The end entity profile may replace the supplied password with an auto-generated one
 * (useAutoGeneratedPasswd); the generated value is what gets stored. Note that the profile fulfilment check
 * below is made against the supplied {@code password}, not the generated one. A null password together with
 * {@code cleartext == true} clears both the clear-text password and the password hash. The outcome is written
 * to the audit log as RA_EDITENDENTITY (FAILURE on profile violation, SUCCESS otherwise); the password itself
 * never appears in log or trace output ("hiddenpwd").
 *
 * @param admin the administrator performing the action
 * @param username the unique username.
 * @param password the new password to be stored in clear text. Setting password to 'null' effectively deletes any previous clear text password.
 * @param cleartext true gives cleartext password, false hashed
 * @throws UserDoesntFullfillEndEntityProfile if profile limitations are enabled and the password does not
 *         satisfy the end entity profile (audit-logged as FAILURE before being rethrown)
 * @throws AuthorizationDeniedException if admin may not edit end entities of this profile or CA
 * @throws FinderException if no end entity with that username exists
 * @throws EJBException wrapping a NoSuchAlgorithmException from password hashing
 */
private void setPassword(final AuthenticationToken admin, final String username, final String password, final boolean cleartext) throws UserDoesntFullfillEndEntityProfile, AuthorizationDeniedException, FinderException {
    if (log.isTraceEnabled()) {
        log.trace(">setPassword(" + username + ", hiddenpwd), " + cleartext);
    }
    // Find user
    String newpasswd = password;
    final UserData data = UserData.findByUsername(entityManager, username);
    if (data == null) {
        throw new FinderException("Could not find user " + username);
    }
    final int caid = data.getCaId();
    final String dn = data.getSubjectDN();
    final int endEntityProfileId = data.getEndEntityProfileId();
    final EndEntityProfile profile = endEntityProfileSession.getEndEntityProfileNoClone(endEntityProfileId);
    if (profile.useAutoGeneratedPasswd()) {
        // The profile dictates the password; the caller's value is not stored in that case.
        newpasswd = profile.getAutoGeneratedPasswd();
    }
    if (getGlobalConfiguration().getEnableEndEntityProfileLimitations()) {
        // Check if the user fulfills its profile. This checks the supplied password, not newpasswd.
        try {
            profile.doesPasswordFulfillEndEntityProfile(password, true);
        } catch (UserDoesntFullfillEndEntityProfile ufe) {
            final String msg = intres.getLocalizedMessage("ra.errorfullfillprofile", Integer.valueOf(endEntityProfileId), dn, ufe.getMessage());
            Map<String, Object> details = new LinkedHashMap<String, Object>();
            details.put("msg", msg);
            auditSession.log(EjbcaEventTypes.RA_EDITENDENTITY, EventStatus.FAILURE, EjbcaModuleTypes.RA, ServiceTypes.CORE, admin.toString(), String.valueOf(caid), null, username, details);
            throw ufe;
        }
        // Check if administrator is authorized to edit user.
        assertAuthorizedToEndEntityProfile(admin, data.getEndEntityProfileId(), AccessRulesConstants.EDIT_END_ENTITY, caid);
    }
    assertAuthorizedToCA(admin, caid);
    try {
        final Date now = new Date();
        if ((newpasswd == null) && (cleartext)) {
            // Deleting the clear-text password also wipes the stored hash.
            data.setClearPassword("");
            data.setPasswordHash("");
            data.setTimeModified(now.getTime());
        } else {
            if (cleartext) {
                data.setOpenPassword(newpasswd);
            } else {
                // NOTE(review): newpasswd may be null here (null password, cleartext == false); how
                // setPassword handles that is not visible in this file.
                data.setPassword(newpasswd);
            }
            data.setTimeModified(now.getTime());
        }
        final String msg = intres.getLocalizedMessage("ra.editpwdentity", username);
        Map<String, Object> details = new LinkedHashMap<String, Object>();
        details.put("msg", msg);
        auditSession.log(EjbcaEventTypes.RA_EDITENDENTITY, EventStatus.SUCCESS, EjbcaModuleTypes.RA, ServiceTypes.CORE, admin.toString(), String.valueOf(caid), null, username, details);
    } catch (NoSuchAlgorithmException nsae) {
        log.error("NoSuchAlgorithmException while setting password for user " + username);
        throw new EJBException(nsae);
    }
    if (log.isTraceEnabled()) {
        log.trace("<setPassword(" + username + ", hiddenpwd), " + cleartext);
    }
}
From source file:org.ejbca.core.ejb.ra.EndEntityManagementSessionBean.java
/**
 * Checks whether the given password matches the credential stored for an end entity. The administrator must
 * be authorized to the end entity's CA and, when end entity profile limitations are enabled, to edit end
 * entities in its profile; both checks run before the password is compared. The password is never written
 * to the trace log ("hiddenpwd").
 *
 * @param admin the administrator performing the check
 * @param username the unique username of the end entity
 * @param password the password to verify
 * @return the result of UserData.comparePassword for the stored credential
 * @throws UserDoesntFullfillEndEntityProfile declared by the interface, not thrown directly by this implementation
 * @throws AuthorizationDeniedException if admin is not authorized to the CA or the end entity profile
 * @throws FinderException if no end entity with that username exists
 * @throws EJBException wrapping a NoSuchAlgorithmException from the password comparison
 */
@Override
public boolean verifyPassword(AuthenticationToken admin, String username, String password) throws UserDoesntFullfillEndEntityProfile, AuthorizationDeniedException, FinderException {
    if (log.isTraceEnabled()) {
        log.trace(">verifyPassword(" + username + ", hiddenpwd)");
    }
    final UserData entity = UserData.findByUsername(entityManager, username);
    if (entity == null) {
        throw new FinderException("Could not find user " + username);
    }
    final int caid = entity.getCaId();
    if (getGlobalConfiguration().getEnableEndEntityProfileLimitations()) {
        // Profile-level authorization first, CA-level authorization below; both precede the comparison.
        assertAuthorizedToEndEntityProfile(admin, entity.getEndEntityProfileId(), AccessRulesConstants.EDIT_END_ENTITY, caid);
    }
    assertAuthorizedToCA(admin, caid);
    final boolean matches;
    try {
        matches = entity.comparePassword(password);
    } catch (NoSuchAlgorithmException nsae) {
        log.debug("NoSuchAlgorithmException while verifying password for user " + username);
        throw new EJBException(nsae);
    }
    if (log.isTraceEnabled()) {
        log.trace("<verifyPassword(" + username + ", hiddenpwd)");
    }
    return matches;
}
From source file:org.ejbca.core.ejb.ra.EndEntityManagementSessionBean.java
/**
 * Revokes an end entity: every certificate found for the username is revoked with the given reason
 * (certificates that are already revoked are skipped with a debug message), the end entity's status is then
 * set to STATUS_REVOKED, and a RA_REVOKEDENDENTITY audit entry is written.
 *
 * Authorization to the CA and, when profile limitations are enabled, to revoke end entities of the end entity
 * profile is checked first. If the CA requires approvals for revocation and the request is approvable, an
 * approval request is queued and WaitingForApprovalException is thrown before anything is revoked.
 *
 * @param admin the administrator performing the revocation
 * @param username the unique username of the end entity
 * @param reason one of the RevokedCertInfo revocation reason constants
 * @throws AuthorizationDeniedException if admin may not revoke in this CA or end entity profile
 * @throws FinderException if no end entity with that username exists
 * @throws ApprovalException propagated from the per-certificate revocation
 * @throws WaitingForApprovalException if the revocation has been queued for approval
 * @throws AlreadyRevokedException if an unrevoke reason (NOT_REVOKED or REMOVEFROMCRL) is requested for an
 *         end entity whose status is already STATUS_REVOKED
 */
@Override
public void revokeUser(AuthenticationToken admin, String username, int reason) throws AuthorizationDeniedException, FinderException, ApprovalException, WaitingForApprovalException, AlreadyRevokedException {
    if (log.isTraceEnabled()) {
        log.trace(">revokeUser(" + username + ")");
    }
    final UserData entity = UserData.findByUsername(entityManager, username);
    if (entity == null) {
        throw new FinderException("Could not find user " + username);
    }
    final int caid = entity.getCaId();
    assertAuthorizedToCA(admin, caid);
    if (getGlobalConfiguration().getEnableEndEntityProfileLimitations()) {
        assertAuthorizedToEndEntityProfile(admin, entity.getEndEntityProfileId(), AccessRulesConstants.REVOKE_END_ENTITY, caid);
    }
    // An "unrevoke" reason is rejected for an end entity that is already revoked.
    final boolean unrevokeReason = reason == RevokedCertInfo.NOT_REVOKED || reason == RevokedCertInfo.REVOCATION_REASON_REMOVEFROMCRL;
    if (entity.getStatus() == EndEntityConstants.STATUS_REVOKED && unrevokeReason) {
        final String invalidReasonMsg = intres.getLocalizedMessage("ra.errorinvalidrevokereason", entity.getUsername(), reason);
        log.info(invalidReasonMsg);
        throw new AlreadyRevokedException(invalidReasonMsg);
    }
    // Approval handling: queue a request and stop here if the CA demands approvals for revocation.
    final int approvalsNeeded = getNumOfApprovalRequired(CAInfo.REQ_APPROVAL_REVOCATION, caid, entity.getCertificateProfileId());
    if (approvalsNeeded > 0) {
        final RevocationApprovalRequest approvalRequest = new RevocationApprovalRequest(false, username, reason, admin, approvalsNeeded, caid, entity.getEndEntityProfileId());
        if (ApprovalExecutorUtil.requireApproval(approvalRequest, NONAPPROVABLECLASSNAMES_REVOKEUSER)) {
            approvalSession.addApprovalRequest(admin, approvalRequest);
            throw new WaitingForApprovalException(intres.getLocalizedMessage("ra.approvalrevoke"));
        }
    }
    // Revoke every certificate of the end entity, one at a time; already revoked ones are skipped.
    final Collection<Certificate> userCerts = certificateStoreSession.findCertificatesByUsername(username);
    for (final Certificate userCert : userCerts) {
        try {
            revokeCert(admin, CertTools.getSerialNumber(userCert), CertTools.getIssuerDN(userCert), reason);
        } catch (AlreadyRevokedException e) {
            if (log.isDebugEnabled()) {
                log.debug("Certificate from issuer '" + CertTools.getIssuerDN(userCert) + "' with serial " + CertTools.getSerialNumber(userCert) + " was already revoked.");
            }
        }
    }
    // Finally mark the end entity itself as revoked. The delegate's approval exceptions are treated as
    // impossible at this point and turned into EJBException.
    try {
        setUserStatus(admin, entity, EndEntityConstants.STATUS_REVOKED);
    } catch (ApprovalException e) {
        throw new EJBException("This should never happen", e);
    } catch (WaitingForApprovalException e) {
        throw new EJBException("This should never happen", e);
    }
    final String auditMsg = intres.getLocalizedMessage("ra.revokedentity", username);
    final Map<String, Object> auditDetails = new LinkedHashMap<String, Object>();
    auditDetails.put("msg", auditMsg);
    auditSession.log(EjbcaEventTypes.RA_REVOKEDENDENTITY, EventStatus.SUCCESS, EjbcaModuleTypes.RA, ServiceTypes.CORE, admin.toString(), String.valueOf(caid), null, username, auditDetails);
    if (log.isTraceEnabled()) {
        log.trace("<revokeUser()");
    }
}
From source file:org.ejbca.core.ejb.ra.EndEntityManagementSessionBean.java
/**
 * Revokes (or un-revokes) a single certificate, identified by issuer DN and serial number, in the database
 * and in the publishers of its certificate profile.
 *
 * Checks, in order, each of which aborts the call: the administrator needs REGULAR_REVOKEENDENTITY (a failure
 * is audit-logged as ACCESS_CONTROL/FAILURE); the certificate must exist; the administrator must be authorized
 * to the issuing CA; if an end entity profile can be determined (from the certificate request history, else
 * from current user data) and profile limitations are enabled, REVOKE_END_ENTITY in that profile is required;
 * the requested reason must be compatible with the stored one (un-revoke only from CERTIFICATE_HOLD, revoke
 * only if not already revoked for good); if both an end entity profile and a certificate profile are known,
 * the CA's approval requirement for revocation is honoured. Without request history or user data the
 * profile-level authorization and the approval step are skipped, leaving only the CA-level check.
 *
 * @param admin the administrator performing the revocation
 * @param certserno serial number of the certificate
 * @param revocationdate the date to record as revocation time, or null for "now"
 * @param issuerdn issuer DN of the certificate
 * @param reason one of the RevokedCertInfo revocation reason constants; NOT_REVOKED or REMOVEFROMCRL
 *        un-revoke a certificate that is on hold
 * @param checkDate if true, a non-null revocationdate is only accepted when the certificate profile allows
 *        backdated revocation
 * @throws AuthorizationDeniedException if admin lacks revocation rights, CA access or end entity profile access
 * @throws FinderException if the certificate cannot be found, or the revocation session reports a
 *         CertificateRevokeException (mapped to the same "ra.errorfindentitycert" message)
 * @throws ApprovalException propagated from the approval session
 * @throws WaitingForApprovalException if the revocation has been queued for approval
 * @throws RevokeBackDateNotAllowedForProfileException if checkDate is set, a revocation date is given and the
 *         profile is missing or does not allow backdating
 * @throws AlreadyRevokedException if the stored revocation reason does not permit the requested operation
 */
@Override
public void revokeCert(AuthenticationToken admin, BigInteger certserno, Date revocationdate, String issuerdn, int reason, boolean checkDate) throws AuthorizationDeniedException, FinderException, ApprovalException, WaitingForApprovalException, RevokeBackDateNotAllowedForProfileException, AlreadyRevokedException {
    if (log.isTraceEnabled()) {
        log.trace(">revokeCert(" + certserno.toString(16) + ", IssuerDN: " + issuerdn + ")");
    }
    // Check that the admin has revocation rights. The denial is written to the audit log here, hence "NoLogging" on the check itself.
    if (!authorizationSession.isAuthorizedNoLogging(admin, AccessRulesConstants.REGULAR_REVOKEENDENTITY)) {
        String msg = intres.getLocalizedMessage("ra.errorauthrevoke");
        Map<String, Object> details = new LinkedHashMap<String, Object>();
        details.put("msg", msg);
        auditSession.log(EventTypes.ACCESS_CONTROL, EventStatus.FAILURE, EjbcaModuleTypes.RA, ServiceTypes.CORE, admin.toString(), null, certserno.toString(16).toUpperCase(), null, details);
        throw new AuthorizationDeniedException(msg);
    }
    // To be fully backwards compatible we just use the first fingerprint found..
    final CertificateInfo info = certificateStoreSession.findFirstCertificateInfo(issuerdn, certserno);
    if (info == null) {
        final String msg = intres.getLocalizedMessage("ra.errorfindentitycert", issuerdn, certserno.toString(16));
        log.info(msg);
        throw new FinderException(msg);
    }
    // The CA id is the hash of the issuer DN as stored with the certificate.
    final int caid = info.getIssuerDN().hashCode();
    final String username = info.getUsername();
    assertAuthorizedToCA(admin, caid);
    int certificateProfileId = info.getCertificateProfileId();
    String userDataDN = info.getSubjectDN();
    final CertReqHistory certReqHistory = certreqHistorySession.retrieveCertReqHistory(certserno, issuerdn);
    UserData data = null;
    if (certReqHistory == null || XkmsConfiguration.getEnabled()) {
        // We could use userdata later, so try to find it
        data = UserData.findByUsername(entityManager, username);
    }
    // -1 means "no end entity profile could be determined"; several checks below are then skipped.
    int endEntityProfileId = -1;
    if (certReqHistory != null) {
        // Get the EEP that was used in the original issuance, if we can find it
        endEntityProfileId = certReqHistory.getEndEntityInformation().getEndEntityProfileId();
        // Republish with the same user DN that was used in the original publication, if we can find it
        userDataDN = certReqHistory.getEndEntityInformation().getCertificateDN();
        // If for some reason the certificate profile id was not set in the certificate data, try to get it from the certreq history
        if (certificateProfileId == CertificateProfileConstants.CERTPROFILE_NO_PROFILE) {
            certificateProfileId = certReqHistory.getEndEntityInformation().getCertificateProfileId();
        }
    } else if (data != null) {
        // Get the EEP that is currently used as a fallback, if we can find it
        endEntityProfileId = data.getEndEntityProfileId();
        // Republish with the same user DN that is currently used as a fallback, if we can find it
        userDataDN = data.toEndEntityInformation().getCertificateDN();
        // If for some reason the certificate profile id was not set in the certificate data, try to get it from current userdata
        if (certificateProfileId == CertificateProfileConstants.CERTPROFILE_NO_PROFILE) {
            certificateProfileId = data.getCertificateProfileId();
        }
    }
    if (endEntityProfileId != -1) {
        // We can only perform this check if we have a trail of what eep was used..
        if (getGlobalConfiguration().getEnableEndEntityProfileLimitations()) {
            assertAuthorizedToEndEntityProfile(admin, endEntityProfileId, AccessRulesConstants.REVOKE_END_ENTITY, caid);
        }
    }
    // Check that unrevocation is not done on anything that can not be unrevoked
    if (reason == RevokedCertInfo.NOT_REVOKED || reason == RevokedCertInfo.REVOCATION_REASON_REMOVEFROMCRL) {
        if (info.getRevocationReason() != RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD) {
            final String msg = intres.getLocalizedMessage("ra.errorunrevokenotonhold", issuerdn, certserno.toString(16));
            log.info(msg);
            throw new AlreadyRevokedException(msg);
        }
    } else {
        if (info.getRevocationReason() != RevokedCertInfo.NOT_REVOKED &&
                // it should be possible to revoke a certificate on hold for good.
                info.getRevocationReason() != RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD &&
                // a valid certificate could have reason "REVOCATION_REASON_REMOVEFROMCRL" if it has been revoked in the past.
                info.getRevocationReason() != RevokedCertInfo.REVOCATION_REASON_REMOVEFROMCRL) {
            final String msg = intres.getLocalizedMessage("ra.errorrevocationexists", issuerdn, certserno.toString(16));
            log.info(msg);
            throw new AlreadyRevokedException(msg);
        }
    }
    if (endEntityProfileId != -1 && certificateProfileId != CertificateProfileConstants.CERTPROFILE_NO_PROFILE) {
        // We can only perform this check if we have a trail of what eep and cp was used..
        // Check if approvals is required.
        final int numOfReqApprovals = getNumOfApprovalRequired(CAInfo.REQ_APPROVAL_REVOCATION, caid, certificateProfileId);
        if (numOfReqApprovals > 0) {
            final RevocationApprovalRequest ar = new RevocationApprovalRequest(certserno, issuerdn, username, reason, admin, numOfReqApprovals, caid, endEntityProfileId);
            if (ApprovalExecutorUtil.requireApproval(ar, NONAPPROVABLECLASSNAMES_REVOKECERT)) {
                approvalSession.addApprovalRequest(admin, ar);
                throw new WaitingForApprovalException(intres.getLocalizedMessage("ra.approvalrevoke"));
            }
        }
    }
    // Finally find the publishers for the certificate profileId that we found
    Collection<Integer> publishers = new ArrayList<Integer>(0);
    final CertificateProfile certificateProfile = certificateProfileSession.getCertificateProfile(certificateProfileId);
    if (certificateProfile != null) {
        // A null publisher list from the profile is only logged and passed on as-is.
        publishers = certificateProfile.getPublisherList();
        if (publishers == null || publishers.size() == 0) {
            if (log.isDebugEnabled()) {
                log.debug("No publishers defined for certificate with serial #" + certserno.toString(16) + " issued by " + issuerdn);
            }
        }
    } else {
        log.warn("No certificate profile for certificate with serial #" + certserno.toString(16) + " issued by " + issuerdn);
    }
    // Backdating is refused when no profile was found, not only when the profile forbids it.
    if (checkDate && revocationdate != null && (certificateProfile == null || !certificateProfile.getAllowBackdatedRevocation())) {
        final String profileName = this.certificateProfileSession.getCertificateProfileName(certificateProfileId);
        final String m = intres.getLocalizedMessage("ra.norevokebackdate", profileName, certserno.toString(16), issuerdn);
        throw new RevokeBackDateNotAllowedForProfileException(m);
    }
    // Revoke certificate in database and all publishers
    try {
        this.revocationSession.revokeCertificate(admin, issuerdn, certserno, revocationdate != null ? revocationdate : new Date(), publishers, reason, userDataDN);
    } catch (CertificateRevokeException e) {
        // NOTE(review): the CertificateRevokeException is neither chained (FinderException takes only a
        // message) nor logged, so its details are lost; consider logging e before rethrowing.
        final String msg = intres.getLocalizedMessage("ra.errorfindentitycert", issuerdn, certserno.toString(16));
        log.info(msg);
        throw new FinderException(msg);
    }
    if (XkmsConfiguration.getEnabled() && data != null) {
        // Reset the revocation code identifier used in XKMS
        final ExtendedInformation inf = data.getExtendedInformation();
        if (inf != null && inf.getRevocationCodeIdentifier() != null) {
            inf.setRevocationCodeIdentifier(null);
            data.setExtendedInformation(inf);
        }
    }
    if (log.isTraceEnabled()) {
        log.trace("<revokeCert()");
    }
}