use of com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader in project xipki by xipki.
the class X509CmpRequestor method buildPkiMessage.
// method buildPkiMessage
/**
 * Assembles an (as yet unprotected) CMP request message carrying exactly one
 * certificate request.
 *
 * <p>The header comes from {@code buildPkiHeader(implicitConfirm, null)}. The
 * request is wrapped in a {@code CertReqMsg} together with its proof of
 * possession and a single regInfo attribute that names the certificate profile
 * under {@code CmpUtf8Pairs.KEY_CERTPROFILE}. Protection of the message is
 * not applied here.
 *
 * @param req the certificate request template
 * @param pop proof of possession for the key in {@code req}
 * @param profileName name of the certificate profile to enroll against
 * @return a PKIMessage whose body is of type {@code PKIBody.TYPE_CERT_REQ}
 */
private PKIMessage buildPkiMessage(CertRequest req, ProofOfPossession pop, String profileName) {
  // Header first, as in the surrounding code; the rest is side-effect-free ASN.1 construction.
  PKIHeader header = buildPkiHeader(implicitConfirm, null);

  AttributeTypeAndValue profileAttr = CmpUtil.buildAttributeTypeAndValue(
      new CmpUtf8Pairs(CmpUtf8Pairs.KEY_CERTPROFILE, profileName));
  CertReqMsg reqMsg = new CertReqMsg(req, pop, new AttributeTypeAndValue[] {profileAttr});
  CertReqMessages reqMessages = new CertReqMessages(new CertReqMsg[] {reqMsg});

  return new PKIMessage(header, new PKIBody(PKIBody.TYPE_CERT_REQ, reqMessages));
}
use of com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader in project xipki by xipki.
the class SignatureCmpCaClient method verifyProtection.
// method verifyProtection
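/**
 * Verifies the signature-based protection of a CMP message received from the responder.
 *
 * <p>The message is accepted only if all of the following hold, checked in order:
 * the protection is not password-based MAC; the header's sender equals
 * {@code responderSubject}; the protection algorithm OID is listed in
 * {@code trustedProtectionAlgOids}; a content verifier can be built for
 * {@code responderCert}'s public key; and the signature verifies. Each failed
 * check is logged at WARN and yields {@code false}.
 *
 * @param pkiMessage the received message; must carry protection
 *        ({@code ProtectedPKIMessage} rejects unprotected messages)
 * @return {@code true} iff the message is signature-protected by the trusted responder
 * @throws CMPException if the signature cannot be verified
 * @throws InvalidKeyException if the responder's public key is unusable
 */
@Override
protected boolean verifyProtection(GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException {
  ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
  PKIHeader header = protectedMsg.getHeader();
  // protectionAlg is present once the ProtectedPKIMessage constructor accepted the message.
  String algOid = header.getProtectionAlg().getAlgorithm().getId();

  if (protectedMsg.hasPasswordBasedMacProtection()) {
    // Only signature protection is accepted by this client.
    LOG.warn("protection is not signature based: {}", algOid);
    return false;
  }

  if (!header.getSender().equals(responderSubject)) {
    LOG.warn("not authorized responder '{}'", header.getSender());
    return false;
  }

  if (!trustedProtectionAlgOids.contains(algOid)) {
    LOG.warn("PKI protection algorithm is untrusted '{}'", algOid);
    return false;
  }

  ContentVerifierProvider verifierProvider = getContentVerifierProvider(responderCert.getPublicKey());
  if (verifierProvider == null) {
    // Distinct message from the sender check above so the failing step is identifiable in logs.
    LOG.warn("could not create content verifier for responder '{}'", header.getSender());
    return false;
  }

  return protectedMsg.verify(verifierProvider);
}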
use of com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader in project LinLong-Java by zhenwei1108.
the class ProtectedPKIMessageBuilder method build.
/**
 * Builds a protected PKI message whose integrity is guarded by a MAC.
 *
 * <p>The header is finalised with the MAC algorithm identifier, then the MAC
 * is computed over header and body and attached as the protection bit string.
 *
 * @param macCalculator MAC calculator supplying the algorithm identifier and the MAC.
 * @return the resulting protected PKI message.
 * @throws IllegalStateException if no body has been set.
 * @throws CMPException if the MAC input cannot be encoded or the MAC cannot be calculated.
 */
public ProtectedPKIMessage build(MacCalculator macCalculator) throws CMPException {
  if (body == null) {
    throw new IllegalStateException("body must be set before building");
  }

  finaliseHeader(macCalculator.getAlgorithmIdentifier());
  PKIHeader finalHeader = hdrBuilder.build();

  try {
    byte[] mac = calculateMac(macCalculator, finalHeader, body);
    return finaliseMessage(finalHeader, new DERBitString(mac));
  } catch (IOException e) {
    throw new CMPException("unable to encode MAC input: " + e.getMessage(), e);
  }
}
use of com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader in project xipki by xipki.
the class X509CaCmpResponderImpl method processPkiMessage0.
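/**
 * Dispatches a CMP request to the handler for its body type and builds the response.
 *
 * <p>The response header mirrors the request's protocol version, transaction id
 * and sender nonce (echoed as recipNonce). Unsupported body types yield an
 * error body with {@code PKIFailureInfo.badRequest}; an
 * {@code InsuffientPermissionException} from any handler yields an error body
 * with {@code PKIFailureInfo.notAuthorized}. Finally the audit event status is
 * set: FAILED for error bodies (with the status message, if any), SUCCESSFUL
 * if no handler set a status.
 *
 * @param request the raw request message
 * @param requestor the authenticated requestor; must be a {@code CmpRequestorInfo}
 * @param tid transaction id of the request
 * @param message the parsed request message
 * @param msgId identifier used for logging/auditing this message
 * @param event the audit event to enrich
 * @return the response message (header built from {@code respHeader})
 * @throws IllegalArgumentException if {@code requestor} is not a {@code CmpRequestorInfo}
 */
@Override
protected PKIMessage processPkiMessage0(PKIMessage request, RequestorInfo requestor, ASN1OctetString tid,
    GeneralPKIMessage message, String msgId, AuditEvent event) {
  if (!(requestor instanceof CmpRequestorInfo)) {
    throw new IllegalArgumentException("unknown requestor type " + requestor.getClass().getName());
  }
  CmpRequestorInfo cmpRequestor = (CmpRequestorInfo) requestor;
  event.addEventData(CaAuditConstants.NAME_requestor, cmpRequestor.getIdent().getName());

  PKIHeader reqHeader = message.getHeader();
  PKIHeaderBuilder respHeader = new PKIHeaderBuilder(
      reqHeader.getPvno().getValue().intValue(), getSender(), reqHeader.getSender());
  respHeader.setTransactionID(tid);
  // Echo the request's senderNonce as recipNonce so the client can bind the response to its request.
  ASN1OctetString senderNonce = reqHeader.getSenderNonce();
  if (senderNonce != null) {
    respHeader.setRecipNonce(senderNonce);
  }

  PKIBody reqBody = message.getBody();
  final int type = reqBody.getType();
  CmpControl cmpControl = getCmpControl();

  PKIBody respBody;
  try {
    switch (type) {
      case PKIBody.TYPE_CERT_REQ:
      case PKIBody.TYPE_KEY_UPDATE_REQ:
      case PKIBody.TYPE_P10_CERT_REQ:
      case PKIBody.TYPE_CROSS_CERT_REQ:
        event.addEventType(enrollEventType(type));
        respBody = cmpEnrollCert(request, respHeader, cmpControl, reqHeader, reqBody, cmpRequestor,
            tid, msgId, event);
        break;
      case PKIBody.TYPE_CERT_CONFIRM:
        event.addEventType(CaAuditConstants.TYPE_CMP_certConf);
        CertConfirmContent certConf = (CertConfirmContent) reqBody.getContent();
        respBody = confirmCertificates(tid, certConf, msgId);
        break;
      case PKIBody.TYPE_REVOCATION_REQ:
        respBody = cmpUnRevokeRemoveCertificates(request, respHeader, cmpControl, reqHeader, reqBody,
            cmpRequestor, msgId, event);
        break;
      case PKIBody.TYPE_CONFIRM:
        event.addEventType(CaAuditConstants.TYPE_CMP_pkiConf);
        respBody = new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
        break;
      case PKIBody.TYPE_GEN_MSG:
        respBody = cmpGeneralMsg(respHeader, cmpControl, reqHeader, reqBody, cmpRequestor, tid, msgId,
            event);
        break;
      case PKIBody.TYPE_ERROR:
        // A client-side error aborts the transaction: certificates issued under this tid that are
        // still awaiting confirmation are revoked, and the client gets a plain PKIConf.
        event.addEventType(CaAuditConstants.TYPE_CMP_error);
        revokePendingCertificates(tid, msgId);
        respBody = new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
        break;
      default:
        event.addEventType("PKIBody." + type);
        respBody = buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest,
            "unsupported type " + type);
        break;
    }
  } catch (InsuffientPermissionException ex) {
    // PKIFreeText wraps the text in a UTF8String, which presumably rejects null — fall back to a
    // fixed reason rather than failing with an NPE while building the error response.
    String reason = (ex.getMessage() != null) ? ex.getMessage() : "not authorized";
    ErrorMsgContent emc = new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection,
        new PKIFreeText(reason), new PKIFailureInfo(PKIFailureInfo.notAuthorized)));
    respBody = new PKIBody(PKIBody.TYPE_ERROR, emc);
  }

  if (respBody.getType() == PKIBody.TYPE_ERROR) {
    ErrorMsgContent errorMsgContent = (ErrorMsgContent) respBody.getContent();
    org.xipki.cmp.PkiStatusInfo pkiStatus =
        new org.xipki.cmp.PkiStatusInfo(errorMsgContent.getPKIStatusInfo());
    // NOTE(review): the original code tested for PKIFailureInfo.systemFailure here but assigned
    // AuditStatus.FAILED in both branches, so every error response is audited as FAILED. If a
    // distinct audit status for system failures was intended, this is the place to add it.
    event.setStatus(AuditStatus.FAILED);
    String statusString = pkiStatus.statusMessage();
    if (statusString != null) {
      event.addEventData(CaAuditConstants.NAME_message, statusString);
    }
  } else if (event.getStatus() == null) {
    event.setStatus(AuditStatus.SUCCESSFUL);
  }

  return new PKIMessage(respHeader.build(), respBody);
}

/**
 * Maps an enrollment request body type to its audit event type.
 *
 * @param type one of {@code PKIBody.TYPE_CERT_REQ}, {@code TYPE_KEY_UPDATE_REQ},
 *        {@code TYPE_P10_CERT_REQ} or {@code TYPE_CROSS_CERT_REQ}
 * @return the matching {@code CaAuditConstants.TYPE_CMP_*} value
 * @throws IllegalArgumentException for any other body type
 */
private static String enrollEventType(int type) {
  switch (type) {
    case PKIBody.TYPE_CERT_REQ:
      return CaAuditConstants.TYPE_CMP_cr;
    case PKIBody.TYPE_KEY_UPDATE_REQ:
      return CaAuditConstants.TYPE_CMP_kur;
    case PKIBody.TYPE_P10_CERT_REQ:
      return CaAuditConstants.TYPE_CMP_p10Cr;
    case PKIBody.TYPE_CROSS_CERT_REQ:
      return CaAuditConstants.TYPE_CMP_ccr;
    default:
      throw new IllegalArgumentException("not an enrollment request type " + type);
  }
}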
use of com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader in project xipki by xipki.
the class CmpRequestor method buildMessageWithGeneralMsgContent.
/**
 * Builds an (as yet unprotected) CMP general message ({@code PKIBody.TYPE_GEN_MSG})
 * carrying a single {@code InfoTypeAndValue}.
 *
 * @param type the info type OID; must not be {@code null}
 * @param value the info value, or {@code null} to send the type without a value
 * @return the assembled PKIMessage with a header from {@code buildPkiHeader(null)}
 * @throws CmpRequestorException if the header cannot be built
 */
protected PKIMessage buildMessageWithGeneralMsgContent(ASN1ObjectIdentifier type, ASN1Encodable value) throws CmpRequestorException {
  ParamUtil.requireNonNull("type", type);
  PKIHeader header = buildPkiHeader(null);

  InfoTypeAndValue itv;
  if (value == null) {
    itv = new InfoTypeAndValue(type);
  } else {
    itv = new InfoTypeAndValue(type, value);
  }

  PKIBody body = new PKIBody(PKIBody.TYPE_GEN_MSG, new GenMsgContent(itv));
  return new PKIMessage(header, body);
}