Search in sources :

Example 11 with PKIHeader

use of com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader in project xipki by xipki.

the class X509CmpRequestor method buildPkiMessage.

// method buildPkiMessage
private PKIMessage buildPkiMessage(CertRequest req, ProofOfPossession pop, String profileName) {
    PKIHeader header = buildPkiHeader(implicitConfirm, null);
    CmpUtf8Pairs utf8Pairs = new CmpUtf8Pairs(CmpUtf8Pairs.KEY_CERTPROFILE, profileName);
    AttributeTypeAndValue certprofileInfo = CmpUtil.buildAttributeTypeAndValue(utf8Pairs);
    CertReqMsg[] certReqMsgs = new CertReqMsg[1];
    certReqMsgs[0] = new CertReqMsg(req, pop, new AttributeTypeAndValue[] { certprofileInfo });
    PKIBody body = new PKIBody(PKIBody.TYPE_CERT_REQ, new CertReqMessages(certReqMsgs));
    return new PKIMessage(header, body);
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) CertReqMessages(org.bouncycastle.asn1.crmf.CertReqMessages) CmpUtf8Pairs(org.xipki.cmp.CmpUtf8Pairs) CertReqMsg(org.bouncycastle.asn1.crmf.CertReqMsg) AttributeTypeAndValue(org.bouncycastle.asn1.crmf.AttributeTypeAndValue)

Example 12 with PKIHeader

use of com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader in project xipki by xipki.

the class SignatureCmpCaClient method verifyProtection.

// constructor
@Override
protected boolean verifyProtection(GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException {
    ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
    if (protectedMsg.hasPasswordBasedMacProtection()) {
        LOG.warn("protection is not signature based: " + pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
        return false;
    }
    PKIHeader header = protectedMsg.getHeader();
    if (!header.getSender().equals(responderSubject)) {
        LOG.warn("not authorized responder '{}'", header.getSender());
        return false;
    }
    String algOid = protectedMsg.getHeader().getProtectionAlg().getAlgorithm().getId();
    if (!trustedProtectionAlgOids.contains(algOid)) {
        LOG.warn("PKI protection algorithm is untrusted '{}'", algOid);
        return false;
    }
    ContentVerifierProvider verifierProvider = getContentVerifierProvider(responderCert.getPublicKey());
    if (verifierProvider == null) {
        LOG.warn("not authorized responder '{}'", header.getSender());
        return false;
    }
    return protectedMsg.verify(verifierProvider);
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage)

Example 13 with PKIHeader

use of com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader in project LinLong-Java by zhenwei1108.

the class ProtectedPKIMessageBuilder method build.

/**
 * Build a protected PKI message which has MAC based integrity protection.
 *
 * @param macCalculator MAC calculator.
 * @return the resulting protected PKI message.
 * @throws CMPException if the protection MAC cannot be calculated.
 */
public ProtectedPKIMessage build(MacCalculator macCalculator) throws CMPException {
    if (null == body) {
        throw new IllegalStateException("body must be set before building");
    }
    finaliseHeader(macCalculator.getAlgorithmIdentifier());
    PKIHeader header = hdrBuilder.build();
    try {
        DERBitString protection = new DERBitString(calculateMac(macCalculator, header, body));
        return finaliseMessage(header, protection);
    } catch (IOException e) {
        throw new CMPException("unable to encode MAC input: " + e.getMessage(), e);
    }
}
Also used : PKIHeader(com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader) DERBitString(com.github.zhenwei.core.asn1.DERBitString) IOException(java.io.IOException)

Example 14 with PKIHeader

use of com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader in project xipki by xipki.

the class X509CaCmpResponderImpl method processPkiMessage0.

@Override
protected PKIMessage processPkiMessage0(PKIMessage request, RequestorInfo requestor, ASN1OctetString tid, GeneralPKIMessage message, String msgId, AuditEvent event) {
    if (!(requestor instanceof CmpRequestorInfo)) {
        throw new IllegalArgumentException("unknown requestor type " + requestor.getClass().getName());
    }
    CmpRequestorInfo tmpRequestor = (CmpRequestorInfo) requestor;
    event.addEventData(CaAuditConstants.NAME_requestor, tmpRequestor.getIdent().getName());
    PKIHeader reqHeader = message.getHeader();
    PKIHeaderBuilder respHeader = new PKIHeaderBuilder(reqHeader.getPvno().getValue().intValue(), getSender(), reqHeader.getSender());
    respHeader.setTransactionID(tid);
    ASN1OctetString senderNonce = reqHeader.getSenderNonce();
    if (senderNonce != null) {
        respHeader.setRecipNonce(senderNonce);
    }
    PKIBody respBody;
    PKIBody reqBody = message.getBody();
    final int type = reqBody.getType();
    CmpControl cmpControl = getCmpControl();
    try {
        switch(type) {
            case PKIBody.TYPE_CERT_REQ:
            case PKIBody.TYPE_KEY_UPDATE_REQ:
            case PKIBody.TYPE_P10_CERT_REQ:
            case PKIBody.TYPE_CROSS_CERT_REQ:
                String eventType = null;
                if (PKIBody.TYPE_CERT_REQ == type) {
                    eventType = CaAuditConstants.TYPE_CMP_cr;
                } else if (PKIBody.TYPE_KEY_UPDATE_REQ == type) {
                    eventType = CaAuditConstants.TYPE_CMP_kur;
                } else if (PKIBody.TYPE_P10_CERT_REQ == type) {
                    eventType = CaAuditConstants.TYPE_CMP_p10Cr;
                } else if (PKIBody.TYPE_CROSS_CERT_REQ == type) {
                    eventType = CaAuditConstants.TYPE_CMP_ccr;
                }
                if (eventType != null) {
                    event.addEventType(eventType);
                }
                respBody = cmpEnrollCert(request, respHeader, cmpControl, reqHeader, reqBody, tmpRequestor, tid, msgId, event);
                break;
            case PKIBody.TYPE_CERT_CONFIRM:
                event.addEventType(CaAuditConstants.TYPE_CMP_certConf);
                CertConfirmContent certConf = (CertConfirmContent) reqBody.getContent();
                respBody = confirmCertificates(tid, certConf, msgId);
                break;
            case PKIBody.TYPE_REVOCATION_REQ:
                respBody = cmpUnRevokeRemoveCertificates(request, respHeader, cmpControl, reqHeader, reqBody, tmpRequestor, msgId, event);
                break;
            case PKIBody.TYPE_CONFIRM:
                event.addEventType(CaAuditConstants.TYPE_CMP_pkiConf);
                respBody = new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
                break;
            case PKIBody.TYPE_GEN_MSG:
                respBody = cmpGeneralMsg(respHeader, cmpControl, reqHeader, reqBody, tmpRequestor, tid, msgId, event);
                break;
            case PKIBody.TYPE_ERROR:
                event.addEventType(CaAuditConstants.TYPE_CMP_error);
                revokePendingCertificates(tid, msgId);
                respBody = new PKIBody(PKIBody.TYPE_CONFIRM, DERNull.INSTANCE);
                break;
            default:
                event.addEventType("PKIBody." + type);
                respBody = buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "unsupported type " + type);
                break;
        }
    // end switch (type)
    } catch (InsuffientPermissionException ex) {
        ErrorMsgContent emc = new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText(ex.getMessage()), new PKIFailureInfo(PKIFailureInfo.notAuthorized)));
        respBody = new PKIBody(PKIBody.TYPE_ERROR, emc);
    }
    if (respBody.getType() == PKIBody.TYPE_ERROR) {
        ErrorMsgContent errorMsgContent = (ErrorMsgContent) respBody.getContent();
        AuditStatus auditStatus = AuditStatus.FAILED;
        org.xipki.cmp.PkiStatusInfo pkiStatus = new org.xipki.cmp.PkiStatusInfo(errorMsgContent.getPKIStatusInfo());
        if (pkiStatus.pkiFailureInfo() == PKIFailureInfo.systemFailure) {
            auditStatus = AuditStatus.FAILED;
        }
        event.setStatus(auditStatus);
        String statusString = pkiStatus.statusMessage();
        if (statusString != null) {
            event.addEventData(CaAuditConstants.NAME_message, statusString);
        }
    } else if (event.getStatus() == null) {
        event.setStatus(AuditStatus.SUCCESSFUL);
    }
    return new PKIMessage(respHeader.build(), respBody);
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) PKIHeaderBuilder(org.bouncycastle.asn1.cmp.PKIHeaderBuilder) PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText) PKIFailureInfo(org.bouncycastle.asn1.cmp.PKIFailureInfo) CertConfirmContent(org.bouncycastle.asn1.cmp.CertConfirmContent) AuditStatus(org.xipki.audit.AuditStatus) CmpControl(org.xipki.ca.server.mgmt.api.CmpControl) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent)

Example 15 with PKIHeader

use of com.github.zhenwei.pkix.util.asn1.cmp.PKIHeader in project xipki by xipki.

the class CmpRequestor method buildMessageWithGeneralMsgContent.

protected PKIMessage buildMessageWithGeneralMsgContent(ASN1ObjectIdentifier type, ASN1Encodable value) throws CmpRequestorException {
    ParamUtil.requireNonNull("type", type);
    PKIHeader header = buildPkiHeader(null);
    InfoTypeAndValue itv = (value != null) ? new InfoTypeAndValue(type, value) : new InfoTypeAndValue(type);
    GenMsgContent genMsgContent = new GenMsgContent(itv);
    PKIBody body = new PKIBody(PKIBody.TYPE_GEN_MSG, genMsgContent);
    return new PKIMessage(header, body);
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) GenMsgContent(org.bouncycastle.asn1.cmp.GenMsgContent) InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue)

Aggregations

PKIHeader (org.bouncycastle.asn1.cmp.PKIHeader)19 PKIBody (org.bouncycastle.asn1.cmp.PKIBody)13 PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)12 ProtectedPKIMessage (org.bouncycastle.cert.cmp.ProtectedPKIMessage)9 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)8 IOException (java.io.IOException)6 GeneralPKIMessage (org.bouncycastle.cert.cmp.GeneralPKIMessage)6 DEROctetString (org.bouncycastle.asn1.DEROctetString)5 InfoTypeAndValue (org.bouncycastle.asn1.cmp.InfoTypeAndValue)4 GeneralName (org.bouncycastle.asn1.x509.GeneralName)4 CMPException (org.bouncycastle.cert.cmp.CMPException)4 ProtectionVerificationResult (org.xipki.cmp.ProtectionVerificationResult)4 InvalidKeyException (java.security.InvalidKeyException)3 Date (java.util.Date)3 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)3 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)3 PKIFreeText (org.bouncycastle.asn1.cmp.PKIFreeText)3 ContentVerifierProvider (org.bouncycastle.operator.ContentVerifierProvider)3 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)3 DERBitString (com.github.zhenwei.core.asn1.DERBitString)2