
Example 1 with ErrorMsgContent

use of org.bouncycastle.asn1.cmp.ErrorMsgContent in project xipki by xipki.

From class CmpCaClient, method parseEnrollCertResult.

/**
 * Extracts the issued certificate from the CMP response to an enrollment request.
 *
 * <p>An {@code error} body is reported as an exception carrying the server's
 * PKIStatusInfo, and any body type other than {@code certRep} is rejected. Exactly
 * one CertResponse is accepted; its status must be {@code granted} or
 * {@code grantedWithMods}. The embedded certificate is returned only after
 * {@code verify(caCert, cert)} succeeded, so a certificate that is not issued by the
 * configured CA never reaches the caller.
 *
 * @param response the decoded CMP response message
 * @return the enrolled certificate, verified against {@code caCert}
 * @throws Exception on an error body, an unexpected body type, a number of
 *     CertResponses other than one, a non-granted status, a certificate that does
 *     not verify against the CA certificate, or a response carrying no certificate
 */
private X509Certificate parseEnrollCertResult(PKIMessage response) throws Exception {
    PKIBody body = response.getBody();
    int type = body.getType();
    if (type == PKIBody.TYPE_ERROR) {
        ErrorMsgContent errorContent = ErrorMsgContent.getInstance(body.getContent());
        throw new Exception("Server returned PKIStatus: " + buildText(errorContent.getPKIStatusInfo()));
    }
    if (type != PKIBody.TYPE_CERT_REP) {
        throw new Exception(String.format("unknown PKI body type %s instead the expected [%s, %s]", type, PKIBody.TYPE_CERT_REP, PKIBody.TYPE_ERROR));
    }

    CertResponse[] responses = CertRepMessage.getInstance(body.getContent()).getResponse();
    if (responses.length != 1) {
        throw new Exception("expected 1 CertResponse, but returned " + responses.length);
    }

    // Only the single requested certificate is accepted.
    CertResponse certResponse = responses[0];
    PKIStatusInfo statusInfo = certResponse.getStatus();
    int statusValue = statusInfo.getStatus().intValue();
    boolean granted = statusValue == PKIStatus.GRANTED || statusValue == PKIStatus.GRANTED_WITH_MODS;
    if (!granted) {
        throw new Exception("Server returned PKIStatus: " + buildText(statusInfo));
    }

    CertifiedKeyPair keyPair = certResponse.getCertifiedKeyPair();
    CMPCertificate cmpCert = (keyPair == null) ? null : keyPair.getCertOrEncCert().getCertificate();
    if (cmpCert == null) {
        throw new Exception("Server did not return any certificate");
    }

    X509Certificate cert = SdkUtil.parseCert(cmpCert.getX509v3PKCert().getEncoded());
    // Reject anything the configured CA did not sign, regardless of the reported status.
    if (!verify(caCert, cert)) {
        throw new Exception("The returned certificate is not issued by the given CA");
    }
    return cert;
}

Example 2 with ErrorMsgContent

use of org.bouncycastle.asn1.cmp.ErrorMsgContent in project xipki by xipki.

From class CmpCaClient, method extractGeneralRepContent.

/**
 * Returns the value of the InfoTypeAndValue with the given OID from a CMP general
 * response ({@code genRep}) body.
 *
 * <p>An {@code error} body is reported as an exception carrying the server's
 * PKIStatusInfo; any other body type than {@code genRep} is rejected. The first
 * entry whose infoType OID equals {@code expectedType} wins.
 *
 * @param response the decoded CMP response message
 * @param expectedType dotted OID string of the wanted infoType
 * @return the infoValue of the matching entry
 * @throws Exception on an error body, an unexpected body type, or when no entry of
 *     the expected type is present
 */
private ASN1Encodable extractGeneralRepContent(PKIMessage response, String expectedType) throws Exception {
    PKIBody body = response.getBody();
    int type = body.getType();
    if (type == PKIBody.TYPE_ERROR) {
        ErrorMsgContent errorContent = ErrorMsgContent.getInstance(body.getContent());
        throw new Exception("Server returned PKIStatus: " + buildText(errorContent.getPKIStatusInfo()));
    }
    if (type != PKIBody.TYPE_GEN_REP) {
        throw new Exception(String.format("unknown PKI body type %s instead the expected [%s, %s]", type, PKIBody.TYPE_GEN_REP, PKIBody.TYPE_ERROR));
    }

    InfoTypeAndValue[] entries = GenRepContent.getInstance(body.getContent()).toInfoTypeAndValueArray();
    if (entries != null) {
        for (InfoTypeAndValue entry : entries) {
            if (expectedType.equals(entry.getInfoType().getId())) {
                return entry.getInfoValue();
            }
        }
    }
    throw new Exception("the response does not contain InfoTypeAndValue " + expectedType);
}

Example 3 with ErrorMsgContent

use of org.bouncycastle.asn1.cmp.ErrorMsgContent in project xipki by xipki.

From class CmpCaClient, method parseRevocationResult.

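/**
 * Evaluates the CMP response to a revocation request for one certificate.
 *
 * <p>An {@code error} body is reported as an exception carrying the server's
 * PKIStatusInfo; any body type other than {@code rp} is rejected, as is a response
 * with a number of status entries other than one. A status other than
 * {@code granted}/{@code grantedWithMods} is logged and yields {@code false}. When
 * the response carries a revCerts entry, its issuer and serial number must match
 * {@code caSubject} and {@code serialNumber} for the result to be {@code true}.
 *
 * @param response the decoded CMP response message
 * @param serialNumber serial number of the certificate whose revocation was requested
 * @return {@code true} if the server granted the revocation (and, if revCerts is
 *     present, its first entry identifies the requested certificate)
 * @throws Exception on an error body, an unexpected body type, or a status count
 *     other than one
 */
private boolean parseRevocationResult(PKIMessage response, BigInteger serialNumber) throws Exception {
    PKIBody respBody = response.getBody();
    final int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent errorContent = ErrorMsgContent.getInstance(respBody.getContent());
        // buildText(...) renders the status the same way the other parse methods do,
        // instead of the ASN.1 object's default toString().
        throw new Exception("Server returned PKIStatus: " + buildText(errorContent.getPKIStatusInfo()));
    } else if (PKIBody.TYPE_REVOCATION_REP != bodyType) {
        throw new Exception(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_REVOCATION_REP, PKIBody.TYPE_ERROR));
    }

    RevRepContent content = RevRepContent.getInstance(respBody.getContent());
    PKIStatusInfo[] statuses = content.getStatus();
    int statusesLen = (statuses == null) ? 0 : statuses.length;
    if (statusesLen != 1) {
        throw new Exception(String.format("incorrect number of status entries in response '%s'" + " instead the expected '1'", statusesLen));
    }

    PKIStatusInfo statusInfo = statuses[0];
    int status = statusInfo.getStatus().intValue();
    if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) {
        LOG.warn("Server returned error: " + buildText(statusInfo));
        return false;
    }

    // revCerts is OPTIONAL in RevRepContent (RFC 4210); an absent or empty list
    // leaves the granted status as the only evidence. The empty case previously
    // fell through to revCerts[0] and failed with an index exception.
    CertId[] revCerts = content.getRevCerts();
    if (revCerts == null || revCerts.length == 0) {
        return true;
    }

    // With exactly one status entry only the first CertId is relevant.
    CertId revCert = revCerts[0];
    return caSubject.equals(revCert.getIssuer().getName()) && serialNumber.equals(revCert.getSerialNumber().getValue());
}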

Example 4 with ErrorMsgContent

use of org.bouncycastle.asn1.cmp.ErrorMsgContent in project xipki by xipki.

From class CmpResponder, method buildErrorPkiMessage.

/**
 * Builds a CMP {@code error} message answering the given request header.
 *
 * <p>The response header mirrors the request: same protocol version, the request's
 * sender becomes the recipient, the request's senderNonce is echoed as recipNonce
 * and the transaction id is copied when given. The body is an ErrorMsgContent
 * wrapping the status from {@code generateRejectionStatus(failureCode, statusText)}.
 * The returned message carries no protection field; presumably the caller adds
 * protection where required.
 *
 * @param tid transaction id to echo, or {@code null} to leave it unset
 * @param requestHeader header of the request being answered
 * @param failureCode PKIFailureInfo code passed to {@code generateRejectionStatus}
 * @param statusText free text passed to {@code generateRejectionStatus}
 * @return the assembled error message
 */
protected PKIMessage buildErrorPkiMessage(ASN1OctetString tid, PKIHeader requestHeader, int failureCode, String statusText) {
    GeneralName recipient = requestHeader.getSender();
    int pvno = requestHeader.getPvno().getValue().intValue();
    PKIHeaderBuilder headerBuilder = new PKIHeaderBuilder(pvno, getSender(), recipient);
    headerBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));

    if (tid != null) {
        headerBuilder.setTransactionID(tid);
    }

    // The requester's nonce goes back as recipNonce so it can correlate the reply.
    ASN1OctetString requestNonce = requestHeader.getSenderNonce();
    if (requestNonce != null) {
        headerBuilder.setRecipNonce(requestNonce);
    }

    ErrorMsgContent errorContent = new ErrorMsgContent(generateRejectionStatus(failureCode, statusText));
    PKIBody errorBody = new PKIBody(PKIBody.TYPE_ERROR, errorContent);
    return new PKIMessage(headerBuilder.build(), errorBody);
}

Example 5 with ErrorMsgContent

use of org.bouncycastle.asn1.cmp.ErrorMsgContent in project xipki by xipki.

From class X509CaCmpResponderImpl, method cmpUnRevokeRemoveCertificates.

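/**
 * Handles a CMP revocation request ({@code rr}) body asking for revocation,
 * un-revocation (CRL reason removeFromCRL) or removal (xipki's
 * {@code CMP_CRL_REASON_REMOVE}) of certificates.
 *
 * <p>Every RevDetails entry is mapped to the permission its CRL reason requires. All
 * entries must map to the same permission, otherwise a {@code badRequest} error
 * body is returned. The requestor must hold that permission; otherwise the audit
 * event is marked failed and a {@code notAuthorized} error body is returned. On
 * success the work is delegated to {@code unRevokeRemoveCertificates}.
 *
 * <p>{@code respHeader} and {@code reqHeader} are not used by this method.
 *
 * @param request the complete request message, handed to the delegate
 * @param respHeader builder of the response header (unused here)
 * @param cmpControl CMP control settings, handed to the delegate
 * @param reqHeader header of the request (unused here)
 * @param reqBody the {@code rr} body to process
 * @param requestor the authenticated requestor whose permission is checked
 * @param msgId message id for logging, handed to the delegate
 * @param event audit event receiving the event type and failure data
 * @return the response body: an error body, or the delegate's result
 */
private PKIBody cmpUnRevokeRemoveCertificates(PKIMessage request, PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, String msgId, AuditEvent event) {
    RevReqContent rr = RevReqContent.getInstance(reqBody.getContent());
    RevDetails[] revContent = rr.toRevDetailsArray();
    if (revContent == null || revContent.length == 0) {
        // Without any RevDetails no permission can be derived; reject here instead of
        // handing a null permission to checkPermission / the delegate.
        return badRequestRevBody("no revDetails in request");
    }

    Integer requiredPermission = null;
    for (RevDetails revDetails : revContent) {
        int reasonCode = revDetailsReasonCode(revDetails);
        // Compare numerically via intValue(): requiredPermission is boxed, and a
        // reference comparison would silently misbehave if the constants are boxed too.
        if (reasonCode == XiSecurityConstants.CMP_CRL_REASON_REMOVE) {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_remove);
                requiredPermission = PermissionConstants.REMOVE_CERT;
            } else if (requiredPermission.intValue() != PermissionConstants.REMOVE_CERT) {
                return badRequestRevBody("not all revDetails are of the same type");
            }
        } else if (reasonCode == CrlReason.REMOVE_FROM_CRL.getCode()) {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_unrevoke);
                requiredPermission = PermissionConstants.UNREVOKE_CERT;
            } else if (requiredPermission.intValue() != PermissionConstants.UNREVOKE_CERT) {
                return badRequestRevBody("not all revDetails are of the same type");
            }
        } else {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_revoke);
                requiredPermission = PermissionConstants.REVOKE_CERT;
            } else if (requiredPermission.intValue() != PermissionConstants.REVOKE_CERT) {
                return badRequestRevBody("not all revDetails are of the same type");
            }
        }
    }

    try {
        checkPermission(requestor, requiredPermission);
    } catch (InsuffientPermissionException ex) {
        event.setStatus(AuditStatus.FAILED);
        event.addEventData(CaAuditConstants.NAME_message, "NOT_PERMITTED");
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.notAuthorized, null);
    }
    return unRevokeRemoveCertificates(request, rr, requiredPermission, cmpControl, msgId);
}

/**
 * Builds an {@code error} body with status {@code rejection}, failure info
 * {@code badRequest} and the given status text.
 *
 * @param text human-readable reason placed in the PKIFreeText
 * @return the error body
 */
private static PKIBody badRequestRevBody(String text) {
    PKIStatusInfo status = new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText(text), new PKIFailureInfo(PKIFailureInfo.badRequest));
    return new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(status));
}

/**
 * Reads the CRL reason code from the crlEntryDetails of a RevDetails entry.
 *
 * @param revDetails the entry to inspect
 * @return the reasonCode extension value, or {@code CrlReason.UNSPECIFIED} when the
 *     entry has no crlEntryDetails or no reasonCode extension
 */
private static int revDetailsReasonCode(RevDetails revDetails) {
    Extensions crlDetails = revDetails.getCrlEntryDetails();
    if (crlDetails == null) {
        return CrlReason.UNSPECIFIED.getCode();
    }
    ASN1Encodable extValue = crlDetails.getExtensionParsedValue(Extension.reasonCode);
    if (extValue == null) {
        return CrlReason.UNSPECIFIED.getCode();
    }
    return ASN1Enumerated.getInstance(extValue).getValue().intValue();
}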
