use of org.bouncycastle.asn1.cmp.InfoTypeAndValue in project xipki by xipki.
the class CmpCaClient method requestCertViaCsr.
// method parseEnrollCertResult
public X509Certificate requestCertViaCsr(String certProfile, CertificationRequest csr) throws Exception {
ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(PKIHeader.CMP_2000, requestorSubject, responderSubject);
builder.setMessageTime(new Date());
builder.setTransactionID(randomTransactionId());
builder.setSenderNonce(randomSenderNonce());
builder.addGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.it_implicitConfirm, DERNull.INSTANCE));
builder.addGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.regInfo_utf8Pairs, new DERUTF8String("CERT-PROFILE?" + certProfile + "%")));
builder.setBody(new PKIBody(PKIBody.TYPE_P10_CERT_REQ, csr));
ProtectedPKIMessage request = builder.build(requestorSigner);
PKIMessage response = transmit(request);
return parseEnrollCertResult(response);
}
use of org.bouncycastle.asn1.cmp.InfoTypeAndValue in project xipki by xipki.
the class CmpCaClient method extractGeneralRepContent.
private ASN1Encodable extractGeneralRepContent(PKIMessage response, String expectedType) throws Exception {
PKIBody respBody = response.getBody();
int bodyType = respBody.getType();
if (PKIBody.TYPE_ERROR == bodyType) {
ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
throw new Exception("Server returned PKIStatus: " + buildText(content.getPKIStatusInfo()));
} else if (PKIBody.TYPE_GEN_REP != bodyType) {
throw new Exception(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_GEN_REP, PKIBody.TYPE_ERROR));
}
GenRepContent genRep = GenRepContent.getInstance(respBody.getContent());
InfoTypeAndValue[] itvs = genRep.toInfoTypeAndValueArray();
InfoTypeAndValue itv = null;
if (itvs != null && itvs.length > 0) {
for (InfoTypeAndValue entry : itvs) {
if (expectedType.equals(entry.getInfoType().getId())) {
itv = entry;
break;
}
}
}
if (itv == null) {
throw new Exception("the response does not contain InfoTypeAndValue " + expectedType);
}
return itv.getInfoValue();
}
use of org.bouncycastle.asn1.cmp.InfoTypeAndValue in project xipki by xipki.
the class X509CaCmpResponderImpl method cmpGeneralMsg.
// method cmpRevokeOrUnrevokeOrRemoveCertificates
private PKIBody cmpGeneralMsg(PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, ASN1OctetString tid, String msgId, AuditEvent event) throws InsuffientPermissionException {
GenMsgContent genMsgBody = GenMsgContent.getInstance(reqBody.getContent());
InfoTypeAndValue[] itvs = genMsgBody.toInfoTypeAndValueArray();
InfoTypeAndValue itv = null;
if (itvs != null && itvs.length > 0) {
for (InfoTypeAndValue entry : itvs) {
String itvType = entry.getInfoType().getId();
if (KNOWN_GENMSG_IDS.contains(itvType)) {
itv = entry;
break;
}
}
}
if (itv == null) {
String statusMessage = "PKIBody type " + PKIBody.TYPE_GEN_MSG + " is only supported with the sub-types " + KNOWN_GENMSG_IDS.toString();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
InfoTypeAndValue itvResp = null;
ASN1ObjectIdentifier infoType = itv.getInfoType();
int failureInfo;
try {
X509Ca ca = getCa();
if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) {
event.addEventType(CaAuditConstants.TYPE_CMP_genm_currentCrl);
checkPermission(requestor, PermissionConstants.GET_CRL);
CertificateList crl = ca.getBcCurrentCrl();
if (itv.getInfoValue() == null) {
// as defined in RFC 4210
crl = ca.getBcCurrentCrl();
} else {
// xipki extension
ASN1Integer crlNumber = ASN1Integer.getInstance(itv.getInfoValue());
crl = ca.getBcCrl(crlNumber.getPositiveValue());
}
if (crl == null) {
String statusMessage = "no CRL is available";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
itvResp = new InfoTypeAndValue(infoType, crl);
} else if (ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.equals(infoType)) {
ASN1Encodable asn1 = itv.getInfoValue();
ASN1Integer asn1Code = null;
ASN1Encodable reqValue = null;
try {
ASN1Sequence seq = ASN1Sequence.getInstance(asn1);
asn1Code = ASN1Integer.getInstance(seq.getObjectAt(0));
if (seq.size() > 1) {
reqValue = seq.getObjectAt(1);
}
} catch (IllegalArgumentException ex) {
String statusMessage = "invalid value of the InfoTypeAndValue for " + ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.getId();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
ASN1Encodable respValue;
int action = asn1Code.getPositiveValue().intValue();
switch(action) {
case XiSecurityConstants.CMP_ACTION_GEN_CRL:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_genCrl);
checkPermission(requestor, PermissionConstants.GEN_CRL);
X509CRL tmpCrl = ca.generateCrlOnDemand(msgId);
if (tmpCrl == null) {
String statusMessage = "CRL generation is not activated";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
} else {
respValue = CertificateList.getInstance(tmpCrl.getEncoded());
}
break;
case XiSecurityConstants.CMP_ACTION_GET_CRL_WITH_SN:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_crlForNumber);
checkPermission(requestor, PermissionConstants.GET_CRL);
ASN1Integer crlNumber = ASN1Integer.getInstance(reqValue);
respValue = ca.getBcCrl(crlNumber.getPositiveValue());
if (respValue == null) {
String statusMessage = "no CRL is available";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
break;
case XiSecurityConstants.CMP_ACTION_GET_CAINFO:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_cainfo);
Set<Integer> acceptVersions = new HashSet<>();
if (reqValue != null) {
ASN1Sequence seq = DERSequence.getInstance(reqValue);
int size = seq.size();
for (int i = 0; i < size; i++) {
ASN1Integer ai = ASN1Integer.getInstance(seq.getObjectAt(i));
acceptVersions.add(ai.getPositiveValue().intValue());
}
}
if (CollectionUtil.isEmpty(acceptVersions)) {
acceptVersions.add(1);
}
String systemInfo = getSystemInfo(requestor, acceptVersions);
respValue = new DERUTF8String(systemInfo);
break;
default:
String statusMessage = "unsupported XiPKI action code '" + action + "'";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
// end switch (action)
ASN1EncodableVector vec = new ASN1EncodableVector();
vec.add(asn1Code);
if (respValue != null) {
vec.add(respValue);
}
itvResp = new InfoTypeAndValue(infoType, new DERSequence(vec));
} else if (ObjectIdentifiers.id_xipki_cmp_cacerts.equals(infoType)) {
event.addEventType(CaAuditConstants.TYPE_CMP_genm_cacerts);
CMPCertificate caCert = ca.getCaInfo().getCertInCmpFormat();
itvResp = new InfoTypeAndValue(infoType, new DERSequence(caCert));
}
GenRepContent genRepContent = new GenRepContent(itvResp);
return new PKIBody(PKIBody.TYPE_GEN_REP, genRepContent);
} catch (OperationException ex) {
failureInfo = getPKiFailureInfo(ex);
ErrorCode code = ex.getErrorCode();
String errorMessage;
switch(code) {
case DATABASE_FAILURE:
case SYSTEM_FAILURE:
errorMessage = code.name();
break;
default:
errorMessage = code.name() + ": " + ex.getErrorMessage();
break;
}
return buildErrorMsgPkiBody(PKIStatus.rejection, failureInfo, errorMessage);
} catch (CRLException ex) {
String statusMessage = "CRLException: " + ex.getMessage();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
}
use of org.bouncycastle.asn1.cmp.InfoTypeAndValue in project xipki by xipki.
the class CmpUtil method isImplictConfirm.
// method addProtection
public static boolean isImplictConfirm(PKIHeader header) {
ParamUtil.requireNonNull("header", header);
InfoTypeAndValue[] regInfos = header.getGeneralInfo();
if (regInfos != null) {
for (InfoTypeAndValue regInfo : regInfos) {
if (CMPObjectIdentifiers.it_implicitConfirm.equals(regInfo.getInfoType())) {
return true;
}
}
}
return false;
}
use of org.bouncycastle.asn1.cmp.InfoTypeAndValue in project xipki by xipki.
the class CmpRequestor method buildPkiHeader.
protected PKIHeader buildPkiHeader(boolean addImplictConfirm, ASN1OctetString tid, CmpUtf8Pairs utf8Pairs, InfoTypeAndValue... additionalGeneralInfos) {
if (additionalGeneralInfos != null) {
for (InfoTypeAndValue itv : additionalGeneralInfos) {
ASN1ObjectIdentifier type = itv.getInfoType();
if (CMPObjectIdentifiers.it_implicitConfirm.equals(type)) {
throw new IllegalArgumentException("additionGeneralInfos contains not-permitted ITV implicitConfirm");
}
if (CMPObjectIdentifiers.regInfo_utf8Pairs.equals(type)) {
throw new IllegalArgumentException("additionGeneralInfos contains not-permitted ITV utf8Pairs");
}
}
}
PKIHeaderBuilder hdrBuilder = new PKIHeaderBuilder(PKIHeader.CMP_2000, sender, recipient);
hdrBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));
ASN1OctetString tmpTid = (tid == null) ? new DEROctetString(randomTransactionId()) : tid;
hdrBuilder.setTransactionID(tmpTid);
hdrBuilder.setSenderNonce(randomSenderNonce());
List<InfoTypeAndValue> itvs = new ArrayList<>(2);
if (addImplictConfirm) {
itvs.add(CmpUtil.getImplictConfirmGeneralInfo());
}
if (utf8Pairs != null) {
itvs.add(CmpUtil.buildInfoTypeAndValue(utf8Pairs));
}
if (additionalGeneralInfos != null) {
for (InfoTypeAndValue itv : additionalGeneralInfos) {
if (itv != null) {
itvs.add(itv);
}
}
}
if (CollectionUtil.isNonEmpty(itvs)) {
hdrBuilder.setGeneralInfo(itvs.toArray(new InfoTypeAndValue[0]));
}
return hdrBuilder.build();
}
Aggregations