Examples with PKIBody org.bouncycastle.asn1.cmp.PKIBody used on opensource projects

Example 1 with PKIBody

use of org.bouncycastle.asn1.cmp.PKIBody in project xipki by xipki.

the class CmpCaClient method transmit.

private PKIMessage transmit(ProtectedPKIMessage request) throws Exception {
    byte[] encodedResponse = send(request.toASN1Structure().getEncoded());
    GeneralPKIMessage response = new GeneralPKIMessage(encodedResponse);
    PKIHeader reqHeader = request.getHeader();
    PKIHeader respHeader = response.getHeader();
    ASN1OctetString tid = reqHeader.getTransactionID();
    if (!tid.equals(respHeader.getTransactionID())) {
        throw new Exception("response.transactionId != request.transactionId");
    }
    ASN1OctetString senderNonce = reqHeader.getSenderNonce();
    if (!senderNonce.equals(respHeader.getRecipNonce())) {
        throw new Exception("response.recipientNonce != request.senderNonce");
    }
    GeneralName rec = respHeader.getRecipient();
    if (!requestorSubject.equals(rec)) {
        throw new Exception("unknown CMP requestor " + rec.toString());
    }
    if (!response.hasProtection()) {
        PKIBody respBody = response.getBody();
        int bodyType = respBody.getType();
        if (bodyType != PKIBody.TYPE_ERROR) {
            throw new Exception("response is not signed");
        }
    }
    if (verifyProtection(response)) {
        return response.toASN1Structure();
    }
    throw new Exception("invalid signature in PKI protection");
}

Example 2 with PKIBody

use of org.bouncycastle.asn1.cmp.PKIBody in project xipki by xipki.

the class CmpCaClient method requestCertViaCsr.

// method parseEnrollCertResult
public X509Certificate requestCertViaCsr(String certProfile, CertificationRequest csr) throws Exception {
    ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(PKIHeader.CMP_2000, requestorSubject, responderSubject);
    builder.setMessageTime(new Date());
    builder.setTransactionID(randomTransactionId());
    builder.setSenderNonce(randomSenderNonce());
    builder.addGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.it_implicitConfirm, DERNull.INSTANCE));
    builder.addGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.regInfo_utf8Pairs, new DERUTF8String("CERT-PROFILE?" + certProfile + "%")));
    builder.setBody(new PKIBody(PKIBody.TYPE_P10_CERT_REQ, csr));
    ProtectedPKIMessage request = builder.build(requestorSigner);
    PKIMessage response = transmit(request);
    return parseEnrollCertResult(response);
}

Example 3 with PKIBody

use of org.bouncycastle.asn1.cmp.PKIBody in project xipki by xipki.

the class CmpCaClient method parseEnrollCertResult.

private X509Certificate parseEnrollCertResult(PKIMessage response) throws Exception {
    PKIBody respBody = response.getBody();
    final int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new Exception("Server returned PKIStatus: " + buildText(content.getPKIStatusInfo()));
    } else if (PKIBody.TYPE_CERT_REP != bodyType) {
        throw new Exception(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_CERT_REP, PKIBody.TYPE_ERROR));
    }
    CertRepMessage certRep = CertRepMessage.getInstance(respBody.getContent());
    CertResponse[] certResponses = certRep.getResponse();
    if (certResponses.length != 1) {
        throw new Exception("expected 1 CertResponse, but returned " + certResponses.length);
    }
    // We only accept the certificates which are requested.
    CertResponse certResp = certResponses[0];
    PKIStatusInfo statusInfo = certResp.getStatus();
    int status = statusInfo.getStatus().intValue();
    if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) {
        throw new Exception("Server returned PKIStatus: " + buildText(statusInfo));
    }
    CertifiedKeyPair cvk = certResp.getCertifiedKeyPair();
    if (cvk != null) {
        CMPCertificate cmpCert = cvk.getCertOrEncCert().getCertificate();
        if (cmpCert != null) {
            X509Certificate cert = SdkUtil.parseCert(cmpCert.getX509v3PKCert().getEncoded());
            if (!verify(caCert, cert)) {
                throw new Exception("The returned certificate is not issued by the given CA");
            }
            return cert;
        }
    }
    throw new Exception("Server did not return any certificate");
}

Example 4 with PKIBody

use of org.bouncycastle.asn1.cmp.PKIBody in project xipki by xipki.

the class CmpCaClient method extractGeneralRepContent.

private ASN1Encodable extractGeneralRepContent(PKIMessage response, String expectedType) throws Exception {
    PKIBody respBody = response.getBody();
    int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new Exception("Server returned PKIStatus: " + buildText(content.getPKIStatusInfo()));
    } else if (PKIBody.TYPE_GEN_REP != bodyType) {
        throw new Exception(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_GEN_REP, PKIBody.TYPE_ERROR));
    }
    GenRepContent genRep = GenRepContent.getInstance(respBody.getContent());
    InfoTypeAndValue[] itvs = genRep.toInfoTypeAndValueArray();
    InfoTypeAndValue itv = null;
    if (itvs != null && itvs.length > 0) {
        for (InfoTypeAndValue entry : itvs) {
            if (expectedType.equals(entry.getInfoType().getId())) {
                itv = entry;
                break;
            }
        }
    }
    if (itv == null) {
        throw new Exception("the response does not contain InfoTypeAndValue " + expectedType);
    }
    return itv.getInfoValue();
}

Example 5 with PKIBody

use of org.bouncycastle.asn1.cmp.PKIBody in project xipki by xipki.

the class CmpCaClient method parseRevocationResult.

private boolean parseRevocationResult(PKIMessage response, BigInteger serialNumber) throws Exception {
    PKIBody respBody = response.getBody();
    final int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new Exception("Server returned PKIStatus: " + content.getPKIStatusInfo());
    } else if (PKIBody.TYPE_REVOCATION_REP != bodyType) {
        throw new Exception(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_REVOCATION_REP, PKIBody.TYPE_ERROR));
    }
    RevRepContent content = RevRepContent.getInstance(respBody.getContent());
    PKIStatusInfo[] statuses = content.getStatus();
    int statusesLen = (statuses == null) ? 0 : statuses.length;
    if (statusesLen != 1) {
        throw new Exception(String.format("incorrect number of status entries in response '%s'" + " instead the expected '1'", statusesLen));
    }
    PKIStatusInfo statusInfo = statuses[0];
    int status = statusInfo.getStatus().intValue();
    if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) {
        LOG.warn("Server returned error: " + buildText(statusInfo));
        return false;
    }
    CertId[] revCerts = content.getRevCerts();
    if (revCerts == null) {
        return true;
    }
    CertId revCert = revCerts[0];
    return caSubject.equals(revCert.getIssuer().getName()) && serialNumber.equals(revCert.getSerialNumber().getValue());
}