Search in sources :

Example 11 with PKIHeader

use of org.bouncycastle.asn1.cmp.PKIHeader in project xipki by xipki.

the class CmpRequestor method signAndSend.

protected PkiResponse signAndSend(PKIMessage request, RequestResponseDebug debug) throws CmpRequestorException {
    ParamUtil.requireNonNull("request", request);
    PKIMessage tmpRequest = (signRequest) ? sign(request) : request;
    byte[] encodedRequest;
    try {
        encodedRequest = tmpRequest.getEncoded();
    } catch (IOException ex) {
        LOG.error("could not encode the PKI request {}", tmpRequest);
        throw new CmpRequestorException(ex.getMessage(), ex);
    }
    RequestResponsePair reqResp = null;
    if (debug != null) {
        reqResp = new RequestResponsePair();
        debug.add(reqResp);
        if (debug.saveRequest()) {
            reqResp.setRequest(encodedRequest);
        }
    }
    byte[] encodedResponse;
    try {
        encodedResponse = send(encodedRequest);
    } catch (IOException ex) {
        LOG.error("could not send the PKI request {} to server", tmpRequest);
        throw new CmpRequestorException("TRANSPORT_ERROR", ex);
    }
    if (reqResp != null && debug.saveResponse()) {
        reqResp.setResponse(encodedResponse);
    }
    GeneralPKIMessage response;
    try {
        response = new GeneralPKIMessage(encodedResponse);
    } catch (IOException ex) {
        LOG.error("could not decode the received PKI message: {}", Hex.encode(encodedResponse));
        throw new CmpRequestorException(ex.getMessage(), ex);
    }
    PKIHeader reqHeader = request.getHeader();
    PKIHeader respHeader = response.getHeader();
    ASN1OctetString tid = reqHeader.getTransactionID();
    ASN1OctetString respTid = respHeader.getTransactionID();
    if (!tid.equals(respTid)) {
        LOG.warn("Response contains different tid ({}) than requested {}", respTid, tid);
        throw new CmpRequestorException("Response contains differnt tid than the request");
    }
    ASN1OctetString senderNonce = reqHeader.getSenderNonce();
    ASN1OctetString respRecipientNonce = respHeader.getRecipNonce();
    if (!senderNonce.equals(respRecipientNonce)) {
        LOG.warn("tid {}: response.recipientNonce ({}) != request.senderNonce ({})", tid, respRecipientNonce, senderNonce);
        throw new CmpRequestorException("Response contains differnt tid than the request");
    }
    GeneralName rec = respHeader.getRecipient();
    if (!sender.equals(rec)) {
        LOG.warn("tid={}: unknown CMP requestor '{}'", tid, rec);
    }
    PkiResponse ret = new PkiResponse(response);
    if (response.hasProtection()) {
        try {
            ProtectionVerificationResult verifyProtection = verifyProtection(Hex.encode(tid.getOctets()), response);
            ret.setProtectionVerificationResult(verifyProtection);
        } catch (InvalidKeyException | OperatorCreationException | CMPException ex) {
            throw new CmpRequestorException(ex.getMessage(), ex);
        }
    } else if (signRequest) {
        PKIBody respBody = response.getBody();
        int bodyType = respBody.getType();
        if (bodyType != PKIBody.TYPE_ERROR) {
            throw new CmpRequestorException("response is not signed");
        }
    }
    return ret;
}
Also used : ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) RequestResponsePair(org.xipki.common.RequestResponsePair) PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) PkiResponse(org.xipki.cmp.PkiResponse) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) ProtectionVerificationResult(org.xipki.cmp.ProtectionVerificationResult) IOException(java.io.IOException) InvalidKeyException(java.security.InvalidKeyException) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) CMPException(org.bouncycastle.cert.cmp.CMPException) GeneralName(org.bouncycastle.asn1.x509.GeneralName) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Example 12 with PKIHeader

use of org.bouncycastle.asn1.cmp.PKIHeader in project xipki by xipki.

the class CmpRequestor method buildPkiHeader.

protected PKIHeader buildPkiHeader(boolean addImplictConfirm, ASN1OctetString tid, CmpUtf8Pairs utf8Pairs, InfoTypeAndValue... additionalGeneralInfos) {
    if (additionalGeneralInfos != null) {
        for (InfoTypeAndValue itv : additionalGeneralInfos) {
            ASN1ObjectIdentifier type = itv.getInfoType();
            if (CMPObjectIdentifiers.it_implicitConfirm.equals(type)) {
                throw new IllegalArgumentException("additionGeneralInfos contains not-permitted ITV implicitConfirm");
            }
            if (CMPObjectIdentifiers.regInfo_utf8Pairs.equals(type)) {
                throw new IllegalArgumentException("additionGeneralInfos contains not-permitted ITV utf8Pairs");
            }
        }
    }
    PKIHeaderBuilder hdrBuilder = new PKIHeaderBuilder(PKIHeader.CMP_2000, sender, recipient);
    hdrBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));
    ASN1OctetString tmpTid = (tid == null) ? new DEROctetString(randomTransactionId()) : tid;
    hdrBuilder.setTransactionID(tmpTid);
    hdrBuilder.setSenderNonce(randomSenderNonce());
    List<InfoTypeAndValue> itvs = new ArrayList<>(2);
    if (addImplictConfirm) {
        itvs.add(CmpUtil.getImplictConfirmGeneralInfo());
    }
    if (utf8Pairs != null) {
        itvs.add(CmpUtil.buildInfoTypeAndValue(utf8Pairs));
    }
    if (additionalGeneralInfos != null) {
        for (InfoTypeAndValue itv : additionalGeneralInfos) {
            if (itv != null) {
                itvs.add(itv);
            }
        }
    }
    if (CollectionUtil.isNonEmpty(itvs)) {
        hdrBuilder.setGeneralInfo(itvs.toArray(new InfoTypeAndValue[0]));
    }
    return hdrBuilder.build();
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) PKIHeaderBuilder(org.bouncycastle.asn1.cmp.PKIHeaderBuilder) InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue) ArrayList(java.util.ArrayList) ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) Date(java.util.Date) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 13 with PKIHeader

use of org.bouncycastle.asn1.cmp.PKIHeader in project xipki by xipki.

the class CmpRequestor method verifyProtection.

private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException, OperatorCreationException {
    ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
    if (protectedMsg.hasPasswordBasedMacProtection()) {
        LOG.warn("NOT_SIGNAUTRE_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
        return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED);
    }
    PKIHeader header = protectedMsg.getHeader();
    if (recipientName != null) {
        boolean authorizedResponder = true;
        if (header.getSender().getTagNo() != GeneralName.directoryName) {
            authorizedResponder = false;
        } else {
            X500Name msgSender = X500Name.getInstance(header.getSender().getName());
            authorizedResponder = recipientName.equals(msgSender);
        }
        if (!authorizedResponder) {
            LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender());
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
    }
    AlgorithmIdentifier protectionAlgo = protectedMsg.getHeader().getProtectionAlg();
    if (!responder.getSigAlgoValidator().isAlgorithmPermitted(protectionAlgo)) {
        String algoName;
        try {
            algoName = AlgorithmUtil.getSignatureAlgoName(protectionAlgo);
        } catch (NoSuchAlgorithmException ex) {
            algoName = protectionAlgo.getAlgorithm().getId();
        }
        LOG.warn("tid={}: response protected by untrusted protection algorithm '{}'", tid, algoName);
        return new ProtectionVerificationResult(null, ProtectionResult.INVALID);
    }
    X509Certificate cert = responder.getCert();
    ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(cert);
    if (verifierProvider == null) {
        LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender());
        return new ProtectionVerificationResult(cert, ProtectionResult.SENDER_NOT_AUTHORIZED);
    }
    boolean signatureValid = protectedMsg.verify(verifierProvider);
    ProtectionResult protRes = signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID;
    return new ProtectionVerificationResult(cert, protRes);
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ProtectionResult(org.xipki.cmp.ProtectionResult) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) ProtectionVerificationResult(org.xipki.cmp.ProtectionVerificationResult) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DEROctetString(org.bouncycastle.asn1.DEROctetString) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) X509Certificate(java.security.cert.X509Certificate) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 14 with PKIHeader

use of org.bouncycastle.asn1.cmp.PKIHeader in project xipki by xipki.

the class X509CmpRequestor method buildPkiMessage.

private PKIMessage buildPkiMessage(EnrollCertRequest req) {
    PKIHeader header = buildPkiHeader(implicitConfirm, null);
    List<EnrollCertRequestEntry> reqEntries = req.getRequestEntries();
    CertReqMsg[] certReqMsgs = new CertReqMsg[reqEntries.size()];
    for (int i = 0; i < reqEntries.size(); i++) {
        EnrollCertRequestEntry reqEntry = reqEntries.get(i);
        CmpUtf8Pairs utf8Pairs = new CmpUtf8Pairs(CmpUtf8Pairs.KEY_CERTPROFILE, reqEntry.getCertprofile());
        AttributeTypeAndValue certprofileInfo = CmpUtil.buildAttributeTypeAndValue(utf8Pairs);
        AttributeTypeAndValue[] atvs = (certprofileInfo == null) ? null : new AttributeTypeAndValue[] { certprofileInfo };
        certReqMsgs[i] = new CertReqMsg(reqEntry.getCertReq(), reqEntry.getPopo(), atvs);
    }
    int bodyType;
    switch(req.getType()) {
        case CERT_REQ:
            bodyType = PKIBody.TYPE_CERT_REQ;
            break;
        case KEY_UPDATE:
            bodyType = PKIBody.TYPE_KEY_UPDATE_REQ;
            break;
        default:
            bodyType = PKIBody.TYPE_CROSS_CERT_REQ;
    }
    PKIBody body = new PKIBody(bodyType, new CertReqMessages(certReqMsgs));
    return new PKIMessage(header, body);
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) CertReqMessages(org.bouncycastle.asn1.crmf.CertReqMessages) CmpUtf8Pairs(org.xipki.cmp.CmpUtf8Pairs) CertReqMsg(org.bouncycastle.asn1.crmf.CertReqMsg) EnrollCertRequestEntry(org.xipki.ca.client.api.dto.EnrollCertRequestEntry) AttributeTypeAndValue(org.bouncycastle.asn1.crmf.AttributeTypeAndValue)

Example 15 with PKIHeader

use of org.bouncycastle.asn1.cmp.PKIHeader in project xipki by xipki.

the class X509CmpRequestor method buildUnrevokeOrRemoveCertRequest.

// method buildRevokeCertRequest
private PKIMessage buildUnrevokeOrRemoveCertRequest(UnrevokeOrRemoveCertRequest request, int reasonCode) throws CmpRequestorException {
    PKIHeader header = buildPkiHeader(null);
    List<UnrevokeOrRemoveCertEntry> requestEntries = request.getRequestEntries();
    List<RevDetails> revDetailsArray = new ArrayList<>(requestEntries.size());
    for (UnrevokeOrRemoveCertEntry requestEntry : requestEntries) {
        CertTemplateBuilder certTempBuilder = new CertTemplateBuilder();
        certTempBuilder.setIssuer(requestEntry.getIssuer());
        certTempBuilder.setSerialNumber(new ASN1Integer(requestEntry.getSerialNumber()));
        byte[] aki = requestEntry.getAuthorityKeyIdentifier();
        if (aki != null) {
            Extensions certTempExts = getCertTempExtensions(aki);
            certTempBuilder.setExtensions(certTempExts);
        }
        Extension[] extensions = new Extension[1];
        try {
            ASN1Enumerated reason = new ASN1Enumerated(reasonCode);
            extensions[0] = new Extension(Extension.reasonCode, true, new DEROctetString(reason.getEncoded()));
        } catch (IOException ex) {
            throw new CmpRequestorException(ex.getMessage(), ex);
        }
        Extensions exts = new Extensions(extensions);
        RevDetails revDetails = new RevDetails(certTempBuilder.build(), exts);
        revDetailsArray.add(revDetails);
    }
    RevReqContent content = new RevReqContent(revDetailsArray.toArray(new RevDetails[0]));
    PKIBody body = new PKIBody(PKIBody.TYPE_REVOCATION_REQ, content);
    return new PKIMessage(header, body);
}
Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) ArrayList(java.util.ArrayList) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) RevReqContent(org.bouncycastle.asn1.cmp.RevReqContent) DEROctetString(org.bouncycastle.asn1.DEROctetString) Extension(org.bouncycastle.asn1.x509.Extension) CertTemplateBuilder(org.bouncycastle.asn1.crmf.CertTemplateBuilder) ASN1Enumerated(org.bouncycastle.asn1.ASN1Enumerated) UnrevokeOrRemoveCertEntry(org.xipki.ca.client.api.dto.UnrevokeOrRemoveCertEntry) RevDetails(org.bouncycastle.asn1.cmp.RevDetails)

Aggregations

PKIBody (org.bouncycastle.asn1.cmp.PKIBody)16 PKIHeader (org.bouncycastle.asn1.cmp.PKIHeader)16 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)12 PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)12 ProtectedPKIMessage (org.bouncycastle.cert.cmp.ProtectedPKIMessage)9 Date (java.util.Date)8 InfoTypeAndValue (org.bouncycastle.asn1.cmp.InfoTypeAndValue)8 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)7 GeneralPKIMessage (org.bouncycastle.cert.cmp.GeneralPKIMessage)7 DEROctetString (org.bouncycastle.asn1.DEROctetString)6 ASN1GeneralizedTime (org.bouncycastle.asn1.ASN1GeneralizedTime)5 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)5 GeneralName (org.bouncycastle.asn1.x509.GeneralName)5 CmpUtf8Pairs (org.xipki.cmp.CmpUtf8Pairs)5 IOException (java.io.IOException)4 ArrayList (java.util.ArrayList)4 PKIStatusInfo (org.bouncycastle.asn1.cmp.PKIStatusInfo)4 Extensions (org.bouncycastle.asn1.x509.Extensions)4 CMPException (org.bouncycastle.cert.cmp.CMPException)4 ProtectionVerificationResult (org.xipki.cmp.ProtectionVerificationResult)4