Example 46 with PKIMessage
use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.
the class CmpUtil method addProtection.
public static PKIMessage addProtection(PKIMessage pkiMessage, ConcurrentContentSigner signer, GeneralName signerName, boolean addSignerCert) throws CMPException, NoIdleSignerException {
ParamUtil.requireNonNull("pkiMessage", pkiMessage);
ParamUtil.requireNonNull("signer", signer);
final GeneralName tmpSignerName;
if (signerName != null) {
tmpSignerName = signerName;
} else {
if (signer.getCertificate() == null) {
throw new IllegalArgumentException("signer without certificate is not allowed");
}
X500Name x500Name = X500Name.getInstance(signer.getCertificate().getSubjectX500Principal().getEncoded());
tmpSignerName = new GeneralName(x500Name);
}
PKIHeader header = pkiMessage.getHeader();
ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(tmpSignerName, header.getRecipient());
PKIFreeText freeText = header.getFreeText();
if (freeText != null) {
builder.setFreeText(freeText);
}
InfoTypeAndValue[] generalInfo = header.getGeneralInfo();
if (generalInfo != null) {
for (InfoTypeAndValue gi : generalInfo) {
builder.addGeneralInfo(gi);
}
}
ASN1OctetString octet = header.getRecipKID();
if (octet != null) {
builder.setRecipKID(octet.getOctets());
}
octet = header.getRecipNonce();
if (octet != null) {
builder.setRecipNonce(octet.getOctets());
}
octet = header.getSenderKID();
if (octet != null) {
builder.setSenderKID(octet.getOctets());
}
octet = header.getSenderNonce();
if (octet != null) {
builder.setSenderNonce(octet.getOctets());
}
octet = header.getTransactionID();
if (octet != null) {
builder.setTransactionID(octet.getOctets());
}
if (header.getMessageTime() != null) {
builder.setMessageTime(new Date());
}
builder.setBody(pkiMessage.getBody());
if (addSignerCert) {
X509CertificateHolder signerCert = signer.getBcCertificate();
builder.addCMPCertificate(signerCert);
}
ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
ProtectedPKIMessage signedMessage;
try {
signedMessage = builder.build(signer0.value());
} finally {
signer.requiteSigner(signer0);
}
return signedMessage.toASN1Structure();
}
Also used :
PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage)
X500Name(org.bouncycastle.asn1.x500.X500Name)
ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner)
Date(java.util.Date)
PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ProtectedPKIMessageBuilder(org.bouncycastle.cert.cmp.ProtectedPKIMessageBuilder)
Example 47 with PKIMessage
use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.
the class HttpCmpServlet method service.
@Override
public FullHttpResponse service(FullHttpRequest request, ServletURI servletUri, SSLSession sslSession, SslReverseProxyMode sslReverseProxyMode) throws Exception {
HttpVersion httpVersion = request.protocolVersion();
HttpMethod method = request.method();
if (method != HttpMethod.POST) {
return createErrorResponse(httpVersion, HttpResponseStatus.METHOD_NOT_ALLOWED);
}
X509Certificate clientCert = getClientCert(request, sslSession, sslReverseProxyMode);
AuditService auditService = auditServiceRegister.getAuditService();
AuditEvent event = new AuditEvent(new Date());
event.setApplicationName(CaAuditConstants.APPNAME);
event.setName(CaAuditConstants.NAME_PERF);
event.addEventData(CaAuditConstants.NAME_reqType, RequestType.CMP.name());
AuditLevel auditLevel = AuditLevel.INFO;
AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
String auditMessage = null;
try {
if (responderManager == null) {
String message = "responderManager in servlet not configured";
LOG.error(message);
throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, message, AuditLevel.ERROR, AuditStatus.FAILED);
}
String reqContentType = request.headers().get("Content-Type");
if (!CT_REQUEST.equalsIgnoreCase(reqContentType)) {
String message = "unsupported media type " + reqContentType;
throw new HttpRespAuditException(HttpResponseStatus.UNSUPPORTED_MEDIA_TYPE, message, AuditLevel.INFO, AuditStatus.FAILED);
}
String caName = null;
X509CaCmpResponder responder = null;
if (servletUri.getPath().length() > 1) {
// skip the first char which is always '/'
String caAlias = servletUri.getPath().substring(1);
caName = responderManager.getCaNameForAlias(caAlias);
if (caName == null) {
caName = caAlias.toLowerCase();
}
responder = responderManager.getX509CaResponder(caName);
}
if (caName == null || responder == null || !responder.isOnService()) {
String message;
if (caName == null) {
message = "no CA is specified";
} else if (responder == null) {
message = "unknown CA '" + caName + "'";
} else {
message = "CA '" + caName + "' is out of service";
}
LOG.warn(message);
throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, message, AuditLevel.INFO, AuditStatus.FAILED);
}
event.addEventData(CaAuditConstants.NAME_ca, responder.getCaName());
byte[] reqContent = readContent(request);
PKIMessage pkiReq;
try {
pkiReq = PKIMessage.getInstance(reqContent);
} catch (Exception ex) {
LogUtil.error(LOG, ex, "could not parse the request (PKIMessage)");
throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, "bad request", AuditLevel.INFO, AuditStatus.FAILED);
}
PKIMessage pkiResp = responder.processPkiMessage(pkiReq, clientCert, event);
byte[] encodedPkiResp = pkiResp.getEncoded();
return createOKResponse(httpVersion, CT_RESPONSE, encodedPkiResp);
} catch (HttpRespAuditException ex) {
auditStatus = ex.getAuditStatus();
auditLevel = ex.getAuditLevel();
auditMessage = ex.getAuditMessage();
return createErrorResponse(httpVersion, ex.getHttpStatus());
} catch (Throwable th) {
if (th instanceof EOFException) {
LogUtil.warn(LOG, th, "connection reset by peer");
} else {
LOG.error("Throwable thrown, this should not happen!", th);
}
auditLevel = AuditLevel.ERROR;
auditStatus = AuditStatus.FAILED;
auditMessage = "internal error";
return createErrorResponse(httpVersion, HttpResponseStatus.INTERNAL_SERVER_ERROR);
} finally {
audit(auditService, event, auditLevel, auditStatus, auditMessage);
}
}
Also used :
PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage)
AuditLevel(org.xipki.audit.AuditLevel)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
EOFException(java.io.EOFException)
AuditStatus(org.xipki.audit.AuditStatus)
X509CaCmpResponder(org.xipki.ca.server.api.X509CaCmpResponder)
EOFException(java.io.EOFException)
AuditEvent(org.xipki.audit.AuditEvent)
HttpVersion(io.netty.handler.codec.http.HttpVersion)
AuditService(org.xipki.audit.AuditService)
HttpMethod(io.netty.handler.codec.http.HttpMethod)
Example 48 with PKIMessage
use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.
the class HttpCmpServlet method doPost.
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
AuditServiceRegister auditServiceRegister = ServletHelper.getAuditServiceRegister();
if (auditServiceRegister == null) {
LOG.error("ServletHelper.auditServiceRegister not configured");
sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return;
}
ResponderManager responderManager = ServletHelper.getResponderManager();
if (responderManager == null) {
LOG.error("ServletHelper.responderManager not configured");
sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return;
}
X509Certificate clientCert = ClientCertCache.getTlsClientCert(req);
AuditService auditService = auditServiceRegister.getAuditService();
AuditEvent event = new AuditEvent(new Date());
event.setApplicationName(CaAuditConstants.APPNAME);
event.setName(CaAuditConstants.NAME_PERF);
event.addEventData(CaAuditConstants.NAME_reqType, RequestType.CMP.name());
AuditLevel auditLevel = AuditLevel.INFO;
AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
String auditMessage = null;
try {
String reqContentType = req.getHeader("Content-Type");
if (!CT_REQUEST.equalsIgnoreCase(reqContentType)) {
String message = "unsupported media type " + reqContentType;
throw new HttpRespAuditException(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, AuditLevel.INFO, AuditStatus.FAILED);
}
String caName = null;
X509CaCmpResponder responder = null;
String path = StringUtil.getRelativeRequestUri(req.getServletPath(), req.getRequestURI());
if (path.length() > 1) {
// skip the first char which is always '/'
String caAlias = path.substring(1);
caName = responderManager.getCaNameForAlias(caAlias);
if (caName == null) {
caName = caAlias.toLowerCase();
}
responder = responderManager.getX509CaResponder(caName);
}
if (caName == null || responder == null || !responder.isOnService()) {
String message;
if (caName == null) {
message = "no CA is specified";
} else if (responder == null) {
message = "unknown CA '" + caName + "'";
} else {
message = "CA '" + caName + "' is out of service";
}
LOG.warn(message);
throw new HttpRespAuditException(HttpServletResponse.SC_NOT_FOUND, message, AuditLevel.INFO, AuditStatus.FAILED);
}
event.addEventData(CaAuditConstants.NAME_ca, responder.getCaName());
byte[] reqContent = IoUtil.read(req.getInputStream());
PKIMessage pkiReq;
try {
pkiReq = PKIMessage.getInstance(reqContent);
} catch (Exception ex) {
LogUtil.error(LOG, ex, "could not parse the request (PKIMessage)");
throw new HttpRespAuditException(HttpServletResponse.SC_BAD_REQUEST, "bad request", AuditLevel.INFO, AuditStatus.FAILED);
}
PKIMessage pkiResp = responder.processPkiMessage(pkiReq, clientCert, event);
byte[] encodedPkiResp = pkiResp.getEncoded();
resp.setContentType(CT_RESPONSE);
resp.setContentLength(encodedPkiResp.length);
resp.getOutputStream().write(encodedPkiResp);
} catch (HttpRespAuditException ex) {
auditStatus = ex.getAuditStatus();
auditLevel = ex.getAuditLevel();
auditMessage = ex.getAuditMessage();
sendError(resp, ex.getHttpStatus());
} catch (Throwable th) {
if (th instanceof EOFException) {
LogUtil.warn(LOG, th, "connection reset by peer");
} else {
LOG.error("Throwable thrown, this should not happen!", th);
}
auditLevel = AuditLevel.ERROR;
auditStatus = AuditStatus.FAILED;
auditMessage = "internal error";
sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
} finally {
resp.flushBuffer();
audit(auditService, event, auditLevel, auditStatus, auditMessage);
}
}
Also used :
PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage)
AuditLevel(org.xipki.audit.AuditLevel)
ResponderManager(org.xipki.ca.server.api.ResponderManager)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
ServletException(javax.servlet.ServletException)
IOException(java.io.IOException)
EOFException(java.io.EOFException)
AuditStatus(org.xipki.audit.AuditStatus)
X509CaCmpResponder(org.xipki.ca.server.api.X509CaCmpResponder)
EOFException(java.io.EOFException)
AuditEvent(org.xipki.audit.AuditEvent)
AuditServiceRegister(org.xipki.audit.AuditServiceRegister)
AuditService(org.xipki.audit.AuditService)
Example 49 with PKIMessage
use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.
the class DecodedPkiMessage method decode.
@SuppressWarnings("unchecked")
public static DecodedPkiMessage decode(CMSSignedData pkiMessage, EnvelopedDataDecryptor recipient, CollectionStore<X509CertificateHolder> certStore) throws MessageDecodingException {
ScepUtil.requireNonNull("pkiMessage", pkiMessage);
ScepUtil.requireNonNull("recipient", recipient);
SignerInformationStore signerStore = pkiMessage.getSignerInfos();
Collection<SignerInformation> signerInfos = signerStore.getSigners();
if (signerInfos.size() != 1) {
throw new MessageDecodingException("number of signerInfos is not 1, but " + signerInfos.size());
}
SignerInformation signerInfo = signerInfos.iterator().next();
SignerId sid = signerInfo.getSID();
Collection<?> signedDataCerts = null;
if (certStore != null) {
signedDataCerts = certStore.getMatches(sid);
}
if (signedDataCerts == null || signedDataCerts.isEmpty()) {
signedDataCerts = pkiMessage.getCertificates().getMatches(signerInfo.getSID());
}
if (signedDataCerts == null || signedDataCerts.size() != 1) {
throw new MessageDecodingException("could not find embedded certificate to verify the signature");
}
AttributeTable signedAttrs = signerInfo.getSignedAttributes();
if (signedAttrs == null) {
throw new MessageDecodingException("missing SCEP attributes");
}
Date signingTime = null;
// signingTime
ASN1Encodable attrValue = ScepUtil.getFirstAttrValue(signedAttrs, CMSAttributes.signingTime);
if (attrValue != null) {
signingTime = Time.getInstance(attrValue).getDate();
}
// transactionId
String str = getPrintableStringAttrValue(signedAttrs, ScepObjectIdentifiers.ID_TRANSACTION_ID);
if (str == null || str.isEmpty()) {
throw new MessageDecodingException("missing required SCEP attribute transactionId");
}
TransactionId transactionId = new TransactionId(str);
// messageType
Integer intValue = getIntegerPrintStringAttrValue(signedAttrs, ScepObjectIdentifiers.ID_MESSAGE_TYPE);
if (intValue == null) {
throw new MessageDecodingException("tid " + transactionId.getId() + ": missing required SCEP attribute messageType");
}
MessageType messageType;
try {
messageType = MessageType.forValue(intValue);
} catch (IllegalArgumentException ex) {
throw new MessageDecodingException("tid " + transactionId.getId() + ": invalid messageType '" + intValue + "'");
}
// senderNonce
Nonce senderNonce = getNonceAttrValue(signedAttrs, ScepObjectIdentifiers.ID_SENDER_NONCE);
if (senderNonce == null) {
throw new MessageDecodingException("tid " + transactionId.getId() + ": missing required SCEP attribute senderNonce");
}
DecodedPkiMessage ret = new DecodedPkiMessage(transactionId, messageType, senderNonce);
if (signingTime != null) {
ret.setSigningTime(signingTime);
}
Nonce recipientNonce = null;
try {
recipientNonce = getNonceAttrValue(signedAttrs, ScepObjectIdentifiers.ID_RECIPIENT_NONCE);
} catch (MessageDecodingException ex) {
ret.setFailureMessage("could not parse recipientNonce: " + ex.getMessage());
}
if (recipientNonce != null) {
ret.setRecipientNonce(recipientNonce);
}
PkiStatus pkiStatus = null;
FailInfo failInfo = null;
if (MessageType.CertRep == messageType) {
// pkiStatus
try {
intValue = getIntegerPrintStringAttrValue(signedAttrs, ScepObjectIdentifiers.ID_PKI_STATUS);
} catch (MessageDecodingException ex) {
ret.setFailureMessage("could not parse pkiStatus: " + ex.getMessage());
return ret;
}
if (intValue == null) {
ret.setFailureMessage("missing required SCEP attribute pkiStatus");
return ret;
}
try {
pkiStatus = PkiStatus.forValue(intValue);
} catch (IllegalArgumentException ex) {
ret.setFailureMessage("invalid pkiStatus '" + intValue + "'");
return ret;
}
ret.setPkiStatus(pkiStatus);
// failureInfo
if (pkiStatus == PkiStatus.FAILURE) {
try {
intValue = getIntegerPrintStringAttrValue(signedAttrs, ScepObjectIdentifiers.ID_FAILINFO);
} catch (MessageDecodingException ex) {
ret.setFailureMessage("could not parse failInfo: " + ex.getMessage());
return ret;
}
if (intValue == null) {
ret.setFailureMessage("missing required SCEP attribute failInfo");
return ret;
}
try {
failInfo = FailInfo.forValue(intValue);
} catch (IllegalArgumentException ex) {
ret.setFailureMessage("invalid failInfo '" + intValue + "'");
return ret;
}
ret.setFailInfo(failInfo);
}
// end if(pkiStatus == PkiStatus.FAILURE)
}
// end if (MessageType.CertRep == messageType)
// other signedAttributes
Attribute[] attrs = signedAttrs.toASN1Structure().getAttributes();
for (Attribute attr : attrs) {
ASN1ObjectIdentifier type = attr.getAttrType();
if (!SCEP_ATTR_TYPES.contains(type)) {
ret.addSignendAttribute(type, attr.getAttrValues().getObjectAt(0));
}
}
// unsignedAttributes
AttributeTable unsignedAttrs = signerInfo.getUnsignedAttributes();
attrs = (unsignedAttrs == null) ? null : unsignedAttrs.toASN1Structure().getAttributes();
if (attrs != null) {
for (Attribute attr : attrs) {
ASN1ObjectIdentifier type = attr.getAttrType();
ret.addUnsignendAttribute(type, attr.getAttrValues().getObjectAt(0));
}
}
ASN1ObjectIdentifier digestAlgOid = signerInfo.getDigestAlgorithmID().getAlgorithm();
ret.setDigestAlgorithm(digestAlgOid);
String sigAlgOid = signerInfo.getEncryptionAlgOID();
if (!PKCSObjectIdentifiers.rsaEncryption.getId().equals(sigAlgOid)) {
ASN1ObjectIdentifier tmpDigestAlgOid;
try {
tmpDigestAlgOid = ScepUtil.extractDigesetAlgorithmIdentifier(signerInfo.getEncryptionAlgOID(), signerInfo.getEncryptionAlgParams());
} catch (Exception ex) {
final String msg = "could not extract digest algorithm from signerInfo.signatureAlgorithm: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
if (!digestAlgOid.equals(tmpDigestAlgOid)) {
ret.setFailureMessage("digestAlgorithm and encryptionAlgorithm do not use the same digestAlgorithm");
return ret;
}
// end if
}
// end if
X509CertificateHolder tmpSignerCert = (X509CertificateHolder) signedDataCerts.iterator().next();
X509Certificate signerCert;
try {
signerCert = ScepUtil.toX509Cert(tmpSignerCert.toASN1Structure());
} catch (CertificateException ex) {
final String msg = "could not construct X509Certificate: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
ret.setSignatureCert(signerCert);
// validate the signature
SignerInformationVerifier verifier;
try {
verifier = new JcaSimpleSignerInfoVerifierBuilder().build(tmpSignerCert);
} catch (OperatorCreationException | CertificateException ex) {
final String msg = "could not build signature verifier: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
boolean signatureValid;
try {
signatureValid = signerInfo.verify(verifier);
} catch (CMSException ex) {
final String msg = "could not verify the signature: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
ret.setSignatureValid(signatureValid);
if (!signatureValid) {
return ret;
}
if (MessageType.CertRep == messageType && (pkiStatus == PkiStatus.FAILURE | pkiStatus == PkiStatus.PENDING)) {
return ret;
}
// MessageData
CMSTypedData signedContent = pkiMessage.getSignedContent();
ASN1ObjectIdentifier signedContentType = signedContent.getContentType();
if (!CMSObjectIdentifiers.envelopedData.equals(signedContentType)) {
// fall back: some SCEP client, such as JSCEP use id-data
if (!CMSObjectIdentifiers.data.equals(signedContentType)) {
ret.setFailureMessage("either id-envelopedData or id-data is excepted, but not '" + signedContentType.getId());
return ret;
}
}
CMSEnvelopedData envData;
try {
envData = new CMSEnvelopedData((byte[]) signedContent.getContent());
} catch (CMSException ex) {
final String msg = "could not create the CMSEnvelopedData: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
ret.setContentEncryptionAlgorithm(envData.getContentEncryptionAlgorithm().getAlgorithm());
byte[] encodedMessageData;
try {
encodedMessageData = recipient.decrypt(envData);
} catch (MessageDecodingException ex) {
final String msg = "could not create the CMSEnvelopedData: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
ret.setDecryptionSuccessful(false);
return ret;
}
ret.setDecryptionSuccessful(true);
try {
if (MessageType.PKCSReq == messageType || MessageType.RenewalReq == messageType || MessageType.UpdateReq == messageType) {
CertificationRequest messageData = CertificationRequest.getInstance(encodedMessageData);
ret.setMessageData(messageData);
} else if (MessageType.CertPoll == messageType) {
IssuerAndSubject messageData = IssuerAndSubject.getInstance(encodedMessageData);
ret.setMessageData(messageData);
} else if (MessageType.GetCert == messageType || MessageType.GetCRL == messageType) {
IssuerAndSerialNumber messageData = IssuerAndSerialNumber.getInstance(encodedMessageData);
ret.setMessageData(messageData);
ret.setMessageData(messageData);
} else if (MessageType.CertRep == messageType) {
ContentInfo ci = ContentInfo.getInstance(encodedMessageData);
ret.setMessageData(ci);
} else {
throw new RuntimeException("should not reach here, unknown messageType " + messageType);
}
} catch (Exception ex) {
final String msg = "could not parse the messageData: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
return ret;
}
Also used :
IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber)
Attribute(org.bouncycastle.asn1.cms.Attribute)
AttributeTable(org.bouncycastle.asn1.cms.AttributeTable)
SignerInformation(org.bouncycastle.cms.SignerInformation)
CertificateException(java.security.cert.CertificateException)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
SignerInformationStore(org.bouncycastle.cms.SignerInformationStore)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
FailInfo(org.xipki.scep.transaction.FailInfo)
SignerInformationVerifier(org.bouncycastle.cms.SignerInformationVerifier)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
MessageType(org.xipki.scep.transaction.MessageType)
PkiStatus(org.xipki.scep.transaction.PkiStatus)
CMSEnvelopedData(org.bouncycastle.cms.CMSEnvelopedData)
CMSTypedData(org.bouncycastle.cms.CMSTypedData)
JcaSimpleSignerInfoVerifierBuilder(org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder)
Date(java.util.Date)
CMSException(org.bouncycastle.cms.CMSException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
CertificateException(java.security.cert.CertificateException)
X509Certificate(java.security.cert.X509Certificate)
TransactionId(org.xipki.scep.transaction.TransactionId)
Nonce(org.xipki.scep.transaction.Nonce)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
SignerId(org.bouncycastle.cms.SignerId)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
CMSException(org.bouncycastle.cms.CMSException)
Example 50 with PKIMessage
use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.
the class Client method scepGetCert.
public List<X509Certificate> scepGetCert(PrivateKey identityKey, X509Certificate identityCert, X500Name issuer, BigInteger serialNumber) throws ScepClientException {
ScepUtil.requireNonNull("identityKey", identityKey);
ScepUtil.requireNonNull("identityCert", identityCert);
ScepUtil.requireNonNull("issuer", issuer);
ScepUtil.requireNonNull("serialNumber", serialNumber);
initIfNotInited();
PkiMessage request = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCert);
IssuerAndSerialNumber isn = new IssuerAndSerialNumber(issuer, serialNumber);
request.setMessageData(isn);
ContentInfo envRequest = encryptThenSign(request, identityKey, identityCert);
ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, envRequest);
CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
DecodedPkiMessage response = decode(cmsSignedData, identityKey, identityCert);
if (response.getPkiStatus() != PkiStatus.SUCCESS) {
throw new ScepClientException("server returned " + response.getPkiStatus());
}
ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
try {
return ScepUtil.getCertsFromSignedData(SignedData.getInstance(messageData.getContent()));
} catch (CertificateException ex) {
throw new ScepClientException(ex.getMessage(), ex);
}
}
Also used :
IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber)
ScepClientException(org.xipki.scep.client.exception.ScepClientException)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
PkiMessage(org.xipki.scep.message.PkiMessage)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
CertificateException(java.security.cert.CertificateException)
CMSSignedData(org.bouncycastle.cms.CMSSignedData)
Aggregations
PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)31
PKIBody (org.bouncycastle.asn1.cmp.PKIBody)24
Date (java.util.Date)18
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)16
PKIHeader (org.bouncycastle.asn1.cmp.PKIHeader)16
IOException (java.io.IOException)14
ProtectedPKIMessage (org.bouncycastle.cert.cmp.ProtectedPKIMessage)13
X509Certificate (java.security.cert.X509Certificate)12
ASN1Integer (org.bouncycastle.asn1.ASN1Integer)11
DERUTF8String (org.bouncycastle.asn1.DERUTF8String)11
GeneralPKIMessage (org.bouncycastle.cert.cmp.GeneralPKIMessage)11
DEROctetString (org.bouncycastle.asn1.DEROctetString)10
InfoTypeAndValue (org.bouncycastle.asn1.cmp.InfoTypeAndValue)9
ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)9
BigInteger (java.math.BigInteger)8
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)8
X500Name (org.bouncycastle.asn1.x500.X500Name)7
Extensions (org.bouncycastle.asn1.x509.Extensions)7
InvalidKeyException (java.security.InvalidKeyException)6
CertificateException (java.security.cert.CertificateException)6
