
Example 51 with PKIMessage

use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.

the class Client method scepCertPoll.

/**
 * Sends a SCEP CertPoll request for a pending transaction and returns the decoded response.
 *
 * <p>The request carries an {@code IssuerAndSubject} built from {@code issuer} and
 * {@code subject}, is protected with {@code encryptThenSign} using the caller's identity
 * key and certificate, and is sent as a {@code PKIOperation}.
 *
 * @param identityKey private key of the requester; must not be null
 * @param identityCert certificate of the requester; must not be null
 * @param transactionId id of the transaction being polled; must not be null
 * @param issuer issuer name placed in the request; must not be null
 * @param subject subject name placed in the request
 * @return the enrolment response wrapping the decoded server reply
 * @throws ScepClientException declared by this method; the visible body does not throw it
 *     directly, so it presumably originates in the helpers it calls
 */
public EnrolmentResponse scepCertPoll(PrivateKey identityKey, X509Certificate identityCert, TransactionId transactionId, X500Name issuer, X500Name subject) throws ScepClientException {
    ScepUtil.requireNonNull("identityKey", identityKey);
    ScepUtil.requireNonNull("identityCert", identityCert);
    ScepUtil.requireNonNull("issuer", issuer);
    ScepUtil.requireNonNull("transactionId", transactionId);
    // NOTE(review): subject is the only reference argument not null-checked here —
    // presumably IssuerAndSubject validates it; confirm.
    initIfNotInited();

    PkiMessage request = new PkiMessage(transactionId, MessageType.CertPoll);
    request.setMessageData(new IssuerAndSubject(issuer, subject));

    ContentInfo protectedRequest = encryptThenSign(request, identityKey, identityCert);
    ScepHttpResponse serverReply = httpSend(Operation.PKIOperation, protectedRequest);
    CMSSignedData signedReply = parsePkiMessage(serverReply.getContentBytes());
    DecodedPkiMessage decodedReply = decode(signedReply, identityKey, identityCert);

    // Compares the reply against the request that was just sent; presumably this is the
    // nonce check that binds the reply to this request — confirm in assertSameNonce.
    // NOTE(review): whether the reply's signature validity and signer trust are enforced
    // is not visible in this method; confirm in decode / EnrolmentResponse.
    assertSameNonce(request, decodedReply);
    return new EnrolmentResponse(decodedReply);
}
Also used : DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) PkiMessage(org.xipki.scep.message.PkiMessage) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) CMSSignedData(org.bouncycastle.cms.CMSSignedData) IssuerAndSubject(org.xipki.scep.message.IssuerAndSubject)

Example 52 with PKIMessage

use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.

the class Client method enroll.

/**
 * Sends an enrolment request of the given message type carrying {@code csr} and returns
 * the decoded response.
 *
 * <p>The transaction id is computed by {@code TransactionId.sha1TransactionId} from the
 * SubjectPublicKeyInfo of the CSR. The request is protected with {@code encryptThenSign}
 * and sent as a {@code PKIOperation}.
 *
 * @param messageType SCEP message type to use for the request
 * @param csr certification request to submit
 * @param identityKey private key used to protect the request and decode the response
 * @param identityCert certificate matching {@code identityKey}
 * @return the enrolment response wrapping the decoded server reply
 * @throws ScepClientException if the transaction id cannot be derived from the CSR's
 *     public key; other causes, if any, come from the helpers this method calls
 */
private EnrolmentResponse enroll(MessageType messageType, CertificationRequest csr, PrivateKey identityKey, X509Certificate identityCert) throws ScepClientException {
    TransactionId transactionId;
    try {
        // The id is a function of the requester's public key only; NOTE(review): it is
        // presumably an identifier and not relied on as an integrity check — confirm.
        transactionId = TransactionId.sha1TransactionId(csr.getCertificationRequestInfo().getSubjectPublicKeyInfo());
    } catch (InvalidKeySpecException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }

    PkiMessage request = new PkiMessage(transactionId, messageType);
    request.setMessageData(csr);

    ContentInfo protectedRequest = encryptThenSign(request, identityKey, identityCert);
    ScepHttpResponse serverReply = httpSend(Operation.PKIOperation, protectedRequest);
    CMSSignedData signedReply = parsePkiMessage(serverReply.getContentBytes());
    DecodedPkiMessage decodedReply = decode(signedReply, identityKey, identityCert);

    // Compares the reply against the request that was just sent; presumably the nonce
    // check that binds the reply to this request — confirm in assertSameNonce.
    assertSameNonce(request, decodedReply);
    return new EnrolmentResponse(decodedReply);
}
Also used : ScepClientException(org.xipki.scep.client.exception.ScepClientException) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) PkiMessage(org.xipki.scep.message.PkiMessage) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) CMSSignedData(org.bouncycastle.cms.CMSSignedData) TransactionId(org.xipki.scep.transaction.TransactionId)

Example 53 with PKIMessage

use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.

the class DecodedNextCaMessage method decode.

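/**
 * Decodes a signed next-CA message: verifies the single signer's signature and extracts
 * the CA certificate and any RA certificates from the signed content.
 *
 * <p>Structural problems found before the signed attributes are read (wrong number of
 * signers, no unique signer certificate, missing signed attributes) are reported by
 * exception. Every later problem is reported through
 * {@link DecodedNextCaMessage#setFailureMessage} on the returned object, so callers must
 * inspect the result and not only catch the exception.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>When {@code certStore} is null or has no match, the signer certificate is taken
 *       from the certificates embedded in the message itself. A valid signature then only
 *       shows that the message is consistent with that embedded certificate. No chain or
 *       trust-anchor validation is performed in this method, so the certificate exposed
 *       via {@code setSignatureCert} must be validated by the caller before the returned
 *       authority certificates are trusted.</li>
 *   <li>The signing time is copied from the signed attributes without a freshness check,
 *       and the digest algorithm is recorded without any strength policy being applied
 *       here.</li>
 * </ul>
 *
 * @param pkiMessage the CMS SignedData to decode; must not be null
 * @param certStore optional store searched first for the signer certificate; may be null
 * @return the decoded message; it carries a failure message or an invalid-signature flag
 *     when decoding did not succeed
 * @throws MessageDecodingException if there is not exactly one signerInfo, no unique
 *     signer certificate can be found, or the signed attributes are missing
 */
@SuppressWarnings("unchecked")
public static DecodedNextCaMessage decode(CMSSignedData pkiMessage, CollectionStore<X509CertificateHolder> certStore) throws MessageDecodingException {
    ScepUtil.requireNonNull("pkiMessage", pkiMessage);
    SignerInformationStore signerStore = pkiMessage.getSignerInfos();
    Collection<SignerInformation> signerInfos = signerStore.getSigners();
    if (signerInfos.size() != 1) {
        throw new MessageDecodingException("number of signerInfos is not 1, but " + signerInfos.size());
    }
    SignerInformation signerInfo = signerInfos.iterator().next();
    SignerId sid = signerInfo.getSID();
    // Prefer a certificate from the caller-supplied store; fall back to the certificates
    // embedded in the message only when the store yields nothing.
    Collection<?> signedDataCerts = null;
    if (certStore != null) {
        signedDataCerts = certStore.getMatches(sid);
    }
    if (signedDataCerts == null || signedDataCerts.isEmpty()) {
        signedDataCerts = pkiMessage.getCertificates().getMatches(sid);
    }
    if (signedDataCerts == null || signedDataCerts.size() != 1) {
        throw new MessageDecodingException("could not find embedded certificate to verify the signature");
    }
    AttributeTable signedAttrs = signerInfo.getSignedAttributes();
    if (signedAttrs == null) {
        throw new MessageDecodingException("missing signed attributes");
    }
    Date signingTime = null;
    // signingTime
    ASN1Encodable attrValue = ScepUtil.getFirstAttrValue(signedAttrs, CMSAttributes.signingTime);
    if (attrValue != null) {
        signingTime = Time.getInstance(attrValue).getDate();
    }
    DecodedNextCaMessage ret = new DecodedNextCaMessage();
    if (signingTime != null) {
        ret.setSigningTime(signingTime);
    }
    ASN1ObjectIdentifier digestAlgOid = signerInfo.getDigestAlgorithmID().getAlgorithm();
    ret.setDigestAlgorithm(digestAlgOid);
    String sigAlgOid = signerInfo.getEncryptionAlgOID();
    // For anything other than plain rsaEncryption the signature algorithm names its own
    // digest; it must agree with the digestAlgorithm field of the signerInfo.
    if (!PKCSObjectIdentifiers.rsaEncryption.getId().equals(sigAlgOid)) {
        ASN1ObjectIdentifier tmpDigestAlgOid;
        try {
            tmpDigestAlgOid = ScepUtil.extractDigesetAlgorithmIdentifier(sigAlgOid, signerInfo.getEncryptionAlgParams());
        } catch (Exception ex) {
            final String msg = "could not extract digest algorithm from signerInfo.signatureAlgorithm: " + ex.getMessage();
            LOG.error(msg);
            LOG.debug(msg, ex);
            ret.setFailureMessage(msg);
            return ret;
        }
        if (!digestAlgOid.equals(tmpDigestAlgOid)) {
            ret.setFailureMessage("digestAlgorithm and encryptionAlgorithm do not use" + " the same digestAlgorithm");
            return ret;
        }
    }
    // end if
    X509CertificateHolder tmpSignerCert = (X509CertificateHolder) signedDataCerts.iterator().next();
    X509Certificate signerCert;
    try {
        signerCert = ScepUtil.toX509Cert(tmpSignerCert.toASN1Structure());
    } catch (CertificateException ex) {
        final String msg = "could not construct X509CertificateObject: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    ret.setSignatureCert(signerCert);
    // validate the signature
    // NOTE(review): this verifies the signature against signerCert's public key only;
    // signerCert itself is not checked against any trust anchor in this method.
    SignerInformationVerifier verifier;
    try {
        verifier = new JcaSimpleSignerInfoVerifierBuilder().build(signerCert.getPublicKey());
    } catch (OperatorCreationException ex) {
        final String msg = "could not build signature verifier: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    boolean signatureValid;
    try {
        signatureValid = signerInfo.verify(verifier);
    } catch (CMSException ex) {
        final String msg = "could not verify the signature: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    ret.setSignatureValid(signatureValid);
    if (!signatureValid) {
        // Do not parse content that failed signature verification.
        return ret;
    }
    // MessageData
    CMSTypedData signedContent = pkiMessage.getSignedContent();
    if (signedContent == null) {
        // A SignedData without encapsulated content would otherwise end in a
        // NullPointerException instead of a reported decoding failure.
        final String msg = "signed content is absent from the message";
        LOG.error(msg);
        ret.setFailureMessage(msg);
        return ret;
    }
    ASN1ObjectIdentifier signedContentType = signedContent.getContentType();
    if (!CMSObjectIdentifiers.signedData.equals(signedContentType)) {
        // fall back: some SCEP clients use id-data
        if (!CMSObjectIdentifiers.data.equals(signedContentType)) {
            ret.setFailureMessage("either id-signedData or id-data is expected, but not '" + signedContentType.getId() + "'");
            return ret;
        }
    }
    SignedData signedData;
    try {
        ContentInfo contentInfo = ContentInfo.getInstance((byte[]) signedContent.getContent());
        signedData = SignedData.getInstance(contentInfo.getContent());
    } catch (IllegalArgumentException ex) {
        // The ASN.1 getInstance factories reject malformed encodings with an unchecked
        // exception; report it like every other decoding failure in this method.
        final String msg = "could not parse the signed content as SignedData: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    if (signedData == null) {
        final String msg = "signed content does not contain a SignedData";
        LOG.error(msg);
        ret.setFailureMessage(msg);
        return ret;
    }
    List<X509Certificate> certs;
    try {
        certs = ScepUtil.getCertsFromSignedData(signedData);
    } catch (CertificateException ex) {
        final String msg = "could not extract Certificates from the message: " + ex.getMessage();
        LOG.error(msg);
        LOG.debug(msg, ex);
        ret.setFailureMessage(msg);
        return ret;
    }
    // Exactly one certificate with a basicConstraints CA flag is accepted as the CA
    // certificate; every other certificate is treated as an RA certificate.
    X509Certificate caCert = null;
    List<X509Certificate> raCerts = new LinkedList<X509Certificate>();
    for (X509Certificate cert : certs) {
        // getBasicConstraints() returns -1 for a certificate that is not a CA.
        if (cert.getBasicConstraints() > -1) {
            if (caCert != null) {
                final String msg = "multiple CA certificates is returned, but exactly 1 is expected";
                LOG.error(msg);
                ret.setFailureMessage(msg);
                return ret;
            }
            caCert = cert;
        } else {
            raCerts.add(cert);
        }
    }
    if (caCert == null) {
        final String msg = "no CA certificate is returned";
        LOG.error(msg);
        ret.setFailureMessage(msg);
        return ret;
    }
    X509Certificate[] locaRaCerts = raCerts.isEmpty() ? null : raCerts.toArray(new X509Certificate[0]);
    AuthorityCertStore authorityCertStore = AuthorityCertStore.getInstance(caCert, locaRaCerts);
    ret.setAuthorityCertStore(authorityCertStore);
    return ret;
}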
Also used : AttributeTable(org.bouncycastle.asn1.cms.AttributeTable) SignerInformation(org.bouncycastle.cms.SignerInformation) CertificateException(java.security.cert.CertificateException) SignerInformationStore(org.bouncycastle.cms.SignerInformationStore) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) SignerInformationVerifier(org.bouncycastle.cms.SignerInformationVerifier) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) CMSTypedData(org.bouncycastle.cms.CMSTypedData) SignedData(org.bouncycastle.asn1.cms.SignedData) CMSSignedData(org.bouncycastle.cms.CMSSignedData) JcaSimpleSignerInfoVerifierBuilder(org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder) Date(java.util.Date) CMSException(org.bouncycastle.cms.CMSException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) CertificateException(java.security.cert.CertificateException) X509Certificate(java.security.cert.X509Certificate) LinkedList(java.util.LinkedList) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) SignerId(org.bouncycastle.cms.SignerId) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) CMSException(org.bouncycastle.cms.CMSException)

Example 54 with PKIMessage

use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.

the class CaClientImpl method envelopeRevocation.

// method verify
/**
 * Builds a revocation request for one certificate and returns the encoded PKIMessage
 * produced by the requestor of the CA that matches {@code issuer}.
 *
 * @param issuer issuer of the certificate to revoke; must not be null
 * @param serial serial number of the certificate to revoke
 * @param reason revocation reason code passed through to the request entry
 * @return the encoded PKIMessage
 * @throws CaClientException if the requestor fails or the message cannot be encoded;
 *     the original exception is kept as the cause
 */
@Override
public byte[] envelopeRevocation(X500Name issuer, BigInteger serial, int reason) throws CaClientException {
    ParamUtil.requireNonNull("issuer", issuer);
    init0(false);

    // A single-entry request; the entry id is a fixed label.
    RevokeCertRequestEntry revocationEntry = new RevokeCertRequestEntry("cert-1", issuer, serial, reason, null);
    RevokeCertRequest revocationRequest = new RevokeCertRequest();
    revocationRequest.addRequestEntry(revocationEntry);

    // NOTE(review): the map lookup result is dereferenced without a null check —
    // presumably getCaNameByIssuer only returns names present in casMap; confirm.
    String resolvedCaName = getCaNameByIssuer(issuer);
    X509CmpRequestor requestor = casMap.get(resolvedCaName).getRequestor();
    try {
        return requestor.envelopeRevocation(revocationRequest).getEncoded();
    } catch (CmpRequestorException | IOException ex) {
        throw new CaClientException(ex.getMessage(), ex);
    }
}
Also used : PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) RevokeCertRequestEntry(org.xipki.ca.client.api.dto.RevokeCertRequestEntry) IOException(java.io.IOException) RevokeCertRequest(org.xipki.ca.client.api.dto.RevokeCertRequest) CaClientException(org.xipki.ca.client.api.CaClientException)

Example 55 with PKIMessage

use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.

the class CaClientImpl method envelope.

/**
 * Has the requestor of the selected CA envelope a certificate request and returns the
 * encoded PKIMessage.
 *
 * <p>When {@code caName} is null the CA is looked up from the certificate profile;
 * otherwise the given CA is checked for support of the profile. Both names are
 * lower-cased before use.
 *
 * @param certRequest the certificate request; must not be null
 * @param pop proof of possession for the request; must not be null
 * @param profileName certificate profile name; must not be null
 * @param caName name of the CA to use, or null to detect it from the profile
 * @return the encoded PKIMessage
 * @throws CaClientException if no CA supports the profile, the CA is unknown, the
 *     requestor fails, or the message cannot be encoded
 */
@Override
public byte[] envelope(CertRequest certRequest, ProofOfPossession pop, String profileName, String caName) throws CaClientException {
    ParamUtil.requireNonNull("certRequest", certRequest);
    ParamUtil.requireNonNull("pop", pop);
    // NOTE(review): toLowerCase() uses the default locale; confirm that the keys of
    // casMap and the profile names are normalised the same way.
    profileName = ParamUtil.requireNonNull("profileName", profileName).toLowerCase();
    init0(false);

    if (caName != null) {
        caName = caName.toLowerCase();
        checkCertprofileSupportInCa(profileName, caName);
    } else {
        // detect the CA name
        caName = getCaNameForProfile(profileName);
        if (caName == null) {
            throw new CaClientException("certprofile " + profileName + " is not supported by any CA");
        }
    }

    CaConf selectedCa = casMap.get(caName);
    if (selectedCa == null) {
        throw new CaClientException("could not find CA named " + caName);
    }

    // Each failure keeps its own message prefix so callers can tell the stages apart.
    try {
        return selectedCa.getRequestor().envelope(certRequest, pop, profileName).getEncoded();
    } catch (CmpRequestorException ex) {
        throw new CaClientException("CmpRequestorException: " + ex.getMessage(), ex);
    } catch (IOException ex) {
        throw new CaClientException("IOException: " + ex.getMessage(), ex);
    }
}
Also used : PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) IOException(java.io.IOException) CaClientException(org.xipki.ca.client.api.CaClientException)
