Examples with PKIMessage - org.bouncycastle.asn1.cmp.PKIMessage

Example 16 with PKIMessage

use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.

the class ScepImpl method encodeResponse.

// method getCrl
private ContentInfo encodeResponse(PkiMessage response, DecodedPkiMessage request) throws OperationException {
    ParamUtil.requireNonNull("response", response);
    ParamUtil.requireNonNull("request", request);
    String signatureAlgorithm = getSignatureAlgorithm(responderKey, request.getDigestAlgorithm());
    ContentInfo ci;
    try {
        X509Certificate[] cmsCertSet = control.isIncludeSignerCert() ? new X509Certificate[] { responderCert } : null;
        ci = response.encode(responderKey, signatureAlgorithm, responderCert, cmsCertSet, request.getSignatureCert(), request.getContentEncryptionAlgorithm());
    } catch (MessageEncodingException ex) {
        LogUtil.error(LOG, ex, "could not encode response");
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
    return ci;
}

Also used : ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) MessageEncodingException(org.xipki.scep.exception.MessageEncodingException) X509Certificate(java.security.cert.X509Certificate) OperationException(org.xipki.ca.api.OperationException)

Example 17 with PKIMessage

use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.

the class CmpRequestor method signAndSend.

protected PkiResponse signAndSend(PKIMessage request, RequestResponseDebug debug) throws CmpRequestorException {
    ParamUtil.requireNonNull("request", request);
    PKIMessage tmpRequest = (signRequest) ? sign(request) : request;
    byte[] encodedRequest;
    try {
        encodedRequest = tmpRequest.getEncoded();
    } catch (IOException ex) {
        LOG.error("could not encode the PKI request {}", tmpRequest);
        throw new CmpRequestorException(ex.getMessage(), ex);
    }
    RequestResponsePair reqResp = null;
    if (debug != null) {
        reqResp = new RequestResponsePair();
        debug.add(reqResp);
        if (debug.saveRequest()) {
            reqResp.setRequest(encodedRequest);
        }
    }
    byte[] encodedResponse;
    try {
        encodedResponse = send(encodedRequest);
    } catch (IOException ex) {
        LOG.error("could not send the PKI request {} to server", tmpRequest);
        throw new CmpRequestorException("TRANSPORT_ERROR", ex);
    }
    if (reqResp != null && debug.saveResponse()) {
        reqResp.setResponse(encodedResponse);
    }
    GeneralPKIMessage response;
    try {
        response = new GeneralPKIMessage(encodedResponse);
    } catch (IOException ex) {
        LOG.error("could not decode the received PKI message: {}", Hex.encode(encodedResponse));
        throw new CmpRequestorException(ex.getMessage(), ex);
    }
    PKIHeader reqHeader = request.getHeader();
    PKIHeader respHeader = response.getHeader();
    ASN1OctetString tid = reqHeader.getTransactionID();
    ASN1OctetString respTid = respHeader.getTransactionID();
    if (!tid.equals(respTid)) {
        LOG.warn("Response contains different tid ({}) than requested {}", respTid, tid);
        throw new CmpRequestorException("Response contains differnt tid than the request");
    }
    ASN1OctetString senderNonce = reqHeader.getSenderNonce();
    ASN1OctetString respRecipientNonce = respHeader.getRecipNonce();
    if (!senderNonce.equals(respRecipientNonce)) {
        LOG.warn("tid {}: response.recipientNonce ({}) != request.senderNonce ({})", tid, respRecipientNonce, senderNonce);
        throw new CmpRequestorException("Response contains differnt tid than the request");
    }
    GeneralName rec = respHeader.getRecipient();
    if (!sender.equals(rec)) {
        LOG.warn("tid={}: unknown CMP requestor '{}'", tid, rec);
    }
    PkiResponse ret = new PkiResponse(response);
    if (response.hasProtection()) {
        try {
            ProtectionVerificationResult verifyProtection = verifyProtection(Hex.encode(tid.getOctets()), response);
            ret.setProtectionVerificationResult(verifyProtection);
        } catch (InvalidKeyException | OperatorCreationException | CMPException ex) {
            throw new CmpRequestorException(ex.getMessage(), ex);
        }
    } else if (signRequest) {
        PKIBody respBody = response.getBody();
        int bodyType = respBody.getType();
        if (bodyType != PKIBody.TYPE_ERROR) {
            throw new CmpRequestorException("response is not signed");
        }
    }
    return ret;
}

Also used : ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) RequestResponsePair(org.xipki.common.RequestResponsePair) PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) PkiResponse(org.xipki.cmp.PkiResponse) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) ProtectionVerificationResult(org.xipki.cmp.ProtectionVerificationResult) IOException(java.io.IOException) InvalidKeyException(java.security.InvalidKeyException) GeneralPKIMessage(org.bouncycastle.cert.cmp.GeneralPKIMessage) CMPException(org.bouncycastle.cert.cmp.CMPException) GeneralName(org.bouncycastle.asn1.x509.GeneralName) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Example 18 with PKIMessage

use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.

the class CmpRequestor method verifyProtection.

private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException, OperatorCreationException {
    ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
    if (protectedMsg.hasPasswordBasedMacProtection()) {
        LOG.warn("NOT_SIGNAUTRE_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
        return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED);
    }
    PKIHeader header = protectedMsg.getHeader();
    if (recipientName != null) {
        boolean authorizedResponder = true;
        if (header.getSender().getTagNo() != GeneralName.directoryName) {
            authorizedResponder = false;
        } else {
            X500Name msgSender = X500Name.getInstance(header.getSender().getName());
            authorizedResponder = recipientName.equals(msgSender);
        }
        if (!authorizedResponder) {
            LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender());
            return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
        }
    }
    AlgorithmIdentifier protectionAlgo = protectedMsg.getHeader().getProtectionAlg();
    if (!responder.getSigAlgoValidator().isAlgorithmPermitted(protectionAlgo)) {
        String algoName;
        try {
            algoName = AlgorithmUtil.getSignatureAlgoName(protectionAlgo);
        } catch (NoSuchAlgorithmException ex) {
            algoName = protectionAlgo.getAlgorithm().getId();
        }
        LOG.warn("tid={}: response protected by untrusted protection algorithm '{}'", tid, algoName);
        return new ProtectionVerificationResult(null, ProtectionResult.INVALID);
    }
    X509Certificate cert = responder.getCert();
    ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(cert);
    if (verifierProvider == null) {
        LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender());
        return new ProtectionVerificationResult(cert, ProtectionResult.SENDER_NOT_AUTHORIZED);
    }
    boolean signatureValid = protectedMsg.verify(verifierProvider);
    ProtectionResult protRes = signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID;
    return new ProtectionVerificationResult(cert, protRes);
}

Also used : PKIHeader(org.bouncycastle.asn1.cmp.PKIHeader) ProtectionResult(org.xipki.cmp.ProtectionResult) ProtectedPKIMessage(org.bouncycastle.cert.cmp.ProtectedPKIMessage) ProtectionVerificationResult(org.xipki.cmp.ProtectionVerificationResult) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DEROctetString(org.bouncycastle.asn1.DEROctetString) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) X509Certificate(java.security.cert.X509Certificate) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)

Example 19 with PKIMessage

use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.

the class X509CmpRequestor method requestCertificate.

// method parse
public EnrollCertResultResp requestCertificate(CsrEnrollCertRequest csr, Date notBefore, Date notAfter, RequestResponseDebug debug) throws CmpRequestorException, PkiErrorException {
    ParamUtil.requireNonNull("csr", csr);
    PKIMessage request = buildPkiMessage(csr, notBefore, notAfter);
    Map<BigInteger, String> reqIdIdMap = new HashMap<>();
    reqIdIdMap.put(MINUS_ONE, csr.getId());
    return requestCertificate0(request, reqIdIdMap, PKIBody.TYPE_CERT_REP, debug);
}

Also used : PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) HashMap(java.util.HashMap) BigInteger(java.math.BigInteger) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 20 with PKIMessage

use of org.bouncycastle.asn1.cmp.PKIMessage in project xipki by xipki.

the class X509CmpRequestor method requestCertificate.

public EnrollCertResultResp requestCertificate(EnrollCertRequest req, RequestResponseDebug debug) throws CmpRequestorException, PkiErrorException {
    ParamUtil.requireNonNull("req", req);
    PKIMessage request = buildPkiMessage(req);
    Map<BigInteger, String> reqIdIdMap = new HashMap<>();
    List<EnrollCertRequestEntry> reqEntries = req.getRequestEntries();
    for (EnrollCertRequestEntry reqEntry : reqEntries) {
        reqIdIdMap.put(reqEntry.getCertReq().getCertReqId().getValue(), reqEntry.getId());
    }
    int exptectedBodyType;
    switch(req.getType()) {
        case CERT_REQ:
            exptectedBodyType = PKIBody.TYPE_CERT_REP;
            break;
        case KEY_UPDATE:
            exptectedBodyType = PKIBody.TYPE_KEY_UPDATE_REP;
            break;
        default:
            exptectedBodyType = PKIBody.TYPE_CROSS_CERT_REP;
    }
    return requestCertificate0(request, reqIdIdMap, exptectedBodyType, debug);
}

Also used : PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) HashMap(java.util.HashMap) EnrollCertRequestEntry(org.xipki.ca.client.api.dto.EnrollCertRequestEntry) BigInteger(java.math.BigInteger) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Aggregations

PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)31 PKIBody (org.bouncycastle.asn1.cmp.PKIBody)24 Date (java.util.Date)18 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)16 PKIHeader (org.bouncycastle.asn1.cmp.PKIHeader)16 IOException (java.io.IOException)14 ProtectedPKIMessage (org.bouncycastle.cert.cmp.ProtectedPKIMessage)13 X509Certificate (java.security.cert.X509Certificate)12 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)11 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)11 GeneralPKIMessage (org.bouncycastle.cert.cmp.GeneralPKIMessage)11 DEROctetString (org.bouncycastle.asn1.DEROctetString)10 InfoTypeAndValue (org.bouncycastle.asn1.cmp.InfoTypeAndValue)9 ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)9 BigInteger (java.math.BigInteger)8 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)8 X500Name (org.bouncycastle.asn1.x500.X500Name)7 Extensions (org.bouncycastle.asn1.x509.Extensions)7 InvalidKeyException (java.security.InvalidKeyException)6 CertificateException (java.security.cert.CertificateException)6