
Example 1 with PKIStatus

use of org.bouncycastle.asn1.cmp.PKIStatus in project xipki by xipki.

Class CmpCaClient, method parseEnrollCertResult.

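/**
 * Extracts the enrolled certificate from a CMP enrollment response.
 *
 * <p>Only a {@code certRep} body carrying exactly one {@code CertResponse} with status
 * {@code granted} or {@code grantedWithMods} is accepted; an {@code error} body is
 * reported as an exception carrying the server's status text. The returned certificate
 * is accepted only if it verifies against {@code caCert}.
 *
 * @param response the CMP response message
 * @return the issued certificate
 * @throws Exception if the body type is unexpected, the status is not granted, no X.509
 *     certificate is contained in the response, or the certificate is not issued by the
 *     configured CA
 */
private X509Certificate parseEnrollCertResult(PKIMessage response) throws Exception {
    PKIBody respBody = response.getBody();
    final int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new Exception("Server returned PKIStatus: " + buildText(content.getPKIStatusInfo()));
    } else if (PKIBody.TYPE_CERT_REP != bodyType) {
        throw new Exception(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_CERT_REP, PKIBody.TYPE_ERROR));
    }
    CertRepMessage certRep = CertRepMessage.getInstance(respBody.getContent());
    CertResponse[] certResponses = certRep.getResponse();
    int responseCount = (certResponses == null) ? 0 : certResponses.length;
    // One certificate was requested, so anything but a single response is a protocol violation.
    if (responseCount != 1) {
        throw new Exception("expected 1 CertResponse, but returned " + responseCount);
    }
    // We only accept the certificates which are requested.
    CertResponse certResp = certResponses[0];
    PKIStatusInfo statusInfo = certResp.getStatus();
    int status = statusInfo.getStatus().intValue();
    if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) {
        throw new Exception("Server returned PKIStatus: " + buildText(statusInfo));
    }
    CertifiedKeyPair cvk = certResp.getCertifiedKeyPair();
    if (cvk != null) {
        // getCertificate() may be null when the server chose another CertOrEncCert
        // alternative; only the plain X.509 choice of CMPCertificate can be parsed here,
        // for the "other" choice getX509v3PKCert() would yield null.
        CMPCertificate cmpCert = cvk.getCertOrEncCert().getCertificate();
        if (cmpCert != null) {
            if (!cmpCert.isX509v3PKCert()) {
                throw new Exception("Server returned a certificate that is not an X.509 certificate");
            }
            X509Certificate cert = SdkUtil.parseCert(cmpCert.getX509v3PKCert().getEncoded());
            // Never hand back a certificate that does not chain to the CA we enrolled with.
            if (!verify(caCert, cert)) {
                throw new Exception("The returned certificate is not issued by the given CA");
            }
            return cert;
        }
    }
    throw new Exception("Server did not return any certificate");
}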

Example 2 with PKIStatus

use of org.bouncycastle.asn1.cmp.PKIStatus in project xipki by xipki.

Class CmpCaClient, method extractGeneralRepContent.

/**
 * Returns the value of the {@code InfoTypeAndValue} entry with the given OID from a
 * CMP general response ({@code genRep}).
 *
 * <p>An {@code error} body is reported as an exception carrying the server's status
 * text; any other body type than {@code genRep} is rejected as well.
 *
 * @param response the CMP response message
 * @param expectedType dotted OID of the InfoTypeAndValue entry to extract
 * @return the info value of the first matching entry
 * @throws Exception if the body type is unexpected or no entry with the OID is present
 */
private ASN1Encodable extractGeneralRepContent(PKIMessage response, String expectedType) throws Exception {
    PKIBody body = response.getBody();
    int type = body.getType();
    if (type == PKIBody.TYPE_ERROR) {
        ErrorMsgContent errorContent = ErrorMsgContent.getInstance(body.getContent());
        throw new Exception("Server returned PKIStatus: " + buildText(errorContent.getPKIStatusInfo()));
    }
    if (type != PKIBody.TYPE_GEN_REP) {
        throw new Exception(String.format("unknown PKI body type %s instead the expected [%s, %s]", type, PKIBody.TYPE_GEN_REP, PKIBody.TYPE_ERROR));
    }
    GenRepContent genRep = GenRepContent.getInstance(body.getContent());
    InfoTypeAndValue[] entries = genRep.toInfoTypeAndValueArray();
    // first entry whose infoType OID equals expectedType wins
    InfoTypeAndValue match = null;
    if (entries != null) {
        for (int idx = 0; idx < entries.length && match == null; idx++) {
            if (expectedType.equals(entries[idx].getInfoType().getId())) {
                match = entries[idx];
            }
        }
    }
    if (match == null) {
        throw new Exception("the response does not contain InfoTypeAndValue " + expectedType);
    }
    return match.getInfoValue();
}

Example 3 with PKIStatus

use of org.bouncycastle.asn1.cmp.PKIStatus in project xipki by xipki.

Class CmpCaClient, method parseRevocationResult.

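/**
 * Parses a CMP revocation response for the certificate with the given serial number.
 *
 * <p>An {@code error} body is reported as an exception carrying the server's status
 * text (rendered with {@code buildText}, like the other response parsers). A
 * {@code rp} body must contain exactly one status entry.
 *
 * @param response the CMP response message
 * @param serialNumber serial number of the certificate whose revocation was requested
 * @return {@code true} if the server granted the revocation and, when it echoed a
 *     revoked CertId, that CertId names this CA and the given serial number;
 *     {@code false} if the server reported a non-granted status or a different certificate
 * @throws Exception if the body type is unexpected or the number of status entries is not 1
 */
private boolean parseRevocationResult(PKIMessage response, BigInteger serialNumber) throws Exception {
    PKIBody respBody = response.getBody();
    final int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new Exception("Server returned PKIStatus: " + buildText(content.getPKIStatusInfo()));
    } else if (PKIBody.TYPE_REVOCATION_REP != bodyType) {
        throw new Exception(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_REVOCATION_REP, PKIBody.TYPE_ERROR));
    }
    RevRepContent content = RevRepContent.getInstance(respBody.getContent());
    PKIStatusInfo[] statuses = content.getStatus();
    int statusesLen = (statuses == null) ? 0 : statuses.length;
    // one certificate was requested, so exactly one status entry is expected
    if (statusesLen != 1) {
        throw new Exception(String.format("incorrect number of status entries in response '%s' instead the expected '1'", statusesLen));
    }
    PKIStatusInfo statusInfo = statuses[0];
    int status = statusInfo.getStatus().intValue();
    if (status != PKIStatus.GRANTED && status != PKIStatus.GRANTED_WITH_MODS) {
        LOG.warn("Server returned error: " + buildText(statusInfo));
        return false;
    }
    CertId[] revCerts = content.getRevCerts();
    // revCerts is optional; an absent or empty list leaves only the granted status to go by
    if (revCerts == null || revCerts.length == 0) {
        return true;
    }
    // when the server echoes the revoked certificate, it must be the one we asked for
    CertId revCert = revCerts[0];
    return caSubject.equals(revCert.getIssuer().getName()) && serialNumber.equals(revCert.getSerialNumber().getValue());
}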

Example 4 with PKIStatus

use of org.bouncycastle.asn1.cmp.PKIStatus in project xipki by xipki.

Class X509CaCmpResponderImpl, method processCertReqMessages.

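/**
 * Builds the {@code CertRepMessage} answering a batch of certificate request messages.
 *
 * <p>Each request is first validated on its own: proof of possession must be present and
 * verify, the regInfo must name a certificate profile, and the requestor must be permitted
 * to use that profile. A failing request gets an error {@code CertResponse} at its index.
 * In group-enroll mode the batch is all-or-nothing: pre-processing stops at the first
 * failure and every other request is answered with a rejection naming the failing
 * certReqId. Otherwise the valid templates are issued together via
 * {@code generateCertificates} and merged back into request order.
 *
 * @param request the complete CMP request message
 * @param requestor the authenticated requestor
 * @param tid transaction id of the request
 * @param reqHeader header of the request (not read by this method)
 * @param kur the certificate request messages to process
 * @param keyUpdate forwarded to {@code generateCertificates}; distinguishes key update
 *     from initial enrollment
 * @param cmpControl CMP control settings of the CA (group enroll, send CA cert)
 * @param msgId message id, forwarded for auditing
 * @param event audit event to record into
 * @return the response; the CA certificate is attached only if at least one certificate
 *     was enrolled and {@code cmpControl.isSendCaCert()} is set
 */
private CertRepMessage processCertReqMessages(PKIMessage request, CmpRequestorInfo requestor, ASN1OctetString tid, PKIHeader reqHeader, CertReqMessages kur, boolean keyUpdate, CmpControl cmpControl, String msgId, AuditEvent event) {
    CertReqMsg[] certReqMsgs = kur.toCertReqMsgArray();
    final int n = certReqMsgs.length;
    // all maps are keyed by request index; capacity accounts for the default load factor
    Map<Integer, CertTemplateData> certTemplateDatas = new HashMap<>(n * 10 / 6);
    Map<Integer, CertResponse> certResponses = new HashMap<>(n * 10 / 6);
    Map<Integer, ASN1Integer> certReqIds = new HashMap<>(n * 10 / 6);
    // pre-process requests
    for (int i = 0; i < n; i++) {
        if (cmpControl.isGroupEnroll() && certTemplateDatas.size() != i) {
            // group enroll is all-or-nothing: an earlier certReqMsg already failed,
            // so the remaining ones are not validated
            break;
        }
        CertReqMsg reqMsg = certReqMsgs[i];
        CertificateRequestMessage req = new CertificateRequestMessage(reqMsg);
        ASN1Integer certReqId = reqMsg.getCertReq().getCertReqId();
        // recorded before any validation so every index has a certReqId for error responses
        certReqIds.put(i, certReqId);
        if (!req.hasProofOfPossession()) {
            certResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "no POP", null));
            continue;
        }
        if (!verifyPopo(req, requestor.isRa())) {
            LOG.warn("could not validate POP for request {}", certReqId.getValue());
            certResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "invalid POP", null));
            continue;
        }
        CmpUtf8Pairs keyvalues = CmpUtil.extract(reqMsg.getRegInfo());
        String certprofileName = (keyvalues == null) ? null : keyvalues.value(CmpUtf8Pairs.KEY_CERTPROFILE);
        if (certprofileName == null) {
            String msg = "no certificate profile";
            certResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate, msg));
            continue;
        }
        // Locale-independent folding: the default-locale toLowerCase() maps 'I' differently
        // under e.g. Turkish locales, which would make the permission check below depend
        // on the server's locale. NOTE(review): assumes permitted profile names are
        // registered in lower case - confirm against CmpRequestorInfo.
        certprofileName = certprofileName.toLowerCase(java.util.Locale.ROOT);
        if (!requestor.isCertProfilePermitted(certprofileName)) {
            String msg = "certprofile " + certprofileName + " is not allowed";
            certResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.notAuthorized, msg));
            continue;
        }
        CertTemplate certTemp = req.getCertTemplate();
        OptionalValidity validity = certTemp.getValidity();
        // both bounds are optional in the template; null leaves the choice to the profile
        Date notBefore = null;
        Date notAfter = null;
        if (validity != null) {
            Time time = validity.getNotBefore();
            if (time != null) {
                notBefore = time.getDate();
            }
            time = validity.getNotAfter();
            if (time != null) {
                notAfter = time.getDate();
            }
        }
        CertTemplateData certTempData = new CertTemplateData(certTemp.getSubject(), certTemp.getPublicKey(), notBefore, notAfter, certTemp.getExtensions(), certprofileName);
        certTemplateDatas.put(i, certTempData);
    }
    if (certResponses.size() == n) {
        // all error
        CertResponse[] certResps = new CertResponse[n];
        for (int i = 0; i < n; i++) {
            certResps[i] = certResponses.get(i);
        }
        return new CertRepMessage(null, certResps);
    }
    if (cmpControl.isGroupEnroll() && certTemplateDatas.size() != n) {
        // at least one certRequest cannot be used to enroll certificate;
        // pre-processing stopped right after it, so its index equals the number of
        // templates collected so far and its error response is already recorded
        int lastFailureIndex = certTemplateDatas.size();
        BigInteger failCertReqId = certReqIds.get(lastFailureIndex).getPositiveValue();
        CertResponse failCertResp = certResponses.get(lastFailureIndex);
        PKIStatus failStatus = PKIStatus.getInstance(new ASN1Integer(failCertResp.getStatus().getStatus()));
        PKIFailureInfo failureInfo = new PKIFailureInfo(failCertResp.getStatus().getFailInfo());
        CertResponse[] certResps = new CertResponse[n];
        for (int i = 0; i < n; i++) {
            if (i == lastFailureIndex) {
                certResps[i] = failCertResp;
                continue;
            }
            // every other request is rejected with the same status, pointing at the culprit
            ASN1Integer certReqId = certReqIds.get(i);
            String msg = "error in certReq " + failCertReqId;
            PKIStatusInfo tmpStatus = generateRejectionStatus(failStatus, failureInfo.intValue(), msg);
            certResps[i] = new CertResponse(certReqId, tmpStatus);
        }
        return new CertRepMessage(null, certResps);
    }
    // compact the valid templates into lists, remembering request index -> list index
    final int k = certTemplateDatas.size();
    List<CertTemplateData> certTemplateList = new ArrayList<>(k);
    List<ASN1Integer> certReqIdList = new ArrayList<>(k);
    Map<Integer, Integer> reqIndexToCertIndexMap = new HashMap<>(k * 10 / 6);
    for (int i = 0; i < n; i++) {
        if (!certTemplateDatas.containsKey(i)) {
            continue;
        }
        certTemplateList.add(certTemplateDatas.get(i));
        certReqIdList.add(certReqIds.get(i));
        reqIndexToCertIndexMap.put(i, certTemplateList.size() - 1);
    }
    List<CertResponse> generateCertResponses = generateCertificates(certTemplateList, certReqIdList, requestor, tid, keyUpdate, request, cmpControl, msgId, event);
    // merge pre-processing errors and issued responses back into request order
    boolean anyCertEnrolled = false;
    CertResponse[] certResps = new CertResponse[n];
    for (int i = 0; i < n; i++) {
        if (certResponses.containsKey(i)) {
            certResps[i] = certResponses.get(i);
        } else {
            int respIndex = reqIndexToCertIndexMap.get(i);
            certResps[i] = generateCertResponses.get(respIndex);
            if (!anyCertEnrolled && certResps[i].getCertifiedKeyPair() != null) {
                anyCertEnrolled = true;
            }
        }
    }
    // the CA certificate is only worth sending along with at least one issued certificate
    CMPCertificate[] caPubs = null;
    if (anyCertEnrolled && cmpControl.isSendCaCert()) {
        caPubs = new CMPCertificate[] { getCa().getCaInfo().getCertInCmpFormat() };
    }
    return new CertRepMessage(caPubs, certResps);
}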

Example 5 with PKIStatus

use of org.bouncycastle.asn1.cmp.PKIStatus in project xipki by xipki.

Class X509CaCmpResponderImpl, method buildErrorMsgPkiBody.

/**
 * Wraps a status, failure info and optional free-text message into a CMP {@code error}
 * body.
 *
 * @param pkiStatus the PKI status to report
 * @param failureInfo bit value for the {@code PKIFailureInfo} of the status
 * @param statusMessage human-readable status text, or {@code null} for none
 * @return a {@code PKIBody} of type {@code TYPE_ERROR} carrying the status info
 */
private static PKIBody buildErrorMsgPkiBody(PKIStatus pkiStatus, int failureInfo, String statusMessage) {
    PKIFreeText freeText = null;
    if (statusMessage != null) {
        freeText = new PKIFreeText(statusMessage);
    }
    PKIStatusInfo statusInfo = new PKIStatusInfo(pkiStatus, freeText, new PKIFailureInfo(failureInfo));
    return new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(statusInfo));
}
