Search in sources :

Example 96 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class HttpCmpServlet method service.

@Override
public FullHttpResponse service(FullHttpRequest request, ServletURI servletUri, SSLSession sslSession, SslReverseProxyMode sslReverseProxyMode) throws Exception {
    HttpVersion httpVersion = request.protocolVersion();
    HttpMethod method = request.method();
    if (method != HttpMethod.POST) {
        return createErrorResponse(httpVersion, HttpResponseStatus.METHOD_NOT_ALLOWED);
    }
    X509Certificate clientCert = getClientCert(request, sslSession, sslReverseProxyMode);
    AuditService auditService = auditServiceRegister.getAuditService();
    AuditEvent event = new AuditEvent(new Date());
    event.setApplicationName(CaAuditConstants.APPNAME);
    event.setName(CaAuditConstants.NAME_PERF);
    event.addEventData(CaAuditConstants.NAME_reqType, RequestType.CMP.name());
    AuditLevel auditLevel = AuditLevel.INFO;
    AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
    String auditMessage = null;
    try {
        if (responderManager == null) {
            String message = "responderManager in servlet not configured";
            LOG.error(message);
            throw new HttpRespAuditException(HttpResponseStatus.INTERNAL_SERVER_ERROR, message, AuditLevel.ERROR, AuditStatus.FAILED);
        }
        String reqContentType = request.headers().get("Content-Type");
        if (!CT_REQUEST.equalsIgnoreCase(reqContentType)) {
            String message = "unsupported media type " + reqContentType;
            throw new HttpRespAuditException(HttpResponseStatus.UNSUPPORTED_MEDIA_TYPE, message, AuditLevel.INFO, AuditStatus.FAILED);
        }
        String caName = null;
        X509CaCmpResponder responder = null;
        if (servletUri.getPath().length() > 1) {
            // skip the first char which is always '/'
            String caAlias = servletUri.getPath().substring(1);
            caName = responderManager.getCaNameForAlias(caAlias);
            if (caName == null) {
                caName = caAlias.toLowerCase();
            }
            responder = responderManager.getX509CaResponder(caName);
        }
        if (caName == null || responder == null || !responder.isOnService()) {
            String message;
            if (caName == null) {
                message = "no CA is specified";
            } else if (responder == null) {
                message = "unknown CA '" + caName + "'";
            } else {
                message = "CA '" + caName + "' is out of service";
            }
            LOG.warn(message);
            throw new HttpRespAuditException(HttpResponseStatus.NOT_FOUND, message, AuditLevel.INFO, AuditStatus.FAILED);
        }
        event.addEventData(CaAuditConstants.NAME_ca, responder.getCaName());
        byte[] reqContent = readContent(request);
        PKIMessage pkiReq;
        try {
            pkiReq = PKIMessage.getInstance(reqContent);
        } catch (Exception ex) {
            LogUtil.error(LOG, ex, "could not parse the request (PKIMessage)");
            throw new HttpRespAuditException(HttpResponseStatus.BAD_REQUEST, "bad request", AuditLevel.INFO, AuditStatus.FAILED);
        }
        PKIMessage pkiResp = responder.processPkiMessage(pkiReq, clientCert, event);
        byte[] encodedPkiResp = pkiResp.getEncoded();
        return createOKResponse(httpVersion, CT_RESPONSE, encodedPkiResp);
    } catch (HttpRespAuditException ex) {
        auditStatus = ex.getAuditStatus();
        auditLevel = ex.getAuditLevel();
        auditMessage = ex.getAuditMessage();
        return createErrorResponse(httpVersion, ex.getHttpStatus());
    } catch (Throwable th) {
        if (th instanceof EOFException) {
            LogUtil.warn(LOG, th, "connection reset by peer");
        } else {
            LOG.error("Throwable thrown, this should not happen!", th);
        }
        auditLevel = AuditLevel.ERROR;
        auditStatus = AuditStatus.FAILED;
        auditMessage = "internal error";
        return createErrorResponse(httpVersion, HttpResponseStatus.INTERNAL_SERVER_ERROR);
    } finally {
        audit(auditService, event, auditLevel, auditStatus, auditMessage);
    }
}
Also used : PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) AuditLevel(org.xipki.audit.AuditLevel) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) EOFException(java.io.EOFException) AuditStatus(org.xipki.audit.AuditStatus) X509CaCmpResponder(org.xipki.ca.server.api.X509CaCmpResponder) EOFException(java.io.EOFException) AuditEvent(org.xipki.audit.AuditEvent) HttpVersion(io.netty.handler.codec.http.HttpVersion) AuditService(org.xipki.audit.AuditService) HttpMethod(io.netty.handler.codec.http.HttpMethod)

Example 97 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class HttpScepServlet method service.

@Override
public FullHttpResponse service(FullHttpRequest request, ServletURI servletUri, SSLSession sslSession, SslReverseProxyMode sslReverseProxyMode) throws Exception {
    HttpVersion version = request.protocolVersion();
    HttpMethod method = request.method();
    boolean viaPost;
    if (method == HttpMethod.POST) {
        viaPost = true;
    } else if (method == HttpMethod.GET) {
        viaPost = false;
    } else {
        return createErrorResponse(version, HttpResponseStatus.METHOD_NOT_ALLOWED);
    }
    String scepName = null;
    String certProfileName = null;
    if (servletUri.getPath().length() > 1) {
        String scepPath = servletUri.getPath();
        if (scepPath.endsWith(CGI_PROGRAM)) {
            // skip also the first char (which is always '/')
            String path = scepPath.substring(1, scepPath.length() - CGI_PROGRAM_LEN);
            String[] tokens = path.split("/");
            if (tokens.length == 2) {
                scepName = tokens[0];
                certProfileName = tokens[1].toLowerCase();
            }
        }
    // end if
    }
    if (scepName == null || certProfileName == null) {
        return createErrorResponse(version, HttpResponseStatus.NOT_FOUND);
    }
    AuditService auditService = auditServiceRegister.getAuditService();
    AuditEvent event = new AuditEvent(new Date());
    event.setApplicationName("SCEP");
    event.setName(CaAuditConstants.NAME_PERF);
    event.addEventData(CaAuditConstants.NAME_SCEP_name, scepName + "/" + certProfileName);
    event.addEventData(CaAuditConstants.NAME_reqType, RequestType.SCEP.name());
    String msgId = RandomUtil.nextHexLong();
    event.addEventData(CaAuditConstants.NAME_mid, msgId);
    AuditLevel auditLevel = AuditLevel.INFO;
    AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
    String auditMessage = null;
    try {
        if (responderManager == null) {
            auditMessage = "responderManager in servlet not configured";
            LOG.error(auditMessage);
            auditLevel = AuditLevel.ERROR;
            auditStatus = AuditStatus.FAILED;
            return createErrorResponse(version, HttpResponseStatus.INTERNAL_SERVER_ERROR);
        }
        Scep responder = responderManager.getScep(scepName);
        if (responder == null || !responder.isOnService() || !responder.supportsCertProfile(certProfileName)) {
            auditMessage = "unknown SCEP '" + scepName + "/" + certProfileName + "'";
            LOG.warn(auditMessage);
            auditStatus = AuditStatus.FAILED;
            return createErrorResponse(version, HttpResponseStatus.NOT_FOUND);
        }
        String operation = servletUri.getParameter("operation");
        event.addEventData(CaAuditConstants.NAME_SCEP_operation, operation);
        if ("PKIOperation".equalsIgnoreCase(operation)) {
            CMSSignedData reqMessage;
            // parse the request
            try {
                byte[] content;
                if (viaPost) {
                    content = readContent(request);
                } else {
                    String b64 = servletUri.getParameter("message");
                    content = Base64.decode(b64);
                }
                reqMessage = new CMSSignedData(content);
            } catch (Exception ex) {
                final String msg = "invalid request";
                LogUtil.error(LOG, ex, msg);
                auditMessage = msg;
                auditStatus = AuditStatus.FAILED;
                return createErrorResponse(version, HttpResponseStatus.BAD_REQUEST);
            }
            ContentInfo ci;
            try {
                ci = responder.servicePkiOperation(reqMessage, certProfileName, msgId, event);
            } catch (MessageDecodingException ex) {
                final String msg = "could not decrypt and/or verify the request";
                LogUtil.error(LOG, ex, msg);
                auditMessage = msg;
                auditStatus = AuditStatus.FAILED;
                return createErrorResponse(version, HttpResponseStatus.BAD_REQUEST);
            } catch (OperationException ex) {
                ErrorCode code = ex.getErrorCode();
                HttpResponseStatus httpCode;
                switch(code) {
                    case ALREADY_ISSUED:
                    case CERT_REVOKED:
                    case CERT_UNREVOKED:
                        httpCode = HttpResponseStatus.FORBIDDEN;
                        break;
                    case BAD_CERT_TEMPLATE:
                    case BAD_REQUEST:
                    case BAD_POP:
                    case INVALID_EXTENSION:
                    case UNKNOWN_CERT:
                    case UNKNOWN_CERT_PROFILE:
                        httpCode = HttpResponseStatus.BAD_REQUEST;
                        break;
                    case NOT_PERMITTED:
                        httpCode = HttpResponseStatus.UNAUTHORIZED;
                        break;
                    case SYSTEM_UNAVAILABLE:
                        httpCode = HttpResponseStatus.SERVICE_UNAVAILABLE;
                        break;
                    case CRL_FAILURE:
                    case DATABASE_FAILURE:
                    case SYSTEM_FAILURE:
                        httpCode = HttpResponseStatus.INTERNAL_SERVER_ERROR;
                        break;
                    default:
                        httpCode = HttpResponseStatus.INTERNAL_SERVER_ERROR;
                        break;
                }
                auditMessage = ex.getMessage();
                LogUtil.error(LOG, ex, auditMessage);
                auditStatus = AuditStatus.FAILED;
                return createErrorResponse(version, httpCode);
            }
            byte[] bodyBytes = ci.getEncoded();
            return createOKResponse(version, CT_RESPONSE, bodyBytes);
        } else if (Operation.GetCACaps.getCode().equalsIgnoreCase(operation)) {
            // CA-Ident is ignored
            byte[] caCapsBytes = responder.getCaCaps().getBytes();
            return createOKResponse(version, ScepConstants.CT_TEXT_PLAIN, caCapsBytes);
        } else if (Operation.GetCACert.getCode().equalsIgnoreCase(operation)) {
            // CA-Ident is ignored
            byte[] respBytes = responder.getCaCertResp().getBytes();
            return createOKResponse(version, ScepConstants.CT_X509_CA_RA_CERT, respBytes);
        } else if (Operation.GetNextCACert.getCode().equalsIgnoreCase(operation)) {
            auditMessage = "SCEP operation '" + operation + "' is not permitted";
            auditStatus = AuditStatus.FAILED;
            return createErrorResponse(version, HttpResponseStatus.FORBIDDEN);
        } else {
            auditMessage = "unknown SCEP operation '" + operation + "'";
            auditStatus = AuditStatus.FAILED;
            return createErrorResponse(version, HttpResponseStatus.BAD_REQUEST);
        }
    } catch (Throwable th) {
        if (th instanceof EOFException) {
            final String msg = "connection reset by peer";
            if (LOG.isWarnEnabled()) {
                LogUtil.warn(LOG, th, msg);
            }
            LOG.debug(msg, th);
        } else {
            LOG.error("Throwable thrown, this should not happen!", th);
        }
        auditLevel = AuditLevel.ERROR;
        auditStatus = AuditStatus.FAILED;
        auditMessage = "internal error";
        return createErrorResponse(version, HttpResponseStatus.INTERNAL_SERVER_ERROR);
    } finally {
        audit(auditService, event, auditLevel, auditStatus, auditMessage);
    }
}
Also used : HttpResponseStatus(io.netty.handler.codec.http.HttpResponseStatus) AuditLevel(org.xipki.audit.AuditLevel) CMSSignedData(org.bouncycastle.cms.CMSSignedData) Date(java.util.Date) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) IOException(java.io.IOException) EOFException(java.io.EOFException) OperationException(org.xipki.ca.api.OperationException) AuditStatus(org.xipki.audit.AuditStatus) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) EOFException(java.io.EOFException) AuditEvent(org.xipki.audit.AuditEvent) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode) Scep(org.xipki.ca.server.api.Scep) HttpVersion(io.netty.handler.codec.http.HttpVersion) AuditService(org.xipki.audit.AuditService) HttpMethod(io.netty.handler.codec.http.HttpMethod) OperationException(org.xipki.ca.api.OperationException)

Example 98 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class HttpCmpServlet method doPost.

@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    AuditServiceRegister auditServiceRegister = ServletHelper.getAuditServiceRegister();
    if (auditServiceRegister == null) {
        LOG.error("ServletHelper.auditServiceRegister not configured");
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        return;
    }
    ResponderManager responderManager = ServletHelper.getResponderManager();
    if (responderManager == null) {
        LOG.error("ServletHelper.responderManager not configured");
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        return;
    }
    X509Certificate clientCert = ClientCertCache.getTlsClientCert(req);
    AuditService auditService = auditServiceRegister.getAuditService();
    AuditEvent event = new AuditEvent(new Date());
    event.setApplicationName(CaAuditConstants.APPNAME);
    event.setName(CaAuditConstants.NAME_PERF);
    event.addEventData(CaAuditConstants.NAME_reqType, RequestType.CMP.name());
    AuditLevel auditLevel = AuditLevel.INFO;
    AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
    String auditMessage = null;
    try {
        String reqContentType = req.getHeader("Content-Type");
        if (!CT_REQUEST.equalsIgnoreCase(reqContentType)) {
            String message = "unsupported media type " + reqContentType;
            throw new HttpRespAuditException(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, AuditLevel.INFO, AuditStatus.FAILED);
        }
        String caName = null;
        X509CaCmpResponder responder = null;
        String path = StringUtil.getRelativeRequestUri(req.getServletPath(), req.getRequestURI());
        if (path.length() > 1) {
            // skip the first char which is always '/'
            String caAlias = path.substring(1);
            caName = responderManager.getCaNameForAlias(caAlias);
            if (caName == null) {
                caName = caAlias.toLowerCase();
            }
            responder = responderManager.getX509CaResponder(caName);
        }
        if (caName == null || responder == null || !responder.isOnService()) {
            String message;
            if (caName == null) {
                message = "no CA is specified";
            } else if (responder == null) {
                message = "unknown CA '" + caName + "'";
            } else {
                message = "CA '" + caName + "' is out of service";
            }
            LOG.warn(message);
            throw new HttpRespAuditException(HttpServletResponse.SC_NOT_FOUND, message, AuditLevel.INFO, AuditStatus.FAILED);
        }
        event.addEventData(CaAuditConstants.NAME_ca, responder.getCaName());
        byte[] reqContent = IoUtil.read(req.getInputStream());
        PKIMessage pkiReq;
        try {
            pkiReq = PKIMessage.getInstance(reqContent);
        } catch (Exception ex) {
            LogUtil.error(LOG, ex, "could not parse the request (PKIMessage)");
            throw new HttpRespAuditException(HttpServletResponse.SC_BAD_REQUEST, "bad request", AuditLevel.INFO, AuditStatus.FAILED);
        }
        PKIMessage pkiResp = responder.processPkiMessage(pkiReq, clientCert, event);
        byte[] encodedPkiResp = pkiResp.getEncoded();
        resp.setContentType(CT_RESPONSE);
        resp.setContentLength(encodedPkiResp.length);
        resp.getOutputStream().write(encodedPkiResp);
    } catch (HttpRespAuditException ex) {
        auditStatus = ex.getAuditStatus();
        auditLevel = ex.getAuditLevel();
        auditMessage = ex.getAuditMessage();
        sendError(resp, ex.getHttpStatus());
    } catch (Throwable th) {
        if (th instanceof EOFException) {
            LogUtil.warn(LOG, th, "connection reset by peer");
        } else {
            LOG.error("Throwable thrown, this should not happen!", th);
        }
        auditLevel = AuditLevel.ERROR;
        auditStatus = AuditStatus.FAILED;
        auditMessage = "internal error";
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    } finally {
        resp.flushBuffer();
        audit(auditService, event, auditLevel, auditStatus, auditMessage);
    }
}
Also used : PKIMessage(org.bouncycastle.asn1.cmp.PKIMessage) AuditLevel(org.xipki.audit.AuditLevel) ResponderManager(org.xipki.ca.server.api.ResponderManager) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) ServletException(javax.servlet.ServletException) IOException(java.io.IOException) EOFException(java.io.EOFException) AuditStatus(org.xipki.audit.AuditStatus) X509CaCmpResponder(org.xipki.ca.server.api.X509CaCmpResponder) EOFException(java.io.EOFException) AuditEvent(org.xipki.audit.AuditEvent) AuditServiceRegister(org.xipki.audit.AuditServiceRegister) AuditService(org.xipki.audit.AuditService)

Example 99 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class ScepServlet method service.

@Override
protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    boolean post;
    String method = req.getMethod();
    if ("GET".equals(method)) {
        post = false;
    } else if ("POST".equals(method)) {
        post = true;
    } else {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        return;
    }
    AuditEvent event = new AuditEvent();
    event.setName(ScepAuditConstants.NAME_PERF);
    event.putEventData(ScepAuditConstants.NAME_servletPath, req.getServletPath());
    AuditLevel auditLevel = AuditLevel.INFO;
    String auditMessage = null;
    try {
        CaCaps caCaps = responder.getCaCaps();
        if (post && !caCaps.containsCapability(CaCapability.POSTPKIOperation)) {
            auditMessage = "HTTP POST is not supported";
            auditLevel = AuditLevel.ERROR;
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String operation = req.getParameter("operation");
        event.putEventData(ScepAuditConstants.NAME_operation, operation);
        if ("PKIOperation".equalsIgnoreCase(operation)) {
            CMSSignedData reqMessage;
            // parse the request
            try {
                byte[] content = post ? ScepUtil.read(req.getInputStream()) : Base64.decode(req.getParameter("message"));
                reqMessage = new CMSSignedData(content);
            } catch (Exception ex) {
                auditMessage = "invalid request";
                auditLevel = AuditLevel.ERROR;
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            ContentInfo ci;
            try {
                ci = responder.servicePkiOperation(reqMessage, event);
            } catch (MessageDecodingException ex) {
                auditMessage = "could not decrypt and/or verify the request";
                auditLevel = AuditLevel.ERROR;
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            } catch (CaException ex) {
                auditMessage = "system internal error";
                auditLevel = AuditLevel.ERROR;
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return;
            }
            byte[] respBytes = ci.getEncoded();
            sendToResponse(resp, CT_RESPONSE, respBytes);
        } else if (Operation.GetCACaps.getCode().equalsIgnoreCase(operation)) {
            // CA-Ident is ignored
            byte[] caCapsBytes = responder.getCaCaps().getBytes();
            sendToResponse(resp, ScepConstants.CT_TEXT_PLAIN, caCapsBytes);
        } else if (Operation.GetCACert.getCode().equalsIgnoreCase(operation)) {
            // CA-Ident is ignored
            byte[] respBytes;
            String ct;
            if (responder.getRaEmulator() == null) {
                ct = ScepConstants.CT_X509_CA_CERT;
                respBytes = responder.getCaEmulator().getCaCertBytes();
            } else {
                ct = ScepConstants.CT_X509_CA_RA_CERT;
                CMSSignedDataGenerator cmsSignedDataGen = new CMSSignedDataGenerator();
                try {
                    cmsSignedDataGen.addCertificate(new X509CertificateHolder(responder.getCaEmulator().getCaCert()));
                    ct = ScepConstants.CT_X509_CA_RA_CERT;
                    cmsSignedDataGen.addCertificate(new X509CertificateHolder(responder.getRaEmulator().getRaCert()));
                    CMSSignedData degenerateSignedData = cmsSignedDataGen.generate(new CMSAbsentContent());
                    respBytes = degenerateSignedData.getEncoded();
                } catch (CMSException ex) {
                    auditMessage = "system internal error";
                    auditLevel = AuditLevel.ERROR;
                    resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                    return;
                }
            }
            sendToResponse(resp, ct, respBytes);
        } else if (Operation.GetNextCACert.getCode().equalsIgnoreCase(operation)) {
            if (responder.getNextCaAndRa() == null) {
                auditMessage = "SCEP operation '" + operation + "' is not permitted";
                auditLevel = AuditLevel.ERROR;
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            try {
                NextCaMessage nextCaMsg = new NextCaMessage();
                nextCaMsg.setCaCert(ScepUtil.toX509Cert(responder.getNextCaAndRa().getCaCert()));
                if (responder.getNextCaAndRa().getRaCert() != null) {
                    X509Certificate raCert = ScepUtil.toX509Cert(responder.getNextCaAndRa().getRaCert());
                    nextCaMsg.setRaCerts(Arrays.asList(raCert));
                }
                ContentInfo signedData = responder.encode(nextCaMsg);
                byte[] respBytes = signedData.getEncoded();
                sendToResponse(resp, ScepConstants.CT_X509_NEXT_CA_CERT, respBytes);
            } catch (Exception ex) {
                auditMessage = "system internal error";
                auditLevel = AuditLevel.ERROR;
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        } else {
            auditMessage = "unknown SCEP operation '" + operation + "'";
            auditLevel = AuditLevel.ERROR;
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    // end if ("PKIOperation".equalsIgnoreCase(operation))
    } catch (EOFException ex) {
        LOG.warn("connection reset by peer", ex);
        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    } catch (Throwable th) {
        LOG.error("Throwable thrown, this should not happen!", th);
        auditLevel = AuditLevel.ERROR;
        auditMessage = "internal error";
        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    } finally {
        if (event.getLevel() != AuditLevel.ERROR) {
            event.setLevel(auditLevel);
        }
        if (auditMessage != null) {
            event.putEventData("error", auditMessage);
        }
        event.log(LOG);
    }
// end try
}
Also used : CMSSignedDataGenerator(org.bouncycastle.cms.CMSSignedDataGenerator) CMSAbsentContent(org.bouncycastle.cms.CMSAbsentContent) AuditLevel(org.xipki.scep.serveremulator.AuditEvent.AuditLevel) CMSSignedData(org.bouncycastle.cms.CMSSignedData) NextCaMessage(org.xipki.scep.message.NextCaMessage) ServletException(javax.servlet.ServletException) CMSException(org.bouncycastle.cms.CMSException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) IOException(java.io.IOException) EOFException(java.io.EOFException) X509Certificate(java.security.cert.X509Certificate) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) CaCaps(org.xipki.scep.message.CaCaps) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) EOFException(java.io.EOFException) CMSException(org.bouncycastle.cms.CMSException)

Example 100 with Request

use of org.bouncycastle.asn1.ocsp.Request in project xipki by xipki.

the class Client method scepGetCert.

public List<X509Certificate> scepGetCert(PrivateKey identityKey, X509Certificate identityCert, X500Name issuer, BigInteger serialNumber) throws ScepClientException {
    ScepUtil.requireNonNull("identityKey", identityKey);
    ScepUtil.requireNonNull("identityCert", identityCert);
    ScepUtil.requireNonNull("issuer", issuer);
    ScepUtil.requireNonNull("serialNumber", serialNumber);
    initIfNotInited();
    PkiMessage request = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCert);
    IssuerAndSerialNumber isn = new IssuerAndSerialNumber(issuer, serialNumber);
    request.setMessageData(isn);
    ContentInfo envRequest = encryptThenSign(request, identityKey, identityCert);
    ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, envRequest);
    CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
    DecodedPkiMessage response = decode(cmsSignedData, identityKey, identityCert);
    if (response.getPkiStatus() != PkiStatus.SUCCESS) {
        throw new ScepClientException("server returned " + response.getPkiStatus());
    }
    ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
    try {
        return ScepUtil.getCertsFromSignedData(SignedData.getInstance(messageData.getContent()));
    } catch (CertificateException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ScepClientException(org.xipki.scep.client.exception.ScepClientException) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) PkiMessage(org.xipki.scep.message.PkiMessage) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) CertificateException(java.security.cert.CertificateException) CMSSignedData(org.bouncycastle.cms.CMSSignedData)

Aggregations

IOException (java.io.IOException)47 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)30 Date (java.util.Date)27 DEROctetString (org.bouncycastle.asn1.DEROctetString)26 BigInteger (java.math.BigInteger)23 X509Certificate (java.security.cert.X509Certificate)22 PKIMessage (org.bouncycastle.asn1.cmp.PKIMessage)22 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)20 CertificateException (java.security.cert.CertificateException)18 ArrayList (java.util.ArrayList)17 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)17 X500Name (org.bouncycastle.asn1.x500.X500Name)16 Extension (org.bouncycastle.asn1.x509.Extension)16 Extensions (org.bouncycastle.asn1.x509.Extensions)16 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)15 DERIA5String (org.bouncycastle.asn1.DERIA5String)15 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)14 PKIBody (org.bouncycastle.asn1.cmp.PKIBody)13 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)12 GeneralName (org.bouncycastle.asn1.x509.GeneralName)11