Search in sources :

Example 16 with ContentInfo

use of org.bouncycastle.asn1.pkcs.ContentInfo in project xipki by xipki.

the class ScepResponder method servicePkiOperation0.

private PkiMessage servicePkiOperation0(DecodedPkiMessage req, AuditEvent event) throws MessageDecodingException, CaException {
    TransactionId tid = req.getTransactionId();
    PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce());
    rep.setPkiStatus(PkiStatus.SUCCESS);
    rep.setRecipientNonce(req.getSenderNonce());
    if (req.getFailureMessage() != null) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    Boolean bo = req.isSignatureValid();
    if (bo != null && !bo.booleanValue()) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badMessageCheck);
    }
    bo = req.isDecryptionSuccessful();
    if (bo != null && !bo.booleanValue()) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    Date signingTime = req.getSigningTime();
    if (maxSigningTimeBiasInMs > 0) {
        boolean isTimeBad = false;
        if (signingTime == null) {
            isTimeBad = true;
        } else {
            long now = System.currentTimeMillis();
            long diff = now - signingTime.getTime();
            if (diff < 0) {
                diff = -1 * diff;
            }
            isTimeBad = diff > maxSigningTimeBiasInMs;
        }
        if (isTimeBad) {
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badTime);
        }
    }
    // check the digest algorithm
    String oid = req.getDigestAlgorithm().getId();
    ScepHashAlgo hashAlgo = ScepHashAlgo.forNameOrOid(oid);
    if (hashAlgo == null) {
        LOG.warn("tid={}: unknown digest algorithm {}", tid, oid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    // end if
    boolean supported = false;
    if (hashAlgo == ScepHashAlgo.SHA1) {
        if (caCaps.containsCapability(CaCapability.SHA1)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.SHA256) {
        if (caCaps.containsCapability(CaCapability.SHA256)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.SHA512) {
        if (caCaps.containsCapability(CaCapability.SHA512)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.MD5) {
        if (control.isUseInsecureAlg()) {
            supported = true;
        }
    }
    if (!supported) {
        LOG.warn("tid={}: unsupported digest algorithm {}", tid, oid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    // end if
    // check the content encryption algorithm
    ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
    if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
        if (!caCaps.containsCapability(CaCapability.DES3)) {
            LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else if (AES_ENC_ALGS.contains(encOid)) {
        if (!caCaps.containsCapability(CaCapability.AES)) {
            LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else if (CMSAlgorithm.DES_CBC.equals(encOid)) {
        if (!control.isUseInsecureAlg()) {
            LOG.warn("tid={}: encryption with DES algorithm {} is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else {
        LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    if (rep.getPkiStatus() == PkiStatus.FAILURE) {
        return rep;
    }
    MessageType messageType = req.getMessageType();
    switch(messageType) {
        case PKCSReq:
            boolean selfSigned = req.getSignatureCert().getIssuerX500Principal().equals(req.getSignatureCert().getIssuerX500Principal());
            CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData());
            if (selfSigned) {
                X500Name name = X500Name.getInstance(req.getSignatureCert().getSubjectX500Principal().getEncoded());
                if (!name.equals(csr.getCertificationRequestInfo().getSubject())) {
                    LOG.warn("tid={}: self-signed cert.subject != CSR.subject", tid);
                    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
                }
            }
            String challengePwd = getChallengePassword(csr.getCertificationRequestInfo());
            if (challengePwd == null || !control.getSecret().equals(challengePwd)) {
                LOG.warn("challengePassword is not trusted");
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            }
            Certificate cert;
            try {
                cert = caEmulator.generateCert(csr);
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (cert != null && control.isPendingCert()) {
                rep.setPkiStatus(PkiStatus.PENDING);
            } else if (cert != null) {
                ContentInfo messageData = createSignedData(cert);
                rep.setMessageData(messageData);
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case CertPoll:
            IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
            cert = caEmulator.pollCert(is.getIssuer(), is.getSubject());
            if (cert != null) {
                rep.setMessageData(createSignedData(cert));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case GetCert:
            IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
            cert = caEmulator.getCert(isn.getName(), isn.getSerialNumber().getValue());
            if (cert != null) {
                rep.setMessageData(createSignedData(cert));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case RenewalReq:
            if (!caCaps.containsCapability(CaCapability.Renewal)) {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            } else {
                csr = CertificationRequest.getInstance(req.getMessageData());
                try {
                    cert = caEmulator.generateCert(csr);
                } catch (Exception ex) {
                    throw new CaException("system failure: " + ex.getMessage(), ex);
                }
                if (cert != null) {
                    rep.setMessageData(createSignedData(cert));
                } else {
                    rep.setPkiStatus(PkiStatus.FAILURE);
                    rep.setFailInfo(FailInfo.badCertId);
                }
            }
            break;
        case UpdateReq:
            if (!caCaps.containsCapability(CaCapability.Update)) {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            } else {
                csr = CertificationRequest.getInstance(req.getMessageData());
                try {
                    cert = caEmulator.generateCert(csr);
                } catch (Exception ex) {
                    throw new CaException("system failure: " + ex.getMessage(), ex);
                }
                if (cert != null) {
                    rep.setMessageData(createSignedData(cert));
                } else {
                    buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
                }
            }
            break;
        case GetCRL:
            isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
            CertificateList crl;
            try {
                crl = caEmulator.getCrl(isn.getName(), isn.getSerialNumber().getValue());
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (crl != null) {
                rep.setMessageData(createSignedData(crl));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        default:
            buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    return rep;
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo) CertificateList(org.bouncycastle.asn1.x509.CertificateList) ASN1String(org.bouncycastle.asn1.ASN1String) X500Name(org.bouncycastle.asn1.x500.X500Name) Date(java.util.Date) CMSException(org.bouncycastle.cms.CMSException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) CertificateException(java.security.cert.CertificateException) IssuerAndSubject(org.xipki.scep.message.IssuerAndSubject) TransactionId(org.xipki.scep.transaction.TransactionId) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) PkiMessage(org.xipki.scep.message.PkiMessage) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) MessageType(org.xipki.scep.transaction.MessageType) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 17 with ContentInfo

use of org.bouncycastle.asn1.pkcs.ContentInfo in project xipki by xipki.

the class Client method encryptThenSign.

private ContentInfo encryptThenSign(PkiMessage request, PrivateKey identityKey, X509Certificate identityCert) throws ScepClientException {
    ScepHashAlgo hashAlgo = caCaps.mostSecureHashAlgo();
    if (hashAlgo == ScepHashAlgo.MD5 && !useInsecureAlgorithms) {
        throw new ScepClientException("Scep server supports only MD5 but it not permitted in client");
    }
    String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(identityKey, hashAlgo);
    ASN1ObjectIdentifier encAlgId;
    if (caCaps.containsCapability(CaCapability.AES)) {
        encAlgId = CMSAlgorithm.AES128_CBC;
    } else if (caCaps.containsCapability(CaCapability.DES3)) {
        encAlgId = CMSAlgorithm.DES_EDE3_CBC;
    } else if (useInsecureAlgorithms) {
        encAlgId = CMSAlgorithm.DES_CBC;
    } else {
        // no support of DES
        throw new ScepClientException("DES will not be supported by this client");
    }
    try {
        return request.encode(identityKey, signatureAlgorithm, identityCert, new X509Certificate[] { identityCert }, authorityCertStore.getEncryptionCert(), encAlgId);
    } catch (MessageEncodingException ex) {
        throw new ScepClientException(ex);
    }
}
Also used : ScepClientException(org.xipki.scep.client.exception.ScepClientException) ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo) MessageEncodingException(org.xipki.scep.exception.MessageEncodingException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 18 with ContentInfo

use of org.bouncycastle.asn1.pkcs.ContentInfo in project xipki by xipki.

the class Client method scepGetCrl.

public X509CRL scepGetCrl(PrivateKey identityKey, X509Certificate identityCert, X500Name issuer, BigInteger serialNumber) throws ScepClientException {
    ScepUtil.requireNonNull("identityKey", identityKey);
    ScepUtil.requireNonNull("identityCert", identityCert);
    ScepUtil.requireNonNull("issuer", issuer);
    ScepUtil.requireNonNull("serialNumber", serialNumber);
    initIfNotInited();
    PkiMessage pkiMessage = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCRL);
    IssuerAndSerialNumber isn = new IssuerAndSerialNumber(issuer, serialNumber);
    pkiMessage.setMessageData(isn);
    ContentInfo request = encryptThenSign(pkiMessage, identityKey, identityCert);
    ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, request);
    CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
    PkiMessage response = decode(cmsSignedData, identityKey, identityCert);
    if (response.getPkiStatus() != PkiStatus.SUCCESS) {
        throw new ScepClientException("server returned " + response.getPkiStatus());
    }
    ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
    try {
        return ScepUtil.getCrlFromPkiMessage(SignedData.getInstance(messageData.getContent()));
    } catch (CRLException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ScepClientException(org.xipki.scep.client.exception.ScepClientException) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) PkiMessage(org.xipki.scep.message.PkiMessage) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) CMSSignedData(org.bouncycastle.cms.CMSSignedData) CRLException(java.security.cert.CRLException)

Example 19 with ContentInfo

use of org.bouncycastle.asn1.pkcs.ContentInfo in project xipki by xipki.

the class PkiMessage method encode.

public ContentInfo encode(ContentSigner signer, X509Certificate signerCert, X509Certificate[] cmsCertSet, X509Certificate recipientCert, ASN1ObjectIdentifier encAlgId) throws MessageEncodingException {
    ScepUtil.requireNonNull("signer", signer);
    ScepUtil.requireNonNull("signerCert", signerCert);
    if (messageData != null) {
        ScepUtil.requireNonNull("recipientCert", recipientCert);
        ScepUtil.requireNonNull("encAlgId", encAlgId);
    }
    CMSTypedData content;
    if (messageData == null) {
        content = new CMSAbsentContent();
    } else {
        CMSEnvelopedData envelopedData = encrypt(recipientCert, encAlgId);
        byte[] encoded;
        try {
            encoded = envelopedData.getEncoded();
        } catch (IOException ex) {
            throw new MessageEncodingException(ex);
        }
        content = new CMSProcessableByteArray(CMSObjectIdentifiers.envelopedData, encoded);
    }
    try {
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        // signerInfo
        JcaSignerInfoGeneratorBuilder signerInfoBuilder = new JcaSignerInfoGeneratorBuilder(new BcDigestCalculatorProvider());
        signerInfoBuilder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(getSignedAttributes()));
        AttributeTable attrTable = getUnsignedAttributes();
        if (attrTable != null) {
            signerInfoBuilder.setUnsignedAttributeGenerator(new SimpleAttributeTableGenerator(attrTable));
        }
        // certificateSet
        ScepUtil.addCmsCertSet(generator, cmsCertSet);
        SignerInfoGenerator signerInfo;
        try {
            signerInfo = signerInfoBuilder.build(signer, signerCert);
        } catch (Exception ex) {
            throw new MessageEncodingException(ex);
        }
        generator.addSignerInfoGenerator(signerInfo);
        CMSSignedData signedData = generator.generate(content, true);
        return signedData.toASN1Structure();
    } catch (CMSException ex) {
        throw new MessageEncodingException(ex);
    } catch (Exception ex) {
        throw new MessageEncodingException(ex);
    }
}
Also used : BcDigestCalculatorProvider(org.bouncycastle.operator.bc.BcDigestCalculatorProvider) CMSEnvelopedData(org.bouncycastle.cms.CMSEnvelopedData) CMSSignedDataGenerator(org.bouncycastle.cms.CMSSignedDataGenerator) CMSProcessableByteArray(org.bouncycastle.cms.CMSProcessableByteArray) DefaultSignedAttributeTableGenerator(org.bouncycastle.cms.DefaultSignedAttributeTableGenerator) CMSTypedData(org.bouncycastle.cms.CMSTypedData) CMSAbsentContent(org.bouncycastle.cms.CMSAbsentContent) AttributeTable(org.bouncycastle.asn1.cms.AttributeTable) IOException(java.io.IOException) MessageEncodingException(org.xipki.scep.exception.MessageEncodingException) CMSSignedData(org.bouncycastle.cms.CMSSignedData) CMSException(org.bouncycastle.cms.CMSException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) MessageEncodingException(org.xipki.scep.exception.MessageEncodingException) IOException(java.io.IOException) CertificateEncodingException(java.security.cert.CertificateEncodingException) SimpleAttributeTableGenerator(org.bouncycastle.cms.SimpleAttributeTableGenerator) JcaSignerInfoGeneratorBuilder(org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder) SignerInfoGenerator(org.bouncycastle.cms.SignerInfoGenerator) CMSException(org.bouncycastle.cms.CMSException)

Example 20 with ContentInfo

use of org.bouncycastle.asn1.pkcs.ContentInfo in project webcert by sklintyg.

the class ASN1UtilImpl method getValue.

@Override
public String getValue(String identifier, InputStream asn1Signature) {
    ByteArrayInputStream bais = null;
    ASN1InputStream asn1InputStream = null;
    try {
        bais = convertStream(asn1Signature);
        asn1InputStream = new ASN1InputStream(bais);
        DERObject obj = asn1InputStream.readObject();
        ContentInfo contentInfo = ContentInfo.getInstance(obj);
        // Extract certificates
        SignedData signedData = SignedData.getInstance(contentInfo.getContent());
        return findInCertificate(identifier, (DERObject) signedData.getCertificates().getObjectAt(0));
    } catch (IOException e) {
        LOG.error("Error parsing signature: {}", e.getMessage());
        throw new IllegalStateException(e);
    } finally {
        IOUtils.closeQuietly(bais);
        IOUtils.closeQuietly(asn1InputStream);
    }
}
Also used : ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) DERObject(org.bouncycastle.asn1.DERObject) SignedData(org.bouncycastle.asn1.pkcs.SignedData) ByteArrayInputStream(java.io.ByteArrayInputStream) ContentInfo(org.bouncycastle.asn1.pkcs.ContentInfo) IOException(java.io.IOException)

Aggregations

ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)24 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)22 IOException (java.io.IOException)20 X509Certificate (java.security.cert.X509Certificate)18 CMSSignedData (org.bouncycastle.cms.CMSSignedData)14 CertificateException (java.security.cert.CertificateException)12 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)12 BERSequence (org.bouncycastle.asn1.BERSequence)12 CertificateEncodingException (java.security.cert.CertificateEncodingException)11 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)9 ASN1Set (org.bouncycastle.asn1.ASN1Set)9 SignedData (org.bouncycastle.asn1.cms.SignedData)9 CMSException (org.bouncycastle.cms.CMSException)9 PrivateKey (java.security.PrivateKey)8 ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)8 DERSet (org.bouncycastle.asn1.DERSet)8 ContentInfo (org.bouncycastle.asn1.pkcs.ContentInfo)8 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)7 ByteArrayInputStream (java.io.ByteArrayInputStream)6 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)6