Example 21 with ContentInfo
use of org.gudy.bouncycastle.asn1.cms.ContentInfo in project xipki by xipki.
the class Client method retrieveCaCertStore.
private static AuthorityCertStore retrieveCaCertStore(ScepHttpResponse resp, CaCertValidator caValidator) throws ScepClientException {
String ct = resp.getContentType();
X509Certificate caCert = null;
List<X509Certificate> raCerts = new LinkedList<X509Certificate>();
if (ScepConstants.CT_X509_CA_CERT.equalsIgnoreCase(ct)) {
caCert = parseCert(resp.getContentBytes());
} else if (ScepConstants.CT_X509_CA_RA_CERT.equalsIgnoreCase(ct)) {
ContentInfo contentInfo = ContentInfo.getInstance(resp.getContentBytes());
SignedData signedData;
try {
signedData = SignedData.getInstance(contentInfo.getContent());
} catch (IllegalArgumentException ex) {
throw new ScepClientException("invalid SignedData message: " + ex.getMessage(), ex);
}
List<X509Certificate> certs;
try {
certs = ScepUtil.getCertsFromSignedData(signedData);
} catch (CertificateException ex) {
throw new ScepClientException(ex.getMessage(), ex);
}
final int n = certs.size();
if (n < 2) {
throw new ScepClientException("at least 2 certificates are expected, but only " + n + " is available");
}
for (int i = 0; i < n; i++) {
X509Certificate cert = certs.get(i);
if (cert.getBasicConstraints() > -1) {
if (caCert != null) {
throw new ScepClientException("multiple CA certificates is returned, but exactly 1 is expected");
}
caCert = cert;
} else {
raCerts.add(cert);
}
}
if (caCert == null) {
throw new ScepClientException("no CA certificate is returned");
}
} else {
throw new ScepClientException("invalid Content-Type '" + ct + "'");
}
if (!caValidator.isTrusted(caCert)) {
throw new ScepClientException("CA certificate '" + caCert.getSubjectX500Principal() + "' is not trusted");
}
if (raCerts.isEmpty()) {
return AuthorityCertStore.getInstance(caCert);
} else {
AuthorityCertStore cs = AuthorityCertStore.getInstance(caCert, raCerts.toArray(new X509Certificate[0]));
X509Certificate raEncCert = cs.getEncryptionCert();
X509Certificate raSignCert = cs.getSignatureCert();
try {
if (!ScepUtil.issues(caCert, raEncCert)) {
throw new ScepClientException("RA certificate '" + raEncCert.getSubjectX500Principal() + " is not issued by the CA");
}
if (raSignCert != raEncCert && ScepUtil.issues(caCert, raSignCert)) {
throw new ScepClientException("RA certificate '" + raSignCert.getSubjectX500Principal() + " is not issued by the CA");
}
} catch (CertificateException ex) {
throw new ScepClientException("invalid certificate: " + ex.getMessage(), ex);
}
return cs;
}
}
Also used :
SignedData(org.bouncycastle.asn1.cms.SignedData)
CMSSignedData(org.bouncycastle.cms.CMSSignedData)
ScepClientException(org.xipki.scep.client.exception.ScepClientException)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
LinkedList(java.util.LinkedList)
List(java.util.List)
CertificateException(java.security.cert.CertificateException)
AuthorityCertStore(org.xipki.scep.message.AuthorityCertStore)
X509Certificate(java.security.cert.X509Certificate)
LinkedList(java.util.LinkedList)
Example 22 with ContentInfo
use of org.gudy.bouncycastle.asn1.cms.ContentInfo in project xipki by xipki.
the class Client method scepGetCert.
public List<X509Certificate> scepGetCert(PrivateKey identityKey, X509Certificate identityCert, X500Name issuer, BigInteger serialNumber) throws ScepClientException {
ScepUtil.requireNonNull("identityKey", identityKey);
ScepUtil.requireNonNull("identityCert", identityCert);
ScepUtil.requireNonNull("issuer", issuer);
ScepUtil.requireNonNull("serialNumber", serialNumber);
initIfNotInited();
PkiMessage request = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCert);
IssuerAndSerialNumber isn = new IssuerAndSerialNumber(issuer, serialNumber);
request.setMessageData(isn);
ContentInfo envRequest = encryptThenSign(request, identityKey, identityCert);
ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, envRequest);
CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
DecodedPkiMessage response = decode(cmsSignedData, identityKey, identityCert);
if (response.getPkiStatus() != PkiStatus.SUCCESS) {
throw new ScepClientException("server returned " + response.getPkiStatus());
}
ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
try {
return ScepUtil.getCertsFromSignedData(SignedData.getInstance(messageData.getContent()));
} catch (CertificateException ex) {
throw new ScepClientException(ex.getMessage(), ex);
}
}
Also used :
IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber)
ScepClientException(org.xipki.scep.client.exception.ScepClientException)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
PkiMessage(org.xipki.scep.message.PkiMessage)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
CertificateException(java.security.cert.CertificateException)
CMSSignedData(org.bouncycastle.cms.CMSSignedData)
Example 23 with ContentInfo
use of org.gudy.bouncycastle.asn1.cms.ContentInfo in project xipki by xipki.
the class Client method scepCertPoll.
public EnrolmentResponse scepCertPoll(PrivateKey identityKey, X509Certificate identityCert, TransactionId transactionId, X500Name issuer, X500Name subject) throws ScepClientException {
ScepUtil.requireNonNull("identityKey", identityKey);
ScepUtil.requireNonNull("identityCert", identityCert);
ScepUtil.requireNonNull("issuer", issuer);
ScepUtil.requireNonNull("transactionId", transactionId);
initIfNotInited();
PkiMessage pkiMessage = new PkiMessage(transactionId, MessageType.CertPoll);
IssuerAndSubject is = new IssuerAndSubject(issuer, subject);
pkiMessage.setMessageData(is);
ContentInfo envRequest = encryptThenSign(pkiMessage, identityKey, identityCert);
ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, envRequest);
CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
DecodedPkiMessage response = decode(cmsSignedData, identityKey, identityCert);
assertSameNonce(pkiMessage, response);
return new EnrolmentResponse(response);
}
Also used :
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
PkiMessage(org.xipki.scep.message.PkiMessage)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
CMSSignedData(org.bouncycastle.cms.CMSSignedData)
IssuerAndSubject(org.xipki.scep.message.IssuerAndSubject)
Example 24 with ContentInfo
use of org.gudy.bouncycastle.asn1.cms.ContentInfo in project xipki by xipki.
the class Client method enroll.
private EnrolmentResponse enroll(MessageType messageType, CertificationRequest csr, PrivateKey identityKey, X509Certificate identityCert) throws ScepClientException {
TransactionId tid;
try {
tid = TransactionId.sha1TransactionId(csr.getCertificationRequestInfo().getSubjectPublicKeyInfo());
} catch (InvalidKeySpecException ex) {
throw new ScepClientException(ex.getMessage(), ex);
}
PkiMessage pkiMessage = new PkiMessage(tid, messageType);
pkiMessage.setMessageData(csr);
ContentInfo envRequest = encryptThenSign(pkiMessage, identityKey, identityCert);
ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, envRequest);
CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
DecodedPkiMessage response = decode(cmsSignedData, identityKey, identityCert);
assertSameNonce(pkiMessage, response);
return new EnrolmentResponse(response);
}
Also used :
ScepClientException(org.xipki.scep.client.exception.ScepClientException)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
PkiMessage(org.xipki.scep.message.PkiMessage)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
CMSSignedData(org.bouncycastle.cms.CMSSignedData)
TransactionId(org.xipki.scep.transaction.TransactionId)
Example 25 with ContentInfo
use of org.gudy.bouncycastle.asn1.cms.ContentInfo in project xipki by xipki.
the class DecodedNextCaMessage method decode.
@SuppressWarnings("unchecked")
public static DecodedNextCaMessage decode(CMSSignedData pkiMessage, CollectionStore<X509CertificateHolder> certStore) throws MessageDecodingException {
ScepUtil.requireNonNull("pkiMessage", pkiMessage);
SignerInformationStore signerStore = pkiMessage.getSignerInfos();
Collection<SignerInformation> signerInfos = signerStore.getSigners();
if (signerInfos.size() != 1) {
throw new MessageDecodingException("number of signerInfos is not 1, but " + signerInfos.size());
}
SignerInformation signerInfo = signerInfos.iterator().next();
SignerId sid = signerInfo.getSID();
Collection<?> signedDataCerts = null;
if (certStore != null) {
signedDataCerts = certStore.getMatches(sid);
}
if (signedDataCerts == null || signedDataCerts.isEmpty()) {
signedDataCerts = pkiMessage.getCertificates().getMatches(signerInfo.getSID());
}
if (signedDataCerts == null || signedDataCerts.size() != 1) {
throw new MessageDecodingException("could not find embedded certificate to verify the signature");
}
AttributeTable signedAttrs = signerInfo.getSignedAttributes();
if (signedAttrs == null) {
throw new MessageDecodingException("missing signed attributes");
}
Date signingTime = null;
// signingTime
ASN1Encodable attrValue = ScepUtil.getFirstAttrValue(signedAttrs, CMSAttributes.signingTime);
if (attrValue != null) {
signingTime = Time.getInstance(attrValue).getDate();
}
DecodedNextCaMessage ret = new DecodedNextCaMessage();
if (signingTime != null) {
ret.setSigningTime(signingTime);
}
ASN1ObjectIdentifier digestAlgOid = signerInfo.getDigestAlgorithmID().getAlgorithm();
ret.setDigestAlgorithm(digestAlgOid);
String sigAlgOid = signerInfo.getEncryptionAlgOID();
if (!PKCSObjectIdentifiers.rsaEncryption.getId().equals(sigAlgOid)) {
ASN1ObjectIdentifier tmpDigestAlgOid;
try {
tmpDigestAlgOid = ScepUtil.extractDigesetAlgorithmIdentifier(signerInfo.getEncryptionAlgOID(), signerInfo.getEncryptionAlgParams());
} catch (Exception ex) {
final String msg = "could not extract digest algorithm from signerInfo.signatureAlgorithm: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
if (!digestAlgOid.equals(tmpDigestAlgOid)) {
ret.setFailureMessage("digestAlgorithm and encryptionAlgorithm do not use" + " the same digestAlgorithm");
return ret;
}
}
// end if
X509CertificateHolder tmpSignerCert = (X509CertificateHolder) signedDataCerts.iterator().next();
X509Certificate signerCert;
try {
signerCert = ScepUtil.toX509Cert(tmpSignerCert.toASN1Structure());
} catch (CertificateException ex) {
final String msg = "could not construct X509CertificateObject: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
ret.setSignatureCert(signerCert);
// validate the signature
SignerInformationVerifier verifier;
try {
verifier = new JcaSimpleSignerInfoVerifierBuilder().build(signerCert.getPublicKey());
} catch (OperatorCreationException ex) {
final String msg = "could not build signature verifier: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
boolean signatureValid;
try {
signatureValid = signerInfo.verify(verifier);
} catch (CMSException ex) {
final String msg = "could not verify the signature: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
ret.setSignatureValid(signatureValid);
if (!signatureValid) {
return ret;
}
// MessageData
CMSTypedData signedContent = pkiMessage.getSignedContent();
ASN1ObjectIdentifier signedContentType = signedContent.getContentType();
if (!CMSObjectIdentifiers.signedData.equals(signedContentType)) {
// fall back: some SCEP client use id-data
if (!CMSObjectIdentifiers.data.equals(signedContentType)) {
ret.setFailureMessage("either id-signedData or id-data is excepted, but not '" + signedContentType.getId());
return ret;
}
}
ContentInfo contentInfo = ContentInfo.getInstance((byte[]) signedContent.getContent());
SignedData signedData = SignedData.getInstance(contentInfo.getContent());
List<X509Certificate> certs;
try {
certs = ScepUtil.getCertsFromSignedData(signedData);
} catch (CertificateException ex) {
final String msg = "could not extract Certificates from the message: " + ex.getMessage();
LOG.error(msg);
LOG.debug(msg, ex);
ret.setFailureMessage(msg);
return ret;
}
final int n = certs.size();
X509Certificate caCert = null;
List<X509Certificate> raCerts = new LinkedList<X509Certificate>();
for (int i = 0; i < n; i++) {
X509Certificate cert = certs.get(i);
if (cert.getBasicConstraints() > -1) {
if (caCert != null) {
final String msg = "multiple CA certificates is returned, but exactly 1 is expected";
LOG.error(msg);
ret.setFailureMessage(msg);
return ret;
}
caCert = cert;
} else {
raCerts.add(cert);
}
}
if (caCert == null) {
final String msg = "no CA certificate is returned";
LOG.error(msg);
ret.setFailureMessage(msg);
return ret;
}
X509Certificate[] locaRaCerts = raCerts.isEmpty() ? null : raCerts.toArray(new X509Certificate[0]);
AuthorityCertStore authorityCertStore = AuthorityCertStore.getInstance(caCert, locaRaCerts);
ret.setAuthorityCertStore(authorityCertStore);
return ret;
}
Also used :
AttributeTable(org.bouncycastle.asn1.cms.AttributeTable)
SignerInformation(org.bouncycastle.cms.SignerInformation)
CertificateException(java.security.cert.CertificateException)
SignerInformationStore(org.bouncycastle.cms.SignerInformationStore)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
SignerInformationVerifier(org.bouncycastle.cms.SignerInformationVerifier)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
CMSTypedData(org.bouncycastle.cms.CMSTypedData)
SignedData(org.bouncycastle.asn1.cms.SignedData)
CMSSignedData(org.bouncycastle.cms.CMSSignedData)
JcaSimpleSignerInfoVerifierBuilder(org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder)
Date(java.util.Date)
CMSException(org.bouncycastle.cms.CMSException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
CertificateException(java.security.cert.CertificateException)
X509Certificate(java.security.cert.X509Certificate)
LinkedList(java.util.LinkedList)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
SignerId(org.bouncycastle.cms.SignerId)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
CMSException(org.bouncycastle.cms.CMSException)
Aggregations
ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)24
IOException (java.io.IOException)13
X509Certificate (java.security.cert.X509Certificate)12
CMSSignedData (org.bouncycastle.cms.CMSSignedData)12
SignedData (org.bouncycastle.asn1.cms.SignedData)9
CertificateException (java.security.cert.CertificateException)7
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)7
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)6
CMSException (org.bouncycastle.cms.CMSException)6
CertificateEncodingException (java.security.cert.CertificateEncodingException)5
Date (java.util.Date)5
ASN1Set (org.bouncycastle.asn1.ASN1Set)5
IssuerAndSerialNumber (org.bouncycastle.asn1.cms.IssuerAndSerialNumber)5
MessageDecodingException (org.xipki.scep.exception.MessageDecodingException)5
BigInteger (java.math.BigInteger)4
ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)4
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)4
DERSet (org.bouncycastle.asn1.DERSet)4
DecodedPkiMessage (org.xipki.scep.message.DecodedPkiMessage)4
PkiMessage (org.xipki.scep.message.PkiMessage)4
