Search in sources :

Example 1 with CaCertValidator

use of org.xipki.scep.client.CaCertValidator in project xipki by xipki.

the class ScepClientExample method main.

public static void main(String[] args) {
    try {
        X509Certificate caCert = ScepUtil.parseCert(ScepUtil.read(new FileInputStream(expandPath(CA_CERT_FILE))));
        CaIdentifier tmpCaId = new CaIdentifier(CA_URL, null);
        CaCertValidator caCertValidator = new PreprovisionedCaCertValidator(caCert);
        ScepClient client = new ScepClient(tmpCaId, caCertValidator);
        client.init();
        // Self-Signed Identity Certificate
        MyKeypair keypair = generateRsaKeypair();
        CertificationRequest csr = genCsr(keypair, getSubject(), challengePassword);
        // self-signed cert must use the same subject as in CSR
        X500Name subjectDn = csr.getCertificationRequestInfo().getSubject();
        X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(subjectDn, BigInteger.valueOf(1), new Date(), new Date(System.currentTimeMillis() + 24 * 3600 * 1000), subjectDn, keypair.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keypair.getPrivate());
        X509Certificate selfSignedCert = ScepUtil.parseCert(certGenerator.build(signer).getEncoded());
        // Enroll certificate - RSA
        EnrolmentResponse resp = (EnrolmentResponse) client.scepEnrol(csr, keypair.getPrivate(), selfSignedCert);
        if (resp.isFailure()) {
            throw new Exception("server returned 'failure'");
        }
        if (resp.isPending()) {
            throw new Exception("server returned 'pending'");
        }
        X509Certificate cert = resp.getCertificates().get(0);
        printCert("SCEP (RSA, Self-Signed Identity Cert)", cert);
        // Use the CA signed identity certificate
        X509Certificate identityCert = cert;
        PrivateKey identityKey = keypair.getPrivate();
        keypair = generateRsaKeypair();
        csr = genCsr(keypair, getSubject(), challengePassword);
        // Enroll certificate - RSA
        resp = (EnrolmentResponse) client.scepEnrol(csr, identityKey, identityCert);
        if (resp.isFailure()) {
            throw new Exception("server returned 'failure'");
        }
        if (resp.isPending()) {
            throw new Exception("server returned 'pending'");
        }
        cert = resp.getCertificates().get(0);
        printCert("SCEP (RSA, CA issued identity Cert)", cert);
        client.destroy();
    } catch (Exception ex) {
        ex.printStackTrace();
        System.exit(-1);
    }
}
Also used : PrivateKey(java.security.PrivateKey) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) CaIdentifier(org.xipki.scep.client.CaIdentifier) ContentSigner(org.bouncycastle.operator.ContentSigner) ScepClient(org.xipki.scep.client.ScepClient) X500Name(org.bouncycastle.asn1.x500.X500Name) X509Certificate(java.security.cert.X509Certificate) FileInputStream(java.io.FileInputStream) Date(java.util.Date) CaCertValidator(org.xipki.scep.client.CaCertValidator) PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator) PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)

Example 2 with CaCertValidator

use of org.xipki.scep.client.CaCertValidator in project xipki by xipki.

the class ClientAction method getScepClient.

protected ScepClient getScepClient() throws CertificateException, IOException {
    if (scepClient == null) {
        X509Certificate caCert = X509Util.parseCert(caCertFile);
        CaIdentifier tmpCaId = new CaIdentifier(url, caId);
        CaCertValidator caCertValidator = new PreprovisionedCaCertValidator(caCert);
        scepClient = new ScepClient(tmpCaId, caCertValidator);
    }
    return scepClient;
}
Also used : CaCertValidator(org.xipki.scep.client.CaCertValidator) PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator) PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator) CaIdentifier(org.xipki.scep.client.CaIdentifier) ScepClient(org.xipki.scep.client.ScepClient) X509Certificate(java.security.cert.X509Certificate)

Example 3 with CaCertValidator

use of org.xipki.scep.client.CaCertValidator in project xipki by xipki.

the class GetCaCertCmd method execute0.

@Override
protected Object execute0() throws Exception {
    CaIdentifier tmpCaId = new CaIdentifier(url, caId);
    CaCertValidator caCertValidator = new CaCertValidator() {

        @Override
        public boolean isTrusted(X509Certificate cert) {
            return true;
        }
    };
    ScepClient client = new ScepClient(tmpCaId, caCertValidator);
    client.init();
    X509Certificate caCert = client.getCaCert();
    if (caCert == null) {
        throw new CmdFailure("received no CA certficate from server");
    }
    saveVerbose("saved certificate to file", new File(outFile), caCert.getEncoded());
    return null;
}
Also used : CaCertValidator(org.xipki.scep.client.CaCertValidator) CmdFailure(org.xipki.console.karaf.CmdFailure) CaIdentifier(org.xipki.scep.client.CaIdentifier) ScepClient(org.xipki.scep.client.ScepClient) File(java.io.File) X509Certificate(java.security.cert.X509Certificate)

Example 4 with CaCertValidator

use of org.xipki.scep.client.CaCertValidator in project xipki by xipki.

the class AbstractCaTest method test.

@Test
public void test() throws Exception {
    CaIdentifier caId = new CaIdentifier("http://localhost:" + port + "/scep/pkiclient.exe", null);
    CaCertValidator caCertValidator = new PreprovisionedCaCertValidator(ScepUtil.toX509Cert(scepServer.getCaCert()));
    ScepClient client = new ScepClient(caId, caCertValidator);
    client.setUseInsecureAlgorithms(useInsecureAlgorithms());
    client.refresh();
    CaCaps expCaCaps = getExpectedCaCaps();
    // CACaps
    CaCaps caCaps = client.getCaCaps();
    Assert.assertEquals("CACaps", expCaCaps, caCaps);
    // CA certificate
    Certificate expCaCert = scepServer.getCaCert();
    X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
    if (!equals(expCaCert, caCert)) {
        Assert.fail("Configured and received CA certificate not the same");
    }
    boolean withRa = isWithRa();
    // RA
    if (withRa) {
        Certificate expRaCert = scepServer.getRaCert();
        X509Certificate raSigCert = client.getAuthorityCertStore().getSignatureCert();
        X509Certificate raEncCert = client.getAuthorityCertStore().getEncryptionCert();
        Assert.assertEquals("RA certificate", raSigCert, raEncCert);
        if (!equals(expRaCert, raSigCert)) {
            Assert.fail("Configured and received RA certificate not the same");
        }
    }
    // getNextCA
    if (isWithNextCa()) {
        AuthorityCertStore nextCa = client.scepNextCaCert();
        Certificate expNextCaCert = scepServer.getNextCaCert();
        X509Certificate nextCaCert = nextCa.getCaCert();
        if (!equals(expNextCaCert, nextCaCert)) {
            Assert.fail("Configured and received next CA certificate not the same");
        }
        if (withRa) {
            Certificate expNextRaCert = scepServer.getNextRaCert();
            X509Certificate nextRaSigCert = nextCa.getSignatureCert();
            X509Certificate nextRaEncCert = nextCa.getEncryptionCert();
            Assert.assertEquals("Next RA certificate", nextRaSigCert, nextRaEncCert);
            if (!equals(expNextRaCert, nextRaSigCert)) {
                Assert.fail("Configured and received next RA certificate not the same");
            }
        }
    }
    // enroll
    CertificationRequest csr;
    X509Certificate selfSignedCert;
    X509Certificate enroledCert;
    X500Name issuerName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    PrivateKey privKey;
    {
        KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
        kpGen.initialize(2048);
        KeyPair keypair = kpGen.generateKeyPair();
        privKey = keypair.getPrivate();
        SubjectPublicKeyInfo subjectPublicKeyInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
        X500Name subject = new X500Name("CN=EE1, OU=emulator, O=xipki.org, C=DE");
        // first try without secret
        PKCS10CertificationRequest p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, null, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
        EnrolmentResponse enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        PkiStatus status = enrolResp.getPkcsRep().getPkiStatus();
        Assert.assertEquals("PkiStatus without secret", PkiStatus.FAILURE, status);
        // then try invalid secret
        p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, "invalid-" + secret, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
        enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        status = enrolResp.getPkcsRep().getPkiStatus();
        Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
        // try with valid secret
        p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
        enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        List<X509Certificate> certs = enrolResp.getCertificates();
        Assert.assertTrue("number of received certificates", certs.size() > 0);
        X509Certificate cert = certs.get(0);
        Assert.assertNotNull("enroled certificate", cert);
        enroledCert = cert;
        // try :: self-signed certificate's subject different from the one of CSR
        p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(new X500Name("CN=dummy"), csr.getCertificationRequestInfo().getSubjectPublicKeyInfo(), privKey);
        enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        status = enrolResp.getPkcsRep().getPkiStatus();
        Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
    }
    // certPoll
    EnrolmentResponse enrolResp = client.scepCertPoll(privKey, selfSignedCert, csr, issuerName);
    List<X509Certificate> certs = enrolResp.getCertificates();
    Assert.assertTrue("number of received certificates", certs.size() > 0);
    X509Certificate cert = certs.get(0);
    Assert.assertNotNull("enrolled certificate", cert);
    // getCert
    certs = client.scepGetCert(privKey, selfSignedCert, issuerName, enroledCert.getSerialNumber());
    Assert.assertTrue("number of received certificates", certs.size() > 0);
    cert = certs.get(0);
    Assert.assertNotNull("received certificate", cert);
    // getCRL
    X509CRL crl = client.scepGetCrl(privKey, enroledCert, issuerName, enroledCert.getSerialNumber());
    Assert.assertNotNull("received CRL", crl);
    // getNextCA
    AuthorityCertStore nextCa = client.scepNextCaCert();
    Assert.assertNotNull("nextCa", nextCa);
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) PkiStatus(org.xipki.scep.transaction.PkiStatus) KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) X509CRL(java.security.cert.X509CRL) CaIdentifier(org.xipki.scep.client.CaIdentifier) ScepClient(org.xipki.scep.client.ScepClient) X500Name(org.bouncycastle.asn1.x500.X500Name) KeyPairGenerator(java.security.KeyPairGenerator) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) X509Certificate(java.security.cert.X509Certificate) CaCertValidator(org.xipki.scep.client.CaCertValidator) PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator) CaCaps(org.xipki.scep.message.CaCaps) PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator) EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse) AuthorityCertStore(org.xipki.scep.message.AuthorityCertStore) List(java.util.List) PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate) Test(org.junit.Test)

Aggregations

X509Certificate (java.security.cert.X509Certificate)4 CaCertValidator (org.xipki.scep.client.CaCertValidator)4 CaIdentifier (org.xipki.scep.client.CaIdentifier)4 ScepClient (org.xipki.scep.client.ScepClient)4 PreprovisionedCaCertValidator (org.xipki.scep.client.PreprovisionedCaCertValidator)3 PrivateKey (java.security.PrivateKey)2 CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)2 X500Name (org.bouncycastle.asn1.x500.X500Name)2 EnrolmentResponse (org.xipki.scep.client.EnrolmentResponse)2 File (java.io.File)1 FileInputStream (java.io.FileInputStream)1 KeyPair (java.security.KeyPair)1 KeyPairGenerator (java.security.KeyPairGenerator)1 X509CRL (java.security.cert.X509CRL)1 Date (java.util.Date)1 List (java.util.List)1 Certificate (org.bouncycastle.asn1.x509.Certificate)1 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)1 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)1 ContentSigner (org.bouncycastle.operator.ContentSigner)1