Example 1 with EnrolmentResponse
use of org.xipki.scep.client.EnrolmentResponse in project xipki by xipki.
the class ScepClientExample method main.
public static void main(String[] args) {
try {
X509Certificate caCert = ScepUtil.parseCert(ScepUtil.read(new FileInputStream(expandPath(CA_CERT_FILE))));
CaIdentifier tmpCaId = new CaIdentifier(CA_URL, null);
CaCertValidator caCertValidator = new PreprovisionedCaCertValidator(caCert);
ScepClient client = new ScepClient(tmpCaId, caCertValidator);
client.init();
// Self-Signed Identity Certificate
MyKeypair keypair = generateRsaKeypair();
CertificationRequest csr = genCsr(keypair, getSubject(), challengePassword);
// self-signed cert must use the same subject as in CSR
X500Name subjectDn = csr.getCertificationRequestInfo().getSubject();
X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(subjectDn, BigInteger.valueOf(1), new Date(), new Date(System.currentTimeMillis() + 24 * 3600 * 1000), subjectDn, keypair.getPublic());
ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keypair.getPrivate());
X509Certificate selfSignedCert = ScepUtil.parseCert(certGenerator.build(signer).getEncoded());
// Enroll certificate - RSA
EnrolmentResponse resp = (EnrolmentResponse) client.scepEnrol(csr, keypair.getPrivate(), selfSignedCert);
if (resp.isFailure()) {
throw new Exception("server returned 'failure'");
}
if (resp.isPending()) {
throw new Exception("server returned 'pending'");
}
X509Certificate cert = resp.getCertificates().get(0);
printCert("SCEP (RSA, Self-Signed Identity Cert)", cert);
// Use the CA signed identity certificate
X509Certificate identityCert = cert;
PrivateKey identityKey = keypair.getPrivate();
keypair = generateRsaKeypair();
csr = genCsr(keypair, getSubject(), challengePassword);
// Enroll certificate - RSA
resp = (EnrolmentResponse) client.scepEnrol(csr, identityKey, identityCert);
if (resp.isFailure()) {
throw new Exception("server returned 'failure'");
}
if (resp.isPending()) {
throw new Exception("server returned 'pending'");
}
cert = resp.getCertificates().get(0);
printCert("SCEP (RSA, CA issued identity Cert)", cert);
client.destroy();
} catch (Exception ex) {
ex.printStackTrace();
System.exit(-1);
}
}
Also used :
PrivateKey(java.security.PrivateKey)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
CaIdentifier(org.xipki.scep.client.CaIdentifier)
ContentSigner(org.bouncycastle.operator.ContentSigner)
ScepClient(org.xipki.scep.client.ScepClient)
X500Name(org.bouncycastle.asn1.x500.X500Name)
X509Certificate(java.security.cert.X509Certificate)
FileInputStream(java.io.FileInputStream)
Date(java.util.Date)
CaCertValidator(org.xipki.scep.client.CaCertValidator)
PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator)
PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
Example 2 with EnrolmentResponse
use of org.xipki.scep.client.EnrolmentResponse in project xipki by xipki.
the class EnrollCertCmd method execute0.
@Override
protected Object execute0() throws Exception {
ScepClient client = getScepClient();
CertificationRequest csr = CertificationRequest.getInstance(IoUtil.read(csrFile));
EnrolmentResponse resp;
PrivateKey key0 = getIdentityKey();
X509Certificate cert0 = getIdentityCert();
if (StringUtil.isBlank(method)) {
resp = client.scepEnrol(csr, key0, cert0);
} else if ("pkcs".equalsIgnoreCase(method)) {
resp = client.scepPkcsReq(csr, key0, cert0);
} else if ("renewal".equalsIgnoreCase(method)) {
resp = client.scepRenewalReq(csr, key0, cert0);
} else if ("update".equalsIgnoreCase(method)) {
resp = client.scepUpdateReq(csr, key0, cert0);
} else {
throw new CmdFailure("invalid enroll method");
}
if (resp.isFailure()) {
throw new CmdFailure("server returned 'failure'");
}
if (resp.isPending()) {
throw new CmdFailure("server returned 'pending'");
}
X509Certificate cert = resp.getCertificates().get(0);
saveVerbose("saved enrolled certificate to file", new File(outputFile), cert.getEncoded());
return null;
}
Also used :
PrivateKey(java.security.PrivateKey)
CmdFailure(org.xipki.console.karaf.CmdFailure)
ScepClient(org.xipki.scep.client.ScepClient)
EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse)
File(java.io.File)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
X509Certificate(java.security.cert.X509Certificate)
Example 3 with EnrolmentResponse
use of org.xipki.scep.client.EnrolmentResponse in project xipki by xipki.
the class CertPollCmd method execute0.
@Override
protected Object execute0() throws Exception {
CertificationRequest csr = CertificationRequest.getInstance(IoUtil.read(csrFile));
ScepClient client = getScepClient();
X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
X500Name caSubject = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
EnrolmentResponse resp = client.scepCertPoll(getIdentityKey(), getIdentityCert(), csr, caSubject);
if (resp.isFailure()) {
throw new CmdFailure("server returned 'failure'");
}
if (resp.isPending()) {
throw new CmdFailure("server returned 'pending'");
}
List<X509Certificate> certs = resp.getCertificates();
if (certs == null || certs.isEmpty()) {
throw new CmdFailure("received no certficate from server");
}
saveVerbose("saved certificate to file", new File(outputFile), certs.get(0).getEncoded());
return null;
}
Also used :
CmdFailure(org.xipki.console.karaf.CmdFailure)
ScepClient(org.xipki.scep.client.ScepClient)
EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse)
X500Name(org.bouncycastle.asn1.x500.X500Name)
File(java.io.File)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
X509Certificate(java.security.cert.X509Certificate)
Example 4 with EnrolmentResponse
use of org.xipki.scep.client.EnrolmentResponse in project xipki by xipki.
the class AbstractCaTest method test.
@Test
public void test() throws Exception {
CaIdentifier caId = new CaIdentifier("http://localhost:" + port + "/scep/pkiclient.exe", null);
CaCertValidator caCertValidator = new PreprovisionedCaCertValidator(ScepUtil.toX509Cert(scepServer.getCaCert()));
ScepClient client = new ScepClient(caId, caCertValidator);
client.setUseInsecureAlgorithms(useInsecureAlgorithms());
client.refresh();
CaCaps expCaCaps = getExpectedCaCaps();
// CACaps
CaCaps caCaps = client.getCaCaps();
Assert.assertEquals("CACaps", expCaCaps, caCaps);
// CA certificate
Certificate expCaCert = scepServer.getCaCert();
X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
if (!equals(expCaCert, caCert)) {
Assert.fail("Configured and received CA certificate not the same");
}
boolean withRa = isWithRa();
// RA
if (withRa) {
Certificate expRaCert = scepServer.getRaCert();
X509Certificate raSigCert = client.getAuthorityCertStore().getSignatureCert();
X509Certificate raEncCert = client.getAuthorityCertStore().getEncryptionCert();
Assert.assertEquals("RA certificate", raSigCert, raEncCert);
if (!equals(expRaCert, raSigCert)) {
Assert.fail("Configured and received RA certificate not the same");
}
}
// getNextCA
if (isWithNextCa()) {
AuthorityCertStore nextCa = client.scepNextCaCert();
Certificate expNextCaCert = scepServer.getNextCaCert();
X509Certificate nextCaCert = nextCa.getCaCert();
if (!equals(expNextCaCert, nextCaCert)) {
Assert.fail("Configured and received next CA certificate not the same");
}
if (withRa) {
Certificate expNextRaCert = scepServer.getNextRaCert();
X509Certificate nextRaSigCert = nextCa.getSignatureCert();
X509Certificate nextRaEncCert = nextCa.getEncryptionCert();
Assert.assertEquals("Next RA certificate", nextRaSigCert, nextRaEncCert);
if (!equals(expNextRaCert, nextRaSigCert)) {
Assert.fail("Configured and received next RA certificate not the same");
}
}
}
// enroll
CertificationRequest csr;
X509Certificate selfSignedCert;
X509Certificate enroledCert;
X500Name issuerName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
PrivateKey privKey;
{
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
kpGen.initialize(2048);
KeyPair keypair = kpGen.generateKeyPair();
privKey = keypair.getPrivate();
SubjectPublicKeyInfo subjectPublicKeyInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
X500Name subject = new X500Name("CN=EE1, OU=emulator, O=xipki.org, C=DE");
// first try without secret
PKCS10CertificationRequest p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, null, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
EnrolmentResponse enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
PkiStatus status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus without secret", PkiStatus.FAILURE, status);
// then try invalid secret
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, "invalid-" + secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
// try with valid secret
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
List<X509Certificate> certs = enrolResp.getCertificates();
Assert.assertTrue("number of received certificates", certs.size() > 0);
X509Certificate cert = certs.get(0);
Assert.assertNotNull("enroled certificate", cert);
enroledCert = cert;
// try :: self-signed certificate's subject different from the one of CSR
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(new X500Name("CN=dummy"), csr.getCertificationRequestInfo().getSubjectPublicKeyInfo(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
}
// certPoll
EnrolmentResponse enrolResp = client.scepCertPoll(privKey, selfSignedCert, csr, issuerName);
List<X509Certificate> certs = enrolResp.getCertificates();
Assert.assertTrue("number of received certificates", certs.size() > 0);
X509Certificate cert = certs.get(0);
Assert.assertNotNull("enrolled certificate", cert);
// getCert
certs = client.scepGetCert(privKey, selfSignedCert, issuerName, enroledCert.getSerialNumber());
Assert.assertTrue("number of received certificates", certs.size() > 0);
cert = certs.get(0);
Assert.assertNotNull("received certificate", cert);
// getCRL
X509CRL crl = client.scepGetCrl(privKey, enroledCert, issuerName, enroledCert.getSerialNumber());
Assert.assertNotNull("received CRL", crl);
// getNextCA
AuthorityCertStore nextCa = client.scepNextCaCert();
Assert.assertNotNull("nextCa", nextCa);
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
PkiStatus(org.xipki.scep.transaction.PkiStatus)
KeyPair(java.security.KeyPair)
PrivateKey(java.security.PrivateKey)
X509CRL(java.security.cert.X509CRL)
CaIdentifier(org.xipki.scep.client.CaIdentifier)
ScepClient(org.xipki.scep.client.ScepClient)
X500Name(org.bouncycastle.asn1.x500.X500Name)
KeyPairGenerator(java.security.KeyPairGenerator)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
X509Certificate(java.security.cert.X509Certificate)
CaCertValidator(org.xipki.scep.client.CaCertValidator)
PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator)
CaCaps(org.xipki.scep.message.CaCaps)
PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator)
EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse)
AuthorityCertStore(org.xipki.scep.message.AuthorityCertStore)
List(java.util.List)
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Test(org.junit.Test)
Aggregations
X509Certificate (java.security.cert.X509Certificate)4
CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)4
EnrolmentResponse (org.xipki.scep.client.EnrolmentResponse)4
ScepClient (org.xipki.scep.client.ScepClient)4
PrivateKey (java.security.PrivateKey)3
X500Name (org.bouncycastle.asn1.x500.X500Name)3
File (java.io.File)2
CmdFailure (org.xipki.console.karaf.CmdFailure)2
CaCertValidator (org.xipki.scep.client.CaCertValidator)2
CaIdentifier (org.xipki.scep.client.CaIdentifier)2
PreprovisionedCaCertValidator (org.xipki.scep.client.PreprovisionedCaCertValidator)2
FileInputStream (java.io.FileInputStream)1
KeyPair (java.security.KeyPair)1
KeyPairGenerator (java.security.KeyPairGenerator)1
X509CRL (java.security.cert.X509CRL)1
Date (java.util.Date)1
List (java.util.List)1
Certificate (org.bouncycastle.asn1.x509.Certificate)1
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)1
X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)1
