Search in sources :

Example 6 with ScepClient

use of org.xipki.scep.client.ScepClient in project xipki by xipki.

the class CertPollCmd method execute0.

@Override
protected Object execute0() throws Exception {
    CertificationRequest csr = CertificationRequest.getInstance(IoUtil.read(csrFile));
    ScepClient client = getScepClient();
    X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
    X500Name caSubject = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    EnrolmentResponse resp = client.scepCertPoll(getIdentityKey(), getIdentityCert(), csr, caSubject);
    if (resp.isFailure()) {
        throw new CmdFailure("server returned 'failure'");
    }
    if (resp.isPending()) {
        throw new CmdFailure("server returned 'pending'");
    }
    List<X509Certificate> certs = resp.getCertificates();
    if (certs == null || certs.isEmpty()) {
        throw new CmdFailure("received no certficate from server");
    }
    saveVerbose("saved certificate to file", new File(outputFile), certs.get(0).getEncoded());
    return null;
}
Also used : CmdFailure(org.xipki.console.karaf.CmdFailure) ScepClient(org.xipki.scep.client.ScepClient) EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse) X500Name(org.bouncycastle.asn1.x500.X500Name) File(java.io.File) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) X509Certificate(java.security.cert.X509Certificate)

Example 7 with ScepClient

use of org.xipki.scep.client.ScepClient in project xipki by xipki.

the class GetCertCmd method execute0.

@Override
protected Object execute0() throws Exception {
    ScepClient client = getScepClient();
    BigInteger serial = toBigInt(serialNumber);
    X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
    X500Name caSubject = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    List<X509Certificate> certs = client.scepGetCert(getIdentityKey(), getIdentityCert(), caSubject, serial);
    if (certs == null || certs.isEmpty()) {
        throw new CmdFailure("received no certficate from server");
    }
    saveVerbose("saved certificate to file", new File(outputFile), certs.get(0).getEncoded());
    return null;
}
Also used : CmdFailure(org.xipki.console.karaf.CmdFailure) ScepClient(org.xipki.scep.client.ScepClient) BigInteger(java.math.BigInteger) X500Name(org.bouncycastle.asn1.x500.X500Name) File(java.io.File) X509Certificate(java.security.cert.X509Certificate)

Example 8 with ScepClient

use of org.xipki.scep.client.ScepClient in project xipki by xipki.

the class AbstractCaTest method test.

@Test
public void test() throws Exception {
    CaIdentifier caId = new CaIdentifier("http://localhost:" + port + "/scep/pkiclient.exe", null);
    CaCertValidator caCertValidator = new PreprovisionedCaCertValidator(ScepUtil.toX509Cert(scepServer.getCaCert()));
    ScepClient client = new ScepClient(caId, caCertValidator);
    client.setUseInsecureAlgorithms(useInsecureAlgorithms());
    client.refresh();
    CaCaps expCaCaps = getExpectedCaCaps();
    // CACaps
    CaCaps caCaps = client.getCaCaps();
    Assert.assertEquals("CACaps", expCaCaps, caCaps);
    // CA certificate
    Certificate expCaCert = scepServer.getCaCert();
    X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
    if (!equals(expCaCert, caCert)) {
        Assert.fail("Configured and received CA certificate not the same");
    }
    boolean withRa = isWithRa();
    // RA
    if (withRa) {
        Certificate expRaCert = scepServer.getRaCert();
        X509Certificate raSigCert = client.getAuthorityCertStore().getSignatureCert();
        X509Certificate raEncCert = client.getAuthorityCertStore().getEncryptionCert();
        Assert.assertEquals("RA certificate", raSigCert, raEncCert);
        if (!equals(expRaCert, raSigCert)) {
            Assert.fail("Configured and received RA certificate not the same");
        }
    }
    // getNextCA
    if (isWithNextCa()) {
        AuthorityCertStore nextCa = client.scepNextCaCert();
        Certificate expNextCaCert = scepServer.getNextCaCert();
        X509Certificate nextCaCert = nextCa.getCaCert();
        if (!equals(expNextCaCert, nextCaCert)) {
            Assert.fail("Configured and received next CA certificate not the same");
        }
        if (withRa) {
            Certificate expNextRaCert = scepServer.getNextRaCert();
            X509Certificate nextRaSigCert = nextCa.getSignatureCert();
            X509Certificate nextRaEncCert = nextCa.getEncryptionCert();
            Assert.assertEquals("Next RA certificate", nextRaSigCert, nextRaEncCert);
            if (!equals(expNextRaCert, nextRaSigCert)) {
                Assert.fail("Configured and received next RA certificate not the same");
            }
        }
    }
    // enroll
    CertificationRequest csr;
    X509Certificate selfSignedCert;
    X509Certificate enroledCert;
    X500Name issuerName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    PrivateKey privKey;
    {
        KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
        kpGen.initialize(2048);
        KeyPair keypair = kpGen.generateKeyPair();
        privKey = keypair.getPrivate();
        SubjectPublicKeyInfo subjectPublicKeyInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
        X500Name subject = new X500Name("CN=EE1, OU=emulator, O=xipki.org, C=DE");
        // first try without secret
        PKCS10CertificationRequest p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, null, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
        EnrolmentResponse enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        PkiStatus status = enrolResp.getPkcsRep().getPkiStatus();
        Assert.assertEquals("PkiStatus without secret", PkiStatus.FAILURE, status);
        // then try invalid secret
        p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, "invalid-" + secret, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
        enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        status = enrolResp.getPkcsRep().getPkiStatus();
        Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
        // try with valid secret
        p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
        enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        List<X509Certificate> certs = enrolResp.getCertificates();
        Assert.assertTrue("number of received certificates", certs.size() > 0);
        X509Certificate cert = certs.get(0);
        Assert.assertNotNull("enroled certificate", cert);
        enroledCert = cert;
        // try :: self-signed certificate's subject different from the one of CSR
        p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
        csr = p10Req.toASN1Structure();
        selfSignedCert = ScepUtil.generateSelfsignedCert(new X500Name("CN=dummy"), csr.getCertificationRequestInfo().getSubjectPublicKeyInfo(), privKey);
        enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
        status = enrolResp.getPkcsRep().getPkiStatus();
        Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
    }
    // certPoll
    EnrolmentResponse enrolResp = client.scepCertPoll(privKey, selfSignedCert, csr, issuerName);
    List<X509Certificate> certs = enrolResp.getCertificates();
    Assert.assertTrue("number of received certificates", certs.size() > 0);
    X509Certificate cert = certs.get(0);
    Assert.assertNotNull("enrolled certificate", cert);
    // getCert
    certs = client.scepGetCert(privKey, selfSignedCert, issuerName, enroledCert.getSerialNumber());
    Assert.assertTrue("number of received certificates", certs.size() > 0);
    cert = certs.get(0);
    Assert.assertNotNull("received certificate", cert);
    // getCRL
    X509CRL crl = client.scepGetCrl(privKey, enroledCert, issuerName, enroledCert.getSerialNumber());
    Assert.assertNotNull("received CRL", crl);
    // getNextCA
    AuthorityCertStore nextCa = client.scepNextCaCert();
    Assert.assertNotNull("nextCa", nextCa);
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) PkiStatus(org.xipki.scep.transaction.PkiStatus) KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) X509CRL(java.security.cert.X509CRL) CaIdentifier(org.xipki.scep.client.CaIdentifier) ScepClient(org.xipki.scep.client.ScepClient) X500Name(org.bouncycastle.asn1.x500.X500Name) KeyPairGenerator(java.security.KeyPairGenerator) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) X509Certificate(java.security.cert.X509Certificate) CaCertValidator(org.xipki.scep.client.CaCertValidator) PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator) CaCaps(org.xipki.scep.message.CaCaps) PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator) EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse) AuthorityCertStore(org.xipki.scep.message.AuthorityCertStore) List(java.util.List) PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate) Test(org.junit.Test)

Aggregations

ScepClient (org.xipki.scep.client.ScepClient)8 X509Certificate (java.security.cert.X509Certificate)7 File (java.io.File)5 CmdFailure (org.xipki.console.karaf.CmdFailure)5 CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)4 X500Name (org.bouncycastle.asn1.x500.X500Name)4 CaCertValidator (org.xipki.scep.client.CaCertValidator)4 CaIdentifier (org.xipki.scep.client.CaIdentifier)4 EnrolmentResponse (org.xipki.scep.client.EnrolmentResponse)4 PrivateKey (java.security.PrivateKey)3 PreprovisionedCaCertValidator (org.xipki.scep.client.PreprovisionedCaCertValidator)3 X509CRL (java.security.cert.X509CRL)2 Certificate (org.bouncycastle.asn1.x509.Certificate)2 FileInputStream (java.io.FileInputStream)1 BigInteger (java.math.BigInteger)1 KeyPair (java.security.KeyPair)1 KeyPairGenerator (java.security.KeyPairGenerator)1 Date (java.util.Date)1 List (java.util.List)1 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)1