Example 6 with ScepClient
use of org.xipki.scep.client.ScepClient in project xipki by xipki.
the class CertPollCmd method execute0.
@Override
protected Object execute0() throws Exception {
CertificationRequest csr = CertificationRequest.getInstance(IoUtil.read(csrFile));
ScepClient client = getScepClient();
X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
X500Name caSubject = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
EnrolmentResponse resp = client.scepCertPoll(getIdentityKey(), getIdentityCert(), csr, caSubject);
if (resp.isFailure()) {
throw new CmdFailure("server returned 'failure'");
}
if (resp.isPending()) {
throw new CmdFailure("server returned 'pending'");
}
List<X509Certificate> certs = resp.getCertificates();
if (certs == null || certs.isEmpty()) {
throw new CmdFailure("received no certficate from server");
}
saveVerbose("saved certificate to file", new File(outputFile), certs.get(0).getEncoded());
return null;
}
Also used :
CmdFailure(org.xipki.console.karaf.CmdFailure)
ScepClient(org.xipki.scep.client.ScepClient)
EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse)
X500Name(org.bouncycastle.asn1.x500.X500Name)
File(java.io.File)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
X509Certificate(java.security.cert.X509Certificate)
Example 7 with ScepClient
use of org.xipki.scep.client.ScepClient in project xipki by xipki.
the class GetCertCmd method execute0.
@Override
protected Object execute0() throws Exception {
ScepClient client = getScepClient();
BigInteger serial = toBigInt(serialNumber);
X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
X500Name caSubject = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
List<X509Certificate> certs = client.scepGetCert(getIdentityKey(), getIdentityCert(), caSubject, serial);
if (certs == null || certs.isEmpty()) {
throw new CmdFailure("received no certficate from server");
}
saveVerbose("saved certificate to file", new File(outputFile), certs.get(0).getEncoded());
return null;
}
Also used :
CmdFailure(org.xipki.console.karaf.CmdFailure)
ScepClient(org.xipki.scep.client.ScepClient)
BigInteger(java.math.BigInteger)
X500Name(org.bouncycastle.asn1.x500.X500Name)
File(java.io.File)
X509Certificate(java.security.cert.X509Certificate)
Example 8 with ScepClient
use of org.xipki.scep.client.ScepClient in project xipki by xipki.
the class AbstractCaTest method test.
@Test
public void test() throws Exception {
CaIdentifier caId = new CaIdentifier("http://localhost:" + port + "/scep/pkiclient.exe", null);
CaCertValidator caCertValidator = new PreprovisionedCaCertValidator(ScepUtil.toX509Cert(scepServer.getCaCert()));
ScepClient client = new ScepClient(caId, caCertValidator);
client.setUseInsecureAlgorithms(useInsecureAlgorithms());
client.refresh();
CaCaps expCaCaps = getExpectedCaCaps();
// CACaps
CaCaps caCaps = client.getCaCaps();
Assert.assertEquals("CACaps", expCaCaps, caCaps);
// CA certificate
Certificate expCaCert = scepServer.getCaCert();
X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
if (!equals(expCaCert, caCert)) {
Assert.fail("Configured and received CA certificate not the same");
}
boolean withRa = isWithRa();
// RA
if (withRa) {
Certificate expRaCert = scepServer.getRaCert();
X509Certificate raSigCert = client.getAuthorityCertStore().getSignatureCert();
X509Certificate raEncCert = client.getAuthorityCertStore().getEncryptionCert();
Assert.assertEquals("RA certificate", raSigCert, raEncCert);
if (!equals(expRaCert, raSigCert)) {
Assert.fail("Configured and received RA certificate not the same");
}
}
// getNextCA
if (isWithNextCa()) {
AuthorityCertStore nextCa = client.scepNextCaCert();
Certificate expNextCaCert = scepServer.getNextCaCert();
X509Certificate nextCaCert = nextCa.getCaCert();
if (!equals(expNextCaCert, nextCaCert)) {
Assert.fail("Configured and received next CA certificate not the same");
}
if (withRa) {
Certificate expNextRaCert = scepServer.getNextRaCert();
X509Certificate nextRaSigCert = nextCa.getSignatureCert();
X509Certificate nextRaEncCert = nextCa.getEncryptionCert();
Assert.assertEquals("Next RA certificate", nextRaSigCert, nextRaEncCert);
if (!equals(expNextRaCert, nextRaSigCert)) {
Assert.fail("Configured and received next RA certificate not the same");
}
}
}
// enroll
CertificationRequest csr;
X509Certificate selfSignedCert;
X509Certificate enroledCert;
X500Name issuerName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
PrivateKey privKey;
{
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
kpGen.initialize(2048);
KeyPair keypair = kpGen.generateKeyPair();
privKey = keypair.getPrivate();
SubjectPublicKeyInfo subjectPublicKeyInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
X500Name subject = new X500Name("CN=EE1, OU=emulator, O=xipki.org, C=DE");
// first try without secret
PKCS10CertificationRequest p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, null, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
EnrolmentResponse enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
PkiStatus status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus without secret", PkiStatus.FAILURE, status);
// then try invalid secret
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, "invalid-" + secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
// try with valid secret
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
List<X509Certificate> certs = enrolResp.getCertificates();
Assert.assertTrue("number of received certificates", certs.size() > 0);
X509Certificate cert = certs.get(0);
Assert.assertNotNull("enroled certificate", cert);
enroledCert = cert;
// try :: self-signed certificate's subject different from the one of CSR
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(new X500Name("CN=dummy"), csr.getCertificationRequestInfo().getSubjectPublicKeyInfo(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
}
// certPoll
EnrolmentResponse enrolResp = client.scepCertPoll(privKey, selfSignedCert, csr, issuerName);
List<X509Certificate> certs = enrolResp.getCertificates();
Assert.assertTrue("number of received certificates", certs.size() > 0);
X509Certificate cert = certs.get(0);
Assert.assertNotNull("enrolled certificate", cert);
// getCert
certs = client.scepGetCert(privKey, selfSignedCert, issuerName, enroledCert.getSerialNumber());
Assert.assertTrue("number of received certificates", certs.size() > 0);
cert = certs.get(0);
Assert.assertNotNull("received certificate", cert);
// getCRL
X509CRL crl = client.scepGetCrl(privKey, enroledCert, issuerName, enroledCert.getSerialNumber());
Assert.assertNotNull("received CRL", crl);
// getNextCA
AuthorityCertStore nextCa = client.scepNextCaCert();
Assert.assertNotNull("nextCa", nextCa);
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
PkiStatus(org.xipki.scep.transaction.PkiStatus)
KeyPair(java.security.KeyPair)
PrivateKey(java.security.PrivateKey)
X509CRL(java.security.cert.X509CRL)
CaIdentifier(org.xipki.scep.client.CaIdentifier)
ScepClient(org.xipki.scep.client.ScepClient)
X500Name(org.bouncycastle.asn1.x500.X500Name)
KeyPairGenerator(java.security.KeyPairGenerator)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
X509Certificate(java.security.cert.X509Certificate)
CaCertValidator(org.xipki.scep.client.CaCertValidator)
PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator)
CaCaps(org.xipki.scep.message.CaCaps)
PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator)
EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse)
AuthorityCertStore(org.xipki.scep.message.AuthorityCertStore)
List(java.util.List)
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Test(org.junit.Test)
Aggregations
ScepClient (org.xipki.scep.client.ScepClient)8
X509Certificate (java.security.cert.X509Certificate)7
File (java.io.File)5
CmdFailure (org.xipki.console.karaf.CmdFailure)5
CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)4
X500Name (org.bouncycastle.asn1.x500.X500Name)4
CaCertValidator (org.xipki.scep.client.CaCertValidator)4
CaIdentifier (org.xipki.scep.client.CaIdentifier)4
EnrolmentResponse (org.xipki.scep.client.EnrolmentResponse)4
PrivateKey (java.security.PrivateKey)3
PreprovisionedCaCertValidator (org.xipki.scep.client.PreprovisionedCaCertValidator)3
X509CRL (java.security.cert.X509CRL)2
Certificate (org.bouncycastle.asn1.x509.Certificate)2
FileInputStream (java.io.FileInputStream)1
BigInteger (java.math.BigInteger)1
KeyPair (java.security.KeyPair)1
KeyPairGenerator (java.security.KeyPairGenerator)1
Date (java.util.Date)1
List (java.util.List)1
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)1
