Example 1 with ScepClientException

Use of org.xipki.scep.client.exception.ScepClientException in project xipki by xipki.

Class Client, method decode.

private DecodedPkiMessage decode(CMSSignedData pkiMessage, PrivateKey recipientKey, X509Certificate recipientCert) throws ScepClientException {
    DecodedPkiMessage resp;
    try {
        // Verify the CMS signature against the known response signer certificates
        // and decrypt the enveloped content with the client's own identity key.
        resp = DecodedPkiMessage.decode(pkiMessage, recipientKey, recipientCert, responseSignerCerts);
    } catch (MessageDecodingException ex) {
        throw new ScepClientException(ex);
    }
    if (resp.getFailureMessage() != null) {
        throw new ScepClientException("Error: " + resp.getFailureMessage());
    }
    // Both flags are tri-state: null means the check was not performed.
    Boolean bo = resp.isSignatureValid();
    if (bo != null && !bo.booleanValue()) {
        throw new ScepClientException("Signature is invalid");
    }
    bo = resp.isDecryptionSuccessful();
    if (bo != null && !bo.booleanValue()) {
        throw new ScepClientException("Decryption failed");
    }
    // Replay protection: when a maximum signing-time bias is configured, the CMS
    // signingTime attribute must be present and within that window of local time.
    Date signingTime = resp.getSigningTime();
    long maxSigningTimeBias = getMaxSigningTimeBiasInMs();
    if (maxSigningTimeBias > 0) {
        if (signingTime == null) {
            throw new ScepClientException("CMS signingTime attribute is not present");
        }
        long now = System.currentTimeMillis();
        long diff = now - signingTime.getTime();
        if (diff < 0) {
            diff = -1 * diff;
        }
        if (diff > maxSigningTimeBias) {
            throw new ScepClientException("CMS signingTime is out of permitted period");
        }
    }
    // A valid signature is not enough: the signer must be exactly the CA/RA
    // signature certificate held in the authority certificate store.
    if (!resp.getSignatureCert().equals(authorityCertStore.getSignatureCert())) {
        throw new ScepClientException("the signature certificate must not be trusted");
    }
    return resp;
}
Also used : MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) ScepClientException(org.xipki.scep.client.exception.ScepClientException) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) Date(java.util.Date)

Example 2 with ScepClientException

Use of org.xipki.scep.client.exception.ScepClientException in project xipki by xipki.

Class Client, method encryptThenSign.

private ContentInfo encryptThenSign(PkiMessage request, PrivateKey identityKey, X509Certificate identityCert) throws ScepClientException {
    // Pick the strongest hash the CA advertises in its GetCACaps response;
    // MD5 is accepted only if the client was explicitly configured to allow insecure algorithms.
    ScepHashAlgo hashAlgo = caCaps.mostSecureHashAlgo();
    if (hashAlgo == ScepHashAlgo.MD5 && !useInsecureAlgorithms) {
        throw new ScepClientException("Scep server supports only MD5 but it not permitted in client");
    }
    String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(identityKey, hashAlgo);
    // Content-encryption algorithm, in order of preference: AES-128-CBC, then 3DES;
    // single DES only when insecure algorithms are permitted.
    ASN1ObjectIdentifier encAlgId;
    if (caCaps.containsCapability(CaCapability.AES)) {
        encAlgId = CMSAlgorithm.AES128_CBC;
    } else if (caCaps.containsCapability(CaCapability.DES3)) {
        encAlgId = CMSAlgorithm.DES_EDE3_CBC;
    } else if (useInsecureAlgorithms) {
        encAlgId = CMSAlgorithm.DES_CBC;
    } else {
        // no support of DES
        throw new ScepClientException("DES will not be supported by this client");
    }
    try {
        // Encrypt the message data to the CA/RA encryption certificate, then sign with the client identity.
        return request.encode(identityKey, signatureAlgorithm, identityCert, new X509Certificate[] { identityCert }, authorityCertStore.getEncryptionCert(), encAlgId);
    } catch (MessageEncodingException ex) {
        throw new ScepClientException(ex);
    }
}
Also used : ScepClientException(org.xipki.scep.client.exception.ScepClientException) ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo) MessageEncodingException(org.xipki.scep.exception.MessageEncodingException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 3 with ScepClientException

Use of org.xipki.scep.client.exception.ScepClientException in project xipki by xipki.

Class Client, method scepGetCrl.

public X509CRL scepGetCrl(PrivateKey identityKey, X509Certificate identityCert, X500Name issuer, BigInteger serialNumber) throws ScepClientException {
    ScepUtil.requireNonNull("identityKey", identityKey);
    ScepUtil.requireNonNull("identityCert", identityCert);
    ScepUtil.requireNonNull("issuer", issuer);
    ScepUtil.requireNonNull("serialNumber", serialNumber);
    initIfNotInited();
    // Build a GetCRL PKI message whose messageData is the IssuerAndSerialNumber of the certificate of interest.
    PkiMessage pkiMessage = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCRL);
    IssuerAndSerialNumber isn = new IssuerAndSerialNumber(issuer, serialNumber);
    pkiMessage.setMessageData(isn);
    ContentInfo request = encryptThenSign(pkiMessage, identityKey, identityCert);
    ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, request);
    CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
    // decode() verifies the signature, signer identity, signing time and decryption before the status is trusted.
    PkiMessage response = decode(cmsSignedData, identityKey, identityCert);
    if (response.getPkiStatus() != PkiStatus.SUCCESS) {
        throw new ScepClientException("server returned " + response.getPkiStatus());
    }
    // The CRL is carried as a degenerate SignedData inside the decrypted messageData.
    ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
    try {
        return ScepUtil.getCrlFromPkiMessage(SignedData.getInstance(messageData.getContent()));
    } catch (CRLException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ScepClientException(org.xipki.scep.client.exception.ScepClientException) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) PkiMessage(org.xipki.scep.message.PkiMessage) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) CMSSignedData(org.bouncycastle.cms.CMSSignedData) CRLException(java.security.cert.CRLException)

Example 4 with ScepClientException

Use of org.xipki.scep.client.exception.ScepClientException in project xipki by xipki.

Class Client, method scepCertPoll.

public EnrolmentResponse scepCertPoll(PrivateKey identityKey, X509Certificate identityCert, CertificationRequest csr, X500Name issuer) throws ScepClientException {
    ScepUtil.requireNonNull("csr", csr);
    // The poll must reuse the transaction ID of the original enrolment, which is
    // derived from the SHA-1 hash of the CSR's SubjectPublicKeyInfo.
    TransactionId tid;
    try {
        tid = TransactionId.sha1TransactionId(csr.getCertificationRequestInfo().getSubjectPublicKeyInfo());
    } catch (InvalidKeySpecException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }
    return scepCertPoll(identityKey, identityCert, tid, issuer, csr.getCertificationRequestInfo().getSubject());
}
Also used : ScepClientException(org.xipki.scep.client.exception.ScepClientException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) TransactionId(org.xipki.scep.transaction.TransactionId)

Example 5 with ScepClientException

Use of org.xipki.scep.client.exception.ScepClientException in project xipki by xipki.

Class ScepClient, method parseResponse.

protected ScepHttpResponse parseResponse(HttpURLConnection conn) throws ScepClientException {
    ScepUtil.requireNonNull("conn", conn);
    try {
        InputStream inputstream = conn.getInputStream();
        // Anything other than HTTP 200 is an error; release the stream before failing.
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            inputstream.close();
            throw new ScepClientException("bad response: " + conn.getResponseCode() + "    " + conn.getResponseMessage());
        }
        // The body is handed on unread; the caller parses it according to the content type.
        String contentType = conn.getContentType();
        int contentLength = conn.getContentLength();
        ScepHttpResponse resp = new ScepHttpResponse(contentType, contentLength, inputstream);
        String contentEncoding = conn.getContentEncoding();
        if (contentEncoding != null && !contentEncoding.isEmpty()) {
            resp.setContentEncoding(contentEncoding);
        }
        return resp;
    } catch (IOException ex) {
        throw new ScepClientException(ex);
    }
}
Also used : ScepClientException(org.xipki.scep.client.exception.ScepClientException) InputStream(java.io.InputStream) IOException(java.io.IOException)