
Example 6 with ScepClientException

use of org.xipki.scep.client.exception.ScepClientException in project xipki by xipki.

the class ScepClient method httpPost.

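/**
 * Sends an HTTP POST to {@code url} and hands the connection to {@link #parseResponse}.
 *
 * @param url                target URL; must not be {@code null}
 * @param requestContentType value for the {@code Content-Type} header, or {@code null} to
 *                           send the body without one
 * @param request            request body, or {@code null} to send a body-less POST
 * @return the parsed response produced by {@link #parseResponse}
 * @throws ScepClientException if opening the connection, writing the body or reading the
 *         reply fails; the underlying {@link IOException} is preserved as the cause
 */
@Override
protected ScepHttpResponse httpPost(String url, String requestContentType, byte[] request)
        throws ScepClientException {
    ScepUtil.requireNonNull("url", url);
    try {
        HttpURLConnection httpConn = openHttpConn(new URL(url));
        httpConn.setDoOutput(true);
        httpConn.setUseCaches(false);
        httpConn.setRequestMethod("POST");
        if (request != null) {
            if (requestContentType != null) {
                httpConn.setRequestProperty("Content-Type", requestContentType);
            }
            // NOTE(review): HttpURLConnection treats Content-Length as a restricted header and
            // may silently drop this property; setFixedLengthStreamingMode(request.length) is
            // the supported way to declare the body length -- confirm before relying on it.
            httpConn.setRequestProperty("Content-Length", Integer.toString(request.length));
            // try-with-resources: the original never closed the stream, so a failing
            // write()/flush() leaked the connection's output side.
            try (OutputStream out = httpConn.getOutputStream()) {
                out.write(request);
                out.flush();
            }
        }
        return parseResponse(httpConn);
    } catch (IOException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }
}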

Example 7 with ScepClientException

use of org.xipki.scep.client.exception.ScepClientException in project xipki by xipki.

the class Client method refresh.

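/**
 * Re-fetches the CA capabilities (GetCACaps) and the CA/RA certificates (GetCACert) from
 * the server and caches them in {@code caCaps}, {@code authorityCertStore} and
 * {@code responseSignerCerts}.
 *
 * @throws ScepClientException if either request fails, the returned CA certificate is not
 *         accepted by {@code caCertValidator}, or the signature certificate cannot be
 *         re-encoded; the underlying exception is preserved as the cause
 */
public void refresh() throws ScepClientException {
    // getCACaps
    ScepHttpResponse getCaCapsResp = httpSend(Operation.GetCACaps);
    // Decode with an explicit charset: new String(byte[]) uses the platform default on
    // JDK < 18, so the parsed capability list would depend on the host's locale settings.
    this.caCaps = CaCaps.getInstance(new String(getCaCapsResp.getContentBytes(),
            java.nio.charset.StandardCharsets.UTF_8));
    // getCACert
    ScepHttpResponse getCaCertResp = httpSend(Operation.GetCACert);
    this.authorityCertStore = retrieveCaCertStore(getCaCertResp, caCertValidator);
    X509CertificateHolder certHolder;
    try {
        certHolder = new X509CertificateHolder(
                this.authorityCertStore.getSignatureCert().getEncoded());
    } catch (CertificateEncodingException | IOException ex) {
        throw new ScepClientException(ex);
    }
    // the signature certificate is the only trusted signer for PKI responses
    this.responseSignerCerts =
            new CollectionStore<X509CertificateHolder>(Arrays.asList(certHolder));
}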

Example 8 with ScepClientException

use of org.xipki.scep.client.exception.ScepClientException in project xipki by xipki.

the class Client method retrieveCaCertStore.

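/**
 * Builds the {@link AuthorityCertStore} from a GetCACert response.
 * <p>
 * Two encodings are accepted, selected by the response Content-Type: a single DER CA
 * certificate ({@code ScepConstants.CT_X509_CA_CERT}), or a degenerate CMS SignedData
 * carrying exactly one CA certificate plus one or more RA certificates
 * ({@code ScepConstants.CT_X509_CA_RA_CERT}). The CA certificate must be accepted by
 * {@code caValidator}, and each RA certificate must be issued by that CA.
 *
 * @param resp        the GetCACert HTTP response
 * @param caValidator trust decision for the CA certificate
 * @return a store holding the CA certificate and, when present, the RA certificates
 * @throws ScepClientException on an unexpected Content-Type, malformed SignedData, a wrong
 *         number of CA certificates, an untrusted CA, or an RA certificate that is not
 *         issued by the CA
 */
private static AuthorityCertStore retrieveCaCertStore(ScepHttpResponse resp, CaCertValidator caValidator) throws ScepClientException {
    String ct = resp.getContentType();
    X509Certificate caCert = null;
    List<X509Certificate> raCerts = new LinkedList<X509Certificate>();
    if (ScepConstants.CT_X509_CA_CERT.equalsIgnoreCase(ct)) {
        caCert = parseCert(resp.getContentBytes());
    } else if (ScepConstants.CT_X509_CA_RA_CERT.equalsIgnoreCase(ct)) {
        ContentInfo contentInfo = ContentInfo.getInstance(resp.getContentBytes());
        SignedData signedData;
        try {
            signedData = SignedData.getInstance(contentInfo.getContent());
        } catch (IllegalArgumentException ex) {
            throw new ScepClientException("invalid SignedData message: " + ex.getMessage(), ex);
        }
        List<X509Certificate> certs;
        try {
            certs = ScepUtil.getCertsFromSignedData(signedData);
        } catch (CertificateException ex) {
            throw new ScepClientException(ex.getMessage(), ex);
        }
        final int n = certs.size();
        if (n < 2) {
            throw new ScepClientException("at least 2 certificates are expected, but only " + n + " is available");
        }
        // getBasicConstraints() is -1 unless the certificate carries basicConstraints cA=true,
        // so a non-negative value marks the CA; everything else is treated as an RA cert.
        for (X509Certificate cert : certs) {
            if (cert.getBasicConstraints() > -1) {
                if (caCert != null) {
                    throw new ScepClientException("multiple CA certificates are returned, but exactly 1 is expected");
                }
                caCert = cert;
            } else {
                raCerts.add(cert);
            }
        }
        if (caCert == null) {
            throw new ScepClientException("no CA certificate is returned");
        }
    } else {
        throw new ScepClientException("invalid Content-Type '" + ct + "'");
    }
    if (!caValidator.isTrusted(caCert)) {
        throw new ScepClientException("CA certificate '" + caCert.getSubjectX500Principal() + "' is not trusted");
    }
    if (raCerts.isEmpty()) {
        return AuthorityCertStore.getInstance(caCert);
    }
    AuthorityCertStore cs = AuthorityCertStore.getInstance(caCert, raCerts.toArray(new X509Certificate[0]));
    X509Certificate raEncCert = cs.getEncryptionCert();
    X509Certificate raSignCert = cs.getSignatureCert();
    try {
        if (!ScepUtil.issues(caCert, raEncCert)) {
            throw new ScepClientException("RA certificate '" + raEncCert.getSubjectX500Principal() + "' is not issued by the CA");
        }
        // BUG FIX: the original tested issues(caCert, raSignCert) without negation, so a
        // signature certificate NOT issued by the CA was accepted and one that was issued by
        // it was rejected. The check is skipped when both roles use the same certificate.
        if (raSignCert != raEncCert && !ScepUtil.issues(caCert, raSignCert)) {
            throw new ScepClientException("RA certificate '" + raSignCert.getSubjectX500Principal() + "' is not issued by the CA");
        }
    } catch (CertificateException ex) {
        throw new ScepClientException("invalid certificate: " + ex.getMessage(), ex);
    }
    return cs;
}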

Example 9 with ScepClientException

use of org.xipki.scep.client.exception.ScepClientException in project xipki by xipki.

the class Client method scepGetCert.

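/**
 * Retrieves a certificate from the SCEP server by issuer and serial number (GetCert).
 *
 * @param identityKey  private key used to sign the request and decrypt the reply
 * @param identityCert certificate matching {@code identityKey}
 * @param issuer       issuer name of the wanted certificate
 * @param serialNumber serial number of the wanted certificate
 * @return the certificates contained in the server's SignedData reply
 * @throws ScepClientException if any argument is {@code null}, the transport fails, the
 *         reply's recipient nonce does not match the request, the server reports a status
 *         other than {@code SUCCESS}, or the returned SignedData cannot be parsed
 */
public List<X509Certificate> scepGetCert(PrivateKey identityKey, X509Certificate identityCert, X500Name issuer, BigInteger serialNumber) throws ScepClientException {
    ScepUtil.requireNonNull("identityKey", identityKey);
    ScepUtil.requireNonNull("identityCert", identityCert);
    ScepUtil.requireNonNull("issuer", issuer);
    ScepUtil.requireNonNull("serialNumber", serialNumber);
    initIfNotInited();
    PkiMessage request = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCert);
    IssuerAndSerialNumber isn = new IssuerAndSerialNumber(issuer, serialNumber);
    request.setMessageData(isn);
    ContentInfo envRequest = encryptThenSign(request, identityKey, identityCert);
    ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, envRequest);
    CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
    DecodedPkiMessage response = decode(cmsSignedData, identityKey, identityCert);
    // Bind the reply to this request, as enroll() does; without it a replayed or
    // unrelated SUCCESS response would be accepted.
    assertSameNonce(request, response);
    if (response.getPkiStatus() != PkiStatus.SUCCESS) {
        throw new ScepClientException("server returned " + response.getPkiStatus());
    }
    ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
    SignedData signedData;
    try {
        // malformed ASN.1 surfaces as IllegalArgumentException; report it like
        // retrieveCaCertStore() does instead of letting it escape unwrapped
        signedData = SignedData.getInstance(messageData.getContent());
    } catch (IllegalArgumentException ex) {
        throw new ScepClientException("invalid SignedData message: " + ex.getMessage(), ex);
    }
    try {
        return ScepUtil.getCertsFromSignedData(signedData);
    } catch (CertificateException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }
}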

Example 10 with ScepClientException

use of org.xipki.scep.client.exception.ScepClientException in project xipki by xipki.

the class Client method enroll.

/**
 * Runs one enrolment round trip (PKCSReq / RenewalReq / UpdateReq, chosen by
 * {@code messageType}) for the given CSR and returns the decoded server reply.
 *
 * @param messageType  the SCEP message type to send
 * @param csr          certification request to enrol
 * @param identityKey  private key used to sign the request and decrypt the reply
 * @param identityCert certificate matching {@code identityKey}
 * @return the enrolment response wrapping the decoded PKI message
 * @throws ScepClientException if the transaction id cannot be derived from the CSR's
 *         public key, the transport fails, or the reply's nonce does not match the request
 */
private EnrolmentResponse enroll(MessageType messageType, CertificationRequest csr, PrivateKey identityKey, X509Certificate identityCert) throws ScepClientException {
    // the transaction id is derived from the subject public key, so retries of the
    // same CSR map to the same transaction
    final TransactionId transactionId;
    try {
        transactionId = TransactionId.sha1TransactionId(
                csr.getCertificationRequestInfo().getSubjectPublicKeyInfo());
    } catch (InvalidKeySpecException ex) {
        throw new ScepClientException(ex.getMessage(), ex);
    }
    final PkiMessage outbound = new PkiMessage(transactionId, messageType);
    outbound.setMessageData(csr);
    final ContentInfo wrapped = encryptThenSign(outbound, identityKey, identityCert);
    final ScepHttpResponse reply = httpSend(Operation.PKIOperation, wrapped);
    final DecodedPkiMessage inbound =
            decode(parsePkiMessage(reply.getContentBytes()), identityKey, identityCert);
    // reject replies whose recipient nonce does not match our sender nonce
    assertSameNonce(outbound, inbound);
    return new EnrolmentResponse(inbound);
}
