Search in sources :

Example 1 with ScepHashAlgo

use of org.xipki.scep.crypto.ScepHashAlgo in project xipki by xipki.

the class ScepResponder method servicePkiOperation0.

private PkiMessage servicePkiOperation0(DecodedPkiMessage req, AuditEvent event) throws MessageDecodingException, CaException {
    TransactionId tid = req.getTransactionId();
    PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce());
    rep.setPkiStatus(PkiStatus.SUCCESS);
    rep.setRecipientNonce(req.getSenderNonce());
    if (req.getFailureMessage() != null) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    Boolean bo = req.isSignatureValid();
    if (bo != null && !bo.booleanValue()) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badMessageCheck);
    }
    bo = req.isDecryptionSuccessful();
    if (bo != null && !bo.booleanValue()) {
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    Date signingTime = req.getSigningTime();
    if (maxSigningTimeBiasInMs > 0) {
        boolean isTimeBad = false;
        if (signingTime == null) {
            isTimeBad = true;
        } else {
            long now = System.currentTimeMillis();
            long diff = now - signingTime.getTime();
            if (diff < 0) {
                diff = -1 * diff;
            }
            isTimeBad = diff > maxSigningTimeBiasInMs;
        }
        if (isTimeBad) {
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badTime);
        }
    }
    // check the digest algorithm
    String oid = req.getDigestAlgorithm().getId();
    ScepHashAlgo hashAlgo = ScepHashAlgo.forNameOrOid(oid);
    if (hashAlgo == null) {
        LOG.warn("tid={}: unknown digest algorithm {}", tid, oid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    // end if
    boolean supported = false;
    if (hashAlgo == ScepHashAlgo.SHA1) {
        if (caCaps.containsCapability(CaCapability.SHA1)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.SHA256) {
        if (caCaps.containsCapability(CaCapability.SHA256)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.SHA512) {
        if (caCaps.containsCapability(CaCapability.SHA512)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.MD5) {
        if (control.isUseInsecureAlg()) {
            supported = true;
        }
    }
    if (!supported) {
        LOG.warn("tid={}: unsupported digest algorithm {}", tid, oid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    // end if
    // check the content encryption algorithm
    ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
    if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
        if (!caCaps.containsCapability(CaCapability.DES3)) {
            LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else if (AES_ENC_ALGS.contains(encOid)) {
        if (!caCaps.containsCapability(CaCapability.AES)) {
            LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else if (CMSAlgorithm.DES_CBC.equals(encOid)) {
        if (!control.isUseInsecureAlg()) {
            LOG.warn("tid={}: encryption with DES algorithm {} is not permitted", tid, encOid);
            return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
        }
    } else {
        LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
        return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg);
    }
    if (rep.getPkiStatus() == PkiStatus.FAILURE) {
        return rep;
    }
    MessageType messageType = req.getMessageType();
    switch(messageType) {
        case PKCSReq:
            boolean selfSigned = req.getSignatureCert().getIssuerX500Principal().equals(req.getSignatureCert().getIssuerX500Principal());
            CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData());
            if (selfSigned) {
                X500Name name = X500Name.getInstance(req.getSignatureCert().getSubjectX500Principal().getEncoded());
                if (!name.equals(csr.getCertificationRequestInfo().getSubject())) {
                    LOG.warn("tid={}: self-signed cert.subject != CSR.subject", tid);
                    return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
                }
            }
            String challengePwd = getChallengePassword(csr.getCertificationRequestInfo());
            if (challengePwd == null || !control.getSecret().equals(challengePwd)) {
                LOG.warn("challengePassword is not trusted");
                return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            }
            Certificate cert;
            try {
                cert = caEmulator.generateCert(csr);
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (cert != null && control.isPendingCert()) {
                rep.setPkiStatus(PkiStatus.PENDING);
            } else if (cert != null) {
                ContentInfo messageData = createSignedData(cert);
                rep.setMessageData(messageData);
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case CertPoll:
            IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
            cert = caEmulator.pollCert(is.getIssuer(), is.getSubject());
            if (cert != null) {
                rep.setMessageData(createSignedData(cert));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case GetCert:
            IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
            cert = caEmulator.getCert(isn.getName(), isn.getSerialNumber().getValue());
            if (cert != null) {
                rep.setMessageData(createSignedData(cert));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        case RenewalReq:
            if (!caCaps.containsCapability(CaCapability.Renewal)) {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            } else {
                csr = CertificationRequest.getInstance(req.getMessageData());
                try {
                    cert = caEmulator.generateCert(csr);
                } catch (Exception ex) {
                    throw new CaException("system failure: " + ex.getMessage(), ex);
                }
                if (cert != null) {
                    rep.setMessageData(createSignedData(cert));
                } else {
                    rep.setPkiStatus(PkiStatus.FAILURE);
                    rep.setFailInfo(FailInfo.badCertId);
                }
            }
            break;
        case UpdateReq:
            if (!caCaps.containsCapability(CaCapability.Update)) {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
            } else {
                csr = CertificationRequest.getInstance(req.getMessageData());
                try {
                    cert = caEmulator.generateCert(csr);
                } catch (Exception ex) {
                    throw new CaException("system failure: " + ex.getMessage(), ex);
                }
                if (cert != null) {
                    rep.setMessageData(createSignedData(cert));
                } else {
                    buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
                }
            }
            break;
        case GetCRL:
            isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
            CertificateList crl;
            try {
                crl = caEmulator.getCrl(isn.getName(), isn.getSerialNumber().getValue());
            } catch (Exception ex) {
                throw new CaException("system failure: " + ex.getMessage(), ex);
            }
            if (crl != null) {
                rep.setMessageData(createSignedData(crl));
            } else {
                buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badCertId);
            }
            break;
        default:
            buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest);
    }
    return rep;
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo) CertificateList(org.bouncycastle.asn1.x509.CertificateList) ASN1String(org.bouncycastle.asn1.ASN1String) X500Name(org.bouncycastle.asn1.x500.X500Name) Date(java.util.Date) CMSException(org.bouncycastle.cms.CMSException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) CertificateException(java.security.cert.CertificateException) IssuerAndSubject(org.xipki.scep.message.IssuerAndSubject) TransactionId(org.xipki.scep.transaction.TransactionId) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) PkiMessage(org.xipki.scep.message.PkiMessage) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) MessageType(org.xipki.scep.transaction.MessageType) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 2 with ScepHashAlgo

use of org.xipki.scep.crypto.ScepHashAlgo in project xipki by xipki.

the class Client method encryptThenSign.

private ContentInfo encryptThenSign(PkiMessage request, PrivateKey identityKey, X509Certificate identityCert) throws ScepClientException {
    ScepHashAlgo hashAlgo = caCaps.mostSecureHashAlgo();
    if (hashAlgo == ScepHashAlgo.MD5 && !useInsecureAlgorithms) {
        throw new ScepClientException("Scep server supports only MD5 but it not permitted in client");
    }
    String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(identityKey, hashAlgo);
    ASN1ObjectIdentifier encAlgId;
    if (caCaps.containsCapability(CaCapability.AES)) {
        encAlgId = CMSAlgorithm.AES128_CBC;
    } else if (caCaps.containsCapability(CaCapability.DES3)) {
        encAlgId = CMSAlgorithm.DES_EDE3_CBC;
    } else if (useInsecureAlgorithms) {
        encAlgId = CMSAlgorithm.DES_CBC;
    } else {
        // no support of DES
        throw new ScepClientException("DES will not be supported by this client");
    }
    try {
        return request.encode(identityKey, signatureAlgorithm, identityCert, new X509Certificate[] { identityCert }, authorityCertStore.getEncryptionCert(), encAlgId);
    } catch (MessageEncodingException ex) {
        throw new ScepClientException(ex);
    }
}
Also used : ScepClientException(org.xipki.scep.client.exception.ScepClientException) ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo) MessageEncodingException(org.xipki.scep.exception.MessageEncodingException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 3 with ScepHashAlgo

use of org.xipki.scep.crypto.ScepHashAlgo in project xipki by xipki.

the class ScepImpl method servicePkiOperation0.

// method servicePkiOperation
private PkiMessage servicePkiOperation0(CMSSignedData requestContent, DecodedPkiMessage req, String certProfileName, String msgId, AuditEvent event) throws MessageDecodingException, OperationException {
    ParamUtil.requireNonNull("requestContent", requestContent);
    ParamUtil.requireNonNull("req", req);
    String tid = req.getTransactionId().getId();
    // verify and decrypt the request
    audit(event, CaAuditConstants.NAME_tid, tid);
    if (req.getFailureMessage() != null) {
        audit(event, CaAuditConstants.NAME_SCEP_failureMessage, req.getFailureMessage());
    }
    Boolean bo = req.isSignatureValid();
    if (bo != null && !bo.booleanValue()) {
        audit(event, CaAuditConstants.NAME_SCEP_signature, "invalid");
    }
    bo = req.isDecryptionSuccessful();
    if (bo != null && !bo.booleanValue()) {
        audit(event, CaAuditConstants.NAME_SCEP_decryption, "failed");
    }
    PkiMessage rep = new PkiMessage(req.getTransactionId(), MessageType.CertRep, Nonce.randomNonce());
    rep.setRecipientNonce(req.getSenderNonce());
    if (req.getFailureMessage() != null) {
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badRequest);
        return rep;
    }
    bo = req.isSignatureValid();
    if (bo != null && !bo.booleanValue()) {
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badMessageCheck);
        return rep;
    }
    bo = req.isDecryptionSuccessful();
    if (bo != null && !bo.booleanValue()) {
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badRequest);
        return rep;
    }
    Date signingTime = req.getSigningTime();
    if (maxSigningTimeBiasInMs > 0) {
        boolean isTimeBad = false;
        if (signingTime == null) {
            isTimeBad = true;
        } else {
            long now = System.currentTimeMillis();
            long diff = now - signingTime.getTime();
            if (diff < 0) {
                diff = -1 * diff;
            }
            isTimeBad = diff > maxSigningTimeBiasInMs;
        }
        if (isTimeBad) {
            rep.setPkiStatus(PkiStatus.FAILURE);
            rep.setFailInfo(FailInfo.badTime);
            return rep;
        }
    }
    // end if
    // check the digest algorithm
    String oid = req.getDigestAlgorithm().getId();
    ScepHashAlgo hashAlgo = ScepHashAlgo.forNameOrOid(oid);
    if (hashAlgo == null) {
        LOG.warn("tid={}: unknown digest algorithm {}", tid, oid);
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badAlg);
        return rep;
    }
    boolean supported = false;
    if (hashAlgo == ScepHashAlgo.SHA1) {
        if (caCaps.containsCapability(CaCapability.SHA1)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.SHA256) {
        if (caCaps.containsCapability(CaCapability.SHA256)) {
            supported = true;
        }
    } else if (hashAlgo == ScepHashAlgo.SHA512) {
        if (caCaps.containsCapability(CaCapability.SHA512)) {
            supported = true;
        }
    }
    if (!supported) {
        LOG.warn("tid={}: unsupported digest algorithm {}", tid, oid);
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badAlg);
        return rep;
    }
    // check the content encryption algorithm
    ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm();
    if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) {
        if (!caCaps.containsCapability(CaCapability.DES3)) {
            LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", tid, encOid);
            rep.setPkiStatus(PkiStatus.FAILURE);
            rep.setFailInfo(FailInfo.badAlg);
            return rep;
        }
    } else if (AES_ENC_ALGOS.contains(encOid)) {
        if (!caCaps.containsCapability(CaCapability.AES)) {
            LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid);
            rep.setPkiStatus(PkiStatus.FAILURE);
            rep.setFailInfo(FailInfo.badAlg);
            return rep;
        }
    } else {
        LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid);
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(FailInfo.badAlg);
        return rep;
    }
    X509Ca ca;
    try {
        ca = caManager.getX509Ca(caIdent);
    } catch (CaMgmtException ex) {
        LogUtil.error(LOG, ex, tid + "=" + tid + ",could not get X509CA");
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
    X500Name caX500Name = ca.getCaInfo().getCert().getSubjectAsX500Name();
    try {
        SignedData signedData;
        MessageType mt = req.getMessageType();
        audit(event, CaAuditConstants.NAME_SCEP_messageType, mt.toString());
        switch(mt) {
            case PKCSReq:
            case RenewalReq:
            case UpdateReq:
                CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData());
                X500Name reqSubject = csr.getCertificationRequestInfo().getSubject();
                if (LOG.isInfoEnabled()) {
                    LOG.info("tid={}, subject={}", tid, X509Util.getRfc4519Name(reqSubject));
                }
                try {
                    ca.checkCsr(csr);
                } catch (OperationException ex) {
                    LogUtil.warn(LOG, ex, "tid=" + tid + " POPO verification failed");
                    throw FailInfoException.BAD_MESSAGE_CHECK;
                }
                CertificationRequestInfo csrReqInfo = csr.getCertificationRequestInfo();
                X509Certificate reqSignatureCert = req.getSignatureCert();
                X500Principal reqSigCertSubject = reqSignatureCert.getSubjectX500Principal();
                boolean selfSigned = reqSigCertSubject.equals(reqSignatureCert.getIssuerX500Principal());
                if (selfSigned) {
                    X500Name tmp = X500Name.getInstance(reqSigCertSubject.getEncoded());
                    if (!tmp.equals(csrReqInfo.getSubject())) {
                        LOG.warn("tid={}, self-signed identityCert.subject != csr.subject");
                        throw FailInfoException.BAD_REQUEST;
                    }
                }
                if (X509Util.getCommonName(csrReqInfo.getSubject()) == null) {
                    throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "tid=" + tid + ": no CommonName in requested subject");
                }
                NameId userIdent = null;
                String challengePwd = CaUtil.getChallengePassword(csrReqInfo);
                if (challengePwd != null) {
                    String[] strs = challengePwd.split(":");
                    if (strs == null || strs.length != 2) {
                        LOG.warn("tid={}: challengePassword does not have the format <user>:<password>", tid);
                        throw FailInfoException.BAD_REQUEST;
                    }
                    String user = strs[0];
                    String password = strs[1];
                    userIdent = ca.authenticateUser(user, password.getBytes());
                    if (userIdent == null) {
                        LOG.warn("tid={}: could not authenticate user {}", tid, user);
                        throw FailInfoException.BAD_REQUEST;
                    }
                }
                if (selfSigned) {
                    if (MessageType.PKCSReq != mt) {
                        LOG.warn("tid={}: self-signed certificate is not permitted for" + " messageType {}", tid, mt);
                        throw FailInfoException.BAD_REQUEST;
                    }
                    if (userIdent == null) {
                        LOG.warn("tid={}: could not extract user & password from challengePassword" + ", which are required for self-signed signature certificate", tid);
                        throw FailInfoException.BAD_REQUEST;
                    }
                } else {
                    // certificate is known by the CA
                    if (userIdent == null) {
                        // up to draft-nourse-scep-23 the client sends all messages to enroll
                        // certificate via MessageType PKCSReq
                        KnowCertResult knowCertRes = ca.knowsCertificate(reqSignatureCert);
                        if (!knowCertRes.isKnown()) {
                            LOG.warn("tid={}: signature certificate is not trusted by the CA", tid);
                            throw FailInfoException.BAD_REQUEST;
                        }
                        Integer userId = knowCertRes.getUserId();
                        if (userId == null) {
                            LOG.warn("tid={}: could not extract user from the signature cert", tid);
                            throw FailInfoException.BAD_REQUEST;
                        }
                        userIdent = ca.getUserIdent(userId);
                    }
                // end if
                }
                // end if
                ByUserRequestorInfo requestor = ca.getByUserRequestor(userIdent);
                checkUserPermission(requestor, certProfileName);
                byte[] tidBytes = getTransactionIdBytes(tid);
                Extensions extensions = CaUtil.getExtensions(csrReqInfo);
                CertTemplateData certTemplateData = new CertTemplateData(csrReqInfo.getSubject(), csrReqInfo.getSubjectPublicKeyInfo(), (Date) null, (Date) null, extensions, certProfileName);
                X509CertificateInfo cert = ca.generateCertificate(certTemplateData, requestor, RequestType.SCEP, tidBytes, msgId);
                /* Don't save SCEP message, since it contains password in plaintext
          if (ca.getCaInfo().isSaveRequest() && cert.getCert().getCertId() != null) {
            byte[] encodedRequest;
            try {
              encodedRequest = requestContent.getEncoded();
            } catch (IOException ex) {
              LOG.warn("could not encode request");
              encodedRequest = null;
            }
            if (encodedRequest != null) {
              long reqId = ca.addRequest(encodedRequest);
              ca.addRequestCert(reqId, cert.getCert().getCertId());
            }
          }*/
                signedData = buildSignedData(cert.getCert().getCert());
                break;
            case CertPoll:
                IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData());
                audit(event, CaAuditConstants.NAME_issuer, X509Util.getRfc4519Name(is.getIssuer()));
                audit(event, CaAuditConstants.NAME_subject, X509Util.getRfc4519Name(is.getSubject()));
                ensureIssuedByThisCa(caX500Name, is.getIssuer());
                signedData = pollCert(ca, is.getSubject(), req.getTransactionId());
                break;
            case GetCert:
                IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
                BigInteger serial = isn.getSerialNumber().getPositiveValue();
                audit(event, CaAuditConstants.NAME_issuer, X509Util.getRfc4519Name(isn.getName()));
                audit(event, CaAuditConstants.NAME_serial, LogUtil.formatCsn(serial));
                ensureIssuedByThisCa(caX500Name, isn.getName());
                signedData = getCert(ca, isn.getSerialNumber().getPositiveValue());
                break;
            case GetCRL:
                isn = IssuerAndSerialNumber.getInstance(req.getMessageData());
                serial = isn.getSerialNumber().getPositiveValue();
                audit(event, CaAuditConstants.NAME_issuer, X509Util.getRfc4519Name(isn.getName()));
                audit(event, CaAuditConstants.NAME_serial, LogUtil.formatCsn(serial));
                ensureIssuedByThisCa(caX500Name, isn.getName());
                signedData = getCrl(ca, serial);
                break;
            default:
                LOG.error("unknown SCEP messageType '{}'", req.getMessageType());
                throw FailInfoException.BAD_REQUEST;
        }
        // end switch<
        ContentInfo ci = new ContentInfo(CMSObjectIdentifiers.signedData, signedData);
        rep.setMessageData(ci);
        rep.setPkiStatus(PkiStatus.SUCCESS);
    } catch (FailInfoException ex) {
        LogUtil.error(LOG, ex);
        rep.setPkiStatus(PkiStatus.FAILURE);
        rep.setFailInfo(ex.getFailInfo());
    }
    return rep;
}
Also used : IssuerAndSerialNumber(org.bouncycastle.asn1.cms.IssuerAndSerialNumber) CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo) NameId(org.xipki.ca.api.NameId) X509Ca(org.xipki.ca.server.impl.X509Ca) X500Name(org.bouncycastle.asn1.x500.X500Name) KnowCertResult(org.xipki.ca.server.impl.KnowCertResult) Extensions(org.bouncycastle.asn1.x509.Extensions) IssuerAndSubject(org.xipki.scep.message.IssuerAndSubject) CertTemplateData(org.xipki.ca.server.impl.CertTemplateData) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) OperationException(org.xipki.ca.api.OperationException) MessageType(org.xipki.scep.transaction.MessageType) SignedData(org.bouncycastle.asn1.cms.SignedData) CMSSignedData(org.bouncycastle.cms.CMSSignedData) ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo) X509CertificateInfo(org.xipki.ca.api.publisher.x509.X509CertificateInfo) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) BigInteger(java.math.BigInteger) CaMgmtException(org.xipki.ca.server.mgmt.api.CaMgmtException) DecodedPkiMessage(org.xipki.scep.message.DecodedPkiMessage) PkiMessage(org.xipki.scep.message.PkiMessage) X500Principal(javax.security.auth.x500.X500Principal) BigInteger(java.math.BigInteger) ByUserRequestorInfo(org.xipki.ca.server.impl.ByUserRequestorInfo) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)

Example 4 with ScepHashAlgo

use of org.xipki.scep.crypto.ScepHashAlgo in project xipki by xipki.

the class ScepImpl method getSignatureAlgorithm.

private static String getSignatureAlgorithm(PrivateKey key, ASN1ObjectIdentifier digestOid) {
    ScepHashAlgo hashAlgo = ScepHashAlgo.forNameOrOid(digestOid.getId());
    if (hashAlgo == null) {
        hashAlgo = ScepHashAlgo.SHA256;
    }
    String algorithm = key.getAlgorithm();
    if ("RSA".equalsIgnoreCase(algorithm)) {
        return hashAlgo.getName() + "withRSA";
    } else {
        throw new UnsupportedOperationException("getSignatureAlgorithm() for non-RSA is not supported yet.");
    }
}
Also used : ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo)

Example 5 with ScepHashAlgo

use of org.xipki.scep.crypto.ScepHashAlgo in project xipki by xipki.

the class FingerprintCertificateValidator method isTrusted.

@Override
public boolean isTrusted(X509Certificate cert) {
    ScepHashAlgo algo = (hashAlgo == null) ? DEFAULT_HASHALGO : hashAlgo;
    byte[] actual;
    try {
        actual = algo.digest(cert.getEncoded());
    } catch (CertificateEncodingException ex) {
        return false;
    }
    return isCertTrusted(algo, actual);
}
Also used : ScepHashAlgo(org.xipki.scep.crypto.ScepHashAlgo) CertificateEncodingException(java.security.cert.CertificateEncodingException)

Aggregations

ScepHashAlgo (org.xipki.scep.crypto.ScepHashAlgo)5 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)3 X509Certificate (java.security.cert.X509Certificate)2 Date (java.util.Date)2 ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)2 IssuerAndSerialNumber (org.bouncycastle.asn1.cms.IssuerAndSerialNumber)2 CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)2 X500Name (org.bouncycastle.asn1.x500.X500Name)2 DecodedPkiMessage (org.xipki.scep.message.DecodedPkiMessage)2 IssuerAndSubject (org.xipki.scep.message.IssuerAndSubject)2 PkiMessage (org.xipki.scep.message.PkiMessage)2 MessageType (org.xipki.scep.transaction.MessageType)2 BigInteger (java.math.BigInteger)1 CertificateEncodingException (java.security.cert.CertificateEncodingException)1 CertificateException (java.security.cert.CertificateException)1 X500Principal (javax.security.auth.x500.X500Principal)1 ASN1String (org.bouncycastle.asn1.ASN1String)1 SignedData (org.bouncycastle.asn1.cms.SignedData)1 CertificationRequestInfo (org.bouncycastle.asn1.pkcs.CertificationRequestInfo)1 Certificate (org.bouncycastle.asn1.x509.Certificate)1