Example 1 with CaCaps
use of org.xipki.scep.message.CaCaps in project xipki by xipki.
the class ScepServlet method service.
@Override
protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
boolean post;
String method = req.getMethod();
if ("GET".equals(method)) {
post = false;
} else if ("POST".equals(method)) {
post = true;
} else {
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
return;
}
AuditEvent event = new AuditEvent();
event.setName(ScepAuditConstants.NAME_PERF);
event.putEventData(ScepAuditConstants.NAME_servletPath, req.getServletPath());
AuditLevel auditLevel = AuditLevel.INFO;
String auditMessage = null;
try {
CaCaps caCaps = responder.getCaCaps();
if (post && !caCaps.containsCapability(CaCapability.POSTPKIOperation)) {
auditMessage = "HTTP POST is not supported";
auditLevel = AuditLevel.ERROR;
resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
return;
}
String operation = req.getParameter("operation");
event.putEventData(ScepAuditConstants.NAME_operation, operation);
if ("PKIOperation".equalsIgnoreCase(operation)) {
CMSSignedData reqMessage;
// parse the request
try {
byte[] content = post ? ScepUtil.read(req.getInputStream()) : Base64.decode(req.getParameter("message"));
reqMessage = new CMSSignedData(content);
} catch (Exception ex) {
auditMessage = "invalid request";
auditLevel = AuditLevel.ERROR;
resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
return;
}
ContentInfo ci;
try {
ci = responder.servicePkiOperation(reqMessage, event);
} catch (MessageDecodingException ex) {
auditMessage = "could not decrypt and/or verify the request";
auditLevel = AuditLevel.ERROR;
resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
return;
} catch (CaException ex) {
auditMessage = "system internal error";
auditLevel = AuditLevel.ERROR;
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return;
}
byte[] respBytes = ci.getEncoded();
sendToResponse(resp, CT_RESPONSE, respBytes);
} else if (Operation.GetCACaps.getCode().equalsIgnoreCase(operation)) {
// CA-Ident is ignored
byte[] caCapsBytes = responder.getCaCaps().getBytes();
sendToResponse(resp, ScepConstants.CT_TEXT_PLAIN, caCapsBytes);
} else if (Operation.GetCACert.getCode().equalsIgnoreCase(operation)) {
// CA-Ident is ignored
byte[] respBytes;
String ct;
if (responder.getRaEmulator() == null) {
ct = ScepConstants.CT_X509_CA_CERT;
respBytes = responder.getCaEmulator().getCaCertBytes();
} else {
ct = ScepConstants.CT_X509_CA_RA_CERT;
CMSSignedDataGenerator cmsSignedDataGen = new CMSSignedDataGenerator();
try {
cmsSignedDataGen.addCertificate(new X509CertificateHolder(responder.getCaEmulator().getCaCert()));
ct = ScepConstants.CT_X509_CA_RA_CERT;
cmsSignedDataGen.addCertificate(new X509CertificateHolder(responder.getRaEmulator().getRaCert()));
CMSSignedData degenerateSignedData = cmsSignedDataGen.generate(new CMSAbsentContent());
respBytes = degenerateSignedData.getEncoded();
} catch (CMSException ex) {
auditMessage = "system internal error";
auditLevel = AuditLevel.ERROR;
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return;
}
}
sendToResponse(resp, ct, respBytes);
} else if (Operation.GetNextCACert.getCode().equalsIgnoreCase(operation)) {
if (responder.getNextCaAndRa() == null) {
auditMessage = "SCEP operation '" + operation + "' is not permitted";
auditLevel = AuditLevel.ERROR;
resp.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
try {
NextCaMessage nextCaMsg = new NextCaMessage();
nextCaMsg.setCaCert(ScepUtil.toX509Cert(responder.getNextCaAndRa().getCaCert()));
if (responder.getNextCaAndRa().getRaCert() != null) {
X509Certificate raCert = ScepUtil.toX509Cert(responder.getNextCaAndRa().getRaCert());
nextCaMsg.setRaCerts(Arrays.asList(raCert));
}
ContentInfo signedData = responder.encode(nextCaMsg);
byte[] respBytes = signedData.getEncoded();
sendToResponse(resp, ScepConstants.CT_X509_NEXT_CA_CERT, respBytes);
} catch (Exception ex) {
auditMessage = "system internal error";
auditLevel = AuditLevel.ERROR;
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
} else {
auditMessage = "unknown SCEP operation '" + operation + "'";
auditLevel = AuditLevel.ERROR;
resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
}
// end if ("PKIOperation".equalsIgnoreCase(operation))
} catch (EOFException ex) {
LOG.warn("connection reset by peer", ex);
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
} catch (Throwable th) {
LOG.error("Throwable thrown, this should not happen!", th);
auditLevel = AuditLevel.ERROR;
auditMessage = "internal error";
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
} finally {
if (event.getLevel() != AuditLevel.ERROR) {
event.setLevel(auditLevel);
}
if (auditMessage != null) {
event.putEventData("error", auditMessage);
}
event.log(LOG);
}
// end try
}
Also used :
CMSSignedDataGenerator(org.bouncycastle.cms.CMSSignedDataGenerator)
CMSAbsentContent(org.bouncycastle.cms.CMSAbsentContent)
AuditLevel(org.xipki.scep.serveremulator.AuditEvent.AuditLevel)
CMSSignedData(org.bouncycastle.cms.CMSSignedData)
NextCaMessage(org.xipki.scep.message.NextCaMessage)
ServletException(javax.servlet.ServletException)
CMSException(org.bouncycastle.cms.CMSException)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
IOException(java.io.IOException)
EOFException(java.io.EOFException)
X509Certificate(java.security.cert.X509Certificate)
MessageDecodingException(org.xipki.scep.exception.MessageDecodingException)
CaCaps(org.xipki.scep.message.CaCaps)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
EOFException(java.io.EOFException)
CMSException(org.bouncycastle.cms.CMSException)
Example 2 with CaCaps
use of org.xipki.scep.message.CaCaps in project xipki by xipki.
the class AbstractCaTest method test.
@Test
public void test() throws Exception {
CaIdentifier caId = new CaIdentifier("http://localhost:" + port + "/scep/pkiclient.exe", null);
CaCertValidator caCertValidator = new PreprovisionedCaCertValidator(ScepUtil.toX509Cert(scepServer.getCaCert()));
ScepClient client = new ScepClient(caId, caCertValidator);
client.setUseInsecureAlgorithms(useInsecureAlgorithms());
client.refresh();
CaCaps expCaCaps = getExpectedCaCaps();
// CACaps
CaCaps caCaps = client.getCaCaps();
Assert.assertEquals("CACaps", expCaCaps, caCaps);
// CA certificate
Certificate expCaCert = scepServer.getCaCert();
X509Certificate caCert = client.getAuthorityCertStore().getCaCert();
if (!equals(expCaCert, caCert)) {
Assert.fail("Configured and received CA certificate not the same");
}
boolean withRa = isWithRa();
// RA
if (withRa) {
Certificate expRaCert = scepServer.getRaCert();
X509Certificate raSigCert = client.getAuthorityCertStore().getSignatureCert();
X509Certificate raEncCert = client.getAuthorityCertStore().getEncryptionCert();
Assert.assertEquals("RA certificate", raSigCert, raEncCert);
if (!equals(expRaCert, raSigCert)) {
Assert.fail("Configured and received RA certificate not the same");
}
}
// getNextCA
if (isWithNextCa()) {
AuthorityCertStore nextCa = client.scepNextCaCert();
Certificate expNextCaCert = scepServer.getNextCaCert();
X509Certificate nextCaCert = nextCa.getCaCert();
if (!equals(expNextCaCert, nextCaCert)) {
Assert.fail("Configured and received next CA certificate not the same");
}
if (withRa) {
Certificate expNextRaCert = scepServer.getNextRaCert();
X509Certificate nextRaSigCert = nextCa.getSignatureCert();
X509Certificate nextRaEncCert = nextCa.getEncryptionCert();
Assert.assertEquals("Next RA certificate", nextRaSigCert, nextRaEncCert);
if (!equals(expNextRaCert, nextRaSigCert)) {
Assert.fail("Configured and received next RA certificate not the same");
}
}
}
// enroll
CertificationRequest csr;
X509Certificate selfSignedCert;
X509Certificate enroledCert;
X500Name issuerName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
PrivateKey privKey;
{
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA");
kpGen.initialize(2048);
KeyPair keypair = kpGen.generateKeyPair();
privKey = keypair.getPrivate();
SubjectPublicKeyInfo subjectPublicKeyInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic());
X500Name subject = new X500Name("CN=EE1, OU=emulator, O=xipki.org, C=DE");
// first try without secret
PKCS10CertificationRequest p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, null, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
EnrolmentResponse enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
PkiStatus status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus without secret", PkiStatus.FAILURE, status);
// then try invalid secret
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, "invalid-" + secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
// try with valid secret
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
List<X509Certificate> certs = enrolResp.getCertificates();
Assert.assertTrue("number of received certificates", certs.size() > 0);
X509Certificate cert = certs.get(0);
Assert.assertNotNull("enroled certificate", cert);
enroledCert = cert;
// try :: self-signed certificate's subject different from the one of CSR
p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null);
csr = p10Req.toASN1Structure();
selfSignedCert = ScepUtil.generateSelfsignedCert(new X500Name("CN=dummy"), csr.getCertificationRequestInfo().getSubjectPublicKeyInfo(), privKey);
enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert);
status = enrolResp.getPkcsRep().getPkiStatus();
Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status);
}
// certPoll
EnrolmentResponse enrolResp = client.scepCertPoll(privKey, selfSignedCert, csr, issuerName);
List<X509Certificate> certs = enrolResp.getCertificates();
Assert.assertTrue("number of received certificates", certs.size() > 0);
X509Certificate cert = certs.get(0);
Assert.assertNotNull("enrolled certificate", cert);
// getCert
certs = client.scepGetCert(privKey, selfSignedCert, issuerName, enroledCert.getSerialNumber());
Assert.assertTrue("number of received certificates", certs.size() > 0);
cert = certs.get(0);
Assert.assertNotNull("received certificate", cert);
// getCRL
X509CRL crl = client.scepGetCrl(privKey, enroledCert, issuerName, enroledCert.getSerialNumber());
Assert.assertNotNull("received CRL", crl);
// getNextCA
AuthorityCertStore nextCa = client.scepNextCaCert();
Assert.assertNotNull("nextCa", nextCa);
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
PkiStatus(org.xipki.scep.transaction.PkiStatus)
KeyPair(java.security.KeyPair)
PrivateKey(java.security.PrivateKey)
X509CRL(java.security.cert.X509CRL)
CaIdentifier(org.xipki.scep.client.CaIdentifier)
ScepClient(org.xipki.scep.client.ScepClient)
X500Name(org.bouncycastle.asn1.x500.X500Name)
KeyPairGenerator(java.security.KeyPairGenerator)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
X509Certificate(java.security.cert.X509Certificate)
CaCertValidator(org.xipki.scep.client.CaCertValidator)
PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator)
CaCaps(org.xipki.scep.message.CaCaps)
PreprovisionedCaCertValidator(org.xipki.scep.client.PreprovisionedCaCertValidator)
EnrolmentResponse(org.xipki.scep.client.EnrolmentResponse)
AuthorityCertStore(org.xipki.scep.message.AuthorityCertStore)
List(java.util.List)
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Test(org.junit.Test)
Example 3 with CaCaps
use of org.xipki.scep.message.CaCaps in project xipki by xipki.
the class AbstractCaTest method getDefaultCaCaps.
protected CaCaps getDefaultCaCaps() {
final CaCaps caCaps = new CaCaps();
caCaps.addCapabilities(CaCapability.DES3, CaCapability.AES, CaCapability.SHA1, CaCapability.SHA256, CaCapability.POSTPKIOperation);
return caCaps;
}
Also used :
CaCaps(org.xipki.scep.message.CaCaps)
Example 4 with CaCaps
use of org.xipki.scep.message.CaCaps in project xipki by xipki.
the class AbstractCaTest method getExpectedCaCaps.
private CaCaps getExpectedCaCaps() {
CaCaps caCaps = getDefaultCaCaps();
CaCapability[] excludedCaCaps = getExcludedCaCaps();
if (excludedCaCaps != null) {
caCaps.removeCapabilities(excludedCaCaps);
}
if (isWithNextCa()) {
if (!caCaps.containsCapability(CaCapability.GetNextCACert)) {
caCaps.addCapabilities(CaCapability.GetNextCACert);
}
} else {
caCaps.removeCapabilities(CaCapability.GetNextCACert);
}
return caCaps;
}
Also used :
CaCaps(org.xipki.scep.message.CaCaps)
CaCapability(org.xipki.scep.transaction.CaCapability)
Example 5 with CaCaps
use of org.xipki.scep.message.CaCaps in project xipki by xipki.
the class AbstractCaTest method startScepServer.
@Before
public synchronized void startScepServer() throws Exception {
if (scepServerContainer == null) {
CaCaps caCaps = getExpectedCaCaps();
ScepControl control = new ScepControl(isSendCaCert(), isPendingCert(), sendSignerCert(), useInsecureAlgorithms(), secret);
this.scepServer = new ScepServer("scep", caCaps, isWithRa(), isWithNextCa(), isGenerateCrl(), control);
this.scepServerContainer = new ScepServerContainer(port, scepServer);
}
this.scepServerContainer.start();
}
Also used :
ScepServer(org.xipki.scep.serveremulator.ScepServer)
ScepControl(org.xipki.scep.serveremulator.ScepControl)
CaCaps(org.xipki.scep.message.CaCaps)
ScepServerContainer(org.xipki.scep.serveremulator.ScepServerContainer)
Before(org.junit.Before)
Aggregations
CaCaps (org.xipki.scep.message.CaCaps)5
X509Certificate (java.security.cert.X509Certificate)2
EOFException (java.io.EOFException)1
IOException (java.io.IOException)1
KeyPair (java.security.KeyPair)1
KeyPairGenerator (java.security.KeyPairGenerator)1
PrivateKey (java.security.PrivateKey)1
X509CRL (java.security.cert.X509CRL)1
List (java.util.List)1
ServletException (javax.servlet.ServletException)1
ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)1
CertificationRequest (org.bouncycastle.asn1.pkcs.CertificationRequest)1
X500Name (org.bouncycastle.asn1.x500.X500Name)1
Certificate (org.bouncycastle.asn1.x509.Certificate)1
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)1
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)1
CMSAbsentContent (org.bouncycastle.cms.CMSAbsentContent)1
CMSException (org.bouncycastle.cms.CMSException)1
CMSSignedData (org.bouncycastle.cms.CMSSignedData)1
CMSSignedDataGenerator (org.bouncycastle.cms.CMSSignedDataGenerator)1
