Search in sources :

Example 1 with NextCaMessage

use of org.xipki.scep.message.NextCaMessage in project xipki by xipki.

the class ScepServlet method service.

@Override
protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    boolean post;
    String method = req.getMethod();
    if ("GET".equals(method)) {
        post = false;
    } else if ("POST".equals(method)) {
        post = true;
    } else {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        return;
    }
    AuditEvent event = new AuditEvent();
    event.setName(ScepAuditConstants.NAME_PERF);
    event.putEventData(ScepAuditConstants.NAME_servletPath, req.getServletPath());
    AuditLevel auditLevel = AuditLevel.INFO;
    String auditMessage = null;
    try {
        CaCaps caCaps = responder.getCaCaps();
        if (post && !caCaps.containsCapability(CaCapability.POSTPKIOperation)) {
            auditMessage = "HTTP POST is not supported";
            auditLevel = AuditLevel.ERROR;
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String operation = req.getParameter("operation");
        event.putEventData(ScepAuditConstants.NAME_operation, operation);
        if ("PKIOperation".equalsIgnoreCase(operation)) {
            CMSSignedData reqMessage;
            // parse the request
            try {
                byte[] content = post ? ScepUtil.read(req.getInputStream()) : Base64.decode(req.getParameter("message"));
                reqMessage = new CMSSignedData(content);
            } catch (Exception ex) {
                auditMessage = "invalid request";
                auditLevel = AuditLevel.ERROR;
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            ContentInfo ci;
            try {
                ci = responder.servicePkiOperation(reqMessage, event);
            } catch (MessageDecodingException ex) {
                auditMessage = "could not decrypt and/or verify the request";
                auditLevel = AuditLevel.ERROR;
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            } catch (CaException ex) {
                auditMessage = "system internal error";
                auditLevel = AuditLevel.ERROR;
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return;
            }
            byte[] respBytes = ci.getEncoded();
            sendToResponse(resp, CT_RESPONSE, respBytes);
        } else if (Operation.GetCACaps.getCode().equalsIgnoreCase(operation)) {
            // CA-Ident is ignored
            byte[] caCapsBytes = responder.getCaCaps().getBytes();
            sendToResponse(resp, ScepConstants.CT_TEXT_PLAIN, caCapsBytes);
        } else if (Operation.GetCACert.getCode().equalsIgnoreCase(operation)) {
            // CA-Ident is ignored
            byte[] respBytes;
            String ct;
            if (responder.getRaEmulator() == null) {
                ct = ScepConstants.CT_X509_CA_CERT;
                respBytes = responder.getCaEmulator().getCaCertBytes();
            } else {
                ct = ScepConstants.CT_X509_CA_RA_CERT;
                CMSSignedDataGenerator cmsSignedDataGen = new CMSSignedDataGenerator();
                try {
                    cmsSignedDataGen.addCertificate(new X509CertificateHolder(responder.getCaEmulator().getCaCert()));
                    ct = ScepConstants.CT_X509_CA_RA_CERT;
                    cmsSignedDataGen.addCertificate(new X509CertificateHolder(responder.getRaEmulator().getRaCert()));
                    CMSSignedData degenerateSignedData = cmsSignedDataGen.generate(new CMSAbsentContent());
                    respBytes = degenerateSignedData.getEncoded();
                } catch (CMSException ex) {
                    auditMessage = "system internal error";
                    auditLevel = AuditLevel.ERROR;
                    resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                    return;
                }
            }
            sendToResponse(resp, ct, respBytes);
        } else if (Operation.GetNextCACert.getCode().equalsIgnoreCase(operation)) {
            if (responder.getNextCaAndRa() == null) {
                auditMessage = "SCEP operation '" + operation + "' is not permitted";
                auditLevel = AuditLevel.ERROR;
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            try {
                NextCaMessage nextCaMsg = new NextCaMessage();
                nextCaMsg.setCaCert(ScepUtil.toX509Cert(responder.getNextCaAndRa().getCaCert()));
                if (responder.getNextCaAndRa().getRaCert() != null) {
                    X509Certificate raCert = ScepUtil.toX509Cert(responder.getNextCaAndRa().getRaCert());
                    nextCaMsg.setRaCerts(Arrays.asList(raCert));
                }
                ContentInfo signedData = responder.encode(nextCaMsg);
                byte[] respBytes = signedData.getEncoded();
                sendToResponse(resp, ScepConstants.CT_X509_NEXT_CA_CERT, respBytes);
            } catch (Exception ex) {
                auditMessage = "system internal error";
                auditLevel = AuditLevel.ERROR;
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        } else {
            auditMessage = "unknown SCEP operation '" + operation + "'";
            auditLevel = AuditLevel.ERROR;
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    // end if ("PKIOperation".equalsIgnoreCase(operation))
    } catch (EOFException ex) {
        LOG.warn("connection reset by peer", ex);
        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    } catch (Throwable th) {
        LOG.error("Throwable thrown, this should not happen!", th);
        auditLevel = AuditLevel.ERROR;
        auditMessage = "internal error";
        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    } finally {
        if (event.getLevel() != AuditLevel.ERROR) {
            event.setLevel(auditLevel);
        }
        if (auditMessage != null) {
            event.putEventData("error", auditMessage);
        }
        event.log(LOG);
    }
// end try
}
Also used : CMSSignedDataGenerator(org.bouncycastle.cms.CMSSignedDataGenerator) CMSAbsentContent(org.bouncycastle.cms.CMSAbsentContent) AuditLevel(org.xipki.scep.serveremulator.AuditEvent.AuditLevel) CMSSignedData(org.bouncycastle.cms.CMSSignedData) NextCaMessage(org.xipki.scep.message.NextCaMessage) ServletException(javax.servlet.ServletException) CMSException(org.bouncycastle.cms.CMSException) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) IOException(java.io.IOException) EOFException(java.io.EOFException) X509Certificate(java.security.cert.X509Certificate) MessageDecodingException(org.xipki.scep.exception.MessageDecodingException) CaCaps(org.xipki.scep.message.CaCaps) ContentInfo(org.bouncycastle.asn1.cms.ContentInfo) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) EOFException(java.io.EOFException) CMSException(org.bouncycastle.cms.CMSException)

Aggregations

EOFException (java.io.EOFException)1 IOException (java.io.IOException)1 X509Certificate (java.security.cert.X509Certificate)1 ServletException (javax.servlet.ServletException)1 ContentInfo (org.bouncycastle.asn1.cms.ContentInfo)1 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)1 CMSAbsentContent (org.bouncycastle.cms.CMSAbsentContent)1 CMSException (org.bouncycastle.cms.CMSException)1 CMSSignedData (org.bouncycastle.cms.CMSSignedData)1 CMSSignedDataGenerator (org.bouncycastle.cms.CMSSignedDataGenerator)1 MessageDecodingException (org.xipki.scep.exception.MessageDecodingException)1 CaCaps (org.xipki.scep.message.CaCaps)1 NextCaMessage (org.xipki.scep.message.NextCaMessage)1 AuditLevel (org.xipki.scep.serveremulator.AuditEvent.AuditLevel)1