Package com.novosec.pkix.asn1.cmp

Examples of com.novosec.pkix.asn1.cmp.PKIHeader


    private static final InternalResources INTRES = InternalResources.getInstance();

  private static final String CMP_ERRORGENERAL = "cmp.errorgeneral";

  public static PKIHeader createPKIHeader(X509Name sender, X509Name recipient, String senderNonce, String recipientNonce, String transactionId) {
    PKIHeader myPKIHeader =
      new PKIHeader(
          new DERInteger(2),
          new GeneralName(sender),
          new GeneralName(recipient));
    myPKIHeader.setMessageTime(new DERGeneralizedTime(new Date()));
    if (senderNonce != null) {
      myPKIHeader.setSenderNonce(new DEROctetString(Base64.decode(senderNonce.getBytes())));         
    }
    if (recipientNonce != null) {
      myPKIHeader.setRecipNonce(new DEROctetString(Base64.decode(recipientNonce.getBytes())));
    }
    if (transactionId != null) {
      myPKIHeader.setTransactionID(new DEROctetString(Base64.decode(transactionId.getBytes())));
    }
    return myPKIHeader;
  }
View Full Code Here


  public static byte[] protectPKIMessageWithPBE(PKIMessage msg, String keyId, String raSecret, String digestAlgId, String macAlgId, int iterationCount) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, IOException {
      if (LOG.isTraceEnabled()) {
        LOG.trace(">protectPKIMessageWithPBE()");
      }
    // Create the PasswordBased protection of the message
    PKIHeader head = msg.getHeader();
    byte[] keyIdBytes;
    try {
      keyIdBytes = keyId.getBytes("UTF-8");     
    } catch (UnsupportedEncodingException e) {
      keyIdBytes = keyId.getBytes();
      LOG.info("UTF-8 not available, using platform default encoding for keyIdBytes.");
    }
    head.setSenderKID(new DEROctetString(keyIdBytes));
    // SHA1
    //AlgorithmIdentifier owfAlg = new AlgorithmIdentifier("1.3.14.3.2.26");
    AlgorithmIdentifier owfAlg = new AlgorithmIdentifier(digestAlgId);
    // iterations, usually something like 1024
    DERInteger iteration = new DERInteger(iterationCount);
    // HMAC/SHA1
    //AlgorithmIdentifier macAlg = new AlgorithmIdentifier("1.2.840.113549.2.7");
    AlgorithmIdentifier macAlg = new AlgorithmIdentifier(macAlgId);
    // We need some random bytes for the nonce
    byte[] saltbytes = createSenderNonce();
    DEROctetString derSalt = new DEROctetString(saltbytes);
   
    // Create the new protected return message
    //String objectId = "1.2.840.113533.7.66.13" = passwordBasedMac;
    String objectId = CMPObjectIdentifiers.passwordBasedMac.getId();
    PBMParameter pp = new PBMParameter(derSalt, owfAlg, iteration, macAlg);
    AlgorithmIdentifier pAlg = new AlgorithmIdentifier(new DERObjectIdentifier(objectId), pp);
    head.setProtectionAlg(pAlg);
    PKIBody body = msg.getBody();
    PKIMessage ret = new PKIMessage(head, body);

    // Calculate the protection bits
    byte[] rasecret = raSecret.getBytes();
View Full Code Here

        String errMsg = intres.getLocalizedMessage("cmp.receivedrevreqnoissuer");
        log.info(errMsg);
      }
    }
    setMessage(msg);
    PKIHeader header = msg.getHeader();
    DEROctetString os = header.getTransactionID();
    if (os != null) {
      byte[] val = os.getOctets();
      if (val != null) {
        setTransactionId(new String(Base64.encode(val)));             
      }
    }
    os = header.getSenderNonce();
    if (os != null) {
      byte[] val = os.getOctets();
      if (val != null) {
        setSenderNonce(new String(Base64.encode(val)));             
      }
    }
    setRecipient(header.getRecipient());
    setSender(header.getSender());
  }
View Full Code Here

      NoSuchAlgorithmException, NoSuchProviderException,
      SignRequestException, NotFoundException {

    X509Name sender = X509Name.getInstance(getSender().getName());
    X509Name recipient = X509Name.getInstance(getRecipient().getName());
    PKIHeader myPKIHeader = CmpMessageHelper.createPKIHeader(sender, recipient, getSenderNonce(), getRecipientNonce(), getTransactionId());
    PKIBody myPKIBody = new PKIBody(new DERNull(), 19);
    PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);

    if ((getPbeDigestAlg() != null) && (getPbeMacAlg() != null) && (getPbeKeyId() != null) && (getPbeKey() != null) ) {
      responseMessage = CmpMessageHelper.protectPKIMessageWithPBE(myPKIMessage, getPbeKeyId(), getPbeKey(), getPbeDigestAlg(), getPbeMacAlg(), getPbeIterationCount());
View Full Code Here

        PKIHeader myPKIHeader = new PKIHeader(new DERInteger(2), new GeneralName(new X509Name("CN=bogusSubject")), new GeneralName(new X509Name("CN=bogusIssuer")));
        myPKIHeader.setMessageTime(new DERGeneralizedTime(new Date()));
        myPKIHeader.setSenderNonce(new DEROctetString(CmpMessageHelper.createSenderNonce()));
        myPKIHeader.setTransactionID(new DEROctetString(CmpMessageHelper.createSenderNonce()));
        PKIBody myPKIBody = new PKIBody(myCertReqMessages, 0);
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
      // Create a bogus CrmfRequestMessage
      CrmfRequestMessage crmf = new CrmfRequestMessage(myPKIMessage, "CN=SomeCA", true, null);
      crmf.setPbeParameters("keyId", "key", "digestAlg", "macAlg", 100);
      // Serialize it
      ByteArrayOutputStream baos = new ByteArrayOutputStream();
View Full Code Here

    public void testNovosecRARequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, CertificateEncodingException, SignatureException, IllegalStateException {
      // Check that we can parse a request from  Novosec (patched by EJBCA).
      // Read an initialization request with RAVerifiedPOP and PBE protection to see that we can process it
      ASN1InputStream in = new ASN1InputStream(novosecrapopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be false if we do not allow RA verify POP here, since we don't have any normal POP
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertFalse(msg.verify());
      // Verify should be ok when we allow RA verified POP
View Full Code Here

      // Check that we can parse a request from  Novosec (patched by EJBCA).
      // Read an initialization request with a signature POP and signature protection to see that we can process it
      {
        ASN1InputStream in = new ASN1InputStream(novosecsigpopir);
        DERObject derObject = in.readObject();
        PKIMessage req = PKIMessage.getInstance(derObject);
        //log.info(req.toString());
        // Verify should be ok if we do not allow RA verify POP here
        CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
        assertTrue(msg.verify());
        // Since we don't have RA POP we can't test for that...
        assertEquals("CN=AdminCA1,O=EJBCA Sample,C=SE", msg.getIssuerDN());
        assertEquals("CN=abc123rry2942812801980668853,O=PrimeKey Solutions AB,C=SE", msg.getRequestDN());
        assertEquals("abc123rry2942812801980668853", msg.getUsername());
        assertEquals("foo123", msg.getPassword());
        // Verify signature protection
        AlgorithmIdentifier algId = msg.getMessage().getProtectedPart().getHeader().getProtectionAlg();
        String oid = algId.getObjectId().getId();
        assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), oid);
        // Check that this is an old message, created before ECA-2104, using null instead of DERNull as algorithm parameters.
        DEREncodable pp = algId.getParameters();
        assertNull(pp);
        // Try to verify, it should work good even though the small bug in ECA-2104, since we don't use algorithm parameters for RSA-PKCS signatures
        PublicKey pubKey = msg.getRequestPublicKey();
        assertTrue(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), pubKey));
        // Verify that our verification routine does not give positive result for any other keys
        KeyPair keys = KeyTools.genKeys("512", "RSA");
        assertFalse(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), keys.getPublic()));
      }
      // Re-protect the message, now fixed by ECA-2104
      {
        ASN1InputStream in = new ASN1InputStream(novosecsigpopir);
        DERObject derObject = in.readObject();
        PKIMessage myPKIMessage = PKIMessage.getInstance(derObject);
        KeyPair keys = KeyTools.genKeys("512", "RSA");
        X509Certificate signCert = CertTools.genSelfCert("CN=CMP Sign Test", 3650, null, keys.getPrivate(), keys.getPublic(), "SHA1WithRSA", false);
        // Re-sign the message
        byte[] newmsg = CmpMessageHelper.signPKIMessage(myPKIMessage, signCert, keys.getPrivate(), CMSSignedGenerator.DIGEST_SHA1, "BC");
        in = new ASN1InputStream(newmsg);
        derObject = in.readObject();
        PKIMessage pkimsg = PKIMessage.getInstance(derObject);
        // We have to do this twice, because Novosec caches ProtectedBytes in the PKIMessage object, so we need to
        // encode it and re-decode it again to get the changes from ECA-2104 encoded correctly.
        // Not needed when simply signing a new message that you create, only when re-signing
        newmsg = CmpMessageHelper.signPKIMessage(pkimsg, signCert, keys.getPrivate(), CMSSignedGenerator.DIGEST_SHA1, "BC");
        in = new ASN1InputStream(newmsg);
        derObject = in.readObject();
        pkimsg = PKIMessage.getInstance(derObject);
        AlgorithmIdentifier algId = pkimsg.getProtectedPart().getHeader().getProtectionAlg();
        String oid = algId.getObjectId().getId();
        assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), oid);
        // Check that we have DERNull and not plain java null as algorithm parameters.
        DEREncodable pp = algId.getParameters();
        assertNotNull(pp);
View Full Code Here

    public void testBc146RARequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Check that we can parse request from BouncyCastle version 1.46.
      // Read an initialization request with RAVerifiedPOP with PBE protection to see that we can process it
      ASN1InputStream in = new ASN1InputStream(bc146rapopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be false if we do not allow RA verify POP here, since we don't have any normal POP
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertFalse(msg.verify());
      // Verify should be ok when we allow RA verified POP
View Full Code Here

    public void testBc146ClientRequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Check that we can parse request from BouncyCastle version 1.46.     
      // Read an initialization request with a signature POP, and signature protection, to see that we can process it
      ASN1InputStream in = new ASN1InputStream(bc146sigpopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be ok if we do not allow RA verify POP here
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      // BC messages in BC1.46 uses POPOSigningKeyInput for POPO, not the 3rd case in RFC4211 section 4.1, like everyone else...
      assertTrue(msg.verify());
View Full Code Here

    public void testHuaweiEnodeBClientRequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Read an initialization request to see that we can process it
      ASN1InputStream in = new ASN1InputStream(huaweiir);
    DERObject derObject = in.readObject();
    PKIMessage req = PKIMessage.getInstance(derObject);
    //log.info(req.toString());
      CrmfRequestMessage msg = new CrmfRequestMessage(req, null, false, "CN");
      // This message does not have an issuerDN in the cert template
      assertNull(msg.getIssuerDN());
      // Use a default CA instead
      msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertTrue(msg.verify());
      assertEquals("CN=AdminCA1", msg.getIssuerDN());
      assertEquals("CN=21030533610000000012 eNodeB", msg.getRequestDN());
      assertEquals("21030533610000000012 eNodeB", msg.getUsername());
      // We would like a password here...
    assertNull(msg.getPassword());
    // Verify signature properties
    AlgorithmIdentifier algId = msg.getMessage().getProtectedPart().getHeader().getProtectionAlg();
    String oid = algId.getObjectId().getId();
    assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), oid);
    // Check that we have DERNull and not plain java null as algorithm parameters.
    DEREncodable pp = algId.getParameters();
    assertNotNull(pp);
    assertEquals(DERNull.class.getName(), pp.getClass().getName());
    // Try to verify message protection
    // Does not work for this Huawei message, is it signed by the same key as in the request at all?
    // We will wait for another huawei message to test
    //PublicKey pubKey = msg.getRequestPublicKey();
    //assertTrue(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), pubKey));

      // Read the CertConf (certificate confirmation) CMP message that the client sends to
    // the CA after receiving the certificate. RFC4210 section "5.3.18.  Certificate Confirmation Content".
      in = new ASN1InputStream(huaweicertconf);
    derObject = in.readObject();
    PKIMessage certconf = PKIMessage.getInstance(derObject);
    //log.info(certconf.toString());
    GeneralCmpMessage conf = new GeneralCmpMessage(certconf);
    // Verify signature properties
    algId = conf.getMessage().getProtectedPart().getHeader().getProtectionAlg();
    oid = algId.getObjectId().getId();
View Full Code Here

TOP

Related Classes of com.novosec.pkix.asn1.cmp.PKIHeader

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.