Package com.novosec.pkix.asn1.crmf

Examples of com.novosec.pkix.asn1.crmf.CertRequest

775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
        //
        // Parse response message
        //
        PKIMessage respObject = PKIMessage.getInstance(new ASN1InputStream(new ByteArrayInputStream(retMsg)).readObject());
        assertNotNull(respObject);
        PKIHeader header = respObject.getHeader();
        assertEquals(header.getSender().getTagNo(), 4);
        X509Name name = X509Name.getInstance(header.getSender().getName());
        assertEquals(name.toString(), sender);
        name = X509Name.getInstance(header.getRecipient().getName());
        assertEquals(name.toString(), recipient);

        PKIBody body = respObject.getBody();
        int tag = body.getTagNo();
        assertEquals(tag, 23);
View Full Code Here
133
134
135
136
137
138
139
140
141
142
143
        PKIHeader myPKIHeader = new PKIHeader(new DERInteger(2), new GeneralName(new X509Name("CN=bogusSubject")), new GeneralName(new X509Name("CN=bogusIssuer")));
        myPKIHeader.setMessageTime(new DERGeneralizedTime(new Date()));
        myPKIHeader.setSenderNonce(new DEROctetString(CmpMessageHelper.createSenderNonce()));
        myPKIHeader.setTransactionID(new DEROctetString(CmpMessageHelper.createSenderNonce()));
        PKIBody myPKIBody = new PKIBody(myCertReqMessages, 0);
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
      // Create a bogus CrmfRequestMessage
      CrmfRequestMessage crmf = new CrmfRequestMessage(myPKIMessage, "CN=SomeCA", true, null);
      crmf.setPbeParameters("keyId", "key", "digestAlg", "macAlg", 100);
      // Serialize it
      ByteArrayOutputStream baos = new ByteArrayOutputStream();
View Full Code Here
154
155
156
157
158
159
160
161
162
163
164
    public void testNovosecRARequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, CertificateEncodingException, SignatureException, IllegalStateException {
      // Check that we can parse a request from  Novosec (patched by EJBCA).
      // Read an initialization request with RAVerifiedPOP and PBE protection to see that we can process it
      ASN1InputStream in = new ASN1InputStream(novosecrapopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be false if we do not allow RA verify POP here, since we don't have any normal POP
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertFalse(msg.verify());
      // Verify should be ok when we allow RA verified POP
View Full Code Here
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
      // Check that we can parse a request from  Novosec (patched by EJBCA).
      // Read an initialization request with a signature POP and signature protection to see that we can process it
      {
        ASN1InputStream in = new ASN1InputStream(novosecsigpopir);
        DERObject derObject = in.readObject();
        PKIMessage req = PKIMessage.getInstance(derObject);
        //log.info(req.toString());
        // Verify should be ok if we do not allow RA verify POP here
        CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
        assertTrue(msg.verify());
        // Since we don't have RA POP we can't test for that...
        assertEquals("CN=AdminCA1,O=EJBCA Sample,C=SE", msg.getIssuerDN());
        assertEquals("CN=abc123rry2942812801980668853,O=PrimeKey Solutions AB,C=SE", msg.getRequestDN());
        assertEquals("abc123rry2942812801980668853", msg.getUsername());
        assertEquals("foo123", msg.getPassword());
        // Verify signature protection
        AlgorithmIdentifier algId = msg.getMessage().getProtectedPart().getHeader().getProtectionAlg();
        String oid = algId.getObjectId().getId();
        assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), oid);
        // Check that this is an old message, created before ECA-2104, using null instead of DERNull as algorithm parameters.
        DEREncodable pp = algId.getParameters();
        assertNull(pp);
        // Try to verify, it should work good even though the small bug in ECA-2104, since we don't use algorithm parameters for RSA-PKCS signatures
        PublicKey pubKey = msg.getRequestPublicKey();
        assertTrue(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), pubKey));
        // Verify that our verification routine does not give positive result for any other keys
        KeyPair keys = KeyTools.genKeys("512", "RSA");
        assertFalse(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), keys.getPublic()));
      }
      // Re-protect the message, now fixed by ECA-2104
      {
        ASN1InputStream in = new ASN1InputStream(novosecsigpopir);
        DERObject derObject = in.readObject();
        PKIMessage myPKIMessage = PKIMessage.getInstance(derObject);
        KeyPair keys = KeyTools.genKeys("512", "RSA");
        X509Certificate signCert = CertTools.genSelfCert("CN=CMP Sign Test", 3650, null, keys.getPrivate(), keys.getPublic(), "SHA1WithRSA", false);
        // Re-sign the message
        byte[] newmsg = CmpMessageHelper.signPKIMessage(myPKIMessage, signCert, keys.getPrivate(), CMSSignedGenerator.DIGEST_SHA1, "BC");
        in = new ASN1InputStream(newmsg);
        derObject = in.readObject();
        PKIMessage pkimsg = PKIMessage.getInstance(derObject);
        // We have to do this twice, because Novosec caches ProtectedBytes in the PKIMessage object, so we need to
        // encode it and re-decode it again to get the changes from ECA-2104 encoded correctly.
        // Not needed when simply signing a new message that you create, only when re-signing
        newmsg = CmpMessageHelper.signPKIMessage(pkimsg, signCert, keys.getPrivate(), CMSSignedGenerator.DIGEST_SHA1, "BC");
        in = new ASN1InputStream(newmsg);
        derObject = in.readObject();
        pkimsg = PKIMessage.getInstance(derObject);
        AlgorithmIdentifier algId = pkimsg.getProtectedPart().getHeader().getProtectionAlg();
        String oid = algId.getObjectId().getId();
        assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), oid);
        // Check that we have DERNull and not plain java null as algorithm parameters.
        DEREncodable pp = algId.getParameters();
        assertNotNull(pp);
View Full Code Here
247
248
249
250
251
252
253
254
255
256
257
    public void testBc146RARequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Check that we can parse request from BouncyCastle version 1.46.
      // Read an initialization request with RAVerifiedPOP with PBE protection to see that we can process it
      ASN1InputStream in = new ASN1InputStream(bc146rapopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be false if we do not allow RA verify POP here, since we don't have any normal POP
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertFalse(msg.verify());
      // Verify should be ok when we allow RA verified POP
View Full Code Here
275
276
277
278
279
280
281
282
283
284
285
    public void testBc146ClientRequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Check that we can parse request from BouncyCastle version 1.46.     
      // Read an initialization request with a signature POP, and signature protection, to see that we can process it
      ASN1InputStream in = new ASN1InputStream(bc146sigpopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be ok if we do not allow RA verify POP here
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      // BC messages in BC1.46 uses POPOSigningKeyInput for POPO, not the 3rd case in RFC4211 section 4.1, like everyone else...
      assertTrue(msg.verify());
View Full Code Here
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
    public void testHuaweiEnodeBClientRequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Read an initialization request to see that we can process it
      ASN1InputStream in = new ASN1InputStream(huaweiir);
    DERObject derObject = in.readObject();
    PKIMessage req = PKIMessage.getInstance(derObject);
    //log.info(req.toString());
      CrmfRequestMessage msg = new CrmfRequestMessage(req, null, false, "CN");
      // This message does not have an issuerDN in the cert template
      assertNull(msg.getIssuerDN());
      // Use a default CA instead
      msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertTrue(msg.verify());
      assertEquals("CN=AdminCA1", msg.getIssuerDN());
      assertEquals("CN=21030533610000000012 eNodeB", msg.getRequestDN());
      assertEquals("21030533610000000012 eNodeB", msg.getUsername());
      // We would like a password here...
    assertNull(msg.getPassword());
    // Verify signature properties
    AlgorithmIdentifier algId = msg.getMessage().getProtectedPart().getHeader().getProtectionAlg();
    String oid = algId.getObjectId().getId();
    assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), oid);
    // Check that we have DERNull and not plain java null as algorithm parameters.
    DEREncodable pp = algId.getParameters();
    assertNotNull(pp);
    assertEquals(DERNull.class.getName(), pp.getClass().getName());
    // Try to verify message protection
    // Does not work for this Huawei message, is it signed by the same key as in the request at all?
    // We will wait for another huawei message to test
    //PublicKey pubKey = msg.getRequestPublicKey();
    //assertTrue(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), pubKey));

      // Read the CertConf (certificate confirmation) CMP message that the client sends to
    // the CA after receiving the certificate. RFC4210 section "5.3.18.  Certificate Confirmation Content".
      in = new ASN1InputStream(huaweicertconf);
    derObject = in.readObject();
    PKIMessage certconf = PKIMessage.getInstance(derObject);
    //log.info(certconf.toString());
    GeneralCmpMessage conf = new GeneralCmpMessage(certconf);
    // Verify signature properties
    algId = conf.getMessage().getProtectedPart().getHeader().getProtectionAlg();
    oid = algId.getObjectId().getId();
View Full Code Here
136
137
138
139
140
141
142
143
144
145
146
147
            ret = false;
          }
        }
        if (ret) {
          // If authentication was correct, we will now try to find the certificate to revoke
          PKIMessage pkimsg = msg.getMessage();
          PKIBody body = pkimsg.getBody();
          RevReqContent rr = body.getRr();
          RevDetails rd = rr.getRevDetails(0);
          CertTemplate ct = rd.getCertDetails();
          DERInteger serno = ct.getSerialNumber();
          X509Name issuer = ct.getIssuer();
View Full Code Here
126
127
128
129
130
131
132
133
134
135
136
      myPKIBody = CmpMessageHelper.createCertRequestRejectBody(myPKIHeader, myPKIStatusInfo, requestId, requestType);
    } else {
      ErrorMsgContent myErrorContent = new ErrorMsgContent(myPKIStatusInfo);
      myPKIBody = new PKIBody(myErrorContent, 23); // 23 = error           
    }
    PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
    if ((getPbeDigestAlg() != null) && (getPbeMacAlg() != null) && (getPbeKeyId() != null) && (getPbeKey() != null) ) {
      responseMessage = CmpMessageHelper.protectPKIMessageWithPBE(myPKIMessage, getPbeKeyId(), getPbeKey(), getPbeDigestAlg(), getPbeMacAlg(), getPbeIterationCount());
    } else {
      responseMessage = CmpMessageHelper.pkiMessageToByteArray(myPKIMessage);     
    }
View Full Code Here
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
   *
   * @param message der encoded CMP message
   * @return IResponseMessage containing the CMP response message or null if there is no message to send back or some internal error has occurred
   */
  private IResponseMessage dispatch(Admin admin, DERObject derObject) {
    final PKIMessage req;
    try {
      req = PKIMessage.getInstance(derObject);
      if ( req==null ) {
        throw new Exception("No CMP message could be parsed from received Der object.");
      }
    } catch (Throwable t) {
      final String eMsg = intres.getLocalizedMessage("cmp.errornotcmpmessage");
      log.error(eMsg, t);
      // If we could not read the message, we should return an error BAD_REQUEST
      return CmpMessageHelper.createUnprotectedErrorMessage(null, ResponseStatus.FAILURE, FailInfo.BAD_REQUEST, eMsg);
    }
    try {
      PKIHeader header = req.getHeader();
      PKIBody body = req.getBody();
     
      int tagno = body.getTagNo();
      if (log.isDebugEnabled()) {
        log.debug("Received CMP message with pvno="+header.getPvno()+", sender="+header.getSender().toString()+", recipient="+header.getRecipient().toString());
        log.debug("Body is of type: "+tagno);
View Full Code Here
TOP

Related Classes of com.novosec.pkix.asn1.crmf.CertRequest

  • org.bouncycastle.asn1.ASN1EncodableVector
  • org.bouncycastle.asn1.ASN1Integer
  • org.bouncycastle.asn1.ASN1Sequence
  • org.bouncycastle.asn1.ASN1TaggedObject
  • org.bouncycastle.asn1.DERNull
  • org.bouncycastle.asn1.DERObjectIdentifier
  • org.bouncycastle.asn1.DEROutputStream
  • org.bouncycastle.asn1.DERSequence
  • org.bouncycastle.asn1.DERTaggedObject
  • org.bouncycastle.asn1.x509.CertificateList
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.