CMSProcessable msg;
// Create encrypted response if this is success and NOT a CRL response message
if (status.equals(ResponseStatus.SUCCESS)) {
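// Success path: build a degenerate (certificates/CRLs only) SignedData and wrap it in an
// EnvelopedData addressed to the requester. The resulting bytes are stored in msg.
CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
// Collect what goes into the inner SignedData: the CRL if one is set, otherwise the issued
// certificate and, optionally, a CA certificate.
ArrayList certList = new ArrayList();
if (crl != null) {
    log.debug("Adding CRL to response message (inner signer)");
    certList.add(crl);
} else if (cert != null) {
    log.debug("Adding certificates to response message");
    certList.add(cert);
    // Add the CA cert, it's optional but Cisco VPN client complains if it isn't there
    if (includeCACert) {
        if (caCert != null) {
            // An explicit CA certificate was configured, so send that one.
            log.debug("Including explicitly set CA certificate in SCEP response.");
            certList.add(caCert);
        } else {
            // Without an explicit caCert the signer certificate is assumed to be the CA certificate.
            // With an explicit caCert the signCert is probably the RA certificate and is not included.
            log.debug("Including message signer certificate in SCEP response.");
            certList.add(signCert);
        }
    }
}
CertStore certs = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(certList), "BC");
// Create the signed CMS message to be contained inside the envelope.
// It carries no content and no signerInfo, so this inner structure provides no integrity or
// origin protection by itself.
// NOTE(review): confirm the enclosing method signs the enveloped bytes afterwards.
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
gen.addCertificatesAndCRLs(certs);
CMSSignedData s = gen.generate(null, false, "BC");
// Envelope the CMS message for the requester's key.
if (recipientKeyInfo != null) {
    try {
        X509Certificate rec = (X509Certificate)CertTools.getCertfromByteArray(recipientKeyInfo);
        log.debug("Added recipient information - issuer: '" + CertTools.getIssuerDN(rec) + "', serno: '" + CertTools.getSerialNumberAsString(rec));
        edGen.addKeyTransRecipient(rec);
    } catch (CertificateException e) {
        // Keep the decoding failure as the cause so the root error is not lost in logs.
        IOException ioe = new IOException("Can not decode recipients self signed certificate!");
        ioe.initCause(e);
        throw ioe;
    }
} else {
    // NOTE(review): on the CRL path cert may be null here (the branch above only checks it after
    // crl); confirm callers always supply recipientKeyInfo in that case.
    edGen.addKeyTransRecipient((X509Certificate) cert);
}
// SECURITY: the content-encryption algorithm is single DES in CBC mode (56-bit key), which does
// not give meaningful confidentiality against a capable attacker. Presumably it is kept for
// compatibility with older SCEP clients.
// NOTE(review): consider making the algorithm configurable so that a stronger cipher can be used
// where the client supports it.
CMSEnvelopedData ed = edGen.generate(new CMSProcessableByteArray(s.getEncoded()),
        SMIMECapability.dES_CBC.getId(), "BC");
// Encode once and reuse the bytes for both the log line and the message body.
byte[] envelopedBytes = ed.getEncoded();
log.debug("Enveloped data is " + envelopedBytes.length + " bytes long");
msg = new CMSProcessableByteArray(envelopedBytes);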
} else {