public IResponseMessage handleMessage(BaseCmpMessage msg) {
if (LOG.isTraceEnabled()) {
LOG.trace(">handleMessage");
}
int version = msg.getHeader().getPvno().getValue().intValue();
IResponseMessage resp = null;
// if version == 1 it is cmp1999 and we should not return a message back
if (version > 1) {
// Try to find a HMAC/SHA1 protection key
String owfAlg = null;
String macAlg = null;
int iterationCount = 1024;
String cmpRaAuthSecret = null;
String keyId = getSenderKeyId(msg.getHeader());
if (keyId != null) {
try {
CmpPbeVerifyer verifyer = new CmpPbeVerifyer(msg.getMessage());
owfAlg = verifyer.getOwfOid();
macAlg = verifyer.getMacOid();
iterationCount = verifyer.getIterationCount();
// If we use a globally configured shared secret for all CAs we check it right away
if (raAuthenticationSecret != null) {
if (!verifyer.verify(raAuthenticationSecret)) {
String err = "Protection verified false on ConformationMessage";
LOG.error(err);
return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE, FailInfo.BAD_MESSAGE_CHECK, err);
}
cmpRaAuthSecret = raAuthenticationSecret;
} else {
// Get the correct profiles' and CA ids based on current configuration.
CAInfo caInfo;
try {
int eeProfileId = getUsedEndEntityProfileId(keyId);
int caId = getUsedCaId(keyId, eeProfileId);
caInfo = caAdminSession.getCAInfo(admin, caId);
} catch (NotFoundException e) {
LOG.info(INTRES.getLocalizedMessage(CMP_ERRORGENERAL, e.getMessage()), e);
return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE, FailInfo.INCORRECT_DATA, e.getMessage());
} catch (EJBException e) {
final String errMsg = INTRES.getLocalizedMessage(CMP_ERRORADDUSER);
LOG.error(errMsg, e);
return null; // Fatal error
}
if (caInfo instanceof X509CAInfo) {
cmpRaAuthSecret = ((X509CAInfo) caInfo).getCmpRaAuthSecret();
}
// Now we know which CA the request is for, if we didn't use a global shared secret we can check it now!
if (cmpRaAuthSecret == null || !verifyer.verify(cmpRaAuthSecret)) {
String errMsg = INTRES.getLocalizedMessage("cmp.errorauthmessage");
LOG.info(errMsg); // info because this is something we should expect and we handle it
if (verifyer.getErrMsg() != null) {
errMsg = verifyer.getErrMsg();
}
return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE, FailInfo.BAD_MESSAGE_CHECK, errMsg);
}
}
} catch (NoSuchAlgorithmException e) {
LOG.error("Exception calculating protection: ", e);
return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE, FailInfo.BAD_MESSAGE_CHECK, e.getMessage());
} catch (NoSuchProviderException e) {
LOG.error("Exception calculating protection: ", e);
return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE, FailInfo.BAD_MESSAGE_CHECK, e.getMessage());
} catch (InvalidKeyException e) {
LOG.error("Exception calculating protection: ", e);
return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE, FailInfo.BAD_MESSAGE_CHECK, e.getMessage());
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("Creating a PKI confirm message response");
}
CmpConfirmResponseMessage cresp = new CmpConfirmResponseMessage();
cresp.setRecipientNonce(msg.getSenderNonce());
cresp.setSenderNonce(new String(Base64.encode(CmpMessageHelper.createSenderNonce())));
cresp.setSender(msg.getRecipient());
cresp.setRecipient(msg.getSender());
cresp.setTransactionId(msg.getTransactionId());
// Set all protection parameters
if (LOG.isDebugEnabled()) {
LOG.debug(responseProtection+", "+owfAlg+", "+macAlg+", "+keyId+", "+cmpRaAuthSecret);
}
if (StringUtils.equals(responseProtection, "pbe") && (owfAlg != null) && (macAlg != null) && (keyId != null) && (cmpRaAuthSecret != null) ) {
cresp.setPbeParameters(keyId, cmpRaAuthSecret, owfAlg, macAlg, iterationCount);
}
resp = cresp;
try {
resp.create();
} catch (InvalidKeyException e) {
LOG.error("Exception during CMP processing: ", e);
} catch (NoSuchAlgorithmException e) {
LOG.error("Exception during CMP processing: ", e);
} catch (NoSuchProviderException e) {