Package org.ejbca.core.protocol.cmp

Source Code of org.ejbca.core.protocol.cmp.CmpResponseMessage

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
/*************************************************************************
*                                                                       *
*  EJBCA: The OpenSource Certificate Authority                          *
*                                                                       *
*  This software is free software; you can redistribute it and/or       *
*  modify it under the terms of the GNU Lesser General Public           *
*  License as published by the Free Software Foundation; either         *
*  version 2.1 of the License, or any later version.                    *
*                                                                       *
*  See terms of license at gnu.org.                                     *
*                                                                       *
*************************************************************************/

package org.ejbca.core.protocol.cmp;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.x509.X509CertificateStructure;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.cms.CMSSignedGenerator;
import org.ejbca.core.protocol.FailInfo;
import org.ejbca.core.protocol.IRequestMessage;
import org.ejbca.core.protocol.IResponseMessage;
import org.ejbca.core.protocol.ResponseStatus;

import com.novosec.pkix.asn1.cmp.CertOrEncCert;
import com.novosec.pkix.asn1.cmp.CertRepMessage;
import com.novosec.pkix.asn1.cmp.CertResponse;
import com.novosec.pkix.asn1.cmp.CertifiedKeyPair;
import com.novosec.pkix.asn1.cmp.ErrorMsgContent;
import com.novosec.pkix.asn1.cmp.PKIBody;
import com.novosec.pkix.asn1.cmp.PKIFreeText;
import com.novosec.pkix.asn1.cmp.PKIHeader;
import com.novosec.pkix.asn1.cmp.PKIMessage;
import com.novosec.pkix.asn1.cmp.PKIStatusInfo;

/**
* CMP certificate response message
* @author tomas
* @version $Id: CmpResponseMessage.java 12039 2011-05-19 17:19:35Z primelars $
*/
public class CmpResponseMessage implements IResponseMessage {
 
  /**
   * Determines if a de-serialized file is compatible with this class.
   *
   * Maintainers must change this value if and only if the new version
   * of this class is not compatible with old versions. See Sun docs
   * for <a href=http://java.sun.com/products/jdk/1.1/docs/guide
   * /serialization/spec/version.doc.html> details. </a>
   *
   */
  static final long serialVersionUID = 10003L;
 
  private static final Logger log = Logger.getLogger(CmpResponseMessage.class);
 
    /** The encoded response message */
    private byte[] responseMessage = null;

    /** status for the response */
  private ResponseStatus status = ResponseStatus.SUCCESS;
 
  /** Possible fail information in the response. Defaults to 'badRequest (2)'. */
  private FailInfo failInfo = FailInfo.BAD_REQUEST;
 
    /** Possible clear text error information in the response. Defaults to null. */
    private String failText = null;

    /**
   * SenderNonce. This is base64 encoded bytes
   */
  private String senderNonce = null;
  /**
   * RecipientNonce in a response is the senderNonce from the request. This is base64 encoded bytes
   */
  private String recipientNonce = null;
 
  /** transaction id */
  private String transactionId = null;
 
  /** Default digest algorithm for SCEP response message, can be overridden */
  private String digestAlg = CMSSignedGenerator.DIGEST_SHA1;
  /** The default provider is BC, if nothing else is specified when setting SignKeyInfo */
  private String provider = "BC";

  /** Certificate to be in certificate response message, not serialized */
  private transient Certificate cert = null;
  /** Certificate for the signer of the response message (CA) */
  private transient Certificate signCert = null;
  /** Private key used to sign the response message */
  private transient PrivateKey signKey = null;
  /** used to choose response body type */
  private transient int requestType;
  /** used to match request with response */
  private transient int requestId;
 
  private transient int pbeIterationCount = 1024;
  private transient String pbeDigestAlg = null;
  private transient String pbeMacAlg = null;
  private transient String pbeKeyId = null;
  private transient String pbeKey = null;
 
  public void setCertificate(Certificate cert) {
    this.cert = cert;
  }
 
  public void setCrl(CRL crl) {
   
  }
 
  public void setIncludeCACert(boolean incCACert) {
  }
  public void setCACert(Certificate cACert) {
  }
 
  public byte[] getResponseMessage() throws IOException, CertificateEncodingException {
        return responseMessage;
  }
 
  public void setStatus(ResponseStatus status) {
        this.status = status;
  }
 
  public ResponseStatus getStatus() {
        return status;
  }
 
  public void setFailInfo(FailInfo failInfo) {
        this.failInfo = failInfo;
  }
 
  public FailInfo getFailInfo() {
        return failInfo;
  }
 
    public void setFailText(String failText) {
      this.failText = failText;
    }

    public String getFailText() {
      return this.failText;
    }

    public boolean create() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException {
    boolean ret = false;
    // Some general stuff, common for all types of messages
    String issuer = null;
    String subject = null;
    if (cert != null) {
      X509Certificate x509cert = (X509Certificate)cert;
      issuer = x509cert.getIssuerDN().getName();
      subject = x509cert.getSubjectDN().getName();
    } else if (signCert != null) {
      issuer = ((X509Certificate)signCert).getSubjectDN().getName();
      subject = "CN=fooSubject";
    } else {
      issuer = "CN=fooIssuer";
      subject = "CN=fooSubject";
    }
   
    X509Name issuerName = new X509Name(issuer);
    X509Name subjectName = new X509Name(subject);
    PKIHeader myPKIHeader = CmpMessageHelper.createPKIHeader(issuerName, subjectName, senderNonce, recipientNonce, transactionId);

    try {
      if (status.equals(ResponseStatus.SUCCESS)) {
        if (cert != null) {
            if (log.isDebugEnabled()) {         
              log.debug("Creating a CertRepMessage 'accepted'");
            }
          PKIStatusInfo myPKIStatusInfo = new PKIStatusInfo(new DERInteger(0)); // 0 = accepted
          CertResponse myCertResponse = new CertResponse(new DERInteger(requestId), myPKIStatusInfo);
         
          X509CertificateStructure struct = X509CertificateStructure.getInstance(new ASN1InputStream(new ByteArrayInputStream(cert.getEncoded())).readObject());
          CertOrEncCert retCert = new CertOrEncCert(struct, 0);
          CertifiedKeyPair myCertifiedKeyPair = new CertifiedKeyPair(retCert);
          myCertResponse.setCertifiedKeyPair(myCertifiedKeyPair);
          //myCertResponse.setRspInfo(new DEROctetString(new byte[] { 101, 111, 121 }));
         
          CertRepMessage myCertRepMessage = new CertRepMessage(myCertResponse);
         
          int respType = requestType + 1; // 1 = intitialization response, 3 = certification response etc
            if (log.isDebugEnabled()) {
              log.debug("Creating response body of type " + respType);
            }
          PKIBody myPKIBody = new PKIBody(myCertRepMessage, respType);
          PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
         
          if ( (pbeKeyId != null) && (pbeKey != null) && (pbeDigestAlg != null) && (pbeMacAlg != null) ) {
            responseMessage = CmpMessageHelper.protectPKIMessageWithPBE(myPKIMessage, pbeKeyId, pbeKey, pbeDigestAlg, pbeMacAlg, pbeIterationCount);
          } else {
            responseMessage = CmpMessageHelper.signPKIMessage(myPKIMessage, (X509Certificate)signCert, signKey, digestAlg, provider);
          }
          ret = true
        }
      } else if (status.equals(ResponseStatus.FAILURE)) {
          if (log.isDebugEnabled()) {
            log.debug("Creating a CertRepMessage 'rejected'");
          }
        // Create a failure message
        PKIStatusInfo myPKIStatusInfo = new PKIStatusInfo(new DERInteger(2)); // 2 = rejection
        myPKIStatusInfo.setFailInfo(failInfo.getAsBitString());
        if (failText != null) {
          myPKIStatusInfo.setStatusString(new PKIFreeText(new DERUTF8String(failText)));         
        }
        PKIBody myPKIBody = CmpMessageHelper.createCertRequestRejectBody(myPKIHeader, myPKIStatusInfo, requestId, requestType);
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
       
        if ( (pbeKeyId != null) && (pbeKey != null) && (pbeDigestAlg != null) && (pbeMacAlg != null) ) {
          responseMessage = CmpMessageHelper.protectPKIMessageWithPBE(myPKIMessage, pbeKeyId, pbeKey, pbeDigestAlg, pbeMacAlg, pbeIterationCount);
        } else {
          responseMessage = CmpMessageHelper.signPKIMessage(myPKIMessage, (X509Certificate)signCert, signKey, digestAlg, provider);
        }
        ret = true
      } else {
          if (log.isDebugEnabled()) {
            log.debug("Creating a 'waiting' message?");
          }
        // Not supported, lets create a PKIError failure instead
        // Create a failure message
        PKIStatusInfo myPKIStatusInfo = new PKIStatusInfo(new DERInteger(2)); // 2 = rejection
        myPKIStatusInfo.setFailInfo(failInfo.getAsBitString());
        if (failText != null) {
          myPKIStatusInfo.setStatusString(new PKIFreeText(new DERUTF8String(failText)));         
        }
        ErrorMsgContent myErrorContent = new ErrorMsgContent(myPKIStatusInfo);
        PKIBody myPKIBody = new PKIBody(myErrorContent, 23); // 23 = error
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
        if ( (pbeKeyId != null) && (pbeKey != null) && (pbeDigestAlg != null) && (pbeMacAlg != null) ) {
          responseMessage = CmpMessageHelper.protectPKIMessageWithPBE(myPKIMessage, pbeKeyId, pbeKey, pbeDigestAlg, pbeMacAlg, pbeIterationCount);
        } else {
          responseMessage = CmpMessageHelper.signPKIMessage(myPKIMessage, (X509Certificate)signCert, signKey, digestAlg, provider);
        }
        ret = true
      }
    } catch (CertificateEncodingException e) {
      log.error("Error creating CertRepMessage: ", e);
    } catch (InvalidKeyException e) {
      log.error("Error creating CertRepMessage: ", e);
    } catch (NoSuchProviderException e) {
      log.error("Error creating CertRepMessage: ", e);
    } catch (NoSuchAlgorithmException e) {
      log.error("Error creating CertRepMessage: ", e);
    } catch (SecurityException e) {
      log.error("Error creating CertRepMessage: ", e);
    } catch (SignatureException e) {
      log.error("Error creating CertRepMessage: ", e);
    }
   
    return ret;
  }
 
  public boolean requireSignKeyInfo() {
    return true;
  }
 
  public void setSignKeyInfo(Certificate cert, PrivateKey key, String provider) {
    this.signCert = cert;
    this.signKey = key;
    if (provider != null) {
      this.provider = provider;
    }
  }
 
  public void setSenderNonce(String senderNonce) {
    this.senderNonce = senderNonce;
  }
 
  public void setRecipientNonce(String recipientNonce) {
    this.recipientNonce = recipientNonce;
  }
 
  public void setTransactionId(String transactionId) {
    this.transactionId = transactionId;
  }
 
  public void setRecipientKeyInfo(byte[] recipientKeyInfo) {
  }
 
  public void setPreferredDigestAlg(String digest) {
    this.digestAlg = digest;
  }

    /** @see org.ejca.core.protocol.IResponseMessage
     */
  public void setRequestType(int reqtype) {
    this.requestType = reqtype;
  }

    /** @see org.ejca.core.protocol.IResponseMessage
     */
    public void setRequestId(int reqid) {
      this.requestId = reqid;
    }
   
    @Override
  public void setProtectionParamsFromRequest(IRequestMessage reqMsg) {
      if (reqMsg instanceof ICrmfRequestMessage) {
        ICrmfRequestMessage crmf = (ICrmfRequestMessage) reqMsg;
      this.pbeIterationCount = crmf.getPbeIterationCount();
      this.pbeDigestAlg = crmf.getPbeDigestAlg();
      this.pbeMacAlg = crmf.getPbeMacAlg();
      this.pbeKeyId = crmf.getPbeKeyId();
      this.pbeKey = crmf.getPbeKey();
    }
    }

}
TOP

Related Classes of org.ejbca.core.protocol.cmp.CmpResponseMessage

  • com.novosec.pkix.asn1.cmp.CertifiedKeyPair
  • com.novosec.pkix.asn1.cmp.CertOrEncCert
  • com.novosec.pkix.asn1.cmp.CertRepMessage
  • com.novosec.pkix.asn1.cmp.CertResponse
  • com.novosec.pkix.asn1.cmp.ErrorMsgContent
  • com.novosec.pkix.asn1.cmp.PKIBody
  • com.novosec.pkix.asn1.cmp.PKIFreeText
  • com.novosec.pkix.asn1.cmp.PKIHeader
  • com.novosec.pkix.asn1.cmp.PKIMessage
  • com.novosec.pkix.asn1.cmp.PKIStatusInfo
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.