List of usage examples for org.bouncycastle.asn1.cmp PKIFailureInfo unacceptedPolicy
int unacceptedPolicy
To view the source code for org.bouncycastle.asn1.cmp PKIFailureInfo unacceptedPolicy.
Click Source Link
From source file:be.fedict.eid.applet.service.signer.time.TSPTimeStampService.java
License:Open Source License
public byte[] timeStamp(byte[] data, RevocationData revocationData) throws Exception { // digest the message MessageDigest messageDigest = MessageDigest.getInstance(this.digestAlgo); byte[] digest = messageDigest.digest(data); // generate the TSP request BigInteger nonce = new BigInteger(128, new SecureRandom()); TimeStampRequestGenerator requestGenerator = new TimeStampRequestGenerator(); requestGenerator.setCertReq(true);//from ww w . ja va 2s .c o m if (null != this.requestPolicy) { requestGenerator.setReqPolicy(this.requestPolicy); } TimeStampRequest request = requestGenerator.generate(this.digestAlgoOid, digest, nonce); byte[] encodedRequest = request.getEncoded(); // create the HTTP client HttpClient httpClient = new HttpClient(); if (null != this.username) { Credentials credentials = new UsernamePasswordCredentials(this.username, this.password); httpClient.getState().setCredentials(AuthScope.ANY, credentials); } if (null != this.proxyHost) { httpClient.getHostConfiguration().setProxy(this.proxyHost, this.proxyPort); } // create the HTTP POST request PostMethod postMethod = new PostMethod(this.tspServiceUrl); RequestEntity requestEntity = new ByteArrayRequestEntity(encodedRequest, "application/timestamp-query"); postMethod.addRequestHeader("User-Agent", this.userAgent); postMethod.setRequestEntity(requestEntity); // invoke TSP service int statusCode = httpClient.executeMethod(postMethod); if (HttpStatus.SC_OK != statusCode) { LOG.error("Error contacting TSP server " + this.tspServiceUrl); throw new Exception("Error contacting TSP server " + this.tspServiceUrl); } // HTTP input validation Header responseContentTypeHeader = postMethod.getResponseHeader("Content-Type"); if (null == responseContentTypeHeader) { throw new RuntimeException("missing Content-Type header"); } String contentType = responseContentTypeHeader.getValue(); if (!contentType.startsWith("application/timestamp-reply")) { LOG.debug("response content: " + postMethod.getResponseBodyAsString()); throw new RuntimeException("invalid Content-Type: " + contentType); } if (0 == postMethod.getResponseContentLength()) { throw new RuntimeException("Content-Length is zero"); } // TSP response parsing and validation InputStream inputStream = postMethod.getResponseBodyAsStream(); TimeStampResponse timeStampResponse = new TimeStampResponse(inputStream); timeStampResponse.validate(request); if (0 != timeStampResponse.getStatus()) { LOG.debug("status: " + timeStampResponse.getStatus()); LOG.debug("status string: " + timeStampResponse.getStatusString()); PKIFailureInfo failInfo = timeStampResponse.getFailInfo(); if (null != failInfo) { LOG.debug("fail info int value: " + failInfo.intValue()); if (PKIFailureInfo.unacceptedPolicy == failInfo.intValue()) { LOG.debug("unaccepted policy"); } } throw new RuntimeException("timestamp response status != 0: " + timeStampResponse.getStatus()); } TimeStampToken timeStampToken = timeStampResponse.getTimeStampToken(); SignerId signerId = timeStampToken.getSID(); BigInteger signerCertSerialNumber = signerId.getSerialNumber(); X500Principal signerCertIssuer = signerId.getIssuer(); LOG.debug("signer cert serial number: " + signerCertSerialNumber); LOG.debug("signer cert issuer: " + signerCertIssuer); // TSP signer certificates retrieval CertStore certStore = timeStampToken.getCertificatesAndCRLs("Collection", BouncyCastleProvider.PROVIDER_NAME); Collection<? extends Certificate> certificates = certStore.getCertificates(null); X509Certificate signerCert = null; Map<String, X509Certificate> certificateMap = new HashMap<String, X509Certificate>(); for (Certificate certificate : certificates) { X509Certificate x509Certificate = (X509Certificate) certificate; if (signerCertIssuer.equals(x509Certificate.getIssuerX500Principal()) && signerCertSerialNumber.equals(x509Certificate.getSerialNumber())) { signerCert = x509Certificate; } String ski = Hex.encodeHexString(getSubjectKeyId(x509Certificate)); certificateMap.put(ski, x509Certificate); LOG.debug("embedded certificate: " + x509Certificate.getSubjectX500Principal() + "; SKI=" + ski); } // TSP signer cert path building if (null == signerCert) { throw new RuntimeException("TSP response token has no signer certificate"); } List<X509Certificate> tspCertificateChain = new LinkedList<X509Certificate>(); X509Certificate certificate = signerCert; do { LOG.debug("adding to certificate chain: " + certificate.getSubjectX500Principal()); tspCertificateChain.add(certificate); if (certificate.getSubjectX500Principal().equals(certificate.getIssuerX500Principal())) { break; } String aki = Hex.encodeHexString(getAuthorityKeyId(certificate)); certificate = certificateMap.get(aki); } while (null != certificate); // verify TSP signer signature timeStampToken.validate(tspCertificateChain.get(0), BouncyCastleProvider.PROVIDER_NAME); // verify TSP signer certificate this.validator.validate(tspCertificateChain, revocationData); LOG.debug("time-stamp token time: " + timeStampToken.getTimeStampInfo().getGenTime()); byte[] timestamp = timeStampToken.getEncoded(); return timestamp; }
From source file:org.signserver.module.tsa.RequestedPolicyDispatcher.java
License:Open Source License
@Override public ProcessResponse processData(final ProcessRequest signRequest, final RequestContext context) throws IllegalRequestException, CryptoTokenOfflineException, SignServerException { final GenericSignResponse result; // Log values final LogMap logMap = LogMap.getInstance(context); // Check context final RequestContext nextContext = context; if (context.get(this.getClass().getName()) != null) { throw new SignServerException("Dispatcher called more then one time for the same request. Aborting."); } else {/*from w ww. ja va 2 s . c o m*/ context.put(this.getClass().getName(), "called"); } // Check that the request contains a valid TimeStampRequest object. if (!(signRequest instanceof GenericSignRequest)) { throw new IllegalRequestException("Recieved request wasn't a expected GenericSignRequest."); } final ISignRequest sReq = (ISignRequest) signRequest; // Get TimeStampRequest final TimeStampRequest timeStampRequest; if (sReq.getRequestData() instanceof TimeStampRequest) { timeStampRequest = (TimeStampRequest) sReq.getRequestData(); } else if (sReq.getRequestData() instanceof byte[]) { try { timeStampRequest = new TimeStampRequest((byte[]) sReq.getRequestData()); } catch (IOException ex) { throw new IllegalRequestException("Could not parse TimeStampRequest", ex); } } else { throw new IllegalRequestException("Expected a TimeStampRequest"); } try { // Add to context if (timeStampRequest.getReqPolicy() != null) { nextContext.put(TSA_REQUESTEDPOLICYOID, timeStampRequest.getReqPolicy().getId()); } // Find to which worker the request should be dispatched final String toWorker = lookupWorkerToDispatchTo(timeStampRequest, context); if (toWorker == null) { final TimeStampResponseGenerator gen = new TimeStampResponseGenerator(null, null); final String statusString = includeStatusString ? "request contains unknown policy." : null; final TimeStampResponse resp = gen.generateFailResponse(PKIStatus.REJECTION, PKIFailureInfo.unacceptedPolicy, statusString); // Auditlog logMap.put(IWorkerLogger.LOG_CLIENT_AUTHORIZED, "false"); logMap.put(IWorkerLogger.LOG_EXCEPTION, "requested policy not supported"); result = new GenericServletResponse(sReq.getRequestID(), resp.getEncoded(), null, null, null, RESPONSE_CONTENT_TYPE); } else { int toWorkerId = 0; try { toWorkerId = Integer.parseInt(toWorker); } catch (NumberFormatException ignored) { } if (toWorkerId < 1) { toWorkerId = getWorkerSession().getWorkerId(toWorker); } // Mark request comming from a dispatcher so the DispatchedAuthorizer can be used context.put(RequestContext.DISPATCHER_AUTHORIZED_CLIENT, true); HttpServletRequest httpRequest = null; if (sReq instanceof GenericServletRequest) { httpRequest = ((GenericServletRequest) sReq).getHttpServletRequest(); } ProcessRequest newRequest = new GenericServletRequest(sReq.getRequestID(), (byte[]) sReq.getRequestData(), httpRequest); result = (GenericSignResponse) getWorkerSession().process(toWorkerId, newRequest, context); } } catch (IOException e) { logMap.put(ITimeStampLogger.LOG_TSA_EXCEPTION, e.getMessage()); throw new SignServerException("Response message could not be constructed", e); } catch (TSPException e) { throw new SignServerException("Response message could not be constructed", e); } return result; }
From source file:org.signserver.module.tsa.RequestedPolicyDispatcherTest.java
License:Open Source License
/** * Tests that the signers only accepts requests with their profile. *//*w w w .ja v a2 s . co m*/ @Test public void test02AcceptedProfiles() throws Exception { TimeStampRequestGenerator gen = new TimeStampRequestGenerator(); TimeStampRequest req; TimeStampResponse res; resetDispatchedAuthorizerForAllWorkers(); // Test that worker1 accepts its profile but not the other gen.setReqPolicy(WORKER1_PROFILE); req = gen.generate(TSPAlgorithms.SHA1, new byte[20], createNounce()); res = requestTimeStamp(WORKER1, req); assertEquals("token granted", PKIStatus.GRANTED, res.getStatus()); assertEquals("right profile", WORKER1_PROFILE, res.getTimeStampToken().getTimeStampInfo().getPolicy().getId()); assertValid(req, res); gen.setReqPolicy(WORKER2_PROFILE); req = gen.generate(TSPAlgorithms.SHA1, new byte[20], createNounce()); res = requestTimeStamp(WORKER1, req); assertEquals("token rejection", PKIStatus.REJECTION, res.getStatus()); assertEquals(new PKIFailureInfo(PKIFailureInfo.unacceptedPolicy), res.getFailInfo()); assertValid(req, res); gen.setReqPolicy(WORKER3_PROFILE); req = gen.generate(TSPAlgorithms.SHA1, new byte[20], createNounce()); res = requestTimeStamp(WORKER1, req); assertEquals("token rejection", PKIStatus.REJECTION, res.getStatus()); assertEquals(new PKIFailureInfo(PKIFailureInfo.unacceptedPolicy), res.getFailInfo()); assertValid(req, res); // Test that worker2 accepts its profile but not the other gen.setReqPolicy(WORKER2_PROFILE); req = gen.generate(TSPAlgorithms.SHA1, new byte[20], createNounce()); res = requestTimeStamp(WORKER2, req); assertEquals("token granted", PKIStatus.GRANTED, res.getStatus()); assertEquals("right profile", WORKER2_PROFILE, res.getTimeStampToken().getTimeStampInfo().getPolicy().getId()); assertValid(req, res); gen.setReqPolicy(WORKER1_PROFILE); req = gen.generate(TSPAlgorithms.SHA1, new byte[20], createNounce()); res = requestTimeStamp(WORKER2, req); assertEquals("token rejection", PKIStatus.REJECTION, res.getStatus()); assertEquals(new PKIFailureInfo(PKIFailureInfo.unacceptedPolicy), res.getFailInfo()); gen.setReqPolicy(WORKER3_PROFILE); req = gen.generate(TSPAlgorithms.SHA1, new byte[20], createNounce()); res = requestTimeStamp(WORKER2, req); assertEquals("token rejection", PKIStatus.REJECTION, res.getStatus()); assertEquals(new PKIFailureInfo(PKIFailureInfo.unacceptedPolicy), res.getFailInfo()); // Test that worker3 accepts its profile but not the other gen.setReqPolicy(WORKER3_PROFILE); req = gen.generate(TSPAlgorithms.SHA1, new byte[20], createNounce()); res = requestTimeStamp(WORKER3, req); assertEquals("token granted", PKIStatus.GRANTED, res.getStatus()); assertEquals("right profile", WORKER3_PROFILE, res.getTimeStampToken().getTimeStampInfo().getPolicy().getId()); assertValid(req, res); gen.setReqPolicy(WORKER1_PROFILE); req = gen.generate(TSPAlgorithms.SHA1, new byte[20], createNounce()); res = requestTimeStamp(WORKER3, req); assertEquals("token rejection", PKIStatus.REJECTION, res.getStatus()); assertEquals(new PKIFailureInfo(PKIFailureInfo.unacceptedPolicy), res.getFailInfo()); gen.setReqPolicy(WORKER2_PROFILE); req = gen.generate(TSPAlgorithms.SHA1, new byte[20], createNounce()); res = requestTimeStamp(WORKER3, req); assertEquals("token rejection", PKIStatus.REJECTION, res.getStatus()); assertEquals(new PKIFailureInfo(PKIFailureInfo.unacceptedPolicy), res.getFailInfo()); }
From source file:org.signserver.module.tsa.RequestedPolicyDispatcherTest.java
License:Open Source License
/** * Tests that requests going through the dispatcher gets the right profiles. *//*from w w w. j av a 2 s . c o m*/ @Test public void test03AcceptedProfilesThroughDispatcher() throws Exception { try { TimeStampRequestGenerator gen = new TimeStampRequestGenerator(); TimeStampRequest req; TimeStampResponse res; setDispatchedAuthorizerForAllWorkers(); // Test that a request with WORKER1_PROFILE is accepted gen.setReqPolicy(WORKER1_PROFILE); req = gen.generate(TSPAlgorithms.SHA256, new byte[32], createNounce()); res = requestTimeStamp(DISPATCHER0, req); assertEquals("token granted", PKIStatus.GRANTED, res.getStatus()); assertEquals("right profile", WORKER1_PROFILE, res.getTimeStampToken().getTimeStampInfo().getPolicy().getId()); assertValid(req, res); // Test that a request with WORKER2_PROFILE is accepted gen.setReqPolicy(WORKER2_PROFILE); req = gen.generate(TSPAlgorithms.SHA256, new byte[32], createNounce()); res = requestTimeStamp(DISPATCHER0, req); assertEquals("token granted", PKIStatus.GRANTED, res.getStatus()); assertEquals("right profile", WORKER2_PROFILE, res.getTimeStampToken().getTimeStampInfo().getPolicy().getId()); assertValid(req, res); // Test that a request with WORKER3_PROFILE is accepted gen.setReqPolicy(WORKER3_PROFILE); req = gen.generate(TSPAlgorithms.SHA256, new byte[32], createNounce()); res = requestTimeStamp(DISPATCHER0, req); assertEquals("token granted", PKIStatus.GRANTED, res.getStatus()); assertEquals("right profile", WORKER3_PROFILE, res.getTimeStampToken().getTimeStampInfo().getPolicy().getId()); assertValid(req, res); // Test that an unknown profile is not accepted (USEDEFAULTIFMISMATCH=false) gen.setReqPolicy(UNSUPPORTED_PROFILE); req = gen.generate(TSPAlgorithms.SHA256, new byte[32], createNounce()); res = requestTimeStamp(DISPATCHER0, req); assertEquals("token rejection", PKIStatus.REJECTION, res.getStatus()); assertEquals(new PKIFailureInfo(PKIFailureInfo.unacceptedPolicy), res.getFailInfo()); // Test that an unknown profile is not accepted (USEDEFAULTIFMISMATCH=true but profile not known by the default worker) gen.setReqPolicy(UNSUPPORTED_PROFILE); req = gen.generate(TSPAlgorithms.SHA256, new byte[32], createNounce()); res = requestTimeStamp(DISPATCHER9, req); assertEquals("token rejection", PKIStatus.REJECTION, res.getStatus()); assertEquals(new PKIFailureInfo(PKIFailureInfo.unacceptedPolicy), res.getFailInfo()); } finally { resetDispatchedAuthorizerForAllWorkers(); } }
From source file:org.signserver.module.tsa.RequestedPolicyDispatcherTest.java
License:Open Source License
/** * Tests the USEDEFAULTIFMISMATCH option which dispatches requests to the * default worker if no mapping matched. *///from w w w. java 2 s. co m @Test public void test05UseDefaultIfMisMatch() throws Exception { try { TimeStampRequestGenerator gen = new TimeStampRequestGenerator(); TimeStampRequest req; TimeStampResponse res; setDispatchedAuthorizerForAllWorkers(); // Test that an profile not known by DISPATCHER0 but by a TSUnit1 is not accepted (USEDEFAULTIFMISMATCH=false) gen.setReqPolicy(WORKER1_ALTERNATIVE_PROFILE); req = gen.generate(TSPAlgorithms.SHA256, new byte[32], createNounce()); res = requestTimeStamp(DISPATCHER0, req); assertEquals("token rejection", PKIStatus.REJECTION, res.getStatus()); assertEquals(new PKIFailureInfo(PKIFailureInfo.unacceptedPolicy), res.getFailInfo()); // Test that an profile not known by DISPATCHER9 but by a TSUnit1 is accepted (USEDEFAULTIFMISMATCH=true) gen.setReqPolicy(WORKER1_ALTERNATIVE_PROFILE); req = gen.generate(TSPAlgorithms.SHA256, new byte[32], createNounce()); res = requestTimeStamp(DISPATCHER9, req); assertEquals("token granted", PKIStatus.GRANTED, res.getStatus()); assertEquals("right profile", WORKER1_ALTERNATIVE_PROFILE, res.getTimeStampToken().getTimeStampInfo().getPolicy().getId()); // Test that an profile not known by DISPATCHER9 and not by a TSUnit1 is rejected even though USEDEFAULTIFMISMATCH=true gen.setReqPolicy(UNSUPPORTED_PROFILE); req = gen.generate(TSPAlgorithms.SHA256, new byte[32], createNounce()); res = requestTimeStamp(DISPATCHER9, req); assertEquals("token rejection", PKIStatus.REJECTION, res.getStatus()); assertEquals(new PKIFailureInfo(PKIFailureInfo.unacceptedPolicy), res.getFailInfo()); } finally { resetDispatchedAuthorizerForAllWorkers(); } }