List of usage examples for org.bouncycastle.asn1.cmp PKIHeader getSenderKID
public ASN1OctetString getSenderKID()
From source file:org.ejbca.core.protocol.cmp.CmpMessageHelper.java
License:Open Source License
public static PKIHeaderBuilder getHeaderBuilder(PKIHeader head) { PKIHeaderBuilder builder = new PKIHeaderBuilder(head.getPvno().getValue().intValue(), head.getSender(), head.getRecipient());/*from w w w .j a va 2 s. com*/ builder.setFreeText(head.getFreeText()); builder.setGeneralInfo(head.getGeneralInfo()); builder.setMessageTime(head.getMessageTime()); builder.setRecipKID((DEROctetString) head.getRecipKID()); builder.setRecipNonce(head.getRecipNonce()); builder.setSenderKID(head.getSenderKID()); builder.setSenderNonce(head.getSenderNonce()); builder.setTransactionID(head.getTransactionID()); return builder; }
From source file:org.ejbca.core.protocol.cmp.CmpTestCase.java
License:Open Source License
protected static void checkCmpResponseGeneral(byte[] retMsg, String issuerDN, X500Name userDN, Certificate cacert, byte[] senderNonce, byte[] transId, boolean signed, String pbeSecret, String expectedSignAlg)//from w w w .j a v a 2 s . c o m throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException { assertNotNull("No response from server.", retMsg); assertTrue("Response was of 0 length.", retMsg.length > 0); boolean pbe = (pbeSecret != null); // // Parse response message // ASN1InputStream asn1InputStream = new ASN1InputStream(new ByteArrayInputStream(retMsg)); PKIMessage respObject = null; try { respObject = PKIMessage.getInstance(asn1InputStream.readObject()); } finally { asn1InputStream.close(); } assertNotNull(respObject); // The signer, i.e. the CA, check it's the right CA PKIHeader header = respObject.getHeader(); // Check that the message is signed with the correct digest alg if (StringUtils.isEmpty(expectedSignAlg)) { expectedSignAlg = PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(); } // if cacert is ECDSA we should expect an ECDSA signature alg //if (AlgorithmTools.getSignatureAlgorithm(cacert).contains("ECDSA")) { // expectedSignAlg = X9ObjectIdentifiers.ecdsa_with_SHA1.getId(); //} else if(AlgorithmTools.getSignatureAlgorithm(cacert).contains("ECGOST3410")) { // expectedSignAlg = CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001.getId(); //} else if(AlgorithmTools.getSignatureAlgorithm(cacert).contains("DSTU4145")) { // expectedSignAlg = (new ASN1ObjectIdentifier(CesecoreConfiguration.getOidDstu4145())).getId(); //} if (signed) { AlgorithmIdentifier algId = header.getProtectionAlg(); assertNotNull( "Protection algorithm was null when expecting a signed response, this was propably an unprotected error message: " + header.getFreeText(), algId); assertEquals(expectedSignAlg, algId.getAlgorithm().getId()); } if (pbe) { AlgorithmIdentifier algId = header.getProtectionAlg(); assertNotNull( "Protection algorithm was null when expecting a pbe protected response, this was propably an unprotected error message: " + header.getFreeText(), algId); assertEquals("Protection algorithm id: " + algId.getAlgorithm().getId(), CMPObjectIdentifiers.passwordBasedMac.getId(), algId.getAlgorithm().getId()); // 1.2.840.113549.1.1.5 - SHA-1 with RSA Encryption } // Check that the signer is the expected CA assertEquals(header.getSender().getTagNo(), 4); X500Name expissuer = new X500Name(issuerDN); X500Name actissuer = new X500Name(header.getSender().getName().toString()); assertEquals(expissuer, actissuer); if (signed) { // Verify the signature byte[] protBytes = CmpMessageHelper.getProtectedBytes(respObject); DERBitString bs = respObject.getProtection(); Signature sig; try { sig = Signature.getInstance(expectedSignAlg, "BC"); sig.initVerify(cacert); sig.update(protBytes); boolean ret = sig.verify(bs.getBytes()); assertTrue(ret); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); assertTrue(false); } catch (NoSuchProviderException e) { e.printStackTrace(); assertTrue(false); } catch (InvalidKeyException e) { e.printStackTrace(); assertTrue(false); } catch (SignatureException e) { e.printStackTrace(); assertTrue(false); } } if (pbe) { ASN1OctetString os = header.getSenderKID(); assertNotNull(os); String keyId = CmpMessageHelper.getStringFromOctets(os); log.debug("Found a sender keyId: " + keyId); // Verify the PasswordBased protection of the message byte[] protectedBytes = CmpMessageHelper.getProtectedBytes(respObject); DERBitString protection = respObject.getProtection(); AlgorithmIdentifier pAlg = header.getProtectionAlg(); log.debug("Protection type is: " + pAlg.getAlgorithm().getId()); PBMParameter pp = PBMParameter.getInstance(pAlg.getParameters()); int iterationCount = pp.getIterationCount().getPositiveValue().intValue(); log.debug("Iteration count is: " + iterationCount); AlgorithmIdentifier owfAlg = pp.getOwf(); // Normal OWF alg is 1.3.14.3.2.26 - SHA1 log.debug("Owf type is: " + owfAlg.getAlgorithm().getId()); AlgorithmIdentifier macAlg = pp.getMac(); // Normal mac alg is 1.3.6.1.5.5.8.1.2 - HMAC/SHA1 log.debug("Mac type is: " + macAlg.getAlgorithm().getId()); byte[] salt = pp.getSalt().getOctets(); // log.info("Salt is: "+new String(salt)); byte[] raSecret = pbeSecret != null ? pbeSecret.getBytes() : new byte[0]; byte[] basekey = new byte[raSecret.length + salt.length]; System.arraycopy(raSecret, 0, basekey, 0, raSecret.length); for (int i = 0; i < salt.length; i++) { basekey[raSecret.length + i] = salt[i]; } // Construct the base key according to rfc4210, section 5.1.3.1 MessageDigest dig = MessageDigest.getInstance(owfAlg.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); for (int i = 0; i < iterationCount; i++) { basekey = dig.digest(basekey); dig.reset(); } // HMAC/SHA1 os normal 1.3.6.1.5.5.8.1.2 or 1.2.840.113549.2.7 String macOid = macAlg.getAlgorithm().getId(); Mac mac = Mac.getInstance(macOid, BouncyCastleProvider.PROVIDER_NAME); SecretKey key = new SecretKeySpec(basekey, macOid); mac.init(key); mac.reset(); mac.update(protectedBytes, 0, protectedBytes.length); byte[] out = mac.doFinal(); // My out should now be the same as the protection bits byte[] pb = protection.getBytes(); boolean ret = Arrays.equals(out, pb); assertTrue(ret); } // --SenderNonce // SenderNonce is something the server came up with, but it should be 16 // chars byte[] nonce = header.getSenderNonce().getOctets(); assertEquals(nonce.length, 16); // --Recipient Nonce // recipient nonce should be the same as we sent away as sender nonce nonce = header.getRecipNonce().getOctets(); assertEquals(new String(nonce), new String(senderNonce)); // --Transaction ID // transid should be the same as the one we sent nonce = header.getTransactionID().getOctets(); assertEquals(new String(nonce), new String(transId)); }
From source file:org.ejbca.core.protocol.cmp.CrmfRequestMessageTest.java
License:Open Source License
@Test public void testNovosecRARequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, CertificateEncodingException, SignatureException, IllegalStateException { // Check that we can parse a request from Novosec (patched by EJBCA). // Read an initialization request with RAVerifiedPOP and PBE protection to see that we can process it ASN1InputStream in = new ASN1InputStream(novosecrapopir); try {/*from www. ja v a 2 s . co m*/ ASN1Primitive derObject = in.readObject(); PKIMessage req = PKIMessage.getInstance(derObject); //log.info(req.toString()); // Verify should be false if we do not allow RA verify POP here, since we don't have any normal POP CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN"); assertFalse(msg.verify()); // Verify should be ok when we allow RA verified POP msg = new CrmfRequestMessage(req, "CN=AdminCA1", true, "CN"); assertTrue(msg.verify()); assertEquals("CN=AdminCA1,O=EJBCA Sample,C=SE", msg.getIssuerDN()); assertEquals("CN=abc123rry-4371939543913639881,O=PrimeKey Solutions AB,C=SE", msg.getRequestDN()); assertEquals("abc123rry-4371939543913639881", msg.getUsername()); assertEquals("foo123", msg.getPassword()); // Verify PBE protection PKIHeader head = msg.getHeader(); final ASN1OctetString os = head.getSenderKID(); String keyId = CmpMessageHelper.getStringFromOctets(os); assertEquals("mykeyid", keyId); final CmpPbeVerifyer verifyer = new CmpPbeVerifyer(msg.getMessage()); assertTrue(verifyer.verify("foo123")); assertFalse(verifyer.verify("bar123")); } finally { in.close(); } }
From source file:org.ejbca.core.protocol.cmp.CrmfRequestMessageTest.java
License:Open Source License
private void internalBcRARequestTest(byte[] message) throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException { // Check that we can parse request from BouncyCastle version 1.46. // Read an initialization request with RAVerifiedPOP with PBE protection to see that we can process it ASN1InputStream in = new ASN1InputStream(message); try {//from w w w .java 2 s. c om ASN1Primitive derObject = in.readObject(); PKIMessage req = PKIMessage.getInstance(derObject); //log.info(req.toString()); // Verify should be false if we do not allow RA verify POP here, since we don't have any normal POP CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN"); assertFalse(msg.verify()); // Verify should be ok when we allow RA verified POP msg = new CrmfRequestMessage(req, "CN=AdminCA1", true, "CN"); assertTrue(msg.verify()); assertEquals("CN=AdminCA1", msg.getIssuerDN()); assertEquals("CN=user", msg.getRequestDN()); assertEquals("user", msg.getUsername()); // We should want a password assertEquals("foo123", msg.getPassword()); // Verify PBE protection PKIHeader head = msg.getHeader(); final ASN1OctetString os = head.getSenderKID(); String keyId = CmpMessageHelper.getStringFromOctets(os); assertEquals("KeyId", keyId); final CmpPbeVerifyer verifyer = new CmpPbeVerifyer(msg.getMessage()); assertTrue(verifyer.verify("password")); assertFalse(verifyer.verify("foo123")); } finally { in.close(); } }
From source file:org.ejbca.core.protocol.cmp.CrmfRequestTest.java
License:Open Source License
@Test public void test09KeyIdTest() { log.trace(">test09KeyIdTest()"); DEROctetString octs = new DEROctetString("foo123".getBytes()); String keyid = CmpMessageHelper.getStringFromOctets(octs); assertEquals("foo123", keyid); PKIHeaderBuilder headerbuilder = new PKIHeaderBuilder(2, new GeneralName(new X500Name("CN=Sender")), new GeneralName(new X500Name("CN=Recipient"))); headerbuilder.setSenderKID(new DEROctetString("foo123".getBytes())); PKIHeader header = headerbuilder.build(); keyid = CmpMessageHelper.getStringFromOctets(header.getSenderKID()); assertEquals("foo123", keyid); log.trace("<test09KeyIdTest()"); }
From source file:org.ejbca.ui.cmpclient.CmpClientMessageHelper.java
License:Open Source License
private PKIHeaderBuilder getHeaderBuilder(PKIHeader head) { PKIHeaderBuilder builder = new PKIHeaderBuilder(head.getPvno().getValue().intValue(), head.getSender(), head.getRecipient());//from ww w. j a va 2s . c o m builder.setFreeText(head.getFreeText()); builder.setGeneralInfo(head.getGeneralInfo()); builder.setMessageTime(head.getMessageTime()); builder.setRecipKID((DEROctetString) head.getRecipKID()); builder.setRecipNonce(head.getRecipNonce()); builder.setSenderKID(head.getSenderKID()); builder.setSenderNonce(head.getSenderNonce()); builder.setTransactionID(head.getTransactionID()); return builder; }
From source file:org.xipki.ca.common.cmp.CmpUtil.java
License:Open Source License
public static PKIMessage addProtection(final PKIMessage pkiMessage, final ConcurrentContentSigner signer, GeneralName signerName, final boolean addSignerCert) throws CMPException, NoIdleSignerException { if (signerName == null) { X500Name x500Name = X500Name .getInstance(signer.getCertificate().getSubjectX500Principal().getEncoded()); signerName = new GeneralName(x500Name); }//from w w w . j av a2 s .co m PKIHeader header = pkiMessage.getHeader(); ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(signerName, header.getRecipient()); PKIFreeText freeText = header.getFreeText(); if (freeText != null) { builder.setFreeText(freeText); } InfoTypeAndValue[] generalInfo = header.getGeneralInfo(); if (generalInfo != null) { for (InfoTypeAndValue gi : generalInfo) { builder.addGeneralInfo(gi); } } ASN1OctetString octet = header.getRecipKID(); if (octet != null) { builder.setRecipKID(octet.getOctets()); } octet = header.getRecipNonce(); if (octet != null) { builder.setRecipNonce(octet.getOctets()); } octet = header.getSenderKID(); if (octet != null) { builder.setSenderKID(octet.getOctets()); } octet = header.getSenderNonce(); if (octet != null) { builder.setSenderNonce(octet.getOctets()); } octet = header.getTransactionID(); if (octet != null) { builder.setTransactionID(octet.getOctets()); } if (header.getMessageTime() != null) { builder.setMessageTime(new Date()); } builder.setBody(pkiMessage.getBody()); if (addSignerCert) { X509CertificateHolder signerCert = signer.getCertificateAsBCObject(); builder.addCMPCertificate(signerCert); } ContentSigner realSigner = signer.borrowContentSigner(); try { ProtectedPKIMessage signedMessage = builder.build(realSigner); return signedMessage.toASN1Structure(); } finally { signer.returnContentSigner(realSigner); } }
From source file:org.xipki.pki.ca.common.cmp.CmpUtil.java
License:Open Source License
public static PKIMessage addProtection(final PKIMessage pkiMessage, final ConcurrentContentSigner signer, final GeneralName signerName, final boolean addSignerCert) throws CMPException, NoIdleSignerException { ParamUtil.requireNonNull("pkiMessage", pkiMessage); ParamUtil.requireNonNull("signer", signer); final GeneralName tmpSignerName; if (signerName != null) { tmpSignerName = signerName;//from w w w. j av a 2 s. co m } else { if (signer.getCertificate() == null) { throw new IllegalArgumentException("signer without certificate is not allowed"); } X500Name x500Name = X500Name .getInstance(signer.getCertificate().getSubjectX500Principal().getEncoded()); tmpSignerName = new GeneralName(x500Name); } PKIHeader header = pkiMessage.getHeader(); ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(tmpSignerName, header.getRecipient()); PKIFreeText freeText = header.getFreeText(); if (freeText != null) { builder.setFreeText(freeText); } InfoTypeAndValue[] generalInfo = header.getGeneralInfo(); if (generalInfo != null) { for (InfoTypeAndValue gi : generalInfo) { builder.addGeneralInfo(gi); } } ASN1OctetString octet = header.getRecipKID(); if (octet != null) { builder.setRecipKID(octet.getOctets()); } octet = header.getRecipNonce(); if (octet != null) { builder.setRecipNonce(octet.getOctets()); } octet = header.getSenderKID(); if (octet != null) { builder.setSenderKID(octet.getOctets()); } octet = header.getSenderNonce(); if (octet != null) { builder.setSenderNonce(octet.getOctets()); } octet = header.getTransactionID(); if (octet != null) { builder.setTransactionID(octet.getOctets()); } if (header.getMessageTime() != null) { builder.setMessageTime(new Date()); } builder.setBody(pkiMessage.getBody()); if (addSignerCert) { X509CertificateHolder signerCert = signer.getCertificateAsBcObject(); builder.addCMPCertificate(signerCert); } ProtectedPKIMessage signedMessage = signer.build(builder); return signedMessage.toASN1Structure(); }