List of usage examples for org.bouncycastle.asn1.cmp PKIHeader getSenderNonce
public ASN1OctetString getSenderNonce()
From source file:org.ejbca.core.protocol.cmp.CmpMessageHelper.java
License:Open Source License
public static PKIHeaderBuilder getHeaderBuilder(PKIHeader head) { PKIHeaderBuilder builder = new PKIHeaderBuilder(head.getPvno().getValue().intValue(), head.getSender(), head.getRecipient());//from w w w. java2 s .co m builder.setFreeText(head.getFreeText()); builder.setGeneralInfo(head.getGeneralInfo()); builder.setMessageTime(head.getMessageTime()); builder.setRecipKID((DEROctetString) head.getRecipKID()); builder.setRecipNonce(head.getRecipNonce()); builder.setSenderKID(head.getSenderKID()); builder.setSenderNonce(head.getSenderNonce()); builder.setTransactionID(head.getTransactionID()); return builder; }
From source file:org.ejbca.core.protocol.cmp.CmpTestCase.java
License:Open Source License
protected static void checkCmpResponseGeneral(byte[] retMsg, String issuerDN, X500Name userDN, Certificate cacert, byte[] senderNonce, byte[] transId, boolean signed, String pbeSecret, String expectedSignAlg)/*from w ww .j av a2s. c o m*/ throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException { assertNotNull("No response from server.", retMsg); assertTrue("Response was of 0 length.", retMsg.length > 0); boolean pbe = (pbeSecret != null); // // Parse response message // ASN1InputStream asn1InputStream = new ASN1InputStream(new ByteArrayInputStream(retMsg)); PKIMessage respObject = null; try { respObject = PKIMessage.getInstance(asn1InputStream.readObject()); } finally { asn1InputStream.close(); } assertNotNull(respObject); // The signer, i.e. the CA, check it's the right CA PKIHeader header = respObject.getHeader(); // Check that the message is signed with the correct digest alg if (StringUtils.isEmpty(expectedSignAlg)) { expectedSignAlg = PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(); } // if cacert is ECDSA we should expect an ECDSA signature alg //if (AlgorithmTools.getSignatureAlgorithm(cacert).contains("ECDSA")) { // expectedSignAlg = X9ObjectIdentifiers.ecdsa_with_SHA1.getId(); //} else if(AlgorithmTools.getSignatureAlgorithm(cacert).contains("ECGOST3410")) { // expectedSignAlg = CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001.getId(); //} else if(AlgorithmTools.getSignatureAlgorithm(cacert).contains("DSTU4145")) { // expectedSignAlg = (new ASN1ObjectIdentifier(CesecoreConfiguration.getOidDstu4145())).getId(); //} if (signed) { AlgorithmIdentifier algId = header.getProtectionAlg(); assertNotNull( "Protection algorithm was null when expecting a signed response, this was propably an unprotected error message: " + header.getFreeText(), algId); assertEquals(expectedSignAlg, algId.getAlgorithm().getId()); } if (pbe) { AlgorithmIdentifier algId = header.getProtectionAlg(); assertNotNull( "Protection algorithm was null when expecting a pbe protected response, this was propably an unprotected error message: " + header.getFreeText(), algId); assertEquals("Protection algorithm id: " + algId.getAlgorithm().getId(), CMPObjectIdentifiers.passwordBasedMac.getId(), algId.getAlgorithm().getId()); // 1.2.840.113549.1.1.5 - SHA-1 with RSA Encryption } // Check that the signer is the expected CA assertEquals(header.getSender().getTagNo(), 4); X500Name expissuer = new X500Name(issuerDN); X500Name actissuer = new X500Name(header.getSender().getName().toString()); assertEquals(expissuer, actissuer); if (signed) { // Verify the signature byte[] protBytes = CmpMessageHelper.getProtectedBytes(respObject); DERBitString bs = respObject.getProtection(); Signature sig; try { sig = Signature.getInstance(expectedSignAlg, "BC"); sig.initVerify(cacert); sig.update(protBytes); boolean ret = sig.verify(bs.getBytes()); assertTrue(ret); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); assertTrue(false); } catch (NoSuchProviderException e) { e.printStackTrace(); assertTrue(false); } catch (InvalidKeyException e) { e.printStackTrace(); assertTrue(false); } catch (SignatureException e) { e.printStackTrace(); assertTrue(false); } } if (pbe) { ASN1OctetString os = header.getSenderKID(); assertNotNull(os); String keyId = CmpMessageHelper.getStringFromOctets(os); log.debug("Found a sender keyId: " + keyId); // Verify the PasswordBased protection of the message byte[] protectedBytes = CmpMessageHelper.getProtectedBytes(respObject); DERBitString protection = respObject.getProtection(); AlgorithmIdentifier pAlg = header.getProtectionAlg(); log.debug("Protection type is: " + pAlg.getAlgorithm().getId()); PBMParameter pp = PBMParameter.getInstance(pAlg.getParameters()); int iterationCount = pp.getIterationCount().getPositiveValue().intValue(); log.debug("Iteration count is: " + iterationCount); AlgorithmIdentifier owfAlg = pp.getOwf(); // Normal OWF alg is 1.3.14.3.2.26 - SHA1 log.debug("Owf type is: " + owfAlg.getAlgorithm().getId()); AlgorithmIdentifier macAlg = pp.getMac(); // Normal mac alg is 1.3.6.1.5.5.8.1.2 - HMAC/SHA1 log.debug("Mac type is: " + macAlg.getAlgorithm().getId()); byte[] salt = pp.getSalt().getOctets(); // log.info("Salt is: "+new String(salt)); byte[] raSecret = pbeSecret != null ? pbeSecret.getBytes() : new byte[0]; byte[] basekey = new byte[raSecret.length + salt.length]; System.arraycopy(raSecret, 0, basekey, 0, raSecret.length); for (int i = 0; i < salt.length; i++) { basekey[raSecret.length + i] = salt[i]; } // Construct the base key according to rfc4210, section 5.1.3.1 MessageDigest dig = MessageDigest.getInstance(owfAlg.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); for (int i = 0; i < iterationCount; i++) { basekey = dig.digest(basekey); dig.reset(); } // HMAC/SHA1 os normal 1.3.6.1.5.5.8.1.2 or 1.2.840.113549.2.7 String macOid = macAlg.getAlgorithm().getId(); Mac mac = Mac.getInstance(macOid, BouncyCastleProvider.PROVIDER_NAME); SecretKey key = new SecretKeySpec(basekey, macOid); mac.init(key); mac.reset(); mac.update(protectedBytes, 0, protectedBytes.length); byte[] out = mac.doFinal(); // My out should now be the same as the protection bits byte[] pb = protection.getBytes(); boolean ret = Arrays.equals(out, pb); assertTrue(ret); } // --SenderNonce // SenderNonce is something the server came up with, but it should be 16 // chars byte[] nonce = header.getSenderNonce().getOctets(); assertEquals(nonce.length, 16); // --Recipient Nonce // recipient nonce should be the same as we sent away as sender nonce nonce = header.getRecipNonce().getOctets(); assertEquals(new String(nonce), new String(senderNonce)); // --Transaction ID // transid should be the same as the one we sent nonce = header.getTransactionID().getOctets(); assertEquals(new String(nonce), new String(transId)); }
From source file:org.ejbca.core.protocol.cmp.CrmfRequestMessage.java
License:Open Source License
private void init() { final PKIBody body = getPKIMessage().getBody(); final PKIHeader header = getPKIMessage().getHeader(); requestType = body.getType();// www.j a v a 2 s. com final CertReqMessages msgs = getCertReqFromTag(body, requestType); try { this.req = msgs.toCertReqMsgArray()[0]; } catch (Exception e) { this.req = CmpMessageHelper.getNovosecCertReqMsg(msgs); } requestId = this.req.getCertReq().getCertReqId().getValue().intValue(); ASN1OctetString os = header.getTransactionID(); if (os != null) { byte[] val = os.getOctets(); if (val != null) { setTransactionId(new String(Base64.encode(val))); } } os = header.getSenderNonce(); if (os != null) { byte[] val = os.getOctets(); if (val != null) { setSenderNonce(new String(Base64.encode(val))); } } setRecipient(header.getRecipient()); setSender(header.getSender()); }
From source file:org.ejbca.core.protocol.cmp.GeneralCmpMessage.java
License:Open Source License
public GeneralCmpMessage(final PKIMessage msg) { final PKIBody body = msg.getBody(); final int tag = body.getType(); if (tag == 19) { // this is a PKIConfirmContent if (log.isDebugEnabled()) { log.debug("Received a PKIConfirm message"); }/*from w ww . j a v a 2s.c om*/ // This is a null message, so there is nothing to get here //DERNull obj = body.getConf(); } if (tag == 24) { // this is a CertConfirmContent if (log.isDebugEnabled()) { log.debug("Received a Cert Confirm message"); } final CertConfirmContent obj = (CertConfirmContent) body.getContent(); CertStatus cs; try { cs = CertStatus.getInstance(obj.toASN1Primitive()); } catch (Exception e) { cs = CertStatus.getInstance(((DERSequence) obj.toASN1Primitive()).getObjectAt(0)); } final PKIStatusInfo status = cs.getStatusInfo(); if (status != null) { final int st = status.getStatus().intValue(); if (st != 0) { final String errMsg = intres.getLocalizedMessage("cmp.errorcertconfirmstatus", Integer.valueOf(st)); log.error(errMsg); // TODO: if it is rejected, we should revoke the cert? } } } if (tag == 11) { // this is a RevReqContent, if (log.isDebugEnabled()) { log.debug("Received a RevReqContent"); } final RevReqContent rr = (RevReqContent) body.getContent(); RevDetails rd; try { rd = rr.toRevDetailsArray()[0]; } catch (Exception e) { log.debug( "Could not parse the revocation request. Trying to parse it as novosec generated message."); rd = CmpMessageHelper.getNovosecRevDetails(rr); log.debug("Succeeded in parsing the novosec generated request."); } final CertTemplate ct = rd.getCertDetails(); final ASN1Integer serno = ct.getSerialNumber(); final X500Name issuer = ct.getIssuer(); if ((serno != null) && (issuer != null)) { final String errMsg = intres.getLocalizedMessage("cmp.receivedrevreq", issuer.toString(), serno.getValue().toString(16)); log.info(errMsg); } else { final String errMsg = intres.getLocalizedMessage("cmp.receivedrevreqnoissuer"); log.info(errMsg); } } setMessage(msg); final PKIHeader header = msg.getHeader(); if (header.getTransactionID() != null) { final byte[] val = header.getTransactionID().getOctets(); if (val != null) { setTransactionId(new String(Base64.encode(val))); } } if (header.getSenderNonce() != null) { final byte[] val = header.getSenderNonce().getOctets(); if (val != null) { setSenderNonce(new String(Base64.encode(val))); } } setRecipient(header.getRecipient()); setSender(header.getSender()); }
From source file:org.ejbca.core.protocol.cmp.NestedMessageContent.java
License:Open Source License
private void init() { final PKIHeader header = getPKIMessage().getHeader(); ASN1OctetString os = header.getTransactionID(); if (os != null) { final byte[] val = os.getOctets(); if (val != null) { setTransactionId(new String(Base64.encode(val))); }/*from w ww.ja va 2 s .co m*/ } os = header.getSenderNonce(); if (os != null) { final byte[] val = os.getOctets(); if (val != null) { setSenderNonce(new String(Base64.encode(val))); } } setRecipient(header.getRecipient()); setSender(header.getSender()); }
From source file:org.ejbca.ui.cmpclient.CmpClientMessageHelper.java
License:Open Source License
private PKIHeaderBuilder getHeaderBuilder(PKIHeader head) { PKIHeaderBuilder builder = new PKIHeaderBuilder(head.getPvno().getValue().intValue(), head.getSender(), head.getRecipient());/* w w w . j a v a 2s . c o m*/ builder.setFreeText(head.getFreeText()); builder.setGeneralInfo(head.getGeneralInfo()); builder.setMessageTime(head.getMessageTime()); builder.setRecipKID((DEROctetString) head.getRecipKID()); builder.setRecipNonce(head.getRecipNonce()); builder.setSenderKID(head.getSenderKID()); builder.setSenderNonce(head.getSenderNonce()); builder.setTransactionID(head.getTransactionID()); return builder; }
From source file:org.xipki.ca.common.cmp.CmpUtil.java
License:Open Source License
public static PKIMessage addProtection(final PKIMessage pkiMessage, final ConcurrentContentSigner signer, GeneralName signerName, final boolean addSignerCert) throws CMPException, NoIdleSignerException { if (signerName == null) { X500Name x500Name = X500Name .getInstance(signer.getCertificate().getSubjectX500Principal().getEncoded()); signerName = new GeneralName(x500Name); }/*from w ww . j a v a 2 s.c o m*/ PKIHeader header = pkiMessage.getHeader(); ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(signerName, header.getRecipient()); PKIFreeText freeText = header.getFreeText(); if (freeText != null) { builder.setFreeText(freeText); } InfoTypeAndValue[] generalInfo = header.getGeneralInfo(); if (generalInfo != null) { for (InfoTypeAndValue gi : generalInfo) { builder.addGeneralInfo(gi); } } ASN1OctetString octet = header.getRecipKID(); if (octet != null) { builder.setRecipKID(octet.getOctets()); } octet = header.getRecipNonce(); if (octet != null) { builder.setRecipNonce(octet.getOctets()); } octet = header.getSenderKID(); if (octet != null) { builder.setSenderKID(octet.getOctets()); } octet = header.getSenderNonce(); if (octet != null) { builder.setSenderNonce(octet.getOctets()); } octet = header.getTransactionID(); if (octet != null) { builder.setTransactionID(octet.getOctets()); } if (header.getMessageTime() != null) { builder.setMessageTime(new Date()); } builder.setBody(pkiMessage.getBody()); if (addSignerCert) { X509CertificateHolder signerCert = signer.getCertificateAsBCObject(); builder.addCMPCertificate(signerCert); } ContentSigner realSigner = signer.borrowContentSigner(); try { ProtectedPKIMessage signedMessage = builder.build(realSigner); return signedMessage.toASN1Structure(); } finally { signer.returnContentSigner(realSigner); } }
From source file:org.xipki.pki.ca.common.cmp.CmpUtil.java
License:Open Source License
public static PKIMessage addProtection(final PKIMessage pkiMessage, final ConcurrentContentSigner signer, final GeneralName signerName, final boolean addSignerCert) throws CMPException, NoIdleSignerException { ParamUtil.requireNonNull("pkiMessage", pkiMessage); ParamUtil.requireNonNull("signer", signer); final GeneralName tmpSignerName; if (signerName != null) { tmpSignerName = signerName;/*www . j a va2 s . co m*/ } else { if (signer.getCertificate() == null) { throw new IllegalArgumentException("signer without certificate is not allowed"); } X500Name x500Name = X500Name .getInstance(signer.getCertificate().getSubjectX500Principal().getEncoded()); tmpSignerName = new GeneralName(x500Name); } PKIHeader header = pkiMessage.getHeader(); ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder(tmpSignerName, header.getRecipient()); PKIFreeText freeText = header.getFreeText(); if (freeText != null) { builder.setFreeText(freeText); } InfoTypeAndValue[] generalInfo = header.getGeneralInfo(); if (generalInfo != null) { for (InfoTypeAndValue gi : generalInfo) { builder.addGeneralInfo(gi); } } ASN1OctetString octet = header.getRecipKID(); if (octet != null) { builder.setRecipKID(octet.getOctets()); } octet = header.getRecipNonce(); if (octet != null) { builder.setRecipNonce(octet.getOctets()); } octet = header.getSenderKID(); if (octet != null) { builder.setSenderKID(octet.getOctets()); } octet = header.getSenderNonce(); if (octet != null) { builder.setSenderNonce(octet.getOctets()); } octet = header.getTransactionID(); if (octet != null) { builder.setTransactionID(octet.getOctets()); } if (header.getMessageTime() != null) { builder.setMessageTime(new Date()); } builder.setBody(pkiMessage.getBody()); if (addSignerCert) { X509CertificateHolder signerCert = signer.getCertificateAsBcObject(); builder.addCMPCertificate(signerCert); } ProtectedPKIMessage signedMessage = signer.build(builder); return signedMessage.toASN1Structure(); }