List of usage examples for org.bouncycastle.asn1.crmf CertReqMsg getCertReq
public CertRequest getCertReq()
From source file:org.ejbca.core.protocol.cmp.authentication.DnPartPasswordExtractor.java
License:Open Source License
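/**
 * Extracts the value of 'dnPart' from the subjectDN of the certificate request template
 * and stores it as the password of this module.
 *
 * @param msg the CMP message that carries the CRMF request
 * @param username not read by this method
 * @return true if a password was extracted; false otherwise, in which case errorMessage is set
 */
@Override
public boolean verifyOrExtract(final PKIMessage msg, final String username) {
    final CertReqMsg req = getReq(msg);
    if (req == null) {
        this.errorMessage = "No request was found in the PKIMessage";
        return false;
    }

    // The subject field of a CRMF certificate template is optional, so a request without one must be
    // rejected here instead of failing with a NullPointerException on toString().
    // Held as Object so that this method needs no type beyond what it already used.
    final Object subject = req.getCertReq().getCertTemplate().getSubject();
    final String dnString = (subject == null) ? null : subject.toString();

    if (log.isDebugEnabled()) {
        // The subject DN is where the password is carried, so the DN itself is kept out of the log.
        log.debug("Extracting password from SubjectDN using DN part '" + dnPart + "'");
    }

    // Always overwrite the field, so that a value from an earlier message cannot be reused
    // when this request carries no usable subject.
    password = (dnString == null) ? null : CertTools.getPartFromDN(dnString, dnPart);
    if (password == null) {
        this.errorMessage = "Could not extract password from CRMF request using the " + getName()
                + " authentication module";
        return false;
    }
    return true;
}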
From source file:org.ejbca.core.protocol.cmp.authentication.RegTokenPasswordExtractor.java
License:Open Source License
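/**
 * Extracts the password from the CRMF request message parameters.
 *
 * The registration token is looked up first in the regInfo of the CertReqMsg and, if it is not
 * found there, in the controls of the CertRequest.
 *
 * @param msg the CMP message that carries the CRMF request
 * @param username not read by this method
 * @return true if a password was extracted; false otherwise, in which case errorMessage is set
 */
@Override
public boolean verifyOrExtract(final PKIMessage msg, final String username) {
    final CertReqMsg req = getReq(msg);
    if (req == null) {
        this.errorMessage = "No request was found in the PKIMessage";
        return false;
    }

    // If there is "Registration Token Control" in the CertReqMsg regInfo containing a password, we can use that
    String pwd = findRegToken(req.getRegInfo(), "CertReqMsg");

    if (pwd == null && req.getCertReq().getControls() != null) {
        // If there is "Registration Token Control" in the CertRequest controls containing a password, we can use that
        // Note, this is the correct way to use the regToken according to RFC4211, section "6.1. Registration Token Control"
        pwd = findRegToken(req.getCertReq().getControls().toAttributeTypeAndValueArray(), "CertReq");
    }

    if (pwd == null) {
        this.errorMessage = "Could not extract password from CRMF request using the " + getName()
                + " authentication module";
        return false;
    }
    this.password = pwd;
    return true;
}

/**
 * Returns the string value of the first regToken attribute in {@code avs}, or null if there is none.
 *
 * The scan is bounded by the array length: the array comes from the request, and an empty array or
 * one without a regToken entry must yield "not found", not an ArrayIndexOutOfBoundsException.
 *
 * @param avs the attributes to scan, may be null
 * @param source name of the structure the attributes were read from, used in the debug log only
 */
private String findRegToken(final AttributeTypeAndValue[] avs, final String source) {
    if (avs == null) {
        return null;
    }
    String pwd = null;
    for (int i = 0; i < avs.length && pwd == null; i++) {
        final AttributeTypeAndValue av = avs[i];
        if (av == null) {
            // A null entry ends the scan.
            break;
        }
        if (log.isDebugEnabled()) {
            log.debug("Found AttributeTypeAndValue (in " + source + "): " + av.getType().getId());
        }
        if (StringUtils.equals(CRMFObjectIdentifiers.id_regCtrl_regToken.getId(), av.getType().getId())) {
            // NOTE(review): the value is request-controlled; confirm how a regToken that is not a
            // UTF8String is reported to the caller by DERUTF8String.getInstance.
            final ASN1Encodable enc = av.getValue();
            final DERUTF8String str = DERUTF8String.getInstance(enc);
            pwd = str.getString();
            if (log.isDebugEnabled()) {
                // Only the fact is logged, never the token itself.
                log.debug("Found a request password in CRMF request regCtrl_regToken");
            }
        }
    }
    return pwd;
}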
From source file:org.ejbca.core.protocol.cmp.CrmfKeyUpdateHandler.java
License:Open Source License
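/**
 * Handles the CMP message.
 *
 * Expects the CMP message to be a CrmfRequestMessage. The message is authenticated with an
 * EndEntityCertificateAuthenticationModule. In RA mode the module must be configured for the alias,
 * and the subject and issuer DN used to find the end entity are read from the certificate request
 * template. In client mode they are read from the certificate attached to the request.
 *
 * If automatic update of the key is allowed, the end entity's status is set to 'NEW' before the
 * request is processed. If using the same old key in the new certificate is not allowed, a check is
 * made to ensure that the key specified in the request is not the same as the key of the attached
 * certificate.
 *
 * @param msg the CMP message to handle
 * @param authenticated passed on to the EndEntityCertificateAuthenticationModule
 * @return the certificate response, or an unprotected error message describing the failure
 */
@Override
public ResponseMessage handleMessage(final BaseCmpMessage msg, boolean authenticated) {
    if (LOG.isTraceEnabled()) {
        LOG.trace(">handleMessage");
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("CMP running on RA mode: " + this.cmpConfiguration.getRAMode(this.confAlias));
    }

    ResponseMessage resp = null;
    try {
        CrmfRequestMessage crmfreq = null;
        if (msg instanceof CrmfRequestMessage) {
            crmfreq = (CrmfRequestMessage) msg;
            // NOTE(review): the result is discarded; presumably called for a side effect, confirm.
            crmfreq.getMessage();

            EndEntityCertificateAuthenticationModule eecmodule = null;
            X509Certificate oldCert = null;

            // Find the subjectDN to look for
            String subjectDN = null;
            String issuerDN = null;
            if (this.cmpConfiguration.getRAMode(this.confAlias)) {

                // Check that EndEntityCertificate authentication module is set
                if (!cmpConfiguration.isInAuthModule(confAlias, CmpConfiguration.AUTHMODULE_ENDENTITY_CERTIFICATE)) {
                    String errmsg = "EndEnityCertificate authentication module is not configured. For a KeyUpdate request to be authentication in RA mode, EndEntityCertificate "
                            + "authentication module has to be set and configured";
                    LOG.info(errmsg);
                    return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE,
                            FailInfo.BAD_REQUEST, errmsg);
                }

                // Check PKIMessage authentication
                String authparameter = cmpConfiguration.getAuthenticationParameter(
                        CmpConfiguration.AUTHMODULE_ENDENTITY_CERTIFICATE, confAlias);
                eecmodule = new EndEntityCertificateAuthenticationModule(admin, authparameter, confAlias,
                        cmpConfiguration, authenticated, caSession, certStoreSession, authorizationSession,
                        endEntityProfileSession, endEntityAccessSession, authenticationProviderSession,
                        endEntityManagementSession);
                if (!eecmodule.verifyOrExtract(crmfreq.getPKIMessage(), null)) {
                    LOG.info(eecmodule.getErrorMessage());
                    return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE,
                            FailInfo.BAD_REQUEST, eecmodule.getErrorMessage());
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("The CMP KeyUpdate request for SubjectDN '" + crmfreq.getSubjectDN()
                            + "' was verified successfully");
                }
                oldCert = (X509Certificate) eecmodule.getExtraCert();

                CertReqMessages kur = (CertReqMessages) crmfreq.getPKIMessage().getBody().getContent();
                CertReqMsg certmsg;
                try {
                    certmsg = kur.toCertReqMsgArray()[0];
                } catch (Exception e) {
                    // This handler parses a key update request, so the log message names it as such.
                    LOG.debug(
                            "Could not parse the key update request. Trying to parse it as novosec generated message.");
                    certmsg = CmpMessageHelper.getNovosecCertReqMsg(kur);
                    LOG.debug("Succeeded in parsing the novosec generated request.");
                }

                // NOTE(review): in RA mode the DNs used for the end entity lookup come from the request
                // template, not from oldCert. As far as this method shows, verifyOrExtract above is the
                // only check that ties the authenticated sender to that end entity; confirm the module
                // enforces it.
                X500Name dn = certmsg.getCertReq().getCertTemplate().getSubject();
                if (dn != null) {
                    subjectDN = dn.toString();
                }
                dn = certmsg.getCertReq().getCertTemplate().getIssuer();
                if (dn != null) {
                    issuerDN = dn.toString();
                }
            } else { // client mode
                eecmodule = new EndEntityCertificateAuthenticationModule(admin, null, confAlias,
                        cmpConfiguration, authenticated, caSession, certStoreSession, authorizationSession,
                        endEntityProfileSession, endEntityAccessSession, authenticationProviderSession,
                        endEntityManagementSession);
                if (!eecmodule.verifyOrExtract(crmfreq.getPKIMessage(), null)) {
                    LOG.info(eecmodule.getErrorMessage());
                    return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE,
                            FailInfo.BAD_REQUEST, eecmodule.getErrorMessage());
                }
                oldCert = (X509Certificate) eecmodule.getExtraCert();

                subjectDN = oldCert.getSubjectDN().toString();
                issuerDN = oldCert.getIssuerDN().toString();
            }

            if (subjectDN == null) {
                final String errMsg = "Cannot find a SubjectDN in the request";
                LOG.info(errMsg);
                return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE,
                        FailInfo.BAD_REQUEST, errMsg);
            }

            // Find the end entity that the certificate belongs to
            if (LOG.isDebugEnabled()) {
                LOG.debug("Looking for an end entity with subjectDN: " + subjectDN);
            }
            // When several end entities match, the first one returned is used and only a warning is
            // logged; without an issuer DN the match is on the subject DN alone.
            EndEntityInformation userdata = null;
            if (issuerDN == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("The CMP KeyUpdateRequest did not specify an issuer");
                }
                List<EndEntityInformation> userdataList = endEntityAccessSession.findUserBySubjectDN(admin,
                        subjectDN);
                if (!userdataList.isEmpty()) {
                    userdata = userdataList.get(0);
                }
                if (userdataList.size() > 1) {
                    LOG.warn("Multiple end entities with subject DN " + subjectDN
                            + " were found. This may lead to unexpected behavior.");
                }
            } else {
                List<EndEntityInformation> userdataList = endEntityAccessSession
                        .findUserBySubjectAndIssuerDN(admin, subjectDN, issuerDN);
                if (!userdataList.isEmpty()) {
                    userdata = userdataList.get(0);
                }
                if (userdataList.size() > 1) {
                    // A space now separates the label from the issuer DN value.
                    LOG.warn("Multiple end entities with subject DN " + subjectDN + " and issuer DN "
                            + issuerDN + " were found. This may lead to unexpected behavior.");
                }
            }

            if (userdata == null) {
                final String errMsg = INTRES.getLocalizedMessage("cmp.infonouserfordn", subjectDN);
                LOG.info(errMsg);
                return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE,
                        FailInfo.BAD_MESSAGE_CHECK, errMsg);
            }

            if (LOG.isDebugEnabled()) {
                LOG.debug("Found user '" + userdata.getUsername() + "'");
            }

            // The password that should be used to obtain the new certificate
            String password = StringUtils.isNotEmpty(userdata.getPassword()) ? userdata.getPassword()
                    : eecmodule.getAuthenticationString();

            // Set the appropriate parameters in the end entity
            // NOTE(review): the end entity is changed (and possibly set to 'NEW') before the same-key
            // check below, so a request rejected by that check still leaves these changes in place.
            // Consider running the key check first.
            userdata.setPassword(password);
            endEntityManagementSession.changeUser(admin, userdata, true);
            if (this.cmpConfiguration.getKurAllowAutomaticUpdate(this.confAlias)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Setting the end entity status to 'NEW'. Username: " + userdata.getUsername());
                }
                endEntityManagementSession.setUserStatus(admin, userdata.getUsername(),
                        EndEntityConstants.STATUS_NEW);
            }

            // Set the appropriate parameters in the request
            crmfreq.setUsername(userdata.getUsername());
            crmfreq.setPassword(password);
            if (crmfreq.getHeader().getProtectionAlg() != null) {
                crmfreq.setPreferredDigestAlg(AlgorithmTools
                        .getDigestFromSigAlg(crmfreq.getHeader().getProtectionAlg().getAlgorithm().getId()));
            }

            // Check the public key, whether it is allowed to use the old keys or not.
            if (!this.cmpConfiguration.getKurAllowSameKey(this.confAlias)) {
                PublicKey certPublicKey = oldCert.getPublicKey();
                PublicKey requestPublicKey = crmfreq.getRequestPublicKey();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Not allowing update with same key, comparing keys.");
                    if (LOG.isTraceEnabled()) {
                        LOG.trace("OldKey: " + certPublicKey.toString());
                        LOG.trace("NewKey: " + requestPublicKey.toString());
                    }
                }
                if (certPublicKey.equals(requestPublicKey)) {
                    final String errMsg = "Invalid key. The public key in the KeyUpdateRequest is the same as the public key in the existing end entity certificate";
                    LOG.info(errMsg);
                    return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE,
                            FailInfo.BAD_MESSAGE_CHECK, errMsg);
                }
            }

            // Process the request
            resp = signSession.createCertificate(admin, crmfreq,
                    org.ejbca.core.protocol.cmp.CmpResponseMessage.class, userdata);

            if (resp == null) {
                final String errMsg = INTRES.getLocalizedMessage("cmp.errornullresp");
                LOG.info(errMsg);
                resp = CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE,
                        FailInfo.BAD_MESSAGE_CHECK, errMsg);
            }
        } else {
            final String errMsg = INTRES.getLocalizedMessage("cmp.errornocmrfreq");
            LOG.info(errMsg);
            resp = CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE,
                    FailInfo.BAD_MESSAGE_CHECK, errMsg);
        }
    } catch (AuthorizationDeniedException e) {
        resp = createGeneralErrorResponse(msg, e);
    } catch (CADoesntExistsException e) {
        resp = createGeneralErrorResponse(msg, e);
    } catch (UserDoesntFullfillEndEntityProfile e) {
        resp = createGeneralErrorResponse(msg, e);
    } catch (WaitingForApprovalException e) {
        resp = createGeneralErrorResponse(msg, e);
    } catch (EjbcaException e) {
        resp = createGeneralErrorResponse(msg, e);
    } catch (FinderException e) {
        resp = createGeneralErrorResponse(msg, e);
    } catch (CesecoreException e) {
        resp = createGeneralErrorResponse(msg, e);
    } catch (InvalidKeyException e) {
        LOG.info("Error while reading the public key of the extraCert attached to the CMP request");
        resp = createGeneralErrorResponse(msg, e);
    } catch (NoSuchAlgorithmException e) {
        LOG.info("Error while reading the public key of the extraCert attached to the CMP request");
        resp = createGeneralErrorResponse(msg, e);
    } catch (NoSuchProviderException e) {
        LOG.info("Error while reading the public key of the extraCert attached to the CMP request");
        resp = createGeneralErrorResponse(msg, e);
    } catch (CertificateExtensionException e) {
        resp = createGeneralErrorResponse(msg, e);
    }

    if (LOG.isTraceEnabled()) {
        LOG.trace("<handleMessage");
    }
    return resp;
}

/**
 * Logs the localized general CMP error for {@code e} and builds the unprotected FAILURE / BAD_REQUEST
 * response that every exception handler of handleMessage returns.
 */
private ResponseMessage createGeneralErrorResponse(final BaseCmpMessage msg, final Exception e) {
    final String errMsg = INTRES.getLocalizedMessage(CMP_ERRORGENERAL, e.getMessage());
    LOG.info(errMsg, e);
    // NOTE(review): the raw exception message is sent back to the requester in an unprotected
    // message; confirm that none of these exceptions carry internal details.
    return CmpMessageHelper.createUnprotectedErrorMessage(msg, ResponseStatus.FAILURE, FailInfo.BAD_REQUEST,
            e.getMessage());
}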
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
/**
 * Builds one CertResponse per CertReqMsg in {@code kur}.
 *
 * A request without proof of possession, or with one that does not verify, is rejected with badPOP.
 * Otherwise the certificate profile name is read from the request's regInfo, the requestor's
 * permission for that profile is checked, and the certificate is generated. A CMPException raised
 * on that path is turned into a badCertTemplate rejection for that request only.
 *
 * @param auditEvent may be null; when present, a child audit event is recorded per request
 * @param sendCaCert whether the CA certificate is included in the returned message
 * @return the response message with one entry per request, in request order
 * @throws InsuffientPermissionException declared by this method; not caught in the body
 */
private CertRepMessage processCertReqMessages(final CmpRequestorInfo requestor, final String user,
        final ASN1OctetString tid, final PKIHeader reqHeader, final CertReqMessages kur,
        final boolean keyUpdate, final long confirmWaitTime, final boolean sendCaCert,
        final AuditEvent auditEvent) throws InsuffientPermissionException {
    final CertReqMsg[] requests = kur.toCertReqMsgArray();
    final CertResponse[] responses = new CertResponse[requests.length];

    for (int idx = 0; idx < requests.length; idx++) {
        AuditChildEvent childEvent = null;
        if (auditEvent != null) {
            childEvent = new AuditChildEvent();
            auditEvent.addChildAuditEvent(childEvent);
        }

        final CertReqMsg reqMsg = requests[idx];
        final CertificateRequestMessage req = new CertificateRequestMessage(reqMsg);
        final ASN1Integer certReqId = reqMsg.getCertReq().getCertReqId();
        if (childEvent != null) {
            childEvent.addEventData(new AuditEventData("certReqId", certReqId.getPositiveValue().toString()));
        }

        // Proof of possession is checked before anything in the template is used.
        String popFailure = null;
        if (!req.hasProofOfPossession()) {
            popFailure = "no POP";
        } else if (!verifyPOP(req, requestor.isRA())) {
            LOG.warn("could not validate POP for requst {}", certReqId.getValue());
            popFailure = "invalid POP";
        }
        if (popFailure != null) {
            final PKIStatusInfo rejection = generateCmpRejectionStatus(PKIFailureInfo.badPOP, null);
            responses[idx] = new CertResponse(certReqId, rejection);
            if (childEvent != null) {
                childEvent.setStatus(AuditStatus.FAILED);
                childEvent.addEventData(new AuditEventData("message", popFailure));
            }
            continue;
        }

        final CertTemplate template = req.getCertTemplate();
        final Extensions extensions = template.getExtensions();
        final X500Name subject = template.getSubject();
        final SubjectPublicKeyInfo publicKeyInfo = template.getPublicKey();
        final OptionalValidity validity = template.getValidity();

        try {
            // The profile name is supplied by the requester in regInfo; checkPermission below
            // decides whether this requestor may use it.
            final CmpUtf8Pairs pairs = CmpUtil.extract(reqMsg.getRegInfo());
            String certprofileName = null;
            if (pairs != null) {
                certprofileName = pairs.getValue(CmpUtf8Pairs.KEY_CERT_PROFILE);
            }
            if (certprofileName == null) {
                throw new CMPException("no certificate profile is specified");
            }

            if (childEvent != null) {
                childEvent.addEventData(new AuditEventData("certprofile", certprofileName));
            }

            checkPermission(requestor, certprofileName);
            responses[idx] = generateCertificate(requestor, user, tid, certReqId, subject, publicKeyInfo,
                    validity, extensions, certprofileName, keyUpdate, confirmWaitTime, childEvent);
        } catch (CMPException e) {
            final String message = "generateCertificate";
            if (LOG.isWarnEnabled()) {
                LOG.warn(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage());
            }
            LOG.debug(message, e);

            // The exception message is returned to the requester as the rejection text.
            final PKIStatusInfo rejection = generateCmpRejectionStatus(PKIFailureInfo.badCertTemplate,
                    e.getMessage());
            responses[idx] = new CertResponse(certReqId, rejection);

            if (childEvent != null) {
                childEvent.setStatus(AuditStatus.FAILED);
                childEvent.addEventData(new AuditEventData("message", "badCertTemplate"));
            }
        }
    }

    CMPCertificate[] caPubs = null;
    if (sendCaCert) {
        caPubs = new CMPCertificate[] { getCA().getCAInfo().getCertInCMPFormat() };
    }
    return new CertRepMessage(caPubs, responses);
}
From source file:org.xipki.pki.ca.server.impl.cmp.X509CaCmpResponder.java
License:Open Source License
/**
 * Validates every CertReqMsg in {@code kur}, enrolls the valid ones in a single call to
 * generateCertificates, and returns one CertResponse per request in request order.
 *
 * A request is rejected during validation when it has no proof of possession, when the proof does
 * not verify, when no certificate profile is named in its regInfo, or when the requestor is not
 * permitted to use the named profile. With group enrollment enabled, the first rejected request
 * stops validation and every request is answered with a rejection that refers to the failed one.
 *
 * @return the response message; the CA certificate is attached only if at least one certificate
 *         was enrolled and cmpControl asks for it
 */
private CertRepMessage processCertReqMessages(final PKIMessage request, final CmpRequestorInfo requestor,
        final String user, final ASN1OctetString tid, final PKIHeader reqHeader, final CertReqMessages kur,
        final boolean keyUpdate, final CmpControl cmpControl, final String msgId, final AuditEvent event) {
    final CertReqMsg[] reqMsgs = kur.toCertReqMsgArray();
    final int n = reqMsgs.length;

    // All three maps are keyed by the index of the request in reqMsgs.
    final Map<Integer, CertTemplateData> validTemplates = new HashMap<>(n * 10 / 6);
    final Map<Integer, CertResponse> errorResponses = new HashMap<>(n * 10 / 6);
    final Map<Integer, ASN1Integer> reqIds = new HashMap<>(n * 10 / 6);

    // pre-process requests
    for (int i = 0; i < n; i++) {
        if (cmpControl.isGroupEnroll() && validTemplates.size() != i) {
            // last certReqMsg cannot be used to enroll certificate
            break;
        }

        final CertReqMsg reqMsg = reqMsgs[i];
        final CertificateRequestMessage req = new CertificateRequestMessage(reqMsg);
        final ASN1Integer certReqId = reqMsg.getCertReq().getCertReqId();
        reqIds.put(i, certReqId);

        if (!req.hasProofOfPossession()) {
            errorResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "no POP", null));
            continue;
        }

        if (!verifyPopo(req, requestor.isRa())) {
            LOG.warn("could not validate POP for request {}", certReqId.getValue());
            errorResponses.put(i,
                    buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "invalid POP", null));
            continue;
        }

        // The profile name is supplied by the requester; it is only used after the permission check.
        final CmpUtf8Pairs pairs = CmpUtil.extract(reqMsg.getRegInfo());
        String certprofileName = null;
        if (pairs != null) {
            certprofileName = pairs.getValue(CmpUtf8Pairs.KEY_CERT_PROFILE);
        }
        if (certprofileName == null) {
            final String text = "no certificate profile";
            errorResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate, text));
            continue;
        }

        if (!isCertProfilePermitted(requestor, certprofileName)) {
            final String text = "certprofile " + certprofileName + " is not allowed";
            errorResponses.put(i, buildErrorCertResponse(certReqId, PKIFailureInfo.notAuthorized, text));
            continue;
        }

        final CertTemplate template = req.getCertTemplate();
        final OptionalValidity validity = template.getValidity();

        Date notBefore = null;
        Date notAfter = null;
        if (validity != null) {
            final Time start = validity.getNotBefore();
            if (start != null) {
                notBefore = start.getDate();
            }
            final Time end = validity.getNotAfter();
            if (end != null) {
                notAfter = end.getDate();
            }
        }

        validTemplates.put(i, new CertTemplateData(template.getSubject(), template.getPublicKey(),
                notBefore, notAfter, template.getExtensions(), certprofileName));
    }

    if (errorResponses.size() == n) {
        // all error
        final CertResponse[] allFailed = new CertResponse[n];
        for (int i = 0; i < n; i++) {
            allFailed[i] = errorResponses.get(i);
        }
        return new CertRepMessage(null, allFailed);
    }

    if (cmpControl.isGroupEnroll() && validTemplates.size() != n) {
        // at least one certRequest cannot be used to enroll certificate
        // Validation stopped right after the failed request, so its index equals the number of
        // templates accepted before it.
        final int failedIndex = validTemplates.size();
        final BigInteger failedReqId = reqIds.get(failedIndex).getPositiveValue();
        final CertResponse failedResp = errorResponses.get(failedIndex);
        final PKIStatus failStatus = PKIStatus.getInstance(
                new ASN1Integer(failedResp.getStatus().getStatus()));
        final PKIFailureInfo failureInfo = new PKIFailureInfo(failedResp.getStatus().getFailInfo());
        final String text = "error in certReq " + failedReqId;

        final CertResponse[] groupFailed = new CertResponse[n];
        for (int i = 0; i < n; i++) {
            if (i == failedIndex) {
                groupFailed[i] = failedResp;
            } else {
                final PKIStatusInfo status = generateRejectionStatus(failStatus, failureInfo.intValue(), text);
                groupFailed[i] = new CertResponse(reqIds.get(i), status);
            }
        }
        return new CertRepMessage(null, groupFailed);
    }

    // Pack the accepted templates into lists and remember where each request landed.
    final int k = validTemplates.size();
    final List<CertTemplateData> templateList = new ArrayList<>(k);
    final List<ASN1Integer> reqIdList = new ArrayList<>(k);
    final Map<Integer, Integer> reqIndexToCertIndex = new HashMap<>(k * 10 / 6);
    for (int i = 0; i < n; i++) {
        if (validTemplates.containsKey(i)) {
            templateList.add(validTemplates.get(i));
            reqIdList.add(reqIds.get(i));
            reqIndexToCertIndex.put(i, templateList.size() - 1);
        }
    }

    final List<CertResponse> enrolled = generateCertificates(templateList, reqIdList, requestor, user,
            tid, keyUpdate, request, cmpControl, msgId, event);

    // Merge the validation errors and the enrollment results back into request order.
    boolean anyCertEnrolled = false;
    final CertResponse[] merged = new CertResponse[n];
    for (int i = 0; i < n; i++) {
        if (errorResponses.containsKey(i)) {
            merged[i] = errorResponses.get(i);
            continue;
        }
        final int respIndex = reqIndexToCertIndex.get(i);
        merged[i] = enrolled.get(respIndex);
        if (!anyCertEnrolled && merged[i].getCertifiedKeyPair() != null) {
            anyCertEnrolled = true;
        }
    }

    CMPCertificate[] caPubs = null;
    if (anyCertEnrolled && cmpControl.isSendCaCert()) {
        caPubs = new CMPCertificate[] { getCa().getCaInfo().getCertInCmpFormat() };
    }

    return new CertRepMessage(caPubs, merged);
}