List of usage examples for org.bouncycastle.asn1.crmf CertRequest getCertTemplate
public CertTemplate getCertTemplate()
From source file:org.cesecore.certificates.certificate.request.RequestMessageUtils.java
License:Open Source License
public static RequestMessage getSimpleRequestMessageFromType(final String username, final String password, final String req, final int reqType) throws SignRequestSignatureException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, IOException, SignatureException, InvalidKeySpecException, ParseException, ConstructionException, NoSuchFieldException { RequestMessage ret = null;//from w w w . ja v a 2 s. c o m if (reqType == CertificateConstants.CERT_REQ_TYPE_PKCS10) { final RequestMessage pkcs10req = RequestMessageUtils.genPKCS10RequestMessage(req.getBytes()); final PublicKey pubKey = pkcs10req.getRequestPublicKey(); SimpleRequestMessage simplereq = new SimpleRequestMessage(pubKey, username, password); final Extensions ext = pkcs10req.getRequestExtensions(); simplereq.setRequestExtensions(ext); ret = simplereq; } else if (reqType == CertificateConstants.CERT_REQ_TYPE_SPKAC) { byte[] reqBytes = req.getBytes(); if (reqBytes != null) { if (log.isDebugEnabled()) { log.debug("Received NS request: " + new String(reqBytes)); } byte[] buffer = Base64.decode(reqBytes); if (buffer == null) { return null; } ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(buffer)); ASN1Sequence spkacSeq = (ASN1Sequence) in.readObject(); in.close(); NetscapeCertRequest nscr = new NetscapeCertRequest(spkacSeq); // Verify POPO, we don't care about the challenge, it's not important. nscr.setChallenge("challenge"); if (nscr.verify("challenge") == false) { if (log.isDebugEnabled()) { log.debug("SPKAC POPO verification Failed"); } throw new SignRequestSignatureException( "Invalid signature in NetscapeCertRequest, popo-verification failed."); } if (log.isDebugEnabled()) { log.debug("POPO verification successful"); } PublicKey pubKey = nscr.getPublicKey(); ret = new SimpleRequestMessage(pubKey, username, password); } } else if (reqType == CertificateConstants.CERT_REQ_TYPE_CRMF) { byte[] request = Base64.decode(req.getBytes()); ASN1InputStream in = new ASN1InputStream(request); try { ASN1Sequence crmfSeq = (ASN1Sequence) in.readObject(); ASN1Sequence reqSeq = (ASN1Sequence) ((ASN1Sequence) crmfSeq.getObjectAt(0)).getObjectAt(0); CertRequest certReq = CertRequest.getInstance(reqSeq); SubjectPublicKeyInfo pKeyInfo = certReq.getCertTemplate().getPublicKey(); KeyFactory keyFact = KeyFactory.getInstance("RSA", "BC"); KeySpec keySpec = new X509EncodedKeySpec(pKeyInfo.getEncoded()); PublicKey pubKey = keyFact.generatePublic(keySpec); // just check it's ok SimpleRequestMessage simplereq = new SimpleRequestMessage(pubKey, username, password); Extensions ext = certReq.getCertTemplate().getExtensions(); simplereq.setRequestExtensions(ext); ret = simplereq; } finally { in.close(); } // a simple crmf is not a complete PKI message, as desired by the CrmfRequestMessage class //PKIMessage msg = PKIMessage.getInstance(new ASN1InputStream(new ByteArrayInputStream(request)).readObject()); //CrmfRequestMessage reqmsg = new CrmfRequestMessage(msg, null, true, null); //imsg = reqmsg; } else if (reqType == CertificateConstants.CERT_REQ_TYPE_PUBLICKEY) { byte[] request; // Request can be Base64 encoded or in PEM format try { request = FileTools.getBytesFromPEM(req.getBytes(), CertTools.BEGIN_PUBLIC_KEY, CertTools.END_PUBLIC_KEY); } catch (IOException ex) { try { request = Base64.decode(req.getBytes()); if (request == null) { throw new IOException("Base64 decode of buffer returns null"); } } catch (DecoderException de) { throw new IOException("Base64 decode fails, message not base64 encoded: " + de.getMessage()); } } final PublicKey pubKey = KeyTools.getPublicKeyFromBytes(request); ret = new SimpleRequestMessage(pubKey, username, password); } else if (reqType == CertificateConstants.CERT_REQ_TYPE_CVC) { CVCObject parsedObject = CertificateParser.parseCVCObject(Base64.decode(req.getBytes())); // We will handle both the case if the request is an authenticated request, i.e. with an outer signature // and when the request is missing the (optional) outer signature. CVCertificate cvccert = null; if (parsedObject instanceof CVCAuthenticatedRequest) { CVCAuthenticatedRequest cvcreq = (CVCAuthenticatedRequest) parsedObject; cvccert = cvcreq.getRequest(); } else { cvccert = (CVCertificate) parsedObject; } CVCRequestMessage reqmsg = new CVCRequestMessage(cvccert.getDEREncoded()); reqmsg.setUsername(username); reqmsg.setPassword(password); // Popo is really actually verified by the CA (in SignSessionBean) as well if (reqmsg.verify() == false) { if (log.isDebugEnabled()) { log.debug("CVC POPO verification Failed"); } throw new SignRequestSignatureException( "Invalid inner signature in CVCRequest, popo-verification failed."); } else { if (log.isDebugEnabled()) { log.debug("POPO verification successful"); } } ret = reqmsg; } return ret; }
From source file:org.ejbca.core.protocol.cmp.CrmfRequestMessage.java
License:Open Source License
@Override public PublicKey getRequestPublicKey() throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException { final CertRequest request = getReq().getCertReq(); final CertTemplate templ = request.getCertTemplate(); final SubjectPublicKeyInfo keyInfo = templ.getPublicKey(); final PublicKey pk = getPublicKey(keyInfo, "BC"); return pk;//from w w w . j a va 2 s. co m }
From source file:org.ejbca.core.protocol.cmp.CrmfRequestMessage.java
License:Open Source License
/** Gets a requested certificate serial number of the subject. This is a standard field in the CertTemplate in the request. * However the standard RFC 4211, section 5 (CertRequest syntax) says it MUST not be used. * Requesting custom certificate serial numbers is a very non-standard procedure anyhow, so we use it anyway. * // ww w . j ava 2 s . c om * @return BigInteger the requested custom certificate serial number or null, normally this should return null. */ public BigInteger getSubjectCertSerialNo() { BigInteger ret = null; final CertRequest request = getReq().getCertReq(); final CertTemplate templ = request.getCertTemplate(); final ASN1Integer serno = templ.getSerialNumber(); if (serno != null) { ret = serno.getValue(); } return ret; }
From source file:org.ejbca.core.protocol.cmp.CrmfRequestMessage.java
License:Open Source License
@Override public boolean verify() throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException { boolean ret = false; final ProofOfPossession pop = getReq().getPopo(); if (log.isDebugEnabled()) { log.debug("allowRaVerifyPopo: " + allowRaVerifyPopo); log.debug("pop.getRaVerified(): " + (pop.getType() == ProofOfPossession.TYPE_RA_VERIFIED)); }// www. ja v a2 s .c o m if (allowRaVerifyPopo && (pop.getType() == ProofOfPossession.TYPE_RA_VERIFIED)) { ret = true; } else if (pop.getType() == ProofOfPossession.TYPE_SIGNING_KEY) { try { final POPOSigningKey sk = (POPOSigningKey) pop.getObject(); final POPOSigningKeyInput pski = sk.getPoposkInput(); ASN1Encodable protObject = pski; // Use of POPOSigningKeyInput or not, as described in RFC4211, section 4.1. if (pski == null) { if (log.isDebugEnabled()) { log.debug("Using CertRequest as POPO input because POPOSigningKeyInput is missing."); } protObject = getReq().getCertReq(); } else { // Assume POPOSigningKeyInput with the public key and name, MUST be the same as in the request according to RFC4211 if (log.isDebugEnabled()) { log.debug("Using POPOSigningKeyInput as POPO input."); } final CertRequest req = getReq().getCertReq(); // If subject is present in cert template it must be the same as in POPOSigningKeyInput final X500Name subject = req.getCertTemplate().getSubject(); if (subject != null && !subject.toString().equals(pski.getSender().getName().toString())) { log.info("Subject '" + subject.toString() + "', is not equal to '" + pski.getSender().toString() + "'."); protObject = null; // pski is not a valid protection object } // If public key is present in cert template it must be the same as in POPOSigningKeyInput final SubjectPublicKeyInfo pk = req.getCertTemplate().getPublicKey(); if (pk != null && !Arrays.areEqual(pk.getEncoded(), pski.getPublicKey().getEncoded())) { log.info( "Subject key in cert template, is not equal to subject key in POPOSigningKeyInput."); protObject = null; // pski is not a valid protection object } } // If a protectObject is present we extract the bytes and verify it if (protObject != null) { final ByteArrayOutputStream bao = new ByteArrayOutputStream(); new DEROutputStream(bao).writeObject(protObject); final byte[] protBytes = bao.toByteArray(); final AlgorithmIdentifier algId = sk.getAlgorithmIdentifier(); if (log.isDebugEnabled()) { log.debug( "POP protection bytes length: " + (protBytes != null ? protBytes.length : "null")); log.debug("POP algorithm identifier is: " + algId.getAlgorithm().getId()); } final Signature sig = Signature.getInstance(algId.getAlgorithm().getId(), "BC"); sig.initVerify(getRequestPublicKey()); sig.update(protBytes); final DERBitString bs = sk.getSignature(); ret = sig.verify(bs.getBytes()); if (log.isDebugEnabled()) { log.debug("POP verify returns: " + ret); } } } catch (IOException e) { log.error("Error encoding CertReqMsg: ", e); } catch (SignatureException e) { log.error("SignatureException verifying POP: ", e); } } return ret; }