List of usage examples for org.bouncycastle.asn1.crmf CertRequest getInstance
public static CertRequest getInstance(Object o)
From source file:org.cesecore.certificates.certificate.request.RequestMessageUtils.java
License:Open Source License
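/**
 * Builds a {@link RequestMessage} carrying the requester's public key, username and enrollment
 * password from an encoded certificate request of the given type.
 * <p>
 * What is done per request type:
 * <ul>
 * <li>PKCS10: the public key and the requested extensions are copied out of the PKCS#10 request
 *     into a {@link SimpleRequestMessage}.</li>
 * <li>SPKAC: a Base64 encoded Netscape SPKAC; its proof-of-possession (POPO) signature is
 *     verified before the key is wrapped in a {@link SimpleRequestMessage}.</li>
 * <li>CRMF: a Base64 encoded bare CertReqMessages (not a full PKIMessage); the public key is
 *     parsed as RSA and copied, together with the template extensions, into a
 *     {@link SimpleRequestMessage}.</li>
 * <li>PUBLICKEY: a bare public key, PEM ("BEGIN PUBLIC KEY") or plain Base64 encoded.</li>
 * <li>CVC: a Base64 encoded CV certificate request, with or without the optional outer
 *     (authenticated) signature; the inner signature (POPO) is verified.</li>
 * </ul>
 * NOTE(review): proof-of-possession is only verified in this method for the SPKAC and CVC
 * cases. For PKCS10 and CRMF the key is wrapped in a SimpleRequestMessage without the request
 * signature being checked here, so the caller or the CA must perform that check if the
 * issuance policy requires POP — confirm against the calling code.
 *
 * @param username username to attach to the returned request message
 * @param password enrollment password to attach to the returned request message
 * @param req      the encoded request as a String (PEM or Base64, depending on reqType)
 * @param reqType  one of the CertificateConstants.CERT_REQ_TYPE_* constants
 * @return the request message, or null if reqType is none of the handled types or the SPKAC
 *         payload could not be Base64 decoded
 * @throws SignRequestSignatureException if SPKAC or CVC proof-of-possession verification fails
 * @throws IOException                   if the request cannot be decoded or parsed
 * @throws InvalidKeySpecException       if the CRMF public key cannot be parsed as an RSA key
 * @throws ParseException                propagated from CVC parsing
 * @throws ConstructionException         propagated from CVC parsing
 * @throws NoSuchFieldException          propagated from CVC parsing
 * @throws InvalidKeyException           propagated from key handling / signature verification
 * @throws NoSuchAlgorithmException      propagated from key handling / signature verification
 * @throws NoSuchProviderException       if the "BC" provider is not available
 * @throws SignatureException            propagated from signature verification
 */
public static RequestMessage getSimpleRequestMessageFromType(final String username, final String password, final String req, final int reqType)
        throws SignRequestSignatureException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, IOException,
        SignatureException, InvalidKeySpecException, ParseException, ConstructionException, NoSuchFieldException {
    RequestMessage ret = null;
    if (reqType == CertificateConstants.CERT_REQ_TYPE_PKCS10) {
        // NOTE(review): the PKCS#10 self-signature is not verified on this path; only the key and
        // the requested extensions are lifted into the SimpleRequestMessage.
        final RequestMessage pkcs10req = RequestMessageUtils.genPKCS10RequestMessage(req.getBytes());
        final PublicKey pubKey = pkcs10req.getRequestPublicKey();
        final SimpleRequestMessage simplereq = new SimpleRequestMessage(pubKey, username, password);
        simplereq.setRequestExtensions(pkcs10req.getRequestExtensions());
        ret = simplereq;
    } else if (reqType == CertificateConstants.CERT_REQ_TYPE_SPKAC) {
        // String.getBytes() never returns null, so no null check is needed on reqBytes.
        final byte[] reqBytes = req.getBytes();
        if (log.isDebugEnabled()) {
            log.debug("Received NS request: " + new String(reqBytes));
        }
        final byte[] buffer = Base64.decode(reqBytes);
        if (buffer == null) {
            return null;
        }
        // Close the stream even when parsing throws (the CRMF branch below already does this).
        final ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(buffer));
        final ASN1Sequence spkacSeq;
        try {
            spkacSeq = (ASN1Sequence) in.readObject();
        } finally {
            in.close();
        }
        final NetscapeCertRequest nscr = new NetscapeCertRequest(spkacSeq);
        // Verify POPO. We don't care about the challenge value itself, it's not important here.
        // NOTE(review): the challenge is overwritten with a fixed value before verify(); whether
        // that accepts SPKACs created with an arbitrary challenge depends on
        // NetscapeCertRequest.verify — confirm if that behaviour is relied upon.
        nscr.setChallenge("challenge");
        if (!nscr.verify("challenge")) {
            if (log.isDebugEnabled()) {
                log.debug("SPKAC POPO verification Failed");
            }
            throw new SignRequestSignatureException("Invalid signature in NetscapeCertRequest, popo-verification failed.");
        }
        if (log.isDebugEnabled()) {
            log.debug("POPO verification successful");
        }
        ret = new SimpleRequestMessage(nscr.getPublicKey(), username, password);
    } else if (reqType == CertificateConstants.CERT_REQ_TYPE_CRMF) {
        final byte[] request = Base64.decode(req.getBytes());
        if (request == null) {
            // Previously this fell through to a NullPointerException inside ASN1InputStream.
            throw new IOException("Base64 decode of buffer returns null");
        }
        final ASN1InputStream in = new ASN1InputStream(request);
        try {
            // Presumably a bare CertReqMessages (SEQUENCE OF CertReqMsg); the first element of the
            // first CertReqMsg is the CertRequest.
            final ASN1Sequence crmfSeq = (ASN1Sequence) in.readObject();
            final ASN1Sequence reqSeq = (ASN1Sequence) ((ASN1Sequence) crmfSeq.getObjectAt(0)).getObjectAt(0);
            final CertRequest certReq = CertRequest.getInstance(reqSeq);
            final SubjectPublicKeyInfo pKeyInfo = certReq.getCertTemplate().getPublicKey();
            // TODO(review): hard-wired to RSA, so a CRMF request carrying e.g. an EC key would
            // presumably fail in generatePublic(). KeyTools.getPublicKeyFromBytes, used for the
            // PUBLICKEY case below, may be the algorithm-agnostic alternative — confirm before switching.
            final KeyFactory keyFact = KeyFactory.getInstance("RSA", "BC");
            final KeySpec keySpec = new X509EncodedKeySpec(pKeyInfo.getEncoded());
            final PublicKey pubKey = keyFact.generatePublic(keySpec); // parsed just to check the key is well-formed
            final SimpleRequestMessage simplereq = new SimpleRequestMessage(pubKey, username, password);
            simplereq.setRequestExtensions(certReq.getCertTemplate().getExtensions());
            ret = simplereq;
        } finally {
            in.close();
        }
        // A bare CRMF CertReqMessages is not a complete PKIMessage, which is what CrmfRequestMessage
        // expects, so it cannot be wrapped in one here. No POPO check is performed on this path.
    } else if (reqType == CertificateConstants.CERT_REQ_TYPE_PUBLICKEY) {
        byte[] request;
        // The key may arrive either PEM encoded or as bare Base64: try PEM first, then fall back.
        try {
            request = FileTools.getBytesFromPEM(req.getBytes(), CertTools.BEGIN_PUBLIC_KEY, CertTools.END_PUBLIC_KEY);
        } catch (IOException notPem) {
            try {
                request = Base64.decode(req.getBytes());
            } catch (DecoderException de) {
                // Keep the cause so the decode failure is diagnosable upstream.
                throw new IOException("Base64 decode fails, message not base64 encoded: " + de.getMessage(), de);
            }
            if (request == null) {
                throw new IOException("Base64 decode of buffer returns null");
            }
        }
        ret = new SimpleRequestMessage(KeyTools.getPublicKeyFromBytes(request), username, password);
    } else if (reqType == CertificateConstants.CERT_REQ_TYPE_CVC) {
        final CVCObject parsedObject = CertificateParser.parseCVCObject(Base64.decode(req.getBytes()));
        // Handle both an authenticated request (with an outer signature) and a request that lacks
        // the (optional) outer signature; in the first case the inner request is what we need.
        final CVCertificate cvccert;
        if (parsedObject instanceof CVCAuthenticatedRequest) {
            cvccert = ((CVCAuthenticatedRequest) parsedObject).getRequest();
        } else {
            cvccert = (CVCertificate) parsedObject;
        }
        final CVCRequestMessage reqmsg = new CVCRequestMessage(cvccert.getDEREncoded());
        reqmsg.setUsername(username);
        reqmsg.setPassword(password);
        // Inner-signature POPO check. Per the original note the CA (SignSessionBean) verifies it as well.
        if (!reqmsg.verify()) {
            if (log.isDebugEnabled()) {
                log.debug("CVC POPO verification Failed");
            }
            throw new SignRequestSignatureException("Invalid inner signature in CVCRequest, popo-verification failed.");
        }
        if (log.isDebugEnabled()) {
            log.debug("POPO verification successful");
        }
        ret = reqmsg;
    }
    return ret;
}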
From source file:org.ejbca.core.protocol.cmp.CmpMessageHelper.java
License:Open Source License
/**
 * Parses a CRMF request created with the novosec library classes and returns a bouncycastle
 * {@link CertReqMsg} object.
 * <p>
 * The ProofOfPossession is encoded differently by novosec and bouncycastle: the novosec
 * generator explicitly tags the PopoSigningKey while it should be implicitly tagged.
 * Through novosec the ProofOfPossession comes through as:
 * <pre>
 *   Sequence
 *     DERSequence
 *       DERSequence
 *         ObjectIdentifier(1.2.840.113549.1.1.5)
 *         DERBitString[64,0]
 * </pre>
 * but it should be:
 * <pre>
 *   DERSequence
 *     DERSequence
 *       ObjectIdentifier(1.2.840.113549.1.1.5)
 *       DERBitString[64,0]
 * </pre>
 * The bouncycastle parser expects an implicit tag, so to it the sequence looks like it contains
 * a single element. (Bouncycastle's own remark: the explicit tag would be correct for a
 * POPOPrivKey, since that is a CHOICE item whose tag must be preserved, but that is a different
 * story.) Hence the message is taken apart and rebuilt element by element below.
 *
 * @param messages the CertReqMessages as produced by novosec
 * @return a CertReqMsg rebuilt from the first CertReqMsg in {@code messages}: its CertRequest,
 *         its ProofOfPossession, and the first regInfo attribute as the only regToken
 * @throws IllegalArgumentException if the proof-of-possession carries a tag number other than 0-3
 */
public static CertReqMsg getNovosecCertReqMsg(final CertReqMessages messages) {
    // Only the first CertReqMsg of the message set is considered.
    final DERSequence certReqMsgSeq = (DERSequence) ((DERSequence) messages.toASN1Primitive()).getObjectAt(0);
    // Element 0: the CertRequest itself.
    final CertRequest certRequest = CertRequest.getInstance(certReqMsgSeq.getObjectAt(0));
    // Element 1: the (explicitly tagged) proof-of-possession.
    final ProofOfPossession pop = rebuildProofOfPossession((ASN1TaggedObject) certReqMsgSeq.getObjectAt(1));
    // Element 2: regInfo, of which only the first AttributeTypeAndValue (the regToken) is kept.
    final ASN1Sequence regInfoSeq = (ASN1Sequence) certReqMsgSeq.getObjectAt(2);
    final AttributeTypeAndValue regToken = AttributeTypeAndValue.getInstance(regInfoSeq.getObjectAt(0));
    return new CertReqMsg(certRequest, pop, new AttributeTypeAndValue[] { regToken });
}

/**
 * Rebuilds a bouncycastle ProofOfPossession from the explicitly tagged novosec encoding.
 *
 * @param tagged the tagged POP element as found in the novosec CertReqMsg
 * @return the ProofOfPossession matching the element's tag number
 * @throws IllegalArgumentException if the tag number is not one of 0 (raVerified),
 *         1 (signature), 2 or 3 (the two POPOPrivKey variants)
 */
private static ProofOfPossession rebuildProofOfPossession(final ASN1TaggedObject tagged) {
    final int tagnr = tagged.getTagNo();
    switch (tagnr) {
    case 0:
        // raVerified: carries no content.
        return new ProofOfPossession();
    case 1:
        // POPOSigningKey; unwrap the explicit tag novosec added.
        return new ProofOfPossession(POPOSigningKey.getInstance(tagged.getObject()));
    case 2:
    case 3:
        // POPOPrivKey is a CHOICE, so the tag is preserved and parsed as implicit here.
        return new ProofOfPossession(tagnr, POPOPrivKey.getInstance(tagged, false));
    default:
        throw new IllegalArgumentException("unknown tag: " + tagnr);
    }
}