List of usage examples for org.bouncycastle.cert.cmp ProtectedPKIMessage getHeader
public PKIHeader getHeader()
From source file:org.cryptable.pki.communication.PKICMPMessages.java
License:Open Source License
/** * The message to decode a certification response * * @param message//from w w w . j ava 2 s . c o m * @return response message * @throws IOException * @throws PKICMPMessageException */ PKICMPResponse processResponse(byte[] message) throws IOException, PKICMPMessageException, CertificateException, OperatorCreationException, CMPException, PKIKeyStoreException, ParseException { CertificationResult certificationResult = new CertificationResult(); ProtectedPKIMessage pkiMessage = new ProtectedPKIMessage(new GeneralPKIMessage(message)); /* Verify Signature */ ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder() .setProvider(pkiKeyStore.getProvider()).build(pkiKeyStore.getRecipientCertificate()); if (!pkiMessage.verify(verifierProvider)) { throw new PKICMPMessageException("E: Verification failed this is an untrusted Message [" + pkiMessage.getHeader().getSender() + "]"); } if (!Arrays.equals(senderNonce, pkiMessage.getHeader().getRecipNonce().getOctets())) throw new PKICMPMessageException( "E: Recipient Nonce in response does not correspond with Sender Nonce in request!"); if (pkiMessage.getHeader().getMessageTime() != null) { pkiKeyStore.verifyCertificate(pkiKeyStore.getRecipientCertificate(), pkiMessage.getHeader().getMessageTime().getDate()); } else { pkiKeyStore.verifyCertificate(pkiKeyStore.getRecipientCertificate(), new Date()); } PKICMPResponse pkicmpResponse = new PKICMPResponse(); pkicmpResponse.setPkiBody(pkiMessage.getBody()); pkicmpResponse.setPkiHeader(pkiMessage.getHeader()); X509CertificateHolder[] x509CertificateHolders = pkiMessage.getCertificates(); JcaX509CertificateConverter jcaX509CertificateConverter = new JcaX509CertificateConverter(); for (X509CertificateHolder x509CertificateHolder : x509CertificateHolders) { pkicmpResponse.getX509CertifificateList() .add(jcaX509CertificateConverter.getCertificate(x509CertificateHolder)); } return pkicmpResponse; }
From source file:org.xipki.ca.client.impl.CmpRequestor.java
License:Open Source License
private ProtectionVerificationResult verifyProtection(final String tid, final GeneralPKIMessage pkiMessage, final X509Certificate cert) throws CMPException, InvalidKeyException, OperatorCreationException { ProtectedPKIMessage pMsg = new ProtectedPKIMessage(pkiMessage); if (pMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNAUTRE_BASED: " + pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED); }// ww w . j av a 2s.co m PKIHeader h = pMsg.getHeader(); if (c14nRecipientName != null) { boolean authorizedResponder = true; if (h.getSender().getTagNo() != GeneralName.directoryName) { authorizedResponder = false; } else { String c14nMsgSender = getSortedRFC4519Name((X500Name) h.getSender().getName()); authorizedResponder = c14nRecipientName.equalsIgnoreCase(c14nMsgSender); } if (authorizedResponder == false) { LOG.warn("tid={}: not authorized responder '{}'", tid, h.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); } } ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(cert); if (verifierProvider == null) { LOG.warn("tid={}: not authorized responder '{}'", tid, h.getSender()); return new ProtectionVerificationResult(cert, ProtectionResult.SENDER_NOT_AUTHORIZED); } boolean signatureValid = pMsg.verify(verifierProvider); return new ProtectionVerificationResult(cert, signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID); }
From source file:org.xipki.ca.server.impl.CmpResponder.java
License:Open Source License
private ProtectionVerificationResult verifyProtection(final String tid, final GeneralPKIMessage pkiMessage, final CmpControl cmpControl) throws CMPException, InvalidKeyException, OperatorCreationException { ProtectedPKIMessage pMsg = new ProtectedPKIMessage(pkiMessage); if (pMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNAUTRE_BASED: " + pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED); }/*from w w w. j av a2 s. c o m*/ PKIHeader h = pMsg.getHeader(); AlgorithmIdentifier protectionAlg = h.getProtectionAlg(); if (cmpControl.isSigAlgoPermitted(protectionAlg) == false) { LOG.warn("SIG_ALGO_FORBIDDEN: " + pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SIGALGO_FORBIDDEN); } CmpRequestorInfo requestor = getRequestor(h); if (requestor == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, h.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); } ContentVerifierProvider verifierProvider = securityFactory .getContentVerifierProvider(requestor.getCert().getCert()); if (verifierProvider == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, h.getSender()); return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED); } boolean signatureValid = pMsg.verify(verifierProvider); return new ProtectionVerificationResult(requestor, signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID); }
From source file:org.xipki.pki.ca.client.impl.CmpRequestor.java
License:Open Source License
private ProtectionVerificationResult verifyProtection(final String tid, final GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException, OperatorCreationException { ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage); if (protectedMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNAUTRE_BASED: " + pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED); }/*from w ww . j a v a2s . c o m*/ PKIHeader header = protectedMsg.getHeader(); if (recipientName != null) { boolean authorizedResponder = true; if (header.getSender().getTagNo() != GeneralName.directoryName) { authorizedResponder = false; } else { X500Name msgSender = X500Name.getInstance(header.getSender().getName()); authorizedResponder = recipientName.equals(msgSender); } if (!authorizedResponder) { LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); } } AlgorithmIdentifier protectionAlgo = protectedMsg.getHeader().getProtectionAlg(); if (!responder.getSigAlgoValidator().isAlgorithmPermitted(protectionAlgo)) { String algoName; try { algoName = AlgorithmUtil.getSignatureAlgoName(protectionAlgo); } catch (NoSuchAlgorithmException ex) { algoName = protectionAlgo.getAlgorithm().getId(); } LOG.warn("tid={}: response protected by untrusted protection algorithm '{}'", tid, algoName); return new ProtectionVerificationResult(null, ProtectionResult.INVALID); } X509Certificate cert = responder.getCert(); ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(cert); if (verifierProvider == null) { LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender()); return new ProtectionVerificationResult(cert, ProtectionResult.SENDER_NOT_AUTHORIZED); } boolean signatureValid = protectedMsg.verify(verifierProvider); ProtectionResult protRes = signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID; return new ProtectionVerificationResult(cert, protRes); }
From source file:org.xipki.pki.ca.server.impl.cmp.CmpResponder.java
License:Open Source License
private ProtectionVerificationResult verifyProtection(final String tid, final GeneralPKIMessage pkiMessage, final CmpControl cmpControl) throws CMPException, InvalidKeyException, OperatorCreationException { ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage); if (protectedMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNAUTRE_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED); }/*from w w w . ja va 2 s . com*/ PKIHeader header = protectedMsg.getHeader(); AlgorithmIdentifier protectionAlg = header.getProtectionAlg(); if (!cmpControl.getSigAlgoValidator().isAlgorithmPermitted(protectionAlg)) { LOG.warn("SIG_ALGO_FORBIDDEN: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SIGALGO_FORBIDDEN); } CmpRequestorInfo requestor = getRequestor(header); if (requestor == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); } ContentVerifierProvider verifierProvider = securityFactory .getContentVerifierProvider(requestor.getCert().getCert()); if (verifierProvider == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender()); return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED); } boolean signatureValid = protectedMsg.verify(verifierProvider); return new ProtectionVerificationResult(requestor, signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID); }