List of usage examples for org.bouncycastle.cms CMSAlgorithm DES_CBC
ASN1ObjectIdentifier DES_CBC
To view the source code for org.bouncycastle.cms CMSAlgorithm DES_CBC.
Click Source Link
From source file:org.xipki.pki.scep.client.Client.java
License:Open Source License
private ContentInfo encryptThenSign(final PkiMessage request, final PrivateKey identityKey, final X509Certificate identityCert) throws ScepClientException { ScepHashAlgoType hashAlgo = caCaps.getMostSecureHashAlgo(); if (hashAlgo == ScepHashAlgoType.MD5 && !useInsecureAlgorithms) { throw new ScepClientException("Scep server supports only MD5 but it not permitted in client"); }//from www . j a v a 2s.co m String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(identityKey, hashAlgo); ASN1ObjectIdentifier encAlgId; if (caCaps.containsCapability(CaCapability.AES)) { encAlgId = CMSAlgorithm.AES128_CBC; } else if (caCaps.containsCapability(CaCapability.DES3)) { encAlgId = CMSAlgorithm.DES_EDE3_CBC; } else if (useInsecureAlgorithms) { encAlgId = CMSAlgorithm.DES_CBC; } else { // no support of DES throw new ScepClientException("DES will not be supported by this client"); } try { return request.encode(identityKey, signatureAlgorithm, identityCert, new X509Certificate[] { identityCert }, authorityCertStore.getEncryptionCert(), encAlgId); } catch (MessageEncodingException ex) { throw new ScepClientException(ex); } }
From source file:org.xipki.pki.scep.serveremulator.ScepResponder.java
License:Open Source License
private PkiMessage doServicePkiOperation(final DecodedPkiMessage req, final AuditEvent event) throws MessageDecodingException, CaException { TransactionId tid = req.getTransactionId(); PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce()); rep.setPkiStatus(PkiStatus.SUCCESS); rep.setRecipientNonce(req.getSenderNonce()); if (req.getFailureMessage() != null) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badRequest); }// w w w . jav a2 s.c o m Boolean bo = req.isSignatureValid(); if (bo != null && !bo.booleanValue()) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badMessageCheck); } bo = req.isDecryptionSuccessful(); if (bo != null && !bo.booleanValue()) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badRequest); } Date signingTime = req.getSigningTime(); if (maxSigningTimeBiasInMs > 0) { boolean isTimeBad = false; if (signingTime == null) { isTimeBad = true; } else { long now = System.currentTimeMillis(); long diff = now - signingTime.getTime(); if (diff < 0) { diff = -1 * diff; } isTimeBad = diff > maxSigningTimeBiasInMs; } if (isTimeBad) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badTime); } } // check the digest algorithm String oid = req.getDigestAlgorithm().getId(); ScepHashAlgoType hashAlgoType = ScepHashAlgoType.forNameOrOid(oid); if (hashAlgoType == null) { LOG.warn("tid={}: unknown digest algorithm {}", tid, oid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } else { boolean supported = false; if (hashAlgoType == ScepHashAlgoType.SHA1) { if (caCaps.containsCapability(CaCapability.SHA1)) { supported = true; } } else if (hashAlgoType == ScepHashAlgoType.SHA256) { if (caCaps.containsCapability(CaCapability.SHA256)) { supported = true; } } else if (hashAlgoType == ScepHashAlgoType.SHA512) { if (caCaps.containsCapability(CaCapability.SHA512)) { supported = true; } } else if (hashAlgoType == ScepHashAlgoType.MD5) { if (control.isUseInsecureAlg()) { supported = true; } } if (!supported) { LOG.warn("tid={}: unsupported digest algorithm {}", tid, oid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } // end if } // end if // check the content encryption algorithm ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm(); if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) { if (!caCaps.containsCapability(CaCapability.DES3)) { LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", tid, encOid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } } else if (AES_ENC_ALGS.contains(encOid)) { if (!caCaps.containsCapability(CaCapability.AES)) { LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } } else if (CMSAlgorithm.DES_CBC.equals(encOid)) { if (!control.isUseInsecureAlg()) { LOG.warn("tid={}: encryption with DES algorithm {} is not permitted", tid, encOid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } } else { LOG.warn("tid={}: encryption with algorithm {} is not permitted", tid, encOid); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badAlg); } if (rep.getPkiStatus() == PkiStatus.FAILURE) { return rep; } MessageType messageType = req.getMessageType(); switch (messageType) { case PKCSReq: CertificationRequest csr = CertificationRequest.getInstance(req.getMessageData()); String challengePwd = getChallengePassword(csr.getCertificationRequestInfo()); if (challengePwd == null || !control.getSecret().equals(challengePwd)) { LOG.warn("challengePassword is not trusted"); rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badRequest); } Certificate cert; try { cert = caEmulator.generateCert(csr); } catch (Exception ex) { throw new CaException("system failure: " + ex.getMessage(), ex); } if (cert != null && control.isPendingCert()) { rep.setPkiStatus(PkiStatus.PENDING); } else if (cert != null) { ContentInfo messageData = createSignedData(cert); rep.setMessageData(messageData); } else { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badCertId); } break; case CertPoll: IssuerAndSubject is = IssuerAndSubject.getInstance(req.getMessageData()); cert = caEmulator.pollCert(is.getIssuer(), is.getSubject()); if (cert != null) { rep.setMessageData(createSignedData(cert)); } else { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badCertId); } break; case GetCert: IssuerAndSerialNumber isn = IssuerAndSerialNumber.getInstance(req.getMessageData()); cert = caEmulator.getCert(isn.getName(), isn.getSerialNumber().getValue()); if (cert != null) { rep.setMessageData(createSignedData(cert)); } else { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badCertId); } break; case RenewalReq: if (!caCaps.containsCapability(CaCapability.Renewal)) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badRequest); } else { csr = CertificationRequest.getInstance(req.getMessageData()); try { cert = caEmulator.generateCert(csr); } catch (Exception ex) { throw new CaException("system failure: " + ex.getMessage(), ex); } if (cert != null) { rep.setMessageData(createSignedData(cert)); } else { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badCertId); } } break; case UpdateReq: if (!caCaps.containsCapability(CaCapability.Update)) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badRequest); } else { csr = CertificationRequest.getInstance(req.getMessageData()); try { cert = caEmulator.generateCert(csr); } catch (Exception ex) { throw new CaException("system failure: " + ex.getMessage(), ex); } if (cert != null) { rep.setMessageData(createSignedData(cert)); } else { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badCertId); } } break; case GetCRL: isn = IssuerAndSerialNumber.getInstance(req.getMessageData()); CertificateList crl; try { crl = caEmulator.getCrl(isn.getName(), isn.getSerialNumber().getValue()); } catch (Exception ex) { throw new CaException("system failure: " + ex.getMessage(), ex); } if (crl != null) { rep.setMessageData(createSignedData(crl)); } else { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badCertId); } break; default: rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badRequest); } // end switch return rep; }