List of usage examples for org.bouncycastle.cms CMSSignedData CMSSignedData
public CMSSignedData(ContentInfo sigData) throws CMSException
From source file:org.signserver.module.tsa.MSAuthCodeTimeStampSignerTest.java
License:Open Source License
/** * Performs test using specified signature algorithm, digest algorithm and with the optional SigningCertificate attribute included or not included. * //from www . j a va2 s . c om * The SigningCertificate attribute is specified in RFC 2634. * * SigningCertificate ::= SEQUENCE { * certs SEQUENCE OF ESSCertID, * policies SEQUENCE OF PolicyInformation OPTIONAL * } * * id-aa-signingCertificate OBJECT IDENTIFIER ::= { iso(1) * member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) * smime(16) id-aa(2) 12 } * * ESSCertID ::= SEQUENCE { * certHash Hash, * issuerSerial IssuerSerial OPTIONAL * } * Hash ::= OCTET STRING -- SHA1 hash of entire certificate * * IssuerSerial ::= SEQUENCE { * issuer GeneralNames, * serialNumber CertificateSerialNumber * } * * @param signingAlgo Signature algorithm to use * @param expectedDigestOID Expected digest OID * @param requestData Request data to test with * @param includeSigningCertAttr If true, include and test the SigningCertificate attribute * @throws Exception */ private void testProcessDataWithAlgo(final String signingAlgo, final String expectedDigestOID, final byte[] requestData, final boolean includeSigningCertAttr, final String includeCertificateLevels) throws Exception { SignServerUtil.installBCProvider(); final String CRYPTOTOKEN_CLASSNAME = "org.signserver.server.cryptotokens.HardCodedCryptoToken"; final ProcessRequest signRequest; final GlobalConfigurationSessionMock globalConfig = new GlobalConfigurationSessionMock(); final WorkerSessionMock workerMock = new WorkerSessionMock(globalConfig); final WorkerConfig config = new WorkerConfig(); config.setProperty("NAME", "TestMSAuthCodeTimeStampSigner"); config.setProperty("AUTHTYPE", "NOAUTH"); config.setProperty("TIMESOURCE", "org.signserver.server.ZeroTimeSource"); config.setProperty("SIGNATUREALGORITHM", signingAlgo); config.setProperty("DEFAULTKEY", HardCodedCryptoTokenAliases.KEY_ALIAS_1); if (includeSigningCertAttr) { config.setProperty("INCLUDE_SIGNING_CERTIFICATE_ATTRIBUTE", "true"); } if (includeCertificateLevels != null) { config.setProperty(WorkerConfig.PROPERTY_INCLUDE_CERTIFICATE_LEVELS, includeCertificateLevels); } final MSAuthCodeTimeStampSigner worker = new MSAuthCodeTimeStampSigner() { @Override protected IGlobalConfigurationSession.IRemote getGlobalConfigurationSession() { return globalConfig; } }; workerMock.setupWorker(SIGNER_ID, CRYPTOTOKEN_CLASSNAME, config, worker); workerMock.reloadConfiguration(SIGNER_ID); // if the INCLUDE_CERTIFICATE_LEVELS property has been set, // check that it gives a not supported error if (includeCertificateLevels != null) { final List<String> errors = worker.getFatalErrors(); assertTrue("Should contain config error", errors.contains(WorkerConfig.PROPERTY_INCLUDE_CERTIFICATE_LEVELS + " is not supported.")); return; } // create sample hard-coded request signRequest = new GenericSignRequest(REQUEST_ID, requestData); final RequestContext requestContext = new RequestContext(); GenericSignResponse resp = (GenericSignResponse) workerMock.process(SIGNER_ID, signRequest, requestContext); // check that the response contains the needed attributes byte[] buf = resp.getProcessedData(); ASN1Sequence asn1seq = ASN1Sequence.getInstance(Base64.decode(buf)); ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(asn1seq.getObjectAt(0)); ASN1TaggedObject ato = ASN1TaggedObject.getInstance(asn1seq.getObjectAt(1)); assertEquals("Invalid OID in response", SIGNED_DATA_OID, oid.getId()); ASN1Sequence asn1seq1 = ASN1Sequence.getInstance(ato.getObject()); ASN1Set asn1set = ASN1Set.getInstance(asn1seq1.getObjectAt(4)); ASN1Sequence asn1seq2 = ASN1Sequence.getInstance(asn1set.getObjectAt(0)); ASN1TaggedObject ato1 = ASN1TaggedObject.getInstance(asn1seq2.getObjectAt(3)); ASN1Sequence asn1seq3 = ASN1Sequence.getInstance(ato1.getObject()); ASN1Sequence asn1seq4 = ASN1Sequence.getInstance(asn1seq3.getObjectAt(0)); ASN1Sequence asn1seq5 = ASN1Sequence.getInstance(asn1seq3.getObjectAt(1)); ASN1Sequence asn1seq6 = ASN1Sequence.getInstance(asn1seq3.getObjectAt(2)); final X509Certificate cert = (X509Certificate) CertTools .getCertfromByteArray(HardCodedCryptoToken.certbytes1); // expected serial number final BigInteger sn = cert.getSerialNumber(); // if INCLUDE_SIGNING_CERTIFICATE_ATTRIBUTE is set to false, the attribute should not be included if (!includeSigningCertAttr) { assertEquals("Number of attributes", 3, asn1seq3.size()); } else { final ASN1Sequence scAttr = ASN1Sequence.getInstance(asn1seq3.getObjectAt(3)); TestUtils.checkSigningCertificateAttribute(scAttr, cert); } ASN1ObjectIdentifier ctOID = ASN1ObjectIdentifier.getInstance(asn1seq4.getObjectAt(0)); assertEquals("Invalid OID for content type", CONTENT_TYPE_OID, ctOID.getId()); ASN1ObjectIdentifier stOID = ASN1ObjectIdentifier.getInstance(asn1seq5.getObjectAt(0)); assertEquals("Invalid OID for signing time", SIGNING_TIME_OID, stOID.getId()); ASN1ObjectIdentifier mdOID = ASN1ObjectIdentifier.getInstance(asn1seq6.getObjectAt(0)); assertEquals("Invalid OID for content type", MESSAGE_DIGEST_OID, mdOID.getId()); // get signing time from response ASN1Set set = ASN1Set.getInstance(asn1seq5.getObjectAt(1)); ASN1Encodable t = set.getObjectAt(0); Time t2 = Time.getInstance(t); Date d = t2.getDate(); // the expected time (the "starting point" of time according to java.util.Date, consistent with the behavior of ZeroTimeSource Date d0 = new Date(0); assertEquals("Unexpected signing time in response", d0, d); // check expected signing algo ASN1Set set1 = ASN1Set.getInstance(asn1seq1.getObjectAt(1)); ASN1Sequence asn1seq7 = ASN1Sequence.getInstance(set1.getObjectAt(0)); ASN1ObjectIdentifier algOid = ASN1ObjectIdentifier.getInstance(asn1seq7.getObjectAt(0)); assertEquals("Unexpected digest OID in response", expectedDigestOID, algOid.getId()); // check that the request is included final CMSSignedData signedData = new CMSSignedData(asn1seq.getEncoded()); final byte[] content = (byte[]) signedData.getSignedContent().getContent(); final ASN1Sequence seq = ASN1Sequence.getInstance(Base64.decode(requestData)); final ASN1Sequence seq2 = ASN1Sequence.getInstance(seq.getObjectAt(1)); final ASN1TaggedObject tag = ASN1TaggedObject.getInstance(seq2.getObjectAt(1)); final ASN1OctetString data = ASN1OctetString.getInstance(tag.getObject()); assertTrue("Contains request data", Arrays.equals(data.getOctets(), content)); // check the signing certificate final X509Certificate signercert = (X509Certificate) resp.getSignerCertificate(); assertEquals("Serial number", sn, signercert.getSerialNumber()); assertEquals("Issuer", cert.getIssuerDN(), signercert.getIssuerDN()); // check ContentInfo, according to the Microsoft specification, the contentInfo in the response is // identical to the contentInfo in the request final ContentInfo expCi = new ContentInfo(seq2); final ContentInfo ci = new ContentInfo(ASN1Sequence.getInstance(asn1seq1.getObjectAt(2))); assertEquals("Content info should match the request", expCi, ci); // Get signers final Collection signers = signedData.getSignerInfos().getSigners(); final SignerInformation signer = (SignerInformation) signers.iterator().next(); // Verify using the signer's certificate assertTrue("Verification using signer certificate", signer.verify(signercert.getPublicKey(), "BC")); // Check that the time source is being logged LogMap logMap = LogMap.getInstance(requestContext); assertEquals("timesource", ZeroTimeSource.class.getSimpleName(), logMap.get("TSA_TIMESOURCE")); assertNotNull("response", logMap.get(ITimeStampLogger.LOG_TSA_TIMESTAMPRESPONSE_ENCODED)); assertEquals("log line doesn't contain newlines", -1, logMap.get(ITimeStampLogger.LOG_TSA_TIMESTAMPRESPONSE_ENCODED).lastIndexOf('\n')); }
From source file:org.signserver.server.cryptotokens.P11SignTest.java
License:Open Source License
private void msauthTSSigner(final int workerId) throws Exception { // Generate CSR PKCS10CertReqInfo certReqInfo = new PKCS10CertReqInfo("SHA1WithRSA", "CN=Worker" + workerId, null); Base64SignerCertReqData reqData = (Base64SignerCertReqData) getWorkerSession() .getCertificateRequest(workerId, certReqInfo, false); // Issue certificate PKCS10CertificationRequest csr = new PKCS10CertificationRequest(Base64.decode(reqData.getBase64CertReq())); KeyPair issuerKeyPair = CryptoUtils.generateRSA(512); X509CertificateHolder cert = new X509v3CertificateBuilder(new X500Name("CN=TestP11 Issuer"), BigInteger.ONE, new Date(), new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(365)), csr.getSubject(), csr.getSubjectPublicKeyInfo()) .addExtension(org.bouncycastle.asn1.x509.X509Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)) .build(new JcaContentSignerBuilder("SHA256WithRSA").setProvider("BC") .build(issuerKeyPair.getPrivate())); // Install certificate and chain workerSession.uploadSignerCertificate(workerId, cert.getEncoded(), GlobalConfiguration.SCOPE_GLOBAL); workerSession.uploadSignerCertificateChain(workerId, Arrays.asList(cert.getEncoded()), GlobalConfiguration.SCOPE_GLOBAL); workerSession.reloadConfiguration(workerId); // Test active List<String> errors = workerSession.getStatus(workerId).getFatalErrors(); assertEquals("errors: " + errors, 0, errors.size()); // Test signing GenericSignRequest signRequest = new GenericSignRequest(678, MSAUTHCODE_REQUEST_DATA.getBytes()); final GenericSignResponse res = (GenericSignResponse) workerSession.process(workerId, signRequest, new RequestContext()); Certificate signercert = res.getSignerCertificate(); assertNotNull(signercert);/*from ww w . j a v a 2 s .c o m*/ byte[] buf = res.getProcessedData(); CMSSignedData s = new CMSSignedData(Base64.decode(buf)); int verified = 0; Store certStore = s.getCertificates(); SignerInformationStore signers = s.getSignerInfos(); Collection c = signers.getSigners(); Iterator it = c.iterator(); while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); Collection certCollection = certStore.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); X509CertificateHolder signerCert = (X509CertificateHolder) certIt.next(); if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(signerCert))) { verified++; } } assertEquals("signer verified", 1, verified); }
From source file:org.votingsystem.callable.AccessRequestDataSender.java
License:Open Source License
@Override public ResponseVS call() throws Exception { log.info("doInBackground - accessServiceURL: " + ContextVS.getInstance().getAccessControl().getAccessServiceURL()); TimeStampRequest timeStampRequest = smimeMessage.getTimeStampRequest(); ResponseVS responseVS = HttpHelper.getInstance().sendData(timeStampRequest.getEncoded(), ContentTypeVS.TIMESTAMP_QUERY, ContextVS.getInstance().getAccessControl().getTimeStampServiceURL()); if (ResponseVS.SC_OK == responseVS.getStatusCode()) { byte[] bytesToken = responseVS.getMessageBytes(); TimeStampToken timeStampToken = new TimeStampToken(new CMSSignedData(bytesToken)); X509Certificate timeStampCert = ContextVS.getInstance().getAccessControl().getTimeStampCert(); SignerInformationVerifier timeStampSignerInfoVerifier = new JcaSimpleSignerInfoVerifierBuilder() .setProvider(ContextVS.PROVIDER).build(timeStampCert); timeStampToken.validate(timeStampSignerInfoVerifier); smimeMessage.setTimeStampToken(timeStampToken); //byte[] encryptedCSRBytes = Encryptor.encryptMessage(certificationRequest.getCsrPEM(),destinationCert); //byte[] accessRequestEncryptedBytes = Encryptor.encryptSMIME(smimeMessage, destinationCert); Map<String, Object> mapToSend = new HashMap<String, Object>(); mapToSend.put(ContextVS.CSR_FILE_NAME, certificationRequest.getCsrPEM()); mapToSend.put(ContextVS.ACCESS_REQUEST_FILE_NAME, smimeMessage.getBytes()); responseVS = HttpHelper.getInstance().sendObjectMap(mapToSend, ContextVS.getInstance().getAccessControl().getAccessServiceURL()); if (ResponseVS.SC_OK == responseVS.getStatusCode()) { /*byte[] encryptedData = responseVS.getMessageBytes(); byte[] decryptedData = Encryptor.decryptFile(encryptedData, certificationRequest.getPublicKey(), certificationRequest.getPrivateKey());*/ certificationRequest.initSigner(responseVS.getMessageBytes()); responseVS.setData(certificationRequest); } else {//from ww w .j a v a 2s . com responseVS.setData(null); } } return responseVS; }
From source file:org.votingsystem.callable.MessageTimeStamper.java
License:Open Source License
@Override public SMIMEMessage call() throws Exception { ResponseVS responseVS = HttpHelper.getInstance().sendData(timeStampRequest.getEncoded(), ContentTypeVS.TIMESTAMP_QUERY, timeStampServerURL); if (ResponseVS.SC_OK == responseVS.getStatusCode()) { byte[] bytesToken = responseVS.getMessageBytes(); timeStampToken = new TimeStampToken(new CMSSignedData(bytesToken)); X509Certificate timeStampCert = ContextVS.getInstance().getTimeStampServerCert(); if (timeStampCert != null) { SignerInformationVerifier timeStampSignerInfoVerifier = new JcaSimpleSignerInfoVerifierBuilder() .build(timeStampCert); timeStampToken.validate(timeStampSignerInfoVerifier); } else// w ww.j a v a 2 s. c o m log.info("TIMESTAMP RESPONSE NOT VALIDATED"); if (smimeMessage != null) smimeMessage.setTimeStampToken(timeStampToken); return smimeMessage; } else throw new ExceptionVS(responseVS.getMessage()); }
From source file:org.votingsystem.signature.smime.SMIMEMessage.java
License:Open Source License
private TimeStampToken checkTimeStampToken(SignerInformation signer) throws Exception { TimeStampToken timeStampToken = null; AttributeTable unsignedAttributes = signer.getUnsignedAttributes(); if (unsignedAttributes != null) { Attribute timeStampAttribute = unsignedAttributes .get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken); if (timeStampAttribute != null) { DEREncodable dob = timeStampAttribute.getAttrValues().getObjectAt(0); CMSSignedData signedData = new CMSSignedData(dob.getDERObject().getEncoded()); timeStampToken = new TimeStampToken(signedData); return timeStampToken; }//from w w w .j a v a 2 s . com } else log.info("checkTimeStampToken - without unsignedAttributes"); return timeStampToken; }
From source file:org.votingsystem.web.ejb.TimeStampBean.java
License:Open Source License
public SMIMEMessage timeStampSMIME(SMIMEMessage smimeMessage) throws Exception { ResponseVS responseVS = HttpHelper.getInstance().sendData(smimeMessage.getTimeStampRequest().getEncoded(), ContentTypeVS.TIMESTAMP_QUERY, timeStampServiceURL); if (ResponseVS.SC_OK == responseVS.getStatusCode()) { byte[] bytesToken = responseVS.getMessageBytes(); TimeStampToken timeStampToken = new TimeStampToken(new CMSSignedData(bytesToken)); SignerInformationVerifier timeStampSignerInfoVerifier = new JcaSimpleSignerInfoVerifierBuilder() .build(x509TimeStampServerCert); timeStampToken.validate(timeStampSignerInfoVerifier); smimeMessage.setTimeStampToken(timeStampToken); return smimeMessage; } else//from w w w. ja v a2s. c om throw new ExceptionVS(responseVS.getMessage()); }
From source file:org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator.java
License:Open Source License
public byte[] getPKIMessage(InputStream inputStream) throws KeystoreException { try {//from w w w. j a va2 s .c o m CMSSignedData signedData = new CMSSignedData(inputStream); Store reqStore = signedData.getCertificates(); @SuppressWarnings("unchecked") Collection<X509CertificateHolder> reqCerts = reqStore.getMatches(null); KeyStoreReader keyStoreReader = new KeyStoreReader(); PrivateKey privateKeyRA = keyStoreReader.getRAPrivateKey(); PrivateKey privateKeyCA = keyStoreReader.getCAPrivateKey(); X509Certificate certRA = (X509Certificate) keyStoreReader.getRACertificate(); X509Certificate certCA = (X509Certificate) keyStoreReader.getCACertificate(); CertificateFactory certificateFactory = CertificateFactory.getInstance(CertificateManagementConstants.X_509); X509CertificateHolder holder = reqCerts.iterator().next(); ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(holder.getEncoded()); X509Certificate reqCert = (X509Certificate) certificateFactory.generateCertificate(byteArrayInputStream); PkcsPkiEnvelopeDecoder envelopeDecoder = new PkcsPkiEnvelopeDecoder(certRA, privateKeyRA); PkiMessageDecoder messageDecoder = new PkiMessageDecoder(reqCert, envelopeDecoder); PkiMessage<?> pkiMessage = messageDecoder.decode(signedData); Object msgData = pkiMessage.getMessageData(); Nonce senderNonce = Nonce.nextNonce(); TransactionId transId = pkiMessage.getTransactionId(); Nonce recipientNonce = pkiMessage.getSenderNonce(); CertRep certRep; PKCS10CertificationRequest certRequest = (PKCS10CertificationRequest) msgData; X509Certificate generatedCert = generateCertificateFromCSR( privateKeyCA, certRequest, certCA.getIssuerX500Principal().getName()); List<X509Certificate> issued = new ArrayList<X509Certificate>(); issued.add(generatedCert); if (issued.size() == 0) { certRep = new CertRep(transId, senderNonce, recipientNonce, FailInfo.badCertId); } else { CMSSignedData messageData = getMessageData(issued); certRep = new CertRep(transId, senderNonce, recipientNonce, messageData); } PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder(reqCert, CertificateManagementConstants.DES_EDE); PkiMessageEncoder encoder = new PkiMessageEncoder(privateKeyRA, certRA, envEncoder); CMSSignedData cmsSignedData = encoder.encode(certRep); return cmsSignedData.getEncoded(); } catch (CertificateException e) { String errorMsg = "Certificate issue occurred when generating getPKIMessage"; throw new KeystoreException(errorMsg, e); } catch (MessageEncodingException e) { String errorMsg = "Message encoding issue occurred when generating getPKIMessage"; throw new KeystoreException(errorMsg, e); } catch (IOException e) { String errorMsg = "Input output issue occurred when generating getPKIMessage"; throw new KeystoreException(errorMsg, e); } catch (MessageDecodingException e) { String errorMsg = "Message decoding issue occurred when generating getPKIMessage"; throw new KeystoreException(errorMsg, e); } catch (CMSException e) { String errorMsg = "CMS issue occurred when generating getPKIMessage"; throw new KeystoreException(errorMsg, e); } }
From source file:org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator.java
License:Open Source License
public X509Certificate extractCertificateFromSignature(String headerSignature) throws KeystoreException { if (headerSignature == null || headerSignature.isEmpty()) { return null; }//from w w w. ja v a 2 s . co m try { KeyStoreReader keyStoreReader = new KeyStoreReader(); CMSSignedData signedData = new CMSSignedData(Base64.decodeBase64(headerSignature.getBytes())); Store reqStore = signedData.getCertificates(); @SuppressWarnings("unchecked") Collection<X509CertificateHolder> reqCerts = reqStore.getMatches(null); if (reqCerts != null && reqCerts.size() > 0) { CertificateFactory certificateFactory = CertificateFactory.getInstance(CertificateManagementConstants.X_509); X509CertificateHolder holder = reqCerts.iterator().next(); ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(holder.getEncoded()); X509Certificate reqCert = (X509Certificate) certificateFactory. generateCertificate(byteArrayInputStream); if (reqCert != null && reqCert.getSerialNumber() != null) { Certificate lookUpCertificate = keyStoreReader.getCertificateByAlias( reqCert.getSerialNumber().toString()); if (lookUpCertificate instanceof X509Certificate) { return (X509Certificate) lookUpCertificate; } } } } catch (CMSException e) { String errorMsg = "CMSException when decoding certificate signature"; throw new KeystoreException(errorMsg, e); } catch (IOException e) { String errorMsg = "IOException when decoding certificate signature"; throw new KeystoreException(errorMsg, e); } catch (CertificateException e) { String errorMsg = "CertificateException when decoding certificate signature"; throw new KeystoreException(errorMsg, e); } return null; }
From source file:org.wso2.carbon.identity.certificateauthority.endpoint.scep.ScepEndpoint.java
License:Open Source License
private Response pkiOperation(int tenantId, HttpServletRequest request) { try {//from w ww . java 2 s . c o m byte[] body = getMessageBytes(request); CMSSignedData sd = new CMSSignedData(body); Store reqStore = sd.getCertificates(); Collection<X509CertificateHolder> reqCerts = reqStore.getMatches(null); CertificateFactory factory = CertificateFactory.getInstance("X.509"); X509CertificateHolder holder = reqCerts.iterator().next(); ByteArrayInputStream bais = new ByteArrayInputStream(holder.getEncoded()); X509Certificate reqCert = (X509Certificate) factory.generateCertificate(bais); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder(getRecipient(tenantId), getRecipientKey(tenantId)); PkiMessageDecoder decoder = new PkiMessageDecoder(reqCert, envDecoder); PkiMessage<?> msg = decoder.decode(sd); MessageType msgType = msg.getMessageType(); Object msgData = msg.getMessageData(); Nonce senderNonce = Nonce.nextNonce(); TransactionId transId = msg.getTransactionId(); Nonce recipientNonce = msg.getSenderNonce(); CertRep certRep; if (msgType == MessageType.GET_CERT) { final IssuerAndSerialNumber iasn = (IssuerAndSerialNumber) msgData; final X509Name principal = iasn.getName(); final BigInteger serial = iasn.getSerialNumber().getValue(); List<X509Certificate> issued = doGetCert(principal, serial); if (issued.size() == 0) { certRep = new CertRep(transId, senderNonce, recipientNonce, FailInfo.badCertId); } else { CMSSignedData messageData = getMessageData(issued); certRep = new CertRep(transId, senderNonce, recipientNonce, messageData); } } else if (msgType == MessageType.GET_CERT_INITIAL) { final IssuerAndSubject ias = (IssuerAndSubject) msgData; final X500Name issuer = X500Name.getInstance(ias.getIssuer()); final X500Name subject = X500Name.getInstance(ias.getSubject()); try { List<X509Certificate> issued = doGetCertInitial(tenantId, issuer, subject, transId); if (issued.size() == 0) { certRep = new CertRep(transId, senderNonce, recipientNonce); } else { CMSSignedData messageData = getMessageData(issued); certRep = new CertRep(transId, senderNonce, recipientNonce, messageData); } } catch (Exception e) { throw new ServletException(e); } } else if (msgType == MessageType.GET_CRL) { final IssuerAndSerialNumber iasn = (IssuerAndSerialNumber) msgData; final X509Name issuer = iasn.getName(); final BigInteger serialNumber = iasn.getSerialNumber().getValue(); try { CMSSignedData messageData = getMessageData(doGetCrl(tenantId, issuer, serialNumber)); certRep = new CertRep(transId, senderNonce, recipientNonce, messageData); } catch (Exception e) { throw new ServletException(e); } } else if (msgType == MessageType.PKCS_REQ) { final PKCS10CertificationRequest certReq = (PKCS10CertificationRequest) msgData; try { List<X509Certificate> issued = doEnrol(certReq, transId, tenantId); if (issued.size() == 0) { certRep = new CertRep(transId, senderNonce, recipientNonce); } else { CMSSignedData messageData = getMessageData(issued); certRep = new CertRep(transId, senderNonce, recipientNonce, messageData); } } catch (Exception e) { throw new ServletException(e); } } else { log.error("Unknown message for operation"); return ResponseUtils.badRequest("Unknown message for operation"); } PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder(reqCert, "DESede"); PkiMessageEncoder encoder = new PkiMessageEncoder(getSignerKey(tenantId), getSigner(tenantId), envEncoder); CMSSignedData signedData = encoder.encode(certRep); return Response.ok().type("application/x-pki-message").entity(signedData.getEncoded()).build(); } catch (Exception e) { log.error(e); return ResponseUtils.serverError(); } }
From source file:org.xipki.pki.ca.server.impl.scep.ScepServlet.java
License:Open Source License
private void service(final HttpServletRequest request, final HttpServletResponse response, final boolean post) throws ServletException, IOException { String requestUri = request.getRequestURI(); String servletPath = request.getServletPath(); int len = servletPath.length(); String scepName = null;//from w w w.j a va 2s . c o m String certProfileName = null; if (requestUri.length() > len + 1) { String scepPath = URLDecoder.decode(requestUri.substring(len + 1), "UTF-8"); if (scepPath.endsWith(CGI_PROGRAM)) { String path = scepPath.substring(0, scepPath.length() - CGI_PROGRAM_LEN); String[] tokens = path.split("/"); if (tokens.length == 2) { scepName = tokens[0]; certProfileName = tokens[1]; } } // end if } // end if if (scepName == null) { response.sendError(HttpServletResponse.SC_NOT_FOUND); return; } AuditService auditService = auditServiceRegister.getAuditService(); AuditEvent event = new AuditEvent(new Date()); event.setApplicationName("SCEP"); event.setName(CaAuditConstants.NAME_PERF); event.addEventData(CaAuditConstants.NAME_SCEP_name, scepName + "/" + certProfileName); event.addEventData(CaAuditConstants.NAME_reqType, RequestType.SCEP.name()); String msgId = RandomUtil.nextHexLong(); event.addEventData(CaAuditConstants.NAME_mid, msgId); AuditLevel auditLevel = AuditLevel.INFO; AuditStatus auditStatus = AuditStatus.SUCCESSFUL; String auditMessage = null; try { if (responderManager == null) { auditMessage = "responderManager in servlet not configured"; LOG.error(auditMessage); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); response.setContentLength(0); auditLevel = AuditLevel.ERROR; auditStatus = AuditStatus.FAILED; return; } String realScepName = responderManager.getCaNameForAlias(scepName); if (realScepName != null) { scepName = realScepName; } Scep responder = responderManager.getScep(scepName); if (responder == null || responder.getStatus() != CaStatus.ACTIVE || !responder.supportsCertProfile(certProfileName)) { auditMessage = "unknown SCEP '" + scepName + "/" + certProfileName + "'"; LOG.warn(auditMessage); response.setStatus(HttpServletResponse.SC_NOT_FOUND); response.setContentLength(0); auditStatus = AuditStatus.FAILED; return; } String operation = request.getParameter("operation"); event.addEventData(CaAuditConstants.NAME_SCEP_operation, operation); if ("PKIOperation".equalsIgnoreCase(operation)) { CMSSignedData reqMessage; // parse the request try { byte[] content; if (post) { content = IoUtil.read(request.getInputStream()); } else { String b64 = request.getParameter("message"); content = Base64.decode(b64); } reqMessage = new CMSSignedData(content); } catch (Exception ex) { final String msg = "invalid request"; LogUtil.error(LOG, ex, msg); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); response.setContentLength(0); auditMessage = msg; auditStatus = AuditStatus.FAILED; return; } ContentInfo ci; try { ci = responder.servicePkiOperation(reqMessage, certProfileName, msgId, event); } catch (MessageDecodingException ex) { final String msg = "could not decrypt and/or verify the request"; LogUtil.error(LOG, ex, msg); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); response.setContentLength(0); auditMessage = msg; auditStatus = AuditStatus.FAILED; return; } catch (OperationException ex) { ErrorCode code = ex.getErrorCode(); int httpCode; switch (code) { case ALREADY_ISSUED: case CERT_REVOKED: case CERT_UNREVOKED: httpCode = HttpServletResponse.SC_FORBIDDEN; break; case BAD_CERT_TEMPLATE: case BAD_REQUEST: case BAD_POP: case INVALID_EXTENSION: case UNKNOWN_CERT: case UNKNOWN_CERT_PROFILE: httpCode = HttpServletResponse.SC_BAD_REQUEST; break; case NOT_PERMITTED: httpCode = HttpServletResponse.SC_UNAUTHORIZED; break; case SYSTEM_UNAVAILABLE: httpCode = HttpServletResponse.SC_SERVICE_UNAVAILABLE; break; case CRL_FAILURE: case DATABASE_FAILURE: case SYSTEM_FAILURE: httpCode = HttpServletResponse.SC_INTERNAL_SERVER_ERROR; break; default: httpCode = HttpServletResponse.SC_INTERNAL_SERVER_ERROR; break; } final String msg = ex.getMessage(); LogUtil.error(LOG, ex, msg); response.setStatus(httpCode); response.setContentLength(0); auditMessage = msg; auditStatus = AuditStatus.FAILED; return; } response.setContentType(CT_RESPONSE); ASN1OutputStream asn1Out = new ASN1OutputStream(response.getOutputStream()); asn1Out.writeObject(ci); asn1Out.flush(); } else if (Operation.GetCACaps.getCode().equalsIgnoreCase(operation)) { // CA-Ident is ignored response.setContentType(ScepConstants.CT_TEXT_PLAIN); byte[] caCapsBytes = responder.getCaCaps().getBytes(); response.getOutputStream().write(caCapsBytes); } else if (Operation.GetCACert.getCode().equalsIgnoreCase(operation)) { // CA-Ident is ignored byte[] respBytes = responder.getCaCertResp().getBytes(); response.setContentType(ScepConstants.CT_X509_CA_RA_CERT); response.setContentLength(respBytes.length); response.getOutputStream().write(respBytes); } else if (Operation.GetNextCACert.getCode().equalsIgnoreCase(operation)) { response.setStatus(HttpServletResponse.SC_FORBIDDEN); response.setContentLength(0); auditMessage = "SCEP operation '" + operation + "' is not permitted"; auditStatus = AuditStatus.FAILED; return; } else { response.setStatus(HttpServletResponse.SC_BAD_REQUEST); response.setContentLength(0); auditMessage = "unknown SCEP operation '" + operation + "'"; auditStatus = AuditStatus.FAILED; return; } } catch (EOFException ex) { final String msg = "connection reset by peer"; if (LOG.isWarnEnabled()) { LogUtil.warn(LOG, ex, msg); } LOG.debug(msg, ex); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); response.setContentLength(0); } catch (Throwable th) { final String message = "Throwable thrown, this should not happen!"; LogUtil.error(LOG, th, message); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); response.setContentLength(0); auditLevel = AuditLevel.ERROR; auditStatus = AuditStatus.FAILED; auditMessage = "internal error"; } finally { try { response.flushBuffer(); } finally { audit(auditService, event, auditLevel, auditStatus, auditMessage); } } }