PKIHeader header = pkiMessage.getHeader(); ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder( sender, header.getRecipient()); PKIFreeText freeText = header.getFreeText(); if (freeText != null) { builder.setFreeText(freeText); InfoTypeAndValue[] generalInfo = header.getGeneralInfo(); if (generalInfo != null) { for (InfoTypeAndValue gi : generalInfo) { ASN1OctetString octet = header.getRecipKID(); if (octet != null) { builder.setRecipKID(octet.getOctets()); octet = header.getRecipNonce(); if (octet != null) { builder.setRecipNonce(octet.getOctets()); octet = header.getSenderNonce(); if (octet != null) { builder.setSenderNonce(octet.getOctets()); octet = header.getTransactionID(); if (octet != null) { builder.setTransactionID(octet.getOctets()); if (header.getMessageTime() != null) { builder.setMessageTime(new Date());
/**
 * Verifies the signature-based protection of a CMP message.
 *
 * <p>The checks run in this order and the first failure ends the method with {@code false}:
 * the protection must not be password-based MAC, the header sender must equal
 * {@code responderSubject}, the protection algorithm OID must be listed in
 * {@code trustedProtectionAlgOids}, and a verifier must be obtainable for the public key of
 * {@code responderCert}. Only then is the signature itself verified.
 *
 * @param pkiMessage the received message
 * @return {@code true} only if every check above passes and the signature verifies
 * @throws CMPException declared by the signature; raised by the library calls below
 * @throws InvalidKeyException declared by the signature; raised by the calls below
 */
@Override
protected boolean verifyProtection(GeneralPKIMessage pkiMessage)
    throws CMPException, InvalidKeyException {
  ProtectedPKIMessage message = new ProtectedPKIMessage(pkiMessage);

  // A MAC-protected message is refused outright: this verifier accepts signatures only.
  boolean macProtected = message.hasPasswordBasedMacProtection();
  if (macProtected) {
    LOG.warn("protection is not signature based: "
        + pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
    return false;
  }

  // The sender name claimed in the header has to be the configured responder.
  PKIHeader msgHeader = message.getHeader();
  boolean senderMatches = msgHeader.getSender().equals(responderSubject);
  if (!senderMatches) {
    LOG.warn("not authorized responder '{}'", msgHeader.getSender());
    return false;
  }

  // Algorithm allow-list: the OID is chosen by the peer, so it is checked before any
  // cryptographic work is done with it.
  String protectionOid = message.getHeader().getProtectionAlg().getAlgorithm().getId();
  if (!trustedProtectionAlgOids.contains(protectionOid)) {
    LOG.warn("PKI protection algorithm is untrusted '{}'", protectionOid);
    return false;
  }

  // The key comes from the locally held responderCert, not from the message.
  // NOTE(review): this method does not itself check the validity period or revocation
  // status of responderCert; confirm that happens where the certificate is configured.
  ContentVerifierProvider verifier = getContentVerifierProvider(responderCert.getPublicKey());
  if (verifier == null) {
    // NOTE(review): same log text as the sender-mismatch branch above, so the two
    // causes cannot be told apart in the log.
    LOG.warn("not authorized responder '{}'", msgHeader.getSender());
    return false;
  }

  return message.verify(verifier);
} // method verifyProtection
/**
 * Builds a CMP error message answering the given request.
 *
 * <p>The response header reuses the request's protocol version, names {@code getSender()}
 * as sender and the request's sender as recipient, carries the current time, the given
 * transaction id (if any) and echoes the request's senderNonce as recipNonce (if any).
 * The body is an {@code ErrorMsgContent} built from {@code failureCode} and
 * {@code statusText}.
 *
 * <p>NOTE(review): the message is returned without protection; whether the caller
 * protects it before sending is not visible here.
 *
 * @param tid transaction id to copy into the response, may be {@code null}
 * @param requestHeader header of the request being rejected
 * @param failureCode failure code passed to {@code generateRejectionStatus}
 * @param statusText status text passed to {@code generateRejectionStatus}
 * @return the assembled error message
 */
protected PKIMessage buildErrorPkiMessage(ASN1OctetString tid, PKIHeader requestHeader,
    int failureCode, String statusText) {
  GeneralName recipient = requestHeader.getSender();
  int pvno = requestHeader.getPvno().getValue().intValue();

  PKIHeaderBuilder headerBuilder = new PKIHeaderBuilder(pvno, getSender(), recipient);
  headerBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));

  if (tid != null) {
    headerBuilder.setTransactionID(tid);
  }

  // Echo the requester's nonce so it can match the error to its request.
  ASN1OctetString requestNonce = requestHeader.getSenderNonce();
  if (requestNonce != null) {
    headerBuilder.setRecipNonce(requestNonce);
  }

  PKIStatusInfo rejection = generateRejectionStatus(failureCode, statusText);
  PKIBody errorBody = new PKIBody(PKIBody.TYPE_ERROR, new ErrorMsgContent(rejection));
  return new PKIMessage(headerBuilder.build(), errorBody);
} // method buildErrorPkiMessage
ASN1OctetString tid = reqHeader.getTransactionID(); if (!tid.equals(respHeader.getTransactionID())) { throw new Exception("response.transactionId != request.transactionId"); ASN1OctetString senderNonce = reqHeader.getSenderNonce(); if (!senderNonce.equals(respHeader.getRecipNonce())) { throw new Exception("response.recipientNonce != request.senderNonce"); GeneralName rec = respHeader.getRecipient(); if (!requestorSubject.equals(rec)) { throw new Exception("unknown CMP requestor " + rec.toString());
ASN1OctetString tid = reqHeader.getTransactionID(); int reqPvno = reqHeader.getPvno().getValue().intValue(); if (reqPvno != PVNO_CMP2000) { if (event != null) { if (reqHeader.getMessageTime() != null) { try { messageTime = reqHeader.getMessageTime().getDate(); } catch (ParseException ex) { LogUtil.error(LOG, ex, "tid=" + tidStr + ": could not parse messageTime"); GeneralName recipient = reqHeader.getRecipient(); boolean intentMe = (recipient == null) ? true : intendsMe(recipient); if (!intentMe) { LOG.warn("tid={}: I am not the intended recipient, but '{}'", tid, reqHeader.getRecipient()); failureCode = PKIFailureInfo.badRequest; statusText = "I am not the intended recipient";
AlgorithmIdentifier protectionAlg = header.getProtectionAlg(); PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters()); AlgorithmIdentifier algId = parameter.getOwf(); if (!cmpControl.isRequestPbmOwfPermitted(algId)) { ASN1OctetString asn1 = header.getSenderKID(); if (!cmpControl.getSigAlgoValidator().isAlgorithmPermitted(protectionAlg)) { LOG.warn("SIG_ALGO_FORBIDDEN: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_ALGO_FORBIDDEN); CmpRequestorInfo requestor = (x500Sender == null) ? null : getRequestor(x500Sender); if (requestor == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
/**
 * Tells whether the header's generalInfo contains an entry of type
 * {@code CMPObjectIdentifiers.it_implicitConfirm}.
 *
 * <p>NOTE(review): the flag is read straight from the header as received; whether the
 * message protection has been verified before this is consulted is not visible here.
 *
 * @param header the CMP header to inspect; checked with {@code Args.notNull}
 * @return {@code true} if such an entry is present, {@code false} if generalInfo is
 *     absent or holds no such entry
 */
public static boolean isImplictConfirm(PKIHeader header) {
  Args.notNull(header, "header");

  InfoTypeAndValue[] infos = header.getGeneralInfo();
  if (infos == null) {
    return false;
  }

  for (InfoTypeAndValue info : infos) {
    if (CMPObjectIdentifiers.it_implicitConfirm.equals(info.getInfoType())) {
      return true;
    }
  }
  return false;
}
/**
 * Verifies the password-based MAC protection of a CMP message.
 *
 * <p>The message must be MAC-protected, and both algorithms named in its
 * {@code PBMParameter} (the one-way function and the MAC) must be in the respective
 * trusted sets before the MAC is computed with {@code password}.
 *
 * <p>NOTE(review): only the two algorithm OIDs are checked here. The iteration count and
 * salt in PBMParameter are supplied by the peer and are not bounded in this method;
 * {@code PKMACBuilder} has a constructor that takes a maximum iteration count, which
 * would cap the work done on an unverified message. Confirm whether a limit is applied.
 *
 * @param pkiMessage the received message
 * @return {@code true} only if the algorithm checks pass and the MAC verifies
 * @throws CMPException declared by the signature; raised by the library calls below
 * @throws InvalidKeyException declared by the signature
 */
@Override
protected boolean verifyProtection(GeneralPKIMessage pkiMessage)
    throws CMPException, InvalidKeyException {
  ProtectedPKIMessage message = new ProtectedPKIMessage(pkiMessage);

  if (!message.hasPasswordBasedMacProtection()) {
    LOG.warn("NOT_MAC_BASED: {}",
        pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
    return false;
  }

  PBMParameter pbmParams =
      PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());

  // One-way function used to derive the MAC key from the password.
  ASN1ObjectIdentifier owfOid = pbmParams.getOwf().getAlgorithm();
  if (!trustedOwfOids.contains(owfOid)) {
    LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owfOid);
    return false;
  }

  // MAC algorithm applied with the derived key.
  ASN1ObjectIdentifier macOid = pbmParams.getMac().getAlgorithm();
  if (!trustedMacOids.contains(macOid)) {
    LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", macOid);
    return false;
  }

  PKMACBuilder macBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
  return message.verify(macBuilder, password);
}
response.getPkiMessage().getHeader().getTransactionID(), certConfirmBuilder);
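/**
 * Returns the sender of a CMP request as an X.500 name.
 *
 * @param reqHeader header of the request
 * @return the sender's name, or {@code null} when the sender is not a directoryName
 */
private static X500Name getX500Sender(PKIHeader reqHeader) {
  GeneralName requestSender = reqHeader.getSender();
  if (requestSender.getTagNo() != GeneralName.directoryName) {
    return null;
  }
  // The sender field comes from the request. X500Name.getInstance returns an existing
  // X500Name unchanged and converts its ASN.1 sequence form, so a GeneralName that
  // wraps the raw structure no longer ends in a ClassCastException from a hard cast.
  return X500Name.getInstance(requestSender.getName());
}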
PKIHeader respHeader = response.getHeader(); ASN1OctetString tid = reqHeader.getTransactionID(); ASN1OctetString respTid = respHeader.getTransactionID(); if (!tid.equals(respTid)) { LOG.warn("Response contains different tid ({}) than requested {}", respTid, tid); ASN1OctetString senderNonce = reqHeader.getSenderNonce(); ASN1OctetString respRecipientNonce = respHeader.getRecipNonce(); if (!senderNonce.equals(respRecipientNonce)) { LOG.warn("tid {}: response.recipientNonce ({}) != request.senderNonce ({})", GeneralName rec = respHeader.getRecipient(); if (!requestor.getName().equals(rec)) { LOG.warn("tid={}: unknown CMP requestor '{}'", tid, rec);
reqHeader.getPvno().getValue().intValue(), getSender(), reqHeader.getSender()); respHeader.setTransactionID(tid); ASN1OctetString senderNonce = reqHeader.getSenderNonce(); if (senderNonce != null) { respHeader.setRecipNonce(senderNonce);
/**
 * Tells whether the header's generalInfo contains an entry of type
 * {@code CMPObjectIdentifiers.it_implicitConfirm}.
 *
 * <p>NOTE(review): the flag is read straight from the header as received; whether the
 * message protection has been verified before this is consulted is not visible here.
 *
 * @param header the CMP header to inspect; checked with {@code ParamUtil.requireNonNull}
 * @return {@code true} if such an entry is present, otherwise {@code false}
 */
public static boolean isImplictConfirm(PKIHeader header) {
  ParamUtil.requireNonNull("header", header);

  InfoTypeAndValue[] entries = header.getGeneralInfo();
  // An absent generalInfo field means no implicit-confirm request.
  int count = (entries == null) ? 0 : entries.length;
  for (int i = 0; i < count; i++) {
    if (CMPObjectIdentifiers.it_implicitConfirm.equals(entries[i].getInfoType())) {
      return true;
    }
  }
  return false;
}
PKIHeader header = pkiMessage.getHeader(); ProtectedPKIMessageBuilder builder = new ProtectedPKIMessageBuilder( sender, header.getRecipient()); PKIFreeText freeText = header.getFreeText(); if (freeText != null) { builder.setFreeText(freeText); InfoTypeAndValue[] generalInfo = header.getGeneralInfo(); if (generalInfo != null) { for (InfoTypeAndValue gi : generalInfo) { ASN1OctetString octet = header.getRecipKID(); if (octet != null) { builder.setRecipKID(octet.getOctets()); octet = header.getRecipNonce(); if (octet != null) { builder.setRecipNonce(octet.getOctets()); octet = header.getSenderNonce(); if (octet != null) { builder.setSenderNonce(octet.getOctets()); octet = header.getTransactionID(); if (octet != null) { builder.setTransactionID(octet.getOctets()); if (header.getMessageTime() != null) { builder.setMessageTime(new Date());
if (!protectedMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_MAC_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters()); AlgorithmIdentifier algId = parameter.getOwf(); if (!macResponder.isPbmOwfPermitted(algId)) { if (protectedMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNATURE_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); if (header.getSender().getTagNo() != GeneralName.directoryName) { authorizedResponder = false; } else { X500Name msgSender = X500Name.getInstance(header.getSender().getName()); authorizedResponder = recipientName.equals(msgSender); LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); AlgorithmIdentifier protectionAlgo = protectedMsg.getHeader().getProtectionAlg(); if (!sigResponder.getSigAlgoValidator().isAlgorithmPermitted(protectionAlgo)) { String algoName; ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(cert); if (verifierProvider == null) {
/**
 * Tells whether the header's generalInfo contains an entry of type
 * {@code CMPObjectIdentifiers.it_implicitConfirm}.
 *
 * <p>NOTE(review): the flag is read straight from the header as received; whether the
 * message protection has been verified before this is consulted is not visible here.
 *
 * @param header the CMP header to inspect; checked with {@code ParamUtil.requireNonNull}
 * @return {@code true} if such an entry is present, otherwise {@code false}
 */
public static boolean isImplictConfirm(final PKIHeader header) {
  ParamUtil.requireNonNull("header", header);

  boolean implicitConfirm = false;
  InfoTypeAndValue[] generalInfo = header.getGeneralInfo();
  if (generalInfo != null) {
    for (InfoTypeAndValue entry : generalInfo) {
      if (CMPObjectIdentifiers.it_implicitConfirm.equals(entry.getInfoType())) {
        implicitConfirm = true;
        break; // one matching entry is enough
      }
    }
  }
  return implicitConfirm;
}
tmpSignerName, header.getRecipient()); PKIFreeText freeText = header.getFreeText(); if (freeText != null) { builder.setFreeText(freeText); InfoTypeAndValue[] generalInfo = header.getGeneralInfo(); if (generalInfo != null) { for (InfoTypeAndValue gi : generalInfo) { ASN1OctetString octet = header.getRecipKID(); if (octet != null) { builder.setRecipKID(octet.getOctets()); octet = header.getRecipNonce(); if (octet != null) { builder.setRecipNonce(octet.getOctets()); octet = header.getSenderKID(); if (octet != null) { builder.setSenderKID(octet.getOctets()); octet = header.getSenderNonce(); if (octet != null) { builder.setSenderNonce(octet.getOctets()); octet = header.getTransactionID(); if (octet != null) { builder.setTransactionID(octet.getOctets());
SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo(); CmpUtf8Pairs keyvalues = CmpUtil.extract(reqHeader.getGeneralInfo()); Date notBefore = null; Date notAfter = null;