DecodedPkiMessage resp; try { resp = DecodedPkiMessage.decode(pkiMessage, recipientKey, recipientCert, responseSignerCerts); } catch (MessageDecodingException ex) { throw new ScepClientException(ex); if (resp.getFailureMessage() != null) { throw new ScepClientException("Error: " + resp.getFailureMessage()); Boolean bo = resp.isSignatureValid(); if (bo != null && !bo.booleanValue()) { throw new ScepClientException("Signature is invalid"); bo = resp.isDecryptionSuccessful(); if (bo != null && !bo.booleanValue()) { throw new ScepClientException("Decryption failed"); Date signingTime = resp.getSigningTime(); long maxSigningTimeBias = getMaxSigningTimeBiasInMs(); if (maxSigningTimeBias > 0) { if (!resp.getSignatureCert().equals(authorityCertStore.getSignatureCert())) { throw new ScepClientException("the signature certificate must not be trusted");
/**
 * Signs the outgoing SCEP response for the requester of {@code request}.
 *
 * <p>The signature algorithm is derived from the digest algorithm the requester used, the
 * response is encrypted for the requester's signature certificate with the content-encryption
 * algorithm of the request, and the responder certificate is embedded in the CMS structure only
 * when the control says so.
 *
 * @param response the message to encode
 * @param request the decoded request this response answers
 * @return the encoded (signed and enveloped) response
 * @throws OperationException with {@code SYSTEM_FAILURE} when encoding fails
 */
private ContentInfo encodeResponse(PkiMessage response, DecodedPkiMessage request)
    throws OperationException {
  Args.notNull(response, "response");
  Args.notNull(request, "request");

  // Answer with the same digest algorithm the requester used.
  final String sigAlg = getSignatureAlgorithm(responderKey, request.getDigestAlgorithm());

  // Only embed the responder certificate in SignedData when configured to do so.
  final X509Certificate[] embeddedCerts;
  if (control.isIncludeSignerCert()) {
    embeddedCerts = new X509Certificate[] {responderCert};
  } else {
    embeddedCerts = null;
  }

  try {
    return response.encode(responderKey, sigAlg, responderCert, embeddedCerts,
        request.getSignatureCert(), request.getContentEncryptionAlgorithm());
  } catch (MessageEncodingException ex) {
    // Log with the cause, then map to the generic system failure for the caller.
    LogUtil.error(LOG, ex, "could not encode response");
    throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
  }
} // method encodeResponse
private PkiMessage servicePkiOperation0(DecodedPkiMessage req, AuditEvent event) throws MessageDecodingException, CaException { TransactionId tid = req.getTransactionId(); PkiMessage rep = new PkiMessage(tid, MessageType.CertRep, Nonce.randomNonce()); rep.setPkiStatus(PkiStatus.SUCCESS); rep.setRecipientNonce(req.getSenderNonce()); if (req.getFailureMessage() != null) { return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest); Boolean bo = req.isSignatureValid(); if (bo != null && !bo.booleanValue()) { return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badMessageCheck); bo = req.isDecryptionSuccessful(); if (bo != null && !bo.booleanValue()) { return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest); Date signingTime = req.getSigningTime(); if (maxSigningTimeBiasInMs > 0) { boolean isTimeBad = false; String oid = req.getDigestAlgorithm().getId(); ScepHashAlgo hashAlgo = ScepHashAlgo.forNameOrOid(oid); if (hashAlgo == null) { ASN1ObjectIdentifier encOid = req.getContentEncryptionAlgorithm(); if (CMSAlgorithm.DES_EDE3_CBC.equals(encOid)) { if (!caCaps.containsCapability(CaCapability.DES3)) {
EnvelopedDataDecryptor recipient = new EnvelopedDataDecryptor(decInstance); DecodedPkiMessage req = DecodedPkiMessage.decode(requestContent, recipient, null); ScepHashAlgo.forNameOrOid(req.getDigestAlgorithm().getId())); req.getSignatureCert(), req.getContentEncryptionAlgorithm()); } catch (Exception ex) { throw new CaException(ex);
/**
 * Decodes a SCEP {@code pkiMessage} for a single recipient identity.
 *
 * <p>Convenience overload: wraps the given key/certificate pair in an
 * {@link EnvelopedDataDecryptor} and delegates to the decryptor-based {@code decode}.
 *
 * @param pkiMessage the signed SCEP message to decode
 * @param recipientKey private key used to open the enveloped data
 * @param recipientCert certificate matching {@code recipientKey}
 * @param certStore additional certificates usable for signer lookup; may be {@code null}
 *     (the delegate is called with it unchanged)
 * @return the decoded message
 * @throws MessageDecodingException if the message cannot be decoded
 */
public static DecodedPkiMessage decode(CMSSignedData pkiMessage, PrivateKey recipientKey,
    X509Certificate recipientCert, CollectionStore<X509CertificateHolder> certStore)
    throws MessageDecodingException {
  // One recipient identity, wrapped so the general decode path can use it.
  EnvelopedDataDecryptor decryptor = new EnvelopedDataDecryptor(
      new EnvelopedDataDecryptorInstance(recipientCert, recipientKey));
  return decode(pkiMessage, decryptor, certStore);
}
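/**
 * Performs a SCEP {@code GetCert} operation and returns the certificates the server sent.
 *
 * <p>The request is encrypted for the server and signed with the client identity. The reply is
 * decoded with the same identity via {@code decode(...)} (which is where signature and decryption
 * results of the reply are expected to be checked — verify against that method), then its
 * {@code pkiStatus} must be {@code SUCCESS} and its message data is parsed as CMS SignedData.
 *
 * <p>Fix over the previous version: a successful reply that carries no message data no longer
 * ends in a {@code NullPointerException} ({@code ContentInfo.getInstance(null)} yields
 * {@code null}), and a malformed SignedData body (reported by BouncyCastle as
 * {@code IllegalArgumentException}) is reported as a {@link ScepClientException} instead of
 * leaking out as an unchecked exception.
 *
 * @param identityKey private key of the client identity
 * @param identityCert certificate of the client identity
 * @param issuer issuer name of the wanted certificate
 * @param serialNumber serial number of the wanted certificate
 * @return the certificates contained in the server's SignedData reply
 * @throws ScepClientException if the server reports a non-success status, sends no message data,
 *     or the reply cannot be parsed
 */
public List<X509Certificate> scepGetCert(PrivateKey identityKey, X509Certificate identityCert,
    X500Name issuer, BigInteger serialNumber) throws ScepClientException {
  ScepUtil.requireNonNull("identityKey", identityKey);
  ScepUtil.requireNonNull("identityCert", identityCert);
  ScepUtil.requireNonNull("issuer", issuer);
  ScepUtil.requireNonNull("serialNumber", serialNumber);
  initIfNotInited();

  PkiMessage request = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCert);
  request.setMessageData(new IssuerAndSerialNumber(issuer, serialNumber));

  ContentInfo envRequest = encryptThenSign(request, identityKey, identityCert);
  ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, envRequest);
  CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
  DecodedPkiMessage response = decode(cmsSignedData, identityKey, identityCert);

  if (response.getPkiStatus() != PkiStatus.SUCCESS) {
    throw new ScepClientException("server returned " + response.getPkiStatus());
  }

  // getInstance(null) returns null; guard it so the failure is explicit rather than an NPE.
  ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
  if (messageData == null) {
    throw new ScepClientException("server returned SUCCESS but no message data");
  }

  try {
    return ScepUtil.getCertsFromSignedData(SignedData.getInstance(messageData.getContent()));
  } catch (CertificateException | IllegalArgumentException ex) {
    // The reply body comes from the network: parse failures are reported, with cause kept.
    throw new ScepClientException(ex.getMessage(), ex);
  }
}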
String tid = Args.notNull(req, "req").getTransactionId().getId(); if (req.getFailureMessage() != null) { audit(event, CaAuditConstants.NAME_SCEP_failure_message, req.getFailureMessage()); Boolean bo = req.isSignatureValid(); if (bo != null && !bo.booleanValue()) { audit(event, CaAuditConstants.NAME_SCEP_signature, "invalid"); bo = req.isDecryptionSuccessful(); if (bo != null && !bo.booleanValue()) { audit(event, CaAuditConstants.NAME_SCEP_decryption, "failed"); new PkiMessage(req.getTransactionId(), MessageType.CertRep, Nonce.randomNonce()); rep.setRecipientNonce(req.getSenderNonce()); if (req.getFailureMessage() != null) { rep.setPkiStatus(PkiStatus.FAILURE); rep.setFailInfo(FailInfo.badRequest); bo = req.isSignatureValid(); if (bo != null && !bo.booleanValue()) { rep.setPkiStatus(PkiStatus.FAILURE); bo = req.isDecryptionSuccessful(); if (bo != null && !bo.booleanValue()) { rep.setPkiStatus(PkiStatus.FAILURE); Date signingTime = req.getSigningTime();
/**
 * Handles one SCEP {@code PKIOperation}: decodes the request, dispatches it, audits the outcome
 * and returns the encoded response.
 *
 * <p>The request is decoded with the CA's enveloped-data decryptor and without an extra
 * certificate store ({@code null}); whatever validation of the request signer happens is
 * inside {@code DecodedPkiMessage.decode} and {@code servicePkiOperation0} — confirm there.
 * The resulting {@code pkiStatus} and, when present, {@code failInfo} are written to the audit
 * event; a {@code FAILURE} status also marks the event as failed.
 *
 * @param requestContent the signed SCEP request
 * @param certprofileName certificate profile to use for the request
 * @param msgId message identifier for the request
 * @param event audit event to record the outcome in
 * @return the encoded response
 * @throws MessageDecodingException if the request cannot be decoded
 * @throws OperationException with {@code SYSTEM_UNAVAILABLE} when this SCEP responder is not
 *     active, or when the response cannot be encoded
 */
public ContentInfo servicePkiOperation(CMSSignedData requestContent, String certprofileName,
    String msgId, AuditEvent event) throws MessageDecodingException, OperationException {
  if (!isOnService()) {
    LOG.warn("SCEP {} is not active", caIdent.getName());
    throw new OperationException(ErrorCode.SYSTEM_UNAVAILABLE);
  }

  DecodedPkiMessage req = DecodedPkiMessage.decode(requestContent, envelopedDataDecryptor, null);
  PkiMessage rep = servicePkiOperation0(requestContent, req, certprofileName, msgId, event);

  // Record the outcome before encoding, so a failed encode still leaves the status in the audit.
  PkiStatus status = rep.getPkiStatus();
  audit(event, CaAuditConstants.NAME_SCEP_pki_status, status.toString());
  if (status == PkiStatus.FAILURE) {
    event.setStatus(AuditStatus.FAILED);
  }
  if (rep.getFailInfo() != null) {
    audit(event, CaAuditConstants.NAME_SCEP_fail_info, rep.getFailInfo().toString());
  }

  return encodeResponse(rep, req);
} // method servicePkiOperation