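/**
 * Extracts the sender of a CMP request as an {@link X500Name}.
 *
 * <p>Only a {@code directoryName} sender can be mapped to a requestor, so every other
 * {@link GeneralName} choice (rfc822Name, dNSName, ...) yields {@code null}; callers treat
 * {@code null} as "not an authorized requestor".
 *
 * @param reqHeader header of the incoming request; the sender field is untrusted input
 * @return the sender's distinguished name, or {@code null} if the sender is not a directoryName
 */
private static X500Name getX500Sender(PKIHeader reqHeader) {
  GeneralName requestSender = reqHeader.getSender();
  if (requestSender.getTagNo() != GeneralName.directoryName) {
    return null;
  }
  // getInstance() instead of a blind cast: the name comes off the wire, and a
  // ClassCastException here would turn a malformed sender into an unhandled error
  // instead of a clean "not authorized" result.
  return X500Name.getInstance(requestSender.getName());
}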
/**
 * Builds a CMP error response ({@code PKIBody.TYPE_ERROR}) for a request that could not be
 * processed.
 *
 * <p>The response header mirrors the request: the request's sender becomes the recipient,
 * the request's senderNonce is echoed as recipNonce (so the requestor can bind the reply to
 * its request), the protocol version is copied, and the transaction id is set when one was
 * supplied. No protection is applied in this method.
 *
 * @param tid transaction id of the request, or {@code null} to omit it from the response
 * @param requestHeader header of the request being rejected
 * @param failureCode CMP failure code passed to {@code generateRejectionStatus}
 * @param statusText free-text status to include in the rejection
 * @return the assembled, unprotected error message
 */
protected PKIMessage buildErrorPkiMessage(ASN1OctetString tid, PKIHeader requestHeader,
    int failureCode, String statusText) {
  final int pvno = requestHeader.getPvno().getValue().intValue();
  PKIHeaderBuilder headerBuilder =
      new PKIHeaderBuilder(pvno, getSender(), requestHeader.getSender());
  headerBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));

  if (tid != null) {
    headerBuilder.setTransactionID(tid);
  }

  // Echo the requestor's nonce as recipNonce; a request without one gets no recipNonce.
  ASN1OctetString nonceFromRequest = requestHeader.getSenderNonce();
  if (nonceFromRequest != null) {
    headerBuilder.setRecipNonce(nonceFromRequest);
  }

  ErrorMsgContent errorContent =
      new ErrorMsgContent(generateRejectionStatus(failureCode, statusText));
  PKIBody errorBody = new PKIBody(PKIBody.TYPE_ERROR, errorContent);
  return new PKIMessage(headerBuilder.build(), errorBody);
} // method buildErrorPkiMessage
CmpRequestorInfo requestor = (x500Sender == null) ? null : getRequestor(x500Sender); if (requestor == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED);
reqHeader.getPvno().getValue().intValue(), getSender(), reqHeader.getSender()); respHeader.setTransactionID(tid); ASN1OctetString senderNonce = reqHeader.getSenderNonce();
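/**
 * Verifies the signature-based protection of a CMP response from the configured responder.
 *
 * <p>A response is accepted only if all of the following hold: it carries protection at all
 * (an unprotected message is rejected here rather than surfacing as the
 * {@link IllegalArgumentException} that {@link ProtectedPKIMessage}'s constructor throws for
 * it), the protection is signature-based (password-based MAC is refused), the header's
 * sender equals {@code responderSubject}, the protection algorithm OID is listed in
 * {@code trustedProtectionAlgOids}, and the signature verifies under the public key of
 * {@code responderCert}.
 *
 * @param pkiMessage response received from the responder; untrusted until this returns true
 * @return {@code true} only if every check above passes
 * @throws CMPException propagated from the signature verification
 * @throws InvalidKeyException propagated from building the verifier for the responder's key
 */
@Override
protected boolean verifyProtection(GeneralPKIMessage pkiMessage)
    throws CMPException, InvalidKeyException {
  PKIHeader header = pkiMessage.getHeader();

  // ProtectedPKIMessage(GeneralPKIMessage) throws IllegalArgumentException when the
  // message has no protectionAlg; treat that as a verification failure, not a crash.
  if (!pkiMessage.hasProtection()) {
    LOG.warn("not authorized responder '{}': message is not protected", header.getSender());
    return false;
  }

  ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);
  String algOid = header.getProtectionAlg().getAlgorithm().getId();

  if (protectedMsg.hasPasswordBasedMacProtection()) {
    LOG.warn("protection is not signature based: {}", algOid);
    return false;
  }

  if (!header.getSender().equals(responderSubject)) {
    LOG.warn("not authorized responder '{}'", header.getSender());
    return false;
  }

  if (!trustedProtectionAlgOids.contains(algOid)) {
    LOG.warn("PKI protection algorithm is untrusted '{}'", algOid);
    return false;
  }

  ContentVerifierProvider verifierProvider =
      getContentVerifierProvider(responderCert.getPublicKey());
  if (verifierProvider == null) {
    // Distinct message from the sender check above: the sender matched, but no verifier
    // could be built for the configured responder certificate.
    LOG.warn("no content verifier available for responder '{}'", header.getSender());
    return false;
  }

  return protectedMsg.verify(verifierProvider);
} // method verifyProtection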
if (header.getSender().getTagNo() != GeneralName.directoryName) { authorizedResponder = false; } else { X500Name msgSender = X500Name.getInstance(header.getSender().getName()); authorizedResponder = recipientName.equals(msgSender); LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(cert); if (verifierProvider == null) { LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender()); return new ProtectionVerificationResult(cert, ProtectionResult.SENDER_NOT_AUTHORIZED);