/** * Build a protected PKI message which has MAC based integrity protection. * * @param macCalculator MAC calculator. * @return the resulting protected PKI message. * @throws CMPException if the protection MAC cannot be calculated. */ public ProtectedPKIMessage build(MacCalculator macCalculator) throws CMPException { finaliseHeader(macCalculator.getAlgorithmIdentifier()); PKIHeader header = hdrBuilder.build(); try { DERBitString protection = new DERBitString(calculateMac(macCalculator, header, body)); return finaliseMessage(header, protection); } catch (IOException e) { throw new CMPException("unable to encode MAC input: " + e.getMessage(), e); } }
/** * Build a protected PKI message which has MAC based integrity protection. * * @param signer the ContentSigner to be used to calculate the signature. * @return the resulting protected PKI message. * @throws CMPException if the protection signature cannot be calculated. */ public ProtectedPKIMessage build(ContentSigner signer) throws CMPException { finaliseHeader(signer.getAlgorithmIdentifier()); PKIHeader header = hdrBuilder.build(); try { DERBitString protection = new DERBitString(calculateSignature(signer, header, body)); return finaliseMessage(header, protection); } catch (IOException e) { throw new CMPException("unable to encode signature input: " + e.getMessage(), e); } }
private ProtectedPKIMessage finaliseMessage(PKIHeader header, DERBitString protection) { if (!extraCerts.isEmpty()) { CMPCertificate[] cmpCerts = new CMPCertificate[extraCerts.size()]; for (int i = 0; i != cmpCerts.length; i++) { cmpCerts[i] = new CMPCertificate(((X509CertificateHolder)extraCerts.get(i)).toASN1Structure()); } return new ProtectedPKIMessage(new PKIMessage(header, body, protection, cmpCerts)); } else { return new ProtectedPKIMessage(new PKIMessage(header, body, protection)); } }
protected PKIMessage buildErrorPkiMessage(ASN1OctetString tid, PKIHeader requestHeader, int failureCode, String statusText) { GeneralName respRecipient = requestHeader.getSender(); PKIHeaderBuilder respHeader = new PKIHeaderBuilder( requestHeader.getPvno().getValue().intValue(), getSender(), respRecipient); respHeader.setMessageTime(new ASN1GeneralizedTime(new Date())); if (tid != null) { respHeader.setTransactionID(tid); } ASN1OctetString senderNonce = requestHeader.getSenderNonce(); if (senderNonce != null) { respHeader.setRecipNonce(senderNonce); } PKIStatusInfo status = generateRejectionStatus(failureCode, statusText); ErrorMsgContent error = new ErrorMsgContent(status); PKIBody body = new PKIBody(PKIBody.TYPE_ERROR, error); return new PKIMessage(respHeader.build(), body); }
public static boolean isImplictConfirm(PKIHeader header) { ParamUtil.requireNonNull("header", header); InfoTypeAndValue[] regInfos = header.getGeneralInfo(); if (regInfos == null) { return false; } for (InfoTypeAndValue regInfo : regInfos) { if (CMPObjectIdentifiers.it_implicitConfirm.equals(regInfo.getInfoType())) { return true; } } return false; }
/** * handle the PKI body with the choice {@code cr}. * */ private PKIBody processCr(PKIMessage request, CmpRequestorInfo requestor, ASN1OctetString tid, PKIHeader reqHeader, CertReqMessages cr, CmpControl cmpControl, String msgId, AuditEvent event) { CertRepMessage repMessage = processCertReqMessages(request, requestor, tid, reqHeader, cr, false, cmpControl, msgId, event); return new PKIBody(PKIBody.TYPE_CERT_REP, repMessage); }
private PKIBody processKur(PKIMessage request, CmpRequestorInfo requestor, ASN1OctetString tid, PKIHeader reqHeader, CertReqMessages kur, CmpControl cmpControl, String msgId, AuditEvent event) { CertRepMessage repMessage = processCertReqMessages(request, requestor, tid, reqHeader, kur, true, cmpControl, msgId, event); return new PKIBody(PKIBody.TYPE_KEY_UPDATE_REP, repMessage); }
/** * handle the PKI body with the choice {@code cr}. * */ private PKIBody processCcp(PKIMessage request, CmpRequestorInfo requestor, ASN1OctetString tid, PKIHeader reqHeader, CertReqMessages cr, CmpControl cmpControl, String msgId, AuditEvent event) { CertRepMessage repMessage = processCertReqMessages(request, requestor, tid, reqHeader, cr, false, cmpControl, msgId, event); return new PKIBody(PKIBody.TYPE_CROSS_CERT_REP, repMessage); }
private CmpRequestorInfo getRequestor(PKIHeader reqHeader) { GeneralName requestSender = reqHeader.getSender(); if (requestSender.getTagNo() != GeneralName.directoryName) { return null; } return getRequestor((X500Name) requestSender.getName()); }
private ProtectionVerificationResult verifyProtection(String tid, GeneralPKIMessage pkiMessage, CmpControl cmpControl) throws CMPException, InvalidKeyException, OperatorCreationException { ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage); if (protectedMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNAUTRE_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED); } PKIHeader header = protectedMsg.getHeader(); AlgorithmIdentifier protectionAlg = header.getProtectionAlg(); if (!cmpControl.sigAlgoValidator().isAlgorithmPermitted(protectionAlg)) { LOG.warn("SIG_ALGO_FORBIDDEN: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SIGALGO_FORBIDDEN); } CmpRequestorInfo requestor = getRequestor(header); if (requestor == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); } ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider( requestor.cert().cert()); if (verifierProvider == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender()); return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED); } boolean signatureValid = protectedMsg.verify(verifierProvider); return new ProtectionVerificationResult(requestor, signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID); }
public PKIHeader getHeader() { return pkiMessage.getHeader(); }
private byte[] calculateSignature(ContentSigner signer, PKIHeader header, PKIBody body) throws IOException { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(header); v.add(body); OutputStream sOut = signer.getOutputStream(); sOut.write(new DERSequence(v).getEncoded(ASN1Encoding.DER)); sOut.close(); return signer.getSignature(); }
private byte[] calculateMac(MacCalculator macCalculator, PKIHeader header, PKIBody body) throws IOException { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(header); v.add(body); OutputStream sOut = macCalculator.getOutputStream(); sOut.write(new DERSequence(v).getEncoded(ASN1Encoding.DER)); sOut.close(); return macCalculator.getMac(); }
/** * handle the PKI body with the choice {@code p10cr}<br/> * Since it is not possible to add attribute to the PKCS#10 request (CSR), the certificate * profile must be specified in the attribute regInfo-utf8Pairs (1.3.6.1.5.5.7.5.2.1) within * PKIHeader.generalInfo * */ private PKIBody processP10cr(PKIMessage request, CmpRequestorInfo requestor, ASN1OctetString tid, PKIHeader reqHeader, CertificationRequest p10cr, CmpControl cmpControl, String msgId, AuditEvent event) { // verify the POP first CertResponse certResp; ASN1Integer certReqId = new ASN1Integer(-1); boolean certGenerated = false; X509Ca ca = getCa(); if (!securityFactory.verifyPopo(p10cr, getCmpControl().popoAlgoValidator())) { LOG.warn("could not validate POP for the pkcs#10 requst"); certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badPOP, "invalid POP"); } else { CertificationRequestInfo certTemp = p10cr.getCertificationRequestInfo(); Extensions extensions = CaUtil.getExtensions(certTemp); X500Name subject = certTemp.getSubject(); SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo(); CmpUtf8Pairs keyvalues = CmpUtil.extract(reqHeader.getGeneralInfo()); String certprofileName = null; Date notBefore = null; Date notAfter = null; if (keyvalues != null) { certprofileName = keyvalues.value(CmpUtf8Pairs.KEY_CERT_PROFILE); String str = keyvalues.value(CmpUtf8Pairs.KEY_NOT_BEFORE); if (str != null) { notBefore = DateUtil.parseUtcTimeyyyyMMddhhmmss(str); } str = keyvalues.value(CmpUtf8Pairs.KEY_NOT_AFTER); if (str != null) { notAfter = DateUtil.parseUtcTimeyyyyMMddhhmmss(str); } } if (certprofileName == null) { certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.badCertTemplate, "badCertTemplate", null); } else { certprofileName = certprofileName.toUpperCase(); if (!requestor.isCertProfilePermitted(certprofileName)) { String msg = "certprofile " + certprofileName + " is not allowed"; certResp = buildErrorCertResponse(certReqId, PKIFailureInfo.notAuthorized, msg); } else { CertTemplateData certTemplateData = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, certprofileName); certResp = generateCertificates(Arrays.asList(certTemplateData), Arrays.asList(certReqId), requestor, tid, false, request, cmpControl, msgId, event).get(0); certGenerated = true; } } } CMPCertificate[] caPubs = null; if (certGenerated && cmpControl.sendCaCert()) { caPubs = new CMPCertificate[]{ca.caInfo().certInCmpFormat()}; } CertRepMessage repMessage = new CertRepMessage(caPubs, new CertResponse[]{certResp}); return new PKIBody(PKIBody.TYPE_CERT_REP, repMessage); }
private PKIBody cmpUnRevokeRemoveCertificates(PKIMessage request, PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, String msgId, AuditEvent event) { Integer requiredPermission = null; boolean allRevdetailsOfSameType = true; RevReqContent rr = RevReqContent.getInstance(reqBody.getContent()); RevDetails[] revContent = rr.toRevDetailsArray(); int len = revContent.length; for (int i = 0; i < len; i++) { RevDetails revDetails = revContent[i]; Extensions crlDetails = revDetails.getCrlEntryDetails(); int reasonCode = CrlReason.UNSPECIFIED.code(); if (crlDetails != null) { ASN1ObjectIdentifier extId = Extension.reasonCode; ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue(); } } if (reasonCode == XiSecurityConstants.CMP_CRL_REASON_REMOVE) { if (requiredPermission == null) { event.addEventType(CaAuditConstants.TYPE_CMP_rr_remove); requiredPermission = PermissionConstants.REMOVE_CERT; } else if (requiredPermission != PermissionConstants.REMOVE_CERT) { allRevdetailsOfSameType = false; break; } } else if (reasonCode == CrlReason.REMOVE_FROM_CRL.code()) { if (requiredPermission == null) { event.addEventType(CaAuditConstants.TYPE_CMP_rr_unrevoke); requiredPermission = PermissionConstants.UNREVOKE_CERT; } else if (requiredPermission != PermissionConstants.UNREVOKE_CERT) { allRevdetailsOfSameType = false; break; } } else { if (requiredPermission == null) { event.addEventType(CaAuditConstants.TYPE_CMP_rr_revoke); requiredPermission = PermissionConstants.REVOKE_CERT; } else if (requiredPermission != PermissionConstants.REVOKE_CERT) { allRevdetailsOfSameType = false; break; } } } // end for if (!allRevdetailsOfSameType) { ErrorMsgContent emc = new ErrorMsgContent( new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText("not all revDetails are of the same type"), new PKIFailureInfo(PKIFailureInfo.badRequest))); return new PKIBody(PKIBody.TYPE_ERROR, emc); } else { try { checkPermission(requestor, requiredPermission); } catch (InsuffientPermissionException ex) { event.setStatus(AuditStatus.FAILED); event.addEventData(CaAuditConstants.NAME_message, "NOT_PERMITTED"); return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.notAuthorized, null); } return unRevokeRemoveCertificates(request, rr, requiredPermission, cmpControl, msgId); } }
