Examples of com.novosec.pkix.asn1.crmf.CertTemplate

• com.novosec.pkix.asn1.cmp.PKIStatusInfo
  ASN.1 structure DER En/DeCoder.

   CertTemplate ::= SEQUENCE { version      [0] Version               OPTIONAL, serialNumber [1] INTEGER               OPTIONAL, signingAlg   [2] AlgorithmIdentifier   OPTIONAL, issuer       [3] Name                  OPTIONAL, validity     [4] OptionalValidity      OPTIONAL, subject      [5] Name                  OPTIONAL, publicKey    [6] SubjectPublicKeyInfo  OPTIONAL, issuerUID    [7] UniqueIdentifier      OPTIONAL, subjectUID   [8] UniqueIdentifier      OPTIONAL, extensions   [9] Extensions            OPTIONAL } 

    Date notBefore = new Date();
    Date notAfter = new Date(new Date().getTime()+24*3600*1000);
    KeyPair keys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
    String username = "cmpRaThrowAwayTestUser" + RND.nextLong();  // This is what we expect from the CMP configuration
    String subjectDN = "CN=" + username;
        PKIMessage one = genCertReq(CertTools.getSubjectDN(caCertificate), subjectDN, keys, caCertificate, nonce, transid, true, null, notBefore, notAfter, null);
        PKIMessage req = protectPKIMessage(one, false, PBE_SECRET, "unusedKeyId", 567);
    assertNotNull("Request was not created properly.", req);
        int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    new DEROutputStream(bao).writeObject(req);
    byte[] resp = sendCmpHttp(bao.toByteArray(), 200);
    checkCmpResponseGeneral(resp, CertTools.getSubjectDN(caCertificate), subjectDN, caCertificate, nonce, transid, false, PBE_SECRET);
    X509Certificate cert = checkCmpCertRepMessage(subjectDN, caCertificate, resp, reqId);
    assertEquals("Certificate history data was or wasn't stored: ", useCertReqHistory, InterfaceCache.getCertificateStoreSession().getCertReqHistory(ADMIN, CertTools.getSerialNumber(cert), CertTools.getIssuerDN(cert))!=null);
    assertEquals("User data was or wasn't stored: ", useUserStorage, InterfaceCache.getUserAdminSession().existsUser(ADMIN, username));
    assertEquals("Certificate data was or wasn't stored: ", useCertificateStorage, InterfaceCache.getCertificateStoreSession().findCertificateByFingerprint(ADMIN, CertTools.getFingerprintAsString(cert))!=null);

    // Send a confirm message to the CA
    String hash = "foo123";
        PKIMessage confirm = genCertConfirm(subjectDN, caCertificate, nonce, transid, hash, reqId);
    assertNotNull("Could not create confirmation message.", confirm);
        PKIMessage req1 = protectPKIMessage(confirm, false, PBE_SECRET, "unusedKeyId", 567);
    bao = new ByteArrayOutputStream();
    new DEROutputStream(bao).writeObject(req1);
    resp = sendCmpHttp(bao.toByteArray(), 200);
    checkCmpResponseGeneral(resp, CertTools.getSubjectDN(caCertificate), subjectDN, caCertificate, nonce, transid, false, PBE_SECRET);
    checkCmpPKIConfirmMessage(subjectDN, caCertificate, resp);

    // We only expect revocation to work if we store certificate data and user data
    // TODO: ECA-1916 should remove dependency on useUserStorage
    if (useCertificateStorage && useUserStorage) {
      // Now revoke the bastard using the CMPv1 reason code!
      PKIMessage rev = genRevReq(CertTools.getSubjectDN(caCertificate), subjectDN, cert.getSerialNumber(), caCertificate, nonce, transid, false);
          PKIMessage revReq = protectPKIMessage(rev, false, PBE_SECRET, "unusedKeyId", 567);
      assertNotNull("Could not create revocation message.", revReq);
      bao = new ByteArrayOutputStream();
      new DEROutputStream(bao).writeObject(revReq);
      resp = sendCmpHttp(bao.toByteArray(), 200);
      checkCmpResponseGeneral(resp, CertTools.getSubjectDN(caCertificate), subjectDN, caCertificate, nonce, transid, false, PBE_SECRET);

        final byte[] nonce = CmpMessageHelper.createSenderNonce();
        final byte[] transid = CmpMessageHelper.createSenderNonce();
        final int reqId;
        {
            final PKIMessage one = genCertReq(issuerDN, userDN, keys, cacert, nonce, transid, true, null, null, null, customCertSerno);
            final PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, 567);

            reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
            assertNotNull(req);
            final ByteArrayOutputStream bao = new ByteArrayOutputStream();
            final DEROutputStream out = new DEROutputStream(bao);
            out.writeObject(req);
            final byte[] ba = bao.toByteArray();
            // Send request and receive response
            final byte[] resp = sendCmpHttp(ba, 200);
            // do not check signing if we expect a failure (sFailMessage==null)
            checkCmpResponseGeneral(resp, issuerDN, userDN, cacert, nonce, transid, sFailMessage == null, null);
            if (sFailMessage == null) {
                X509Certificate cert = checkCmpCertRepMessage(userDN, cacert, resp, reqId);
                // verify if custom cert serial number was used
                if (customCertSerno != null) {
                  assertTrue(cert.getSerialNumber().toString(16)+" is not same as expected "+customCertSerno.toString(16), cert.getSerialNumber().equals(customCertSerno));
                }
            } else {
                checkCmpFailMessage(resp, sFailMessage, CmpPKIBodyConstants.ERRORMESSAGE, reqId, FailInfo.BAD_REQUEST.hashCode());
            }
        }
        {
            // Send a confirm message to the CA
            final String hash = "foo123";
            final PKIMessage con = genCertConfirm(userDN, cacert, nonce, transid, hash, reqId);
            assertNotNull(con);
            PKIMessage confirm = protectPKIMessage(con, false, PBEPASSWORD, 567);
            final ByteArrayOutputStream bao = new ByteArrayOutputStream();
            final DEROutputStream out = new DEROutputStream(bao);
            out.writeObject(confirm);
            final byte[] ba = bao.toByteArray();
            // Send request and receive response

              }
              break;
            case CertificateRequestRequest.REQUEST_TYPE_CRMF:
              // Extract request in a format that EJBCA can process
          CertReqMessages certReqMessages = CertReqMessages.getInstance(new ASN1InputStream(submessage.getRequestData()).readObject());
          PKIMessage msg = new PKIMessage(new PKIHeader(
              new DERInteger(2), new GeneralName(new X509Name("CN=unused")), new GeneralName(new X509Name("CN=unused"))),
              new PKIBody(certReqMessages, 2)); // [2] CertReqMessages --Certification Request
              CrmfRequestMessage crmfReq = new CrmfRequestMessage(msg, null, true, null);
              crmfReq.setUsername(submessage.getUsername());
              crmfReq.setPassword(submessage.getPassword());

    final int reqId;
    final String unid;
    {
      // In this test SUBJECT_DN contains special, escaped characters to verify
      // that that works with CMP RA as well
      final PKIMessage one = genCertReq(this.issuerDN, SUBJECT_DN, this.keys, this.cacert, nonce, transid, true, null, null, null, null);
      final PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, CPNAME, 567);
      assertNotNull(req);

      reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
      final ByteArrayOutputStream bao = new ByteArrayOutputStream();
      final DEROutputStream out = new DEROutputStream(bao);
      out.writeObject(req);
      final byte[] ba = bao.toByteArray();
      // Send request and receive response
      final byte[] resp = sendCmpHttp(ba, 200);
      checkCmpResponseGeneral(resp, this.issuerDN, SUBJECT_DN, this.cacert, nonce, transid, false, PBEPASSWORD);
      final X509Certificate cert = checkCmpCertRepMessage(SUBJECT_DN, this.cacert, resp, reqId);
      unid = (String)new X509Principal( cert.getSubjectX500Principal().getEncoded() ).getValues(X509Name.SN).get(0);
      log.debug("Unid: "+unid);
    }
    {
      final PreparedStatement ps = dbConn.prepareStatement("select fnr from UnidFnrMapping where unid=?");
      ps.setString(1, unid);
      final ResultSet result = ps.executeQuery();
      assertTrue("Unid '"+unid+"' not found in DB.", result.next());
      final String fnr = result.getString(1);
      log.debug("FNR read from DB: "+fnr);
      assertEquals("Right FNR not found in DB.", FNR, fnr);
    }
    {
      // Send a confirm message to the CA
      final String hash = "foo123";
      final PKIMessage confirm = genCertConfirm(SUBJECT_DN, this.cacert, nonce, transid, hash, reqId);
      assertNotNull(confirm);
      final PKIMessage req1 = protectPKIMessage(confirm, false, PBEPASSWORD, 567);
      final ByteArrayOutputStream bao = new ByteArrayOutputStream();
      final DEROutputStream out = new DEROutputStream(bao);
      out.writeObject(req1);
      final byte[] ba = bao.toByteArray();
      // Send request and receive response

    byte[] transid = CmpMessageHelper.createSenderNonce();
    Date notBefore = new Date();
    Date notAfter = new Date(new Date().getTime()+24*3600*1000);
    KeyPair keys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
    String subjectDN = "CN=cmpRAAuthenticationTestUser" + RND.nextLong();
        PKIMessage one = genCertReq(CertTools.getSubjectDN(caCertificate), subjectDN, keys, caCertificate, nonce, transid, true, null, notBefore, notAfter, null);
        PKIMessage req = protectPKIMessage(one, false, pbeSecret, keyId, 567);
    assertNotNull("Request was not created properly.", req);
        int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    new DEROutputStream(bao).writeObject(req);
    byte[] ba = bao.toByteArray();
    byte[] resp = sendCmpHttp(ba, 200);
    checkCmpResponseGeneral(resp, CertTools.getSubjectDN(caCertificate), subjectDN, caCertificate, nonce, transid, false, pbeSecret);
    X509Certificate cert = checkCmpCertRepMessage(subjectDN, caCertificate, resp, reqId);

    // Send a confirm message to the CA
    String hash = "foo123";
        PKIMessage confirm = genCertConfirm(subjectDN, caCertificate, nonce, transid, hash, reqId);
    assertNotNull("Could not create confirmation message.", confirm);
        PKIMessage req1 = protectPKIMessage(confirm, false, pbeSecret, keyId, 567);
    bao = new ByteArrayOutputStream();
    new DEROutputStream(bao).writeObject(req1);
    ba = bao.toByteArray();
    resp = sendCmpHttp(ba, 200);
    checkCmpResponseGeneral(resp, CertTools.getSubjectDN(caCertificate), subjectDN, caCertificate, nonce, transid, false, pbeSecret);
    checkCmpPKIConfirmMessage(subjectDN, caCertificate, resp);

    // Now revoke the bastard using the CMPv1 reason code!
    PKIMessage rev = genRevReq(CertTools.getSubjectDN(caCertificate), subjectDN, cert.getSerialNumber(), caCertificate, nonce, transid, false);
        PKIMessage revReq = protectPKIMessage(rev, false, pbeSecret, keyId, 567);
    assertNotNull("Could not create revocation message.", revReq);
    bao = new ByteArrayOutputStream();
    new DEROutputStream(bao).writeObject(revReq);
    ba = bao.toByteArray();
    resp = sendCmpHttp(ba, 200);

        // myPKIFreeText.addString(new DERUTF8String("free text string"));
        // myPKIHeader.setFreeText(myPKIFreeText);

        PKIBody myPKIBody = new PKIBody(myCertReqMessages, 0); // initialization
                                                               // request
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
        return myPKIMessage;
    }

        // TransactionId
        myPKIHeader.setTransactionID(new DEROctetString(transid));

        PKIBody myPKIBody = new PKIBody(myRevReqContent, 11); // revocation
                                                              // request
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
        return myPKIMessage;
    }

        // TransactionId
        myPKIHeader.setTransactionID(new DEROctetString(transid));

        CertConfirmContent cc = new CertConfirmContent(new DEROctetString(hash.getBytes()), new DERInteger(certReqId));
        PKIBody myPKIBody = new PKIBody(cc, 24); // Cert Confirm
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
        return myPKIMessage;
    }

      NoSuchAlgorithmException, NoSuchProviderException,
      SignRequestException, NotFoundException {
    X509Name sender = X509Name.getInstance(getSender().getName());
    X509Name recipient = X509Name.getInstance(getRecipient().getName());
    PKIHeader myPKIHeader = CmpMessageHelper.createPKIHeader(sender, recipient, getSenderNonce(), getRecipientNonce(), getTransactionId());
    PKIStatusInfo myPKIStatusInfo = new PKIStatusInfo(new DERInteger(2)); // 2 = rejection
    if (failInfo != null) {
      myPKIStatusInfo.setFailInfo(failInfo.getAsBitString());
    }
    if (failText != null) {
      myPKIStatusInfo.setStatusString(new PKIFreeText(new DERUTF8String(failText)));
    }
    PKIBody myPKIBody = null;
    log.debug("Create error message from requestType: "+requestType);
    if (requestType==0 || requestType==2) {
      myPKIBody = CmpMessageHelper.createCertRequestRejectBody(myPKIHeader, myPKIStatusInfo, requestId, requestType);

        assertNotNull(respObject);

        final PKIBody body = respObject.getBody();
        final int tag = body.getTagNo();
        assertEquals(exptag, tag);
        final PKIStatusInfo info;
        if (exptag == CmpPKIBodyConstants.ERRORMESSAGE) {
            ErrorMsgContent c = body.getError();
            assertNotNull(c);
            info = c.getPKIStatus();
            assertNotNull(info);
            assertEquals(ResponseStatus.FAILURE.getIntValue(), info.getStatus().getValue().intValue());
            int i = info.getFailInfo().intValue();
            assertEquals(i, 1 << err);
        } else if (exptag == CmpPKIBodyConstants.REVOCATIONRESPONSE) {
            RevRepContent rrc = body.getRp();
            assertNotNull(rrc);
            info = rrc.getPKIStatusInfo(0);
            assertNotNull(info);
            assertEquals(ResponseStatus.FAILURE.getIntValue(), info.getStatus().getValue().intValue());
            assertEquals(FailInfo.BAD_REQUEST.getAsBitString(), info.getFailInfo());
        } else {
            CertRepMessage c = null;
            if (exptag == CmpPKIBodyConstants.INITIALIZATIONRESPONSE) {
                c = body.getIp();
            } else if (exptag == CmpPKIBodyConstants.CERTIFICATIONRESPONSE) {
                c = body.getCp();
            }
            assertNotNull(c);
            CertResponse resp = c.getResponse(0);
            assertNotNull(resp);
            assertEquals(resp.getCertReqId().getValue().intValue(), requestId);
            info = resp.getStatus();
            assertNotNull(info);
            int error = info.getStatus().getValue().intValue();
            assertEquals(ResponseStatus.FAILURE.getIntValue(), error); // 2 is
                                                                       // rejection
            assertEquals(FailInfo.INCORRECT_DATA.getAsBitString(), info.getFailInfo());
        }
        log.debug("expected fail message: '" + failMsg + "'. received fail message: '" + info.getStatusString().getString(0).getString() + "'.");
        assertEquals(failMsg, info.getStatusString().getString(0).getString());
    }