Examples of PKIMessage


Examples of com.novosec.pkix.asn1.cmp.PKIMessage

        PKIHeader myPKIHeader = new PKIHeader(new DERInteger(2), new GeneralName(new X509Name("CN=bogusSubject")), new GeneralName(new X509Name("CN=bogusIssuer")));
        myPKIHeader.setMessageTime(new DERGeneralizedTime(new Date()));
        myPKIHeader.setSenderNonce(new DEROctetString(CmpMessageHelper.createSenderNonce()));
        myPKIHeader.setTransactionID(new DEROctetString(CmpMessageHelper.createSenderNonce()));
        PKIBody myPKIBody = new PKIBody(myCertReqMessages, 0);
        PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
      // Create a bogus CrmfRequestMessage
      CrmfRequestMessage crmf = new CrmfRequestMessage(myPKIMessage, "CN=SomeCA", true, null);
      crmf.setPbeParameters("keyId", "key", "digestAlg", "macAlg", 100);
      // Serialize it
      ByteArrayOutputStream baos = new ByteArrayOutputStream();

Examples of com.novosec.pkix.asn1.cmp.PKIMessage

    public void testNovosecRARequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, CertificateEncodingException, SignatureException, IllegalStateException {
      // Check that we can parse a request from  Novosec (patched by EJBCA).
      // Read an initialization request with RAVerifiedPOP and PBE protection to see that we can process it
      ASN1InputStream in = new ASN1InputStream(novosecrapopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be false if we do not allow RA verify POP here, since we don't have any normal POP
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertFalse(msg.verify());
      // Verify should be ok when we allow RA verified POP

Examples of com.novosec.pkix.asn1.cmp.PKIMessage

      // Check that we can parse a request from  Novosec (patched by EJBCA).
      // Read an initialization request with a signature POP and signature protection to see that we can process it
      {
        ASN1InputStream in = new ASN1InputStream(novosecsigpopir);
        DERObject derObject = in.readObject();
        PKIMessage req = PKIMessage.getInstance(derObject);
        //log.info(req.toString());
        // Verify should be ok if we do not allow RA verify POP here
        CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
        assertTrue(msg.verify());
        // Since we don't have RA POP we can't test for that...
        assertEquals("CN=AdminCA1,O=EJBCA Sample,C=SE", msg.getIssuerDN());
        assertEquals("CN=abc123rry2942812801980668853,O=PrimeKey Solutions AB,C=SE", msg.getRequestDN());
        assertEquals("abc123rry2942812801980668853", msg.getUsername());
        assertEquals("foo123", msg.getPassword());
        // Verify signature protection
        AlgorithmIdentifier algId = msg.getMessage().getProtectedPart().getHeader().getProtectionAlg();
        String oid = algId.getObjectId().getId();
        assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), oid);
        // Check that this is an old message, created before ECA-2104, using null instead of DERNull as algorithm parameters.
        DEREncodable pp = algId.getParameters();
        assertNull(pp);
        // Try to verify, it should work good even though the small bug in ECA-2104, since we don't use algorithm parameters for RSA-PKCS signatures
        PublicKey pubKey = msg.getRequestPublicKey();
        assertTrue(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), pubKey));
        // Verify that our verification routine does not give positive result for any other keys
        KeyPair keys = KeyTools.genKeys("512", "RSA");
        assertFalse(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), keys.getPublic()));
      }
      // Re-protect the message, now fixed by ECA-2104
      {
        ASN1InputStream in = new ASN1InputStream(novosecsigpopir);
        DERObject derObject = in.readObject();
        PKIMessage myPKIMessage = PKIMessage.getInstance(derObject);
        KeyPair keys = KeyTools.genKeys("512", "RSA");
        X509Certificate signCert = CertTools.genSelfCert("CN=CMP Sign Test", 3650, null, keys.getPrivate(), keys.getPublic(), "SHA1WithRSA", false);
        // Re-sign the message
        byte[] newmsg = CmpMessageHelper.signPKIMessage(myPKIMessage, signCert, keys.getPrivate(), CMSSignedGenerator.DIGEST_SHA1, "BC");
        in = new ASN1InputStream(newmsg);
        derObject = in.readObject();
        PKIMessage pkimsg = PKIMessage.getInstance(derObject);
        // We have to do this twice, because Novosec caches ProtectedBytes in the PKIMessage object, so we need to
        // encode it and re-decode it again to get the changes from ECA-2104 encoded correctly.
        // Not needed when simply signing a new message that you create, only when re-signing
        newmsg = CmpMessageHelper.signPKIMessage(pkimsg, signCert, keys.getPrivate(), CMSSignedGenerator.DIGEST_SHA1, "BC");
        in = new ASN1InputStream(newmsg);
        derObject = in.readObject();
        pkimsg = PKIMessage.getInstance(derObject);
        AlgorithmIdentifier algId = pkimsg.getProtectedPart().getHeader().getProtectionAlg();
        String oid = algId.getObjectId().getId();
        assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), oid);
        // Check that we have DERNull and not plain java null as algorithm parameters.
        DEREncodable pp = algId.getParameters();
        assertNotNull(pp);

Examples of com.novosec.pkix.asn1.cmp.PKIMessage

    public void testBc146RARequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Check that we can parse request from BouncyCastle version 1.46.
      // Read an initialization request with RAVerifiedPOP with PBE protection to see that we can process it
      ASN1InputStream in = new ASN1InputStream(bc146rapopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be false if we do not allow RA verify POP here, since we don't have any normal POP
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertFalse(msg.verify());
      // Verify should be ok when we allow RA verified POP

Examples of com.novosec.pkix.asn1.cmp.PKIMessage

    public void testBc146ClientRequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Check that we can parse request from BouncyCastle version 1.46.     
      // Read an initialization request with a signature POP, and signature protection, to see that we can process it
      ASN1InputStream in = new ASN1InputStream(bc146sigpopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be ok if we do not allow RA verify POP here
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      // BC messages in BC1.46 uses POPOSigningKeyInput for POPO, not the 3rd case in RFC4211 section 4.1, like everyone else...
      assertTrue(msg.verify());

Examples of com.novosec.pkix.asn1.cmp.PKIMessage

    public void testHuaweiEnodeBClientRequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Read an initialization request to see that we can process it
      ASN1InputStream in = new ASN1InputStream(huaweiir);
    DERObject derObject = in.readObject();
    PKIMessage req = PKIMessage.getInstance(derObject);
    //log.info(req.toString());
      CrmfRequestMessage msg = new CrmfRequestMessage(req, null, false, "CN");
      // This message does not have an issuerDN in the cert template
      assertNull(msg.getIssuerDN());
      // Use a default CA instead
      msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertTrue(msg.verify());
      assertEquals("CN=AdminCA1", msg.getIssuerDN());
      assertEquals("CN=21030533610000000012 eNodeB", msg.getRequestDN());
      assertEquals("21030533610000000012 eNodeB", msg.getUsername());
      // We would like a password here...
    assertNull(msg.getPassword());
    // Verify signature properties
    AlgorithmIdentifier algId = msg.getMessage().getProtectedPart().getHeader().getProtectionAlg();
    String oid = algId.getObjectId().getId();
    assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), oid);
    // Check that we have DERNull and not plain java null as algorithm parameters.
    DEREncodable pp = algId.getParameters();
    assertNotNull(pp);
    assertEquals(DERNull.class.getName(), pp.getClass().getName());
    // Try to verify message protection
    // Does not work for this Huawei message, is it signed by the same key as in the request at all?
    // We will wait for another huawei message to test
    //PublicKey pubKey = msg.getRequestPublicKey();
    //assertTrue(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), pubKey));

      // Read the CertConf (certificate confirmation) CMP message that the client sends to
    // the CA after receiving the certificate. RFC4210 section "5.3.18.  Certificate Confirmation Content".
      in = new ASN1InputStream(huaweicertconf);
    derObject = in.readObject();
    PKIMessage certconf = PKIMessage.getInstance(derObject);
    //log.info(certconf.toString());
    GeneralCmpMessage conf = new GeneralCmpMessage(certconf);
    // Verify signature properties
    algId = conf.getMessage().getProtectedPart().getHeader().getProtectionAlg();
    oid = algId.getObjectId().getId();

Examples of com.novosec.pkix.asn1.cmp.PKIMessage

            ret = false;
          }
        }
        if (ret) {
          // If authentication was correct, we will now try to find the certificate to revoke
          PKIMessage pkimsg = msg.getMessage();
          PKIBody body = pkimsg.getBody();
          RevReqContent rr = body.getRr();
          RevDetails rd = rr.getRevDetails(0);
          CertTemplate ct = rd.getCertDetails();
          DERInteger serno = ct.getSerialNumber();
          X509Name issuer = ct.getIssuer();

Examples of com.novosec.pkix.asn1.cmp.PKIMessage

      myPKIBody = CmpMessageHelper.createCertRequestRejectBody(myPKIHeader, myPKIStatusInfo, requestId, requestType);
    } else {
      ErrorMsgContent myErrorContent = new ErrorMsgContent(myPKIStatusInfo);
      myPKIBody = new PKIBody(myErrorContent, 23); // 23 = error           
    }
    PKIMessage myPKIMessage = new PKIMessage(myPKIHeader, myPKIBody);
    if ((getPbeDigestAlg() != null) && (getPbeMacAlg() != null) && (getPbeKeyId() != null) && (getPbeKey() != null) ) {
      responseMessage = CmpMessageHelper.protectPKIMessageWithPBE(myPKIMessage, getPbeKeyId(), getPbeKey(), getPbeDigestAlg(), getPbeMacAlg(), getPbeIterationCount());
    } else {
      responseMessage = CmpMessageHelper.pkiMessageToByteArray(myPKIMessage);     
    }

Examples of com.novosec.pkix.asn1.cmp.PKIMessage

   *
   * @param derObject DER-encoded CMP message
   * @return IResponseMessage containing the CMP response message, or null if there is no message to send back or an internal error has occurred
   */
  private IResponseMessage dispatch(Admin admin, DERObject derObject) {
    final PKIMessage req;
    try {
      req = PKIMessage.getInstance(derObject);
      if ( req==null ) {
        throw new Exception("No CMP message could be parsed from received Der object.");
      }
    } catch (Throwable t) {
      final String eMsg = intres.getLocalizedMessage("cmp.errornotcmpmessage");
      log.error(eMsg, t);
      // If we could not read the message, we should return an error BAD_REQUEST
      return CmpMessageHelper.createUnprotectedErrorMessage(null, ResponseStatus.FAILURE, FailInfo.BAD_REQUEST, eMsg);
    }
    try {
      PKIHeader header = req.getHeader();
      PKIBody body = req.getBody();
     
      int tagno = body.getTagNo();
      if (log.isDebugEnabled()) {
        log.debug("Received CMP message with pvno="+header.getPvno()+", sender="+header.getSender().toString()+", recipient="+header.getRecipient().toString());
        log.debug("Body is of type: "+tagno);

Examples of com.novosec.pkix.asn1.cmp.PKIMessage

    Date notBefore = new Date();
    Date notAfter = new Date(new Date().getTime()+24*3600*1000);
    KeyPair keys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA);
    String username = "cmpRaThrowAwayTestUser" + RND.nextLong()// This is what we expect from the CMP configuration
    String subjectDN = "CN=" + username;
        PKIMessage one = genCertReq(CertTools.getSubjectDN(caCertificate), subjectDN, keys, caCertificate, nonce, transid, true, null, notBefore, notAfter, null);
        PKIMessage req = protectPKIMessage(one, false, PBE_SECRET, "unusedKeyId", 567);
    assertNotNull("Request was not created properly.", req);
        int reqId = req.getBody().getIr().getCertReqMsg(0).getCertReq().getCertReqId().getValue().intValue();
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    new DEROutputStream(bao).writeObject(req);
    byte[] resp = sendCmpHttp(bao.toByteArray(), 200);
    checkCmpResponseGeneral(resp, CertTools.getSubjectDN(caCertificate), subjectDN, caCertificate, nonce, transid, false, PBE_SECRET);
    X509Certificate cert = checkCmpCertRepMessage(subjectDN, caCertificate, resp, reqId);
    assertEquals("Certificate history data was or wasn't stored: ", useCertReqHistory, InterfaceCache.getCertificateStoreSession().getCertReqHistory(ADMIN, CertTools.getSerialNumber(cert), CertTools.getIssuerDN(cert))!=null);
    assertEquals("User data was or wasn't stored: ", useUserStorage, InterfaceCache.getUserAdminSession().existsUser(ADMIN, username));
    assertEquals("Certificate data was or wasn't stored: ", useCertificateStorage, InterfaceCache.getCertificateStoreSession().findCertificateByFingerprint(ADMIN, CertTools.getFingerprintAsString(cert))!=null);

    // Send a confirm message to the CA
    String hash = "foo123";
        PKIMessage confirm = genCertConfirm(subjectDN, caCertificate, nonce, transid, hash, reqId);
    assertNotNull("Could not create confirmation message.", confirm);
        PKIMessage req1 = protectPKIMessage(confirm, false, PBE_SECRET, "unusedKeyId", 567);
    bao = new ByteArrayOutputStream();
    new DEROutputStream(bao).writeObject(req1);
    resp = sendCmpHttp(bao.toByteArray(), 200);
    checkCmpResponseGeneral(resp, CertTools.getSubjectDN(caCertificate), subjectDN, caCertificate, nonce, transid, false, PBE_SECRET);
    checkCmpPKIConfirmMessage(subjectDN, caCertificate, resp);

    // We only expect revocation to work if we store certificate data and user data
    // TODO: ECA-1916 should remove dependency on useUserStorage
    if (useCertificateStorage && useUserStorage) {
      // Now revoke the bastard using the CMPv1 reason code!
      PKIMessage rev = genRevReq(CertTools.getSubjectDN(caCertificate), subjectDN, cert.getSerialNumber(), caCertificate, nonce, transid, false);
          PKIMessage revReq = protectPKIMessage(rev, false, PBE_SECRET, "unusedKeyId", 567);
      assertNotNull("Could not create revocation message.", revReq);
      bao = new ByteArrayOutputStream();
      new DEROutputStream(bao).writeObject(revReq);
      resp = sendCmpHttp(bao.toByteArray(), 200);
      checkCmpResponseGeneral(resp, CertTools.getSubjectDN(caCertificate), subjectDN, caCertificate, nonce, transid, false, PBE_SECRET);