/**
 * Parses the body of a GetCACaps reply (one capability keyword per line, CR and/or LF
 * separated) into a {@code CaCaps}.
 *
 * <p>Keywords that {@code CaCapability.forValue} rejects are logged and skipped instead of
 * failing the parse, so a {@code null}, empty or entirely unrecognised message yields an empty
 * capability set. Lines are not trimmed, so a keyword with surrounding whitespace is treated as
 * unknown. Callers should remember that this text is whatever the peer sent: the list steers
 * later algorithm negotiation, and nothing in this method checks its integrity.
 *
 * @param scepMessage raw GetCACaps reply text; may be {@code null}
 * @return the parsed capabilities, never {@code null}
 */
public static CaCaps getInstance(String scepMessage) {
  CaCaps result = new CaCaps();
  if (scepMessage == null || scepMessage.isEmpty()) {
    return result;
  }

  StringTokenizer lines = new StringTokenizer(scepMessage, "\r\n");
  List<CaCapability> parsed = new ArrayList<>(lines.countTokens());
  while (lines.hasMoreTokens()) {
    String keyword = lines.nextToken();
    try {
      parsed.add(CaCapability.forValue(keyword));
    } catch (IllegalArgumentException ex) {
      // Unknown or malformed keyword: tolerate it, the remaining lines may still be valid.
      LOG.warn("ignore unknown CACap '{}'", keyword);
    }
  }

  if (!parsed.isEmpty()) {
    result.addCapabilities(parsed.toArray(new CaCapability[0]));
  }
  return result;
}
/**
 * Tells whether the CA advertised a capability introduced by the draft-gutmann-scep revisions
 * ({@code AES} or {@code Update}). Used by the enrolment dispatch to choose between the legacy
 * draft-nourse PKCSReq flow and the renewal/update flows.
 */
private boolean isGutmannScep() {
  if (caCaps.containsCapability(CaCapability.AES)) {
    return true;
  }
  return caCaps.containsCapability(CaCapability.Update);
}
/**
 * Creates a capability set holding a private copy of {@code capabilities}.
 *
 * <p>{@code null} and empty inputs both yield an empty set. The argument is copied so later
 * changes to the caller's set do not leak into this instance. {@code refresh()} is invoked at
 * the end, presumably to rebuild derived state such as the textual form; if {@code refresh()}
 * is overridable, note that it runs from within the constructor.
 *
 * @param capabilities initial capabilities; may be {@code null}
 */
public CaCaps(Set<CaCapability> capabilities) {
  HashSet<CaCapability> copy = new HashSet<CaCapability>();
  if (capabilities != null && !capabilities.isEmpty()) {
    copy.addAll(capabilities);
  }
  this.capabilities = copy;
  refresh();
}
/**
 * Builds a SCEP responder backed by emulators.
 *
 * <p>{@code caCaps} is stored by reference and then mutated: {@code GetNextCACert} is advertised
 * exactly when a {@code nextCaAndRa} is supplied. Because no defensive copy is made, the
 * caller's {@code CaCaps} instance reflects that change as well. {@code raEmulator} and
 * {@code nextCaAndRa} may be {@code null}; the other arguments must not be.
 *
 * @throws Exception propagated from the argument checks (ScepUtil.requireNonNull)
 */
public ScepResponder(CaCaps caCaps, CaEmulator caEmulator, RaEmulator raEmulator,
    NextCaAndRa nextCaAndRa, ScepControl control) throws Exception {
  this.caCaps = ScepUtil.requireNonNull("caCaps", caCaps);
  this.caEmulator = ScepUtil.requireNonNull("caEmulator", caEmulator);
  this.control = ScepUtil.requireNonNull("control", control);
  this.raEmulator = raEmulator;
  this.nextCaAndRa = nextCaAndRa;

  // Only advertise GetNextCACert when there is actually a next CA to hand out.
  if (nextCaAndRa != null) {
    this.caCaps.addCapabilities(CaCapability.GetNextCACert);
  } else {
    this.caCaps.removeCapabilities(CaCapability.GetNextCACert);
  }
}
/**
 * Wraps {@code request} as a SCEP PKI message: encrypted to the CA's encryption certificate and
 * signed with the client identity.
 *
 * <p>Algorithm selection is driven by the CA's advertised capabilities and gated only by
 * {@code useInsecureAlgorithms}:
 * <ul>
 *   <li>signature hash: whatever {@code caCaps.mostSecureHashAlgo()} returns; MD5 is refused
 *       unless insecure algorithms are allowed. SHA-1 is not gated here.</li>
 *   <li>content encryption: AES-128-CBC, else 3DES-CBC, else single DES only when insecure
 *       algorithms are allowed. 3DES is accepted without the insecure flag.</li>
 * </ul>
 * Since the CACaps list is received from the peer, a trimmed or downgraded list moves the client
 * towards the weaker choices; {@code useInsecureAlgorithms} is the only floor.
 *
 * @param request the PKI message to protect
 * @param identityKey the client's signing key
 * @param identityCert certificate matching {@code identityKey}; also sent as the signer chain
 * @return the signed-and-encrypted CMS content
 * @throws ScepClientException if no acceptable algorithm is available or encoding fails
 */
private ContentInfo encryptThenSign(PkiMessage request, PrivateKey identityKey,
    X509Certificate identityCert) throws ScepClientException {
  ScepHashAlgo hashAlgo = caCaps.mostSecureHashAlgo();
  // MD5 is the only hash refused outright.
  if (hashAlgo == ScepHashAlgo.MD5 && !useInsecureAlgorithms) {
    throw new ScepClientException("Scep server supports only MD5 but it not permitted in client");
  }
  String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(identityKey, hashAlgo);
  ASN1ObjectIdentifier encAlgId = chooseContentEncryptionAlgorithm();

  X509Certificate[] signerChain = new X509Certificate[] {identityCert};
  try {
    return request.encode(identityKey, signatureAlgorithm, identityCert, signerChain,
        authorityCertStore.getEncryptionCert(), encAlgId);
  } catch (MessageEncodingException ex) {
    throw new ScepClientException(ex);
  }
}

/**
 * Picks the CMS content-encryption algorithm from the CA's capabilities, strongest first
 * (AES-128-CBC, 3DES-CBC, then DES-CBC only if insecure algorithms are permitted).
 *
 * @throws ScepClientException if only DES would be left and it is not permitted
 */
private ASN1ObjectIdentifier chooseContentEncryptionAlgorithm() throws ScepClientException {
  if (caCaps.containsCapability(CaCapability.AES)) {
    return CMSAlgorithm.AES128_CBC;
  }
  if (caCaps.containsCapability(CaCapability.DES3)) {
    // NOTE(review): 3DES is chosen without consulting useInsecureAlgorithms.
    return CMSAlgorithm.DES_EDE3_CBC;
  }
  if (useInsecureAlgorithms) {
    return CMSAlgorithm.DES_CBC;
  }
  // no support of DES
  throw new ScepClientException("DES will not be supported by this client");
}
if (post && !caCaps.containsCapability(CaCapability.POSTPKIOperation)) { auditMessage = "HTTP POST is not supported"; auditLevel = AuditLevel.ERROR; } else if (Operation.GetCACaps.getCode().equalsIgnoreCase(operation)) { byte[] caCapsBytes = responder.getCaCaps().getBytes(); sendToResponse(resp, ScepConstants.CT_TEXT_PLAIN, caCapsBytes); } else if (Operation.GetCACert.getCode().equalsIgnoreCase(operation)) {
/** The SCEP wire form of the capability set, identical to {@link #toScepMessage()}. */
@Override
public String toString() {
  String message = toScepMessage();
  return message;
}
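/**
 * (Re)loads the CA's capabilities and certificates via GetCACaps and GetCACert, and primes the
 * set of certificates accepted as signers of later responses.
 *
 * <p>Security note: the GetCACaps reply is plain text that is parsed here without any signature
 * or integrity check of its own, so unless the transport is authenticated a man-in-the-middle
 * can trim the list to steer later algorithm negotiation. The GetCACert reply is handed to
 * {@code retrieveCaCertStore} together with {@code caCertValidator} (presumably to validate it).
 * Only the CA signature certificate obtained here is installed as an accepted response signer.
 *
 * @throws ScepClientException on transport failure, validation failure, or if the signature
 *     certificate cannot be re-encoded
 */
public void refresh() throws ScepClientException {
  // getCACaps
  ScepHttpResponse capsResponse = httpSend(Operation.GetCACaps);
  // Capability keywords are ASCII; decode with a fixed charset instead of the platform default
  // so parsing does not depend on the JVM's file.encoding.
  String capsText = new String(capsResponse.getContentBytes(),
      java.nio.charset.StandardCharsets.UTF_8);
  this.caCaps = CaCaps.getInstance(capsText);

  // getCACert
  ScepHttpResponse caCertResponse = httpSend(Operation.GetCACert);
  this.authorityCertStore = retrieveCaCertStore(caCertResponse, caCertValidator);

  X509CertificateHolder signerHolder;
  try {
    signerHolder = new X509CertificateHolder(
        this.authorityCertStore.getSignatureCert().getEncoded());
  } catch (CertificateEncodingException | IOException ex) {
    throw new ScepClientException(ex);
  }
  this.responseSignerCerts = new CollectionStore<X509CertificateHolder>(
      Arrays.asList(signerHolder));
}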
/**
 * Hash of the SCEP wire form. NOTE(review): {@code equals()} is not visible here; it must compare
 * on the same text for the equals/hashCode contract to hold.
 */
@Override
public int hashCode() {
  String message = toScepMessage();
  return message.hashCode();
}
/**
 * Sends an {@code UpdateReq} (draft-gutmann-scep), i.e. enrolment authenticated by an existing
 * identity certificate; the enrolment dispatch uses it when that certificate was not issued by
 * the CA being contacted.
 *
 * <p>Refused unless the CA advertised the {@code Update} capability. A self-signed identity
 * certificate is rejected, as it belongs to the plain PKCSReq flow.
 *
 * @throws OperationNotSupportedException if the CA did not advertise Update
 * @throws IllegalArgumentException if {@code identityCert} is self-signed
 * @throws ScepClientException on transport or protocol failure
 */
public EnrolmentResponse scepUpdateReq(CertificationRequest csr, PrivateKey identityKey,
    X509Certificate identityCert) throws ScepClientException {
  initIfNotInited();
  boolean updateSupported = caCaps.containsCapability(CaCapability.Update);
  if (!updateSupported) {
    throw new OperationNotSupportedException(
        "unsupported messageType '" + MessageType.UpdateReq + "'");
  }
  if (ScepUtil.isSelfSigned(identityCert)) {
    throw new IllegalArgumentException("identityCert must not be self-signed");
  }
  return enroll(MessageType.UpdateReq, csr, identityKey, identityCert);
}
/**
 * Creates the CA-side SCEP responder for {@code caEntry}, resolving its configured signer.
 *
 * <p>The advertised capability set is fixed here: AES, DES3, POSTPKIOperation, Renewal and the
 * hashes SHA1, SHA256 and SHA512. NOTE(review): SHA-1 and 3DES are advertised unconditionally,
 * so peers are free to pick them; trimming this list is a deployment policy decision.
 * {@code setResponder} is invoked from the constructor; if it is overridable, subclasses see a
 * partially initialised instance.
 *
 * @throws CaMgmtException if the responder named by the CA entry is not registered
 */
public ScepResponder(CaManagerImpl caManager, MgmtEntry.Ca caEntry) throws CaMgmtException {
  this.caManager = Args.notNull(caManager, "caManager");
  this.caIdent = Args.notNull(caEntry, "caEntry").getIdent();
  this.control = caEntry.getScepControl();

  String responderName = caEntry.getScepResponderName();
  SignerEntryWrapper responder = caManager.getSignerWrapper(responderName);
  if (responder == null) {
    throw new CaMgmtException("Unknown responder " + responderName);
  }

  // CACaps
  CaCapability[] advertised = {
      CaCapability.AES, CaCapability.DES3, CaCapability.POSTPKIOperation,
      CaCapability.Renewal, CaCapability.SHA1, CaCapability.SHA256, CaCapability.SHA512};
  CaCaps caps = new CaCaps();
  caps.addCapabilities(advertised);
  this.caCaps = caps;

  setResponder(responder);
}
/**
 * Adds the given capabilities (the backing collection is a set, so duplicates are harmless) and
 * then calls {@code refresh()} so derived state is rebuilt.
 *
 * @param caps capabilities to add; the array itself must not be {@code null}
 */
public void addCapabilities(CaCapability... caps) {
  ScepUtil.requireNonNull("caps", caps);
  for (int i = 0; i < caps.length; i++) {
    capabilities.add(caps[i]);
  }
  refresh();
}
/**
 * Sends a {@code RenewalReq} (draft-gutmann-scep), i.e. enrolment authenticated by an existing
 * identity certificate; the enrolment dispatch uses it when that certificate was issued by the
 * CA being contacted.
 *
 * <p>Refused unless the CA advertised the {@code Renewal} capability. A self-signed identity
 * certificate is rejected, as it belongs to the plain PKCSReq flow.
 *
 * @throws OperationNotSupportedException if the CA did not advertise Renewal
 * @throws IllegalArgumentException if {@code identityCert} is self-signed
 * @throws ScepClientException on transport or protocol failure
 */
public EnrolmentResponse scepRenewalReq(CertificationRequest csr, PrivateKey identityKey,
    X509Certificate identityCert) throws ScepClientException {
  initIfNotInited();
  boolean renewalSupported = caCaps.containsCapability(CaCapability.Renewal);
  if (!renewalSupported) {
    throw new OperationNotSupportedException(
        "unsupported messageType '" + MessageType.RenewalReq + "'");
  }
  if (ScepUtil.isSelfSigned(identityCert)) {
    throw new IllegalArgumentException("identityCert must not be self-signed");
  }
  return enroll(MessageType.RenewalReq, csr, identityKey, identityCert);
}
/**
 * Restricts this set to the capabilities also present in {@code caCaps} (set intersection) and
 * then calls {@code refresh()}.
 *
 * <p>NOTE(review): despite the name, this does not remove the capabilities listed in
 * {@code caCaps} the way the varargs overload does; it keeps exactly those and drops everything
 * else. Confirm that callers expect intersection semantics.
 *
 * @param caCaps the set of capabilities to keep; must not be {@code null}
 */
public void removeCapabilities(CaCaps caCaps) {
  ScepUtil.requireNonNull("caCaps", caCaps);
  Set<CaCapability> allowed = caCaps.capabilities;
  this.capabilities.retainAll(allowed);
  refresh();
}
/**
 * Fetches the CA's announced successor certificates via GetNextCACert.
 *
 * <p>Refused unless the CA advertised {@code GetNextCACert}. The reply is turned into an
 * {@code AuthorityCertStore} by {@code retrieveNextCaAuthorityCertStore}; whatever signature
 * checking applies to the next-CA message happens there, not here.
 *
 * @throws OperationNotSupportedException if the CA did not advertise GetNextCACert
 * @throws ScepClientException on transport or protocol failure
 */
public AuthorityCertStore scepNextCaCert() throws ScepClientException {
  initIfNotInited();
  boolean supported = this.caCaps.containsCapability(CaCapability.GetNextCACert);
  if (!supported) {
    throw new OperationNotSupportedException(
        "unsupported operation '" + Operation.GetNextCACert.getCode() + "'");
  }
  ScepHttpResponse response = httpSend(Operation.GetNextCACert);
  return retrieveNextCaAuthorityCertStore(response);
}
/**
 * Removes each of the given capabilities (absent ones are ignored) and then calls
 * {@code refresh()} so derived state is rebuilt.
 *
 * @param caps capabilities to remove; the array itself must not be {@code null}
 */
public void removeCapabilities(CaCapability... caps) {
  ScepUtil.requireNonNull("caps", caps);
  for (int i = 0; i < caps.length; i++) {
    capabilities.remove(caps[i]);
  }
  refresh();
}
/**
 * Enrols {@code csr}, choosing the SCEP message type from the CA's capabilities and the identity
 * certificate:
 * <ul>
 *   <li>legacy CA (neither AES nor Update advertised) or self-signed identity: PKCSReq;</li>
 *   <li>identity issued by this CA (issuer DN equals the CA certificate's subject DN) and
 *       Renewal advertised: RenewalReq;</li>
 *   <li>identity from another issuer and Update advertised: UpdateReq;</li>
 *   <li>otherwise: PKCSReq.</li>
 * </ul>
 * NOTE(review): "issued by this CA" is decided by an X.500 name comparison only, not by chain
 * validation; the CA must still authenticate the signature on the request itself.
 *
 * @param csr the certification request to submit
 * @param identityKey private key used to sign the SCEP message
 * @param identityCert certificate matching {@code identityKey}
 * @return the enrolment response
 * @throws ScepClientException on transport or protocol failure
 */
public EnrolmentResponse scepEnrol(CertificationRequest csr, PrivateKey identityKey,
    X509Certificate identityCert) throws ScepClientException {
  ScepUtil.requireNonNull("csr", csr);
  ScepUtil.requireNonNull("identityKey", identityKey);
  ScepUtil.requireNonNull("identityCert", identityCert);
  initIfNotInited();

  // draft-nourse-scep, or a self-signed identity: only PKCSReq applies.
  if (!isGutmannScep() || ScepUtil.isSelfSigned(identityCert)) {
    return scepPkcsReq(csr, identityKey, identityCert);
  }

  // draft-gutmann-scep
  X509Certificate caCert = authorityCertStore.getCaCert();
  boolean issuedByThisCa =
      identityCert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal());
  if (issuedByThisCa && caCaps.containsCapability(CaCapability.Renewal)) {
    return scepRenewalReq(csr, identityKey, identityCert);
  }
  if (!issuedByThisCa && caCaps.containsCapability(CaCapability.Update)) {
    return scepUpdateReq(csr, identityKey, identityCert);
  }
  return scepPkcsReq(csr, identityKey, identityCert);
}
/**
 * Sends one SCEP operation to the CA and returns the raw HTTP response.
 *
 * <p>GetCACaps, GetCACert and GetNextCACert are always plain GETs carrying the profile. Any
 * other operation uses POST when the CA advertised {@code POSTPKIOperation} and the client is
 * not forced to GET-only; otherwise the DER-encoded message is base64-encoded and passed to
 * {@code caId.buildGetUrl} as the message parameter. URL-escaping of that base64 text is assumed
 * to happen in {@code buildGetUrl} (not verified here), and the {@code new String(byte[])}
 * decode uses the platform charset, which is harmless for pure-ASCII base64 output.
 *
 * @param operation the SCEP operation to perform
 * @param pkiMessage the PKI message to send, or {@code null} for the certificate/capability
 *     queries
 * @return the response as received
 * @throws ScepClientException if the message cannot be DER-encoded or the HTTP exchange fails
 */
private ScepHttpResponse httpSend(Operation operation, ContentInfo pkiMessage)
    throws ScepClientException {
  byte[] encoded = null;
  if (pkiMessage != null) {
    try {
      encoded = pkiMessage.getEncoded();
    } catch (IOException ex) {
      throw new ScepClientException(ex);
    }
  }

  boolean certOrCapsQuery = Operation.GetCACaps == operation
      || Operation.GetCACert == operation
      || Operation.GetNextCACert == operation;
  if (certOrCapsQuery) {
    return httpGet(caId.buildGetUrl(operation, caId.getProfile()));
  }

  if (!httpGetOnly && caCaps.containsCapability(CaCapability.POSTPKIOperation)) {
    return httpPost(caId.buildPostUrl(operation), REQ_CONTENT_TYPE, encoded);
  }

  String message = (encoded == null) ? null : new String(Base64.encode(encoded));
  return httpGet(caId.buildGetUrl(operation, message));
}
if (caCaps.containsCapability(CaCapability.SHA1)) { supported = true; if (caCaps.containsCapability(CaCapability.SHA256)) { supported = true; if (caCaps.containsCapability(CaCapability.SHA512)) { supported = true; if (!caCaps.containsCapability(CaCapability.DES3)) { LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", tid, encOid); return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg); if (!caCaps.containsCapability(CaCapability.AES)) { LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid); return buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badAlg); if (!caCaps.containsCapability(CaCapability.Renewal)) { buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest); } else { if (!caCaps.containsCapability(CaCapability.Update)) { buildPkiMessage(rep, PkiStatus.FAILURE, FailInfo.badRequest); } else {
if (caCaps.containsCapability(CaCapability.SHA1)) { supported = true; if (caCaps.containsCapability(CaCapability.SHA256)) { supported = true; if (caCaps.containsCapability(CaCapability.SHA512)) { supported = true; if (!caCaps.containsCapability(CaCapability.DES3)) { LOG.warn("tid={}: encryption with DES3 algorithm is not permitted", tid, encOid); rep.setPkiStatus(PkiStatus.FAILURE); if (!caCaps.containsCapability(CaCapability.AES)) { LOG.warn("tid={}: encryption with AES algorithm {} is not permitted", tid, encOid); rep.setPkiStatus(PkiStatus.FAILURE);