diff options
author | Christina Fu <cfu@redhat.com> | 2013-01-15 23:59:24 -0800 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2013-01-15 23:58:46 -0500 |
commit | 7a0252247e860806d6456e997149602c9750206a (patch) | |
tree | cb72b43ee39d7bf777dcf09702dbc7bc7bd4e51c /base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | |
parent | 3dc5d33f394c30071b3c8794c8adb2e7dcd54e5c (diff) | |
download | pki-7a0252247e860806d6456e997149602c9750206a.tar.gz pki-7a0252247e860806d6456e997149602c9750206a.tar.xz pki-7a0252247e860806d6456e997149602c9750206a.zip |
https://fedorahosted.org/pki/ticket/362 RFE: CMC ECC
Diffstat (limited to 'base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java')
-rw-r--r-- | base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 558 |
1 files changed, 324 insertions, 234 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java index 5c4110b1d..204d234c0 100644 --- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java @@ -20,15 +20,18 @@ package com.netscape.cmstools; import java.io.BufferedReader; import java.io.ByteArrayOutputStream; import java.io.FileReader; +import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; +import java.io.PrintStream; import java.net.URL; import java.net.URLConnection; import java.net.URLEncoder; import java.security.KeyPair; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import java.util.Date; import netscape.security.x509.X500Name; @@ -40,12 +43,14 @@ import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; import org.mozilla.jss.asn1.OCTET_STRING; import org.mozilla.jss.asn1.PrintableString; import org.mozilla.jss.asn1.SEQUENCE; +import org.mozilla.jss.crypto.AlreadyInitializedException; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.KeyPairAlgorithm; import org.mozilla.jss.crypto.KeyPairGenerator; +import org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.*; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.Signature; @@ -68,52 +73,13 @@ import org.mozilla.jss.util.Password; import com.netscape.cmsutil.util.HMACDigest; import com.netscape.cmsutil.util.Utils; +import com.netscape.cmsutil.crypto.CryptoUtil; +import com.netscape.certsrv.apps.CMS; /** * A command-line utility used to generate a Certificate Request Message * Format (CRMF) request with proof of possesion (POP). * - * Usage: - * - * <pre> - * CRMFPopClient TOKEN_PWD - * PROFILE_NAME HOST PORT USER_NAME REQUESTOR_NAME - * POP_OPTION - * SUBJECT_DN [OUTPUT_CERT_REQ] - * - * --- or --- - * - * CRMFPopClient TOKEN_PWD - * POP_OPTION - * OUTPUT_CERT_REQ SUBJECT_DN - * - * - * where POP_OPTION can be [POP_SUCCESS or POP_FAIL or POP_NONE] - * </pre> - * <p> - * Examples: - * - * <pre> - * CRMFPopClient password123 - * caEncUserCert host.example.com 1026 MyUid MyUid - * [POP_SUCCESS or POP_FAIL or POP_NONE] - * CN=MyTest,C=US,UID=MyUid - * - * --- or --- - * - * CRMFPopClient password123 - * caEncUserCert host.example.com 1026 joe joe - * [POP_SUCCESS or POP_FAIL or POP_NONE] - * CN=MyTest,C=US,UID=MyUid OUTPUT_CERT_REQ - * - * --- or --- - * - * CRMFPopClient password123 - * [POP_SUCCESS or POP_FAIL or POP_NONE] - * OUTPUT_CERT_REQ CN=MyTest,C=US,UID=MyUid - * </pre> - * <p> - * * <pre> * IMPORTANT: The file "transport.txt" needs to be created to contain the * transport certificate in its base64 encoded format. This @@ -127,36 +93,17 @@ import com.netscape.cmsutil.util.Utils; public class CRMFPopClient { private static void usage() { - System.out.println(""); - System.out.println("Description: A command-line utility used to generate a"); - System.out.println(" Certificate Request Message Format (CRMF)"); - System.out.println(" request with proof of possesion (POP).\n\n"); - System.out.println("Usage:"); - System.out.println(""); - System.out.println(" CRMFPopClient TOKEN_PWD"); - System.out.println(" PROFILE_NAME HOST PORT USER_NAME REQUESTOR_NAME"); - System.out.println(" POP_OPTION"); - System.out.println(" SUBJECT_DN [OUTPUT_CERT_REQ] \n"); - System.out.println(" --- or ---\n"); - System.out.println(" CRMFPopClient TOKEN_PWD"); - System.out.println(" POP_OPTION"); - System.out.println(" OUTPUT_CERT_REQ SUBJECT_DN\n\n"); - System.out.println(" where POP_OPTION can be [POP_SUCCESS or POP_FAIL or POP_NONE]\n\n"); - System.out.println("Examples:"); - System.out.println(""); - System.out.println(" CRMFPopClient password123"); - System.out.println(" caEncUserCert host.example.com 1026 MyUid MyUid"); - System.out.println(" [POP_SUCCESS or POP_FAIL or POP_NONE]"); - System.out.println(" CN=MyTest,C=US,UID=MyUid\n"); - System.out.println(" --- or ---\n"); - System.out.println(" CRMFPopClient password123"); - System.out.println(" caEncUserCert host.example.com 1026 MyUid myUid"); - System.out.println(" [POP_SUCCESS or POP_FAIL or POP_NONE]"); - System.out.println(" CN=MyTest,C=US,UID=MyUid OUTPUT_CERT_REQ\n"); - System.out.println(" --- or ---\n"); - System.out.println(" CRMFPopClient password123"); - System.out.println(" [POP_SUCCESS or POP_FAIL or POP_NONE]"); - System.out.println(" OUTPUT_CERT_REQ CN=MyTest,C=US,UID=MyUid"); + + System.out.println("Usage: CRMFPopClient -d <location of certdb> -p <token password> -h <tokenname> -o <output file which saves the base64 CRMF request> -n <subjectDN> -a <algorithm: 'rsa' or 'ec'> -l <rsa key length> -c <ec curve name> -m <hostname:port> -f <profile name; rsa default caEncUserCert; ec default caEncECUserCert> -u <user name> -r <requestor name> -q <POP_NONE, POP_SUCCESS, or POP_FAIL; default POP_SUCCESS> \n"); + System.out.println(" Optionally, for ECC key generation per definition in JSS pkcs11.PK11KeyPairGenerator:\n"); + System.out.println(" -t <true for temporary(session); false for permanent(token); default is true>\n"); + System.out.println(" -s <1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode dependent; default is -1>\n"); + System.out.println(" -e <1 for extractable; 0 for non-extractable; -1 token dependent; default is -1>\n"); + System.out.println(" Also optional for ECC key generation:\n"); + System.out.println(" -x <true for SSL cert that does ECDH ECDSA; false otherwise; default false>\n"); + System.out.println(" note: '-x true' can only be used with POP_NONE"); + System.out.println(" available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2\n"); + System.out.println("\n"); System.out.println("IMPORTANT: The file \"transport.txt\" needs to be created to contain the"); System.out.println(" transport certificate in its base64 encoded format. This"); @@ -193,73 +140,138 @@ public class CRMFPopClient { public static void main(String args[]) { - int argsLen = getRealArgsLength(args); - - // System.out.println("args length " + argsLen); +// int argsLen = getRealArgsLength(args); - System.out.println("\n\nProof Of Possession Utility...."); + System.out.println("\n\nCRMF Proof Of Possession Utility...."); System.out.println(""); - if (argsLen == 0 || (argsLen != 8 && argsLen != 9 && argsLen != 10 && argsLen != 4)) { - usage(); - return; + if (args.length < 4) + { + usage(); + System.exit(1); } String DB_DIR = "./"; - String TOKEN_PWD = args[0]; - int KEY_LEN = 1024; + String TOKEN_PWD = null; + String TOKEN_NAME = null; + + // "rsa" or "ec" + String alg = "rsa"; + + /* default RSA key size */ + int RSA_keylen = 2048; + /* default ECC key curve name */ + String ECC_curve = "nistp256"; + boolean ec_temporary = true; /* session if true; token if false */ + int ec_sensitive = -1; /* -1, 0, or 1 */ + int ec_extractable = -1; /* -1, 0, or 1 */ + boolean ec_ssl_ecdh = false; int PORT = 0; String USER_NAME = null; String REQUESTOR_NAME = null; String PROFILE_NAME = null; - - String HOST = null; + + // format: "host:port" + String HOST_PORT = null; String SUBJ_DN = null; + int doServerHit = 0; - if (argsLen >= 8) { - PROFILE_NAME = args[1]; - HOST = args[2]; - - PORT = Integer.parseInt(args[3]); - - USER_NAME = args[4]; - REQUESTOR_NAME = args[5]; - - SUBJ_DN = args[7]; - - } - - String POP_OPTION = null; - String OUTPUT_CERT_REQ = null; - - if (argsLen == 4) - POP_OPTION = args[1]; - else - POP_OPTION = args[6]; - - int doServerHit = 1; - - if (argsLen >= 9) { - OUTPUT_CERT_REQ = args[8]; - } - - if (argsLen == 4) { - doServerHit = 0; - OUTPUT_CERT_REQ = args[2]; - SUBJ_DN = args[3]; - } - + // POP_NONE, POP_SUCCESS, or POP_FAIL + String POP_OPTION = "POP_SUCCESS"; int dont_do_pop = 0; - if (POP_OPTION.equals("POP_NONE")) { - dont_do_pop = 1; - } + String REQ_OUT_FILE = null; + + for (int i=0; i<args.length; i+=2) { + String name = args[i]; + + if (name.equals("-p")) { + TOKEN_PWD = args[i+1]; + } else if (name.equals("-d")) { + DB_DIR = args[i+1]; + } else if (name.equals("-h")) { + TOKEN_NAME = args[i+1]; + } else if (name.equals("-a")) { + alg = args[i+1]; + if (!alg.equals("rsa") && !alg.equals("ec")) { + System.out.println("CRMFPopClient: ERROR: invalid algorithm: " + alg); + System.exit(1); + } + } else if (name.equals("-x")) { + String temp = args[i+1]; + if (temp.equals("true")) + ec_ssl_ecdh = true; + else + ec_ssl_ecdh = false; + } else if (name.equals("-t")) { + String temp = args[i+1]; + if (temp.equals("true")) + ec_temporary = true; + else + ec_temporary = false; + } else if (name.equals("-s")) { + String ec_sensitive_s = args[i+1]; + ec_sensitive = Integer.parseInt(ec_sensitive_s); + if ((ec_sensitive != 0) && + (ec_sensitive != 1) && + (ec_sensitive != -1)) { + System.out.println("PKCS10Client: Illegal input parameters for -s."); + usage(); + System.exit(1); + } + } else if (name.equals("-e")) { + String ec_extractable_s = args[i+1]; + ec_extractable = Integer.parseInt(ec_extractable_s); + if ((ec_extractable != 0) && + (ec_extractable != 1) && + (ec_extractable != -1)) { + System.out.println("PKCS10Client: Illegal input parameters for -e."); + usage(); + System.exit(1); + } + } else if (name.equals("-l")) { + RSA_keylen = Integer.parseInt(args[i+1]); + } else if (name.equals("-c")) { + ECC_curve = args[i+1]; + } else if (name.equals("-m")) { + HOST_PORT = args[i+1]; + doServerHit = 1; + } else if (name.equals("-f")) { + PROFILE_NAME = args[i+1]; + } else if (name.equals("-u")) { + USER_NAME = args[i+1]; + } else if (name.equals("-r")) { + REQUESTOR_NAME = args[i+1]; + } else if (name.equals("-n")) { + SUBJ_DN = args[i+1]; + } else if (name.equals("-q")) { + POP_OPTION = args[i+1]; + if (!POP_OPTION.equals("POP_SUCCESS") && + !POP_OPTION.equals("POP_FAIL") && + !POP_OPTION.equals("POP_NONE")) { + System.out.println("CRMFPopClient: ERROR: invalid POP option: "+ POP_OPTION); + System.exit(1); + } + if (POP_OPTION.equals("POP_NONE")) + dont_do_pop = 1; + } else if (name.equals("-o")) { + REQ_OUT_FILE = args[i+1]; + } else { + System.out.println("Unrecognized argument(" + i + "): " + + name); + usage(); + System.exit(1); + } + } //for URL url = null; URLConnection conn = null; InputStream is = null; BufferedReader reader = null; + boolean success = false; + int num = 1; + long total_time = 0; KeyPair pair = null; boolean foundTransport = false; @@ -270,54 +282,101 @@ public class CRMFPopClient { transportCert = br.readLine(); foundTransport = true; } catch (Exception e) { - System.out.println("ERROR: cannot find ./transport.txt, so no key archival"); + System.out.println("CRMFPopClient: ERROR: cannot find ./transport.txt, so no key archival"); - return; + System.exit(1); } finally { - if (br != null) { - try { - br.close(); - } catch (IOException e) { - e.printStackTrace(); - } - } + if (br != null) { + try { + br.close(); + } catch (IOException e) { + e.printStackTrace(); + } + } } - try { - CryptoManager.initialize(DB_DIR); - } catch (Exception e) { - // it is ok if it is already initialized - System.out.println("INITIALIZATION ERROR: " + e.toString()); - // return; + try { + CryptoManager.initialize( DB_DIR ); + } catch (AlreadyInitializedException ae) { + // it is ok if it is already initialized + System.out.println("CRMFPopClient: already initialized, continue"); + } catch (Exception e) { + System.out.println("CRMFPopClient: INITIALIZATION ERROR: " + e.toString()); + System.exit(1); } try { - CryptoManager manager = CryptoManager.getInstance(); + CryptoManager manager = CryptoManager.getInstance(); String token_pwd = TOKEN_PWD; - CryptoToken token = manager.getInternalKeyStorageToken(); - Password password = new Password(token_pwd.toCharArray()); + if (token_pwd == null) { + System.out.println("missing password"); + usage(); + System.exit(1); + } + CryptoToken token = null; + if (TOKEN_NAME == null) { + token = manager.getInternalKeyStorageToken(); + TOKEN_NAME = "NSS Certificate DB"; + } else { + token = manager.getTokenByName(TOKEN_NAME); + } + System.out.println("CRMFPopClient: getting token: "+TOKEN_NAME); + manager.setThreadToken(token); + Password password = new Password(token_pwd.toCharArray()); try { - token.login(password); + token.login(password); } catch (Exception e) { - //System.out.println("login Exception: " + e.toString()); - if (!token.isLoggedIn()) { - token.initPassword(password, password); - } + System.out.println("CRMFPopClient: login Exception: " + e.toString()); + System.exit(1); } System.out.println("."); //"done with cryptomanager"); - KeyPairGenerator kg = token.getKeyPairGenerator( - KeyPairAlgorithm.RSA); - kg.initialize(KEY_LEN); - String profileName = PROFILE_NAME; - pair = kg.genKeyPair(); + if (profileName == null) { + if (alg.equals("rsa")) + profileName = "caEncUserCert"; + else if (alg.equals("ec")) + profileName = "caEncECUserCert"; + else { + System.out.println("CRMFPopClient: unsupported algorithm: " + alg); + usage(); + System.exit(1); + } + } - System.out.println("."); //key pair generated"); + if (alg.equals("rsa")) { + KeyPairGenerator kg = token.getKeyPairGenerator( + KeyPairAlgorithm.RSA); + kg.initialize(RSA_keylen); + + pair = kg.genKeyPair(); + } else if (alg.equals("ec")) { + /* + * used with SSL server cert that does ECDH ECDSA + * ** can only be used with POP_NONE ** + */ + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = { + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN, + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER + }; + + /* used for other certs including SSL server cert that does ECDHE ECDSA */ + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask[] = { + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE + }; + + pair = CryptoUtil.generateECCKeyPair(TOKEN_NAME, ECC_curve, + null, + (ec_ssl_ecdh==true) ? usages_mask_ECDH: usages_mask, + ec_temporary /*temporary*/, + ec_sensitive /*sensitive*/, ec_extractable /*extractable*/); + } + + System.out.println("CRMFPopClient: key pair generated."); //key pair generated"); // wrap private key - byte transport[] = Utils.base64decode(transportCert); + byte transport[] = CMS.AtoB(transportCert); X509Certificate tcert = manager.importCACertPackage(transport); @@ -326,34 +385,36 @@ public class CRMFPopClient { KeyGenerator kg1 = token.getKeyGenerator(KeyGenAlgorithm.DES3); SymmetricKey sk = kg1.generate(); - System.out.println("."); //before KeyWrapper"); + System.out.println(".before KeyWrapper"); // wrap private key using session - KeyWrapper wrapper1 = - token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); + KeyWrapper wrapper1 = + token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - System.out.println("."); //key wrapper created"); + System.out.println(".key wrapper created"); wrapper1.initWrap(sk, new IVParameterSpec(iv)); - System.out.println("."); //key wrapper inited"); + System.out.println(".key wrapper inited"); byte key_data[] = wrapper1.wrap((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()); - System.out.println("."); //key wrapper wrapped"); + System.out.println(".key wrapper wrapped"); - // wrap session using transport + // wrap session key using DRM transport cert + // currently, a transport cert has to be an RSA cert, + // regardless of the key you are wrapping KeyWrapper rsaWrap = token.getKeyWrapper( - KeyWrapAlgorithm.RSA); + KeyWrapAlgorithm.RSA); - System.out.println("."); //got rsaWrapper"); + System.out.println(".got rsaWrapper"); - rsaWrap.initWrap(tcert.getPublicKey(), null); + rsaWrap.initWrap(tcert.getPublicKey(), null); - System.out.println("."); //rsaWrap inited"); + System.out.println(".rsaWrap inited"); byte session_data[] = rsaWrap.wrap(sk); - System.out.println("."); //rsaWrapped"); + System.out.println(".rsaWrapped"); try { // create CRMF @@ -362,11 +423,11 @@ public class CRMFPopClient { Name n1 = getJssName(SUBJ_DN); - Name n = new Name(); + Name n = new Name(); - n.addCommonName("Me"); - n.addCountryName("US"); - n.addElement(new AVA(new OBJECT_IDENTIFIER("0.9.2342.19200300.100.1.1"), new PrintableString("MyUid"))); + n.addCommonName("Me"); + n.addCountryName("US"); + n.addElement(new AVA(new OBJECT_IDENTIFIER("0.9.2342.19200300.100.1.1"), new PrintableString("MyUid"))); if (n1 != null) certTemplate.setSubject(n1); @@ -375,11 +436,14 @@ public class CRMFPopClient { certTemplate.setPublicKey(new SubjectPublicKeyInfo(pair.getPublic())); // set extension - AlgorithmIdentifier algS = - new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), new OCTET_STRING(iv)); - EncryptedValue encValue = - new EncryptedValue(null, algS, new BIT_STRING(session_data, 0), null, null, new BIT_STRING( - key_data, 0)); + AlgorithmIdentifier algS = null; + if (alg.equals("rsa")) { + algS = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), new OCTET_STRING(iv)); + } else { // ec + algS = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv)); + } + + EncryptedValue encValue = new EncryptedValue(null, algS, new BIT_STRING(session_data, 0),null, null,new BIT_STRING(key_data, 0)); EncryptedKey key = new EncryptedKey(encValue); PKIArchiveOptions opt = new PKIArchiveOptions(key); SEQUENCE seq = new SEQUENCE(); @@ -395,18 +459,19 @@ public class CRMFPopClient { MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); key1 = SHA1Digest.digest(secretValue.getBytes()); } catch (NoSuchAlgorithmException ex) { + System.exit(1); } /* Example of adding the POP link witness control to CRMF */ - byte[] b = + byte[] b = { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c, - 0x7a, 0x52, 0x54, 0x56, 0x71, 0x65, 0x66, 0x4c, - 0x51, 0x34, 0x35, 0x23, 0x3c, 0x42, 0x43, 0x45, - 0x61, 0x4f, 0x6e, 0x43, 0x1e, 0x2a, 0x2b, 0x31, - 0x32, 0x34, 0x35, 0x36, 0x55, 0x51, 0x48, 0x14, - 0x16, 0x29, 0x41, 0x42, 0x43, 0x7b, 0x63, 0x44, - 0x6a, 0x12, 0x6b, 0x3c, 0x4c, 0x3f, 0x00, 0x14, - 0x51, 0x61, 0x15, 0x22, 0x23, 0x5f, 0x5e, 0x69 }; + 0x7a, 0x52, 0x54, 0x56, 0x71, 0x65, 0x66, 0x4c, + 0x51, 0x34, 0x35, 0x23, 0x3c, 0x42, 0x43, 0x45, + 0x61, 0x4f, 0x6e, 0x43, 0x1e, 0x2a, 0x2b, 0x31, + 0x32, 0x34, 0x35, 0x36, 0x55, 0x51, 0x48, 0x14, + 0x16, 0x29, 0x41, 0x42, 0x43, 0x7b, 0x63, 0x44, + 0x6a, 0x12, 0x6b, 0x3c, 0x4c, 0x3f, 0x00, 0x14, + 0x51, 0x61, 0x15, 0x22, 0x23, 0x5f, 0x5e, 0x69 }; try { MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); @@ -414,122 +479,147 @@ public class CRMFPopClient { hmacDigest.update(b); finalDigest = hmacDigest.digest(); } catch (NoSuchAlgorithmException ex) { + System.exit(1); } OCTET_STRING ostr = new OCTET_STRING(finalDigest); seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr)); CertRequest certReq = new CertRequest(new INTEGER(1), certTemplate, seq); - System.out.println("."); //CertRequest created"); + System.out.println(".CertRequest created"); ByteArrayOutputStream bo = new ByteArrayOutputStream(); certReq.encode(bo); byte[] toBeVerified = bo.toByteArray(); - + + byte popdata[] = ASN1Util.encode(certReq); byte signature[]; - System.out.println("."); //CertRequest encoded"); + System.out.println(".CertRequest encoded"); - Signature signer = token.getSignatureContext( + Signature signer = null; + if (alg.equals("rsa")) { + signer = token.getSignatureContext( SignatureAlgorithm.RSASignatureWithMD5Digest); + } else { //ec + signer = token.getSignatureContext( + SignatureAlgorithm.ECSignatureWithSHA1Digest); + } - System.out.println("."); //signer created"); + System.out.println(". signer created"); signer.initSign((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()); - System.out.println("."); //signer inited"); + System.out.println(".signer inited"); System.out.println("."); //FAIL_OR_SUCC " + FAIL_OR_SUCC); if (POP_OPTION.equals("POP_SUCCESS")) { - System.out.println("Generating Legal POP Data....."); + System.out.println("CRMFPopClient: Generating Legal POP Data....."); signer.update(toBeVerified); } else if (POP_OPTION.equals("POP_FAIL")) { - System.out.println("Generating Illegal POP Data....."); + System.out.println("CRMFPopClient: Generating Illegal POP Data....."); signer.update(iv); } else if (dont_do_pop == 1) { - System.out.println("Generating NO POP Data....."); + System.out.println("CRMFPopClient: Generating NO POP Data....."); } System.out.println("."); //signer updated"); CertReqMsg crmfMsg = null; - if (dont_do_pop == 0) { + if (dont_do_pop == 0) + { signature = signer.sign(); - System.out.println("Signature completed..."); + System.out.println("CRMFPopClient: Signature completed..."); System.out.println(""); - AlgorithmIdentifier algID = - new AlgorithmIdentifier(SignatureAlgorithm.RSASignatureWithMD5Digest.toOID(), null); - POPOSigningKey popoKey = new POPOSigningKey(null, algID, new BIT_STRING(signature, 0)); + AlgorithmIdentifier algID = null; + if (alg.equals("rsa")) { + algID = new AlgorithmIdentifier(SignatureAlgorithm.RSASignatureWithMD5Digest.toOID(), null ); + } else { // "ec" + algID = new AlgorithmIdentifier(SignatureAlgorithm.ECSignatureWithSHA1Digest.toOID(), null ); + } + POPOSigningKey popoKey = new POPOSigningKey(null,algID, new BIT_STRING(signature,0)); ProofOfPossession pop = ProofOfPossession.createSignature(popoKey); crmfMsg = new CertReqMsg(certReq, pop, null); - } else { crmfMsg = new CertReqMsg(certReq, null, null); - } //crmfMsg.verify(); SEQUENCE s1 = new SEQUENCE(); s1.addElement(crmfMsg); - byte encoded[] = ASN1Util.encode(s1); + byte encoded[] = ASN1Util.encode(s1); - String Req1 = Utils.base64encode(encoded); + String Req1 = CMS.BtoA(encoded); - if (OUTPUT_CERT_REQ != null) { - System.out.println("Generated Cert Request: ...... "); + if (REQ_OUT_FILE != null) + { + System.out.println("CRMFPopClient: Generated Cert Request: ...... "); System.out.println(""); System.out.println(Req1); System.out.println(""); - System.out.println("End Request:"); + System.out.println("CRMFPopClient: End Request:"); + + PrintStream ps = null; + ps = new PrintStream(new FileOutputStream(REQ_OUT_FILE)); + ps.println("-----BEGIN NEW CERTIFICATE REQUEST-----"); + ps.println(Req1); + ps.println("-----END NEW CERTIFICATE REQUEST-----"); + ps.flush(); + ps.close(); + System.out.println("CRMFPopClient: done output request to file: "+ REQ_OUT_FILE); if (doServerHit == 0) return; - } - - String Req = URLEncoder.encode(Req1, "UTF-8"); - - // post PKCS10 + } + + String Req = URLEncoder.encode(Req1); - url = - new URL("http://" - + HOST + ":" + PORT + "/ca/ee/ca/profileSubmit?cert_request_type=crmf&cert_request=" + url = + new URL("http://" + + HOST_PORT + "/ca/ee/ca/profileSubmit?cert_request_type=crmf&cert_request=" + Req + "&renewal=false&uid=" + USER_NAME + "&xmlOutput=false&&profileId=" - + profileName + "&sn_uid=" + USER_NAME + "&SubId=profile&requestor_name=" + + profileName + "&sn_uid=" + USER_NAME +"&SubId=profile&requestor_name=" + REQUESTOR_NAME); - //System.out.println("Posting " + url); - - System.out.println(""); - System.out.println("Server Response....."); - System.out.println("--------------------"); - System.out.println(""); - - conn = url.openConnection(); - is = conn.getInputStream(); - reader = new BufferedReader(new InputStreamReader(is)); - String line = null; - while ((line = reader.readLine()) != null) { - System.out.println(line); - if (line.equals("CMS Enroll Request Success")) { - System.out.println("Enrollment Successful: ......"); - System.out.println(""); - } - } /* while */ - } catch (Exception e) { - System.out.println("WARNING: " + e.toString()); + System.out.println("CRMFPopClient: Posting " + url); + + System.out.println(""); + System.out.println("CRMFPopClient: Server Response....."); + System.out.println("--------------------"); + System.out.println(""); + + long start_time = (new Date()).getTime(); + conn = url.openConnection(); + is = conn.getInputStream(); + reader = new BufferedReader(new InputStreamReader(is)); + String line = null; + + while ((line = reader.readLine()) != null) { + System.out.println(line); + if (line.equals("CMS Enroll Request Success")) { + success = true; + System.out.println("CRMFPopClient: Enrollment Successful: ......"); + System.out.println(""); + } + } /* while */ + + long end_time = (new Date()).getTime(); + total_time += (end_time - start_time); + } catch (Exception e) { + System.out.println("CRMFPopClient: WARNING: " + e.toString()); + e.printStackTrace(); + } + } catch (Exception e) { + System.out.println("CRMFPopClient: ERROR: " + e.toString()); e.printStackTrace(); - } - } catch (Exception e) { - System.out.println("ERROR: " + e.toString()); - e.printStackTrace(); } } @@ -542,8 +632,8 @@ public class CRMFPopClient { } catch (IOException e) { - System.out.println("Illegal Subject Name: " + dn + " Error: " + e.toString()); - System.out.println("Filling in default Subject Name......"); + System.out.println("CRMFPopClient: Illegal Subject Name: " + dn + " Error: " + e.toString()); + System.out.println("CRMFPopClient: Filling in default Subject Name......"); return null; } @@ -616,7 +706,7 @@ public class CRMFPopClient { continue; } } catch (Exception e) { - System.out.println("Error constructing RDN: " + rdnStr + " Error: " + e.toString()); + System.out.println("CRMFPopClient: Error constructing RDN: " + rdnStr + " Error: " + e.toString()); continue; } |