summaryrefslogtreecommitdiffstats
path: root/base/java-tools
diff options
context:
space:
mode:
authorChristina Fu <cfu@redhat.com>2017-03-10 19:50:13 -0800
committerChristina Fu <cfu@redhat.com>2017-03-28 09:13:43 -0400
commit58b0563caac110e6950657eb9894c6981f179452 (patch)
tree11d7fbec8a513b85e1f11146476fc819dd7189a1 /base/java-tools
parent5f2d025962afa34deca93c3b46ff374376c0ea43 (diff)
downloadpki-58b0563caac110e6950657eb9894c6981f179452.tar.gz
pki-58b0563caac110e6950657eb9894c6981f179452.tar.xz
pki-58b0563caac110e6950657eb9894c6981f179452.zip
Bug 1419742: CMC RFE: provide Proof of Possession for encryption cert requests CMC encryptedPOP and decrypedPOP (Phase 1) also disable lraPOPwitness This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
Diffstat (limited to 'base/java-tools')
-rw-r--r--base/java-tools/src/com/netscape/cmstools/CMCRequest.java892
-rw-r--r--base/java-tools/src/com/netscape/cmstools/CMCResponse.java26
-rw-r--r--base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java7
3 files changed, 683 insertions, 242 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
index bca569bab..a2aca8ad1 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
@@ -31,6 +31,8 @@ import java.io.PrintStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
+import java.text.SimpleDateFormat;
+import java.util.Arrays;
import java.util.Date;
import java.util.StringTokenizer;
@@ -50,22 +52,33 @@ import org.mozilla.jss.asn1.UTF8String;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.DigestAlgorithm;
import org.mozilla.jss.crypto.ObjectNotFoundException;
+import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.SignatureAlgorithm;
+import org.mozilla.jss.crypto.SymmetricKey;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.pkcs10.CertificationRequest;
import org.mozilla.jss.pkix.cmc.CMCCertId;
+import org.mozilla.jss.pkix.cmc.CMCStatusInfo;
+import org.mozilla.jss.pkix.cmc.DecryptedPOP;
+import org.mozilla.jss.pkix.cmc.EncryptedPOP;
import org.mozilla.jss.pkix.cmc.GetCert;
import org.mozilla.jss.pkix.cmc.IdentityProofV2;
import org.mozilla.jss.pkix.cmc.LraPopWitness;
+import org.mozilla.jss.pkix.cmc.OtherInfo;
import org.mozilla.jss.pkix.cmc.OtherMsg;
import org.mozilla.jss.pkix.cmc.PKIData;
+import org.mozilla.jss.pkix.cmc.PendInfo;
+import org.mozilla.jss.pkix.cmc.ResponseBody;
import org.mozilla.jss.pkix.cmc.TaggedAttribute;
import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
import org.mozilla.jss.pkix.cmc.TaggedRequest;
import org.mozilla.jss.pkix.cmmf.RevRequest;
import org.mozilla.jss.pkix.cms.ContentInfo;
import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo;
+import org.mozilla.jss.pkix.cms.EncryptedContentInfo;
+import org.mozilla.jss.pkix.cms.EnvelopedData;
import org.mozilla.jss.pkix.cms.IssuerAndSerialNumber;
+import org.mozilla.jss.pkix.cms.RecipientInfo;
import org.mozilla.jss.pkix.cms.SignedData;
import org.mozilla.jss.pkix.cms.SignerIdentifier;
import org.mozilla.jss.pkix.cms.SignerInfo;
@@ -129,33 +142,31 @@ public class CMCRequest {
X509Certificate cert = getCertificate(tokenName, nickname);
if (cert != null)
- System.out.println("got signing cert");
+ System.out.println("getPrivateKey: got signing cert");
return CryptoManager.getInstance().findPrivKeyByCert(cert);
}
/**
- * getCMCBlob create and return the enrollment request.
- * <P>
+ * signData signs the request PKIData
*
* @param signerCert the certificate of the authorized signer of the CMC revocation request.
* @param nickname the nickname of the certificate inside the token.
- * @param rValue CRMF/PKCS10 request.
- * @param format either crmf or pkcs10
- * @return the CMC enrollment request encoded in base64
+ * @param pkidata the request PKIData to be signed
+ *
+ * @return the SignedData
+ *
*/
- static ContentInfo getCMCBlob(X509Certificate signerCert, String tokenName, String nickname,
- String[] rValue, String format, CryptoManager manager, String transactionMgtEnable,
- String transactionMgtId,
- String identificationEnable, String identification,
- String identityProofEnable, String identityProofSharedSecret,
- String identityProofV2Enable, String identityProofV2SharedSecret,
- String identityProofV2hashAlg, String identityProofV2macAlg,
- SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid) {
-
- System.out.println("in getCMCBlob");
+ static SignedData signData(
+ X509Certificate signerCert,
+ String tokenName,
+ String nickname,
+ CryptoManager manager,
+ PKIData pkidata) {
+ String method = "signData: ";
+ SignedData req = null;
+ System.out.println(method + "begins: ");
- ContentInfo fullEnrollmentReq = null;
try {
java.security.PrivateKey privKey = null;
SignerIdentifier si = null;
@@ -175,8 +186,122 @@ public class CMCRequest {
SignerIdentifier.ISSUER_AND_SERIALNUMBER, ias, null);
privKey = getPrivateKey(tokenName, nickname);
if (privKey != null)
- System.out.println("getCMCBlob: got privKey");
+ System.out.println(method + " got signer privKey");
+
+ EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata);
+ DigestAlgorithm digestAlg = null;
+ SignatureAlgorithm signAlg = null;
+ org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey)
+ .getType();
+ if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) {
+ signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest;
+ } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) {
+ signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest;
+ } else {
+ System.out.println("Algorithm not supported");
+ return null;
+ }
+
+ MessageDigest SHADigest = null;
+
+ byte[] digest = null;
+ try {
+ SHADigest = MessageDigest.getInstance("SHA256");
+ digestAlg = DigestAlgorithm.SHA256;
+
+ ByteArrayOutputStream ostream = new ByteArrayOutputStream();
+
+ pkidata.encode(ostream);
+ digest = SHADigest.digest(ostream.toByteArray());
+ } catch (NoSuchAlgorithmException e) {
+ System.out.println(e); System.exit(1);}
+ System.out.println(method + "digest created for pkidata");
+
+ SignerInfo signInfo = new SignerInfo(si, null, null, OBJECT_IDENTIFIER.id_cct_PKIData, digest, signAlg,
+ (org.mozilla.jss.crypto.PrivateKey) privKey);
+ SET signInfos = new SET();
+ signInfos.addElement(signInfo);
+
+ SET digestAlgs = new SET();
+
+ if (digestAlg != null) {
+ AlgorithmIdentifier ai = new AlgorithmIdentifier(digestAlg.toOID(), null);
+ digestAlgs.addElement(ai);
+ }
+
+ org.mozilla.jss.crypto.X509Certificate[] agentChain = manager.buildCertificateChain(signerCert);
+ SET certs = new SET();
+
+ for (int i = 0; i < agentChain.length; i++) {
+ ANY cert = new ANY(agentChain[i].getEncoded());
+ certs.addElement(cert);
+ }
+
+ req = new SignedData(digestAlgs, ci, certs, null, signInfos);
+ System.out.println(method + "signed request generated.");
+ } catch (Exception e) {
+ e.printStackTrace();
+ System.exit(1);
+ }
+
+ return req;
+ }
+
+ /**
+ * getCMCBlob create and return the enrollment request.
+ *
+ * @return the CMC enrollment request encoded in base64
+ *
+ */
+ static ContentInfo getCMCBlob(SignedData req) {
+ String method = "getCMCBlob: ";
+ System.out.println(method + "begins");
+ ContentInfo fullEnrollmentReq = new ContentInfo(req);
+ try {
+ ByteArrayOutputStream bs = new ByteArrayOutputStream();
+ PrintStream ps = new PrintStream(bs);
+
+ if (fullEnrollmentReq != null) {
+ ByteArrayOutputStream os = new ByteArrayOutputStream();
+ fullEnrollmentReq.encode(os);
+ ps.print(Utils.base64encode(os.toByteArray()));
+ }
+ String asciiBASE64Blob = bs.toString();
+
+ System.out.println("");
+ System.out.println("The CMC enrollment request in base-64 encoded format:");
+ System.out.println("");
+ System.out.println(asciiBASE64Blob);
+ } catch (Exception e) {
+ System.out.println(method + " Exception:" + e.toString());
+ System.exit(1);
+ }
+ return fullEnrollmentReq;
+ }
+
+ /**
+ * createPKIData creates PKIData
+ *
+ * @param rValue CRMF/PKCS10 request.
+ * @param format either crmf or pkcs10
+ * @return request in PKIData
+ */
+ static PKIData createPKIData(
+ String[] rValue, String format, String transactionMgtEnable,
+ String transactionMgtId,
+ String identificationEnable, String identification,
+ String identityProofEnable, String identityProofSharedSecret,
+ String identityProofV2Enable, String witnessSharedSecret,
+ String identityProofV2hashAlg, String identityProofV2macAlg,
+ SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid) {
+
+ String method = "createPKIData: ";
+
+ System.out.println(method + "begins");
+ PKIData pkidata = null;
+
+ try {
TaggedRequest trq = null;
PKCS10 pkcs = null;
CertReqMsg certReqMsg = null;
@@ -185,20 +310,18 @@ public class CMCRequest {
SEQUENCE reqSequence = new SEQUENCE();
try {
for (int k = 0; k < rValue.length; k++) {
- System.out.println("k="+ k);
+ System.out.println("k=" + k);
String asciiBASE64Blob = rValue[k];
byte[] decodedBytes = Utils.base64decode(asciiBASE64Blob);
if (format.equals("crmf")) {
- System.out.println("getCMCBlob: format: crmf");
- ByteArrayInputStream reqBlob =
- new ByteArrayInputStream(decodedBytes);
+ System.out.println(method + " format: crmf");
+ ByteArrayInputStream reqBlob = new ByteArrayInputStream(decodedBytes);
SEQUENCE crmfMsgs = null;
try {
- crmfMsgs = (SEQUENCE) new SEQUENCE.OF_Template(new
- CertReqMsg.Template()).decode(reqBlob);
+ crmfMsgs = (SEQUENCE) new SEQUENCE.OF_Template(new CertReqMsg.Template()).decode(reqBlob);
} catch (InvalidBERException ee) {
- System.out.println("getCMCBlob: This is not a crmf request. Or this request has an error.");
+ System.out.println(method + " This is not a crmf request. Or this request has an error.");
System.exit(1);
}
certReqMsg = (CertReqMsg) crmfMsgs.elementAt(0);
@@ -208,25 +331,24 @@ public class CMCRequest {
try {
pkcs = new PKCS10(decodedBytes, true);
} catch (Exception e2) {
- System.out.println("getCMCBlob: Excception:"+e2.toString());
+ System.out.println(method + " Excception:" + e2.toString());
System.exit(1);
}
ByteArrayInputStream crInputStream = new ByteArrayInputStream(
pkcs.toByteArray());
- CertificationRequest cr = (CertificationRequest)
- CertificationRequest.getTemplate().decode(crInputStream);
+ CertificationRequest cr = (CertificationRequest) CertificationRequest.getTemplate()
+ .decode(crInputStream);
TaggedCertificationRequest tcr = new TaggedCertificationRequest(
new INTEGER(bpid++), cr);
- trq = new
- TaggedRequest(TaggedRequest.PKCS10, tcr, null);
+ trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null);
} else {
- System.out.println("getCMCBlob: Unrecognized request format: " + format);
+ System.out.println(method + " Unrecognized request format: " + format);
System.exit(1);
}
reqSequence.addElement(trq);
}
} catch (Exception e) {
- System.out.println("getCMCBlob: Exception:"+ e.toString());
+ System.out.println(method + " Exception:" + e.toString());
System.exit(1);
}
@@ -242,7 +364,7 @@ public class CMCRequest {
// if both, V2 takes precedence
if (identityProofV2Enable.equals("true")) {
bpid = addIdentityProofV2Attr(bpid, controlSeq, reqSequence,
- identityProofV2SharedSecret,
+ witnessSharedSecret,
(identificationEnable.equals("true")) ? identification : null,
identityProofV2hashAlg, identityProofV2macAlg);
} else if (identityProofEnable.equals("true")) {
@@ -250,77 +372,12 @@ public class CMCRequest {
identityProofSharedSecret);
}
- PKIData pkidata = new PKIData(controlSeq, reqSequence, new SEQUENCE(), otherMsgSeq);
-
- EncapsulatedContentInfo ci = new
- EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata);
- // SHA1 is the default digest Alg for now.
- DigestAlgorithm digestAlg = null;
- SignatureAlgorithm signAlg = null;
- org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey).getType();
- if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) {
- signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest;
- } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) {
- signAlg = SignatureAlgorithm.ECSignatureWithSHA1Digest;
- } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.DSA)) {
- signAlg = SignatureAlgorithm.DSASignatureWithSHA1Digest;
- }
-
- MessageDigest SHADigest = null;
-
- byte[] digest = null;
- try {
- SHADigest = MessageDigest.getInstance("SHA1");
- digestAlg = DigestAlgorithm.SHA1;
-
- ByteArrayOutputStream ostream = new ByteArrayOutputStream();
-
- pkidata.encode(ostream);
- digest = SHADigest.digest(ostream.toByteArray());
- } catch (NoSuchAlgorithmException e) {
- }
- SignerInfo signInfo = new
- SignerInfo(si, null, null, OBJECT_IDENTIFIER.id_cct_PKIData, digest, signAlg,
- (org.mozilla.jss.crypto.PrivateKey) privKey);
- SET signInfos = new SET();
- signInfos.addElement(signInfo);
-
- SET digestAlgs = new SET();
-
- if (digestAlg != null) {
- AlgorithmIdentifier ai = new AlgorithmIdentifier(digestAlg.toOID(), null);
- digestAlgs.addElement(ai);
- }
-
- org.mozilla.jss.crypto.X509Certificate[] agentChain = manager.buildCertificateChain(signerCert);
- SET certs = new SET();
-
- for (int i = 0; i < agentChain.length; i++) {
- ANY cert = new ANY(agentChain[i].getEncoded());
- certs.addElement(cert);
- }
- SignedData req = new SignedData(digestAlgs, ci, certs, null, signInfos);
- fullEnrollmentReq = new ContentInfo(req);
- ByteArrayOutputStream bs = new ByteArrayOutputStream();
- PrintStream ps = new PrintStream(bs);
-
- if (fullEnrollmentReq != null) {
- ByteArrayOutputStream os = new ByteArrayOutputStream();
-
- fullEnrollmentReq.encode(os);
- ps.print(Utils.base64encode(os.toByteArray()));
- }
- String asciiBASE64Blob = bs.toString();
-
- System.out.println("");
- System.out.println("The CMC enrollment request in base-64 encoded format:");
- System.out.println("");
- System.out.println(asciiBASE64Blob);
+ pkidata = new PKIData(controlSeq, reqSequence, new SEQUENCE(), otherMsgSeq);
} catch (Exception e) {
e.printStackTrace();
System.exit(1);
}
- return fullEnrollmentReq;
+ return pkidata;
}
static void printUsage() {
@@ -330,16 +387,29 @@ public class CMCRequest {
System.out.println("");
System.out.println("The configuration file should look like as follows:");
System.out.println("");
+ System.out.println("#decryptedPop.enable: if true, this is in response to an encryptedPOP request from the server from previous request;");
+ System.out.println("# most all options other than the following are ignored:");
+ System.out.println("# encryptedPopResponseFile, privKeyId, decryptedPopRequestFile");
+ System.out.println("# where");
+ System.out.println("# encryptPopResponse was the output from previous request, and is now an input to the new request that is about to be generated");
+ System.out.println("# decryptedPopRequestFile is the output that is to be sent to the server as 2nd trip request in response to encryptedPOP");
+ System.out.println("# privKeyId: used for decrypting the encryptedPOP and creating decryptedPOP");
+ System.out.println("");
+ System.out.println("decryptedPop.enable=false");
+ System.out.println("encryptedPopResponseFile=cmc.resp");
+ System.out.println("request.privKeyId=");
+ System.out.println("decryptedPopRequestFile=cmc.decreyptedPOP.req");
+ System.out.println("");
System.out.println("#numRequests: Total number of PKCS10 requests or CRMF requests.");
System.out.println("numRequests=1");
System.out.println("");
System.out.println("#input: full path for the PKCS10 request or CRMF request,");
System.out.println("#the content must be in Base-64 encoded format");
System.out.println("#Multiple files are supported. They must be separated by space.");
- System.out.println("input=crmf1");
+ System.out.println("input=crmf.req");
System.out.println("");
System.out.println("#output: full path for the CMC request in binary format");
- System.out.println("output=/u/doc/cmcReq");
+ System.out.println("output=cmc.req");
System.out.println("");
System.out.println("#tokenname: name of token where agent signing cert can be found (default is internal)");
System.out.println("tokenname=internal");
@@ -349,7 +419,7 @@ public class CMCRequest {
System.out.println("nickname=CMS Agent Certificate");
System.out.println("");
System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db");
- System.out.println("dbdir=/u/smith/.netscape");
+ System.out.println("dbdir=./");
System.out.println("");
System.out.println("#password: password for cert8.db which stores the agent");
System.out.println("#certificate");
@@ -360,7 +430,7 @@ public class CMCRequest {
System.out.println("");
System.out.println("#confirmCertAcceptance.enable: if true, then the request will");
System.out.println("#contain this control. Otherwise, false.");
- System.out.println("confirmCertAcceptance.enable=true");
+ System.out.println("confirmCertAcceptance.enable=false");
System.out.println("");
System.out.println("#confirmCertAcceptance.serial: The serial number for");
System.out.println("#confirmCertAcceptance control");
@@ -372,7 +442,7 @@ public class CMCRequest {
System.out.println("");
System.out.println("#getCert.enable: if true, then the request will contain this");
System.out.println("#control. Otherwise, false.");
- System.out.println("getCert.enable=true");
+ System.out.println("getCert.enable=false");
System.out.println("");
System.out.println("#getCert.serial: The serial number for getCert control");
System.out.println("getCert.serial=3");
@@ -382,14 +452,14 @@ public class CMCRequest {
System.out.println("");
System.out.println("#dataReturn.enable: if true, then the request will contain");
System.out.println("#this control. Otherwise, false.");
- System.out.println("dataReturn.enable=true");
+ System.out.println("dataReturn.enable=false");
System.out.println("");
System.out.println("#dataReturn.data: data contained in the control.");
System.out.println("dataReturn.data=test");
System.out.println("");
System.out.println("#transactionMgt.enable: if true, then the request will contain");
System.out.println("#this control. Otherwise, false.");
- System.out.println("transactionMgt.enable=true");
+ System.out.println("transactionMgt.enable=false");
System.out.println("");
System.out.println("#transactionMgt.id: transaction identifier. Verisign recommend");
System.out.println("#transactionId to be MD5 hash of publicKey.");
@@ -397,14 +467,14 @@ public class CMCRequest {
System.out.println("");
System.out.println("#senderNonce.enable: if true, then the request will contain this");
System.out.println("#control. Otherwise, false.");
- System.out.println("senderNonce.enable=true");
+ System.out.println("senderNonce.enable=false");
System.out.println("");
System.out.println("#senderNonce.id: sender nonce");
System.out.println("senderNonce.id=");
System.out.println("");
System.out.println("#revRequest.enable: if true, then the request will contain this");
System.out.println("#control. Otherwise, false.");
- System.out.println("revRequest.enable=true");
+ System.out.println("revRequest.enable=false");
System.out.println("");
System.out.println("#revRequest.nickname: The nickname for the revoke certificate");
System.out.println("revRequest.nickname=newuser's 102504a ID");
@@ -439,15 +509,15 @@ public class CMCRequest {
System.out.println("#Note that if both identityProof and identityProofV2");
System.out.println("# are enabled, identityProofV2 takes precedence; Only one of them can be active at a time");
System.out.println("#Supported hashAlg are:");
- System.out.println("# SHA-1, SHA-256, SHA-384, and SHA-512");
+ System.out.println("# SHA-256, SHA-384, and SHA-512");
System.out.println("#Supported macAlg are:");
- System.out.println("# SHA-1-HMAC, SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC");
+ System.out.println("# SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC");
System.out.println("identityProofV2.enable=false");
System.out.println("identityProofV2.hashAlg=SHA-256");
System.out.println("identityProofV2.macAlg=SHA-256-HMAC");
System.out.println("");
- System.out.println("#identityProofV2.sharedSecret: Shared Secret");
- System.out.println("identityProofV2.sharedSecret=testing");
+ System.out.println("#witness.sharedSecret: Shared Secret");
+ System.out.println("witness.sharedSecret=testing");
System.out.println("");
System.out.println("#identification works with identityProofV2");
System.out.println("identification.enable=false");
@@ -471,7 +541,7 @@ public class CMCRequest {
System.out.println("");
System.out.println("#LraPopWitness.enable: if true, then the request will contain this");
System.out.println("#control. Otherwise, false.");
- System.out.println("LraPopWitness.enable=true");
+ System.out.println("LraPopWitness.enable=false");
System.out.println("");
System.out.println("#LraPopWitness.bodyPartIDs: List of body part IDs");
System.out.println("#Each id is separated by space.");
@@ -550,7 +620,7 @@ public class CMCRequest {
* @param sharedSecret shared secret
* @param hashAlgString hash algorithm
* @param macAlgString mac algorithm
- * cfu
+ * @author cfu
*/
private static int addIdentityProofV2Attr(int bpid,
SEQUENCE seq, SEQUENCE reqSequence,
@@ -926,7 +996,7 @@ public class CMCRequest {
* @param seq
* @param ident
* @return
- * cfu
+ * @author cfu
*/
private static int addIdentificationAttr(int bpid, SEQUENCE seq, String ident) {
UTF8String ident_s = null;
@@ -973,11 +1043,273 @@ public class CMCRequest {
return bpid;
}
+ /**
+ * processEncryptedPopResponse parses previous CMC response
+ * and returns the encryptedPop
+ *
+ * @param prevResponse file
+ * @param privKey
+ * @return encryptedPop and reqIdString in Object[]
+ * @author cfu
+ */
+ private static Object[] processEncryptedPopResponse(
+ String prevResponse) {
+ // the values to be returned
+ EncryptedPOP encryptedPop = null;
+ String reqIdString = null; // capture the requestId;
+
+ String method = "processEncryptedPopResponse: ";
+ System.out.println(method + " begins.");
+
+ byte[] bb = new byte[10000];
+ FileInputStream fis = null;
+ try {
+ fis = new FileInputStream(prevResponse);
+ while (fis.available() > 0)
+ fis.read(bb, 0, 10000);
+ } catch (Exception e) {
+ System.out.println(method + "Error reading the response. Exception: " + e.toString());
+ System.exit(1);
+ }
+ System.out.println(method + " previous response read.");
+
+ org.mozilla.jss.pkix.cms.SignedData cmcFullResp = null;
+ try {
+ ByteArrayInputStream bis = new ByteArrayInputStream(bb);
+ org.mozilla.jss.pkix.cms.ContentInfo cii = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo
+ .getTemplate().decode(bis);
+
+ cmcFullResp = (org.mozilla.jss.pkix.cms.SignedData) cii.getInterpretedContent();
+ EncapsulatedContentInfo ci = cmcFullResp.getContentInfo();
+ OBJECT_IDENTIFIER id = ci.getContentType();
+ OBJECT_IDENTIFIER dataid = new OBJECT_IDENTIFIER("1.2.840.113549.1.7.1");
+ if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIResponse) && !id.equals(dataid)) {
+ System.out.println(method + "Invalid CMC Response Format");
+ }
+
+ if (!ci.hasContent())
+ return null;
+
+ OCTET_STRING content1 = ci.getContent();
+ ByteArrayInputStream bbis = new ByteArrayInputStream(content1.toByteArray());
+ ResponseBody responseBody = (ResponseBody) (new ResponseBody.Template()).decode(bbis);
+ SEQUENCE controlSequence = responseBody.getControlSequence();
+ int numControls = controlSequence.size();
+ System.out.println(method + "Number of controls is " + numControls);
+
+ for (int i = 0; i < numControls; i++) {
+ TaggedAttribute taggedAttr = (TaggedAttribute) controlSequence.elementAt(i);
+ OBJECT_IDENTIFIER type = taggedAttr.getType();
+
+ if (type.equals(OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo)) {
+ System.out.println(method + "Control #" + i + ": CMCStatusInfo");
+ System.out.println(method + " OID: " + type.toString());
+ SET sts = taggedAttr.getValues();
+ int numSts = sts.size();
+ for (int j = 0; j < numSts; j++) {
+ CMCStatusInfo cst = (CMCStatusInfo) ASN1Util.decode(CMCStatusInfo.getTemplate(),
+ ASN1Util.encode(sts.elementAt(j)));
+ SEQUENCE seq = cst.getBodyList();
+ StringBuilder s = new StringBuilder(" BodyList: ");
+ for (int k = 0; k < seq.size(); k++) {
+ INTEGER n = (INTEGER) seq.elementAt(k);
+ s.append(n.toString() + " ");
+ }
+ System.out.println(method + s);
+ int st = cst.getStatus();
+ if (st != CMCStatusInfo.SUCCESS && st != CMCStatusInfo.CONFIRM_REQUIRED) {
+ String stString = cst.getStatusString();
+ if (stString != null)
+ System.out.println(method + " Status String: " + stString);
+ OtherInfo oi = cst.getOtherInfo();
+ OtherInfo.Type t = oi.getType();
+ if (t == OtherInfo.FAIL) {
+ System.out.println(method + " OtherInfo type: FAIL");
+ System.out.println(method
+ + " not what we expected, because encryptedPOP.enable is true!!!! exit now");
+ System.exit(1);
+ } else if (t == OtherInfo.PEND) {
+ System.out.println(method + " OtherInfo type: PEND");
+ PendInfo pi = oi.getPendInfo();
+ if (pi == null) {
+ System.out.println(method + "PendInfo null...skipping");
+ continue;
+ } else
+ System.out.println(method + "PendInfo present...processing...");
+ if (pi.getPendTime() != null) {
+ String datePattern = "dd/MMM/yyyy:HH:mm:ss z";
+ SimpleDateFormat dateFormat = new SimpleDateFormat(datePattern);
+ Date d = pi.getPendTime().toDate();
+ System.out.println(method + " Date: " + dateFormat.format(d));
+ }
+ OCTET_STRING pendToken = pi.getPendToken();
+ if (pendToken != null) {
+ byte reqId[] = pendToken.toByteArray();
+ reqIdString = new String(reqId);
+ System.out.println(method + " Pending request id: " + reqIdString);
+ } else {
+ System.out.println(method + "missing pendToken in response");
+ System.exit(1);
+ }
+ System.out.println(method + " what we expected, as encryptedPOP.enable is true;");
+ }
+ } else if (st == CMCStatusInfo.SUCCESS) {
+ System.out.println(method + " Status: SUCCESS");
+ System.out.println(
+ method + " not what we expected, because encryptedPOP.enable is true!!!! exit now");
+ System.exit(1);
+ }
+ }
+ } else if (type.equals(OBJECT_IDENTIFIER.id_cmc_encryptedPOP)) {
+ // bingo
+ System.out.println(method + "Control #" + i + ": CMC encrypted POP");
+ System.out.println(method + " OID: " + type.toString());
+ SET encryptedPOPvals = taggedAttr.getValues();
+
+ encryptedPop = (EncryptedPOP) (ASN1Util.decode(EncryptedPOP.getTemplate(),
+ ASN1Util.encode(encryptedPOPvals.elementAt(0))));
+ System.out.println(method + "encryptedPOP decoded successfully");
+
+ } // we don't expect any other controls
+ } //for
+ } catch (Exception e) {
+ System.out.println(method + e);
+ System.exit(1);
+ }
+
+ System.out.println(method + "ends");
+ return new Object[] { encryptedPop, reqIdString };
+ }
+
+ /**
+ * constructDecryptedPopRequest constructs request PKIData for DecryptedPOP
+ *
+ * @param encryptedPopInfo {EncryptedPOP, reqIdString}
+ * @param privKey
+ * @return request PKIData
+ * @author cfu
+ */
+ private static PKIData constructDecryptedPopRequest(
+ Object[] encryptedPopInfo,
+ String tokenName,
+ PrivateKey privKey) {
+ PKIData pkidata = null;
+ DecryptedPOP decryptedPop = null;
+
+ String method = "constructDecryptedPopRequest: ";
+ System.out.println(method + "begins");
+ if ((encryptedPopInfo == null) || (privKey == null)) {
+ System.out.println(method + "input params encryptedPopInfo and privKey cannot be null");
+ System.exit(1);
+ }
+
+ EncryptedPOP encryptedPop = (EncryptedPOP) encryptedPopInfo[0];
+ String reqIdString = (String) encryptedPopInfo[1];
+ if ((encryptedPop == null) || (reqIdString == null)) {
+ System.out.println(method + "encryptedPopInfo content encryptedPop and reqIdString cannot be null");
+ System.exit(1);
+ }
+
+ try {
+ TaggedRequest request = encryptedPop.getRequest();
+ AlgorithmIdentifier thePOPAlgID = encryptedPop.getThePOPAlgID();
+ AlgorithmIdentifier witnessAlgID = encryptedPop.getWitnessAlgID();
+ OCTET_STRING witness = encryptedPop.getWitness();
+ ContentInfo cms = encryptedPop.getContentInfo();
+ EnvelopedData envData = (EnvelopedData) cms.getInterpretedContent();
+ EncryptedContentInfo encCI = envData.getEncryptedContentInfo();
+ SET recipients = envData.getRecipientInfos();
+ RecipientInfo recipient = (RecipientInfo) (ASN1Util.decode(RecipientInfo.getTemplate(),
+ ASN1Util.encode(recipients.elementAt(0))));
+ System.out.println(method + " previous response parsed.");
+
+ CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName);
+ SymmetricKey symKey = CryptoUtil.unwrap(
+ token,
+ SymmetricKey.Usage.DECRYPT,
+ privKey,
+ recipient.getEncryptedKey().toByteArray());
+ if (symKey == null) {
+ System.out.println(method + "symKey returned null from CryptoUtil.unwrap(). Abort!");
+ System.exit(1);
+ }
+ System.out.println(method + "symKey unwrapped.");
+
+ byte challenge[] = CryptoUtil.decryptUsingSymmetricKey(
+ token,
+ encCI.getEncryptedContent().toByteArray(),
+ symKey);
+ if (challenge == null) {
+ System.out
+ .println(method + "challenge returned null from CryptoUtil.decryptUsingSymmetricKey(). Abort!");
+ System.exit(1);
+ }
+ System.out.println(method + "challenge decrypted.");
+
+ // now verify the witness
+ try {
+ MessageDigest hash = MessageDigest.getInstance(CryptoUtil.getNameFromHashAlgorithm(witnessAlgID));
+ byte[] digest = hash.digest(challenge);
+ boolean witnessChecked = Arrays.equals(digest, witness.toByteArray());
+ if (witnessChecked) {
+ System.out.println(method + "Yay! witness verified");
+ } else {
+ System.out.println(method + "Oops! witness failed to verify. Must abort!");
+ System.exit(1);
+ }
+ } catch (Exception ex) {
+ System.out.println(method + ex);
+ System.exit(1);
+ }
+
+ // now calculate the POP Proof Value
+ byte[] popProofValue = null;
+ try {
+ System.out.println(method + "calculating POP Proof Value");
+ MessageDigest SHA2Digest = MessageDigest.getInstance("SHA256");
+ HMACDigest hmacDigest = new HMACDigest(SHA2Digest, challenge);
+ hmacDigest.update(ASN1Util.encode(request));
+ popProofValue = hmacDigest.digest();
+ } catch (Exception ex) {
+ System.out.println(method + "calculating POP Proof Value failed: " + ex);
+ System.exit(1);
+ }
+
+ int bpid = 1;
+ // now construct DecryptedPOP
+ System.out.println(method + "constructing DecryptedPOP...");
+ decryptedPop = new DecryptedPOP(new INTEGER(reqIdString), thePOPAlgID, new OCTET_STRING(popProofValue));
+ System.out.println(method + "DecryptedPOP constructed successfully");
+ System.out.println(method + "adding decryptedPop control");
+ TaggedAttribute decPop = new TaggedAttribute(new INTEGER(bpid++),
+ OBJECT_IDENTIFIER.id_cmc_decryptedPOP,
+ decryptedPop);
+
+ SEQUENCE reqSequence = new SEQUENCE();
+ reqSequence.addElement(request); //stuff original req
+
+ SEQUENCE controlSeq = new SEQUENCE();
+ controlSeq.addElement(decPop);
+ System.out.println(method + "decryptedPop control added");
+
+ SEQUENCE otherMsgSeq = new SEQUENCE();
+
+ pkidata = new PKIData(controlSeq, reqSequence, new SEQUENCE(), otherMsgSeq);
+ } catch (Exception e) {
+ System.out.println(method + e);
+ System.exit(1);
+ }
+
+ System.out.println(method + " completes.");
+ return pkidata;
+ }
+
public static void main(String[] s) {
String numRequests = null;
String dbdir = null, nickname = null;
String tokenName = null;
String ifilename = null, ofilename = null, password = null, format = null;
+ String decryptedPopEnable = "false", encryptedPopResponseFile=null, privKeyId = null, decryptedPopRequestFile= null;
String confirmCertEnable = "false", confirmCertIssuer = null, confirmCertSerial = null;
String getCertEnable = "false", getCertIssuer = null, getCertSerial = null;
String dataReturnEnable = "false", dataReturnData = null;
@@ -989,7 +1321,7 @@ public class CMCRequest {
String revRequestInvalidityDatePresent = "false";
String identificationEnable = "false", identification = null;
String identityProofEnable = "false", identityProofSharedSecret = null;
- String identityProofV2Enable = "false", identityProofV2SharedSecret = null, identityProofV2hashAlg = "SHA256", identityProofV2macAlg = "SHA256";
+ String identityProofV2Enable = "false", witnessSharedSecret = null, identityProofV2hashAlg = "SHA256", identityProofV2macAlg = "SHA256";
String popLinkWitnessEnable = "false";
String bodyPartIDs = null, lraPopWitnessEnable = "false";
@@ -1046,6 +1378,14 @@ public class CMCRequest {
ofilename = val;
} else if (name.equals("input")) {
ifilename = val;
+ } else if (name.equals("decryptedPop.enable")) {
+ decryptedPopEnable = val;
+ } else if (name.equals("encryptedPopResponseFile")) {
+ encryptedPopResponseFile = val;
+ } else if (name.equals("request.privKeyId")) {
+ privKeyId = val;
+ } else if (name.equals("decryptedPopRequestFile")) {
+ decryptedPopRequestFile = val;
} else if (name.equals("confirmCertAcceptance.serial")) {
confirmCertSerial = val;
} else if (name.equals("confirmCertAcceptance.issuer")) {
@@ -1092,8 +1432,8 @@ public class CMCRequest {
identification = val;
} else if (name.equals("identityProofV2.enable")) {
identityProofV2Enable = val;
- } else if (name.equals("identityProofV2.sharedSecret")) {
- identityProofV2SharedSecret = val;
+ } else if (name.equals("witness.sharedSecret")) {
+ witnessSharedSecret = val;
} else if (name.equals("identityProofV2.hashAlg")) {
identityProofV2hashAlg = val;
} else if (name.equals("identityProofV2.macAlg")) {
@@ -1118,45 +1458,6 @@ public class CMCRequest {
printUsage();
}
- if (ifilename == null) {
- System.out.println("Missing input filename for PKCS10 or CRMF.");
- printUsage();
- }
-
- int num = 0;
- if (numRequests == null) {
- System.out.println("Missing numRequests.");
- printUsage();
- } else {
- try {
- num = Integer.parseInt(numRequests);
- } catch (Exception ee) {
- System.out.println("numRequests must be integer");
- System.exit(1);
- }
- }
-
- StringTokenizer tokenizer = new StringTokenizer(ifilename, " ");
- String[] ifiles = new String[num];
- for (int i = 0; i < num; i++) {
- String ss = tokenizer.nextToken();
- ifiles[i] = ss;
- if (ss == null) {
- System.out.println("Missing input file for the request.");
- System.exit(1);
- }
- }
-
- if (ofilename == null) {
- System.out.println("Missing output filename for the CMC request.");
- printUsage();
- }
-
- if (format == null) {
- System.out.println("Missing format.");
- printUsage();
- }
-
if (password == null) {
System.out.println("Missing password.");
printUsage();
@@ -1214,116 +1515,223 @@ public class CMCRequest {
System.out.println("got signerCert: "+ certname.toString());
}
- String[] requests = new String[num];
- for (int i = 0; i < num; i++) {
- BufferedReader inputBlob = null;
- try {
- inputBlob = new BufferedReader(new InputStreamReader(
- new BufferedInputStream(new FileInputStream(ifiles[i]))));
- } catch (FileNotFoundException e) {
- System.out.println("CMCRequest: can't find file " +
- ifiles[i] + ":\n" + e);
- } catch (Exception e) {
- e.printStackTrace();
- System.exit(1);
- }
- // (3) Read the entire contents of the specified BASE 64 encoded
- // blob into a String() object throwing away any
- // headers beginning with HEADER and any trailers beginning
- // with TRAILER
- String asciiBASE64BlobChunk = "";
- StringBuffer asciiBASE64Blob = new StringBuffer();
-
- try {
- while ((asciiBASE64BlobChunk = inputBlob.readLine()) != null) {
- if (!(asciiBASE64BlobChunk.startsWith(HEADER)) &&
- !(asciiBASE64BlobChunk.startsWith(TRAILER))) {
- asciiBASE64Blob.append(asciiBASE64BlobChunk.trim());
- }
+ //cfu
+ ContentInfo cmcblob = null;
+ PKIData pkidata = null;
+ if (decryptedPopEnable.equalsIgnoreCase("true")) {
+ PrivateKey privk = null;
+ if (privKeyId == null) {
+ System.out.println("ecryptedPop.enable = true, but privKeyId not specified.");
+ printUsage();
+ } else {
+ System.out.println("got privKeyId: " + privKeyId);
+
+ byte[] keyIDb = CryptoUtil.string2byte(privKeyId);
+
+ privk = CryptoUtil.findPrivateKeyFromID(keyIDb);
+
+ if (privk != null) {
+ System.out.println("got private key");
+ // now we can use this to decrypt encryptedPOP
+ } else {
+ System.out.println("error getting private key null");
+ System.exit(1);
}
- requests[i] = asciiBASE64Blob.toString();
- } catch (IOException e) {
- System.out.println("CMCRequest: Unexpected BASE64 " +
- "encoded error encountered in readLine():\n" +
- e);
}
- // (4) Close the DataInputStream() object
- try {
- inputBlob.close();
- } catch (IOException e) {
- System.out.println("CMCRequest(): Unexpected BASE64 " +
- "encoded error encountered in close():\n" + e);
+
+ if (encryptedPopResponseFile == null) {
+ System.out.println("ecryptedPop.enable = true, but encryptedPopResponseFile is not specified.");
+ printUsage();
}
- }
- SEQUENCE controlSeq = new SEQUENCE();
- int bpid = 1;
- if (confirmCertEnable.equalsIgnoreCase("true")) {
- if (confirmCertIssuer.length() == 0 || confirmCertSerial.length() == 0) {
- System.out.println("Illegal parameters for confirm certificate acceptance control");
+ if (decryptedPopRequestFile == null) {
+ System.out.println("ecryptedPop.enable = true, but decryptedPopRequestFile is not specified.");
printUsage();
+ }
+ ofilename = decryptedPopRequestFile;
+
+ // now start processing decryptedPOP
+ Object[] encryptedPopInfo = processEncryptedPopResponse(encryptedPopResponseFile);
+ if (encryptedPopInfo == null) {
+ System.out.println("processEncryptedPopResponse() returns null");
System.exit(1);
}
- bpid = addConfirmCertAttr(bpid, controlSeq, confirmCertIssuer, confirmCertSerial);
- }
+ pkidata = constructDecryptedPopRequest(encryptedPopInfo, tokenName, privk);
- if (lraPopWitnessEnable.equalsIgnoreCase("true")) {
- if (bodyPartIDs.length() == 0) {
- System.out.println("Illegal parameters for Lra Pop Witness control");
- printUsage();
+ if (pkidata == null) {
+ System.out.println("after constructDecryptedPopRequest, pkidata null. no good");
System.exit(1);
}
+ } else { // !decryptedPopEnable
- bpid = addLraPopWitnessAttr(bpid, controlSeq, bodyPartIDs);
- }
+ if (ifilename == null) {
+ System.out.println("Missing input filename for PKCS10 or CRMF.");
+ printUsage();
+ }
- if (getCertEnable.equalsIgnoreCase("true")) {
- if (getCertIssuer.length() == 0 || getCertSerial.length() == 0) {
- System.out.println("Illegal parameters for get certificate control");
+ int num = 0;
+ if (numRequests == null) {
+ System.out.println("Missing numRequests.");
printUsage();
- System.exit(1);
+ } else {
+ try {
+ num = Integer.parseInt(numRequests);
+ } catch (Exception ee) {
+ System.out.println("numRequests must be integer");
+ System.exit(1);
+ }
}
- bpid = addGetCertAttr(bpid, controlSeq, getCertIssuer, getCertSerial);
- }
+ StringTokenizer tokenizer = new StringTokenizer(ifilename, " ");
+ String[] ifiles = new String[num];
+ for (int i = 0; i < num; i++) {
+ String ss = tokenizer.nextToken();
+ ifiles[i] = ss;
+ if (ss == null) {
+ System.out.println("Missing input file for the request.");
+ System.exit(1);
+ }
+ }
- if (dataReturnEnable.equalsIgnoreCase("true")) {
- if (dataReturnData.length() == 0) {
- System.out.println("Illegal parameters for data return control");
+ if (ofilename == null) {
+ System.out.println("Missing output filename for the CMC request.");
printUsage();
- System.exit(1);
}
- bpid = addDataReturnAttr(bpid, controlSeq, dataReturnData);
- }
+ if (format == null) {
+ System.out.println("Missing format.");
+ printUsage();
+ }
+ String[] requests = new String[num];
+ for (int i = 0; i < num; i++) {
+ BufferedReader inputBlob = null;
+ try {
+ inputBlob = new BufferedReader(new InputStreamReader(
+ new BufferedInputStream(new FileInputStream(ifiles[i]))));
+ } catch (FileNotFoundException e) {
+ System.out.println("CMCRequest: can't find file " +
+ ifiles[i] + ":\n" + e);
+ } catch (Exception e) {
+ e.printStackTrace();
+ System.exit(1);
+ }
+ // (3) Read the entire contents of the specified BASE 64 encoded
+ // blob into a String() object throwing away any
+ // headers beginning with HEADER and any trailers beginning
+ // with TRAILER
+ String asciiBASE64BlobChunk = "";
+ StringBuffer asciiBASE64Blob = new StringBuffer();
+
+ try {
+ while ((asciiBASE64BlobChunk = inputBlob.readLine()) != null) {
+ if (!(asciiBASE64BlobChunk.startsWith(HEADER)) &&
+ !(asciiBASE64BlobChunk.startsWith(TRAILER))) {
+ asciiBASE64Blob.append(asciiBASE64BlobChunk.trim());
+ }
+ }
+ requests[i] = asciiBASE64Blob.toString();
+ } catch (IOException e) {
+ System.out.println("CMCRequest: Unexpected BASE64 " +
+ "encoded error encountered in readLine():\n" +
+ e);
+ }
+ // (4) Close the DataInputStream() object
+ try {
+ inputBlob.close();
+ } catch (IOException e) {
+ System.out.println("CMCRequest(): Unexpected BASE64 " +
+ "encoded error encountered in close():\n" + e);
+ }
+ }
- if (senderNonceEnable.equalsIgnoreCase("true"))
- bpid = addSenderNonceAttr(bpid, controlSeq, senderNonce);
+ SEQUENCE controlSeq = new SEQUENCE();
+ int bpid = 1;
+ if (confirmCertEnable.equalsIgnoreCase("true")) {
+ if (confirmCertIssuer.length() == 0 || confirmCertSerial.length() == 0) {
+ System.out.println("Illegal parameters for confirm certificate acceptance control");
+ printUsage();
+ System.exit(1);
+ }
+ bpid = addConfirmCertAttr(bpid, controlSeq, confirmCertIssuer, confirmCertSerial);
+ }
- if (popLinkWitnessEnable.equalsIgnoreCase("true"))
- bpid = addPopLinkWitnessAttr(bpid, controlSeq);
+ if (lraPopWitnessEnable.equalsIgnoreCase("true")) {
+ if (bodyPartIDs.length() == 0) {
+ System.out.println("Illegal parameters for Lra Pop Witness control");
+ printUsage();
+ System.exit(1);
+ }
- SEQUENCE otherMsgSeq = new SEQUENCE();
- if (revRequestEnable.equalsIgnoreCase("true")) {
- if (revRequestIssuer.length() == 0 || revRequestSerial.length() == 0 ||
- revRequestReason.length() == 0) {
- System.out.println("Illegal parameters for revRequest control");
- printUsage();
- System.exit(1);
+ bpid = addLraPopWitnessAttr(bpid, controlSeq, bodyPartIDs);
+ }
+
+ if (getCertEnable.equalsIgnoreCase("true")) {
+ if (getCertIssuer.length() == 0 || getCertSerial.length() == 0) {
+ System.out.println("Illegal parameters for get certificate control");
+ printUsage();
+ System.exit(1);
+ }
+
+ bpid = addGetCertAttr(bpid, controlSeq, getCertIssuer, getCertSerial);
}
- bpid = addRevRequestAttr(bpid, controlSeq, otherMsgSeq, token, tokenName, revCertNickname,
- revRequestIssuer, revRequestSerial, revRequestReason, revRequestSharedSecret,
- revRequestComment, revRequestInvalidityDatePresent, cm);
+ if (dataReturnEnable.equalsIgnoreCase("true")) {
+ if (dataReturnData.length() == 0) {
+ System.out.println("Illegal parameters for data return control");
+ printUsage();
+ System.exit(1);
+ }
+
+ bpid = addDataReturnAttr(bpid, controlSeq, dataReturnData);
+ }
+
+ if (senderNonceEnable.equalsIgnoreCase("true"))
+ bpid = addSenderNonceAttr(bpid, controlSeq, senderNonce);
+
+ if (popLinkWitnessEnable.equalsIgnoreCase("true"))
+ bpid = addPopLinkWitnessAttr(bpid, controlSeq);
+
+ SEQUENCE otherMsgSeq = new SEQUENCE();
+ if (revRequestEnable.equalsIgnoreCase("true")) {
+ if (revRequestIssuer.length() == 0 || revRequestSerial.length() == 0 ||
+ revRequestReason.length() == 0) {
+ System.out.println("Illegal parameters for revRequest control");
+ printUsage();
+ System.exit(1);
+ }
+
+ bpid = addRevRequestAttr(bpid, controlSeq, otherMsgSeq, token, tokenName, revCertNickname,
+ revRequestIssuer, revRequestSerial, revRequestReason, revRequestSharedSecret,
+ revRequestComment, revRequestInvalidityDatePresent, cm);
+ }
+
+ // create the request PKIData
+ pkidata = createPKIData(
+ requests,
+ format, transactionMgtEnable, transactionMgtId,
+ identificationEnable, identification,
+ identityProofEnable, identityProofSharedSecret,
+ identityProofV2Enable, witnessSharedSecret,
+ identityProofV2hashAlg, identityProofV2macAlg,
+ controlSeq, otherMsgSeq, bpid);
+
+ if (pkidata == null) {
+ System.out.println("pkidata null after createPKIData(). Exiting with error");
+ System.exit(1);
+ }
}
- ContentInfo cmcblob = getCMCBlob(signerCert, tokenName, nickname, requests, format,
- cm, transactionMgtEnable, transactionMgtId,
- identificationEnable, identification,
- identityProofEnable, identityProofSharedSecret,
- identityProofV2Enable, identityProofV2SharedSecret,
- identityProofV2hashAlg, identityProofV2macAlg,
- controlSeq, otherMsgSeq, bpid);
+ // sign the request
+ SignedData signedData = signData(signerCert, tokenName, nickname, cm, pkidata);
+ if (signedData == null) {
+ System.out.println("signData() returns null. Exiting with error");
+ System.exit(1);
+ }
+ cmcblob = getCMCBlob(signedData);
+ if (cmcblob == null) {
+ System.out.println("getCMCBlob() returns null. Exiting with error");
+ System.exit(1);
+ }
// (6) Finally, print the actual CMC blob to the
// specified output file
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
index 7bbba8797..4c7493443 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
@@ -34,6 +34,7 @@ import org.mozilla.jss.asn1.SEQUENCE;
import org.mozilla.jss.asn1.SET;
import org.mozilla.jss.pkix.cert.Certificate;
import org.mozilla.jss.pkix.cmc.CMCStatusInfo;
+import org.mozilla.jss.pkix.cmc.EncryptedPOP;
import org.mozilla.jss.pkix.cmc.OtherInfo;
import org.mozilla.jss.pkix.cmc.PendInfo;
import org.mozilla.jss.pkix.cmc.ResponseBody;
@@ -140,12 +141,27 @@ public class CMCResponse {
else if (t == OtherInfo.PEND) {
System.out.println(" OtherInfo type: PEND");
PendInfo pi = oi.getPendInfo();
+ if (pi == null) {
+ System.out.println("PendInfo null...skipping");
+ continue;
+ } else
+ System.out.println("PendInfo present...processing...");
if (pi.getPendTime() != null) {
String datePattern = "dd/MMM/yyyy:HH:mm:ss z";
SimpleDateFormat dateFormat = new SimpleDateFormat(datePattern);
Date d = pi.getPendTime().toDate();
System.out.println(" Date: " + dateFormat.format(d));
}
+ OCTET_STRING pendToken = pi.getPendToken();
+ if (pendToken != null) {
+ byte reqId[] = pendToken.toByteArray();
+ String reqIdString = new String(reqId);
+ System.out.println(" Pending request id: " + reqIdString);
+ } else {
+ System.out.println("pendToken not in response");
+ System.exit(1);
+ }
+
}
} else if (st == CMCStatusInfo.SUCCESS) {
System.out.println(" Status: SUCCESS");
@@ -200,6 +216,16 @@ public class CMCResponse {
s.append(" ");
}
System.out.println(s);
+ } else if (type.equals(OBJECT_IDENTIFIER.id_cmc_encryptedPOP)) {
+ System.out.println("Control #" + i + ": CMC encrypted POP");
+ System.out.println(" OID: " + type.toString());
+ SET encryptedPOPvals = taggedAttr.getValues();
+
+ EncryptedPOP encryptedPOP =
+ (EncryptedPOP) (ASN1Util.decode(EncryptedPOP.getTemplate(),
+ ASN1Util.encode(encryptedPOPvals.elementAt(0))));
+ System.out.println("after encryptedPOP encode");
+
}
}
} catch (Exception e) {
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 5e53bee67..fafe956e7 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -433,6 +433,13 @@ public class CRMFPopClient {
throw new Exception("Unknown algorithm: " + algorithm);
}
+ // print out keyid to be used in cmc decryptPOP
+ PrivateKey privateKey = (PrivateKey) keyPair.getPrivate();
+ @SuppressWarnings("deprecation")
+ byte id[] = privateKey.getUniqueID();
+ String kid = CryptoUtil.byte2string(id);
+ System.out.println("Keypair private key id: " + kid);
+
if (verbose) System.out.println("Creating certificate request");
CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject);
generated by cgit (git 2.34.1) at 2026-01-06 00:25:45 +0000