diff options
Diffstat (limited to 'pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java')
-rw-r--r-- | pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java | 571 |
1 files changed, 300 insertions, 271 deletions
diff --git a/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java b/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java index a65620e9..16406e2a 100644 --- a/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java +++ b/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cmsutil.scep; + import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.CharConversionException; @@ -48,53 +49,70 @@ import org.mozilla.jss.pkix.cert.Certificate; import org.mozilla.jss.pkix.cert.CertificateInfo; import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; -public class CRSPKIMessage { +public class CRSPKIMessage { + // OIDs for authenticated attributes - public static OBJECT_IDENTIFIER CRS_MESSAGETYPE = new OBJECT_IDENTIFIER( - new long[] { 2, 16, 840, 1, 113733, 1, 9, 2 }); - public static OBJECT_IDENTIFIER CRS_PKISTATUS = new OBJECT_IDENTIFIER( - new long[] { 2, 16, 840, 1, 113733, 1, 9, 3 }); - public static OBJECT_IDENTIFIER CRS_FAILINFO = new OBJECT_IDENTIFIER( - new long[] { 2, 16, 840, 1, 113733, 1, 9, 4 }); - public static OBJECT_IDENTIFIER CRS_SENDERNONCE = new OBJECT_IDENTIFIER( - new long[] { 2, 16, 840, 1, 113733, 1, 9, 5 }); - public static OBJECT_IDENTIFIER CRS_RECIPIENTNONCE = new OBJECT_IDENTIFIER( - new long[] { 2, 16, 840, 1, 113733, 1, 9, 6 }); - public static OBJECT_IDENTIFIER CRS_TRANSID = new OBJECT_IDENTIFIER( - new long[] { 2, 16, 840, 1, 113733, 1, 9, 7 }); - public static OBJECT_IDENTIFIER CRS_EXTENSIONREQ = new OBJECT_IDENTIFIER( - new long[] { 2, 16, 840, 1, 113733, 1, 9, 8 }); - + public static OBJECT_IDENTIFIER CRS_MESSAGETYPE = + new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 2} + ); + public static OBJECT_IDENTIFIER CRS_PKISTATUS = + new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 3} + ); + public static OBJECT_IDENTIFIER CRS_FAILINFO = + new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 4} + ); + public static OBJECT_IDENTIFIER CRS_SENDERNONCE = + new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 5} + ); + public static OBJECT_IDENTIFIER CRS_RECIPIENTNONCE = + new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 6} + ); + public static OBJECT_IDENTIFIER CRS_TRANSID = + new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 7} + ); + public static OBJECT_IDENTIFIER CRS_EXTENSIONREQ = + new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 8} + ); + // PKCS9 defined OIDs - public static OBJECT_IDENTIFIER PKCS9_CONTENT_TYPE = new OBJECT_IDENTIFIER( - new long[] { 1, 2, 840, 113549, 1, 9, 3 }); + public static OBJECT_IDENTIFIER PKCS9_CONTENT_TYPE = + new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 1, 9, 3} + ); - public static OBJECT_IDENTIFIER PKCS9_MESSAGE_DIGEST = new OBJECT_IDENTIFIER( - new long[] { 1, 2, 840, 113549, 1, 9, 4 }); + public static OBJECT_IDENTIFIER PKCS9_MESSAGE_DIGEST = + new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 1, 9, 4} + ); /* PKCS 1 - rsaEncryption */ - public static OBJECT_IDENTIFIER RSA_ENCRYPTION = new OBJECT_IDENTIFIER( - new long[] { 1, 2, 840, 113549, 1, 1, 1 }); - - public static OBJECT_IDENTIFIER DES_CBC_ENCRYPTION = new OBJECT_IDENTIFIER( - new long[] { 1, 3, 14, 3, 2, 7 }); - - public static OBJECT_IDENTIFIER DES_EDE3_CBC_ENCRYPTION = new OBJECT_IDENTIFIER( - new long[] { 1, 2, 840, 113549, 3, 7 }); - - public static OBJECT_IDENTIFIER MD5_DIGEST = new OBJECT_IDENTIFIER( - new long[] { 1, 2, 840, 113549, 2, 5 }); - - public static OBJECT_IDENTIFIER SHA1_DIGEST = new OBJECT_IDENTIFIER( - new long[] { 1, 3, 14, 3, 2, 26 }); - - public static OBJECT_IDENTIFIER SHA256_DIGEST = new OBJECT_IDENTIFIER( - new long[] { 2, 16, 840, 1, 101, 3, 4, 2, 1 }); - - public static OBJECT_IDENTIFIER SHA512_DIGEST = new OBJECT_IDENTIFIER( - new long[] { 2, 16, 840, 1, 101, 3, 4, 2, 3 }); + public static OBJECT_IDENTIFIER RSA_ENCRYPTION = + new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 1, 1, 1} + ); + + public static OBJECT_IDENTIFIER DES_CBC_ENCRYPTION = + new OBJECT_IDENTIFIER(new long[] {1, 3, 14, 3, 2, 7} + ); + + public static OBJECT_IDENTIFIER DES_EDE3_CBC_ENCRYPTION = + new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 3, 7} + ); + + public static OBJECT_IDENTIFIER MD5_DIGEST = + new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 2, 5} + ); + + public static OBJECT_IDENTIFIER SHA1_DIGEST = + new OBJECT_IDENTIFIER(new long[] {1, 3, 14, 3, 2, 26} + ); + + public static OBJECT_IDENTIFIER SHA256_DIGEST = + new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 101, 3, 4, 2, 1} + ); + + public static OBJECT_IDENTIFIER SHA512_DIGEST = + new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 101, 3, 4, 2, 3} + ); // Strings given in 'messageType' authenticated attribute public final static String mType_PKCSReq = "19"; @@ -102,12 +120,12 @@ public class CRSPKIMessage { public final static String mType_GetCertInitial = "20"; public final static String mType_GetCert = "21"; public final static String mType_GetCRL = "22"; - + // Strings given in 'PKIStatus' authenticated attribute public final static String mStatus_SUCCESS = "0"; public final static String mStatus_FAILURE = "2"; public final static String mStatus_PENDING = "3"; - + // Strings given in 'failInfo' authenticated attribute public final static String mFailInfo_badAlg = "0"; public final static String mFailInfo_badMessageCheck = "1"; @@ -122,66 +140,65 @@ public class CRSPKIMessage { public final static String mFailInfo_noKeyReuse = "10"; public final static String mFailInfo_internalCAError = "11"; public final static String mFailInfo_tryLater = "12"; - + // ************************************************************************ // These private members represent the flattened structure of the PKIMessage // ************************************************************************ - + // top level is just a ContentInfo - private ContentInfo crsci; + private ContentInfo crsci; // it's content is a signedData - private SignedData sd; + private SignedData sd; // In the signed data, we have: - private int sdv; // Version - private ContentInfo data; // The data to be digested - private EnvelopedData sded; // Enveloped data inside of signed data - private byte[] signerCertBytes; + private int sdv; // Version + private ContentInfo data; // The data to be digested + private EnvelopedData sded; // Enveloped data inside of signed data + private byte[] signerCertBytes; org.mozilla.jss.pkix.cert.Certificate signerCert; - private SET sis; // set of SignerInfos - private SignerInfo si; // First SignerInfo + private SET sis; // set of SignerInfos + private SignerInfo si; // First SignerInfo private AlgorithmIdentifier digestAlgorithmId = null; - private int siv; // Version - private SET aa; // Authenticated Attributes - private SET aa_old; // Authenticated Attributes - private IssuerAndSerialNumber sgnIASN; // Signer's Issuer Name and Serialnum - private OCTET_STRING aa_digest; // digest of the authenticated attrs - - private String messageType; // these are all authenticated attributes - private String failInfo; - private String pkiStatus; - private String transactionID; - private byte[] senderNonce; - private byte[] recipientNonce; + private int siv; // Version + private SET aa; // Authenticated Attributes + private SET aa_old; // Authenticated Attributes + private IssuerAndSerialNumber sgnIASN; // Signer's Issuer Name and Serialnum + private OCTET_STRING aa_digest; // digest of the authenticated attrs + + private String messageType; // these are all authenticated attributes + private String failInfo; + private String pkiStatus; + private String transactionID; + private byte[] senderNonce; + private byte[] recipientNonce; private OCTET_STRING msg_digest; // digest of the message // Inside the sded Enveloped data - private RecipientInfo ri; // First RecipientInfo - private int riv; // Version - private AlgorithmIdentifier riAlgid; // alg that the bulk key is wrapped - // with - private byte[] riKey; // bulk key, wrapped with above algorithm - private byte[] cKey; // * 'clear', unwrapped key (not in ASN.1) * - private IssuerAndSerialNumber rcpIASN; // Recipient's Issuer Name and Serial - // Number + private RecipientInfo ri; // First RecipientInfo + private int riv; // Version + private AlgorithmIdentifier riAlgid; // alg that the bulk key is wrapped with + private byte[] riKey; // bulk key, wrapped with above algorithm + private byte[] cKey; // * 'clear', unwrapped key (not in ASN.1) * + private IssuerAndSerialNumber rcpIASN; // Recipient's Issuer Name and Serial Number private EncryptedContentInfo eci; - private byte[] iv; // initialization vector for above key - private byte[] ec; // encrypted content (P10, in case of request) - private byte[] cc; // * 'clear' content (not in ASN.1) * - private String encryptionAlgorithm = null; + private byte[] iv; // initialization vector for above key + private byte[] ec; // encrypted content (P10, in case of request) + private byte[] cc; // * 'clear' content (not in ASN.1) * + private String encryptionAlgorithm = null; // For the CertRep, the enveloped content is another signed Data: - private SignedData crsd; - private int rsdVersion; - private byte[] rsdCert; // certificate to send in response + private SignedData crsd; + private int rsdVersion; + private byte[] rsdCert; // certificate to send in response + + private Object myP10; - private Object myP10; + private Hashtable attrs; // miscellanous - private Hashtable attrs; // miscellanous + // *** END *** // - // *** END *** // public void debug() { } @@ -194,28 +211,30 @@ public class CRSPKIMessage { return attrs.get(a); } - private SignatureAlgorithm getSignatureAlgorithm(String hashAlgorithm) { + private SignatureAlgorithm getSignatureAlgorithm (String hashAlgorithm) + { SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RSASignatureWithMD5Digest; if (hashAlgorithm != null) { if (hashAlgorithm.equals("SHA1")) { signatureAlgorithm = SignatureAlgorithm.RSASignatureWithSHA1Digest; } else if (hashAlgorithm.equals("SHA256")) { signatureAlgorithm = SignatureAlgorithm.RSASignatureWithSHA256Digest; - } else if (hashAlgorithm.equals("SHA512")) { + } else if (hashAlgorithm.equals("SHA512")) { signatureAlgorithm = SignatureAlgorithm.RSASignatureWithSHA512Digest; } } return signatureAlgorithm; } - private OBJECT_IDENTIFIER getAlgorithmOID(String hashAlgorithm) { + private OBJECT_IDENTIFIER getAlgorithmOID (String hashAlgorithm) + { OBJECT_IDENTIFIER oid = MD5_DIGEST; if (hashAlgorithm != null) { if (hashAlgorithm.equals("SHA1")) { oid = SHA1_DIGEST; } else if (hashAlgorithm.equals("SHA256")) { oid = SHA256_DIGEST; - } else if (hashAlgorithm.equals("SHA512")) { + } else if (hashAlgorithm.equals("SHA512")) { oid = SHA512_DIGEST; } } @@ -223,7 +242,8 @@ public class CRSPKIMessage { } // getHashAlgorithm is added to work around issue 636217 - private String getHashAlgorithm(OBJECT_IDENTIFIER algorithmOID) { + private String getHashAlgorithm (OBJECT_IDENTIFIER algorithmOID) + { String hashAlgorithm = null; OBJECT_IDENTIFIER oid = MD5_DIGEST; if (algorithmOID != null) { @@ -233,7 +253,7 @@ public class CRSPKIMessage { hashAlgorithm = "SHA1"; } else if (algorithmOID.equals(SHA256_DIGEST)) { hashAlgorithm = "SHA256"; - } else if (algorithmOID.equals(SHA512_DIGEST)) { + } else if (algorithmOID.equals(SHA512_DIGEST)) { hashAlgorithm = "SHA512"; } } @@ -242,38 +262,38 @@ public class CRSPKIMessage { // These functions are used to initialize the various blobs - public void makeSignedData(int version, byte[] certificate, - String hashAlgorithm) { + public void makeSignedData(int version, + byte[] certificate, String hashAlgorithm) { try { SET digest_algs = new SET(); - digest_algs.addElement(new AlgorithmIdentifier( - getAlgorithmOID(hashAlgorithm), new NULL())); - - // SET certs = new SET(); - // certs.addElement(new ANY(certificate)); - + digest_algs.addElement(new AlgorithmIdentifier(getAlgorithmOID(hashAlgorithm), new NULL())); + + // SET certs = new SET(); + // certs.addElement(new ANY(certificate)); + SET sis = new SET(); sis.addElement(si); - + ContentInfo data = this.data; - this.sd = new SignedData(digest_algs, data, null, // don't send the - // certs, he - // already has - // them - null, // crl's - sis); + this.sd = new SignedData( + digest_algs, + data, + null, // don't send the certs, he already has them + null, // crl's + sis); } catch (Exception e) { } } - + public byte[] getResponse() throws IOException, InvalidBERException { - crsci = new ContentInfo(ContentInfo.SIGNED_DATA, sd); + crsci = new ContentInfo(ContentInfo.SIGNED_DATA, + sd); return ASN1Util.encode(crsci); @@ -282,35 +302,39 @@ public class CRSPKIMessage { } /* - * public void makeSignerInfo_old(int version, // issuer and serialnumber - * byte[] digest) { - * - * si = new SignerInfo(new INTEGER(version), sgnIASN, // issuer and - * serialnum new AlgorithmIdentifier(MD5_DIGEST, new NULL()), // digest - * algorithm this.aa, // Authenticated Attributes new - * AlgorithmIdentifier(RSA_ENCRYPTION,new NULL()), // digest encryption - * algorithm new OCTET_STRING(digest), // digest null); // unauthenticated - * attributes - * - * } + public void makeSignerInfo_old(int version, + // issuer and serialnumber + byte[] digest) { + + si = new SignerInfo(new INTEGER(version), + sgnIASN, // issuer and serialnum + new AlgorithmIdentifier(MD5_DIGEST, new NULL()), // digest algorithm + this.aa, // Authenticated Attributes + new AlgorithmIdentifier(RSA_ENCRYPTION,new NULL()), // digest encryption algorithm + new OCTET_STRING(digest), // digest + null); // unauthenticated attributes + + } */ public void makeSignerInfo(int version, - // issuer and serialnumber - org.mozilla.jss.crypto.PrivateKey pk, String hashAlgorithm) - throws java.security.NoSuchAlgorithmException, TokenException, + // issuer and serialnumber + org.mozilla.jss.crypto.PrivateKey pk, String hashAlgorithm) + throws java.security.NoSuchAlgorithmException, + TokenException, java.security.InvalidKeyException, - java.security.SignatureException, + java.security.SignatureException, org.mozilla.jss.CryptoManager.NotInitializedException { - si = new SignerInfo(sgnIASN, // issuer and serialnum - this.aa, // Authenticated Attributes - null, // Unauthenticated Attrs - ContentInfo.ENVELOPED_DATA, // content type - msg_digest.toByteArray(), // digest - getSignatureAlgorithm(hashAlgorithm), pk); + si = new SignerInfo(sgnIASN, // issuer and serialnum + this.aa, // Authenticated Attributes + null, // Unauthenticated Attrs + ContentInfo.ENVELOPED_DATA, // content type + msg_digest.toByteArray(), // digest + getSignatureAlgorithm(hashAlgorithm), + pk); } - + public void makeAuthenticatedAttributes() { aa = new SET(); @@ -322,28 +346,28 @@ public class CRSPKIMessage { tidset.addElement((new PrintableString(transactionID))); aa.addElement(new Attribute(CRS_TRANSID, tidset)); } - + if (pkiStatus != null) { SET pkistatusset = new SET(); pkistatusset.addElement(new PrintableString(pkiStatus)); aa.addElement(new Attribute(CRS_PKISTATUS, pkistatusset)); } - + if (messageType != null) { SET aaset = new SET(); aaset.addElement(new PrintableString(messageType)); - aa.addElement(new Attribute(CRS_MESSAGETYPE, aaset)); + aa.addElement(new Attribute(CRS_MESSAGETYPE, aaset)); } if (failInfo != null) { SET fiset = new SET(); fiset.addElement(new PrintableString(failInfo)); - aa.addElement(new Attribute(CRS_FAILINFO, fiset)); + aa.addElement(new Attribute(CRS_FAILINFO, fiset)); } - + if (senderNonce != null) { SET snset = new SET(); @@ -359,27 +383,31 @@ public class CRSPKIMessage { } // XXX sender nonce - + } catch (CharConversionException e) { } } - + public byte[] makeEnvelopedData(int version) { byte[] r; try { - + if (this.ri != null) { ContentInfo ci; SET ris = new SET(); ris.addElement(this.ri); - - this.sded = new EnvelopedData(new INTEGER(version), ris, eci); - - ci = new ContentInfo(ContentInfo.ENVELOPED_DATA, sded); + + this.sded = new EnvelopedData( + new INTEGER(version), + ris, + eci); + + ci = new ContentInfo(ContentInfo.ENVELOPED_DATA, + sded); ByteArrayOutputStream ba = new ByteArrayOutputStream(); ci.encode(ba); @@ -388,11 +416,12 @@ public class CRSPKIMessage { r = new byte[0]; } - this.data = new ContentInfo(ContentInfo.DATA, new OCTET_STRING(r)); + this.data = new ContentInfo(ContentInfo.DATA, + new OCTET_STRING(r)); return r; - // return this.sded.getEncodedContents(); + // return this.sded.getEncodedContents(); } catch (Exception e) { return null; } @@ -403,10 +432,14 @@ public class CRSPKIMessage { this.riv = version; this.riAlgid = new AlgorithmIdentifier(RSA_ENCRYPTION, new NULL()); - this.riKey = riKey; - - this.ri = new RecipientInfo(new INTEGER(this.riv), rcpIASN, - this.riAlgid, new OCTET_STRING(this.riKey)); + this.riKey = riKey; + + this.ri = new RecipientInfo( + new INTEGER(this.riv), + rcpIASN, + this.riAlgid, + new OCTET_STRING(this.riKey) + ); } public void makeEncryptedContentInfo(byte[] iv, byte[] ec, String algorithm) { @@ -418,13 +451,13 @@ public class CRSPKIMessage { if (algorithm != null && algorithm.equals("DES3")) oid = DES_EDE3_CBC_ENCRYPTION; - AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, - new OCTET_STRING(iv)); + AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(iv)); - // eci = - // EncryptedContentInfo.createCRSCompatibleEncryptedContentInfo( - eci = new EncryptedContentInfo(ContentInfo.DATA, aid, - new OCTET_STRING(ec)); + //eci = EncryptedContentInfo.createCRSCompatibleEncryptedContentInfo( + eci = new EncryptedContentInfo(ContentInfo.DATA, + aid, + new OCTET_STRING(ec) + ); } catch (Exception e) { } @@ -436,28 +469,33 @@ public class CRSPKIMessage { try { SET certs = new SET(); ANY cert = new ANY(certificate); - + certs.addElement(cert); - - crsd = new SignedData(new SET(), // empty set of digestAlgorithmID's - new ContentInfo(new OBJECT_IDENTIFIER(new long[] { 1, 2, - 840, 113549, 1, 7, 1 }), null), // empty content - certs, null, // no CRL's - new SET() // empty SignerInfos - ); - ContentInfo wrap = new ContentInfo(ContentInfo.SIGNED_DATA, crsd); + + crsd = new SignedData( + new SET(), // empty set of digestAlgorithmID's + new ContentInfo( + new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 1, 7, 1} + ), + null), //empty content + certs, + null, // no CRL's + new SET() // empty SignerInfos + ); + ContentInfo wrap = new ContentInfo(ContentInfo.SIGNED_DATA, + crsd); ByteArrayOutputStream baos = new ByteArrayOutputStream(); wrap.encode(baos); return baos.toByteArray(); - // return crsd.getEncodedContents(); + // return crsd.getEncodedContents(); } catch (Exception e) { return null; } } - + public String toString() { StringBuffer sb = new StringBuffer(); sb.append("{ messageType="); @@ -469,15 +507,15 @@ public class CRSPKIMessage { sb.append(", transactionID="); sb.append(getTransactionID()); sb.append(", senderNonce="); - sb.append(Arrays.toString(getSenderNonce())); + sb.append( Arrays.toString( getSenderNonce() ) ); sb.append(", recipientNonce="); - sb.append(Arrays.toString(getRecipientNonce())); + sb.append( Arrays.toString( getRecipientNonce() ) ); sb.append(" }"); - + String s = sb.toString(); return s; } - + public String getMessageType() { return messageType; } @@ -521,7 +559,7 @@ public class CRSPKIMessage { public String getDigestAlgorithmName() { String name = null; if (digestAlgorithmId != null) { - name = getHashAlgorithm(digestAlgorithmId.getOID()); + name = getHashAlgorithm(digestAlgorithmId.getOID()); } return name; } @@ -529,13 +567,12 @@ public class CRSPKIMessage { public PublicKey getSignerPublicKey() { try { - org.mozilla.jss.pkix.cert.Certificate.Template ct = new org.mozilla.jss.pkix.cert.Certificate.Template(); - - ByteArrayInputStream bais = new ByteArrayInputStream( - this.signerCertBytes); - - signerCert = (org.mozilla.jss.pkix.cert.Certificate) ct - .decode(bais); + org.mozilla.jss.pkix.cert.Certificate.Template ct = new + org.mozilla.jss.pkix.cert.Certificate.Template(); + + ByteArrayInputStream bais = new ByteArrayInputStream(this.signerCertBytes); + + signerCert = (org.mozilla.jss.pkix.cert.Certificate) ct.decode(bais); return signerCert.getInfo().getSubjectPublicKeyInfo().toPublicKey(); } catch (Exception e) { return null; @@ -554,7 +591,7 @@ public class CRSPKIMessage { } - public void setAA_old(SET auth_attrs) { + public void setAA_old( SET auth_attrs ) { aa_old = auth_attrs; } @@ -574,15 +611,15 @@ public class CRSPKIMessage { public byte[] getAADigest() { return aa_digest.toByteArray(); } - + public Object getP10() { return myP10; } - + public void setP10(Object p10) { myP10 = p10; } - + public void setSgnIssuerAndSerialNumber(IssuerAndSerialNumber iasn) { this.sgnIASN = iasn; } @@ -592,7 +629,7 @@ public class CRSPKIMessage { } public IssuerAndSerialNumber getSgnIssuerAndSerialNumber() { - return this.sgnIASN; + return this.sgnIASN; } public IssuerAndSerialNumber getRcpIssuerAndSerialNumber() { @@ -623,7 +660,8 @@ public class CRSPKIMessage { this.senderNonce = sn; } - // public void setCertificate(byte [] cert) { this.certificate = cert; } + // public void setCertificate(byte [] cert) { this.certificate = cert; } + public void setMsgDigest(byte[] digest) { this.msg_digest = new OCTET_STRING(digest); @@ -635,91 +673,88 @@ public class CRSPKIMessage { public void setPending() { // setIssuerAndSerialNumber(); - + setMessageType(mType_CertRep); setPKIStatus(mStatus_PENDING); }; - + public void setFailure(String failInfo) { setMessageType(mType_CertRep); setPKIStatus(mStatus_FAILURE); setFailInfo(failInfo); } - + // Should add a Certificate to this call public void setSuccess() { setMessageType(mType_CertRep); setPKIStatus(mStatus_SUCCESS); } - + /** - * Gets a byte array which is the der-encoded blob which gets sent back to - * the router. + * Gets a byte array which is the der-encoded blob + * which gets sent back to the router. */ - + public byte[] getEncoded() { - // Assert.assert(messageType != null); - // Assert.assert(pkiStatus != null); - - return new byte[1]; // blagh + //Assert.assert(messageType != null); + //Assert.assert(pkiStatus != null); + + return new byte[1]; // blagh } + - private void decodeCRSPKIMessage(ByteArrayInputStream bais) - throws InvalidBERException, Exception { + private void decodeCRSPKIMessage (ByteArrayInputStream bais) throws InvalidBERException, Exception { org.mozilla.jss.pkcs7.ContentInfo.Template crscit; crscit = new ContentInfo.Template(); crsci = (ContentInfo) crscit.decode(bais); - - if (!ContentInfo.SIGNED_DATA.equals(crsci.getContentType())) { - throw new Exception("ContentType wasn't signed data, it was" - + crsci.getContentType()); + + if (!ContentInfo.SIGNED_DATA.equals(crsci.getContentType())) { + throw new Exception("ContentType wasn't signed data, it was" + crsci.getContentType()); } - - // Now that we know that the contentInfo is a SignedData, we can decode - // it + + // Now that we know that the contentInfo is a SignedData, we can decode it SignedData.Template sdt = new SignedData.Template(); - - sd = (SignedData) sdt.decode(new ByteArrayInputStream(((ANY) crsci - .getContent()).getEncoded())); + + sd = (SignedData) sdt.decode( + new ByteArrayInputStream( + ((ANY) crsci.getContent()).getEncoded() + )); this.decodeSD(); } public CRSPKIMessage() { attrs = new Hashtable(); } - - public CRSPKIMessage(ByteArrayInputStream bais) throws InvalidBERException, - Exception { + + public CRSPKIMessage (ByteArrayInputStream bais) throws InvalidBERException, Exception { attrs = new Hashtable(); decodeCRSPKIMessage(bais); } private void decodeSD() throws Exception { - ContentInfo sdci; + ContentInfo sdci; sis = sd.getSignerInfos(); - + decodeSI(); sdci = sd.getContentInfo(); - + // HACK to work with CRS ANY a = (ANY) sdci.getContent(); ByteArrayInputStream s = new ByteArrayInputStream(a.getEncoded()); - OCTET_STRING os = (OCTET_STRING) (new OCTET_STRING.Template()) - .decode(s); - + OCTET_STRING os = (OCTET_STRING) (new OCTET_STRING.Template()).decode(s); + ByteArrayInputStream s2 = new ByteArrayInputStream(os.toByteArray()); ContentInfo ci = (ContentInfo) (new ContentInfo.Template()).decode(s2); - ByteArrayInputStream s3 = new ByteArrayInputStream( - ((ANY) ci.getContent()).getEncoded()); - + ByteArrayInputStream s3 = new ByteArrayInputStream(((ANY) ci.getContent()).getEncoded()); + EnvelopedData.Template edt = new EnvelopedData.Template(); sded = (EnvelopedData) edt.decode(s3); - + SET signerCerts = (SET) sd.getCertificates(); Certificate firstCert = (Certificate) signerCerts.elementAt(0); @@ -728,11 +763,11 @@ public class CRSPKIMessage { CertificateInfo firstCertInfo = firstCert.getInfo(); sgnIASN = new IssuerAndSerialNumber(firstCertInfo.getIssuer(), - firstCertInfo.getSerialNumber()); - + firstCertInfo.getSerialNumber()); + decodeED(); } - + private void decodeSI() throws Exception { if (sis.size() == 0) { throw new Exception("SignerInfos is empty"); @@ -745,51 +780,51 @@ public class CRSPKIMessage { aa_digest = new OCTET_STRING(si.getEncryptedDigest()); } - + private void decodeED() throws Exception { SET ris; ris = (SET) sded.getRecipientInfos(); - + if (ris.size() == 0) { throw new Exception("RecipientInfos is empty"); } ri = (RecipientInfo) ris.elementAt(0); eci = sded.getEncryptedContentInfo(); - if (eci.getContentEncryptionAlgorithm().getOID() - .equals(DES_EDE3_CBC_ENCRYPTION)) { + if (eci.getContentEncryptionAlgorithm().getOID().equals(DES_EDE3_CBC_ENCRYPTION)) { encryptionAlgorithm = "DES3"; - } else if (eci.getContentEncryptionAlgorithm().getOID() - .equals(DES_CBC_ENCRYPTION)) { + } else if (eci.getContentEncryptionAlgorithm().getOID().equals(DES_CBC_ENCRYPTION)) { encryptionAlgorithm = "DES"; } else { - throw new Exception( - "P10 encrypted alg is not supported (not DES): " - + eci.getContentEncryptionAlgorithm().getOID()); + throw new Exception("P10 encrypted alg is not supported (not DES): " + eci.getContentEncryptionAlgorithm().getOID()); } - + ec = eci.getEncryptedContent().toByteArray(); OCTET_STRING.Template ost = new OCTET_STRING.Template(); - - OCTET_STRING os = (OCTET_STRING) ost.decode(new ByteArrayInputStream( - ((ANY) eci.getContentEncryptionAlgorithm().getParameters()) - .getEncoded())); + + OCTET_STRING os = (OCTET_STRING) + ost.decode(new ByteArrayInputStream( + ((ANY) eci.getContentEncryptionAlgorithm().getParameters()).getEncoded() + ) + ); iv = os.toByteArray(); decodeRI(); } - + /** - * The PKCS10 request is encrypt with a symmetric key. This key in turn is - * encrypted with the RSA key in the CA certificate. - * - * riAlgid is the algorithm the symm key is encrypted with. It had better be - * RSA riKey is the encrypted symmetric key + * The PKCS10 request is encrypt with a symmetric key. + * This key in turn is encrypted with the RSA key in the + * CA certificate. + * + * riAlgid is the algorithm the symm key is encrypted with. It had + * better be RSA + * riKey is the encrypted symmetric key */ - + private void decodeRI() throws Exception { // really should get issuer and serial number of our RI, as this @@ -797,19 +832,18 @@ public class CRSPKIMessage { // going to assume that the key is the Signing cert for the server. riAlgid = ri.getKeyEncryptionAlgorithmID(); - + if (!riAlgid.getOID().equals(RSA_ENCRYPTION)) { - throw new Exception( - "Request is protected by a key which we can't decrypt"); + throw new Exception("Request is protected by a key which we can't decrypt"); } - + riKey = ri.getEncryptedKey().toByteArray(); - + } - + private void decodeAA() throws InvalidBERException, IOException { aa = si.getAuthenticatedAttributes(); - + int count; for (count = 0; count < aa.size(); count++) { @@ -819,48 +853,42 @@ public class CRSPKIMessage { PrintableString ps; PrintableString.Template pst = new PrintableString.Template(); OCTET_STRING.Template ost = new OCTET_STRING.Template(); - + OBJECT_IDENTIFIER oid = a.getType(); if (oid.equals(CRS_MESSAGETYPE)) { - ps = (PrintableString) pst.decode(new ByteArrayInputStream(f - .getEncoded())); + ps = (PrintableString) pst.decode(new ByteArrayInputStream(f.getEncoded())); // We make a new string here messageType = ps.toString(); - + } else if (oid.equals(CRS_PKISTATUS)) { - ps = (PrintableString) pst.decode(new ByteArrayInputStream(f - .getEncoded())); - pkiStatus = new String(ps.toString()); + ps = (PrintableString) pst.decode(new ByteArrayInputStream(f.getEncoded())); + pkiStatus = new String (ps.toString()); } else if (oid.equals(CRS_FAILINFO)) { - ps = (PrintableString) pst.decode(new ByteArrayInputStream(f - .getEncoded())); - failInfo = new String(ps.toString()); + ps = (PrintableString) pst.decode(new ByteArrayInputStream(f.getEncoded())); + failInfo = new String (ps.toString()); } else if (oid.equals(CRS_SENDERNONCE)) { - OCTET_STRING oss = (OCTET_STRING) ost - .decode(new ByteArrayInputStream(f.getEncoded())); + OCTET_STRING oss = (OCTET_STRING) ost.decode(new ByteArrayInputStream(f.getEncoded())); senderNonce = oss.toByteArray(); } else if (oid.equals(CRS_RECIPIENTNONCE)) { - OCTET_STRING osr = (OCTET_STRING) ost - .decode(new ByteArrayInputStream(f.getEncoded())); + OCTET_STRING osr = (OCTET_STRING) ost.decode(new ByteArrayInputStream(f.getEncoded())); recipientNonce = osr.toByteArray(); } else if (oid.equals(CRS_TRANSID)) { - ps = (PrintableString) pst.decode(new ByteArrayInputStream(f - .getEncoded())); - transactionID = new String(ps.toString()); + ps = (PrintableString) pst.decode(new ByteArrayInputStream(f.getEncoded())); + transactionID = new String (ps.toString()); } - + } - - } // end of decodeAA(); - + + } // end of decodeAA(); + public String getMessageTypeString() { if (messageType == null) { return null; } - + if (messageType.equals(mType_PKCSReq)) { return "PKCSReq"; } @@ -877,7 +905,8 @@ public class CRSPKIMessage { return "GetCRL"; } // messageType should match one of the above - // Assert.assert(false); + //Assert.assert(false); return null; } -} +} + |