Diffstat (limited to 'pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java')
-rw-r--r--pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java571
1 files changed, 271 insertions, 300 deletions
diff --git a/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java b/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java
index 16406e2a..a65620e9 100644
--- a/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java
+++ b/pki/base/util/src/com/netscape/cmsutil/scep/CRSPKIMessage.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cmsutil.scep;
-
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.CharConversionException;
@@ -49,70 +48,53 @@ import org.mozilla.jss.pkix.cert.Certificate;
import org.mozilla.jss.pkix.cert.CertificateInfo;
import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
-
public class CRSPKIMessage {
-
+
// OIDs for authenticated attributes
- public static OBJECT_IDENTIFIER CRS_MESSAGETYPE =
- new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 2}
- );
- public static OBJECT_IDENTIFIER CRS_PKISTATUS =
- new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 3}
- );
- public static OBJECT_IDENTIFIER CRS_FAILINFO =
- new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 4}
- );
- public static OBJECT_IDENTIFIER CRS_SENDERNONCE =
- new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 5}
- );
- public static OBJECT_IDENTIFIER CRS_RECIPIENTNONCE =
- new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 6}
- );
- public static OBJECT_IDENTIFIER CRS_TRANSID =
- new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 7}
- );
- public static OBJECT_IDENTIFIER CRS_EXTENSIONREQ =
- new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 113733, 1, 9, 8}
- );
-
+ public static OBJECT_IDENTIFIER CRS_MESSAGETYPE = new OBJECT_IDENTIFIER(
+ new long[] { 2, 16, 840, 1, 113733, 1, 9, 2 });
+ public static OBJECT_IDENTIFIER CRS_PKISTATUS = new OBJECT_IDENTIFIER(
+ new long[] { 2, 16, 840, 1, 113733, 1, 9, 3 });
+ public static OBJECT_IDENTIFIER CRS_FAILINFO = new OBJECT_IDENTIFIER(
+ new long[] { 2, 16, 840, 1, 113733, 1, 9, 4 });
+ public static OBJECT_IDENTIFIER CRS_SENDERNONCE = new OBJECT_IDENTIFIER(
+ new long[] { 2, 16, 840, 1, 113733, 1, 9, 5 });
+ public static OBJECT_IDENTIFIER CRS_RECIPIENTNONCE = new OBJECT_IDENTIFIER(
+ new long[] { 2, 16, 840, 1, 113733, 1, 9, 6 });
+ public static OBJECT_IDENTIFIER CRS_TRANSID = new OBJECT_IDENTIFIER(
+ new long[] { 2, 16, 840, 1, 113733, 1, 9, 7 });
+ public static OBJECT_IDENTIFIER CRS_EXTENSIONREQ = new OBJECT_IDENTIFIER(
+ new long[] { 2, 16, 840, 1, 113733, 1, 9, 8 });
+
// PKCS9 defined OIDs
- public static OBJECT_IDENTIFIER PKCS9_CONTENT_TYPE =
- new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 1, 9, 3}
- );
+ public static OBJECT_IDENTIFIER PKCS9_CONTENT_TYPE = new OBJECT_IDENTIFIER(
+ new long[] { 1, 2, 840, 113549, 1, 9, 3 });
- public static OBJECT_IDENTIFIER PKCS9_MESSAGE_DIGEST =
- new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 1, 9, 4}
- );
+ public static OBJECT_IDENTIFIER PKCS9_MESSAGE_DIGEST = new OBJECT_IDENTIFIER(
+ new long[] { 1, 2, 840, 113549, 1, 9, 4 });
/* PKCS 1 - rsaEncryption */
- public static OBJECT_IDENTIFIER RSA_ENCRYPTION =
- new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 1, 1, 1}
- );
-
- public static OBJECT_IDENTIFIER DES_CBC_ENCRYPTION =
- new OBJECT_IDENTIFIER(new long[] {1, 3, 14, 3, 2, 7}
- );
-
- public static OBJECT_IDENTIFIER DES_EDE3_CBC_ENCRYPTION =
- new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 3, 7}
- );
-
- public static OBJECT_IDENTIFIER MD5_DIGEST =
- new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 2, 5}
- );
-
- public static OBJECT_IDENTIFIER SHA1_DIGEST =
- new OBJECT_IDENTIFIER(new long[] {1, 3, 14, 3, 2, 26}
- );
-
- public static OBJECT_IDENTIFIER SHA256_DIGEST =
- new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 101, 3, 4, 2, 1}
- );
-
- public static OBJECT_IDENTIFIER SHA512_DIGEST =
- new OBJECT_IDENTIFIER(new long[] {2, 16, 840, 1, 101, 3, 4, 2, 3}
- );
+ public static OBJECT_IDENTIFIER RSA_ENCRYPTION = new OBJECT_IDENTIFIER(
+ new long[] { 1, 2, 840, 113549, 1, 1, 1 });
+
+ public static OBJECT_IDENTIFIER DES_CBC_ENCRYPTION = new OBJECT_IDENTIFIER(
+ new long[] { 1, 3, 14, 3, 2, 7 });
+
+ public static OBJECT_IDENTIFIER DES_EDE3_CBC_ENCRYPTION = new OBJECT_IDENTIFIER(
+ new long[] { 1, 2, 840, 113549, 3, 7 });
+
+ public static OBJECT_IDENTIFIER MD5_DIGEST = new OBJECT_IDENTIFIER(
+ new long[] { 1, 2, 840, 113549, 2, 5 });
+
+ public static OBJECT_IDENTIFIER SHA1_DIGEST = new OBJECT_IDENTIFIER(
+ new long[] { 1, 3, 14, 3, 2, 26 });
+
+ public static OBJECT_IDENTIFIER SHA256_DIGEST = new OBJECT_IDENTIFIER(
+ new long[] { 2, 16, 840, 1, 101, 3, 4, 2, 1 });
+
+ public static OBJECT_IDENTIFIER SHA512_DIGEST = new OBJECT_IDENTIFIER(
+ new long[] { 2, 16, 840, 1, 101, 3, 4, 2, 3 });
// Strings given in 'messageType' authenticated attribute
public final static String mType_PKCSReq = "19";
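Review bot: The OID constants rewrapped in this hunk (CRS_MESSAGETYPE through SHA512_DIGEST) are `public static` but not `final`, so any code in the JVM can reassign them. Since decoding and encoding compare against these fields, a reassignment would change which attributes and algorithms the class recognises. The message-type strings just below are already `public final static`, so the same should apply here, e.g. `public static final OBJECT_IDENTIFIER CRS_MESSAGETYPE = new OBJECT_IDENTIFIER(new long[] { 2, 16, 840, 1, 113733, 1, 9, 2 });`.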
@@ -120,12 +102,12 @@ public class CRSPKIMessage {
public final static String mType_GetCertInitial = "20";
public final static String mType_GetCert = "21";
public final static String mType_GetCRL = "22";
-
+
// Strings given in 'PKIStatus' authenticated attribute
public final static String mStatus_SUCCESS = "0";
public final static String mStatus_FAILURE = "2";
public final static String mStatus_PENDING = "3";
-
+
// Strings given in 'failInfo' authenticated attribute
public final static String mFailInfo_badAlg = "0";
public final static String mFailInfo_badMessageCheck = "1";
@@ -140,65 +122,66 @@ public class CRSPKIMessage {
public final static String mFailInfo_noKeyReuse = "10";
public final static String mFailInfo_internalCAError = "11";
public final static String mFailInfo_tryLater = "12";
-
+
// ************************************************************************
// These private members represent the flattened structure of the PKIMessage
// ************************************************************************
-
+
// top level is just a ContentInfo
- private ContentInfo crsci;
+ private ContentInfo crsci;
// it's content is a signedData
- private SignedData sd;
+ private SignedData sd;
// In the signed data, we have:
- private int sdv; // Version
- private ContentInfo data; // The data to be digested
- private EnvelopedData sded; // Enveloped data inside of signed data
- private byte[] signerCertBytes;
+ private int sdv; // Version
+ private ContentInfo data; // The data to be digested
+ private EnvelopedData sded; // Enveloped data inside of signed data
+ private byte[] signerCertBytes;
org.mozilla.jss.pkix.cert.Certificate signerCert;
- private SET sis; // set of SignerInfos
- private SignerInfo si; // First SignerInfo
+ private SET sis; // set of SignerInfos
+ private SignerInfo si; // First SignerInfo
private AlgorithmIdentifier digestAlgorithmId = null;
- private int siv; // Version
- private SET aa; // Authenticated Attributes
- private SET aa_old; // Authenticated Attributes
- private IssuerAndSerialNumber sgnIASN; // Signer's Issuer Name and Serialnum
- private OCTET_STRING aa_digest; // digest of the authenticated attrs
-
- private String messageType; // these are all authenticated attributes
- private String failInfo;
- private String pkiStatus;
- private String transactionID;
- private byte[] senderNonce;
- private byte[] recipientNonce;
+ private int siv; // Version
+ private SET aa; // Authenticated Attributes
+ private SET aa_old; // Authenticated Attributes
+ private IssuerAndSerialNumber sgnIASN; // Signer's Issuer Name and Serialnum
+ private OCTET_STRING aa_digest; // digest of the authenticated attrs
+
+ private String messageType; // these are all authenticated attributes
+ private String failInfo;
+ private String pkiStatus;
+ private String transactionID;
+ private byte[] senderNonce;
+ private byte[] recipientNonce;
private OCTET_STRING msg_digest; // digest of the message
// Inside the sded Enveloped data
- private RecipientInfo ri; // First RecipientInfo
- private int riv; // Version
- private AlgorithmIdentifier riAlgid; // alg that the bulk key is wrapped with
- private byte[] riKey; // bulk key, wrapped with above algorithm
- private byte[] cKey; // * 'clear', unwrapped key (not in ASN.1) *
- private IssuerAndSerialNumber rcpIASN; // Recipient's Issuer Name and Serial Number
+ private RecipientInfo ri; // First RecipientInfo
+ private int riv; // Version
+ private AlgorithmIdentifier riAlgid; // alg that the bulk key is wrapped
+ // with
+ private byte[] riKey; // bulk key, wrapped with above algorithm
+ private byte[] cKey; // * 'clear', unwrapped key (not in ASN.1) *
+ private IssuerAndSerialNumber rcpIASN; // Recipient's Issuer Name and Serial
+ // Number
private EncryptedContentInfo eci;
- private byte[] iv; // initialization vector for above key
- private byte[] ec; // encrypted content (P10, in case of request)
- private byte[] cc; // * 'clear' content (not in ASN.1) *
- private String encryptionAlgorithm = null;
+ private byte[] iv; // initialization vector for above key
+ private byte[] ec; // encrypted content (P10, in case of request)
+ private byte[] cc; // * 'clear' content (not in ASN.1) *
+ private String encryptionAlgorithm = null;
// For the CertRep, the enveloped content is another signed Data:
- private SignedData crsd;
- private int rsdVersion;
- private byte[] rsdCert; // certificate to send in response
-
- private Object myP10;
+ private SignedData crsd;
+ private int rsdVersion;
+ private byte[] rsdCert; // certificate to send in response
- private Hashtable attrs; // miscellanous
+ private Object myP10;
- // *** END *** //
+ private Hashtable attrs; // miscellanous
+ // *** END *** //
public void debug() {
}
@@ -211,30 +194,28 @@ public class CRSPKIMessage {
return attrs.get(a);
}
- private SignatureAlgorithm getSignatureAlgorithm (String hashAlgorithm)
- {
+ private SignatureAlgorithm getSignatureAlgorithm(String hashAlgorithm) {
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RSASignatureWithMD5Digest;
if (hashAlgorithm != null) {
if (hashAlgorithm.equals("SHA1")) {
signatureAlgorithm = SignatureAlgorithm.RSASignatureWithSHA1Digest;
} else if (hashAlgorithm.equals("SHA256")) {
signatureAlgorithm = SignatureAlgorithm.RSASignatureWithSHA256Digest;
- } else if (hashAlgorithm.equals("SHA512")) {
+ } else if (hashAlgorithm.equals("SHA512")) {
signatureAlgorithm = SignatureAlgorithm.RSASignatureWithSHA512Digest;
}
}
return signatureAlgorithm;
}
- private OBJECT_IDENTIFIER getAlgorithmOID (String hashAlgorithm)
- {
+ private OBJECT_IDENTIFIER getAlgorithmOID(String hashAlgorithm) {
OBJECT_IDENTIFIER oid = MD5_DIGEST;
if (hashAlgorithm != null) {
if (hashAlgorithm.equals("SHA1")) {
oid = SHA1_DIGEST;
} else if (hashAlgorithm.equals("SHA256")) {
oid = SHA256_DIGEST;
- } else if (hashAlgorithm.equals("SHA512")) {
+ } else if (hashAlgorithm.equals("SHA512")) {
oid = SHA512_DIGEST;
}
}
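Review bot: getSignatureAlgorithm and getAlgorithmOID both start from the MD5 value and only override it for "SHA1", "SHA256" and "SHA512", so a null, misspelled or unsupported `hashAlgorithm` silently yields an MD5-based signature and digest OID. If callers rely on null meaning MD5, that case can stay, but an unrecognised non-null name should be rejected, for example by ending each chain with `} else if (!hashAlgorithm.equals("MD5")) { throw new IllegalArgumentException("Unsupported hash algorithm: " + hashAlgorithm); }`. At minimum, a comment on both methods should state that MD5 is the fallback and why. getAlgorithmOID's body continues past the end of this hunk.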
@@ -242,8 +223,7 @@ public class CRSPKIMessage {
}
// getHashAlgorithm is added to work around issue 636217
- private String getHashAlgorithm (OBJECT_IDENTIFIER algorithmOID)
- {
+ private String getHashAlgorithm(OBJECT_IDENTIFIER algorithmOID) {
String hashAlgorithm = null;
OBJECT_IDENTIFIER oid = MD5_DIGEST;
if (algorithmOID != null) {
@@ -253,7 +233,7 @@ public class CRSPKIMessage {
hashAlgorithm = "SHA1";
} else if (algorithmOID.equals(SHA256_DIGEST)) {
hashAlgorithm = "SHA256";
- } else if (algorithmOID.equals(SHA512_DIGEST)) {
+ } else if (algorithmOID.equals(SHA512_DIGEST)) {
hashAlgorithm = "SHA512";
}
}
@@ -262,38 +242,38 @@ public class CRSPKIMessage {
// These functions are used to initialize the various blobs
- public void makeSignedData(int version,
- byte[] certificate, String hashAlgorithm) {
+ public void makeSignedData(int version, byte[] certificate,
+ String hashAlgorithm) {
try {
SET digest_algs = new SET();
- digest_algs.addElement(new AlgorithmIdentifier(getAlgorithmOID(hashAlgorithm), new NULL()));
-
- // SET certs = new SET();
- // certs.addElement(new ANY(certificate));
-
+ digest_algs.addElement(new AlgorithmIdentifier(
+ getAlgorithmOID(hashAlgorithm), new NULL()));
+
+ // SET certs = new SET();
+ // certs.addElement(new ANY(certificate));
+
SET sis = new SET();
sis.addElement(si);
-
+
ContentInfo data = this.data;
- this.sd = new SignedData(
- digest_algs,
- data,
- null, // don't send the certs, he already has them
- null, // crl's
- sis);
+ this.sd = new SignedData(digest_algs, data, null, // don't send the
+ // certs, he
+ // already has
+ // them
+ null, // crl's
+ sis);
} catch (Exception e) {
}
}
-
+
public byte[] getResponse() throws IOException, InvalidBERException {
- crsci = new ContentInfo(ContentInfo.SIGNED_DATA,
- sd);
+ crsci = new ContentInfo(ContentInfo.SIGNED_DATA, sd);
return ASN1Util.encode(crsci);
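Review bot: The empty `catch (Exception e) { }` in makeSignedData discards every failure, leaving `this.sd` unset, and getResponse() then wraps whatever `sd` holds in a ContentInfo with no trace of the original error. The same swallow-or-return-null pattern appears in other hunks of this diff: the `catch (CharConversionException e)` in makeAuthenticatedAttributes, makeEncryptedContentInfo, makeEnvelopedData, the certificate-wrapping method that builds `crsd`, and getSignerPublicKey. I would propagate the failure, e.g. `throw new IllegalStateException("cannot build SignedData", e);`, or at least log it. The `version` and `certificate` parameters are also not used in the lines shown. Separately, the formatter split the `// don't send the certs, he already has them` comment across four lines; it reads better on its own line above the `null` argument.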
@@ -302,39 +282,35 @@ public class CRSPKIMessage {
}
/*
- public void makeSignerInfo_old(int version,
- // issuer and serialnumber
- byte[] digest) {
-
- si = new SignerInfo(new INTEGER(version),
- sgnIASN, // issuer and serialnum
- new AlgorithmIdentifier(MD5_DIGEST, new NULL()), // digest algorithm
- this.aa, // Authenticated Attributes
- new AlgorithmIdentifier(RSA_ENCRYPTION,new NULL()), // digest encryption algorithm
- new OCTET_STRING(digest), // digest
- null); // unauthenticated attributes
-
- }
+ * public void makeSignerInfo_old(int version, // issuer and serialnumber
+ * byte[] digest) {
+ *
+ * si = new SignerInfo(new INTEGER(version), sgnIASN, // issuer and
+ * serialnum new AlgorithmIdentifier(MD5_DIGEST, new NULL()), // digest
+ * algorithm this.aa, // Authenticated Attributes new
+ * AlgorithmIdentifier(RSA_ENCRYPTION,new NULL()), // digest encryption
+ * algorithm new OCTET_STRING(digest), // digest null); // unauthenticated
+ * attributes
+ *
+ * }
*/
public void makeSignerInfo(int version,
- // issuer and serialnumber
- org.mozilla.jss.crypto.PrivateKey pk, String hashAlgorithm)
- throws java.security.NoSuchAlgorithmException,
- TokenException,
+ // issuer and serialnumber
+ org.mozilla.jss.crypto.PrivateKey pk, String hashAlgorithm)
+ throws java.security.NoSuchAlgorithmException, TokenException,
java.security.InvalidKeyException,
- java.security.SignatureException,
+ java.security.SignatureException,
org.mozilla.jss.CryptoManager.NotInitializedException {
- si = new SignerInfo(sgnIASN, // issuer and serialnum
- this.aa, // Authenticated Attributes
- null, // Unauthenticated Attrs
- ContentInfo.ENVELOPED_DATA, // content type
- msg_digest.toByteArray(), // digest
- getSignatureAlgorithm(hashAlgorithm),
- pk);
+ si = new SignerInfo(sgnIASN, // issuer and serialnum
+ this.aa, // Authenticated Attributes
+ null, // Unauthenticated Attrs
+ ContentInfo.ENVELOPED_DATA, // content type
+ msg_digest.toByteArray(), // digest
+ getSignatureAlgorithm(hashAlgorithm), pk);
}
-
+
public void makeAuthenticatedAttributes() {
aa = new SET();
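Review bot: The block comment holding the old makeSignerInfo_old body was reflowed as prose, so its trailing `//` comments are now merged into the statements and it can no longer be read or restored as code. It is dead code that hard-wires `MD5_DIGEST`, so I would delete the whole comment rather than keep a garbled copy, since version control retains the original. In makeSignerInfo the `// issuer and serialnumber` line sits between parameters without describing either, and `version` is not used in the visible body. A short Javadoc saying that `sgnIASN`, `aa` and `msg_digest` must be set before the call would be more useful. makeAuthenticatedAttributes continues beyond this hunk.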
@@ -346,28 +322,28 @@ public class CRSPKIMessage {
tidset.addElement((new PrintableString(transactionID)));
aa.addElement(new Attribute(CRS_TRANSID, tidset));
}
-
+
if (pkiStatus != null) {
SET pkistatusset = new SET();
pkistatusset.addElement(new PrintableString(pkiStatus));
aa.addElement(new Attribute(CRS_PKISTATUS, pkistatusset));
}
-
+
if (messageType != null) {
SET aaset = new SET();
aaset.addElement(new PrintableString(messageType));
- aa.addElement(new Attribute(CRS_MESSAGETYPE, aaset));
+ aa.addElement(new Attribute(CRS_MESSAGETYPE, aaset));
}
if (failInfo != null) {
SET fiset = new SET();
fiset.addElement(new PrintableString(failInfo));
- aa.addElement(new Attribute(CRS_FAILINFO, fiset));
+ aa.addElement(new Attribute(CRS_FAILINFO, fiset));
}
-
+
if (senderNonce != null) {
SET snset = new SET();
@@ -383,31 +359,27 @@ public class CRSPKIMessage {
}
// XXX sender nonce
-
+
} catch (CharConversionException e) {
}
}
-
+
public byte[] makeEnvelopedData(int version) {
byte[] r;
try {
-
+
if (this.ri != null) {
ContentInfo ci;
SET ris = new SET();
ris.addElement(this.ri);
-
- this.sded = new EnvelopedData(
- new INTEGER(version),
- ris,
- eci);
-
- ci = new ContentInfo(ContentInfo.ENVELOPED_DATA,
- sded);
+
+ this.sded = new EnvelopedData(new INTEGER(version), ris, eci);
+
+ ci = new ContentInfo(ContentInfo.ENVELOPED_DATA, sded);
ByteArrayOutputStream ba = new ByteArrayOutputStream();
ci.encode(ba);
@@ -416,12 +388,11 @@ public class CRSPKIMessage {
r = new byte[0];
}
- this.data = new ContentInfo(ContentInfo.DATA,
- new OCTET_STRING(r));
+ this.data = new ContentInfo(ContentInfo.DATA, new OCTET_STRING(r));
return r;
- // return this.sded.getEncodedContents();
+ // return this.sded.getEncodedContents();
} catch (Exception e) {
return null;
}
@@ -432,14 +403,10 @@ public class CRSPKIMessage {
this.riv = version;
this.riAlgid = new AlgorithmIdentifier(RSA_ENCRYPTION, new NULL());
- this.riKey = riKey;
-
- this.ri = new RecipientInfo(
- new INTEGER(this.riv),
- rcpIASN,
- this.riAlgid,
- new OCTET_STRING(this.riKey)
- );
+ this.riKey = riKey;
+
+ this.ri = new RecipientInfo(new INTEGER(this.riv), rcpIASN,
+ this.riAlgid, new OCTET_STRING(this.riKey));
}
public void makeEncryptedContentInfo(byte[] iv, byte[] ec, String algorithm) {
@@ -451,13 +418,13 @@ public class CRSPKIMessage {
if (algorithm != null && algorithm.equals("DES3"))
oid = DES_EDE3_CBC_ENCRYPTION;
- AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(iv));
+ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid,
+ new OCTET_STRING(iv));
- //eci = EncryptedContentInfo.createCRSCompatibleEncryptedContentInfo(
- eci = new EncryptedContentInfo(ContentInfo.DATA,
- aid,
- new OCTET_STRING(ec)
- );
+ // eci =
+ // EncryptedContentInfo.createCRSCompatibleEncryptedContentInfo(
+ eci = new EncryptedContentInfo(ContentInfo.DATA, aid,
+ new OCTET_STRING(ec));
} catch (Exception e) {
}
@@ -469,33 +436,28 @@ public class CRSPKIMessage {
try {
SET certs = new SET();
ANY cert = new ANY(certificate);
-
+
certs.addElement(cert);
-
- crsd = new SignedData(
- new SET(), // empty set of digestAlgorithmID's
- new ContentInfo(
- new OBJECT_IDENTIFIER(new long[] {1, 2, 840, 113549, 1, 7, 1}
- ),
- null), //empty content
- certs,
- null, // no CRL's
- new SET() // empty SignerInfos
- );
- ContentInfo wrap = new ContentInfo(ContentInfo.SIGNED_DATA,
- crsd);
+
+ crsd = new SignedData(new SET(), // empty set of digestAlgorithmID's
+ new ContentInfo(new OBJECT_IDENTIFIER(new long[] { 1, 2,
+ 840, 113549, 1, 7, 1 }), null), // empty content
+ certs, null, // no CRL's
+ new SET() // empty SignerInfos
+ );
+ ContentInfo wrap = new ContentInfo(ContentInfo.SIGNED_DATA, crsd);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
wrap.encode(baos);
return baos.toByteArray();
- // return crsd.getEncodedContents();
+ // return crsd.getEncodedContents();
} catch (Exception e) {
return null;
}
}
-
+
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("{ messageType=");
@@ -507,15 +469,15 @@ public class CRSPKIMessage {
sb.append(", transactionID=");
sb.append(getTransactionID());
sb.append(", senderNonce=");
- sb.append( Arrays.toString( getSenderNonce() ) );
+ sb.append(Arrays.toString(getSenderNonce()));
sb.append(", recipientNonce=");
- sb.append( Arrays.toString( getRecipientNonce() ) );
+ sb.append(Arrays.toString(getRecipientNonce()));
sb.append(" }");
-
+
String s = sb.toString();
return s;
}
-
+
public String getMessageType() {
return messageType;
}
@@ -559,7 +521,7 @@ public class CRSPKIMessage {
public String getDigestAlgorithmName() {
String name = null;
if (digestAlgorithmId != null) {
- name = getHashAlgorithm(digestAlgorithmId.getOID());
+ name = getHashAlgorithm(digestAlgorithmId.getOID());
}
return name;
}
@@ -567,12 +529,13 @@ public class CRSPKIMessage {
public PublicKey getSignerPublicKey() {
try {
- org.mozilla.jss.pkix.cert.Certificate.Template ct = new
- org.mozilla.jss.pkix.cert.Certificate.Template();
-
- ByteArrayInputStream bais = new ByteArrayInputStream(this.signerCertBytes);
-
- signerCert = (org.mozilla.jss.pkix.cert.Certificate) ct.decode(bais);
+ org.mozilla.jss.pkix.cert.Certificate.Template ct = new org.mozilla.jss.pkix.cert.Certificate.Template();
+
+ ByteArrayInputStream bais = new ByteArrayInputStream(
+ this.signerCertBytes);
+
+ signerCert = (org.mozilla.jss.pkix.cert.Certificate) ct
+ .decode(bais);
return signerCert.getInfo().getSubjectPublicKeyInfo().toPublicKey();
} catch (Exception e) {
return null;
@@ -591,7 +554,7 @@ public class CRSPKIMessage {
}
- public void setAA_old( SET auth_attrs ) {
+ public void setAA_old(SET auth_attrs) {
aa_old = auth_attrs;
}
@@ -611,15 +574,15 @@ public class CRSPKIMessage {
public byte[] getAADigest() {
return aa_digest.toByteArray();
}
-
+
public Object getP10() {
return myP10;
}
-
+
public void setP10(Object p10) {
myP10 = p10;
}
-
+
public void setSgnIssuerAndSerialNumber(IssuerAndSerialNumber iasn) {
this.sgnIASN = iasn;
}
@@ -629,7 +592,7 @@ public class CRSPKIMessage {
}
public IssuerAndSerialNumber getSgnIssuerAndSerialNumber() {
- return this.sgnIASN;
+ return this.sgnIASN;
}
public IssuerAndSerialNumber getRcpIssuerAndSerialNumber() {
@@ -660,8 +623,7 @@ public class CRSPKIMessage {
this.senderNonce = sn;
}
- // public void setCertificate(byte [] cert) { this.certificate = cert; }
-
+ // public void setCertificate(byte [] cert) { this.certificate = cert; }
public void setMsgDigest(byte[] digest) {
this.msg_digest = new OCTET_STRING(digest);
@@ -673,88 +635,91 @@ public class CRSPKIMessage {
public void setPending() {
// setIssuerAndSerialNumber();
-
+
setMessageType(mType_CertRep);
setPKIStatus(mStatus_PENDING);
};
-
+
public void setFailure(String failInfo) {
setMessageType(mType_CertRep);
setPKIStatus(mStatus_FAILURE);
setFailInfo(failInfo);
}
-
+
// Should add a Certificate to this call
public void setSuccess() {
setMessageType(mType_CertRep);
setPKIStatus(mStatus_SUCCESS);
}
-
+
/**
- * Gets a byte array which is the der-encoded blob
- * which gets sent back to the router.
+ * Gets a byte array which is the der-encoded blob which gets sent back to
+ * the router.
*/
-
+
public byte[] getEncoded() {
- //Assert.assert(messageType != null);
- //Assert.assert(pkiStatus != null);
-
- return new byte[1]; // blagh
+ // Assert.assert(messageType != null);
+ // Assert.assert(pkiStatus != null);
+
+ return new byte[1]; // blagh
}
-
- private void decodeCRSPKIMessage (ByteArrayInputStream bais) throws InvalidBERException, Exception {
+ private void decodeCRSPKIMessage(ByteArrayInputStream bais)
+ throws InvalidBERException, Exception {
org.mozilla.jss.pkcs7.ContentInfo.Template crscit;
crscit = new ContentInfo.Template();
crsci = (ContentInfo) crscit.decode(bais);
-
- if (!ContentInfo.SIGNED_DATA.equals(crsci.getContentType())) {
- throw new Exception("ContentType wasn't signed data, it was" + crsci.getContentType());
+
+ if (!ContentInfo.SIGNED_DATA.equals(crsci.getContentType())) {
+ throw new Exception("ContentType wasn't signed data, it was"
+ + crsci.getContentType());
}
-
- // Now that we know that the contentInfo is a SignedData, we can decode it
+
+ // Now that we know that the contentInfo is a SignedData, we can decode
+ // it
SignedData.Template sdt = new SignedData.Template();
-
- sd = (SignedData) sdt.decode(
- new ByteArrayInputStream(
- ((ANY) crsci.getContent()).getEncoded()
- ));
+
+ sd = (SignedData) sdt.decode(new ByteArrayInputStream(((ANY) crsci
+ .getContent()).getEncoded()));
this.decodeSD();
}
public CRSPKIMessage() {
attrs = new Hashtable();
}
-
- public CRSPKIMessage (ByteArrayInputStream bais) throws InvalidBERException, Exception {
+
+ public CRSPKIMessage(ByteArrayInputStream bais) throws InvalidBERException,
+ Exception {
attrs = new Hashtable();
decodeCRSPKIMessage(bais);
}
private void decodeSD() throws Exception {
- ContentInfo sdci;
+ ContentInfo sdci;
sis = sd.getSignerInfos();
-
+
decodeSI();
sdci = sd.getContentInfo();
-
+
// HACK to work with CRS
ANY a = (ANY) sdci.getContent();
ByteArrayInputStream s = new ByteArrayInputStream(a.getEncoded());
- OCTET_STRING os = (OCTET_STRING) (new OCTET_STRING.Template()).decode(s);
-
+ OCTET_STRING os = (OCTET_STRING) (new OCTET_STRING.Template())
+ .decode(s);
+
ByteArrayInputStream s2 = new ByteArrayInputStream(os.toByteArray());
ContentInfo ci = (ContentInfo) (new ContentInfo.Template()).decode(s2);
- ByteArrayInputStream s3 = new ByteArrayInputStream(((ANY) ci.getContent()).getEncoded());
-
+ ByteArrayInputStream s3 = new ByteArrayInputStream(
+ ((ANY) ci.getContent()).getEncoded());
+
EnvelopedData.Template edt = new EnvelopedData.Template();
sded = (EnvelopedData) edt.decode(s3);
-
+
SET signerCerts = (SET) sd.getCertificates();
Certificate firstCert = (Certificate) signerCerts.elementAt(0);
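Review bot: decodeSD casts `sd.getCertificates()` to a SET and immediately takes `elementAt(0)`, with no check that the certificates field is present and non-empty. This method parses a message received from a peer, so a SignedData without certificates would presumably surface as a NullPointerException or an index error rather than a clear rejection. decodeSI and decodeED already guard their sets with a `size() == 0` test, and the same guard belongs here: `if (signerCerts == null || signerCerts.size() == 0) { throw new Exception("SignedData contains no certificates"); }`. The unchecked `(ANY)` and `(OCTET_STRING)` casts earlier in the method assume a fixed structure in the same way. decodeSD continues past the end of this hunk.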
@@ -763,11 +728,11 @@ public class CRSPKIMessage {
CertificateInfo firstCertInfo = firstCert.getInfo();
sgnIASN = new IssuerAndSerialNumber(firstCertInfo.getIssuer(),
- firstCertInfo.getSerialNumber());
-
+ firstCertInfo.getSerialNumber());
+
decodeED();
}
-
+
private void decodeSI() throws Exception {
if (sis.size() == 0) {
throw new Exception("SignerInfos is empty");
@@ -780,51 +745,51 @@ public class CRSPKIMessage {
aa_digest = new OCTET_STRING(si.getEncryptedDigest());
}
-
+
private void decodeED() throws Exception {
SET ris;
ris = (SET) sded.getRecipientInfos();
-
+
if (ris.size() == 0) {
throw new Exception("RecipientInfos is empty");
}
ri = (RecipientInfo) ris.elementAt(0);
eci = sded.getEncryptedContentInfo();
- if (eci.getContentEncryptionAlgorithm().getOID().equals(DES_EDE3_CBC_ENCRYPTION)) {
+ if (eci.getContentEncryptionAlgorithm().getOID()
+ .equals(DES_EDE3_CBC_ENCRYPTION)) {
encryptionAlgorithm = "DES3";
- } else if (eci.getContentEncryptionAlgorithm().getOID().equals(DES_CBC_ENCRYPTION)) {
+ } else if (eci.getContentEncryptionAlgorithm().getOID()
+ .equals(DES_CBC_ENCRYPTION)) {
encryptionAlgorithm = "DES";
} else {
- throw new Exception("P10 encrypted alg is not supported (not DES): " + eci.getContentEncryptionAlgorithm().getOID());
+ throw new Exception(
+ "P10 encrypted alg is not supported (not DES): "
+ + eci.getContentEncryptionAlgorithm().getOID());
}
-
+
ec = eci.getEncryptedContent().toByteArray();
OCTET_STRING.Template ost = new OCTET_STRING.Template();
-
- OCTET_STRING os = (OCTET_STRING)
- ost.decode(new ByteArrayInputStream(
- ((ANY) eci.getContentEncryptionAlgorithm().getParameters()).getEncoded()
- )
- );
+
+ OCTET_STRING os = (OCTET_STRING) ost.decode(new ByteArrayInputStream(
+ ((ANY) eci.getContentEncryptionAlgorithm().getParameters())
+ .getEncoded()));
iv = os.toByteArray();
decodeRI();
}
-
+
/**
- * The PKCS10 request is encrypt with a symmetric key.
- * This key in turn is encrypted with the RSA key in the
- * CA certificate.
- *
- * riAlgid is the algorithm the symm key is encrypted with. It had
- * better be RSA
- * riKey is the encrypted symmetric key
+ * The PKCS10 request is encrypt with a symmetric key. This key in turn is
+ * encrypted with the RSA key in the CA certificate.
+ *
+ * riAlgid is the algorithm the symm key is encrypted with. It had better be
+ * RSA riKey is the encrypted symmetric key
*/
-
+
private void decodeRI() throws Exception {
// really should get issuer and serial number of our RI, as this
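Review bot: The Javadoc reflow above decodeRI merged two separate field descriptions into one run-on sentence, so it now reads "It had better be RSA riKey is the encrypted symmetric key". I would restore them as separate items, e.g. `* <p>riAlgid is the algorithm the symmetric key is encrypted with; it must be RSA.` followed by `* <p>riKey is the encrypted symmetric key.`, and fix "is encrypt with" to "is encrypted with". The blank line between the closing `*/` and `private void decodeRI()` is best removed so the comment stays visibly attached to the method. decodeRI's body continues in the next hunk.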
@@ -832,18 +797,19 @@ public class CRSPKIMessage {
// going to assume that the key is the Signing cert for the server.
riAlgid = ri.getKeyEncryptionAlgorithmID();
-
+
if (!riAlgid.getOID().equals(RSA_ENCRYPTION)) {
- throw new Exception("Request is protected by a key which we can't decrypt");
+ throw new Exception(
+ "Request is protected by a key which we can't decrypt");
}
-
+
riKey = ri.getEncryptedKey().toByteArray();
-
+
}
-
+
private void decodeAA() throws InvalidBERException, IOException {
aa = si.getAuthenticatedAttributes();
-
+
int count;
for (count = 0; count < aa.size(); count++) {
@@ -853,42 +819,48 @@ public class CRSPKIMessage {
PrintableString ps;
PrintableString.Template pst = new PrintableString.Template();
OCTET_STRING.Template ost = new OCTET_STRING.Template();
-
+
OBJECT_IDENTIFIER oid = a.getType();
if (oid.equals(CRS_MESSAGETYPE)) {
- ps = (PrintableString) pst.decode(new ByteArrayInputStream(f.getEncoded()));
+ ps = (PrintableString) pst.decode(new ByteArrayInputStream(f
+ .getEncoded()));
// We make a new string here
messageType = ps.toString();
-
+
} else if (oid.equals(CRS_PKISTATUS)) {
- ps = (PrintableString) pst.decode(new ByteArrayInputStream(f.getEncoded()));
- pkiStatus = new String (ps.toString());
+ ps = (PrintableString) pst.decode(new ByteArrayInputStream(f
+ .getEncoded()));
+ pkiStatus = new String(ps.toString());
} else if (oid.equals(CRS_FAILINFO)) {
- ps = (PrintableString) pst.decode(new ByteArrayInputStream(f.getEncoded()));
- failInfo = new String (ps.toString());
+ ps = (PrintableString) pst.decode(new ByteArrayInputStream(f
+ .getEncoded()));
+ failInfo = new String(ps.toString());
} else if (oid.equals(CRS_SENDERNONCE)) {
- OCTET_STRING oss = (OCTET_STRING) ost.decode(new ByteArrayInputStream(f.getEncoded()));
+ OCTET_STRING oss = (OCTET_STRING) ost
+ .decode(new ByteArrayInputStream(f.getEncoded()));
senderNonce = oss.toByteArray();
} else if (oid.equals(CRS_RECIPIENTNONCE)) {
- OCTET_STRING osr = (OCTET_STRING) ost.decode(new ByteArrayInputStream(f.getEncoded()));
+ OCTET_STRING osr = (OCTET_STRING) ost
+ .decode(new ByteArrayInputStream(f.getEncoded()));
recipientNonce = osr.toByteArray();
} else if (oid.equals(CRS_TRANSID)) {
- ps = (PrintableString) pst.decode(new ByteArrayInputStream(f.getEncoded()));
- transactionID = new String (ps.toString());
+ ps = (PrintableString) pst.decode(new ByteArrayInputStream(f
+ .getEncoded()));
+ transactionID = new String(ps.toString());
}
-
+
}
-
- } // end of decodeAA();
-
+
+ } // end of decodeAA();
+
public String getMessageTypeString() {
if (messageType == null) {
return null;
}
-
+
if (messageType.equals(mType_PKCSReq)) {
return "PKCSReq";
}
@@ -905,8 +877,7 @@ public class CRSPKIMessage {
return "GetCRL";
}
// messageType should match one of the above
- //Assert.assert(false);
+ // Assert.assert(false);
return null;
}
-}
-
+}