import java.util.Objects;
import java.util.Optional;
import org.apache.http.impl.client.CloseableHttpClient;
+ import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.CertResponse;
private static final String DEFAULT_CA_NAME = "Certification Authority";
private static final String DEFAULT_PROFILE = CaMode.RA.getProfile();
+ private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
public CmpClientImpl(CloseableHttpClient httpClient) {
this.httpClient = httpClient;
validate(csrModel, server, httpClient, notBefore, notAfter);
KeyPair keyPair = new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey());
+ final String iak = server.getAuthentication().getIak();
+ final PkiMessageProtection pkiMessageProtection = new PasswordBasedProtection(iak);
final CreateCertRequest certRequest =
CmpMessageBuilder.of(CreateCertRequest::new)
.with(CreateCertRequest::setIssuerDn, server.getIssuerDN())
.with(CreateCertRequest::setSubjectKeyPair, keyPair)
.with(CreateCertRequest::setNotBefore, notBefore)
.with(CreateCertRequest::setNotAfter, notAfter)
- .with(CreateCertRequest::setInitAuthPassword, server.getAuthentication().getIak())
.with(CreateCertRequest::setSenderKid, server.getAuthentication().getRv())
+ .with(CreateCertRequest::setProtection, pkiMessageProtection)
.build();
final PKIMessage pkiMessage = certRequest.generateCertReq();
final PKIHeader header = respPkiMessage.getHeader();
final AlgorithmIdentifier protectionAlgo = header.getProtectionAlg();
verifySignatureWithPublicKey(respPkiMessage, publicKey);
- verifyProtectionWithProtectionAlgo(respPkiMessage, initAuthPassword, header, protectionAlgo);
+ if (isPasswordBasedMacAlgorithm(protectionAlgo)) {
+ LOG.info("CMP response is protected by Password Base Mac Algorithm. Attempt to verify protection");
+ verifyPasswordBasedMacProtection(respPkiMessage, initAuthPassword, header, protectionAlgo);
+ }
+ }
+
+ private boolean isPasswordBasedMacAlgorithm(AlgorithmIdentifier protectionAlgo) throws CmpClientException {
+ if (Objects.isNull(protectionAlgo)) {
+ LOG.error("CMP response does not contain Protection Algorithm field");
+ throw new CmpClientException("CMP response does not contain Protection Algorithm field");
+ }
+ return PASSWORD_BASED_MAC.equals(protectionAlgo.getAlgorithm());
}
private void verifySignatureWithPublicKey(PKIMessage respPkiMessage, PublicKey publicKey)
}
}
- private void verifyProtectionWithProtectionAlgo(
- PKIMessage respPkiMessage,
- String initAuthPassword,
- PKIHeader header,
- AlgorithmIdentifier protectionAlgo)
- throws CmpClientException {
- if (Objects.nonNull(protectionAlgo)) {
- LOG.debug("Verifying PasswordBased Protection of the Response.");
- verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo);
- checkImplicitConfirm(header);
- } else {
- LOG.error(
- "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
- throw new CmpClientException(
- "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
- }
+ private void verifyPasswordBasedMacProtection(PKIMessage respPkiMessage, String initAuthPassword,
+ PKIHeader header, AlgorithmIdentifier protectionAlgo)
+ throws CmpClientException {
+ LOG.debug("Verifying PasswordBased Protection of the Response.");
+ verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo);
+ checkImplicitConfirm(header);
}
private Cmpv2CertificationModel checkCmpCertRepMessage(final PKIMessage respPkiMessage)
}
private void logServerResponse(CertResponse certResponse) {
- LOG.info("Response status code: {}", certResponse.getStatus().getStatus().toString());
+ if (LOG.isInfoEnabled()) {
+ LOG.info("Response status code: {}", certResponse.getStatus().getStatus());
+ }
if (certResponse.getStatus().getStatusString() != null) {
String serverMessage = certResponse.getStatus().getStatusString().getStringAt(0).getString();
LOG.warn("Response status text: {}", serverMessage);
}
- if (certResponse.getStatus().getFailInfo() != null) {
- LOG.warn("Response fail info: {}", certResponse.getStatus().getFailInfo().toString());
+ if (LOG.isWarnEnabled() && certResponse.getStatus().getFailInfo() != null) {
+ LOG.warn("Response fail info: {}", certResponse.getStatus().getFailInfo());
}
}