scepresponsemessage.java

一套JAVA的CA证书签发系统.

                msg = new CMSProcessableByteArray("PrimeKey".getBytes());
                CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
                gen.addSigner(signKey, signCert, CMSSignedDataGenerator.DIGEST_SHA1);
                gen.addCertificatesAndCRLs(certs);
                s = gen.generate(msg, true, "BC");

                // Envelope the CMS message
                if (recipientKeyInfo != null) {
                    try {
                    X509Certificate rec = CertTools.getCertfromByteArray(recipientKeyInfo);
                    log.debug("Added recipient information - issuer: '"+CertTools.getIssuerDN(rec)+"', serno: '"+rec.getSerialNumber().toString(16));
                    edGen.addKeyTransRecipient(rec);
                    } catch (CertificateException e) {
                        throw new IOException("Can not decode recipients self signed certificate!");
                    }
                } else {
                    edGen.addKeyTransRecipient((X509Certificate) cert);
                }
                CMSEnvelopedData ed = edGen.generate(new CMSProcessableByteArray(s.getEncoded()),
                                    SMIMECapability.dES_CBC.getId(), "BC");

                log.debug("Signed data is " + ed.getEncoded().length +" bytes long");
                msg = new CMSProcessableByteArray(ed.getEncoded());
            } else {
                // Create an empty message here
                msg = new CMSProcessableByteArray("PrimeKey".getBytes());
            }

            // Create the outermost signed data
            CMSSignedDataGenerator gen1 = new CMSSignedDataGenerator();

            // add authenticated attributes...status, transactionId, sender- and recipientNonce and more...
            Hashtable attributes = new Hashtable();
            DERObjectIdentifier oid;
            Attribute attr;
            DERSet value;
            
            // Content Type
            /* Added automagically by CMSSignedDataGenerator
            oid = PKCSObjectIdentifiers.pkcs_9_at_contentType;
            value = new DERSet(PKCSObjectIdentifiers.data);
            attr = new Attribute(oid, value);
            attributes.put(attr.getAttrType(), attr);
            */

            // Message digest
            /* Added automagically by CMSSignedDataGenerator
            byte[] digest = null;
            if (s != null) {
                MessageDigest md = MessageDigest.getInstance("SHA1");
                digest = md.digest(s.getEncoded());
            } else {
                digest = new byte[]{0};
            }
            oid = PKCSObjectIdentifiers.pkcs_9_at_messageDigest;
            value = new DERSet(new DEROctetString(digest));
            attr = new Attribute(oid, value);
            attributes.put(attr.getAttrType(), attr);
            */

            // Message type (certrep)
            oid = new DERObjectIdentifier(ScepRequestMessage.id_messageType);
            value = new DERSet(new DERPrintableString("3"));
            attr = new Attribute(oid, value);
            attributes.put(attr.getAttrType(), attr);

            // TransactionId
            if (transactionId != null) {
                oid = new DERObjectIdentifier(ScepRequestMessage.id_transId);
                value = new DERSet(new DERPrintableString(transactionId));
                attr = new Attribute(oid, value);
                attributes.put(attr.getAttrType(), attr);
            }

            // status
            oid = new DERObjectIdentifier(ScepRequestMessage.id_pkiStatus);
            value = new DERSet(new DERPrintableString(status.getValue()));
            attr = new Attribute(oid, value);
            attributes.put(attr.getAttrType(), attr);

            if (status.equals(ResponseStatus.FAILURE)) {
                oid = new DERObjectIdentifier(ScepRequestMessage.id_failInfo);
                log.debug("Added failInfo: "+failInfo.getValue());
                value = new DERSet(new DERPrintableString(failInfo.getValue()));
                attr = new Attribute(oid, value);
                attributes.put(attr.getAttrType(), attr);
            }

            // senderNonce
            if (senderNonce != null) {
                oid = new DERObjectIdentifier(ScepRequestMessage.id_senderNonce);
                log.debug("Added senderNonce: "+senderNonce);
                value = new DERSet(new DEROctetString(Base64.decode(senderNonce.getBytes())));
                attr = new Attribute(oid, value);
                attributes.put(attr.getAttrType(), attr);
            }

            // recipientNonce
            if (recipientNonce != null) {
                oid = new DERObjectIdentifier(ScepRequestMessage.id_recipientNonce);
                log.debug("Added recipientNonce: "+recipientNonce);                
                value = new DERSet(new DEROctetString(Base64.decode(recipientNonce.getBytes())));
                attr = new Attribute(oid, value);
                attributes.put(attr.getAttrType(), attr);
            }

            // Add our signer info and sign the message
            gen1.addSigner(signKey, signCert, CMSSignedDataGenerator.DIGEST_SHA1,
                new AttributeTable(attributes), null);
            signedData = gen1.generate(msg, true, "BC");
            responseMessage = signedData.getEncoded();
            if (responseMessage != null) {
                ret = true;
            }
        } catch (InvalidAlgorithmParameterException e) {
            log.error("Error creating CertStore: ", e);
        } catch (CertStoreException e) {
            log.error("Error creating CertStore: ", e);
        } catch (CMSException e) {
            log.error("Error creating CMS message: ", e);
        }

        return ret;
    }

    /**
     * indicates if this message needs recipients public and private key to sign. If this returns
     * true, setSignKeyInfo() should be called.
     *
     * @return True if public and private key is needed.
     */
    public boolean requireSignKeyInfo() {
        return true;
    }

    /**
     * indicates if this message needs recipients public and private key to encrypt. If this
     * returns true, setEncKeyInfo() should be called.
     *
     * @return True if public and private key is needed.
     */
    public boolean requireEncKeyInfo() {
        return false;
    }

    /**
     * Sets the public and private key needed to sign the message. Must be set if
     * requireSignKeyInfo() returns true.
     *
     * @param cert certificate containing the public key.
     * @param key private key.
     *
     * @see #requireSignKeyInfo()
     */
    public void setSignKeyInfo(X509Certificate cert, PrivateKey key) {
        signCert = cert;
        signKey = key;
    }

    /**
     * Sets the public and private key needed to encrypt the message. Must be set if
     * requireEncKeyInfo() returns true.
     *
     * @param cert certificate containing the public key.
     * @param key private key.
     *
     * @see #requireEncKeyInfo()
     */
    public void setEncKeyInfo(X509Certificate cert, PrivateKey key) {
        // We don't need these.
    }

    /**
     * Sets a senderNonce if it should be present in the response
     *
     * @param senderNonce a string of base64 encoded bytes
     */
    public void setSenderNonce(String senderNonce) {
        this.senderNonce = senderNonce;
    }
    /**
     * Sets a recipient if it should be present in the response
     *
     * @param recipientNonce a string of base64 encoded bytes
     */
    public void setRecipientNonce(String recipientNonce) {
        this.recipientNonce = recipientNonce;
    }

    /**
     * Sets a transaction identifier if it should be present in the response
     *
     * @param transactionId transaction id
     */
    public void setTransactionId(String transactionId) {
        this.transactionId = transactionId;
    }
    
    /**
     * Sets recipient key info, key id or similar. This is the requestors self-signed cert from the request message.
     *
     * @param recipientKeyInfo key info
     */
    public void setRecipientKeyInfo(byte[] recipientKeyInfo) {
        this.recipientKeyInfo = recipientKeyInfo;
    }
    
}