
📄 scepresponsemessage.java

📁 一个免费的CA,基于EJB平台的,老师叫我们测试,现把之共享出来让大家参考
💻 JAVA
                    certList.add(crl);                } else if (cert != null) {                    log.debug("Adding certificates to response message");                    certList.add(cert);                    // Add the CA cert, it's optional but Cisco VPN client complains if it isn't there                    if (includeCACert) {                        certList.add(signCert);                    	                    }                }                CertStore certs = CertStore.getInstance("Collection",                        new CollectionCertStoreParameters(certList), "BC");                // Create the signed CMS message to be contained inside the envelope                // this message does not contain any message, and no signerInfo                CMSSignedDataGenerator gen = new CMSSignedDataGenerator();                gen.addCertificatesAndCRLs(certs);                s = gen.generate(null, false, "BC");                // Envelope the CMS message                if (recipientKeyInfo != null) {                    try {                        X509Certificate rec = CertTools.getCertfromByteArray(recipientKeyInfo);                        log.debug("Added recipient information - issuer: '" + CertTools.getIssuerDN(rec) + "', serno: '" + rec.getSerialNumber().toString(16));                        edGen.addKeyTransRecipient(rec);                    } catch (CertificateException e) {                        throw new IOException("Can not decode recipients self signed certificate!");                    }                } else {                    edGen.addKeyTransRecipient((X509Certificate) cert);                }                CMSEnvelopedData ed = edGen.generate(new CMSProcessableByteArray(s.getEncoded()),                        SMIMECapability.dES_CBC.getId(), "BC");                log.debug("Enveloped data is " + ed.getEncoded().length + " bytes long");                msg = new CMSProcessableByteArray(ed.getEncoded());            } else {                // Create an 
empty message here                msg = new CMSProcessableByteArray("PrimeKey".getBytes());            }            // Create the outermost signed data            CMSSignedDataGenerator gen1 = new CMSSignedDataGenerator();            // add authenticated attributes...status, transactionId, sender- and recipientNonce and more...            Hashtable attributes = new Hashtable();            DERObjectIdentifier oid;            Attribute attr;            DERSet value;                        // Content Type            /* Added automagically by CMSSignedDataGenerator            oid = PKCSObjectIdentifiers.pkcs_9_at_contentType;            value = new DERSet(PKCSObjectIdentifiers.data);            attr = new Attribute(oid, value);            attributes.put(attr.getAttrType(), attr);            */            // Message digest            /* Added automagically by CMSSignedDataGenerator            byte[] digest = null;            if (s != null) {                MessageDigest md = MessageDigest.getInstance("SHA1");                digest = md.digest(s.getEncoded());            } else {                digest = new byte[]{0};            }            oid = PKCSObjectIdentifiers.pkcs_9_at_messageDigest;            value = new DERSet(new DEROctetString(digest));            attr = new Attribute(oid, value);            attributes.put(attr.getAttrType(), attr);            */            // Message type (certrep)            oid = new DERObjectIdentifier(ScepRequestMessage.id_messageType);            value = new DERSet(new DERPrintableString("3"));            attr = new Attribute(oid, value);            attributes.put(attr.getAttrType(), attr);            // TransactionId            if (transactionId != null) {                oid = new DERObjectIdentifier(ScepRequestMessage.id_transId);                log.debug("Added transactionId: " + transactionId);                value = new DERSet(new DERPrintableString(transactionId));                attr = new Attribute(oid, value);                
attributes.put(attr.getAttrType(), attr);            }            // status            oid = new DERObjectIdentifier(ScepRequestMessage.id_pkiStatus);            value = new DERSet(new DERPrintableString(status.getValue()));            attr = new Attribute(oid, value);            attributes.put(attr.getAttrType(), attr);            if (status.equals(ResponseStatus.FAILURE)) {                oid = new DERObjectIdentifier(ScepRequestMessage.id_failInfo);                log.debug("Added failInfo: " + failInfo.getValue());                value = new DERSet(new DERPrintableString(failInfo.getValue()));                attr = new Attribute(oid, value);                attributes.put(attr.getAttrType(), attr);            }            // senderNonce            if (senderNonce != null) {                oid = new DERObjectIdentifier(ScepRequestMessage.id_senderNonce);                log.debug("Added senderNonce: " + senderNonce);                value = new DERSet(new DEROctetString(Base64.decode(senderNonce.getBytes())));                attr = new Attribute(oid, value);                attributes.put(attr.getAttrType(), attr);            }            // recipientNonce            if (recipientNonce != null) {                oid = new DERObjectIdentifier(ScepRequestMessage.id_recipientNonce);                log.debug("Added recipientNonce: " + recipientNonce);                value = new DERSet(new DEROctetString(Base64.decode(recipientNonce.getBytes())));                attr = new Attribute(oid, value);                attributes.put(attr.getAttrType(), attr);            }            // Add our signer info and sign the message            gen1.addSigner(signKey, signCert, digestAlg,                    new AttributeTable(attributes), null);            signedData = gen1.generate(msg, true, provider);            responseMessage = signedData.getEncoded();            if (responseMessage != null) {                ret = true;            }        } catch (InvalidAlgorithmParameterException 
e) {            log.error("Error creating CertStore: ", e);        } catch (CertStoreException e) {            log.error("Error creating CertStore: ", e);        } catch (CMSException e) {            log.error("Error creating CMS message: ", e);        }        return ret;    }    /**     * indicates if this message needs recipients public and private key to sign. If this returns     * true, setSignKeyInfo() should be called.     *     * @return True if public and private key is needed.     */    public boolean requireSignKeyInfo() {        return true;    }    /**     * indicates if this message needs recipients public and private key to encrypt. If this     * returns true, setEncKeyInfo() should be called.     *     * @return True if public and private key is needed.     */    public boolean requireEncKeyInfo() {        return false;    }    /**     * Sets the public and private key needed to sign the message. Must be set if     * requireSignKeyInfo() returns true.     *     * @param cert certificate containing the public key.     * @param key private key.     * @param provider the provider to use, if the private key is on a HSM you must use a special provider. If null is given, the default BC provider is used.     *     * @see #requireSignKeyInfo()     */    public void setSignKeyInfo(X509Certificate cert, PrivateKey key, String prov) {        this.signCert = cert;        this.signKey = key;        if (prov != null) {        	this.provider = prov;        }    }    /**     * Sets the public and private key needed to encrypt the message. Must be set if     * requireEncKeyInfo() returns true.     *     * @param cert certificate containing the public key.     * @param key private key.     * @param provider the provider to use, if the private key is on a HSM you must use a special provider. If null is given, the default BC provider is used.     
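*
     * @see #requireEncKeyInfo()
     */
    public void setEncKeyInfo(X509Certificate cert, PrivateKey key, String provider) {
        // We don't need these: requireEncKeyInfo() returns false for this message type,
        // so all three arguments are ignored and nothing is stored.
    }

    /**
     * Sets a senderNonce if it should be present in the response.
     *
     * <p>create() Base64-decodes this value and writes it as an octet-string attribute;
     * when it is null the attribute is left out.
     *
     * @param senderNonce a string of base64 encoded bytes
     */
    public void setSenderNonce(String senderNonce) {
        this.senderNonce = senderNonce;
    }

    /**
     * Sets a recipientNonce if it should be present in the response.
     *
     * <p>create() Base64-decodes this value and writes it as an octet-string attribute;
     * when it is null the attribute is left out.
     *
     * @param recipientNonce a string of base64 encoded bytes
     */
    public void setRecipientNonce(String recipientNonce) {
        this.recipientNonce = recipientNonce;
    }

    /**
     * Sets a transaction identifier if it should be present in the response.
     *
     * <p>create() writes it as a PrintableString attribute; when it is null the
     * attribute is left out.
     *
     * @param transactionId transaction id
     */
    public void setTransactionId(String transactionId) {
        this.transactionId = transactionId;
    }

    /**
     * Sets recipient key info, key id or similar. This is the requestors self-signed cert
     * from the request message.
     *
     * <p>create() decodes these bytes as an X.509 certificate and envelopes the response
     * to it; when the value is null, create() envelopes to the {@code cert} held by this
     * message instead.
     *
     * @param recipientKeyInfo key info, may be null
     */
    public void setRecipientKeyInfo(byte[] recipientKeyInfo) {
        // Keep a private copy so a later change to the caller's buffer cannot alter
        // which certificate the response is encrypted to.
        this.recipientKeyInfo = (recipientKeyInfo == null) ? null : recipientKeyInfo.clone();
    }

    /**
     * Sets the digest algorithm used for the signer of the response.
     *
     * <p>The value is stored without validation and create() passes it unchanged to
     * CMSSignedDataGenerator.addSigner().
     * NOTE(review): if callers take this from the request, confirm that they only pass
     * digests the CA's policy accepts.
     *
     * @param digest digest algorithm identifier
     * @see org.ejca.core.protocol.IResponseMessage
     */
    public void setPreferredDigestAlg(String digest) {
        this.digestAlg = digest;
    }

    /**
     * No-op in this implementation; the argument is ignored.
     *
     * @see org.ejca.core.protocol.IResponseMessage
     */
    public void setRequestType(int reqtype) {
    }

    /**
     * No-op in this implementation; the argument is ignored.
     *
     * @see org.ejca.core.protocol.IResponseMessage
     */
    public void setRequestId(int reqid) {
    }

    /**
     * No-op in this implementation; the argument is ignored.
     *
     * @see org.ejca.core.protocol.IResponseMessage
     */
    public void setProtectionParamsFromRequest(IRequestMessage reqMsg) {
    }
}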
