package org.bouncycastle.cert.crmf;


import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.crmf.AttributeTypeAndValue;
import org.bouncycastle.asn1.crmf.CRMFObjectIdentifiers;
import org.bouncycastle.asn1.crmf.CertReqMsg;
import org.bouncycastle.asn1.crmf.CertTemplate;
import org.bouncycastle.asn1.crmf.Controls;
import org.bouncycastle.asn1.crmf.PKIArchiveOptions;
import org.bouncycastle.asn1.crmf.PKMACValue;
import org.bouncycastle.asn1.crmf.POPOSigningKey;
import org.bouncycastle.asn1.crmf.ProofOfPossession;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.operator.ContentVerifier;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.Encodable;

Carrier for a CRMF CertReqMsg.
/** * Carrier for a CRMF CertReqMsg. */
public class CertificateRequestMessage implements Encodable { public static final int popRaVerified = ProofOfPossession.TYPE_RA_VERIFIED; public static final int popSigningKey = ProofOfPossession.TYPE_SIGNING_KEY; public static final int popKeyEncipherment = ProofOfPossession.TYPE_KEY_ENCIPHERMENT; public static final int popKeyAgreement = ProofOfPossession.TYPE_KEY_AGREEMENT; private final CertReqMsg certReqMsg; private final Controls controls; private static CertReqMsg parseBytes(byte[] encoding) throws IOException { try { return CertReqMsg.getInstance(ASN1Primitive.fromByteArray(encoding)); } catch (ClassCastException e) { throw new CertIOException("malformed data: " + e.getMessage(), e); } catch (IllegalArgumentException e) { throw new CertIOException("malformed data: " + e.getMessage(), e); } }
Create a CertificateRequestMessage from the passed in bytes.
  • certReqMsg – BER/DER encoding of the CertReqMsg structure.
  • IOException – in the event of corrupted data, or an incorrect structure.
/** * Create a CertificateRequestMessage from the passed in bytes. * * @param certReqMsg BER/DER encoding of the CertReqMsg structure. * @throws IOException in the event of corrupted data, or an incorrect structure. */
public CertificateRequestMessage(byte[] certReqMsg) throws IOException { this(parseBytes(certReqMsg)); } public CertificateRequestMessage(CertReqMsg certReqMsg) { this.certReqMsg = certReqMsg; this.controls = certReqMsg.getCertReq().getControls(); }
Return the underlying ASN.1 object defining this CertificateRequestMessage object.
Returns:a CertReqMsg.
/** * Return the underlying ASN.1 object defining this CertificateRequestMessage object. * * @return a CertReqMsg. */
public CertReqMsg toASN1Structure() { return certReqMsg; }
Return the certificate template contained in this message.
Returns: a CertTemplate structure.
/** * Return the certificate template contained in this message. * * @return a CertTemplate structure. */
public CertTemplate getCertTemplate() { return this.certReqMsg.getCertReq().getCertTemplate(); }
Return whether or not this request has control values associated with it.
Returns:true if there are control values present, false otherwise.
/** * Return whether or not this request has control values associated with it. * * @return true if there are control values present, false otherwise. */
public boolean hasControls() { return controls != null; }
Return whether or not this request has a specific type of control value.
  • type – the type OID for the control value we are checking for.
Returns:true if a control value of type is present, false otherwise.
/** * Return whether or not this request has a specific type of control value. * * @param type the type OID for the control value we are checking for. * @return true if a control value of type is present, false otherwise. */
public boolean hasControl(ASN1ObjectIdentifier type) { return findControl(type) != null; }
Return a control value of the specified type.
  • type – the type OID for the control value we are checking for.
Returns:the control value if present, null otherwise.
/** * Return a control value of the specified type. * * @param type the type OID for the control value we are checking for. * @return the control value if present, null otherwise. */
public Control getControl(ASN1ObjectIdentifier type) { AttributeTypeAndValue found = findControl(type); if (found != null) { if (found.getType().equals(CRMFObjectIdentifiers.id_regCtrl_pkiArchiveOptions)) { return new PKIArchiveControl(PKIArchiveOptions.getInstance(found.getValue())); } if (found.getType().equals(CRMFObjectIdentifiers.id_regCtrl_regToken)) { return new RegTokenControl(DERUTF8String.getInstance(found.getValue())); } if (found.getType().equals(CRMFObjectIdentifiers.id_regCtrl_authenticator)) { return new AuthenticatorControl(DERUTF8String.getInstance(found.getValue())); } } return null; } private AttributeTypeAndValue findControl(ASN1ObjectIdentifier type) { if (controls == null) { return null; } AttributeTypeAndValue[] tAndVs = controls.toAttributeTypeAndValueArray(); AttributeTypeAndValue found = null; for (int i = 0; i != tAndVs.length; i++) { if (tAndVs[i].getType().equals(type)) { found = tAndVs[i]; break; } } return found; }
Return whether or not this request message has a proof-of-possession field in it.
Returns:true if proof-of-possession is present, false otherwise.
/** * Return whether or not this request message has a proof-of-possession field in it. * * @return true if proof-of-possession is present, false otherwise. */
public boolean hasProofOfPossession() { return this.certReqMsg.getPopo() != null; }
Return the type of the proof-of-possession this request message provides.
Returns:one of: popRaVerified, popSigningKey, popKeyEncipherment, popKeyAgreement
/** * Return the type of the proof-of-possession this request message provides. * * @return one of: popRaVerified, popSigningKey, popKeyEncipherment, popKeyAgreement */
public int getProofOfPossessionType() { return this.certReqMsg.getPopo().getType(); }
Return whether or not the proof-of-possession (POP) is of the type popSigningKey and it has a public key MAC associated with it.
Returns:true if POP is popSigningKey and a PKMAC is present, false otherwise.
/** * Return whether or not the proof-of-possession (POP) is of the type popSigningKey and * it has a public key MAC associated with it. * * @return true if POP is popSigningKey and a PKMAC is present, false otherwise. */
public boolean hasSigningKeyProofOfPossessionWithPKMAC() { ProofOfPossession pop = certReqMsg.getPopo(); if (pop.getType() == popSigningKey) { POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject()); return popoSign.getPoposkInput().getPublicKeyMAC() != null; } return false; }
Return whether or not a signing key proof-of-possession (POP) is valid.
  • verifierProvider – a provider that can produce content verifiers for the signature contained in this POP.
Returns:true if the POP is valid, false otherwise.
/** * Return whether or not a signing key proof-of-possession (POP) is valid. * * @param verifierProvider a provider that can produce content verifiers for the signature contained in this POP. * @return true if the POP is valid, false otherwise. * @throws CRMFException if there is a problem in verification or content verifier creation. * @throws IllegalStateException if POP not appropriate. */
public boolean isValidSigningKeyPOP(ContentVerifierProvider verifierProvider) throws CRMFException, IllegalStateException { ProofOfPossession pop = certReqMsg.getPopo(); if (pop.getType() == popSigningKey) { POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject()); if (popoSign.getPoposkInput() != null && popoSign.getPoposkInput().getPublicKeyMAC() != null) { throw new IllegalStateException("verification requires password check"); } return verifySignature(verifierProvider, popoSign); } else { throw new IllegalStateException("not Signing Key type of proof of possession"); } }
Return whether or not a signing key proof-of-possession (POP), with an associated PKMAC, is valid.
  • verifierProvider – a provider that can produce content verifiers for the signature contained in this POP.
  • macBuilder – a suitable PKMACBuilder to create the MAC verifier.
  • password – the password used to key the MAC calculation.
Returns:true if the POP is valid, false otherwise.
/** * Return whether or not a signing key proof-of-possession (POP), with an associated PKMAC, is valid. * * @param verifierProvider a provider that can produce content verifiers for the signature contained in this POP. * @param macBuilder a suitable PKMACBuilder to create the MAC verifier. * @param password the password used to key the MAC calculation. * @return true if the POP is valid, false otherwise. * @throws CRMFException if there is a problem in verification or content verifier creation. * @throws IllegalStateException if POP not appropriate. */
public boolean isValidSigningKeyPOP(ContentVerifierProvider verifierProvider, PKMACBuilder macBuilder, char[] password) throws CRMFException, IllegalStateException { ProofOfPossession pop = certReqMsg.getPopo(); if (pop.getType() == popSigningKey) { POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject()); if (popoSign.getPoposkInput() == null || popoSign.getPoposkInput().getSender() != null) { throw new IllegalStateException("no PKMAC present in proof of possession"); } PKMACValue pkMAC = popoSign.getPoposkInput().getPublicKeyMAC(); PKMACValueVerifier macVerifier = new PKMACValueVerifier(macBuilder); if (macVerifier.isValid(pkMAC, password, this.getCertTemplate().getPublicKey())) { return verifySignature(verifierProvider, popoSign); } return false; } else { throw new IllegalStateException("not Signing Key type of proof of possession"); } } private boolean verifySignature(ContentVerifierProvider verifierProvider, POPOSigningKey popoSign) throws CRMFException { ContentVerifier verifier; try { verifier = verifierProvider.get(popoSign.getAlgorithmIdentifier()); } catch (OperatorCreationException e) { throw new CRMFException("unable to create verifier: " + e.getMessage(), e); } if (popoSign.getPoposkInput() != null) { CRMFUtil.derEncodeToStream(popoSign.getPoposkInput(), verifier.getOutputStream()); } else { CRMFUtil.derEncodeToStream(certReqMsg.getCertReq(), verifier.getOutputStream()); } return verifier.verify(popoSign.getSignature().getOctets()); }
Return the ASN.1 encoding of the certReqMsg we wrap.
  • IOException – if there is an exception creating the encoding.
Returns:a byte array containing the binary encoding of the certReqMsg.
/** * Return the ASN.1 encoding of the certReqMsg we wrap. * * @return a byte array containing the binary encoding of the certReqMsg. * @throws IOException if there is an exception creating the encoding. */
public byte[] getEncoded() throws IOException { return certReqMsg.getEncoded(); } }