diff --git a/README.md b/README.md index 54424398..ee395a56 100644 --- a/README.md +++ b/README.md @@ -85,7 +85,7 @@ The callback handler is used to verify the CA certificate being sent by the SCEP ### Default Callback Mechanism -The default callback mechanism provides a `DefaultCallbackHandler` which delegates verification to a `CertificateVerifier` implementation. jscep supports several strategies for verifying a certificate, including pre-provisioned certificates or digests, and an interactive console verifier. The following example shows the steps necessary to configure the console verifier: +The default callback mechanism provides a `DefaultCallbackHandler` which delegates verification to a `CertificateVerifier` implementation and uses `PasswordCallback` for challengePassword fetching. jscep supports several strategies for verifying a certificate, including pre-provisioned certificates or digests, and an interactive console verifier. The following example shows the steps necessary to configure the console verifier: ```java CertificateVerifier verifier = new ConsoleCertificateVerifier(); 
@@ -99,10 +99,21 @@ By default, jscep will request verification before each operation. If you are p CertificateVerifier verifier = new CachingCertificateVerifier(consoleVerifier); CallbackHandler handler = new DefaultCallbackHandler(verifier); ``` +In SCEP, according to RFC8894 Section 3.1, if the key is encryption capable (for example, RSA), then the messageData is encrypted using the recipient's public key with the CMS KeyTransRecipientInfo mechanism. If the key is not encryption capable (for example, DSA or ECDSA), then the messageData is encrypted using the challengePassword with the CMS PasswordRecipientInfo mechanism. + +Therefore, if the CA certificate contains an EC or DSA key, it is necessary to provide an extra challengePassword. This can be done by defining a hash table in which the key is the CA profile name and the value is the challengePassword value. This approach allows you to define many separate challenge passwords for different CA profiles. + +```java + CertificateVerifier verifier = new ConsoleCertificateVerifier(); + Map passwords = new HashMap<>(); + passwords.put("CA1", "secret1"); + passwords.put("CA2", "secret2"); + CallbackHandler handler = new DefaultCallbackHandler(verifier, passwords); +``` ### Providing Your Own Callback Handler -If you wish to use your own `CallbackHandler`, you must handle the `CertificateVerificationCallback`. +If you wish to use your own `CallbackHandler`, you must handle the `CertificateVerificationCallback` and `PasswordCallback` as well. # Creating the Client diff --git a/src/main/java/org/jscep/client/Client.java b/src/main/java/org/jscep/client/Client.java index 3340a45a..b9b3f9bf 100644 --- a/src/main/java/org/jscep/client/Client.java +++ b/src/main/java/org/jscep/client/Client.java 
@@ -37,6 +37,7 @@ import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.x500.X500Principal; @@ -703,10 +704,11 @@ private PkiMessageEncoder getEncoder(final X509Certificate identity, Capabilities caps = getCaCapabilities(profile); CertStoreInspector certs = inspectorFactory.getInstance(store); X509Certificate recipientCertificate = certs.getRecipient(); + String challengePassword = getChallengePassword(profile); PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder( - recipientCertificate, caps.getStrongestCipher()); + recipientCertificate, challengePassword, caps.getStrongestCipher()); - String sigAlg = caps.getStrongestSignatureAlgorithm(); + String sigAlg = caps.getStrongestSignatureAlgorithm(priKey.getAlgorithm()); return new PkiMessageEncoder(priKey, identity, envEncoder, sigAlg); } @@ -715,8 +717,9 @@ private PkiMessageDecoder getDecoder(final X509Certificate identity, final CertStore store = getCaCertificate(profile); CertStoreInspector certs = inspectorFactory.getInstance(store); X509Certificate signer = certs.getSigner(); + String challengePassword = getChallengePassword(profile); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder( - identity, key); + identity, key, challengePassword); return new PkiMessageDecoder(signer, envDecoder); } 
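Review bot: getEncoder and getDecoder now call getChallengePassword(profile) unconditionally, so every encode/decode round trip pushes a PasswordCallback through the handler even when the recipient certificate carries an RSA key and the password is never consumed (the encoder only uses it in its non-RSA branch). For an interactive handler that means prompting for a secret which is then discarded, and for a custom handler that only supports CertificateVerificationCallback the resulting UnsupportedCallbackException is wrapped into a ClientException, breaking a previously working RSA flow. Consider fetching the password only when it can be needed, e.g. in getEncoder `String challengePassword = "RSA".equals(recipientCertificate.getPublicKey().getAlgorithm()) ? null : getChallengePassword(profile);`, and doing the same in getDecoder keyed on the identity certificate's public key. Note also that getStrongestSignatureAlgorithm(priKey.getAlgorithm()) can return null (its body ends in `return null;`) and is passed straight into PkiMessageEncoder as sigAlg without a check; both enclosing methods start outside the hunk.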
@@ -736,6 +739,27 @@ private Transport createTransport(final String profile) { } } + /** + * Get challenge password using CallbackHandler and PasswordCallback + * @param profile the SCEP server profile + * @return challenge password or null + */ + private String getChallengePassword(String profile) throws ClientException { + try { + LOGGER.debug("Requesting challenge password."); + PasswordCallback callback = new PasswordCallback("Enter challenge password" + + (profile != null ? " for " + profile : ""), false); + Callback[] callbacks = new Callback[1]; + callbacks[0] = callback; + handler.handle(callbacks); + char[] password = callback.getPassword(); + return password != null ? new String(password) : null; + } catch (Exception e) { + LOGGER.debug("Requesting challenge password failed."); + throw new ClientException(e); + } + } + private void verifyCA(final X509Certificate cert) throws ClientException { CertificateVerificationCallback callback = new CertificateVerificationCallback( cert); diff --git a/src/main/java/org/jscep/client/DefaultCallbackHandler.java b/src/main/java/org/jscep/client/DefaultCallbackHandler.java index dbbda318..db359ba4 100644 --- a/src/main/java/org/jscep/client/DefaultCallbackHandler.java +++ b/src/main/java/org/jscep/client/DefaultCallbackHandler.java @@ -1,9 +1,12 @@ package org.jscep.client; import java.io.IOException; +import java.util.HashMap; +import java.util.Map; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.UnsupportedCallbackException; import org.jscep.client.verification.CertificateVerifier; @@ -16,6 +19,7 @@ public final class DefaultCallbackHandler implements CallbackHandler { * The verifier. */ private final CertificateVerifier verifier; + private final Map passwords; /** * Default callback handler that delegates verification to a verifier. 
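Review bot: getChallengePassword converts every failure, including an UnsupportedCallbackException from a handler that only knows CertificateVerificationCallback, into a ClientException, so existing custom handlers now fail even when no password is needed for the RSA path. Treating an unsupported callback as "no password available" keeps them working, and the char[] obtained from the callback should be cleared once copied instead of being left inside the callback object; the String copy itself cannot be zeroed, which is worth stating in the Javadoc. The new field in DefaultCallbackHandler on this line is a raw `Map`; declare it `Map<String, String>` since handle() reads String values from it.
```java
    private String getChallengePassword(String profile) throws ClientException {
        PasswordCallback callback = new PasswordCallback("Enter challenge password"
                + (profile != null ? " for " + profile : ""), false);
        try {
            LOGGER.debug("Requesting challenge password.");
            handler.handle(new Callback[] { callback });
            char[] password = callback.getPassword();
            return password != null ? new String(password) : null;
        } catch (UnsupportedCallbackException e) {
            // handler offers no challenge password; only non-RSA recipients need one
            LOGGER.debug("CallbackHandler does not support PasswordCallback.");
            return null;
        } catch (Exception e) {
            LOGGER.debug("Requesting challenge password failed.");
            throw new ClientException(e);
        } finally {
            callback.clearPassword();
        }
    }
```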
@@ -23,8 +27,19 @@ public final class DefaultCallbackHandler implements CallbackHandler { * @param verifier * the verifier to use. */ - public DefaultCallbackHandler(final CertificateVerifier verifier) { + public DefaultCallbackHandler(final CertificateVerifier verifier, final Map passwords) { this.verifier = verifier; + this.passwords = passwords; + } + + /** + * Default callback handler that delegates verification to a verifier. + * + * @param verifier + * the verifier to use. + */ + public DefaultCallbackHandler(final CertificateVerifier verifier) { + this(verifier, new HashMap<>()); } /** @@ -36,6 +51,8 @@ public void handle(final Callback[] callbacks) throws IOException, for (Callback callback : callbacks) { if (callback instanceof CertificateVerificationCallback) { verify(CertificateVerificationCallback.class.cast(callback)); + } else if (callback instanceof PasswordCallback) { + handle(PasswordCallback.class.cast(callback)); } else { throw new UnsupportedCallbackException(callback); } @@ -52,4 +69,28 @@ private void verify(final CertificateVerificationCallback callback) { callback.setVerified(verifier.verify(callback.getCertificate())); } + /** + * Provide specific password based on profile name in callback's prompt. + * + * @param callback the callback to handle + */ + private void handle(final PasswordCallback callback) { + if (passwords == null) { + return; + } + if (passwords.size() == 1) { + // we have only one password, just return it + String password = passwords.get(passwords.keySet().iterator().next()); + if (password != null) { + callback.setPassword(password.toCharArray()); + } + } else { + // if we have many passwords, return one selected by profile name included in prompt + for (String key : passwords.keySet()) { + if (callback.getPrompt().contains(key)) { + callback.setPassword(passwords.get(key).toCharArray()); + } + } + } + } } 
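Review bot: The multi-password branch of handle(PasswordCallback) selects by `callback.getPrompt().contains(key)`, so a profile named `CA1` also matches the prompt for `CA10`, and when several keys match the winner depends on HashMap iteration order; a null map value additionally reaches `passwords.get(key).toCharArray()` and throws NPE. Since Client builds the prompt as `"Enter challenge password" + " for " + profile`, matching the suffix is unambiguous: `if (callback.getPrompt().endsWith(" for " + key) && passwords.get(key) != null) {` followed by a `break;` after setPassword. The single-password branch hands out that password for any profile, which is presumably intended but should be stated in the Javadoc. The two-argument constructor stores the caller's map without copying or null-checking; `this.passwords = passwords == null ? new HashMap<>() : new HashMap<>(passwords);` guards against later external mutation and removes the null branch in handle. The class header is outside the hunk; the raw `Map` type also appears in the constructor signature.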
diff --git a/src/main/java/org/jscep/message/PkcsPkiEnvelopeDecoder.java b/src/main/java/org/jscep/message/PkcsPkiEnvelopeDecoder.java index 8635cf50..4c1b7817 100644 --- a/src/main/java/org/jscep/message/PkcsPkiEnvelopeDecoder.java +++ b/src/main/java/org/jscep/message/PkcsPkiEnvelopeDecoder.java @@ -18,11 +18,8 @@ import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.cms.EnvelopedData; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.CMSEnvelopedData; -import org.bouncycastle.cms.CMSException; -import org.bouncycastle.cms.RecipientInformation; -import org.bouncycastle.cms.RecipientInformationStore; -import org.bouncycastle.cms.RecipientOperator; +import org.bouncycastle.cms.*; +import org.bouncycastle.cms.bc.BcPasswordEnvelopedRecipient; import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient; import org.bouncycastle.cms.jcajce.JceKeyTransRecipientId; import org.bouncycastle.operator.InputDecryptor; @@ -38,6 +35,7 @@ public final class PkcsPkiEnvelopeDecoder { private static final Logger LOGGER = getLogger(PkcsPkiEnvelopeDecoder.class); private final X509Certificate recipient; private final PrivateKey privKey; + private final String challengePassword; /** * Creates a {@code PkcsPkiEnveloperDecoder} for the provided certificate @@ -52,9 +50,10 @@ public final class PkcsPkiEnvelopeDecoder { * the key to unwrap the symmetric encrypting key. */ public PkcsPkiEnvelopeDecoder(final X509Certificate recipient, - final PrivateKey privKey) { + final PrivateKey privKey, final String challengePassword) { this.recipient = recipient; this.privKey = privKey; + this.challengePassword = challengePassword; } /** 
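Review bot: The decoder's only constructor now takes a third argument and, unlike PkcsPkiEnvelopeEncoder which keeps a deprecated delegating constructor, no two-argument overload is retained, so every external caller of `new PkcsPkiEnvelopeDecoder(recipient, privKey)` stops compiling. A delegating overload keeps them working: `public PkcsPkiEnvelopeDecoder(final X509Certificate recipient, final PrivateKey privKey) { this(recipient, privKey, null); }`. The constructor Javadoc also lacks a `@param challengePassword` entry; it should say the value may be null and is consulted only when the envelope carries a PasswordRecipientInfo. Replacing five explicit imports with `org.bouncycastle.cms.*` is a style regression for a file that otherwise lists imports individually.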
@@ -81,15 +80,27 @@ public byte[] decode(final CMSEnvelopedData pkcsPkiEnvelope) .get(new JceKeyTransRecipientId(recipient)); if (info == null) { - throw new MessageDecodingException( + info = recipientInfos.get(new PasswordRecipientId()); + + if (info == null) { + throw new MessageDecodingException( "Missing expected key transfer recipient " + recipient.getSubjectX500Principal()); + } } LOGGER.debug("pkcsPkiEnvelope encryption algorithm: {}", info .getKeyEncryptionAlgorithm().getAlgorithm()); try { - byte[] messageData = info.getContent(getKeyTransRecipient()); + byte[] messageData; + if (info.getRID().getType() == RecipientId.keyTrans) { + messageData = info.getContent(getKeyTransRecipient()); + } else if (info.getRID().getType() == RecipientId.password) { + messageData = info.getContent(getPasswordRecipient()); + } else { + throw new MessageDecodingException( + "Unsupported recipient type: " + info.getRID().getType()); + } LOGGER.debug("Finished decoding pkcsPkiEnvelope"); return messageData; } catch (CMSException e) { @@ -101,6 +112,10 @@ private JceKeyTransEnvelopedRecipient getKeyTransRecipient() { return new InternalKeyTransEnvelopedRecipient(privKey); } + private Recipient getPasswordRecipient() { + return new BcPasswordEnvelopedRecipient(challengePassword.toCharArray()); + } + private void validate(final CMSEnvelopedData pkcsPkiEnvelope) { EnvelopedData ed = EnvelopedData.getInstance(pkcsPkiEnvelope .toASN1Structure().getContent()); @@ -108,7 +123,7 @@ private void validate(final CMSEnvelopedData pkcsPkiEnvelope) { LOGGER.debug("pkcsPkiEnvelope encryptedContentInfo contentType: {}", ed .getEncryptedContentInfo().getContentType()); } - + private static class InternalKeyTransEnvelopedRecipient extends JceKeyTransEnvelopedRecipient { private static final String RSA = "RSA/ECB/PKCS1Padding"; private static final String DES = "DES"; 
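Review bot: In decode's new password branch a null challengePassword reaches `challengePassword.toCharArray()` inside getPasswordRecipient and surfaces as a NullPointerException rather than a MessageDecodingException, because the surrounding catch only handles CMSException. Guard it before the call: `if (challengePassword == null) { throw new MessageDecodingException("Envelope uses a password recipient but no challengePassword is configured"); }`. The fallback to `new PasswordRecipientId()` is taken whenever the key-transport recipient is absent, including when this decoder's own key is RSA; because a password-derived key-encryption key is generally much weaker than an RSA-wrapped one, consider accepting PasswordRecipientInfo only when the recipient's public key is not RSA, mirroring the encoder's isRecipientEncryptionCapable. The message `Missing expected key transfer recipient` is now raised after both lookups failed and should mention the password recipient as well. If non-ASCII passwords are possible, confirm that BcPasswordEnvelopedRecipient and JcePasswordRecipientInfoGenerator use the same password-to-bytes conversion scheme; decode starts outside the hunk.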
diff --git a/src/main/java/org/jscep/message/PkcsPkiEnvelopeEncoder.java b/src/main/java/org/jscep/message/PkcsPkiEnvelopeEncoder.java index a9f8acce..e9a3b219 100644 --- a/src/main/java/org/jscep/message/PkcsPkiEnvelopeEncoder.java +++ b/src/main/java/org/jscep/message/PkcsPkiEnvelopeEncoder.java @@ -18,6 +18,7 @@ import org.bouncycastle.cms.RecipientInfoGenerator; import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder; import org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator; +import org.bouncycastle.cms.jcajce.JcePasswordRecipientInfoGenerator; import org.bouncycastle.operator.OutputEncryptor; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -32,6 +33,7 @@ public final class PkcsPkiEnvelopeEncoder { private static final Logger LOGGER = LoggerFactory .getLogger(PkcsPkiEnvelopeEncoder.class); private final X509Certificate recipient; + private final String challengePassword; private final ASN1ObjectIdentifier encAlgId; /** @@ -43,7 +45,7 @@ public final class PkcsPkiEnvelopeEncoder { */ @Deprecated public PkcsPkiEnvelopeEncoder(final X509Certificate recipient) { - this(recipient, "DES"); + this(recipient, null, "DES"); } /** @@ -56,8 +58,10 @@ public PkcsPkiEnvelopeEncoder(final X509Certificate recipient) { * the encryption algorithm to use. */ public PkcsPkiEnvelopeEncoder(final X509Certificate recipient, + final String challengePassword, final String encAlg) { this.recipient = recipient; + this.challengePassword = challengePassword; this.encAlgId = getAlgorithmId(encAlg); } 
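Review bot: The (recipient, encAlg) constructor has been replaced rather than overloaded, so callers that build an encoder without a challenge password no longer compile even though the RSA path never uses the password; a delegating overload `public PkcsPkiEnvelopeEncoder(final X509Certificate recipient, final String encAlg) { this(recipient, null, encAlg); }` keeps them working, the same way the deprecated single-argument constructor already delegates. The three-argument constructor's Javadoc does not describe the new parameter; add `@param challengePassword the challengePassword used for PasswordRecipientInfo when the recipient key is not RSA; may be null otherwise.`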
@@ -77,8 +81,13 @@ public CMSEnvelopedData encode(final byte[] messageData) CMSTypedData envelopable = new CMSProcessableByteArray(messageData); RecipientInfoGenerator recipientGenerator; try { - recipientGenerator = new JceKeyTransRecipientInfoGenerator( + if (isRecipientEncryptionCapable()) { + recipientGenerator = new JceKeyTransRecipientInfoGenerator( recipient); + } else { + recipientGenerator = new JcePasswordRecipientInfoGenerator( + encAlgId, challengePassword.toCharArray()); + } } catch (CertificateEncodingException e) { throw new MessageEncodingException(e); } @@ -124,4 +133,16 @@ else if ("DESede".equals(encAlg)) { throw new IllegalArgumentException("Unknown algorithm: " + encAlg); } } + + /** + * Check if recipient's key can encrypt data. + * @return true if it can encrypt data + */ + private boolean isRecipientEncryptionCapable() { + // RFC8894 Section 3.1: If the key is encryption capable (for example, RSA), then the + // messageData is encrypted using the recipient's public key with the CMS KeyTransRecipientInfo + // mechanism. If the key is not encryption capable (for example, DSA or ECDSA), then the messageData is + // encrypted using the challengePassword with the CMS PasswordRecipientInfo mechanism. + return recipient != null && recipient.getPublicKey().getAlgorithm().equals("RSA"); + } } diff --git a/src/main/java/org/jscep/server/ScepServlet.java b/src/main/java/org/jscep/server/ScepServlet.java index 2de8a8e0..ea56114a 100644 --- a/src/main/java/org/jscep/server/ScepServlet.java +++ b/src/main/java/org/jscep/server/ScepServlet.java @@ -200,7 +200,7 @@ public final void service(final HttpServletRequest req, PkiMessage msg; try { PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder( - getRecipient(), getRecipientKey()); + getRecipient(), getRecipientKey(), getChallengePassword()); PkiMessageDecoder decoder = new PkiMessageDecoder(reqCert, envDecoder); msg = decoder.decode(sd); 
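Review bot: In encode, the non-RSA branch calls `challengePassword.toCharArray()` without a null check, so a recipient with an EC or DSA key and no configured password (the deprecated constructor passes null, and Client's callback may return null) fails with a NullPointerException that escapes the try block, which only catches CertificateEncodingException. Fail with a clear message instead, e.g. `if (challengePassword == null) { throw new MessageEncodingException("Recipient key is not encryption capable and no challengePassword is configured"); }` before constructing the generator (assuming MessageEncodingException has a message constructor like MessageDecodingException). The same `encAlgId` is passed as the key-encryption algorithm of JcePasswordRecipientInfoGenerator, so with the default "DES" the password-derived key-encryption key is single DES; since challenge passwords are often low-entropy, consider raising the key-derivation iteration count (`setSaltAndIterationCount` on the generator, if the pinned BC version offers it) and documenting the limitation in the class Javadoc. isRecipientEncryptionCapable treats only "RSA" as capable, which matches the RFC text quoted in its comment; encode starts outside the hunk.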
@@ -313,7 +313,7 @@ public final void service(final HttpServletRequest req, } PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder( - reqCert, "DESede"); + reqCert, getChallengePassword(), "DESede"); PkiMessageEncoder encoder = new PkiMessageEncoder(getSignerKey(), getSigner(), getSignerCertificateChain(), envEncoder); CMSSignedData signedData; @@ -571,6 +571,13 @@ protected abstract List doEnrol( final X509Certificate sender, final TransactionId transId) throws Exception; + /** + * Returns challenge password. + * + * @return challenge password + */ + protected abstract String getChallengePassword(); + /** * Returns the private key of the recipient entity represented by this SCEP * server. diff --git a/src/main/java/org/jscep/transport/response/Capabilities.java b/src/main/java/org/jscep/transport/response/Capabilities.java index fffad669..3b6a6fc9 100644 --- a/src/main/java/org/jscep/transport/response/Capabilities.java +++ b/src/main/java/org/jscep/transport/response/Capabilities.java 
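Review bot: Adding `protected abstract String getChallengePassword();` to ScepServlet forces every existing subclass to implement it, including servers whose recipient key is RSA and never need the value. A non-abstract default, `protected String getChallengePassword() { return null; }`, is source-compatible and, together with a null guard in PkcsPkiEnvelopeDecoder, still fails clearly for EC/DSA recipients. The Javadoc should state when the value is consulted (only for PasswordRecipientInfo envelopes) and that returning null is acceptable for RSA recipients. Both service() hunks now call getChallengePassword() per request, which makes the servlet a single server-wide password while DefaultCallbackHandler supports per-profile values; worth noting in the method's documentation.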
@@ -165,23 +165,39 @@ public MessageDigest getStrongestMessageDigest() { return null; } - public String getStrongestSignatureAlgorithm() { - if (sigExists("SHA512") && caps.contains(Capability.SHA_512)) { - return "SHA512withRSA"; - } else if (sigExists("SHA256") && caps.contains(Capability.SHA_256)) { - return "SHA256withRSA"; - } else if (sigExists("SHA1") && caps.contains(Capability.SHA_1)) { - return "SHA1withRSA"; - } else if (sigExists("MD5")) { - return "MD5withRSA"; + /** + * Return the strongest signature algorithm supported by the server for the specified key algorithm + * @param keyAlgorithm signing key algorithm name (as returned from PrivateKey.getAlgorithm() function) + * @return signature algorithm name + */ + public String getStrongestSignatureAlgorithm(String keyAlgorithm) { + if (keyAlgorithm.equals("EC")) { + keyAlgorithm = "ECDSA"; + } + if (sigExists("SHA512", keyAlgorithm) && caps.contains(Capability.SHA_512)) { + return "SHA512with" + keyAlgorithm; + } else if (sigExists("SHA256", keyAlgorithm) && caps.contains(Capability.SHA_256)) { + return "SHA256with" + keyAlgorithm; + } else if (sigExists("SHA1", keyAlgorithm) && caps.contains(Capability.SHA_1)) { + return "SHA1with" + keyAlgorithm; + } else if (sigExists("MD5", keyAlgorithm)) { + return "MD5with" + keyAlgorithm; } return null; } - private boolean sigExists(final String sig) { - return (algorithmExists("Signature", sig + "withRSA") - || algorithmExists("Signature", sig + "WithRSAEncryption")) - && digestExists(sig); + /** + * Return the strongest signature algorithm supported by the server for the RSA key + * @return signature algorithm name + */ + public String getStrongestSignatureAlgorithm() { + return getStrongestSignatureAlgorithm("RSA"); + } + + private boolean sigExists(final String dig, final String sig) { + return (algorithmExists("Signature", dig + "with" + sig) + || algorithmExists("Signature", dig + "With" + sig + "Encryption")) + && digestExists(dig); } private boolean 
digestExists(final String digest) { diff --git a/src/test/java/org/jscep/message/PkiMessageEncoderTest.java b/src/test/java/org/jscep/message/PkiMessageEncoderTest.java index dbe4af69..2df09c8f 100644 --- a/src/test/java/org/jscep/message/PkiMessageEncoderTest.java +++ b/src/test/java/org/jscep/message/PkiMessageEncoderTest.java @@ -145,6 +145,7 @@ public void invalidSignatureTest() throws Exception { KeyPair caPair = KeyPairGenerator.getInstance("RSA").generateKeyPair(); X509Certificate ca = X509Certificates.createEphemeral( new X500Principal("CN=CA"), caPair); + String challengePassword = "secret"; KeyPair clientPair = KeyPairGenerator.getInstance("RSA") .generateKeyPair(); @@ -153,12 +154,12 @@ public void invalidSignatureTest() throws Exception { // Everything below this line only available to client PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder(ca, - "DES"); + challengePassword, "DES"); PkiMessageEncoder encoder = new PkiMessageEncoder( clientPair.getPrivate(), client, envEncoder); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder(ca, - caPair.getPrivate()); + caPair.getPrivate(), challengePassword); PkiMessageDecoder decoder = new PkiMessageDecoder(client, envDecoder); @@ -238,6 +239,7 @@ public PkiMessage encodeAndDecodeEnvelope(String cipherAlgorithm) throws Exce KeyPair caPair = KeyPairGenerator.getInstance("RSA").generateKeyPair(); X509Certificate ca = X509Certificates.createEphemeral( new X500Principal("CN=CA"), caPair); + String challengePassword = "secret"; KeyPair clientPair = KeyPairGenerator.getInstance("RSA") .generateKeyPair(); 
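Review bot: getStrongestSignatureAlgorithm(String) reassigns its parameter and dereferences it without a null check (`keyAlgorithm.equals("EC")`), so a null key algorithm fails with a NullPointerException inside Capabilities rather than at the caller. Prefer `final String sigKeyAlg = "EC".equals(keyAlgorithm) ? "ECDSA" : keyAlgorithm;` (after an explicit null check, e.g. `Objects.requireNonNull` if java.util.Objects is imported) and use it in the sigExists calls. The MD5 fallback is kept and now extended to every key type; it is only reached when the JCE provider reports such a Signature, but the method can still return `null` (last statement) and Client passes that straight into PkiMessageEncoder, which the Javadoc `@return` should mention. The `"With" + sig + "Encryption"` spelling in sigExists only exists for RSA, which is harmless but deserves a one-line comment; the hunk's trailing context runs into digestExists.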
@@ -246,12 +248,12 @@ public PkiMessage encodeAndDecodeEnvelope(String cipherAlgorithm) throws Exce // Everything below this line only available to client PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder(ca, - cipherAlgorithm); + challengePassword, cipherAlgorithm); PkiMessageEncoder encoder = new PkiMessageEncoder( clientPair.getPrivate(), client, envEncoder); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder(ca, - caPair.getPrivate()); + caPair.getPrivate(), challengePassword); PkiMessageDecoder decoder = new PkiMessageDecoder(client, envDecoder); PkiMessage actual = decoder.decode(encoder.encode(message)); diff --git a/src/test/java/org/jscep/server/ScepServletImpl.java b/src/test/java/org/jscep/server/ScepServletImpl.java index 99a6851e..4089e254 100644 --- a/src/test/java/org/jscep/server/ScepServletImpl.java +++ b/src/test/java/org/jscep/server/ScepServletImpl.java @@ -60,6 +60,7 @@ public class ScepServletImpl extends ScepServlet { private X500Name name; private X500Name pollName; private BigInteger caSerial; + private String challengePassword; public void init(ServletContext context) { LOGGER.debug("INIT"); @@ -70,6 +71,7 @@ public void init() throws ServletException { name = new X500Name("CN=Certification Authority"); pollName = new X500Name("CN=Poll"); caSerial = BigInteger.TEN; + challengePassword = "password"; try { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); @@ -130,7 +132,7 @@ protected List doEnrol(PKCS10CertificationRequest csr, String password = CertificationRequestUtils.getChallengePassword(csr); if (password == null) { authorizeRenewal(sender); - } else if (!password.equals("password")) { + } else if (!password.equals(challengePassword)) { LOGGER.debug("Invalid password"); throw new OperationFailureException(FailInfo.badRequest); } 
@@ -227,6 +229,11 @@ protected List getNextCaCertificate(String identifier) { return Collections.emptyList(); } + @Override + protected String getChallengePassword() { + return challengePassword; + } + @Override protected PrivateKey getRecipientKey() { return priKey; diff --git a/src/test/java/org/jscep/server/ScepServletTest.java b/src/test/java/org/jscep/server/ScepServletTest.java index f6afbc51..fe0f4600 100644 --- a/src/test/java/org/jscep/server/ScepServletTest.java +++ b/src/test/java/org/jscep/server/ScepServletTest.java @@ -89,6 +89,7 @@ public class ScepServletTest { private String goodIdentifier; private String badIdentifier; private TransportFactory transportFactory; + private String challengePassword; @Before public void configureFixtures() throws Exception { @@ -103,6 +104,7 @@ public void configureFixtures() throws Exception { pubKey = keyPair.getPublic(); sender = generateCertificate(); transportFactory = new UrlConnectionTransportFactory(); + challengePassword = "secret"; } @@ -194,12 +196,12 @@ public void getNextCaCertificateBad() throws Exception { public void testGetCRL() throws Exception { IssuerAndSerialNumber iasn = new IssuerAndSerialNumber(name, goodSerial); PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder( - getRecipient(), "DESede"); + getRecipient(), challengePassword, "DESede"); PkiMessageEncoder encoder = new PkiMessageEncoder(priKey, sender, envEncoder); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder(sender, - priKey); + priKey, challengePassword); PkiMessageDecoder decoder = new PkiMessageDecoder(getRecipient(), envDecoder); 
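Review bot: None of the updated fixtures exercise the new PasswordRecipientInfo path: every key pair in these tests is generated with "RSA", so the challengePassword passed to the encoders and decoders is never consumed, and the mismatch between `challengePassword = "secret"` in ScepServletTest and `challengePassword = "password"` in ScepServletImpl goes unnoticed. Add at least one round trip with an EC key pair (`KeyPairGenerator.getInstance("EC")`) through PkcsPkiEnvelopeEncoder/PkcsPkiEnvelopeDecoder, including a wrong-password and a null-password case, so the new branches in encode, decode and getStrongestSignatureAlgorithm are covered; the same applies to the PkiMessageEncoderTest hunks.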
@@ -215,12 +217,12 @@ public void testGetCRL() throws Exception { public void testGetCertBad() throws Exception { IssuerAndSerialNumber iasn = new IssuerAndSerialNumber(name, badSerial); PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder( - getRecipient(), "DES"); + getRecipient(), challengePassword, "DES"); PkiMessageEncoder encoder = new PkiMessageEncoder(priKey, sender, envEncoder); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder(sender, - priKey); + priKey, challengePassword); PkiMessageDecoder decoder = new PkiMessageDecoder(getRecipient(), envDecoder); @@ -238,12 +240,12 @@ public void testEnrollmentGet() throws Exception { "password".toCharArray()); PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder( - getRecipient(), "DESede"); + getRecipient(), challengePassword, "DESede"); PkiMessageEncoder encoder = new PkiMessageEncoder(priKey, sender, envEncoder); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder(sender, - priKey); + priKey, challengePassword); PkiMessageDecoder decoder = new PkiMessageDecoder(getRecipient(), envDecoder); @@ -261,12 +263,12 @@ public void testEnrollmentPost() throws Exception { "password".toCharArray()); PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder( - getRecipient(), "DES"); + getRecipient(), challengePassword, "DES"); PkiMessageEncoder encoder = new PkiMessageEncoder(priKey, sender, envEncoder); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder(sender, - priKey); + priKey, challengePassword); PkiMessageDecoder decoder = new PkiMessageDecoder(getRecipient(), envDecoder); 
@@ -284,12 +286,12 @@ public void testEnrollmentWithPoll() throws Exception { "password".toCharArray()); PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder( - getRecipient(), "DES"); + getRecipient(), challengePassword, "DES"); PkiMessageEncoder encoder = new PkiMessageEncoder(priKey, sender, envEncoder); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder(sender, - priKey); + priKey, challengePassword); PkiMessageDecoder decoder = new PkiMessageDecoder(getRecipient(), envDecoder); @@ -312,12 +314,12 @@ public void testEnrollmentNotAuthorized() throws Exception { PKCS10CertificationRequest csr = getCsr(name, pubKey, priKey); PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder( - getRecipient(), "DES"); + getRecipient(), challengePassword, "DES"); PkiMessageEncoder encoder = new PkiMessageEncoder(priKey, sender, envEncoder); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder(sender, - priKey); + priKey, challengePassword); PkiMessageDecoder decoder = new PkiMessageDecoder(getRecipient(), envDecoder); @@ -336,12 +338,12 @@ public void testRenewal() throws Exception { "password".toCharArray()); PkcsPkiEnvelopeEncoder envEncoder = new PkcsPkiEnvelopeEncoder( - getRecipient(), "DES"); + getRecipient(), challengePassword, "DES"); PkiMessageEncoder encoder = new PkiMessageEncoder(priKey, sender, envEncoder); PkcsPkiEnvelopeDecoder envDecoder = new PkcsPkiEnvelopeDecoder(sender, - priKey); + priKey, challengePassword); PkiMessageDecoder decoder = new PkiMessageDecoder(getRecipient(), envDecoder); 
@@ -362,7 +364,7 @@ public void testRenewal() throws Exception { PublicKey newPubKey = keyPair.getPublic(); csr = getCsr(name, newPubKey, newPriKey); encoder = new PkiMessageEncoder(priKey, prevCertificate, envEncoder); - envDecoder = new PkcsPkiEnvelopeDecoder(prevCertificate, priKey); + envDecoder = new PkcsPkiEnvelopeDecoder(prevCertificate, priKey, challengePassword); decoder = new PkiMessageDecoder(getRecipient(), envDecoder); t = new EnrollmentTransaction(transport, encoder, decoder, csr); State renewalSate = t.send(); diff --git a/src/test/java/org/jscep/transport/AbstractTransportTest.java b/src/test/java/org/jscep/transport/AbstractTransportTest.java index 82f88e53..f23642db 100644 --- a/src/test/java/org/jscep/transport/AbstractTransportTest.java +++ b/src/test/java/org/jscep/transport/AbstractTransportTest.java @@ -32,6 +32,7 @@ abstract public class AbstractTransportTest { protected Proxy proxy; protected Transport transport; private Server server; + private String challengePassword; @Before public void setUp() throws Exception { @@ -41,6 +42,7 @@ public void setUp() throws Exception { + server.getConnectors()[0].getLocalPort() + "/"); proxy = Proxy.NO_PROXY; transport = getTransport(url); + challengePassword = "secret"; } abstract protected Transport getTransport(URL url); @@ -55,7 +57,7 @@ public void test404() throws Exception { KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair(); PkcsPkiEnvelopeEncoder envEnc = new PkcsPkiEnvelopeEncoder( - getCertificate(keyPair), "DES"); + getCertificate(keyPair), challengePassword, "DES"); PkiMessageEncoder enc = new PkiMessageEncoder(keyPair.getPrivate(), getCertificate(keyPair), envEnc);