com.iplanet.trustbase.initiator.dsms
Class CSCEngine

java.lang.Object
  |
  +--com.iplanet.trustbase.initiator.dsms.CSCEngine

public class CSCEngine

extends java.lang.Object

The CSCEngine is the driver class for the CSC framework it selects a suitable Protocol Adapter based on the preferred or default protocol specified in the Config Adapter. The Config Adapter property it uses is "csc.preferred.oid" If no specification is made in the Config Adapter then it checks for a resource in "com/iplanet/trustbase/identrus/dsms/dsms.properties" called "csc.preferred.oid.default". Finally if that is not specified it uses "1.2.840.114021.4.1" - which is the standard TC oid.

See Also:

ConfigAdapter, InitiatorException, ConfigAdapterException, TransportAdapterException, TransportAdapter, StatusCheckData, CertStatus, ProtocolAdapter, ExceptionCodes, PropertyCodes

Field Summary

static java.lang.String	IDENTRUS_OID
static java.lang.String	IDENTRUS_PROTOCOL
static java.lang.String	OCSP_OID
static java.lang.String	OCSP_PROTOCOL

Constructor Summary

CSCEngine(ConfigAdapter configAdapter)
Construct a CSCEngine The config information used is summarised below.

Method Summary

static java.util.Collection	getCertificateFromPkcs7(byte[] pkcs7SignedBlock, byte[] signText) Convenience method provided for full complience with Identrus DSMS specification see IT-DSMSSP Version 2.0 for details.
static java.lang.String	getResourceProperty(java.lang.String key) Get a resource property from the the classpath resource.
protected StatusCheckData[]	getStatus(java.security.cert.X509Certificate[] certificatePath, boolean acquireProof, boolean generateNonce, java.lang.StringBuffer nonceValue)
StatusCheckData[]	getStatus(java.security.cert.X509Certificate[] certificatePath, boolean aquireProof, byte[] bnonceValue) Get the status of a certificate uses a nonce value that the user specified.
StatusCheckData[]	getStatus(java.security.cert.X509Certificate[] certificatePath, boolean acquireProof, java.lang.StringBuffer nonceValue) Get the status of a certificate as above except the engine generates its own nonce and fills in the nonceValue parameter with it.
boolean	validateStatus(StatusCheckData[] statusCheckData, java.security.cert.X509Certificate[] certificatePath, boolean acquireProof, byte[] nonceValue) Validate the StatusCheckData according to the specified parameters.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

IDENTRUS_PROTOCOL

public static java.lang.String IDENTRUS_PROTOCOL

OCSP_PROTOCOL

public static java.lang.String OCSP_PROTOCOL

IDENTRUS_OID

public static java.lang.String IDENTRUS_OID

OCSP_OID

public static java.lang.String OCSP_OID

Constructor Detail

CSCEngine

public CSCEngine(ConfigAdapter configAdapter)

Construct a CSCEngine The config information used is summarised below.

Property	Description	Default
csc.preferred.protocol	The protocol name to use when conduction transactions - this is a short hand version of csc.preferred.oid. The values that are acceptable are "identrus" and "ocsp".
csc.preferred.oid	The protocol oid to use when conducting transactions.	1.2.840.114021.4.1
csc.preferred.version	The version of the protocol to use when conduction transactions - version 0 means the latest.	0
csc.location.default	The default URL to use for status checks.	none
csc.location.forceDefault	("true" or "false") Whether to ignore the AIA extension in a certificate (if present)	false
csc.maxProofResponseAge	The length of time in seconds that a freshness proof is considered valid for, under the XML wrapped OCSP protocol A re-request is carried out if the freshness proof is older then this. The age of the freshness proof is determined by the OCSP produced at time.
csc.createSignedOCSP	Controls whether the DSMS generates signed OCSP messages - this setting is overriden for XML transactions.	false
csc.verifySignedOCSP	Controls whether the DSMS demands that OCSP responses be signed - this setting is overriden for XML transactions.	false
csc.location.rpResponderProxy	Controls where to send requests for the RP's Signing certificate - if this is not set then these checks are sent to the same location as the the client requests.	none
csc.messageFactory.<objectIdentifier>	The message factory to use for the specified OID
csc.transport.defaultProtocol	The default protocol to use (e.g. "http")
csc.transport.	The transport adapter to use for the specified protocol (e.g. csc.transport.https=com.acme.transport.HTTPSTransportAdapter)
csc.clipBase64Lines	Defines whether or to clip base64 lines.

Parameters:

configAdapter - the interface to the config information that will be used in constructing the request.

Method Detail

getCertificateFromPkcs7

public static java.util.Collection getCertificateFromPkcs7(byte[] pkcs7SignedBlock,
                                                           byte[] signText)
                                                    throws CSCException

Convenience method provided for full complience with Identrus DSMS specification see IT-DSMSSP Version 2.0 for details. The Routine extracts the certificate from a signed pkcs7 signed block and checks that it actually signed the text you supplied in the signText parameter. Exceptions codes that can be Thrown from this method are :-

Code	Description
ExceptionCodes.CSC_NO_CERTIFICATES_TO_CHECK	indicating that no certificates where contained within the signed block
ExceptionCodes.CSC_INVALID_SIGNATURE_ON_PKCS7_SIGNED_BLOCK	indicating an invalid signature on the pkcs7 block

Parameters:

pkcs7SignedBlock - The base64 raw data block.

signText - The data that is alledged to have been signed during creation of the signedDataBlock.

Returns:

A collection which has in it the certificate that signed the data.

Throws:

CSCException - if it cannot decode / extract / validate the pkcs7 block

getStatus

public StatusCheckData[] getStatus(java.security.cert.X509Certificate[] certificatePath,
                                   boolean aquireProof,
                                   byte[] bnonceValue)
                            throws CSCException,
                                   TransportAdapterException,
                                   ConfigAdapterException

Get the status of a certificate uses a nonce value that the user specified. Exception codes generated in this class are as follows:

Code	Arguments	Description
ExceptionCodes.CSC_OCSP_X509_ERROR		There was an error decoding a certificate
ExceptionCodes.CSC_MALFORMED_URL	String:url	Malformed location URL
ExceptionCodes.CSC_TRANSPORT_UNSPECIFIED	String:location	Could not find a transport adapter for the location
ExceptionCodes.CSC_INVALID_TRANSPORT_ADAPTER	String:className	Specified class not a TransportAdapter
ExceptionCodes.CSC_NO_DEFAULT_MESSAGE_FACTORY	String: defaultType	Cannot determine which MessageFactory to use
ExceptionCodes.CSC_INVALID_MESSAGE_FACTORY	String:className	Specified class not a MessageFactory to use
ExceptionCodes.CSC_CLASS_LOAD	String:className	Error loading / instantiating specified class
ExceptionCodes.CSC_NO_DEFAULT_LOCATION		No location could be determined

Parameters:

certificatePath - the chain to be checked, in the identrus protocol this means a check is performed on all certificates in the chain excluding the root certificate. In the OCSP protocol only the leaf certificate is checked.

acquireProof - are status proofs required for the delivered signing certificates. This setting is not applied when operating using the OCSP protocol.

nonceValue - the nonce value to use for the check.

Returns:

the status information pertaining to the check

Throws:

ConfigAdapterException - if the supplied config adapter is unable to retrieve a property, and wishes to stop execution. The message in this exception is generated by the host system.

CSCException - if there is an error performing the check.

See Also:

com.iplanet.trustbase.identrus.dsms.CSCException, com.iplanet.trustbase.identrus.dsms.ConfigAdapterException

getStatus

public StatusCheckData[] getStatus(java.security.cert.X509Certificate[] certificatePath,
                                   boolean acquireProof,
                                   java.lang.StringBuffer nonceValue)
                            throws CSCException,
                                   ConfigAdapterException,
                                   TransportAdapterException

Get the status of a certificate as above except the engine generates its own nonce and fills in the nonceValue parameter with it. Exception codes generated are as above.

Parameters:

certificatePath - the chain to be checked, in the identrus protocol this means a check is performed on all certificates in the chain excluding the root certificate. In the OCSP protocol only the leaf certificate is checked.

acquireProof - are status proofs required for the delivered signing certificates. This setting is not applied when operating using the OCSP protocol.

nonceValue - this StringBuffer is filled in with the value of the nonce used.

Throws:

ConfigAdapterException - if the supplied config adapter is unable to retrieve a property and wishes to terminate execution.

CSCException - if there is an error performing the check.

See Also:

com.iplanet.trustbase.identrus.dsms.ConfigAdapterException, com.iplanet.trustbase.identrus.dsms.CSCException

validateStatus

public boolean validateStatus(StatusCheckData[] statusCheckData,
                              java.security.cert.X509Certificate[] certificatePath,
                              boolean acquireProof,
                              byte[] nonceValue)
                       throws CSCException,
                              TransportAdapterException,
                              ConfigAdapterException

Validate the StatusCheckData according to the specified parameters. The Exception codes generated by this call are as follows :
*

Code	Description
ExceptionCodes.CSC_UNIMPLEMENTED	An operation has been requested that the protocol does not support.
ExceptionCodes.CSC_NO_STATUSES_RECEIVED	No statuses where given to the validate method.
ExceptionCodes.CSC_NO_CERTIFICATES_TO_CHECK	No Certificates where provided to check status of.
ExceptionCodes.CSC_RECEIVED_ERROR_CERT_STATUS	One of more the statuses was a CertStatus.ERROR.
ExceptionCodes.CSC_RECEIVED_MISMATCHED_NONCE	The nonce sent is not the same as the nonce received.
ExceptionCodes.CSC_MISSING_SIGNINGCHAIN_FROM_RESPONSE	No signing chain could be extracted from the response.
ExceptionCodes.CSC_STATUS_MISSING_FOR_REQUEST_CERT	One or more of the request certs has not been returned with a status.
ExceptionCodes.CSC_RECEIVED_BAD_STATUS_REQUEST_CERT	One or more of the requested certs has a bad status ie CertStatus.UNKNOWN or CertStatus.REVOKED.
ExceptionCodes.CSC_RECEIVED_BAD_STATUS_PROOF_CERT	The signing cert proof has a bad status ie CertStatus.UNKNOWN or CertStatus.REVOKED.
ExceptionCodes.CSC_STATUS_MISSING_FOR_PROOF_CERT	The status for the signing cert is not present in the request.

Parameters:

statusCheckData - the status data produced by a getStatus call.

certificatePath - the certificatePath that was checked with the getStatus call.

acquireProof - do we require proofs for the delivered signing certificate.

nonceValue - the nonce value that was used in the getStatus call.

Throws:

ConfigAdapterException - if the supplied Config Adapter cannot retrieve a property and wishes to terminate execution.

CSCException - If the check does not validate.

getStatus

protected StatusCheckData[] getStatus(java.security.cert.X509Certificate[] certificatePath,
                                      boolean acquireProof,
                                      boolean generateNonce,
                                      java.lang.StringBuffer nonceValue)
                               throws CSCException,
                                      TransportAdapterException,
                                      ConfigAdapterException

getResourceProperty

public static java.lang.String getResourceProperty(java.lang.String key)

Get a resource property from the the classpath resource.

Parameters:

key - the key to retrieve from the resource.