org.bouncycastle.est

Class ESTService

java.lang.Object

org.bouncycastle.est.ESTService

public class ESTService
extends java.lang.Object

ESTService provides unified access to an EST server which is defined as implementing RFC7030.

Field Summary

Fields

Modifier and Type	Field and Description
protected static java.lang.String	CACERTS
protected static java.lang.String	CSRATTRS
protected static java.lang.String	FULLCMC
protected static java.util.Set<java.lang.String>	illegalParts
protected static java.lang.String	SERVERGEN
protected static java.lang.String	SIMPLE_ENROLL
protected static java.lang.String	SIMPLE_REENROLL

Method Summary

Modifier and Type	Method and Description
protected EnrollmentResponse	enroll(boolean reenroll, PKCS10CertificationRequest certificationRequest, ESTAuth auth, boolean certGen) Perform a simple enrollment operation.
EnrollmentResponse	enrollPop(boolean reEnroll, PKCS10CertificationRequestBuilder builder, ContentSigner contentSigner, ESTAuth auth, boolean certGen) Implements Enroll with PoP.
CACertsResponse	getCACerts() Query the EST server for ca certificates.
CSRRequestResponse	getCSRAttributes() Fetch he CSR Attributes from the server.
protected EnrollmentResponse	handleEnrollResponse(ESTResponse resp) Handles an enrollment response, deals with status codes and setting of delays.
EnrollmentResponse	simpleEnroll(boolean reenroll, PKCS10CertificationRequest certificationRequest, ESTAuth auth) Perform a simple enrollment operation.
EnrollmentResponse	simpleEnroll(EnrollmentResponse priorResponse) Reissue an existing request where the server had previously returned a 202.
EnrollmentResponse	simpleEnrollPoP(boolean reEnroll, PKCS10CertificationRequestBuilder builder, ContentSigner contentSigner, ESTAuth auth) Implements Enroll with PoP.
EnrollmentResponse	simpleEnrollPopWithServersideCreation(PKCS10CertificationRequestBuilder builder, ContentSigner contentSigner, ESTAuth auth) Simple enrollment with PoP and server side creation of keys.
EnrollmentResponse	simpleEnrollWithServersideCreation(PKCS10CertificationRequest certificationRequest, ESTAuth auth) Perform a simple enrollment operation.
static X509CertificateHolder[]	storeToArray(org.bouncycastle.util.Store<X509CertificateHolder> store) Utility method to extract all the X509Certificates from a store and return them in an array.
static X509CertificateHolder[]	storeToArray(org.bouncycastle.util.Store<X509CertificateHolder> store, org.bouncycastle.util.Selector<X509CertificateHolder> selector) Utility method to extract all the X509Certificates from a store using a filter and to return them as an array.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CACERTS

protected static final java.lang.String CACERTS

See Also:

Constant Field Values

SIMPLE_ENROLL

protected static final java.lang.String SIMPLE_ENROLL

See Also:

Constant Field Values

SIMPLE_REENROLL

protected static final java.lang.String SIMPLE_REENROLL

See Also:

Constant Field Values

FULLCMC

protected static final java.lang.String FULLCMC

See Also:

Constant Field Values

SERVERGEN

protected static final java.lang.String SERVERGEN

See Also:

Constant Field Values

CSRATTRS

protected static final java.lang.String CSRATTRS

See Also:

Constant Field Values

illegalParts

protected static final java.util.Set<java.lang.String> illegalParts

Method Detail

storeToArray

public static X509CertificateHolder[] storeToArray(org.bouncycastle.util.Store<X509CertificateHolder> store)

Utility method to extract all the X509Certificates from a store and return them in an array.

Parameters:

store - The store.

Returns:

An arrar of certificates/

storeToArray

public static X509CertificateHolder[] storeToArray(org.bouncycastle.util.Store<X509CertificateHolder> store,
                                                   org.bouncycastle.util.Selector<X509CertificateHolder> selector)

Utility method to extract all the X509Certificates from a store using a filter and to return them as an array.

Parameters:

store - The store.

selector - The selector.

Returns:

An array of X509Certificates.

getCACerts

public CACertsResponse getCACerts()
                           throws ESTException

Query the EST server for ca certificates.

RFC7030 leans heavily on the verification phases of TLS for both client and server verification.

It does however define a bootstrapping mode where if the client does not have the necessary ca certificates to validate the server it can defer to an external source, such as a human, to formally accept the ca certs.

If callers are using bootstrapping they must examine the CACertsResponse and validate it externally.

Returns:

A store of X509Certificates.

Throws:

ESTException

simpleEnroll

public EnrollmentResponse simpleEnroll(EnrollmentResponse priorResponse)
                                throws java.lang.Exception

Reissue an existing request where the server had previously returned a 202.

Parameters:

priorResponse - The prior response.

Returns:

A new ESTEnrollmentResponse

Throws:

java.lang.Exception

enroll

protected EnrollmentResponse enroll(boolean reenroll,
                                    PKCS10CertificationRequest certificationRequest,
                                    ESTAuth auth,
                                    boolean certGen)
                             throws java.io.IOException

Perform a simple enrollment operation.

This method accepts an ESPHttpAuth instance to provide basic or digest authentication.

If authentication is to be performed as part of TLS then this instances client keystore and their keystore password need to be specified.

Parameters:

certificationRequest - The certification request.

auth - The http auth provider, basic auth or digest auth, can be null.

certGen - if true, request server key generation

Returns:

The enrolled certificate.

Throws:

java.io.IOException

simpleEnroll

public EnrollmentResponse simpleEnroll(boolean reenroll,
                                       PKCS10CertificationRequest certificationRequest,
                                       ESTAuth auth)
                                throws java.io.IOException

Perform a simple enrollment operation.

This method accepts an ESPHttpAuth instance to provide basic or digest authentication.

If authentication is to be performed as part of TLS then this instances client keystore and their keystore password need to be specified.

Parameters:

reenroll - true for enrollment.

certificationRequest - The certification request.

auth - The http auth provider, basic auth or digest auth, can be null.

Returns:

The enrolled certificate.

Throws:

java.io.IOException

simpleEnrollWithServersideCreation

public EnrollmentResponse simpleEnrollWithServersideCreation(PKCS10CertificationRequest certificationRequest,
                                                             ESTAuth auth)
                                                      throws java.io.IOException

Perform a simple enrollment operation.

This method accepts an ESPHttpAuth instance to provide basic or digest authentication.

If authentication is to be performed as part of TLS then this instances client keystore and their keystore password need to be specified.

Parameters:

certificationRequest - The certification request.

auth - The http auth provider, basic auth or digest auth, can be null.

Returns:

The enrolled certificate.

Throws:

java.io.IOException

enrollPop

public EnrollmentResponse enrollPop(boolean reEnroll,
                                    PKCS10CertificationRequestBuilder builder,
                                    ContentSigner contentSigner,
                                    ESTAuth auth,
                                    boolean certGen)
                             throws java.io.IOException

Implements Enroll with PoP. Request will have the tls-unique attribute added to it before it is signed and completed.

Parameters:

reEnroll - True = re enroll.

builder - The request builder.

contentSigner - The content signer.

auth - Auth modes.

certGen - if true will request server key generation.

Returns:

Enrollment response.

Throws:

java.io.IOException

simpleEnrollPoP

public EnrollmentResponse simpleEnrollPoP(boolean reEnroll,
                                          PKCS10CertificationRequestBuilder builder,
                                          ContentSigner contentSigner,
                                          ESTAuth auth)
                                   throws java.io.IOException

Implements Enroll with PoP. Request will have the tls-unique attribute added to it before it is signed and completed.

Parameters:

reEnroll - True = re enroll.

builder - The request builder.

contentSigner - The content signer.

auth - Auth modes.

Returns:

Enrollment response.

Throws:

java.io.IOException

simpleEnrollPopWithServersideCreation

public EnrollmentResponse simpleEnrollPopWithServersideCreation(PKCS10CertificationRequestBuilder builder,
                                                                ContentSigner contentSigner,
                                                                ESTAuth auth)
                                                         throws java.io.IOException

Simple enrollment with PoP and server side creation of keys.

Parameters:

builder - The request builder.

contentSigner - The content signer

auth - Auth modes

Returns:

Enrollment Response

Throws:

java.io.IOException

handleEnrollResponse

protected EnrollmentResponse handleEnrollResponse(ESTResponse resp)
                                           throws java.io.IOException

Handles an enrollment response, deals with status codes and setting of delays.

Parameters:

resp - The response.

Returns:

An EnrollmentResponse.

Throws:

java.io.IOException

getCSRAttributes

public CSRRequestResponse getCSRAttributes()
                                    throws ESTException

Fetch he CSR Attributes from the server.

Returns:

A CSRRequestResponse with the attributes.

Throws:

ESTException