CMP through RSA BSAFE(R) Share for JavaTM Platform

  • Roman - 2013-10-22

    Does anybody have experience with configuring CMP and using RSA BSAFE(R) Share for Java(TM) Platform as a CMP client?

    I would like to use EJBCA CMP in Client mode so I configured conf/cmp.properties:
    cmp.defaultca=
    cmp.extractusernamecomponent=CN
    cmp.operationmode=normal
    cmp.authenticationmodule=RegTokenPwd;HMAC
    cmp.authenticationparameters=-;-
    cmp.ra.authenticationsecret=
    cmp.checkadminauthorization=false
    cmp.allowautomatickeyupdate=false
    cmp.allowupdatewithsamekey=true
    cmp.allowraverifypopo=false
    cmp.responseprotection=signature
    #cmp.ra.namegenerationscheme=DN
    #cmp.racertificatepath=/tmp/racerts
    #cmp.ra.namegenerationparameters=CN
    #cmp.ra.namegenerationprefix=
    #cmp.ra.namegenerationpostfix=
    #cmp.ra.passwordgenparams=
    #cmp.ra.allowcustomcertserno=false
    #cmp.ra.endentityprofile=EMPTY
    #cmp.ra.certificateprofile=ENDUSER
    #cmp.ra.caname=AdminCA1
    #cmp.tcp.enabled=false
    #cmp.tcp.portno=829
    #cmp.tcp.logdir=./log
    #cmp.tcp.conffile=
    #cmp.tcp.bindadress=0.0.0.0
    #cmp.certreqhandler.class=org.ejbca.core.protocol.unid.UnidFnrHandler
    #cmp.uniddatasource=java:/UnidDS

    I have only one CA installed, named TestAdminCA01, and I have created an end entity named TestC with the following DN and attributes:

    Username: TestC
    Password: TestC
    End Entity Profile: EMPTY
    Batch generation: No
    E-mail address: test@test.com
    DN: CN=TestC
    Certificate Profile: ENDUSER
    CA: TestAdminCA01
    Token: User Generated

    In the Certification Authorities I set for the TestAdminCA01 the CMP RA Authentication Secret as "password". This is the whole configuration I made on the EJBCA side.

    Now I installed RSA BSAFE(R) Share for JavaTM Platform and tried to use the following class to request the certificate for end entity TestC:

    /*
     * Copyright (c) 1997-2012 EMC Corporation. All rights reserved.
     *
     * This file shall only be used to demonstrate how to interface to an
     * EMC Corporation licensed development product.
     *
     * You have a royalty-free right to use, reproduce and distribute this
     * demonstration file, provided that you agree that EMC Corporation has no
     * warranty, implied or otherwise, or liability for this demonstration file
     * (including any modified version).  This software is provided "as is"
     * without warranties or representations of any kind. EMC Corporation
     * disclaims all conditions and warranties, statutory and otherwise, both
     * express and implied, with respect to the software, its quality and
     * performance, including but not limited to, all implied warranties of
     * merchantability, fitness for a particular purpose, title and
     * noninfringement of third party rights. Without limiting the foregoing,
     * EMC Corporation does not warrant that the software is error-free or that
     * errors in the product will be corrected. You agree that EMC Corporation
     * shall not be liable for any direct, indirect, incidental, special,
     * consequential, punitive or other damages whatsoever resulting from your use
     * of this software or any modified version.
     *
     */
    package jce.cmp;
    
    import java.math.BigInteger;
    import java.net.UnknownHostException;
    import java.security.GeneralSecurityException;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.SecureRandom;
    import java.security.cert.X509Certificate;
    
    import javax.security.auth.x500.X500Principal;
    
    import jce.common.CertUtil;
    import jce.common.JCESample;
    import jce.common.RSAKeyUtil;
    import util.Print;
    import util.SampleFailedException;
    
    import com.rsa.jsafe.cert.CertRequest;
    import com.rsa.jsafe.cert.CertRequestFactory;
    import com.rsa.jsafe.cert.GeneralName;
    import com.rsa.jsafe.cert.cmp.CMPController;
    import com.rsa.jsafe.cert.cmp.CMPException;
    import com.rsa.jsafe.cert.cmp.CMPMessage;
    import com.rsa.jsafe.cert.cmp.CMPRequestMessage;
    import com.rsa.jsafe.cert.cmp.CMPResponseMessage;
    import com.rsa.jsafe.cert.cmp.CertConfirmationMessageImpl;
    import com.rsa.jsafe.cert.cmp.CertRequestMessageImpl;
    import com.rsa.jsafe.cert.cmp.CertResponse;
    import com.rsa.jsafe.cert.cmp.CertResponseMessage;
    import com.rsa.jsafe.cert.cmp.HttpCMPServerConfig;
    import com.rsa.jsafe.cert.cmp.MACProtection;
    import com.rsa.jsafe.cert.cmp.MessageHeaderInfo;
    import com.rsa.jsafe.cert.cmp.StatusInfo;
    import com.rsa.jsafe.cert.crmf.CRMFParameterSpec;
    import com.rsa.jsafe.cert.crmf.CertTemplateSpec;
    import com.rsa.jsafe.cert.crmf.ControlsSpec;
    
    /*
     * This sample demonstrates how an uninitialized end-entity can request its
     * (first) certificate for a signing key from a CA, and process the response.
     *
     * The message exchange shall typically consist of four messages:
     * 1. End-entity -> CA: Initialization Request
     * 2. CA -> End-entity: Initialization Response
     * 3. End-entity -> CA: Certificate Confirmation
     * 4. CA -> End-entity: Confirmation Message.
     *
     * However, the CA may respond with an Error Message if there
     * is a problem processing a request message from the End-entity.
     */
    public class CMPCertRequestCAGenKey extends JCESample {
    
        public static void main(String[] args) throws Exception {
            Print.jdkVersion();
            CMPCertRequestCAGenKey sample = new CMPCertRequestCAGenKey();
    
            // The sample as written shall not complete as it uses
            // a dummy server address.
            try {
                sample.runSample();
            } catch (CMPException e) {
                if (e.getCause() instanceof UnknownHostException) {
                    Print.println("CMP server requires configuration.");
                } else {
                    throw e;
                }
            }
        }
    
        public void runSample() throws Exception {
    
            Print.beginSample("CMPCertRequestCAGenKey");
    
            // Add the JsafeJCE provider.
            Print.println("Creating and adding JsafeJCE provider.");
            addJsafeJCE();
    
            /*
             * The successful completion of this CMP message exchange
             * requires the following:
             *  - Sender has the CA (server) certificate.
             *  - Sender has received an Initial Authentication Key (IAK)
             *    from the CA. This is the shared secret between entities.
             *  - Sender has received reference number from the CA, which
             *    is used by server to identify the IAK.
             *  - Sender has an encryption key pair to use for encrypting/decrypting
             *    of the CA-generated private key.
             */
            X509Certificate caCert = (X509Certificate) CertUtil.loadCertificate(
                    "/data/certs/TestAdminCA01.cacert.crt");
            byte[] senderId = "CN=TestC".getBytes();
            char[] sharedSecret = "password".toCharArray();
    
            PublicKey encryptionKey = RSAKeyUtil.getPublic();
            PrivateKey decryptionKey = RSAKeyUtil.getPrivate();
    
            /*
             * A random number generator will be used for random bytes required for
             * the certificate request transaction.
             */
            SecureRandom random = SecureRandom.getInstance("ECDRBG", "JsafeJCE");
    
            /*
             * Specify the URL address of the CMP CA Server running over TCP using
             * the TcpCMPServerConfig object.
             * If the server runs over HTTP, then HttpCMPServerConfig can be used.
             * Note that since this is a sample, a dummy address is given.
             * This should be replaced with a valid CMP server address.
             */
            //TcpCMPServerConfig serverConfig = new TcpCMPServerConfig(
            //        "<sample-cmp-server-address>", DEFAULT_TCP_CMP_PORT);
    
            HttpCMPServerConfig serverConfig = new HttpCMPServerConfig("http://localhost:8080/ejbca/publicweb/cmp");
    
            /*
             * Create a CMP controller with the server information. This controller
             * is responsible for sending and receiving CMP messages.
             *
             * The random number generator is also specified here. It will be
             * used to generate any random bytes required in the construction
             * of the CMP message. For example:
             *  - sender nonce
             *  - generating protection bits (if required)
             */
            CMPController cmpController = new CMPController(serverConfig, random);
    
            /*
             * Specify the message protection information. For Certification
             * Request messages, either MAC protection or Signature protection.
             * This sample illustrates MAC protection using PBM with HMAC-SHA1.
             *
             * Currently, only PBM with HMAC-SHA1 is supported for this purpose.
             */
            MACProtection messageProtection =
                    new MACProtection("PBMHmacSha1", sharedSecret);
    
            // Create the CRMF request.
            CertRequest req = createCertRequest(encryptionKey);
    
            /*
             * Create the message header information.
             *  - recipient = subject name of CA.
             *  - sender key ID = reference number from CA
             *  - transaction ID = 128-bits random data.
             */
            MessageHeaderInfo header = new MessageHeaderInfo();
            header.setRecipient(new GeneralName(caCert.getSubjectX500Principal()));
            header.setSenderKeyID(senderId);
            byte[] transId = new byte[16];
            random.nextBytes(transId);
            header.setTransactionID(transId);
    
            // Create the Certification Request message.
            CMPRequestMessage msg = new CertRequestMessageImpl(
                    header, CMPMessage.Type.CERTIFICATION_REQUEST, req);
    
            // Now send the request.
            Print.println("Sending certification request message...");
            CMPResponseMessage response = cmpController.sendRequest(
                    msg, messageProtection);
            if (response.getMessageType() == CMPMessage.Type.ERROR_MESSAGE) {
                throw new SampleFailedException(
                        "CMP Error Message received: " + response.toString());
            }
            Print.println("Certification response received.");
    
            /*
             * Now the contents of the message need to be examined to
             * decide whether to approve the certificate.
             */
            CertResponseMessage certRespMsg = (CertResponseMessage) response;
            StatusInfo certStatus =
                    determineCertificateStatus(certRespMsg, decryptionKey);
    
            /*
             * Create the Certificate Confirmation message to send to the server.
             * To create the message, the previous response message and
             * the status are used to construct the message to send.
             */
            CMPRequestMessage conf = new CertConfirmationMessageImpl(
                    (CertResponseMessage) response, certStatus);
            Print.print("Sending confirmation message...");
            CMPResponseMessage confResp = cmpController.sendRequest(
                    conf, messageProtection);
            if (confResp.getMessageType() == CMPMessage.Type.ERROR_MESSAGE) {
                throw new SampleFailedException(
                        "Error message received: " + confResp.toString());
            }
            Print.println("Confirmation received.");
        }
    
        /*
         * Determine the status of the certificate in the response.
         *
         * @param responseMsg The CMP response message.
         * @param protocolDecryptionKey The key with which to decrypt private key.
         * @return The status of the certificate.
         *
         * @throws SampleFailedException The certificate request was not accepted.
         */
        private StatusInfo determineCertificateStatus(
                CertResponseMessage responseMsg, PrivateKey protocolDecryptionKey)
                throws SampleFailedException {
    
            CertResponse resp = responseMsg.getCertResponse();
            if (resp.getStatusInfo().getStatus() != StatusInfo.Status.ACCEPTED
                    && resp.getStatusInfo().getStatus() !=
                    StatusInfo.Status.GRANTED_WITH_MOD) {
                throw new SampleFailedException(
                        "CMP certificate request was not accepted.");
            }
    
            X509Certificate certificate = resp.getCertificate();
            Print.println("The certificate in the CMP response: ");
            Print.println(certificate.toString());
    
            PrivateKey privateKey = null;
            try {
                privateKey = resp.getPrivateKey(protocolDecryptionKey);
                Print.keyData("The decrypted private key in the CMP response: ",
                        privateKey.getEncoded());
            } catch (GeneralSecurityException e) {
                throw new SampleFailedException("Error decrypting private key", e);
            }
    
            /*
             * Return either ACCEPTED or REJECTION based on the contents
             * of the certificate and private key
             */
            if (!isCertificateSatisfactory(privateKey, certificate)) {
                return new StatusInfo(StatusInfo.Status.REJECTION);
            }
            return new StatusInfo(StatusInfo.Status.ACCEPTED);
        }
    
        private boolean isCertificateSatisfactory(PrivateKey privKey,
                X509Certificate cert) {
            /*
             * Insert code to determine whether the certificate is satisfactory.
             * For this sample, we assume the certificate is satisfactory.
             */
            return true;
        }
    
    /*
     * Create the CRMF request to be sent to a CA.
     * The request is for a certificate for a CA-generated key.
     *
     * The request must contain the following information:
     * <ul><li>Request ID set to 0, as required by the CMP specification.
     * <li>Empty subject public key field.
     * <li>Protocol encryption key Control to indicate the key with
     * which to encrypt the generated private key.
     * </ul>
     *
     * Additionally, the request shall contain:
     * <ul><li> the requested certificate subject name
     * </ul>
     */
        private CertRequest createCertRequest(PublicKey protocolEncryptionKey)
                throws Exception {
    
            //X500Principal subject = new X500Principal("CN = Sample CMP End-Entity");
            X500Principal subject = new X500Principal("CN=TestC");
    
        /*
         * Specify the certificate template information. For this sample
         * only the subject name is specified. The subject public key
         * must be empty to indicate to the server that it should generate a
         * key pair.
         */
            CertTemplateSpec template = new CertTemplateSpec();
            template.setSubject(subject);
    
            /*
             * The CA requires an encryption key to use to encrypt
             * the generated private key which will be included in
             * the response. This is indicated using the Protocol
             * Encryption Key CRMF Control.
             */
            ControlsSpec controls = new ControlsSpec();
            controls.setProtocolEncryptionKey(protocolEncryptionKey);
            controls.setRegistrationToken("TestC");
    
            /*
             * Create the CRMF parameters, and generate the request.
             * A certificate request ID of 0 must be used to
             * comply with the CMP request message specification.
             * No Proof-of-possession is required for a CA-generated key.
             *
             */
            CRMFParameterSpec params =
                    new CRMFParameterSpec(BigInteger.ZERO, template, controls);
            CertRequestFactory factory = CertRequestFactory.getInstance("CRMF");
            return factory.generateRequest(params);
        }
    }
    

    I always receive the following exception and I couldn't figure out where the problem is:

    2013-10-22 13:45:35,938 ERROR [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] Exception during CMP processing:
    javax.ejb.EJBTransactionRolledbackException
    at org.jboss.ejb3.tx.Ejb3TxPolicy.handleInCallerTx(Ejb3TxPolicy.java:115)
    at org.jboss.aspects.tx.TxPolicy.invokeInCallerTx(TxPolicy.java:130)
    at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:194)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:176)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:216)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
    at sun.proxy.$Proxy388.createCertificate(Unknown Source)
    at org.ejbca.core.protocol.cmp.CrmfMessageHandler.handleMessage(CrmfMessageHandler.java:236)
    at org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean.dispatch(CmpMessageDispatcherSessionBean.java:218)
    at org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean.dispatch(CmpMessageDispatcherSessionBean.java:112)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
    at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
    at sun.reflect.GeneratedMethodAccessor312.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_1986151844.invoke(InvocationContextInterceptor_z_fillMethod_1986151844.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_1986151844.invoke(InvocationContextInterceptor_z_setup_1986151844.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
    at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:176)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:216)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
    at sun.proxy.$Proxy462.dispatch(Unknown Source)
    at org.ejbca.ui.web.protocol.CmpServlet.service(CmpServlet.java:131)
    at org.ejbca.ui.web.protocol.CmpServlet.doPost(CmpServlet.java:93)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:679)
    Caused by: java.lang.NullPointerException
    at org.ejbca.core.protocol.cmp.CrmfRequestMessage.verify(CrmfRequestMessage.java:410)
    at org.ejbca.core.ejb.ca.sign.RSASignSessionBean.createCertificate(RSASignSessionBean.java:262)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
    at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
    at sun.reflect.GeneratedMethodAccessor312.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_1986151844.invoke(InvocationContextInterceptor_z_fillMethod_1986151844.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_1986151844.invoke(InvocationContextInterceptor_z_setup_1986151844.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPolicy.invokeInCallerTx(TxPolicy.java:126)
    ... 101 more

    I would appreciate any help.

  • Tomas Gustavsson

    There are several organizations using BSafe, so it should work. Nowadays it should be rare imho. Why not use BouncyCastle for CMP? It is now really good at CMP, open source, has professional support if you want, and of course there is sample code available...

    http://www.bouncycastle.org/
    http://www.cryptoworkshop.com/

    If you want to pay money, better to do it for open source imho.

    Anyhow, CrmfRequestMessage.java line 411 says:
    log.debug("pop.getRaVerified(): "+(pop.getRaVerified() != null));

    So it seems you have no POP (Proof Of Possession) in your message.

    Cheers,
    Tomas


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/
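    As an added example, not code from either post nor from EJBCA or BSAFE: a stdlib-only Python DER walker that reports which ProofOfPossession choice a CRMF CertReqMsg carries, the field EJBCA dereferences at the line Tomas quotes. The CertReqMsg samples are constructed inline (a minimal CN=TestC template and placeholder signature bits), and the pop_admissible helper only mirrors the cmp.allowraverifypopo setting from the posted configuration, not EJBCA's full verification.

```python
"""Inspect the ProofOfPossession (POP) field of a CRMF CertReqMsg (RFC 4211).

CertReqMsg ::= SEQUENCE {
    certReq  CertRequest,                 -- SEQUENCE { certReqId INTEGER, certTemplate, controls OPTIONAL }
    popo     ProofOfPossession OPTIONAL,  -- CHOICE: [0] raVerified NULL, [1] signature,
                                          --         [2] keyEncipherment, [3] keyAgreement
    regInfo  SEQUENCE OF AttributeTypeAndValue OPTIONAL }
"""

# Context-specific tag numbers of the ProofOfPossession CHOICE (PKIXCRMF uses IMPLICIT TAGS).
POP_CHOICES = {0: "raVerified", 1: "signature", 2: "keyEncipherment", 3: "keyAgreement"}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after the element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in CRMF")
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


def pop_choice(cert_req_msg):
    """Return the POP choice name carried by a DER CertReqMsg, or None if popo is absent."""
    tag, body, end = _read_tlv(cert_req_msg, 0)
    if tag != 0x30 or end != len(cert_req_msg):
        raise ValueError("CertReqMsg must be a single DER SEQUENCE")
    tag, _, pos = _read_tlv(body, 0)        # certReq is mandatory and comes first
    if tag != 0x30:
        raise ValueError("certReq missing")
    if pos == len(body):
        return None                         # neither popo nor regInfo present
    tag, _, _ = _read_tlv(body, pos)
    if tag & 0xC0 == 0x80 and (tag & 0x1F) in POP_CHOICES:
        return POP_CHOICES[tag & 0x1F]
    return None                             # next element is regInfo (universal SEQUENCE): no popo


def cert_req_id(cert_req_msg):
    """Return certReqId; the BSAFE sample's comment requires 0 for the CMP request."""
    _, body, _ = _read_tlv(cert_req_msg, 0)
    _, cert_req, _ = _read_tlv(body, 0)
    tag, value, _ = _read_tlv(cert_req, 0)
    if tag != 0x02:
        raise ValueError("certReqId must be an INTEGER")
    return int.from_bytes(value, "big", signed=True)


def pop_admissible(cert_req_msg, allow_ra_verify_popo=False):
    """Pre-flight check reflecting the thread's settings: no POP at all is the case Tomas
    traces to line 411; raVerified only passes when cmp.allowraverifypopo=true; the other
    choices still have to be cryptographically verified by the CA (not done here)."""
    choice = pop_choice(cert_req_msg)
    if choice is None:
        return False
    if choice == "raVerified":
        return allow_ra_verify_popo
    return True


# --- constructed sample messages (not captured from the thread) -----------------------
def der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _cert_request(cn="TestC", req_id=0):
    """CertRequest { certReqId, certTemplate { subject [5] Name } } with one CN RDN (req_id < 128)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))   # id-at-commonName
    template = der(0x30, der(0xA5, der(0x30, der(0x31, atv))))
    return der(0x30, der(0x02, bytes([req_id])) + template)


NO_POP = der(0x30, _cert_request())                              # shape of the CA-gen-key sample
RA_VERIFIED = der(0x30, _cert_request() + der(0x80, b""))        # popo [0] raVerified NULL
_SIG_ALG = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
_DUMMY_SIG = der(0x03, b"\x00" + b"\xaa" * 8)                    # placeholder, not a real signature
SIGNATURE = der(0x30, _cert_request() + der(0xA1, _SIG_ALG + _DUMMY_SIG))   # popo [1] signature
_REG_INFO = der(0x30, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"x")))
NO_POP_WITH_REGINFO = der(0x30, _cert_request() + _REG_INFO)     # regInfo is not a popo

if __name__ == "__main__":
    for label, msg in [("no popo", NO_POP), ("raVerified", RA_VERIFIED),
                       ("signature", SIGNATURE), ("regInfo only", NO_POP_WITH_REGINFO)]:
        print(f"{label:13s} certReqId={cert_req_id(msg)} popo={pop_choice(msg)} "
              f"admissible(allowraverifypopo=false)={pop_admissible(msg)}")
```

    To check a real request, pass pop_choice the DER bytes of the CertReqMsg taken from the PKIBody of a captured CMP message.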
