Added additional methods to SimplePKIResponse and builder class, relates to github #1452

dghgit · dghgit · commit 22e9e8d47ca3 · 2026-05-03T15:19:50.000+10:00
diff --git a/docs/releasenotes.html b/docs/releasenotes.html
@@ -40,6 +40,7 @@ <h3>2.2.3 Additional Features and Functionality</h3>
 <li>X509v3CertificateBuilder now exposes setters for the constructor arguments (setIssuer, setSerialNumber, setNotBefore, setNotAfter, setSubject, setSubjectPublicKeyInfo) to support equivalence-comparison use cases (issue #1545).</li>
 <li>CMS EnvelopedData now supports RFC 8418 ECDH key agreement using X25519 or X448 with HKDF (SHA-256/384/512). Three CMSAlgorithm constants (ECDH_HKDF_SHA256, ECDH_HKDF_SHA384, ECDH_HKDF_SHA512) and the corresponding KeyAgreement registrations (XDHwithSHA256HKDF / XDHwithSHA384HKDF / XDHwithSHA512HKDF) have been added (issue #1845).</li>
 <li>The SM2 JCE Cipher now accepts a ciphertext-format mode in the transformation string. Cipher.getInstance("SM2/C1C3C2/NoPadding", "BC") and Cipher.getInstance("SM2/C1C2C3/NoPadding", "BC") select between the two SM2Engine modes; the previous "SM2"/"SM2/NONE/NoPadding" forms continue to default to C1C2C3 (issue #1302).</li>
+<li>SimplePKIResponse now also accepts the unsigned Full PKI Response variant used for EST server-generated errors (RFC 7030 4.2.3 / 4.4.2): a CMS SignedData with no SignerInfos whose encapsulated content is an id-cct-PKIResponse PKIResponse SEQUENCE. New accessors getPKIResponse(), getControlAttributes(), getCmsContents() and getStatusInfoV2() expose the embedded PKIResponse content as structured TaggedAttribute / TaggedContentInfo / CMCStatusInfoV2 objects so callers no longer need to walk the raw ASN.1. A new PKIResponseBuilder produces SimplePKIResponse instances directly, with addControlAttribute / addStatusInfoV2 / addCmsContent / addOtherMsg helpers so EST error responses can be assembled without manually composing the SignedData and PKIResponse SEQUENCE. CMSSignedData has a new getSignedContentType() returning the encapsulated content type as an ASN1ObjectIdentifier alongside the existing getSignedContentTypeOID() (issue #1452).</li>
 </ul>
 
 <a id="r1rv84"><h3>2.2.1 Version</h3></a>
diff --git a/pkix/src/main/java/org/bouncycastle/cmc/PKIResponseBuilder.java b/pkix/src/main/java/org/bouncycastle/cmc/PKIResponseBuilder.java
@@ -0,0 +1,91 @@
+package org.bouncycastle.cmc;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.DERSet;
+import org.bouncycastle.asn1.cmc.BodyPartID;
+import org.bouncycastle.asn1.cmc.CMCObjectIdentifiers;
+import org.bouncycastle.asn1.cmc.CMCStatusInfoV2;
+import org.bouncycastle.asn1.cmc.OtherMsg;
+import org.bouncycastle.asn1.cmc.PKIResponse;
+import org.bouncycastle.asn1.cmc.TaggedAttribute;
+import org.bouncycastle.asn1.cmc.TaggedContentInfo;
+import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
+import org.bouncycastle.asn1.cms.ContentInfo;
+import org.bouncycastle.asn1.cms.SignedData;
+
+/**
+ * Builder for an unsigned Full PKI Response (RFC 5272 / RFC 7030 4.2.3 / 4.4.2):
+ * a CMS SignedData with no SignerInfos and no certificates whose encapsulated
+ * content is an id-cct-PKIResponse PKIResponse SEQUENCE. The product is
+ * delivered as a {@link SimplePKIResponse}, whose structured accessors expose
+ * the embedded PKIResponse content.
+ */
+public class PKIResponseBuilder
+{
+    private final List<TaggedAttribute> controlAttributes = new ArrayList<TaggedAttribute>();
+    private final List<TaggedContentInfo> cmsContents = new ArrayList<TaggedContentInfo>();
+    private final List<OtherMsg> otherMsgs = new ArrayList<OtherMsg>();
+
+    public PKIResponseBuilder addControlAttribute(TaggedAttribute attr)
+    {
+        controlAttributes.add(attr);
+        return this;
+    }
+
+    /**
+     * Convenience for the EST server-generated error case: wrap the supplied
+     * CMCStatusInfoV2 in a TaggedAttribute keyed by id-cmc-statusInfoV2 and
+     * append it to the controlSequence.
+     */
+    public PKIResponseBuilder addStatusInfoV2(BodyPartID bodyPartID, CMCStatusInfoV2 statusInfo)
+    {
+        controlAttributes.add(new TaggedAttribute(
+            bodyPartID, CMCObjectIdentifiers.id_cmc_statusInfoV2, new DERSet(statusInfo)));
+        return this;
+    }
+
+    public PKIResponseBuilder addCmsContent(TaggedContentInfo cmsContent)
+    {
+        cmsContents.add(cmsContent);
+        return this;
+    }
+
+    public PKIResponseBuilder addOtherMsg(OtherMsg otherMsg)
+    {
+        otherMsgs.add(otherMsg);
+        return this;
+    }
+
+    public SimplePKIResponse build()
+        throws CMCException
+    {
+        PKIResponse pkiResponse = new PKIResponse(
+            controlAttributes.toArray(new TaggedAttribute[0]),
+            cmsContents.toArray(new TaggedContentInfo[0]),
+            otherMsgs.toArray(new OtherMsg[0]));
+
+        ContentInfo encap;
+        try
+        {
+            encap = new ContentInfo(CMCObjectIdentifiers.id_cct_PKIResponse,
+                new DEROctetString(pkiResponse.getEncoded()));
+        }
+        catch (IOException e)
+        {
+            throw new CMCException("unable to encode PKIResponse: " + e.getMessage(), e);
+        }
+
+        SignedData signedData = new SignedData(
+            new DERSet(),    // digestAlgorithms
+            encap,
+            null,            // certificates
+            null,            // crls
+            new DERSet());   // signerInfos
+
+        return new SimplePKIResponse(new ContentInfo(CMSObjectIdentifiers.signedData, signedData));
+    }
+}
diff --git a/pkix/src/main/java/org/bouncycastle/cmc/SimplePKIResponse.java b/pkix/src/main/java/org/bouncycastle/cmc/SimplePKIResponse.java
@@ -3,6 +3,11 @@
 import java.io.IOException;
 
 import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.cmc.CMCObjectIdentifiers;
+import org.bouncycastle.asn1.cmc.CMCStatusInfoV2;
+import org.bouncycastle.asn1.cmc.PKIResponse;
+import org.bouncycastle.asn1.cmc.TaggedAttribute;
+import org.bouncycastle.asn1.cmc.TaggedContentInfo;
 import org.bouncycastle.asn1.cms.ContentInfo;
 import org.bouncycastle.cert.X509CRLHolder;
 import org.bouncycastle.cert.X509CertificateHolder;
@@ -15,13 +20,18 @@
  * Carrier for a Simple PKI Response.
  * <p>
  * A Simple PKI Response is defined in RFC 5272 as a CMS SignedData object with no EncapsulatedContentInfo
- * and no SignerInfos attached.
+ * and no SignerInfos attached. As a convenience this class also recognises the unsigned Full PKI Response
+ * variant used for EST server-generated errors (RFC 7030 4.2.3 / 4.4.2): a CMS SignedData with no
+ * SignerInfos whose encapsulated content is an id-cct-PKIResponse PKIResponse SEQUENCE. The structured
+ * accessors {@link #getPKIResponse()}, {@link #getControlAttributes()}, {@link #getCmsContents()} and
+ * {@link #getStatusInfoV2()} return the embedded PKIResponse content when present.
  * </p>
  */
 public class SimplePKIResponse
     implements Encodable
 {
     private final CMSSignedData certificateResponse;
+    private final PKIResponse pkiResponse;
 
     private static ContentInfo parseBytes(byte[] responseEncoding)
         throws CMCException
@@ -69,7 +79,24 @@ public SimplePKIResponse(ContentInfo signedData)
         {
             throw new CMCException("malformed response: SignerInfo structures found");
         }
-        if (certificateResponse.getSignedContent() != null)
+
+        if (certificateResponse.getSignedContent() == null)
+        {
+            this.pkiResponse = null;
+        }
+        else if (CMCObjectIdentifiers.id_cct_PKIResponse.equals(certificateResponse.getSignedContentType()))
+        {
+            try
+            {
+                this.pkiResponse = PKIResponse.getInstance(
+                    ASN1Primitive.fromByteArray((byte[])certificateResponse.getSignedContent().getContent()));
+            }
+            catch (Exception e)
+            {
+                throw new CMCException("malformed response: " + e.getMessage(), e);
+            }
+        }
+        else
         {
             throw new CMCException("malformed response: Signed Content found");
         }
@@ -95,6 +122,76 @@ public Store<X509CRLHolder> getCRLs()
         return certificateResponse.getCRLs();
     }
 
+    /**
+     * Return the embedded PKIResponse content, if present.
+     *
+     * @return the parsed PKIResponse, or null if the SignedData has no encapsulated PKIResponse.
+     */
+    public PKIResponse getPKIResponse()
+    {
+        return pkiResponse;
+    }
+
+    /**
+     * Return the controlSequence of the embedded PKIResponse as an array of TaggedAttribute, or
+     * an empty array if no PKIResponse is present.
+     */
+    public TaggedAttribute[] getControlAttributes()
+    {
+        if (pkiResponse == null)
+        {
+            return new TaggedAttribute[0];
+        }
+
+        int size = pkiResponse.getControlSequence().size();
+        TaggedAttribute[] attrs = new TaggedAttribute[size];
+        for (int i = 0; i != size; i++)
+        {
+            attrs[i] = TaggedAttribute.getInstance(pkiResponse.getControlSequence().getObjectAt(i));
+        }
+        return attrs;
+    }
+
+    /**
+     * Return the cmsSequence of the embedded PKIResponse as an array of TaggedContentInfo, or
+     * an empty array if no PKIResponse is present.
+     */
+    public TaggedContentInfo[] getCmsContents()
+    {
+        if (pkiResponse == null)
+        {
+            return new TaggedContentInfo[0];
+        }
+
+        int size = pkiResponse.getCmsSequence().size();
+        TaggedContentInfo[] arr = new TaggedContentInfo[size];
+        for (int i = 0; i != size; i++)
+        {
+            arr[i] = TaggedContentInfo.getInstance(pkiResponse.getCmsSequence().getObjectAt(i));
+        }
+        return arr;
+    }
+
+    /**
+     * Convenience accessor for the first id-cmc-statusInfoV2 attribute in the PKIResponse
+     * controlSequence (typical of an EST server-generated error response).
+     *
+     * @return the CMCStatusInfoV2 if present, otherwise null.
+     */
+    public CMCStatusInfoV2 getStatusInfoV2()
+    {
+        TaggedAttribute[] attrs = getControlAttributes();
+        for (int i = 0; i != attrs.length; i++)
+        {
+            if (CMCObjectIdentifiers.id_cmc_statusInfoV2.equals(attrs[i].getAttrType())
+                && attrs[i].getAttrValues().size() != 0)
+            {
+                return CMCStatusInfoV2.getInstance(attrs[i].getAttrValues().getObjectAt(0));
+            }
+        }
+        return null;
+    }
+
     /**
      * return the ASN.1 encoded representation of this object.
      */
diff --git a/pkix/src/main/java/org/bouncycastle/cms/CMSSignedData.java b/pkix/src/main/java/org/bouncycastle/cms/CMSSignedData.java
@@ -365,6 +365,17 @@ public String getSignedContentTypeOID()
         return signedData.getEncapContentInfo().getContentType().getId();
     }
 
+    /**
+     * Return the ASN1ObjectIdentifier associated with the encapsulated content info structure
+     * carried in the signed data.
+     *
+     * @return the OID for the content type.
+     */
+    public ASN1ObjectIdentifier getSignedContentType()
+    {
+        return signedData.getEncapContentInfo().getContentType();
+    }
+
     public CMSTypedData getSignedContent()
     {
         return signedContent;
diff --git a/pkix/src/test/java/org/bouncycastle/est/test/ESTParsingTest.java b/pkix/src/test/java/org/bouncycastle/est/test/ESTParsingTest.java
@@ -6,12 +6,20 @@
 import junit.framework.TestCase;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1String;
+import org.bouncycastle.asn1.cmc.BodyPartID;
+import org.bouncycastle.asn1.cmc.CMCFailInfo;
+import org.bouncycastle.asn1.cmc.CMCObjectIdentifiers;
+import org.bouncycastle.asn1.cmc.CMCStatus;
+import org.bouncycastle.asn1.cmc.CMCStatusInfoV2;
+import org.bouncycastle.asn1.cmc.CMCStatusInfoV2Builder;
+import org.bouncycastle.asn1.cmc.TaggedAttribute;
 import org.bouncycastle.asn1.pkcs.Attribute;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.selector.X509CertificateHolderSelector;
+import org.bouncycastle.cmc.PKIResponseBuilder;
 import org.bouncycastle.cmc.SimplePKIResponse;
 import org.bouncycastle.est.CSRAttributesResponse;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
@@ -214,4 +222,39 @@ public void testParsingSimpleEnrolResponse()
 
         assertEquals(1, certs.getMatches(new X509CertificateHolderSelector(new X500Name("CN=estExampleCA NwN"), new BigInteger("21"))).size());
     }
+
+    public void testParsingFullPKIErrorResponse()
+        throws Exception
+    {
+        // Build the unsigned Full PKI Response (RFC 7030 server-generated error) containing
+        // a CMCStatusInfoV2 attribute via PKIResponseBuilder, then round-trip it through
+        // SimplePKIResponse(byte[]) to check the structured accessors expose the same
+        // content. See github #1452.
+        BodyPartID bodyPartID = new BodyPartID(1);
+        CMCStatusInfoV2 statusInfo = new CMCStatusInfoV2Builder(CMCStatus.failed, bodyPartID)
+            .setOtherInfo(CMCFailInfo.badIdentity)
+            .setStatusString("bad identity")
+            .build();
+
+        SimplePKIResponse built = new PKIResponseBuilder()
+            .addStatusInfoV2(bodyPartID, statusInfo)
+            .build();
+
+        SimplePKIResponse response = new SimplePKIResponse(built.getEncoded());
+
+        assertNotNull("PKIResponse should be exposed", response.getPKIResponse());
+        assertEquals(1, response.getControlAttributes().length);
+        assertEquals(0, response.getCmsContents().length);
+
+        TaggedAttribute attr = response.getControlAttributes()[0];
+        assertEquals(CMCObjectIdentifiers.id_cmc_statusInfoV2, attr.getAttrType());
+
+        CMCStatusInfoV2 parsed = response.getStatusInfoV2();
+        assertNotNull("statusInfoV2 should be exposed", parsed);
+        assertEquals(CMCStatus.failed, parsed.getCMCStatus());
+        assertEquals("bad identity", parsed.getStatusStringUTF8().getString());
+        assertTrue(parsed.hasOtherInfo());
+
+        assertEquals(0, response.getCertificates().getMatches(null).size());
+    }
 }
