PKIResponse creation and decoding #1452

@OrangeDog

Description

I'm attempting to create a basic EST (RFC 7030) error response. If my reading of RFC 5272 is correct, then it should look like this:

```
$ echo "MD8CAQMxADAyBggrBgEFBQcMA6AmMCQwHjAcAgEBBggrBgEFBQcHGTENMAsCAQIwAwIBAQIBBzAAMACgAKEAMQA=" | openssl asn1parse
    0:d=0  hl=2 l=  63 cons: SEQUENCE
    2:d=1  hl=2 l=   1 prim: INTEGER           :03
    5:d=1  hl=2 l=   0 cons: SET
    7:d=1  hl=2 l=  50 cons: SEQUENCE
    9:d=2  hl=2 l=   8 prim: OBJECT            :id-cct-PKIResponse
   19:d=2  hl=2 l=  38 cons: cont [ 0 ]
   21:d=3  hl=2 l=  36 cons: SEQUENCE
   23:d=4  hl=2 l=  30 cons: SEQUENCE
   25:d=5  hl=2 l=  28 cons: SEQUENCE
   27:d=6  hl=2 l=   1 prim: INTEGER           :01
   30:d=6  hl=2 l=   8 prim: OBJECT            :1.3.6.1.5.5.7.7.25
   40:d=6  hl=2 l=  13 cons: SET
   42:d=7  hl=2 l=  11 cons: SEQUENCE
   44:d=8  hl=2 l=   1 prim: INTEGER           :02
   47:d=8  hl=2 l=   3 cons: SEQUENCE
   49:d=9  hl=2 l=   1 prim: INTEGER           :01
   52:d=8  hl=2 l=   1 prim: INTEGER           :07
   55:d=4  hl=2 l=   0 cons: SEQUENCE
   57:d=4  hl=2 l=   0 cons: SEQUENCE
   59:d=1  hl=2 l=   0 cons: cont [ 0 ]
   61:d=1  hl=2 l=   0 cons: cont [ 1 ]
   63:d=1  hl=2 l=   0 cons: SET
```

However, unlike SimplePKIResponse, BC does not appear to provide any convenient holder for this, only the raw ASN1 types. Additionally, CMSSignedData does not count the outer object as valid, as it lacks certificates.

As a result, the code to get the status is quite tedious, and would be even more so to account for there being other or different controls:

```java
import org.bouncycastle.asn1.cmc.CMCStatus;
import org.bouncycastle.asn1.cmc.CMCStatusInfoV2;
import org.bouncycastle.asn1.cmc.PKIResponse;
import org.bouncycastle.asn1.cmc.TaggedAttribute;
import org.bouncycastle.asn1.cms.SignedData;
SignedData signedData = SignedData.getInstance(bytes);  // bytes: the DER SignedData shown above
PKIResponse pkiResponse = PKIResponse.getInstance(signedData.getEncapContentInfo().getContent());
TaggedAttribute attr = TaggedAttribute.getInstance(pkiResponse.getControlSequence().getObjectAt(0));  // assumes the status control is first
CMCStatusInfoV2 info = CMCStatusInfoV2.getInstance(attr.getAttrValues().getObjectAt(0));
CMCStatus status = info.getcMCStatus();
```

The code to build such a response on the server side is also tedious, and with no validity checks other than a size==3.

```java
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cmc.BodyPartID;
import org.bouncycastle.asn1.cmc.CMCFailInfo;
import org.bouncycastle.asn1.cmc.CMCObjectIdentifiers;
import org.bouncycastle.asn1.cmc.CMCStatus;
import org.bouncycastle.asn1.cmc.CMCStatusInfoV2;
import org.bouncycastle.asn1.cmc.CMCStatusInfoV2Builder;
import org.bouncycastle.asn1.cmc.PKIResponse;
import org.bouncycastle.asn1.cmc.TaggedAttribute;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.SignedData;

CMCStatusInfoV2 info = new CMCStatusInfoV2Builder(CMCStatus.failed, new BodyPartID(1))
        .setOtherInfo(CMCFailInfo.badIdentity)
        .build();  // good so far

// controlSequence entry: a statusInfoV2 control carrying a SET of one value
TaggedAttribute attr = new TaggedAttribute(
        new BodyPartID(1), CMCObjectIdentifiers.id_cmc_statusInfoV2, new DERSet(info));
// PKIResponse has no public constructor; getInstance only checks that the sequence has 3 elements
PKIResponse pkiResponse = PKIResponse.getInstance(new DERSequence(new ASN1Encodable[]{
        new DERSequence(attr), new DERSequence(), new DERSequence()
}));
// SignedData with no digest algorithms, certificates, CRLs or signer infos
SignedData err = new SignedData(
        new DERSet(),
        new ContentInfo(CMCObjectIdentifiers.id_cct_PKIResponse, pkiResponse),
        new DERSet(),
        new DERSet(),
        new DERSet()
);
```

Have I missed something, either in my understanding of what the structure should be, or some classes that make this easier to deal with? If not, then can such things be added, and ideally integrated into ESTService?
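As an added example (not Bouncy Castle's own code and not from the issue author), the decoding side can be made tolerant of other or reordered controls by checking the eContentType and walking the whole controlSequence for id-cmc-statusInfoV2 instead of assuming index 0. The class name `PKIResponseStatus` and the helper `findStatusInfoV2` are hypothetical; the DER input is the SignedData from the issue.

```java
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.cmc.CMCFailInfo;
import org.bouncycastle.asn1.cmc.CMCObjectIdentifiers;
import org.bouncycastle.asn1.cmc.CMCStatus;
import org.bouncycastle.asn1.cmc.CMCStatusInfoV2;
import org.bouncycastle.asn1.cmc.PKIResponse;
import org.bouncycastle.asn1.cmc.TaggedAttribute;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.util.encoders.Base64;

/** Hypothetical helper class, not part of Bouncy Castle. */
public final class PKIResponseStatus {

    /** Returns the first id-cmc-statusInfoV2 control of a Full PKI Response, or null if none is present. */
    public static CMCStatusInfoV2 findStatusInfoV2(byte[] signedDataDer) {
        SignedData signedData = SignedData.getInstance(signedDataDer);
        ContentInfo eci = signedData.getEncapContentInfo();
        // Refuse anything that is not a PKIResponse instead of parsing arbitrary eContent
        if (!CMCObjectIdentifiers.id_cct_PKIResponse.equals(eci.getContentType())) {
            throw new IllegalArgumentException("unexpected eContentType " + eci.getContentType());
        }
        ASN1Sequence controls = PKIResponse.getInstance(eci.getContent()).getControlSequence();
        // Walk every control rather than assuming the status sits at index 0
        for (int i = 0; i < controls.size(); i++) {
            TaggedAttribute control = TaggedAttribute.getInstance(controls.getObjectAt(i));
            if (CMCObjectIdentifiers.id_cmc_statusInfoV2.equals(control.getAttrType())
                    && control.getAttrValues().size() > 0) {
                return CMCStatusInfoV2.getInstance(control.getAttrValues().getObjectAt(0));
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // The DER SignedData from the issue above: CMCStatus failed (2), failInfo badIdentity (7)
        byte[] der = Base64.decode(
            "MD8CAQMxADAyBggrBgEFBQcMA6AmMCQwHjAcAgEBBggrBgEFBQcHGTENMAsCAQIwAwIBAQIBBzAAMACgAKEAMQA=");
        CMCStatusInfoV2 info = findStatusInfoV2(der);
        if (info == null) {
            System.out.println("no statusInfoV2 control present");
            return;
        }
        boolean failed = CMCStatus.failed.equals(info.getcMCStatus());
        // OtherStatusInfo is a CHOICE; comparing the encoded primitive avoids caring which branch it is
        boolean badIdentity = info.hasOtherInfo()
            && CMCFailInfo.badIdentity.toASN1Primitive().equals(info.getOtherStatusInfo().toASN1Primitive());
        System.out.println("failed=" + failed + " badIdentity=" + badIdentity);
    }
}
```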
