Refactor CRMFPopClient (part 2)

The CRMFPopClient has been updated to generate the CRMF request using NSSDatabase.createCRMFRequest().
dogtagpki · Feb 24, 2025 · 86ba72f · 86ba72f
1 parent b2e1edf
commit 86ba72f
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 63 deletions.
diff --git a/base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java b/base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java
@@ -1125,20 +1125,17 @@ public PKCS10 createPKCS10Request(
                 extensions);
     }
 
-    public String createCRMFRequest(
+    public byte[] createCRMFRequest(
             CryptoToken token,
             KeyPair keyPair,
             org.mozilla.jss.crypto.X509Certificate transportCert,
-            String subjectDN,
-            boolean attributeEncoding,
+            Name subject,
             SignatureAlgorithm signatureAlgorithm,
-            boolean withPop,
+            Boolean withPop,
             KeyWrapAlgorithm keyWrapAlgorithm,
             boolean useOAEP,
             boolean useSharedSecret) throws Exception {
 
-        Name subject = CryptoUtil.createName(subjectDN, attributeEncoding);
-
         CertRequest certRequest = CryptoUtil.createCertRequest(
                 useSharedSecret,
                 token,
@@ -1149,19 +1146,24 @@ public String createCRMFRequest(
                 useOAEP);
 
         ProofOfPossession pop = null;
-        if (withPop) {
+        if (withPop != null) { // !POP_NONE
             Signature signer = CryptoUtil.createSigner(token, signatureAlgorithm, keyPair);
 
-            ByteArrayOutputStream bo = new ByteArrayOutputStream();
-            certRequest.encode(bo);
-            signer.update(bo.toByteArray());
-            byte[] signature = signer.sign();
+            if (withPop) { // POP_SUCCESS
+                ByteArrayOutputStream bo = new ByteArrayOutputStream();
+                certRequest.encode(bo);
+                signer.update(bo.toByteArray());
 
+            } else { // POP_FAIL
+                byte[] data = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+                signer.update(data);
+            }
+
+            byte[] signature = signer.sign();
             pop = CryptoUtil.createPop(signatureAlgorithm, signature);
         }
 
-        byte[] crmfRequest = CryptoUtil.createCRMFRequest(certRequest, pop);
-        return Utils.base64encode(crmfRequest, true);
+        return CryptoUtil.createCRMFRequest(certRequest, pop);
     }
 
     public static int validityUnitFromString(String validityUnit) throws Exception {

diff --git a/base/tools/src/main/java/com/netscape/cmstools/CRMFPopClient.java b/base/tools/src/main/java/com/netscape/cmstools/CRMFPopClient.java
@@ -18,7 +18,6 @@
 package com.netscape.cmstools;
 
 import java.io.BufferedReader;
-import java.io.ByteArrayOutputStream;
 import java.io.FileWriter;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
@@ -53,13 +52,10 @@
 import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.KeyWrapAlgorithm;
 import org.mozilla.jss.crypto.PrivateKey;
-import org.mozilla.jss.crypto.Signature;
 import org.mozilla.jss.crypto.SignatureAlgorithm;
 import org.mozilla.jss.crypto.X509Certificate;
 import org.mozilla.jss.netscape.security.util.Cert;
 import org.mozilla.jss.netscape.security.util.Utils;
-import org.mozilla.jss.pkix.crmf.CertRequest;
-import org.mozilla.jss.pkix.crmf.ProofOfPossession;
 import org.mozilla.jss.pkix.primitive.AVA;
 import org.mozilla.jss.pkix.primitive.Name;
 import org.mozilla.jss.util.Password;
@@ -516,56 +512,38 @@ public static void main(String args[]) throws Exception {
                 keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg);
             }
 
-            if (verbose) System.out.println("Creating certificate request");
-            CertRequest certRequest = CryptoUtil.createCertRequest(
-                    use_shared_secret,
-                    token,
-                    transportCert,
-                    keyPair,
-                    subject,
-                    keyWrapAlgorithm,
-                    client.useOAEP());
-
-            ProofOfPossession pop = null;
-
-            if (!popOption.equals("POP_NONE")) {
-
-                if (verbose) System.out.println("Creating signer");
-
-                SignatureAlgorithm signatureAlgorithm;
-                if (algorithm.equals("rsa")) {
-                    signatureAlgorithm = SignatureAlgorithm.RSASignatureWithSHA256Digest;
-
-                } else if (algorithm.equals("ec")) {
-                    signatureAlgorithm = SignatureAlgorithm.ECSignatureWithSHA256Digest;
-
-                } else {
-                    throw new Exception("Unknown algorithm: " + algorithm);
-                }
-
-                Signature signer = CryptoUtil.createSigner(token, signatureAlgorithm, keyPair);
-
-                if (popOption.equals("POP_SUCCESS")) {
-
-                    ByteArrayOutputStream bo = new ByteArrayOutputStream();
-                    certRequest.encode(bo);
-                    signer.update(bo.toByteArray());
+            SignatureAlgorithm signatureAlgorithm;
+            if (algorithm.equals("rsa")) {
+                signatureAlgorithm = SignatureAlgorithm.RSASignatureWithSHA256Digest;
 
-                } else if (popOption.equals("POP_FAIL")) {
+            } else if (algorithm.equals("ec")) {
+                signatureAlgorithm = SignatureAlgorithm.ECSignatureWithSHA256Digest;
 
-                    byte[] data = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+            } else {
+                throw new Exception("Unknown algorithm: " + algorithm);
+            }
 
-                    signer.update(data);
-                }
+            Boolean withPop = null; // POP_NONE
 
-                byte[] signature = signer.sign();
+            if (popOption.equals("POP_SUCCESS")) {
+                withPop = true;
 
-                if (verbose) System.out.println("Creating POP");
-                pop = CryptoUtil.createPop(signatureAlgorithm, signature);
+            } else if (popOption.equals("POP_FAIL")) {
+                withPop = false;
             }
 
             if (verbose) System.out.println("Creating CRMF request");
-            byte[] crmfRequest = CryptoUtil.createCRMFRequest(certRequest, pop);
+
+            byte[] crmfRequest = nssdb.createCRMFRequest(
+                    token,
+                    keyPair,
+                    transportCert,
+                    subject,
+                    signatureAlgorithm,
+                    withPop,
+                    keyWrapAlgorithm,
+                    useOAEP,
+                    use_shared_secret);
             String request = Utils.base64encode(crmfRequest, true);
 
             StringWriter sw = new StringWriter();

diff --git a/base/tools/src/main/java/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/tools/src/main/java/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -41,8 +41,10 @@
 import org.mozilla.jss.crypto.X509Certificate;
 import org.mozilla.jss.netscape.security.pkcs.PKCS10;
 import org.mozilla.jss.netscape.security.util.Cert;
+import org.mozilla.jss.netscape.security.util.Utils;
 import org.mozilla.jss.netscape.security.x509.Extensions;
 import org.mozilla.jss.netscape.security.x509.X500Name;
+import org.mozilla.jss.pkix.primitive.Name;
 
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CACertClient;
@@ -54,6 +56,7 @@
 import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.cmstools.ca.CACertRequestCLI;
 import com.netscape.cmstools.cli.MainCLI;
+import com.netscape.cmsutil.crypto.CryptoUtil;
 
 import netscape.ldap.util.DN;
 import netscape.ldap.util.RDN;
@@ -218,7 +221,7 @@ public void execute(CommandLine cmd) throws Exception {
             }
         }
 
-        boolean withPop = !cmd.hasOption("without-pop");
+        Boolean withPop = cmd.hasOption("without-pop") ? null : true;
 
         AuthorityID aid = null;
         if (cmd.hasOption("issuer-id")) {
@@ -320,17 +323,19 @@ public void execute(CommandLine cmd) throws Exception {
                 throw new Exception("Unknown algorithm: " + algorithm);
             }
 
-            csr = nssdb.createCRMFRequest(
+            Name subject = CryptoUtil.createName(subjectDN, attributeEncoding);
+
+            byte[] crmfRequest = nssdb.createCRMFRequest(
                     token,
                     keyPair,
                     transportCert,
-                    subjectDN,
-                    attributeEncoding,
+                    subject,
                     signatureAlgorithm,
                     withPop,
                     keyWrapAlgorithm,
                     useOAEP,
                     false); // useSharedSecret
+            csr = Utils.base64encode(crmfRequest, true);
 
         } else {
             throw new Exception("Unknown request type: " + requestType);