java版scep

jscep [](https://travis-ci.org/jscep/jscep) ===== ## Constructing a Client In order to construct a client, we need two objects: - a URL - a Callback Handler ## Determining the URL The URL should be obtained from your system administrator. In the case of Microsoft NDES, the URL will look like so: ```java URL url = new URL("http://[host]/certsrv/mscep_admin/mscep.dll"); ``` In the case of EJBCA, it will look like so: ```java URL url = new URL("http://[host]/ejbca/publicweb/apply/scep/pkiclient.exe"); ``` ### Using a HTTP Proxy jscep doesn't directly support using a proxy to access your SCEP server, as it doesn't really make sense for SCEP. However, if you need to use a proxy, you can use the mechanism provided by [ProxySelector](http://docs.oracle.com/javase/6/docs/api/java/net/ProxySelector.html), like so: ```java ProxySelector.setDefault(new ProxySelector() { @Override public List<Proxy> select(URI uri) { Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("squid", 3128); return Collections.singletonList(proxy); } @Override public void connectFailed(URI uri, SocketAddress sa, IOException ioe) { // Do nothing } }); ``` ### Using HTTPS jscep uses [HttpURLConnection](http://docs.oracle.com/javase/6/docs/api/java/net/HttpURLConnection.html) under the hood, and offers full support for HTTPS-enabled SCEP servers - although HTTPS is unnecessary. If your SCEP server requires the use of SSL to establish a connection, you may wish to configure [HttpsURLConnection](http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html) by using the static `setDefaultHostnameVerifier` and `setDefaultSSLSocketFactory` methods. You'll only need to specify a `HostnameVerifier` if your SSL server provides a certificate that doesn't match the hostname in the SCEP URL. By default, `HttpsURLConnection` will use the `SSLSocketFactory` as specified by JSSE, so there should be no need to configure it directly. For more information, read the [JSSE Reference Guide](http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html), particularly the section on [customization](http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization). ### Customising the Transport If you want to provide your own transport implementation, take a look at the [TransportFactory](https://github.com/jscep/jscep/blob/master/src/main/java/org/jscep/transport/TransportFactory.java) class. ## Creating a Callback Handler The callback handler is used to verify the CA certificate being sent by the SCEP server is the certificate you expect. With jscep, you can choose to use either the default callback mechanism with a choice of certificate verifiers, or to provide your own callback handler. ### Default Callback Mechanism The default callback mechanism provides a `DefaultCallbackHandler` which delegates verification to a `CertificateVerifier` implementation. jscep supports several strategies for verifying a certificate, including pre-provisioned certificates or digests, and an interactive console verifier. The following example shows the steps necessary to configure the console verifier: ```java CertificateVerifier verifier = new ConsoleCertificateVerifier(); CallbackHandler handler = new DefaultCallbackHandler(verifier); ``` By default, jscep will request verification before each operation. If you are performing a number of operations against the same SCEP server, you may wish to cache the users response by decorating the certificate verifier, like so: ```java CertificateVerifier consoleVerifier = new ConsoleCertificateVerifier(); CertificateVerifier verifier = new CachingCertificateVerifier(consoleVerifier); CallbackHandler handler = new DefaultCallbackHandler(verifier); ``` ### Providing Your Own Callback Handler If you wish to use your own `CallbackHandler`, you must handle the `CertificateVerificationCallback`. # Creating the Client To create the client, just combine the two parameters: ```java Client client = new Client(url, handler); ``` The client is thread-safe, so you can use to enrol multiple entities in parallel if you're using the same CA. ## Profiles If your SCEP server supports multiple CAs, your CA administrator must provide a string to identify the issuer to use. Each of the operations supported by jscep accepts an optional profile parameter in the form of a `String`. Because the jscep client is thread-safe, your application can invoke operations against multiple CA profiles _without_ having to construct a new SCEP client. *Note:* Microsoft NDES _always_ requires a profile. # Initialising the Requester In each SCEP message exchange, there are two parties: the requester -- who is enrolling a particular entity into a PKI -- and a SCEP server, which represents the issuing authority, or CA. For most operations, the SCEP server requires that the requester sign and encrypt its requests. In turn, the server will sign and encrypt its responses. In order for this to occur, both parties must have a certificate and key pair. If the requester has been issued a certificate by the CA, the requester should use that certificate and its associated key pair. Likewise, if the requester has been issued a certificate by a different CA which is trusted by the current CA, then the requester should use _that_ certificate and key pair. Otherwise -- and this is for the majority of cases -- the requester should generate a self-signed certificate. ## Generating a Key Pair Before we can generate a certificate, we must first generate a key pair. The SCEP specification only supports RSA, so that is what we will use. The JCA requires Java implementations to support 1024 and 2048-bit keys. ```java KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(1024); KeyPair requesterKeyPair = keyPairGenerator.genKeyPair(); ``` ## Generating a Self-Signed Certificate Once you have your key pair, the next step is to generate an X509 Certificate. The JCA doesn't provide a mechanism for building certificates programatically. However, you _can_ use Bouncy Castle to do it, using either the [JcaX509v1CertificateBuilder](http://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/cert/jcajce/JcaX509v1CertificateBuilder.html) or the [JcaX509v3CertificateBuilder](http://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/cert/jcajce/JcaX509v3CertificateBuilder.html) class. The following example uses `JcaX509v3CertificateBuilder` due to its support for X509 extensions. Bouncy Castle provides classes and interfaces to simplify the usage of extensions through the [org.bouncycastle.asn1.x509](http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/asn1/x509/package-summary.html) package. If you don't require extensions, you can use `JcaX509v1CertificateBuilder`, which takes the same arguments as `JcaX509v3CertificateBuilder` in its JCA-compatible constructor. In either case, you will need to provide a `ContentSigner`, which can bebuilt using [JcaContentSignerBuilder](http://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/operator/jcajce/JcaContentSignerBuilder.html). SCEP supports the following signature algorithms: - `MD5withRSA` - `SHA1withRSA` - `SHA256withRSA` - `SHA512withRSA` You can find out the strongest signature algorithm supported by your SCEP server by using the following snippet. ```java Capabilities caps = client.getCaCapabilities(); String sigAlg = caps.getStrongestSignatureAlgorithm(); ``` *Note*: if you're using a self-signed certificate, your certificate subject X500 name _must_ be the same as the subject in your certificate-signing request. ```java // Mandatory X500Principal requesterIssuer = new X500Principal("CN=jscep.org, L=Cardi