jscep [![Build Status](https://travis-ci.org/jscep/jscep.svg?branch=master)](https://travis-ci.org/jscep/jscep)
=====
# Constructing a Client
In order to construct a client, we need two objects:
- a URL
- a Callback Handler
## Determining the URL
The URL should be obtained from your system administrator. In the case of Microsoft NDES, the URL will look like so:
```java
URL url = new URL("http://[host]/certsrv/mscep_admin/mscep.dll");
```
In the case of EJBCA, it will look like so:
```java
URL url = new URL("http://[host]/ejbca/publicweb/apply/scep/pkiclient.exe");
```
### Using an HTTP Proxy
jscep doesn't directly support using a proxy to access your SCEP server, as a proxy doesn't really make sense for SCEP. However, if you need to use one, you can use the mechanism provided by
[ProxySelector](http://docs.oracle.com/javase/6/docs/api/java/net/ProxySelector.html). Note that `ProxySelector.setDefault` applies to every connection the JVM opens, not only those made by jscep:
```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.SocketAddress;
import java.net.URI;
import java.util.Collections;
import java.util.List;

// Route every outgoing connection through the HTTP proxy "squid" on port 3128
ProxySelector.setDefault(new ProxySelector() {
    @Override
    public List<Proxy> select(URI uri) {
        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("squid", 3128));
        return Collections.singletonList(proxy);
    }

    @Override
    public void connectFailed(URI uri, SocketAddress sa, IOException ioe) {
        // Do nothing; a failed proxy connection simply surfaces as an IOException to the caller
    }
});
```
### Using HTTPS
jscep uses [HttpURLConnection](http://docs.oracle.com/javase/6/docs/api/java/net/HttpURLConnection.html) under the hood,
and offers full support for HTTPS-enabled SCEP servers, although HTTPS is unnecessary: SCEP signs and encrypts its own messages.
If your SCEP server requires the use of SSL to establish a connection, you may wish to configure
[HttpsURLConnection](http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/HttpsURLConnection.html) by using the static
`setDefaultHostnameVerifier` and `setDefaultSSLSocketFactory` methods. You'll only need to specify a `HostnameVerifier`
if your SSL server provides a certificate that doesn't match the hostname in the SCEP URL; if you do, make it check the server certificate against the one name you expect rather than accepting every hostname, since a permissive verifier switches off that part of the TLS check entirely.
By default, `HttpsURLConnection` will use the `SSLSocketFactory` as specified by JSSE, so there should be no need to configure it directly. For more information, read the [JSSE Reference Guide](http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html),
particularly the section on [customization](http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization).
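As an added example that is not part of the jscep README, the following configures `HttpsURLConnection` in the way the paragraphs above describe: it trusts only the CA(s) in a truststore you supply, and, for the case where the server certificate's name differs from the host in the SCEP URL, installs a `HostnameVerifier` that accepts the connection only when the presented certificate carries the one DNS name your administrator told you to expect. The truststore path, its password and the expected name are placeholders you would replace.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

public final class ScepTlsConfig {

    /** SAN general-name tag for dNSName, as defined by RFC 5280 and exposed by getSubjectAlternativeNames(). */
    private static final Integer DNS_NAME = 2;

    /**
     * Make the JVM (and therefore jscep's HttpsURLConnection) trust only the CA
     * certificates in the given truststore, and accept the server certificate only
     * if its SAN contains expectedCertName.
     */
    public static void configure(String trustStorePath, char[] trustStorePassword,
                                 final String expectedCertName) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        // Only install a verifier when the certificate name and the URL host differ.
        // Instead of returning true unconditionally, compare the certificate's
        // dNSName entries against the single name we were given out of band.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                try {
                    Certificate[] chain = session.getPeerCertificates();
                    X509Certificate leaf = (X509Certificate) chain[0];
                    Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
                    if (sans == null) {
                        return false;
                    }
                    for (List<?> san : sans) {
                        if (DNS_NAME.equals(san.get(0))
                                && expectedCertName.equalsIgnoreCase((String) san.get(1))) {
                            return true;
                        }
                    }
                    return false;
                } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
                    return false;
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: point these at your own truststore and expected name.
        configure("/path/to/scep-truststore.jks", "changeit".toCharArray(), "scep.example.test");
    }
}
```

Call `configure(...)` once, before constructing the jscep `Client`; both settings are JVM-wide defaults, so they also affect any other `HttpsURLConnection` your application opens.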
### Customising the Transport
If you want to provide your own transport implementation, take a look at the [TransportFactory](https://github.com/jscep/jscep/blob/master/src/main/java/org/jscep/transport/TransportFactory.java) class.
## Creating a Callback Handler
The callback handler is used to verify that the CA certificate sent by the SCEP server is the certificate you expect. With jscep, you can choose to use either the default callback mechanism with a choice of certificate verifiers, or to provide your own callback handler.
### Default Callback Mechanism
The default callback mechanism provides a `DefaultCallbackHandler` which delegates verification to a `CertificateVerifier` implementation. jscep supports several strategies for verifying a certificate, including pre-provisioned certificates or digests, and an interactive console verifier. The following example shows the steps necessary to configure the console verifier:
```java
CertificateVerifier verifier = new ConsoleCertificateVerifier();
CallbackHandler handler = new DefaultCallbackHandler(verifier);
```
By default, jscep will request verification before each operation. If you are performing a number of operations against the same SCEP server, you may wish to cache the user's response by decorating the certificate verifier, like so:
```java
CertificateVerifier consoleVerifier = new ConsoleCertificateVerifier();
CertificateVerifier verifier = new CachingCertificateVerifier(consoleVerifier);
CallbackHandler handler = new DefaultCallbackHandler(verifier);
```
### Providing Your Own Callback Handler
If you wish to use your own `CallbackHandler`, you must handle the `CertificateVerificationCallback`.
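An added example, not code from the jscep project itself: a `CallbackHandler` that handles `CertificateVerificationCallback` by pinning the CA certificate to a SHA-256 fingerprint obtained out of band from the CA administrator, which is the "pre-provisioned digest" strategy described above written by hand. It assumes the callback class lives in `org.jscep.client.verification` and exposes `getCertificate()` and `setVerified(boolean)`, which is how `DefaultCallbackHandler` reports a verifier's decision back to the client; the fingerprint in `main` is a constructed placeholder.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.jscep.client.verification.CertificateVerificationCallback; // assumed package

/**
 * Accepts the CA certificate only if SHA-256(DER encoding) equals a fingerprint
 * that was provisioned out of band. Any other callback type is rejected.
 */
public final class FingerprintCallbackHandler implements CallbackHandler {

    private final byte[] expectedSha256;

    public FingerprintCallbackHandler(byte[] expectedSha256) {
        if (expectedSha256.length != 32) {
            throw new IllegalArgumentException("SHA-256 fingerprint must be 32 bytes");
        }
        this.expectedSha256 = expectedSha256.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof CertificateVerificationCallback) {
                CertificateVerificationCallback cvc = (CertificateVerificationCallback) cb;
                // assumed accessors: getCertificate() / setVerified(boolean)
                cvc.setVerified(matches(cvc.getCertificate()));
            } else {
                throw new UnsupportedCallbackException(cb,
                    "Only CertificateVerificationCallback is handled");
            }
        }
    }

    private boolean matches(X509Certificate cert) {
        try {
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            // constant-time comparison, so a mismatch position is not observable via timing
            return MessageDigest.isEqual(expectedSha256, actual);
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            return false;
        }
    }

    /** Parses the colon-free hex fingerprint as typically copied from a CA console. */
    public static byte[] fromHex(String hex) {
        String clean = hex.replace(":", "").replace(" ", "");
        byte[] out = new byte[clean.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(clean.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed placeholder fingerprint (64 hex digits); use the real one from your CA administrator.
        String pinned = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff";
        CallbackHandler handler = new FingerprintCallbackHandler(fromHex(pinned));
        System.out.println("handler ready: " + (handler != null));
    }
}
```

Pass the handler to `new Client(url, handler)` exactly as you would a `DefaultCallbackHandler`; because the decision is deterministic there is nothing to cache, so no `CachingCertificateVerifier` is needed.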
## Creating the Client
To create the client, just combine the two parameters:
```java
Client client = new Client(url, handler);
```
The client is thread-safe, so you can use it to enrol multiple entities in parallel if you're using the same CA.
## Profiles
If your SCEP server supports multiple CAs, your CA administrator must provide a string to identify the issuer to use. Each of the operations supported by jscep accepts an optional profile parameter in the form of a `String`.
Because the jscep client is thread-safe, your application can invoke operations against multiple CA profiles _without_ having to construct a new SCEP client.
*Note:* Microsoft NDES _always_ requires a profile.
# Initialising the Requester
In each SCEP message exchange, there are two parties: the requester -- who is enrolling a particular entity into a PKI -- and a SCEP server, which represents the issuing authority, or CA.
For most operations, the SCEP server requires that the requester sign and encrypt its requests. In turn, the server will sign and encrypt its responses. In order for this to occur, both parties must have a certificate and key pair.
If the requester has been issued a certificate by the CA, the requester should use that certificate and its associated key pair. Likewise, if the requester has been issued a certificate by a different CA which is trusted by the current CA, then the requester should use _that_ certificate and key pair. Otherwise -- and this is for the majority of cases -- the requester should generate a self-signed certificate.
## Generating a Key Pair
Before we can generate a certificate, we must first generate a key pair. The SCEP specification only supports RSA, so that is what we will use. The JCA requires Java implementations to support 1024 and 2048-bit keys.
```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;

// SCEP only supports RSA; a 1024-bit key is used here, and 2048-bit keys are also supported by every JCA provider
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair requesterKeyPair = keyPairGenerator.genKeyPair();
```
## Generating a Self-Signed Certificate
Once you have your key pair, the next step is to generate an X509 Certificate. The JCA doesn't provide a mechanism for building certificates programmatically. However, you _can_ use Bouncy Castle to do it, using either the [JcaX509v1CertificateBuilder](http://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/cert/jcajce/JcaX509v1CertificateBuilder.html) or the [JcaX509v3CertificateBuilder](http://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/cert/jcajce/JcaX509v3CertificateBuilder.html) class.
The following example uses `JcaX509v3CertificateBuilder` due to its support for X509 extensions. Bouncy Castle provides classes and interfaces to simplify the usage of extensions through the [org.bouncycastle.asn1.x509](http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/asn1/x509/package-summary.html) package.
If you don't require extensions, you can use `JcaX509v1CertificateBuilder`, which takes the same arguments as `JcaX509v3CertificateBuilder` in its JCA-compatible constructor. In either case, you will need to provide a `ContentSigner`, which can be built using [JcaContentSignerBuilder](http://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/operator/jcajce/JcaContentSignerBuilder.html).
SCEP supports the following signature algorithms:
- `MD5withRSA`
- `SHA1withRSA`
- `SHA256withRSA`
- `SHA512withRSA`
You can find out the strongest signature algorithm supported by your SCEP server by using the following snippet.
```java
Capabilities caps = client.getCaCapabilities();
String sigAlg = caps.getStrongestSignatureAlgorithm();
```
*Note*: if you're using a self-signed certificate, your certificate subject X500 name _must_ be the same as the subject in your certificate-signing request.
```java
// Mandatory
X500Principal requesterIssuer = new X500Principal("CN=jscep.org, L=Cardi
```
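Since the README's own snippet breaks off above, here is an added example (not code from the jscep project) that carries the self-signed certificate step through to the end with `JcaX509v3CertificateBuilder` and `JcaContentSignerBuilder`, signing with the `requesterKeyPair` generated earlier. Because the certificate is self-signed, one `X500Principal` serves as both issuer and subject, and it is the same principal you must later place in the certificate-signing request. The distinguished name beyond `CN=jscep.org`, the one-day validity period and the two extensions are constructed choices; the signature algorithm is passed in so that you can hand over the value of `getStrongestSignatureAlgorithm()` from the capabilities lookup above.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public final class RequesterIdentity {

    private static final long ONE_DAY_MILLIS = 24L * 60 * 60 * 1000;

    /**
     * Builds a self-signed X.509 v3 certificate for the requester.
     *
     * @param keyPair the RSA key pair generated earlier (requesterKeyPair)
     * @param subject the requester's name; used as issuer too, and reused in the CSR
     * @param sigAlg  e.g. the result of caps.getStrongestSignatureAlgorithm()
     */
    public static X509Certificate selfSign(KeyPair keyPair, X500Principal subject, String sigAlg)
            throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + ONE_DAY_MILLIS); // constructed: short-lived enrolment identity
        BigInteger serial = new BigInteger(64, new SecureRandom());    // random positive serial

        // Issuer and subject are identical for a self-signed certificate
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            subject, serial, notBefore, notAfter, subject, keyPair.getPublic());

        // Constructed extensions: not a CA, and the key is used for signing and
        // key encipherment, which is what the signed/encrypted SCEP exchange needs
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true,
            new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

        ContentSigner signer = new JcaContentSignerBuilder(sigAlg).build(keyPair.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    public static void main(String[] args) throws Exception {
        // Key generation as in the README
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(1024);
        KeyPair requesterKeyPair = keyPairGenerator.genKeyPair();

        // Constructed name; the CN comes from the README, the rest is a placeholder
        X500Principal requesterSubject = new X500Principal("CN=jscep.org, O=Example");

        // In real use take sigAlg from client.getCaCapabilities().getStrongestSignatureAlgorithm()
        X509Certificate identity = selfSign(requesterKeyPair, requesterSubject, "SHA256withRSA");
        System.out.println(identity.getSubjectX500Principal() + " signed with " + identity.getSigAlgName());
    }
}
```

The `identity` certificate and `requesterKeyPair.getPrivate()` are what the requester then uses to sign and encrypt its SCEP requests; build the CSR with the same `requesterSubject` so that the subject match required above holds.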