ugu5ma / jscep

Automatically exported from code.google.com/p/jscep
MIT License
0 stars 0 forks source link

Select apropiate certificate connecting to RA SCEP Server #94

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi all,

Currently i'm working on a scep server and client using your great library. I 
have some problems related to certificate choose on client side in case of have 
the scep server on a RA and sending a pair of certificates in the GetCACert 
Response.

My recipient identity certificate doesn't have an apropiate KeyUsage (I know 
its my fault) of key or data encipherment, so your recipientSelector get the CA 
cert to encrypt PKCS7 and it doesn't work.

May I suggest to try to choose first the non-CA certificate in case that both 
certificates don't have apropiate keyUsage flags instead of choose the CA?

In code it is now:

X509CertSelector keyEncSelector = new X509CertSelector();
        keyEncSelector.setBasicConstraints(-2);
        keyEncSelector.setKeyUsage(new boolean[] { false, false, true });

        X509CertSelector dataEncSelector = new X509CertSelector();
        dataEncSelector.setBasicConstraints(-2);
        dataEncSelector
                .setKeyUsage(new boolean[] { false, false, false, true });

        X509CertSelector caSelector = new X509CertSelector();
        caSelector.setBasicConstraints(0);

        return Arrays.asList(keyEncSelector, dataEncSelector, caSelector);

And could change to:

X509CertSelector keyEncSelector = new X509CertSelector();
        keyEncSelector.setBasicConstraints(-2);
        keyEncSelector.setKeyUsage(new boolean[] { false, false, true });

        X509CertSelector dataEncSelector = new X509CertSelector();
        dataEncSelector.setBasicConstraints(-2);
        dataEncSelector
                .setKeyUsage(new boolean[] { false, false, false, true });

        X509CertSelector nonCaSelector = new X509CertSelector();
        dataEncSelector.setBasicConstraints(-2);

        X509CertSelector caSelector = new X509CertSelector();
        caSelector.setBasicConstraints(0);

        return Arrays.asList(keyEncSelector, dataEncSelector, nonCaSelector, caSelector); 

Original issue reported on code.google.com by eb.j...@gmail.com on 10 Jul 2014 at 9:42

GoogleCodeExporter commented 9 years ago
Have you considered injecting your own CertStoreInspectorFactory using 
Client.setCertStoreInspectorFactory()?

Original comment by da...@grant.org.uk on 11 Jul 2014 at 8:54

GoogleCodeExporter commented 9 years ago
Perfect idea! I hadn't seen that method. Thanks!

Original comment by eb.j...@gmail.com on 11 Jul 2014 at 5:46