zhuzengpeng / jscep

Automatically exported from code.google.com/p/jscep
MIT License
0 stars 0 forks source link

fingerprint could not be verified #90

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I create SCEP client for android. I have a problem with getting CA certificate 
from SCEP server under jSCEP. I use jscep-client

 <dependency>
    <groupId>com.google.code.jscep</groupId>
    <artifactId>jscep-client</artifactId>
    <version>1.0.0</version>
</dependency>
Server works fine, but on me device I get Error:

CA certificate fingerprint could not be verified (using SHA1)
What could be the reason? Part of code from my client:

KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
KeyPair keyPair = keyGen.generateKeyPair();
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
v3CertGen.setSerialNumber(BigInteger.valueOf(Math.abs(new 
SecureRandom().nextInt())));
v3CertGen.setIssuerDN(new X509Principal("CN=somebody@user.com"));
v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 
24 * 30));
v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 
24 * 365*10)));
v3CertGen.setSubjectDN(new X509Principal("CN=somebody@user.com"));
v3CertGen.setPublicKey(keyPair.getPublic());
v3CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption");
X509Certificate certificate = 
v3CertGen.generateX509Certificate(keyPair.getPrivate());
CallbackHandler handler = new CallbackHandler() {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                    }
                };

MessageDigest md = MessageDigest.getInstance("SHA1");
byte[] publicKey = md.digest(certificate.getPublicKey().getEncoded());
URL url = new URL("http://10.100.66.96:8080/scep/pkiclient.exe");
Client client = new Client.Builder()
   .url(url)
   .callbackHandler(handler)
   .identity(certificate, keyPair)
   .caIdentifier("androidClient")
   .caFingerprint(publicKey, "SHA1")
   .build();
List<X509Certificate> qqq = client.getCaCertificate();

Original issue reported on code.google.com by niked...@gmail.com on 10 Apr 2013 at 3:21

GoogleCodeExporter commented 9 years ago
You need the hash of the *CA* certificate, not the public key.  I don't think 
1.0.0 works particularly well on Android.  Best to ask on the list.

Original comment by da...@grant.org.uk on 10 Apr 2013 at 7:11

GoogleCodeExporter commented 9 years ago
Which version will working fine? How it working but server crashed with error 
"org.bouncycastle.cms.CMSSignerDigestMismatchException: message-digest 
attribute value does not match calculated value" on PKIOperation when trying 
decode CMSSignedData

PkiMessageDecoder decoder = new PkiMessageDecoder(reqCert, envDecoder);
msg = decoder.decode(sd); << fail here

Which reasons can occur this error? Wrong certificate?

Original comment by niked...@gmail.com on 11 Apr 2013 at 3:23