Class ESTService

java.lang.Object
org.bouncycastle.est.ESTService

public class ESTService extends Object
ESTService provides unified access to an EST server, as defined in RFC 7030.
  • Method Details

    • storeToArray

      public static X509CertificateHolder[] storeToArray(org.bouncycastle.util.Store<X509CertificateHolder> store)
      Utility method to extract all the X509Certificates from a store and return them in an array.
      Parameters:
      store - The store.
      Returns:
      An array of certificates.
    • storeToArray

      public static X509CertificateHolder[] storeToArray(org.bouncycastle.util.Store<X509CertificateHolder> store, org.bouncycastle.util.Selector<X509CertificateHolder> selector)
      Utility method to extract all the X509Certificates from a store using a filter and to return them as an array.
      Parameters:
      store - The store.
      selector - The selector.
      Returns:
      An array of X509Certificates.
    • getCACerts

      public CACertsResponse getCACerts() throws ESTException
      Query the EST server for CA certificates.

      RFC7030 leans heavily on the verification phases of TLS for both client and server verification.

      It does however define a bootstrapping mode: if the client does not have the CA certificates needed to validate the server, it can defer to an external source, such as a human, to formally accept the CA certificates.

      Callers using bootstrapping must examine the CACertsResponse and validate it externally before trusting it.

      Returns:
      A store of X509Certificates.
      Throws:
      ESTException
    • simpleEnroll

      public EnrollmentResponse simpleEnroll(EnrollmentResponse priorResponse) throws Exception
      Reissue an existing request where the server had previously returned a 202.
      Parameters:
      priorResponse - The prior response.
      Returns:
      A new EnrollmentResponse.
      Throws:
      Exception
    • enroll

      protected EnrollmentResponse enroll(boolean reenroll, PKCS10CertificationRequest certificationRequest, ESTAuth auth, boolean certGen) throws IOException
      Perform a simple enrollment operation.

      This method accepts an HttpAuth instance to provide basic or digest authentication.

      If authentication is to be performed as part of TLS, this instance's client keystore and its keystore password need to be specified.

      Parameters:
      reenroll - true for re-enrollment.
      certificationRequest - The certification request.
      auth - The http auth provider, basic auth or digest auth, can be null.
      certGen - if true, request server key generation
      Returns:
      The enrolled certificate.
      Throws:
      IOException
    • simpleEnroll

      public EnrollmentResponse simpleEnroll(boolean reenroll, PKCS10CertificationRequest certificationRequest, ESTAuth auth) throws IOException
      Perform a simple enrollment operation.

      This method accepts an HttpAuth instance to provide basic or digest authentication.

      If authentication is to be performed as part of TLS, this instance's client keystore and its keystore password need to be specified.

      Parameters:
      reenroll - true for re-enrollment.
      certificationRequest - The certification request.
      auth - The http auth provider, basic auth or digest auth, can be null.
      Returns:
      The enrolled certificate.
      Throws:
      IOException
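The bootstrapping flow described under getCACerts, followed by simpleEnroll and the 202 reissue via simpleEnroll(priorResponse), as an added example that is not part of the Bouncy Castle Javadoc. It assumes the jcajce helpers JsseESTServiceBuilder, JsseDefaultHostnameAuthorizer and the EnrollmentResponse accessors isCompleted, canRetry and getNotBefore; the expected CA fingerprint is a constructed placeholder supplied by the caller.

```java
import java.security.MessageDigest;
import java.security.cert.TrustAnchor;
import java.util.Collections;
import java.util.Set;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.est.CACertsResponse;
import org.bouncycastle.est.ESTAuth;
import org.bouncycastle.est.ESTService;
import org.bouncycastle.est.EnrollmentResponse;
import org.bouncycastle.est.jcajce.JsseDefaultHostnameAuthorizer;
import org.bouncycastle.est.jcajce.JsseESTServiceBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.encoders.Hex;

public class EstBootstrapEnroll {
    /** Bootstrap mode: fetch /cacerts untrusted, validate the CA out of band, return a trusted service. */
    static ESTService bootstrapTrust(String server, String expectedCaSha256Hex) throws Exception {
        // Builder and authorizer class names are assumptions about the jcajce helpers, not from this page.
        ESTService untrusted = new JsseESTServiceBuilder(server)
            .withHostNameAuthorizer(new JsseDefaultHostnameAuthorizer(Collections.<String>emptySet()))
            .build();
        CACertsResponse caResp = untrusted.getCACerts();   // nothing in this response is trusted yet
        X509CertificateHolder[] cas = ESTService.storeToArray(caResp.getCertificateStore());
        X509CertificateHolder root = cas[cas.length - 1];
        // External validation: compare against a fingerprint obtained through a separate channel.
        String got = Hex.toHexString(MessageDigest.getInstance("SHA-256").digest(root.getEncoded()));
        if (!got.equalsIgnoreCase(expectedCaSha256Hex)) {
            throw new SecurityException("EST CA fingerprint mismatch; refusing to trust " + server);
        }
        Set<TrustAnchor> anchors = Collections.singleton(
            new TrustAnchor(new JcaX509CertificateConverter().getCertificate(root), null));
        // Rebuilt service: TLS server authentication is now anchored in the validated CA.
        return new JsseESTServiceBuilder(server).withTrustAnchors(anchors)
            .withHostNameAuthorizer(new JsseDefaultHostnameAuthorizer(Collections.<String>emptySet()))
            .build();
    }
    /** Enroll, reissuing the request with simpleEnroll(priorResponse) while the server answers 202. */
    static EnrollmentResponse enrollWithRetry(ESTService est, PKCS10CertificationRequest csr,
                                              ESTAuth auth) throws Exception {
        EnrollmentResponse resp = est.simpleEnroll(false, csr, auth);
        while (!resp.isCompleted()) {
            if (!resp.canRetry()) throw new IllegalStateException("enrollment rejected");
            long wait = resp.getNotBefore() - System.currentTimeMillis(); // honour the server's delay
            if (wait > 0) Thread.sleep(wait);
            resp = est.simpleEnroll(resp);
        }
        return resp;  // resp.getStore() holds the issued certificate(s)
    }
}
```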
    • simpleEnrollWithServersideCreation

      public EnrollmentResponse simpleEnrollWithServersideCreation(PKCS10CertificationRequest certificationRequest, ESTAuth auth) throws IOException
      Perform a simple enrollment operation.

      This method accepts an HttpAuth instance to provide basic or digest authentication.

      If authentication is to be performed as part of TLS, this instance's client keystore and its keystore password need to be specified.

      Parameters:
      certificationRequest - The certification request.
      auth - The http auth provider, basic auth or digest auth, can be null.
      Returns:
      The enrolled certificate.
      Throws:
      IOException
    • enrollPop

      public EnrollmentResponse enrollPop(boolean reEnroll, PKCS10CertificationRequestBuilder builder, ContentSigner contentSigner, ESTAuth auth, boolean certGen) throws IOException
      Implements enrollment with proof of possession (PoP). The request will have the tls-unique attribute added to it before it is signed and completed.
      Parameters:
      reEnroll - true to re-enroll.
      builder - The request builder.
      contentSigner - The content signer.
      auth - Auth modes.
      certGen - if true will request server key generation.
      Returns:
      Enrollment response.
      Throws:
      IOException
    • simpleEnrollPoP

      public EnrollmentResponse simpleEnrollPoP(boolean reEnroll, PKCS10CertificationRequestBuilder builder, ContentSigner contentSigner, ESTAuth auth) throws IOException
      Implements enrollment with proof of possession (PoP). The request will have the tls-unique attribute added to it before it is signed and completed.
      Parameters:
      reEnroll - true to re-enroll.
      builder - The request builder.
      contentSigner - The content signer.
      auth - Auth modes.
      Returns:
      Enrollment response.
      Throws:
      IOException
    • simpleEnrollPopWithServersideCreation

      public EnrollmentResponse simpleEnrollPopWithServersideCreation(PKCS10CertificationRequestBuilder builder, ContentSigner contentSigner, ESTAuth auth) throws IOException
      Simple enrollment with PoP and server-side creation of keys.
      Parameters:
      builder - The request builder.
      contentSigner - The content signer.
      auth - Auth modes.
      Returns:
      Enrollment response.
      Throws:
      IOException
    • handleEnrollResponse

      protected EnrollmentResponse handleEnrollResponse(ESTResponse resp) throws IOException
      Handles an enrollment response, deals with status codes and setting of delays.
      Parameters:
      resp - The response.
      Returns:
      An EnrollmentResponse.
      Throws:
      IOException
    • getCSRAttributes

      public CSRRequestResponse getCSRAttributes() throws ESTException
      Fetch the CSR attributes from the server.
      Returns:
      A CSRRequestResponse with the attributes.
      Throws:
      ESTException