198 lines
9.6 KiB
Java
198 lines
9.6 KiB
Java
/*******************************************************************************
|
|
* The MIT License (MIT)
|
|
*
|
|
* Copyright (c) 2015-207 V2G Clarity (Dr.-Ing. Marc Mültin)
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
* of this software and associated documentation files (the "Software"), to deal
|
|
* in the Software without restriction, including without limitation the rights
|
|
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
* copies of the Software, and to permit persons to whom the Software is
|
|
* furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be included in
|
|
* all copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
* THE SOFTWARE.
|
|
*******************************************************************************/
|
|
package com.v2gclarity.risev2g.secc.states;
|
|
|
|
import java.security.KeyPair;
|
|
import java.security.cert.X509Certificate;
|
|
import java.security.interfaces.ECPublicKey;
|
|
import java.util.HashMap;
|
|
|
|
import com.v2gclarity.risev2g.secc.session.V2GCommunicationSessionSECC;
|
|
import com.v2gclarity.risev2g.shared.enumerations.PKI;
|
|
import com.v2gclarity.risev2g.shared.enumerations.V2GMessages;
|
|
import com.v2gclarity.risev2g.shared.messageHandling.ReactionToIncomingMessage;
|
|
import com.v2gclarity.risev2g.shared.utils.SecurityUtils;
|
|
import com.v2gclarity.risev2g.shared.v2gMessages.msgDef.BodyBaseType;
|
|
import com.v2gclarity.risev2g.shared.v2gMessages.msgDef.CertificateChainType;
|
|
import com.v2gclarity.risev2g.shared.v2gMessages.msgDef.CertificateInstallationReqType;
|
|
import com.v2gclarity.risev2g.shared.v2gMessages.msgDef.CertificateInstallationResType;
|
|
import com.v2gclarity.risev2g.shared.v2gMessages.msgDef.ContractSignatureEncryptedPrivateKeyType;
|
|
import com.v2gclarity.risev2g.shared.v2gMessages.msgDef.ResponseCodeType;
|
|
import com.v2gclarity.risev2g.shared.v2gMessages.msgDef.SignatureType;
|
|
import com.v2gclarity.risev2g.shared.v2gMessages.msgDef.V2GMessage;
|
|
|
|
public class WaitForCertificateInstallationReq extends ServerState {
|
|
|
|
private CertificateInstallationResType certificateInstallationRes;
|
|
|
|
public WaitForCertificateInstallationReq(V2GCommunicationSessionSECC commSessionContext) {
|
|
super(commSessionContext);
|
|
certificateInstallationRes = new CertificateInstallationResType();
|
|
}
|
|
|
|
@Override
|
|
public ReactionToIncomingMessage processIncomingMessage(Object message) {
|
|
if (isIncomingMessageValid(message, CertificateInstallationReqType.class, certificateInstallationRes)) {
|
|
V2GMessage v2gMessageReq = (V2GMessage) message;
|
|
CertificateInstallationReqType certificateInstallationReq = (CertificateInstallationReqType) v2gMessageReq.getBody().getBodyElement().getValue();
|
|
CertificateChainType saContractCertificateChain =
|
|
getCommSessionContext().getBackendInterface().getContractCertificateChain(
|
|
SecurityUtils.getCertificate(certificateInstallationReq.getOEMProvisioningCert())
|
|
);
|
|
|
|
if (isResponseCodeOK(
|
|
certificateInstallationReq,
|
|
saContractCertificateChain,
|
|
v2gMessageReq.getHeader().getSignature())) {
|
|
// The EC key pair is also needed for the generation of the shared secret
|
|
KeyPair ecKeyPair = SecurityUtils.getECKeyPair();
|
|
if (ecKeyPair == null) {
|
|
getLogger().error("EC keypair could not be generated");
|
|
return null;
|
|
}
|
|
|
|
// Encrypt private key
|
|
ContractSignatureEncryptedPrivateKeyType encryptedContractCertPrivateKey =
|
|
SecurityUtils.encryptContractCertPrivateKey(
|
|
(ECPublicKey) SecurityUtils.getCertificate(certificateInstallationReq.getOEMProvisioningCert()).getPublicKey(),
|
|
ecKeyPair,
|
|
getCommSessionContext().getBackendInterface().getContractCertificatePrivateKey());
|
|
|
|
certificateInstallationRes.setContractSignatureCertChain(saContractCertificateChain);
|
|
/*
|
|
* Experience from the test symposium in San Diego (April 2016):
|
|
* The Id element of the signature is not restricted in size by the standard itself. But on embedded
|
|
* systems, the memory is very limited which is why we should not use long IDs for the signature reference
|
|
* element. A good size would be 3 characters max (like the example in the ISO 15118-2 annex J)
|
|
*/
|
|
certificateInstallationRes.getContractSignatureCertChain().setId("id1"); // contractSignatureCertChain
|
|
certificateInstallationRes.setContractSignatureEncryptedPrivateKey(encryptedContractCertPrivateKey);
|
|
certificateInstallationRes.getContractSignatureEncryptedPrivateKey().setId("id2"); // contractSignatureEncryptedPrivateKey
|
|
certificateInstallationRes.setDHpublickey(SecurityUtils.getDHPublicKey(ecKeyPair));
|
|
certificateInstallationRes.getDHpublickey().setId("id3"); // dhPublicKey
|
|
certificateInstallationRes.setEMAID(SecurityUtils.getEMAID(saContractCertificateChain));
|
|
certificateInstallationRes.getEMAID().setId("id4"); // emaid
|
|
certificateInstallationRes.setSAProvisioningCertificateChain(
|
|
getCommSessionContext().getBackendInterface().getCPSCertificateChain());
|
|
|
|
// Set xml reference elements
|
|
getXMLSignatureRefElements().put(
|
|
certificateInstallationRes.getContractSignatureCertChain().getId(),
|
|
SecurityUtils.generateDigest(
|
|
certificateInstallationRes.getContractSignatureCertChain().getId(),
|
|
getMessageHandler().getJaxbElement(certificateInstallationRes.getContractSignatureCertChain())));
|
|
getXMLSignatureRefElements().put(
|
|
certificateInstallationRes.getContractSignatureEncryptedPrivateKey().getId(),
|
|
SecurityUtils.generateDigest(
|
|
certificateInstallationRes.getContractSignatureEncryptedPrivateKey().getId(),
|
|
getMessageHandler().getJaxbElement(certificateInstallationRes.getContractSignatureEncryptedPrivateKey())));
|
|
getXMLSignatureRefElements().put(
|
|
certificateInstallationRes.getDHpublickey().getId(),
|
|
SecurityUtils.generateDigest(
|
|
certificateInstallationRes.getDHpublickey().getId(),
|
|
getMessageHandler().getJaxbElement(certificateInstallationRes.getDHpublickey())));
|
|
getXMLSignatureRefElements().put(
|
|
certificateInstallationRes.getEMAID().getId(),
|
|
SecurityUtils.generateDigest(
|
|
certificateInstallationRes.getEMAID().getId(),
|
|
getMessageHandler().getJaxbElement(certificateInstallationRes.getEMAID())));
|
|
|
|
// Set signing private key
|
|
setSignaturePrivateKey(getCommSessionContext().getBackendInterface().getCPSLeafPrivateKey());
|
|
|
|
} else {
|
|
setMandatoryFieldsForFailedRes(certificateInstallationRes, certificateInstallationRes.getResponseCode());
|
|
}
|
|
} else {
|
|
if (certificateInstallationRes.getResponseCode().equals(ResponseCodeType.FAILED_SEQUENCE_ERROR)) {
|
|
BodyBaseType responseMessage = getSequenceErrorResMessage(new CertificateInstallationResType(), message);
|
|
|
|
return getSendMessage(responseMessage, V2GMessages.NONE, certificateInstallationRes.getResponseCode());
|
|
} else {
|
|
setMandatoryFieldsForFailedRes(certificateInstallationRes, certificateInstallationRes.getResponseCode());
|
|
}
|
|
}
|
|
|
|
return getSendMessage(certificateInstallationRes, V2GMessages.PAYMENT_DETAILS_REQ, certificateInstallationRes.getResponseCode());
|
|
}
|
|
|
|
private boolean isResponseCodeOK(
|
|
CertificateInstallationReqType certificateInstallationReq,
|
|
CertificateChainType saContractCertificateChain,
|
|
SignatureType signature) {
|
|
ResponseCodeType responseCode = null;
|
|
X509Certificate oemProvCert = SecurityUtils.getCertificate(
|
|
certificateInstallationReq.getOEMProvisioningCert()
|
|
);
|
|
|
|
// Check for FAILED_NoCertificateAvailable
|
|
if (saContractCertificateChain == null || saContractCertificateChain.getCertificate() == null) {
|
|
certificateInstallationRes.setResponseCode(ResponseCodeType.FAILED_NO_CERTIFICATE_AVAILABLE);
|
|
return false;
|
|
}
|
|
|
|
// Check for FAILED_CertificateExpired
|
|
responseCode = SecurityUtils.verifyValidityPeriod(oemProvCert);
|
|
if (!responseCode.equals(ResponseCodeType.OK)) {
|
|
certificateInstallationRes.setResponseCode(responseCode);
|
|
return false;
|
|
}
|
|
|
|
// Check for correct attributes (e.g. correct domain component)
|
|
responseCode = SecurityUtils.verifyLeafCertificateAttributes(oemProvCert, PKI.OEM);
|
|
if (!responseCode.equals(ResponseCodeType.OK)) {
|
|
// FAILED_CertChainError is not defined for CertificateInstallationRes, that's why I set it to FAILED
|
|
certificateInstallationRes.setResponseCode(ResponseCodeType.FAILED);
|
|
return false;
|
|
}
|
|
|
|
// Check for FAILED_CertificateRevoked
|
|
// TODO check for revocation with OCSP
|
|
|
|
// Verify signature
|
|
HashMap<String, byte[]> verifyXMLSigRefElements = new HashMap<String, byte[]>();
|
|
verifyXMLSigRefElements.put(
|
|
certificateInstallationReq.getId(),
|
|
SecurityUtils.generateDigest(
|
|
certificateInstallationReq.getId(),
|
|
getMessageHandler().getJaxbElement(certificateInstallationReq)));
|
|
|
|
if (!SecurityUtils.verifySignature(
|
|
signature,
|
|
getMessageHandler().getJaxbElement(signature.getSignedInfo()),
|
|
verifyXMLSigRefElements,
|
|
certificateInstallationReq.getOEMProvisioningCert())) {
|
|
certificateInstallationRes.setResponseCode(ResponseCodeType.FAILED_SIGNATURE_ERROR);
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
@Override
|
|
public BodyBaseType getResponseMessage() {
|
|
return certificateInstallationRes;
|
|
}
|
|
}
|