NAME
    OpenXPKI::Crypt::PKCS7::SCEP

DESCRIPTION
    This class parses and generates SCEP request messages and responses.

    To parse an SCEP message, you can either pass the PKCS7 request message as
    the single argument to the new method, or set it later via message. Call one
    of the "create_*_response" methods to generate a response for this request.
    If you want to generate a response without having the request, you must
    call new with all parameters that are required to initialize the class as
    denoted below.

  Parameters / Accessor methods
    message
        The outer PKCS7 (signedData) message as OpenXPKI::Crypt::PKCS7 object.
        This is the parsed result of the data passed to the constructor.

    request
        Returns the inner PKCS7 (envelopedData) as OpenXPKI::Crypt::PKCS7
        object.

    message_type
        Returns the messageType from the envelope of the message (see
        mapMessageType).

    transaction_id
        Returns the transaction_id of the request. Must be passed to the
        constructor when generating a new instance without a message.

    request_nonce
        Returns the value of the request nonce.

    reply_nonce
        The nonce used to generate the response message. If not set, a random
        nonce is created when the response is created. Note that the nonce is
        generated only once, so subsequent calls to any generate_response
        method will use the same nonce value! The RFC defines a 16 byte nonce
        size, but the size is adjusted to the sender nonce size in case this
        differs, to support devices using an 8 byte nonce as reported on the
        mailing list.

    digest_alg
        Returns the name of the digest algorithm used. Must be set when
        generating any response.

    enc_alg
        Returns the name of the encryption algorithm used. Must be set when
        generating a success response.

    signer
        An OpenXPKI::Crypt::X509 object representing the signer of the request.
        This must be set before you can generate a success response.

    recipient
        Returns the recipient information for the message. The return value is
        an IssuerSerial hash as defined in OpenXPKI::Role::IssuerSerial.

    payload
        Reads the payload from the response and returns the decrypted raw
        binary data.

    ratoken
        An OpenXPKI::Crypt::X509 object representing the SCEP RA certificate.

    ratoken_key
        A Crypt::PK::* or OpenXPKI::Crypto::Backend::API object holding the
        private key of the RA. Currently only Crypt::PK::RSA is supported.

        You can pass both arguments at construction time or set them on the
        instance.

    certs
        An array ref holding the DER encoded certificates that will be set as
        response to a certRep SUCCESS. The entity certificate must be the first
        item.

    pkcs10
        Returns the PKCS10 request from an enrollment message as
        OpenXPKI::Crypt::PKCS10 object.

    issuer_serial
        Returns a hash with issuer and serial extracted from the payload of a
        GetCRL or GetCert request. See OpenXPKI::Role::IssuerSerial.

  Response Generation
    There is an individual method to generate success, pending and failure
    responses. They all require that the class was either initialized with an
    incoming PKCS7 message or that the ratoken, transaction_id and digest
    algorithm are set.

    All methods return the DER encoded PKCS7 message as binary data.

    create_cert_response
        Generates a success response. Requires that certs was set to contain
        the expected return data, signer is set to the recipient certificate
        and enc_alg is provided.

    create_pending_response
        Generates a pending response from the transaction_id passed to the
        constructor. Returns the binary DER encoded response.

    create_failure_response
        Generates a failure response using the transaction_id passed to the
        constructor and the error value passed as argument. The error can be
        given either as an integer or as one of the defined error codes
        badAlg, badMessageCheck, badRequest, badTime and badCertId. Returns
        the binary DER encoded response.
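    The following is an added example of how the accessors and response
    methods above fit together in an RA; it is not code from the OpenXPKI
    project. The file paths, the RFC 8894 message type names, the algorithm
    name passed to enc_alg, the OpenXPKI::Crypt::X509 constructor argument and
    the issue_certificate/lookup_certificate hooks are assumptions.

```perl
#!/usr/bin/env perl
# Added example (not OpenXPKI project code): parse an incoming SCEP message
# and answer it with the create_*_response methods documented above.
use strict;
use warnings;
use OpenXPKI::Crypt::PKCS7::SCEP;
use OpenXPKI::Crypt::X509;   # assumed: new() takes the certificate as a string
use Crypt::PK::RSA;          # CryptX; the only key class the page says is supported

sub slurp {
    my ($file) = @_;
    open my $fh, '<:raw', $file or die "cannot read $file: $!";
    local $/; return <$fh>;
}

# Hypothetical back-end hooks: return DER certs (entity first), or an empty
# list while the CA has not decided yet / nothing matches.
sub issue_certificate  { my ($pkcs10) = @_;        return () }
sub lookup_certificate { my ($issuer_serial) = @_; return () }

my $scep = OpenXPKI::Crypt::PKCS7::SCEP->new( slurp('/placeholder/request.p7') );
# RA credentials used to sign (and, for certRep SUCCESS, encrypt) the reply.
$scep->ratoken( OpenXPKI::Crypt::X509->new( slurp('/placeholder/ra-cert.pem') ) );
$scep->ratoken_key( Crypt::PK::RSA->new('/placeholder/ra-key.pem') );

# transaction_id and the sender nonce are echoed into the reply; the reply
# nonce is sized to the request nonce, so an 8 byte nonce is only logged here.
my $nonce = $scep->request_nonce // '';
warn 'transaction ' . $scep->transaction_id . ': sender nonce is '
    . length($nonce) . " bytes\n" if length($nonce) != 16;

my $type = $scep->message_type;   # assumed to be the RFC 8894 names
my $response;
if ( $type eq 'PKCSReq' ) {
    # Enrollment: hand the inner PKCS#10 to the CA. signer is assumed to be
    # filled in from the parsed request; set it via signer() otherwise.
    my @chain = issue_certificate( $scep->pkcs10 );
    if (@chain) {
        $scep->enc_alg('aes-256-cbc');   # assumed algorithm name
        $scep->certs( \@chain );
        $response = $scep->create_cert_response;
    } else {
        $response = $scep->create_pending_response;   # client polls again
    }
} elsif ( $type eq 'GetCert' ) {
    my @found = lookup_certificate( $scep->issuer_serial );
    $scep->enc_alg('aes-256-cbc');
    $scep->certs( \@found ) if @found;
    $response = @found ? $scep->create_cert_response
                       : $scep->create_failure_response('badCertId');
} else {
    $response = $scep->create_failure_response('badRequest');   # unsupported type
}
binmode STDOUT; print $response;   # DER encoded PKCS7 for the HTTP reply
```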