revocation request

[pragyasandeep1998hal]

hi ,is there any java code available for Revoke request?

I am getting error :
2024-10-01 05:50:47,776+0000 DEBUG [com.keyfactor.util.keys.KeyTools] (default task-4) MaxAllowedKeyLength for DES is: 2147483647
2024-10-01 05:50:47,777+0000 DEBUG [com.keyfactor.util.StringTools] (default task-4) Using encrypted CmpConfiguration
2024-10-01 05:50:47,777+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.VerifyPKIMessage] (default task-4) Trying to verify the message using CMP authentication module 'HMAC' with parameter '-'
2024-10-01 05:50:47,777+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.VerifyPKIMessage] (default task-4) Trying to verify the message using CMP authentication module 'DnPartPwd' with parameter 'UID'
2024-10-01 05:50:47,777+0000 INFO [org.ejbca.core.protocol.cmp.RevocationMessageHandler] (default task-4) No request was found in the PKIMessage

Can u please help

[pragyasandeep1998hal]

Complete log:

2024-10-01 05:50:47,772+0000 INFO [org.ejbca.ui.web.protocol.CmpServlet] (default task-4) CMP message received from: 172.19.91.116, for CMP alias: CMP-Server
2024-10-01 05:50:47,772+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-4) Received CMP message with pvno=2, sender=4: C=IN,ST=DEL,O=CAP,CN=PRAGYA,UID=PRAGYA, recipient=4: CN=CMP
Cmp configuration alias: CMP-Server
The CMP message is already authenticated: false
Body is of type: 11
Transaction ID: #3131323132
2024-10-01 05:50:47,772+0000 INFO [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-4) Dispatching message of type 11 with transaction ID: #3131323132
2024-10-01 05:50:47,772+0000 DEBUG [org.ejbca.core.protocol.cmp.GeneralCmpMessage] (default task-4) Received a RevReqContent
2024-10-01 05:50:47,772+0000 INFO [org.ejbca.core.protocol.cmp.GeneralCmpMessage] (default task-4) Received a revocation request for issuer: 'CN=CMP', serno: 247df5ddfbceb657e7199d814a457148e11a8876.
2024-10-01 05:50:47,772+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-4) Add CA certificates of CAs '' to the CMP response message caPubs field.
2024-10-01 05:50:47,772+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-4) Add CA certificates of CAs '' to the PKI response message extraCerts field.
2024-10-01 05:50:47,772+0000 DEBUG [org.ejbca.core.protocol.cmp.RevocationMessageHandler] (default task-4) Get recipient CA from recipient: CN=CMP
2024-10-01 05:50:47,772+0000 DEBUG [org.ejbca.core.protocol.cmp.RevocationMessageHandler] (default task-4) CA DN is 'CN=CMP' and resulting caId is 1992071860, after DnComponents.stringToBCDNString conversion.
2024-10-01 05:50:47,773+0000 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-4) 2024-10-01 05:50:47+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;172.19.91.116;;;;resource0=/ca/1992071860
2024-10-01 05:50:47,773+0000 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-4) LogDevice: Log4jDevice Proc: 0
2024-10-01 05:50:47,773+0000 DEBUG [org.jboss.as.jpa] (default task-4) default task-4:transaction scoped EntityManager [ejbca.ear#ejbca]: created entity manager session Local transaction (delegate=TransactionImple < ac, BasicAction: 0:ffffac150002:28fe3070:66ea9c48:1a1ce status: ActionStatus.RUNNING >, owner=Local transaction context for provider JBoss JTA transaction provider)
2024-10-01 05:50:47,773+0000 DEBUG [org.jboss.as.jpa] (default task-4) default task-4:transaction scoped EntityManager [ejbca.ear#ejbca]: reuse entity manager session already in tx Local transaction (delegate=TransactionImple < ac, BasicAction: 0:ffffac150002:28fe3070:66ea9c48:1a1ce status: ActionStatus.RUNNING >, owner=Local transaction context for provider JBoss JTA transaction provider)
2024-10-01 05:50:47,773+0000 DEBUG [org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory] (default task-4) java.sql.Connection#beginRequest has been invoked
2024-10-01 05:50:47,775+0000 DEBUG [org.cesecore.config.CesecoreConfiguration] (default task-4) Using default value of 20 for new CA's ca.serialnumberoctetsize
2024-10-01 05:50:47,775+0000 DEBUG [org.cesecore.certificates.ca.CAData] (default task-4) CAData.getProtectString gives size: 10145
2024-10-01 05:50:47,776+0000 DEBUG [org.cesecore.config.CesecoreConfiguration] (default task-4) Using default value of 20 for new CA's ca.serialnumberoctetsize
2024-10-01 05:50:47,776+0000 DEBUG [org.cesecore.internal.CommonCacheBase] (default task-4) Update not needed X509CAImpl in cache. Digest was -480700200, cacheEntry digest was -480700200
2024-10-01 05:50:47,776+0000 DEBUG [com.keyfactor.util.keys.KeyTools] (default task-4) MaxAllowedKeyLength for DES is: 2147483647
2024-10-01 05:50:47,777+0000 DEBUG [com.keyfactor.util.StringTools] (default task-4) Using encrypted CmpConfiguration
2024-10-01 05:50:47,777+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.VerifyPKIMessage] (default task-4) Trying to verify the message using CMP authentication module 'HMAC' with parameter '-'
2024-10-01 05:50:47,777+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.VerifyPKIMessage] (default task-4) Trying to verify the message using CMP authentication module 'DnPartPwd' with parameter 'UID'
2024-10-01 05:50:47,777+0000 INFO [org.ejbca.core.protocol.cmp.RevocationMessageHandler] (default task-4) No request was found in the PKIMessage
2024-10-01 05:50:47,777+0000 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-4) 2024-10-01 05:50:47+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;cmpProtocolSignErrorResponse;;;;resource0=/ca/1992071860
2024-10-01 05:50:47,777+0000 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-4) LogDevice: Log4jDevice Proc: 0
2024-10-01 05:50:47,777+0000 DEBUG [org.cesecore.keys.token.CryptoTokenSessionBean] (default task-4) CryptoToken with ID -1557500643 will be checked for updates.
2024-10-01 05:50:47,777+0000 DEBUG [org.jboss.as.jpa] (default task-4) default task-4:transaction scoped EntityManager [ejbca.ear#ejbca]: reuse entity manager session already in tx Local transaction (delegate=TransactionImple < ac, BasicAction: 0:ffffac150002:28fe3070:66ea9c48:1a1ce status: ActionStatus.RUNNING >, owner=Local transaction context for provider JBoss JTA transaction provider)
2024-10-01 05:50:47,778+0000 DEBUG [org.cesecore.internal.CommonCacheBase] (default task-4) Update not needed SoftCryptoToken in cache. Digest was 194783572, cacheEntry digest was 194783572
2024-10-01 05:50:47,778+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageHelper] (default task-4) Creating a signed error message with failInfo=2, failText=No request was found in the PKIMessage
2024-10-01 05:50:47,778+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpErrorResponseMessage] (default task-4) Create error message from requestType: 23

[primetomas]

2024-10-01 05:50:47,777+0000 INFO [org.ejbca.core.protocol.cmp.RevocationMessageHandler] (default task-4) No request was found in the PKIMessage

Means that you are probably trying to revoke another users certificate with CMP in client mode?

You can find samples code in the test suite. For example see genRevReq() in https://github.com/Keyfactor/ejbca-ce/blob/main/modules/systemtests/src-test/org/ejbca/core/protocol/cmp/CmpTestCase.java, which is called from other test methods the simulate a whole workflow.

[pragyasandeep1998hal]

[primetomas]

I recommend that you test with "openssl cmp" or some existing tool first. When you workflow is working, you can code so that your messages have the same content.

[pragyasandeep1998hal]

How we can request for revocation of certificate through openssl cmp.

can you provide code for Revoke request or any reference document

[primetomas]

You can find revocation request command example in the documentation.
https://docs.keyfactor.com/ejbca/latest/cmp-operations-guide#id-(latest)CMPOperationsGuide-openssl

[pragyasandeep1998hal]

I have tried:

protected static PKIMessage genRevReq(String issuerDN, X500Name userDN, BigInteger serNo, Certificate cacert, byte[] nonce, byte[] transid,
boolean noRevocationReason, AlgorithmIdentifier pAlg, DEROctetString senderKID) throws IOException {
CertTemplateBuilder certTemplateBuilder = new CertTemplateBuilder();
certTemplateBuilder.setIssuer(new X500Name(issuerDN));
certTemplateBuilder.setSubject(userDN);
certTemplateBuilder.setSerialNumber(new ASN1Integer(serNo));

    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(certTemplateBuilder.build());
    if (noRevocationReason) {
        // NOOP, crlEntryDetails are optional
    } else {
        ExtensionsGenerator extgen = new ExtensionsGenerator();
        CRLReason crlReason = CRLReason.lookup(CRLReason.keyCompromise);
        extgen.addExtension(Extension.reasonCode, false, crlReason);
        Extensions exts = extgen.generate();
        v.add(exts);
    }
    ASN1Sequence seq = new DERSequence(v);
    RevDetails revDetails = RevDetails.getInstance(seq);
    RevReqContent revReqContent = new RevReqContent(revDetails);

    final GeneralName recipient;
    // Recipient can be empty according to RFC4210 section D.1
    if (cacert != null) {
        recipient = new GeneralName(new X500Name(((X509Certificate) cacert).getSubjectDN().getName()));
    } else {
        RDN[] emptyRDN = new RDN[0];
        recipient = new GeneralName(new X500Name(emptyRDN));
    }
    PKIHeaderBuilder pkiHeaderBuilder = new PKIHeaderBuilder(PKIHeader.CMP_2000, new GeneralName(userDN), recipient);
    pkiHeaderBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));
    pkiHeaderBuilder.setSenderNonce(new DEROctetString(nonce));
    pkiHeaderBuilder.setTransactionID(new DEROctetString(transid));
    pkiHeaderBuilder.setProtectionAlg(pAlg);
    if (senderKID != null) {
        pkiHeaderBuilder.setSenderKID(senderKID);
    }
    PKIBody pkiBody = new PKIBody(PKIBody.TYPE_REVOCATION_REQ, revReqContent);
    PKIMessage pkiMessage = new PKIMessage(pkiHeaderBuilder.build(), pkiBody);
    return pkiMessage;
}

But still getting error:

2024-10-01 05:50:47,776+0000 DEBUG [com.keyfactor.util.keys.KeyTools] (default task-4) MaxAllowedKeyLength for DES is: 2147483647

2024-10-01 05:50:47,777+0000 DEBUG [com.keyfactor.util.StringTools] (default task-4) Using encrypted CmpConfiguration
2024-10-01 05:50:47,777+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.VerifyPKIMessage] (default task-4) Trying to verify the message using CMP authentication module 'HMAC' with parameter '-'
2024-10-01 05:50:47,777+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.VerifyPKIMessage] (default task-4) Trying to verify the message using CMP authentication module 'DnPartPwd' with parameter 'UID'
2024-10-01 05:50:47,777+0000 INFO [org.ejbca.core.protocol.cmp.RevocationMessageHandler] (default task-4) No request was found in the PKIMessage

Is there any setting we need to enable or is there any changes in URL for revocation

[primetomas]

Doesn't look like you have created any protection on your message.