again fix protection of NESTED responses (#114)

CHANGELOG.md

@@ -140,3 +140,6 @@ feat: add logging while accessing configuration data
 
 fix: handling of NestedEndpointContext.isIncomingRecipientValid
 
+### 4.1.4 (Jul 23 2024)
+
+fix: again fix protection of NESTED responses

pom.xml

@@ -8,7 +8,7 @@
 	<groupId>com.siemens.pki</groupId>
 	<artifactId>CmpRaComponent</artifactId>
 	<packaging>jar</packaging>
-	<version>4.1.3</version>
+	<version>4.1.4</version>
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<parent.basedir>.</parent.basedir>

src/main/java/com/siemens/pki/cmpracomponent/msggeneration/MsgOutputProtector.java

@@ -29,6 +29,7 @@
 import com.siemens.pki.cmpracomponent.protection.ProtectionProvider;
 import com.siemens.pki.cmpracomponent.protection.ProtectionProviderFactory;
 import com.siemens.pki.cmpracomponent.util.ConfigLogger;
+import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -123,9 +124,11 @@ public MsgOutputProtector(final NestedEndpointContext config, final String inter
      * @param headerProvider the header to use
      * @param body body of new message
      * @return new message
-     * @throws Exception in case of error
+     * @throws IOException in case of encoding problem
+     * @throws GeneralSecurityException in case of error
      */
-    public PKIMessage createOutgoingMessage(final HeaderProvider headerProvider, PKIBody body) throws Exception {
+    public PKIMessage createOutgoingMessage(final HeaderProvider headerProvider, PKIBody body)
+            throws GeneralSecurityException, IOException {
         switch (reprotectMode) {
             case reprotect:
             case keep:
@@ -145,9 +148,11 @@ public PKIMessage createOutgoingMessage(final HeaderProvider headerProvider, PKI
      * @param request request to answer
      * @param body    body of new message
      * @return new message
-     * @throws Exception in case of error
+     * @throws GeneralSecurityException in case of error
+     * @throws IOException in case of encoding error
      */
-    public PKIMessage generateAndProtectResponseTo(PKIMessage request, final PKIBody body) throws Exception {
+    public PKIMessage generateAndProtectResponseTo(PKIMessage request, final PKIBody body)
+            throws GeneralSecurityException, IOException {
         return stripRedundantExtraCerts(PkiMessageGenerator.generateAndProtectMessage(
                 PkiMessageGenerator.buildRespondingHeaderProvider(request), protector, recipient, body, null));
     }
@@ -166,10 +171,11 @@ public ProtectionProvider getProtector() {
      * @param issuingChain trust chain of issued certificate to add to extracerts or
      *                     <code>null</code>
      * @return protected message ready to send
-     * @throws Exception in case of processing error
+     * @throws IOException in case of encoding problem
+     * @throws GeneralSecurityException in case of processing error
      */
     public PKIMessage protectOutgoingMessage(final PKIMessage in, final List<CMPCertificate> issuingChain)
-            throws Exception {
+            throws GeneralSecurityException, IOException {
         switch (reprotectMode) {
             case reprotect:
                 return stripRedundantExtraCerts(PkiMessageGenerator.generateAndProtectMessage(

src/main/java/com/siemens/pki/cmpracomponent/msggeneration/PkiMessageGenerator.java

@@ -29,6 +29,7 @@
 import com.siemens.pki.cmpracomponent.util.MessageDumper;
 import java.io.IOException;
 import java.math.BigInteger;
+import java.security.GeneralSecurityException;
 import java.security.PrivateKey;
 import java.security.Signature;
 import java.util.Collections;
@@ -257,15 +258,16 @@ public ASN1OctetString getTransactionID() {
      * @param issuingChain       chain of enrolled certificate to append at the
      *                           extraCerts
      * @return a fully build and protected message
-     * @throws Exception in case of error
+     * @throws GeneralSecurityException in case of error
+     * @throws IOException in case of encoding error
      */
     public static PKIMessage generateAndProtectMessage(
             final HeaderProvider headerProvider,
             final ProtectionProvider protectionProvider,
             GeneralName newRecipient,
             final PKIBody body,
             final List<CMPCertificate> issuingChain)
-            throws Exception {
+            throws GeneralSecurityException, IOException {
         synchronized (protectionProvider) {
             final GeneralName recipient = computeDefaultIfNull(newRecipient, headerProvider::getRecipient);
             final GeneralName sender = computeDefaultIfNull(protectionProvider.getSender(), headerProvider::getSender);
@@ -422,11 +424,12 @@ public static PKIBody generateIpCpKupErrorBody(final int bodyType, final int fai
      * @param privateKey   private key to build the POPO, if set to null, POPO is
      *                     set to raVerified
      * @return a IR, CR or KUR body
-     * @throws Exception in case of error
+     * @throws GeneralSecurityException in case of error
+     * @throws IOException in case of encoding error
      */
     public static PKIBody generateIrCrKurBody(
             final int bodyType, final CertTemplate certTemplate, final Controls controls, final PrivateKey privateKey)
-            throws Exception {
+            throws GeneralSecurityException, IOException {
         final CertRequest certReq = new CertRequest(CERT_REQ_ID_0, certTemplate, controls);
         if (privateKey == null) {
             return new PKIBody(bodyType, new CertReqMessages(new CertReqMsg(certReq, new ProofOfPossession(), null)));
@@ -542,10 +545,11 @@ public static PKIBody generateRrBody(final X500Name issuer, final ASN1Integer se
      * @param headerProvider PKI header
      * @param body           message body
      * @return a fully build and not protected message
-     * @throws Exception in case of error
+     * @throws GeneralSecurityException in case of error
+     * @throws IOException in case of encoding error
      */
     public static PKIMessage generateUnprotectMessage(final HeaderProvider headerProvider, final PKIBody body)
-            throws Exception {
+            throws GeneralSecurityException, IOException {
         return generateAndProtectMessage(headerProvider, ProtectionProvider.NO_PROTECTION, null, body, null);
     }
 

src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/CmpRaUpstream.java

@@ -32,6 +32,8 @@
 import com.siemens.pki.cmpracomponent.persistency.PersistencyContextManager;
 import com.siemens.pki.cmpracomponent.util.CmpFuncEx;
 import com.siemens.pki.cmpracomponent.util.ConfigLogger;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashSet;
@@ -76,19 +78,17 @@ class CmpRaUpstream implements RaUpstream {
      * @param persistencyContextManager persistency interface
      * @param config                    specific configuration
      * @param upstreamExchange          upstream function
-     * @throws Exception in case of error
      */
     CmpRaUpstream(
             final PersistencyContextManager persistencyContextManager,
             final Configuration config,
-            final CmpFuncEx<PKIMessage, PKIMessage> upstreamExchange)
-            throws Exception {
+            final CmpFuncEx<PKIMessage, PKIMessage> upstreamExchange) {
         this.persistencyContextManager = persistencyContextManager;
         this.config = config;
         this.upstreamMsgHandler = upstreamExchange;
     }
 
-    void gotResponseAtUpstream(final PKIMessage responseMessage) throws Exception {
+    void gotResponseAtUpstream(final PKIMessage responseMessage) throws IOException, CmpProcessingException {
         final PersistencyContext persistencyContext = persistencyContextManager.loadPersistencyContext(
                 responseMessage.getHeader().getTransactionID().getOctets());
         if (persistencyContext == null) {
@@ -162,7 +162,7 @@ public PKIMessage handleRequest(final PKIMessage in, final PersistencyContext pe
                         PkiMessageGenerator.generateResponseBodyWithWaiting(sentMessage.getBody(), INTERFACE_NAME));
             }
             // synchronous transfer
-            if (receivedMessage.getBody().getType() == PKIBody.TYPE_NESTED) {
+            if (receivedMessage.getBody().getType() == PKIBody.TYPE_NESTED && nestedEndpointContext != null) {
                 final MessageHeaderValidator nestedHeaderValidator = new MessageHeaderValidator(NESTED_INTERFACE_NAME);
                 nestedHeaderValidator.validate(receivedMessage);
                 final ProtectionValidator nestedProtectionValidator = new ProtectionValidator(
@@ -220,7 +220,7 @@ public PKIMessage handleRequest(final PKIMessage in, final PersistencyContext pe
     }
 
     private PKIMessage handlePollReq(final PKIMessage in, final PersistencyContext persistencyContext)
-            throws Exception {
+            throws BaseCmpException, GeneralSecurityException, IOException {
         final PKIMessage delayedResponse = persistencyContext.getPendingDelayedResponse();
         if (delayedResponse != null) {
             final InputValidator inputValidator = new InputValidator(