add vendor extension to nonce request and response

Akretsch · Akretsch · commit eb6eefab5b7c · 2025-11-06T09:56:43.000+01:00
diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/ClientAttestationContext.java b/src/main/java/com/siemens/pki/cmpclientcomponent/configuration/ClientAttestationContext.java
@@ -58,6 +58,14 @@ default BigInteger getNonceRequestLen() {
     default String getNonceRequestType() {
         return null;
     }
+
+    /**
+     * Siemens proprietary extension to carry additional data
+     * @return additional data <code>null</code>
+     */
+    default byte[] getNonceRequestVendorextension() {
+        return null;
+    }
     /**
      * get certs to include in {@link EvidenceBundle}
      * @return certs
diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java b/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java
@@ -425,7 +425,8 @@ public EnrollmentResult invokeEnrollment() {
                 NonceRequest nonceRequest = new NonceRequest(
                         attestationContext.getNonceRequestLen(),
                         attestationContext.getNonceRequestType(),
-                        attestationContext.getNonceRequestHint());
+                        attestationContext.getNonceRequestHint(),
+                        attestationContext.getNonceRequestVendorextension());
                 NonceRequestValue nonceRequestValue = new NonceRequestValue(new NonceRequest[] {nonceRequest});
                 ratNonceResponse = requestHandler.sendReceiveInitialMessage(new PKIBody(
                         PKIBody.TYPE_GEN_MSG,
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/configuration/RatVerifierAdapter.java b/src/main/java/com/siemens/pki/cmpracomponent/configuration/RatVerifierAdapter.java
@@ -65,6 +65,14 @@ default String getHint() {
         default String getType() {
             return null;
         }
+
+        /**
+         * Siemens proprietary extension to carry additional data
+         * @return additional data or <code>null</code>
+         */
+        default byte[] getVendorextension() {
+            return null;
+        }
     }
 
     /**
@@ -73,9 +81,15 @@ default String getType() {
      * @param len the required length of the requested nonce, maybe <code>null</code>
      * @param type indicates which Evidence type to request a nonce for, OID as string or <code>null</code>
      * @param hint indicates which Verifier to request a nonce from, maybe <code>null</code>
+     * @param vendorextension additional Siemens proprietary data, maybe <code>null</code>
      * @param encodedNonceRequest encoded NonceRequest containing len, type and hint
      * @return fresh BER encoded NonceResponse
      */
     NonceResponseRet generateNonce(
-            byte[] transactionId, BigInteger len, String type, String hint, byte[] encodedNonceRequest);
+            byte[] transactionId,
+            BigInteger len,
+            String type,
+            String hint,
+            byte[] vendorextension,
+            byte[] encodedNonceRequest);
 }
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/ServiceImplementation.java b/src/main/java/com/siemens/pki/cmpracomponent/msgprocessing/ServiceImplementation.java
@@ -52,6 +52,7 @@
 import org.bouncycastle.asn1.ASN1EncodableVector;
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.ASN1UTF8String;
@@ -313,8 +314,10 @@ private PKIBody handleGetFreshRatNonce(final PKIMessage msg, final InfoTypeAndVa
                     ifNotNull(aktRequest.getLen(), ASN1Integer::getValue),
                     ifNotNull(aktRequest.getType(), ASN1ObjectIdentifier::getId),
                     ifNotNull(aktRequest.getHint(), ASN1UTF8String::getString),
+                    ifNotNull(aktRequest.getVendorextension(), ASN1OctetString::getOctets),
                     aktRequest.getEncoded());
-            responses[i] = new NonceResponse(ret.getNonce(), ret.getExpiry(), ret.getType(), ret.getHint());
+            responses[i] = new NonceResponse(
+                    ret.getNonce(), ret.getExpiry(), ret.getType(), ret.getHint(), ret.getVendorextension());
         }
         persistencyContext.markAsPreparingGenm();
         return new PKIBody(
diff --git a/src/main/java/com/siemens/pki/verifieradapter/asn1/NonceRequestValue.java b/src/main/java/com/siemens/pki/verifieradapter/asn1/NonceRequestValue.java
@@ -24,9 +24,11 @@
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1Object;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.ASN1UTF8String;
+import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.DERSequence;
 import org.bouncycastle.asn1.DERUTF8String;
 
@@ -42,6 +44,8 @@
  * -- indicates which Evidence type to request a nonce for
  * hint   UTF8String OPTIONAL
  * -- indicates which Verifier to request a nonce from
+ * vendorextension OCTET STRING OPTIONAL
+ * -- Siemens proprietary extension to carry additional data
  * }
  * }
  */
@@ -62,23 +66,32 @@ public ASN1UTF8String getHint() {
             return hint;
         }
 
+        public ASN1OctetString getVendorextension() {
+            return vendorextension;
+        }
+
         private ASN1Integer len = null;
         private ASN1ObjectIdentifier type = null;
         private ASN1UTF8String hint = null;
+        private ASN1OctetString vendorextension = null;
 
-        public NonceRequest(ASN1Integer len, ASN1ObjectIdentifier type, ASN1UTF8String hint) {
+        public NonceRequest(
+                ASN1Integer len, ASN1ObjectIdentifier type, ASN1UTF8String hint, ASN1OctetString vendorextension) {
             this.len = len;
             this.type = type;
             this.hint = hint;
+            this.vendorextension = vendorextension;
         }
 
         public ASN1Primitive toASN1Primitive() {
 
-            ASN1EncodableVector v = new ASN1EncodableVector(3);
+            ASN1EncodableVector v = new ASN1EncodableVector(4);
 
             addOptional(v, len);
             addOptional(v, type);
             addOptional(v, hint);
+            addOptional(v, vendorextension);
+
             return new DERSequence(v);
         }
 
@@ -112,16 +125,28 @@ private NonceRequest(ASN1Sequence seq) {
                 }
                 next = en.nextElement();
             }
-            if (next != null) {
+            if (next instanceof ASN1UTF8String) {
                 hint = ASN1UTF8String.getInstance(next);
+                if (!en.hasMoreElements()) {
+                    return;
+                }
+                next = en.nextElement();
+            }
+            if (next instanceof ASN1OctetString) {
+                vendorextension = ASN1OctetString.getInstance(next);
             }
         }
 
-        public NonceRequest(BigInteger nonceRequestLen, String nonceRequestType, String nonceRequestHint) {
+        public NonceRequest(
+                BigInteger nonceRequestLen,
+                String nonceRequestType,
+                String nonceRequestHint,
+                byte[] nonceRequestVendorextension) {
             this(
                     nonceRequestLen != null ? new ASN1Integer(nonceRequestLen) : null,
                     nonceRequestType != null ? new ASN1ObjectIdentifier(nonceRequestType) : null,
-                    nonceRequestHint != null ? new DERUTF8String(nonceRequestHint) : null);
+                    nonceRequestHint != null ? new DERUTF8String(nonceRequestHint) : null,
+                    nonceRequestVendorextension != null ? new DEROctetString(nonceRequestVendorextension) : null);
         }
 
         private void addOptional(ASN1EncodableVector v, ASN1Encodable obj) {
diff --git a/src/main/java/com/siemens/pki/verifieradapter/asn1/NonceResponseValue.java b/src/main/java/com/siemens/pki/verifieradapter/asn1/NonceResponseValue.java
@@ -47,6 +47,8 @@
  * -- indicates which Evidence type to request a nonce for
  * hint UTF8String OPTIONAL
  * -- indicates which Verifier to request a nonce from
+ * vendorextension OCTET STRING OPTIONAL
+ * -- Siemens proprietary extension to carry additional data
  * }
  * }
  */
@@ -60,6 +62,7 @@ public static class NonceResponse extends ASN1Object {
         private ASN1Integer expiry = null;
         private ASN1ObjectIdentifier type = null;
         private ASN1UTF8String hint = null;
+        private ASN1OctetString vendorextension = null;
 
         public ASN1Primitive toASN1Primitive() {
 
@@ -69,6 +72,8 @@ public ASN1Primitive toASN1Primitive() {
             addOptional(v, expiry);
             addOptional(v, type);
             addOptional(v, hint);
+            addOptional(v, vendorextension);
+
             return new DERSequence(v);
         }
 
@@ -107,23 +112,38 @@ private NonceResponse(ASN1Sequence seq) {
                 }
                 next = en.nextElement();
             }
-            hint = ASN1UTF8String.getInstance(next);
+            if (next instanceof ASN1UTF8String) {
+                hint = ASN1UTF8String.getInstance(next);
+                if (!en.hasMoreElements()) {
+                    return;
+                }
+                next = en.nextElement();
+            }
+            if (next instanceof ASN1OctetString) {
+                vendorextension = ASN1OctetString.getInstance(next);
+            }
         }
 
         public NonceResponse(
-                ASN1OctetString nonce, ASN1Integer expiry, ASN1ObjectIdentifier type, ASN1UTF8String hint) {
+                ASN1OctetString nonce,
+                ASN1Integer expiry,
+                ASN1ObjectIdentifier type,
+                ASN1UTF8String hint,
+                ASN1OctetString vendorextension) {
             this.nonce = nonce;
             this.expiry = expiry;
             this.type = type;
             this.hint = hint;
+            this.vendorextension = vendorextension;
         }
 
-        public NonceResponse(byte[] nonce, Integer expiry, String type, String hint) {
+        public NonceResponse(byte[] nonce, Integer expiry, String type, String hint, byte[] vendorextension) {
             this(
                     nonce != null ? new DEROctetString(nonce) : null,
                     expiry != null ? new ASN1Integer(expiry) : null,
                     type != null ? new ASN1ObjectIdentifier(type) : null,
-                    hint != null ? new DERUTF8String(hint) : null);
+                    hint != null ? new DERUTF8String(hint) : null,
+                    vendorextension != null ? new DEROctetString(vendorextension) : null);
         }
 
         public ASN1OctetString getNonce() {
@@ -142,6 +162,10 @@ public ASN1UTF8String getHint() {
             return hint;
         }
 
+        public ASN1OctetString getVendorextension() {
+            return vendorextension;
+        }
+
         private void addOptional(ASN1EncodableVector v, ASN1Encodable obj) {
             if (obj != null) {
                 v.add(obj);
diff --git a/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCrWithRAT.java b/src/test/java/com/siemens/pki/cmpclientcomponent/test/TestCrWithRAT.java
@@ -224,6 +224,7 @@ public NonceResponseRet generateNonce(
                             BigInteger len,
                             String type,
                             String hint,
+                            byte[] vendorextension,
                             byte[] encodedNonceRequest) {
                         LOGGER.debug(
                                 "generateNonce called with certprofile: {}, type: {}",
@@ -246,6 +247,11 @@ public String getHint() {
                                 return "responded hint: " + hint;
                             }
 
+                            @Override
+                            public byte[] getVendorextension() {
+                                return vendorextension;
+                            }
+
                             @Override
                             public String getType() {
                                 return new ASN1ObjectIdentifier("1.7.8.9").getId();
@@ -432,6 +438,11 @@ public BigInteger getNonceRequestLen() {
                         return new BigInteger("16");
                     }
 
+                    @Override
+                    public byte[] getNonceRequestVendorextension() {
+                        return "vendor extension".getBytes();
+                    }
+
                     @Override
                     public Certificate[] getEvidenceBundleCerts() {
                         // just provide some certificates
@@ -457,6 +468,8 @@ public byte[] getEvidenceStatement(byte[] attestationNonce) {
                         NonceResponse nonceResponse = NonceResponse.getInstance(attestationNonce);
                         assertNotNull(nonceResponse.getExpiry());
                         assertNotNull(nonceResponse.getHint());
+                        assertNotNull(nonceResponse.getVendorextension());
+
                         try {
                             return new EvidenceStatement(
                                             nonceResponse.getType().branch("88"),
diff --git a/src/test/java/com/siemens/pki/verifieradapter/asn1/TestRatAsn1.java b/src/test/java/com/siemens/pki/verifieradapter/asn1/TestRatAsn1.java
@@ -67,19 +67,22 @@ public void testEvidenceBundle() throws IOException {
 
     @Test
     public void testNonceRequestValue() throws IOException {
-        byte[] encoded = new NonceRequestValue(new NonceRequest[] {new NonceRequest((BigInteger) null, null, null)})
+        byte[] encoded = new NonceRequestValue(
+                        new NonceRequest[] {new NonceRequest((BigInteger) null, null, null, null)})
                 .getEncoded();
         NonceRequestValue decoded = NonceRequestValue.getInstance(encoded);
         assertEquals(1, decoded.getNonceRequests().length);
         final NonceRequest nonceRequest = decoded.getNonceRequests()[0];
         assertNull(nonceRequest.getLen());
         assertNull(nonceRequest.getType());
         assertNull(nonceRequest.getHint());
+        assertNull(nonceRequest.getVendorextension());
     }
 
     @Test
     public void testNonceResponseValue() throws IOException {
-        byte[] encoded = new NonceResponseValue(new NonceResponse[] {new NonceResponse(new byte[10], null, null, null)})
+        byte[] encoded = new NonceResponseValue(
+                        new NonceResponse[] {new NonceResponse(new byte[10], null, null, null, null)})
                 .getEncoded();
         NonceResponseValue decoded = NonceResponseValue.getInstance(encoded);
         assertEquals(1, decoded.getNonceResponse().length);
@@ -88,5 +91,6 @@ public void testNonceResponseValue() throws IOException {
         assertNull(nonceRequest.getExpiry());
         assertNull(nonceRequest.getType());
         assertNull(nonceRequest.getHint());
+        assertNull(nonceRequest.getVendorextension());
     }
 }
diff --git a/src/test/java/com/siemens/pki/verifieradapter/asn1/package-info.java b/src/test/java/com/siemens/pki/verifieradapter/asn1/package-info.java
