How to use SimplePKIResponse

[sNiXx]

I recently started working on an EST server implementation and was wondering how to use SimplePKIResponseto send CA certificates to the client. I have been reading and searching but cannot really make sense of how to use the BC API.

What I understand / what I tried so far:

1. When sending a Simple PKI Response to the client, the data structure to be sent is a SignedData structure encapsulated in a ContentInfo structure, which is NOT signed (Section 2.2 of RFC 5272):

   Simple PKI Request                      Simple PKI Response
   -------------------------               --------------------------

    +----------+                            +------------------+
    | PKCS #10 |                            | CMS ContentInfo  |
    +----------+--------------+             +------------------+------+
    | Certification Request   |             | CMS Signed Data,        |
    |                         |             |   no SignerInfo         |
    | Subject Name            |             |
    | Subject Public Key Info |             | SignedData contains one |
    |   (K_PUB)               |             | or more certificates in |
    | Attributes              |             | the certificates field  |
    |                         |             | Relevant CA certs and   |
    +-----------+-------------+             | CRLs can be included    |
                | signed with |             | as well.                |
                | matching    |             |                         |
                | K_PRIV      |             | encapsulatedContentInfo |
                +-------------+             | is absent.              |
                                            +--------------+----------+
                                                           | unsigned |
                                                           +----------+

2. The SignedData structure usually contains the following (Section 5.1 of RFC 5652):

SignedData ::= SEQUENCE {
        version CMSVersion,
        digestAlgorithms DigestAlgorithmIdentifiers,
        encapContentInfo EncapsulatedContentInfo,
        certificates [0] IMPLICIT CertificateSet OPTIONAL,
        crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
        signerInfos SignerInfos }

      DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier

      SignerInfos ::= SET OF SignerInfo

3. In case of the Simple PKI Response, however, SignedData only contains one or more certificates (and optionally CRLs). The way I understand this is, that the encapContentInfo and signerInfos is not part of the structure. This only leaves version, digestAlgorithms, certificates and crls (which was optional to begin with).

4. SimplePKIResponse has two constructors, although I find the javadoc for SimplePKIResponse(byte[] responseEncoding)confusing, as it states the parameter is the: "BER/DER encoding of the certificate.", but this constructor just calls the second constructor by passing it a ContentInfo instance. What is the meaning of "the certificate"? Also, the second constructor `SimplePKIResponse(ContentInfo signedData) is what seems to be used in ESTService directly, so I was looking into this further.

5. In addition, I followed the example in the documentation for CMSSignedDataGenerator to get a SignedData object. The certificates (and the signer) have been added, but what is the purpose of CMSTypedData? The javadoc says the parameter content of generate(CMSTypedData content) is "the content to be signed". I was then asking myself if this generator is only to be used for regular SignedData structures.

Hence, I am wondering if I am going at this the wrong way or if I am supposed to build an ASN.1 data structure of this non-conventional SignedData myself?

Could someone point me in the right direction? Thank you in advance 😃