
SCEP CertRep SUCCESS: how many certs are in the response?


I am working on an SCEP implementation (both requester and authority). The project uses JScep as a library.

During the communication for a PKCSReq the client receives a CertRep SUCCESS. The draft says the following:

+----------------+--------------------------------------------------+
| Request-type   | Reply-contents                                   |
+----------------+--------------------------------------------------+
| PKCSReq        | the reply MUST contain at least the issued       |
|                | certificate in the certificates field of the     |
|                | Signed-Data. The reply MAY contain additional    |
|                | certificates, but the issued certificate MUST be |
|                | the first in the list. The reply MUST NOT        |
|                | contain a CRL. All returned certificates MUST    |
|                | conform to [RFC5280].                            |
+----------------+--------------------------------------------------+

I am a bit confused about how to interpret "MAY contain additional certificates".

Does this mean that the whole cert chain will be presented in the response as a Collection (JScep)?


Solution

  • The whole certificate chain may be presented, but not necessarily. Generally I would expect SCEP servers to provide everything you need to establish a chain of trust.

    If you call enrol and the resulting EnrollmentResponse is successful (isSuccess()), you can then call getCertStore to access a java.security.cert.CertStore. That CertStore will contain all the certificates sent by the server.

    You can use the CertStoreInspector from jscep to directly extract relevant certificates like so:

    CertStoreInspector inspector = DefaultCertStoreInspectorFactory.getInstance(certStore);
    X509Certificate ca = inspector.getIssuer();              // the CA certificate
    X509Certificate signer_ra = inspector.getSigner();       // certificate that signed the CertRep
    X509Certificate recipient_ra = inspector.getRecipient(); // certificate to encrypt requests to
    

    See https://github.com/jscep/jscep/issues/48
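Added example (not from the answer above or the jscep project) showing how a requester can apply the two rules quoted from the draft: pick the issued certificate out of the CertStore by matching the public key it enrolled with rather than trusting list order, and validate it against a CA certificate it already trusts (obtained and fingerprint-checked out of band) instead of against whatever CA certificate the CertRep happens to carry. It assumes jscep's EnrollmentResponse lives in org.jscep.client and exposes isSuccess(), isPending() and getCertStore() as described in the answer.

```java
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import org.jscep.client.EnrollmentResponse;   // assumed package for jscep's EnrollmentResponse

public final class ScepIssuedCert {

    /**
     * Returns the certificate the SCEP server issued for requestedKey, after
     * building and validating a PKIX path from it to trustedCa.  Any extra
     * certificates in the CertRep (RA or intermediate CA certs) are used only
     * as untrusted path material, never as trust anchors.
     */
    public static X509Certificate extractIssued(EnrollmentResponse response,
                                                PublicKey requestedKey,
                                                X509Certificate trustedCa)
            throws GeneralSecurityException {
        if (!response.isSuccess()) {
            throw new CertificateException(
                    response.isPending() ? "enrolment still pending" : "enrolment failed");
        }
        CertStore store = response.getCertStore();
        X509Certificate issued = null;
        for (Certificate c : store.getCertificates(null)) {   // null selector = all certs
            X509Certificate x = (X509Certificate) c;
            if (x.getPublicKey().equals(requestedKey)) {
                issued = x;   // the one bound to our key is the issued cert
                break;
            }
        }
        if (issued == null) {
            throw new CertificateException("CertRep SUCCESS carries no certificate for our key");
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(issued);
        PKIXBuilderParameters params = new PKIXBuilderParameters(
                Collections.singleton(new TrustAnchor(trustedCa, null)), target);
        params.addCertStore(store);        // extra certs from the reply may complete the path
        params.setRevocationEnabled(false); // the CertRep MUST NOT carry a CRL; check CRL/OCSP separately
        CertPathBuilder.getInstance("PKIX").build(params); // throws if no valid path exists
        return issued;
    }
}
```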