
📄 certreqservlet.java

📁 一套JAVA的CA证书签发系统.
💻 JAVA
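            debug.printMessage("Invalid request!");
            debug.printMessage("Please supply a correct request.");
            debug.printDebugInfo();
            return;
        } catch (SignRequestSignatureException se) {
            log.debug("Invalid signature on certificate request!");
            debug.printMessage("Invalid signature on certificate request!");
            debug.printMessage("Please supply a correctly signed request.");
            debug.printDebugInfo();
            return;
        } catch (java.lang.ArrayIndexOutOfBoundsException ae) {
            log.debug("Empty or invalid request received.");
            debug.printMessage("Empty or invalid request!");
            debug.printMessage("Please supply a correct request.");
            debug.printDebugInfo();
            return;
        } catch (Exception e) {
            log.debug(e);
            // NOTE(review): every request parameter name and value is concatenated into
            // HTML and handed to debug.print() as-is. Unless ServletDebug escapes its
            // input (not visible here), this reflects caller-controlled markup into the
            // page, and it would also echo a password parameter if the request carries
            // one. Confirm, then escape the values and redact secrets.
            debug.print("<h3>parameter name and values: </h3>");
            Enumeration paramNames = request.getParameterNames();
            while (paramNames.hasMoreElements()) {
                String name = paramNames.nextElement().toString();
                String parameter = request.getParameter(name);
                debug.print("<h4>" + name + ":</h4>" + parameter + "<br>");
            }
            debug.takeCareOfException(e);
            debug.printDebugInfo();
        }
    } //doPost

    /**
     * Handles HTTP GET by telling the client that only POST is served.
     *
     * NOTE(review): the Allow header is set, but no 405 status is set in this method;
     * whether ServletDebug sets one is not visible here.
     *
     * @param request servlet request
     * @param response servlet response
     *
     * @throws IOException input/output error
     * @throws ServletException on error
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
        log.debug(">doGet()");
        response.setHeader("Allow", "POST");

        ServletDebug debug = new ServletDebug(request, response);
        debug.print("The certificate request servlet only handles POST method.");
        debug.printDebugInfo();
        log.debug("<doGet()");
    } // doGet

    /**
     * Reduces a name to characters that are safe inside a Content-Disposition
     * filename parameter. Everything outside [A-Za-z0-9._-] is replaced by '_', so
     * CR/LF, quotes, semicolons and path separators cannot reach the response header.
     *
     * @param name name to clean up, may be null
     *
     * @return the cleaned name, or "token" when the input is null or empty
     */
    private static String toSafeFileName(String name) {
        if ((name == null) || (name.length() == 0)) {
            return "token";
        }
        StringBuffer safe = new StringBuffer(name.length());
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            boolean allowed = ((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')) ||
                ((c >= '0') && (c <= '9')) || (c == '.') || (c == '-') || (c == '_');
            safe.append(allowed ? c : '_');
        }
        return safe.toString();
    }

    /**
     * Streams the keystore to the client as a PKCS#12 download.
     *
     * @param ks keystore to serialise
     * @param username used for the suggested file name (presumably taken from the
     *        request, so it is restricted to a safe character set first)
     * @param kspassword password the serialised keystore is stored under
     * @param out servlet response the token is written to
     *
     * @throws Exception if the keystore cannot be stored or the response cannot be written
     */
    private void sendP12Token(KeyStore ks, String username, String kspassword,
        HttpServletResponse out) throws Exception {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        ks.store(buffer, kspassword.toCharArray());

        out.setContentType("application/x-pkcs12");
        // The name goes into a response header: never pass it through unfiltered.
        out.setHeader("Content-disposition", "filename=" + toSafeFileName(username) + ".p12");
        out.setContentLength(buffer.size());
        buffer.writeTo(out.getOutputStream());
        out.flushBuffer();
        buffer.close();
    }

    /**
     * Streams the keystore to the client as a JKS download.
     *
     * @param ks keystore to serialise
     * @param username used for the suggested file name (presumably taken from the
     *        request, so it is restricted to a safe character set first)
     * @param kspassword password the serialised keystore is stored under
     * @param out servlet response the token is written to
     *
     * @throws Exception if the keystore cannot be stored or the response cannot be written
     */
    private void sendJKSToken(KeyStore ks, String username, String kspassword,
        HttpServletResponse out) throws Exception {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        ks.store(buffer, kspassword.toCharArray());

        out.setContentType("application/octet-stream");
        // The name goes into a response header: never pass it through unfiltered.
        out.setHeader("Content-disposition", "filename=" + toSafeFileName(username) + ".jks");
        out.setContentLength(buffer.size());
        buffer.writeTo(out.getOutputStream());
        out.flushBuffer();
        buffer.close();
    }

    /**
     * Writes the private key, the user certificate and, unless the user certificate is
     * self-signed, the remaining chain certificates to the client as one PEM download.
     *
     * NOTE(review): kspassword is only used to read the key out of the keystore. The
     * key bytes from getEncoded() are Base64-encoded and written without any password
     * protection, so the download must be treated as clear-text key material.
     *
     * NOTE(review): text fields are converted with getBytes(), which uses the platform
     * default charset; DNs with non-ASCII characters may differ between hosts.
     *
     * @param ks keystore holding the private key entry and its certificate chain
     * @param username used for the suggested file name (presumably taken from the
     *        request, so it is restricted to a safe character set first)
     * @param kspassword password protecting the key entry in the keystore
     * @param out servlet response the tokens are written to
     *
     * @throws Exception if the keystore holds no private key entry or no certificate
     *         chain for it, or if encoding or writing fails
     */
    private void sendPEMTokens(KeyStore ks, String username, String kspassword,
        HttpServletResponse out) throws Exception {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        String alias = null;
        PrivateKey serverPrivKey = null;

        // Find the first private key entry in the keystore
        Enumeration e = ks.aliases();
        while (e.hasMoreElements()) {
            Object o = e.nextElement();
            if (o instanceof String) {
                if ((ks.isKeyEntry((String) o)) &&
                        ((serverPrivKey = (PrivateKey) ks.getKey((String) o,
                                kspassword.toCharArray())) != null)) {
                    alias = (String) o;
                    break;
                }
            }
        }

        // Previously a missing key produced an empty private key section and a chain
        // lookup under whatever alias was enumerated last; fail explicitly instead.
        if (serverPrivKey == null) {
            throw new Exception("No private key entry found in keystore.");
        }
        byte[] privKeyEncoded = serverPrivKey.getEncoded();

        Certificate[] chain = KeyTools.getCertChain(ks, alias);
        if ((chain == null) || (chain.length == 0)) {
            throw new Exception("No certificate chain found for key entry.");
        }
        X509Certificate userX509Certificate = (X509Certificate) chain[0];

        byte[] output = userX509Certificate.getEncoded();
        String sn = CertTools.getSubjectDN(userX509Certificate);

        String subjectdnpem = sn.replace(',', '/');
        String issuerdnpem = CertTools.getIssuerDN(userX509Certificate).replace(',', '/');

        // Private key section
        buffer.write(bagattributes);
        buffer.write(friendlyname);
        buffer.write(alias.getBytes());
        buffer.write(NL);
        buffer.write(beginPrivateKey);
        buffer.write(NL);

        byte[] privKey = Base64.encode(privKeyEncoded);
        buffer.write(privKey);
        buffer.write(NL);
        buffer.write(endPrivateKey);
        buffer.write(NL);

        // User certificate section
        buffer.write(bagattributes);
        buffer.write(friendlyname);
        buffer.write(alias.getBytes());
        buffer.write(NL);
        buffer.write(subject);
        buffer.write(subjectdnpem.getBytes());
        buffer.write(NL);
        buffer.write(issuer);
        buffer.write(issuerdnpem.getBytes());
        buffer.write(NL);
        buffer.write(beginCertificate);
        buffer.write(NL);

        byte[] userCertB64 = Base64.encode(output);
        buffer.write(userCertB64);
        buffer.write(NL);
        buffer.write(endCertificate);
        buffer.write(NL);

        // Remaining chain certificates; nothing to add for a self-signed certificate
        if (!CertTools.isSelfSigned(userX509Certificate)) {
            for (int num = 1; num < chain.length; num++) {
                X509Certificate tmpX509Cert = (X509Certificate) chain[num];
                sn = CertTools.getSubjectDN(tmpX509Cert);

                String cn = CertTools.getPartFromDN(sn, "CN");
                if (cn == null) {
                    // A DN without CN would otherwise fail on cn.getBytes() below
                    cn = sn;
                }

                subjectdnpem = sn.replace(',', '/');
                issuerdnpem = CertTools.getIssuerDN(tmpX509Cert).replace(',', '/');

                buffer.write(bagattributes);
                buffer.write(friendlyname);
                buffer.write(cn.getBytes());
                buffer.write(NL);
                buffer.write(subject);
                buffer.write(subjectdnpem.getBytes());
                buffer.write(NL);
                buffer.write(issuer);
                buffer.write(issuerdnpem.getBytes());
                buffer.write(NL);

                byte[] tmpOutput = tmpX509Cert.getEncoded();
                buffer.write(beginCertificate);
                buffer.write(NL);

                byte[] tmpCACertB64 = Base64.encode(tmpOutput);
                buffer.write(tmpCACertB64);
                buffer.write(NL);
                buffer.write(endCertificate);
                buffer.write(NL);
            }
        }

        out.setContentType("application/octet-stream");
        // The name goes into a response header: never pass it through unfiltered.
        out.setHeader("Content-disposition",
            " attachment; filename=" + toSafeFileName(username) + ".pem");
        buffer.writeTo(out.getOutputStream());
        out.flushBuffer();
        buffer.close();
    }

    /**
     * Obtains a key pair (recovered or newly generated), has the CA issue a
     * certificate for its public key, checks the result against the CA chain and packs
     * key, certificate and chain into a keystore.
     *
     * NOTE(review): keylength is passed to KeyTools.genKeys() unchecked; confirm the
     * caller enforces a minimum key size.
     *
     * @param administrator administrator performing the operation
     * @param username user the certificate is issued for; keystore alias when the
     *        certificate has no CN
     * @param password passed to createCertificate() and, for JKS, used as the password
     *        given to KeyTools.createJKS()
     * @param caid id of the CA whose certificate chain is fetched
     * @param keylength key length handed to KeyTools.genKeys() when keys are generated
     * @param createJKS true for a JKS keystore, false for PKCS#12
     * @param loadkeys true to use keys from key recovery instead of generating new ones
     * @param savekeys true to store the key pair as key recovery data
     *
     * @return keystore holding the private key, the new certificate and the CA chain
     *
     * @throws Exception if the CA chain is empty, the last chain certificate is not a
     *         valid self-signed certificate, the issued certificate does not verify
     *         under the first chain certificate, or a session call fails
     */
    private KeyStore generateToken(Admin administrator, String username, String password,
        int caid, int keylength, boolean createJKS, boolean loadkeys, boolean savekeys)
        throws Exception {
        KeyPair rsaKeys = null;
        if (loadkeys) {
            // used saved keys.
            IKeyRecoverySessionRemote keyrecoverysession = keyrecoveryhome.create();
            rsaKeys = ((KeyRecoveryData) keyrecoverysession.keyRecovery(administrator,
                    username)).getKeyPair();
        } else {
            // generate new keys.
            rsaKeys = KeyTools.genKeys(keylength);
        }

        ISignSessionRemote signsession = signsessionhome.create();
        X509Certificate cert = (X509Certificate) signsession.createCertificate(administrator,
                username, password, rsaKeys.getPublic());

        // Make a certificate chain from the certificate and the CA-certificate
        // The factory is not used below; the call is kept in case it has side effects.
        CertificateFactory cf = CertTools.getCertificateFactory();
        Certificate[] cachain = (Certificate[]) signsession.getCertificateChain(administrator,
                caid).toArray(new Certificate[0]);

        // An empty chain would otherwise surface as an ArrayIndexOutOfBoundsException,
        // which doPost reports as an invalid request.
        if (cachain.length == 0) {
            throw new Exception("CA certificate chain is empty.");
        }

        // Verify CA-certificate
        Certificate rootCert = cachain[cachain.length - 1];
        if (CertTools.isSelfSigned((X509Certificate) rootCert)) {
            try {
                rootCert.verify(rootCert.getPublicKey());
            } catch (GeneralSecurityException se) {
                throw new Exception("RootCA certificate does not verify", se);
            }
        } else {
            throw new Exception("RootCA certificate not self-signed");
        }

        // NOTE(review): only the last element's self-signature and the new
        // certificate's signature under cachain[0] are checked; links between
        // intermediate CA certificates, if the chain has any, are not verified here.

        // Verify that the user-certificate is signed by our CA
        try {
            cert.verify(cachain[0].getPublicKey());
        } catch (GeneralSecurityException se) {
            throw new Exception("Generated certificate does not verify using CA-certificate.",
                se);
        }

        if (savekeys) {
            // Save generated keys to database.
            IKeyRecoverySessionRemote keyrecoverysession = keyrecoveryhome.create();
            keyrecoverysession.addKeyRecoveryData(administrator, cert, username, rsaKeys);
        }

        // Use CN as alias in the keystore, if CN is not present use username
        String alias = CertTools.getPartFromDN(CertTools.getSubjectDN(cert), "CN");
        if (alias == null) {
            alias = username;
        }

        // Store keys and certificates in keystore.
        KeyStore ks = null;
        if (createJKS) {
            ks = KeyTools.createJKS(alias, rsaKeys.getPrivate(), password, cert, cachain);
        } else {
            ks = KeyTools.createP12(alias, rsaKeys.getPrivate(), cert, cachain);
        }

        return ks;
    }
} // CertReqServlet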
