carolloversubcommand.java

一套JAVA的CA证书签发系统.

/*************************************************************************
 *                                                                       *
 *  EJBCA: The OpenSource Certificate Authority                          *
 *                                                                       *
 *  This software is free software; you can redistribute it and/or       *
 *  modify it under the terms of the GNU Lesser General Public           *
 *  License as published by the Free Software Foundation; either         *
 *  version 2.1 of the License, or any later version.                    *
 *                                                                       *
 *  See terms of license at gnu.org.                                     *
 *                                                                       *
 *************************************************************************/
 
package se.anatom.ejbca.admin;

import java.io.*;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import se.anatom.ejbca.util.CertTools;
import se.anatom.ejbca.util.Hex;
import se.anatom.ejbca.util.KeyTools;


/**
 * Creates a new root certificate with new validity, using the same key.
 *
 * @version $Id: CaRolloverSubCommand.java,v 1.10 2004/04/16 07:38:57 anatom Exp $
 */
public class CaRolloverSubCommand extends BaseCaAdminCommand {
    /**
     * Creates a new instance of CaRolloverSubCommand
     *
     * @param args command line arguments
     */
    public CaRolloverSubCommand(String[] args) {
        super(args);
    }

    /**
     * Runs the command
     *
     * @throws IllegalAdminCommandException Error in command args
     * @throws ErrorAdminCommandException Error running command
     */
    public void execute() throws IllegalAdminCommandException, ErrorAdminCommandException {
        try {
            if (args.length < 5) {
                System.out.println(
                    "Usage: CA rolloversub <validity-days> <keystore filename> <storepassword> <certrequest filename>");
                System.out.println(
                    "Rolloversub is used to generate a new subCA certificate using an existing keypair. This updates the current subCA keystore.");

                return;
            }

            int validity = Integer.parseInt(args[1]);
            String ksfilename = args[2];
            String storepwd = args[3];
            String reqfile = args[4];

            // Load keystore
            KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");
            InputStream is = new FileInputStream(ksfilename);
            keyStore.load(is, storepwd.toCharArray());

            // Get old certificate chain
            Certificate[] chain = KeyTools.getCertChain(keyStore, privKeyAlias);

            if (chain.length > 2) {
                System.out.println(
                    "Certificate chain too long, this keystore was not generated with EJBCA?");

                return;
            }

            X509Certificate rootcert = (X509Certificate) chain[chain.length - 1];

            if (!CertTools.isSelfSigned(rootcert)) {
                System.out.println("Root certificate is not self signed???");

                return;
            }

            X509Certificate cacert = null;

            if (chain.length > 1) {
                cacert = (X509Certificate) chain[0];
            }

            if (cacert == null) {
                System.out.println(
                    "No subCA certificate found in keystore, this is not a subCA or keystore was not generated with EJBCA.");

                return;
            }

            String subjectDN = CertTools.getSubjectDN(cacert);
            System.out.println("Generating new certificate request for CA with DN '" + subjectDN +
                "'.");

            // Get private key
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(privKeyAlias, privateKeyPass);

            if (privateKey == null) {
                System.out.println("No private key with alias '" + privKeyAlias +
                    "' in keystore, this keystore was not generated with EJBCA?");

                return;
            }

            // Make a KeyPair
            KeyPair keyPair = new KeyPair(cacert.getPublicKey(), privateKey);

            // verify that the old and new keyidentifieras are the same
            String policyId = CertTools.getCertificatePolicyId(cacert, 0);
            X509Certificate newselfcert = CertTools.genSelfCert(subjectDN, validity, policyId,
                    privateKey, cacert.getPublicKey(), true);
            String oldKeyId = Hex.encode(CertTools.getSubjectKeyId(cacert));
            String newKeyId = Hex.encode(CertTools.getSubjectKeyId(newselfcert));
            System.out.println("Old key id: " + oldKeyId);

            if (oldKeyId == null) {
                System.out.println("Old certificate does not contain SubjectKeyIdentifier.");
                System.out.println("This is recommended, but decided by your CA.");
                System.out.println("Continuing...");
            } else {
                System.out.println("New key id: " + newKeyId);

                if (oldKeyId.compareTo(newKeyId) != 0) {
                    System.out.println(
                        "Old key identifier and new key identifieras does not match, have the key pair changed?");
                    System.out.println("Unable to rollover subCA.");

                    return;
                }
            }

            // Generate the new certificate request
            makeCertRequest(subjectDN, keyPair, reqfile);

            System.out.println(
                "Submit certificare request to RootCA and when receiving reply run 'ca recrep'.");
        } catch (Exception e) {
            e.printStackTrace();
            throw new ErrorAdminCommandException(e);
        }
    } // execute
}