carolloverrootcommand.java

一套JAVA的CA证书签发系统.

/*************************************************************************
 *                                                                       *
 *  EJBCA: The OpenSource Certificate Authority                          *
 *                                                                       *
 *  This software is free software; you can redistribute it and/or       *
 *  modify it under the terms of the GNU Lesser General Public           *
 *  License as published by the Free Software Foundation; either         *
 *  version 2.1 of the License, or any later version.                    *
 *                                                                       *
 *  See terms of license at gnu.org.                                     *
 *                                                                       *
 *************************************************************************/
 
package se.anatom.ejbca.admin;

import java.io.*;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import se.anatom.ejbca.util.CertTools;
import se.anatom.ejbca.util.Hex;
import se.anatom.ejbca.util.KeyTools;


/**
 * Creates a new root certificate with new validity, using the same key.
 *
 * @version $Id: CaRolloverRootCommand.java,v 1.11 2004/04/16 07:38:57 anatom Exp $
 */
public class CaRolloverRootCommand extends BaseCaAdminCommand {
    /**
     * Creates a new instance of CaRolloverRootCommand
     *
     * @param args command line arguments
     */
    public CaRolloverRootCommand(String[] args) {
        super(args);
    }

    /**
     * Runs the command
     *
     * @throws IllegalAdminCommandException Error in command args
     * @throws ErrorAdminCommandException Error running command
     */
    public void execute() throws IllegalAdminCommandException, ErrorAdminCommandException {
        try {
            if (args.length < 4) {
                System.out.println(
                    "Usage: CA rolloverroot <validity-days> <keystore filename> <storepassword>");
                System.out.println(
                    "Rolloverroot is used to generate a new RootCA certificate using an existing keypair. This updates the current RootCA keystore.");

                return;
            }

            int validity = Integer.parseInt(args[1]);
            String filename = args[2];
            String storepwd = args[3];

            // Load keys store
            KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");
            InputStream is = new FileInputStream(filename);
            keyStore.load(is, storepwd.toCharArray());
            // Get old root certificate
            Certificate[] chain = KeyTools.getCertChain(keyStore,privKeyAlias);
            if (chain.length > 2) {
                System.out.println(
                    "Certificate chain too long, this P12 was not generated with EJBCA?");

                return;
            }
            X509Certificate rootcert = (X509Certificate) chain[chain.length - 1];
            if (!CertTools.isSelfSigned(rootcert)) {
                System.out.println("Root certificate is not self signed???");

                return;
            }

            X509Certificate cacert = null;
            if (chain.length > 1) {
                cacert = (X509Certificate) chain[chain.length - 2];
            }
            // Get private key
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(privKeyAlias, privateKeyPass);

            if (privateKey == null) {
                System.out.println("No private key with alias '" + privKeyAlias +
                    "' in keystore, this keystore was not generated with EJBCA?");

                return;
            }

            // Generate the new root certificate
            String policyId = CertTools.getCertificatePolicyId(rootcert, 0);
            System.out.println("Certificate policy Id is '" + policyId + "'.");

            X509Certificate newrootcert = CertTools.genSelfCert(CertTools.getSubjectDN(rootcert),
                    validity, policyId, privateKey, rootcert.getPublicKey(), true);

            // verify that the old and new keyidentifieras are the same
            String oldKeyId = Hex.encode(CertTools.getAuthorityKeyId(rootcert));
            String newKeyId = Hex.encode(CertTools.getAuthorityKeyId(newrootcert));
            System.out.println("Old key id: " + oldKeyId);
            System.out.println("New key id: " + newKeyId);

            if (oldKeyId.compareTo(newKeyId) != 0) {
                System.out.println(
                    "Old key identifier and new key identifieras does not match, have the key pair changed?");
                System.out.println("Unable to rollover Root CA.");

                return;
            }

            // Create the new PKCS12 file
            KeyStore ks = KeyTools.createP12(privKeyAlias, privateKey, newrootcert, cacert);
            FileOutputStream os = new FileOutputStream(filename);
            ks.store(os, storepwd.toCharArray());
            System.out.println("Keystore " + filename + " generated successfully.");
            System.out.println(
                "Please put keystore in correct location, restart application server and run 'ca init'.");
        } catch (Exception e) {
            throw new ErrorAdminCommandException(e);
        }
    } // execute
}