caadminsessionbean.java

一套JAVA的CA证书签发系统.

            getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"CA already exists.");
            throw new CAExistsException();
        }catch(javax.ejb.FinderException fe) {}
        
        try{
            cadatahome.findByName(cainfo.getName());
            getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"CA name already exists.");
            throw new CAExistsException("CA Name already exists");
        }catch(javax.ejb.FinderException fe) {}
        
        // Create CAToken
        CAToken catoken = null;
        CATokenInfo catokeninfo = cainfo.getCATokenInfo();
        if(catokeninfo instanceof SoftCATokenInfo){
            try{
                catoken = new SoftCAToken();
                ((SoftCAToken) catoken).generateKeys((SoftCATokenInfo) catokeninfo);
            }catch(Exception e){
                getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Error when creating CA token.",e);
                throw new EJBException(e);
            }
        }
        if(catokeninfo instanceof HardCATokenInfo){
        	catoken = new HardCATokenContainer();
        	((HardCATokenContainer) catoken).updateCATokenInfo(catokeninfo);
        	try{
        		catoken.activate(((HardCATokenInfo) catokeninfo).getAuthenticationCode());
        	}catch(CATokenAuthenticationFailedException ctaf){                	
        		getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Error when creating hard CA token. Authorization code was wrong.",ctaf);
        		throw ctaf;                	                	
        	}catch(CATokenOfflineException ctoe){                	
        		getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Error when creating hard CA token. CA token is offline.",ctoe);
        		throw ctoe;                	                	
        	}
        }
        
        // Create CA
        CA ca = null;
        if(cainfo instanceof X509CAInfo){
            X509CAInfo x509cainfo = (X509CAInfo) cainfo;
            // Create X509CA
            ca = new X509CA((X509CAInfo) cainfo);
            X509CA x509ca = (X509CA) ca;       
            ca.setCAToken(catoken);
            
            // Create Certificate Chain
            Collection certificatechain = null;
            
            // getCertificateProfile
            CertificateProfile certprofile = getCertificateStoreSession().getCertificateProfile(admin,cainfo.getCertificateProfileId());
            certpublishers = certprofile.getPublisherList();
            if(x509cainfo.getPolicyId() != null){
              certprofile.setUseCertificatePolicies(true);
              certprofile.setCertificatePolicyId(x509cainfo.getPolicyId());
            }else{
              if(certprofile.getUseCertificatePolicies())
                x509ca.setPolicyId(certprofile.getCertificatePolicyId());  
            }
            
            if(cainfo.getSignedBy() == CAInfo.SELFSIGNED){
              try{
                // create selfsigned certificate
                Certificate cacertificate = null;
               
                log.debug("CAAdminSessionBean : " + cainfo.getSubjectDN());
                
                UserAuthData cadata = new UserAuthData("nobody", null, cainfo.getSubjectDN(), cainfo.getSubjectDN().hashCode(), x509cainfo.getSubjectAltName(), null, 
                                                       0,  cainfo.getCertificateProfileId(), null);
                cacertificate = ca.generateCertificate(cadata, catoken.getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN),-1, cainfo.getValidity(), certprofile);
                
                log.debug("CAAdminSessionBean : " + ((X509Certificate) cacertificate).getSubjectDN().toString());
                
                // Build Certificate Chain
                certificatechain = new ArrayList();
                certificatechain.add(cacertificate);
                
                // set status to active
                castatus = SecConst.CA_ACTIVE;                
              }catch(CATokenOfflineException e){
              	getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Couldn't Create Root CA.",e);
            	throw e;
              }catch(Exception fe){
                 getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Couldn't Create Root CA.",fe);
                 throw new EJBException(fe);                                     
              }
            }
            if(cainfo.getSignedBy() == CAInfo.SIGNEDBYEXTERNALCA){
				certificatechain = new ArrayList();       
                // set status to waiting certificate response.
				castatus = SecConst.CA_WAITING_CERTIFICATE_RESPONSE;
            }
            
            if(cainfo.getSignedBy() > CAInfo.SPECIALCAIDBORDER || cainfo.getSignedBy() < 0){
                // Create CA signed by other internal CA.
            	try{
            		CADataLocal signcadata = cadatahome.findByPrimaryKey(new Integer(cainfo.getSignedBy()));   
            		CA signca = signcadata.getCA();
            		// Check validity of signers certificate
            		X509Certificate signcert = (X509Certificate) signca.getCACertificate();                  
            		try{
            			signcert.checkValidity();                   
            		}catch(CertificateExpiredException ce){
            			// Signers Certificate has expired.   
            			signcadata.setStatus(SecConst.CA_EXPIRED);  
            			getLogSession().log(admin, signcadata.getCAId().intValue(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Signing CA " + signcadata.getSubjectDN() + " has expired",ce);
            			throw new EJBException(ce);   
            		}catch(CertificateNotYetValidException cve){			  
            			getLogSession().log(admin, signcadata.getCAId().intValue(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Signing CA " + signcadata.getSubjectDN() + " is not yet valid",cve);
            			throw new EJBException(cve);				    
            		}
            		
            		// Create cacertificate                 
            		Certificate cacertificate = null;
            		
            		UserAuthData cadata = new UserAuthData("nobody", null, cainfo.getSubjectDN(), cainfo.getSubjectDN().hashCode(), x509cainfo.getSubjectAltName(), null, 
            				0,  cainfo.getCertificateProfileId(),null);
            		cacertificate = signca.generateCertificate(cadata, catoken.getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN), -1, cainfo.getValidity(), certprofile);
            		
            		// Build Certificate Chain
            		Collection rootcachain = signca.getCertificateChain();
            		certificatechain = new ArrayList();
            		certificatechain.add(cacertificate);
            		certificatechain.addAll(rootcachain);
            		// set status to active
            		castatus = SecConst.CA_ACTIVE;
            	}catch(CATokenOfflineException e){            		
            		getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Couldn't Create Sub CA.",e);
            		throw e;
            	}catch(Exception fe){
            		getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Couldn't Create Sub CA.",fe);
            		throw new EJBException(fe);                    
            	}                   
            }
            
            // Set Certificate Chain
            x509ca.setCertificateChain(certificatechain);
            
        }
       
        //	Publish CA certificates.
             
           int certtype = SecConst.CERTTYPE_SUBCA;	
           if(ca.getSignedBy() == CAInfo.SELFSIGNED)
          	  certtype = SecConst.CERTTYPE_ROOTCA;  
           getSignSession().publishCACertificate(admin, ca.getCertificateChain(), ca.getCRLPublishers(), certtype);			   
                          
             
             
		     if(castatus ==SecConst.CA_ACTIVE){
		     	// activate External CA Services
		     	Iterator iter = cainfo.getExtendedCAServiceInfos().iterator();
		     	while(iter.hasNext()){
		     	  ExtendedCAServiceInfo info = (ExtendedCAServiceInfo) iter.next();
		     	  if(info instanceof OCSPCAServiceInfo){
		     	  	try{
		     	  	  ca.initExternalService(OCSPCAService.TYPE, ca);
		     	  	  ArrayList ocspcertificate = new ArrayList();
		     	  	  ocspcertificate.add(((OCSPCAServiceInfo) ca.getExtendedCAServiceInfo(OCSPCAService.TYPE)).getOCSPSignerCertificatePath().get(0));
					  getSignSession().publishCACertificate(admin, ocspcertificate, ca.getCRLPublishers(), SecConst.CERTTYPE_ENDENTITY);					  
				    }catch(Exception fe){
					  getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Couldn't Create ExternalCAService.",fe);
					  throw new EJBException(fe);                                     
				    }
		     	  }
		     	}
		     }
        // Store CA in database.
       try{
            cadatahome.create(cainfo.getSubjectDN(), cainfo.getName(), castatus, ca);
            
              
              if(castatus == SecConst.CA_ACTIVE){
                //  create initial CRL
                this.getCRLCreateSession().run(admin,cainfo.getSubjectDN()); 
              }
            getLogSession().log(admin, ca.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_INFO_CACREATED,"CA created successfully, status: " + castatus);                        
        }catch(javax.ejb.CreateException e){
            getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Error when trying to create CA.");
            throw new EJBException(e);
        } 
        
        
    } // createCA
    
    /**
     *  @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
     */
    public void editCA(Admin admin, CAInfo cainfo) throws AuthorizationDeniedException{
        boolean ocsprenewcert = false;
        
        // Check authorization
        try{
            getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator");
        }catch(AuthorizationDeniedException e){
            getLogSession().log(admin, cainfo.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Administrator isn't authorized to edit CA",e);
            throw new AuthorizationDeniedException("Not authorized to edit CA with caid = " + cainfo.getCAId());
        }
    
        // Check if OCSP Certificate is about to be renewed.
        Iterator iter = cainfo.getExtendedCAServiceInfos().iterator();
        while(iter.hasNext()){
          Object next = iter.next();
          if(next instanceof OCSPCAServiceInfo)
            ocsprenewcert = ((OCSPCAServiceInfo) next).getRenewFlag();	        
        }
    
        
        // Get CA from database
        try{
            CADataLocal cadata = cadatahome.findByPrimaryKey(new Integer(cainfo.getCAId()));
            CA ca = (CA) cadata.getCA();
            
            // Update CA values
            ca.updateCA(cainfo);
            // Store CA in database
            cadata.setCA(ca);                                                
            
            // If OCSP Certificate renew, publish the new one.
            if(ocsprenewcert){            
              X509Certificate ocspcert = (X509Certificate) ((OCSPCAServiceInfo) 
                                         ca.getExtendedCAServiceInfo(ExtendedCAServiceInfo.TYPE_OCSPEXTENDEDSERVICE))
                                         .getOCSPSignerCertificatePath().get(0);
			  ArrayList ocspcertificate = new ArrayList();
              ocspcertificate.add(ocspcert);
              getSignSession().publishCACertificate(admin, ocspcertificate, ca.getCRLPublishers(), SecConst.CERTTYPE_ENDENTITY);                 
            }
            // Log Action
            getLogSession().log(admin, cainfo.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_INFO_CAEDITED,"");
        }catch(Exception fe) {
            getLogSession().log(admin, cainfo.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Couldn't Edit CA.",fe);
            throw new EJBException(fe);
        }
    } // editCA
    
    /**
     *  @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
     */
    public void removeCA(Admin admin, int caid) throws AuthorizationDeniedException{
        // check authorization
        try{
            getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator");
        }catch(AuthorizationDeniedException e){
            getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Administrator isn't authorized to remove CA",e);
            throw new AuthorizationDeniedException("Not authorized to remove CA with caid = " + caid);
        }
        
        // Get CA from database
        try{
            CADataLocal cadata = cadatahome.findByPrimaryKey(new Integer(caid));
            // Remove CA
            cadata.remove();
            
            getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_INFO_CAEDITED,"CA Removed");
        }catch(Exception e) {