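getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_CAEDITED, "Error when trying to remove CA.", e);
            throw new EJBException(e);
        }
    } // removeCA

    /**
     * Renames a CA. Requires the "/super_administrator" resource.
     *
     * @param admin   the administrator performing the operation
     * @param oldname current name of the CA
     * @param newname new name for the CA
     * @throws CAExistsException            if a CA named {@code newname} already exists
     * @throws AuthorizationDeniedException if {@code admin} is not a super administrator
     * @throws EJBException                 (wrapping the FinderException) if no CA named
     *                                      {@code oldname} exists
     * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
     */
    public void renameCA(Admin admin, String oldname, String newname) throws CAExistsException, AuthorizationDeniedException {
        // Authorize before touching the database: the check does not depend on the CA,
        // and doing it first means an unauthorized caller cannot learn whether oldname
        // exists from which exception comes back.
        try {
            getAuthorizationSession().isAuthorizedNoLog(admin, "/super_administrator");
        } catch (AuthorizationDeniedException e) {
            getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE, "Administrator isn't authorized to rename CA", e);
            throw new AuthorizationDeniedException("Not authorized to rename CA " + oldname);
        }
        try {
            CADataLocal cadata = cadatahome.findByName(oldname);
            int caid = cadata.getCAId().intValue();
            if (caNameExists(newname)) {
                throw new CAExistsException(" CA name " + newname + " already exists.");
            }
            cadata.setName(newname);
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null,
                    LogEntry.EVENT_INFO_CAEDITED, "CA : " + oldname + " renamed to " + newname);
        } catch (javax.ejb.FinderException fe) {
            // No CA named oldname.
            getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_CAEDITED, "Error when trying to rename CA.");
            throw new EJBException(fe);
        }
    } // renameCA

    /**
     * Tells whether a CA with the given name exists. A failed finder lookup is the
     * "does not exist" answer here, not an error.
     *
     * @param name CA name to look up
     * @return {@code true} if {@code cadatahome.findByName(name)} succeeds
     */
    private boolean caNameExists(String name) {
        try {
            cadatahome.findByName(name);
            return true;
        } catch (javax.ejb.FinderException ignored) {
            return false;
        }
    }

    /**
     * Returns the {@link CAInfo} of the CA with the given name, after refreshing the
     * CA's persisted status: an active CA whose expire time has passed is set to
     * {@code CA_EXPIRED}, and a CA whose certificate-signing public key cannot be
     * obtained from its token is set to {@code CA_OFFLINE}.
     *
     * @param admin the administrator asking; checked with authorizedToCA
     * @param name  name of the CA
     * @return the CA info, or {@code null} if no CA with that name exists
     * @throws EJBException wrapping any other failure (whatever authorizedToCA throws
     *                      on denial is wrapped as well)
     * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
     */
    public CAInfo getCAInfo(Admin admin, String name) {
        CAInfo cainfo = null;
        try {
            CADataLocal cadata = cadatahome.findByName(name);
            // Authorize before changing any state, as getCAInfo(Admin, int) does.
            authorizedToCA(admin, cadata.getCAId().intValue());
            if (cadata.getStatus() == SecConst.CA_ACTIVE && new Date(cadata.getExpireTime()).before(new Date())) {
                cadata.setStatus(SecConst.CA_EXPIRED);
            }
            try {
                cadata.getCA().getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN);
            } catch (CATokenOfflineException ctoe) {
                // Signing key unreachable: record the CA as offline.
                cadata.setStatus(SecConst.CA_OFFLINE);
            }
            cainfo = cadata.getCA().getCAInfo();
        } catch (javax.ejb.FinderException ignored) {
            // Unknown name: callers get null rather than an error.
        } catch (Exception e) {
            throw new EJBException(e);
        }
        return cainfo;
    } // getCAInfo

    /**
     * Returns the {@link CAInfo} of the CA with the given id, after refreshing the
     * CA's persisted status in the same way as {@link #getCAInfo(Admin, String)}.
     *
     * @param admin the administrator asking; checked with authorizedToCA before the lookup
     * @param caid  id of the CA
     * @return the CA info, or {@code null} if no CA with that id exists
     * @throws EJBException wrapping any other failure
     * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
     */
    public CAInfo getCAInfo(Admin admin, int caid) {
        CAInfo cainfo = null;
        try {
            authorizedToCA(admin, caid);
            CADataLocal cadata = cadatahome.findByPrimaryKey(new Integer(caid));
            boolean expired = cadata.getStatus() == SecConst.CA_ACTIVE
                    && new Date(cadata.getExpireTime()).before(new Date());
            if (expired) {
                cadata.setStatus(SecConst.CA_EXPIRED);
            }
            try {
                cadata.getCA().getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN);
            } catch (CATokenOfflineException ctoe) {
                // Signing key unreachable: record the CA as offline.
                cadata.setStatus(SecConst.CA_OFFLINE);
            }
            cainfo = cadata.getCA().getCAInfo();
        } catch (javax.ejb.FinderException ignored) {
            // Unknown id: callers get null rather than an error.
        } catch (Exception e) {
            throw new EJBException(e);
        }
        return cainfo;
    } // getCAInfo

    /**
     * Maps the id of every CA in the database to its name.
     *
     * @param admin not used; no authorization check is made in this method
     * @return a HashMap of Integer caid to String name, empty if the CAs cannot be listed
     */
    public HashMap getCAIdToNameMap(Admin admin) {
        HashMap returnval = new HashMap();
        try {
            Iterator iter = cadatahome.findAll().iterator();
            while (iter.hasNext()) {
                CADataLocal cadata = (CADataLocal) iter.next();
                returnval.put(cadata.getCAId(), cadata.getName());
            }
        } catch (javax.ejb.FinderException ignored) {
            // Best effort: an empty map is returned if the lookup fails.
        }
        return returnval;
    } // getCAIdToNameMap

    /**
     * Method returning id's of all CA's available to the system, i.e. those whose
     * status is neither "external" nor "waiting for certificate response".
     *
     * @param admin not used; no authorization check is made in this method
     * @return a Collection (Integer) of available CA id's, empty if the CAs cannot be listed
     */
    public Collection getAvailableCAs(Admin admin) {
        ArrayList returnval = new ArrayList();
        try {
            Iterator iter = cadatahome.findAll().iterator();
            while (iter.hasNext()) {
                CADataLocal cadata = (CADataLocal) iter.next();
                int status = cadata.getStatus();
                boolean available = status != SecConst.CA_WAITING_CERTIFICATE_RESPONSE
                        && status != SecConst.CA_EXTERNAL;
                if (available) {
                    returnval.add(cadata.getCAId());
                }
            }
        } catch (javax.ejb.FinderException ignored) {
            // Best effort: an empty list is returned if the lookup fails.
        }
        return returnval;
    } // getAvailableCAs

    /**
     * Creates a PKCS#10 certificate request for a CA that is signed by an external CA.
     * Requires the "/super_administrator" resource.
     *
     * @param admin              the administrator performing the operation
     * @param caid               id of the CA to create the request for
     * @param cachain            certificates of the external issuer chain; stored on the CA
     *                           (through createCertChain) as its request certificate chain
     * @param setstatustowaiting if {@code true}, both the CA object and the database row
     *                           are put in status {@code CA_WAITING_CERTIFICATE_RESPONSE}
     * @return the generated request message
     * @throws AuthorizationDeniedException if {@code admin} is not a super administrator
     * @throws CertPathValidatorException   if createCertChain rejects {@code cachain}
     * @throws CATokenOfflineException      if the CA token cannot provide the signing key
     * @throws CADoesntExistsException      declared but not thrown by this implementation;
     *                                      an unknown caid surfaces as an EJBException
     *                                      wrapping the FinderException
     * @throws EJBException                 for a CA not signed by an external CA, or any
     *                                      other failure
     * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
     */
    public IRequestMessage makeRequest(Admin admin, int caid, Collection cachain, boolean setstatustowaiting)
            throws CADoesntExistsException, AuthorizationDeniedException, CertPathValidatorException, CATokenOfflineException {
        PKCS10RequestMessage returnval = null;
        // Check authorization
        try {
            getAuthorizationSession().isAuthorizedNoLog(admin, "/super_administrator");
        } catch (AuthorizationDeniedException e) {
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE, "Not authorized to make certificate request for CA", e);
            throw new AuthorizationDeniedException("Not authorized to make certificate request for CA with caid = " + caid);
        }
        try {
            CADataLocal cadata = this.cadatahome.findByPrimaryKey(new Integer(caid));
            CA ca = cadata.getCA();
            if (ca.getSignedBy() != CAInfo.SIGNEDBYEXTERNALCA) {
                // Only a CA signed by an external CA has anything to request.
                getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null,
                        LogEntry.EVENT_ERROR_CAEDITED, "Error: cannot create certificate request for internal CA");
                throw new EJBException(new EjbcaException("Error: cannot create certificate request for internal CA"));
            }
            try {
                // The supplied chain becomes the CA's request chain; createCertChain validates it.
                ca.setRequestCertificateChain(createCertChain(cachain));
                // TODO implement PKCS10 Certificate Request attributes.
                ASN1Set attributes = null;
                // NOTE(review): the signature algorithm is hard-coded to SHA1WithRSA; SHA-1 is a
                // deprecated signature hash, and this also assumes the CA signing key is RSA.
                PKCS10CertificationRequest req = new PKCS10CertificationRequest("SHA1WithRSA",
                        CertTools.stringToBcX509Name(ca.getSubjectDN()),
                        ca.getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN),
                        attributes,
                        ca.getCAToken().getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN));
                returnval = new PKCS10RequestMessage(req);
                if (setstatustowaiting) {
                    cadata.setStatus(SecConst.CA_WAITING_CERTIFICATE_RESPONSE);
                    ca.setStatus(SecConst.CA_WAITING_CERTIFICATE_RESPONSE);
                }
                cadata.setCA(ca);
            } catch (CATokenOfflineException e) {
                // NOTE(review): only the in-memory CA object is marked offline here; the database
                // row is not (compare getCAInfo, which calls cadata.setStatus for the same condition).
                ca.setStatus(SecConst.CA_OFFLINE);
                getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null,
                        LogEntry.EVENT_ERROR_CAEDITED, "Error when creating certificate request", e);
                throw e;
            }
        } catch (CATokenOfflineException e) {
            // Already logged above. Rethrow as the declared checked exception: without this
            // clause the catch-all below logged it a second time and wrapped it in an
            // EJBException, so callers never received the CATokenOfflineException promised
            // by the signature.
            throw e;
        } catch (CertPathValidatorException e) {
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_CAEDITED, "Error when creating certificate request", e);
            throw e;
        } catch (Exception e) {
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_CAEDITED, "Error when creating certificate request", e);
            throw new EJBException(e);
        }
        getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null,
                LogEntry.EVENT_INFO_CAEDITED, "Certificate request generated successfully.");
        return returnval;
    } // makeRequest

    /**
     * Processes the certificate response to a request made with makeRequest. Requires the
     * "/super_administrator" resource; only an {@code X509ResponseMessage} is accepted.
     * (The method body continues beyond this point.)
     *
     * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
     */
    public void receiveResponse(Admin admin, int caid, IResponseMessage responsemessage)
            throws CADoesntExistsException, AuthorizationDeniedException, CertPathValidatorException, CATokenOfflineException {
        // check authorization
        Certificate cacert = null;
        // Check authorization
        try {
            getAuthorizationSession().isAuthorizedNoLog(admin, "/super_administrator");
        } catch (AuthorizationDeniedException e) {
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE, "Not authorized to recieve certificate responce for CA", e);
            throw new AuthorizationDeniedException("Not authorized to recieve certificate responce for CA with caid = " + caid);
        }
        // Get CA info.
        CADataLocal cadata = null;
        try {
            cadata = this.cadatahome.findByPrimaryKey(new Integer(caid));
            CA ca = cadata.getCA();
            try {
                if (responsemessage instanceof X509ResponseMessage) {
                    cacert = ((X509ResponseMessage) responsemessage).getCertificate();
                } else {
                    getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null,
                            LogEntry.EVENT_ERROR_CAEDITED, "Error: illegal response message.");
                    throw new EJBException(new EjbcaException("Error: illegal response message."));
                }
                // if issuer is insystem CA or selfsigned, then generate new certificate.
                if (ca.getSignedBy() == CAInfo.SIGNEDBYEXTERNALCA) {
                    // check the validity of the certificate chain.
                    // Check that DN is the equals the request.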
if(!CertTools.getSubjectDN((X509Certificate) cacert).equals(CertTools.stringToBCDNString(ca.getSubjectDN()))){ getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error: Subject DN of recieved certificate doesn't match request"); throw new EJBException(new EjbcaException("Error: Subject DN of recieved certificate doesn't match request")); } ArrayList cachain = new ArrayList(); cachain.add(cacert); cachain.addAll(ca.getRequestCertificateChain()); ca.setCertificateChain(createCertChain(cachain)); // Set statuses. cadata.setStatus(SecConst.CA_ACTIVE); // Publish CA Cert int certtype = SecConst.CERTTYPE_SUBCA; if(ca.getSignedBy() == CAInfo.SELFSIGNED) certtype = SecConst.CERTTYPE_ROOTCA; ArrayList cacertcol = new ArrayList(); cacertcol.add(cacert); getSignSession().publishCACertificate(admin, cacertcol, ca.getCRLPublishers(), certtype);