if(ca instanceof X509CA){ cadata.setExpireTime(((X509Certificate) cacert).getNotAfter().getTime()); } if(cadata.getStatus() ==SecConst.CA_ACTIVE){ // activate External CA Services Iterator iter = ca.getExternalCAServiceTypes().iterator(); while(iter.hasNext()){ int type = ((Integer) iter.next()).intValue(); try{ ca.initExternalService(type, ca); ArrayList ocspcertificate = new ArrayList(); ocspcertificate.add(((OCSPCAServiceInfo) ca.getExtendedCAServiceInfo(OCSPCAService.TYPE)).getOCSPSignerCertificatePath().get(0)); getSignSession().publishCACertificate(admin, ocspcertificate, ca.getCRLPublishers(), SecConst.CERTTYPE_ENDENTITY); }catch(CATokenOfflineException e){ ca.setStatus(SecConst.CA_OFFLINE); getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Couldn't Initialize ExternalCAService.",e); throw e; }catch(Exception fe){ getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"Couldn't Initialize ExternalCAService.",fe); throw new EJBException(fe); } } // create initial CRL this.getCRLCreateSession().run(admin,ca.getSubjectDN()); } cadata.setCA(ca); }else{ // Cannot create certificate request for internal CA getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error: can't recieve certificate responce for internal CA"); throw new EJBException(new EjbcaException("Error: can't recieve certificate responce for internal CA")); } }catch(CATokenOfflineException e){ ca.setStatus(SecConst.CA_OFFLINE); getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error: can't recieve certificate responce for internal CA", e); throw e; } }catch(Exception e){ getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error: can't recieve certificate 
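responce for internal CA", e);
            throw new EJBException(e);
        }
        getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_CAEDITED,"Certificate responce recieved successfully");
    } // recieveResponse

    /**
     * Creates a CA from a certificate request, when the requested signer is one of this system's
     * internal CAs: the signing CA issues the CA certificate for the public key carried in the request,
     * the new CA is stored with status {@code SecConst.CA_EXTERNAL} and a {@code NullCAToken}, and its
     * certificate chain is published to the CA's CRL publishers as a sub-CA certificate.
     *
     * @param admin the administrator performing the operation; must be authorized to "/super_administrator".
     * @param cainfo description of the CA to create; no CA with the same id or name may exist, and
     *               ids in {@code [0, CAInfo.SPECIALCAIDBORDER]} are reserved.
     * @param requestmessage the request whose public key is certified.
     * @return an {@code X509ResponseMessage} carrying the issued certificate, or {@code null} when the
     *         requested signer is not an internal CA (nothing is issued and an error event is logged).
     * @throws AuthorizationDeniedException if admin is not a super administrator.
     * @throws CAExistsException if a CA with the same id or name already exists, or the id is reserved.
     * @throws CATokenOfflineException if the signing CA's token is offline; the signing CA is set to
     *         {@code SecConst.CA_OFFLINE} before the exception is propagated.
     * @throws CADoesntExistsException declared for the interface; a missing signing CA currently
     *         surfaces as an {@code EJBException} wrapping the finder failure.
     * @throws EJBException if the signing CA's certificate is expired or not yet valid, if the CA type
     *         is not X.509, or on any other failure while issuing.
     * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
     */
    public IResponseMessage processRequest(Admin admin, CAInfo cainfo, IRequestMessage requestmessage)
        throws CAExistsException, CADoesntExistsException, AuthorizationDeniedException, CATokenOfflineException {
        CA ca = null;
        Collection certchain = null;
        IResponseMessage returnval = null;

        // Only super administrators may create a CA from a request.
        try{
            getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator");
        }catch(AuthorizationDeniedException e){
            getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Administrator isn't authorized to process CA",e);
            throw new AuthorizationDeniedException("Not authorized to process a CA ");
        }

        // Reject reserved ids and ids already in use. A FinderException from the lookup means
        // "no such CA", which is the expected outcome here, so it is deliberately ignored.
        try{
            int caid = cainfo.getCAId();
            if(caid >=0 && caid <= CAInfo.SPECIALCAIDBORDER){
                getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when processing CA " + cainfo.getName() +". CA already exists.");
                throw new CAExistsException("Error when processing CA " + cainfo.getName() +". CA already exists.");
            }
            cadatahome.findByPrimaryKey(new Integer(caid));
            getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when processing CA " + cainfo.getName() +". CA already exists.");
            throw new CAExistsException("Error when processing CA " + cainfo.getName() +". CA already exists.");
        }catch(javax.ejb.FinderException ignored) {
            // no CA with this id: continue
        }
        // Same uniqueness check by name.
        try{
            cadatahome.findByName(cainfo.getName());
            getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when processing CA " + cainfo.getName() +". CA already exists.");
            throw new CAExistsException("Error when processing CA " + cainfo.getName() +". CA already exists.");
        }catch(javax.ejb.FinderException ignored) {
            // no CA with this name: continue
        }

        // Only requests to be signed by an internal CA (id outside the reserved range) are handled;
        // for any other signer nothing is issued and an error event is logged below.
        if(cainfo.getSignedBy() > CAInfo.SPECIALCAIDBORDER || cainfo.getSignedBy() < 0){
            try{
                CADataLocal signcadata = cadatahome.findByPrimaryKey(new Integer(cainfo.getSignedBy()));
                CA signca = signcadata.getCA();
                try{
                    // Refuse to issue from a signer whose own certificate is outside its validity period.
                    X509Certificate signcert = (X509Certificate) signca.getCACertificate();
                    try{
                        signcert.checkValidity();
                    }catch(CertificateExpiredException ce){
                        // Signer's certificate has expired; record that on the signing CA.
                        signcadata.setStatus(SecConst.CA_EXPIRED);
                        getLogSession().log(admin, signcadata.getCAId().intValue(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Signing CA " + signcadata.getSubjectDN() + " has expired",ce);
                        throw new EJBException(ce);
                    }catch(CertificateNotYetValidException cve){
                        getLogSession().log(admin, signcadata.getCAId().intValue(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Signing CA " + signcadata.getSubjectDN() + " is not yet valid",cve);
                        throw new EJBException(cve);
                    }

                    // The key to certify is taken straight from the request.
                    // NOTE(review): no signature / proof-of-possession check of the request is made in
                    // this method; confirm the caller verifies the request before a CA certificate is
                    // issued for this key.
                    PublicKey publickey = requestmessage.getRequestPublicKey();

                    // Issue the CA certificate; only X.509 CAs are supported.
                    Certificate cacertificate = null;
                    if(cainfo instanceof X509CAInfo){
                        UserAuthData cadata = new UserAuthData("nobody", null, cainfo.getSubjectDN(), cainfo.getSubjectDN().hashCode(), ((X509CAInfo) cainfo).getSubjectAltName(), null, 0, cainfo.getCertificateProfileId(), null);
                        CertificateProfile certprofile = getCertificateStoreSession().getCertificateProfile(admin, cainfo.getCertificateProfileId());
                        cacertificate = signca.generateCertificate(cadata, publickey, -1, cainfo.getValidity(), certprofile);
                        returnval = new X509ResponseMessage();
                        returnval.setCertificate(cacertificate);

                        // Build the chain: the new certificate first, then the signer's own chain.
                        certchain = new ArrayList();
                        certchain.add(cacertificate);
                        certchain.addAll(signca.getCertificateChain());

                        // The new CA holds no private key here (NullCAToken), only its chain.
                        ca = new X509CA((X509CAInfo) cainfo);
                        ca.setCertificateChain(certchain);
                        ca.setCAToken(new NullCAToken());
                    }else{
                        // Fail explicitly before anything is persisted, rather than storing a null CA
                        // and failing with a NullPointerException on the publish step below.
                        getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when processing CA " + cainfo.getName() +". Unsupported CA type.");
                        throw new EJBException(new EjbcaException("Error when processing CA " + cainfo.getName() +". Unsupported CA type."));
                    }

                    // Stored as an external CA (the signer, not this entry, holds the signing key).
                    cadatahome.create(cainfo.getSubjectDN(), cainfo.getName(), SecConst.CA_EXTERNAL, ca);
                    // Publish CA certificates.
                    getSignSession().publishCACertificate(admin, ca.getCertificateChain(), ca.getCRLPublishers(), SecConst.CERTTYPE_SUBCA);
                }catch(CATokenOfflineException e){
                    signca.setStatus(SecConst.CA_OFFLINE);
                    getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Couldn't Process CA.",e);
                    throw e;
                }
            }catch(CATokenOfflineException e){
                // Already logged and the signer marked offline above. Propagate as declared in the
                // throws clause; without this clause the generic handler below would wrap it in an
                // EJBException and callers could never observe CATokenOfflineException.
                throw e;
            }catch(Exception e){
                getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Couldn't Process CA.",e);
                throw new EJBException(e);
            }
        }

        if(certchain != null){
            getLogSession().log(admin, cainfo.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_CAEDITED,"CA processed successfully");
        }else{
            getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when processing CA");
        }
        return returnval;
    } // processRequest

    /**
     * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
     */
    public void renewCA(Admin admin, int caid, IResponseMessage responsemessage) throws CADoesntExistsException, AuthorizationDeniedException, CertPathValidatorException, CATokenOfflineException{
        debug(">CAAdminSession, renewCA(), caid=" + caid);
        Collection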
cachain = null; Certificate cacertificate = null; // check authorization try{ getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator"); }catch(AuthorizationDeniedException e){ getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Administrator isn't authorized to renew CA",e); throw new AuthorizationDeniedException("Not authorized to renew CA with caid = " + caid); } // Get CA info. CADataLocal cadata = null; try{ cadata = this.cadatahome.findByPrimaryKey(new Integer(caid)); CA ca = cadata.getCA(); try{ // if issuer is insystem CA or selfsigned, then generate new certificate. if(ca.getSignedBy() != CAInfo.SIGNEDBYEXTERNALCA){ if(ca.getSignedBy() == CAInfo.SELFSIGNED){ // create selfsigned certificate if( ca instanceof X509CA){ UserAuthData cainfodata = new UserAuthData("nobody", null, ca.getSubjectDN(), ca.getSubjectDN().hashCode(), ((X509CA) ca).getSubjectAltName(), null, 0, ca.getCertificateProfileId(), null); CertificateProfile certprofile = getCertificateStoreSession().getCertificateProfile(admin, ca.getCertificateProfileId()); cacertificate = ca.generateCertificate(cainfodata, ca.getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN),-1, ca.getValidity(), certprofile); } // Build Certificate Chain cachain = new ArrayList(); cachain.add(cacertificate); }else{ // Resign with CA above. if(ca.getSignedBy() > CAInfo.SPECIALCAIDBORDER || ca.getSignedBy() < 0){ // Create CA signed by other internal CA. CADataLocal signcadata = cadatahome.findByPrimaryKey(new Integer(ca.getSignedBy())); CA signca = signcadata.getCA(); // Check validity of signers certificate X509Certificate signcert = (X509Certificate) signca.getCACertificate(); try{ signcert.checkValidity(); }catch(CertificateExpiredException ce){ // Signers Certificate has expired. 
signcadata.setStatus(SecConst.CA_EXPIRED); getLogSession().log(admin, signcadata.getCAId().intValue(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Signing CA " + signcadata.getSubjectDN() + " has expired",ce); throw new EJBException(ce); }catch(CertificateNotYetValidException cve){ getLogSession().log(admin, signcadata.getCAId().intValue(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Signing CA " + signcadata.getSubjectDN() + " is not yet valid",cve); throw new EJBException(cve); } // Create cacertificate if( ca instanceof X509CA){ UserAuthData cainfodata = new UserAuthData("nobody", null, ca.getSubjectDN(), ca.getSubjectDN().hashCode(), ((X509CA) ca).getSubjectAltName(), null, 0, ca.getCertificateProfileId(), null); CertificateProfile certprofile = getCertificateStoreSession().getCertificateProfile(admin, ca.getCertificateProfileId()); cacertificate = signca.generateCertificate(cainfodata, ca.getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN),-1, ca.getValidity(), certprofile); } // Build Certificate Chain Collection rootcachain = signca.getCertificateChain(); cachain = new ArrayList(); cachain.add(cacertificate); cachain.addAll(rootcachain); } } }else{ // if external signer then use signed certificate. // check the validity of the certificate chain. if(responsemessage instanceof X509ResponseMessage){ cacertificate = ((X509ResponseMessage) responsemessage).getCertificate(); }else{ getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error: illegal response message."); throw new EJBException(new EjbcaException("Error: illegal response message.")); } // Check that DN is the equals the request. 
if(!CertTools.getSubjectDN((X509Certificate) cacertificate).equals(CertTools.stringToBCDNString(ca.getSubjectDN()))){ getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error: Subject DN of recieved certificate doesn't match request"); throw new EJBException(new EjbcaException("Error: Subject DN of recieved certificate doesn't match request")); } cachain = new ArrayList(); cachain.add(cacertificate); cachain.addAll(ca.getRequestCertificateChain()); cachain = createCertChain(cachain); } // Set statuses. if(cacertificate instanceof X509Certificate) cadata.setExpireTime(((X509Certificate) cacertificate).getNotAfter().getTime());