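// --- tail of renewCA(): the renewed CA is stored and its new certificate published ---
cadata.setStatus(SecConst.CA_ACTIVE);
ca.setCertificateChain(cachain);
cadata.setCA(ca);
// Publish the new CA certificate
int certtype = SecConst.CERTTYPE_SUBCA;
if(ca.getSignedBy() == CAInfo.SELFSIGNED)
    certtype = SecConst.CERTTYPE_ROOTCA;
ArrayList cacert = new ArrayList();
cacert.add(ca.getCACertificate());
getSignSession().publishCACertificate(admin, cacert, ca.getCRLPublishers(), certtype);
}catch(CATokenOfflineException e){
    // The token went offline during renewal: record that on the CA and let the caller see it.
    ca.setStatus(SecConst.CA_OFFLINE);
    getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Couldn't Renew CA.",e);
    throw e;
}
}catch(Exception e){
    getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Couldn't Renew CA.",e);
    throw new EJBException(e);
}
getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_CAEDITED,"CA Renew Successfully.");
debug("<CAAdminSession, renewCA(), caid=" + caid);
} // renewCA

/**
 * Revokes a CA: its CA certificate is revoked with {@code reason}, every certificate issued by
 * the CA is revoked, a CRL is generated for the issuer and the CA entry is marked CA_REVOKED.
 *
 * Only administrators authorized for "/super_administrator" may revoke a CA; a denied attempt
 * is logged before the AuthorizationDeniedException is rethrown.
 *
 * NOTE(review): the CA certificate itself is revoked with the caller's {@code reason}, but the
 * certificates issued by the CA are always revoked with REVOKATION_REASON_CACOMPROMISE,
 * whatever {@code reason} was. The declared CADoesntExistsException is never thrown here; an
 * unknown caid surfaces as an EJBException wrapping the FinderException.
 *
 * @param admin administrator performing the revocation
 * @param caid id of the CA to revoke
 * @param reason revocation reason code applied to the CA certificate and stored on the CA
 * @throws CADoesntExistsException declared by the interface, see note above
 * @throws AuthorizationDeniedException if admin is not authorized for "/super_administrator"
 * @throws EJBException if the CA cannot be found or any step of the revocation fails
 * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
 */
public void revokeCA(Admin admin, int caid, int reason) throws CADoesntExistsException, AuthorizationDeniedException{
    // check authorization
    try{
        getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator");
    }catch(AuthorizationDeniedException e){
        getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Administrator isn't authorized to revoke CA",e);
        throw new AuthorizationDeniedException("Not authorized to revoke CA with caid = " + caid);
    }
    // Get CA info.
    CADataLocal ca = null;
    try{
        ca = this.cadatahome.findByPrimaryKey(new Integer(caid));
    }catch(javax.ejb.FinderException fe){
        throw new EJBException(fe);
    }
    String issuerdn = ca.getSubjectDN();
    try{
        CA cadata = ca.getCA();
        // Revoke CA certificate
        getCertificateStoreSession().revokeCertificate(admin, cadata.getCACertificate(), cadata.getCRLPublishers(), reason);
        // Revoke all certificates generated by CA (always as CA compromise, independent of 'reason')
        getCertificateStoreSession().revokeAllCertByCA(admin, issuerdn, RevokedCertInfo.REVOKATION_REASON_CACOMPROMISE);
        // Generate a CRL for the issuer so the revocations above get published
        getCRLCreateSession().run(admin, issuerdn);
        cadata.setRevokationReason(reason);
        cadata.setRevokationDate(new Date());
        cadata.setStatus(SecConst.CA_REVOKED);
        ca.setStatus(SecConst.CA_REVOKED);
        ca.setCA(cadata);
    }catch(Exception e){
        getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAREVOKED,"An error occured when revoking CA " + ca.getName(),e);
        throw new EJBException(e);
    }
    getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_CAREVOKED,"CA " + ca.getName() + " revoked sucessfully, reason: " + reason);
} // revokeCA

/**
 * Imports a CA from an old-style PKCS#12 keystore and stores it as an active X509 CA with a soft
 * CA token and an active OCSP service.
 *
 * Authorization: administrators of type Admin.TYPE_CACOMMANDLINE_USER skip the authorization
 * check entirely; every other admin must be authorized for "/super_administrator".
 *
 * The certificate chain is taken from the keystore as found under {@code privatekeyalias}; no
 * chain validation is performed in this method. A chain of length 1 is treated as a self-signed
 * root CA, a longer chain as a CA signed by an external CA. The CA validity stored in the
 * CAInfo is the number of whole days between notBefore and notAfter of the CA certificate.
 *
 * @param admin administrator performing the import
 * @param caname name to give the imported CA
 * @param p12file raw bytes of the PKCS#12 keystore
 * @param keystorepass password protecting the keystore
 * @param privkeypass password protecting the private key entry
 * @param privatekeyalias alias of the private key (and chain) to import
 * @throws EJBException wrapping any failure (authorization, keystore loading, missing alias,
 *         database create); the failure is logged as EVENT_ERROR_CACREATED first
 * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
 */
public void upgradeFromOldCAKeyStore(Admin admin, String caname, byte[] p12file, char[] keystorepass, char[] privkeypass, String privatekeyalias){
    try{
        // check authorization (command-line CA users are trusted without an authorization lookup)
        if(admin.getAdminType() != Admin.TYPE_CACOMMANDLINE_USER)
            getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator");

        // load keystore
        java.security.KeyStore keystore=KeyStore.getInstance("PKCS12", "BC");
        keystore.load(new java.io.ByteArrayInputStream(p12file),keystorepass);

        Certificate[] certchain = KeyTools.getCertChain(keystore, privatekeyalias);
        if (certchain.length < 1) {
            log.error("Cannot load certificate chain with alias "+privatekeyalias);
            // wrapped in EJBException by the catch below
            throw new IllegalArgumentException("Cannot load certificate chain with alias "+privatekeyalias);
        }
        ArrayList certificatechain = new ArrayList();
        for(int i=0;i< certchain.length;i++){
            certificatechain.add(certchain[i]);
        }
        // The first entry of the chain is the CA's own certificate
        X509Certificate cacertificate = (X509Certificate) certchain[0];

        PrivateKey p12privatekey = (PrivateKey) keystore.getKey( privatekeyalias, privkeypass);
        PublicKey p12publickey = cacertificate.getPublicKey();

        CAToken catoken = new SoftCAToken();
        ((SoftCAToken) catoken).importKeysFromP12(p12privatekey, p12publickey);

        // Create a X509CA
        int signedby = CAInfo.SELFSIGNED;
        int certprof = SecConst.CERTPROFILE_FIXED_ROOTCA;
        if(certchain.length > 1){
            signedby = CAInfo.SIGNEDBYEXTERNALCA;
            certprof = SecConst.CERTPROFILE_FIXED_SUBCA;
        }

        // Create and active OSCP CA Service.
        ArrayList extendedcaservices = new ArrayList();
        extendedcaservices.add(
            new OCSPCAServiceInfo(ExtendedCAServiceInfo.STATUS_ACTIVE,
                                  "CN=OCSPSignerCertificate, " + cacertificate.getSubjectDN().toString(),
                                  "",
                                  2048,
                                  OCSPCAServiceInfo.KEYALGORITHM_RSA));

        // validity in whole days, derived from the imported certificate's lifetime
        int validity = (int)((cacertificate.getNotAfter().getTime() - cacertificate.getNotBefore().getTime()) / (24*3600*1000));
        X509CAInfo cainfo = new X509CAInfo(cacertificate.getSubjectDN().toString(),
                                           caname,
                                           SecConst.CA_ACTIVE, "",
                                           certprof,
                                           validity,
                                           cacertificate.getNotAfter(), // Expiretime
                                           CAInfo.CATYPE_X509,
                                           signedby,
                                           (Collection) certificatechain,
                                           catoken.getCATokenInfo(),
                                           "Old Imported EJBCA version",
                                           -1, null, // revokationreason, revokationdate
                                           "", // PolicyId
                                           24, // CRLPeriod
                                           (Collection) new ArrayList(),
                                           true, // Authority Key Identifier
                                           false, // Authority Key Identifier Critical
                                           true, // CRL Number
                                           false, // CRL Number Critical
                                           true, // Finish User
                                           extendedcaservices);

        X509CA ca = new X509CA(cainfo);
        ca.setCAToken(catoken);
        ca.setCertificateChain(certificatechain);

        // Store CA in database.
        cadatahome.create(cainfo.getSubjectDN(), cainfo.getName(), SecConst.CA_ACTIVE, (CA) ca);
        getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_CACREATED,"CA imported successfully from old P12 file, status: " + ca.getStatus());
    }catch(Exception e){
        getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"An error occured when trying to import CA from old P12 file", e);
        throw new EJBException(e);
    }
} // upgradeFromOldCAKeyStore

/**
 * Returns the CA certificate of every CA stored in the database.
 *
 * {@code admin} is not used: no authorization check is performed in this method.
 *
 * @param admin calling administrator (unused)
 * @return a new ArrayList of CA certificates, empty if no CA could be found
 * @throws EJBException if a stored CA cannot be decoded
 * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
 */
public Collection getAllCACertificates(Admin admin){
    ArrayList returnval = new ArrayList();
    try{
        Collection result = cadatahome.findAll();
        Iterator iter = result.iterator();
        while(iter.hasNext()){
            CADataLocal cadatalocal = (CADataLocal) iter.next();
            returnval.add(cadatalocal.getCA().getCACertificate());
        }
    }catch(javax.ejb.FinderException ignored){
        // presumably raised when no CA exists; an empty list is the intended result
    }catch(UnsupportedEncodingException uee){
        throw new EJBException(uee);
    }
    return returnval;
} // getAllCACertificates

/**
 * Activates the CA token of an offline CA with the supplied authorization code and sets the
 * CA status to CA_ACTIVE.
 *
 * Only "/super_administrator" is accepted (see the TODO below). CAs with an id in the reserved
 * range 0..CAInfo.SPECIALCAIDBORDER cannot be activated, and the CA must currently have status
 * CA_OFFLINE. The authorization code is passed to the token only and is not written to the log.
 *
 * @param admin administrator performing the activation
 * @param caid id of the CA whose token is activated
 * @param authorizationcode code that unlocks the CA token
 * @throws AuthorizationDeniedException if admin is not authorized for "/super_administrator"
 * @throws CATokenAuthenticationFailedException if caid is in the reserved range or the CA is
 *         not offline; presumably also propagated from the token when the code is rejected
 * @throws CATokenOfflineException propagated from the token
 * @throws EJBException if the CA cannot be found or its token cannot be loaded
 * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
 */
public void activateCAToken(Admin admin, int caid, String authorizationcode) throws AuthorizationDeniedException, CATokenAuthenticationFailedException, CATokenOfflineException{
    // Authorize, Check that admin is superadministrator.
    // TODO, make this possible for CAAdministrators
    try{
        getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator");
    }catch(AuthorizationDeniedException ade){
        getLogSession().log (admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Administrator isn't authorized to activate CA token.",ade);
        throw new AuthorizationDeniedException("Administrator not authorized to activate CA token.");
    }
    try{
        // ids in this range are reserved for special CAs that have no activatable token
        if(caid >=0 && caid <= CAInfo.SPECIALCAIDBORDER){
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when trying to activate CA with caid " + caid + ". CA activation not available.");
            throw new CATokenAuthenticationFailedException("Error when trying to activate CA with caid " + caid + ". CA activation not available.");
        }
        CADataLocal cadata = cadatahome.findByPrimaryKey(new Integer(caid));
        if(cadata.getStatus() == SecConst.CA_OFFLINE){
            try {
                cadata.getCA().getCAToken().activate(authorizationcode);
                cadata.setStatus(SecConst.CA_ACTIVE);
                getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_CAEDITED,"CA " + cadata.getName() + " activated successfully.");
            } catch (IllegalKeyStoreException e) {
                throw new EJBException(e);
            } catch (UnsupportedEncodingException e) {
                throw new EJBException(e);
            }
        }else{
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"CA " + cadata.getName() + " must have the status 'offline' in order to be activated");
            throw new CATokenAuthenticationFailedException("CA must have the status 'offline' in order to be activated");
        }
    }catch(javax.ejb.FinderException fe) {
        getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when trying to activate CA with caid " + caid + ". CA could not be found.");
        throw new EJBException(fe);
    }
}

/**
 * Deactivates the CA token of an active CA and sets the CA status to CA_OFFLINE.
 *
 * Only "/super_administrator" is accepted (see the TODO below). CAs with an id in the reserved
 * range 0..CAInfo.SPECIALCAIDBORDER cannot be deactivated.
 *
 * @param admin administrator performing the deactivation
 * @param caid id of the CA whose token is deactivated
 * @throws AuthorizationDeniedException if admin is not authorized for "/super_administrator"
 * @throws EjbcaException if caid is in the reserved range
 * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
 */
public void deactivateCAToken(Admin admin, int caid) throws AuthorizationDeniedException, EjbcaException{
    // Authorize, Check that admin is superadministrator.
    // TODO, make this possible for CAAdministrators
    try{
        getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator");
    }catch(AuthorizationDeniedException ade){
        getLogSession().log (admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Administrator isn't authorized to deactivate CA token.",ade);
        throw new AuthorizationDeniedException("Administrator not authorized to deactivate CA token.");
    }
    try{
        if(caid >=0 && caid <= CAInfo.SPECIALCAIDBORDER){
            // This should never happen.
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when trying to deactivate CA with caid " + caid + ". CA deactivation not available.");
            throw new EjbcaException("Error when trying to deactivate CA with caid " + caid + ". CA deactivation not available.");
        }else{
            CADataLocal cadata = cadatahome.findByPrimaryKey(new Integer(caid));
            if(cadata.getStatus() == SecConst.CA_ACTIVE){
                try {
                    cadata.getCA().getCAToken().deactivate();
                    cadata.setStatus(SecConst.CA_OFFLINE);
                    getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_CAEDITED,"CA " + cadata.getName() + "have been deactivated successfully.");
                } catch (IllegalKeyStoreException e) {
                    throw new EJBExcepti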