Connection con = null; PreparedStatement ps = null; PreparedStatement ps2 = null; int temprevoked = 0; int revoked = 0; String bcdn = CertTools.stringToBCDNString(issuerdn); final String firstsqlstatement = "UPDATE CertificateData SET status=?" + " WHERE issuerDN=? AND status = ? "; final String secondsqlstatement = "UPDATE CertificateData SET status=?, revocationDate=?, revocationReason=?" + " WHERE issuerDN=? AND status <> ?"; long currentdate = new Date().getTime(); try { // First SQL statement, changing all temporaty revoked certificates to permanently revoked certificates con = getConnection(); ps = con.prepareStatement(firstsqlstatement); ps.setInt(1, CertificateData.CERT_REVOKED); // first statusfield ps.setString(2, bcdn); // issuerdn field ps.setInt(3, CertificateData.CERT_TEMP_REVOKED); // second statusfield temprevoked = ps.executeUpdate(); // Second SQL statement, revoking all non revoked certificates. ps2 = con.prepareStatement(secondsqlstatement); ps2.setInt(1, CertificateData.CERT_REVOKED); // first statusfield ps2.setLong(2, currentdate); // revokedate field ps2.setInt(3, reason); // revokation reason ps2.setString(4, bcdn); // issuer dn ps2.setInt(5, CertificateData.CERT_REVOKED); // second statusfield revoked = ps2.executeUpdate(); getLogSession().log(admin, bcdn.hashCode(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_REVOKEDCERT,("Revoked All CAs certificates successfully. 
Permantly revoked :" + (revoked + temprevoked) + " Certificates with reason: " + reason));
} catch (Exception e) {
    getLogSession().log(admin, bcdn.hashCode(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_REVOKEDCERT, "Error when trying to revoke a CA's all certificates", e);
    throw new EJBException(e);
} finally {
    try {
        if (ps != null) ps.close();
        if (ps2 != null) ps2.close();
        if (con != null) con.close();
    } catch (SQLException se) {
        error("Error cleaning up: ", se);
    }
}
} // revokeAllCertByCA

/**
 * Checks whether every certificate issued to a user has been revoked.
 *
 * Each certificate found for the user is looked up by fingerprint and its stored
 * status compared with CertificateData.CERT_REVOKED. The whole list is always
 * walked; the method does not stop at the first non-revoked certificate.
 *
 * @param admin the administrator performing the lookup, passed on to findCertificatesByUsername
 * @param username the username to check for; stripped with StringTools.strip before use
 *
 * @return true if every certificate of the user has status CERT_REVOKED (also true
 *         when the user has no certificates at all), false otherwise
 * @throws EJBException wrapping a FinderException if a certificate record cannot be loaded
 */
public boolean checkIfAllRevoked(Admin admin, String username) {
    // Strip dangerous chars
    username = StringTools.strip(username);
    boolean allRevoked = true;
    try {
        Iterator certIter = findCertificatesByUsername(admin, username).iterator();
        while (certIter.hasNext()) {
            X509Certificate cert = (X509Certificate) certIter.next();
            CertificateDataPK pk = new CertificateDataPK();
            pk.fingerprint = CertTools.getFingerprintAsString(cert);
            CertificateDataLocal data = certHome.findByPrimaryKey(pk);
            // One certificate that is not revoked is enough to make the answer false
            if (data.getStatus() != CertificateData.CERT_REVOKED) {
                allRevoked = false;
            }
        }
    } catch (FinderException e) {
        throw new EJBException(e);
    }
    return allRevoked;
}

/**
 * Returns the revocation status for a list of certificates of one issuer, identified
 * by their serial numbers.
 *
 * @param admin the administrator performing the lookup
 * @param issuerDN the subject DN of the issuing CA certificate
 * @param sernos a collection of certificate serial numbers; every element must be a BigInteger
 *
 * @return Collection a collection of {@link RevokedCertInfo} objects which
 *         reflect the revocation status of the given certificates
 * @throws IllegalArgumentException if admin, issuerDN or sernos is null, or issuerDN is empty
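 */
public Collection isRevoked(Admin admin, String issuerDN, Collection sernos) {
    // Validate first so a null collection yields the documented IllegalArgumentException
    // rather than a NullPointerException from sernos.size() in the debug line.
    if (null == admin || null == issuerDN || issuerDN.length() <= 0 || null == sernos) {
        throw new IllegalArgumentException();
    }
    if (log.isDebugEnabled()) {
        debug(">isRevoked(), dn:" + issuerDN + ", no of sernos=" + sernos.size());
    }
    if (sernos.isEmpty()) {
        return new ArrayList();
    }
    // First make a DN in our well-known format
    String dn = CertTools.stringToBCDNString(issuerDN);
    Connection con = null;
    PreparedStatement ps = null;
    ResultSet result = null;
    ArrayList vect = null;
    try {
        // Collect the serial numbers as decimal strings (the same representation the
        // single-certificate lookup hands to findByIssuerDNSerialNumber) and build a
        // matching "?, ?, ..." placeholder list. Issuer DN and serial numbers are bound
        // as statement parameters and never spliced into the SQL text.
        ArrayList sernoStrings = new ArrayList(sernos.size());
        StringBuffer placeholders = new StringBuffer();
        Iterator iter = sernos.iterator();
        while (iter.hasNext()) {
            // Make sure this is really a BigInteger passed in as (untrusted param)
            BigInteger serno = (BigInteger) iter.next();
            sernoStrings.add(serno.toString());
            if (placeholders.length() > 0) {
                placeholders.append(", ");
            }
            placeholders.append("?");
        }
        // presumably sernos is a modest list; JDBC drivers cap the number of bound
        // parameters per statement — TODO confirm for large batches
        con = getConnection();
        ps = con.prepareStatement("SELECT DISTINCT serialNumber, revocationDate, revocationReason, status"
                + " FROM CertificateData WHERE issuerDN = ? AND serialNumber IN ("
                + placeholders.toString() + ")");
        ps.setString(1, dn);
        for (int i = 0; i < sernoStrings.size(); i++) {
            ps.setString(i + 2, (String) sernoStrings.get(i));
        }
        result = ps.executeQuery();
        vect = new ArrayList();
        while (result.next()) {
            // NOTE(review): serialNumber is matched as a decimal string above; reading it
            // back with getBytes() relies on the driver returning the numeric bytes — confirm.
            RevokedCertInfo info = new RevokedCertInfo(new BigInteger(result.getBytes(1)),
                    new Date(result.getLong(2)), result.getInt(3));
            // Backwards compatibility, handle databases that did not have NOT_REVOKED
            if (result.getInt(4) != CertificateData.CERT_REVOKED) {
                info.setReason(RevokedCertInfo.NOT_REVOKED);
            }
            vect.add(info);
        }
    } catch (Exception e) {
        error("Unable to load revoked certificates for issuer '" + issuerDN + "'", e);
        throw new EJBException(e);
    } finally {
        try {
            if (result != null) {
                result.close();
            }
            if (ps != null) {
                ps.close();
            }
            if (con != null) {
                con.close();
            }
        } catch (SQLException se) {
            error("Unable to cleanup after : isRevoked()", se);
        }
    }
    debug("<isRevoked()");
    return vect;
} // isRevoked

/**
 * Implements ICertificateStoreSession::isRevoked for a single certificate.
 * Looks the certificate up through the entity home (findByIssuerDNSerialNumber)
 * rather than with raw JDBC.
 *
 * @param admin the administrator performing the lookup; used when logging a database error
 * @param issuerDN the subject DN of the issuing CA, normalised with CertTools.stringToBCDNString before lookup
 * @param serno the certificate serial number
 *
 * @return the revocation status of the certificate, with reason NOT_REVOKED when the stored
 *         status is not CERT_REVOKED; null when no certificate with this issuer and serial
 *         number exists
 * @throws EJBException wrapping any exception raised by the lookup
 */
public RevokedCertInfo isRevoked(Admin admin, String issuerDN, BigInteger serno) {
    if (log.isDebugEnabled()) {
        debug(">isRevoked(), dn:" + issuerDN + ", serno=" + serno);
    }
    // First make a DN in our well-known format
    String dn = CertTools.stringToBCDNString(issuerDN);
    try {
        Collection coll = certHome.findByIssuerDNSerialNumber(dn, serno.toString());
        if (coll != null) {
            if (coll.size() > 1) {
                // Issuer plus serial number should identify exactly one certificate;
                // more than one hit is a data-integrity problem, so log it.
                getLogSession().log(admin, issuerDN.hashCode(), LogEntry.MODULE_CA, new java.util.Date(), null, null,
                        LogEntry.EVENT_ERROR_DATABASE, "Error in database, more than one certificate has the same Issuer : "
                        + issuerDN + " and serialnumber " + serno.toString(16) + ".");
            }
            Iterator iter = coll.iterator();
            if (iter.hasNext()) {
                CertificateDataLocal data = (CertificateDataLocal) iter.next();
                RevokedCertInfo revinfo = new RevokedCertInfo(serno, new Date(data.getRevocationDate()), data.getRevocationReason());
                // Make sure we have it as NOT revoked if it isn't
                boolean revoked = data.getStatus() == CertificateData.CERT_REVOKED;
                if (!revoked) {
                    revinfo.setReason(RevokedCertInfo.NOT_REVOKED);
                }
                debug("<isRevoked() returned " + (revoked ? "yes" : "no"));
                return revinfo;
            }
        }
    } catch (Exception e) {
        throw new EJBException(e);
    }
    return null;
} //isRevoked

/**
 * Implements ICertificateStoreSession::getLastCRL.
 *
 * @param admin the administrator requesting the CRL; used for logging
 * @param issuerdn the issuer DN whose most recent CRL is wanted
 *
 * @return the encoded CRL with the highest CRL number stored for this issuer,
 *         or null if no CRL is stored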
 */
public byte[] getLastCRL(Admin admin, String issuerdn) {
    debug(">getLastCRL(" + issuerdn + ")");
    try {
        int maxnumber = getLastCRLNumber(admin, issuerdn);
        X509CRL crl;
        try {
            CRLDataLocal data = crlHome.findByIssuerDNAndCRLNumber(issuerdn, maxnumber);
            crl = data.getCRL();
        } catch (FinderException ignored) {
            // No stored CRL with this issuer and number: reported to the caller as null below
            crl = null;
        }
        debug("<getLastCRL()");
        if (crl == null) {
            return null;
        }
        getLogSession().log(admin, crl.getIssuerDN().toString().hashCode(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_GETLASTCRL, "Number :" + maxnumber);
        return crl.getEncoded();
    } catch (Exception e) {
        getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_GETLASTCRL, "Error retrieving last crl.");
        throw new EJBException(e);
    }
} //getLastCRL

/**
 * Implements ICertificateStoreSession::getLastCRLInfo.
 *
 * @param admin the administrator requesting the information; used for logging
 * @param issuerdn the issuer DN whose most recent CRL is wanted
 *
 * @return a CRLInfo describing the CRL with the highest CRL number stored for this
 *         issuer, or null if no CRL is stored
 * @throws EJBException wrapping any exception other than a missing CRL record
 */
public CRLInfo getLastCRLInfo(Admin admin, String issuerdn) {
    debug(">getLastCRLInfo(" + issuerdn + ")");
    try {
        int maxnumber = getLastCRLNumber(admin, issuerdn);
        CRLInfo crlinfo;
        try {
            CRLDataLocal data = crlHome.findByIssuerDNAndCRLNumber(issuerdn, maxnumber);
            crlinfo = new CRLInfo(data.getIssuerDN(), maxnumber, data.getThisUpdate(), data.getNextUpdate());
        } catch (FinderException ignored) {
            // No stored CRL with this issuer and number: reported to the caller as null
            crlinfo = null;
        }
        debug("<getLastCRLInfo()");
        return crlinfo;
    } catch (Exception e) {
        getLogSession().log(admin, issuerdn.hashCode(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_GETLASTCRL, "Error retrieving crl info.");
        throw new EJBException(e);
    }
} //getLastCRLInfo

/**
 * Implements ICertificateStoreSession::getLastCRLNumber.
 * Uses select directly from datasource.
 *
 * @param admin the administrator performing the lookup
 * @param issuerdn the issuer DN to look up
 *
 * @return the highest CRLNumber stored for this issuer, or 0 when no CRL exists for it
*/ public int getLastCRLNumber(Admin admin, String issuerdn) { debug(">getLastCRLNumber("+issuerdn+")"); Connection con = null; PreparedStatement ps = null;; ResultSet result = null; try { con = getConnection(); ps = con.prepareStatement("select MAX(CRLNumber) from CRLData where issuerDN=?"); ps.setString(1,issuerdn); result = ps.executeQuery(); int maxnumber = 0; if (result.next()) maxnumber = result.getInt(1); debug("<getLastCRLNumber("+maxnumber+")"); return maxnumber; } catch (Exception e) { throw new EJBException(e); } finally { try { if (result != null) { result.close(); } if (ps != null) { ps.close(); } if (con != null) {