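crl = CertTools.getCRLfromByteArray(incrl);
            // The CRL is filed under an entry named after its issuer.
            dn = constructLDAPDN(CertTools.getIssuerDN(crl));
        } catch (Exception e) {
            log.error("Error decoding input CRL: ", e);
            throw new PublisherException("Error decoding input CRL.");
        }

        // Look for an existing entry so the CRL is replaced rather than duplicated.
        LDAPEntry oldEntry = null;
        try {
            lc.connect(getHostname(), Integer.parseInt(getPort()));
            // Simple bind: the login DN and password travel in the clear unless
            // getUseSSL() selected the JSSE socket factory above.
            lc.bind(ldapVersion, getLoginDN(), getLoginPassword());
            oldEntry = lc.read(dn);
            lc.disconnect();
        } catch (LDAPException e) {
            if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) {
                // First CRL for this issuer: a fresh entry is created below.
                log.debug("No old entry exist for '" + dn + "'.");
            } else {
                log.error("Error binding to and reading from LDAP server: ", e);
                throw new PublisherException("Error binding to and reading from LDAP server.");
            }
        } finally {
            // read() may have thrown before the disconnect above ran; release the
            // connection on every exit path instead of leaving it open.
            disconnectQuietly(lc);
        }

        // Either a modification set for the existing entry or an attribute set for a new one.
        LDAPEntry newEntry = null;
        LDAPModificationSet modSet = null;
        LDAPAttributeSet attributeSet = null;
        if (oldEntry != null) {
            modSet = getModificationSet(oldEntry, dn, false, false);
        } else {
            attributeSet = getAttributeSet(null, this.getCAObjectClass(), dn, true, false);
        }

        try {
            // The same DER encoding is published under both the CRL and the ARL attribute.
            byte[] encodedCrl = crl.getEncoded();
            LDAPAttribute crlAttr = new LDAPAttribute(getCRLAttribute(), encodedCrl);
            LDAPAttribute arlAttr = new LDAPAttribute(getARLAttribute(), encodedCrl);
            if (oldEntry != null) {
                modSet.add(LDAPModification.REPLACE, crlAttr);
                modSet.add(LDAPModification.REPLACE, arlAttr);
            } else {
                attributeSet.add(crlAttr);
                attributeSet.add(arlAttr);
            }
        } catch (CRLException e) {
            log.error("Error encoding CRL when storing in LDAP: ", e);
            throw new PublisherException("Error encoding CRL when storing in LDAP.");
        }

        if (oldEntry == null) {
            newEntry = new LDAPEntry(dn, attributeSet);
        }

        try {
            lc.connect(getHostname(), Integer.parseInt(getPort()));
            lc.bind(ldapVersion, getLoginDN(), getLoginPassword());
            if (oldEntry != null) {
                lc.modify(dn, modSet);
                log.debug("\nModified object: " + dn + " successfully.");
            } else {
                lc.add(newEntry);
                log.debug("\nAdded object: " + dn + " successfully.");
            }
            lc.disconnect();
        } catch (LDAPException e) {
            log.error("Error storing CRL (" + getCRLAttribute() + ") in LDAP (" + getCAObjectClass() + "): ", e);
            throw new PublisherException("Error storing CRL (" + getCRLAttribute() + ") in LDAP (" + getCAObjectClass() + "): ");
        } finally {
            disconnectQuietly(lc);
        }
        return true;
    }

    /**
     * Disconnects {@code lc} if it is still connected.
     *
     * Used from finally blocks, so a failure of disconnect() is only logged:
     * it must never replace the exception that is already propagating.
     *
     * @param lc the connection to release; may be null or already disconnected
     */
    private void disconnectQuietly(LDAPConnection lc) {
        if (lc == null || !lc.isConnected()) {
            return;
        }
        try {
            lc.disconnect();
        } catch (LDAPException ignored) {
            log.debug("Ignoring error while disconnecting from LDAP server.", ignored);
        }
    }

    /**
     * Removes a published end-entity certificate from its LDAP entry.
     *
     * OBSERVE: this method has not been tested.
     *
     * CA certificates are left in place: the CA object class used here does not
     * allow the certificate attribute to be deleted, so that branch only logs.
     * The entry is modified only when getModifyExistingUsers() is set.
     *
     * @param admin  the administrator performing the revocation (not used here)
     * @param cert   the certificate to remove; must be an X509Certificate
     * @param reason the revocation reason; not used, the certificate attribute
     *               is simply deleted from the entry
     * @throws PublisherException if the certificate cannot be decoded, no entry
     *         exists for an end-entity certificate, or the LDAP operation fails
     * @see se.anatom.ejbca.ca.publisher.BasePublisher
     */
    public void revokeCertificate(Admin admin, Certificate cert, int reason) throws PublisherException {
        log.debug(">revokeCertificate()");
        int ldapVersion = LDAPConnection.LDAP_V3;
        LDAPConnection lc = newConnection();

        String dn = null;
        X509Certificate x509cert = null;
        try {
            // A non-X.509 certificate fails the cast here and is reported as a decoding error.
            x509cert = (X509Certificate) cert;
            dn = constructLDAPDN(CertTools.getSubjectDN(x509cert));
        } catch (Exception e) {
            log.error("Error decoding input certificate: ", e);
            throw new PublisherException("Error decoding input certificate.");
        }

        // Fetch the current entry; the modification set below is built from it.
        LDAPEntry oldEntry = null;
        try {
            lc.connect(getHostname(), Integer.parseInt(getPort()));
            lc.bind(ldapVersion, getLoginDN(), getLoginPassword());
            oldEntry = lc.read(dn);
            lc.disconnect();
        } catch (LDAPException e) {
            if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) {
                log.debug("No old entry exist for '" + dn + "'.");
            } else {
                log.error("Error binding to and reading from LDAP server: ", e);
                throw new PublisherException("Error binding to and reading from LDAP server.");
            }
        } finally {
            disconnectQuietly(lc);
        }

        LDAPModificationSet modSet = null;
        // getBasicConstraints() is -1 for a certificate that is not a CA certificate.
        if (x509cert.getBasicConstraints() == -1) {
            log.debug("Removing end user certificate from " + getHostname());
            if (oldEntry != null) {
                // TODO: Are we the correct type objectclass?
                modSet = getModificationSet(oldEntry, dn, false, true);
                modSet.add(LDAPModification.DELETE, new LDAPAttribute(getUserCertAttribute()));
            } else {
                log.error("Certificate doesn't exist in database");
                throw new PublisherException("Certificate doesn't exist in database");
            }
        } else {
            // Removal of CA certificates is currently not supported because of
            // object class restrictions; modSet stays null and nothing is changed.
            log.debug("Not removing CA certificate from " + getHostname() + "Because of object class restrictions.");
        }

        try {
            // The connection is opened even when there is nothing to modify, so a
            // server that is down is still reported as an error here.
            lc.connect(getHostname(), Integer.parseInt(getPort()));
            lc.bind(ldapVersion, getLoginDN(), getLoginPassword());
            if (oldEntry != null && modSet != null && getModifyExistingUsers()) {
                lc.modify(dn, modSet);
                log.debug("\nRemoved certificate : " + dn + " successfully.");
            }
            lc.disconnect();
        } catch (LDAPException e) {
            log.error("Error when removing certificate from LDAP (" + dn + "): ", e);
            throw new PublisherException("Error when removing certificate from LDAP (" + dn + ")");
        } finally {
            disconnectQuietly(lc);
        }
        log.debug("<revokeCertificate()");
    }

    /**
     * Creates an unconnected LDAPConnection, TLS-wrapped when getUseSSL() is set.
     *
     * NOTE(review): LDAPJSSESecureSocketFactory() relies on the default JSSE
     * configuration; which trust store validates the server certificate is not
     * visible in this class - confirm in the deployment configuration.
     *
     * @return a new connection object that still has to be connected and bound
     */
    private LDAPConnection newConnection() {
        if (getUseSSL()) {
            return new LDAPConnection(new LDAPJSSESecureSocketFactory());
        }
        return new LDAPConnection();
    }

    /**
     * Verifies that the publisher can connect, bind and read its base DN.
     *
     * @param admin the administrator requesting the test (not used here)
     * @throws PublisherConnectionException if connecting, binding or reading the
     *         base DN fails, or the base DN entry cannot be found
     * @see se.anatom.ejbca.ca.publisher.BasePublisher
     */
    public void testConnection(Admin admin) throws PublisherConnectionException {
        int ldapVersion = LDAPConnection.LDAP_V3;
        LDAPConnection lc = newConnection();
        LDAPEntry entry = null;
        try {
            lc.connect(getHostname(), Integer.parseInt(getPort()));
            lc.bind(ldapVersion, getLoginDN(), getLoginPassword());
            entry = lc.read(getBaseDN());
            lc.disconnect();
            // Null check before the dereference below, otherwise a missing entry
            // surfaces as a NullPointerException instead of the intended exception.
            if (entry == null) {
                throw new PublisherConnectionException("Couldn't find bindDN.");
            }
            log.debug("Entry" + entry.toString());
        } catch (LDAPException e) {
            if (e.getMessage() != null) {
                throw new PublisherConnectionException("Error binding to and reading from LDAP server: " + e.getMessage());
            }
            throw new PublisherConnectionException("Error binding to and reading from LDAP server. ");
        } finally {
            disconnectQuietly(lc);
        }
    }

    /** @return the hostname of the LDAP server. */
    public String getHostname() {
        return (String) data.get(HOSTNAME);
    }

    /** @param hostname the hostname of the LDAP server. */
    public void setHostname(String hostname) {
        data.put(HOSTNAME, hostname);
    }

    /** @return true if an SSL connection should be used. */
    public boolean getUseSSL() {
        return ((Boolean) data.get(USESSL)).booleanValue();
    }

    /** @param usessl whether an SSL connection should be used. */
    public void setUseSSL(boolean usessl) {
        data.put(USESSL, Boolean.valueOf(usessl));
    }

    /** @return the port of the LDAP server, as a string that is parsed on each connect. */
    public String getPort() {
        return (String) data.get(PORT);
    }

    /** @param port the port of the LDAP server; must parse as an integer. */
    public void setPort(String port) {
        data.put(PORT, port);
    }

    /** @return the base DN of the LDAP server, read by testConnection(). */
    public String getBaseDN() {
        return (String) data.get(BASEDN);
    }

    /** @param basedn the base DN of the LDAP server. */
    public void setBaseDN(String basedn) {
        data.put(BASEDN, basedn);
    }

    /** @return the DN used to bind to the LDAP server. */
    public String getLoginDN() {
        return (String) data.get(LOGINDN);
    }

    /** @param logindn the DN used to bind to the LDAP server. */
    public void setLoginDN(String logindn) {
        data.put(LOGINDN, logindn);
    }

    /**
     * @return the password used to bind to the LDAP server.
     *
     * NOTE(review): the password is held as a String in the publisher data map;
     * how that map is persisted and protected is not visible here - confirm.
     */
    public String getLoginPassword() {
        return (String) data.get(LOGINPASSWORD);
    }

    /** @param loginpwd the password used to bind to the LDAP server. */
    public void setLoginPassword(String loginpwd) {
        data.put(LOGINPASSWORD, loginpwd);
    }

    /** @return true if entries for non-existing users should be created. */
    public boolean getCreateNonExisingUsers() {
        return ((Boolean) data.get(CREATENONEXISTING)).booleanValue();
    }

    /** @param createnonexistingusers whether entries for non-existing users should be created. */
    public void setCreateNonExisingUsers(boolean createnonexistingusers) {
        data.put(CREATENONEXISTING, Boolean.valueOf(createnonexistingusers));
    }

    /** @return true if existing user entries may be modified (checked by revokeCertificate()). */
    public boolean getModifyExistingUsers() {
        return ((Boolean) data.get(MODIFYEXISTING)).booleanValue();
    }

    /** @param modifyexistingusers whether existing user entries may be modified. */
    public void setModifyExistingUsers(boolean modifyexistingusers) {
        data.put(MODIFYEXISTING, Boolean.valueOf(modifyexistingusers));
    }

    /** @return the object class used for user entries in the LDAP instance. */
    public String getUserObjectClass() {
        return (String) data.get(USEROBJECTCLASS);
    }

    /** @param userobjectclass the object class used for user entries in the LDAP instance. */
    public void setUserObjectClass(String userobjectclass) {
        data.put(USEROBJECTCLASS, userobjectclass);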