/************************************************************************* * * * EJBCA: The OpenSource Certificate Authority * * * * This software is free software; you can redistribute it and/or * * modify it under the terms of the GNU Lesser General Public * * License as published by the Free Software Foundation; either * * version 2.1 of the License, or any later version. * * * * See terms of license at gnu.org. * * * *************************************************************************/ package se.anatom.ejbca.ca.sign;import java.io.BufferedReader;import java.io.IOException;import java.io.InputStreamReader;import java.io.UnsupportedEncodingException;import java.security.InvalidKeyException;import java.security.NoSuchAlgorithmException;import java.security.NoSuchProviderException;import java.security.PublicKey;import java.security.SecureRandom;import java.security.cert.CRLException;import java.security.cert.Certificate;import java.security.cert.CertificateException;import java.security.cert.CertificateExpiredException;import java.security.cert.CertificateNotYetValidException;import java.security.cert.X509CRL;import java.security.cert.X509Certificate;import java.security.interfaces.RSAPublicKey;import java.util.Arrays;import java.util.Collection;import java.util.Iterator;import java.util.Vector;import javax.ejb.CreateException;import javax.ejb.EJBException;import javax.ejb.ObjectNotFoundException;import org.bouncycastle.jce.X509KeyUsage;import se.anatom.ejbca.BaseSessionBean;import se.anatom.ejbca.SecConst;import se.anatom.ejbca.ca.auth.IAuthenticationSessionLocal;import se.anatom.ejbca.ca.auth.IAuthenticationSessionLocalHome;import se.anatom.ejbca.ca.auth.UserAuthData;import se.anatom.ejbca.ca.caadmin.CA;import se.anatom.ejbca.ca.caadmin.CADataLocal;import se.anatom.ejbca.ca.caadmin.CADataLocalHome;import se.anatom.ejbca.ca.caadmin.CAToken;import se.anatom.ejbca.ca.caadmin.extendedcaservices.ExtendedCAServiceNotActiveException;import 
se.anatom.ejbca.ca.caadmin.extendedcaservices.ExtendedCAServiceRequest;import se.anatom.ejbca.ca.caadmin.extendedcaservices.ExtendedCAServiceRequestException;import se.anatom.ejbca.ca.caadmin.extendedcaservices.ExtendedCAServiceResponse;import se.anatom.ejbca.ca.caadmin.extendedcaservices.IllegalExtendedCAServiceRequestException;import se.anatom.ejbca.ca.exception.AuthLoginException;import se.anatom.ejbca.ca.exception.AuthStatusException;import se.anatom.ejbca.ca.exception.CADoesntExistsException;import se.anatom.ejbca.ca.exception.CATokenOfflineException;import se.anatom.ejbca.ca.exception.IllegalKeyException;import se.anatom.ejbca.ca.exception.IllegalKeyStoreException;import se.anatom.ejbca.ca.exception.SignRequestException;import se.anatom.ejbca.ca.exception.SignRequestSignatureException;import se.anatom.ejbca.ca.publisher.IPublisherSessionLocal;import se.anatom.ejbca.ca.publisher.IPublisherSessionLocalHome;import se.anatom.ejbca.ca.store.CertificateData;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocal;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocalHome;import se.anatom.ejbca.ca.store.certificateprofiles.CertificateProfile;import se.anatom.ejbca.log.Admin;import se.anatom.ejbca.log.ILogSessionLocal;import se.anatom.ejbca.log.ILogSessionLocalHome;import se.anatom.ejbca.log.LogEntry;import se.anatom.ejbca.protocol.FailInfo;import se.anatom.ejbca.protocol.IRequestMessage;import se.anatom.ejbca.protocol.IResponseMessage;import se.anatom.ejbca.protocol.ResponseStatus;import se.anatom.ejbca.util.CertTools;import se.anatom.ejbca.util.Hex;/** * Creates and isigns certificates. 
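 * @version $Id: RSASignSessionBean.java,v 1.130 2004/05/24 20:04:54 anatom Exp $
 */
public class RSASignSessionBean extends BaseSessionBean {

    /** Local home interface to the CA data store. */
    private CADataLocalHome cadatahome;

    /** Home interface to the certificate store session bean. */
    private ICertificateStoreSessionLocalHome storeHome = null;

    /** Home interface to the authentication session bean. */
    private IAuthenticationSessionLocalHome authHome = null;

    /** Home interface to the publisher session bean. */
    private IPublisherSessionLocalHome publishHome = null;

    /** Local interface of the log session bean; looked up lazily by getLogSession(). */
    private ILogSessionLocal logsession;

    /** Source of good random data, created in ejbCreate() from the configured algorithm. */
    SecureRandom randomSource = null;

    /**
     * Default create for SessionBean without any creation arguments.
     *
     * Installs the BouncyCastle provider, looks up the home interfaces of the session beans this
     * bean depends on and initialises the random source from the "randomAlgorithm" environment
     * entry.
     *
     * @throws CreateException if bean instance can't be created
     */
    public void ejbCreate() throws CreateException {
        debug(">ejbCreate()");
        try {
            // Install BouncyCastle provider
            CertTools.installBCProvider();

            // get home interfaces to other session beans used
            storeHome = (ICertificateStoreSessionLocalHome) lookup(
                    "java:comp/env/ejb/CertificateStoreSessionLocal");
            authHome = (IAuthenticationSessionLocalHome) lookup(
                    "java:comp/env/ejb/AuthenticationSessionLocal");
            cadatahome = (CADataLocalHome) lookup("java:comp/env/ejb/CADataLocal");
            publishHome = (IPublisherSessionLocalHome) lookup(
                    "java:comp/env/ejb/PublisherSessionLocal");

            // Get a decent source of random data. The algorithm name is deployment
            // configuration; the serial number generator is told to use the same one.
            String randomAlgorithm = (String) lookup("java:comp/env/randomAlgorithm");
            randomSource = SecureRandom.getInstance(randomAlgorithm);
            SernoGenerator.setAlgorithm(randomAlgorithm);
        } catch (Exception e) {
            // Wrap as an EJB system exception: a bean that could not wire its
            // dependencies or its random source must not be used.
            debug("Caught exception in ejbCreate(): ", e);
            throw new EJBException(e);
        }
        debug("<ejbCreate()");
    }

    /**
     * Gets connection to log session bean, creating it on first use.
     *
     * @return the log session local interface
     * @throws EJBException if the lookup or create fails
     */
    private ILogSessionLocal getLogSession() {
        if (logsession != null) {
            return logsession;
        }
        try {
            ILogSessionLocalHome home = (ILogSessionLocalHome) lookup(
                    "java:comp/env/ejb/LogSessionLocal", ILogSessionLocalHome.class);
            logsession = home.create();
        } catch (Exception e) {
            throw new EJBException(e);
        }
        return logsession;
    } // getLogSession

    /**
     * Returns the certificate chain of a CA.
     *
     * @param admin admin performing the action (not used by this method)
     * @param caid CA id, i.e. the issuer DN's hashCode()
     * @return the CA's certificate chain, as returned by CA.getCertificateChain()
     * @throws EJBException if no CA with this id exists or the stored CA cannot be decoded
     */
    public Collection getCertificateChain(Admin admin, int caid) {
        CADataLocal cadata;
        try {
            cadata = cadatahome.findByPrimaryKey(new Integer(caid));
        } catch (javax.ejb.FinderException fe) {
            throw new EJBException(fe);
        }
        CA ca;
        try {
            ca = cadata.getCA();
        } catch (UnsupportedEncodingException uee) {
            throw new EJBException(uee);
        }
        return ca.getCertificateChain();
    } // getCertificateChain

    /**
     * Implements ISignSession::createPKCS7.
     *
     * The CA is identified through the issuer DN of the supplied certificate, so this variant
     * cannot produce a chain-only PKCS7; use createPKCS7(Admin, int) for that.
     *
     * @param admin Information about the administrator or admin performing the event.
     * @param cert client X.509 certificate to encapsulate in a PKCS7 together with the CA
     *        certificate chain. Must not be null.
     * @return The DER-encoded PKCS7 message.
     * @throws IllegalArgumentException if cert is null
     * @throws ClassCastException if cert is not an X509Certificate
     * @throws CADoesntExistsException if the CA does not exist or is expired, or has an invalid cert
     * @throws SignRequestSignatureException passed through from the internal helper
     */
    public byte[] createPKCS7(Admin admin, Certificate cert)
        throws CADoesntExistsException, SignRequestSignatureException {
        if (cert == null) {
            // There is nothing to derive the CA id from; fail clearly instead of with an NPE.
            throw new IllegalArgumentException(
                    "cert must not be null, use createPKCS7(Admin, int) for a chain-only PKCS7");
        }
        // The CA id is, by convention in this bean, the hashCode() of the issuer DN.
        int caid = CertTools.getIssuerDN((X509Certificate) cert).hashCode();
        return createPKCS7(admin, caid, cert);
    } // createPKCS7

    /**
     * Implements ISignSession::createPKCS7.
     *
     * @param admin Information about the administrator or admin performing the event.
     * @param caId CA for which we want a PKCS7 certificate chain.
     *
     * @return The DER-encoded PKCS7 message.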
     * @throws CADoesntExistsException if the CA does not exist or is expired, or has an invalid cert
     */
    public byte[] createPKCS7(Admin admin, int caId) throws CADoesntExistsException {
        try {
            // A null client certificate requests a PKCS7 holding only the CA chain.
            return createPKCS7(admin, caId, null);
        } catch (SignRequestSignatureException e) {
            // Not expected for a chain-only PKCS7; treated as an internal error.
            error("Unknown error, strange?", e);
            throw new EJBException(e);
        }
    } // createPKCS7

    /**
     * Internal helper method shared by both public createPKCS7 variants.
     *
     * @param admin Information about the administrator or admin performing the event.
     * @param caId CA for which we want a PKCS7 certificate chain.
     * @param cert client certificate which we want encapsulated in a PKCS7 together with
     *        certificate chain, or null
     * @return The DER-encoded PKCS7 message.
     * @throws CADoesntExistsException if the CA does not exist or is expired, or has an invalid cert
     */
    private byte[] createPKCS7(Admin admin, int caId, Certificate cert)
        throws CADoesntExistsException, SignRequestSignatureException {
        // NOTE(review): cert may be null (createPKCS7(Admin, int) passes null), yet it is handed
        // to CertTools.getIssuerDN here — confirm getIssuerDN tolerates null, or guard this line.
        debug(">createPKCS7("+caId+", "+CertTools.getIssuerDN((X509Certificate)cert)+")");
        byte[] returnval = null;
        // get CA
        CADataLocal cadata = null;
        try{
            cadata = cadatahome.findByPrimaryKey(new Integer(caId));
        }catch(javax.ejb.FinderException fe){
            // An unknown CA id is reported as a caller error, not as a system exception.
            throw new CADoesntExistsException(fe);
        }
        CA ca = null;
        try{
            ca = cadata.getCA();
        }catch(java.io.UnsupportedEncodingException uee){
            // A CA that cannot be decoded from the store is treated the same as a missing one.
            throw new CADoesntExistsException(uee);
        }
        // Check that CA hasn't expired.
        X509Certificate cacert = (X509Certificate) ca.getCACertificate();
        try{
            cacert.checkValidity();
        }catch(CertificateExpiredException e){
            // Signers Certificate has expired.