rsasignsessionbean.java

一套JAVA的CA证书签发系统.

           cadata.setStatus(SecConst.CA_EXPIRED);         
           throw new CADoesntExistsException("Signing CA " + cadata.getSubjectDN() + " has expired");   
         } catch (CertificateNotYetValidException cve) {
			throw new CADoesntExistsException(cve);
		 }           
        
         returnval = ca.createPKCS7(cert);
         debug("<createPKCS7()");
         return returnval;
    } // createPKCS7

    /**
     * Implements ISignSession::createCertificate
     */
    public Certificate createCertificate(Admin admin, String username, String password, PublicKey pk) throws ObjectNotFoundException, AuthStatusException, AuthLoginException, IllegalKeyException, CADoesntExistsException {
        debug(">createCertificate(pk)");
        // Default key usage is defined in certificate profiles
        debug("<createCertificate(pk)");
        return createCertificate(admin, username, password, pk, -1);
    } // createCertificate

    /**
     * Implements ISignSession::createCertificate
     */
    public Certificate createCertificate(Admin admin, String username, String password, PublicKey pk, boolean[] keyusage) throws ObjectNotFoundException, AuthStatusException, AuthLoginException, IllegalKeyException, CADoesntExistsException {
        return createCertificate(admin, username, password, pk, sunKeyUsageToBC(keyusage));                    
    }

    /**
     * Implements ISignSession::createCertificate
     */
    public Certificate createCertificate(Admin admin, String username, String password, PublicKey pk, int keyusage) throws ObjectNotFoundException, AuthStatusException, AuthLoginException, IllegalKeyException, CADoesntExistsException {
        return createCertificate(admin, username, password, pk, keyusage, SecConst.PROFILE_NO_PROFILE);                    
    }

    
    /**
     * Implements ISignSession::createCertificate
     */
    public Certificate createCertificate(Admin admin, String username, String password, PublicKey pk, int keyusage, int certificateprofileid) throws ObjectNotFoundException, AuthStatusException, AuthLoginException, IllegalKeyException, CADoesntExistsException {
        debug(">createCertificate(pk, ku)");        
        try {
            // Authorize user and get DN
            UserAuthData data = authUser(admin, username, password);
            debug("Authorized user " + username + " with DN='" + data.getDN()+"'." + " with CA=" + data.getCAId());
            if(certificateprofileid != SecConst.PROFILE_NO_PROFILE){
            	debug("Overriding user certificate profile with :" + certificateprofileid);
            	data.setCertProfileId(certificateprofileid);
            }
            
            
            debug("type="+ data.getType());
            // get CA
            CADataLocal cadata = null; 
            try{
              cadata = cadatahome.findByPrimaryKey(new Integer(data.getCAId()));
            }catch(javax.ejb.FinderException fe){
              getLogSession().log(admin, data.getCAId(), LogEntry.MODULE_CA, new java.util.Date(),data.getUsername(), null, LogEntry.EVENT_ERROR_CREATECERTIFICATE,"Invalid CA Id",fe);  
              throw new CADoesntExistsException();                   
            }
            CA ca = null;
            try{
              ca = cadata.getCA();
            }catch(java.io.UnsupportedEncodingException uee){
               throw new EJBException(uee);   
            }
            // Check that CA hasn't expired.
            X509Certificate cacert = (X509Certificate) ca.getCACertificate();         
            
            if(ca.getStatus() != SecConst.CA_ACTIVE){
		      getLogSession().log(admin, data.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECERTIFICATE,"Signing CA " + cadata.getSubjectDN() + " isn't active.");
			  throw new EJBException("Signing CA " + cadata.getSubjectDN() + " isn't active.");             
            }
                     
            try{
                cacert.checkValidity();                   
            }catch(CertificateExpiredException cee){
                 // Signers Certificate has expired.   
                cadata.setStatus(SecConst.CA_EXPIRED);  
                getLogSession().log(admin, data.getCAId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECERTIFICATE,"Signing CA " + cadata.getSubjectDN() + " has expired",cee);
                throw new EJBException("Signing CA " + cadata.getSubjectDN() + " has expired");   
            } catch (CertificateNotYetValidException cve) {
				throw new EJBException(cve);
			}                
            

            // Now finally after all these checks, get the certificate
            Certificate cert = createCertificate(admin, data, ca, pk, keyusage);
            // Call authentication session and tell that we are finished with this user
            if (ca.getFinishUser() == true) {
                finishUser(admin, username, password);
            }
            debug("<createCertificate(pk, ku)");
            return cert;
        } catch (ObjectNotFoundException oe) {
            throw oe;
        } catch (AuthStatusException se) {
            throw se;
        } catch (AuthLoginException le) {
            throw le;
        } catch (IllegalKeyException ke) {
            throw ke;
        } 
    } // createCertificate

    /**
     * Implements ISignSession::createCertificate
     */
    public Certificate createCertificate(Admin admin, String username, String password, int certType, PublicKey pk) throws ObjectNotFoundException, AuthStatusException, AuthLoginException, IllegalKeyException, CADoesntExistsException {
        debug(">createCertificate(pk, certType)");
        // Create an array for KeyUsage acoording to X509Certificate.getKeyUsage()
        boolean[] keyusage = new boolean[9];
        Arrays.fill(keyusage, false);
        switch (certType) {
            case CertificateData.CERT_TYPE_ENCRYPTION:
                // keyEncipherment
                keyusage[2] = true;
                // dataEncipherment
                keyusage[3] = true;
                break;
            case CertificateData.CERT_TYPE_SIGNATURE:
                // digitalSignature
                keyusage[0] = true;
                // non-repudiation
                keyusage[1] = true;
                break;
            default:
                // digitalSignature
                keyusage[0] = true;
                // keyEncipherment
                keyusage[2] = true;
                break;
        }

        Certificate ret = createCertificate(admin, username, password, pk, keyusage);
        debug("<createCertificate(pk, certType)");
        return ret;
    } // createCertificate

    /**
     * Implements ISignSession::createCertificate
     */
    public Certificate createCertificate(Admin admin, String username, String password, Certificate incert) throws ObjectNotFoundException, AuthStatusException, AuthLoginException, IllegalKeyException, SignRequestSignatureException, CADoesntExistsException {
        debug(">createCertificate(cert)");
        X509Certificate cert = (X509Certificate)incert;
        try {
            cert.verify(cert.getPublicKey());
        }catch (Exception e) {                       
           throw new SignRequestSignatureException("Verification of signature (popo) on certificate failed.");
        }
        Certificate ret = createCertificate(admin, username, password, cert.getPublicKey(), cert.getKeyUsage());
        debug("<createCertificate(cert)");
        return ret;
    } // createCertificate

    /**
     * Implements ISignSession::createCertificate
     */
    public IResponseMessage createCertificate(Admin admin, IRequestMessage req, Class responseClass) throws ObjectNotFoundException, AuthStatusException, AuthLoginException, IllegalKeyException, CADoesntExistsException, SignRequestException, SignRequestSignatureException{
        return createCertificate(admin, req, -1, responseClass);
    }

    /**
     * Implements ISignSession::createCertificate
     *
     * @param admin Information about the administrator or admin preforming the event.
     * @param req a Certification Request message, containing the public key to be put in the
     *        created certificate. Currently no additional parameters in requests are considered!
     * @param keyUsage integer with bit mask describing desired keys usage. Bit mask is packed in
     *        in integer using contants from CertificateData. ex. int keyusage =
     *        CertificateData.digitalSignature | CertificateData.nonRepudiation; gives
     *        digitalSignature and nonRepudiation. ex. int keyusage = CertificateData.keyCertSign
     *        | CertificateData.cRLSign; gives keyCertSign and cRLSign. Keyusage < 0 means that default 
     *        keyUsage should be used.
     * @param responseClass the implementation class of the desired response 
     *
     * @return The newly created certificate or null.
     *
     * @throws ObjectNotFoundException if the user does not exist.
     * @throws AuthStatusException If the users status is incorrect.
     * @throws AuthLoginException If the password is incorrect.
     * @throws IllegalKeyException if the public key is of wrong type.
     * @throws CADoesntExistsException if the targeted CA does not exist
     * @throws SignRequestException if the provided request is invalid.
     * @throws SignRequestSignatureException if the provided client certificate was not signed by
     *         the CA.
     */
    public IResponseMessage createCertificate(Admin admin, IRequestMessage req, int keyUsage, Class responseClass) throws ObjectNotFoundException, AuthStatusException, AuthLoginException, IllegalKeyException, CADoesntExistsException, SignRequestException, SignRequestSignatureException {
        debug(">createCertificate(IRequestMessage)");
        IResponseMessage ret = null;

        // Get CA that will receive request
        CADataLocal cadata = null; 
        UserAuthData data = null;
        try{
            // See if we can get issuerDN directly from request
            if (req.getIssuerDN() != null) {
                cadata = cadatahome.findByPrimaryKey(new Integer(req.getIssuerDN().hashCode()));
                debug("Using CA (from issuerDN) with id: "+cadata.getCAId()+" and DN: "+cadata.getSubjectDN());
            } else if (req.getUsername() != null ){
                // See if we can get username and password directly from request
                String username = req.getUsername();
                String password = req.getPassword();
                data = authUser(admin, username, password);
                cadata = cadatahome.findByPrimaryKey(new Integer(data.getCAId()));
                debug("Using CA (from username) with id: "+cadata.getCAId()+" and DN: "+cadata.getSubjectDN());
            } else {
                throw new CADoesntExistsException();
            }
        }catch(javax.ejb.FinderException fe) {
            error("Can not find CA Id from issuerDN: "+req.getIssuerDN() + " or username: "+req.getUsername());
            getLogSession().log(admin, -1, LogEntry.MODULE_CA, new java.util.Date(),req.getUsername(), null, LogEntry.EVENT_ERROR_CREATECERTIFICATE,"Invalid CA Id",fe);  
            throw new CADoesntExistsException(fe);                   
        }
        try {
            CA ca = cadata.getCA();
            CAToken catoken = ca.getCAToken();
            
			if(ca.getStatus() != SecConst.CA_ACTIVE){
			  getLogSession().log(admin, cadata.getCAId().intValue(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECERTIFICATE,"Signing CA " + cadata.getSubjectDN() + " isn't active.");
			  throw new EJBException("Signing CA " + cadata.getSubjectDN() + " isn't active.");             
			}
			
            // Check that CA hasn't expired.
            X509Certificate cacert = (X509Certificate) ca.getCACertificate();                  
            try{	
                cacert.checkValidity();                   
            }catch(CertificateExpiredException cee){
                 // Signers Certificate has expired.   
                cadata.setStatus(SecConst.CA_EXPIRED);  
                getLogSession().log(admin, cadata.getCAId().intValue(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECERTIFICATE,"Signing CA " + cadata.getSubjectDN() + " has expired",cee);
                throw new CADoesntExistsException("Signing CA " + cadata.getSubjectDN() + " has expired");   
            } catch (CertificateNotYetValidException cve) {
				throw new CADoesntExistsException(cve); 
			}                

             
            if (req.requireKeyInfo()) {
                // You go figure...scep encrypts message with the public CA-cert
                req.setKeyInfo((X509Certificate)ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN));
            }
            // Create the response message and set all required fields
            try {
                ret = (IResponseMessage) responseClass.newInstance();
            } catch (InstantiationException e) {
                //TODO : do something with these exceptions
                log.error("Error creating response message",e);
                return null;
            } catch (IllegalAccessException e) {
                log.error("Error creating response message",e);
                return null;
            }
            if (ret.requireSignKeyInfo()) {
                ret.setSignKeyInfo((X509Certificate)ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN));
            }