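if (reqexts != null) {
    // Echo the request nonce back in the response extensions (binds response to request).
    X509Extension ext = (X509Extension)reqexts.getExtension(id_pkix_ocsp_nonce);
    if (null != ext) {
        //m_log.debug("Found extension Nonce");
        Hashtable table = new Hashtable();
        table.put(id_pkix_ocsp_nonce, ext);
        X509Extensions exts = new X509Extensions(table);
        res.setResponseExtensions(exts);
    }
    // AcceptableResponses: the client lists the response types it understands; we only produce id-pkix-ocsp-basic.
    ext = (X509Extension)reqexts.getExtension(id_pkix_ocsp_response);
    if (null != ext) {
        //m_log.debug("Found extension AcceptableResponses");
        ASN1OctetString oct = ext.getValue();
        try {
            ASN1Sequence seq = ASN1Sequence.getInstance((ASN1Sequence) new DERInputStream(
                    new ByteArrayInputStream(oct.getOctets())).readObject());
            Enumeration enum = seq.getObjects();
            boolean supportsResponseType = false;
            while (enum.hasMoreElements()) {
                DERObjectIdentifier oid = (DERObjectIdentifier)enum.nextElement();
                //m_log.debug("Found oid: "+oid.getId());
                if (oid.equals(id_pkix_ocsp_basic)) {
                    // This is the response type we support, so we are happy! Break the loop.
                    supportsResponseType = true;
                    m_log.debug("Response type supported: "+oid.getId());
                    continue;
                }
            }
            if (!supportsResponseType) {
                throw new NotSupportedException("Required response type not supported, this responder only supports id-pkix-ocsp-basic.");
            }
        } catch (IOException e) {
            // NOTE(review): a malformed AcceptableResponses extension is silently ignored here;
            // the request is then answered as if the extension were absent. Logging it would help forensics.
        }
    }
}
return res;
}

/**
 * Obtains the signed basic OCSP response for the issuer identified by {@code cacert}.
 * <p>
 * The signing itself is performed by the CA's OCSP extended service, which holds the
 * OCSP signing key; this method only derives the CA id and forwards the generator.
 *
 * @param basicRes generator holding the single responses that are to be signed
 * @param cacert   CA certificate whose subject DN identifies the issuing CA
 * @return the signed {@link BasicOCSPResp} produced by the OCSP CA service
 * @throws CADoesntExistsException                propagated from the sign session's extended service call
 * @throws ExtendedCAServiceRequestException      propagated from the sign session's extended service call
 * @throws ExtendedCAServiceNotActiveException    propagated from the sign session's extended service call
 * @throws IllegalExtendedCAServiceRequestException propagated from the sign session's extended service call
 */
protected BasicOCSPResp signOCSPResponse(BasicOCSPRespGenerator basicRes, X509Certificate cacert)
        throws CADoesntExistsException, ExtendedCAServiceRequestException,
               ExtendedCAServiceNotActiveException, IllegalExtendedCAServiceRequestException {
    // The CA id is the hash code of the BouncyCastle-normalized issuer subject DN.
    String issuerdn = CertTools.stringToBCDNString(cacert.getSubjectDN().toString());
    int caid = issuerdn.hashCode();
    // Call extended CA services to get our OCSP stuff. The request carries the signature
    // algorithm, whether to sign with the CA signing certificate itself, and whether the
    // certificate chain should be included in the response.
    OCSPCAServiceResponse caserviceresp = (OCSPCAServiceResponse) m_signsession.extendedService(m_adm, caid,
            new OCSPCAServiceRequest(basicRes, m_sigAlg, m_useCASigningCert, m_includeChain));
    // The returned service response carries the signed response and the signing certificate chain.
    Collection coll = caserviceresp.getOCSPSigningCertificateChain();
    m_log.debug("Cert chain for OCSP signing is of size "+coll.size());
    return caserviceresp.getBasicOCSPResp();
}

/**
 * Looks up the EJB session beans this responder depends on and reads the servlet
 * init parameters that control OCSP signing.
 * <p>
 * Required parameters are {@code SignatureAlgorithm} and {@code defaultResponderID};
 * the optional flags {@code enforceRequestSigning} (default true), {@code useCASigningCert}
 * (default false) and {@code includeCertChain} (default true) are parsed by
 * {@link #parseBooleanInitParam(String, String, boolean)}.
 *
 * @param config servlet configuration supplying the init parameters
 * @throws ServletException if a required parameter is missing or any lookup fails;
 *                          the original failure is kept as the cause
 */
public void init(ServletConfig config) throws ServletException {
    super.init(config);
    try {
        InitialContext ctx = new InitialContext();
        ICertificateStoreSessionLocalHome castorehome = (ICertificateStoreSessionLocalHome) ctx.lookup("java:comp/env/ejb/CertificateStoreSessionLocal");
        m_certStore = castorehome.create();
        ICAAdminSessionLocalHome caadminsessionhome = (ICAAdminSessionLocalHome) ctx.lookup("java:comp/env/ejb/CAAdminSessionLocal");
        m_caadminsession = caadminsessionhome.create();
        // All EJB calls made by this servlet run as the internal user, not as the HTTP caller.
        m_adm = new Admin(Admin.TYPE_INTERNALUSER);
        ISignSessionLocalHome signhome = (ISignSessionLocalHome) ctx.lookup("java:comp/env/ejb/SignSessionLocal");
        m_signsession = signhome.create();

        // Parameters for OCSP signing (private) key
        m_sigAlg = config.getInitParameter("SignatureAlgorithm");
        if (StringUtils.isEmpty(m_sigAlg)) {
            m_log.error("Signature algorithm not defined in initialization parameters.");
            throw new ServletException("Missing signature algorithm in initialization parameters.");
        }
        m_defaultResponderId = config.getInitParameter("defaultResponderID");
        if (StringUtils.isEmpty(m_defaultResponderId)) {
            m_log.error("Default responder id not defined in initialization parameters.");
            throw new ServletException("Missing default responder id in initialization parameters.");
        }
        // Request signing stays enforced unless the deployer explicitly switches it off.
        m_reqMustBeSigned = parseBooleanInitParam("Enforce request signing : ",
                config.getInitParameter("enforceRequestSigning"), true);
        m_useCASigningCert = parseBooleanInitParam("Use CA signing cert : ",
                config.getInitParameter("useCASigningCert"), false);
        m_includeChain = parseBooleanInitParam("Include certificate chain: ",
                config.getInitParameter("includeCertChain"), true);
    } catch(Exception e) {
        // Also re-wraps the ServletExceptions thrown above; their message survives as the cause.
        m_log.error("Unable to initialize OCSPServlet.", e);
        throw new ServletException(e);
    }
}

/**
 * Interprets a boolean-valued init parameter, logging the raw value at debug level.
 * <p>
 * An empty value keeps {@code defaultValue}. A {@code true} default is only cleared by
 * "false" or "no"; a {@code false} default is only set by "true" or "yes" (case-insensitive).
 * Any other non-empty text leaves the default unchanged.
 *
 * @param label        prefix for the debug log line (kept verbatim, including its spacing)
 * @param value        raw init parameter value, possibly null or empty
 * @param defaultValue value to use when the parameter is absent or unrecognized
 * @return the effective flag value
 */
private boolean parseBooleanInitParam(String label, String value, boolean defaultValue) {
    if (m_log.isDebugEnabled()) {
        m_log.debug(label + "'" + (StringUtils.isEmpty(value) ? "<not set>" : value) + "'");
    }
    if (StringUtils.isEmpty(value)) {
        return defaultValue;
    }
    if (defaultValue) {
        return !(value.equalsIgnoreCase("false") || value.equalsIgnoreCase("no"));
    }
    return value.equalsIgnoreCase("true") || value.equalsIgnoreCase("yes");
}

/**
 * Accepts an OCSP request posted with content type {@code application/ocsp-request},
 * reads the raw DER body and hands it to {@link #service(HttpServletRequest, HttpServletResponse, byte[])}.
 * <p>
 * The body is read through the servlet's binary input stream, not a character reader:
 * an OCSP request is DER-encoded and charset decoding would corrupt bytes above 0x7F.
 *
 * @param request  incoming HTTP request
 * @param response HTTP response; receives 400 Bad Request when the content type is missing or wrong
 * @throws IOException      if reading the request body fails
 * @throws ServletException propagated from {@code service}
 */
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    m_log.debug(">doPost()");
    String contentType = request.getHeader("Content-Type");
    // A missing header must be rejected the same way as a wrong one, not produce a NullPointerException.
    if (contentType == null || !contentType.equalsIgnoreCase("application/ocsp-request")) {
        m_log.debug("Content type is not application/ocsp-request");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Content type is not application/ocsp-request");
        return;
    }
    // Get the request data as raw bytes.
    // This works for small requests, and OCSP requests are small.
    // NOTE(review): the body is buffered in memory without an upper bound; a size limit
    // would protect the responder against oversized posts.
    InputStream in = request.getInputStream();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    try {
        byte[] buf = new byte[1024];
        int n = in.read(buf);
        while (n != -1) {
            baos.write(buf, 0, n);
            n = in.read(buf);
        }
    } finally {
        in.close();
    }
    byte[] reqBytes = baos.toByteArray();
    // Do it...
    service(request, response, reqBytes);
    m_log.debug("<doPost()");
} //doPost

/**
 * Rejects GET requests with 405 Method Not Allowed; this responder only accepts OCSP
 * requests via POST.
 *
 * @param request  incoming HTTP request (unused)
 * @param response HTTP response that receives the error status
 * @throws IOException      if sending the error fails
 * @throws ServletException never thrown here; declared for the servlet contract
 */
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    m_log.debug(">doGet()");
    // We only support POST operation, so return an appropriate HTTP error code to caller.
    response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "OCSP only supports POST");
    m_log.debug("<doGet()");
} // doGet

public void service(HttpServletRequest request, HttpServletResponse response, byte[] reqBytes) throws IOException, ServletException {
    m_log.debug(">service()");
    if ( (reqBytes == null) || (reqBytes.length==0) ) {
        m_log.debug("No request bytes");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "No request bytes.");
        return;
    }
    try {
        OCSPResp ocspresp = null;
        BasicOCSPRespGenerator basicRes = null;
        OCSPRespGenerator res = new OCSPRespGenerator();
        X509Certificate cacert = null; // CA-certificate used to sign response
        try {
            OCSPReq req = new OCSPReq(reqBytes);
            //m_log.debug("OCSPReq: "+new String(Base64.encode(req.getEncoded())));
            loadCertificates();
            if (m_log.isDebugEnabled()) {
                StringBuffer certInfo = new StringBuffer();
                Iterator iter = m_cacerts.iterator();
                while (iter.hasNext()) {
                    X509Certificate cert = (X509Certificate)iter.next();
                    certInfo.append(cert.getSubjectDN().getName());
                    certInfo.append(',');
                    certInfo.append(cert.getSerialNumber().toString());
                    certInfo.append('\n');
                }
                m_log.debug("Found the following CA certificates : \n" + certInfo.toString());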