/************************************************************************* * * * EJBCA: The OpenSource Certificate Authority * * * * This software is free software; you can redistribute it and/or * * modify it under the terms of the GNU Lesser General Public * * License as published by the Free Software Foundation; either * * version 2.1 of the License, or any later version. * * * * See terms of license at gnu.org. * * * *************************************************************************/ package se.anatom.ejbca.webdist;import java.io.*;import javax.servlet.*;import javax.servlet.http.*;import java.util.Date;import java.util.Collection;import java.util.Iterator;import java.security.cert.*;import java.math.BigInteger;import javax.naming.InitialContext;import org.apache.log4j.Logger;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocal;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocalHome;import se.anatom.ejbca.ca.sign.ISignSessionLocal;import se.anatom.ejbca.ca.sign.ISignSessionLocalHome;import se.anatom.ejbca.ca.caadmin.CAInfo;import se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal;import se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocalHome;import se.anatom.ejbca.ca.caadmin.extendedcaservices.ExtendedCAServiceInfo;import se.anatom.ejbca.ca.caadmin.extendedcaservices.OCSPCAServiceInfo;import se.anatom.ejbca.ca.crl.RevokedCertInfo;import se.anatom.ejbca.util.CertTools;import se.anatom.ejbca.util.Base64;import se.anatom.ejbca.log.Admin;/** * Servlet used to distribute certificates and CRLs.<br> * * The servlet is called with method GET or POST and syntax * <code>command=<command></code>. * <p>The follwing commands are supported:<br> * <ul> * <li>crl - gets the latest CRL. * <li>lastcert - gets latest certificate of a user, takes argument 'subject=<subjectDN>'. * <li>listcerts - lists all certificates of a user, takes argument 'subject=<subjectDN>'. 
* <li>revoked - checks if a certificate is revoked, takes arguments 'subject=<subjectDN>&serno=<serial number>'.
 * <li>cacert - returns ca certificate in PEM-format, takes argument 'issuer=<issuerDN>&level=<ca-level, 0=root>'
 * <li>nscacert - returns ca certificate for Netscape/Mozilla, same args as above
 * <li>iecacert - returns ca certificate for Internet Explorer, same args as above
 * </ul>
 * cacert, nscacert and iecacert also take the optional parameter level=<int 1,2,...>, where the level is
 * which ca certificate in a hierarchy should be returned. 0=root (default), 1=sub to root etc.
 * <p>
 * The command is read from the request parameter named {@code cmd} (see {@code COMMAND_PROPERTY_NAME}).
 * Every request is executed as an {@code Admin} of type {@code TYPE_PUBLIC_WEB_USER} built from the
 * remote address; no caller authentication is performed in this servlet itself, so any access control
 * has to come from the session beans it calls.
 * <p>
 * NOTE(review): the "Check if certificate is revoked" link emitted by listcerts passes {@code issuer}
 * rather than {@code subject}; confirm which parameter the revoked handler actually expects and align
 * the list above with it.
 *
 * @version $Id: CertDistServlet.java,v 1.27 2004/05/23 13:00:12 anatom Exp $
 */
public class CertDistServlet extends HttpServlet {
    private static Logger log = Logger.getLogger(CertDistServlet.class);

    // Name of the request parameter that carries the command.
    private static final String COMMAND_PROPERTY_NAME = "cmd";

    // Supported command values (compared case-insensitively in doGet); see the class Javadoc.
    private static final String COMMAND_CRL = "crl";
    private static final String COMMAND_REVOKED = "revoked";
    private static final String COMMAND_CERT = "lastcert";
    private static final String COMMAND_LISTCERT = "listcerts";
    private static final String COMMAND_NSCACERT = "nscacert";
    private static final String COMMAND_IECACERT = "iecacert";
    private static final String COMMAND_CACERT = "cacert";
    // NOTE(review): the three OCSP certificate commands are not described in the class Javadoc;
    // confirm where they are handled and document them alongside the others.
    private static final String COMMAND_NSOCSPCERT = "nsocspcert";
    private static final String COMMAND_IEOCSPCERT = "ieocspcert";
    private static final String COMMAND_OCSPCERT = "ocspcert";

    // Names of the remaining request parameters.
    private static final String SUBJECT_PROPERTY = "subject";
    private static final String CAID_PROPERTY = "caid";
    private static final String ISSUER_PROPERTY = "issuer";
    private static final String SERNO_PROPERTY = "serno";
    private static final String LEVEL_PROPERTY = "level";
    // In the CRL branch, "moz=y" (case-insensitive) suppresses the Content-disposition attachment header.
    private static final String MOZILLA_PROPERTY = "moz";

    // EJB local home interfaces; populated by init() via JNDI and used by the command handlers.
    private ICertificateStoreSessionLocalHome storehome = null;
    private ISignSessionLocalHome signhome = null;
    private ICAAdminSessionLocalHome cahome = null;

    /**
     * Initializes the servlet by looking up the EJB local home interfaces
     * (certificate store, sign session and CA admin session) via JNDI.
     *
     * @param config servlet configuration
     *
     * @throws
ServletException if {@code super.init} throws, or if the JNDI lookup of any EJB local home
     *         interface fails (the original exception is wrapped as the cause)
     */
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        try {
            // Get EJB context and home interfaces
            InitialContext ctx = new InitialContext();
            storehome = (ICertificateStoreSessionLocalHome)ctx.lookup("java:comp/env/ejb/CertificateStoreSessionLocal");
            signhome = (ISignSessionLocalHome)ctx.lookup("java:comp/env/ejb/SignSessionLocal");
            cahome = (ICAAdminSessionLocalHome)ctx.lookup("java:comp/env/ejb/CAAdminSessionLocal");
        } catch( Exception e ) {
            // Any lookup failure aborts servlet initialization; the cause is kept for the container log.
            throw new ServletException(e);
        }
    }

    /**
     * Handles http post by delegating to {@link #doGet}; both methods accept the same parameters.
     *
     * @param req servlet request
     * @param res servlet response
     *
     * @throws IOException input/output error
     * @throws ServletException error
     */
    public void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
        log.debug(">doPost()");
        doGet(req, res);
        log.debug("<doPost()");
    } //doPost

    /**
     * Handles http get: dispatches on the {@code cmd} request parameter to one of the command
     * handlers (CRL download, latest certificate, certificate listing, CA certificate, ...).
     * The remote address is recorded in an {@code Admin} of type {@code TYPE_PUBLIC_WEB_USER}
     * and repeated in the log messages.
     * <p>
     * NOTE(review): the catch blocks of the CRL and certificate branches print the exception
     * stack trace into the response output stream, so internal class names and paths reach the
     * anonymous caller; log the trace server-side and send only a generic error instead.
     * The {@code caid} and {@code level} parameters are parsed with {@code Integer.parseInt}
     * without a guard, so a non-numeric value surfaces as an unhandled
     * {@code NumberFormatException} rather than a 400. The {@code listcerts} branch writes the
     * requested subject DN and the certificate DN fields into the HTML page without escaping.
     *
     * @param req servlet request
     * @param res servlet response
     *
     * @throws IOException input/output error
     * @throws ServletException error
     */
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws java.io.IOException, ServletException {
        log.debug(">doGet()");
        String command;
        // Keep this for logging.
String remoteAddr = req.getRemoteAddr(); Admin administrator = new Admin(Admin.TYPE_PUBLIC_WEB_USER, remoteAddr); String issuerdn = null; if(req.getParameter(ISSUER_PROPERTY) != null){ issuerdn = java.net.URLDecoder.decode(req.getParameter(ISSUER_PROPERTY),"UTF-8"); } int caid = 0; if(req.getParameter(CAID_PROPERTY) != null){ caid = Integer.parseInt(req.getParameter(CAID_PROPERTY)); } command = req.getParameter(COMMAND_PROPERTY_NAME); if (command == null) command = ""; if (command.equalsIgnoreCase(COMMAND_CRL) && issuerdn != null) { try { ICertificateStoreSessionLocal store = storehome.create(); byte[] crl = store.getLastCRL(administrator, issuerdn); X509CRL x509crl = CertTools.getCRLfromByteArray(crl); String dn = CertTools.getIssuerDN(x509crl); String moz = req.getParameter(MOZILLA_PROPERTY); if ((moz == null) || !moz.equalsIgnoreCase("y")) { String filename = CertTools.getPartFromDN(dn,"CN")+".crl"; res.setHeader("Content-disposition", "attachment; filename=" + filename); } res.setContentType("application/x-x509-crl"); res.setContentLength(crl.length); res.getOutputStream().write(crl); log.debug("Sent latest CRL to client at " + remoteAddr); } catch (Exception e) { PrintStream ps = new PrintStream(res.getOutputStream()); res.sendError(HttpServletResponse.SC_NOT_FOUND, "Error getting latest CRL."); e.printStackTrace(ps); log.debug("Error sending latest CRL to " + remoteAddr); log.debug(e); return; } } else if (command.equalsIgnoreCase(COMMAND_CERT) || command.equalsIgnoreCase(COMMAND_LISTCERT)) { String dn = req.getParameter(SUBJECT_PROPERTY); if (dn == null) { res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Usage command=lastcert/listcert?subject=<subjectdn>."); log.debug("Bad request, no 'subject' arg to 'lastcert' or 'listcert' command."); return; } try { log.debug("Looking for certificates for '"+dn+"'."); ICertificateStoreSessionLocal store = storehome.create(); Collection certcoll = store.findCertificatesBySubject(administrator, dn); Object[] certs = 
certcoll.toArray(); int latestcertno = -1; if (command.equalsIgnoreCase(COMMAND_CERT)) { long maxdate = 0; for (int i=0;i<certs.length;i++) { if (i == 0) { maxdate = ((X509Certificate)certs[i]).getNotBefore().getTime(); latestcertno = 0; } else if ( ((X509Certificate)certs[i]).getNotBefore().getTime() > maxdate ) { maxdate = ((X509Certificate)certs[i]).getNotBefore().getTime(); latestcertno = i; } } if (latestcertno > -1) { byte[] cert = ((X509Certificate)certs[latestcertno]).getEncoded(); String filename = CertTools.getPartFromDN(dn,"CN")+".cer"; res.setHeader("Content-disposition", "attachment; filename=" + filename); res.setContentType("application/octet-stream"); res.setContentLength(cert.length); res.getOutputStream().write(cert); log.debug("Sent latest certificate for '"+dn+"' to client at " + remoteAddr); } else { res.sendError(HttpServletResponse.SC_NOT_FOUND, "No certificate found for requested subject '"+dn+"'."); log.debug("No certificate found for '"+dn+"'."); } } if (command.equalsIgnoreCase(COMMAND_LISTCERT)) { res.setContentType("text/html"); PrintWriter pout = new PrintWriter(res.getOutputStream()); printHtmlHeader("Certificates for "+dn, pout); for (int i=0;i<certs.length;i++) { Date notBefore = ((X509Certificate)certs[i]).getNotBefore(); Date notAfter = ((X509Certificate)certs[i]).getNotAfter(); String subject = CertTools.getSubjectDN((X509Certificate)certs[i]); String issuer = CertTools.getIssuerDN((X509Certificate)certs[i]); BigInteger serno = ((X509Certificate)certs[i]).getSerialNumber(); pout.println("<pre>Subject:"+subject); pout.println("Issuer:"+issuer); pout.println("NotBefore:"+notBefore.toString()); pout.println("NotAfter:"+notAfter.toString()); pout.println("Serial number:"+serno.toString()); pout.println("</pre>"); pout.println("<a href=\"certdist?cmd=revoked&issuer="+issuer+"&serno="+serno.toString()+"\">Check if certificate is revoked</a>"); pout.println("<hr>"); } if (certs.length == 0) { pout.println("No certificates exists for 
'"+dn+"'."); } printHtmlFooter(pout); pout.close(); } } catch (Exception e) { PrintStream ps = new PrintStream(res.getOutputStream()); e.printStackTrace(ps); res.sendError(HttpServletResponse.SC_NOT_FOUND, "Error getting certificates."); log.debug("Error getting certificates for '"+dn+"' for "+remoteAddr); log.debug(e); return; } } else if ((command.equalsIgnoreCase(COMMAND_NSCACERT) || command.equalsIgnoreCase(COMMAND_IECACERT) || command.equalsIgnoreCase(COMMAND_CACERT)) && ( issuerdn != null || caid != 0)) { String lev = req.getParameter(LEVEL_PROPERTY); int level = 0; boolean pkcs7 = false; if (lev != null) level = Integer.parseInt(lev);