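            getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when trying to remove CA.",e);
            throw new EJBException(e);
        }
    } // removeCA

    /**
     * Renames the CA called {@code oldname} to {@code newname}.
     * Only a super administrator may rename a CA; both the denial and the
     * successful rename are written to the log under the CA's id.
     *
     * @param admin   administrator performing the operation, used for authorization and logging
     * @param oldname current name of the CA
     * @param newname name to assign; must not already belong to another CA
     * @throws CAExistsException            if a CA named {@code newname} already exists
     * @throws AuthorizationDeniedException if {@code admin} lacks the "/super_administrator" resource
     * @throws EJBException                 if no CA named {@code oldname} exists
     * @ejb.interface-method
     */
    public void renameCA(Admin admin, String oldname, String newname) throws CAExistsException, AuthorizationDeniedException{
        try{
            CADataLocal cadata = cadatahome.findByName(oldname);
            int caid = cadata.getCaId().intValue();

            // The CA id is only needed so the denial is logged against the right CA.
            try{
                getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator");
            }catch(AuthorizationDeniedException e){
                getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Administrator isn't authorized to rename CA",e);
                throw new AuthorizationDeniedException("Not authorized to rename CA with caid = " + caid);
            }

            // The new name must be free. EJB 2 finders report "not found" with a
            // FinderException, so the rename itself lives in the catch branch.
            try{
                CADataLocal cadatanew = cadatahome.findByName(newname);
                cadatanew.getCaId(); // touch the entity so the finder result is really resolved (presumed intent)
                throw new CAExistsException(" CA name " + newname + " already exists.");
            }catch(javax.ejb.FinderException fe) {
                cadata.setName(newname);
                getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_INFO_CAEDITED,"CA : " + oldname + " renamed to " + newname);
            }
        }catch(javax.ejb.FinderException fe) {
            // oldname does not exist. Pass the exception to the log entry, as the other error paths do.
            getLogSession().log(admin, admin.getCaId(), LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when trying to rename CA.",fe);
            throw new EJBException(fe);
        }
    } // renameCA

    /**
     * Looks up a CA by name and returns its {@link CAInfo}. Before building the
     * info the stored status is refreshed: an active CA past its expire time
     * becomes CA_EXPIRED, and a CA whose hardware token reports
     * {@code STATUS_OFFLINE} becomes CA_OFFLINE.
     *
     * @param admin administrator used for the per-CA authorization check
     * @param name  name of the CA
     * @return the CA's info, or {@code null} if no CA has that name
     * @throws EJBException wrapping any other exception raised inside, including
     *                      whatever {@code authorizedToCA} throws on denial
     * @ejb.transaction type="Supports"
     * @ejb.interface-method
     */
    public CAInfo getCAInfo(Admin admin, String name) {
        CAInfo cainfo = null;
        try{
            CADataLocal cadata = cadatahome.findByName(name);
            // Authorize before any status update, so an unauthorized caller cannot
            // cause a write to the entity (the int overload already checks first).
            authorizedToCA(admin,cadata.getCaId().intValue());
            markExpiredIfDue(cadata);
            CATokenInfo catokeninfo = cadata.getCA().getCAToken().getCATokenInfo();
            if(catokeninfo instanceof HardCATokenInfo && ((HardCATokenInfo) catokeninfo).getCATokenStatus() == IHardCAToken.STATUS_OFFLINE){
                cadata.setStatus(SecConst.CA_OFFLINE);
            }
            // getCA() is called again after the status updates so the returned info
            // reflects them (assumes getCA() rebuilds from the entity's columns — TODO confirm).
            cainfo = cadata.getCA().getCAInfo();
        }catch(javax.ejb.FinderException fe) {
            // Unknown name is deliberately reported as a null result.
        }catch(Exception e){
            throw new EJBException(e);
        }
        return cainfo;
    } // getCAInfo

    /**
     * Looks up a CA by id and returns its {@link CAInfo}, refreshing the stored
     * status the same way as {@link #getCAInfo(Admin, String)}.
     *
     * @param admin administrator used for the per-CA authorization check
     * @param caid  id of the CA
     * @return the CA's info, or {@code null} if no CA has that id
     * @throws EJBException wrapping any other exception raised inside, including
     *                      whatever {@code authorizedToCA} throws on denial
     * @ejb.transaction type="Supports"
     * @ejb.interface-method
     */
    public CAInfo getCAInfo(Admin admin, int caid){
        CAInfo cainfo = null;
        try{
            authorizedToCA(admin,caid);
            CADataLocal cadata = cadatahome.findByPrimaryKey(new Integer(caid));
            markExpiredIfDue(cadata);
            CATokenInfo catokeninfo = cadata.getCA().getCAToken().getCATokenInfo();
            if(catokeninfo instanceof HardCATokenInfo && ((HardCATokenInfo) catokeninfo).getCATokenStatus() == IHardCAToken.STATUS_OFFLINE){
                cadata.setStatus(SecConst.CA_OFFLINE);
            }
            // Re-read after the status updates so the returned info reflects them
            // (assumes getCA() rebuilds from the entity's columns — TODO confirm).
            cainfo = cadata.getCA().getCAInfo();
        }catch(javax.ejb.FinderException fe) {
            // Unknown id is deliberately reported as a null result.
        }catch(Exception e){
            throw new EJBException(e);
        }
        return cainfo;
    } // getCAInfo

    /**
     * Flips a CA that is still stored as active to CA_EXPIRED once its expire
     * time has passed. Shared by both getCAInfo overloads so the refresh is identical.
     *
     * @param cadata the CA entity to update in place
     */
    private void markExpiredIfDue(CADataLocal cadata){
        if(cadata.getStatus() == SecConst.CA_ACTIVE && new Date(cadata.getExpireTime()).before(new Date())){
            cadata.setStatus(SecConst.CA_EXPIRED);
        }
    }

    /**
     * Maps every CA id in the database to its name.
     *
     * @param admin administrator; not used, no authorization check is performed here
     * @return HashMap of CA id (Integer) to CA name (String); empty if the lookup fails
     * @ejb.transaction type="Supports"
     * @ejb.interface-method
     */
    public HashMap getCAIdToNameMap(Admin admin){
        HashMap idToName = new HashMap();
        try{
            Iterator iter = cadatahome.findAll().iterator();
            while(iter.hasNext()){
                CADataLocal cadata = (CADataLocal) iter.next();
                idToName.put(cadata.getCaId(), cadata.getName());
            }
        }catch(javax.ejb.FinderException fe){
            // Best effort: an empty map is the result when the lookup fails.
        }
        return idToName;
    } // getCAIdToNameMap

    /**
     *  Method returning id's of all CA's available to the system, i.e.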
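not have status "external" or "waiting for certificate response".
     *
     * @param admin administrator; not used, no authorization check is performed here
     * @return a Collection (Integer) of available CA id's; empty if the lookup fails
     * @ejb.transaction type="Supports"
     * @ejb.interface-method
     */
    public Collection getAvailableCAs(Admin admin){
        ArrayList available = new ArrayList();
        try{
            Iterator iter = cadatahome.findAll().iterator();
            while(iter.hasNext()){
                CADataLocal cadata = (CADataLocal) iter.next();
                if(cadata.getStatus() != SecConst.CA_WAITING_CERTIFICATE_RESPONSE && cadata.getStatus() != SecConst.CA_EXTERNAL){
                    available.add(cadata.getCaId());
                }
            }
        }catch(javax.ejb.FinderException fe){
            // Best effort: an empty collection is the result when the lookup fails.
        }
        return available;
    } // getAvailableCAs

    /**
     * Creates a PKCS#10 certificate request for a CA that is signed by an external CA.
     * Only a super administrator may call this. The request is signed with the CA's
     * own certificate-signing key, and {@code cachain} is stored on the CA as the
     * request certificate chain.
     *
     * @param admin              administrator performing the operation
     * @param caid               id of the CA to create the request for
     * @param cachain            certificate chain of the external issuer, validated by {@code createCertChain}
     * @param setstatustowaiting if true the CA status becomes CA_WAITING_CERTIFICATE_RESPONSE
     * @return the generated request message
     * @throws AuthorizationDeniedException if {@code admin} lacks the "/super_administrator" resource
     * @throws CATokenOfflineException      if the CA token is offline; the CA is then marked CA_OFFLINE
     * @throws CertPathValidatorException   if {@code cachain} does not validate
     * @throws CADoesntExistsException      declared for callers, but a missing CA currently surfaces as
     *                                      an EJBException from the generic catch below
     * @throws EJBException                 for a CA that is not signed by an external CA, or any other failure
     * @ejb.interface-method
     */
    public IRequestMessage makeRequest(Admin admin, int caid, Collection cachain, boolean setstatustowaiting) throws CADoesntExistsException, AuthorizationDeniedException, CertPathValidatorException, CATokenOfflineException{
        PKCS10RequestMessage request = null;

        // Authorize before touching any CA data.
        try{
            getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator");
        }catch(AuthorizationDeniedException e){
            getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Not authorized to make certificate request for CA",e);
            throw new AuthorizationDeniedException("Not authorized to make certificate request for CA with caid = " + caid);
        }

        try{
            CADataLocal cadata = this.cadatahome.findByPrimaryKey(new Integer(caid));
            CA ca = cadata.getCA();
            try{
                if(ca.getSignedBy() != CAInfo.SIGNEDBYEXTERNALCA){
                    // A request only makes sense for a CA whose certificate comes from outside the system.
                    getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error: cannot create certificate request for internal CA");
                    throw new EJBException(new EjbcaException("Error: cannot create certificate request for internal CA"));
                }
                ca.setRequestCertificateChain(createCertChain(cachain));

                // TODO implement PKCS10 Certificate Request attributes; none are needed today.
                ASN1Set attributes = null;
                // NOTE(review): the signature algorithm is hard-coded to SHA1WithRSA regardless of the
                // CA's configured algorithm or key type; consider deriving it from the CA token.
                ExtendedPKCS10CertificationRequest req = new ExtendedPKCS10CertificationRequest("SHA1WithRSA",
                        CertTools.stringToBcX509Name(ca.getSubjectDN()),
                        ca.getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN),
                        attributes,
                        ca.getCAToken().getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN));
                request = new PKCS10RequestMessage(req);

                if(setstatustowaiting){
                    cadata.setStatus(SecConst.CA_WAITING_CERTIFICATE_RESPONSE);
                    ca.setStatus(SecConst.CA_WAITING_CERTIFICATE_RESPONSE);
                }
                cadata.setCA(ca);
            }catch(CATokenOfflineException e) {
                // The ca object is only written back through cadata.setCA(ca), which this
                // path skips, so record the offline status on the entity too (as getCAInfo does).
                ca.setStatus(SecConst.CA_OFFLINE);
                cadata.setStatus(SecConst.CA_OFFLINE);
                getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when creating certificate request",e);
                throw e;
            }
        }catch(CATokenOfflineException e) {
            throw e; // already logged above; keep it out of the generic wrapping below
        }catch(CertPathValidatorException e) {
            getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when creating certificate request",e);
            throw e;
        }catch(Exception e){
            getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error when creating certificate request",e);
            throw new EJBException(e);
        }

        getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_INFO_CAEDITED,"Certificate request generated successfully.");
        return request;
    } // makeRequest

    /**
     * @ejb.interface-method
     */
    public void receiveResponse(Admin admin, int caid, IResponseMessage responsemessage) throws CADoesntExistsException, AuthorizationDeniedException,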
CertPathValidatorException, CATokenOfflineException{    	// check authorization    	Certificate cacert = null;    	// Check authorization    	try{    		getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator");    	}catch(AuthorizationDeniedException e){    		getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Not authorized to recieve certificate responce for CA",e);    		throw new AuthorizationDeniedException("Not authorized to recieve certificate responce for CA with caid = " + caid);    	}    	// Get CA info.    	CADataLocal cadata = null;    	try{    		cadata = this.cadatahome.findByPrimaryKey(new Integer(caid));    		CA ca = cadata.getCA();    		try{    			if(responsemessage instanceof X509ResponseMessage){    				cacert = ((X509ResponseMessage) responsemessage).getCertificate();    			}else{    				getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util. Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error: illegal response message.");    				throw new EJBException(new EjbcaException("Error: illegal response message."));    			}    			// if issuer is insystem CA or selfsigned, then generate new certificate.    			if(ca.getSignedBy() == CAInfo.SIGNEDBYEXTERNALCA){    				// check the validity of the certificate chain.    				// Check that DN is the equals the request.    				
if(!CertTools.getSubjectDN((X509Certificate) cacert).equals(CertTools.stringToBCDNString(ca.getSubjectDN()))){    					getLogSession().log(admin, caid, LogEntry.MODULE_CA,  new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CAEDITED,"Error: Subject DN of recieved certificate doesn't match request");    					throw new EJBException(new EjbcaException("Error: Subject DN of recieved certificate doesn't match request"));    				}    				ArrayList cachain = new ArrayList();    				cachain.add(cacert);    				cachain.addAll(ca.getRequestCertificateChain());    				ca.setCertificateChain(createCertChain(cachain));    				// Set statuses.    				cadata.setStatus(SecConst.CA_ACTIVE);    				// Publish CA Cert    				int certtype = CertificateDataBean.CERTTYPE_SUBCA;    		           if(ca.getSignedBy() == CAInfo.SELFSIGNED)    		          	  certtype = CertificateDataBean.CERTTYPE_ROOTCA;    		        ArrayList cacertcol = new ArrayList();    		        cacertcol.add(cacert);    				getSignSession().publishCACertificate(admin, cacertcol, ca.getCRLPublishers(), certtype);    				if(ca instanceof X509CA){    					cadata.setExpireTime(((X509Certificate) cacert).getNotAfter().getTime());    				}    				if(cadata.getStatus() ==SecConst.CA_ACTIVE){    					// activate External CA Services    					Iterator iter = ca.getExternalCAServiceTypes().iterator();    					while(iter.hasNext()){    						int type = ((Integer) iter.next()).intValue();    						try{
