x509ca.java

JAVA做的J2EE下CA认证系统 基于EJB开发

            gen.addCertificatesAndCRLs(certs);
            CMSSignedData s = gen.generate(msg, true, getCAToken().getProvider());
            return s.getEncoded();
        } catch (CATokenOfflineException e) {
        	this.setStatus(SecConst.CA_OFFLINE);
        	throw new javax.ejb.EJBException(e);        	
        } catch (Exception e) {
            throw new javax.ejb.EJBException(e);
        }   
    }    
    
    
    public Certificate generateCertificate(UserDataVO subject, 
                                           PublicKey publicKey, 
                                           int keyusage, 
                                           long validity,
                                           CertificateProfile certProfile) throws Exception{
                                               
    	    	
        final String sigAlg = getCAToken().getCATokenInfo().getSignatureAlgorithm();
        Date firstDate = new Date();
        // Set back startdate ten minutes to avoid some problems with wrongly set clocks.
        firstDate.setTime(firstDate.getTime() - 10 * 60 * 1000);
        Date lastDate = new Date();
        // validity in days = validity*24*60*60*1000 milliseconds
        long val = validity;
        if(val == -1)
          val = certProfile.getValidity();
        
        lastDate.setTime(lastDate.getTime() + ( val * 24 * 60 * 60 * 1000));
        ExtendedX509V3CertificateGenerator certgen = new ExtendedX509V3CertificateGenerator();
        // Serialnumber is random bits, where random generator is initialized by the
        // serno generator.
        BigInteger serno = SernoGenerator.instance().getSerno();
        certgen.setSerialNumber(serno);
        certgen.setNotBefore(firstDate);
        certgen.setNotAfter(lastDate);
        certgen.setSignatureAlgorithm(sigAlg);
        // Make DNs
        String dn = subject.getDN(); 
        
        if(certProfile.getUseSubjectDNSubSet()){
          dn= certProfile.createSubjectDNSubSet(dn);	
        }
        
        if(certProfile.getUseCNPostfix()){
          dn = CertTools.insertCNPostfix(dn,certProfile.getCNPostfix());	
        }
        
        
        String altName = subject.getSubjectAltName(); 
      
        if(certProfile.getUseSubjectAltNameSubSet()){
        	altName = certProfile.createSubjectAltNameSubSet(altName);
        }
        
        certgen.setSubjectDN(CertTools.stringToBcX509Name(dn));
        X509Name caname = getSubjectDNAsX509Name();
        certgen.setIssuerDN(caname);
        certgen.setPublicKey(publicKey);

        // Basic constranits, all subcerts are NOT CAs
        if (certProfile.getUseBasicConstraints() == true) {
        	BasicConstraints bc = new BasicConstraints(false);
            if ((certProfile.getType() == CertificateProfile.TYPE_SUBCA)
                || (certProfile.getType() == CertificateProfile.TYPE_ROOTCA)){            	
            	if(certProfile.getUsePathLengthConstraint()){
            		bc = new BasicConstraints(certProfile.getPathLengthConstraint());
            	}else{
            		bc =  new BasicConstraints(true);
            	}            	
            }
                            
            certgen.addExtension(
                X509Extensions.BasicConstraints.getId(),
                certProfile.getBasicConstraintsCritical(),
                bc);
        }
        // Key usage
        int newKeyUsage = -1;
        if (certProfile.getAllowKeyUsageOverride() && (keyusage >= 0)) {
            newKeyUsage = keyusage;
        } else {
            newKeyUsage = CertTools.sunKeyUsageToBC(certProfile.getKeyUsage());
        }
        if ( (certProfile.getUseKeyUsage() == true) && (newKeyUsage >=0) ){
            X509KeyUsage ku = new X509KeyUsage(newKeyUsage);
            certgen.addExtension(
                X509Extensions.KeyUsage.getId(),
                certProfile.getKeyUsageCritical(),
                ku);
        }
        // Extended Key usage
        if (certProfile.getUseExtendedKeyUsage() == true) {
            // Get extended key usage from certificate profile
            Collection c = certProfile.getExtendedKeyUsageAsOIDStrings();
            Vector usage = new Vector();
            Iterator iter = c.iterator();
            while (iter.hasNext()) {
                usage.add(new DERObjectIdentifier((String)iter.next()));
            }
            ExtendedKeyUsage eku = new ExtendedKeyUsage(usage);
            // Extended Key Usage may be either critical or non-critical
            certgen.addExtension(
                X509Extensions.ExtendedKeyUsage.getId(),
                certProfile.getExtendedKeyUsageCritical(),
                eku);
        }
        // Subject key identifier
        if (certProfile.getUseSubjectKeyIdentifier() == true) {
            SubjectPublicKeyInfo spki =
                new SubjectPublicKeyInfo(
                    (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(publicKey.getEncoded())).readObject());
            SubjectKeyIdentifier ski = new SubjectKeyIdentifier(spki);
            certgen.addExtension(
                X509Extensions.SubjectKeyIdentifier.getId(),
                certProfile.getSubjectKeyIdentifierCritical(), ski);
        }
        // Authority key identifier
        if (certProfile.getUseAuthorityKeyIdentifier() == true) {
            SubjectPublicKeyInfo apki = null;
            try{
              apki =
                new SubjectPublicKeyInfo(
                    (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN).getEncoded())).readObject());
             }catch(CATokenOfflineException e){
                 log.debug("X509CA : Setting STATUS OFFLINE " + this.getName());    
                 this.setStatus(SecConst.CA_OFFLINE);
                 log.debug("X509CA : New STATUS  " + this.getStatus());
                 throw new CATokenOfflineException(e.getMessage()); 
            }
            AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki);
            certgen.addExtension(
                X509Extensions.AuthorityKeyIdentifier.getId(),
                certProfile.getAuthorityKeyIdentifierCritical(), aki);
        }
         // Subject Alternative name
        if ( (certProfile.getUseSubjectAlternativeName() == true) && (altName != null) && (altName.length() > 0) ) {
            String email = CertTools.getEmailFromDN(altName);
            DEREncodableVector vec = new DEREncodableVector();
            if (email != null) {
                GeneralName gn = new GeneralName(1, new DERIA5String(email));
                vec.add(gn);
            }
            
            ArrayList dns = CertTools.getPartsFromDN(altName, CertTools.DNS);
            if (!dns.isEmpty()) {            
				Iterator iter = dns.iterator();
				while (iter.hasNext()) {
					GeneralName gn = new GeneralName(2, new DERIA5String((String)iter.next()));
					vec.add(gn);
				}
            }
            			            
            ArrayList uri = CertTools.getPartsFromDN(altName, CertTools.URI);
			if (!uri.isEmpty()) {            
				Iterator iter = uri.iterator();
				while (iter.hasNext()) {
					GeneralName gn = new GeneralName(6, new DERIA5String((String)iter.next()));
					vec.add(gn);
				}
			}

			uri = CertTools.getPartsFromDN(altName, CertTools.URI1);
			if (!uri.isEmpty()) {            
				Iterator iter = uri.iterator();
				while (iter.hasNext()) {
					GeneralName gn = new GeneralName(6, new DERIA5String((String)iter.next()));
					vec.add(gn);
				}
			}
            
                    
            ArrayList ipstr = CertTools.getPartsFromDN(altName, CertTools.IPADDR);
			if (!ipstr.isEmpty()) {            
				Iterator iter = ipstr.iterator();
				while (iter.hasNext()) {
					byte[] ipoctets = StringTools.ipStringToOctets((String)iter.next());
					GeneralName gn = new GeneralName(7, new DEROctetString(ipoctets));
					vec.add(gn);
				}
			}
			            
            ArrayList upn =  CertTools.getPartsFromDN(altName, CertTools.UPN);
			if (!upn.isEmpty()) {            
				Iterator iter = upn.iterator();				
				while (iter.hasNext()) {
					ASN1EncodableVector v = new ASN1EncodableVector();
					v.add(new DERObjectIdentifier(CertTools.UPN_OBJECTID));
					v.add(new DERTaggedObject(true, 0, new DERUTF8String((String)iter.next())));
					//GeneralName gn = new GeneralName(new DERSequence(v), 0);
					DERObject gn = new DERTaggedObject(false, 0, new DERSequence(v));
					vec.add(gn);
				}
			}
            
          
            ArrayList guid =  CertTools.getPartsFromDN(altName, CertTools.GUID);
			if (!guid.isEmpty()) {            
				Iterator iter = guid.iterator();				
				while (iter.hasNext()) {					
	                ASN1EncodableVector v = new ASN1EncodableVector();
	                byte[] guidbytes = Hex.decode((String)iter.next());
	                if (guidbytes != null) {
	                    v.add(new DERObjectIdentifier(CertTools.GUID_OBJECTID));
	                    v.add(new DERTaggedObject(true, 0, new DEROctetString(guidbytes)));
	                    DERObject gn = new DERTaggedObject(false, 0, new DERSequence(v));
	                    vec.add(gn);                    
	                } else {
	                    log.error("Cannot decode hexadecimal guid: "+guid);
	                }
				}
            }            
            if (vec.size() > 0) {
                GeneralNames san = new GeneralNames(new DERSequence(vec));
                certgen.addExtension(X509Extensions.SubjectAlternativeName.getId(), certProfile.getSubjectAlternativeNameCritical(), san);
            }
        }
        
        // Certificate Policies
         if (certProfile.getUseCertificatePolicies() == true) {
                 PolicyInformation pi = new PolicyInformation(new DERObjectIdentifier(certProfile.getCertificatePolicyId()));
                 DERSequence seq = new DERSequence(pi);
                 certgen.addExtension(X509Extensions.CertificatePolicies.getId(),
                         certProfile.getCertificatePoliciesCritical(), seq);