}
            // Key-recovery flags: save the generated keys when the user is marked recoverable,
            // key recovery is enabled and the user is not already in key-recovery status;
            // load existing keys when the user is in key-recovery status and recovery is enabled.
            boolean savekeys = data.getKeyRecoverable() && usekeyrecovery && (data.getStatus() != UserDataConstants.STATUS_KEYRECOVERY);
            boolean loadkeys = (data.getStatus() == UserDataConstants.STATUS_KEYRECOVERY) && usekeyrecovery;
            // get users Token Type.
            tokentype = data.getTokenType();
            if (tokentype == SecConst.TOKEN_SOFT_P12) {
                KeyStore ks = generateToken(administrator, username, password, data.getCAId(), keylength, keyalg, false, loadkeys, savekeys, data.getEndEntityProfileId());
                if (StringUtils.equals(openvpn, "on")) {
                    sendOpenVPNToken(ks, username, password, response);
                }
                // NOTE(review): sendOpenVPNToken (below) writes the installer to this same
                // response and calls flushBuffer(), yet the PKCS#12 is still sent afterwards.
                // Unless sendP12Token (not in view) copes with a committed response, an
                // else/return seems to be missing here — confirm the intended behaviour.
                sendP12Token(ks, username, password, response);
            }
            if (tokentype == SecConst.TOKEN_SOFT_JKS) {
                // Same generation call as for P12/PEM, only the seventh argument is true here.
                KeyStore ks = generateToken(administrator, username, password, data.getCAId(), keylength, keyalg, true, loadkeys, savekeys, data.getEndEntityProfileId());
                sendJKSToken(ks, username, password, response);
            }
            if (tokentype == SecConst.TOKEN_SOFT_PEM) {
                KeyStore ks = generateToken(administrator, username, password, data.getCAId(), keylength, keyalg, false, loadkeys, savekeys, data.getEndEntityProfileId());
                sendPEMTokens(ks, username, password, response);
            }
            if (tokentype == SecConst.TOKEN_SOFT_BROWSERGEN) {
                // Browser-generated key: the request format is chosen by which parameter is present.
                // NOTE(review): every branch below decodes the parameter with String.getBytes()
                // (platform default charset) and logs it back via new String(bytes) the same way.
                // first check if it is a netscape request,
                if (request.getParameter("keygen") != null) {
                    byte[] reqBytes = request.getParameter("keygen").getBytes();
                    log.debug("Received NS request:" + new String(reqBytes));
                    // String.getBytes() never returns null, so this guard (and the matching
                    // ones in the branches below) is always true.
                    if (reqBytes != null) {
                        byte[] certs = helper.nsCertRequest(signsession, reqBytes, username, password);
                        RequestHelper.sendNewCertToNSClient(certs, response);
                    }
                } else if (request.getParameter("iidPkcs10") != null && !request.getParameter("iidPkcs10").equals("")) {
                    // NetID iid?
                    byte[] reqBytes = request.getParameter("iidPkcs10").getBytes();
                    if (reqBytes != null) {
                        byte[] b64cert = helper.pkcs10CertRequest(signsession, reqBytes, username, password, RequestHelper.ENCODED_CERTIFICATE, false);
                        RequestHelper.sendNewCertToIidClient(b64cert, response.getOutputStream(), getServletContext(), getInitParameter("responseIidTemplate"), classid);
                    }
                } else if ((request.getParameter("pkcs10") != null) || (request.getParameter("PKCS10") != null)) {
                    // if not netscape, check if it's IE
                    // NOTE(review): when only "PKCS10" is present, getParameter("pkcs10") is null
                    // and .getBytes() throws NullPointerException before the fallback on the next
                    // line can run; the NPE then lands in the catch (Exception) handler below.
                    byte[] reqBytes = request.getParameter("pkcs10").getBytes();
                    if (reqBytes == null) reqBytes = request.getParameter("PKCS10").getBytes();
                    log.debug("Received IE request:" + new String(reqBytes));
                    if (reqBytes != null) {
                        byte[] b64cert = helper.pkcs10CertRequest(signsession, reqBytes, username, password, RequestHelper.ENCODED_PKCS7);
                        debug.ieCertFix(b64cert);
                        RequestHelper.sendNewCertToIEClient(b64cert, response.getOutputStream(), getServletContext(), getInitParameter("responseTemplate"), classid);
                    }
                } else if (request.getParameter("pkcs10req") != null && resulttype != 0) {
                    // if not IE, check if it's manual request
                    byte[] reqBytes = request.getParameter("pkcs10req").getBytes();
                    if (reqBytes != null) {
                        byte[] b64cert = helper.pkcs10CertRequest(signsession, reqBytes, username, password, resulttype);
                        // Wrap the base64 blob in the header/footer matching the requested type.
                        if (resulttype == RequestHelper.ENCODED_PKCS7) RequestHelper.sendNewB64Cert(b64cert, response, RequestHelper.BEGIN_PKCS7_WITH_NL, RequestHelper.END_PKCS7_WITH_NL);
                        if (resulttype == RequestHelper.ENCODED_CERTIFICATE) RequestHelper.sendNewB64Cert(b64cert, response, RequestHelper.BEGIN_CERTIFICATE_WITH_NL, RequestHelper.END_CERTIFICATE_WITH_NL);
                    }
                }
            }
        } catch (ObjectNotFoundException oe) {
            // NOTE(review): this text differs from the AuthLoginException message
            // ("Wrong username or password!"), so the response distinguishes unknown
            // usernames from known ones with a bad password.
            log.debug("Non existent username!");
            debug.printMessage("Non existent username!");
            debug.printMessage( "To generate a certificate a valid username and password must be entered.");
            debug.printDebugInfo();
            return;
        } catch (AuthStatusException ase) {
            log.debug("Wrong user status!");
            debug.printMessage("Wrong user status!");
            // Both branches currently print the same text; the key-recovery case presumably
            // meant to list the additional accepted status.
            if (usekeyrecovery) {
                debug.printMessage( "To generate a certificate for a user the user must have status new, failed or inprocess.");
            } else {
                debug.printMessage( "To generate a certificate for a user the user must have status new, failed or inprocess.");
            }
            debug.printDebugInfo();
            return;
        } catch (AuthLoginException ale) {
            log.debug("Wrong password for user!");
            debug.printMessage("Wrong username or password!");
            debug.printMessage( "To generate a certificate a valid username and password must be entered.");
            debug.printDebugInfo();
            return;
        } catch (SignRequestException re) {
            log.debug("Invalid request!");
            debug.printMessage("Invalid request!");
            debug.printMessage("Please supply a correct request.");
            debug.printDebugInfo();
            return;
        } catch (SignRequestSignatureException se) {
            // The only handler that logs at error level and includes the exception.
            log.error("Invalid signature on certificate request:", se);
            debug.printMessage("Invalid signature on certificate request!");
            debug.printMessage("Please supply a correctly signed request.");
            debug.printDebugInfo();
            return;
        } catch (java.lang.ArrayIndexOutOfBoundsException ae) {
            // Presumably thrown by the request decoders on truncated input; reported as a bad request.
            log.debug("Empty or invalid request received.");
            debug.printMessage("Empty or invalid request!");
            debug.printMessage("Please supply a correct request.");
            debug.printDebugInfo();
            return;
        } catch (org.ejbca.core.model.ca.IllegalKeyException e) {
            log.debug("Illegal Key received: " + e.getMessage());
            debug.printMessage("Invalid Key in request: " + e.getMessage());
            debug.printMessage("Please supply a correct request.");
            debug.printDebugInfo();
            return;
        } catch (Exception e) {
            log.debug(e);
            // NOTE(review): every request parameter name and value is echoed into the HTML
            // response unescaped. The parameters presumably include the username/password this
            // servlet authenticates with (read before this fragment), so a failure here sends
            // the credential back to the client, and unescaped values can inject markup into the
            // page — mask sensitive parameters and HTML-encode the rest.
            debug.print("<h3>parameter name and values: </h3>");
            Enumeration paramNames = request.getParameterNames();
            while (paramNames.hasMoreElements()) {
                String name = paramNames.nextElement().toString();
                String parameter = request.getParameter(name);
                debug.print("<h4>" + name + ":</h4>" + parameter + "<br>");
            }
            debug.takeCareOfException(e);
            debug.printDebugInfo();
        }
    } //doPost

    /**
     * Handles HTTP GET.
     * <p>
     * GET is not supported by this servlet: the response advertises {@code Allow: POST}
     * and a short notice is rendered through {@link ServletDebug}.
     *
     * @param request servlet request
     * @param response servlet response
     *
     * @throws IOException input/output error
     * @throws ServletException on error
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        log.debug(">doGet()");
        response.setHeader("Allow", "POST");
        ServletDebug debug = new ServletDebug(request, response);
        debug.print("The certificate request servlet only handles POST method.");
        debug.printDebugInfo();
        log.debug("<doGet()");
    } // doGet

    /**
     * Creates an install package for OpenVPN including the user's keys and sends it to the user.
     * <p>
     * Contributed by: Jon Bendtsen, jon.bendtsen(at)laerdal.dk
     * <p>
     * The key store is written to {@code /usr/local/tmp/<username>.p12}, an external script
     * ({@code /usr/local/ejbca/bin/mk_openvpn_windows_installer.sh}) is run with the username,
     * issuer DN and subject DN on its stdin, and the installer it produces is streamed back as
     * the HTTP response. The method body continues past the end of this listing.
     *
     * @param ks         key store holding the user's key and certificate chain
     * @param username   end-entity username; used to build the temporary file names
     * @param kspassword password protecting the key store when it is stored to disk
     * @param out        response the installer is written to
     * @throws Exception on any key-store, file, process or I/O failure (not narrowed)
     */
    private void sendOpenVPNToken(KeyStore ks, String username, String kspassword, HttpServletResponse out) throws Exception {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        ks.store(buffer, kspassword.toCharArray());
        // NOTE(review): username goes straight into a path under /usr/local/tmp (and later into
        // a Content-disposition header). Unless it is validated before this point (not visible
        // here), path separators or ".." in it would place the file elsewhere — TODO confirm the
        // character set allowed for usernames.
        File fout = new File("/usr/local/tmp/" + username + ".p12");
        // NOTE(review): no try/finally — if anything below throws, certfile is not closed and
        // the written .p12 stays on disk.
        FileOutputStream certfile = new FileOutputStream(fout);
        Enumeration en = ks.aliases();
        // Only the first alias is used; assumes the store holds a single entry.
        String alias = (String) en.nextElement();
        // Then get the certificates
        Certificate[] certs = KeyTools.getCertChain(ks, alias);
        // The first one (certs[0]) is the users cert and the last
        // one (certs [certs.length-1]) is the CA-cert
        X509Certificate x509cert = (X509Certificate) certs[0];
        String IssuerDN = x509cert.getIssuerDN().toString();
        String SubjectDN = x509cert.getSubjectDN().toString();
        // export the users certificate to file
        buffer.writeTo(certfile);
        buffer.flush();
        buffer.close();
        certfile.close();
        // run shell script, which will also remove the created files
        // parameters are the username, IssuerDN and SubjectDN
        // IssuerDN and SubjectDN will be used to select the right
        // openvpn configuration file
        // they have to be written to stdin of the script to support
        // spaces in the username, IssuerDN or SubjectDN
        // (the command line itself is a fixed string, so no user-controlled value is
        // passed through the shell)
        Runtime rt = Runtime.getRuntime();
        if (rt == null) {
            log.error("getRuntime failed. null pointer");
        } else {
            Process p = rt.exec("/usr/local/ejbca/bin/mk_openvpn_" + "windows_installer.sh");
            if (p == null) {
                log.error("execution of openvpn windows" + " installer script failed. Null pointer");
            } else {
                OutputStream pstdin = p.getOutputStream();
                PrintStream stdoutp = new PrintStream(pstdin);
                stdoutp.println(username);
                stdoutp.println(IssuerDN);
                stdoutp.println(SubjectDN);
                stdoutp.flush();
                stdoutp.close();
                pstdin.close();
                // NOTE(review): the script's stdout/stderr are never drained; if it writes more
                // than the pipe buffer, waitFor() may block indefinitely.
                int exitVal = p.waitFor();
                if (exitVal != 0) {
                    log.error("Openvpn windows installer script exitValue: " + exitVal);
                } else {
                    log.debug("Openvpn windows installer script exitValue: " + exitVal);
                }
            }
        }
        // we ought to check if the script was okay or not, but in a little
        // while we will look for the openvpn-gui-install-$username.exe
        // and fail there if the script failed. Also, one could question
        // what to do if it did fail, serve the user the certificate?
        // sending the OpenVPN windows installer
        String filename = "openvpn-gui-install-" + username + ".exe";
        File fin = new File("/usr/local/tmp/" + filename);
        FileInputStream vpnfile = new FileInputStream(fin);
        out.setContentType("application/x-msdos-program");
        // NOTE(review): filename (derived from username) is placed in the header unquoted
        // and unescaped; see the path note above.
        out.setHeader("Content-disposition", "filename=" + filename);
        int filesize = 0;
        byte[] buf = new byte[4096];
        for (;;) {
            int count = vpnfile.read(buf);
            if (count == -1) {
                break;
            }
            filesize = count + filesize;
            // is this too late to set the filesize?
            // NOTE(review): yes — once the response buffer has been flushed (committed) this
            // call is ignored, and it is invoked with the running total on every iteration.
            out.setContentLength(filesize);
            // BUG(review): writes the full 4096-byte buffer regardless of count, so a short
            // read (at least the final chunk) sends stale bytes from the previous iteration and
            // the installer on the wire is longer than the file; should be write(buf, 0, count).
            out.getOutputStream().write(buf);
        }
        // NOTE(review): like certfile above, vpnfile is not closed if the copy loop throws.
        vpnfile.close();
        // delete OpenVPN windows installer, the script will delete cert.
        // (the return value of delete() is not checked)
        fin.delete();
        out.flushBuffer();
        // ... sendOpenVPNToken continues beyond this listing; its closing brace is not shown.