📄 certreqservlet.java
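} // sendOpenVPNToken

    /**
     * Streams the keystore to the client as a password-protected PKCS#12 file.
     *
     * @param ks         keystore holding the user's private key and certificate chain
     * @param username   basis for the suggested download filename; sanitized before it
     *                   is placed in the Content-disposition header
     * @param kspassword password the serialized PKCS#12 container is protected with
     * @param out        response the token is written to
     * @throws Exception if the keystore cannot be serialized or the response cannot be written
     */
    private void sendP12Token(KeyStore ks, String username, String kspassword, HttpServletResponse out) throws Exception {
        writeKeyStoreToken(ks, username, kspassword, out, "application/x-pkcs12", ".p12");
    }

    /**
     * Streams the keystore to the client as a password-protected JKS file.
     * Same contract as sendP12Token, different content type and extension.
     */
    private void sendJKSToken(KeyStore ks, String username, String kspassword, HttpServletResponse out) throws Exception {
        writeKeyStoreToken(ks, username, kspassword, out, "application/octet-stream", ".jks");
    }

    /**
     * Shared body of sendP12Token / sendJKSToken: serializes ks under kspassword
     * into memory, then sends it as an attachment named username + extension.
     */
    private void writeKeyStoreToken(KeyStore ks, String username, String kspassword, HttpServletResponse out,
                                    String contentType, String extension) throws Exception {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        ks.store(buffer, kspassword.toCharArray());
        out.setContentType(contentType);
        // "attachment;" makes this a well-formed disposition (the PEM variant already sent it);
        // the username is sanitized so it cannot smuggle header/parameter separators or path parts.
        out.setHeader("Content-disposition", "attachment; filename=" + sanitizeTokenFilename(username) + extension);
        out.setContentLength(buffer.size());
        buffer.writeTo(out.getOutputStream());
        out.flushBuffer();
    }

    /**
     * Makes a username safe for use as the filename parameter of a Content-disposition
     * header. Control characters (CR/LF would terminate the header in lenient containers),
     * '"' and ';' (parameter delimiters) and path separators are replaced by '_'.
     * The username presumably comes from the request (not visible in this file), so it is
     * treated as untrusted here.
     *
     * @param username raw username, may be null
     * @return sanitized name, never null
     */
    private static String sanitizeTokenFilename(String username) {
        if (username == null) {
            return "";
        }
        char[] chars = username.toCharArray();
        for (int i = 0; i < chars.length; i++) {
            char c = chars[i];
            if (c < 0x20 || c == 0x7f || c == '"' || c == ';' || c == '/' || c == '\\') {
                chars[i] = '_';
            }
        }
        return new String(chars);
    }

    /**
     * Streams the keystore contents as a PEM file: the private key, the user
     * certificate and, unless the user certificate is self-signed, the rest of the
     * chain. Every block is preceded by header lines built from the class constants
     * (bagattributes, friendlyname, subject, issuer, ...).
     *
     * NOTE(review): the private key is written as its plain encoded form between
     * beginPrivateKey / endPrivateKey. kspassword only unlocks the entry in ks; it
     * does NOT protect the PEM output, so this download is only as safe as the
     * channel it travels over.
     *
     * @param ks         keystore containing exactly the entries to export
     * @param username   basis for the suggested download filename (sanitized)
     * @param kspassword password that unlocks the private-key entry in ks
     * @param out        response the PEM file is written to
     * @throws Exception if ks holds no private-key entry or no certificate chain for
     *                   it, or on any keystore / IO error
     */
    private void sendPEMTokens(KeyStore ks, String username, String kspassword, HttpServletResponse out) throws Exception {
        // Find the first private-key entry. The previous version fell through with
        // whatever alias the enumeration ended on when no key entry existed, and
        // would then emit an empty key block together with an unrelated chain.
        String alias = null;
        PrivateKey userPrivKey = null;
        Enumeration aliases = ks.aliases();
        while (aliases.hasMoreElements() && userPrivKey == null) {
            Object candidate = aliases.nextElement();
            if (!(candidate instanceof String) || !ks.isKeyEntry((String) candidate)) {
                continue;
            }
            Object key = ks.getKey((String) candidate, kspassword.toCharArray());
            if (key instanceof PrivateKey) { // a key entry could also hold a SecretKey
                alias = (String) candidate;
                userPrivKey = (PrivateKey) key;
            }
        }
        if (userPrivKey == null) {
            throw new Exception("Keystore contains no private key entry for user " + username);
        }
        Certificate[] chain = KeyTools.getCertChain(ks, alias);
        if (chain == null || chain.length == 0) {
            throw new Exception("Keystore entry '" + alias + "' has no certificate chain");
        }
        X509Certificate userCert = (X509Certificate) chain[0];

        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        // Private key block: only a friendly-name header, then the encoded key (unencrypted).
        buffer.write(bagattributes);
        buffer.write(friendlyname);
        buffer.write(alias.getBytes("UTF-8"));
        buffer.write(NL);
        buffer.write(beginPrivateKey);
        buffer.write(NL);
        buffer.write(Base64.encode(userPrivKey.getEncoded()));
        buffer.write(NL);
        buffer.write(endPrivateKey);
        buffer.write(NL);

        // User certificate, labelled with the keystore alias.
        writePemCertificate(buffer, alias, userCert);

        // Remaining chain, each labelled with its CN ("Unknown" when the DN has none).
        if (!CertTools.isSelfSigned(userCert)) {
            for (int num = 1; num < chain.length; num++) {
                X509Certificate caCert = (X509Certificate) chain[num];
                String cn = CertTools.getPartFromDN(CertTools.getSubjectDN(caCert), "CN");
                if (StringUtils.isEmpty(cn)) {
                    cn = "Unknown";
                }
                writePemCertificate(buffer, cn, caCert);
            }
        }

        out.setContentType("application/octet-stream");
        out.setHeader("Content-disposition", "attachment; filename=" + sanitizeTokenFilename(username) + ".pem");
        out.setContentLength(buffer.size()); // the P12/JKS variants already set it; keep the three consistent
        buffer.writeTo(out.getOutputStream());
        out.flushBuffer();
    }

    /**
     * Appends one certificate to buffer: header lines (friendly name, subject DN,
     * issuer DN with ',' rendered as '/') followed by the Base64 certificate block.
     * Text is encoded as UTF-8 rather than the platform default so the output does
     * not depend on the host the servlet runs on.
     */
    private void writePemCertificate(ByteArrayOutputStream buffer, String friendlyName, X509Certificate cert) throws Exception {
        String subjectDn = CertTools.getSubjectDN(cert).replace(',', '/');
        String issuerDn = CertTools.getIssuerDN(cert).replace(',', '/');
        buffer.write(bagattributes);
        buffer.write(friendlyname);
        buffer.write(friendlyName.getBytes("UTF-8"));
        buffer.write(NL);
        buffer.write(subject);
        buffer.write(subjectDn.getBytes("UTF-8"));
        buffer.write(NL);
        buffer.write(issuer);
        buffer.write(issuerDn.getBytes("UTF-8"));
        buffer.write(NL);
        buffer.write(beginCertificate);
        buffer.write(NL);
        buffer.write(Base64.encode(cert.getEncoded()));
        buffer.write(NL);
        buffer.write(endCertificate);
        buffer.write(NL);
    }

    /**
     * Builds a keystore holding a key pair and certificate for username.
     *
     * The key pair is either recovered from the key-recovery store (loadkeys) or
     * freshly generated from keylength/keyalg. The certificate is either the one
     * stored with the recovered key (when the end-entity profile allows reuse) or
     * newly issued through the sign session. The CA chain for caid is then
     * verified end to end (see verifyTokenChain) before anything is returned.
     * With savekeys the private key is additionally stored server-side through the
     * key-recovery session, i.e. escrowed.
     *
     * @param administrator      admin on whose behalf every session call is made
     * @param username           end entity the token is for
     * @param password           passed to createCertificate / finishUser for the end
     *                           entity, and also used as the JKS keystore password
     *                           when createJKS is set
     * @param caid               CA whose certificate chain is placed in the keystore
     * @param keylength          key size, only used when loadkeys is false
     * @param keyalg             key algorithm, only used when loadkeys is false
     * @param createJKS          true for a JKS keystore, false for PKCS#12
     * @param loadkeys           recover the key pair instead of generating a new one
     * @param savekeys           store the private key in the key-recovery database
     * @param endEntityProfileId profile consulted for the certificate-reuse flag
     * @return keystore with the private key, the user certificate and the CA chain
     * @throws Exception on any session failure, when no key pair or certificate can be
     *                   recovered, or when chain verification fails (the
     *                   GeneralSecurityException is attached as cause)
     */
    private KeyStore generateToken(Admin administrator, String username, String password, int caid, String keylength,
                                   String keyalg, boolean createJKS, boolean loadkeys, boolean savekeys,
                                   int endEntityProfileId) throws Exception {
        KeyRecoveryData keyData = null;
        KeyPair keyPair = null;
        boolean reuseCertificate = false;
        if (loadkeys) {
            IRaAdminSessionRemote raadminsession = raadminhome.create();
            EndEntityProfile endEntityProfile = raadminsession.getEndEntityProfile(administrator, endEntityProfileId);
            reuseCertificate = endEntityProfile.getReUseKeyRevoceredCertificate();
            IKeyRecoverySessionRemote keyrecoverysession = keyrecoveryhome.create();
            keyData = keyrecoverysession.keyRecovery(administrator, username, endEntityProfileId);
            // Explicit failure instead of a NullPointerException further down.
            if (keyData == null || keyData.getKeyPair() == null) {
                throw new Exception("No recoverable key pair found for user " + username);
            }
            keyPair = keyData.getKeyPair();
            if (reuseCertificate) {
                keyrecoverysession.unmarkUser(administrator, username);
            }
        } else {
            keyPair = KeyTools.genKeys(keylength, keyalg);
        }

        ISignSessionLocal signsession = getSignSession();
        X509Certificate cert;
        if (reuseCertificate) {
            cert = (X509Certificate) keyData.getCertificate();
            if (cert == null) {
                throw new Exception("Recovered key data for user " + username + " carries no certificate");
            }
            ICAAdminSessionLocal caadminsession = getCASession();
            if (caadminsession.getCAInfo(administrator, caid).getFinishUser()) {
                IAuthenticationSessionRemote authsession = authhome.create();
                authsession.finishUser(administrator, username, password);
            }
        } else {
            cert = (X509Certificate) signsession.createCertificate(administrator, username, password, keyPair.getPublic());
        }

        Certificate[] cachain = (Certificate[]) signsession.getCertificateChain(administrator, caid).toArray(new Certificate[0]);
        verifyTokenChain(cachain, cert);

        if (savekeys) {
            // Server-side key escrow; the loadkeys branch above is what reads it back.
            IKeyRecoverySessionRemote keyrecoverysession = keyrecoveryhome.create();
            keyrecoverysession.addKeyRecoveryData(administrator, cert, username, keyPair);
        }

        // Keystore alias: the certificate CN, falling back to the username when the DN
        // has no (or an empty) CN — an empty alias would otherwise go into the keystore.
        String alias = CertTools.getPartFromDN(CertTools.getSubjectDN(cert), "CN");
        if (StringUtils.isEmpty(alias)) {
            alias = username;
        }
        if (createJKS) {
            return KeyTools.createJKS(alias, keyPair.getPrivate(), password, cert, cachain);
        }
        return KeyTools.createP12(alias, keyPair.getPrivate(), cert, cachain);
    }

    /**
     * Verifies the trust path that ends up in the token. The chain is expected
     * issuing-CA-first and root-last, which is the order the original
     * cachain[0] / cachain[length - 1] checks already relied on. Checks, in order:
     * the chain is non-empty; the last element is self-signed and verifies with its
     * own key; each element is signed by the next one (this link check was missing
     * before, so an intermediate that did not chain to the root went unnoticed);
     * userCert is signed by cachain[0].
     *
     * @throws Exception describing the first check that fails, with the underlying
     *                   GeneralSecurityException as cause where there is one
     */
    private void verifyTokenChain(Certificate[] cachain, X509Certificate userCert) throws Exception {
        if (cachain == null || cachain.length == 0) {
            throw new Exception("CA certificate chain is empty");
        }
        Certificate root = cachain[cachain.length - 1];
        if (!CertTools.isSelfSigned((X509Certificate) root)) {
            throw new Exception("RootCA certificate not self-signed");
        }
        try {
            root.verify(root.getPublicKey());
        } catch (GeneralSecurityException se) {
            throw new Exception("RootCA certificate does not verify", se);
        }
        for (int i = 0; i < cachain.length - 1; i++) {
            try {
                cachain[i].verify(cachain[i + 1].getPublicKey());
            } catch (GeneralSecurityException se) {
                throw new Exception("CA certificate " + i + " in the chain does not verify using its issuer certificate", se);
            }
        }
        try {
            userCert.verify(cachain[0].getPublicKey());
        } catch (GeneralSecurityException se) {
            throw new Exception("Generated certificate does not verify using CA-certificate.", se);
        }
    }

} // CertReqServlet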