} else { res.setContentLength(cert.length); res.getOutputStream().write(cert); } log.debug("Sent latest certificate for '"+dn+"' to client at " + remoteAddr); } else { log.debug("No certificate found for '"+dn+"'."); res.sendError(HttpServletResponse.SC_NOT_FOUND, "No certificate found for requested subject '"+dn+"'."); } } if (command.equalsIgnoreCase(COMMAND_LISTCERT)) { res.setContentType("text/html"); PrintWriter pout = new PrintWriter(res.getOutputStream()); printHtmlHeader("Certificates for "+dn, pout); for (int i=0;i<certs.length;i++) { Date notBefore = ((X509Certificate)certs[i]).getNotBefore(); Date notAfter = ((X509Certificate)certs[i]).getNotAfter(); String subject = CertTools.getSubjectDN((X509Certificate)certs[i]); String issuer = CertTools.getIssuerDN((X509Certificate)certs[i]); BigInteger serno = ((X509Certificate)certs[i]).getSerialNumber(); pout.println("<pre>Subject:"+subject); pout.println("Issuer:"+issuer); pout.println("NotBefore:"+notBefore.toString()); pout.println("NotAfter:"+notAfter.toString()); pout.println("Serial number:"+serno.toString()); pout.println("</pre>"); pout.println("<a href=\"certdist?cmd=revoked&issuer="+URLEncoder.encode(issuer, "UTF-8")+"&serno="+serno.toString()+"\">Check if certificate is revoked</a>"); pout.println("<hr>"); } if (certs.length == 0) { pout.println("No certificates exists for '"+dn+"'."); } printHtmlFooter(pout); pout.close(); } } catch (Exception e) { log.debug("Error getting certificates for '"+dn+"' for "+remoteAddr+": ", e); res.sendError(HttpServletResponse.SC_NOT_FOUND, "Error getting certificates."); return; } } else if ((command.equalsIgnoreCase(COMMAND_NSCACERT) || command.equalsIgnoreCase(COMMAND_IECACERT) || command.equalsIgnoreCase(COMMAND_CACERT)) && ( issuerdn != null || caid != 0)) { String lev = req.getParameter(LEVEL_PROPERTY); int level = 0; boolean pkcs7 = false; if (lev != null) level = Integer.parseInt(lev); else pkcs7 = true; // CA is level 0, next over root level 1 etc etc, -1 
returns chain as PKCS7 try { ISignSessionLocal ss = getSignSession(); Certificate[] chain = null; if(caid != 0) { chain = (Certificate[]) ss.getCertificateChain(administrator, caid).toArray(new Certificate[0]); } else { chain = (Certificate[]) ss.getCertificateChain(administrator, issuerdn.hashCode()).toArray(new Certificate[0]); } // chain.length-1 is last cert in chain (root CA) if (chain.length < level) { PrintStream ps = new PrintStream(res.getOutputStream()); ps.println("No CA certificate of level "+level+" exist."); log.debug("No CA certificate of level "+level+" exist."); return; } X509Certificate cacert = (X509Certificate)chain[level]; String filename=CertTools.getPartFromDN(CertTools.getSubjectDN(cacert), "CN"); if (filename == null) filename = "ca"; byte[] enccert = null; if (pkcs7) enccert = ss.createPKCS7(administrator, cacert, true); else enccert = cacert.getEncoded(); if (command.equalsIgnoreCase(COMMAND_NSCACERT)) { res.setContentType("application/x-x509-ca-cert"); res.setContentLength(enccert.length); res.getOutputStream().write(enccert); log.debug("Sent CA cert to NS client, len="+enccert.length+"."); } else if (command.equalsIgnoreCase(COMMAND_IECACERT)) { // We must remove cache headers for IE ServletUtils.removeCacheHeaders(res); if (pkcs7) res.setHeader("Content-disposition", "attachment; filename=\""+filename+".p7c\""); else res.setHeader("Content-disposition", "attachment; filename=\""+filename+".crt\""); res.setContentType("application/octet-stream"); res.setContentLength(enccert.length); res.getOutputStream().write(enccert); log.debug("Sent CA cert to IE client, len="+enccert.length+"."); } else if (command.equalsIgnoreCase(COMMAND_CACERT)) { byte[] b64cert = Base64.encode(enccert); String out; if (pkcs7) out = "-----BEGIN PKCS7-----\n"; else out = "-----BEGIN CERTIFICATE-----\n"; out += new String(b64cert); if (pkcs7) out += "\n-----END PKCS7-----\n"; else out += "\n-----END CERTIFICATE-----\n"; // We must remove cache headers for IE 
ServletUtils.removeCacheHeaders(res); res.setHeader("Content-disposition", "attachment; filename=\""+filename+".pem\""); res.setContentType("application/octet-stream"); res.setContentLength(out.length()); res.getOutputStream().write(out.getBytes()); log.debug("Sent CA cert to client, len="+out.length()+"."); } else { res.setContentType("text/plain"); res.getOutputStream().println("Commands="+COMMAND_NSCACERT+" || "+COMMAND_IECACERT+" || "+COMMAND_CACERT); return; } } catch (Exception e) { log.debug("Error getting CA certificates: ", e); res.sendError(HttpServletResponse.SC_NOT_FOUND, "Error getting CA certificates."); return; } } else if ((command.equalsIgnoreCase(COMMAND_NSOCSPCERT) || command.equalsIgnoreCase(COMMAND_IEOCSPCERT) || command.equalsIgnoreCase(COMMAND_OCSPCERT)) && ( issuerdn != null || caid != 0)) { try { ICAAdminSessionLocal casession = getCASession(); CAInfo cainfo = null; if(caid != 0) { cainfo = casession.getCAInfo(administrator, caid); } else { int id = issuerdn.hashCode(); cainfo = casession.getCAInfo(administrator, id); } X509Certificate ocspcert = null; Iterator iter = cainfo.getExtendedCAServiceInfos().iterator(); while(iter.hasNext()){ ExtendedCAServiceInfo next = (ExtendedCAServiceInfo) iter.next(); if(next instanceof OCSPCAServiceInfo){ if(((OCSPCAServiceInfo) next).getOCSPSignerCertificatePath() != null) ocspcert = (X509Certificate) ((OCSPCAServiceInfo) next).getOCSPSignerCertificatePath().get(0); } } // If no cert, send back a NOT_FOUND response if (ocspcert == null) { res.sendError(HttpServletResponse.SC_NOT_FOUND, "No OCSP certificate found for CA."); return; } String filename=CertTools.getPartFromDN(CertTools.getSubjectDN(ocspcert), "CN"); if (filename == null) filename = "ocsp"; byte[] enccert = null; enccert = ocspcert.getEncoded(); if (command.equalsIgnoreCase(COMMAND_NSOCSPCERT)) { res.setContentType("application/x-x509-ca-cert"); res.setContentLength(enccert.length); res.getOutputStream().write(enccert); log.debug("Sent OCSP 
cert to NS client, len="+enccert.length+"."); } else if (command.equalsIgnoreCase(COMMAND_IEOCSPCERT)) { // We must remove cache headers for IE ServletUtils.removeCacheHeaders(res); res.setHeader("Content-disposition", "attachment; filename=\""+filename+".crt\""); res.setContentType("application/octet-stream"); res.setContentLength(enccert.length); res.getOutputStream().write(enccert); log.debug("Sent OCSP cert to IE client, len="+enccert.length+"."); } else if (command.equalsIgnoreCase(COMMAND_OCSPCERT)) { byte[] b64cert = Base64.encode(enccert); String out; out = "-----BEGIN CERTIFICATE-----\n"; out += new String(b64cert); out += "\n-----END CERTIFICATE-----\n"; // We must remove cache headers for IE ServletUtils.removeCacheHeaders(res); res.setHeader("Content-disposition", "attachment; filename=\""+filename+".pem\""); res.setContentType("application/octet-stream"); res.setContentLength(out.length()); res.getOutputStream().write(out.getBytes()); log.debug("Sent OCSP cert to client, len="+out.length()+"."); } else { res.setContentType("text/plain"); res.getOutputStream().println("Commands="+COMMAND_NSCACERT+" || "+COMMAND_IECACERT+" || "+COMMAND_CACERT); return; } } catch (Exception e) { log.debug("Error getting OCSP certificate for CA: ", e); res.sendError(HttpServletResponse.SC_NOT_FOUND, "Error getting OCSP certificate for CA."); return; } } else if (command.equalsIgnoreCase(COMMAND_REVOKED)) { String dn = req.getParameter(ISSUER_PROPERTY); if (dn == null) { log.debug("Bad request, no 'issuer' arg to 'revoked' command."); res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Usage command=revoked?issuer=<issuerdn>&serno=<serialnumber>."); return; } String serno = req.getParameter(SERNO_PROPERTY); if (serno == null) { log.debug("Bad request, no 'serno' arg to 'revoked' command."); res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Usage command=revoked?issuer=<issuerdn>&serno=<serialnumber>."); return; } log.debug("Looking for certificate for '"+dn+"' and 
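serno='"+serno+"'."); try { ICertificateStoreSessionLocal store = getStoreSession(); RevokedCertInfo revinfo = store.isRevoked(administrator, dn, new BigInteger(serno)); PrintWriter pout = new PrintWriter(res.getOutputStream()); res.setContentType("text/html"); printHtmlHeader("Check revocation", pout); if (revinfo != null) { if (revinfo.getReason() == RevokedCertInfo.NOT_REVOKED) { pout.println("<h1>NOT REVOKED</h1>"); pout.println("Certificate with issuer '"+dn+"' and serial number '"+serno+"' is NOT revoked."); } else { pout.println("<h1>REVOKED</h1>"); pout.println("Certificate with issuer '"+dn+"' and serial number '"+serno+"' is revoked."); pout.println("RevocationDate is '"+revinfo.getRevocationDate()+"' and reason '"+revinfo.getReason()+"'."); } } else { pout.println("<h1>CERTIFICATE DOES NOT EXIST</h1>"); pout.println("Certificate with issuer '"+dn+"' and serial number '"+serno+"' does not exist."); } printHtmlFooter(pout); pout.close(); } catch (Exception e) { log.debug("Error checking revocation for '"+dn+"' with serno '"+serno+"': ", e); res.sendError(HttpServletResponse.SC_NOT_FOUND, "Error checking revocation."); return; } } else { res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Commands=cacert | lastcert | listcerts | crl | revoked && issuer=<issuerdn>"); return; } } // doGet

    /**
     * Writes the opening of a small HTML page: the head with the page title
     * and the no-cache META directives, then opens the body.
     *
     * The title is HTML-escaped before it is written. The listcerts command
     * builds it from the requested subject DN, i.e. from a value supplied by
     * the client, so writing it raw would let a crafted request inject markup
     * into the page.
     *
     * @param title page title, written escaped into {@code <title>}
     * @param pout  writer the page is sent to; it is not closed here
     */
    private void printHtmlHeader(String title, PrintWriter pout) {
        pout.println("<html><head>");
        pout.println("<title>" + escapeHtml(title) + "</title>");
        pout.println("<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">");
        pout.println("<META HTTP-EQUIV=\"Expires\" CONTENT=\"-1\">");
        pout.println("</head>");
        pout.println("<body><p>");
    }

    /**
     * Closes the page opened by {@link #printHtmlHeader}.
     *
     * The previous footer wrote a second {@code <head>} with the no-cache
     * META directives after {@code </body>}, which is not valid HTML and
     * duplicated what the header already emits. The footer now only closes
     * the {@code <p>}, {@code <body>} and {@code <html>} elements the header
     * opened.
     *
     * @param pout writer the page is sent to; it is not closed here
     */
    private void printHtmlFooter(PrintWriter pout) {
        pout.println("</p></body>");
        pout.println("</html>");
    }

    /**
     * Escapes the characters that are significant in HTML text and attribute
     * values so that {@code s} is rendered literally by the browser.
     *
     * @param s text to escape; {@code null} yields the empty string
     * @return the escaped text
     */
    private static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        // StringBuffer rather than StringBuilder: the rest of the file is
        // written against pre-Java-5 APIs.
        StringBuffer sb = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '&':
                    sb.append("&amp;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }
}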