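*/
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws java.io.IOException, ServletException {
        log.debug(">doGet()");
        log.debug("query string=" + request.getQueryString());
        // Both parameters are mandatory in a SCEP GET, for example:
        // GET /cgi-bin/pkiclient.exe?operation=PKIOperation&message=MIAGCSqGSIb3D...AAAAAA==
        // Missing parameters are reported by service(), not here.
        String operation = request.getParameter("operation");
        String message = request.getParameter("message");
        service(operation, message, request.getRemoteAddr(), response);
        log.debug("<doGet()");
    } // doGet

    /**
     * Dispatches one SCEP request to the handler for its {@code operation} and
     * writes the reply, or an HTTP error, to {@code response}.
     *
     * <p>Supported operations are {@code PKIOperation}, {@code GetCACert},
     * {@code GetCACertChain} and {@code GetCACaps}; any other value is answered
     * with HTTP 400. For {@code PKIOperation} the {@code message} parameter is the
     * Base64 encoded PKCS#7 request, for the CA operations it names the CA.
     * Exceptions raised while handling the request are logged with their stack
     * trace and mapped to an HTTP status; the text sent to the client is the
     * localized message that was logged, never the raw exception message.
     *
     * @param operation  value of the {@code operation} request parameter, may be null
     * @param message    value of the {@code message} request parameter, may be null
     * @param remoteAddr client address, used for the public-web admin and for logging
     * @param response   servlet response the reply or error is written to
     * @throws IOException if writing the response fails
     */
    private void service(String operation, String message, String remoteAddr,
            HttpServletResponse response) throws IOException {
        try {
            if (operation == null || message == null) {
                String errMsg = intres.getLocalizedMessage("scep.errormissingparam", remoteAddr);
                log.error(errMsg);
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, errMsg);
                return;
            }
            Admin administrator = new Admin(Admin.TYPE_PUBLIC_WEB_USER, remoteAddr);
            log.debug("Got request '" + operation + "'");
            log.debug("Message: " + message);
            String iMsg = intres.getLocalizedMessage("scep.receivedmsg", remoteAddr);
            log.info(iMsg);

            if (operation.equals("PKIOperation")) {
                byte[] scepmsg = Base64.decode(message.getBytes());
                ISignSessionLocal signsession = getSignSession();
                ScepPkiOpHelper helper = new ScepPkiOpHelper(administrator, signsession);
                // The CA certificate is included in the reply unless the servlet
                // init parameter includeCACert is exactly "0".
                boolean includeCACert = !StringUtils.equals("0", getInitParameter("includeCACert"));
                // Read the message and get the cert; this also checks authorization.
                byte[] reply = helper.scepCertRequest(scepmsg, includeCACert);
                if (reply == null) {
                    // This is probably a getCert message?
                    response.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED, "Can not handle request");
                    return;
                }
                // Send back the SCEP response: a PKCS#7 which contains the end
                // entity's certificate (or a failure).
                RequestHelper.sendBinaryBytes(reply, response, "application/x-pki-message", null);
                iMsg = intres.getLocalizedMessage("scep.sentresponsemsg", "PKIOperation", remoteAddr);
                log.info(iMsg);
            } else if (operation.equals("GetCACert")) {
                // The response has the content type tagged as application/x-x509-ca-cert.
                // The body of the response is a DER encoded binary X.509 certificate.
                // For example: "Content-Type:application/x-x509-ca-cert\n\n"<BER-encoded X509>
                // CA_IDENT is the message for this request and names the CA.
                log.debug("Got SCEP cert request for CA '" + message + "'");
                ICAAdminSessionLocal caadminsession = getCASession();
                CAInfo cainfo = caadminsession.getCAInfo(administrator, message);
                Collection certs = null;
                if (cainfo != null) {
                    certs = cainfo.getCertificateChain();
                }
                if (certs != null && !certs.isEmpty()) {
                    // The CA's own certificate is the first element of the chain.
                    X509Certificate cert = (X509Certificate) certs.iterator().next();
                    log.debug("Sent certificate for CA '" + message + "' to SCEP client.");
                    RequestHelper.sendNewX509CaCert(cert.getEncoded(), response);
                    iMsg = intres.getLocalizedMessage("scep.sentresponsemsg", "GetCACert", remoteAddr);
                    log.info(iMsg);
                } else {
                    String errMsg = intres.getLocalizedMessage("scep.errorunknownca", "cert");
                    log.error(errMsg);
                    response.sendError(HttpServletResponse.SC_NOT_FOUND, "No CA certificates found.");
                }
            } else if (operation.equals("GetCACertChain")) {
                // The response for GetCACertChain is a certificates-only PKCS#7
                // SignedData carrying the certificates to the end entity, with a
                // Content-Type of application/x-x509-ca-ra-cert-chain.
                // CA_IDENT is the message for this request and names the CA.
                log.debug("Got SCEP pkcs7 request for CA '" + message + "'");
                ICAAdminSessionLocal caadminsession = getCASession();
                CAInfo cainfo = caadminsession.getCAInfo(administrator, message);
                if (cainfo == null) {
                    // Same handling as GetCACert: an unknown CA is a 404, instead of
                    // the NullPointerException on getCAId() that the generic catch
                    // below would have turned into a 400.
                    String errMsg = intres.getLocalizedMessage("scep.errorunknownca", "pkcs7");
                    log.error(errMsg);
                    response.sendError(HttpServletResponse.SC_NOT_FOUND, "No CA certificates found.");
                    return;
                }
                ISignSessionLocal signsession = getSignSession();
                byte[] pkcs7 = signsession.createPKCS7(administrator, cainfo.getCAId(), true);
                if (pkcs7 != null && pkcs7.length > 0) {
                    log.debug("Sent PKCS7 for CA '" + message + "' to SCEP client.");
                    RequestHelper.sendBinaryBytes(pkcs7, response, "application/x-x509-ca-ra-cert-chain", null);
                    iMsg = intres.getLocalizedMessage("scep.sentresponsemsg", "GetCACertChain", remoteAddr);
                    log.info(iMsg);
                } else {
                    String errMsg = intres.getLocalizedMessage("scep.errorunknownca", "pkcs7");
                    log.error(errMsg);
                    response.sendError(HttpServletResponse.SC_NOT_FOUND, "No CA certificates found.");
                }
            } else if (operation.equals("GetCACaps")) {
                // The response for GetCACaps is a <lf> separated list of capabilities:
                //   "GetNextCACert"    CA supports the GetNextCACert message.
                //   "POSTPKIOperation" PKIOperation messages may be sent via HTTP POST.
                //   "SHA-1"            CA supports SHA-1 in signatures and fingerprints;
                //                      if present the client SHOULD use SHA-1, if absent
                //                      it MUST use MD5 for backward compatibility.
                //   "Renewal"          Clients may use the current certificate and key to
                //                      authenticate an enrollment request for a new one.
                // This CA advertises only the two capabilities below.
                log.debug("Got SCEP CACaps request for CA '" + message + "'");
                response.setContentType("text/plain");
                response.getOutputStream().print("POSTPKIOperation\nSHA-1");
            } else {
                log.error("Invalid parameter '" + operation + "'");
                // TODO: Send back proper Failure Response
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid parameter: " + operation);
            }
        } catch (CADoesntExistsException cae) {
            String errMsg = intres.getLocalizedMessage("scep.errorunknownca", "cert");
            log.error(errMsg, cae);
            // TODO: Send back proper Failure Response
            response.sendError(HttpServletResponse.SC_NOT_FOUND, errMsg);
        } catch (java.lang.ArrayIndexOutOfBoundsException ae) {
            // Thrown while parsing a malformed PKIOperation message.
            String errMsg = intres.getLocalizedMessage("scep.errorinvalidreq");
            log.error(errMsg, ae);
            // TODO: Send back proper Failure Response
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, errMsg);
        } catch (AuthorizationDeniedException ae) {
            String errMsg = intres.getLocalizedMessage("scep.errorauth");
            log.error(errMsg, ae);
            // TODO: Send back proper Failure Response
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, errMsg);
        } catch (AuthLoginException ae) {
            String errMsg = intres.getLocalizedMessage("scep.errorauth");
            log.error(errMsg, ae);
            // TODO: Send back proper Failure Response
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, errMsg);
        } catch (AuthStatusException ae) {
            String errMsg = intres.getLocalizedMessage("scep.errorclientstatus");
            log.error(errMsg, ae);
            // TODO: Send back proper Failure Response
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, errMsg);
        } catch (Exception e) {
            // Last-resort handler: the exception text stays in the log, the client
            // only gets the generic localized message.
            String errMsg = intres.getLocalizedMessage("scep.errorgeneral");
            log.error(errMsg, e);
            // TODO: Send back proper Failure Response
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, errMsg);
        }
    } // service
} // ScepServlet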