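}
        if ( chain==null ) {
            wMsg = intres.getLocalizedMessage("ocsp.signcerthasnochain", cert.getSerialNumber(), cert.getIssuerDN());
            m_log.warn(wMsg);
        }
        return chain;
    }

    /**
     * Opens {@code fileName}, loads it into {@code keyStore} with the configured store
     * password and closes the stream again whether or not loading succeeded (the
     * original code left the stream open on every path).
     *
     * @param keyStore an uninitialised key store of the type to try
     * @param fileName path of the key store file
     * @throws Exception whatever {@link KeyStore#load} or the stream throws
     */
    private void loadKeyStoreFromFile(KeyStore keyStore, String fileName) throws Exception {
        final FileInputStream in = new FileInputStream(fileName);
        try {
            keyStore.load(in, mStorePassword);
        } finally {
            in.close();
        }
    }

    /**
     * Tries to read a soft key store from {@code fileName} and registers every alias that
     * holds both a private key and a certificate as an OCSP signing entity through
     * {@link #putSignEntity}. The file is first tried as JKS; if that fails with an I/O
     * error it is retried as PKCS#12 through the BC provider.
     *
     * @param adm      administrator used for the certificate chain lookup
     * @param fileName path of the key store file
     * @return false if the file could not be opened as a key store at all (the caller then
     *         tries it as a certificate file); true otherwise, even if no alias was usable
     */
    private boolean loadFromKeyStore(Admin adm, String fileName) {
        final KeyStore keyStore;
        final Enumeration eAlias;
        try {
            KeyStore tmpKeyStore;
            try {
                tmpKeyStore = KeyStore.getInstance("JKS");
                loadKeyStoreFromFile(tmpKeyStore, fileName);
            } catch (IOException e) {
                // Not a JKS store (or not readable as one with this password): retry as PKCS#12.
                tmpKeyStore = KeyStore.getInstance("PKCS12", "BC");
                loadKeyStoreFromFile(tmpKeyStore, fileName);
            }
            keyStore = tmpKeyStore;
            eAlias = keyStore.aliases();
        } catch (Exception e) {
            // Debug level only: files in the key directory that are not key stores are
            // expected, they are handed to loadFromKeyCards next.
            m_log.debug("Unable to load key file "+fileName+". Exception: "+e.getMessage());
            return false;
        }
        while (eAlias.hasMoreElements()) {
            final String alias = (String)eAlias.nextElement();
            try {
                final PrivateKey key = (PrivateKey)keyStore.getKey(alias, mKeyPassword);
                final X509Certificate cert = (X509Certificate)keyStore.getCertificate(alias);
                if (key != null && cert != null) {
                    putSignEntity(new PrivateKeyFactorySW(key), cert, adm, "BC");
                }
            } catch (Exception e) {
                String errMsg = intres.getLocalizedMessage("ocsp.errorgetalias", alias, fileName);
                m_log.error(errMsg, e);
            }
        }
        return true;
    }

    /**
     * Registers {@code cert} together with its private-key factory as the OCSP signing
     * entity of the CA that issued it. The CA is identified from the second element of the
     * chain built by {@link #getCertificateChain}, so a chain with fewer than two
     * certificates cannot be registered and is skipped with a warning.
     *
     * @param keyFactory   source of the private key matching {@code cert}
     * @param cert         the OCSP signing certificate
     * @param adm          administrator used for the chain lookup
     * @param providerName JCE provider name to sign with
     * @return true if both {@code keyFactory} and {@code cert} were non-null (a signing
     *         certificate was present, whether or not it could be registered), false otherwise
     */
    private boolean putSignEntity(PrivateKeyFactory keyFactory, X509Certificate cert, Admin adm, String providerName) {
        if (keyFactory == null || cert == null) {
            return false;
        }
        final X509Certificate[] chain = getCertificateChain(cert, adm);
        if (chain == null) {
            return true; // getCertificateChain has already warned about the missing chain
        }
        if (chain.length < 2) {
            // chain[1] is the issuing CA; without it there is no CA id to register under.
            m_log.warn("Certificate with serial number "+cert.getSerialNumber().toString(0x10)+" has no issuer in its chain, not used for OCSP signing.");
            return true;
        }
        final int caid = getCaid(chain[1]);
        m_log.debug("CA with ID "+caid+" now has a OCSP signing key.");
        final Integer caidKey = new Integer(caid);
        final SigningEntity oldSigningEntity = (SigningEntity)mSignEntity.get(caidKey);
        // Arrays.equals compares the certificates element by element. The array's own
        // equals() is reference equality and is never true for a freshly built chain, so
        // the "new signing key" warning used to fire even when the key was unchanged.
        if (oldSigningEntity != null && !Arrays.equals(oldSigningEntity.getCertificateChain(), chain)) {
            String wMsg = intres.getLocalizedMessage("ocsp.newsigningkey", chain[1].getSubjectDN(), chain[0].getSubjectDN());
            m_log.warn(wMsg);
        }
        mSignEntity.put(caidKey, new SigningEntity(chain, keyFactory, providerName));
        return true;
    }

    /**
     * Reloads the signing certificates and reports every registered signing entity whose
     * private key is not usable. (The method name keeps its historical spelling because
     * callers depend on it.)
     *
     * @return an empty string when all keys are usable; otherwise one line per unusable
     *         key, or the load error message
     */
    public String healtCheck() {
        final StringWriter sw = new StringWriter();
        final PrintWriter pw = new PrintWriter(sw);
        try {
            loadCertificates();
            final Iterator i = mSignEntity.values().iterator();
            while (i.hasNext()) {
                final SigningEntity signingEntity = (SigningEntity)i.next();
                if (signingEntity.isOK()) {
                    continue;
                }
                // chain[1] is safe: putSignEntity only registers chains with at least two certificates.
                final X509Certificate[] chain = signingEntity.getCertificateChain();
                pw.println();
                String errMsg = intres.getLocalizedMessage("ocsp.errorocspkeynotusable", chain[1].getSubjectDN(), chain[0].getSerialNumber().toString(16));
                pw.print(errMsg);
                m_log.error(errMsg);
            }
        } catch (Exception e) {
            String errMsg = intres.getLocalizedMessage("ocsp.errorloadsigningcerts");
            m_log.error(errMsg, e);
            pw.print(errMsg + ": "+e.getMessage());
        }
        pw.flush();
        return sw.toString();
    }

    /** Source of a signing entity's private key; hardware keys are fetched on demand. */
    interface PrivateKeyFactory {
        /** @return the private key, or throws if it cannot be obtained */
        PrivateKey getKey() throws Exception;
        /** @return true if the key is currently usable for signing */
        boolean isOK();
    }

    /** Software key read from a key store and held in memory. */
    private class PrivateKeyFactorySW implements PrivateKeyFactory {
        final private PrivateKey privateKey;

        PrivateKeyFactorySW(PrivateKey key) {
            privateKey = key;
        }

        public PrivateKey getKey() throws Exception {
            return privateKey;
        }

        public boolean isOK() {
            // SW checked when initialized
            return privateKey != null;
        }
    }

    /** Key kept on a hardware token; looked up through mHardTokenObject by its public key. */
    private class PrivateKeyFactoryHW implements PrivateKeyFactory {
        final private RSAPublicKey publicKey;

        PrivateKeyFactoryHW(RSAPublicKey key) {
            publicKey = key;
        }

        public PrivateKey getKey() throws Exception {
            return mHardTokenObject.getPrivateKey(publicKey);
        }

        public boolean isOK() {
            return mHardTokenObject.isOK(publicKey);
        }
    }

    /**
     * Registers {@code obj} as a hardware-backed signing entity if it is an X.509
     * certificate; the private key is fetched from the hard token later by public key.
     *
     * @param obj candidate certificate (anything else is rejected)
     * @param adm administrator used for the chain lookup
     * @return true if {@code obj} was an {@link X509Certificate}, false otherwise
     */
    private boolean putSignEntityHW(Object obj, Admin adm) {
        if (!(obj instanceof X509Certificate)) { // instanceof is false for null as well
            return false;
        }
        final X509Certificate cert = (X509Certificate)obj;
        // The cast throws ClassCastException for non-RSA certificates; loadFromKeyCards catches and logs it.
        final PrivateKeyFactory keyFactory = new PrivateKeyFactoryHW((RSAPublicKey)cert.getPublicKey());
        putSignEntity(keyFactory, cert, adm, "PrimeKey");
        m_log.debug("HW key added. Serial number: "+cert.getSerialNumber().toString(0x10));
        return true;
    }

    /**
     * Reads hardware-token signing certificates from {@code fileName}, first as a PKCS#7
     * bundle and, if that yields nothing, as concatenated PEM certificates, registering each
     * through {@link #putSignEntityHW}. This is called for every file in the key directory
     * that is not a key store, so parse failures are expected and only logged at debug level
     * (previously they were swallowed without a trace).
     *
     * @param adm      administrator used for the chain lookup
     * @param fileName path of the certificate file
     */
    private void loadFromKeyCards(Admin adm, String fileName) {
        final CertificateFactory cf;
        try {
            cf = CertificateFactory.getInstance("X.509");
        } catch (java.security.cert.CertificateException e) {
            throw new Error(e); // an X.509 factory is part of every JRE; its absence is fatal
        }
        String fileType = null;
        // read certs from PKCS#7 file
        try {
            final FileInputStream in = new FileInputStream(fileName);
            final Collection c;
            try {
                c = cf.generateCertificates(in);
            } finally {
                in.close();
            }
            if (c != null && !c.isEmpty()) {
                final Iterator i = c.iterator();
                while (i.hasNext()) {
                    if (putSignEntityHW(i.next(), adm)) {
                        fileType = "PKCS#7";
                    }
                }
            }
        } catch (Exception e) {
            m_log.debug("File "+fileName+" could not be read as PKCS#7: "+e.getMessage());
        }
        if (fileType == null) {
            // read concatenated certs in PEM format
            try {
                final BufferedInputStream bis = new BufferedInputStream(new FileInputStream(fileName));
                try {
                    while (bis.available() > 0) {
                        if (putSignEntityHW(cf.generateCertificate(bis), adm)) {
                            fileType = "PEM";
                        }
                    }
                } finally {
                    bis.close();
                }
            } catch (Exception e) {
                m_log.debug("File "+fileName+" could not be read as PEM: "+e.getMessage());
            }
        }
        if (fileType != null) {
            m_log.debug("Certificate(s) found in file "+fileName+" of "+fileType+".");
        } else {
            m_log.debug("File "+fileName+" has no cert.");
        }
    }

    /**
     * Rebuilds the signing-entity table from every file in the key store directory. Each
     * file is first tried as a soft key store and, failing that, as a file of hard-token
     * certificates. Note that every file in the directory is a candidate for signing key
     * material, so write access to the directory must be as restricted as the keys themselves.
     *
     * @param adm administrator used for the chain lookups
     * @throws ServletException if the configured path is not a directory, contains no files,
     *         or yields no usable signing key
     * @throws IOException if a canonical path cannot be resolved
     */
    protected void loadPrivateKeys(Admin adm) throws ServletException, IOException {
        mSignEntity.clear();
        final File dir = new File(mKeystoreDirectoryName);
        // new File() never yields null, so the old null check was dead.
        if (!dir.isDirectory()) {
            throw new ServletException(dir.getCanonicalPath() + " is not a directory.");
        }
        final File[] files = dir.listFiles();
        if (files == null || files.length == 0) {
            throw new ServletException("No files in soft key directory: " + dir.getCanonicalPath());
        }
        for (int i = 0; i < files.length; i++) {
            final String fileName = files[i].getCanonicalPath();
            if (!loadFromKeyStore(adm, fileName)) {
                loadFromKeyCards(adm, fileName);
            }
        }
        if (mSignEntity.size() == 0) {
            throw new ServletException("No valid keys in directory " + dir.getCanonicalPath());
        }
    }

    /** A signing certificate chain together with the factory that yields its private key. */
    private class SigningEntity {
        final private X509Certificate mChain[];
        final private PrivateKeyFactory mKeyFactory;
        final private String providerName;

        SigningEntity(X509Certificate c[], PrivateKeyFactory f, String sName) {
            mChain = c;
            mKeyFactory = f;
            providerName = sName;
        }

        /**
         * Signs the OCSP response for {@code request} with mChain[0] and its private key.
         * The chain is only included in the response when the request asks for it.
         *
         * @throws ExtendedCAServiceRequestException wrapping any failure from key access
         *         or response generation
         */
        OCSPCAServiceResponse sign(OCSPCAServiceRequest request) throws ExtendedCAServiceRequestException {
            final X509Certificate signerCert = mChain[0];
            final String sigAlgs = request.getSigAlg();
            final PublicKey pk = signerCert.getPublicKey();
            final String sigAlg = OCSPUtil.getSigningAlgFromAlgSelection(sigAlgs, pk);
            m_log.debug("Signing algorithm: "+sigAlg);
            final X509Certificate[] chain = request.includeChain() ? mChain : null;
            try {
                final BasicOCSPResp ocspresp = OCSPUtil.generateBasicOCSPResp(request, sigAlg, signerCert, mKeyFactory.getKey(), providerName, chain);
                return new OCSPCAServiceResponse(ocspresp, chain == null ? null : Arrays.asList(chain));
            } catch (Exception e) {
                throw new ExtendedCAServiceRequestException(e);
            }
        }

        /** @return true if the key is usable; an exception from the factory counts as not usable */
        boolean isOK() {
            try {
                return mKeyFactory.isOK();
            } catch (Exception e) {
                m_log.debug("Exception thrown when accessing the private key", e);
                return false;
            }
        }

        X509Certificate[] getCertificateChain() {
            return mChain;
        }
    }

    protected Collection findCertificatesByType(Admin adm, int type, String issuerDN) {
        return getStoreSessionOnlyData().findCertificatesByType(adm, type, issuerDN);
    }

    protected Certificate findCertificateByIssuerAndSerno(Admin adm, String issuer, BigInteger serno) {
        return getStoreSessionOnlyData().findCertificateByIssuerAndSerno(adm, issuer, serno);
    }

    /**
     * Signs an OCSP response with the signing entity registered for {@code caid}.
     *
     * @throws ExtendedCAServiceNotActiveException if no signing key has been loaded for the CA
     * @throws ExtendedCAServiceRequestException if signing fails
     */
    protected OCSPCAServiceResponse extendedService(Admin adm, int caid, OCSPCAServiceRequest request) throws ExtendedCAServiceRequestException, ExtendedCAServiceNotActiveException {
        final SigningEntity se = (SigningEntity)mSignEntity.get(new Integer(caid));
        if (se == null) {
            throw new ExtendedCAServiceNotActiveException("No ocsp signing key for caid "+caid);
        }
        return se.sign(request);
    }

    protected RevokedCertInfo isRevoked(Admin adm, String name, BigInteger serialNumber) {
        return getStoreSessionOnlyData().isRevoked(adm, name, serialNumber);
    }
}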