x509ca.java

一个免费的CA,基于EJB平台的,老师叫我们测试,现把之共享出来让大家参考

        // Certificate Policies
        if ( (certProfile.getUseCertificatePolicies() == true) && (StringUtils.isNotEmpty(certProfile.getCertificatePolicyId())) ) {
            int displayencoding = DisplayText.CONTENT_TYPE_BMPSTRING;
            if (getUseUTF8PolicyText()) {
                displayencoding = DisplayText.CONTENT_TYPE_UTF8STRING;
            }
            String policyId = certProfile.getCertificatePolicyId();
            String cpsurl = certProfile.getCpsUrl();
            String usernotice = certProfile.getUserNoticeText();
            ASN1EncodableVector policys = new ASN1EncodableVector();
            if (StringUtils.isNotEmpty(policyId )) {
                StringTokenizer tokenizer = new StringTokenizer(policyId, ";", false);
                while (tokenizer.hasMoreTokens()) {
                    String id = tokenizer.nextToken();
                    PolicyInformation pi = getPolicyInformation(id, cpsurl, usernotice, displayencoding);
                    // We only support a cpsurl and usernotice on the first policyid
                    cpsurl = null;
                    usernotice = null;
                    if (pi != null) {
                        policys.add(pi);                    	
                    }
                }
                // Add the final extension
                DERSequence seq = new DERSequence(policys);
                certgen.addExtension(X509Extensions.CertificatePolicies.getId(),
                        certProfile.getCertificatePoliciesCritical(), seq);
            }
        }

         // CRL Distribution point URI
         if (certProfile.getUseCRLDistributionPoint() == true) {
        	 String crldistpoint = certProfile.getCRLDistributionPointURI();
             String crlissuer=certProfile.getCRLIssuer();
        	 if(certProfile.getUseDefaultCRLDistributionPoint()){
        		 crldistpoint = getDefaultCRLDistPoint();
        		 crlissuer = getDefaultCRLIssuer();
        	 }
             // Multiple CDPs are spearated with the ';' sign        	         	 
            ArrayList dpns = new ArrayList();
            if (StringUtils.isNotEmpty(crldistpoint)) {
                StringTokenizer tokenizer = new StringTokenizer(crldistpoint, ";", false);
                while (tokenizer.hasMoreTokens()) {
                    // 6 is URI
                    String uri = tokenizer.nextToken();
                    GeneralName gn = new GeneralName(6, new DERIA5String(uri));
                    log.debug("Added CRL distpoint: "+uri);
                    ASN1EncodableVector vec = new ASN1EncodableVector();
                    vec.add(gn);
                    GeneralNames gns = new GeneralNames(new DERSequence(vec));
                    DistributionPointName dpn = new DistributionPointName(0, gns);
                    dpns.add(dpn);
                }            	
            }
            // CRL issuer works much like Dist point URI. If separated by ; it is put in the same global distPoint as the URI, 
            // if there is more of one of them, the one with more is put in an own global distPoint.
            ArrayList issuers = new ArrayList();
            if (StringUtils.isNotEmpty(crlissuer)) {
                StringTokenizer tokenizer = new StringTokenizer(crlissuer, ";", false);
                while (tokenizer.hasMoreTokens()) {
                	String issuer = tokenizer.nextToken();
                	GeneralName gn = new GeneralName(new X509Name(issuer));
                    log.debug("Added CRL issuer: "+issuer);
                    ASN1EncodableVector vec = new ASN1EncodableVector();
                    vec.add(gn);
                    GeneralNames gns = new GeneralNames(new DERSequence(vec));
                    issuers.add(gns);
                }            	
            }
            ArrayList distpoints = new ArrayList();
            if ( (issuers.size() > 0) || (dpns.size() > 0) ) {
            	int i = dpns.size();
            	if (issuers.size() > i) {
            		i = issuers.size();
            	}
            	for (int j = 0; j < i; j++) {
            		DistributionPointName dpn = null;
            		GeneralNames issuer = null;
            		if (dpns.size() > j) {
            			dpn = (DistributionPointName)dpns.get(j);
            		}
            		if (issuers.size() > j) {
            			issuer = (GeneralNames)issuers.get(j);
            		}
            		if ( (dpn != null) || (issuer != null) ) {
                        distpoints.add(new DistributionPoint(dpn, null, issuer));            	            			
            		}
            	}
            }
            if (distpoints.size() > 0) {
                CRLDistPoint ext = new CRLDistPoint((DistributionPoint[])distpoints.toArray(new DistributionPoint[0]));
                certgen.addExtension(X509Extensions.CRLDistributionPoints.getId(),
                    certProfile.getCRLDistributionPointCritical(), ext);
            }
         }
         // Authority Information Access (OCSP url)
         if (certProfile.getUseOCSPServiceLocator() == true) {
             String ocspUrl = certProfile.getOCSPServiceLocatorURI();
             if(certProfile.getUseDefaultOCSPServiceLocator()){
            	 ocspUrl = getDefaultOCSPServiceLocator();
             }
             if (StringUtils.isNotEmpty(ocspUrl)) {
                 // OCSP access location is a URL (GeneralName no 6)
                 GeneralName ocspLocation = new GeneralName(6, new DERIA5String(ocspUrl));
                 certgen.addExtension(X509Extensions.AuthorityInfoAccess.getId(),
                     false, new AuthorityInformationAccess(X509ObjectIdentifiers.ocspAccessMethod, ocspLocation));                 
             }
         }
         
         // Microsoft Template
         if (certProfile.getUseMicrosoftTemplate() == true) {
             String mstemplate = certProfile.getMicrosoftTemplate();             
             DERObjectIdentifier oid = new DERObjectIdentifier(CertTools.OID_MSTEMPLATE);                           
             certgen.addExtension(oid, false, new DERIA5String(mstemplate));             
         }
         
         // QCStatement (rfc3739)
         if (certProfile.getUseQCStatement() == true) {
             String names = certProfile.getQCStatementRAName();
             GeneralNames san = CertTools.getGeneralNamesFromAltName(names);
             SemanticsInformation si = null;
             if (san != null) {
                 if (StringUtils.isNotEmpty(certProfile.getQCSemanticsId())) {
                     si = new SemanticsInformation(new DERObjectIdentifier(certProfile.getQCSemanticsId()), san.getNames());
                 } else {
                     si = new SemanticsInformation(san.getNames());                     
                 }
             } else if (StringUtils.isNotEmpty(certProfile.getQCSemanticsId())) {
                 si = new SemanticsInformation(new DERObjectIdentifier(certProfile.getQCSemanticsId()));                 
             }
             ArrayList qcs = new ArrayList();
             QCStatement qc = null;
             // First the standard rfc3739 QCStatement with an optional SematicsInformation
             DERObjectIdentifier pkixQcSyntax = RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1;
             if (certProfile.getUsePkixQCSyntaxV2()) {
            	 pkixQcSyntax = RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2;
             }
             if ( (si != null)  ) {
                 qc = new QCStatement(pkixQcSyntax, si);
                 qcs.add(qc);
             } else {
            	 qc = new QCStatement(pkixQcSyntax);
                 qcs.add(qc);
             }
             // ETSI Statement that the certificate is a Qualified Certificate
             if (certProfile.getUseQCEtsiQCCompliance()) {
            	 qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_QcCompliance);
                 qcs.add(qc);
             }
             // ETSI Statement regarding limit on the value of transactions
             if (certProfile.getUseQCEtsiValueLimit()) {
            	 // Both value and currency must be availabel for this extension
            	 if ( (certProfile.getQCEtsiValueLimit() > 0) && (certProfile.getQCEtsiValueLimitCurrency() != null) ) {
            		 int limit = certProfile.getQCEtsiValueLimit();
            		 // The exponent should be default 0
            		 int exponent = certProfile.getQCEtsiValueLimitExp();
            		 MonetaryValue value = new MonetaryValue(new Iso4217CurrencyCode(certProfile.getQCEtsiValueLimitCurrency()), limit, exponent);
            		 qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_LimiteValue, value);
            		 qcs.add(qc);
            	 }
             }
             // ETSI Statement claiming that the private key resides in a Signature Creation Device
             if (certProfile.getUseQCEtsiSignatureDevice()) {
            	 qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_QcSSCD);
                 qcs.add(qc);
             }
             // Custom UTF8String QC-statement:
 			 // qcStatement-YourCustom QC-STATEMENT ::= { SYNTAX YourCustomUTF8String
			 //   IDENTIFIED BY youroid }
			 //   -- This statement gives you the possibility to define your own QC-statement
			 //   -- using an OID and a simple UTF8String, with describing text. A sample text could for example be:
			 //   -- This certificate, according to Act. No. xxxx Electronic Signature Law is a qualified electronic certificate
			 //
			 // YourCustomUTF8String ::= UTF8String
             if (certProfile.getUseQCCustomString()) {
            	 if (!StringUtils.isEmpty(certProfile.getQCCustomStringOid()) && !StringUtils.isEmpty(certProfile.getQCCustomStringText())) {
            		 DERUTF8String str = new DERUTF8String(certProfile.getQCCustomStringText());
            		 DERObjectIdentifier oid = new DERObjectIdentifier(certProfile.getQCCustomStringOid());
                	 qc = new QCStatement(oid, str);
                     qcs.add(qc);            		 
            	 }
             }
             if (qcs.size() >  0) {
            	 ASN1EncodableVector vec = new ASN1EncodableVector();
                 Iterator iter = qcs.iterator();
                 while (iter.hasNext()) {
                	 QCStatement q = (QCStatement)iter.next();
                     vec.add(q);
                 }
                 certgen.addExtension(CertTools.QCSTATEMENTS_OBJECTID, certProfile.getQCStatementCritical(), new DERSequence(vec));                 
             }
         }
         
         // Subject Directory Attributes
         if (certProfile.getUseSubjectDirAttributes() == true) {
        	 // Get the attributes from ExtendedInformation
        	 String dirAttrString = subject.getExtendedinformation().getSubjectDirectoryAttributes();
        	 if (StringUtils.isNotEmpty(dirAttrString)) {
            	 // Subject Directory Attributes is a sequence of Attribute
            	 Collection attr = SubjectDirAttrExtension.getSubjectDirectoryAttributes(dirAttrString);
            	 ASN1EncodableVector vec = new ASN1EncodableVector();
            	 Iterator iter = attr.iterator();
            	 while (iter.hasNext()) {
            		 Attribute a = (Attribute)iter.next();
            		 vec.add(a);
            	 }        		 
            	 // Subject Directory Attributes must always be non-critical
            	 certgen.addExtension(X509Extensions.SubjectDirectoryAttributes, false, new DERSequence(vec));                 
        	 }
        	 
         }         

         // Check for Certificate Extensions
         CertificateExtensionFactory fact = CertificateExtensionFactory.getInstance();
         List usedCertExt = certProfile.getUsedCertificateExtensions();
         Iterator certExtIter = usedCertExt.iterator();
         while(certExtIter.hasNext()){
        	 Integer id = (Integer) certExtIter.next();
        	 CertificateExtension certExt = fact.getCertificateExtensions(id);
        	 certgen.addExtension(new DERObjectIdentifier(certExt.getOID()),certExt.isCriticalFlag(),certExt.getValue(subject, this, certProfile));        	 
         }
         
         X509Certificate cert;
         try{
           cert = certgen.generate(getCAToken().getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), 
                                            getCAToken().getProvider());
         }catch(CATokenOfflineException e){
             log.debug("X509CA : CA Token STATUS OFFLINE: ", e);
             throw e; 
         }
        
        // Verify before returning
        cert.verify(getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CERTSIGN));
        log.debug(">X509CA: generate certificate, CA "+ this.getCAId() + " for DN: " + subject.getDN());
      return cert;                                                                                        
    }

    
    public CRL generateCRL(Vector certs, int crlnumber) 
    throws CATokenOfflineException, IllegalKeyStoreException, IOException, SignatureException, NoSuchProviderException, InvalidKeyException, CRLException, NoSuchAlgorithmException {
        final String sigAlg= getCAToken().getCATokenInfo().getSignatureAlgorithm();

        Date thisUpdate = new Date();
        Date nextUpdate = new Date();

        // crlperiod is hours = crlperiod*60*60*1000 milliseconds
        nextUpdate.setTime(nextUpdate.getTime() + (getCRLPeriod() * (long)(60 * 60 * 1000)));
        X509V2CRLGenerator crlgen = new X509V2CRLGenerator();
        crlgen.setThisUpdate(thisUpdate);
        crlgen.setNextUpdate(nextUpdate);
        crlgen.setSignatureAlgorithm(sigAlg);
        // Make DNs
        X509Certificate cacert = (X509Certificate)getCACertificate();
        if (cacert == null) {
        	// This is an initial root CA, since no CA-certificate exists
            X509Name caname = CertTools.stringToBcX509Name(getSubjectDN());
            crlgen.setIssuerDN(caname);
        } else {
        	crlgen.setIssuerDN(cacert.getSubjectX500Principal());
        }
        if (certs != null) {            
            Iterator it = certs.iterator();