/************************************************************************* * * * EJBCA: The OpenSource Certificate Authority * * * * This software is free software; you can redistribute it and/or * * modify it under the terms of the GNU Lesser General Public * * License as published by the Free Software Foundation; either * * version 2.1 of the License, or any later version. * * * * See terms of license at gnu.org. * * * *************************************************************************/ package org.ejbca.core.model.ca.publisher;import java.io.IOException;import java.io.UnsupportedEncodingException;import java.security.cert.CRLException;import java.security.cert.Certificate;import java.security.cert.CertificateEncodingException;import java.security.cert.X509CRL;import java.security.cert.X509Certificate;import java.util.ArrayList;import java.util.Collection;import java.util.Collections;import java.util.HashMap;import java.util.Iterator;import java.util.List;import java.util.StringTokenizer;import org.apache.commons.lang.StringUtils;import org.apache.log4j.Logger;import org.ejbca.core.ejb.ca.store.CertificateDataBean;import org.ejbca.core.model.InternalResources;import org.ejbca.core.model.log.Admin;import org.ejbca.core.model.ra.ExtendedInformation;import org.ejbca.util.Base64;import org.ejbca.util.CertTools;import org.ejbca.util.dn.DNFieldExtractor;import com.novell.ldap.LDAPAttribute;import com.novell.ldap.LDAPAttributeSet;import com.novell.ldap.LDAPConnection;import com.novell.ldap.LDAPEntry;import com.novell.ldap.LDAPException;import com.novell.ldap.LDAPJSSESecureSocketFactory;import com.novell.ldap.LDAPModification;/** * LdapPublisher is a class handling a publishing to various v3 LDAP catalouges. 
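 *
 * <p>Configuration is kept in the inherited {@code data} map under the protected
 * {@code String} keys declared below. Those key strings are the persisted property
 * names of existing publisher configurations, so they must not be renamed or
 * re-spelled (the value of {@code BASEDN}, "baswdn", is kept as-is for that reason).
 *
 * <p>NOTE(review): the error paths of {@link #storeCertificate} pass
 * {@code getLoginPassword()} as a message argument to the localized messages
 * {@code publisher.errorpassword} and {@code publisher.errordisconnect}, which are
 * then written to the log. The LDAP bind password should not be part of log output;
 * those messages should be given the login DN or hostname instead.
 *
 * @version $Id: LdapPublisher.java,v 1.23.2.2 2007/05/18 16:32:55 anatom Exp $
 */
public class LdapPublisher extends BasePublisher {

    private static final Logger log = Logger.getLogger(LdapPublisher.class);

    /** Internal localization of logs and errors */
    private static final InternalResources intres = InternalResources.getInstance();

    /**
     * DER encoding of a placeholder CRL, published under the CRL and ARL attributes
     * of a newly created CA entry (some directories require those attributes to be
     * present). Filled in lazily by the constructor from {@code fakecrlbytes}; stays
     * {@code null} if that decoding fails.
     * NOTE(review): the lazy initialization is not synchronized; concurrent
     * construction of several publishers may decode it more than once — harmless as
     * long as the result is identical, confirm if that assumption matters.
     */
    protected static byte[] fakecrl = null;

    /** Data-format version of this publisher; presumably used by the upgrade logic in BasePublisher (verify there). */
    public static final float LATEST_VERSION = 5;

    /** Publisher type identifier stored under {@code TYPE} in the data map. */
    public static final int TYPE_LDAPPUBLISHER = 2;

    // Default values for the configurable LDAP schema settings. Semicolon separates
    // multiple object classes; ";binary" is the LDAP transfer-encoding option.
    public static final String DEFAULT_USEROBJECTCLASS = "top;person;organizationalPerson;inetOrgPerson";
    public static final String DEFAULT_CAOBJECTCLASS = "top;applicationProcess;certificationAuthority";
    public static final String DEFAULT_CACERTATTRIBUTE = "cACertificate;binary";
    public static final String DEFAULT_USERCERTATTRIBUTE = "userCertificate;binary";
    public static final String DEFAULT_CRLATTRIBUTE = "certificateRevocationList;binary";
    public static final String DEFAULT_ARLATTRIBUTE = "authorityRevocationList;binary";
    /** Plain LDAP port. Only a default for the UI; the constructor itself defaults to SSL. */
    public static final String DEFAULT_PORT = "389";
    /** LDAPS port, selected by the constructor together with {@code setUseSSL(true)}. */
    public static final String DEFAULT_SSLPORT = "636";

    // Keys into the persisted data map (see class Javadoc: do not rename these values).
    protected static final String HOSTNAME = "hostname";
    protected static final String USESSL = "usessl";
    protected static final String PORT = "port";
    protected static final String BASEDN = "baswdn";
    protected static final String LOGINDN = "logindn";
    protected static final String LOGINPASSWORD = "loginpassword";
    protected static final String CREATENONEXISTING = "createnonexisting";
    protected static final String MODIFYEXISTING = "modifyexisting";
    protected static final String USEROBJECTCLASS = "userobjectclass";
    protected static final String CAOBJECTCLASS = "caobjectclass";
    protected static final String USERCERTATTRIBUTE = "usercertattribute";
    protected static final String CACERTATTRIBUTE = "cacertattribute";
    protected static final String CRLATTRIBUTE = "crlattribute";
    protected static final String ARLATTRIBUTE = "arlattribute";
    protected static final String USEFIELDINLDAPDN = "usefieldsinldapdn";
    protected static final String ADDMULTIPLECERTIFICATES = "addmultiplecertificates";
    protected static final String REMOVEREVOKED = "removerevoked";
    protected static final String REMOVEUSERONCERTREVOKE = "removeusersoncertrevoke";

    /**
     * Creates a publisher with secure defaults: SSL enabled on port 636, empty
     * hostname/base DN/login credentials, creation and modification of user entries
     * enabled, one certificate per user entry, revoked certificates removed but the
     * user entry itself kept.
     *
     * <p>Also initializes the shared placeholder CRL ({@link #fakecrl}) on first use.
     * A failure to decode it is logged rather than thrown, so that the publisher can
     * still be constructed; publishing of CA entries will then proceed with a
     * {@code null} CRL/ARL value, which is why the failure is logged at error level.
     */
    public LdapPublisher() {
        super();
        data.put(TYPE, new Integer(TYPE_LDAPPUBLISHER));
        setHostname("");
        // Default to LDAPS so the bind password is not sent in the clear unless the
        // administrator explicitly turns SSL off.
        setUseSSL(true);
        setPort(DEFAULT_SSLPORT);
        setBaseDN("");
        setLoginDN("");
        setLoginPassword("");
        setCreateNonExisingUsers(true);
        setModifyExistingUsers(true);
        setUserObjectClass(DEFAULT_USEROBJECTCLASS);
        setCAObjectClass(DEFAULT_CAOBJECTCLASS);
        setUserCertAttribute(DEFAULT_USERCERTATTRIBUTE);
        setCACertAttribute(DEFAULT_CACERTATTRIBUTE);
        setCRLAttribute(DEFAULT_CRLATTRIBUTE);
        setARLAttribute(DEFAULT_ARLATTRIBUTE);
        setUseFieldInLdapDN(new ArrayList());
        // By default use only one certificate for each user
        setAddMultipleCertificates(false);
        setRemoveRevokedCertificates(true);
        setRemoveUsersWhenCertRevoked(false);

        if (fakecrl == null) {
            try {
                X509CRL crl = CertTools.getCRLfromByteArray(fakecrlbytes);
                fakecrl = crl.getEncoded();
            } catch (CRLException e) {
                // Best effort: keep constructing, but never hide the cause (fakecrl stays null).
                log.error("Could not decode the built-in placeholder CRL; CA entries will be published without a CRL/ARL value.", e);
            } catch (IOException e) {
                log.error("Could not read the built-in placeholder CRL; CA entries will be published without a CRL/ARL value.", e);
            }
        }
    }

    // Public Methods

    /**
     * Publishes certificate in LDAP, if the certificate is not revoked. If the certificate is revoked, nothing is done
     * and the publishing is counted as successful (i.e. returns true).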
* * @see org.ejbca.core.model.ca.publisher.BasePublisher */ public boolean storeCertificate(Admin admin, Certificate incert, String username, String password, String cafp, int status, int type, long revocationDate, int revocationReason, ExtendedInformation extendedinformation) throws PublisherException{ log.debug(">storeCertificate(username="+username+")"); // Don't publish non-active certificates if (status != CertificateDataBean.CERT_ACTIVE) { String msg = intres.getLocalizedMessage("publisher.notpublrevoked", new Integer(status)); log.info(msg); return true; } int ldapVersion = LDAPConnection.LDAP_V3; LDAPConnection lc = createLdapConnection(); String dn = null; String certdn = null; try { // Extract the users DN from the cert. certdn = CertTools.getSubjectDN((X509Certificate) incert); log.debug( "Constructing DN for: " + username); dn = constructLDAPDN(certdn); log.debug("LDAP DN for user " +username +" is " + dn); } catch (Exception e) { String msg = intres.getLocalizedMessage("publisher.errorldapdecode", "certificate"); log.error(msg, e); throw new PublisherException(msg); } // Extract the users email from the cert. String email = CertTools.getEMailAddress((X509Certificate)incert); // Check if the entry is already present, we will update it with the new certificate. LDAPEntry oldEntry = searchOldEntity(username, ldapVersion, lc, dn); // PART 2: Create LDAP entry LDAPEntry newEntry = null; ArrayList modSet = new ArrayList(); LDAPAttributeSet attributeSet = null; String attribute = null; String objectclass = null; if (type == CertificateDataBean.CERTTYPE_ENDENTITY) { log.debug("Publishing end user certificate to " + getHostname()); if (oldEntry != null) { // TODO: Are we the correct type objectclass? 
modSet = getModificationSet(oldEntry, certdn, true, true); } else { objectclass = getUserObjectClass(); // just used for logging attributeSet = getAttributeSet(incert, getUserObjectClass(), certdn, true, true, password, extendedinformation); } if (email != null) { //log.debug("Adding email attribute: "+email); LDAPAttribute mailAttr = new LDAPAttribute("mail", email); if (oldEntry != null) { modSet.add(new LDAPModification(LDAPModification.REPLACE, mailAttr)); } else { attributeSet.add(mailAttr); } } try { attribute = getUserCertAttribute(); LDAPAttribute certAttr = new LDAPAttribute(getUserCertAttribute(), incert.getEncoded()); if (oldEntry != null) { if (getAddMultipleCertificates()) { modSet.add(new LDAPModification(LDAPModification.ADD, certAttr)); log.debug("Appended new certificate in user entry; " + username+": "+dn); } else { modSet.add(new LDAPModification(LDAPModification.REPLACE, certAttr)); log.debug("Replaced certificate in user entry; " + username+": "+dn); } } else { attributeSet.add(certAttr); log.debug("Added new certificate to user entry; " + username+": "+dn); } } catch (CertificateEncodingException e) { String msg = intres.getLocalizedMessage("publisher.errorldapencodestore", "certificate"); log.error(msg, e); throw new PublisherException(msg); } } else if ((type == CertificateDataBean.CERTTYPE_SUBCA) || (type == CertificateDataBean.CERTTYPE_ROOTCA)) { log.debug("Publishing CA certificate to " + getHostname()); if (oldEntry != null) { modSet = getModificationSet(oldEntry, certdn, false, false); } else { objectclass = getCAObjectClass(); // just used for logging attributeSet = getAttributeSet(incert, getCAObjectClass(), certdn, true, false, password, extendedinformation); } try { attribute = getCACertAttribute(); LDAPAttribute certAttr = new LDAPAttribute(getCACertAttribute(), incert.getEncoded()); if (oldEntry != null) { modSet.add(new LDAPModification(LDAPModification.REPLACE, certAttr)); } else { attributeSet.add(certAttr); // Also create 
using the crlattribute, it may be required LDAPAttribute crlAttr = new LDAPAttribute(getCRLAttribute(), fakecrl); attributeSet.add(crlAttr); // Also create using the arlattribute, it may be required LDAPAttribute arlAttr = new LDAPAttribute(getARLAttribute(), fakecrl); attributeSet.add(arlAttr); log.debug("Added (fake) attribute for CRL and ARL."); } } catch (CertificateEncodingException e) { String msg = intres.getLocalizedMessage("publisher.errorldapencodestore", "certificate"); log.error(msg, e); throw new PublisherException(msg); } } else { String msg = intres.getLocalizedMessage("publisher.notpubltype", new Integer(type)); log.info(msg); throw new PublisherException(msg); } // PART 3: MODIFICATION AND ADDITION OF NEW USERS try { lc.connect(getHostname(), Integer.parseInt(getPort())); // authenticate to the server lc.bind(ldapVersion, getLoginDN(), getLoginPassword().getBytes("UTF8")); // Add or modify the entry if (oldEntry != null && getModifyExistingUsers()) { LDAPModification[] mods = new LDAPModification[modSet.size()]; mods = (LDAPModification[])modSet.toArray(mods); String oldDn = oldEntry.getDN(); log.debug("Writing modification to DN: "+oldDn); lc.modify(oldDn, mods); String msg = intres.getLocalizedMessage("publisher.ldapmodify", "CERT", oldDn); log.info(msg); } else { if(this.getCreateNonExisingUsers()){ if (oldEntry == null) { newEntry = new LDAPEntry(dn, attributeSet); log.debug("Adding DN: "+dn); lc.add(newEntry); String msg = intres.getLocalizedMessage("publisher.ldapadd", "CERT", dn); log.info(msg); } } } } catch (LDAPException e) { String msg = intres.getLocalizedMessage("publisher.errorldapstore", "certificate", attribute, objectclass, dn); log.error(msg, e); throw new PublisherException(msg); } catch (UnsupportedEncodingException e) { String msg = intres.getLocalizedMessage("publisher.errorpassword", getLoginPassword()); log.error(msg, e); throw new PublisherException(msg); } finally { // disconnect with the server try { lc.disconnect(); } 
catch (LDAPException e) { String msg = intres.getLocalizedMessage("publisher.errordisconnect", getLoginPassword()); log.error(msg, e); } } log.debug("<storeCertificate()");