* Sets the status of every certificate issued to the given user to revoked.
* Each certificate found for the user is handed to the per-certificate
* setRevokeStatus helper, so the same rules (status checks, publisher
* updates, logging) apply as when revoking a single certificate.
* A failed lookup is logged with EVENT_ERROR_REVOKEDCERT and rethrown as
* an EJBException.
*
* @param admin Administrator performing the operation
* @param username the username whose certificates are revoked; dangerous characters are stripped before use
* @param publishers a Collection of publisher ids (Integer) to revoke the certificates in, or null to skip publishers
* @param reason the reason of the revocation (one of the RevokedCertInfo.REVOKATION_REASON constants)
* @throws EJBException if the user's certificates could not be looked up
* @ejb.transaction type="Required"
* @ejb.interface-method
*/
public void setRevokeStatus(Admin admin, String username, Collection publishers, int reason) {
    debug(">setRevokeStatus(), username=" + username);
    // The stripped name is what gets looked up and what ends up in the audit log.
    username = StringTools.strip(username);
    try {
        Collection userCerts = findCertificatesByUsername(admin, username);
        for (Iterator it = userCerts.iterator(); it.hasNext();) {
            X509Certificate cert = (X509Certificate) it.next();
            setRevokeStatus(admin, cert, publishers, reason);
        }
    } catch (FinderException e) {
        String msg = intres.getLocalizedMessage("store.errorfindcertuser", username);
        getLogSession().log(admin, admin.getCaId(), LogEntry.MODULE_CA, new Date(), null, null, LogEntry.EVENT_ERROR_REVOKEDCERT, msg);
        throw new EJBException(e);
    }
    debug("<setRevokeStatus(), username=" + username);
} // setRevokeStatus

/**
* Sets the status of the certificate with the given issuer and serial number to revoked.
*
* @param admin Administrator performing the operation
* @param issuerdn the issuer DN of the certificate to revoke
* @param serno the serial number of the certificate to revoke
* @param publishers a Collection of publisher ids (Integer) to revoke the certificate in, or null to skip publishers
* @param reason the reason of the revocation (one of the RevokedCertInfo.REVOKATION_REASON constants)
* @throws EJBException if the certificate could not be looked up by issuer and serial number
* @ejb.transaction type="Required"
* @ejb.interface-method
*/
public void setRevokeStatus(Admin admin, String issuerdn, BigInteger serno, Collection publishers, int reason) {
    debug(">setRevokeStatus(), issuerdn=" + issuerdn + ", serno=" + serno);
    try {
        // A failed lookup surfaces as FinderException; a null result is tolerated by the helper.
        X509Certificate found = (X509Certificate) findCertificateByIssuerAndSerno(admin, issuerdn, serno);
        setRevokeStatus(admin, found, publishers, reason);
    } catch (FinderException e) {
        String msg = intres.getLocalizedMessage("store.errorfindcertserno", serno.toString(16));
        getLogSession().log(admin, issuerdn.hashCode(), LogEntry.MODULE_CA, new Date(), null, null, LogEntry.EVENT_ERROR_REVOKEDCERT, msg);
        throw new EJBException(e);
    }
    debug("<setRevokeStatus(), issuerdn=" + issuerdn + ", serno=" + serno);
} // setRevokeStatus

/**
* Helper that moves a single certificate between revoked and active status.
*
* @param admin Administrator performing the operation
* @param certificate the certificate to revoke or reactivate; null is ignored
* @param publishers a Collection of publisher ids (Integer) to revoke the certificate in, or null to skip publishers
* @param reason the reason of the revocation (one of the RevokedCertInfo.REVOKATION_REASON constants);
*               NOT_REVOKED or REVOKATION_REASON_REMOVEFROMCRL requests reactivation instead
* @throws FinderException if no CertificateData row exists for the certificate's fingerprint
*
* Three outcomes are possible, decided in order:
* (1) row not yet CERT_REVOKED and reason is a real revocation reason -> revoke, log, notify publishers;
* (2) reason is NOT_REVOKED/REMOVEFROMCRL and the stored reason is CERTIFICATEHOLD -> reactivate and try to republish;
* (3) anything else -> only an "ignored" notification is logged. In particular, a certificate that is already
*     revoked (e.g. on hold) and is requested with a different permanent reason lands in (3); the stored reason
*     is not changed.
*/
private void setRevokeStatus(Admin admin, X509Certificate certificate, Collection publishers, int reason) throws FinderException {
    // Nothing to do for a null certificate (the issuer/serno variant passes through whatever its lookup returned).
    if (certificate == null) {
        return;
    }
    debug(">setRevokeStatus(X509Certificate), issuerdn=" + certificate.getIssuerDN() + ", serno=" + certificate.getSerialNumber());
    // Dead guard: null was handled above, so this branch always executes.
    if (certificate != null) {
        // The row is looked up by fingerprint, the primary key of CertificateData.
        CertificateDataPK revpk = new CertificateDataPK();
        revpk.fingerprint = CertTools.getFingerprintAsString(certificate);
        CertificateDataLocal rev = certHome.findByPrimaryKey(revpk);
        String serialNo = certificate.getSerialNumber().toString(16); // for logging
        // (1) Revoke. Revocation time is the server clock at the time of the call.
        if ( (rev.getStatus() != CertificateDataBean.CERT_REVOKED) && (reason != RevokedCertInfo.NOT_REVOKED) && (reason != RevokedCertInfo.REVOKATION_REASON_REMOVEFROMCRL) ) {
            rev.setStatus(CertificateDataBean.CERT_REVOKED);
            rev.setRevocationDate(new Date());
            rev.setRevocationReason(reason);
            String msg = intres.getLocalizedMessage("store.revokedcert", new Integer(reason));
            getLogSession().log(admin, certificate, LogEntry.MODULE_CA, new java.util.Date(), null, certificate, LogEntry.EVENT_INFO_REVOKEDCERT, msg);
            // Revoke in all related publishers; a null publisher list skips this step entirely.
            if (publishers != null) {
                getPublisherSession().revokeCertificate(admin, publishers, certificate, reason);
            }
        // (2) Reactivate. The gate is the stored reason (CERTIFICATEHOLD) only, not the current status.
        } else if ( ((reason == RevokedCertInfo.NOT_REVOKED) || (reason == RevokedCertInfo.REVOKATION_REASON_REMOVEFROMCRL)) && (rev.getRevocationReason() == RevokedCertInfo.REVOKATION_REASON_CERTIFICATEHOLD) ) {
            // Only allow unrevocation if the certificate is revoked and the revocation reason is CERTIFICATE_HOLD
            rev.setStatus(CertificateDataBean.CERT_ACTIVE);
            rev.setRevocationDate(null);
            rev.setRevocationReason(RevokedCertInfo.NOT_REVOKED);
            // Republish the certificate if possible.
            // If it is not possible, only log the problem but continue the operation of reactivating the certificate.
            // Every early exit below is a thrown Exception that the catch turns into an informational log entry.
            try {
                CertReqHistory certreqhist = getCertReqHistory(admin, certificate.getSerialNumber(), certificate.getIssuerDN().getName());
                if(certreqhist == null){
                    throw new Exception("Unrevoked cert:" + serialNo + " reason: " + reason + " Must not be republished.");
                }
                UserDataVO userdata = certreqhist.getUserDataVO();
                if ( userdata == null ){
                    throw new Exception("Unrevoked cert:" + serialNo + " reason: " + reason + " Could not be republished, there ane no UserData in History.");
                }
                CertificateProfile certprofile = getCertificateProfile(admin, userdata.getCertificateProfileId());
                if(certprofile == null){
                    throw new Exception("Unrevoked cert:" + serialNo + " reason: " + reason + " Could not be republished, can't find certificate profile.");
                }
                CertificateInfo certinfo = getCertificateInfo(admin, CertTools.getFingerprintAsString(certificate));
                if(certprofile.getPublisherList().size() <= 0){
                    throw new Exception("Unrevoked cert:" + serialNo + " reason: " + reason + " Could not be republished, there are no publishers defined.");
                }
                // NOTE(review): rev.setRevocationDate(null) ran above; if certinfo reflects that same row,
                // getRevocationDate() may be null here and the resulting NPE is swallowed by the catch below - confirm.
                boolean published = publishersession.storeCertificate(admin, certprofile.getPublisherList(), certificate, certreqhist.getUserDataVO().getUsername(), certreqhist.getUserDataVO().getPassword(), certinfo.getCAFingerprint(), certinfo.getStatus() , certinfo.getType(), certinfo.getRevocationDate().getTime(), certinfo.getRevocationReason(), certreqhist.getUserDataVO().getExtendedinformation());
                if ( !published ) {
                    throw new Exception("Unrevoked cert:" + serialNo + " reason: " + reason + " Could not be republished.");
                }
                String msg = intres.getLocalizedMessage("store.republishunrevokedcert", new Integer(reason));
                getLogSession().log(admin, certificate.getIssuerDN().hashCode(), LogEntry.MODULE_CA, new java.util.Date(), null, certificate, LogEntry.EVENT_INFO_NOTIFICATION, msg);
            } catch (Exception ex) {
                // We catch the exception thrown above to log the message; it is only informational, so nothing is re-thrown.
                // Only getMessage() is logged: an exception without a message (e.g. an NPE) logs null and the cause is lost.
                getLogSession().log(admin, certificate.getIssuerDN().hashCode(), LogEntry.MODULE_CA, new java.util.Date(), null, certificate, LogEntry.EVENT_INFO_NOTIFICATION, ex.getMessage());
            }
        // (3) Ignored: the request does not change the row; current status and requested reason go into the log.
        } else {
            String msg = intres.getLocalizedMessage("store.ignorerevoke", serialNo, new Integer(rev.getStatus()), new Integer(reason));
            getLogSession().log(admin, certificate.getIssuerDN().hashCode(), LogEntry.MODULE_CA, new java.util.Date(), null, certificate, LogEntry.EVENT_INFO_NOTIFICATION, msg);
        }
        // Update database protection with the row's current field values (runs for all three outcomes).
        if (protect) {
            CertificateInfo entry = new CertificateInfo(rev.getFingerprint(), rev.getCaFingerprint(), rev.getSerialNumber(), rev.getIssuerDN(), rev.getSubjectDN(), rev.getStatus(), rev.getType(), rev.getExpireDate(), rev.getRevocationDate(), rev.getRevocationReason());
            // This local shadows the boolean 'protect' tested just above.
            TableProtectSessionLocal protect;
            try {
                protect = protecthome.create();
                protect.protect(admin, entry);
            } catch (CreateException e) {
                // Only logged: a failed protection update does not abort the status change.
                String msg = intres.getLocalizedMessage("protect.errorcreatesession");
                error(msg, e);
            }
        }
    }
    debug("<setRevokeStatus(), issuerdn=" + certificate.getIssuerDN() + ", serno=" + certificate.getSerialNumber());
} // setRevokeStatus

/**
* Revokes a certificate (already revoked by the CA) in the database, by issuer DN and serial number.
*
* @param admin Administrator performing the operation
* @param cert the Certificate that has been revoked; anything that is not an X509Certificate is silently ignored
* @param publishers a Collection of publisher ids (Integer) to revoke the certificate in, or null to skip publishers
* @param reason the reason of the revocation (one of the RevokedCertInfo.REVOKATION_REASON constants)
* @ejb.transaction type="Required"
* @ejb.interface-method
*/
public void revokeCertificate(Admin admin, Certificate cert, Collection publishers, int reason) {
    if (cert instanceof X509Certificate) {
        // The issuer DN is passed as its default toString() form; the issuer/serno variant does the lookup.
        setRevokeStatus(admin, ((X509Certificate) cert).getIssuerDN().toString(), ((X509Certificate) cert).getSerialNumber(), publishers, reason);
    }
} //revokeCertificate

/**
* Revokes all certificates issued by the specified issuer DN. Sets the revocation date to the current time.
* Should only be called by CAAdminBean when a CA is about to be revoked.
*
* @param admin the administrator performing the event.
* @param issuerdn the DN of the CA about to be revoked
* @param reason the reason of the revocation.
* The issuer DN is normalised with CertTools.stringToBCDNString before it is used in the WHERE clauses.
* Two UPDATE statements run in order on the CertificateData table:
* first every CERT_TEMP_REVOKED row is promoted to CERT_REVOKED (its stored revocation date and reason are kept),
* then every row whose status is not CERT_REVOKED gets CERT_REVOKED, the supplied reason and the current time.
* The rows are changed with plain SQL, so the table-protection update that setRevokeStatus performs per row
* is not done here. Any failure is logged with EVENT_ERROR_REVOKEDCERT and rethrown as an EJBException.
*
* @throws EJBException if either statement fails
* @ejb.transaction type="Required"
* @ejb.interface-method
*/
public void revokeAllCertByCA(Admin admin, String issuerdn, int reason) {
    final String bcdn = CertTools.stringToBCDNString(issuerdn);
    // Certificates on hold only change status; their stored revocation date and reason are left as they are.
    final String promoteHeldSql = "UPDATE CertificateData SET status=? WHERE issuerDN=? AND status = ? ";
    // Everything not yet revoked gets the supplied reason and the current time.
    final String revokeRestSql = "UPDATE CertificateData SET status=?, revocationDate=?, revocationReason=? WHERE issuerDN=? AND status <> ?";
    final long now = System.currentTimeMillis();
    Connection conn = null;
    PreparedStatement promoteHeld = null;
    PreparedStatement revokeRest = null;
    try {
        conn = JDBCUtil.getDBConnection(JNDINames.DATASOURCE);

        promoteHeld = conn.prepareStatement(promoteHeldSql);
        promoteHeld.setInt(1, CertificateDataBean.CERT_REVOKED);
        promoteHeld.setString(2, bcdn);
        promoteHeld.setInt(3, CertificateDataBean.CERT_TEMP_REVOKED);
        int promoted = promoteHeld.executeUpdate();

        // Runs after the promotion, so the rows promoted above are excluded by the status <> ? clause.
        revokeRest = conn.prepareStatement(revokeRestSql);
        revokeRest.setInt(1, CertificateDataBean.CERT_REVOKED);
        revokeRest.setLong(2, now);
        revokeRest.setInt(3, reason);
        revokeRest.setString(4, bcdn);
        revokeRest.setInt(5, CertificateDataBean.CERT_REVOKED);
        int newlyRevoked = revokeRest.executeUpdate();

        String msg = intres.getLocalizedMessage("store.revokedallbyca", issuerdn, new Integer(newlyRevoked + promoted), new Integer(reason));
        getLogSession().log(admin, bcdn.hashCode(), LogEntry.MODULE_CA, new Date(), null, null, LogEntry.EVENT_INFO_REVOKEDCERT, msg);
    } catch (Exception e) {
        String msg = intres.getLocalizedMessage("store.errorrevokeallbyca", issuerdn);
        getLogSession().log(admin, bcdn.hashCode(), LogEntry.MODULE_CA, new Date(), null, null, LogEntry.EVENT_ERROR_REVOKEDCERT, msg, e);
        throw new EJBException(e);
    } finally {
        JDBCUtil.close(conn, promoteHeld, null);
        JDBCUtil.close(revokeRest);
    }
} // revokeAllCertByCA

/**
* Checks whether all of a user's certificates have been revoked.
*
* @param admin Administrator performing the operation
* @param username the username to check for; dangerous characters are stripped before use
* @return true if every certificate found for the user has status CERT_REVOKED; also true when no certificates are found
* @throws EJBException if the user's certificates or a certificate row could not be looked up
* @ejb.interface-method
*/
public boolean checkIfAllRevoked(Admin admin, String username) {
    // Strip dangerous chars before the name is used for the lookup.
    username = StringTools.strip(username);
    boolean allRevoked = true;
    try {
        Collection userCerts = findCertificatesByUsername(admin, username);
        for (Iterator it = userCerts.iterator(); it.hasNext();) {
            CertificateDataPK pk = new CertificateDataPK();
            X509Certificate cert = (X509Certificate) it.next();
            pk.fingerprint = CertTools.getFingerprintAsString(cert);
            CertificateDataLocal row = certHome.findByPrimaryKey(pk);
            if (protect) {
                CertificateInfo entry = new CertificateInfo(row.getFingerprint(), row.getCaFingerprint(), row.getSerialNumber(), row.getIssuerDN(), row.getSubjectDN(), row.getStatus(), row.getType(), row.getExpireDate(), row.getRevocationDate(), row.getRevocationReason());
                try {
                    TableProtectSessionLocal protectSession = protecthome.create();
                    // verify() logs a failed check itself; its result does not influence the return value.
                    TableVerifyResult res = protectSession.verify(entry);
                    if (res.getResultCode() != TableVerifyResult.VERIFY_SUCCESS) {
                        // Intentionally no action: a row whose protection check fails still counts by its stored status.
                    }
                } catch (CreateException e) {
                    String msg = intres.getLocalizedMessage("protect.errorcreatesession");
                    error(msg, e);
                }
            }
            // No early exit on purpose: the remaining certificates are still verified above.
            if (row.getStatus() != CertificateDataBean.CERT_REVOKED) {
                allRevoked = false;
            }
        }
    } catch (FinderException e) {
        throw new EJBException(e);
    }
    return allRevoked;
}

/**
* Checks if a certificate is revoked.
*
* @param admin Administrator performing the operation
* @param issuerDN the DN of the issuer.
* @param serno the serial number of the certificate that will be checked
* @return RevokedCertInfo with revocation information, with reason RevokedCertInfo.NOT_REVOKED if NOT revoked.
*         Returns null if the certificate is not found.
* @ejb.interface-method
*/
public RevokedCertInfo isRevoked(Admin admin, String issuerDN, BigInteger serno) {
    // Fully delegated to the shared utility, which is handed the entity home,
    // the table-protection home and the adapter this bean holds.
    RevokedCertInfo info = CertificateDataUtil.isRevoked(admin, issuerDN, serno, certHome, protecthome, adapter);
    return info;
} //isRevoked

/**
* Retrieves the latest CRL issued by this CA.
*
* @param admin Administrator performing the operation
* @param issuerdn the CRL issuer's DN (the CA's subject DN)
* @return the latest CRL as a byte array, or null if no CRLs have been issued.
* @ejb.interface-method
*/
public byte[] getLastCRL(Admin admin, String issuerdn) {