} catch (CertificateNotYetValidException cve) { throw new CADoesntExistsException(cve); } // See if we need some key material to decrypt request if (req.requireKeyInfo()) { // You go figure...scep encrypts message with the public CA-cert req.setKeyInfo((X509Certificate)ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), catoken.getProvider()); } //Create the response message with all nonces and checks etc ret = req.createResponseMessage(responseClass, req, ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_KEYENCRYPT), catoken.getProvider()); // Get the CRL, don't even bother digging into the encrypted CRLIssuerDN...since we already // know that we are the CA (SCEP is soooo stupid!) byte[] crl = certificateStore.getLastCRL(admin, ca.getSubjectDN()); if (crl != null) { ret.setCrl(CertTools.getCRLfromByteArray(crl)); ret.setStatus(ResponseStatus.SUCCESS); } else { ret.setStatus(ResponseStatus.FAILURE); ret.setFailInfo(FailInfo.BAD_REQUEST); } ret.create(); // TODO: handle returning errors as response message, // javax.ejb.ObjectNotFoundException and the others thrown... 
} catch (NotFoundException e) { // This actually can not happen here throw new CADoesntExistsException(e); } catch (IllegalKeyStoreException e) { throw new IllegalKeyException(e); } catch (UnsupportedEncodingException e) { throw new CADoesntExistsException(e); } catch (NoSuchProviderException e) { log.error("NoSuchProvider provider: ", e); } catch (InvalidKeyException e) { log.error("Invalid key in request: ", e); } catch (NoSuchAlgorithmException e) { log.error("No such algorithm: ", e); } catch (CRLException e) { log.error("Cannot create response message: ", e); } catch (IOException e) { log.error("Cannot create response message: ", e); } catch (CATokenOfflineException ctoe) { String msg = intres.getLocalizedMessage("error.catokenoffline", cadata.getSubjectDN()); log.error(msg, ctoe); getLogSession().log(admin, cadata.getCaId().intValue(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_GETLASTCRL, msg, ctoe); throw new CADoesntExistsException(msg); } debug("<getCRL(IRequestMessage)"); return ret; } /** * Help Method that extracts the CA specified in the request. 
 */
/**
 * Resolves the CA entity that an incoming request message is addressed to.
 * <p>
 * Two lookup keys are tried, in this order:
 * <ol>
 *   <li>The issuer DN. When the request also carries a serial number, the certificate store is
 *       consulted for the CA certificate so that its subject DN is used instead; the CA id is
 *       then {@code dn.hashCode()}. This path performs no credential check of its own.</li>
 *   <li>The username/password pair, which is authenticated through {@code authUser} and mapped
 *       to the user's CA id.</li>
 * </ol>
 * The resolved CA must be active and its certificate must lie inside its validity period. An
 * expired CA certificate is recorded by setting {@code SecConst.CA_EXPIRED} on both the entity
 * and the in-memory CA object before the request is rejected.
 *
 * @param admin administrator on whose behalf store lookups and log entries are made
 * @param req   request message supplying issuer DN / serial number or username / password
 * @return the CA entity bean the request belongs to
 * @throws CADoesntExistsException when neither lookup key is present, the CA record is not
 *         found, or the CA certificate is expired or not yet valid
 * @throws AuthStatusException propagated from user authentication
 * @throws AuthLoginException propagated from user authentication
 * @throws UnsupportedEncodingException propagated from {@code CADataLocal.getCA()}
 * @throws EJBException when a session bean cannot be created, the CA is not active, or its
 *         key store cannot be used
 */
private CADataLocal getCAFromRequest(Admin admin, IRequestMessage req) throws AuthStatusException, AuthLoginException, CADoesntExistsException, UnsupportedEncodingException {
    CADataLocal cadata;
    try {
        String issuerDn = req.getIssuerDN();
        String username = req.getUsername();
        if (issuerDn != null) {
            debug("Got an issuerDN: " + issuerDn);
            String caDn = issuerDn;
            // With a serial number the (issuer, serial) pair identifies the CA certificate itself;
            // without one the issuer DN is assumed to already be the CA's subject DN (root CA case).
            BigInteger serialNumber = req.getSerialNo();
            if (serialNumber != null) {
                debug("Got a serialNumber: " + serialNumber.toString(16));
                ICertificateStoreSessionLocal certificateStore = storeHome.create();
                X509Certificate caCert = (X509Certificate) certificateStore.findCertificateByIssuerAndSerno(admin, issuerDn, serialNumber);
                if (caCert != null) {
                    caDn = caCert.getSubjectDN().getName();
                }
            }
            debug("Using DN: " + caDn);
            // CA ids are the hash code of the CA's subject DN throughout this bean.
            cadata = cadatahome.findByPrimaryKey(new Integer(caDn.hashCode()));
            debug("Using CA (from issuerDN) with id: " + cadata.getCaId() + " and DN: " + cadata.getSubjectDN());
        } else if (username != null) {
            // Credentials are verified before the user's CA is even looked up.
            UserDataVO userData = authUser(admin, username, req.getPassword());
            cadata = cadatahome.findByPrimaryKey(new Integer(userData.getCAId()));
            debug("Using CA (from username) with id: " + cadata.getCaId() + " and DN: " + cadata.getSubjectDN());
        } else {
            throw new CADoesntExistsException();
        }
    } catch (javax.ejb.FinderException fe) {
        String msg = intres.getLocalizedMessage("signsession.canotfoundissuerusername", req.getIssuerDN(), req.getUsername());
        error(msg);
        getLogSession().log(admin, -1, LogEntry.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogEntry.EVENT_ERROR_CREATECERTIFICATE, msg, fe);
        throw new CADoesntExistsException(fe);
    } catch (CreateException ce) {
        // Session bean creation failing is a container problem, not a bad request.
        String msg = intres.getLocalizedMessage("signsession.canotfoundissuerusername", req.getIssuerDN(), req.getUsername());
        error(msg, ce);
        getLogSession().log(admin, -1, LogEntry.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogEntry.EVENT_ERROR_CREATECERTIFICATE, msg, ce);
        throw new EJBException(ce);
    }

    CA ca = null;
    try {
        ca = cadata.getCA();
        if (ca.getStatus() != SecConst.CA_ACTIVE) {
            String msg = intres.getLocalizedMessage("signsession.canotactive", cadata.getSubjectDN());
            getLogSession().log(admin, cadata.getCaId().intValue(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECERTIFICATE, msg);
            throw new EJBException(msg);
        }
        // Reject requests to a CA whose own certificate is outside its validity period.
        X509Certificate caCert = (X509Certificate) ca.getCACertificate();
        caCert.checkValidity();
    } catch (CertificateExpiredException cee) {
        // Persist the expired state so later callers do not repeat the validity check.
        cadata.setStatus(SecConst.CA_EXPIRED);
        ca.setStatus(SecConst.CA_EXPIRED);
        String msg = intres.getLocalizedMessage("signsession.caexpired", cadata.getSubjectDN());
        getLogSession().log(admin, cadata.getCaId().intValue(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECERTIFICATE, msg, cee);
        throw new CADoesntExistsException(msg);
    } catch (CertificateNotYetValidException cve) {
        throw new CADoesntExistsException(cve);
    } catch (IllegalKeyStoreException e) {
        throw new EJBException(e);
    }
    return cadata;
}

/**
 * Requests for a CRL to be created with the passed (revoked) certificates.
 *
 * @param admin Information about the administrator or admin preforming the event.
 * @param caid Id of the CA which CRL should be created.
 * @param certs vector of RevokedCertInfo object.
 * @return The newly created CRL in DER encoded byte form or null, use CerlTools.getCRLfromByteArray to convert to X509CRL.
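 * @throws CATokenOfflineException if the CA is not active (reported under that exception) or its token is offline
 * @throws EJBException if the CA id is unknown, the CA certificate is expired or not yet valid,
 *         or generating, storing or publishing the CRL fails
 * @ejb.interface-method view-type="both"
 */
public byte[] createCRL(Admin admin, int caid, Vector certs) throws CATokenOfflineException {
    debug(">createCRL()");
    byte[] crlBytes;
    CADataLocal cadata = null;
    try {
        // Locate the CA entity.
        try {
            cadata = cadatahome.findByPrimaryKey(new Integer(caid));
        } catch (javax.ejb.FinderException fe) {
            String msg = intres.getLocalizedMessage("signsession.canotfoundcaid", new Integer(caid));
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECRL, msg, fe);
            throw new EJBException(fe);
        }
        CA ca;
        try {
            ca = cadata.getCA();
        } catch (java.io.UnsupportedEncodingException uee) {
            throw new EJBException(uee);
        }
        // An inactive CA must not sign anything, CRLs included.
        if (ca.getStatus() != SecConst.CA_ACTIVE) {
            String msg = intres.getLocalizedMessage("signsession.canotactive", cadata.getSubjectDN());
            // Logged under the CRL error event like every other failure in this method; the
            // CREATECERTIFICATE event id used here before appears to have been a copy-paste slip.
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECRL, msg);
            throw new CATokenOfflineException(msg);
        }
        // The CA certificate itself must be inside its validity period before it signs a CRL.
        X509Certificate cacert = (X509Certificate) ca.getCACertificate();
        try {
            cacert.checkValidity();
        } catch (CertificateExpiredException e) {
            // Persist the expired state so later callers do not repeat the validity check.
            cadata.setStatus(SecConst.CA_EXPIRED);
            ca.setStatus(SecConst.CA_EXPIRED);
            String msg = intres.getLocalizedMessage("signsession.caexpired", cadata.getSubjectDN());
            getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECRL, msg, e);
            throw new EJBException(msg);
        } catch (CertificateNotYetValidException e) {
            throw new EJBException(e);
        }
        ICertificateStoreSessionLocal certificateStore = storeHome.create();
        // CRL numbers must increase monotonically (RFC 5280 section 5.2.3): next = last stored + 1.
        // NOTE(review): the read here and the storeCRL below are not atomic, so two concurrent
        // calls for the same CA could end up with the same number — confirm callers serialise
        // CRL creation per CA.
        int number = certificateStore.getLastCRLNumber(admin, ca.getSubjectDN()) + 1;
        X509CRL crl = (X509CRL) ca.generateCRL(certs, number);
        String msg = intres.getLocalizedMessage("signsession.createdcrl", new Integer(number), cadata.getName(), cadata.getSubjectDN());
        getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_CREATECRL, msg);
        // Encode once: the same DER bytes go to the store, to the publishers and back to the caller.
        byte[] encodedCrl = crl.getEncoded();
        // Store CRL in the database, keyed by the fingerprint of the issuing CA certificate.
        String fingerprint = CertTools.getFingerprintAsString(cacert);
        certificateStore.storeCRL(admin, encodedCrl, fingerprint, number);
        // Push the CRL to the CA's configured CRL publishers.
        IPublisherSessionLocal pub = publishHome.create();
        pub.storeCRL(admin, ca.getCRLPublishers(), encodedCrl, fingerprint, number);
        crlBytes = encodedCrl;
    } catch (CATokenOfflineException ctoe) {
        // cadata is still null if the lookup itself failed, hence the guard.
        String cadn = null;
        if (cadata != null) {
            cadn = cadata.getSubjectDN();
        }
        String msg = intres.getLocalizedMessage("error.catokenoffline", cadn);
        log.error(msg, ctoe);
        getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECRL, msg, ctoe);
        throw ctoe;
    } catch (Exception e) {
        // Boundary handler: also re-wraps the EJBExceptions thrown above, so those paths are
        // logged a second time here under the generic "errorcreatecrl" message.
        getLogSession().log(admin, caid, LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CREATECRL, intres.getLocalizedMessage("signsession.errorcreatecrl"), e);
        throw new EJBException(intres.getLocalizedMessage("signsession.errorcreatecrl"), e);
    }
    debug("<createCRL()");
    return crlBytes;
} // createCRL

/**
 * Method that publishes the given CA certificate chain to the list of publishers.
 * Is mainly used by CAAdminSessionBean when CA is created.
 *
 * @param admin Information about the administrator or admin preforming the event.
 * @param certificatechain certchain of certificate to publish
 * @param usedpublishers a collection if publisher id's (Integer) indicating which publisher that should be used.
 * @ejb.interface-method view-type="both"
 */
public void publishCACertificate(Admin admin, Collection certificatechain, Collection usedpublishers) {
    try {
        ICertificateStoreSessionLocal certificateStore = storeHome.create();
        Iterator certificates = certificatechain.iterator();
        while (certificates.hasNext()) {
            X509Certificate cert = (X509Certificate) certificates.next();
            String fingerprint = CertTools.getFingerprintAsString(cert);
            // Calculate the certtype
            boolean isSelfSigned = CertTools.isSelfSigned(cert);
            int type = CertificateDataBean.CERTTYPE_ENDENTITY;
            if (cert.getBasicConstraints() > -1) {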