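* @param authenticationPassphrase the authentication key binding passphrase, use null if it shouldn't be used.
     * @param recoverKeyBindingId id of the key binding element the passphrase authentication is bound to.
     * @return a RecoverResultType (a NullPointerException surfaces if the response could not be parsed, see invoke)
     * @throws XKMSResponseSignatureException if the response signature didn't verify
     * @throws StringprepException if the passphrase doesn't fulfil the SASLPrep profile
     */
    public RecoverResultType recover(RecoverRequestType recoverRequestType, X509Certificate signCert, Key privateKey,
            String authenticationPassphrase, String recoverKeyBindingId)
            throws XKMSResponseSignatureException, StringprepException {
        JAXBElement<RecoverRequestType> recoverRequest = xKMSObjectFactory.createRecoverRequest(recoverRequestType);
        // No proof-of-possession key for recover: only the optional passphrase authentication is appended.
        DOMSource domSource = performSigning(recoverRequest, recoverRequestType.getId(), signCert, privateKey,
                authenticationPassphrase, null, recoverKeyBindingId);
        JAXBElement<RecoverResultType> response = invoke(domSource);
        return response.getValue();
    }

    /**
     * Creates a revoke call to the web service.
     *
     * @param revokeRequestType the request
     * @param signCert the certificate that should sign the request, or null if no signing should be performed
     * @param privateKey the key doing the signing, or null if no signing should be performed
     * @param authenticationPassphrase the authentication key binding passphrase, use null if it shouldn't be used.
     * @param revokeKeyBindingId id of the key binding element the passphrase authentication is bound to.
     * @return a RevokeResultType (a NullPointerException surfaces if the response could not be parsed, see invoke)
     * @throws XKMSResponseSignatureException if the response signature didn't verify
     * @throws StringprepException if the passphrase doesn't fulfil the SASLPrep profile
     */
    public RevokeResultType revoke(RevokeRequestType revokeRequestType, X509Certificate signCert, Key privateKey,
            String authenticationPassphrase, String revokeKeyBindingId)
            throws XKMSResponseSignatureException, StringprepException {
        JAXBElement<RevokeRequestType> revokeRequest = xKMSObjectFactory.createRevokeRequest(revokeRequestType);
        // No proof-of-possession key for revoke: only the optional passphrase authentication is appended.
        DOMSource domSource = performSigning(revokeRequest, revokeRequestType.getId(), signCert, privateKey,
                authenticationPassphrase, null, revokeKeyBindingId);
        JAXBElement<RevokeResultType> response = invoke(domSource);
        return response.getValue();
    }

    /**
     * Performs the actual invocation: dispatches the request, parses the response into a DOM,
     * verifies the response signature and finally unmarshals it.
     *
     * Parse and unmarshal failures are logged and yield a null result, which the public callers
     * dereference (they then fail with a NullPointerException). Only a failed signature
     * verification is propagated as an exception, so an unverified response never reaches a caller.
     *
     * @param domSource the (optionally signed) request produced by performSigning
     * @return the unmarshalled response element, or null if the response could not be parsed or unmarshalled
     * @throws XKMSResponseSignatureException if the response signature didn't verify
     */
    private JAXBElement invoke(DOMSource domSource) throws XKMSResponseSignatureException {
        JAXBElement result = null;
        try {
            Source response = sourceDispatch.invoke(domSource);
            // NOTE(review): dbf is configured outside this block. The response comes off the
            // network, so the factory is expected to have DTD/external entity resolution
            // disabled -- confirm where dbf is created.
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(((StreamSource) response).getInputStream());
            // Verify before unmarshalling so that unsigned or tampered content is never handed on.
            verifyResponseSignature(doc);
            result = (JAXBElement) unmarshaller.unmarshal(doc);
        } catch (JAXBException e) {
            log.error("Error unmarshalling XKMS response", e);
        } catch (ParserConfigurationException e) {
            log.error("Error parsing XKMS response", e);
        } catch (SAXException e) {
            log.error("Error parsing XKMS response", e);
        } catch (IOException e) {
            log.error("Error parsing XKMS response", e);
        }
        return result;
    }

    /**
     * Creates a signature on a request and returns a DOM source. Convenience overload without
     * passphrase authentication, proof of possession or key binding id.
     *
     * @param messageAbstractType the request to sign
     * @param messageId the id of the request element the signature reference points at
     * @param signCert the certificate that should sign the request, or null if no signing should be performed
     * @param privateKey the key doing the signing, or null if no signing should be performed
     * @return a DOMSource or null if request was invalid
     */
    private DOMSource performSigning(JAXBElement messageAbstractType, String messageId, X509Certificate signCert,
            Key privateKey) {
        DOMSource retval = null;
        try {
            retval = performSigning(messageAbstractType, messageId, signCert, privateKey, null, null, null);
        } catch (StringprepException e) {
            // Unreachable: with a null passphrase the SASLprep step is never run, but log
            // rather than hide it should that ever change.
            log.error("Unexpected StringprepException without a passphrase", e);
        }
        return retval;
    }

    /**
     * Creates a signature on a request and returns a DOM source.
     *
     * The request is marshalled to a DOM, optionally extended with a key binding authentication
     * element and a proof-of-possession element, and finally (if a signing certificate and key
     * are given) enveloped-signed with the signature inserted as the first child of the root.
     *
     * @param messageAbstractType the request to sign
     * @param messageId the id of the request element the signature reference points at
     * @param signCert the certificate that should sign the request, or null if no signing should be performed
     * @param privateKey the key doing the signing, or null if no signing should be performed
     * @param authenticationPassphrase the authentication key binding passphrase, use null if it shouldn't be used.
     * @param pOPPrivateKey private key to sign POP Element, use null to not append POPElement
     * @param prototypeKeyBindingId id of the PrototypeKeyBinding tag.
     * @return a DOMSource or null if request was invalid (the cause is logged)
     * @throws StringprepException if the passphrase doesn't fulfil the SASLPrep profile
     */
    private DOMSource performSigning(JAXBElement messageAbstractType, String messageId, X509Certificate signCert,
            Key privateKey, String authenticationPassphrase, PrivateKey pOPPrivateKey, String prototypeKeyBindingId)
            throws StringprepException {
        DOMSource retval = null;
        boolean signRequest = signCert != null && privateKey != null;
        try {
            if (signRequest) {
                // Ask the service to sign its response as well, so verifyResponseSignature has something to check.
                RequestAbstractType requestAbstractType = (RequestAbstractType) messageAbstractType.getValue();
                requestAbstractType.getResponseMechanism().add(XKMSConstants.RESPONSMEC_REQUESTSIGNATUREVALUE);
            }
            Document doc = dbf.newDocumentBuilder().newDocument();
            marshaller.marshal(messageAbstractType, doc);
            if (authenticationPassphrase != null) {
                doc = XKMSUtil.appendKeyBindingAuthentication(doc, authenticationPassphrase, prototypeKeyBindingId);
            }
            if (pOPPrivateKey != null) {
                doc = XKMSUtil.appendProofOfPossession(doc, pOPPrivateKey, prototypeKeyBindingId);
            }
            if (signRequest) {
                // NOTE(review): RSA-SHA1 and a SHA-1 digest are legacy choices; they are presumably
                // what the peer service expects, so changing them is an interoperability decision
                // to be taken together with the server side.
                org.apache.xml.security.signature.XMLSignature xmlSig =
                        new org.apache.xml.security.signature.XMLSignature(doc, "",
                                org.apache.xml.security.signature.XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
                                org.apache.xml.security.c14n.Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
                org.apache.xml.security.transforms.Transforms transforms =
                        new org.apache.xml.security.transforms.Transforms(doc);
                transforms.addTransform(org.apache.xml.security.transforms.Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
                transforms.addTransform(org.apache.xml.security.transforms.Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
                // The reference covers the request element identified by messageId.
                xmlSig.addDocument("#" + messageId, transforms,
                        org.apache.xml.security.utils.Constants.ALGO_ID_DIGEST_SHA1);
                xmlSig.addKeyInfo(signCert);
                doc.getDocumentElement().insertBefore(xmlSig.getElement(), doc.getDocumentElement().getFirstChild());
                xmlSig.sign(privateKey);
            }
            retval = new DOMSource(doc);
        } catch (XMLSignatureException e) {
            log.error("Error performing XML Signature ", e);
        } catch (TransformationException e) {
            log.error("Error parsing XML request ", e);
        } catch (JAXBException e) {
            log.error("Error parsing XML request ", e);
        } catch (ParserConfigurationException e) {
            log.error("Error parsing XML request ", e);
        } catch (XMLSecurityException e) {
            log.error("Error performing XML Signature ", e);
        }
        return retval;
    }

    /**
     * Verifies the response signature against the configured CA certificates (cacerts).
     *
     * Doesn't check the revocation status of the server certificate. When cacerts is null no
     * verification is performed at all; when cacerts is set, a missing signature, a signature
     * that doesn't verify with the certificate carried in its KeyInfo, or a signer certificate
     * that doesn't validate to the self-signed root in cacerts all fail the response.
     *
     * The signer certificate is taken from the response itself, so trust in it comes solely
     * from the PKIX path validation performed here.
     *
     * @param doc the parsed response from the service
     * @throws XKMSResponseSignatureException if the signature doesn't verify
     */
    private void verifyResponseSignature(Document doc) throws XKMSResponseSignatureException {
        try {
            org.w3c.dom.NodeList xmlSigs =
                    doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
            boolean signatureExists = xmlSigs.getLength() > 0;
            if (!signatureExists) {
                if (cacerts != null) {
                    throw new XKMSResponseSignatureException("Error XKMS response didn't return a signed response");
                }
                return;
            }
            if (cacerts == null) {
                // No trust anchors configured: the signature is not checked.
                return;
            }
            try {
                // NOTE(review): only the first ds:Signature in document order is examined and the
                // signed Reference URI is not compared with the elements invoke() later consumes;
                // the check therefore establishes that some signed part verifies, not which.
                org.w3c.dom.Element xmlSigElement = (org.w3c.dom.Element) xmlSigs.item(0);
                org.apache.xml.security.signature.XMLSignature xmlVerifySig =
                        new org.apache.xml.security.signature.XMLSignature(xmlSigElement, null);
                org.apache.xml.security.keys.KeyInfo keyInfo = xmlVerifySig.getKeyInfo();
                if (keyInfo == null) {
                    throw new XKMSResponseSignatureException("Error XKMS response signature has no KeyInfo.");
                }
                X509Certificate verCert = keyInfo.getX509Certificate();
                if (verCert == null) {
                    throw new XKMSResponseSignatureException(
                            "Error XKMS response signature has no X509Certificate in its KeyInfo.");
                }
                // Check the signature value and references with the key of the embedded certificate.
                if (!xmlVerifySig.checkSignatureValue(verCert)) {
                    throw new XKMSResponseSignatureException("Error XKMS request signature doesn't verify.");
                }
                Collection cACertChain = cacerts;
                // The trust anchor is the first self-signed certificate in cacerts.
                X509Certificate rootCert = null;
                Iterator iter = cACertChain.iterator();
                while (iter.hasNext()) {
                    X509Certificate cert = (X509Certificate) iter.next();
                    if (cert.getIssuerDN().equals(cert.getSubjectDN())) {
                        rootCert = cert;
                        break;
                    }
                }
                if (rootCert == null) {
                    throw new CertPathValidatorException("Error Root CA cert not found in cACertChain");
                }
                // Cert store with the signer and every CA certificate as individual entries
                // (adding the collection itself as one element made the CA certs invisible to the store).
                List storeCerts = new ArrayList();
                storeCerts.add(verCert);
                storeCerts.addAll(cACertChain);
                CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(storeCerts);
                CertStore store = CertStore.getInstance("Collection", ccsp);
                // Build the path: CA certs first, signer cert last.
                // NOTE(review): the PKIX CertPath contract is target certificate first with the
                // trust anchor excluded; whether the "BC" validator accepts this order is not
                // verified here -- confirm against the tests before reordering, as it changes
                // what is accepted.
                List certchain = new ArrayList();
                certchain.addAll(cACertChain);
                certchain.add(verCert);
                CertPath cp = CertificateFactory.getInstance("X.509", "BC").generateCertPath(certchain);
                Set trust = new HashSet();
                trust.add(new TrustAnchor(rootCert, null));
                CertPathValidator cpv = CertPathValidator.getInstance("PKIX", "BC");
                PKIXParameters param = new PKIXParameters(trust);
                param.addCertStore(store);
                // Validate as of now; revocation is deliberately not checked (no CRL/OCSP source configured).
                param.setDate(new Date());
                param.setRevocationEnabled(false);
                cpv.validate(cp, param);
            } catch (XKMSResponseSignatureException e) {
                // Already the right type; don't wrap it a second time.
                throw e;
            } catch (Exception e) {
                throw new XKMSResponseSignatureException("Error when verifying signature request.", e);
            }
        } catch (TransformerFactoryConfigurationError e) {
            // Fail closed: a verification that could not run must not let the response through.
            throw new XKMSResponseSignatureException("Error when DOM parsing request.", e);
        }
    }
}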