📄 krssresponsegenerator.java
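return retval;
    }

    /**
     * Tells whether the request authenticates with a KeyBindingAuthentication
     * (a passphrase-derived HMAC signature, see {@link #getEncryptedPassword}) rather
     * than a NotBoundAuthentication (the cleartext passphrase, see {@link #getClearPassword}).
     *
     * @param req the KRSS request
     * @return true if an Authentication element with a KeyBindingAuthentication child is
     *         present; false if it is absent or there is no Authentication element at all
     */
    protected boolean isPasswordEncrypted(RequestAbstractType req) {
        if (GeneralizedKRSSMessageHelper.getAuthenticationType(req) == null) {
            return false;
        }
        return GeneralizedKRSSMessageHelper.getAuthenticationType(req).getKeyBindingAuthentication() != null;
    }

    /**
     * Looks up the end entity whose subject DN equals {@code subjectDN}.
     * A miss sets the response codes to Sender/NoMatch; a null DN sets nothing and
     * returns null.
     *
     * @param subjectDN subject DN to search for, may be null
     * @return the user data, or null if the DN is null, no user matched, or the lookup
     *         was denied (logged as xkms.errorinprivs)
     */
    protected UserDataVO findUserData(String subjectDN) {
        if (subjectDN == null) {
            return null;
        }
        UserDataVO retval = null;
        try {
            retval = getUserAdminSession().findUserBySubjectDN(pubAdmin, subjectDN);
        } catch (AuthorizationDeniedException e) {
            log.error(intres.getLocalizedMessage("xkms.errorinprivs"), e);
        }
        if (retval == null) {
            resultMajor = XKMSConstants.RESULTMAJOR_SENDER;
            resultMinor = XKMSConstants.RESULTMINOR_NOMATCH;
        }
        return retval;
    }

    /**
     * Looks up the end entity that owns {@code cert}: the username is resolved from the
     * certificate's (issuer DN, serial number) pair in the certificate store, then the
     * user record is fetched. A miss sets the response codes to Sender/NoMatch.
     *
     * @param cert the certificate to resolve; must not be null
     * @return the user data, or null if no username/user was found or the lookup failed
     *         (logged as xkms.errorfindinguserdata, with the cause)
     */
    protected UserDataVO findUserData(X509Certificate cert) {
        UserDataVO retval = null;
        try {
            String username = getCertStoreSession().findUsernameByCertSerno(pubAdmin, cert.getSerialNumber(), CertTools.getIssuerDN(cert));
            // An unknown certificate yields no username; do not ask the user session for a null name.
            if (username != null) {
                retval = getUserAdminSession().findUser(pubAdmin, username);
            }
        } catch (Exception e) {
            // Keep the cause: the sibling findUserData(String) logs it too, and a lost stack trace
            // makes a lookup failure indistinguishable from a plain miss.
            log.error(intres.getLocalizedMessage("xkms.errorfindinguserdata", cert.getSubjectDN().toString()), e);
        }
        if (retval == null) {
            resultMajor = XKMSConstants.RESULTMAJOR_SENDER;
            resultMinor = XKMSConstants.RESULTMINOR_NOMATCH;
        }
        return retval;
    }

    /**
     * Verifies a KeyBindingAuthentication: the XML Signature found under the request's
     * xkms:Authentication element is checked with a secret key derived from the stored
     * passphrase ({@code XKMSUtil.KEY_AUTHENTICATION} derivation). On success the stored
     * passphrase is returned so the caller can use it; on any failure the response codes are
     * set to Sender/NoAuthentication and null is returned.
     *
     * NOTE(review): checkSignatureValue verifies the SignatureValue and the References, but
     * nothing here checks which elements those References cover — confirm the caller (or the
     * XKMS authentication profile) guarantees the signature binds the request body. The
     * derivation depends on a cleartext passphrase being stored for the end entity.
     *
     * @param reqDoc   the request as a DOM document
     * @param password the end entity's stored (cleartext) passphrase
     * @return the passphrase if the signature verifies, otherwise null
     */
    protected String getEncryptedPassword(Document reqDoc, String password) {
        String retval = null;
        try {
            SecretKey sk = XKMSUtil.getSecretKeyFromPassphrase(password, true, 20, XKMSUtil.KEY_AUTHENTICATION);
            org.w3c.dom.NodeList authenticationElements = reqDoc.getElementsByTagNameNS("http://www.w3.org/2002/03/xkms#", "Authentication");
            Element ae = (Element) authenticationElements.item(0);
            org.w3c.dom.Element xmlSigElement = null;
            if (ae != null) {
                org.w3c.dom.NodeList xmlSigs = ae.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
                xmlSigElement = (org.w3c.dom.Element) xmlSigs.item(0);
            }
            if (xmlSigElement == null) {
                // No Authentication/Signature in the request: a failed authentication, not an
                // internal error (the original reached the same result via a NullPointerException).
                log.error(intres.getLocalizedMessage("xkms.errorauthverification"));
                resultMajor = XKMSConstants.RESULTMAJOR_SENDER;
                resultMinor = XKMSConstants.RESULTMINOR_NOAUTHENTICATION;
            } else {
                org.apache.xml.security.signature.XMLSignature xmlVerifySig = new org.apache.xml.security.signature.XMLSignature(xmlSigElement, null);
                if (xmlVerifySig.checkSignatureValue(sk)) {
                    retval = password;
                } else {
                    resultMajor = XKMSConstants.RESULTMAJOR_SENDER;
                    resultMinor = XKMSConstants.RESULTMINOR_NOAUTHENTICATION;
                }
            }
        } catch (Exception e) {
            // Any parsing/crypto failure is reported as a failed authentication (fail closed).
            log.error(intres.getLocalizedMessage("xkms.errorauthverification"), e);
            resultMajor = XKMSConstants.RESULTMAJOR_SENDER;
            resultMinor = XKMSConstants.RESULTMINOR_NOAUTHENTICATION;
        }
        return retval;
    }

    /**
     * Verifies a NotBoundAuthentication, i.e. the passphrase sent in the clear inside the
     * request, against the stored one. A request without a NotBoundAuthentication (or without
     * any Authentication element) sets Sender/MessageNotSupported; a mismatch sets
     * Sender/NoAuthentication. The comparison is constant-time so that response timing does
     * not leak how many leading characters of the stored passphrase were guessed correctly.
     *
     * NOTE(review): the value is decoded with the platform default charset, as before — confirm
     * the encoding the clients use for NotBoundAuthentication/Value. Since the passphrase
     * travels in the clear, this presumably relies on transport protection (TLS).
     *
     * @param req        the KRSS request
     * @param dBPassword the end entity's stored passphrase, may be null
     * @return the passphrase if it matched the stored one, otherwise null
     */
    protected String getClearPassword(RequestAbstractType req, String dBPassword) {
        NotBoundAuthenticationType notBoundAuthenticationType = null;
        if (GeneralizedKRSSMessageHelper.getAuthenticationType(req) != null) {
            notBoundAuthenticationType = GeneralizedKRSSMessageHelper.getAuthenticationType(req).getNotBoundAuthentication();
        }
        if (notBoundAuthenticationType == null) {
            // The original fell through to retval.equals(...) here and threw a NullPointerException.
            resultMajor = XKMSConstants.RESULTMAJOR_SENDER;
            resultMinor = XKMSConstants.RESULTMINOR_MESSAGENOTSUPPORTED;
            return null;
        }
        String supplied = new String(notBoundAuthenticationType.getValue());
        if (!constantTimeEquals(supplied, dBPassword)) {
            resultMajor = XKMSConstants.RESULTMAJOR_SENDER;
            resultMinor = XKMSConstants.RESULTMINOR_NOAUTHENTICATION;
            return null;
        }
        return supplied;
    }

    /**
     * Compares two strings without short-circuiting on the first differing character.
     * Only the length difference is observable through timing, which is the usual accepted
     * leak for passphrase comparison. Null on either side compares unequal.
     */
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        char[] x = a.toCharArray();
        char[] y = b.toCharArray();
        int diff = x.length ^ y.length;
        for (int i = 0; i < x.length && i < y.length; i++) {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }

    /**
     * Returns the subject DN carried by the first UseKeyWith element whose Application is
     * PKIX, normalised with {@code CertTools.stringToBCDNString}. If there is no such element
     * the response codes are set to Sender/MessageNotSupported.
     *
     * @param req the KRSS request
     * @return the normalised subject DN, or null if no PKIX UseKeyWith was present
     */
    protected String getSubjectDN(RequestAbstractType req) {
        String retval = null;
        if (GeneralizedKRSSMessageHelper.getKeyBindingAbstractType(req) != null) {
            for (UseKeyWithType useKeyWith : GeneralizedKRSSMessageHelper.getKeyBindingAbstractType(req).getUseKeyWith()) {
                // Constant on the left: a UseKeyWith without an Application must not blow up the request.
                if (XKMSConstants.USEKEYWITH_PKIX.equals(useKeyWith.getApplication())) {
                    retval = CertTools.stringToBCDNString(useKeyWith.getIdentifier());
                    break;
                }
            }
        }
        if (retval == null) {
            resultMajor = XKMSConstants.RESULTMAJOR_SENDER;
            resultMinor = XKMSConstants.RESULTMINOR_MESSAGENOTSUPPORTED;
        }
        return retval;
    }

    /**
     * Checks that {@code cert} was issued by a CA hosted here, that neither it nor any
     * certificate in that CA's chain is revoked in the certificate store, and that the PKIX
     * path from the CA's root to the certificate validates (see {@link #verifyCert}).
     * Any failure, including a missing CA or a thrown exception, sets Sender/Refused.
     *
     * The CA is resolved from the certificate's own issuer DN (its hash is the id the CA
     * admin session expects); a forged issuer name is caught later by the path validation,
     * not here. Revocation is answered from the database only — CRL checking inside the PKIX
     * validation is disabled because no CRLs are passed to verifyCert.
     *
     * @param cert the certificate to check
     * @return true if the certificate is valid and unrevoked, false otherwise
     */
    protected boolean certIsValid(X509Certificate cert) {
        boolean retval = false;
        try {
            String issuerDN = CertTools.getIssuerDN(cert);
            CAInfo cAInfo = getCAAdminSession().getCAInfo(pubAdmin, issuerDN.hashCode());
            if (cAInfo != null) {
                Collection caCertChain = cAInfo.getCertificateChain();
                // A missing revocation record is treated as revoked (fail closed); the original
                // reached the same "refused" outcome through a NullPointerException.
                RevokedCertInfo certInfo = getCertStoreSession().isRevoked(pubAdmin, issuerDN, cert.getSerialNumber());
                boolean revoked = certInfo == null || certInfo.getReason() != RevokedCertInfo.NOT_REVOKED;
                Iterator iter = caCertChain.iterator();
                while (!revoked && iter.hasNext()) {
                    X509Certificate cACert = (X509Certificate) iter.next();
                    RevokedCertInfo caCertInfo = getCertStoreSession().isRevoked(pubAdmin, CertTools.getIssuerDN(cACert), cACert.getSerialNumber());
                    revoked = caCertInfo == null || caCertInfo.getReason() != RevokedCertInfo.NOT_REVOKED;
                }
                if (!revoked) {
                    retval = verifyCert(caCertChain, null, cert);
                }
            }
        } catch (Exception e) {
            log.error(e);
        }
        if (!retval) {
            resultMajor = XKMSConstants.RESULTMAJOR_SENDER;
            resultMinor = XKMSConstants.RESULTMINOR_REFUSED;
        }
        return retval;
    }

    /**
     * Runs a PKIX path validation of {@code usercert} with the self-issued certificate of
     * {@code cACertChain} as the only trust anchor.
     *
     * The path is built from the CA chain followed by the user certificate and handed to the
     * BC certificate factory, which orders the certificates itself; this relies on the BC
     * provider, so the provider name must stay "BC". When {@code trustedCRLs} is null
     * revocation checking inside the validator is switched off (the caller checks the
     * database instead); otherwise the CRLs are added to the cert store and enabled.
     *
     * @param cACertChain the issuing CA's certificate chain, including the root
     * @param trustedCRLs CRLs to validate against, or null to disable CRL checking
     * @param usercert    the end-entity certificate to validate
     * @return true if the path validates; false on any failure, which is logged as
     *         xkms.errorverifyingcert (a chain without a self-issued root is such a failure)
     */
    private boolean verifyCert(Collection cACertChain, Collection trustedCRLs, X509Certificate usercert) {
        boolean retval = false;
        try {
            X509Certificate rootCert = null;
            for (Iterator iter = cACertChain.iterator(); iter.hasNext();) {
                X509Certificate candidate = (X509Certificate) iter.next();
                if (candidate.getIssuerDN().equals(candidate.getSubjectDN())) {
                    rootCert = candidate;
                    break;
                }
            }
            if (rootCert == null) {
                throw new CertPathValidatorException("Error Root CA cert not found in cACertChain");
            }

            List storeContent = new ArrayList();
            storeContent.add(usercert);
            storeContent.addAll(cACertChain);
            if (trustedCRLs != null) {
                storeContent.addAll(trustedCRLs);
            }
            CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeContent));

            List certchain = new ArrayList();
            certchain.addAll(cACertChain);
            certchain.add(usercert);
            CertPath cp = CertificateFactory.getInstance("X.509", "BC").generateCertPath(certchain);

            Set<TrustAnchor> trust = new HashSet<TrustAnchor>();
            trust.add(new TrustAnchor(rootCert, null));
            PKIXParameters param = new PKIXParameters(trust);
            param.addCertStore(store);
            param.setDate(new Date());
            param.setRevocationEnabled(trustedCRLs != null);

            CertPathValidator.getInstance("PKIX", "BC").validate(cp, param);
            retval = true;
        } catch (Exception e) {
            log.error(intres.getLocalizedMessage("xkms.errorverifyingcert"), e);
        }
        return retval;
    }

    /**
     * Checks that the request's RespondWith list names at least one supported value
     * (X509Cert, X509Chain, X509CRL or PrivateKey). Revoke calls are always accepted,
     * whatever the list contains. A null list is accepted only for revoke calls.
     *
     * @param respondWithList the RespondWith identifiers from the request, may be null
     * @param revokeCall      true if the request is a RevokeRequest
     * @return true if the request can be answered
     */
    public boolean checkValidRespondWithRequest(List<String> respondWithList, boolean revokeCall) {
        if (revokeCall) {
            return true;
        }
        if (respondWithList == null) {
            return false;
        }
        String[] supportedRespondWith = {
            XKMSConstants.RESPONDWITH_X509CERT,
            XKMSConstants.RESPONDWITH_X509CHAIN,
            XKMSConstants.RESPONDWITH_X509CRL,
            XKMSConstants.RESPONDWITH_PRIVATEKEY
        };
        for (String supported : supportedRespondWith) {
            if (respondWithList.contains(supported)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the revocation code identifier as a hex string, or null if the request
     * carries none.
     *
     * For a RegisterRequest this is the RevocationCodeIdentifier of the prototype key
     * binding, hex-encoded as sent. For a RevokeRequest the client sends the un-MACed
     * RevocationCode; it is run through the second XKMS passphrase derivation
     * ({@code KEY_REVOCATIONCODEIDENTIFIER_PASS2}) and the resulting key bytes are
     * hex-encoded, presumably so the caller can compare them with the stored identifier.
     *
     * @param req the KRSS request
     * @return the hex-encoded revocation code identifier, or null if absent or derivation failed
     */
    protected String getRevocationCode(RequestAbstractType req) {
        String retval = null;
        if (req instanceof RegisterRequestType) {
            byte[] identifier = ((RegisterRequestType) req).getPrototypeKeyBinding().getRevocationCodeIdentifier();
            if (identifier != null) {
                retval = new String(Hex.encode(identifier));
            }
        }
        if (req instanceof RevokeRequestType) {
            byte[] unMACedCode = ((RevokeRequestType) req).getRevocationCode();
            if (unMACedCode != null) {
                try {
                    SecretKey pass2 = XKMSUtil.getSecretKeyFromPassphrase(new String(unMACedCode, "ISO8859-1"), false, 20, XKMSUtil.KEY_REVOCATIONCODEIDENTIFIER_PASS2);
                    retval = new String(Hex.encode(pass2.getEncoded()));
                } catch (XMLEncryptionException e) {
                    log.error(e);
                } catch (StringprepException ignored) {
                    // Declared by getSecretKeyFromPassphrase but, per the original, never thrown here.
                } catch (UnsupportedEncodingException e) {
                    log.error(e);
                }
            }
        }
        return retval;
    }
}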