📄 xkmsprovider.java
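} catch (JAXBException e) {
    log.error(intres.getLocalizedMessage("xkms.errorunmarshallingreq"), e);
} catch (ParserConfigurationException e) {
    log.error(intres.getLocalizedMessage("xkms.errorparsingresp"), e);
}
return response;
}

/**
 * Builds the XKMS Validate result for one request.
 *
 * @param remoteIP        address of the caller, handed to the response generator
 * @param value           the unmarshalled ValidateRequest
 * @param requestVerifies flag handed to the generator telling it whether the
 *                        request signature was accepted (presumably the result
 *                        of verifyRequest — confirm against the caller)
 * @return the JAXB ValidateResult element
 */
private JAXBElement validate(String remoteIP, ValidateRequestType value, boolean requestVerifies) {
    ValidateResponseGenerator gen = new ValidateResponseGenerator(remoteIP, value);
    return xKMSObjectFactory.createValidateResult(gen.getResponse(requestVerifies));
}

/**
 * Builds the XKMS Locate result for one request.
 *
 * @param remoteIP        address of the caller, handed to the response generator
 * @param value           the unmarshalled LocateRequest
 * @param requestVerifies whether the request signature was accepted
 * @return the JAXB LocateResult element
 */
private JAXBElement locate(String remoteIP, LocateRequestType value, boolean requestVerifies) {
    LocateResponseGenerator gen = new LocateResponseGenerator(remoteIP, value);
    return xKMSObjectFactory.createLocateResult(gen.getResponse(requestVerifies));
}

/**
 * Builds the XKMS Register result for one request.
 *
 * @param remoteIP        address of the caller, handed to the response generator
 * @param value           the unmarshalled RegisterRequest
 * @param requestVerifies whether the request signature was accepted
 * @param requestDoc      the raw request document, needed by the generator
 * @return the JAXB RegisterResult element
 */
private JAXBElement register(String remoteIP, RegisterRequestType value, boolean requestVerifies, Document requestDoc) {
    RegisterResponseGenerator gen = new RegisterResponseGenerator(remoteIP, value, requestDoc);
    return xKMSObjectFactory.createRegisterResult(gen.getResponse(requestVerifies));
}

/**
 * Builds the XKMS Reissue result for one request.
 *
 * @param remoteIP        address of the caller, handed to the response generator
 * @param value           the unmarshalled ReissueRequest
 * @param requestVerifies whether the request signature was accepted
 * @param requestDoc      the raw request document, needed by the generator
 * @return the JAXB ReissueResult element
 */
private JAXBElement reissue(String remoteIP, ReissueRequestType value, boolean requestVerifies, Document requestDoc) {
    ReissueResponseGenerator gen = new ReissueResponseGenerator(remoteIP, value, requestDoc);
    return xKMSObjectFactory.createReissueResult(gen.getResponse(requestVerifies));
}

/**
 * Builds the XKMS Recover result for one request.
 *
 * @param remoteIP        address of the caller, handed to the response generator
 * @param value           the unmarshalled RecoverRequest
 * @param requestVerifies whether the request signature was accepted
 * @param requestDoc      the raw request document, needed by the generator
 * @return the JAXB RecoverResult element
 */
private JAXBElement recover(String remoteIP, RecoverRequestType value, boolean requestVerifies, Document requestDoc) {
    RecoverResponseGenerator gen = new RecoverResponseGenerator(remoteIP, value, requestDoc);
    return xKMSObjectFactory.createRecoverResult(gen.getResponse(requestVerifies));
}

/**
 * Builds the XKMS Revoke result for one request.
 *
 * @param remoteIP        address of the caller, handed to the response generator
 * @param value           the unmarshalled RevokeRequest
 * @param requestVerifies whether the request signature was accepted
 * @param requestDoc      the raw request document, needed by the generator
 * @return the JAXB RevokeResult element
 */
private JAXBElement revoke(String remoteIP, RevokeRequestType value, boolean requestVerifies, Document requestDoc) {
    RevokeResponseGenerator gen = new RevokeResponseGenerator(remoteIP, value, requestDoc);
    return xKMSObjectFactory.createRevokeResult(gen.getResponse(requestVerifies));
}

/**
 * Verifies the XML signature on a request, if there is one, against the
 * configured set of accepted CAs.
 *
 * The ds:Signature element is looked for as a direct child of the document
 * element. If XKMSConfig.isSignedRequestRequired() is set and no signature is
 * present the request is rejected. When a signature is present it must:
 * verify against the certificate carried in its own KeyInfo; that certificate
 * must be issued by one of the accepted CAs (XKMSConfig.getAcceptedCA), chain
 * to that CA's self-signed root under PKIX rules, and not be revoked in the
 * local certificate store.
 *
 * NOTE(review): this establishes that the signature is valid and who signed,
 * not what was signed. Whether the signed references actually cover the
 * request content that is later acted upon is not checked here — confirm the
 * caller or the response generators enforce that before relying on the
 * returned flag.
 *
 * @param requestDoc the parsed request document
 * @return true if the request is unsigned and signing is optional, or it is
 *         signed and every check above passes; false otherwise. Any exception
 *         raised during verification is logged and treated as failure.
 */
private boolean verifyRequest(Document requestDoc) {
    // Locate a direct child element named "Signature" of the document element.
    // getDocumentElement() is used rather than getChildNodes().item(0) so that a
    // leading comment or processing instruction cannot hide the signature from
    // detection. Non-element children (whitespace text, comments) have a null
    // local name and are skipped instead of causing an NPE.
    Node xmlSig = null;
    org.w3c.dom.Element root = requestDoc.getDocumentElement();
    if (root != null) {
        NodeList children = root.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() == Node.ELEMENT_NODE
                    && child.getLocalName() != null
                    && child.getLocalName().equalsIgnoreCase("Signature")) {
                xmlSig = child;
            }
        }
    }
    boolean signatureExists = xmlSig != null;

    // An unsigned request is only acceptable when the configuration allows it.
    if (XKMSConfig.isSignedRequestRequired() && !signatureExists) {
        log.error(intres.getLocalizedMessage("xkms.recievedreqwithoutsig"));
        return false;
    }
    if (!signatureExists) {
        return true;
    }

    try {
        org.w3c.dom.Element xmlSigElement = (org.w3c.dom.Element) xmlSig;
        org.apache.xml.security.signature.XMLSignature xmlVerifySig =
                new org.apache.xml.security.signature.XMLSignature(xmlSigElement, null);
        org.apache.xml.security.keys.KeyInfo keyInfo = xmlVerifySig.getKeyInfo();

        // The signer certificate is taken from the request itself. It is only
        // trusted once it has been chained to an accepted CA further down.
        X509Certificate verCert = (keyInfo == null) ? null : keyInfo.getX509Certificate();
        if (verCert == null) {
            log.error(intres.getLocalizedMessage("xkms.errorwhenverifyingreq"));
            return false;
        }

        if (!xmlVerifySig.checkSignatureValue(verCert)) {
            log.error(intres.getLocalizedMessage("xkms.errorreqsigdoesntverify"));
            return false;
        }

        // Identify the issuing CA the EJBCA way (CA id = hash of the issuer DN)
        // and require it to be one of the CAs accepted for XKMS request signing.
        int cAId = CertTools.getIssuerDN(verCert).hashCode();
        Collection acceptedCAIds = XKMSConfig.getAcceptedCA(intAdmin, getCAAdminSession());
        if (!acceptedCAIds.contains(Integer.valueOf(cAId))) {
            throw new Exception("Error XKMS request signature certificate isn't among the list of accepted CA certificates");
        }
        CAInfo cAInfo = getCAAdminSession().getCAInfo(intAdmin, cAId);
        if (cAInfo == null) {
            throw new Exception("Error XKMS accepted CA with id " + cAId + " could not be loaded");
        }
        Collection cACertChain = cAInfo.getCertificateChain();

        // The trust anchor is the self-signed certificate found in the CA's chain.
        X509Certificate rootCert = null;
        for (Iterator iter = cACertChain.iterator(); iter.hasNext();) {
            X509Certificate cert = (X509Certificate) iter.next();
            if (cert.getIssuerDN().equals(cert.getSubjectDN())) {
                rootCert = cert;
                break;
            }
        }
        if (rootCert == null) {
            throw new CertPathValidatorException("Error Root CA cert not found in cACertChain");
        }

        // Certificate store for path building: the individual certificates are
        // what a Collection CertStore needs (adding the chain as one entry
        // would put a Collection object, not certificates, in the store).
        List storeCerts = new ArrayList();
        storeCerts.add(verCert);
        storeCerts.addAll(cACertChain);
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeCerts));

        // Build and validate the PKIX path from the signer through the CA chain
        // (issuer/subject matching, validity period, basic constraints ...).
        // NOTE(review): the path is assembled CA chain first and signer last,
        // whereas the Java X.509 CertPath convention is target certificate first;
        // this presumably relies on the BC provider reordering the list — confirm.
        List certchain = new ArrayList();
        certchain.addAll(cACertChain);
        certchain.add(verCert);
        CertPath cp = CertificateFactory.getInstance("X.509", "BC").generateCertPath(certchain);
        Set trust = new HashSet();
        trust.add(new TrustAnchor(rootCert, null));
        PKIXParameters param = new PKIXParameters(trust);
        param.addCertStore(store);
        param.setDate(new Date());
        // PKIX revocation (CRL/OCSP lookups) is switched off here; revocation is
        // checked against the local certificate store immediately below instead.
        param.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX", "BC").validate(cp, param);

        // Revocation status from EJBCA's own store. A missing answer (certificate
        // unknown to this instance, if isRevoked can report that as null) is
        // rejected the same way as a revoked certificate.
        RevokedCertInfo revCertInfo = getCertStoreSession().isRevoked(intAdmin, CertTools.getIssuerDN(verCert), verCert.getSerialNumber());
        if (revCertInfo == null || revCertInfo.getReason() != RevokedCertInfo.NOT_REVOKED) {
            return false;
        }
        return true;
    } catch (Exception e) {
        // Fail closed on any verification problem; keep the cause in the log so
        // that e.g. the "not an accepted CA" message is not lost.
        log.error(intres.getLocalizedMessage("xkms.errorwhenverifyingreq"), e);
        return false;
    }
}

/**
 * Signs the response document when the service configuration calls for it.
 *
 * A response is signed if XKMSConfig.alwaysSignResponses() is set, or if
 * XKMSConfig.acceptSignRequests() is set and the request asked for a signed
 * response (respMecSign). Signing is delegated, via the sign session's
 * extended service, to the CA selected by XKMSConfig.cAIdUsedForSigning.
 *
 * @param result      the unsigned response document
 * @param id          id handed to the XKMSCAServiceRequest (presumably the id of
 *                    the element to be signed — confirm in XKMSCAServiceRequest)
 * @param respMecSign whether the request asked for a signed response
 * @param admin       administrator used for the CA service call
 * @return the signed document; the unchanged document when no signing is
 *         needed; null if signing failed (the failure is logged)
 */
private Document signResponseIfNeeded(Document result, String id, boolean respMecSign, Admin admin) {
    boolean signNeeded = XKMSConfig.alwaysSignResponses()
            || (XKMSConfig.acceptSignRequests() && respMecSign);
    if (!signNeeded) {
        return result;
    }
    try {
        XKMSCAServiceRequest cAReq = new XKMSCAServiceRequest(result, id, true, false);
        XKMSCAServiceResponse resp = (XKMSCAServiceResponse) getSignSession().extendedService(
                admin, XKMSConfig.cAIdUsedForSigning(admin, getCAAdminSession()), cAReq);
        return resp.getSignedDocument();
    } catch (Exception e) {
        log.error(intres.getLocalizedMessage("xkms.errorgenrespsig"), e);
        return null;
    }
}

private ICertificateStoreSessionLocal certificatestoresession = null;

/**
 * Lazily looks up the local certificate store session bean through JNDI and
 * caches it in this instance.
 *
 * NOTE(review): the lazy initialisation is not synchronized; concurrent first
 * calls may each perform the lookup — harmless if the bean is stateless, confirm.
 *
 * @return the cached ICertificateStoreSessionLocal
 * @throws NamingException    if the JNDI lookup fails
 * @throws CreateException    if the home interface cannot create the bean
 * @throws ClassCastException if the looked-up object is not the expected home
 */
protected ICertificateStoreSessionLocal getCertStoreSession() throws ClassCastException, CreateException, NamingException {
    if (certificatestoresession == null) {
        Context context = new InitialContext();
        ICertificateStoreSessionLocalHome home = (ICertificateStoreSessionLocalHome) javax.rmi.PortableRemoteObject.narrow(
                context.lookup("CertificateStoreSessionLocal"), ICertificateStoreSessionLocalHome.class);
        certificatestoresession = home.create();
    }
    return certificatestoresession;
}

private ICAAdminSessionLocal caadminsession = null;

/**
 * Lazily looks up the local CA admin session bean through JNDI and caches it
 * in this instance (same unsynchronized pattern as getCertStoreSession()).
 *
 * @return the cached ICAAdminSessionLocal
 * @throws NamingException    if the JNDI lookup fails
 * @throws CreateException    if the home interface cannot create the bean
 * @throws ClassCastException if the looked-up object is not the expected home
 */
protected ICAAdminSessionLocal getCAAdminSession() throws ClassCastException, CreateException, NamingException {
    if (caadminsession == null) {
        Context context = new InitialContext();
        ICAAdminSessionLocalHome home = (ICAAdminSessionLocalHome) javax.rmi.PortableRemoteObject.narrow(
                context.lookup("CAAdminSessionLocal"), ICAAdminSessionLocalHome.class);
        caadminsession = home.create();
    }
    return caadminsession;
}

private ISignSessionLocal signsession = null;

/**
 * Lazily looks up the local sign session bean through JNDI and caches it in
 * this instance (same unsynchronized pattern as getCertStoreSession()).
 *
 * @return the cached ISignSessionLocal
 * @throws NamingException    if the JNDI lookup fails
 * @throws CreateException    if the home interface cannot create the bean
 * @throws ClassCastException if the looked-up object is not the expected home
 */
protected ISignSessionLocal getSignSession() throws ClassCastException, CreateException, NamingException {
    if (signsession == null) {
        Context context = new InitialContext();
        ISignSessionLocalHome home = (ISignSessionLocalHome) javax.rmi.PortableRemoteObject.narrow(
                context.lookup("SignSessionLocal"), ISignSessionLocalHome.class);
        signsession = home.create();
    }
    return signsession;
}
}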