package org.ejbca.core.protocol.ws;import java.io.IOException;import java.math.BigInteger;import java.rmi.RemoteException;import java.security.InvalidAlgorithmParameterException;import java.security.InvalidKeyException;import java.security.KeyPair;import java.security.KeyStoreException;import java.security.NoSuchAlgorithmException;import java.security.NoSuchProviderException;import java.security.cert.CertificateEncodingException;import java.security.cert.CertificateException;import java.security.cert.CertificateExpiredException;import java.security.cert.CertificateNotYetValidException;import java.security.cert.X509Certificate;import java.security.spec.InvalidKeySpecException;import java.util.ArrayList;import java.util.Collection;import java.util.Iterator;import java.util.List;import javax.annotation.Resource;import javax.ejb.CreateException;import javax.ejb.EJBException;import javax.ejb.FinderException;import javax.ejb.ObjectNotFoundException;import javax.ejb.RemoveException;import javax.jws.WebService;import javax.naming.Context;import javax.naming.InitialContext;import javax.naming.NamingException;import javax.servlet.http.HttpServletRequest;import javax.xml.ws.WebServiceContext;import javax.xml.ws.handler.MessageContext;import org.apache.log4j.Logger;import org.ejbca.core.EjbcaException;import org.ejbca.core.ejb.authorization.IAuthorizationSessionLocal;import org.ejbca.core.ejb.authorization.IAuthorizationSessionLocalHome;import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocal;import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocalHome;import org.ejbca.core.ejb.ca.sign.ISignSessionLocal;import org.ejbca.core.ejb.ca.sign.ISignSessionLocalHome;import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocal;import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocalHome;import org.ejbca.core.ejb.hardtoken.IHardTokenSessionLocal;import org.ejbca.core.ejb.hardtoken.IHardTokenSessionLocalHome;import org.ejbca.core.ejb.ra.IUserAdminSessionLocal;import 
org.ejbca.core.ejb.ra.IUserAdminSessionLocalHome;import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocal;import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocalHome;import org.ejbca.core.model.SecConst;import org.ejbca.core.model.approval.ApprovalException;import org.ejbca.core.model.approval.WaitingForApprovalException;import org.ejbca.core.model.authorization.AuthorizationDeniedException;import org.ejbca.core.model.authorization.AvailableAccessRules;import org.ejbca.core.model.ca.AuthLoginException;import org.ejbca.core.model.ca.AuthStatusException;import org.ejbca.core.model.ca.IllegalKeyException;import org.ejbca.core.model.ca.caadmin.CADoesntExistsException;import org.ejbca.core.model.ca.crl.RevokedCertInfo;import org.ejbca.core.model.log.Admin;import org.ejbca.core.model.ra.NotFoundException;import org.ejbca.core.model.ra.UserDataVO;import org.ejbca.core.model.ra.raadmin.UserDoesntFullfillEndEntityProfile;import org.ejbca.core.protocol.PKCS10RequestMessage;import org.ejbca.core.protocol.ws.objects.Certificate;import org.ejbca.core.protocol.ws.objects.KeyStore;import org.ejbca.core.protocol.ws.objects.RevokeStatus;import org.ejbca.core.protocol.ws.objects.UserDataVOWS;import org.ejbca.core.protocol.ws.objects.UserMatch;import org.ejbca.ui.web.RequestHelper;import org.ejbca.util.CertTools;import org.ejbca.util.KeyTools;import org.ejbca.util.query.IllegalQueryException;import org.ejbca.util.query.Query;/** * Interface the the EJBCA RA WebService. Contains the following methods: * * editUser : Edits/adds userdata * findUser : Retrieves the userdata for a given user. * findCerts : Retrieves the certificates generated for a user. * pkcs10Req : Generates a certificate using the given userdata and the public key from the PKCS10 * pkcs12Req : Generates a PKCS12 keystore (with the private key) using the given userdata * revokeCert : Revokes the given certificate. * revokeUser : Revokes all certificates for a given user, it's also possible to delete the user. 
 * revokeToken : Revokes all certificates placed on a given hard token
 * checkRevokationStatus : Checks the revocation status of a certificate.
 *
 * Observe: all methods have to be called over client-authenticated https,
 * otherwise an AuthorizationDeniedException will be thrown.
 *
 * @author Philip Vendil
 * $Id: EjbcaWS.java,v 1.3 2006/10/31 08:21:28 anatom Exp $
 */
@WebService
public class EjbcaWS {

    /** Injected by the JAX-WS runtime; presumably read by getAdmin() (defined outside this excerpt) to identify the calling client. */
    @Resource
    private WebServiceContext wsContext;

    /** The maximum number of rows returned in array responses. */
    private static final int MAXNUMBEROFROWS = 100;

    private static final Logger log = Logger.getLogger(EjbcaWS.class);

    /**
     * Adds a user to the EJBCA database, or overwrites the existing entry when the
     * username is already known.
     *
     * Observe: a user that does not exist yet always gets status 'New'.
     *
     * Authorization requirements: the client certificate must have the following privileges set
     * - Administrator flag set
     * - /administrator
     * - /ra_functionality/create_end_entity and/or edit_end_entity
     * - /ra_functionality/<end entity profile of user>/create_end_entity and/or edit_end_entity
     * - /ca/<ca of user>
     *
     * Only the /ca/<ca of user> rule is checked explicitly in this method; the remaining
     * rules are presumably enforced by the user admin session bean (not visible here).
     *
     * @param userdata all information about the user to add or update. Its clearPwd flag
     *        decides whether the password is stored in cleartext, which the original
     *        author notes is required when creating server-generated keystores.
     * @throws AuthorizationDeniedException if the client is not authorized for the user's CA
     * @throws UserDoesntFullfillEndEntityProfile if the user data violates its end entity profile
     * @throws EjbcaException on container or lookup failures; the cause is logged and only
     *         its message is forwarded to the client
     */
    public void editUser(UserDataVOWS userdata) throws AuthorizationDeniedException, UserDoesntFullfillEndEntityProfile, EjbcaException, ApprovalException, WaitingForApprovalException {
        try {
            final Admin admin = getAdmin();
            final UserDataVO userdatavo = convertUserDataVOWS(admin, userdata);
            // Fail fast if the caller may not operate on this user's CA.
            getAuthorizationSession().isAuthorizedNoLog(admin, AvailableAccessRules.CAPREFIX + userdatavo.getCAId());
            final boolean exists = getUserAdminSession().findUser(admin, userdatavo.getUsername()) != null;
            if (exists) {
                log.debug("User " + userdata.getUsername() + " exists, update the userdata.");
                getUserAdminSession().changeUser(admin, userdatavo, userdata.getClearPwd());
            } else {
                log.debug(" New User " + userdata.getUsername() + ", adding userdata.");
                getUserAdminSession().addUser(admin, userdatavo, userdata.getClearPwd());
            }
        } catch (UserDoesntFullfillEndEntityProfile e) {
            throw e; // declared on the method, propagate untouched
        } catch (AuthorizationDeniedException e) {
            throw e; // declared on the method, propagate untouched
        } catch (ClassCastException e) {
            log.error("EJBCA WebService error, editUser : ", e);
            throw new EjbcaException(e.getMessage());
        } catch (CreateException e) {
            log.error("EJBCA WebService error, editUser : ", e);
            throw new EjbcaException(e.getMessage());
        } catch (NamingException e) {
            log.error("EJBCA WebService error, editUser : ", e);
            throw new EjbcaException(e.getMessage());
        } catch (FinderException e) {
            log.error("EJBCA WebService error, editUser : ", e);
            throw new EjbcaException(e.getMessage());
        }
    }

    /**
     * Retrieves information about users in the database.
     *
     * Authorization requirements: the client certificate must have the following privileges set
     * - Administrator flag set
     * - /administrator
     * - /ra_functionality/view_end_entity
     * - /ra_functionality/<end entity profile of matching users>/view_end_entity
     * - /ca/<ca of matching users>
     *
     * @param usermatch the match criteria to search for
     * @return a list of UserDataVOWS objects (max 100) containing the information about the matching users, or null if no user matches.
 * @throws AuthorizationDeniedException if client isn't authorized to request
 * @throws IllegalQueryException if query isn't valid
 * @throws EjbcaException on container or lookup failures; the cause is logged and only its message is forwarded
 */
    public List<UserDataVOWS> findUser(UserMatch usermatch) throws AuthorizationDeniedException, IllegalQueryException, EjbcaException {
        List<UserDataVOWS> matches = null;
        try {
            final Admin admin = getAdmin();
            final Query query = convertUserMatch(admin, usermatch);
            // The result set is capped at MAXNUMBEROFROWS; the caller has no visible way
            // to page past it, so a broader match only ever shows the first rows.
            final Collection found = getUserAdminSession().query(admin, query, null, null, MAXNUMBEROFROWS);
            if (!found.isEmpty()) {
                matches = new ArrayList<UserDataVOWS>(found.size());
                for (Iterator it = found.iterator(); it.hasNext();) {
                    final UserDataVO userdata = (UserDataVO) it.next();
                    matches.add(convertUserDataVO(admin, userdata));
                }
            }
        } catch (AuthorizationDeniedException e) {
            throw e; // declared on the method, propagate untouched
        } catch (ClassCastException e) {
            log.error("EJBCA WebService error, findUser : ", e);
            throw new EjbcaException(e.getMessage());
        } catch (CreateException e) {
            log.error("EJBCA WebService error, findUser : ", e);
            throw new EjbcaException(e.getMessage());
        } catch (NamingException e) {
            log.error("EJBCA WebService error, findUser : ", e);
            throw new EjbcaException(e.getMessage());
        }
        return matches;
    }

    /**
     * Retrieves the certificates generated for a user.
     *
     * Authorization requirements: the client certificate must have the following privileges set
     * - Administrator flag set
     * - /administrator
     * - /ra_functionality/view_end_entity
     * - /ra_functionality/<end entity profile of the user>/view_end_entity
     * - /ca/<ca of user>
     *
     * @param username a unique username
     * @param onlyValid only return valid certs, not revoked or expired ones.
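 * @return a list of certificates, or null if no certificates could be found
 * @throws AuthorizationDeniedException if client isn't authorized to request
 * @throws NotFoundException if user cannot be found
 * @throws EjbcaException on container, lookup or encoding failures; the cause is logged and only its message is forwarded
 */
    public List<Certificate> findCerts(String username, boolean onlyValid) throws AuthorizationDeniedException, NotFoundException, EjbcaException {
        List<Certificate> retval = null;
        try {
            final Admin admin = getAdmin();
            // findUser() may return null for an unknown user (pkcs10Req checks for this),
            // so the documented NotFoundException contract needs an explicit check here;
            // without it the lookup silently continued with the certificate query.
            final UserDataVO userdata = getUserAdminSession().findUser(admin, username);
            if (userdata == null) {
                throw new NotFoundException("Error: User " + username + " doesn't exist");
            }
            Collection certs = getCertStoreSession().findCertificatesByUsername(admin, username);
            if (onlyValid) {
                certs = returnOnlyValidCertificates(admin, certs);
            }
            // Drop certificates from CAs the caller is not authorized for before anything
            // is serialized into the response.
            certs = returnOnlyAuthorizedCertificates(admin, certs);
            if (!certs.isEmpty()) {
                retval = new ArrayList<Certificate>(certs.size());
                for (Iterator iter = certs.iterator(); iter.hasNext();) {
                    retval.add(new Certificate((java.security.cert.Certificate) iter.next()));
                }
            }
        } catch (AuthorizationDeniedException e) {
            throw e; // declared on the method, propagate untouched
        } catch (ClassCastException e) {
            log.error("EJBCA WebService error, findCerts : ", e);
            throw new EjbcaException(e.getMessage());
        } catch (CreateException e) {
            log.error("EJBCA WebService error, findCerts : ", e);
            throw new EjbcaException(e.getMessage());
        } catch (NamingException e) {
            log.error("EJBCA WebService error, findCerts : ", e);
            throw new EjbcaException(e.getMessage());
        } catch (FinderException e) {
            // The session bean reports a missing user this way; map it to the declared type.
            throw new NotFoundException(e.getMessage());
        } catch (CertificateEncodingException e) {
            log.error("EJBCA WebService error, findCerts : ", e);
            throw new EjbcaException(e.getMessage());
        }
        return retval;
    }

    /**
     * Method to use to generate a certificate for a user. The method must be preceded by
     * an editUser call, either to set the user status to 'new' or to add nonexisting users.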
* * Observe, the user must first have added/set the status to new with edituser command * * Authorization requirements: the client certificate must have the following priviledges set * - Administrator flag set * - /administrator * - /ra_functionality/view_end_entity * - /ra_functionality/<end entity profile of the user>/view_end_entity * - /ca_functionality/create_certificate * - /ca/<ca of user> * * @param username the unique username * @param password the password sent with editUser call * @param pkcs10 the PKCS10 (only the public key is used.) * @param hardTokenSN If the certificate should be connected with a hardtoken, it is * possible to map it by give the hardTokenSN here, this will simplyfy revokation of a tokens * certificates. Use null if no hardtokenSN should be assiciated with the certificate. * @return the generated certificate. * @throws AuthorizationDeniedException if client isn't authorized to request * @throws NotFoundException if user cannot be found */ public Certificate pkcs10Req(String username, String password, String pkcs10, String hardTokenSN) throws AuthorizationDeniedException, NotFoundException, EjbcaException { Certificate retval = null; try{ Admin admin = getAdmin(); // check CAID UserDataVO userdata = getUserAdminSession().findUser(admin,username); if(userdata == null){ throw new NotFoundException("Error: User " + username + " doesn't exist"); } int caid = userdata.getCAId(); getAuthorizationSession().isAuthorizedNoLog(admin,AvailableAccessRules.CAPREFIX +caid); getAuthorizationSession().isAuthorizedNoLog(admin,AvailableAccessRules.REGULAR_CREATECERTIFICATE); // Check tokentype if(userdata.getTokenType() != SecConst.TOKEN_SOFT_BROWSERGEN){ throw new EjbcaException("Error: Wrong Token Type of user, must be 'USERGENERATED' for PKCS10 requests"); } PKCS10RequestMessage pkcs10req=RequestHelper.genPKCS10RequestMessageFromPEM(pkcs10.getBytes()); java.security.cert.Certificate cert = getSignSession().createCertificate(admin,username,password, 
pkcs10req.getRequestPublicKey()); retval = new Certificate(cert); if(hardTokenSN != null){ getHardTokenSession().addHardTokenCertificateMapping(admin,hardTokenSN,(X509Certificate) cert); } }catch(AuthorizationDeniedException ade){ throw ade; } catch (ClassCastException e) { log.error("EJBCA WebService error, pkcs10Req : ",e); throw new EjbcaException(e.getMessage()); } catch (CreateException e) { log.error("EJBCA WebService error, pkcs10Req : ",e); throw new EjbcaException(e.getMessage());