
📄 ejbcaws.java

📁 一个免费的CA,基于EJB平台的,老师叫我们测试,现把之共享出来让大家参考
💻 JAVA
📖 第 1 页 / 共 3 页
			} catch (NamingException e) {				log.error("EJBCA WebService error, pkcs10Req : ",e);			    throw new EjbcaException(e.getMessage());			} catch (InvalidKeyException e) {				log.error("EJBCA WebService error, pkcs10Req : ",e);			    throw new EjbcaException(e.getMessage());			} catch (ObjectNotFoundException e) {				throw new NotFoundException(e.getMessage());			} catch (AuthStatusException e) {				log.error("EJBCA WebService error, pkcs10Req : ",e);			    throw new EjbcaException(e.getMessage());			} catch (AuthLoginException e) {				log.error("EJBCA WebService error, pkcs10Req : ",e);			    throw new EjbcaException(e.getMessage());			} catch (IllegalKeyException e) {				log.error("EJBCA WebService error, pkcs10Req : ",e);			    throw new EjbcaException(e.getMessage());			} catch (CADoesntExistsException e) {				log.error("EJBCA WebService error, pkcs10Req : ",e);			    throw new EjbcaException(e.getMessage());			} catch (NoSuchAlgorithmException e) {				log.error("EJBCA WebService error, pkcs10Req : ",e);			    throw new EjbcaException(e.getMessage());			} catch (NoSuchProviderException e) {				log.error("EJBCA WebService error, pkcs10Req : ",e);			    throw new EjbcaException(e.getMessage());			} catch (CertificateEncodingException e) {				log.error("EJBCA WebService error, pkcs10Req : ",e);			    throw new EjbcaException(e.getMessage());			} catch (FinderException e) {				new NotFoundException(e.getMessage());			}		return retval;		}	/**	 * Method to use to generate a server generated keystore. The method must be preceded by	 * a editUser call, either to set the userstatus to 'new' or to add nonexisting users and	 * the users token should be set to SecConst.TOKEN_SOFT_P12.	 
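*
	 * Authorization requirements: the client certificate must have the following privileges set
	 * - Administrator flag set
	 * - /administrator
	 * - /ra_functionality/view_end_entity
	 * - /ra_functionality/<end entity profile of the user>/view_end_entity
	 * - /ca_functionality/create_certificate
	 * - /ca/<ca of user>
	 *
	 * NOTE(review): the method body itself only checks AvailableAccessRules.CAPREFIX + caid and
	 * AvailableAccessRules.REGULAR_CREATECERTIFICATE; the remaining rules are presumably enforced
	 * inside the session beans it calls - confirm.
	 *
	 * @param username the unique username
	 * @param password the password sent with editUser call
	 * @param hardTokenSN If the certificate should be connected with a hardtoken, it is
	 * possible to map it by giving the hardTokenSN here, this will simplify revocation of a token's
	 * certificates. Use null if no hardtokenSN should be associated with the certificate.
	 * @param keyspec that the generated key should have, examples are 1024 for RSA or prime192v1 for ECDSA.
	 * NOTE(review): both example sizes are below current minimum key-strength recommendations;
	 * the value is passed to KeyTools.genKeys unchecked by this method, so any lower bound has to
	 * be enforced elsewhere (for example by the certificate profile) - confirm.
	 * @param keyalg that the generated key should have, RSA, ECDSA. Use one of the constants in CATokenConstants.org.ejbca.core.model.ca.catoken.KEYALGORITHM_XX.
	 * @return the generated keystore
	 * @throws AuthorizationDeniedException if client isn't authorized to request
	 * @throws NotFoundException if user cannot be found
	 * @throws EjbcaException if the user's token type is not P12, or on any internal error; the
	 * cause is logged and only its message is passed on to the caller
	 */
	public KeyStore pkcs12Req(String username, String password, String hardTokenSN, String keyspec, String keyalg) throws AuthorizationDeniedException, NotFoundException, EjbcaException {
		KeyStore retval = null;

		try {
			Admin admin = getAdmin();

			// The end entity is loaded first because its CA id is the resource the caller
			// must be authorized for.
			UserDataVO userdata = getUserAdminSession().findUser(admin, username);
			if (userdata == null) {
				throw new NotFoundException("Error: User " + username + " doesn't exist");
			}
			int caid = userdata.getCAId();
			// NOTE(review): the return values of both calls are ignored, so denial must surface as
			// AuthorizationDeniedException for these checks to have any effect - confirm against the
			// authorization session interface.
			getAuthorizationSession().isAuthorized(admin, AvailableAccessRules.CAPREFIX + caid);
			getAuthorizationSession().isAuthorizedNoLog(admin, AvailableAccessRules.REGULAR_CREATECERTIFICATE);

			// Only users registered for a soft PKCS#12 token may receive a server-generated keystore.
			if (userdata.getTokenType() != SecConst.TOKEN_SOFT_P12) {
				throw new EjbcaException("Error: Wrong Token Type of user, must be 'P12' for PKCS12 requests");
			}

			// The key pair is generated on the server, so the private key exists server-side
			// until the keystore has been handed back to the caller.
			KeyPair keys = KeyTools.genKeys(keyspec, keyalg);
			// Generate Certificate
			X509Certificate cert = (X509Certificate) getSignSession().createCertificate(admin, username, password, keys.getPublic());

			// Generate Keystore
			// Fetch CA Cert Chain.
			Collection chain = getCAAdminSession().getCAInfo(admin, caid).getCertificateChain();
			// Prefer the certificate's CN as keystore alias; fall back to the username.
			String alias = CertTools.getPartFromDN(CertTools.getSubjectDN(cert), "CN");
			if (alias == null) {
				alias = username;
			}

			java.security.KeyStore pkcs12 = KeyTools.createP12(alias, keys.getPrivate(), cert, chain);
			// presumably the enrollment password also becomes the keystore password - confirm in KeyStore
			retval = new KeyStore(pkcs12, password);

			if (hardTokenSN != null) {
				getHardTokenSession().addHardTokenCertificateMapping(admin, hardTokenSN, cert);
			}

		} catch (AuthorizationDeniedException ade) {
			throw ade;
		} catch (ClassCastException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (CreateException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (NamingException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (ObjectNotFoundException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (AuthStatusException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (AuthLoginException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (IllegalKeyException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (InvalidAlgorithmParameterException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (CADoesntExistsException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (NoSuchAlgorithmException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (NoSuchProviderException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (CertificateEncodingException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (FinderException e) {
			// Must be thrown: merely constructing the exception would let a failed lookup
			// fall through and hand a null keystore back to the caller.
			throw new NotFoundException(e.getMessage());
		} catch (KeyStoreException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (CertificateException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (InvalidKeySpecException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (IOException e) {
			log.error("EJBCA WebService error, pkcs12Req : ", e);
			throw new EjbcaException(e.getMessage());
		}

		return retval;
	}

	/**
	 * Method used to revoke a certificate.
	 *
	 * Authorization requirements: the client certificate must have the following privileges set
	 * - Administrator flag set
	 * - /administrator
	 * - /ra_functionality/revoke_end_entity
	 * - /ra_functionality/<end entity profile of the user owning the cert>/revoke_end_entity
	 * - /ca/<ca of certificate>
	 *
	 * @param issuerDN of the certificate to revoke
	 * @param certificateSN of the certificate to revoke
	 * @param reason for revocation, one of RevokedCertInfo.REVOKATION_REASON_ constants
	 * @throws AuthorizationDeniedException if client isn't authorized.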
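* @throws NotFoundException if certificate doesn't exist
	 * @throws EjbcaException on internal lookup or session errors; the cause is logged and only
	 * its message is passed on to the caller
	 */
	public void revokeCert(String issuerDN, String certificateSN, int reason) throws AuthorizationDeniedException, NotFoundException, EjbcaException {
		try {
			Admin admin = getAdmin();

			// Authorize against the issuing CA before the certificate store is queried, so that a
			// caller without access to this CA is refused without any lookup being made on their
			// behalf. The CA id is taken as the hash code of the normalized issuer DN.
			// NOTE(review): the return value is ignored, so denial must surface as
			// AuthorizationDeniedException for this check to have any effect - confirm.
			int caid = CertTools.stringToBCDNString(issuerDN).hashCode();
			getAuthorizationSession().isAuthorizedNoLog(admin, AvailableAccessRules.CAPREFIX + caid);

			// certificateSN is parsed as hexadecimal.
			// NOTE(review): a malformed value raises an unchecked NumberFormatException that none
			// of the catch clauses below handle; consider rejecting it as a declared fault.
			BigInteger serno = new BigInteger(certificateSN, 16);
			String username = getCertStoreSession().findUsernameByCertSerno(admin, serno, issuerDN);

			getUserAdminSession().revokeCert(admin, serno, issuerDN, username, reason);

		} catch (AuthorizationDeniedException e) {
			throw e;
		} catch (ClassCastException e) {
			log.error("EJBCA WebService error, revokeCert : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (CreateException e) {
			log.error("EJBCA WebService error, revokeCert : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (NamingException e) {
			log.error("EJBCA WebService error, revokeCert : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (FinderException e) {
			throw new NotFoundException(e.getMessage());
		}
	}

	/**
	 * Method used to revoke all a users certificates. It is also possible to delete
	 * a user after all certificates have been revoked.
	 *
	 * Authorization requirements: the client certificate must have the following privileges set
	 * - Administrator flag set
	 * - /administrator
	 * - /ra_functionality/revoke_end_entity
	 * - /ra_functionality/<end entity profile of the user>/revoke_end_entity
	 * - /ca/<ca of users certificate>
	 *
	 * @param username unique username in EJBCA
	 * @param reason for revocation, one of RevokedCertInfo.REVOKATION_REASON_ constants
	 * @param deleteUser deletes the users after all the certificates have been revoked.
	 * @throws AuthorizationDeniedException if client isn't authorized.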
* @throws NotFoundException if user doesn't exist
	 * @throws EjbcaException on internal lookup, session or removal errors; the cause is logged
	 * and only its message is passed on to the caller
	 */
	public void revokeUser(String username, int reason, boolean deleteUser)
			throws AuthorizationDeniedException, NotFoundException, EjbcaException {
		try {
			final Admin caller = getAdmin();

			// The CA to authorize against is only known once the user record has been loaded.
			final UserDataVO endEntity = getUserAdminSession().findUser(caller, username);
			if (null == endEntity) {
				throw new NotFoundException("Error: User " + username + " doesn't exist");
			}
			final int caId = endEntity.getCAId();
			// NOTE(review): the return value is ignored, so denial must surface as
			// AuthorizationDeniedException for this check to have any effect - confirm.
			getAuthorizationSession().isAuthorizedNoLog(caller, AvailableAccessRules.CAPREFIX + caId);

			// Revocation always happens; deletion only on request and only afterwards, so a
			// failing delete leaves the user present with certificates already revoked.
			getUserAdminSession().revokeUser(caller, username, reason);
			if (!deleteUser) {
				return;
			}
			getUserAdminSession().deleteUser(caller, username);
		} catch (AuthorizationDeniedException denied) {
			throw denied;
		} catch (ClassCastException cce) {
			log.error("EJBCA WebService error, revokeUser : ", cce);
			throw new EjbcaException(cce.getMessage());
		} catch (CreateException ce) {
			log.error("EJBCA WebService error, revokeUser : ", ce);
			throw new EjbcaException(ce.getMessage());
		} catch (NamingException ne) {
			log.error("EJBCA WebService error, revokeUser : ", ne);
			throw new EjbcaException(ne.getMessage());
		} catch (FinderException fe) {
			throw new NotFoundException(fe.getMessage());
		} catch (NotFoundException missing) {
			throw missing;
		} catch (RemoveException re) {
			log.error("EJBCA WebService error, revokeUser : ", re);
			throw new EjbcaException(re.getMessage());
		}
	}

	/**
	 * Method used to revoke all certificates mapped to one hardtoken.
	 *
	 * Authorization requirements: the client certificate must have the following privileges set
	 * - Administrator flag set
	 * - /administrator
	 * - /ra_functionality/revoke_end_entity
	 * - /ra_functionality/<end entity profile of the user owning the token>/revoke_end_entity
	 * - /ca/<ca of certificates on token>
	 *
	 * @param hardTokenSN of the hardTokenSN
	 * @param reason for revocation, one of RevokedCertInfo.REVOKATION_REASON_ constants
	 * @throws AuthorizationDeniedException if client isn't authorized.
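* @throws NotFoundException if token doesn't exist
	 * @throws EjbcaException on internal lookup or session errors; the cause is logged and only
	 * its message is passed on to the caller
	 */
	public void revokeToken(String hardTokenSN, int reason)
			throws RemoteException, AuthorizationDeniedException, NotFoundException, EjbcaException {
		try {
			Admin admin = getAdmin();
			Collection certs = getHardTokenSession().findCertificatesInHardToken(admin, hardTokenSN);

			// Pass 1: authorize against the issuing CA of every certificate on the token before
			// anything is revoked. Checking inside the revocation loop would leave the token
			// partially revoked when the caller lacks access to the CA of a later certificate.
			// NOTE(review): the return value is ignored, so denial must surface as
			// AuthorizationDeniedException for this check to have any effect - confirm.
			Iterator authIter = certs.iterator();
			while (authIter.hasNext()) {
				X509Certificate candidate = (X509Certificate) authIter.next();
				// The CA id is taken as the hash code of the normalized issuer DN.
				int caid = CertTools.stringToBCDNString(candidate.getIssuerDN().toString()).hashCode();
				getAuthorizationSession().isAuthorizedNoLog(admin, AvailableAccessRules.CAPREFIX + caid);
			}

			// Pass 2: revoke. The owning username is resolved from the first certificate for
			// which the lookup returns a value and is then reused for the remaining ones.
			String username = null;
			Iterator iter = certs.iterator();
			while (iter.hasNext()) {
				X509Certificate next = (X509Certificate) iter.next();
				if (username == null) {
					username = getCertStoreSession().findUsernameByCertSerno(admin, next.getSerialNumber(), next.getIssuerDN().toString());
				}
				getUserAdminSession().revokeCert(admin, next.getSerialNumber(), next.getIssuerDN().toString(), username, reason);
			}
		} catch (AuthorizationDeniedException e) {
			throw e;
		} catch (ClassCastException e) {
			log.error("EJBCA WebService error, revokeToken : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (CreateException e) {
			log.error("EJBCA WebService error, revokeToken : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (NamingException e) {
			log.error("EJBCA WebService error, revokeToken : ", e);
			throw new EjbcaException(e.getMessage());
		} catch (FinderException e) {
			throw new NotFoundException(e.getMessage());
		}
	}

	/**
	 * Method returning the revokestatus for given user
	 *
	 * Authorization requirements: the client certificate must have the following privileges set
	 * - Administrator flag set
	 * - /administrator
	 * - /ca/<ca of certificate>
	 *
	 * @param issuerDN
	 * @param certificateSN a hexadecimal string
	 * @return the revokestatus or null if certificate doesn't exist.
	 * @throws AuthorizationDeniedException if client isn't authorized.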
* @see org.ejbca.core.protocol.ws.RevokeStatus	 */		public RevokeStatus checkRevokationStatus(String issuerDN, String certificateSN) throws   AuthorizationDeniedException, EjbcaException {		RevokeStatus retval = null;		try{		  Admin admin = getAdmin();		  		  		  // check that admin is autorized to CA		  int caid = CertTools.stringToBCDNString(issuerDN).hashCode();				  getAuthorizationSession().isAuthorizedNoLog(admin,AvailableAccessRules.CAPREFIX +caid);		  		  RevokedCertInfo certinfo = getCertStoreSession().isRevoked(admin,issuerDN,new BigInteger(certificateSN,16));		  		  retval = new RevokeStatus(certinfo,issuerDN);
