certreqservlet.java

用来生成java证书

/*************************************************************************
 *                                                                       *
 *  EJBCA: The OpenSource Certificate Authority                          *
 *                                                                       *
 *  This software is free software; you can redistribute it and/or       *
 *  modify it under the terms of the GNU Lesser General Public           *
 *  License as published by the Free Software Foundation; either         *
 *  version 2.1 of the License, or any later version.                    *
 *                                                                       *
 *  See terms of license at gnu.org.                                     *
 *                                                                       *
 *************************************************************************/
 
package org.ejbca.ui.web.pub;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.io.PrintStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;

import javax.ejb.EJBException;
import javax.ejb.ObjectNotFoundException;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.ejbca.core.ejb.ServiceLocator;
import org.ejbca.core.ejb.ca.sign.ISignSessionLocal;
import org.ejbca.core.ejb.ca.sign.ISignSessionLocalHome;
import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionHome;
import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionRemote;
import org.ejbca.core.ejb.ra.IUserAdminSessionHome;
import org.ejbca.core.ejb.ra.IUserAdminSessionRemote;
import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionHome;
import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionRemote;
import org.ejbca.core.model.InternalResources;
import org.ejbca.core.model.SecConst;
import org.ejbca.core.model.ca.AuthLoginException;
import org.ejbca.core.model.ca.AuthStatusException;
import org.ejbca.core.model.ca.SignRequestException;
import org.ejbca.core.model.ca.SignRequestSignatureException;
import org.ejbca.core.model.ca.catoken.CATokenConstants;
import org.ejbca.core.model.ca.catoken.CATokenOfflineException;
import org.ejbca.core.model.log.Admin;
import org.ejbca.core.model.ra.UserDataConstants;
import org.ejbca.core.model.ra.UserDataVO;
import org.ejbca.core.model.ra.raadmin.EndEntityProfile;
import org.ejbca.core.model.util.GenerateToken;
import org.ejbca.ui.web.RequestHelper;
import org.ejbca.util.Base64;
import org.ejbca.util.CertTools;
import org.ejbca.util.keystore.KeyTools;

public class CertReqServlet extends HttpServlet {
    private static final Logger log = Logger.getLogger(CertReqServlet.class);
    /** Internal localization of logs and errors */
    private static final InternalResources intres = InternalResources.getInstance();

    private byte[] bagattributes = "Bag Attributes\n".getBytes();
    private byte[] friendlyname = "    friendlyName: ".getBytes();
    private byte[] subject = "subject=/".getBytes();
    private byte[] issuer = "issuer=/".getBytes();
    private byte[] beginCertificate = "-----BEGIN CERTIFICATE-----".getBytes();
    private byte[] endCertificate = "-----END CERTIFICATE-----".getBytes();
    private byte[] beginPrivateKey = "-----BEGIN PRIVATE KEY-----".getBytes();
    private byte[] endPrivateKey = "-----END PRIVATE KEY-----".getBytes();
    private byte[] NL = "\n".getBytes();

    private IUserAdminSessionHome useradminhome = null;
    private ICertificateStoreSessionHome storehome = null;
    private IRaAdminSessionHome raadminhome = null;

    private ISignSessionLocal signsession = null;

    private synchronized ISignSessionLocal getSignSession(){
    	if(signsession == null){	
    		try {
    			ISignSessionLocalHome signhome = (ISignSessionLocalHome)ServiceLocator.getInstance().getLocalHome(ISignSessionLocalHome.COMP_NAME);
    			signsession = signhome.create();
    		}catch(Exception e){
    			throw new EJBException(e);      	  	    	  	
    		}
    	}
    	return signsession;
    }
    
    /**
     * Servlet init
     *
     * @param config servlet configuration
     *
     * @throws ServletException on error
     */
    public void init(ServletConfig config) throws ServletException {
        super.init(config);

        try {
            // Install BouncyCastle provider
            CertTools.installBCProvider();//没有引用EJB，ok

            // Get EJB context and home interfaces
            InitialContext ctx = new InitialContext();
            useradminhome = (IUserAdminSessionHome) PortableRemoteObject.narrow(
                             ctx.lookup(IUserAdminSessionHome.JNDI_NAME), IUserAdminSessionHome.class );
            raadminhome   = (IRaAdminSessionHome) PortableRemoteObject.narrow(
                             ctx.lookup(IRaAdminSessionHome.JNDI_NAME), IRaAdminSessionHome.class );            
            storehome   = (ICertificateStoreSessionHome) PortableRemoteObject.narrow(
                    ctx.lookup(ICertificateStoreSessionHome.JNDI_NAME), ICertificateStoreSessionHome.class );            
        } catch( Exception e ) {
            throw new ServletException(e);
        }
    }

    /**
     * Handles HTTP POST
     *
     * @param request servlet request
     * @param response servlet response
     *
     * @throws IOException input/output error
     * @throws ServletException on error
     */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
        ServletDebug debug = new ServletDebug(request, response);
        boolean usekeyrecovery = false;

        RequestHelper.setDefaultCharacterEncoding(request);
        try {
            String username = request.getParameter("user");
            String password = request.getParameter("password");
            String keylengthstring = request.getParameter("keylength");
            String keyalgstring = request.getParameter("keyalg");
            String openvpn = request.getParameter("openvpn");
            String certprofile = request.getParameter("certprofile");
			String keylength = "1024";
			String keyalg = CATokenConstants.KEYALGORITHM_RSA;//加密算法
			
            int resulttype = 0;
            if(request.getParameter("resulttype") != null)
              resulttype = Integer.parseInt(request.getParameter("resulttype")); // Indicates if certificate or PKCS7 should be returned on manual PKCS10 request.
            

            String classid = "clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1\" CODEBASE=\"/CertControl/xenroll.cab#Version=5,131,3659,0";

            if ((request.getParameter("classid") != null) &&
                    !request.getParameter("classid").equals("")) {
                classid = request.getParameter("classid");
            }

            if (keylengthstring != null) {
                keylength = keylengthstring;
            }
            if (keyalgstring != null) {
                keyalg = keyalgstring;
            }

            Admin administrator = new Admin(Admin.TYPE_PUBLIC_WEB_USER, request.getRemoteAddr());

            IUserAdminSessionRemote adminsession = useradminhome.create();
            ICertificateStoreSessionRemote storesession = storehome.create();
            IRaAdminSessionRemote raadminsession = raadminhome.create();            
            ISignSessionLocal signsession = getSignSession();
            RequestHelper helper = new RequestHelper(administrator, debug);

    		String iMsg = intres.getLocalizedMessage("certreq.receivedcertreq", username, request.getRemoteAddr());
            log.info(iMsg);
            debug.print("Username: " + username);

            // Check user
            int tokentype = SecConst.TOKEN_SOFT_BROWSERGEN;//浏览器自己产生 TOKEN_SOFT_BROWSERGEN = 1;

            usekeyrecovery = (raadminsession.loadGlobalConfiguration(administrator)).getEnableKeyRecovery();

            UserDataVO data = adminsession.findUser(administrator, username);

            if (data == null) {
                throw new ObjectNotFoundException();
            }

            boolean savekeys = data.getKeyRecoverable() && usekeyrecovery &&  (data.getStatus() != UserDataConstants.STATUS_KEYRECOVERY);
            boolean loadkeys = (data.getStatus() == UserDataConstants.STATUS_KEYRECOVERY) && usekeyrecovery;

            int endEntityProfileId = data.getEndEntityProfileId();
            int certificateProfileId = data.getCertificateProfileId();
            EndEntityProfile endEntityProfile = raadminsession.getEndEntityProfile(administrator, endEntityProfileId);
            boolean reusecertificate = endEntityProfile.getReUseKeyRevoceredCertificate();
            // Set a new certificate profile, if we have requested one specific
            if (StringUtils.isNotEmpty(certprofile)) {
            	boolean clearpwd = StringUtils.isNotEmpty(data.getPassword());
            	int id = storesession.getCertificateProfileId(administrator, certprofile);
            	// Change the value if there exists a certprofile with the requested name, and it is not the same as 
            	// the one already registered to be used by default
            	if ( (id > 0) && (id != certificateProfileId) ) {
            		// Check if it is in allowed profiles in the entity profile
            		Collection c = endEntityProfile.getAvailableCertificateProfileIds();
            		if (c.contains(String.valueOf(id))) {
                    	data.setCertificateProfileId(id);
                    	// This admin can be the public web user, which may not be allowed to change status,
                    	// this is a bit ugly, but what can a man do...
                    	Admin tempadmin = new Admin(Admin.TYPE_INTERNALUSER);
                    	adminsession.changeUser(tempadmin, data, clearpwd);            		            			
            		} else {
                		log.error("Requested certificate profile is not allowed in end entity profile, using default: "+certprofile);
            		}
            	} else {
            		log.error("Requested certificate profile name does not exist, using default: "+certprofile);
            	}
            }

            // get users Token Type.
            tokentype = data.getTokenType();
            GenerateToken tgen = new GenerateToken(true);
            if(tokentype == SecConst.TOKEN_SOFT_P12){
              KeyStore ks = tgen.generateOrKeyRecoverToken(administrator, username, password, data.getCAId(), keylength, keyalg, false, loadkeys, savekeys, reusecertificate, endEntityProfileId);
              if (StringUtils.equals(openvpn, "on")) {            	  
                  sendOpenVPNToken(ks, username, password, response);
              } else {
            	  sendP12Token(ks, username, password, response);
              }
            }
            if(tokentype == SecConst.TOKEN_SOFT_JKS){
              KeyStore ks = tgen.generateOrKeyRecoverToken(administrator, username, password, data.getCAId(), keylength, keyalg, true, loadkeys, savekeys, reusecertificate, endEntityProfileId);
              sendJKSToken(ks, username, password, response);
            }
            if(tokentype == SecConst.TOKEN_SOFT_PEM){
              KeyStore ks = tgen.generateOrKeyRecoverToken(administrator, username, password, data.getCAId(), keylength, keyalg, false, loadkeys, savekeys, reusecertificate, endEntityProfileId);
              sendPEMTokens(ks, username, password, response);
            }
            if(tokentype == SecConst.TOKEN_SOFT_BROWSERGEN){
            	/** Indicates that a browser generated token should be used. */
              // first check if it is a netscape request,
              if (request.getParameter("keygen") != null) {
                  byte[] reqBytes=request.getParameter("keygen").getBytes();
                  if (reqBytes != null) {
                      log.debug("Received NS request: "+new String(reqBytes));
                      byte[] certs = helper.nsCertRequest(signsession, reqBytes, username, password);
                      RequestHelper.sendNewCertToNSClient(certs, response);
                  }
              } else if ( request.getParameter("iidPkcs10") != null && !request.getParameter("iidPkcs10").equals("")) {
                  // NetID iid?
                  byte[] reqBytes=request.getParameter("iidPkcs10").getBytes();
                  if (reqBytes != null) {
                      log.debug("Received iidPkcs10 request: "+new String(reqBytes));
                      byte[] b64cert=helper.pkcs10CertRequest(signsession, reqBytes, username, password, RequestHelper.ENCODED_CERTIFICATE, false);
                      response.setContentType("text/html");
                      RequestHelper.sendNewCertToIidClient(b64cert, request, response.getOutputStream(), getServletContext(), getInitParameter("responseIidTemplate"),classid);
                  }
              } else if ( (request.getParameter("pkcs10") != null) || (request.getParameter("PKCS10") != null) ) {
                  // if not netscape, check if it's IE这是IE证书请求。。。。。。使用PKCS #10 文件提交新证书的申请
                  byte[] reqBytes=request.getParameter("pkcs10").getBytes();
                  if (reqBytes == null)
                      reqBytes=request.getParameter("PKCS10").getBytes();
                  if (reqBytes != null) {
                      log.debug("Received IE request: "+new String(reqBytes));
                      byte[] b64cert=helper.pkcs10CertRequest(signsession, reqBytes, username, password, RequestHelper.ENCODED_PKCS7);
                      debug.ieCertFix(b64cert);
                      RequestHelper.sendNewCertToIEClient(b64cert, response.getOutputStream(), getServletContext(), getInitParameter("responseTemplate"),classid);
                  }
              } else if (request.getParameter("pkcs10req") != null && resulttype != 0) {
                  // if not IE, check if it's manual request
                  byte[] reqBytes=request.getParameter("pkcs10req").getBytes();
                  if (reqBytes != null) {
                      log.debug("Received PKCS10 request: "+new String(reqBytes));
                      byte[] b64cert=helper.pkcs10CertRequest(signsession, reqBytes, username, password, resulttype);
                      if(resulttype == RequestHelper.ENCODED_PKCS7)  
                        RequestHelper.sendNewB64Cert(b64cert, response, RequestHelper.BEGIN_PKCS7_WITH_NL, RequestHelper.END_PKCS7_WITH_NL);
                      if(resulttype == RequestHelper.ENCODED_CERTIFICATE)
                        RequestHelper.sendNewB64Cert(b64cert, response, RequestHelper.BEGIN_CERTIFICATE_WITH_NL, RequestHelper.END_CERTIFICATE_WITH_NL);
                  }
              }
            }
        } catch (ObjectNotFoundException oe) {
            log.debug("Non existent username!");
            debug.printMessage("Non existent username!");
            debug.printMessage(
                "To generate a certificate a valid username and password must be entered.");
            debug.printDebugInfo();
            return;
        } catch (AuthStatusException ase) {
            log.debug("Wrong user status!");
            debug.printMessage("Wrong user status!");
            if (usekeyrecovery) {
                debug.printMessage(
                    "To generate a certificate for a user the user must have status new, failed or inprocess.");
            } else {
                debug.printMessage(
                    "To generate a certificate for a user the user must have status new, failed or inprocess.");
            }
            debug.printDebugInfo();
            return;
        } catch (AuthLoginException ale) {
            log.debug("Wrong password for user!");
            debug.printMessage("Wrong username or password!");