1 13 14 package org.ejbca.core.ejb.keyrecovery; 15 16 import java.security.KeyPair ; 17 import java.security.cert.X509Certificate ; 18 import java.util.Collection ; 19 import java.util.Iterator ; 20 21 import javax.ejb.CreateException ; 22 import javax.ejb.EJBException ; 23 import javax.ejb.FinderException ; 24 25 import org.ejbca.core.ejb.BaseSessionBean; 26 import org.ejbca.core.ejb.authorization.IAuthorizationSessionLocal; 27 import org.ejbca.core.ejb.authorization.IAuthorizationSessionLocalHome; 28 import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocal; 29 import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocalHome; 30 import org.ejbca.core.ejb.ca.sign.ISignSessionLocal; 31 import org.ejbca.core.ejb.ca.sign.ISignSessionLocalHome; 32 import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocal; 33 import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocalHome; 34 import org.ejbca.core.ejb.log.ILogSessionLocal; 35 import org.ejbca.core.ejb.log.ILogSessionLocalHome; 36 import org.ejbca.core.ejb.ra.IUserAdminSessionLocal; 37 import org.ejbca.core.ejb.ra.IUserAdminSessionLocalHome; 38 import org.ejbca.core.ejb.approval.IApprovalSessionLocal; 39 import org.ejbca.core.ejb.approval.IApprovalSessionLocalHome; 40 import org.ejbca.core.model.InternalResources; 41 import org.ejbca.core.model.approval.ApprovalException; 42 import org.ejbca.core.model.approval.ApprovalExecutorUtil; 43 import org.ejbca.core.model.approval.ApprovalOveradableClassName; 44 import org.ejbca.core.model.approval.WaitingForApprovalException; 45 import org.ejbca.core.model.approval.approvalrequests.KeyRecoveryApprovalRequest; 46 import org.ejbca.core.model.authorization.AuthorizationDeniedException; 47 import org.ejbca.core.model.authorization.AvailableAccessRules; 48 import org.ejbca.core.model.ca.caadmin.CAInfo; 49 import org.ejbca.core.model.ca.caadmin.extendedcaservices.KeyRecoveryCAServiceRequest; 50 import org.ejbca.core.model.ca.caadmin.extendedcaservices.KeyRecoveryCAServiceResponse; 51 import org.ejbca.core.model.keyrecovery.KeyRecoveryData; 52 import org.ejbca.core.model.log.Admin; 53 import org.ejbca.core.model.log.LogEntry; 54 import org.ejbca.core.model.ra.UserDataConstants; 55 import org.ejbca.util.CertTools; 56 57 58 168 public class LocalKeyRecoverySessionBean extends BaseSessionBean { 169 170 171 private static final InternalResources intres = InternalResources.getInstance(); 172 173 174 private KeyRecoveryDataLocalHome keyrecoverydatahome = null; 175 176 177 private ISignSessionLocal signsession = null; 178 179 180 private ICertificateStoreSessionLocal certificatestoresession = null; 181 182 183 private ICAAdminSessionLocal caadminsession = null; 184 185 186 private IApprovalSessionLocal approvalsession = null; 187 188 189 private IUserAdminSessionLocal useradminsession = null; 190 191 192 193 194 private ILogSessionLocal logsession = null; 195 196 197 private IAuthorizationSessionLocal authorizationsession; 198 199 200 216 private boolean authorizedToKeyRecover(Admin admin, int profileid) throws AuthorizationDeniedException{ 217 boolean returnval = false; 218 try{ 219 authorizationsession.isAuthorizedNoLog(admin, "/super_administrator"); 220 returnval = true; 221 }catch(AuthorizationDeniedException e){} 222 223 if(admin.getAdminType() == Admin.TYPE_PUBLIC_WEB_USER){ 224 returnval = true; } 226 227 if(!returnval){ 228 returnval = authorizationsession.isAuthorizedNoLog(admin, AvailableAccessRules.ENDENTITYPROFILEPREFIX + profileid + AvailableAccessRules.KEYRECOVERY_RIGHTS) && 229 authorizationsession.isAuthorizedNoLog(admin, AvailableAccessRules.REGULAR_KEYRECOVERY); 230 } 231 232 return returnval; 233 } 234 235 242 private int getNumOfApprovalRequired(Admin admin,int action, int caid) { 243 CAInfo cainfo = caadminsession.getCAInfo(admin, caid); 244 return ApprovalExecutorUtil.getNumOfApprovalRequired(action, cainfo); 245 } 246 247 private IUserAdminSessionLocal getUserAdminSession(){ 248 if(useradminsession == null){ 249 try { 250 IUserAdminSessionLocalHome useradminhome = (IUserAdminSessionLocalHome) getLocator().getLocalHome(IUserAdminSessionLocalHome.COMP_NAME); 251 useradminsession = useradminhome.create(); 252 } catch (CreateException e) { 253 throw new EJBException (e); 254 } 255 } 256 return useradminsession; 257 } 258 259 269 private void checkIfApprovalRequired(Admin admin, X509Certificate certificate, String username, int endEntityProfileId, boolean checkNewest) throws ApprovalException, WaitingForApprovalException{ 270 final int caid = CertTools.getIssuerDN(certificate).hashCode(); 271 272 int numOfApprovalsRequired = getNumOfApprovalRequired(admin, CAInfo.REQ_APPROVAL_KEYRECOVER, caid ); 274 if (numOfApprovalsRequired > 0){ 275 276 KeyRecoveryApprovalRequest ar = new KeyRecoveryApprovalRequest(certificate,username,checkNewest, admin,null,numOfApprovalsRequired,caid,endEntityProfileId); 277 if (ApprovalExecutorUtil.requireApproval(ar, NONAPPROVABLECLASSNAMES_KEYRECOVERY)){ 278 approvalsession.addApprovalRequest(admin, ar); 279 String msg = intres.getLocalizedMessage("keyrecovery.addedforapproval"); 280 throw new WaitingForApprovalException(msg); 281 } 282 283 } 284 } 285 286 291 public void ejbCreate() throws CreateException { 292 debug(">ejbCreate()"); 293 294 try { 295 keyrecoverydatahome = (KeyRecoveryDataLocalHome) getLocator().getLocalHome(KeyRecoveryDataLocalHome.COMP_NAME); 296 297 ILogSessionLocalHome logHome = (ILogSessionLocalHome) getLocator().getLocalHome(ILogSessionLocalHome.COMP_NAME); 298 logsession = logHome.create(); 299 300 ICertificateStoreSessionLocalHome storeHome = (ICertificateStoreSessionLocalHome) getLocator().getLocalHome(ICertificateStoreSessionLocalHome.COMP_NAME); 301 certificatestoresession = storeHome.create(); 302 303 ISignSessionLocalHome signsessionhome = (ISignSessionLocalHome) getLocator().getLocalHome(ISignSessionLocalHome.COMP_NAME); 304 signsession = signsessionhome.create(); 305 306 IAuthorizationSessionLocalHome authorizationsessionhome = (IAuthorizationSessionLocalHome) getLocator().getLocalHome(IAuthorizationSessionLocalHome.COMP_NAME); 307 authorizationsession = authorizationsessionhome.create(); 308 309 ICAAdminSessionLocalHome caadminsessionhome = (ICAAdminSessionLocalHome) getLocator().getLocalHome(ICAAdminSessionLocalHome.COMP_NAME); 310 caadminsession = caadminsessionhome.create(); 311 312 IApprovalSessionLocalHome approvalsessionhome = (IApprovalSessionLocalHome) getLocator().getLocalHome(IApprovalSessionLocalHome.COMP_NAME); 313 approvalsession = approvalsessionhome.create(); 314 315 316 317 debug("<ejbCreate()"); 318 } catch (Exception e) { 319 throw new EJBException (e); 320 } 321 } 322 323 337 public boolean addKeyRecoveryData(Admin admin, X509Certificate certificate, String username, 338 KeyPair keypair) { 339 debug(">addKeyRecoveryData(user: " + username + ")"); 340 341 boolean returnval = false; 342 343 try { 344 int caid = CertTools.getIssuerDN(certificate).hashCode(); 345 346 KeyRecoveryCAServiceResponse response = (KeyRecoveryCAServiceResponse) signsession.extendedService(admin, caid, 347 new KeyRecoveryCAServiceRequest(KeyRecoveryCAServiceRequest.COMMAND_ENCRYPTKEYS, keypair)); 348 349 keyrecoverydatahome.create(certificate.getSerialNumber(), 350 CertTools.getIssuerDN(certificate), username, response.getKeyData()); 351 String msg = intres.getLocalizedMessage("keyrecovery.addeddata", certificate.getSerialNumber().toString(16), CertTools.getIssuerDN(certificate)); 352 logsession.log(admin, certificate, LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), username, 353 certificate, LogEntry.EVENT_INFO_KEYRECOVERY, msg); 354 returnval = true; 355 } catch (Exception e) { 356 String msg = intres.getLocalizedMessage("keyrecovery.erroradddata", certificate.getSerialNumber().toString(16), CertTools.getIssuerDN(certificate)); 357 logsession.log(admin, certificate, LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), 358 username, certificate, LogEntry.EVENT_ERROR_KEYRECOVERY, msg); 359 } 360 361 debug("<addKeyRecoveryData()"); 362 363 return returnval; 364 } 366 380 public boolean changeKeyRecoveryData(Admin admin, X509Certificate certificate, 381 boolean markedasrecoverable, KeyPair keypair) { 382 debug(">changeKeyRecoveryData(certsn: " + certificate.getSerialNumber().toString(16) + ", " + 383 CertTools.getIssuerDN(certificate) + ")"); 384 385 boolean returnval = false; 386 final String hexSerial = certificate.getSerialNumber().toString(16); 387 final String dn = CertTools.getIssuerDN(certificate); 388 try { 389 KeyRecoveryDataLocal krd = keyrecoverydatahome.findByPrimaryKey(new KeyRecoveryDataPK(hexSerial, dn)); 390 krd.setMarkedAsRecoverable(markedasrecoverable); 391 392 int caid = dn.hashCode(); 393 394 KeyRecoveryCAServiceResponse response = (KeyRecoveryCAServiceResponse) signsession.extendedService(admin, caid, 395 new KeyRecoveryCAServiceRequest(KeyRecoveryCAServiceRequest.COMMAND_ENCRYPTKEYS, keypair)); 396 397 398 krd.setKeyDataFromByteArray(response.getKeyData()); 399 String msg = intres.getLocalizedMessage("keyrecovery.changeddata", hexSerial, dn); 400 logsession.log(admin, certificate, LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), 401 krd.getUsername(), certificate, LogEntry.EVENT_INFO_KEYRECOVERY, msg); 402 returnval = true; 403 } catch (Exception e) { 404 String msg = intres.getLocalizedMessage("keyrecovery.errorchangedata", hexSerial, dn); 405 logsession.log(admin, certificate, LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), null, 406 certificate, LogEntry.EVENT_ERROR_KEYRECOVERY, msg); 407 } 408 409 debug("<changeKeyRecoveryData()"); 410 411 return returnval; 412 } 414 424 public void removeKeyRecoveryData(Admin admin, X509Certificate certificate) { 425 debug(">removeKeyRecoveryData(certificate: " + certificate.getSerialNumber().toString() + 426 ")"); 427 final String hexSerial = certificate.getSerialNumber().toString(16); 428 final String dn = CertTools.getIssuerDN(certificate); 429 try { 430 String username = null; 431 KeyRecoveryDataLocal krd = keyrecoverydatahome.findByPrimaryKey(new KeyRecoveryDataPK(hexSerial, dn)); 432 username = krd.getUsername(); 433 krd.remove(); 434 String msg = intres.getLocalizedMessage("keyrecovery.removeddata", hexSerial, dn); 435 logsession.log(admin, certificate, LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), username, 436 certificate, LogEntry.EVENT_INFO_KEYRECOVERY, msg); 437 } catch (Exception e) { 438 String msg = intres.getLocalizedMessage("keyrecovery.errorremovedata", hexSerial, dn); 439 logsession.log(admin, certificate, LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), null, 440 certificate, LogEntry.EVENT_ERROR_KEYRECOVERY, msg); 441 } 442 443 debug("<removeKeyRecoveryData()"); 444 } 446 456 public void removeAllKeyRecoveryData(Admin admin, String username) { 457 debug(">removeAllKeyRecoveryData(user: " + username + ")"); 458 459 try { 460 Collection result = keyrecoverydatahome.findByUsername(username); 461 Iterator iter = result.iterator(); 462 463 while (iter.hasNext()) { 464 ((KeyRecoveryDataLocal) iter.next()).remove(); 465 } 466 467 String msg = intres.getLocalizedMessage("keyrecovery.removeduser", username); 468 logsession.log(admin, admin.getCaId(), LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), username, 469 null, LogEntry.EVENT_INFO_KEYRECOVERY, msg); 470 } catch (Exception e) { 471 String msg = intres.getLocalizedMessage("keyrecovery.errorremoveuser", username); 472 logsession.log(admin, admin.getCaId(), LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), null, 473 null, LogEntry.EVENT_ERROR_KEYRECOVERY, msg); 474 } 475 476 debug("<removeAllKeyRecoveryData()"); 477 } 479 494 public KeyRecoveryData keyRecovery(Admin admin, String username, int endEntityProfileId) throws AuthorizationDeniedException { 495 debug(">keyRecovery(user: " + username + ")"); 496 497 KeyRecoveryData returnval = null; 498 KeyRecoveryDataLocal krd = null; 499 X509Certificate certificate = null; 500 501 if(authorizedToKeyRecover(admin, endEntityProfileId)){ 502 503 try { 504 Collection result = keyrecoverydatahome.findByUserMark(username); 505 Iterator i = result.iterator(); 506 507 try { 508 while (i.hasNext()) { 509 krd = (KeyRecoveryDataLocal) i.next(); 510 511 if (returnval == null) { 512 int caid = krd.getIssuerDN().hashCode(); 513 514 KeyRecoveryCAServiceResponse response = (KeyRecoveryCAServiceResponse) signsession.extendedService(admin, caid, 515 new KeyRecoveryCAServiceRequest(KeyRecoveryCAServiceRequest.COMMAND_DECRYPTKEYS, krd.getKeyDataAsByteArray())); 516 KeyPair keys = response.getKeyPair(); 517 certificate = (X509Certificate ) certificatestoresession 518 .findCertificateByIssuerAndSerno(admin, 519 krd.getIssuerDN(), krd.getCertificateSN()); 520 returnval = new KeyRecoveryData(krd.getCertificateSN(), krd.getIssuerDN(), 521 krd.getUsername(), krd.getMarkedAsRecoverable(), keys, certificate); 522 523 524 } 525 526 } 528 529 String msg = intres.getLocalizedMessage("keyrecovery.sentdata", username); 530 logsession.log(admin, admin.getCaId(), LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), 531 username, certificate, LogEntry.EVENT_INFO_KEYRECOVERY, msg); 532 } catch (Exception e) { 533 String msg = intres.getLocalizedMessage("keyrecovery.errorsenddata", username); 534 log.error(msg, e); 535 logsession.log(admin, admin.getCaId(), LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), 536 username, null, LogEntry.EVENT_ERROR_KEYRECOVERY, msg); 537 } 538 } catch (FinderException e) { 539 } 540 } 541 542 debug("<keyRecovery()"); 543 544 return returnval; 545 } 547 548 private static final ApprovalOveradableClassName[] NONAPPROVABLECLASSNAMES_KEYRECOVERY = { 549 new ApprovalOveradableClassName("org.ejbca.core.model.approval.approvalrequests.KeyRecoveryApprovalRequest",null), 550 }; 551 552 570 public boolean markNewestAsRecoverable(Admin admin, String username, int endEntityProfileId) throws AuthorizationDeniedException, ApprovalException, WaitingForApprovalException { 571 debug(">markNewestAsRecoverable(user: " + username + ")"); 572 573 boolean returnval = false; 574 long newesttime = 0; 575 KeyRecoveryDataLocal krd = null; 576 KeyRecoveryDataLocal newest = null; 577 X509Certificate certificate = null; 578 X509Certificate newestcertificate = null; 579 580 if (!isUserMarked(admin, username)) { 581 try { 582 Collection result = keyrecoverydatahome.findByUsername(username); 583 Iterator iter = result.iterator(); 584 585 while (iter.hasNext()) { 586 krd = (KeyRecoveryDataLocal) iter.next(); 587 certificate = (X509Certificate ) certificatestoresession 588 .findCertificateByIssuerAndSerno(admin, 589 krd.getIssuerDN(), krd.getCertificateSN()); 590 591 if (certificate != null) { 592 if (certificate.getNotBefore().getTime() > newesttime) { 593 newesttime = certificate.getNotBefore().getTime(); 594 newest = krd; 595 newestcertificate = certificate; 596 } 597 } 598 } 599 600 if (newest != null) { 601 602 603 604 authorizedToKeyRecover(admin, endEntityProfileId); 606 checkIfApprovalRequired(admin,newestcertificate,username,endEntityProfileId,true); 608 newest.setMarkedAsRecoverable(true); 609 getUserAdminSession().setUserStatus(admin, username, UserDataConstants.STATUS_KEYRECOVERY); 610 returnval = true; 611 } 612 613 String msg = intres.getLocalizedMessage("keyrecovery.markeduser", username); 614 logsession.log(admin, admin.getCaId(), LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), 615 username, newestcertificate, LogEntry.EVENT_INFO_KEYRECOVERY, msg); 616 } catch (FinderException e) { 617 String msg = intres.getLocalizedMessage("keyrecovery.errormarkuser", username); 618 logsession.log(admin, admin.getCaId(), LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), 619 username, null, LogEntry.EVENT_ERROR_KEYRECOVERY, msg); 620 } 621 } 622 623 debug("<markNewestAsRecoverable()"); 624 625 return returnval; 626 } 628 643 public boolean markAsRecoverable(Admin admin, X509Certificate certificate, int endEntityProfileId) throws AuthorizationDeniedException, WaitingForApprovalException, ApprovalException { 644 debug(">markAsRecoverable(certificatesn: " + certificate.getSerialNumber() + ")"); 645 646 boolean returnval = false; 647 final String hexSerial = certificate.getSerialNumber().toString(16); 648 final String dn = CertTools.getIssuerDN(certificate); 649 try { 650 String username = null; 651 KeyRecoveryDataLocal krd = keyrecoverydatahome.findByPrimaryKey(new KeyRecoveryDataPK(hexSerial, dn)); 652 username = krd.getUsername(); 653 654 authorizedToKeyRecover(admin, endEntityProfileId); 656 checkIfApprovalRequired(admin,certificate,username,endEntityProfileId,false); 658 krd.setMarkedAsRecoverable(true); 659 getUserAdminSession().setUserStatus(admin, username, UserDataConstants.STATUS_KEYRECOVERY); 660 String msg = intres.getLocalizedMessage("keyrecovery.markedcert", hexSerial, dn); 661 logsession.log(admin, certificate, LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), username, 662 certificate, LogEntry.EVENT_INFO_KEYRECOVERY, msg); 663 returnval = true; 664 } catch (FinderException e) { 665 String msg = intres.getLocalizedMessage("keyrecovery.errormarkcert", hexSerial, dn); 666 log.error(msg, e); 667 logsession.log(admin, certificate, LogEntry.MODULE_KEYRECOVERY, new java.util.Date (), null, 668 certificate, LogEntry.EVENT_ERROR_KEYRECOVERY, msg); 669 } 670 671 debug("<markAsRecoverable()"); 672 673 return returnval; 674 } 676 686 public void unmarkUser(Admin admin, String username) { 687 debug(">unmarkUser(user: " + username + ")"); 688 689 KeyRecoveryDataLocal krd = null; 690 691 try { 692 Collection result = keyrecoverydatahome.findByUserMark(username); 693 Iterator i = result.iterator(); 694 695 while (i.hasNext()) { 696 krd = (KeyRecoveryDataLocal) i.next(); 697 krd.setMarkedAsRecoverable(false); 698 } 699 } catch (Exception e) { 700 throw new EJBException (e); 701 } 702 703 debug("<unmarkUser()"); 704 } 706 719 public boolean isUserMarked(Admin admin, String username) { 720 debug(">isUserMarked(user: " + username + ")"); 721 722 boolean returnval = false; 723 KeyRecoveryDataLocal krd = null; 724 try { 725 Collection result = keyrecoverydatahome.findByUserMark(username); 726 Iterator i = result.iterator(); 727 728 while (i.hasNext()) { 729 krd = (KeyRecoveryDataLocal) i.next(); 730 731 if (krd.getMarkedAsRecoverable()) { 732 returnval = true; 733 break; 734 } 735 } 736 } catch (Exception e) { 737 throw new EJBException (e); 738 } 739 debug("<isUserMarked(" + returnval + ")"); 740 return returnval; 741 } 743 756 public boolean existsKeys(Admin admin, X509Certificate certificate) { 757 debug(">existsKeys()"); 758 759 boolean returnval = false; 760 final String hexSerial = certificate.getSerialNumber().toString(16); 761 final String dn = CertTools.getIssuerDN(certificate); 762 try { 763 KeyRecoveryDataLocal krd = keyrecoverydatahome.findByPrimaryKey(new KeyRecoveryDataPK(hexSerial, dn)); 764 debug("Found key for user: "+krd.getUsername()); 765 returnval = true; 766 } catch (FinderException e) { 767 } 768 debug("<existsKeys(" + returnval + ")"); 769 return returnval; 770 } 772 } 774 775 | Popular Tags |