1 13 14 package org.ejbca.core.protocol.xkms.generators; 15 16 import java.math.BigInteger ; 17 import java.security.cert.CertificateEncodingException ; 18 import java.security.cert.X509Certificate ; 19 import java.security.interfaces.RSAPublicKey ; 20 import java.util.ArrayList ; 21 import java.util.Date ; 22 import java.util.GregorianCalendar ; 23 import java.util.Iterator ; 24 import java.util.List ; 25 26 import javax.ejb.CreateException ; 27 import javax.naming.NamingException ; 28 import javax.xml.datatype.DatatypeConfigurationException ; 29 import javax.xml.datatype.XMLGregorianCalendar ; 30 31 import org.apache.log4j.Logger; 32 import org.ejbca.core.ejb.ca.sign.SernoGenerator; 33 import org.ejbca.core.model.InternalResources; 34 import org.ejbca.core.model.ca.caadmin.CAInfo; 35 import org.ejbca.core.model.ca.certificateprofiles.CertificateProfile; 36 import org.ejbca.core.model.ca.crl.RevokedCertInfo; 37 import org.ejbca.core.model.ca.store.CertificateInfo; 38 import org.ejbca.core.protocol.xkms.common.XKMSConstants; 39 import org.ejbca.util.CertTools; 40 import org.ejbca.util.dn.DNFieldExtractor; 41 import org.w3._2000._09.xmldsig_.KeyInfoType; 42 import org.w3._2000._09.xmldsig_.KeyValueType; 43 import org.w3._2000._09.xmldsig_.RSAKeyValueType; 44 import org.w3._2000._09.xmldsig_.X509DataType; 45 import org.w3._2002._03.xkms_.KeyBindingAbstractType; 46 import org.w3._2002._03.xkms_.KeyBindingType; 47 import org.w3._2002._03.xkms_.ObjectFactory; 48 import org.w3._2002._03.xkms_.RequestAbstractType; 49 import org.w3._2002._03.xkms_.ResultType; 50 import org.w3._2002._03.xkms_.StatusType; 51 import org.w3._2002._03.xkms_.UnverifiedKeyBindingType; 52 import org.w3._2002._03.xkms_.UseKeyWithType; 53 import org.w3._2002._03.xkms_.ValidityIntervalType; 54 55 56 57 66 67 public abstract class RequestAbstractTypeResponseGenerator extends BaseResponseGenerator{ 68 69 private static Logger log = Logger.getLogger(RequestAbstractTypeResponseGenerator.class); 70 private static final InternalResources intres = InternalResources.getInstance(); 71 72 protected static final BigInteger SERVERRESPONSELIMIT = new BigInteger ("30"); 73 74 75 protected RequestAbstractType req; 76 protected ObjectFactory xkmsFactory = new ObjectFactory(); 77 protected org.w3._2000._09.xmldsig_.ObjectFactory sigFactory = new org.w3._2000._09.xmldsig_.ObjectFactory(); 78 79 protected String resultMajor = null; 80 protected String resultMinor = null; 81 82 83 84 public RequestAbstractTypeResponseGenerator(String remoteIP, RequestAbstractType req){ 85 super(remoteIP); 86 this.req = req; 87 88 } 89 90 91 92 93 97 protected void populateResponse(ResultType result, boolean requestVerifies){ 98 result.setService(genServiceValue()); 99 result.setId(genId()); 100 result.setRequestId(req.getId()); 101 result.setOpaqueClientData(req.getOpaqueClientData()); 102 103 104 106 if(!requestVerifies){ 107 resultMajor = XKMSConstants.RESULTMAJOR_SENDER; 108 resultMinor = XKMSConstants.RESULTMINOR_NOAUTHENTICATION; 109 } 110 111 } 112 113 114 protected int getResponseLimit() { 115 if(req.getResponseLimit() == null || req.getResponseLimit().compareTo(SERVERRESPONSELIMIT) >= 0){ 116 return SERVERRESPONSELIMIT.intValue(); 117 } 118 119 return req.getResponseLimit().intValue(); 120 } 121 122 123 private String genId() { 124 String id = ""; 125 try { 126 id = SernoGenerator.instance().getSerno().toString(); 127 } catch (Exception e) { 128 log.error(intres.getLocalizedMessage("xkms.errorgenrespid"),e); 129 } 130 return "_" + id; 131 } 132 133 134 private String genServiceValue() { 135 return "http://@httpsserver.hostname@:@httpserver.pubhttp@/ejbca/xkms/xkms"; 136 } 137 138 139 140 143 protected void setResult(ResultType result){ 144 result.setResultMajor(resultMajor); 145 if(resultMinor != null){ 146 result.setResultMinor(resultMinor); 147 } 148 } 149 150 156 protected List <String > getCertKeyUsageSpec(X509Certificate cert) { 157 ArrayList <String > retval = new ArrayList <String >(); 158 159 if(cert.getKeyUsage()[CertificateProfile.DATAENCIPHERMENT]){ 160 retval.add(XKMSConstants.KEYUSAGE_ENCRYPTION); 161 } 162 if(cert.getKeyUsage()[CertificateProfile.DIGITALSIGNATURE] 163 || cert.getKeyUsage()[CertificateProfile.KEYENCIPHERMENT]){ 164 retval.add(XKMSConstants.KEYUSAGE_EXCHANGE); 165 } 166 if(XKMSConfig.signatureIsNonRep()){ 167 if(cert.getKeyUsage()[CertificateProfile.NONREPUDIATION]){ 168 retval.add(XKMSConstants.KEYUSAGE_SIGNATURE); 169 } 170 }else{ 171 if(cert.getKeyUsage()[CertificateProfile.DIGITALSIGNATURE]){ 172 retval.add(XKMSConstants.KEYUSAGE_SIGNATURE); 173 } 174 } 175 176 return retval; 177 } 178 179 183 protected List <UseKeyWithType> genUseKeyWithAttributes(X509Certificate cert, List <UseKeyWithType> reqUsages) throws Exception { 184 ArrayList <UseKeyWithType> retval = new ArrayList (); 185 186 Iterator <UseKeyWithType> iter = reqUsages.iterator(); 187 while(iter.hasNext()){ 188 UseKeyWithType useKeyWithType = iter.next(); 189 DNFieldExtractor altNameExtractor = new DNFieldExtractor(CertTools.getSubjectAlternativeName(cert),DNFieldExtractor.TYPE_SUBJECTALTNAME); 190 String cn = CertTools.getPartFromDN(cert.getSubjectDN().toString(), "CN"); 191 192 193 if(useKeyWithType.getApplication().equals(XKMSConstants.USEKEYWITH_XKMS)|| 194 useKeyWithType.getApplication().equals(XKMSConstants.USEKEYWITH_XKMSPROFILE) || 195 useKeyWithType.getApplication().equals(XKMSConstants.USEKEYWITH_TLS)){ 196 if(altNameExtractor.getField(DNFieldExtractor.URI, 0).startsWith(useKeyWithType.getIdentifier())){ 197 retval.add(useKeyWithType); 198 } 199 } 200 if(useKeyWithType.getApplication().equals(XKMSConstants.USEKEYWITH_SMIME)|| 201 useKeyWithType.getApplication().equals(XKMSConstants.USEKEYWITH_PGP)){ 202 if(altNameExtractor.getField(DNFieldExtractor.RFC822NAME, 0).startsWith(useKeyWithType.getIdentifier())){ 203 retval.add(useKeyWithType); 204 } 205 } 206 if(useKeyWithType.getApplication().equals(XKMSConstants.USEKEYWITH_TLSHTTP)){ 207 if(cn.startsWith(useKeyWithType.getIdentifier())){ 208 retval.add(useKeyWithType); 209 } 210 } 211 if(useKeyWithType.getApplication().equals(XKMSConstants.USEKEYWITH_TLSSMTP)){ 212 if(altNameExtractor.getField(DNFieldExtractor.DNSNAME, 0).startsWith(useKeyWithType.getIdentifier())){ 213 retval.add(useKeyWithType); 214 } 215 } 216 if(useKeyWithType.getApplication().equals(XKMSConstants.USEKEYWITH_IPSEC)){ 217 if(altNameExtractor.getField(DNFieldExtractor.IPADDRESS, 0).startsWith(useKeyWithType.getIdentifier())){ 218 retval.add(useKeyWithType); 219 } 220 } 221 if(useKeyWithType.getApplication().equals(XKMSConstants.USEKEYWITH_PKIX)){ 222 if(cert.getSubjectDN().toString().equalsIgnoreCase(CertTools.stringToBCDNString(useKeyWithType.getIdentifier()))){ 223 retval.add(useKeyWithType); 224 } 225 } 226 } 227 228 229 return retval; 230 } 231 232 238 protected KeyBindingAbstractType getResponseValues(KeyBindingAbstractType queryKeyBindingType, X509Certificate cert, boolean validateOrRevokeReq, boolean kRSSCall){ 239 UnverifiedKeyBindingType retval = xkmsFactory.createUnverifiedKeyBindingType(); 240 if(validateOrRevokeReq || kRSSCall){ 241 retval = xkmsFactory.createKeyBindingType(); 242 243 ((KeyBindingType) retval).setStatus(getStatus(cert, kRSSCall)); 244 } 245 246 247 retval.setId("_" + cert.getSerialNumber().toString(16)); 248 retval.setValidityInterval(getValidityInterval(cert)); 249 250 KeyInfoType keyInfoType = sigFactory.createKeyInfoType(); 251 252 if(req.getRespondWith().contains(XKMSConstants.RESPONDWITH_KEYNAME)){ 253 String keyName = cert.getSubjectDN().toString(); 254 keyInfoType.getContent().add(sigFactory.createKeyName(keyName)); 255 } 256 257 if(req.getRespondWith().contains(XKMSConstants.RESPONDWITH_KEYVALUE)){ 258 if(cert.getPublicKey() instanceof RSAPublicKey ){ 259 RSAPublicKey pubKey = (RSAPublicKey ) cert.getPublicKey(); 260 RSAKeyValueType rSAKeyValueType = sigFactory.createRSAKeyValueType(); 261 rSAKeyValueType.setModulus(pubKey.getModulus().toByteArray()); 262 rSAKeyValueType.setExponent(pubKey.getPublicExponent().toByteArray()); 263 KeyValueType keyValue = sigFactory.createKeyValueType(); 264 keyValue.getContent().add(sigFactory.createRSAKeyValue(rSAKeyValueType)); 265 keyInfoType.getContent().add(sigFactory.createKeyValue(keyValue)); 266 }else{ 267 log.error(intres.getLocalizedMessage("xkms.onlyrsakeysupported")); 268 resultMajor = XKMSConstants.RESULTMAJOR_RECIEVER; 269 resultMinor = XKMSConstants.RESULTMINOR_FAILURE; 270 } 271 } 272 273 if(req.getRespondWith().contains(XKMSConstants.RESPONDWITH_X509CERT) || 274 req.getRespondWith().contains(XKMSConstants.RESPONDWITH_X509CHAIN) || 275 req.getRespondWith().contains(XKMSConstants.RESPONDWITH_X509CRL)){ 276 X509DataType x509DataType = sigFactory.createX509DataType(); 277 if(req.getRespondWith().contains(XKMSConstants.RESPONDWITH_X509CERT) && !req.getRespondWith().contains(XKMSConstants.RESPONDWITH_X509CHAIN)){ 278 try { 279 x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(sigFactory.createX509DataTypeX509Certificate(cert.getEncoded())); 280 } catch (CertificateEncodingException e) { 281 log.error(intres.getLocalizedMessage("xkms.errordecodingcert"),e); 282 resultMajor = XKMSConstants.RESULTMAJOR_RECIEVER; 283 resultMinor = XKMSConstants.RESULTMINOR_FAILURE; 284 } 285 } 286 if(req.getRespondWith().contains(XKMSConstants.RESPONDWITH_X509CHAIN)){ 287 int caid = CertTools.getIssuerDN(cert).hashCode(); 288 try { 289 Iterator iter = getCAAdminSession().getCAInfo(pubAdmin, caid).getCertificateChain().iterator(); 290 while(iter.hasNext()){ 291 X509Certificate next = (X509Certificate ) iter.next(); 292 x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(sigFactory.createX509DataTypeX509Certificate(next.getEncoded())); 293 } 294 x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(sigFactory.createX509DataTypeX509Certificate(cert.getEncoded())); 295 } catch (Exception e) { 296 log.error(intres.getLocalizedMessage("xkms.errorfetchinglastcrl"),e); 297 resultMajor = XKMSConstants.RESULTMAJOR_RECIEVER; 298 resultMinor = XKMSConstants.RESULTMINOR_FAILURE; 299 } 300 } 301 if(req.getRespondWith().contains(XKMSConstants.RESPONDWITH_X509CRL)){ 302 byte[] crl = null; 303 try { 304 crl = getCertStoreSession().getLastCRL(pubAdmin, CertTools.getIssuerDN(cert)); 305 } catch (Exception e) { 306 log.error(intres.getLocalizedMessage("xkms.errorfetchinglastcrl"),e); 307 resultMajor = XKMSConstants.RESULTMAJOR_RECIEVER; 308 resultMinor = XKMSConstants.RESULTMINOR_FAILURE; 309 } 310 x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(sigFactory.createX509DataTypeX509CRL(crl)); 311 } 312 keyInfoType.getContent().add(sigFactory.createX509Data(x509DataType)); 313 314 } 315 retval.setKeyInfo(keyInfoType); 316 retval.getKeyUsage().addAll(getCertKeyUsageSpec(cert)); 317 try { 318 retval.getUseKeyWith().addAll(genUseKeyWithAttributes(cert, queryKeyBindingType.getUseKeyWith())); 319 } catch (Exception e) { 320 log.error(intres.getLocalizedMessage("xkms.errorextractingusekeyattr"),e); 321 resultMajor = XKMSConstants.RESULTMAJOR_RECIEVER; 322 resultMinor = XKMSConstants.RESULTMINOR_FAILURE; 323 324 } 325 326 327 return retval; 328 } 329 330 protected ValidityIntervalType getValidityInterval(X509Certificate cert) { 331 ValidityIntervalType valitityIntervalType = xkmsFactory.createValidityIntervalType(); 332 try { 333 GregorianCalendar notBeforeGregorianCalendar = new GregorianCalendar (); 334 notBeforeGregorianCalendar.setTime(cert.getNotBefore()); 335 XMLGregorianCalendar notBeforeXMLGregorianCalendar = javax.xml.datatype.DatatypeFactory.newInstance().newXMLGregorianCalendar(notBeforeGregorianCalendar); 336 notBeforeXMLGregorianCalendar.normalize(); 337 valitityIntervalType.setNotBefore(notBeforeXMLGregorianCalendar); 338 339 GregorianCalendar notAfterGregorianCalendar = new GregorianCalendar (); 340 notAfterGregorianCalendar.setTime(cert.getNotAfter()); 341 XMLGregorianCalendar notAfterXMLGregorianCalendar = javax.xml.datatype.DatatypeFactory.newInstance().newXMLGregorianCalendar(notAfterGregorianCalendar); 342 notAfterXMLGregorianCalendar.normalize(); 343 valitityIntervalType.setNotOnOrAfter(notAfterXMLGregorianCalendar); 344 345 } catch (DatatypeConfigurationException e) { 346 log.error(intres.getLocalizedMessage("xkms.errorsetvalidityinterval"),e); 347 } 348 349 350 return valitityIntervalType; 351 } 352 353 354 361 private StatusType getStatus(X509Certificate cert, boolean kRSSCall) { 362 StatusType retval = xkmsFactory.createStatusType(); 363 364 if(kRSSCall){ 365 retval.setStatusValue(XKMSConstants.STATUSVALUE_VALID); 366 retval.getValidReason().add(XKMSConstants.STATUSREASON_VALIDITYINTERVAL); 367 retval.getValidReason().add(XKMSConstants.STATUSREASON_ISSUERTRUST); 368 retval.getValidReason().add(XKMSConstants.STATUSREASON_SIGNATURE); 369 retval.getValidReason().add(XKMSConstants.STATUSREASON_REVOCATIONSTATUS); 370 }else{ 371 boolean allValid = true; 372 boolean inValidSet = false; 373 374 try{ 376 cert.checkValidity( new Date ()); 377 retval.getValidReason().add(XKMSConstants.STATUSREASON_VALIDITYINTERVAL); 378 }catch(Exception e){ 379 retval.getInvalidReason().add(XKMSConstants.STATUSREASON_VALIDITYINTERVAL); 380 allValid = false; 381 inValidSet = true; 382 } 383 384 try{ 386 int caid = CertTools.getIssuerDN(cert).hashCode(); 387 CAInfo cAInfo = getCAAdminSession().getCAInfo(pubAdmin, caid); 388 if(cAInfo != null){ 389 retval.getValidReason().add(XKMSConstants.STATUSREASON_ISSUERTRUST); 390 391 try{ 393 if(CertTools.verify(cert, cAInfo.getCertificateChain())){ 394 retval.getValidReason().add(XKMSConstants.STATUSREASON_SIGNATURE); 395 }else{ 396 retval.getInvalidReason().add(XKMSConstants.STATUSREASON_SIGNATURE); 397 allValid = false; 398 inValidSet = true; 399 } 400 }catch(Exception e){ 401 retval.getInvalidReason().add(XKMSConstants.STATUSREASON_SIGNATURE); 402 allValid = false; 403 inValidSet = true; 404 } 405 }else{ 406 retval.getInvalidReason().add(XKMSConstants.STATUSREASON_ISSUERTRUST); 407 retval.getIndeterminateReason().add(XKMSConstants.STATUSREASON_SIGNATURE); 408 allValid = false; 409 inValidSet = true; 410 } 411 412 CertificateInfo certInfo = getCertStoreSession().getCertificateInfo(pubAdmin, CertTools.getFingerprintAsString(cert)); 414 if(certInfo != null){ 415 if(certInfo.getRevocationReason() == RevokedCertInfo.NOT_REVOKED){ 416 retval.getValidReason().add(XKMSConstants.STATUSREASON_REVOCATIONSTATUS); 417 }else{ 418 retval.getInvalidReason().add(XKMSConstants.STATUSREASON_REVOCATIONSTATUS); 419 allValid = false; 420 inValidSet = true; 421 } 422 }else{ 423 retval.getIndeterminateReason().add(XKMSConstants.STATUSREASON_REVOCATIONSTATUS); 424 allValid = false; 425 } 426 427 428 }catch(CreateException e){ 429 log.error(intres.getLocalizedMessage("xkms.errorcreatesession"),e); 430 resultMajor = XKMSConstants.RESULTMAJOR_RECIEVER; 431 resultMinor = XKMSConstants.RESULTMINOR_FAILURE; 432 } catch (ClassCastException e) { 433 log.error(intres.getLocalizedMessage("xkms.errorcreatesession"),e); 434 resultMajor = XKMSConstants.RESULTMAJOR_RECIEVER; 435 resultMinor = XKMSConstants.RESULTMINOR_FAILURE; 436 } catch (NamingException e) { 437 log.error(intres.getLocalizedMessage("xkms.errorcreatesession"),e); 438 resultMajor = XKMSConstants.RESULTMAJOR_RECIEVER; 439 resultMinor = XKMSConstants.RESULTMINOR_FAILURE; 440 } 441 442 if(allValid){ 443 retval.setStatusValue(XKMSConstants.STATUSVALUE_VALID); 444 }else{ 445 if(inValidSet){ 446 retval.setStatusValue(XKMSConstants.STATUSVALUE_INVALID); 447 }else{ 448 retval.setStatusValue(XKMSConstants.STATUSVALUE_INDETERMINATE); 449 } 450 } 451 452 } 453 return retval; 454 } 455 456 457 } 458 | Popular Tags |