Modified: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/FileCertificateStore.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/FileCertificateStore.java?view=diff&rev=476291&r1=476290&r2=476291
==============================================================================
--- geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/FileCertificateStore.java (original)
+++ geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/FileCertificateStore.java Fri Nov 17 12:05:24 2006
@@ -1,351 +1,351 @@
-/**
- *
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.geronimo.security.ca;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.net.URI;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.Properties;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.geronimo.gbean.AbstractName;
-import org.apache.geronimo.gbean.GBeanInfo;
-import org.apache.geronimo.gbean.GBeanInfoBuilder;
-import org.apache.geronimo.gbean.GBeanLifecycle;
-import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
-import org.apache.geronimo.kernel.Kernel;
-import org.apache.geronimo.management.geronimo.CertificateStore;
-import org.apache.geronimo.management.geronimo.CertificateStoreException;
-import org.apache.geronimo.system.serverinfo.ServerInfo;
-import org.apache.geronimo.util.CaUtils;
-
-/**
- * A certificate store implementation using disk files.
- *
- * @version $Rev$ $Date$
- */
-
-public class FileCertificateStore implements CertificateStore, GBeanLifecycle {
- private static final Log log = LogFactory.getLog(FileCertificateStore.class);
-
- private ServerInfo serverInfo;
- private Kernel kernel;
- private AbstractName abstractName;
- private URI directoryPath;
-
- // File name for storing the highest serial number in the store
- private static final String SERIAL_NUMBER_FILE = "highest-serial-number.txt";
- // Extension for certificate files. Filename would be <serial-number>+CERT_FILE_SUFFIX
- private static final String CERT_FILE_SUFFIX = ".txt";
- // File name for storing CA's certificate
- private static final String CA_CERT_FILE = "ca-cert.txt";
- // File name for storing Certificate Challenges
- private static final String CHALLENGE_FILENAME = "challenge.properties";
- private static final String CHALLENGE_FILE_HEADER = "Challenge File";
-
- // directory for the certificate store
- private File storeDir = null;
-
- // File object of SERIAL_NUMBER_FILE cached
- private File highestSerialFile = null;
- // highest serial number cached
- private BigInteger highestSerialNumber = null;
- // Cerificate Challenges
- private Properties challenges = null;
-
- /**
- * Constructor
- * @param storeDir directory for the certificate store
- */
- public FileCertificateStore(ServerInfo serverInfo, URI directoryPath, Kernel kernel, AbstractName abstractName) {
- this.serverInfo = serverInfo;
- this.kernel = kernel;
- this.abstractName = abstractName;
- this.directoryPath = directoryPath;
- }
- /**
- * This method stores a given certificate.
- *
- * @param cert Certificate to be stored
- */
- public void storeCertificate(Certificate cert) throws CertificateStoreException {
- BigInteger sNo = ((X509Certificate)cert).getSerialNumber();
- File certFile = new File(storeDir, sNo+CERT_FILE_SUFFIX);
- try {
- // Check if the highest serial number is less than the serial number of certificate to be stored.
- if(sNo.compareTo(getHighestSerialNumber()) == 1) {
- // store the current serial number so that getNextSerialNumber() will not result in duplicate
- // serial number
- setHighestSerialNumber(sNo);
- }
-
- // Store the certificate to disk in base64 format
- FileOutputStream fout = new FileOutputStream(certFile);
- CaUtils.storeInBase64(fout, cert.getEncoded(), CaUtils.CERT_HEADER, CaUtils.CERT_FOOTER, CaUtils.B64_LINE_SIZE);
- fout.close();
- } catch (Exception e) {
- throw new CertificateStoreException("Error while storing certificate.", e);
- }
- }
-
- /**
- * This method returns a Certificate with a given serial number (if it exists in the store)
- *
- * @param sNo Serial Number of the certificate to be retrieved.
- */
- public Certificate getCertificate(BigInteger sNo) throws CertificateStoreException {
- File certFile = new File(storeDir, sNo+CERT_FILE_SUFFIX);
- if(!certFile.exists()) {
- // No such certificate in the store.
- throw new CertificateStoreException("No certificate with serial number "+sNo+" found.");
- }
-
- // Read the certificate from disk and generate a java.security.cert.Certificate
- try {
- FileInputStream fin = new FileInputStream(certFile);
- CertificateFactory certFac = CertificateFactory.getInstance("X.509");
- Certificate cert = certFac.generateCertificate(fin);
- fin.close();
- return cert;
- } catch (Exception e) {
- throw new CertificateStoreException("Error while retrieving certificate.", e);
- }
- }
-
- /**
- * This method returns base64 encoded certificate with a given serial number (if it exists in the store)
- *
- * @param sNo Serial Number of the certificate to be retrieved.
- */
- public String getCertificateBase64Text(BigInteger sNo) throws CertificateStoreException {
- File certFile = new File(storeDir, sNo+CERT_FILE_SUFFIX);
- if(!certFile.exists()) {
- throw new CertificateStoreException("No certificate with serial number "+sNo+" found.");
- }
- FileInputStream fin;
- try {
- fin = new FileInputStream(certFile);
- byte[] data = new byte[fin.available()];
- fin.read(data);
- fin.close();
- return new String(data);
- } catch (Exception e) {
- throw new CertificateStoreException("Error while retrieving certificate.", e);
- }
- }
-
- /**
- * This method returns the highest certificate serial number in the store.
- */
- public BigInteger getHighestSerialNumber() throws CertificateStoreException{
- if(highestSerialNumber == null) {
- // Value has not been cached. Read from the disk.
- try {
- FileInputStream finp = new FileInputStream(highestSerialFile);
- byte[] data = new byte[finp.available()];
- finp.read(data);
- finp.close();
- highestSerialNumber = new BigInteger(new String(data).trim());
- } catch (Exception e) {
- throw new CertificateStoreException("Error while getting serial number.", e);
- }
- }
- return highestSerialNumber;
- }
-
- /**
- * This method returns the 'highest certificate serial number plus ONE' and increments the highest
- * serial number in the store.
- */
- public BigInteger getNextSerialNumber() throws CertificateStoreException{
- setHighestSerialNumber(getHighestSerialNumber().add(BigInteger.ONE));
- return highestSerialNumber;
- }
-
- /**
- * This method checks if a certificate with a given serial number exists in the store.
- *
- * @param sNo Serial number of the certificate to be checked
- */
- public boolean containsCertificate(BigInteger sNo) {
- File certFile = new File(storeDir, sNo+CERT_FILE_SUFFIX);
- return certFile.exists();
- }
-
- /**
- * This method sets the highest serial number to a given value and updates the same to disk.
- * @param sNo The serial number to be set
- */
- private void setHighestSerialNumber(BigInteger sNo) throws CertificateStoreException{
- try {
- highestSerialNumber = sNo;
- FileOutputStream fout = new FileOutputStream(highestSerialFile);
- fout.write(highestSerialNumber.toString().getBytes());
- fout.close();
- } catch (Exception e) {
- throw new CertificateStoreException("Error while setting highest serial number.", e);
- }
- }
-
- /**
- * This method stores the CA's certificate in the store.
- * @param cert CA's certificate
- */
- public boolean storeCACertificate(Certificate cert) throws CertificateStoreException{
- FileOutputStream fout = null;
- try {
- fout = new FileOutputStream(new File(storeDir, CA_CERT_FILE));
- CaUtils.storeInBase64(fout, cert.getEncoded(), CaUtils.CERT_HEADER, CaUtils.CERT_FOOTER, CaUtils.B64_LINE_SIZE);
- fout.close();
- return true;
- } catch (Exception e) {
- throw new CertificateStoreException("Exception in storing CA certificate", e);
- }
- }
-
- /**
- * This method returns the CA's certificate stored in the store.
- */
- public Certificate getCACertificate() throws CertificateStoreException {
- FileInputStream fin = null;
- try {
- fin = new FileInputStream(new File(storeDir, CA_CERT_FILE));
- CertificateFactory certFac = CertificateFactory.getInstance("X.509");
- Certificate cert = certFac.generateCertificate(fin);
- fin.close();
- return cert;
- } catch (Exception e) {
- throw new CertificateStoreException("Exception in getting CA certificate", e);
- }
- }
-
- /**
- * This method stores the challenge phrase against the specified certificate serial number
- * @param sNo Serial number of the certificate
- * @param challenge Challenge phrase
- */
- public boolean setCertificateChallenge(BigInteger sNo, String challenge) {
- if(challenges == null) {
- loadChallenges();
- }
- if(!challenges.containsKey(sNo.toString())) {
- challenges.setProperty(sNo.toString(), challenge);
- storeChallenges();
- return true;
- }
- return false;
- }
-
- /**
- * This methods stores the challenges map to disk
- */
- private void storeChallenges() {
- if(challenges == null) loadChallenges();
- File chFile = new File(storeDir, CHALLENGE_FILENAME);
- FileOutputStream fout = null;
- try {
- fout = new FileOutputStream(chFile);
- challenges.store(fout, CHALLENGE_FILE_HEADER);
- fout.close();
- } catch (Exception e) {
- log.error("Exceptions while storing challenges file. File = "+chFile.getAbsolutePath(), e);
- }
-
- }
-
- /**
- * This method loads the challenges map from disk.
- */
- private void loadChallenges() {
- File chFile = new File(storeDir, CHALLENGE_FILENAME);
- FileInputStream fin = null;
- try {
- if(!chFile.exists())
- chFile.createNewFile();
- fin = new FileInputStream(chFile);
- challenges = new Properties();
- challenges.load(fin);
- fin.close();
- } catch (IOException e) {
- log.error("Exceptions while loading challenges file. File = "+chFile.getAbsolutePath(), e);
- }
- }
-
- public void doFail() {
- }
-
- public void doStart() throws Exception {
- serverInfo.resolveServer(directoryPath);
- URI dirURI;
- if (serverInfo != null) {
- dirURI = serverInfo.resolve(directoryPath);
- } else {
- dirURI = directoryPath;
- }
- if (!dirURI.getScheme().equals("file")) {
- throw new IllegalStateException("FileCertificateStore must have a root that's a local directory (not " + dirURI + ")");
- }
- storeDir = new File(dirURI);
- if(!storeDir.exists()) {
- storeDir.mkdirs();
- log.debug("Created directory "+storeDir.getAbsolutePath());
- } else if(!storeDir.isDirectory() || !storeDir.canRead()) {
- throw new IllegalStateException("FileCertificateStore must have a root that's a valid readable directory (not " + storeDir.getAbsolutePath() + ")");
- }
- log.debug("CertificateStore directory is " + storeDir.getAbsolutePath());
- highestSerialFile = new File(storeDir, SERIAL_NUMBER_FILE);
- if(!highestSerialFile.exists()) {
- // If the file does not exist, it means the certificate store is a new one.
- // Start with ZERO
- try {
- setHighestSerialNumber(BigInteger.ZERO);
- } catch(CertificateStoreException e) {
- log.error("Error initializing certificate store. storeDir="+storeDir, e);
- }
- }
- loadChallenges();
- }
-
- public void doStop() throws Exception {
- }
-
- public static final GBeanInfo GBEAN_INFO;
-
- static {
- GBeanInfoBuilder infoFactory = GBeanInfoBuilder.createStatic(FileCertificateStore.class, "CertificateStore");
- infoFactory.addAttribute("directoryPath", URI.class, true, false);
- infoFactory.addAttribute("kernel", Kernel.class, false);
- infoFactory.addAttribute("abstractName", AbstractName.class, false);
- infoFactory.addReference("ServerInfo", ServerInfo.class, NameFactory.GERONIMO_SERVICE);
- infoFactory.addInterface(CertificateStore.class);
- infoFactory.setConstructor(new String[]{"ServerInfo", "directoryPath", "kernel", "abstractName"});
-
- GBEAN_INFO = infoFactory.getBeanInfo();
- }
-
- public static GBeanInfo getGBeanInfo() {
- return GBEAN_INFO;
- }
-}
+/**
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.security.ca;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Properties;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.geronimo.gbean.AbstractName;
+import org.apache.geronimo.gbean.GBeanInfo;
+import org.apache.geronimo.gbean.GBeanInfoBuilder;
+import org.apache.geronimo.gbean.GBeanLifecycle;
+import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
+import org.apache.geronimo.kernel.Kernel;
+import org.apache.geronimo.management.geronimo.CertificateStore;
+import org.apache.geronimo.management.geronimo.CertificateStoreException;
+import org.apache.geronimo.system.serverinfo.ServerInfo;
+import org.apache.geronimo.util.CaUtils;
+
+/**
+ * A certificate store implementation using disk files.
+ *
+ * @version $Rev$ $Date$
+ */
+
+public class FileCertificateStore implements CertificateStore, GBeanLifecycle {
+ private static final Log log = LogFactory.getLog(FileCertificateStore.class);
+
+ private ServerInfo serverInfo;
+ private Kernel kernel;
+ private AbstractName abstractName;
+ private URI directoryPath;
+
+ // File name for storing the highest serial number in the store
+ private static final String SERIAL_NUMBER_FILE = "highest-serial-number.txt";
+ // Extension for certificate files. Filename would be <serial-number>+CERT_FILE_SUFFIX
+ private static final String CERT_FILE_SUFFIX = ".txt";
+ // File name for storing CA's certificate
+ private static final String CA_CERT_FILE = "ca-cert.txt";
+ // File name for storing Certificate Challenges
+ private static final String CHALLENGE_FILENAME = "challenge.properties";
+ private static final String CHALLENGE_FILE_HEADER = "Challenge File";
+
+ // directory for the certificate store
+ private File storeDir = null;
+
+ // File object of SERIAL_NUMBER_FILE cached
+ private File highestSerialFile = null;
+ // highest serial number cached
+ private BigInteger highestSerialNumber = null;
+ // Cerificate Challenges
+ private Properties challenges = null;
+
+ /**
+ * Constructor
+ * @param storeDir directory for the certificate store
+ */
+ public FileCertificateStore(ServerInfo serverInfo, URI directoryPath, Kernel kernel, AbstractName abstractName) {
+ this.serverInfo = serverInfo;
+ this.kernel = kernel;
+ this.abstractName = abstractName;
+ this.directoryPath = directoryPath;
+ }
+ /**
+ * This method stores a given certificate.
+ *
+ * @param cert Certificate to be stored
+ */
+ public void storeCertificate(Certificate cert) throws CertificateStoreException {
+ BigInteger sNo = ((X509Certificate)cert).getSerialNumber();
+ File certFile = new File(storeDir, sNo+CERT_FILE_SUFFIX);
+ try {
+ // Check if the highest serial number is less than the serial number of certificate to be stored.
+ if(sNo.compareTo(getHighestSerialNumber()) == 1) {
+ // store the current serial number so that getNextSerialNumber() will not result in duplicate
+ // serial number
+ setHighestSerialNumber(sNo);
+ }
+
+ // Store the certificate to disk in base64 format
+ FileOutputStream fout = new FileOutputStream(certFile);
+ CaUtils.storeInBase64(fout, cert.getEncoded(), CaUtils.CERT_HEADER, CaUtils.CERT_FOOTER, CaUtils.B64_LINE_SIZE);
+ fout.close();
+ } catch (Exception e) {
+ throw new CertificateStoreException("Error while storing certificate.", e);
+ }
+ }
+
+ /**
+ * This method returns a Certificate with a given serial number (if it exists in the store)
+ *
+ * @param sNo Serial Number of the certificate to be retrieved.
+ */
+ public Certificate getCertificate(BigInteger sNo) throws CertificateStoreException {
+ File certFile = new File(storeDir, sNo+CERT_FILE_SUFFIX);
+ if(!certFile.exists()) {
+ // No such certificate in the store.
+ throw new CertificateStoreException("No certificate with serial number "+sNo+" found.");
+ }
+
+ // Read the certificate from disk and generate a java.security.cert.Certificate
+ try {
+ FileInputStream fin = new FileInputStream(certFile);
+ CertificateFactory certFac = CertificateFactory.getInstance("X.509");
+ Certificate cert = certFac.generateCertificate(fin);
+ fin.close();
+ return cert;
+ } catch (Exception e) {
+ throw new CertificateStoreException("Error while retrieving certificate.", e);
+ }
+ }
+
+ /**
+ * This method returns base64 encoded certificate with a given serial number (if it exists in the store)
+ *
+ * @param sNo Serial Number of the certificate to be retrieved.
+ */
+ public String getCertificateBase64Text(BigInteger sNo) throws CertificateStoreException {
+ File certFile = new File(storeDir, sNo+CERT_FILE_SUFFIX);
+ if(!certFile.exists()) {
+ throw new CertificateStoreException("No certificate with serial number "+sNo+" found.");
+ }
+ FileInputStream fin;
+ try {
+ fin = new FileInputStream(certFile);
+ byte[] data = new byte[fin.available()];
+ fin.read(data);
+ fin.close();
+ return new String(data);
+ } catch (Exception e) {
+ throw new CertificateStoreException("Error while retrieving certificate.", e);
+ }
+ }
+
+ /**
+ * This method returns the highest certificate serial number in the store.
+ */
+ public BigInteger getHighestSerialNumber() throws CertificateStoreException{
+ if(highestSerialNumber == null) {
+ // Value has not been cached. Read from the disk.
+ try {
+ FileInputStream finp = new FileInputStream(highestSerialFile);
+ byte[] data = new byte[finp.available()];
+ finp.read(data);
+ finp.close();
+ highestSerialNumber = new BigInteger(new String(data).trim());
+ } catch (Exception e) {
+ throw new CertificateStoreException("Error while getting serial number.", e);
+ }
+ }
+ return highestSerialNumber;
+ }
+
+ /**
+ * This method returns the 'highest certificate serial number plus ONE' and increments the highest
+ * serial number in the store.
+ */
+ public BigInteger getNextSerialNumber() throws CertificateStoreException{
+ setHighestSerialNumber(getHighestSerialNumber().add(BigInteger.ONE));
+ return highestSerialNumber;
+ }
+
+ /**
+ * This method checks if a certificate with a given serial number exists in the store.
+ *
+ * @param sNo Serial number of the certificate to be checked
+ */
+ public boolean containsCertificate(BigInteger sNo) {
+ File certFile = new File(storeDir, sNo+CERT_FILE_SUFFIX);
+ return certFile.exists();
+ }
+
+ /**
+ * This method sets the highest serial number to a given value and updates the same to disk.
+ * @param sNo The serial number to be set
+ */
+ private void setHighestSerialNumber(BigInteger sNo) throws CertificateStoreException{
+ try {
+ highestSerialNumber = sNo;
+ FileOutputStream fout = new FileOutputStream(highestSerialFile);
+ fout.write(highestSerialNumber.toString().getBytes());
+ fout.close();
+ } catch (Exception e) {
+ throw new CertificateStoreException("Error while setting highest serial number.", e);
+ }
+ }
+
+ /**
+ * This method stores the CA's certificate in the store.
+ * @param cert CA's certificate
+ */
+ public boolean storeCACertificate(Certificate cert) throws CertificateStoreException{
+ FileOutputStream fout = null;
+ try {
+ fout = new FileOutputStream(new File(storeDir, CA_CERT_FILE));
+ CaUtils.storeInBase64(fout, cert.getEncoded(), CaUtils.CERT_HEADER, CaUtils.CERT_FOOTER, CaUtils.B64_LINE_SIZE);
+ fout.close();
+ return true;
+ } catch (Exception e) {
+ throw new CertificateStoreException("Exception in storing CA certificate", e);
+ }
+ }
+
+ /**
+ * This method returns the CA's certificate stored in the store.
+ */
+ public Certificate getCACertificate() throws CertificateStoreException {
+ FileInputStream fin = null;
+ try {
+ fin = new FileInputStream(new File(storeDir, CA_CERT_FILE));
+ CertificateFactory certFac = CertificateFactory.getInstance("X.509");
+ Certificate cert = certFac.generateCertificate(fin);
+ fin.close();
+ return cert;
+ } catch (Exception e) {
+ throw new CertificateStoreException("Exception in getting CA certificate", e);
+ }
+ }
+
+ /**
+ * This method stores the challenge phrase against the specified certificate serial number
+ * @param sNo Serial number of the certificate
+ * @param challenge Challenge phrase
+ */
+ public boolean setCertificateChallenge(BigInteger sNo, String challenge) {
+ if(challenges == null) {
+ loadChallenges();
+ }
+ if(!challenges.containsKey(sNo.toString())) {
+ challenges.setProperty(sNo.toString(), challenge);
+ storeChallenges();
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * This methods stores the challenges map to disk
+ */
+ private void storeChallenges() {
+ if(challenges == null) loadChallenges();
+ File chFile = new File(storeDir, CHALLENGE_FILENAME);
+ FileOutputStream fout = null;
+ try {
+ fout = new FileOutputStream(chFile);
+ challenges.store(fout, CHALLENGE_FILE_HEADER);
+ fout.close();
+ } catch (Exception e) {
+ log.error("Exceptions while storing challenges file. File = "+chFile.getAbsolutePath(), e);
+ }
+
+ }
+
+ /**
+ * This method loads the challenges map from disk.
+ */
+ private void loadChallenges() {
+ File chFile = new File(storeDir, CHALLENGE_FILENAME);
+ FileInputStream fin = null;
+ try {
+ if(!chFile.exists())
+ chFile.createNewFile();
+ fin = new FileInputStream(chFile);
+ challenges = new Properties();
+ challenges.load(fin);
+ fin.close();
+ } catch (IOException e) {
+ log.error("Exceptions while loading challenges file. File = "+chFile.getAbsolutePath(), e);
+ }
+ }
+
+ public void doFail() {
+ }
+
+ public void doStart() throws Exception {
+ serverInfo.resolveServer(directoryPath);
+ URI dirURI;
+ if (serverInfo != null) {
+ dirURI = serverInfo.resolve(directoryPath);
+ } else {
+ dirURI = directoryPath;
+ }
+ if (!dirURI.getScheme().equals("file")) {
+ throw new IllegalStateException("FileCertificateStore must have a root that's a local directory (not " + dirURI + ")");
+ }
+ storeDir = new File(dirURI);
+ if(!storeDir.exists()) {
+ storeDir.mkdirs();
+ log.debug("Created directory "+storeDir.getAbsolutePath());
+ } else if(!storeDir.isDirectory() || !storeDir.canRead()) {
+ throw new IllegalStateException("FileCertificateStore must have a root that's a valid readable directory (not " + storeDir.getAbsolutePath() + ")");
+ }
+ log.debug("CertificateStore directory is " + storeDir.getAbsolutePath());
+ highestSerialFile = new File(storeDir, SERIAL_NUMBER_FILE);
+ if(!highestSerialFile.exists()) {
+ // If the file does not exist, it means the certificate store is a new one.
+ // Start with ZERO
+ try {
+ setHighestSerialNumber(BigInteger.ZERO);
+ } catch(CertificateStoreException e) {
+ log.error("Error initializing certificate store. storeDir="+storeDir, e);
+ }
+ }
+ loadChallenges();
+ }
+
+ public void doStop() throws Exception {
+ }
+
+ public static final GBeanInfo GBEAN_INFO;
+
+ static {
+ GBeanInfoBuilder infoFactory = GBeanInfoBuilder.createStatic(FileCertificateStore.class, "CertificateStore");
+ infoFactory.addAttribute("directoryPath", URI.class, true, false);
+ infoFactory.addAttribute("kernel", Kernel.class, false);
+ infoFactory.addAttribute("abstractName", AbstractName.class, false);
+ infoFactory.addReference("ServerInfo", ServerInfo.class, NameFactory.GERONIMO_SERVICE);
+ infoFactory.addInterface(CertificateStore.class);
+ infoFactory.setConstructor(new String[]{"ServerInfo", "directoryPath", "kernel", "abstractName"});
+
+ GBEAN_INFO = infoFactory.getBeanInfo();
+ }
+
+ public static GBeanInfo getGBeanInfo() {
+ return GBEAN_INFO;
+ }
+}
Propchange: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/FileCertificateStore.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/FileCertificateStore.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/FileCertificateStore.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/GeronimoCertificationAuthority.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/GeronimoCertificationAuthority.java?view=diff&rev=476291&r1=476290&r2=476291
==============================================================================
--- geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/GeronimoCertificationAuthority.java (original)
+++ geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/GeronimoCertificationAuthority.java Fri Nov 17 12:05:24 2006
@@ -1,391 +1,391 @@
-/**
- *
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.geronimo.security.ca;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.Signature;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
-import java.util.Date;
-
-import javax.security.auth.x500.X500Principal;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.geronimo.gbean.AbstractName;
-import org.apache.geronimo.gbean.GBeanInfo;
-import org.apache.geronimo.gbean.GBeanInfoBuilder;
-import org.apache.geronimo.gbean.GBeanLifecycle;
-import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
-import org.apache.geronimo.kernel.Kernel;
-import org.apache.geronimo.management.geronimo.CertificateRequestStore;
-import org.apache.geronimo.management.geronimo.CertificateStore;
-import org.apache.geronimo.management.geronimo.CertificateStoreException;
-import org.apache.geronimo.management.geronimo.CertificationAuthority;
-import org.apache.geronimo.management.geronimo.CertificationAuthorityException;
-import org.apache.geronimo.management.geronimo.KeystoreException;
-import org.apache.geronimo.management.geronimo.KeystoreInstance;
-import org.apache.geronimo.system.serverinfo.ServerInfo;
-import org.apache.geronimo.util.CaUtils;
-import org.apache.geronimo.util.asn1.ASN1InputStream;
-import org.apache.geronimo.util.asn1.DERBitString;
-import org.apache.geronimo.util.asn1.DEREncodableVector;
-import org.apache.geronimo.util.asn1.DERInteger;
-import org.apache.geronimo.util.asn1.DERObject;
-import org.apache.geronimo.util.asn1.DERSequence;
-import org.apache.geronimo.util.asn1.pkcs.PKCSObjectIdentifiers;
-import org.apache.geronimo.util.asn1.x509.AlgorithmIdentifier;
-import org.apache.geronimo.util.asn1.x509.SubjectPublicKeyInfo;
-import org.apache.geronimo.util.asn1.x509.TBSCertificateStructure;
-import org.apache.geronimo.util.asn1.x509.Time;
-import org.apache.geronimo.util.asn1.x509.V3TBSCertificateGenerator;
-import org.apache.geronimo.util.asn1.x509.X509Name;
-
-/**
- * A Certification Authority implementation using KeystoreInstance to store CA's private key,
- * CertificateStore to store issued certificates and CertificateRequestStore to store certificate requests
- *
- * @version $Rev$ $Date$
- */
-public class GeronimoCertificationAuthority implements CertificationAuthority, GBeanLifecycle {
- private final static Log log = LogFactory.getLog(GeronimoCertificationAuthority.class);
-
- private ServerInfo serverInfo;
- private Kernel kernel;
- private AbstractName abstractName;
-
- // KeystoreInstance with CA's private key and certificate
- private KeystoreInstance caKeystore = null;
- // CertificateStore used to store all certificates issued by the CA
- private CertificateStore certStore = null;
- // Password for CA's keystore and private-key
- private char[] password;
- // CertificateRequestStore used to store certificate requests
- private CertificateRequestStore certReqStore = null;
-
- // Cache variables
- // Key alias
- private String alias;
- // CA's private key
- private PrivateKey caPrivateKey;
- // CA's public key
- private PublicKey caPublicKey;
- // CA's own certificate
- private Certificate caCert;
- // CA's name
- private X509Name caName;
-
- /**
- * Constructor
- *
- * @param instance KeystoreInstance containing CA's private-key and certificate
- * @param certStore CertificateStore for storing certificates issued by this CA
- * @param certReqStore CeetificateRequestStore for storing certificates requests
- */
- public GeronimoCertificationAuthority(ServerInfo serverInfo, KeystoreInstance caKeystore, CertificateStore certStore, CertificateRequestStore certReqStore, Kernel kernel, AbstractName abstractName) {
- if(caKeystore == null) throw new IllegalArgumentException("caKeystore is null.");
- if(certStore == null) throw new IllegalArgumentException("certStore is null");
- if(certReqStore == null) throw new IllegalArgumentException("certReqStore is null");
- this.serverInfo = serverInfo;
- this.kernel = kernel;
- this.abstractName = abstractName;
- this.caKeystore = caKeystore;
- this.certStore = certStore;
- this.certReqStore = certReqStore;
- }
-
- /**
- * This method checks if the CA is locked.
- * @return true if CA is locked, false otherwise.
- */
- public boolean isLocked() {
- return password == null;
- }
-
- /**
- * This method locks the CA.
- */
- public void lock() {
- try {
- caKeystore.lockKeystore(password);
- } catch (KeystoreException e) {
- log.error("Error locking CA.", e);
- }
- password = null;
- caName = null;
- caCert = null;
- caPrivateKey = null;
- alias = null;
- }
-
- /**
- * This method unlocks the CA.
- * @param password Password to unlock the CA.
- */
- public void unlock(char[] password) throws CertificationAuthorityException{
- try {
- this.password = password;
- caKeystore.unlockKeystore(password);
- alias = caKeystore.listPrivateKeys(password)[0];
- caKeystore.unlockPrivateKey(alias, password, password);
- caCert = caKeystore.getCertificate(alias, password);
- caName = CaUtils.getSubjectX509Name(caCert);
- caPrivateKey = caKeystore.getPrivateKey(alias, password, password);
- caPublicKey = caCert.getPublicKey();
- } catch(Exception e) {
- throw new CertificationAuthorityException("Errors in unlocking CA.", e);
- }
- }
-
- /**
- * This method returns CA's name.
- * @throws Exception if CA is locked.
- */
- public X500Principal getName() throws CertificationAuthorityException {
- if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
- try {
- return new X500Principal(caName.getEncoded());
- } catch (IOException e) {
- throw new CertificationAuthorityException("Error in getting CA name.", e);
- }
- }
-
- /**
- * This method returns CA's own certificate.
- * @throws Exception if CA is locked.
- */
- public Certificate getCertificate() throws CertificationAuthorityException {
- if(caCert == null) throw new CertificationAuthorityException("CA Certificate is null. CA may be locked.");
- try {
- return caCert = caKeystore.getCertificate(alias, password);
- } catch (KeystoreException e) {
- log.error("Error getting CA's certificate.", e);
- }
- return null;
- }
-
- /**
- * This method makes the CA issue a self-signed certificate with given details. This method is usually
- * called while initializing the CA.
- *
- * @param sNo Serial number for self-signed certificate
- * @param validFromDate Certificate validity period start date
- * @param validToDate Certificate validity period end date
- * @param algorithm Signature algorithm for self-signed certificate
- */
- public void issueOwnCertificate(BigInteger sNo, Date validFromDate, Date validToDate, String algorithm) throws CertificationAuthorityException{
- if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
- try {
- PublicKey publicKey = caCert.getPublicKey();
- Certificate cert = issueCertificate(getName(), publicKey, sNo, validFromDate, validToDate, algorithm);
- caKeystore.importPKCS7Certificate(alias, CaUtils.base64Certificate(cert), password);
- caCert = cert;
- } catch(Exception e) {
- throw new CertificationAuthorityException("Error in issuing own certificate.", e);
- }
- }
-
- /**
- * This method issues a certificate.
- *
- * @param subject Subject X500Principal
- * @param publicKey Subject's public key
- * @param sNo Serial number for the certificate to be issued
- * @param validFromDate Certificate validity period start date
- * @param validToDate Certificate validity period end date
- * @param algorithm Signature algorithm for the certificate
- * @return newly issued certificate
- */
- public Certificate issueCertificate(X500Principal subject, PublicKey publicKey, BigInteger sNo, Date validFromDate, Date validToDate, String algorithm) throws CertificationAuthorityException{
- if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
- try {
- X509Name subName = CaUtils.getX509Name(subject);
- Certificate cert = issueCertificate(subName, caName, sNo, publicKey, caPrivateKey, validFromDate, validToDate, algorithm);
- cert.verify(caPublicKey);
- certStore.storeCertificate(cert);
- return cert;
- } catch(Exception e) {
- throw new CertificationAuthorityException("Error in issuing certificate.", e);
- }
- }
-
- /**
- * This method returns the highest serial number used by the CA.
- */
- public BigInteger getHighestSerialNumber() throws CertificationAuthorityException {
- if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
- try {
- return certStore.getHighestSerialNumber();
- } catch (CertificateStoreException e) {
- throw new CertificationAuthorityException("Error in getting highest serial number for CA.", e);
- }
- }
-
- /**
- * This method checks if a Certificate with a given serial number is already issued.
- * @param sNo The serial number of the the certificate to be looked for
- * @return true if a certificate with the specified serial number has already been issued
- */
- public boolean isCertificateIssued(BigInteger sNo) throws CertificationAuthorityException {
- if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
- return certStore.containsCertificate(sNo);
- }
-
- /**
- * This method returns the next serial number that can be used to issue a certificate and increments the
- * highest serial number.
- */
- public BigInteger getNextSerialNumber() throws CertificationAuthorityException {
- if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
- try {
- return certStore.getNextSerialNumber();
- } catch (CertificateStoreException e) {
- throw new CertificationAuthorityException("Error in getting next serial number for CA.", e);
- }
- }
-
- /**
- * This method retrieves a certificate with the specified serial number.
- * @param sNo The serial number of the certificate to be retrieved
- * @return java.security.cert.Certificate instance of the certificate
- */
- public Certificate getCertificate(BigInteger sNo) throws CertificationAuthorityException {
- if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
- try {
- return certStore.getCertificate(sNo);
- } catch (CertificateStoreException e) {
- throw new CertificationAuthorityException("Error getting certificate. serial number = "+sNo, e);
- }
- }
-
- /**
- * This method retrieves a certificate with the specified serial number.
- * @param sNo The serial number of the certificate to be retrieved
- * @return base64 encoded certificate text
- */
- public String getCertificateBase64Text(BigInteger sNo) throws CertificationAuthorityException {
- if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
- try {
- return certStore.getCertificateBase64Text(sNo);
- } catch (CertificateStoreException e) {
- throw new CertificationAuthorityException("Error getting certificate. serial number = "+sNo, e);
- }
- }
-
- /**
- * This method issues a certificate.
- * @param subName Subject's name
- * @param caName Issuer's name
- * @param serialNum Serial number for the certificate
- * @param subPubKey Subject's public key
- * @param caPriKey Issuer's private key
- * @param validFromDate Certificate validity period start date
- * @param validToDate Certificate validity period end date
- * @param algorithm Signature algorithm for the certificate
- * @return issued certificate
- */
- private Certificate issueCertificate(X509Name subName, X509Name caName, BigInteger serialNum, PublicKey subPubKey, PrivateKey caPriKey, Date validFromDate, Date validToDate, String algorithm) throws Exception {
- AlgorithmIdentifier algId = null;
- if("MD2withRSA".equalsIgnoreCase(algorithm))
- algId = new AlgorithmIdentifier(PKCSObjectIdentifiers.md2WithRSAEncryption);
- else if("MD5withRSA".equalsIgnoreCase(algorithm))
- algId = new AlgorithmIdentifier(PKCSObjectIdentifiers.md5WithRSAEncryption);
- else if("SHA1withRSA".equalsIgnoreCase(algorithm))
- algId = new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption);
- else
- throw new CertificationAuthorityException("Signature algorithm "+algorithm+" is not supported.");
-
- ASN1InputStream ais = new ASN1InputStream(subPubKey.getEncoded());
- DERObject subPubkeyDerObj = ais.readObject();
- SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(subPubkeyDerObj);
-
- // Create certificate generator and initialize fields
- // Certificate version is v3
- V3TBSCertificateGenerator v3certGen = new V3TBSCertificateGenerator();
- // Subject info
- v3certGen.setSubject(subName);
- v3certGen.setSubjectPublicKeyInfo(subPubKeyInfo);
- // Issuer info
- v3certGen.setIssuer(caName);
- // serial number
- v3certGen.setSerialNumber(new DERInteger(serialNum));
- // validity
- v3certGen.setStartDate(new Time(validFromDate));
- v3certGen.setEndDate(new Time(validToDate));
- // signature algorithm
- v3certGen.setSignature(algId);
-
- // Get the certificate info to be signed
- TBSCertificateStructure tbsCert = v3certGen.generateTBSCertificate();
- byte[] tobesigned = tbsCert.getEncoded();
-
- // Create the signature
- Signature signatureObj = Signature.getInstance(algorithm);
- signatureObj.initSign(caPriKey);
- signatureObj.update(tobesigned);
- byte[] signature = signatureObj.sign();
-
- // Compose tbsCert, algId and signature into a DER sequence.
- // This will be the certificate in DER encoded form
- DEREncodableVector certDerVec = new DEREncodableVector();
- certDerVec.add(tbsCert);
- certDerVec.add(algId);
- certDerVec.add(new DERBitString(signature));
- DERSequence certDerSeq = new DERSequence(certDerVec);
- byte[] certData = certDerSeq.getEncoded();
-
- // Create a java.security.cert.Certificate object
- Certificate certificate = CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(certData));
-
- return certificate;
- }
-
- public void doFail() {
- }
-
- public void doStart() throws Exception {
- if(caKeystore.isKeystoreLocked()) {
- lock();
- }
- }
-
- public void doStop() throws Exception {
- }
- public static final GBeanInfo GBEAN_INFO;
-
- static {
- GBeanInfoBuilder infoFactory = GBeanInfoBuilder.createStatic(GeronimoCertificationAuthority.class, "CertificationAuthority");
- infoFactory.addAttribute("kernel", Kernel.class, false);
- infoFactory.addAttribute("abstractName", AbstractName.class, false);
- infoFactory.addReference("ServerInfo", ServerInfo.class, NameFactory.GERONIMO_SERVICE);
- infoFactory.addReference("KeystoreInstance", KeystoreInstance.class, NameFactory.KEYSTORE_INSTANCE);
- infoFactory.addReference("CertificateStore", CertificateStore.class, "CertificateStore");
- infoFactory.addReference("CertificateRequestStore", CertificateRequestStore.class, "CertificateRequestStore");
- infoFactory.addInterface(CertificationAuthority.class);
- infoFactory.setConstructor(new String[]{"ServerInfo", "KeystoreInstance", "CertificateStore", "CertificateRequestStore", "kernel", "abstractName"});
-
- GBEAN_INFO = infoFactory.getBeanInfo();
- }
- public static GBeanInfo getGBeanInfo() {
- return GBEAN_INFO;
- }
-}
+/**
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.security.ca;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.util.Date;
+
+import javax.security.auth.x500.X500Principal;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.geronimo.gbean.AbstractName;
+import org.apache.geronimo.gbean.GBeanInfo;
+import org.apache.geronimo.gbean.GBeanInfoBuilder;
+import org.apache.geronimo.gbean.GBeanLifecycle;
+import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
+import org.apache.geronimo.kernel.Kernel;
+import org.apache.geronimo.management.geronimo.CertificateRequestStore;
+import org.apache.geronimo.management.geronimo.CertificateStore;
+import org.apache.geronimo.management.geronimo.CertificateStoreException;
+import org.apache.geronimo.management.geronimo.CertificationAuthority;
+import org.apache.geronimo.management.geronimo.CertificationAuthorityException;
+import org.apache.geronimo.management.geronimo.KeystoreException;
+import org.apache.geronimo.management.geronimo.KeystoreInstance;
+import org.apache.geronimo.system.serverinfo.ServerInfo;
+import org.apache.geronimo.util.CaUtils;
+import org.apache.geronimo.util.asn1.ASN1InputStream;
+import org.apache.geronimo.util.asn1.DERBitString;
+import org.apache.geronimo.util.asn1.DEREncodableVector;
+import org.apache.geronimo.util.asn1.DERInteger;
+import org.apache.geronimo.util.asn1.DERObject;
+import org.apache.geronimo.util.asn1.DERSequence;
+import org.apache.geronimo.util.asn1.pkcs.PKCSObjectIdentifiers;
+import org.apache.geronimo.util.asn1.x509.AlgorithmIdentifier;
+import org.apache.geronimo.util.asn1.x509.SubjectPublicKeyInfo;
+import org.apache.geronimo.util.asn1.x509.TBSCertificateStructure;
+import org.apache.geronimo.util.asn1.x509.Time;
+import org.apache.geronimo.util.asn1.x509.V3TBSCertificateGenerator;
+import org.apache.geronimo.util.asn1.x509.X509Name;
+
+/**
+ * A Certification Authority implementation using KeystoreInstance to store CA's private key,
+ * CertificateStore to store issued certificates and CertificateRequestStore to store certificate requests
+ *
+ * @version $Rev$ $Date$
+ */
+public class GeronimoCertificationAuthority implements CertificationAuthority, GBeanLifecycle {
+ private final static Log log = LogFactory.getLog(GeronimoCertificationAuthority.class);
+
+ private ServerInfo serverInfo;
+ private Kernel kernel;
+ private AbstractName abstractName;
+
+ // KeystoreInstance with CA's private key and certificate
+ private KeystoreInstance caKeystore = null;
+ // CertificateStore used to store all certificates issued by the CA
+ private CertificateStore certStore = null;
+ // Password for CA's keystore and private-key
+ private char[] password;
+ // CertificateRequestStore used to store certificate requests
+ private CertificateRequestStore certReqStore = null;
+
+ // Cache variables
+ // Key alias
+ private String alias;
+ // CA's private key
+ private PrivateKey caPrivateKey;
+ // CA's public key
+ private PublicKey caPublicKey;
+ // CA's own certificate
+ private Certificate caCert;
+ // CA's name
+ private X509Name caName;
+
+ /**
+ * Constructor
+ *
+ * @param instance KeystoreInstance containing CA's private-key and certificate
+ * @param certStore CertificateStore for storing certificates issued by this CA
+ * @param certReqStore CeetificateRequestStore for storing certificates requests
+ */
+ public GeronimoCertificationAuthority(ServerInfo serverInfo, KeystoreInstance caKeystore, CertificateStore certStore, CertificateRequestStore certReqStore, Kernel kernel, AbstractName abstractName) {
+ if(caKeystore == null) throw new IllegalArgumentException("caKeystore is null.");
+ if(certStore == null) throw new IllegalArgumentException("certStore is null");
+ if(certReqStore == null) throw new IllegalArgumentException("certReqStore is null");
+ this.serverInfo = serverInfo;
+ this.kernel = kernel;
+ this.abstractName = abstractName;
+ this.caKeystore = caKeystore;
+ this.certStore = certStore;
+ this.certReqStore = certReqStore;
+ }
+
+ /**
+ * This method checks if the CA is locked.
+ * @return true if CA is locked, false otherwise.
+ */
+ public boolean isLocked() {
+ return password == null;
+ }
+
+ /**
+ * This method locks the CA.
+ */
+ public void lock() {
+ try {
+ caKeystore.lockKeystore(password);
+ } catch (KeystoreException e) {
+ log.error("Error locking CA.", e);
+ }
+ password = null;
+ caName = null;
+ caCert = null;
+ caPrivateKey = null;
+ alias = null;
+ }
+
+ /**
+ * This method unlocks the CA.
+ * @param password Password to unlock the CA.
+ */
+ public void unlock(char[] password) throws CertificationAuthorityException{
+ try {
+ this.password = password;
+ caKeystore.unlockKeystore(password);
+ alias = caKeystore.listPrivateKeys(password)[0];
+ caKeystore.unlockPrivateKey(alias, password, password);
+ caCert = caKeystore.getCertificate(alias, password);
+ caName = CaUtils.getSubjectX509Name(caCert);
+ caPrivateKey = caKeystore.getPrivateKey(alias, password, password);
+ caPublicKey = caCert.getPublicKey();
+ } catch(Exception e) {
+ throw new CertificationAuthorityException("Errors in unlocking CA.", e);
+ }
+ }
+
+ /**
+ * This method returns CA's name.
+ * @throws Exception if CA is locked.
+ */
+ public X500Principal getName() throws CertificationAuthorityException {
+ if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
+ try {
+ return new X500Principal(caName.getEncoded());
+ } catch (IOException e) {
+ throw new CertificationAuthorityException("Error in getting CA name.", e);
+ }
+ }
+
+ /**
+ * This method returns CA's own certificate.
+ * @throws Exception if CA is locked.
+ */
+ public Certificate getCertificate() throws CertificationAuthorityException {
+ if(caCert == null) throw new CertificationAuthorityException("CA Certificate is null. CA may be locked.");
+ try {
+ return caCert = caKeystore.getCertificate(alias, password);
+ } catch (KeystoreException e) {
+ log.error("Error getting CA's certificate.", e);
+ }
+ return null;
+ }
+
+ /**
+ * This method makes the CA issue a self-signed certificate with given details. This method is usually
+ * called while initializing the CA.
+ *
+ * @param sNo Serial number for self-signed certificate
+ * @param validFromDate Certificate validity period start date
+ * @param validToDate Certificate validity period end date
+ * @param algorithm Signature algorithm for self-signed certificate
+ */
+ public void issueOwnCertificate(BigInteger sNo, Date validFromDate, Date validToDate, String algorithm) throws CertificationAuthorityException{
+ if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
+ try {
+ PublicKey publicKey = caCert.getPublicKey();
+ Certificate cert = issueCertificate(getName(), publicKey, sNo, validFromDate, validToDate, algorithm);
+ caKeystore.importPKCS7Certificate(alias, CaUtils.base64Certificate(cert), password);
+ caCert = cert;
+ } catch(Exception e) {
+ throw new CertificationAuthorityException("Error in issuing own certificate.", e);
+ }
+ }
+
+ /**
+ * This method issues a certificate.
+ *
+ * @param subject Subject X500Principal
+ * @param publicKey Subject's public key
+ * @param sNo Serial number for the certificate to be issued
+ * @param validFromDate Certificate validity period start date
+ * @param validToDate Certificate validity period end date
+ * @param algorithm Signature algorithm for the certificate
+ * @return newly issued certificate
+ */
+ public Certificate issueCertificate(X500Principal subject, PublicKey publicKey, BigInteger sNo, Date validFromDate, Date validToDate, String algorithm) throws CertificationAuthorityException{
+ if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
+ try {
+ X509Name subName = CaUtils.getX509Name(subject);
+ Certificate cert = issueCertificate(subName, caName, sNo, publicKey, caPrivateKey, validFromDate, validToDate, algorithm);
+ cert.verify(caPublicKey);
+ certStore.storeCertificate(cert);
+ return cert;
+ } catch(Exception e) {
+ throw new CertificationAuthorityException("Error in issuing certificate.", e);
+ }
+ }
+
+ /**
+ * This method returns the highest serial number used by the CA.
+ */
+ public BigInteger getHighestSerialNumber() throws CertificationAuthorityException {
+ if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
+ try {
+ return certStore.getHighestSerialNumber();
+ } catch (CertificateStoreException e) {
+ throw new CertificationAuthorityException("Error in getting highest serial number for CA.", e);
+ }
+ }
+
+ /**
+ * This method checks if a Certificate with a given serial number is already issued.
+ * @param sNo The serial number of the the certificate to be looked for
+ * @return true if a certificate with the specified serial number has already been issued
+ */
+ public boolean isCertificateIssued(BigInteger sNo) throws CertificationAuthorityException {
+ if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
+ return certStore.containsCertificate(sNo);
+ }
+
+ /**
+ * This method returns the next serial number that can be used to issue a certificate and increments the
+ * highest serial number.
+ */
+ public BigInteger getNextSerialNumber() throws CertificationAuthorityException {
+ if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
+ try {
+ return certStore.getNextSerialNumber();
+ } catch (CertificateStoreException e) {
+ throw new CertificationAuthorityException("Error in getting next serial number for CA.", e);
+ }
+ }
+
+ /**
+ * This method retrieves a certificate with the specified serial number.
+ * @param sNo The serial number of the certificate to be retrieved
+ * @return java.security.cert.Certificate instance of the certificate
+ */
+ public Certificate getCertificate(BigInteger sNo) throws CertificationAuthorityException {
+ if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
+ try {
+ return certStore.getCertificate(sNo);
+ } catch (CertificateStoreException e) {
+ throw new CertificationAuthorityException("Error getting certificate. serial number = "+sNo, e);
+ }
+ }
+
+ /**
+ * This method retrieves a certificate with the specified serial number.
+ * @param sNo The serial number of the certificate to be retrieved
+ * @return base64 encoded certificate text
+ */
+ public String getCertificateBase64Text(BigInteger sNo) throws CertificationAuthorityException {
+ if(isLocked()) throw new CertificationAuthorityException("CA is locked.");
+ try {
+ return certStore.getCertificateBase64Text(sNo);
+ } catch (CertificateStoreException e) {
+ throw new CertificationAuthorityException("Error getting certificate. serial number = "+sNo, e);
+ }
+ }
+
+ /**
+ * This method issues a certificate.
+ * @param subName Subject's name
+ * @param caName Issuer's name
+ * @param serialNum Serial number for the certificate
+ * @param subPubKey Subject's public key
+ * @param caPriKey Issuer's private key
+ * @param validFromDate Certificate validity period start date
+ * @param validToDate Certificate validity period end date
+ * @param algorithm Signature algorithm for the certificate
+ * @return issued certificate
+ */
+ private Certificate issueCertificate(X509Name subName, X509Name caName, BigInteger serialNum, PublicKey subPubKey, PrivateKey caPriKey, Date validFromDate, Date validToDate, String algorithm) throws Exception {
+ AlgorithmIdentifier algId = null;
+ if("MD2withRSA".equalsIgnoreCase(algorithm))
+ algId = new AlgorithmIdentifier(PKCSObjectIdentifiers.md2WithRSAEncryption);
+ else if("MD5withRSA".equalsIgnoreCase(algorithm))
+ algId = new AlgorithmIdentifier(PKCSObjectIdentifiers.md5WithRSAEncryption);
+ else if("SHA1withRSA".equalsIgnoreCase(algorithm))
+ algId = new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption);
+ else
+ throw new CertificationAuthorityException("Signature algorithm "+algorithm+" is not supported.");
+
+ ASN1InputStream ais = new ASN1InputStream(subPubKey.getEncoded());
+ DERObject subPubkeyDerObj = ais.readObject();
+ SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(subPubkeyDerObj);
+
+ // Create certificate generator and initialize fields
+ // Certificate version is v3
+ V3TBSCertificateGenerator v3certGen = new V3TBSCertificateGenerator();
+ // Subject info
+ v3certGen.setSubject(subName);
+ v3certGen.setSubjectPublicKeyInfo(subPubKeyInfo);
+ // Issuer info
+ v3certGen.setIssuer(caName);
+ // serial number
+ v3certGen.setSerialNumber(new DERInteger(serialNum));
+ // validity
+ v3certGen.setStartDate(new Time(validFromDate));
+ v3certGen.setEndDate(new Time(validToDate));
+ // signature algorithm
+ v3certGen.setSignature(algId);
+
+ // Get the certificate info to be signed
+ TBSCertificateStructure tbsCert = v3certGen.generateTBSCertificate();
+ byte[] tobesigned = tbsCert.getEncoded();
+
+ // Create the signature
+ Signature signatureObj = Signature.getInstance(algorithm);
+ signatureObj.initSign(caPriKey);
+ signatureObj.update(tobesigned);
+ byte[] signature = signatureObj.sign();
+
+ // Compose tbsCert, algId and signature into a DER sequence.
+ // This will be the certificate in DER encoded form
+ DEREncodableVector certDerVec = new DEREncodableVector();
+ certDerVec.add(tbsCert);
+ certDerVec.add(algId);
+ certDerVec.add(new DERBitString(signature));
+ DERSequence certDerSeq = new DERSequence(certDerVec);
+ byte[] certData = certDerSeq.getEncoded();
+
+ // Create a java.security.cert.Certificate object
+ Certificate certificate = CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(certData));
+
+ return certificate;
+ }
+
+ public void doFail() {
+ }
+
+ public void doStart() throws Exception {
+ if(caKeystore.isKeystoreLocked()) {
+ lock();
+ }
+ }
+
+ public void doStop() throws Exception {
+ }
+ public static final GBeanInfo GBEAN_INFO;
+
+ static {
+ GBeanInfoBuilder infoFactory = GBeanInfoBuilder.createStatic(GeronimoCertificationAuthority.class, "CertificationAuthority");
+ infoFactory.addAttribute("kernel", Kernel.class, false);
+ infoFactory.addAttribute("abstractName", AbstractName.class, false);
+ infoFactory.addReference("ServerInfo", ServerInfo.class, NameFactory.GERONIMO_SERVICE);
+ infoFactory.addReference("KeystoreInstance", KeystoreInstance.class, NameFactory.KEYSTORE_INSTANCE);
+ infoFactory.addReference("CertificateStore", CertificateStore.class, "CertificateStore");
+ infoFactory.addReference("CertificateRequestStore", CertificateRequestStore.class, "CertificateRequestStore");
+ infoFactory.addInterface(CertificationAuthority.class);
+ infoFactory.setConstructor(new String[]{"ServerInfo", "KeystoreInstance", "CertificateStore", "CertificateRequestStore", "kernel", "abstractName"});
+
+ GBEAN_INFO = infoFactory.getBeanInfo();
+ }
+ public static GBeanInfo getGBeanInfo() {
+ return GBEAN_INFO;
+ }
+}
Propchange: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/GeronimoCertificationAuthority.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/GeronimoCertificationAuthority.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ca/GeronimoCertificationAuthority.java
------------------------------------------------------------------------------
svn:mime-type = text/plain