/*************************************************************************
 *                                                                       *
 *  EJBCA: The OpenSource Certificate Authority                          *
 *                                                                       *
 *  This software is free software; you can redistribute it and/or       *
 *  modify it under the terms of the GNU Lesser General Public           *
 *  License as published by the Free Software Foundation; either         *
 *  version 2.1 of the License, or any later version.                    *
 *                                                                       *
 *  See terms of license at gnu.org.                                     *
 *                                                                       *
 *************************************************************************/
package se.anatom.ejbca.apply;

import java.io.*;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.*;
import java.util.*;
import javax.ejb.*;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.log4j.Logger;
import se.anatom.ejbca.SecConst;
import se.anatom.ejbca.ca.exception.AuthLoginException;
import se.anatom.ejbca.ca.exception.AuthStatusException;
import se.anatom.ejbca.ca.exception.SignRequestException;
import se.anatom.ejbca.ca.exception.SignRequestSignatureException;
import se.anatom.ejbca.ca.sign.ISignSessionHome;
import se.anatom.ejbca.ca.sign.ISignSessionRemote;
import se.anatom.ejbca.keyrecovery.IKeyRecoverySessionHome;
import se.anatom.ejbca.keyrecovery.IKeyRecoverySessionRemote;
import se.anatom.ejbca.keyrecovery.KeyRecoveryData;
import se.anatom.ejbca.ra.raadmin.IRaAdminSessionRemote;
import se.anatom.ejbca.ra.raadmin.IRaAdminSessionHome;
import se.anatom.ejbca.log.Admin;
import se.anatom.ejbca.ra.IUserAdminSessionHome;
import se.anatom.ejbca.ra.IUserAdminSessionRemote;
import se.anatom.ejbca.ra.UserAdminData;
import se.anatom.ejbca.ra.UserDataRemote;
import se.anatom.ejbca.util.Base64;
import se.anatom.ejbca.util.CertTools;
import se.anatom.ejbca.util.KeyTools;

/**
 * Servlet used to install a private key with a corresponding certificate in a browser. A new
 * certificate is installed in the browser in the following steps:<br>
 * 1. The key pair is generated by the browser. <br>
 * 2. The public part is sent to the servlet in a POST together with user info ("pkcs10|keygen",
 * "inst", "user", "password"). For Internet Explorer the public key is sent as a PKCS10
 * certificate request. <br>
 * 3. The new certificate is created by calling the RSASignSession session bean. <br>
 * 4. A page containing the new certificate and a script that installs it is returned to the
 * browser. <br>
 *
 * <p>
 * The following initiation parameters are needed by this servlet: <br>
 * "responseTemplate" file that defines the response to the user (IE). It should have one line
 * with the text "cert =". This line is replaced with the new certificate. "keyStorePass":
 * password needed to load the key-store. If this parameter does not exist it is assumed that no
 * password is needed. The path could be absolute or relative.<br>
 * (NOTE(review): "keyStorePass" is not read anywhere in the code visible here; only
 * "responseTemplate" is consumed, in doPost.)
 * </p>
 *
 * <p>
 * Security notes for this servlet: the "user"/"password" request parameters are the only
 * credentials used, and doPost writes the password to the debug log and echoes the username
 * into HTML markup via the ServletDebug helper without escaping (see the comments in doPost).
 * </p>
 *
 * @author Original code by Lars Silvén
 * @version $Id: CertReqServlet.java,v 1.45.2.1 2004/06/22 11:04:12 herrvendil Exp $
 */
public class CertReqServlet extends HttpServlet {
    private static Logger log = Logger.getLogger(CertReqServlet.class);

    // EJB home interfaces, looked up once in init() and used to create sessions per request.
    private ISignSessionHome signsessionhome = null;
    private IUserAdminSessionHome useradminhome = null;
    private IRaAdminSessionHome raadminhome = null;
    private IKeyRecoverySessionHome keyrecoveryhome = null;

    // PEM framing fragments (OpenSSL-style "Bag Attributes" header and BEGIN/END markers).
    // Encoded with the platform default charset via getBytes(); presumably written out by
    // sendPEMTokens, which is not visible here.
    private byte[] bagattributes = "Bag Attributes\n".getBytes();
    private byte[] friendlyname = " friendlyName: ".getBytes();
    private byte[] subject = "subject=/".getBytes();
    private byte[] issuer = "issuer=/".getBytes();
    private byte[] beginCertificate = "-----BEGIN CERTIFICATE-----".getBytes();
    private byte[] endCertificate = "-----END CERTIFICATE-----".getBytes();
    private byte[] beginPrivateKey = "-----BEGIN PRIVATE KEY-----".getBytes();
    private byte[] endPrivateKey = "-----END PRIVATE KEY-----".getBytes();
    private byte[] NL = "\n".getBytes();

    /**
     * Servlet init. Installs the BouncyCastle provider and resolves the four EJB home
     * interfaces (RSASignSession, UserAdminSession, RaAdminSession, KeyRecoverySession)
     * through JNDI.
     *
     * @param config servlet configuration
     *
     * @throws ServletException on error; any exception from the provider install or the
     *         JNDI lookups is wrapped so the servlet fails to load rather than serving requests
     *         with null home interfaces
     */
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        try {
            // Install BouncyCastle provider
            CertTools.installBCProvider();
            // Get EJB context and home interfaces
            InitialContext ctx = new InitialContext();
            signsessionhome = (ISignSessionHome) PortableRemoteObject.narrow(
                    ctx.lookup("RSASignSession"), ISignSessionHome.class);
            useradminhome = (IUserAdminSessionHome) PortableRemoteObject.narrow(
                    ctx.lookup("UserAdminSession"), IUserAdminSessionHome.class);
            raadminhome = (IRaAdminSessionHome) PortableRemoteObject.narrow(
                    ctx.lookup("RaAdminSession"), IRaAdminSessionHome.class);
            keyrecoveryhome = (IKeyRecoverySessionHome) PortableRemoteObject.narrow(
                    ctx.lookup("KeyRecoverySession"), IKeyRecoverySessionHome.class);
        } catch (Exception e) {
            // Cause is preserved so the container log shows which lookup failed.
            throw new ServletException(e);
        }
    }

    /**
     * Handles HTTP POST.
     *
     * <p>
     * Reads the request parameters "user", "password", "keylength" (default 1024),
     * "resulttype" (default 0) and "classid", authenticates the user against the
     * UserAdminSession, and then dispatches on the user's token type: soft P12/JKS/PEM tokens
     * are generated server-side and sent back as a download, while browser-generated tokens
     * are handled from one of the "keygen" (Netscape), "pkcs10"/"PKCS10" (IE) or "pkcs10req"
     * (manual) parameters. Error conditions are reported to the client through the
     * ServletDebug helper.
     * </p>
     *
     * @param request servlet request
     * @param response servlet response
     *
     * @throws IOException input/output error
     * @throws ServletException on error
     */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        ServletDebug debug = new ServletDebug(request, response);
        // Declared outside the try so the AuthStatusException handler below can read it.
        boolean usekeyrecovery = false;

        try {
            String username = request.getParameter("user");
            String password = request.getParameter("password");
            String keylengthstring = request.getParameter("keylength");
            int keylength = 1024;
            int resulttype = 0;
            // NOTE(review): a non-numeric "resulttype" or "keylength" throws
            // NumberFormatException here; none of the catch clauses visible below handle it.
            if (request.getParameter("resulttype") != null)
                resulttype = Integer.parseInt(request.getParameter("resulttype")); // Indicates if certificate or PKCS7 should be returned on manual PKCS10 request.
            // Default ActiveX class id plus CODEBASE for the IE xenroll control. The value is
            // written into the response template by sendNewCertToIEClient; a client-supplied
            // "classid" overrides it unvalidated, so the template presumably treats it as
            // trusted markup — verify in RequestHelper.
            String classid = "clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1\" CODEBASE=\"/CertControl/xenroll.cab#Version=5,131,3659,0";
            if ((request.getParameter("classid") != null) && !request.getParameter("classid").equals("")) {
                classid = request.getParameter("classid");
            }
            if (keylengthstring != null) {
                keylength = Integer.parseInt(keylengthstring);
            }
            // Audit identity for this request: a public-web user tagged with the remote address.
            Admin administrator = new Admin(Admin.TYPE_PUBLIC_WEB_USER, request.getRemoteAddr());
            IUserAdminSessionRemote adminsession = useradminhome.create();
            IRaAdminSessionRemote raadminsession = raadminhome.create();
            ISignSessionRemote signsession = signsessionhome.create();
            RequestHelper helper = new RequestHelper(administrator, debug);
            // NOTE(review): writes the user's plaintext password to the debug log.
            log.debug("Got request for " + username + "/" + password);
            // NOTE(review): request parameter concatenated into HTML without escaping;
            // whether this reaches the client depends on ServletDebug (constructed with the
            // response above) — confirm it escapes or drop the markup.
            debug.print("<h3>username: " + username + "</h3>");
            // Check user
            int tokentype = SecConst.TOKEN_SOFT_BROWSERGEN;
            usekeyrecovery = (raadminsession.loadGlobalConfiguration(administrator)).getEnableKeyRecovery();
            UserAdminData data = adminsession.findUser(administrator, username);
            if (data == null) {
                throw new ObjectNotFoundException();
            }
            // Key recovery is only honoured when enabled globally AND permitted for this user.
            boolean savekeys = data.getKeyRecoverable() && usekeyrecovery;
            boolean loadkeys = (data.getStatus() == UserDataRemote.STATUS_KEYRECOVERY) && usekeyrecovery;
            // get users Token Type.
            tokentype = data.getTokenType();
            // Independent ifs rather than else-if; assuming the SecConst token constants are
            // distinct, at most one branch runs per request.
            if (tokentype == SecConst.TOKEN_SOFT_P12) {
                KeyStore ks = generateToken(administrator, username, password, data.getCAId(), keylength, false, loadkeys, savekeys);
                sendP12Token(ks, username, password, response);
            }
            if (tokentype == SecConst.TOKEN_SOFT_JKS) {
                // Only the JKS branch passes true as the sixth argument to generateToken.
                KeyStore ks = generateToken(administrator, username, password, data.getCAId(), keylength, true, loadkeys, savekeys);
                sendJKSToken(ks, username, password, response);
            }
            if (tokentype == SecConst.TOKEN_SOFT_PEM) {
                KeyStore ks = generateToken(administrator, username, password, data.getCAId(), keylength, false, loadkeys, savekeys);
                sendPEMTokens(ks, username, password, response);
            }
            if (tokentype == SecConst.TOKEN_SOFT_BROWSERGEN) {
                // first check if it is a netscape request,
                if (request.getParameter("keygen") != null) {
                    // getBytes() uses the platform default charset and never returns null,
                    // so the reqBytes != null check below cannot fail.
                    byte[] reqBytes = request.getParameter("keygen").getBytes();
                    log.debug("Received NS request:" + new String(reqBytes));
                    if (reqBytes != null) {
                        byte[] certs = helper.nsCertRequest(signsession, reqBytes, username, password);
                        RequestHelper.sendNewCertToNSClient(certs, response);
                    }
                } else if ((request.getParameter("pkcs10") != null) || (request.getParameter("PKCS10") != null)) {
                    // if not netscape, check if it's IE
                    // NOTE(review): if only "PKCS10" (upper case) is present, getParameter("pkcs10")
                    // returns null and .getBytes() throws NullPointerException before the fallback
                    // on the next line is reached; the reqBytes == null check never triggers.
                    byte[] reqBytes = request.getParameter("pkcs10").getBytes();
                    if (reqBytes == null)
                        reqBytes = request.getParameter("PKCS10").getBytes();
                    log.debug("Received IE request:" + new String(reqBytes));
                    if (reqBytes != null) {
                        // IE always gets the PKCS7 encoding regardless of "resulttype".
                        byte[] b64cert = helper.pkcs10CertRequest(signsession, reqBytes, username, password, RequestHelper.ENCODED_PKCS7);
                        debug.ieCertFix(b64cert);
                        RequestHelper.sendNewCertToIEClient(b64cert, response.getOutputStream(), getServletContext(), getInitParameter("responseTemplate"), classid);
                    }
                } else if (request.getParameter("pkcs10req") != null && resulttype != 0) {
                    // if not IE, check if it's manual request
                    // A manual request with resulttype left at 0 falls through to no branch
                    // and produces no response body from this method.
                    byte[] reqBytes = request.getParameter("pkcs10req").getBytes();
                    if (reqBytes != null) {
                        byte[] b64cert = helper.pkcs10CertRequest(signsession, reqBytes, username, password, resulttype);
                        if (resulttype == RequestHelper.ENCODED_PKCS7)
                            RequestHelper.sendNewB64Cert(b64cert, response, RequestHelper.BEGIN_PKCS7_WITH_NL, RequestHelper.END_PKCS7_WITH_NL);
                        if (resulttype == RequestHelper.ENCODED_CERTIFICATE)
                            RequestHelper.sendNewB64Cert(b64cert, response, RequestHelper.BEGIN_CERTIFICATE_WITH_NL, RequestHelper.END_CERTIFICATE_WITH_NL);
                    }
                }
            }
        } catch (ObjectNotFoundException oe) {
            log.debug("Non existent username!");
            debug.printMessage("Non existent username!");
            debug.printMessage("To generate a certificate a valid username and password must be entered.");
            debug.printDebugInfo();
            return;
        } catch (AuthStatusException ase) {
            log.debug("Wrong user status!");
            debug.printMessage("Wrong user status!");
            // Both branches currently print the identical message; the usekeyrecovery
            // distinction has no visible effect here.
            if (usekeyrecovery) {
                debug.printMessage("To generate a certificate for a user the user must have status new, failed or inprocess.");
            } else {
                debug.printMessage("To generate a certificate for a user the user must have status new, failed or inprocess.");
            }
            debug.printDebugInfo();
            return;
        } catch (AuthLoginException ale) {
            log.debug("Wrong password for user!");
            // The client-facing message deliberately does not say whether the user or the
            // password was wrong, unlike the ObjectNotFoundException handler above.
            debug.printMessage("Wrong username or password!");
            debug.printMessage("To generate a certificate a valid username and password must be entered.");
            debug.printDebugInfo();
            return;
        } catch (SignRequestException re) {
            log.debug("Invalid request!");