?? caadminsessionbean.java
/************************************************************************* * * * EJBCA: The OpenSource Certificate Authority * * * * This software is free software; you can redistribute it and/or * * modify it under the terms of the GNU Lesser General Public * * License as published by the Free Software Foundation; either * * version 2.1 of the License, or any later version. * * * * See terms of license at gnu.org. * * * *************************************************************************/ package se.anatom.ejbca.ca.caadmin;import java.io.UnsupportedEncodingException;import java.security.KeyStore;import java.security.PrivateKey;import java.security.PublicKey;import java.security.cert.CertPath;import java.security.cert.CertPathValidator;import java.security.cert.CertPathValidatorException;import java.security.cert.CertPathValidatorResult;import java.security.cert.Certificate;import java.security.cert.CertificateExpiredException;import java.security.cert.CertificateFactory;import java.security.cert.CertificateNotYetValidException;import java.security.cert.PKIXCertPathValidatorResult;import java.security.cert.PKIXParameters;import java.security.cert.TrustAnchor;import java.security.cert.X509Certificate;import java.sql.Connection;import java.sql.SQLException;import java.util.ArrayList;import java.util.Collection;import java.util.Date;import java.util.HashMap;import java.util.HashSet;import java.util.Iterator;import javax.ejb.CreateException;import javax.ejb.EJBException;import javax.naming.InitialContext;import javax.naming.NamingException;import javax.sql.DataSource;import org.bouncycastle.asn1.ASN1Set;import org.bouncycastle.jce.PKCS10CertificationRequest;import se.anatom.ejbca.BaseSessionBean;import se.anatom.ejbca.SecConst;import se.anatom.ejbca.authorization.AuthorizationDeniedException;import se.anatom.ejbca.authorization.AvailableAccessRules;import se.anatom.ejbca.authorization.IAuthorizationSessionLocal;import 
se.anatom.ejbca.authorization.IAuthorizationSessionLocalHome;import se.anatom.ejbca.ca.auth.UserAuthData;import se.anatom.ejbca.ca.caadmin.extendedcaservices.ExtendedCAServiceInfo;import se.anatom.ejbca.ca.caadmin.extendedcaservices.OCSPCAService;import se.anatom.ejbca.ca.caadmin.extendedcaservices.OCSPCAServiceInfo;import se.anatom.ejbca.ca.crl.ICreateCRLSessionLocal;import se.anatom.ejbca.ca.crl.ICreateCRLSessionLocalHome;import se.anatom.ejbca.ca.crl.RevokedCertInfo;import se.anatom.ejbca.ca.exception.CADoesntExistsException;import se.anatom.ejbca.ca.exception.CAExistsException;import se.anatom.ejbca.ca.exception.CATokenAuthenticationFailedException;import se.anatom.ejbca.ca.exception.CATokenOfflineException;import se.anatom.ejbca.ca.exception.IllegalKeyStoreException;import se.anatom.ejbca.ca.sign.ISignSessionLocal;import se.anatom.ejbca.ca.sign.ISignSessionLocalHome;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocal;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocalHome;import se.anatom.ejbca.ca.store.certificateprofiles.CertificateProfile;import se.anatom.ejbca.exception.EjbcaException;import se.anatom.ejbca.log.Admin;import se.anatom.ejbca.log.ILogSessionLocal;import se.anatom.ejbca.log.ILogSessionLocalHome;import se.anatom.ejbca.log.LogEntry;import se.anatom.ejbca.protocol.IRequestMessage;import se.anatom.ejbca.protocol.IResponseMessage;import se.anatom.ejbca.protocol.PKCS10RequestMessage;import se.anatom.ejbca.protocol.X509ResponseMessage;import se.anatom.ejbca.ra.IUserAdminSessionLocal;import se.anatom.ejbca.ra.IUserAdminSessionLocalHome;import se.anatom.ejbca.util.CertTools;import se.anatom.ejbca.util.KeyTools;/** * Administrates and manages CAs in EJBCA system. 
* * @version $Id: CAAdminSessionBean.java,v 1.25 2004/05/31 14:29:06 anatom Exp $ */
public class CAAdminSessionBean extends BaseSessionBean {

    /** JNDI name of the datasource; starts empty and is assigned in ejbCreate(). */
    private String dataSource = "";

    /** Local home interface of CAData, assigned in ejbCreate(). */
    private CADataLocalHome cadatahome;

    /** Local interface of the log session bean; null until getLogSession() first resolves it. */
    private ILogSessionLocal logsession;

    /**
     * Local interface of the authorization session bean; null until
     * getAuthorizationSession() first resolves it.
     */
    private IAuthorizationSessionLocal authorizationsession;

    /** Local interface of the user admin session bean; null until getUserAdminSession() first resolves it. */
    private IUserAdminSessionLocal useradminsession;

    /**
     * Local interface of the certificate store session bean; null until
     * getCertificateStoreSession() first resolves it.
     */
    private ICertificateStoreSessionLocal certificatestoresession;

    /** Local interface of the sign session bean; null until getSignSession() first resolves it. */
    private ISignSessionLocal signsession;

    /**
     * Local interface of the job runner session bean used to create CRLs; null until
     * getCRLCreateSession() first resolves it.
     */
    private ICreateCRLSessionLocal jobrunner;

    /**
     * Default create for SessionBean without any creation Arguments.
* @throws CreateException if bean instance can't be created */
    public void ejbCreate() throws CreateException {
        debug(">ejbCreate()");

        // Datasource name comes from the bean environment and is kept for getConnection().
        dataSource = (String) lookup("java:comp/env/DataSource", String.class);
        debug("DataSource=" + dataSource);

        cadatahome = (CADataLocalHome) lookup("java:comp/env/ejb/CADataLocal");

        // Install the BouncyCastle provider as part of bean creation.
        // NOTE(review): presumably required before this bean does any crypto work; confirm in CertTools.
        CertTools.installBCProvider();

        debug("<ejbCreate()");
    }

    /**
     * Opens a connection on the datasource whose name was read in ejbCreate().
     * Intended for manual SQL searches.
     *
     * @return a connection obtained from the looked-up DataSource
     * @throws SQLException if the datasource cannot hand out a connection
     * @throws NamingException if the datasource name cannot be resolved
     */
    private Connection getConnection() throws SQLException, NamingException {
        return ((DataSource) getInitialContext().lookup(dataSource)).getConnection();
    }

    /**
     * Returns the local interface of the log session bean, resolving and caching it on first use.
     *
     * @return the cached log session
     * @throws EJBException wrapping any failure of the home lookup or of create()
     */
    private ILogSessionLocal getLogSession() {
        if (logsession != null) {
            return logsession;
        }
        try {
            final ILogSessionLocalHome home = (ILogSessionLocalHome)
                    lookup("java:comp/env/ejb/LogSessionLocal", ILogSessionLocalHome.class);
            logsession = home.create();
        } catch (Exception e) {
            // Fail loudly: a caller must not continue without a usable log session.
            throw new EJBException(e);
        }
        return logsession;
    }

    /**
     * Returns the local interface of the authorization session bean, resolving and caching it
     * on first use. createCA() runs its super administrator check through this session.
     *
     * @return the cached authorization session
     * @throws EJBException wrapping any failure of the home lookup or of create()
     */
    private IAuthorizationSessionLocal getAuthorizationSession() {
        if (authorizationsession != null) {
            return authorizationsession;
        }
        try {
            final IAuthorizationSessionLocalHome home = (IAuthorizationSessionLocalHome)
                    lookup("java:comp/env/ejb/AuthorizationSessionLocal", IAuthorizationSessionLocalHome.class);
            authorizationsession = home.create();
        } catch (Exception e) {
            // Fail loudly: the exception reaches the caller instead of a null session.
            throw new EJBException(e);
        }
        return authorizationsession;
    }

    /**
     * Returns the local interface of the CRL creation session bean, resolving and caching it
     * on first use.
     *
     * @return the cached CRL creation session
     * @throws EJBException wrapping any failure of the home lookup or of create()
     */
    private ICreateCRLSessionLocal getCRLCreateSession() {
        if (jobrunner != null) {
            return jobrunner;
        }
        try {
            final ICreateCRLSessionLocalHome crlHome = (ICreateCRLSessionLocalHome)
                    lookup("java:comp/env/ejb/CreateCRLSessionLocal", ICreateCRLSessionLocalHome.class);
            jobrunner = crlHome.create();
        } catch (Exception e) {
            throw new EJBException(e);
        }
        return jobrunner;
    }

    /** Gets
connection to user admin session bean * @return Connection */
    private IUserAdminSessionLocal getUserAdminSession() {
        // Already resolved on an earlier call: reuse the cached local interface.
        if (useradminsession != null) {
            return useradminsession;
        }
        try {
            final IUserAdminSessionLocalHome home = (IUserAdminSessionLocalHome)
                    lookup("java:comp/env/ejb/UserAdminSessionLocal", IUserAdminSessionLocalHome.class);
            useradminsession = home.create();
        } catch (Exception e) {
            // Any lookup or create failure is surfaced to the caller as an EJBException.
            throw new EJBException(e);
        }
        return useradminsession;
    }

    /**
     * Returns the local interface of the certificate store session bean, resolving and caching
     * it on first use.
     *
     * @return the cached certificate store session
     * @throws EJBException wrapping any failure of the home lookup or of create()
     */
    private ICertificateStoreSessionLocal getCertificateStoreSession() {
        if (certificatestoresession != null) {
            return certificatestoresession;
        }
        try {
            final ICertificateStoreSessionLocalHome home = (ICertificateStoreSessionLocalHome)
                    lookup("java:comp/env/ejb/CertificateStoreSessionLocal", ICertificateStoreSessionLocalHome.class);
            certificatestoresession = home.create();
        } catch (Exception e) {
            throw new EJBException(e);
        }
        return certificatestoresession;
    }

    /**
     * Returns the local interface of the sign session bean, resolving and caching it on first use.
     *
     * @return the cached sign session
     * @throws EJBException wrapping any failure of the home lookup or of create()
     */
    private ISignSessionLocal getSignSession() {
        if (signsession != null) {
            return signsession;
        }
        try {
            final ISignSessionLocalHome home = (ISignSessionLocalHome)
                    lookup("java:comp/env/ejb/SignSessionLocal", ISignSessionLocalHome.class);
            signsession = home.create();
        } catch (Exception e) {
            throw new EJBException(e);
        }
        return signsession;
    }

    /**
     * @see se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal
     */
    public void createCA(Admin admin, CAInfo cainfo) throws CAExistsException, AuthorizationDeniedException, CATokenOfflineException, CATokenAuthenticationFailedException{
        Collection certpublishers = null;
        int castatus = SecConst.CA_OFFLINE;
        // Check that administrat has superadminsitrator rights.
try{ getAuthorizationSession().isAuthorizedNoLog(admin,"/super_administrator"); }catch(AuthorizationDeniedException ade){ getLogSession().log (admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Administrator isn't authorized to create CA",ade); throw new AuthorizationDeniedException("Administrator not authorized to create CA"); } // Check that CA doesn't already exists try{ int caid = cainfo.getCAId(); if(caid >=0 && caid <= CAInfo.SPECIALCAIDBORDER){ getLogSession().log(admin, admin.getCAId(), LogEntry.MODULE_CA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_CACREATED,"CA already exists."); throw new CAExistsException(); } cadatahome.findByPrimaryKey(new Integer(caid));