

    // Helper methods
    //

    private X509Certificate createUserAndCert() throws Exception {
        // Make user that we know...
        UserDataVO user = new UserDataVO(USERNAME, "C=SE,O=AnaTom,CN=foo", caid, null, "foo@anatom.se", SecConst.USER_ENDUSER, SecConst.EMPTY_ENDENTITYPROFILE,
                SecConst.CERTPROFILE_FIXED_ENDUSER, SecConst.TOKEN_SOFT_PEM, 0, null);
        user.setPassword("foo123");

        if(userAdminSession.findUser(admin, USERNAME) == null) {
        userAdminSession.addUser(admin, user, false);
        // usersession.addUser(admin,USERNAME,"foo123","C=SE,O=AnaTom,CN=foo",null,"foo@anatom.se",false,SecConst.EMPTY_ENDENTITYPROFILE,SecConst.CERTPROFILE_FIXED_ENDUSER,SecConst.USER_ENDUSER,SecConst.TOKEN_SOFT_PEM,0,caid);
        log.debug("created user: " + USERNAME + ", foo123, C=SE, O=AnaTom, CN=foo");


      try {
        String templatefilename = args[2];
        String printername = args[3];
        Properties data = new Properties();
        data.load(new FileInputStream(USERDATAFILENAME));
        UserDataVO userdata = new UserDataVO("", data.getProperty("DN"),0,"", data.getProperty("EMAIL"),
                                                       0,0,0,0, (Date) null, (Date) null,0,0 ,null);
        String[] pins = new String[2];
        String[] puks = new String[2];
        pins[0] = data.getProperty("PIN1");
        pins[1] = data.getProperty("PIN2");

     * Lookup the requested user and generate or recover a keystore.
     */
    private KeyStoreRetrievalResponse processKeyStoreRetrievalRequest(Admin admin, KeyStoreRetrievalRequest submessage) {
        log.debug("Processing KeyStoreRetrievalRequest");
    try {
      UserDataVO data = null;
      try {
        data = userAdminSession.findUser(admin, submessage.getUsername());
      } catch (AuthorizationDeniedException e) {
        log.info("External RA admin was denied access to a user: " + e.getMessage());
      }
      if (data == null) {
        return new KeyStoreRetrievalResponse(((ExtRARequest) submessage).getRequestId(), false, "No such user.", null, null);
      }
      // Find out if are doing key recovery
      int endEntityProfileId = data.getEndEntityProfileId()// TODO should probably also be used to get keysize and algorithm in the future..
      boolean usekeyrecovery = globalConfigurationSession.getCachedGlobalConfiguration(admin).getEnableKeyRecovery();
      boolean savekeys = data.getKeyRecoverable() && usekeyrecovery &&  (data.getStatus() != UserDataConstants.STATUS_KEYRECOVERY);
      boolean loadkeys = (data.getStatus() == UserDataConstants.STATUS_KEYRECOVERY) && usekeyrecovery;
      boolean reusecertificate = endEntityProfileSession.getEndEntityProfile(admin, endEntityProfileId).getReUseKeyRecoveredCertificate();
      // Generate or recover keystore and save it in the configured format
      GenerateToken tgen = new GenerateToken(authenticationSession, userAdminSession, caAdminSession, keyRecoverySession, signSession);
      byte[] buf = null;
      int tokentype = data.getTokenType();
      boolean createJKS = (tokentype == SecConst.TOKEN_SOFT_JKS);
      KeyStore ks = tgen.generateOrKeyRecoverToken(admin, submessage.getUsername(), submessage.getPassword(), data.getCAId(), "2048", AlgorithmConstants.KEYALGORITHM_RSA,
          createJKS, loadkeys, savekeys, reusecertificate, endEntityProfileId);
      if (tokentype == SecConst.TOKEN_SOFT_PEM) {
        buf = KeyTools.getSinglePemFromKeyStore(ks, submessage.getPassword().toCharArray());
      } else if (tokentype == SecConst.TOKEN_SOFT_P12 || tokentype == SecConst.TOKEN_SOFT_JKS) {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();

    private ISubMessage processExtRAKeyRecoveryRequest(Admin admin, KeyRecoveryRequest submessage) {
    log.debug("Processing ExtRAKeyRecoveryRequest");
    PKCS12Response retval = null;
    try{
     
      UserDataVO userdata = null;
     
      if(submessage.getReUseCertificate()){
        userdata = userAdminSession.findUser(admin,submessage.getUsername());
      }else{
        userdata = generateUserDataVO(admin, submessage);
        userdata.setPassword("foo123");
      }
     
      // Get KeyPair
      keyRecoverySession.unmarkUser(admin,submessage.getUsername());
      X509Certificate orgcert = (X509Certificate) certificateStoreSession.findCertificateByIssuerAndSerno(admin,CertTools.stringToBCDNString(submessage.getIssuerDN()), submessage.getCertificateSN());
      if(orgcert == null){
        throw new EjbcaException("Error in Key Recovery Request, couldn't find specified certificate");
      }
      if(!userAdminSession.prepareForKeyRecovery(admin, userdata.getUsername(), userdata.getEndEntityProfileId(), orgcert)){
        throw new EjbcaException("Error in Key Recovery Request, no keys saved for specified request");
      }
      KeyRecoveryData keyData = keyRecoverySession.keyRecovery(admin, submessage.getUsername(), userdata.getEndEntityProfileId());
      if(keyData == null){
        throw new EjbcaException("Error in Key Recovery Request, no keys saved for specified request");
      }     
      KeyPair savedKeys = keyData.getKeyPair();
     

                }
            }
            log.debug("Got request for " + username + ".");
            debug.print("<h3>username: " + username + "</h3>");
           
            final UserDataVO data = userAdminSession.findUser(administrator, username);
            final X509Certificate notRevokedCerts[]; {
                Set<X509Certificate> set = new HashSet<X509Certificate>();
                for( Iterator<java.security.cert.Certificate> i = certificateStoreSession.findCertificatesByUsername(administrator, username).iterator(); i.hasNext(); ) {
                    Object o = i.next();
                    if ( o instanceof X509Certificate ) {
                        X509Certificate cert = (X509Certificate)o;
                        boolean isRevoked = certificateStoreSession.isRevoked(cert.getIssuerDN().getName(), cert.getSerialNumber());
                        if (!isRevoked) {
                            set.add(cert);
                        }
                    }
                }
                notRevokedCerts = (X509Certificate[])set.toArray(new X509Certificate[0]);
            }
            if (data == null) {
                throw new ObjectNotFoundException();
            }
            final String authReq = request.getParameter("authpkcs10");
            final String signReq = request.getParameter("signpkcs10");
           
            if ( authReq!=null && signReq!=null ) {
                final int authCertProfile;
                final int signCertProfile;
                final HardTokenProfile hardTokenProfile = hardTokenSession.getHardTokenProfile(administrator, data.getTokenType());
                {
                    CertProfileID certProfileID = new CertProfileID(data, administrator, hardTokenProfile);
                    authCertProfile = certProfileID.getProfileID("authCertProfile", SwedishEIDProfile.CERTUSAGE_AUTHENC);
                    signCertProfile = certProfileID.getProfileID("signCertProfile", SwedishEIDProfile.CERTUSAGE_SIGN);
                }
                final int authCA;
                final int signCA;
                {
                    CAID caid = new CAID(data,administrator, hardTokenProfile, caAdminSession);
                    authCA = caid.getProfileID("authCA", SwedishEIDProfile.CERTUSAGE_AUTHENC);
                    signCA = caid.getProfileID("signCA", SwedishEIDProfile.CERTUSAGE_SIGN);
                }
                // if not IE, check if it's manual request
                final byte[] authReqBytes = authReq.getBytes();
                final byte[] signReqBytes = signReq.getBytes();
                if ( authReqBytes!=null && signReqBytes!=null) {
                  try {
                    userAdminSession.changeUser(administrator, username,data.getPassword(), data.getDN(), data.getSubjectAltName(),
                        data.getEmail(), true, data.getEndEntityProfileId(), authCertProfile, data.getType(),
                        SecConst.TOKEN_SOFT_BROWSERGEN, 0, data.getStatus(), authCA);
                    final byte[] authb64cert=pkcs10CertRequest(administrator, signSession, authReqBytes, username, data.getPassword());

                    userAdminSession.changeUser(administrator, username, data.getPassword(), data.getDN(), data.getSubjectAltName(),
                        data.getEmail(), true, data.getEndEntityProfileId(), signCertProfile, data.getType(),
                        SecConst.TOKEN_SOFT_BROWSERGEN, 0, UserDataConstants.STATUS_NEW, signCA);
                    final byte[] signb64cert=pkcs10CertRequest(administrator, signSession, signReqBytes, username, data.getPassword());


                    for (int i=0; i<notRevokedCerts.length; i++) {
                      try {
                        userAdminSession.revokeCert(administrator, notRevokedCerts[i].getSerialNumber(),
                            notRevokedCerts[i].getIssuerDN().toString(), RevokedCertInfo.REVOCATION_REASON_SUPERSEDED);
                      } catch (WaitingForApprovalException e) {
                        log.info("A request for approval to revoke " + username + "'s old certificate "+
                            notRevokedCerts[i].getSerialNumber().toString(16)+" was added.");
                      } catch (ApprovalException e) {
                        log.info("A request for approval to revoke " + username + "'s old certificate "+
                            notRevokedCerts[i].getSerialNumber().toString(16)+" already exists.");
                      }
                    }

                    sendCertificates(authb64cert, signb64cert, response,  getServletContext(),
                        getInitParameter("responseTemplate"), notRevokedCerts);
                  } catch( Throwable t ) {
                        if (t instanceof Exception) {
                            throw (Exception)t;
                        }
                        else {
                            throw new Error(t);
                        }
                    } finally {
                        data.setStatus(UserDataConstants.STATUS_GENERATED);
                        userAdminSession.changeUser(administrator, data, true); // set back to original values
                    }
                }
            }
        } catch( UserCertificateRevokedException e) {

          // If we did not provide a password, set a default one
          if (StringUtils.isEmpty(password)) {
            log.debug("Empty password received, createOrEditUser=true so setting default password.");
            password = "foo123";
          }
            UserDataVO userdata = generateUserDataVO(admin, submessage);
            userdata.setPassword(password);
            log.info("Creating/editing user: "+userdata.getUsername()+", with dn: "+userdata.getDN());
          // See if the user already exists, if it exists and have status NEW or INPROCESS we will not try to change it
          // This way we can use approvals. When a request first comes in, it is put for approval. When it is approved,
          // we will not try to change it again, because it is ready to be processed
            storeUserData(admin, userdata,false,UserDataConstants.STATUS_INPROCESS );           
        }

    /**
     * Test helper: registers a new end entity with a PKCS#12 soft token and a
     * login-attempt limit, then verifies it can be looked up again.
     *
     * @param admin              administrator performing the call
     * @param username           name of the end entity; also used as its subject DN ({@code CN=<username>})
     * @param password           enrollment password stored on the end entity (kept out of the log line)
     * @param caID               id of the issuing CA
     * @param endEntityProfileId end entity profile to enroll under
     * @param certProfileId      certificate profile to enroll under
     * @param maxFailedLogins    value stored as both the maximum and the remaining login attempts
     * @throws Exception propagated from the user admin session calls
     */
    private void createUser(Admin admin, String username, String password, int caID, int endEntityProfileId, int certProfileId, int maxFailedLogins)
            throws PersistenceException, AuthorizationDeniedException, UserDoesntFullfillEndEntityProfile, ApprovalException,
            WaitingForApprovalException, Exception {
        log.info("createUser: username=" + username + ", certProfileId=" + certProfileId);
        // Login-attempt counters live in the extended information, not on the VO itself.
        final ExtendedInformation loginLimits = new ExtendedInformation();
        loginLimits.setMaxLoginAttempts(maxFailedLogins);
        loginLimits.setRemainingLoginAttempts(maxFailedLogins);
        final String subjectDn = "CN=" + username;
        // The type is passed as the bare literal 1 — presumably the end-user type; confirm against SecConst.
        final UserDataVO newUser = new UserDataVO(username, subjectDn, caID, null, null, 1, endEntityProfileId, certProfileId, SecConst.TOKEN_SOFT_P12, 0,
                null);
        newUser.setPassword(password);
        newUser.setExtendedinformation(loginLimits);
        userAdminSession.addUser(admin, newUser, true);
        // Post-condition: the user must be retrievable under the name it was created with.
        final UserDataVO stored = userAdminSession.findUser(admin, newUser.getUsername());
        assertNotNull("findUser: " + newUser.getUsername(), stored);
    }

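    /**
     * Tests authentication of users: authenticates the known user {@code username1}
     * with {@code pwd1} and checks the returned DN, email and type.
     *
     * @throws Exception if authentication or any session call fails
     */
    public void test02AuthenticateUser() throws Exception {
        log.trace(">test02AuthenticateUser()");
        // user that we know exists... Only the username is logged: the password is a
        // credential and must not end up in the log output, even at debug level in a test.
        log.debug("Username:" + username1);
        UserDataVO data = authenticationSessionRemote.authenticateUser(admin, username1, pwd1);

        log.debug("DN: " + data.getDN());
        assertTrue("DN is wrong", data.getDN().contains(username1));

        log.debug("Email: " + data.getEmail());
        assertNotNull("Email should not be null", data.getEmail());
        // Expected value first so the comparison cannot NPE on a missing email (already asserted above).
        assertTrue("Email is wrong", (username1 + "@anatom.se").equals(data.getEmail()));

        log.debug("Type: " + data.getType());
        assertTrue("Type is wrong", data.getType() == SecConst.USER_ENDUSER);
        log.trace("<test02AuthenticateUser()");
    }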

                }
               
                // Now start the actual work, we are ok and verified here
        String username = certificateStoreSession.findUsernameByCertSerno(admin, serno, CertTools.stringToBCDNString(issuerDN));
        if (username != null) {
                final UserDataVO data = userAdminSession.findUser(admin, username);
                if ( data.getStatus() != UserDataConstants.STATUS_NEW) {
                  log.error("User status must be new for "+username);
            retval = new ExtRAResponse(submessage.getRequestId(),false,"User status must be new for "+username);
                } else {
                        log.info("Processing Card Renewal for: issuer='"+issuerDN+"', serno="+serno);
                        int authCertProfile = -1;
                        int signCertProfile = -1;
                        int authCA = -1;
                        int signCA = -1;
                        // Get the profiles and CAs from the message if they exist
                  if (submessage.getAuthProfile() != -1) {
                    authCertProfile = submessage.getAuthProfile();
                  }
                  if (submessage.getSignProfile() != -1) {
                    signCertProfile = submessage.getSignProfile();
                  }
                  if (submessage.getAuthCA() != -1) {
                    authCA = submessage.getAuthCA();
                  }
                  if (submessage.getSignCA() != -1) {
                    signCA = submessage.getSignCA();
                  }
                        HardTokenProfile htp = hardTokenSession.getHardTokenProfile(admin, data.getTokenType());
                        if ( htp!=null && htp instanceof EIDProfile ) {
                          EIDProfile hardTokenProfile = (EIDProfile)htp;
                          if (authCertProfile == -1) {
                            authCertProfile = hardTokenProfile.getCertificateProfileId(SwedishEIDProfile.CERTUSAGE_AUTHENC);                           
                          }
                          if (signCertProfile == -1) {
                            signCertProfile = hardTokenProfile.getCertificateProfileId(SwedishEIDProfile.CERTUSAGE_SIGN);
                          }
                          if (authCA == -1) {
                            authCA = hardTokenProfile.getCAId(SwedishEIDProfile.CERTUSAGE_AUTHENC);
                            if (authCA == EIDProfile.CAID_USEUSERDEFINED) {
                              authCA = data.getCAId();
                            }
                          }
                          if (signCA == -1) {
                            signCA = hardTokenProfile.getCAId(SwedishEIDProfile.CERTUSAGE_SIGN);
                            if (signCA == EIDProfile.CAID_USEUSERDEFINED) {
                              signCA = data.getCAId();
                            }                           
                          }
                        } else {
                          if (authCertProfile == -1) {
                            authCertProfile = data.getCertificateProfileId();
                          }
                          if (signCertProfile == -1) {
                            signCertProfile = data.getCertificateProfileId();
                          }
                          if (authCA == -1) {
                            authCA = data.getCAId();
                          }
                          if (signCA == -1) {
                            signCA = data.getCAId();
                          }
                        }

                  // Set certificate profile and CA for auth certificate
                        UserDataVO newUser = new UserDataVO(username, data.getDN(), authCA, data.getSubjectAltName(), data.getEmail(), data.getType(), data.getEndEntityProfileId(), authCertProfile, data.getTokenType(), data.getHardTokenIssuerId(), null);
                        newUser.setPassword(data.getPassword());
                        userAdminSession.setUserStatus(admin, username, UserDataConstants.STATUS_NEW);
                        userAdminSession.changeUser(admin, newUser, false);

                  // We may have changed to a new auto generated password
                  UserDataVO data1 = userAdminSession.findUser(admin, username);
                  Certificate authcertOut=pkcs10CertRequest(admin, signSession, authPkcs10, username, data1.getPassword());

                  // Set certificate and CA for sign certificate
                        newUser = new UserDataVO(username, data.getDN(), signCA, data.getSubjectAltName(), data.getEmail(), data.getType(), data.getEndEntityProfileId(), signCertProfile, data.getTokenType(), data.getHardTokenIssuerId(), null);
                        newUser.setPassword(data.getPassword());
                        userAdminSession.setUserStatus(admin, username, UserDataConstants.STATUS_NEW);
                        userAdminSession.changeUser(admin, newUser, false);

                        // We may have changed to a new auto generated password
                  data1 = userAdminSession.findUser(admin, username);
                  Certificate signcertOut=pkcs10CertRequest(admin, signSession, signPkcs10, username, data1.getPassword());

                  // We are generated all right
                  data.setStatus(UserDataConstants.STATUS_GENERATED);
                  // set back to original values (except for generated)
                  userAdminSession.changeUser(admin, data, true);

        log.trace(">test03FailAuthenticateUser()");
        // Set status to GENERATED so authentication will fail
        userAdminSession.setUserStatus(admin, username1, UserDataConstants.STATUS_GENERATED);
        boolean authfailed = false;
        try {
            UserDataVO auth = authenticationSessionRemote.authenticateUser(admin, username1, pwd1);
            log.debug("Authenticated user: " + auth.getUsername());
        } catch (Exception e) {
            authfailed = true;
        }
        assertTrue("Authentication succeeded when it should have failed.", authfailed);
        log.trace("<test03FailAuthenticateUser()");
