if (log.isTraceEnabled()) {
log.trace(">createCertificate(IRequestMessage)");
}
// Get CA that will receive request
UserDataVO data = null;
IResponseMessage ret = null;
CA ca;
if (suppliedUserData == null) {
ca = getCAFromRequest(admin, req);
} else {
ca = caSession.getCA(admin, suppliedUserData.getCAId()); // Take the CAId from the supplied userdata, if any
}
try {
CATokenContainer catoken = ca.getCAToken();
// See if we need some key material to decrypt request
if (req.requireKeyInfo()) {
// You go figure...scep encrypts message with the public CA-cert
req.setKeyInfo(ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), catoken.getJCEProvider());
}
// Verify the request
if (req.verify() == false) {
String msg = intres.getLocalizedMessage("signsession.popverificationfailed");
logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
throw new SignRequestSignatureException(msg);
}
if (ca.isUseUserStorage() && req.getUsername() == null) {
String msg = intres.getLocalizedMessage("signsession.nouserinrequest", req.getRequestDN());
logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
throw new SignRequestException(msg);
//ret.setFailInfo(FailInfo.BAD_REQUEST);
//ret.setStatus(ResponseStatus.FAILURE);
} else if (ca.isUseUserStorage() && req.getPassword() == null) {
String msg = intres.getLocalizedMessage("signsession.nopasswordinrequest");
logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, msg);
throw new SignRequestException(msg);
} else {
ResponseStatus status = ResponseStatus.SUCCESS;
FailInfo failInfo = null;
String failText = null;
Certificate cert = null;
try {
// If we haven't done so yet, authenticate user. (Only if we store UserData for this CA.)
if (ca.isUseUserStorage()) {
data = authUser(admin, req.getUsername(), req.getPassword());
} else {
data = suppliedUserData;
}
PublicKey reqpk = req.getRequestPublicKey();
if (reqpk == null) {
logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, intres.getLocalizedMessage("signsession.nokeyinrequest"));
throw new InvalidKeyException("Key is null!");
}
// We need to make sure we use the users registered CA here
if (data.getCAId() != ca.getCAId()) {
failText = intres.getLocalizedMessage("signsession.wrongauthority", Integer.valueOf(ca.getCAId()), Integer.valueOf(data.getCAId()));
status = ResponseStatus.FAILURE;
failInfo = FailInfo.WRONG_AUTHORITY;
logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, failText);
}
if (status.equals(ResponseStatus.SUCCESS)) {
Date notBefore = req.getRequestValidityNotBefore(); // Optionally requested validity
Date notAfter = req.getRequestValidityNotAfter(); // Optionally requested validity
X509Extensions exts = req.getRequestExtensions(); // Optionally requested extensions
int keyusage = -1;
if (exts != null) {
if (log.isDebugEnabled()) {
log.debug("we have extensions, see if we can override KeyUsage by looking for a KeyUsage extension in request");
}
X509Extension ext = exts.getExtension(X509Extensions.KeyUsage);
if (ext != null) {
ASN1OctetString os = ext.getValue();
ByteArrayInputStream bIs = new ByteArrayInputStream(os.getOctets());
ASN1InputStream dIs = new ASN1InputStream(bIs);
DERObject dob = dIs.readObject();
DERBitString bs = DERBitString.getInstance(dob);
keyusage = bs.intValue();
if (log.isDebugEnabled()) {
log.debug("We have a key usage request extension: "+keyusage);
}
}
}
String sequence = null;
byte[] ki = req.getRequestKeyInfo();
if ( (ki != null) && (ki.length > 0) ) {
sequence = new String(ki);
}
cert = createCertificate(admin, data, req.getRequestX509Name(), ca, reqpk, keyusage, notBefore, notAfter, exts, sequence);
}
} catch (ObjectNotFoundException oe) {
// If we didn't find the entity return error message
log.error("User not found: ", oe);
failText = intres.getLocalizedMessage("signsession.nosuchuser", req.getUsername());
status = ResponseStatus.FAILURE;
failInfo = FailInfo.INCORRECT_DATA;
logSession.log(admin, ca.getCAId(), LogConstants.MODULE_CA, new java.util.Date(), req.getUsername(), null, LogConstants.EVENT_ERROR_CREATECERTIFICATE, failText);
}
//Create the response message with all nonces and checks etc
ret = req.createResponseMessage(responseClass, req, ca.getCACertificate(), catoken.getPrivateKey(SecConst.CAKEYPURPOSE_CERTSIGN), catoken.getProvider());
if ( (cert == null) && (status == ResponseStatus.SUCCESS) ) {
status = ResponseStatus.FAILURE;
failInfo = FailInfo.BAD_REQUEST;
} else {
ret.setCertificate(cert);
}
ret.setStatus(status);
if (failInfo != null) {
ret.setFailInfo(failInfo);
ret.setFailText(failText);
}
}
ret.create();
// Call authentication session and tell that we are finished with this user. (Only if we store UserData for this CA.)
if (ca.isUseUserStorage() && data!=null) {
finishUser(ca, data);
}
} catch (NoUniqueCertSerialNumberIndexException e) {