
Example 1 with X509Certificate

use of com.itrus.cert.X509Certificate in project portal by ixinportal.

the class UserFromClientLoginController method loginByCert.

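/**
 * Client-certificate login. Verifies the PKCS#7 signature the client produced over
 * the per-session challenge, resolves the user and enterprise bound to the signer
 * certificate, stores them in the session and reports how the UI should continue.
 * <p>
 * retCode: 0 = error, show {@code retMsg}; 1 = certificate is bound to both a user
 * and an enterprise, go to the home page; 2 = certificate is not fully bound yet, go
 * to the certificate-binding page.
 * <p>
 * Side effects: may update the stored {@code keySn} of the certificate record, sets
 * the {@code ComNames.WEB_VERIFY_CODE_STATUS}, {@code WEB_USER_INFO} and
 * {@code WEB_ENTERPRISE} session attributes as soon as the signature verifies (also
 * for retCode 2), writes a user log entry on success and a system log entry on failure.
 *
 * @param pkcs7 PKCS#7 signature produced by the client over
 *              {@code "LOGONDATA:" + webrandom}; untrusted request input
 * @param keySn serial number of the client key the certificate was presented from;
 *              untrusted request input, stored on the certificate record
 * @param enterpriseName enterprise name sent by the client; only checked for presence here
 * @param session current HTTP session; must hold the {@code "webrandom"} challenge issued earlier
 * @return map with {@code "retCode"} and, on failure, {@code "retMsg"}; after a verified
 *         signature also {@code "has_userInfo"} and {@code "has_enterpriseInfo"}
 *         (1 = present, 0 = missing)
 */
@RequestMapping("/loginByCert")
@ResponseBody
public Map<String, Object> loginByCert(@RequestParam("pkcs7") String pkcs7, @RequestParam("keySn") String keySn, @RequestParam("enterpriseName") String enterpriseName, HttpSession session) {
    Map<String, Object> retMap = new HashMap<String, Object>();
    retMap.put("retCode", 0);
    if (StringUtils.isBlank(pkcs7) || StringUtils.isBlank(keySn) || StringUtils.isBlank(enterpriseName)) {
        retMap.put("retMsg", "缺少请求参数,请重新尝试");
        return retMap;
    }
    // The challenge must exist in this session. Without this guard the signed data
    // would degrade to the constant string "LOGONDATA:null", which a captured
    // signature could satisfy in any session.
    String webrandom = (String) session.getAttribute("webrandom");
    if (StringUtils.isBlank(webrandom)) {
        retMap.put("retMsg", "登录随机数已失效,请刷新页面后重试");
        return retMap;
    }
    // NOTE(review): the challenge is not removed from the session after use, so the
    // same pkcs7 can be re-submitted within this session — confirm whether
    // removeAttribute("webrandom") after a successful verification is acceptable
    // for the retry flow.
    X509Certificate cert;
    try {
        // Verify the signature against the challenge; SVM returns the signer certificate.
        cert = X509Certificate.getInstance(SVM.verifySignature("LOGONDATA:" + webrandom, pkcs7));
        // Resolve the stored certificate record.
        UserCert userCert = userCertService.getUserCert(cert);
        if (StringUtils.isBlank(userCert.getKeySn()) || !userCert.getKeySn().equals(keySn)) {
            // Remember which client key the certificate was presented from.
            userCert.setKeySn(keySn);
            sqlSession.update("com.itrus.portal.db.UserCertMapper.updateByPrimaryKey", userCert);
        }
        if (null != userCert.getIsValid() && userCert.getIsValid().equals(0)) {
            // NOTE(review): validity is taken from the stored record only; whether the
            // certificate's own validity period and revocation status are checked inside
            // SVM.verifySignature is not visible here — confirm.
            retMap.put("retMsg", "该证书已过期,请使用更新后的证书登录");
            return retMap;
        }
        Long userid = userCert.getUserinfo();
        UserInfo userInfo = null;
        if (null != userid) {
            UserInfoExample example = new UserInfoExample();
            UserInfoExample.Criteria criteria = example.or();
            criteria.andIdEqualTo(userid);
            userInfo = sqlSession.selectOne("com.itrus.portal.db.UserInfoMapper.selectByExample", example);
        }
        // 0 means the certificate has no bound user yet and the binding page is needed.
        retMap.put("has_userInfo", userInfo == null ? 0 : 1);
        Enterprise enterprise = null;
        if (null != userCert.getEnterprise()) {
            enterprise = enterpriseService.getEnterpriseById(userCert.getEnterprise());
        }
        // 0 means the enterprise information still has to be supplied.
        retMap.put("has_enterpriseInfo", enterprise == null ? 0 : 1);
        // Session state is populated even when binding is incomplete (retCode 2), so
        // the binding page can rely on the verified certificate identity.
        session.setAttribute(ComNames.WEB_VERIFY_CODE_STATUS, true);
        session.setAttribute(ComNames.WEB_USER_INFO, userInfo);
        session.setAttribute(ComNames.WEB_ENTERPRISE, enterprise);
        if (null == userInfo || null == enterprise) {
            retMap.put("retCode", 2);
            return retMap;
        }
        retMap.put("retCode", 1);
        // Audit trail for the successful login.
        UserLog userlog = new UserLog();
        userlog.setProject(userInfo.getProject());
        userlog.setType("客户端证书登录");
        userlog.setInfo("证书登录成功");
        userlog.setHostId("未知");
        userlog.setSn(userInfo.getUniqueId());
        LogUtil.userlog(sqlSession, userlog);
    } catch (CertificateException e) {
        // Library-supplied message is shown to the user (kept for compatibility);
        // the failed attempt is also recorded server-side.
        retMap.put("retMsg", e.getMessage());
        LogUtil.syslog(sqlSession, "证书登录", "证书登录失败,原因:" + e);
        return retMap;
    } catch (SigningServerException e) {
        retMap.put("retMsg", e.getMessage());
        LogUtil.syslog(sqlSession, "证书登录", "证书登录失败,原因:" + e);
        return retMap;
    } catch (Exception e) {
        // Unknown failure: generic message to the client, details (class + message,
        // so a null getMessage() is still informative) to the system log.
        retMap.put("retMsg", "服务端出现未知异常,请联系管理员");
        LogUtil.syslog(sqlSession, "证书登录", "证书登录失败,原因:" + e);
        return retMap;
    }
    return retMap;
}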
Also used : CertificateException(java.security.cert.CertificateException) X509Certificate(com.itrus.cert.X509Certificate) JsonMappingException(org.codehaus.jackson.map.JsonMappingException) ParseException(java.text.ParseException) JsonGenerationException(org.codehaus.jackson.JsonGenerationException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) SigningServerException(com.itrus.cryptorole.SigningServerException) UserInfoServiceException(com.itrus.portal.exception.UserInfoServiceException) SigningServerException(com.itrus.cryptorole.SigningServerException)

Example 2 with X509Certificate

use of com.itrus.cert.X509Certificate in project portal by ixinportal.

the class CrlContextController method create.

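// Create handler: stores a new CRL context (trust anchor) from the submitted form.
/**
 * Creates a CRL context from the posted form. The uploaded CA certificate is parsed,
 * re-encoded (Base64) and its issuer, serial, subject and validity period are copied
 * onto the entity before it is inserted. Afterwards the CRL-check configuration is
 * re-initialised and an admin log entry is written.
 * <p>
 * The CRL file itself is not verified here: the original CRL signature check
 * ({@code crl.verify(caCert.publicKey)} with the BC provider) was left disabled, so
 * CRL contents are stored without a signature check against the CA.
 *
 * @param crlContext form-bound entity; {@code caCertBuf} must hold the CA certificate bytes
 * @param bindingResult validation result of the form binding
 * @param uiModel model used to pass an error {@code "message"} back to the form
 * @param httpServletRequest current request (not read in this method)
 * @return redirect to the new entity on success, otherwise the create form
 * @throws Exception propagated from {@code createForm}
 */
@RequestMapping(params = "save", method = RequestMethod.POST, produces = "text/html")
public String create(@Valid CrlContext crlContext, BindingResult bindingResult, Model uiModel, HttpServletRequest httpServletRequest) throws Exception {
    if (bindingResult.hasErrors()) {
        uiModel.addAttribute("message", "提交数据不正确");
        return "crlcontext/create";
    }
    // A CA certificate is mandatory.
    if (crlContext.getCaCertBuf() == null || crlContext.getCaCertBuf().length == 0) {
        uiModel.addAttribute("message", "必须选择CA证书");
        return createForm(uiModel);
    }
    try {
        X509Certificate caCert = com.itrus.cert.X509Certificate.getInstance(crlContext.getCaCertBuf());
        // Normalise the stored certificate to its DER encoding (Base64) and copy the
        // identifying fields used for lookups and display.
        crlContext.setCaCertBuf(Base64.encode(caCert.getEncoded()));
        crlContext.setIssuerdn(caCert.getIssuerDNString());
        crlContext.setCertSn(caCert.getHexSerialNumber().toUpperCase());
        crlContext.setCertSubject(caCert.getSubjectDNString());
        crlContext.setCertStartTime(caCert.getNotBefore());
        crlContext.setCertEndTime(caCert.getNotAfter());
    } catch (Exception e) {
        // Map known failures to operator messages; anything else previously produced a
        // null message, so give it an explicit fallback.
        String message;
        if (e instanceof SignatureException) {
            message = "CRL签名验证失败,请您检查CRL是否为CA签发。";
        } else if (e instanceof CertificateException) {
            message = "X509Certificate对象实例化失败,请您检查CA证书格式是否正确。";
        } else if (e instanceof CRLException) {
            message = "X509CRL对象实例化失败,请您检查CRL文件格式是否正确。";
        } else {
            message = "CA证书处理失败,请您检查CA证书文件是否正确。";
        }
        uiModel.addAttribute("message", message);
        return createForm(uiModel);
    }
    sqlSession.insert("com.itrus.portal.db.CrlContextMapper.insert", crlContext);
    String oper = "增加信任源";
    String info = "签发者: " + crlContext.getIssuerdn() + "\r\n" + "crl颁发地址" + crlContext.getCrlUrl();
    LogUtil.adminlog(sqlSession, oper, info);
    // Re-initialise CRL checking so the new trust anchor takes effect.
    cacheCustomer.initCrlConfig();
    return "redirect:/crlcontext/" + crlContext.getId();
}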
Also used : CertificateException(java.security.cert.CertificateException) SignatureException(java.security.SignatureException) CRLException(java.security.cert.CRLException) X509Certificate(com.itrus.cert.X509Certificate) SignatureException(java.security.SignatureException) CertificateException(java.security.cert.CertificateException) CRLException(java.security.cert.CRLException) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 3 with X509Certificate

use of com.itrus.cert.X509Certificate in project portal by ixinportal.

the class CrlContextController method delete.

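// Delete handler: removes a CRL context (trust anchor) by id.
/**
 * Deletes the CRL context with the given id, re-initialises the CRL-check
 * configuration so the removed CA is no longer supported, and writes an admin log
 * entry. Any failure during deletion is reported to the UI as a single generic
 * message; the cause is not logged here.
 *
 * @param id primary key of the CRL context to delete
 * @param page paging parameter of the calling list; not referenced in this method
 * @param size paging parameter of the calling list; not referenced in this method
 * @param request current request, used to compute the redirect target
 * @param uiModel model used to pass an error {@code "message"} back to the UI
 * @return redirect to the referer, or to {@code /crlcontext} when none is available
 */
@RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = "text/html")
public String delete(@PathVariable("id") Long id, @RequestParam(value = "page", required = false) Integer page, @RequestParam(value = "size", required = false) Integer size, HttpServletRequest request, Model uiModel) {
    String retPath = getReferer(request, "redirect:/crlcontext", true);
    CrlContext crlContext = sqlSession.selectOne("com.itrus.portal.db.CrlContextMapper.selectByPrimaryKey", id);
    if (crlContext == null) {
        uiModel.addAttribute("message", "未找到要删除信任源信息");
        return retPath;
    }
    try {
        // The stored CA certificate is parsed but its value is not used; presumably
        // a sanity check — a row whose certificate bytes no longer parse ends up in
        // the catch below and is reported as undeletable. TODO confirm this guard is wanted.
        if (crlContext.getCaCertBuf() != null && crlContext.getCaCertBuf().length > 0) {
            X509Certificate.getInstance(crlContext.getCaCertBuf());
        }
        sqlSession.delete("com.itrus.portal.db.CrlContextMapper.deleteByPrimaryKey", id);
        // Drop support for the CA by rebuilding the CRL-check configuration.
        cacheCustomer.initCrlConfig();
        String oper = "删除信任源";
        String info = "证书主题: " + crlContext.getCertSubject() + "\r\n" + "crl颁发地址" + crlContext.getCrlUrl();
        LogUtil.adminlog(sqlSession, oper, info);
    } catch (Exception e) {
        // Constraint violations, parse failures and cache re-initialisation errors
        // all surface as this one message.
        uiModel.addAttribute("message", "要删除信任源存在关联,无法删除");
    }
    return retPath;
}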
Also used : CrlContext(com.itrus.portal.db.CrlContext) X509Certificate(com.itrus.cert.X509Certificate) SignatureException(java.security.SignatureException) CertificateException(java.security.cert.CertificateException) CRLException(java.security.cert.CRLException) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 4 with X509Certificate

use of com.itrus.cert.X509Certificate in project portal by ixinportal.

the class CVM method verifyCertificate.

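/**
 * Validates a certificate against the configured CRL contexts: the issuer must be a
 * known CA, the CA signature on the certificate must verify, the serial number must
 * not appear on the CA's CRL (when CRL checking is enabled for that CA) and
 * {@code notAfter} must still lie in the future. The {@code notBefore} date is
 * deliberately not checked.
 *
 * @param userCert the certificate to check (JDK type; converted to the com.itrus wrapper)
 * @return one of {@code VALID}, {@code UNKNOWN_ISSUER}, {@code ILLEGAL_ISSUER},
 *         {@code CRL_UNAVAILABLE}, {@code REVOKED}, {@code EXPIRED}
 * @throws RuntimeException if CVM has not been initialised ({@code crlContexts == null})
 *         or the certificate cannot be converted to the com.itrus wrapper
 */
public static int verifyCertificate(java.security.cert.X509Certificate userCert) {
    if (crlContexts == null) {
        throw new RuntimeException("CVM未初始化");
    }
    String serialNumber = DERUtils.BigIntegerToHexString(userCert.getSerialNumber());
    X509Certificate cert;
    try {
        cert = X509Certificate.getInstance(userCert);
    } catch (Exception e) {
        // Fail closed with the cause attached instead of dereferencing a null cert below.
        log.error("证书转换失败: " + e.getMessage());
        throw new RuntimeException("证书转换失败", e);
    }
    String issuerName = cert.getIssuerDN().getName();
    String subjectName = cert.getSubjectDN().getName();
    // Lookup is by issuer DN string; the signature check below is what actually
    // binds the certificate to that CA.
    log.debug("查找支持的CA[" + issuerName + "]");
    CRLContext crlContext = (CRLContext) crlContexts.get(issuerName);
    if (null == crlContext) {
        log.info("不支持的颁发者=[" + issuerName + "],Cert's SubjectDN=[" + subjectName + "]");
        return UNKNOWN_ISSUER;
    }
    X509Certificate caCert = crlContext.getM_CaCert();
    if (!cert.verify(caCert)) {
        log.info("验证CA签名失败,疑是伪造证书,Cert's SubjectDN=[" + subjectName + "]");
        return ILLEGAL_ISSUER;
    }
    if (crlContext.isM_ChechCRL()) {
        ItrusCRL itrusCRL = crlContext.getItrusCRL();
        if (itrusCRL == null) {
            // Without a CRL non-revocation cannot be established; refuse rather than accept.
            log.error("无法获取CRL,请检查配置文件和网络。");
            return CRL_UNAVAILABLE;
        }
        if (itrusCRL.findSN(serialNumber) >= 0) {
            log.info("证书已吊销,Cert's SubjectDN=[" + subjectName + "]");
            return REVOKED;
        }
    }
    // Only notAfter is checked; a certificate that is not yet valid is accepted on purpose.
    if (!cert.getNotAfter().after(new Date())) {
        log.info("证书已过期,Cert's SubjectDN=[" + subjectName + "]");
        return EXPIRED;
    }
    log.debug("证书状态有效,Cert's SubjectDN=[" + subjectName + "]");
    return VALID;
}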
Also used : X509Certificate(com.itrus.cert.X509Certificate) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) CRLException(java.security.cert.CRLException) NoSuchProviderException(java.security.NoSuchProviderException) Date(java.util.Date) ItrusCRL(com.itrus.portal.certAPI.cert.ItrusCRL)

Example 5 with X509Certificate

use of com.itrus.cert.X509Certificate in project portal by ixinportal.

the class ChargingRuleTaskTest method test1.

/**
 * Manual smoke test: parses a Base64-encoded certificate with the com.itrus wrapper
 * and prints it to stdout. A parse failure is printed to stderr; the method does not
 * fail or throw.
 *
 * @param certBase64 Base64 text of the certificate to parse
 */
public void test1(String certBase64) {
    X509Certificate parsed;
    try {
        parsed = X509Certificate.getInstance(certBase64);
    } catch (CertificateException failure) {
        // Report and carry on; this is a smoke test, not an assertion.
        failure.printStackTrace(System.err);
        return;
    }
    System.out.println(String.valueOf(parsed));
}
Also used : CertificateException(java.security.cert.CertificateException) X509Certificate(com.itrus.cert.X509Certificate)

Aggregations

X509Certificate (com.itrus.cert.X509Certificate)11 CertificateException (java.security.cert.CertificateException)10 IOException (java.io.IOException)6 CRLException (java.security.cert.CRLException)4 RequestMapping (org.springframework.web.bind.annotation.RequestMapping)4 SigningServerException (com.itrus.cryptorole.SigningServerException)3 CrlContext (com.itrus.portal.db.CrlContext)3 NoSuchProviderException (java.security.NoSuchProviderException)3 SignatureException (java.security.SignatureException)3 UserInfoServiceException (com.itrus.portal.exception.UserInfoServiceException)2 FileNotFoundException (java.io.FileNotFoundException)2 UnsupportedEncodingException (java.io.UnsupportedEncodingException)2 KeyStoreException (java.security.KeyStoreException)2 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2 ParseException (java.text.ParseException)2 JsonGenerationException (org.codehaus.jackson.JsonGenerationException)2 JsonMappingException (org.codehaus.jackson.map.JsonMappingException)2 CryptoException (com.itrus.cryptorole.CryptoException)1 NotSupportException (com.itrus.cryptorole.NotSupportException)1 ItrusCRL (com.itrus.portal.certAPI.cert.ItrusCRL)1