《轉載請注明出處》
摸索這個東西好長時間了,資料太少無從下手找了個EJBCA的類似論壇的東西 一點點找入口.....
分享下:http://sourceforge.net/p/ejbca/discussion/132019/,這個EJBCA的論壇 有問題 裡面的人很快會回答的,但是 他們是做盈利機構的有些問題。。
EJBCA SVN路徑:https://svn.cesecore.eu/svn/ejbca/tags/Rel_3_9_7/ejbca 這是3的版本。 其他的版本到:https://svn.cesecore.eu/svn/ejbca/tags 這裡選。
一、先介紹下接口調用:
EJBCA 提供的ws接口有兩種調用方式:1、直接走ws接口;2、EJBCA提供的有指令行的方式,輸入指令調用ws接口 當然很多人會直接選擇EJBCA提供的ws接口,我當時是實在走不動了就反複看他的API(下面英文的)才想去試試指令行的,執行一下發現JBOSS背景報錯一樣才明白是咋回事。
Using the Web Services CLI
Included in the EJBCA Client Tool Box is a Web Service CLI tool.
To use the client do the following, copy the directory with all included files to the computer you want to remote administrate from. Then create a JKS or P12 file with the appropriate access rights (See the Using API section for details) and finally configure the file ejbcawsracli.properties. In this file you should specify the hostname of the CA server, the name of the keystore and the password to unlock it. Documentation for each setting is in the file ejbcacsracli.properties.
Use 'ejbcaClientToolBox.sh EjbcaWsRaCli' for a list of each subcommand and 'ejbcaClientToolBox.sh EjbcaWsRaCli "subcommand"' for detailed help how to use the cli.
Example usage: ejbcaClientToolBox.sh EjbcaWsRaCli pkcs12req testuser2 foo123 2048 NONE tmp
ejbcaClientToolBox.sh EjbcaWsRaCli revokeuser testuser2 SUPERSEDED false
二、調用步驟
1、拿到根證書; 2、在程式中設定證書屬性; 3、拿到ws接口; 4、調用你要的方法;
三、指令調用接口介紹
先說第二種通過指令行接口: 在你安裝EJBCA的目錄 ejbca_4_0_10\dist\ejbca-ws-cli 下面有cmd指令和sh指令,輸入後會有提示操作(但是這個指令太抽象、不是很好找)。如下圖:
查找使用者wsadmin的指令這樣寫:
<span style="font-size:18px;">ejbcawsracli.cmd finduser USERNAME Equals wsadmin</span>
然後會出來你想要的!!其他的指令我是沒怎麼找,太麻煩了!是以就想其他辦法吧。
不要急,往下看。 當你輸入more ejbca-ws-cli.cmd 顯示:
顯示這個指令行是封裝了的jar檔案,是以我們就可以反編譯看他封裝的源碼了!!哈哈
下載下傳svn的項目後 找到對應的路徑 看看吧,他是咋調用的就很清楚了(到這裡 就花了很長時間,因為沒思路)。
下面介紹下我熟悉的幾個接口:
到這個API的位置上看吧,裡面是你基本需要的方法:
http://www.ejbca.org/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html#certificateRequest(org.ejbca.core.protocol.ws.client.gen.UserDataVOWS, java.lang.String, int, java.lang.String, java.lang.String)
四、接口示例介紹(簡單介紹一個)
看ws的API按照他給的例子就是不對,下面的連接配接進去看吧!
http://tirnanog.ls.fi.upm.es:8080/ejbca/doc/adminguide.html#Sample code 會出現很多的異常,還不知道錯在哪?
我這樣是正常的----
這樣設定證書的到程式中(官網他提供的API也不知道是方法太老還是太新了 ,我用的一直不對。)下面是我現在使用根證書認證的代碼:
</pre><pre name="code" class="java">String urlstr = "https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl";
CryptoProviderTools.installBCProvider();
System.setProperty("javax.net.ssl.keyStore","C:/ejbca_4_0_10/p12/superadmin.p12");
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
Provider tlsProvider = new TLSProvider();
Security.addProvider(tlsProvider);
Security.setProperty("ssl.TrustManagerFactory.algorithm", "AcceptAll");
System.setProperty("javax.net.ssl.keyStorePassword", "ejbca");
try {
KeyManagerFactory.getInstance("NewSunX509");
} catch (NoSuchAlgorithmException e1) {
e1.printStackTrace();
}
Security.setProperty("ssl.KeyManagerFactory.algorithm", "NewSunX509");
QName qname = new QName("http://ws.protocol.core.ejbca.org/","EjbcaWSService");
EjbcaWSService service = null;
try {
service = new EjbcaWSService(new URL(urlstr), qname);
} catch (MalformedURLException e) {
e.printStackTrace();
}
EjbcaWS ejbcaraws = service.getEjbcaWSPort();
這樣你就可以拿到需要的webService接口了。下面是查找使用者的例子:
UserMatch usermatch = new UserMatch();
usermatch.setMatchwith(org.ejbca.util.query.UserMatch.MATCH_WITH_USERNAME);
usermatch.setMatchtype(org.ejbca.util.query.UserMatch.MATCH_TYPE_EQUALS);
usermatch.setMatchvalue(userName);
List<UserDataVOWS> result = ejbcaraws.findUser(usermatch);//(ejbcaraws 就是上面擷取到的ws service)
簡單說下這個方法的參數:
setMatchwith 和setMatchtype 這兩個參數是來說明你要按照什麼查找,例子中的是按使用者名查,他還提供了按subjectDN群組織等的查詢(自己看參數怎麼傳吧)
這就是最基本的操作了,下面的很多根據你需要自己看看源碼看看API吧。走通這個你最起碼不發愁沒方向了,我是難為了2周,找文章找人問都沒有 哭都哭不出來。
第一種調用法
很簡單了,隻要你拿到他的源碼,還有啥不難辦的呢?人家帶的測試類帶的例子那麼多,你要是看不出來 就.....
把測試路徑給你發出來:
思路給分析了,其他的問題可以問問哈 加EJBCA開發群:362248338
五、異常
上一篇安裝時候提到的302異常(又經一起學習的哥們“希望、在前方” 驗證,這個是正确的當你通路伺服器時,捂手之後EJBCA會給你跳到127.0.0.1 就會報:伺服器發送了 HTTP 狀态代碼 302: Moved Temporarily 異常) 配置JBOSS :修改jboss下面的目錄中的檔案内容:
JOBSS_HOME
rver/default/deployers/jbossws.deployer/META-INF/jboss-beans.xml
注釋掉
<property name="webServiceHost">${jboss.bind.address}</property>
否則在使用代碼通路wsdl時候 會出現:
ClientTransportException: 伺服器發送了 HTTP 狀态代碼 302: Moved Temporarily 異常
六、幾個常用的接口
========================================================== ====================證書驗證: ============================================== ========================================================== 1、驗證簽名是否正确
2、驗證證書是否由根CA頒發;
3、驗證證書是否過期 4、屬于應用層的驗證,驗證證書的 序列号+頒發者 和使用者的綁定關系;
========================================================== ====================證書查詢: ============================================== ========================================================== ejbcaraws .findCerts(certName, true ); //true 查找可用的證書;false 查找所有證書 根據參數不 true或者false來 查找不通的類型
========================================================== ====================使用者查詢接口: ============================================== ========================================================== UserMatch usermatch = new UserMatch(); // MATCH_WITH_USERNAME = 0;//使用者名 // MATCH_WITH_EMAIL = 1;//郵箱 // MATCH_WITH_STATUS = 2; // Value must the number representation. // MATCH_WITH_ENDENTITYPROFILE = 3; // Matches the profile id not profilename. // MATCH_WITH_CERTIFICATEPROFILE = 4; // Matches the certificatetype id not name. // MATCH_WITH_CA = 5; // Matches the CA id not CA name. // MATCH_WITH_TOKEN = 6; // MATCH_WITH_DN = 7; usermatch.setMatchwith(org.ejbca.util.query.UserMatch. MATCH_WITH_USERNAME ); // MATCH_TYPE_EQUALS = 0; 等于 //MATCH_TYPE_BEGINSWITH = 1; 以什麼開始 // MATCH_TYPE_CONTAINS = 2; 包含 usermatch.setMatchtype(org.ejbca.util.query.UserMatch. MATCH_TYPE_EQUALS ); usermatch.setMatchvalue( "WSTESTUSER2" ); ejbcaraws .findUser(usermatch) ========================================================== ==================== 擷取私鑰 ============================================== ========================================================== KeyStore result = ejbcaraws.pkcs12Req(userName,password, null , "1024" , AlgorithmConstants. KEYALGORITHM_RSA ); java.security.KeyStore ks2 = KeyStoreHelper.getKeyStore(result.getKeystoreData(), "PKCS12" ,password); Enumeration en =ks2.aliases(); System. out .println( "en:" +en); String alias = (String) en.nextElement(); X509Certificate cert2 = (X509Certificate) ks2.getCertificate(alias); PrivateKey privK2 = (PrivateKey)ks2.getKey(alias, "foo456" .toCharArray()); String key2 = new String(Hex.encode(privK2.getEncoded())); System. out .println( "秘鑰:" +key2);
========================================================== ==================== 擷取公鑰 ============================================== ========================================================== getPublicKey List<Certificate> result = ejbcaraws.findCerts( "hangzhou" , true ); Iterator<Certificate> iter = result.iterator(); while (iter.hasNext()){ i++; Certificate cert = iter.next(); Certificate aa = cert.getCertificate(); String certData = new String(cert.getCertificateData()); java.security.cert.Certificate retval = CertTools.getCertfromByteArray(Base64.decode(cert.getCertificateData())); System. out .println( "PublicKey:" +retval.getPublicKey()); }
CertTools. getSerialNumber(retval)
PublicKey key = ejbcaWsFactory .getRootPublicKey(); try { xc.verify(key); } catch (InvalidKeyException e) { e.printStackTrace(); } catch (CertificateException e) { e.printStackTrace(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (NoSuchProviderException e) { e.printStackTrace(); } catch (SignatureException e) { e.printStackTrace(); }
========================================================== ==================== 獲驗證書資訊 ============================================== ========================================================== java.security.KeyStore ks = KeyStoreHelper.getKeyStore(ksenv.getKeystoreData(), "PKCS12" , "foo456" ); assertNotNull(ks); Enumeration en = ks.aliases(); String alias = (String) en.nextElement(); X509Certificate cert = (X509Certificate) ks.getCertificate(alias); assertTrue(cert.getSubjectDN().toString().equals( "CN=WSTESTUSER1,O=Test" ));
========================================================== ==================== 獲驗證書 IssuerDN SerialNumber ============================================== ==========================================================
java.security.KeyStore ks = KeyStoreHelper.getKeyStore(ksenv.getKeystoreData(), "PKCS12" , "foo456" ); Enumeration en = ks.aliases(); String alias = (String) en.nextElement(); X509Certificate cert = (X509Certificate ) ks.getCertificate(alias); System. out .println(cert.getSubjectDN().toString().equals( "CN=111111,O=Test" )); String issuerdn = cert.getIssuerDN().toString(); System. out .println( "第一次 IssuerDN:" +issuerdn); String serno = cert.getSerialNumber().toString(16); System. out .println( "第一次SerialNumber:" +serno); ========================================================== ==================== 撤銷證書 = ============================================= ========================================================== * revokeCert 方法 撤銷證書(在頁面上可以看到如下資訊) * 已撤銷 是 撤銷日期: 2014 - 05 - 29 23:55:07+08:00 撤銷原因: 證書挂起 ejbcaraws.revokeCert(issuerdn,serno, 6) 證書挂起後 新增還可以下載下傳 為什麼????
========================================================== ================== 編輯使用者實體 擷取使用者密碼 為null = ================== ==========================================================
編輯使用者實體時候 setClearPwd(false); 不知道什麼作用 擷取 passwoord 為空 ========================================================== ==================簡單 生成證書 = ================== ========================================================== BatchMakeP12 makep12 = new BatchMakeP12(); File tmpfile = File. createTempFile( "ejbca" , "p12" ); makep12.setMainStoreDir(tmpfile.getParent()); makep12.createAllNew();
=================================================== test06revokeCert做什麼的?
revokeUser("zhengzhou",1,true); 使用者沒了
========================================================== ==================驗證證書鍊 = ================== ==========================================================
public static boolean verifyEffect(String userName){ boolean effectFlag = false ; try { List<Certificate> foundcerts = ejbcaraws .getLastCertChain(userName); System. out .println( "foundcerts.size:" +foundcerts.size()); java.security.cert.Certificate cert = (java.security.cert.Certificate) CertificateHelper.getCertificate(foundcerts.get(0).getCertificateData()); System. out .println( "client SubjectDN:" + CertTools.getSubjectDN(cert)); System. out .println( "client IssuerDN:" + CertTools.getIssuerDN(cert)); System. out .println( "client SerialNumber:" + CertTools.getSerialNumber(cert)); for ( int i = 1; i < foundcerts.size(); i++) { java.security.cert.Certificate cert2 = (java.security.cert.Certificate) CertificateHelper.getCertificate(foundcerts.get(i).getCertificateData()); System. out .println( "serive SubjectDN:" + CertTools.getSubjectDN(cert2)); System. out .println( "serive IssuerDN:" + CertTools.getIssuerDN(cert2)); System. out .println( "serive SerialNumber:" + CertTools.getSerialNumber(cert2)); //System.out.println("serive SerialNumber:"+ CertTools.get); cert.verify(cert2.getPublicKey()); // will throw if verification fails effectFlag = true ; } } catch (AuthorizationDeniedException_Exception e) { e.printStackTrace(); } catch (EjbcaException_Exception e) { e.printStackTrace(); } catch (CertificateException e) { e.printStackTrace(); } catch (InvalidKeyException e) { e.printStackTrace(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (NoSuchProviderException e) { e.printStackTrace(); } catch (SignatureException e) { e.printStackTrace(); } return effectFlag; } ========================================================== ==================移除 證書 = ================== ========================================================== ejbcaraws .revokeCert(issuerdn,serno, RevokedCertInfo. REVOKATION_REASON_KEYCOMPROMISE );
大家有什麼問題歡迎提一起探讨,後面我會把我遇到的一些問題和異常分享下!