从Web Service返回X509Certificate

Question

我在JBOSS上运行了一个Web服务。该Web服务有一个名为public X509Certificate provideCertificate(String name, PublicKey key){ ... }的方法，为客户提供新的证书，以便与其他方进行通信。

问题是，我无法接收PublicKey，因为JAXB抱怨它的接口而且我不能返回X509Certificate，因为它没有空构造函数（或者说JBOSS说）。

我已经尝试将这些对象封装在某种DTO对象上，但它也没有用。 我知道也许这不是这样做的方式，所以关于这个主题的任何灯光都会有很大的吸引力。

我的网络服务代码：

@javax.jws.WebService
public class CAWebService
{
@javax.jws.WebMethod
public X509Certificate addOperatorPublicKey(PublicKeyReqResDTO req)
{
    PublicKey key = req.getPublicKey();
    String operador = req.getNome();

    X509CertImpl cert = null;
    try
    {
        // used algorithm
        String algorithm = "MD5WithRSA";

        // create certificate for this request
        PrivateKey privateKey = caKeyPair.getPrivate();
        X509CertInfo info = new X509CertInfo();

        // 3600000 = 1 hour maximum duration
        Date from = new Date();
        Date to = new Date(from.getTime() + 3600000L);

        CertificateValidity interval = new CertificateValidity(from, to);
        BigInteger sn = new BigInteger(64, new SecureRandom());
        X500Name owner = new X500Name(operador);

        info.set(X509CertInfo.VALIDITY, interval);
        info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
        info.set(X509CertInfo.ISSUER, new CertificateIssuerName(new X500Name("CA")));
        info.set(X509CertInfo.KEY, new CertificateX509Key(key));
        info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
        AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
        info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));

        // signs the certificate using this web service private key
        cert = new X509CertImpl(info);
        cert.sign(privateKey, algorithm);

        // updates and re-signs
        algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
        info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
        cert = new X509CertImpl(info);
        cert.sign(privateKey, algorithm);
    }
            //catch all the exceptions, its like 10 diffente ones
    catch( .... )
            {
    }

    //is the name already on the valid cert list?
    boolean found = false; int index = 0;
    for(int i = 0; i < validList.size(); i++)
    {
        if(validList.get(i).getSubjectX500Principal().getName().equals(operador))
        {
            found = true; index = i;
            break;
        }
    }

    //the cert was already on the valid list, so we put it on the black list
    if(found)
    {
        blackList.add(validList.get(index));
        validList.remove(index);
        validList.add(cert);
    }
    else
    {
        //didnt find so no need to put on the black list
        validList.add(cert);
    }

    return cert;
}

我也使用ArrayList来控制黑色和有效的证书列表，因为由于某种原因，X509CRL不包含.add（）方法。 我对持久性不感兴趣，我只是希望它在网络服务上线时工作，时间离线我不在乎是否存在eveything siezes。

提前感谢。

Answer 1

如果您将X509Certificate作为byte []从Web服务返回到客户端并从客户端的byte []重新创建X509Certificate，那将很容易。

它可以通过以下方式完成。 转换为byte []：

ByteArrayOutputStream bos = new ByteArrayOutputStream(); 
ObjectOutput out = new ObjectOutputStream(bos);   
out.writeObject(certificate);
byte[] data = bos.toByteArray(); 
bos.close();

从byte []重新创建X509Certificate：

CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate x509Certificate = (X509Certificate) cf.generateCertificate(new  ByteArrayInputStream(data));