add TrustStore SSLContext builder

author: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-06-12 16:16:31 +0200
committer: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-06-12 16:16:31 +0200
commit: f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558 (patch)
tree: eb98536b514acee2ad45231f4f4e414a69ae430a
parent: e3097f723fb9c7b7dda9a1c56f86af0c922651b0 (diff)
download: EAAF-Components-f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558.tar.gz
EAAF-Components-f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558.tar.bz2
EAAF-Components-f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558.zip
1 files changed, 91 insertions, 25 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
index eafd8a04..5035460f 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
@@ -162,42 +162,108 @@ public class HttpUtils {
       boolean trustAllServerCertificates, @Nonnull String friendlyName)
       throws EaafConfigurationException, EaafFactoryException {
     try {
-      log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString);
-      final char[] keyPassword = keyPasswordString == null ? StringUtils.EMPTY.toCharArray()
-          : keyPasswordString.toCharArray();
-
       SSLContextBuilder sslContextBuilder = SSLContexts.custom();
-      if (keyStore.getSecond() != null) {
-        Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond());
-        log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext",
-            friendlyName, provider.getName());
-        sslContextBuilder.setProvider(provider);
-        
-      }
       
-      if (StringUtils.isNotEmpty(keyAlias)) {
-        sslContextBuilder = sslContextBuilder
-            .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias));
-
-      } else {
-        sslContextBuilder = sslContextBuilder
-            .loadKeyMaterial(keyStore.getFirst(), keyPassword);
-      }
-
-      if (trustAllServerCertificates) {
-        log.warn("Http-client:{} trusts ALL TLS server-certificates!");
-        final TrustStrategy trustStrategy = new TrustAllStrategy();
-        sslContextBuilder = sslContextBuilder.loadTrustMaterial(trustStrategy);
+      injectKeyStore(sslContextBuilder, keyStore, keyAlias, keyPasswordString, friendlyName);
+            
+      injectTrustStore(sslContextBuilder, null, trustAllServerCertificates, friendlyName);
+      
+      return sslContextBuilder.build();
 
-      }
+    } catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException
+        | KeyStoreException e) {
+      throw new EaafFactoryException(ERROR_03, new Object[] { friendlyName, e.getMessage() }, e);
 
+    }
+  }
+  
+  /**
+   * Initialize a {@link SSLContext} with a {@link KeyStore} that uses X509 Client
+   * authentication and a custom TrustStore as {@link KeyStore}.
+   *
+   * @param keyStore                   KeyStore with private keys that should be
+   *                                   used
+   * @param keyAlias                   Alias of the key that should be used. If
+   *                                   the alias is null, than the first key that
+   *                                   is found will be selected.
+   * @param keyPasswordString          Password of the Key in this keystore
+   * @param trustStore                 TrustStore with trusted SSL certificates
+   * @param trustAllServerCertificates Deactivate SSL server-certificate
+   *                                   validation
+   * @param friendlyName               FriendlyName of the http client for logging
+   *                                   purposes
+   * @return {@link SSLContext} with X509 client authentication
+   * @throws EaafConfigurationException In case of a configuration error
+   * @throws EaafFactoryException       In case of a {@link SSLContext}
+   *                                    initialization error
+   */
+  public static SSLContext buildSslContextWithSslClientAuthentication(@Nonnull final Pair<KeyStore, Provider> keyStore,
+      @Nullable String keyAlias, @Nullable String keyPasswordString,
+      @Nullable final Pair<KeyStore, Provider> trustStore, boolean trustAllServerCertificates, 
+      @Nonnull String friendlyName)
+      throws EaafConfigurationException, EaafFactoryException {
+    try {
+      SSLContextBuilder sslContextBuilder = SSLContexts.custom();
+      
+      injectKeyStore(sslContextBuilder, keyStore, keyAlias, keyPasswordString, friendlyName);
+            
+      injectTrustStore(sslContextBuilder, trustStore, trustAllServerCertificates, friendlyName);
+      
       return sslContextBuilder.build();
 
     } catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException
         | KeyStoreException e) {
       throw new EaafFactoryException(ERROR_03, new Object[] { friendlyName, e.getMessage() }, e);
 
+    }    
+  }
+  
+  private static void injectTrustStore(SSLContextBuilder sslContextBuilder,
+      Pair<KeyStore, Provider> trustStore, boolean trustAllServerCertificates, String friendlyName) 
+          throws NoSuchAlgorithmException, KeyStoreException {
+    
+    TrustStrategy trustStrategy = null;
+    if (trustAllServerCertificates) {
+      log.warn("Http-client:{} trusts ALL TLS server-certificates!", friendlyName);
+      trustStrategy = new TrustAllStrategy();
+      
+    }
+            
+    KeyStore trustStoreImpl = null;
+    if (trustStore != null) {
+      log.info("Http-client: {} uses custom TrustStore.", friendlyName);
+      trustStoreImpl = trustStore.getFirst();
+
+    } 
+              
+    sslContextBuilder.loadTrustMaterial(trustStoreImpl, trustStrategy);
+        
+  }
+
+  private static void injectKeyStore(SSLContextBuilder sslContextBuilder, Pair<KeyStore, Provider> keyStore,
+      String keyAlias, String keyPasswordString, String friendlyName) 
+          throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException {
+    if (keyStore.getSecond() != null) {
+      Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond());
+      log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext",
+          friendlyName, provider.getName());
+      sslContextBuilder.setProvider(provider);
+      
+    }
+    
+    log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString);
+    final char[] keyPassword = keyPasswordString == null ? StringUtils.EMPTY.toCharArray()
+        : keyPasswordString.toCharArray();
+
+    if (StringUtils.isNotEmpty(keyAlias)) {
+      sslContextBuilder = sslContextBuilder
+          .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias));
+
+    } else {
+      sslContextBuilder = sslContextBuilder
+          .loadKeyMaterial(keyStore.getFirst(), keyPassword);
     }
+    
   }
 
 }
author	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-06-12 16:16:31 +0200
committer	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-06-12 16:16:31 +0200
commit	f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558 (patch)
tree	eb98536b514acee2ad45231f4f4e414a69ae430a
parent	e3097f723fb9c7b7dda9a1c56f86af0c922651b0 (diff)
download	EAAF-Components-f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558.tar.gz EAAF-Components-f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558.tar.bz2 EAAF-Components-f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558.zip