authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-06-12 16:16:31 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-06-12 16:16:31 +0200
commitf7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558 (patch)
treeeb98536b514acee2ad45231f4f4e414a69ae430a
parente3097f723fb9c7b7dda9a1c56f86af0c922651b0 (diff)
downloadEAAF-Components-f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558.tar.gz
EAAF-Components-f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558.tar.bz2
EAAF-Components-f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558.zip
add TrustStore SSLContext builder
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java116
1 files changed, 91 insertions, 25 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
index eafd8a04..5035460f 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
@@ -162,42 +162,108 @@ public class HttpUtils {
boolean trustAllServerCertificates, @Nonnull String friendlyName)
throws EaafConfigurationException, EaafFactoryException {
try {
- log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString);
- final char[] keyPassword = keyPasswordString == null ? StringUtils.EMPTY.toCharArray()
- : keyPasswordString.toCharArray();
-
SSLContextBuilder sslContextBuilder = SSLContexts.custom();
- if (keyStore.getSecond() != null) {
- Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond());
- log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext",
- friendlyName, provider.getName());
- sslContextBuilder.setProvider(provider);
-
- }
- if (StringUtils.isNotEmpty(keyAlias)) {
- sslContextBuilder = sslContextBuilder
- .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias));
-
- } else {
- sslContextBuilder = sslContextBuilder
- .loadKeyMaterial(keyStore.getFirst(), keyPassword);
- }
-
- if (trustAllServerCertificates) {
- log.warn("Http-client:{} trusts ALL TLS server-certificates!");
- final TrustStrategy trustStrategy = new TrustAllStrategy();
- sslContextBuilder = sslContextBuilder.loadTrustMaterial(trustStrategy);
+ injectKeyStore(sslContextBuilder, keyStore, keyAlias, keyPasswordString, friendlyName);
+
+ injectTrustStore(sslContextBuilder, null, trustAllServerCertificates, friendlyName);
+
+ return sslContextBuilder.build();
- }
+ } catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException
+ | KeyStoreException e) {
+ throw new EaafFactoryException(ERROR_03, new Object[] { friendlyName, e.getMessage() }, e);
+ }
+ }
+
+ /**
+ * Initialize a {@link SSLContext} with a {@link KeyStore} that uses X509 Client
+ * authentication and a custom TrustStore as {@link KeyStore}.
+ *
+ * @param keyStore KeyStore with private keys that should be
+ * used
+ * @param keyAlias Alias of the key that should be used. If
+ * the alias is null, than the first key that
+ * is found will be selected.
+ * @param keyPasswordString Password of the Key in this keystore
+ * @param trustStore TrustStore with trusted SSL certificates
+ * @param trustAllServerCertificates Deactivate SSL server-certificate
+ * validation
+ * @param friendlyName FriendlyName of the http client for logging
+ * purposes
+ * @return {@link SSLContext} with X509 client authentication
+ * @throws EaafConfigurationException In case of a configuration error
+ * @throws EaafFactoryException In case of a {@link SSLContext}
+ * initialization error
+ */
+ public static SSLContext buildSslContextWithSslClientAuthentication(@Nonnull final Pair<KeyStore, Provider> keyStore,
+ @Nullable String keyAlias, @Nullable String keyPasswordString,
+ @Nullable final Pair<KeyStore, Provider> trustStore, boolean trustAllServerCertificates,
+ @Nonnull String friendlyName)
+ throws EaafConfigurationException, EaafFactoryException {
+ try {
+ SSLContextBuilder sslContextBuilder = SSLContexts.custom();
+
+ injectKeyStore(sslContextBuilder, keyStore, keyAlias, keyPasswordString, friendlyName);
+
+ injectTrustStore(sslContextBuilder, trustStore, trustAllServerCertificates, friendlyName);
+
return sslContextBuilder.build();
} catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException
| KeyStoreException e) {
throw new EaafFactoryException(ERROR_03, new Object[] { friendlyName, e.getMessage() }, e);
+ }
+ }
+
+ private static void injectTrustStore(SSLContextBuilder sslContextBuilder,
+ Pair<KeyStore, Provider> trustStore, boolean trustAllServerCertificates, String friendlyName)
+ throws NoSuchAlgorithmException, KeyStoreException {
+
+ TrustStrategy trustStrategy = null;
+ if (trustAllServerCertificates) {
+ log.warn("Http-client:{} trusts ALL TLS server-certificates!", friendlyName);
+ trustStrategy = new TrustAllStrategy();
+
+ }
+
+ KeyStore trustStoreImpl = null;
+ if (trustStore != null) {
+ log.info("Http-client: {} uses custom TrustStore.", friendlyName);
+ trustStoreImpl = trustStore.getFirst();
+
+ }
+
+ sslContextBuilder.loadTrustMaterial(trustStoreImpl, trustStrategy);
+
+ }
+
+ private static void injectKeyStore(SSLContextBuilder sslContextBuilder, Pair<KeyStore, Provider> keyStore,
+ String keyAlias, String keyPasswordString, String friendlyName)
+ throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException {
+ if (keyStore.getSecond() != null) {
+ Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond());
+ log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext",
+ friendlyName, provider.getName());
+ sslContextBuilder.setProvider(provider);
+
+ }
+
+ log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString);
+ final char[] keyPassword = keyPasswordString == null ? StringUtils.EMPTY.toCharArray()
+ : keyPasswordString.toCharArray();
+
+ if (StringUtils.isNotEmpty(keyAlias)) {
+ sslContextBuilder = sslContextBuilder
+ .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias));
+
+ } else {
+ sslContextBuilder = sslContextBuilder
+ .loadKeyMaterial(keyStore.getFirst(), keyPassword);
}
+
}
}
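Review bot: injectKeyStore still writes the key-store password to the log in the line `log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString);` — the commit moves this statement from the old method body into the new helper without removing the secret from it, so any deployment with TRACE enabled for this class ends up with the private-key password in plaintext log output. Replace it with a message that omits the value, e.g. `log.trace("Open SSL Client-Auth keystore for http-client: {}", friendlyName);`. Separately, injectTrustStore reads only `trustStore.getFirst()` while the Provider carried in `trustStore.getSecond()` is never used, unlike the key-store path, so a custom trust store with its own provider is silently loaded under whatever provider injectKeyStore set (or the default); either apply it or state in the new Javadoc that the trust store's provider is ignored. The Javadoc for `trustAllServerCertificates` should also say that when it is true the custom trust store is effectively not consulted, since TrustAllStrategy, as HttpClient applies it, accepts every chain before the delegate trust manager is asked.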