author | Thomas <> | 2023-07-12 10:13:44 +0200 |
---|---|---|
committer | Thomas <> | 2023-07-12 10:13:44 +0200 |
commit | e0f7b2c41f66038dc6438b3cc6da14a1422ccf43 (patch) | |
tree | f2ca69eb5b058f4253aa9db4940d528d4ee72f16 | |
parent | 25ae045ff811ed39638e5366f7d53f3776f0d436 (diff) | |
feat(hsm-facade): make trusted SSL-certificate optional for HSM-Facade initialization
2 files changed, 54 insertions, 37 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
index fec984c4..0ecdcc92 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
@@ -288,17 +288,29 @@ public class EaafKeyStoreFactory { final long grpcDeadline = getConfigurationParameterLong(CONFIG_PROP_HSM_FACADE_GRPC_DEADLINE, HSM_FACADE_DEFAULT_DEADLINE); + X509Certificate trustedSslCertificate = getHsmFacadeTrustSslCertificate(); //initialize HSM-Facade by using JAVA Reflection, because in that case HSM-Facade //has not be in ClassPath on every project final Method constructor = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, new Class[]{}); - final Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT, + final Method initMethodWithSslCert = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT, X509Certificate.class, String.class, String.class, String.class, int.class, long.class); - if (initMethod != null && constructor != null) { + final Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT, + String.class, String.class, String.class, int.class, long.class); + if (initMethodWithSslCert != null && initMethod != null && constructor != null) { final Object rawProvider = constructor.invoke(hsmProviderClazz); - initMethod.invoke( - rawProvider, getHsmFacadeTrustSslCertificate(), - clientUsername, clientPassword, hsmFacadeHost, port, grpcDeadline); + + if (trustedSslCertificate != null) { + log.trace("Invoking HSM-Facade constructor with SSL certificate ... "); + initMethodWithSslCert.invoke(rawProvider, trustedSslCertificate, clientUsername, clientPassword, + hsmFacadeHost, port, grpcDeadline); + + } else { + log.trace("Invoking HSM-Facade constructor without SSL certificate ... "); + initMethod.invoke(rawProvider, clientUsername, clientPassword, + hsmFacadeHost, port, grpcDeadline); + + } if (rawProvider instanceof Provider) { Security.addProvider((Provider) rawProvider); 
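Review bot: Both `init` overloads are resolved eagerly with `getMethod` before the branch on `trustedSslCertificate`, so a facade build that lacks either signature fails with NoSuchMethodException even though only one overload is used per run; the version that only knows the certificate-taking signature can no longer initialize at all, even with a certificate configured. `Class.getMethod` never returns null, so the `initMethodWithSslCert != null && initMethod != null` guard and the warn branch in the second hunk (which now reports only `initMethodWithSslCert`) cannot observe a missing method; the absence surfaces as the exception wherever the enclosing method catches it, outside this hunk. Suggest resolving only the overload the configuration selects, inside its branch, so the pinned-certificate path and the system-trust path each depend solely on their own signature; the guard and warn branch then reduce to the `constructor` check. The enclosing method starts before and ends after this hunk.
```java
      final Object rawProvider = constructor.invoke(hsmProviderClazz);

      if (trustedSslCertificate != null) {
        // resolve only the overload this path needs, so a facade build that lacks
        // the other signature still initializes
        final Method initMethodWithSslCert = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT,
            X509Certificate.class, String.class, String.class, String.class, int.class, long.class);
        log.trace("Invoking HSM-Facade constructor with SSL certificate ... ");
        initMethodWithSslCert.invoke(rawProvider, trustedSslCertificate, clientUsername, clientPassword,
            hsmFacadeHost, port, grpcDeadline);

      } else {
        final Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT,
            String.class, String.class, String.class, int.class, long.class);
        log.trace("Invoking HSM-Facade constructor without SSL certificate ... ");
        initMethod.invoke(rawProvider, clientUsername, clientPassword,
            hsmFacadeHost, port, grpcDeadline);

      }
      // … unchanged: Security.addProvider registration …
```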
@@ -318,7 +330,7 @@ public class EaafKeyStoreFactory { log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG, HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, constructor != null); log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG, - HSM_FACADE_PROVIDER_METHOD_INIT, initMethod != null); + HSM_FACADE_PROVIDER_METHOD_INIT, initMethodWithSslCert != null); throw new EaafException(ERRORCODE_10, new Object[] {HSM_FACADE_PROVIDER_CLASS}); } 
@@ -527,21 +539,29 @@ public class EaafKeyStoreFactory { private X509Certificate getHsmFacadeTrustSslCertificate() throws EaafConfigurationException { try { - final String certFilePath = getConfigurationParameter(CONFIG_PROP_HSM_FACADE_SSLTRUST); + final String certFilePath = basicConfig.getBasicConfiguration(CONFIG_PROP_HSM_FACADE_SSLTRUST); + if (StringUtils.isNotEmpty(certFilePath)) { + final String absolutCertFilePath = FileUtils.makeAbsoluteUrl( + certFilePath, basicConfig.getConfigurationRootDirectory()); - final String absolutCertFilePath = FileUtils.makeAbsoluteUrl( - certFilePath, basicConfig.getConfigurationRootDirectory()); - final Resource certFile = resourceLoader.getResource(absolutCertFilePath); + log.debug("Loading HSM-Facade trusted server-certificate from path : {}", absolutCertFilePath); + final Resource certFile = resourceLoader.getResource(absolutCertFilePath); - if (!certFile.exists()) { - throw new EaafConfigurationException(ERRORCODE_05, - new Object[] { CONFIG_PROP_HSM_FACADE_SSLTRUST, - "File not found at: " + absolutCertFilePath }); + if (!certFile.exists()) { + throw new EaafConfigurationException(ERRORCODE_05, + new Object[] { CONFIG_PROP_HSM_FACADE_SSLTRUST, + "File not found at: " + absolutCertFilePath }); - } + } + + return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate( + certFile.getInputStream()); - return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certFile - .getInputStream()); + } else { + log.info("HSM-Facade trusted server-certificate is not set. Using System-TrustStore ... "); + return null; + + } } catch (final EaafConfigurationException e) { throw e; diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java index 932beb31..0d3492a7 100644 
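Review bot: The stream from `certFile.getInputStream()` passed to `generateCertificate` is never closed, neither on the success path nor when `generateCertificate` throws, so each initialization leaks a file handle; wrap it in try-with-resources: `try (InputStream in = certFile.getInputStream()) { return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in); }` (add the `java.io.InputStream` import if the file lacks it). The method's contract also changed: a null return now means the property is unset and, per the new info message, server trust falls back to the system trust store instead of the pinned certificate, which the Javadoc above the hunk should state, e.g. `@return the configured trusted server certificate, or {@code null} if CONFIG_PROP_HSM_FACADE_SSLTRUST is not set`. Because the null branch is the one that widens the trust posture, the info message could name that consequence explicitly so an unintentionally unset property is easy to spot in logs. The method's remaining catch blocks continue past the end of the hunk.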
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java +++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java @@ -608,27 +608,7 @@ public class EaafKeyStoreFactoryTest { } } - @Test - @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) - public void hsmFacadeMissingTrustedCertificate() { - mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, - RandomStringUtils.randomNumeric(10)); - mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, - RandomStringUtils.randomNumeric(4)); - mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, - RandomStringUtils.randomNumeric(10)); - mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, - RandomStringUtils.randomAlphanumeric(10)); - try { - context.getBean(EaafKeyStoreFactory.class); - Assert.fail("Missing HSM Facade not detected"); - - } catch (final BeansException e) { - checkMissingConfigException(e); - - } - } @Test @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) 
@@ -730,6 +710,23 @@ public class EaafKeyStoreFactoryTest { @Test @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) + public void hsmFacadeWithOutTrustedCertificate() { + mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, + RandomStringUtils.randomNumeric(10)); + mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, + RandomStringUtils.randomNumeric(4)); + mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, + RandomStringUtils.randomNumeric(10)); + mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, + RandomStringUtils.randomAlphanumeric(10)); + + final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class); + Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized()); + + } + + @Test + @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) public void hsmFacadeHealthCheckNoProvider() { mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, RandomStringUtils.randomNumeric(10)); |
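Review bot: The test name `hsmFacadeWithOutTrustedCertificate` splits a word; `hsmFacadeWithoutTrustedCertificate` matches the naming of the neighbouring tests. The assertion on `isHsmFacadeInitialized()` shows the fallback path completes but not which init overload was invoked; if the dummy facade these tests run against records its arguments, asserting that the no-certificate variant was called would pin the behaviour this commit adds. The test class continues past the hunk.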