authorThomas <>2023-07-12 10:13:44 +0200
committerThomas <>2023-07-12 10:13:44 +0200
commite0f7b2c41f66038dc6438b3cc6da14a1422ccf43 (patch)
treef2ca69eb5b058f4253aa9db4940d528d4ee72f16
parent25ae045ff811ed39638e5366f7d53f3776f0d436 (diff)
feat(hsm-facade): make trusted SSL-certificate optional for HSM-Facade initialization
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java54
-rw-r--r--eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java37
2 files changed, 54 insertions, 37 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
index fec984c4..0ecdcc92 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
@@ -288,17 +288,29 @@ public class EaafKeyStoreFactory {
final long grpcDeadline = getConfigurationParameterLong(CONFIG_PROP_HSM_FACADE_GRPC_DEADLINE,
HSM_FACADE_DEFAULT_DEADLINE);
+ X509Certificate trustedSslCertificate = getHsmFacadeTrustSslCertificate();
//initialize HSM-Facade by using JAVA Reflection, because in that case HSM-Facade
//has not be in ClassPath on every project
final Method constructor = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, new Class[]{});
- final Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT,
+ final Method initMethodWithSslCert = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT,
X509Certificate.class, String.class, String.class, String.class, int.class, long.class);
- if (initMethod != null && constructor != null) {
+ final Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT,
+ String.class, String.class, String.class, int.class, long.class);
+ if (initMethodWithSslCert != null && initMethod != null && constructor != null) {
final Object rawProvider = constructor.invoke(hsmProviderClazz);
- initMethod.invoke(
- rawProvider, getHsmFacadeTrustSslCertificate(),
- clientUsername, clientPassword, hsmFacadeHost, port, grpcDeadline);
+
+ if (trustedSslCertificate != null) {
+ log.trace("Invoking HSM-Facade constructor with SSL certificate ... ");
+ initMethodWithSslCert.invoke(rawProvider, trustedSslCertificate, clientUsername, clientPassword,
+ hsmFacadeHost, port, grpcDeadline);
+
+ } else {
+ log.trace("Invoking HSM-Facade constructor without SSL certificate ... ");
+ initMethod.invoke(rawProvider, clientUsername, clientPassword,
+ hsmFacadeHost, port, grpcDeadline);
+
+ }
if (rawProvider instanceof Provider) {
Security.addProvider((Provider) rawProvider);
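Review bot: The null checks on the three `Method` handles in the new `if (initMethodWithSslCert != null && initMethod != null && constructor != null)` are dead code, because `Class.getMethod` throws `NoSuchMethodException` rather than returning null, so the fallback branch that logs HSM_FACADE_PROVIDER_INIT_ERROR_MSG (the hunk at @@ -318, which now also reports only `initMethodWithSslCert`) is unreachable. Resolving both `init` overloads eagerly also means a facade build that only exposes the certificate-taking overload now fails with NoSuchMethodException even when a trusted certificate is configured, whereas the previous code needed only that one overload; it is not visible here whether that exception is caught further up. Look up only the overload selected by `trustedSslCertificate` (e.g. `final Method initMethod = trustedSslCertificate != null ? hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT, X509Certificate.class, String.class, String.class, String.class, int.class, long.class) : hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT, String.class, String.class, String.class, int.class, long.class);`) and then branch the invoke on the same condition. The enclosing method starts and ends outside the hunk.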
@@ -318,7 +330,7 @@ public class EaafKeyStoreFactory {
log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG,
HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, constructor != null);
log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG,
- HSM_FACADE_PROVIDER_METHOD_INIT, initMethod != null);
+ HSM_FACADE_PROVIDER_METHOD_INIT, initMethodWithSslCert != null);
throw new EaafException(ERRORCODE_10, new Object[] {HSM_FACADE_PROVIDER_CLASS});
}
@@ -527,21 +539,29 @@ public class EaafKeyStoreFactory {
private X509Certificate getHsmFacadeTrustSslCertificate() throws EaafConfigurationException {
try {
- final String certFilePath = getConfigurationParameter(CONFIG_PROP_HSM_FACADE_SSLTRUST);
+ final String certFilePath = basicConfig.getBasicConfiguration(CONFIG_PROP_HSM_FACADE_SSLTRUST);
+ if (StringUtils.isNotEmpty(certFilePath)) {
+ final String absolutCertFilePath = FileUtils.makeAbsoluteUrl(
+ certFilePath, basicConfig.getConfigurationRootDirectory());
- final String absolutCertFilePath = FileUtils.makeAbsoluteUrl(
- certFilePath, basicConfig.getConfigurationRootDirectory());
- final Resource certFile = resourceLoader.getResource(absolutCertFilePath);
+ log.debug("Loading HSM-Facade trusted server-certificate from path : {}", absolutCertFilePath);
+ final Resource certFile = resourceLoader.getResource(absolutCertFilePath);
- if (!certFile.exists()) {
- throw new EaafConfigurationException(ERRORCODE_05,
- new Object[] { CONFIG_PROP_HSM_FACADE_SSLTRUST,
- "File not found at: " + absolutCertFilePath });
+ if (!certFile.exists()) {
+ throw new EaafConfigurationException(ERRORCODE_05,
+ new Object[] { CONFIG_PROP_HSM_FACADE_SSLTRUST,
+ "File not found at: " + absolutCertFilePath });
- }
+ }
+
+ return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(
+ certFile.getInputStream());
- return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certFile
- .getInputStream());
+ } else {
+ log.info("HSM-Facade trusted server-certificate is not set. Using System-TrustStore ... ");
+ return null;
+
+ }
} catch (final EaafConfigurationException e) {
throw e;
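Review bot: The `InputStream` returned by `certFile.getInputStream()` at the new return statement is never closed after `generateCertificate`; use try-with-resources: `try (InputStream certIn = certFile.getInputStream()) {` / `return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certIn);` / `}` (requires `java.io.InputStream` to be imported if it is not already). The new else-branch makes an absent or empty CONFIG_PROP_HSM_FACADE_SSLTRUST value fall back to the system trust store at `info` level, which silently drops the server-certificate pinning that the removed test `hsmFacadeMissingTrustedCertificate` previously required; log that fallback at `warn` and state in the method's Javadoc that a null return means the HSM-Facade server certificate is not pinned. `StringUtils.isNotEmpty` also treats a whitespace-only value as a configured path, so `isNotBlank` matches the intent better. The method's catch block continues past the end of the hunk.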
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java
index 932beb31..0d3492a7 100644
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java
@@ -608,27 +608,7 @@ public class EaafKeyStoreFactoryTest {
}
}
- @Test
- @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
- public void hsmFacadeMissingTrustedCertificate() {
- mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST,
- RandomStringUtils.randomNumeric(10));
- mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT,
- RandomStringUtils.randomNumeric(4));
- mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME,
- RandomStringUtils.randomNumeric(10));
- mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD,
- RandomStringUtils.randomAlphanumeric(10));
- try {
- context.getBean(EaafKeyStoreFactory.class);
- Assert.fail("Missing HSM Facade not detected");
-
- } catch (final BeansException e) {
- checkMissingConfigException(e);
-
- }
- }
@Test
@DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
@@ -730,6 +710,23 @@ public class EaafKeyStoreFactoryTest {
@Test
@DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
+ public void hsmFacadeWithOutTrustedCertificate() {
+ mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST,
+ RandomStringUtils.randomNumeric(10));
+ mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT,
+ RandomStringUtils.randomNumeric(4));
+ mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME,
+ RandomStringUtils.randomNumeric(10));
+ mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD,
+ RandomStringUtils.randomAlphanumeric(10));
+
+ final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class);
+ Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized());
+
+ }
+
+ @Test
+ @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
public void hsmFacadeHealthCheckNoProvider() {
mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST,
RandomStringUtils.randomNumeric(10));