summaryrefslogtreecommitdiff
path: root/eaaf_core_utils
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-05-05 14:58:38 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-05-05 14:58:38 +0200
commit36fafda8e3b953d3d1cba91efeb4fc82388b0445 (patch)
treee0c6c7833a9d71404bc9a62277716e5bea9d036c /eaaf_core_utils
parent49cb8adfd8992dc8d21ff208d8dd93e0592e1be4 (diff)
downloadEAAF-Components-36fafda8e3b953d3d1cba91efeb4fc82388b0445.tar.gz
EAAF-Components-36fafda8e3b953d3d1cba91efeb4fc82388b0445.tar.bz2
EAAF-Components-36fafda8e3b953d3d1cba91efeb4fc82388b0445.zip
finish SSLContext creation by using KeyStore from HSM-Facade
Diffstat (limited to 'eaaf_core_utils')
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java11
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java10
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java8
-rw-r--r--eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java27
4 files changed, 28 insertions, 28 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java
index 1e1e2137..d2377d69 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java
@@ -33,18 +33,23 @@ public class EaafSslKeySelectionStrategy implements PrivateKeyStrategy {
@Override
public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
log.trace("Selection SSL client-auth key for alias: {}", keyAlias);
+ if (aliases.keySet().isEmpty()) {
+ log.debug("No Key with Alias: {} in empty KeyStore", keyAlias);
+ return null;
+
+ }
+
final PrivateKeyDetails selected = aliases.get(keyAlias);
if (selected != null) {
log.trace("Select SL client-auth key with type:", selected.getType());
return keyAlias;
- } else {
+ } else {
log.warn("KeyStore contains NO key with alias: {}. Using first key from keystore", keyAlias);
log.info("Available aliases: {}", StringUtils.join(aliases.keySet(), ", "));
return aliases.keySet().iterator().next();
-
+
}
-
}
}
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java
index 582ad545..6a66dfff 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java
@@ -5,11 +5,11 @@ import java.util.UUID;
import javax.annotation.Nonnull;
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-
import org.apache.commons.lang3.StringUtils;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
import lombok.Getter;
import lombok.Setter;
import lombok.extern.slf4j.Slf4j;
@@ -117,7 +117,9 @@ public class HttpClientConfiguration {
}
- if (StringUtils.isEmpty(this.sslKeyPassword)) {
+ if (StringUtils.isEmpty(this.sslKeyPassword)
+ && (KeyStoreType.JKS.equals(keyStoreConfig.getKeyStoreType())
+ || KeyStoreType.PKCS12.equals(keyStoreConfig.getKeyStoreType()))) {
throw new EaafConfigurationException(ERROR_02, new Object[] {
this.friendlyName, this.keyStoreConfig.getFriendlyName()});
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
index b357bb01..eafd8a04 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
@@ -23,7 +23,6 @@ import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
-import java.security.Security;
import java.security.UnrecoverableKeyException;
import javax.annotation.Nonnull;
@@ -168,16 +167,14 @@ public class HttpUtils {
: keyPasswordString.toCharArray();
SSLContextBuilder sslContextBuilder = SSLContexts.custom();
- if (keyStore.getSecond() != null) {
+ if (keyStore.getSecond() != null) {
Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond());
-
log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext",
friendlyName, provider.getName());
sslContextBuilder.setProvider(provider);
- Security.addProvider(provider);
- //sslContextBuilder.setSecureRandom(SecureRandom.getInstanceStrong());
}
+
if (StringUtils.isNotEmpty(keyAlias)) {
sslContextBuilder = sslContextBuilder
.loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias));
@@ -185,7 +182,6 @@ public class HttpUtils {
} else {
sslContextBuilder = sslContextBuilder
.loadKeyMaterial(keyStore.getFirst(), keyPassword);
-
}
if (trustAllServerCertificates) {
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
index 140c74f5..72ec7008 100644
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
@@ -332,30 +332,27 @@ public class HttpClientFactoryTest {
@Test
public void getCustomClientX509AuthWithHsmFacade() throws EaafException, ClientProtocolException,
IOException, KeyStoreException {
- final HttpClientConfiguration config = new HttpClientConfiguration("jUnit");
- config.setAuthMode("ssl");
- config.buildKeyStoreConfig(
- "hsmfacade",
- null,
- null,
- "authhandler");
- config.setSslKeyPassword("password");
- config.setSslKeyAlias("authhandler-sign");
- config.setDisableTlsHostCertificateValidation(true);
+ final HttpClientConfiguration clientConfig = new HttpClientConfiguration("jUnit-client");
+ clientConfig.setAuthMode("ssl");
+ clientConfig.buildKeyStoreConfig("hsmfacade", null, null, "authhandler");
+ clientConfig.setSslKeyAlias("authhandler-sign");
+ clientConfig.setDisableTlsHostCertificateValidation(true);
- final CloseableHttpClient client = httpClientFactory.getHttpClient(config);
+
+
+ final CloseableHttpClient client = httpClientFactory.getHttpClient(clientConfig);
Assert.assertNotNull("httpClient", client);
//set-up mock-up web-server with SSL client authentication
final Pair<KeyStore, Provider> sslClientKeyStore =
- keyStoreFactory.buildNewKeyStore(config.getKeyStoreConfig());
+ keyStoreFactory.buildNewKeyStore(clientConfig.getKeyStoreConfig());
+ X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst()
+ .getCertificateChain(clientConfig.getSslKeyAlias())[1];
+
final String localhost = InetAddress.getByName("localhost").getCanonicalHostName();
final HeldCertificate localhostCertificate = new HeldCertificate.Builder()
.addSubjectAlternativeName(localhost)
.build();
- X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst()
- .getCertificateChain(config.getSslKeyAlias())[1];
-
final HandshakeCertificates serverCertificates = new HandshakeCertificates.Builder()
.addTrustedCertificate(clientRootCert)
.heldCertificate(localhostCertificate)