summaryrefslogtreecommitdiff
path: root/eaaf_core_utils
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-17 17:54:04 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-17 17:54:04 +0100
commitf62bafa252e6e0dfaaa9ba4acbc34b47ee627e21 (patch)
treebd4f87cf6e131902e4f7637f4a36737e48748728 /eaaf_core_utils
parent7848c74de2cdafed8bee69d1d5b8e5efa7535bc6 (diff)
downloadEAAF-Components-f62bafa252e6e0dfaaa9ba4acbc34b47ee627e21.tar.gz
EAAF-Components-f62bafa252e6e0dfaaa9ba4acbc34b47ee627e21.tar.bz2
EAAF-Components-f62bafa252e6e0dfaaa9ba4acbc34b47ee627e21.zip
update EaafKeyStoreFactory to get the Security Provider if the KeyStore depends on a special provider implementation
Diffstat (limited to 'eaaf_core_utils')
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java35
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java29
-rw-r--r--eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java48
3 files changed, 68 insertions, 44 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
index 5e6ca34b..5936e106 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
@@ -2,10 +2,12 @@ package at.gv.egiz.eaaf.core.impl.credential;
import java.io.IOException;
import java.io.InputStream;
+import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
+import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
@@ -15,11 +17,6 @@ import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.PostConstruct;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.ResourceLoader;
-
import at.asitplus.hsmfacade.provider.HsmFacadeProvider;
import at.asitplus.hsmfacade.provider.RemoteKeyStoreLoadParameter;
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
@@ -27,8 +24,15 @@ import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+
import lombok.extern.slf4j.Slf4j;
@Slf4j
@@ -64,10 +68,12 @@ public class EaafKeyStoreFactory {
* Get a new KeyStore based on a KeyStore configuration-object.
*
* @param config KeyStore configuration
- * @return new KeyStore instance
+ * @return {@link Pair} of a new KeyStore instance and an optional {@link Provider}. If the {@link Provider}
+ * is not <code>null</code> this {@link KeyStore} requires a specific {@link Provider} for {@link Key} operations.
* @throws EaafException In case of a KeyStore initialization error
*/
- public KeyStore buildNewKeyStore(KeyStoreConfiguration config) throws EaafException {
+ @Nonnull
+ public Pair<KeyStore, Provider> buildNewKeyStore(KeyStoreConfiguration config) throws EaafException {
log.trace("Starting KeyStore generation based on configuration object ... ");
if (KeyStoreType.PKCS12.equals(config.getKeyStoreType())
|| KeyStoreType.JKS.equals(config.getKeyStoreType())) {
@@ -127,7 +133,8 @@ public class EaafKeyStoreFactory {
final HsmFacadeProvider provider = HsmFacadeProvider.Companion.getInstance();
provider.init(getHsmFacadeTrustSslCertificate(), clientUsername, clientPassword, hsmFacadeHost, port,
hsmName);
- Security.addProvider(provider);
+ //Security.addProvider(provider);
+ Security.insertProviderAt(provider, 0);
isHsmFacadeInitialized = true;
log.info("HSM Facade is initialized. {} can provide KeyStores based on remote HSM",
EaafKeyStoreFactory.class.getSimpleName());
@@ -148,8 +155,9 @@ public class EaafKeyStoreFactory {
}
- private KeyStore getKeyStoreFromFileSystem(KeyStoreConfiguration config) throws EaafConfigurationException,
- EaafFactoryException {
+ @Nonnull
+ private Pair<KeyStore, Provider> getKeyStoreFromFileSystem(KeyStoreConfiguration config)
+ throws EaafConfigurationException, EaafFactoryException {
try {
final String keyStorePath = checkConfigurationParameter(config.getSoftKeyStoreFilePath(),
ERRORCODE_06, config.getFriendlyName(), "Software-KeyStore missing filepath to KeyStore");
@@ -176,7 +184,7 @@ public class EaafKeyStoreFactory {
}
- return keyStore;
+ return Pair.newInstance(keyStore, null);
} catch (KeyStoreException | IOException e) {
log.error("Software KeyStore initialization FAILED with an generic error.", e);
@@ -185,7 +193,8 @@ public class EaafKeyStoreFactory {
}
}
- private KeyStore getKeyStoreFromHsmFacade(KeyStoreConfiguration config)
+ @Nonnull
+ private Pair<KeyStore, Provider> getKeyStoreFromHsmFacade(KeyStoreConfiguration config)
throws EaafFactoryException, EaafConfigurationException {
final String keyStoreName = checkConfigurationParameter(config.getKeyStoreName(),
ERRORCODE_06, config.getFriendlyName(), "KeyStoreName missing for HSM Facade");
@@ -193,7 +202,7 @@ public class EaafKeyStoreFactory {
try {
final KeyStore keyStore = KeyStore.getInstance(HSM_FACADE_KEYSTORE_TYPE, HSM_FACADE_PROVIDER);
keyStore.load(new RemoteKeyStoreLoadParameter(keyStoreName));
- return keyStore;
+ return Pair.newInstance(keyStore, keyStore.getProvider());
} catch (NoSuchAlgorithmException | CertificateException | IOException | KeyStoreException
| NoSuchProviderException e) {
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java
index ade0c28d..e681e705 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java
@@ -10,6 +10,13 @@ import javax.annotation.PostConstruct;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
@@ -38,12 +45,6 @@ import org.apache.http.ssl.SSLContexts;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.io.ResourceLoader;
-import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
import lombok.extern.slf4j.Slf4j;
@Slf4j
@@ -51,10 +52,10 @@ public class HttpClientFactory implements IHttpClientFactory {
@Autowired(required = true)
private IConfiguration basicConfig;
-
+
@Autowired(required = true)
ResourceLoader resourceLoader;
-
+
@Autowired private EaafKeyStoreFactory keyStoreFactory;
public static final String PROP_CONFIG_CLIENT_HTTP_CONNECTION_POOL_USE =
@@ -79,7 +80,7 @@ public class HttpClientFactory implements IHttpClientFactory {
"client.auth.ssl.keystore.path";
public static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_PASSORD =
"client.auth.ssl.keystore.password";
- private static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_NAME =
+ private static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_NAME =
"client.auth.ssl.keystore.name";
public static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_TYPE =
"client.auth.ssl.keystore.type";
@@ -269,18 +270,18 @@ public class HttpClientFactory implements IHttpClientFactory {
.getBasicConfiguration(PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_NAME, StringUtils.EMPTY);
try {
- KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
+ final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
keyStoreConfig.setKeyStoreType(keyStoreType);
keyStoreConfig.setFriendlyName("HttpClient Keystore");
keyStoreConfig.setSoftKeyStoreFilePath(localKeyStorePath);
keyStoreConfig.setSoftKeyStorePassword(keyStorePassword);
keyStoreConfig.setKeyStoreName(keyStoreName);
-
+
log.debug("Open keyStore with type: {}", keyStoreType);
- KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
-
+ final KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig).getFirst();
+
return keyStore;
-
+
} catch (final EaafException e) {
log.warn("Can NOT read keyStore: {} from filesystem", localKeyStorePath, null, e);
throw new EaafConfigurationException("Can NOT read keyStore: {} from filesystem",
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java
index 01c3d6f1..5b6b8170 100644
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java
@@ -3,6 +3,7 @@ package at.gv.egiz.eaaf.core.test.credentials;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
+import java.security.Provider;
import java.security.cert.X509Certificate;
import java.util.List;
@@ -210,8 +211,10 @@ public class EaafKeyStoreFactoryTest {
keyStoreConfig.setSoftKeyStoreFilePath(PATH_TO_SOFTWARE_KEYSTORE_JKS);
keyStoreConfig.setSoftKeyStorePassword(SOFTWARE_KEYSTORE_PASSWORD);
- final KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+ final Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
Assert.assertNotNull("KeyStore is null", keyStore);
+ Assert.assertNotNull("KeyStore is null", keyStore.getFirst());
+ Assert.assertNull("KeyStore is null", keyStore.getSecond());
}
@@ -274,8 +277,10 @@ public class EaafKeyStoreFactoryTest {
keyStoreConfig.validate();
- final KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+ final Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
Assert.assertNotNull("KeyStore is null", keyStore);
+ Assert.assertNotNull("KeyStore is null", keyStore.getFirst());
+ Assert.assertNull("KeyStore is null", keyStore.getSecond());
}
@@ -292,24 +297,26 @@ public class EaafKeyStoreFactoryTest {
keyStoreConfig.validate();
- final KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+ final Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
Assert.assertNotNull("KeyStore is null", keyStore);
+ Assert.assertNotNull("KeyStore is null", keyStore.getFirst());
+ Assert.assertNull("KeyStore is null", keyStore.getSecond());
//read trusted certs
- final List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(keyStore);
+ final List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(keyStore.getFirst());
Assert.assertNotNull("Trusted certs", trustedCerts);
Assert.assertEquals("Trusted certs size", 2, trustedCerts.size());
//read priv. key
final Pair<Key, X509Certificate[]> privCred1 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
- keyStore, "meta", "password".toCharArray(), true, "jUnit test");
+ keyStore.getFirst(), "meta", "password".toCharArray(), true, "jUnit test");
Assert.assertNotNull("Credential 1", privCred1);
Assert.assertNotNull("Credential 1 priv. key", privCred1.getFirst());
Assert.assertNotNull("Credential 1 certificate", privCred1.getSecond());
//read priv. key
final Pair<Key, X509Certificate[]> privCred2 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
- keyStore, "sig", "password".toCharArray(), true, "jUnit test");
+ keyStore.getFirst(), "sig", "password".toCharArray(), true, "jUnit test");
Assert.assertNotNull("Credential 2", privCred2);
Assert.assertNotNull("Credential 2 priv. key", privCred2.getFirst());
Assert.assertNotNull("Credential 2 certificate", privCred2.getSecond());
@@ -317,17 +324,17 @@ public class EaafKeyStoreFactoryTest {
//read priv. key
final Pair<Key, X509Certificate[]> privCred3 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
- keyStore, "notexist", "password".toCharArray(), false, "jUnit test");
+ keyStore.getFirst(), "notexist", "password".toCharArray(), false, "jUnit test");
Assert.assertNull("Credential 3", privCred3);
//read priv. key
final Pair<Key, X509Certificate[]> privCred4 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
- keyStore, "meta", "wrong".toCharArray(), false, "jUnit test");
+ keyStore.getFirst(), "meta", "wrong".toCharArray(), false, "jUnit test");
Assert.assertNull("Credential 3", privCred4);
try {
EaafKeyStoreUtils.getPrivateKeyAndCertificates(
- keyStore, "meta", "wrong".toCharArray(), true, "jUnit test");
+ keyStore.getFirst(), "meta", "wrong".toCharArray(), true, "jUnit test");
Assert.fail("Wrong password not detected");
} catch (final EaafKeyAccessException e) {
@@ -336,7 +343,7 @@ public class EaafKeyStoreFactoryTest {
try {
EaafKeyStoreUtils.getPrivateKeyAndCertificates(
- keyStore, "wrong", "password".toCharArray(), true, "jUnit test");
+ keyStore.getFirst(), "wrong", "password".toCharArray(), true, "jUnit test");
Assert.fail("Wrong alias not detected");
} catch (final EaafKeyAccessException e) {
@@ -359,8 +366,10 @@ public class EaafKeyStoreFactoryTest {
keyStoreConfig.validate();
- final KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+ final Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
Assert.assertNotNull("KeyStore is null", keyStore);
+ Assert.assertNotNull("KeyStore is null", keyStore.getFirst());
+ Assert.assertNull("KeyStore is null", keyStore.getSecond());
}
@@ -593,8 +602,10 @@ public class EaafKeyStoreFactoryTest {
keyStoreConfig.validate();
try {
- final KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+ final Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
Assert.assertNotNull("KeyStore is null", keyStore);
+ Assert.assertNotNull("KeyStore is null", keyStore.getFirst());
+ Assert.assertNotNull("KeyStore is null", keyStore.getSecond());
} catch (final StatusRuntimeException e) {
// because there is no mockup of HSM facade available
@@ -618,31 +629,34 @@ public class EaafKeyStoreFactoryTest {
keyStoreConfig.validate();
- final KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+ final Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
Assert.assertNotNull("KeyStore is null", keyStore);
+ Assert.assertNotNull("KeyStore is null", keyStore.getFirst());
+ Assert.assertNotNull("KeyStore is null", keyStore.getSecond());
//read trusted certs
- final List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(keyStore);
+ final List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(
+ keyStore.getFirst());
Assert.assertNotNull("Trusted certs", trustedCerts);
Assert.assertEquals("Trusted certs size", 0, trustedCerts.size());
//read priv. key
final Pair<Key, X509Certificate[]> privCred1 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
- keyStore, HSM_FACADE_KEY_ALIAS, null, true, "jUnit test");
+ keyStore.getFirst(), HSM_FACADE_KEY_ALIAS, null, true, "jUnit test");
Assert.assertNotNull("Credential 1", privCred1);
Assert.assertNotNull("Credential 1 priv. key", privCred1.getFirst());
Assert.assertNotNull("Credential 1 certificate", privCred1.getSecond());
//read priv. key
final Pair<Key, X509Certificate[]> privCred2 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
- keyStore, HSM_FACADE_KEY_ALIAS, "shouldBeIgnord".toCharArray(), true, "jUnit test");
+ keyStore.getFirst(), HSM_FACADE_KEY_ALIAS, "shouldBeIgnord".toCharArray(), true, "jUnit test");
Assert.assertNotNull("Credential 2", privCred2);
Assert.assertNotNull("Credential 2 priv. key", privCred2.getFirst());
Assert.assertNotNull("Credential 2 certificate", privCred2.getSecond());
try {
EaafKeyStoreUtils.getPrivateKeyAndCertificates(
- keyStore, "notExist", "wrong".toCharArray(), true, "jUnit test");
+ keyStore.getFirst(), "notExist", "wrong".toCharArray(), true, "jUnit test");
Assert.fail("Wrong password not detected");
} catch (final EaafKeyAccessException e) {