diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-06-15 15:00:12 +0200 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-06-15 15:00:12 +0200 |
commit | 43a86470cfb621226fbffa609640bdd4a5d381eb (patch) | |
tree | ffa7df4a6cb290160bcc11af6a39d8df0e743005 /eaaf_core_utils | |
parent | 2566ca181ff46eaa23c5c94baf9f2a81f1a9287f (diff) | |
parent | 8003717dc8fb8e5a51f2376f09e0ea740e6eca8f (diff) | |
download | EAAF-Components-43a86470cfb621226fbffa609640bdd4a5d381eb.tar.gz EAAF-Components-43a86470cfb621226fbffa609640bdd4a5d381eb.tar.bz2 EAAF-Components-43a86470cfb621226fbffa609640bdd4a5d381eb.zip |
Merge branch 'nightlyBuild' of gitlab.iaik.tugraz.at:egiz/eaaf_components into nightlyBuild
Diffstat (limited to 'eaaf_core_utils')
-rw-r--r-- | eaaf_core_utils/pom.xml | 2 | ||||
-rw-r--r-- | eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java | 116 |
2 files changed, 92 insertions, 26 deletions
diff --git a/eaaf_core_utils/pom.xml b/eaaf_core_utils/pom.xml index 9c9c20af..02c7839b 100644 --- a/eaaf_core_utils/pom.xml +++ b/eaaf_core_utils/pom.xml @@ -7,7 +7,7 @@ <parent> <groupId>at.gv.egiz</groupId> <artifactId>eaaf</artifactId> - <version>1.1.5-SNAPSHOT</version> + <version>1.1.6-SNAPSHOT</version> </parent> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_core_utils</artifactId> diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java index eafd8a04..81ebe1fe 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java @@ -162,42 +162,108 @@ public class HttpUtils { boolean trustAllServerCertificates, @Nonnull String friendlyName) throws EaafConfigurationException, EaafFactoryException { try { - log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString); - final char[] keyPassword = keyPasswordString == null ? StringUtils.EMPTY.toCharArray() - : keyPasswordString.toCharArray(); - SSLContextBuilder sslContextBuilder = SSLContexts.custom(); - if (keyStore.getSecond() != null) { - Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond()); - log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext", - friendlyName, provider.getName()); - sslContextBuilder.setProvider(provider); - - } - if (StringUtils.isNotEmpty(keyAlias)) { - sslContextBuilder = sslContextBuilder - .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias)); - - } else { - sslContextBuilder = sslContextBuilder - .loadKeyMaterial(keyStore.getFirst(), keyPassword); - } - - if (trustAllServerCertificates) { - log.warn("Http-client:{} trusts ALL TLS server-certificates!"); - final TrustStrategy trustStrategy = new TrustAllStrategy(); - sslContextBuilder = sslContextBuilder.loadTrustMaterial(trustStrategy); + injectKeyStore(sslContextBuilder, keyStore, keyAlias, keyPasswordString, friendlyName); + + injectTrustStore(sslContextBuilder, null, trustAllServerCertificates, friendlyName); + + return sslContextBuilder.build(); - } + } catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException + | KeyStoreException e) { + throw new EaafFactoryException(ERROR_03, new Object[] { friendlyName, e.getMessage() }, e); + } + } + + /** + * Initialize a {@link SSLContext} with a {@link KeyStore} that uses X509 Client + * authentication and a custom TrustStore as {@link KeyStore}. + * + * @param keyStore KeyStore with private keys that should be + * used + * @param keyAlias Alias of the key that should be used. If + * the alias is null, than the first key that + * is found will be selected. + * @param keyPasswordString Password of the Key in this keystore + * @param trustStore TrustStore with trusted SSL certificates + * @param trustAllServerCertificates Deactivate SSL server-certificate + * validation + * @param friendlyName FriendlyName of the http client for logging + * purposes + * @return {@link SSLContext} with X509 client authentication + * @throws EaafConfigurationException In case of a configuration error + * @throws EaafFactoryException In case of a {@link SSLContext} + * initialization error + */ + public static SSLContext buildSslContextWithSslClientAuthentication(@Nonnull final Pair<KeyStore, Provider> keyStore, + @Nullable String keyAlias, @Nullable String keyPasswordString, + @Nullable final Pair<KeyStore, Provider> trustStore, boolean trustAllServerCertificates, + @Nonnull String friendlyName) + throws EaafConfigurationException, EaafFactoryException { + try { + SSLContextBuilder sslContextBuilder = SSLContexts.custom(); + + injectKeyStore(sslContextBuilder, keyStore, keyAlias, keyPasswordString, friendlyName); + + injectTrustStore(sslContextBuilder, trustStore, trustAllServerCertificates, friendlyName); + return sslContextBuilder.build(); } catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException | KeyStoreException e) { throw new EaafFactoryException(ERROR_03, new Object[] { friendlyName, e.getMessage() }, e); + } + } + + private static void injectTrustStore(SSLContextBuilder sslContextBuilder, + Pair<KeyStore, Provider> trustStore, boolean trustAllServerCertificates, String friendlyName) + throws NoSuchAlgorithmException, KeyStoreException { + + TrustStrategy trustStrategy = null; + if (trustAllServerCertificates) { + log.warn("Http-client:{} trusts ALL TLS server-certificates!", friendlyName); + trustStrategy = new TrustAllStrategy(); + + } + + KeyStore trustStoreImpl = null; + if (trustStore != null) { + log.info("Http-client: {} uses custom TrustStore.", friendlyName); + trustStoreImpl = trustStore.getFirst(); + + } + + sslContextBuilder.loadTrustMaterial(trustStoreImpl, trustStrategy); + + } + + private static void injectKeyStore(SSLContextBuilder sslContextBuilder, Pair<KeyStore, Provider> keyStore, + String keyAlias, String keyPasswordString, String friendlyName) + throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { + if (keyStore.getSecond() != null) { + Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond()); + log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext", + friendlyName, provider.getName()); + sslContextBuilder.setProvider(provider); + + } + + log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString); + final char[] keyPassword = keyPasswordString == null ? StringUtils.EMPTY.toCharArray() + : keyPasswordString.toCharArray(); + + if (StringUtils.isNotEmpty(keyAlias)) { + sslContextBuilder + .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias)); + + } else { + sslContextBuilder.loadKeyMaterial(keyStore.getFirst(), keyPassword); + } + } } |