authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-17 17:54:04 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-17 17:54:04 +0100
commitf62bafa252e6e0dfaaa9ba4acbc34b47ee627e21 (patch)
treebd4f87cf6e131902e4f7637f4a36737e48748728 /eaaf_modules/eaaf_module_pvp2_core
parent7848c74de2cdafed8bee69d1d5b8e5efa7535bc6 (diff)
update EaafKeyStoreFactory to get the Security Provider if the KeyStore depends on a special provider implementation
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java58
1 files changed, 31 insertions, 27 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
index cd77228c..26a5c5f6 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
@@ -21,6 +21,7 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
import java.security.KeyStore;
import java.security.KeyStoreException;
+import java.security.Provider;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -31,24 +32,25 @@ import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.PostConstruct;
-import org.apache.commons.lang3.StringUtils;
-import org.apache.xml.security.algorithms.JCEMapper;
-import org.opensaml.security.credential.UsageType;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.core.io.ResourceLoader;
-
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider;
import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.xml.security.algorithms.JCEMapper;
+import org.opensaml.security.credential.UsageType;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.io.ResourceLoader;
+
import lombok.extern.slf4j.Slf4j;
@Slf4j
@@ -64,7 +66,7 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
@Autowired
private EaafKeyStoreFactory keyStoreFactory;
- private KeyStore keyStore = null;
+ private Pair<KeyStore, Provider> keyStore = null;
/**
* Get a friendlyName for this keyStore implementation This friendlyName is used
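Review bot: The field is still called `keyStore` but now holds a `Pair<KeyStore, Provider>`, so every `keyStore.getFirst()` and `keyStore.getSecond()` further down has to be decoded by the reader. Either rename it, for example to `keyStoreAndProvider`, or document it at the declaration with something like `// first: loaded KeyStore; second: Provider the KeyStore depends on, null if none`. The null meaning of the second element is inferred from the `getSecond() != null` checks later in this commit and should be confirmed against EaafKeyStoreFactory.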
@@ -75,10 +77,10 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
public final String getFriendlyName() {
try {
return getBasicKeyStoreConfig().getFriendlyName();
-
- } catch (EaafConfigurationException e) {
+
+ } catch (final EaafConfigurationException e) {
return "No KeyStoreName";
-
+
}
}
@@ -143,8 +145,9 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
@Override
public EaafX509Credential getMetaDataSigningCredential() throws CredentialsNotAvailableException {
try {
- final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore,
- getMetadataKeyAlias(), getPassCharArrayOrNull(getMetadataKeyPassword()), getFriendlyName());
+ final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(
+ keyStore.getFirst(), getMetadataKeyAlias(),
+ getPassCharArrayOrNull(getMetadataKeyPassword()), getFriendlyName());
credentials.setUsageType(UsageType.SIGNING);
credentials.setSignatureAlgorithmForSigning(selectSigningAlgorithm(credentials));
credentials.setKeyEncryptionAlgorithmForDataEncryption(selectKeyEncryptionAlgorithm(credentials));
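Review bot: `keyStore.getFirst()` dereferences a field that is initialised to `null` and only assigned in the init code further down, so calling this getter before initialisation, or after a failed one, now ends in a NullPointerException instead of handing a null KeyStore to the adapter constructor. Whether the catch clause (outside this hunk) turns that into a CredentialsNotAvailableException is not visible here. An explicit `if (keyStore == null)` guard that throws CredentialsNotAvailableException before the `try` would make the failure mode deliberate and keep it out of the signing path. The same dereference is added in getMessageSigningCredential, in the encryption-credential getter and in the trust-store loop below.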
@@ -167,8 +170,9 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
@Override
public EaafX509Credential getMessageSigningCredential() throws CredentialsNotAvailableException {
try {
- final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore,
- getSignatureKeyAlias(), getPassCharArrayOrNull(getSignatureKeyPassword()), getFriendlyName());
+ final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(
+ keyStore.getFirst(), getSignatureKeyAlias(),
+ getPassCharArrayOrNull(getSignatureKeyPassword()), getFriendlyName());
credentials.setUsageType(UsageType.SIGNING);
credentials.setSignatureAlgorithmForSigning(selectSigningAlgorithm(credentials));
credentials.setKeyEncryptionAlgorithmForDataEncryption(selectKeyEncryptionAlgorithm(credentials));
@@ -196,8 +200,9 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
}
try {
- final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore,
- getEncryptionKeyAlias(), getPassCharArrayOrNull(getEncryptionKeyPassword()), getFriendlyName());
+ final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(
+ keyStore.getFirst(), getEncryptionKeyAlias(),
+ getPassCharArrayOrNull(getEncryptionKeyPassword()), getFriendlyName());
credentials.setUsageType(UsageType.ENCRYPTION);
credentials.setSignatureAlgorithmForSigning(selectSigningAlgorithm(credentials));
credentials.setKeyEncryptionAlgorithmForDataEncryption(selectKeyEncryptionAlgorithm(credentials));
@@ -226,12 +231,12 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
final List<X509Certificate> result = new ArrayList<>();
try {
- final Enumeration<String> aliases = keyStore.aliases();
+ final Enumeration<String> aliases = keyStore.getFirst().aliases();
while (aliases.hasMoreElements()) {
final String el = aliases.nextElement();
log.trace("Process TrustStoreEntry: " + el);
- if (keyStore.isCertificateEntry(el)) {
- final Certificate cert = keyStore.getCertificate(el);
+ if (keyStore.getFirst().isCertificateEntry(el)) {
+ final Certificate cert = keyStore.getFirst().getCertificate(el);
if (cert != null && cert instanceof X509Certificate) {
result.add((X509Certificate) cert);
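Review bot: `keyStore.getFirst()` is now repeated three times inside this loop; resolving it once before the `try`, as `final KeyStore trustStore = keyStore.getFirst();`, and using `trustStore.aliases()`, `trustStore.isCertificateEntry(el)` and `trustStore.getCertificate(el)` reads better. It also guarantees that all three calls operate on the same KeyStore instance. The enclosing method starts and ends outside this hunk.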
@@ -257,10 +262,10 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
final KeyStoreConfiguration keyStoreConfig = getBasicKeyStoreConfig();
keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
- if (JCEMapper.getProviderId() != null
- && !JCEMapper.getProviderId().equals(keyStore.getProvider().getName())) {
+ if (JCEMapper.getProviderId() != null && keyStore.getSecond() != null
+ && !JCEMapper.getProviderId().equals(keyStore.getSecond().getName())) {
log.error("OpenSAML3.x can ONLY use a single type of CryptoProvider in an application. "
- + "Can NOT set: {}, because {} was already set", keyStore.getProvider().getName(),
+ + "Can NOT set: {}, because {} was already set", keyStore.getSecond().getName(),
JCEMapper.getProviderId());
throw new EaafConfigurationException(EaafKeyStoreFactory.ERRORCODE_06,
new Object[] { keyStoreConfig.getFriendlyName(),
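Review bot: The added `keyStore.getSecond() != null` term skips the single-provider check whenever the factory returns no provider. A keystore without a dedicated provider that is loaded after another provider was registered in JCEMapper is therefore accepted silently, whereas the old code compared `keyStore.getProvider().getName()` and failed with ERRORCODE_06 on any mismatch. If that combination is intended to work, a comment above the condition should say so; otherwise it deserves at least a warning, for example `log.warn("KeyStore {} has no dedicated provider, but {} is already registered", keyStoreConfig.getFriendlyName(), JCEMapper.getProviderId());`. The `throw` statement continues past the end of this hunk.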
@@ -271,12 +276,11 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
// Set JCEMapper only in case of HSM based KeyStores because Software KeyStores
// can use
// the default SecurityProvider system in OpenSAML3.x signing engine
- if (!KeyStoreType.JKS.equals(keyStoreConfig.getKeyStoreType())
- && !KeyStoreType.PKCS12.equals(keyStoreConfig.getKeyStoreType())
+ if (keyStore.getSecond() != null
&& JCEMapper.getProviderId() == null) {
log.info("Register CryptoProvider: {} as defaut for OpenSAML3.x",
- keyStore.getProvider().getName());
- JCEMapper.setProviderId(keyStore.getProvider().getName());
+ keyStore.getSecond().getName());
+ JCEMapper.setProviderId(keyStore.getSecond().getName());
}
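Review bot: The comment above this condition still describes the decision as "only in case of HSM based KeyStores", but the new test is `keyStore.getSecond() != null`, which means "the factory returned a provider" and no longer looks at the keystore type. The comment should be updated to match, for example `// Register the provider in JCEMapper only if the KeyStore factory returned one; KeyStores without a dedicated provider use the default provider lookup`. It is also worth stating there that `JCEMapper.setProviderId` is process-wide, so the first keystore with a provider fixes the choice for every later one.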