diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-02-17 17:54:04 +0100 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-02-17 17:54:04 +0100 |
commit | f62bafa252e6e0dfaaa9ba4acbc34b47ee627e21 (patch) | |
tree | bd4f87cf6e131902e4f7637f4a36737e48748728 /eaaf_modules/eaaf_module_pvp2_core | |
parent | 7848c74de2cdafed8bee69d1d5b8e5efa7535bc6 (diff) | |
download | EAAF-Components-f62bafa252e6e0dfaaa9ba4acbc34b47ee627e21.tar.gz EAAF-Components-f62bafa252e6e0dfaaa9ba4acbc34b47ee627e21.tar.bz2 EAAF-Components-f62bafa252e6e0dfaaa9ba4acbc34b47ee627e21.zip |
update EaafKeyStoreFactory to get the Security Provider if the KeyStore depends on a special provider implementation
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core')
-rw-r--r-- | eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java | 58 |
1 files changed, 31 insertions, 27 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java index cd77228c..26a5c5f6 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java @@ -21,6 +21,7 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.utils; import java.security.KeyStore; import java.security.KeyStoreException; +import java.security.Provider; import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -31,24 +32,25 @@ import java.util.List; import javax.annotation.Nonnull; import javax.annotation.PostConstruct; -import org.apache.commons.lang3.StringUtils; -import org.apache.xml.security.algorithms.JCEMapper; -import org.opensaml.security.credential.UsageType; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.core.io.ResourceLoader; - import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider; import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter; + +import org.apache.commons.lang3.StringUtils; +import org.apache.xml.security.algorithms.JCEMapper; +import org.opensaml.security.credential.UsageType; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.core.io.ResourceLoader; + import lombok.extern.slf4j.Slf4j; @Slf4j @@ -64,7 +66,7 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi @Autowired private EaafKeyStoreFactory keyStoreFactory; - private KeyStore keyStore = null; + private Pair<KeyStore, Provider> keyStore = null; /** * Get a friendlyName for this keyStore implementation This friendlyName is used @@ -75,10 +77,10 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi public final String getFriendlyName() { try { return getBasicKeyStoreConfig().getFriendlyName(); - - } catch (EaafConfigurationException e) { + + } catch (final EaafConfigurationException e) { return "No KeyStoreName"; - + } } @@ -143,8 +145,9 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi @Override public EaafX509Credential getMetaDataSigningCredential() throws CredentialsNotAvailableException { try { - final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore, - getMetadataKeyAlias(), getPassCharArrayOrNull(getMetadataKeyPassword()), getFriendlyName()); + final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter( + keyStore.getFirst(), getMetadataKeyAlias(), + getPassCharArrayOrNull(getMetadataKeyPassword()), getFriendlyName()); credentials.setUsageType(UsageType.SIGNING); credentials.setSignatureAlgorithmForSigning(selectSigningAlgorithm(credentials)); credentials.setKeyEncryptionAlgorithmForDataEncryption(selectKeyEncryptionAlgorithm(credentials)); @@ -167,8 +170,9 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi @Override public EaafX509Credential getMessageSigningCredential() throws CredentialsNotAvailableException { try { - final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore, - getSignatureKeyAlias(), getPassCharArrayOrNull(getSignatureKeyPassword()), getFriendlyName()); + final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter( + keyStore.getFirst(), getSignatureKeyAlias(), + getPassCharArrayOrNull(getSignatureKeyPassword()), getFriendlyName()); credentials.setUsageType(UsageType.SIGNING); credentials.setSignatureAlgorithmForSigning(selectSigningAlgorithm(credentials)); credentials.setKeyEncryptionAlgorithmForDataEncryption(selectKeyEncryptionAlgorithm(credentials)); @@ -196,8 +200,9 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi } try { - final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore, - getEncryptionKeyAlias(), getPassCharArrayOrNull(getEncryptionKeyPassword()), getFriendlyName()); + final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter( + keyStore.getFirst(), getEncryptionKeyAlias(), + getPassCharArrayOrNull(getEncryptionKeyPassword()), getFriendlyName()); credentials.setUsageType(UsageType.ENCRYPTION); credentials.setSignatureAlgorithmForSigning(selectSigningAlgorithm(credentials)); credentials.setKeyEncryptionAlgorithmForDataEncryption(selectKeyEncryptionAlgorithm(credentials)); @@ -226,12 +231,12 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi final List<X509Certificate> result = new ArrayList<>(); try { - final Enumeration<String> aliases = keyStore.aliases(); + final Enumeration<String> aliases = keyStore.getFirst().aliases(); while (aliases.hasMoreElements()) { final String el = aliases.nextElement(); log.trace("Process TrustStoreEntry: " + el); - if (keyStore.isCertificateEntry(el)) { - final Certificate cert = keyStore.getCertificate(el); + if (keyStore.getFirst().isCertificateEntry(el)) { + final Certificate cert = keyStore.getFirst().getCertificate(el); if (cert != null && cert instanceof X509Certificate) { result.add((X509Certificate) cert); @@ -257,10 +262,10 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi final KeyStoreConfiguration keyStoreConfig = getBasicKeyStoreConfig(); keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig); - if (JCEMapper.getProviderId() != null - && !JCEMapper.getProviderId().equals(keyStore.getProvider().getName())) { + if (JCEMapper.getProviderId() != null && keyStore.getSecond() != null + && !JCEMapper.getProviderId().equals(keyStore.getSecond().getName())) { log.error("OpenSAML3.x can ONLY use a single type of CryptoProvider in an application. " - + "Can NOT set: {}, because {} was already set", keyStore.getProvider().getName(), + + "Can NOT set: {}, because {} was already set", keyStore.getSecond().getName(), JCEMapper.getProviderId()); throw new EaafConfigurationException(EaafKeyStoreFactory.ERRORCODE_06, new Object[] { keyStoreConfig.getFriendlyName(), @@ -271,12 +276,11 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi // Set JCEMapper only in case of HSM based KeyStores because Software KeyStores // can use // the default SecurityProvider system in OpenSAML3.x signing engine - if (!KeyStoreType.JKS.equals(keyStoreConfig.getKeyStoreType()) - && !KeyStoreType.PKCS12.equals(keyStoreConfig.getKeyStoreType()) + if (keyStore.getSecond() != null && JCEMapper.getProviderId() == null) { log.info("Register CryptoProvider: {} as defaut for OpenSAML3.x", - keyStore.getProvider().getName()); - JCEMapper.setProviderId(keyStore.getProvider().getName()); + keyStore.getSecond().getName()); + JCEMapper.setProviderId(keyStore.getSecond().getName()); } |