diff options
4 files changed, 28 insertions, 28 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java index 1e1e2137..d2377d69 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java @@ -33,18 +33,23 @@ public class EaafSslKeySelectionStrategy implements PrivateKeyStrategy { @Override public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) { log.trace("Selection SSL client-auth key for alias: {}", keyAlias); + if (aliases.keySet().isEmpty()) { + log.debug("No Key with Alias: {} in empty KeyStore", keyAlias); + return null; + + } + final PrivateKeyDetails selected = aliases.get(keyAlias); if (selected != null) { log.trace("Select SL client-auth key with type:", selected.getType()); return keyAlias; - } else { + } else { log.warn("KeyStore contains NO key with alias: {}. Using first key from keystore", keyAlias); log.info("Available aliases: {}", StringUtils.join(aliases.keySet(), ", ")); return aliases.keySet().iterator().next(); - + } - } } diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java index 582ad545..6a66dfff 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java @@ -5,11 +5,11 @@ import java.util.UUID; import javax.annotation.Nonnull; -import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; - import org.apache.commons.lang3.StringUtils; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; import lombok.Getter; import lombok.Setter; import lombok.extern.slf4j.Slf4j; @@ -117,7 +117,9 @@ public class HttpClientConfiguration { } - if (StringUtils.isEmpty(this.sslKeyPassword)) { + if (StringUtils.isEmpty(this.sslKeyPassword) + && (KeyStoreType.JKS.equals(keyStoreConfig.getKeyStoreType()) + || KeyStoreType.PKCS12.equals(keyStoreConfig.getKeyStoreType()))) { throw new EaafConfigurationException(ERROR_02, new Object[] { this.friendlyName, this.keyStoreConfig.getFriendlyName()}); diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java index b357bb01..eafd8a04 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java @@ -23,7 +23,6 @@ import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.Provider; -import java.security.Security; import java.security.UnrecoverableKeyException; import javax.annotation.Nonnull; @@ -168,16 +167,14 @@ public class HttpUtils { : keyPasswordString.toCharArray(); SSLContextBuilder sslContextBuilder = SSLContexts.custom(); - if (keyStore.getSecond() != null) { + if (keyStore.getSecond() != null) { Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond()); - log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext", friendlyName, provider.getName()); sslContextBuilder.setProvider(provider); - Security.addProvider(provider); - //sslContextBuilder.setSecureRandom(SecureRandom.getInstanceStrong()); } + if (StringUtils.isNotEmpty(keyAlias)) { sslContextBuilder = sslContextBuilder .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias)); @@ -185,7 +182,6 @@ public class HttpUtils { } else { sslContextBuilder = sslContextBuilder .loadKeyMaterial(keyStore.getFirst(), keyPassword); - } if (trustAllServerCertificates) { diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java index 140c74f5..72ec7008 100644 --- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java +++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java @@ -332,30 +332,27 @@ public class HttpClientFactoryTest { @Test public void getCustomClientX509AuthWithHsmFacade() throws EaafException, ClientProtocolException, IOException, KeyStoreException { - final HttpClientConfiguration config = new HttpClientConfiguration("jUnit"); - config.setAuthMode("ssl"); - config.buildKeyStoreConfig( - "hsmfacade", - null, - null, - "authhandler"); - config.setSslKeyPassword("password"); - config.setSslKeyAlias("authhandler-sign"); - config.setDisableTlsHostCertificateValidation(true); + final HttpClientConfiguration clientConfig = new HttpClientConfiguration("jUnit-client"); + clientConfig.setAuthMode("ssl"); + clientConfig.buildKeyStoreConfig("hsmfacade", null, null, "authhandler"); + clientConfig.setSslKeyAlias("authhandler-sign"); + clientConfig.setDisableTlsHostCertificateValidation(true); - final CloseableHttpClient client = httpClientFactory.getHttpClient(config); + + + final CloseableHttpClient client = httpClientFactory.getHttpClient(clientConfig); Assert.assertNotNull("httpClient", client); //set-up mock-up web-server with SSL client authentication final Pair<KeyStore, Provider> sslClientKeyStore = - keyStoreFactory.buildNewKeyStore(config.getKeyStoreConfig()); + keyStoreFactory.buildNewKeyStore(clientConfig.getKeyStoreConfig()); + X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst() + .getCertificateChain(clientConfig.getSslKeyAlias())[1]; + final String localhost = InetAddress.getByName("localhost").getCanonicalHostName(); final HeldCertificate localhostCertificate = new HeldCertificate.Builder() .addSubjectAlternativeName(localhost) .build(); - X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst() - .getCertificateChain(config.getSslKeyAlias())[1]; - final HandshakeCertificates serverCertificates = new HandshakeCertificates.Builder() .addTrustedCertificate(clientRootCert) .heldCertificate(localhostCertificate) |