summaryrefslogtreecommitdiff
path: root/eaaf_modules/eaaf_module_auth_sl20/src/main/java
diff options
context:
space:
mode:
Diffstat (limited to 'eaaf_modules/eaaf_module_auth_sl20/src/main/java')
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java135
1 files changed, 68 insertions, 67 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
index 259c21bf..1668752a 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
@@ -4,6 +4,7 @@ import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
+import java.security.Provider;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Collections;
@@ -12,6 +13,22 @@ import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.PostConstruct;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.utils.X509Utils;
+import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
+import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException;
+
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
@@ -32,35 +49,19 @@ import org.springframework.util.Base64Utils;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.databind.JsonNode;
-import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
-import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException;
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.core.impl.utils.X509Utils;
-import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
-import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException;
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException;
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException;
-
@Service
public class JsonSecurityUtils implements IJoseTools {
private static final Logger log = LoggerFactory.getLogger(JsonSecurityUtils.class);
private static final String FRIENDLYNAME_KEYSTORE = "SL2.0 KeyStore";
private static final String FRIENDLYNAME_TRUSTSTORE = "SL2.0 TrustStore";
-
+
@Autowired(required = true) IConfiguration authConfig;
@Autowired(required = true) EaafKeyStoreFactory keystoreFactory;
-
- private KeyStore keyStore;
- private KeyStore trustStore;
-
+
+ private Pair<KeyStore, Provider> keyStore;
+ private Pair<KeyStore, Provider> trustStore;
+
private static JsonMapper mapper = new JsonMapper();
@PostConstruct
@@ -68,36 +69,36 @@ public class JsonSecurityUtils implements IJoseTools {
log.info("Initialize SL2.0 authentication security constrains ... ");
try {
//load KeyStore
- KeyStoreConfiguration keyStoreConfig = buildKeyStoreConfiguration();
+ final KeyStoreConfiguration keyStoreConfig = buildKeyStoreConfiguration();
keyStore = keystoreFactory.buildNewKeyStore(keyStoreConfig);
-
+
//load TrustStore
- KeyStoreConfiguration trustStoreConfig = buildTrustStoreConfiguration();
+ final KeyStoreConfiguration trustStoreConfig = buildTrustStoreConfiguration();
trustStore = keystoreFactory.buildNewKeyStore(trustStoreConfig);
-
+
//validate KeyStore entries
- EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore, getSigningKeyAlias(),
+ EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore.getFirst(), getSigningKeyAlias(),
getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE);
- Pair<Key, X509Certificate[]> encCredentials =
- EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore, getEncryptionKeyAlias(),
+ final Pair<Key, X509Certificate[]> encCredentials =
+ EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore.getFirst(), getEncryptionKeyAlias(),
getEncryptionKeyPassword(), false, FRIENDLYNAME_TRUSTSTORE);
if (encCredentials == null) {
log.info("No encryption key for SL2.0 found. End-to-End encryption is not used.");
-
+
}
-
+
//validate TrustStore
- List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(trustStore);
+ final List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(trustStore.getFirst());
if (trustedCerts.isEmpty()) {
- log.info("No certificates in TrustStore: {}. Signature validation will FAIL!",
+ log.info("No certificates in TrustStore: {}. Signature validation will FAIL!",
FRIENDLYNAME_TRUSTSTORE);
-
+
} else {
- log.info("Find #{} certificates in TrustStore: {}",
+ log.info("Find #{} certificates in TrustStore: {}",
trustedCerts.size(), FRIENDLYNAME_TRUSTSTORE);
-
+
}
-
+
log.info("SL2.0 authentication security constrains initialized.");
} catch (final RuntimeException e) {
@@ -124,9 +125,9 @@ public class JsonSecurityUtils implements IJoseTools {
// set signing information
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
- Pair<Key, X509Certificate[]> signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore,
- getSigningKeyAlias(), getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE);
-
+ final Pair<Key, X509Certificate[]> signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+ keyStore.getFirst(), getSigningKeyAlias(), getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE);
+
jws.setKey(signingCred.getFirst());
// TODO:
@@ -218,8 +219,8 @@ public class JsonSecurityUtils implements IJoseTools {
SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING
.toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.size()]));
- final VerificationResult result =
- validateSignature(serializedContent, EaafKeyStoreUtils.readCertsFromKeyStore(trustStore), algConstraints);
+ final VerificationResult result =
+ validateSignature(serializedContent, EaafKeyStoreUtils.readCertsFromKeyStore(trustStore.getFirst()), algConstraints);
if (!result.isValidSigned()) {
log.info("JWS signature invalide. Stopping authentication process ...");
@@ -259,9 +260,9 @@ public class JsonSecurityUtils implements IJoseTools {
// set payload
receiverJwe.setCompactSerialization(compactSerialization);
- Pair<Key, X509Certificate[]> encryptionCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore,
- getEncryptionKeyAlias(), getEncryptionKeyPassword(), true, FRIENDLYNAME_KEYSTORE);
-
+ final Pair<Key, X509Certificate[]> encryptionCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+ keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), true, FRIENDLYNAME_KEYSTORE);
+
// validate key from header against key from config
final List<X509Certificate> x5cCerts = receiverJwe.getCertificateChainHeaderValue();
final String x5t256 = receiverJwe.getX509CertSha256ThumbprintHeaderValue();
@@ -318,7 +319,7 @@ public class JsonSecurityUtils implements IJoseTools {
} catch (final IOException e) {
log.warn("Decrypted SL2.0 result can not be parsed.", e);
throw new SlCommandoParserException("Decrypted SL2.0 result can not be parsed", e);
-
+
}
}
@@ -326,28 +327,28 @@ public class JsonSecurityUtils implements IJoseTools {
public X509Certificate getEncryptionCertificate() {
Pair<Key, X509Certificate[]> encryptionCred;
try {
- encryptionCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore,
+ encryptionCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore.getFirst(),
getEncryptionKeyAlias(), getEncryptionKeyPassword(), false, FRIENDLYNAME_KEYSTORE);
if (encryptionCred != null && encryptionCred.getSecond().length > 0) {
return encryptionCred.getSecond()[0];
-
+
}
-
- } catch (EaafKeyAccessException e) {
+
+ } catch (final EaafKeyAccessException e) {
log.trace("Exception is skipped because Encryption is not mandatory on this level", e);
-
+
}
-
+
return null;
-
+
}
private KeyStoreConfiguration buildKeyStoreConfiguration() throws EaafConfigurationException {
- KeyStoreConfiguration config = new KeyStoreConfiguration();
+ final KeyStoreConfiguration config = new KeyStoreConfiguration();
config.setFriendlyName(FRIENDLYNAME_KEYSTORE);
-
+
config.setKeyStoreType(authConfig.getBasicConfiguration(
- authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE),
+ authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE),
KeyStoreType.JKS.getKeyStoreType()));
config.setKeyStoreName(
authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_NAME));
@@ -355,20 +356,20 @@ public class JsonSecurityUtils implements IJoseTools {
authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_PATH));
config.setSoftKeyStorePassword(
authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_PASSWORD));
-
+
//validate configuration state
config.validate();
-
+
return config;
-
+
}
-
+
private KeyStoreConfiguration buildTrustStoreConfiguration() throws EaafConfigurationException {
- KeyStoreConfiguration config = new KeyStoreConfiguration();
+ final KeyStoreConfiguration config = new KeyStoreConfiguration();
config.setFriendlyName(FRIENDLYNAME_TRUSTSTORE);
-
+
config.setKeyStoreType(authConfig.getBasicConfiguration(
- authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE),
+ authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE),
KeyStoreType.JKS.getKeyStoreType()));
config.setKeyStoreName(
authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_NAME));
@@ -376,13 +377,13 @@ public class JsonSecurityUtils implements IJoseTools {
authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_PATH));
config.setSoftKeyStorePassword(
authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_PASSWORD));
-
+
//validate configuration state
config.validate();
-
+
return config;
}
-
+
private String getSigningKeyAlias() {
String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS);
@@ -394,7 +395,7 @@ public class JsonSecurityUtils implements IJoseTools {
}
private char[] getSigningKeyPassword() {
- String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_PASSWORD);
+ final String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_PASSWORD);
if (value != null) {
return value.trim().toCharArray();
}
@@ -412,7 +413,7 @@ public class JsonSecurityUtils implements IJoseTools {
}
private char[] getEncryptionKeyPassword() {
- String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD);
+ final String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD);
if (value != null) {
return value.trim().toCharArray();
}