Diffstat (limited to 'eaaf_modules/eaaf_module_auth_sl20')
-rw-r--r-- | eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java | 135 |
1 files changed, 68 insertions, 67 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
index 259c21bf..1668752a 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
@@ -4,6 +4,7 @@ import java.io.IOException;
 import java.security.Key;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.Provider;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
@@ -12,6 +13,22 @@ import java.util.List; import javax.annotation.Nonnull; import javax.annotation.PostConstruct; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.utils.X509Utils; +import at.gv.egiz.eaaf.modules.auth.sl20.Constants; +import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException; + import org.apache.commons.lang3.StringUtils; import org.jose4j.jwa.AlgorithmConstraints; import org.jose4j.jwa.AlgorithmConstraints.ConstraintType; 
@@ -32,35 +49,19 @@ import org.springframework.util.Base64Utils; import com.fasterxml.jackson.core.JsonParseException; import com.fasterxml.jackson.databind.JsonNode; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; -import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; -import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; -import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.core.impl.utils.X509Utils; -import at.gv.egiz.eaaf.modules.auth.sl20.Constants; -import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException; - @Service public class JsonSecurityUtils implements IJoseTools { private static final Logger log = LoggerFactory.getLogger(JsonSecurityUtils.class); private static final String FRIENDLYNAME_KEYSTORE = "SL2.0 KeyStore"; private static final String FRIENDLYNAME_TRUSTSTORE = "SL2.0 TrustStore"; - + @Autowired(required = true) IConfiguration authConfig; @Autowired(required = true) EaafKeyStoreFactory keystoreFactory; - - private KeyStore keyStore; - private KeyStore trustStore; - + + private Pair<KeyStore, Provider> keyStore; + private Pair<KeyStore, Provider> trustStore; + private static JsonMapper mapper = new JsonMapper(); @PostConstruct 
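Review bot: `private static JsonMapper mapper = new JsonMapper();` on the new side is still a mutable static although it is only ever assigned at that declaration; `private static final JsonMapper mapper = new JsonMapper();` states that intent. The two injected dependencies, `IConfiguration authConfig` and `EaafKeyStoreFactory keystoreFactory`, are package-visible fields written by field injection; constructor injection into `private final` fields would keep them immutable after construction. The new `Pair<KeyStore, Provider>` fields are assigned in the `@PostConstruct` method and read on the request path, which is fine as long as they stay write-once; a comment on the declarations such as `// assigned once during @PostConstruct initialisation, never reassigned` would document that contract.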
@@ -68,36 +69,36 @@ public class JsonSecurityUtils implements IJoseTools { log.info("Initialize SL2.0 authentication security constrains ... "); try { //load KeyStore - KeyStoreConfiguration keyStoreConfig = buildKeyStoreConfiguration(); + final KeyStoreConfiguration keyStoreConfig = buildKeyStoreConfiguration(); keyStore = keystoreFactory.buildNewKeyStore(keyStoreConfig); - + //load TrustStore - KeyStoreConfiguration trustStoreConfig = buildTrustStoreConfiguration(); + final KeyStoreConfiguration trustStoreConfig = buildTrustStoreConfiguration(); trustStore = keystoreFactory.buildNewKeyStore(trustStoreConfig); - + //validate KeyStore entries - EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore, getSigningKeyAlias(), + EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore.getFirst(), getSigningKeyAlias(), getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE); - Pair<Key, X509Certificate[]> encCredentials = - EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore, getEncryptionKeyAlias(), + final Pair<Key, X509Certificate[]> encCredentials = + EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), false, FRIENDLYNAME_TRUSTSTORE); if (encCredentials == null) { log.info("No encryption key for SL2.0 found. End-to-End encryption is not used."); - + } - + //validate TrustStore - List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(trustStore); + final List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(trustStore.getFirst()); if (trustedCerts.isEmpty()) { - log.info("No certificates in TrustStore: {}. Signature validation will FAIL!", + log.info("No certificates in TrustStore: {}. 
Signature validation will FAIL!", FRIENDLYNAME_TRUSTSTORE); - + } else { - log.info("Find #{} certificates in TrustStore: {}", + log.info("Find #{} certificates in TrustStore: {}", trustedCerts.size(), FRIENDLYNAME_TRUSTSTORE); - + } - + log.info("SL2.0 authentication security constrains initialized."); } catch (final RuntimeException e) { @@ -124,9 +125,9 @@ public class JsonSecurityUtils implements IJoseTools { // set signing information jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256); - Pair<Key, X509Certificate[]> signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore, - getSigningKeyAlias(), getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE); - + final Pair<Key, X509Certificate[]> signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + keyStore.getFirst(), getSigningKeyAlias(), getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE); + jws.setKey(signingCred.getFirst()); // TODO: @@ -218,8 +219,8 @@ public class JsonSecurityUtils implements IJoseTools { SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING .toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.size()])); - final VerificationResult result = - validateSignature(serializedContent, EaafKeyStoreUtils.readCertsFromKeyStore(trustStore), algConstraints); + final VerificationResult result = + validateSignature(serializedContent, EaafKeyStoreUtils.readCertsFromKeyStore(trustStore.getFirst()), algConstraints); if (!result.isValidSigned()) { log.info("JWS signature invalide. Stopping authentication process ..."); 
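Review bot: The encryption-key lookup in the `@PostConstruct` initialisation passes `FRIENDLYNAME_TRUSTSTORE` as the friendly name although it reads from `keyStore.getFirst()`, so any error or log text produced by `getPrivateKeyAndCertificates` will name the wrong store; the signing lookup directly above and the hunks at -124, -259 and -326 all pass `FRIENDLYNAME_KEYSTORE` for that same store. The line should read `getEncryptionKeyPassword(), false, FRIENDLYNAME_KEYSTORE);`. Separately, an empty trust store is reported with `log.info("No certificates in TrustStore: {}. Signature validation will FAIL!", ...)` and initialisation continues; since the message itself says every SL2.0 signature check will then be rejected, this misconfiguration is worth surfacing at error level or by failing startup instead of at info level. The enclosing method and its catch block continue outside the hunk.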
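Review bot: `jws.setKey(signingCred.getFirst());` consumes only the key, while the `Provider` that `keyStore` now carries is never handed to jose4j; if the key store is provider-backed (for example a hardware token whose keys the default providers cannot use), the signature would presumably still be resolved through the default provider chain. If carrying the Provider is meant to cover that case, the signing path here and the decryption path in the hunk at -259 should pass it on, e.g. through jose4j's `ProviderContext`; if it is deliberately unused, a comment such as `// TODO(review): confirm whether keyStore.getSecond() must be passed to jose4j as ProviderContext` records the open question. The enclosing method continues outside the hunk.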
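Review bot: `EaafKeyStoreUtils.readCertsFromKeyStore(trustStore.getFirst())` re-enumerates the whole trust store on every signature validation even though the same list is already read once at initialisation; holding the trusted certificates in a field filled by the `@PostConstruct` method would keep the `KeyStore` off the request path, unless the store is expected to change at runtime, which the diff does not show. The failure-branch log message `"JWS signature invalide. Stopping authentication process ..."` has a typo: `invalid`. The enclosing method continues outside the hunk.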
@@ -259,9 +260,9 @@ public class JsonSecurityUtils implements IJoseTools { // set payload receiverJwe.setCompactSerialization(compactSerialization); - Pair<Key, X509Certificate[]> encryptionCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore, - getEncryptionKeyAlias(), getEncryptionKeyPassword(), true, FRIENDLYNAME_KEYSTORE); - + final Pair<Key, X509Certificate[]> encryptionCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), true, FRIENDLYNAME_KEYSTORE); + // validate key from header against key from config final List<X509Certificate> x5cCerts = receiverJwe.getCertificateChainHeaderValue(); final String x5t256 = receiverJwe.getX509CertSha256ThumbprintHeaderValue(); @@ -318,7 +319,7 @@ public class JsonSecurityUtils implements IJoseTools { } catch (final IOException e) { log.warn("Decrypted SL2.0 result can not be parsed.", e); throw new SlCommandoParserException("Decrypted SL2.0 result can not be parsed", e); - + } } 
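Review bot: The decryption path requests the encryption credentials with the mandatory flag set (`..., getEncryptionKeyPassword(), true, FRIENDLYNAME_KEYSTORE)`), whereas initialisation treats the same key as optional (`false`) and only logs that end-to-end encryption is unused; the asymmetry is probably intended, because an encrypted response cannot be processed without the key, but nothing in the code says so. A comment above the call, e.g. `// mandatory here: an encrypted SL2.0 response cannot be processed without the configured key`, would document it. The enclosing method continues outside the hunk.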
@@ -326,28 +327,28 @@ public class JsonSecurityUtils implements IJoseTools { public X509Certificate getEncryptionCertificate() { Pair<Key, X509Certificate[]> encryptionCred; try { - encryptionCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore, + encryptionCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), false, FRIENDLYNAME_KEYSTORE); if (encryptionCred != null && encryptionCred.getSecond().length > 0) { return encryptionCred.getSecond()[0]; - + } - - } catch (EaafKeyAccessException e) { + + } catch (final EaafKeyAccessException e) { log.trace("Exception is skipped because Encryption is not mandatory on this level", e); - + } - + return null; - + } private KeyStoreConfiguration buildKeyStoreConfiguration() throws EaafConfigurationException { - KeyStoreConfiguration config = new KeyStoreConfiguration(); + final KeyStoreConfiguration config = new KeyStoreConfiguration(); config.setFriendlyName(FRIENDLYNAME_KEYSTORE); - + config.setKeyStoreType(authConfig.getBasicConfiguration( - authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE), + authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE), KeyStoreType.JKS.getKeyStoreType())); config.setKeyStoreName( authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_NAME)); 
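Review bot: In `buildKeyStoreConfiguration` the store type is read as `authConfig.getBasicConfiguration(authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE), KeyStoreType.JKS.getKeyStoreType())`: the inner call yields the configured value, which the outer call then uses as a property key, so unless `getBasicConfiguration` treats that argument unusually the configured type is never applied and the `JKS` default always wins (or the outer lookup runs with a null key when the property is absent). The intended form is presumably the single two-argument call `config.setKeyStoreType(authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE, KeyStoreType.JKS.getKeyStoreType()));`. The same nesting appears for the trust store in the hunk at -355. Silently loading a store of a different type than configured is worth fixing now that the key store factory returns a `Provider` alongside the store, which may well be chosen from that type. The method continues outside the hunk.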
@@ -355,20 +356,20 @@ public class JsonSecurityUtils implements IJoseTools { authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_PATH)); config.setSoftKeyStorePassword( authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_PASSWORD)); - + //validate configuration state config.validate(); - + return config; - + } - + private KeyStoreConfiguration buildTrustStoreConfiguration() throws EaafConfigurationException { - KeyStoreConfiguration config = new KeyStoreConfiguration(); + final KeyStoreConfiguration config = new KeyStoreConfiguration(); config.setFriendlyName(FRIENDLYNAME_TRUSTSTORE); - + config.setKeyStoreType(authConfig.getBasicConfiguration( - authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE), + authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE), KeyStoreType.JKS.getKeyStoreType())); config.setKeyStoreName( authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_NAME)); @@ -376,13 +377,13 @@ public class JsonSecurityUtils implements IJoseTools { authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_PATH)); config.setSoftKeyStorePassword( authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_PASSWORD)); - + //validate configuration state config.validate(); - + return config; } - + private String getSigningKeyAlias() { String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS); @@ -394,7 +395,7 @@ public class JsonSecurityUtils implements IJoseTools { } private char[] getSigningKeyPassword() { - String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_PASSWORD); + final String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_PASSWORD); if (value != null) { return value.trim().toCharArray(); } 
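Review bot: `getSigningKeyPassword` returns `value.trim().toCharArray()`, so a key password that legitimately starts or ends with whitespace is silently altered and the key can no longer be opened; if the trim is meant to tolerate stray whitespace in property files, say so with `// trimmed on purpose: property files often carry trailing blanks`, otherwise drop the `trim()`. The same applies to `getEncryptionKeyPassword` in the hunk at -412. The password has already passed through the `String` returned by `authConfig`, so converting it to `char[]` here gives no real ability to clear it from memory, which is worth a one-line comment so nobody assumes otherwise. The method's null branch continues outside the hunk.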
@@ -412,7 +413,7 @@ public class JsonSecurityUtils implements IJoseTools { } private char[] getEncryptionKeyPassword() { - String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD); + final String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD); if (value != null) { return value.trim().toCharArray(); } |