From 36fafda8e3b953d3d1cba91efeb4fc82388b0445 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Tue, 5 May 2020 14:58:38 +0200
Subject: finish SSLContext creation by using KeyStore from HSM-Facade
---
 .../impl/http/EaafSslKeySelectionStrategy.java | 11 ++++++---
 .../core/impl/http/HttpClientConfiguration.java | 10 ++++----
 .../at/gv/egiz/eaaf/core/impl/http/HttpUtils.java | 8 ++-----
 .../eaaf/core/test/http/HttpClientFactoryTest.java | 27 ++++++++++------------
 4 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java
index 1e1e2137..d2377d69 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java
@@ -33,18 +33,23 @@ public class EaafSslKeySelectionStrategy implements PrivateKeyStrategy {
 @Override
 public String chooseAlias(Map aliases, Socket socket) {
 log.trace("Selection SSL client-auth key for alias: {}", keyAlias);
+ if (aliases.keySet().isEmpty()) {
+ log.debug("No Key with Alias: {} in empty KeyStore", keyAlias);
+ return null;
+
+ }
+
 final PrivateKeyDetails selected = aliases.get(keyAlias);
 if (selected != null) {
 log.trace("Select SL client-auth key with type:", selected.getType());
 return keyAlias;
- } else {
+ } else {
 log.warn("KeyStore contains NO key with alias: {}. Using first key from keystore", keyAlias);
 log.info("Available aliases: {}", StringUtils.join(aliases.keySet(), ", "));
 return aliases.keySet().iterator().next();
-
+
 }
-
 }
 }
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java
index 582ad545..6a66dfff 100644
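Review bot: The new empty-store guard returns null at debug level; for a PrivateKeyStrategy a null alias means the handshake simply continues without a client certificate, so a client configured for SSL client-auth on an empty store only fails later, server-side, with a far less specific error. Raise it to warn so the misconfiguration shows up in the client log, e.g. `log.warn("No key with alias: {} - KeyStore is empty, no client certificate will be presented", keyAlias);`, and `aliases.keySet().isEmpty()` can simply be `aliases.isEmpty()`. The re-indented else branch still hands back `aliases.keySet().iterator().next()` when the configured alias is absent, i.e. whichever key the store happens to list first; with an HSM-backed store that may well be a key meant for a different purpose, so returning null there as well and letting the configuration error surface is the safer default. The trace call in the `selected != null` branch has no `{}` placeholder, so `selected.getType()` is never printed.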
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java
@@ -5,11 +5,11 @@ import java.util.UUID;
 import javax.annotation.Nonnull;
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-
 import org.apache.commons.lang3.StringUtils;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
 import lombok.Getter;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
@@ -117,7 +117,9 @@ public class HttpClientConfiguration {
 }
- if (StringUtils.isEmpty(this.sslKeyPassword)) {
+ if (StringUtils.isEmpty(this.sslKeyPassword)
+ && (KeyStoreType.JKS.equals(keyStoreConfig.getKeyStoreType())
+ || KeyStoreType.PKCS12.equals(keyStoreConfig.getKeyStoreType()))) {
 throw new EaafConfigurationException(ERROR_02, new Object[] { this.friendlyName, this.keyStoreConfig.getFriendlyName()});
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
index b357bb01..eafd8a04 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
@@ -23,7 +23,6 @@ import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
-import java.security.Security;
 import java.security.UnrecoverableKeyException;
 import javax.annotation.Nonnull;
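Review bot: The relaxed password check in the `@@ -117` hunk enumerates the store types that need a key password (`KeyStoreType.JKS`, `KeyStoreType.PKCS12`), so every other constant of `KeyStoreConfiguration.KeyStoreType` — not only the HSM-facade type this commit is about — now skips the check silently, including any type added later; testing positively for the facade type (its constant is not visible on this page) or a boolean helper on the enum keeps the default strict. The new condition also reads `keyStoreConfig.getKeyStoreType()` while the surrounding lines use `this.keyStoreConfig`; one form should be used. A one-line comment on why the password is optional would help the next reader, e.g. `// presumably keys in an HSM facade are unlocked by the facade itself and only file-based stores need a key password - confirm`. The enclosing method starts and ends outside the hunk.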
@@ -168,16 +167,14 @@ public class HttpUtils {
 : keyPasswordString.toCharArray();
 SSLContextBuilder sslContextBuilder = SSLContexts.custom();
- if (keyStore.getSecond() != null) {
+ if (keyStore.getSecond() != null) {
 Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond());
- log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext", friendlyName, provider.getName());
 sslContextBuilder.setProvider(provider);
- Security.addProvider(provider);
- //sslContextBuilder.setSecureRandom(SecureRandom.getInstanceStrong());
 }
+
 if (StringUtils.isNotEmpty(keyAlias)) {
 sslContextBuilder = sslContextBuilder
 .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias));
@@ -185,7 +182,6 @@ public class HttpUtils {
 } else {
 sslContextBuilder = sslContextBuilder
 .loadKeyMaterial(keyStore.getFirst(), keyPassword);
-
 }
 if (trustAllServerCertificates) {
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
index 140c74f5..72ec7008 100644
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
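Review bot: `sslContextBuilder.setProvider(provider)` only selects the provider that `SSLContext.getInstance` is resolved from in `build()`; the `KeyManagerFactory` that `loadKeyMaterial` creates on the lines just below is, in the httpcore 4.4 builder I know, obtained without a provider argument and therefore from the default JSSE provider — please verify against the version in use. If that split is intended (the default key manager hands the facade's key objects to a BCJSSE context, which then signs through the provider wrapped by `BouncyCastleJsseProvider`), a comment should say so, e.g. `// provider is scoped to this SSLContext only; the KeyManagerFactory still comes from the default provider`, because after this commit the builder is the only place the facade provider is wired in. Dropping `Security.addProvider(provider)` is the right call — it mutated JVM-global state on every client build — but note that a fresh `BouncyCastleJsseProvider` is now created per call, so anything downstream that caches by provider name should be checked. The enclosing method starts and ends outside the hunk.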
@@ -332,30 +332,27 @@ public class HttpClientFactoryTest {
 @Test
 public void getCustomClientX509AuthWithHsmFacade() throws EaafException, ClientProtocolException, IOException, KeyStoreException {
- final HttpClientConfiguration config = new HttpClientConfiguration("jUnit");
- config.setAuthMode("ssl");
- config.buildKeyStoreConfig(
- "hsmfacade",
- null,
- null,
- "authhandler");
- config.setSslKeyPassword("password");
- config.setSslKeyAlias("authhandler-sign");
- config.setDisableTlsHostCertificateValidation(true);
+ final HttpClientConfiguration clientConfig = new HttpClientConfiguration("jUnit-client");
+ clientConfig.setAuthMode("ssl");
+ clientConfig.buildKeyStoreConfig("hsmfacade", null, null, "authhandler");
+ clientConfig.setSslKeyAlias("authhandler-sign");
+ clientConfig.setDisableTlsHostCertificateValidation(true);
- final CloseableHttpClient client = httpClientFactory.getHttpClient(config);
+
+
+ final CloseableHttpClient client = httpClientFactory.getHttpClient(clientConfig);
 Assert.assertNotNull("httpClient", client);
 //set-up mock-up web-server with SSL client authentication
 final Pair sslClientKeyStore =
- keyStoreFactory.buildNewKeyStore(config.getKeyStoreConfig());
+ keyStoreFactory.buildNewKeyStore(clientConfig.getKeyStoreConfig());
+ X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst()
+ .getCertificateChain(clientConfig.getSslKeyAlias())[1];
+
 final String localhost = InetAddress.getByName("localhost").getCanonicalHostName();
 final HeldCertificate localhostCertificate = new HeldCertificate.Builder()
 .addSubjectAlternativeName(localhost)
 .build();
- X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst()
- .getCertificateChain(config.getSslKeyAlias())[1];
-
 final HandshakeCertificates serverCertificates = new HandshakeCertificates.Builder()
 .addTrustedCertificate(clientRootCert)
 .heldCertificate(localhostCertificate)
-- cgit v1.2.3
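Review bot: The rewritten test drops `setSslKeyPassword` for the HSM-facade store and so exercises the relaxed check, but nothing on this page pins the other half of that change — that a JKS or PKCS12 store without `sslKeyPassword` still raises `EaafConfigurationException` with `ERROR_02`; if no sibling test covers it, a negative test for the file-based path would catch a silent regression. The moved `X509Certificate clientRootCert = ...getCertificateChain(...)[1]` is not `final` like the locals around it and hard-codes the issuer at chain index 1, which throws `ArrayIndexOutOfBoundsException` on a single-entry chain, so an explicit assertion on the chain length or a comment on the expected chain layout (`// [0] = client cert, [1] = issuing CA`, presumably) would make a failure there readable. The two empty `+` lines before `final CloseableHttpClient client` look accidental. The test method continues outside the hunk.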