From adc58a6ecb2d3d5bb0dc17f0e4a7a0e7803ebbb1 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 19 Jun 2020 10:28:58 +0200 Subject: activates HSM-Facade, if HSM-Facade-Provider is an already loaded Java Security-Provider --- .../core/impl/credential/EaafKeyStoreFactory.java | 132 ++++++++++++--------- .../test/credentials/EaafKeyStoreFactoryTest.java | 24 +++- 2 files changed, 101 insertions(+), 55 deletions(-) diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java index 711a3517..504afc9f 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java 
@@ -172,69 +172,93 @@ public class EaafKeyStoreFactory { @PostConstruct private void initialize() throws EaafException { - Class hsmProviderClazz = getHsmProviderClass(); - final String hsmFacadeHost = basicConfig.getBasicConfiguration(CONFIG_PROP_HSM_FACADE_HOST); - if (hsmProviderClazz != null && StringUtils.isNotEmpty(hsmFacadeHost)) { - log.debug("Find host for HSMFacade. Starting crypto provider initialization ... "); - try { - final int port = Integer.parseUnsignedInt( - getConfigurationParameter(CONFIG_PROP_HSM_FACADE_PORT)); - final String clientUsername = - getConfigurationParameter(CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME); - final String clientPassword = - getConfigurationParameter(CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD); - - //initialize HSM-Facade by using JAVA Reflection, because in that case HSM-Facade - //has not be in ClassPath on every project + Class hsmProviderClazz = getHsmProviderClass(); + if (hsmProviderClazz != null) { + final String hsmFacadeHost = basicConfig.getBasicConfiguration(CONFIG_PROP_HSM_FACADE_HOST); + Provider alreadyLoadedProvider = Security.getProvider(HSM_FACADE_PROVIDER); + if (alreadyLoadedProvider != null + && alreadyLoadedProvider.getClass().isAssignableFrom(hsmProviderClazz)) { + //TODO: check isInitialized() flag, if the parameter is available in next version - Method constructor = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, new Class[]{}); - Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT, - X509Certificate.class, String.class, String.class, String.class, int.class); - if (initMethod != null && constructor != null) { - Object rawProvider = constructor.invoke(hsmProviderClazz); - initMethod.invoke( - rawProvider, getHsmFacadeTrustSslCertificate(), - clientUsername, clientPassword, hsmFacadeHost, port); + + log.info("Find already initialized Java SecurityProvider: {}", alreadyLoadedProvider.getName()); + log.info("HSM Facade is already initialized. 
{} can provide KeyStores based on remote HSM", + EaafKeyStoreFactory.class.getSimpleName()); + isHsmFacadeInitialized = true; + + } else if (StringUtils.isNotEmpty(hsmFacadeHost)) { + log.debug("Find host for HSMFacade. Starting crypto provider initialization ... "); + initializeHsmFacadeSecurityProvider(hsmProviderClazz, hsmFacadeHost); + + } else { + log.info("HSM Facade is on ClassPath but not configurated. {} can only provide software keystores", + EaafKeyStoreFactory.class.getSimpleName()); + + } + + } else { + log.info("HSM Facade is not on ClassPath. {} can only provide software keystores", + EaafKeyStoreFactory.class.getSimpleName()); + + } + + } + + private void initializeHsmFacadeSecurityProvider(Class hsmProviderClazz, String hsmFacadeHost) + throws EaafException { + try { + final int port = Integer.parseUnsignedInt( + getConfigurationParameter(CONFIG_PROP_HSM_FACADE_PORT)); + final String clientUsername = + getConfigurationParameter(CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME); + final String clientPassword = + getConfigurationParameter(CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD); + + //initialize HSM-Facade by using JAVA Reflection, because in that case HSM-Facade + //has not be in ClassPath on every project + Method constructor = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, new Class[]{}); + Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT, + X509Certificate.class, String.class, String.class, String.class, int.class); + if (initMethod != null && constructor != null) { + Object rawProvider = constructor.invoke(hsmProviderClazz); + initMethod.invoke( + rawProvider, getHsmFacadeTrustSslCertificate(), + clientUsername, clientPassword, hsmFacadeHost, port); + + if (rawProvider instanceof Provider) { + Security.insertProviderAt((Provider) rawProvider, 0); + isHsmFacadeInitialized = true; + log.info("HSM Facade is initialized. 
{} can provide KeyStores based on remote HSM", + EaafKeyStoreFactory.class.getSimpleName()); - if (rawProvider instanceof Provider) { - Security.insertProviderAt((Provider) rawProvider, 0); - isHsmFacadeInitialized = true; - log.info("HSM Facade is initialized. {} can provide KeyStores based on remote HSM", - EaafKeyStoreFactory.class.getSimpleName()); - - } else { - log.warn("Is HSM-Facade class type of 'java.security.Provider': {}", - rawProvider instanceof Provider); - throw new EaafException(ERRORCODE_10, new Object[] {HSM_FACADE_PROVIDER_CLASS}); - - } - - } else { - log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG, - HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, constructor != null); - log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG, - HSM_FACADE_PROVIDER_METHOD_INIT, initMethod != null); + } else { + log.warn("Is HSM-Facade class type of 'java.security.Provider': {}", + rawProvider instanceof Provider); throw new EaafException(ERRORCODE_10, new Object[] {HSM_FACADE_PROVIDER_CLASS}); } - - //final HsmFacadeProvider provider = HsmFacadeProvider.Companion.getInstance(); - //provider.init(getHsmFacadeTrustSslCertificate(), clientUsername, clientPassword, hsmFacadeHost, port); - - } catch (final EaafException e) { - throw e; - - } catch (final Exception e) { - log.error("HSM Facade initialization FAILED with an generic error.", e); - throw new EaafConfigurationException(ERRORCODE_03, new Object[] { e.getMessage() }, e); + + } else { + log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG, + HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, constructor != null); + log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG, + HSM_FACADE_PROVIDER_METHOD_INIT, initMethod != null); + throw new EaafException(ERRORCODE_10, new Object[] {HSM_FACADE_PROVIDER_CLASS}); + } + + //final HsmFacadeProvider provider = HsmFacadeProvider.Companion.getInstance(); + //provider.init(getHsmFacadeTrustSslCertificate(), clientUsername, clientPassword, hsmFacadeHost, port); - } else { - log.info("HSM Facade is not configurated. 
{} can only provide software keystores", - EaafKeyStoreFactory.class.getSimpleName()); + } catch (final EaafException e) { + throw e; + } catch (final Exception e) { + log.error("HSM Facade initialization FAILED with an generic error.", e); + throw new EaafConfigurationException(ERRORCODE_03, new Object[] { e.getMessage() }, e); + } - + } private Class getHsmProviderClass() { diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java index fc945fdd..6a24f6b4 100644 --- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java +++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java @@ -4,6 +4,7 @@ import java.security.Key; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.Provider; +import java.security.Security; import java.security.cert.X509Certificate; import java.util.List; @@ -27,6 +28,7 @@ import com.google.common.base.Predicates; import com.google.common.base.Throwables; import com.google.common.collect.FluentIterable; +import at.asitplus.hsmfacade.provider.HsmFacadeProvider; import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafException; @@ -73,7 +75,8 @@ public class EaafKeyStoreFactoryTest { @Before public void testSetup() { mapConfig.clearAllConfig(); - + Security.removeProvider(HsmFacadeProvider.getInstance().getName()); + } @Test @@ -434,6 +437,14 @@ public class EaafKeyStoreFactoryTest { Assert.assertNull("Provider is not null", key.getSecond()); } + + @Test + @DirtiesContext + public void hsmFacadeNoHostConfig() { + context.getBean(EaafKeyStoreFactory.class); + + } + @Test @DirtiesContext 
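Review bot: The class check in the new already-loaded branch is reversed: `alreadyLoadedProvider.getClass().isAssignableFrom(hsmProviderClazz)` asks whether the expected provider class is a subtype of the registered one, so a registered subclass of the expected provider is rejected while a registered superclass would be accepted; `hsmProviderClazz.isInstance(alreadyLoadedProvider)` expresses the intended check. The same branch sets `isHsmFacadeInitialized = true` on the mere presence of a provider with that name in the JVM-global `Security` registry, which the TODO acknowledges; until an `isInitialized()` is available I would log this at warn rather than info, with a comment such as `// NOTE: provider presence is taken as proof of a working HSM connection; any earlier code in this JVM can register a provider under this name`. Separately, `Security.insertProviderAt((Provider) rawProvider, 0)` in `initializeHsmFacadeSecurityProvider` (carried over from the removed code) uses a 1-based API, and as far as I recall the JDK treats 0 as out of range and appends at the lowest preference rather than the highest — if the HSM provider is meant to win unqualified `getInstance` calls this should be `1`, and if it is only ever addressed explicitly a comment saying so would help. The commented-out `HsmFacadeProvider.Companion.getInstance()` lines are also carried over and could be deleted; the body of `getHsmProviderClass` continues outside the hunk.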
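Review bot: `hsmFacadeNoHostConfig` only obtains the bean and asserts nothing, so it passes even if the "on ClassPath but not configured" path wrongly flips the HSM state; it should pin the expected outcome, e.g. `Assert.assertFalse("HSM Facade state wrong", context.getBean(EaafKeyStoreFactory.class).isHsmFacadeInitialized());`. A one-line comment naming the scenario under test (provider class present, `CONFIG_PROP_HSM_FACADE_HOST` unset, no provider pre-registered) would also make the intent clear to the next reader.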
@@ -598,6 +609,17 @@ public class EaafKeyStoreFactoryTest { } + @Test + @DirtiesContext + public void hsmFacadeAlreadLoaded() { + HsmFacadeProvider provider = HsmFacadeProvider.getInstance(); + Security.addProvider(provider); + + final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class); + Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized()); + + } + @Test @DirtiesContext public void hsmFacadeKeyStoreNoKeyStoreName() { -- cgit v1.2.3
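Review bot: `hsmFacadeAlreadLoaded` registers `HsmFacadeProvider.getInstance()` via `Security.addProvider` without ever calling `init(...)`, then asserts `isHsmFacadeInitialized()` is true, so the test pins the weakest reading of the new branch (a registered provider name is taken as a working HSM) rather than the intended one. If the provider exposes any initialized state the test should set it up first, or at least carry a comment stating that the assertion is about provider registration only; the method name also has a typo, `hsmFacadeAlreadyLoaded`. The provider added here is only removed by the next test's `testSetup`, so the last test in the class leaves a global provider registered for other test classes in the same JVM; an `@After` calling `Security.removeProvider(provider.getName())` would avoid that. The following test `hsmFacadeKeyStoreNoKeyStoreName` continues outside the hunk.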