From 36fafda8e3b953d3d1cba91efeb4fc82388b0445 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Tue, 5 May 2020 14:58:38 +0200
Subject: finish SSLContext creation by using KeyStore from HSM-Facade

---
 .../egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java | 11 ++++++++---
 .../gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java  | 10 ++++++----
 .../main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java   |  8 ++------
 3 files changed, 16 insertions(+), 13 deletions(-)

(limited to 'eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http')

diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java
index 1e1e2137..d2377d69 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/EaafSslKeySelectionStrategy.java
@@ -33,18 +33,23 @@ public class EaafSslKeySelectionStrategy implements PrivateKeyStrategy {
   @Override
   public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
     log.trace("Selection SSL client-auth key for alias: {}", keyAlias);
+    if (aliases.keySet().isEmpty()) {
+      log.debug("No Key with Alias: {} in empty KeyStore", keyAlias);
+      return null;
+      
+    }
+    
     final PrivateKeyDetails selected = aliases.get(keyAlias);
     if (selected != null) {
       log.trace("Select SL client-auth key with type:", selected.getType());
       return keyAlias;
 
-    } else {
+    } else {     
       log.warn("KeyStore contains NO key with alias: {}. Using first key from keystore", keyAlias);
       log.info("Available aliases: {}", StringUtils.join(aliases.keySet(), ", "));
       return aliases.keySet().iterator().next();
-
+        
     }
-
   }
 
 }
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java
index 582ad545..6a66dfff 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpClientConfiguration.java
@@ -5,11 +5,11 @@ import java.util.UUID;
 
 import javax.annotation.Nonnull;
 
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-
 import org.apache.commons.lang3.StringUtils;
 
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
 import lombok.Getter;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
@@ -117,7 +117,9 @@ public class HttpClientConfiguration {
 
       }
 
-      if (StringUtils.isEmpty(this.sslKeyPassword)) {
+      if (StringUtils.isEmpty(this.sslKeyPassword) 
+          && (KeyStoreType.JKS.equals(keyStoreConfig.getKeyStoreType()) 
+              || KeyStoreType.PKCS12.equals(keyStoreConfig.getKeyStoreType()))) {
         throw new EaafConfigurationException(ERROR_02, new Object[] {
             this.friendlyName, this.keyStoreConfig.getFriendlyName()});
 
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
index b357bb01..eafd8a04 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
@@ -23,7 +23,6 @@ import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
-import java.security.Security;
 import java.security.UnrecoverableKeyException;
 
 import javax.annotation.Nonnull;
@@ -168,16 +167,14 @@ public class HttpUtils {
           : keyPasswordString.toCharArray();
 
       SSLContextBuilder sslContextBuilder = SSLContexts.custom();
-      if (keyStore.getSecond() != null) {        
+      if (keyStore.getSecond() != null) {
         Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond());
-        
         log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext",
             friendlyName, provider.getName());
         sslContextBuilder.setProvider(provider);
-        Security.addProvider(provider);
-        //sslContextBuilder.setSecureRandom(SecureRandom.getInstanceStrong());
         
       }
+      
       if (StringUtils.isNotEmpty(keyAlias)) {
         sslContextBuilder = sslContextBuilder
             .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias));
@@ -185,7 +182,6 @@ public class HttpUtils {
       } else {
         sslContextBuilder = sslContextBuilder
             .loadKeyMaterial(keyStore.getFirst(), keyPassword);
-
       }
 
       if (trustAllServerCertificates) {
-- 
cgit v1.2.3