From f7fd3c35f915dfc7f1d04a2b7288a8fa9aab2558 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Fri, 12 Jun 2020 16:16:31 +0200
Subject: add TrustStore SSLContext builder

---
 .../at/gv/egiz/eaaf/core/impl/http/HttpUtils.java | 116 ++++++++++++++++-----
 1 file changed, 91 insertions(+), 25 deletions(-)

(limited to 'eaaf_core_utils/src/main/java')

diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
index eafd8a04..5035460f 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
@@ -162,42 +162,108 @@ public class HttpUtils { boolean trustAllServerCertificates, @Nonnull String friendlyName) throws EaafConfigurationException, EaafFactoryException { try { - log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString); - final char[] keyPassword = keyPasswordString == null ? StringUtils.EMPTY.toCharArray() - : keyPasswordString.toCharArray(); - SSLContextBuilder sslContextBuilder = SSLContexts.custom(); - if (keyStore.getSecond() != null) { - Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond()); - log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext", - friendlyName, provider.getName()); - sslContextBuilder.setProvider(provider); - - } - if (StringUtils.isNotEmpty(keyAlias)) { - sslContextBuilder = sslContextBuilder - .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias)); - - } else { - sslContextBuilder = sslContextBuilder - .loadKeyMaterial(keyStore.getFirst(), keyPassword); - } - - if (trustAllServerCertificates) { - log.warn("Http-client:{} trusts ALL TLS server-certificates!"); - final TrustStrategy trustStrategy = new TrustAllStrategy(); - sslContextBuilder = sslContextBuilder.loadTrustMaterial(trustStrategy); + injectKeyStore(sslContextBuilder, keyStore, keyAlias, keyPasswordString, friendlyName); + + injectTrustStore(sslContextBuilder, null, trustAllServerCertificates, friendlyName); + + return sslContextBuilder.build(); - } + } catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException + | KeyStoreException e) { + throw new EaafFactoryException(ERROR_03, new Object[] { friendlyName, e.getMessage() }, e); + } + } + + /** + * Initialize a {@link SSLContext} with a {@link KeyStore} that uses X509 Client + * authentication and a custom TrustStore as {@link KeyStore}. + * + * @param keyStore KeyStore with private keys that should be + * used + * @param keyAlias Alias of the key that should be used. 
If + * the alias is null, than the first key that + * is found will be selected. + * @param keyPasswordString Password of the Key in this keystore + * @param trustStore TrustStore with trusted SSL certificates + * @param trustAllServerCertificates Deactivate SSL server-certificate + * validation + * @param friendlyName FriendlyName of the http client for logging + * purposes + * @return {@link SSLContext} with X509 client authentication + * @throws EaafConfigurationException In case of a configuration error + * @throws EaafFactoryException In case of a {@link SSLContext} + * initialization error + */ + public static SSLContext buildSslContextWithSslClientAuthentication(@Nonnull final Pair keyStore, + @Nullable String keyAlias, @Nullable String keyPasswordString, + @Nullable final Pair trustStore, boolean trustAllServerCertificates, + @Nonnull String friendlyName) + throws EaafConfigurationException, EaafFactoryException { + try { + SSLContextBuilder sslContextBuilder = SSLContexts.custom(); + + injectKeyStore(sslContextBuilder, keyStore, keyAlias, keyPasswordString, friendlyName); + + injectTrustStore(sslContextBuilder, trustStore, trustAllServerCertificates, friendlyName); + return sslContextBuilder.build(); } catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException | KeyStoreException e) { throw new EaafFactoryException(ERROR_03, new Object[] { friendlyName, e.getMessage() }, e); + } + } + + private static void injectTrustStore(SSLContextBuilder sslContextBuilder, + Pair trustStore, boolean trustAllServerCertificates, String friendlyName) + throws NoSuchAlgorithmException, KeyStoreException { + + TrustStrategy trustStrategy = null; + if (trustAllServerCertificates) { + log.warn("Http-client:{} trusts ALL TLS server-certificates!", friendlyName); + trustStrategy = new TrustAllStrategy(); + + } + + KeyStore trustStoreImpl = null; + if (trustStore != null) { + log.info("Http-client: {} uses custom TrustStore.", friendlyName); + 
trustStoreImpl = trustStore.getFirst(); + + } + + sslContextBuilder.loadTrustMaterial(trustStoreImpl, trustStrategy); + + } + + private static void injectKeyStore(SSLContextBuilder sslContextBuilder, Pair keyStore, + String keyAlias, String keyPasswordString, String friendlyName) + throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { + if (keyStore.getSecond() != null) { + Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond()); + log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext", + friendlyName, provider.getName()); + sslContextBuilder.setProvider(provider); + + } + + log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString); + final char[] keyPassword = keyPasswordString == null ? StringUtils.EMPTY.toCharArray() + : keyPasswordString.toCharArray(); + + if (StringUtils.isNotEmpty(keyAlias)) { + sslContextBuilder = sslContextBuilder + .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias)); + + } else { + sslContextBuilder = sslContextBuilder + .loadKeyMaterial(keyStore.getFirst(), keyPassword); } + } } -- cgit v1.2.3
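Review bot: `injectKeyStore` still writes the key password in clear text at trace level (`log.trace("Open SSL Client-Auth keystore with password: {}", keyPasswordString)`); trace output routinely lands in log files and aggregators, so the line should name the store rather than the secret, e.g. `log.trace("Open SSL Client-Auth keystore for http-client: {}", friendlyName);`. In `injectTrustStore` only `trustStore.getFirst()` is read, so the Pair's second element (presumably a provider, by analogy with `keyStore.getSecond()`) is silently dropped; either honour it or state in the Javadoc of the new `buildSslContextWithSslClientAuthentication` overload that it is ignored. When `trustAllServerCertificates` is set together with a custom truststore, the `"uses custom TrustStore."` info line is misleading, since `TrustAllStrategy` appears to accept every chain before the store's trust manager is consulted — a warning that the store is bypassed, or rejecting the combination outright, would make the effective trust policy visible in the logs. The signature of the first `buildSslContextWithSslClientAuthentication` overload begins above the hunk.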