From f62bafa252e6e0dfaaa9ba4acbc34b47ee627e21 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Mon, 17 Feb 2020 17:54:04 +0100
Subject: update EaafKeyStoreFactory to get the Security Provider if the KeyStore depends on a special provider implementation

---
 .../core/impl/credential/EaafKeyStoreFactory.java | 35 ++++++++++++++--------
 .../eaaf/core/impl/utils/HttpClientFactory.java   | 29 +++++++++---------
 2 files changed, 37 insertions(+), 27 deletions(-)

(limited to 'eaaf_core_utils/src/main')

diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
index 5e6ca34b..5936e106 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
@@ -2,10 +2,12 @@ package at.gv.egiz.eaaf.core.impl.credential;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.Key;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
+import java.security.Provider;
 import java.security.Security;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
@@ -15,11 +17,6 @@ import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import javax.annotation.PostConstruct;
 
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.ResourceLoader;
-
 import at.asitplus.hsmfacade.provider.HsmFacadeProvider;
 import at.asitplus.hsmfacade.provider.RemoteKeyStoreLoadParameter;
 import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
@@ -27,8 +24,15 @@ import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException;
 import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
 import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
@@ -64,10 +68,12 @@ public class EaafKeyStoreFactory {
    * Get a new KeyStore based on a KeyStore configuration-object.
    *
    * @param config KeyStore configuration
-   * @return new KeyStore instance
+   * @return {@link Pair} of a new KeyStore instance and an optional {@link Provider}. If the {@link Provider}
+   *         is not null this {@link KeyStore} requires a specific {@link Provider} for {@link Key} operations.
    * @throws EaafException In case of a KeyStore initialization error
    */
-  public KeyStore buildNewKeyStore(KeyStoreConfiguration config) throws EaafException {
+  @Nonnull
+  public Pair buildNewKeyStore(KeyStoreConfiguration config) throws EaafException {
     log.trace("Starting KeyStore generation based on configuration object ... ");
     if (KeyStoreType.PKCS12.equals(config.getKeyStoreType())
         || KeyStoreType.JKS.equals(config.getKeyStoreType())) {
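Review bot: Changing the public return type of `buildNewKeyStore` from `KeyStore` to `Pair` is a source-incompatible change for every existing caller; this commit only updates `HttpClientFactory`, and since the view is limited to `eaaf_core_utils/src/main`, any caller outside this module presumably still expects a `KeyStore`, so a thin `KeyStore`-returning overload or a release note would be prudent. The return type is shown here as a bare `Pair`; if the type parameters were not simply lost in rendering, declare it as `Pair<KeyStore, Provider>` so that `.getFirst()` in `HttpClientFactory` compiles without a cast. The new `@return` text could also state the concrete contract the two private builders establish: `the second element is null for file-system (PKCS12/JKS) KeyStores and the KeyStore's own Provider for HSM-Facade KeyStores`. The method body continues outside the hunk.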
@@ -127,7 +133,8 @@ public class EaafKeyStoreFactory {
         final HsmFacadeProvider provider = HsmFacadeProvider.Companion.getInstance();
         provider.init(getHsmFacadeTrustSslCertificate(), clientUsername, clientPassword, hsmFacadeHost, port,
             hsmName);
-        Security.addProvider(provider);
+        //Security.addProvider(provider);
+        Security.insertProviderAt(provider, 0);
         isHsmFacadeInitialized = true;
         log.info("HSM Facade is initialized. {} can provide KeyStores based on remote HSM",
             EaafKeyStoreFactory.class.getSimpleName());
@@ -148,8 +155,9 @@ public class EaafKeyStoreFactory {
 
   }
 
-  private KeyStore getKeyStoreFromFileSystem(KeyStoreConfiguration config) throws EaafConfigurationException,
-      EaafFactoryException {
+  @Nonnull
+  private Pair getKeyStoreFromFileSystem(KeyStoreConfiguration config)
+      throws EaafConfigurationException, EaafFactoryException {
     try {
       final String keyStorePath = checkConfigurationParameter(config.getSoftKeyStoreFilePath(), ERRORCODE_06,
           config.getFriendlyName(), "Software-KeyStore missing filepath to KeyStore");
@@ -176,7 +184,7 @@ public class EaafKeyStoreFactory {
 
       }
 
-      return keyStore;
+      return Pair.newInstance(keyStore, null);
 
     } catch (KeyStoreException | IOException e) {
       log.error("Software KeyStore initialization FAILED with an generic error.", e);
@@ -185,7 +193,8 @@ public class EaafKeyStoreFactory {
     }
   }
 
-  private KeyStore getKeyStoreFromHsmFacade(KeyStoreConfiguration config)
+  @Nonnull
+  private Pair getKeyStoreFromHsmFacade(KeyStoreConfiguration config)
       throws EaafFactoryException, EaafConfigurationException {
     final String keyStoreName = checkConfigurationParameter(config.getKeyStoreName(), ERRORCODE_06,
         config.getFriendlyName(), "KeyStoreName missing for HSM Facade");
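Review bot: `Security.insertProviderAt(provider, 0)` does not give the HSM provider top preference: the position argument is 1-based, and the JDK treats a position below 1 as out of range and appends the provider at the end of the list, which is exactly what the replaced `Security.addProvider(provider)` did, so the change is a no-op. If top preference is really intended the call is `Security.insertProviderAt(provider, 1);`, but that is a JVM-global change which makes every unqualified `getInstance` lookup prefer the remote HSM provider for whatever algorithms it registers, and is hard to reason about for unrelated crypto in the same process; since this commit already hands the `Provider` back to callers through the `Pair`, passing it explicitly where a key operation needs it is the safer route and makes the reordering unnecessary. Either way the commented-out `//Security.addProvider(provider);` line should be deleted rather than kept. The enclosing method starts and ends outside the hunk.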
@@ -193,7 +202,7 @@ public class EaafKeyStoreFactory {
     try {
       final KeyStore keyStore = KeyStore.getInstance(HSM_FACADE_KEYSTORE_TYPE, HSM_FACADE_PROVIDER);
       keyStore.load(new RemoteKeyStoreLoadParameter(keyStoreName));
-      return keyStore;
+      return Pair.newInstance(keyStore, keyStore.getProvider());
 
     } catch (NoSuchAlgorithmException | CertificateException | IOException | KeyStoreException
         | NoSuchProviderException e) {
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java
index ade0c28d..e681e705 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/HttpClientFactory.java
@@ -10,6 +10,13 @@ import javax.annotation.PostConstruct;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+
 import org.apache.commons.lang3.StringUtils;
 import org.apache.http.HttpRequest;
 import org.apache.http.HttpResponse;
@@ -38,12 +45,6 @@ import org.apache.http.ssl.SSLContexts;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.io.ResourceLoader;
 
-import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
@@ -51,10 +52,10 @@ public class HttpClientFactory implements IHttpClientFactory {
 
   @Autowired(required = true)
   private IConfiguration basicConfig;
-  
+
   @Autowired(required = true)
   ResourceLoader resourceLoader;
-  
+
   @Autowired
   private EaafKeyStoreFactory keyStoreFactory;
   public static final String PROP_CONFIG_CLIENT_HTTP_CONNECTION_POOL_USE =
@@ -79,7 +80,7 @@ public class HttpClientFactory implements IHttpClientFactory {
       "client.auth.ssl.keystore.path";
   public static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_PASSORD =
       "client.auth.ssl.keystore.password";
-  private static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_NAME = 
+  private static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_NAME =
       "client.auth.ssl.keystore.name";
   public static final String PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_TYPE =
       "client.auth.ssl.keystore.type";
@@ -269,18 +270,18 @@ public class HttpClientFactory implements IHttpClientFactory {
         .getBasicConfiguration(PROP_CONFIG_CLIENT_AUTH_SSL_KEYSTORE_NAME, StringUtils.EMPTY);
 
     try {
-      KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
+      final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
       keyStoreConfig.setKeyStoreType(keyStoreType);
       keyStoreConfig.setFriendlyName("HttpClient Keystore");
       keyStoreConfig.setSoftKeyStoreFilePath(localKeyStorePath);
       keyStoreConfig.setSoftKeyStorePassword(keyStorePassword);
       keyStoreConfig.setKeyStoreName(keyStoreName);
-      
+
       log.debug("Open keyStore with type: {}", keyStoreType);
-      KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
-      
+      final KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig).getFirst();
+
       return keyStore;
-      
+
     } catch (final EaafException e) {
       log.warn("Can NOT read keyStore: {} from filesystem", localKeyStorePath, null, e);
       throw new EaafConfigurationException("Can NOT read keyStore: {} from filesystem",
-- 
cgit v1.2.3
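Review bot: `keyStoreFactory.buildNewKeyStore(keyStoreConfig).getFirst()` discards the `Provider` that the factory now returns precisely so callers can honour it; the configuration built here sets `keyStoreName`, so an HSM-Facade keystore appears reachable, and in that case the `KeyStore` is handed on without the provider it requires, leaving whatever builds the SSL key material from it (outside this hunk) to provider-less lookups. Either propagate the pair, or at least its provider, to the SSLContext setup, or fail fast by storing the pair in a local and throwing an `EaafConfigurationException` with a clear message when its second element is not null, rather than silently dropping it. The enclosing method starts and ends outside the hunk.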