summaryrefslogtreecommitdiff
path: root/src/main/java/at/gv/util/ssl
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2013-12-20 12:35:28 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2013-12-20 12:35:28 +0100
commitdefceef8afef538555c13d33e344a89a828a3d97 (patch)
tree24b44f970f161d5b139dde501ca0f5d883f9fdea /src/main/java/at/gv/util/ssl
downloadegovutils-defceef8afef538555c13d33e344a89a828a3d97.tar.gz
egovutils-defceef8afef538555c13d33e344a89a828a3d97.tar.bz2
egovutils-defceef8afef538555c13d33e344a89a828a3d97.zip
inital
Diffstat (limited to 'src/main/java/at/gv/util/ssl')
-rw-r--r--src/main/java/at/gv/util/ssl/JaxWsSSLConfiguration.java35
-rw-r--r--src/main/java/at/gv/util/ssl/JaxWsSSLConfigurationPropertiesImpl.java61
-rw-r--r--src/main/java/at/gv/util/ssl/SSLUtils.java173
3 files changed, 269 insertions, 0 deletions
diff --git a/src/main/java/at/gv/util/ssl/JaxWsSSLConfiguration.java b/src/main/java/at/gv/util/ssl/JaxWsSSLConfiguration.java
new file mode 100644
index 0000000..789dcbc
--- /dev/null
+++ b/src/main/java/at/gv/util/ssl/JaxWsSSLConfiguration.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2011 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.util.ssl;
+
+import javax.net.ssl.SSLContext;
+
+import at.gv.util.ex.EgovUtilException;
+
+/**
+ * Interface providing an SSL context for handling secure connections in
+ * JAX-WS.
+ *
+ * @author <a href="mailto:Arne.Tauber@egiz.gv.at">Arne Tauber</a>
+ *
+ */
+public interface JaxWsSSLConfiguration {
+
+ SSLContext getSSLContext(boolean forceTrustAllManager) throws EgovUtilException;
+ boolean useLaxHostNameVerifier();
+
+}
diff --git a/src/main/java/at/gv/util/ssl/JaxWsSSLConfigurationPropertiesImpl.java b/src/main/java/at/gv/util/ssl/JaxWsSSLConfigurationPropertiesImpl.java
new file mode 100644
index 0000000..ef8b035
--- /dev/null
+++ b/src/main/java/at/gv/util/ssl/JaxWsSSLConfigurationPropertiesImpl.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2011 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.util.ssl;
+
+import java.util.Properties;
+
+import javax.net.ssl.SSLContext;
+
+import at.gv.util.ex.EgovUtilException;
+
+/**
+ * JAX-WS SSL configuration implementation based on Java properties.
+ *
+ * @author <a href="mailto:Arne.Tauber@egiz.gv.at">Arne Tauber</a>
+ *
+ */
+public class JaxWsSSLConfigurationPropertiesImpl implements JaxWsSSLConfiguration {
+
+ private Properties props = null;
+ private String configDir = null;
+ private String propsPrefix = null;
+
+ public JaxWsSSLConfigurationPropertiesImpl(Properties props, String configDir, String propsPrefix) {
+ if (props == null) {
+ throw new NullPointerException("Argument 'props' must not be null.");
+ }
+ if (configDir == null) {
+ throw new NullPointerException("Argument 'configDir' must not be null.");
+ }
+ if (propsPrefix == null) {
+ throw new NullPointerException("Argument 'propsPrefix' must not be null.");
+ }
+ this.props = props;
+ this.configDir = configDir;
+ this.propsPrefix = propsPrefix;
+ }
+
+ public SSLContext getSSLContext(boolean forceTrustAllManager)
+ throws EgovUtilException {
+ return SSLUtils.getPropertiesSSLContext(this.props, this.configDir, this.propsPrefix, forceTrustAllManager);
+ }
+
+ public boolean useLaxHostNameVerifier() {
+ return SSLUtils.useLaxHostNameVerifier(this.props, this.propsPrefix);
+ }
+
+}
diff --git a/src/main/java/at/gv/util/ssl/SSLUtils.java b/src/main/java/at/gv/util/ssl/SSLUtils.java
new file mode 100644
index 0000000..47b71ab
--- /dev/null
+++ b/src/main/java/at/gv/util/ssl/SSLUtils.java
@@ -0,0 +1,173 @@
+/*
+ * Copyright 2011 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.util.ssl;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.util.Properties;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.util.TrustAllManager;
+import at.gv.util.ex.EgovUtilException;
+
+/**
+ * Some utility methods for SSL handling.
+ *
+ * @author <a href="mailto:Arne.Tauber@egiz.gv.at">Arne Tauber</a>
+ *
+ */
+public class SSLUtils {
+
+ private static Logger log = LoggerFactory.getLogger(SSLUtils.class);
+
+ public static boolean useLaxHostNameVerifier(Properties props, String propsPrefix) {
+ try {
+ return Boolean.parseBoolean(props.getProperty(propsPrefix + ".ssl.laxhostnameverification"));
+ } catch(Exception e) {
+ return false;
+ }
+ }
+
+ public static SSLContext getPropertiesSSLContext(Properties props, String configDir, String propsPrefix, boolean forceTrustAllManager) throws EgovUtilException {
+ log.trace("Configuring SSL socket factory.");
+ if (props == null) {
+ throw new NullPointerException("Argument 'properties' must not be null.");
+ }
+ if (configDir == null) {
+ throw new NullPointerException("Argument 'configDir' must not be null.");
+ }
+ boolean hasSSLConfigured = props.getProperty(propsPrefix + ".ssl.keystore.file") != null ||
+ props.getProperty(propsPrefix + ".ssl.truststore.file") != null ||
+ "true".equalsIgnoreCase(props.getProperty(propsPrefix + ".ssl.trustall"));
+
+ log.trace("SSL enabled: " + hasSSLConfigured);
+ if (hasSSLConfigured) {
+ log.trace("Configuring using standard JKS or PKCS12 keystore/truststore.");
+ try {
+ SSLContext context = SSLContext.getInstance("TLS");
+
+ // load client key store
+ KeyManager[] keyManager = null;
+ if (props.getProperty(propsPrefix + ".ssl.keystore.file") != null) {
+ log.trace("Keystore definition found.");
+ String keyStoreFileName = props.getProperty(propsPrefix + ".ssl.keystore.file");
+ File keyTmp = new File(keyStoreFileName);
+ File keyStoreFile = null;
+ if (keyTmp.isAbsolute()) {
+ keyStoreFile = keyTmp;
+ } else {
+ keyStoreFile = new File(configDir, keyStoreFileName);
+ }
+ log.trace("Key store location: " + keyStoreFile);
+ String keyStorePassword = props.getProperty(propsPrefix + ".ssl.keystore.password");
+ if (keyStorePassword == null) {
+ log.trace("No keystore password set in configuration, using empty password.");
+ keyStorePassword = "";
+ }
+ String keyStoreType = props.getProperty(propsPrefix + ".ssl.keystore.type");
+ if (keyStoreType == null) {
+ log.trace("No keystore type set in configuration, using default JKS.");
+ keyStoreType = "JKS";
+ }
+ log.trace("Key store type: " + keyStoreType);
+ KeyStore clientStore = KeyStore.getInstance(keyStoreType);
+ clientStore.load(new FileInputStream(keyStoreFile), keyStorePassword.toCharArray());
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+ kmf.init(clientStore, keyStorePassword.toCharArray());
+ keyManager = kmf.getKeyManagers();
+ } else {
+ log.trace("No keystore definition found. Not using SSL client authentication.");
+ }
+ // load trust store
+ TrustManager[] trustManager = null;
+ if (forceTrustAllManager || "true".equalsIgnoreCase(props.getProperty(propsPrefix + ".ssl.trustall"))) {
+ log.info("Trust all property is switched on. This setting is not recommended.");
+ trustManager = new TrustManager[] { new TrustAllManager() };
+ } else if (props.getProperty(propsPrefix + ".ssl.truststore.file") != null) {
+ log.trace("Using standard trust store mechanism (truststore file definition found).");
+ String trustStoreFileName = props.getProperty(propsPrefix + ".ssl.truststore.file");
+ File trustTmp = new File(trustStoreFileName);
+ File trustStoreFile = null;
+ if (trustTmp.isAbsolute()) {
+ trustStoreFile = trustTmp;
+ } else {
+ trustStoreFile = new File(configDir, trustStoreFileName);
+ }
+ log.trace("Trust store file location: " + trustStoreFile);
+ if (trustStoreFile == null) {
+ throw new EgovUtilException("Please set a trust store in your configuration or switch the trust all property on.");
+ }
+ String trustStorePassword = props.getProperty(propsPrefix + ".ssl.truststore.password");
+ if (trustStorePassword == null) {
+ log.trace("No truststore password set in configuration, using empty password.");
+ trustStorePassword = "";
+ }
+ String trustStoreType = props.getProperty(propsPrefix + ".ssl.truststore.type");
+ if (trustStoreType == null) {
+ log.trace("No truststore type set in configuration, using default JKS.");
+ trustStoreType = "JKS";
+ }
+ log.trace("Trust store type: " + trustStoreType);
+ KeyStore trustStore = KeyStore.getInstance(trustStoreType);
+ trustStore.load(new FileInputStream(trustStoreFile), trustStorePassword.toCharArray());
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+ tmf.init(trustStore);
+ trustManager = tmf.getTrustManagers();
+ } else {
+ log.warn("No truststore definition found. Using standard Java truststore mechanism.");
+ }
+ context.init(keyManager, trustManager, new SecureRandom());
+ return context;
+ } catch (NoSuchAlgorithmException e) {
+ throw new EgovUtilException(e);
+ } catch (KeyStoreException e) {
+ throw new EgovUtilException(e);
+ } catch (CertificateException e) {
+ throw new EgovUtilException(e);
+ } catch (FileNotFoundException e) {
+ throw new EgovUtilException(e);
+ } catch (IOException e) {
+ throw new EgovUtilException(e);
+ } catch (UnrecoverableKeyException e) {
+ throw new EgovUtilException(e);
+ } catch (KeyManagementException e) {
+ throw new EgovUtilException(e);
+ }
+ } else {
+ throw new EgovUtilException("Please provide an SSL configuration in your properties file.");
+ }
+ }
+
+
+}