| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-10-21 10:21:15 +0200 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-10-21 10:21:15 +0200 | 
| commit | 7720eee7787b2149b36ac76da1b64e416e16d07c (patch) | |
| tree | 3449005fee14728dafdf11e8c2125f095762565e | |
| parent | 6e044fe2eff937e5a4d975005def49ee2e9a06d0 (diff) | |
| download | moa-id-spss-7720eee7787b2149b36ac76da1b64e416e16d07c.tar.gz moa-id-spss-7720eee7787b2149b36ac76da1b64e416e16d07c.tar.bz2 moa-id-spss-7720eee7787b2149b36ac76da1b64e416e16d07c.zip | |
update SSL certificate revocation-checking method-order if the IAIK_PKI module is used
10 files changed, 67 insertions, 47 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 19adfe4c4..dc024e695 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -31,6 +31,7 @@ import java.util.Iterator;  import java.util.List;  import java.util.Map;  import java.util.Map.Entry; +import java.util.Timer;  import javax.xml.namespace.QName; @@ -68,6 +69,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider  //	private static MOAMetadataProvider instance = null;  	MetadataProvider internalProvider = null; +	private Timer timer = null;  	private static Object mutex = new Object();  	//private Map<String, Date> lastAccess = null; @@ -163,10 +165,14 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider  						byte[] cert = Base64Utils.decode(certBase64, false);  						String oaFriendlyName = oaParam.getFriendlyName(); +						if (timer == null) +							timer = new Timer(true); +						  						ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;						  						HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL, 								   								buildMetadataFilterChain(oaParam, metadataURL, cert),  -								oaFriendlyName); +								oaFriendlyName, +								timer);  						chainProvider.addMetadataProvider(newMetadataProvider); 
@@ -374,6 +380,10 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider  			}  			internalProvider = new ChainingMetadataProvider(); +			 +			if (timer != null) +				timer.cancel(); +			  		} else {  			Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy");  		} @@ -414,12 +424,16 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider  								byte[] cert = Base64Utils.decode(certBase64, false); +								if (timer == null) +									timer = new Timer(true); +								  								Logger.info("Loading metadata for: " + oaFriendlyName);					  								if (!providersinuse.containsKey(metadataurl)) {					  									httpProvider = createNewHTTPMetaDataProvider(  											metadataurl,   											buildMetadataFilterChain(oaParam, metadataurl, cert), -											oaFriendlyName); +											oaFriendlyName, +											timer);  									if (httpProvider != null)  										providersinuse.put(metadataurl, httpProvider); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java index 8261a86c1..7a2acee9c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java 
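Review bot: `timer.cancel()` in the -374 hunk leaves the `timer` field non-null, so the `if (timer == null) timer = new Timer(true);` guards (in the -163 hunk on the previous line and in the -414 hunk here) never allocate a replacement after a re-initialisation, and the next HTTPMetadataProvider that schedules its refresh on the cancelled Timer fails with IllegalStateException, leaving that metadata entry unloaded. Clear the reference together with the cancel: `if (timer != null) { timer.cancel(); timer = null; }`. Whether the two lazy initialisations run under the `mutex` declared next to the field is not visible in the hunks; if they do not, two threads can each create a Timer and one daemon thread is leaked, so the guard is worth moving into a single private helper that both call sites use. The enclosing methods start and end outside the hunks.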
@@ -53,12 +53,13 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{  	 * @param metadataURL URL, where the metadata should be loaded  	 * @param filter Filters, which should be used to validate the metadata  	 * @param IdForLogging Id, which is used for Logging +	 * @param timer {@link Timer} which is used to schedule metadata refresh operations  	 *   	 * @return SAML2 Metadata Provider  	 */ -	protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging ) { +	protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging, Timer timer) {  		HTTPMetadataProvider httpProvider = null; -		Timer timer= null; +		//Timer timer= null;  		MOAHttpClient httpClient = null;  		try {			  			httpClient = new MOAHttpClient(); @@ -71,7 +72,8 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{  							AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),  							null,  							AuthConfiguration.DEFAULT_X509_CHAININGMODE,  -							AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking()); +							AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(), +							AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder());  					httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); @@ -81,7 +83,7 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{  				}  			} -			timer = new Timer(true); +//			timer = new Timer(true);  			httpProvider = new HTTPMetadataProvider(timer, httpClient,   					metadataURL);  			httpProvider.setParserPool(new BasicParserPool()); 
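Review bot: The change of timer ownership is expressed by commenting code out (`//Timer timer= null;`, `//timer = new Timer(true);` here and the cancel block in the -121 hunk on the next line) rather than deleting it, which leaves a reader unsure whether the provider is still meant to cancel the timer on failure. Delete the commented lines and state the contract in the Javadoc added in this hunk: `* @param timer {@link Timer} used to schedule metadata refresh operations; it is owned and cancelled by the caller, never by this method`. Whether `HTTPMetadataProvider` tolerates a null timer is not visible here; since the old code always created one, an explicit precondition at the top of the method, `if (timer == null) throw new IllegalArgumentException("timer must not be null");`, would make the new requirement visible to callers. The method body continues past the hunk.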
@@ -121,10 +123,10 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{  				httpProvider.destroy();  			} -			if (timer != null) { -				Logger.debug("Destroy Timer."); -				timer.cancel(); -			} +//			if (timer != null) { +//				Logger.debug("Destroy Timer."); +//				timer.cancel(); +//			}  		} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java index 0426c2a6a..d5ab4b2e7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java @@ -77,7 +77,8 @@ public class MOASAMLSOAPClient {  								AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),  								null,  								AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(),  -								AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking()); +								AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(), +								AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder());  				clientBuilder.setHttpsProtocolSocketFactory(sslprotocolsocketfactory );  			} catch (MOAHttpProtocolSocketFactoryException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java index caf7f570f..784581648 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java 
@@ -129,7 +129,8 @@ public class SSLUtils {  	    					trustStoreURL,   	    					acceptedServerCertURL,   	    					AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(),  -	    					AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),  +	    					AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(), +	    					AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(),  	    					connParam.getClientKeyStore(),   	    					connParam.getClientKeyStorePassword(),   	    					"pkcs12"); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java index 142e9a23a..3b1f0c7b5 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java @@ -54,7 +54,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory  			String trustStoreURL,  			String acceptedServerCertURL,  			String chainingMode, -			boolean checkRevocation +			boolean checkRevocation, +			String[] revocationMethodOrder  			) throws MOAHttpProtocolSocketFactoryException {  		super(); @@ -65,7 +66,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory  					trustStoreURL,   					acceptedServerCertURL,   					chainingMode,  -					checkRevocation,  +					checkRevocation, +					revocationMethodOrder,  					null,   					null,   					null); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java index e0304f928..969de3ce6 100644 
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java @@ -67,6 +67,7 @@ import iaik.pki.PKIFactory;  import iaik.pki.PKIProfile;  import iaik.pki.jsse.IAIKX509TrustManager; +  /**   * <code>TrustManager</code> implementation featuring CRL checking (inherited from   * <code>IAIKX509TrustManager</code>), plus server-end-SSL-certificate checking. @@ -172,7 +173,7 @@ public class MOAIDTrustManager extends IAIKX509TrustManager {  		  throw new NullPointerException("pkiConfig parameter must not be null");  	  } -	   +	  	    	  TransactionId tid = new TransactionIdImpl("Init");  	  log_.info(tid, "Setting up IAIKX509TrustManager", null);  	  if (pkiConfig != null) { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java index a34fa9b8b..9b692c090 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java @@ -77,6 +77,9 @@ public class PKIProfileImpl extends ObservableImpl  	 */  	private boolean revocationChecking; +	 +	private String[] revocationCheckMethode = new String[] {RevocationSourceTypes.CRL}; +	    /**     * The trust profile identifier.      */ 
@@ -141,9 +144,13 @@ public class PKIProfileImpl extends ObservableImpl     * @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate)     */    public String[] getPreferredServiceOrder(X509Certificate arg0) { -    return new String[] {RevocationSourceTypes.CRL}; +    return revocationCheckMethode;    } +  public void setPreferredServiceOrder(String[] order) { +	  this.revocationCheckMethode = order; +  } +      /**     * @see iaik.pki.store.truststore.TrustStoreProfile#getType()     */ diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 6fa4595d8..d2a099c69 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -64,7 +64,6 @@ import at.gv.egovernment.moa.util.KeyStoreUtils;  import iaik.pki.PKIConfiguration;  import iaik.pki.PKIException;  import iaik.pki.PKIFactory; -import iaik.pki.PKIProfile;  //import iaik.pki.jsse.IAIKX509TrustManager;  import iaik.security.provider.IAIK; 
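Review bot: `setPreferredServiceOrder` stores the caller's array by reference and `getPreferredServiceOrder` hands the same array back, so any holder of either array can change the revocation source order of a live trust profile after it has been installed. `SSLUtils.getTrustManagers` (the -231 hunk further down) also calls the setter unconditionally, so a null or empty value from `getRevocationMethodOrder()` (not in the diff; whether it can be null for an unset property is not visible) replaces the CRL default declared on the field in the -77 hunk, and what the IAIK revocation checker does with a null order is not visible either. Treating null/empty as "keep the default" and copying on both sides closes both gaps without touching the callers.
```java
public String[] getPreferredServiceOrder(X509Certificate arg0) {
  return revocationCheckMethode.clone();
}

public void setPreferredServiceOrder(String[] order) {
  if (order == null || order.length == 0) {
    return; // keep the CRL-only default
  }
  this.revocationCheckMethode = order.clone();
}
```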
@@ -94,24 +93,7 @@ public class SSLUtils {    } -   -  /** -   * Creates an <code>SSLSocketFactory</code> which utilizes an -   * <code>IAIKX509TrustManager</code> for the given trust store, -   * and the given key store. -   *  -   * @param conf configuration provider providing a generic properties pointing  -   *         to trusted CA store and certificate store root -   * @param connParam connection parameter containing the client key store settings -   *         to be used in case of client authentication;  -   *         if <code>connParam.getClientKeyStore() == null</code>, client authentication -   *         is assumed to be disabled -   * @return <code>SSLSocketFactory</code> to be used by an <code>HttpsURLConnection</code> -   * @throws IOException thrown while reading key store file -   * @throws GeneralSecurityException thrown while creating the socket factory -   * @throws ConfigurationException on invalid configuration data -   * @throws PKIException while initializing the <code>IAIKX509TrustManager</code> -   */ +    public static SSLSocketFactory getSSLSocketFactory(  		  String url,   		  String certStoreRootDirParam,  @@ -119,9 +101,10 @@ public class SSLUtils {  		  String acceptedServerCertURL,  		  String chainingMode,  		  boolean checkRevocation, +		  String[] revocationMethodOrder,  		  String clientKeyStoreURL,  		  String clientKeyStorePassword, -		  String clientKeyStoreType +		  String clientKeyStoreType		    		  )       throws IOException, GeneralSecurityException, SSLConfigurationException, PKIException { @@ -136,7 +119,8 @@ public class SSLUtils {      		 chainingMode,    		       		 trustStoreURL,       		 acceptedServerCertURL, -    		 checkRevocation); +    		 checkRevocation, +    		 revocationMethodOrder);      KeyManager[] kms = getKeyManagers(        clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword); 
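Review bot: The Javadoc of the public `getSSLSocketFactory` is deleted in the -94 hunk and nothing replaces it, so the new `revocationMethodOrder` parameter, and the existing ones, are now undocumented on a public API. The removed text was already stale (its `@param conf`/`@param connParam` do not match the signature), so rewriting it is the fix rather than dropping it: a short Javadoc with one `@param` per parameter, including `@param revocationMethodOrder preferred order of revocation sources (values of {@code RevocationSourceTypes}) applied via {@link PKIProfileImpl#setPreferredServiceOrder}`, plus `@throws` tags matching the method's `throws` clause. The trailing tab added after `String clientKeyStoreType` in the -119 hunk is whitespace noise worth dropping.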
@@ -231,13 +215,17 @@ public class SSLUtils {     */    private static TrustManager[] getTrustManagers(String certStoreRootDirParam,   		  String chainingMode, String trustStoreURL, String acceptedServerCertURL, -    boolean checkRevocation)  +    boolean checkRevocation, String[] revocationMethodOrder)       throws SSLConfigurationException, PKIException, IOException, GeneralSecurityException {      PKIConfiguration cfg = null;      if (! PKIFactory.getInstance().isAlreadyConfigured())        cfg = new PKIConfigurationImpl(certStoreRootDirParam, chainingMode); -    PKIProfile profile = new PKIProfileImpl(trustStoreURL, checkRevocation); +     +    PKIProfileImpl profile = new PKIProfileImpl(trustStoreURL, checkRevocation); +     +    profile.setPreferredServiceOrder(revocationMethodOrder); +          // This call fixes a bug occuring when PKIConfiguration is      // initialized by the MOA-SP initialization code, in case      // MOA-SP is called by API diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index 7fb0dbb5f..cb1fe36c8 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java 
@@ -210,7 +210,8 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi  							authConfig.getTrustedCACertificates(),  							null,  							AuthConfiguration.DEFAULT_X509_CHAININGMODE,  -							authConfig.isTrustmanagerrevoationchecking()); +							authConfig.isTrustmanagerrevoationchecking(), +							authConfig.getRevocationMethodOrder());  					httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); @@ -306,14 +307,17 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi  				} else {  					//load new Metadata Provider				  					ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;						 -					HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);										 -					chainProvider.addMetadataProvider(newMetadataProvider); +					HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);	 -					emitChangeEvent(); -					Logger.info("eIDAS metadata for "  -							+ metadataURL + " is added."); -					return true; -										 +					if (newMetadataProvider != null) { +						chainProvider.addMetadataProvider(newMetadataProvider); +					 +						emitChangeEvent(); +						Logger.info("eIDAS metadata for "  +								+ metadataURL + " is added."); +						return true; +						 +					}										  				}  			} else diff --git a/repository/iaik/prod/iaik_X509TrustManager/0.3.1/iaik_X509TrustManager-0.3.1.jar b/repository/iaik/prod/iaik_X509TrustManager/0.3.1/iaik_X509TrustManager-0.3.1.jarBinary files differ new file mode 100644 index 000000000..596b9aab2 --- /dev/null +++ b/repository/iaik/prod/iaik_X509TrustManager/0.3.1/iaik_X509TrustManager-0.3.1.jar | 
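Review bot: In the -306 hunk a null return from `createNewHTTPMetaDataProvider(metadataURL)` now falls through the new `if` with no log line at this point, so a failed metadata load for a configured eIDAS endpoint leaves no trace in this method unless `createNewHTTPMetaDataProvider` itself logs the cause (its body is not in the diff). An `else` branch, `} else { Logger.warn("eIDAS metadata for " + metadataURL + " could not be loaded."); }`, keeps the failure visible next to the success message. What the method returns when control falls through the block is outside the hunk.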
