authorThomas Lenz <tlenz@iaik.tugraz.at>2014-05-07 15:49:27 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-05-07 15:49:27 +0200
commitb0782a62b34a8343968a456ed754f55cc41daf0f (patch)
treecb57bc6017055cdfbb0e77243831708af1ac8e3b
parent0cdb39bbfbacbea3f809872f2570709eeca91ccf (diff)
add customized HttpClient which can use the MOA Truststore to verify SSL connections
-rw-r--r--id/server/moa-id-commons/pom.xml4
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java42
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java129
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java12
-rw-r--r--id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java100
5 files changed, 285 insertions, 2 deletions
diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml
index 81513518f..1831d0e1c 100644
--- a/id/server/moa-id-commons/pom.xml
+++ b/id/server/moa-id-commons/pom.xml
@@ -65,6 +65,10 @@
<version>3.3.1</version>
</dependency>
<dependency>
+ <groupId>commons-httpclient</groupId>
+ <artifactId>commons-httpclient</artifactId>
+ </dependency>
+ <dependency>
<groupId>MOA</groupId>
<artifactId>moa-common</artifactId>
<type>jar</type>
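Review bot: The new commons-httpclient dependency carries no `<version>`, so resolution depends on a dependencyManagement entry in a parent POM that this hunk does not show; if none exists the module fails to build. Commons HttpClient 3.x is end-of-life and no longer receives security fixes, which matters here because the commit uses it specifically for TLS trust handling; Apache HttpComponents HttpClient is its maintained successor and also accepts a custom socket factory. If staying on 3.x is intended, pinning the version explicitly and recording the rationale in an XML comment next to the dependency would help the next maintainer.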
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java
new file mode 100644
index 000000000..c6d8b1d79
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.commons.ex;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAHttpProtocolSocketFactoryException extends Exception {
+
+ private static final long serialVersionUID = 4934502074731319897L;
+
+
+ public MOAHttpProtocolSocketFactoryException(String message) {
+ super(message);
+ }
+
+ public MOAHttpProtocolSocketFactoryException(String message, Throwable e) {
+ super(message, e );
+ }
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
new file mode 100644
index 000000000..3b6fc34ea
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.commons.utils;
+
+import iaik.pki.PKIException;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.GeneralSecurityException;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+
+import org.apache.commons.httpclient.ConnectTimeoutException;
+import org.apache.commons.httpclient.params.HttpConnectionParams;
+import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
+
+import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
+import at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory {
+
+
+
+ private SSLSocketFactory sslfactory = null;
+
+ public MOAHttpProtocolSocketFactory (
+ String url,
+ String certStoreRootDirParam,
+ String trustStoreURL,
+ String acceptedServerCertURL,
+ ChainingModeType chainingMode,
+ boolean checkRevocation
+ ) throws MOAHttpProtocolSocketFactoryException {
+ super();
+
+ try {
+ this.sslfactory = SSLUtils.getSSLSocketFactory(
+ url,
+ certStoreRootDirParam,
+ trustStoreURL,
+ acceptedServerCertURL,
+ chainingMode.value(),
+ checkRevocation,
+ null,
+ null,
+ null);
+
+ } catch (IOException e) {
+ throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e);
+
+ } catch (GeneralSecurityException e) {
+ throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e);
+
+ } catch (SSLConfigurationException e) {
+ throw new MOAHttpProtocolSocketFactoryException("SSL Configuration loading FAILED.", e);
+
+ } catch (PKIException e) {
+ throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e);
+
+ }
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int)
+ */
+ public Socket createSocket(String host, int port, InetAddress localAddress,
+ int localPort) throws IOException, UnknownHostException {
+ return this.sslfactory.createSocket(host, port,
+ localAddress, localPort);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int, org.apache.commons.httpclient.params.HttpConnectionParams)
+ */
+ public Socket createSocket(String host, int port, InetAddress localAddress,
+ int localPort, HttpConnectionParams params) throws IOException,
+ UnknownHostException, ConnectTimeoutException {
+ return this.sslfactory.createSocket(host, port,
+ localAddress, localPort);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int)
+ */
+ public Socket createSocket(String host, int port) throws IOException,
+ UnknownHostException {
+ return this.sslfactory.createSocket(host, port);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory#createSocket(java.net.Socket, java.lang.String, int, boolean)
+ */
+ public Socket createSocket(Socket socket, String host, int port,
+ boolean autoClose) throws IOException, UnknownHostException {
+ return this.sslfactory.createSocket(socket, host,
+ port, autoClose);
+ }
+
+}
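Review bot: `createSocket(String, int, InetAddress, int, HttpConnectionParams)` ignores `params`, so the connection timeout configured on the client is never applied to TLS connections and `ConnectTimeoutException`, although declared, can never be thrown; an unresponsive peer blocks the calling thread indefinitely. The standard commons-httpclient factories read `params.getConnectionTimeout()` and, when it is non-zero, create an unconnected socket and `connect` with that timeout, as sketched below (needs `java.net.InetSocketAddress` and `java.net.SocketTimeoutException`). Separately, a socket obtained from a plain `SSLSocketFactory` gets chain validation through the configured trust manager but no hostname verification unless the trust manager or the JSSE endpoint-identification setting provides it — worth confirming against `SSLUtils` and the IAIK trust manager and stating on the class, since `acceptedServerCertURL` suggests certificate pinning rather than name checking. A short class Javadoc saying what is and is not verified would replace the empty `@author` block.
```java
public Socket createSocket(String host, int port, InetAddress localAddress,
        int localPort, HttpConnectionParams params) throws IOException,
        UnknownHostException, ConnectTimeoutException {
    if (params == null) {
        throw new IllegalArgumentException("Parameters may not be null");
    }
    int timeout = params.getConnectionTimeout();
    if (timeout == 0) {
        return createSocket(host, port, localAddress, localPort);
    }
    Socket socket = this.sslfactory.createSocket();
    socket.bind(new InetSocketAddress(localAddress, localPort));
    try {
        socket.connect(new InetSocketAddress(host, port), timeout);
    } catch (SocketTimeoutException e) {
        throw new ConnectTimeoutException("Connect to " + host + ":" + port + " timed out", e);
    }
    return socket;
}
// … unchanged: remaining createSocket overloads …
```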
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index eed8b25e0..68437a04d 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -139,12 +139,19 @@ public class SSLUtils {
KeyManager[] kms = at.gv.egovernment.moa.util.SSLUtils.getKeyManagers(
clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword);
SSLContext ctx = SSLContext.getInstance("TLS");
- ctx.init(kms, tms, null); ssf = ctx.getSocketFactory();
+ ctx.init(kms, tms, null);
+ ssf = ctx.getSocketFactory();
// store SSLSocketFactory
sslSocketFactories.put(url, ssf);
return ssf;
}
+ public static void removeSSLSocketFactory(String url) {
+ Logger.info("Remove SSLSocketFactory for URL " + url);
+ if (sslSocketFactories.containsKey(url))
+ sslSocketFactories.remove(url);
+
+ }
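Review bot: `removeSSLSocketFactory` is undocumented and its `containsKey` check before `remove` is redundant — `Map.remove` on an absent key is a no-op, so `sslSocketFactories.remove(url);` alone suffices; if `sslSocketFactories` (declared outside this hunk) is not a concurrent map, the check-then-remove is also a small race. The Javadoc should state why removal exists at all: the cache is keyed by `url` only, so a later `getSSLSocketFactory` call with a different trust store, chaining mode or revocation setting for the same URL is served the previously built factory until the caller removes it. Suggested: `/** Drops the cached SSLSocketFactory for {@code url}; call this before {@link #getSSLSocketFactory} when the trust-store configuration for that URL changes, since the cache is keyed by URL only. */`.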
/**
* Initializes an <code>IAIKX509TrustManager</code> for a given trust store,
@@ -158,7 +165,7 @@ public class SSLUtils {
* @throws IOException on data-reading problems
* @throws PKIException while initializing the <code>IAIKX509TrustManager</code>
*/
- public static TrustManager[] getTrustManagers(String certStoreRootDirParam,
+ private static TrustManager[] getTrustManagers(String certStoreRootDirParam,
String chainingMode, String trustStoreURL, String acceptedServerCertURL,
boolean checkRevocation)
throws SSLConfigurationException, PKIException, IOException, GeneralSecurityException {
@@ -175,4 +182,5 @@ public class SSLUtils {
tm.init(cfg, profile);
return new TrustManager[] {tm};
}
+
}
diff --git a/id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java b/id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java
new file mode 100644
index 000000000..e4aa6a284
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java
@@ -0,0 +1,100 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package org.apache.commons.httpclient;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+import org.apache.commons.httpclient.HostConfiguration;
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.HttpException;
+import org.apache.commons.httpclient.HttpMethod;
+import org.apache.commons.httpclient.HttpMethodDirector;
+import org.apache.commons.httpclient.HttpState;
+import org.apache.commons.httpclient.URI;
+import org.apache.commons.httpclient.protocol.Protocol;
+import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
+
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+
+/**
+ * @author tlenz
+ *
+ *HTTP client which can be used with MOA SSL TrustStore implementation
+ *
+ */
+public class MOAHttpClient extends HttpClient {
+
+
+ public void setCustomSSLTrustStore(String metadataURL, SecureProtocolSocketFactory protoSocketFactory) throws MOAHttpProtocolSocketFactoryException, MalformedURLException {
+ ;
+
+ URL url = new URL(metadataURL);
+ int port = -1;
+ if (url.getPort() < 0)
+ port = url.getDefaultPort();
+ else
+ port = url.getPort();
+
+ Protocol authhttps = new Protocol("https", protoSocketFactory, port);
+ getHostConfiguration().setHost(url.getHost(), port, authhttps);
+
+ }
+
+ public int executeMethod(HostConfiguration hostconfig,
+ final HttpMethod method, final HttpState state)
+ throws IOException, HttpException {
+
+ if (method == null) {
+ throw new IllegalArgumentException("HttpMethod parameter may not be null");
+ }
+ HostConfiguration defaulthostconfig = getHostConfiguration();
+ if (hostconfig == null) {
+ hostconfig = defaulthostconfig;
+ }
+ URI uri = method.getURI();
+ if (hostconfig == defaulthostconfig || uri.isAbsoluteURI()) {
+ // make a deep copy of the host defaults
+ hostconfig = (HostConfiguration) hostconfig.clone();
+
+ /**
+ * Only build default host with default protocol if protocol is empty
+ *
+ * In case of https, the methode setCustomSSLTrustStore can be used to set a
+ * the MOA TrustStore for SSL connection validation
+ */
+ if (uri.isAbsoluteURI() && hostconfig.getProtocol() == null) {
+ hostconfig.setHost(uri);
+ }
+ }
+
+ HttpMethodDirector methodDirector = new HttpMethodDirector(
+ getHttpConnectionManager(),
+ hostconfig,
+ getParams(),
+ (state == null ? getState() : state));
+ methodDirector.executeMethod(method);
+ return method.getStatusCode();
+ }
+}
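Review bot: The guard `uri.isAbsoluteURI() && hostconfig.getProtocol() == null` in `executeMethod` skips `setHost(uri)` whenever a protocol has already been set, so after `setCustomSSLTrustStore` a method with an absolute URI to a different host (a redirect target, for example) is silently sent to the configured host with only the path taken from the URI. The guard should at least compare hosts — `if (uri.isAbsoluteURI() && (hostconfig.getProtocol() == null || !uri.getHost().equalsIgnoreCase(hostconfig.getHost()))) { hostconfig.setHost(uri); }` — and the maintainers should decide whether a mismatch falls back to the default https protocol, as that does, or fails closed with an `HttpException`. `setCustomSSLTrustStore` never checks that `metadataURL` is https, so an http URL yields an `https` Protocol bound to port 80; it also declares `MOAHttpProtocolSocketFactoryException` without ever throwing it and opens with a stray `;`. Placing the class in `org.apache.commons.httpclient` presumably serves to reach the package-private `HttpMethodDirector`; a one-line comment saying so would spare the next reader the question.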