authorThomas Lenz <tlenz@iaik.tugraz.at>2014-05-07 10:48:09 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-05-07 10:48:09 +0200
commit0cdb39bbfbacbea3f809872f2570709eeca91ccf (patch)
treec9a5c173c2c448d92713c6073cca523c93b49994 /id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
parentb5250268a67a571d0cd5563b8820c88c2c4e7cca (diff)
downloadmoa-id-spss-0cdb39bbfbacbea3f809872f2570709eeca91ccf.tar.gz
moa-id-spss-0cdb39bbfbacbea3f809872f2570709eeca91ccf.tar.bz2
moa-id-spss-0cdb39bbfbacbea3f809872f2570709eeca91ccf.zip
move SSLSocketFactory to moa-id-commons
Diffstat (limited to 'id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java')
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java178
1 files changed, 178 insertions, 0 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
new file mode 100644
index 000000000..eed8b25e0
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -0,0 +1,178 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import iaik.pki.PKIConfiguration;
+import iaik.pki.PKIException;
+import iaik.pki.PKIFactory;
+import iaik.pki.PKIProfile;
+import iaik.pki.jsse.IAIKX509TrustManager;
+import iaik.security.provider.IAIK;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+
+import at.gv.egovernment.moa.logging.Logger;
+
+
+/**
+ * Utility for a obtaining a secure socket factory using <code>IAIKX509TrustManager</code>.
+ * This <code>TrustManager</code> implementation features CRL checking.<br/>
+ * <code>SSLUtils</code> caches secure socket factories for given <code>ConnectionParameter</code>s.
+ *
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class SSLUtils {
+
+ /** SSLSocketFactory store, mapping URL->SSLSocketFactory **/
+ private static Map<String, SSLSocketFactory> sslSocketFactories = new HashMap<String, SSLSocketFactory>();
+
+ /**
+ * Initializes the SSLSocketFactory store.
+ */
+ public static void initialize() {
+ sslSocketFactories = new HashMap<String, SSLSocketFactory>();
+ // JSSE Abhängigkeit
+ //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
+ Security.addProvider(new IAIK());
+ //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
+
+
+ }
+
+ /**
+ * Creates an <code>SSLSocketFactory</code> which utilizes an
+ * <code>IAIKX509TrustManager</code> for the given trust store,
+ * and the given key store.
+ *
+ * @param conf configuration provider providing a generic properties pointing
+ * to trusted CA store and certificate store root
+ * @param connParam connection parameter containing the client key store settings
+ * to be used in case of client authentication;
+ * if <code>connParam.getClientKeyStore() == null</code>, client authentication
+ * is assumed to be disabled
+ * @return <code>SSLSocketFactory</code> to be used by an <code>HttpsURLConnection</code>
+ * @throws IOException thrown while reading key store file
+ * @throws GeneralSecurityException thrown while creating the socket factory
+ * @throws ConfigurationException on invalid configuration data
+ * @throws PKIException while initializing the <code>IAIKX509TrustManager</code>
+ */
+ public static SSLSocketFactory getSSLSocketFactory(
+ String url,
+ String certStoreRootDirParam,
+ String trustStoreURL,
+ String acceptedServerCertURL,
+ String chainingMode,
+ boolean checkRevocation,
+ String clientKeyStoreURL,
+ String clientKeyStorePassword,
+ String clientKeyStoreType
+ )
+ throws IOException, GeneralSecurityException, SSLConfigurationException, PKIException {
+
+ Logger.debug("Get SSLSocketFactory for " + url);
+ // retrieve SSLSocketFactory if already created
+ SSLSocketFactory ssf = (SSLSocketFactory)sslSocketFactories.get(url);
+ if (ssf != null)
+ return ssf;
+
+ TrustManager[] tms = getTrustManagers(
+ certStoreRootDirParam,
+ chainingMode,
+ trustStoreURL,
+ acceptedServerCertURL,
+ checkRevocation);
+
+ KeyManager[] kms = at.gv.egovernment.moa.util.SSLUtils.getKeyManagers(
+ clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword);
+ SSLContext ctx = SSLContext.getInstance("TLS");
+ ctx.init(kms, tms, null); ssf = ctx.getSocketFactory();
+ // store SSLSocketFactory
+ sslSocketFactories.put(url, ssf);
+ return ssf;
+ }
+
+
+ /**
+ * Initializes an <code>IAIKX509TrustManager</code> for a given trust store,
+ * using configuration data.
+ *
+ * @param conf MOA-ID configuration provider
+ * @param trustStoreURL trust store URL
+ * @param acceptedServerCertURL file URL pointing to directory containing accepted server SSL certificates
+ * @return <code>TrustManager</code> array containing the <code>IAIKX509TrustManager</code>
+ * @throws ConfigurationException on invalid configuration data
+ * @throws IOException on data-reading problems
+ * @throws PKIException while initializing the <code>IAIKX509TrustManager</code>
+ */
+ public static TrustManager[] getTrustManagers(String certStoreRootDirParam,
+ String chainingMode, String trustStoreURL, String acceptedServerCertURL,
+ boolean checkRevocation)
+ throws SSLConfigurationException, PKIException, IOException, GeneralSecurityException {
+
+ PKIConfiguration cfg = null;
+ if (! PKIFactory.getInstance().isAlreadyConfigured())
+ cfg = new PKIConfigurationImpl(certStoreRootDirParam, chainingMode);
+ PKIProfile profile = new PKIProfileImpl(trustStoreURL, checkRevocation);
+ // This call fixes a bug occuring when PKIConfiguration is
+ // initialized by the MOA-SP initialization code, in case
+ // MOA-SP is called by API
+ MOAIDTrustManager.initializeLoggingContext();
+ IAIKX509TrustManager tm = new MOAIDTrustManager(acceptedServerCertURL);
+ tm.init(cfg, profile);
+ return new TrustManager[] {tm};
+ }
+}
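Review bot: The factory cache `sslSocketFactories` is a plain static `HashMap` that `getSSLSocketFactory` reads and writes without any synchronization, and `initialize()` swaps the map reference outright, so concurrent callers in a server can race on the `put` or observe a partially built map; the cache is also keyed by `url` alone, so a later call with the same URL but a different trust store, revocation setting or client key store silently receives the factory built for the first call. I would declare it `private static final Map<String, SSLSocketFactory> sslSocketFactories = new ConcurrentHashMap<String, SSLSocketFactory>();` (importing `java.util.concurrent.ConcurrentHashMap`), have `initialize()` call `sslSocketFactories.clear();` instead of reassigning, and either include every parameter that influences the factory in the key or document in the Javadoc that the URL must uniquely determine the trust and key store settings. The Javadoc on `getSSLSocketFactory` and `getTrustManagers` still describes `conf`/`connParam` parameters and a `ConfigurationException` that do not exist in the new signatures (the thrown type is `SSLConfigurationException`); the `@param` tags should be rewritten for `url`, `certStoreRootDirParam`, `trustStoreURL`, `acceptedServerCertURL`, `chainingMode`, `checkRevocation` and the three `clientKeyStore*` arguments, and `@throws SSLConfigurationException` should replace the stale tag. The redundant `(SSLSocketFactory)` cast on the generic `get` and the two statements sharing the `ctx.init(kms, tms, null);` line are minor style points worth fixing at the same time.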