author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-07-25 16:11:25 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-07-25 16:11:25 +0200 |
commit | 040e51d335d3af127c3894bd5558a484ddd9b9ea (patch) | |
tree | 6a7f0935a36318a38b87e4acd725b0776924c75a /id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils | |
parent | c4fe089610dba3d6e8929f6e163538dfae0d18da (diff) | |
download | moa-id-spss-040e51d335d3af127c3894bd5558a484ddd9b9ea.tar.gz moa-id-spss-040e51d335d3af127c3894bd5558a484ddd9b9ea.tar.bz2 moa-id-spss-040e51d335d3af127c3894bd5558a484ddd9b9ea.zip |
Revert "betaversion for a workaround to solve problem with Java8 >= 141 and SHA1 certificates in certificate chain"
This reverts commit c4fe089610dba3d6e8929f6e163538dfae0d18da.
Diffstat (limited to 'id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils')
3 files changed, 1 insertions, 445 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java deleted file mode 100644 index 8f367598d..000000000 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java +++ /dev/null 
@@ -1,175 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. 
- */ -package at.gv.egovernment.moa.id.commons.utils.ssl; - -import java.security.AlgorithmConstraints; -import java.security.AlgorithmParameters; -import java.security.CryptoPrimitive; -import java.security.Key; -import java.util.Set; - -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLSocket; - -/** - * @author tlenz - * - */ -public class MOASSLAlgorithmConstraints implements AlgorithmConstraints { - - private AlgorithmConstraints userAlgConstraints = null; - private AlgorithmConstraints peerAlgConstraints = null; - - private boolean enabledX509DisabledAlgConstraints = true; - - - static final AlgorithmConstraints DEFAULT = new MOASSLAlgorithmConstraints(null); - - - public MOASSLAlgorithmConstraints() - { - - } - - - static final AlgorithmConstraints DEFAULT_SSL_ONLY = new MOASSLAlgorithmConstraints((SSLSocket)null, false); - - MOASSLAlgorithmConstraints(AlgorithmConstraints paramAlgorithmConstraints) - { - this.userAlgConstraints = paramAlgorithmConstraints; - - } - - - MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, boolean paramBoolean) - { - if (paramSSLSocket != null) { - this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints(); - - } - - if (!(paramBoolean)) - this.enabledX509DisabledAlgConstraints = false; - } - - - MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, boolean paramBoolean) - { - if (paramSSLEngine != null) { - this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints(); - - } - - if (!(paramBoolean)) - this.enabledX509DisabledAlgConstraints = false; - } - - MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, String[] paramArrayOfString, boolean paramBoolean) - { - if (paramSSLSocket != null) { - this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints(); - - //this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString); - - } - - if (!(paramBoolean)) - this.enabledX509DisabledAlgConstraints = false; - } - - -// 
MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, String[] paramArrayOfString, boolean paramBoolean) -// { -// if (paramSSLEngine != null) { -// this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints(); -// -// this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString); -// -// } -// -// if (!(paramBoolean)) -// this.enabledX509DisabledAlgConstraints = false; -// } - - - /* (non-Javadoc) - * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.AlgorithmParameters) - */ - @Override - public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, AlgorithmParameters parameters) { - boolean bool = true; - - if (this.peerAlgConstraints != null) { - bool = this.peerAlgConstraints.permits(primitives, algorithm, parameters); - - } - - if ((bool) && (this.userAlgConstraints != null)) { - bool = this.userAlgConstraints.permits(primitives, algorithm, parameters); - - } - - return bool; - - } - - /* (non-Javadoc) - * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.security.Key) - */ - @Override - public boolean permits(Set<CryptoPrimitive> primitives, Key key) { - boolean bool = true; - - if (this.peerAlgConstraints != null) { - bool = this.peerAlgConstraints.permits(primitives, key); - } - - if ((bool) && (this.userAlgConstraints != null)) { - bool = this.userAlgConstraints.permits(primitives, key); - } - - return bool; - - } - - /* (non-Javadoc) - * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.Key, java.security.AlgorithmParameters) - */ - @Override - public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, Key key, AlgorithmParameters parameters) { - boolean bool = true; - - if (this.peerAlgConstraints != null) { - bool = this.peerAlgConstraints.permits(primitives, algorithm, key, parameters); - - } - - if ((bool) && (this.userAlgConstraints != null)) { - bool = 
this.userAlgConstraints.permits(primitives, algorithm, key, parameters); - - } - - return bool; - } - -} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java deleted file mode 100644 index c71d50161..000000000 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java +++ /dev/null 
@@ -1,267 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. 
- */ -package at.gv.egovernment.moa.id.commons.utils.ssl; - -import java.lang.reflect.Constructor; -import java.net.Socket; -import java.security.AlgorithmConstraints; -import java.security.Timestamp; -import java.security.cert.CertPathValidatorException; -import java.security.cert.Certificate; -import java.security.cert.CertificateException; -import java.security.cert.PKIXCertPathChecker; -import java.security.cert.X509Certificate; -import java.util.Collections; -import java.util.HashSet; - -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLSession; -import javax.net.ssl.SSLSocket; -import javax.net.ssl.X509ExtendedTrustManager; -import javax.net.ssl.X509TrustManager; - -import at.gv.egovernment.moa.id.commons.validation.MOASSLAlgorithmChecker; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; -import sun.security.provider.certpath.AlgorithmChecker; -import sun.security.util.DisabledAlgorithmConstraints; - -/** - * @author tlenz - * - */ -public class MOATrustManagerWrapper extends X509ExtendedTrustManager implements X509TrustManager { - - private X509TrustManager internalTrustManager = null; - - - /** - * - */ - public MOATrustManagerWrapper(X509TrustManager trustManger) { - this.internalTrustManager = trustManger; - - } - - - - /* (non-Javadoc) - * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String) - */ - @Override - public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) - throws CertificateException { - internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); - - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String) - */ - @Override - public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) - throws CertificateException { - 
internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); - - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers() - */ - @Override - public X509Certificate[] getAcceptedIssuers() { - return internalTrustManager.getAcceptedIssuers(); - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket) - */ - @Override - public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, - Socket paramSocket) throws CertificateException { - internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); - - checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, true); - - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket) - */ - @Override - public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, - Socket paramSocket) throws CertificateException { - - internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); - - checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, false); - - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine) - */ - @Override - public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, - SSLEngine paramSSLEngine) throws CertificateException { - internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); - - checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, true); - - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, 
javax.net.ssl.SSLEngine) - */ - @Override - public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, - SSLEngine paramSSLEngine) throws CertificateException { - internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); - - checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, false); - } - - - - private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, - String paramString, Socket paramSocket, boolean isClient) throws CertificateException { - if ((paramSocket == null) || (!(paramSocket.isConnected())) || (!(paramSocket instanceof SSLSocket))) { - return; - - } - - SSLSocket localSSLSocket = (SSLSocket)paramSocket; - SSLSession localSSLSession = localSSLSocket.getHandshakeSession(); - if (localSSLSession == null) { - throw new CertificateException("No handshake session"); - } - - String endpointIdenfificationAlgo = localSSLSocket.getSSLParameters().getEndpointIdentificationAlgorithm(); - if (MiscUtil.isNotEmpty(endpointIdenfificationAlgo)) { - String peerHost = localSSLSession.getPeerHost(); - checkIdentity(peerHost, paramArrayOfX509Certificate[0], endpointIdenfificationAlgo); - - } - - AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); - checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient); - } - - private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, String paramString, - SSLEngine paramSSLEngine, boolean isClient) throws CertificateException { - if (paramSSLEngine != null) { - SSLSession localSSLSession = paramSSLEngine.getHandshakeSession(); - if (localSSLSession == null) { - throw new CertificateException("No handshake session"); - - } - - String str = paramSSLEngine.getSSLParameters().getEndpointIdentificationAlgorithm(); - if ((str != null) && (str.length() != 0)) { - String peerHost = 
localSSLSession.getPeerHost(); - checkIdentity(peerHost, paramArrayOfX509Certificate[0], str); - - } - - AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); - checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient); - } - } - - private void checkAlgorithmConstraints(X509Certificate[] certificates, - java.security.AlgorithmConstraints algorithmConstraint, boolean isClient) throws CertificateException { - try { - int i = certificates.length - 1; - HashSet<X509Certificate> localHashSet = new HashSet<X509Certificate>(); - X509Certificate[] arrayOfX509Certificate = this.internalTrustManager.getAcceptedIssuers(); - - if ((arrayOfX509Certificate != null) && (arrayOfX509Certificate.length > 0)) { - Collections.addAll(localHashSet, arrayOfX509Certificate); - - } - - if (localHashSet.contains(certificates[i])) { - --i; - } - - if (i >= 0) { - PKIXCertPathChecker localAlgorithmChecker = null; - Class<?> algorithCheckerClass = null; - try { - algorithCheckerClass = Class.forName("sun.security.provider.certpath.AlgorithmChecker"); - Constructor<?> algorithCheckerConstructorJava8_141 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class, Timestamp.class, String.class); - localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_141.newInstance(algorithmConstraint, (Timestamp)null, isClient?"tls client":"tls server"); - Logger.trace("Use SSL AlgorithmChecker from JAVA8 >= 141 ..."); - - } catch (Throwable e) { - try { - Constructor<?> algorithCheckerConstructorJava8_71 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class); - localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_71.newInstance(algorithmConstraint); - - Logger.trace("Use SSL AlgorithmChecker from JAVA8 < 141 ..."); - - } catch (Throwable e1) { - Logger.error("Can NOT instance JAVA SSL AlgorithmChecker", e1); - Logger.error("USE ONE LEGACY VERSION OF 
ALGORITHM CHECKER ..."); - localAlgorithmChecker = new MOASSLAlgorithmChecker(); - - } - } - - - localAlgorithmChecker.init(false); - - for (int j = i; j >= 0; --j) { - X509Certificate localX509Certificate = certificates[j]; - - //localAlgorithmChecker.check((Certificate)localX509Certificate, Collections.emptySet()); - localAlgorithmChecker.check((Certificate)localX509Certificate, null); - } - } - } catch (CertPathValidatorException localCertPathValidatorException) { - throw new CertificateException("Certificates does not conform to algorithm constraints"); - - } - } - - private void checkIdentity(String peerHost, X509Certificate paramX509Certificate, String endpointIdenfificationAlgo) - throws CertificateException { - if (MiscUtil.isEmpty(endpointIdenfificationAlgo)) - return; - - if ((peerHost != null) && (peerHost.startsWith("[")) && (peerHost.endsWith("]"))) { - peerHost = peerHost.substring(1, peerHost.length() - 1); - - } - - if (endpointIdenfificationAlgo.equalsIgnoreCase("HTTPS")) { - sun.security.util.HostnameChecker.getInstance((byte)1).match(peerHost, paramX509Certificate); - - } else if ((endpointIdenfificationAlgo.equalsIgnoreCase("LDAP")) || (endpointIdenfificationAlgo.equalsIgnoreCase("LDAPS"))) { - sun.security.util.HostnameChecker.getInstance((byte)2).match(peerHost, paramX509Certificate); - - } else - throw new CertificateException("Unknown identification algorithm: " + endpointIdenfificationAlgo); - } - -} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 3e793e4d1..109390132 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java 
@@ -147,7 +147,6 @@ public class SSLUtils { SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(kms, tms, null); ssf = ctx.getSocketFactory(); - // store SSLSocketFactory sslSocketFactories.put(url, ssf); @@ -260,8 +259,7 @@ public class SSLUtils { MOAIDTrustManager.initializeLoggingContext(); MOAIDTrustManager tm = new MOAIDTrustManager(acceptedServerCertURL); tm.init(cfg, profile); - return new TrustManager[] {new MOATrustManagerWrapper(tm)}; - + return new TrustManager[] {tm}; } } |
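Review bot: With the wrapper gone, the second hunk hands `MOAIDTrustManager` to the SSLContext as a plain `X509TrustManager`, so the JDK's own trust-manager wrapper, not MOA code, now applies endpoint identification and the `jdk.certpath.disabledAlgorithms` policy during the handshake — the SHA-1-in-chain rejection on Java 8u141+ that the reverted commit was working around is presumably back, and neither the hunk nor the description says how it is handled instead. A sentence in the description naming the intended replacement (re-issuing the affected certificates, or an explicit `jdk.certpath.disabledAlgorithms` entry in the deployment's java.security) would stop the next reader from reintroducing a custom wrapper that copies `sun.security.*` internals. On the return itself a short why-comment would help, e.g. `// plain X509TrustManager: JSSE wraps it and enforces jdk.certpath.disabledAlgorithms itself`. The method containing this return starts outside the hunk, and the first hunk only removes a blank line.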