Merge branch 'eIDAS_node_implementation' of https://gitlab.iaik.tugraz.at/egiz/moa-idspss into eIDAS_node_implementation

author: Thomas Lenz <thomas.lenz@egiz.gv.at> 2017-11-21 12:14:09 +0100
committer: Thomas Lenz <thomas.lenz@egiz.gv.at> 2017-11-21 12:14:09 +0100
commit: b1940fc000b40808a7d173125d5552e9e0424024 (patch)
tree: ab96581fd3522525e8d30647de875d8f7834790b /id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons
parent: 27b687ed27fad429e6fbf1b3e69c579a8f2aae16 (diff)
parent: 1b5e11112af6bbe48bfb5c95c8b75ae90f3edb22 (diff)
download: moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.tar.gz
moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.tar.bz2
moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.zip
7 files changed, 161 insertions, 63 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
index d8d3dbeee..6f6735d48 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
@@ -9,6 +9,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import iaik.asn1.ObjectID;
 
 
@@ -123,12 +124,12 @@ public class MOAIDAuthConstants extends MOAIDConstants{
   /** List of OWs */
   public static final List<ObjectID> OW_LIST = Arrays.asList( 
 		  new ObjectID(OW_ORGANWALTER));  
-  
-  /**BKU type identifiers to use bkuURI from configuration*/ 
-  public static final String REQ_BKU_TYPE_LOCAL = "local";
-  public static final String REQ_BKU_TYPE_ONLINE = "online"; 
-  public static final String REQ_BKU_TYPE_HANDY = "handy"; 
-  public static final List<String> REQ_BKU_TYPES = Arrays.asList(REQ_BKU_TYPE_LOCAL, REQ_BKU_TYPE_ONLINE, REQ_BKU_TYPE_HANDY);
+    
+  public static final List<String> REQ_BKU_TYPES = Arrays.asList(
+		  IOAAuthParameters.HANDYBKU, 
+		  IOAAuthParameters.LOCALBKU, 
+		  IOAAuthParameters.THIRDBKU, 
+		  IOAAuthParameters.ONLINEBKU);
 
   public static final List<String> LEGACYPARAMETERWHITELIST 
   	= Arrays.asList(PARAM_TARGET, PARAM_BKU, PARAM_OA, PARAM_TEMPLATE, PARAM_USEMANDATE, PARAM_CCC, PARAM_SOURCEID);
@@ -178,19 +179,25 @@ public class MOAIDAuthConstants extends MOAIDConstants{
   
   //AuthnRequest IssueInstant validation
   public static final int TIME_JITTER = 5;  //all 5 minutes time jitter 
-  
+
+  //General MOASession data-store keys
+  public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";
+
+  //Process context keys
   public static final String PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH = "interfederationAuthentication";
   public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication";
   public static final String PROCESSCONTEXT_PERFORM_BKUSELECTION = "performBKUSelection";
   public static final String PROCESSCONTEXT_ISLEGACYREQUEST = "isLegacyRequest";
   public static final String PROCESSCONTEXT_UNIQUE_OA_IDENTFIER = "uniqueSPId";
+  public static final String PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE = MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE;
   
   //General protocol-request data-store keys
+  public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
+  
+  @Deprecated
   public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target";
+  @Deprecated
   public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName";
-  public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
   
-  //General MOASession data-store keys
-  public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";
-    
+
 }
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
index e9f9a7e80..98f0616a5 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
@@ -28,6 +28,8 @@ import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
 
+import at.gv.egovernment.moa.util.Constants;
+
 /**
  * @author tlenz
  *
@@ -40,9 +42,15 @@ public class MOAIDConstants {
 	
 	public static final String FILE_URI_PREFIX = "file:/";
 	
-	public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+";
-    public static final String PREFIX_STORK = "urn:publicid:gv.at:storkid+";
-    public static final String PREFIX_EIDAS = "urn:publicid:gv.at:eidasid+";
+	public static final String PREFIX_BASEID = Constants.URN_PREFIX_BASEID;	
+	public static final String PREFIX_PBK    = Constants.URN_PREFIX_BPK;
+	public static final String PREFIX_HPI    = Constants.URN_PREFIX_HPI;
+	
+	public static final String PREFIX_CDID   = Constants.URN_PREFIX_CDID + "+";
+	public static final String PREFIX_WPBK   = Constants.URN_PREFIX_WBPK + "+";
+    public static final String PREFIX_STORK  = Constants.URN_PREFIX_STORK + "+";
+    public static final String PREFIX_EIDAS  = Constants.URN_PREFIX_EIDAS + "+";
+    
 	
 	public static final String IDENIFICATIONTYPE_FN = "FN";
 	public static final String IDENIFICATIONTYPE_ERSB = "ERSB";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
index bba6d0541..1e1bfa94b 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
@@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
 import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
 import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
 import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 
 /**
  * @author tlenz
@@ -38,9 +39,16 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
  */
 public interface IOAAuthParameters {
 
-	public static final String ONLINEBKU = "online";
+	public static final String CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL = "configuration.restrictions.baseID.idpProcessing";
+	public static final String CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION = "configuration.restrictions.baseID.spTransmission";
+	
+	public static final String THIRDBKU = "thirdBKU";
 	public static final String HANDYBKU = "handy";
 	public static final String LOCALBKU = "local";
+	
+	@Deprecated
+	public static final String ONLINEBKU = "online";
+	
 	public static final String INDERFEDERATEDIDP = "interfederated";
 	public static final String EIDAS = "eIDAS";
 	public static final String AUTHTYPE_OTHERS = "others";
@@ -63,20 +71,52 @@ public interface IOAAuthParameters {
 	public String getFriendlyName();
 	
 	public String getPublicURLPrefix();
-
-	public String getOaType();
 	
-	public boolean getBusinessService();
+	/**
+	 * Indicates if this online applications has private area restrictions that disallow baseId processing in general
+	 * This restriction is evaluated from area-identifier of this online application and a policy from configuration. 
+	 * The configuration key 'configuration.restrictions.baseID.idpProcessing' specifies a list of comma-separated values 
+	 * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix 
+	 * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs
+	 * 
+	 * @return true if there is a restriction, otherwise false
+	 * @throws ConfigurationException In case of online-application configuration has public and private identifies
+	 */
+	public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException;
+	
 	
 	/**
-	 * Get target of a public service-provider
+	 * Indicates if this online applications has private area restrictions that disallow baseId transfer to OA
+	 * This restriction is evaluated from area-identifier of this online application and a policy from configuration. 
+	 * The configuration key 'configuration.restrictions.baseID.spTransmission' specifies a list of comma-separated values 
+	 * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix 
+	 * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs
 	 * 
-	 * @return target identifier without prefix
+	 * @return true if there is a restriction, otherwise false
+	 * @throws ConfigurationException In case of online-application configuration has public and private identifies
 	 */
-	public String getTarget();
+	public boolean hasBaseIdTransferRestriction() throws ConfigurationException;
 	
-	public String getTargetFriendlyName();
 	
+	/**
+	 * Get the full area-identifier for this online application to calculate the 
+	 * area-specific unique person identifier (bPK, wbPK, eIDAS unique identifier, ...). 
+	 * This identifier always contains the full prefix 
+	 * 
+	 * @return area identifier with prefix
+	 * @throws ConfigurationException In case of online-application configuration has public and private identifies  
+	 */
+	public String getAreaSpecificTargetIdentifier() throws ConfigurationException;
+	
+	/**
+	 * Get a friendly name for the specific area-identifier of this online application
+	 * 
+	 * @return fiendly name of the area-identifier
+	 * @throws ConfigurationException In case of online-application configuration has public and private identifies
+	 */
+	public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException;
+	
+		
 	public boolean isInderfederationIDP();
 	
 	public boolean isSTORKPVPGateway();
@@ -84,13 +124,6 @@ public interface IOAAuthParameters {
 	public boolean isRemovePBKFromAuthBlock();
 	
 	/**
-	 * Return the private-service domain-identifier with PreFix
-	 * 
-	 * @return the identityLinkDomainIdentifier
-	 */
-	public String getIdentityLinkDomainIdentifier();
-
-	/**
 	 * @return the keyBoxIdentifier
 	 */
 	public String getKeyBoxIdentifier();
@@ -138,11 +171,6 @@ public interface IOAAuthParameters {
 	 */
 	public List<String> getMandateProfiles();
 
-	/**
-	 * @return the identityLinkDomainIdentifierType
-	 */
-	public String getIdentityLinkDomainIdentifierType();
-
 	public boolean isShowMandateCheckBox();
 
 	public boolean isOnlyMandateAllowed();
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java
index b2d90aed4..bc4cd72af 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java
@@ -44,7 +44,8 @@ public interface IStorkConfig {
 
 	boolean isSTORKAuthentication(String ccc);
 
-	CPEPS getCPEPS(String ccc);
+	CPEPS getCPEPSWithFullName(String ccc);
+	CPEPS getCPEPSWithCC(String ccc);
 
 	List<StorkAttribute> getStorkAttributes();
 
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
index 5091195d8..93f26051c 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
@@ -208,7 +208,7 @@ public class ConfigurationMigrationUtils {
 				if (bkuurls != null) {
 					result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY, bkuurls.getHandyBKU());
 					result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL, bkuurls.getLocalBKU());
-					result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE, bkuurls.getOnlineBKU());
+					result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD, bkuurls.getOnlineBKU());
 					
 				}
 	
@@ -831,7 +831,7 @@ public class ConfigurationMigrationUtils {
             authoa.setBKUURLS(bkuruls);
             bkuruls.setHandyBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY));
             bkuruls.setLocalBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL));
-            bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE));
+            bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD));
         	
             //store SecurtiyLayerTemplates            
             TemplatesType templates = authoa.getTemplates();
@@ -1438,7 +1438,7 @@ public class ConfigurationMigrationUtils {
 						defaultbkus.getHandyBKU());
 				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL, 
 						defaultbkus.getLocalBKU());
-				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE, 
+				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD, 
 						defaultbkus.getOnlineBKU());
 			}
 			
@@ -1448,7 +1448,7 @@ public class ConfigurationMigrationUtils {
 						slreq.getHandyBKU());
 				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL, 
 						slreq.getLocalBKU());
-				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE, 
+				result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD, 
 						slreq.getOnlineBKU());
 
 			}
@@ -1711,8 +1711,8 @@ public class ConfigurationMigrationUtils {
 		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY)))
 			dbbkus.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY));
 		
-		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE)))
-			dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE));
+		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD)))
+			dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD));
 		
 		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL)))
 			dbbkus.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL));
@@ -1900,8 +1900,8 @@ public class ConfigurationMigrationUtils {
 			slrequesttempl.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY));
 		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL)))
 			slrequesttempl.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL));
-		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE)))
-			slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE));
+		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD)))
+			slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD));
 		
 		if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL)))
 				dbconfig.setTrustedCACertificates(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL));
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
index b72034002..695df3123 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
@@ -70,7 +70,7 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
 	public static final String SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME = SERVICE_AUTH_TARGET_PUBLIC + ".own.name";
 	
 	private static final String SERVICE_AUTH_BKU = AUTH + "." + BKU;
-	public static final String SERVICE_AUTH_BKU_ONLINE = SERVICE_AUTH_BKU + ".onlineBKU";
+	public static final String SERVICE_AUTH_BKU_THIRD = SERVICE_AUTH_BKU + ".onlineBKU";
 	public static final String SERVICE_AUTH_BKU_LOCAL = SERVICE_AUTH_BKU + ".localBKU";
 	public static final String SERVICE_AUTH_BKU_HANDY = SERVICE_AUTH_BKU + ".handyBKU";
 	public static final String SERVICE_AUTH_BKU_KEYBOXIDENTIFIER = SERVICE_AUTH_BKU + ".keyBoxIdentifier";
@@ -196,13 +196,13 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
 	
 	private static final String GENERAL_DEFAULTS = PREFIX_MOAID_GENERAL + ".defaults";	
 	private static final String GENERAL_DEFAULTS_BKU = GENERAL_DEFAULTS + "." + BKU;
-	public static final String GENERAL_DEFAULTS_BKU_ONLINE = GENERAL_DEFAULTS_BKU + ".onlineBKU";
+	public static final String GENERAL_DEFAULTS_BKU_THIRD = GENERAL_DEFAULTS_BKU + ".onlineBKU";
 	public static final String GENERAL_DEFAULTS_BKU_HANDY = GENERAL_DEFAULTS_BKU + ".handyBKU";
 	public static final String GENERAL_DEFAULTS_BKU_LOCAL = GENERAL_DEFAULTS_BKU + ".localBKU";
 	private static final String GENERAL_DEFAULTS_TEMPLATES = GENERAL_DEFAULTS + "." + TEMPLATES;
 	public static final String GENERAL_DEFAULTS_TEMPLATES_LOCAL = GENERAL_DEFAULTS_TEMPLATES + ".localBKU";
 	public static final String GENERAL_DEFAULTS_TEMPLATES_HANDY = GENERAL_DEFAULTS_TEMPLATES + ".handyBKU";
-	public static final String GENERAL_DEFAULTS_TEMPLATES_ONLINE = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU";
+	public static final String GENERAL_DEFAULTS_TEMPLATES_THIRD = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU";
 	
 	private static final String GENERAL_AUTH = PREFIX_MOAID_GENERAL + ".auth";
 	private static final String GENERAL_AUTH_CERTIFICATE = GENERAL_AUTH + ".certificate";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
index 9fc6f799d..dd606ea18 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
@@ -57,6 +57,8 @@ import java.util.ArrayList;
 import java.util.List;
 
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moaspss.logging.LoggingContext;
 import at.gv.egovernment.moaspss.logging.LoggingContextManager;
 import iaik.pki.jsse.IAIKX509TrustManager;
@@ -72,21 +74,27 @@ import iaik.pki.jsse.IAIKX509TrustManager;
 public class MOAIDTrustManager extends IAIKX509TrustManager {
   
   /** an x509Certificate array containing all accepted server certificates*/
-  private X509Certificate[] acceptedServerCertificates;
+  private X509Certificate[] acceptedServerCertificates = null;
 
   /**
    * Constructor
    * @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store
    * @throws GeneralSecurityException occurs on security errors
    * @throws IOException occurs on IO errors
+ * @throws SSLConfigurationException 
    */
   public MOAIDTrustManager(String acceptedServerCertificateStoreURL) 
-    throws IOException, GeneralSecurityException {
+    throws IOException, GeneralSecurityException, SSLConfigurationException {
     
-    if (acceptedServerCertificateStoreURL != null)
-      buildAcceptedServerCertificates(acceptedServerCertificateStoreURL);
-    else
-      acceptedServerCertificates = null;
+    if (acceptedServerCertificateStoreURL != null && MiscUtil.isNotEmpty(acceptedServerCertificateStoreURL.trim())) {
+    	Logger.info("Initialize SSL-TrustStore with explicit accepted server-certificates");
+    	buildAcceptedServerCertificates(acceptedServerCertificateStoreURL);
+    	
+    } else {
+    	Logger.info("Initialize SSL-TrustStore without explicit accepted server-certificates");
+    	acceptedServerCertificates = null;
+    	
+    }
   }
 
  
@@ -111,26 +119,72 @@ public class MOAIDTrustManager extends IAIKX509TrustManager {
    *         containing accepted server X509 certificates
    * @throws GeneralSecurityException on security errors
    * @throws IOException on any IO errors
+ * @throws SSLConfigurationException 
    */
   private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL) 
-    throws IOException, GeneralSecurityException {
-
+    throws IOException, GeneralSecurityException, SSLConfigurationException {	  
     List<X509Certificate> certList = new ArrayList<X509Certificate>();
     URL storeURL = new URL(acceptedServerCertificateStoreURL);
+    
+    //check URL to TrustStore
+    if (storeURL.getFile() == null) {
+    	Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL 
+   			+ " is NOT found");
+    	throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "File or Directory NOT found!"});
+    	
+    }    
     File storeDir = new File(storeURL.getFile());
-    // list certificate files in directory
-    File[] certFiles = storeDir.listFiles(); 
+    
+    //check directory and files
+    if (storeDir == null || storeDir.listFiles() == null) {
+    	Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL 
+       			+ " is NOT found");
+        	throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "Files or Directory NOT found!"});
+        	
+    }
+    
+    // list certificate files in directory    
+    File[] certFiles = storeDir.listFiles();    
     for (int i = 0; i < certFiles.length; i++) {
-      // for each: create an X509Certificate and store it in list
-      File certFile = certFiles[i];
-      FileInputStream fis = new FileInputStream(certFile.getPath());
-      CertificateFactory certFact = CertificateFactory.getInstance("X.509");
-      X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
-      fis.close();
-      certList.add(cert);
+    	// for each: create an X509Certificate and store it in list
+    	File certFile = certFiles[i];
+    	FileInputStream fis = null;
+    	try {
+    		fis = new FileInputStream(certFile.getPath());
+    		CertificateFactory certFact = CertificateFactory.getInstance("X.509");
+    		X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
+    		certList.add(cert);
+    		
+    	} catch (Exception e) {
+    	   	Logger.error("Can NOT initialize SSLTrustManager. Certificate: " + certFile.getPath() 
+    	   		+ " is not loadable, Reason: " + e.getMessage());
+    	   	
+    	   	if (Logger.isDebugEnabled()) {
+    	   		try {
+    	   			if (fis != null)
+    	   				Logger.debug("Certificate: " + Base64Utils.encode(fis));
+    	   			
+    	   		} catch (Exception e1) {
+    	   			Logger.warn("Can NOT log content of certificate: " + certFile.getPath() 
+    	   				+ ". Reason: " + e.getMessage(), e);
+    	   			
+    	   		}
+    	   	}
+    	   	
+    	    throw new SSLConfigurationException("config.28", new Object[]{certFile.getPath(), e.getMessage()}, e);
+    	    
+    	} finally {
+			if (fis != null)
+				fis.close();
+			
+		}
     }
+    
     // store acceptedServerCertificates
     acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]);
+    Logger.debug("Add #" + acceptedServerCertificates.length 
+    		+ " certificates as 'AcceptedServerCertificates' from: " + acceptedServerCertificateStoreURL );
+    	    
   }
 
   /**
author	Thomas Lenz <thomas.lenz@egiz.gv.at>	2017-11-21 12:14:09 +0100
committer	Thomas Lenz <thomas.lenz@egiz.gv.at>	2017-11-21 12:14:09 +0100
commit	b1940fc000b40808a7d173125d5552e9e0424024 (patch)
tree	ab96581fd3522525e8d30647de875d8f7834790b /id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons
parent	27b687ed27fad429e6fbf1b3e69c579a8f2aae16 (diff)
parent	1b5e11112af6bbe48bfb5c95c8b75ae90f3edb22 (diff)
download	moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.tar.gz moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.tar.bz2 moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.zip