aboutsummaryrefslogtreecommitdiff
path: root/id/server/moa-id-commons/src/main/java/at/gv
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2019-02-04 08:58:10 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2019-02-04 08:58:10 +0100
commita917335ea69ab857f00bd17679e259fcc215cad9 (patch)
tree2aff94e138b0a88d68e10a057071a7cd289978f1 /id/server/moa-id-commons/src/main/java/at/gv
parent9ddeacf32976d14c3f2f70ec446262998eb8a68e (diff)
downloadmoa-id-spss-a917335ea69ab857f00bd17679e259fcc215cad9.tar.gz
moa-id-spss-a917335ea69ab857f00bd17679e259fcc215cad9.tar.bz2
moa-id-spss-a917335ea69ab857f00bd17679e259fcc215cad9.zip
update SSLUtils to use default JVM trustStore for SSL connections as optional
Diffstat (limited to 'id/server/moa-id-commons/src/main/java/at/gv')
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java1
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java20
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java44
3 files changed, 48 insertions, 17 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
index a787cea00..4dd0a857f 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
@@ -11,6 +11,7 @@ import iaik.pki.revocation.RevocationSourceTypes;
public interface AuthConfiguration extends ConfigurationProvider{
+ public static final String PROP_KEY_SSL_USE_JVM_TRUSTSTORE = "configuration.ssl.useStandardJavaTrustStore";
public static final String PROP_KEY_SSL_HOSTNAME_VALIDATION = "configuration.ssl.validation.hostname";
public static final String PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION = "service.onlinemandates.ssl.validation.hostname";
public static final String PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER = "protocols.pvp2.metadata.entitycategories.active";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
index bdadf681d..6c8c092ed 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -34,7 +34,6 @@ import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
@@ -51,7 +50,6 @@ import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moaspss.logging.Logger;
import iaik.pki.PKIException;
-import sun.security.ssl.ProtocolVersion;
/**
* @author tlenz
@@ -77,14 +75,15 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
* @throws MOAHttpProtocolSocketFactoryException
*/
public MOAHttpProtocolSocketFactory (
- String url,
+ String url,
+ boolean useStandardJavaTrustStore,
String trustStoreURL,
String acceptedServerCertURL,
String chainingMode,
boolean checkRevocation,
String[] revocationMethodOrder,
boolean verifyHostName) throws MOAHttpProtocolSocketFactoryException {
- internalInitialize(url, null, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
+ internalInitialize(url, useStandardJavaTrustStore, null, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
this.verifyHostName = verifyHostName;
@@ -103,26 +102,31 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
* @param verifyHostName Enables / Disables hostName verfication
* @throws MOAHttpProtocolSocketFactoryException
*/
- public MOAHttpProtocolSocketFactory(String url, String certStoreDirectory, String trustStoreURL,
+ public MOAHttpProtocolSocketFactory(String url, boolean useStandardJavaTrustStore,
+ String certStoreDirectory,
+ String trustStoreURL,
String acceptedServerCertURL,
String chainingMode,
boolean checkRevocation,
String[] revocationMethodOrder,
boolean verifyHostName) throws MOAHttpProtocolSocketFactoryException {
- internalInitialize(url, certStoreDirectory, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
+ internalInitialize(url, useStandardJavaTrustStore, certStoreDirectory, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
this.verifyHostName = verifyHostName;
}
- private void internalInitialize(String url, String certStoreDirectory, String trustStoreURL,
+ private void internalInitialize(String url, boolean useStandardJavaTrustStore,
+ String certStoreDirectory,
+ String trustStoreURL,
String acceptedServerCertURL,
String chainingMode,
boolean checkRevocation,
String[] revocationMethodOrder) throws MOAHttpProtocolSocketFactoryException {
try {
this.sslfactory = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
- url,
+ url,
+ useStandardJavaTrustStore,
certStoreDirectory,
trustStoreURL,
acceptedServerCertURL,
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index e6efca4ea..a96daead3 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -108,8 +108,29 @@ public class SSLUtils {
}
}
+ /**
+ * Get SSLSocketFactory with TrustStore and KeyStore implementations
+ *
+ * @param url URL of the Service that should be connected
+ * @param useStandardJavaTrustStore Flag to use standard JVM truststore
+ * @param certStoreRootDirParam Path to certStore, if own truststore is used
+ * @param trustStoreURL Path to truststore, if own truststore is used
+ * @param acceptedServerCertURL Path to whitelist with EE-Server certificats, if own truststore is used
+ * @param chainingMode PKIX-Mode or Onion-Model for certificate validation, if own truststore is used
+ * @param checkRevocation Flag to activate or deactivate revocation checks, if own truststore is used
+ * @param revocationMethodOrder Revocation check order (CLR, OCSP), if own truststore is used
+ * @param clientKeyStoreURL Path to KeyStore for SSL Client-Authentication, or null
+ * @param clientKeyStorePassword KeyStore password
+ * @param clientKeyStoreType KeyStore type
+ * @return
+ * @throws IOException
+ * @throws GeneralSecurityException
+ * @throws SSLConfigurationException
+ * @throws PKIException
+ */
public static SSLSocketFactory getSSLSocketFactory(
- String url,
+ String url,
+ boolean useStandardJavaTrustStore,
String certStoreRootDirParam,
String trustStoreURL,
String acceptedServerCertURL,
@@ -130,14 +151,19 @@ public class SSLUtils {
return ssf;
}
-
- TrustManager[] tms = getTrustManagers(
- certStoreRootDirParam,
- chainingMode,
- trustStoreURL,
- acceptedServerCertURL,
- checkRevocation,
- revocationMethodOrder);
+
+ //initialize own trust-store implementation
+ TrustManager[] tms = null;
+ if (useStandardJavaTrustStore) {
+ tms = getTrustManagers(
+ certStoreRootDirParam,
+ chainingMode,
+ trustStoreURL,
+ acceptedServerCertURL,
+ checkRevocation,
+ revocationMethodOrder);
+
+ }
KeyManager[] kms = getKeyManagers(
clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword);