diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-10-21 10:21:15 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-10-21 10:21:15 +0200 |
commit | 7720eee7787b2149b36ac76da1b64e416e16d07c (patch) | |
tree | 3449005fee14728dafdf11e8c2125f095762565e /id/server/moa-id-commons/src/main/java/at | |
parent | 6e044fe2eff937e5a4d975005def49ee2e9a06d0 (diff) | |
download | moa-id-spss-7720eee7787b2149b36ac76da1b64e416e16d07c.tar.gz moa-id-spss-7720eee7787b2149b36ac76da1b64e416e16d07c.tar.bz2 moa-id-spss-7720eee7787b2149b36ac76da1b64e416e16d07c.zip |
update SSL certificate revocation-checking method-order if the IAIK_PKI module is used
Diffstat (limited to 'id/server/moa-id-commons/src/main/java/at')
4 files changed, 25 insertions, 27 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java index 142e9a23a..3b1f0c7b5 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java @@ -54,7 +54,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory String trustStoreURL, String acceptedServerCertURL, String chainingMode, - boolean checkRevocation + boolean checkRevocation, + String[] revocationMethodOrder ) throws MOAHttpProtocolSocketFactoryException { super(); @@ -65,7 +66,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory trustStoreURL, acceptedServerCertURL, chainingMode, - checkRevocation, + checkRevocation, + revocationMethodOrder, null, null, null); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java index e0304f928..969de3ce6 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java @@ -67,6 +67,7 @@ import iaik.pki.PKIFactory; import iaik.pki.PKIProfile; import iaik.pki.jsse.IAIKX509TrustManager; + /** * <code>TrustManager</code> implementation featuring CRL checking (inherited from * <code>IAIKX509TrustManager</code>), plus server-end-SSL-certificate checking. @@ -172,7 +173,7 @@ public class MOAIDTrustManager extends IAIKX509TrustManager { throw new NullPointerException("pkiConfig parameter must not be null"); } - + TransactionId tid = new TransactionIdImpl("Init"); log_.info(tid, "Setting up IAIKX509TrustManager", null); if (pkiConfig != null) { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java index a34fa9b8b..9b692c090 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java @@ -77,6 +77,9 @@ public class PKIProfileImpl extends ObservableImpl */ private boolean revocationChecking; + + private String[] revocationCheckMethode = new String[] {RevocationSourceTypes.CRL}; + /** * The trust profile identifier. */ @@ -141,9 +144,13 @@ public class PKIProfileImpl extends ObservableImpl * @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate) */ public String[] getPreferredServiceOrder(X509Certificate arg0) { - return new String[] {RevocationSourceTypes.CRL}; + return revocationCheckMethode; } + public void setPreferredServiceOrder(String[] order) { + this.revocationCheckMethode = order; + } + /** * @see iaik.pki.store.truststore.TrustStoreProfile#getType() */ diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 6fa4595d8..d2a099c69 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -64,7 +64,6 @@ import at.gv.egovernment.moa.util.KeyStoreUtils; import iaik.pki.PKIConfiguration; import iaik.pki.PKIException; import iaik.pki.PKIFactory; -import iaik.pki.PKIProfile; //import iaik.pki.jsse.IAIKX509TrustManager; import iaik.security.provider.IAIK; @@ -94,24 +93,7 @@ public class SSLUtils { } - - /** - * Creates an <code>SSLSocketFactory</code> which utilizes an - * <code>IAIKX509TrustManager</code> for the given trust store, - * and the given key store. - * - * @param conf configuration provider providing a generic properties pointing - * to trusted CA store and certificate store root - * @param connParam connection parameter containing the client key store settings - * to be used in case of client authentication; - * if <code>connParam.getClientKeyStore() == null</code>, client authentication - * is assumed to be disabled - * @return <code>SSLSocketFactory</code> to be used by an <code>HttpsURLConnection</code> - * @throws IOException thrown while reading key store file - * @throws GeneralSecurityException thrown while creating the socket factory - * @throws ConfigurationException on invalid configuration data - * @throws PKIException while initializing the <code>IAIKX509TrustManager</code> - */ + public static SSLSocketFactory getSSLSocketFactory( String url, String certStoreRootDirParam, @@ -119,9 +101,10 @@ public class SSLUtils { String acceptedServerCertURL, String chainingMode, boolean checkRevocation, + String[] revocationMethodOrder, String clientKeyStoreURL, String clientKeyStorePassword, - String clientKeyStoreType + String clientKeyStoreType ) throws IOException, GeneralSecurityException, SSLConfigurationException, PKIException { @@ -136,7 +119,8 @@ public class SSLUtils { chainingMode, trustStoreURL, acceptedServerCertURL, - checkRevocation); + checkRevocation, + revocationMethodOrder); KeyManager[] kms = getKeyManagers( clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword); @@ -231,13 +215,17 @@ public class SSLUtils { */ private static TrustManager[] getTrustManagers(String certStoreRootDirParam, String chainingMode, String trustStoreURL, String acceptedServerCertURL, - boolean checkRevocation) + boolean checkRevocation, String[] revocationMethodOrder) throws SSLConfigurationException, PKIException, IOException, GeneralSecurityException { PKIConfiguration cfg = null; if (! PKIFactory.getInstance().isAlreadyConfigured()) cfg = new PKIConfigurationImpl(certStoreRootDirParam, chainingMode); - PKIProfile profile = new PKIProfileImpl(trustStoreURL, checkRevocation); + + PKIProfileImpl profile = new PKIProfileImpl(trustStoreURL, checkRevocation); + + profile.setPreferredServiceOrder(revocationMethodOrder); + // This call fixes a bug occuring when PKIConfiguration is // initialized by the MOA-SP initialization code, in case // MOA-SP is called by API |