authorThomas Lenz <tlenz@iaik.tugraz.at>2017-10-10 06:34:29 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-10-10 06:34:29 +0200
commit07427ae095618c054f38a519aa49f527bd968294 (patch)
tree121980d80ec773d14a73f9862df154a8652b7972 /id/server
parent352c4f2de3503dfc7f8528b846ebaa62a7f439f1 (diff)
update MOAIDTrustManager to implement a better error handling for acceptedServerCertificates
Diffstat (limited to 'id/server')
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties1
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java55
2 files changed, 44 insertions, 12 deletions
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 50b2c5ece..d5c7c812d 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -88,6 +88,7 @@ config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix.
config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt.
config.26=Federated IDP {0} contains no AttributeQuery URL.
config.27=Fehler beim Verarbeiten eines Konfigurationsparameters. Msg:{0}
+config.28=Fehler beim initialisieren des SSL-TrustManagers. Zertifikat {0} kann nicht geladen werden; Ursache: {1}
parser.00=Leichter Fehler beim Parsen: {0}
parser.01=Fehler beim Parsen: {0}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
index 9fc6f799d..beb6cc1c6 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
@@ -57,6 +57,7 @@ import java.util.ArrayList;
import java.util.List;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moaspss.logging.LoggingContext;
import at.gv.egovernment.moaspss.logging.LoggingContextManager;
import iaik.pki.jsse.IAIKX509TrustManager;
@@ -72,16 +73,17 @@ import iaik.pki.jsse.IAIKX509TrustManager;
public class MOAIDTrustManager extends IAIKX509TrustManager {
/** an x509Certificate array containing all accepted server certificates*/
- private X509Certificate[] acceptedServerCertificates;
+ private X509Certificate[] acceptedServerCertificates = null;
/**
* Constructor
* @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store
* @throws GeneralSecurityException occurs on security errors
* @throws IOException occurs on IO errors
+ * @throws SSLConfigurationException
*/
public MOAIDTrustManager(String acceptedServerCertificateStoreURL)
- throws IOException, GeneralSecurityException {
+ throws IOException, GeneralSecurityException, SSLConfigurationException {
if (acceptedServerCertificateStoreURL != null)
buildAcceptedServerCertificates(acceptedServerCertificateStoreURL);
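Review bot: The new `@throws SSLConfigurationException` tag on the constructor Javadoc has no description, and the same bare tag is added to the buildAcceptedServerCertificates Javadoc in the next hunk. Since this exception is the one a caller can actually act on (a misconfigured trust store), it should say when it is raised, e.g. `@throws SSLConfigurationException if a certificate in the accepted-server store cannot be loaded`. The constructor body continues beyond the end of this hunk.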
@@ -111,26 +113,55 @@ public class MOAIDTrustManager extends IAIKX509TrustManager {
* containing accepted server X509 certificates
* @throws GeneralSecurityException on security errors
* @throws IOException on any IO errors
+ * @throws SSLConfigurationException
*/
private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL)
- throws IOException, GeneralSecurityException {
-
+ throws IOException, GeneralSecurityException, SSLConfigurationException {
List<X509Certificate> certList = new ArrayList<X509Certificate>();
URL storeURL = new URL(acceptedServerCertificateStoreURL);
File storeDir = new File(storeURL.getFile());
// list certificate files in directory
- File[] certFiles = storeDir.listFiles();
+ File[] certFiles = storeDir.listFiles();
for (int i = 0; i < certFiles.length; i++) {
- // for each: create an X509Certificate and store it in list
- File certFile = certFiles[i];
- FileInputStream fis = new FileInputStream(certFile.getPath());
- CertificateFactory certFact = CertificateFactory.getInstance("X.509");
- X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
- fis.close();
- certList.add(cert);
+ // for each: create an X509Certificate and store it in list
+ File certFile = certFiles[i];
+ FileInputStream fis = null;
+ try {
+ fis = new FileInputStream(certFile.getPath());
+ CertificateFactory certFact = CertificateFactory.getInstance("X.509");
+ X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
+ certList.add(cert);
+
+ } catch (Exception e) {
+ Logger.error("Can NOT initialize SSLTrustManager. Certificate: " + certFile.getPath()
+ + " is not loadable, Reason: " + e.getMessage());
+
+ if (Logger.isDebugEnabled()) {
+ try {
+ if (fis != null)
+ Logger.debug("Certificate: " + Base64Utils.encode(fis));
+
+ } catch (Exception e1) {
+ Logger.warn("Can NOT log content of certificate: " + certFile.getPath()
+ + ". Reason: " + e.getMessage(), e);
+
+ }
+ }
+
+ throw new SSLConfigurationException("", new Object[]{certFile.getPath(), e.getMessage()}, e);
+
+ } finally {
+ if (fis != null)
+ fis.close();
+
+ }
}
+
// store acceptedServerCertificates
acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]);
+ Logger.debug("Add #" + acceptedServerCertificates.length
+ + " certificates as 'AcceptedServerCertificates' from: " + acceptedServerCertificateStoreURL );
+
}
/**
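Review bot: The inner catch that guards the debug dump logs the wrong exception: `e1` is caught but the warning reports `e.getMessage()` and attaches `e`, so the reason the dump failed is never recorded; it should read `+ ". Reason: " + e1.getMessage(), e1);`. The dump itself is also questionable, because `Base64Utils.encode(fis)` reads the same stream that `generateCertificate(fis)` has already consumed, so what gets logged is at best the unread tail of the file rather than the certificate; re-open the file (or read its bytes once up front) if the content is to be logged. The thrown `SSLConfigurationException("", ...)` passes an empty message id even though this commit adds `config.28` with exactly the `{0}`/`{1}` placeholders the argument array fills, which looks like the intended key. Not addressed by the change: `storeDir.listFiles()` returns null when the URL does not point at a directory, so the loop header still NPEs before any of the new error handling runs, and an `IOException` from `fis.close()` in the finally block would mask the `SSLConfigurationException` thrown just above it.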