aboutsummaryrefslogtreecommitdiff
path: root/id
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-10-21 10:21:15 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-10-21 10:21:15 +0200
commit7720eee7787b2149b36ac76da1b64e416e16d07c (patch)
tree3449005fee14728dafdf11e8c2125f095762565e /id
parent6e044fe2eff937e5a4d975005def49ee2e9a06d0 (diff)
downloadmoa-id-spss-7720eee7787b2149b36ac76da1b64e416e16d07c.tar.gz
moa-id-spss-7720eee7787b2149b36ac76da1b64e416e16d07c.tar.bz2
moa-id-spss-7720eee7787b2149b36ac76da1b64e416e16d07c.zip
update SSL certificate revocation-checking method-order if the IAIK_PKI module is used
Diffstat (limited to 'id')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java3
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java6
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java3
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java9
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java34
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java20
9 files changed, 67 insertions, 47 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 19adfe4c4..dc024e695 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -31,6 +31,7 @@ import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
+import java.util.Timer;
import javax.xml.namespace.QName;
@@ -68,6 +69,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
// private static MOAMetadataProvider instance = null;
MetadataProvider internalProvider = null;
+ private Timer timer = null;
private static Object mutex = new Object();
//private Map<String, Date> lastAccess = null;
@@ -163,10 +165,14 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
byte[] cert = Base64Utils.decode(certBase64, false);
String oaFriendlyName = oaParam.getFriendlyName();
+ if (timer == null)
+ timer = new Timer(true);
+
ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL,
buildMetadataFilterChain(oaParam, metadataURL, cert),
- oaFriendlyName);
+ oaFriendlyName,
+ timer);
chainProvider.addMetadataProvider(newMetadataProvider);
@@ -374,6 +380,10 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
}
internalProvider = new ChainingMetadataProvider();
+
+ if (timer != null)
+ timer.cancel();
+
} else {
Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy");
}
@@ -414,12 +424,16 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
byte[] cert = Base64Utils.decode(certBase64, false);
+ if (timer == null)
+ timer = new Timer(true);
+
Logger.info("Loading metadata for: " + oaFriendlyName);
if (!providersinuse.containsKey(metadataurl)) {
httpProvider = createNewHTTPMetaDataProvider(
metadataurl,
buildMetadataFilterChain(oaParam, metadataurl, cert),
- oaFriendlyName);
+ oaFriendlyName,
+ timer);
if (httpProvider != null)
providersinuse.put(metadataurl, httpProvider);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
index 8261a86c1..7a2acee9c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
@@ -53,12 +53,13 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
* @param metadataURL URL, where the metadata should be loaded
* @param filter Filters, which should be used to validate the metadata
* @param IdForLogging Id, which is used for Logging
+ * @param timer {@link Timer} which is used to schedule metadata refresh operations
*
* @return SAML2 Metadata Provider
*/
- protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging ) {
+ protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging, Timer timer) {
HTTPMetadataProvider httpProvider = null;
- Timer timer= null;
+ //Timer timer= null;
MOAHttpClient httpClient = null;
try {
httpClient = new MOAHttpClient();
@@ -71,7 +72,8 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
null,
AuthConfiguration.DEFAULT_X509_CHAININGMODE,
- AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking());
+ AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
+ AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder());
httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
@@ -81,7 +83,7 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
}
}
- timer = new Timer(true);
+// timer = new Timer(true);
httpProvider = new HTTPMetadataProvider(timer, httpClient,
metadataURL);
httpProvider.setParserPool(new BasicParserPool());
@@ -121,10 +123,10 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
httpProvider.destroy();
}
- if (timer != null) {
- Logger.debug("Destroy Timer.");
- timer.cancel();
- }
+// if (timer != null) {
+// Logger.debug("Destroy Timer.");
+// timer.cancel();
+// }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
index 0426c2a6a..d5ab4b2e7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
@@ -77,7 +77,8 @@ public class MOASAMLSOAPClient {
AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
null,
AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(),
- AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking());
+ AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
+ AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder());
clientBuilder.setHttpsProtocolSocketFactory(sslprotocolsocketfactory );
} catch (MOAHttpProtocolSocketFactoryException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
index caf7f570f..784581648 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
@@ -129,7 +129,8 @@ public class SSLUtils {
trustStoreURL,
acceptedServerCertURL,
AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(),
- AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
+ AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
+ AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(),
connParam.getClientKeyStore(),
connParam.getClientKeyStorePassword(),
"pkcs12");
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
index 142e9a23a..3b1f0c7b5 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -54,7 +54,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
String trustStoreURL,
String acceptedServerCertURL,
String chainingMode,
- boolean checkRevocation
+ boolean checkRevocation,
+ String[] revocationMethodOrder
) throws MOAHttpProtocolSocketFactoryException {
super();
@@ -65,7 +66,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
trustStoreURL,
acceptedServerCertURL,
chainingMode,
- checkRevocation,
+ checkRevocation,
+ revocationMethodOrder,
null,
null,
null);
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
index e0304f928..969de3ce6 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
@@ -67,6 +67,7 @@ import iaik.pki.PKIFactory;
import iaik.pki.PKIProfile;
import iaik.pki.jsse.IAIKX509TrustManager;
+
/**
* <code>TrustManager</code> implementation featuring CRL checking (inherited from
* <code>IAIKX509TrustManager</code>), plus server-end-SSL-certificate checking.
@@ -172,7 +173,7 @@ public class MOAIDTrustManager extends IAIKX509TrustManager {
throw new NullPointerException("pkiConfig parameter must not be null");
}
-
+
TransactionId tid = new TransactionIdImpl("Init");
log_.info(tid, "Setting up IAIKX509TrustManager", null);
if (pkiConfig != null) {
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java
index a34fa9b8b..9b692c090 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java
@@ -77,6 +77,9 @@ public class PKIProfileImpl extends ObservableImpl
*/
private boolean revocationChecking;
+
+ private String[] revocationCheckMethode = new String[] {RevocationSourceTypes.CRL};
+
/**
* The trust profile identifier.
*/
@@ -141,9 +144,13 @@ public class PKIProfileImpl extends ObservableImpl
* @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate)
*/
public String[] getPreferredServiceOrder(X509Certificate arg0) {
- return new String[] {RevocationSourceTypes.CRL};
+ return revocationCheckMethode;
}
+ public void setPreferredServiceOrder(String[] order) {
+ this.revocationCheckMethode = order;
+ }
+
/**
* @see iaik.pki.store.truststore.TrustStoreProfile#getType()
*/
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index 6fa4595d8..d2a099c69 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -64,7 +64,6 @@ import at.gv.egovernment.moa.util.KeyStoreUtils;
import iaik.pki.PKIConfiguration;
import iaik.pki.PKIException;
import iaik.pki.PKIFactory;
-import iaik.pki.PKIProfile;
//import iaik.pki.jsse.IAIKX509TrustManager;
import iaik.security.provider.IAIK;
@@ -94,24 +93,7 @@ public class SSLUtils {
}
-
- /**
- * Creates an <code>SSLSocketFactory</code> which utilizes an
- * <code>IAIKX509TrustManager</code> for the given trust store,
- * and the given key store.
- *
- * @param conf configuration provider providing a generic properties pointing
- * to trusted CA store and certificate store root
- * @param connParam connection parameter containing the client key store settings
- * to be used in case of client authentication;
- * if <code>connParam.getClientKeyStore() == null</code>, client authentication
- * is assumed to be disabled
- * @return <code>SSLSocketFactory</code> to be used by an <code>HttpsURLConnection</code>
- * @throws IOException thrown while reading key store file
- * @throws GeneralSecurityException thrown while creating the socket factory
- * @throws ConfigurationException on invalid configuration data
- * @throws PKIException while initializing the <code>IAIKX509TrustManager</code>
- */
+
public static SSLSocketFactory getSSLSocketFactory(
String url,
String certStoreRootDirParam,
@@ -119,9 +101,10 @@ public class SSLUtils {
String acceptedServerCertURL,
String chainingMode,
boolean checkRevocation,
+ String[] revocationMethodOrder,
String clientKeyStoreURL,
String clientKeyStorePassword,
- String clientKeyStoreType
+ String clientKeyStoreType
)
throws IOException, GeneralSecurityException, SSLConfigurationException, PKIException {
@@ -136,7 +119,8 @@ public class SSLUtils {
chainingMode,
trustStoreURL,
acceptedServerCertURL,
- checkRevocation);
+ checkRevocation,
+ revocationMethodOrder);
KeyManager[] kms = getKeyManagers(
clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword);
@@ -231,13 +215,17 @@ public class SSLUtils {
*/
private static TrustManager[] getTrustManagers(String certStoreRootDirParam,
String chainingMode, String trustStoreURL, String acceptedServerCertURL,
- boolean checkRevocation)
+ boolean checkRevocation, String[] revocationMethodOrder)
throws SSLConfigurationException, PKIException, IOException, GeneralSecurityException {
PKIConfiguration cfg = null;
if (! PKIFactory.getInstance().isAlreadyConfigured())
cfg = new PKIConfigurationImpl(certStoreRootDirParam, chainingMode);
- PKIProfile profile = new PKIProfileImpl(trustStoreURL, checkRevocation);
+
+ PKIProfileImpl profile = new PKIProfileImpl(trustStoreURL, checkRevocation);
+
+ profile.setPreferredServiceOrder(revocationMethodOrder);
+
// This call fixes a bug occuring when PKIConfiguration is
// initialized by the MOA-SP initialization code, in case
// MOA-SP is called by API
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index 7fb0dbb5f..cb1fe36c8 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -210,7 +210,8 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
authConfig.getTrustedCACertificates(),
null,
AuthConfiguration.DEFAULT_X509_CHAININGMODE,
- authConfig.isTrustmanagerrevoationchecking());
+ authConfig.isTrustmanagerrevoationchecking(),
+ authConfig.getRevocationMethodOrder());
httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
@@ -306,14 +307,17 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
} else {
//load new Metadata Provider
ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
- HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);
- chainProvider.addMetadataProvider(newMetadataProvider);
+ HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);
- emitChangeEvent();
- Logger.info("eIDAS metadata for "
- + metadataURL + " is added.");
- return true;
-
+ if (newMetadataProvider != null) {
+ chainProvider.addMetadataProvider(newMetadataProvider);
+
+ emitChangeEvent();
+ Logger.info("eIDAS metadata for "
+ + metadataURL + " is added.");
+ return true;
+
+ }
}
} else