diff options
Diffstat (limited to 'id.server/src/at/gv/egovernment/moa/id/iaik')
8 files changed, 617 insertions, 0 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/iaik/config/CertStoreConfigurationImpl.java b/id.server/src/at/gv/egovernment/moa/id/iaik/config/CertStoreConfigurationImpl.java new file mode 100644 index 000000000..421286876 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/iaik/config/CertStoreConfigurationImpl.java @@ -0,0 +1,91 @@ +package at.gv.egovernment.moa.id.iaik.config; + +import java.io.File; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.ConfigurationProvider; +import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; +import iaik.pki.store.certstore.CertStoreConfiguration; +import iaik.pki.store.certstore.CertStoreParameters; +import iaik.pki.store.certstore.CertStoreTypes; +import iaik.pki.store.certstore.directory.DirectoryCertStoreParameters; + +/** + * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code> + * @author Paul Ivancsics + * @version $Id$ + */ +public class CertStoreConfigurationImpl extends ObservableImpl + implements CertStoreConfiguration, DirectoryCertStoreParameters { + /** identifies the rootDirectory */ + private String rootDirectory; + /** Array for storing all CertStoreParameters */ + private CertStoreParameters[] parameters; + + /** + * Create a new <code>CertStoreConfigurationImpl</code>. + * + * @param conf The MOA configuration from which the configuration data is + * @throws ConfigurationException an any config-error + * being read. + */ + public CertStoreConfigurationImpl(ConfigurationProvider conf) throws ConfigurationException { + String paramName = ConfigurationProvider.DIRECTORY_CERTSTORE_PARAMETER_PROPERTY; + String rootDirParam = conf.getGenericConfigurationParameter(paramName); + if (rootDirParam == null) + throw new ConfigurationException( + "config.08", new Object[] {paramName}); + File f = new File(rootDirParam); + if (f.isDirectory()) + rootDirectory = f.getAbsolutePath(); + else + throw new ConfigurationException( + "config.05", new Object[] {paramName}); + + parameters = new CertStoreParameters[] { this }; + } + + /** + * @see iaik.pki.store.certstore.CertStoreConfiguration#getParameters() + */ + public CertStoreParameters[] getParameters() { + return parameters; + } + + /** + * @see iaik.pki.store.certstore.directory.DirectoryCertStoreParameters#getRootDirectory() + */ + public String getRootDirectory() { + return rootDirectory; + } + + /** + * @see iaik.pki.store.certstore.directory.DirectoryCertStoreParameters#createNew() + */ + public boolean createNew() { + return false; + } + + /** + * @see iaik.pki.store.certstore.CertStoreParameters#getId() + */ + public String getId() { + return "MOA ID Directory CertStore"; + } + + /** + * @see iaik.pki.store.certstore.CertStoreParameters#isReadOnly() + */ + public boolean isReadOnly() { + return false; + } + + /** + * @return <code>CertStoreTypes.DIRECTORY</code> + * @see iaik.pki.store.certstore.CertStoreParameters#getType() + */ + public String getType() { + return CertStoreTypes.DIRECTORY; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/iaik/config/LoggerConfigImpl.java b/id.server/src/at/gv/egovernment/moa/id/iaik/config/LoggerConfigImpl.java new file mode 100644 index 000000000..3cd02a2b5 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/iaik/config/LoggerConfigImpl.java @@ -0,0 +1,51 @@ +package at.gv.egovernment.moa.id.iaik.config; + +import iaik.logging.LogConfigurationException; + +import java.io.IOException; +import java.io.InputStream; +import java.net.URL; +import java.util.Properties; + +/** + * Implementation of interface <needed to initialize an IAIK JSSE <code>TrustManager</code> + * @author Paul Ivancsics + * @version $Id$ + */ +public class LoggerConfigImpl implements iaik.logging.LoggerConfig { + + /** logging properties **/ + private Properties loggingProperties; + + /** + * Constructor + */ + public LoggerConfigImpl(String propertyFileURL) throws IOException { + InputStream in = new URL(propertyFileURL).openStream(); + loggingProperties = new Properties(); + loggingProperties.load(in); + in.close(); + } + + /** + * @see iaik.logging.LoggerConfig#getFactory() + */ + public String getFactory() { + return "iaik.logging.impl.Log4jFactory"; + } + + /** + * @see iaik.logging.LoggerConfig#getProperties() + */ + public Properties getProperties() throws LogConfigurationException { + return loggingProperties; + } + + /** + * @see iaik.logging.LoggerConfig#getNodeId() + */ + public String getNodeId() { + return "iaik"; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/iaik/config/PKIConfigurationImpl.java b/id.server/src/at/gv/egovernment/moa/id/iaik/config/PKIConfigurationImpl.java new file mode 100644 index 000000000..8d09e2bc9 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/iaik/config/PKIConfigurationImpl.java @@ -0,0 +1,65 @@ +package at.gv.egovernment.moa.id.iaik.config; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.ConfigurationProvider; +import iaik.pki.PKIConfiguration; +import iaik.pki.pathvalidation.ValidationConfiguration; +import iaik.pki.revocation.RevocationConfiguration; +import iaik.pki.store.certstore.CertStoreConfiguration; +import iaik.pki.store.revocation.archive.ArchiveConfiguration; + +/** + * Implementation of interface <code>PKIConfiguration</code> needed to + * initialize an IAIK JSSE <code>TrustManager</code> + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class PKIConfigurationImpl implements PKIConfiguration { + /** The configuration for the CertStore */ + private CertStoreConfiguration certStoreConfiguration; + /** The configuration for the RevocationChecks */ + private RevocationConfiguration revocationConfiguration; + /** The configuration for the Validation */ + private ValidationConfiguration validationConfiguration; + + /** + * Constructor + * @param conf the Configuration for the PKIConfig + * @throws ConfigurationException for any config error + */ + public PKIConfigurationImpl(ConfigurationProvider conf) throws ConfigurationException { + certStoreConfiguration = new CertStoreConfigurationImpl(conf); + revocationConfiguration = new RevocationConfigurationImpl(); + validationConfiguration = new ValidationConfigurationImpl(conf); + } + + /** + * @see iaik.pki.PKIConfiguration#getCertStoreConfiguration() + */ + public CertStoreConfiguration getCertStoreConfiguration() { + return certStoreConfiguration; + } + + /** + * @see iaik.pki.PKIConfiguration#getRevocationConfiguration() + */ + public RevocationConfiguration getRevocationConfiguration() { + return revocationConfiguration; + } + + /** + * @see iaik.pki.PKIConfiguration#getArchiveConfiguration() + */ + public ArchiveConfiguration getArchiveConfiguration() { + return null; + } + + /** + * @see iaik.pki.PKIConfiguration#getValidationConfiguration() + */ + public ValidationConfiguration getValidationConfiguration() { + return validationConfiguration; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/iaik/config/RevocationConfigurationImpl.java b/id.server/src/at/gv/egovernment/moa/id/iaik/config/RevocationConfigurationImpl.java new file mode 100644 index 000000000..c583babdc --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/iaik/config/RevocationConfigurationImpl.java @@ -0,0 +1,35 @@ +package at.gv.egovernment.moa.id.iaik.config; + +import iaik.pki.revocation.RevocationConfiguration; + +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Date; +import java.util.Set; + +import at.gv.egovernment.moa.id.iaik.servertools.observer.*; + +/** + * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code> + * @author Paul Ivancsics + * @version $Id$ + */ +public class RevocationConfigurationImpl extends ObservableImpl implements RevocationConfiguration { + + /** + * @see iaik.pki.revocation.RevocationConfiguration#getAlternativeDistributionPoints(java.security.cert.X509Certificate, java.util.Date) + */ + public Set getAlternativeDistributionPoints( + X509Certificate arg0, + Date arg1) { + return Collections.EMPTY_SET; + } + + /** + * @see iaik.pki.revocation.RevocationConfiguration#archiveRevocationInfo(java.lang.String, java.lang.String) + */ + public boolean archiveRevocationInfo(String arg0, String arg1) { + return false; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/iaik/config/ValidationConfigurationImpl.java b/id.server/src/at/gv/egovernment/moa/id/iaik/config/ValidationConfigurationImpl.java new file mode 100644 index 000000000..c500e2e8e --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/iaik/config/ValidationConfigurationImpl.java @@ -0,0 +1,51 @@ +package at.gv.egovernment.moa.id.iaik.config; + +import iaik.pki.pathvalidation.ValidationConfiguration; + +import java.security.cert.X509Certificate; +import java.security.spec.AlgorithmParameterSpec; + +import at.gv.egovernment.moa.id.config.ConfigurationProvider; +import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; + +/** + * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code> + * @author Paul Ivancsics + * @version $Id$ + */ +public class ValidationConfigurationImpl extends ObservableImpl + implements ValidationConfiguration { + /** The ConfigurationProvider for the validation*/ + private ConfigurationProvider conf; + + /** + * Constructor + * @param conf with the configuration + */ + public ValidationConfigurationImpl(ConfigurationProvider conf) { + this.conf = conf; + } + + /** + * @see iaik.pki.pathvalidation.ValidationConfiguration#getChainingMode(java.security.cert.X509Certificate) + */ + public String getChainingMode(X509Certificate trustAnchor) { + String chainingMode = conf.getChainingMode(trustAnchor); + return chainingMode; + } + + /** + * @see iaik.pki.pathvalidation.ValidationConfiguration#getPublicKeyParamsAsSpec(java.security.cert.X509Certificate) + */ + public AlgorithmParameterSpec getPublicKeyParamsAsSpec(X509Certificate arg0) { + return null; + } + + /** + * @see iaik.pki.pathvalidation.ValidationConfiguration#getPublicKeyParamsAsCert(java.security.cert.X509Certificate) + */ + public X509Certificate getPublicKeyParamsAsCert(X509Certificate arg0) { + return null; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java b/id.server/src/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java new file mode 100644 index 000000000..882a9c255 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java @@ -0,0 +1,159 @@ +package at.gv.egovernment.moa.id.iaik.pki; + +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Set; + +import iaik.pki.PKIProfile; +import iaik.pki.pathvalidation.ValidationProfile; +import iaik.pki.revocation.RevocationProfile; +import iaik.pki.revocation.RevocationSourceTypes; +import iaik.pki.store.truststore.TrustStoreProfile; +import iaik.pki.store.truststore.TrustStoreTypes; + +import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; + +/** + * Implementation of the <code>PKIProfile</code> interface and subinterfaces + * providing information needed for certificate path validation. + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class PKIProfileImpl extends ObservableImpl + implements PKIProfile, RevocationProfile, TrustStoreProfile, ValidationProfile { + + /** + * URI to the truststore + */ + private String trustStoreURI; + + /** + * Create a new <code>PKIProfileImpl</code>. + * + * @param trustStoreURI trust store URI + */ + public PKIProfileImpl(String trustStoreURI) { + this.trustStoreURI = trustStoreURI; + } + + /** + * @see iaik.pki.PKIProfile#autoAddCertificates() + */ + public boolean autoAddCertificates() { + return true; + } + + /** + * @see iaik.pki.PKIProfile#getRevocationProfile() + */ + public RevocationProfile getRevocationProfile() { + return this; + } + + /** + * @see iaik.pki.PKIProfile#getTrustStoreProfile() + */ + public TrustStoreProfile getTrustStoreProfile() { + return this; + } + + /** + * @see iaik.pki.PKIProfile#getValidationProfile() + */ + public ValidationProfile getValidationProfile() { + return this; + } + + /** + * @see iaik.pki.PKIProfile#useAuthorityInfoAccess() + */ + public boolean useAuthorityInfoAccess() { + return true; + } + + /** + * @see iaik.pki.revocation.RevocationProfile#getMaxRevocationAge(java.lang.String) + */ + public long getMaxRevocationAge(String arg0) { + return 0; + } + + /** + * @see iaik.pki.revocation.RevocationProfile#getOCSPRequestHashAlgorithm() + */ + public String getOCSPRequestHashAlgorithm() { + return null; + } + + /** + * @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate) + */ + public String[] getPreferredServiceOrder(X509Certificate arg0) { + return new String[] {RevocationSourceTypes.CRL}; + } + + /** + * @see iaik.pki.store.truststore.TrustStoreProfile#getType() + */ + public String getType() { + return TrustStoreTypes.DIRECTORY; + } + + /** + * @see iaik.pki.store.truststore.TrustStoreProfile#getURI() + */ + public String getURI() { + return trustStoreURI; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialAnyPolicyInhibit() + */ + public boolean getInitialAnyPolicyInhibit() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialExplicitPolicy() + */ + public boolean getInitialExplicitPolicy() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicyMappingInhibit() + */ + public boolean getInitialPolicyMappingInhibit() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicySet() + */ + public Set getInitialPolicySet() { + return Collections.EMPTY_SET; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getNameConstraintsProcessing() + */ + public boolean getNameConstraintsProcessing() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getPolicyProcessing() + */ + public boolean getPolicyProcessing() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getRevocationChecking() + */ + public boolean getRevocationChecking() { + return true; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java b/id.server/src/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java new file mode 100644 index 000000000..9da006d35 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java @@ -0,0 +1,119 @@ +package at.gv.egovernment.moa.id.iaik.pki.jsse; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.net.URL; +import java.security.GeneralSecurityException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; + +import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.logging.LoggingContext; +import at.gv.egovernment.moa.logging.LoggingContextManager; + +import iaik.pki.jsse.IAIKX509TrustManager; + +/** + * <code>TrustManager</code> implementation featuring CRL checking (inherited from + * <code>IAIKX509TrustManager</code>), plus server-end-SSL-certificate checking. + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class MOAIDTrustManager extends IAIKX509TrustManager { + + /** an x509Certificate array containing all accepted server certificates*/ + private X509Certificate[] acceptedServerCertificates; + + /** + * Constructor + * @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store + * @throws GeneralSecurityException occurs on security errors + * @throws IOException occurs on IO errors + */ + public MOAIDTrustManager(String acceptedServerCertificateStoreURL) + throws IOException, GeneralSecurityException { + + if (acceptedServerCertificateStoreURL != null) + buildAcceptedServerCertificates(acceptedServerCertificateStoreURL); + else + acceptedServerCertificates = null; + } + + + /** + * Initializes the LoggingContextManager logging context. + * Fixes a bug occuring in the case MOA-SP is called by API. + * In this case, IAIKX509TrustManager uses the LogginConfig of MOA-SP. + * This method must be called before a MOAIDTrustManager is constructed, + * from every thread. + */ + public static void initializeLoggingContext() { + if (LoggingContextManager.getInstance().getLoggingContext() == null) + LoggingContextManager.getInstance().setLoggingContext( + new LoggingContext(Thread.currentThread().getName())); + } + + + /** + * Builds an Array of accepted server certificates from an URL, + * and stores it in <code>acceptedServerCertificates</code>. + * @param acceptedServerCertificateStoreURL file URL pointing to the directory + * containing accepted server X509 certificates + * @throws GeneralSecurityException on security errors + * @throws IOException on any IO errors + */ + private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL) + throws IOException, GeneralSecurityException { + + List certList = new ArrayList(); + URL storeURL = new URL(acceptedServerCertificateStoreURL); + File storeDir = new File(storeURL.getFile()); + // list certificate files in directory + File[] certFiles = storeDir.listFiles(); + for (int i = 0; i < certFiles.length; i++) { + // for each: create an X509Certificate and store it in list + File certFile = certFiles[i]; + FileInputStream fis = new FileInputStream(certFile.getPath()); + CertificateFactory certFact = CertificateFactory.getInstance("X.509"); + X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis); + fis.close(); + certList.add(cert); + } + // store acceptedServerCertificates + acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]); + } + + /** + * Does additional server-end-SSL-certificate checking. + * @see com.sun.net.ssl.X509TrustManager#isServerTrusted(java.security.cert.X509Certificate[]) + */ + public boolean isServerTrusted(X509Certificate[] certChain) { + boolean trusted = super.isServerTrusted(certChain); + if (! trusted || acceptedServerCertificates == null) + return trusted; + else { + // check server-end-SSL-certificate with acceptedServerCertificates + X509Certificate serverCert = certChain[0]; + for (int i = 0; i < acceptedServerCertificates.length; i++) { + X509Certificate acceptedServerCert = acceptedServerCertificates[i]; + if (serverCert.equals(acceptedServerCert)) + return true; + } + Logger.warn(MOAIDMessageProvider.getInstance().getMessage("ssl.01", null)); + return false; + } + } + /** + * In rare cases, this method is being called although it should not be. + * @see com.sun.net.ssl.X509TrustManager#isClientTrusted(X509Certificate[]) + */ + public boolean isClientTrusted(java.security.cert.X509Certificate arg0[]) + { + return true; + } +} diff --git a/id.server/src/at/gv/egovernment/moa/id/iaik/servertools/observer/ObservableImpl.java b/id.server/src/at/gv/egovernment/moa/id/iaik/servertools/observer/ObservableImpl.java new file mode 100644 index 000000000..6f6949ad6 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/iaik/servertools/observer/ObservableImpl.java @@ -0,0 +1,46 @@ +package at.gv.egovernment.moa.id.iaik.servertools.observer; + +import iaik.servertools.observer.NotificationData; +import iaik.servertools.observer.Observable; +import iaik.servertools.observer.Observer; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + + +/** + * Implementation of interface <needed to initialize an IAIK JSSE <code>TrustManager</code> + * @author Paul Ivancsics + * @version $Id$ + */ +public class ObservableImpl implements Observable { + /** a List for all observers */ + private List observers = new ArrayList(); + + /** + * @see iaik.servertools.observer.Observable#addObserver(iaik.servertools.observer.Observable) + */ + public void addObserver(Observer observer) { + observers.add(observer); + } + + /** + * @see iaik.servertools.observer.Observable#removeObserver(iaik.servertools.observer.Observable) + */ + public boolean removeObserver(Observer observer) { + return observers.remove(observer); + } + + /** + * @see iaik.servertools.observer.Observable#notify(iaik.servertools.observer.NotificationData) + */ + public void notify(NotificationData data) { + Iterator iter = observers.iterator(); + for (iter = observers.iterator(); iter.hasNext();) { + Observer observer = (Observer) iter.next(); + observer.notify(data); + } + } + +} |