diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki')
2 files changed, 353 insertions, 0 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java new file mode 100644 index 000000000..4a27a8d66 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java @@ -0,0 +1,210 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.iaik.pki; + +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Set; + +import iaik.pki.PKIProfile; +import iaik.pki.pathvalidation.ValidationProfile; +import iaik.pki.revocation.RevocationProfile; +import iaik.pki.revocation.RevocationSourceTypes; +import iaik.pki.store.truststore.TrustStoreProfile; +import iaik.pki.store.truststore.TrustStoreTypes; + +import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; + +/** + * Implementation of the <code>PKIProfile</code> interface and subinterfaces + * providing information needed for certificate path validation. + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class PKIProfileImpl extends ObservableImpl + implements PKIProfile, RevocationProfile, TrustStoreProfile, ValidationProfile { + + /** + * URI to the truststore + */ + private String trustStoreURI; + + /** + * revocation checking; + */ + private boolean revocationChecking; + + /** + * The trust profile identifier. + */ + private String id; + + + /** + * Create a new <code>PKIProfileImpl</code>. + * + * @param trustStoreURI trust store URI + */ + public PKIProfileImpl(String trustStoreURI, boolean revocationChecking) { + this.trustStoreURI = trustStoreURI; + this.revocationChecking = revocationChecking; + String id = String.valueOf(System.currentTimeMillis()); + setId("id-" + id); + } + + /** + * @see iaik.pki.PKIProfile#autoAddCertificates() + */ + public boolean autoAddCertificates() { + return true; + } + + /** + * @see iaik.pki.PKIProfile#getRevocationProfile() + */ + public RevocationProfile getRevocationProfile() { + return this; + } + + /** + * @see iaik.pki.PKIProfile#getTrustStoreProfile() + */ + public TrustStoreProfile getTrustStoreProfile() { + return this; + } + + /** + * @see iaik.pki.PKIProfile#getValidationProfile() + */ + public ValidationProfile getValidationProfile() { + return this; + } + + /** + * @see iaik.pki.PKIProfile#useAuthorityInfoAccess() + */ + public boolean useAuthorityInfoAccess() { + return true; + } + + /** + * @see iaik.pki.revocation.RevocationProfile#getMaxRevocationAge(java.lang.String) + */ + public long getMaxRevocationAge(String arg0) { + return 0; + } + + /** + * @see iaik.pki.revocation.RevocationProfile#getOCSPRequestHashAlgorithm() + */ + public String getOCSPRequestHashAlgorithm() { + return null; + } + + /** + * @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate) + */ + public String[] getPreferredServiceOrder(X509Certificate arg0) { + return new String[] {RevocationSourceTypes.CRL}; + } + + /** + * @see iaik.pki.store.truststore.TrustStoreProfile#getType() + */ + public String getType() { + return TrustStoreTypes.DIRECTORY; + } + + /** + * @see iaik.pki.store.truststore.TrustStoreProfile#getURI() + */ + public String getURI() { + return trustStoreURI; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialAnyPolicyInhibit() + */ + public boolean getInitialAnyPolicyInhibit() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialExplicitPolicy() + */ + public boolean getInitialExplicitPolicy() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicyMappingInhibit() + */ + public boolean getInitialPolicyMappingInhibit() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicySet() + */ + public Set getInitialPolicySet() { + return Collections.EMPTY_SET; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getNameConstraintsProcessing() + */ + public boolean getNameConstraintsProcessing() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getPolicyProcessing() + */ + public boolean getPolicyProcessing() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getRevocationChecking() + */ + public boolean getRevocationChecking() { + return this.revocationChecking; + } + + /** + * @see iaik.pki.store.truststore.TrustStoreProfile#getId() + */ + public String getId() { + return id; + } + /** + * Sets the trust profile identifier. + * @param id The id to set. + */ + public void setId(String id) { + this.id = id; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java new file mode 100644 index 000000000..9b4853439 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java @@ -0,0 +1,143 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.iaik.pki.jsse; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.net.URL; +import java.security.GeneralSecurityException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; + +import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.logging.LoggingContext; +import at.gv.egovernment.moa.logging.LoggingContextManager; + +import iaik.pki.jsse.IAIKX509TrustManager; + +/** + * <code>TrustManager</code> implementation featuring CRL checking (inherited from + * <code>IAIKX509TrustManager</code>), plus server-end-SSL-certificate checking. + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class MOAIDTrustManager extends IAIKX509TrustManager { + + /** an x509Certificate array containing all accepted server certificates*/ + private X509Certificate[] acceptedServerCertificates; + + /** + * Constructor + * @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store + * @throws GeneralSecurityException occurs on security errors + * @throws IOException occurs on IO errors + */ + public MOAIDTrustManager(String acceptedServerCertificateStoreURL) + throws IOException, GeneralSecurityException { + + if (acceptedServerCertificateStoreURL != null) + buildAcceptedServerCertificates(acceptedServerCertificateStoreURL); + else + acceptedServerCertificates = null; + } + + + /** + * Initializes the LoggingContextManager logging context. + * Fixes a bug occuring in the case MOA-SP is called by API. + * In this case, IAIKX509TrustManager uses the LogginConfig of MOA-SP. + * This method must be called before a MOAIDTrustManager is constructed, + * from every thread. + */ + public static void initializeLoggingContext() { + if (LoggingContextManager.getInstance().getLoggingContext() == null) + LoggingContextManager.getInstance().setLoggingContext( + new LoggingContext(Thread.currentThread().getName())); + } + + + /** + * Builds an Array of accepted server certificates from an URL, + * and stores it in <code>acceptedServerCertificates</code>. + * @param acceptedServerCertificateStoreURL file URL pointing to the directory + * containing accepted server X509 certificates + * @throws GeneralSecurityException on security errors + * @throws IOException on any IO errors + */ + private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL) + throws IOException, GeneralSecurityException { + + List certList = new ArrayList(); + URL storeURL = new URL(acceptedServerCertificateStoreURL); + File storeDir = new File(storeURL.getFile()); + // list certificate files in directory + File[] certFiles = storeDir.listFiles(); + for (int i = 0; i < certFiles.length; i++) { + // for each: create an X509Certificate and store it in list + File certFile = certFiles[i]; + FileInputStream fis = new FileInputStream(certFile.getPath()); + CertificateFactory certFact = CertificateFactory.getInstance("X.509"); + X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis); + fis.close(); + certList.add(cert); + } + // store acceptedServerCertificates + acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]); + } + + /** + * Does additional server-end-SSL-certificate checking. + * @see com.sun.net.ssl.X509TrustManager#isServerTrusted(java.security.cert.X509Certificate[]) + */ + public boolean isServerTrusted(X509Certificate[] certChain) { + boolean trusted = super.isServerTrusted(certChain); + if (! trusted || acceptedServerCertificates == null) + return trusted; + else { + // check server-end-SSL-certificate with acceptedServerCertificates + X509Certificate serverCert = certChain[0]; + for (int i = 0; i < acceptedServerCertificates.length; i++) { + X509Certificate acceptedServerCert = acceptedServerCertificates[i]; + if (serverCert.equals(acceptedServerCert)) + return true; + } + Logger.warn(MOAIDMessageProvider.getInstance().getMessage("ssl.01", null)); + return false; + } + } + /** + * In rare cases, this method is being called although it should not be. + * @see com.sun.net.ssl.X509TrustManager#isClientTrusted(X509Certificate[]) + */ + public boolean isClientTrusted(java.security.cert.X509Certificate arg0[]) + { + return true; + } +} |