diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java | 105 |
1 files changed, 32 insertions, 73 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java index ed3f297c7..81abe3f5a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java @@ -46,11 +46,7 @@ package at.gv.egovernment.moa.id.util; -import iaik.pki.PKIConfiguration; import iaik.pki.PKIException; -import iaik.pki.PKIFactory; -import iaik.pki.PKIProfile; -import iaik.pki.jsse.IAIKX509TrustManager; import iaik.security.provider.IAIK; import java.io.BufferedInputStream; @@ -62,26 +58,19 @@ import java.io.Reader; import java.net.URL; import java.security.GeneralSecurityException; import java.security.Security; -import java.util.HashMap; -import java.util.Map; import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.KeyManager; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.TrustManager; import org.apache.regexp.RE; import org.apache.regexp.RESyntaxException; +import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.ConnectionParameter; import at.gv.egovernment.moa.id.config.ConnectionParameterInterface; -import at.gv.egovernment.moa.id.iaik.config.PKIConfigurationImpl; -import at.gv.egovernment.moa.id.iaik.pki.PKIProfileImpl; -import at.gv.egovernment.moa.id.iaik.pki.jsse.MOAIDTrustManager; -import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; /** @@ -94,14 +83,7 @@ import at.gv.egovernment.moa.logging.Logger; */ public class SSLUtils { - /** SSLSocketFactory store, mapping URL->SSLSocketFactory **/ - private static Map<String, SSLSocketFactory> sslSocketFactories = new HashMap<String, SSLSocketFactory>(); - - /** - * Initializes the SSLSocketFactory store. - */ public static void initialize() { - sslSocketFactories = new HashMap<String, SSLSocketFactory>(); // JSSE Abhängigkeit //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); Security.addProvider(new IAIK()); @@ -132,61 +114,38 @@ public class SSLUtils { ConnectionParameterInterface connParam) throws IOException, GeneralSecurityException, ConfigurationException, PKIException { - Logger.debug("Get SSLSocketFactory for " + connParam.getUrl()); - // retrieve SSLSocketFactory if already created - SSLSocketFactory ssf = (SSLSocketFactory)sslSocketFactories.get(connParam.getUrl()); - if (ssf != null) - return ssf; - - // else create new SSLSocketFactory - String trustStoreURL = conf.getTrustedCACertificates(); - - if (trustStoreURL == null) - throw new ConfigurationException( - "config.08", new Object[] {"TrustedCACertificates"}); - String acceptedServerCertURL = connParam.getAcceptedServerCertificates(); - - TrustManager[] tms = getTrustManagers(conf, trustStoreURL, acceptedServerCertURL); - - KeyManager[] kms = at.gv.egovernment.moa.util.SSLUtils.getKeyManagers( - "pkcs12", connParam.getClientKeyStore(), connParam.getClientKeyStorePassword()); - SSLContext ctx = SSLContext.getInstance("TLS"); - ctx.init(kms, tms, null); ssf = ctx.getSocketFactory(); - // store SSLSocketFactory - sslSocketFactories.put(connParam.getUrl(), ssf); - return ssf; + // else create new SSLSocketFactory + String trustStoreURL = conf.getTrustedCACertificates(); + + if (trustStoreURL == null) + throw new ConfigurationException( + "config.08", new Object[] {"TrustedCACertificates"}); + + String acceptedServerCertURL = connParam.getAcceptedServerCertificates(); + + //INFO: MOA-ID 2.x always use defaultChainingMode + + try { + SSLSocketFactory ssf = + at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory( + connParam.getUrl(), + conf.getCertstoreDirectory(), + trustStoreURL, + acceptedServerCertURL, + AuthConfigurationProvider.getInstance().getDefaultChainingMode(), + AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking(), + connParam.getClientKeyStore(), + connParam.getClientKeyStorePassword(), + "pkcs12"); + + return ssf; + + } catch (SSLConfigurationException e) { + throw new ConfigurationException(e.getErrorID(), e.getParameters(), e.getE()); + + } } - - /** - * Initializes an <code>IAIKX509TrustManager</code> for a given trust store, - * using configuration data. - * - * @param conf MOA-ID configuration provider - * @param trustStoreURL trust store URL - * @param acceptedServerCertURL file URL pointing to directory containing accepted server SSL certificates - * @return <code>TrustManager</code> array containing the <code>IAIKX509TrustManager</code> - * @throws ConfigurationException on invalid configuration data - * @throws IOException on data-reading problems - * @throws PKIException while initializing the <code>IAIKX509TrustManager</code> - */ - public static TrustManager[] getTrustManagers( - ConfigurationProvider conf, String trustStoreURL, String acceptedServerCertURL) - throws ConfigurationException, PKIException, IOException, GeneralSecurityException { - - PKIConfiguration cfg = null; - if (! PKIFactory.getInstance().isAlreadyConfigured()) - cfg = new PKIConfigurationImpl(conf); - boolean checkRevocation = conf.isTrustmanagerrevoationchecking(); - PKIProfile profile = new PKIProfileImpl(trustStoreURL, checkRevocation); - // This call fixes a bug occuring when PKIConfiguration is - // initialized by the MOA-SP initialization code, in case - // MOA-SP is called by API - MOAIDTrustManager.initializeLoggingContext(); - IAIKX509TrustManager tm = new MOAIDTrustManager(acceptedServerCertURL); - tm.init(cfg, profile); - return new TrustManager[] {tm}; - } /** * Reads a file, given by URL, into a byte array, * securing the connection by IAIKX509TrustManager. |