aboutsummaryrefslogtreecommitdiff
path: root/id/server/moa-id-commons/src/main/java/at/gv
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/moa-id-commons/src/main/java/at/gv')
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java44
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java195
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java70
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/statistic/StatisticLog.java18
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java42
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java129
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/CertStoreConfigurationImpl.java156
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java164
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ObservableImpl.java92
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIConfigurationImpl.java118
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java230
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/RevocationConfigurationImpl.java84
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLConfigurationException.java71
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java186
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ValidationConfigurationImpl.java97
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/TargetValidator.java104
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java387
17 files changed, 2185 insertions, 2 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java
index 730a328ab..5cfb1bb92 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java
@@ -30,6 +30,7 @@ import java.util.List;
import javax.persistence.CascadeType;
import javax.persistence.Column;
import javax.persistence.Entity;
+import javax.persistence.FetchType;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
@@ -53,7 +54,13 @@ import org.hibernate.annotations.DynamicUpdate;
@NamedQuery(name="getSessionWithID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.sessionid = :sessionid"),
@NamedQuery(name="getSessionWithSSOID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.SSOsessionid = :sessionid"),
@NamedQuery(name="getSessionWithPendingRequestID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.pendingRequestID = :sessionid"),
- @NamedQuery(name="getMOAISessionsWithTimeOut", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.created < :timeoutcreate or authenticatedsessionstore.updated < :timeoutupdate")
+ @NamedQuery(name="getMOAISessionsWithTimeOut", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.created < :timeoutcreate or authenticatedsessionstore.updated < :timeoutupdate"),
+ @NamedQuery(name="getMOAISessionWithUserNameID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.activeOAsessions activeOAsessions where activeOAsessions.userNameID = :usernameid and activeOAsessions.attributeQueryUsed is false"),
+ @NamedQuery(name="getActiveOAWithSessionIDandOAIDandProtocol", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.activeOAsessions activeOAsessions where activeOAsessions.oaurlprefix = :oaID and activeOAsessions.protocolType = :protocol and authenticatedsessionstore.sessionid = :sessionID"),
+ @NamedQuery(name="getMOASessionWithNameIDandOAID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.activeOAsessions activeOAsessions where activeOAsessions.oaurlprefix = :oaID and activeOAsessions.userNameID = :nameID"),
+ @NamedQuery(name="getInterfederatedIDPForAttributeQueryWithSessionID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.inderfederation inderfederations where inderfederations.attributesRequested is false and authenticatedsessionstore.sessionid = :sessionID"),
+ @NamedQuery(name="getInterfederatedIDPForSSOWithSessionID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.inderfederation inderfederations where inderfederations.attributesRequested is true and authenticatedsessionstore.sessionid = :sessionID order by inderfederations.QAALevel DESC"),
+ @NamedQuery(name="getInterfederatedIDPForSSOWithSessionIDIDPID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.inderfederation inderfederations where inderfederations.attributesRequested is true and authenticatedsessionstore.sessionid = :sessionID and inderfederations.idpurlprefix = :idpID")
})
public class AuthenticatedSessionStore implements Serializable{
@@ -82,6 +89,9 @@ public class AuthenticatedSessionStore implements Serializable{
@Column(name = "isSSOSession", nullable=false)
private boolean isSSOSession = false;
+
+ @Column(name = "isInterfederatedSSOSession", nullable=false)
+ private boolean isInterfederatedSSOSession = false;
@Column(name = "pendingRequestID", nullable=false)
private String pendingRequestID = "";
@@ -100,6 +110,9 @@ public class AuthenticatedSessionStore implements Serializable{
@OneToMany(mappedBy="moasession", cascade=CascadeType.ALL)
private List<OldSSOSessionIDStore> oldssosessionids = null;
+ @OneToMany(mappedBy="moasession", cascade=CascadeType.ALL, fetch=FetchType.EAGER)
+ private List<InterfederationSessionStore> inderfederation = null;
+
@PrePersist
protected void created() {
this.updated = this.created = new Date();
@@ -193,6 +206,20 @@ public class AuthenticatedSessionStore implements Serializable{
public void setOldssosessionids(List<OldSSOSessionIDStore> oldssosessionids) {
this.oldssosessionids = oldssosessionids;
}
+
+ /**
+ * @return the inderfederation
+ */
+ public List<InterfederationSessionStore> getInderfederation() {
+ return inderfederation;
+ }
+
+ /**
+ * @param inderfederation the inderfederation to set
+ */
+ public void setInderfederation(List<InterfederationSessionStore> inderfederation) {
+ this.inderfederation = inderfederation;
+ }
/**
* @return the pendingRequestID
@@ -221,8 +248,21 @@ public class AuthenticatedSessionStore implements Serializable{
public void setIv(byte[] iv) {
this.iv = iv;
}
+
+ /**
+ * @return the isInterfederatedSSOSession
+ */
+ public boolean isInterfederatedSSOSession() {
+ return isInterfederatedSSOSession;
+ }
+
+ /**
+ * @param isInterfederatedSSOSession the isInterfederatedSSOSession to set
+ */
+ public void setInterfederatedSSOSession(boolean isInterfederatedSSOSession) {
+ this.isInterfederatedSSOSession = isInterfederatedSSOSession;
+ }
-
}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java
new file mode 100644
index 000000000..1fcdd9b9b
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java
@@ -0,0 +1,195 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.commons.db.dao.session;
+
+import java.io.Serializable;
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.FetchType;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.ManyToOne;
+import javax.persistence.Table;
+
+import org.hibernate.annotations.DynamicUpdate;
+
+@Entity
+@DynamicUpdate(value=true)
+@Table(name = "interfederation")
+
+public class InterfederationSessionStore implements Serializable{
+
+ private static final long serialVersionUID = 1L;
+
+ @Id
+ @GeneratedValue(strategy = GenerationType.IDENTITY)
+ @Column(name = "id", unique=true, nullable=false)
+ private long id;
+
+ @Column(name = "idpurlprefix", unique=false, nullable=false)
+ private String idpurlprefix;
+
+ @Column(name = "sessionIndex", unique=false, nullable=false)
+ private String sessionIndex;
+
+ @Column(name = "nameID", unique=false, nullable=false)
+ private String userNameID;
+
+ @Column(name = "QAALevel", unique=false, nullable=false)
+ private String QAALevel;
+
+ @Column(name = "attributesRequested", unique=false, nullable=true)
+ private boolean attributesRequested;
+
+ @Column(name = "created", updatable=false, nullable=false)
+// @Temporal(TemporalType.TIMESTAMP)
+ private Date created;
+
+// @PrePersist
+// protected void created() {
+// this.created = new Date();
+// }
+
+ @ManyToOne(fetch=FetchType.LAZY)
+ @JoinColumn(name = "moasession")
+ private AuthenticatedSessionStore moasession;
+
+ /**
+ * @return the id
+ */
+ public long getId() {
+ return id;
+ }
+
+ /**
+ * @param id the id to set
+ */
+ public void setId(long id) {
+ this.id = id;
+ }
+
+ /**
+ * @return the idpurlprefix
+ */
+ public String getIdpurlprefix() {
+ return idpurlprefix;
+ }
+
+ /**
+ * @param idpurlprefix the idpurlprefix to set
+ */
+ public void setIdpurlprefix(String idpurlprefix) {
+ this.idpurlprefix = idpurlprefix;
+ }
+
+ /**
+ * @return the sessionIndex
+ */
+ public String getSessionIndex() {
+ return sessionIndex;
+ }
+
+ /**
+ * @param sessionIndex the sessionIndex to set
+ */
+ public void setSessionIndex(String sessionIndex) {
+ this.sessionIndex = sessionIndex;
+ }
+
+ /**
+ * @return the userNameID
+ */
+ public String getUserNameID() {
+ return userNameID;
+ }
+
+ /**
+ * @param userNameID the userNameID to set
+ */
+ public void setUserNameID(String userNameID) {
+ this.userNameID = userNameID;
+ }
+
+ /**
+ * @return the attributesRequested
+ */
+ public boolean isAttributesRequested() {
+ return attributesRequested;
+ }
+
+ /**
+ * @param attributesRequested the attributesRequested to set
+ */
+ public void setAttributesRequested(boolean attributesRequested) {
+ this.attributesRequested = attributesRequested;
+ }
+
+ /**
+ * @return the created
+ */
+ public Date getCreated() {
+ return created;
+ }
+
+ /**
+ * @param created the created to set
+ */
+ public void setCreated(Date created) {
+ this.created = created;
+ }
+
+ /**
+ * @return the moasession
+ */
+ public AuthenticatedSessionStore getMoasession() {
+ return moasession;
+ }
+
+ /**
+ * @param moasession the moasession to set
+ */
+ public void setMoasession(AuthenticatedSessionStore moasession) {
+ this.moasession = moasession;
+ }
+
+ /**
+ * @return the qAALevel
+ */
+ public String getQAALevel() {
+ return QAALevel;
+ }
+
+ /**
+ * @param qAALevel the qAALevel to set
+ */
+ public void setQAALevel(String qAALevel) {
+ QAALevel = qAALevel;
+ }
+
+
+}
+
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java
index 6d1b64262..539de990f 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java
@@ -56,6 +56,18 @@ public class OASessionStore implements Serializable{
@Column(name = "assertionSessionID", unique=false, nullable=true)
private String assertionSessionID;
+ @Column(name = "userNameID", unique=false, nullable=true)
+ private String userNameID;
+
+ @Column(name = "userNameIDFormat", unique=false, nullable=true)
+ private String userNameIDFormat;
+
+ @Column(name = "protocolType", unique=false, nullable=true)
+ private String protocolType;
+
+ @Column(name = "attributequeryused", unique=false, nullable=false)
+ private boolean attributeQueryUsed = false;
+
@Column(name = "created", updatable=false, nullable=false)
// @Temporal(TemporalType.TIMESTAMP)
private Date created;
@@ -115,6 +127,64 @@ public class OASessionStore implements Serializable{
this.assertionSessionID = assertionSessionID;
}
+ /**
+ * @return the userNameID
+ */
+ public String getUserNameID() {
+ return userNameID;
+ }
+
+ /**
+ * @param userNameID the userNameID to set
+ */
+ public void setUserNameID(String userNameID) {
+ this.userNameID = userNameID;
+ }
+
+ /**
+ * @return the protocolType
+ */
+ public String getProtocolType() {
+ return protocolType;
+ }
+
+ /**
+ * @param protocolType the protocolType to set
+ */
+ public void setProtocolType(String protocolType) {
+ this.protocolType = protocolType;
+ }
+
+ /**
+ * @return the attributeQueryUsed
+ */
+ public boolean isAttributeQueryUsed() {
+ return attributeQueryUsed;
+ }
+
+ /**
+ * @param attributeQueryUsed the attributeQueryUsed to set
+ */
+ public void setAttributeQueryUsed(boolean attributeQueryUsed) {
+ this.attributeQueryUsed = attributeQueryUsed;
+ }
+
+ /**
+ * @return the userNameIDFormat
+ */
+ public String getUserNameIDFormat() {
+ return userNameIDFormat;
+ }
+
+ /**
+ * @param userNameIDFormat the userNameIDFormat to set
+ */
+ public void setUserNameIDFormat(String userNameIDFormat) {
+ this.userNameIDFormat = userNameIDFormat;
+ }
+
+
+
}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/statistic/StatisticLog.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/statistic/StatisticLog.java
index 65c9003e3..b557d2dc9 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/statistic/StatisticLog.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/statistic/StatisticLog.java
@@ -78,6 +78,9 @@ public class StatisticLog implements Serializable{
@Column(name = "isSSOLogin", unique=false)
private boolean ssosession;
+ @Column(name = "isInterfederatedSSOLogin", unique=false)
+ private boolean interfederatedSSOSession;
+
@Column(name = "isBusinessService", unique=false)
private boolean businessservice;
@@ -390,6 +393,21 @@ public class StatisticLog implements Serializable{
public void setErrortype(String errortype) {
this.errortype = errortype;
}
+
+ /**
+ * @return the interfederatedSSOSession
+ */
+ public boolean isInterfederatedSSOSession() {
+ return interfederatedSSOSession;
+ }
+
+ /**
+ * @param interfederatedSSOSession the interfederatedSSOSession to set
+ */
+ public void setInterfederatedSSOSession(boolean interfederatedSSOSession) {
+ this.interfederatedSSOSession = interfederatedSSOSession;
+ }
+
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java
new file mode 100644
index 000000000..c6d8b1d79
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.commons.ex;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAHttpProtocolSocketFactoryException extends Exception {
+
+ private static final long serialVersionUID = 4934502074731319897L;
+
+
+ public MOAHttpProtocolSocketFactoryException(String message) {
+ super(message);
+ }
+
+ public MOAHttpProtocolSocketFactoryException(String message, Throwable e) {
+ super(message, e );
+ }
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
new file mode 100644
index 000000000..3b6fc34ea
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.commons.utils;
+
+import iaik.pki.PKIException;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.GeneralSecurityException;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+
+import org.apache.commons.httpclient.ConnectTimeoutException;
+import org.apache.commons.httpclient.params.HttpConnectionParams;
+import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
+
+import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
+import at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory {
+
+
+
+ private SSLSocketFactory sslfactory = null;
+
+ public MOAHttpProtocolSocketFactory (
+ String url,
+ String certStoreRootDirParam,
+ String trustStoreURL,
+ String acceptedServerCertURL,
+ ChainingModeType chainingMode,
+ boolean checkRevocation
+ ) throws MOAHttpProtocolSocketFactoryException {
+ super();
+
+ try {
+ this.sslfactory = SSLUtils.getSSLSocketFactory(
+ url,
+ certStoreRootDirParam,
+ trustStoreURL,
+ acceptedServerCertURL,
+ chainingMode.value(),
+ checkRevocation,
+ null,
+ null,
+ null);
+
+ } catch (IOException e) {
+ throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e);
+
+ } catch (GeneralSecurityException e) {
+ throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e);
+
+ } catch (SSLConfigurationException e) {
+ throw new MOAHttpProtocolSocketFactoryException("SSL Configuration loading FAILED.", e);
+
+ } catch (PKIException e) {
+ throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e);
+
+ }
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int)
+ */
+ public Socket createSocket(String host, int port, InetAddress localAddress,
+ int localPort) throws IOException, UnknownHostException {
+ return this.sslfactory.createSocket(host, port,
+ localAddress, localPort);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int, org.apache.commons.httpclient.params.HttpConnectionParams)
+ */
+ public Socket createSocket(String host, int port, InetAddress localAddress,
+ int localPort, HttpConnectionParams params) throws IOException,
+ UnknownHostException, ConnectTimeoutException {
+ return this.sslfactory.createSocket(host, port,
+ localAddress, localPort);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int)
+ */
+ public Socket createSocket(String host, int port) throws IOException,
+ UnknownHostException {
+ return this.sslfactory.createSocket(host, port);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory#createSocket(java.net.Socket, java.lang.String, int, boolean)
+ */
+ public Socket createSocket(Socket socket, String host, int port,
+ boolean autoClose) throws IOException, UnknownHostException {
+ return this.sslfactory.createSocket(socket, host,
+ port, autoClose);
+ }
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/CertStoreConfigurationImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/CertStoreConfigurationImpl.java
new file mode 100644
index 000000000..00e750f58
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/CertStoreConfigurationImpl.java
@@ -0,0 +1,156 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import at.gv.egovernment.moa.logging.Logger;
+import iaik.pki.store.certstore.CertStoreConfiguration;
+import iaik.pki.store.certstore.CertStoreParameters;
+import iaik.pki.store.certstore.CertStoreTypes;
+import iaik.pki.store.certstore.directory.DirectoryCertStoreParameters;
+
+import java.io.File;
+
+/**
+ * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code>
+ *
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class CertStoreConfigurationImpl extends ObservableImpl
+ implements CertStoreConfiguration, DirectoryCertStoreParameters {
+ /**
+ * identifies the rootDirectory
+ */
+ private String rootDirectory;
+
+ /**
+ * Array for storing all CertStoreParameters
+ */
+ private CertStoreParameters[] parameters;
+
+ /**
+ * Create a new <code>CertStoreConfigurationImpl</code>.
+ *
+ * @param conf The MOA configuration from which the configuration data is
+ * @throws ConfigurationException an any config-error
+ * being read.
+ */
+ public CertStoreConfigurationImpl(String certStoreRootDirParam) throws SSLConfigurationException {
+
+ if (certStoreRootDirParam == null)
+ throw new SSLConfigurationException(
+ "config.08", new Object[]{"CertStoreDirectory"});
+
+ //rootDirectory = FileUtils.makeAbsoluteURL(certStoreRootDirParam, conf.getRootConfigFileDir());
+ rootDirectory = certStoreRootDirParam;
+ Logger.error("Using file: " + rootDirectory);
+ if (rootDirectory.startsWith("file:")) rootDirectory = rootDirectory.substring(5);
+ Logger.error("Using file2: " + rootDirectory);
+
+ File f = new File(rootDirectory);
+ //Logger.error("Using file: " + certStoreRootDirParam + " param: " + conf.getRootConfigFileDir());
+
+ if (!f.exists()) {
+ Logger.error("File does not exists: " + f.getAbsolutePath());
+ throw new SSLConfigurationException(
+ "config.05", new Object[]{"CertStoreDirectory"});
+ }
+
+ if (!f.isDirectory()) {
+ Logger.error("File is not a directory: " + f.getAbsolutePath());
+ throw new SSLConfigurationException(
+ "config.05", new Object[]{"CertStoreDirectory"});
+ }
+
+
+ parameters = new CertStoreParameters[]{this};
+ }
+
+ /**
+ * @see iaik.pki.store.certstore.CertStoreConfiguration#getParameters()
+ */
+ public CertStoreParameters[] getParameters() {
+ return parameters;
+ }
+
+ /**
+ * @see iaik.pki.store.certstore.directory.DirectoryCertStoreParameters#getRootDirectory()
+ */
+ public String getRootDirectory() {
+ return rootDirectory;
+ }
+
+ /**
+ * @see iaik.pki.store.certstore.directory.DirectoryCertStoreParameters#createNew()
+ */
+ public boolean createNew() {
+ return false;
+ }
+
+ /**
+ * @see iaik.pki.store.certstore.CertStoreParameters#getId()
+ */
+ public String getId() {
+ return "MOA ID Directory CertStore";
+ }
+
+ /**
+ * @see iaik.pki.store.certstore.CertStoreParameters#isReadOnly()
+ */
+ public boolean isReadOnly() {
+ return false;
+ }
+
+ /**
+ * @return <code>CertStoreTypes.DIRECTORY</code>
+ * @see iaik.pki.store.certstore.CertStoreParameters#getType()
+ */
+ public String getType() {
+ return CertStoreTypes.DIRECTORY;
+ }
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
new file mode 100644
index 000000000..eaef3f1d4
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
@@ -0,0 +1,164 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.logging.LoggingContext;
+import at.gv.egovernment.moa.logging.LoggingContextManager;
+
+import iaik.pki.jsse.IAIKX509TrustManager;
+
+/**
+ * <code>TrustManager</code> implementation featuring CRL checking (inherited from
+ * <code>IAIKX509TrustManager</code>), plus server-end-SSL-certificate checking.
+ *
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class MOAIDTrustManager extends IAIKX509TrustManager {
+
+ /** an x509Certificate array containing all accepted server certificates*/
+ private X509Certificate[] acceptedServerCertificates;
+
+ /**
+ * Constructor
+ * @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store
+ * @throws GeneralSecurityException occurs on security errors
+ * @throws IOException occurs on IO errors
+ */
+ public MOAIDTrustManager(String acceptedServerCertificateStoreURL)
+ throws IOException, GeneralSecurityException {
+
+ if (acceptedServerCertificateStoreURL != null)
+ buildAcceptedServerCertificates(acceptedServerCertificateStoreURL);
+ else
+ acceptedServerCertificates = null;
+ }
+
+
+ /**
+ * Initializes the LoggingContextManager logging context.
+ * Fixes a bug occuring in the case MOA-SP is called by API.
+ * In this case, IAIKX509TrustManager uses the LogginConfig of MOA-SP.
+ * This method must be called before a MOAIDTrustManager is constructed,
+ * from every thread.
+ */
+ public static void initializeLoggingContext() {
+ if (LoggingContextManager.getInstance().getLoggingContext() == null)
+ LoggingContextManager.getInstance().setLoggingContext(
+ new LoggingContext(Thread.currentThread().getName()));
+ }
+
+
+ /**
+ * Builds an Array of accepted server certificates from an URL,
+ * and stores it in <code>acceptedServerCertificates</code>.
+ * @param acceptedServerCertificateStoreURL file URL pointing to the directory
+ * containing accepted server X509 certificates
+ * @throws GeneralSecurityException on security errors
+ * @throws IOException on any IO errors
+ */
+ private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL)
+ throws IOException, GeneralSecurityException {
+
+ List<X509Certificate> certList = new ArrayList<X509Certificate>();
+ URL storeURL = new URL(acceptedServerCertificateStoreURL);
+ File storeDir = new File(storeURL.getFile());
+ // list certificate files in directory
+ File[] certFiles = storeDir.listFiles();
+ for (int i = 0; i < certFiles.length; i++) {
+ // for each: create an X509Certificate and store it in list
+ File certFile = certFiles[i];
+ FileInputStream fis = new FileInputStream(certFile.getPath());
+ CertificateFactory certFact = CertificateFactory.getInstance("X.509");
+ X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
+ fis.close();
+ certList.add(cert);
+ }
+ // store acceptedServerCertificates
+ acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]);
+ }
+
+ /**
+ * Does additional server-end-SSL-certificate checking.
+ * @see com.sun.net.ssl.X509TrustManager#isServerTrusted(java.security.cert.X509Certificate[])
+ */
+ public boolean isServerTrusted(X509Certificate[] certChain) {
+ boolean trusted = super.isServerTrusted(certChain);
+ if (! trusted || acceptedServerCertificates == null)
+ return trusted;
+ else {
+ // check server-end-SSL-certificate with acceptedServerCertificates
+ X509Certificate serverCert = certChain[0];
+ for (int i = 0; i < acceptedServerCertificates.length; i++) {
+ X509Certificate acceptedServerCert = acceptedServerCertificates[i];
+ if (serverCert.equals(acceptedServerCert))
+ return true;
+ }
+ Logger.warn("SSL certificate validation FAILED.");
+ return false;
+ }
+ }
+ /**
+ * In rare cases, this method is being called although it should not be.
+ * @see com.sun.net.ssl.X509TrustManager#isClientTrusted(X509Certificate[])
+ */
+ public boolean isClientTrusted(java.security.cert.X509Certificate arg0[])
+ {
+ return true;
+ }
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ObservableImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ObservableImpl.java
new file mode 100644
index 000000000..fa9cd879d
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ObservableImpl.java
@@ -0,0 +1,92 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import iaik.pki.store.observer.NotificationData;
+import iaik.pki.store.observer.Observable;
+import iaik.pki.store.observer.Observer;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
+
+/**
+ * Implementation of interface <needed to initialize an IAIK JSSE <code>TrustManager</code>
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class ObservableImpl implements Observable {
+ /** a List for all observers */
+ private List<Observer> observers = new ArrayList<Observer>();
+
+ /**
+ * @see iaik.pki.store.observer.Observable#addObserver(iaik.pki.store.observer.Observer)
+ */
+ public void addObserver(Observer observer) {
+ observers.add(observer);
+ }
+
+ /**
+ * @see iaik.pki.store.observer.Observable#removeObserver(iaik.pki.store.observer.Observer)
+ */
+ public boolean removeObserver(Observer observer) {
+ return observers.remove(observer);
+ }
+
+ /**
+ * @see iaik.pki.store.observer.Observable#notify(iaik.pki.store.observer.NotificationData)
+ */
+ public void notify(NotificationData data) {
+ Iterator<Observer> iter = observers.iterator();
+ for (iter = observers.iterator(); iter.hasNext();) {
+ Observer observer = (Observer) iter.next();
+ observer.notify(data);
+ }
+ }
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIConfigurationImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIConfigurationImpl.java
new file mode 100644
index 000000000..5d8c7a54e
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIConfigurationImpl.java
@@ -0,0 +1,118 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import iaik.pki.PKIConfiguration;
+import iaik.pki.pathvalidation.ValidationConfiguration;
+import iaik.pki.revocation.RevocationConfiguration;
+import iaik.pki.store.certstore.CertStoreConfiguration;
+import iaik.pki.store.revocation.archive.ArchiveConfiguration;
+
+/**
+ * Implementation of interface <code>PKIConfiguration</code> needed to
+ * initialize an IAIK JSSE <code>TrustManager</code>
+ *
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class PKIConfigurationImpl implements PKIConfiguration {
+ /** The configuration for the CertStore */
+ private CertStoreConfiguration certStoreConfiguration;
+ /** The configuration for the RevocationChecks */
+ private RevocationConfiguration revocationConfiguration;
+ /** The configuration for the Validation */
+ private ValidationConfiguration validationConfiguration;
+
+ /**
+ * Constructor
+ * @param conf the Configuration for the PKIConfig
+ * @throws ConfigurationException for any config error
+ */
+ public PKIConfigurationImpl(String certStoreRootDirParam, String chainingMode) throws SSLConfigurationException {
+
+ certStoreConfiguration = new CertStoreConfigurationImpl(certStoreRootDirParam);
+ revocationConfiguration = new RevocationConfigurationImpl();
+ validationConfiguration = new ValidationConfigurationImpl(chainingMode);
+ }
+
+ /**
+ * @see iaik.pki.PKIConfiguration#getCertStoreConfiguration()
+ */
+ public CertStoreConfiguration getCertStoreConfiguration() {
+ return certStoreConfiguration;
+ }
+
+ /**
+ * @see iaik.pki.PKIConfiguration#getRevocationConfiguration()
+ */
+ public RevocationConfiguration getRevocationConfiguration() {
+ return revocationConfiguration;
+ }
+
+ /**
+ * @see iaik.pki.PKIConfiguration#getArchiveConfiguration()
+ */
+ public ArchiveConfiguration getArchiveConfiguration() {
+ return null;
+ }
+
+ /**
+ * @see iaik.pki.PKIConfiguration#getValidationConfiguration()
+ */
+ public ValidationConfiguration getValidationConfiguration() {
+ return validationConfiguration;
+ }
+
+/* (non-Javadoc)
+ * @see iaik.pki.PKIConfiguration#getTimeout()
+ */
+ public int getTimeout() {
+ // TODO Auto-generated method stub
+ return 0;
+}
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java
new file mode 100644
index 000000000..59994a257
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java
@@ -0,0 +1,230 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.Set;
+
+import iaik.pki.PKIProfile;
+import iaik.pki.pathvalidation.ValidationProfile;
+import iaik.pki.revocation.RevocationProfile;
+import iaik.pki.revocation.RevocationSourceTypes;
+import iaik.pki.store.truststore.TrustStoreProfile;
+import iaik.pki.store.truststore.TrustStoreTypes;
+
+/**
+ * Implementation of the <code>PKIProfile</code> interface and subinterfaces
+ * providing information needed for certificate path validation.
+ *
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class PKIProfileImpl extends ObservableImpl
+ implements PKIProfile, RevocationProfile, TrustStoreProfile, ValidationProfile {
+
+ /**
+ * URI to the truststore
+ */
+ private String trustStoreURI;
+
+ /**
+ * revocation checking;
+ */
+ private boolean revocationChecking;
+
+ /**
+ * The trust profile identifier.
+ */
+ private String id;
+
+
+ /**
+ * Create a new <code>PKIProfileImpl</code>.
+ *
+ * @param trustStoreURI trust store URI
+ */
+ public PKIProfileImpl(String trustStoreURI, boolean revocationChecking) {
+ this.trustStoreURI = trustStoreURI;
+ this.revocationChecking = revocationChecking;
+ String id = String.valueOf(System.currentTimeMillis());
+ setId("id-" + id);
+ }
+
+ /**
+ * @see iaik.pki.PKIProfile#autoAddCertificates()
+ */
+ public boolean autoAddCertificates() {
+ return true;
+ }
+
+ /**
+ * @see iaik.pki.PKIProfile#getRevocationProfile()
+ */
+ public RevocationProfile getRevocationProfile() {
+ return this;
+ }
+
+ /**
+ * @see iaik.pki.PKIProfile#getTrustStoreProfile()
+ */
+ public TrustStoreProfile getTrustStoreProfile() {
+ return this;
+ }
+
+ /**
+ * @see iaik.pki.PKIProfile#getValidationProfile()
+ */
+ public ValidationProfile getValidationProfile() {
+ return this;
+ }
+
+ /**
+ * @see iaik.pki.PKIProfile#useAuthorityInfoAccess()
+ */
+ public boolean useAuthorityInfoAccess() {
+ return true;
+ }
+
+ /**
+ * @see iaik.pki.revocation.RevocationProfile#getMaxRevocationAge(java.lang.String)
+ */
+ public long getMaxRevocationAge(String arg0) {
+ return 0;
+ }
+
+ /**
+ * @see iaik.pki.revocation.RevocationProfile#getOCSPRequestHashAlgorithm()
+ */
+ public String getOCSPRequestHashAlgorithm() {
+ return null;
+ }
+
+ /**
+ * @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate)
+ */
+ public String[] getPreferredServiceOrder(X509Certificate arg0) {
+ return new String[] {RevocationSourceTypes.CRL};
+ }
+
+ /**
+ * @see iaik.pki.store.truststore.TrustStoreProfile#getType()
+ */
+ public String getType() {
+ return TrustStoreTypes.DIRECTORY;
+ }
+
+ /**
+ * @see iaik.pki.store.truststore.TrustStoreProfile#getURI()
+ */
+ public String getURI() {
+ return trustStoreURI;
+ }
+
+ /**
+ * @see iaik.pki.pathvalidation.ValidationProfile#getInitialAnyPolicyInhibit()
+ */
+ public boolean getInitialAnyPolicyInhibit() {
+ return false;
+ }
+
+ /**
+ * @see iaik.pki.pathvalidation.ValidationProfile#getInitialExplicitPolicy()
+ */
+ public boolean getInitialExplicitPolicy() {
+ return false;
+ }
+
+ /**
+ * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicyMappingInhibit()
+ */
+ public boolean getInitialPolicyMappingInhibit() {
+ return false;
+ }
+
+ /**
+ * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicySet()
+ */
+ public Set getInitialPolicySet() {
+ return Collections.EMPTY_SET;
+ }
+
+ /**
+ * @see iaik.pki.pathvalidation.ValidationProfile#getNameConstraintsProcessing()
+ */
+ public boolean getNameConstraintsProcessing() {
+ return false;
+ }
+
+ /**
+ * @see iaik.pki.pathvalidation.ValidationProfile#getPolicyProcessing()
+ */
+ public boolean getPolicyProcessing() {
+ return false;
+ }
+
+ /**
+ * @see iaik.pki.pathvalidation.ValidationProfile#getRevocationChecking()
+ */
+ public boolean getRevocationChecking() {
+ return this.revocationChecking;
+ }
+
+ /**
+ * @see iaik.pki.store.truststore.TrustStoreProfile#getId()
+ */
+ public String getId() {
+ return id;
+ }
+ /**
+ * Sets the trust profile identifier.
+ * @param id The id to set.
+ */
+ public void setId(String id) {
+ this.id = id;
+ }
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/RevocationConfigurationImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/RevocationConfigurationImpl.java
new file mode 100644
index 000000000..b5e0543db
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/RevocationConfigurationImpl.java
@@ -0,0 +1,84 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import iaik.pki.revocation.RevocationConfiguration;
+
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Set;
+
+/**
+ * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code>
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class RevocationConfigurationImpl extends ObservableImpl implements RevocationConfiguration {
+
+ /**
+ * @see iaik.pki.revocation.RevocationConfiguration#getAlternativeDistributionPoints(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)
+ */
+ public Set getAlternativeDistributionPoints(
+ X509Certificate arg0,
+ X509Certificate arg1,
+ Date arg2) {
+ return Collections.EMPTY_SET;
+ }
+
+ /**
+ * @see iaik.pki.revocation.RevocationConfiguration#archiveRevocationInfo(java.lang.String, java.lang.String)
+ */
+ public boolean archiveRevocationInfo(String arg0, String arg1) {
+ return false;
+ }
+
+ public Integer getCrlRetentionInterval(String arg0) {
+ return null;
+ }
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLConfigurationException.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLConfigurationException.java
new file mode 100644
index 000000000..b1334ad67
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLConfigurationException.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SSLConfigurationException extends Exception {
+
+ private static final long serialVersionUID = -3705679559648920151L;
+
+ private String errorID = null;
+ private Object[] parameters = null;
+ private Throwable e = null;
+
+ public SSLConfigurationException(String errorID, Object[] parameters) {
+ this.errorID = errorID;
+ this.parameters = parameters;
+ }
+
+ public SSLConfigurationException(String errorID, Object[] parameters, Throwable e) {
+ this.errorID = errorID;
+ this.parameters = parameters;
+ this.e = e;
+ }
+
+ /**
+ * @return the errorID
+ */
+ public String getErrorID() {
+ return errorID;
+ }
+
+ /**
+ * @return the parameters
+ */
+ public Object[] getParameters() {
+ return parameters;
+ }
+
+ /**
+ * @return the e
+ */
+ public Throwable getE() {
+ return e;
+ }
+
+
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
new file mode 100644
index 000000000..68437a04d
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -0,0 +1,186 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import iaik.pki.PKIConfiguration;
+import iaik.pki.PKIException;
+import iaik.pki.PKIFactory;
+import iaik.pki.PKIProfile;
+import iaik.pki.jsse.IAIKX509TrustManager;
+import iaik.security.provider.IAIK;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+
+import at.gv.egovernment.moa.logging.Logger;
+
+
+/**
+ * Utility for a obtaining a secure socket factory using <code>IAIKX509TrustManager</code>.
+ * This <code>TrustManager</code> implementation features CRL checking.<br/>
+ * <code>SSLUtils</code> caches secure socket factories for given <code>ConnectionParameter</code>s.
+ *
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class SSLUtils {
+
+ /** SSLSocketFactory store, mapping URL->SSLSocketFactory **/
+ private static Map<String, SSLSocketFactory> sslSocketFactories = new HashMap<String, SSLSocketFactory>();
+
+ /**
+ * Initializes the SSLSocketFactory store.
+ */
+ public static void initialize() {
+ sslSocketFactories = new HashMap<String, SSLSocketFactory>();
+ // JSSE Abhängigkeit
+ //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
+ Security.addProvider(new IAIK());
+ //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
+
+
+ }
+
+ /**
+ * Creates an <code>SSLSocketFactory</code> which utilizes an
+ * <code>IAIKX509TrustManager</code> for the given trust store,
+ * and the given key store.
+ *
+ * @param conf configuration provider providing a generic properties pointing
+ * to trusted CA store and certificate store root
+ * @param connParam connection parameter containing the client key store settings
+ * to be used in case of client authentication;
+ * if <code>connParam.getClientKeyStore() == null</code>, client authentication
+ * is assumed to be disabled
+ * @return <code>SSLSocketFactory</code> to be used by an <code>HttpsURLConnection</code>
+ * @throws IOException thrown while reading key store file
+ * @throws GeneralSecurityException thrown while creating the socket factory
+ * @throws ConfigurationException on invalid configuration data
+ * @throws PKIException while initializing the <code>IAIKX509TrustManager</code>
+ */
+ public static SSLSocketFactory getSSLSocketFactory(
+ String url,
+ String certStoreRootDirParam,
+ String trustStoreURL,
+ String acceptedServerCertURL,
+ String chainingMode,
+ boolean checkRevocation,
+ String clientKeyStoreURL,
+ String clientKeyStorePassword,
+ String clientKeyStoreType
+ )
+ throws IOException, GeneralSecurityException, SSLConfigurationException, PKIException {
+
+ Logger.debug("Get SSLSocketFactory for " + url);
+ // retrieve SSLSocketFactory if already created
+ SSLSocketFactory ssf = (SSLSocketFactory)sslSocketFactories.get(url);
+ if (ssf != null)
+ return ssf;
+
+ TrustManager[] tms = getTrustManagers(
+ certStoreRootDirParam,
+ chainingMode,
+ trustStoreURL,
+ acceptedServerCertURL,
+ checkRevocation);
+
+ KeyManager[] kms = at.gv.egovernment.moa.util.SSLUtils.getKeyManagers(
+ clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword);
+ SSLContext ctx = SSLContext.getInstance("TLS");
+ ctx.init(kms, tms, null);
+ ssf = ctx.getSocketFactory();
+ // store SSLSocketFactory
+ sslSocketFactories.put(url, ssf);
+ return ssf;
+ }
+
+ public static void removeSSLSocketFactory(String url) {
+ Logger.info("Remove SSLSocketFactory for URL " + url);
+ if (sslSocketFactories.containsKey(url))
+ sslSocketFactories.remove(url);
+
+ }
+
+ /**
+ * Initializes an <code>IAIKX509TrustManager</code> for a given trust store,
+ * using configuration data.
+ *
+ * @param conf MOA-ID configuration provider
+ * @param trustStoreURL trust store URL
+ * @param acceptedServerCertURL file URL pointing to directory containing accepted server SSL certificates
+ * @return <code>TrustManager</code> array containing the <code>IAIKX509TrustManager</code>
+ * @throws ConfigurationException on invalid configuration data
+ * @throws IOException on data-reading problems
+ * @throws PKIException while initializing the <code>IAIKX509TrustManager</code>
+ */
+ private static TrustManager[] getTrustManagers(String certStoreRootDirParam,
+ String chainingMode, String trustStoreURL, String acceptedServerCertURL,
+ boolean checkRevocation)
+ throws SSLConfigurationException, PKIException, IOException, GeneralSecurityException {
+
+ PKIConfiguration cfg = null;
+ if (! PKIFactory.getInstance().isAlreadyConfigured())
+ cfg = new PKIConfigurationImpl(certStoreRootDirParam, chainingMode);
+ PKIProfile profile = new PKIProfileImpl(trustStoreURL, checkRevocation);
+ // This call fixes a bug occuring when PKIConfiguration is
+ // initialized by the MOA-SP initialization code, in case
+ // MOA-SP is called by API
+ MOAIDTrustManager.initializeLoggingContext();
+ IAIKX509TrustManager tm = new MOAIDTrustManager(acceptedServerCertURL);
+ tm.init(cfg, profile);
+ return new TrustManager[] {tm};
+ }
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ValidationConfigurationImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ValidationConfigurationImpl.java
new file mode 100644
index 000000000..275aed4c4
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ValidationConfigurationImpl.java
@@ -0,0 +1,97 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.commons.utils.ssl;
+
+import iaik.pki.pathvalidation.ValidationConfiguration;
+
+import java.security.cert.X509Certificate;
+import java.security.spec.AlgorithmParameterSpec;
+
+
+/**
+ * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code>
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class ValidationConfigurationImpl extends ObservableImpl
+ implements ValidationConfiguration {
+ /** The ConfigurationProvider for the validation*/
+ private String chainingMode;
+
+ /**
+ * Constructor
+ * @param conf with the configuration
+ */
+ public ValidationConfigurationImpl(String chainingMode) {
+ this.chainingMode = chainingMode;
+ }
+
+ /**
+ * @see iaik.pki.pathvalidation.ValidationConfiguration#getChainingMode(java.security.cert.X509Certificate)
+ */
+ public String getChainingMode(X509Certificate trustAnchor) {
+
+ //INFO: MOA-ID 2.x always use defaultChainingMode
+
+ return chainingMode;
+ }
+
+ /**
+ * @see iaik.pki.pathvalidation.ValidationConfiguration#getPublicKeyParamsAsSpec(java.security.cert.X509Certificate)
+ */
+ public AlgorithmParameterSpec getPublicKeyParamsAsSpec(X509Certificate arg0) {
+ return null;
+ }
+
+ /**
+ * @see iaik.pki.pathvalidation.ValidationConfiguration#getPublicKeyParamsAsCert(java.security.cert.X509Certificate)
+ */
+ public X509Certificate getPublicKeyParamsAsCert(X509Certificate arg0) {
+ return null;
+ }
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/TargetValidator.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/TargetValidator.java
new file mode 100644
index 000000000..2ad50568a
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/TargetValidator.java
@@ -0,0 +1,104 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.commons.validation;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import at.gv.egovernment.moa.util.MiscUtil;
+
+
+public class TargetValidator {
+
+ private static Map<String, String> targetList = null;
+
+ static {
+ targetList = new HashMap<String, String>();
+ targetList.put("AR", "Arbeit");
+ targetList.put("AS", "Amtliche Statistik");
+ targetList.put("BF", "Bildung und Forschung");
+ targetList.put("BW", "Bauen und Wohnen");
+ targetList.put("EA", "EU und Auswärtige Angelegenheiten");
+ targetList.put("EF", "Ein- und Ausfuhr");
+ targetList.put("GH", "Gesundheit");
+ targetList.put("GS", "Gesellschaft und Soziales");
+// targetList.put("GS-RE", "Restitution");
+ targetList.put("JR", "Justiz/Zivilrechtswesen");
+ targetList.put("KL", "Kultus");
+ targetList.put("KU", "Kunst und Kultur");
+ targetList.put("LF", "Land- und Forstwirtschaft");
+ targetList.put("LV", "Landesverteidigung");
+ targetList.put("RT", "Rundfunk und sonstige Medien sowie Telekommunikation");
+ targetList.put("SA", "Steuern und Abgaben");
+ targetList.put("SA", "Sport und Freizeit");
+ targetList.put("SO", "Sicherheit und Ordnung");
+// targetList.put("SO-VR", "Vereinsregister");
+// targetList.put("SR-RG", "Strafregister");
+ targetList.put("SV", "Sozialversicherung");
+ targetList.put("UW", "Umwelt");
+ targetList.put("VT", "Verkehr und Technik");
+ targetList.put("VV", "Vermögensverwaltung");
+ targetList.put("WT", "Wirtschaft");
+ targetList.put("ZP", "Personenidentität und Bürgerrechte(zur Person)");
+ targetList.put("BR", "Bereichsübergreifender Rechtsschutz");
+ targetList.put("HR", "Zentrales Rechnungswesen");
+ targetList.put("KI", "Auftraggeberinterne allgemeine Kanzleiindizes");
+ targetList.put("OI", "Öffentlichkeitsarbeit");
+ targetList.put("PV", "Personalverwaltung");
+ targetList.put("RD", "Zentraler Rechtsdienst");
+ targetList.put("VS", "Zentrale Durchführung von Verwaltungsstrafverfahren");
+// targetList.put("VS-RG", "Zentrales Verwaltungsstrafregister");
+ targetList.put("ZU", "Zustellungen");
+ }
+
+ public static List<String> getListOfTargets() {
+ Map<String, String> list = new HashMap<String, String>();
+ list.put("", "");
+ list.putAll(targetList);
+
+ List<String> sortedList = new ArrayList<String>();
+ sortedList.addAll(list.keySet());
+ Collections.sort(sortedList);
+
+ return sortedList;
+
+ }
+
+ public static String getTargetFriendlyName(String target) {
+ String name = targetList.get(target);
+
+ if (MiscUtil.isNotEmpty(name))
+ return name;
+ else
+ return null;
+ }
+
+ public static boolean isValidTarget(String target) {
+ return targetList.containsKey(target);
+ }
+
+
+}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java
new file mode 100644
index 000000000..be6d7d01e
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java
@@ -0,0 +1,387 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.commons.validation;
+
+import iaik.asn1.ObjectID;
+import iaik.utils.Util;
+import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.UnknownHostException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+import org.apache.log4j.Logger;
+
+
+public class ValidationHelper {
+
+ public static final String PUBLICSERVICE_URL_POSTFIX = ".gv.at";
+
+ private static final Logger log = Logger.getLogger(ValidationHelper.class);
+ private static final String TEMPLATE_DATEFORMAT = "dd.MM.yyyy";
+
+
+
+ public static boolean isPublicServiceAllowed(String identifier) {
+
+ SSLSocket socket = null;
+
+ try {
+ URL url = new URL(identifier);
+ String host = url.getHost();
+
+ if (host.endsWith("/"))
+ host = host.substring(0, host.length()-1);
+
+ if (url.getHost().endsWith(PUBLICSERVICE_URL_POSTFIX)) {
+ log.debug("PublicURLPrefix with .gv.at Domain found.");
+ return true;
+
+ } else {
+ SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
+ socket = (SSLSocket) factory.createSocket(url.getHost(), url.getPort());
+ socket.startHandshake();
+
+ SSLSession session = socket.getSession();
+ Certificate[] servercerts = session.getPeerCertificates();
+ X509Certificate[] iaikChain = new X509Certificate[servercerts.length];
+ for (int i=0; i<servercerts.length; i++) {
+ iaikChain[i] = new X509Certificate(servercerts[i].getEncoded());
+ }
+
+
+ X509Certificate cert = Util.arrangeCertificateChain(iaikChain, false)[0];
+
+ if (cert != null) {
+ ObjectID vwOID = new ObjectID("1.2.40.0.10.1.1.1"); // Verwaltungseigenschaft
+ ObjectID dOID = new ObjectID("1.2.40.0.10.1.1.2"); // Dienstleistereigenschaft
+
+
+ if ((cert.getExtension(vwOID) == null) && (cert.getExtension(dOID) == null)) {
+ return false;
+
+ } else {
+ log.info("Found correct X509 Extension in server certificate. PublicService is allowed");
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ } catch (MalformedURLException e) {
+ log.warn("PublicURLPrefix can not parsed to URL", e);
+ return false;
+
+ } catch (UnknownHostException e) {
+ log.warn("Can not connect to PublicURLPrefix Server", e);
+ return false;
+
+ } catch (IOException e) {
+ log.warn("Can not connect to PublicURLPrefix Server", e);
+ return false;
+
+ } catch (CertificateEncodingException e) {
+ log.warn("Can not parse X509 server certificate", e);
+ return false;
+
+ } catch (CertificateException e) {
+ log.warn("Can not read X509 server certificate", e);
+ return false;
+
+ } catch (X509ExtensionInitException e) {
+ log.warn("Can not read X509 server certificate extension", e);
+ return false;
+ }
+
+ finally {
+ if (socket != null)
+ try {
+ socket.close();
+ } catch (IOException e) {
+ log.warn("SSL Socket can not be closed.", e);
+ }
+ }
+ }
+
+ public static boolean validateOAID(String oaIDObj) {
+ if (oaIDObj != null) {
+ try {
+
+ long oaID = Long.valueOf(oaIDObj);
+
+ if (oaID > 0 && oaID < Long.MAX_VALUE)
+ return true;
+
+ } catch (Throwable t) {
+ log.warn("No valid DataBase OAID received! " + oaIDObj);
+ }
+ }
+ return false;
+ }
+
+ public static boolean validateNumber(String value) {
+
+ log.debug("Validate Number " + value);
+
+ try {
+ Float.valueOf(value);
+
+ return true;
+
+ } catch (NumberFormatException e) {
+ return false;
+ }
+
+
+ }
+
+ public static boolean validatePhoneNumber(String value) {
+ log.debug ("Validate PhoneNumber " + value);
+
+ /* ************************************************************************************************
+ * Legende:
+ * ======== AA = post/pre-Text
+ * BB = (+49)
+ * CC = Vorwahl
+ * DD = Durchwahl
+ * EE = Nebenstelle
+ * Pattern p = Pattern.compile("^ [a-zA-Z .,;:/\\-]* [ ]* [(]{0,1}[ ]*[+]{0,1}[ ]*[0-9]{0,2}[ ]*[)]{0,1} [ ]* [0-9]*[ ]* [0-9][ ]* [0-9]* [ ]* [a-zA-Z .,;:\\/-]* $");
+ * ------- AA ------- --------------------- BB --------------------- --------- CC -------- - DD - - EE - ------- AA -------
+ * ************************************************************************************************ */
+ Pattern pattern = Pattern.compile("^[a-zA-Z .,;:/\\-]*[ ]*[(]{0,1}[ ]*[+]{0,1}[ ]*[0-9]{0,2}[ ]*[)]{0,1}[ ]*[0-9]*[ ]*[0-9]*[ ]*[0-9]*[ ]*[a-zA-Z .,;:\\/-]*$");
+ Matcher matcher = pattern.matcher(value);
+ boolean b = matcher.matches();
+ if (b) {
+ log.debug("Parameter PhoneNumber erfolgreich ueberprueft");
+ return true;
+ }
+ else {
+ log.error("Fehler Ueberpruefung Parameter PhoneNumber. PhoneNumber entspricht nicht den Kriterien ^ [a-zA-Z .,;:/\\-]* [ ]* [(]{0,1}[ ]*[+]{0,1}[ ]*[0-9]{0,2}[ ]*[)]{0,1} [ ]* [0-9]*[ ]*[/\\-]{0,1} [ ]*[ ]* [0-9]* [ ]* [a-zA-Z .,;:\\/-]* $");
+ return false;
+ }
+
+
+ }
+
+ public static boolean validateURL(String urlString) {
+
+ log.debug("Validate URL " + urlString);
+
+ if (urlString.startsWith("http") || urlString.startsWith("https")) {
+ try {
+ new URL(urlString);
+ return true;
+
+ } catch (MalformedURLException e) {
+ }
+ }
+
+ return false;
+ }
+
+// public static boolean validateGeneralURL(String urlString) {
+//
+// log.debug("Validate URL " + urlString);
+//
+// try {
+// new URL(urlString);
+// return true;
+//
+// } catch (MalformedURLException e) {
+//
+// }
+//
+// return false;
+// }
+
+ public static boolean isValidAdminTarget(String target) {
+
+ log.debug("Ueberpruefe Parameter Target");
+
+ Pattern pattern = Pattern.compile("[a-zA-Z-]{1,5}");
+ Matcher matcher = pattern.matcher(target);
+ boolean b = matcher.matches();
+ if (b) {
+ log.debug("Parameter SSO-Target erfolgreich ueberprueft. SSO Target is PublicService.");
+ return true;
+ }
+ else {
+ log.info("Parameter SSO-Target entspricht nicht den Kriterien " +
+ "(nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang) fuer den oeffentlichen Bereich. " +
+ "Valiere SSO-Target fuer privatwirtschaftliche Bereiche.");
+ return false;
+ }
+ }
+
+ public static boolean isValidTarget(String target) {
+
+ log.debug("Ueberpruefe Parameter Target");
+
+ if (TargetValidator.isValidTarget(target)) {
+ log.debug("Parameter Target erfolgreich ueberprueft");
+ return true;
+ }
+ else {
+ log.error("Fehler Ueberpruefung Parameter Target. Target entspricht nicht den Kriterien (nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang)");
+ return false;
+ }
+
+ }
+
+ public static boolean isValidSourceID(String sourceID) {
+
+ log.debug("Ueberpruefe Parameter sourceID");
+
+ Pattern pattern = Pattern.compile("[\\w-_]{1,20}");
+ Matcher matcher = pattern.matcher(sourceID);
+ boolean b = matcher.matches();
+ if (b) {
+ log.debug("Parameter sourceID erfolgreich ueberprueft");
+ return true;
+ }
+ else {
+ log.error("Fehler Ueberpruefung Parameter sourceID. SourceID entspricht nicht den Kriterien (nur Zeichen a-z, A-Z, - und _, sowie 1-20 Zeichen lang)");
+ return false;
+ }
+ }
+
+ public static boolean isDateFormat(String dateString) {
+ if (dateString.length() > TEMPLATE_DATEFORMAT.length())
+ return false;
+
+ SimpleDateFormat sdf = new SimpleDateFormat(TEMPLATE_DATEFORMAT);
+ try {
+ sdf.parse(dateString);
+ return true;
+
+ } catch (ParseException e) {
+ return false;
+ }
+ }
+
+ public static boolean isEmailAddressFormat(String address) {
+ if (address == null) {
+ return false;
+ }
+ return Pattern.compile("^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,6}$").matcher(address).matches();
+ }
+
+ public static boolean isValidOAIdentifier(String param) {
+ if (param == null) {
+ return false;
+ }
+ return param.indexOf(";") != -1 ||
+ param.indexOf("%") != -1 ||
+ param.indexOf("\"") != -1 ||
+ param.indexOf("'") != -1 ||
+ param.indexOf("?") != -1 ||
+ param.indexOf("`") != -1 ||
+ param.indexOf(",") != -1 ||
+ param.indexOf("<") != -1 ||
+ param.indexOf(">") != -1 ||
+ param.indexOf("\\") != -1;
+
+ }
+
+ public static String getNotValidOAIdentifierCharacters() {
+
+ return "; % \" ' ` , < > \\";
+ }
+
+ public static boolean containsPotentialCSSCharacter(String param, boolean commaallowed) {
+
+ if (param == null) {
+ return false;
+ }
+ return param.indexOf(";") != -1 ||
+ param.indexOf("%") != -1 ||
+ param.indexOf("\"") != -1 ||
+ param.indexOf("'") != -1 ||
+ param.indexOf("?") != -1 ||
+ param.indexOf("`") != -1 ||
+ ( param.indexOf(",") != -1 && !commaallowed ) ||
+ param.indexOf("<") != -1 ||
+ param.indexOf(">") != -1 ||
+ param.indexOf("\\") != -1 ||
+ param.indexOf("/") != -1;
+ }
+
+ public static String getPotentialCSSCharacter(boolean commaallowed) {
+
+ if (commaallowed)
+ return "; % \" ' ` < > \\ /";
+ else
+ return "; % \" ' ` , < > \\ /";
+ }
+
+ public static boolean isNotValidIdentityLinkSigner(String param) {
+ if (param == null) {
+ return false;
+ }
+ return param.indexOf(";") != -1 ||
+ param.indexOf("%") != -1 ||
+ param.indexOf("\"") != -1 ||
+ param.indexOf("'") != -1 ||
+ param.indexOf("?") != -1 ||
+ param.indexOf("`") != -1 ||
+ param.indexOf("<") != -1 ||
+ param.indexOf(">") != -1;
+
+ }
+
+ public static String getNotValidIdentityLinkSignerCharacters() {
+
+ return "; % \" ' ` < >";
+ }
+
+ public static boolean isValidHexValue(String param) {
+
+ try {
+ if (param.startsWith("#") && param.length() <= 7) {
+ Long.decode(param);
+ return true;
+ }
+
+ } catch (Exception e) {
+
+ }
+ return false;
+
+ }
+
+}