diff options
Diffstat (limited to 'id/server/moa-id-commons')
21 files changed, 2318 insertions, 9 deletions
diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml index 6c2e12c65..1831d0e1c 100644 --- a/id/server/moa-id-commons/pom.xml +++ b/id/server/moa-id-commons/pom.xml @@ -4,11 +4,12 @@ <parent> <groupId>MOA.id</groupId> <artifactId>moa-id</artifactId> - <version>2.0.1</version> + <version>2.0.x</version> </parent> <artifactId>moa-id-commons</artifactId> <name>moa-id-commons</name> <groupId>MOA.id.server</groupId> + <version>${moa-id-version}</version> <profiles> <profile> @@ -64,11 +65,20 @@ <version>3.3.1</version> </dependency> <dependency> + <groupId>commons-httpclient</groupId> + <artifactId>commons-httpclient</artifactId> + </dependency> + <dependency> <groupId>MOA</groupId> <artifactId>moa-common</artifactId> <type>jar</type> </dependency> + <dependency> + <groupId>iaik.prod</groupId> + <artifactId>iaik_X509TrustManager</artifactId> + </dependency> + <!-- dependency> <groupId>com.sun.xml.bind</groupId> <artifactId>jaxb-xjc</artifactId> @@ -127,6 +137,7 @@ </resources> <plugins> + <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> @@ -227,9 +238,9 @@ </execution> </executions> </plugin> - </plugins> - <pluginManagement> - <plugins> + </plugins> + <pluginManagement> + <plugins> <!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself.--> <plugin> <groupId>org.eclipse.m2e</groupId> @@ -261,6 +272,24 @@ </lifecycleMappingMetadata> </configuration> </plugin> + <plugin> + <groupId>org.codehaus.mojo</groupId> + <artifactId>properties-maven-plugin</artifactId> + <version>1.0-alpha-2</version> + <executions> + <execution> + <phase>initialize</phase> + <goals> + <goal>read-project-properties</goal> + </goals> + <configuration> + <files> + <file>${basedir}/moa-id.properties</file> + </files> + </configuration> + </execution> + </executions> + </plugin> </plugins> </pluginManagement> </build> diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java index 730a328ab..2a65366b8 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java @@ -53,7 +53,13 @@ import org.hibernate.annotations.DynamicUpdate; @NamedQuery(name="getSessionWithID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.sessionid = :sessionid"), @NamedQuery(name="getSessionWithSSOID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.SSOsessionid = :sessionid"), @NamedQuery(name="getSessionWithPendingRequestID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.pendingRequestID = :sessionid"), - @NamedQuery(name="getMOAISessionsWithTimeOut", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.created < :timeoutcreate or authenticatedsessionstore.updated < :timeoutupdate") + @NamedQuery(name="getMOAISessionsWithTimeOut", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.created < :timeoutcreate or authenticatedsessionstore.updated < :timeoutupdate"), + @NamedQuery(name="getMOAISessionWithUserNameID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.activeOAsessions activeOAsessions where activeOAsessions.userNameID = :usernameid and activeOAsessions.attributeQueryUsed is false"), + @NamedQuery(name="getActiveOAWithSessionIDandOAIDandProtocol", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.activeOAsessions activeOAsessions where activeOAsessions.oaurlprefix = :oaID and activeOAsessions.protocolType = :protocol and authenticatedsessionstore.sessionid = :sessionID"), + @NamedQuery(name="getMOASessionWithNameIDandOAID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.activeOAsessions activeOAsessions where activeOAsessions.oaurlprefix = :oaID and activeOAsessions.userNameID = :nameID"), + @NamedQuery(name="getInterfederatedIDPForAttributeQueryWithSessionID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.inderfederation inderfederations where inderfederations.attributesRequested is false and authenticatedsessionstore.sessionid = :sessionID"), + @NamedQuery(name="getInterfederatedIDPForSSOWithSessionID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.inderfederation inderfederations where inderfederations.attributesRequested is true and authenticatedsessionstore.sessionid = :sessionID order by inderfederations.QAALevel DESC"), + @NamedQuery(name="getInterfederatedIDPForSSOWithSessionIDIDPID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore join fetch authenticatedsessionstore.inderfederation inderfederations where inderfederations.attributesRequested is true and authenticatedsessionstore.sessionid = :sessionID and inderfederations.idpurlprefix = :idpID") }) public class AuthenticatedSessionStore implements Serializable{ @@ -82,6 +88,9 @@ public class AuthenticatedSessionStore implements Serializable{ @Column(name = "isSSOSession", nullable=false) private boolean isSSOSession = false; + + @Column(name = "isInterfederatedSSOSession", nullable=false) + private boolean isInterfederatedSSOSession = false; @Column(name = "pendingRequestID", nullable=false) private String pendingRequestID = ""; @@ -100,6 +109,9 @@ public class AuthenticatedSessionStore implements Serializable{ @OneToMany(mappedBy="moasession", cascade=CascadeType.ALL) private List<OldSSOSessionIDStore> oldssosessionids = null; + @OneToMany(mappedBy="moasession", cascade=CascadeType.ALL) + private List<InterfederationSessionStore> inderfederation = null; + @PrePersist protected void created() { this.updated = this.created = new Date(); @@ -193,6 +205,20 @@ public class AuthenticatedSessionStore implements Serializable{ public void setOldssosessionids(List<OldSSOSessionIDStore> oldssosessionids) { this.oldssosessionids = oldssosessionids; } + + /** + * @return the inderfederation + */ + public List<InterfederationSessionStore> getInderfederation() { + return inderfederation; + } + + /** + * @param inderfederation the inderfederation to set + */ + public void setInderfederation(List<InterfederationSessionStore> inderfederation) { + this.inderfederation = inderfederation; + } /** * @return the pendingRequestID @@ -221,8 +247,21 @@ public class AuthenticatedSessionStore implements Serializable{ public void setIv(byte[] iv) { this.iv = iv; } + + /** + * @return the isInterfederatedSSOSession + */ + public boolean isInterfederatedSSOSession() { + return isInterfederatedSSOSession; + } + + /** + * @param isInterfederatedSSOSession the isInterfederatedSSOSession to set + */ + public void setInterfederatedSSOSession(boolean isInterfederatedSSOSession) { + this.isInterfederatedSSOSession = isInterfederatedSSOSession; + } - } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java new file mode 100644 index 000000000..1fcdd9b9b --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java @@ -0,0 +1,195 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.commons.db.dao.session; + +import java.io.Serializable; +import java.util.Date; + +import javax.persistence.Column; +import javax.persistence.Entity; +import javax.persistence.FetchType; +import javax.persistence.GeneratedValue; +import javax.persistence.GenerationType; +import javax.persistence.Id; +import javax.persistence.JoinColumn; +import javax.persistence.ManyToOne; +import javax.persistence.Table; + +import org.hibernate.annotations.DynamicUpdate; + +@Entity +@DynamicUpdate(value=true) +@Table(name = "interfederation") + +public class InterfederationSessionStore implements Serializable{ + + private static final long serialVersionUID = 1L; + + @Id + @GeneratedValue(strategy = GenerationType.IDENTITY) + @Column(name = "id", unique=true, nullable=false) + private long id; + + @Column(name = "idpurlprefix", unique=false, nullable=false) + private String idpurlprefix; + + @Column(name = "sessionIndex", unique=false, nullable=false) + private String sessionIndex; + + @Column(name = "nameID", unique=false, nullable=false) + private String userNameID; + + @Column(name = "QAALevel", unique=false, nullable=false) + private String QAALevel; + + @Column(name = "attributesRequested", unique=false, nullable=true) + private boolean attributesRequested; + + @Column(name = "created", updatable=false, nullable=false) +// @Temporal(TemporalType.TIMESTAMP) + private Date created; + +// @PrePersist +// protected void created() { +// this.created = new Date(); +// } + + @ManyToOne(fetch=FetchType.LAZY) + @JoinColumn(name = "moasession") + private AuthenticatedSessionStore moasession; + + /** + * @return the id + */ + public long getId() { + return id; + } + + /** + * @param id the id to set + */ + public void setId(long id) { + this.id = id; + } + + /** + * @return the idpurlprefix + */ + public String getIdpurlprefix() { + return idpurlprefix; + } + + /** + * @param idpurlprefix the idpurlprefix to set + */ + public void setIdpurlprefix(String idpurlprefix) { + this.idpurlprefix = idpurlprefix; + } + + /** + * @return the sessionIndex + */ + public String getSessionIndex() { + return sessionIndex; + } + + /** + * @param sessionIndex the sessionIndex to set + */ + public void setSessionIndex(String sessionIndex) { + this.sessionIndex = sessionIndex; + } + + /** + * @return the userNameID + */ + public String getUserNameID() { + return userNameID; + } + + /** + * @param userNameID the userNameID to set + */ + public void setUserNameID(String userNameID) { + this.userNameID = userNameID; + } + + /** + * @return the attributesRequested + */ + public boolean isAttributesRequested() { + return attributesRequested; + } + + /** + * @param attributesRequested the attributesRequested to set + */ + public void setAttributesRequested(boolean attributesRequested) { + this.attributesRequested = attributesRequested; + } + + /** + * @return the created + */ + public Date getCreated() { + return created; + } + + /** + * @param created the created to set + */ + public void setCreated(Date created) { + this.created = created; + } + + /** + * @return the moasession + */ + public AuthenticatedSessionStore getMoasession() { + return moasession; + } + + /** + * @param moasession the moasession to set + */ + public void setMoasession(AuthenticatedSessionStore moasession) { + this.moasession = moasession; + } + + /** + * @return the qAALevel + */ + public String getQAALevel() { + return QAALevel; + } + + /** + * @param qAALevel the qAALevel to set + */ + public void setQAALevel(String qAALevel) { + QAALevel = qAALevel; + } + + +} + diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java index 25b48310e..539de990f 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java @@ -59,9 +59,15 @@ public class OASessionStore implements Serializable{ @Column(name = "userNameID", unique=false, nullable=true) private String userNameID; + @Column(name = "userNameIDFormat", unique=false, nullable=true) + private String userNameIDFormat; + @Column(name = "protocolType", unique=false, nullable=true) private String protocolType; + @Column(name = "attributequeryused", unique=false, nullable=false) + private boolean attributeQueryUsed = false; + @Column(name = "created", updatable=false, nullable=false) // @Temporal(TemporalType.TIMESTAMP) private Date created; @@ -149,6 +155,36 @@ public class OASessionStore implements Serializable{ this.protocolType = protocolType; } + /** + * @return the attributeQueryUsed + */ + public boolean isAttributeQueryUsed() { + return attributeQueryUsed; + } + + /** + * @param attributeQueryUsed the attributeQueryUsed to set + */ + public void setAttributeQueryUsed(boolean attributeQueryUsed) { + this.attributeQueryUsed = attributeQueryUsed; + } + + /** + * @return the userNameIDFormat + */ + public String getUserNameIDFormat() { + return userNameIDFormat; + } + + /** + * @param userNameIDFormat the userNameIDFormat to set + */ + public void setUserNameIDFormat(String userNameIDFormat) { + this.userNameIDFormat = userNameIDFormat; + } + + + } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/statistic/StatisticLog.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/statistic/StatisticLog.java index 65c9003e3..b557d2dc9 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/statistic/StatisticLog.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/statistic/StatisticLog.java @@ -78,6 +78,9 @@ public class StatisticLog implements Serializable{ @Column(name = "isSSOLogin", unique=false) private boolean ssosession; + @Column(name = "isInterfederatedSSOLogin", unique=false) + private boolean interfederatedSSOSession; + @Column(name = "isBusinessService", unique=false) private boolean businessservice; @@ -390,6 +393,21 @@ public class StatisticLog implements Serializable{ public void setErrortype(String errortype) { this.errortype = errortype; } + + /** + * @return the interfederatedSSOSession + */ + public boolean isInterfederatedSSOSession() { + return interfederatedSSOSession; + } + + /** + * @param interfederatedSSOSession the interfederatedSSOSession to set + */ + public void setInterfederatedSSOSession(boolean interfederatedSSOSession) { + this.interfederatedSSOSession = interfederatedSSOSession; + } + diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java new file mode 100644 index 000000000..c6d8b1d79 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java @@ -0,0 +1,42 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.ex; + +/** + * @author tlenz + * + */ +public class MOAHttpProtocolSocketFactoryException extends Exception { + + private static final long serialVersionUID = 4934502074731319897L; + + + public MOAHttpProtocolSocketFactoryException(String message) { + super(message); + } + + public MOAHttpProtocolSocketFactoryException(String message, Throwable e) { + super(message, e ); + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java new file mode 100644 index 000000000..3b6fc34ea --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java @@ -0,0 +1,129 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.utils; + +import iaik.pki.PKIException; + +import java.io.IOException; +import java.net.InetAddress; +import java.net.Socket; +import java.net.UnknownHostException; +import java.security.GeneralSecurityException; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocketFactory; + +import org.apache.commons.httpclient.ConnectTimeoutException; +import org.apache.commons.httpclient.params.HttpConnectionParams; +import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; + +import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException; +import at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils; + +/** + * @author tlenz + * + */ +public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory { + + + + private SSLSocketFactory sslfactory = null; + + public MOAHttpProtocolSocketFactory ( + String url, + String certStoreRootDirParam, + String trustStoreURL, + String acceptedServerCertURL, + ChainingModeType chainingMode, + boolean checkRevocation + ) throws MOAHttpProtocolSocketFactoryException { + super(); + + try { + this.sslfactory = SSLUtils.getSSLSocketFactory( + url, + certStoreRootDirParam, + trustStoreURL, + acceptedServerCertURL, + chainingMode.value(), + checkRevocation, + null, + null, + null); + + } catch (IOException e) { + throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e); + + } catch (GeneralSecurityException e) { + throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e); + + } catch (SSLConfigurationException e) { + throw new MOAHttpProtocolSocketFactoryException("SSL Configuration loading FAILED.", e); + + } catch (PKIException e) { + throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e); + + } + + } + + /* (non-Javadoc) + * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int) + */ + public Socket createSocket(String host, int port, InetAddress localAddress, + int localPort) throws IOException, UnknownHostException { + return this.sslfactory.createSocket(host, port, + localAddress, localPort); + } + + /* (non-Javadoc) + * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int, org.apache.commons.httpclient.params.HttpConnectionParams) + */ + public Socket createSocket(String host, int port, InetAddress localAddress, + int localPort, HttpConnectionParams params) throws IOException, + UnknownHostException, ConnectTimeoutException { + return this.sslfactory.createSocket(host, port, + localAddress, localPort); + } + + /* (non-Javadoc) + * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int) + */ + public Socket createSocket(String host, int port) throws IOException, + UnknownHostException { + return this.sslfactory.createSocket(host, port); + } + + /* (non-Javadoc) + * @see org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory#createSocket(java.net.Socket, java.lang.String, int, boolean) + */ + public Socket createSocket(Socket socket, String host, int port, + boolean autoClose) throws IOException, UnknownHostException { + return this.sslfactory.createSocket(socket, host, + port, autoClose); + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/CertStoreConfigurationImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/CertStoreConfigurationImpl.java new file mode 100644 index 000000000..00e750f58 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/CertStoreConfigurationImpl.java @@ -0,0 +1,156 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import at.gv.egovernment.moa.logging.Logger; +import iaik.pki.store.certstore.CertStoreConfiguration; +import iaik.pki.store.certstore.CertStoreParameters; +import iaik.pki.store.certstore.CertStoreTypes; +import iaik.pki.store.certstore.directory.DirectoryCertStoreParameters; + +import java.io.File; + +/** + * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code> + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class CertStoreConfigurationImpl extends ObservableImpl + implements CertStoreConfiguration, DirectoryCertStoreParameters { + /** + * identifies the rootDirectory + */ + private String rootDirectory; + + /** + * Array for storing all CertStoreParameters + */ + private CertStoreParameters[] parameters; + + /** + * Create a new <code>CertStoreConfigurationImpl</code>. + * + * @param conf The MOA configuration from which the configuration data is + * @throws ConfigurationException an any config-error + * being read. + */ + public CertStoreConfigurationImpl(String certStoreRootDirParam) throws SSLConfigurationException { + + if (certStoreRootDirParam == null) + throw new SSLConfigurationException( + "config.08", new Object[]{"CertStoreDirectory"}); + + //rootDirectory = FileUtils.makeAbsoluteURL(certStoreRootDirParam, conf.getRootConfigFileDir()); + rootDirectory = certStoreRootDirParam; + Logger.error("Using file: " + rootDirectory); + if (rootDirectory.startsWith("file:")) rootDirectory = rootDirectory.substring(5); + Logger.error("Using file2: " + rootDirectory); + + File f = new File(rootDirectory); + //Logger.error("Using file: " + certStoreRootDirParam + " param: " + conf.getRootConfigFileDir()); + + if (!f.exists()) { + Logger.error("File does not exists: " + f.getAbsolutePath()); + throw new SSLConfigurationException( + "config.05", new Object[]{"CertStoreDirectory"}); + } + + if (!f.isDirectory()) { + Logger.error("File is not a directory: " + f.getAbsolutePath()); + throw new SSLConfigurationException( + "config.05", new Object[]{"CertStoreDirectory"}); + } + + + parameters = new CertStoreParameters[]{this}; + } + + /** + * @see iaik.pki.store.certstore.CertStoreConfiguration#getParameters() + */ + public CertStoreParameters[] getParameters() { + return parameters; + } + + /** + * @see iaik.pki.store.certstore.directory.DirectoryCertStoreParameters#getRootDirectory() + */ + public String getRootDirectory() { + return rootDirectory; + } + + /** + * @see iaik.pki.store.certstore.directory.DirectoryCertStoreParameters#createNew() + */ + public boolean createNew() { + return false; + } + + /** + * @see iaik.pki.store.certstore.CertStoreParameters#getId() + */ + public String getId() { + return "MOA ID Directory CertStore"; + } + + /** + * @see iaik.pki.store.certstore.CertStoreParameters#isReadOnly() + */ + public boolean isReadOnly() { + return false; + } + + /** + * @return <code>CertStoreTypes.DIRECTORY</code> + * @see iaik.pki.store.certstore.CertStoreParameters#getType() + */ + public String getType() { + return CertStoreTypes.DIRECTORY; + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java new file mode 100644 index 000000000..eaef3f1d4 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java @@ -0,0 +1,164 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.net.URL; +import java.security.GeneralSecurityException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; + +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.logging.LoggingContext; +import at.gv.egovernment.moa.logging.LoggingContextManager; + +import iaik.pki.jsse.IAIKX509TrustManager; + +/** + * <code>TrustManager</code> implementation featuring CRL checking (inherited from + * <code>IAIKX509TrustManager</code>), plus server-end-SSL-certificate checking. + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class MOAIDTrustManager extends IAIKX509TrustManager { + + /** an x509Certificate array containing all accepted server certificates*/ + private X509Certificate[] acceptedServerCertificates; + + /** + * Constructor + * @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store + * @throws GeneralSecurityException occurs on security errors + * @throws IOException occurs on IO errors + */ + public MOAIDTrustManager(String acceptedServerCertificateStoreURL) + throws IOException, GeneralSecurityException { + + if (acceptedServerCertificateStoreURL != null) + buildAcceptedServerCertificates(acceptedServerCertificateStoreURL); + else + acceptedServerCertificates = null; + } + + + /** + * Initializes the LoggingContextManager logging context. + * Fixes a bug occuring in the case MOA-SP is called by API. + * In this case, IAIKX509TrustManager uses the LogginConfig of MOA-SP. + * This method must be called before a MOAIDTrustManager is constructed, + * from every thread. + */ + public static void initializeLoggingContext() { + if (LoggingContextManager.getInstance().getLoggingContext() == null) + LoggingContextManager.getInstance().setLoggingContext( + new LoggingContext(Thread.currentThread().getName())); + } + + + /** + * Builds an Array of accepted server certificates from an URL, + * and stores it in <code>acceptedServerCertificates</code>. + * @param acceptedServerCertificateStoreURL file URL pointing to the directory + * containing accepted server X509 certificates + * @throws GeneralSecurityException on security errors + * @throws IOException on any IO errors + */ + private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL) + throws IOException, GeneralSecurityException { + + List<X509Certificate> certList = new ArrayList<X509Certificate>(); + URL storeURL = new URL(acceptedServerCertificateStoreURL); + File storeDir = new File(storeURL.getFile()); + // list certificate files in directory + File[] certFiles = storeDir.listFiles(); + for (int i = 0; i < certFiles.length; i++) { + // for each: create an X509Certificate and store it in list + File certFile = certFiles[i]; + FileInputStream fis = new FileInputStream(certFile.getPath()); + CertificateFactory certFact = CertificateFactory.getInstance("X.509"); + X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis); + fis.close(); + certList.add(cert); + } + // store acceptedServerCertificates + acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]); + } + + /** + * Does additional server-end-SSL-certificate checking. + * @see com.sun.net.ssl.X509TrustManager#isServerTrusted(java.security.cert.X509Certificate[]) + */ + public boolean isServerTrusted(X509Certificate[] certChain) { + boolean trusted = super.isServerTrusted(certChain); + if (! trusted || acceptedServerCertificates == null) + return trusted; + else { + // check server-end-SSL-certificate with acceptedServerCertificates + X509Certificate serverCert = certChain[0]; + for (int i = 0; i < acceptedServerCertificates.length; i++) { + X509Certificate acceptedServerCert = acceptedServerCertificates[i]; + if (serverCert.equals(acceptedServerCert)) + return true; + } + Logger.warn("SSL certificate validation FAILED."); + return false; + } + } + /** + * In rare cases, this method is being called although it should not be. + * @see com.sun.net.ssl.X509TrustManager#isClientTrusted(X509Certificate[]) + */ + public boolean isClientTrusted(java.security.cert.X509Certificate arg0[]) + { + return true; + } +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ObservableImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ObservableImpl.java new file mode 100644 index 000000000..fa9cd879d --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ObservableImpl.java @@ -0,0 +1,92 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import iaik.pki.store.observer.NotificationData; +import iaik.pki.store.observer.Observable; +import iaik.pki.store.observer.Observer; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + + +/** + * Implementation of interface <needed to initialize an IAIK JSSE <code>TrustManager</code> + * @author Paul Ivancsics + * @version $Id$ + */ +public class ObservableImpl implements Observable { + /** a List for all observers */ + private List<Observer> observers = new ArrayList<Observer>(); + + /** + * @see iaik.pki.store.observer.Observable#addObserver(iaik.pki.store.observer.Observer) + */ + public void addObserver(Observer observer) { + observers.add(observer); + } + + /** + * @see iaik.pki.store.observer.Observable#removeObserver(iaik.pki.store.observer.Observer) + */ + public boolean removeObserver(Observer observer) { + return observers.remove(observer); + } + + /** + * @see iaik.pki.store.observer.Observable#notify(iaik.pki.store.observer.NotificationData) + */ + public void notify(NotificationData data) { + Iterator<Observer> iter = observers.iterator(); + for (iter = observers.iterator(); iter.hasNext();) { + Observer observer = (Observer) iter.next(); + observer.notify(data); + } + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIConfigurationImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIConfigurationImpl.java new file mode 100644 index 000000000..5d8c7a54e --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIConfigurationImpl.java @@ -0,0 +1,118 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import iaik.pki.PKIConfiguration; +import iaik.pki.pathvalidation.ValidationConfiguration; +import iaik.pki.revocation.RevocationConfiguration; +import iaik.pki.store.certstore.CertStoreConfiguration; +import iaik.pki.store.revocation.archive.ArchiveConfiguration; + +/** + * Implementation of interface <code>PKIConfiguration</code> needed to + * initialize an IAIK JSSE <code>TrustManager</code> + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class PKIConfigurationImpl implements PKIConfiguration { + /** The configuration for the CertStore */ + private CertStoreConfiguration certStoreConfiguration; + /** The configuration for the RevocationChecks */ + private RevocationConfiguration revocationConfiguration; + /** The configuration for the Validation */ + private ValidationConfiguration validationConfiguration; + + /** + * Constructor + * @param conf the Configuration for the PKIConfig + * @throws ConfigurationException for any config error + */ + public PKIConfigurationImpl(String certStoreRootDirParam, String chainingMode) throws SSLConfigurationException { + + certStoreConfiguration = new CertStoreConfigurationImpl(certStoreRootDirParam); + revocationConfiguration = new RevocationConfigurationImpl(); + validationConfiguration = new ValidationConfigurationImpl(chainingMode); + } + + /** + * @see iaik.pki.PKIConfiguration#getCertStoreConfiguration() + */ + public CertStoreConfiguration getCertStoreConfiguration() { + return certStoreConfiguration; + } + + /** + * @see iaik.pki.PKIConfiguration#getRevocationConfiguration() + */ + public RevocationConfiguration getRevocationConfiguration() { + return revocationConfiguration; + } + + /** + * @see iaik.pki.PKIConfiguration#getArchiveConfiguration() + */ + public ArchiveConfiguration getArchiveConfiguration() { + return null; + } + + /** + * @see iaik.pki.PKIConfiguration#getValidationConfiguration() + */ + public ValidationConfiguration getValidationConfiguration() { + return validationConfiguration; + } + +/* (non-Javadoc) + * @see iaik.pki.PKIConfiguration#getTimeout() + */ + public int getTimeout() { + // TODO Auto-generated method stub + return 0; +} + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java new file mode 100644 index 000000000..59994a257 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java @@ -0,0 +1,230 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Set; + +import iaik.pki.PKIProfile; +import iaik.pki.pathvalidation.ValidationProfile; +import iaik.pki.revocation.RevocationProfile; +import iaik.pki.revocation.RevocationSourceTypes; +import iaik.pki.store.truststore.TrustStoreProfile; +import iaik.pki.store.truststore.TrustStoreTypes; + +/** + * Implementation of the <code>PKIProfile</code> interface and subinterfaces + * providing information needed for certificate path validation. + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class PKIProfileImpl extends ObservableImpl + implements PKIProfile, RevocationProfile, TrustStoreProfile, ValidationProfile { + + /** + * URI to the truststore + */ + private String trustStoreURI; + + /** + * revocation checking; + */ + private boolean revocationChecking; + + /** + * The trust profile identifier. + */ + private String id; + + + /** + * Create a new <code>PKIProfileImpl</code>. + * + * @param trustStoreURI trust store URI + */ + public PKIProfileImpl(String trustStoreURI, boolean revocationChecking) { + this.trustStoreURI = trustStoreURI; + this.revocationChecking = revocationChecking; + String id = String.valueOf(System.currentTimeMillis()); + setId("id-" + id); + } + + /** + * @see iaik.pki.PKIProfile#autoAddCertificates() + */ + public boolean autoAddCertificates() { + return true; + } + + /** + * @see iaik.pki.PKIProfile#getRevocationProfile() + */ + public RevocationProfile getRevocationProfile() { + return this; + } + + /** + * @see iaik.pki.PKIProfile#getTrustStoreProfile() + */ + public TrustStoreProfile getTrustStoreProfile() { + return this; + } + + /** + * @see iaik.pki.PKIProfile#getValidationProfile() + */ + public ValidationProfile getValidationProfile() { + return this; + } + + /** + * @see iaik.pki.PKIProfile#useAuthorityInfoAccess() + */ + public boolean useAuthorityInfoAccess() { + return true; + } + + /** + * @see iaik.pki.revocation.RevocationProfile#getMaxRevocationAge(java.lang.String) + */ + public long getMaxRevocationAge(String arg0) { + return 0; + } + + /** + * @see iaik.pki.revocation.RevocationProfile#getOCSPRequestHashAlgorithm() + */ + public String getOCSPRequestHashAlgorithm() { + return null; + } + + /** + * @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate) + */ + public String[] getPreferredServiceOrder(X509Certificate arg0) { + return new String[] {RevocationSourceTypes.CRL}; + } + + /** + * @see iaik.pki.store.truststore.TrustStoreProfile#getType() + */ + public String getType() { + return TrustStoreTypes.DIRECTORY; + } + + /** + * @see iaik.pki.store.truststore.TrustStoreProfile#getURI() + */ + public String getURI() { + return trustStoreURI; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialAnyPolicyInhibit() + */ + public boolean getInitialAnyPolicyInhibit() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialExplicitPolicy() + */ + public boolean getInitialExplicitPolicy() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicyMappingInhibit() + */ + public boolean getInitialPolicyMappingInhibit() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicySet() + */ + public Set getInitialPolicySet() { + return Collections.EMPTY_SET; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getNameConstraintsProcessing() + */ + public boolean getNameConstraintsProcessing() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getPolicyProcessing() + */ + public boolean getPolicyProcessing() { + return false; + } + + /** + * @see iaik.pki.pathvalidation.ValidationProfile#getRevocationChecking() + */ + public boolean getRevocationChecking() { + return this.revocationChecking; + } + + /** + * @see iaik.pki.store.truststore.TrustStoreProfile#getId() + */ + public String getId() { + return id; + } + /** + * Sets the trust profile identifier. + * @param id The id to set. + */ + public void setId(String id) { + this.id = id; + } +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/RevocationConfigurationImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/RevocationConfigurationImpl.java new file mode 100644 index 000000000..b5e0543db --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/RevocationConfigurationImpl.java @@ -0,0 +1,84 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import iaik.pki.revocation.RevocationConfiguration; + +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Date; +import java.util.Set; + +/** + * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code> + * @author Paul Ivancsics + * @version $Id$ + */ +public class RevocationConfigurationImpl extends ObservableImpl implements RevocationConfiguration { + + /** + * @see iaik.pki.revocation.RevocationConfiguration#getAlternativeDistributionPoints(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date) + */ + public Set getAlternativeDistributionPoints( + X509Certificate arg0, + X509Certificate arg1, + Date arg2) { + return Collections.EMPTY_SET; + } + + /** + * @see iaik.pki.revocation.RevocationConfiguration#archiveRevocationInfo(java.lang.String, java.lang.String) + */ + public boolean archiveRevocationInfo(String arg0, String arg1) { + return false; + } + + public Integer getCrlRetentionInterval(String arg0) { + return null; + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLConfigurationException.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLConfigurationException.java new file mode 100644 index 000000000..b1334ad67 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLConfigurationException.java @@ -0,0 +1,71 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.utils.ssl; + +/** + * @author tlenz + * + */ +public class SSLConfigurationException extends Exception { + + private static final long serialVersionUID = -3705679559648920151L; + + private String errorID = null; + private Object[] parameters = null; + private Throwable e = null; + + public SSLConfigurationException(String errorID, Object[] parameters) { + this.errorID = errorID; + this.parameters = parameters; + } + + public SSLConfigurationException(String errorID, Object[] parameters, Throwable e) { + this.errorID = errorID; + this.parameters = parameters; + this.e = e; + } + + /** + * @return the errorID + */ + public String getErrorID() { + return errorID; + } + + /** + * @return the parameters + */ + public Object[] getParameters() { + return parameters; + } + + /** + * @return the e + */ + public Throwable getE() { + return e; + } + + + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java new file mode 100644 index 000000000..68437a04d --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -0,0 +1,186 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import iaik.pki.PKIConfiguration; +import iaik.pki.PKIException; +import iaik.pki.PKIFactory; +import iaik.pki.PKIProfile; +import iaik.pki.jsse.IAIKX509TrustManager; +import iaik.security.provider.IAIK; + +import java.io.IOException; +import java.security.GeneralSecurityException; +import java.security.Security; +import java.util.HashMap; +import java.util.Map; + +import javax.net.ssl.KeyManager; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; + +import at.gv.egovernment.moa.logging.Logger; + + +/** + * Utility for a obtaining a secure socket factory using <code>IAIKX509TrustManager</code>. + * This <code>TrustManager</code> implementation features CRL checking.<br/> + * <code>SSLUtils</code> caches secure socket factories for given <code>ConnectionParameter</code>s. + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class SSLUtils { + + /** SSLSocketFactory store, mapping URL->SSLSocketFactory **/ + private static Map<String, SSLSocketFactory> sslSocketFactories = new HashMap<String, SSLSocketFactory>(); + + /** + * Initializes the SSLSocketFactory store. + */ + public static void initialize() { + sslSocketFactories = new HashMap<String, SSLSocketFactory>(); + // JSSE Abhängigkeit + //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); + Security.addProvider(new IAIK()); + //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol"); + + + } + + /** + * Creates an <code>SSLSocketFactory</code> which utilizes an + * <code>IAIKX509TrustManager</code> for the given trust store, + * and the given key store. + * + * @param conf configuration provider providing a generic properties pointing + * to trusted CA store and certificate store root + * @param connParam connection parameter containing the client key store settings + * to be used in case of client authentication; + * if <code>connParam.getClientKeyStore() == null</code>, client authentication + * is assumed to be disabled + * @return <code>SSLSocketFactory</code> to be used by an <code>HttpsURLConnection</code> + * @throws IOException thrown while reading key store file + * @throws GeneralSecurityException thrown while creating the socket factory + * @throws ConfigurationException on invalid configuration data + * @throws PKIException while initializing the <code>IAIKX509TrustManager</code> + */ + public static SSLSocketFactory getSSLSocketFactory( + String url, + String certStoreRootDirParam, + String trustStoreURL, + String acceptedServerCertURL, + String chainingMode, + boolean checkRevocation, + String clientKeyStoreURL, + String clientKeyStorePassword, + String clientKeyStoreType + ) + throws IOException, GeneralSecurityException, SSLConfigurationException, PKIException { + + Logger.debug("Get SSLSocketFactory for " + url); + // retrieve SSLSocketFactory if already created + SSLSocketFactory ssf = (SSLSocketFactory)sslSocketFactories.get(url); + if (ssf != null) + return ssf; + + TrustManager[] tms = getTrustManagers( + certStoreRootDirParam, + chainingMode, + trustStoreURL, + acceptedServerCertURL, + checkRevocation); + + KeyManager[] kms = at.gv.egovernment.moa.util.SSLUtils.getKeyManagers( + clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword); + SSLContext ctx = SSLContext.getInstance("TLS"); + ctx.init(kms, tms, null); + ssf = ctx.getSocketFactory(); + // store SSLSocketFactory + sslSocketFactories.put(url, ssf); + return ssf; + } + + public static void removeSSLSocketFactory(String url) { + Logger.info("Remove SSLSocketFactory for URL " + url); + if (sslSocketFactories.containsKey(url)) + sslSocketFactories.remove(url); + + } + + /** + * Initializes an <code>IAIKX509TrustManager</code> for a given trust store, + * using configuration data. + * + * @param conf MOA-ID configuration provider + * @param trustStoreURL trust store URL + * @param acceptedServerCertURL file URL pointing to directory containing accepted server SSL certificates + * @return <code>TrustManager</code> array containing the <code>IAIKX509TrustManager</code> + * @throws ConfigurationException on invalid configuration data + * @throws IOException on data-reading problems + * @throws PKIException while initializing the <code>IAIKX509TrustManager</code> + */ + private static TrustManager[] getTrustManagers(String certStoreRootDirParam, + String chainingMode, String trustStoreURL, String acceptedServerCertURL, + boolean checkRevocation) + throws SSLConfigurationException, PKIException, IOException, GeneralSecurityException { + + PKIConfiguration cfg = null; + if (! PKIFactory.getInstance().isAlreadyConfigured()) + cfg = new PKIConfigurationImpl(certStoreRootDirParam, chainingMode); + PKIProfile profile = new PKIProfileImpl(trustStoreURL, checkRevocation); + // This call fixes a bug occuring when PKIConfiguration is + // initialized by the MOA-SP initialization code, in case + // MOA-SP is called by API + MOAIDTrustManager.initializeLoggingContext(); + IAIKX509TrustManager tm = new MOAIDTrustManager(acceptedServerCertURL); + tm.init(cfg, profile); + return new TrustManager[] {tm}; + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ValidationConfigurationImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ValidationConfigurationImpl.java new file mode 100644 index 000000000..275aed4c4 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/ValidationConfigurationImpl.java @@ -0,0 +1,97 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import iaik.pki.pathvalidation.ValidationConfiguration; + +import java.security.cert.X509Certificate; +import java.security.spec.AlgorithmParameterSpec; + + +/** + * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code> + * @author Paul Ivancsics + * @version $Id$ + */ +public class ValidationConfigurationImpl extends ObservableImpl + implements ValidationConfiguration { + /** The ConfigurationProvider for the validation*/ + private String chainingMode; + + /** + * Constructor + * @param conf with the configuration + */ + public ValidationConfigurationImpl(String chainingMode) { + this.chainingMode = chainingMode; + } + + /** + * @see iaik.pki.pathvalidation.ValidationConfiguration#getChainingMode(java.security.cert.X509Certificate) + */ + public String getChainingMode(X509Certificate trustAnchor) { + + //INFO: MOA-ID 2.x always use defaultChainingMode + + return chainingMode; + } + + /** + * @see iaik.pki.pathvalidation.ValidationConfiguration#getPublicKeyParamsAsSpec(java.security.cert.X509Certificate) + */ + public AlgorithmParameterSpec getPublicKeyParamsAsSpec(X509Certificate arg0) { + return null; + } + + /** + * @see iaik.pki.pathvalidation.ValidationConfiguration#getPublicKeyParamsAsCert(java.security.cert.X509Certificate) + */ + public X509Certificate getPublicKeyParamsAsCert(X509Certificate arg0) { + return null; + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/TargetValidator.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/TargetValidator.java new file mode 100644 index 000000000..2ad50568a --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/TargetValidator.java @@ -0,0 +1,104 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.commons.validation; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import at.gv.egovernment.moa.util.MiscUtil; + + +public class TargetValidator { + + private static Map<String, String> targetList = null; + + static { + targetList = new HashMap<String, String>(); + targetList.put("AR", "Arbeit"); + targetList.put("AS", "Amtliche Statistik"); + targetList.put("BF", "Bildung und Forschung"); + targetList.put("BW", "Bauen und Wohnen"); + targetList.put("EA", "EU und Auswärtige Angelegenheiten"); + targetList.put("EF", "Ein- und Ausfuhr"); + targetList.put("GH", "Gesundheit"); + targetList.put("GS", "Gesellschaft und Soziales"); +// targetList.put("GS-RE", "Restitution"); + targetList.put("JR", "Justiz/Zivilrechtswesen"); + targetList.put("KL", "Kultus"); + targetList.put("KU", "Kunst und Kultur"); + targetList.put("LF", "Land- und Forstwirtschaft"); + targetList.put("LV", "Landesverteidigung"); + targetList.put("RT", "Rundfunk und sonstige Medien sowie Telekommunikation"); + targetList.put("SA", "Steuern und Abgaben"); + targetList.put("SA", "Sport und Freizeit"); + targetList.put("SO", "Sicherheit und Ordnung"); +// targetList.put("SO-VR", "Vereinsregister"); +// targetList.put("SR-RG", "Strafregister"); + targetList.put("SV", "Sozialversicherung"); + targetList.put("UW", "Umwelt"); + targetList.put("VT", "Verkehr und Technik"); + targetList.put("VV", "Vermögensverwaltung"); + targetList.put("WT", "Wirtschaft"); + targetList.put("ZP", "Personenidentität und Bürgerrechte(zur Person)"); + targetList.put("BR", "Bereichsübergreifender Rechtsschutz"); + targetList.put("HR", "Zentrales Rechnungswesen"); + targetList.put("KI", "Auftraggeberinterne allgemeine Kanzleiindizes"); + targetList.put("OI", "Öffentlichkeitsarbeit"); + targetList.put("PV", "Personalverwaltung"); + targetList.put("RD", "Zentraler Rechtsdienst"); + targetList.put("VS", "Zentrale Durchführung von Verwaltungsstrafverfahren"); +// targetList.put("VS-RG", "Zentrales Verwaltungsstrafregister"); + targetList.put("ZU", "Zustellungen"); + } + + public static List<String> getListOfTargets() { + Map<String, String> list = new HashMap<String, String>(); + list.put("", ""); + list.putAll(targetList); + + List<String> sortedList = new ArrayList<String>(); + sortedList.addAll(list.keySet()); + Collections.sort(sortedList); + + return sortedList; + + } + + public static String getTargetFriendlyName(String target) { + String name = targetList.get(target); + + if (MiscUtil.isNotEmpty(name)) + return name; + else + return null; + } + + public static boolean isValidTarget(String target) { + return targetList.containsKey(target); + } + + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java new file mode 100644 index 000000000..be6d7d01e --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java @@ -0,0 +1,387 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.commons.validation; + +import iaik.asn1.ObjectID; +import iaik.utils.Util; +import iaik.x509.X509Certificate; +import iaik.x509.X509ExtensionInitException; + +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; +import java.net.UnknownHostException; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; + +import org.apache.log4j.Logger; + + +public class ValidationHelper { + + public static final String PUBLICSERVICE_URL_POSTFIX = ".gv.at"; + + private static final Logger log = Logger.getLogger(ValidationHelper.class); + private static final String TEMPLATE_DATEFORMAT = "dd.MM.yyyy"; + + + + public static boolean isPublicServiceAllowed(String identifier) { + + SSLSocket socket = null; + + try { + URL url = new URL(identifier); + String host = url.getHost(); + + if (host.endsWith("/")) + host = host.substring(0, host.length()-1); + + if (url.getHost().endsWith(PUBLICSERVICE_URL_POSTFIX)) { + log.debug("PublicURLPrefix with .gv.at Domain found."); + return true; + + } else { + SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory(); + socket = (SSLSocket) factory.createSocket(url.getHost(), url.getPort()); + socket.startHandshake(); + + SSLSession session = socket.getSession(); + Certificate[] servercerts = session.getPeerCertificates(); + X509Certificate[] iaikChain = new X509Certificate[servercerts.length]; + for (int i=0; i<servercerts.length; i++) { + iaikChain[i] = new X509Certificate(servercerts[i].getEncoded()); + } + + + X509Certificate cert = Util.arrangeCertificateChain(iaikChain, false)[0]; + + if (cert != null) { + ObjectID vwOID = new ObjectID("1.2.40.0.10.1.1.1"); // Verwaltungseigenschaft + ObjectID dOID = new ObjectID("1.2.40.0.10.1.1.2"); // Dienstleistereigenschaft + + + if ((cert.getExtension(vwOID) == null) && (cert.getExtension(dOID) == null)) { + return false; + + } else { + log.info("Found correct X509 Extension in server certificate. PublicService is allowed"); + return true; + } + } + + return false; + } + + } catch (MalformedURLException e) { + log.warn("PublicURLPrefix can not parsed to URL", e); + return false; + + } catch (UnknownHostException e) { + log.warn("Can not connect to PublicURLPrefix Server", e); + return false; + + } catch (IOException e) { + log.warn("Can not connect to PublicURLPrefix Server", e); + return false; + + } catch (CertificateEncodingException e) { + log.warn("Can not parse X509 server certificate", e); + return false; + + } catch (CertificateException e) { + log.warn("Can not read X509 server certificate", e); + return false; + + } catch (X509ExtensionInitException e) { + log.warn("Can not read X509 server certificate extension", e); + return false; + } + + finally { + if (socket != null) + try { + socket.close(); + } catch (IOException e) { + log.warn("SSL Socket can not be closed.", e); + } + } + } + + public static boolean validateOAID(String oaIDObj) { + if (oaIDObj != null) { + try { + + long oaID = Long.valueOf(oaIDObj); + + if (oaID > 0 && oaID < Long.MAX_VALUE) + return true; + + } catch (Throwable t) { + log.warn("No valid DataBase OAID received! " + oaIDObj); + } + } + return false; + } + + public static boolean validateNumber(String value) { + + log.debug("Validate Number " + value); + + try { + Float.valueOf(value); + + return true; + + } catch (NumberFormatException e) { + return false; + } + + + } + + public static boolean validatePhoneNumber(String value) { + log.debug ("Validate PhoneNumber " + value); + + /* ************************************************************************************************ + * Legende: + * ======== AA = post/pre-Text + * BB = (+49) + * CC = Vorwahl + * DD = Durchwahl + * EE = Nebenstelle + * Pattern p = Pattern.compile("^ [a-zA-Z .,;:/\\-]* [ ]* [(]{0,1}[ ]*[+]{0,1}[ ]*[0-9]{0,2}[ ]*[)]{0,1} [ ]* [0-9]*[ ]* [0-9][ ]* [0-9]* [ ]* [a-zA-Z .,;:\\/-]* $"); + * ------- AA ------- --------------------- BB --------------------- --------- CC -------- - DD - - EE - ------- AA ------- + * ************************************************************************************************ */ + Pattern pattern = Pattern.compile("^[a-zA-Z .,;:/\\-]*[ ]*[(]{0,1}[ ]*[+]{0,1}[ ]*[0-9]{0,2}[ ]*[)]{0,1}[ ]*[0-9]*[ ]*[0-9]*[ ]*[0-9]*[ ]*[a-zA-Z .,;:\\/-]*$"); + Matcher matcher = pattern.matcher(value); + boolean b = matcher.matches(); + if (b) { + log.debug("Parameter PhoneNumber erfolgreich ueberprueft"); + return true; + } + else { + log.error("Fehler Ueberpruefung Parameter PhoneNumber. PhoneNumber entspricht nicht den Kriterien ^ [a-zA-Z .,;:/\\-]* [ ]* [(]{0,1}[ ]*[+]{0,1}[ ]*[0-9]{0,2}[ ]*[)]{0,1} [ ]* [0-9]*[ ]*[/\\-]{0,1} [ ]*[ ]* [0-9]* [ ]* [a-zA-Z .,;:\\/-]* $"); + return false; + } + + + } + + public static boolean validateURL(String urlString) { + + log.debug("Validate URL " + urlString); + + if (urlString.startsWith("http") || urlString.startsWith("https")) { + try { + new URL(urlString); + return true; + + } catch (MalformedURLException e) { + } + } + + return false; + } + +// public static boolean validateGeneralURL(String urlString) { +// +// log.debug("Validate URL " + urlString); +// +// try { +// new URL(urlString); +// return true; +// +// } catch (MalformedURLException e) { +// +// } +// +// return false; +// } + + public static boolean isValidAdminTarget(String target) { + + log.debug("Ueberpruefe Parameter Target"); + + Pattern pattern = Pattern.compile("[a-zA-Z-]{1,5}"); + Matcher matcher = pattern.matcher(target); + boolean b = matcher.matches(); + if (b) { + log.debug("Parameter SSO-Target erfolgreich ueberprueft. SSO Target is PublicService."); + return true; + } + else { + log.info("Parameter SSO-Target entspricht nicht den Kriterien " + + "(nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang) fuer den oeffentlichen Bereich. " + + "Valiere SSO-Target fuer privatwirtschaftliche Bereiche."); + return false; + } + } + + public static boolean isValidTarget(String target) { + + log.debug("Ueberpruefe Parameter Target"); + + if (TargetValidator.isValidTarget(target)) { + log.debug("Parameter Target erfolgreich ueberprueft"); + return true; + } + else { + log.error("Fehler Ueberpruefung Parameter Target. Target entspricht nicht den Kriterien (nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang)"); + return false; + } + + } + + public static boolean isValidSourceID(String sourceID) { + + log.debug("Ueberpruefe Parameter sourceID"); + + Pattern pattern = Pattern.compile("[\\w-_]{1,20}"); + Matcher matcher = pattern.matcher(sourceID); + boolean b = matcher.matches(); + if (b) { + log.debug("Parameter sourceID erfolgreich ueberprueft"); + return true; + } + else { + log.error("Fehler Ueberpruefung Parameter sourceID. SourceID entspricht nicht den Kriterien (nur Zeichen a-z, A-Z, - und _, sowie 1-20 Zeichen lang)"); + return false; + } + } + + public static boolean isDateFormat(String dateString) { + if (dateString.length() > TEMPLATE_DATEFORMAT.length()) + return false; + + SimpleDateFormat sdf = new SimpleDateFormat(TEMPLATE_DATEFORMAT); + try { + sdf.parse(dateString); + return true; + + } catch (ParseException e) { + return false; + } + } + + public static boolean isEmailAddressFormat(String address) { + if (address == null) { + return false; + } + return Pattern.compile("^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,6}$").matcher(address).matches(); + } + + public static boolean isValidOAIdentifier(String param) { + if (param == null) { + return false; + } + return param.indexOf(";") != -1 || + param.indexOf("%") != -1 || + param.indexOf("\"") != -1 || + param.indexOf("'") != -1 || + param.indexOf("?") != -1 || + param.indexOf("`") != -1 || + param.indexOf(",") != -1 || + param.indexOf("<") != -1 || + param.indexOf(">") != -1 || + param.indexOf("\\") != -1; + + } + + public static String getNotValidOAIdentifierCharacters() { + + return "; % \" ' ` , < > \\"; + } + + public static boolean containsPotentialCSSCharacter(String param, boolean commaallowed) { + + if (param == null) { + return false; + } + return param.indexOf(";") != -1 || + param.indexOf("%") != -1 || + param.indexOf("\"") != -1 || + param.indexOf("'") != -1 || + param.indexOf("?") != -1 || + param.indexOf("`") != -1 || + ( param.indexOf(",") != -1 && !commaallowed ) || + param.indexOf("<") != -1 || + param.indexOf(">") != -1 || + param.indexOf("\\") != -1 || + param.indexOf("/") != -1; + } + + public static String getPotentialCSSCharacter(boolean commaallowed) { + + if (commaallowed) + return "; % \" ' ` < > \\ /"; + else + return "; % \" ' ` , < > \\ /"; + } + + public static boolean isNotValidIdentityLinkSigner(String param) { + if (param == null) { + return false; + } + return param.indexOf(";") != -1 || + param.indexOf("%") != -1 || + param.indexOf("\"") != -1 || + param.indexOf("'") != -1 || + param.indexOf("?") != -1 || + param.indexOf("`") != -1 || + param.indexOf("<") != -1 || + param.indexOf(">") != -1; + + } + + public static String getNotValidIdentityLinkSignerCharacters() { + + return "; % \" ' ` < >"; + } + + public static boolean isValidHexValue(String param) { + + try { + if (param.startsWith("#") && param.length() <= 7) { + Long.decode(param); + return true; + } + + } catch (Exception e) { + + } + return false; + + } + +} diff --git a/id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java b/id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java new file mode 100644 index 000000000..e4aa6a284 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java @@ -0,0 +1,100 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package org.apache.commons.httpclient; + +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; + +import org.apache.commons.httpclient.HostConfiguration; +import org.apache.commons.httpclient.HttpClient; +import org.apache.commons.httpclient.HttpException; +import org.apache.commons.httpclient.HttpMethod; +import org.apache.commons.httpclient.HttpMethodDirector; +import org.apache.commons.httpclient.HttpState; +import org.apache.commons.httpclient.URI; +import org.apache.commons.httpclient.protocol.Protocol; +import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; + +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; + +/** + * @author tlenz + * + *HTTP client which can be used with MOA SSL TrustStore implementation + * + */ +public class MOAHttpClient extends HttpClient { + + + public void setCustomSSLTrustStore(String metadataURL, SecureProtocolSocketFactory protoSocketFactory) throws MOAHttpProtocolSocketFactoryException, MalformedURLException { + ; + + URL url = new URL(metadataURL); + int port = -1; + if (url.getPort() < 0) + port = url.getDefaultPort(); + else + port = url.getPort(); + + Protocol authhttps = new Protocol("https", protoSocketFactory, port); + getHostConfiguration().setHost(url.getHost(), port, authhttps); + + } + + public int executeMethod(HostConfiguration hostconfig, + final HttpMethod method, final HttpState state) + throws IOException, HttpException { + + if (method == null) { + throw new IllegalArgumentException("HttpMethod parameter may not be null"); + } + HostConfiguration defaulthostconfig = getHostConfiguration(); + if (hostconfig == null) { + hostconfig = defaulthostconfig; + } + URI uri = method.getURI(); + if (hostconfig == defaulthostconfig || uri.isAbsoluteURI()) { + // make a deep copy of the host defaults + hostconfig = (HostConfiguration) hostconfig.clone(); + + /** + * Only build default host with default protocol if protocol is empty + * + * In case of https, the methode setCustomSSLTrustStore can be used to set a + * the MOA TrustStore for SSL connection validation + */ + if (uri.isAbsoluteURI() && hostconfig.getProtocol() == null) { + hostconfig.setHost(uri); + } + } + + HttpMethodDirector methodDirector = new HttpMethodDirector( + getHttpConnectionManager(), + hostconfig, + getParams(), + (state == null ? getState() : state)); + methodDirector.executeMethod(method); + return method.getStatusCode(); + } +} diff --git a/id/server/moa-id-commons/src/main/resources/config/bindings.xjb b/id/server/moa-id-commons/src/main/resources/config/bindings.xjb index f2701bec4..cf04319c8 100644 --- a/id/server/moa-id-commons/src/main/resources/config/bindings.xjb +++ b/id/server/moa-id-commons/src/main/resources/config/bindings.xjb @@ -1,7 +1,8 @@ -<jaxb:bindings version="1.0" +<jaxb:bindings version="2.1" xmlns:jaxb="http://java.sun.com/xml/ns/jaxb" xmlns:xsd="http://www.w3.org/2001/XMLSchema" - xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"> + xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc" + jaxb:extensionBindingPrefixes="hj"> <jaxb:bindings schemaLocation="moaid_config_2.0.xsd" node="/xsd:schema"> <jaxb:globalBindings localScoping="toplevel"> diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index e8562a57b..3a2914cb4 100644 --- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <!-- Mit XMLSpy v2013 sp1 (http://www.altova.com) von Thomas Lenz (Graz University of Technology IAIK) bearbeitet --> -<xsd:schema xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.buergerkarte.at/namespaces/moaconfig#" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.0.0"> +<xsd:schema xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:jaxb="http://java.sun.com/xml/ns/jaxb" xmlns:hj="http://hyperjaxb3.jvnet.org/ejb/schemas/customizations" xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc" targetNamespace="http://www.buergerkarte.at/namespaces/moaconfig#" elementFormDefault="qualified" attributeFormDefault="unqualified" version="2.0.0" jaxb:extensionBindingPrefixes="xjc hj" jaxb:version="2.0"> <xsd:complexType name="OnlineApplication"> <xsd:complexContent> <xsd:extension base="OnlineApplicationType"> @@ -481,10 +481,27 @@ </xsd:element> </xsd:sequence> </xsd:complexType> + <xsd:complexType name="InterfederationIDPType"> + <xsd:sequence> + <xsd:element name="attributeQueryURL" type="xsd:string" minOccurs="0" maxOccurs="1"/> + <xsd:element name="storeSSOSession" type="xsd:boolean" minOccurs="1" maxOccurs="1" default="true"/> + </xsd:sequence> + <xsd:attribute name="inboundSSO" type="xsd:boolean" default="true"/> + <xsd:attribute name="outboundSSO" type="xsd:boolean" default="true"/> + </xsd:complexType> <xsd:complexType name="OnlineApplicationType"> <xsd:sequence> + <xsd:element name="isNew" type="xsd:boolean" default="false" minOccurs="0" maxOccurs="1"> + <xsd:annotation> + <xsd:appinfo> + <hj:ignored/> + </xsd:appinfo> + </xsd:annotation> + </xsd:element> <xsd:element name="isActive" type="xsd:boolean" default="false" minOccurs="1" maxOccurs="1"/> <xsd:element name="isAdminRequired" type="xsd:boolean" default="false" minOccurs="0" maxOccurs="1"/> + <xsd:element name="isInterfederationIDP" type="xsd:boolean" default="false" minOccurs="0" maxOccurs="1"/> + <xsd:element name="InterfederationIDP" type="InterfederationIDPType" minOccurs="0" maxOccurs="1"/> <xsd:element name="AuthComponent_OA" minOccurs="0"> <xsd:annotation> <xsd:documentation>enthält Parameter über die OA, die die @@ -938,6 +955,20 @@ <xsd:element name="isPVP2Generated" type="xsd:boolean" minOccurs="0" maxOccurs="1"/> <xsd:element name="lastLogin" type="xsd:string" minOccurs="1" maxOccurs="1"/> <xsd:element name="OnlineApplication" type="OnlineApplication" minOccurs="0" maxOccurs="unbounded"/> + <xsd:element name="onlyBusinessService" type="xsd:boolean" default="false" minOccurs="1" maxOccurs="1"> + <xsd:annotation> + <xsd:appinfo> + <hj:ignored/> + </xsd:appinfo> + </xsd:annotation> + </xsd:element> + <xsd:element name="businessServiceType" type="xsd:string" minOccurs="0" maxOccurs="1"> + <xsd:annotation> + <xsd:appinfo> + <hj:ignored/> + </xsd:appinfo> + </xsd:annotation> + </xsd:element> </xsd:sequence> </xsd:complexType> <xsd:complexType name="BKUSelectionCustomizationType"> |