aboutsummaryrefslogtreecommitdiff
path: root/id/server
diff options
context:
space:
mode:
Diffstat (limited to 'id/server')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java11
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java1
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java20
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java44
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java4
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java4
9 files changed, 74 insertions, 22 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 1fa17c683..4fc37d88f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -145,7 +145,9 @@ public class MOAMetadataProvider extends AbstractChainingMetadataProvider {
try {
//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
- PVPConstants.SSLSOCKETFACTORYNAME,
+ PVPConstants.SSLSOCKETFACTORYNAME,
+ moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
moaAuthConfig.getTrustedCACertificates(),
null,
AuthConfiguration.DEFAULT_X509_CHAININGMODE,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
index d7ada1f36..bd908f894 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java
@@ -75,7 +75,9 @@ public class MOASAMLSOAPClient {
//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
SecureProtocolSocketFactory sslprotocolsocketfactory =
new MOAHttpProtocolSocketFactory(
- PVPConstants.SSLSOCKETFACTORYNAME,
+ PVPConstants.SSLSOCKETFACTORYNAME,
+ AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
null,
AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(),
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
index 611dff3b1..6bf44a527 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
@@ -61,6 +61,7 @@ import javax.net.ssl.SSLSocketFactory;
import org.apache.regexp.RE;
import org.apache.regexp.RESyntaxException;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.ConfigurationProvider;
import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
@@ -93,6 +94,10 @@ public class SSLUtils {
ConfigurationProvider conf, String url )
throws IOException, GeneralSecurityException, ConfigurationException, PKIException {
+ boolean useStandardJavaTrustStore = conf.getBasicMOAIDConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE,
+ false);
+
// else create new SSLSocketFactory
String trustStoreURL = conf.getTrustedCACertificates();
@@ -107,6 +112,7 @@ public class SSLUtils {
try {
SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
url,
+ useStandardJavaTrustStore,
null,
trustStoreURL,
acceptedServerCertURL,
@@ -148,6 +154,10 @@ public class SSLUtils {
ConnectionParameterInterface connParam)
throws IOException, GeneralSecurityException, ConfigurationException, PKIException {
+ boolean useStandardJavaTrustStore = conf.getBasicMOAIDConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE,
+ false);
+
// else create new SSLSocketFactory
String trustStoreURL = conf.getTrustedCACertificates();
@@ -162,6 +172,7 @@ public class SSLUtils {
try {
SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
connParam.getUrl(),
+ useStandardJavaTrustStore,
null,
trustStoreURL,
acceptedServerCertURL,
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
index a787cea00..4dd0a857f 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
@@ -11,6 +11,7 @@ import iaik.pki.revocation.RevocationSourceTypes;
public interface AuthConfiguration extends ConfigurationProvider{
+ public static final String PROP_KEY_SSL_USE_JVM_TRUSTSTORE = "configuration.ssl.useStandardJavaTrustStore";
public static final String PROP_KEY_SSL_HOSTNAME_VALIDATION = "configuration.ssl.validation.hostname";
public static final String PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION = "service.onlinemandates.ssl.validation.hostname";
public static final String PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER = "protocols.pvp2.metadata.entitycategories.active";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
index bdadf681d..6c8c092ed 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java
@@ -34,7 +34,6 @@ import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
@@ -51,7 +50,6 @@ import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moaspss.logging.Logger;
import iaik.pki.PKIException;
-import sun.security.ssl.ProtocolVersion;
/**
* @author tlenz
@@ -77,14 +75,15 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
* @throws MOAHttpProtocolSocketFactoryException
*/
public MOAHttpProtocolSocketFactory (
- String url,
+ String url,
+ boolean useStandardJavaTrustStore,
String trustStoreURL,
String acceptedServerCertURL,
String chainingMode,
boolean checkRevocation,
String[] revocationMethodOrder,
boolean verifyHostName) throws MOAHttpProtocolSocketFactoryException {
- internalInitialize(url, null, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
+ internalInitialize(url, useStandardJavaTrustStore, null, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
this.verifyHostName = verifyHostName;
@@ -103,26 +102,31 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory
* @param verifyHostName Enables / Disables hostName verfication
* @throws MOAHttpProtocolSocketFactoryException
*/
- public MOAHttpProtocolSocketFactory(String url, String certStoreDirectory, String trustStoreURL,
+ public MOAHttpProtocolSocketFactory(String url, boolean useStandardJavaTrustStore,
+ String certStoreDirectory,
+ String trustStoreURL,
String acceptedServerCertURL,
String chainingMode,
boolean checkRevocation,
String[] revocationMethodOrder,
boolean verifyHostName) throws MOAHttpProtocolSocketFactoryException {
- internalInitialize(url, certStoreDirectory, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
+ internalInitialize(url, useStandardJavaTrustStore, certStoreDirectory, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
this.verifyHostName = verifyHostName;
}
- private void internalInitialize(String url, String certStoreDirectory, String trustStoreURL,
+ private void internalInitialize(String url, boolean useStandardJavaTrustStore,
+ String certStoreDirectory,
+ String trustStoreURL,
String acceptedServerCertURL,
String chainingMode,
boolean checkRevocation,
String[] revocationMethodOrder) throws MOAHttpProtocolSocketFactoryException {
try {
this.sslfactory = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
- url,
+ url,
+ useStandardJavaTrustStore,
certStoreDirectory,
trustStoreURL,
acceptedServerCertURL,
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index e6efca4ea..a96daead3 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -108,8 +108,29 @@ public class SSLUtils {
}
}
+ /**
+ * Get SSLSocketFactory with TrustStore and KeyStore implementations
+ *
+ * @param url URL of the Service that should be connected
+ * @param useStandardJavaTrustStore Flag to use standard JVM truststore
+ * @param certStoreRootDirParam Path to certStore, if own truststore is used
+ * @param trustStoreURL Path to truststore, if own truststore is used
+ * @param acceptedServerCertURL Path to whitelist with EE-Server certificats, if own truststore is used
+ * @param chainingMode PKIX-Mode or Onion-Model for certificate validation, if own truststore is used
+ * @param checkRevocation Flag to activate or deactivate revocation checks, if own truststore is used
+ * @param revocationMethodOrder Revocation check order (CLR, OCSP), if own truststore is used
+ * @param clientKeyStoreURL Path to KeyStore for SSL Client-Authentication, or null
+ * @param clientKeyStorePassword KeyStore password
+ * @param clientKeyStoreType KeyStore type
+ * @return
+ * @throws IOException
+ * @throws GeneralSecurityException
+ * @throws SSLConfigurationException
+ * @throws PKIException
+ */
public static SSLSocketFactory getSSLSocketFactory(
- String url,
+ String url,
+ boolean useStandardJavaTrustStore,
String certStoreRootDirParam,
String trustStoreURL,
String acceptedServerCertURL,
@@ -130,14 +151,19 @@ public class SSLUtils {
return ssf;
}
-
- TrustManager[] tms = getTrustManagers(
- certStoreRootDirParam,
- chainingMode,
- trustStoreURL,
- acceptedServerCertURL,
- checkRevocation,
- revocationMethodOrder);
+
+ //initialize own trust-store implementation
+ TrustManager[] tms = null;
+ if (useStandardJavaTrustStore) {
+ tms = getTrustManagers(
+ certStoreRootDirParam,
+ chainingMode,
+ trustStoreURL,
+ acceptedServerCertURL,
+ checkRevocation,
+ revocationMethodOrder);
+
+ }
KeyManager[] kms = getKeyManagers(
clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword);
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
index 5cee90658..cd3f1f788 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
@@ -322,7 +322,9 @@ public class EidasCentralAuthMetadataProvider extends SimpleMetadataProvider
try {
//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
- PVPConstants.SSLSOCKETFACTORYNAME,
+ PVPConstants.SSLSOCKETFACTORYNAME,
+ moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
moaAuthConfig.getTrustedCACertificates(),
null,
AuthConfiguration.DEFAULT_X509_CHAININGMODE,
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index aca818532..feeff6f84 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -440,7 +440,9 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMetadataProvider imp
AuthConfiguration moaAuthConfig = (AuthConfiguration) basicConfig;
//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
- PVPConstants.SSLSOCKETFACTORYNAME,
+ PVPConstants.SSLSOCKETFACTORYNAME,
+ basicConfig.getBasicMOAIDConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
moaAuthConfig.getTrustedCACertificates(),
null,
AuthConfiguration.DEFAULT_X509_CHAININGMODE,
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
index e8cfae10a..7bb98c719 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
@@ -322,7 +322,9 @@ public class ELGAMandateServiceMetadataProvider extends SimpleMetadataProvider
try {
//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
- PVPConstants.SSLSOCKETFACTORYNAME,
+ PVPConstants.SSLSOCKETFACTORYNAME,
+ moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
moaAuthConfig.getTrustedCACertificates(),
null,
AuthConfiguration.DEFAULT_X509_CHAININGMODE,