From 5e78c0a4ecfc75b2e42c079c08cff8247845e293 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 7 May 2014 16:00:49 +0200
Subject: change MOAMetaDataProvider to use MOA HttpClient

---
 .../config/ConfigurationProvider.java              | 50 ++++++++++++++++++++--
 .../pvp2x/metadata/MOAMetadataProvider.java        | 35 ++++++++++++---
 2 files changed, 75 insertions(+), 10 deletions(-)

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
index bcc9a87ab..84af0d225 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
@@ -41,7 +41,7 @@ import java.util.jar.Manifest;
 
 import javax.servlet.http.HttpServletRequest;
 
-import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.MOAHttpClient;
 import org.apache.log4j.Logger;
 import org.opensaml.DefaultBootstrap;
 import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
@@ -49,7 +49,11 @@ import org.opensaml.xml.parse.BasicParserPool;
 import org.opensaml.xml.security.x509.BasicX509Credential;
 
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.configuration.Constants;
 import at.gv.egovernment.moa.id.configuration.auth.pvp2.MetaDataVerificationFilter;
 import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
@@ -436,6 +440,26 @@ public class ConfigurationProvider {
 		return parseVersionFromManifest();
 	}
 	
+	public String getCertStoreDirectory() throws CertificateException {
+		String dir = props.getProperty("general.ssl.certstore");
+		if (MiscUtil.isNotEmpty(dir))
+				return FileUtils.makeAbsoluteURL(dir, configRootDir);
+		
+		else
+			throw new CertificateException("No SSLCertStore configured use default JAVA TrustStore.");
+		
+	}
+	
+	public String getTrustStoreDirectory() throws CertificateException {
+		String dir = props.getProperty("general.ssl.truststore");
+		if (MiscUtil.isNotEmpty(dir))
+				return FileUtils.makeAbsoluteURL(dir, configRootDir);
+		
+		else
+			throw new CertificateException("No SSLTrustStore configured use default JAVA TrustStore.");
+		
+	}
+	
 	private void initalPVP2Login() throws ConfigurationException {
 		try {
 					
@@ -458,8 +482,28 @@ public class ConfigurationProvider {
 				log.info("NO IDP Metadata URL.");
 				throw new ConfigurationException("NO IDP Metadata URL.");
 			}
-						
-			idpMetadataProvider = new HTTPMetadataProvider(new Timer(), new HttpClient(), metadataurl);  
+			
+			MOAHttpClient httpClient = new MOAHttpClient();
+			
+			if (metadataurl.startsWith("https:")) {
+				try {
+					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+							"MOAMetaDataProvider", 
+							AuthConfigurationProvider.getInstance().getCertstoreDirectory(), 
+							AuthConfigurationProvider.getInstance().getTrustedCACertificates(),
+							null,
+							ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()), 
+							AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking());
+					
+					httpClient.setCustomSSLTrustStore(metadataurl, protoSocketFactory);
+
+				} catch (MOAHttpProtocolSocketFactoryException e) {
+					log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+					
+				}
+			}
+			
+			idpMetadataProvider = new HTTPMetadataProvider(new Timer(), httpClient, metadataurl);  
 			idpMetadataProvider.setRequireValidMetadata(true);  
 			idpMetadataProvider.setParserPool(new BasicParserPool());
 			idpMetadataProvider.setMetadataFilter(new MetaDataVerificationFilter(idpCredential));
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 31100bfac..5c8e181a7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -34,7 +34,7 @@ import java.util.Timer;
 
 import javax.xml.namespace.QName;
 
-import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.MOAHttpClient;
 import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.RoleDescriptor;
@@ -47,11 +47,14 @@ import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.parse.BasicParserPool;
 
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataSignatureFilter;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
@@ -328,10 +331,30 @@ public class MOAMetadataProvider implements MetadataProvider {
 	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, MetadataFilterChain filter) {
 		HTTPMetadataProvider httpProvider = null;
 		Timer timer= null;
-		
-		try {
+		MOAHttpClient httpClient = null;
+		try {			
+			httpClient = new MOAHttpClient();
+			
+			if (metadataURL.startsWith("https:")) {
+				try {
+					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+							"MOAMetaDataProvider", 
+							AuthConfigurationProvider.getInstance().getCertstoreDirectory(), 
+							AuthConfigurationProvider.getInstance().getTrustedCACertificates(),
+							null,
+							ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()), 
+							AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking());
+					
+					httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+				} catch (MOAHttpProtocolSocketFactoryException e) {
+					Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+					
+				}
+			}
+			
 			timer = new Timer();
-			httpProvider = new HTTPMetadataProvider(timer, new HttpClient(), 
+			httpProvider = new HTTPMetadataProvider(timer, httpClient, 
 					metadataURL);
 			httpProvider.setParserPool(new BasicParserPool());
 			httpProvider.setRequireValidMetadata(true);
@@ -339,8 +362,6 @@ public class MOAMetadataProvider implements MetadataProvider {
 			httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
 			//httpProvider.setRefreshDelayFactor(0.1F);
 			
-			// TODO: use proper SSL checking
-			
 			if (filter == null) {			
 				filter = new MetadataFilterChain(metadataURL, certificate);
 			}
-- 
cgit v1.2.3