From 7720eee7787b2149b36ac76da1b64e416e16d07c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 21 Oct 2016 10:21:15 +0200 Subject: update SSL certificate revocation-checking method-order if the IAIK_PKI module is used --- .../pvp2x/metadata/MOAMetadataProvider.java | 18 +++++++++-- .../pvp2x/metadata/SimpleMOAMetadataProvider.java | 18 ++++++----- .../protocols/pvp2x/utils/MOASAMLSOAPClient.java | 3 +- .../at/gv/egovernment/moa/id/util/SSLUtils.java | 3 +- .../utils/MOAHttpProtocolSocketFactory.java | 6 ++-- .../id/commons/utils/ssl/MOAIDTrustManager.java | 3 +- .../moa/id/commons/utils/ssl/PKIProfileImpl.java | 9 +++++- .../moa/id/commons/utils/ssl/SSLUtils.java | 34 +++++++-------------- .../engine/MOAeIDASChainingMetadataProvider.java | 20 +++++++----- .../0.3.1/iaik_X509TrustManager-0.3.1.jar | Bin 0 -> 3401 bytes 10 files changed, 67 insertions(+), 47 deletions(-) create mode 100644 repository/iaik/prod/iaik_X509TrustManager/0.3.1/iaik_X509TrustManager-0.3.1.jar diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 19adfe4c4..dc024e695 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -31,6 +31,7 @@ import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Map.Entry; +import java.util.Timer; import javax.xml.namespace.QName; @@ -68,6 +69,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider // private static MOAMetadataProvider instance = null; MetadataProvider internalProvider = null; + private Timer timer = null; private static Object mutex = new Object(); //private Map lastAccess = null; 
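Review bot: The new `private Timer timer = null;` field in the @@ -68 hunk carries no comment on who owns the timer or when it is cancelled, although the class keeps a `mutex` for its provider state right below it. A one-line comment such as `// refresh timer shared by all HTTP metadata providers of this chain; cancelled on re-initialisation` would make the lifecycle visible at the declaration. Whether reads and writes of the field happen under `mutex` is not visible in this hunk and should be confirmed, since the field is mutated from the initialisation and re-initialisation paths.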
@@ -163,10 +165,14 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider byte[] cert = Base64Utils.decode(certBase64, false); String oaFriendlyName = oaParam.getFriendlyName(); + if (timer == null) + timer = new Timer(true); + ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL, buildMetadataFilterChain(oaParam, metadataURL, cert), - oaFriendlyName); + oaFriendlyName, + timer); chainProvider.addMetadataProvider(newMetadataProvider); @@ -374,6 +380,10 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider } internalProvider = new ChainingMetadataProvider(); + + if (timer != null) + timer.cancel(); + } else { Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy"); } @@ -414,12 +424,16 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider byte[] cert = Base64Utils.decode(certBase64, false); + if (timer == null) + timer = new Timer(true); + Logger.info("Loading metadata for: " + oaFriendlyName); if (!providersinuse.containsKey(metadataurl)) { httpProvider = createNewHTTPMetaDataProvider( metadataurl, buildMetadataFilterChain(oaParam, metadataurl, cert), - oaFriendlyName); + oaFriendlyName, + timer); if (httpProvider != null) providersinuse.put(metadataurl, httpProvider); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java index 8261a86c1..7a2acee9c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java 
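Review bot: In the @@ -374 hunk `timer.cancel()` terminates the timer but leaves the field non-null, so the lazy `if (timer == null) timer = new Timer(true);` guards added in the @@ -163 and @@ -414 hunks never fire again after a re-initialisation and the cancelled timer is handed to `createNewHTTPMetaDataProvider`. A `java.util.Timer` that has been cancelled throws `IllegalStateException` as soon as a task is scheduled on it, which presumably happens when the new HTTP provider schedules its refresh, so every provider added after a re-initialisation would fail unless the field is reset somewhere outside the hunks. Release the reference at the same place: `timer.cancel(); timer = null;`. The enclosing methods start and end outside the hunks.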
@@ -53,12 +53,13 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{ * @param metadataURL URL, where the metadata should be loaded * @param filter Filters, which should be used to validate the metadata * @param IdForLogging Id, which is used for Logging + * @param timer {@link Timer} which is used to schedule metadata refresh operations * * @return SAML2 Metadata Provider */ - protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging ) { + protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging, Timer timer) { HTTPMetadataProvider httpProvider = null; - Timer timer= null; + //Timer timer= null; MOAHttpClient httpClient = null; try { httpClient = new MOAHttpClient(); @@ -71,7 +72,8 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{ AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, - AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking()); + AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(), + AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder()); httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); @@ -81,7 +83,7 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{ } } - timer = new Timer(true); +// timer = new Timer(true); httpProvider = new HTTPMetadataProvider(timer, httpClient, metadataURL); httpProvider.setParserPool(new BasicParserPool()); @@ -121,10 +123,10 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{ httpProvider.destroy(); } - if (timer != null) { - Logger.debug("Destroy Timer."); - timer.cancel(); - } +// if (timer != null) { +// Logger.debug("Destroy Timer."); +// timer.cancel(); +// } } 
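Review bot: The @@ -53, @@ -81 and @@ -121 hunks keep the old timer handling as commented-out code (`//Timer timer= null;`, `// timer = new Timer(true);` and the commented-out cancel block); delete those lines instead, the history is in git and the dead text suggests the cancel is still an option. Since the `Timer` is now supplied by the caller and is no longer cancelled on the failure path, the new `@param timer` Javadoc should state the ownership explicitly, for example `@param timer {@link Timer} on which the provider schedules its refresh task; owned and cancelled by the caller, never cancelled here`. createNewHTTPMetaDataProvider starts and ends outside the hunks.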
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java index 0426c2a6a..d5ab4b2e7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java @@ -77,7 +77,8 @@ public class MOASAMLSOAPClient { AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(), null, AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(), - AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking()); + AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(), + AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder()); clientBuilder.setHttpsProtocolSocketFactory(sslprotocolsocketfactory ); } catch (MOAHttpProtocolSocketFactoryException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java index caf7f570f..784581648 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java @@ -129,7 +129,8 @@ public class SSLUtils { trustStoreURL, acceptedServerCertURL, AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(), - AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(), + AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(), + AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(), connParam.getClientKeyStore(), connParam.getClientKeyStorePassword(), "pkcs12"); 
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java index 142e9a23a..3b1f0c7b5 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java @@ -54,7 +54,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory String trustStoreURL, String acceptedServerCertURL, String chainingMode, - boolean checkRevocation + boolean checkRevocation, + String[] revocationMethodOrder ) throws MOAHttpProtocolSocketFactoryException { super(); @@ -65,7 +66,8 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory trustStoreURL, acceptedServerCertURL, chainingMode, - checkRevocation, + checkRevocation, + revocationMethodOrder, null, null, null); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java index e0304f928..969de3ce6 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java @@ -67,6 +67,7 @@ import iaik.pki.PKIFactory; import iaik.pki.PKIProfile; import iaik.pki.jsse.IAIKX509TrustManager; + /** * TrustManager implementation featuring CRL checking (inherited from * IAIKX509TrustManager), plus server-end-SSL-certificate checking. 
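Review bot: The @@ -54 hunk changes the public constructor of `MOAHttpProtocolSocketFactory` in moa-id-commons in place by appending `String[] revocationMethodOrder`, so any caller compiled against the previous arity no longer links. Unless another overload exists outside the hunk, keeping the old signature as a delegating constructor that passes `null` (or the CRL default) for the new parameter would preserve compatibility for modules not updated in this commit. The constructor's Javadoc, if any, lies outside the hunk and needs a `@param revocationMethodOrder` entry as well.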
@@ -172,7 +173,7 @@ public class MOAIDTrustManager extends IAIKX509TrustManager { throw new NullPointerException("pkiConfig parameter must not be null"); } - + TransactionId tid = new TransactionIdImpl("Init"); log_.info(tid, "Setting up IAIKX509TrustManager", null); if (pkiConfig != null) { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java index a34fa9b8b..9b692c090 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/PKIProfileImpl.java @@ -77,6 +77,9 @@ public class PKIProfileImpl extends ObservableImpl */ private boolean revocationChecking; + + private String[] revocationCheckMethode = new String[] {RevocationSourceTypes.CRL}; + /** * The trust profile identifier. */ @@ -141,9 +144,13 @@ public class PKIProfileImpl extends ObservableImpl * @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate) */ public String[] getPreferredServiceOrder(X509Certificate arg0) { - return new String[] {RevocationSourceTypes.CRL}; + return revocationCheckMethode; } + public void setPreferredServiceOrder(String[] order) { + this.revocationCheckMethode = order; + } + /** * @see iaik.pki.store.truststore.TrustStoreProfile#getType() */ diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 6fa4595d8..d2a099c69 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java 
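Review bot: `setPreferredServiceOrder` in the @@ -141 hunk stores whatever it is given, so a `null` or empty array arriving from the configuration (it is passed straight through from `SSLUtils.getTrustManagers` further down in this commit) replaces the CRL default that the new field in the @@ -77 hunk establishes, and `getPreferredServiceOrder` then returns `null` to the IAIK revocation checker; the setter should fall back to the default and copy its input: `this.revocationCheckMethode = (order == null || order.length == 0) ? new String[] {RevocationSourceTypes.CRL} : order.clone();`. The getter previously returned a fresh array on every call and now hands out the internal one, so `return revocationCheckMethode.clone();` keeps callers from mutating profile state. The field name `revocationCheckMethode` looks like a typo for `revocationCheckMethod`, and the new public setter lacks the Javadoc that the neighbouring methods carry.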
@@ -64,7 +64,6 @@ import at.gv.egovernment.moa.util.KeyStoreUtils; import iaik.pki.PKIConfiguration; import iaik.pki.PKIException; import iaik.pki.PKIFactory; -import iaik.pki.PKIProfile; //import iaik.pki.jsse.IAIKX509TrustManager; import iaik.security.provider.IAIK; @@ -94,24 +93,7 @@ public class SSLUtils { } - - /** - * Creates an SSLSocketFactory which utilizes an - * IAIKX509TrustManager for the given trust store, - * and the given key store. - * - * @param conf configuration provider providing a generic properties pointing - * to trusted CA store and certificate store root - * @param connParam connection parameter containing the client key store settings - * to be used in case of client authentication; - * if connParam.getClientKeyStore() == null, client authentication - * is assumed to be disabled - * @return SSLSocketFactory to be used by an HttpsURLConnection - * @throws IOException thrown while reading key store file - * @throws GeneralSecurityException thrown while creating the socket factory - * @throws ConfigurationException on invalid configuration data - * @throws PKIException while initializing the IAIKX509TrustManager - */ + public static SSLSocketFactory getSSLSocketFactory( String url, String certStoreRootDirParam, @@ -119,9 +101,10 @@ public class SSLUtils { String acceptedServerCertURL, String chainingMode, boolean checkRevocation, + String[] revocationMethodOrder, String clientKeyStoreURL, String clientKeyStorePassword, - String clientKeyStoreType + String clientKeyStoreType ) throws IOException, GeneralSecurityException, SSLConfigurationException, PKIException { @@ -136,7 +119,8 @@ public class SSLUtils { chainingMode, trustStoreURL, acceptedServerCertURL, - checkRevocation); + checkRevocation, + revocationMethodOrder); KeyManager[] kms = getKeyManagers( clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword); 
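Review bot: The @@ -94 hunk deletes the entire Javadoc of the public `getSSLSocketFactory` instead of extending it, leaving a method with nine parameters and no documentation. The removed block should be restored together with a `@param revocationMethodOrder` entry describing the preferred revocation-source order (constants from `RevocationSourceTypes`) that is handed to the PKI profile, presumably only consulted when `checkRevocation` is true — confirm against the IAIK profile usage before stating that. The @@ -119 hunk also touches `String clientKeyStoreType` only to change trailing whitespace, which adds noise to the diff.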
@@ -231,13 +215,17 @@ public class SSLUtils { */ private static TrustManager[] getTrustManagers(String certStoreRootDirParam, String chainingMode, String trustStoreURL, String acceptedServerCertURL, - boolean checkRevocation) + boolean checkRevocation, String[] revocationMethodOrder) throws SSLConfigurationException, PKIException, IOException, GeneralSecurityException { PKIConfiguration cfg = null; if (! PKIFactory.getInstance().isAlreadyConfigured()) cfg = new PKIConfigurationImpl(certStoreRootDirParam, chainingMode); - PKIProfile profile = new PKIProfileImpl(trustStoreURL, checkRevocation); + + PKIProfileImpl profile = new PKIProfileImpl(trustStoreURL, checkRevocation); + + profile.setPreferredServiceOrder(revocationMethodOrder); + // This call fixes a bug occuring when PKIConfiguration is // initialized by the MOA-SP initialization code, in case // MOA-SP is called by API diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index 7fb0dbb5f..cb1fe36c8 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -210,7 +210,8 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi authConfig.getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, - authConfig.isTrustmanagerrevoationchecking()); + authConfig.isTrustmanagerrevoationchecking(), + authConfig.getRevocationMethodOrder()); httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); 
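Review bot: The Javadoc whose closing `*/` opens the @@ -231 hunk is not updated for the new `revocationMethodOrder` parameter of `getTrustManagers`; add `@param revocationMethodOrder preferred revocation-source order applied to the PKI profile; {@code null} leaves the profile default untouched` — and make the code match that statement, since the hunk currently calls `profile.setPreferredServiceOrder(revocationMethodOrder)` unconditionally. A debug-level log line of the effective order next to that call would let operators verify that the configured method order is actually applied, which is the purpose of this commit. The method continues past the end of the hunk.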
@@ -306,14 +307,17 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi } else { //load new Metadata Provider ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; - HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL); - chainProvider.addMetadataProvider(newMetadataProvider); + HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL); - emitChangeEvent(); - Logger.info("eIDAS metadata for " - + metadataURL + " is added."); - return true; - + if (newMetadataProvider != null) { + chainProvider.addMetadataProvider(newMetadataProvider); + + emitChangeEvent(); + Logger.info("eIDAS metadata for " + + metadataURL + " is added."); + return true; + + } } } else diff --git a/repository/iaik/prod/iaik_X509TrustManager/0.3.1/iaik_X509TrustManager-0.3.1.jar b/repository/iaik/prod/iaik_X509TrustManager/0.3.1/iaik_X509TrustManager-0.3.1.jar new file mode 100644 index 000000000..596b9aab2 Binary files /dev/null and b/repository/iaik/prod/iaik_X509TrustManager/0.3.1/iaik_X509TrustManager-0.3.1.jar differ -- cgit v1.2.3
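Review bot: The new `if (newMetadataProvider != null)` in the @@ -306 hunk handles the failure case by silently dropping through: nothing records that the eIDAS metadata at `metadataURL` could not be loaded, and what the method returns in that case lies outside the hunk. An `else` branch such as `Logger.warn("eIDAS metadata for " + metadataURL + " could not be loaded, provider not added");` would make the failure visible to operators. The enclosing method starts and ends outside the hunk.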