From b0782a62b34a8343968a456ed754f55cc41daf0f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 7 May 2014 15:49:27 +0200 Subject: add customized HttpClient which can use the MOA Truststore to verfiy SSL connections --- id/server/moa-id-commons/pom.xml | 4 + .../ex/MOAHttpProtocolSocketFactoryException.java | 42 +++++++ .../utils/MOAHttpProtocolSocketFactory.java | 129 +++++++++++++++++++++ .../moa/id/commons/utils/ssl/SSLUtils.java | 12 +- .../apache/commons/httpclient/MOAHttpClient.java | 100 ++++++++++++++++ 5 files changed, 285 insertions(+), 2 deletions(-) create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java create mode 100644 id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml index 81513518f..1831d0e1c 100644 --- a/id/server/moa-id-commons/pom.xml +++ b/id/server/moa-id-commons/pom.xml @@ -64,6 +64,10 @@ commons-lang3 3.3.1 + + commons-httpclient + commons-httpclient + MOA moa-common diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java new file mode 100644 index 000000000..c6d8b1d79 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/ex/MOAHttpProtocolSocketFactoryException.java @@ -0,0 +1,42 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.ex; + +/** + * @author tlenz + * + */ +public class MOAHttpProtocolSocketFactoryException extends Exception { + + private static final long serialVersionUID = 4934502074731319897L; + + + public MOAHttpProtocolSocketFactoryException(String message) { + super(message); + } + + public MOAHttpProtocolSocketFactoryException(String message, Throwable e) { + super(message, e ); + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java new file mode 100644 index 000000000..3b6fc34ea --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java @@ -0,0 +1,129 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.utils; + +import iaik.pki.PKIException; + +import java.io.IOException; +import java.net.InetAddress; +import java.net.Socket; +import java.net.UnknownHostException; +import java.security.GeneralSecurityException; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocketFactory; + +import org.apache.commons.httpclient.ConnectTimeoutException; +import org.apache.commons.httpclient.params.HttpConnectionParams; +import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; + +import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException; +import at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils; + +/** + * @author tlenz + * + */ +public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory { + + + + private SSLSocketFactory sslfactory = null; + + public MOAHttpProtocolSocketFactory ( + String url, + String certStoreRootDirParam, + String trustStoreURL, + String acceptedServerCertURL, + ChainingModeType chainingMode, + boolean checkRevocation + ) throws MOAHttpProtocolSocketFactoryException { + super(); + + try { + this.sslfactory = SSLUtils.getSSLSocketFactory( + url, + certStoreRootDirParam, + trustStoreURL, + acceptedServerCertURL, + chainingMode.value(), + checkRevocation, + null, + null, + null); + + } catch (IOException e) { + throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e); + + } catch (GeneralSecurityException e) { + throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e); + + } catch (SSLConfigurationException e) { + throw new MOAHttpProtocolSocketFactoryException("SSL Configuration loading FAILED.", e); + + } catch (PKIException e) { + throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e); + + } + + } + + /* (non-Javadoc) + * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int) + */ + public Socket createSocket(String host, int port, InetAddress localAddress, + int localPort) throws IOException, UnknownHostException { + return this.sslfactory.createSocket(host, port, + localAddress, localPort); + } + + /* (non-Javadoc) + * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int, org.apache.commons.httpclient.params.HttpConnectionParams) + */ + public Socket createSocket(String host, int port, InetAddress localAddress, + int localPort, HttpConnectionParams params) throws IOException, + UnknownHostException, ConnectTimeoutException { + return this.sslfactory.createSocket(host, port, + localAddress, localPort); + } + + /* (non-Javadoc) + * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int) + */ + public Socket createSocket(String host, int port) throws IOException, + UnknownHostException { + return this.sslfactory.createSocket(host, port); + } + + /* (non-Javadoc) + * @see org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory#createSocket(java.net.Socket, java.lang.String, int, boolean) + */ + public Socket createSocket(Socket socket, String host, int port, + boolean autoClose) throws IOException, UnknownHostException { + return this.sslfactory.createSocket(socket, host, + port, autoClose); + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index eed8b25e0..68437a04d 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -139,12 +139,19 @@ public class SSLUtils { KeyManager[] kms = at.gv.egovernment.moa.util.SSLUtils.getKeyManagers( clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword); SSLContext ctx = SSLContext.getInstance("TLS"); - ctx.init(kms, tms, null); ssf = ctx.getSocketFactory(); + ctx.init(kms, tms, null); + ssf = ctx.getSocketFactory(); // store SSLSocketFactory sslSocketFactories.put(url, ssf); return ssf; } + public static void removeSSLSocketFactory(String url) { + Logger.info("Remove SSLSocketFactory for URL " + url); + if (sslSocketFactories.containsKey(url)) + sslSocketFactories.remove(url); + + } /** * Initializes an IAIKX509TrustManager for a given trust store, @@ -158,7 +165,7 @@ public class SSLUtils { * @throws IOException on data-reading problems * @throws PKIException while initializing the IAIKX509TrustManager */ - public static TrustManager[] getTrustManagers(String certStoreRootDirParam, + private static TrustManager[] getTrustManagers(String certStoreRootDirParam, String chainingMode, String trustStoreURL, String acceptedServerCertURL, boolean checkRevocation) throws SSLConfigurationException, PKIException, IOException, GeneralSecurityException { @@ -175,4 +182,5 @@ public class SSLUtils { tm.init(cfg, profile); return new TrustManager[] {tm}; } + } diff --git a/id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java b/id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java new file mode 100644 index 000000000..e4aa6a284 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/org/apache/commons/httpclient/MOAHttpClient.java @@ -0,0 +1,100 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package org.apache.commons.httpclient; + +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; + +import org.apache.commons.httpclient.HostConfiguration; +import org.apache.commons.httpclient.HttpClient; +import org.apache.commons.httpclient.HttpException; +import org.apache.commons.httpclient.HttpMethod; +import org.apache.commons.httpclient.HttpMethodDirector; +import org.apache.commons.httpclient.HttpState; +import org.apache.commons.httpclient.URI; +import org.apache.commons.httpclient.protocol.Protocol; +import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; + +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; + +/** + * @author tlenz + * + *HTTP client which can be used with MOA SSL TrustStore implementation + * + */ +public class MOAHttpClient extends HttpClient { + + + public void setCustomSSLTrustStore(String metadataURL, SecureProtocolSocketFactory protoSocketFactory) throws MOAHttpProtocolSocketFactoryException, MalformedURLException { + ; + + URL url = new URL(metadataURL); + int port = -1; + if (url.getPort() < 0) + port = url.getDefaultPort(); + else + port = url.getPort(); + + Protocol authhttps = new Protocol("https", protoSocketFactory, port); + getHostConfiguration().setHost(url.getHost(), port, authhttps); + + } + + public int executeMethod(HostConfiguration hostconfig, + final HttpMethod method, final HttpState state) + throws IOException, HttpException { + + if (method == null) { + throw new IllegalArgumentException("HttpMethod parameter may not be null"); + } + HostConfiguration defaulthostconfig = getHostConfiguration(); + if (hostconfig == null) { + hostconfig = defaulthostconfig; + } + URI uri = method.getURI(); + if (hostconfig == defaulthostconfig || uri.isAbsoluteURI()) { + // make a deep copy of the host defaults + hostconfig = (HostConfiguration) hostconfig.clone(); + + /** + * Only build default host with default protocol if protocol is empty + * + * In case of https, the methode setCustomSSLTrustStore can be used to set a + * the MOA TrustStore for SSL connection validation + */ + if (uri.isAbsoluteURI() && hostconfig.getProtocol() == null) { + hostconfig.setHost(uri); + } + } + + HttpMethodDirector methodDirector = new HttpMethodDirector( + getHttpConnectionManager(), + hostconfig, + getParams(), + (state == null ? getState() : state)); + methodDirector.executeMethod(method); + return method.getStatusCode(); + } +} -- cgit v1.2.3