From 8673d715af90bb7df168f4bac9979ab48ee04e3e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 21 Feb 2017 15:30:11 +0100 Subject: update javadoc --- .../java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/moa-id-commons/src/main/java/at') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java index d2c827d55..fcf4c3ffa 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java @@ -32,7 +32,7 @@ public interface AuthConfiguration extends ConfigurationProvider{ * Get a configuration value from basic file based MOA-ID configuration * * @param key configuration key - * @return configuration value + * @return configuration value or null if it is not found */ public String getBasicMOAIDConfiguration(final String key); -- cgit v1.2.3 From 3979e8addd354e59d5601d1ad89b4fad228da2d5 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 10 Mar 2017 16:02:16 +0100 Subject: fix possible DoS Bug --- .../src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'id/server/moa-id-commons/src/main/java/at') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java index fed968443..62a168ac8 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java @@ -28,6 +28,7 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; @@ -542,6 +543,7 @@ public class DOMUtils { /** * A convenience method to parse an XML document non validating. + * This method disallow DocType declarations * * @param inputStream The InputStream containing the XML * document. @@ -552,10 +554,16 @@ public class DOMUtils { * parser. */ public static Element parseXmlNonValidating(InputStream inputStream) - throws ParserConfigurationException, SAXException, IOException { + throws ParserConfigurationException, SAXException, IOException { return DOMUtils - .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, null) - .getDocumentElement(); + .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, + Collections.unmodifiableMap(new HashMap() { + private static final long serialVersionUID = 1L; + { + put(DOMUtils.DISALLOW_DOCTYPE_FEATURE, true); + + } + })).getDocumentElement(); } /** -- cgit v1.2.3 From 250a89d7eaeb1c8a905fa7bb2032992946fec40f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 12 Jul 2017 14:42:09 +0200 Subject: add new demo module for dummy authentication --- .../main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'id/server/moa-id-commons/src/main/java/at') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java index 8d893be9d..b16941f51 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java @@ -181,6 +181,7 @@ public class MOAIDAuthConstants extends MOAIDConstants{ public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication"; public static final String PROCESSCONTEXT_PERFORM_BKUSELECTION = "performBKUSelection"; public static final String PROCESSCONTEXT_ISLEGACYREQUEST = "isLegacyRequest"; + public static final String PROCESSCONTEXT_UNIQUE_OA_IDENTFIER = "uniqueSPId"; //General protocol-request data-store keys public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target"; @@ -189,5 +190,5 @@ public class MOAIDAuthConstants extends MOAIDConstants{ //General MOASession data-store keys public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert"; - + } -- cgit v1.2.3 From 91d38d59b42ee77346b0d33315f403d8fa678576 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 17 Jul 2017 10:25:02 +0200 Subject: update MOA SAML2 metadata provider to support metadata located on file system --- .../java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'id/server/moa-id-commons/src/main/java/at') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java index fcf4c3ffa..4df11b35c 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java @@ -16,7 +16,8 @@ public interface AuthConfiguration extends ConfigurationProvider{ public static final String DEFAULT_X509_CHAININGMODE = "pkix"; - + public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout + public Properties getGeneralPVP2ProperiesConfig(); -- cgit v1.2.3 From c4fe089610dba3d6e8929f6e163538dfae0d18da Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 25 Jul 2017 12:07:59 +0200 Subject: betaversion for a workaround to solve problem with Java8 >= 141 and SHA1 certificates in certificate chain --- .../utils/ssl/MOASSLAlgorithmConstraints.java | 175 ++++++++++++++ .../commons/utils/ssl/MOATrustManagerWrapper.java | 267 +++++++++++++++++++++ .../moa/id/commons/utils/ssl/SSLUtils.java | 4 +- .../commons/validation/MOASSLAlgorithmChecker.java | 226 +++++++++++++++++ 4 files changed, 671 insertions(+), 1 deletion(-) create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java (limited to 'id/server/moa-id-commons/src/main/java/at') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java new file mode 100644 index 000000000..8f367598d --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java @@ -0,0 +1,175 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import java.security.AlgorithmConstraints; +import java.security.AlgorithmParameters; +import java.security.CryptoPrimitive; +import java.security.Key; +import java.util.Set; + +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLSocket; + +/** + * @author tlenz + * + */ +public class MOASSLAlgorithmConstraints implements AlgorithmConstraints { + + private AlgorithmConstraints userAlgConstraints = null; + private AlgorithmConstraints peerAlgConstraints = null; + + private boolean enabledX509DisabledAlgConstraints = true; + + + static final AlgorithmConstraints DEFAULT = new MOASSLAlgorithmConstraints(null); + + + public MOASSLAlgorithmConstraints() + { + + } + + + static final AlgorithmConstraints DEFAULT_SSL_ONLY = new MOASSLAlgorithmConstraints((SSLSocket)null, false); + + MOASSLAlgorithmConstraints(AlgorithmConstraints paramAlgorithmConstraints) + { + this.userAlgConstraints = paramAlgorithmConstraints; + + } + + + MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, boolean paramBoolean) + { + if (paramSSLSocket != null) { + this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints(); + + } + + if (!(paramBoolean)) + this.enabledX509DisabledAlgConstraints = false; + } + + + MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, boolean paramBoolean) + { + if (paramSSLEngine != null) { + this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints(); + + } + + if (!(paramBoolean)) + this.enabledX509DisabledAlgConstraints = false; + } + + MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, String[] paramArrayOfString, boolean paramBoolean) + { + if (paramSSLSocket != null) { + this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints(); + + //this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString); + + } + + if (!(paramBoolean)) + this.enabledX509DisabledAlgConstraints = false; + } + + +// MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, String[] paramArrayOfString, boolean paramBoolean) +// { +// if (paramSSLEngine != null) { +// this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints(); +// +// this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString); +// +// } +// +// if (!(paramBoolean)) +// this.enabledX509DisabledAlgConstraints = false; +// } + + + /* (non-Javadoc) + * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.AlgorithmParameters) + */ + @Override + public boolean permits(Set primitives, String algorithm, AlgorithmParameters parameters) { + boolean bool = true; + + if (this.peerAlgConstraints != null) { + bool = this.peerAlgConstraints.permits(primitives, algorithm, parameters); + + } + + if ((bool) && (this.userAlgConstraints != null)) { + bool = this.userAlgConstraints.permits(primitives, algorithm, parameters); + + } + + return bool; + + } + + /* (non-Javadoc) + * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.security.Key) + */ + @Override + public boolean permits(Set primitives, Key key) { + boolean bool = true; + + if (this.peerAlgConstraints != null) { + bool = this.peerAlgConstraints.permits(primitives, key); + } + + if ((bool) && (this.userAlgConstraints != null)) { + bool = this.userAlgConstraints.permits(primitives, key); + } + + return bool; + + } + + /* (non-Javadoc) + * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.Key, java.security.AlgorithmParameters) + */ + @Override + public boolean permits(Set primitives, String algorithm, Key key, AlgorithmParameters parameters) { + boolean bool = true; + + if (this.peerAlgConstraints != null) { + bool = this.peerAlgConstraints.permits(primitives, algorithm, key, parameters); + + } + + if ((bool) && (this.userAlgConstraints != null)) { + bool = this.userAlgConstraints.permits(primitives, algorithm, key, parameters); + + } + + return bool; + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java new file mode 100644 index 000000000..c71d50161 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java @@ -0,0 +1,267 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import java.lang.reflect.Constructor; +import java.net.Socket; +import java.security.AlgorithmConstraints; +import java.security.Timestamp; +import java.security.cert.CertPathValidatorException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.PKIXCertPathChecker; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.HashSet; + +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.X509ExtendedTrustManager; +import javax.net.ssl.X509TrustManager; + +import at.gv.egovernment.moa.id.commons.validation.MOASSLAlgorithmChecker; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; +import sun.security.provider.certpath.AlgorithmChecker; +import sun.security.util.DisabledAlgorithmConstraints; + +/** + * @author tlenz + * + */ +public class MOATrustManagerWrapper extends X509ExtendedTrustManager implements X509TrustManager { + + private X509TrustManager internalTrustManager = null; + + + /** + * + */ + public MOATrustManagerWrapper(X509TrustManager trustManger) { + this.internalTrustManager = trustManger; + + } + + + + /* (non-Javadoc) + * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String) + */ + @Override + public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) + throws CertificateException { + internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); + + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String) + */ + @Override + public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) + throws CertificateException { + internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); + + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers() + */ + @Override + public X509Certificate[] getAcceptedIssuers() { + return internalTrustManager.getAcceptedIssuers(); + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket) + */ + @Override + public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, + Socket paramSocket) throws CertificateException { + internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); + + checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, true); + + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket) + */ + @Override + public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, + Socket paramSocket) throws CertificateException { + + internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); + + checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, false); + + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine) + */ + @Override + public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, + SSLEngine paramSSLEngine) throws CertificateException { + internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); + + checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, true); + + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine) + */ + @Override + public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, + SSLEngine paramSSLEngine) throws CertificateException { + internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); + + checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, false); + } + + + + private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, + String paramString, Socket paramSocket, boolean isClient) throws CertificateException { + if ((paramSocket == null) || (!(paramSocket.isConnected())) || (!(paramSocket instanceof SSLSocket))) { + return; + + } + + SSLSocket localSSLSocket = (SSLSocket)paramSocket; + SSLSession localSSLSession = localSSLSocket.getHandshakeSession(); + if (localSSLSession == null) { + throw new CertificateException("No handshake session"); + } + + String endpointIdenfificationAlgo = localSSLSocket.getSSLParameters().getEndpointIdentificationAlgorithm(); + if (MiscUtil.isNotEmpty(endpointIdenfificationAlgo)) { + String peerHost = localSSLSession.getPeerHost(); + checkIdentity(peerHost, paramArrayOfX509Certificate[0], endpointIdenfificationAlgo); + + } + + AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); + checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient); + } + + private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, String paramString, + SSLEngine paramSSLEngine, boolean isClient) throws CertificateException { + if (paramSSLEngine != null) { + SSLSession localSSLSession = paramSSLEngine.getHandshakeSession(); + if (localSSLSession == null) { + throw new CertificateException("No handshake session"); + + } + + String str = paramSSLEngine.getSSLParameters().getEndpointIdentificationAlgorithm(); + if ((str != null) && (str.length() != 0)) { + String peerHost = localSSLSession.getPeerHost(); + checkIdentity(peerHost, paramArrayOfX509Certificate[0], str); + + } + + AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); + checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient); + } + } + + private void checkAlgorithmConstraints(X509Certificate[] certificates, + java.security.AlgorithmConstraints algorithmConstraint, boolean isClient) throws CertificateException { + try { + int i = certificates.length - 1; + HashSet localHashSet = new HashSet(); + X509Certificate[] arrayOfX509Certificate = this.internalTrustManager.getAcceptedIssuers(); + + if ((arrayOfX509Certificate != null) && (arrayOfX509Certificate.length > 0)) { + Collections.addAll(localHashSet, arrayOfX509Certificate); + + } + + if (localHashSet.contains(certificates[i])) { + --i; + } + + if (i >= 0) { + PKIXCertPathChecker localAlgorithmChecker = null; + Class algorithCheckerClass = null; + try { + algorithCheckerClass = Class.forName("sun.security.provider.certpath.AlgorithmChecker"); + Constructor algorithCheckerConstructorJava8_141 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class, Timestamp.class, String.class); + localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_141.newInstance(algorithmConstraint, (Timestamp)null, isClient?"tls client":"tls server"); + Logger.trace("Use SSL AlgorithmChecker from JAVA8 >= 141 ..."); + + } catch (Throwable e) { + try { + Constructor algorithCheckerConstructorJava8_71 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class); + localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_71.newInstance(algorithmConstraint); + + Logger.trace("Use SSL AlgorithmChecker from JAVA8 < 141 ..."); + + } catch (Throwable e1) { + Logger.error("Can NOT instance JAVA SSL AlgorithmChecker", e1); + Logger.error("USE ONE LEGACY VERSION OF ALGORITHM CHECKER ..."); + localAlgorithmChecker = new MOASSLAlgorithmChecker(); + + } + } + + + localAlgorithmChecker.init(false); + + for (int j = i; j >= 0; --j) { + X509Certificate localX509Certificate = certificates[j]; + + //localAlgorithmChecker.check((Certificate)localX509Certificate, Collections.emptySet()); + localAlgorithmChecker.check((Certificate)localX509Certificate, null); + } + } + } catch (CertPathValidatorException localCertPathValidatorException) { + throw new CertificateException("Certificates does not conform to algorithm constraints"); + + } + } + + private void checkIdentity(String peerHost, X509Certificate paramX509Certificate, String endpointIdenfificationAlgo) + throws CertificateException { + if (MiscUtil.isEmpty(endpointIdenfificationAlgo)) + return; + + if ((peerHost != null) && (peerHost.startsWith("[")) && (peerHost.endsWith("]"))) { + peerHost = peerHost.substring(1, peerHost.length() - 1); + + } + + if (endpointIdenfificationAlgo.equalsIgnoreCase("HTTPS")) { + sun.security.util.HostnameChecker.getInstance((byte)1).match(peerHost, paramX509Certificate); + + } else if ((endpointIdenfificationAlgo.equalsIgnoreCase("LDAP")) || (endpointIdenfificationAlgo.equalsIgnoreCase("LDAPS"))) { + sun.security.util.HostnameChecker.getInstance((byte)2).match(peerHost, paramX509Certificate); + + } else + throw new CertificateException("Unknown identification algorithm: " + endpointIdenfificationAlgo); + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 109390132..3e793e4d1 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -147,6 +147,7 @@ public class SSLUtils { SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(kms, tms, null); ssf = ctx.getSocketFactory(); + // store SSLSocketFactory sslSocketFactories.put(url, ssf); @@ -259,7 +260,8 @@ public class SSLUtils { MOAIDTrustManager.initializeLoggingContext(); MOAIDTrustManager tm = new MOAIDTrustManager(acceptedServerCertURL); tm.init(cfg, profile); - return new TrustManager[] {tm}; + return new TrustManager[] {new MOATrustManagerWrapper(tm)}; + } } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java new file mode 100644 index 000000000..990b5d3b1 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java @@ -0,0 +1,226 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.validation; + +import java.math.BigInteger; +import java.security.AlgorithmConstraints; +import java.security.AlgorithmParameters; +import java.security.CryptoPrimitive; +import java.security.GeneralSecurityException; +import java.security.KeyFactory; +import java.security.PublicKey; +import java.security.cert.CertPathValidatorException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateParsingException; +import java.security.cert.PKIXCertPathChecker; +import java.security.cert.PKIXReason; +import java.security.cert.X509Certificate; +import java.security.interfaces.DSAParams; +import java.security.interfaces.DSAPublicKey; +import java.security.spec.DSAPublicKeySpec; +import java.util.Collection; +import java.util.Collections; +import java.util.EnumSet; +import java.util.Set; + +import sun.security.util.DisabledAlgorithmConstraints; +import sun.security.x509.X509CertImpl; + +/** + * @author tlenz + * + */ +public class MOASSLAlgorithmChecker extends PKIXCertPathChecker { + + private final AlgorithmConstraints constraints; + private final PublicKey trustedPubKey; + private PublicKey prevPubKey; + private static final Set SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); + private static final Set KU_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE, CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.KEY_AGREEMENT)); + + private static final DisabledAlgorithmConstraints certPathDefaultConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); + + /** + * + */ + public MOASSLAlgorithmChecker() { + this.prevPubKey = null; + this.trustedPubKey = null; + this.constraints = certPathDefaultConstraints; + + } + + public MOASSLAlgorithmChecker(AlgorithmConstraints paramAlgorithmConstraints) { + this.prevPubKey = null; + this.trustedPubKey = null; + this.constraints = paramAlgorithmConstraints; + } + + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#init(boolean) + */ + @Override + public void init(boolean forward) throws CertPathValidatorException { + if (!(forward)) { + if (this.trustedPubKey != null) + this.prevPubKey = this.trustedPubKey; + + else + this.prevPubKey = null; + + } else + throw new CertPathValidatorException("forward checking not supported"); + + } + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#isForwardCheckingSupported() + */ + @Override + public boolean isForwardCheckingSupported() { + return false; + + } + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#getSupportedExtensions() + */ + @Override + public Set getSupportedExtensions() { + return null; + + } + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#check(java.security.cert.Certificate, java.util.Collection) + */ + @Override + public void check(Certificate cert, Collection unresolvedCritExts) throws CertPathValidatorException { + if ((!(cert instanceof X509Certificate)) || (this.constraints == null)) { + return; + + } + + X509CertImpl localX509CertImpl = null; + try { + localX509CertImpl = sun.security.x509.X509CertImpl.toImpl((X509Certificate)cert); + + } catch (CertificateException localCertificateException1) { + throw new CertPathValidatorException(localCertificateException1); + + } + + PublicKey localPublicKey = localX509CertImpl.getPublicKey(); + String str = localX509CertImpl.getSigAlgName(); + + + //check algorithms + AlgorithmParameters localAlgorithmParameters = null; + try { + sun.security.x509.AlgorithmId localAlgorithmId = null; + localAlgorithmId = (sun.security.x509.AlgorithmId)localX509CertImpl.get("x509.algorithm"); + localAlgorithmParameters = localAlgorithmId.getParameters(); + + if (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, localAlgorithmParameters))) { + throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); + + } + + } catch (CertificateParsingException localCertificateException2) { + throw new CertPathValidatorException(localCertificateException2); + + } + + + //check key usage + boolean[] arrayOfBoolean = localX509CertImpl.getKeyUsage(); + if ((arrayOfBoolean != null) && (arrayOfBoolean.length < 9)) + throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE); + + if (arrayOfBoolean != null) { + Set cryptoPrimitives = EnumSet.noneOf(CryptoPrimitive.class); + if ((arrayOfBoolean[0] == true) || (arrayOfBoolean[1] == true) || (arrayOfBoolean[5] == true) || (arrayOfBoolean[6] == true)) { + cryptoPrimitives.add(CryptoPrimitive.SIGNATURE); + + } + + if (arrayOfBoolean[2] == true) { + cryptoPrimitives.add(CryptoPrimitive.KEY_ENCAPSULATION); + + } + + if (arrayOfBoolean[3] == true) { + cryptoPrimitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION); + + } + + if (arrayOfBoolean[4] == true) { + cryptoPrimitives.add(CryptoPrimitive.KEY_AGREEMENT); + + } + + if ((!(cryptoPrimitives.isEmpty())) && (!(this.constraints.permits(cryptoPrimitives, localPublicKey)))) { + throw new CertPathValidatorException("algorithm constraints check failed", null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); + + } + } + + //check pubKeys + if (this.prevPubKey != null) { + if ((str != null) && (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, this.prevPubKey, localAlgorithmParameters)))) { + throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); + + } + + if ((localPublicKey instanceof DSAPublicKey) && (((DSAPublicKey)localPublicKey).getParams() == null)) { + if (!(this.prevPubKey instanceof DSAPublicKey)) { + throw new CertPathValidatorException("Input key is not of a appropriate type for inheriting parameters"); + + } + + DSAParams localObject = ((DSAPublicKey)this.prevPubKey).getParams(); + if (localObject == null) { + throw new CertPathValidatorException("Key parameters missing"); + + } + + try { + BigInteger localBigInteger = ((DSAPublicKey)localPublicKey).getY(); + KeyFactory localKeyFactory = KeyFactory.getInstance("DSA"); + DSAPublicKeySpec localDSAPublicKeySpec = new DSAPublicKeySpec(localBigInteger, ((DSAParams)localObject).getP(), ((DSAParams)localObject).getQ(), ((DSAParams)localObject).getG()); + localPublicKey = localKeyFactory.generatePublic(localDSAPublicKeySpec); + + } catch (GeneralSecurityException localGeneralSecurityException) { + throw new CertPathValidatorException("Unable to generate key with inherited parameters: " + localGeneralSecurityException.getMessage(), localGeneralSecurityException); + + } + } + } + + this.prevPubKey = localPublicKey; + } + + +} -- cgit v1.2.3 From 040e51d335d3af127c3894bd5558a484ddd9b9ea Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 25 Jul 2017 16:11:25 +0200 Subject: Revert "betaversion for a workaround to solve problem with Java8 >= 141 and SHA1 certificates in certificate chain" This reverts commit c4fe089610dba3d6e8929f6e163538dfae0d18da. --- .../utils/ssl/MOASSLAlgorithmConstraints.java | 175 -------------- .../commons/utils/ssl/MOATrustManagerWrapper.java | 267 --------------------- .../moa/id/commons/utils/ssl/SSLUtils.java | 4 +- .../commons/validation/MOASSLAlgorithmChecker.java | 226 ----------------- 4 files changed, 1 insertion(+), 671 deletions(-) delete mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java delete mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java delete mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java (limited to 'id/server/moa-id-commons/src/main/java/at') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java deleted file mode 100644 index 8f367598d..000000000 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java +++ /dev/null @@ -1,175 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.commons.utils.ssl; - -import java.security.AlgorithmConstraints; -import java.security.AlgorithmParameters; -import java.security.CryptoPrimitive; -import java.security.Key; -import java.util.Set; - -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLSocket; - -/** - * @author tlenz - * - */ -public class MOASSLAlgorithmConstraints implements AlgorithmConstraints { - - private AlgorithmConstraints userAlgConstraints = null; - private AlgorithmConstraints peerAlgConstraints = null; - - private boolean enabledX509DisabledAlgConstraints = true; - - - static final AlgorithmConstraints DEFAULT = new MOASSLAlgorithmConstraints(null); - - - public MOASSLAlgorithmConstraints() - { - - } - - - static final AlgorithmConstraints DEFAULT_SSL_ONLY = new MOASSLAlgorithmConstraints((SSLSocket)null, false); - - MOASSLAlgorithmConstraints(AlgorithmConstraints paramAlgorithmConstraints) - { - this.userAlgConstraints = paramAlgorithmConstraints; - - } - - - MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, boolean paramBoolean) - { - if (paramSSLSocket != null) { - this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints(); - - } - - if (!(paramBoolean)) - this.enabledX509DisabledAlgConstraints = false; - } - - - MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, boolean paramBoolean) - { - if (paramSSLEngine != null) { - this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints(); - - } - - if (!(paramBoolean)) - this.enabledX509DisabledAlgConstraints = false; - } - - MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, String[] paramArrayOfString, boolean paramBoolean) - { - if (paramSSLSocket != null) { - this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints(); - - //this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString); - - } - - if (!(paramBoolean)) - this.enabledX509DisabledAlgConstraints = false; - } - - -// MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, String[] paramArrayOfString, boolean paramBoolean) -// { -// if (paramSSLEngine != null) { -// this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints(); -// -// this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString); -// -// } -// -// if (!(paramBoolean)) -// this.enabledX509DisabledAlgConstraints = false; -// } - - - /* (non-Javadoc) - * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.AlgorithmParameters) - */ - @Override - public boolean permits(Set primitives, String algorithm, AlgorithmParameters parameters) { - boolean bool = true; - - if (this.peerAlgConstraints != null) { - bool = this.peerAlgConstraints.permits(primitives, algorithm, parameters); - - } - - if ((bool) && (this.userAlgConstraints != null)) { - bool = this.userAlgConstraints.permits(primitives, algorithm, parameters); - - } - - return bool; - - } - - /* (non-Javadoc) - * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.security.Key) - */ - @Override - public boolean permits(Set primitives, Key key) { - boolean bool = true; - - if (this.peerAlgConstraints != null) { - bool = this.peerAlgConstraints.permits(primitives, key); - } - - if ((bool) && (this.userAlgConstraints != null)) { - bool = this.userAlgConstraints.permits(primitives, key); - } - - return bool; - - } - - /* (non-Javadoc) - * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.Key, java.security.AlgorithmParameters) - */ - @Override - public boolean permits(Set primitives, String algorithm, Key key, AlgorithmParameters parameters) { - boolean bool = true; - - if (this.peerAlgConstraints != null) { - bool = this.peerAlgConstraints.permits(primitives, algorithm, key, parameters); - - } - - if ((bool) && (this.userAlgConstraints != null)) { - bool = this.userAlgConstraints.permits(primitives, algorithm, key, parameters); - - } - - return bool; - } - -} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java deleted file mode 100644 index c71d50161..000000000 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java +++ /dev/null @@ -1,267 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.commons.utils.ssl; - -import java.lang.reflect.Constructor; -import java.net.Socket; -import java.security.AlgorithmConstraints; -import java.security.Timestamp; -import java.security.cert.CertPathValidatorException; -import java.security.cert.Certificate; -import java.security.cert.CertificateException; -import java.security.cert.PKIXCertPathChecker; -import java.security.cert.X509Certificate; -import java.util.Collections; -import java.util.HashSet; - -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLSession; -import javax.net.ssl.SSLSocket; -import javax.net.ssl.X509ExtendedTrustManager; -import javax.net.ssl.X509TrustManager; - -import at.gv.egovernment.moa.id.commons.validation.MOASSLAlgorithmChecker; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; -import sun.security.provider.certpath.AlgorithmChecker; -import sun.security.util.DisabledAlgorithmConstraints; - -/** - * @author tlenz - * - */ -public class MOATrustManagerWrapper extends X509ExtendedTrustManager implements X509TrustManager { - - private X509TrustManager internalTrustManager = null; - - - /** - * - */ - public MOATrustManagerWrapper(X509TrustManager trustManger) { - this.internalTrustManager = trustManger; - - } - - - - /* (non-Javadoc) - * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String) - */ - @Override - public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) - throws CertificateException { - internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); - - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String) - */ - @Override - public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) - throws CertificateException { - internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); - - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers() - */ - @Override - public X509Certificate[] getAcceptedIssuers() { - return internalTrustManager.getAcceptedIssuers(); - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket) - */ - @Override - public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, - Socket paramSocket) throws CertificateException { - internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); - - checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, true); - - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket) - */ - @Override - public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, - Socket paramSocket) throws CertificateException { - - internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); - - checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, false); - - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine) - */ - @Override - public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, - SSLEngine paramSSLEngine) throws CertificateException { - internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); - - checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, true); - - } - - /* (non-Javadoc) - * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine) - */ - @Override - public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, - SSLEngine paramSSLEngine) throws CertificateException { - internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); - - checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, false); - } - - - - private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, - String paramString, Socket paramSocket, boolean isClient) throws CertificateException { - if ((paramSocket == null) || (!(paramSocket.isConnected())) || (!(paramSocket instanceof SSLSocket))) { - return; - - } - - SSLSocket localSSLSocket = (SSLSocket)paramSocket; - SSLSession localSSLSession = localSSLSocket.getHandshakeSession(); - if (localSSLSession == null) { - throw new CertificateException("No handshake session"); - } - - String endpointIdenfificationAlgo = localSSLSocket.getSSLParameters().getEndpointIdentificationAlgorithm(); - if (MiscUtil.isNotEmpty(endpointIdenfificationAlgo)) { - String peerHost = localSSLSession.getPeerHost(); - checkIdentity(peerHost, paramArrayOfX509Certificate[0], endpointIdenfificationAlgo); - - } - - AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); - checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient); - } - - private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, String paramString, - SSLEngine paramSSLEngine, boolean isClient) throws CertificateException { - if (paramSSLEngine != null) { - SSLSession localSSLSession = paramSSLEngine.getHandshakeSession(); - if (localSSLSession == null) { - throw new CertificateException("No handshake session"); - - } - - String str = paramSSLEngine.getSSLParameters().getEndpointIdentificationAlgorithm(); - if ((str != null) && (str.length() != 0)) { - String peerHost = localSSLSession.getPeerHost(); - checkIdentity(peerHost, paramArrayOfX509Certificate[0], str); - - } - - AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); - checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient); - } - } - - private void checkAlgorithmConstraints(X509Certificate[] certificates, - java.security.AlgorithmConstraints algorithmConstraint, boolean isClient) throws CertificateException { - try { - int i = certificates.length - 1; - HashSet localHashSet = new HashSet(); - X509Certificate[] arrayOfX509Certificate = this.internalTrustManager.getAcceptedIssuers(); - - if ((arrayOfX509Certificate != null) && (arrayOfX509Certificate.length > 0)) { - Collections.addAll(localHashSet, arrayOfX509Certificate); - - } - - if (localHashSet.contains(certificates[i])) { - --i; - } - - if (i >= 0) { - PKIXCertPathChecker localAlgorithmChecker = null; - Class algorithCheckerClass = null; - try { - algorithCheckerClass = Class.forName("sun.security.provider.certpath.AlgorithmChecker"); - Constructor algorithCheckerConstructorJava8_141 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class, Timestamp.class, String.class); - localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_141.newInstance(algorithmConstraint, (Timestamp)null, isClient?"tls client":"tls server"); - Logger.trace("Use SSL AlgorithmChecker from JAVA8 >= 141 ..."); - - } catch (Throwable e) { - try { - Constructor algorithCheckerConstructorJava8_71 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class); - localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_71.newInstance(algorithmConstraint); - - Logger.trace("Use SSL AlgorithmChecker from JAVA8 < 141 ..."); - - } catch (Throwable e1) { - Logger.error("Can NOT instance JAVA SSL AlgorithmChecker", e1); - Logger.error("USE ONE LEGACY VERSION OF ALGORITHM CHECKER ..."); - localAlgorithmChecker = new MOASSLAlgorithmChecker(); - - } - } - - - localAlgorithmChecker.init(false); - - for (int j = i; j >= 0; --j) { - X509Certificate localX509Certificate = certificates[j]; - - //localAlgorithmChecker.check((Certificate)localX509Certificate, Collections.emptySet()); - localAlgorithmChecker.check((Certificate)localX509Certificate, null); - } - } - } catch (CertPathValidatorException localCertPathValidatorException) { - throw new CertificateException("Certificates does not conform to algorithm constraints"); - - } - } - - private void checkIdentity(String peerHost, X509Certificate paramX509Certificate, String endpointIdenfificationAlgo) - throws CertificateException { - if (MiscUtil.isEmpty(endpointIdenfificationAlgo)) - return; - - if ((peerHost != null) && (peerHost.startsWith("[")) && (peerHost.endsWith("]"))) { - peerHost = peerHost.substring(1, peerHost.length() - 1); - - } - - if (endpointIdenfificationAlgo.equalsIgnoreCase("HTTPS")) { - sun.security.util.HostnameChecker.getInstance((byte)1).match(peerHost, paramX509Certificate); - - } else if ((endpointIdenfificationAlgo.equalsIgnoreCase("LDAP")) || (endpointIdenfificationAlgo.equalsIgnoreCase("LDAPS"))) { - sun.security.util.HostnameChecker.getInstance((byte)2).match(peerHost, paramX509Certificate); - - } else - throw new CertificateException("Unknown identification algorithm: " + endpointIdenfificationAlgo); - } - -} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 3e793e4d1..109390132 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -147,7 +147,6 @@ public class SSLUtils { SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(kms, tms, null); ssf = ctx.getSocketFactory(); - // store SSLSocketFactory sslSocketFactories.put(url, ssf); @@ -260,8 +259,7 @@ public class SSLUtils { MOAIDTrustManager.initializeLoggingContext(); MOAIDTrustManager tm = new MOAIDTrustManager(acceptedServerCertURL); tm.init(cfg, profile); - return new TrustManager[] {new MOATrustManagerWrapper(tm)}; - + return new TrustManager[] {tm}; } } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java deleted file mode 100644 index 990b5d3b1..000000000 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java +++ /dev/null @@ -1,226 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.commons.validation; - -import java.math.BigInteger; -import java.security.AlgorithmConstraints; -import java.security.AlgorithmParameters; -import java.security.CryptoPrimitive; -import java.security.GeneralSecurityException; -import java.security.KeyFactory; -import java.security.PublicKey; -import java.security.cert.CertPathValidatorException; -import java.security.cert.Certificate; -import java.security.cert.CertificateException; -import java.security.cert.CertificateParsingException; -import java.security.cert.PKIXCertPathChecker; -import java.security.cert.PKIXReason; -import java.security.cert.X509Certificate; -import java.security.interfaces.DSAParams; -import java.security.interfaces.DSAPublicKey; -import java.security.spec.DSAPublicKeySpec; -import java.util.Collection; -import java.util.Collections; -import java.util.EnumSet; -import java.util.Set; - -import sun.security.util.DisabledAlgorithmConstraints; -import sun.security.x509.X509CertImpl; - -/** - * @author tlenz - * - */ -public class MOASSLAlgorithmChecker extends PKIXCertPathChecker { - - private final AlgorithmConstraints constraints; - private final PublicKey trustedPubKey; - private PublicKey prevPubKey; - private static final Set SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); - private static final Set KU_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE, CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.KEY_AGREEMENT)); - - private static final DisabledAlgorithmConstraints certPathDefaultConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); - - /** - * - */ - public MOASSLAlgorithmChecker() { - this.prevPubKey = null; - this.trustedPubKey = null; - this.constraints = certPathDefaultConstraints; - - } - - public MOASSLAlgorithmChecker(AlgorithmConstraints paramAlgorithmConstraints) { - this.prevPubKey = null; - this.trustedPubKey = null; - this.constraints = paramAlgorithmConstraints; - } - - - /* (non-Javadoc) - * @see java.security.cert.PKIXCertPathChecker#init(boolean) - */ - @Override - public void init(boolean forward) throws CertPathValidatorException { - if (!(forward)) { - if (this.trustedPubKey != null) - this.prevPubKey = this.trustedPubKey; - - else - this.prevPubKey = null; - - } else - throw new CertPathValidatorException("forward checking not supported"); - - } - - /* (non-Javadoc) - * @see java.security.cert.PKIXCertPathChecker#isForwardCheckingSupported() - */ - @Override - public boolean isForwardCheckingSupported() { - return false; - - } - - /* (non-Javadoc) - * @see java.security.cert.PKIXCertPathChecker#getSupportedExtensions() - */ - @Override - public Set getSupportedExtensions() { - return null; - - } - - /* (non-Javadoc) - * @see java.security.cert.PKIXCertPathChecker#check(java.security.cert.Certificate, java.util.Collection) - */ - @Override - public void check(Certificate cert, Collection unresolvedCritExts) throws CertPathValidatorException { - if ((!(cert instanceof X509Certificate)) || (this.constraints == null)) { - return; - - } - - X509CertImpl localX509CertImpl = null; - try { - localX509CertImpl = sun.security.x509.X509CertImpl.toImpl((X509Certificate)cert); - - } catch (CertificateException localCertificateException1) { - throw new CertPathValidatorException(localCertificateException1); - - } - - PublicKey localPublicKey = localX509CertImpl.getPublicKey(); - String str = localX509CertImpl.getSigAlgName(); - - - //check algorithms - AlgorithmParameters localAlgorithmParameters = null; - try { - sun.security.x509.AlgorithmId localAlgorithmId = null; - localAlgorithmId = (sun.security.x509.AlgorithmId)localX509CertImpl.get("x509.algorithm"); - localAlgorithmParameters = localAlgorithmId.getParameters(); - - if (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, localAlgorithmParameters))) { - throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); - - } - - } catch (CertificateParsingException localCertificateException2) { - throw new CertPathValidatorException(localCertificateException2); - - } - - - //check key usage - boolean[] arrayOfBoolean = localX509CertImpl.getKeyUsage(); - if ((arrayOfBoolean != null) && (arrayOfBoolean.length < 9)) - throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE); - - if (arrayOfBoolean != null) { - Set cryptoPrimitives = EnumSet.noneOf(CryptoPrimitive.class); - if ((arrayOfBoolean[0] == true) || (arrayOfBoolean[1] == true) || (arrayOfBoolean[5] == true) || (arrayOfBoolean[6] == true)) { - cryptoPrimitives.add(CryptoPrimitive.SIGNATURE); - - } - - if (arrayOfBoolean[2] == true) { - cryptoPrimitives.add(CryptoPrimitive.KEY_ENCAPSULATION); - - } - - if (arrayOfBoolean[3] == true) { - cryptoPrimitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION); - - } - - if (arrayOfBoolean[4] == true) { - cryptoPrimitives.add(CryptoPrimitive.KEY_AGREEMENT); - - } - - if ((!(cryptoPrimitives.isEmpty())) && (!(this.constraints.permits(cryptoPrimitives, localPublicKey)))) { - throw new CertPathValidatorException("algorithm constraints check failed", null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); - - } - } - - //check pubKeys - if (this.prevPubKey != null) { - if ((str != null) && (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, this.prevPubKey, localAlgorithmParameters)))) { - throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); - - } - - if ((localPublicKey instanceof DSAPublicKey) && (((DSAPublicKey)localPublicKey).getParams() == null)) { - if (!(this.prevPubKey instanceof DSAPublicKey)) { - throw new CertPathValidatorException("Input key is not of a appropriate type for inheriting parameters"); - - } - - DSAParams localObject = ((DSAPublicKey)this.prevPubKey).getParams(); - if (localObject == null) { - throw new CertPathValidatorException("Key parameters missing"); - - } - - try { - BigInteger localBigInteger = ((DSAPublicKey)localPublicKey).getY(); - KeyFactory localKeyFactory = KeyFactory.getInstance("DSA"); - DSAPublicKeySpec localDSAPublicKeySpec = new DSAPublicKeySpec(localBigInteger, ((DSAParams)localObject).getP(), ((DSAParams)localObject).getQ(), ((DSAParams)localObject).getG()); - localPublicKey = localKeyFactory.generatePublic(localDSAPublicKeySpec); - - } catch (GeneralSecurityException localGeneralSecurityException) { - throw new CertPathValidatorException("Unable to generate key with inherited parameters: " + localGeneralSecurityException.getMessage(), localGeneralSecurityException); - - } - } - } - - this.prevPubKey = localPublicKey; - } - - -} -- cgit v1.2.3 From f912da9959267d214bb10a2be8e412af731141ed Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 26 Jul 2017 10:24:55 +0200 Subject: refactor MOA metadataprovider to load metadata from file system --- .../moa/id/commons/api/AuthConfiguration.java | 10 ++++++++++ .../moa/id/commons/utils/KeyValueUtils.java | 22 ++++++++++++++++++++++ 2 files changed, 32 insertions(+) (limited to 'id/server/moa-id-commons/src/main/java/at') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java index 4df11b35c..07b07d980 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java @@ -47,6 +47,16 @@ public interface AuthConfiguration extends ConfigurationProvider{ */ public String getBasicMOAIDConfiguration(final String key, final String defaultValue); + /** + * Get a set of configuration values from basic file based MOA-ID configuration that starts with this prefix + *

+ * Important: The configuration values must be of type String! + * + * @param prefix Prefix of the configuration key + * @return Map without prefix, but never null + */ + public Map getBasicMOAIDConfigurationWithPrefix(final String prefix); + public int getTransactionTimeOut(); public int getSSOCreatedTimeOut(); public int getSSOUpdatedTimeOut(); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/KeyValueUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/KeyValueUtils.java index bc567e5d2..40ef5a23a 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/KeyValueUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/KeyValueUtils.java @@ -29,6 +29,7 @@ import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Map.Entry; +import java.util.Properties; import java.util.Set; import org.apache.commons.lang3.StringUtils; @@ -44,6 +45,27 @@ public class KeyValueUtils { public static final String KEY_DELIMITER = "."; public static final String CSV_DELIMITER = ","; + /** + * Convert Java properties into a Map + *

+ * Important: The key/values from properties must be of type String! + * + * @param properties + * @return + */ + public static Map concertPropertiesToMap(Properties properties) { + return new HashMap((Map) properties); + + //INFO Java8 solution ;) + // return properties.entrySet().stream().collect( +// Collectors.toMap( +// e -> e.getKey().toString(), +// e -> e.getValue().toString() +// ) +// ); + + } + /** * Extract the first child of an input key after a the prefix * -- cgit v1.2.3 From fab8bb66ea62eb23e806ad280008c5f722d684ec Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 27 Jul 2017 16:58:46 +0200 Subject: add eIDAS to StatisticLogger.java --- .../java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java | 1 + 1 file changed, 1 insertion(+) (limited to 'id/server/moa-id-commons/src/main/java/at') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java index 1aea8d7b6..971e401ca 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java @@ -42,6 +42,7 @@ public interface IOAAuthParameters { public static final String HANDYBKU = "handy"; public static final String LOCALBKU = "local"; public static final String INDERFEDERATEDIDP = "interfederated"; + public static final String EIDAS = "eIDAS"; /** * Get the full key/value configuration for this online application -- cgit v1.2.3 From 41275a296c73a5ecb29d52829116f4b6e99ce006 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 6 Sep 2017 12:39:48 +0200 Subject: add xsd schema for eIDAS specific SAML2 extensions --- .../src/main/java/at/gv/egovernment/moa/util/Constants.java | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'id/server/moa-id-commons/src/main/java/at') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java index 129478270..2a4e3b362 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java @@ -394,6 +394,12 @@ public interface Constants { public static final String SAML2_METADATA_SCHEMA_LOCATION = SCHEMA_ROOT + "saml-schema-metadata-2.0.xsd"; + + /* Prefix and Schema definition for eIDAS specific SAML2 extensions*/ + public static final String SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas"; + public static final String SAML2_eIDAS_EXTENSIONS = "http://eidas.europa.eu/saml-extensions"; + public static final String SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "eIDAS_saml_extensions.xsd"; + /** * Contains all namespaces and local schema locations for XML schema * definitions relevant for MOA. For use in validating XML parsers. @@ -427,7 +433,8 @@ public interface Constants { + (STORK_NS_URI + " " + STORK_SCHEMA_LOCATION + " ") + (STORKP_NS_URI + " " + STORKP_SCHEMA_LOCATION + " ") + (SAML2_METADATA_URI + " " + SAML2_METADATA_SCHEMA_LOCATION + " ") - + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION); + + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION) + + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION); /** URN prefix for bPK and wbPK. */ public static final String URN_PREFIX = "urn:publicid:gv.at"; -- cgit v1.2.3 From cfc0d2f6db21b4a07ef80ec31d589cbeb1f32a92 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 6 Sep 2017 14:31:25 +0200 Subject: add static variable and update demo OA --- .../java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java | 1 + 1 file changed, 1 insertion(+) (limited to 'id/server/moa-id-commons/src/main/java/at') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java index 971e401ca..bba6d0541 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java @@ -43,6 +43,7 @@ public interface IOAAuthParameters { public static final String LOCALBKU = "local"; public static final String INDERFEDERATEDIDP = "interfederated"; public static final String EIDAS = "eIDAS"; + public static final String AUTHTYPE_OTHERS = "others"; /** * Get the full key/value configuration for this online application -- cgit v1.2.3