From a917335ea69ab857f00bd17679e259fcc215cad9 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 4 Feb 2019 08:58:10 +0100 Subject: update SSLUtils to use default JVM trustStore for SSL connections as optional --- .../config/ConfigurationProvider.java | 1 + .../validation/oa/OAPVP2ConfigValidation.java | 3 +- .../task/impl/ServicesProtocolPVP2XTask.java | 3 +- .../pvp2x/metadata/MOAMetadataProvider.java | 4 +- .../protocols/pvp2x/utils/MOASAMLSOAPClient.java | 4 +- .../at/gv/egovernment/moa/id/util/SSLUtils.java | 11 ++++++ .../moa/id/commons/api/AuthConfiguration.java | 1 + .../utils/MOAHttpProtocolSocketFactory.java | 20 ++++++---- .../moa/id/commons/utils/ssl/SSLUtils.java | 44 +++++++++++++++++----- .../utils/EidasCentralAuthMetadataProvider.java | 4 +- .../engine/MOAeIDASChainingMetadataProvider.java | 4 +- .../utils/ELGAMandateServiceMetadataProvider.java | 4 +- 12 files changed, 79 insertions(+), 24 deletions(-) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java index d249fa597..41a86cef2 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java @@ -633,6 +633,7 @@ public class ConfigurationProvider { try { MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( "MOAMetaDataProvider", + true, ConfigurationProvider.getInstance().getCertStoreDirectory(), ConfigurationProvider.getInstance().getTrustStoreDirectory(), null, diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java index 8b41823e1..cbb7c88b2 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java @@ -129,6 +129,7 @@ public class OAPVP2ConfigValidation { try { MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( "MOAMetaDataProvider", + true, ConfigurationProvider.getInstance().getCertStoreDirectory(), ConfigurationProvider.getInstance().getTrustStoreDirectory(), null, @@ -145,7 +146,7 @@ public class OAPVP2ConfigValidation { log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e); } catch (ConfigurationException e) { - log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e); + log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore."); } diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java index 2d6f7c9a9..1e5762f04 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java @@ -192,6 +192,7 @@ public class ServicesProtocolPVP2XTask extends AbstractTaskValidator implements try { MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( "MOAMetaDataProvider", + true, MOAIDWebGUIConfiguration.getInstance().getCertStoreDirectory(), MOAIDWebGUIConfiguration.getInstance().getTrustStoreDirectory(), null, @@ -208,7 +209,7 @@ public class ServicesProtocolPVP2XTask extends AbstractTaskValidator implements log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e); } catch (at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException e) { - log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e); + log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore."); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 1fa17c683..4fc37d88f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -145,7 +145,9 @@ public class MOAMetadataProvider extends AbstractChainingMetadataProvider { try { //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( - PVPConstants.SSLSOCKETFACTORYNAME, + PVPConstants.SSLSOCKETFACTORYNAME, + moaAuthConfig.getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false), moaAuthConfig.getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java index d7ada1f36..bd908f894 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java @@ -75,7 +75,9 @@ public class MOASAMLSOAPClient { //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 SecureProtocolSocketFactory sslprotocolsocketfactory = new MOAHttpProtocolSocketFactory( - PVPConstants.SSLSOCKETFACTORYNAME, + PVPConstants.SSLSOCKETFACTORYNAME, + AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false), AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(), null, AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(), diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java index 611dff3b1..6bf44a527 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java @@ -61,6 +61,7 @@ import javax.net.ssl.SSLSocketFactory; import org.apache.regexp.RE; import org.apache.regexp.RESyntaxException; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.ConfigurationProvider; import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; @@ -93,6 +94,10 @@ public class SSLUtils { ConfigurationProvider conf, String url ) throws IOException, GeneralSecurityException, ConfigurationException, PKIException { + boolean useStandardJavaTrustStore = conf.getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, + false); + // else create new SSLSocketFactory String trustStoreURL = conf.getTrustedCACertificates(); @@ -107,6 +112,7 @@ public class SSLUtils { try { SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory( url, + useStandardJavaTrustStore, null, trustStoreURL, acceptedServerCertURL, @@ -148,6 +154,10 @@ public class SSLUtils { ConnectionParameterInterface connParam) throws IOException, GeneralSecurityException, ConfigurationException, PKIException { + boolean useStandardJavaTrustStore = conf.getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, + false); + // else create new SSLSocketFactory String trustStoreURL = conf.getTrustedCACertificates(); @@ -162,6 +172,7 @@ public class SSLUtils { try { SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory( connParam.getUrl(), + useStandardJavaTrustStore, null, trustStoreURL, acceptedServerCertURL, diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java index a787cea00..4dd0a857f 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java @@ -11,6 +11,7 @@ import iaik.pki.revocation.RevocationSourceTypes; public interface AuthConfiguration extends ConfigurationProvider{ + public static final String PROP_KEY_SSL_USE_JVM_TRUSTSTORE = "configuration.ssl.useStandardJavaTrustStore"; public static final String PROP_KEY_SSL_HOSTNAME_VALIDATION = "configuration.ssl.validation.hostname"; public static final String PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION = "service.onlinemandates.ssl.validation.hostname"; public static final String PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER = "protocols.pvp2.metadata.entitycategories.active"; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java index bdadf681d..6c8c092ed 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAHttpProtocolSocketFactory.java @@ -34,7 +34,6 @@ import java.util.Arrays; import java.util.List; import javax.net.ssl.SSLException; -import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; @@ -51,7 +50,6 @@ import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moaspss.logging.Logger; import iaik.pki.PKIException; -import sun.security.ssl.ProtocolVersion; /** * @author tlenz @@ -77,14 +75,15 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory * @throws MOAHttpProtocolSocketFactoryException */ public MOAHttpProtocolSocketFactory ( - String url, + String url, + boolean useStandardJavaTrustStore, String trustStoreURL, String acceptedServerCertURL, String chainingMode, boolean checkRevocation, String[] revocationMethodOrder, boolean verifyHostName) throws MOAHttpProtocolSocketFactoryException { - internalInitialize(url, null, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder); + internalInitialize(url, useStandardJavaTrustStore, null, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder); this.verifyHostName = verifyHostName; @@ -103,26 +102,31 @@ public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory * @param verifyHostName Enables / Disables hostName verfication * @throws MOAHttpProtocolSocketFactoryException */ - public MOAHttpProtocolSocketFactory(String url, String certStoreDirectory, String trustStoreURL, + public MOAHttpProtocolSocketFactory(String url, boolean useStandardJavaTrustStore, + String certStoreDirectory, + String trustStoreURL, String acceptedServerCertURL, String chainingMode, boolean checkRevocation, String[] revocationMethodOrder, boolean verifyHostName) throws MOAHttpProtocolSocketFactoryException { - internalInitialize(url, certStoreDirectory, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder); + internalInitialize(url, useStandardJavaTrustStore, certStoreDirectory, trustStoreURL, acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder); this.verifyHostName = verifyHostName; } - private void internalInitialize(String url, String certStoreDirectory, String trustStoreURL, + private void internalInitialize(String url, boolean useStandardJavaTrustStore, + String certStoreDirectory, + String trustStoreURL, String acceptedServerCertURL, String chainingMode, boolean checkRevocation, String[] revocationMethodOrder) throws MOAHttpProtocolSocketFactoryException { try { this.sslfactory = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory( - url, + url, + useStandardJavaTrustStore, certStoreDirectory, trustStoreURL, acceptedServerCertURL, diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index e6efca4ea..a96daead3 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -108,8 +108,29 @@ public class SSLUtils { } } + /** + * Get SSLSocketFactory with TrustStore and KeyStore implementations + * + * @param url URL of the Service that should be connected + * @param useStandardJavaTrustStore Flag to use standard JVM truststore + * @param certStoreRootDirParam Path to certStore, if own truststore is used + * @param trustStoreURL Path to truststore, if own truststore is used + * @param acceptedServerCertURL Path to whitelist with EE-Server certificats, if own truststore is used + * @param chainingMode PKIX-Mode or Onion-Model for certificate validation, if own truststore is used + * @param checkRevocation Flag to activate or deactivate revocation checks, if own truststore is used + * @param revocationMethodOrder Revocation check order (CLR, OCSP), if own truststore is used + * @param clientKeyStoreURL Path to KeyStore for SSL Client-Authentication, or null + * @param clientKeyStorePassword KeyStore password + * @param clientKeyStoreType KeyStore type + * @return + * @throws IOException + * @throws GeneralSecurityException + * @throws SSLConfigurationException + * @throws PKIException + */ public static SSLSocketFactory getSSLSocketFactory( - String url, + String url, + boolean useStandardJavaTrustStore, String certStoreRootDirParam, String trustStoreURL, String acceptedServerCertURL, @@ -130,14 +151,19 @@ public class SSLUtils { return ssf; } - - TrustManager[] tms = getTrustManagers( - certStoreRootDirParam, - chainingMode, - trustStoreURL, - acceptedServerCertURL, - checkRevocation, - revocationMethodOrder); + + //initialize own trust-store implementation + TrustManager[] tms = null; + if (useStandardJavaTrustStore) { + tms = getTrustManagers( + certStoreRootDirParam, + chainingMode, + trustStoreURL, + acceptedServerCertURL, + checkRevocation, + revocationMethodOrder); + + } KeyManager[] kms = getKeyManagers( clientKeyStoreType, clientKeyStoreURL, clientKeyStorePassword); diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java index 5cee90658..cd3f1f788 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java @@ -322,7 +322,9 @@ public class EidasCentralAuthMetadataProvider extends SimpleMetadataProvider try { //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( - PVPConstants.SSLSOCKETFACTORYNAME, + PVPConstants.SSLSOCKETFACTORYNAME, + moaAuthConfig.getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false), moaAuthConfig.getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index aca818532..feeff6f84 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -440,7 +440,9 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMetadataProvider imp AuthConfiguration moaAuthConfig = (AuthConfiguration) basicConfig; //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( - PVPConstants.SSLSOCKETFACTORYNAME, + PVPConstants.SSLSOCKETFACTORYNAME, + basicConfig.getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false), moaAuthConfig.getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java index e8cfae10a..7bb98c719 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java @@ -322,7 +322,9 @@ public class ELGAMandateServiceMetadataProvider extends SimpleMetadataProvider try { //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( - PVPConstants.SSLSOCKETFACTORYNAME, + PVPConstants.SSLSOCKETFACTORYNAME, + moaAuthConfig.getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false), moaAuthConfig.getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, -- cgit v1.2.3