From 5e72494c61164869fbb605a134fe224ac5d5e7d8 Mon Sep 17 00:00:00 2001 From: kstranacher_eGovL Date: Thu, 27 Dec 2012 21:25:50 +0000 Subject: Update Integration TSL Library Update MOA-SP documentation Update repository (for TSL integration) Update MOA-ID (Organwalter bPK from MIS) git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1302 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../xmlbind/VerifyCMSSignatureResponseBuilder.java | 3 +- .../moa/spss/server/init/SystemInitializer.java | 30 ++-- .../invoke/CMSSignatureVerificationInvoker.java | 80 ++++++++- .../invoke/VerifyCMSSignatureResponseBuilder.java | 27 ++- .../invoke/XMLSignatureVerificationInvoker.java | 29 ++-- .../moa/spss/tsl/config/Configurator.java | 6 +- .../moa/spss/tsl/connector/TSLConnector.java | 9 +- .../moa/spss/tsl/timer/TSLUpdaterTimerTask.java | 181 ++++++++++++--------- 8 files changed, 237 insertions(+), 128 deletions(-) (limited to 'spss/server/serverlib/src/main/java') diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java index 1971096a8..7ad838822 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java @@ -99,7 +99,6 @@ public class VerifyCMSSignatureResponseBuilder { CheckResult signatureCheck = responseElement.getSignatureCheck(); CheckResult certCheck = responseElement.getCertificateCheck(); - // TODO CMS TSL check ResponseBuilderUtils.addSignerInfo( responseDoc, responseElem, 
@@ -107,7 +106,7 @@ public class VerifyCMSSignatureResponseBuilder { signerInfo.isQualifiedCertificate(), signerInfo.isPublicAuthority(), signerInfo.getPublicAuhtorityID(), - false); + signerInfo.isSSCD()); ResponseBuilderUtils.addCodeInfoElement( responseDoc, diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index c9b76dd7e..d9e20fda9 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java @@ -135,7 +135,7 @@ public class SystemInitializer { //start TSL Update TSLUpdaterTimerTask.tslconnector_ = tslconnector; - TSLUpdaterTimerTask.update(); + //TSLUpdaterTimerTask.update(); //initialize TSL Update Task initTSLUpdateTask(tslconfig); 
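Review bot: Commenting out `TSLUpdaterTimerTask.update();` means no TSL update runs during initialization, so until the task scheduled by `initTSLUpdateTask(tslconfig)` first fires, TSL-enabled trust profiles are served from whatever the trust stores already hold and the TSL-based QC/SSCD checks run against an unrefreshed TSL. If that is intended, say so in a comment such as `// initial TSL update deferred to the first scheduled run of TSLUpdaterTimerTask`; if it was disabled only for debugging, delete the line rather than leaving it commented. The same applies to the catch blocks commented out in the following -147 hunk: once `update()` is no longer called inside the try block those catches of checked exceptions are presumably what the compiler rejected as unreachable, so they are dead code and should be removed, not kept as comments. The enclosing try block begins before this hunk.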
@@ -147,20 +147,20 @@ public class SystemInitializer { catch (TSLEngineDiedException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); } - catch (TSLSearchException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } - catch (CertStoreException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (TrustStoreException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (CertificateException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (FileNotFoundException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (IOException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } +// catch (TSLSearchException e) { +// Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); +// } +// catch (CertStoreException e) { +// Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); +// } catch (TrustStoreException e) { +// Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); +// } catch (CertificateException e) { +// Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); +// } catch (FileNotFoundException e) { +// Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); +// } catch (IOException e) { +// Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); +// } // set IXSIL debug output IXSILInit.setPrintDebugLog( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index ba2513d2f..2c4bbd4eb 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java 
@@ -30,6 +30,9 @@ import iaik.server.modules.cmsverify.CMSSignatureVerificationModule; import iaik.server.modules.cmsverify.CMSSignatureVerificationModuleFactory; import iaik.server.modules.cmsverify.CMSSignatureVerificationProfile; import iaik.server.modules.cmsverify.CMSSignatureVerificationResult; +import iaik.x509.X509Certificate; +import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; +import iaik.xml.crypto.tsl.ex.TSLSearchException; import java.io.IOException; import java.io.InputStream; @@ -37,6 +40,8 @@ import java.util.Date; import java.util.Iterator; import java.util.List; +import at.gv.egovernment.moa.logging.LogMsg; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.logging.LoggingContext; import at.gv.egovernment.moa.logging.LoggingContextManager; import at.gv.egovernment.moa.spss.MOAApplicationException; @@ -52,6 +57,8 @@ import at.gv.egovernment.moa.spss.server.logging.IaikLog; import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; +import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; +import at.gv.egovernment.moa.spss.util.MessageProvider; /** * A class providing an interface to the @@ -183,7 +190,12 @@ public class CMSSignatureVerificationInvoker { for (resultIter = results.iterator(); resultIter.hasNext();) { result = (CMSSignatureVerificationResult) resultIter.next(); - responseBuilder.addResult(result, trustProfile); + + // check QC and SSCD via TSL (if enabled) + boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain()); + boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());; + + responseBuilder.addResult(result, trustProfile, checkQCFromTSL, checkSSCDFromTSL); } } else { int i; 
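Review bot: The added SSCD line ends in a stray double semicolon (`...getCertificateChain());;`), here and again in the -194 hunk. Both call sites also fetch `result.getCertificateValidationResult().getCertificateChain()` twice and each helper copies the chain into its own array, so hoisting it once, `List chain = result.getCertificateValidationResult().getCertificateChain();`, and passing it to both helpers would simplify the code. The flags are computed even when TSL is disabled for the profile, relying on the helpers to short-circuit; a comment such as `// both helpers return false when TSL is disabled for the trust profile` would make that visible at the call. The enclosing method begins before this hunk.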
@@ -194,7 +206,12 @@ public class CMSSignatureVerificationInvoker { try { result = (CMSSignatureVerificationResult) results.get(signatories[i] - 1); - responseBuilder.addResult(result, trustProfile); + // check QC and SSCD via TSL (if enabled) + boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain()); + boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());; + + + responseBuilder.addResult(result, trustProfile, checkQCFromTSL, checkSSCDFromTSL); } catch (IndexOutOfBoundsException e) { throw new MOAApplicationException( "2249", 
@@ -206,6 +223,65 @@ public class CMSSignatureVerificationInvoker { return responseBuilder.getResponse(); } + private boolean checkQC(boolean tslEnabledTrustProfile, List chainlist) { + boolean checkQCFromTSL = false; + try { + if (tslEnabledTrustProfile) { + if (chainlist != null) { + X509Certificate[] chain = new X509Certificate[chainlist.size()]; + + Iterator it = chainlist.iterator(); + int i = 0; + while(it.hasNext()) { + chain[i] = (X509Certificate)it.next(); + i++; + } + + checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); + //checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); + } + } + } + catch (TSLEngineDiedException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); + } catch (TSLSearchException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); + } + + return checkQCFromTSL; + } + + private boolean checkSSCD(boolean tslEnabledTrustProfile, List chainlist) { + boolean checkSSCDFromTSL = false; + try { + if (tslEnabledTrustProfile) { + if (chainlist != null) { + X509Certificate[] chain = new X509Certificate[chainlist.size()]; + + Iterator it = chainlist.iterator(); + int i = 0; + while(it.hasNext()) { + chain[i] = (X509Certificate)it.next(); + i++; + } + + checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); + } + } + } + catch (TSLEngineDiedException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); + } catch (TSLSearchException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); + } + + return checkSSCDFromTSL; + } + /** * Get the signed content contained either in the request itself or given as a * reference to external data. 
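Review bot: `checkQC` and `checkSSCD` are copies of each other apart from the connector call, and both turn a `TSLEngineDiedException`/`TSLSearchException` into a tsl.01 log line and `false`, so a failed TSL lookup is indistinguishable to the caller, and to the response built from it, from a genuine "not qualified" / "no SSCD" answer. That fail-closed choice is reasonable but should be stated in a comment on both helpers, and the list-to-array copy should live in one shared helper so the two cannot drift; the sketch below shows the shared conversion and the reworked `checkQC`, with `checkSSCD` changing the same way. Whether `getCertificateChain()` can return null is not visible here, so the null check is kept.
```java
    /** Copies a certificate chain list into an array; a null list yields null. */
    private static X509Certificate[] toChainArray(List chainlist) {
        if (chainlist == null) {
            return null;
        }
        X509Certificate[] chain = new X509Certificate[chainlist.size()];
        int i = 0;
        for (Iterator it = chainlist.iterator(); it.hasNext(); i++) {
            chain[i] = (X509Certificate) it.next();
        }
        return chain;
    }

    private boolean checkQC(boolean tslEnabledTrustProfile, List chainlist) {
        // Fail closed: a TSL engine or search failure is logged (tsl.01) and reported
        // as "not qualified"; callers cannot distinguish it from a negative answer.
        boolean checkQCFromTSL = false;
        try {
            X509Certificate[] chain = toChainArray(chainlist);
            if (tslEnabledTrustProfile && chain != null) {
                checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain);
            }
        }
        // … unchanged: catch blocks logging tsl.01 …
        return checkQCFromTSL;
    }
```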
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index fcd5ae0e7..3b82c6caf 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java @@ -71,9 +71,13 @@ public class VerifyCMSSignatureResponseBuilder { * * @param result The result to add. * @param trustprofile The actual trustprofile + * @param checkQCFromTSL true, if the TSL check verifies the + * certificate as qualified, otherwise false. + * @param checkSSCDFromTSL true, if the TSL check verifies the + * signature based on a SSDC, otherwise false. * @throws MOAException */ - public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile) + public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQCFromTSL, boolean checkSSCDFromTSL) throws MOAException { CertificateValidationResult certResult = 
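Review bot: The new `@param checkSSCDFromTSL` text misspells the acronym as `SSDC`; it should read `signature based on a SSCD, otherwise false.`. It would also help callers to document that `checkQCFromTSL` is only consulted when the trust profile has TSL enabled and is otherwise ignored in favour of the certificate's own QC status, e.g. `@param checkQCFromTSL true, if the TSL check verifies the certificate as qualified; ignored when TSL is disabled for the trust profile`. The `@throws MOAException` line still carries no description of when it is thrown.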
@@ -86,16 +90,28 @@ public class VerifyCMSSignatureResponseBuilder { SignerInfo signerInfo; CheckResult signatureCheck; CheckResult certificateCheck; - - // TODO Check TSL check + + + boolean qualifiedCertificate = false; + + // verify qualified certificate checks (certificate or TSL) + if (trustProfile.isTSLEnabled()) { + // take TSL result + qualifiedCertificate = checkQCFromTSL; + } + else { + // take result from certificate + qualifiedCertificate = certResult.isQualifiedCertificate(); + } + // add SignerInfo element signerInfo = factory.createSignerInfo( (X509Certificate) certResult.getCertificateChain().get(0), - certResult.isQualifiedCertificate(), + qualifiedCertificate, certResult.isPublicAuthorityCertificate(), certResult.getPublicAuthorityID(), - false); + checkSSCDFromTSL); // add SignatureCheck element signatureCheck = factory.createCheckResult(signatureCheckCode, null); @@ -103,6 +119,7 @@ public class VerifyCMSSignatureResponseBuilder { // add CertificateCheck element certificateCheck = factory.createCheckResult(certificateCheckCode, null); + // build the response element diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index 290841c66..8a5b6f5b7 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java 
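Review bot: The two TSL flags are handled asymmetrically: `qualifiedCertificate` falls back to `certResult.isQualifiedCertificate()` when TSL is disabled, but `checkSSCDFromTSL` is passed straight to `createSignerInfo` with no fallback, so a profile without TSL always reports no SSCD, exactly as the old hard-coded `false` did. If that is intended, say so where the flag is passed: `checkSSCDFromTSL); // no SSCD source besides the TSL: false when TSL is disabled for the profile`. Stylistically, `qualifiedCertificate` need not be initialised to `false` before the if/else assigns it on both paths; `boolean qualifiedCertificate = trustProfile.isTSLEnabled() ? checkQCFromTSL : certResult.isQualifiedCertificate();` says the same in one line. The enclosing method `addResult` begins before this hunk.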
@@ -229,6 +229,14 @@ public class XMLSignatureVerificationInvoker { profile, signingTime, new TransactionId(context.getTransactionID())); + } catch (IAIKException e) { + MOAException moaException = IaikExceptionMapper.getInstance().map(e); + throw moaException; + } catch (IAIKRuntimeException e) { + MOAException moaException = IaikExceptionMapper.getInstance().map(e); + throw moaException; + } + try { if (tp.isTSLEnabled()) { List list = result.getCertificateValidationResult().getCertificateChain(); if (list != null) { @@ -245,21 +253,14 @@ public class XMLSignatureVerificationInvoker { checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); } - - } - - } catch (IAIKException e) { - MOAException moaException = IaikExceptionMapper.getInstance().map(e); - throw moaException; - } catch (IAIKRuntimeException e) { - MOAException moaException = IaikExceptionMapper.getInstance().map(e); - throw moaException; - } catch (TSLEngineDiedException e) { - MOAException moaException = IaikExceptionMapper.getInstance().map(e); - throw moaException; + } + } + catch (TSLEngineDiedException e) { + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); } catch (TSLSearchException e) { - MOAException moaException = IaikExceptionMapper.getInstance().map(e); - throw moaException; + MessageProvider msg = MessageProvider.getInstance(); + Logger.error(new LogMsg(msg.getMessage("tsl.01", null)), e); } // swap back in the request as root document diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/config/Configurator.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/config/Configurator.java index 7e8dcf0c4..defaedd86 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/config/Configurator.java 
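Review bot: In the -245 hunk a `TSLEngineDiedException` or `TSLSearchException` is now logged as tsl.01 and swallowed instead of being mapped to a `MOAException` and thrown, so verification continues with `checkQCFromTSL`/`checkSSCDFromTSL` left at their initial values (declared before this hunk) and the response reports the certificate as not qualified / no SSCD without any indication that the TSL lookup failed. That is a deliberate fail-closed downgrade and deserves a comment at the catch, e.g. `// fail closed: a TSL failure is logged and the certificate treated as not qualified / no SSCD`. It should also be confirmed that both flags are initialised to `false` before this point, which is not visible here. Splitting the original try so that IAIK exceptions keep propagating (the -229 hunk) is fine; the enclosing method extends beyond both hunks.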
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/config/Configurator.java @@ -41,8 +41,10 @@ public class Configurator { throw new TSLEngineDiedException(e); } - //@TODO Check "/" - Configurator._TSLWorkingDirectoryPath = TSLWorkingDirectoryPath + "/"; + if (!TSLWorkingDirectoryPath.endsWith("/")) + TSLWorkingDirectoryPath += "/"; + + Configurator._TSLWorkingDirectoryPath = TSLWorkingDirectoryPath; initialDefaultConfig(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java index b88255115..2e4af2817 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java @@ -92,17 +92,12 @@ public class TSLConnector implements TSLConnectorInterface { //TODO: clean hascash and TLS Download folder String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); - System.out.println("hashcachedir: " + hashcachedir); - if (hashcachedir==null) hashcachedir = DEFAULT_HASHCACHE_DIR; String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload"; - System.out.println("hashcachedir: " + hashcachedir); - File hashcachefile = new File(hashcachedir); - System.out.println("Hashcache: " + hashcachefile.getAbsolutePath()); File[] filelist = hashcachefile.listFiles(); @@ -247,8 +242,8 @@ public class TSLConnector implements TSLConnectorInterface { Countries expectedTerritory = entry.getValue().getSchemeTerritory(); try { - if (expectedTerritory.equals("RO")) - System.out.println("Stop"); +// if (expectedTerritory.equals("RO")) +// System.out.println("Stop"); Number otpId = entry.getKey(); LocationAndCertHash lac = entry.getValue(); 
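Review bot: The new `if (!TSLWorkingDirectoryPath.endsWith("/"))` is unbraced and reassigns what appears to be the method parameter; braces avoid the classic dangling-statement slip and a local keeps the parameter intact: `String workingDir = TSLWorkingDirectoryPath.endsWith("/") ? TSLWorkingDirectoryPath : TSLWorkingDirectoryPath + "/"; Configurator._TSLWorkingDirectoryPath = workingDir;`. The check also dereferences `TSLWorkingDirectoryPath` with no null guard; whether the preceding try block (outside this hunk) already rejects a null path is not visible here. The enclosing method begins before this hunk.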
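Review bot: `hashcachefile.listFiles()` returns null when `hashcachedir` does not exist or is not a directory, and the code consuming `filelist` lies past this hunk, so it should be confirmed to handle null; otherwise a missing or mistyped `iaik.xml.crypto.tsl.BinaryHashCache.DIR` property becomes a NullPointerException during TSL setup. Removing the `System.out.println` debug output is right, but the `//TODO: clean hascash and TLS Download folder` marker remains without an owner or a ticket. In the -247 hunk the `expectedTerritory.equals("RO")` debug stop is commented out rather than deleted and should simply go. The enclosing method begins before this hunk.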
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
index 6798a5db1..c365a1121 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java
@@ -1,21 +1,40 @@ package at.gv.egovernment.moa.spss.tsl.timer; import iaik.pki.store.certstore.CertStoreException; +import iaik.pki.store.certstore.CertStoreParameters; import iaik.pki.store.truststore.TrustStoreException; +import iaik.pki.store.truststore.TrustStoreProfile; +import iaik.pki.store.utils.StoreUpdater; +import iaik.server.ConfigurationData; +import iaik.x509.X509Certificate; import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; import iaik.xml.crypto.tsl.ex.TSLSearchException; +import java.io.File; +import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.Date; +import java.util.Iterator; +import java.util.Map; import java.util.TimerTask; import at.gv.egovernment.moa.logging.LogMsg; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.spss.MOAApplicationException; +import at.gv.egovernment.moa.spss.api.common.TSLConfiguration; import at.gv.egovernment.moa.spss.server.config.ConfigurationException; +import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moa.spss.server.config.TrustProfile; +import at.gv.egovernment.moa.spss.server.iaik.config.IaikConfigurator; +import at.gv.egovernment.moa.spss.server.iaik.pki.store.truststore.TrustStoreProfileImpl; +import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.tsl.connector.TSLConnector; import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.util.StringUtils; + public class TSLUpdaterTimerTask extends TimerTask { 
@@ -31,7 +50,7 @@ public class TSLUpdaterTimerTask extends TimerTask { Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); // TODO wenn update nicht erfolgreich, dann soll TSL-Trustprofil nicht zur - // Verfügung stehen. + // Verfügung stehen? } catch (TSLSearchException e) { MessageProvider msg = MessageProvider.getInstance(); 
@@ -62,86 +81,86 @@ public class TSLUpdaterTimerTask extends TimerTask { } public static void update() throws TSLEngineDiedException, TSLSearchException, ConfigurationException, MOAApplicationException, CertStoreException, TrustStoreException, CertificateException, FileNotFoundException, IOException { -// MessageProvider msg = MessageProvider.getInstance(); -// -// //get TSl configuration -// ConfigurationProvider config = ConfigurationProvider.getInstance(); -// ConfigurationData configData = new IaikConfigurator().configure(config); -// TSLConfiguration tslconfig = config.getTSLConfiguration(); -// if (tslconfig != null) { -// -// Logger.info(new LogMsg(msg.getMessage("config.42", null))); -// -// // get certstore parameters -// CertStoreParameters[] certStoreParameters = configData.getPKIConfiguration().getCertStoreConfiguration().getParameters(); -// -// // iterate over all truststores -// Map mapTrustProfiles = config.getTrustProfiles(); -// Iterator it = mapTrustProfiles.entrySet().iterator(); -// while (it.hasNext()) { -// Map.Entry pairs = (Map.Entry)it.next(); -// TrustProfile tp = (TrustProfile) pairs.getValue(); -// if (tp.isTSLEnabled()) { -// TrustStoreProfile tsp = new TrustStoreProfileImpl(config, tp.getId()); -// TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1]; -// trustStoreProfiles[0] = tsp; -// -// Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()}))); -// -// TransactionId tid = new TransactionId("TSLConfigurator-" + tp.getId()); -// ArrayList tsl_certs = null; -// if (StringUtils.isEmpty(tp.getCountries())) { -// Logger.debug(new LogMsg(msg.getMessage("config.44", null))); -// -// // get certificates from TSL from all countries -// tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"}); -// } -// else { -// Logger.debug(new LogMsg(msg.getMessage("config.44", null))); -// // get selected countries as array -// String countries = 
tp.getCountries(); -// String[] array = countries.split(","); -// for (int i = 0; i < array.length; i++) -// array[i] = array[i].trim(); -// -// // get certificates from TSL from given countries -// tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"}); -// } -// -// // create store updater for each TSL enabled truststore -// Logger.debug(new LogMsg(msg.getMessage("config.45", null))); -// StoreUpdater storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid); -// -// // convert ArrayList to X509Certificate[] -// X509Certificate[] addCertificates = new X509Certificate[tsl_certs.size()]; -// Iterator itcert = tsl_certs.iterator(); -// int i = 0; -// while(itcert.hasNext()) { -// File f = (File)itcert.next(); -// X509Certificate cert = new X509Certificate(new FileInputStream(f)); -// addCertificates[i] = cert; -// -// i++; -// } -// -// // get certificates to be removed -// X509Certificate[] removeCertificates = tp.getCertficatesToBeRemoved(); -// -// -// //Logger.debug(new LogMsg(msg.getMessage("config.44", null))); -// Logger.debug(new LogMsg("Remove " + removeCertificates.length + " certificates.")); -// storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid); -// -// -// Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates.")); -// storeUpdater.addCertificatesToTrustStores(addCertificates, tid); -// -// // set the certifcates to be removed for the next TSL update -// tp.setCertificatesToBeRemoved(addCertificates); -// -// } -// } -// } + MessageProvider msg = MessageProvider.getInstance(); + + //get TSl configuration + ConfigurationProvider config = ConfigurationProvider.getInstance(); + ConfigurationData configData = new IaikConfigurator().configure(config); + TSLConfiguration tslconfig = config.getTSLConfiguration(); + if (tslconfig != null) { + + Logger.info(new LogMsg(msg.getMessage("config.42", null))); + + // get certstore 
parameters + CertStoreParameters[] certStoreParameters = configData.getPKIConfiguration().getCertStoreConfiguration().getParameters(); + + // iterate over all truststores + Map mapTrustProfiles = config.getTrustProfiles(); + Iterator it = mapTrustProfiles.entrySet().iterator(); + while (it.hasNext()) { + Map.Entry pairs = (Map.Entry)it.next(); + TrustProfile tp = (TrustProfile) pairs.getValue(); + if (tp.isTSLEnabled()) { + TrustStoreProfile tsp = new TrustStoreProfileImpl(config, tp.getId()); + TrustStoreProfile[] trustStoreProfiles = new TrustStoreProfile[1]; + trustStoreProfiles[0] = tsp; + + Logger.debug(new LogMsg(msg.getMessage("config.43", new String[]{tp.getId()}))); + + TransactionId tid = new TransactionId("TSLConfigurator-" + tp.getId()); + ArrayList tsl_certs = null; + if (StringUtils.isEmpty(tp.getCountries())) { + Logger.debug(new LogMsg(msg.getMessage("config.44", null))); + + // get certificates from TSL from all countries + tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), new String[]{"accredited","undersupervision"}); + } + else { + Logger.debug(new LogMsg(msg.getMessage("config.44", null))); + // get selected countries as array + String countries = tp.getCountries(); + String[] array = countries.split(","); + for (int i = 0; i < array.length; i++) + array[i] = array[i].trim(); + + // get certificates from TSL from given countries + tsl_certs = tslconnector_.updateAndGetQualifiedCACertificates(new Date(), array, new String[]{"accredited","undersupervision"}); + } + + // create store updater for each TSL enabled truststore + Logger.debug(new LogMsg(msg.getMessage("config.45", null))); + StoreUpdater storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid); + + // convert ArrayList to X509Certificate[] + X509Certificate[] addCertificates = new X509Certificate[tsl_certs.size()]; + Iterator itcert = tsl_certs.iterator(); + int i = 0; + while(itcert.hasNext()) { + File f = (File)itcert.next(); + 
X509Certificate cert = new X509Certificate(new FileInputStream(f)); + addCertificates[i] = cert; + + i++; + } + + // get certificates to be removed + X509Certificate[] removeCertificates = tp.getCertficatesToBeRemoved(); + + + //Logger.debug(new LogMsg(msg.getMessage("config.44", null))); + Logger.debug(new LogMsg("Remove " + removeCertificates.length + " certificates.")); + storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid); + + + Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates.")); + storeUpdater.addCertificatesToTrustStores(addCertificates, tid); + + // set the certifcates to be removed for the next TSL update + tp.setCertificatesToBeRemoved(addCertificates); + + } + } + } -- cgit v1.2.3
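Review bot: The `FileInputStream` opened in `new X509Certificate(new FileInputStream(f))` is never closed, so every scheduled TSL update leaks one file handle per imported certificate; close it in a `finally` (the file uses raw types, so try-with-resources may not be available), as sketched below. Two things are not visible in the hunk and should be confirmed: `tsl_certs` is assumed non-null (`tsl_certs.size()` would throw otherwise), and `tp.setCertificatesToBeRemoved(addCertificates)` mutates a shared `TrustProfile` from the timer thread while verification threads read the profile, with no synchronisation in view. Removal also runs before addition with no rollback, so an exception from `addCertificatesToTrustStores` may leave the store with the previous TSL certificates removed and the new ones absent until the next run; that deserves a comment, e.g. `// not atomic: a failure after removeCertificatesFromTrustStores leaves the store without TSL certificates until the next update`. `update()` closes after the hunk ends.
```java
                    // convert ArrayList to X509Certificate[]
                    X509Certificate[] addCertificates = new X509Certificate[tsl_certs.size()];
                    Iterator itcert = tsl_certs.iterator();
                    int i = 0;
                    while (itcert.hasNext()) {
                        File f = (File) itcert.next();
                        FileInputStream in = new FileInputStream(f);
                        try {
                            addCertificates[i] = new X509Certificate(in);
                        } finally {
                            in.close(); // release the handle even if parsing fails
                        }
                        i++;
                    }
                    // … unchanged: remove/add certificates via storeUpdater …
```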