/* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. */ package at.gv.egovernment.moa.id.auth; import java.io.IOException; import java.security.GeneralSecurityException; import java.security.Provider; import java.security.Security; import javax.activation.CommandMap; import javax.activation.MailcapCommandMap; import org.springframework.web.context.support.GenericWebApplicationContext; import at.gv.egiz.eaaf.core.impl.utils.Random; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.util.SSLUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.Configurator; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moaspss.logging.LoggingContext; import at.gv.egovernment.moaspss.logging.LoggingContextManager; import iaik.asn1.structures.AlgorithmID; import iaik.pki.PKIException; import iaik.security.ec.provider.ECCelerate; import iaik.security.provider.IAIK; /** * @author tlenz * */ public class MOAIDAuthInitializer { /** * Initializes the web application components which need initialization: * logging, JSSE, MOA-ID Auth configuration, Axis, session cleaner. * @param rootContext */ public static void initialize(GenericWebApplicationContext rootContext) throws ConfigurationException, PKIException, IOException, GeneralSecurityException { Logger.setHierarchy("moa.id.auth"); Logger.info("Default java file.encoding: " + System.getProperty("file.encoding")); //JDK bug workaround according to: // http://jce.iaik.tugraz.at/products/03_cms/faq/index.php#JarVerifier // register content data handlers for S/MIME types MailcapCommandMap mc = new MailcapCommandMap(); CommandMap.setDefaultCommandMap(mc); //allowed SSL ciphers regarding to PVP SMA 1.3 document if (MiscUtil.isEmpty(System.getProperty("https.cipherSuites"))) System.setProperty( "https.cipherSuites", //high secure RSA bases ciphers ",TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" + ",TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" + ",TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" + ",TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" + //high secure ECC bases ciphers ",TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" + ",TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + ",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + ",TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + ",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" + ",TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" + ",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + ",TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" + //secure backup chipers ",TLS_DHE_RSA_WITH_AES_256_CBC_SHA" + ",TLS_DHE_RSA_WITH_AES_128_CBC_SHA" + ",TLS_RSA_WITH_AES_128_CBC_SHA" + ",TLS_RSA_WITH_AES_256_CBC_SHA" ); // load some jsse classes so that the integrity of the jars can be // verified // before the iaik jce is installed as the security provider // this workaround is only needed when sun jsse is used in conjunction // with // iaik-jce (on jdk1.3) ClassLoader cl = MOAIDAuthInitializer.class.getClassLoader(); try { cl.loadClass("javax.security.cert.Certificate"); // from jcert.jar } catch (ClassNotFoundException e) { Logger.warn(MOAIDMessageProvider.getInstance().getMessage( "init.01", null), e); } Logger.info("Loading Java security providers."); IAIK.addAsProvider(); ECCelerate.addAsProvider(); // Initializes SSLSocketFactory store SSLUtils.initialize(); //seed the random number generator Random.seedRandom(); Logger.debug("Random-number generator is seeded."); // Initialize configuration provider for non-spring managed parts AuthConfiguration authConf = AuthConfigurationProviderFactory.reload(rootContext); //test, if MOA-ID is already configured authConf.getPublicURLPrefix(); // Initialize MOA-SP //MOA-SP is only use by API calls since MOA-ID 3.0.0 try { LoggingContextManager.getInstance().setLoggingContext( new LoggingContext("startup")); Logger.debug("Starting MOA-SPSS initialization process ... "); Configurator.getInstance().init(); Logger.info("MOA-SPSS initialization complete "); } catch (MOAException e) { Logger.error("MOA-SP initialization FAILED!", e.getWrapped()); throw new ConfigurationException("config.10", new Object[] { e .toString() }, e); } //IAIK.addAsProvider(); //ECCProvider.addAsProvider(); Security.insertProviderAt(IAIK.getInstance(), 0); ECCelerate eccProvider = ECCelerate.getInstance(); if (Security.getProvider(eccProvider.getName()) != null) Security.removeProvider(eccProvider.getName()); Security.addProvider(new ECCelerate()); fixJava8_141ProblemWithSSLAlgorithms(); if (!authConf.getBasicMOAIDConfigurationBoolean(ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true)) Logger.info("AuthBlock 'TargetFriendlyName' validation deactivated"); if (Logger.isDebugEnabled()) { Logger.debug("Loaded Security Provider:"); Provider[] providerList = Security.getProviders(); for (int i=0; i= 141 ..."); //new AlgorithmID("1.2.840.113549.1.1.4", "md5WithRSAEncryption", new String[] { "MD5withRSA", "MD5/RSA", }, null, true); new AlgorithmID("1.2.840.113549.1.1.5", "sha1WithRSAEncryption", new String[] { "SHA1withRSA" , "SHA1/RSA", "SHA-1/RSA", "SHA/RSA", }, null, true); new AlgorithmID("1.2.840.113549.1.1.14", "sha224WithRSAEncryption", new String[] { "SHA224withRSA", "SHA224/RSA", "SHA-224/RSA", }, null, true); new AlgorithmID("1.2.840.113549.1.1.11", "sha256WithRSAEncryption", new String[] { "SHA256withRSA", "SHA256/RSA", "SHA-256/RSA", }, null, true); new AlgorithmID("1.2.840.113549.1.1.12", "sha384WithRSAEncryption", new String[] { "SHA384withRSA", "SHA384/RSA", "SHA-384/RSA", }, null, true); new AlgorithmID("1.2.840.113549.1.1.13", "sha512WithRSAEncryption", new String[] { "SHA512withRSA", "SHA512/RSA", "SHA-512/RSA" }, null, true); Logger.info("Change AlgorithmIDs finished"); } }