/* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. 
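*/
package at.gv.egovernment.moa.id.commons.utils;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.List;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
import org.apache.commons.lang3.StringUtils;

import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moaspss.logging.Logger;

import iaik.pki.PKIException;

/**
 * {@link SecureProtocolSocketFactory} for commons-httpclient that hands out TLS sockets created
 * from the SSL context built by
 * {@code at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(...)}
 * (trust store, optional certificate store directory, accepted server certificates, chaining
 * mode and revocation checking).
 * <p>
 * Every socket returned by a {@code createSocket} method is passed through
 * {@link #setEnabledSslCiphers(Socket)}, so the enabled cipher suites can be restricted at runtime
 * via the {@value #CIPHER_SUITES_PROPERTY} system property.
 * <p>
 * NOTE(review): this class performs no host-name verification of the server certificate itself;
 * whether the configured SSL context enforces it (e.g. through the accepted server certificate
 * list) is not visible here — confirm against {@code SSLUtils}.
 *
 * @author tlenz
 */
public class MOAHttpProtocolSocketFactory implements SecureProtocolSocketFactory {

    /** System property holding a comma separated list of TLS cipher suites to enable. */
    static final String CIPHER_SUITES_PROPERTY = "https.cipherSuites";

    /** Configured SSL socket factory; never {@code null} once a constructor has completed. */
    private final SSLSocketFactory sslfactory;

    /**
     * Creates a factory without a separate certificate store directory.
     * All arguments are passed through unchanged to {@code SSLUtils.getSSLSocketFactory}.
     *
     * @param url                  URL the SSL configuration is loaded for
     * @param trustStoreURL        location of the trust store
     * @param acceptedServerCertURL location of the accepted server certificates
     * @param chainingMode         certificate chaining mode
     * @param checkRevocation      whether revocation checking is enabled
     * @param revocationMethodOrder order of revocation checking methods
     * @throws MOAHttpProtocolSocketFactoryException if the SSL context cannot be initialized
     */
    public MOAHttpProtocolSocketFactory(String url, String trustStoreURL, String acceptedServerCertURL,
            String chainingMode, boolean checkRevocation, String[] revocationMethodOrder)
            throws MOAHttpProtocolSocketFactoryException {
        this.sslfactory = createSslSocketFactory(url, null, trustStoreURL, acceptedServerCertURL,
                chainingMode, checkRevocation, revocationMethodOrder);
    }

    /**
     * Creates a factory with an additional certificate store directory.
     * All arguments are passed through unchanged to {@code SSLUtils.getSSLSocketFactory}.
     *
     * @param url                  URL the SSL configuration is loaded for
     * @param certStoreDirectory   certificate store directory, may be {@code null}
     * @param trustStoreURL        location of the trust store
     * @param acceptedServerCertURL location of the accepted server certificates
     * @param chainingMode         certificate chaining mode
     * @param checkRevocation      whether revocation checking is enabled
     * @param revocationMethodOrder order of revocation checking methods
     * @throws MOAHttpProtocolSocketFactoryException if the SSL context cannot be initialized
     */
    public MOAHttpProtocolSocketFactory(String url, String certStoreDirectory, String trustStoreURL,
            String acceptedServerCertURL, String chainingMode, boolean checkRevocation,
            String[] revocationMethodOrder) throws MOAHttpProtocolSocketFactoryException {
        this.sslfactory = createSslSocketFactory(url, certStoreDirectory, trustStoreURL,
                acceptedServerCertURL, chainingMode, checkRevocation, revocationMethodOrder);
    }

    /**
     * Builds the {@link SSLSocketFactory} from the MOA SSL configuration, wrapping every
     * initialization failure into a {@link MOAHttpProtocolSocketFactoryException} that keeps
     * the original exception as cause.
     */
    private static SSLSocketFactory createSslSocketFactory(String url, String certStoreDirectory,
            String trustStoreURL, String acceptedServerCertURL, String chainingMode,
            boolean checkRevocation, String[] revocationMethodOrder)
            throws MOAHttpProtocolSocketFactoryException {
        try {
            return at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(url,
                    certStoreDirectory, trustStoreURL, acceptedServerCertURL, chainingMode,
                    checkRevocation, revocationMethodOrder, null, null, null);
        } catch (IOException e) {
            throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e);
        } catch (GeneralSecurityException e) {
            throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e);
        } catch (SSLConfigurationException e) {
            throw new MOAHttpProtocolSocketFactoryException("SSL Configuration loading FAILED.", e);
        } catch (PKIException e) {
            throw new MOAHttpProtocolSocketFactoryException("Initialize SSL Context FAILED", e);
        }
    }

    /**
     * Creates a TLS socket bound to the given local address, connecting without a timeout.
     *
     * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int)
     */
    @Override
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException, UnknownHostException {
        return setEnabledSslCiphers(this.sslfactory.createSocket(host, port, localAddress, localPort));
    }

    /**
     * Creates a TLS socket honoring the connection timeout from {@code params}.
     * A timeout of zero (or less) means "no timeout" as in {@link HttpConnectionParams}; otherwise
     * the TCP connect is bounded so a non-responding peer cannot block the caller indefinitely.
     *
     * @throws IllegalArgumentException if {@code params} is {@code null}
     * @throws ConnectTimeoutException  if the connection is not established within the timeout
     * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int, java.net.InetAddress, int, org.apache.commons.httpclient.params.HttpConnectionParams)
     */
    @Override
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
            HttpConnectionParams params) throws IOException, UnknownHostException, ConnectTimeoutException {
        if (params == null) {
            throw new IllegalArgumentException("Parameters may not be null");
        }
        int timeout = params.getConnectionTimeout();
        if (timeout <= 0) {
            return createSocket(host, port, localAddress, localPort);
        }
        return setEnabledSslCiphers(connectWithTimeout(host, port, localAddress, localPort, timeout));
    }

    /**
     * Creates a TLS socket to {@code host:port} without a local bind and without a timeout.
     *
     * @see org.apache.commons.httpclient.protocol.ProtocolSocketFactory#createSocket(java.lang.String, int)
     */
    @Override
    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return setEnabledSslCiphers(this.sslfactory.createSocket(host, port));
    }

    /**
     * Layers TLS over an already connected socket.
     *
     * @see org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory#createSocket(java.net.Socket, java.lang.String, int, boolean)
     */
    @Override
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return setEnabledSslCiphers(this.sslfactory.createSocket(socket, host, port, autoClose));
    }

    /**
     * Opens a TCP connection bounded by {@code timeout} milliseconds and then layers TLS over it
     * with the configured factory. The plain socket is closed on every failure path so a timed-out
     * or failed attempt does not leak a descriptor.
     */
    private Socket connectWithTimeout(String host, int port, InetAddress localAddress, int localPort,
            int timeout) throws IOException {
        Socket plain = new Socket();
        boolean layered = false;
        try {
            // a null localAddress binds to the wildcard address, as the untimed path does
            plain.bind(new InetSocketAddress(localAddress, localPort));
            plain.connect(new InetSocketAddress(host, port), timeout);
            // autoClose=true: closing the TLS socket also closes the underlying TCP socket
            Socket tls = this.sslfactory.createSocket(plain, host, port, true);
            layered = true;
            return tls;
        } catch (SocketTimeoutException e) {
            throw new ConnectTimeoutException(
                    "Connection to " + host + ":" + port + " timed out after " + timeout + " ms", e);
        } finally {
            if (!layered) {
                closeQuietly(plain);
            }
        }
    }

    /** Closes {@code socket}, ignoring close errors so the original failure is the one reported. */
    private static void closeQuietly(Socket socket) {
        try {
            socket.close();
        } catch (IOException ignored) {
            // nothing useful can be done about a failed close here
        }
    }

    /**
     * Restricts the enabled TLS cipher suites of {@code sslSocket} to the comma separated list in
     * the {@value #CIPHER_SUITES_PROPERTY} system property (e.g. {@code -Dhttps.cipherSuites=...}).
     * If the property is unset or contains no non-blank entry, the factory's default suites are
     * kept. Entries are trimmed and empty entries dropped, so {@code "A, B,"} is accepted.
     * A suite name the provider does not support makes
     * {@link SSLSocket#setEnabledCipherSuites(String[])} throw an {@link IllegalArgumentException};
     * that is left to propagate so a misconfiguration is not silently ignored.
     *
     * @param sslSocket socket to adjust; a non-{@link SSLSocket} instance is returned unchanged
     * @return the same socket instance
     */
    private Socket setEnabledSslCiphers(Socket sslSocket) {
        if (!(sslSocket instanceof SSLSocket)) {
            return sslSocket;
        }
        SSLSocket tlsSocket = (SSLSocket) sslSocket;
        String[] configured = parseCipherSuiteProperty(System.getProperty(CIPHER_SUITES_PROPERTY));
        if (configured.length > 0) {
            tlsSocket.setEnabledCipherSuites(configured);
        }
        try {
            Logger.trace("Enabled SSL-Cipher: "
                    + StringUtils.join(tlsSocket.getEnabledCipherSuites(), ","));
        } catch (Exception e) {
            // diagnostic logging must never break socket creation
            Logger.error(e);
        }
        return tlsSocket;
    }

    /**
     * Splits a comma separated cipher suite list into its trimmed, non-blank entries.
     *
     * @param value raw property value, may be {@code null}
     * @return the suite names in the given order; an empty array when nothing usable is configured
     */
    static String[] parseCipherSuiteProperty(String value) {
        if (value == null) {
            return new String[0];
        }
        String[] rawEntries = value.split(",");
        List<String> suites = new ArrayList<String>(rawEntries.length);
        for (String entry : rawEntries) {
            String name = entry.trim();
            if (name.length() > 0) {
                suites.add(name);
            }
        }
        return suites.toArray(new String[suites.size()]);
    }
}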