| author | Thomas <> | 2024-08-28 13:50:16 +0200 |
|---|---|---|
| committer | Thomas <> | 2024-08-28 13:50:16 +0200 |
| commit | a23ba4d1ed4d0320626d4a7e1f132fc62dfbd417 (patch) | |
| tree | ade7a03c4bb6838d07542d7fa35d92a6d545e2bf | |
| parent | 67ab89ce1d2f0f3793d98476da1a63404b377de3 (diff) | |
feat(tsl): add TrustStore configuration property to enforce TSL availability
7 files changed, 113 insertions, 66 deletions
diff --git a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd index 279e027..d9cecf1 100644 --- a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd +++ b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd @@ -189,13 +189,14 @@ <xs:element name="Id" type="xs:token"/> <xs:element name="TrustAnchorsLocation" type="xs:anyURI"/> <xs:element name="SignerCertsLocation" type="xs:anyURI" minOccurs="0"/> - <xs:element name="EUTSL" minOccurs="0"> + <xs:element name="EUTSL" minOccurs="0" maxOccurs="1"> <xs:complexType> <xs:sequence> <xs:element name="CountrySelection" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="AllowedTSPStatus" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="AllowedTSPServiceTypes" type="xs:string" minOccurs="0" maxOccurs="1"/> </xs:sequence> + <xs:attribute name="forceAvailability" type="xs:boolean" default="true"/> </xs:complexType> </xs:element> </xs:sequence> diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index dc18239..75da0a6 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java 
@@ -1273,8 +1273,12 @@ public class ConfigurationPartsBuilder { // check if TSL support is enabled final Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL"); boolean tslEnabled = false; + boolean forceTslAvailability = true; + if (eutslElem != null) { tslEnabled = true; + forceTslAvailability = Boolean.valueOf(getAttributeValue( + profileElem, CONF + "EUTSL" + "/@" + "forceAvailability", String.valueOf(true))); } // load TSL configuration @@ -1285,9 +1289,12 @@ public class ConfigurationPartsBuilder { final String allowedTspServiceTypes = getElementValue(profileElem, CONF + "EUTSL" + "/" + CONF + "AllowedTSPServiceTypes", null); + + // create profile configuration final TrustProfile profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, - tslEnabled, countries, allowedTspStatus, allowedTspServiceTypes); + tslEnabled, countries, allowedTspStatus, allowedTspServiceTypes, forceTslAvailability); + trustProfiles.put(id, profile); } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java index 94155d6..31a2fc5 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java @@ -51,6 +51,7 @@ public class TrustProfile { /** Defines if Trustprofile makes use of EU TSL */ private final boolean tslEnabled; + private final boolean forceTslAvailability; /** The countries given */ private final List<String> countries = new ArrayList<>(); 
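Review bot: `Boolean.valueOf(...)` on the `forceAvailability` attribute yields false for every string other than "true", so the `xs:boolean` lexical form `1` that the schema allows, or a mistyped value in a configuration that is not schema-validated, silently switches enforcement off. For a flag that decides whether a missing TSL is fatal, the parse should fail closed and disable enforcement only on an explicit `false` or `0`: read the value with `final String force = getAttributeValue(profileElem, CONF + "EUTSL" + "/@" + "forceAvailability", "true").trim();` and then set `forceTslAvailability = !("false".equalsIgnoreCase(force) || "0".equals(force));`. The enclosing method starts and ends outside the hunk.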
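Review bot: The new field `forceTslAvailability` has no Javadoc, unlike its neighbours `tslEnabled` and `countries`. The same gap repeats in the constructor hunk (no `@param forceTslAvailability`) and in the getter hunk, whose Javadoc reads "Indicates of TSL must or should be available". I would add `/** Defines if building this profile must fail when the TSL client is not available */` above the field, add `@param forceTslAvailability <code>true</code> if a missing TSL client is an error` to the constructor, and reword the getter to `Indicates whether the TSL must be available.` with `@return <code>true</code> if the TSL must be available`. The constructor's log fragment would also read better as `" enforces"` / `" does not enforce"`.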
@@ -71,13 +72,15 @@ public class TrustProfile { * @param allowedTspStatus */ public TrustProfile(String id, String uri, String signerCertsUri, - boolean tslEnabled, String countries, String allowedTspStatus, String allowedTspServiceTypes) { + boolean tslEnabled, String countries, String allowedTspStatus, String allowedTspServiceTypes, + boolean forceTslAvailability) { this.id = id; this.uri = uri; this.signerCertsUri = signerCertsUri; // TSL configuration parameters this.tslEnabled = tslEnabled; + this.forceTslAvailability = forceTslAvailability; if (tslEnabled) { setCountries(countries); @@ -96,6 +99,9 @@ public class TrustProfile { Logger.info("TrustProfile " + id + " allows " + Arrays.toString(this.allowedTspServiceTypes.toArray()) + " TSL service-type identifier"); + Logger.info("TrustProfile " + id + + (forceTslAvailability ? " enforce" : " not enforce") + " TSL availability"); + } } @@ -202,6 +208,15 @@ public class TrustProfile { } /** + * Indicates of TSL must or should be available. + * + * @return <code>true</code> of TSL must be available + */ + public boolean isForceTslAvailability() { + return forceTslAvailability; + } + + /** * Returns the given countries * * @return Given countries diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java index a53bce8..f15bbb3 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java @@ -65,7 +65,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Create a new <code>PKIProfileImpl</code>. - * + * * @param config The MOA configuration providing configuration data * about certificate path validation. * @param trustProfileID The trust profile ID denoting the location of the trust 
@@ -83,58 +83,6 @@ public class PKIProfileImpl implements PKIProfile { } - private void internalTrustProfileBuilder(String trustProfileId) throws MOAApplicationException { - final TrustProfile tp = config.getTrustProfile(trustProfileId); - if (tp != null) { - // build directory based trust store as default - - if (tp.isTSLEnabled()) { - TslTrustStoreProfile tslTrustStore; - try { - if (!TSLServiceFactory.isInitialized()) { - Logger.error("Can not build TrustProfile:" + trustProfileId - + " Reason: TrustProfile needs TSL support but TSL client NOT initialized."); - throw new TslPKIException("Trust Status-List service client is NOT initialized"); - - } - - // build TSL truststore if enabled - tslTrustStore = TSLServiceFactory.getTSLServiceClient().buildTrustStoreProfile( - tp.getCountries(), - tp.getAllowedTspStatus(), - tp.getAllowedTspServiceTypes(), - trustProfileId + "_TSL"); - - // build Directory based TrustStore - final TrustStoreProfileImpl directoryTrustStore = new TrustStoreProfileImpl(trustProfileId - + "_Directory", tp.getUri()); - - // generate a virtual truststore that concatenates the TSL TrustStore and the - // directory TrustStore - final ChainingTrustStoreProfile chainedProfile = new ChainingTrustStoreProfile( - Arrays.asList(tslTrustStore, directoryTrustStore), - trustProfileId); - - // set this virtual truststore - setTrustStoreProfile(chainedProfile); - - } catch (final TslPKIException e) { - Logger.error("Virtual TSL based TrustProfile generation FAILED.", e); - throw new MOAApplicationException("2900", new Object[] { trustProfileId }); - - } - - } else { - setTrustStoreProfile(new TrustStoreProfileImpl(trustProfileId, tp.getUri())); - } - - } else { - throw new MOAApplicationException("2203", new Object[] { trustProfileId }); - - } - - } - /** * @see iaik.pki.PKIProfile#autoAddCertificates() */ 
@@ -153,7 +101,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Sets the <code>RevocationProfile</code>. - * + * * @param revocationProfile The <code>RevocationProfile</code> used for * revocation checking. */ @@ -171,7 +119,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Sets the <code>TrustStoreProfile</code>. - * + * * @param trustStoreProfile The <code>TrustStoreProfile</code>. */ protected void setTrustStoreProfile(TrustStoreProfile trustStoreProfile) { @@ -188,7 +136,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Sets the <code>ValidationProfile</code>. - * + * * @param validationProfile The <code>ValidationProfile</code> to set. */ protected void setValidationProfile(ValidationProfile validationProfile) { @@ -211,15 +159,15 @@ public class PKIProfileImpl implements PKIProfile { if (config.getAutoAddCertificates()) { if (config.getAutoAddEECertificates()) { return PKIProfile.AUTO_ADD_ENABLE; - + } else { return PKIProfile.AUTO_ADD_EE_DISABLE; - + } } else { return PKIProfile.AUTO_ADD_DISABLE; - + } } 
@@ -230,4 +178,69 @@ public class PKIProfileImpl implements PKIProfile { return null; } + private void internalTrustProfileBuilder(String trustProfileId) throws MOAApplicationException { + final TrustProfile tp = config.getTrustProfile(trustProfileId); + if (tp != null) { + // build directory based trust store as default + + if (tp.isTSLEnabled()) { + buildTrustStoreWithTslSupport(tp); + + } else { + setTrustStoreProfile(new TrustStoreProfileImpl(trustProfileId, tp.getUri())); + } + + } else { + throw new MOAApplicationException("2203", new Object[] { trustProfileId }); + + } + } + + private void buildTrustStoreWithTslSupport(TrustProfile tp) throws MOAApplicationException { + try { + if (!TSLServiceFactory.isInitialized()) { + if (tp.isForceTslAvailability()) { + Logger.error("Can not build TrustProfile:" + tp.getId() + + " Reason: TrustProfile needs TSL support but TSL client NOT initialized."); + throw new TslPKIException("Trust Status-List service client is NOT initialized"); + + } else { + Logger.warn("Can not fully initialize TrustProfile:" + tp.getId() + + ", because TrustProfile needs TSL support but TSL client NOT initialized. Ignoring TSL support ... 
"); + setTrustStoreProfile(new TrustStoreProfileImpl(tp.getId(), tp.getUri())); + + } + + } else { + + // build TSL truststore if enabled + TslTrustStoreProfile tslTrustStore = TSLServiceFactory.getTSLServiceClient().buildTrustStoreProfile( + tp.getCountries(), + tp.getAllowedTspStatus(), + tp.getAllowedTspServiceTypes(), + tp.getId() + "_TSL"); + + // build Directory based TrustStore + final TrustStoreProfileImpl directoryTrustStore = + new TrustStoreProfileImpl(tp.getId() + "_Directory", tp.getUri()); + + // generate a virtual truststore that concatenates the TSL TrustStore and the + // directory TrustStore + final ChainingTrustStoreProfile chainedProfile = new ChainingTrustStoreProfile( + Arrays.asList(tslTrustStore, directoryTrustStore), + tp.getId()); + + // set this virtual truststore + setTrustStoreProfile(chainedProfile); + + } + + } catch (final TslPKIException e) { + Logger.error("Virtual TSL based TrustProfile generation FAILED.", e); + throw new MOAApplicationException("2900", new Object[] { tp.getId() }); + + } + + } + } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java index d75240e..0336834 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java @@ -3,7 +3,6 @@ package at.gv.egovernment.moa.spss.tsl; import at.gv.egovernment.moa.sig.tsl.TslClientFactory; import at.gv.egovernment.moa.sig.tsl.api.ITslService; import at.gv.egovernment.moa.sig.tsl.config.TslConfigurationImpl; -import at.gv.egovernment.moa.sig.tsl.exception.TslException; import at.gv.egovernment.moa.sig.tsl.pki.chaining.ChainingTrustStoreHandler; import at.gv.egovernment.moa.spss.server.monitoring.ServiceStatusContainer; import at.gv.egovernment.moa.spss.util.MessageProvider; 
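Review bot: In `buildTrustStoreWithTslSupport`, the non-forced branch replaces the chained TSL+directory trust store with a directory-only `TrustStoreProfileImpl` under the same id `tp.getId()`, and the only record of that is one `Logger.warn` line. Callers get no signal that a verification result was computed without TSL anchors, and if trust stores are cached by profile id further down (not visible in this hunk) the reduced store could stay in use after the TSL client comes up. I would document the fallback on the method, e.g. `/** Builds the trust store for a TSL-enabled profile; falls back to the directory trust store only if the TSL client is not initialized and the profile does not force TSL availability. */`, and consider exposing the degraded state through the service monitoring status. None of the seven changed files is a test class, so the `OnlyTSLNotForced` profile added to the test configuration is not exercised by this commit as shown. The rethrow in the `catch` block still drops `e` as the cause, as it did before the method was moved.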
@@ -16,7 +15,7 @@ public class TSLServiceFactory { private static ITslService tslClient = null; private static TslConfigurationImpl interalConfig; - public static void initialize(TslConfigurationImpl config) { + public static synchronized void initialize(TslConfigurationImpl config) { if (tslClient == null) { try { interalConfig = config; @@ -28,7 +27,7 @@ public class TSLServiceFactory { ServiceStatusContainer.setStatus(true); ServiceStatusContainer.setStatusMsg(ServiceStatusContainer.STATUS_OK); - } catch (final TslException e) { + } catch (final Exception e) { Logger.fatal(new LogMsg(MessageProvider.getInstance().getMessage("init.05", new Object[] { e .getMessage() })), e); diff --git a/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml b/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml index 972cc4e..19ea337 100644 --- a/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml +++ b/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml @@ -57,6 +57,18 @@ <cfg:AllowedTSPServiceTypes></cfg:AllowedTSPServiceTypes> --> </cfg:EUTSL> </cfg:TrustProfile> + <cfg:TrustProfile> + <cfg:Id>OnlyTSLNotForced</cfg:Id> + <cfg:TrustAnchorsLocation>trustProfiles/testTSL</cfg:TrustAnchorsLocation> + <!-- aktiviere TSL-Unterstützung für dieses Vertrauensprofil --> + <cfg:EUTSL forceAvailability="false"> + <!-- Optional kann eine Länderliste mit zweistelligen Länderkürzeln angegeben werden (d.h. nur die --> + <!-- Vertrauensanker der angegeben Länder werden importiert) --> + <!-- cfg:CountrySelection>AT,BE</cfg:CountrySelection> + <cfg:AllowedTSPStatus></cfg:AllowedTSPStatus> + <cfg:AllowedTSPServiceTypes></cfg:AllowedTSPServiceTypes> --> + </cfg:EUTSL> + </cfg:TrustProfile> </cfg:PathValidation> <cfg:RevocationChecking> <cfg:EnableChecking>false</cfg:EnableChecking> 
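Review bot: Making `initialize` `synchronized` protects the check-then-set on `tslClient`, but the field is still declared `private static ITslService tslClient = null;`, so readers that do not take the class lock have no visibility guarantee. `isInitialized()` and `getTSLServiceClient()`, which `PKIProfileImpl` calls, are outside this hunk; unless they are synchronized as well, declare the field `private static volatile ITslService tslClient = null;`. This matters more now that a `false` from `isInitialized()` can switch a profile to the directory-only trust store.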
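Review bot: Widening the handler to `catch (final Exception e)` routes unchecked exceptions from the TSL client setup into the same `init.05` path as an ordinary TSL failure, and nothing in the code says why. Combined with `forceAvailability="false"`, any initialization error, including a programming error, can now end with verification running without TSL anchors. If the broad catch is intended, state it above the handler, e.g. `// TSL setup may fail with unchecked exceptions too; any failure leaves the client uninitialized`. The rest of the handler lies outside the hunk, so whether it also marks the monitoring status as failed cannot be checked here.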
diff --git a/release-infos/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml b/release-infos/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml index 92cb6f3..2d6530f 100644 --- a/release-infos/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml +++ b/release-infos/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml @@ -48,7 +48,7 @@ <cfg:Id>Test-TSLProfil</cfg:Id> <cfg:TrustAnchorsLocation>trustProfiles/testTSL</cfg:TrustAnchorsLocation> <!-- aktiviere TSL-Unterstützung für dieses Vertrauensprofil --> - <cfg:EUTSL> + <cfg:EUTSL forceAvailability="true"> <!-- Optional kann eine Länderliste mit zweistelligen Länderkürzeln angegeben werden (d.h. nur die --> <!-- Vertrauensanker der angegeben Länder werden importiert) --> <cfg:CountrySelection>AT,BE</cfg:CountrySelection> |
