diff options
7 files changed, 113 insertions, 66 deletions
diff --git a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd index 279e027..d9cecf1 100644 --- a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd +++ b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd @@ -189,13 +189,14 @@ <xs:element name="Id" type="xs:token"/> <xs:element name="TrustAnchorsLocation" type="xs:anyURI"/> <xs:element name="SignerCertsLocation" type="xs:anyURI" minOccurs="0"/> - <xs:element name="EUTSL" minOccurs="0"> + <xs:element name="EUTSL" minOccurs="0" maxOccurs="1"> <xs:complexType> <xs:sequence> <xs:element name="CountrySelection" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="AllowedTSPStatus" type="xs:string" minOccurs="0" maxOccurs="1"/> <xs:element name="AllowedTSPServiceTypes" type="xs:string" minOccurs="0" maxOccurs="1"/> </xs:sequence> + <xs:attribute name="forceAvailability" type="xs:boolean" default="true"/> </xs:complexType> </xs:element> </xs:sequence> diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index dc18239..75da0a6 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -1273,8 +1273,12 @@ public class ConfigurationPartsBuilder { // check if TSL support is enabled final Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL"); boolean tslEnabled = false; + boolean forceTslAvailability = true; + if (eutslElem != null) { tslEnabled = true; + forceTslAvailability = Boolean.valueOf(getAttributeValue( + profileElem, CONF + "EUTSL" + "/@" + "forceAvailability", String.valueOf(true))); } // load TSL configuration @@ -1285,9 +1289,12 @@ public class ConfigurationPartsBuilder { final String allowedTspServiceTypes = getElementValue(profileElem, CONF + "EUTSL" + "/" + CONF + "AllowedTSPServiceTypes", null); + + // create profile configuration final TrustProfile profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, - tslEnabled, countries, allowedTspStatus, allowedTspServiceTypes); + tslEnabled, countries, allowedTspStatus, allowedTspServiceTypes, forceTslAvailability); + trustProfiles.put(id, profile); } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java index 94155d6..31a2fc5 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java @@ -51,6 +51,7 @@ public class TrustProfile { /** Defines if Trustprofile makes use of EU TSL */ private final boolean tslEnabled; + private final boolean forceTslAvailability; /** The countries given */ private final List<String> countries = new ArrayList<>(); @@ -71,13 +72,15 @@ public class TrustProfile { * @param allowedTspStatus */ public TrustProfile(String id, String uri, String signerCertsUri, - boolean tslEnabled, String countries, String allowedTspStatus, String allowedTspServiceTypes) { + boolean tslEnabled, String countries, String allowedTspStatus, String allowedTspServiceTypes, + boolean forceTslAvailability) { this.id = id; this.uri = uri; this.signerCertsUri = signerCertsUri; // TSL configuration parameters this.tslEnabled = tslEnabled; + this.forceTslAvailability = forceTslAvailability; if (tslEnabled) { setCountries(countries); @@ -96,6 +99,9 @@ public class TrustProfile { Logger.info("TrustProfile " + id + " allows " + Arrays.toString(this.allowedTspServiceTypes.toArray()) + " TSL service-type identifier"); + Logger.info("TrustProfile " + id + + (forceTslAvailability ? " enforce" : " not enforce") + " TSL availability"); + } } @@ -202,6 +208,15 @@ public class TrustProfile { } /** + * Indicates of TSL must or should be available. + * + * @return <code>true</code> of TSL must be available + */ + public boolean isForceTslAvailability() { + return forceTslAvailability; + } + + /** * Returns the given countries * * @return Given countries diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java index a53bce8..f15bbb3 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java @@ -65,7 +65,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Create a new <code>PKIProfileImpl</code>. - * + * * @param config The MOA configuration providing configuration data * about certificate path validation. * @param trustProfileID The trust profile ID denoting the location of the trust @@ -83,58 +83,6 @@ public class PKIProfileImpl implements PKIProfile { } - private void internalTrustProfileBuilder(String trustProfileId) throws MOAApplicationException { - final TrustProfile tp = config.getTrustProfile(trustProfileId); - if (tp != null) { - // build directory based trust store as default - - if (tp.isTSLEnabled()) { - TslTrustStoreProfile tslTrustStore; - try { - if (!TSLServiceFactory.isInitialized()) { - Logger.error("Can not build TrustProfile:" + trustProfileId - + " Reason: TrustProfile needs TSL support but TSL client NOT initialized."); - throw new TslPKIException("Trust Status-List service client is NOT initialized"); - - } - - // build TSL truststore if enabled - tslTrustStore = TSLServiceFactory.getTSLServiceClient().buildTrustStoreProfile( - tp.getCountries(), - tp.getAllowedTspStatus(), - tp.getAllowedTspServiceTypes(), - trustProfileId + "_TSL"); - - // build Directory based TrustStore - final TrustStoreProfileImpl directoryTrustStore = new TrustStoreProfileImpl(trustProfileId - + "_Directory", tp.getUri()); - - // generate a virtual truststore that concatenates the TSL TrustStore and the - // directory TrustStore - final ChainingTrustStoreProfile chainedProfile = new ChainingTrustStoreProfile( - Arrays.asList(tslTrustStore, directoryTrustStore), - trustProfileId); - - // set this virtual truststore - setTrustStoreProfile(chainedProfile); - - } catch (final TslPKIException e) { - Logger.error("Virtual TSL based TrustProfile generation FAILED.", e); - throw new MOAApplicationException("2900", new Object[] { trustProfileId }); - - } - - } else { - setTrustStoreProfile(new TrustStoreProfileImpl(trustProfileId, tp.getUri())); - } - - } else { - throw new MOAApplicationException("2203", new Object[] { trustProfileId }); - - } - - } - /** * @see iaik.pki.PKIProfile#autoAddCertificates() */ @@ -153,7 +101,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Sets the <code>RevocationProfile</code>. - * + * * @param revocationProfile The <code>RevocationProfile</code> used for * revocation checking. */ @@ -171,7 +119,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Sets the <code>TrustStoreProfile</code>. - * + * * @param trustStoreProfile The <code>TrustStoreProfile</code>. */ protected void setTrustStoreProfile(TrustStoreProfile trustStoreProfile) { @@ -188,7 +136,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Sets the <code>ValidationProfile</code>. - * + * * @param validationProfile The <code>ValidationProfile</code> to set. */ protected void setValidationProfile(ValidationProfile validationProfile) { @@ -211,15 +159,15 @@ public class PKIProfileImpl implements PKIProfile { if (config.getAutoAddCertificates()) { if (config.getAutoAddEECertificates()) { return PKIProfile.AUTO_ADD_ENABLE; - + } else { return PKIProfile.AUTO_ADD_EE_DISABLE; - + } } else { return PKIProfile.AUTO_ADD_DISABLE; - + } } @@ -230,4 +178,69 @@ public class PKIProfileImpl implements PKIProfile { return null; } + private void internalTrustProfileBuilder(String trustProfileId) throws MOAApplicationException { + final TrustProfile tp = config.getTrustProfile(trustProfileId); + if (tp != null) { + // build directory based trust store as default + + if (tp.isTSLEnabled()) { + buildTrustStoreWithTslSupport(tp); + + } else { + setTrustStoreProfile(new TrustStoreProfileImpl(trustProfileId, tp.getUri())); + } + + } else { + throw new MOAApplicationException("2203", new Object[] { trustProfileId }); + + } + } + + private void buildTrustStoreWithTslSupport(TrustProfile tp) throws MOAApplicationException { + try { + if (!TSLServiceFactory.isInitialized()) { + if (tp.isForceTslAvailability()) { + Logger.error("Can not build TrustProfile:" + tp.getId() + + " Reason: TrustProfile needs TSL support but TSL client NOT initialized."); + throw new TslPKIException("Trust Status-List service client is NOT initialized"); + + } else { + Logger.warn("Can not fully initialize TrustProfile:" + tp.getId() + + ", because TrustProfile needs TSL support but TSL client NOT initialized. Ignoring TSL support ... "); + setTrustStoreProfile(new TrustStoreProfileImpl(tp.getId(), tp.getUri())); + + } + + } else { + + // build TSL truststore if enabled + TslTrustStoreProfile tslTrustStore = TSLServiceFactory.getTSLServiceClient().buildTrustStoreProfile( + tp.getCountries(), + tp.getAllowedTspStatus(), + tp.getAllowedTspServiceTypes(), + tp.getId() + "_TSL"); + + // build Directory based TrustStore + final TrustStoreProfileImpl directoryTrustStore = + new TrustStoreProfileImpl(tp.getId() + "_Directory", tp.getUri()); + + // generate a virtual truststore that concatenates the TSL TrustStore and the + // directory TrustStore + final ChainingTrustStoreProfile chainedProfile = new ChainingTrustStoreProfile( + Arrays.asList(tslTrustStore, directoryTrustStore), + tp.getId()); + + // set this virtual truststore + setTrustStoreProfile(chainedProfile); + + } + + } catch (final TslPKIException e) { + Logger.error("Virtual TSL based TrustProfile generation FAILED.", e); + throw new MOAApplicationException("2900", new Object[] { tp.getId() }); + + } + + } + } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java index d75240e..0336834 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java @@ -3,7 +3,6 @@ package at.gv.egovernment.moa.spss.tsl; import at.gv.egovernment.moa.sig.tsl.TslClientFactory; import at.gv.egovernment.moa.sig.tsl.api.ITslService; import at.gv.egovernment.moa.sig.tsl.config.TslConfigurationImpl; -import at.gv.egovernment.moa.sig.tsl.exception.TslException; import at.gv.egovernment.moa.sig.tsl.pki.chaining.ChainingTrustStoreHandler; import at.gv.egovernment.moa.spss.server.monitoring.ServiceStatusContainer; import at.gv.egovernment.moa.spss.util.MessageProvider; @@ -16,7 +15,7 @@ public class TSLServiceFactory { private static ITslService tslClient = null; private static TslConfigurationImpl interalConfig; - public static void initialize(TslConfigurationImpl config) { + public static synchronized void initialize(TslConfigurationImpl config) { if (tslClient == null) { try { interalConfig = config; @@ -28,7 +27,7 @@ public class TSLServiceFactory { ServiceStatusContainer.setStatus(true); ServiceStatusContainer.setStatusMsg(ServiceStatusContainer.STATUS_OK); - } catch (final TslException e) { + } catch (final Exception e) { Logger.fatal(new LogMsg(MessageProvider.getInstance().getMessage("init.05", new Object[] { e .getMessage() })), e); diff --git a/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml b/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml index 972cc4e..19ea337 100644 --- a/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml +++ b/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_tsl_eu_official.xml @@ -57,6 +57,18 @@ <cfg:AllowedTSPServiceTypes></cfg:AllowedTSPServiceTypes> --> </cfg:EUTSL> </cfg:TrustProfile> + <cfg:TrustProfile> + <cfg:Id>OnlyTSLNotForced</cfg:Id> + <cfg:TrustAnchorsLocation>trustProfiles/testTSL</cfg:TrustAnchorsLocation> + <!-- aktiviere TSL-Unterstützung für dieses Vertrauensprofil --> + <cfg:EUTSL forceAvailability="false"> + <!-- Optional kann eine Länderliste mit zweistelligen Länderkürzeln angegeben werden (d.h. nur die --> + <!-- Vertrauensanker der angegeben Länder werden importiert) --> + <!-- cfg:CountrySelection>AT,BE</cfg:CountrySelection> + <cfg:AllowedTSPStatus></cfg:AllowedTSPStatus> + <cfg:AllowedTSPServiceTypes></cfg:AllowedTSPServiceTypes> --> + </cfg:EUTSL> + </cfg:TrustProfile> </cfg:PathValidation> <cfg:RevocationChecking> <cfg:EnableChecking>false</cfg:EnableChecking> diff --git a/release-infos/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml b/release-infos/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml index 92cb6f3..2d6530f 100644 --- a/release-infos/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml +++ b/release-infos/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml @@ -48,7 +48,7 @@ <cfg:Id>Test-TSLProfil</cfg:Id> <cfg:TrustAnchorsLocation>trustProfiles/testTSL</cfg:TrustAnchorsLocation> <!-- aktiviere TSL-Unterstützung für dieses Vertrauensprofil --> - <cfg:EUTSL> + <cfg:EUTSL forceAvailability="true"> <!-- Optional kann eine Länderliste mit zweistelligen Länderkürzeln angegeben werden (d.h. nur die --> <!-- Vertrauensanker der angegeben Länder werden importiert) --> <cfg:CountrySelection>AT,BE</cfg:CountrySelection> |