authorChristof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>2019-06-26 08:47:58 +0200
committerChristof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>2019-06-26 08:47:58 +0200
commite2e77ed55687cb92c6f5a273995daf64dedef848 (patch)
treec5955745715a513d2875fcd348a5d50d964c9b72 /src/main/java/at/gv/egiz/moazs/util
parent97aadc426ca2f61dccd58a05f37d065b2752ef6d (diff)
Protect MsgClient via SSL (ink Client Authentication)
- Add a Component that creates SSLContexts with their own key and trust store. - Inject the SSLContext into the HTTP client. - Add the EAAF-Components Core dependency, which SSLContextCreator needs (KeyStoreUtils). Schema changes in mzs:DeliveryRequest/Config: - Removed mzs:DeliveryRequest/Config/Server. In mzs 1.4.1, Server replaces the result of the zkopf query person request; since this zkopf interface no longer exists, Server was removed. - Add ClientType, which holds all parameters needed to connect to a service (URL, SSL params, a.o.). Configuration: - Add default parameters for SSL clients in application.yaml. - Merge default parameters into incoming mzs:DeliveryRequests. MoaZSException fixes: - Remove "extends Throwable" from Builder. - Add a convenient shorthand init method (message, throwable). Refactor: - Move "determinePath" to FileUtils. - Move string-related utility functions into StringUtils.
Diffstat (limited to 'src/main/java/at/gv/egiz/moazs/util')
-rw-r--r--src/main/java/at/gv/egiz/moazs/util/FileUtils.java22
-rw-r--r--src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java82
-rw-r--r--src/main/java/at/gv/egiz/moazs/util/StringUtils.java17
3 files changed, 121 insertions, 0 deletions
diff --git a/src/main/java/at/gv/egiz/moazs/util/FileUtils.java b/src/main/java/at/gv/egiz/moazs/util/FileUtils.java
new file mode 100644
index 0000000..7e7723d
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/util/FileUtils.java
@@ -0,0 +1,22 @@
+package at.gv.egiz.moazs.util;
+
+import org.springframework.stereotype.Component;
+
+import java.io.File;
+
+@Component
+public class FileUtils {
+
+ /**
+ * If path is relative, resolve path as classpath resource. If path is absolute,
+ * leave as-is.
+ */
+ public String determinePath(String abstractPath) {
+ if (new File(abstractPath).isAbsolute()) {
+ return abstractPath;
+ } else {
+ //java.lang.Class needs relative resources to start with "/"
+ return this.getClass().getResource("/" + abstractPath).getFile();
+ }
+ }
+}
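Review bot: `getClass().getResource("/" + abstractPath)` on line 46 returns null when the classpath resource does not exist, so the chained `.getFile()` fails with a NullPointerException that names neither the path nor the reason; resolve into a local first and fail explicitly: `URL resource = getClass().getResource("/" + abstractPath); if (resource == null) { throw new IllegalArgumentException("Classpath resource not found: " + abstractPath); } return resource.getFile();` (needs `import java.net.URL;`). Note also that `URL.getFile()` yields the URL's path form, which is percent-encoded and is not a filesystem path for resources inside a jar; presumably the result feeds a key-store loader, so this limitation is worth stating in the Javadoc on lines 37-40, e.g. `Only works for resources on the filesystem, not inside a jar.`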
diff --git a/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java b/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
new file mode 100644
index 0000000..b4d66d1
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
@@ -0,0 +1,82 @@
+package at.gv.egiz.moazs.util;
+
+import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
+import at.gv.zustellung.app2mzs.xsd.KeyStoreType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.lang.Nullable;
+import org.springframework.stereotype.Component;
+
+import javax.net.ssl.*;
+import java.io.IOException;
+import java.security.*;
+
+import static at.gv.egiz.moazs.MoaZSException.moaZSException;
+import static java.lang.String.format;
+
+@Component
+public class SSLContextCreator {
+
+ private static final Logger log = LoggerFactory.getLogger(SSLContextCreator.class);
+
+ /**
+ * Creates an SSL Context.
+ * Adapted from at.asitplus.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient
+ *
+ * @param keystore (if null, use no key store)
+ * @param truststore (if null, use default trust store)
+ * @throws at.gv.egiz.moazs.MoaZSException
+ */
+ public SSLContext createSSLContext(@Nullable KeyStoreType keystore, @Nullable KeyStoreType truststore) {
+ try {
+ SSLContext context = SSLContext.getInstance("TLS");
+ KeyManager[] keyManager = initKeyManager(keystore);
+ TrustManager[] trustManager = initTrustManager(truststore);
+ context.init(keyManager, trustManager, new SecureRandom());
+ return context;
+ } catch (NoSuchAlgorithmException | KeyManagementException e) {
+ throw moaZSException("SSLContext initialization FAILED.", e);
+ }
+ }
+
+ private KeyManager[] initKeyManager(KeyStoreType keystore) {
+ if (keystore == null) {
+ log.trace("No keystore path provided. NOT using SSL client authentication. ");
+ return null;
+ } else {
+ log.trace("Find keystore path: {}. Injecting SSL client certificate... ", keystore.getFileName());
+ try {
+ KeyStore keyStore = KeyStoreUtils.loadKeyStore(
+ keystore.getFileType(), keystore.getFileName(), keystore.getPassword());
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+ kmf.init(keyStore, keystore.getPassword().toCharArray());
+ log.trace("SSL client certificate injected.");
+ return kmf.getKeyManagers();
+ } catch (IOException | GeneralSecurityException e) {
+ throw moaZSException(format("Can NOT load SSL client certificate from path: %s.",
+ keystore.getFileName()), e);
+ }
+ }
+ }
+
+ private TrustManager[] initTrustManager(KeyStoreType truststore) {
+ if (truststore == null) {
+ log.trace("Using default truststore. ");
+ return null;
+ } else {
+ log.trace("Find truststore path: {}. Injecting SSL truststore... ", truststore.getFileName());
+ try {
+ KeyStore trustStore = KeyStoreUtils.loadKeyStore(
+ truststore.getFileType(), truststore.getFileName(), truststore.getPassword());
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+ tmf.init(trustStore);
+ log.trace("SSL TrustStore injected to client. ");
+ return tmf.getTrustManagers();
+ } catch (GeneralSecurityException | IOException e) {
+ throw moaZSException(format("Can NOT open SSL TrustStore from path: %s.",
+ truststore.getFileName()), e);
+ }
+ }
+ }
+
+}
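Review bot: Lines 106 and 126 hard-code the provider-specific algorithm name "SunX509" for both factories; using the platform defaults keeps the code portable across JCA providers and selects PKIX for trust management on the JDK, which supports the standard certificate path validation options: `KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());` and `TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());`. Separately, line 107 calls `keystore.getPassword().toCharArray()` without a null check, so a KeyStoreType with no password fails with a NullPointerException rather than the MoaZSException the catch on line 110 produces for every other loading failure. The Javadoc on lines 77-84 should also state the return and the null semantics, e.g. `@return an initialized TLS context; client authentication is configured only when keystore is non-null`.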
diff --git a/src/main/java/at/gv/egiz/moazs/util/StringUtils.java b/src/main/java/at/gv/egiz/moazs/util/StringUtils.java
new file mode 100644
index 0000000..fd40f6e
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/util/StringUtils.java
@@ -0,0 +1,17 @@
+package at.gv.egiz.moazs.util;
+
+public class StringUtils {
+
+ public static boolean hasPrefix(String name) {
+ return name.indexOf('.') != -1;
+ }
+
+ public static String keepPrefix(String name) {
+ return name.substring(0, name.indexOf('.'));
+ }
+
+ public static String removePrefix(String name) {
+ return name.substring(name.indexOf('.') + 1);
+ }
+
+}
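Review bot: `keepPrefix` on line 153 throws StringIndexOutOfBoundsException for a name that contains no '.', because `indexOf` returns -1 and `substring(0, -1)` is invalid, while `removePrefix` on line 157 silently returns the whole string for the same input; the two methods should fail the same way. Guard both with `if (!hasPrefix(name)) { throw new IllegalArgumentException("name has no prefix: " + name); }`, or document the precondition with `@throws` on each method. The class also has no Javadoc saying that "prefix" means the text before the first '.', and as a static-only utility class it should declare a private constructor.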