authorChristof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>2019-06-27 17:39:24 +0200
committerChristof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>2019-06-27 17:39:24 +0200
commita9a9e1cb62123475edd733a53ecc00611c2aa764 (patch)
tree05ac9f2f2a6c199badb802c1390f1a9fc887aba8 /src/main/java
parent8b80ea299ef6fadfbc0ec59308e0937612eb8c35 (diff)
Honor & Test TrustAll and LaxHostNameVerification
- Print a big scary warning message for everyone who enables "trustAll" - Test TrustAll and LaxHostNameVerification - Describe test case requirements and add key material needed to run these test cases.
Diffstat (limited to 'src/main/java')
-rw-r--r--src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java33
-rw-r--r--src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java55
2 files changed, 79 insertions, 9 deletions
diff --git a/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java b/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
index 389fa5c..e55debc 100644
--- a/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
+++ b/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
@@ -4,6 +4,7 @@ import at.gv.egiz.moazs.util.FileUtils;
import at.gv.egiz.moazs.util.SSLContextCreator;
import at.gv.zustellung.app2mzs.xsd.ClientType;
import at.gv.zustellung.app2mzs.xsd.KeyStoreType;
+import at.gv.zustellung.app2mzs.xsd.SSLType;
import at.gv.zustellung.msg.xsd.App2ZusePort;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
@@ -32,7 +33,9 @@ public class MsgClientFactory {
private final FileUtils fileUtils;
@Autowired
- public MsgClientFactory(StoreSOAPBodyBinaryInRepositoryInterceptor storeResponseInterceptor, SSLContextCreator creator, FileUtils fileUtils) {
+ public MsgClientFactory(StoreSOAPBodyBinaryInRepositoryInterceptor storeResponseInterceptor,
+ SSLContextCreator creator,
+ FileUtils fileUtils) {
this.storeResponseInterceptor = storeResponseInterceptor;
this.sslContextCreator = creator;
this.fileUtils = fileUtils;
@@ -44,7 +47,6 @@ public class MsgClientFactory {
* @param params for the client, such as service url and ssl parameters.
* @return the msg client
*/
- //TODO evaluate and honor laxhostnameverification and trustall parameter!
public App2ZusePort create(ClientType params) {
var factory = new JaxWsClientFactoryBean();
@@ -62,11 +64,7 @@ public class MsgClientFactory {
http.setClient(httpClientPolicy);
if (params.getURL().startsWith("https")) {
- var keystore = resolveKeyStorePath(params.getSSL().getKeyStore());
- var truststore = resolveKeyStorePath(params.getSSL().getTrustStore());
- SSLContext sslContext = sslContextCreator.createSSLContext(keystore, truststore);
- var tlsParams = new TLSClientParameters();
- tlsParams.setSSLSocketFactory(sslContext.getSocketFactory());
+ TLSClientParameters tlsParams = setupTLSParams(params.getSSL());
http.setTlsClientParameters(tlsParams);
log.info("SSLContext initialized. ");
}
@@ -74,6 +72,27 @@ public class MsgClientFactory {
return ((App2ZusePort)proxy);
}
+ private TLSClientParameters setupTLSParams(SSLType ssl) {
+
+ var tlsParams = new TLSClientParameters();
+ var keystore = resolveKeyStorePath(ssl.getKeyStore());
+
+ SSLContext sslContext;
+ if (ssl.isTrustAll()) {
+ sslContext = sslContextCreator.createUnsafeSSLContext(keystore);
+ } else {
+ var truststore = resolveKeyStorePath(ssl.getTrustStore());
+ sslContext = sslContextCreator.createSSLContext(keystore, truststore);
+ }
+ tlsParams.setSSLSocketFactory(sslContext.getSocketFactory());
+
+ if (ssl.isLaxHostNameVerification()) {
+ tlsParams.setDisableCNCheck(true);
+ }
+
+ return tlsParams;
+ }
+
private KeyStoreType resolveKeyStorePath(@Nullable KeyStoreType store) {
if (store == null) return null;
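Review bot: Enabling laxHostNameVerification in setupTLSParams silently calls `tlsParams.setDisableCNCheck(true)`, whereas the trustAll path emits a warning through createUnsafeSSLContext; disabling hostname verification weakens the TLS connection in a comparable way and deserves the same visibility in the logs. Inside the `if (ssl.isLaxHostNameVerification())` branch add `log.warn("Lax hostname verification enabled: the server certificate's host name is NOT checked. Use for testing only.");`. Note also that when trustAll is set, a configured trustStore is ignored without any message, and the `log.info("SSLContext initialized. ")` in the earlier hunk (the `https` branch of create) does not indicate which mode was chosen; logging the mode there would make a misconfigured production deployment easy to spot. resolveKeyStorePath continues outside the hunk.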
diff --git a/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java b/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
index b4d66d1..302bbf0 100644
--- a/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
+++ b/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
@@ -6,6 +6,9 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.lang.Nullable;
import org.springframework.stereotype.Component;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.X509TrustManager;
import javax.net.ssl.*;
import java.io.IOException;
@@ -15,23 +18,46 @@ import static at.gv.egiz.moazs.MoaZSException.moaZSException;
import static java.lang.String.format;
@Component
+ /**
+ * Adapted from at.asitplus.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient
+ */
public class SSLContextCreator {
private static final Logger log = LoggerFactory.getLogger(SSLContextCreator.class);
+ private static final String SSL_WARN_MAN_IN_THE_MIDDLE_MSG =
+ "HTTP Client trusts ANY server certificate and is therefore vulnerable to Man-In-The-Middle attacks. " +
+ "Use this configuration for testing purposes only and NOT IN PRODUCTION. ";
+
/**
* Creates an SSL Context.
- * Adapted from at.asitplus.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient
*
* @param keystore (if null, use no key store)
* @param truststore (if null, use default trust store)
* @throws at.gv.egiz.moazs.MoaZSException
*/
public SSLContext createSSLContext(@Nullable KeyStoreType keystore, @Nullable KeyStoreType truststore) {
+ return createSSLContext(keystore, false, truststore);
+ }
+
+ /**
+ * Creates an SSL Context that trusts all certificates. Don't use in production.
+ *
+ * @param keystore (if null, use no key store)
+ * @throws at.gv.egiz.moazs.MoaZSException
+ */
+ public SSLContext createUnsafeSSLContext(@Nullable KeyStoreType keystore) {
+ log.warn(SSL_WARN_MAN_IN_THE_MIDDLE_MSG);
+ return createSSLContext(keystore, true, null);
+ }
+
+ private SSLContext createSSLContext(@Nullable KeyStoreType keystore, boolean trustAll, @Nullable KeyStoreType truststore) {
try {
SSLContext context = SSLContext.getInstance("TLS");
KeyManager[] keyManager = initKeyManager(keystore);
- TrustManager[] trustManager = initTrustManager(truststore);
+ TrustManager[] trustManager = trustAll
+ ? new TrustManager[]{new TrustAllManager()}
+ : initTrustManager(truststore);
context.init(keyManager, trustManager, new SecureRandom());
return context;
} catch (NoSuchAlgorithmException | KeyManagementException e) {
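Review bot: The class-level Javadoc added between `@Component` and `public class SSLContextCreator` is placed after the annotation, so it is most likely not attached to the class by javadoc (a doc comment must precede the declaration's first modifier), and its one-space indentation differs from the rest of the file; move it above `@Component`. The new private overload `createSSLContext(keystore, trustAll, truststore)` has no comment stating its contract; add `/** When trustAll is true the truststore argument is ignored and a trust-all manager is installed; otherwise truststore (or the default trust store if null) is used. */` so a later caller does not expect both to combine. In the import hunk, `javax.net.ssl.X509TrustManager` is imported explicitly although `javax.net.ssl.*` is already imported on the next line, so the explicit import is redundant. The catch block of createSSLContext continues outside the hunk.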
@@ -79,4 +105,29 @@ public class SSLContextCreator {
}
}
+ /**
+ * Class implementing a trust manager that trusts all certificates.
+ *
+ * @author Arne Tauber
+ */
+ public static class TrustAllManager implements X509TrustManager {
+
+ private static Logger log = LoggerFactory.getLogger(TrustAllManager.class);
+
+ public X509Certificate[] getAcceptedIssuers() {
+ return new X509Certificate[0];
+ }
+
+ public void checkClientTrusted(X509Certificate[] arg0, String arg1)
+ throws CertificateException {
+ log.debug("Automatically accepting client certificate as trusted.");
+ }
+
+ public void checkServerTrusted(X509Certificate[] arg0, String arg1)
+ throws CertificateException {
+ log.debug("Automatically accepting server certificate as trusted.");
+ }
+ }
+
+
}
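Review bot: TrustAllManager is declared `public static`, which exposes a trust-everything manager as part of the class's API and lets other code build an SSLContext with it without going through createUnsafeSSLContext and its warning; nothing in the diff uses it outside this class, so it should be `private static final class TrustAllManager implements X509TrustManager {`. Its logger should be `private static final Logger log = LoggerFactory.getLogger(TrustAllManager.class);` (currently non-final and shadowing the outer class's `log`), and the three interface methods should carry `@Override`. The `throws CertificateException` clauses are never exercised; keeping them is harmless, but the debug-level messages mean acceptance of an arbitrary certificate is invisible at default log levels, so the creation-time warning in createUnsafeSSLContext is the only trace — worth stating in the class Javadoc.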