Diffstat (limited to 'src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java')
-rw-r--r--src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java82
1 files changed, 82 insertions, 0 deletions
diff --git a/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java b/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
new file mode 100644
index 0000000..b4d66d1
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
@@ -0,0 +1,82 @@
+package at.gv.egiz.moazs.util;
+
+import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
+import at.gv.zustellung.app2mzs.xsd.KeyStoreType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.lang.Nullable;
+import org.springframework.stereotype.Component;
+
+import javax.net.ssl.*;
+import java.io.IOException;
+import java.security.*;
+
+import static at.gv.egiz.moazs.MoaZSException.moaZSException;
+import static java.lang.String.format;
+
+@Component
+public class SSLContextCreator {
+
+ private static final Logger log = LoggerFactory.getLogger(SSLContextCreator.class);
+
+ /**
+ * Creates an SSL Context.
+ * Adapted from at.asitplus.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient
+ *
+ * @param keystore (if null, use no key store)
+ * @param truststore (if null, use default trust store)
+ * @throws at.gv.egiz.moazs.MoaZSException
+ */
+ public SSLContext createSSLContext(@Nullable KeyStoreType keystore, @Nullable KeyStoreType truststore) {
+ try {
+ SSLContext context = SSLContext.getInstance("TLS");
+ KeyManager[] keyManager = initKeyManager(keystore);
+ TrustManager[] trustManager = initTrustManager(truststore);
+ context.init(keyManager, trustManager, new SecureRandom());
+ return context;
+ } catch (NoSuchAlgorithmException | KeyManagementException e) {
+ throw moaZSException("SSLContext initialization FAILED.", e);
+ }
+ }
+
+ private KeyManager[] initKeyManager(KeyStoreType keystore) {
+ if (keystore == null) {
+ log.trace("No keystore path provided. NOT using SSL client authentication. ");
+ return null;
+ } else {
+ log.trace("Find keystore path: {}. Injecting SSL client certificate... ", keystore.getFileName());
+ try {
+ KeyStore keyStore = KeyStoreUtils.loadKeyStore(
+ keystore.getFileType(), keystore.getFileName(), keystore.getPassword());
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+ kmf.init(keyStore, keystore.getPassword().toCharArray());
+ log.trace("SSL client certificate injected.");
+ return kmf.getKeyManagers();
+ } catch (IOException | GeneralSecurityException e) {
+ throw moaZSException(format("Can NOT load SSL client certificate from path: %s.",
+ keystore.getFileName()), e);
+ }
+ }
+ }
+
+ private TrustManager[] initTrustManager(KeyStoreType truststore) {
+ if (truststore == null) {
+ log.trace("Using default truststore. ");
+ return null;
+ } else {
+ log.trace("Find truststore path: {}. Injecting SSL truststore... ", truststore.getFileName());
+ try {
+ KeyStore trustStore = KeyStoreUtils.loadKeyStore(
+ truststore.getFileType(), truststore.getFileName(), truststore.getPassword());
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+ tmf.init(trustStore);
+ log.trace("SSL TrustStore injected to client. ");
+ return tmf.getTrustManagers();
+ } catch (GeneralSecurityException | IOException e) {
+ throw moaZSException(format("Can NOT open SSL TrustStore from path: %s.",
+ truststore.getFileName()), e);
+ }
+ }
+ }
+
+}
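Review bot: In initTrustManager, a null `trustStore` would go straight into `tmf.init(trustStore)`, and `TrustManagerFactory.init` treats a null KeyStore as a request for the JVM's default trust anchors, so a configured truststore that failed to load would silently widen trust instead of failing. `KeyStoreUtils.loadKeyStore` is not shown on this page, so whether it can return null (for example on a missing file) needs confirming; if it can, add `if (trustStore == null) throw new KeyStoreException("truststore could not be loaded");` before `tmf.init(...)` so the existing catch wraps it in a MoaZSException. The same check fits `keyStore` in initKeyManager, where `keystore.getPassword().toCharArray()` would also raise an uncaught NullPointerException if the password is absent. Separately, `TrustManagerFactory.getInstance("SunX509")` pins a provider-specific legacy algorithm; `TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())` picks the platform default (PKIX on OpenJDK) and stays portable across JVMs.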