From 52306ddf6e786bd1ceaba09cbe37b42778b715fe Mon Sep 17 00:00:00 2001 From: Christof Rabensteiner Date: Fri, 28 Jun 2019 08:00:42 +0200 Subject: Simplified Config Validation - Also: Ensure that truststore is of type JKS because PKCS12 is not supported. --- .../at/gv/egiz/moazs/preprocess/ConfigUtil.java | 30 ++++++++++----------- src/test/java/at/gv/egiz/moazs/MsgClientTest.java | 31 +++++++++++----------- 2 files changed, 30 insertions(+), 31 deletions(-) diff --git a/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java b/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java index 14fb377..6c9d264 100644 --- a/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java +++ b/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java @@ -229,13 +229,11 @@ public class ConfigUtil { } private boolean isTVNZClientConfigured(ClientType tnvzClient, Boolean isPerformQueryPersonRequest) { - return (isPerformQueryPersonRequest - && tnvzClient != null - && tnvzClient.getURL() != null - && tnvzClient.getReceiveTimeout() != null - && tnvzClient.getConnectionTimeout() != null - && isSSLConfigured(tnvzClient)) - || !isPerformQueryPersonRequest; + return !isPerformQueryPersonRequest || (tnvzClient != null + && tnvzClient.getURL() != null + && tnvzClient.getReceiveTimeout() != null + && tnvzClient.getConnectionTimeout() != null + && isSSLConfigured(tnvzClient)); } private boolean isMSGClientConfigured(ClientType msgClientParams) { @@ -247,21 +245,23 @@ public class ConfigUtil { } private boolean isSSLConfigured(ClientType clientParams) { - return (clientParams.getURL().startsWith("https") - && clientParams.getSSL() != null + return !clientParams.getURL().startsWith("https") || (clientParams.getSSL() != null && clientParams.getSSL().isTrustAll() != null && clientParams.getSSL().isLaxHostNameVerification() != null && isKeyStoreConfigured(clientParams.getSSL().getKeyStore()) - && isKeyStoreConfigured(clientParams.getSSL().getTrustStore())) - || !clientParams.getURL().startsWith("https"); + && isTrustStoreConfigured(clientParams.getSSL().getTrustStore())); } private boolean isKeyStoreConfigured(KeyStoreType keyStore) { - return (keyStore != null - && keyStore.getPassword() != null + return keyStore == null || (keyStore.getPassword() != null && keyStore.getFileType() != null - && keyStore.getFileName() != null) - || keyStore == null; + && keyStore.getFileName() != null); + } + + private boolean isTrustStoreConfigured(KeyStoreType trustStore) { + return trustStore == null || (trustStore.getPassword() != null + && "JKS".equals(trustStore.getFileType()) + && trustStore.getFileName() != null); } diff --git a/src/test/java/at/gv/egiz/moazs/MsgClientTest.java b/src/test/java/at/gv/egiz/moazs/MsgClientTest.java index bd68d9d..485d01c 100644 --- a/src/test/java/at/gv/egiz/moazs/MsgClientTest.java +++ b/src/test/java/at/gv/egiz/moazs/MsgClientTest.java @@ -7,12 +7,9 @@ import at.gv.zustellung.app2mzs.xsd.ClientType; import at.gv.zustellung.app2mzs.xsd.KeyStoreType; import at.gv.zustellung.msg.xsd.DeliveryRequestType; import at.gv.zustellung.msg.xsd.ObjectFactory; -import org.junit.runner.RunWith; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.boot.test.context.SpringBootTest; -import org.springframework.test.context.junit4.SpringRunner; import javax.xml.bind.JAXBElement; import java.io.BufferedInputStream; @@ -91,12 +88,12 @@ public class MsgClientTest { // - server uses the server certificate in ssl/server/server.localhost.*.pem // - server sends certificate chain ssl/server/ca-chain.cert.pem //@Test - public void sendOverSSLWithTrustAll() throws IOException { + public void sendOverSSLWithClientAuthTrustAll() throws IOException { var request = loadFromFile("validDeliveryRequest.xml"); - var sslServiceUri = "https://localhost/zusemsg/services/DeliveryRequest"; + var httpsServiceURL = "https://localhost/zusemsg/services/DeliveryRequest"; - var clientParams = generateSSLClientParams(sslServiceUri, true, false); + var clientParams = generateSSLClientParams(httpsServiceURL, true, false); var client = factory.create(clientParams); var status = client.delivery(request); @@ -109,12 +106,12 @@ public class MsgClientTest { // - server uses the server certificate in ssl/server/server.localhost.*.pem // - server sends certificate chain ssl/server/ca-chain.cert.pem //@Test - public void sendOverSSLWithLaxHostnameVerification() throws IOException { + public void sendOverSSLWithClientAuthLaxHostnameVerification() throws IOException { var request = loadFromFile("validDeliveryRequest.xml"); - var sslServiceUri = "https://notlocalhost/zusemsg/services/DeliveryRequest"; + var httpsServiceURL = "https://notlocalhost/zusemsg/services/DeliveryRequest"; - var clientParams = generateSSLClientParams(sslServiceUri, false, true); + var clientParams = generateSSLClientParams(httpsServiceURL, false, true); var client = factory.create(clientParams); var status = client.delivery(request); @@ -130,16 +127,20 @@ public class MsgClientTest { public void rejectBecauseHostNameVerificationFails() throws IOException { var request = loadFromFile("validDeliveryRequest.xml"); - var sslServiceUri = "https://notlocalhost/zusemsg/services/DeliveryRequest"; + var httpsServiceURL = "https://notlocalhost/zusemsg/services/DeliveryRequest"; - var clientParams = generateSSLClientParams(sslServiceUri, false, false); + var clientParams = generateSSLClientParams(httpsServiceURL, false, false); var client = factory.create(clientParams); var status = client.delivery(request); log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status))); } - private ClientType generateSSLClientParams(String sslServiceUri, boolean trustAll, boolean laxHostNameVerification) { + private ClientType generateSSLClientParams(String httpsServiceURL, boolean trustAll, boolean laxHostNameVerification) { + return generateSSLClientParams(httpsServiceURL, trustAll, laxHostNameVerification, generateTrustLocalhostStore()); + } + + private ClientType generateSSLClientParams(String httpsServiceURL, boolean trustAll, boolean laxHostNameVerification, KeyStoreType truststore) { var keystore = keyStoreTypeBuilder() .withFileName("ssl/client.cert.key.p12") @@ -147,17 +148,15 @@ public class MsgClientTest { .withPassword("123456") .build(); - var truststore = trustAll ? null : generateTrustLocalhostStore(); - var sslParams = SSLTypeBuilder() .withLaxHostNameVerification(laxHostNameVerification) .withTrustAll(trustAll) .withKeyStore(keystore) - .withTrustStore(truststore) + .withTrustStore(trustAll ? null : truststore) .build(); return clientTypeBuilder() - .withURL(sslServiceUri) + .withURL(httpsServiceURL) .withSSL(sslParams) .withReceiveTimeout(BigInteger.ZERO) .withConnectionTimeout(BigInteger.ZERO) -- cgit v1.2.3