From a8e726382b0472ad030d7a579fe8d6878a216bd4 Mon Sep 17 00:00:00 2001
From: Christof Rabensteiner
Date: Thu, 27 Jun 2019 13:11:53 +0200
Subject: Fixes; SSL Client Auth Works!
- Switch to java 12 for now. Reason: Bug [1] in JDK 11 (up to jdk-11+28) impairs SSLHandshake ("Unsupported Operation Exception"), but was fixed in Java 12.
- Set HTTP policy to infinite.
- Fix key/truststore path resolution
- Fix NPE in ConfigUtil.merge
- Rearrange application.yaml to include two config profiles (one with and one without SSL for the msg client).
- Add key material for testcases (Note: expires: May 2 14:47:08 2020 GMT)
- Update MsgClient Testcases
[1] https://bugs.openjdk.java.net/browse/JDK-8214098
---
 pom.xml | 2 +-
 src/main/java/at/gv/egiz/moazs/msg/MsgClient.java | 4 +-
 .../at/gv/egiz/moazs/msg/MsgClientFactory.java | 19 ++++++--
 .../at/gv/egiz/moazs/preprocess/ConfigUtil.java | 10 ++++
 src/main/resources/application.yaml | 38 ++++-----------
 src/main/resources/ssl/client.cert.key.p12 | Bin 0 -> 6221 bytes
 src/main/resources/ssl/truststore.jks | Bin 0 -> 1648 bytes
 src/main/resources/ssl/truststore.p12 | Bin 0 -> 1776 bytes
 src/test/java/at/gv/egiz/moazs/MsgClientTest.java | 51 +++++++++++++++++----
 9 files changed, 78 insertions(+), 46 deletions(-)
 create mode 100644 src/main/resources/ssl/client.cert.key.p12
 create mode 100644 src/main/resources/ssl/truststore.jks
 create mode 100644 src/main/resources/ssl/truststore.p12
diff --git a/pom.xml b/pom.xml
index c27e764..37063b9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@
- 11
+ 12
 3.3.0
 2.1.3.RELEASE
 2.6.2
diff --git a/src/main/java/at/gv/egiz/moazs/msg/MsgClient.java b/src/main/java/at/gv/egiz/moazs/msg/MsgClient.java
index 84a7801..d834eff 100644
--- a/src/main/java/at/gv/egiz/moazs/msg/MsgClient.java
+++ b/src/main/java/at/gv/egiz/moazs/msg/MsgClient.java
@@ -31,8 +31,8 @@ public class MsgClient {
 private final String address;
 //TODO: make configurable
- private final int connectionTimeout = 60;
- private final int receiveTimeout = 60;
+ private final int connectionTimeout = 0;
+ private final int receiveTimeout = 0;
 @Nullable
 private final SSLContext sslContext;
diff --git a/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java b/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
index d4cc9f1..071a243 100644
--- a/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
+++ b/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
@@ -4,6 +4,9 @@ import at.gv.egiz.moazs.util.FileUtils;
 import at.gv.egiz.moazs.util.SSLContextCreator;
 import at.gv.zustellung.app2mzs.xsd.ClientType;
 import at.gv.zustellung.app2mzs.xsd.KeyStoreType;
+import com.sun.istack.Nullable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@@ -14,6 +17,8 @@ import static at.gv.zustellung.app2mzs.xsd.KeyStoreType.keyStoreTypeBuilder;
 @Component
 public class MsgClientFactory {
+ private static final Logger log = LoggerFactory.getLogger(MsgClientFactory.class);
+
 private final StoreSOAPBodyBinaryInRepositoryInterceptor storeResponseInterceptor;
 private final SSLContextCreator sslContextCreator;
 private final FileUtils fileUtils;
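Review bot: The new values `connectionTimeout = 0` and `receiveTimeout = 0` switch both timeouts off (the commit message calls this "infinite"), so a peer that accepts the connection and then never answers, or trickles its response, holds the calling thread and its connection indefinitely; under load that exhausts the client's own resources. The existing `//TODO: make configurable` is the real fix — read both values from the client configuration with a finite default — and until then the intent should be stated where the next reader sees it, e.g. `// 0 disables the timeout ("infinite"); deliberate until timeouts are configurable, see TODO above`. The constructor and the place where these fields are applied are outside the hunk.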
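Review bot: `import com.sun.istack.Nullable;` takes the annotation from an internal package of the JAXB reference implementation rather than a public API, so compilation now depends on that implementation jar being on the classpath and breaks if the JAXB provider is swapped. MsgClient.java already uses an `@Nullable` (its import is not in view); use the same annotation here, or `javax.annotation.Nullable` if the project already provides it, and drop the `com.sun.istack` import.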
@@ -47,10 +52,16 @@ public class MsgClientFactory {
 return new MsgClient(storeResponseInterceptor, params.getURL(), sslContext);
 }
- private KeyStoreType resolveKeyStorePath(KeyStoreType store) {
- return store == null ? null
- : keyStoreTypeBuilder(store)
- .withFileName(fileUtils.determinePath(store.getFileName()))
+ private KeyStoreType resolveKeyStorePath(@Nullable KeyStoreType store) {
+
+ if (store == null) return null;
+
+ var resolvedURI = "file:" + fileUtils.determinePath(store.getFileName());
+
+ log.trace("Resolved key store path from {} to {}.", store.getFileName(), resolvedURI);
+
+ return keyStoreTypeBuilder(store)
+ .withFileName(resolvedURI)
 .build();
 }
diff --git a/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java b/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java
index 1befd1d..aa86873 100644
--- a/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java
+++ b/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java
@@ -138,6 +138,11 @@ public class ConfigUtil {
 }
 private ClientType merge(ClientType primary, ClientType fallback) {
+
+ if (fallback == null) {
+ return primary;
+ }
+
 var builder = clientTypeBuilder(fallback);
 if (primary.getURL() != null) {
@@ -152,6 +157,11 @@ public class ConfigUtil {
 }
 private SSLType merge(SSLType primary, SSLType fallback) {
+
+ if (fallback == null) {
+ return primary;
+ }
+
 var builder = SSLTypeBuilder(fallback);
 if (primary.getKeyStore() != null) {
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index a0040ca..2d376a8 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
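Review bot: `"file:" + fileUtils.determinePath(store.getFileName())` builds the URI by string concatenation, so a path containing spaces, `%`, `#` or a Windows drive letter and backslashes yields a malformed or mis-parsed URI when the consumer parses it. Prefer `Path.of(fileUtils.determinePath(store.getFileName())).toUri().toString()`, which produces a correctly escaped `file:` URI, provided the consumer accepts a standard file URI. If `determinePath` can return null (not visible here), the concatenation currently produces the literal `file:null`, which is only diagnosed much later; a `Objects.requireNonNull` at this point gives a clearer failure. The enclosing `create` method begins outside the hunk.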
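Review bot: The new `if (fallback == null) return primary;` guard in `merge(ClientType, ClientType)` covers only one side; when `fallback` is non-null and `primary` is null, the following `primary.getURL()` still throws a NullPointerException. Add the symmetric guard `if (primary == null) return fallback;` directly after the new one (a null `fallback` then still returns `primary` unchecked, as the commit already does, so callers must tolerate a null result either way). The same applies to `merge(SSLType, SSLType)` in the next hunk, where `primary.getKeyStore()` is the unguarded dereference. Both methods continue past the end of their hunks.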
@@ -13,56 +13,34 @@ spring:
 # Order: DeliveryRequest/Config > [chosen-profile] > default
 delivery-request-configuration-profiles:
 default:
- perform-query-person-request: false
+ msg-client.url: http://localhost:8081/services/DeliveryRequest
- ## All parameters for MSG client.
+ ssl-profile:
+ perform-query-person-request: false
 msg-client:
-
- url: http://localhost:8081/services/DeliveryRequest
-
+ url: https://localhost/zusemsg/services/DeliveryRequest
 ssl:
-
 ## Boolean; if true, app will trust all server certificates;
 ## if false, server certificate needs to be in truststore.
 trust-all: false
-
 ## Boolean; if true, app ignores mismatches between server's host name and
 ## Certificate's common name / alternative subject name.
 lax-hostname-verification: false
-
 ## Parameters for ssl client auth
 keystore:
- ## Absolute path to file
- filename: ssl/client.jks
+ ## Path to file
+ filename: ssl/client.cert.key.p12
 ## Password to unlock key store.
- password: 1233
+ password: 123456
 ## JKS or PKCS12
- type: JKS
-
-
-
- app-profile-1:
- msg:
- url: https://msg-url1.com
- perform-query-person-request: true
- app-profile-2:
- msg:
- url: https://msg-url2.com
+ type: PKCS12
 ## If set to false, moa zs ignores an incomplete default DeliveryRequest-configuration
 ## profile and continues startup. See 'delivery-request-configuration-profiles'.
 ## Default value: true
 # verify-completeness-of-default-delivery-request-configuration: false
-## todo: fix this
-# ssl.keystore.file=../keys/www.egiz.gv.at.p12
-# egovutil.mis.ssl.keystore.password=OSgmSn!
-# egovutil.mis.ssl.keystore.type=PKCS12
-# egovutil.mis.ssl.trustall=true
-# egovutil.mis.ssl.laxhostnameverification=false
-
 ### logging
 logging:
 level:
diff --git a/src/main/resources/ssl/client.cert.key.p12 b/src/main/resources/ssl/client.cert.key.p12
new file mode 100644
index 0000000..f3becbf
Binary files /dev/null and b/src/main/resources/ssl/client.cert.key.p12 differ
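Review bot: The `ssl-profile` block stores the client key-store password (`password: 123456`) in clear text in `src/main/resources/application.yaml`, and the matching private key `ssl/client.cert.key.p12` is added under `src/main/resources`, so both are packaged into the production artifact even though the commit message describes them as test key material. Move the key material and its password to `src/test/resources` (or a test-only profile) and take the real password from an externalised property, leaving only a placeholder in the committed file, e.g. `password: ${MSG_CLIENT_KEYSTORE_PASSWORD}`. The commit message notes that the test certificate expires on 2 May 2020; a comment next to `filename:` stating that expiry would spare the next person a puzzling handshake failure. Note too that `ssl-profile` configures a `keystore` but no trust store while `trust-all: false`, so unless the JVM default trust store is intended (not visible here), server verification will fail for the test endpoint.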
diff --git a/src/main/resources/ssl/truststore.jks b/src/main/resources/ssl/truststore.jks
new file mode 100644
index 0000000..3f90814
Binary files /dev/null and b/src/main/resources/ssl/truststore.jks differ
diff --git a/src/main/resources/ssl/truststore.p12 b/src/main/resources/ssl/truststore.p12
new file mode 100644
index 0000000..67eb611
Binary files /dev/null and b/src/main/resources/ssl/truststore.p12 differ
diff --git a/src/test/java/at/gv/egiz/moazs/MsgClientTest.java b/src/test/java/at/gv/egiz/moazs/MsgClientTest.java
index 62df52d..294b2b8 100644
--- a/src/test/java/at/gv/egiz/moazs/MsgClientTest.java
+++ b/src/test/java/at/gv/egiz/moazs/MsgClientTest.java
@@ -7,25 +7,28 @@ import at.gv.egiz.moazs.scheme.Marshaller;
 import at.gv.zustellung.app2mzs.xsd.ClientType;
 import at.gv.zustellung.msg.xsd.DeliveryRequestType;
 import at.gv.zustellung.msg.xsd.ObjectFactory;
+import org.junit.Test;
+import org.junit.runner.RunWith;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.junit4.SpringRunner;
 import javax.xml.bind.JAXBElement;
 import java.io.BufferedInputStream;
 import java.io.FileInputStream;
 import java.io.IOException;
+import static at.gv.zustellung.app2mzs.xsd.KeyStoreType.keyStoreTypeBuilder;
+import static at.gv.zustellung.app2mzs.xsd.SSLType.SSLTypeBuilder;
 // @RunWith(SpringRunner.class)
 // @SpringBootTest
-public class MsgClientTest {
-
- private final static Logger logger = LoggerFactory.getLogger(MsgClient.class);
- private String httpServiceUri = "http://localhost:8081/services/DeliveryRequest";
- private String sslServiceUri = "https://localhost/zusemsg/services/DeliveryRequest";
+public class MsgClientTest {
+ private final static Logger log = LoggerFactory.getLogger(MsgClient.class);
 private final String basePath = "src/test/resources/at/gv/egiz/moazs/MsgClientTest/";
 @Autowired
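Review bot: The renamed logger is still created with `LoggerFactory.getLogger(MsgClient.class)`, so test output is attributed to the production class and filtered by its log level; use `LoggerFactory.getLogger(MsgClientTest.class)`. The newly imported `RunWith`, `SpringRunner` and `SpringBootTest` are referenced in this hunk only by the commented-out `// @RunWith(SpringRunner.class)` and `// @SpringBootTest`, so unless they are used further down the file they are unused imports. The class body continues past the hunk.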
@@ -46,27 +49,57 @@ public class MsgClientTest {
 public void sendValidMessage() throws IOException {
 var request = loadFromFile("validDeliveryRequest.xml");
+ var httpServiceUri = "http://localhost:8081/services/DeliveryRequest";
 var clientParams = generateClientParams(httpServiceUri);
 var client = factory.create(clientParams);
 try{
 var status = client.send(request);
- logger.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryResponse(status)));
+ log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryResponse(status)));
 } catch (Exception ex) {
 System.out.println(ex.getMessage());
 }
 }
 //@Test
- public void sendValidMessageToSSL() throws IOException {
+ public void sendValidMessageSSL() throws IOException {
 var request = loadFromFile("validDeliveryRequest.xml");
- var clientParams = generateClientParams(sslServiceUri);
+ var sslServiceUri = "https://localhost/zusemsg/services/DeliveryRequest";
+ var clientParams = generateSSLClientParams(sslServiceUri);
 var client = factory.create(clientParams);
 var status = client.send(request);
+ log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status)));
+
+ }
+
+ private ClientType generateSSLClientParams(String sslServiceUri) {
+
+ var keystore = keyStoreTypeBuilder()
+ .withFileName("ssl/client.cert.key.p12")
+ .withFileType("PKCS12")
+ .withPassword("123456")
+ .build();
+
+ var truststore = keyStoreTypeBuilder()
+ .withFileName("ssl/truststore.jks")
+ .withPassword("123456")
+ .withFileType("JKS")
+ .build();
+
+ var sslParams = SSLTypeBuilder()
+ .withLaxHostNameVerification(false)
+ .withTrustAll(false)
+ .withKeyStore(keystore)
+ .withTrustStore(truststore)
+ .build();
+
+ return ClientType.clientTypeBuilder()
+ .withURL(sslServiceUri)
+ .withSSL(sslParams)
+ .build();
-
- logger.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status)));
 }
 private DeliveryRequestType loadFromFile(String fileName) throws IOException {
-- cgit v1.2.3
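Review bot: `sendValidMessageSSL` remains disabled (the `//@Test` above it is unchanged context) and needs a live endpoint at `https://localhost/zusemsg`, so the behaviour the commit title announces is not exercised by the build; a Javadoc on the method should say so, e.g. `/** Manual integration test: requires an MSG endpoint at https://localhost/zusemsg whose certificate is trusted by ssl/truststore.jks; enable @Test locally. */`. In `generateSSLClientParams` the password `"123456"` is repeated for key store and trust store and duplicates the value in `application.yaml`; a single `private static final String TEST_STORE_PASSWORD`, or loading the test profile instead of rebuilding it by hand, keeps them from drifting apart. The store paths are relative (`ssl/...`) and are presumably resolved through `factory.create`, so the test's fixtures live in the production resource directory rather than under `basePath`, which deserves a comment on `generateSSLClientParams`.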