From e2e77ed55687cb92c6f5a273995daf64dedef848 Mon Sep 17 00:00:00 2001
From: Christof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>
Date: Wed, 26 Jun 2019 08:47:58 +0200
Subject: Protect MsgClient via SSL (ink Client Authentication)

- Add Component to create SSLContexts with own Key- and trust store.
- Inject SSLContext into HTTP Client.
- Add EAAF-Components Core Dependency, which is needed by
  SSLContextCreator (KeyStoreUtils).

Schema Changes in mzs:DeliveryRequest/Config:
- Got Rid of mzs:DeliveryRequest/Config/Server. In mzs 1.4.1,
  Server replaces the result of zkopf query person request. Since this
  zkopf interface does not exist anymore, Server was removed.
- Add ClientType, which holds all parameters needed to connect to a
  service (Url, SSL params, a.o.).

Configuration:
- Add default parameters for SSL Clients in application.yaml.
- Merge default parameters into incoming mzs:DeliveryRequests.

MoaZSException Fixes:
- Remove "Extends throwable" from Builder.
- Add convenient shorthand init method (message, throwable).

Refactor:
- Put "determinePath" to FileUtils.
- Put string related utility functions into StringUtils.
---
 src/main/java/at/gv/egiz/moazs/util/FileUtils.java | 22 ++++++
 .../at/gv/egiz/moazs/util/SSLContextCreator.java   | 82 ++++++++++++++++++++++
 .../java/at/gv/egiz/moazs/util/StringUtils.java    | 17 +++++
 3 files changed, 121 insertions(+)
 create mode 100644 src/main/java/at/gv/egiz/moazs/util/FileUtils.java
 create mode 100644 src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
 create mode 100644 src/main/java/at/gv/egiz/moazs/util/StringUtils.java

(limited to 'src/main/java/at/gv/egiz/moazs/util')

diff --git a/src/main/java/at/gv/egiz/moazs/util/FileUtils.java b/src/main/java/at/gv/egiz/moazs/util/FileUtils.java
new file mode 100644
index 0000000..7e7723d
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/util/FileUtils.java
@@ -0,0 +1,22 @@
+package at.gv.egiz.moazs.util;
+
+import org.springframework.stereotype.Component;
+
+import java.io.File;
+
+@Component
+public class FileUtils {
+
+    /**
+     * If path is relative, resolve path as classpath resource. If path is absolute,
+     * leave as-is.
+     */
+    public String determinePath(String abstractPath) {
+        if (new File(abstractPath).isAbsolute()) {
+            return abstractPath;
+        } else {
+            //java.lang.Class needs relative resources to start with "/"
+            return this.getClass().getResource("/" + abstractPath).getFile();
+        }
+    }
+}
diff --git a/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java b/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
new file mode 100644
index 0000000..b4d66d1
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
@@ -0,0 +1,82 @@
+package at.gv.egiz.moazs.util;
+
+import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
+import at.gv.zustellung.app2mzs.xsd.KeyStoreType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.lang.Nullable;
+import org.springframework.stereotype.Component;
+
+import javax.net.ssl.*;
+import java.io.IOException;
+import java.security.*;
+
+import static at.gv.egiz.moazs.MoaZSException.moaZSException;
+import static java.lang.String.format;
+
+@Component
+public class SSLContextCreator {
+
+    private static final Logger log = LoggerFactory.getLogger(SSLContextCreator.class);
+
+    /**
+     * Creates an SSL Context.
+     * Adapted from at.asitplus.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient
+     *
+     * @param keystore (if null, use no key store)
+     * @param truststore (if null, use default trust store)
+     * @throws at.gv.egiz.moazs.MoaZSException
+     */
+    public SSLContext createSSLContext(@Nullable KeyStoreType keystore, @Nullable KeyStoreType truststore) {
+        try {
+            SSLContext context = SSLContext.getInstance("TLS");
+            KeyManager[] keyManager = initKeyManager(keystore);
+            TrustManager[] trustManager = initTrustManager(truststore);
+            context.init(keyManager, trustManager, new SecureRandom());
+            return context;
+        } catch (NoSuchAlgorithmException | KeyManagementException e) {
+            throw moaZSException("SSLContext initialization FAILED.", e);
+        }
+    }
+
+    private KeyManager[] initKeyManager(KeyStoreType keystore) {
+        if (keystore == null) {
+            log.trace("No keystore path provided. NOT using SSL client authentication. ");
+            return null;
+        } else {
+            log.trace("Find keystore path: {}. Injecting SSL client certificate... ", keystore.getFileName());
+            try {
+                KeyStore keyStore = KeyStoreUtils.loadKeyStore(
+                        keystore.getFileType(), keystore.getFileName(), keystore.getPassword());
+                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+                kmf.init(keyStore, keystore.getPassword().toCharArray());
+                log.trace("SSL client certificate injected.");
+                return kmf.getKeyManagers();
+            } catch (IOException | GeneralSecurityException e) {
+                throw moaZSException(format("Can NOT load SSL client certificate from path: %s.",
+                        keystore.getFileName()), e);
+            }
+        }
+    }
+
+    private TrustManager[] initTrustManager(KeyStoreType truststore) {
+        if (truststore == null) {
+            log.trace("Using default truststore. ");
+            return null;
+        } else {
+            log.trace("Find truststore path: {}. Injecting SSL truststore... ", truststore.getFileName());
+            try {
+                KeyStore trustStore = KeyStoreUtils.loadKeyStore(
+                        truststore.getFileType(), truststore.getFileName(), truststore.getPassword());
+                TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+                tmf.init(trustStore);
+                log.trace("SSL TrustStore injected to client. ");
+                return tmf.getTrustManagers();
+            } catch (GeneralSecurityException | IOException e) {
+                throw moaZSException(format("Can NOT open SSL TrustStore from path: %s.",
+                        truststore.getFileName()), e);
+            }
+        }
+    }
+
+}
diff --git a/src/main/java/at/gv/egiz/moazs/util/StringUtils.java b/src/main/java/at/gv/egiz/moazs/util/StringUtils.java
new file mode 100644
index 0000000..fd40f6e
--- /dev/null
+++ b/src/main/java/at/gv/egiz/moazs/util/StringUtils.java
@@ -0,0 +1,17 @@
+package at.gv.egiz.moazs.util;
+
+public class StringUtils {
+
+    public static boolean hasPrefix(String name) {
+        return name.indexOf('.') != -1;
+    }
+
+    public static String keepPrefix(String name) {
+        return name.substring(0, name.indexOf('.'));
+    }
+
+    public static String removePrefix(String name) {
+        return name.substring(name.indexOf('.') + 1);
+    }
+
+}
-- 
cgit v1.2.3