From e2e77ed55687cb92c6f5a273995daf64dedef848 Mon Sep 17 00:00:00 2001 From: Christof Rabensteiner Date: Wed, 26 Jun 2019 08:47:58 +0200 Subject: Protect MsgClient via SSL (ink Client Authentication) - Add Component to create SSLContexts with own Key- and trust store. - Inject SSLContext into HTTP Client. - Add EAAF-Components Core Dependency, which is needed by SSLContextCreator (KeyStoreUtils). Schema Changes in mzs:DeliveryRequest/Config: - Got Rid of mzs:DeliveryRequest/Config/Server. In mzs 1.4.1, Server replaces the result of zkopf query person request. Since this zkopf interface does not exist anymore, Server was removed. - Add ClientType, which holds all parameters needed to connect to a service (Url, SSL params, a.o.). Configuration: - Add default parameters for SSL Clients in application.yaml. - Merge default parameters into incoming mzs:DeliveryRequests. MoaZSException Fixes: - Remove "Extends throwable" from Builder. - Add convenient shorthand init method (message, throwable). Refactor: - Put "determinePath" to FileUtils. - Put string related utility functions into StringUtils. --- src/main/resources/application.yaml | 29 ++++++++++++++--------------- src/main/resources/mzs/app2mzs.xsd | 34 +++++++++++++++++++++++++++------- 2 files changed, 41 insertions(+), 22 deletions(-) (limited to 'src/main/resources') diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml index 9ce1158..a0040ca 100644 --- a/src/main/resources/application.yaml +++ b/src/main/resources/application.yaml 
@@ -13,32 +13,34 @@ spring: # Order: DeliveryRequest/Config > [chosen-profile] > default delivery-request-configuration-profiles: default: + + perform-query-person-request: false + ## All parameters for MSG client. - msg: + msg-client: - ## How to reach url: http://localhost:8081/services/DeliveryRequest + ssl: + ## Boolean; if true, app will trust all server certificates; + ## if false, server certificate needs to be in truststore. + trust-all: false + + ## Boolean; if true, app ignores mismatches between server's host name and + ## Certificate's common name / alternative subject name. + lax-hostname-verification: false + ## Parameters for ssl client auth keystore: ## Absolute path to file - filename: + filename: ssl/client.jks ## Password to unlock key store. password: 1233 ## JKS or PKCS12 type: JKS - ## Boolean; if true, app will trust all server certificates; - ## if false, server certificate needs to be in truststore. - trustall: false - ## Boolean; if true, app ignores mismatches between server's host name and - ## Certificate's common name / alternative subject name. - laxhostnameverification: false - - - perform-query-person-request: false app-profile-1: msg: @@ -49,9 +51,6 @@ delivery-request-configuration-profiles: msg: url: https://msg-url2.com -key-store-profiles: - msg-key-store: - ## If set to false, moa zs ignores an incomplete default DeliveryRequest-configuration ## profile and continues startup. See 'delivery-request-configuration-profiles'. ## Default value: true diff --git a/src/main/resources/mzs/app2mzs.xsd b/src/main/resources/mzs/app2mzs.xsd index 05a9ea4..956cd31 100644 --- a/src/main/resources/mzs/app2mzs.xsd +++ b/src/main/resources/mzs/app2mzs.xsd @@ -81,19 +81,39 @@ - + + - - + + + - - + + + + + + + + + + + + + + + + + + + + - + @@ -179,7 +199,7 @@ - + -- cgit v1.2.3
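Review bot: The new default block ships a keystore password as a literal, `password: 1233`, in a file committed to the repository; move it to an externalized placeholder such as `password: "${MSG_CLIENT_KEYSTORE_PASSWORD}"` and quote it, since an unquoted digit-only value is parsed as a YAML integer and a password with leading zeros would be silently re-typed. The `filename` comment still reads `## Absolute path to file` while the new default `filename: ssl/client.jks` is relative; either change the comment to say how a relative path is resolved (presumably against the working directory or classpath by the SSL context component — confirm) or keep an absolute path as the comment promises. The default `url` stays `http://localhost:8081/services/DeliveryRequest`, so the `ssl` block added beneath it has no effect until the URL is switched to `https://`; a one-line comment such as `## ssl settings below apply only to https URLs` would make that explicit. Finally, the default section was renamed from `msg:` to `msg-client:`, but the context line `app-profile-1: msg:` (and the `msg: url: https://msg-url2.com` under the second profile) still uses the old key — if the profile merge described in `# Order: DeliveryRequest/Config > [chosen-profile] > default` is per key, those profile URLs no longer override the default URL.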