From a8e726382b0472ad030d7a579fe8d6878a216bd4 Mon Sep 17 00:00:00 2001
From: Christof Rabensteiner <christof.rabensteiner@iaik.tugraz.at>
Date: Thu, 27 Jun 2019 13:11:53 +0200
Subject: Fixes; SSL Client Auth Works!

- Switch to java 12 for now. Reason: Bug [1] in JDK 11 (up to
  jdk-11+28) impairs SSLHandshake ("Unsupported Operation Exception"),
  but was fixed in Java 12.
- Set HTTP policy to infinite.
- Fix key/truststore path resolution
- Fix NPE in ConfigUtil.merge
- Rearrange application.yaml to include two config profiles (one with
  and one without SSL for the msg client).
- Add key material for testcases (Note: expires: May 2 14:47:08 2020 GMT)
- Update MsgClient Testcases

[1] https://bugs.openjdk.java.net/browse/JDK-8214098
---
 src/main/java/at/gv/egiz/moazs/msg/MsgClient.java  |   4 +--
 .../at/gv/egiz/moazs/msg/MsgClientFactory.java     |  19 ++++++++---
 .../at/gv/egiz/moazs/preprocess/ConfigUtil.java    |  10 ++++++
 src/main/resources/application.yaml                |  38 +++++----------------
 src/main/resources/ssl/client.cert.key.p12         | Bin 0 -> 6221 bytes
 src/main/resources/ssl/truststore.jks              | Bin 0 -> 1648 bytes
 src/main/resources/ssl/truststore.p12              | Bin 0 -> 1776 bytes
 7 files changed, 35 insertions(+), 36 deletions(-)
 create mode 100644 src/main/resources/ssl/client.cert.key.p12
 create mode 100644 src/main/resources/ssl/truststore.jks
 create mode 100644 src/main/resources/ssl/truststore.p12

(limited to 'src/main')

diff --git a/src/main/java/at/gv/egiz/moazs/msg/MsgClient.java b/src/main/java/at/gv/egiz/moazs/msg/MsgClient.java
index 84a7801..d834eff 100644
--- a/src/main/java/at/gv/egiz/moazs/msg/MsgClient.java
+++ b/src/main/java/at/gv/egiz/moazs/msg/MsgClient.java
@@ -31,8 +31,8 @@ public class MsgClient {
     private final String address;
 
     //TODO: make configurable
-    private final int connectionTimeout = 60;
-    private final int receiveTimeout = 60;
+    private final int connectionTimeout = 0;
+    private final int receiveTimeout = 0;
 
     @Nullable
     private final SSLContext sslContext;
diff --git a/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java b/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
index d4cc9f1..071a243 100644
--- a/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
+++ b/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
@@ -4,6 +4,9 @@ import at.gv.egiz.moazs.util.FileUtils;
 import at.gv.egiz.moazs.util.SSLContextCreator;
 import at.gv.zustellung.app2mzs.xsd.ClientType;
 import at.gv.zustellung.app2mzs.xsd.KeyStoreType;
+import com.sun.istack.Nullable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
@@ -14,6 +17,8 @@ import static at.gv.zustellung.app2mzs.xsd.KeyStoreType.keyStoreTypeBuilder;
 @Component
 public class MsgClientFactory {
 
+    private static final Logger log = LoggerFactory.getLogger(MsgClientFactory.class);
+
     private final StoreSOAPBodyBinaryInRepositoryInterceptor storeResponseInterceptor;
     private final SSLContextCreator sslContextCreator;
     private final FileUtils fileUtils;
@@ -47,10 +52,16 @@ public class MsgClientFactory {
         return new MsgClient(storeResponseInterceptor, params.getURL(), sslContext);
     }
 
-    private KeyStoreType resolveKeyStorePath(KeyStoreType store) {
-        return store == null ? null
-            : keyStoreTypeBuilder(store)
-                .withFileName(fileUtils.determinePath(store.getFileName()))
+    private KeyStoreType resolveKeyStorePath(@Nullable KeyStoreType store) {
+
+        if (store == null) return null;
+
+        var resolvedURI = "file:" + fileUtils.determinePath(store.getFileName());
+
+        log.trace("Resolved key store path from {} to {}.", store.getFileName(), resolvedURI);
+
+        return keyStoreTypeBuilder(store)
+                .withFileName(resolvedURI)
                 .build();
     }
 
diff --git a/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java b/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java
index 1befd1d..aa86873 100644
--- a/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java
+++ b/src/main/java/at/gv/egiz/moazs/preprocess/ConfigUtil.java
@@ -138,6 +138,11 @@ public class ConfigUtil {
     }
 
     private ClientType merge(ClientType primary, ClientType fallback) {
+
+        if (fallback == null) {
+            return primary;
+        }
+
         var builder = clientTypeBuilder(fallback);
 
         if (primary.getURL() != null) {
@@ -152,6 +157,11 @@ public class ConfigUtil {
     }
 
     private SSLType merge(SSLType primary, SSLType fallback) {
+
+        if (fallback == null) {
+            return primary;
+        }
+
         var builder = SSLTypeBuilder(fallback);
 
         if (primary.getKeyStore() != null) {
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index a0040ca..2d376a8 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -13,56 +13,34 @@ spring:
 # Order: DeliveryRequest/Config > [chosen-profile] > default
 delivery-request-configuration-profiles:
   default:
-
     perform-query-person-request: false
+    msg-client.url: http://localhost:8081/services/DeliveryRequest
 
-    ## All parameters for MSG client.
+  ssl-profile:
+    perform-query-person-request: false
     msg-client:
-
-      url: http://localhost:8081/services/DeliveryRequest
-
+      url: https://localhost/zusemsg/services/DeliveryRequest
       ssl:
-
         ## Boolean; if true, app will trust all server certificates;
         ## if false, server certificate needs to be in truststore.
         trust-all: false
-
         ## Boolean; if true, app ignores mismatches between server's host name and
         ## Certificate's common name / alternative subject name.
         lax-hostname-verification: false
-
         ## Parameters for ssl client auth
         keystore:
-          ## Absolute path to file
-          filename: ssl/client.jks
+          ## Path to file
+          filename: ssl/client.cert.key.p12
           ## Password to unlock key store.
-          password: 1233
+          password: 123456
           ## JKS or PKCS12
-          type: JKS
-
-
-
-  app-profile-1:
-    msg:
-      url: https://msg-url1.com
-    perform-query-person-request: true
-
-  app-profile-2:
-    msg:
-      url: https://msg-url2.com
+          type: PKCS12
 
 ## If set to false, moa zs ignores an incomplete default DeliveryRequest-configuration
 ## profile and continues startup. See 'delivery-request-configuration-profiles'.
 ## Default value: true
 # verify-completeness-of-default-delivery-request-configuration: false
 
-## todo: fix this
-#  ssl.keystore.file=../keys/www.egiz.gv.at.p12
-#  egovutil.mis.ssl.keystore.password=OSgmSn!
-#  egovutil.mis.ssl.keystore.type=PKCS12
-#  egovutil.mis.ssl.trustall=true
-#  egovutil.mis.ssl.laxhostnameverification=false
-
 ### logging
 logging:
   level:
diff --git a/src/main/resources/ssl/client.cert.key.p12 b/src/main/resources/ssl/client.cert.key.p12
new file mode 100644
index 0000000..f3becbf
Binary files /dev/null and b/src/main/resources/ssl/client.cert.key.p12 differ
diff --git a/src/main/resources/ssl/truststore.jks b/src/main/resources/ssl/truststore.jks
new file mode 100644
index 0000000..3f90814
Binary files /dev/null and b/src/main/resources/ssl/truststore.jks differ
diff --git a/src/main/resources/ssl/truststore.p12 b/src/main/resources/ssl/truststore.p12
new file mode 100644
index 0000000..67eb611
Binary files /dev/null and b/src/main/resources/ssl/truststore.p12 differ
-- 
cgit v1.2.3