From 62601fb50b606f812933f746f126dda0b8139911 Mon Sep 17 00:00:00 2001 From: Christof Rabensteiner Date: Thu, 13 Jun 2019 10:10:22 +0200 Subject: Fix moa-sig-lib's Integration Issues Fixing "ASN.1 creation error: iaik.asn1.CodingException: Length: Too large ASN.1 object: 109" - Set fallback value ('jks') for system property 'javax.net.ssl.keyStoreType' and 'javax.net.ssl.trustStoreType'. If system property is not defined, MoaSigConfig falls back to value from spring environment. Reason: Without this property explicitly set to JKS, the inclusion of eaaf-components-moa-sig-lib breaks the HTTP client builder and the ASN.1 creation error arises. See [1] for explanation. - Why fall back: Allows a user to configure these parameters via command line, but gives meaningful defaults in case of absent command line properties. Furthermore, these parameters can be configured via application.yaml or .properties. Others: - Set fallback value for system property 'moa.spss.server.configuration'. If system property is not defined, fall back to value from spring environment. Reason: Allows a user to configure these parameters via command line while providing meaningful defaults in case of absent command line properties. - Add switch 'moa.spss.is-active' to enable / disable signature verification. - Change log levels of at.gv.* and iaik.* packages to INFO - Add default certstore (copied from EAAF Components). - Add mzs root certificate to cert- and truststore. - Update readme's installation requirements and guide. Refactor: - Extract public interface of SignatureVerification class. - Rename trustprofile folder. [1] Why eaaf-components-moa-sig-lib breaks HTTP client: - Including eaaf-components-moa-sig-lib includes IAIK's jca/jce and xsect, which in turn injects the iaik provider for cryptographic operations and its own key store (iaik.pkcs.pkcs12.PKCS12KeyStore). - The Apache HTTP client builder will ask for a java.base/javax.net.ssl.SSLSocketFactory because it creates an SSL context, even if the connection runs without SSL. - Somewhere down the stack, this will trigger the TrustStoreManager to hand over the systems default trust store (a JKS file) to IAIK's PKCS12KeyStore. This happens if the type properties of the trust stores are not set. - Oracle relaxed a precondition of this trust store (somewhere in between Java 8 and 11) in the TrustStoreManager: Formerly, the trust store was a JKS object. Now, the trust store can be both a JKS and a PKCS12 object. The TrustStoreManager expects the key store to handle both types, and Oracle's keystore does. However, IAIK's key store cannot handle a JKS object, but since eaaf-components-moa-sig-lib was included, the IAIK key store comes first. - PKCS12KeyStore expects a PKCS12 file but receives a JKS file -> Parser Error. --- src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/test/java/at') diff --git a/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java b/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java index b0c03a2..c132abf 100644 --- a/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java +++ b/src/test/java/at/gv/egiz/moazs/SameThreadDeliveryPipelineTest.java @@ -2,7 +2,7 @@ package at.gv.egiz.moazs; import at.gv.egiz.moazs.msg.MsgClient; import at.gv.egiz.moazs.msg.MsgClientFactory; -import at.gv.egiz.moazs.msg.SignatureVerifier; +import at.gv.egiz.moazs.msg.MoaSPSSSignatureVerifier; import at.gv.egiz.moazs.msg.StoreSOAPBodyBinaryInRepositoryInterceptor; import at.gv.egiz.moazs.pipeline.DeliveryPipeline; import at.gv.egiz.moazs.pipeline.SameThreadDeliveryPipeline; @@ -63,7 +63,7 @@ public class SameThreadDeliveryPipelineTest { private StoreSOAPBodyBinaryInRepositoryInterceptor interceptor; @Mock - private SignatureVerifier verifier; + private MoaSPSSSignatureVerifier verifier; private DeliveryPipeline pipeline; -- cgit v1.2.3