package at.gv.egiz.moazs.client; import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils; import at.gv.zustellung.app2mzs.xsd.KeyStoreType; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.lang.Nullable; import org.springframework.stereotype.Component; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import javax.net.ssl.X509TrustManager; import javax.net.ssl.*; import java.io.IOException; import java.security.*; import static at.gv.egiz.moazs.MoaZSException.moaZSException; import static java.lang.String.format; @Component /** * Adapted from at.asitplus.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient */ public class SSLContextCreator { private static final Logger log = LoggerFactory.getLogger(SSLContextCreator.class); private static final String SSL_WARN_MAN_IN_THE_MIDDLE_MSG = "HTTP Client trusts ANY server certificate and is therefore vulnerable to Man-In-The-Middle attacks. " + "Use this configuration for testing purposes only and NOT IN PRODUCTION. "; /** * Creates an SSL Context. * * @param keystore (if null, use no key store) * @param truststore (if null, use default trust store) * @throws at.gv.egiz.moazs.MoaZSException */ public SSLContext createSSLContext(@Nullable KeyStoreType keystore, @Nullable KeyStoreType truststore) { return createSSLContext(keystore, false, truststore); } /** * Creates an SSL Context that trusts all certificates. Don't use in production. * * @param keystore (if null, use no key store) * @throws at.gv.egiz.moazs.MoaZSException */ public SSLContext createUnsafeSSLContext(@Nullable KeyStoreType keystore) { log.warn(SSL_WARN_MAN_IN_THE_MIDDLE_MSG); return createSSLContext(keystore, true, null); } private SSLContext createSSLContext(@Nullable KeyStoreType keystore, boolean trustAll, @Nullable KeyStoreType truststore) { try { SSLContext context = SSLContext.getInstance("TLS"); KeyManager[] keyManager = initKeyManager(keystore); TrustManager[] trustManager = trustAll ? new TrustManager[]{new TrustAllManager()} : initTrustManager(truststore); context.init(keyManager, trustManager, new SecureRandom()); return context; } catch (NoSuchAlgorithmException | KeyManagementException e) { throw moaZSException("SSLContext initialization FAILED.", e); } } private KeyManager[] initKeyManager(KeyStoreType keystore) { if (keystore == null) { log.trace("No keystore path provided. NOT using SSL client authentication. "); return null; } else { log.trace("Find keystore path: {}. Injecting SSL client certificate... ", keystore.getFileName()); try { KeyStore keyStore = KeyStoreUtils.loadKeyStore( keystore.getFileType(), keystore.getFileName(), keystore.getPassword()); KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(keyStore, keystore.getPassword().toCharArray()); log.trace("SSL client certificate injected."); return kmf.getKeyManagers(); } catch (IOException | GeneralSecurityException e) { throw moaZSException(format("Can NOT load SSL client certificate from path: %s.", keystore.getFileName()), e); } } } private TrustManager[] initTrustManager(KeyStoreType truststore) { if (truststore == null) { log.trace("Using default truststore. "); return null; } else { log.trace("Find truststore path: {}. Injecting SSL truststore... ", truststore.getFileName()); try { KeyStore trustStore = KeyStoreUtils.loadKeyStore( truststore.getFileType(), truststore.getFileName(), truststore.getPassword()); TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); tmf.init(trustStore); log.trace("SSL TrustStore injected to client. "); return tmf.getTrustManagers(); } catch (GeneralSecurityException | IOException e) { throw moaZSException(format("Can NOT open SSL TrustStore from path: %s.", truststore.getFileName()), e); } } } /** * Class implementing a trust manager that trusts all certificates. * * @author Arne Tauber */ public static class TrustAllManager implements X509TrustManager { private static Logger log = LoggerFactory.getLogger(TrustAllManager.class); public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException { log.debug("Automatically accepting client certificate as trusted."); } public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException { log.debug("Automatically accepting server certificate as trusted."); } } }