authorwbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2008-09-09 09:54:32 +0000
committerwbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2008-09-09 09:54:32 +0000
commitc7cbf8a12db4fcb77fd374392e88c3fa04b1e100 (patch)
tree1534e48980e74a6cb3f61e10e75e2c6adff3aad4
parentd3698ed2a4f129e5af970f072bc79bb8226d7765 (diff)
added check to avoid sending baseid to non .gv.at domains
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@25 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
-rw-r--r--BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java139
-rw-r--r--BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUWorker.java25
-rw-r--r--BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java237
-rw-r--r--BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactoryException.java45
4 files changed, 240 insertions, 206 deletions
diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java
index 5d4d0dab..8289f30b 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java
@@ -1,19 +1,19 @@
/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
package at.gv.egiz.bku.online.applet;
import java.util.Locale;
@@ -29,71 +29,68 @@ import at.gv.egiz.bku.gui.BKUGUIFacade;
import at.gv.egiz.bku.gui.BKUGUIFactory;
/**
- * Note: all swing code is executed by the event dispatch thread (see BKUGUIFacade)
+ * Note: all swing code is executed by the event dispatch thread (see
+ * BKUGUIFacade)
*/
public class BKUApplet extends JApplet {
- private static Log log = LogFactory.getLog(BKUApplet.class);
+ private static Log log = LogFactory.getLog(BKUApplet.class);
+
+ public final static String RESOURCE_BUNDLE_BASE = "at/gv/egiz/bku/online/applet/Messages";
- public final static String RESOURCE_BUNDLE_BASE = "at/gv/egiz/bku/online/applet/Messages";
+ public final static String LOCALE_PARAM_KEY = "Locale";
+ public final static String LOGO_URL_KEY = "LogoURL";
+ public final static String WSDL_URL = "WSDL_URL";
+ public final static String SESSION_ID = "SessionID";
- public final static String LOCALE_PARAM_KEY = "Locale";
- public final static String LOGO_URL_KEY="LogoURL";
- public final static String WSDL_URL="WSDL_URL";
- public final static String SESSION_ID="SessionID";
+ protected ResourceBundle resourceBundle;
+ protected BKUWorker worker;
+ protected Thread workerThread;
- protected ResourceBundle resourceBundle;
- protected BKUWorker worker;
- protected Thread workerThread;
-
- public BKUApplet() {
- }
+ public BKUApplet() {
+ }
- public void init() {
- log.debug("Called init()");
- try {
- HttpsURLConnection.setDefaultSSLSocketFactory(InternalSSLSocketFactory.getSocketFactory());
- HttpsURLConnection.setDefaultHostnameVerifier(InternalSSLSocketFactory.getHostNameVerifier());
- } catch (InternalSSLSocketFactoryException e) {
- log.error(e);
- }
- String localeString = getMyAppletParameter(LOCALE_PARAM_KEY);
- if (localeString != null) {
- resourceBundle = ResourceBundle.getBundle(RESOURCE_BUNDLE_BASE,
- new Locale(localeString));
- } else {
- resourceBundle = ResourceBundle.getBundle(RESOURCE_BUNDLE_BASE);
- }
- BKUGUIFacade gui = BKUGUIFactory.createGUI();
- gui.init(getContentPane(), localeString);
- worker = new BKUWorker(gui, this, resourceBundle);
- }
+ public void init() {
+ log.debug("Called init()");
+ HttpsURLConnection.setDefaultSSLSocketFactory(InternalSSLSocketFactory
+ .getInstance());
+ String localeString = getMyAppletParameter(LOCALE_PARAM_KEY);
+ if (localeString != null) {
+ resourceBundle = ResourceBundle.getBundle(RESOURCE_BUNDLE_BASE,
+ new Locale(localeString));
+ } else {
+ resourceBundle = ResourceBundle.getBundle(RESOURCE_BUNDLE_BASE);
+ }
+ BKUGUIFacade gui = BKUGUIFactory.createGUI();
+ gui.init(getContentPane(), localeString);
+ worker = new BKUWorker(gui, this, resourceBundle);
+ }
- public void start() {
- log.debug("Called start()");
- workerThread = new Thread(worker);
- workerThread.start();
- }
+ public void start() {
+ log.debug("Called start()");
+ workerThread = new Thread(worker);
+ workerThread.start();
+ }
- public void stop() {
- log.debug("Called stop()");
- if ((workerThread != null) && (workerThread.isAlive())) {
- workerThread.interrupt();
- }
- }
+ public void stop() {
+ log.debug("Called stop()");
+ if ((workerThread != null) && (workerThread.isAlive())) {
+ workerThread.interrupt();
+ }
+ }
- public void destroy() {
- log.debug("Called destroy()");
- }
+ public void destroy() {
+ log.debug("Called destroy()");
+ }
- /**
- * Applet configuration parameters
- *
- * @param paramKey
- * @return
- */
- public String getMyAppletParameter(String paramKey) {
- log.info("Getting parameter: "+paramKey+ ": "+ getParameter(paramKey));
- return getParameter(paramKey);
- }
+ /**
+ * Applet configuration parameters
+ *
+ * @param paramKey
+ * @return
+ */
+ public String getMyAppletParameter(String paramKey) {
+ log.info("Getting parameter: " + paramKey + ": " + getParameter(paramKey));
+ return getParameter(paramKey);
+ }
}
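Review bot: `getMyAppletParameter` logs every parameter value at INFO, and it is also the lookup path for the `SESSION_ID` parameter declared above, so the session identifier lands in the applet log on each call; log only the key, `log.info("Getting parameter: " + paramKey);`, or move the value to debug. Its Javadoc carries empty tags; `@param paramKey name of the applet parameter to read` and `@return the parameter value, or {@code null} if the applet tag does not define it` would make it useful. Dropping the accept-all hostname verifier and the old trust manager from `init()` is the right direction, but `HttpsURLConnection.setDefaultSSLSocketFactory` is static and applies to every HTTPS connection opened afterwards in this JVM, not just this applet instance — worth a one-line comment at the call so nobody later scopes it per applet by mistake.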
diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUWorker.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUWorker.java
index f7b5fb2f..042c6a83 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUWorker.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUWorker.java
@@ -34,6 +34,8 @@ import at.gv.egiz.bku.smccstal.AbstractSMCCSTAL;
import at.gv.egiz.bku.smccstal.SMCCSTALRequestHandler;
import at.gv.egiz.smcc.SignatureCard;
import at.gv.egiz.smcc.util.SMCCHelper;
+import at.gv.egiz.stal.ErrorResponse;
+import at.gv.egiz.stal.InfoboxReadRequest;
import at.gv.egiz.stal.QuitRequest;
import at.gv.egiz.stal.STALRequest;
import at.gv.egiz.stal.STALResponse;
@@ -107,6 +109,8 @@ public class BKUWorker extends AbstractSMCCSTAL implements Runnable,
gui.showWelcomeDialog();
try {
stalPort = getSTALPort();
+
+
} catch (Exception e) {
log.fatal("Failed to call STAL service.", e);
actionCommandList.clear();
@@ -134,7 +138,26 @@ public class BKUWorker extends AbstractSMCCSTAL implements Runnable,
GetNextRequestResponseType resp = stalPort.getNextRequest(nextRequest);
log.info("Got " + resp.getRequest().size() + " requests from server.");
List<STALRequest> stalRequests = resp.getRequest();
- List<STALResponse> responses = handleRequest(stalRequests);
+ boolean handle = true;
+ for (STALRequest request : stalRequests) {
+ if (request instanceof InfoboxReadRequest) {
+ InfoboxReadRequest infobx = (InfoboxReadRequest) request;
+ if (infobx.getInfoboxIdentifier().equals("IdentityLink")) {
+ if (infobx.getDomainIdentifier() == null) {
+ if (!InternalSSLSocketFactory.getInstance().isEgovAgency()) {
+ handle = false;
+ }
+ }
+ }
+ }
+ }
+ List<STALResponse> responses;
+ if (handle) {
+ responses = handleRequest(stalRequests);
+ } else {
+ responses = new ArrayList<STALResponse>(1);
+ responses.add(new ErrorResponse(6002));
+ }
log.info("Got " + responses.size() + " responses.");
nextRequest = factory.createGetNextRequestType();
nextRequest.setSessionId(sessionId);
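Review bot: The guard in the `InfoboxReadRequest` branch decides via `InternalSSLSocketFactory.getInstance().isEgovAgency()`, which inspects whichever socket the JVM-wide factory created most recently rather than the connection this `stalPort` request arrived on, so the result is only right as long as no other HTTPS connection was opened in between; resolving the peer certificate from the connection actually used for `stalPort` would close that window. `infobx.getInfoboxIdentifier().equals("IdentityLink")` throws NullPointerException if the identifier can be absent; `"IdentityLink".equals(infobx.getInfoboxIdentifier())` is null-safe. Once `handle` is false the loop keeps iterating, so a `break;` after `handle = false;` states the intent, and the bare `6002` in `new ErrorResponse(6002)` deserves a named constant. The enclosing method starts before this hunk, and `ArrayList` must be imported further up the file — not visible here.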
diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
index ab04d2b6..79c369a2 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
@@ -1,19 +1,19 @@
/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
@@ -22,80 +22,139 @@
package at.gv.egiz.bku.online.applet;
import java.io.IOException;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.CertificateException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.List;
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.X509TrustManager;
-
-public class InternalSSLSocketFactory {
-
- private SSLSocketFactory factory;
-
- public static SSLSocketFactory getSocketFactory() throws InternalSSLSocketFactoryException {
- return new InternalSSLSocketFactory().factory;
- }
-
- public static HostnameVerifier getHostNameVerifier() throws InternalSSLSocketFactoryException {
- return (new HostnameVerifier() {
- @Override
- public boolean verify(String hostname, SSLSession session) {
- return true;
- }
- });
- }
-
- public InternalSSLSocketFactory() throws InternalSSLSocketFactoryException {
- SSLContext sslContext;
- try {
- sslContext = SSLContext.getInstance("TLSv1");
- sslContext.getClientSessionContext().setSessionTimeout(0);
- KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
-
- KeyStore keyStore = KeyStore.getInstance("JKS");
- keyStore.load(null, null);
- keyManagerFactory.init(keyStore, null);
-
- sslContext.init(keyManagerFactory.getKeyManagers(),
- new X509TrustManager[] { new AcceptAllTrustManager() },
- null);
- } catch (NoSuchAlgorithmException e) {
- throw new InternalSSLSocketFactoryException(e);
- } catch (CertificateException e) {
- throw new InternalSSLSocketFactoryException(e);
- } catch (IOException e) {
- throw new InternalSSLSocketFactoryException(e);
- } catch (KeyStoreException e) {
- throw new InternalSSLSocketFactoryException(e);
- } catch (UnrecoverableKeyException e) {
- throw new InternalSSLSocketFactoryException(e);
- } catch (KeyManagementException e) {
- throw new InternalSSLSocketFactoryException(e);
- }
-
- this.factory = sslContext.getSocketFactory();
- }
-
- class AcceptAllTrustManager implements X509TrustManager {
-
- public X509Certificate[] getAcceptedIssuers() {
- return null;
- }
-
- public void checkClientTrusted(X509Certificate[] chain, String authType) {
- }
-
- public void checkServerTrusted(X509Certificate[] chain, String authType) {
- //FIXME
- }
- }
-};
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class InternalSSLSocketFactory extends SSLSocketFactory {
+
+ private static InternalSSLSocketFactory instance = new InternalSSLSocketFactory();
+
+ private final static Log log = LogFactory
+ .getLog(InternalSSLSocketFactory.class);
+
+ private final static String GOV_DOMAIN = ".gv.at";
+
+ private SSLSocket sslSocket;
+
+ private SSLSocketFactory proxy;
+
+ private InternalSSLSocketFactory() {
+ proxy = HttpsURLConnection.getDefaultSSLSocketFactory();
+ }
+
+ public static InternalSSLSocketFactory getInstance() {
+ return instance;
+ }
+
+ @Override
+ public Socket createSocket() throws IOException {
+ sslSocket = (SSLSocket) proxy.createSocket();
+ return sslSocket;
+ }
+
+ @Override
+ public Socket createSocket(String arg0, int arg1) throws IOException,
+ UnknownHostException {
+ sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1);
+
+ return sslSocket;
+ }
+
+ @Override
+ public Socket createSocket(InetAddress arg0, int arg1) throws IOException {
+ sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1);
+ return sslSocket;
+ }
+
+ @Override
+ public Socket createSocket(String arg0, int arg1, InetAddress arg2, int arg3)
+ throws IOException, UnknownHostException {
+ sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
+ return sslSocket;
+ }
+
+ @Override
+ public Socket createSocket(InetAddress arg0, int arg1, InetAddress arg2,
+ int arg3) throws IOException {
+ sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
+ return sslSocket;
+ }
+
+ @Override
+ public Socket createSocket(Socket arg0, String arg1, int arg2, boolean arg3)
+ throws IOException {
+ sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
+ return sslSocket;
+ }
+
+ @Override
+ public String[] getDefaultCipherSuites() {
+ return proxy.getDefaultCipherSuites();
+ }
+
+ @Override
+ public String[] getSupportedCipherSuites() {
+ return proxy.getSupportedCipherSuites();
+ }
+
+ public boolean isEgovAgency() {
+ log.info("Checking if server is egov agency");
+ if (sslSocket != null) {
+ try {
+ X509Certificate cert = (X509Certificate) sslSocket.getSession()
+ .getPeerCertificates()[0];
+ log.info("Server cert: " + cert);
+ return isGovAgency(cert);
+ } catch (SSLPeerUnverifiedException e) {
+ log.error(e);
+ return false;
+ }
+ }
+ log.info("Not a SSL connection");
+ return false;
+ }
+
+ public static boolean isGovAgency(X509Certificate cert) {
+ String[] rdns = (cert.getSubjectX500Principal().getName()).split(",");
+ for (String rdn : rdns) {
+ if (rdn.startsWith("CN=")) {
+ String dns = rdn.split("=")[1];
+ if (dns.endsWith(GOV_DOMAIN)) {
+ return true;
+ }
+ }
+ }
+ try {
+ Collection<List<?>> sanList = cert.getSubjectAlternativeNames();
+ if (sanList != null) {
+ for (List<?> san : sanList) {
+ if ((Integer) san.get(0) == 2) {
+ String dns = (String) san.get(1);
+ if (dns.endsWith(GOV_DOMAIN)) {
+ return true;
+ }
+ }
+ }
+ }
+ } catch (CertificateParsingException e) {
+ log.error(e);
+ }
+ if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
+ return true;
+ }
+ return false;
+ }
+}
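Review bot: `sslSocket` is a single mutable field on a JVM-wide singleton that every `createSocket` overload overwrites, so `isEgovAgency()` answers for the last socket created anywhere, not for a given connection, and concurrent `createSocket` calls from different threads race on it; passing the socket or the `HttpsURLConnection` to check into the method instead of caching it would make the answer deterministic. `isGovAgency` parses the subject DN with `split(",")`/`split("=")`, which misreads RDN values containing escaped commas or `=` and silently takes only the first value after `CN=`; `javax.naming.ldap.LdapName` over `getSubjectX500Principal().getName()` yields the RDNs correctly, as sketched below. Both the CN loop and the SAN loop return true if any name in the certificate ends in `.gv.at`, whereas the commit message targets the host actually connected — also comparing `sslSocket.getSession().getPeerHost()` against `GOV_DOMAIN` would narrow the decision to that host. A short Javadoc on `isGovAgency` listing the three acceptance criteria (CN suffix, dNSName SAN suffix, presence of extension `1.2.40.0.10.1.1.1`) would help the next reader.

```java
  public static boolean isGovAgency(X509Certificate cert) {
    try {
      LdapName subject = new LdapName(cert.getSubjectX500Principal().getName());
      for (Rdn rdn : subject.getRdns()) {
        if ("CN".equalsIgnoreCase(rdn.getType())
            && String.valueOf(rdn.getValue()).endsWith(GOV_DOMAIN)) {
          return true;
        }
      }
    } catch (InvalidNameException e) {
      log.error(e);
    }
    // … unchanged: subjectAltName dNSName loop and extension 1.2.40.0.10.1.1.1 check …
  }
```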
diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactoryException.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactoryException.java
deleted file mode 100644
index c620284a..00000000
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactoryException.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-/*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
- */
-
-package at.gv.egiz.bku.online.applet;
-
-/**
- *
- * @author mcentner
- */
-public class InternalSSLSocketFactoryException extends Exception {
-
- public InternalSSLSocketFactoryException(Throwable cause) {
- super(cause);
- }
-
- public InternalSSLSocketFactoryException(String message, Throwable cause) {
- super(message, cause);
- }
-
- public InternalSSLSocketFactoryException(String message) {
- super(message);
- }
-
- public InternalSSLSocketFactoryException() {
- }
-
-}