added check to avoid sending baseid to non .gv.at domains

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@25 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
author: wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> 2008-09-09 09:54:32 +0000
committer: wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> 2008-09-09 09:54:32 +0000
commit: c7cbf8a12db4fcb77fd374392e88c3fa04b1e100 (patch)
tree: 1534e48980e74a6cb3f61e10e75e2c6adff3aad4 /BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
parent: d3698ed2a4f129e5af970f072bc79bb8226d7765 (diff)
download: mocca-c7cbf8a12db4fcb77fd374392e88c3fa04b1e100.tar.gz
mocca-c7cbf8a12db4fcb77fd374392e88c3fa04b1e100.tar.bz2
mocca-c7cbf8a12db4fcb77fd374392e88c3fa04b1e100.zip
1 files changed, 148 insertions, 89 deletions
diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
index ab04d2b6..79c369a2 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
@@ -1,19 +1,19 @@
 /*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 /*
  * To change this template, choose Tools | Templates
  * and open the template in the editor.
@@ -22,80 +22,139 @@
 package at.gv.egiz.bku.online.applet;
 
 import java.io.IOException;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.CertificateException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.List;
 
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.X509TrustManager;
-
-public class InternalSSLSocketFactory {
-
-  private SSLSocketFactory factory;
-
-  public static SSLSocketFactory getSocketFactory() throws InternalSSLSocketFactoryException {
-    return new InternalSSLSocketFactory().factory;
-  }
-  
-  public static HostnameVerifier getHostNameVerifier() throws InternalSSLSocketFactoryException {
-   return (new HostnameVerifier() {
-    @Override
-    public boolean verify(String hostname, SSLSession session) {
-      return true;
-    }    
-   });
-  }
-
-  public InternalSSLSocketFactory() throws InternalSSLSocketFactoryException {
-    SSLContext sslContext;
-    try {
-      sslContext = SSLContext.getInstance("TLSv1");
-      sslContext.getClientSessionContext().setSessionTimeout(0);
-      KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
-
-      KeyStore keyStore = KeyStore.getInstance("JKS");
-      keyStore.load(null, null);
-      keyManagerFactory.init(keyStore, null);
-
-      sslContext.init(keyManagerFactory.getKeyManagers(), 
-        new X509TrustManager[] { new AcceptAllTrustManager() },
-        null);
-    } catch (NoSuchAlgorithmException e) {
-      throw new InternalSSLSocketFactoryException(e);
-    } catch (CertificateException e) {
-      throw new InternalSSLSocketFactoryException(e);
-    } catch (IOException e) {
-      throw new InternalSSLSocketFactoryException(e);
-    } catch (KeyStoreException e) {
-      throw new InternalSSLSocketFactoryException(e);
-    } catch (UnrecoverableKeyException e) {
-      throw new InternalSSLSocketFactoryException(e);
-    } catch (KeyManagementException e) {
-      throw new InternalSSLSocketFactoryException(e);
-    }
-
-    this.factory = sslContext.getSocketFactory();
-  }
-
-  class AcceptAllTrustManager implements X509TrustManager {
-
-    public X509Certificate[] getAcceptedIssuers() {
-      return null;
-    }
-
-    public void checkClientTrusted(X509Certificate[] chain, String authType) {
-    }
-
-    public void checkServerTrusted(X509Certificate[] chain, String authType) {
-      //FIXME
-    }
-  }
-};
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class InternalSSLSocketFactory extends SSLSocketFactory {
+
+	private static InternalSSLSocketFactory instance = new InternalSSLSocketFactory();
+
+	private final static Log log = LogFactory
+			.getLog(InternalSSLSocketFactory.class);
+
+	private final static String GOV_DOMAIN = ".gv.at";
+
+	private SSLSocket sslSocket;
+
+	private SSLSocketFactory proxy;
+
+	private InternalSSLSocketFactory() {
+		proxy = HttpsURLConnection.getDefaultSSLSocketFactory();
+	}
+
+	public static InternalSSLSocketFactory getInstance() {
+		return instance;
+	}
+
+	@Override
+	public Socket createSocket() throws IOException {
+		sslSocket = (SSLSocket) proxy.createSocket();
+		return sslSocket;
+	}
+
+	@Override
+	public Socket createSocket(String arg0, int arg1) throws IOException,
+			UnknownHostException {
+		sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1);
+
+		return sslSocket;
+	}
+
+	@Override
+	public Socket createSocket(InetAddress arg0, int arg1) throws IOException {
+		sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1);
+		return sslSocket;
+	}
+
+	@Override
+	public Socket createSocket(String arg0, int arg1, InetAddress arg2, int arg3)
+			throws IOException, UnknownHostException {
+		sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
+		return sslSocket;
+	}
+
+	@Override
+	public Socket createSocket(InetAddress arg0, int arg1, InetAddress arg2,
+			int arg3) throws IOException {
+		sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
+		return sslSocket;
+	}
+
+	@Override
+	public Socket createSocket(Socket arg0, String arg1, int arg2, boolean arg3)
+			throws IOException {
+		sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
+		return sslSocket;
+	}
+
+	@Override
+	public String[] getDefaultCipherSuites() {
+		return proxy.getDefaultCipherSuites();
+	}
+
+	@Override
+	public String[] getSupportedCipherSuites() {
+		return proxy.getSupportedCipherSuites();
+	}
+
+	public boolean isEgovAgency() {
+		log.info("Checking if server is egov agency");
+		if (sslSocket != null) {
+			try {
+				X509Certificate cert = (X509Certificate) sslSocket.getSession()
+						.getPeerCertificates()[0];
+				log.info("Server cert: " + cert);
+				return isGovAgency(cert);
+			} catch (SSLPeerUnverifiedException e) {
+				log.error(e);
+				return false;
+			}
+		}
+		log.info("Not a SSL connection");
+		return false;
+	}
+
+	public static boolean isGovAgency(X509Certificate cert) {
+		String[] rdns = (cert.getSubjectX500Principal().getName()).split(",");
+		for (String rdn : rdns) {
+			if (rdn.startsWith("CN=")) {
+				String dns = rdn.split("=")[1];
+				if (dns.endsWith(GOV_DOMAIN)) {
+					return true;
+				}
+			}
+		}
+		try {
+			Collection<List<?>> sanList = cert.getSubjectAlternativeNames();
+			if (sanList != null) {
+				for (List<?> san : sanList) {
+					if ((Integer) san.get(0) == 2) {
+						String dns = (String) san.get(1);
+						if (dns.endsWith(GOV_DOMAIN)) {
+							return true;
+						}
+					}
+				}
+			}
+		} catch (CertificateParsingException e) {
+			log.error(e);
+		}
+		if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
+			return true;
+		}
+		return false;
+	}
+}
author	wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>	2008-09-09 09:54:32 +0000
committer	wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>	2008-09-09 09:54:32 +0000
commit	c7cbf8a12db4fcb77fd374392e88c3fa04b1e100 (patch)
tree	1534e48980e74a6cb3f61e10e75e2c6adff3aad4 /BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
parent	d3698ed2a4f129e5af970f072bc79bb8226d7765 (diff)
download	mocca-c7cbf8a12db4fcb77fd374392e88c3fa04b1e100.tar.gz mocca-c7cbf8a12db4fcb77fd374392e88c3fa04b1e100.tar.bz2 mocca-c7cbf8a12db4fcb77fd374392e88c3fa04b1e100.zip