| author | wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2008-09-05 09:50:12 +0000 | 
|---|---|---|
| committer | wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2008-09-05 09:50:12 +0000 | 
| commit | ead5dc6d62e7fd6325ea164625b02a6b6fbb226e (patch) | |
| tree | 5f048132c75e14bec3c3f5bae80c22e5be148c72 /BKUOnline/src/main/java | |
| parent | e0f2c64ad6360e2ecec983cb5e0a60f812672106 (diff) | |
Added SSL configuration to BKUOnline
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@15 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'BKUOnline/src/main/java')
| -rw-r--r-- | BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java | 131 | ||||
| -rw-r--r-- | BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java | 167 | 
2 files changed, 230 insertions, 68 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java
 index f51335e1..d158b46e 100644
 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java
 +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java
 @@ -1,21 +1,21 @@
  /*
 -* Copyright 2008 Federal Chancellery Austria and
 -* Graz University of Technology
 -*
 -* Licensed under the Apache License, Version 2.0 (the "License");
 -* you may not use this file except in compliance with the License.
 -* You may obtain a copy of the License at
 -*
 -*     http://www.apache.org/licenses/LICENSE-2.0
 -*
 -* Unless required by applicable law or agreed to in writing, software
 -* distributed under the License is distributed on an "AS IS" BASIS,
 -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 -* See the License for the specific language governing permissions and
 -* limitations under the License.
 -*/
 -package at.gv.egiz.bku.online.conf;
 -
 + * Copyright 2008 Federal Chancellery Austria and
 + * Graz University of Technology
 + *
 + * Licensed under the Apache License, Version 2.0 (the "License");
 + * you may not use this file except in compliance with the License.
 + * You may obtain a copy of the License at
 + *
 + *     http://www.apache.org/licenses/LICENSE-2.0
 + *
 + * Unless required by applicable law or agreed to in writing, software
 + * distributed under the License is distributed on an "AS IS" BASIS,
 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 + * See the License for the specific language governing permissions and
 + * limitations under the License.
 + */
 +package at.gv.egiz.bku.online.conf;
 +
  import iaik.security.ecc.provider.ECCProvider;
  import iaik.xml.crypto.XSecProvider;
 @@ -30,53 +30,52 @@ import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
  import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider;
 -
 -/**
 - * 
 - * TODO currently only the code to get started.  
 - */
 -public class Configurator {
 -  private Log log = LogFactory.getLog(Configurator.class);
 -  
 -  protected Properties properties;
 -
 -  public Configurator() {
 -  }
 -
 -  protected void configUrlConnections() {
 -    HttpsURLConnection.setFollowRedirects(false);
 -    HttpURLConnection.setFollowRedirects(false);
 -  }
 -
 -  protected void configureProviders() {
 -    log.debug("Registering security providers");  
 -    Security.addProvider(new STALProvider());
 -    XSecProvider.addAsProvider(false);
 -    Security.insertProviderAt(new ECCProvider(false), 1);
 -    StringBuffer sb = new StringBuffer();
 -    sb.append("Following providers are now registered: ");
 -    int i = 1;
 -    for (Provider prov : Security.getProviders()) {
 -      sb.append((i++) + ". : " + prov);
 -    }
 -    log.debug("Configured provider" + sb.toString());
 -  }
 -
 -  public void configure() {
 -    configureProviders();
 -    configUrlConnections();
 -  }
 -  public void setConfiguration(Properties props) {
 -  	this.properties = props;
 -  	configure();
 -  }
 -  
 -  public String getProperty(String key) {
 -  	if (properties != null) {
 -  		return properties.getProperty(key);
 -  	}
 -  	return null;
 -  }
 -  
 -}
 +/**
 + * 
 + * TODO currently only the code to get started.
 + */
 +public class Configurator {
 +
 +	private Log log = LogFactory.getLog(Configurator.class);
 +
 +	protected Properties properties;
 +
 +	public Configurator() {
 +	}
 +
 +	protected void configUrlConnections() {
 +		HttpsURLConnection.setFollowRedirects(false);
 +		HttpURLConnection.setFollowRedirects(false);
 +	}
 +
 +	protected void configureProviders() {
 +		log.debug("Registering security providers");
 +		Security.addProvider(new STALProvider());
 +		XSecProvider.addAsProvider(false);
 +		Security.insertProviderAt(new ECCProvider(false), 1);
 +		StringBuffer sb = new StringBuffer();
 +		sb.append("Following providers are now registered: ");
 +		int i = 1;
 +		for (Provider prov : Security.getProviders()) {
 +			sb.append((i++) + ". : " + prov);
 +		}
 +		log.debug("Configured provider" + sb.toString());
 +	}
 +
 +	public void configure() {
 +		configureProviders();
 +		configUrlConnections();
 +	}
 +
 +	public void setConfiguration(Properties props) {
 +		this.properties = props;
 +	}
 +
 +	public String getProperty(String key) {
 +		if (properties != null) {
 +			return properties.getProperty(key);
 +		}
 +		return null;
 +	}
 +}
 diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
 index 96588d7d..100285ed 100644
 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
 +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
 @@ -1,16 +1,52 @@
  package at.gv.egiz.bku.online.conf;
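Review bot: setConfiguration() no longer invokes configure() (the old `configure();` line is removed), and nothing else in this diff calls configure() in its place, so unless the Spring wiring invokes it explicitly — an init-method or a caller outside this change — the provider registration in configureProviders() and the `setFollowRedirects(false)` hardening silently never run; confirm the bean definition and state the contract on configure(), e.g. `/** Must be called once after setConfiguration(); registers the JCA providers and disables HTTP redirect following JVM-wide. */`. Both calls in configUrlConnections() reach the same inherited static HttpURLConnection.setFollowRedirects, so the HttpsURLConnection line is redundant; one call plus a comment that the setting is process-global is clearer. The provider order set up here is also JVM-global, which is worth a comment since any other component in the same JVM sees it.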
 +import java.io.File;
 +import java.io.FileInputStream;
  import java.io.IOException;
 +import java.security.InvalidAlgorithmParameterException;
 +import java.security.NoSuchAlgorithmException;
 +import java.security.Security;
 +import java.security.cert.CertPath;
 +import java.security.cert.CertPathBuilder;
 +import java.security.cert.CertStore;
 +import java.security.cert.CertificateException;
 +import java.security.cert.CertificateFactory;
 +import java.security.cert.CollectionCertStoreParameters;
 +import java.security.cert.PKIXBuilderParameters;
 +import java.security.cert.PKIXCertPathBuilderResult;
 +import java.security.cert.TrustAnchor;
 +import java.security.cert.X509CertSelector;
 +import java.security.cert.X509Certificate;
 +import java.util.HashSet;
 +import java.util.LinkedList;
 +import java.util.List;
  import java.util.Properties;
 +import java.util.Set;
 +
 +import javax.net.ssl.CertPathTrustManagerParameters;
 +import javax.net.ssl.HttpsURLConnection;
 +import javax.net.ssl.KeyManager;
 +import javax.net.ssl.ManagerFactoryParameters;
 +import javax.net.ssl.SSLContext;
 +import javax.net.ssl.TrustManager;
 +import javax.net.ssl.TrustManagerFactory;
 +import javax.net.ssl.X509TrustManager;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
 +import org.springframework.context.ResourceLoaderAware;
  import org.springframework.core.io.Resource;
 +import org.springframework.core.io.ResourceLoader;
 +
 +import at.gv.egiz.bku.slexceptions.SLRuntimeException;
 -public class SpringConfigurator extends Configurator {
 +public class SpringConfigurator extends Configurator implements
 +		ResourceLoaderAware {
  	private final static Log log = LogFactory.getLog(SpringConfigurator.class);
 +	private ResourceLoader resourceLoader;
 +
  	public void setResource(Resource resource) {
  		log.debug("Loading config from: " + resource);
  		if (resource != null) {
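Review bot: Several of the newly added imports appear unused in the new code visible in this diff — `CertPath`, `CertPathBuilder`, `PKIXCertPathBuilderResult`, `TrustManager` and `X509TrustManager` are not referenced by configureSSL(), getCACerts() or getCertstore(). Unless the hidden part of setResource() uses them, drop them so the trust-manager setup is not misread as doing its own path building. setResource()'s body continues past the end of this hunk.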
@@ -24,4 +60,131 @@ public class SpringConfigurator extends Configurator {
  		}
  	}
 -}
 +	public void configure() {
 +		super.configure();
 +		configureSSL();
 +	}
 +
 +	private Set<TrustAnchor> getCACerts() throws IOException,
 +			CertificateException {
 +		Set<TrustAnchor> caCerts = new HashSet<TrustAnchor>();
 +		String caDirectory = getProperty("SSL.caDirectory");
 +		if (caDirectory != null) {
 +			Resource caDirRes = resourceLoader.getResource(caDirectory);
 +
 +			File caDir = caDirRes.getFile();
 +			if (!caDir.isDirectory()) {
 +				log.error("Expecting directory as SSL.caDirectory parameter");
 +				throw new SLRuntimeException(
 +						"Expecting directory as SSL.caDirectory parameter");
 +			}
 +			CertificateFactory cf = CertificateFactory.getInstance("X.509");
 +			for (File f : caDir.listFiles()) {
 +				try {
 +					FileInputStream fis = new FileInputStream(f);
 +					X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
 +					fis.close();
 +					log.debug("Adding trusted cert " + cert.getSubjectDN());
 +					caCerts.add(new TrustAnchor(cert, null));
 +				} catch (Exception e) {
 +					log.error("Cannot add trusted ca", e);
 +				}
 +			}
 +			return caCerts;
 +
 +		} else {
 +			log.warn("No CA certificates configured");
 +		}
 +		return null;
 +	}
 +
 +	private CertStore getCertstore() throws IOException, CertificateException,
 +			InvalidAlgorithmParameterException, NoSuchAlgorithmException {
 +		String certDirectory = getProperty("SSL.certDirectory");
 +		if (certDirectory != null) {
 +			Resource certDirRes = resourceLoader.getResource(certDirectory);
 +
 +			File certDir = certDirRes.getFile();
 +			if (!certDir.isDirectory()) {
 +				log.error("Expecting directory as SSL.certDirectory parameter");
 +				throw new SLRuntimeException(
 +						"Expecting directory as SSL.certDirectory parameter");
 +			}
 +			List<X509Certificate> certCollection = new LinkedList<X509Certificate>();
 +			CertificateFactory cf = CertificateFactory.getInstance("X.509");
 +			for (File f : certDir.listFiles()) {
 +				try {
 +					FileInputStream fis = new FileInputStream(f);
 +					X509Certificate cert =(X509Certificate) cf.generateCertificate(fis);
 +					certCollection.add(cert);
 +					fis.close();
 +					log.trace("Added following cert to certstore: "+cert.getSubjectDN());
 +				} catch (Exception ex) {
 +					log.error("Cannot add certificate", ex);
 +				}
 +			}
 +			CollectionCertStoreParameters csp = new CollectionCertStoreParameters(
 +					certCollection);
 +			return CertStore.getInstance("Collection", csp);
 +
 +		} else {
 +			log.warn("No certstore configured");
 +		}
 +		return null;
 +	}
 +
 +	public void configureSSL() {
 +		Set<TrustAnchor> caCerts = null;
 +		try {
 +			caCerts = getCACerts();
 +		} catch (Exception e1) {
 +			log.error("Cannot load CA certificates", e1);
 +		}
 +		CertStore certStore = null;
 +		try {
 +			certStore = getCertstore();
 +		} catch (Exception e1) {
 +			log.error("Cannot load certstore certificates", e1);
 +		}
 +		System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
 +		try {
 +			X509CertSelector selector = new X509CertSelector();
 +			PKIXBuilderParameters pkixParams;
 +			pkixParams = new PKIXBuilderParameters(caCerts, selector);
 +			if ((getProperty("SSL.doRevocationChecking") != null)
 +					&& (Boolean.valueOf(getProperty("SSL.doRevocationChecking")))) {
 +				log.info("Enable revocation checking");
 +				pkixParams.setRevocationEnabled(true);
 +				System.setProperty("com.sun.security.enableCRLDP", "true");
 +				Security.setProperty("ocsp.enable", "true");
 +			} else {
 +				log.warn("Revocation checking disabled");
 +				pkixParams.setRevocationEnabled(false);
 +			}
 +			pkixParams.addCertStore(certStore);
 +			ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(
 +					pkixParams);
 +			TrustManagerFactory trustFab;
 +			try {
 +				trustFab = TrustManagerFactory.getInstance("PKIX");
 +				trustFab.init(trustParams);
 +				KeyManager[] km = null;
 +				SSLContext sslCtx = SSLContext
 +						.getInstance(getProperty("SSL.sslProtocol"));
 +				sslCtx.init(km, trustFab.getTrustManagers(), null);
 +				HttpsURLConnection
 +						.setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
 +			} catch (Exception e) {
 +				log.error("Cannot configure SSL", e);
 +			}
 +
 +		} catch (InvalidAlgorithmParameterException e) {
 +			log.error("Cannot configure SSL", e);
 +		}
 +	}
 +
 +	@Override
 +	public void setResourceLoader(ResourceLoader loader) {
 +		this.resourceLoader = loader;
 +	}
 +}
\ No newline at end of file | 
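Review bot: configureSSL() fails open — a failure anywhere in the trust setup (an unreadable SSL.caDirectory caught at L182, an empty anchor set rejected by the PKIXBuilderParameters constructor and caught at L223, or a missing SSL.sslProtocol making SSLContext.getInstance throw into the catch at L219) is only logged and the method returns normally, so HttpsURLConnection keeps the JVM default socket factory and the JDK cacerts trust store instead of the configured CA set. Since this class exists to restrict outbound HTTPS to the configured anchors, misconfiguration should abort the way the directory checks at L118-L120 already do, as sketched below; today the only path that aborts is SSL.caDirectory being unset, where getCACerts() returns null and `new PKIXBuilderParameters(null, selector)` throws an uncaught NullPointerException — by accident rather than design. `System.setProperty("com.sun.security.enableAIAcaIssuers", "true")`, `enableCRLDP` and `Security.setProperty("ocsp.enable", "true")` are JVM-wide switches that change PKIX validation for every caller in the process, not just this trust manager, and AIA chasing makes path building fetch issuer certificates from URLs embedded in the peer's certificate — add a comment saying so. In getCACerts()/getCertstore() the `FileInputStream` is left open when generateCertificate throws, so close it in a `finally`, and listFiles() can return null if the directory becomes unreadable after the isDirectory() check.
```java
	public void configureSSL() {
		Set<TrustAnchor> caCerts = null;
		try {
			caCerts = getCACerts();
		} catch (Exception e1) {
			log.error("Cannot load CA certificates", e1);
			throw new SLRuntimeException("Cannot load CA certificates");
		}
		if (caCerts == null || caCerts.isEmpty()) {
			log.error("No trust anchors found in SSL.caDirectory");
			throw new SLRuntimeException("No trust anchors found in SSL.caDirectory");
		}
		// … unchanged: certstore loading, AIA/revocation switches, PKIXBuilderParameters …
			} catch (Exception e) {
				log.error("Cannot configure SSL", e);
				throw new SLRuntimeException("Cannot configure SSL");
			}
		} catch (InvalidAlgorithmParameterException e) {
			log.error("Cannot configure SSL", e);
			throw new SLRuntimeException("Cannot configure SSL");
		}
	}
```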
