changed ssl certificate validation, now using iaik_pki

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@83 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
author: wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> 2008-10-08 08:39:17 +0000
committer: wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> 2008-10-08 08:39:17 +0000
commit: 27d91275555207f9e152c2867d52fbbf83f92ba7 (patch)
tree: 27798cbea71918278dc04c9a3e4e309f05956888 /bkucommon/src/main/java
parent: 35364f7492308692bd690c17f5527f4157eb583a (diff)
download: mocca-27d91275555207f9e152c2867d52fbbf83f92ba7.tar.gz
mocca-27d91275555207f9e152c2867d52fbbf83f92ba7.tar.bz2
mocca-27d91275555207f9e152c2867d52fbbf83f92ba7.zip
3 files changed, 172 insertions, 64 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidator.java b/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidator.java
new file mode 100644
index 00000000..6a95b369
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidator.java
@@ -0,0 +1,13 @@
+package at.gv.egiz.bku.conf;
+
+import iaik.x509.X509Certificate;
+
+import java.io.File;
+
+public interface CertValidator {
+
+  public abstract void init(File certDir, File caDir);
+
+  public abstract boolean isCertificateValid(String transactionId, X509Certificate[] certs);
+
+}
+\ No newline at end of file
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidatorImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidatorImpl.java
new file mode 100644
index 00000000..125233c1
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidatorImpl.java
@@ -0,0 +1,83 @@
+package at.gv.egiz.bku.conf;
+
+import iaik.logging.TransactionId;
+import iaik.logging.impl.TransactionIdImpl;
+import iaik.pki.DefaultPKIConfiguration;
+import iaik.pki.DefaultPKIProfile;
+import iaik.pki.PKIConfiguration;
+import iaik.pki.PKIException;
+import iaik.pki.PKIFactory;
+import iaik.pki.PKIModule;
+import iaik.pki.PKIProfile;
+import iaik.pki.store.certstore.CertStoreParameters;
+import iaik.pki.store.certstore.directory.DefaultDirectoryCertStoreParameters;
+import iaik.pki.store.truststore.DefaultTrustStoreProfile;
+import iaik.pki.store.truststore.TrustStoreProfile;
+import iaik.pki.store.truststore.TrustStoreTypes;
+import iaik.x509.X509Certificate;
+
+import java.io.File;
+import java.util.Date;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class CertValidatorImpl implements CertValidator {
+
+  private static Log log = LogFactory.getLog(CertValidatorImpl.class);
+
+  private PKIFactory pkiFactory;
+  private PKIProfile profile;
+
+  public CertValidatorImpl() {
+
+  }
+
+  /* (non-Javadoc)
+   * @see at.gv.egiz.bku.conf.CertValidator#init(java.io.File, java.io.File)
+   */
+  public void init(File certDir, File caDir) {
+    // the parameters specifying the directory certstore
+    CertStoreParameters[] certStoreParameters = { new DefaultDirectoryCertStoreParameters(
+        "CS-001", certDir.getAbsolutePath(), true, false) };
+
+    // create a new PKI configuration using the certstore parameters
+    PKIConfiguration pkiConfig = new DefaultPKIConfiguration(
+        certStoreParameters);
+
+    // Transaction ID for logging
+    TransactionId tid = new TransactionIdImpl("Configure-PKI");
+    // get PKI factory for creating PKI module(s)
+    pkiFactory = PKIFactory.getInstance();
+    // configure the factory
+    try {
+      pkiFactory.configure(pkiConfig, tid);
+    } catch (PKIException e) {
+      log.error("Cannot configure PKI module", e);
+    }
+    // the truststore to be used
+    TrustStoreProfile trustProfile = new DefaultTrustStoreProfile("TS-001",
+        TrustStoreTypes.DIRECTORY, caDir.getAbsolutePath());
+    profile = new DefaultPKIProfile(trustProfile);
+    ((DefaultPKIProfile)profile).setAutoAddCertificates(true);
+  }
+
+  /* (non-Javadoc)
+   * @see at.gv.egiz.bku.conf.CertValidator#isCertificateValid(java.lang.String, iaik.x509.X509Certificate[])
+   */
+  public boolean isCertificateValid(String transactionId,
+      X509Certificate[] certs) {
+    // Transaction ID for logging
+    TransactionId tid = new TransactionIdImpl(transactionId);
+    // get a PKIModule
+    PKIModule pkiModule;
+    try {
+      pkiModule = pkiFactory.getPKIModule(profile);
+      return pkiModule.validateCertificate(new Date(), certs[0], certs, null,
+          tid).isCertificateValid();
+    } catch (PKIException e) {
+      log.error("Cannot validate certificate", e);
+    }
+    return false;
+  }
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java b/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java
index 9a1e7020..9ed99190 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java
@@ -9,6 +9,7 @@ import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.HttpURLConnection;
+import java.security.GeneralSecurityException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
@@ -18,27 +19,18 @@ import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.LDAPCertStoreParameters;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Properties;
-import java.util.Set;
 
-import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.KeyManager;
-import javax.net.ssl.ManagerFactoryParameters;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
 import org.apache.commons.logging.Log;
@@ -55,6 +47,8 @@ public abstract class Configurator {
 
   protected Properties properties;
 
+  protected CertValidator certValidator;
+
   protected Configurator() {
   }
 
@@ -64,9 +58,9 @@ public abstract class Configurator {
 
   protected abstract InputStream getManifest();
 
-  private Set<TrustAnchor> getCACerts() throws IOException,
+  private X509Certificate[] getCACerts() throws IOException,
       CertificateException {
-    Set<TrustAnchor> caCerts = new HashSet<TrustAnchor>();
+    List<X509Certificate> caCerts = new ArrayList<X509Certificate>();
     File caDir = getCADir();
     if (caDir != null) {
       if (!caDir.isDirectory()) {
@@ -81,13 +75,12 @@ public abstract class Configurator {
           X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
           fis.close();
           log.debug("Adding trusted cert " + cert.getSubjectDN());
-          caCerts.add(new TrustAnchor(cert, null));
+          caCerts.add(cert);
         } catch (Exception e) {
           log.error("Cannot add trusted ca", e);
         }
       }
-      return caCerts;
-
+      return  caCerts.toArray(new X509Certificate[caCerts.size()]);
     } else {
       log.warn("No CA certificates configured");
     }
@@ -239,69 +232,33 @@ public abstract class Configurator {
   }
 
   public void configureSSL() {
-    Set<TrustAnchor> caCerts = null;
+    X509Certificate[] caCerts = null;
     try {
       caCerts = getCACerts();
     } catch (Exception e1) {
       log.error("Cannot load CA certificates", e1);
     }
-    List<CertStore> certStoreList = null;
-    try {
-      certStoreList = getCertstore();
-    } catch (Exception e1) {
-      log.error("Cannot load certstore certificates", e1);
-    }
-    String aia = getProperty("SSL.useAIA");
-    if ((aia == null) || (aia.equals(""))) {
-      System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
-    } else {
-      System.setProperty("com.sun.security.enableAIAcaIssuers", aia);
-    }
-    String lifetime = getProperty("SSL.cache.lifetime");
-    if ((lifetime == null) || (lifetime.equals(""))) {
-      System.setProperty("sun.security.certpath.ldap.cache.lifetime", "0");
-    } else {
-      System.setProperty("sun.security.certpath.ldap.cache.lifetime", lifetime);
-    }
-    X509CertSelector selector = new X509CertSelector();
-    PKIXBuilderParameters pkixParams;
+    String disableAll = getProperty("SSL.disableAllChecks");
     try {
-      pkixParams = new PKIXBuilderParameters(caCerts, selector);
-      if ((getProperty("SSL.doRevocationChecking") != null)
-          && (Boolean.valueOf(getProperty("SSL.doRevocationChecking")))) {
-        log.info("Enable revocation checking");
-        System.setProperty("com.sun.security.enableCRLDP", "true");
-        Security.setProperty("ocsp.enable", "true");
-      } else {
-        log.warn("Revocation checking disabled");
-      }
-      for (CertStore cs : certStoreList) {
-        pkixParams.addCertStore(cs);
-      }
-      ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(
-          pkixParams);
-      TrustManagerFactory trustFab;
-      trustFab = TrustManagerFactory.getInstance("PKIX");
-      trustFab.init(trustParams);
       KeyManager[] km = null;
       SSLContext sslCtx = SSLContext
           .getInstance(getProperty("SSL.sslProtocol"));
-      String disableAll = getProperty("SSL.disableAllChecks");
       if ((disableAll != null) && (Boolean.parseBoolean(disableAll))) {
         log.warn("--------------------------------------");
         log.warn(" Disabling SSL Certificate Validation ");
         log.warn("--------------------------------------");
 
-        sslCtx.init(km, new TrustManager[] { new MyTrustManager(caCerts,
-            certStoreList) }, null);
+        sslCtx.init(km,
+            new TrustManager[] { new MyAlwaysTrustManager(caCerts) }, null);
       } else {
-        sslCtx.init(km, trustFab.getTrustManagers(), null);
+        MyPKITrustManager pkixTM = new MyPKITrustManager(certValidator,
+            getCertDir(), getCADir(), caCerts);
+        sslCtx.init(km, new TrustManager[] { pkixTM }, null);
       }
       HttpsURLConnection.setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
     } catch (Exception e) {
       log.error("Cannot configure SSL", e);
     }
-    String disableAll = getProperty("SSL.disableAllChecks");
     if ((disableAll != null) && (Boolean.parseBoolean(disableAll))) {
       log.warn("---------------------------------");
       log.warn(" Disabling Hostname Verification ");
@@ -315,20 +272,75 @@ public abstract class Configurator {
     }
   }
 
-  private static class MyTrustManager implements X509TrustManager {
-    private static Log log = LogFactory.getLog(MyTrustManager.class);
+  
+  
+  public void setCertValidator(CertValidator certValidator) {
+    this.certValidator = certValidator;
+  }
+
+  private static class MyPKITrustManager implements X509TrustManager {
+    private static Log log = LogFactory.getLog(MyPKITrustManager.class);
+
+    private CertValidator certValidator;
     private X509Certificate[] trustedCerts;
 
-    public MyTrustManager(Set<TrustAnchor> caCerts, List<CertStore> cs) {
-      trustedCerts = new X509Certificate[caCerts.size()];
+    public MyPKITrustManager(CertValidator cv, File certStore, File trustStore,
+        X509Certificate[] trustedCerts) {
+      certValidator = cv;
+      certValidator.init(certStore, trustStore);
+      this.trustedCerts = trustedCerts;
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType)
+        throws CertificateException {
+      log.error("Did not expect this method to get called");
+      throw new CertificateException("Method not implemented");
+    }
+
+    private static iaik.x509.X509Certificate[] convertCerts(
+        X509Certificate[] certs) throws GeneralSecurityException {
+      iaik.x509.X509Certificate[] retVal = new iaik.x509.X509Certificate[certs.length];
       int i = 0;
-      for (Iterator<TrustAnchor> it = caCerts.iterator(); it.hasNext();) {
-        TrustAnchor ta = it.next();
-        trustedCerts[i++] = ta.getTrustedCert();
+      for (X509Certificate cert : certs) {
+        if (cert instanceof iaik.x509.X509Certificate) {
+          retVal[i++] = (iaik.x509.X509Certificate) cert;
+        } else {
+          retVal[i++] = new iaik.x509.X509Certificate(cert.getEncoded());
+        }
+      }
+      return retVal;
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType)
+        throws CertificateException {
+      try {
+        boolean valid = certValidator.isCertificateValid(Thread.currentThread()
+            .getName(), convertCerts(chain));
+        if (!valid) {
+          throw new CertificateException("Certificate not valid");
+        }
+      } catch (GeneralSecurityException e) {
+        throw new CertificateException(e);
       }
     }
 
     @Override
+    public X509Certificate[] getAcceptedIssuers() {
+      return trustedCerts;
+    }
+  }
+
+  private static class MyAlwaysTrustManager implements X509TrustManager {
+    private static Log log = LogFactory.getLog(MyAlwaysTrustManager.class);
+    private X509Certificate[] trustedCerts;
+
+    public MyAlwaysTrustManager(X509Certificate[] trustedCerts) {
+      this.trustedCerts = trustedCerts;
+    }
+
+    @Override
     public void checkClientTrusted(X509Certificate[] arg0, String arg1)
         throws CertificateException {
       log.error("Did not expect this method to get called");
author	wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>	2008-10-08 08:39:17 +0000
committer	wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>	2008-10-08 08:39:17 +0000
commit	27d91275555207f9e152c2867d52fbbf83f92ba7 (patch)
tree	27798cbea71918278dc04c9a3e4e309f05956888 /bkucommon/src/main/java
parent	35364f7492308692bd690c17f5527f4157eb583a (diff)
download	mocca-27d91275555207f9e152c2867d52fbbf83f92ba7.tar.gz mocca-27d91275555207f9e152c2867d52fbbf83f92ba7.tar.bz2 mocca-27d91275555207f9e152c2867d52fbbf83f92ba7.zip