-rw-r--r--BKUOnline/src/main/policy/50mocca.policy7
-rw-r--r--BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml4
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java41
-rw-r--r--bkucommon/src/site/apt/configuration.apt4
4 files changed, 52 insertions, 4 deletions
diff --git a/BKUOnline/src/main/policy/50mocca.policy b/BKUOnline/src/main/policy/50mocca.policy
index 8cda9eb6..d001e515 100644
--- a/BKUOnline/src/main/policy/50mocca.policy
+++ b/BKUOnline/src/main/policy/50mocca.policy
@@ -40,7 +40,9 @@
// with <any_resource_you_would_like_to_grant_XSLTs_document()_function_access_to>
//
// replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at
-// with <idLink_template_download_URL>
+// with <idLink_template_download_URL>, currently:
+// A-Trust: http://www.a-trust.at/zmr/persb204.xsl
+// Verwaltungssignatur: http://ksp.ecard.sozialversicherung.gv.at/ePortal/public/xslt/ExpandIdLink-2_0.xslt
// replace ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80
// with <certificate_revocation_authority_endpoint> (OCSP, CRLs)
//
@@ -70,6 +72,9 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/-" {
permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve";
permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve";
permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.sozialversicherung.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www2.sozialversicherung.gv.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www2.sozialversicherung.at:443", "connect, resolve";
// other resources (crls, persb.xsl, ...)
permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
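Review bot: The three new SocketPermission grants for www.sozialversicherung.at, www2.sozialversicherung.gv.at and www2.sozialversicherung.at are not covered by the replacement instructions in the header comment of this file (the first hunk lists which hosts a deployer must substitute for its own endpoints), so an operator adapting the policy will not know which placeholder these hosts belong to or why outbound connect is needed to them. A one-line comment above the new grants, such as `// additional sozialversicherung hosts (presumably alternate/redirect targets of www.sozialversicherung.gv.at) - TODO confirm`, and an entry in the header's replace-list would keep the grant list auditable. The surrounding grant block continues outside the hunk.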
diff --git a/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml b/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml
index 20d27bb0..d4736429 100644
--- a/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml
+++ b/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml
@@ -7,4 +7,8 @@
-->
<MaxHops>50</MaxHops>
</DataURLConnection>
+ <!-- default revocation service type order: OCSP, CRL
+ <SSL>
+ <revocationServiceOrder>OCSP</revocationServiceOrder>
+ </SSL-->
</MoccaConfiguration> \ No newline at end of file
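Review bot: The commented-out example sets `<revocationServiceOrder>OCSP</revocationServiceOrder>`, which, if a deployer simply uncomments it, drops CRL checking entirely, because the new createRevocationServiceOrder in PKIProfileFactoryBean.java builds the preferred order only from the listed values; the surrounding comment text "default revocation service type order: OCSP, CRL" does not make that consequence clear. Suggest wording the comment so the semantics are explicit, e.g. `<!-- revocation services to use, in order of preference (comma separated); only the listed services are consulted. Default: OCSP,CRL`, and showing the full default value in the example rather than a single service.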
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java
index 97a0d872..d5eb411d 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java
@@ -48,9 +48,15 @@ import org.springframework.core.io.ResourceLoader;
import at.gv.egiz.bku.conf.IAIKLogAdapterFactory;
import at.gv.egiz.bku.conf.MoccaConfigurationFacade;
+import java.util.ArrayList;
+import java.util.List;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
+ protected static final Logger log = LoggerFactory.getLogger(PKIProfileFactoryBean.class);
+
/**
* The configuration facade.
*/
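Review bot: The new logger is declared `protected static final Logger log`, which widens it to subclasses and the package for no visible reason; `private static final Logger log = LoggerFactory.getLogger(PKIProfileFactoryBean.class);` is the usual form unless a subclass is meant to share it. The added `java.util` and `org.slf4j` imports are also placed after the project's `at.gv.egiz` imports, breaking the grouping the file otherwise follows (JDK, then third-party, then project); moving them into the existing groups keeps the import block consistent. The class body continues outside the hunk.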
@@ -68,6 +74,8 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
public static final String SSL_CA_DIRECTORY_DEFAULT = "classpath:at/gv/egiz/bku/certs/trustStore";
+ public static final String SSL_REVOCATION_SERVICE_ORDER = "SSL.revocationServiceOrder";
+
public URL getCertDirectory() throws MalformedURLException {
return getURL(SSL_CERT_DIRECTORY);
}
@@ -75,7 +83,11 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
public URL getCaDirectory() throws MalformedURLException {
return getURL(SSL_CA_DIRECTORY);
}
-
+
+ public List<String> getRevocationServiceOrder() throws Exception {
+ return configuration.getList(SSL_REVOCATION_SERVICE_ORDER);
+ }
+
private URL getURL(String key) throws MalformedURLException {
String url = configuration.getString(key);
if (url == null || url.isEmpty()) {
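Review bot: getRevocationServiceOrder is declared `throws Exception` although its only statement is `configuration.getList(SSL_REVOCATION_SERVICE_ORDER)`, which, as far as the visible code shows, has no checked exception to propagate; the broad declaration forces the same `throws Exception` onto createRevocationServiceOrder in the later hunk and onto every caller. Dropping the clause, `public List<String> getRevocationServiceOrder() {`, keeps the facade consistent with the sibling getters getCertDirectory/getCaDirectory, which declare only the specific MalformedURLException. The new method also lacks Javadoc; a one-liner such as `/** Returns the value(s) configured under {@value #SSL_REVOCATION_SERVICE_ORDER}; see createRevocationServiceOrder for the accepted entries. */` would match the file's documented getters. getURL's body continues outside the hunk.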
@@ -199,6 +211,30 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
TrustStoreTypes.DIRECTORY, caDirectory.getAbsolutePath());
}
+
+ protected String[] createRevocationServiceOrder() throws Exception {
+ List<String> services = configurationFacade.getRevocationServiceOrder();
+
+ if (services != null) {
+ List<String> order = new ArrayList<String>(2);
+ for (String service : services) {
+ if ("OCSP".equals(service)) {
+ order.add(RevocationSourceTypes.OCSP);
+ } else if ("CRL".equals(service)) {
+ order.add(RevocationSourceTypes.CRL);
+ } else {
+ throw new Exception("Unsupported revocation service type " + service);
+ }
+ }
+ if (!order.isEmpty()) {
+ log.info("configure revocation service type order: {}", order);
+ return order.toArray(new String[order.size()]);
+ }
+ }
+ log.info("configure default revocation service type order: [OCSP, CRL]");
+ return new String[]
+ { RevocationSourceTypes.OCSP, RevocationSourceTypes.CRL };
+ }
@Override
public Object getObject() throws Exception {
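Review bot: An unrecognised entry in the configured order is reported with a raw `throw new Exception("Unsupported revocation service type " + service);`, which gives callers nothing to catch selectively and is the reason the method must declare `throws Exception`; an invalid configuration value is a programming/configuration error and fits `throw new IllegalArgumentException("Unsupported revocation service type " + service);`. The comparison is exact-case, so `ocsp` or `crl` in the configuration is rejected rather than accepted, which is fine as long as it is stated; a Javadoc on createRevocationServiceOrder should say that only the literal values `OCSP` and `CRL` are accepted, that an empty or absent list yields the default order, and that listing a single service disables the other. Minor: `order.toArray(new String[0])` is the idiomatic form of the array conversion. getObject starts in this hunk and ends outside it.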
@@ -216,8 +252,7 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
DefaultPKIProfile pkiProfile = new DefaultPKIProfile(trustProfile);
pkiProfile.setAutoAddCertificates(true);
- pkiProfile.setPreferredServiceOrder(new String[] {
- RevocationSourceTypes.OCSP, RevocationSourceTypes.CRL });
+ pkiProfile.setPreferredServiceOrder(createRevocationServiceOrder());
return pkiProfile;
}
diff --git a/bkucommon/src/site/apt/configuration.apt b/bkucommon/src/site/apt/configuration.apt
index 1a5adee1..15340c71 100644
--- a/bkucommon/src/site/apt/configuration.apt
+++ b/bkucommon/src/site/apt/configuration.apt
@@ -77,6 +77,10 @@ MOCCA Configuration
[<<<disableAllChecks>>>] May be set to <<<true>>> to disable all TSL/SSL related checks.
Default: <<<false>>>
+
+ [<<<revocationServiceOrder>>>] May be set to <<<CRL,OCSP>>>, <<<CRL>>> or <<<OCSP>>> to define the (order of) revocation service(s) to be used.
+
+ Default: <<<OCSP,CRL>>>
[<<<ProductName>>>] May be specified to set the product name given by the <<<Server>>> and <<<User-Agent>>> HTTP headers as specified by {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/bindings/bindings.en.html#http}HTTP binding}}.