4 files changed, 52 insertions, 4 deletions
diff --git a/BKUOnline/src/main/policy/50mocca.policy b/BKUOnline/src/main/policy/50mocca.policy
index 8cda9eb6..d001e515 100644
--- a/BKUOnline/src/main/policy/50mocca.policy
+++ b/BKUOnline/src/main/policy/50mocca.policy
@@ -40,7 +40,9 @@
 // with <any_resource_you_would_like_to_grant_XSLTs_document()_function_access_to>
 //
 // replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at
-// with <idLink_template_download_URL>
+// with <idLink_template_download_URL>, currently:
+// A-Trust: http://www.a-trust.at/zmr/persb204.xsl
+// Verwaltungssignatur: http://ksp.ecard.sozialversicherung.gv.at/ePortal/public/xslt/ExpandIdLink-2_0.xslt
 // replace ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80
 // with <certificate_revocation_authority_endpoint> (OCSP, CRLs)
 //
@@ -70,6 +72,9 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/-" {
 permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve";
 permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve";
 permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.sozialversicherung.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www2.sozialversicherung.gv.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www2.sozialversicherung.at:443", "connect, resolve";
 // other resources (crls, persb.xsl, ...)
 permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
diff --git a/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml b/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml
index 20d27bb0..d4736429 100644
--- a/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml
+++ b/BKUOnline/src/main/webapp/WEB-INF/conf/configuration.xml
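Review bot: The two idLink template URLs recorded in the comment are plain `http://` addresses, and the existing grant for `www.a-trust.at:80` (context of the next hunk, "other resources (crls, persb.xsl, ...)") shows the stylesheet really is fetched over cleartext, so nothing on the transport protects the template from modification between provider and BKU. Because the comment block identifies these as XSLT templates executed by the webapp, the same comment should say whether the providers offer an https endpoint or how a downloaded template is otherwise verified, e.g. `// NOTE: fetched over plain http; template integrity relies on <describe the check, if any>`. I can't tell from the diff whether such a check exists downstream, so this is a documentation request rather than a claimed defect.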
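Review bot: The three new SocketPermission grants for `www.sozialversicherung.at`, `www2.sozialversicherung.gv.at` and `www2.sozialversicherung.at` carry no comment, while the rest of this grant block labels its hosts by purpose (`// other resources (crls, persb.xsl, ...)`). A one-line comment stating why these hostname variants are required — presumably alternate or redirect hostnames of the same portal, which I cannot confirm from the diff — such as `// sozialversicherung portal: alternate hostnames (TODO confirm which are actually contacted)` lets the next maintainer prune entries once they are no longer reached. Keeping this allow-list minimal is the whole point of the policy, so each host should say what it is for.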
@@ -7,4 +7,8 @@
 -->
 <MaxHops>50</MaxHops>
 </DataURLConnection>
+ <!-- default revocation service type order: OCSP, CRL
+ <SSL>
+ <revocationServiceOrder>OCSP</revocationServiceOrder>
+ </SSL-->
 </MoccaConfiguration>
\ No newline at end of file
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java
index 97a0d872..d5eb411d 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java
@@ -48,9 +48,15 @@ import org.springframework.core.io.ResourceLoader;
 import at.gv.egiz.bku.conf.IAIKLogAdapterFactory;
 import at.gv.egiz.bku.conf.MoccaConfigurationFacade;
+import java.util.ArrayList;
+import java.util.List;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
+ protected static final Logger log = LoggerFactory.getLogger(PKIProfileFactoryBean.class);
+
 /**
 * The configuration facade.
 */
@@ -68,6 +74,8 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
 public static final String SSL_CA_DIRECTORY_DEFAULT = "classpath:at/gv/egiz/bku/certs/trustStore";
+ public static final String SSL_REVOCATION_SERVICE_ORDER = "SSL.revocationServiceOrder";
+
 public URL getCertDirectory() throws MalformedURLException {
 return getURL(SSL_CERT_DIRECTORY);
 }
@@ -75,7 +83,11 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
 public URL getCaDirectory() throws MalformedURLException {
 return getURL(SSL_CA_DIRECTORY);
 }
-
+
+ public List<String> getRevocationServiceOrder() throws Exception {
+ return configuration.getList(SSL_REVOCATION_SERVICE_ORDER);
+ }
+
 private URL getURL(String key) throws MalformedURLException {
 String url = configuration.getString(key);
 if (url == null || url.isEmpty()) {
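Review bot: The commented-out example is labelled `default revocation service type order: OCSP, CRL`, yet the element it shows sets `OCSP` alone, which the new createRevocationServiceOrder in PKIProfileFactoryBean.java turns into an order containing only OCSP; if the preferred order is exclusive, as the configuration.apt wording in this commit ("the (order of) revocation service(s) to be used") suggests, an administrator who uncomments "the default" silently loses the CRL fallback. Either make the example match its label, `<revocationServiceOrder>OCSP,CRL</revocationServiceOrder>`, or reword the comment to `<!-- revocation service type order, default OCSP,CRL; e.g. OCSP only:`. The file also lost its trailing newline (`\ No newline at end of file`), which is worth restoring.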
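Review bot: The new `java.util` and `org.slf4j` imports are appended after the project's own `at.gv.egiz.bku.conf` imports, while the hunk context shows framework imports such as `org.springframework.core.io.ResourceLoader` grouped above them; moving `import java.util.ArrayList;` and `import java.util.List;` into the JDK group and the two slf4j imports next to the other third-party imports keeps the file's grouping consistent. The logger is declared `protected static final`; unless subclasses are meant to log through it, `private static final Logger log = ...` is the conventional scope and avoids widening the class's surface for no stated reason.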
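Review bot: `getRevocationServiceOrder` declares `throws Exception` although its body only reads a list from `configuration`; a raw `throws Exception` forces every caller to declare the same (createRevocationServiceOrder in the next hunk does exactly that) and hides which failure is actually possible. I cannot tell from the hunk which configuration API backs `getList`; if it throws no checked exception, `public List<String> getRevocationServiceOrder() {` is sufficient, otherwise declare the specific type. The class enclosing this method begins outside the hunk.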
@@ -199,6 +211,30 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
 TrustStoreTypes.DIRECTORY, caDirectory.getAbsolutePath());
 }
+
+ protected String[] createRevocationServiceOrder() throws Exception {
+ List<String> services = configurationFacade.getRevocationServiceOrder();
+
+ if (services != null) {
+ List<String> order = new ArrayList<String>(2);
+ for (String service : services) {
+ if ("OCSP".equals(service)) {
+ order.add(RevocationSourceTypes.OCSP);
+ } else if ("CRL".equals(service)) {
+ order.add(RevocationSourceTypes.CRL);
+ } else {
+ throw new Exception("Unsupported revocation service type " + service);
+ }
+ }
+ if (!order.isEmpty()) {
+ log.info("configure revocation service type order: {}", order);
+ return order.toArray(new String[order.size()]);
+ }
+ }
+ log.info("configure default revocation service type order: [OCSP, CRL]");
+ return new String[]
+ { RevocationSourceTypes.OCSP, RevocationSourceTypes.CRL };
+ }
 @Override
 public Object getObject() throws Exception {
@@ -216,8 +252,7 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
 DefaultPKIProfile pkiProfile = new DefaultPKIProfile(trustProfile);
 pkiProfile.setAutoAddCertificates(true);
-pkiProfile.setPreferredServiceOrder(new String[] {
- RevocationSourceTypes.OCSP, RevocationSourceTypes.CRL });
+ pkiProfile.setPreferredServiceOrder(createRevocationServiceOrder());
 return pkiProfile;
 }
diff --git a/bkucommon/src/site/apt/configuration.apt b/bkucommon/src/site/apt/configuration.apt
index 1a5adee1..15340c71 100644
--- a/bkucommon/src/site/apt/configuration.apt
+++ b/bkucommon/src/site/apt/configuration.apt
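Review bot: The unsupported-value branch of createRevocationServiceOrder throws a bare `Exception`; the cause is a bad configuration value, so `throw new IllegalArgumentException("Unsupported revocation service type " + service);` (or the project's configuration exception, if one exists) says what went wrong and lets the bean factory report it as a configuration error rather than a generic failure. Rejecting unknown values and failing startup is the right, fail-closed choice, but the comparison is exact, so `ocsp` or ` CRL` (a space after the comma) is rejected too; unless the configuration reader already trims and normalises list elements — I can't tell from the hunk — comparing against `service.trim().toUpperCase(Locale.ROOT)` would avoid a surprising startup failure. The method also has no Javadoc; a short one stating that it builds the preferred revocation-source order from `SSL.revocationServiceOrder`, falls back to OCSP then CRL when the key is absent or empty, and documents the `@throws` for unsupported values would capture the contract for callers.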
@@ -77,6 +77,10 @@ MOCCA Configuration
 [<<<disableAllChecks>>>] May be set to <<<true>>> to disable all TSL/SSL related checks.
 Default: <<<false>>>
+
+ [<<<revocationServiceOrder>>>] May be set to <<<CRL,OCSP>>>, <<<CRL>>> or <<<OCSP>>> to define the (order of) revocation service(s) to be used.
+
+ Default: <<<OCSP,CRL>>>
 [<<<ProductName>>>] May be specified to set the product name given by the <<<Server>>> and <<<User-Agent>>> HTTP headers as specified by {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/bindings/bindings.en.html#http}HTTP binding}}. |