diff options
Diffstat (limited to 'BKULocal/src/main/java/at/gv')
7 files changed, 520 insertions, 321 deletions
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java new file mode 100644 index 00000000..b547bf6a --- /dev/null +++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/accesscontroller/SpringSecurityManager.java @@ -0,0 +1,65 @@ +/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.bku.local.accesscontroller;
+
+import java.io.IOException;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;
+import org.springframework.context.ResourceLoaderAware;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+
+import at.gv.egiz.bku.accesscontroller.SecurityManagerFacade;
+import at.gv.egiz.bku.local.conf.Configurator;
+
+public class SpringSecurityManager extends SecurityManagerFacade implements
+ ResourceLoaderAware {
+
+ private ResourceLoader resourceLoader;
+
+ private static Log log = LogFactory.getLog(SpringSecurityManager.class);
+
+ protected Configurator config;
+
+ public void setConfig(Configurator config) {
+ this.config = config;
+ }
+
+ public void init() {
+ String noMatch = config.getProperty("AccessController.acceptNoMatch");
+ if (noMatch != null) {
+ log.debug("Setting allow now match to: " + noMatch);
+ setAllowUnmatched(Boolean.getBoolean(noMatch));
+ }
+ String policy = config.getProperty("AccessController.policyResource");
+ log.info("Loading resource: " + policy);
+ try {
+ Resource res = resourceLoader.getResource(policy);
+ init(res.getInputStream());
+ } catch (IOException e) {
+ log.error(e);
+ }
+ }
+
+ @Override
+ public void setResourceLoader(ResourceLoader loader) {
+ this.resourceLoader = loader;
+ }
+
+}
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/ConfigurationUpdater.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/ConfigurationUpdater.java deleted file mode 100644 index 3214f4bc..00000000 --- a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/ConfigurationUpdater.java +++ /dev/null @@ -1,44 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.local.conf;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.quartz.JobExecutionContext;
-import org.quartz.JobExecutionException;
-import org.springframework.scheduling.quartz.QuartzJobBean;
-
-public class ConfigurationUpdater extends QuartzJobBean {
- private static Log log = LogFactory.getLog(ConfigurationUpdater.class);
- private Configurator config;
-
- @Override
- protected void executeInternal(JobExecutionContext arg0)
- throws JobExecutionException {
- log.trace("Checking config update");
- config.checkUpdate();
- }
-
- public Configurator getConfig() {
- return config;
- }
-
- public void setConfig(Configurator config) {
- this.config = config;
- }
-
-}
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java index e9510101..57a0f84f 100644 --- a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java +++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/Configurator.java @@ -1,274 +1,103 @@ /* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.local.conf;
-
-import iaik.security.ecc.provider.ECCProvider;
-import iaik.xml.crypto.XSecProvider;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.net.HttpURLConnection;
-import java.security.KeyStore;
-import java.security.Provider;
-import java.security.Security;
-import java.security.cert.CertStore;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CollectionCertStoreParameters;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
-import java.util.Enumeration;
-import java.util.LinkedList;
-import java.util.List;
-
-import javax.net.ssl.CertPathTrustManagerParameters;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.ManagerFactoryParameters;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManagerFactory;
-
-import org.apache.commons.configuration.ConfigurationException;
-import org.apache.commons.configuration.XMLConfiguration;
-import org.apache.commons.configuration.reloading.FileChangedReloadingStrategy;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider;
-import at.gv.egiz.smcc.SWCard;
-import at.gv.egiz.smcc.util.SMCCHelper;
-
-public class Configurator {
- private Log log = LogFactory.getLog(Configurator.class);
- private XMLConfiguration baseConfig;
- private XMLConfiguration specialConfig;
- private boolean autoSave = false;
-
- public Configurator() {
- super();
- init();
- configure();
- }
-
- private void init() {
- log.debug("Initializing configuration");
-
- baseConfig = new XMLConfiguration();
- try {
- baseConfig.load(getClass().getClassLoader().getResourceAsStream(
- "./at/gv/egiz/bku/local/baseconfig.xml"));
- log.debug("Successfully loaded base configuration");
- } catch (ConfigurationException e) {
- log.error("Cannot load base configuration", e);
- }
- autoSave = baseConfig.getBoolean("OverrideConfigurationFile[@autosave]");
- try {
- specialConfig = new XMLConfiguration();
- specialConfig.setFileName(baseConfig
- .getString("OverrideConfigurationFile"));
- specialConfig.load();
- } catch (Exception e) {
- log.debug("Cannot get special configuration at: "
- + baseConfig.getString("OverrideConfigurationFile") + ": " + e);
- log.debug("Creating new special configuration");
- try {
- specialConfig = new XMLConfiguration(baseConfig);
- specialConfig.setFileName(baseConfig
- .getString("OverrideConfigurationFile"));
- specialConfig.save();
- } catch (ConfigurationException e1) {
- log.error("Cannot load defaults " + e1);
- }
- }
- specialConfig.setReloadingStrategy(new FileChangedReloadingStrategy());
- specialConfig.setAutoSave(autoSave);
- }
-
- protected void configUrlConnections() {
- HttpsURLConnection.setFollowRedirects(false);
- HttpURLConnection.setFollowRedirects(false);
- }
-
- protected KeyStore loadKeyStore(String fileName, String type, String password) {
- KeyStore ks = null;
- try {
- ks = KeyStore.getInstance(type);
- InputStream is = new FileInputStream(fileName);
- if (is == null) {
- log.warn("Cannot load keystore from: " + fileName);
- }
- ks.load(is, password.toCharArray());
- for (Enumeration<String> alias = ks.aliases(); alias.hasMoreElements();) {
- log.debug("Found keystore alias: " + alias.nextElement());
- }
- } catch (Exception e) {
- log.error("Cannot config keystore", e);
- return null;
- }
- return ks;
- }
-
- protected void configSSL() {
- String trustStoreName = specialConfig.getString("SSL.trustStoreFile");
- String trustStoreType = specialConfig.getString("SSL.trustStoreType");
- String trustStorePass = specialConfig.getString("SSL.trustStorePass");
- String certStoreDirectory = specialConfig
- .getString("SSL.certStoreDirectory");
- String keyStoreName = specialConfig.getString("SSL.keyStoreFile");
- String keyStoreType = specialConfig.getString("SSL.keyStoreType");
- String keyStorePass = specialConfig.getString("SSL.keyStorePass");
-
- String caIncludeDir = specialConfig.getString("SSL.caIncludeDirectory");
-
- KeyStore trustStore = loadKeyStore(trustStoreName, trustStoreType,
- trustStorePass);
- KeyStore keyStore = null;
- if (keyStoreName != null) {
- keyStore = loadKeyStore(keyStoreName, keyStoreType, keyStorePass);
- }
-
- try {
- PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore,
- new X509CertSelector());
-
- if (certStoreDirectory != null) {
- File dir = new File(certStoreDirectory);
- if (dir.isDirectory()) {
- List<X509Certificate> certCollection = new LinkedList<X509Certificate>();
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- for (File f : dir.listFiles()) {
- log.debug("adding " + f.getName());
- certCollection.add((X509Certificate) cf
- .generateCertificate(new FileInputStream(f)));
- }
- CollectionCertStoreParameters csp = new CollectionCertStoreParameters(
- certCollection);
- CertStore cs = CertStore.getInstance("Collection", csp);
- pkixParams.addCertStore(cs);
- log.debug("Added collection certstore");
- } else {
- log.error("CertstoreDirectory " + certStoreDirectory
- + " is not a directory");
- }
- }
-
- if (caIncludeDir != null) {
- File dir = new File(caIncludeDir);
- if (dir.exists() && dir.isDirectory()) {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- try {
- for (File f : dir.listFiles()) {
- FileInputStream fis = new FileInputStream(f);
- X509Certificate cert = (X509Certificate) cf
- .generateCertificate(fis);
- fis.close();
- log.debug("Adding trusted cert " + cert.getSubjectDN());
- trustStore.setCertificateEntry(cert.getSubjectDN().getName(),
- cert);
- f.delete();
- }
- } finally {
- trustStore.store(new FileOutputStream(trustStoreName),
- trustStorePass.toCharArray());
- }
- }
- }
-
- pkixParams.setRevocationEnabled(specialConfig
- .getBoolean("SSL.revocation"));
- if (specialConfig.getBoolean("SSL.revocation")) {
- System.setProperty("com.sun.security.enableCRLDP ", "true");
- Security.setProperty("ocsp.enable", "true");
- }
- System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
- log.debug("Setting revocation check to: "
- + pkixParams.isRevocationEnabled());
- ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(
- pkixParams);
- TrustManagerFactory trustFab = TrustManagerFactory.getInstance("PKIX");
- trustFab.init(trustParams);
-
- KeyManager[] km = null;
- SSLContext sslCtx = SSLContext.getInstance(specialConfig
- .getString("SSL.sslProtocol"));
- if (keyStore != null) {
- KeyManagerFactory keyFab = KeyManagerFactory.getInstance("SunX509");
- keyFab.init(keyStore, keyStorePass.toCharArray());
- km = keyFab.getKeyManagers();
- }
- sslCtx.init(km, trustFab.getTrustManagers(), null);
- HttpsURLConnection.setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
- log.info("Successfully configured ssl");
- } catch (Exception e) {
- log.debug("Cannot init ssl", e);
- }
- }
-
- protected void configureProviders() {
- log.debug("Registering security providers");
- ECCProvider.addAsProvider(false);
- Security.addProvider(new STALProvider());
- XSecProvider.addAsProvider(false);
- StringBuffer sb = new StringBuffer();
- sb.append("Following providers are now registered: ");
- int i = 1;
- for (Provider prov : Security.getProviders()) {
- sb.append((i++) + ". : " + prov);
- }
- log.debug("Configured provider" + sb.toString());
- }
-
- protected void configureBKU() {
- if (specialConfig.containsKey("BKU.useSWCard")) {
- boolean useSWCard = specialConfig.getBoolean("BKU.useSWCard");
- log.info("Setting SW Card to: "+useSWCard);
- SMCCHelper.setUseSWCard(useSWCard);
- }
- if (specialConfig.containsKey("BKU.SWCardDirectory")) {
- //SWCard.
- }
- }
-
- public void configure() {
- configureProviders();
- configSSL();
- configUrlConnections();
- configureBKU();
-
- }
-
- public void checkUpdate() {
- if (specialConfig.getReloadingStrategy().reloadingRequired()) {
- log.info("Reloading configuration: " + specialConfig.getFileName());
- specialConfig.setAutoSave(false);
- specialConfig.clear();
- try {
- specialConfig.load();
- } catch (ConfigurationException e) {
- log.fatal(e);
- }
- specialConfig.setAutoSave(specialConfig
- .getBoolean("OverrideConfigurationFile[@autosave]"));
- configure();
- specialConfig.getReloadingStrategy().reloadingPerformed();
- }
- }
-
-}
+ * Copyright 2008 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package at.gv.egiz.bku.local.conf; + +import iaik.security.ecc.provider.ECCProvider; +import iaik.security.provider.IAIK; +import iaik.xml.crypto.XSecProvider; + +import java.io.IOException; +import java.net.HttpURLConnection; +import java.security.Provider; +import java.security.Security; +import java.util.Properties; + +import javax.net.ssl.HttpsURLConnection; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import at.gv.egiz.bku.binding.DataUrl; +import at.gv.egiz.bku.binding.DataUrlConnection; +import at.gv.egiz.bku.slcommands.impl.xsect.DataObject; +import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider; + +/** + * + * TODO currently only the code to get started. + */ +public abstract class Configurator { + + private Log log = LogFactory.getLog(Configurator.class); + + private static Configurator instance = new SpringConfigurator(); + + protected Properties properties; + + protected Configurator() { + } + + public static Configurator getInstance() { + return instance; + } + + protected void configUrlConnections() { + HttpsURLConnection.setFollowRedirects(false); + HttpURLConnection.setFollowRedirects(false); + } + + protected void configureProviders() { + log.debug("Registering security providers"); + Security.insertProviderAt(new IAIK(), 1); + Security.insertProviderAt(new ECCProvider(false), 2); + Security.addProvider(new STALProvider()); + XSecProvider.addAsProvider(false); + StringBuilder sb = new StringBuilder(); + sb.append("Registered providers: "); + int i = 1; + for (Provider prov : Security.getProviders()) { + sb.append((i++) + ". : " + prov); + } + log.debug(sb.toString()); + } + + protected void configViewer() { + String bv = properties.getProperty("ValidateHashDataInputs"); + if (bv != null) { + DataObject.enableHashDataInputValidation(Boolean.parseBoolean(bv)); + } else { + log.warn("ValidateHashDataInputs not set, falling back to default"); + } + } + + public void configure() { + configureProviders(); + configUrlConnections(); + configViewer(); + } + + public void setConfiguration(Properties props) { + this.properties = props; + } + + public String getProperty(String key) { + if (properties != null) { + return properties.getProperty(key); + } + return null; + } +} diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java new file mode 100644 index 00000000..3aeb1745 --- /dev/null +++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/conf/SpringConfigurator.java @@ -0,0 +1,336 @@ +/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.local.conf;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.LDAPCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.PKIXCertPathBuilderResult;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Properties;
+import java.util.Set;
+
+import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.ManagerFactoryParameters;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.context.ResourceLoaderAware;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+
+import at.gv.egiz.bku.binding.DataUrl;
+import at.gv.egiz.bku.binding.DataUrlConnection;
+import at.gv.egiz.bku.slexceptions.SLRuntimeException;
+
+public class SpringConfigurator extends Configurator implements
+ ResourceLoaderAware {
+
+ private final static Log log = LogFactory.getLog(SpringConfigurator.class);
+
+ private ResourceLoader resourceLoader;
+
+ public SpringConfigurator() {
+ File configDir = new File(System.getProperty("user.home") + "/.bku/conf");
+ if (configDir.exists()) {
+ log.debug("Found existing config directory: " + configDir);
+ } else {
+ log.info("Config dir not existing, creating new");
+ if (!configDir.mkdirs()) {
+ log.error("Cannot create directory: " + configDir);
+ }
+ }
+ }
+
+ public void setResource(Resource resource) {
+ log.debug("Loading config from: " + resource);
+ if (resource != null) {
+ Properties props = new Properties();
+ try {
+ props.load(resource.getInputStream());
+ super.setConfiguration(props);
+ } catch (IOException e) {
+ log.error("Cannot load config", e);
+ }
+ } else {
+ log.warn("Cannot load properties, resource: " + resource);
+ }
+ }
+
+ public void configureVersion() {
+ Properties p = new Properties();
+ try {
+ p.load(resourceLoader.getResource("META-INF/MANIFEST.MF")
+ .getInputStream());
+ String version = p.getProperty("Implementation-Build");
+ properties.setProperty(DataUrlConnection.USER_AGENT_PROPERTY_KEY,
+ "citizen-card-environment/1.2 MOCCA " + version);
+ DataUrl.setConfiguration(properties);
+ log.debug("Setting user agent to: "
+ + properties.getProperty(DataUrlConnection.USER_AGENT_PROPERTY_KEY));
+ } catch (IOException e) {
+ log.error(e);
+ }
+ }
+
+ public void configure() {
+ super.configure();
+ configureSSL();
+ configureVersion();
+ configureNetwork();
+ }
+
+ public void configureNetwork() {
+
+ }
+
+ private Set<TrustAnchor> getCACerts() throws IOException,
+ CertificateException {
+ Set<TrustAnchor> caCerts = new HashSet<TrustAnchor>();
+ String caDirectory = getProperty("SSL.caDirectory");
+ if (caDirectory != null) {
+ Resource caDirRes = resourceLoader.getResource(caDirectory);
+ File caDir = caDirRes.getFile();
+ if (!caDir.isDirectory()) {
+ log.error("Expecting directory as SSL.caDirectory parameter");
+ throw new SLRuntimeException(
+ "Expecting directory as SSL.caDirectory parameter");
+ }
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ for (File f : caDir.listFiles()) {
+ try {
+ FileInputStream fis = new FileInputStream(f);
+ X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
+ fis.close();
+ log.debug("Adding trusted cert " + cert.getSubjectDN());
+ caCerts.add(new TrustAnchor(cert, null));
+ } catch (Exception e) {
+ log.error("Cannot add trusted ca", e);
+ }
+ }
+ return caCerts;
+
+ } else {
+ log.warn("No CA certificates configured");
+ }
+ return null;
+ }
+
+ private List<CertStore> getCertstore() throws IOException,
+ CertificateException, InvalidAlgorithmParameterException,
+ NoSuchAlgorithmException {
+ List<CertStore> resultList = new ArrayList<CertStore>();
+ String certDirectory = getProperty("SSL.certDirectory");
+ if (certDirectory != null) {
+ Resource certDirRes = resourceLoader.getResource(certDirectory);
+
+ File certDir = certDirRes.getFile();
+ if (!certDir.isDirectory()) {
+ log.error("Expecting directory as SSL.certDirectory parameter");
+ throw new SLRuntimeException(
+ "Expecting directory as SSL.certDirectory parameter");
+ }
+ List<X509Certificate> certCollection = new LinkedList<X509Certificate>();
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ for (File f : certDir.listFiles()) {
+ try {
+ FileInputStream fis = new FileInputStream(f);
+ X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
+ certCollection.add(cert);
+ fis.close();
+ log
+ .trace("Added following cert to certstore: "
+ + cert.getSubjectDN());
+ } catch (Exception ex) {
+ log.error("Cannot add certificate", ex);
+ }
+ }
+ CollectionCertStoreParameters csp = new CollectionCertStoreParameters(
+ certCollection);
+ resultList.add(CertStore.getInstance("Collection", csp));
+ log.info("Added collection certstore");
+ } else {
+ log.warn("No certstore directory configured");
+ }
+ String ldapHost = getProperty("SSL.ldapServer");
+ if ((ldapHost != null) && (!"".equals(ldapHost))) {
+ String ldapPortString = getProperty("SSL.ldapPort");
+ int ldapPort = 389;
+ if (ldapPortString != null) {
+ try {
+ ldapPort = Integer.parseInt(ldapPortString);
+ } catch (NumberFormatException nfe) {
+ log.error("Invalid ldap port, using default 389");
+ }
+ } else {
+ log.warn("ldap port not specified, using default 389");
+ }
+ LDAPCertStoreParameters ldapParams = new LDAPCertStoreParameters(
+ ldapHost, ldapPort);
+ resultList.add(CertStore.getInstance("LDAP", ldapParams));
+ log.info("Added LDAP certstore");
+ }
+ return resultList;
+ }
+
+ public void configureSSL() {
+ Set<TrustAnchor> caCerts = null;
+ try {
+ caCerts = getCACerts();
+ } catch (Exception e1) {
+ log.error("Cannot load CA certificates", e1);
+ }
+ List<CertStore> certStoreList = null;
+ try {
+ certStoreList = getCertstore();
+ } catch (Exception e1) {
+ log.error("Cannot load certstore certificates", e1);
+ }
+ String aia = getProperty("SSL.useAIA");
+ if ((aia == null) || (aia.equals(""))) {
+ System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
+ } else {
+ System.setProperty("com.sun.security.enableAIAcaIssuers", aia);
+ }
+ String lifetime = getProperty("SSL.cache.lifetime");
+ if ((lifetime == null) || (lifetime.equals(""))) {
+ System.setProperty("sun.security.certpath.ldap.cache.lifetime", "0");
+ } else {
+ System.setProperty("sun.security.certpath.ldap.cache.lifetime", lifetime);
+ }
+ X509CertSelector selector = new X509CertSelector();
+ PKIXBuilderParameters pkixParams;
+ try {
+ pkixParams = new PKIXBuilderParameters(caCerts, selector);
+ if ((getProperty("SSL.doRevocationChecking") != null)
+ && (Boolean.valueOf(getProperty("SSL.doRevocationChecking")))) {
+ log.info("Enable revocation checking");
+ System.setProperty("com.sun.security.enableCRLDP", "true");
+ Security.setProperty("ocsp.enable", "true");
+ } else {
+ log.warn("Revocation checking disabled");
+ }
+ for (CertStore cs : certStoreList) {
+ pkixParams.addCertStore(cs);
+ }
+ ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(
+ pkixParams);
+ TrustManagerFactory trustFab;
+ trustFab = TrustManagerFactory.getInstance("PKIX");
+ trustFab.init(trustParams);
+ KeyManager[] km = null;
+ SSLContext sslCtx = SSLContext
+ .getInstance(getProperty("SSL.sslProtocol"));
+ sslCtx.init(km, trustFab.getTrustManagers(), null);
+ // sslCtx.init(km, new TrustManager[] { new MyTrustManager(caCerts,
+ // certStoreList) }, null);
+ HttpsURLConnection.setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
+ } catch (Exception e) {
+ log.error("Cannot configure SSL", e);
+ }
+ }
+
+ @Override
+ public void setResourceLoader(ResourceLoader loader) {
+ this.resourceLoader = loader;
+ }
+}
+
+class MyTrustManager implements X509TrustManager {
+ private static Log log = LogFactory.getLog(MyTrustManager.class);
+ private Set<TrustAnchor> caCerts;
+ private List<CertStore> certStoreList;
+ private X509Certificate[] trustedCerts;
+
+ public MyTrustManager(Set<TrustAnchor> caCerts, List<CertStore> cs) {
+ this.caCerts = caCerts;
+ this.certStoreList = cs;
+ trustedCerts = new X509Certificate[caCerts.size()];
+ int i = 0;
+ for (Iterator<TrustAnchor> it = caCerts.iterator(); it.hasNext();) {
+ TrustAnchor ta = it.next();
+ trustedCerts[i++] = ta.getTrustedCert();
+ }
+
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] arg0, String arg1)
+ throws CertificateException {
+ log.error("Did not expect this method to get called");
+ throw new CertificateException("Method not implemented");
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] certs, String arg1)
+ throws CertificateException {
+ try {
+ log.debug("Checking server certificate: " + certs[0].getSubjectDN());
+ CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX");
+ X509CertSelector selector = new X509CertSelector();
+ selector.setCertificate(certs[0]);
+ PKIXBuilderParameters pkixParams;
+ pkixParams = new PKIXBuilderParameters(caCerts, selector);
+ pkixParams.setRevocationEnabled(true); // FIXME
+ for (CertStore cs : certStoreList) {
+ pkixParams.addCertStore(cs);
+ }
+ PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) pathBuilder
+ .build(pkixParams);
+ if (log.isTraceEnabled()) {
+ StringBuffer sb = new StringBuffer();
+ for (Certificate cert : result.getCertPath().getCertificates()) {
+ sb.append(((X509Certificate) cert).getSubjectDN());
+ sb.append("->");
+ }
+ sb.append("End");
+ log.trace(sb);
+ }
+ } catch (Exception e) {
+ throw new CertificateException(e);
+ }
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return trustedCerts;
+ }
+
+}
\ No newline at end of file diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java index 0bed928d..c543c8ca 100644 --- a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java +++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java @@ -1,7 +1,12 @@ package at.gv.egiz.bku.local.stal;
import java.awt.Container;
+import java.awt.EventQueue;
+import java.awt.Toolkit;
import java.awt.event.ActionListener;
+import java.awt.event.FocusEvent;
+import java.awt.event.FocusListener;
+import java.awt.event.WindowEvent;
import java.util.List;
import javax.swing.JDialog;
@@ -126,5 +131,4 @@ public class BKUGuiProxy implements BKUGUIFacade { showDialog();
delegate.showWelcomeDialog();
}
-
}
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTAL.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTAL.java index 6f9e72c5..4bc921aa 100644 --- a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTAL.java +++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTAL.java @@ -7,6 +7,7 @@ import javax.swing.JDialog; import at.gv.egiz.bku.gui.BKUGUIFacade;
import at.gv.egiz.bku.online.applet.BKUWorker;
+import at.gv.egiz.stal.QuitRequest;
import at.gv.egiz.stal.STALRequest;
import at.gv.egiz.stal.STALResponse;
import at.gv.egiz.stal.SignRequest;
@@ -26,8 +27,16 @@ public class SMCCSTAL extends BKUWorker { public List<STALResponse> handleRequest(List<STALRequest> requestList) {
signatureCard = null;
List<STALResponse> responses = super.handleRequest(requestList);
- container.setVisible(false);
+ //container.setVisible(false);
return responses;
}
+ @Override
+ public STALResponse handleRequest(STALRequest request) {
+ if (request instanceof QuitRequest) {
+ container.setVisible(false);
+ }
+ return null;
+ }
+
}
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTALFactory.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTALFactory.java index 97646d09..f9a8bef5 100644 --- a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTALFactory.java +++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/SMCCSTALFactory.java @@ -53,6 +53,7 @@ public class SMCCSTALFactory implements STALFactory { stal = new SMCCSTAL(new BKUGuiProxy(dialog, gui), dialog, resourceBundle); dialog.setPreferredSize(new Dimension(400, 200)); dialog.setDefaultCloseOperation(WindowConstants.HIDE_ON_CLOSE); + dialog.pack(); Dimension screenSize = Toolkit.getDefaultToolkit().getScreenSize(); Dimension frameSize = dialog.getSize(); if (frameSize.height > screenSize.height) { @@ -63,13 +64,12 @@ public class SMCCSTALFactory implements STALFactory { } dialog.setLocation((screenSize.width - frameSize.width) / 2, (screenSize.height - frameSize.height) / 2); - dialog.pack(); } return stal; } @Override - public void setLocale(Locale locale) { + public void setLocale(Locale locale) { this.locale = locale; } } |