summaryrefslogtreecommitdiff
path: root/BKUOnline/src/main/java/at
diff options
context:
space:
mode:
Diffstat (limited to 'BKUOnline/src/main/java/at')
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java131
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java167
2 files changed, 230 insertions, 68 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java
index f51335e1..d158b46e 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java
@@ -1,21 +1,21 @@
/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.bku.online.conf;
-
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.online.conf;
+
import iaik.security.ecc.provider.ECCProvider;
import iaik.xml.crypto.XSecProvider;
@@ -30,53 +30,52 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider;
-
-/**
- *
- * TODO currently only the code to get started.
- */
-public class Configurator {
- private Log log = LogFactory.getLog(Configurator.class);
-
- protected Properties properties;
-
- public Configurator() {
- }
-
- protected void configUrlConnections() {
- HttpsURLConnection.setFollowRedirects(false);
- HttpURLConnection.setFollowRedirects(false);
- }
-
- protected void configureProviders() {
- log.debug("Registering security providers");
- Security.addProvider(new STALProvider());
- XSecProvider.addAsProvider(false);
- Security.insertProviderAt(new ECCProvider(false), 1);
- StringBuffer sb = new StringBuffer();
- sb.append("Following providers are now registered: ");
- int i = 1;
- for (Provider prov : Security.getProviders()) {
- sb.append((i++) + ". : " + prov);
- }
- log.debug("Configured provider" + sb.toString());
- }
-
- public void configure() {
- configureProviders();
- configUrlConnections();
- }
- public void setConfiguration(Properties props) {
- this.properties = props;
- configure();
- }
-
- public String getProperty(String key) {
- if (properties != null) {
- return properties.getProperty(key);
- }
- return null;
- }
-
-}
+/**
+ *
+ * TODO currently only the code to get started.
+ */
+public class Configurator {
+
+ private Log log = LogFactory.getLog(Configurator.class);
+
+ protected Properties properties;
+
+ public Configurator() {
+ }
+
+ protected void configUrlConnections() {
+ HttpsURLConnection.setFollowRedirects(false);
+ HttpURLConnection.setFollowRedirects(false);
+ }
+
+ protected void configureProviders() {
+ log.debug("Registering security providers");
+ Security.addProvider(new STALProvider());
+ XSecProvider.addAsProvider(false);
+ Security.insertProviderAt(new ECCProvider(false), 1);
+ StringBuffer sb = new StringBuffer();
+ sb.append("Following providers are now registered: ");
+ int i = 1;
+ for (Provider prov : Security.getProviders()) {
+ sb.append((i++) + ". : " + prov);
+ }
+ log.debug("Configured provider" + sb.toString());
+ }
+
+ public void configure() {
+ configureProviders();
+ configUrlConnections();
+ }
+
+ public void setConfiguration(Properties props) {
+ this.properties = props;
+ }
+
+ public String getProperty(String key) {
+ if (properties != null) {
+ return properties.getProperty(key);
+ }
+ return null;
+ }
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
index 96588d7d..100285ed 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
@@ -1,16 +1,52 @@
package at.gv.egiz.bku.online.conf;
+import java.io.File;
+import java.io.FileInputStream;
import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertStore;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.PKIXCertPathBuilderResult;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
import java.util.Properties;
+import java.util.Set;
+
+import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.ManagerFactoryParameters;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.springframework.context.ResourceLoaderAware;
import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+
+import at.gv.egiz.bku.slexceptions.SLRuntimeException;
-public class SpringConfigurator extends Configurator {
+public class SpringConfigurator extends Configurator implements
+ ResourceLoaderAware {
private final static Log log = LogFactory.getLog(SpringConfigurator.class);
+ private ResourceLoader resourceLoader;
+
public void setResource(Resource resource) {
log.debug("Loading config from: " + resource);
if (resource != null) {
@@ -24,4 +60,131 @@ public class SpringConfigurator extends Configurator {
}
}
-}
+ public void configure() {
+ super.configure();
+ configureSSL();
+ }
+
+ private Set<TrustAnchor> getCACerts() throws IOException,
+ CertificateException {
+ Set<TrustAnchor> caCerts = new HashSet<TrustAnchor>();
+ String caDirectory = getProperty("SSL.caDirectory");
+ if (caDirectory != null) {
+ Resource caDirRes = resourceLoader.getResource(caDirectory);
+
+ File caDir = caDirRes.getFile();
+ if (!caDir.isDirectory()) {
+ log.error("Expecting directory as SSL.caDirectory parameter");
+ throw new SLRuntimeException(
+ "Expecting directory as SSL.caDirectory parameter");
+ }
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ for (File f : caDir.listFiles()) {
+ try {
+ FileInputStream fis = new FileInputStream(f);
+ X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
+ fis.close();
+ log.debug("Adding trusted cert " + cert.getSubjectDN());
+ caCerts.add(new TrustAnchor(cert, null));
+ } catch (Exception e) {
+ log.error("Cannot add trusted ca", e);
+ }
+ }
+ return caCerts;
+
+ } else {
+ log.warn("No CA certificates configured");
+ }
+ return null;
+ }
+
+ private CertStore getCertstore() throws IOException, CertificateException,
+ InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+ String certDirectory = getProperty("SSL.certDirectory");
+ if (certDirectory != null) {
+ Resource certDirRes = resourceLoader.getResource(certDirectory);
+
+ File certDir = certDirRes.getFile();
+ if (!certDir.isDirectory()) {
+ log.error("Expecting directory as SSL.certDirectory parameter");
+ throw new SLRuntimeException(
+ "Expecting directory as SSL.certDirectory parameter");
+ }
+ List<X509Certificate> certCollection = new LinkedList<X509Certificate>();
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ for (File f : certDir.listFiles()) {
+ try {
+ FileInputStream fis = new FileInputStream(f);
+ X509Certificate cert =(X509Certificate) cf.generateCertificate(fis);
+ certCollection.add(cert);
+ fis.close();
+ log.trace("Added following cert to certstore: "+cert.getSubjectDN());
+ } catch (Exception ex) {
+ log.error("Cannot add certificate", ex);
+ }
+ }
+ CollectionCertStoreParameters csp = new CollectionCertStoreParameters(
+ certCollection);
+ return CertStore.getInstance("Collection", csp);
+
+ } else {
+ log.warn("No certstore configured");
+ }
+ return null;
+ }
+
+ public void configureSSL() {
+ Set<TrustAnchor> caCerts = null;
+ try {
+ caCerts = getCACerts();
+ } catch (Exception e1) {
+ log.error("Cannot load CA certificates", e1);
+ }
+ CertStore certStore = null;
+ try {
+ certStore = getCertstore();
+ } catch (Exception e1) {
+ log.error("Cannot load certstore certificates", e1);
+ }
+ System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
+ try {
+ X509CertSelector selector = new X509CertSelector();
+ PKIXBuilderParameters pkixParams;
+ pkixParams = new PKIXBuilderParameters(caCerts, selector);
+ if ((getProperty("SSL.doRevocationChecking") != null)
+ && (Boolean.valueOf(getProperty("SSL.doRevocationChecking")))) {
+ log.info("Enable revocation checking");
+ pkixParams.setRevocationEnabled(true);
+ System.setProperty("com.sun.security.enableCRLDP", "true");
+ Security.setProperty("ocsp.enable", "true");
+ } else {
+ log.warn("Revocation checking disabled");
+ pkixParams.setRevocationEnabled(false);
+ }
+ pkixParams.addCertStore(certStore);
+ ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(
+ pkixParams);
+ TrustManagerFactory trustFab;
+ try {
+ trustFab = TrustManagerFactory.getInstance("PKIX");
+ trustFab.init(trustParams);
+ KeyManager[] km = null;
+ SSLContext sslCtx = SSLContext
+ .getInstance(getProperty("SSL.sslProtocol"));
+ sslCtx.init(km, trustFab.getTrustManagers(), null);
+ HttpsURLConnection
+ .setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
+ } catch (Exception e) {
+ log.error("Cannot configure SSL", e);
+ }
+
+ } catch (InvalidAlgorithmParameterException e) {
+ log.error("Cannot configure SSL", e);
+ }
+ }
+
+ @Override
+ public void setResourceLoader(ResourceLoader loader) {
+ this.resourceLoader = loader;
+ }
+} \ No newline at end of file