diff options
Diffstat (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java')
| -rw-r--r-- | bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java | 467 |
1 files changed, 0 insertions, 467 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java b/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java deleted file mode 100644 index 50f5d2b4..00000000 --- a/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java +++ /dev/null @@ -1,467 +0,0 @@ -package at.gv.egiz.bku.conf;
-
-import iaik.security.ecc.provider.ECCProvider;
-import iaik.security.provider.IAIK;
-import iaik.xml.crypto.XSecProvider;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.HttpURLConnection;
-import java.net.URL;
-import java.security.GeneralSecurityException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.Security;
-import java.security.Provider.Service;
-import java.security.cert.CertStore;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CollectionCertStoreParameters;
-import java.security.cert.LDAPCertStoreParameters;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Properties;
-import java.util.Set;
-import java.util.jar.Attributes;
-import java.util.jar.Manifest;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import at.gv.egiz.bku.binding.DataUrl;
-import at.gv.egiz.bku.slcommands.impl.xsect.DataObject;
-import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider;
-import at.gv.egiz.bku.slexceptions.SLRuntimeException;
-import at.gv.egiz.bku.utils.urldereferencer.URLDereferencer;
-import javax.net.ssl.SSLSocketFactory;
-
-public abstract class Configurator {
-
- private Log log = LogFactory.getLog(Configurator.class);
-
- public final static String USERAGENT_CONFIG_P = "UserAgent";
- public static final String DATAURLCONNECTION_CONFIG_P = "DataURLConnectionImplClass";
-
- public static final String USERAGENT_DEFAULT = "citizen-card-environment/1.2 MOCCA/UNKNOWN";
- public static final String USERAGENT_BASE = "citizen-card-environment/1.2 MOCCA/";
-
- public static final String SIGNATURE_LAYOUT = "SignatureLayout";
-
- protected Properties properties;
-
- protected CertValidator certValidator;
- protected String signaturLayoutVersion;
-
- protected Configurator() {
- }
-
- protected abstract File getCertDir();
-
- protected abstract File getCADir();
-
- protected abstract InputStream getManifest();
-
- private X509Certificate[] getCACerts() throws IOException,
- CertificateException {
- List<X509Certificate> caCerts = new ArrayList<X509Certificate>();
- File caDir = getCADir();
- if (caDir != null) {
- if (!caDir.isDirectory()) {
- log.error("Expecting directory as SSL.caDirectory parameter");
- throw new SLRuntimeException(
- "Expecting directory as SSL.caDirectory parameter");
- }
- log.info("loading trustStore from " + caDir.getAbsolutePath());
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- for (File f : caDir.listFiles()) {
- try {
- FileInputStream fis = new FileInputStream(f);
- X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
- fis.close();
- log.debug("Adding trusted cert " + cert.getSubjectDN());
- caCerts.add(cert);
- } catch (Exception e) {
- log.error("Cannot add trusted ca", e);
- }
- }
- return caCerts.toArray(new X509Certificate[caCerts.size()]);
- } else {
- log.warn("No CA certificates configured");
- }
- return null;
- }
-
- protected List<CertStore> getCertstore() throws IOException,
- CertificateException, InvalidAlgorithmParameterException,
- NoSuchAlgorithmException {
- List<CertStore> resultList = new ArrayList<CertStore>();
- File certDir = getCertDir();
- if (certDir != null) {
- if (!certDir.isDirectory()) {
- log.error("Expecting directory as SSL.certDirectory parameter");
- throw new SLRuntimeException(
- "Expecting directory as SSL.certDirectory parameter");
- }
- log.info("loading certStore from " + certDir.getAbsolutePath());
- List<X509Certificate> certCollection = new LinkedList<X509Certificate>();
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- for (File f : certDir.listFiles()) {
- try {
- FileInputStream fis = new FileInputStream(f);
- X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
- certCollection.add(cert);
- fis.close();
- log
- .trace("Added following cert to certstore: "
- + cert.getSubjectDN());
- } catch (Exception ex) {
- log.error("Cannot add certificate", ex);
- }
- }
- CollectionCertStoreParameters csp = new CollectionCertStoreParameters(
- certCollection);
- resultList.add(CertStore.getInstance("Collection", csp));
- log.info("Added collection certstore");
- } else {
- log.warn("No certstore directory configured");
- }
- String ldapHost = getProperty("SSL.ldapServer");
- if ((ldapHost != null) && (!"".equals(ldapHost))) {
- String ldapPortString = getProperty("SSL.ldapPort");
- int ldapPort = 389;
- if (ldapPortString != null) {
- try {
- ldapPort = Integer.parseInt(ldapPortString);
- } catch (NumberFormatException nfe) {
- log.error("Invalid ldap port, using default 389");
- }
- } else {
- log.warn("ldap port not specified, using default 389");
- }
- LDAPCertStoreParameters ldapParams = new LDAPCertStoreParameters(
- ldapHost, ldapPort);
- resultList.add(CertStore.getInstance("LDAP", ldapParams));
- log.info("Added LDAP certstore");
- }
- return resultList;
- }
-
- protected void configUrlConnections() {
- HttpsURLConnection.setFollowRedirects(false);
- HttpURLConnection.setFollowRedirects(false);
- }
-
- protected void configureProviders() {
- log.debug("Registering security providers");
-
- IAIK iaikProvider = new IAIK();
- if (Security.getProvider(iaikProvider.getName()) == null) {
- // register IAIK provider at first position
- Security.insertProviderAt(iaikProvider, 1);
- } else {
- // IAIK provider already registered
- log.info("Provider " + iaikProvider.getName() + " already registered.");
- }
-
- ECCProvider eccProvider = new ECCProvider(false);
- if (Security.getProvider(eccProvider.getName()) == null) {
- // register ECC Provider at second position
- Security.insertProviderAt(eccProvider, 2);
- } else {
- // ECC Provider already registered
- log.info("Provider " + eccProvider.getName() + " already registered.");
- }
-
- // registering STALProvider as delegation provider for XSECT
- STALProvider stalProvider = new STALProvider();
- if (Security.getProvider(stalProvider.getName()) == null) {
- // register STAL provider
- Set<Service> services = stalProvider.getServices();
- StringBuilder sb = new StringBuilder();
- for (Service service : services) {
- String algorithm = service.getType() + "." + service.getAlgorithm();
- XSecProvider.setDelegationProvider(algorithm, stalProvider.getName());
- sb.append("\n" + algorithm);
- }
- log
- .debug("Registered STALProvider as XSecProvider delegation provider for the following services : "
- + sb.toString());
-
- Security.addProvider(stalProvider);
- } else {
- // STAL Provider already registered
- log.info("Provider " + stalProvider.getName() + " already registered.");
- }
-
- if (Security.getProvider(XSecProvider.NAME) == null) {
- // register XML Security provider
- XSecProvider.addAsProvider(false);
- } else {
- log.info("Provider " + XSecProvider.NAME + " already registered.");
- }
-
- if (log.isDebugEnabled()) {
- StringBuilder sb = new StringBuilder();
- sb.append("Registered providers: ");
- int i = 1;
- for (Provider prov : Security.getProviders()) {
- sb.append((i++) + ". : " + prov);
- }
- log.debug(sb.toString());
- }
- }
-
- protected void configViewer() {
- String bv = properties.getProperty("ValidateHashDataInputs");
- if (bv != null) {
- DataObject.enableHashDataInputValidation(Boolean.parseBoolean(bv));
- } else {
- log.warn("ValidateHashDataInputs not set, falling back to default");
- }
- }
-
- public void configureSingatureLayoutVersion() {
- if (properties.get(SIGNATURE_LAYOUT) == null) {
- try {
- String classContainer = Configurator.class.getProtectionDomain()
- .getCodeSource().getLocation().toString();
- URL manifestUrl = new URL("jar:" + classContainer
- + "!/META-INF/MANIFEST.MF");
- Manifest manifest = new Manifest(manifestUrl.openStream());
- Attributes att = manifest.getMainAttributes();
- String layout = null;
- if (att != null) {
- layout = att.getValue(SIGNATURE_LAYOUT);
- }
- if (layout != null) {
- log.info("setting SignatureLayout header to " + layout);
- properties.put(SIGNATURE_LAYOUT, layout);
- } else {
- log.warn("no SignatureLayout version defined");
- }
- } catch (Exception ex) {
- log.warn("Cannot read manifest", ex);
- }
- }
- }
-
- public void configureNetwork() {
- String proxy = getProperty("HTTPProxyHost");
- String portString = getProperty("HTTPProxyPort");
- if ((proxy == null) || (proxy.equals(""))) {
- log.info("No proxy configured");
- } else {
- log.info("Setting proxy to: " + proxy + ":" + portString);
- System.setProperty("proxyHost", proxy);
- System.setProperty("proxyPort", portString);
- }
- String timeout = getProperty("DefaultSocketTimeout");
- if ((timeout != null) && (!timeout.equals(""))) {
- System.setProperty("sun.net.client.defaultConnectTimeout", timeout);
- }
- }
-
- public void configureVersion() {
- if (properties.getProperty(USERAGENT_CONFIG_P) == null) {
- Properties p = new Properties();
- try {
- InputStream is = getManifest();
- if (is != null) {
- p.load(getManifest());
- String version = p.getProperty("Implementation-Build");
- if (version == null) {
- version="UNKNOWN";
- }
- properties.setProperty(USERAGENT_CONFIG_P, USERAGENT_BASE + version);
- log.debug("Setting user agent to: "
- + properties.getProperty(USERAGENT_CONFIG_P));
- } else {
- log.warn("Failed to read manifest, setting user-agent to " + USERAGENT_DEFAULT);
- properties.setProperty(USERAGENT_CONFIG_P, USERAGENT_DEFAULT);
- }
- } catch (IOException e) {
- log.error(e);
- }
- } else {
- log.info("using configured user agent " + properties.getProperty(USERAGENT_CONFIG_P));
- }
- }
-
- /**
- * TODO cleanup configuration (read MANIFEST, DataURLconfig,...)
- */
- public void configure() {
- configureProviders();
- configUrlConnections();
- configViewer();
- configureSSL();
- configureVersion();
- configureSingatureLayoutVersion();
- configureNetwork();
- //after configureVersion() and configureSignatureLayoutVersion()
- DataUrl.setConfiguration(properties);
- }
-
- public void setConfiguration(Properties props) {
- this.properties = props;
- }
-
- public String getProperty(String key) {
- if (properties != null) {
- return properties.getProperty(key);
- }
- return null;
- }
-
- public void configureSSL() {
- X509Certificate[] caCerts = null;
- try {
- caCerts = getCACerts();
- } catch (Exception e1) {
- log.error("Cannot load CA certificates", e1);
- }
- String disableAll = getProperty("SSL.disableAllChecks");
- String disableHostnameVerification = getProperty("SSL.disableHostnameVerification");
- try {
- KeyManager[] km = null;
- SSLContext sslCtx = SSLContext
- .getInstance(getProperty("SSL.sslProtocol"));
- if ((disableAll != null) && (Boolean.parseBoolean(disableAll))) {
- log.warn("--------------------------------------");
- log.warn(" Disabling SSL Certificate Validation ");
- log.warn("--------------------------------------");
-
- sslCtx.init(km,
- new TrustManager[] { new MyAlwaysTrustManager(caCerts) }, null);
- } else {
- MyPKITrustManager pkixTM = new MyPKITrustManager(certValidator,
- getCertDir(), getCADir(), caCerts);
- sslCtx.init(km, new TrustManager[] { pkixTM }, null);
- }
- DataUrl.setSSLSocketFactory(sslCtx.getSocketFactory());
- URLDereferencer.getInstance().setSSLSocketFactory(
- sslCtx.getSocketFactory());
- } catch (Exception e) {
- log.error("Cannot configure SSL", e);
- }
- if ((disableAll != null && Boolean.parseBoolean(disableAll))
- || (disableHostnameVerification != null && Boolean
- .parseBoolean(disableHostnameVerification))) {
- log.warn("---------------------------------");
- log.warn(" Disabling Hostname Verification ");
- log.warn("---------------------------------");
- DataUrl.setHostNameVerifier(new HostnameVerifier() {
- @Override
- public boolean verify(String hostname, SSLSession session) {
- return true;
- }
- });
- URLDereferencer.getInstance().setHostnameVerifier(new HostnameVerifier() {
- @Override
- public boolean verify(String hostname, SSLSession session) {
- return true;
- }
- });
- }
- }
-
- public void setCertValidator(CertValidator certValidator) {
- this.certValidator = certValidator;
- }
-
- private static class MyPKITrustManager implements X509TrustManager {
- private static Log log = LogFactory.getLog(MyPKITrustManager.class);
-
- private CertValidator certValidator;
- private X509Certificate[] trustedCerts;
-
- public MyPKITrustManager(CertValidator cv, File certStore, File trustStore,
- X509Certificate[] trustedCerts) {
- certValidator = cv;
- certValidator.init(certStore, trustStore);
- this.trustedCerts = trustedCerts;
- }
-
- @Override
- public void checkClientTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- log.error("Did not expect this method to get called");
- throw new CertificateException("Method not implemented");
- }
-
- private static iaik.x509.X509Certificate[] convertCerts(
- X509Certificate[] certs) throws GeneralSecurityException {
- iaik.x509.X509Certificate[] retVal = new iaik.x509.X509Certificate[certs.length];
- int i = 0;
- for (X509Certificate cert : certs) {
- if (cert instanceof iaik.x509.X509Certificate) {
- retVal[i++] = (iaik.x509.X509Certificate) cert;
- } else {
- retVal[i++] = new iaik.x509.X509Certificate(cert.getEncoded());
- }
- }
- return retVal;
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- try {
- boolean valid = certValidator.isCertificateValid(Thread.currentThread()
- .getName(), convertCerts(chain));
- if (!valid) {
- throw new CertificateException("Certificate not valid");
- }
- } catch (GeneralSecurityException e) {
- throw new CertificateException(e);
- }
- }
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
- return trustedCerts;
- }
- }
-
- private static class MyAlwaysTrustManager implements X509TrustManager {
- private static Log log = LogFactory.getLog(MyAlwaysTrustManager.class);
- private X509Certificate[] trustedCerts;
-
- public MyAlwaysTrustManager(X509Certificate[] trustedCerts) {
- this.trustedCerts = trustedCerts;
- }
-
- @Override
- public void checkClientTrusted(X509Certificate[] arg0, String arg1)
- throws CertificateException {
- log.error("Did not expect this method to get called");
- throw new CertificateException("Method not implemented");
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] certs, String arg1)
- throws CertificateException {
- log.warn("-------------------------------------");
- log.warn("SSL Certificate Validation Disabled !");
- log.warn("-------------------------------------");
- }
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
- return trustedCerts;
- }
- }
-}
|