diff options
Diffstat (limited to 'bkucommon/src/main/java/at')
3 files changed, 172 insertions, 64 deletions
| diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidator.java b/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidator.java new file mode 100644 index 00000000..6a95b369 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidator.java @@ -0,0 +1,13 @@ +package at.gv.egiz.bku.conf;
 +
 +import iaik.x509.X509Certificate;
 +
 +import java.io.File;
 +
 +public interface CertValidator {
 +
 +  public abstract void init(File certDir, File caDir);
 +
 +  public abstract boolean isCertificateValid(String transactionId, X509Certificate[] certs);
 +
 +}
\ No newline at end of file diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidatorImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidatorImpl.java new file mode 100644 index 00000000..125233c1 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/conf/CertValidatorImpl.java @@ -0,0 +1,83 @@ +package at.gv.egiz.bku.conf;
 +
 +import iaik.logging.TransactionId;
 +import iaik.logging.impl.TransactionIdImpl;
 +import iaik.pki.DefaultPKIConfiguration;
 +import iaik.pki.DefaultPKIProfile;
 +import iaik.pki.PKIConfiguration;
 +import iaik.pki.PKIException;
 +import iaik.pki.PKIFactory;
 +import iaik.pki.PKIModule;
 +import iaik.pki.PKIProfile;
 +import iaik.pki.store.certstore.CertStoreParameters;
 +import iaik.pki.store.certstore.directory.DefaultDirectoryCertStoreParameters;
 +import iaik.pki.store.truststore.DefaultTrustStoreProfile;
 +import iaik.pki.store.truststore.TrustStoreProfile;
 +import iaik.pki.store.truststore.TrustStoreTypes;
 +import iaik.x509.X509Certificate;
 +
 +import java.io.File;
 +import java.util.Date;
 +
 +import org.apache.commons.logging.Log;
 +import org.apache.commons.logging.LogFactory;
 +
 +public class CertValidatorImpl implements CertValidator {
 +
 +  private static Log log = LogFactory.getLog(CertValidatorImpl.class);
 +
 +  private PKIFactory pkiFactory;
 +  private PKIProfile profile;
 +
 +  public CertValidatorImpl() {
 +
 +  }
 +
 +  /* (non-Javadoc)
 +   * @see at.gv.egiz.bku.conf.CertValidator#init(java.io.File, java.io.File)
 +   */
 +  public void init(File certDir, File caDir) {
 +    // the parameters specifying the directory certstore
 +    CertStoreParameters[] certStoreParameters = { new DefaultDirectoryCertStoreParameters(
 +        "CS-001", certDir.getAbsolutePath(), true, false) };
 +
 +    // create a new PKI configuration using the certstore parameters
 +    PKIConfiguration pkiConfig = new DefaultPKIConfiguration(
 +        certStoreParameters);
 +
 +    // Transaction ID for logging
 +    TransactionId tid = new TransactionIdImpl("Configure-PKI");
 +    // get PKI factory for creating PKI module(s)
 +    pkiFactory = PKIFactory.getInstance();
 +    // configure the factory
 +    try {
 +      pkiFactory.configure(pkiConfig, tid);
 +    } catch (PKIException e) {
 +      log.error("Cannot configure PKI module", e);
 +    }
 +    // the truststore to be used
 +    TrustStoreProfile trustProfile = new DefaultTrustStoreProfile("TS-001",
 +        TrustStoreTypes.DIRECTORY, caDir.getAbsolutePath());
 +    profile = new DefaultPKIProfile(trustProfile);
 +    ((DefaultPKIProfile)profile).setAutoAddCertificates(true);
 +  }
 +
 +  /* (non-Javadoc)
 +   * @see at.gv.egiz.bku.conf.CertValidator#isCertificateValid(java.lang.String, iaik.x509.X509Certificate[])
 +   */
 +  public boolean isCertificateValid(String transactionId,
 +      X509Certificate[] certs) {
 +    // Transaction ID for logging
 +    TransactionId tid = new TransactionIdImpl(transactionId);
 +    // get a PKIModule
 +    PKIModule pkiModule;
 +    try {
 +      pkiModule = pkiFactory.getPKIModule(profile);
 +      return pkiModule.validateCertificate(new Date(), certs[0], certs, null,
 +          tid).isCertificateValid();
 +    } catch (PKIException e) {
 +      log.error("Cannot validate certificate", e);
 +    }
 +    return false;
 +  }
 +}
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java b/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java index 9a1e7020..9ed99190 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java @@ -9,6 +9,7 @@ import java.io.FileInputStream;  import java.io.IOException;
  import java.io.InputStream;
  import java.net.HttpURLConnection;
 +import java.security.GeneralSecurityException;
  import java.security.InvalidAlgorithmParameterException;
  import java.security.NoSuchAlgorithmException;
  import java.security.Provider;
 @@ -18,27 +19,18 @@ import java.security.cert.CertificateException;  import java.security.cert.CertificateFactory;
  import java.security.cert.CollectionCertStoreParameters;
  import java.security.cert.LDAPCertStoreParameters;
 -import java.security.cert.PKIXBuilderParameters;
 -import java.security.cert.TrustAnchor;
 -import java.security.cert.X509CertSelector;
  import java.security.cert.X509Certificate;
  import java.util.ArrayList;
 -import java.util.HashSet;
 -import java.util.Iterator;
  import java.util.LinkedList;
  import java.util.List;
  import java.util.Properties;
 -import java.util.Set;
 -import javax.net.ssl.CertPathTrustManagerParameters;
  import javax.net.ssl.HostnameVerifier;
  import javax.net.ssl.HttpsURLConnection;
  import javax.net.ssl.KeyManager;
 -import javax.net.ssl.ManagerFactoryParameters;
  import javax.net.ssl.SSLContext;
  import javax.net.ssl.SSLSession;
  import javax.net.ssl.TrustManager;
 -import javax.net.ssl.TrustManagerFactory;
  import javax.net.ssl.X509TrustManager;
  import org.apache.commons.logging.Log;
 @@ -55,6 +47,8 @@ public abstract class Configurator {    protected Properties properties;
 +  protected CertValidator certValidator;
 +
    protected Configurator() {
    }
 @@ -64,9 +58,9 @@ public abstract class Configurator {    protected abstract InputStream getManifest();
 -  private Set<TrustAnchor> getCACerts() throws IOException,
 +  private X509Certificate[] getCACerts() throws IOException,
        CertificateException {
 -    Set<TrustAnchor> caCerts = new HashSet<TrustAnchor>();
 +    List<X509Certificate> caCerts = new ArrayList<X509Certificate>();
      File caDir = getCADir();
      if (caDir != null) {
        if (!caDir.isDirectory()) {
 @@ -81,13 +75,12 @@ public abstract class Configurator {            X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
            fis.close();
            log.debug("Adding trusted cert " + cert.getSubjectDN());
 -          caCerts.add(new TrustAnchor(cert, null));
 +          caCerts.add(cert);
          } catch (Exception e) {
            log.error("Cannot add trusted ca", e);
          }
        }
 -      return caCerts;
 -
 +      return  caCerts.toArray(new X509Certificate[caCerts.size()]);
      } else {
        log.warn("No CA certificates configured");
      }
 @@ -239,69 +232,33 @@ public abstract class Configurator {    }
    public void configureSSL() {
 -    Set<TrustAnchor> caCerts = null;
 +    X509Certificate[] caCerts = null;
      try {
        caCerts = getCACerts();
      } catch (Exception e1) {
        log.error("Cannot load CA certificates", e1);
      }
 -    List<CertStore> certStoreList = null;
 -    try {
 -      certStoreList = getCertstore();
 -    } catch (Exception e1) {
 -      log.error("Cannot load certstore certificates", e1);
 -    }
 -    String aia = getProperty("SSL.useAIA");
 -    if ((aia == null) || (aia.equals(""))) {
 -      System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
 -    } else {
 -      System.setProperty("com.sun.security.enableAIAcaIssuers", aia);
 -    }
 -    String lifetime = getProperty("SSL.cache.lifetime");
 -    if ((lifetime == null) || (lifetime.equals(""))) {
 -      System.setProperty("sun.security.certpath.ldap.cache.lifetime", "0");
 -    } else {
 -      System.setProperty("sun.security.certpath.ldap.cache.lifetime", lifetime);
 -    }
 -    X509CertSelector selector = new X509CertSelector();
 -    PKIXBuilderParameters pkixParams;
 +    String disableAll = getProperty("SSL.disableAllChecks");
      try {
 -      pkixParams = new PKIXBuilderParameters(caCerts, selector);
 -      if ((getProperty("SSL.doRevocationChecking") != null)
 -          && (Boolean.valueOf(getProperty("SSL.doRevocationChecking")))) {
 -        log.info("Enable revocation checking");
 -        System.setProperty("com.sun.security.enableCRLDP", "true");
 -        Security.setProperty("ocsp.enable", "true");
 -      } else {
 -        log.warn("Revocation checking disabled");
 -      }
 -      for (CertStore cs : certStoreList) {
 -        pkixParams.addCertStore(cs);
 -      }
 -      ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(
 -          pkixParams);
 -      TrustManagerFactory trustFab;
 -      trustFab = TrustManagerFactory.getInstance("PKIX");
 -      trustFab.init(trustParams);
        KeyManager[] km = null;
        SSLContext sslCtx = SSLContext
            .getInstance(getProperty("SSL.sslProtocol"));
 -      String disableAll = getProperty("SSL.disableAllChecks");
        if ((disableAll != null) && (Boolean.parseBoolean(disableAll))) {
          log.warn("--------------------------------------");
          log.warn(" Disabling SSL Certificate Validation ");
          log.warn("--------------------------------------");
 -        sslCtx.init(km, new TrustManager[] { new MyTrustManager(caCerts,
 -            certStoreList) }, null);
 +        sslCtx.init(km,
 +            new TrustManager[] { new MyAlwaysTrustManager(caCerts) }, null);
        } else {
 -        sslCtx.init(km, trustFab.getTrustManagers(), null);
 +        MyPKITrustManager pkixTM = new MyPKITrustManager(certValidator,
 +            getCertDir(), getCADir(), caCerts);
 +        sslCtx.init(km, new TrustManager[] { pkixTM }, null);
        }
        HttpsURLConnection.setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
      } catch (Exception e) {
        log.error("Cannot configure SSL", e);
      }
 -    String disableAll = getProperty("SSL.disableAllChecks");
      if ((disableAll != null) && (Boolean.parseBoolean(disableAll))) {
        log.warn("---------------------------------");
        log.warn(" Disabling Hostname Verification ");
 @@ -315,20 +272,75 @@ public abstract class Configurator {      }
    }
 -  private static class MyTrustManager implements X509TrustManager {
 -    private static Log log = LogFactory.getLog(MyTrustManager.class);
 +  
 +  
 +  public void setCertValidator(CertValidator certValidator) {
 +    this.certValidator = certValidator;
 +  }
 +
 +  private static class MyPKITrustManager implements X509TrustManager {
 +    private static Log log = LogFactory.getLog(MyPKITrustManager.class);
 +
 +    private CertValidator certValidator;
      private X509Certificate[] trustedCerts;
 -    public MyTrustManager(Set<TrustAnchor> caCerts, List<CertStore> cs) {
 -      trustedCerts = new X509Certificate[caCerts.size()];
 +    public MyPKITrustManager(CertValidator cv, File certStore, File trustStore,
 +        X509Certificate[] trustedCerts) {
 +      certValidator = cv;
 +      certValidator.init(certStore, trustStore);
 +      this.trustedCerts = trustedCerts;
 +    }
 +
 +    @Override
 +    public void checkClientTrusted(X509Certificate[] chain, String authType)
 +        throws CertificateException {
 +      log.error("Did not expect this method to get called");
 +      throw new CertificateException("Method not implemented");
 +    }
 +
 +    private static iaik.x509.X509Certificate[] convertCerts(
 +        X509Certificate[] certs) throws GeneralSecurityException {
 +      iaik.x509.X509Certificate[] retVal = new iaik.x509.X509Certificate[certs.length];
        int i = 0;
 -      for (Iterator<TrustAnchor> it = caCerts.iterator(); it.hasNext();) {
 -        TrustAnchor ta = it.next();
 -        trustedCerts[i++] = ta.getTrustedCert();
 +      for (X509Certificate cert : certs) {
 +        if (cert instanceof iaik.x509.X509Certificate) {
 +          retVal[i++] = (iaik.x509.X509Certificate) cert;
 +        } else {
 +          retVal[i++] = new iaik.x509.X509Certificate(cert.getEncoded());
 +        }
 +      }
 +      return retVal;
 +    }
 +
 +    @Override
 +    public void checkServerTrusted(X509Certificate[] chain, String authType)
 +        throws CertificateException {
 +      try {
 +        boolean valid = certValidator.isCertificateValid(Thread.currentThread()
 +            .getName(), convertCerts(chain));
 +        if (!valid) {
 +          throw new CertificateException("Certificate not valid");
 +        }
 +      } catch (GeneralSecurityException e) {
 +        throw new CertificateException(e);
        }
      }
      @Override
 +    public X509Certificate[] getAcceptedIssuers() {
 +      return trustedCerts;
 +    }
 +  }
 +
 +  private static class MyAlwaysTrustManager implements X509TrustManager {
 +    private static Log log = LogFactory.getLog(MyAlwaysTrustManager.class);
 +    private X509Certificate[] trustedCerts;
 +
 +    public MyAlwaysTrustManager(X509Certificate[] trustedCerts) {
 +      this.trustedCerts = trustedCerts;
 +    }
 +
 +    @Override
      public void checkClientTrusted(X509Certificate[] arg0, String arg1)
          throws CertificateException {
        log.error("Did not expect this method to get called");
 | 
