summaryrefslogtreecommitdiff
path: root/bkucommon/src
diff options
context:
space:
mode:
Diffstat (limited to 'bkucommon/src')
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java41
-rw-r--r--bkucommon/src/site/apt/configuration.apt4
2 files changed, 42 insertions, 3 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java
index 97a0d872..d5eb411d 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/PKIProfileFactoryBean.java
@@ -48,9 +48,15 @@ import org.springframework.core.io.ResourceLoader;
import at.gv.egiz.bku.conf.IAIKLogAdapterFactory;
import at.gv.egiz.bku.conf.MoccaConfigurationFacade;
+import java.util.ArrayList;
+import java.util.List;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
+ protected static final Logger log = LoggerFactory.getLogger(PKIProfileFactoryBean.class);
+
/**
* The configuration facade.
*/
@@ -68,6 +74,8 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
public static final String SSL_CA_DIRECTORY_DEFAULT = "classpath:at/gv/egiz/bku/certs/trustStore";
+ public static final String SSL_REVOCATION_SERVICE_ORDER = "SSL.revocationServiceOrder";
+
public URL getCertDirectory() throws MalformedURLException {
return getURL(SSL_CERT_DIRECTORY);
}
@@ -75,7 +83,11 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
public URL getCaDirectory() throws MalformedURLException {
return getURL(SSL_CA_DIRECTORY);
}
-
+
+ public List<String> getRevocationServiceOrder() throws Exception {
+ return configuration.getList(SSL_REVOCATION_SERVICE_ORDER);
+ }
+
private URL getURL(String key) throws MalformedURLException {
String url = configuration.getString(key);
if (url == null || url.isEmpty()) {
@@ -199,6 +211,30 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
TrustStoreTypes.DIRECTORY, caDirectory.getAbsolutePath());
}
+
+ protected String[] createRevocationServiceOrder() throws Exception {
+ List<String> services = configurationFacade.getRevocationServiceOrder();
+
+ if (services != null) {
+ List<String> order = new ArrayList<String>(2);
+ for (String service : services) {
+ if ("OCSP".equals(service)) {
+ order.add(RevocationSourceTypes.OCSP);
+ } else if ("CRL".equals(service)) {
+ order.add(RevocationSourceTypes.CRL);
+ } else {
+ throw new Exception("Unsupported revocation service type " + service);
+ }
+ }
+ if (!order.isEmpty()) {
+ log.info("configure revocation service type order: {}", order);
+ return order.toArray(new String[order.size()]);
+ }
+ }
+ log.info("configure default revocation service type order: [OCSP, CRL]");
+ return new String[]
+ { RevocationSourceTypes.OCSP, RevocationSourceTypes.CRL };
+ }
@Override
public Object getObject() throws Exception {
@@ -216,8 +252,7 @@ public class PKIProfileFactoryBean implements FactoryBean, ResourceLoaderAware {
DefaultPKIProfile pkiProfile = new DefaultPKIProfile(trustProfile);
pkiProfile.setAutoAddCertificates(true);
- pkiProfile.setPreferredServiceOrder(new String[] {
- RevocationSourceTypes.OCSP, RevocationSourceTypes.CRL });
+ pkiProfile.setPreferredServiceOrder(createRevocationServiceOrder());
return pkiProfile;
}
diff --git a/bkucommon/src/site/apt/configuration.apt b/bkucommon/src/site/apt/configuration.apt
index 1a5adee1..15340c71 100644
--- a/bkucommon/src/site/apt/configuration.apt
+++ b/bkucommon/src/site/apt/configuration.apt
@@ -77,6 +77,10 @@ MOCCA Configuration
[<<<disableAllChecks>>>] May be set to <<<true>>> to disable all TSL/SSL related checks.
Default: <<<false>>>
+
+ [<<<revocationServiceOrder>>>] May be set to <<<CRL,OCSP>>>, <<<CRL>>> or <<<OCSP>>> to define the (order of) revocation service(s) to be used.
+
+ Default: <<<OCSP,CRL>>>
[<<<ProductName>>>] May be specified to set the product name given by the <<<Server>>> and <<<User-Agent>>> HTTP headers as specified by {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/bindings/bindings.en.html#http}HTTP binding}}.