From c7cbf8a12db4fcb77fd374392e88c3fa04b1e100 Mon Sep 17 00:00:00 2001 From: wbauer Date: Tue, 9 Sep 2008 09:54:32 +0000 Subject: added check to avoid sending baseid to non .gv.at domains git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@25 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../at/gv/egiz/bku/online/applet/BKUApplet.java | 139 ++++++------ .../at/gv/egiz/bku/online/applet/BKUWorker.java | 25 ++- .../online/applet/InternalSSLSocketFactory.java | 237 +++++++++++++-------- .../applet/InternalSSLSocketFactoryException.java | 45 ---- 4 files changed, 240 insertions(+), 206 deletions(-) delete mode 100644 BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactoryException.java (limited to 'BKUApplet/src') diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java index 5d4d0dab..8289f30b 100644 --- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java +++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java @@ -1,19 +1,19 @@ /* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ + * Copyright 2008 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package at.gv.egiz.bku.online.applet; import java.util.Locale; @@ -29,71 +29,68 @@ import at.gv.egiz.bku.gui.BKUGUIFacade; import at.gv.egiz.bku.gui.BKUGUIFactory; /** - * Note: all swing code is executed by the event dispatch thread (see BKUGUIFacade) + * Note: all swing code is executed by the event dispatch thread (see + * BKUGUIFacade) */ public class BKUApplet extends JApplet { - private static Log log = LogFactory.getLog(BKUApplet.class); + private static Log log = LogFactory.getLog(BKUApplet.class); + + public final static String RESOURCE_BUNDLE_BASE = "at/gv/egiz/bku/online/applet/Messages"; - public final static String RESOURCE_BUNDLE_BASE = "at/gv/egiz/bku/online/applet/Messages"; + public final static String LOCALE_PARAM_KEY = "Locale"; + public final static String LOGO_URL_KEY = "LogoURL"; + public final static String WSDL_URL = "WSDL_URL"; + public final static String SESSION_ID = "SessionID"; - public final static String LOCALE_PARAM_KEY = "Locale"; - public final static String LOGO_URL_KEY="LogoURL"; - public final static String WSDL_URL="WSDL_URL"; - public final static String SESSION_ID="SessionID"; + protected ResourceBundle resourceBundle; + protected BKUWorker worker; + protected Thread workerThread; - protected ResourceBundle resourceBundle; - protected BKUWorker worker; - protected Thread workerThread; - - public BKUApplet() { - } + public BKUApplet() { + } - public void init() { - log.debug("Called init()"); - try { - HttpsURLConnection.setDefaultSSLSocketFactory(InternalSSLSocketFactory.getSocketFactory()); - HttpsURLConnection.setDefaultHostnameVerifier(InternalSSLSocketFactory.getHostNameVerifier()); - } catch (InternalSSLSocketFactoryException e) { - log.error(e); - } - String localeString = getMyAppletParameter(LOCALE_PARAM_KEY); - if (localeString != null) { - resourceBundle = ResourceBundle.getBundle(RESOURCE_BUNDLE_BASE, - new Locale(localeString)); - } else { - resourceBundle = ResourceBundle.getBundle(RESOURCE_BUNDLE_BASE); - } - BKUGUIFacade gui = BKUGUIFactory.createGUI(); - gui.init(getContentPane(), localeString); - worker = new BKUWorker(gui, this, resourceBundle); - } + public void init() { + log.debug("Called init()"); + HttpsURLConnection.setDefaultSSLSocketFactory(InternalSSLSocketFactory + .getInstance()); + String localeString = getMyAppletParameter(LOCALE_PARAM_KEY); + if (localeString != null) { + resourceBundle = ResourceBundle.getBundle(RESOURCE_BUNDLE_BASE, + new Locale(localeString)); + } else { + resourceBundle = ResourceBundle.getBundle(RESOURCE_BUNDLE_BASE); + } + BKUGUIFacade gui = BKUGUIFactory.createGUI(); + gui.init(getContentPane(), localeString); + worker = new BKUWorker(gui, this, resourceBundle); + } - public void start() { - log.debug("Called start()"); - workerThread = new Thread(worker); - workerThread.start(); - } + public void start() { + log.debug("Called start()"); + workerThread = new Thread(worker); + workerThread.start(); + } - public void stop() { - log.debug("Called stop()"); - if ((workerThread != null) && (workerThread.isAlive())) { - workerThread.interrupt(); - } - } + public void stop() { + log.debug("Called stop()"); + if ((workerThread != null) && (workerThread.isAlive())) { + workerThread.interrupt(); + } + } - public void destroy() { - log.debug("Called destroy()"); - } + public void destroy() { + log.debug("Called destroy()"); + } - /** - * Applet configuration parameters - * - * @param paramKey - * @return - */ - public String getMyAppletParameter(String paramKey) { - log.info("Getting parameter: "+paramKey+ ": "+ getParameter(paramKey)); - return getParameter(paramKey); - } + /** + * Applet configuration parameters + * + * @param paramKey + * @return + */ + public String getMyAppletParameter(String paramKey) { + log.info("Getting parameter: " + paramKey + ": " + getParameter(paramKey)); + return getParameter(paramKey); + } } diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUWorker.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUWorker.java index f7b5fb2f..042c6a83 100644 --- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUWorker.java +++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUWorker.java @@ -34,6 +34,8 @@ import at.gv.egiz.bku.smccstal.AbstractSMCCSTAL; import at.gv.egiz.bku.smccstal.SMCCSTALRequestHandler; import at.gv.egiz.smcc.SignatureCard; import at.gv.egiz.smcc.util.SMCCHelper; +import at.gv.egiz.stal.ErrorResponse; +import at.gv.egiz.stal.InfoboxReadRequest; import at.gv.egiz.stal.QuitRequest; import at.gv.egiz.stal.STALRequest; import at.gv.egiz.stal.STALResponse; @@ -107,6 +109,8 @@ public class BKUWorker extends AbstractSMCCSTAL implements Runnable, gui.showWelcomeDialog(); try { stalPort = getSTALPort(); + + } catch (Exception e) { log.fatal("Failed to call STAL service.", e); actionCommandList.clear(); @@ -134,7 +138,26 @@ public class BKUWorker extends AbstractSMCCSTAL implements Runnable, GetNextRequestResponseType resp = stalPort.getNextRequest(nextRequest); log.info("Got " + resp.getRequest().size() + " requests from server."); List stalRequests = resp.getRequest(); - List responses = handleRequest(stalRequests); + boolean handle = true; + for (STALRequest request : stalRequests) { + if (request instanceof InfoboxReadRequest) { + InfoboxReadRequest infobx = (InfoboxReadRequest) request; + if (infobx.getInfoboxIdentifier().equals("IdentityLink")) { + if (infobx.getDomainIdentifier() == null) { + if (!InternalSSLSocketFactory.getInstance().isEgovAgency()) { + handle = false; + } + } + } + } + } + List responses; + if (handle) { + responses = handleRequest(stalRequests); + } else { + responses = new ArrayList(1); + responses.add(new ErrorResponse(6002)); + } log.info("Got " + responses.size() + " responses."); nextRequest = factory.createGetNextRequestType(); nextRequest.setSessionId(sessionId); diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java index ab04d2b6..79c369a2 100644 --- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java +++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java @@ -1,19 +1,19 @@ /* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ + * Copyright 2008 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ /* * To change this template, choose Tools | Templates * and open the template in the editor. @@ -22,80 +22,139 @@ package at.gv.egiz.bku.online.applet; import java.io.IOException; -import java.security.KeyManagementException; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.UnrecoverableKeyException; -import java.security.cert.CertificateException; +import java.net.InetAddress; +import java.net.Socket; +import java.net.UnknownHostException; +import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; +import java.util.Collection; +import java.util.List; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSession; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLPeerUnverifiedException; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.X509TrustManager; - -public class InternalSSLSocketFactory { - - private SSLSocketFactory factory; - - public static SSLSocketFactory getSocketFactory() throws InternalSSLSocketFactoryException { - return new InternalSSLSocketFactory().factory; - } - - public static HostnameVerifier getHostNameVerifier() throws InternalSSLSocketFactoryException { - return (new HostnameVerifier() { - @Override - public boolean verify(String hostname, SSLSession session) { - return true; - } - }); - } - - public InternalSSLSocketFactory() throws InternalSSLSocketFactoryException { - SSLContext sslContext; - try { - sslContext = SSLContext.getInstance("TLSv1"); - sslContext.getClientSessionContext().setSessionTimeout(0); - KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509"); - - KeyStore keyStore = KeyStore.getInstance("JKS"); - keyStore.load(null, null); - keyManagerFactory.init(keyStore, null); - - sslContext.init(keyManagerFactory.getKeyManagers(), - new X509TrustManager[] { new AcceptAllTrustManager() }, - null); - } catch (NoSuchAlgorithmException e) { - throw new InternalSSLSocketFactoryException(e); - } catch (CertificateException e) { - throw new InternalSSLSocketFactoryException(e); - } catch (IOException e) { - throw new InternalSSLSocketFactoryException(e); - } catch (KeyStoreException e) { - throw new InternalSSLSocketFactoryException(e); - } catch (UnrecoverableKeyException e) { - throw new InternalSSLSocketFactoryException(e); - } catch (KeyManagementException e) { - throw new InternalSSLSocketFactoryException(e); - } - - this.factory = sslContext.getSocketFactory(); - } - - class AcceptAllTrustManager implements X509TrustManager { - - public X509Certificate[] getAcceptedIssuers() { - return null; - } - - public void checkClientTrusted(X509Certificate[] chain, String authType) { - } - - public void checkServerTrusted(X509Certificate[] chain, String authType) { - //FIXME - } - } -}; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +public class InternalSSLSocketFactory extends SSLSocketFactory { + + private static InternalSSLSocketFactory instance = new InternalSSLSocketFactory(); + + private final static Log log = LogFactory + .getLog(InternalSSLSocketFactory.class); + + private final static String GOV_DOMAIN = ".gv.at"; + + private SSLSocket sslSocket; + + private SSLSocketFactory proxy; + + private InternalSSLSocketFactory() { + proxy = HttpsURLConnection.getDefaultSSLSocketFactory(); + } + + public static InternalSSLSocketFactory getInstance() { + return instance; + } + + @Override + public Socket createSocket() throws IOException { + sslSocket = (SSLSocket) proxy.createSocket(); + return sslSocket; + } + + @Override + public Socket createSocket(String arg0, int arg1) throws IOException, + UnknownHostException { + sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1); + + return sslSocket; + } + + @Override + public Socket createSocket(InetAddress arg0, int arg1) throws IOException { + sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1); + return sslSocket; + } + + @Override + public Socket createSocket(String arg0, int arg1, InetAddress arg2, int arg3) + throws IOException, UnknownHostException { + sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3); + return sslSocket; + } + + @Override + public Socket createSocket(InetAddress arg0, int arg1, InetAddress arg2, + int arg3) throws IOException { + sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3); + return sslSocket; + } + + @Override + public Socket createSocket(Socket arg0, String arg1, int arg2, boolean arg3) + throws IOException { + sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3); + return sslSocket; + } + + @Override + public String[] getDefaultCipherSuites() { + return proxy.getDefaultCipherSuites(); + } + + @Override + public String[] getSupportedCipherSuites() { + return proxy.getSupportedCipherSuites(); + } + + public boolean isEgovAgency() { + log.info("Checking if server is egov agency"); + if (sslSocket != null) { + try { + X509Certificate cert = (X509Certificate) sslSocket.getSession() + .getPeerCertificates()[0]; + log.info("Server cert: " + cert); + return isGovAgency(cert); + } catch (SSLPeerUnverifiedException e) { + log.error(e); + return false; + } + } + log.info("Not a SSL connection"); + return false; + } + + public static boolean isGovAgency(X509Certificate cert) { + String[] rdns = (cert.getSubjectX500Principal().getName()).split(","); + for (String rdn : rdns) { + if (rdn.startsWith("CN=")) { + String dns = rdn.split("=")[1]; + if (dns.endsWith(GOV_DOMAIN)) { + return true; + } + } + } + try { + Collection> sanList = cert.getSubjectAlternativeNames(); + if (sanList != null) { + for (List san : sanList) { + if ((Integer) san.get(0) == 2) { + String dns = (String) san.get(1); + if (dns.endsWith(GOV_DOMAIN)) { + return true; + } + } + } + } + } catch (CertificateParsingException e) { + log.error(e); + } + if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) { + return true; + } + return false; + } +} diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactoryException.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactoryException.java deleted file mode 100644 index c620284a..00000000 --- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactoryException.java +++ /dev/null @@ -1,45 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -/* - * To change this template, choose Tools | Templates - * and open the template in the editor. - */ - -package at.gv.egiz.bku.online.applet; - -/** - * - * @author mcentner - */ -public class InternalSSLSocketFactoryException extends Exception { - - public InternalSSLSocketFactoryException(Throwable cause) { - super(cause); - } - - public InternalSSLSocketFactoryException(String message, Throwable cause) { - super(message, cause); - } - - public InternalSSLSocketFactoryException(String message) { - super(message); - } - - public InternalSSLSocketFactoryException() { - } - -} -- cgit v1.2.3