From ead5dc6d62e7fd6325ea164625b02a6b6fbb226e Mon Sep 17 00:00:00 2001 From: wbauer Date: Fri, 5 Sep 2008 09:50:12 +0000 Subject: Added SSL configuration to BKUOnline git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@15 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../at/gv/egiz/bku/online/conf/Configurator.java | 131 ++++++++-------- .../egiz/bku/online/conf/SpringConfigurator.java | 167 ++++++++++++++++++++- 2 files changed, 230 insertions(+), 68 deletions(-) (limited to 'BKUOnline/src/main/java') diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java index f51335e1..d158b46e 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/Configurator.java @@ -1,21 +1,21 @@ /* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.online.conf; - + * Copyright 2008 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package at.gv.egiz.bku.online.conf; + import iaik.security.ecc.provider.ECCProvider; import iaik.xml.crypto.XSecProvider; @@ -30,53 +30,52 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import at.gv.egiz.bku.slcommands.impl.xsect.STALProvider; - -/** - * - * TODO currently only the code to get started. - */ -public class Configurator { - private Log log = LogFactory.getLog(Configurator.class); - - protected Properties properties; - - public Configurator() { - } - - protected void configUrlConnections() { - HttpsURLConnection.setFollowRedirects(false); - HttpURLConnection.setFollowRedirects(false); - } - - protected void configureProviders() { - log.debug("Registering security providers"); - Security.addProvider(new STALProvider()); - XSecProvider.addAsProvider(false); - Security.insertProviderAt(new ECCProvider(false), 1); - StringBuffer sb = new StringBuffer(); - sb.append("Following providers are now registered: "); - int i = 1; - for (Provider prov : Security.getProviders()) { - sb.append((i++) + ". : " + prov); - } - log.debug("Configured provider" + sb.toString()); - } - - public void configure() { - configureProviders(); - configUrlConnections(); - } - public void setConfiguration(Properties props) { - this.properties = props; - configure(); - } - - public String getProperty(String key) { - if (properties != null) { - return properties.getProperty(key); - } - return null; - } - -} +/** + * + * TODO currently only the code to get started. + */ +public class Configurator { + + private Log log = LogFactory.getLog(Configurator.class); + + protected Properties properties; + + public Configurator() { + } + + protected void configUrlConnections() { + HttpsURLConnection.setFollowRedirects(false); + HttpURLConnection.setFollowRedirects(false); + } + + protected void configureProviders() { + log.debug("Registering security providers"); + Security.addProvider(new STALProvider()); + XSecProvider.addAsProvider(false); + Security.insertProviderAt(new ECCProvider(false), 1); + StringBuffer sb = new StringBuffer(); + sb.append("Following providers are now registered: "); + int i = 1; + for (Provider prov : Security.getProviders()) { + sb.append((i++) + ". : " + prov); + } + log.debug("Configured provider" + sb.toString()); + } + + public void configure() { + configureProviders(); + configUrlConnections(); + } + + public void setConfiguration(Properties props) { + this.properties = props; + } + + public String getProperty(String key) { + if (properties != null) { + return properties.getProperty(key); + } + return null; + } +} diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java index 96588d7d..100285ed 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java @@ -1,16 +1,52 @@ package at.gv.egiz.bku.online.conf; +import java.io.File; +import java.io.FileInputStream; import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.security.Security; +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertStore; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathBuilderResult; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.HashSet; +import java.util.LinkedList; +import java.util.List; import java.util.Properties; +import java.util.Set; + +import javax.net.ssl.CertPathTrustManagerParameters; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.KeyManager; +import javax.net.ssl.ManagerFactoryParameters; +import javax.net.ssl.SSLContext; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509TrustManager; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.springframework.context.ResourceLoaderAware; import org.springframework.core.io.Resource; +import org.springframework.core.io.ResourceLoader; + +import at.gv.egiz.bku.slexceptions.SLRuntimeException; -public class SpringConfigurator extends Configurator { +public class SpringConfigurator extends Configurator implements + ResourceLoaderAware { private final static Log log = LogFactory.getLog(SpringConfigurator.class); + private ResourceLoader resourceLoader; + public void setResource(Resource resource) { log.debug("Loading config from: " + resource); if (resource != null) { @@ -24,4 +60,131 @@ public class SpringConfigurator extends Configurator { } } -} + public void configure() { + super.configure(); + configureSSL(); + } + + private Set getCACerts() throws IOException, + CertificateException { + Set caCerts = new HashSet(); + String caDirectory = getProperty("SSL.caDirectory"); + if (caDirectory != null) { + Resource caDirRes = resourceLoader.getResource(caDirectory); + + File caDir = caDirRes.getFile(); + if (!caDir.isDirectory()) { + log.error("Expecting directory as SSL.caDirectory parameter"); + throw new SLRuntimeException( + "Expecting directory as SSL.caDirectory parameter"); + } + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + for (File f : caDir.listFiles()) { + try { + FileInputStream fis = new FileInputStream(f); + X509Certificate cert = (X509Certificate) cf.generateCertificate(fis); + fis.close(); + log.debug("Adding trusted cert " + cert.getSubjectDN()); + caCerts.add(new TrustAnchor(cert, null)); + } catch (Exception e) { + log.error("Cannot add trusted ca", e); + } + } + return caCerts; + + } else { + log.warn("No CA certificates configured"); + } + return null; + } + + private CertStore getCertstore() throws IOException, CertificateException, + InvalidAlgorithmParameterException, NoSuchAlgorithmException { + String certDirectory = getProperty("SSL.certDirectory"); + if (certDirectory != null) { + Resource certDirRes = resourceLoader.getResource(certDirectory); + + File certDir = certDirRes.getFile(); + if (!certDir.isDirectory()) { + log.error("Expecting directory as SSL.certDirectory parameter"); + throw new SLRuntimeException( + "Expecting directory as SSL.certDirectory parameter"); + } + List certCollection = new LinkedList(); + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + for (File f : certDir.listFiles()) { + try { + FileInputStream fis = new FileInputStream(f); + X509Certificate cert =(X509Certificate) cf.generateCertificate(fis); + certCollection.add(cert); + fis.close(); + log.trace("Added following cert to certstore: "+cert.getSubjectDN()); + } catch (Exception ex) { + log.error("Cannot add certificate", ex); + } + } + CollectionCertStoreParameters csp = new CollectionCertStoreParameters( + certCollection); + return CertStore.getInstance("Collection", csp); + + } else { + log.warn("No certstore configured"); + } + return null; + } + + public void configureSSL() { + Set caCerts = null; + try { + caCerts = getCACerts(); + } catch (Exception e1) { + log.error("Cannot load CA certificates", e1); + } + CertStore certStore = null; + try { + certStore = getCertstore(); + } catch (Exception e1) { + log.error("Cannot load certstore certificates", e1); + } + System.setProperty("com.sun.security.enableAIAcaIssuers", "true"); + try { + X509CertSelector selector = new X509CertSelector(); + PKIXBuilderParameters pkixParams; + pkixParams = new PKIXBuilderParameters(caCerts, selector); + if ((getProperty("SSL.doRevocationChecking") != null) + && (Boolean.valueOf(getProperty("SSL.doRevocationChecking")))) { + log.info("Enable revocation checking"); + pkixParams.setRevocationEnabled(true); + System.setProperty("com.sun.security.enableCRLDP", "true"); + Security.setProperty("ocsp.enable", "true"); + } else { + log.warn("Revocation checking disabled"); + pkixParams.setRevocationEnabled(false); + } + pkixParams.addCertStore(certStore); + ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters( + pkixParams); + TrustManagerFactory trustFab; + try { + trustFab = TrustManagerFactory.getInstance("PKIX"); + trustFab.init(trustParams); + KeyManager[] km = null; + SSLContext sslCtx = SSLContext + .getInstance(getProperty("SSL.sslProtocol")); + sslCtx.init(km, trustFab.getTrustManagers(), null); + HttpsURLConnection + .setDefaultSSLSocketFactory(sslCtx.getSocketFactory()); + } catch (Exception e) { + log.error("Cannot configure SSL", e); + } + + } catch (InvalidAlgorithmParameterException e) { + log.error("Cannot configure SSL", e); + } + } + + @Override + public void setResourceLoader(ResourceLoader loader) { + this.resourceLoader = loader; + } +} \ No newline at end of file -- cgit v1.2.3