From 70d21ad57916010b3079f8bf332f0986c91c7539 Mon Sep 17 00:00:00 2001 From: tkellner Date: Wed, 10 Apr 2013 19:31:49 +0000 Subject: Remove unneeded certs, add mobile test certs git-svn-id: https://joinup.ec.europa.eu/svn/pdf-over/trunk@368 174cde9d-5d70-4d2a-aa98-46368bc2aaf7 --- .../states/mobilebku/ASITTrustManager.java | 225 -------------------- .../states/mobilebku/SimpleXMLTrustManager.java | 226 +++++++++++++++++++++ .../states/mobilebku/TrustedSocketFactory.java | 2 +- 3 files changed, 227 insertions(+), 226 deletions(-) delete mode 100644 pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/ASITTrustManager.java create mode 100644 pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/SimpleXMLTrustManager.java (limited to 'pdf-over-gui/src/main/java') diff --git a/pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/ASITTrustManager.java b/pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/ASITTrustManager.java deleted file mode 100644 index f4e6be70..00000000 --- a/pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/ASITTrustManager.java +++ /dev/null @@ -1,225 +0,0 @@ -/* - * Copyright 2012 by A-SIT, Secure Information Technology Center Austria - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://joinup.ec.europa.eu/software/page/eupl - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - */ -package at.asit.pdfover.gui.workflow.states.mobilebku; - -// Imports -import java.security.KeyStore; -import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; -import java.security.cert.X509Certificate; -import java.util.Arrays; - -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; -import javax.net.ssl.X509TrustManager; -import javax.xml.parsers.DocumentBuilderFactory; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.w3c.dom.Document; -import org.w3c.dom.Node; -import org.w3c.dom.NodeList; - -/** - * - */ -public class ASITTrustManager implements X509TrustManager { - /** - * SLF4J Logger instance - **/ - private static final Logger log = LoggerFactory - .getLogger(ASITTrustManager.class); - - /* - * The default X509TrustManager returned by SunX509. We'll delegate - * decisions to it, and fall back to the logic in this class if the default - * X509TrustManager doesn't trust it. - */ - X509TrustManager sunJSSEX509TrustManager; - - /** - * Trust Manager for A-Trust Certificates - */ - X509TrustManager atrustTrustManager; - - /** - * Constructs the TrustManager - * - * @throws Exception - */ - public ASITTrustManager() throws Exception { - // create a "default" JSSE X509TrustManager. - - TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); //$NON-NLS-1$ - tmf.init((KeyStore) null); - - TrustManager tms[] = tmf.getTrustManagers(); - - /* - * Iterate over the returned trustmanagers, look for an instance of - * X509TrustManager. If found, use that as our "default" trust manager. - */ - for (int i = 0; i < tms.length; i++) { - if (tms[i] instanceof X509TrustManager) { - this.sunJSSEX509TrustManager = (X509TrustManager) tms[i]; - break; - } - } - - /* - * A-Trust Certificates - */ - - KeyStore atrustKeyStore = KeyStore.getInstance(KeyStore - .getDefaultType()); - - atrustKeyStore.load(null); - - String usedCertificates = "/certificates/used_certificates.xml"; //$NON-NLS-1$ - - Document doc = DocumentBuilderFactory.newInstance() - .newDocumentBuilder() - .parse(this.getClass().getResourceAsStream(usedCertificates)); - - Node certificates = doc.getFirstChild(); - - if (!certificates.getNodeName().equals("certificates")) { //$NON-NLS-1$ - throw new Exception( - "Used certificates xml is invalid! no certificates node"); //$NON-NLS-1$ - } - - NodeList certificateList = certificates.getChildNodes(); - - for (int i = 0; i < certificateList.getLength(); i++) { - try { - - Node certificateNode = certificateList.item(i); - - if (certificateNode.getNodeName().equals("#text")) { //$NON-NLS-1$ - continue; // Ignore dummy text node .. - } - - if (!certificateNode.getNodeName().equals("certificate")) { //$NON-NLS-1$ - log.warn("Ignoring XML node: " + certificateNode.getNodeName()); //$NON-NLS-1$ - continue; - } - - String certResource = "/certificates/" + certificateNode.getTextContent() + ".crt"; //$NON-NLS-1$ //$NON-NLS-2$ - - X509Certificate cert = (X509Certificate) CertificateFactory - .getInstance("X509"). //$NON-NLS-1$ - generateCertificate( - this.getClass().getResourceAsStream( - certResource)); - - atrustKeyStore.setCertificateEntry(certificateNode.getTextContent(), cert); - - log.debug("Loaded certificate : " + certResource); //$NON-NLS-1$ - - } catch (Exception ex) { - log.error("Failed to load certificate [" + "]", ex); //$NON-NLS-1$ //$NON-NLS-2$ - } - } - - tmf.init(atrustKeyStore); - - tms = tmf.getTrustManagers(); - - /* - * Iterate over the returned trustmanagers, look for an instance of - * X509TrustManager. If found, use that as our "default" trust manager. - */ - for (int i = 0; i < tms.length; i++) { - if (tms[i] instanceof X509TrustManager) { - this.atrustTrustManager = (X509TrustManager) tms[i]; - break; - } - } - - if (this.sunJSSEX509TrustManager != null - && this.atrustTrustManager != null) { - return; - } - - /* - * Find some other way to initialize, or else we have to fail the - * constructor. - */ - throw new Exception("Couldn't initialize ASITTrustManager"); //$NON-NLS-1$ - } - - /* - * (non-Javadoc) - * - * @see - * javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert. - * X509Certificate[], java.lang.String) - */ - @Override - public void checkClientTrusted(X509Certificate[] arg0, String arg1) - throws CertificateException { - try { - this.atrustTrustManager.checkServerTrusted(arg0, arg1); - } catch (CertificateException ex) { - try { - this.sunJSSEX509TrustManager.checkClientTrusted(arg0, arg1); - } catch (CertificateException ex2) { - log.info("checkClientTrusted: ", ex2); //$NON-NLS-1$ - throw ex2; - } - } - } - - /* - * (non-Javadoc) - * - * @see - * javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert. - * X509Certificate[], java.lang.String) - */ - @Override - public void checkServerTrusted(X509Certificate[] arg0, String arg1) - throws CertificateException { - try { - this.atrustTrustManager.checkServerTrusted(arg0, arg1); - } catch (CertificateException ex) { - try { - this.sunJSSEX509TrustManager.checkServerTrusted(arg0, arg1); - } catch (CertificateException ex2) { - log.info("checkServerTrusted: ", ex2); //$NON-NLS-1$ - throw ex2; - } - } - } - - /* - * (non-Javadoc) - * - * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers() - */ - @Override - public X509Certificate[] getAcceptedIssuers() { - - X509Certificate[] default_certs = this.sunJSSEX509TrustManager.getAcceptedIssuers(); - - X509Certificate[] atrust_certs = this.atrustTrustManager.getAcceptedIssuers(); - - X509Certificate[] all_certs = Arrays.copyOf(default_certs, default_certs.length + atrust_certs.length); - System.arraycopy(atrust_certs, 0, all_certs, default_certs.length, atrust_certs.length); - return all_certs; - } - -} diff --git a/pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/SimpleXMLTrustManager.java b/pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/SimpleXMLTrustManager.java new file mode 100644 index 00000000..d08dcfe5 --- /dev/null +++ b/pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/SimpleXMLTrustManager.java @@ -0,0 +1,226 @@ +/* + * Copyright 2012 by A-SIT, Secure Information Technology Center Austria + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://joinup.ec.europa.eu/software/page/eupl + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + */ +package at.asit.pdfover.gui.workflow.states.mobilebku; + +// Imports +import java.security.KeyStore; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.util.Arrays; + +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509TrustManager; +import javax.xml.parsers.DocumentBuilderFactory; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Document; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; + +/** + * + */ +public class SimpleXMLTrustManager implements X509TrustManager { + /** + * SLF4J Logger instance + **/ + private static final Logger log = LoggerFactory + .getLogger(SimpleXMLTrustManager.class); + + private static final String certificateList = "/certificates/certificates.xml"; //$NON-NLS-1$ + + + /* + * The default X509TrustManager returned by SunX509. We'll delegate + * decisions to it, and fall back to the logic in this class if the default + * X509TrustManager doesn't trust it. + */ + X509TrustManager sunJSSEX509TrustManager; + + /** + * Trust Manager for A-Trust Certificates + */ + X509TrustManager atrustTrustManager; + + /** + * Constructs the TrustManager + * + * @throws Exception + */ + public SimpleXMLTrustManager() throws Exception { + // create a "default" JSSE X509TrustManager. + + TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); //$NON-NLS-1$ + tmf.init((KeyStore) null); + + TrustManager tms[] = tmf.getTrustManagers(); + + /* + * Iterate over the returned trustmanagers, look for an instance of + * X509TrustManager. If found, use that as our "default" trust manager. + */ + for (int i = 0; i < tms.length; i++) { + if (tms[i] instanceof X509TrustManager) { + this.sunJSSEX509TrustManager = (X509TrustManager) tms[i]; + break; + } + } + + /* + * A-Trust Certificates + */ + + KeyStore myKeyStore = KeyStore.getInstance(KeyStore + .getDefaultType()); + + myKeyStore.load(null); + + Document doc = DocumentBuilderFactory.newInstance() + .newDocumentBuilder() + .parse(this.getClass().getResourceAsStream(certificateList)); + + Node certificates = doc.getFirstChild(); + + if (!certificates.getNodeName().equals("certificates")) { //$NON-NLS-1$ + throw new Exception( + "Used certificates xml is invalid! no certificates node"); //$NON-NLS-1$ + } + + NodeList certificateList = certificates.getChildNodes(); + + for (int i = 0; i < certificateList.getLength(); i++) { + try { + + Node certificateNode = certificateList.item(i); + + if (certificateNode.getNodeName().equals("#text")) { //$NON-NLS-1$ + continue; // Ignore dummy text node .. + } + + if (!certificateNode.getNodeName().equals("certificate")) { //$NON-NLS-1$ + log.warn("Ignoring XML node: " + certificateNode.getNodeName()); //$NON-NLS-1$ + continue; + } + + String certResource = "/certificates/" + certificateNode.getTextContent(); //$NON-NLS-1$ + + X509Certificate cert = (X509Certificate) CertificateFactory + .getInstance("X509"). //$NON-NLS-1$ + generateCertificate( + this.getClass().getResourceAsStream( + certResource)); + + myKeyStore.setCertificateEntry(certificateNode.getTextContent(), cert); + + log.debug("Loaded certificate : " + certResource); //$NON-NLS-1$ + + } catch (Exception ex) { + log.error("Failed to load certificate [" + "]", ex); //$NON-NLS-1$ //$NON-NLS-2$ + } + } + + tmf.init(myKeyStore); + + tms = tmf.getTrustManagers(); + + /* + * Iterate over the returned trustmanagers, look for an instance of + * X509TrustManager. If found, use that as our "default" trust manager. + */ + for (int i = 0; i < tms.length; i++) { + if (tms[i] instanceof X509TrustManager) { + this.atrustTrustManager = (X509TrustManager) tms[i]; + break; + } + } + + if (this.sunJSSEX509TrustManager != null + && this.atrustTrustManager != null) { + return; + } + + /* + * Find some other way to initialize, or else we have to fail the + * constructor. + */ + throw new Exception("Couldn't initialize ASITTrustManager"); //$NON-NLS-1$ + } + + /* + * (non-Javadoc) + * + * @see + * javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert. + * X509Certificate[], java.lang.String) + */ + @Override + public void checkClientTrusted(X509Certificate[] arg0, String arg1) + throws CertificateException { + try { + this.atrustTrustManager.checkServerTrusted(arg0, arg1); + } catch (CertificateException ex) { + try { + this.sunJSSEX509TrustManager.checkClientTrusted(arg0, arg1); + } catch (CertificateException ex2) { + log.info("checkClientTrusted: ", ex2); //$NON-NLS-1$ + throw ex2; + } + } + } + + /* + * (non-Javadoc) + * + * @see + * javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert. + * X509Certificate[], java.lang.String) + */ + @Override + public void checkServerTrusted(X509Certificate[] arg0, String arg1) + throws CertificateException { + try { + this.atrustTrustManager.checkServerTrusted(arg0, arg1); + } catch (CertificateException ex) { + try { + this.sunJSSEX509TrustManager.checkServerTrusted(arg0, arg1); + } catch (CertificateException ex2) { + log.info("checkServerTrusted: ", ex2); //$NON-NLS-1$ + throw ex2; + } + } + } + + /* + * (non-Javadoc) + * + * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers() + */ + @Override + public X509Certificate[] getAcceptedIssuers() { + + X509Certificate[] default_certs = this.sunJSSEX509TrustManager.getAcceptedIssuers(); + + X509Certificate[] atrust_certs = this.atrustTrustManager.getAcceptedIssuers(); + + X509Certificate[] all_certs = Arrays.copyOf(default_certs, default_certs.length + atrust_certs.length); + System.arraycopy(atrust_certs, 0, all_certs, default_certs.length, atrust_certs.length); + return all_certs; + } + +} diff --git a/pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/TrustedSocketFactory.java b/pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/TrustedSocketFactory.java index e3da8076..add31972 100644 --- a/pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/TrustedSocketFactory.java +++ b/pdf-over-gui/src/main/java/at/asit/pdfover/gui/workflow/states/mobilebku/TrustedSocketFactory.java @@ -51,7 +51,7 @@ public class TrustedSocketFactory implements ProtocolSocketFactory { private static SSLSocketFactory getFactory() throws NoSuchAlgorithmException, KeyManagementException, Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); //$NON-NLS-1$ - sslContext.init(null, new TrustManager[] { new ASITTrustManager() }, + sslContext.init(null, new TrustManager[] { new SimpleXMLTrustManager() }, new java.security.SecureRandom()); return sslContext.getSocketFactory(); -- cgit v1.2.3