Search in sources :

Example 1 with LoadedKey

use of com.helger.security.keystore.LoadedKey in project phoss-directory by phax.

the class PDHttpClientSettings method resetToConfiguration.

/**
 * Overwrite all settings that can appear in the configuration file
 * "pd-client.properties".
 *
 * @param sTargetURI
 *        The target URI to connect to. Makes a difference if this is "http"
 *        or "https". May neither be <code>null</code> nor empty.
 */
public final void resetToConfiguration(@Nonnull @Nonempty final String sTargetURI) {
    ValueEnforcer.notEmpty(sTargetURI, "TargetURI");
    final boolean bUseHttps = EURLProtocol.HTTPS.isUsedInURL(sTargetURI);
    // Proxy host
    final String sProxyHost = PDClientConfiguration.getHttpProxyHost();
    final int nProxyPort = PDClientConfiguration.getHttpProxyPort();
    if (sProxyHost != null && nProxyPort > 0) {
        final HttpHost aProxyHost = new HttpHost(sProxyHost, nProxyPort);
        LOGGER.info("PD client uses proxy host " + aProxyHost);
        setProxyHost(aProxyHost);
    } else
        setProxyHost(null);
    // Proxy credentials
    final String sProxyUsername = PDClientConfiguration.getProxyUsername();
    if (StringHelper.hasText(sProxyUsername)) {
        LOGGER.info("PD client uses proxy credentials");
        setProxyCredentials(new UsernamePasswordCredentials(sProxyUsername, PDClientConfiguration.getProxyPassword()));
    } else
        setProxyCredentials(null);
    // Reset SSL stuff
    setHostnameVerifier(null);
    setSSLContext(null);
    if (bUseHttps) {
        if (PDClientConfiguration.isHttpsHostnameVerificationDisabled()) {
            LOGGER.info("PD client uses disabled hostname verification");
            setHostnameVerifierVerifyAll();
        }
        // Load key store
        final LoadedKeyStore aLoadedKeyStore = PDClientConfiguration.loadKeyStore();
        if (aLoadedKeyStore.isFailure()) {
            LOGGER.error("PD client failed to initialize keystore for service connection - can only use http now! Details: " + PeppolKeyStoreHelper.getLoadError(aLoadedKeyStore));
        } else {
            LOGGER.info("PD client keystore successfully loaded");
            // Sanity check if key can be loaded
            {
                final LoadedKey<PrivateKeyEntry> aLoadedKey = PDClientConfiguration.loadPrivateKey(aLoadedKeyStore.getKeyStore());
                if (aLoadedKey.isFailure()) {
                    LOGGER.error("PD client failed to initialize key from keystore. Details: " + PeppolKeyStoreHelper.getLoadError(aLoadedKey));
                } else
                    LOGGER.info("PD client key successfully loaded");
            }
            // Load trust store (may not be present/configured)
            final LoadedKeyStore aLoadedTrustStore = PDClientConfiguration.loadTrustStore();
            if (aLoadedTrustStore.isFailure())
                LOGGER.error("PD client failed to initialize truststore for service connection. Details: " + PeppolKeyStoreHelper.getLoadError(aLoadedTrustStore));
            else
                LOGGER.info("PD client truststore successfully loaded");
            try {
                final PrivateKeyStrategy aPKS = new PrivateKeyStrategyFromAliasCaseInsensitive(PDClientConfiguration.getKeyStoreKeyAlias());
                final TrustStrategy aTS = new TrustStrategyTrustAll();
                setSSLContext(SSLContexts.custom().loadKeyMaterial(aLoadedKeyStore.getKeyStore(), PDClientConfiguration.getKeyStoreKeyPassword(), aPKS).loadTrustMaterial(aLoadedTrustStore.getKeyStore(), aTS).build());
                LOGGER.info("PD client successfully set SSL context");
            } catch (final GeneralSecurityException ex) {
                throw new IllegalStateException("PD client failed to set SSL context", ex);
            }
        }
    }
    // Timeouts
    setConnectionTimeoutMS(PDClientConfiguration.getConnectTimeoutMS());
    setSocketTimeoutMS(PDClientConfiguration.getRequestTimeoutMS());
}
Also used : PrivateKeyStrategy(org.apache.http.ssl.PrivateKeyStrategy) TrustStrategy(org.apache.http.ssl.TrustStrategy) GeneralSecurityException(java.security.GeneralSecurityException) LoadedKey(com.helger.security.keystore.LoadedKey) UsernamePasswordCredentials(org.apache.http.auth.UsernamePasswordCredentials) TrustStrategyTrustAll(com.helger.httpclient.security.TrustStrategyTrustAll) LoadedKeyStore(com.helger.security.keystore.LoadedKeyStore) HttpHost(org.apache.http.HttpHost) PrivateKeyStrategyFromAliasCaseInsensitive(com.helger.httpclient.security.PrivateKeyStrategyFromAliasCaseInsensitive)

Example 2 with LoadedKey

use of com.helger.security.keystore.LoadedKey in project phoss-smp by phax.

the class PageSecureCertificateInformation method fillContent.

@Override
protected void fillContent(@Nonnull final WebPageExecutionContext aWPEC) {
    final HCNodeList aNodeList = aWPEC.getNodeList();
    final Locale aDisplayLocale = aWPEC.getDisplayLocale();
    final ZonedDateTime aNowZDT = PDTFactory.getCurrentZonedDateTime();
    final LocalDateTime aNowLDT = aNowZDT.toLocalDateTime();
    final String sDirectoryName = SMPWebAppConfiguration.getDirectoryName();
    if (aWPEC.hasAction(ACTION_RELOAD_KEYSTORE)) {
        SMPKeyManager.reloadFromConfiguration();
        aWPEC.postRedirectGetInternal(info("The keystore was updated from the configuration at " + DateTimeFormatter.ISO_DATE_TIME.format(aNowZDT) + ". The changes are reflected below."));
    } else if (aWPEC.hasAction(ACTION_RELOAD_TRUSTSTORE)) {
        SMPTrustManager.reloadFromConfiguration();
        aWPEC.postRedirectGetInternal(info("The truststore was updated from the configuration at " + DateTimeFormatter.ISO_DATE_TIME.format(aNowZDT) + ". The changes are reflected below."));
    } else if (aWPEC.hasAction(ACTION_RELOAD_DIRECTORY_CONFIGURATION)) {
        PDClientConfiguration.reloadConfiguration();
        aWPEC.postRedirectGetInternal(info("The " + sDirectoryName + " configuration was reloaded at " + DateTimeFormatter.ISO_DATE_TIME.format(aNowZDT) + ". The changes are reflected below."));
    }
    {
        final BootstrapButtonToolbar aToolbar = new BootstrapButtonToolbar(aWPEC);
        aToolbar.addChild(new BootstrapButton().addChild("Reload keystore").setIcon(EDefaultIcon.REFRESH).setOnClick(aWPEC.getSelfHref().add(CPageParam.PARAM_ACTION, ACTION_RELOAD_KEYSTORE)));
        aToolbar.addChild(new BootstrapButton().addChild("Reload truststore").setIcon(EDefaultIcon.REFRESH).setOnClick(aWPEC.getSelfHref().add(CPageParam.PARAM_ACTION, ACTION_RELOAD_TRUSTSTORE)));
        if (SMPMetaManager.getSettings().isDirectoryIntegrationEnabled()) {
            aToolbar.addChild(new BootstrapButton().addChild("Reload " + sDirectoryName + " configuration").setIcon(EDefaultIcon.REFRESH).setOnClick(aWPEC.getSelfHref().add(CPageParam.PARAM_ACTION, ACTION_RELOAD_DIRECTORY_CONFIGURATION)));
        }
        aNodeList.addChild(aToolbar);
    }
    final BootstrapTabBox aTabBox = aNodeList.addAndReturnChild(new BootstrapTabBox());
    // SMP Key store
    {
        final HCNodeList aTab = new HCNodeList();
        if (!SMPKeyManager.isKeyStoreValid()) {
            aTab.addChild(error(SMPKeyManager.getInitializationError()));
        } else {
            // Successfully loaded private key
            final SMPKeyManager aKeyMgr = SMPKeyManager.getInstance();
            final KeyStore aKeyStore = aKeyMgr.getKeyStore();
            if (aKeyStore != null) {
                try {
                    int nKeyEntries = 0;
                    for (final String sAlias : CollectionHelper.newList(aKeyStore.aliases())) {
                        if (aKeyStore.isKeyEntry(sAlias))
                            nKeyEntries++;
                    }
                    if (nKeyEntries == 0)
                        aTab.addChild(error("Found no private key entry in the configured key store."));
                    else if (nKeyEntries > 1)
                        aTab.addChild(warn("The configured key store contains " + nKeyEntries + " key entries. It is highly recommended to have only the SMP key in the key store to avoid issues with the SML communication."));
                } catch (final GeneralSecurityException ex) {
                    aTab.addChild(error("Error iterating key store.").addChild(SMPCommonUI.getTechnicalDetailsUI(ex)));
                }
            }
            final PrivateKeyEntry aKeyEntry = aKeyMgr.getPrivateKeyEntry();
            if (aKeyEntry != null) {
                final Certificate[] aChain = aKeyEntry.getCertificateChain();
                // Key store path and password are fine
                aTab.addChild(success(div("Keystore is located at '" + SMPServerConfiguration.getKeyStorePath() + "' and was successfully loaded.")).addChild(div("The private key with the alias '" + SMPServerConfiguration.getKeyStoreKeyAlias() + "' was successfully loaded.")));
                if (aChain.length > 0 && aChain[0] instanceof X509Certificate) {
                    final X509Certificate aHead = (X509Certificate) aChain[0];
                    final String sIssuer = aHead.getIssuerX500Principal().getName();
                    final EPredefinedCert eCert = EPredefinedCert.getFromIssuerOrNull(sIssuer);
                    if (eCert != null) {
                        if (eCert.isDeprecated())
                            aTab.addChild(warn("You are currently using a ").addChild(strong("deprecated")).addChild(" " + eCert.getName() + " certificate!"));
                        else
                            aTab.addChild(info("You are currently using a " + eCert.getName() + " certificate!"));
                        if (aChain.length != eCert.getCertificateTreeLength())
                            aTab.addChild(error("The private key should be a chain of " + eCert.getCertificateTreeLength() + " certificates but it has " + aChain.length + " certificates. Please ensure that the respective root certificates are contained correctly!"));
                    }
                // else: we don't care
                }
                final String sAlias = SMPServerConfiguration.getKeyStoreKeyAlias();
                final HCOL aOL = new HCOL();
                for (final Certificate aCert : aChain) {
                    if (aCert instanceof X509Certificate) {
                        final X509Certificate aX509Cert = (X509Certificate) aCert;
                        final BootstrapTable aCertDetails = SMPCommonUI.createCertificateDetailsTable(sAlias, aX509Cert, aNowLDT, aDisplayLocale);
                        aOL.addItem(aCertDetails);
                    } else
                        aOL.addItem("The certificate is not an X.509 certificate! It is internally a " + ClassHelper.getClassName(aCert));
                }
                aTab.addChild(aOL);
            }
        }
        aTabBox.addTab("keystore", "Keystore", aTab);
    }
    // SMP Trust store
    {
        final HCNodeList aTab = new HCNodeList();
        if (!SMPTrustManager.isTrustStoreValid()) {
            aTab.addChild(warn(SMPTrustManager.getInitializationError()));
        } else {
            // Successfully loaded trust store
            final SMPTrustManager aTrustMgr = SMPTrustManager.getInstance();
            final KeyStore aTrustStore = aTrustMgr.getTrustStore();
            // Trust store path and password are fine
            aTab.addChild(success(div("Truststore is located at '" + SMPServerConfiguration.getTrustStorePath() + "' and was successfully loaded.")));
            final HCOL aOL = new HCOL();
            try {
                for (final String sAlias : CollectionHelper.newList(aTrustStore.aliases())) {
                    final Certificate aCert = aTrustStore.getCertificate(sAlias);
                    if (aCert instanceof X509Certificate) {
                        final X509Certificate aX509Cert = (X509Certificate) aCert;
                        final BootstrapTable aCertDetails = SMPCommonUI.createCertificateDetailsTable(sAlias, aX509Cert, aNowLDT, aDisplayLocale);
                        aOL.addItem(aCertDetails);
                    } else
                        aOL.addItem("The certificate is not an X.509 certificate! It is internally a " + ClassHelper.getClassName(aCert));
                }
            } catch (final GeneralSecurityException ex) {
                aOL.addItem(error("Error iterating trust store.").addChild(SMPCommonUI.getTechnicalDetailsUI(ex)));
            }
            aTab.addChild(aOL);
        }
        aTabBox.addTab("truststore", "Truststore", aTab);
    }
    // Peppol Directory client certificate
    if (SMPMetaManager.getSettings().isDirectoryIntegrationEnabled()) {
        // Directory client keystore
        {
            final HCNodeList aTab = new HCNodeList();
            final LoadedKeyStore aKeyStoreLR = PDClientConfiguration.loadKeyStore();
            if (aKeyStoreLR.isFailure()) {
                aTab.addChild(error(PeppolKeyStoreHelper.getLoadError(aKeyStoreLR)));
            } else {
                final String sKeyStorePath = PDClientConfiguration.getKeyStorePath();
                final LoadedKey<KeyStore.PrivateKeyEntry> aKeyLoading = PDClientConfiguration.loadPrivateKey(aKeyStoreLR.getKeyStore());
                if (aKeyLoading.isFailure()) {
                    aTab.addChild(success(div("Keystore is located at '" + sKeyStorePath + "' and was successfully loaded.")));
                    aTab.addChild(error(PeppolKeyStoreHelper.getLoadError(aKeyLoading)));
                } else {
                    // Successfully loaded private key
                    final String sAlias = PDClientConfiguration.getKeyStoreKeyAlias();
                    final PrivateKeyEntry aKeyEntry = aKeyLoading.getKeyEntry();
                    final Certificate[] aChain = aKeyEntry.getCertificateChain();
                    // Key store path and password are fine
                    aTab.addChild(success(div("Keystore is located at '" + sKeyStorePath + "' and was successfully loaded.")).addChild(div("The private key with the alias '" + sAlias + "' was successfully loaded.")));
                    if (aChain.length > 0 && aChain[0] instanceof X509Certificate) {
                        final X509Certificate aHead = (X509Certificate) aChain[0];
                        final String sIssuer = aHead.getIssuerX500Principal().getName();
                        final EPredefinedCert eCert = EPredefinedCert.getFromIssuerOrNull(sIssuer);
                        if (eCert != null) {
                            if (eCert.isDeprecated()) {
                                aTab.addChild(warn("You are currently using a ").addChild(strong("deprecated")).addChild(" " + eCert.getName() + " certificate!"));
                            } else
                                aTab.addChild(info("You are currently using a " + eCert.getName() + " certificate!"));
                            if (aChain.length != eCert.getCertificateTreeLength())
                                aTab.addChild(error("The private key should be a chain of " + eCert.getCertificateTreeLength() + " certificates but it has " + aChain.length + " certificates. Please ensure that the respective root certificates are contained!"));
                        }
                    // else: we don't care
                    }
                    final HCOL aUL = new HCOL();
                    for (final Certificate aCert : aChain) {
                        if (aCert instanceof X509Certificate) {
                            final X509Certificate aX509Cert = (X509Certificate) aCert;
                            final BootstrapTable aCertDetails = SMPCommonUI.createCertificateDetailsTable(sAlias, aX509Cert, aNowLDT, aDisplayLocale);
                            aUL.addItem(aCertDetails);
                        } else
                            aUL.addItem("The certificate is not an X.509 certificate! It is internally a " + ClassHelper.getClassName(aCert));
                    }
                    aTab.addChild(aUL);
                }
            }
            aTabBox.addTab("pdkeystore", sDirectoryName + " Keystore", aTab);
        }
        // Directory client truststore
        {
            final HCNodeList aTab = new HCNodeList();
            final LoadedKeyStore aTrustStoreLR = PDClientConfiguration.loadTrustStore();
            if (aTrustStoreLR.isFailure()) {
                aTab.addChild(error(PeppolKeyStoreHelper.getLoadError(aTrustStoreLR)));
            } else {
                // Successfully loaded trust store
                final String sTrustStorePath = PDClientConfiguration.getTrustStorePath();
                final KeyStore aTrustStore = aTrustStoreLR.getKeyStore();
                // Trust store path and password are fine
                aTab.addChild(success(div("Truststore is located at '" + sTrustStorePath + "' and was successfully loaded.")));
                final HCOL aOL = new HCOL();
                try {
                    for (final String sAlias : CollectionHelper.newList(aTrustStore.aliases())) {
                        final Certificate aCert = aTrustStore.getCertificate(sAlias);
                        if (aCert instanceof X509Certificate) {
                            final X509Certificate aX509Cert = (X509Certificate) aCert;
                            final BootstrapTable aCertDetails = SMPCommonUI.createCertificateDetailsTable(sAlias, aX509Cert, aNowLDT, aDisplayLocale);
                            aOL.addItem(aCertDetails);
                        } else
                            aOL.addItem("The certificate is not an X.509 certificate! It is internally a " + ClassHelper.getClassName(aCert));
                    }
                } catch (final GeneralSecurityException ex) {
                    aOL.addItem(error("Error iterating trust store.").addChild(SMPCommonUI.getTechnicalDetailsUI(ex)));
                }
                aTab.addChild(aOL);
            }
            aTabBox.addTab("pdtruststore", sDirectoryName + " Truststore", aTab);
        }
    }
}
Also used : Locale(java.util.Locale) LocalDateTime(java.time.LocalDateTime) HCNodeList(com.helger.html.hc.impl.HCNodeList) GeneralSecurityException(java.security.GeneralSecurityException) LoadedKey(com.helger.security.keystore.LoadedKey) BootstrapTabBox(com.helger.photon.bootstrap4.nav.BootstrapTabBox) LoadedKeyStore(com.helger.security.keystore.LoadedKeyStore) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) SMPTrustManager(com.helger.phoss.smp.security.SMPTrustManager) SMPKeyManager(com.helger.phoss.smp.security.SMPKeyManager) BootstrapTable(com.helger.photon.bootstrap4.table.BootstrapTable) ZonedDateTime(java.time.ZonedDateTime) LoadedKeyStore(com.helger.security.keystore.LoadedKeyStore) HCOL(com.helger.html.hc.html.grouping.HCOL) BootstrapButton(com.helger.photon.bootstrap4.button.BootstrapButton) BootstrapButtonToolbar(com.helger.photon.bootstrap4.buttongroup.BootstrapButtonToolbar) PrivateKeyEntry(java.security.KeyStore.PrivateKeyEntry) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Aggregations

LoadedKey (com.helger.security.keystore.LoadedKey)2 LoadedKeyStore (com.helger.security.keystore.LoadedKeyStore)2 GeneralSecurityException (java.security.GeneralSecurityException)2 HCOL (com.helger.html.hc.html.grouping.HCOL)1 HCNodeList (com.helger.html.hc.impl.HCNodeList)1 PrivateKeyStrategyFromAliasCaseInsensitive (com.helger.httpclient.security.PrivateKeyStrategyFromAliasCaseInsensitive)1 TrustStrategyTrustAll (com.helger.httpclient.security.TrustStrategyTrustAll)1 SMPKeyManager (com.helger.phoss.smp.security.SMPKeyManager)1 SMPTrustManager (com.helger.phoss.smp.security.SMPTrustManager)1 BootstrapButton (com.helger.photon.bootstrap4.button.BootstrapButton)1 BootstrapButtonToolbar (com.helger.photon.bootstrap4.buttongroup.BootstrapButtonToolbar)1 BootstrapTabBox (com.helger.photon.bootstrap4.nav.BootstrapTabBox)1 BootstrapTable (com.helger.photon.bootstrap4.table.BootstrapTable)1 KeyStore (java.security.KeyStore)1 PrivateKeyEntry (java.security.KeyStore.PrivateKeyEntry)1 Certificate (java.security.cert.Certificate)1 X509Certificate (java.security.cert.X509Certificate)1 LocalDateTime (java.time.LocalDateTime)1 ZonedDateTime (java.time.ZonedDateTime)1 Locale (java.util.Locale)1