use of com.helger.security.keystore.LoadedKey in project phoss-directory by phax.
the class PDHttpClientSettings method resetToConfiguration.
/**
* Overwrite all settings that can appear in the configuration file
* "pd-client.properties".
*
* @param sTargetURI
* The target URI to connect to. Makes a difference if this is "http"
* or "https". May neither be <code>null</code> nor empty.
*/
public final void resetToConfiguration(@Nonnull @Nonempty final String sTargetURI) {
ValueEnforcer.notEmpty(sTargetURI, "TargetURI");
final boolean bUseHttps = EURLProtocol.HTTPS.isUsedInURL(sTargetURI);
// Proxy host
final String sProxyHost = PDClientConfiguration.getHttpProxyHost();
final int nProxyPort = PDClientConfiguration.getHttpProxyPort();
if (sProxyHost != null && nProxyPort > 0) {
final HttpHost aProxyHost = new HttpHost(sProxyHost, nProxyPort);
LOGGER.info("PD client uses proxy host " + aProxyHost);
setProxyHost(aProxyHost);
} else
setProxyHost(null);
// Proxy credentials
final String sProxyUsername = PDClientConfiguration.getProxyUsername();
if (StringHelper.hasText(sProxyUsername)) {
LOGGER.info("PD client uses proxy credentials");
setProxyCredentials(new UsernamePasswordCredentials(sProxyUsername, PDClientConfiguration.getProxyPassword()));
} else
setProxyCredentials(null);
// Reset SSL stuff
setHostnameVerifier(null);
setSSLContext(null);
if (bUseHttps) {
if (PDClientConfiguration.isHttpsHostnameVerificationDisabled()) {
LOGGER.info("PD client uses disabled hostname verification");
setHostnameVerifierVerifyAll();
}
// Load key store
final LoadedKeyStore aLoadedKeyStore = PDClientConfiguration.loadKeyStore();
if (aLoadedKeyStore.isFailure()) {
LOGGER.error("PD client failed to initialize keystore for service connection - can only use http now! Details: " + PeppolKeyStoreHelper.getLoadError(aLoadedKeyStore));
} else {
LOGGER.info("PD client keystore successfully loaded");
// Sanity check if key can be loaded
{
final LoadedKey<PrivateKeyEntry> aLoadedKey = PDClientConfiguration.loadPrivateKey(aLoadedKeyStore.getKeyStore());
if (aLoadedKey.isFailure()) {
LOGGER.error("PD client failed to initialize key from keystore. Details: " + PeppolKeyStoreHelper.getLoadError(aLoadedKey));
} else
LOGGER.info("PD client key successfully loaded");
}
// Load trust store (may not be present/configured)
final LoadedKeyStore aLoadedTrustStore = PDClientConfiguration.loadTrustStore();
if (aLoadedTrustStore.isFailure())
LOGGER.error("PD client failed to initialize truststore for service connection. Details: " + PeppolKeyStoreHelper.getLoadError(aLoadedTrustStore));
else
LOGGER.info("PD client truststore successfully loaded");
try {
final PrivateKeyStrategy aPKS = new PrivateKeyStrategyFromAliasCaseInsensitive(PDClientConfiguration.getKeyStoreKeyAlias());
final TrustStrategy aTS = new TrustStrategyTrustAll();
setSSLContext(SSLContexts.custom().loadKeyMaterial(aLoadedKeyStore.getKeyStore(), PDClientConfiguration.getKeyStoreKeyPassword(), aPKS).loadTrustMaterial(aLoadedTrustStore.getKeyStore(), aTS).build());
LOGGER.info("PD client successfully set SSL context");
} catch (final GeneralSecurityException ex) {
throw new IllegalStateException("PD client failed to set SSL context", ex);
}
}
}
// Timeouts
setConnectionTimeoutMS(PDClientConfiguration.getConnectTimeoutMS());
setSocketTimeoutMS(PDClientConfiguration.getRequestTimeoutMS());
}
use of com.helger.security.keystore.LoadedKey in project phoss-smp by phax.
the class PageSecureCertificateInformation method fillContent.
@Override
protected void fillContent(@Nonnull final WebPageExecutionContext aWPEC) {
final HCNodeList aNodeList = aWPEC.getNodeList();
final Locale aDisplayLocale = aWPEC.getDisplayLocale();
final ZonedDateTime aNowZDT = PDTFactory.getCurrentZonedDateTime();
final LocalDateTime aNowLDT = aNowZDT.toLocalDateTime();
final String sDirectoryName = SMPWebAppConfiguration.getDirectoryName();
if (aWPEC.hasAction(ACTION_RELOAD_KEYSTORE)) {
SMPKeyManager.reloadFromConfiguration();
aWPEC.postRedirectGetInternal(info("The keystore was updated from the configuration at " + DateTimeFormatter.ISO_DATE_TIME.format(aNowZDT) + ". The changes are reflected below."));
} else if (aWPEC.hasAction(ACTION_RELOAD_TRUSTSTORE)) {
SMPTrustManager.reloadFromConfiguration();
aWPEC.postRedirectGetInternal(info("The truststore was updated from the configuration at " + DateTimeFormatter.ISO_DATE_TIME.format(aNowZDT) + ". The changes are reflected below."));
} else if (aWPEC.hasAction(ACTION_RELOAD_DIRECTORY_CONFIGURATION)) {
PDClientConfiguration.reloadConfiguration();
aWPEC.postRedirectGetInternal(info("The " + sDirectoryName + " configuration was reloaded at " + DateTimeFormatter.ISO_DATE_TIME.format(aNowZDT) + ". The changes are reflected below."));
}
{
final BootstrapButtonToolbar aToolbar = new BootstrapButtonToolbar(aWPEC);
aToolbar.addChild(new BootstrapButton().addChild("Reload keystore").setIcon(EDefaultIcon.REFRESH).setOnClick(aWPEC.getSelfHref().add(CPageParam.PARAM_ACTION, ACTION_RELOAD_KEYSTORE)));
aToolbar.addChild(new BootstrapButton().addChild("Reload truststore").setIcon(EDefaultIcon.REFRESH).setOnClick(aWPEC.getSelfHref().add(CPageParam.PARAM_ACTION, ACTION_RELOAD_TRUSTSTORE)));
if (SMPMetaManager.getSettings().isDirectoryIntegrationEnabled()) {
aToolbar.addChild(new BootstrapButton().addChild("Reload " + sDirectoryName + " configuration").setIcon(EDefaultIcon.REFRESH).setOnClick(aWPEC.getSelfHref().add(CPageParam.PARAM_ACTION, ACTION_RELOAD_DIRECTORY_CONFIGURATION)));
}
aNodeList.addChild(aToolbar);
}
final BootstrapTabBox aTabBox = aNodeList.addAndReturnChild(new BootstrapTabBox());
// SMP Key store
{
final HCNodeList aTab = new HCNodeList();
if (!SMPKeyManager.isKeyStoreValid()) {
aTab.addChild(error(SMPKeyManager.getInitializationError()));
} else {
// Successfully loaded private key
final SMPKeyManager aKeyMgr = SMPKeyManager.getInstance();
final KeyStore aKeyStore = aKeyMgr.getKeyStore();
if (aKeyStore != null) {
try {
int nKeyEntries = 0;
for (final String sAlias : CollectionHelper.newList(aKeyStore.aliases())) {
if (aKeyStore.isKeyEntry(sAlias))
nKeyEntries++;
}
if (nKeyEntries == 0)
aTab.addChild(error("Found no private key entry in the configured key store."));
else if (nKeyEntries > 1)
aTab.addChild(warn("The configured key store contains " + nKeyEntries + " key entries. It is highly recommended to have only the SMP key in the key store to avoid issues with the SML communication."));
} catch (final GeneralSecurityException ex) {
aTab.addChild(error("Error iterating key store.").addChild(SMPCommonUI.getTechnicalDetailsUI(ex)));
}
}
final PrivateKeyEntry aKeyEntry = aKeyMgr.getPrivateKeyEntry();
if (aKeyEntry != null) {
final Certificate[] aChain = aKeyEntry.getCertificateChain();
// Key store path and password are fine
aTab.addChild(success(div("Keystore is located at '" + SMPServerConfiguration.getKeyStorePath() + "' and was successfully loaded.")).addChild(div("The private key with the alias '" + SMPServerConfiguration.getKeyStoreKeyAlias() + "' was successfully loaded.")));
if (aChain.length > 0 && aChain[0] instanceof X509Certificate) {
final X509Certificate aHead = (X509Certificate) aChain[0];
final String sIssuer = aHead.getIssuerX500Principal().getName();
final EPredefinedCert eCert = EPredefinedCert.getFromIssuerOrNull(sIssuer);
if (eCert != null) {
if (eCert.isDeprecated())
aTab.addChild(warn("You are currently using a ").addChild(strong("deprecated")).addChild(" " + eCert.getName() + " certificate!"));
else
aTab.addChild(info("You are currently using a " + eCert.getName() + " certificate!"));
if (aChain.length != eCert.getCertificateTreeLength())
aTab.addChild(error("The private key should be a chain of " + eCert.getCertificateTreeLength() + " certificates but it has " + aChain.length + " certificates. Please ensure that the respective root certificates are contained correctly!"));
}
// else: we don't care
}
final String sAlias = SMPServerConfiguration.getKeyStoreKeyAlias();
final HCOL aOL = new HCOL();
for (final Certificate aCert : aChain) {
if (aCert instanceof X509Certificate) {
final X509Certificate aX509Cert = (X509Certificate) aCert;
final BootstrapTable aCertDetails = SMPCommonUI.createCertificateDetailsTable(sAlias, aX509Cert, aNowLDT, aDisplayLocale);
aOL.addItem(aCertDetails);
} else
aOL.addItem("The certificate is not an X.509 certificate! It is internally a " + ClassHelper.getClassName(aCert));
}
aTab.addChild(aOL);
}
}
aTabBox.addTab("keystore", "Keystore", aTab);
}
// SMP Trust store
{
final HCNodeList aTab = new HCNodeList();
if (!SMPTrustManager.isTrustStoreValid()) {
aTab.addChild(warn(SMPTrustManager.getInitializationError()));
} else {
// Successfully loaded trust store
final SMPTrustManager aTrustMgr = SMPTrustManager.getInstance();
final KeyStore aTrustStore = aTrustMgr.getTrustStore();
// Trust store path and password are fine
aTab.addChild(success(div("Truststore is located at '" + SMPServerConfiguration.getTrustStorePath() + "' and was successfully loaded.")));
final HCOL aOL = new HCOL();
try {
for (final String sAlias : CollectionHelper.newList(aTrustStore.aliases())) {
final Certificate aCert = aTrustStore.getCertificate(sAlias);
if (aCert instanceof X509Certificate) {
final X509Certificate aX509Cert = (X509Certificate) aCert;
final BootstrapTable aCertDetails = SMPCommonUI.createCertificateDetailsTable(sAlias, aX509Cert, aNowLDT, aDisplayLocale);
aOL.addItem(aCertDetails);
} else
aOL.addItem("The certificate is not an X.509 certificate! It is internally a " + ClassHelper.getClassName(aCert));
}
} catch (final GeneralSecurityException ex) {
aOL.addItem(error("Error iterating trust store.").addChild(SMPCommonUI.getTechnicalDetailsUI(ex)));
}
aTab.addChild(aOL);
}
aTabBox.addTab("truststore", "Truststore", aTab);
}
// Peppol Directory client certificate
if (SMPMetaManager.getSettings().isDirectoryIntegrationEnabled()) {
// Directory client keystore
{
final HCNodeList aTab = new HCNodeList();
final LoadedKeyStore aKeyStoreLR = PDClientConfiguration.loadKeyStore();
if (aKeyStoreLR.isFailure()) {
aTab.addChild(error(PeppolKeyStoreHelper.getLoadError(aKeyStoreLR)));
} else {
final String sKeyStorePath = PDClientConfiguration.getKeyStorePath();
final LoadedKey<KeyStore.PrivateKeyEntry> aKeyLoading = PDClientConfiguration.loadPrivateKey(aKeyStoreLR.getKeyStore());
if (aKeyLoading.isFailure()) {
aTab.addChild(success(div("Keystore is located at '" + sKeyStorePath + "' and was successfully loaded.")));
aTab.addChild(error(PeppolKeyStoreHelper.getLoadError(aKeyLoading)));
} else {
// Successfully loaded private key
final String sAlias = PDClientConfiguration.getKeyStoreKeyAlias();
final PrivateKeyEntry aKeyEntry = aKeyLoading.getKeyEntry();
final Certificate[] aChain = aKeyEntry.getCertificateChain();
// Key store path and password are fine
aTab.addChild(success(div("Keystore is located at '" + sKeyStorePath + "' and was successfully loaded.")).addChild(div("The private key with the alias '" + sAlias + "' was successfully loaded.")));
if (aChain.length > 0 && aChain[0] instanceof X509Certificate) {
final X509Certificate aHead = (X509Certificate) aChain[0];
final String sIssuer = aHead.getIssuerX500Principal().getName();
final EPredefinedCert eCert = EPredefinedCert.getFromIssuerOrNull(sIssuer);
if (eCert != null) {
if (eCert.isDeprecated()) {
aTab.addChild(warn("You are currently using a ").addChild(strong("deprecated")).addChild(" " + eCert.getName() + " certificate!"));
} else
aTab.addChild(info("You are currently using a " + eCert.getName() + " certificate!"));
if (aChain.length != eCert.getCertificateTreeLength())
aTab.addChild(error("The private key should be a chain of " + eCert.getCertificateTreeLength() + " certificates but it has " + aChain.length + " certificates. Please ensure that the respective root certificates are contained!"));
}
// else: we don't care
}
final HCOL aUL = new HCOL();
for (final Certificate aCert : aChain) {
if (aCert instanceof X509Certificate) {
final X509Certificate aX509Cert = (X509Certificate) aCert;
final BootstrapTable aCertDetails = SMPCommonUI.createCertificateDetailsTable(sAlias, aX509Cert, aNowLDT, aDisplayLocale);
aUL.addItem(aCertDetails);
} else
aUL.addItem("The certificate is not an X.509 certificate! It is internally a " + ClassHelper.getClassName(aCert));
}
aTab.addChild(aUL);
}
}
aTabBox.addTab("pdkeystore", sDirectoryName + " Keystore", aTab);
}
// Directory client truststore
{
final HCNodeList aTab = new HCNodeList();
final LoadedKeyStore aTrustStoreLR = PDClientConfiguration.loadTrustStore();
if (aTrustStoreLR.isFailure()) {
aTab.addChild(error(PeppolKeyStoreHelper.getLoadError(aTrustStoreLR)));
} else {
// Successfully loaded trust store
final String sTrustStorePath = PDClientConfiguration.getTrustStorePath();
final KeyStore aTrustStore = aTrustStoreLR.getKeyStore();
// Trust store path and password are fine
aTab.addChild(success(div("Truststore is located at '" + sTrustStorePath + "' and was successfully loaded.")));
final HCOL aOL = new HCOL();
try {
for (final String sAlias : CollectionHelper.newList(aTrustStore.aliases())) {
final Certificate aCert = aTrustStore.getCertificate(sAlias);
if (aCert instanceof X509Certificate) {
final X509Certificate aX509Cert = (X509Certificate) aCert;
final BootstrapTable aCertDetails = SMPCommonUI.createCertificateDetailsTable(sAlias, aX509Cert, aNowLDT, aDisplayLocale);
aOL.addItem(aCertDetails);
} else
aOL.addItem("The certificate is not an X.509 certificate! It is internally a " + ClassHelper.getClassName(aCert));
}
} catch (final GeneralSecurityException ex) {
aOL.addItem(error("Error iterating trust store.").addChild(SMPCommonUI.getTechnicalDetailsUI(ex)));
}
aTab.addChild(aOL);
}
aTabBox.addTab("pdtruststore", sDirectoryName + " Truststore", aTab);
}
}
}
Aggregations