Search in sources :

Example 1 with MultiDomainTrustAnchorResolverProvider

use of org.nhindirect.stagent.trust.provider.MultiDomainTrustAnchorResolverProvider in project nhin-d by DirectProject.

the class WSSmtpAgentConfig method buildTrustAnchorResolver.

public void buildTrustAnchorResolver() {
    Provider<TrustAnchorResolver> provider = null;
    Map<String, Collection<X509Certificate>> incomingAnchors = new HashMap<String, Collection<X509Certificate>>();
    Map<String, Collection<X509Certificate>> outgoingAnchors = new HashMap<String, Collection<X509Certificate>>();
    /* 
		 * first determine how anchors are stored... possibilities are LDAP, keystore, and WS
		 * 
		 */
    Setting setting = null;
    String storeType;
    String resolverType;
    try {
        setting = cfService.getSettingByName("AnchorStoreType");
    } catch (Exception e) {
        throw new SmtpAgentException(SmtpAgentError.InvalidConfigurationFormat, "WebService error getting anchor store type: " + e.getMessage(), e);
    }
    if (setting == null || setting.getValue() == null || setting.getValue().isEmpty())
        // default to WS
        storeType = STORE_TYPE_WS;
    else
        storeType = setting.getValue();
    // if the store type is anything other than WS, then we need to get the anchor names so we can look them up in the repository
    if (!storeType.equalsIgnoreCase(STORE_TYPE_WS)) {
        getAnchorsFromNonWS(incomingAnchors, outgoingAnchors, storeType);
    } else {
        // trust bundles are shared objects across domains, so just pull the entire bundle list and associate
        // the anchors in the bundles to the appropriate domains as we go... this will not always be the most efficient
        // algorithm, but it most cases it will be when there are several domains configured (in which case this
        // loading algorithm will be much more efficient)
        final Map<String, TrustBundle> bundleMap = new HashMap<String, TrustBundle>();
        try {
            final TrustBundle[] bundles = cfService.getTrustBundles(true);
            // put the bundles in a Map by name
            if (bundles != null)
                for (TrustBundle bundle : bundles) bundleMap.put(bundle.getBundleName(), bundle);
        } catch (Exception e) {
            throw new SmtpAgentException(SmtpAgentError.InvalidConfigurationFormat, "WebService error getting trust bundles: " + e.getMessage(), e);
        }
        // hit up the web service for each domains anchor
        for (Domain domain : lookedupWSDomains) {
            try {
                final Collection<X509Certificate> incomingAnchorsToAdd = new ArrayList<X509Certificate>();
                final Collection<X509Certificate> outgoingAnchorsToAdd = new ArrayList<X509Certificate>();
                // get the anchors for the domain
                final Anchor[] anchors = cfService.getAnchorsForOwner(domain.getDomainName(), null);
                if (anchors != null) {
                    for (Anchor anchor : anchors) {
                        final X509Certificate anchorToAdd = certFromData(anchor.getData());
                        if (anchor.isIncoming())
                            incomingAnchorsToAdd.add(anchorToAdd);
                        if (anchor.isOutgoing())
                            outgoingAnchorsToAdd.add(anchorToAdd);
                    }
                }
                // check to see if there is a bundle associated to this domain
                final TrustBundleDomainReltn[] domainAssocs = cfService.getTrustBundlesByDomain(domain.getId(), false);
                if (domainAssocs != null) {
                    for (TrustBundleDomainReltn domainAssoc : domainAssocs) {
                        final TrustBundle bundle = bundleMap.get(domainAssoc.getTrustBundle().getBundleName());
                        if (bundle != null && bundle.getTrustBundleAnchors() != null) {
                            for (TrustBundleAnchor anchor : bundle.getTrustBundleAnchors()) {
                                final X509Certificate anchorToAdd = certFromData(anchor.getData());
                                if (domainAssoc.isIncoming())
                                    incomingAnchorsToAdd.add(anchorToAdd);
                                if (domainAssoc.isOutgoing())
                                    outgoingAnchorsToAdd.add(anchorToAdd);
                            }
                        }
                    }
                }
                incomingAnchors.put(domain.getDomainName(), incomingAnchorsToAdd);
                outgoingAnchors.put(domain.getDomainName(), outgoingAnchorsToAdd);
            } catch (SmtpAgentException e) {
                // rethrow
                throw e;
            } catch (Exception e) {
                throw new SmtpAgentException(SmtpAgentError.InvalidTrustAnchorSettings, "WebService error getting trust anchors for domain " + domain + ":" + e.getMessage(), e);
            }
        }
    }
    try {
        setting = cfService.getSettingByName("AnchorResolverType");
    } catch (Exception e) {
        throw new SmtpAgentException(SmtpAgentError.InvalidConfigurationFormat, "WebService error getting anchor resolver type: " + e.getMessage(), e);
    }
    if (incomingAnchors.size() == 0 && outgoingAnchors.size() == 0)
        throw new SmtpAgentException(SmtpAgentError.InvalidTrustAnchorSettings, "No trust anchors defined.");
    if (setting == null || setting.getValue() == null || setting.getValue().isEmpty()) {
        // multi domain should be the default... uniform really only makes sense for dev purposes
        resolverType = ANCHOR_RES_TYPE_MULTIDOMAIN;
    } else
        resolverType = setting.getValue();
    if (resolverType.equalsIgnoreCase(ANCHOR_RES_TYPE_UNIFORM)) {
        // the same... just get the first collection in the incoming map
        if (incomingAnchors.size() > 0)
            provider = new UniformTrustAnchorResolverProvider(incomingAnchors.values().iterator().next());
        else
            provider = new UniformTrustAnchorResolverProvider(outgoingAnchors.values().iterator().next());
    } else if (resolverType.equalsIgnoreCase(ANCHOR_RES_TYPE_MULTIDOMAIN)) {
        provider = new MultiDomainTrustAnchorResolverProvider(incomingAnchors, outgoingAnchors);
    } else {
        throw new SmtpAgentException(SmtpAgentError.InvalidTrustAnchorSettings);
    }
    certAnchorModule = TrustAnchorModule.create(provider);
}
Also used : SmtpAgentException(org.nhindirect.gateway.smtp.SmtpAgentException) HashMap(java.util.HashMap) Setting(org.nhind.config.Setting) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) AddressException(javax.mail.internet.AddressException) SmtpAgentException(org.nhindirect.gateway.smtp.SmtpAgentException) PolicyParseException(org.nhindirect.policy.PolicyParseException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) TrustBundleDomainReltn(org.nhind.config.TrustBundleDomainReltn) TrustBundleAnchor(org.nhind.config.TrustBundleAnchor) Anchor(org.nhind.config.Anchor) TrustAnchorResolver(org.nhindirect.stagent.trust.TrustAnchorResolver) UniformTrustAnchorResolverProvider(org.nhindirect.stagent.trust.provider.UniformTrustAnchorResolverProvider) Collection(java.util.Collection) TrustBundle(org.nhind.config.TrustBundle) Domain(org.nhind.config.Domain) MultiDomainTrustAnchorResolverProvider(org.nhindirect.stagent.trust.provider.MultiDomainTrustAnchorResolverProvider) TrustBundleAnchor(org.nhind.config.TrustBundleAnchor)

Example 2 with MultiDomainTrustAnchorResolverProvider

use of org.nhindirect.stagent.trust.provider.MultiDomainTrustAnchorResolverProvider in project nhin-d by DirectProject.

the class XMLSmtpAgentConfig method buildTrustAnchorResolver.

/*
	 * Builds the resolver used to find trust anchors.
	 */
protected void buildTrustAnchorResolver(Element anchorStoreNode, Map<String, Collection<String>> incomingAnchorHolder, Map<String, Collection<String>> outgoingAnchorHolder) {
    Provider<TrustAnchorResolver> provider = null;
    String storeType = anchorStoreNode.getAttribute("storeType");
    Map<String, Collection<X509Certificate>> incomingAnchors = new HashMap<String, Collection<X509Certificate>>();
    Map<String, Collection<X509Certificate>> outgoingAnchors = new HashMap<String, Collection<X509Certificate>>();
    /*
		 * anchors are store in a key store
		 */
    if (storeType.equalsIgnoreCase("keystore")) {
        KeyStoreCertificateStore store = new KeyStoreCertificateStore(anchorStoreNode.getAttribute("file"), anchorStoreNode.getAttribute("filePass"), anchorStoreNode.getAttribute("privKeyPass"));
        // get incoming anchors
        for (Entry<String, Collection<String>> entries : incomingAnchorHolder.entrySet()) {
            Collection<X509Certificate> certs = new ArrayList<X509Certificate>();
            for (String alias : entries.getValue()) {
                X509Certificate cert = store.getByAlias(alias);
                if (cert != null) {
                    certs.add(cert);
                }
            }
            incomingAnchors.put(entries.getKey(), certs);
        }
        // get outgoing anchors
        for (Entry<String, Collection<String>> entries : outgoingAnchorHolder.entrySet()) {
            Collection<X509Certificate> certs = new ArrayList<X509Certificate>();
            for (String alias : entries.getValue()) {
                X509Certificate cert = store.getByAlias(alias);
                if (cert != null) {
                    certs.add(cert);
                }
            }
            outgoingAnchors.put(entries.getKey(), certs);
        }
    } else if (storeType.equalsIgnoreCase("ldap")) {
        ldapCertificateStore = (LDAPCertificateStore) buildLdapCertificateStoreProvider(anchorStoreNode, "LDAPTrustAnchorStore").get();
        // get incoming anchors
        for (Entry<String, Collection<String>> entries : incomingAnchorHolder.entrySet()) {
            Collection<X509Certificate> certs = new ArrayList<X509Certificate>();
            for (String alias : entries.getValue()) {
                //TODO what if 2nd entry has no certs? Fail?
                //each alias could have multiple certificates
                certs.addAll(ldapCertificateStore.getCertificates(alias));
            }
            incomingAnchors.put(entries.getKey(), certs);
        }
        // get outgoing anchors
        for (Entry<String, Collection<String>> entries : outgoingAnchorHolder.entrySet()) {
            Collection<X509Certificate> certs = new ArrayList<X509Certificate>();
            for (String alias : entries.getValue()) {
                certs.addAll(ldapCertificateStore.getCertificates(alias));
            }
            outgoingAnchors.put(entries.getKey(), certs);
        }
    }
    // determine what module to load to inject the trust anchor resolver implementation
    String type = anchorStoreNode.getAttribute("type");
    /*
		 * Uniform trust anchor
		 */
    if (type.equalsIgnoreCase("uniform")) {
        // this is uniform... doesn't really matter what we use for incoming or outgoing because in theory they should be
        // the same... just get the first collection in the incoming map
        provider = new UniformTrustAnchorResolverProvider(incomingAnchors.values().iterator().next());
    } else if (type.equalsIgnoreCase("multidomain")) {
        provider = new MultiDomainTrustAnchorResolverProvider(incomingAnchors, outgoingAnchors);
    } else {
        throw new SmtpAgentException(SmtpAgentError.InvalidTrustAnchorSettings);
    }
    certAnchorModule = TrustAnchorModule.create(provider);
}
Also used : SmtpAgentException(org.nhindirect.gateway.smtp.SmtpAgentException) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) KeyStoreCertificateStore(org.nhindirect.stagent.cert.impl.KeyStoreCertificateStore) Entry(java.util.Map.Entry) TrustAnchorResolver(org.nhindirect.stagent.trust.TrustAnchorResolver) UniformTrustAnchorResolverProvider(org.nhindirect.stagent.trust.provider.UniformTrustAnchorResolverProvider) LDAPCertificateStore(org.nhindirect.stagent.cert.impl.LDAPCertificateStore) Collection(java.util.Collection) MultiDomainTrustAnchorResolverProvider(org.nhindirect.stagent.trust.provider.MultiDomainTrustAnchorResolverProvider)

Example 3 with MultiDomainTrustAnchorResolverProvider

use of org.nhindirect.stagent.trust.provider.MultiDomainTrustAnchorResolverProvider in project nhin-d by DirectProject.

the class RESTSmtpAgentConfig method buildTrustAnchorResolver.

public void buildTrustAnchorResolver() {
    Provider<TrustAnchorResolver> provider = null;
    Map<String, Collection<X509Certificate>> incomingAnchors = new HashMap<String, Collection<X509Certificate>>();
    Map<String, Collection<X509Certificate>> outgoingAnchors = new HashMap<String, Collection<X509Certificate>>();
    /* 
		 * first determine how anchors are stored... possibilities are LDAP, keystore, and WS
		 * 
		 */
    Setting setting = null;
    String storeType;
    String resolverType;
    try {
        setting = settingsService.getSetting("AnchorStoreType");
    } catch (Exception e) {
        throw new SmtpAgentException(SmtpAgentError.InvalidConfigurationFormat, "WebService error getting anchor store type: " + e.getMessage(), e);
    }
    if (setting == null || setting.getValue() == null || setting.getValue().isEmpty())
        // default to WS
        storeType = STORE_TYPE_WS;
    else
        storeType = setting.getValue();
    // if the store type is anything other than WS, then we need to get the anchor names so we can look them up in the repository
    if (!storeType.equalsIgnoreCase(STORE_TYPE_WS)) {
        getAnchorsFromNonWS(incomingAnchors, outgoingAnchors, storeType);
    } else {
        // trust bundles are shared objects across domains, so just pull the entire bundle list and associate
        // the anchors in the bundles to the appropriate domains as we go... this will not always be the most efficient
        // algorithm, but it most cases it will be when there are several domains configured (in which case this
        // loading algorithm will be much more efficient)
        final Map<String, TrustBundle> bundleMap = new HashMap<String, TrustBundle>();
        try {
            final Collection<TrustBundle> bundles = trustBundleService.getTrustBundles(true);
            // put the bundles in a Map by name
            if (bundles != null)
                for (TrustBundle bundle : bundles) bundleMap.put(bundle.getBundleName(), bundle);
        } catch (Exception e) {
            throw new SmtpAgentException(SmtpAgentError.InvalidConfigurationFormat, "WebService error getting trust bundles: " + e.getMessage(), e);
        }
        // hit up the web service for each domains anchor
        for (Domain domain : lookedupRESTServiceDomains) {
            try {
                final Collection<X509Certificate> incomingAnchorsToAdd = new ArrayList<X509Certificate>();
                final Collection<X509Certificate> outgoingAnchorsToAdd = new ArrayList<X509Certificate>();
                // get the anchors for the domain
                final Collection<Anchor> anchors = anchorService.getAnchorsForOwner(domain.getDomainName(), false, false, null);
                if (anchors != null) {
                    for (Anchor anchor : anchors) {
                        final X509Certificate anchorToAdd = certFromData(anchor.getCertificateData());
                        if (anchor.isIncoming())
                            incomingAnchorsToAdd.add(anchorToAdd);
                        if (anchor.isOutgoing())
                            outgoingAnchorsToAdd.add(anchorToAdd);
                    }
                }
                // check to see if there is a bundle associated to this domain
                final Collection<TrustBundleDomainReltn> domainAssocs = trustBundleService.getTrustBundlesByDomain(domain.getDomainName(), false);
                if (domainAssocs != null) {
                    for (TrustBundleDomainReltn domainAssoc : domainAssocs) {
                        final TrustBundle bundle = bundleMap.get(domainAssoc.getTrustBundle().getBundleName());
                        if (bundle != null && bundle.getTrustBundleAnchors() != null) {
                            for (TrustBundleAnchor anchor : bundle.getTrustBundleAnchors()) {
                                final X509Certificate anchorToAdd = certFromData(anchor.getAnchorData());
                                if (domainAssoc.isIncoming())
                                    incomingAnchorsToAdd.add(anchorToAdd);
                                if (domainAssoc.isOutgoing())
                                    outgoingAnchorsToAdd.add(anchorToAdd);
                            }
                        }
                    }
                }
                incomingAnchors.put(domain.getDomainName(), incomingAnchorsToAdd);
                outgoingAnchors.put(domain.getDomainName(), outgoingAnchorsToAdd);
            } catch (SmtpAgentException e) {
                // rethrow
                throw e;
            } catch (Exception e) {
                throw new SmtpAgentException(SmtpAgentError.InvalidTrustAnchorSettings, "WebService error getting trust anchors for domain " + domain + ":" + e.getMessage(), e);
            }
        }
    }
    try {
        setting = settingsService.getSetting("AnchorResolverType");
    } catch (Exception e) {
        throw new SmtpAgentException(SmtpAgentError.InvalidConfigurationFormat, "WebService error getting anchor resolver type: " + e.getMessage(), e);
    }
    if (incomingAnchors.size() == 0 && outgoingAnchors.size() == 0)
        throw new SmtpAgentException(SmtpAgentError.InvalidTrustAnchorSettings, "No trust anchors defined.");
    if (setting == null || setting.getValue() == null || setting.getValue().isEmpty()) {
        // multi domain should be the default... uniform really only makes sense for dev purposes
        resolverType = ANCHOR_RES_TYPE_MULTIDOMAIN;
    } else
        resolverType = setting.getValue();
    if (resolverType.equalsIgnoreCase(ANCHOR_RES_TYPE_UNIFORM)) {
        // the same... just get the first collection in the incoming map
        if (incomingAnchors.size() > 0)
            provider = new UniformTrustAnchorResolverProvider(incomingAnchors.values().iterator().next());
        else
            provider = new UniformTrustAnchorResolverProvider(outgoingAnchors.values().iterator().next());
    } else if (resolverType.equalsIgnoreCase(ANCHOR_RES_TYPE_MULTIDOMAIN)) {
        provider = new MultiDomainTrustAnchorResolverProvider(incomingAnchors, outgoingAnchors);
    } else {
        throw new SmtpAgentException(SmtpAgentError.InvalidTrustAnchorSettings);
    }
    certAnchorModule = TrustAnchorModule.create(provider);
}
Also used : SmtpAgentException(org.nhindirect.gateway.smtp.SmtpAgentException) HashMap(java.util.HashMap) Setting(org.nhindirect.config.model.Setting) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) AddressException(javax.mail.internet.AddressException) SmtpAgentException(org.nhindirect.gateway.smtp.SmtpAgentException) PolicyParseException(org.nhindirect.policy.PolicyParseException) TrustBundleDomainReltn(org.nhindirect.config.model.TrustBundleDomainReltn) Anchor(org.nhindirect.config.model.Anchor) TrustBundleAnchor(org.nhindirect.config.model.TrustBundleAnchor) TrustAnchorResolver(org.nhindirect.stagent.trust.TrustAnchorResolver) UniformTrustAnchorResolverProvider(org.nhindirect.stagent.trust.provider.UniformTrustAnchorResolverProvider) Collection(java.util.Collection) TrustBundle(org.nhindirect.config.model.TrustBundle) Domain(org.nhindirect.config.model.Domain) MultiDomainTrustAnchorResolverProvider(org.nhindirect.stagent.trust.provider.MultiDomainTrustAnchorResolverProvider) TrustBundleAnchor(org.nhindirect.config.model.TrustBundleAnchor)

Aggregations

X509Certificate (java.security.cert.X509Certificate)3 ArrayList (java.util.ArrayList)3 Collection (java.util.Collection)3 HashMap (java.util.HashMap)3 SmtpAgentException (org.nhindirect.gateway.smtp.SmtpAgentException)3 TrustAnchorResolver (org.nhindirect.stagent.trust.TrustAnchorResolver)3 MultiDomainTrustAnchorResolverProvider (org.nhindirect.stagent.trust.provider.MultiDomainTrustAnchorResolverProvider)3 UniformTrustAnchorResolverProvider (org.nhindirect.stagent.trust.provider.UniformTrustAnchorResolverProvider)3 AddressException (javax.mail.internet.AddressException)2 PolicyParseException (org.nhindirect.policy.PolicyParseException)2 IOException (java.io.IOException)1 CertificateException (java.security.cert.CertificateException)1 Entry (java.util.Map.Entry)1 Anchor (org.nhind.config.Anchor)1 Domain (org.nhind.config.Domain)1 Setting (org.nhind.config.Setting)1 TrustBundle (org.nhind.config.TrustBundle)1 TrustBundleAnchor (org.nhind.config.TrustBundleAnchor)1 TrustBundleDomainReltn (org.nhind.config.TrustBundleDomainReltn)1 Anchor (org.nhindirect.config.model.Anchor)1