
Example 1 with InvalidTCTokenElement

use of org.openecard.addons.cg.ex.InvalidTCTokenElement in project open-ecard by ecsec.

From class TCTokenVerifier, method verifyRequestToken.

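/**
 * Verifies the elements of the TCToken.
 * <p>
 * The RefreshAddress and ServerAddress are checked first, then the PathSecurity-Protocol is restricted to the two
 * supported values. For the PIN encryption protocol the PathSecurity-Parameters must carry a JWK, which is parsed
 * once here so that a malformed key is rejected before any connection is attempted.
 *
 * @throws InvalidRedirectUrlException Thrown in case the RefreshAddress is missing or invalid.
 * @throws InvalidTCTokenElement Thrown in case any element inside the TCToken is invalid.
 */
public void verifyRequestToken() throws InvalidRedirectUrlException, InvalidTCTokenElement {
    assertRefreshURL(token.getRefreshAddress());
    assertHttpsURL("ServerAddress", token.getServerAddress());
    assertRequired("SessionIdentifier", token.getSessionIdentifier());
    String secProto = token.getPathSecurityProtocol();
    assertRequired("PathSecurity-Protocol", secProto);
    checkEqualOR("PathSecurity-Protocol", secProto, "urn:ietf:rfc:5246", "http://ws.openecard.org/pathsecurity/tlsv12-with-pin-encryption");
    // literal-first comparison: safe even if assertRequired did not reject a null value
    if ("http://ws.openecard.org/pathsecurity/tlsv12-with-pin-encryption".equals(secProto)) {
        assertRequired("PathSecurity-Parameters", token.getPathSecurityParameters());
        assertRequired("JWK", token.getPathSecurityParameters().getJWK());
        try {
            // the parsed key is not kept; parsing only validates the structure of the untrusted JWK
            JsonWebKey.Factory.newJwk(token.getPathSecurityParameters().getJWK());
        } catch (JoseException ex) {
            throw new InvalidTCTokenElement("Failed to parse JWK.", ex);
        }
    }
}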
Also used : JoseException(org.jose4j.lang.JoseException) InvalidTCTokenElement(org.openecard.addons.cg.ex.InvalidTCTokenElement) JsonWebKey(org.jose4j.jwk.JsonWebKey)

Example 2 with InvalidTCTokenElement

use of org.openecard.addons.cg.ex.InvalidTCTokenElement in project open-ecard by ecsec.

From class TCTokenHandler, method processBinding.

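/**
 * Performs the actual ChipGateway procedure.
 * Connects the given card, establishes the HTTP channel and talks to the server. Afterwards disconnects the card.
 * <p>
 * The protocol run is wrapped in a {@link FutureTask} on a dedicated thread; this method blocks in
 * {@code waitForTask} until that thread has finished.
 *
 * @param token The TCToken containing the connection parameters.
 * @return A ChipGatewayResponse carrying the given token.
 * @throws InvalidTCTokenElement If the Binding element of the token is missing or not a supported binding.
 * @throws RedirectionBaseError Propagated from the protocol run (presumably raised inside {@code waitForTask}).
 * @throws InvalidRedirectUrlException Propagated from the protocol run (presumably raised inside
 *   {@code waitForTask}).
 */
private ChipGatewayResponse processBinding(@Nonnull TCToken token) throws InvalidTCTokenElement, RedirectionBaseError, InvalidRedirectUrlException {
    ChipGatewayResponse response = new ChipGatewayResponse();
    response.setToken(token);
    String binding = token.getBinding();
    // a String switch throws NPE on null; report a missing Binding as an invalid element instead
    if (binding == null) {
        throw new InvalidTCTokenElement(ELEMENT_VALUE_INVALID, "Binding");
    }
    switch (binding) {
        case "http://ws.openecard.org/binding/chipgateway": {
            ChipGatewayTask task = new ChipGatewayTask(token, ctx);
            FutureTask<TerminateType> cgTask = new FutureTask<>(task);
            Thread cgThread = new Thread(cgTask, "ChipGateway-" + THREAD_NUM.getAndIncrement());
            cgThread.start();
            // block until the protocol run has finished (or failed)
            waitForTask(token, cgTask, cgThread);
            break;
        }
        default:
            // unknown binding, refuse to process the token
            throw new InvalidTCTokenElement(ELEMENT_VALUE_INVALID, "Binding");
    }
    return response;
}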
Also used : FutureTask(java.util.concurrent.FutureTask) ChipGatewayResponse(org.openecard.addons.cg.impl.ChipGatewayResponse) InvalidTCTokenElement(org.openecard.addons.cg.ex.InvalidTCTokenElement) ChipGatewayTask(org.openecard.addons.cg.impl.ChipGatewayTask)

Example 3 with InvalidTCTokenElement

use of org.openecard.addons.cg.ex.InvalidTCTokenElement in project open-ecard by ecsec.

From class TlsConnectionHandler, method setUpClient.

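/**
 * Prepares the TLS client for the connection to the ChipGateway server described by the TCToken.
 * <p>
 * Extracts host, port and resource from the ServerAddress, selects the TLS client for the PathSecurity-Protocol
 * and installs the certificate verifiers. The server certificate is checked with the PKIX verifier unless
 * validation has been disabled in the ChipGateway properties; in every case a {@link SameCertVerifier} is added
 * so that a reestablished connection can not be redirected to a different server certificate.
 *
 * @throws InvalidTCTokenElement If the ServerAddress is not a valid URL or the PathSecurity-Protocol is missing
 *   or not supported.
 */
public void setUpClient() throws InvalidTCTokenElement {
    try {
        sessionId = token.getSessionIdentifier();
        serverAddress = new URL(token.getServerAddress());
        // extract connection parameters from endpoint
        String serverHost = serverAddress.getHost();
        hostname = serverHost;
        port = serverAddress.getPort();
        if (port == -1) {
            // no explicit port in the URL, fall back to the default of the URL's protocol
            port = serverAddress.getDefaultPort();
        }
        String path = serverAddress.getFile();
        resource = path.isEmpty() ? "/" : path;
        String secProto = token.getPathSecurityProtocol();
        // a String switch throws NPE on null; report a missing protocol as an invalid element instead
        if (secProto == null) {
            throw new InvalidTCTokenElement(ELEMENT_VALUE_INVALID, "PathSecurity-Protocol");
        }
        // both supported protocols use TLS 1.2 exclusively, so the same version settings apply to either case
        ProtocolVersion version = ProtocolVersion.TLSv12;
        ProtocolVersion minVersion = ProtocolVersion.TLSv12;
        // Set up TLS connection
        DynamicAuthentication tlsAuth = new DynamicAuthentication(serverHost);
        switch (secProto) {
            case "urn:ietf:rfc:5246":
            case "http://ws.openecard.org/pathsecurity/tlsv12-with-pin-encryption": {
                // use a smartcard for client authentication if needed
                TlsCrypto crypto = new BcTlsCrypto(ReusableSecureRandom.getInstance());
                tlsClient = new ClientCertDefaultTlsClient(crypto, serverHost, true);
                tlsClient.setClientVersion(version);
                tlsClient.setMinimumVersion(minVersion);
                // add PKIX verifier
                if (ChipGatewayProperties.isValidateServerCert()) {
                    tlsAuth.addCertificateVerifier(new CGJavaSecVerifier());
                } else {
                    LOG.warn("Skipping server certificate validation of the ChipGateway server.");
                }
                break;
            }
            default:
                throw new InvalidTCTokenElement(ELEMENT_VALUE_INVALID, "PathSecurity-Protocol");
        }
        // make sure nobody changes the server when the connection gets reestablished
        tlsAuth.addCertificateVerifier(new SameCertVerifier());
        // set the authentication class in the tls client
        tlsClient.setAuthentication(tlsAuth);
    } catch (MalformedURLException ex) {
        throw new InvalidTCTokenElement(MALFORMED_URL, "ServerAddress");
    }
}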
Also used : MalformedURLException(java.net.MalformedURLException) InvalidTCTokenElement(org.openecard.addons.cg.ex.InvalidTCTokenElement) SameCertVerifier(org.openecard.crypto.tls.verify.SameCertVerifier) ClientCertDefaultTlsClient(org.openecard.crypto.tls.ClientCertDefaultTlsClient) DynamicAuthentication(org.openecard.crypto.tls.auth.DynamicAuthentication) BcTlsCrypto(org.openecard.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto) ProtocolVersion(org.openecard.bouncycastle.tls.ProtocolVersion) URL(java.net.URL) TlsCrypto(org.openecard.bouncycastle.tls.crypto.TlsCrypto) BcTlsCrypto(org.openecard.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto)

Example 4 with InvalidTCTokenElement

use of org.openecard.addons.cg.ex.InvalidTCTokenElement in project open-ecard by ecsec.

From class ActivateCGAction, method execute.

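/**
 * Handles an activation request for the ChipGateway protocol.
 * <p>
 * Builds the TCToken from the request parameters and starts the protocol in a daemon thread, so that the binding
 * can return a redirect immediately. Only one activation runs at a time: a concurrent request is answered with the
 * token's busy address unless it carries the force flag, in which case the running instance is interrupted and
 * joined first. The thread bookkeeping is guarded by {@code MUTEX}.
 *
 * @param body The request body (not evaluated here).
 * @param params The request parameters the TCToken is generated from.
 * @param headers The request headers, used to check the HTTP method.
 * @param att The request attachments (not evaluated here).
 * @return A redirect to the token's OK or busy address, or an error result describing why the request was refused.
 */
@Override
public BindingResult execute(RequestBody body, Map<String, String> params, Headers headers, List<Attachment> att) {
    BindingResult response;
    boolean acquired = false;
    try {
        checkMethod(headers);
        final TCToken token = TCToken.generateToken(params);
        Runnable cgAction = createActivationTask(token);
        // guard thread creation
        MUTEX.acquire();
        acquired = true;
        // NOTE(review): currentTaskThread is also cleared by the task thread itself; cross-thread visibility
        // presumably relies on the field being volatile - confirm in the field declaration
        Thread t = currentTaskThread;
        if (t != null) {
            if (token.isForceProcessing()) {
                LOG.info("Stopping already running ChipGateway Protocol instance.");
                t.interrupt();
                // wait for other task to complete
                t.join();
            } else {
                LOG.info("Another ChipGateway Protocol instance is already running, return status=busy.");
                response = new BindingResult(BindingResultCode.REDIRECT);
                response.getAuxResultData().put(AuxDataKeys.REDIRECT_LOCATION, token.finalizeBusyAddress());
                return response;
            }
        }
        // perform ChipGateway Protocol in background thread, so that we can return directly
        currentTaskThread = new Thread(cgAction);
        currentTaskThread.setDaemon(true);
        currentTaskThread.setName("ChipGateway-Activation-" + THREAD_NUM.getAndIncrement());
        currentTaskThread.start();
        // create redirect
        response = new BindingResult(BindingResultCode.REDIRECT);
        response.getAuxResultData().put(AuxDataKeys.REDIRECT_LOCATION, token.finalizeOkAddress());
    } catch (WrongMethodException ex) {
        LOG.warn(ex.getMessage());
        response = new BindingResult(BindingResultCode.WRONG_PARAMETER);
        response.setResultMessage(ex.getMessage());
    } catch (NoMethodException ex) {
        LOG.error("No method given in headers, maybe wrong binging.", ex);
        response = new BindingResult(BindingResultCode.INTERNAL_ERROR);
        response.setResultMessage(ex.getMessage());
    } catch (InvalidRedirectUrlException | InvalidTCTokenElement ex) {
        LOG.error("Failed to create TCToken.", ex);
        response = ex.getBindingResult();
    } catch (InterruptedException ex) {
        // restore the interrupt flag so the calling thread still sees that it was interrupted
        Thread.currentThread().interrupt();
        LOG.info("ChipGateway activation interrupted.");
        response = new BindingResult(BindingResultCode.INTERNAL_ERROR);
        response.setResultMessage(ex.getMessage());
    } finally {
        if (acquired) {
            MUTEX.release();
        }
    }
    return response;
}

/**
 * Creates the background task that runs the activation for the given token.
 * The task clears {@code currentTaskThread} and the dynamic context when it ends, regardless of the outcome.
 *
 * @param token The TCToken to activate.
 * @return The runnable to execute in the activation thread.
 */
private Runnable createActivationTask(final TCToken token) {
    return new Runnable() {

        @Override
        public void run() {
            try {
                tokenHandler.handleNoCardActivate(token);
                // run a full GC to free some heap memory
                System.gc();
                System.runFinalization();
                System.gc();
            } catch (ThreadTerminateException ex) {
                LOG.debug("Activation task terminated by an interrupt.", ex);
            } catch (RuntimeException ex) {
                LOG.error("Unhandled exception in activation process.", ex);
            } finally {
                currentTaskThread = null;
                // in some cases an error does not lead to a removal of the dynamic context so remove it here
                DynamicContext.remove();
            }
        }
    };
}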
Also used : InvalidRedirectUrlException(org.openecard.addons.cg.ex.InvalidRedirectUrlException) BindingResult(org.openecard.addon.bind.BindingResult) InvalidTCTokenElement(org.openecard.addons.cg.ex.InvalidTCTokenElement) TCToken(org.openecard.addons.cg.tctoken.TCToken) ThreadTerminateException(org.openecard.common.ThreadTerminateException)
