use of org.openecard.bouncycastle.tls.TlsPSKIdentity in project open-ecard by ecsec.
the class TlsConnectionHandler method setUpClient.
public void setUpClient() throws ConnectionError {
try {
TCTokenType token = tokenRequest.getTCToken();
String cardType = null;
if (handle != null) {
if (handle.getRecognitionInfo() != null) {
cardType = handle.getRecognitionInfo().getCardType();
}
if (cardType == null) {
cardType = tokenRequest.getCardType();
}
}
// eID servers usually have problems with sni, so disable it for them
// TODO: check occasionally if this still holds
boolean doSni = !"http://bsi.bund.de/cif/npa.xml".equals(cardType);
sessionId = token.getSessionIdentifier();
serverAddress = new URL(token.getServerAddress());
String serverHost = serverAddress.getHost();
if (Boolean.valueOf(OpenecardProperties.getProperty("legacy.session"))) {
serverAddress = fixServerAddress(serverAddress, sessionId);
}
// extract connection parameters from endpoint
hostname = serverAddress.getHost();
port = serverAddress.getPort();
if (port == -1) {
port = serverAddress.getDefaultPort();
}
resource = serverAddress.getFile();
resource = resource.isEmpty() ? "/" : resource;
String secProto = token.getPathSecurityProtocol();
// use same channel as demanded in TR-03124 sec. 2.4.3
if (isSameChannel()) {
tlsClient = tokenRequest.getTokenContext().getTlsClient();
if (tlsClient instanceof ClientCertDefaultTlsClient) {
((ClientCertDefaultTlsClient) tlsClient).setEnforceSameSession(true);
}
} else {
// kill open channel in tctoken request, it is not needed anymore
if (tokenRequest.getTokenContext() != null) {
tokenRequest.getTokenContext().closeStream();
}
// determine TLS version to use
ProtocolVersion version = ProtocolVersion.TLSv12;
ProtocolVersion minVersion = ProtocolVersion.TLSv12;
switch(secProto) {
case "urn:ietf:rfc:5246":
// no changes
break;
case "urn:ietf:rfc:4279":
minVersion = ProtocolVersion.TLSv11;
break;
}
// Set up TLS connection
DynamicAuthentication tlsAuth = new DynamicAuthentication(serverHost);
TlsCrypto crypto = new BcTlsCrypto(ReusableSecureRandom.getInstance());
switch(secProto) {
case "urn:ietf:rfc:4279":
{
byte[] psk = token.getPathSecurityParameters().getPSK();
TlsPSKIdentity pskId = new BasicTlsPSKIdentity(sessionId, psk);
tlsClient = new ClientCertPSKTlsClient(crypto, pskId, serverHost, doSni);
tlsClient.setClientVersion(version);
tlsClient.setMinimumVersion(minVersion);
break;
}
case "urn:ietf:rfc:5246":
{
// use a smartcard for client authentication if needed
tlsAuth.setCredentialFactory(makeSmartCardCredential());
tlsClient = new ClientCertDefaultTlsClient(crypto, serverHost, doSni);
tlsClient.setClientVersion(version);
tlsClient.setMinimumVersion(minVersion);
// add PKIX verifier
if (verifyCertificates) {
tlsAuth.addCertificateVerifier(new JavaSecVerifier());
}
break;
}
default:
throw new ConnectionError(UNKNOWN_SEC_PROTOCOL, secProto);
}
// make sure nobody changes the server when the connection gets reestablished
tlsAuth.addCertificateVerifier(new SameCertVerifier());
// save eService certificate for use in EAC
tlsAuth.addCertificateVerifier(new SaveEServiceCertHandler());
// set the authentication class in the tls client
tlsClient.setAuthentication(tlsAuth);
}
} catch (MalformedURLException ex) {
throw new ConnectionError(MALFORMED_URL, ex, "ServerAddress");
}
}
Aggregations