Example 1 with DynamicContext
use of org.openecard.common.DynamicContext in project open-ecard by ecsec.
the class PACEStep method perform.
@Override
public DIDAuthenticateResponse perform(DIDAuthenticate request, Map<String, Object> internalData) {
// get context to save values in
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
DIDAuthenticate didAuthenticate = request;
DIDAuthenticateResponse response = new DIDAuthenticateResponse();
ConnectionHandleType conHandle = (ConnectionHandleType) dynCtx.get(TR03112Keys.CONNECTION_HANDLE);
try {
ObjectSchemaValidator valid = (ObjectSchemaValidator) dynCtx.getPromise(EACProtocol.SCHEMA_VALIDATOR).deref();
boolean messageValid = valid.validateObject(request);
if (!messageValid) {
String msg = "Validation of the EAC1InputType message failed.";
LOG.error(msg);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, msg));
return response;
}
} catch (ObjectValidatorException ex) {
String msg = "Validation of the EAC1InputType message failed due to invalid input data.";
LOG.error(msg, ex);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg));
return response;
} catch (InterruptedException ex) {
String msg = "Thread interrupted while waiting for schema validator instance.";
LOG.error(msg, ex);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg));
return response;
}
if (!ByteUtils.compare(conHandle.getSlotHandle(), didAuthenticate.getConnectionHandle().getSlotHandle())) {
String msg = "Invalid connection handle given in DIDAuthenticate message.";
Result r = WSHelper.makeResultError(ECardConstants.Minor.SAL.UNKNOWN_HANDLE, msg);
response.setResult(r);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
return response;
}
byte[] slotHandle = conHandle.getSlotHandle();
dynCtx.put(EACProtocol.SLOT_HANDLE, slotHandle);
dynCtx.put(EACProtocol.DISPATCHER, dispatcher);
try {
EAC1InputType eac1Input = new EAC1InputType(didAuthenticate.getAuthenticationProtocolData());
EAC1OutputType eac1Output = eac1Input.getOutputType();
AuthenticatedAuxiliaryData aad = new AuthenticatedAuxiliaryData(eac1Input.getAuthenticatedAuxiliaryData());
byte pinID = PasswordID.valueOf(didAuthenticate.getDIDName()).getByte();
final String passwordType = PasswordID.parse(pinID).getString();
// determine PACE capabilities of the terminal
boolean nativePace = genericPACESupport(conHandle);
dynCtx.put(EACProtocol.IS_NATIVE_PACE, nativePace);
// Certificate chain
CardVerifiableCertificateChain certChain = new CardVerifiableCertificateChain(eac1Input.getCertificates());
byte[] rawCertificateDescription = eac1Input.getCertificateDescription();
CertificateDescription certDescription = CertificateDescription.getInstance(rawCertificateDescription);
// put CertificateDescription into DynamicContext which is needed for later checks
dynCtx.put(TR03112Keys.ESERVICE_CERTIFICATE_DESC, certDescription);
// according to BSI-INSTANCE_KEY-7 we MUST perform some checks immediately after receiving the eService cert
Result activationChecksResult = performChecks(certDescription, dynCtx);
if (!ECardConstants.Major.OK.equals(activationChecksResult.getResultMajor())) {
response.setResult(activationChecksResult);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
return response;
}
CHAT requiredCHAT = new CHAT(eac1Input.getRequiredCHAT());
CHAT optionalCHAT = new CHAT(eac1Input.getOptionalCHAT());
// get the PACEMarker
CardStateEntry cardState = (CardStateEntry) internalData.get(EACConstants.IDATA_CARD_STATE_ENTRY);
PACEMarkerType paceMarker = getPaceMarker(cardState, passwordType);
dynCtx.put(EACProtocol.PACE_MARKER, paceMarker);
// Verify that the certificate description matches the terminal certificate
CardVerifiableCertificate taCert = certChain.getTerminalCertificate();
CardVerifiableCertificateVerifier.verify(taCert, certDescription);
// Verify that the required CHAT matches the terminal certificate's CHAT
CHAT taCHAT = taCert.getCHAT();
// an other role.
if (taCHAT.getRole() != CHAT.Role.AUTHENTICATION_TERMINAL) {
String msg = "Unsupported terminal type in Terminal Certificate referenced. Refernced terminal type is " + taCHAT.getRole().toString() + ".";
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, msg));
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
return response;
}
CHATVerifier.verfiy(taCHAT, requiredCHAT);
// remove overlapping values from optional chat
optionalCHAT.restrictAccessRights(taCHAT);
// Prepare data in DIDAuthenticate for GUI
final EACData eacData = new EACData();
eacData.didRequest = didAuthenticate;
eacData.certificate = certChain.getTerminalCertificate();
eacData.certificateDescription = certDescription;
eacData.rawCertificateDescription = rawCertificateDescription;
eacData.transactionInfo = eac1Input.getTransactionInfo();
eacData.requiredCHAT = requiredCHAT;
eacData.optionalCHAT = optionalCHAT;
eacData.selectedCHAT = requiredCHAT;
eacData.aad = aad;
eacData.pinID = pinID;
eacData.passwordType = passwordType;
dynCtx.put(EACProtocol.EAC_DATA, eacData);
// get initial pin status
InputAPDUInfoType input = new InputAPDUInfoType();
input.setInputAPDU(new byte[] { (byte) 0x00, (byte) 0x22, (byte) 0xC1, (byte) 0xA4, (byte) 0x0F, (byte) 0x80, (byte) 0x0A, (byte) 0x04, (byte) 0x00, (byte) 0x7F, (byte) 0x00, (byte) 0x07, (byte) 0x02, (byte) 0x02, (byte) 0x04, (byte) 0x02, (byte) 0x02, (byte) 0x83, (byte) 0x01, (byte) 0x03 });
input.getAcceptableStatusCode().addAll(EacPinStatus.getCodes());
Transmit transmit = new Transmit();
transmit.setSlotHandle(slotHandle);
transmit.getInputAPDUInfo().add(input);
TransmitResponse pinCheckResponse = (TransmitResponse) dispatcher.safeDeliver(transmit);
WSHelper.checkResult(pinCheckResponse);
byte[] output = pinCheckResponse.getOutputAPDU().get(0);
CardResponseAPDU outputApdu = new CardResponseAPDU(output);
byte[] status = outputApdu.getStatusBytes();
dynCtx.put(EACProtocol.PIN_STATUS, EacPinStatus.fromCode(status));
// define GUI depending on the PIN status
final UserConsentDescription uc = new UserConsentDescription(LANG.translationForKey(TITLE));
final CardMonitor cardMon;
uc.setDialogType("EAC");
// create GUI and init executor
cardMon = new CardMonitor();
CardRemovedFilter filter = new CardRemovedFilter(conHandle.getIFDName(), conHandle.getSlotIndex());
eventDispatcher.add(cardMon, filter);
CVCStep cvcStep = new CVCStep(eacData);
cvcStep.setBackgroundTask(cardMon);
CVCStepAction cvcStepAction = new CVCStepAction(cvcStep);
cvcStep.setAction(cvcStepAction);
uc.getSteps().add(cvcStep);
uc.getSteps().add(CHATStep.createDummy());
uc.getSteps().add(PINStep.createDummy(passwordType));
ProcessingStep procStep = new ProcessingStep();
ProcessingStepAction procStepAction = new ProcessingStepAction(procStep);
procStep.setAction(procStepAction);
uc.getSteps().add(procStep);
Thread guiThread = new Thread(new Runnable() {
@Override
public void run() {
try {
// get context here because it is thread local
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
if (!uc.getSteps().isEmpty()) {
UserConsentNavigator navigator = gui.obtainNavigator(uc);
dynCtx.put(TR03112Keys.OPEN_USER_CONSENT_NAVIGATOR, navigator);
ExecutionEngine exec = new ExecutionEngine(navigator);
ResultStatus guiResult = exec.process();
dynCtx.put(EACProtocol.GUI_RESULT, guiResult);
if (guiResult == ResultStatus.CANCEL) {
Promise<Object> pPaceSuccessful = dynCtx.getPromise(EACProtocol.PACE_EXCEPTION);
if (!pPaceSuccessful.isDelivered()) {
pPaceSuccessful.deliver(WSHelper.createException(WSHelper.makeResultError(ECardConstants.Minor.SAL.CANCELLATION_BY_USER, "User canceled the PACE dialog.")));
}
}
}
} finally {
if (cardMon != null) {
eventDispatcher.del(cardMon);
}
}
}
}, "EAC-GUI");
guiThread.start();
// wait for PACE to finish
Promise<Object> pPaceException = dynCtx.getPromise(EACProtocol.PACE_EXCEPTION);
Object pPaceError = pPaceException.deref();
if (pPaceError != null) {
if (pPaceError instanceof WSHelper.WSException) {
response.setResult(((WSHelper.WSException) pPaceError).getResult());
return response;
} else if (pPaceError instanceof DispatcherException | pPaceError instanceof InvocationTargetException) {
String msg = "Internal error while PACE authentication.";
Result r = WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg);
response.setResult(r);
return response;
} else {
String msg = "Unknown error while PACE authentication.";
Result r = WSHelper.makeResultError(ECardConstants.Minor.App.UNKNOWN_ERROR, msg);
response.setResult(r);
return response;
}
}
// get challenge from card
TerminalAuthentication ta = new TerminalAuthentication(dispatcher, slotHandle);
byte[] challenge = ta.getChallenge();
// prepare DIDAuthenticationResponse
DIDAuthenticationDataType data = eacData.paceResponse.getAuthenticationProtocolData();
AuthDataMap paceOutputMap = new AuthDataMap(data);
// int retryCounter = Integer.valueOf(paceOutputMap.getContentAsString(PACEOutputType.RETRY_COUNTER));
byte[] efCardAccess = paceOutputMap.getContentAsBytes(PACEOutputType.EF_CARD_ACCESS);
byte[] currentCAR = paceOutputMap.getContentAsBytes(PACEOutputType.CURRENT_CAR);
byte[] previousCAR = paceOutputMap.getContentAsBytes(PACEOutputType.PREVIOUS_CAR);
byte[] idpicc = paceOutputMap.getContentAsBytes(PACEOutputType.ID_PICC);
// Store SecurityInfos
SecurityInfos securityInfos = SecurityInfos.getInstance(efCardAccess);
internalData.put(EACConstants.IDATA_SECURITY_INFOS, securityInfos);
// Store additional data
internalData.put(EACConstants.IDATA_AUTHENTICATED_AUXILIARY_DATA, aad);
internalData.put(EACConstants.IDATA_CERTIFICATES, certChain);
internalData.put(EACConstants.IDATA_CURRENT_CAR, currentCAR);
internalData.put(EACConstants.IDATA_PREVIOUS_CAR, previousCAR);
internalData.put(EACConstants.IDATA_CHALLENGE, challenge);
// Create response
// eac1Output.setRetryCounter(retryCounter);
eac1Output.setCHAT(eacData.selectedCHAT.toByteArray());
eac1Output.setCurrentCAR(currentCAR);
eac1Output.setPreviousCAR(previousCAR);
eac1Output.setEFCardAccess(efCardAccess);
eac1Output.setIDPICC(idpicc);
eac1Output.setChallenge(challenge);
response.setResult(WSHelper.makeResultOK());
response.setAuthenticationProtocolData(eac1Output.getAuthDataType());
} catch (CertificateException ex) {
LOG.error(ex.getMessage(), ex);
String msg = ex.getMessage();
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.SAL.EAC.DOC_VALID_FAILED, msg));
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
} catch (WSHelper.WSException e) {
LOG.error(e.getMessage(), e);
response.setResult(e.getResult());
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
} catch (ElementParsingException ex) {
LOG.error(ex.getMessage(), ex);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, ex.getMessage()));
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
} catch (Exception e) {
LOG.error(e.getMessage(), e);
response.setResult(WSHelper.makeResultUnknownError(e.getMessage()));
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
}
return response;
}
Also used :
ConnectionHandleType(iso.std.iso_iec._24727.tech.schema.ConnectionHandleType)
PACEMarkerType(org.openecard.sal.protocol.eac.anytype.PACEMarkerType)
ProcessingStepAction(org.openecard.sal.protocol.eac.gui.ProcessingStepAction)
CertificateException(java.security.cert.CertificateException)
CardMonitor(org.openecard.sal.protocol.eac.gui.CardMonitor)
UserConsentNavigator(org.openecard.gui.UserConsentNavigator)
Result(oasis.names.tc.dss._1_0.core.schema.Result)
ObjectValidatorException(org.openecard.common.interfaces.ObjectValidatorException)
ObjectSchemaValidator(org.openecard.common.interfaces.ObjectSchemaValidator)
UserConsentDescription(org.openecard.gui.definition.UserConsentDescription)
DispatcherException(org.openecard.common.interfaces.DispatcherException)
DIDAuthenticationDataType(iso.std.iso_iec._24727.tech.schema.DIDAuthenticationDataType)
InvocationTargetException(java.lang.reflect.InvocationTargetException)
Promise(org.openecard.common.util.Promise)
ExecutionEngine(org.openecard.gui.executor.ExecutionEngine)
AuthenticatedAuxiliaryData(org.openecard.crypto.common.asn1.eac.AuthenticatedAuxiliaryData)
CardVerifiableCertificate(org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificate)
AuthDataMap(org.openecard.common.anytype.AuthDataMap)
CVCStepAction(org.openecard.sal.protocol.eac.gui.CVCStepAction)
DynamicContext(org.openecard.common.DynamicContext)
CardRemovedFilter(org.openecard.sal.protocol.eac.gui.CardRemovedFilter)
CardStateEntry(org.openecard.common.sal.state.CardStateEntry)
CVCStep(org.openecard.sal.protocol.eac.gui.CVCStep)
CHAT(org.openecard.crypto.common.asn1.cvc.CHAT)
InputAPDUInfoType(iso.std.iso_iec._24727.tech.schema.InputAPDUInfoType)
ElementParsingException(org.openecard.sal.protocol.eac.anytype.ElementParsingException)
EAC1OutputType(org.openecard.sal.protocol.eac.anytype.EAC1OutputType)
CardResponseAPDU(org.openecard.common.apdu.common.CardResponseAPDU)
CardVerifiableCertificateChain(org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificateChain)
EAC1InputType(org.openecard.sal.protocol.eac.anytype.EAC1InputType)
WSHelper(org.openecard.common.WSHelper)
DIDAuthenticate(iso.std.iso_iec._24727.tech.schema.DIDAuthenticate)
Transmit(iso.std.iso_iec._24727.tech.schema.Transmit)
ResultStatus(org.openecard.gui.ResultStatus)
SecurityInfos(org.openecard.crypto.common.asn1.eac.SecurityInfos)
CertificateDescription(org.openecard.crypto.common.asn1.cvc.CertificateDescription)
ProcessingStep(org.openecard.sal.protocol.eac.gui.ProcessingStep)
DispatcherException(org.openecard.common.interfaces.DispatcherException)
ObjectValidatorException(org.openecard.common.interfaces.ObjectValidatorException)
InvocationTargetException(java.lang.reflect.InvocationTargetException)
ElementParsingException(org.openecard.sal.protocol.eac.anytype.ElementParsingException)
MalformedURLException(java.net.MalformedURLException)
CertificateException(java.security.cert.CertificateException)
DIDAuthenticateResponse(iso.std.iso_iec._24727.tech.schema.DIDAuthenticateResponse)
TransmitResponse(iso.std.iso_iec._24727.tech.schema.TransmitResponse)
Example 2 with DynamicContext
use of org.openecard.common.DynamicContext in project open-ecard by ecsec.
the class TerminalAuthenticationStep method perform.
@Override
public DIDAuthenticateResponse perform(DIDAuthenticate didAuthenticate, Map<String, Object> internalData) {
DIDAuthenticateResponse response = new DIDAuthenticateResponse();
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
try {
ObjectSchemaValidator valid = (ObjectSchemaValidator) dynCtx.getPromise(EACProtocol.SCHEMA_VALIDATOR).deref();
boolean messageValid = valid.validateObject(didAuthenticate);
if (!messageValid) {
String msg = "Validation of the EAC2InputType message failed.";
logger.error(msg);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, msg));
return response;
}
} catch (ObjectValidatorException ex) {
String msg = "Validation of the EAC2InputType message failed due to invalid input data.";
logger.error(msg, ex);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg));
return response;
} catch (InterruptedException ex) {
String msg = "Thread interrupted while waiting for schema validator instance.";
logger.error(msg, ex);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg));
return response;
}
byte[] slotHandle = didAuthenticate.getConnectionHandle().getSlotHandle();
try {
EAC2InputType eac2Input = new EAC2InputType(didAuthenticate.getAuthenticationProtocolData());
EAC2OutputType eac2Output = eac2Input.getOutputType();
TerminalAuthentication ta = new TerminalAuthentication(dispatcher, slotHandle);
// Build certificate chain
CardVerifiableCertificateChain certificateChain;
certificateChain = (CardVerifiableCertificateChain) internalData.get(EACConstants.IDATA_CERTIFICATES);
certificateChain.addCertificates(eac2Input.getCertificates());
byte[] currentCAR = (byte[]) internalData.get(EACConstants.IDATA_CURRENT_CAR);
byte[] previousCAR = (byte[]) internalData.get(EACConstants.IDATA_PREVIOUS_CAR);
CardVerifiableCertificateChain tmpChain = certificateChain.getCertificateChainFromCAR(currentCAR);
// try again with previous car if it didn't work
if (tmpChain.getCertificates().isEmpty() && previousCAR != null) {
tmpChain = certificateChain.getCertificateChainFromCAR(previousCAR);
}
certificateChain = tmpChain;
if (certificateChain.getCertificates().isEmpty()) {
String msg = "Failed to create a valid certificate chain from the transmitted certificates.";
logger.error(msg);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, msg));
return response;
}
// TA: Step 1 - Verify certificates
ta.verifyCertificates(certificateChain);
// save values for later use
CardVerifiableCertificate terminalCertificate = certificateChain.getTerminalCertificate();
byte[] key = eac2Input.getEphemeralPublicKey();
byte[] signature = eac2Input.getSignature();
internalData.put(EACConstants.IDATA_PK_PCD, key);
internalData.put(EACConstants.IDATA_SIGNATURE, signature);
internalData.put(EACConstants.IDATA_TERMINAL_CERTIFICATE, terminalCertificate);
if (signature != null) {
logger.trace("Signature has been provided in EAC2InputType.");
// perform TA and CA authentication
ChipAuthentication ca = new ChipAuthentication(dispatcher, slotHandle);
AuthenticationHelper auth = new AuthenticationHelper(ta, ca);
eac2Output = auth.performAuth(eac2Output, internalData);
// no third step needed, notify GUI
DynamicContext ctx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
ctx.put(EACProtocol.AUTHENTICATION_DONE, true);
} else {
logger.trace("Signature has not been provided in EAC2InputType.");
// send challenge again
byte[] rPICC = (byte[]) internalData.get(EACConstants.IDATA_CHALLENGE);
eac2Output.setChallenge(rPICC);
}
response.setResult(WSHelper.makeResultOK());
response.setAuthenticationProtocolData(eac2Output.getAuthDataType());
} catch (Exception e) {
logger.error(e.getMessage(), e);
response.setResult(WSHelper.makeResultUnknownError(e.getMessage()));
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
}
Promise<Object> p = (Promise<Object>) dynCtx.getPromise(TR03112Keys.PROCESSING_CANCELLATION);
if (p.derefNonblocking() == null) {
return response;
} else {
response = new DIDAuthenticateResponse();
String msg = "Authentication Canceled by the user.";
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.SAL.CANCELLATION_BY_USER, msg));
return response;
}
}
Also used :
ObjectValidatorException(org.openecard.common.interfaces.ObjectValidatorException)
Promise(org.openecard.common.util.Promise)
DIDAuthenticateResponse(iso.std.iso_iec._24727.tech.schema.DIDAuthenticateResponse)
ObjectValidatorException(org.openecard.common.interfaces.ObjectValidatorException)
EAC2InputType(org.openecard.sal.protocol.eac.anytype.EAC2InputType)
CardVerifiableCertificate(org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificate)
ObjectSchemaValidator(org.openecard.common.interfaces.ObjectSchemaValidator)
CardVerifiableCertificateChain(org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificateChain)
DynamicContext(org.openecard.common.DynamicContext)
EAC2OutputType(org.openecard.sal.protocol.eac.anytype.EAC2OutputType)
Example 3 with DynamicContext
use of org.openecard.common.DynamicContext in project open-ecard by ecsec.
the class ResourceContext method getStreamInt.
private static ResourceContext getStreamInt(URL url, CertificateValidator v, List<Pair<URL, TlsServerCertificate>> serverCerts, int maxRedirects) throws IOException, ResourceException, ValidationError, InvalidAddressException {
try {
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
CookieManager cManager = (CookieManager) dynCtx.get(TR03112Keys.COOKIE_MANAGER);
LOG.info("Trying to load resource from: {}", url);
if (maxRedirects == 0) {
throw new ResourceException(MAX_REDIRECTS);
}
maxRedirects--;
String protocol = url.getProtocol();
String hostname = url.getHost();
int port = url.getPort();
if (port == -1) {
port = url.getDefaultPort();
}
String resource = url.getFile();
resource = resource.isEmpty() ? "/" : resource;
if (!"https".equals(protocol)) {
throw new InvalidAddressException(INVALID_ADDRESS);
}
// open a TLS connection, retrieve the server certificate and save it
TlsClientProtocol h;
DynamicAuthentication tlsAuth = new DynamicAuthentication(hostname);
// add PKIX validator if not doin nPA auth
if (isPKIXVerify()) {
tlsAuth.addCertificateVerifier(new JavaSecVerifier());
}
// FIXME: validate certificate chain as soon as a usable solution exists for the trust problem
// tlsAuth.setCertificateVerifier(new JavaSecVerifier());
TlsCrypto crypto = new BcTlsCrypto(ReusableSecureRandom.getInstance());
ClientCertTlsClient tlsClient = new ClientCertDefaultTlsClient(crypto, hostname, true);
tlsClient.setAuthentication(tlsAuth);
// connect tls client
tlsClient.setClientVersion(ProtocolVersion.TLSv12);
Socket socket = ProxySettings.getDefault().getSocket(protocol, hostname, port);
h = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream());
LOG.debug("Performing TLS handshake.");
h.connect(tlsClient);
LOG.debug("TLS handshake performed.");
serverCerts.add(new Pair<>(url, tlsAuth.getServerCertificate()));
// check result
CertificateValidator.VerifierResult verifyResult = v.validate(url, tlsAuth.getServerCertificate());
if (verifyResult == CertificateValidator.VerifierResult.FINISH) {
List<Pair<URL, TlsServerCertificate>> pairs = Collections.unmodifiableList(serverCerts);
return new ResourceContext(tlsClient, h, pairs);
}
StreamHttpClientConnection conn = new StreamHttpClientConnection(h.getInputStream(), h.getOutputStream());
HttpContext ctx = new BasicHttpContext();
HttpRequestExecutor httpexecutor = new HttpRequestExecutor();
BasicHttpEntityEnclosingRequest req = new BasicHttpEntityEnclosingRequest("GET", resource);
HttpRequestHelper.setDefaultHeader(req, url);
req.setHeader("Accept", "text/xml, */*;q=0.8");
req.setHeader("Accept-Charset", "utf-8, *;q=0.8");
setCookieHeader(req, cManager, url);
HttpUtils.dumpHttpRequest(LOG, req);
LOG.debug("Sending HTTP request.");
HttpResponse response = httpexecutor.execute(req, conn, ctx);
storeCookies(response, cManager, url);
LOG.debug("HTTP response received.");
StatusLine status = response.getStatusLine();
int statusCode = status.getStatusCode();
String reason = status.getReasonPhrase();
HttpUtils.dumpHttpResponse(LOG, response, null);
HttpEntity entity = null;
boolean finished = false;
if (TR03112Utils.isRedirectStatusCode(statusCode)) {
Header[] headers = response.getHeaders("Location");
if (headers.length > 0) {
String uri = headers[0].getValue();
url = new URL(uri);
} else {
// FIXME: refactor exception handling
throw new ResourceException(MISSING_LOCATION_HEADER);
}
} else if (statusCode >= 400) {
// according to the HTTP RFC, codes greater than 400 signal errors
LOG.debug("Received a result code {} '{}' from server.", statusCode, reason);
throw new InvalidResultStatus(LANG.translationForKey(INVALID_RESULT_STATUS, statusCode, reason));
} else {
if (verifyResult == CertificateValidator.VerifierResult.CONTINUE) {
throw new InvalidAddressException(INVALID_REFRESH_ADDRESS_NOSOP);
} else {
conn.receiveResponseEntity(response);
entity = response.getEntity();
finished = true;
}
}
// follow next redirect or finish?
if (finished) {
assert (entity != null);
ResourceContext result = new ResourceContext(tlsClient, h, serverCerts);
LimitedInputStream is = new LimitedInputStream(entity.getContent());
result.setStream(is);
return result;
} else {
h.close();
return getStreamInt(url, v, serverCerts, maxRedirects);
}
} catch (URISyntaxException ex) {
throw new IOException(LANG.translationForKey(FAILED_PROXY), ex);
} catch (HttpException ex) {
// don't translate this, it is handled in the ActivationAction
throw new IOException("Invalid HTTP message received.", ex);
}
}
Also used :
HttpRequestExecutor(org.openecard.apache.http.protocol.HttpRequestExecutor)
HttpEntity(org.openecard.apache.http.HttpEntity)
BasicHttpContext(org.openecard.apache.http.protocol.BasicHttpContext)
LimitedInputStream(org.openecard.common.io.LimitedInputStream)
TlsClientProtocol(org.openecard.bouncycastle.tls.TlsClientProtocol)
URISyntaxException(java.net.URISyntaxException)
ClientCertTlsClient(org.openecard.crypto.tls.ClientCertTlsClient)
StreamHttpClientConnection(org.openecard.transport.httpcore.StreamHttpClientConnection)
URL(java.net.URL)
TlsCrypto(org.openecard.bouncycastle.tls.crypto.TlsCrypto)
BcTlsCrypto(org.openecard.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto)
HttpException(org.openecard.apache.http.HttpException)
CookieManager(org.openecard.transport.httpcore.cookies.CookieManager)
JavaSecVerifier(org.openecard.crypto.tls.verify.JavaSecVerifier)
InvalidResultStatus(org.openecard.transport.httpcore.InvalidResultStatus)
Pair(org.openecard.common.util.Pair)
BasicHttpEntityEnclosingRequest(org.openecard.apache.http.message.BasicHttpEntityEnclosingRequest)
BasicHttpContext(org.openecard.apache.http.protocol.BasicHttpContext)
HttpContext(org.openecard.apache.http.protocol.HttpContext)
ClientCertDefaultTlsClient(org.openecard.crypto.tls.ClientCertDefaultTlsClient)
HttpResponse(org.openecard.apache.http.HttpResponse)
BcTlsCrypto(org.openecard.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto)
IOException(java.io.IOException)
StatusLine(org.openecard.apache.http.StatusLine)
Header(org.openecard.apache.http.Header)
DynamicAuthentication(org.openecard.crypto.tls.auth.DynamicAuthentication)
InvalidAddressException(org.openecard.binding.tctoken.ex.InvalidAddressException)
Socket(java.net.Socket)
DynamicContext(org.openecard.common.DynamicContext)
Example 4 with DynamicContext
use of org.openecard.common.DynamicContext in project open-ecard by ecsec.
the class SaveEServiceCertHandler method isValid.
@Override
public void isValid(TlsServerCertificate chain, String hostOrIP) throws CertificateVerificationException {
if (firstCert) {
firstCert = false;
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
dynCtx.put(TR03112Keys.ESERVICE_CERTIFICATE, chain);
}
}
Also used :
DynamicContext(org.openecard.common.DynamicContext)
Example 5 with DynamicContext
use of org.openecard.common.DynamicContext in project open-ecard by ecsec.
the class TCTokenContext method generateTCToken.
private static TCTokenContext generateTCToken(String data, ResourceContext base) throws InvalidTCTokenException, AuthServerException, InvalidRedirectUrlException, InvalidTCTokenElement, InvalidTCTokenUrlException, SecurityViolationException, UserCancellationException {
// correct common TCToken shortcomings
data = TCTokenHacks.fixPathSecurityParameters(data);
LOG.debug("Cleaned up TCToken:\n{}", data);
// Parse the TCToken
TCTokenParser parser = new TCTokenParser();
List<TCToken> tokens = parser.parse(data);
if (tokens.isEmpty()) {
throw new InvalidTCTokenException(NO_TCTOKEN_IN_DATA);
}
// Verify the TCToken
TCToken token = tokens.get(0);
TCTokenVerifier ver = new TCTokenVerifier(token, base);
if (ver.isErrorToken()) {
String minor = ResultMinor.CLIENT_ERROR;
throw new AuthServerException(token.getComErrorAddressWithParams(minor), ESERVICE_ERROR);
}
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
List<Pair<URL, TlsServerCertificate>> resultPoints = base.getCerts();
// probably just for tests
if (!resultPoints.isEmpty()) {
Pair<URL, TlsServerCertificate> last = resultPoints.get(0);
dynCtx.put(TR03112Keys.TCTOKEN_URL, last.p1);
}
ver.verifyUrlToken();
return new TCTokenContext(token, base);
}
Also used :
URL(java.net.URL)
TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate)
InvalidTCTokenException(org.openecard.binding.tctoken.ex.InvalidTCTokenException)
AuthServerException(org.openecard.binding.tctoken.ex.AuthServerException)
DynamicContext(org.openecard.common.DynamicContext)
Pair(org.openecard.common.util.Pair)
Aggregations
DynamicContext (org.openecard.common.DynamicContext)22
URL (java.net.URL)5
MalformedURLException (java.net.MalformedURLException)4
ObjectSchemaValidator (org.openecard.common.interfaces.ObjectSchemaValidator)4
ObjectValidatorException (org.openecard.common.interfaces.ObjectValidatorException)4
Promise (org.openecard.common.util.Promise)4
ConnectionHandleType (iso.std.iso_iec._24727.tech.schema.ConnectionHandleType)3
DIDAuthenticateResponse (iso.std.iso_iec._24727.tech.schema.DIDAuthenticateResponse)3
Pair (org.openecard.common.util.Pair)3
StepActionResult (org.openecard.gui.executor.StepActionResult)3
DIDAuthenticate (iso.std.iso_iec._24727.tech.schema.DIDAuthenticate)2
IOException (java.io.IOException)2
BigInteger (java.math.BigInteger)2
URISyntaxException (java.net.URISyntaxException)2
InvalidAddressException (org.openecard.binding.tctoken.ex.InvalidAddressException)2
UserCancellationException (org.openecard.binding.tctoken.ex.UserCancellationException)2
TlsServerCertificate (org.openecard.bouncycastle.tls.TlsServerCertificate)2
CardVerifiableCertificate (org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificate)2
CardVerifiableCertificateChain (org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificateChain)2
UserConsentNavigator (org.openecard.gui.UserConsentNavigator)2
