Search in sources :

Example 1 with ClientCertPSKTlsClient

use of org.openecard.crypto.tls.ClientCertPSKTlsClient in project open-ecard by ecsec.

the class TlsConnectionHandler method setUpClient.

public void setUpClient() throws ConnectionError {
    try {
        TCTokenType token = tokenRequest.getTCToken();
        String cardType = null;
        if (handle != null) {
            if (handle.getRecognitionInfo() != null) {
                cardType = handle.getRecognitionInfo().getCardType();
            }
            if (cardType == null) {
                cardType = tokenRequest.getCardType();
            }
        }
        // eID servers usually have problems with sni, so disable it for them
        // TODO: check occasionally if this still holds
        boolean doSni = !"http://bsi.bund.de/cif/npa.xml".equals(cardType);
        sessionId = token.getSessionIdentifier();
        serverAddress = new URL(token.getServerAddress());
        String serverHost = serverAddress.getHost();
        if (Boolean.valueOf(OpenecardProperties.getProperty("legacy.session"))) {
            serverAddress = fixServerAddress(serverAddress, sessionId);
        }
        // extract connection parameters from endpoint
        hostname = serverAddress.getHost();
        port = serverAddress.getPort();
        if (port == -1) {
            port = serverAddress.getDefaultPort();
        }
        resource = serverAddress.getFile();
        resource = resource.isEmpty() ? "/" : resource;
        String secProto = token.getPathSecurityProtocol();
        // use same channel as demanded in TR-03124 sec. 2.4.3
        if (isSameChannel()) {
            tlsClient = tokenRequest.getTokenContext().getTlsClient();
            if (tlsClient instanceof ClientCertDefaultTlsClient) {
                ((ClientCertDefaultTlsClient) tlsClient).setEnforceSameSession(true);
            }
        } else {
            // kill open channel in tctoken request, it is not needed anymore
            if (tokenRequest.getTokenContext() != null) {
                tokenRequest.getTokenContext().closeStream();
            }
            // determine TLS version to use
            ProtocolVersion version = ProtocolVersion.TLSv12;
            ProtocolVersion minVersion = ProtocolVersion.TLSv12;
            switch(secProto) {
                case "urn:ietf:rfc:5246":
                    // no changes
                    break;
                case "urn:ietf:rfc:4279":
                    minVersion = ProtocolVersion.TLSv11;
                    break;
            }
            // Set up TLS connection
            DynamicAuthentication tlsAuth = new DynamicAuthentication(serverHost);
            TlsCrypto crypto = new BcTlsCrypto(ReusableSecureRandom.getInstance());
            switch(secProto) {
                case "urn:ietf:rfc:4279":
                    {
                        byte[] psk = token.getPathSecurityParameters().getPSK();
                        TlsPSKIdentity pskId = new BasicTlsPSKIdentity(sessionId, psk);
                        tlsClient = new ClientCertPSKTlsClient(crypto, pskId, serverHost, doSni);
                        tlsClient.setClientVersion(version);
                        tlsClient.setMinimumVersion(minVersion);
                        break;
                    }
                case "urn:ietf:rfc:5246":
                    {
                        // use a smartcard for client authentication if needed
                        tlsAuth.setCredentialFactory(makeSmartCardCredential());
                        tlsClient = new ClientCertDefaultTlsClient(crypto, serverHost, doSni);
                        tlsClient.setClientVersion(version);
                        tlsClient.setMinimumVersion(minVersion);
                        // add PKIX verifier
                        if (verifyCertificates) {
                            tlsAuth.addCertificateVerifier(new JavaSecVerifier());
                        }
                        break;
                    }
                default:
                    throw new ConnectionError(UNKNOWN_SEC_PROTOCOL, secProto);
            }
            // make sure nobody changes the server when the connection gets reestablished
            tlsAuth.addCertificateVerifier(new SameCertVerifier());
            // save eService certificate for use in EAC
            tlsAuth.addCertificateVerifier(new SaveEServiceCertHandler());
            // set the authentication class in the tls client
            tlsClient.setAuthentication(tlsAuth);
        }
    } catch (MalformedURLException ex) {
        throw new ConnectionError(MALFORMED_URL, ex, "ServerAddress");
    }
}
Also used : TCTokenType(generated.TCTokenType) ClientCertPSKTlsClient(org.openecard.crypto.tls.ClientCertPSKTlsClient) MalformedURLException(java.net.MalformedURLException) ClientCertDefaultTlsClient(org.openecard.crypto.tls.ClientCertDefaultTlsClient) BcTlsCrypto(org.openecard.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto) ProtocolVersion(org.openecard.bouncycastle.tls.ProtocolVersion) URL(java.net.URL) TlsCrypto(org.openecard.bouncycastle.tls.crypto.TlsCrypto) BcTlsCrypto(org.openecard.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto) BasicTlsPSKIdentity(org.openecard.bouncycastle.tls.BasicTlsPSKIdentity) SameCertVerifier(org.openecard.crypto.tls.verify.SameCertVerifier) TlsPSKIdentity(org.openecard.bouncycastle.tls.TlsPSKIdentity) BasicTlsPSKIdentity(org.openecard.bouncycastle.tls.BasicTlsPSKIdentity) DynamicAuthentication(org.openecard.crypto.tls.auth.DynamicAuthentication) JavaSecVerifier(org.openecard.crypto.tls.verify.JavaSecVerifier)

Aggregations

TCTokenType (generated.TCTokenType)1 MalformedURLException (java.net.MalformedURLException)1 URL (java.net.URL)1 BasicTlsPSKIdentity (org.openecard.bouncycastle.tls.BasicTlsPSKIdentity)1 ProtocolVersion (org.openecard.bouncycastle.tls.ProtocolVersion)1 TlsPSKIdentity (org.openecard.bouncycastle.tls.TlsPSKIdentity)1 TlsCrypto (org.openecard.bouncycastle.tls.crypto.TlsCrypto)1 BcTlsCrypto (org.openecard.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto)1 ClientCertDefaultTlsClient (org.openecard.crypto.tls.ClientCertDefaultTlsClient)1 ClientCertPSKTlsClient (org.openecard.crypto.tls.ClientCertPSKTlsClient)1 DynamicAuthentication (org.openecard.crypto.tls.auth.DynamicAuthentication)1 JavaSecVerifier (org.openecard.crypto.tls.verify.JavaSecVerifier)1 SameCertVerifier (org.openecard.crypto.tls.verify.SameCertVerifier)1