Commit 57de9ef4 authored by michael.simon's avatar michael.simon

Implement CustomKeyManager for SSL client authentication. Cannot test it yet ->

disabled for now
parent 0d6e3a31
......@@ -12,6 +12,10 @@ package edu.kit.scc.webreg.service.saml;
import java.io.IOException;
import java.io.Serializable;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.enterprise.context.ApplicationScoped;
......@@ -43,6 +47,7 @@ import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlMetadataEntity;
import edu.kit.scc.webreg.entity.SamlSpConfigurationEntity;
......@@ -55,6 +60,9 @@ public class AttributeQueryHelper implements Serializable {
private static final long serialVersionUID = 1L;
@Inject
private Logger logger;
@Inject
private SamlHelper samlHelper;
......@@ -76,17 +84,28 @@ public class AttributeQueryHelper implements Serializable {
BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext();
soapContext.setOutboundMessage(envelope);
HttpClientBuilder clientBuilder = new HttpClientBuilder();
BasicX509Credential signingCredential;
X509Certificate x509Cert;
PrivateKey privateKey;
try {
signingCredential = SecurityHelper.getSimpleCredential(
cryptoHelper.getCertificate(spEntity.getCertificate()),
cryptoHelper.getPrivateKey(spEntity.getPrivateKey()));
x509Cert = cryptoHelper.getCertificate(spEntity.getCertificate());
privateKey = cryptoHelper.getPrivateKey(spEntity.getPrivateKey());
signingCredential = SecurityHelper.getSimpleCredential(x509Cert, privateKey);
} catch (IOException e1) {
throw new MetadataException("No signing credential for SP " + spEntity.getEntityId(), e1);
}
HttpClientBuilder clientBuilder = new HttpClientBuilder();
/*
try {
clientBuilder.setHttpsProtocolSocketFactory(new CustomSecureProtocolSocketFactory(x509Cert, privateKey));
} catch (KeyManagementException e) {
logger.info("Cannot spawn CustomSecureProtocolSocketFactory: {}", e.getMessage());
} catch (NoSuchAlgorithmException e) {
logger.info("Cannot spawn CustomSecureProtocolSocketFactory: {}", e.getMessage());
}
*/
Signature signature = (Signature) Configuration.getBuilderFactory()
.getBuilder(Signature.DEFAULT_ELEMENT_NAME)
.buildObject(Signature.DEFAULT_ELEMENT_NAME);
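Review bot: When the commented-out block after `HttpClientBuilder clientBuilder = new HttpClientBuilder();` is re-enabled, a failure to build the client-authenticating socket factory is only logged at INFO via `e.getMessage()` and execution falls through to the signature setup, so the attribute query would silently go out over a default socket factory without TLS client authentication and without the stack trace that explains why. A misconfigured SP key should fail the query the same way a missing signing credential does a few lines above, e.g. `} catch (KeyManagementException e) { throw new MetadataException("Cannot set up TLS client authentication for SP " + spEntity.getEntityId(), e); }` and the same for `NoSuchAlgorithmException` (or a Java 7 multi-catch if the project targets it). If keeping the fallback is deliberate, it should at least be a WARN with the exception passed as the last argument so the cause is not lost. The enclosing method starts before and ends after this hunk.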
......
package edu.kit.scc.webreg.service.saml;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509ExtendedKeyManager;
public class CustomKeyManager extends X509ExtendedKeyManager {
private PrivateKey privateKey;
private X509Certificate cert;
public CustomKeyManager(X509Certificate cert, PrivateKey privateKey) {
super();
this.privateKey = privateKey;
this.cert = cert;
}
@Override
public String chooseClientAlias(String[] keyType, Principal[] issuers,
Socket socket) {
return "RSA";
}
@Override
public String chooseServerAlias(String keyType, Principal[] issuers,
Socket socket) {
return null;
}
@Override
public X509Certificate[] getCertificateChain(String alias) {
return new X509Certificate[] { cert };
}
@Override
public String[] getClientAliases(String keyType, Principal[] issuers) {
return null;
}
@Override
public PrivateKey getPrivateKey(String alias) {
return privateKey;
}
@Override
public String[] getServerAliases(String keyType, Principal[] issuers) {
return null;
}
}
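Review bot: `chooseClientAlias` returns the fixed alias `"RSA"` without looking at `keyType` or `issuers`, so the configured key is offered even when it is not an RSA key or the server did not request RSA, and `getClientAliases` returns `null` while `chooseClientAlias` returns a non-null alias, which is inconsistent for callers that enumerate aliases first. A minimal fix is to pick the alias from the key's own algorithm, `for (String type : keyType) { if (type.equals(privateKey.getAlgorithm())) return type; }` followed by `return null;`, and to return `new String[] { privateKey.getAlgorithm() }` from `getClientAliases`. `getCertificateChain` hands back only the leaf certificate, so if the SP certificate is issued by an intermediate CA the server cannot build the chain unless it already has the intermediate; a class-level Javadoc should state that this manager presents exactly one configured certificate/key pair for every client-auth request and that intermediates are not included. Both fields can be `final`.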
package edu.kit.scc.webreg.service.saml;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
public class CustomSecureProtocolSocketFactory implements SecureProtocolSocketFactory {
private KeyManager keyManager;
private SSLContext sslcontext;
public CustomSecureProtocolSocketFactory(X509Certificate cert, PrivateKey privateKey)
throws NoSuchAlgorithmException, KeyManagementException {
keyManager = new CustomKeyManager(cert, privateKey);
sslcontext = SSLContext.getInstance("SSL");
sslcontext.init(new KeyManager[] { keyManager }, null, null);
}
@Override
public Socket createSocket(String host, int port, InetAddress localAddress,
int localPort) throws IOException, UnknownHostException {
return sslcontext.getSocketFactory().createSocket(
host, port, localAddress, localPort);
}
@Override
public Socket createSocket(String host, int port, InetAddress localAddress,
int localPort, HttpConnectionParams params) throws IOException,
UnknownHostException, ConnectTimeoutException {
return sslcontext.getSocketFactory().createSocket(
host, port, localAddress, localPort);
}
@Override
public Socket createSocket(String host, int port) throws IOException,
UnknownHostException {
return sslcontext.getSocketFactory().createSocket(
host, port);
}
@Override
public Socket createSocket(Socket socket, String host, int port,
boolean autoClose) throws IOException, UnknownHostException {
return sslcontext.getSocketFactory().createSocket(
socket, host, port, autoClose);
}
}
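Review bot: The sockets this factory creates do not verify that the server certificate matches `host`: `sslcontext.init(..., null, null)` only installs the JVM default trust store, and neither the JSSE `SSLSocketFactory` nor the commons-httpclient `SecureProtocolSocketFactory` contract performs hostname verification on its own, so a certificate chaining to any default CA would be accepted for the IdP endpoint. The constructor also requests `SSLContext.getInstance("SSL")`, which on older JVMs can negotiate SSLv3; `"TLS"` is the conservative choice. Since the SP presumably already knows the IdP certificate from SAML metadata, a trust manager pinned to that certificate would be the stronger fix; failing that, on Java 7+ enable endpoint identification on each created socket. Separately, the `createSocket(..., HttpConnectionParams params)` overload ignores `params`, so the configured connection timeout is never applied and a stalled IdP hangs the attribute query indefinitely; the rewrite below applies the timeout and the hostname check.

```java
    private Socket verified(Socket socket) {
        // JSSE only checks the server name against the certificate when asked (Java 7+).
        SSLSocket ssl = (SSLSocket) socket;
        SSLParameters p = ssl.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(p);
        return ssl;
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localAddress,
            int localPort, HttpConnectionParams params) throws IOException,
            UnknownHostException, ConnectTimeoutException {
        if (params == null) {
            throw new IllegalArgumentException("Parameters may not be null");
        }
        int timeout = params.getConnectionTimeout();
        SSLSocketFactory factory = sslcontext.getSocketFactory();
        if (timeout == 0) {
            return verified(factory.createSocket(host, port, localAddress, localPort));
        }
        // Connect with an explicit timeout so an unresponsive IdP cannot block the query forever.
        Socket socket = factory.createSocket();
        socket.bind(new InetSocketAddress(localAddress, localPort));
        socket.connect(new InetSocketAddress(host, port), timeout);
        return verified(socket);
    }
    // … unchanged: the other createSocket overloads, each wrapping its result in verified(...) …
```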