Merge pull request #338 from B3Partners/pki-cert-fix

Gebruik default truststore van de JRE
B3Partners · May 5, 2017 · 36163ca · 36163ca
2 parents 150c24d + 068e6a0
commit 36163ca
Show file tree

Hide file tree

Showing 2 changed files with 99 additions and 24 deletions.
diff --git a/brmo-service/src/main/java/nl/b3p/brmo/service/scanner/GDS2OphalenProces.java b/brmo-service/src/main/java/nl/b3p/brmo/service/scanner/GDS2OphalenProces.java
@@ -11,6 +11,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.FileWriter;
+import java.io.IOException;
 import java.io.InputStream;
 import java.io.PrintWriter;
 import java.io.StringWriter;
@@ -19,8 +20,11 @@
 import java.net.URL;
 import java.net.URLConnection;
 import java.security.KeyFactory;
+import java.security.KeyManagementException;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -41,7 +45,9 @@
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 import javax.persistence.NoResultException;
 import javax.persistence.Transient;
 import javax.xml.datatype.DatatypeConfigurationException;
@@ -57,6 +63,7 @@
 import static nl.b3p.brmo.persistence.staging.AutomatischProces.LOG_NEWLINE;
 import nl.b3p.brmo.persistence.staging.ClobElement;
 import nl.b3p.brmo.service.util.ConfigUtil;
+import nl.b3p.brmo.service.util.TrustManagerDelegate;
 import nl.b3p.gds2.Main;
 import nl.b3p.soap.logging.LogMessageHandler;
 import nl.kadaster.schemas.gds2.afgifte_bestandenlijstgbopvragen.v20130701.BestandenlijstGbOpvragenType;
@@ -482,13 +489,14 @@ private void laadBagAfgifte(AfgifteGBType a, String url) throws Exception {
         l.updateStatus(msg);
         l.addLog(msg);
 
-        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
-
         InputStream input = null;
         int attempt = 0;
         while (true) {
             try {
                 URLConnection connection = new URL(url).openConnection();
+                if (connection instanceof HttpsURLConnection) {
+                    ((HttpsURLConnection) connection).setSSLSocketFactory(context.getSocketFactory());
+                }
                 input = (InputStream) connection.getContent();
                 break;
             } catch (Exception e) {
@@ -538,16 +546,16 @@ private Bericht laadAfgifte(AfgifteGBType a, String url) throws Exception {
         String msg = "Downloaden " + url;
         l.updateStatus(msg);
         l.addLog(msg);
-        this.config.addLogLine(msg);
-
-        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
 
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
 
         int attempt = 0;
         while (true) {
             try {
                 URLConnection connection = new URL(url).openConnection();
+                if (connection instanceof HttpsURLConnection) {
+                    ((HttpsURLConnection) connection).setSSLSocketFactory(context.getSocketFactory());
+                }
                 InputStream input = (InputStream) connection.getContent();
                 IOUtils.copy(input, bos);
                 break;
@@ -838,44 +846,65 @@ private Gds2AfgifteServiceV20130701 initGDS2() throws Exception {
         BindingProvider bp = (BindingProvider) gds2;
         Map<String, Object> ctxt = bp.getRequestContext();
 
-        // soap berichten logger inhaken
+        // soap berichten logger inhaken (actief met TRACE level)
         List<Handler> handlerChain = bp.getBinding().getHandlerChain();
         handlerChain.add(new LogMessageHandler());
         bp.getBinding().setHandlerChain(handlerChain);
 
-        //ctxt.put(BindingProvider.USERNAME_PROPERTY, username);
-        //ctxt.put(BindingProvider.PASSWORD_PROPERTY, password);
         String endpoint = (String) ctxt.get(BindingProvider.ENDPOINT_ADDRESS_PROPERTY);
         l.addLog("Kadaster endpoint: " + endpoint);
-
-        //ctxt.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,  "http://localhost:8088/AfgifteService");
-        //l.addLog("Endpoint protocol gewijzigd naar mock");
         l.updateStatus("Laden keys...");
-        l.addLog("Loading keystore");
-        KeyStore ks = KeyStore.getInstance("jks");
-        ks.load(Main.class.getResourceAsStream("/pkioverheid.jks"), "changeit".toCharArray());
-
-        l.addLog("Initializing TrustManagerFactory");
-        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
-        tmf.init(ks);
 
         l.addLog("Initializing KeyManagerFactory");
         KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-        ks = KeyStore.getInstance("jks");
-        char[] thePassword = "changeit".toCharArray();
+        KeyStore ks = KeyStore.getInstance("jks");
+        final char[] thePassword = "changeit".toCharArray();
         PrivateKey privateKey = getPrivateKeyFromPEM(this.config.getConfig().get("gds2_privkey").getValue());
         Certificate certificate = getCertificateFromPEM(this.config.getConfig().get("gds2_pubkey").getValue());
         ks.load(null);
         ks.setKeyEntry("thekey", privateKey, thePassword, new Certificate[]{certificate});
         kmf.init(ks, thePassword);
 
         l.updateStatus("Opzetten SSL context...");
-        l.addLog("Initializing SSLContext");
-        this.config.addLogLine("Initializing SSLContext");
-        context = SSLContext.getInstance("TLS", "SunJSSE");
-        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+        context = createSslContext(kmf);
         ctxt.put(JAXWSProperties.SSL_SOCKET_FACTORY, context.getSocketFactory());
 
         return gds2;
     }
+
+    private SSLContext createSslContext(KeyManagerFactory kmf) throws KeyStoreException, IOException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException, KeyManagementException {
+        final SSLContext sslContext = SSLContext.getInstance("TLS", "SunJSSE");
+
+        l.addLog("Loading PKIX Overheid keystore");
+        KeyStore ks = KeyStore.getInstance("jks");
+        ks.load(Main.class.getResourceAsStream("/pkioverheid.jks"), "changeit".toCharArray());
+
+        l.addLog("Initializing default TrustManagerFactory");
+        final TrustManagerFactory javaDefaultTrustManager = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        javaDefaultTrustManager.init((KeyStore) null);
+        X509TrustManager defaultX509TrustManager = null;
+        for (TrustManager t : javaDefaultTrustManager.getTrustManagers()) {
+            if (t instanceof X509TrustManager) {
+                defaultX509TrustManager = (X509TrustManager) t;
+                break;
+            }
+        }
+        l.addLog("Initializing PKIX TrustManagerFactory");
+        final TrustManagerFactory customCaTrustManager = TrustManagerFactory.getInstance("PKIX");
+        customCaTrustManager.init(ks);
+
+        l.addLog("Initializing SSLContext");
+        sslContext.init(
+                kmf.getKeyManagers(),
+                new TrustManager[]{
+                    new TrustManagerDelegate(
+                            // customCaTrustManager is PKIX dus altijd X.509 (RFC3280)
+                            (X509TrustManager) customCaTrustManager.getTrustManagers()[0],
+                            defaultX509TrustManager
+                    )
+                },
+                null
+        );
+        return sslContext;
+    }
 }
diff --git a/brmo-service/src/main/java/nl/b3p/brmo/service/util/TrustManagerDelegate.java b/brmo-service/src/main/java/nl/b3p/brmo/service/util/TrustManagerDelegate.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2017 B3Partners B.V.
+ */
+package nl.b3p.brmo.service.util;
+
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ *
+ * @author mprins
+ */
+public class TrustManagerDelegate implements X509TrustManager {
+
+    private final X509TrustManager mainTrustManager;
+    private final X509TrustManager fallbackTrustManager;
+
+    public TrustManagerDelegate(X509TrustManager mainTrustManager, X509TrustManager fallbackTrustManager) {
+        this.mainTrustManager = mainTrustManager;
+        this.fallbackTrustManager = fallbackTrustManager;
+    }
+
+    @Override
+    public void checkClientTrusted(final X509Certificate[] x509Certificates, final String authType) throws CertificateException {
+        try {
+            mainTrustManager.checkClientTrusted(x509Certificates, authType);
+        } catch (CertificateException ignored) {
+            this.fallbackTrustManager.checkClientTrusted(x509Certificates, authType);
+        }
+    }
+
+    @Override
+    public void checkServerTrusted(final X509Certificate[] x509Certificates, final String authType) throws CertificateException {
+        try {
+            mainTrustManager.checkServerTrusted(x509Certificates, authType);
+        } catch (CertificateException ignored) {
+            this.fallbackTrustManager.checkServerTrusted(x509Certificates, authType);
+        }
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return this.fallbackTrustManager.getAcceptedIssuers();
+    }
+}