Commit 23576b1d authored by Peter Sone Koldkjær's avatar Peter Sone Koldkjær

DKERST-1231: Add support for timeout on NHR UDDI requests.

parent 3f260f3c
......@@ -5167,9 +5167,10 @@
<ConfigurationSection xsi:type="RootCertificateCollectionConfig">
<RootCertificateLocationCollection>
<RootCertificateLocation>
<KeyStoreLocation>./test/src/keys/OCES_Test.jks</KeyStoreLocation>
<!-- <KeyStoreLocation>./test/src/keys/OCES_Test.jks</KeyStoreLocation>-->
<KeyStoreLocation>./common/resources/Certificates/Live/Root/OCES_root_Prod.jks</KeyStoreLocation>
<KeyStorePassword>Test1234</KeyStorePassword>
<KeyLabel>ca</KeyLabel>
<KeyLabel></KeyLabel>
</RootCertificateLocation>
</RootCertificateLocationCollection>
</ConfigurationSection>
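Review bot: The new empty `<KeyLabel></KeyLabel>` turns the root-certificate filter into a match-everything: CertificateLoader (elsewhere in this commit) selects aliases with `alias.startsWith(aliasLabelPrefix)`, and an empty prefix accepts every entry, so every certificate in OCES_root_Prod.jks becomes a trusted root; if the empty element is read back as null rather than "" that call would throw a NullPointerException, which is worth confirming against the configuration library. If loading the whole store is intended, say so next to the element, e.g. `<!-- Empty KeyLabel: every certificate in the key store is loaded as a trusted root -->`. The commented-out test keystore path kept on the line above is dead configuration and could be dropped instead of preserved as a comment.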
......
Subproject commit 57ec63496e83309ffd34b499d907051b102efb37
Subproject commit 2d9df2d52e5dceac262b9cd688cc023f8db4b9ca
......@@ -116,7 +116,7 @@ public class ConfigurationHandler {
/**
* Sets the file name of the configuration file.
*
* @param file The file name
* @param file The file name.
*/
public static void setConfigurationFile(String file) {
raspConfigurationFileName = file;
......@@ -233,7 +233,10 @@ public class ConfigurationHandler {
/**
* Loads the configuration from the file specified with setConfigurationFile(String file).
*/
synchronized void loadXMLConfiguration() {
synchronized public void loadXMLConfiguration() {
// Empty local cache:
uddiConfig = null;
raspConfigurationFile = ConfigurationLoaderUtil.loadXMLConfiguration(raspConfigurationFileName, log);
log.debug("Loading RaspConfiguration from file=" + raspConfigurationFileName);
versionNumber = loadVersionNumber();
......@@ -451,23 +454,24 @@ public class ConfigurationHandler {
return uddiConfig;
}
private LookupRegistryFallbackConfig getLookupRegistryFallbackConfig(SubnodeConfiguration lookupRegistryFallbackSubnodes) throws URISyntaxException {
private LookupRegistryFallbackConfig getLookupRegistryFallbackConfig(SubnodeConfiguration lookupRegistryFallbackSubNodes) throws URISyntaxException {
LookupRegistryFallbackConfig config = new LookupRegistryFallbackConfig();
ArrayList<Registry> registries = new ArrayList<>();
List<?> registrySubnodes = lookupRegistryFallbackSubnodes.configurationsAt("PrioritizedRegistryList/Registry");
for (Object registrySubnodeObject : registrySubnodes) {
SubnodeConfiguration registrySubnode = (SubnodeConfiguration) registrySubnodeObject;
Registry registry = getRegistry(registrySubnode);
List<?> registrySubNodes = lookupRegistryFallbackSubNodes.configurationsAt("PrioritizedRegistryList/Registry");
for (Object registrySubNodeObject : registrySubNodes) {
SubnodeConfiguration registrySubNode = (SubnodeConfiguration) registrySubNodeObject;
Registry registry = loadRegistry(registrySubNode);
registries.add(registry);
}
config.setRegistries(registries);
return config;
}
private Registry getRegistry(SubnodeConfiguration registrySubNode) throws URISyntaxException {
private Registry loadRegistry(SubnodeConfiguration registrySubNode) throws URISyntaxException {
String xpath = "/EndpointCollection/Endpoint";
String[] endpoints = registrySubNode.getStringArray(xpath);
return new Registry(endpoints);
int uddiLookupTimeoutSeconds = registrySubNode.getInt("/UddiLookupTimeoutSeconds", 120);
return new Registry(endpoints, uddiLookupTimeoutSeconds);
}
/**
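Review bot: `loadRegistry` passes whatever `getInt("/UddiLookupTimeoutSeconds", 120)` returns straight into `new Registry(endpoints, uddiLookupTimeoutSeconds)` without checking it, so a zero or negative value from the configuration is accepted; how Registry treats such a value is outside this hunk, and a non-positive timeout usually either disables the timeout or fails every lookup, so the loader should reject it up front, e.g. `if (uddiLookupTimeoutSeconds <= 0) throw new IllegalArgumentException("UddiLookupTimeoutSeconds must be positive, was " + uddiLookupTimeoutSeconds);`. The default 120 deserves a named constant such as `DEFAULT_UDDI_LOOKUP_TIMEOUT_SECONDS` and a Javadoc line on `loadRegistry` stating the unit and the default. In the earlier hunk, `synchronized public void loadXMLConfiguration()` is legal but unconventional modifier order (`public synchronized void` is the usual form), and widening the method to public makes it part of the class's API, which the commit message does not mention.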
......
......@@ -17,13 +17,13 @@ import java.net.URL;
class ConfigurationLoaderUtil {
/*
* At first we search by directly given path, than also in conf subfolder
* (like it was in OIORASP 1.2.3.HotFix1, for backward compatibility), than
* - in parent folder.
*
* TODO DLK: Why do we search in parent folder? What if file with the same
* name is located in more than 2 places?
*/
* At first we search by directly given path, than also in conf subfolder
* (like it was in OIORASP 1.2.3.HotFix1, for backward compatibility), than
* - in parent folder.
*
* TODO DLK: Why do we search in parent folder? What if file with the same
* name is located in more than 2 places?
*/
protected static final String[] CONFIG_PATH_PREFIX_LIST = new String[]{"", "conf/", "../"};
public static XMLConfiguration loadXMLConfiguration(String configPath, Log log) {
......@@ -37,9 +37,7 @@ class ConfigurationLoaderUtil {
log.debug("Looking for configuration file: " + configPath);
}
/*
* Remember first error
*/
// Remember first error:
Throwable firstError = null;
for (String configPrefix : CONFIG_PATH_PREFIX_LIST) {
try {
......@@ -59,25 +57,22 @@ class ConfigurationLoaderUtil {
}
/*
* Try to give a hint at which location OIORASP configuration was
* found or at least where we looked for it
*/
* Try to give a hint at which location OIORASP configuration was
* found or at least where we looked for it
*/
if (config == null) {
URL configPathUrl = null;
try {
/*
* It is highly important to use the same way of location as XMLConfiguration uses.
*
* It is not enough just to check that File(configPath)
* exists, at server environment OIORASP configuration xml
* is placed into classpath.
*/
* It is highly important to use the same way of location as XMLConfiguration uses.
*
* It is not enough just to check that File(configPath)
* exists, at server environment OIORASP configuration xml
* is placed into classpath.
*/
configPathUrl = ConfigurationUtils.locate(configPath);
} catch (Exception e2) {
/*
* Hide locate exception, it has no detailed information, we
* will build our own message below
*/
// Hide locate exception, it has no detailed information, we will build our own message below
}
if (configPathUrl == null) {
// OIORASP configuration xml was not found at all, try to describe, where we looked for it.
......@@ -98,16 +93,16 @@ class ConfigurationLoaderUtil {
}
/*
* TODO: What is the reason to have this reloading strategy? Do we really support RaspConfiguration.xml dynamic modification?
*/
* TODO: What is the reason to have this reloading strategy? Do we really support RaspConfiguration.xml dynamic modification?
*/
// config.setReloadingStrategy(new FileChangedReloadingStrategy());
config.setExpressionEngine(new XPathExpressionEngine());
} catch (Exception e) {
/*
* Log error also into System.err in case if logger is not configured at all at this environment
*
* This is a critical situation which is expected to be fixed asap, so it should be very visible
*/
* Log error also into System.err in case if logger is not configured at all at this environment
*
* This is a critical situation which is expected to be fixed asap, so it should be very visible
*/
e.printStackTrace();
log.fatal("OIORASP cannot load configuration xml [" + configPath + "]: " + e.getMessage(), e);
......@@ -140,4 +135,4 @@ class ConfigurationLoaderUtil {
return file.getAbsolutePath();
}
}
}
\ No newline at end of file
}
......@@ -42,7 +42,7 @@ public class Version {
* @return String denoting our current version
*/
public static String getVersionNumber() {
return String.valueOf(getMajorVersionNum()) + "." + getMinorVersionNum() + "." + getMaintenanceVersionNum();
return getMajorVersionNum() + "." + getMinorVersionNum() + "." + getMaintenanceVersionNum();
}
/**
......@@ -50,7 +50,7 @@ public class Version {
*
* @param argv command line arguments, unused.
*/
public static void main(String argv[]) {
public static void main(String[] argv) {
System.out.println(getVersion());
}
......@@ -117,4 +117,4 @@ public class Version {
revision = a[3];
}
}
}
\ No newline at end of file
}
......@@ -13,7 +13,7 @@
* The Original Code is Java RASP toolkit.
*
* The Initial Developer of the Original Code is Lenio. Portions
* created by Lenio are Copyright (C) 2007 Danish National IT and
* created by Lenio are Copyright (C) 2007 Danish National IT and
* Telecom Agency (http://www.itst.dk). All Rights Reserved.
*/
......@@ -50,9 +50,6 @@ public class RootCertificateConfig {
}
@Override
/*
* Added for logging purposes
*/
public String toString() {
return "RootCertificateConfig [KeyStoreLocation=" + KeyStoreLocation +
", KeyLabel=" + KeyLabel +
......
......@@ -78,7 +78,7 @@ public class CertificateLoader {
X509Certificate x509Certificate;
String aliasLabelPrefix = rootCertConfig.getKeyLabel();
String alias;
List<X509Certificate> x509Certificates = new ArrayList<>();
List<X509Certificate> x509RootCertificateList = new ArrayList<>();
// define receiver certificate.
KeyStore keyStore = KeyStore.getInstance("JKS");
URL rootCertLocation = ConfigurationUtils.locate(rootCertConfig.getKeyStoreLocation());
......@@ -97,7 +97,7 @@ public class CertificateLoader {
if (alias.startsWith(aliasLabelPrefix)) {
x509Certificate = (X509Certificate) keyStore.getCertificate(alias);
if (x509Certificate != null) {
x509Certificates.add(x509Certificate);
x509RootCertificateList.add(x509Certificate);
}
// } else {
// certificate alias does not start with the desired prefix
......@@ -106,11 +106,11 @@ public class CertificateLoader {
} else {
log.error("Keystore not found at location=" + rootCertConfig.getKeyStoreLocation());
}
if (x509Certificates.isEmpty()) {
if (x509RootCertificateList.isEmpty()) {
log.error("No certificates found based on: " + rootCertConfig);
} else {
log.info(x509Certificates.size() + " certificates found based on: " + rootCertConfig);
log.info(x509RootCertificateList.size() + " certificates found based on: " + rootCertConfig);
}
return x509Certificates;
return x509RootCertificateList;
}
}
......@@ -21,7 +21,7 @@ import java.net.URL;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.LinkedList;
import java.util.ArrayList;
import java.util.List;
/**
......@@ -29,13 +29,13 @@ import java.util.List;
*/
public class CertificateUtil {
private static Log log = LogFactory.getLog(CertificateUtil.class);
private static final Log log = LogFactory.getLog(CertificateUtil.class);
public CertificateUtil() {
}
public List<URL> getOcspUrls(X509Certificate cert) throws Exception {
List<URL> urls = new LinkedList<URL>();
List<URL> urls = new ArrayList<>();
AuthorityInformationAccess authInfoAccess = null;
try {
......@@ -67,7 +67,7 @@ public class CertificateUtil {
}
public List<URL> getIssuerUrls(X509Certificate cert) throws Exception {
List<URL> urls = new LinkedList<URL>();
List<URL> urls = new ArrayList<>();
AuthorityInformationAccess authInfoAccess = null;
try {
......@@ -99,7 +99,7 @@ public class CertificateUtil {
}
public List<URL> getCrlURLs(X509Certificate cert) {
List<URL> urls = new LinkedList<URL>();
List<URL> urls = new ArrayList<>();
// Retrieves the raw ASN1 data of the CRL Dist Points X509 extension
byte[] cdp = cert.getExtensionValue(X509Extension.cRLDistributionPoints.getId());
......@@ -196,12 +196,12 @@ public class CertificateUtil {
CertificateIssuerSubject certificateIssuerSubject = new CertificateIssuerSubject(certificate);
X509Certificate downloadedX509Certificate = null;
OutVariable<X509Certificate> issuerCertificateOutVariable = new OutVariable<X509Certificate>();
OutVariable<X509Certificate> issuerCertificateOutVariable = new OutVariable<>();
if (cache.tryGetValue(certificateIssuerSubject, issuerCertificateOutVariable)) {
// certificate already retrieved - using the cached version
downloadedX509Certificate = issuerCertificateOutVariable.getVariable();
} else {
// download the certificate, and add it to the cache
// download the certificate, and add it to the cache.
InputStream inputStream = null;
// CertificateUtil certificateUtil = new CertificateUtil();
URL issuerCertificateURL = getIssuerUrl(certificate);
......@@ -235,4 +235,4 @@ public class CertificateUtil {
return downloadedX509Certificate;
}
}
\ No newline at end of file
}
......@@ -68,21 +68,17 @@ import java.util.List;
@SuppressWarnings("deprecation")
public class OcspLookup implements IRevocationLookup {
private Log log = LogFactory.getLog(OcspLookup.class);
private OcspConfig configuration;
private final Log log = LogFactory.getLog(OcspLookup.class);
/**
* Root certificate
* Root certificates.
*/
private HashMap<String, X509Certificate> rootCertificateMap;
private final HashMap<String, X509Certificate> rootCertificateMap;
/**
* The ocsp cache
*/
// Set cache time to one hour
private final ICache<X500Principal, RevocationResponse> ocspCache = CacheFactory.getInstance().getOcspLookupCache();
private OcspConfig configuration;
private CertificateUtil certificateUtil;
/**
......@@ -97,7 +93,7 @@ public class OcspLookup implements IRevocationLookup {
throw new ConfigurationException(e.getMessage());
}
rootCertificateMap = new HashMap<String, X509Certificate>();
rootCertificateMap = new HashMap<>();
try {
List<X509Certificate> list = configuration.getDefaultOcesRootCertificateCollectionFromStore();
......@@ -119,7 +115,7 @@ public class OcspLookup implements IRevocationLookup {
public OcspLookup(OcspConfig configuration) {
this.configuration = configuration;
rootCertificateMap = new HashMap<String, X509Certificate>();
rootCertificateMap = new HashMap<>();
try {
List<X509Certificate> list = this.configuration.getDefaultOcesRootCertificateCollectionFromStore();
......@@ -141,7 +137,7 @@ public class OcspLookup implements IRevocationLookup {
*/
public OcspLookup(OcspConfig conf, X509Certificate defaultRootCertificate) {
this.configuration = conf;
this.rootCertificateMap = new HashMap<String, X509Certificate>();
this.rootCertificateMap = new HashMap<>();
//this.rootcertList = new ArrayList<X509Certificate>();
this.rootCertificateMap.put(defaultRootCertificate.getIssuerDN().getName(), defaultRootCertificate);
this.certificateUtil = new CertificateUtil();
......@@ -156,7 +152,7 @@ public class OcspLookup implements IRevocationLookup {
public OcspLookup(OcspConfig conf, ArrayList<X509Certificate> defaultRootCertificateList) {
this.configuration = conf;
rootCertificateMap = new HashMap<String, X509Certificate>();
rootCertificateMap = new HashMap<>();
for (X509Certificate rootCertificate : defaultRootCertificateList) {
rootCertificateMap.put(rootCertificate.getIssuerDN().getName(), rootCertificate);
......@@ -176,13 +172,13 @@ public class OcspLookup implements IRevocationLookup {
}
/**
* Checks a certificate status on a ocsp server.
* Checks the certificate status on a OCSP server.
*
* @param certificate The certificate to check
* @return The RevocationResponse object that contains the result
* @param certificate The certificate to check.
* @return The RevocationResponse object that contains the result.
*/
public RevocationResponse checkCertificate(X509Certificate certificate) throws RevocationException {
OutVariable<RevocationResponse> value = new OutVariable<RevocationResponse>();
OutVariable<RevocationResponse> value = new OutVariable<>();
RevocationResponse revocationResponse;
if (ocspCache.tryGetValue(certificate.getSubjectX500Principal(), value)) {
// response already in cache.
......@@ -227,7 +223,7 @@ public class OcspLookup implements IRevocationLookup {
public RevocationResponse revocationResponse(X509Certificate certificate) throws RevocationException {
// this method can be call recursive, so check the cache first
RevocationResponse revocationResponse;
OutVariable<RevocationResponse> value = new OutVariable<RevocationResponse>();
OutVariable<RevocationResponse> value = new OutVariable<>();
if (ocspCache.tryGetValue(certificate.getSubjectX500Principal(), value)) {
// response already in cache.
......@@ -247,21 +243,20 @@ public class OcspLookup implements IRevocationLookup {
}
/**
* Checks a certificate status on a ocsp server
* Checks the certificate status on a OCSP server.
*
* @param x509Certificate - The certificate to check.
* @return The RevocationResponse object that contains the result
* @return The RevocationResponse object that contains the result.
* @throws RevocationException On error...
*/
public RevocationResponse revocationResponseOnline(X509Certificate x509Certificate) throws RevocationException {
// The response was not in the cache - we must validate the certificate our self
// The response was not in the cache - we must validate the certificate online.
if (x509Certificate == null) {
throw new RevocationException("Certificate is null");
}
X509Certificate issuerX509Certificate = findIssuerCertificate(x509Certificate);
if (issuerX509Certificate == null) {
throw new RevocationException("Certificate '" + x509Certificate.getSubjectX500Principal() + "' is not trusted, as issuer could not be identified");
}
......@@ -276,7 +271,7 @@ public class OcspLookup implements IRevocationLookup {
if (revocationResponse != null && revocationResponse.isValid()) {
// Now we know the certificate is valid.
// If the issuer is a trusted root certificate, all is good
if (this.rootCertificateMap.containsKey(issuerX509Certificate.getIssuerDN().getName())) {
if (rootCertificateMap.containsKey(issuerX509Certificate.getIssuerDN().getName())) {
// the root certificate is trusted, so the RevocationResponse can be put on the cache
ocspCache.add(x509Certificate.getSubjectX500Principal(), revocationResponse);
} else {
......@@ -350,7 +345,7 @@ public class OcspLookup implements IRevocationLookup {
throw new RevocationException("No OCSP url found in certificate: " + x509Certificate.getSubjectDN().getName());
}
// we always validate against the first defined url
// we always validate against the first defined url:
String url = urlList.get(0);
revocationResponse = revocationResponseOnline(x509Certificate, issuerX509Certificate, url);
......@@ -384,10 +379,7 @@ public class OcspLookup implements IRevocationLookup {
// 3. Make result object.
revocationResponse = processOcspResponse(serverX509Certificate, binaryResp);
} catch (NoSuchProviderException e) {
log.error(e.getMessage(), e);
throw new RevocationException(e);
} catch (IOException e) {
} catch (NoSuchProviderException | IOException e) {
log.error(e.getMessage(), e);
throw new RevocationException(e);
}
......@@ -556,21 +548,21 @@ public class OcspLookup implements IRevocationLookup {
public X509Certificate findIssuerCertificate(X509Certificate certificate) {
// tree possibilities
// 1 - A root certificate - exist in root list
// 2 - A root certificate not trusted - not in list
// 3 - Issuer certificate, can can be downloaded
// 1: A root certificate - exist in root list.
// 2: A root certificate not trusted/not in list.
// 3: Issuer certificate, can be downloaded.
X509Certificate issuerCertificate;
String key = certificate.getIssuerDN().getName();
if (this.rootCertificateMap.containsKey(key)) {
if (rootCertificateMap.containsKey(key)) {
// root certificate is in the trusted key store (possibility 1)
issuerCertificate = this.rootCertificateMap.get(key);
issuerCertificate = rootCertificateMap.get(key);
} else {
// So down to possibility 2 or 3
// 2 - A root certificate not trusted - not in list
// 3 - Issuer certificate, can can be downloaded
// Down to possibility 2 or 3:
// 2: A root certificate not trusted/not in list.
// 3: Issuer certificate, can can be downloaded
// So we will try to download the certificate
issuerCertificate = this.certificateUtil.downloadIssuerCert(certificate);
issuerCertificate = certificateUtil.downloadIssuerCert(certificate);
// if ( issuerCertificate== null){
// The issuer certificate is a root certificate , but not trusted (oces1)
......@@ -592,7 +584,7 @@ public class OcspLookup implements IRevocationLookup {
byte[] ext = certificate.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId());
aIn = new ASN1InputStream(ext);
aIn = new ASN1InputStream(((ASN1OctetString) aIn.readObject()).getOctets());
ASN1Encodable object = (ASN1Encodable) aIn.readObject();
ASN1Encodable object = aIn.readObject();
AuthorityInformationAccess auth = AuthorityInformationAccess.getInstance(object);
AccessDescription[] acc = auth.getAccessDescriptions();
return acc[0].getAccessLocation().toString().substring(3);
......@@ -610,7 +602,7 @@ public class OcspLookup implements IRevocationLookup {
}
public List<String> getAuthorityInformationAccessOcspUrl(X509Certificate x509Certificate) {
List<String> ocspUrls = new ArrayList<String>();
List<String> ocspUrls = new ArrayList<>();
ASN1InputStream extensionAns1InputStream = null;
ASN1InputStream octetAns1InputStream = null;
......@@ -659,9 +651,7 @@ public class OcspLookup implements IRevocationLookup {
try {
ocspCertificate.checkValidity();
return true;
} catch (CertificateExpiredException e) {
return false;
} catch (CertificateNotYetValidException e) {
} catch (CertificateExpiredException | CertificateNotYetValidException e) {
return false;
}
}
......@@ -697,4 +687,4 @@ public class OcspLookup implements IRevocationLookup {
public RevocationSourceType getRevocationSourceType() {
return RevocationSourceType.OCSP;
}
}
\ No newline at end of file
}
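Review bot: In the findIssuerCertificate hunk the rewritten comment `// 3: Issuer certificate, can can be downloaded` keeps the doubled word and missing period that the parallel comment a few lines earlier (`// 3: Issuer certificate, can be downloaded.`) already fixes; since the commit is already touching both, make them identical. Style: the field is now `private final HashMap<String, X509Certificate> rootCertificateMap;`, and declaring it as `Map<String, X509Certificate>` keeps the implementation choice local to the constructors that do `new HashMap<>()`. `configuration` and `certificateUtil`, moved in the same hunk, could presumably be made `final` too if every constructor assigns them, but only parts of the constructor bodies are visible here.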
......@@ -13,49 +13,52 @@
* The Original Code is Java RASP toolkit.
*
* The Initial Developer of the Original Code is Lenio. Portions
* created by Lenio are Copyright (C) 2007 Danish National IT and
* created by Lenio are Copyright (C) 2007 Danish National IT and
* Telecom Agency (http://www.itst.dk). All Rights Reserved.
*/
package dk.gov.oiosi.uddi;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
/**
* Configuration section for the lookup registry fallback mechanism.
* @author dennis.soegaard
*
* @author dennis.soegaard
*/
public class LookupRegistryFallbackConfig {
private Collection<Registry> _registries = new ArrayList<Registry>();
private List<Registry> _registries = new ArrayList<>();
/**
* Default constructor
*/
public LookupRegistryFallbackConfig() { }
public LookupRegistryFallbackConfig() {
}
/**
* Constructor that takes the given registries.
* @param registries
* Constructor that takes the given List of registries.
*/
public LookupRegistryFallbackConfig(Collection<Registry> registries) {
setRegistries(registries);
public LookupRegistryFallbackConfig(List<Registry> registryList) {
setRegistries(registryList);
}
/**
* Gets the registries
*
* @return a collection of registries
*/
public Collection<Registry> getRegistries() {
return _registries;
public List<Registry> getRegistries() {
return _registries;
}
/**
* Sets the registries
* @param registries the registries that should be initiated
*
* @param registries the registries that should be initiated.
*/
public void setRegistries(Collection<Registry> registries) {
_registries = registries;
public void setRegistries(List<Registry> registries) {
_registries = registries;
}
}
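Review bot: `setRegistries` stores the caller's list by reference and `getRegistries` returns that same list, so the registry order this fallback configuration depends on can be altered from outside after construction; now that the type is `List`, copy on the way in and guard on the way out, `_registries = new ArrayList<>(Objects.requireNonNull(registries, "registries"));` and `return Collections.unmodifiableList(_registries);` (both need `java.util.Objects` and `java.util.Collections` imports, and `java.util.Collection` appears to be unused after this change). The constructor Javadoc also lost its `@param` line while the parameter was renamed; add `@param registryList the registries that should be initiated.` so it stays documented.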