[phiz] 2 new revisions pushed by michal.kotelba@esacinc.com on 2015-03-18 19:16 GMT


ph...@googlecode.com

Mar 18, 2015, 3:16:53 PM3/18/15
to phiz-de...@googlegroups.com
2 new revisions:

Revision: c5045755e113
Branch: default
Author: Michal Kotelba <michal....@esacinc.com>
Date: Wed Mar 18 02:04:22 2015 UTC
Log: - Supports PHIZ-37....
https://code.google.com/p/phiz/source/detail?r=c5045755e113

Revision: ea3e02d474ef
Branch: default
Author: Michal Kotelba <michal....@esacinc.com>
Date: Wed Mar 18 12:21:24 2015 UTC
Log: - Supports PHIZ-38....
https://code.google.com/p/phiz/source/detail?r=ea3e02d474ef

==============================================================================
Revision: c5045755e113
Branch: default
Author: Michal Kotelba <michal....@esacinc.com>
Date: Wed Mar 18 02:04:22 2015 UTC
Log: - Supports PHIZ-37.
- Implemented SSL debug message processing (currently, only used for
capturing SSL [client + server] HELLO information).
https://code.google.com/p/phiz/source/detail?r=c5045755e113

Added:
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/PhizCryptoServiceBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslDebugPrintStreamType.java
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslEvent.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslEventProcessor.java
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslHelloEvent.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslHelloEventProcessor.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/AbstractSslEvent.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/AbstractSslEventProcessor.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/SslDebugPrintStream.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/SslHelloEventImpl.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/SslHelloEventProcessorImpl.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/PhizSslManagerBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/revocation/OcspContentTypes.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/revocation/OcspOids.java
Deleted:

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/PhizCryptoContentTypes.java
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/PhizCryptoOids.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/CertificateJsonSerializer.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/PhizSslDebugConfiguration.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizSslContextAwareFactoryBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizSslManagerFactoryBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizSslSocketFactoryFactoryBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizSslClientSocketFactoryFactoryBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizSslServerSocketFactoryFactoryBean.java
Modified:
/phiz-core/src/main/java/gov/hhs/onc/phiz/aop/utils/PhizProxyUtils.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/impl/AbstractPhizCryptoFactoryBean.java
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslTrustEvent.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/SslTrustEventImpl.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizSslParametersAwareFactoryBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizKeyManagerFactoryBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizSslContextFactoryBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizTrustManager.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/revocation/impl/PhizRevocationChecker.java

/phiz-core/src/main/resources/META-INF/phiz/logback/logback-phiz-include.xml

/phiz-core/src/main/resources/META-INF/phiz/spring/spring-phiz-crypto-ssl.xml

/phiz-core/src/test/java/gov/hhs/onc/phiz/test/crypto/ssl/revocation/impl/PhizOcspServerImpl.java

/phiz-core/src/test/resources/META-INF/phiz/spring/spring-phiz-crypto-ssl-test.xml
/phiz-parent/pom.xml

/phiz-web-core/src/main/java/gov/hhs/onc/phiz/web/crypto/impl/PhizJsseImplementation.java

/phiz-web-core/src/main/resources/META-INF/phiz/spring/spring-phiz-web-tomcat.xml

/phiz-web-core/src/test/resources/META-INF/phiz/spring/spring-phiz-web-soapui-test.xml

/phiz-web-core/src/test/resources/META-INF/phiz/spring/spring-phiz-web-tomcat-test.xml

/phiz-web-ws/src/main/resources/META-INF/phiz/spring/spring-phiz-web-ws-client.xml

/phiz-web-ws/src/test/resources/META-INF/phiz/spring/spring-phiz-web-ws-client-test.xml

=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/PhizCryptoServiceBean.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,13 @@
+package gov.hhs.onc.phiz.crypto;
+
+import java.security.Provider;
+
+public interface PhizCryptoServiceBean {
+ public Provider getProvider();
+
+ public void setProvider(Provider prov);
+
+ public String getType();
+
+ public void setType(String type);
+}
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslDebugPrintStreamType.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,40 @@
+package gov.hhs.onc.phiz.crypto.logging;
+
+import gov.hhs.onc.phiz.crypto.PhizCryptoTagId;
+import java.io.PrintStream;
+import java.util.function.Consumer;
+import java.util.function.Supplier;
+
+public enum SslDebugPrintStreamType implements PhizCryptoTagId {
+ OUT(1, () -> System.out, System::setOut), ERR(2, () -> System.err,
System::setErr);
+
+ private final int tag;
+ private final String id;
+ private final Supplier<PrintStream> getter;
+ private final Consumer<PrintStream> setter;
+
+ private SslDebugPrintStreamType(int tag, Supplier<PrintStream> getter,
Consumer<PrintStream> setter) {
+ this.tag = tag;
+ this.id = this.name().toLowerCase();
+ this.getter = getter;
+ this.setter = setter;
+ }
+
+ public Supplier<PrintStream> getGetter() {
+ return this.getter;
+ }
+
+ @Override
+ public String getId() {
+ return this.id;
+ }
+
+ public Consumer<PrintStream> getSetter() {
+ return this.setter;
+ }
+
+ @Override
+ public int getTag() {
+ return this.tag;
+ }
+}
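Review bot: `this.id = this.name().toLowerCase();` in the enum constructor is locale-sensitive, and `id` backs `getId()`, i.e. it is used as a stable identifier rather than display text; it should be `this.id = this.name().toLowerCase(Locale.ROOT);` with `java.util.Locale` imported. The two constants in this hunk contain no letters affected by locale-specific casing rules, so this is hardening rather than a present bug, but it keeps the id independent of the JVM's default locale.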
=======================================
--- /dev/null
+++ /phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslEvent.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,11 @@
+package gov.hhs.onc.phiz.crypto.logging;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
+
+public interface SslEvent {
+ @JsonProperty
+ public PhizSslLocation getLocation();
+
+ public void setLocation(PhizSslLocation loc);
+}
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslEventProcessor.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,7 @@
+package gov.hhs.onc.phiz.crypto.logging;
+
+public interface SslEventProcessor<T extends SslEvent> {
+ public void processEvent(StackTraceElement[] frames, String msg);
+
+ public boolean canProcessEvent(StackTraceElement[] frames);
+}
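Review bot: The type parameter `T extends SslEvent` on `SslEventProcessor<T>` is not referenced by either method in this hunk, so `SslEventProcessor<SslHelloEvent>` and `SslEventProcessor<?>` give callers no static guarantee about which event type an implementation produces. Either drop the parameter or let it appear in the interface, e.g. `public T getEvent();`, so that the wildcard set in `SslDebugPrintStream` means something. A one-line Javadoc on `canProcessEvent` stating what `frames` holds (the caller's stack frames, apparently with the print-stream internals already removed by the caller) would also help implementors.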
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslHelloEvent.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,17 @@
+package gov.hhs.onc.phiz.crypto.logging;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import gov.hhs.onc.phiz.logging.logstash.MarkerObjectFieldName;
+
+@MarkerObjectFieldName("sslHello")
+public interface SslHelloEvent extends SslEvent {
+ @JsonProperty
+ public String[] getCipherSuites();
+
+ public void setCipherSuites(String[] cipherSuites);
+
+ @JsonProperty
+ public String getProtocol();
+
+ public void setProtocol(String protocol);
+}
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslHelloEventProcessor.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,4 @@
+package gov.hhs.onc.phiz.crypto.logging;
+
+public interface SslHelloEventProcessor extends
SslEventProcessor<SslHelloEvent> {
+}
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/AbstractSslEvent.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,18 @@
+package gov.hhs.onc.phiz.crypto.logging.impl;
+
+import gov.hhs.onc.phiz.crypto.logging.SslEvent;
+import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
+
+public abstract class AbstractSslEvent implements SslEvent {
+ protected PhizSslLocation loc;
+
+ @Override
+ public PhizSslLocation getLocation() {
+ return this.loc;
+ }
+
+ @Override
+ public void setLocation(PhizSslLocation loc) {
+ this.loc = loc;
+ }
+}
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/AbstractSslEventProcessor.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,51 @@
+package gov.hhs.onc.phiz.crypto.logging.impl;
+
+import ch.qos.logback.classic.Level;
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.LoggingEvent;
+import gov.hhs.onc.phiz.crypto.logging.SslEvent;
+import gov.hhs.onc.phiz.crypto.logging.SslEventProcessor;
+import gov.hhs.onc.phiz.logging.logstash.PhizLogstashTags;
+import gov.hhs.onc.phiz.logging.logstash.impl.PhizLogstashMarkers;
+import gov.hhs.onc.phiz.utils.PhizStringUtils;
+import java.util.Arrays;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.function.Supplier;
+import java.util.stream.Stream;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.LoggerFactory;
+
+public abstract class AbstractSslEventProcessor<T extends SslEvent>
implements SslEventProcessor<T> {
+ private final static String DEBUG_SYS_PROP_NAME = "javax.net.debug";
+ private final static String SSL_DEBUG_SYS_PROP_VALUE = "ssl";
+
+ private final static Logger LOGGER = ((Logger)
LoggerFactory.getLogger(AbstractSslEventProcessor.class));
+
+ protected ThreadLocal<T> threadEvent;
+ protected Set<String> debugSysPropValues = new
TreeSet<>(String.CASE_INSENSITIVE_ORDER);
+
+ protected AbstractSslEventProcessor(Supplier<T> eventCreator,
String ... debugSysPropValues) {
+ this.threadEvent = ThreadLocal.withInitial(eventCreator);
+
+ this.debugSysPropValues.add(SSL_DEBUG_SYS_PROP_VALUE);
+
Stream.of(debugSysPropValues).forEach(this.debugSysPropValues::add);
+ }
+
+ @Override
+ public boolean canProcessEvent(StackTraceElement[] frames) {
+ String debugSysPropValue = System.getProperty(DEBUG_SYS_PROP_NAME);
+
+ return (!StringUtils.isBlank(debugSysPropValue) &&
this.debugSysPropValues.containsAll(Arrays.asList(PhizStringUtils.tokenize(debugSysPropValue))));
+ }
+
+ protected void dispatchEvent(StackTraceElement[] frames, Level level,
String msg, T event) {
+ LoggingEvent loggingEvent = new LoggingEvent(Logger.FQCN, LOGGER,
level, msg, null, null);
+ loggingEvent.setCallerData(frames);
+
loggingEvent.setMarker(PhizLogstashMarkers.append(PhizLogstashTags.SSL,
event));
+
+ LOGGER.callAppenders(loggingEvent);
+
+ this.threadEvent.remove();
+ }
+}
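Review bot: `canProcessEvent` accepts an event only when every token of `javax.net.debug` is contained in `debugSysPropValues` (`ssl` plus whatever the subclass passed), so a broader setting than the processor knows about — `all`, or `ssl` with further sub-options — presumably switches capture off entirely rather than leaving it on; if that is intended it should be stated in a Javadoc on the constructor, otherwise the check should be that the property contains the tokens the processor needs rather than that it contains nothing else. The property is also re-read and re-tokenized on every call, and `SslDebugPrintStream` makes that call for each debug line coming from `sun.security.ssl`; if the value is not expected to change after startup, resolve it once. The `frames` parameter is unused in this base implementation, which is fine, but a short comment saying subclasses refine the decision from it would make that explicit.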
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/SslDebugPrintStream.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,324 @@
+package gov.hhs.onc.phiz.crypto.logging.impl;
+
+import gov.hhs.onc.phiz.crypto.logging.SslDebugPrintStreamType;
+import gov.hhs.onc.phiz.crypto.logging.SslEventProcessor;
+import java.io.OutputStreamWriter;
+import java.io.PrintStream;
+import java.nio.charset.Charset;
+import java.util.Arrays;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import javax.annotation.Nullable;
+import javax.annotation.Resource;
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.ClassUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.DisposableBean;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.core.annotation.AnnotationAwareOrderComparator;
+
+public class SslDebugPrintStream extends PrintStream implements
DisposableBean, InitializingBean {
+ private static enum SslDebugInvocationStatus {
+ PROPAGATE, REJECT, ACCEPT
+ }
+
+ private static class SslDebugInvocation {
+ private SslDebugInvocationStatus status;
+ private SslEventProcessor<?> eventProc;
+ private StackTraceElement[] frames;
+
+ public SslDebugInvocation(SslDebugInvocationStatus status) {
+ this(status, null);
+ }
+
+ public SslDebugInvocation(SslDebugInvocationStatus status,
@Nullable StackTraceElement[] frames) {
+ this(status, frames, null);
+ }
+
+ public SslDebugInvocation(SslDebugInvocationStatus status,
@Nullable StackTraceElement[] frames, @Nullable SslEventProcessor<?>
eventProc) {
+ this.status = status;
+ this.eventProc = eventProc;
+ this.frames = frames;
+ }
+
+ @Nullable
+ public SslEventProcessor<?> getEventProcessor() {
+ return this.eventProc;
+ }
+
+ @Nullable
+ public StackTraceElement[] getFrames() {
+ return this.frames;
+ }
+
+ public SslDebugInvocationStatus getStatus() {
+ return this.status;
+ }
+ }
+
+ public final static String SUN_PKG_NAME_PREFIX = "sun.";
+ public final static String SUN_MISC_PKG_NAME_PREFIX =
SUN_PKG_NAME_PREFIX + "misc.";
+ public final static String SUN_SEC_PKG_NAME_PREFIX =
SUN_PKG_NAME_PREFIX + "security.";
+ public final static String SUN_SEC_SSL_PKG_NAME_PREFIX =
SUN_SEC_PKG_NAME_PREFIX + "ssl.";
+ public final static String SUN_SEC_UTIL_PKG_NAME_PREFIX =
SUN_SEC_PKG_NAME_PREFIX + "util.";
+
+ private final static String DEBUG_CLASS_NAME_SUFFIX = "Debug";
+ private final static String ENC_CLASS_NAME_SUFFIX = "Encoder";
+
+ private final static String[] SKIP_INVOKER_CLASS_NAMES = Stream.concat(
+
ClassUtils.convertClassesToClassNames(Arrays.asList(SslDebugPrintStream.class,
OutputStreamWriter.class, PrintStream.class)).stream(),
+ Stream.of((SUN_PKG_NAME_PREFIX + "nio.cs.StreamEncoder"),
(SUN_SEC_SSL_PKG_NAME_PREFIX + DEBUG_CLASS_NAME_SUFFIX),
+ (SUN_SEC_UTIL_PKG_NAME_PREFIX +
DEBUG_CLASS_NAME_SUFFIX))).toArray(String[]::new);
+
+ private final static String[] REJECT_INVOKER_CLASS_NAMES =
ArrayUtils.toArray((SUN_MISC_PKG_NAME_PREFIX + "Character" +
ENC_CLASS_NAME_SUFFIX),
+ (SUN_MISC_PKG_NAME_PREFIX + "HexDump" + ENC_CLASS_NAME_SUFFIX));
+
+ private final static String MSG_STRIP_CHARS = "*";
+
+ private final static Map<SslDebugPrintStreamType,
ThreadLocal<StringBuilder>> THREAD_BUILDER_MAP =
Stream.of(SslDebugPrintStreamType.values()).collect(
+ Collectors.toMap(Function.<SslDebugPrintStreamType> identity(),
type -> ThreadLocal.withInitial(() -> new StringBuilder(64))));
+
+ @Resource(name = "charsetUtf8")
+ private Charset charset;
+
+ private SslDebugPrintStreamType type;
+ private Set<SslEventProcessor<?>> eventProcs = new
TreeSet<>(AnnotationAwareOrderComparator.INSTANCE);
+
+ public SslDebugPrintStream(SslDebugPrintStreamType type) {
+ super(type.getGetter().get());
+
+ this.type = type;
+ }
+
+ @Override
+ public void println(double data) {
+ this.println(Double.toString(data));
+ }
+
+ @Override
+ public void println(float data) {
+ this.println(Float.toString(data));
+ }
+
+ @Override
+ public void println(long data) {
+ this.println(Long.toString(data));
+ }
+
+ @Override
+ public void println(int data) {
+ this.println(Integer.toString(data));
+ }
+
+ @Override
+ public void println(boolean data) {
+ this.println(Boolean.toString(data));
+ }
+
+ @Override
+ public void println(Object data) {
+ this.println(data.toString());
+ }
+
+ @Override
+ public void println(String data) {
+ this.println(data.toCharArray());
+ }
+
+ @Override
+ public void println(char data) {
+ this.println(new char[] { data });
+ }
+
+ @Override
+ public void println(@SuppressWarnings({ "NullableProblems" }) char[]
data) {
+ SslDebugInvocation invocation = processInvocation();
+
+ switch (invocation.getStatus()) {
+ case ACCEPT:
+ processDataEvent(this.type, invocation.getFrames(),
invocation.getEventProcessor(), data);
+ break;
+
+ case PROPAGATE:
+ super.println(data);
+ break;
+ }
+ }
+
+ @Override
+ public void println() {
+ SslDebugInvocation invocation = processInvocation();
+
+ switch (invocation.getStatus()) {
+ case ACCEPT:
+ processDataEvent(this.type, invocation.getFrames(),
invocation.getEventProcessor());
+ break;
+
+ case PROPAGATE:
+ super.println();
+ break;
+ }
+ }
+
+ @Override
+ public void print(double data) {
+ this.print(Double.toString(data));
+ }
+
+ @Override
+ public void print(float data) {
+ this.print(Float.toString(data));
+ }
+
+ @Override
+ public void print(long data) {
+ this.print(Long.toString(data));
+ }
+
+ @Override
+ public void print(int data) {
+ this.print(Integer.toString(data));
+ }
+
+ @Override
+ public void print(boolean data) {
+ this.print(Boolean.toString(data));
+ }
+
+ @Override
+ public void print(Object data) {
+ this.print(data.toString());
+ }
+
+ @Override
+ public void print(String data) {
+ this.print(data.toCharArray());
+ }
+
+ @Override
+ public void print(char data) {
+ this.print(new char[] { data });
+ }
+
+ @Override
+ public void print(@SuppressWarnings({ "NullableProblems" }) char[]
data) {
+ switch (processInvocation().getStatus()) {
+ case ACCEPT:
+ processData(this.type, data);
+ break;
+
+ case PROPAGATE:
+ super.print(data);
+ break;
+ }
+ }
+
+ @Override
+ public void write(int data) {
+ this.write(new byte[] { ((byte) data) });
+ }
+
+ @Override
+ public void write(@SuppressWarnings({ "NullableProblems" }) byte[]
data) {
+ this.write(data, 0, data.length);
+ }
+
+ @Override
+ public void write(@SuppressWarnings({ "NullableProblems" }) byte[]
data, int dataOffset, int dataLen) {
+ switch (processInvocation().getStatus()) {
+ case ACCEPT:
+ processData(this.type, new String(data,
this.charset).toCharArray());
+ break;
+
+ case PROPAGATE:
+ super.write(data, dataOffset, dataLen);
+ break;
+ }
+ }
+
+ @Override
+ public synchronized void destroy() throws Exception {
+ this.type.getSetter().accept(((PrintStream) this.out));
+ }
+
+ @Override
+ public synchronized void afterPropertiesSet() throws Exception {
+ this.type.getSetter().accept(this);
+ }
+
+ private static void processDataEvent(SslDebugPrintStreamType type,
StackTraceElement[] frames, SslEventProcessor<?> eventProc) {
+ // noinspection NullArgumentToVariableArgMethod
+ processDataEvent(type, frames, eventProc, null);
+ }
+
+ private static void processDataEvent(SslDebugPrintStreamType type,
StackTraceElement[] frames, SslEventProcessor<?> eventProc, @Nullable
char ... data) {
+ ThreadLocal<StringBuilder> threadBuilder =
THREAD_BUILDER_MAP.get(type);
+
+ // noinspection SynchronizationOnLocalVariableOrMethodParameter
+ synchronized (threadBuilder) {
+ StringBuilder builder = threadBuilder.get();
+
+ if (data != null) {
+ // noinspection ConstantConditions
+ builder.append(data);
+ }
+
+ String msg =
StringUtils.trim(StringUtils.strip(builder.toString(), MSG_STRIP_CHARS));
+
+ // noinspection ConstantConditions
+ if (!msg.isEmpty()) {
+ eventProc.processEvent(frames, msg);
+ }
+
+ threadBuilder.remove();
+ }
+ }
+
+ private static void processData(SslDebugPrintStreamType type, char ...
data) {
+ ThreadLocal<StringBuilder> threadBuilder =
THREAD_BUILDER_MAP.get(type);
+
+ // noinspection SynchronizationOnLocalVariableOrMethodParameter
+ synchronized (threadBuilder) {
+ threadBuilder.get().append(data);
+ }
+ }
+
+ private SslDebugInvocation processInvocation() {
+ StackTraceElement[] frames = new Throwable().getStackTrace();
+
+ for (int a = 0; a < frames.length; a++) {
+ if (!StringUtils.startsWithAny(frames[a].getClassName(),
SKIP_INVOKER_CLASS_NAMES)) {
+ frames = ArrayUtils.subarray(frames, a, frames.length);
+
+ break;
+ }
+ }
+
+ final StackTraceElement[] invokerFrames = frames;
+ String invokerClassName = invokerFrames[0].getClassName();
+ boolean propagateInvocation;
+ SslEventProcessor<?> invokerEventProc = null;
+
+ if (StringUtils.startsWithAny(invokerClassName,
REJECT_INVOKER_CLASS_NAMES)
+ || (!(propagateInvocation
= !invokerClassName.startsWith(SUN_SEC_SSL_PKG_NAME_PREFIX)) &&
((invokerEventProc =
+ this.eventProcs.stream().filter(eventProc ->
eventProc.canProcessEvent(invokerFrames)).findFirst().orElse(null)) ==
null))) {
+ return new SslDebugInvocation(SslDebugInvocationStatus.REJECT);
+ }
+
+ return new SslDebugInvocation((propagateInvocation ?
SslDebugInvocationStatus.PROPAGATE : SslDebugInvocationStatus.ACCEPT),
invokerFrames,
+ invokerEventProc);
+ }
+
+ public Set<SslEventProcessor<?>> getEventProcessors() {
+ return this.eventProcs;
+ }
+
+ public void setEventProcessors(Set<SslEventProcessor<?>> eventProcs) {
+ this.eventProcs.clear();
+ this.eventProcs.addAll(eventProcs);
+ }
+}
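Review bot: In `write(byte[] data, int dataOffset, int dataLen)` the `ACCEPT` branch decodes the whole array and ignores `dataOffset`/`dataLen`, so a partial write captures stale or out-of-range bytes; it should be `processData(this.type, new String(data, dataOffset, dataLen, this.charset).toCharArray());`. `println(Object)`, `println(String)`, `print(Object)` and `print(String)` dereference `data` directly and therefore throw `NullPointerException` on a null argument where `PrintStream` prints `"null"`; `this.println(String.valueOf(data));` (and the same for `print`) restores the inherited contract. In `processInvocation`, `invokerFrames[0]` is indexed after the skip loop, and if every frame matched `SKIP_INVOKER_CLASS_NAMES` the array is empty — probably unreachable in practice, but a guard returning `REJECT` would be cheap. Since `afterPropertiesSet` installs this stream as `System.out`/`System.err`, the `new Throwable().getStackTrace()` in `processInvocation` runs for every print on those streams, not only SSL debug output; worth a comment on the cost, and `charset` is injected by Spring so constructing the stream outside the container leaves the `ACCEPT` decode path with a null charset.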
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/SslHelloEventImpl.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,28 @@
+package gov.hhs.onc.phiz.crypto.logging.impl;
+
+import gov.hhs.onc.phiz.crypto.logging.SslHelloEvent;
+
+public class SslHelloEventImpl extends AbstractSslEvent implements
SslHelloEvent {
+ private String[] cipherSuites;
+ private String protocol;
+
+ @Override
+ public String[] getCipherSuites() {
+ return this.cipherSuites;
+ }
+
+ @Override
+ public void setCipherSuites(String[] cipherSuites) {
+ this.cipherSuites = cipherSuites;
+ }
+
+ @Override
+ public String getProtocol() {
+ return this.protocol;
+ }
+
+ @Override
+ public void setProtocol(String protocol) {
+ this.protocol = protocol;
+ }
+}
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/SslHelloEventProcessorImpl.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,117 @@
+package gov.hhs.onc.phiz.crypto.logging.impl;
+
+import ch.qos.logback.classic.Level;
+import gov.hhs.onc.phiz.crypto.logging.SslHelloEvent;
+import gov.hhs.onc.phiz.crypto.logging.SslHelloEventProcessor;
+import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
+import java.util.Map;
+import java.util.function.Function;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+@Component("sslEventProcHelloImpl")
+@Order(Ordered.HIGHEST_PRECEDENCE)
+public class SslHelloEventProcessorImpl extends
AbstractSslEventProcessor<SslHelloEvent> implements SslHelloEventProcessor {
+ private final static String HANDSHAKE_MSG_CLASS_NAME_PREFIX =
SslDebugPrintStream.SUN_SEC_SSL_PKG_NAME_PREFIX + "HandshakeMessage$";
+
+ private final static String HELLO_CLASS_NAME_SUFFIX = "Hello";
+
+ private final static Map<String, PhizSslLocation> LOC_MAP =
Stream.of(PhizSslLocation.values()).collect(
+ Collectors.toMap(loc -> (HANDSHAKE_MSG_CLASS_NAME_PREFIX +
StringUtils.capitalize(loc.getId()) + HELLO_CLASS_NAME_SUFFIX),
+ Function.<PhizSslLocation> identity()));
+
+ private final static String CIPHER_SUITE_DELIM = ", ";
+
+ private final static String CIPHER_SUITES_PATTERN = "([\\w" +
CIPHER_SUITE_DELIM + "]+)";
+
+ private final static String PROTOCOL_LINE_PATTERN_PREFIX = "^";
+ private final static String CIPHER_SUITES_LINE_PATTERN_PREFIX
= "^Cipher Suite";
+
+ private final static String PROTOCOL_LINE_PATTERN_SUFFIX =
HELLO_CLASS_NAME_SUFFIX + ", ([^$]+)$";
+ private final static String CLIENT_CIPHER_SUITES_LINE_PATTERN_SUFFIX
= "s: \\[" + CIPHER_SUITES_PATTERN + "\\]$";
+ private final static String SERVER_CIPHER_SUITES_LINE_PATTERN_SUFFIX
= ": " + CIPHER_SUITES_PATTERN + "$";
+
+ private final static Map<PhizSslLocation, Pattern>
PROTOCOL_LINE_PATTERN_MAP = Stream.of(PhizSslLocation.values()).collect(
+ Collectors.toMap(Function.<PhizSslLocation> identity(),
+ loc -> Pattern.compile((PROTOCOL_LINE_PATTERN_PREFIX +
StringUtils.capitalize(loc.getId()) + PROTOCOL_LINE_PATTERN_SUFFIX))));
+
+ private final static Map<PhizSslLocation, Pattern>
CIPHER_SUITES_LINE_PATTERN_MAP =
Stream.of(PhizSslLocation.values()).collect(
+ Collectors.toMap(Function.<PhizSslLocation> identity(), loc ->
Pattern.compile((CIPHER_SUITES_LINE_PATTERN_PREFIX + ((loc ==
PhizSslLocation.CLIENT)
+ ? CLIENT_CIPHER_SUITES_LINE_PATTERN_SUFFIX :
SERVER_CIPHER_SUITES_LINE_PATTERN_SUFFIX)))));
+
+ public SslHelloEventProcessorImpl() {
+ super(SslHelloEventImpl::new, "handshake");
+ }
+
+ @Override
+ public synchronized void processEvent(StackTraceElement[] frames,
String msg) {
+ String callerClassName = frames[0].getClassName();
+ PhizSslLocation loc =
LOC_MAP.keySet().stream().filter(callerClassName::startsWith).findFirst().map(LOC_MAP::get).orElse(null);
+ SslHelloEvent event = this.threadEvent.get();
+
+ if (event.getLocation() == null) {
+ Matcher protocolLineMatcher =
PROTOCOL_LINE_PATTERN_MAP.get(loc).matcher(msg);
+
+ if (!protocolLineMatcher.matches()) {
+ this.threadEvent.remove();
+
+ return;
+ }
+
+ event.setLocation(loc);
+ event.setProtocol(protocolLineMatcher.group(1));
+ } else {
+ Matcher cipherSuitesMatcher =
CIPHER_SUITES_LINE_PATTERN_MAP.get(loc).matcher(msg);
+
+ if (!cipherSuitesMatcher.matches()) {
+ return;
+ }
+
+ String[] cipherSuites =
StringUtils.splitByWholeSeparator(cipherSuitesMatcher.group(1),
CIPHER_SUITE_DELIM);
+ event.setCipherSuites(cipherSuites);
+
+ this.dispatchEvent(frames, Level.DEBUG,
+ String.format("SSL %s HELLO (protocol=%s,
cipherSuites=[%s]).", loc.getId(), event.getProtocol(),
StringUtils.join(cipherSuites, ", ")), event);
+ }
+ }
+
+ @Override
+ public boolean canProcessEvent(StackTraceElement[] frames) {
+ if (!super.canProcessEvent(frames)) {
+ return false;
+ }
+
+ String callerClassName = frames[0].getClassName();
+
+ return
LOC_MAP.keySet().stream().anyMatch(callerClassName::startsWith);
+ }
+
+ // @formatter:off
+ /*
+ TRACE - ClientHello, TLSv1.2
+ TRACE - RandomCookie: Session ID: {}
+ TRACE - Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
+ TRACE - Compression Methods: { 0 }
+ TRACE - ClientHello, TLSv1.2
+ TRACE - RandomCookie: Session ID: {}
+ TRACE - Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
+ TRACE - Compression Methods: { 0 }
+ TRACE - ServerHello, TLSv1.2
+ TRACE - RandomCookie: Session ID: {85, 8, 158, 71, 7, 108, 253, 222,
56, 71, 34, 74, 13, 81, 194, 249, 46, 177, 144, 178, 235, 196, 172, 15, 51,
90, 32, 103, 226, 42, 19, 225}
+ TRACE - Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ TRACE - Compression Method: 0
+ TRACE - ServerHelloDone
+ TRACE - ServerHello, TLSv1.2
+ TRACE - RandomCookie: Session ID: {85, 8, 158, 71, 7, 108, 253, 222,
56, 71, 34, 74, 13, 81, 194, 249, 46, 177, 144, 178, 235, 196, 172, 15, 51,
90, 32, 103, 226, 42, 19, 225}
+ TRACE - Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ TRACE - Compression Method: 0
+ TRACE - ServerHelloDone
+ */
+ // @formatter:on
+}
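Review bot: In `processEvent`, once a protocol line has called `event.setLocation(loc)`, every later line on the thread is matched against the cipher-suites pattern for the current caller's `loc`, which is never compared with `event.getLocation()`; a second protocol line arriving before the cipher-suites line is silently ignored in the else branch, so the pending event can be dispatched with the older protocol or a mismatched location — inferred from the visible flow, worth confirming against the trace in the comment block. Resetting when the location changes, e.g. `if ((event.getLocation() != null) && (event.getLocation() != loc)) { this.threadEvent.remove(); event = this.threadEvent.get(); }` before the `if (event.getLocation() == null)` test, would start a fresh event instead. `loc` is null when `frames[0]` matches no `LOC_MAP` key; the `canProcessEvent` guard prevents that on the print-stream path, but `processEvent` is public and `PROTOCOL_LINE_PATTERN_MAP.get(null).matcher(msg)` then throws `NullPointerException`. The `synchronized` on `processEvent` looks unnecessary, since all mutable state is per-thread in `threadEvent` and the pattern maps are built once and never modified.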
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/PhizSslManagerBean.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,13 @@
+package gov.hhs.onc.phiz.crypto.ssl;
+
+import gov.hhs.onc.phiz.crypto.PhizCryptoServiceBean;
+import java.security.KeyStore;
+import org.springframework.beans.factory.InitializingBean;
+
+public interface PhizSslManagerBean<T> extends InitializingBean,
PhizCryptoServiceBean {
+ public T getBuilderParameters();
+
+ public KeyStore getKeyStore();
+
+ public void setKeyStore(KeyStore keyStore);
+}
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/revocation/OcspContentTypes.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,16 @@
+package gov.hhs.onc.phiz.crypto.ssl.revocation;
+
+import org.springframework.util.MimeType;
+
+public final class OcspContentTypes {
+ public final static String OCSP_REQ_TYPE = "application";
+ public final static String OCSP_REQ_SUBTYPE = "ocsp-request";
+ public final static MimeType OCSP_REQ = new MimeType(OCSP_REQ_TYPE,
OCSP_REQ_SUBTYPE);
+
+ public final static String OCSP_RESP_TYPE = "application";
+ public final static String OCSP_RESP_SUBTYPE = "ocsp-response";
+ public final static MimeType OCSP_RESP = new MimeType(OCSP_RESP_TYPE,
OCSP_RESP_SUBTYPE);
+
+ private OcspContentTypes() {
+ }
+}
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/revocation/OcspOids.java
Wed Mar 18 02:04:22 2015 UTC
@@ -0,0 +1,13 @@
+package gov.hhs.onc.phiz.crypto.ssl.revocation;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
+
+public final class OcspOids {
+ public final static ASN1ObjectIdentifier ID_PKIX_OCSP_PREF_SIG_ALGS =
OCSPObjectIdentifiers.id_pkix_ocsp.branch(Integer.toString(8));
+
+ public final static ASN1ObjectIdentifier ID_PKIX_OCSP_EXTENDED_REVOKE
= OCSPObjectIdentifiers.id_pkix_ocsp.branch(Integer.toString(9));
+
+ private OcspOids() {
+ }
+}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/PhizCryptoContentTypes.java
Sat Mar 7 13:04:18 2015 UTC
+++ /dev/null
@@ -1,16 +0,0 @@
-package gov.hhs.onc.phiz.crypto;
-
-import org.springframework.util.MimeType;
-
-public final class PhizCryptoContentTypes {
- public final static String OCSP_REQ_TYPE = "application";
- public final static String OCSP_REQ_SUBTYPE = "ocsp-request";
- public final static MimeType OCSP_REQ = new MimeType(OCSP_REQ_TYPE,
OCSP_REQ_SUBTYPE);
-
- public final static String OCSP_RESP_TYPE = "application";
- public final static String OCSP_RESP_SUBTYPE = "ocsp-response";
- public final static MimeType OCSP_RESP = new MimeType(OCSP_RESP_TYPE,
OCSP_RESP_SUBTYPE);
-
- private PhizCryptoContentTypes() {
- }
-}
=======================================
--- /phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/PhizCryptoOids.java
Sat Mar 7 13:04:18 2015 UTC
+++ /dev/null
@@ -1,13 +0,0 @@
-package gov.hhs.onc.phiz.crypto;
-
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
-
-public final class PhizCryptoOids {
- public final static ASN1ObjectIdentifier ID_PKIX_OCSP_PREF_SIG_ALGS =
OCSPObjectIdentifiers.id_pkix_ocsp.branch(Integer.toString(8));
-
- public final static ASN1ObjectIdentifier ID_PKIX_OCSP_EXTENDED_REVOKE
= OCSPObjectIdentifiers.id_pkix_ocsp.branch(Integer.toString(9));
-
- private PhizCryptoOids() {
- }
-}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/CertificateJsonSerializer.java
Sat Mar 7 13:04:18 2015 UTC
+++ /dev/null
@@ -1,118 +0,0 @@
-package gov.hhs.onc.phiz.crypto.logging.impl;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import gov.hhs.onc.phiz.logging.logstash.impl.AbstractPhizJsonSerializer;
-import java.security.cert.X509Certificate;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-import org.apache.commons.codec.binary.Hex;
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x500.style.BCStyle;
-import org.bouncycastle.asn1.x500.style.IETFUtils;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.asn1.x509.Extensions;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
-import org.springframework.stereotype.Component;
-
-@Component("jsonSerializerCert")
-public class CertificateJsonSerializer extends
AbstractPhizJsonSerializer<X509Certificate> {
- private final static String ALT_NAMES_FIELD_NAME_SUFFIX = "_alt_names";
-
- private final static String ENCODED_FIELD_NAME = "encoded";
- private final static String OID_FIELD_NAME = "oid";
-
- private final static String VERSION_FIELD_NAME = "version";
- private final static String SUBJECT_FIELD_NAME = "subject";
- private final static String SUBJECT_ALT_NAMES_FIELD_NAME =
SUBJECT_FIELD_NAME + ALT_NAMES_FIELD_NAME_SUFFIX;
- private final static String ISSUER_FIELD_NAME = "issuer";
- private final static String ISSUER_ALT_NAMES_FIELD_NAME =
ISSUER_FIELD_NAME + ALT_NAMES_FIELD_NAME_SUFFIX;
- private final static String SERIAL_NUM_FIELD_NAME = "serial_number";
- private final static String KEY_USAGES_FIELD_NAME = "key_usages";
- private final static String EXT_KEY_USAGES_FIELD_NAME = "extended_" +
KEY_USAGES_FIELD_NAME;
-
- private final static String VALID_FIELD_NAME = "valid";
- private final static String VALID_FROM_FIELD_NAME = "from";
- private final static String VALID_TO_FIELD_NAME = "to";
-
- private final static String SIG_FIELD_NAME = "signature";
- private final static String SIG_ALG_FIELD_NAME = "algorithm";
-
- private final static String EXTS_FIELD_NAME = "extensions";
-
- private final static String EXT_CRITICAL_FIELD_NAME = "critical";
-
- private final static long serialVersionUID = 0L;
-
- public CertificateJsonSerializer() {
- super(X509Certificate.class);
- }
-
- @Override
- protected void serializeFields(X509Certificate cert, JsonGenerator
jsonGen, SerializerProvider serializerProv) throws Exception {
- Extensions certExts = new
JcaX509CertificateHolder(cert).getExtensions();
- Set<ASN1ObjectIdentifier> certExtOids =
Stream.of(certExts.getExtensionOIDs()).collect(Collectors.toCollection(LinkedHashSet::new));
-
- jsonGen.writeObjectField(VERSION_FIELD_NAME, cert.getVersion());
-
- serializeDnField(jsonGen, SUBJECT_FIELD_NAME, new
X500Name(cert.getSubjectX500Principal().getName()));
-
- if (certExtOids.contains(Extension.subjectAlternativeName)) {
- //jsonGen.writeObjectField(SUBJECT_ALT_NAMES_FIELD_NAME,
cert.getSubjectAlternativeNames());
- }
-
- serializeDnField(jsonGen, ISSUER_FIELD_NAME, new
X500Name(cert.getIssuerX500Principal().getName()));
-
- jsonGen.writeObjectField(SERIAL_NUM_FIELD_NAME,
cert.getSerialNumber());
-
- jsonGen.writeObjectFieldStart(VALID_FIELD_NAME);
- jsonGen.writeObjectField(VALID_FROM_FIELD_NAME,
cert.getNotBefore());
- jsonGen.writeObjectField(VALID_TO_FIELD_NAME, cert.getNotAfter());
- jsonGen.writeEndObject();
-
- jsonGen.writeObjectFieldStart(SIG_FIELD_NAME);
- jsonGen.writeObjectField(SIG_ALG_FIELD_NAME, cert.getSigAlgName());
- jsonGen.writeObjectField(OID_FIELD_NAME, cert.getSigAlgOID());
- jsonGen.writeObjectField(ENCODED_FIELD_NAME,
Hex.encodeHexString(cert.getSignature()));
- jsonGen.writeEndObject();
-
- jsonGen.writeArrayFieldStart(EXTS_FIELD_NAME);
-
- Extension certExt;
-
- for (ASN1ObjectIdentifier certExtOid : certExtOids) {
- jsonGen.writeStartObject();
- jsonGen.writeObjectField(OID_FIELD_NAME, certExtOid.getId());
- jsonGen.writeObjectField(EXT_CRITICAL_FIELD_NAME, (certExt =
certExts.getExtension(certExtOid)).isCritical());
- jsonGen.writeObjectField(ENCODED_FIELD_NAME,
Hex.encodeHexString(certExt.getEncoded()));
- jsonGen.writeEndObject();
- }
-
- jsonGen.writeEndArray();
- }
-
- private static void serializeDnField(JsonGenerator jsonGen, String
dnFieldName, X500Name dn) throws Exception {
- jsonGen.writeObjectFieldStart(dnFieldName);
-
- Map<String, List<AttributeTypeAndValue>> rdnAttrMap =
Stream.of(dn.getRDNs()).flatMap(rdn -> Stream.of(rdn.getTypesAndValues()))
- .collect(Collectors.groupingBy((AttributeTypeAndValue rdnAttr)
-> BCStyle.INSTANCE.oidToDisplayName(rdnAttr.getType())));
-
- for (String rdnAttrName : rdnAttrMap.keySet()) {
- jsonGen.writeArrayFieldStart(rdnAttrName);
-
- for (AttributeTypeAndValue rdnAttr :
rdnAttrMap.get(rdnAttrName)) {
-
jsonGen.writeString(IETFUtils.valueToString(rdnAttr.getValue()));
- }
-
- jsonGen.writeEndArray();
- }
-
- jsonGen.writeEndObject();
- }
-}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/PhizSslDebugConfiguration.java
Sat Mar 7 13:04:18 2015 UTC
+++ /dev/null
@@ -1,127 +0,0 @@
-package gov.hhs.onc.phiz.crypto.logging.impl;
-
-import ch.qos.logback.classic.Level;
-import ch.qos.logback.classic.Logger;
-import ch.qos.logback.classic.spi.LoggingEvent;
-import gov.hhs.onc.phiz.aop.utils.PhizProxyUtils;
-import gov.hhs.onc.phiz.aop.utils.PhizProxyUtils.PhizMethodAdvisor;
-import gov.hhs.onc.phiz.aop.utils.PhizProxyUtils.PhizMethodInterceptor;
-import gov.hhs.onc.phiz.logging.logstash.PhizLogstashTags;
-import gov.hhs.onc.phiz.logging.logstash.impl.PhizLogstashMarkers;
-import java.io.PrintStream;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
-import java.util.function.Consumer;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-import org.apache.commons.lang3.ArrayUtils;
-import org.apache.commons.lang3.ClassUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.DisposableBean;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration("sslDebugConfiguration")
-public class PhizSslDebugConfiguration implements DisposableBean {
- private final static String SUN_SEC_PKG_NAME_PREFIX =
StringUtils.join(ArrayUtils.toArray("sun", "security", "ssl",
StringUtils.EMPTY),
- ClassUtils.PACKAGE_SEPARATOR);
-
- private final static String HANDSHAKE_MSG_INNER_CLASS_NAME_PREFIX =
SUN_SEC_PKG_NAME_PREFIX + "HandshakeMessage$";
- private final static String ENHANCED_PRINT_STREAM_CLASS_NAME_PREFIX =
PhizProxyUtils.ENHANCER_CLASS_NAME_PREFIX + PrintStream.class.getName()
- + PhizProxyUtils.ENHANCER_CLASS_NAME_SUFFIX;
-
- private final static String DEBUG_CLASS_NAME = SUN_SEC_PKG_NAME_PREFIX
+ "Debug";
- private final static String
HANDSHAKE_MSG_CLIENT_HELLO_INNER_CLASS_NAME =
HANDSHAKE_MSG_INNER_CLASS_NAME_PREFIX + "ClientHello";
- private final static String
HANDSHAKE_MSG_SERVER_HELLO_INNER_CLASS_NAME =
HANDSHAKE_MSG_INNER_CLASS_NAME_PREFIX + "ServerHello";
-
- private final static Set<String> HANDSHAKE_CLASS_NAMES = Stream
- .of(HANDSHAKE_MSG_CLIENT_HELLO_INNER_CLASS_NAME,
HANDSHAKE_MSG_SERVER_HELLO_INNER_CLASS_NAME).collect(Collectors.toSet());
-
- private final static String PRINT_METHOD_NAME = "print";
- private final static String PRINTLN_METHOD_NAME = "println";
-
- private final static int THREAD_PRINT_STR_BUILDER_INITIAL_CAPACITY =
64;
- private final static ThreadLocal<StringBuilder>
THREAD_PRINT_STR_BUILDER = ThreadLocal.withInitial(() -> new StringBuilder(
- THREAD_PRINT_STR_BUILDER_INITIAL_CAPACITY));
-
- private final static Map<PrintStream, Consumer<PrintStream>>
DELEGATE_PRINT_STREAM_MAP = new HashMap<>(2);
-
- private final static Logger LOGGER = ((Logger)
LoggerFactory.getLogger(PhizSslDebugConfiguration.class));
-
- private final static PhizMethodAdvisor PRINT_STREAM_METHODS_ADVISOR =
new PhizMethodAdvisor(((PhizMethodInterceptor) (invocation, method,
methodName, args,
- target) -> {
- StackTraceElement[] stackTraceElems = new
Throwable().getStackTrace();
- int numStackTraceElems = stackTraceElems.length;
- StackTraceElement stackTraceElem;
-
- for (int a = 0; a < numStackTraceElems; a++) {
- if (StringUtils.startsWith((stackTraceElem =
stackTraceElems[a]).getClassName(), ENHANCED_PRINT_STREAM_CLASS_NAME_PREFIX)
- && stackTraceElem.getMethodName().equals(methodName)) {
- if
(!StringUtils.startsWith(stackTraceElems[++a].getClassName(),
SUN_SEC_PKG_NAME_PREFIX)) {
- break;
- }
-
- if (args.length != 1) {
- return null;
- }
-
- while
(stackTraceElems[a].getClassName().equals(DEBUG_CLASS_NAME)) {
- a++;
- }
-
- if
(!HANDSHAKE_CLASS_NAMES.contains(stackTraceElems[a].getClassName())) {
- return null;
- }
-
- StringBuilder printStrBuilder =
THREAD_PRINT_STR_BUILDER.get();
- printStrBuilder.append(args[0]);
-
- if (methodName.equals(PRINTLN_METHOD_NAME)) {
- String msg =
StringUtils.trim(StringUtils.strip(printStrBuilder.toString()));
-
- // noinspection ConstantConditions
- if (!msg.isEmpty()) {
- LoggingEvent srcEvent = new LoggingEvent(Logger.FQCN, LOGGER,
Level.TRACE, msg, null, null);
- srcEvent.setCallerData(ArrayUtils.subarray(stackTraceElems, a,
numStackTraceElems));
-
srcEvent.setMarker(PhizLogstashMarkers.append(PhizLogstashTags.SSL));
-
- LOGGER.callAppenders(srcEvent);
- }
-
- THREAD_PRINT_STR_BUILDER.remove();
- }
-
- return null;
-}
-}
-
-return invocation.proceed();
-}), PRINT_METHOD_NAME, PRINTLN_METHOD_NAME);
-
- @Bean(name = "sslDebugPrintStreamErr")
- public PrintStream getErrPrintStream() {
- return buildProxyPrintStream(System.err, System::setErr);
- }
-
- @Bean(name = "sslDebugPrintStreamOut")
- public PrintStream getOutPrintStream() {
- return buildProxyPrintStream(System.out, System::setOut);
- }
-
- @Override
- public synchronized void destroy() throws Exception {
- DELEGATE_PRINT_STREAM_MAP.forEach((delegatePrintStream,
delegateStreamSetter) -> delegateStreamSetter.accept(delegatePrintStream));
- }
-
- private synchronized static PrintStream
buildProxyPrintStream(PrintStream delegatePrintStream,
Consumer<PrintStream> delegateStreamSetter) {
- PrintStream proxyPrintStream =
PhizProxyUtils.buildProxyFactory(delegatePrintStream, PrintStream.class,
PRINT_STREAM_METHODS_ADVISOR).getProxy();
-
- DELEGATE_PRINT_STREAM_MAP.put(delegatePrintStream,
delegateStreamSetter);
-
- delegateStreamSetter.accept(proxyPrintStream);
-
- return proxyPrintStream;
- }
-}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizSslContextAwareFactoryBean.java
Sat Mar 7 13:04:18 2015 UTC
+++ /dev/null
@@ -1,19 +0,0 @@
-package gov.hhs.onc.phiz.crypto.ssl.impl;
-
-import javax.net.ssl.SSLContext;
-
-public abstract class AbstractPhizSslContextAwareFactoryBean<T> extends
AbstractPhizSslParametersAwareFactoryBean<T> {
- protected SSLContext sslContext;
-
- protected AbstractPhizSslContextAwareFactoryBean(Class<T> objClass) {
- super(objClass);
- }
-
- public SSLContext getSslContext() {
- return this.sslContext;
- }
-
- public void setSslContext(SSLContext sslContext) {
- this.sslContext = sslContext;
- }
-}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizSslManagerFactoryBean.java
Sat Feb 21 20:45:44 2015 UTC
+++ /dev/null
@@ -1,23 +0,0 @@
-package gov.hhs.onc.phiz.crypto.ssl.impl;
-
-import gov.hhs.onc.phiz.crypto.impl.AbstractPhizCryptoFactoryBean;
-import java.security.KeyStore;
-import javax.net.ssl.ManagerFactoryParameters;
-
-public abstract class AbstractPhizSslManagerFactoryBean<T, U extends
ManagerFactoryParameters> extends AbstractPhizCryptoFactoryBean<T> {
- protected KeyStore keyStore;
-
- protected AbstractPhizSslManagerFactoryBean(Class<T> objClass) {
- super(objClass);
- }
-
- protected abstract U buildFactoryParameters() throws Exception;
-
- public KeyStore getKeyStore() {
- return this.keyStore;
- }
-
- public void setKeyStore(KeyStore keyStore) {
- this.keyStore = keyStore;
- }
-}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizSslSocketFactoryFactoryBean.java
Sat Feb 21 20:45:44 2015 UTC
+++ /dev/null
@@ -1,17 +0,0 @@
-package gov.hhs.onc.phiz.crypto.ssl.impl;
-
-import java.io.Closeable;
-import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
-
-public abstract class AbstractPhizSslSocketFactoryFactoryBean<T, U extends
Closeable> extends AbstractPhizSslContextAwareFactoryBean<T> {
- protected AbstractPhizSslSocketFactoryFactoryBean(Class<T> objClass) {
- super(objClass);
- }
-
- @Override
- public T getObject() throws Exception {
- return this.objClass.cast(this.buildProxyFactory().getProxy());
- }
-
- protected abstract AspectJProxyFactory buildProxyFactory();
-}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizSslClientSocketFactoryFactoryBean.java
Sun Feb 22 22:41:41 2015 UTC
+++ /dev/null
@@ -1,26 +0,0 @@
-package gov.hhs.onc.phiz.crypto.ssl.impl;
-
-import gov.hhs.onc.phiz.aop.utils.PhizProxyUtils;
-import gov.hhs.onc.phiz.aop.utils.PhizProxyUtils.PhizMethodAdvisor;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
-import org.aopalliance.intercept.MethodInterceptor;
-import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
-
-public class PhizSslClientSocketFactoryFactoryBean extends
AbstractPhizSslSocketFactoryFactoryBean<SSLSocketFactory, SSLSocket> {
- private final static String CREATE_SOCKET_METHOD_NAME = "createSocket";
-
- public PhizSslClientSocketFactoryFactoryBean() {
- super(SSLSocketFactory.class);
- }
-
- @Override
- protected AspectJProxyFactory buildProxyFactory() {
- return
PhizProxyUtils.buildProxyFactory(this.sslContext.getSocketFactory(),
this.objClass, new PhizMethodAdvisor(((MethodInterceptor) invocation -> {
- SSLSocket socket = ((SSLSocket) invocation.proceed());
- socket.setSSLParameters(this.sslParams);
-
- return socket;
- }), CREATE_SOCKET_METHOD_NAME));
- }
-}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizSslServerSocketFactoryFactoryBean.java
Sun Feb 22 22:41:41 2015 UTC
+++ /dev/null
@@ -1,27 +0,0 @@
-package gov.hhs.onc.phiz.crypto.ssl.impl;
-
-import gov.hhs.onc.phiz.aop.utils.PhizProxyUtils;
-import gov.hhs.onc.phiz.aop.utils.PhizProxyUtils.PhizMethodAdvisor;
-import javax.net.ssl.SSLServerSocket;
-import javax.net.ssl.SSLServerSocketFactory;
-import org.aopalliance.intercept.MethodInterceptor;
-import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
-
-public class PhizSslServerSocketFactoryFactoryBean extends
AbstractPhizSslSocketFactoryFactoryBean<SSLServerSocketFactory,
SSLServerSocket> {
- private final static String CREATE_SERVER_SOCKET_METHOD_NAME
= "createServerSocket";
-
- public PhizSslServerSocketFactoryFactoryBean() {
- super(SSLServerSocketFactory.class);
- }
-
- @Override
- protected AspectJProxyFactory buildProxyFactory() {
- return
PhizProxyUtils.buildProxyFactory(this.sslContext.getServerSocketFactory(),
this.objClass, new PhizMethodAdvisor(
- ((MethodInterceptor) invocation -> {
- SSLServerSocket serverSocket = ((SSLServerSocket)
invocation.proceed());
- serverSocket.setSSLParameters(this.sslParams);
-
- return serverSocket;
- }), CREATE_SERVER_SOCKET_METHOD_NAME));
- }
-}
=======================================
--- /phiz-core/src/main/java/gov/hhs/onc/phiz/aop/utils/PhizProxyUtils.java
Sun Feb 22 22:41:41 2015 UTC
+++ /phiz-core/src/main/java/gov/hhs/onc/phiz/aop/utils/PhizProxyUtils.java
Wed Mar 18 02:04:22 2015 UTC
@@ -34,7 +34,7 @@
public static interface PhizMethodInterceptor extends
MethodInterceptor {
@Nullable
@Override
- default public Object invoke(MethodInvocation invocation) throws
Throwable {
+ public default Object invoke(MethodInvocation invocation) throws
Throwable {
Method method = invocation.getMethod();

return this.invoke(invocation, method, method.getName(),
invocation.getArguments(), invocation.getThis());
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/impl/AbstractPhizCryptoFactoryBean.java
Wed Feb 18 20:44:48 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/impl/AbstractPhizCryptoFactoryBean.java
Wed Mar 18 02:04:22 2015 UTC
@@ -1,9 +1,10 @@
package gov.hhs.onc.phiz.crypto.impl;

import gov.hhs.onc.phiz.beans.factory.impl.AbstractPhizFactoryBean;
+import gov.hhs.onc.phiz.crypto.PhizCryptoServiceBean;
import java.security.Provider;

-public abstract class AbstractPhizCryptoFactoryBean<T> extends
AbstractPhizFactoryBean<T> {
+public abstract class AbstractPhizCryptoFactoryBean<T> extends
AbstractPhizFactoryBean<T> implements PhizCryptoServiceBean {
protected Provider prov;
protected String type;

@@ -11,18 +12,22 @@
super(objClass);
}

+ @Override
public Provider getProvider() {
return this.prov;
}

+ @Override
public void setProvider(Provider prov) {
this.prov = prov;
}

+ @Override
public String getType() {
return this.type;
}

+ @Override
public void setType(String type) {
this.type = type;
}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslTrustEvent.java
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/SslTrustEvent.java
Wed Mar 18 02:04:22 2015 UTC
@@ -1,12 +1,11 @@
package gov.hhs.onc.phiz.crypto.logging;

import com.fasterxml.jackson.annotation.JsonProperty;
-import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
import gov.hhs.onc.phiz.logging.logstash.MarkerObjectFieldName;
import javax.annotation.Nullable;

@MarkerObjectFieldName("sslTrust")
-public interface SslTrustEvent {
+public interface SslTrustEvent extends SslEvent {
@JsonProperty
@Nullable
public String getAuthType();
@@ -18,9 +17,6 @@

public void setCertificates(String[] certs);

- @JsonProperty
- public PhizSslLocation getLocation();
-
@JsonProperty
@Nullable
public String[] getPathCertificates();
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/SslTrustEventImpl.java
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/logging/impl/SslTrustEventImpl.java
Wed Mar 18 02:04:22 2015 UTC
@@ -1,20 +1,14 @@
package gov.hhs.onc.phiz.crypto.logging.impl;

-import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
import gov.hhs.onc.phiz.crypto.logging.SslTrustEvent;
import javax.annotation.Nullable;

-public class SslTrustEventImpl implements SslTrustEvent {
- protected String authType;
- protected String[] certs;
- protected PhizSslLocation loc;
- protected String[] pathCerts;
- protected String trustAnchorCert;
- protected boolean trusted;
-
- public SslTrustEventImpl(PhizSslLocation loc) {
- this.loc = loc;
- }
+public class SslTrustEventImpl extends AbstractSslEvent implements
SslTrustEvent {
+ private String authType;
+ private String[] certs;
+ private String[] pathCerts;
+ private String trustAnchorCert;
+ private boolean trusted;

@Nullable
@Override
@@ -36,11 +30,6 @@
public void setCertificates(String[] certs) {
this.certs = certs;
}
-
- @Override
- public PhizSslLocation getLocation() {
- return this.loc;
- }

@Nullable
@Override
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizSslParametersAwareFactoryBean.java
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizSslParametersAwareFactoryBean.java
Wed Mar 18 02:04:22 2015 UTC
@@ -4,17 +4,17 @@
import javax.net.ssl.SSLParameters;

public abstract class AbstractPhizSslParametersAwareFactoryBean<T> extends
AbstractPhizCryptoFactoryBean<T> {
- protected SSLParameters sslParams;
+ protected SSLParameters params;

protected AbstractPhizSslParametersAwareFactoryBean(Class<T> objClass)
{
super(objClass);
}

- public SSLParameters getSslParameters() {
- return this.sslParams;
+ public SSLParameters getParameters() {
+ return this.params;
}

- public void setSslParameters(SSLParameters sslParams) {
- this.sslParams = sslParams;
+ public void setParameters(SSLParameters params) {
+ this.params = params;
}
}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizKeyManagerFactoryBean.java
Sat Feb 21 20:45:44 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizKeyManagerFactoryBean.java
Wed Mar 18 02:04:22 2015 UTC
@@ -1,29 +1,50 @@
package gov.hhs.onc.phiz.crypto.ssl.impl;

+import gov.hhs.onc.phiz.crypto.impl.AbstractPhizCryptoFactoryBean;
+import gov.hhs.onc.phiz.crypto.ssl.PhizSslManagerBean;
+import java.security.KeyStore;
import java.security.KeyStore.Builder;
import java.security.KeyStore.PasswordProtection;
-import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyStoreBuilderParameters;
+import javax.net.ssl.X509ExtendedKeyManager;

-public class PhizKeyManagerFactoryBean extends
AbstractPhizSslManagerFactoryBean<KeyManager, KeyStoreBuilderParameters> {
- protected String pass;
+public class PhizKeyManagerFactoryBean extends
AbstractPhizCryptoFactoryBean<X509ExtendedKeyManager> implements
PhizSslManagerBean<KeyStoreBuilderParameters> {
+ private KeyStoreBuilderParameters builderParams;
+ private KeyStore keyStore;
+ private String pass;

public PhizKeyManagerFactoryBean() {
- super(KeyManager.class);
+ super(X509ExtendedKeyManager.class);
}

@Override
- public KeyManager getObject() throws Exception {
+ public X509ExtendedKeyManager getObject() throws Exception {
KeyManagerFactory factory =
KeyManagerFactory.getInstance(this.type, this.prov);
- factory.init(this.buildFactoryParameters());
+ factory.init(this.builderParams);
+
+ return ((X509ExtendedKeyManager) factory.getKeyManagers()[0]);
+ }
+
+ @Override
+ public void afterPropertiesSet() throws Exception {
+ this.builderParams =
+ new
KeyStoreBuilderParameters(Builder.newInstance(this.keyStore, new
PasswordProtection(((this.pass != null) ? this.pass.toCharArray() :
null))));
+ }
+
+ @Override
+ public KeyStoreBuilderParameters getBuilderParameters() {
+ return this.builderParams;
+ }

- return factory.getKeyManagers()[0];
+ @Override
+ public KeyStore getKeyStore() {
+ return this.keyStore;
}

@Override
- protected KeyStoreBuilderParameters buildFactoryParameters() throws
Exception {
- return new
KeyStoreBuilderParameters(Builder.newInstance(this.keyStore, new
PasswordProtection(((this.pass != null) ? this.pass.toCharArray() :
null))));
+ public void setKeyStore(KeyStore keyStore) {
+ this.keyStore = keyStore;
}

public void setPassword(String pass) {
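Review bot: The cast `((X509ExtendedKeyManager) factory.getKeyManagers()[0])` in getObject() assumes the configured provider returns a non-empty array whose first element is an extended key manager; a provider-specific plain X509KeyManager or an empty array fails with a ClassCastException/ArrayIndexOutOfBoundsException that never names the factory type that was configured. A guarded lookup keeps the failure descriptive, e.g. `KeyManager[] keyManagers = factory.getKeyManagers();` then `if ((keyManagers.length == 0) || !(keyManagers[0] instanceof X509ExtendedKeyManager)) { throw new IllegalStateException("No X509ExtendedKeyManager available for key manager factory type: " + this.type); }` before the cast (re-adding the `javax.net.ssl.KeyManager` import this hunk removes). Separately, afterPropertiesSet() passes `this.keyStore` to `Builder.newInstance` unchecked, so a missing keyStore property surfaces as a JDK NullPointerException rather than a configuration error; `Objects.requireNonNull(this.keyStore, "keyStore");` at the top of afterPropertiesSet() would name the property. The class body continues past the end of the hunk.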
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizSslContextFactoryBean.java
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizSslContextFactoryBean.java
Wed Mar 18 02:04:22 2015 UTC
@@ -2,22 +2,48 @@

import gov.hhs.onc.phiz.aop.utils.PhizProxyUtils;
import gov.hhs.onc.phiz.aop.utils.PhizProxyUtils.PhizMethodAdvisor;
+import gov.hhs.onc.phiz.crypto.utils.PhizCertificateUtils;
+import gov.hhs.onc.phiz.logging.logstash.PhizLogstashTags;
+import gov.hhs.onc.phiz.logging.logstash.impl.PhizLogstashMarkers;
import java.security.SecureRandom;
import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.util.Date;
import java.util.stream.Stream;
+import javax.annotation.Resource;
+import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLContextSpi;
import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import org.aopalliance.intercept.MethodInterceptor;
+import org.apache.commons.codec.binary.Hex;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.time.FastDateFormat;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

public class PhizSslContextFactoryBean extends
AbstractPhizSslParametersAwareFactoryBean<SSLContext> {
private final static String SSL_CONTEXT_SERVICE_TYPE =
SSLContext.class.getSimpleName();

- private final static String BEGIN_HANDSHAKE_METHOD_NAME
= "beginHandshake";
private final static String ENGINE_CREATE_SSL_ENGINE_METHOD_NAME
= "engineCreateSSLEngine";
+ private final static String
ENGINE_GET_SERVER_SOCKET_FACTORY_METHOD_NAME
= "engineGetServerSocketFactory";
+ private final static String ENGINE_GET_SOCKET_FACTORY_METHOD_NAME
= "engineGetSocketFactory";
+
+ private final static String CREATE_SERVER_SOCKET_METHOD_NAME
= "createServerSocket";
+ private final static String CREATE_SOCKET_METHOD_NAME = "createSocket";
+
+ private final static String BEGIN_HANDSHAKE_METHOD_NAME
= "beginHandshake";
+
+ private final static Logger LOGGER =
LoggerFactory.getLogger(PhizSslContextFactoryBean.class);
+
+ @Resource(name = "dateFormatUtcDisplay")
+ private FastDateFormat displayDateFormat;

private KeyManager[] keyManagers;
private SecureRandom secureRandom;
@@ -34,34 +60,78 @@
.filter(service ->
(service.getType().equals(SSL_CONTEXT_SERVICE_TYPE) &&
service.getAlgorithm().equals(this.type))).findFirst().get()
.newInstance(null));

- return new SSLContext(PhizProxyUtils.buildProxyFactory(contextSpi,
SSLContextSpi.class,
- new PhizMethodAdvisor(((MethodInterceptor) contextInvocation
-> {
- SSLEngine engine = ((SSLEngine)
contextInvocation.proceed());
- engine.setSSLParameters(this.sslParams);
-
- return PhizProxyUtils.buildProxyFactory(engine,
SSLEngine.class, new PhizMethodAdvisor(((MethodInterceptor)
engineInvocation -> {
- SSLSession session = engine.getSession();
-
- if (session.isValid()) {
- session.invalidate();
- }
-
- engineInvocation.proceed();
-
- return null;
- }), BEGIN_HANDSHAKE_METHOD_NAME)).getProxy();
- }), ENGINE_CREATE_SSL_ENGINE_METHOD_NAME)).getProxy(),
this.prov, this.type) {
+ return new SSLContext(PhizProxyUtils.buildProxyFactory(
+ contextSpi,
+ SSLContextSpi.class,
+ new PhizMethodAdvisor(((MethodInterceptor) contextInvocation
-> this.buildEngine(((SSLEngine) contextInvocation.proceed()))),
+ ENGINE_CREATE_SSL_ENGINE_METHOD_NAME),
+ new PhizMethodAdvisor(
+ ((MethodInterceptor) contextInvocation ->
this.buildServerSocketFactory(((SSLServerSocketFactory)
contextInvocation.proceed()))),
+ ENGINE_GET_SERVER_SOCKET_FACTORY_METHOD_NAME),
+ new PhizMethodAdvisor(((MethodInterceptor) contextInvocation
-> this.buildSocketFactory(((SSLSocketFactory)
contextInvocation.proceed()))),
+ ENGINE_GET_SOCKET_FACTORY_METHOD_NAME)).getProxy(),
this.prov, this.type) {
{
this.init(PhizSslContextFactoryBean.this.keyManagers,
PhizSslContextFactoryBean.this.trustManagers,
PhizSslContextFactoryBean.this.secureRandom);
}
};
}
+
+ private SSLSocketFactory buildSocketFactory(SSLSocketFactory
socketFactory) {
+ return PhizProxyUtils.buildProxyFactory(socketFactory,
SSLSocketFactory.class, new PhizMethodAdvisor(((MethodInterceptor)
socketFactoryInvocation -> {
+ SSLSocket socket = ((SSLSocket)
socketFactoryInvocation.proceed());
+ socket.setSSLParameters(this.params);
+
+ return socket;
+ }), CREATE_SOCKET_METHOD_NAME)).getProxy();
+ }
+
+ private SSLServerSocketFactory
buildServerSocketFactory(SSLServerSocketFactory serverSocketFactory) {
+ return PhizProxyUtils.buildProxyFactory(serverSocketFactory,
SSLServerSocketFactory.class,
+ new PhizMethodAdvisor(((MethodInterceptor)
serverSocketFactoryInvocation -> {
+ SSLServerSocket serverSocket = ((SSLServerSocket)
serverSocketFactoryInvocation.proceed());
+ serverSocket.setSSLParameters(this.params);
+
+ return serverSocket;
+ }), CREATE_SERVER_SOCKET_METHOD_NAME)).getProxy();
+ }
+
+ private SSLEngine buildEngine(SSLEngine engine) {
+ engine.setSSLParameters(this.params);
+
+ return PhizProxyUtils
+ .buildProxyFactory(
+ engine,
+ SSLEngine.class,
+ new PhizMethodAdvisor(
+ ((MethodInterceptor) engineInvocation -> {
+ ExtendedSSLSession session = ((ExtendedSSLSession)
engine.getSession());
+
+ if (session.isValid()) {
+ session.invalidate();
+
+ LOGGER.debug(
+
PhizLogstashMarkers.append(PhizLogstashTags.SSL),
+ String
+ .format(
+ "Existing SSL session (id=%s,
creationTime=%s, lastAccessedTime=%s, peerHost=%s, peerPort=%d,
protocol=%s, cipherSuite=%s, localCertificateDnNames=[%s],
peerCertificateDnNames=[%s]) invalidated.",
+
Hex.encodeHexString(session.getId()), this.displayDateFormat.format(new
Date(session.getCreationTime())),
+ this.displayDateFormat.format(new
Date(session.getLastAccessedTime())), session.getPeerHost(),
session.getPeerPort(),
+ session.getProtocol(),
session.getCipherSuite(),
+
StringUtils.join(PhizCertificateUtils.buildSubjectDnNames(((X509Certificate[])
session.getLocalCertificates())), ", "),
+
StringUtils.join(PhizCertificateUtils.buildSubjectDnNames(((X509Certificate[])
session.getPeerCertificates())), ", ")));
+ }
+
+ engineInvocation.proceed();
+
+ return null;
+ }), BEGIN_HANDSHAKE_METHOD_NAME)).getProxy();
+ }

public KeyManager[] getKeyManagers() {
return this.keyManagers;
}

- public void setKeyManagers(KeyManager[] keyManagers) {
+ public void setKeyManagers(KeyManager ... keyManagers) {
this.keyManagers = keyManagers;
}

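Review bot: In buildEngine()'s beginHandshake interceptor, the LOGGER.debug call evaluates `session.getPeerCertificates()`, which throws SSLPeerUnverifiedException whenever the session being invalidated did not authenticate the peer (for example a server-side engine without client authentication), so a logging detail now escapes `beginHandshake()` as an exception; the code this hunk replaces invalidated silently and had no such failure mode. `session.getLocalCertificates()` can also return null, and whether PhizCertificateUtils.buildSubjectDnNames tolerates a null array is not visible here. Moving the certificate-name formatting into two small helpers that absorb both cases, as sketched below (SSLPeerUnverifiedException needs a `javax.net.ssl` import), keeps session invalidation independent of the log line. Invalidating on every beginHandshake also disables session resumption for this engine, which predates this change but deserves a comment stating why, since it is a deliberate departure from the default TLS behaviour.
```java
// … unchanged: setSSLParameters, proxy construction, session.isValid()/invalidate() …
// the last two String.format arguments of the LOGGER.debug call become:
certificateDnNames(((X509Certificate[]) session.getLocalCertificates())),
peerCertificateDnNames(session)));
// … unchanged: engineInvocation.proceed(), return null, BEGIN_HANDSHAKE_METHOD_NAME …

private static String certificateDnNames(X509Certificate[] certs) {
    // getLocalCertificates() returns null when no certificates were sent for the session
    return ((certs != null) ? StringUtils.join(PhizCertificateUtils.buildSubjectDnNames(certs), ", ") : StringUtils.EMPTY);
}

private static String peerCertificateDnNames(ExtendedSSLSession session) {
    try {
        return certificateDnNames(((X509Certificate[]) session.getPeerCertificates()));
    } catch (SSLPeerUnverifiedException e) {
        // the peer was not authenticated in the session being invalidated; nothing to log
        return StringUtils.EMPTY;
    }
}
```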
@@ -77,7 +147,7 @@
return this.trustManagers;
}

- public void setTrustManagers(TrustManager[] trustManagers) {
+ public void setTrustManagers(TrustManager ... trustManagers) {
this.trustManagers = trustManagers;
}
}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizTrustManager.java
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizTrustManager.java
Wed Mar 18 02:04:22 2015 UTC
@@ -2,8 +2,9 @@

import gov.hhs.onc.phiz.crypto.logging.SslTrustEvent;
import gov.hhs.onc.phiz.crypto.logging.impl.SslTrustEventImpl;
+import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
+import gov.hhs.onc.phiz.crypto.ssl.PhizSslManagerBean;
import gov.hhs.onc.phiz.crypto.ssl.revocation.impl.PhizRevocationChecker;
-import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
import gov.hhs.onc.phiz.crypto.utils.PhizCertificatePathUtils;
import gov.hhs.onc.phiz.crypto.utils.PhizCertificateUtils;
import gov.hhs.onc.phiz.logging.logstash.PhizLogstashTags;
@@ -37,9 +38,8 @@
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.BeanFactoryAware;
-import org.springframework.beans.factory.InitializingBean;

-public class PhizTrustManager extends X509ExtendedTrustManager implements
BeanFactoryAware, InitializingBean {
+public class PhizTrustManager extends X509ExtendedTrustManager implements
BeanFactoryAware, PhizSslManagerBean<ExtendedPKIXBuilderParameters> {
private final static Logger LOGGER =
LoggerFactory.getLogger(PhizTrustManager.class);

private BeanFactory beanFactory;
@@ -97,9 +97,11 @@

private <T> void checkTrusted(PhizSslLocation loc, X509Certificate[]
certs, String authType, @Nullable T component,
@Nullable Function<T, Boolean> componentAvailableMapper, @Nullable
Function<T, SSLSession> handshakeSessionMapper) throws CertificateException
{
- SslTrustEvent event = new SslTrustEventImpl(loc);
String certSubjectDnNamesStr = null, certIssuerDnNamesStr = null,
certSerialNumsStr = null;

+ SslTrustEvent event = new SslTrustEventImpl();
+ event.setLocation(loc);
+
try {
event.setAuthType(authType);

@@ -161,7 +163,7 @@
event.setTrusted(true);

LOGGER
- .debug(
+ .info(
PhizLogstashMarkers.append(PhizLogstashTags.SSL,
event),
String
.format(
@@ -190,6 +192,11 @@
public void setBeanFactory(BeanFactory beanFactory) throws
BeansException {
this.beanFactory = beanFactory;
}
+
+ @Override
+ public ExtendedPKIXBuilderParameters getBuilderParameters() {
+ return this.builderParams;
+ }

@Nullable
public List<PKIXCertPathChecker> getCertificatePathCheckers() {
@@ -208,18 +215,22 @@
this.certSelector = certSelector;
}

+ @Override
public KeyStore getKeyStore() {
return this.keyStore;
}

+ @Override
public void setKeyStore(KeyStore keyStore) {
this.keyStore = keyStore;
}

+ @Override
public Provider getProvider() {
return this.prov;
}

+ @Override
public void setProvider(Provider prov) {
this.prov = prov;
}
@@ -232,10 +243,12 @@
this.revocationCheckerBeanName = revocationCheckerBeanName;
}

+ @Override
public String getType() {
return this.type;
}

+ @Override
public void setType(String type) {
this.type = type;
}
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/revocation/impl/PhizRevocationChecker.java
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/revocation/impl/PhizRevocationChecker.java
Wed Mar 18 02:04:22 2015 UTC
@@ -1,10 +1,10 @@
package gov.hhs.onc.phiz.crypto.ssl.revocation.impl;

import com.github.sebhoss.warnings.CompilerWarnings;
-import gov.hhs.onc.phiz.crypto.PhizCryptoContentTypes;
-import gov.hhs.onc.phiz.crypto.PhizCryptoOids;
import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspCertificateStatusType;
+import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspContentTypes;
+import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspOids;
import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspResponseStatusType;
import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspRevokeReasonType;
import gov.hhs.onc.phiz.crypto.utils.PhizCryptoUtils;
@@ -126,8 +126,8 @@
private Extension[] baseOcspReqExts;

static {
- BASE_OCSP_REQ_HEADERS.put(HttpHeaders.ACCEPT,
PhizCryptoContentTypes.OCSP_RESP.toString());
- BASE_OCSP_REQ_HEADERS.put(HttpHeaders.CONTENT_TYPE,
PhizCryptoContentTypes.OCSP_REQ.toString());
+ BASE_OCSP_REQ_HEADERS.put(HttpHeaders.ACCEPT,
OcspContentTypes.OCSP_RESP.toString());
+ BASE_OCSP_REQ_HEADERS.put(HttpHeaders.CONTENT_TYPE,
OcspContentTypes.OCSP_REQ.toString());
}

public PhizRevocationChecker(PhizSslLocation loc, X509Certificate
issuerCert) {
@@ -159,7 +159,7 @@
ASN1EncodableVector preferredSigAlgsVector = new
ASN1EncodableVector();
this.preferredSigAlgIds.forEach(preferredSigAlgId ->
preferredSigAlgsVector.add(new DERSequence(preferredSigAlgId)));
Extension preferredSigAlgsOcspReqExt =
- new Extension(PhizCryptoOids.ID_PKIX_OCSP_PREF_SIG_ALGS,
false, new DEROctetString(new DERSequence(preferredSigAlgsVector)));
+ new Extension(OcspOids.ID_PKIX_OCSP_PREF_SIG_ALGS, false, new
DEROctetString(new DERSequence(preferredSigAlgsVector)));

this.baseOcspReqExts = ArrayUtils.toArray(respTypeOcspReqExt,
preferredSigAlgsOcspReqExt);
}
@@ -225,7 +225,7 @@
throw buildException(String.format("SSL %s certificate
(subjectDnName=%s, issuerDnName=%s, serialNum=%d) does not specify an OCSP
URL.",
this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum));
} else {
- LOGGER.debug(String.format("Skipping SSL %s certificate
(subjectDnName=%s, issuerDnName=%s, serialNum=%d) revocation checking.",
+ LOGGER.info(String.format("Skipping SSL %s certificate
(subjectDnName=%s, issuerDnName=%s, serialNum=%d) revocation checking.",
this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum));

return;
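Review bot: The skip message raised to info in the `else` branch still has no `PhizLogstashMarkers.append(PhizLogstashTags.SSL)` marker, whereas the good-status log added in the `case GOOD:` hunk of this file does, so a certificate accepted with no revocation check at all never reaches the tagged SSL log stream that the successful outcomes do. That is the single outcome a monitoring rule most needs to see. Suggest `LOGGER.info(PhizLogstashMarkers.append(PhizLogstashTags.SSL), String.format("Skipping SSL %s certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) revocation checking.", this.loc.getId(), certSubjectDnNameStr, certIssuerDnNameStr, certSerialNum));`. The enclosing method starts and ends outside this hunk.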
@@ -292,13 +292,14 @@
certSubjectDnNameStr, certIssuerDnNameStr, certSerialNum,
ocspResponderUrl), e);
}

+ String ocspRespProducedAtTimeStr =
this.displayDateFormat.format(ocspResp.getProducedAt());
Extension nonceOcspRespExt =
ocspResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);

if (nonceOcspRespExt == null) {
throw buildException(String
.format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response does not
contain a nonce extension (oid=%s).",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) does not contain a nonce extension (oid=%s).",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId()));
}

@@ -307,8 +308,8 @@
if (!Arrays.equals(nonceOcspReqExtContent,
nonceOcspRespExtContent)) {
throw buildException(String
.format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response nonce
extension (oid=%s) value does not match (%s).",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) nonce extension (oid=%s) value does not match (%s).",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId(),
Hex.encodeHexString(nonceOcspRespExtContent)));
}

@@ -324,22 +325,23 @@
}
} catch (OCSPException e) {
throw buildException(
- String
- .format(
- "Unable to match SSL %s certificate
(subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP responder (url=%s)
response certificate (serialNum=%d) response.",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
- availableOcspCertRespId.getSerialNumber()),
- e);
+ String.format(
+ "Unable to match SSL %s certificate
(subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP responder (url=%s)
response (producedAt=%s) certificate (serialNum=%d) status.",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
+ availableOcspCertRespId.getSerialNumber()), e);
}
}

if (ocspCertResp == null) {
throw buildException(String
.format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response does not
contain matching certificate response.",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl));
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) does not contain matching certificate status.",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr));
}

+ Date ocspCertRespNextUpdateTime = ocspCertResp.getNextUpdate();
+ String ocspCertRespThisUpdateTimeStr =
this.displayDateFormat.format(ocspCertResp.getThisUpdate()),
ocspCertRespNextUpdateTimeStr =
+ ((ocspCertRespNextUpdateTime != null) ?
this.displayDateFormat.format(ocspCertRespNextUpdateTime) : null);
CertificateStatus ocspCertRespStatusObj =
ocspCertResp.getCertStatus();
OcspCertificateStatusType ocspCertRespStatus =
PhizCryptoUtils.findByType(OcspCertificateStatusType.class,
((ocspCertRespStatusObj != null)
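Review bot: `ocspCertRespNextUpdateTime` and the thisUpdate value are extracted only to be formatted into messages; nothing compares them with the current time, so a responder returning status data whose `nextUpdate` has already lapsed is still reported as good in the `case GOOD:` branch of the following hunk. The nonce comparison earlier in the method binds the response to this request, but it says nothing about how stale the underlying status information is. A guard placed before the status switch, `if ((ocspCertRespNextUpdateTime != null) && ocspCertRespNextUpdateTime.before(new Date())) { throw buildException(String.format("SSL %s certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response certificate status (nextUpdate=%s) has expired.", this.loc.getId(), certSubjectDnNameStr, certIssuerDnNameStr, certSerialNum, ocspResponderUrl, ocspCertRespNextUpdateTimeStr)); }`, would fail closed the way the UNKNOWN case already does. The method starts and ends outside this hunk.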
@@ -348,9 +350,14 @@
// noinspection ConstantConditions
switch (ocspCertRespStatus) {
case GOOD:
-
LOGGER.debug(PhizLogstashMarkers.append(PhizLogstashTags.SSL),
String.format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response certificate
response (status=%s).",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspCertRespStatus.name()));
+ LOGGER
+ .info(
+ PhizLogstashMarkers.append(PhizLogstashTags.SSL),
+ String
+ .format(
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) certificate status (thisUpdate=%s, nextUpdate=%s) is good.",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
+ ocspCertRespThisUpdateTimeStr,
ocspCertRespNextUpdateTimeStr));
break;

case REVOKED:
@@ -364,16 +371,18 @@
// noinspection ConstantConditions
throw buildException(
String.format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response certificate
response (status=%s, time=%s, reason=%s).",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspCertRespStatus.name(),
-
this.displayDateFormat.format(ocspCertRespRevokeTime),
ocspCertRespRevokeReason.name()), new CertificateRevokedException(
- ocspCertRespRevokeTime,
ocspCertRespRevokeReason.getReason(),
this.issuerCert.getSubjectX500Principal(),
- mapOcspResponseExtensions(ocspResp)));
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) certificate status (thisUpdate=%s, nextUpdate=%s) is
revoked (time=%s, reason=%s).",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
+ ocspCertRespThisUpdateTimeStr,
ocspCertRespNextUpdateTimeStr,
this.displayDateFormat.format(ocspCertRespRevokeTime),
+ ocspCertRespRevokeReason.name()), new
CertificateRevokedException(ocspCertRespRevokeTime,
ocspCertRespRevokeReason.getReason(),
+ this.issuerCert.getSubjectX500Principal(),
mapOcspResponseExtensions(ocspResp)));

case UNKNOWN:
- throw buildException(String.format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response certificate
response (status=%s).",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspCertRespStatus.name()));
+ throw buildException(String
+ .format(
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) certificate status (thisUpdate=%s, nextUpdate=%s) is
unknown.",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
+ ocspCertRespThisUpdateTimeStr,
ocspCertRespNextUpdateTimeStr));
}
}

@@ -409,7 +418,7 @@

String ocspRespContentType = ocspResponderConn.getContentType();

- if ((ocspRespContentType == null) |
| !MimeType.valueOf(ocspRespContentType).equals(PhizCryptoContentTypes.OCSP_RESP))
{
+ if ((ocspRespContentType == null) |
| !MimeType.valueOf(ocspRespContentType).equals(OcspContentTypes.OCSP_RESP))
{
throw new IOException(String.format("Invalid OCSP responder
(url=%s) response content type (%s).", ocspResponderUrl,
ocspRespContentType));
}

=======================================
---
/phiz-core/src/main/resources/META-INF/phiz/logback/logback-phiz-include.xml
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/main/resources/META-INF/phiz/logback/logback-phiz-include.xml
Wed Mar 18 02:04:22 2015 UTC
@@ -16,12 +16,6 @@
<appender-ref ref="fileLogstashAsync"/>
</logger>

- <!--
- <logger
name="gov.hhs.onc.phiz.crypto.ssl.logging.impl.PhizSslDebugConfiguration"
level="all" additivity="false">
- <appender-ref ref="fileLogstashAsync"/>
- </logger>
- -->
-

<!--====================================================================================================
= LOGGERS: ROCKFRAMEWORK

=====================================================================================================-->
=======================================
---
/phiz-core/src/main/resources/META-INF/phiz/spring/spring-phiz-crypto-ssl.xml
Sat Mar 7 17:35:44 2015 UTC
+++
/phiz-core/src/main/resources/META-INF/phiz/spring/spring-phiz-crypto-ssl.xml
Wed Mar 18 02:04:22 2015 UTC
@@ -15,12 +15,31 @@
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd">

+
<!--====================================================================================================
+ = SSL DEBUG PRINT STREAMS
+
=====================================================================================================-->
+ <beans:bean id="sslDebugPrintStream"
class="gov.hhs.onc.phiz.crypto.logging.impl.SslDebugPrintStream"
abstract="true">
+ <beans:property name="eventProcessors">
+ <beans:set>
+ <beans:ref bean="sslEventProcHelloImpl"/>
+ </beans:set>
+ </beans:property>
+ </beans:bean>
+
+ <beans:bean id="sslDebugPrintStreamOut" parent="sslDebugPrintStream"
+ c:type="#{
T(gov.hhs.onc.phiz.crypto.logging.SslDebugPrintStreamType).OUT }"/>
+
+ <beans:bean id="sslDebugPrintStreamErr" parent="sslDebugPrintStream"
+ c:type="#{
T(gov.hhs.onc.phiz.crypto.logging.SslDebugPrintStreamType).ERR }"/>
+

<!--====================================================================================================
= KEY MANAGERS

=====================================================================================================-->
<beans:bean id="keyManager" class="javax.net.ssl.KeyManager"
abstract="true"/>

- <beans:bean id="keyManagerBase"
class="gov.hhs.onc.phiz.crypto.ssl.impl.PhizKeyManagerFactoryBean"
parent="keyManager" abstract="true"
+ <beans:bean id="keyManagerX509Extended"
class="javax.net.ssl.X509ExtendedKeyManager" parent="keyManager"
abstract="true"/>
+
+ <beans:bean id="keyManagerBase"
class="gov.hhs.onc.phiz.crypto.ssl.impl.PhizKeyManagerFactoryBean"
parent="keyManagerX509Extended" abstract="true"
p:provider="#{
T(gov.hhs.onc.phiz.crypto.PhizCryptoProviders).SUN_JSSE }"
p:type="NewSunX509"/>

@@ -70,7 +89,9 @@

=====================================================================================================-->
<beans:bean id="trustManager" class="javax.net.ssl.TrustManager"
abstract="true"/>

- <beans:bean id="trustManagerBase"
class="gov.hhs.onc.phiz.crypto.ssl.impl.PhizTrustManager"
parent="trustManager" abstract="true"
+ <beans:bean id="trustManagerX509Extended"
class="javax.net.ssl.X509ExtendedTrustManager" parent="trustManager"
abstract="true"/>
+
+ <beans:bean id="trustManagerBase"
class="gov.hhs.onc.phiz.crypto.ssl.impl.PhizTrustManager"
parent="trustManagerX509Extended" abstract="true"
p:certificateSelector-ref="certSelectorX509"
p:provider="#{ T(gov.hhs.onc.phiz.crypto.PhizCryptoProviders).BC }"
p:type="PKIX">
@@ -107,20 +128,4 @@
p:provider="#{
T(gov.hhs.onc.phiz.crypto.PhizCryptoProviders).SUN_JSSE }"
p:secureRandom-ref="secureRandomSha1"
p:type="#{
T(gov.hhs.onc.phiz.crypto.ssl.PhizTlsVersions).TLS_1_2_NAME }"/>
-
-
<!--====================================================================================================
- = SSL CLIENT SOCKET FACTORIES
-
=====================================================================================================-->
- <beans:bean id="sslSocketFactoryClient"
class="javax.net.ssl.SSLSocketFactory" abstract="true"/>
-
- <beans:bean id="sslSocketFactoryClientBase"
class="gov.hhs.onc.phiz.crypto.ssl.impl.PhizSslClientSocketFactoryFactoryBean"
parent="sslSocketFactoryClient"
- abstract="true"/>
-
-
<!--====================================================================================================
- = SSL SERVER SOCKET FACTORIES
-
=====================================================================================================-->
- <beans:bean id="sslSocketFactoryServer"
class="javax.net.ssl.SSLServerSocketFactory" abstract="true"/>
-
- <beans:bean id="sslSocketFactoryServerBase"
class="gov.hhs.onc.phiz.crypto.ssl.impl.PhizSslServerSocketFactoryFactoryBean"
parent="sslSocketFactoryServer"
- abstract="true"/>
</beans:beans>
=======================================
---
/phiz-core/src/test/java/gov/hhs/onc/phiz/test/crypto/ssl/revocation/impl/PhizOcspServerImpl.java
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/test/java/gov/hhs/onc/phiz/test/crypto/ssl/revocation/impl/PhizOcspServerImpl.java
Wed Mar 18 02:04:22 2015 UTC
@@ -2,7 +2,7 @@

import com.github.sebhoss.warnings.CompilerWarnings;
import gov.hhs.onc.phiz.crypto.PhizCredential;
-import gov.hhs.onc.phiz.crypto.PhizCryptoContentTypes;
+import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspContentTypes;
import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspCertificateStatusType;
import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspResponseStatusType;
import gov.hhs.onc.phiz.crypto.ssl.revocation.impl.PhizCertificateId;
@@ -209,7 +209,7 @@

HttpHeaders reqMsgHeaders = reqMsg.headers();

- if (!reqMsgHeaders.contains(Names.CONTENT_TYPE) |
| !MimeType.valueOf(reqMsgHeaders.get(Names.CONTENT_TYPE)).equals(PhizCryptoContentTypes.OCSP_REQ))
{
+ if (!reqMsgHeaders.contains(Names.CONTENT_TYPE) |
| !MimeType.valueOf(reqMsgHeaders.get(Names.CONTENT_TYPE)).equals(OcspContentTypes.OCSP_REQ))
{
this.writeResponse(context,
HttpResponseStatus.BAD_REQUEST);

return;
@@ -269,7 +269,7 @@
FullHttpResponse respMsg = new
DefaultFullHttpResponse(HttpVersion.HTTP_1_1, respMsgStatus,
respContentBuffer);

HttpHeaders.setContentLength(respMsg,
respContentBuffer.array().length);
- respMsg.headers().set(Names.CONTENT_TYPE,
PhizCryptoContentTypes.OCSP_RESP.toString());
+ respMsg.headers().set(Names.CONTENT_TYPE,
OcspContentTypes.OCSP_RESP.toString());


context.writeAndFlush(respMsg).addListener(ChannelFutureListener.CLOSE);
}
=======================================
---
/phiz-core/src/test/resources/META-INF/phiz/spring/spring-phiz-crypto-ssl-test.xml
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/test/resources/META-INF/phiz/spring/spring-phiz-crypto-ssl-test.xml
Wed Mar 18 02:04:22 2015 UTC
@@ -74,9 +74,9 @@
<beans:entry
key="${phiz.crypto.store.key.ca.entry.ca.alias}">
<!--suppress SpringPlaceholdersInspection -->
<beans:bean parent="keyStoreEntryPrivateKey"
- p:certificateChain="#{
credCa.certificateResponse.identity.chain[0] }"
+ p:certificateChain="#{ credCa.certificate }"

p:password="${phiz.crypto.store.key.ca.entry.ca.pass}"
- p:privateKey="#{
credCa.certificateResponse.identity.privateKey }"/>
+ p:privateKey="#{ credCa.privateKey }"/>
</beans:entry>
</beans:map>
</beans:property>
=======================================
--- /phiz-parent/pom.xml Sat Mar 7 17:35:44 2015 UTC
+++ /phiz-parent/pom.xml Wed Mar 18 02:04:22 2015 UTC
@@ -1058,7 +1058,7 @@

<suiteXmlFile>${project.build.testngDirectory}/testng-${project.artifactId}.xml</suiteXmlFile>
</suiteXmlFiles>
<systemPropertyVariables combine.children="append">
-
<javax.net.debug>ssl,certpath,handshake</javax.net.debug>
+
<javax.net.debug>ssl,handshake</javax.net.debug>
<javax.net.ssl.keyStore/>
<javax.net.ssl.trustStore/>

<jdk.tls.ephemeralDHKeySize>2048</jdk.tls.ephemeralDHKeySize>
=======================================
---
/phiz-web-core/src/main/java/gov/hhs/onc/phiz/web/crypto/impl/PhizJsseImplementation.java
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-web-core/src/main/java/gov/hhs/onc/phiz/web/crypto/impl/PhizJsseImplementation.java
Wed Mar 18 02:04:22 2015 UTC
@@ -16,12 +16,13 @@
import org.apache.tomcat.util.net.SSLUtil;
import org.apache.tomcat.util.net.ServerSocketFactory;
import org.apache.tomcat.util.net.jsse.JSSEImplementation;
+import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Configurable;
import org.springframework.context.annotation.Lazy;

@Configurable
@Lazy
-public class PhizJsseImplementation extends JSSEImplementation {
+public class PhizJsseImplementation extends JSSEImplementation implements
InitializingBean {
private class PhizJsseSocketFactory implements ServerSocketFactory,
SSLUtil {
private AbstractEndpoint<?> endpoint;

@@ -113,8 +114,6 @@
@SuppressWarnings({ "SpringJavaAutowiringInspection" })
private SSLContext context;

- @Resource(name = "sslServerSocketFactoryTomcatServer")
- @SuppressWarnings({ "SpringJavaAutowiringInspection" })
private SSLServerSocketFactory serverSocketFactory;

@Override
@@ -126,6 +125,11 @@
public SSLUtil getSSLUtil(AbstractEndpoint<?> endpoint) {
return new PhizJsseSocketFactory(endpoint);
}
+
+ @Override
+ public void afterPropertiesSet() throws Exception {
+ this.serverSocketFactory = this.context.getServerSocketFactory();
+ }

@Override
public String getImplementationName() {
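Review bot: `afterPropertiesSet` dereferences the injected `context` with no check, so a missing or misnamed `SSLContext` bean surfaces as a bare NullPointerException at `getServerSocketFactory()` rather than as a configuration error that names the dependency; `this.serverSocketFactory = Objects.requireNonNull(this.context, "context").getServerSocketFactory();` (with a `java.util.Objects` import) gives that. Since the class is `@Configurable` rather than a container-declared bean, whether this callback is actually invoked depends on the aspect-driven configuration; presumably it is, but the removal of the `@Resource`-injected factory means a silent miss here leaves `serverSocketFactory` null, which a test that exercises the server socket path would catch.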
=======================================
---
/phiz-web-core/src/main/resources/META-INF/phiz/spring/spring-phiz-web-tomcat.xml
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-web-core/src/main/resources/META-INF/phiz/spring/spring-phiz-web-tomcat.xml
Wed Mar 18 02:04:22 2015 UTC
@@ -52,25 +52,9 @@
= SSL CONTEXTS

=====================================================================================================-->
<beans:bean id="sslContextTomcatServer" parent="sslContextBase"
lazy-init="true"
- p:sslParameters-ref="sslParamsServerTomcatServer">
- <beans:property name="keyManagers">
- <beans:array>
- <beans:ref bean="keyManagerTomcatServer"/>
- </beans:array>
- </beans:property>
- <beans:property name="trustManagers">
- <beans:array>
- <beans:ref bean="trustManagerTomcatServer"/>
- </beans:array>
- </beans:property>
- </beans:bean>
-
-
<!--====================================================================================================
- = SSL SERVER SOCKET FACTORIES
-
=====================================================================================================-->
- <beans:bean id="sslServerSocketFactoryTomcatServer"
parent="sslSocketFactoryServerBase" lazy-init="true"
- p:sslContext-ref="sslContextTomcatServer"
- p:sslParameters-ref="sslParamsServerTomcatServer"/>
+ p:keyManagers-ref="keyManagerTomcatServer"
+ p:parameters-ref="sslParamsServerTomcatServer"
+ p:trustManagers-ref="trustManagerTomcatServer"/>


<!--====================================================================================================
= LIFECYCLE LISTENERS
=======================================
---
/phiz-web-core/src/test/resources/META-INF/phiz/spring/spring-phiz-web-soapui-test.xml
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-web-core/src/test/resources/META-INF/phiz/spring/spring-phiz-web-soapui-test.xml
Wed Mar 18 02:04:22 2015 UTC
@@ -83,9 +83,9 @@
<beans:entry
key="${phiz.crypto.store.key.soapui.client.entry.ssl.alias}">
<!--suppress SpringPlaceholdersInspection -->
<beans:bean parent="keyStoreEntryPrivateKey"
- p:certificateChain="#{
credSoapUiClient.certificateResponse.identity.chain[0] }"
+ p:certificateChain="#{
credSoapUiClient.certificate }"

p:password="${phiz.crypto.store.key.soapui.client.entry.ssl.pass}"
- p:privateKey="#{
credSoapUiClient.certificateResponse.identity.privateKey }"/>
+ p:privateKey="#{ credSoapUiClient.privateKey }"/>
</beans:entry>
</beans:map>
</beans:property>
@@ -101,7 +101,7 @@
<beans:entry
key="${phiz.crypto.store.trust.soapui.client.entry.ca.alias}">
<!--suppress SpringPlaceholdersInspection -->
<beans:bean parent="keyStoreEntryTrustedCert"
- p:certificate="#{
credCa.certificateResponse.identity.chain[0] }"/>
+ p:certificate="#{ credCa.certificate }"/>
</beans:entry>
</beans:map>
</beans:property>
@@ -117,9 +117,9 @@
<beans:entry
key="${phiz.crypto.store.key.soapui.client.revoked.entry.ssl.alias}">
<!--suppress SpringPlaceholdersInspection -->
<beans:bean parent="keyStoreEntryPrivateKey"
- p:certificateChain="#{
credSoapUiClientRevoked.certificateResponse.identity.chain[0] }"
+ p:certificateChain="#{
credSoapUiClientRevoked.certificate }"

p:password="${phiz.crypto.store.key.soapui.client.revoked.entry.ssl.pass}"
- p:privateKey="#{
credSoapUiClientRevoked.certificateResponse.identity.privateKey }"/>
+ p:privateKey="#{
credSoapUiClientRevoked.privateKey }"/>
</beans:entry>
</beans:map>
</beans:property>
@@ -135,9 +135,9 @@
<beans:entry
key="${phiz.crypto.store.key.soapui.client.untrusted.entry.ssl.alias}">
<!--suppress SpringPlaceholdersInspection -->
<beans:bean parent="keyStoreEntryPrivateKey"
- p:certificateChain="#{
credSoapUiClientUntrusted.certificateResponse.identity.chain[0] }"
+ p:certificateChain="#{
credSoapUiClientUntrusted.certificate }"

p:password="${phiz.crypto.store.key.soapui.client.untrusted.entry.ssl.pass}"
- p:privateKey="#{
credSoapUiClientUntrusted.certificateResponse.identity.privateKey }"/>
+ p:privateKey="#{
credSoapUiClientUntrusted.privateKey }"/>
</beans:entry>
</beans:map>
</beans:property>
@@ -153,7 +153,7 @@
<beans:entry
key="${phiz.crypto.store.trust.soapui.client.untrusted.entry.ca.alias}">
<!--suppress SpringPlaceholdersInspection -->
<beans:bean parent="keyStoreEntryTrustedCert"
- p:certificate="#{
credCaUntrusted.certificateResponse.identity.chain[0] }"/>
+ p:certificate="#{ credCaUntrusted.certificate }"/>
</beans:entry>
</beans:map>
</beans:property>
@@ -208,52 +208,16 @@
= SSL CONTEXTS

=====================================================================================================-->
<beans:bean id="sslContextSoapUiClient" parent="sslContextBase"
lazy-init="true"
- p:sslParameters-ref="sslParamsClientSoapUiClient">
- <beans:property name="keyManagers">
- <beans:array>
- <beans:ref bean="keyManagerSoapUiClient"/>
- </beans:array>
- </beans:property>
- <beans:property name="trustManagers">
- <beans:array>
- <beans:ref bean="trustManagerSoapUiClient"/>
- </beans:array>
- </beans:property>
- </beans:bean>
-
- <beans:bean id="sslContextSoapUiClientRevoked"
parent="sslContextSoapUiClient" lazy-init="true">
- <beans:property name="keyManagers">
- <beans:array>
- <beans:ref bean="keyManagerSoapUiClientRevoked"/>
- </beans:array>
- </beans:property>
- </beans:bean>
-
- <beans:bean id="sslContextSoapUiClientUntrusted"
parent="sslContextSoapUiClient" lazy-init="true">
- <beans:property name="keyManagers">
- <beans:array>
- <beans:ref bean="keyManagerSoapUiClientUntrusted"/>
- </beans:array>
- </beans:property>
- <beans:property name="trustManagers">
- <beans:array>
- <beans:ref bean="trustManagerSoapUiClientUntrusted"/>
- </beans:array>
- </beans:property>
- </beans:bean>
-
-
<!--====================================================================================================
- = SSL CLIENT SOCKET FACTORIES
-
=====================================================================================================-->
- <beans:bean id="sslSocketFactoryClientSoapUiClient"
parent="sslSocketFactoryClientBase" lazy-init="true"
- p:sslContext-ref="sslContextSoapUiClient"
- p:sslParameters-ref="sslParamsClientSoapUiClient"/>
+ p:keyManagers-ref="keyManagerSoapUiClient"
+ p:parameters-ref="sslParamsClientSoapUiClient"
+ p:trustManagers-ref="trustManagerSoapUiClient"/>

- <beans:bean id="sslSocketFactoryClientSoapUiClientRevoked"
parent="sslSocketFactoryClientSoapUiClient" lazy-init="true"
- p:sslContext-ref="sslContextSoapUiClientRevoked"/>
+ <beans:bean id="sslContextSoapUiClientRevoked"
parent="sslContextSoapUiClient" lazy-init="true"
+ p:keyManagers-ref="keyManagerSoapUiClientRevoked"/>

- <beans:bean id="sslSocketFactoryClientSoapUiClientUntrusted"
parent="sslSocketFactoryClientSoapUiClient" lazy-init="true"
- p:sslContext-ref="sslContextSoapUiClientUntrusted"/>
+ <beans:bean id="sslContextSoapUiClientUntrusted"
parent="sslContextSoapUiClient" lazy-init="true"
+ p:keyManagers-ref="keyManagerSoapUiClientUntrusted"
+ p:trustManagers-ref="trustManagerSoapUiClientUntrusted"/>


<!--====================================================================================================
= SOAPUI TESTCASE RUNNERS
@@ -291,15 +255,15 @@
</beans:property>
<beans:property name="sslSocketFactoryMap">
<beans:map>
- <beans:entry
value-ref="sslSocketFactoryClientSoapUiClient">
+ <beans:entry value="#{
sslContextSoapUiClient.socketFactory }">
<beans:key>
<beans:null/>
</beans:key>
</beans:entry>
<beans:entry key="#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).REVOKED_SSL_SOCKET_FACTORY_VALUE
}"
- value-ref="sslSocketFactoryClientSoapUiClientRevoked"/>
+ value="#{ sslContextSoapUiClientRevoked.socketFactory
}"/>
<beans:entry key="#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).UNTRUSTED_SSL_SOCKET_FACTORY_VALUE
}"
-
value-ref="sslSocketFactoryClientSoapUiClientUntrusted"/>
+ value="#{
sslContextSoapUiClientUntrusted.socketFactory }"/>
</beans:map>
</beans:property>
</beans:bean>
=======================================
---
/phiz-web-core/src/test/resources/META-INF/phiz/spring/spring-phiz-web-tomcat-test.xml
Sat Feb 21 20:45:44 2015 UTC
+++
/phiz-web-core/src/test/resources/META-INF/phiz/spring/spring-phiz-web-tomcat-test.xml
Wed Mar 18 02:04:22 2015 UTC
@@ -48,9 +48,9 @@
<beans:entry
key="${phiz.crypto.store.key.tomcat.server.entry.ssl.alias}">
<!--suppress SpringPlaceholdersInspection -->
<beans:bean parent="keyStoreEntryPrivateKey"
- p:certificateChain="#{
credTomcatServer.certificateResponse.identity.chain[0] }"
+ p:certificateChain="#{
credTomcatServer.certificate }"

p:password="${phiz.crypto.store.key.tomcat.server.entry.ssl.pass}"
- p:privateKey="#{
credTomcatServer.certificateResponse.identity.privateKey }"/>
+ p:privateKey="#{ credTomcatServer.privateKey }"/>
</beans:entry>
</beans:map>
</beans:property>
@@ -66,7 +66,7 @@
<beans:entry
key="${phiz.crypto.store.trust.tomcat.server.entry.ca.alias}">
<!--suppress SpringPlaceholdersInspection -->
<beans:bean parent="keyStoreEntryTrustedCert"
- p:certificate="#{
credCa.certificateResponse.identity.chain[0] }"/>
+ p:certificate="#{ credCa.certificate }"/>
</beans:entry>
</beans:map>
</beans:property>
=======================================
---
/phiz-web-ws/src/main/resources/META-INF/phiz/spring/spring-phiz-web-ws-client.xml
Sat Mar 7 17:35:44 2015 UTC
+++
/phiz-web-ws/src/main/resources/META-INF/phiz/spring/spring-phiz-web-ws-client.xml
Wed Mar 18 02:04:22 2015 UTC
@@ -56,25 +56,9 @@
= SSL CONTEXTS

=====================================================================================================-->
<beans:bean id="sslContextWsClient" parent="sslContextBase"
lazy-init="true"
- p:sslParameters-ref="sslParamsClientWsClient">
- <beans:property name="keyManagers">
- <beans:array>
- <beans:ref bean="keyManagerWsClient"/>
- </beans:array>
- </beans:property>
- <beans:property name="trustManagers">
- <beans:array>
- <beans:ref bean="trustManagerWsClient"/>
- </beans:array>
- </beans:property>
- </beans:bean>
-
-
<!--====================================================================================================
- = SSL CLIENT SOCKET FACTORIES
-
=====================================================================================================-->
- <beans:bean id="sslSocketFactoryClientWsClient"
parent="sslSocketFactoryClientBase" lazy-init="true"
- p:sslContext-ref="sslContextWsClient"
- p:sslParameters-ref="sslParamsClientWsClient"/>
+ p:keyManagers-ref="keyManagerWsClient"
+ p:parameters-ref="sslParamsClientWsClient"
+ p:trustManagers-ref="trustManagerWsClient"/>


<!--====================================================================================================
= TLS PARAMETERS: CLIENT
@@ -84,7 +68,7 @@

<!--suppress SpringPlaceholdersInspection -->
<beans:bean id="tlsParamsClientWs" parent="tlsParamsClient"
lazy-init="true"
- p:SSLSocketFactory-ref="sslSocketFactoryClientWsClient"/>
+ p:SSLSocketFactory="#{ sslContextWsClient.socketFactory }"/>


<!--====================================================================================================
= CLIENT POLICIES
=======================================
---
/phiz-web-ws/src/test/resources/META-INF/phiz/spring/spring-phiz-web-ws-client-test.xml
Sat Feb 21 20:45:44 2015 UTC
+++
/phiz-web-ws/src/test/resources/META-INF/phiz/spring/spring-phiz-web-ws-client-test.xml
Wed Mar 18 02:04:22 2015 UTC
@@ -33,9 +33,9 @@
<beans:entry
key="${phiz.crypto.store.key.ws.client.entry.ssl.alias}">
<!--suppress SpringPlaceholdersInspection -->
<beans:bean parent="keyStoreEntryPrivateKey"
- p:certificateChain="#{
credWsClient.certificateResponse.identity.chain[0] }"
+ p:certificateChain="#{ credWsClient.certificate }"

p:password="${phiz.crypto.store.key.ws.client.entry.ssl.pass}"
- p:privateKey="#{
credWsClient.certificateResponse.identity.privateKey }"/>
+ p:privateKey="#{ credWsClient.privateKey }"/>
</beans:entry>
</beans:map>
</beans:property>
@@ -51,7 +51,7 @@
<beans:entry
key="${phiz.crypto.store.trust.ws.client.entry.ca.alias}">
<!--suppress SpringPlaceholdersInspection -->
<beans:bean parent="keyStoreEntryTrustedCert"
- p:certificate="#{
credCa.certificateResponse.identity.chain[0] }"/>
+ p:certificate="#{ credCa.certificate }"/>
</beans:entry>
</beans:map>
</beans:property>

==============================================================================
Revision: ea3e02d474ef
Branch: default
Author: Michal Kotelba <michal....@esacinc.com>
Date: Wed Mar 18 12:21:24 2015 UTC
Log: - Supports PHIZ-38.
- Implemented certificate path algorithm constraints validation (the
associated built-in JSSE mechanism is effectively disabled).
https://code.google.com/p/phiz/source/detail?r=ea3e02d474ef

Added:
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/PhizKeyType.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/constraints/impl/PermitAllConstraints.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/constraints/impl/PhizConstraintsChecker.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizPathChecker.java
Modified:

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/impl/GeneratedCredentialFactoryBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/impl/PhizKeyPairGeneratorFactoryBean.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizTrustManager.java

/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/revocation/impl/PhizRevocationChecker.java
/phiz-core/src/main/resources/META-INF/phiz/phiz.properties

/phiz-core/src/main/resources/META-INF/phiz/spring/spring-phiz-crypto-ssl.xml
/phiz-core/src/main/resources/META-INF/phiz/spring/spring-phiz-crypto.xml

/phiz-web-core/src/test/java/gov/hhs/onc/phiz/web/test/soapui/PhizSoapUiProperties.java
/phiz-web-core/src/test/resources/META-INF/phiz/phiz-web-test.properties

/phiz-web-core/src/test/resources/META-INF/phiz/spring/spring-phiz-web-soapui-test.xml
/phiz-web-ws/src/it/soapui/soapui-phiz-web-ws.xml

=======================================
--- /dev/null
+++ /phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/PhizKeyType.java Wed
Mar 18 12:21:24 2015 UTC
@@ -0,0 +1,39 @@
+package gov.hhs.onc.phiz.crypto;
+
+import java.security.interfaces.DSAKey;
+import java.security.interfaces.ECKey;
+import java.security.interfaces.RSAKey;
+import javax.crypto.interfaces.DHKey;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
+
+public enum PhizKeyType implements PhizCryptoObjectId, PhizCryptoTypeId {
+ DH("DH", PKCSObjectIdentifiers.dhKeyAgreement, DHKey.class),
DSA("DSA", X9ObjectIdentifiers.id_dsa, DSAKey.class), EC("EC",
+ X9ObjectIdentifiers.id_ecPublicKey, ECKey.class), RSA("RSA",
PKCSObjectIdentifiers.rsaEncryption, RSAKey.class);
+
+ private final String id;
+ private final ASN1ObjectIdentifier oid;
+ private final Class<?> type;
+
+ private PhizKeyType(String id, ASN1ObjectIdentifier oid, Class<?>
type) {
+ this.id = id;
+ this.oid = oid;
+ this.type = type;
+ }
+
+ @Override
+ public String getId() {
+ return this.id;
+ }
+
+ @Override
+ public ASN1ObjectIdentifier getOid() {
+ return this.oid;
+ }
+
+ @Override
+ public Class<?> getType() {
+ return this.type;
+ }
+}
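Review bot: The `DH` entry maps to `PKCSObjectIdentifiers.dhKeyAgreement` (PKCS#3, 1.2.840.113549.1.3.1), but X.509 SubjectPublicKeyInfo for Diffie-Hellman keys per RFC 3279 uses `X9ObjectIdentifiers.dhpublicnumber` (1.2.840.10046.2.1), so a `DHPublicKey` taken from a certificate will not carry the OID this enum advertises. Within this commit `getOid()` is only used for log text in `PhizConstraintsChecker`, so the effect is cosmetic, but any future matching on `getOid()` would silently miss certificate DH keys; either switch to `X9ObjectIdentifiers.dhpublicnumber` or record the choice with `// PKCS#3 OID; RFC 3279 certificates use dhpublicnumber instead`. A short Javadoc stating that `type` is the JCA key interface the enum is looked up by (presumably via `PhizCryptoUtils.findByType`) would also help.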
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/constraints/impl/PermitAllConstraints.java
Wed Mar 18 12:21:24 2015 UTC
@@ -0,0 +1,57 @@
+package gov.hhs.onc.phiz.crypto.ssl.constraints.impl;
+
+import java.security.AlgorithmConstraints;
+import java.security.AlgorithmParameters;
+import java.security.CryptoPrimitive;
+import java.security.Key;
+import java.util.Set;
+import javax.annotation.Nullable;
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.stereotype.Component;
+
+@Component("constraintsPermitAll")
+public class PermitAllConstraints implements AlgorithmConstraints {
+ @Override
+ public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
+ validatePrimitives(primitives);
+ validateKey(key);
+
+ return true;
+ }
+
+ @Override
+ public boolean permits(Set<CryptoPrimitive> primitives, String algId,
@Nullable AlgorithmParameters algParams) {
+ validatePrimitives(primitives);
+ validateAlgorithmId(algId);
+
+ return true;
+ }
+
+ @Override
+ public boolean permits(Set<CryptoPrimitive> primitives, String algId,
Key key, @Nullable AlgorithmParameters algParams) {
+ validatePrimitives(primitives);
+ validateAlgorithmId(algId);
+ validateKey(key);
+
+ return true;
+ }
+
+ protected static void validateKey(@Nullable Key key) {
+ if (key == null) {
+ throw new IllegalArgumentException("SSL key must be
specified.");
+ }
+ }
+
+ protected static void validateAlgorithmId(@Nullable String algId) {
+ if (StringUtils.isEmpty(algId)) {
+ throw new IllegalArgumentException("SSL algorithm ID must be
specified.");
+ }
+ }
+
+ protected static void validatePrimitives(@Nullable
Set<CryptoPrimitive> primitives) {
+ if (CollectionUtils.isEmpty(primitives)) {
+ throw new IllegalArgumentException("SSL primitive(s) must be
specified.");
+ }
+ }
+}
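Review bot: Every `permits` overload returns `true` unconditionally, so wherever this bean is installed the JDK's disabled-algorithm lists (`jdk.certpath.disabledAlgorithms`, `jdk.tls.disabledAlgorithms`) no longer apply — the commit message confirms the built-in mechanism is "effectively disabled". If it is also set as the `SSLParameters` algorithm constraints, handshake-level choices (cipher suites, ephemeral DH/ECDH parameters, signature_algorithms) go unfiltered, and `PhizConstraintsChecker` cannot compensate because it only inspects certificate-path public keys and certificate signature algorithms; the wiring is in spring-phiz-crypto-ssl.xml, outside this chunk, so please confirm its scope. The `validate*` helpers also throw `IllegalArgumentException` from inside JSSE/PKIX callbacks, which surfaces as an opaque handshake failure rather than a `CertPathValidatorException`; returning `false` would be the safer contract for malformed input. Add a class Javadoc that states the intent, e.g. `/** Permits every algorithm so that JSSE's built-in constraint checking is bypassed; key type, key size and signature algorithm policy is enforced by PhizConstraintsChecker instead. Do not widen its use without revisiting that assumption. */`.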
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/constraints/impl/PhizConstraintsChecker.java
Wed Mar 18 12:21:24 2015 UTC
@@ -0,0 +1,147 @@
+package gov.hhs.onc.phiz.crypto.ssl.constraints.impl;
+
+import gov.hhs.onc.phiz.crypto.PhizKeyType;
+import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
+import gov.hhs.onc.phiz.crypto.ssl.impl.AbstractPhizPathChecker;
+import gov.hhs.onc.phiz.crypto.utils.PhizCryptoUtils;
+import gov.hhs.onc.phiz.logging.logstash.PhizLogstashTags;
+import gov.hhs.onc.phiz.logging.logstash.impl.PhizLogstashMarkers;
+import java.math.BigInteger;
+import java.security.Key;
+import java.security.PublicKey;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorException.BasicReason;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.DSAKey;
+import java.security.interfaces.ECKey;
+import java.security.interfaces.RSAKey;
+import java.util.EnumMap;
+import java.util.EnumSet;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import javax.crypto.interfaces.DHKey;
+import javax.crypto.spec.DHParameterSpec;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class PhizConstraintsChecker extends AbstractPhizPathChecker {
+ private final static Logger LOGGER =
LoggerFactory.getLogger(PhizConstraintsChecker.class);
+
+ private Set<PhizKeyType> keyTypes = EnumSet.noneOf(PhizKeyType.class);
+ private Map<PhizKeyType, Integer> minKeySizes = new
EnumMap<>(PhizKeyType.class);
+ private Set<AlgorithmIdentifier> sigAlgIds = new HashSet<>();
+
+ public PhizConstraintsChecker(PhizSslLocation loc, X509Certificate
issuerCert) {
+ super(loc, issuerCert, BasicReason.ALGORITHM_CONSTRAINED);
+ }
+
+ @Override
+ @SuppressWarnings({ "CloneDoesntCallSuperClone" })
+ public PhizConstraintsChecker clone() {
+ return this;
+ }
+
+ @Override
+ protected void checkInternal(X509Certificate cert, String
certSubjectDnNameStr, String certIssuerDnNameStr, BigInteger certSerialNum)
+ throws CertPathValidatorException {
+ PublicKey certPublicKey = cert.getPublicKey();
+ String certKeyAlgName = certPublicKey.getAlgorithm();
+ PhizKeyType certKeyType =
PhizCryptoUtils.findByType(PhizKeyType.class, certPublicKey.getClass());
+
+ if (certKeyType == null) {
+ throw this.buildException(String.format("Unknown SSL %s
certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) key type
(algName=%s).",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, certKeyAlgName));
+ }
+
+ String certKeyAlgOid = certKeyType.getOid().getId();
+
+ if (!this.keyTypes.contains(certKeyType)) {
+ throw this.buildException(String.format(
+ "Invalid SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) key type (algName=%s, algOid=%s).",
this.loc.getId(),
+ certSubjectDnNameStr, certIssuerDnNameStr, certSerialNum,
certKeyAlgName, certKeyAlgOid));
+ }
+
+ if (this.minKeySizes.containsKey(certKeyType)) {
+ int minKeySize = this.minKeySizes.get(certKeyType),
certKeySize = extractKeySize(certKeyType, certPublicKey);
+
+ if (certKeySize >= minKeySize) {
+
LOGGER.debug(PhizLogstashMarkers.append(PhizLogstashTags.SSL),
String.format(
+ "Valid SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) key (algName=%s, algOid=%s) size (%d
>= %d).",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, certKeyAlgName, certKeyAlgOid,
certKeySize, minKeySize));
+ } else if (certKeySize == -1) {
+ throw this.buildException(String.format(
+ "Unknown SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) key (algName=%s, algOid=%s) size.",
this.loc.getId(),
+ certSubjectDnNameStr, certIssuerDnNameStr,
certSerialNum, certKeyAlgName, certKeyAlgOid));
+ } else {
+ throw this.buildException(String.format(
+ "Invalid SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) key (algName=%s, algOid=%s) size (%d < %d).",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, certKeyAlgName, certKeyAlgOid,
certKeySize, minKeySize));
+ }
+ }
+
+ String certSigAlgName = cert.getSigAlgName(), certSigAlgOid =
cert.getSigAlgOID();
+ AlgorithmIdentifier certSigAlgId =
PhizCryptoUtils.SIG_ALG_ID_FINDER.find(certSigAlgName);
+
+ if (this.sigAlgIds.contains(certSigAlgId)) {
+ LOGGER.debug(
+ PhizLogstashMarkers.append(PhizLogstashTags.SSL),
+ String.format("Valid SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) signature algorithm (name=%s, oid=%s).",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, certSigAlgName, certSigAlgOid));
+ } else {
+ throw this.buildException(String.format(
+ "Invalid SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) signature algorithm (name=%s, oid=%s).",
this.loc.getId(),
+ certSubjectDnNameStr, certIssuerDnNameStr, certSerialNum,
certSigAlgName, certSigAlgOid));
+ }
+ }
+
+ private static int extractKeySize(PhizKeyType keyType, Key key) {
+ switch (keyType) {
+ case DH:
+ DHParameterSpec dhKeyParams = ((DHKey) key).getParams();
+ int dhKeyParamLValue = dhKeyParams.getL();
+
+ return ((dhKeyParamLValue != 0) ? dhKeyParamLValue :
dhKeyParams.getP().bitLength());
+
+ case DSA:
+ return (((DSAKey) key).getParams().getP().bitLength() - 1);
+
+ case EC:
+ return ((ECKey) key).getParams().getOrder().bitLength();
+
+ case RSA:
+ return ((RSAKey) key).getModulus().bitLength();
+
+ default:
+ return -1;
+ }
+ }
+
+ public Set<PhizKeyType> getKeyTypes() {
+ return this.keyTypes;
+ }
+
+ public void setKeyTypes(Set<PhizKeyType> keyTypes) {
+ this.keyTypes = keyTypes;
+ }
+
+ public Map<PhizKeyType, Integer> getMinimumKeySizes() {
+ return this.minKeySizes;
+ }
+
+ public void setMinimumKeySizes(Map<PhizKeyType, Integer> minKeySizes) {
+ this.minKeySizes.clear();
+ this.minKeySizes.putAll(minKeySizes);
+ }
+
+ public Set<AlgorithmIdentifier> getSignatureAlgorithmIds() {
+ return this.sigAlgIds;
+ }
+
+ public void setSignatureAlgorithmIds(Set<String> sigAlgIds) {
+ this.sigAlgIds.clear();
+
+
sigAlgIds.stream().map(PhizCryptoUtils.SIG_ALG_ID_FINDER::find).forEach(this.sigAlgIds::add);
+ }
+}
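Review bot: The minimum-key-size check in `checkInternal` is skipped entirely when `minKeySizes` has no entry for an allowed key type, so a type listed in `keyTypes` without a matching minimum accepts keys of any length (a 512-bit RSA key would pass) — a configuration gap that fails open. Treat a missing entry as a failure, e.g. replace `if (this.minKeySizes.containsKey(certKeyType)) {` with `Integer minKeySize = this.minKeySizes.get(certKeyType); if (minKeySize == null) { throw this.buildException(...no minimum configured...); }`, or verify in an `afterPropertiesSet` override that every allowed type has a minimum. Separately, `extractKeySize` reports DSA as `p.bitLength() - 1`, unlike the other branches and the usual p.bitLength() convention, so a 2048-bit DSA key reads as 2047 and would fail a `>= 2048` minimum; confirm that offset is intentional. The `clone()` returning `this` is safe only because the checker keeps no per-path mutable state, and `getKeyTypes()`/`setKeyTypes()` expose the live collection — worth a Javadoc line saying the bean must be fully configured before use.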
=======================================
--- /dev/null
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/AbstractPhizPathChecker.java
Wed Mar 18 12:21:24 2015 UTC
@@ -0,0 +1,99 @@
+package gov.hhs.onc.phiz.crypto.ssl.impl;
+
+import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
+import java.math.BigInteger;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorException.BasicReason;
+import java.security.cert.CertPathValidatorException.Reason;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CertificateRevokedException;
+import java.security.cert.PKIXCertPathChecker;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+import java.util.stream.Collectors;
+import javax.annotation.Nullable;
+import javax.annotation.Resource;
+import org.apache.commons.lang3.time.FastDateFormat;
+import org.apache.commons.lang3.tuple.ImmutablePair;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+import org.springframework.beans.factory.InitializingBean;
+
+public abstract class AbstractPhizPathChecker extends PKIXCertPathChecker
implements InitializingBean {
+ protected final static Map<Class<? extends CertificateException>,
Reason> CAUSE_REASON_MAP = Arrays
+ .<Entry<Class<? extends CertificateException>, Reason>> asList(new
ImmutablePair<>(CertificateExpiredException.class, BasicReason.EXPIRED),
+ new ImmutablePair<>(CertificateNotYetValidException.class,
BasicReason.NOT_YET_VALID),
+ new ImmutablePair<>(CertificateRevokedException.class,
BasicReason.REVOKED)).stream().collect(Collectors.toMap(Entry::getKey,
Entry::getValue));
+
+ @Resource(name = "dateFormatUtcDisplay")
+ protected FastDateFormat displayDateFormat;
+
+ protected PhizSslLocation loc;
+ protected X509Certificate issuerCert;
+ protected Reason defaultReason;
+ protected X509CertificateHolder issuerCertHolder;
+
+ protected AbstractPhizPathChecker(PhizSslLocation loc, X509Certificate
issuerCert, Reason defaultReason) {
+ this.loc = loc;
+ this.issuerCert = issuerCert;
+ this.defaultReason = defaultReason;
+ }
+
+ @Override
+ public void check(Certificate baseCert, Collection<String>
unresolvedCriticalExts) throws CertPathValidatorException {
+ X509Certificate cert = ((X509Certificate) baseCert);
+
+ this.checkInternal(cert, cert.getSubjectX500Principal().getName(),
cert.getIssuerX500Principal().getName(), cert.getSerialNumber());
+ }
+
+ @Override
+ public void init(boolean forward) throws CertPathValidatorException {
+ if (forward) {
+ throw new CertPathValidatorException("Forward certificate path
checking is not supported.");
+ }
+ }
+
+ @Override
+ public void afterPropertiesSet() throws Exception {
+ this.issuerCertHolder = new
JcaX509CertificateHolder(this.issuerCert);
+ }
+
+ protected abstract void checkInternal(X509Certificate cert, String
certSubjectDnNameStr, String certIssuerDnNameStr, BigInteger certSerialNum)
+ throws CertPathValidatorException;
+
+ protected CertPathValidatorException buildException(String msg) {
+ return this.buildException(msg, null);
+ }
+
+ protected CertPathValidatorException buildException(String msg,
@Nullable Throwable cause) {
+ Reason reason = this.defaultReason;
+
+ if (cause != null) {
+ final Class<? extends Throwable> causeClass = cause.getClass();
+
+ reason =
+ CAUSE_REASON_MAP.entrySet().stream().filter(causeEntry ->
causeEntry.getKey().isAssignableFrom(causeClass)).findFirst().map(Entry::getValue)
+ .orElse(this.defaultReason);
+ }
+
+ return new CertPathValidatorException(msg, cause, null, -1,
reason);
+ }
+
+ @Override
+ public boolean isForwardCheckingSupported() {
+ return false;
+ }
+
+ @Nullable
+ @Override
+ public Set<String> getSupportedExtensions() {
+ return null;
+ }
+}
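Review bot: `buildException` always passes `null` and `-1` for the certificate path and index, so the resulting `CertPathValidatorException` carries no `getCertPath()`/`getIndex()`; callers can only rely on `getReason()` and the message text, which is acceptable given the messages include subject, issuer and serial, but it deserves a Javadoc on the method. `CAUSE_REASON_MAP` is collected into a plain `HashMap`, so if a future cause class matched more than one key the `findFirst()` choice would depend on iteration order — with the three current keys this cannot happen, but collecting via `Collectors.toMap(Entry::getKey, Entry::getValue, (a, b) -> a, LinkedHashMap::new)` would make the declared order authoritative. `check()` also casts `baseCert` to `X509Certificate` unconditionally, which is fine under PKIX but worth a one-line comment. Finally, document that subclasses returning `this` from `clone()` must keep no per-path mutable state, since `loc` and `issuerCert` are fixed at construction and a new instance is expected per validation.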
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/impl/GeneratedCredentialFactoryBean.java
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/impl/GeneratedCredentialFactoryBean.java
Wed Mar 18 12:21:24 2015 UTC
@@ -2,23 +2,31 @@

import br.net.woodstock.rockframework.security.Identity;
import br.net.woodstock.rockframework.security.cert.CertificateGenerator;
+import br.net.woodstock.rockframework.security.cert.CertificateRequest;
import br.net.woodstock.rockframework.security.cert.CertificateResponse;
import gov.hhs.onc.phiz.crypto.PhizCredential;
import java.io.OutputStreamWriter;
+import java.security.KeyPairGenerator;
import java.util.Date;
import javax.annotation.Nullable;
import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;
import org.bouncycastle.util.io.pem.PemWriter;
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.BeanFactory;
+import org.springframework.beans.factory.BeanFactoryAware;
+import org.springframework.beans.factory.ListableBeanFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.io.FileSystemResource;

-public class GeneratedCredentialFactoryBean extends
AbstractPhizCryptoFactoryBean<PhizCredential> {
+public class GeneratedCredentialFactoryBean extends
AbstractPhizCryptoFactoryBean<PhizCredential> implements BeanFactoryAware {
@Autowired
@SuppressWarnings({ "SpringJavaAutowiringInspection" })
private CertificateGenerator certGen;

+ private ListableBeanFactory beanFactory;
private PhizCredential cred;
+ private String keyPairGenBeanName;
private FileSystemResource privateKeyResource;
private FileSystemResource certResource;

@@ -28,11 +36,16 @@

@Override
public PhizCredential getObject() throws Exception {
+ CertificateRequest certReq = this.cred.getCertificateRequest();
+
+ certReq.setKeyPair(((KeyPairGenerator)
this.beanFactory.getBean(this.keyPairGenBeanName,
certReq.getKeySize().getSize())).generateKeyPair());
+
if (!this.cred.isRootIssuer()) {
+ // noinspection ConstantConditions

this.cred.getCertificateRequest().setIssuer(this.cred.getIssuerCredential().getCertificateResponse().getIdentity());
}

- CertificateResponse certResp =
this.certGen.generate(this.cred.getCertificateRequest());
+ CertificateResponse certResp = this.certGen.generate(certReq);
this.cred.setCertificateResponse(certResp);

Identity identity = certResp.getIdentity();
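Review bot: `getBean(this.keyPairGenBeanName, certReq.getKeySize().getSize())` depends on `keyPairGenBeanName` having been set and, at least in older Spring versions, on the target being a prototype-scoped definition (explicit constructor arguments are rejected for non-prototypes); neither is validated here, so a misconfiguration only surfaces on the first `getObject()` call. Fail earlier with `Objects.requireNonNull(this.keyPairGenBeanName, "keyPairGeneratorBeanName")` before the lookup, and add a comment that the referenced generator bean must be prototype-scoped. The `// noinspection ConstantConditions` suppression on the issuer line hides a possible null from `getIssuerCredential()`; a `requireNonNull` with a message would give a clearer failure than a bare NPE. The method continues beyond the hunk.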
@@ -59,6 +72,11 @@

return this.cred;
}
+
+ @Override
+ public void setBeanFactory(BeanFactory beanFactory) throws
BeansException {
+ this.beanFactory = ((ListableBeanFactory) beanFactory);
+ }

public boolean hasCertificateResource() {
return (this.certResource != null);
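Review bot: `setBeanFactory` narrows the injected factory to `ListableBeanFactory` with an unchecked cast, but the only call on the field in this commit is `getBean(name, args)`, which `BeanFactory` already provides; the cast adds a `ClassCastException` failure mode for containers that supply a plain `BeanFactory` without any benefit. Declare the field as `private BeanFactory beanFactory;` and assign `this.beanFactory = beanFactory;`, or add a comment explaining why listing capability is required.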
@@ -80,6 +98,14 @@
public void setCredential(PhizCredential cred) {
this.cred = cred;
}
+
+ public String getKeyPairGeneratorBeanName() {
+ return this.keyPairGenBeanName;
+ }
+
+ public void setKeyPairGeneratorBeanName(String keyPairGenBeanName) {
+ this.keyPairGenBeanName = keyPairGenBeanName;
+ }

public boolean hasPrivateKeyResource() {
return (this.privateKeyResource != null);
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/impl/PhizKeyPairGeneratorFactoryBean.java
Thu Dec 25 10:17:46 2014 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/impl/PhizKeyPairGeneratorFactoryBean.java
Wed Mar 18 12:21:24 2015 UTC
@@ -8,7 +8,13 @@
private SecureRandom secRand;

public PhizKeyPairGeneratorFactoryBean() {
+ this(-1);
+ }
+
+ public PhizKeyPairGeneratorFactoryBean(int keySize) {
super(KeyPairGenerator.class);
+
+ this.keySize = keySize;
}

@Override
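Review bot: The no-arg constructor now seeds `keySize` with `-1` and the setter that previously allowed overriding it is removed in the next hunk, so a factory created through the default constructor carries an invalid size unless something outside this hunk replaces it; if that value reaches `KeyPairGenerator.initialize(int, SecureRandom)` it fails with `InvalidParameterException` at first use rather than at configuration time. Either reject non-positive sizes in the int constructor (`if (keySize <= 0) throw new IllegalArgumentException("keySize must be positive: " + keySize);` would rule out the sentinel for explicit callers) or document it: `/** Key size in bits; -1 means "not configured" and must be replaced before the generator is initialized. */`. The class header and the method that initializes the generator are outside the hunk.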
@@ -22,10 +28,6 @@
public int getKeySize() {
return this.keySize;
}
-
- public void setKeySize(int keySize) {
- this.keySize = keySize;
- }

public SecureRandom getSecureRandom() {
return this.secRand;
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizTrustManager.java
Wed Mar 18 02:04:22 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/impl/PhizTrustManager.java
Wed Mar 18 12:21:24 2015 UTC
@@ -4,6 +4,7 @@
import gov.hhs.onc.phiz.crypto.logging.impl.SslTrustEventImpl;
import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
import gov.hhs.onc.phiz.crypto.ssl.PhizSslManagerBean;
+import gov.hhs.onc.phiz.crypto.ssl.constraints.impl.PhizConstraintsChecker;
import gov.hhs.onc.phiz.crypto.ssl.revocation.impl.PhizRevocationChecker;
import gov.hhs.onc.phiz.crypto.utils.PhizCertificatePathUtils;
import gov.hhs.onc.phiz.crypto.utils.PhizCertificateUtils;
@@ -45,6 +46,7 @@
private BeanFactory beanFactory;
private List<PKIXCertPathChecker> certPathCheckers;
private X509CertSelector certSelector;
+ private String constraintsCheckerBeanName;
private KeyStore keyStore;
private Provider prov;
private String revocationCheckerBeanName;
@@ -148,8 +150,12 @@
ExtendedPKIXBuilderParameters certBuilderParams =
((ExtendedPKIXBuilderParameters) this.builderParams.clone());
certBuilderParams.setTargetCertConstraints(certSelector);

certBuilderParams.addCertStore(PhizCertificatePathUtils.buildStore(certs));
-
certBuilderParams.addCertPathChecker(((PhizRevocationChecker)
this.beanFactory.getBean(this.revocationCheckerBeanName, loc,
-
PhizCertificatePathUtils.findRootCertificate(certBuilderParams,
certs[0]))));
+
+ X509Certificate issuerCert =
PhizCertificatePathUtils.findRootCertificate(certBuilderParams, certs[0]);
+
+
certBuilderParams.addCertPathChecker(((PhizConstraintsChecker)
this.beanFactory.getBean(this.constraintsCheckerBeanName, loc,
issuerCert)));
+
+
certBuilderParams.addCertPathChecker(((PhizRevocationChecker)
this.beanFactory.getBean(this.revocationCheckerBeanName, loc, issuerCert)));

CertPathBuilder builder =
CertPathBuilder.getInstance(this.type, this.prov);

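Review bot: Both path checkers are constructed with `issuerCert = findRootCertificate(...)`, i.e. the trust anchor, yet `PhizRevocationChecker` uses `issuerCertHolder` to form the OCSP `CertID` for every certificate it checks; that is only the true issuer when the chain has no intermediates, so for a root → intermediate → leaf chain the leaf's CertID would be hashed against the root's name and key and the responder would answer `unknown`, failing the handshake (or soft-failing if `optional` is set). If intermediate CAs are out of scope for PHIZ, say so in a comment next to the `issuerCert` declaration; otherwise the checker needs the per-certificate issuer, e.g. resolved from the built path inside `checkInternal`. `PhizConstraintsChecker` does not reference `issuerCert` anywhere in this commit, so the parameter it receives could be documented as reserved. The enclosing method continues outside the hunk.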
@@ -214,6 +220,14 @@
public void setCertificateSelector(X509CertSelector certSelector) {
this.certSelector = certSelector;
}
+
+ public String getConstraintsCheckerBeanName() {
+ return this.constraintsCheckerBeanName;
+ }
+
+ public void setConstraintsCheckerBeanName(String
constraintsCheckerBeanName) {
+ this.constraintsCheckerBeanName = constraintsCheckerBeanName;
+ }

@Override
public KeyStore getKeyStore() {
=======================================
---
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/revocation/impl/PhizRevocationChecker.java
Wed Mar 18 02:04:22 2015 UTC
+++
/phiz-core/src/main/java/gov/hhs/onc/phiz/crypto/ssl/revocation/impl/PhizRevocationChecker.java
Wed Mar 18 12:21:24 2015 UTC
@@ -2,6 +2,7 @@

import com.github.sebhoss.warnings.CompilerWarnings;
import gov.hhs.onc.phiz.crypto.ssl.PhizSslLocation;
+import gov.hhs.onc.phiz.crypto.ssl.impl.AbstractPhizPathChecker;
import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspCertificateStatusType;
import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspContentTypes;
import gov.hhs.onc.phiz.crypto.ssl.revocation.OcspOids;
@@ -19,28 +20,21 @@
import java.security.SecureRandom;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
-import java.security.cert.Certificate;
import java.security.cert.CertificateRevokedException;
-import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
-import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnegative;
import javax.annotation.Nullable;
-import javax.annotation.Resource;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.collections4.set.ListOrderedSet;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.ArrayUtils;
-import org.apache.commons.lang3.time.FastDateFormat;
import org.apache.http.HttpHeaders;
import org.apache.http.client.methods.HttpPost;
import org.bouncycastle.asn1.ASN1EncodableVector;
@@ -57,8 +51,6 @@
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
-import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
@@ -69,10 +61,9 @@
import org.bouncycastle.operator.DigestCalculator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.MimeType;

-public class PhizRevocationChecker extends PKIXRevocationChecker
implements InitializingBean {
+public class PhizRevocationChecker extends AbstractPhizPathChecker {
private static class OcspExtension implements
java.security.cert.Extension {
private Extension ext;

@@ -103,16 +94,8 @@

private final static Map<String, String> BASE_OCSP_REQ_HEADERS = new
LinkedHashMap<>();

- private final static List<CertPathValidatorException>
SOFT_FAIL_EXCEPTIONS =
Collections.unmodifiableList(Collections.emptyList());
-
private final static Logger LOGGER =
LoggerFactory.getLogger(PhizRevocationChecker.class);

- @Resource(name = "dateFormatUtcDisplay")
- private FastDateFormat displayDateFormat;
-
- private PhizSslLocation loc;
- private X509Certificate issuerCert;
-
private int connectTimeout;
private AlgorithmIdentifier digestAlgId;
private int nonceSize;
@@ -120,8 +103,6 @@
private ListOrderedSet<AlgorithmIdentifier> preferredSigAlgIds;
private int readTimeout;
private SecureRandom secureRandom;
- private int pathIndex;
- private X509CertificateHolder issuerCertHolder;
private DigestCalculator digestCalc;
private Extension[] baseOcspReqExts;

@@ -131,25 +112,12 @@
}

public PhizRevocationChecker(PhizSslLocation loc, X509Certificate
issuerCert) {
- this.loc = loc;
- this.issuerCert = issuerCert;
- }
-
- @Override
- public void check(Certificate cert, Collection<String>
unresolvedCriticalExts) throws CertPathValidatorException {
- this.pathIndex++;
-
- this.checkInternal(((X509Certificate) cert));
- }
-
- @Override
- public void init(boolean forward) throws CertPathValidatorException {
- this.pathIndex = -1;
+ super(loc, issuerCert, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}

@Override
public void afterPropertiesSet() throws Exception {
- this.issuerCertHolder = new
JcaX509CertificateHolder(this.issuerCert);
+ super.afterPropertiesSet();

this.digestCalc =
PhizCryptoUtils.DIGEST_CALC_PROV.get(this.digestAlgId);

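Review bot: With this change the class extends `AbstractPhizPathChecker` (a plain `PKIXCertPathChecker`) instead of `PKIXRevocationChecker`, so a PKIX implementation no longer treats it as the revocation checker: whatever `PKIXParameters.isRevocationEnabled()` says on the builder parameters still governs the provider's built-in CRL/OCSP checking independently of this bean. Confirm that the builder parameters (configured outside this hunk) disable built-in revocation if this checker is meant to be authoritative, or keep it enabled deliberately as defence in depth, and record the decision in a class Javadoc such as `/** OCSP-only revocation checker registered as an additional PKIXCertPathChecker; the provider's built-in revocation checking is controlled separately via PKIXParameters#setRevocationEnabled. */`. The default reason passed to `super` is `UNDETERMINED_REVOCATION_STATUS`, with `REVOKED` now derived from a `CertificateRevokedException` cause by the base class rather than by the removed inline mapping — worth a one-line comment beside the constructor.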
@@ -166,7 +134,7 @@

@Override
@SuppressWarnings({ "CloneDoesntCallSuperClone" })
- public PKIXRevocationChecker clone() {
+ public PhizRevocationChecker clone() {
return this;
}

@@ -198,31 +166,22 @@
.getString()) : null);
}

- private static CertPathValidatorException buildException(String msg) {
- return buildException(msg, null);
- }
-
- private static CertPathValidatorException buildException(String msg,
@Nullable Throwable cause) {
- return new CertPathValidatorException(msg, cause, null, -1,
((cause instanceof CertificateRevokedException)
- ? BasicReason.REVOKED :
BasicReason.UNDETERMINED_REVOCATION_STATUS));
- }
-
+ @Override
@SuppressWarnings({ CompilerWarnings.UNCHECKED })
- private void checkInternal(X509Certificate cert) throws
CertPathValidatorException {
- String certSubjectDnNameStr =
cert.getSubjectX500Principal().getName(), certIssuerDnNameStr =
cert.getIssuerX500Principal().getName();
- BigInteger certSerialNum = cert.getSerialNumber();
+ protected void checkInternal(X509Certificate cert, String
certSubjectDnNameStr, String certIssuerDnNameStr, BigInteger certSerialNum)
+ throws CertPathValidatorException {
URL ocspResponderUrl;

try {
ocspResponderUrl = findOcspResponderUrl(cert);
} catch (IOException e) {
- throw buildException(String.format("Unable to determine SSL %s
certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP URL.",
+ throw this.buildException(String.format("Unable to determine
SSL %s certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP
URL.",
this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum), e);
}

if (ocspResponderUrl == null) {
if (!this.optional) {
- throw buildException(String.format("SSL %s certificate
(subjectDnName=%s, issuerDnName=%s, serialNum=%d) does not specify an OCSP
URL.",
+ throw this.buildException(String.format("SSL %s
certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) does not
specify an OCSP URL.",
this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum));
} else {
LOGGER.info(String.format("Skipping SSL %s certificate
(subjectDnName=%s, issuerDnName=%s, serialNum=%d) revocation checking.",
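Review bot: In the `optional` branch a certificate with no OCSP responder URL is accepted with only an INFO message and without the `PhizLogstashTags.SSL` marker that the sibling `PhizConstraintsChecker` attaches to its decisions, so a skipped revocation check is hard to alert on in the log pipeline. Log it at WARN with the marker, `LOGGER.warn(PhizLogstashMarkers.append(PhizLogstashTags.SSL), String.format(...))` (the marker import is not visible in this file's diff, so it may need adding), and document on the `optional` setter that `true` means soft-fail for certificates lacking an AIA OCSP entry. The `IOException` from `findOcspResponderUrl` is correctly treated as fail-closed. `checkInternal` continues beyond the hunk.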
@@ -237,7 +196,7 @@
try {
ocspReqCertId = new PhizCertificateId(this.digestCalc,
this.issuerCertHolder, certSerialNum);
} catch (OCSPException e) {
- throw buildException(String.format("Unable to determine SSL %s
certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP ID.",
+ throw this.buildException(String.format("Unable to determine
SSL %s certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP
ID.",
this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum), e);
}

@@ -253,7 +212,7 @@
try {
ocspReqContent = ocspReqBuilder.build().getEncoded();
} catch (IOException | OCSPException e) {
- throw buildException(String.format("Unable to build SSL %s
certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP
request.",
+ throw this.buildException(String.format("Unable to build
SSL %s certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP
request.",
this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum), e);
}

@@ -262,14 +221,15 @@
try {
ocspRespWrapper = this.queryOcspResponder(ocspResponderUrl,
ocspReqContent);
} catch (IOException e) {
- throw buildException(String.format("Unable to query SSL %s
certificate (subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP
responder (url=%s).",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl), e);
+ throw this.buildException(String.format(
+ "Unable to query SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s).", this.loc.getId(),
+ certSubjectDnNameStr, certIssuerDnNameStr, certSerialNum,
ocspResponderUrl), e);
}

OcspResponseStatusType ocspRespStatus =
PhizCryptoUtils.findByTag(OcspResponseStatusType.class,
ocspRespWrapper.getStatus());

if (ocspRespStatus != OcspResponseStatusType.SUCCESSFUL) {
- throw buildException(String.format(
+ throw this.buildException(String.format(
"Invalid SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response status
(%s).", this.loc.getId(),
certSubjectDnNameStr, certIssuerDnNameStr, certSerialNum,
ocspResponderUrl, ocspRespStatus));
}
@@ -277,7 +237,7 @@
ASN1ObjectIdentifier ocspRespType =
ocspRespWrapper.toASN1Structure().getResponseBytes().getResponseType();

if
(!ocspRespType.equals(OCSPObjectIdentifiers.id_pkix_ocsp_basic)) {
- throw buildException(String.format(
+ throw this.buildException(String.format(
"Invalid SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response type
(oid=%s).",
this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespType.getId()));
}
@@ -287,7 +247,7 @@
try {
ocspResp = ((BasicOCSPResp)
ocspRespWrapper.getResponseObject());
} catch (OCSPException e) {
- throw buildException(String.format(
+ throw this.buildException(String.format(
"Unable to build SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response.",
this.loc.getId(),
certSubjectDnNameStr, certIssuerDnNameStr, certSerialNum,
ocspResponderUrl), e);
}
@@ -296,21 +256,23 @@
Extension nonceOcspRespExt =
ocspResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);

if (nonceOcspRespExt == null) {
- throw buildException(String
- .format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) does not contain a nonce extension (oid=%s).",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
- OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId()));
+ throw this
+ .buildException(String
+ .format(
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) does not contain a nonce extension (oid=%s).",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
+ OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId()));
}

byte[] nonceOcspRespExtContent =
nonceOcspRespExt.getExtnValue().getOctets();

if (!Arrays.equals(nonceOcspReqExtContent,
nonceOcspRespExtContent)) {
- throw buildException(String
- .format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) nonce extension (oid=%s) value does not match (%s).",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
- OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId(),
Hex.encodeHexString(nonceOcspRespExtContent)));
+ throw this
+ .buildException(String
+ .format(
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) nonce extension (oid=%s) value does not match (%s).",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
+ OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId(),
Hex.encodeHexString(nonceOcspRespExtContent)));
}

SingleResp ocspCertResp = null;
@@ -324,19 +286,22 @@
ocspCertResp = availableOcspCertResp;
}
} catch (OCSPException e) {
- throw buildException(
- String.format(
- "Unable to match SSL %s certificate
(subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP responder (url=%s)
response (producedAt=%s) certificate (serialNum=%d) status.",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
- availableOcspCertRespId.getSerialNumber()), e);
+ throw this
+ .buildException(
+ String
+ .format(
+ "Unable to match SSL %s certificate
(subjectDnName=%s, issuerDnName=%s, serialNum=%d) OCSP responder (url=%s)
response (producedAt=%s) certificate (serialNum=%d) status.",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
+
availableOcspCertRespId.getSerialNumber()), e);
}
}

if (ocspCertResp == null) {
- throw buildException(String
- .format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) does not contain matching certificate status.",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr));
+ throw this
+ .buildException(String
+ .format(
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) does not contain matching certificate status.",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr));
}

Date ocspCertRespNextUpdateTime = ocspCertResp.getNextUpdate();
@@ -369,20 +334,23 @@
ocspCertRespRevokedStatus.getRevocationReason()) :
OcspRevokeReasonType.UNSPECIFIED);

// noinspection ConstantConditions
- throw buildException(
- String.format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) certificate status (thisUpdate=%s, nextUpdate=%s) is
revoked (time=%s, reason=%s).",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
- ocspCertRespThisUpdateTimeStr,
ocspCertRespNextUpdateTimeStr,
this.displayDateFormat.format(ocspCertRespRevokeTime),
- ocspCertRespRevokeReason.name()), new
CertificateRevokedException(ocspCertRespRevokeTime,
ocspCertRespRevokeReason.getReason(),
- this.issuerCert.getSubjectX500Principal(),
mapOcspResponseExtensions(ocspResp)));
+ throw this
+ .buildException(
+ String
+ .format(
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) certificate status (thisUpdate=%s, nextUpdate=%s) is
revoked (time=%s, reason=%s).",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
+ ocspCertRespThisUpdateTimeStr,
ocspCertRespNextUpdateTimeStr,
this.displayDateFormat.format(ocspCertRespRevokeTime),
+ ocspCertRespRevokeReason.name()), new
CertificateRevokedException(ocspCertRespRevokeTime,
ocspCertRespRevokeReason.getReason(),
+ this.issuerCert.getSubjectX500Principal(),
mapOcspResponseExtensions(ocspResp)));

case UNKNOWN:
- throw buildException(String
- .format(
- "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) certificate status (thisUpdate=%s, nextUpdate=%s) is
unknown.",
- this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
- ocspCertRespThisUpdateTimeStr,
ocspCertRespNextUpdateTimeStr));
+ throw this
+ .buildException(String
+ .format(
+ "SSL %s certificate (subjectDnName=%s,
issuerDnName=%s, serialNum=%d) OCSP responder (url=%s) response
(producedAt=%s) certificate status (thisUpdate=%s, nextUpdate=%s) is
unknown.",
+ this.loc.getId(), certSubjectDnNameStr,
certIssuerDnNameStr, certSerialNum, ocspResponderUrl,
ocspRespProducedAtTimeStr,
+ ocspCertRespThisUpdateTimeStr,
ocspCertRespNextUpdateTimeStr));
}
}

@@ -448,11 +416,6 @@
public void setDigestAlgorithmId(String digestAlgId) {
this.digestAlgId =
PhizCryptoUtils.DIGEST_ALG_ID_FINDER.find(digestAlgId);
}
-
- @Override
- public boolean isForwardCheckingSupported() {
- return false;
- }

@Nonnegative
public int getNonceSize() {
@@ -495,15 +458,4 @@
public void setSecureRandom(SecureRandom secureRandom) {
this.secureRandom = secureRandom;
}
-
- @Override
- public List<CertPathValidatorException> getSoftFailExceptions() {
- return SOFT_FAIL_EXCEPTIONS;
- }
-
- @Nullable
- @Override
- public Set<String> getSupportedExtensions() {
- return null;
- }
}
=======================================
--- /phiz-core/src/main/resources/META-INF/phiz/phiz.properties Sat Mar 7
17:35:44 2015 UTC
+++ /phiz-core/src/main/resources/META-INF/phiz/phiz.properties Wed Mar 18
12:21:24 2015 UTC
@@ -31,6 +31,12 @@
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,\
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+
+
+#================================================================================
+# CRYPTOGRAPHY CONSTRAINTS
+#================================================================================
+phiz.crypto.constraints.key.rsa.size.min=#{
T(br.net.woodstock.rockframework.security.cert.KeySizeType).KEYSIZE_2K.size
}


#================================================================================
# CRYPTOGRAPHY CREDENTIALS: CERTIFICATE AUTHORITY
=======================================
---
/phiz-core/src/main/resources/META-INF/phiz/spring/spring-phiz-crypto-ssl.xml
Wed Mar 18 02:04:22 2015 UTC
+++
/phiz-core/src/main/resources/META-INF/phiz/spring/spring-phiz-crypto-ssl.xml
Wed Mar 18 12:21:24 2015 UTC
@@ -50,14 +50,39 @@

<beans:bean id="certPathCheckerPkix"
class="java.security.cert.PKIXCertPathChecker" parent="certPathChecker"
abstract="true"/>

+
<!--====================================================================================================
+ = CONSTRAINTS CHECKERS
+
=====================================================================================================-->
+ <!--suppress SpringBeanConstructorArgInspection -->
+ <beans:bean id="constraintsChecker"
class="gov.hhs.onc.phiz.crypto.ssl.constraints.impl.PhizConstraintsChecker"
parent="certPathCheckerPkix"
+ lazy-init="true" scope="prototype">
+ <beans:property name="keyTypes">
+ <beans:set>
+ <beans:value>RSA</beans:value>
+ </beans:set>
+ </beans:property>
+ <beans:property name="minimumKeySizes">
+ <beans:map>
+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:entry key="#{
T(gov.hhs.onc.phiz.crypto.PhizKeyType).RSA }"
value="${phiz.crypto.constraints.key.rsa.size.min}"/>
+ </beans:map>
+ </beans:property>
+ <beans:property name="signatureAlgorithmIds">
+ <beans:set>
+ <beans:value>#{
T(br.net.woodstock.rockframework.security.sign.SignatureType).SHA512_RSA.algorithm
}</beans:value>
+ <beans:value>#{
T(br.net.woodstock.rockframework.security.sign.SignatureType).SHA384_RSA.algorithm
}</beans:value>
+ <beans:value>#{
T(br.net.woodstock.rockframework.security.sign.SignatureType).SHA256_RSA.algorithm
}</beans:value>
+ <beans:value>#{
T(br.net.woodstock.rockframework.security.sign.SignatureType).SHA1_RSA.algorithm
}</beans:value>
+ </beans:set>
+ </beans:property>
+ </beans:bean>
+

<!--====================================================================================================
= REVOCATION CHECKERS

=====================================================================================================-->
- <beans:bean id="revocationChecker"
class="java.security.cert.PKIXRevocationChecker"
parent="certPathCheckerPkix" abstract="true"/>
-
<!--suppress SpringBeanConstructorArgInspection,
SpringPlaceholdersInspection -->
- <beans:bean id="revocationCheckerBase"
class="gov.hhs.onc.phiz.crypto.ssl.revocation.impl.PhizRevocationChecker"
parent="revocationChecker" lazy-init="true"
- scope="prototype"
+ <beans:bean id="revocationChecker"
class="gov.hhs.onc.phiz.crypto.ssl.revocation.impl.PhizRevocationChecker"
parent="certPathCheckerPkix"
+ lazy-init="true" scope="prototype"
p:connectTimeout="${phiz.crypto.ocsp.conn.timeout}"
p:digestAlgorithmId="#{
T(br.net.woodstock.rockframework.security.digest.DigestType).SHA256.algorithm
}"
p:nonceSize="${phiz.crypto.ocsp.nonce.size}"
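Review bot: The signatureAlgorithmIds allow-list on constraintsChecker still admits SHA1_RSA (the last beans:value in that set), so a certificate signed with SHA-1 passes the new constraints check while only MD5-signed ones are rejected, and the negative fixture added in spring-phiz-web-soapui-test.xml exercises MD5_RSA alone. SHA-1 certificate signatures were already being phased out when this was written, so if SHA1_RSA is kept deliberately for an existing CA it should say so next to the entry, e.g. `<!-- SHA1_RSA retained for legacy-issued certificates; drop once they are re-issued -->`, rather than surviving by accident. Separately, revocationChecker now inherits from certPathCheckerPkix instead of the removed PKIXRevocationChecker parent (the Java hunk drops the getSoftFailExceptions override accordingly), which as far as I can tell means the JDK no longer treats it as the path's revocation checker; the PKIX parameters' revocationEnabled setting should be checked so that revocation is neither silently skipped nor run twice — that wiring is outside this hunk.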
@@ -74,7 +99,7 @@
</beans:bean>

<!--suppress SpringBeanConstructorArgInspection -->
- <beans:bean id="revocationCheckerOptional"
parent="revocationCheckerBase" lazy-init="true" scope="prototype"
+ <beans:bean id="revocationCheckerOptional" parent="revocationChecker"
lazy-init="true" scope="prototype"
p:optional="true"/>


<!--====================================================================================================
@@ -95,8 +120,11 @@
p:certificateSelector-ref="certSelectorX509"
p:provider="#{ T(gov.hhs.onc.phiz.crypto.PhizCryptoProviders).BC }"
p:type="PKIX">
+ <beans:property name="constraintsCheckerBeanName">
+ <beans:idref bean="constraintsChecker"/>
+ </beans:property>
<beans:property name="revocationCheckerBeanName">
- <beans:idref bean="revocationCheckerBase"/>
+ <beans:idref bean="revocationChecker"/>
</beans:property>
</beans:bean>

@@ -105,6 +133,7 @@

=====================================================================================================-->
<!--suppress SpringPlaceholdersInspection -->
<beans:bean id="sslParams" class="javax.net.ssl.SSLParameters"
abstract="true"
+ p:algorithmConstraints-ref="constraintsPermitAll"
p:cipherSuites="${phiz.crypto.cipher.suites}"
p:useCipherSuitesOrder="true">
<beans:property name="protocols">
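Review bot: `p:algorithmConstraints-ref="constraintsPermitAll"` on sslParams means the application imposes no AlgorithmConstraints of its own on the handshake; as far as I can tell JSSE combines caller-supplied constraints with the JDK's disabled-algorithms security properties rather than replacing them, so a permit-all object simply adds nothing, leaving the cipher-suite list in `${phiz.crypto.cipher.suites}` and the JDK defaults as the only handshake-level policy. The constraintsChecker introduced in this commit applies to certificate-path validation only and does not cover the key-exchange or signature algorithms negotiated during the handshake. If that split is intended, document it on the property, e.g. `<!-- handshake algorithm policy is left to the JDK defaults; certificate key-size/signature policy is enforced by constraintsChecker -->`. The constraintsPermitAll bean definition is outside this hunk.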
=======================================
---
/phiz-core/src/main/resources/META-INF/phiz/spring/spring-phiz-crypto.xml
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-core/src/main/resources/META-INF/phiz/spring/spring-phiz-crypto.xml
Wed Mar 18 12:21:24 2015 UTC
@@ -35,11 +35,11 @@

=====================================================================================================-->
<beans:bean id="keyPairGen" class="java.security.KeyPairGenerator"
abstract="true"/>

- <beans:bean id="keyPairGenRsa"
class="gov.hhs.onc.phiz.crypto.impl.PhizKeyPairGeneratorFactoryBean"
parent="keyPairGen"
- p:keySize="#{
T(br.net.woodstock.rockframework.security.cert.KeySizeType).KEYSIZE_2K.size
}"
+ <!--suppress SpringBeanConstructorArgInspection -->
+ <beans:bean id="keyPairGenBase"
class="gov.hhs.onc.phiz.crypto.impl.PhizKeyPairGeneratorFactoryBean"
parent="keyPairGen" lazy-init="true" scope="prototype"
p:provider="#{ T(gov.hhs.onc.phiz.crypto.PhizCryptoProviders).BC }"
p:secureRandom-ref="secureRandomSha1"
- p:type="#{
T(br.net.woodstock.rockframework.security.crypt.KeyPairType).RSA.algorithm
}"/>
+ p:type="#{ T(gov.hhs.onc.phiz.crypto.PhizKeyType).RSA.id }"/>


<!--====================================================================================================
= CERTIFICATES
@@ -57,7 +57,7 @@
= CERTIFICATE REQUESTS

=====================================================================================================-->
<beans:bean id="certReq"
class="br.net.woodstock.rockframework.security.cert.CertificateRequest"
abstract="true"
- p:keyPair="#{ keyPairGenRsa.generateKeyPair() }"
+ p:keySize="KEYSIZE_2K"
p:provider="#{
T(gov.hhs.onc.phiz.crypto.PhizCryptoProviders).BC_NAME }"
p:signType="SHA512_RSA"
p:version="V3"/>
@@ -103,7 +103,11 @@

<beans:bean id="credImpl"
class="gov.hhs.onc.phiz.crypto.impl.PhizCredentialImpl" parent="cred"
abstract="true"/>

- <beans:bean id="credGen"
class="gov.hhs.onc.phiz.crypto.impl.GeneratedCredentialFactoryBean"
parent="cred" abstract="true"/>
+ <beans:bean id="credGen"
class="gov.hhs.onc.phiz.crypto.impl.GeneratedCredentialFactoryBean"
parent="cred" abstract="true">
+ <beans:property name="keyPairGeneratorBeanName">
+ <beans:idref bean="keyPairGenBase"/>
+ </beans:property>
+ </beans:bean>


<!--====================================================================================================
= KEY STORE PROTECTION
=======================================
---
/phiz-web-core/src/test/java/gov/hhs/onc/phiz/web/test/soapui/PhizSoapUiProperties.java
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-web-core/src/test/java/gov/hhs/onc/phiz/web/test/soapui/PhizSoapUiProperties.java
Wed Mar 18 12:21:24 2015 UTC
@@ -11,6 +11,8 @@
public final static String BAD_PROTOCOL_VERSIONS_SSL_PARAMS_VALUE
= "bad.protocol.versions";

public final static String SSL_SOCKET_FACTORY_NAME = SSL_PREFIX
+ "socket.factory";
+ public final static String INVALID_KEY_SIZE_SSL_SOCKET_FACTORY_VALUE
= "key.size";
+ public final static String INVALID_SIG_ALG_SSL_SOCKET_FACTORY_VALUE
= "sig.alg";
public final static String REVOKED_SSL_SOCKET_FACTORY_VALUE
= "revoked";
public final static String UNTRUSTED_SSL_SOCKET_FACTORY_VALUE
= "untrusted";

=======================================
---
/phiz-web-core/src/test/resources/META-INF/phiz/phiz-web-test.properties
Sat Mar 7 13:04:18 2015 UTC
+++
/phiz-web-core/src/test/resources/META-INF/phiz/phiz-web-test.properties
Wed Mar 18 12:21:24 2015 UTC
@@ -10,6 +10,8 @@
# CRYPTOGRAPHY CREDENTIALS: SOAPUI CLIENT

#================================================================================
phiz.crypto.cred.soapui.client.ssl.subject.cn=phiz_soapui_client
+phiz.crypto.cred.soapui.client.invalid.key.size.ssl.subject.cn=${phiz.crypto.cred.soapui.client.ssl.subject.cn}_invalid_key_size
+phiz.crypto.cred.soapui.client.invalid.sig.alg.ssl.subject.cn=${phiz.crypto.cred.soapui.client.ssl.subject.cn}_invalid_sig_alg

phiz.crypto.cred.soapui.client.revoked.ssl.subject.cn=${phiz.crypto.cred.soapui.client.ssl.subject.cn}_revoked

phiz.crypto.cred.soapui.client.untrusted.ssl.subject.cn=${phiz.crypto.cred.soapui.client.ssl.subject.cn}_untrusted

@@ -18,6 +20,10 @@

#================================================================================

phiz.crypto.store.key.soapui.client.file=${phiz.conf.ssl.dir}/phiz_store_key_soapui_client.jks
phiz.crypto.store.key.soapui.client.pass=storepass
+phiz.crypto.store.key.soapui.client.invalid.key.size.file=${phiz.conf.ssl.dir}/phiz_store_key_soapui_client_invalid_key_size.jks
+phiz.crypto.store.key.soapui.client.invalid.key.size.pass=${phiz.crypto.store.key.soapui.client.pass}
+phiz.crypto.store.key.soapui.client.invalid.sig.alg.file=${phiz.conf.ssl.dir}/phiz_store_key_soapui_client_invalid_sig_alg.jks
+phiz.crypto.store.key.soapui.client.invalid.sig.alg.pass=${phiz.crypto.store.key.soapui.client.pass}

phiz.crypto.store.key.soapui.client.revoked.file=${phiz.conf.ssl.dir}/phiz_store_key_soapui_client_revoked.jks

phiz.crypto.store.key.soapui.client.revoked.pass=${phiz.crypto.store.key.soapui.client.pass}

phiz.crypto.store.key.soapui.client.untrusted.file=${phiz.conf.ssl.dir}/phiz_store_key_soapui_client_untrusted.jks
@@ -28,6 +34,10 @@

#================================================================================

phiz.crypto.store.key.soapui.client.entry.ssl.alias=${phiz.crypto.cred.soapui.client.ssl.subject.cn}

phiz.crypto.store.key.soapui.client.entry.ssl.pass=${phiz.crypto.store.key.soapui.client.pass}
+phiz.crypto.store.key.soapui.client.invalid.key.size.entry.ssl.alias=${phiz.crypto.cred.soapui.client.invalid.key.size.ssl.subject.cn}
+phiz.crypto.store.key.soapui.client.invalid.key.size.entry.ssl.pass=${phiz.crypto.store.key.soapui.client.pass}
+phiz.crypto.store.key.soapui.client.invalid.sig.alg.entry.ssl.alias=${phiz.crypto.cred.soapui.client.invalid.sig.alg.ssl.subject.cn}
+phiz.crypto.store.key.soapui.client.invalid.sig.alg.entry.ssl.pass=${phiz.crypto.store.key.soapui.client.pass}

phiz.crypto.store.key.soapui.client.revoked.entry.ssl.alias=${phiz.crypto.cred.soapui.client.revoked.ssl.subject.cn}

phiz.crypto.store.key.soapui.client.revoked.entry.ssl.pass=${phiz.crypto.store.key.soapui.client.pass}

phiz.crypto.store.key.soapui.client.untrusted.entry.ssl.alias=${phiz.crypto.cred.soapui.client.untrusted.ssl.subject.cn}
=======================================
---
/phiz-web-core/src/test/resources/META-INF/phiz/spring/spring-phiz-web-soapui-test.xml
Wed Mar 18 02:04:22 2015 UTC
+++
/phiz-web-core/src/test/resources/META-INF/phiz/spring/spring-phiz-web-soapui-test.xml
Wed Mar 18 12:21:24 2015 UTC
@@ -18,7 +18,6 @@

<!--====================================================================================================
= CREDENTIALS

=====================================================================================================-->
- <!--suppress SpringPlaceholdersInspection -->
<beans:bean id="credSoapUiClient" parent="credGen">
<beans:property name="credential">
<beans:bean parent="credLeaf">
@@ -35,7 +34,40 @@
</beans:property>
</beans:bean>

- <!--suppress SpringPlaceholdersInspection -->
+ <beans:bean id="credSoapUiClientInvalidKeySize" parent="credGen">
+ <beans:property name="credential">
+ <beans:bean parent="credLeaf">
+ <beans:property name="certificateRequest">
+ <beans:bean parent="certReqLeaf"
+ p:keySize="KEYSIZE_1K">
+ <beans:constructor-arg name="subject">
+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:bean parent="dn"
+
p:commonName="${phiz.crypto.cred.soapui.client.invalid.key.size.ssl.subject.cn}"/>
+ </beans:constructor-arg>
+ </beans:bean>
+ </beans:property>
+ </beans:bean>
+ </beans:property>
+ </beans:bean>
+
+ <beans:bean id="credSoapUiClientInvalidSigAlg" parent="credGen">
+ <beans:property name="credential">
+ <beans:bean parent="credLeaf">
+ <beans:property name="certificateRequest">
+ <beans:bean parent="certReqLeaf"
+ p:signType="MD5_RSA">
+ <beans:constructor-arg name="subject">
+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:bean parent="dn"
+
p:commonName="${phiz.crypto.cred.soapui.client.invalid.sig.alg.ssl.subject.cn}"/>
+ </beans:constructor-arg>
+ </beans:bean>
+ </beans:property>
+ </beans:bean>
+ </beans:property>
+ </beans:bean>
+
<beans:bean id="credSoapUiClientRevoked" parent="credGen">
<beans:property name="credential">
<beans:bean parent="credLeaf"
@@ -53,7 +85,6 @@
</beans:property>
</beans:bean>

- <!--suppress SpringPlaceholdersInspection -->
<beans:bean id="credSoapUiClientUntrusted" parent="credGen">
<beans:property name="credential">
<beans:bean parent="credLeafUntrusted">
@@ -107,6 +138,42 @@
</beans:property>
</beans:bean>

+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:bean id="keyStoreKeySoapUiClientInvalidKeySize"
parent="keyStoreGen" lazy-init="true"
+
p:password="${phiz.crypto.store.key.soapui.client.invalid.key.size.pass}"
+
p:resource="${phiz.crypto.store.key.soapui.client.invalid.key.size.file}">
+ <beans:property name="entryMap">
+ <beans:map>
+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:entry
key="${phiz.crypto.store.key.soapui.client.invalid.key.size.entry.ssl.alias}">
+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:bean parent="keyStoreEntryPrivateKey"
+ p:certificateChain="#{
credSoapUiClientInvalidKeySize.certificate }"
+
p:password="${phiz.crypto.store.key.soapui.client.invalid.key.size.entry.ssl.pass}"
+ p:privateKey="#{
credSoapUiClientInvalidKeySize.privateKey }"/>
+ </beans:entry>
+ </beans:map>
+ </beans:property>
+ </beans:bean>
+
+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:bean id="keyStoreKeySoapUiClientInvalidSigAlg"
parent="keyStoreGen" lazy-init="true"
+
p:password="${phiz.crypto.store.key.soapui.client.invalid.sig.alg.pass}"
+
p:resource="${phiz.crypto.store.key.soapui.client.invalid.sig.alg.file}">
+ <beans:property name="entryMap">
+ <beans:map>
+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:entry
key="${phiz.crypto.store.key.soapui.client.invalid.sig.alg.entry.ssl.alias}">
+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:bean parent="keyStoreEntryPrivateKey"
+ p:certificateChain="#{
credSoapUiClientInvalidSigAlg.certificate }"
+
p:password="${phiz.crypto.store.key.soapui.client.invalid.sig.alg.entry.ssl.pass}"
+ p:privateKey="#{
credSoapUiClientInvalidSigAlg.privateKey }"/>
+ </beans:entry>
+ </beans:map>
+ </beans:property>
+ </beans:bean>
+
<!--suppress SpringPlaceholdersInspection -->
<beans:bean id="keyStoreKeySoapUiClientRevoked" parent="keyStoreGen"
lazy-init="true"
p:password="${phiz.crypto.store.key.soapui.client.revoked.pass}"
@@ -167,6 +234,16 @@
p:keyStore-ref="keyStoreKeySoapUiClient"

p:password="${phiz.crypto.store.key.soapui.client.entry.ssl.pass}"/>

+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:bean id="keyManagerSoapUiClientInvalidKeySize"
parent="keyManagerBase" lazy-init="true"
+ p:keyStore-ref="keyStoreKeySoapUiClientInvalidKeySize"
+
p:password="${phiz.crypto.store.key.soapui.client.invalid.key.size.entry.ssl.pass}"/>
+
+ <!--suppress SpringPlaceholdersInspection -->
+ <beans:bean id="keyManagerSoapUiClientInvalidSigAlg"
parent="keyManagerBase" lazy-init="true"
+ p:keyStore-ref="keyStoreKeySoapUiClientInvalidSigAlg"
+
p:password="${phiz.crypto.store.key.soapui.client.invalid.sig.alg.entry.ssl.pass}"/>
+
<!--suppress SpringPlaceholdersInspection -->
<beans:bean id="keyManagerSoapUiClientRevoked" parent="keyManagerBase"
lazy-init="true"
p:keyStore-ref="keyStoreKeySoapUiClientRevoked"
@@ -212,6 +289,12 @@
p:parameters-ref="sslParamsClientSoapUiClient"
p:trustManagers-ref="trustManagerSoapUiClient"/>

+ <beans:bean id="sslContextSoapUiClientInvalidKeySize"
parent="sslContextSoapUiClient" lazy-init="true"
+ p:keyManagers-ref="keyManagerSoapUiClientInvalidKeySize"/>
+
+ <beans:bean id="sslContextSoapUiClientInvalidSigAlg"
parent="sslContextSoapUiClient" lazy-init="true"
+ p:keyManagers-ref="keyManagerSoapUiClientInvalidSigAlg"/>
+
<beans:bean id="sslContextSoapUiClientRevoked"
parent="sslContextSoapUiClient" lazy-init="true"
p:keyManagers-ref="keyManagerSoapUiClientRevoked"/>

@@ -260,6 +343,10 @@
<beans:null/>
</beans:key>
</beans:entry>
+ <beans:entry key="#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).INVALID_KEY_SIZE_SSL_SOCKET_FACTORY_VALUE
}"
+ value="#{
sslContextSoapUiClientInvalidKeySize.socketFactory }"/>
+ <beans:entry key="#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).INVALID_SIG_ALG_SSL_SOCKET_FACTORY_VALUE
}"
+ value="#{
sslContextSoapUiClientInvalidSigAlg.socketFactory }"/>
<beans:entry key="#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).REVOKED_SSL_SOCKET_FACTORY_VALUE
}"
value="#{ sslContextSoapUiClientRevoked.socketFactory
}"/>
<beans:entry key="#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).UNTRUSTED_SSL_SOCKET_FACTORY_VALUE
}"
=======================================
--- /phiz-web-ws/src/it/soapui/soapui-phiz-web-ws.xml Sat Mar 7 13:04:18
2015 UTC
+++ /phiz-web-ws/src/it/soapui/soapui-phiz-web-ws.xml Wed Mar 18 12:21:24
2015 UTC
@@ -311,6 +311,90 @@
<con:name>#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).SSL_PARAMS_NAME
}</con:name>
<con:value>#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).BAD_CIPHER_SUITES_SSL_PARAMS_VALUE
}</con:value>
</con:property>
+ </con:properties>
+ </con:testCase>
+ <con:testCase failOnError="false" failTestCaseOnErrors="false"
keepSession="false" maxResults="0"
name="SubmitSingleMessage_SSL_Socket_Factory_Invalid_Key_Size"
searchProperties="true" wsrmEnabled="false" wsrmVersion="1.0" wsrmAckTo=""
amfAuthorisation="false" amfEndpoint="" amfLogin="" amfPassword="">
+ <con:description>SubmitSingleMessage invalid key size SSL socket
factory test case.</con:description>
+ <con:settings/>
+ <con:testStep type="request" name="SubmitSingleMessage">
+ <con:settings/>
+ <con:config xsi:type="con:RequestStep"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <con:interface>IISHubBindingSoap12</con:interface>
+ <con:operation>SubmitSingleMessage</con:operation>
+ <con:request name="SubmitSingleMessage" outgoingWss=""
incomingWss="" timeout="" sslKeystore="" useWsAddressing="true"
useWsReliableMessaging="false" wssPasswordType="">
+ <con:description/>
+ <con:settings/>
+ <con:encoding>UTF-8</con:encoding>
+
<con:endpoint>${#Spring#phiz.tomcat.ws.iis.hub.url}</con:endpoint>
+ <con:request><![CDATA[<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:iis="urn:cdc:iisb:2014" xmlns:iis-hub="urn:cdc:iisb:hub:2014">
+ <soap:Header>
+ <iis-hub:HubRequestHeader>
+
<iis-hub:DestinationId>${#Spring#phiz.dest.iis.dev.id}</iis-hub:DestinationId>
+ </iis-hub:HubRequestHeader>
+ </soap:Header>
+ <soap:Body>
+ <iis:SubmitSingleMessageRequest>
+
<iis:Hl7Message>${=project.name}_${=testSuite.name}_${=testCase.name}_${=testStep.name}_${=request.name}</iis:Hl7Message>
+ </iis:SubmitSingleMessageRequest>
+ </soap:Body>
+</soap:Envelope>]]></con:request>
+ <con:credentials>
+ <con:authType>No Authorization</con:authType>
+ </con:credentials>
+ <con:jmsConfig JMSDeliveryMode="PERSISTENT"/>
+ <con:jmsPropertyConfig/>
+ <con:wsaConfig mustUnderstand="TRUE" version="200508"
action="urn:cdc:iisb:hub:2014:IISHubPortType:SubmitSingleMessageRequest"
generateMessageId="true"/>
+ <con:wsrmConfig version="1.2"/>
+ </con:request>
+ </con:config>
+ </con:testStep>
+ <con:properties>
+ <con:property>
+ <con:name>#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).SSL_SOCKET_FACTORY_NAME
}</con:name>
+ <con:value>#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).INVALID_KEY_SIZE_SSL_SOCKET_FACTORY_VALUE
}</con:value>
+ </con:property>
+ </con:properties>
+ </con:testCase>
+ <con:testCase failOnError="false" failTestCaseOnErrors="false"
keepSession="false" maxResults="0"
name="SubmitSingleMessage_SSL_Socket_Factory_Invalid_Sig_Alg"
searchProperties="true" wsrmEnabled="false" wsrmVersion="1.0" wsrmAckTo=""
amfAuthorisation="false" amfEndpoint="" amfLogin="" amfPassword="">
+ <con:description>SubmitSingleMessage invalid signature algorithm SSL
socket factory test case.</con:description>
+ <con:settings/>
+ <con:testStep type="request" name="SubmitSingleMessage">
+ <con:settings/>
+ <con:config xsi:type="con:RequestStep"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <con:interface>IISHubBindingSoap12</con:interface>
+ <con:operation>SubmitSingleMessage</con:operation>
+ <con:request name="SubmitSingleMessage" outgoingWss=""
incomingWss="" timeout="" sslKeystore="" useWsAddressing="true"
useWsReliableMessaging="false" wssPasswordType="">
+ <con:description/>
+ <con:settings/>
+ <con:encoding>UTF-8</con:encoding>
+
<con:endpoint>${#Spring#phiz.tomcat.ws.iis.hub.url}</con:endpoint>
+ <con:request><![CDATA[<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:iis="urn:cdc:iisb:2014" xmlns:iis-hub="urn:cdc:iisb:hub:2014">
+ <soap:Header>
+ <iis-hub:HubRequestHeader>
+
<iis-hub:DestinationId>${#Spring#phiz.dest.iis.dev.id}</iis-hub:DestinationId>
+ </iis-hub:HubRequestHeader>
+ </soap:Header>
+ <soap:Body>
+ <iis:SubmitSingleMessageRequest>
+
<iis:Hl7Message>${=project.name}_${=testSuite.name}_${=testCase.name}_${=testStep.name}_${=request.name}</iis:Hl7Message>
+ </iis:SubmitSingleMessageRequest>
+ </soap:Body>
+</soap:Envelope>]]></con:request>
+ <con:credentials>
+ <con:authType>No Authorization</con:authType>
+ </con:credentials>
+ <con:jmsConfig JMSDeliveryMode="PERSISTENT"/>
+ <con:jmsPropertyConfig/>
+ <con:wsaConfig mustUnderstand="TRUE" version="200508"
action="urn:cdc:iisb:hub:2014:IISHubPortType:SubmitSingleMessageRequest"
generateMessageId="true"/>
+ <con:wsrmConfig version="1.2"/>
+ </con:request>
+ </con:config>
+ </con:testStep>
+ <con:properties>
+ <con:property>
+ <con:name>#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).SSL_SOCKET_FACTORY_NAME
}</con:name>
+ <con:value>#{
T(gov.hhs.onc.phiz.web.test.soapui.PhizSoapUiProperties).INVALID_SIG_ALG_SSL_SOCKET_FACTORY_VALUE
}</con:value>
+ </con:property>
</con:properties>
</con:testCase>
<con:testCase failOnError="false" failTestCaseOnErrors="false"
keepSession="false" maxResults="0"
name="SubmitSingleMessage_SSL_Socket_Factory_Revoked"
searchProperties="true" wsrmEnabled="false" wsrmVersion="1.0" wsrmAckTo=""
amfAuthorisation="false" amfEndpoint="" amfLogin="" amfPassword="">
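Review bot: Neither of the two new negative test cases (SubmitSingleMessage_SSL_Socket_Factory_Invalid_Key_Size and SubmitSingleMessage_SSL_Socket_Factory_Invalid_Sig_Alg) contains an assertion that the request was rejected; with `failOnError="false"` and `failTestCaseOnErrors="false"` the case passes whether the handshake with the weak client certificate is refused or the server quietly accepts it. The existing _Revoked and _Untrusted cases presumably follow the same shape, so the check may live in the test harness rather than here; if it does not, each case needs an assertion expecting the TLS failure before it demonstrates that the constraints checker works. The _Revoked test case continues past the end of this hunk.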