Commit 79c7f321 authored by Tobias Assmann's avatar Tobias Assmann

fix and pimp deployments stuff, some code cleanup, work in progress - not ready!

parent ed939c95
#!/bin/bash
# deployment script for reqesidta
# michael rauh, tobias assmann
echo "fix setup first!"
exit 1
# setup env
ENV=stage
USER=tobias
HOST=localhost
DIR=/home/tobias/Projects/reqesidta/deploy
# Synchronize this directory with the target on $HOST.
# Exclude the dev files and rename the corresponding files on the server.
rsync -av --delete --progress \
--exclude 'docker-compose.yml' \
--exclude 'poseidas/config/POSeIDAS.xml' \
--exclude 'poseidas/db/poseidas.mv.db' \
--exclude 'sam/config/ssa-server.conf' \
--exclude 'deploy-to_*' \
--exclude '*.dodeploy' \
--exclude '*.dodeploy' \
./ $USER@$HOST:$DIR
ssh $USER@$HOST "mv $DIR/docker-compose_$ENV.yml $DIR/docker-compose.yml"
ssh $USER@$HOST "mv $DIR/poseidas/config/POSeIDAS_stage.xml $DIR/poseidas/config/POSeIDAS.xml"
ssh $USER@$HOST "mv $DIR/poseidas/db/poseidas_stage.mv.db $DIR/poseidas/db/poseidas.mv.db"
ssh $USER@$HOST "mv $DIR/ssa/config/ssa-server_$ENV.yml $DIR/ssa/config/ssa-server.conf"
# Restart / re-build the services
ssh $USER@$HOST "cd $DIR/ && docker-compose up -d --build"
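Review bot: The rsync exclude on L23, `sam/config/ssa-server.conf`, does not match the file the script renames on L31 (`$DIR/ssa/config/ssa-server.conf`, which is also the path the ssa Dockerfile on this page copies), so it looks like a typo for `ssa/config/ssa-server.conf`; and L29/L30 hardcode `_stage` where L28/L31 use `_$ENV`, so changing `ENV` only switches two of the four files. Every `$USER@$HOST:$DIR` expansion is unquoted, `USER=tobias` on L14 overwrites the login shell's own `USER` variable, and without `set -euo pipefail` a failed `mv` is followed straight by `docker-compose up -d --build` against whatever config is left on the host (the compose file and POSeIDAS.xml are excluded from `--delete`, so a stale one survives). `--exclude '*.dodeploy'` is listed twice on L25/L26. The `exit 1` on L11 stops the script before any of this runs, so these apply once that guard is removed.
```bash
set -euo pipefail
ENV=stage
DEPLOY_USER=tobias
HOST=localhost
DIR=/home/tobias/Projects/reqesidta/deploy
# … unchanged: rsync options and the other --exclude lines …
--exclude 'ssa/config/ssa-server.conf' \
--exclude '*.dodeploy' \
./ "${DEPLOY_USER}@${HOST}:${DIR}"
ssh "${DEPLOY_USER}@${HOST}" "mv '${DIR}/docker-compose_${ENV}.yml' '${DIR}/docker-compose.yml'"
ssh "${DEPLOY_USER}@${HOST}" "mv '${DIR}/poseidas/config/POSeIDAS_${ENV}.xml' '${DIR}/poseidas/config/POSeIDAS.xml'"
ssh "${DEPLOY_USER}@${HOST}" "mv '${DIR}/poseidas/db/poseidas_${ENV}.mv.db' '${DIR}/poseidas/db/poseidas.mv.db'"
ssh "${DEPLOY_USER}@${HOST}" "mv '${DIR}/ssa/config/ssa-server_${ENV}.yml' '${DIR}/ssa/config/ssa-server.conf'"
# … unchanged: docker-compose up -d --build …
```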
......@@ -6,15 +6,14 @@ rsync -av --delete --progress \
--exclude 'docker-compose.yml' \
--exclude 'poseidas/config/POSeIDAS.xml' \
--exclude 'poseidas/db/poseidas.mv.db' \
--exclude 'deploy-to-vserver-001.sh' \
--exclude 'deploy-to_*.sh' \
--exclude '*.dodeploy' \
--exclude '*.dodeploy' \
./ reqesidta@vserver-001.ecsec.de:/home/reqesidta/docker/
ssh reqesidta@vserver-001.ecsec.de "mv /home/reqesidta/docker/docker-compose-vserver-001.yml /home/reqesidta/docker/docker-compose.yml"
ssh reqesidta@vserver-001.ecsec.de "mv /home/reqesidta/docker/poseidas/config/POSeIDAS-verserver-001.xml /home/reqesidta/docker/poseidas/config/POSeIDAS.xml"
ssh reqesidta@vserver-001.ecsec.de "mv /home/reqesidta/docker/poseidas/db/poseidas-vserver-001.mv.db /home/reqesidta/docker/poseidas/db/poseidas.mv.db"
ssh reqesidta@vserver-001.ecsec.de "mv /home/reqesidta/docker/docker-compose_vserver-001.yml /home/reqesidta/docker/docker-compose.yml"
ssh reqesidta@vserver-001.ecsec.de "mv /home/reqesidta/docker/poseidas/config/POSeIDAS_vserver-001.xml /home/reqesidta/docker/poseidas/config/POSeIDAS.xml"
ssh reqesidta@vserver-001.ecsec.de "mv /home/reqesidta/docker/poseidas/db/poseidas_vserver-001.mv.db /home/reqesidta/docker/poseidas/db/poseidas.mv.db"
# Restart / re-build the services
ssh reqesidta@vserver-001.ecsec.de "cd /home/reqesidta/docker && docker-compose up -d --build"
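Review bot: The three `mv` commands on L46-L48 and the `docker-compose up -d --build` on L50 run unconditionally, so if one rename fails (for instance because the `_vserver-001` file was not synced) the rebuild proceeds with whatever `docker-compose.yml` or `POSeIDAS.xml` is still on the host, since both are excluded from `--delete` on L35/L36. Either chain them with `&&` or put `set -euo pipefail` at the top of the script, which starts above this hunk. The duplicated `--exclude '*.dodeploy'` on L40/L41 is carried over unchanged.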
......@@ -71,6 +71,7 @@ services:
hostname: localhost:8444
ports:
- "127.0.0.1:8444:8443"
- "127.0.0.1:8081:8080"
depends_on:
- postgres
# DEPRECATED
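Review bot: The new mapping `- "127.0.0.1:8081:8080"` on L55 publishes the service's plain-HTTP port on the host loopback without saying who needs it; in the other compose file on this page the equivalent `ports:` entries are commented out in favour of the Traefik facade, so this reads like a leftover debug mapping. Judging by the `hostname: localhost:8444` and `depends_on: postgres` context this is the EJBCA service; if the mapping is intentional, add a comment above it such as `# loopback only: local EJBCA admin access, not routed through the facade`. The service block starts above this hunk.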
version: "3.4"
services:
facade:
image: "reqesidta/facade"
container_name: "reqesidta_facade"
labels:
- "traefik.enable=true"
build:
context: ./facade
command:
--providers.docker=true
--providers.docker.exposedbydefault=false
--entryPoints.web.address=:80
--log.level=debug
ports:
- "80:80"
networks:
- reqesidta_net
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
poseidas:
image: "reqesidta/poseidas"
container_name: "reqesidta_poseidas"
labels:
- "traefik.enable=true"
- "traefik.http.services.poseidas.loadbalancer.server.port=8443"
- "traefik.http.routers.poseidas.rule=Path(`/POSeIDAS/eidas-middleware/paosreceiver`)"
- "traefik.http.routers.poseidas.entrypoints=web"
build:
context: ./poseidas
args:
JAR_FILE: POSeIDAS-exec.jar
# ports:
# - "127.0.0.1:8443:8443"
networks:
reqesidta_net:
aliases:
- poseidas.docker.reqesidta.de
volumes:
- ./poseidas/config:/opt/poseidas/config
- ./poseidas/db:/opt/poseidas/database
ejbca:
image: "reqesidta/ejbca"
container_name: "reqesidta_ejbca"
build:
context: ./ejbca
hostname: localhost:8444
# ports:
# - "127.0.0.1:8444:8443"
depends_on:
- postgres
environment:
DATABASE_JDBC_URL: jdbc:postgresql://postgres:5432/ejbca
DATABASE_USER: ejbca
DATABASE_PASSWORD: password
networks:
reqesidta_net:
aliases:
- ejbca.docker.reqesidta.de
postgres:
image: "postgres:11.4"
container_name: "reqesidta_postgres"
environment:
POSTGRES_USER: ejbca
POSTGRES_PASSWORD: password
networks:
- reqesidta_net
ssa:
image: "reqesidta/ssa"
container_name: "reqesidta_ssa"
labels:
- "traefik.enable=true"
- "traefik.http.services.ssa.loadbalancer.server.port=8080"
- "traefik.http.routers.ssa.rule=PathPrefix(`/ssa-server`)"
- "traefik.http.routers.ssa.entrypoints=web"
build:
context: ./ssa
depends_on:
- poseidas
- ejbca
command: /opt/jboss/wildfly/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0
# ports:
# - "127.0.0.1:28080:8080"
# volumes:
# - ./ssa/dist:/opt/jboss/wildfly/standalone/deployments/:rw
networks:
reqesidta_net:
aliases:
- ssa.docker.reqesidta.de
sam:
image: "reqesidta/sam"
container_name: "reqesidta_sam"
build:
context: ./sam
# ports:
# - "127.0.0.1:38080:8080"
networks:
reqesidta_net:
aliases:
- sam.docker.reqesidta.de
networks:
reqesidta_net:
driver: bridge
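Review bot: The EJBCA database credentials are committed in clear text, `DATABASE_PASSWORD: password` on L115 and `POSTGRES_PASSWORD: password` on L125, in a file the deploy scripts on this page sync to the host next to the CA itself. Move them out of the compose file, e.g. `POSTGRES_PASSWORD: ${EJBCA_DB_PASSWORD:?set in .env}` and the same variable for `DATABASE_PASSWORD`, and rotate the current value. The `postgres` service on L120-L127 declares no volume, so the CA's database lives only in the container's writable layer and disappears when the container is recreated, which is presumably not intended for a CA. The facade on L62-L80 runs Traefik with `--log.level=debug` and the Docker socket mounted; both may be fine on a stage box, but the socket mount is equivalent to root on the host and deserves a comment saying so.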
......@@ -34,8 +34,8 @@ services:
context: ./poseidas
args:
JAR_FILE: POSeIDAS-exec.jar
ports:
- "127.0.0.1:8443:8443"
# ports:
# - "127.0.0.1:8443:8443"
networks:
reqesidta_net:
aliases:
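Review bot: The old `ports:` mappings are kept as comments on L170-L171, and likewise on L181-L182, L194-L197 and L207-L208 in the later hunks, instead of being deleted; commented-out config tends to be re-enabled under pressure, and the other compose file on this page still carries a live `127.0.0.1:8081:8080` mapping for EJBCA. Delete them and state the intent once per service, e.g. `# no host ports: reached only through the facade / reqesidta_net`, so a reader knows the omission is deliberate. Each service block starts above its hunk.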
......@@ -50,8 +50,8 @@ services:
build:
context: ./ejbca
hostname: localhost:8444
ports:
- "127.0.0.1:8444:8443"
# ports:
# - "127.0.0.1:8444:8443"
depends_on:
- postgres
environment:
......@@ -86,10 +86,10 @@ services:
- poseidas
- ejbca
command: /opt/jboss/wildfly/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0
ports:
- "127.0.0.1:28080:8080"
volumes:
- ./ssa/dist:/opt/jboss/wildfly/standalone/deployments/:rw
# ports:
# - "127.0.0.1:28080:8080"
# volumes:
# - ./ssa/dist:/opt/jboss/wildfly/standalone/deployments/:rw
networks:
reqesidta_net:
aliases:
......@@ -100,8 +100,8 @@ services:
container_name: "reqesidta_sam"
build:
context: ./sam
ports:
- "127.0.0.1:38080:8080"
# ports:
# - "127.0.0.1:38080:8080"
networks:
reqesidta_net:
aliases:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CoreConfiguration xmlns="http:/www.bos_bremen.de/2009/06/eID-Server-CoreConfig">
<ServerUrl>https://reqesidta.openecard.org/POSeIDAS/eidas-middleware</ServerUrl>
<sessionManagerUsesDatabase>true</sessionManagerUsesDatabase>
<sessionMaxPendingRequests>500</sessionMaxPendingRequests>
<TimerConfiguration>
<certRenewal length="2" unit="11"/>
<blacklistRenewal length="2" unit="11"/>
<masterAndDefectListRenewal length="2" unit="11"/>
</TimerConfiguration>
<ServiceProvider entityID="providerA" enabled="true">
<EPAConnectorConfiguration updateCVC="false">
<!-- refID of the devDB from 001-->
<CVCRefID>ecsec</CVCRefID>
<PkiConnectorConfiguration>
<!-- At least the certificates for blacklist, master and defectList have to be EC -->
<blackListTrustAnchor>MIH0MIGroAMCAQICBF04buEwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDcyNDE0NDQ0OVoXDTIwMDcyMzE0NDQ0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEq6L6f/1HKWgN9LV90O0VFqkyrN0/E2oC4va+eqx4L/bvMTh1j5CoE5i7HMMD8UeXMAoGCCqGSM49BAMCAzgAMDUCGQCoV/FAXfsEX06XoPv/v1bFzdOpQH1b96YCGFJF31Illrn+frm+7LGg3FoPayQJAdiRfA==</blackListTrustAnchor>
<masterListTrustAnchor>MIH0MIGroAMCAQICBF04buEwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDcyNDE0NDQ0OVoXDTIwMDcyMzE0NDQ0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEq6L6f/1HKWgN9LV90O0VFqkyrN0/E2oC4va+eqx4L/bvMTh1j5CoE5i7HMMD8UeXMAoGCCqGSM49BAMCAzgAMDUCGQCoV/FAXfsEX06XoPv/v1bFzdOpQH1b96YCGFJF31Illrn+frm+7LGg3FoPayQJAdiRfA==</masterListTrustAnchor>
<defectListTrustAnchor>MIH0MIGroAMCAQICBF04buEwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDcyNDE0NDQ0OVoXDTIwMDcyMzE0NDQ0OVowFDESMBAGA1UEAwwJbG9jYWxob3N0MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEq6L6f/1HKWgN9LV90O0VFqkyrN0/E2oC4va+eqx4L/bvMTh1j5CoE5i7HMMD8UeXMAoGCCqGSM49BAMCAzgAMDUCGQCoV/FAXfsEX06XoPv/v1bFzdOpQH1b96YCGFJF31Illrn+frm+7LGg3FoPayQJAdiRfA==</defectListTrustAnchor>
<policyImplementationId>govDvca</policyImplementationId>
<sslKeys id="default">
<serverCertificate>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</serverCertificate>
<clientCertificate>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</clientCertificate>
<clientKey>MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPl8HZGWC0btxLbblFPPoWLGhIYop0RJ1lNoYzb9+BgBiVdFrdJHyuHEurmxtmYKOZdTlo973I471Bq/HxgLmROLWAhzhv7NVTb9Wv9dkbCOWhRTdupUKAhaFqpzcS+TOdpKy/dhsFJ5L1CVcMmQZVP6qn1EDiDZfjtq4APaTpdGmuBdei5uKYZ8imzCywhs+ARY/DZRsGe6EIVEcPRiDVjagtPAr1nUho2n7t2+C3w+yR+z1qU8HbjH7R+IFzkFdTMpIIsbB4hMaRAqFM5cKZkM7rtoRsJ2VymYJAm5mlL74CWIUyCvXZrEEzbbm5/jC+a0LLEj2M/Ud3NO6zz7W3AgMBAAECggEADd7IaMkyy8DP1EmyWXzKWDqYWc8dDB6yMNs0mpw3dU90lQvPWbuV3wuXR2cs11Qj/4gJvB3iyYOPQiOLHgU+oNmGpbNN4zXnnP8PFTDaft1t0QQvFiP8Q6+/X2u+bh9GF8WIdfRzYrlIWY9JsyxISYrgS/1ju8GHwVhpMNftkbGC4Zn5WnjidImG4aWz20q3GiOqirzayIJZny6a9ch4FuDi+4meuc9qAtGR6xpkRAfxirdYDSgS3P/+Y+0kPAgA1SZXmmsrGsTgoeuKl8HusVRzKCfeQqt0vTKcTUhGP0EEoyA0nC6QH6+Pklqu1wtTQ59RevC6M6rqrG4E5WCEaQKBgQDrHcQ9HoCjPp8Qf5L8dRHbKClb64gBuPyDfJ4tpVvpHHCIf9NTcJ0CBC/5ikoVrzrSwlJvGYtHgxZI+EYzn0MCFC6dxvkHeJA/bylwgw7942KzB4ieQdsmQNnLs/9nTdk06yRNkOMX4GUwQArThWsXiNeByibax4nA1GD/yptLyQKBgQDiCCSqwOoMA9Wsdc110rdQ9Uq6f78Tq0N0uNddvnxh/bY6JWYDHck+EXBvEz4cY6NTtaFqCCoophvrqllryBHEYB/ienual6N+e1XfPoUeLwtOAeqBfVd6IraSyS7jdA6fYErAMjFFgcwr6rqIpDW8AzJZNPCAteSmx7xr+rC1fwKBgGwcQNr1xqLJrayRbM4HKtHCMtpggCaCoCH50GYezhdvi1NIq6yHcLq3oDO3Yf98lqjIz8zkSwX0AfBFsUoVZmNzUkgccO/9gR6aB80DhoY54218/lX+5D0/vqYLO1qOEl1h7kx4XePhu8Wm/RNsGuU0eBvnD1y0OeRgA8Y6rJP5AoGAIdnkW+pOYwREAPMXlTi8mZRS38F4BWMV1CpGntSDXk2X9/dX4smYNQJ5mzj/iVLmyAegp/eXEMVn0xCNGdY5yvY2cD21uz5QjwW7o5aCazXSdJlW3JPAARunyi31Jr1f30CVkVkzBdzdjgo2a3ZkUccMyE1kY3JaTxwEvQsrYdMCgYEArObZilqguFcSPJ/NS4/LxT/XoMWYK7My+5Fpyd+HQchVG/ZDLC+GAhwjhylvSwmXEnJgCEggE1OlfyRqwHi4m2yOFupI4P5jd4kBcm1kM6j/MC/pvCHBu+XJ2/MM2kjqwunsVZt0M3frZ0g6T1LSW0bRC8p2Q4B1jHnmJp7Q8PU=</clientKey>
</sslKeys>
<terminalAuthService sslKeysId="default">
<url>https://dev.governikus-eid.de:9444/gov_dvca/ta-service</url>
</terminalAuthService>
<restrictedIdService sslKeysId="default">
<url>https://dev.governikus-eid.de:9444/gov_dvca/ri-service</url>
</restrictedIdService>
<passiveAuthService sslKeysId="default">
<url>https://dev.governikus-eid.de:9444/gov_dvca/pa-service</url>
</passiveAuthService>
<dvcaCertDescriptionService sslKeysId="default">
<url>https://dev.governikus-eid.de:9444/gov_dvca/certDesc-service</url>
</dvcaCertDescriptionService>
</PkiConnectorConfiguration>
<PaosReceiverURL>https://reqesidta.openecard.org/POSeIDAS/eidas-middleware/paosreceiver</PaosReceiverURL>
<hoursRefreshCVCBeforeExpires>48</hoursRefreshCVCBeforeExpires>
</EPAConnectorConfiguration>
</ServiceProvider>
<SAMConfig url="http://reqesidta_sam:8080/"></SAMConfig>
</CoreConfiguration>
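Review bot: The `<clientKey>` on L236 is a PKCS#8 private key in clear text, committed to the repository together with the certificate it belongs to on L235 and the DVCA endpoints on L239-L248 it authenticates to; even for a stage configuration the key should be treated as exposed, rotated, and loaded from a file or secret outside git (the deploy scripts on this page rsync this file to the host as-is). The three trust anchors on L229-L231 are the same certificate, and its base64 appears to decode to a self-signed `CN=localhost` certificate valid 2019-07-24 to 2020-07-23, so if it is not a placeholder the black/master/defect-list checks would stop verifying at that date — a comment stating what it is would help either way. The namespace on L214, `http:/www.bos_bremen.de/...` with a single slash, will not match the expected schema if it is not a rendering artefact. `<SAMConfig url="http://reqesidta_sam:8080/">` on L255 talks plain HTTP to SAM; that is confined to the compose bridge network, which is worth saying in a comment.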
......@@ -6,4 +6,10 @@ FROM $WILDFLY_IMAGE
# we need wsdl and cert for consuming the eID SOAP service
COPY wsdl/* /opt/jboss/
# copy the needed war into the image
COPY dist/* /opt/jboss/wildfly/standalone/deployments/
# copy the config for the server into the image
COPY config/ssa-server.conf /opt/jboss/ssa-server.conf
EXPOSE 9990
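Review bot: `EXPOSE 9990` on L264 advertises the WildFly management port, and the compose file on this page starts the server with `-bmanagement 0.0.0.0` (L141), so the management interface listens on every container interface; nothing publishes it to the host today, but `docker run -P` or a later `ports:` entry would. If remote management is not needed, drop the EXPOSE line and the `-bmanagement 0.0.0.0` flag; if it is, add a comment on the line naming who connects, e.g. `# WildFly management (HTTP/CLI): internal network only, never publish`. `COPY config/ssa-server.conf` on L263 bakes environment-specific URLs into the image, which is why the deploy scripts rename the per-environment file before `docker-compose up --build`; a sentence on L262 saying so would save the next reader that inference.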
ssa-config {
sessionMaxAge: 60,
sessionCheckAgeInterval: 30,
baseUrl: "https://docker.reqesidta.de/ssa-server"
eidUrl: "http://poseidas.docker.reqesidta.de:8443/POSeIDAS/service/eid/TR-03130-WSDL.wsdl"
samUrl: "http://sam.docker.reqesidta.de:8080"
caUrl: "http://ejbca.docker.reqesidta.de:8080/ejbca/publicweb/cmp/ecsecCMP"
}
ssa-config {
sessionMaxAge: 60,
sessionCheckAgeInterval: 30,
baseUrl: "http://reqesidta.openecard.org/ssa-server"
eidUrl: "http://poseidas.docker.reqesidta.de:8443/POSeIDAS/service/eid/TR-03130-WSDL.wsdl"
samUrl: "http://sam.docker.reqesidta.de:8080"
caUrl: "http://ejbca.docker.reqesidta.de:8080/ejbca/publicweb/cmp/ecsecCMP"
}
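Review bot: `baseUrl` on L276 is `http://reqesidta.openecard.org/ssa-server` while the variant on L284 uses `https://` for the same host; if baseUrl is what the service uses to build its own redirect or callback URLs, this sends browser sessions to the public host in clear text. All three variants point `eidUrl` at `http://poseidas.docker.reqesidta.de:8443/...` (L269, L277, L285), an `http` scheme on the conventional TLS port; the compose file on this page has Traefik forwarding to POSeIDAS port 8443 with no TLS label, so this may be intended, but a comment saying whether POSeIDAS serves plain HTTP on 8443 would avoid the obvious misreading. `caUrl` on L271/L279/L287 likewise carries CMP over plain `http`, which is only acceptable if the CMP messages themselves are protected; that is configured on the CA side and cannot be checked here.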
ssa-config {
sessionMaxAge: 60,
sessionCheckAgeInterval: 30,
baseUrl: "https://reqesidta.openecard.org/ssa-server"
eidUrl: "http://poseidas.docker.reqesidta.de:8443/POSeIDAS/service/eid/TR-03130-WSDL.wsdl"
samUrl: "http://sam.docker.reqesidta.de:8080"
caUrl: "http://ejbca.docker.reqesidta.de:8080/ejbca/publicweb/cmp/ecsecCMP"
}
/****************************************************************************
* Copyright (C) 2019 ecsec GmbH.
* All rights reserved.
* Contact: ecsec GmbH (info@ecsec.de)
*
* This file may be used in accordance with the terms and conditions
* contained in a signed written agreement between you and ecsec GmbH.
*
***************************************************************************/
package reqesidta.ssa.config;
/**
*
* @author Neil Crossley
*/
public class CertificateAuthorityConfig {
private String caName;
private String cmpAlias;
private String cmpPassword;
private String baseUrl;
private String certUserCn;
private String certPrefixCn;
public String getCaName() {
return caName;
}
public void setCaName(String caName) {
this.caName = caName;
}
public String getCmpAlias() {
return cmpAlias;
}
public void setCmpAlias(String cmpAlias) {
this.cmpAlias = cmpAlias;
}
public String getCmpPassword() {
return cmpPassword;
}
public void setCmpPassword(String cmpPassword) {
this.cmpPassword = cmpPassword;
}
public String getBaseUrl() {
return baseUrl;
}
public void setBaseUrl(String baseUrl) {
this.baseUrl = baseUrl;
}
public String getCertUserCn() {
return certUserCn;
}
public void setCertUserCn(String certUserCn) {
this.certUserCn = certUserCn;
}
public String getCertPrefixCn() {
return certPrefixCn;
}
public void setCertPrefixCn(String certPrefixCn) {
this.certPrefixCn = certPrefixCn;
}
}
......@@ -20,7 +20,7 @@ public class SSAConfig {
private String baseUrl;
private String eidUrl;
private String samUrl;
private CertificateAuthorityConfig caConfig;
private String caUrl;
public int getSessionMaxAge() {
return sessionMaxAge;
......@@ -62,11 +62,11 @@ public class SSAConfig {
this.samUrl = samUrl;
}
public CertificateAuthorityConfig getCaConfig() {
return caConfig;
public String getCaUrl() {
return this.caUrl;
}
public void setCaConfig(CertificateAuthorityConfig caConfig) {
this.caConfig = caConfig;
public void setCaUrl(String caUrl) {
this.caUrl = caUrl;
}
}
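Review bot: Replacing `CertificateAuthorityConfig caConfig` with a bare `String caUrl` (L351-L352, L360-L366) drops the `cmpAlias`, `cmpPassword` and `certUserCn` fields that the `CertificateAuthorityConfig` class shown on this page (apparently removed by this commit) carried; if the CMP endpoint is expected to authenticate requests there is now nowhere to configure that, and the `ssa-server.conf` variants on this page indeed contain only a URL. Style nit: `getCaUrl` returns `this.caUrl` while the neighbouring getters (e.g. `return samUrl`) omit `this`; keep one form. The class starts above these hunks.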
......@@ -11,22 +11,10 @@ package reqesidta.ssa.rest;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.inject.Inject;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.NotFoundException;
......@@ -41,8 +29,8 @@ import javax.ws.rs.client.Invocation;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
......@@ -56,12 +44,7 @@ import org.bouncycastle.asn1.cmp.CertResponse;
import org.bouncycastle.asn1.cmp.CertifiedKeyPair;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -83,7 +66,7 @@ import reqesidta.ssa.session.SessionStore;
/**
* WebService endpoint implementing the SSA interface
*
* @author Neil Crossley, Tobias Assmann
* @author Neil Crossley, Tobias Assmann, Renè Lottes
*/
@Path("/ssa")
public class SSAEndpoint {
......@@ -131,51 +114,45 @@ public class SSAEndpoint {
if (req.session == null) {
throw new BadRequestException();
}
Session session = this.readSession(req.session);
byte[] eidSessionId = (byte[])session.get(Session.KEY_EID_SERVER_SESSIONID).get();
String samSessionId = new String(eidSessionId);
Client c = ClientBuilder.newBuilder().register(JsonBContextResolver.class).build();
WebTarget webTarget = c.target(this.config.getSamUrl()+"/cert/getcsr");
Invocation.Builder invocationBuilder = webTarget.path(samSessionId).request(MediaType.APPLICATION_JSON);
CSRData csrData = invocationBuilder.get(CSRData.class);
byte[] csr = csrData.csr;
//get cert from CA aka ejbca
//TODO make the CAs SSL cert for client avail to use Webclient
// c = ClientBuilder.newClient();
// webTarget = c.target("https://ejbca.docker.reqesidta.de:8443/ejbca/publicweb/cmp/");
// invocationBuilder = webTarget.path("ecsecCMP").request();
// MediaType mt = new MediaType("application", "pkixcmp");
// Response certResp = invocationBuilder.post(Entity.entity(csr, mt));
// System.out.println(certResp.getStatus());
// start dummy code TODO remove! not for Production as it uses an all trusting DefaultTrustManager!
List<byte[]> certs = new ArrayList<>();
byte[] certificate;
try {
SSLContext ctx;
ctx = SSLContext.getInstance("TLS");
ctx.init(new KeyManager[0], new TrustManager[]{new DefaultTrustManager()}, new SecureRandom());
SSLContext.setDefault(ctx);
//TODO move url stuff to config!
String urlString = "https://ejbca.docker.reqesidta.de:8443/ejbca/publicweb/cmp/ecsecCMP";
URL url = new URL(urlString);
HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
con.setDoOutput(true);
con.setRequestMethod("POST");
con.setRequestProperty("Content-type", "application/pkixcmp");
con.setHostnameVerifier((String arg0, SSLSession arg1) -> true);
con.connect();
// send csr as request
try (OutputStream os = con.getOutputStream()) {
os.write(csr);
}
// parse response, unpack the cert till we reach CMPCertificate, send it as response
ASN1InputStream asn1InputStream = new ASN1InputStream(con.getInputStream());
// get csr from sam
Session session = this.readSession(req.session);
byte[] eidSessionId = (byte[])session.get(Session.KEY_EID_SERVER_SESSIONID).get();
String samSessionId = new String(eidSessionId);
Client c = ClientBuilder.newBuilder().register(JsonBContextResolver.class).build();
WebTarget webTarget = c.target(this.config.getSamUrl()+"/cert/getcsr");
Invocation.Builder invocationBuilder = webTarget.path(samSessionId).request(MediaType.APPLICATION_JSON);
CSRData csrData = invocationBuilder.get(CSRData.class);
byte[] csr = csrData.csr;
//get cert from ejbca
c = ClientBuilder.newClient();
webTarget = c.target(this.config.getCaUrl());
invocationBuilder = webTarget.request();
MediaType mt = new MediaType("application", "pkixcmp");
Response certResp = invocationBuilder.post(Entity.entity(csr, mt));
System.out.println(certResp.getStatus());
PKIMessage respObject = null;
try {
respObject = PKIMessage.getInstance(asn1InputStream.readObject());
} finally {
asn1InputStream.close();
}
// URL url = new URL(this.config.getCaUrl());
// HttpURLConnection con = (HttpURLConnection) url.openConnection();
// con.setDoOutput(true);
// con.setRequestMethod("POST");
// con.setRequestProperty("Content-type", "application/pkixcmp");
// con.connect();
// // send csr as request
// try (OutputStream os = con.getOutputStream()) {
// os.write(csr);
// }
// InputStream in = con.getInputStream();
// ASN1InputStream asn1InputStream = new ASN1InputStream(in);
// try {
// respObject = PKIMessage.getInstance(asn1InputStream.readObject());
// } finally {
// asn1InputStream.close();
// }
respObject = PKIMessage.getInstance(certResp.getEntity());
// end dummy code
// parse response, unpack till we reach CMPCertificate, send it as response
PKIBody body = respObject.getBody();
CertRepMessage bodyCont = (CertRepMessage) body.getContent();
CertResponse resp = bodyCont.getResponse()[0];
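Review bot: `certResp.getStatus()` on L479 is only printed, never checked, and L503 hands `certResp.getEntity()` straight to `PKIMessage.getInstance`; per the `Response.getEntity()` contract a client-side response whose entity has not been read returns the unconsumed input stream rather than the bytes, which `PKIMessage.getInstance` cannot parse, so this path most likely throws and lands in the `catch (Exception ex)` further down (L510) that prints the message and lets the method return an empty certificate list. Check the status, read the body with `readEntity(byte[].class)`, log through `log` instead of `System.out`, and close the `Client` (neither client in this method is ever closed). With `caUrl` now `http://` in the config variants on this page, the CSR and the issued certificate cross the network without transport protection, which is acceptable only if CMP message protection is configured on both sides. The method starts and ends outside this hunk.
```java
// … unchanged: CSR retrieval from SAM …
//get cert from ejbca
Client caClient = ClientBuilder.newClient();
PKIMessage respObject;
try {
    MediaType mt = new MediaType("application", "pkixcmp");
    Response certResp = caClient.target(this.config.getCaUrl()).request().post(Entity.entity(csr, mt));
    if (certResp.getStatus() != Response.Status.OK.getStatusCode()) {
        throw new IOException("CA returned HTTP " + certResp.getStatus());
    }
    respObject = PKIMessage.getInstance(certResp.readEntity(byte[].class));
} finally {
    caClient.close();
}
// … unchanged: unpacking of the CMPCertificate from respObject …
```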
......@@ -187,7 +164,6 @@ public class SSAEndpoint {
} catch (Exception ex) {
System.out.println("Error: " + ex.getMessage());
}
// end dummy code
CertificateResponse resp = new CertificateResponse();
resp.certificates = certs;
......@@ -200,72 +176,54 @@ public class SSAEndpoint {
@Path("/sign")
public SignResponse sign(SignRequest req) throws CMSException, IOException {
log.info("sign");
if (req.session == null) {
throw new BadRequestException();
}
Session session = this.readSession(req.session);
try {
//TODO send oid of digest algo from client?! or is it already comming?
// digest algo sha256 hardcoded here
String oid = "2.16.840.1.101.3.4.2.1";
byte[] docHash = null;
// extract the docHash from incoming cms data
ASN1InputStream asnInputStream = new ASN1InputStream(new ByteArrayInputStream(req.signerInfo));
DLSet readObject = (DLSet) asnInputStream.readObject();
//TODO make it easier with BC?
for (ASN1Encodable e : readObject) {
DLSequence primitive = (DLSequence) e.toASN1Primitive();
log.debug(primitive.toString());
ASN1Encodable[] primitiveArr = primitive.toArray();
// for (ASN1Encodable x : primitive) {
ASN1Primitive toASN1Primitive = primitiveArr[0].toASN1Primitive();
log.debug(toASN1Primitive.toString());
if (toASN1Primitive instanceof ASN1ObjectIdentifier) {
//messageDigest
// get messageDigest (the docHash) with its oid
if (((ASN1ObjectIdentifier) toASN1Primitive).getId().equals("1.2.840.113549.1.9.4")) {
DLSet set = (DLSet) primitiveArr[1].toASN1Primitive();
DEROctetString messageDigest =