]> WPIA git - gigi.git/blob - src/org/cacert/gigi/Launcher.java
projects / gigi.git / blob
? search:


0490d1b1f1bf20609c494b5a2863e30e018d3b83
[gigi.git] / src / org / cacert / gigi / Launcher.java
1 package org.cacert.gigi;
2
3 import java.io.IOException;
4 import java.security.GeneralSecurityException;
5 import java.security.Key;
6 import java.security.KeyStore;
7 import java.security.KeyStoreException;
8 import java.security.NoSuchAlgorithmException;
9 import java.security.UnrecoverableKeyException;
10 import java.security.cert.Certificate;
11 import java.util.List;
12 import java.util.Locale;
13 import java.util.Properties;
14 import java.util.TimeZone;
15
16 import javax.net.ssl.ExtendedSSLSession;
17 import javax.net.ssl.SNIHostName;
18 import javax.net.ssl.SNIServerName;
19 import javax.net.ssl.SSLEngine;
20 import javax.net.ssl.SSLParameters;
21 import javax.net.ssl.SSLSession;
22
23 import org.cacert.gigi.api.GigiAPI;
24 import org.cacert.gigi.email.EmailProvider;
25 import org.cacert.gigi.natives.SetUID;
26 import org.cacert.gigi.util.CipherInfo;
27 import org.cacert.gigi.util.ServerConstants;
28 import org.eclipse.jetty.http.HttpVersion;
29 import org.eclipse.jetty.server.Connector;
30 import org.eclipse.jetty.server.Handler;
31 import org.eclipse.jetty.server.HttpConfiguration;
32 import org.eclipse.jetty.server.HttpConnectionFactory;
33 import org.eclipse.jetty.server.SecureRequestCustomizer;
34 import org.eclipse.jetty.server.Server;
35 import org.eclipse.jetty.server.ServerConnector;
36 import org.eclipse.jetty.server.SessionManager;
37 import org.eclipse.jetty.server.SslConnectionFactory;
38 import org.eclipse.jetty.server.handler.ContextHandler;
39 import org.eclipse.jetty.server.handler.HandlerList;
40 import org.eclipse.jetty.server.handler.HandlerWrapper;
41 import org.eclipse.jetty.server.handler.ResourceHandler;
42 import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
43 import org.eclipse.jetty.servlet.ServletContextHandler;
44 import org.eclipse.jetty.servlet.ServletHolder;
45 import org.eclipse.jetty.util.log.Log;
46 import org.eclipse.jetty.util.ssl.SslContextFactory;
47
48 public class Launcher {
49
50     public static void main(String[] args) throws Exception {
51         System.setProperty("jdk.tls.ephemeralDHKeySize", "4096");
52         boot();
53     }
54
55     public static void boot() throws Exception {
56         Locale.setDefault(Locale.ENGLISH);
57         TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
58
59         GigiConfig conf = GigiConfig.parse(System.in);
60         ServerConstants.init(conf.getMainProps());
61         initEmails(conf);
62
63         Server s = new Server();
64         HttpConfiguration httpsConfig = createHttpConfiguration();
65
66         // for client-cert auth
67         httpsConfig.addCustomizer(new SecureRequestCustomizer());
68
69         HttpConfiguration httpConfig = createHttpConfiguration();
70
71         s.setConnectors(new Connector[] {
72                 createConnector(conf, s, httpsConfig, true), createConnector(conf, s, httpConfig, false)
73         });
74
75         HandlerList hl = new HandlerList();
76         hl.setHandlers(new Handler[] {
77                 generateStaticContext(), generateGigiContexts(conf.getMainProps(), conf.getTrustStore()), generateAPIContext()
78         });
79         s.setHandler(hl);
80         s.start();
81         if ((ServerConstants.getSecurePort() <= 1024 || ServerConstants.getPort() <= 1024) && !System.getProperty("os.name").toLowerCase().contains("win")) {
82             SetUID uid = new SetUID();
83             if ( !uid.setUid(65536 - 2, 65536 - 2).getSuccess()) {
84                 Log.getLogger(Launcher.class).warn("Couldn't set uid!");
85             }
86         }
87         if (conf.getMainProps().containsKey("testrunner")) {
88             DevelLauncher.addDevelPage();
89         }
90     }
91
92     private static ServerConnector createConnector(GigiConfig conf, Server s, HttpConfiguration httpConfig, boolean doHttps) throws GeneralSecurityException, IOException {
93         ServerConnector connector;
94         if (doHttps) {
95             connector = new ServerConnector(s, createConnectionFactory(conf), new HttpConnectionFactory(httpConfig));
96         } else {
97             connector = new ServerConnector(s, new HttpConnectionFactory(httpConfig));
98         }
99         connector.setHost(conf.getMainProps().getProperty("host"));
100         if (doHttps) {
101             connector.setPort(ServerConstants.getSecurePort());
102         } else {
103             connector.setPort(ServerConstants.getPort());
104         }
105         connector.setAcceptQueueSize(100);
106         return connector;
107     }
108
109     private static HttpConfiguration createHttpConfiguration() {
110         // SSL HTTP Configuration
111         HttpConfiguration httpsConfig = new HttpConfiguration();
112         httpsConfig.setSendServerVersion(false);
113         httpsConfig.setSendXPoweredBy(false);
114         return httpsConfig;
115     }
116
117     private static void initEmails(GigiConfig conf) throws GeneralSecurityException, IOException, KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
118         KeyStore privateStore = conf.getPrivateStore();
119         Certificate mail = privateStore.getCertificate("mail");
120         Key k = privateStore.getKey("mail", conf.getPrivateStorePw().toCharArray());
121         EmailProvider.initSystem(conf.getMainProps(), mail, k);
122     }
123
124     private static SslConnectionFactory createConnectionFactory(GigiConfig conf) throws GeneralSecurityException, IOException {
125         final SslContextFactory sslContextFactory = generateSSLContextFactory(conf, "www");
126         final SslContextFactory secureContextFactory = generateSSLContextFactory(conf, "secure");
127         secureContextFactory.setWantClientAuth(true);
128         secureContextFactory.setNeedClientAuth(false);
129         final SslContextFactory staticContextFactory = generateSSLContextFactory(conf, "static");
130         final SslContextFactory apiContextFactory = generateSSLContextFactory(conf, "api");
131         try {
132             secureContextFactory.start();
133             staticContextFactory.start();
134             apiContextFactory.start();
135         } catch (Exception e) {
136             e.printStackTrace();
137         }
138         return new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()) {
139
140             @Override
141             public boolean shouldRestartSSL() {
142                 return true;
143             }
144
145             @Override
146             public SSLEngine restartSSL(SSLSession sslSession) {
147                 SSLEngine e2 = null;
148                 if (sslSession instanceof ExtendedSSLSession) {
149                     ExtendedSSLSession es = (ExtendedSSLSession) sslSession;
150                     List<SNIServerName> names = es.getRequestedServerNames();
151                     for (SNIServerName sniServerName : names) {
152                         if (sniServerName instanceof SNIHostName) {
153                             SNIHostName host = (SNIHostName) sniServerName;
154                             String hostname = host.getAsciiName();
155                             if (hostname.equals(ServerConstants.getWwwHostName())) {
156                                 e2 = sslContextFactory.newSSLEngine();
157                             } else if (hostname.equals(ServerConstants.getStaticHostName())) {
158                                 e2 = staticContextFactory.newSSLEngine();
159                             } else if (hostname.equals(ServerConstants.getSecureHostName())) {
160                                 e2 = secureContextFactory.newSSLEngine();
161                             } else if (hostname.equals(ServerConstants.getApiHostName())) {
162                                 e2 = apiContextFactory.newSSLEngine();
163                             }
164                             break;
165                         }
166                     }
167                 }
168                 if (e2 == null) {
169                     e2 = sslContextFactory.newSSLEngine(sslSession.getPeerHost(), sslSession.getPeerPort());
170                 }
171                 e2.setUseClientMode(false);
172                 return e2;
173             }
174         };
175     }
176
177     private static Handler generateGigiContexts(Properties conf, KeyStore trust) {
178         ServletHolder webAppServlet = new ServletHolder(new Gigi(conf, trust));
179
180         ContextHandler ch = generateGigiServletContext(webAppServlet);
181         ch.setVirtualHosts(new String[] {
182             ServerConstants.getWwwHostName()
183         });
184         ContextHandler chSecure = generateGigiServletContext(webAppServlet);
185         chSecure.setVirtualHosts(new String[] {
186             ServerConstants.getSecureHostName()
187         });
188
189         HandlerList hl = new HandlerList();
190         hl.setHandlers(new Handler[] {
191                 ch, chSecure
192         });
193         return hl;
194     }
195
196     private static ContextHandler generateGigiServletContext(ServletHolder webAppServlet) {
197         final ResourceHandler rh = new ResourceHandler();
198         rh.setResourceBase("static/www");
199
200         HandlerWrapper hw = new PolicyRedirector();
201         hw.setHandler(rh);
202
203         ServletContextHandler servlet = new ServletContextHandler(ServletContextHandler.SESSIONS);
204         servlet.setInitParameter(SessionManager.__SessionCookieProperty, "CACert-Session");
205         servlet.addServlet(webAppServlet, "/*");
206         ErrorPageErrorHandler epeh = new ErrorPageErrorHandler();
207         epeh.addErrorPage(404, "/error");
208         servlet.setErrorHandler(epeh);
209
210         HandlerList hl = new HandlerList();
211         hl.setHandlers(new Handler[] {
212                 hw, servlet
213         });
214
215         ContextHandler ch = new ContextHandler();
216         ch.setHandler(hl);
217         return ch;
218     }
219
220     private static Handler generateStaticContext() {
221         final ResourceHandler rh = new ResourceHandler();
222         rh.setResourceBase("static/static");
223
224         ContextHandler ch = new ContextHandler();
225         ch.setHandler(rh);
226         ch.setVirtualHosts(new String[] {
227             ServerConstants.getStaticHostName()
228         });
229
230         return ch;
231     }
232
233     private static Handler generateAPIContext() {
234         ServletContextHandler sch = new ServletContextHandler();
235
236         sch.addVirtualHosts(new String[] {
237             ServerConstants.getApiHostName()
238         });
239         sch.addServlet(new ServletHolder(new GigiAPI()), "/*");
240         return sch;
241     }
242
243     private static SslContextFactory generateSSLContextFactory(GigiConfig conf, String alias) throws GeneralSecurityException, IOException {
244         SslContextFactory scf = new SslContextFactory() {
245
246             String[] ciphers = null;
247
248             @Override
249             public void customize(SSLEngine sslEngine) {
250                 super.customize(sslEngine);
251
252                 SSLParameters ssl = sslEngine.getSSLParameters();
253                 ssl.setUseCipherSuitesOrder(true);
254                 if (ciphers == null) {
255                     ciphers = CipherInfo.filter(sslEngine.getSupportedCipherSuites());
256                 }
257
258                 ssl.setCipherSuites(ciphers);
259                 sslEngine.setSSLParameters(ssl);
260
261             }
262
263         };
264         scf.setRenegotiationAllowed(false);
265
266         scf.setProtocol("TLS");
267         scf.setIncludeProtocols("TLSv1", "TLSv1.1", "TLSv1.2");
268         scf.setTrustStore(conf.getTrustStore());
269         KeyStore privateStore = conf.getPrivateStore();
270         scf.setKeyStorePassword(conf.getPrivateStorePw());
271         scf.setKeyStore(privateStore);
272         scf.setCertAlias(alias);
273         return scf;
274     }
275 }
WPIA Certificate Web Issuance Platform