src/org/cacert/gigi/Launcher.java

   1 package org.cacert.gigi;
   2 import java.io.IOException;
   3 import java.security.GeneralSecurityException;
   4 import java.security.KeyStore;
   5 import java.util.List;
   6 import java.util.Properties;
   7
   8 import javax.net.ssl.ExtendedSSLSession;
   9 import javax.net.ssl.SNIHostName;
  10 import javax.net.ssl.SNIServerName;
  11 import javax.net.ssl.SSLEngine;
  12 import javax.net.ssl.SSLParameters;
  13 import javax.net.ssl.SSLSession;
  14
  15 import org.cacert.gigi.api.GigiAPI;
  16 import org.cacert.gigi.natives.SetUID;
  17 import org.cacert.gigi.util.CipherInfo;
  18 import org.cacert.gigi.util.ServerConstants;
  19 import org.eclipse.jetty.http.HttpVersion;
  20 import org.eclipse.jetty.server.Connector;
  21 import org.eclipse.jetty.server.Handler;
  22 import org.eclipse.jetty.server.HttpConfiguration;
  23 import org.eclipse.jetty.server.HttpConnectionFactory;
  24 import org.eclipse.jetty.server.SecureRequestCustomizer;
  25 import org.eclipse.jetty.server.Server;
  26 import org.eclipse.jetty.server.ServerConnector;
  27 import org.eclipse.jetty.server.SessionManager;
  28 import org.eclipse.jetty.server.SslConnectionFactory;
  29 import org.eclipse.jetty.server.handler.ContextHandler;
  30 import org.eclipse.jetty.server.handler.HandlerList;
  31 import org.eclipse.jetty.server.handler.HandlerWrapper;
  32 import org.eclipse.jetty.server.handler.ResourceHandler;
  33 import org.eclipse.jetty.servlet.ServletContextHandler;
  34 import org.eclipse.jetty.servlet.ServletHolder;
  35 import org.eclipse.jetty.util.log.Log;
  36 import org.eclipse.jetty.util.ssl.SslContextFactory;
  37
  38 public class Launcher {
  39         public static void main(String[] args) throws Exception {
  40                 GigiConfig conf = GigiConfig.parse(System.in);
  41                 ServerConstants.init(conf.getMainProps());
  42
  43                 Server s = new Server();
  44                 // === SSL HTTP Configuration ===
  45                 HttpConfiguration https_config = new HttpConfiguration();
  46                 https_config.setSendServerVersion(false);
  47                 https_config.setSendXPoweredBy(false);
  48
  49                 // for client-cert auth
  50                 https_config.addCustomizer(new SecureRequestCustomizer());
  51
  52                 ServerConnector connector = new ServerConnector(s,
  53                                 createConnectionFactory(conf), new HttpConnectionFactory(
  54                                                 https_config));
  55                 connector.setHost(conf.getMainProps().getProperty("host"));
  56                 connector.setPort(Integer.parseInt(conf.getMainProps().getProperty(
  57                                 "port")));
  58                 s.setConnectors(new Connector[]{connector});
  59
  60                 HandlerList hl = new HandlerList();
  61                 hl.setHandlers(new Handler[]{generateStaticContext(),
  62                                 generateGigiContext(conf.getMainProps()), generateAPIContext()});
  63                 s.setHandler(hl);
  64                 s.start();
  65                 if (connector.getPort() <= 1024
  66                                 && !System.getProperty("os.name").toLowerCase().contains("win")) {
  67                         SetUID uid = new SetUID();
  68                         if (!uid.setUid(65536 - 2, 65536 - 2).getSuccess()) {
  69                                 Log.getLogger(Launcher.class).warn("Couldn't set uid!");
  70                         }
  71                 }
  72         }
  73
  74         private static SslConnectionFactory createConnectionFactory(GigiConfig conf)
  75                         throws GeneralSecurityException, IOException {
  76                 final SslContextFactory sslContextFactory = generateSSLContextFactory(
  77                                 conf, "www");
  78                 final SslContextFactory secureContextFactory = generateSSLContextFactory(
  79                                 conf, "secure");
  80                 secureContextFactory.setNeedClientAuth(true);
  81                 final SslContextFactory staticContextFactory = generateSSLContextFactory(
  82                                 conf, "static");
  83                 final SslContextFactory apiContextFactory = generateSSLContextFactory(
  84                                 conf, "api");
  85                 try {
  86                         secureContextFactory.start();
  87                         staticContextFactory.start();
  88                         apiContextFactory.start();
  89                 } catch (Exception e) {
  90                         e.printStackTrace();
  91                 }
  92                 return new SslConnectionFactory(sslContextFactory,
  93                                 HttpVersion.HTTP_1_1.asString()) {
  94                         @Override
  95                         public boolean shouldRestartSSL() {
  96                                 return true;
  97                         }
  98                         @Override
  99                         public SSLEngine restartSSL(SSLSession sslSession) {
 100                                 SSLEngine e2 = null;
 101                                 if (sslSession instanceof ExtendedSSLSession) {
 102                                         ExtendedSSLSession es = (ExtendedSSLSession) sslSession;
 103                                         List<SNIServerName> names = es.getRequestedServerNames();
 104                                         for (SNIServerName sniServerName : names) {
 105                                                 if (sniServerName instanceof SNIHostName) {
 106                                                         SNIHostName host = (SNIHostName) sniServerName;
 107                                                         String hostname = host.getAsciiName();
 108                                                         if (hostname.equals(ServerConstants
 109                                                                         .getWwwHostName())) {
 110                                                                 e2 = sslContextFactory.newSSLEngine();
 111                                                         } else if (hostname.equals(ServerConstants
 112                                                                         .getStaticHostName())) {
 113                                                                 e2 = staticContextFactory.newSSLEngine();
 114                                                         } else if (hostname.equals(ServerConstants
 115                                                                         .getSecureHostName())) {
 116                                                                 e2 = secureContextFactory.newSSLEngine();
 117                                                         } else if (hostname.equals(ServerConstants
 118                                                                         .getApiHostName())) {
 119                                                                 e2 = apiContextFactory.newSSLEngine();
 120                                                         }
 121                                                         break;
 122                                                 }
 123                                         }
 124                                 }
 125                                 if (e2 == null) {
 126                                         e2 = sslContextFactory.newSSLEngine(
 127                                                         sslSession.getPeerHost(), sslSession.getPeerPort());
 128                                 }
 129                                 e2.setUseClientMode(false);
 130                                 return e2;
 131                         }
 132                 };
 133         }
 134
 135         private static ContextHandler generateGigiContext(Properties conf) {
 136                 final ResourceHandler rh = new ResourceHandler();
 137                 rh.setResourceBase("static/www");
 138
 139                 HandlerWrapper hw = new PolicyRedirector();
 140                 hw.setHandler(rh);
 141
 142                 ServletContextHandler servlet = new ServletContextHandler(
 143                                 ServletContextHandler.SESSIONS);
 144                 servlet.setInitParameter(SessionManager.__SessionCookieProperty,
 145                                 "CACert-Session");
 146                 servlet.addServlet(new ServletHolder(new Gigi(conf)), "/*");
 147
 148                 HandlerList hl = new HandlerList();
 149                 hl.setHandlers(new Handler[]{servlet, hw});
 150
 151                 ContextHandler ch = new ContextHandler();
 152                 ch.setVirtualHosts(new String[]{ServerConstants.getWwwHostName(),
 153                                 ServerConstants.getSecureHostName()});
 154                 ch.setHandler(hl);
 155
 156                 return ch;
 157         }
 158
 159         private static Handler generateStaticContext() {
 160                 final ResourceHandler rh = new ResourceHandler();
 161                 rh.setResourceBase("static/static");
 162
 163                 ContextHandler ch = new ContextHandler();
 164                 ch.setHandler(rh);
 165                 ch.setVirtualHosts(new String[]{ServerConstants.getStaticHostName()});
 166
 167                 return ch;
 168         }
 169
 170         private static Handler generateAPIContext() {
 171                 ServletContextHandler sch = new ServletContextHandler();
 172
 173                 sch.addVirtualHosts(new String[]{ServerConstants.getApiHostName()});
 174                 sch.addServlet(new ServletHolder(new GigiAPI()), "/*");
 175                 return sch;
 176         }
 177
 178         private static SslContextFactory generateSSLContextFactory(GigiConfig conf,
 179                         String alias) throws GeneralSecurityException, IOException {
 180                 SslContextFactory scf = new SslContextFactory() {
 181
 182                         String[] ciphers = null;
 183
 184                         @Override
 185                         public void customize(SSLEngine sslEngine) {
 186                                 super.customize(sslEngine);
 187
 188                                 SSLParameters ssl = sslEngine.getSSLParameters();
 189                                 ssl.setUseCipherSuitesOrder(true);
 190                                 if (ciphers == null) {
 191                                         ciphers = CipherInfo.filter(sslEngine
 192                                                         .getSupportedCipherSuites());
 193                                 }
 194
 195                                 ssl.setCipherSuites(ciphers);
 196                                 sslEngine.setSSLParameters(ssl);
 197
 198                         }
 199
 200                 };
 201                 scf.setRenegotiationAllowed(false);
 202
 203                 scf.setProtocol("TLS");
 204                 scf.setTrustStore(conf.getTrustStore());
 205                 KeyStore privateStore = conf.getPrivateStore();
 206                 scf.setKeyStorePassword(conf.getPrivateStorePw());
 207                 scf.setKeyStore(privateStore);
 208                 scf.setCertAlias(alias);
 209                 return scf;
 210         }
 211 }