]> WPIA git - gigi.git/blob - src/org/cacert/gigi/Launcher.java
projects / gigi.git / blob
? search:


41b09ffb6a4a04736bf6316fe4ad1c89dd6ba666
[gigi.git] / src / org / cacert / gigi / Launcher.java
1 package org.cacert.gigi;
2 import java.io.IOException;
3 import java.security.GeneralSecurityException;
4 import java.security.KeyStore;
5 import java.util.List;
6 import java.util.Properties;
7
8 import javax.net.ssl.ExtendedSSLSession;
9 import javax.net.ssl.SNIHostName;
10 import javax.net.ssl.SNIServerName;
11 import javax.net.ssl.SSLEngine;
12 import javax.net.ssl.SSLParameters;
13 import javax.net.ssl.SSLSession;
14
15 import org.cacert.gigi.natives.SetUID;
16 import org.cacert.gigi.util.CipherInfo;
17 import org.cacert.gigi.util.ServerConstants;
18 import org.eclipse.jetty.http.HttpVersion;
19 import org.eclipse.jetty.server.Connector;
20 import org.eclipse.jetty.server.Handler;
21 import org.eclipse.jetty.server.HttpConfiguration;
22 import org.eclipse.jetty.server.HttpConnectionFactory;
23 import org.eclipse.jetty.server.SecureRequestCustomizer;
24 import org.eclipse.jetty.server.Server;
25 import org.eclipse.jetty.server.ServerConnector;
26 import org.eclipse.jetty.server.SessionManager;
27 import org.eclipse.jetty.server.SslConnectionFactory;
28 import org.eclipse.jetty.server.handler.ContextHandler;
29 import org.eclipse.jetty.server.handler.HandlerList;
30 import org.eclipse.jetty.server.handler.HandlerWrapper;
31 import org.eclipse.jetty.server.handler.ResourceHandler;
32 import org.eclipse.jetty.servlet.ServletContextHandler;
33 import org.eclipse.jetty.servlet.ServletHolder;
34 import org.eclipse.jetty.util.log.Log;
35 import org.eclipse.jetty.util.ssl.SslContextFactory;
36
37 public class Launcher {
38         public static void main(String[] args) throws Exception {
39                 GigiConfig conf = GigiConfig.parse(System.in);
40                 ServerConstants.init(conf.getMainProps());
41
42                 Server s = new Server();
43                 // === SSL HTTP Configuration ===
44                 HttpConfiguration https_config = new HttpConfiguration();
45                 https_config.setSendServerVersion(false);
46                 https_config.setSendXPoweredBy(false);
47
48                 // for client-cert auth
49                 https_config.addCustomizer(new SecureRequestCustomizer());
50
51                 ServerConnector connector = new ServerConnector(s,
52                                 createConnectionFactory(conf), new HttpConnectionFactory(
53                                                 https_config));
54                 connector.setHost(conf.getMainProps().getProperty("host"));
55                 connector.setPort(Integer.parseInt(conf.getMainProps().getProperty(
56                                 "port")));
57                 s.setConnectors(new Connector[]{connector});
58
59                 HandlerList hl = new HandlerList();
60                 hl.setHandlers(new Handler[]{generateStaticContext(),
61                                 generateGigiContext(conf.getMainProps())});
62                 s.setHandler(hl);
63                 s.start();
64                 if (connector.getPort() <= 1024
65                                 && !System.getProperty("os.name").toLowerCase().contains("win")) {
66                         SetUID uid = new SetUID();
67                         if (!uid.setUid(65536 - 2, 65536 - 2).getSuccess()) {
68                                 Log.getLogger(Launcher.class).warn("Couldn't set uid!");
69                         }
70                 }
71         }
72
73         private static SslConnectionFactory createConnectionFactory(GigiConfig conf)
74                         throws GeneralSecurityException, IOException {
75                 final SslContextFactory sslContextFactory = generateSSLContextFactory(
76                                 conf, "www");
77                 final SslContextFactory secureContextFactory = generateSSLContextFactory(
78                                 conf, "secure");
79                 secureContextFactory.setNeedClientAuth(true);
80                 final SslContextFactory staticContextFactory = generateSSLContextFactory(
81                                 conf, "static");
82                 try {
83                         secureContextFactory.start();
84                         staticContextFactory.start();
85                 } catch (Exception e) {
86                         e.printStackTrace();
87                 }
88                 return new SslConnectionFactory(sslContextFactory,
89                                 HttpVersion.HTTP_1_1.asString()) {
90                         @Override
91                         public boolean shouldRestartSSL() {
92                                 return true;
93                         }
94                         @Override
95                         public SSLEngine restartSSL(SSLSession sslSession) {
96                                 SSLEngine e2 = null;
97                                 if (sslSession instanceof ExtendedSSLSession) {
98                                         ExtendedSSLSession es = (ExtendedSSLSession) sslSession;
99                                         List<SNIServerName> names = es.getRequestedServerNames();
100                                         for (SNIServerName sniServerName : names) {
101                                                 if (sniServerName instanceof SNIHostName) {
102                                                         SNIHostName host = (SNIHostName) sniServerName;
103                                                         String hostname = host.getAsciiName();
104                                                         if (hostname.equals("www.cacert.local")) {
105                                                                 e2 = sslContextFactory.newSSLEngine();
106                                                         } else if (hostname.equals("static.cacert.local")) {
107                                                                 e2 = staticContextFactory.newSSLEngine();
108                                                         } else if (hostname.equals("secure.cacert.local")) {
109                                                                 e2 = secureContextFactory.newSSLEngine();
110                                                         }
111                                                         break;
112                                                 }
113                                         }
114                                 }
115                                 if (e2 == null) {
116                                         e2 = sslContextFactory.newSSLEngine(
117                                                         sslSession.getPeerHost(), sslSession.getPeerPort());
118                                 }
119                                 e2.setUseClientMode(false);
120                                 return e2;
121                         }
122                 };
123         }
124
125         private static ContextHandler generateGigiContext(Properties conf) {
126                 final ResourceHandler rh = new ResourceHandler();
127                 rh.setResourceBase("static/www");
128
129                 HandlerWrapper hw = new PolicyRedirector();
130                 hw.setHandler(rh);
131
132                 ServletContextHandler servlet = new ServletContextHandler(
133                                 ServletContextHandler.SESSIONS);
134                 servlet.setInitParameter(SessionManager.__SessionCookieProperty,
135                                 "CACert-Session");
136                 servlet.addServlet(new ServletHolder(new Gigi(conf)), "/*");
137
138                 HandlerList hl = new HandlerList();
139                 hl.setHandlers(new Handler[]{servlet, hw});
140
141                 ContextHandler ch = new ContextHandler();
142                 ch.setVirtualHosts(new String[]{ServerConstants.getWwwHostName(),
143                                 ServerConstants.getSecureHostName()});
144                 ch.setHandler(hl);
145
146                 return ch;
147         }
148
149         private static Handler generateStaticContext() {
150                 final ResourceHandler rh = new ResourceHandler();
151                 rh.setResourceBase("static/static");
152
153                 ContextHandler ch = new ContextHandler();
154                 ch.setHandler(rh);
155                 ch.setVirtualHosts(new String[]{ServerConstants.getStaticHostName()});
156
157                 return ch;
158         }
159
160         private static SslContextFactory generateSSLContextFactory(GigiConfig conf,
161                         String alias) throws GeneralSecurityException, IOException {
162                 SslContextFactory scf = new SslContextFactory() {
163
164                         String[] ciphers = null;
165
166                         @Override
167                         public void customize(SSLEngine sslEngine) {
168                                 super.customize(sslEngine);
169
170                                 SSLParameters ssl = sslEngine.getSSLParameters();
171                                 ssl.setUseCipherSuitesOrder(true);
172                                 if (ciphers == null) {
173                                         ciphers = CipherInfo.filter(sslEngine
174                                                         .getSupportedCipherSuites());
175                                 }
176
177                                 ssl.setCipherSuites(ciphers);
178                                 sslEngine.setSSLParameters(ssl);
179
180                         }
181
182                 };
183                 scf.setRenegotiationAllowed(false);
184
185                 scf.setProtocol("TLS");
186                 scf.setTrustStore(conf.getTrustStore());
187                 KeyStore privateStore = conf.getPrivateStore();
188                 scf.setKeyStorePassword(conf.getPrivateStorePw());
189                 scf.setKeyStore(privateStore);
190                 scf.setCertAlias(alias);
191                 return scf;
192         }
193 }
WPIA Certificate Web Issuance Platform