src/org/cacert/gigi/Launcher.java

   1 package org.cacert.gigi;
   2 import java.io.IOException;
   3 import java.security.GeneralSecurityException;
   4 import java.security.KeyStore;
   5 import java.util.List;
   6 import java.util.Properties;
   7
   8 import javax.net.ssl.ExtendedSSLSession;
   9 import javax.net.ssl.SNIHostName;
  10 import javax.net.ssl.SNIServerName;
  11 import javax.net.ssl.SSLEngine;
  12 import javax.net.ssl.SSLParameters;
  13 import javax.net.ssl.SSLSession;
  14
  15 import org.cacert.gigi.api.GigiAPI;
  16 import org.cacert.gigi.natives.SetUID;
  17 import org.cacert.gigi.util.CipherInfo;
  18 import org.cacert.gigi.util.ServerConstants;
  19 import org.eclipse.jetty.http.HttpVersion;
  20 import org.eclipse.jetty.server.Connector;
  21 import org.eclipse.jetty.server.Handler;
  22 import org.eclipse.jetty.server.HttpConfiguration;
  23 import org.eclipse.jetty.server.HttpConnectionFactory;
  24 import org.eclipse.jetty.server.SecureRequestCustomizer;
  25 import org.eclipse.jetty.server.Server;
  26 import org.eclipse.jetty.server.ServerConnector;
  27 import org.eclipse.jetty.server.SessionManager;
  28 import org.eclipse.jetty.server.SslConnectionFactory;
  29 import org.eclipse.jetty.server.handler.ContextHandler;
  30 import org.eclipse.jetty.server.handler.HandlerList;
  31 import org.eclipse.jetty.server.handler.HandlerWrapper;
  32 import org.eclipse.jetty.server.handler.ResourceHandler;
  33 import org.eclipse.jetty.servlet.ServletContextHandler;
  34 import org.eclipse.jetty.servlet.ServletHolder;
  35 import org.eclipse.jetty.util.log.Log;
  36 import org.eclipse.jetty.util.ssl.SslContextFactory;
  37
  38 public class Launcher {
  39         public static void main(String[] args) throws Exception {
  40                 GigiConfig conf = GigiConfig.parse(System.in);
  41                 ServerConstants.init(conf.getMainProps());
  42
  43                 Server s = new Server();
  44                 // === SSL HTTP Configuration ===
  45                 HttpConfiguration https_config = new HttpConfiguration();
  46                 https_config.setSendServerVersion(false);
  47                 https_config.setSendXPoweredBy(false);
  48
  49                 // for client-cert auth
  50                 https_config.addCustomizer(new SecureRequestCustomizer());
  51
  52                 ServerConnector connector = new ServerConnector(s,
  53                                 createConnectionFactory(conf), new HttpConnectionFactory(
  54                                                 https_config));
  55                 connector.setHost(conf.getMainProps().getProperty("host"));
  56                 connector.setPort(Integer.parseInt(conf.getMainProps().getProperty(
  57                                 "port")));
  58                 s.setConnectors(new Connector[]{connector});
  59
  60                 HandlerList hl = new HandlerList();
  61                 hl.setHandlers(new Handler[]{generateStaticContext(),
  62                                 generateGigiContext(conf.getMainProps()), generateAPIContext()});
  63                 s.setHandler(hl);
  64                 s.start();
  65                 if (connector.getPort() <= 1024
  66                                 && !System.getProperty("os.name").toLowerCase().contains("win")) {
  67                         SetUID uid = new SetUID();
  68                         if (!uid.setUid(65536 - 2, 65536 - 2).getSuccess()) {
  69                                 Log.getLogger(Launcher.class).warn("Couldn't set uid!");
  70                         }
  71                 }
  72         }
  73
  74         private static SslConnectionFactory createConnectionFactory(GigiConfig conf)
  75                         throws GeneralSecurityException, IOException {
  76                 final SslContextFactory sslContextFactory = generateSSLContextFactory(
  77                                 conf, "www");
  78                 final SslContextFactory secureContextFactory = generateSSLContextFactory(
  79                                 conf, "secure");
  80                 secureContextFactory.setNeedClientAuth(true);
  81                 final SslContextFactory staticContextFactory = generateSSLContextFactory(
  82                                 conf, "static");
  83                 final SslContextFactory apiContextFactory = generateSSLContextFactory(
  84                                 conf, "api");
  85                 try {
  86                         secureContextFactory.start();
  87                         staticContextFactory.start();
  88                         apiContextFactory.start();
  89                 } catch (Exception e) {
  90                         e.printStackTrace();
  91                 }
  92                 return new SslConnectionFactory(sslContextFactory,
  93                                 HttpVersion.HTTP_1_1.asString()) {
  94                         @Override
  95                         public boolean shouldRestartSSL() {
  96                                 return true;
  97                         }
  98                         @Override
  99                         public SSLEngine restartSSL(SSLSession sslSession) {
 100                                 SSLEngine e2 = null;
 101                                 if (sslSession instanceof ExtendedSSLSession) {
 102                                         ExtendedSSLSession es = (ExtendedSSLSession) sslSession;
 103                                         List<SNIServerName> names = es.getRequestedServerNames();
 104                                         for (SNIServerName sniServerName : names) {
 105                                                 if (sniServerName instanceof SNIHostName) {
 106                                                         SNIHostName host = (SNIHostName) sniServerName;
 107                                                         String hostname = host.getAsciiName();
 108                                                         if (hostname.equals("www.cacert.local")) {
 109                                                                 e2 = sslContextFactory.newSSLEngine();
 110                                                         } else if (hostname.equals("static.cacert.local")) {
 111                                                                 e2 = staticContextFactory.newSSLEngine();
 112                                                         } else if (hostname.equals("secure.cacert.local")) {
 113                                                                 e2 = secureContextFactory.newSSLEngine();
 114                                                         } else if (hostname.equals("api.cacert.local")) {
 115                                                                 e2 = apiContextFactory.newSSLEngine();
 116                                                         }
 117                                                         break;
 118                                                 }
 119                                         }
 120                                 }
 121                                 if (e2 == null) {
 122                                         e2 = sslContextFactory.newSSLEngine(
 123                                                         sslSession.getPeerHost(), sslSession.getPeerPort());
 124                                 }
 125                                 e2.setUseClientMode(false);
 126                                 return e2;
 127                         }
 128                 };
 129         }
 130
 131         private static ContextHandler generateGigiContext(Properties conf) {
 132                 final ResourceHandler rh = new ResourceHandler();
 133                 rh.setResourceBase("static/www");
 134
 135                 HandlerWrapper hw = new PolicyRedirector();
 136                 hw.setHandler(rh);
 137
 138                 ServletContextHandler servlet = new ServletContextHandler(
 139                                 ServletContextHandler.SESSIONS);
 140                 servlet.setInitParameter(SessionManager.__SessionCookieProperty,
 141                                 "CACert-Session");
 142                 servlet.addServlet(new ServletHolder(new Gigi(conf)), "/*");
 143
 144                 HandlerList hl = new HandlerList();
 145                 hl.setHandlers(new Handler[]{servlet, hw});
 146
 147                 ContextHandler ch = new ContextHandler();
 148                 ch.setVirtualHosts(new String[]{ServerConstants.getWwwHostName(),
 149                                 ServerConstants.getSecureHostName()});
 150                 ch.setHandler(hl);
 151
 152                 return ch;
 153         }
 154
 155         private static Handler generateStaticContext() {
 156                 final ResourceHandler rh = new ResourceHandler();
 157                 rh.setResourceBase("static/static");
 158
 159                 ContextHandler ch = new ContextHandler();
 160                 ch.setHandler(rh);
 161                 ch.setVirtualHosts(new String[]{ServerConstants.getStaticHostName()});
 162
 163                 return ch;
 164         }
 165
 166         private static Handler generateAPIContext() {
 167                 ServletContextHandler sch = new ServletContextHandler();
 168
 169                 sch.addVirtualHosts(new String[]{ServerConstants.getApiHostName()});
 170                 sch.addServlet(new ServletHolder(new GigiAPI()), "/*");
 171                 return sch;
 172         }
 173
 174         private static SslContextFactory generateSSLContextFactory(GigiConfig conf,
 175                         String alias) throws GeneralSecurityException, IOException {
 176                 SslContextFactory scf = new SslContextFactory() {
 177
 178                         String[] ciphers = null;
 179
 180                         @Override
 181                         public void customize(SSLEngine sslEngine) {
 182                                 super.customize(sslEngine);
 183
 184                                 SSLParameters ssl = sslEngine.getSSLParameters();
 185                                 ssl.setUseCipherSuitesOrder(true);
 186                                 if (ciphers == null) {
 187                                         ciphers = CipherInfo.filter(sslEngine
 188                                                         .getSupportedCipherSuites());
 189                                 }
 190
 191                                 ssl.setCipherSuites(ciphers);
 192                                 sslEngine.setSSLParameters(ssl);
 193
 194                         }
 195
 196                 };
 197                 scf.setRenegotiationAllowed(false);
 198
 199                 scf.setProtocol("TLS");
 200                 scf.setTrustStore(conf.getTrustStore());
 201                 KeyStore privateStore = conf.getPrivateStore();
 202                 scf.setKeyStorePassword(conf.getPrivateStorePw());
 203                 scf.setKeyStore(privateStore);
 204                 scf.setCertAlias(alias);
 205                 return scf;
 206         }
 207 }