]> WPIA git - gigi.git/blob - src/org/cacert/gigi/Launcher.java
projects / gigi.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Split session validity context between "www" and "secure"
[gigi.git] / src / org / cacert / gigi / Launcher.java
1 package org.cacert.gigi;
2
3 import java.io.IOException;
4 import java.security.GeneralSecurityException;
5 import java.security.KeyStore;
6 import java.util.List;
7 import java.util.Properties;
8
9 import javax.net.ssl.ExtendedSSLSession;
10 import javax.net.ssl.SNIHostName;
11 import javax.net.ssl.SNIServerName;
12 import javax.net.ssl.SSLEngine;
13 import javax.net.ssl.SSLParameters;
14 import javax.net.ssl.SSLSession;
15
16 import org.cacert.gigi.api.GigiAPI;
17 import org.cacert.gigi.natives.SetUID;
18 import org.cacert.gigi.util.CipherInfo;
19 import org.cacert.gigi.util.ServerConstants;
20 import org.eclipse.jetty.http.HttpVersion;
21 import org.eclipse.jetty.server.Connector;
22 import org.eclipse.jetty.server.Handler;
23 import org.eclipse.jetty.server.HttpConfiguration;
24 import org.eclipse.jetty.server.HttpConnectionFactory;
25 import org.eclipse.jetty.server.SecureRequestCustomizer;
26 import org.eclipse.jetty.server.Server;
27 import org.eclipse.jetty.server.ServerConnector;
28 import org.eclipse.jetty.server.SessionManager;
29 import org.eclipse.jetty.server.SslConnectionFactory;
30 import org.eclipse.jetty.server.handler.ContextHandler;
31 import org.eclipse.jetty.server.handler.HandlerList;
32 import org.eclipse.jetty.server.handler.HandlerWrapper;
33 import org.eclipse.jetty.server.handler.ResourceHandler;
34 import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
35 import org.eclipse.jetty.servlet.ServletContextHandler;
36 import org.eclipse.jetty.servlet.ServletHolder;
37 import org.eclipse.jetty.util.log.Log;
38 import org.eclipse.jetty.util.ssl.SslContextFactory;
39
40 public class Launcher {
41         public static void main(String[] args) throws Exception {
42                 GigiConfig conf = GigiConfig.parse(System.in);
43                 ServerConstants.init(conf.getMainProps());
44
45                 Server s = new Server();
46                 // === SSL HTTP Configuration ===
47                 HttpConfiguration https_config = new HttpConfiguration();
48                 https_config.setSendServerVersion(false);
49                 https_config.setSendXPoweredBy(false);
50
51                 // for client-cert auth
52                 https_config.addCustomizer(new SecureRequestCustomizer());
53
54                 ServerConnector connector = new ServerConnector(s, createConnectionFactory(conf), new HttpConnectionFactory(
55                         https_config));
56                 connector.setHost(conf.getMainProps().getProperty("host"));
57                 connector.setPort(Integer.parseInt(conf.getMainProps().getProperty("port")));
58                 s.setConnectors(new Connector[] { connector });
59
60                 HandlerList hl = new HandlerList();
61                 hl.setHandlers(new Handler[] { generateStaticContext(), generateGigiContexts(conf.getMainProps()),
62                                 generateAPIContext() });
63                 s.setHandler(hl);
64                 s.start();
65                 if (connector.getPort() <= 1024 && !System.getProperty("os.name").toLowerCase().contains("win")) {
66                         SetUID uid = new SetUID();
67                         if (!uid.setUid(65536 - 2, 65536 - 2).getSuccess()) {
68                                 Log.getLogger(Launcher.class).warn("Couldn't set uid!");
69                         }
70                 }
71         }
72
73         private static SslConnectionFactory createConnectionFactory(GigiConfig conf) throws GeneralSecurityException,
74                 IOException {
75                 final SslContextFactory sslContextFactory = generateSSLContextFactory(conf, "www");
76                 final SslContextFactory secureContextFactory = generateSSLContextFactory(conf, "secure");
77                 secureContextFactory.setWantClientAuth(true);
78                 secureContextFactory.setNeedClientAuth(false);
79                 final SslContextFactory staticContextFactory = generateSSLContextFactory(conf, "static");
80                 final SslContextFactory apiContextFactory = generateSSLContextFactory(conf, "api");
81                 try {
82                         secureContextFactory.start();
83                         staticContextFactory.start();
84                         apiContextFactory.start();
85                 } catch (Exception e) {
86                         e.printStackTrace();
87                 }
88                 return new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()) {
89                         @Override
90                         public boolean shouldRestartSSL() {
91                                 return true;
92                         }
93
94                         @Override
95                         public SSLEngine restartSSL(SSLSession sslSession) {
96                                 SSLEngine e2 = null;
97                                 if (sslSession instanceof ExtendedSSLSession) {
98                                         ExtendedSSLSession es = (ExtendedSSLSession) sslSession;
99                                         List<SNIServerName> names = es.getRequestedServerNames();
100                                         for (SNIServerName sniServerName : names) {
101                                                 if (sniServerName instanceof SNIHostName) {
102                                                         SNIHostName host = (SNIHostName) sniServerName;
103                                                         String hostname = host.getAsciiName();
104                                                         if (hostname.equals(ServerConstants.getWwwHostName())) {
105                                                                 e2 = sslContextFactory.newSSLEngine();
106                                                         } else if (hostname.equals(ServerConstants.getStaticHostName())) {
107                                                                 e2 = staticContextFactory.newSSLEngine();
108                                                         } else if (hostname.equals(ServerConstants.getSecureHostName())) {
109                                                                 e2 = secureContextFactory.newSSLEngine();
110                                                         } else if (hostname.equals(ServerConstants.getApiHostName())) {
111                                                                 e2 = apiContextFactory.newSSLEngine();
112                                                         }
113                                                         break;
114                                                 }
115                                         }
116                                 }
117                                 if (e2 == null) {
118                                         e2 = sslContextFactory.newSSLEngine(sslSession.getPeerHost(), sslSession.getPeerPort());
119                                 }
120                                 e2.setUseClientMode(false);
121                                 return e2;
122                         }
123                 };
124         }
125
126         private static Handler generateGigiContexts(Properties conf) {
127                 ServletHolder webAppServlet = new ServletHolder(new Gigi(conf));
128
129                 ContextHandler ch = generateGigiServletContext(webAppServlet);
130                 ch.setVirtualHosts(new String[] { ServerConstants.getWwwHostName() });
131                 ContextHandler chSecure = generateGigiServletContext(webAppServlet);
132                 chSecure.setVirtualHosts(new String[] { ServerConstants.getSecureHostName() });
133
134                 HandlerList hl = new HandlerList();
135                 hl.setHandlers(new Handler[] { ch, chSecure });
136                 return hl;
137         }
138
139         private static ContextHandler generateGigiServletContext(ServletHolder webAppServlet) {
140                 final ResourceHandler rh = new ResourceHandler();
141                 rh.setResourceBase("static/www");
142
143                 HandlerWrapper hw = new PolicyRedirector();
144                 hw.setHandler(rh);
145
146                 ServletContextHandler servlet = new ServletContextHandler(ServletContextHandler.SESSIONS);
147                 servlet.setInitParameter(SessionManager.__SessionCookieProperty, "CACert-Session");
148                 servlet.addServlet(webAppServlet, "/*");
149                 ErrorPageErrorHandler epeh = new ErrorPageErrorHandler();
150                 epeh.addErrorPage(404, "/error");
151                 servlet.setErrorHandler(epeh);
152
153                 HandlerList hl = new HandlerList();
154                 hl.setHandlers(new Handler[] { hw, servlet });
155
156                 ContextHandler ch = new ContextHandler();
157                 ch.setHandler(hl);
158                 return ch;
159         }
160
161         private static Handler generateStaticContext() {
162                 final ResourceHandler rh = new ResourceHandler();
163                 rh.setResourceBase("static/static");
164
165                 ContextHandler ch = new ContextHandler();
166                 ch.setHandler(rh);
167                 ch.setVirtualHosts(new String[] { ServerConstants.getStaticHostName() });
168
169                 return ch;
170         }
171
172         private static Handler generateAPIContext() {
173                 ServletContextHandler sch = new ServletContextHandler();
174
175                 sch.addVirtualHosts(new String[] { ServerConstants.getApiHostName() });
176                 sch.addServlet(new ServletHolder(new GigiAPI()), "/*");
177                 return sch;
178         }
179
180         private static SslContextFactory generateSSLContextFactory(GigiConfig conf, String alias)
181                 throws GeneralSecurityException, IOException {
182                 SslContextFactory scf = new SslContextFactory() {
183
184                         String[] ciphers = null;
185
186                         @Override
187                         public void customize(SSLEngine sslEngine) {
188                                 super.customize(sslEngine);
189
190                                 SSLParameters ssl = sslEngine.getSSLParameters();
191                                 ssl.setUseCipherSuitesOrder(true);
192                                 if (ciphers == null) {
193                                         ciphers = CipherInfo.filter(sslEngine.getSupportedCipherSuites());
194                                 }
195
196                                 ssl.setCipherSuites(ciphers);
197                                 sslEngine.setSSLParameters(ssl);
198
199                         }
200
201                 };
202                 scf.setRenegotiationAllowed(false);
203
204                 scf.setProtocol("TLS");
205                 scf.setTrustStore(conf.getTrustStore());
206                 KeyStore privateStore = conf.getPrivateStore();
207                 scf.setKeyStorePassword(conf.getPrivateStorePw());
208                 scf.setKeyStore(privateStore);
209                 scf.setCertAlias(alias);
210                 return scf;
211         }
212 }
WPIA Certificate Web Issuance Platform