src/org/cacert/gigi/Launcher.java

   1 package org.cacert.gigi;
   2
   3 import java.io.IOException;
   4 import java.security.GeneralSecurityException;
   5 import java.security.KeyStore;
   6 import java.util.List;
   7 import java.util.Properties;
   8
   9 import javax.net.ssl.ExtendedSSLSession;
  10 import javax.net.ssl.SNIHostName;
  11 import javax.net.ssl.SNIServerName;
  12 import javax.net.ssl.SSLEngine;
  13 import javax.net.ssl.SSLParameters;
  14 import javax.net.ssl.SSLSession;
  15
  16 import org.cacert.gigi.api.GigiAPI;
  17 import org.cacert.gigi.natives.SetUID;
  18 import org.cacert.gigi.util.CipherInfo;
  19 import org.cacert.gigi.util.ServerConstants;
  20 import org.eclipse.jetty.http.HttpVersion;
  21 import org.eclipse.jetty.server.Connector;
  22 import org.eclipse.jetty.server.Handler;
  23 import org.eclipse.jetty.server.HttpConfiguration;
  24 import org.eclipse.jetty.server.HttpConnectionFactory;
  25 import org.eclipse.jetty.server.SecureRequestCustomizer;
  26 import org.eclipse.jetty.server.Server;
  27 import org.eclipse.jetty.server.ServerConnector;
  28 import org.eclipse.jetty.server.SessionManager;
  29 import org.eclipse.jetty.server.SslConnectionFactory;
  30 import org.eclipse.jetty.server.handler.ContextHandler;
  31 import org.eclipse.jetty.server.handler.HandlerList;
  32 import org.eclipse.jetty.server.handler.HandlerWrapper;
  33 import org.eclipse.jetty.server.handler.ResourceHandler;
  34 import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
  35 import org.eclipse.jetty.servlet.ServletContextHandler;
  36 import org.eclipse.jetty.servlet.ServletHolder;
  37 import org.eclipse.jetty.util.log.Log;
  38 import org.eclipse.jetty.util.ssl.SslContextFactory;
  39
  40 public class Launcher {
  41         public static void main(String[] args) throws Exception {
  42                 GigiConfig conf = GigiConfig.parse(System.in);
  43                 ServerConstants.init(conf.getMainProps());
  44
  45                 Server s = new Server();
  46                 // === SSL HTTP Configuration ===
  47                 HttpConfiguration https_config = new HttpConfiguration();
  48                 https_config.setSendServerVersion(false);
  49                 https_config.setSendXPoweredBy(false);
  50
  51                 // for client-cert auth
  52                 https_config.addCustomizer(new SecureRequestCustomizer());
  53
  54                 ServerConnector connector = new ServerConnector(s, createConnectionFactory(conf), new HttpConnectionFactory(
  55                         https_config));
  56                 connector.setHost(conf.getMainProps().getProperty("host"));
  57                 connector.setPort(Integer.parseInt(conf.getMainProps().getProperty("port")));
  58                 s.setConnectors(new Connector[] { connector });
  59
  60                 HandlerList hl = new HandlerList();
  61                 hl.setHandlers(new Handler[] { generateStaticContext(), generateGigiContext(conf.getMainProps()),
  62                                 generateAPIContext() });
  63                 s.setHandler(hl);
  64                 s.start();
  65                 if (connector.getPort() <= 1024 && !System.getProperty("os.name").toLowerCase().contains("win")) {
  66                         SetUID uid = new SetUID();
  67                         if (!uid.setUid(65536 - 2, 65536 - 2).getSuccess()) {
  68                                 Log.getLogger(Launcher.class).warn("Couldn't set uid!");
  69                         }
  70                 }
  71         }
  72
  73         private static SslConnectionFactory createConnectionFactory(GigiConfig conf) throws GeneralSecurityException,
  74                 IOException {
  75                 final SslContextFactory sslContextFactory = generateSSLContextFactory(conf, "www");
  76                 final SslContextFactory secureContextFactory = generateSSLContextFactory(conf, "secure");
  77                 secureContextFactory.setWantClientAuth(true);
  78                 secureContextFactory.setNeedClientAuth(false);
  79                 final SslContextFactory staticContextFactory = generateSSLContextFactory(conf, "static");
  80                 final SslContextFactory apiContextFactory = generateSSLContextFactory(conf, "api");
  81                 try {
  82                         secureContextFactory.start();
  83                         staticContextFactory.start();
  84                         apiContextFactory.start();
  85                 } catch (Exception e) {
  86                         e.printStackTrace();
  87                 }
  88                 return new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()) {
  89                         @Override
  90                         public boolean shouldRestartSSL() {
  91                                 return true;
  92                         }
  93
  94                         @Override
  95                         public SSLEngine restartSSL(SSLSession sslSession) {
  96                                 SSLEngine e2 = null;
  97                                 if (sslSession instanceof ExtendedSSLSession) {
  98                                         ExtendedSSLSession es = (ExtendedSSLSession) sslSession;
  99                                         List<SNIServerName> names = es.getRequestedServerNames();
 100                                         for (SNIServerName sniServerName : names) {
 101                                                 if (sniServerName instanceof SNIHostName) {
 102                                                         SNIHostName host = (SNIHostName) sniServerName;
 103                                                         String hostname = host.getAsciiName();
 104                                                         if (hostname.equals(ServerConstants.getWwwHostName())) {
 105                                                                 e2 = sslContextFactory.newSSLEngine();
 106                                                         } else if (hostname.equals(ServerConstants.getStaticHostName())) {
 107                                                                 e2 = staticContextFactory.newSSLEngine();
 108                                                         } else if (hostname.equals(ServerConstants.getSecureHostName())) {
 109                                                                 e2 = secureContextFactory.newSSLEngine();
 110                                                         } else if (hostname.equals(ServerConstants.getApiHostName())) {
 111                                                                 e2 = apiContextFactory.newSSLEngine();
 112                                                         }
 113                                                         break;
 114                                                 }
 115                                         }
 116                                 }
 117                                 if (e2 == null) {
 118                                         e2 = sslContextFactory.newSSLEngine(sslSession.getPeerHost(), sslSession.getPeerPort());
 119                                 }
 120                                 e2.setUseClientMode(false);
 121                                 return e2;
 122                         }
 123                 };
 124         }
 125
 126         private static ContextHandler generateGigiContext(Properties conf) {
 127                 final ResourceHandler rh = new ResourceHandler();
 128                 rh.setResourceBase("static/www");
 129
 130                 HandlerWrapper hw = new PolicyRedirector();
 131                 hw.setHandler(rh);
 132
 133                 ServletContextHandler servlet = new ServletContextHandler(ServletContextHandler.SESSIONS);
 134                 servlet.setInitParameter(SessionManager.__SessionCookieProperty, "CACert-Session");
 135                 servlet.addServlet(new ServletHolder(new Gigi(conf)), "/*");
 136                 ErrorPageErrorHandler epeh = new ErrorPageErrorHandler();
 137                 epeh.addErrorPage(404, "/error");
 138                 servlet.setErrorHandler(epeh);
 139
 140                 HandlerList hl = new HandlerList();
 141                 hl.setHandlers(new Handler[] { hw, servlet });
 142
 143                 ContextHandler ch = new ContextHandler();
 144                 ch.setVirtualHosts(new String[] { ServerConstants.getWwwHostName(), ServerConstants.getSecureHostName() });
 145                 ch.setHandler(hl);
 146
 147                 return ch;
 148         }
 149
 150         private static Handler generateStaticContext() {
 151                 final ResourceHandler rh = new ResourceHandler();
 152                 rh.setResourceBase("static/static");
 153
 154                 ContextHandler ch = new ContextHandler();
 155                 ch.setHandler(rh);
 156                 ch.setVirtualHosts(new String[] { ServerConstants.getStaticHostName() });
 157
 158                 return ch;
 159         }
 160
 161         private static Handler generateAPIContext() {
 162                 ServletContextHandler sch = new ServletContextHandler();
 163
 164                 sch.addVirtualHosts(new String[] { ServerConstants.getApiHostName() });
 165                 sch.addServlet(new ServletHolder(new GigiAPI()), "/*");
 166                 return sch;
 167         }
 168
 169         private static SslContextFactory generateSSLContextFactory(GigiConfig conf, String alias)
 170                 throws GeneralSecurityException, IOException {
 171                 SslContextFactory scf = new SslContextFactory() {
 172
 173                         String[] ciphers = null;
 174
 175                         @Override
 176                         public void customize(SSLEngine sslEngine) {
 177                                 super.customize(sslEngine);
 178
 179                                 SSLParameters ssl = sslEngine.getSSLParameters();
 180                                 ssl.setUseCipherSuitesOrder(true);
 181                                 if (ciphers == null) {
 182                                         ciphers = CipherInfo.filter(sslEngine.getSupportedCipherSuites());
 183                                 }
 184
 185                                 ssl.setCipherSuites(ciphers);
 186                                 sslEngine.setSSLParameters(ssl);
 187
 188                         }
 189
 190                 };
 191                 scf.setRenegotiationAllowed(false);
 192
 193                 scf.setProtocol("TLS");
 194                 scf.setTrustStore(conf.getTrustStore());
 195                 KeyStore privateStore = conf.getPrivateStore();
 196                 scf.setKeyStorePassword(conf.getPrivateStorePw());
 197                 scf.setKeyStore(privateStore);
 198                 scf.setCertAlias(alias);
 199                 return scf;
 200         }
 201 }