src/org/cacert/gigi/Launcher.java

   1 package org.cacert.gigi;
   2
   3 import java.io.IOException;
   4 import java.security.GeneralSecurityException;
   5 import java.security.Key;
   6 import java.security.KeyStore;
   7 import java.security.KeyStoreException;
   8 import java.security.NoSuchAlgorithmException;
   9 import java.security.UnrecoverableKeyException;
  10 import java.security.cert.Certificate;
  11 import java.util.List;
  12 import java.util.Properties;
  13
  14 import javax.net.ssl.ExtendedSSLSession;
  15 import javax.net.ssl.SNIHostName;
  16 import javax.net.ssl.SNIServerName;
  17 import javax.net.ssl.SSLEngine;
  18 import javax.net.ssl.SSLParameters;
  19 import javax.net.ssl.SSLSession;
  20
  21 import org.cacert.gigi.api.GigiAPI;
  22 import org.cacert.gigi.email.EmailProvider;
  23 import org.cacert.gigi.natives.SetUID;
  24 import org.cacert.gigi.util.CipherInfo;
  25 import org.cacert.gigi.util.ServerConstants;
  26 import org.eclipse.jetty.http.HttpVersion;
  27 import org.eclipse.jetty.server.Connector;
  28 import org.eclipse.jetty.server.Handler;
  29 import org.eclipse.jetty.server.HttpConfiguration;
  30 import org.eclipse.jetty.server.HttpConnectionFactory;
  31 import org.eclipse.jetty.server.SecureRequestCustomizer;
  32 import org.eclipse.jetty.server.Server;
  33 import org.eclipse.jetty.server.ServerConnector;
  34 import org.eclipse.jetty.server.SessionManager;
  35 import org.eclipse.jetty.server.SslConnectionFactory;
  36 import org.eclipse.jetty.server.handler.ContextHandler;
  37 import org.eclipse.jetty.server.handler.HandlerList;
  38 import org.eclipse.jetty.server.handler.HandlerWrapper;
  39 import org.eclipse.jetty.server.handler.ResourceHandler;
  40 import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
  41 import org.eclipse.jetty.servlet.ServletContextHandler;
  42 import org.eclipse.jetty.servlet.ServletHolder;
  43 import org.eclipse.jetty.util.log.Log;
  44 import org.eclipse.jetty.util.ssl.SslContextFactory;
  45
  46 public class Launcher {
  47
  48     public static void main(String[] args) throws Exception {
  49         GigiConfig conf = GigiConfig.parse(System.in);
  50         ServerConstants.init(conf.getMainProps());
  51         initEmails(conf);
  52
  53         Server s = new Server();
  54         // === SSL HTTP Configuration ===
  55         HttpConfiguration https_config = new HttpConfiguration();
  56         https_config.setSendServerVersion(false);
  57         https_config.setSendXPoweredBy(false);
  58
  59         // for client-cert auth
  60         https_config.addCustomizer(new SecureRequestCustomizer());
  61
  62         ServerConnector connector = new ServerConnector(s, createConnectionFactory(conf), new HttpConnectionFactory(https_config));
  63         connector.setHost(conf.getMainProps().getProperty("host"));
  64         connector.setPort(Integer.parseInt(conf.getMainProps().getProperty("port")));
  65         connector.setAcceptQueueSize(100);
  66         s.setConnectors(new Connector[] {
  67             connector
  68         });
  69
  70         HandlerList hl = new HandlerList();
  71         hl.setHandlers(new Handler[] {
  72                 generateStaticContext(), generateGigiContexts(conf.getMainProps()), generateAPIContext()
  73         });
  74         s.setHandler(hl);
  75         s.start();
  76         if (connector.getPort() <= 1024 && !System.getProperty("os.name").toLowerCase().contains("win")) {
  77             SetUID uid = new SetUID();
  78             if ( !uid.setUid(65536 - 2, 65536 - 2).getSuccess()) {
  79                 Log.getLogger(Launcher.class).warn("Couldn't set uid!");
  80             }
  81         }
  82     }
  83
  84     private static void initEmails(GigiConfig conf) throws GeneralSecurityException, IOException, KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
  85         KeyStore privateStore = conf.getPrivateStore();
  86         Certificate mail = privateStore.getCertificate("mail");
  87         Key k = privateStore.getKey("mail", conf.getPrivateStorePw().toCharArray());
  88         EmailProvider.initSystem(conf.getMainProps(), mail, k);
  89     }
  90
  91     private static SslConnectionFactory createConnectionFactory(GigiConfig conf) throws GeneralSecurityException, IOException {
  92         final SslContextFactory sslContextFactory = generateSSLContextFactory(conf, "www");
  93         final SslContextFactory secureContextFactory = generateSSLContextFactory(conf, "secure");
  94         secureContextFactory.setWantClientAuth(true);
  95         secureContextFactory.setNeedClientAuth(false);
  96         final SslContextFactory staticContextFactory = generateSSLContextFactory(conf, "static");
  97         final SslContextFactory apiContextFactory = generateSSLContextFactory(conf, "api");
  98         try {
  99             secureContextFactory.start();
 100             staticContextFactory.start();
 101             apiContextFactory.start();
 102         } catch (Exception e) {
 103             e.printStackTrace();
 104         }
 105         return new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()) {
 106
 107             @Override
 108             public boolean shouldRestartSSL() {
 109                 return true;
 110             }
 111
 112             @Override
 113             public SSLEngine restartSSL(SSLSession sslSession) {
 114                 SSLEngine e2 = null;
 115                 if (sslSession instanceof ExtendedSSLSession) {
 116                     ExtendedSSLSession es = (ExtendedSSLSession) sslSession;
 117                     List<SNIServerName> names = es.getRequestedServerNames();
 118                     for (SNIServerName sniServerName : names) {
 119                         if (sniServerName instanceof SNIHostName) {
 120                             SNIHostName host = (SNIHostName) sniServerName;
 121                             String hostname = host.getAsciiName();
 122                             if (hostname.equals(ServerConstants.getWwwHostName())) {
 123                                 e2 = sslContextFactory.newSSLEngine();
 124                             } else if (hostname.equals(ServerConstants.getStaticHostName())) {
 125                                 e2 = staticContextFactory.newSSLEngine();
 126                             } else if (hostname.equals(ServerConstants.getSecureHostName())) {
 127                                 e2 = secureContextFactory.newSSLEngine();
 128                             } else if (hostname.equals(ServerConstants.getApiHostName())) {
 129                                 e2 = apiContextFactory.newSSLEngine();
 130                             }
 131                             break;
 132                         }
 133                     }
 134                 }
 135                 if (e2 == null) {
 136                     e2 = sslContextFactory.newSSLEngine(sslSession.getPeerHost(), sslSession.getPeerPort());
 137                 }
 138                 e2.setUseClientMode(false);
 139                 return e2;
 140             }
 141         };
 142     }
 143
 144     private static Handler generateGigiContexts(Properties conf) {
 145         ServletHolder webAppServlet = new ServletHolder(new Gigi(conf));
 146
 147         ContextHandler ch = generateGigiServletContext(webAppServlet);
 148         ch.setVirtualHosts(new String[] {
 149             ServerConstants.getWwwHostName()
 150         });
 151         ContextHandler chSecure = generateGigiServletContext(webAppServlet);
 152         chSecure.setVirtualHosts(new String[] {
 153             ServerConstants.getSecureHostName()
 154         });
 155
 156         HandlerList hl = new HandlerList();
 157         hl.setHandlers(new Handler[] {
 158                 ch, chSecure
 159         });
 160         return hl;
 161     }
 162
 163     private static ContextHandler generateGigiServletContext(ServletHolder webAppServlet) {
 164         final ResourceHandler rh = new ResourceHandler();
 165         rh.setResourceBase("static/www");
 166
 167         HandlerWrapper hw = new PolicyRedirector();
 168         hw.setHandler(rh);
 169
 170         ServletContextHandler servlet = new ServletContextHandler(ServletContextHandler.SESSIONS);
 171         servlet.setInitParameter(SessionManager.__SessionCookieProperty, "CACert-Session");
 172         servlet.addServlet(webAppServlet, "/*");
 173         ErrorPageErrorHandler epeh = new ErrorPageErrorHandler();
 174         epeh.addErrorPage(404, "/error");
 175         servlet.setErrorHandler(epeh);
 176
 177         HandlerList hl = new HandlerList();
 178         hl.setHandlers(new Handler[] {
 179                 hw, servlet
 180         });
 181
 182         ContextHandler ch = new ContextHandler();
 183         ch.setHandler(hl);
 184         return ch;
 185     }
 186
 187     private static Handler generateStaticContext() {
 188         final ResourceHandler rh = new ResourceHandler();
 189         rh.setResourceBase("static/static");
 190
 191         ContextHandler ch = new ContextHandler();
 192         ch.setHandler(rh);
 193         ch.setVirtualHosts(new String[] {
 194             ServerConstants.getStaticHostName()
 195         });
 196
 197         return ch;
 198     }
 199
 200     private static Handler generateAPIContext() {
 201         ServletContextHandler sch = new ServletContextHandler();
 202
 203         sch.addVirtualHosts(new String[] {
 204             ServerConstants.getApiHostName()
 205         });
 206         sch.addServlet(new ServletHolder(new GigiAPI()), "/*");
 207         return sch;
 208     }
 209
 210     private static SslContextFactory generateSSLContextFactory(GigiConfig conf, String alias) throws GeneralSecurityException, IOException {
 211         SslContextFactory scf = new SslContextFactory() {
 212
 213             String[] ciphers = null;
 214
 215             @Override
 216             public void customize(SSLEngine sslEngine) {
 217                 super.customize(sslEngine);
 218
 219                 SSLParameters ssl = sslEngine.getSSLParameters();
 220                 ssl.setUseCipherSuitesOrder(true);
 221                 if (ciphers == null) {
 222                     ciphers = CipherInfo.filter(sslEngine.getSupportedCipherSuites());
 223                 }
 224
 225                 ssl.setCipherSuites(ciphers);
 226                 sslEngine.setSSLParameters(ssl);
 227
 228             }
 229
 230         };
 231         scf.setRenegotiationAllowed(false);
 232
 233         scf.setProtocol("TLS");
 234         scf.setTrustStore(conf.getTrustStore());
 235         KeyStore privateStore = conf.getPrivateStore();
 236         scf.setKeyStorePassword(conf.getPrivateStorePw());
 237         scf.setKeyStore(privateStore);
 238         scf.setCertAlias(alias);
 239         return scf;
 240     }
 241 }