]> WPIA git - gigi.git/blob - src/org/cacert/gigi/ping/SSLPinger.java
projects / gigi.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
dbg: test-output for pinging
[gigi.git] / src / org / cacert / gigi / ping / SSLPinger.java
1 package org.cacert.gigi.ping;
2
3 import java.io.IOException;
4 import java.io.InputStream;
5 import java.io.OutputStream;
6 import java.math.BigInteger;
7 import java.net.InetSocketAddress;
8 import java.net.Socket;
9 import java.nio.ByteBuffer;
10 import java.nio.channels.SocketChannel;
11 import java.security.KeyManagementException;
12 import java.security.KeyStore;
13 import java.security.KeyStoreException;
14 import java.security.NoSuchAlgorithmException;
15 import java.security.SecureRandom;
16 import java.util.Arrays;
17
18 import javax.net.ssl.SNIHostName;
19 import javax.net.ssl.SNIServerName;
20 import javax.net.ssl.SSLContext;
21 import javax.net.ssl.SSLEngine;
22 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
23 import javax.net.ssl.SSLEngineResult.Status;
24 import javax.net.ssl.SSLException;
25 import javax.net.ssl.SSLParameters;
26 import javax.net.ssl.TrustManagerFactory;
27 import javax.security.cert.X509Certificate;
28
29 import org.cacert.gigi.dbObjects.Certificate;
30 import org.cacert.gigi.dbObjects.Domain;
31 import org.cacert.gigi.dbObjects.User;
32
33 public class SSLPinger extends DomainPinger {
34
35     public static final String[] TYPES = new String[] {
36             "xmpp", "server-xmpp", "smtp", "imap"
37     };
38
39     private KeyStore truststore;
40
41     public SSLPinger(KeyStore truststore) {
42         this.truststore = truststore;
43     }
44
45     @Override
46     public String ping(Domain domain, String configuration, User u) {
47         try (SocketChannel sch = SocketChannel.open()) {
48             sch.socket().setSoTimeout(5000);
49             String[] parts = configuration.split(":", 2);
50             sch.socket().connect(new InetSocketAddress(domain.getSuffix(), Integer.parseInt(parts[0])), 5000);
51             if (parts.length == 2) {
52                 switch (parts[1]) {
53                 case "xmpp":
54                     startXMPP(sch, false, domain.getSuffix());
55                     break;
56                 case "server-xmpp":
57                     startXMPP(sch, true, domain.getSuffix());
58                     break;
59                 case "smtp":
60                     startSMTP(sch);
61                     break;
62                 case "imap":
63                     startIMAP(sch);
64                     break;
65
66                 }
67             }
68             return test(sch, domain.getSuffix(), u);
69         } catch (IOException e) {
70             return "Connecton failed";
71         }
72
73     }
74
75     private void startIMAP(SocketChannel sch) throws IOException {
76         Socket s = sch.socket();
77         InputStream is = s.getInputStream();
78         OutputStream os = s.getOutputStream();
79         scanFor(is, "\n");
80         os.write("ENABLE STARTTLS\r\n".getBytes("UTF-8"));
81         os.flush();
82         scanFor(is, "\n");
83     }
84
85     private void startXMPP(SocketChannel sch, boolean server, String domain) throws IOException {
86         Socket s = sch.socket();
87         InputStream is = s.getInputStream();
88         OutputStream os = s.getOutputStream();
89         os.write(("<stream:stream to=\"" + domain + "\" xmlns=\"jabber:" + (server ? "server" : "client") + "\"" + " xmlns:stream=\"http://etherx.jabber.org/streams\" version=\"1.0\">").getBytes("UTF-8"));
90         os.flush();
91         os.write("<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"/>".getBytes("UTF-8"));
92         os.flush();
93         scanFor(is, "<proceed");
94         scanFor(is, ">");
95
96     }
97
98     private void scanFor(InputStream is, String scanFor) throws IOException {
99         int pos = 0;
100         while (pos < scanFor.length()) {
101             if (is.read() == scanFor.charAt(pos)) {
102                 pos++;
103             } else {
104                 pos = 0;
105             }
106         }
107     }
108
109     private void startSMTP(SocketChannel sch) throws IOException {
110         Socket s = sch.socket();
111         InputStream is = s.getInputStream();
112         readSMTP(is);
113         s.getOutputStream().write("EHLO ssl.pinger\r\n".getBytes("UTF-8"));
114         s.getOutputStream().flush();
115         readSMTP(is);
116         s.getOutputStream().write("HELP\r\n".getBytes("UTF-8"));
117         s.getOutputStream().flush();
118         readSMTP(is);
119         s.getOutputStream().write("STARTTLS\r\n".getBytes("UTF-8"));
120         s.getOutputStream().flush();
121         readSMTP(is);
122     }
123
124     private void readSMTP(InputStream is) throws IOException {
125         int counter = 0;
126         boolean finish = true;
127         while (true) {
128             char c = (char) is.read();
129             if (counter == 3) {
130                 if (c == ' ') {
131                     finish = true;
132                 } else if (c == '-') {
133                     finish = false;
134                 } else {
135                     throw new Error("Invalid smtp: " + c);
136                 }
137             }
138             if (c == '\n') {
139                 if (finish) {
140                     return;
141                 }
142                 counter = 0;
143             } else {
144                 counter++;
145             }
146         }
147     }
148
149     private String test(SocketChannel sch, String domain, User subject) {
150         try {
151             sch.socket().setSoTimeout(5000);
152             SSLContext sc = SSLContext.getInstance("SSL");
153             try {
154                 TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
155                 tmf.init(truststore);
156                 sc.init(null, tmf.getTrustManagers(), new SecureRandom());
157             } catch (KeyManagementException e) {
158                 e.printStackTrace();
159             } catch (KeyStoreException e) {
160                 e.printStackTrace();
161             }
162             SSLEngine se = sc.createSSLEngine();
163             ByteBuffer enc_in = ByteBuffer.allocate(se.getSession().getPacketBufferSize());
164             ByteBuffer enc_out = ByteBuffer.allocate(se.getSession().getPacketBufferSize());
165             ByteBuffer dec_in = ByteBuffer.allocate(se.getSession().getApplicationBufferSize());
166             ByteBuffer dec_out = ByteBuffer.allocate(se.getSession().getApplicationBufferSize());
167             se.setUseClientMode(true);
168             SSLParameters sp = se.getSSLParameters();
169             sp.setServerNames(Arrays.<SNIServerName>asList(new SNIHostName(domain)));
170             se.setSSLParameters(sp);
171             se.beginHandshake();
172             enc_in.limit(0);
173             while (se.getHandshakeStatus() != HandshakeStatus.FINISHED && se.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) {
174                 switch (se.getHandshakeStatus()) {
175                 case NEED_WRAP:
176                     dec_out.limit(0);
177                     se.wrap(dec_out, enc_out);
178                     enc_out.flip();
179                     while (enc_out.remaining() > 0) {
180                         sch.write(enc_out);
181                     }
182                     enc_out.clear();
183                     break;
184                 case NEED_UNWRAP:
185                     if (enc_in.remaining() == 0) {
186                         enc_in.clear();
187                         sch.read(enc_in);
188                         enc_in.flip();
189                     }
190                     while (se.unwrap(enc_in, dec_in).getStatus() == Status.BUFFER_UNDERFLOW) {
191                         enc_in.position(enc_in.limit());
192                         enc_in.limit(enc_in.capacity());
193                         sch.read(enc_in);
194                         enc_in.flip();
195                     }
196                     enc_in.compact();
197                     enc_in.flip();
198                     break;
199                 case NEED_TASK:
200                     se.getDelegatedTask().run();
201                     break;
202                 case NOT_HANDSHAKING:
203                 case FINISHED:
204
205                 }
206
207             }
208             X509Certificate[] peerCertificateChain = se.getSession().getPeerCertificateChain();
209             X509Certificate first = peerCertificateChain[0];
210
211             BigInteger serial = first.getSerialNumber();
212             Certificate c = Certificate.getBySerial(serial.toString(16));
213             if (c.getOwner().getId() != subject.getId()) {
214                 return "Owner mismatch";
215             }
216             return PING_SUCCEDED;
217         } catch (NoSuchAlgorithmException e) {
218             // e.printStackTrace(); TODO log for user debugging?
219             return "Security failed";
220         } catch (SSLException e) {
221             // e.printStackTrace(); TODO log for user debugging?
222             return "Security failed";
223         } catch (IOException e) {
224             // e.printStackTrace(); TODO log for user debugging?
225             return "Connection closed";
226         }
227     }
228 }
WPIA Certificate Web Issuance Platform