FIX: use better DH keylengths (4096)
index c2e11286a07414d6894e0d91b505c1184a2d84af..33511ba54826928ea72de54cfa8543a5674a4852 100644 (file)
@@ -2,9 +2,16 @@ package org.cacert.gigi;
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.Key;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
 import java.util.List;
+import java.util.Locale;
 import java.util.Properties;
+import java.util.TimeZone;
 
 import javax.net.ssl.ExtendedSSLSession;
 import javax.net.ssl.SNIHostName;
@@ -14,6 +21,7 @@ import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
 
 import org.cacert.gigi.api.GigiAPI;
+import org.cacert.gigi.email.EmailProvider;
 import org.cacert.gigi.natives.SetUID;
 import org.cacert.gigi.util.CipherInfo;
 import org.cacert.gigi.util.ServerConstants;
@@ -40,32 +48,33 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
 public class Launcher {
 
     public static void main(String[] args) throws Exception {
+        Locale.setDefault(Locale.ENGLISH);
+        TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
+        System.setProperty("jdk.tls.ephemeralDHKeySize", "4096");
+
         GigiConfig conf = GigiConfig.parse(System.in);
         ServerConstants.init(conf.getMainProps());
+        initEmails(conf);
 
         Server s = new Server();
-        // === SSL HTTP Configuration ===
-        HttpConfiguration https_config = new HttpConfiguration();
-        https_config.setSendServerVersion(false);
-        https_config.setSendXPoweredBy(false);
+        HttpConfiguration httpsConfig = createHttpConfiguration();
 
         // for client-cert auth
-        https_config.addCustomizer(new SecureRequestCustomizer());
+        httpsConfig.addCustomizer(new SecureRequestCustomizer());
+
+        HttpConfiguration httpConfig = createHttpConfiguration();
 
-        ServerConnector connector = new ServerConnector(s, createConnectionFactory(conf), new HttpConnectionFactory(https_config));
-        connector.setHost(conf.getMainProps().getProperty("host"));
-        connector.setPort(Integer.parseInt(conf.getMainProps().getProperty("port")));
         s.setConnectors(new Connector[] {
-            connector
+                createConnector(conf, s, httpsConfig, true), createConnector(conf, s, httpConfig, false)
         });
 
         HandlerList hl = new HandlerList();
         hl.setHandlers(new Handler[] {
-                generateStaticContext(), generateGigiContexts(conf.getMainProps()), generateAPIContext()
+                generateStaticContext(), generateGigiContexts(conf.getMainProps(), conf.getTrustStore()), generateAPIContext()
         });
         s.setHandler(hl);
         s.start();
-        if (connector.getPort() <= 1024 && !System.getProperty("os.name").toLowerCase().contains("win")) {
+        if ((ServerConstants.getSecurePort() <= 1024 || ServerConstants.getPort() <= 1024) && !System.getProperty("os.name").toLowerCase().contains("win")) {
             SetUID uid = new SetUID();
             if ( !uid.setUid(65536 - 2, 65536 - 2).getSuccess()) {
                 Log.getLogger(Launcher.class).warn("Couldn't set uid!");
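Review bot: The `jdk.tls.ephemeralDHKeySize` value set at the top of main is only honoured within the range the running JVM accepts — as I recall, JDK 8 capped it at 2048 and rejected larger values with an IllegalArgumentException when the server handshaker was first initialised, with the 8192 ceiling arriving only in later releases — so 4096 should be verified against the deployment JDK, and a comment such as `// requires a JDK whose jdk.tls.ephemeralDHKeySize range includes 4096 (check the JSSE reference guide for the deployed version)` would spare the next reader a surprise. A 4096-bit DHE group also makes every non-EC handshake markedly more expensive; if the cipher ordering in CipherInfo prefers ECDHE suites, this setting mainly acts as a floor for the fallback case, which is worth stating in the same comment. Unrelated to the commit but on the same lines: when setUid fails the code only logs a warning and keeps serving as root, so failing closed with `throw new IllegalStateException("Couldn't drop privileges");` (or at least `s.stop()`) would be safer, and the port test should be `< 1024`, since 1024 itself is not a privileged port.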
@@ -73,6 +82,38 @@ public class Launcher {
         }
     }
 
+    private static ServerConnector createConnector(GigiConfig conf, Server s, HttpConfiguration httpConfig, boolean doHttps) throws GeneralSecurityException, IOException {
+        ServerConnector connector;
+        if (doHttps) {
+            connector = new ServerConnector(s, createConnectionFactory(conf), new HttpConnectionFactory(httpConfig));
+        } else {
+            connector = new ServerConnector(s, new HttpConnectionFactory(httpConfig));
+        }
+        connector.setHost(conf.getMainProps().getProperty("host"));
+        if (doHttps) {
+            connector.setPort(ServerConstants.getSecurePort());
+        } else {
+            connector.setPort(ServerConstants.getPort());
+        }
+        connector.setAcceptQueueSize(100);
+        return connector;
+    }
+
+    private static HttpConfiguration createHttpConfiguration() {
+        // SSL HTTP Configuration
+        HttpConfiguration httpsConfig = new HttpConfiguration();
+        httpsConfig.setSendServerVersion(false);
+        httpsConfig.setSendXPoweredBy(false);
+        return httpsConfig;
+    }
+
+    private static void initEmails(GigiConfig conf) throws GeneralSecurityException, IOException, KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
+        KeyStore privateStore = conf.getPrivateStore();
+        Certificate mail = privateStore.getCertificate("mail");
+        Key k = privateStore.getKey("mail", conf.getPrivateStorePw().toCharArray());
+        EmailProvider.initSystem(conf.getMainProps(), mail, k);
+    }
+
     private static SslConnectionFactory createConnectionFactory(GigiConfig conf) throws GeneralSecurityException, IOException {
         final SslContextFactory sslContextFactory = generateSSLContextFactory(conf, "www");
         final SslContextFactory secureContextFactory = generateSSLContextFactory(conf, "secure");
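Review bot: initEmails does not check that the `mail` alias exists in the private keystore: `KeyStore.getCertificate` and `KeyStore.getKey` both return null for an unknown alias, so a misconfigured store would surface later as a NullPointerException somewhere inside EmailProvider rather than as a clear startup failure. A guard such as `if (mail == null || k == null) throw new IllegalStateException("private keystore has no usable 'mail' entry");` before the `EmailProvider.initSystem` call would fail fast with a message that names the cause. Also the comment and local name in createHttpConfiguration still say SSL/`httpsConfig` although the same configuration now backs the plain HTTP connector; renaming the local to `config` with `// shared base configuration for both the HTTP and HTTPS connectors` would be accurate. createConnectionFactory continues beyond the end of this hunk.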
@@ -126,8 +167,8 @@ public class Launcher {
         };
     }
 
-    private static Handler generateGigiContexts(Properties conf) {
-        ServletHolder webAppServlet = new ServletHolder(new Gigi(conf));
+    private static Handler generateGigiContexts(Properties conf, KeyStore trust) {
+        ServletHolder webAppServlet = new ServletHolder(new Gigi(conf, trust));
 
         ContextHandler ch = generateGigiServletContext(webAppServlet);
         ch.setVirtualHosts(new String[] {