X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2FLauncher.java;h=87c215cc3b87d0b31084e1f51f9c051c5aa21040;hp=56306a98ba28d0d86c6cc1c0b3343bffca57a1db;hb=fc2fcf0b35bf4cde8f4a9c7243de3306e8b4b55b;hpb=f92f284f3a80e1f8fd87d2cc63288e1f1bbfeb9d diff --git a/src/org/cacert/gigi/Launcher.java b/src/org/cacert/gigi/Launcher.java index 56306a98..87c215cc 100644 --- a/src/org/cacert/gigi/Launcher.java +++ b/src/org/cacert/gigi/Launcher.java @@ -1,19 +1,22 @@ package org.cacert.gigi; -import java.io.FileInputStream; -import java.io.FileNotFoundException; import java.io.IOException; +import java.security.GeneralSecurityException; import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateException; +import java.util.List; +import java.util.Properties; +import javax.net.ssl.ExtendedSSLSession; +import javax.net.ssl.SNIHostName; +import javax.net.ssl.SNIServerName; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.SSLSession; +import org.cacert.gigi.api.GigiAPI; import org.cacert.gigi.natives.SetUID; import org.cacert.gigi.util.CipherInfo; +import org.cacert.gigi.util.ServerConstants; +import org.eclipse.jetty.http.HttpVersion; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.HttpConfiguration; @@ -21,9 +24,11 @@ import org.eclipse.jetty.server.HttpConnectionFactory; import org.eclipse.jetty.server.SecureRequestCustomizer; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.ServerConnector; +import org.eclipse.jetty.server.SessionManager; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.server.handler.ContextHandler; import org.eclipse.jetty.server.handler.HandlerList; +import org.eclipse.jetty.server.handler.HandlerWrapper; import org.eclipse.jetty.server.handler.ResourceHandler; import org.eclipse.jetty.servlet.ServletContextHandler; import org.eclipse.jetty.servlet.ServletHolder; @@ -32,6 +37,9 @@ import org.eclipse.jetty.util.ssl.SslContextFactory; public class Launcher { public static void main(String[] args) throws Exception { + GigiConfig conf = GigiConfig.parse(System.in); + ServerConstants.init(conf.getMainProps()); + Server s = new Server(); // === SSL HTTP Configuration === HttpConfiguration https_config = new HttpConfiguration(); @@ -42,50 +50,129 @@ public class Launcher { https_config.addCustomizer(new SecureRequestCustomizer()); ServerConnector connector = new ServerConnector(s, - new SslConnectionFactory(generateSSLContextFactory(), - "http/1.1"), new HttpConnectionFactory(https_config)); - connector.setHost("127.0.0.1"); - connector.setPort(443); + createConnectionFactory(conf), new HttpConnectionFactory( + https_config)); + connector.setHost(conf.getMainProps().getProperty("host")); + connector.setPort(Integer.parseInt(conf.getMainProps().getProperty( + "port"))); s.setConnectors(new Connector[]{connector}); HandlerList hl = new HandlerList(); hl.setHandlers(new Handler[]{generateStaticContext(), - generateGigiContext()}); + generateGigiContext(conf.getMainProps()), generateAPIContext()}); s.setHandler(hl); s.start(); if (connector.getPort() <= 1024 && !System.getProperty("os.name").toLowerCase().contains("win")) { SetUID uid = new SetUID(); - if (!uid.setUid(-2, -2).getSuccess()) { + if (!uid.setUid(65536 - 2, 65536 - 2).getSuccess()) { Log.getLogger(Launcher.class).warn("Couldn't set uid!"); } } } - private static ServletContextHandler generateGigiContext() { + private static SslConnectionFactory createConnectionFactory(GigiConfig conf) + throws GeneralSecurityException, IOException { + final SslContextFactory sslContextFactory = generateSSLContextFactory( + conf, "www"); + final SslContextFactory secureContextFactory = generateSSLContextFactory( + conf, "secure"); + secureContextFactory.setNeedClientAuth(true); + final SslContextFactory staticContextFactory = generateSSLContextFactory( + conf, "static"); + final SslContextFactory apiContextFactory = generateSSLContextFactory( + conf, "api"); + try { + secureContextFactory.start(); + staticContextFactory.start(); + apiContextFactory.start(); + } catch (Exception e) { + e.printStackTrace(); + } + return new SslConnectionFactory(sslContextFactory, + HttpVersion.HTTP_1_1.asString()) { + @Override + public boolean shouldRestartSSL() { + return true; + } + @Override + public SSLEngine restartSSL(SSLSession sslSession) { + SSLEngine e2 = null; + if (sslSession instanceof ExtendedSSLSession) { + ExtendedSSLSession es = (ExtendedSSLSession) sslSession; + List names = es.getRequestedServerNames(); + for (SNIServerName sniServerName : names) { + if (sniServerName instanceof SNIHostName) { + SNIHostName host = (SNIHostName) sniServerName; + String hostname = host.getAsciiName(); + if (hostname.equals("www.cacert.local")) { + e2 = sslContextFactory.newSSLEngine(); + } else if (hostname.equals("static.cacert.local")) { + e2 = staticContextFactory.newSSLEngine(); + } else if (hostname.equals("secure.cacert.local")) { + e2 = secureContextFactory.newSSLEngine(); + } else if (hostname.equals("api.cacert.local")) { + e2 = apiContextFactory.newSSLEngine(); + } + break; + } + } + } + if (e2 == null) { + e2 = sslContextFactory.newSSLEngine( + sslSession.getPeerHost(), sslSession.getPeerPort()); + } + e2.setUseClientMode(false); + return e2; + } + }; + } + + private static ContextHandler generateGigiContext(Properties conf) { + final ResourceHandler rh = new ResourceHandler(); + rh.setResourceBase("static/www"); + + HandlerWrapper hw = new PolicyRedirector(); + hw.setHandler(rh); + ServletContextHandler servlet = new ServletContextHandler( ServletContextHandler.SESSIONS); - servlet.addServlet(new ServletHolder(new Gigi()), "/*"); - return servlet; + servlet.setInitParameter(SessionManager.__SessionCookieProperty, + "CACert-Session"); + servlet.addServlet(new ServletHolder(new Gigi(conf)), "/*"); + + HandlerList hl = new HandlerList(); + hl.setHandlers(new Handler[]{servlet, hw}); + + ContextHandler ch = new ContextHandler(); + ch.setVirtualHosts(new String[]{ServerConstants.getWwwHostName(), + ServerConstants.getSecureHostName()}); + ch.setHandler(hl); + + return ch; } - private static ContextHandler generateStaticContext() { - ResourceHandler rh = new ResourceHandler(); - rh.setResourceBase("static"); + private static Handler generateStaticContext() { + final ResourceHandler rh = new ResourceHandler(); + rh.setResourceBase("static/static"); + ContextHandler ch = new ContextHandler(); ch.setHandler(rh); - ch.setContextPath("/static"); + ch.setVirtualHosts(new String[]{ServerConstants.getStaticHostName()}); + return ch; } - private static SslContextFactory generateSSLContextFactory() - throws NoSuchAlgorithmException, KeyStoreException, IOException, - CertificateException, FileNotFoundException { - TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("PKIX"); - tmFactory.init((KeyStore) null); + private static Handler generateAPIContext() { + ServletContextHandler sch = new ServletContextHandler(); - final TrustManager[] tm = tmFactory.getTrustManagers(); + sch.addVirtualHosts(new String[]{ServerConstants.getApiHostName()}); + sch.addServlet(new ServletHolder(new GigiAPI()), "/*"); + return sch; + } + private static SslContextFactory generateSSLContextFactory(GigiConfig conf, + String alias) throws GeneralSecurityException, IOException { SslContextFactory scf = new SslContextFactory() { String[] ciphers = null; @@ -107,14 +194,14 @@ public class Launcher { } }; - scf.setWantClientAuth(true); - KeyStore ks1 = KeyStore.getInstance("pkcs12"); - ks1.load(new FileInputStream("config/keystore.pkcs12"), - "".toCharArray()); - scf.setTrustStorePath("config/cacerts.jks"); - scf.setTrustStorePassword("changeit"); + scf.setRenegotiationAllowed(false); + scf.setProtocol("TLS"); - scf.setKeyStore(ks1); + scf.setTrustStore(conf.getTrustStore()); + KeyStore privateStore = conf.getPrivateStore(); + scf.setKeyStorePassword(conf.getPrivateStorePw()); + scf.setKeyStore(privateStore); + scf.setCertAlias(alias); return scf; } }