Add an example jetty launcher with client certs
authorFelix Dörre <felix@dogcraft.de>
Thu, 19 Jun 2014 22:23:37 +0000 (00:23 +0200)
committerBenny Baumann <BenBE@geshi.org>
Fri, 20 Jun 2014 22:04:17 +0000 (00:04 +0200)
and an example for outputting information about client certs.

.settings/org.eclipse.core.runtime.prefs [new file with mode: 0644]
README.md
config/.gitignore [new file with mode: 0644]
doc/generateKeys.sh [new file with mode: 0644]
doc/selfsign.config [new file with mode: 0644]
src/org/cacert/gigi/Launcher.java [new file with mode: 0644]
src/org/cacert/gigi/TestServlet.java [new file with mode: 0644]

diff --git a/.settings/org.eclipse.core.runtime.prefs b/.settings/org.eclipse.core.runtime.prefs
new file mode 100644 (file)
index 0000000..5a0ad22
--- /dev/null
@@ -0,0 +1,2 @@
+eclipse.preferences.version=1
+line.separator=\n
index a4c3425267360a664f6b70b0cb5d479c252ace62..8f4be3bef366b165526c235b6e03e07ccd40a7e7 100644 (file)
--- a/README.md
+++ b/README.md
@@ -2,3 +2,6 @@ Gigi
 =================
 
 Webserver Module for CAcert
+
+
+Contains source from jetty 9.1.0.RC0
diff --git a/config/.gitignore b/config/.gitignore
new file mode 100644 (file)
index 0000000..2892772
--- /dev/null
@@ -0,0 +1,2 @@
+
+keystore.pkcs12
diff --git a/doc/generateKeys.sh b/doc/generateKeys.sh
new file mode 100644 (file)
index 0000000..bbeda4f
--- /dev/null
@@ -0,0 +1,11 @@
+# this script generates a simple self-signed keypair
+
+openssl genrsa -des3 -passout pass:1 -out jetty.pass.key 2048
+openssl rsa -passin pass:1 -in jetty.pass.key -out jetty.key
+rm jetty.pass.key
+openssl req -new -key jetty.key -out jetty.csr -subj "/CN=jetty" -config selfsign.config
+openssl x509 -req -days 365 -in jetty.csr -signkey jetty.key -out jetty.crt
+rm jetty.csr
+openssl pkcs12 -inkey jetty.key -in jetty.crt -passout pass: -export -out ../config/keystore.pkcs12
+rm jetty.key
+rm jetty.crt
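Review bot: A failing step does not stop the script, so the trailing `rm` lines on L54 and L55 delete jetty.key and jetty.crt even when the PKCS12 export on L53 has failed, leaving no key material at all. Add `#!/bin/sh` and `set -eu` above the comment on L45 so the script aborts at the first error. The keystore written on L53 is protected with an empty password (`-passout pass:`), which the launcher in this commit mirrors; a comment such as `# empty keystore password: local development example only` would make that explicit. The `-des3 -passout pass:1` on L47 encrypts a key that L48 immediately decrypts again, so `openssl genrsa -out jetty.key 2048` would produce the same result in one step.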
diff --git a/doc/selfsign.config b/doc/selfsign.config
new file mode 100644 (file)
index 0000000..4962f72
--- /dev/null
@@ -0,0 +1,9 @@
+[req]
+distinguished_name=dn
+#req_extensions=ext
+
+[dn]
+commonName = cn
+
+[ext]
+subjectAltName=
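Review bot: The `[ext]` section on L68–L69 is never read because `req_extensions=ext` on L63 is commented out, so the certificate produced by doc/generateKeys.sh carries only `CN=jetty` and no subjectAltName. Clients that verify hostnames against SAN entries (and the launcher binds 127.0.0.1, not "jetty") will presumably not accept it; either drop the dead section or enable it with a concrete value such as `subjectAltName=IP:127.0.0.1`. An empty `subjectAltName=` value is unlikely to be what is wanted if the section is ever enabled.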
diff --git a/src/org/cacert/gigi/Launcher.java b/src/org/cacert/gigi/Launcher.java
new file mode 100644 (file)
index 0000000..a64a8fa
--- /dev/null
@@ -0,0 +1,70 @@
+package org.cacert.gigi;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CRL;
+import java.security.cert.CertificateException;
+import java.util.Collection;
+
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.HttpConfiguration;
+import org.eclipse.jetty.server.HttpConnectionFactory;
+import org.eclipse.jetty.server.SecureRequestCustomizer;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.SslConnectionFactory;
+import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+
+public class Launcher {
+       public static void main(String[] args) throws Exception {
+               Server s = new Server();
+
+               // === SSL HTTP Configuration ===
+               HttpConfiguration https_config = new HttpConfiguration();
+               // for client-cert auth
+               https_config.addCustomizer(new SecureRequestCustomizer());
+
+               ServerConnector connector = new ServerConnector(s,
+                               new SslConnectionFactory(generateSSLContextFactory(),
+                                               "http/1.1"), new HttpConnectionFactory(https_config));
+               connector.setHost("127.0.0.1");
+               connector.setPort(443);
+               s.setConnectors(new Connector[]{connector});
+               ServletContextHandler sh = new ServletContextHandler();
+               s.setHandler(sh);
+               sh.addServlet(new ServletHolder(new TestServlet()), "/");
+               s.start();
+       }
+
+       private static SslContextFactory generateSSLContextFactory()
+                       throws NoSuchAlgorithmException, KeyStoreException, IOException,
+                       CertificateException, FileNotFoundException {
+               TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("PKIX");
+               tmFactory.init((KeyStore) null);
+
+               final TrustManager[] tm = tmFactory.getTrustManagers();
+
+               SslContextFactory scf = new SslContextFactory() {
+                       @Override
+                       protected TrustManager[] getTrustManagers(KeyStore trustStore,
+                                       Collection<? extends CRL> crls) throws Exception {
+                               return tm;
+                       }
+               };
+               scf.setWantClientAuth(true);
+               KeyStore ks1 = KeyStore.getInstance("pkcs12");
+               ks1.load(new FileInputStream("config/keystore.pkcs12"),
+                               "".toCharArray());
+               scf.setKeyStore(ks1);
+               scf.setProtocol("TLSv1");
+               return scf;
+       }
+}
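Review bot: The `FileInputStream` opened on L138 is never closed; `KeyStore.load` does not close the stream it is given, so the handle leaks for the life of the process. Use try-with-resources: `try (FileInputStream in = new FileInputStream("config/keystore.pkcs12")) { ks1.load(in, "".toCharArray()); }`. The `getTrustManagers` override on L131–L134 discards both the `trustStore` and `crls` arguments, so any CRL configured on the factory is silently ignored and client certificates are validated only against the JVM's default trust store selected by `tmFactory.init((KeyStore) null)` on L125; a comment stating that this is intentional for the example would help the next reader. `setProtocol("TLSv1")` on L141 names a legacy protocol version; `setProtocol("TLS")` together with an explicit `setExcludeProtocols("SSLv3")` states the intent (current TLS, no SSL fallback) more directly.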
diff --git a/src/org/cacert/gigi/TestServlet.java b/src/org/cacert/gigi/TestServlet.java
new file mode 100644 (file)
index 0000000..82d8795
--- /dev/null
@@ -0,0 +1,48 @@
+package org.cacert.gigi;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.security.cert.X509Certificate;
+import java.util.Enumeration;
+
+import javax.net.ssl.SSLEngine;
+import javax.security.auth.x500.X500Principal;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.io.EndPoint;
+import org.eclipse.jetty.server.HttpChannel;
+import org.eclipse.jetty.server.Request;
+
+public class TestServlet extends HttpServlet {
+       @Override
+       protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+                       throws ServletException, IOException {
+               Request r = (Request) req;
+               HttpChannel<?> hc = r.getHttpChannel();
+               EndPoint ep = hc.getEndPoint();
+               SSLEngine se;
+               Enumeration<String> names = req.getAttributeNames();
+               X509Certificate[] cert = (X509Certificate[]) req
+                               .getAttribute("javax.servlet.request.X509Certificate");
+               int keySize = (Integer) req
+                               .getAttribute("javax.servlet.request.key_size");
+               String ciphers = (String) req
+                               .getAttribute("javax.servlet.request.cipher_suite");
+               String sid = (String) req
+                               .getAttribute("javax.servlet.request.ssl_session_id");
+               PrintWriter out = resp.getWriter();
+               out.println("KeySize: " + keySize);
+               out.println("cipher: " + ciphers);
+               X509Certificate c1 = cert[0];
+               out.println("Serial:" + c1.getSerialNumber());
+               X500Principal client = c1.getSubjectX500Principal();
+               out.println("Name " + client.getName());
+               out.println(client.getName(X500Principal.RFC1779));
+               out.println(client.getName(X500Principal.RFC2253));
+               out.println("signature: " + c1.getSigAlgName());
+               out.println("issuer: " + c1.getSubjectX500Principal());
+               out.println("certCount: " + cert.length);
+       }
+}
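Review bot: `cert[0]` on L187 dereferences the attribute without a null check, and the launcher in this commit configures `setWantClientAuth(true)` (want, not need), so a client that presents no certificate gets an unhandled NullPointerException and a 500 instead of a readable message. Guard the array before use and return early, as in the excerpt below. L194 prints `c1.getSubjectX500Principal()` under the label "issuer:", which looks like a copy-paste slip for `c1.getIssuerX500Principal()`. The `(Integer)` unboxing on L178 would presumably also throw if the key_size attribute is ever absent, so it may deserve the same treatment. The locals `r`, `hc`, `ep`, `se`, `names` and `sid` on L171–L183 are never read and can be dropped, and since certificate DNs are echoed unescaped, setting `resp.setContentType("text/plain;charset=UTF-8")` before writing avoids the browser interpreting the output as HTML.
```java
resp.setContentType("text/plain;charset=UTF-8");
PrintWriter out = resp.getWriter();
if (cert == null || cert.length == 0) {
    out.println("no client certificate presented");
    return;
}
out.println("KeySize: " + keySize);
// … unchanged: cipher, serial, subject name and signature output …
out.println("issuer: " + c1.getIssuerX500Principal());
out.println("certCount: " + cert.length);
```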