Merge "upd: remove 'browser install'" master
authorMarcus Mängel <m.maengel@inopiae.de>
Thu, 1 Oct 2020 06:48:52 +0000 (06:48 +0000)
committerGerrit Code Review <gigi-system@dogcraft.de>
Thu, 1 Oct 2020 06:48:52 +0000 (06:48 +0000)
config/generateTruststoreNRE.sh
links.txt
src/club/wpia/gigi/Gigi.java
src/club/wpia/gigi/Launcher.java
src/club/wpia/gigi/pages/PolicyPage.java [new file with mode: 0644]
src/club/wpia/gigi/pages/PolicyPage.templ [new file with mode: 0644]
src/club/wpia/gigi/util/CipherInfo.java [deleted file]

index 4955a1f9c08435f6dceb21c6b440c98463b637d2..3978d2d3459a5c4be200545f3b0079242f2d36bf 100755 (executable)
@@ -7,7 +7,7 @@ rm -f cacerts.jks
 
 function import(){
   name=$1
-  keytool -importcert -keystore ../config/cacerts.jks -file "$1.crt" -alias own -storepass "changeit" -alias "$(basename $name)" $2
+  keytool -importcert -keystore ../config/cacerts.jks -file "$1.crt" -storepass "changeit" -alias "$(basename $name)" $2
 }
 
 function importP(){
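Review bot: On the new `keytool` line the alias is built with `$(basename $name)`, where `$name` is unquoted inside the command substitution, so a certificate path containing whitespace or glob characters would be split before `basename` sees it. Writing `-alias "$(basename "$name")"` avoids that. The same line passes `-file "$1.crt"` although `name=$1` was just assigned; using `"$name.crt"` would keep the function consistent. The store password is the literal `changeit`, so the integrity of `cacerts.jks` presumably rests on file permissions rather than on the password, which deserves a one-line comment in the script.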
index 728e1ed64eb6174886aa4300a34a7b096f8f4106..86b20858ce959ed55e7c8976c7a796f90fd55adb 100644 (file)
--- a/links.txt
+++ b/links.txt
@@ -3,6 +3,10 @@
 /policy/ToS
 /policy/CPS
 /policy/verification
+/policy/raagent
+/policy/organisation
+/policy/ttp
+/policy/nucleus
 /kb/acceptableDocuments
 /kb/agentQualifyingChallenge
 /kb/gigi
index aa892a5d653bc657ac791445a80a6abcdb94db0e..6ddb54684e92f02c163c22fdb7d3b287f7a14d47 100644 (file)
@@ -51,6 +51,7 @@ import club.wpia.gigi.pages.MainPage;
 import club.wpia.gigi.pages.OneFormPage;
 import club.wpia.gigi.pages.Page;
 import club.wpia.gigi.pages.PasswordResetPage;
+import club.wpia.gigi.pages.PolicyPage;
 import club.wpia.gigi.pages.RootCertPage;
 import club.wpia.gigi.pages.StaticPage;
 import club.wpia.gigi.pages.Verify;
@@ -154,6 +155,7 @@ public final class Gigi extends HttpServlet {
             putPage("/roots", new RootCertPage(truststore), mainMenu);
             putPage(StatisticsRoles.PATH, new StatisticsRoles(), mainMenu);
             putPage("/about", new AboutPage(), mainMenu);
+            putPage("/policy", new PolicyPage(), mainMenu);
             putPage(RegisterPage.PATH, new RegisterPage(), mainMenu);
             putPage(CertStatusRequestPage.PATH, new CertStatusRequestPage(), mainMenu);
             putPage(KeyCompromisePage.PATH, new KeyCompromisePage(), mainMenu);
index fdcc739b7074112541dd161acf232b9331de39cf..c5e43ce62bce338b5791c3b80d2b13bd29bcbb12 100644 (file)
@@ -59,7 +59,6 @@ import club.wpia.gigi.api.GigiAPI;
 import club.wpia.gigi.email.EmailProvider;
 import club.wpia.gigi.natives.SetUID;
 import club.wpia.gigi.ocsp.OCSPResponder;
-import club.wpia.gigi.util.CipherInfo;
 import club.wpia.gigi.util.PEM;
 import club.wpia.gigi.util.ServerConstants;
 import club.wpia.gigi.util.ServerConstants.Host;
@@ -273,19 +272,12 @@ public class Launcher {
         private static SslContextFactory generateSSLContextFactory(GigiConfig conf, String alias) throws GeneralSecurityException, IOException {
             SslContextFactory scf = new SslContextFactory() {
 
-                String[] ciphers = null;
-
                 @Override
                 public void customize(SSLEngine sslEngine) {
                     super.customize(sslEngine);
 
                     SSLParameters ssl = sslEngine.getSSLParameters();
                     ssl.setUseCipherSuitesOrder(true);
-                    if (ciphers == null) {
-                        ciphers = CipherInfo.filter(sslEngine.getSupportedCipherSuites());
-                    }
-
-                    ssl.setCipherSuites(ciphers);
                     sslEngine.setSSLParameters(ssl);
 
                 }
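Review bot: With the `ssl.setCipherSuites(ciphers)` call gone, `customize()` no longer restricts the cipher suites at all, and the remaining `ssl.setUseCipherSuitesOrder(true)` only orders whatever set Jetty's `SslContextFactory` and the JDK enable by default. The removed `CipherInfo.filter` kept only suites rated above strength 1, i.e. ECDHE/DHE key exchange and never NULL, RC4 or DES, so suites without forward secrecy may become negotiable again depending on the Jetty version's default excludes and the runtime's `jdk.tls.disabledAlgorithms`; neither is visible in this hunk. If forward secrecy is still required, state it on the factory instead of relying on defaults, for example `scf.addExcludeCipherSuites("^TLS_RSA_.*$");` after the factory is built. Otherwise add a comment in `customize()` such as `// cipher selection is left to the JDK/Jetty defaults (jdk.tls.disabledAlgorithms)`. The body of `generateSSLContextFactory` continues outside the hunk.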
diff --git a/src/club/wpia/gigi/pages/PolicyPage.java b/src/club/wpia/gigi/pages/PolicyPage.java
new file mode 100644 (file)
index 0000000..9ca1024
--- /dev/null
@@ -0,0 +1,36 @@
+package club.wpia.gigi.pages;
+
+import java.io.IOException;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import club.wpia.gigi.util.AuthorizationContext;
+import club.wpia.gigi.util.ServerConstants;
+import club.wpia.gigi.util.TimeConditions;
+
+public class PolicyPage extends Page {
+
+    public PolicyPage() {
+        super("Policies");
+    }
+
+    @Override
+    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        Map<String, Object> vars = Page.getDefaultVars(req);
+        vars.put("appName", ServerConstants.getAppName());
+        vars.put("testValidMonths", TimeConditions.getInstance().getTestMonths());
+        vars.put("reverificationDays", TimeConditions.getInstance().getVerificationLimitDays());
+        vars.put("verificationFreshMonths", TimeConditions.getInstance().getVerificationMonths());
+        vars.put("verificationMaxAgeMonths", TimeConditions.getInstance().getVerificationMaxAgeMonths());
+        vars.put("emailPingMonths", TimeConditions.getInstance().getEmailPingMonths());
+        getDefaultTemplate().output(resp.getWriter(), getLanguage(req), vars);
+    }
+
+    @Override
+    public boolean isPermitted(AuthorizationContext ac) {
+        return true;
+    }
+
+}
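Review bot: `PolicyPage` has no class Javadoc, and `isPermitted` returns `true` unconditionally without saying that this is deliberate, so nothing records that the page and the `TimeConditions` values it prints are meant to be readable without login. I would add a class comment such as `/** Public overview of the main policies and the time limits configured in TimeConditions. */` and, above `isPermitted`, `// intentionally public: only policy links and server-wide time limits are shown`. As a style point, `doGet` calls `TimeConditions.getInstance()` five times; a local `TimeConditions tc = TimeConditions.getInstance();` would make the `vars.put` lines shorter and easier to scan.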
diff --git a/src/club/wpia/gigi/pages/PolicyPage.templ b/src/club/wpia/gigi/pages/PolicyPage.templ
new file mode 100644 (file)
index 0000000..c55513e
--- /dev/null
@@ -0,0 +1,65 @@
+<p><?=_This page gives information on the most important policies for issuing and using certificates from ${appName} and the time restrictions defined in these policies.?></p>
+
+<table class="table">
+<tr><th>
+Policies
+</th></tr>
+<tr><td>
+<?=_!(/policy/CPS)CP!'</a>'?>
+</td></tr>
+<tr><td>
+<?=_!(/policy/verification)Verification Policy!'</a>' and the related sub policies?>
+</td></tr>
+<tr><td>
+<?=_!(/policy/raagent)Policy On Verification By RA Agent!'</a>'?>
+</td></tr>
+<tr><td>
+<?=_!(/policy/organisation)Organisation Verification Policy!'</a>'?>
+</td></tr>
+<tr><td>
+<?=_!(/policy/ttp)TTP Policy!'</a>'?>
+</td></tr>
+<tr><td>
+<?=_!(/policy/nucleus)Nucleus Policy!'</a>'?>
+</td></tr>
+<tr><td>
+<?=_All other policies can be viewed !(/policy)here!'</a>'?>
+</td></tr>
+</table>
+
+
+<table class="table">
+<tr><th colspan="2">
+Time settings on this server
+</th></tr>
+
+<tr><td>
+Time for valid knowledge challenge
+</td><td>
+<?=$testValidMonths?> months
+</td></tr>
+
+<tr><td>
+Minimum time between two verifications done by the same RA Agent for the same fellow
+</td><td>
+<?=$reverificationDays?> days
+</td></tr>
+
+<tr><td>
+Time that a verification is considered recent
+</td><td>
+<?=$verificationFreshMonths?> months
+</td></tr>
+
+<tr><td>
+Maximum time that a verification is accepted
+</td><td>
+<?=$verificationMaxAgeMonths?> months
+</td></tr>
+
+<tr><td>
+Maximum time before reping of email address needed
+</td><td>
+<?=$emailPingMonths?> months
+</td></tr>
+</table>
\ No newline at end of file
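Review bot: The table headings and row labels (`Policies`, `Time settings on this server`, `Time for valid knowledge challenge` and the rows after it) and the units `months` / `days` are plain text, while the intro paragraph and the link rows go through `<?=_ … ?>`, so these strings will presumably stay in English when the rest of the page is localised. Wrapping them the same way, e.g. `<?=_Time settings on this server?>`, would keep the page consistent. The first link row is labelled `CP` but points to `/policy/CPS`; if the label is meant to name the same document as the link target, one of the two should be adjusted. The last label reads `reping of email address needed`, where something like `Maximum time before an email address must be pinged again` would be clearer.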
diff --git a/src/club/wpia/gigi/util/CipherInfo.java b/src/club/wpia/gigi/util/CipherInfo.java
deleted file mode 100644 (file)
index 9fda8ca..0000000
+++ /dev/null
@@ -1,332 +0,0 @@
-package club.wpia.gigi.util;
-
-import java.lang.reflect.Field;
-import java.lang.reflect.Method;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.TreeSet;
-
-import sun.security.ssl.SSLContextImpl;
-
-public class CipherInfo implements Comparable<CipherInfo> {
-
-    private static class CipherInfoGenerator {
-
-        private Class<?> cipherSuite;
-
-        private Field cipherSuiteNameMap;
-
-        private Field exchange;
-
-        private Field cipher;
-
-        private Field keySize;
-
-        private Field algortihm;
-
-        private Field transformation;
-
-        private HashMap<?, ?> names;
-
-        private Field macAlg;
-
-        private Field macName;
-
-        private Field macSize;
-
-        public CipherInfoGenerator() throws ReflectiveOperationException {
-            SSLContextImpl sc = new SSLContextImpl.TLS12Context();
-            Method m = SSLContextImpl.class.getDeclaredMethod("getSupportedCipherSuiteList");
-            m.setAccessible(true);
-            Object o = m.invoke(sc);
-            Class<?> cipherSuiteList = o.getClass();
-            Method collection = cipherSuiteList.getDeclaredMethod("collection");
-            collection.setAccessible(true);
-            Collection<?> suites = (Collection<?>) collection.invoke(o);
-            Object oneSuite = suites.iterator().next();
-            cipherSuite = oneSuite.getClass();
-            cipherSuiteNameMap = cipherSuite.getDeclaredField("nameMap");
-            cipherSuiteNameMap.setAccessible(true);
-            names = (HashMap<?, ?>) cipherSuiteNameMap.get(null);
-            exchange = cipherSuite.getDeclaredField("keyExchange");
-            exchange.setAccessible(true);
-            cipher = cipherSuite.getDeclaredField("cipher");
-            cipher.setAccessible(true);
-            Class<?> bulkCipher = cipher.getType();
-            keySize = bulkCipher.getDeclaredField("keySize");
-            keySize.setAccessible(true);
-            algortihm = bulkCipher.getDeclaredField("algorithm");
-            algortihm.setAccessible(true);
-            transformation = bulkCipher.getDeclaredField("transformation");
-            transformation.setAccessible(true);
-
-            macAlg = cipherSuite.getDeclaredField("macAlg");
-            macAlg.setAccessible(true);
-            Class<?> mac = macAlg.getType();
-            macName = mac.getDeclaredField("name");
-            macName.setAccessible(true);
-            macSize = mac.getDeclaredField("size");
-            macSize.setAccessible(true);
-        }
-
-        public CipherInfo generateInfo(String suiteName) throws IllegalArgumentException, IllegalAccessException {
-            Object suite = names.get(suiteName);
-            String keyExchange = exchange.get(suite).toString();
-            Object bulkCipher = cipher.get(suite);
-            Object mac = macAlg.get(suite);
-
-            String transform = (String) transformation.get(bulkCipher);
-            String[] transformationParts = transform.split("/");
-            int keysize = keySize.getInt(bulkCipher);
-
-            String macNam = (String) macName.get(mac);
-            int macSiz = macSize.getInt(mac);
-
-            String chaining = null;
-            String padding = null;
-            if (transformationParts.length > 1) {
-                chaining = transformationParts[1];
-                padding = transformationParts[2];
-            }
-
-            return new CipherInfo(suiteName, keyExchange, transformationParts[0], keysize * 8, chaining, padding, macNam, macSiz * 8);
-
-        }
-    }
-
-    String keyExchange;
-
-    String cipher;
-
-    int keySize;
-
-    String cipherChaining;
-
-    String cipherPadding;
-
-    String macName;
-
-    int macSize;
-
-    String suiteName;
-
-    private CipherInfo(String suiteName, String keyExchange, String cipher, int keySize, String cipherChaining, String cipherPadding, String macName, int macSize) {
-        this.suiteName = suiteName;
-        this.keyExchange = keyExchange;
-        this.cipher = cipher;
-        this.keySize = keySize;
-        this.cipherChaining = cipherChaining;
-        this.cipherPadding = cipherPadding;
-        this.macName = macName;
-        this.macSize = macSize;
-    }
-
-    static CipherInfoGenerator cig;
-    static {
-        try {
-            cig = new CipherInfoGenerator();
-        } catch (ReflectiveOperationException e) {
-            e.printStackTrace();
-        }
-    }
-
-    public static CipherInfo generateInfo(String name) {
-        if (cig == null) {
-            return null;
-        }
-        try {
-            return cig.generateInfo(name);
-        } catch (IllegalArgumentException e) {
-            e.printStackTrace();
-        } catch (IllegalAccessException e) {
-            e.printStackTrace();
-        }
-        return null;
-    }
-
-    public String getSuiteName() {
-        return suiteName;
-    }
-
-    /**
-     * 5: ECDHE, AES||CAMELLIA, keysize >=256 <br>
-     * 4: DHE, AES||CAMELLIA, keysize >= 256<br>
-     * 3: ECDHE|| DHE, AES||CAMELLIA<br>
-     * 2: ECDHE||DHE<br>
-     * 1: RSA||DSA <br>
-     * 0: Others
-     * 
-     * @return the strength
-     */
-    public int getStrength() {
-        if (cipher.equals("NULL") || cipher.equals("RC4") || cipher.contains("DES")) {
-            return 0;
-        }
-        boolean ecdhe = keyExchange.startsWith("ECDHE");
-        boolean dhe = keyExchange.startsWith("DHE");
-        boolean pfs = ecdhe || dhe;
-        boolean goodCipher = cipher.equals("AES") || cipher.equals("CAMELLIA");
-        if (ecdhe && goodCipher && keySize >= 256) {
-            return 5;
-        }
-        if (dhe && goodCipher && keySize >= 256) {
-            return 4;
-        }
-        if (pfs && goodCipher) {
-            return 3;
-        }
-        if (pfs) {
-            return 2;
-        }
-        if (keyExchange.equals("RSA") || keyExchange.equals("DSA")) {
-            return 1;
-        }
-        return 0;
-    }
-
-    private static final String[] CIPHER_RANKING = new String[] {
-            "CAMELLIA", "AES", "RC4", "3DES", "DES", "DES40"
-    };
-
-    @Override
-    public String toString() {
-        return "CipherInfo [keyExchange=" + keyExchange + ", cipher=" + cipher + ", keySize=" + keySize + ", cipherChaining=" + cipherChaining + ", cipherPadding=" + cipherPadding + ", macName=" + macName + ", macSize=" + macSize + "]";
-    }
-
-    /**
-     * ECDHE<br>
-     * GCM<br>
-     * Cipher {@link #CIPHER_RANKING}<br>
-     * Cipher {@link #keySize}<br>
-     * HMAC<br>
-     * HMAC size<br>
-     * 
-     * @return
-     */
-    @Override
-    public int compareTo(CipherInfo o) {
-        int myStrength = getStrength();
-        int oStrength = o.getStrength();
-        if (myStrength > oStrength) {
-            return -1;
-        }
-        if (myStrength < oStrength) {
-            return 1;
-        }
-        // TODO sort SSL/TLS
-        boolean myEcdhe = keyExchange.startsWith("ECDHE");
-        boolean oEcdhe = o.keyExchange.startsWith("ECDHE");
-        if (myEcdhe && !oEcdhe) {
-            return -1;
-        }
-        if ( !myEcdhe && oEcdhe) {
-            return 1;
-        }
-        boolean myGCM = "GCM".equals(cipherChaining);
-        boolean oGCM = "GCM".equals(o.cipherChaining);
-        if (myGCM && !oGCM) {
-            return -1;
-        }
-        if ( !myGCM && oGCM) {
-            return 1;
-        }
-        if ( !cipher.equals(o.cipher)) {
-
-            for (String testCipher : CIPHER_RANKING) {
-                if (cipher.equals(testCipher)) {
-                    return -1;
-                }
-                if (o.cipher.equals(testCipher)) {
-                    return 1;
-                }
-            }
-            if (cipher.equals("NULL")) {
-                return 1;
-            }
-            if (o.cipher.equals("NULL")) {
-                return -1;
-            }
-        }
-        if (keySize > o.keySize) {
-            return -1;
-        }
-        if (keySize < o.keySize) {
-            return 1;
-        }
-        boolean mySHA = macName.startsWith("SHA");
-        boolean oSHA = o.macName.startsWith("SHA");
-        if ( !mySHA && oSHA) {
-            return -1;
-        }
-        if (mySHA && !oSHA) {
-            return 1;
-        }
-        if (macSize > o.macSize) {
-            return -1;
-        }
-        if (macSize < o.macSize) {
-            return 1;
-        }
-
-        return suiteName.compareTo(o.suiteName);
-    }
-
-    @Override
-    public boolean equals(Object o) {
-        if (o instanceof CipherInfo) {
-            return 0 == this.compareTo((CipherInfo) o);
-        }
-
-        return false;
-    }
-
-    @Override
-    public int hashCode() {
-        final int prime = 31;
-        int result = 1;
-        result = prime * result + ((cipher == null) ? 0 : cipher.hashCode());
-        result = prime * result + ((cipherChaining == null) ? 0 : cipherChaining.hashCode());
-        result = prime * result + ((cipherPadding == null) ? 0 : cipherPadding.hashCode());
-        result = prime * result + ((keyExchange == null) ? 0 : keyExchange.hashCode());
-        result = prime * result + keySize;
-        result = prime * result + ((macName == null) ? 0 : macName.hashCode());
-        result = prime * result + macSize;
-        result = prime * result + ((suiteName == null) ? 0 : suiteName.hashCode());
-        return result;
-    }
-
-    static String[] cipherRanking = null;
-
-    public static String[] getCompleteRanking() {
-        if (cipherRanking == null) {
-            @SuppressWarnings("unchecked")
-            String[] ciphers = filterCiphers((Iterable<String>) cig.names.keySet());
-            cipherRanking = ciphers;
-        }
-        return cipherRanking;
-    }
-
-    private static String[] filterCiphers(Iterable<String> toFilter) {
-        TreeSet<CipherInfo> chosenCiphers = new TreeSet<CipherInfo>();
-        for (String o : toFilter) {
-            String s = o;
-            CipherInfo info = CipherInfo.generateInfo(s);
-            if (info != null) {
-                if (info.getStrength() > 1) {
-                    chosenCiphers.add(info);
-                }
-            }
-        }
-        String[] ciphers = new String[chosenCiphers.size()];
-        int counter = 0;
-        for (CipherInfo i : chosenCiphers) {
-            ciphers[counter++] = i.getSuiteName();
-        }
-        return ciphers;
-    }
-
-    public static String[] filter(String[] supportedCipherSuites) {
-        return filterCiphers(Arrays.asList(supportedCipherSuites));
-    }
-}