host=127.0.0.1
+name.static=static.cacert.local
+name.secure=secure.cacert.local
+name.www=www.cacert.local
port=443
#emailProvider=org.cacert.gigi.email.Sendmail
emailProvider=org.cacert.gigi.email.CommandlineEmailProvider
# ==== ALL ===
+name.static=static.cacert.local
+name.secure=secure.cacert.local
+name.www=www.cacert.local
sql.driver=com.mysql.jdbc.Driver
sql.url=jdbc:mysql://localhost:3306/cacert
sql.user=cacert
- download locales (util/ org.cacert.gigi.util.FetchLocales)
- write your sql connection properties: config/gigi.properties.template -> config/gigi.properties
+- install "hosts" entries for the hosts you entered in "gigi.properties"
+ (be aware if you change the default ones you need to change the CN given in the certificates)
+
- add the corresponding jdbc connector to your path.
- on unix-like systems: to securely run on privileged ports <= 1024 build the native setuid library (run the makefile in natives/).
openssl req -new -key $1.key -out $1.csr -subj "/CN=$1.cacert.local" -config selfsign.config
openssl ca -cert testca.crt -keyfile testca.key -in $1.csr -out $1.crt -days 356 -batch -config selfsign.config
-openssl pkcs12 -inkey $1.key -in $1.crt -name $1 -export -passout pass: -out $1.pkcs12
+openssl pkcs12 -inkey $1.key -in $1.crt -name $1 -export -passout pass:changeit -out $1.pkcs12
-keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore ../../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "" -deststorepass ""
+keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore ../../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "changeit" -deststorepass "changeit"
}
genserver static
genserver api
-keytool -list -keystore ../../config/keystore.pkcs12 -storetype pkcs12 -storepass ""
+keytool -list -keystore ../../config/keystore.pkcs12 -storetype pkcs12 -storepass "changeit"
keytool -importcert -keystore ../../config/cacerts.jks -file root.crt -alias root -storepass "changeit" $1
keytool -importcert -keystore ../../config/cacerts.jks -file class3.crt -alias class3 -storepass "changeit" $1
-keytool -importcert -keystore ../../config/cacerts.jks -file jetty.crt -alias own -storepass "changeit" $1
+keytool -importcert -keystore ../../config/cacerts.jks -file testca.crt -alias own -storepass "changeit" $1
keytool -list -keystore ../../config/cacerts.jks -storepass "changeit"
byte[] keystore = Files.readAllBytes(Paths
.get("config/keystore.pkcs12"));
- DevelLauncher.writeGigiConfig(dos, new byte[]{}, "changeit".getBytes(),
- mainProps, cacerts, keystore);
+ DevelLauncher.writeGigiConfig(dos, "changeit".getBytes(),
+ "changeit".getBytes(), mainProps, cacerts, keystore);
dos.flush();
InputStream oldin = System.in;
System.setIn(new ByteArrayInputStream(chunkConfig.toByteArray()));
import org.cacert.gigi.pages.account.MyDetails;
import org.cacert.gigi.pages.main.RegisterPage;
import org.cacert.gigi.pages.wot.AssurePage;
+import org.cacert.gigi.util.ServerConstants;
import org.eclipse.jetty.util.log.Log;
public class Gigi extends HttpServlet {
hsr.addHeader("Access-Control-Allow-Origin",
"http://cacert.org https://localhost");
hsr.addHeader("Access-Control-Max-Age", "60");
- hsr.addHeader("Content-Security-Policy",
- "default-src 'self' https://www.cacert.org/*;frame-ancestors 'none'");
+ hsr.addHeader("Content-Security-Policy", "default-src 'self' https://"
+ + ServerConstants.getStaticHostNamePort()
+ + " https://www.cacert.org/*;frame-ancestors 'none'");
// ;report-uri https://felix.dogcraft.de/report.php
}
ks1.load(new ByteArrayInputStream(cacerts), truststorepw);
return ks1;
}
+ public String getPrivateStorePw() {
+ return new String(keystorpw);
+ }
}
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
+import java.util.List;
import java.util.Properties;
+import javax.net.ssl.ExtendedSSLSession;
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
-import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.SSLSession;
+
import org.cacert.gigi.natives.SetUID;
import org.cacert.gigi.util.CipherInfo;
+import org.cacert.gigi.util.ServerConstants;
+import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.HttpConfiguration;
public class Launcher {
public static void main(String[] args) throws Exception {
GigiConfig conf = GigiConfig.parse(System.in);
+ ServerConstants.init(conf.getMainProps());
Server s = new Server();
// === SSL HTTP Configuration ===
https_config.addCustomizer(new SecureRequestCustomizer());
ServerConnector connector = new ServerConnector(s,
- new SslConnectionFactory(generateSSLContextFactory(conf),
- "http/1.1"), new HttpConnectionFactory(https_config));
+ createConnectionFactory(conf), new HttpConnectionFactory(
+ https_config));
connector.setHost(conf.getMainProps().getProperty("host"));
connector.setPort(Integer.parseInt(conf.getMainProps().getProperty(
"port")));
}
}
- private static ServletContextHandler generateGigiContext(Properties conf) {
+ private static SslConnectionFactory createConnectionFactory(GigiConfig conf)
+ throws GeneralSecurityException, IOException {
+ final SslContextFactory sslContextFactory = generateSSLContextFactory(
+ conf, "www");
+ final SslContextFactory secureContextFactory = generateSSLContextFactory(
+ conf, "secure");
+ secureContextFactory.setNeedClientAuth(true);
+ final SslContextFactory staticContextFactory = generateSSLContextFactory(
+ conf, "static");
+ try {
+ secureContextFactory.start();
+ staticContextFactory.start();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ return new SslConnectionFactory(sslContextFactory,
+ HttpVersion.HTTP_1_1.asString()) {
+ @Override
+ public boolean shouldRestartSSL() {
+ return true;
+ }
+ @Override
+ public SSLEngine restartSSL(SSLSession sslSession) {
+ SSLEngine e2 = null;
+ if (sslSession instanceof ExtendedSSLSession) {
+ ExtendedSSLSession es = (ExtendedSSLSession) sslSession;
+ List<SNIServerName> names = es.getRequestedServerNames();
+ for (SNIServerName sniServerName : names) {
+ if (sniServerName instanceof SNIHostName) {
+ SNIHostName host = (SNIHostName) sniServerName;
+ String hostname = host.getAsciiName();
+ if (hostname.equals("www.cacert.local")) {
+ e2 = sslContextFactory.newSSLEngine();
+ } else if (hostname.equals("static.cacert.local")) {
+ e2 = staticContextFactory.newSSLEngine();
+ } else if (hostname.equals("secure.cacert.local")) {
+ e2 = secureContextFactory.newSSLEngine();
+ }
+ break;
+ }
+ }
+ }
+ if (e2 == null) {
+ e2 = sslContextFactory.newSSLEngine(
+ sslSession.getPeerHost(), sslSession.getPeerPort());
+ }
+ e2.setUseClientMode(false);
+ return e2;
+ }
+ };
+ }
+
+ private static ContextHandler generateGigiContext(Properties conf) {
+ final ResourceHandler rh = new ResourceHandler();
+ rh.setResourceBase("static/www");
+
+ HandlerWrapper hw = new PolicyRedirector();
+ hw.setHandler(rh);
+
ServletContextHandler servlet = new ServletContextHandler(
ServletContextHandler.SESSIONS);
servlet.setInitParameter(SessionManager.__SessionCookieProperty,
"CACert-Session");
servlet.addServlet(new ServletHolder(new Gigi(conf)), "/*");
- return servlet;
+
+ HandlerList hl = new HandlerList();
+ hl.setHandlers(new Handler[]{servlet, hw});
+
+ ContextHandler ch = new ContextHandler();
+ ch.setVirtualHosts(new String[]{ServerConstants.getWwwHostName(),
+ ServerConstants.getSecureHostName()});
+ ch.setHandler(hl);
+
+ return ch;
}
private static Handler generateStaticContext() {
final ResourceHandler rh = new ResourceHandler();
- rh.setResourceBase("static");
- HandlerWrapper hw = new PolicyRedirector();
- hw.setHandler(rh);
+ rh.setResourceBase("static/static");
ContextHandler ch = new ContextHandler();
- ch.setContextPath("/static");
- ch.setHandler(hw);
+ ch.setHandler(rh);
+ ch.setVirtualHosts(new String[]{ServerConstants.getStaticHostName()});
return ch;
}
- private static SslContextFactory generateSSLContextFactory(GigiConfig conf)
- throws GeneralSecurityException, IOException {
- TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("PKIX");
- tmFactory.init((KeyStore) null);
-
+ private static SslContextFactory generateSSLContextFactory(GigiConfig conf,
+ String alias) throws GeneralSecurityException, IOException {
SslContextFactory scf = new SslContextFactory() {
String[] ciphers = null;
};
scf.setRenegotiationAllowed(false);
- scf.setWantClientAuth(true);
scf.setProtocol("TLS");
scf.setTrustStore(conf.getTrustStore());
- scf.setKeyStore(conf.getPrivateStore());
+ KeyStore privateStore = conf.getPrivateStore();
+ scf.setKeyStorePassword(conf.getPrivateStorePw());
+ scf.setKeyStore(privateStore);
+ scf.setCertAlias(alias);
return scf;
}
}
public void handle(String target, Request baseRequest,
HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException {
+ System.out.println("h1"+target);
if (target.startsWith("/policy/") && target.endsWith(".php")) {
target = target.replace(".php", ".html");
- response.sendRedirect("/static" + target);
+ response.sendRedirect(target);
baseRequest.setHandled(true);
return;
}
.translate(
req,
"Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!"));
- body.append("\n\n");
- body.append(ServerConstants.NORMAL_HOST_NAME);
+ body.append("\n\nhttps://");
+ body.append(ServerConstants.getWwwHostNamePort());
body.append("/verify?type=email&id=");
body.append(emailid);
body.append("&hash=");
package org.cacert.gigi.util;
+import java.util.Properties;
+
public class ServerConstants {
- public static final String NORMAL_HOST_NAME = "http://www.cacert.org";
+ private static String wwwHostName = "www.cacert.local";
+ private static String secureHostName = "secure.cacert.local";
+ private static String staticHostName = "static.cacert.local";
+ private static String port;
+ public static void init(Properties conf) {
+ port = "";
+ if (!conf.getProperty("port").equals("443")) {
+ port = ":" + conf.getProperty("port");
+ }
+ wwwHostName = conf.getProperty("name.www");
+ secureHostName = conf.getProperty("name.secure");
+ staticHostName = conf.getProperty("name.static");
+ }
+ public static String getSecureHostName() {
+ return secureHostName;
+ }
+ public static String getStaticHostName() {
+ return staticHostName;
+ }
+ public static String getWwwHostName() {
+ return wwwHostName;
+ }
+ public static String getSecureHostNamePort() {
+ return secureHostName + port;
+ }
+ public static String getStaticHostNamePort() {
+ return staticHostName + port;
+ }
+ public static String getWwwHostNamePort() {
+ return wwwHostName + port;
+ }
+
}
<html>
<head>
<title>$title$</title>
-<link rel="stylesheet" href="/static/default.css" type="text/css">
-<script src="/static/menu.js"></script>
+<link rel="stylesheet" href="https://static.cacert.local/default.css" type="text/css">
+<script src="https://static.cacert.local/menu.js"></script>
</head>
<body>
<div id="pagecell1">
registerUser("ab", "b", "correct" + uniq + "@email.de", "ap12UI.'");
TestMail tm = waitForMail();
String link = tm.extractLink();
- assertTrue(link, link.startsWith("http://"));
+ assertTrue(link, link.startsWith("https://"));
}
@Test
public void testNoFname() throws IOException {
Integer.parseInt(parts[1])));
return;
}
- url = "localhost:" + testProps.getProperty("serverPort");
+ url = testProps.getProperty("name.www") + ":"
+ + testProps.getProperty("serverPort");
gigi = Runtime.getRuntime().exec(testProps.getProperty("java"));
DataOutputStream toGigi = new DataOutputStream(
gigi.getOutputStream());
System.out.println("... starting server");
Properties mainProps = new Properties();
mainProps.setProperty("host", "127.0.0.1");
+ mainProps.setProperty("name.secure", "sec");
+ mainProps
+ .setProperty("name.www", testProps.getProperty("name.www"));
+ mainProps.setProperty("name.static", "stat");
+
mainProps.setProperty("port", testProps.getProperty("serverPort"));
mainProps.setProperty("emailProvider",
"org.cacert.gigi.email.TestEmailProvider");
byte[] keystore = Files.readAllBytes(Paths
.get("config/keystore.pkcs12"));
- DevelLauncher.writeGigiConfig(toGigi, new byte[]{},
+ DevelLauncher.writeGigiConfig(toGigi, "changeit".getBytes(),
"changeit".getBytes(), mainProps, cacerts, keystore);
toGigi.flush();
- // TODO wait for ready
- try {
- Thread.sleep(3000);
- } catch (InterruptedException e) {
- e.printStackTrace();
- }
+
final BufferedReader br = new BufferedReader(new InputStreamReader(
gigi.getErrorStream()));
String line;
return replyto;
}
public String extractLink() {
- Pattern link = Pattern.compile("http://[^\\s]+(?=\\s)");
+ Pattern link = Pattern.compile("https?://[^\\s]+(?=\\s)");
Matcher m = link.matcher(getMessage());
m.find();
return m.group(0);