authortkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2014-04-16 14:26:56 +0000
committertkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2014-04-16 14:26:56 +0000
commit8fad457887d396317c4004f3cca3cc58a9a5f070 (patch)
treeb8c5520cab78559fccd03cee4755cacc29ee5097
parent80e3cf38ac1541e1f2033b16b47a5a91b34cff4a (diff)
Add GCM variants to disabled ciphersuites
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1310 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
-rw-r--r--BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java370
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java8
2 files changed, 197 insertions, 181 deletions
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
index 3769629e..1e553c21 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
@@ -22,8 +22,8 @@
*/
-package at.gv.egiz.bku.webstart;
-
+package at.gv.egiz.bku.webstart;
+
import iaik.utils.StreamCopier;
import java.io.BufferedInputStream;
@@ -51,28 +51,28 @@ import org.mortbay.jetty.webapp.WebAppContext;
import org.mortbay.thread.QueuedThreadPool;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
-public class Container {
-
- public static final String HTTP_PORT_PROPERTY = "mocca.http.port";
+
+public class Container {
+
+ public static final String HTTP_PORT_PROPERTY = "mocca.http.port";
public static final String HTTPS_PORT_PROPERTY = "mocca.https.port";
private static final String JETTY_TEMP_CLEANER_CLASSNAME = "JettyTempCleaner";
-
- private static Logger log = LoggerFactory.getLogger(Container.class);
-
+
+ private static Logger log = LoggerFactory.getLogger(Container.class);
+
static {
- if (log.isDebugEnabled()) {
- //Jetty log INFO and WARN, include ignored exceptions
- //jetty logging may be further restricted by setting level in log4j.properties
- System.setProperty("VERBOSE", "true");
- //do not set Jetty DEBUG logging, produces loads of output
- //System.setProperty("DEBUG", "true");
- }
- }
- private Server server;
+ if (log.isDebugEnabled()) {
+ //Jetty log INFO and WARN, include ignored exceptions
+ //jetty logging may be further restricted by setting level in log4j.properties
+ System.setProperty("VERBOSE", "true");
+ //do not set Jetty DEBUG logging, produces loads of output
+ //System.setProperty("DEBUG", "true");
+ }
+ }
+ private Server server;
private WebAppContext webapp;
- private WebappErrorHandler errorHandler;
+ private WebappErrorHandler errorHandler;
private Certificate caCertificate;
private File tempDir;
@@ -82,128 +82,136 @@ public class Container {
this.locale = locale;
init();
}
-
- public void init() throws IOException {
-// System.setProperty("DEBUG", "true");
- server = new Server();
- QueuedThreadPool qtp = new QueuedThreadPool();
- qtp.setMaxThreads(5);
- qtp.setMinThreads(2);
- qtp.setLowThreads(0);
- server.setThreadPool(qtp);
- server.setStopAtShutdown(true);
- server.setGracefulShutdown(3000);
-
- SelectChannelConnector connector = new SelectChannelConnector();
- connector.setPort(Integer.getInteger(HTTP_PORT_PROPERTY, 3495).intValue());
- connector.setAcceptors(1);
- connector.setConfidentialPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue());
- connector.setHost("127.0.0.1");
-
- SslSocketConnector sslConnector = new SslSocketConnector();
- sslConnector.setPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue());
- sslConnector.setAcceptors(1);
- sslConnector.setHost("127.0.0.1");
- File configDir = new File(System.getProperty("user.home") + "/" + Configurator.CONFIG_DIR);
- File keystoreFile = new File(configDir, Configurator.KEYSTORE_FILE);
- if (!keystoreFile.canRead()) {
- log.error("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath());
- throw new FileNotFoundException("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath());
- }
- log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath());
- sslConnector.setKeystore(keystoreFile.getAbsolutePath());
- String passwd = readPassword(new File(configDir, Configurator.PASSWD_FILE));
- sslConnector.setPassword(passwd);
- sslConnector.setKeyPassword(passwd);
-
- //avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
- String[] RFC4492CipherSuites = new String[] {
- "TLS_ECDH_ECDSA_WITH_NULL_SHA",
- "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
- "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDH_RSA_WITH_NULL_SHA",
- "TLS_ECDH_RSA_WITH_RC4_128_SHA",
- "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_NULL_SHA",
- "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDH_anon_WITH_NULL_SHA",
- "TLS_ECDH_anon_WITH_RC4_128_SHA",
- "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
- };
-
- sslConnector.setExcludeCipherSuites(RFC4492CipherSuites);
-
- server.setConnectors(new Connector[]{connector, sslConnector});
-
- webapp = new WebAppContext();
- webapp.setLogUrlOnStart(true);
- webapp.setContextPath("/");
- webapp.setExtractWAR(true);
+
+ public void init() throws IOException {
+// System.setProperty("DEBUG", "true");
+ server = new Server();
+ QueuedThreadPool qtp = new QueuedThreadPool();
+ qtp.setMaxThreads(5);
+ qtp.setMinThreads(2);
+ qtp.setLowThreads(0);
+ server.setThreadPool(qtp);
+ server.setStopAtShutdown(true);
+ server.setGracefulShutdown(3000);
+
+ SelectChannelConnector connector = new SelectChannelConnector();
+ connector.setPort(Integer.getInteger(HTTP_PORT_PROPERTY, 3495).intValue());
+ connector.setAcceptors(1);
+ connector.setConfidentialPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue());
+ connector.setHost("127.0.0.1");
+
+ SslSocketConnector sslConnector = new SslSocketConnector();
+ sslConnector.setPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue());
+ sslConnector.setAcceptors(1);
+ sslConnector.setHost("127.0.0.1");
+ File configDir = new File(System.getProperty("user.home") + "/" + Configurator.CONFIG_DIR);
+ File keystoreFile = new File(configDir, Configurator.KEYSTORE_FILE);
+ if (!keystoreFile.canRead()) {
+ log.error("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath());
+ throw new FileNotFoundException("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath());
+ }
+ log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath());
+ sslConnector.setKeystore(keystoreFile.getAbsolutePath());
+ String passwd = readPassword(new File(configDir, Configurator.PASSWD_FILE));
+ sslConnector.setPassword(passwd);
+ sslConnector.setKeyPassword(passwd);
+
+ //avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
+ String[] RFC4492CipherSuites = new String[] {
+ "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDH_RSA_WITH_NULL_SHA",
+ "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_NULL_SHA",
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDH_anon_WITH_NULL_SHA",
+ "TLS_ECDH_anon_WITH_RC4_128_SHA",
+ "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
+ };
+
+ sslConnector.setExcludeCipherSuites(RFC4492CipherSuites);
+
+ server.setConnectors(new Connector[]{connector, sslConnector});
+
+ webapp = new WebAppContext();
+ webapp.setLogUrlOnStart(true);
+ webapp.setContextPath("/");
+ webapp.setExtractWAR(true);
webapp.setParentLoaderPriority(false);
errorHandler = new WebappErrorHandler(locale);
- webapp.setErrorHandler(errorHandler);
-
- tempDir = webapp.getTempDirectory();
- webapp.setWar(copyWebapp(tempDir));
-// webapp.setPermissions(getPermissions(tempDir));
-
- server.setHandler(webapp);
- server.setGracefulShutdown(1000 * 3);
-
- loadCACertificate(keystoreFile, passwd.toCharArray());
- }
-
- /**
- * @return The first valid (not empty, no comment) line of the passwd file
- * @throws IOException
- */
- protected static String readPassword(File passwdFile) throws IOException {
- if (passwdFile.exists() && passwdFile.canRead()) {
- BufferedReader passwdReader = null;
- try {
- passwdReader = new BufferedReader(new FileReader(passwdFile));
- String passwd;
- while ((passwd = passwdReader.readLine().trim()) != null) {
- if (passwd.length() > 0 && !passwd.startsWith("#")) {
- return passwd;
- }
- }
- } catch (IOException ex) {
- log.error("failed to read password from " + passwdFile, ex);
- throw ex;
- } finally {
- try {
- passwdReader.close();
- } catch (IOException ex) {
- }
- }
- }
- throw new IOException(passwdFile + " not readable");
- }
-
- private String copyWebapp(File webappDir) throws IOException {
- File webapp = new File(webappDir, "BKULocal.war");
- log.debug("copying BKULocal classpath resource to " + webapp);
- InputStream is = getClass().getClassLoader().getResourceAsStream("BKULocal.war");
- OutputStream os = new BufferedOutputStream(new FileOutputStream(webapp));
- new StreamCopier(is, os).copyStream();
- os.close();
- return webapp.getPath();
+ webapp.setErrorHandler(errorHandler);
+
+ tempDir = webapp.getTempDirectory();
+ webapp.setWar(copyWebapp(tempDir));
+// webapp.setPermissions(getPermissions(tempDir));
+
+ server.setHandler(webapp);
+ server.setGracefulShutdown(1000 * 3);
+
+ loadCACertificate(keystoreFile, passwd.toCharArray());
+ }
+
+ /**
+ * @return The first valid (not empty, no comment) line of the passwd file
+ * @throws IOException
+ */
+ protected static String readPassword(File passwdFile) throws IOException {
+ if (passwdFile.exists() && passwdFile.canRead()) {
+ BufferedReader passwdReader = null;
+ try {
+ passwdReader = new BufferedReader(new FileReader(passwdFile));
+ String passwd;
+ while ((passwd = passwdReader.readLine().trim()) != null) {
+ if (passwd.length() > 0 && !passwd.startsWith("#")) {
+ return passwd;
+ }
+ }
+ } catch (IOException ex) {
+ log.error("failed to read password from " + passwdFile, ex);
+ throw ex;
+ } finally {
+ try {
+ passwdReader.close();
+ } catch (IOException ex) {
+ }
+ }
+ }
+ throw new IOException(passwdFile + " not readable");
+ }
+
+ private String copyWebapp(File webappDir) throws IOException {
+ File webapp = new File(webappDir, "BKULocal.war");
+ log.debug("copying BKULocal classpath resource to " + webapp);
+ InputStream is = getClass().getClassLoader().getResourceAsStream("BKULocal.war");
+ OutputStream os = new BufferedOutputStream(new FileOutputStream(webapp));
+ new StreamCopier(is, os).copyStream();
+ os.close();
+ return webapp.getPath();
}
private void copyCleaner(File dir) throws IOException {
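Review bot: In readPassword on the new side, `while ((passwd = passwdReader.readLine().trim()) != null)` calls trim() on the result of readLine() before the null check, so a password file containing only blank or comment lines ends in a NullPointerException at EOF instead of the intended `IOException(passwdFile + " not readable")`; the finally block likewise dereferences passwdReader without a null check when the FileReader constructor itself threw. The loop should test readLine() for null first and trim afterwards, and close() should be guarded, as sketched below. copyWebapp in the same hunk never closes `is`, leaves `os` open if copyStream() throws, and does not check getResourceAsStream for null, so a missing BKULocal.war surfaces as a NullPointerException rather than a clear error; try/finally (or try-with-resources if the project targets Java 7+) and an explicit null check would cover that. The comment above RFC4492CipherSuites documents the ClassCastException workaround; since the reason for extending the list is otherwise only in the commit log, a one-line addition such as `// GCM variants listed too, so the ECDH/ECDHE exclusion stays complete on TLS 1.2 capable runtimes` would keep the intent with the code.
```java
protected static String readPassword(File passwdFile) throws IOException {
  if (passwdFile.exists() && passwdFile.canRead()) {
    BufferedReader passwdReader = null;
    try {
      passwdReader = new BufferedReader(new FileReader(passwdFile));
      String line;
      // readLine() returns null at end of file; test that before trimming
      while ((line = passwdReader.readLine()) != null) {
        String passwd = line.trim();
        if (passwd.length() > 0 && !passwd.startsWith("#")) {
          return passwd;
        }
      }
    } catch (IOException ex) {
      // … unchanged: log and rethrow …
    } finally {
      if (passwdReader != null) {
        try {
          passwdReader.close();
        } catch (IOException ignored) {
          // best-effort close; the result (or exception) is already decided
        }
      }
    }
  }
  throw new IOException(passwdFile + " not readable");
}
```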
@@ -242,54 +250,54 @@ public class Container {
}
}
- /**
- * grant all permissions, since we need read/write access to save signature data files anywhere (JFileChooser) in the local filesystem
- * and Jetty does not allow declare (webapp) permissions on a codeBase basis.
- * @param webappDir
- * @return
- */
-// private Permissions getPermissions(File webappDir) {
-// Permissions perms = new Permissions();
-// perms.add(new AllPermission());
-//// perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));
-//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));
-//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));
-//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete"));
-//
-//// perms.add(new FilePermission("<<ALL FILES>>", "read, write"));
-//
-// return perms;
-// }
-
- public void start() throws Exception {
- server.start();
- File caCertFile = new File(webapp.getTempDirectory(), "webapp/ca.crt");
- BufferedOutputStream bos = new BufferedOutputStream(new FileOutputStream(caCertFile));
- bos.write(caCertificate.getEncoded());
- bos.flush();
- bos.close();
- }
-
- public boolean isRunning() {
- return server.isRunning();
- }
-
+ /**
+ * grant all permissions, since we need read/write access to save signature data files anywhere (JFileChooser) in the local filesystem
+ * and Jetty does not allow declare (webapp) permissions on a codeBase basis.
+ * @param webappDir
+ * @return
+ */
+// private Permissions getPermissions(File webappDir) {
+// Permissions perms = new Permissions();
+// perms.add(new AllPermission());
+//// perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));
+//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));
+//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));
+//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete"));
+//
+//// perms.add(new FilePermission("<<ALL FILES>>", "read, write"));
+//
+// return perms;
+// }
+
+ public void start() throws Exception {
+ server.start();
+ File caCertFile = new File(webapp.getTempDirectory(), "webapp/ca.crt");
+ BufferedOutputStream bos = new BufferedOutputStream(new FileOutputStream(caCertFile));
+ bos.write(caCertificate.getEncoded());
+ bos.flush();
+ bos.close();
+ }
+
+ public boolean isRunning() {
+ return server.isRunning();
+ }
+
public void stop() throws Exception {
server.stop();
cleanupJettyTemp();
- }
-
- public void destroy() {
- server.destroy();
+ }
+
+ public void destroy() {
+ server.destroy();
cleanupJettyTemp();
-}
-
- public void join() throws InterruptedException {
- server.join();
- }
-
+}
+
+ public void join() throws InterruptedException {
+ server.join();
+ }
+
private void loadCACertificate(File keystoreFile, char[] passwd) {
caCertificate = getCACertificate(keystoreFile, passwd);
if (caCertificate == null)
@@ -312,4 +320,4 @@ public class Container {
return null;
}
}
-}
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
index 702212bc..c3758a47 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
@@ -56,21 +56,29 @@ public class SSLSocketFactoryBean implements FactoryBean {
"TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," +
+ "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384," +
"TLS_ECDHE_ECDSA_WITH_NULL_SHA," +
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA," +
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384," +
"TLS_ECDH_RSA_WITH_NULL_SHA," +
"TLS_ECDH_RSA_WITH_RC4_128_SHA," +
"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," +
+ "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384," +
"TLS_ECDHE_RSA_WITH_NULL_SHA," +
"TLS_ECDHE_RSA_WITH_RC4_128_SHA," +
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
"TLS_ECDH_anon_WITH_NULL_SHA," +
"TLS_ECDH_anon_WITH_RC4_128_SHA," +
"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA," +
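Review bot: The exclusion list is an exact-name blacklist that is maintained by hand in two places, this string and the RFC4492CipherSuites array in Container.java, and this commit shows the cost: every new ECDH/ECDHE suite name a JSSE release introduces has to be added in both places or the exclusion silently stops being complete. Since every entry shares the `TLS_ECDH` prefix, deriving the exclusion from the provider's supported suite names by prefix, or at least moving the list into one shared constant that both modules read, would keep the two from drifting apart. The string literal starts and ends outside the hunk, so the surrounding declaration and any comment on it are not visible here; if the exclusion exists for the same Jetty/IAIK ECPublicKey ClassCastException that Container.java documents, a comment here such as `// excluded to work around the ECPublicKey ClassCastException, not as a cipher-strength policy` would stop a later reader from treating this list as a hardening decision.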