Add GCM variants to disabled ciphersuites

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1310 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4

1 files changed, 189 insertions, 181 deletions

diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
index 3769629e..1e553c21 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
@@ -22,8 +22,8 @@
  */
 
 
-package at.gv.egiz.bku.webstart;

-

+package at.gv.egiz.bku.webstart;
+
 import iaik.utils.StreamCopier;
 
 import java.io.BufferedInputStream;
@@ -51,28 +51,28 @@ import org.mortbay.jetty.webapp.WebAppContext;
 import org.mortbay.thread.QueuedThreadPool;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-

-public class Container {

-

-  public static final String HTTP_PORT_PROPERTY = "mocca.http.port";

+
+public class Container {
+
+  public static final String HTTP_PORT_PROPERTY = "mocca.http.port";
   public static final String HTTPS_PORT_PROPERTY = "mocca.https.port";
 
   private static final String JETTY_TEMP_CLEANER_CLASSNAME = "JettyTempCleaner";
-

-  private static Logger log = LoggerFactory.getLogger(Container.class);

-

+
+  private static Logger log = LoggerFactory.getLogger(Container.class);
+
   static {
-    if (log.isDebugEnabled()) {

-      //Jetty log INFO and WARN, include ignored exceptions

-      //jetty logging may be further restricted by setting level in log4j.properties

-      System.setProperty("VERBOSE", "true");

-      //do not set Jetty DEBUG logging, produces loads of output

-      //System.setProperty("DEBUG", "true");

-    }

-  }

-  private Server server;

+    if (log.isDebugEnabled()) {
+      //Jetty log INFO and WARN, include ignored exceptions
+      //jetty logging may be further restricted by setting level in log4j.properties
+      System.setProperty("VERBOSE", "true");
+      //do not set Jetty DEBUG logging, produces loads of output
+      //System.setProperty("DEBUG", "true");
+    }
+  }
+  private Server server;
   private WebAppContext webapp;
-  private WebappErrorHandler errorHandler;

+  private WebappErrorHandler errorHandler;
   private Certificate caCertificate;
   private File tempDir;
 
@@ -82,128 +82,136 @@ public class Container {
     this.locale = locale;
     init();
   }
-

-  public void init() throws IOException {

-//    System.setProperty("DEBUG", "true");

-    server = new Server();

-    QueuedThreadPool qtp = new QueuedThreadPool();

-    qtp.setMaxThreads(5);

-    qtp.setMinThreads(2);

-    qtp.setLowThreads(0);

-    server.setThreadPool(qtp);

-    server.setStopAtShutdown(true);

-    server.setGracefulShutdown(3000);

-

-    SelectChannelConnector connector = new SelectChannelConnector();

-    connector.setPort(Integer.getInteger(HTTP_PORT_PROPERTY, 3495).intValue());

-    connector.setAcceptors(1);

-    connector.setConfidentialPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue());

-    connector.setHost("127.0.0.1");

-

-    SslSocketConnector sslConnector = new SslSocketConnector();

-    sslConnector.setPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue());

-    sslConnector.setAcceptors(1);

-    sslConnector.setHost("127.0.0.1");

-    File configDir = new File(System.getProperty("user.home") + "/" + Configurator.CONFIG_DIR);

-    File keystoreFile = new File(configDir, Configurator.KEYSTORE_FILE);

-    if (!keystoreFile.canRead()) {

-      log.error("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath());

-      throw new FileNotFoundException("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath());

-    }

-    log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath());

-    sslConnector.setKeystore(keystoreFile.getAbsolutePath());

-    String passwd = readPassword(new File(configDir, Configurator.PASSWD_FILE));

-    sslConnector.setPassword(passwd);

-    sslConnector.setKeyPassword(passwd);

-

-    //avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey

-    String[] RFC4492CipherSuites = new String[] {

-      "TLS_ECDH_ECDSA_WITH_NULL_SHA",

-      "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",

-      "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",

-      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",

-      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",

-      "TLS_ECDHE_ECDSA_WITH_NULL_SHA",

-      "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",

-      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",

-      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",

-      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",

-      "TLS_ECDH_RSA_WITH_NULL_SHA",

-      "TLS_ECDH_RSA_WITH_RC4_128_SHA",

-      "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",

-      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",

-      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",

-      "TLS_ECDHE_RSA_WITH_NULL_SHA",

-      "TLS_ECDHE_RSA_WITH_RC4_128_SHA",

-      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",

-      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",

-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",

-      "TLS_ECDH_anon_WITH_NULL_SHA",

-      "TLS_ECDH_anon_WITH_RC4_128_SHA",

-      "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",

-      "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",

-      "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"

-    };

-

-    sslConnector.setExcludeCipherSuites(RFC4492CipherSuites);

-

-    server.setConnectors(new Connector[]{connector, sslConnector});

-

-    webapp = new WebAppContext();

-    webapp.setLogUrlOnStart(true);

-    webapp.setContextPath("/");

-    webapp.setExtractWAR(true);

+
+  public void init() throws IOException {
+//    System.setProperty("DEBUG", "true");
+    server = new Server();
+    QueuedThreadPool qtp = new QueuedThreadPool();
+    qtp.setMaxThreads(5);
+    qtp.setMinThreads(2);
+    qtp.setLowThreads(0);
+    server.setThreadPool(qtp);
+    server.setStopAtShutdown(true);
+    server.setGracefulShutdown(3000);
+
+    SelectChannelConnector connector = new SelectChannelConnector();
+    connector.setPort(Integer.getInteger(HTTP_PORT_PROPERTY, 3495).intValue());
+    connector.setAcceptors(1);
+    connector.setConfidentialPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue());
+    connector.setHost("127.0.0.1");
+
+    SslSocketConnector sslConnector = new SslSocketConnector();
+    sslConnector.setPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue());
+    sslConnector.setAcceptors(1);
+    sslConnector.setHost("127.0.0.1");
+    File configDir = new File(System.getProperty("user.home") + "/" + Configurator.CONFIG_DIR);
+    File keystoreFile = new File(configDir, Configurator.KEYSTORE_FILE);
+    if (!keystoreFile.canRead()) {
+      log.error("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath());
+      throw new FileNotFoundException("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath());
+    }
+    log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath());
+    sslConnector.setKeystore(keystoreFile.getAbsolutePath());
+    String passwd = readPassword(new File(configDir, Configurator.PASSWD_FILE));
+    sslConnector.setPassword(passwd);
+    sslConnector.setKeyPassword(passwd);
+
+    //avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
+    String[] RFC4492CipherSuites = new String[] {
+      "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+      "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+      "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+      "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+      "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDH_RSA_WITH_NULL_SHA",
+      "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+      "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+      "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_NULL_SHA",
+      "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDH_anon_WITH_NULL_SHA",
+      "TLS_ECDH_anon_WITH_RC4_128_SHA",
+      "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+      "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+      "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
+    };
+
+    sslConnector.setExcludeCipherSuites(RFC4492CipherSuites);
+
+    server.setConnectors(new Connector[]{connector, sslConnector});
+
+    webapp = new WebAppContext();
+    webapp.setLogUrlOnStart(true);
+    webapp.setContextPath("/");
+    webapp.setExtractWAR(true);
     webapp.setParentLoaderPriority(false);
 
     errorHandler = new WebappErrorHandler(locale);
-    webapp.setErrorHandler(errorHandler);

-
-    tempDir = webapp.getTempDirectory();

-    webapp.setWar(copyWebapp(tempDir));

-//    webapp.setPermissions(getPermissions(tempDir));

-

-    server.setHandler(webapp);

-    server.setGracefulShutdown(1000 * 3);

-    

-    loadCACertificate(keystoreFile, passwd.toCharArray());

-  }

-

-  /**

-   * @return The first valid (not empty, no comment) line of the passwd file

-   * @throws IOException

-   */

-  protected static String readPassword(File passwdFile) throws IOException {

-    if (passwdFile.exists() && passwdFile.canRead()) {

-      BufferedReader passwdReader = null;

-      try {

-        passwdReader = new BufferedReader(new FileReader(passwdFile));

-        String passwd;

-        while ((passwd = passwdReader.readLine().trim()) != null) {

-          if (passwd.length() > 0 && !passwd.startsWith("#")) {

-            return passwd;

-          }

-        }

-      } catch (IOException ex) {

-        log.error("failed to read password from " + passwdFile, ex);

-        throw ex;

-      } finally {

-        try {

-          passwdReader.close();

-        } catch (IOException ex) {

-        }

-      }

-    }

-    throw new IOException(passwdFile + " not readable");

-  }

-

-  private String copyWebapp(File webappDir) throws IOException {

-    File webapp = new File(webappDir, "BKULocal.war");

-    log.debug("copying BKULocal classpath resource to " + webapp);

-    InputStream is = getClass().getClassLoader().getResourceAsStream("BKULocal.war");

-    OutputStream os = new BufferedOutputStream(new FileOutputStream(webapp));

-    new StreamCopier(is, os).copyStream();

-    os.close();

-    return webapp.getPath();

+    webapp.setErrorHandler(errorHandler);
+
+    tempDir = webapp.getTempDirectory();
+    webapp.setWar(copyWebapp(tempDir));
+//    webapp.setPermissions(getPermissions(tempDir));
+
+    server.setHandler(webapp);
+    server.setGracefulShutdown(1000 * 3);
+
+    loadCACertificate(keystoreFile, passwd.toCharArray());
+  }
+
+  /**
+   * @return The first valid (not empty, no comment) line of the passwd file
+   * @throws IOException
+   */
+  protected static String readPassword(File passwdFile) throws IOException {
+    if (passwdFile.exists() && passwdFile.canRead()) {
+      BufferedReader passwdReader = null;
+      try {
+        passwdReader = new BufferedReader(new FileReader(passwdFile));
+        String passwd;
+        while ((passwd = passwdReader.readLine().trim()) != null) {
+          if (passwd.length() > 0 && !passwd.startsWith("#")) {
+            return passwd;
+          }
+        }
+      } catch (IOException ex) {
+        log.error("failed to read password from " + passwdFile, ex);
+        throw ex;
+      } finally {
+        try {
+          passwdReader.close();
+        } catch (IOException ex) {
+        }
+      }
+    }
+    throw new IOException(passwdFile + " not readable");
+  }
+
+  private String copyWebapp(File webappDir) throws IOException {
+    File webapp = new File(webappDir, "BKULocal.war");
+    log.debug("copying BKULocal classpath resource to " + webapp);
+    InputStream is = getClass().getClassLoader().getResourceAsStream("BKULocal.war");
+    OutputStream os = new BufferedOutputStream(new FileOutputStream(webapp));
+    new StreamCopier(is, os).copyStream();
+    os.close();
+    return webapp.getPath();
   }
 
   private void copyCleaner(File dir) throws IOException {
@@ -242,54 +250,54 @@ public class Container {
     }
   }
 
-  /**

-   * grant all permissions, since we need read/write access to save signature data files anywhere (JFileChooser) in the local filesystem

-   * and Jetty does not allow declare (webapp) permissions on a codeBase basis.

-   * @param webappDir

-   * @return

-   */

-//  private Permissions getPermissions(File webappDir) {

-//    Permissions perms = new Permissions();

-//    perms.add(new AllPermission());

-////      perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));

-////      perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));

-////      perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));

-////      perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete"));

-//

-////    perms.add(new FilePermission("<<ALL FILES>>", "read, write"));

-//

-//    return perms;

-//  }

-

-  public void start() throws Exception {

-    server.start();

-    File caCertFile = new File(webapp.getTempDirectory(), "webapp/ca.crt");

-    BufferedOutputStream bos = new BufferedOutputStream(new FileOutputStream(caCertFile));

-    bos.write(caCertificate.getEncoded());

-    bos.flush();

-    bos.close();

-  }

-

-  public boolean isRunning() {

-    return server.isRunning();

-  }

-

+  /**
+   * grant all permissions, since we need read/write access to save signature data files anywhere (JFileChooser) in the local filesystem
+   * and Jetty does not allow declare (webapp) permissions on a codeBase basis.
+   * @param webappDir
+   * @return
+   */
+//  private Permissions getPermissions(File webappDir) {
+//    Permissions perms = new Permissions();
+//    perms.add(new AllPermission());
+////      perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));
+////      perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));
+////      perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));
+////      perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete"));
+//
+////    perms.add(new FilePermission("<<ALL FILES>>", "read, write"));
+//
+//    return perms;
+//  }
+
+  public void start() throws Exception {
+    server.start();
+    File caCertFile = new File(webapp.getTempDirectory(), "webapp/ca.crt");
+    BufferedOutputStream bos = new BufferedOutputStream(new FileOutputStream(caCertFile));
+    bos.write(caCertificate.getEncoded());
+    bos.flush();
+    bos.close();
+  }
+
+  public boolean isRunning() {
+    return server.isRunning();
+  }
+
   public void stop() throws Exception {
     server.stop();
 
     cleanupJettyTemp();
-  }

-

-  public void destroy() {

-    server.destroy();

+  }
+
+  public void destroy() {
+    server.destroy();
 
     cleanupJettyTemp();
-}

-

-  public void join() throws InterruptedException {

-    server.join();

-  }

-

+}
+
+  public void join() throws InterruptedException {
+    server.join();
+  }
+
   private void loadCACertificate(File keystoreFile, char[] passwd) {
     caCertificate = getCACertificate(keystoreFile, passwd);
     if (caCertificate == null)
@@ -312,4 +320,4 @@ public class Container {
       return null;
     }
   }
-}

+}