summaryrefslogtreecommitdiff
path: root/bkucommon
diff options
context:
space:
mode:
authortkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2013-11-11 20:52:36 +0000
committertkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2013-11-11 20:52:36 +0000
commit4af1d0a0d6fb6f4784067d320e42504922710788 (patch)
tree6cdb6232d5b326b49362a84a1d7b0e5b851e12b2 /bkucommon
parente409be78733ceb5a8f2cb98f774269ecc89dcfa1 (diff)
downloadmocca-4af1d0a0d6fb6f4784067d320e42504922710788.tar.gz
mocca-4af1d0a0d6fb6f4784067d320e42504922710788.tar.bz2
mocca-4af1d0a0d6fb6f4784067d320e42504922710788.zip
Allow to disable certain ciphersuites for SSL connections
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1213 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'bkucommon')
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java83
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java66
2 files changed, 134 insertions, 15 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java
new file mode 100644
index 00000000..a9e96126
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java
@@ -0,0 +1,83 @@
+package at.gv.egiz.bku.spring;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+public class InternalSSLSocketFactory extends SSLSocketFactory {
+
+ private SSLSocketFactory proxy;
+ private String[] suites;
+
+ public InternalSSLSocketFactory(SSLSocketFactory socketFactory,
+ String[] disabledSuites) {
+ this.proxy = socketFactory;
+ List<String> dSuites = Arrays.asList(disabledSuites);
+ List<String> suites = new ArrayList<String>(Arrays.asList(proxy.getDefaultCipherSuites()));
+ suites.removeAll(dSuites);
+ this.suites = suites.toArray(new String[suites.size()]);
+ }
+
+ @Override
+ public Socket createSocket(Socket s, String host, int port,
+ boolean autoClose) throws IOException {
+ Socket socket = proxy.createSocket(s, host, port, autoClose);
+ setCipherSuites(socket);
+ return socket;
+ }
+
+ @Override
+ public String[] getDefaultCipherSuites() {
+ return suites;
+ }
+
+ @Override
+ public String[] getSupportedCipherSuites() {
+ return proxy.getSupportedCipherSuites();
+ }
+
+ @Override
+ public Socket createSocket(String host, int port) throws IOException,
+ UnknownHostException {
+ Socket socket = proxy.createSocket(host, port);
+ setCipherSuites(socket);
+ return socket;
+ }
+
+ @Override
+ public Socket createSocket(InetAddress host, int port) throws IOException {
+ Socket socket = proxy.createSocket(host, port);
+ setCipherSuites(socket);
+ return socket;
+ }
+
+ @Override
+ public Socket createSocket(String host, int port, InetAddress localHost,
+ int localPort) throws IOException, UnknownHostException {
+ Socket socket = proxy.createSocket(host, port, localHost,
+ localPort);
+ setCipherSuites(socket);
+ return socket;
+ }
+
+ @Override
+ public Socket createSocket(InetAddress address, int port,
+ InetAddress localAddress, int localPort) throws IOException {
+ Socket socket = proxy.createSocket(address, port, localAddress,
+ localPort);
+ setCipherSuites(socket);
+ return socket;
+ }
+
+ private void setCipherSuites(Socket socket) {
+ if (socket instanceof SSLSocket)
+ ((SSLSocket) socket).setEnabledCipherSuites(suites);
+ }
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
index 2ace91d2..702212bc 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
@@ -37,30 +37,65 @@ import org.springframework.beans.factory.FactoryBean;
import at.gv.egiz.bku.conf.MoccaConfigurationFacade;
public class SSLSocketFactoryBean implements FactoryBean {
-
+
protected PKIProfile pkiProfile;
-
+
/**
* The configuration facade.
*/
protected final ConfigurationFacade configurationFacade = new ConfigurationFacade();
-
+
public class ConfigurationFacade implements MoccaConfigurationFacade {
-
+
private Configuration configuration;
-
+
+ //avoid ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
+ private final String DEFAULT_DISABLED_CIPHER_SUITES =
+ "TLS_ECDH_ECDSA_WITH_NULL_SHA," +
+ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA," +
+ "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +
+ "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +
+ "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_NULL_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDH_RSA_WITH_NULL_SHA," +
+ "TLS_ECDH_RSA_WITH_RC4_128_SHA," +
+ "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +
+ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +
+ "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDHE_RSA_WITH_NULL_SHA," +
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA," +
+ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +
+ "TLS_ECDH_anon_WITH_NULL_SHA," +
+ "TLS_ECDH_anon_WITH_RC4_128_SHA," +
+ "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA," +
+ "TLS_ECDH_anon_WITH_AES_128_CBC_SHA," +
+ "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
+
public static final String SSL_PROTOCOL = "SSL.sslProtocol";
-
- public static final String SSL_DISSABLE_ALL_CHECKS = "SSL.disableAllChecks";
-
+
+ public static final String SSL_DISABLE_ALL_CHECKS = "SSL.disableAllChecks";
+
+ public static final String SSL_DISABLED_CIPHER_SUITES = "SSL.disabledCipherSuites";
+
public String getSslProtocol() {
return configuration.getString(SSL_PROTOCOL, "TLS");
}
-
+
public boolean disableAllSslChecks() {
- return configuration.getBoolean(SSL_DISSABLE_ALL_CHECKS, false);
+ return configuration.getBoolean(SSL_DISABLE_ALL_CHECKS, false);
+ }
+
+ public String[] getDisabledCipherSuites() {
+ String suites = configuration.getString(SSL_DISABLED_CIPHER_SUITES,
+ DEFAULT_DISABLED_CIPHER_SUITES);
+ return suites.split(",");
}
-
}
/**
@@ -93,15 +128,16 @@ public class SSLSocketFactoryBean implements FactoryBean {
@Override
public Object getObject() throws Exception {
-
PKITrustManager pkiTrustManager = new PKITrustManager();
pkiTrustManager.setConfiguration(configurationFacade.configuration);
pkiTrustManager.setPkiProfile(pkiProfile);
-
+
SSLContext sslContext = SSLContext.getInstance(configurationFacade.getSslProtocol());
sslContext.init(null, new TrustManager[] {pkiTrustManager}, null);
-
- return sslContext.getSocketFactory();
+
+ SSLSocketFactory ssf = sslContext.getSocketFactory();
+
+ return new InternalSSLSocketFactory(ssf, configurationFacade.getDisabledCipherSuites());
}
@Override