diff options
Diffstat (limited to 'BKUWebStart/src/main/java/at')
4 files changed, 137 insertions, 85 deletions
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java index bef2246b..923a70d9 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java @@ -56,7 +56,7 @@ public class Configurator { * configurations with less than this (major) version will be backuped and updated * allowed: MAJOR[.MINOR[.X[-SNAPSHOT]]] */ - public static final String MIN_CONFIG_VERSION = "1.0.9"; + public static final String MIN_CONFIG_VERSION = "1.2.4-SNAPSHOT"; public static final String CONFIG_DIR = ".mocca/conf/"; public static final String CERTS_DIR = ".mocca/certs/"; public static final String VERSION_FILE = ".version"; diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java index 08a0808a..3bf74d3c 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java @@ -2,9 +2,11 @@ package at.gv.egiz.bku.webstart; import at.gv.egiz.bku.utils.StreamUtil;
import java.awt.AWTPermission;
+import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.File;
+import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.FilePermission;
@@ -15,8 +17,12 @@ import java.io.OutputStream; import java.lang.reflect.ReflectPermission;
import java.net.NetPermission;
import java.net.SocketPermission;
+import java.security.AllPermission;
+import java.security.KeyStore;
import java.security.Permissions;
import java.security.SecurityPermission;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
import java.util.PropertyPermission;
import javax.smartcardio.CardPermission;
import org.apache.commons.logging.Log;
@@ -32,8 +38,9 @@ public class Container { public static final String HTTP_PORT_PROPERTY = "mocca.http.port";
public static final String HTTPS_PORT_PROPERTY = "mocca.http.port";
-
+ public static final String SERVER_CA_CERTIFICATE_ATTRIBUTE = "mocca.tls.server.ca.certificate";
private static Log log = LogFactory.getLog(Container.class);
+
static {
if (log.isDebugEnabled()) {
//Jetty log INFO and WARN, include ignored exceptions
@@ -43,7 +50,6 @@ public class Container { //System.setProperty("DEBUG", "true");
}
}
-
private Server server;
public void init() throws IOException {
@@ -75,63 +81,98 @@ public class Container { }
log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath());
sslConnector.setKeystore(keystoreFile.getAbsolutePath());
- File passwdFile = new File(configDir, Configurator.PASSWD_FILE);
- BufferedReader reader = new BufferedReader(new FileReader(passwdFile));
- String pwd;
- while ((pwd = reader.readLine()) != null) {
- sslConnector.setPassword(pwd);
- sslConnector.setKeyPassword(pwd);
- }
- reader.close();
-
+ String passwd = readPassword(new File(configDir, Configurator.PASSWD_FILE));
+ sslConnector.setPassword(passwd);
+ sslConnector.setKeyPassword(passwd);
+
//avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
- String[] RFC4492CipherSuites = new String[] {
+ String[] RFC4492CipherSuites = new String[]{
"TLS_ECDH_ECDSA_WITH_NULL_SHA",
- "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
- "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDH_RSA_WITH_NULL_SHA",
- "TLS_ECDH_RSA_WITH_RC4_128_SHA",
- "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDHE_RSA_WITH_NULL_SHA",
- "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-
- "TLS_ECDH_anon_WITH_NULL_SHA",
- "TLS_ECDH_anon_WITH_RC4_128_SHA",
- "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
- "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
+ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_NULL_SHA",
+ "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_NULL_SHA",
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDH_anon_WITH_NULL_SHA",
+ "TLS_ECDH_anon_WITH_RC4_128_SHA",
+ "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
};
sslConnector.setExcludeCipherSuites(RFC4492CipherSuites);
- server.setConnectors(new Connector[] { connector, sslConnector });
-
+ server.setConnectors(new Connector[]{connector, sslConnector});
+
WebAppContext webapp = new WebAppContext();
webapp.setLogUrlOnStart(true);
webapp.setContextPath("/");
- webapp.setExtractWAR(true);
+ webapp.setExtractWAR(true);
webapp.setParentLoaderPriority(false);
+ try {
+ // no way to get certificate from within the servlet (SSLEngine/Jetty SSLSocketConnector/SSLContext?)
+ if (log.isTraceEnabled()) {
+ log.trace("local ca certificate from " + keystoreFile + " in webapp context at " + SERVER_CA_CERTIFICATE_ATTRIBUTE);
+ }
+ BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile));
+ KeyStore sslKeyStore = KeyStore.getInstance("JKS");
+ sslKeyStore.load(bis, passwd.toCharArray());
+ Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
+ webapp.setAttribute(SERVER_CA_CERTIFICATE_ATTRIBUTE, sslChain[sslChain.length - 1]);
+ bis.close();
+ } catch (Exception ex) {
+ log.error("Failed to load local ca certificate", ex);
+ log.warn("automated web certificate installation will not be available");
+ }
+
webapp.setWar(copyWebapp(webapp.getTempDirectory()));
webapp.setPermissions(getPermissions(webapp.getTempDirectory()));
-
+
server.setHandler(webapp);
- server.setGracefulShutdown(1000*3);
+ server.setGracefulShutdown(1000 * 3);
+ }
+
+ /**
+ * @return The first valid (not empty, no comment) line of the passwd file
+ * @throws IOException
+ */
+ protected static String readPassword(File passwdFile) throws IOException {
+ if (passwdFile.exists() && passwdFile.canRead()) {
+ BufferedReader passwdReader = null;
+ try {
+ passwdReader = new BufferedReader(new FileReader(passwdFile));
+ String passwd;
+ while ((passwd = passwdReader.readLine().trim()) != null) {
+ if (passwd.length() > 0 && !passwd.startsWith("#")) {
+ return passwd;
+ }
+ }
+ } catch (IOException ex) {
+ log.error("failed to read password from " + passwdFile, ex);
+ throw ex;
+ } finally {
+ try {
+ passwdReader.close();
+ } catch (IOException ex) {
+ }
+ }
+ }
+ throw new IOException(passwdFile + " not readable");
}
private String copyWebapp(File webappDir) throws IOException {
@@ -146,43 +187,48 @@ public class Container { private Permissions getPermissions(File webappDir) {
Permissions perms = new Permissions();
+ perms.add(new AllPermission());
+
+
+ if (false) {
+
+ // jetty-webstart (spring?)
+ perms.add(new RuntimePermission("getClassLoader"));
+
+ // standard permissions
+ perms.add(new PropertyPermission("*", "read,write"));
+ perms.add(new RuntimePermission("accessDeclaredMembers"));
+ perms.add(new RuntimePermission("accessClassInPackage.*"));
+ perms.add(new RuntimePermission("defineClassInPackage.*"));
+ perms.add(new RuntimePermission("setFactory"));
+ perms.add(new RuntimePermission("getProtectionDomain"));
+ perms.add(new RuntimePermission("modifyThread"));
+ perms.add(new RuntimePermission("modifyThreadGroup"));
+ perms.add(new RuntimePermission("setFactory"));
+ perms.add(new ReflectPermission("suppressAccessChecks"));
+
+ // MOCCA specific
+ perms.add(new SocketPermission("*", "connect,resolve"));
+ perms.add(new NetPermission("specifyStreamHandler"));
+ perms.add(new SecurityPermission("insertProvider.*"));
+ perms.add(new SecurityPermission("putProviderProperty.*"));
+ perms.add(new SecurityPermission("removeProvider.*"));
+ perms.add(new CardPermission("*", "*"));
+ perms.add(new AWTPermission("*"));
+
+ perms.add(new FilePermission(webappDir.getAbsolutePath() + "/-", "read"));
+ perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xalan.properties").getAbsolutePath(), "read"));
+ perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xerces.properties").getAbsolutePath(), "read"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));
+ perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete"));
+
+ //TODO
+// log.trace("granting file read/write permission to MOCCA local");
+// perms.add(new FilePermission("<<ALL FILES>>", "read, write"));
- // jetty-webstart (spring?)
- perms.add(new RuntimePermission("getClassLoader"));
-
- // standard permissions
- perms.add(new PropertyPermission("*", "read,write"));
- perms.add(new RuntimePermission("accessDeclaredMembers"));
- perms.add(new RuntimePermission("accessClassInPackage.*"));
- perms.add(new RuntimePermission("defineClassInPackage.*"));
- perms.add(new RuntimePermission("setFactory"));
- perms.add(new RuntimePermission("getProtectionDomain"));
- perms.add(new RuntimePermission("modifyThread"));
- perms.add(new RuntimePermission("modifyThreadGroup"));
- perms.add(new RuntimePermission("setFactory"));
- perms.add(new ReflectPermission("suppressAccessChecks"));
-
- // MOCCA specific
- perms.add(new SocketPermission("*", "connect,resolve"));
- perms.add(new NetPermission("specifyStreamHandler"));
- perms.add(new SecurityPermission("insertProvider.*"));
- perms.add(new SecurityPermission("putProviderProperty.*"));
- perms.add(new SecurityPermission("removeProvider.*"));
- perms.add(new CardPermission("*", "*"));
- perms.add(new AWTPermission("*"));
-
- perms.add(new FilePermission(webappDir.getAbsolutePath() + "/-", "read"));
- perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xalan.properties").getAbsolutePath(), "read"));
- perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xerces.properties").getAbsolutePath(), "read"));
- perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));
- perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));
- perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));
- perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete"));
-
- //TODO
- log.trace("granting file read/write permission to MOCCA local");
- perms.add(new FilePermission("<<ALL FILES>>", "read, write"));
-
+ }
return perms;
}
@@ -205,4 +251,4 @@ public class Container { public void join() throws InterruptedException {
server.join();
}
-}
\ No newline at end of file +}
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java index 0cfc14e5..0106de62 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java @@ -27,6 +27,7 @@ import java.awt.event.WindowAdapter; import java.net.BindException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
+import java.net.URI;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.util.jar.Attributes;
@@ -73,21 +74,25 @@ public class Launcher implements BKUControllerInterface, ActionListener { /** local bku uri */
public static final URL HTTP_SECURITY_LAYER_URL;
public static final URL HTTPS_SECURITY_LAYER_URL;
+ public static final URL INSTALL_CERT_URL;
public static final URL PIN_MANAGEMENT_URL;
static {
URL http = null;
URL https = null;
URL pin = null;
+ URL cert = null;
try {
http = new URL("http://localhost:" + Integer.getInteger(Container.HTTPS_PORT_PROPERTY, 3495).intValue());
https = new URL("https://localhost:" + Integer.getInteger(Container.HTTPS_PORT_PROPERTY, 3496).intValue());
pin = new URL(http, "/PINManagement");
+ cert = new URL(http, "/installCertificate");
} catch (MalformedURLException ex) {
log.error(ex);
} finally {
HTTP_SECURITY_LAYER_URL = http;
HTTPS_SECURITY_LAYER_URL = https;
PIN_MANAGEMENT_URL = pin;
+ INSTALL_CERT_URL = cert;
}
}
public static final String version;
@@ -273,7 +278,7 @@ public class Launcher implements BKUControllerInterface, ActionListener { Desktop desktop = Desktop.getDesktop();
if (desktop.isSupported(Desktop.Action.BROWSE)) {
try {
- desktop.browse(HTTPS_SECURITY_LAYER_URL.toURI());
+ desktop.browse(HTTP_SECURITY_LAYER_URL.toURI());
} catch (Exception ex) {
log.error("failed to open system browser, install TLS certificate manually: " + HTTPS_SECURITY_LAYER_URL, ex);
}
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java index 97ca716b..fd94958e 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java @@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory; public class TLSServerCA {
public static final int CA_VALIDITY_Y = 3;
+ public static final String MOCCA_TLS_SERVER_ALIAS = "server";
public static final int SERVER_VALIDITY_Y = 3;
private final static Log log = LogFactory.getLog(TLSServerCA.class);
@@ -127,7 +128,7 @@ public class TLSServerCA { generateServerCert();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(null, null);
- ks.setKeyEntry("server", serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert});
+ ks.setKeyEntry(MOCCA_TLS_SERVER_ALIAS, serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert});
return ks;
// } catch (Exception e) {
// log.error("Cannot generate certificate", e);
|