From 4af1d0a0d6fb6f4784067d320e42504922710788 Mon Sep 17 00:00:00 2001 From: tkellner Date: Mon, 11 Nov 2013 20:52:36 +0000 Subject: Allow to disable certain ciphersuites for SSL connections git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1213 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../egiz/bku/spring/InternalSSLSocketFactory.java | 83 ++++++++++++++++++++++ .../gv/egiz/bku/spring/SSLSocketFactoryBean.java | 66 +++++++++++++---- 2 files changed, 134 insertions(+), 15 deletions(-) create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java new file mode 100644 index 00000000..a9e96126 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java @@ -0,0 +1,83 @@ +package at.gv.egiz.bku.spring; + +import java.io.IOException; +import java.net.InetAddress; +import java.net.Socket; +import java.net.UnknownHostException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; + +public class InternalSSLSocketFactory extends SSLSocketFactory { + + private SSLSocketFactory proxy; + private String[] suites; + + public InternalSSLSocketFactory(SSLSocketFactory socketFactory, + String[] disabledSuites) { + this.proxy = socketFactory; + List dSuites = Arrays.asList(disabledSuites); + List suites = new ArrayList(Arrays.asList(proxy.getDefaultCipherSuites())); + suites.removeAll(dSuites); + this.suites = suites.toArray(new String[suites.size()]); + } + + @Override + public Socket createSocket(Socket s, String host, int port, + boolean autoClose) throws IOException { + Socket socket = proxy.createSocket(s, host, port, autoClose); + setCipherSuites(socket); + return socket; + } + + @Override + public String[] getDefaultCipherSuites() { + return suites; + } + + @Override + public String[] getSupportedCipherSuites() { + return proxy.getSupportedCipherSuites(); + } + + @Override + public Socket createSocket(String host, int port) throws IOException, + UnknownHostException { + Socket socket = proxy.createSocket(host, port); + setCipherSuites(socket); + return socket; + } + + @Override + public Socket createSocket(InetAddress host, int port) throws IOException { + Socket socket = proxy.createSocket(host, port); + setCipherSuites(socket); + return socket; + } + + @Override + public Socket createSocket(String host, int port, InetAddress localHost, + int localPort) throws IOException, UnknownHostException { + Socket socket = proxy.createSocket(host, port, localHost, + localPort); + setCipherSuites(socket); + return socket; + } + + @Override + public Socket createSocket(InetAddress address, int port, + InetAddress localAddress, int localPort) throws IOException { + Socket socket = proxy.createSocket(address, port, localAddress, + localPort); + setCipherSuites(socket); + return socket; + } + + private void setCipherSuites(Socket socket) { + if (socket instanceof SSLSocket) + ((SSLSocket) socket).setEnabledCipherSuites(suites); + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java index 2ace91d2..702212bc 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java @@ -37,30 +37,65 @@ import org.springframework.beans.factory.FactoryBean; import at.gv.egiz.bku.conf.MoccaConfigurationFacade; public class SSLSocketFactoryBean implements FactoryBean { - + protected PKIProfile pkiProfile; - + /** * The configuration facade. */ protected final ConfigurationFacade configurationFacade = new ConfigurationFacade(); - + public class ConfigurationFacade implements MoccaConfigurationFacade { - + private Configuration configuration; - + + //avoid ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey + private final String DEFAULT_DISABLED_CIPHER_SUITES = + "TLS_ECDH_ECDSA_WITH_NULL_SHA," + + "TLS_ECDH_ECDSA_WITH_RC4_128_SHA," + + "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_NULL_SHA," + + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA," + + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDH_RSA_WITH_NULL_SHA," + + "TLS_ECDH_RSA_WITH_RC4_128_SHA," + + "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDHE_RSA_WITH_NULL_SHA," + + "TLS_ECDHE_RSA_WITH_RC4_128_SHA," + + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDH_anon_WITH_NULL_SHA," + + "TLS_ECDH_anon_WITH_RC4_128_SHA," + + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDH_anon_WITH_AES_128_CBC_SHA," + + "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"; + public static final String SSL_PROTOCOL = "SSL.sslProtocol"; - - public static final String SSL_DISSABLE_ALL_CHECKS = "SSL.disableAllChecks"; - + + public static final String SSL_DISABLE_ALL_CHECKS = "SSL.disableAllChecks"; + + public static final String SSL_DISABLED_CIPHER_SUITES = "SSL.disabledCipherSuites"; + public String getSslProtocol() { return configuration.getString(SSL_PROTOCOL, "TLS"); } - + public boolean disableAllSslChecks() { - return configuration.getBoolean(SSL_DISSABLE_ALL_CHECKS, false); + return configuration.getBoolean(SSL_DISABLE_ALL_CHECKS, false); + } + + public String[] getDisabledCipherSuites() { + String suites = configuration.getString(SSL_DISABLED_CIPHER_SUITES, + DEFAULT_DISABLED_CIPHER_SUITES); + return suites.split(","); } - } /** @@ -93,15 +128,16 @@ public class SSLSocketFactoryBean implements FactoryBean { @Override public Object getObject() throws Exception { - PKITrustManager pkiTrustManager = new PKITrustManager(); pkiTrustManager.setConfiguration(configurationFacade.configuration); pkiTrustManager.setPkiProfile(pkiProfile); - + SSLContext sslContext = SSLContext.getInstance(configurationFacade.getSslProtocol()); sslContext.init(null, new TrustManager[] {pkiTrustManager}, null); - - return sslContext.getSocketFactory(); + + SSLSocketFactory ssf = sslContext.getSocketFactory(); + + return new InternalSSLSocketFactory(ssf, configurationFacade.getDisabledCipherSuites()); } @Override -- cgit v1.2.3