From 8fad457887d396317c4004f3cca3cc58a9a5f070 Mon Sep 17 00:00:00 2001 From: tkellner Date: Wed, 16 Apr 2014 14:26:56 +0000 Subject: Add GCM variants to disabled ciphersuites git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1310 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../java/at/gv/egiz/bku/webstart/Container.java | 370 +++++++++++---------- .../gv/egiz/bku/spring/SSLSocketFactoryBean.java | 8 + 2 files changed, 197 insertions(+), 181 deletions(-) diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java index 3769629e..1e553c21 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java @@ -22,8 +22,8 @@ */ -package at.gv.egiz.bku.webstart; - +package at.gv.egiz.bku.webstart; + import iaik.utils.StreamCopier; import java.io.BufferedInputStream; @@ -51,28 +51,28 @@ import org.mortbay.jetty.webapp.WebAppContext; import org.mortbay.thread.QueuedThreadPool; import org.slf4j.Logger; import org.slf4j.LoggerFactory; - -public class Container { - - public static final String HTTP_PORT_PROPERTY = "mocca.http.port"; + +public class Container { + + public static final String HTTP_PORT_PROPERTY = "mocca.http.port"; public static final String HTTPS_PORT_PROPERTY = "mocca.https.port"; private static final String JETTY_TEMP_CLEANER_CLASSNAME = "JettyTempCleaner"; - - private static Logger log = LoggerFactory.getLogger(Container.class); - + + private static Logger log = LoggerFactory.getLogger(Container.class); + static { - if (log.isDebugEnabled()) { - //Jetty log INFO and WARN, include ignored exceptions - //jetty logging may be further restricted by setting level in log4j.properties - System.setProperty("VERBOSE", "true"); - //do not set Jetty DEBUG logging, produces loads of output - //System.setProperty("DEBUG", "true"); - } - } - private Server server; + if (log.isDebugEnabled()) { + //Jetty log INFO and WARN, include ignored exceptions + //jetty logging may be further restricted by setting level in log4j.properties + System.setProperty("VERBOSE", "true"); + //do not set Jetty DEBUG logging, produces loads of output + //System.setProperty("DEBUG", "true"); + } + } + private Server server; private WebAppContext webapp; - private WebappErrorHandler errorHandler; + private WebappErrorHandler errorHandler; private Certificate caCertificate; private File tempDir; @@ -82,128 +82,136 @@ public class Container { this.locale = locale; init(); } - - public void init() throws IOException { -// System.setProperty("DEBUG", "true"); - server = new Server(); - QueuedThreadPool qtp = new QueuedThreadPool(); - qtp.setMaxThreads(5); - qtp.setMinThreads(2); - qtp.setLowThreads(0); - server.setThreadPool(qtp); - server.setStopAtShutdown(true); - server.setGracefulShutdown(3000); - - SelectChannelConnector connector = new SelectChannelConnector(); - connector.setPort(Integer.getInteger(HTTP_PORT_PROPERTY, 3495).intValue()); - connector.setAcceptors(1); - connector.setConfidentialPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue()); - connector.setHost("127.0.0.1"); - - SslSocketConnector sslConnector = new SslSocketConnector(); - sslConnector.setPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue()); - sslConnector.setAcceptors(1); - sslConnector.setHost("127.0.0.1"); - File configDir = new File(System.getProperty("user.home") + "/" + Configurator.CONFIG_DIR); - File keystoreFile = new File(configDir, Configurator.KEYSTORE_FILE); - if (!keystoreFile.canRead()) { - log.error("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath()); - throw new FileNotFoundException("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath()); - } - log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath()); - sslConnector.setKeystore(keystoreFile.getAbsolutePath()); - String passwd = readPassword(new File(configDir, Configurator.PASSWD_FILE)); - sslConnector.setPassword(passwd); - sslConnector.setKeyPassword(passwd); - - //avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey - String[] RFC4492CipherSuites = new String[] { - "TLS_ECDH_ECDSA_WITH_NULL_SHA", - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_NULL_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDH_RSA_WITH_NULL_SHA", - "TLS_ECDH_RSA_WITH_RC4_128_SHA", - "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_NULL_SHA", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDH_anon_WITH_NULL_SHA", - "TLS_ECDH_anon_WITH_RC4_128_SHA", - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" - }; - - sslConnector.setExcludeCipherSuites(RFC4492CipherSuites); - - server.setConnectors(new Connector[]{connector, sslConnector}); - - webapp = new WebAppContext(); - webapp.setLogUrlOnStart(true); - webapp.setContextPath("/"); - webapp.setExtractWAR(true); + + public void init() throws IOException { +// System.setProperty("DEBUG", "true"); + server = new Server(); + QueuedThreadPool qtp = new QueuedThreadPool(); + qtp.setMaxThreads(5); + qtp.setMinThreads(2); + qtp.setLowThreads(0); + server.setThreadPool(qtp); + server.setStopAtShutdown(true); + server.setGracefulShutdown(3000); + + SelectChannelConnector connector = new SelectChannelConnector(); + connector.setPort(Integer.getInteger(HTTP_PORT_PROPERTY, 3495).intValue()); + connector.setAcceptors(1); + connector.setConfidentialPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue()); + connector.setHost("127.0.0.1"); + + SslSocketConnector sslConnector = new SslSocketConnector(); + sslConnector.setPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue()); + sslConnector.setAcceptors(1); + sslConnector.setHost("127.0.0.1"); + File configDir = new File(System.getProperty("user.home") + "/" + Configurator.CONFIG_DIR); + File keystoreFile = new File(configDir, Configurator.KEYSTORE_FILE); + if (!keystoreFile.canRead()) { + log.error("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath()); + throw new FileNotFoundException("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath()); + } + log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath()); + sslConnector.setKeystore(keystoreFile.getAbsolutePath()); + String passwd = readPassword(new File(configDir, Configurator.PASSWD_FILE)); + sslConnector.setPassword(passwd); + sslConnector.setKeyPassword(passwd); + + //avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey + String[] RFC4492CipherSuites = new String[] { + "TLS_ECDH_ECDSA_WITH_NULL_SHA", + "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_NULL_SHA", + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_RSA_WITH_NULL_SHA", + "TLS_ECDH_RSA_WITH_RC4_128_SHA", + "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_NULL_SHA", + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_anon_WITH_NULL_SHA", + "TLS_ECDH_anon_WITH_RC4_128_SHA", + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + }; + + sslConnector.setExcludeCipherSuites(RFC4492CipherSuites); + + server.setConnectors(new Connector[]{connector, sslConnector}); + + webapp = new WebAppContext(); + webapp.setLogUrlOnStart(true); + webapp.setContextPath("/"); + webapp.setExtractWAR(true); webapp.setParentLoaderPriority(false); errorHandler = new WebappErrorHandler(locale); - webapp.setErrorHandler(errorHandler); - - tempDir = webapp.getTempDirectory(); - webapp.setWar(copyWebapp(tempDir)); -// webapp.setPermissions(getPermissions(tempDir)); - - server.setHandler(webapp); - server.setGracefulShutdown(1000 * 3); - - loadCACertificate(keystoreFile, passwd.toCharArray()); - } - - /** - * @return The first valid (not empty, no comment) line of the passwd file - * @throws IOException - */ - protected static String readPassword(File passwdFile) throws IOException { - if (passwdFile.exists() && passwdFile.canRead()) { - BufferedReader passwdReader = null; - try { - passwdReader = new BufferedReader(new FileReader(passwdFile)); - String passwd; - while ((passwd = passwdReader.readLine().trim()) != null) { - if (passwd.length() > 0 && !passwd.startsWith("#")) { - return passwd; - } - } - } catch (IOException ex) { - log.error("failed to read password from " + passwdFile, ex); - throw ex; - } finally { - try { - passwdReader.close(); - } catch (IOException ex) { - } - } - } - throw new IOException(passwdFile + " not readable"); - } - - private String copyWebapp(File webappDir) throws IOException { - File webapp = new File(webappDir, "BKULocal.war"); - log.debug("copying BKULocal classpath resource to " + webapp); - InputStream is = getClass().getClassLoader().getResourceAsStream("BKULocal.war"); - OutputStream os = new BufferedOutputStream(new FileOutputStream(webapp)); - new StreamCopier(is, os).copyStream(); - os.close(); - return webapp.getPath(); + webapp.setErrorHandler(errorHandler); + + tempDir = webapp.getTempDirectory(); + webapp.setWar(copyWebapp(tempDir)); +// webapp.setPermissions(getPermissions(tempDir)); + + server.setHandler(webapp); + server.setGracefulShutdown(1000 * 3); + + loadCACertificate(keystoreFile, passwd.toCharArray()); + } + + /** + * @return The first valid (not empty, no comment) line of the passwd file + * @throws IOException + */ + protected static String readPassword(File passwdFile) throws IOException { + if (passwdFile.exists() && passwdFile.canRead()) { + BufferedReader passwdReader = null; + try { + passwdReader = new BufferedReader(new FileReader(passwdFile)); + String passwd; + while ((passwd = passwdReader.readLine().trim()) != null) { + if (passwd.length() > 0 && !passwd.startsWith("#")) { + return passwd; + } + } + } catch (IOException ex) { + log.error("failed to read password from " + passwdFile, ex); + throw ex; + } finally { + try { + passwdReader.close(); + } catch (IOException ex) { + } + } + } + throw new IOException(passwdFile + " not readable"); + } + + private String copyWebapp(File webappDir) throws IOException { + File webapp = new File(webappDir, "BKULocal.war"); + log.debug("copying BKULocal classpath resource to " + webapp); + InputStream is = getClass().getClassLoader().getResourceAsStream("BKULocal.war"); + OutputStream os = new BufferedOutputStream(new FileOutputStream(webapp)); + new StreamCopier(is, os).copyStream(); + os.close(); + return webapp.getPath(); } private void copyCleaner(File dir) throws IOException { @@ -242,54 +250,54 @@ public class Container { } } - /** - * grant all permissions, since we need read/write access to save signature data files anywhere (JFileChooser) in the local filesystem - * and Jetty does not allow declare (webapp) permissions on a codeBase basis. - * @param webappDir - * @return - */ -// private Permissions getPermissions(File webappDir) { -// Permissions perms = new Permissions(); -// perms.add(new AllPermission()); -//// perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write")); -//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write")); -//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete")); -//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete")); -// -//// perms.add(new FilePermission("<>", "read, write")); -// -// return perms; -// } - - public void start() throws Exception { - server.start(); - File caCertFile = new File(webapp.getTempDirectory(), "webapp/ca.crt"); - BufferedOutputStream bos = new BufferedOutputStream(new FileOutputStream(caCertFile)); - bos.write(caCertificate.getEncoded()); - bos.flush(); - bos.close(); - } - - public boolean isRunning() { - return server.isRunning(); - } - + /** + * grant all permissions, since we need read/write access to save signature data files anywhere (JFileChooser) in the local filesystem + * and Jetty does not allow declare (webapp) permissions on a codeBase basis. + * @param webappDir + * @return + */ +// private Permissions getPermissions(File webappDir) { +// Permissions perms = new Permissions(); +// perms.add(new AllPermission()); +//// perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write")); +//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write")); +//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete")); +//// perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete")); +// +//// perms.add(new FilePermission("<>", "read, write")); +// +// return perms; +// } + + public void start() throws Exception { + server.start(); + File caCertFile = new File(webapp.getTempDirectory(), "webapp/ca.crt"); + BufferedOutputStream bos = new BufferedOutputStream(new FileOutputStream(caCertFile)); + bos.write(caCertificate.getEncoded()); + bos.flush(); + bos.close(); + } + + public boolean isRunning() { + return server.isRunning(); + } + public void stop() throws Exception { server.stop(); cleanupJettyTemp(); - } - - public void destroy() { - server.destroy(); + } + + public void destroy() { + server.destroy(); cleanupJettyTemp(); -} - - public void join() throws InterruptedException { - server.join(); - } - +} + + public void join() throws InterruptedException { + server.join(); + } + private void loadCACertificate(File keystoreFile, char[] passwd) { caCertificate = getCACertificate(keystoreFile, passwd); if (caCertificate == null) @@ -312,4 +320,4 @@ public class Container { return null; } } -} +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java index 702212bc..c3758a47 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java @@ -56,21 +56,29 @@ public class SSLSocketFactoryBean implements FactoryBean { "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + + "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384," + "TLS_ECDHE_ECDSA_WITH_NULL_SHA," + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA," + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384," + "TLS_ECDH_RSA_WITH_NULL_SHA," + "TLS_ECDH_RSA_WITH_RC4_128_SHA," + "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," + + "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384," + "TLS_ECDHE_RSA_WITH_NULL_SHA," + "TLS_ECDHE_RSA_WITH_RC4_128_SHA," + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + "TLS_ECDH_anon_WITH_NULL_SHA," + "TLS_ECDH_anon_WITH_RC4_128_SHA," + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA," + -- cgit v1.2.3