From 145003155c05e915b900989a27cef1271398164b Mon Sep 17 00:00:00 2001 From: clemenso Date: Wed, 26 Aug 2009 17:31:32 +0000 Subject: MOCCA TLS Server CA cert installation servlet removed help.jsp (and jsp dependencies in jetty) moved html pages to src/main/webapp (encoding problem?) switch to BASIC download protocol in BKUWebStart (no jnlpDownloadServlet required, see template.xml) git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@474 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../java/at/gv/egiz/bku/webstart/Configurator.java | 2 +- .../java/at/gv/egiz/bku/webstart/Container.java | 210 +++++++++++++-------- .../java/at/gv/egiz/bku/webstart/Launcher.java | 7 +- .../java/at/gv/egiz/bku/webstart/TLSServerCA.java | 3 +- 4 files changed, 137 insertions(+), 85 deletions(-) (limited to 'BKUWebStart/src/main/java/at') diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java index bef2246b..923a70d9 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java @@ -56,7 +56,7 @@ public class Configurator { * configurations with less than this (major) version will be backuped and updated * allowed: MAJOR[.MINOR[.X[-SNAPSHOT]]] */ - public static final String MIN_CONFIG_VERSION = "1.0.9"; + public static final String MIN_CONFIG_VERSION = "1.2.4-SNAPSHOT"; public static final String CONFIG_DIR = ".mocca/conf/"; public static final String CERTS_DIR = ".mocca/certs/"; public static final String VERSION_FILE = ".version"; diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java index 08a0808a..3bf74d3c 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java @@ -2,9 +2,11 @@ package at.gv.egiz.bku.webstart; import at.gv.egiz.bku.utils.StreamUtil; import java.awt.AWTPermission; +import java.io.BufferedInputStream; import java.io.BufferedOutputStream; import java.io.BufferedReader; import java.io.File; +import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.FileOutputStream; import java.io.FilePermission; @@ -15,8 +17,12 @@ import java.io.OutputStream; import java.lang.reflect.ReflectPermission; import java.net.NetPermission; import java.net.SocketPermission; +import java.security.AllPermission; +import java.security.KeyStore; import java.security.Permissions; import java.security.SecurityPermission; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; import java.util.PropertyPermission; import javax.smartcardio.CardPermission; import org.apache.commons.logging.Log; @@ -32,8 +38,9 @@ public class Container { public static final String HTTP_PORT_PROPERTY = "mocca.http.port"; public static final String HTTPS_PORT_PROPERTY = "mocca.http.port"; - + public static final String SERVER_CA_CERTIFICATE_ATTRIBUTE = "mocca.tls.server.ca.certificate"; private static Log log = LogFactory.getLog(Container.class); + static { if (log.isDebugEnabled()) { //Jetty log INFO and WARN, include ignored exceptions @@ -43,7 +50,6 @@ public class Container { //System.setProperty("DEBUG", "true"); } } - private Server server; public void init() throws IOException { @@ -75,63 +81,98 @@ public class Container { } log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath()); sslConnector.setKeystore(keystoreFile.getAbsolutePath()); - File passwdFile = new File(configDir, Configurator.PASSWD_FILE); - BufferedReader reader = new BufferedReader(new FileReader(passwdFile)); - String pwd; - while ((pwd = reader.readLine()) != null) { - sslConnector.setPassword(pwd); - sslConnector.setKeyPassword(pwd); - } - reader.close(); - + String passwd = readPassword(new File(configDir, Configurator.PASSWD_FILE)); + sslConnector.setPassword(passwd); + sslConnector.setKeyPassword(passwd); + //avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey - String[] RFC4492CipherSuites = new String[] { + String[] RFC4492CipherSuites = new String[]{ "TLS_ECDH_ECDSA_WITH_NULL_SHA", - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", - - "TLS_ECDHE_ECDSA_WITH_NULL_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - - "TLS_ECDH_RSA_WITH_NULL_SHA", - "TLS_ECDH_RSA_WITH_RC4_128_SHA", - "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", - - "TLS_ECDHE_RSA_WITH_NULL_SHA", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - - "TLS_ECDH_anon_WITH_NULL_SHA", - "TLS_ECDH_anon_WITH_RC4_128_SHA", - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_NULL_SHA", + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_RSA_WITH_NULL_SHA", + "TLS_ECDH_RSA_WITH_RC4_128_SHA", + "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_NULL_SHA", + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_anon_WITH_NULL_SHA", + "TLS_ECDH_anon_WITH_RC4_128_SHA", + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" }; sslConnector.setExcludeCipherSuites(RFC4492CipherSuites); - server.setConnectors(new Connector[] { connector, sslConnector }); - + server.setConnectors(new Connector[]{connector, sslConnector}); + WebAppContext webapp = new WebAppContext(); webapp.setLogUrlOnStart(true); webapp.setContextPath("/"); - webapp.setExtractWAR(true); + webapp.setExtractWAR(true); webapp.setParentLoaderPriority(false); + try { + // no way to get certificate from within the servlet (SSLEngine/Jetty SSLSocketConnector/SSLContext?) + if (log.isTraceEnabled()) { + log.trace("local ca certificate from " + keystoreFile + " in webapp context at " + SERVER_CA_CERTIFICATE_ATTRIBUTE); + } + BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile)); + KeyStore sslKeyStore = KeyStore.getInstance("JKS"); + sslKeyStore.load(bis, passwd.toCharArray()); + Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS); + webapp.setAttribute(SERVER_CA_CERTIFICATE_ATTRIBUTE, sslChain[sslChain.length - 1]); + bis.close(); + } catch (Exception ex) { + log.error("Failed to load local ca certificate", ex); + log.warn("automated web certificate installation will not be available"); + } + webapp.setWar(copyWebapp(webapp.getTempDirectory())); webapp.setPermissions(getPermissions(webapp.getTempDirectory())); - + server.setHandler(webapp); - server.setGracefulShutdown(1000*3); + server.setGracefulShutdown(1000 * 3); + } + + /** + * @return The first valid (not empty, no comment) line of the passwd file + * @throws IOException + */ + protected static String readPassword(File passwdFile) throws IOException { + if (passwdFile.exists() && passwdFile.canRead()) { + BufferedReader passwdReader = null; + try { + passwdReader = new BufferedReader(new FileReader(passwdFile)); + String passwd; + while ((passwd = passwdReader.readLine().trim()) != null) { + if (passwd.length() > 0 && !passwd.startsWith("#")) { + return passwd; + } + } + } catch (IOException ex) { + log.error("failed to read password from " + passwdFile, ex); + throw ex; + } finally { + try { + passwdReader.close(); + } catch (IOException ex) { + } + } + } + throw new IOException(passwdFile + " not readable"); } private String copyWebapp(File webappDir) throws IOException { @@ -146,43 +187,48 @@ public class Container { private Permissions getPermissions(File webappDir) { Permissions perms = new Permissions(); + perms.add(new AllPermission()); + + + if (false) { + + // jetty-webstart (spring?) + perms.add(new RuntimePermission("getClassLoader")); + + // standard permissions + perms.add(new PropertyPermission("*", "read,write")); + perms.add(new RuntimePermission("accessDeclaredMembers")); + perms.add(new RuntimePermission("accessClassInPackage.*")); + perms.add(new RuntimePermission("defineClassInPackage.*")); + perms.add(new RuntimePermission("setFactory")); + perms.add(new RuntimePermission("getProtectionDomain")); + perms.add(new RuntimePermission("modifyThread")); + perms.add(new RuntimePermission("modifyThreadGroup")); + perms.add(new RuntimePermission("setFactory")); + perms.add(new ReflectPermission("suppressAccessChecks")); + + // MOCCA specific + perms.add(new SocketPermission("*", "connect,resolve")); + perms.add(new NetPermission("specifyStreamHandler")); + perms.add(new SecurityPermission("insertProvider.*")); + perms.add(new SecurityPermission("putProviderProperty.*")); + perms.add(new SecurityPermission("removeProvider.*")); + perms.add(new CardPermission("*", "*")); + perms.add(new AWTPermission("*")); + + perms.add(new FilePermission(webappDir.getAbsolutePath() + "/-", "read")); + perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xalan.properties").getAbsolutePath(), "read")); + perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xerces.properties").getAbsolutePath(), "read")); + perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write")); + perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write")); + perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete")); + perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete")); + + //TODO +// log.trace("granting file read/write permission to MOCCA local"); +// perms.add(new FilePermission("<>", "read, write")); - // jetty-webstart (spring?) - perms.add(new RuntimePermission("getClassLoader")); - - // standard permissions - perms.add(new PropertyPermission("*", "read,write")); - perms.add(new RuntimePermission("accessDeclaredMembers")); - perms.add(new RuntimePermission("accessClassInPackage.*")); - perms.add(new RuntimePermission("defineClassInPackage.*")); - perms.add(new RuntimePermission("setFactory")); - perms.add(new RuntimePermission("getProtectionDomain")); - perms.add(new RuntimePermission("modifyThread")); - perms.add(new RuntimePermission("modifyThreadGroup")); - perms.add(new RuntimePermission("setFactory")); - perms.add(new ReflectPermission("suppressAccessChecks")); - - // MOCCA specific - perms.add(new SocketPermission("*", "connect,resolve")); - perms.add(new NetPermission("specifyStreamHandler")); - perms.add(new SecurityPermission("insertProvider.*")); - perms.add(new SecurityPermission("putProviderProperty.*")); - perms.add(new SecurityPermission("removeProvider.*")); - perms.add(new CardPermission("*", "*")); - perms.add(new AWTPermission("*")); - - perms.add(new FilePermission(webappDir.getAbsolutePath() + "/-", "read")); - perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xalan.properties").getAbsolutePath(), "read")); - perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xerces.properties").getAbsolutePath(), "read")); - perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write")); - perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write")); - perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete")); - perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/certs/-").getAbsolutePath(), "read, write,delete")); - - //TODO - log.trace("granting file read/write permission to MOCCA local"); - perms.add(new FilePermission("<>", "read, write")); - + } return perms; } @@ -205,4 +251,4 @@ public class Container { public void join() throws InterruptedException { server.join(); } -} \ No newline at end of file +} diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java index 0cfc14e5..0106de62 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Launcher.java @@ -27,6 +27,7 @@ import java.awt.event.WindowAdapter; import java.net.BindException; import java.net.HttpURLConnection; import java.net.MalformedURLException; +import java.net.URI; import java.net.URL; import java.security.GeneralSecurityException; import java.util.jar.Attributes; @@ -73,21 +74,25 @@ public class Launcher implements BKUControllerInterface, ActionListener { /** local bku uri */ public static final URL HTTP_SECURITY_LAYER_URL; public static final URL HTTPS_SECURITY_LAYER_URL; + public static final URL INSTALL_CERT_URL; public static final URL PIN_MANAGEMENT_URL; static { URL http = null; URL https = null; URL pin = null; + URL cert = null; try { http = new URL("http://localhost:" + Integer.getInteger(Container.HTTPS_PORT_PROPERTY, 3495).intValue()); https = new URL("https://localhost:" + Integer.getInteger(Container.HTTPS_PORT_PROPERTY, 3496).intValue()); pin = new URL(http, "/PINManagement"); + cert = new URL(http, "/installCertificate"); } catch (MalformedURLException ex) { log.error(ex); } finally { HTTP_SECURITY_LAYER_URL = http; HTTPS_SECURITY_LAYER_URL = https; PIN_MANAGEMENT_URL = pin; + INSTALL_CERT_URL = cert; } } public static final String version; @@ -273,7 +278,7 @@ public class Launcher implements BKUControllerInterface, ActionListener { Desktop desktop = Desktop.getDesktop(); if (desktop.isSupported(Desktop.Action.BROWSE)) { try { - desktop.browse(HTTPS_SECURITY_LAYER_URL.toURI()); + desktop.browse(HTTP_SECURITY_LAYER_URL.toURI()); } catch (Exception ex) { log.error("failed to open system browser, install TLS certificate manually: " + HTTPS_SECURITY_LAYER_URL, ex); } diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java index 97ca716b..fd94958e 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java @@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory; public class TLSServerCA { public static final int CA_VALIDITY_Y = 3; + public static final String MOCCA_TLS_SERVER_ALIAS = "server"; public static final int SERVER_VALIDITY_Y = 3; private final static Log log = LogFactory.getLog(TLSServerCA.class); @@ -127,7 +128,7 @@ public class TLSServerCA { generateServerCert(); KeyStore ks = KeyStore.getInstance("JKS"); ks.load(null, null); - ks.setKeyEntry("server", serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert}); + ks.setKeyEntry(MOCCA_TLS_SERVER_ALIAS, serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert}); return ks; // } catch (Exception e) { // log.error("Cannot generate certificate", e); -- cgit v1.2.3