From 4af1d0a0d6fb6f4784067d320e42504922710788 Mon Sep 17 00:00:00 2001
From: tkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Mon, 11 Nov 2013 20:52:36 +0000
Subject: Allow to disable certain ciphersuites for SSL connections

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1213 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../egiz/bku/spring/InternalSSLSocketFactory.java  | 83 ++++++++++++++++++++++
 .../gv/egiz/bku/spring/SSLSocketFactoryBean.java   | 66 +++++++++++++----
 2 files changed, 134 insertions(+), 15 deletions(-)
 create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java

(limited to 'bkucommon/src')

diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java
new file mode 100644
index 00000000..a9e96126
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java
@@ -0,0 +1,83 @@
+package at.gv.egiz.bku.spring;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+public class InternalSSLSocketFactory extends SSLSocketFactory {
+
+	private SSLSocketFactory proxy;
+	private String[] suites;
+
+	public InternalSSLSocketFactory(SSLSocketFactory socketFactory,
+			String[] disabledSuites) {
+		this.proxy = socketFactory;
+		List<String> dSuites = Arrays.asList(disabledSuites);
+		List<String> suites = new ArrayList<String>(Arrays.asList(proxy.getDefaultCipherSuites()));
+		suites.removeAll(dSuites);
+		this.suites = suites.toArray(new String[suites.size()]);
+	}
+
+	@Override
+	public Socket createSocket(Socket s, String host, int port,
+			boolean autoClose) throws IOException {
+		Socket socket = proxy.createSocket(s, host, port, autoClose);
+		setCipherSuites(socket);
+		return socket;
+	}
+
+	@Override
+	public String[] getDefaultCipherSuites() {
+		return suites;
+	}
+
+	@Override
+	public String[] getSupportedCipherSuites() {
+		return proxy.getSupportedCipherSuites();
+	}
+
+	@Override
+	public Socket createSocket(String host, int port) throws IOException,
+			UnknownHostException {
+		Socket socket = proxy.createSocket(host, port);
+		setCipherSuites(socket);
+		return socket;
+	}
+
+	@Override
+	public Socket createSocket(InetAddress host, int port) throws IOException {
+		Socket socket = proxy.createSocket(host, port);
+		setCipherSuites(socket);
+		return socket;
+	}
+
+	@Override
+	public Socket createSocket(String host, int port, InetAddress localHost,
+			int localPort) throws IOException, UnknownHostException {
+		Socket socket = proxy.createSocket(host, port, localHost,
+				localPort);
+		setCipherSuites(socket);
+		return socket;
+	}
+
+	@Override
+	public Socket createSocket(InetAddress address, int port,
+			InetAddress localAddress, int localPort) throws IOException {
+		Socket socket = proxy.createSocket(address, port, localAddress,
+				localPort);
+		setCipherSuites(socket);
+		return socket;
+	}
+
+	private void setCipherSuites(Socket socket) {
+		if (socket instanceof SSLSocket)
+			((SSLSocket) socket).setEnabledCipherSuites(suites);
+	}
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
index 2ace91d2..702212bc 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
@@ -37,30 +37,65 @@ import org.springframework.beans.factory.FactoryBean;
 import at.gv.egiz.bku.conf.MoccaConfigurationFacade;
 
 public class SSLSocketFactoryBean implements FactoryBean {
-  
+
   protected PKIProfile pkiProfile;
-  
+
   /**
    * The configuration facade.
    */
   protected final ConfigurationFacade configurationFacade = new ConfigurationFacade();
-  
+
   public class ConfigurationFacade implements MoccaConfigurationFacade {
-    
+
     private Configuration configuration;
-    
+
+    //avoid ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
+    private final String DEFAULT_DISABLED_CIPHER_SUITES =
+      "TLS_ECDH_ECDSA_WITH_NULL_SHA," +
+      "TLS_ECDH_ECDSA_WITH_RC4_128_SHA," +
+      "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +
+      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +
+      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +
+      "TLS_ECDHE_ECDSA_WITH_NULL_SHA," +
+      "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA," +
+      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +
+      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +
+      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +
+      "TLS_ECDH_RSA_WITH_NULL_SHA," +
+      "TLS_ECDH_RSA_WITH_RC4_128_SHA," +
+      "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +
+      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +
+      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +
+      "TLS_ECDHE_RSA_WITH_NULL_SHA," +
+      "TLS_ECDHE_RSA_WITH_RC4_128_SHA," +
+      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +
+      "TLS_ECDH_anon_WITH_NULL_SHA," +
+      "TLS_ECDH_anon_WITH_RC4_128_SHA," +
+      "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA," +
+      "TLS_ECDH_anon_WITH_AES_128_CBC_SHA," +
+      "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
+
     public static final String SSL_PROTOCOL = "SSL.sslProtocol";
-    
-    public static final String SSL_DISSABLE_ALL_CHECKS = "SSL.disableAllChecks";
-    
+
+    public static final String SSL_DISABLE_ALL_CHECKS = "SSL.disableAllChecks";
+
+    public static final String SSL_DISABLED_CIPHER_SUITES = "SSL.disabledCipherSuites";
+
     public String getSslProtocol() {
       return configuration.getString(SSL_PROTOCOL, "TLS");
     }
-    
+
     public boolean disableAllSslChecks() {
-      return configuration.getBoolean(SSL_DISSABLE_ALL_CHECKS, false);
+      return configuration.getBoolean(SSL_DISABLE_ALL_CHECKS, false);
+    }
+
+    public String[] getDisabledCipherSuites() {
+      String suites = configuration.getString(SSL_DISABLED_CIPHER_SUITES,
+            DEFAULT_DISABLED_CIPHER_SUITES);
+      return suites.split(",");
     }
-    
   }
 
   /**
@@ -93,15 +128,16 @@ public class SSLSocketFactoryBean implements FactoryBean {
   
   @Override
   public Object getObject() throws Exception {
-    
     PKITrustManager pkiTrustManager = new PKITrustManager();
     pkiTrustManager.setConfiguration(configurationFacade.configuration);
     pkiTrustManager.setPkiProfile(pkiProfile);
-    
+
     SSLContext sslContext = SSLContext.getInstance(configurationFacade.getSslProtocol());
     sslContext.init(null, new TrustManager[] {pkiTrustManager}, null);
-    
-    return sslContext.getSocketFactory();
+
+    SSLSocketFactory ssf = sslContext.getSocketFactory();
+
+    return new InternalSSLSocketFactory(ssf, configurationFacade.getDisabledCipherSuites());
   }
 
   @Override
-- 
cgit v1.2.3