/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.tomcat.util.net.jsse; import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; import java.net.InetAddress; import java.net.ServerSocket; import java.net.Socket; import java.net.SocketException; import java.security.KeyStore; import java.security.SecureRandom; import java.security.cert.CRL; import java.security.cert.CRLException; import java.security.cert.CertPathParameters; import java.security.cert.CertStore; import java.security.cert.CertStoreParameters; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.CollectionCertStoreParameters; import java.security.cert.PKIXBuilderParameters; import java.security.cert.X509CertSelector; import java.util.Collection; import java.util.Vector; import javax.net.ssl.CertPathTrustManagerParameters; import javax.net.ssl.HandshakeCompletedEvent; import javax.net.ssl.HandshakeCompletedListener; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.ManagerFactoryParameters; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLException; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocketFactory; import javax.net.ssl.SSLSessionContext; import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509KeyManager; import org.apache.tomcat.util.res.StringManager; /* 1. Make the JSSE's jars available, either as an installed extension (copy them into jre/lib/ext) or by adding them to the Tomcat classpath. 2. keytool -genkey -alias tomcat -keyalg RSA Use "changeit" as password ( this is the default we use ) */ /** * SSL server socket factory. It _requires_ a valid RSA key and * JSSE. * * @author Harish Prabandham * @author Costin Manolache * @author Stefan Freyr Stefansson * @author EKR -- renamed to JSSESocketFactory * @author Jan Luehe * @author Bill Barker */ public class JSSESocketFactory extends org.apache.tomcat.util.net.ServerSocketFactory { private static StringManager sm = StringManager.getManager("org.apache.tomcat.util.net.jsse.res"); // defaults static String defaultProtocol = "TLS"; static boolean defaultClientAuth = false; static String defaultKeystoreType = "JKS"; private static final String defaultKeystoreFile = System.getProperty("user.home") + "/.keystore"; private static final String defaultKeyPass = "changeit"; private static final int defaultSessionCacheSize = 0; private static final int defaultSessionTimeout = 86400; static org.apache.juli.logging.Log log = org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class); protected boolean initialized; protected String clientAuth = "false"; protected SSLServerSocketFactory sslProxy = null; protected String[] enabledCiphers; protected boolean allowUnsafeLegacyRenegotiation = false; /** * Flag to state that we require client authentication. */ protected boolean requireClientAuth = false; /** * Flag to state that we would like client authentication. */ protected boolean wantClientAuth = false; public JSSESocketFactory () { } public ServerSocket createSocket (int port) throws IOException { if (!initialized) init(); ServerSocket socket = sslProxy.createServerSocket(port); initServerSocket(socket); return socket; } public ServerSocket createSocket (int port, int backlog) throws IOException { if (!initialized) init(); ServerSocket socket = sslProxy.createServerSocket(port, backlog); initServerSocket(socket); return socket; } public ServerSocket createSocket (int port, int backlog, InetAddress ifAddress) throws IOException { if (!initialized) init(); ServerSocket socket = sslProxy.createServerSocket(port, backlog, ifAddress); initServerSocket(socket); return socket; } public Socket acceptSocket(ServerSocket socket) throws IOException { SSLSocket asock = null; try { asock = (SSLSocket)socket.accept(); if (!allowUnsafeLegacyRenegotiation) { asock.addHandshakeCompletedListener( new DisableSslRenegotiation()); } configureClientAuth(asock); } catch (SSLException e){ throw new SocketException("SSL handshake error" + e.toString()); } return asock; } private static class DisableSslRenegotiation implements HandshakeCompletedListener { private volatile boolean completed = false; public void handshakeCompleted(HandshakeCompletedEvent event) { if (completed) { try { log.warn("SSL renegotiation is disabled, closing connection"); event.getSession().invalidate(); event.getSocket().close(); } catch (IOException e) { // ignore } } completed = true; } } public void handshake(Socket sock) throws IOException { ((SSLSocket)sock).startHandshake(); } /* * Determines the SSL cipher suites to be enabled. * * @param requestedCiphers Comma-separated list of requested ciphers * @param supportedCiphers Array of supported ciphers * * @return Array of SSL cipher suites to be enabled, or null if none of the * requested ciphers are supported */ protected String[] getEnabledCiphers(String requestedCiphers, String[] supportedCiphers) { String[] enabledCiphers = null; if (requestedCiphers != null) { Vector vec = null; String cipher = requestedCiphers; int index = requestedCiphers.indexOf(','); if (index != -1) { int fromIndex = 0; while (index != -1) { cipher = requestedCiphers.substring(fromIndex, index).trim(); if (cipher.length() > 0) { /* * Check to see if the requested cipher is among the * supported ciphers, i.e., may be enabled */ for (int i=0; supportedCiphers != null && i 0) { /* * Check to see if the requested cipher is among the * supported ciphers, i.e., may be enabled */ for (int i=0; supportedCiphers != null && iPKIX is supported. * * @param algorithm The algorithm to get parameters for. * @param crlf The path to the CRL file. * @param trustStore The configured TrustStore. * @return The parameters including the CRLs and TrustStore. */ protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = (String)attributes.get("trustMaxCertLength"); if(trustLength != null) { try { xparams.setMaxPathLength(Integer.parseInt(trustLength)); } catch(Exception ex) { log.warn("Bad maxCertLength: "+trustLength); } } params = xparams; } else { throw new CRLException("CRLs not supported for type: "+algorithm); } return params; } /** * Load the collection of CRLs. * */ protected Collection getCRLs(String crlf) throws IOException, CRLException, CertificateException { File crlFile = new File(crlf); if( !crlFile.isAbsolute() ) { crlFile = new File(System.getProperty("catalina.base"), crlf); } Collection crls = null; InputStream is = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); is = new FileInputStream(crlFile); crls = cf.generateCRLs(is); } catch(IOException iex) { throw iex; } catch(CRLException crle) { throw crle; } catch(CertificateException ce) { throw ce; } finally { if(is != null) { try{ is.close(); } catch(Exception ex) { } } } return crls; } /** * Set the SSL protocol variants to be enabled. * @param socket the SSLServerSocket. * @param protocols the protocols to use. */ protected void setEnabledProtocols(SSLServerSocket socket, String []protocols){ if (protocols != null) { socket.setEnabledProtocols(protocols); } } /** * Determines the SSL protocol variants to be enabled. * * @param socket The socket to get supported list from. * @param requestedProtocols Comma-separated list of requested SSL * protocol variants * * @return Array of SSL protocol variants to be enabled, or null if none of * the requested protocol variants are supported */ protected String[] getEnabledProtocols(SSLServerSocket socket, String requestedProtocols){ String[] supportedProtocols = socket.getSupportedProtocols(); String[] enabledProtocols = null; if (requestedProtocols != null) { Vector vec = null; String protocol = requestedProtocols; int index = requestedProtocols.indexOf(','); if (index != -1) { int fromIndex = 0; while (index != -1) { protocol = requestedProtocols.substring(fromIndex, index).trim(); if (protocol.length() > 0) { /* * Check to see if the requested protocol is among the * supported protocols, i.e., may be enabled */ for (int i=0; supportedProtocols != null && i 0) { /* * Check to see if the requested protocol is among the * supported protocols, i.e., may be enabled */ for (int i=0; supportedProtocols != null && i