001: package com.sun.portal.util;
002:
003: import java.io.BufferedReader;
004: import java.io.ByteArrayInputStream;
005: import java.io.File;
006: import java.io.FileInputStream;
007: import java.io.InputStreamReader;
008: import java.net.SocketException;
009: import java.security.cert.CertificateEncodingException;
010: import java.security.cert.CertificateException;
011: import java.security.cert.CertificateExpiredException;
012: import java.security.cert.CertificateFactory;
013: import java.util.logging.Level;
014: import java.util.logging.Logger;
015:
016: import org.mozilla.jss.CertDatabaseException;
017: import org.mozilla.jss.CryptoManager;
018: import org.mozilla.jss.KeyDatabaseException;
019: import org.mozilla.jss.CryptoManager.NotInitializedException;
020: import org.mozilla.jss.crypto.ObjectNotFoundException;
021: import org.mozilla.jss.crypto.TokenException;
022: import org.mozilla.jss.crypto.X509Certificate;
023: import org.mozilla.jss.ssl.SSLSocket;
024:
025: import com.sun.portal.cli.cert.JSSUtil;
026: import com.sun.portal.cli.cert.SRADecoderException;
027: import com.sun.portal.log.common.PortalLogger;
028: import com.sun.portal.rproxy.cert.CertAdminPasswordCallback;
029:
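/**
 * Bootstraps JSS/NSS for the gateway: resolves the certificate database
 * directory, reads the server certificate nickname and the database password
 * from files, calls {@code CryptoManager.initialize}, and then sets the default
 * cipher preferences through {@code SSLSocket.setCipherPreferenceDefault}.
 *
 * <p>Security review notes:
 * <ul>
 * <li>{@link #initialize()} finishes by calling {@link #enableAllCiphers()},
 * which switches on every group declared below, including the SSL2 suites, the
 * 40-bit export suites, single-DES suites and
 * {@code SSL3_RSA_WITH_NULL_MD5} (authentication only, no encryption).
 * Presumably a caller narrows the set afterwards from the gateway profile;
 * verify that against the callers before relying on these defaults.</li>
 * <li>The cipher arrays are {@code public static final} but their elements are
 * still writable by any code in the JVM, and {@link #nickname} is a public
 * mutable static. Both are kept as they are because callers outside this file
 * may use them.</li>
 * </ul>
 */
public class GWNSSInit {

    /**
     * Nickname of the server certificate. {@link #initialize()} replaces the
     * default with the first line of the nickname file when that line is
     * present and non-empty.
     */
    public static String nickname = "server-cert";

    // static Logger logger = Logger.getLogger("com.sun.portal.sra.rproxy");
    private static Logger logger = PortalLogger.getLogger(GWNSSInit.class);

    /*
     * Bug 4477488 Presently portal allows to allow/disable 40 bit browser
     * connections(In admin console, Gateway Management>Manage Gateway
     * Profile>Allow 40 bit browser connections check box). But customer wants
     * to allow only 128 bit browser connections. If we disable 40 bit browser
     * connections still 56 bit browsers are allowed. Customer would like to
     * have an option only to allow 128 bit encryption.
     */
    /*
     * Cipher tables used before Bug 4477488 (kept for history):
     *
     * private static final int cipherSuites[] = {
     * SSLSocket.SSL2_DES_64_CBC_WITH_MD5, SSLSocket.SSL2_RC2_128_CBC_WITH_MD5,
     * SSLSocket.SSL2_RC4_128_WITH_MD5,
     * SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
     * SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA, SSLSocket.SSL3_RSA_WITH_NULL_MD5,
     * SSLSocket.SSL3_RSA_WITH_RC4_128_MD5, SSLSocket.SSL3_RSA_WITH_RC4_128_SHA,
     * 0 };
     *
     * public static final int cipherSuites40Bit[] = {
     * SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,
     * SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5,
     * SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
     * SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0 };
     *
     * private static final int cipherSuitesNotSupported[] = {
     * SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5,
     * SSLSocket.SSL3_FORTEZZA_DMS_WITH_NULL_SHA,
     * SSLSocket.SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
     * SSLSocket.SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,
     * SSLSocket.SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
     * SSLSocket.SSL_RSA_FIPS_WITH_DES_CBC_SHA,
     * SSLSocket.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
     * SSLSocket.TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, //
     * SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, //
     * SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
     * SSLSocket.TLS_DHE_DSS_WITH_RC4_128_SHA, 0 };
     */

    /** SSL2 suites grouped as "128 bit" (3DES, RC2-128, RC4-128, all with MD5). */
    public static final int[] cipherSuites128BitSSL2 = {
        SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5,
        SSLSocket.SSL2_RC2_128_CBC_WITH_MD5,
        SSLSocket.SSL2_RC4_128_WITH_MD5 };

    /** SSL3 RSA suites grouped as "128 bit" (3DES, RC4-128, FIPS 3DES). */
    public static final int[] cipherSuites128BitSSL3 = {
        SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
        SSLSocket.SSL3_RSA_WITH_RC4_128_MD5,
        SSLSocket.SSL3_RSA_WITH_RC4_128_SHA,
        SSLSocket.SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA };

    /** SSL2 export suites limited to 40-bit keys. */
    public static final int[] cipherSuites40BitSSL2 = {
        SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,
        SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5 };

    /** SSL3 export suites limited to 40-bit keys. */
    public static final int[] cipherSuites40BitSSL3 = {
        SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
        SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
        // //SSLSocket.SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA
    };

    /** Remaining SSL2 suite: single DES. */
    public static final int[] cipherSuitesOthersSSL2 = { SSLSocket.SSL2_DES_64_CBC_WITH_MD5 };

    /** Remaining SSL3 suites: single DES, plain and FIPS variants. */
    public static final int[] cipherSuitesOthersSSL3 = {
        SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA,
        SSLSocket.SSL_RSA_FIPS_WITH_DES_CBC_SHA
        // //SSLSocket.SSL3_RSA_WITH_IDEA_CBC_SHA
        // SSLSocket.SSL3_RSA_WITH_NULL_MD5
        // SSLSocket.SSL3_RSA_WITH_NULL_SHA
    };

    /**
     * NULL-encryption suite: the handshake is authenticated but the record
     * payload is not encrypted. {@link #enableAllCiphers()} turns it on.
     */
    public static final int[] cipherSuitesSSL3Null = { SSLSocket.SSL3_RSA_WITH_NULL_MD5 };

    /*
     * PRD 3.8 - Certificate Administration The gateway should support TLS
     * ciphers.
     */
    /**
     * "128 bit" TLS group. Every entry is commented out, so the array is empty
     * and the AES suites named in the comments are never enabled from here.
     */
    public static final int[] cipherSuites128BitTLS = {
        // SSLSocket.TLS_DHE_DSS_WITH_RC4_128_SHA
        // SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA,
        // SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA
    };

    /** Remaining TLS suites: the EXPORT1024 DES and RC4-56 variants. */
    public static final int[] cipherSuitesOthersTLS = {
        SSLSocket.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
        SSLSocket.TLS_RSA_EXPORT1024_WITH_RC4_56_SHA };

    /*
     * private static final int cipherSuitesNotSupported[] = {
     * SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5,
     * SSLSocket.SSL3_FORTEZZA_DMS_WITH_NULL_SHA,
     * SSLSocket.SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
     * SSLSocket.SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,
     * SSLSocket.SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
     * SSLSocket.SSL_RSA_FIPS_WITH_DES_CBC_SHA,
     * SSLSocket.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
     * SSLSocket.TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
     * SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
     * SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
     * SSLSocket.TLS_DHE_DSS_WITH_RC4_128_SHA };
     */

    /**
     * Suites that {@link #initialize()} explicitly disables. Only
     * {@code TLS_DHE_DSS_WITH_RC4_128_SHA} is active in the list; it appears in
     * none of the enabled groups, so it stays off after initialization.
     */
    private static final int[] cipherSuitesNotSupported = {
        // SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5,
        // SSLSocket.SSL3_FORTEZZA_DMS_WITH_NULL_SHA,
        // SSLSocket.SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
        // SSLSocket.SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,
        // SSLSocket.SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
        // SSLSocket.SSL_RSA_FIPS_WITH_DES_CBC_SHA,
        SSLSocket.TLS_DHE_DSS_WITH_RC4_128_SHA,
        /*
         * //Added from JSS .2 //SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA,
         * //SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA,
         * //SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
         * //SSLSocket.TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
         * SSLSocket.TLS_DHE_DSS_WITH_RC4_128_SHA,
         * //SSLSocket.TLS_DH_DSS_WITH_AES_128_CBC_SHA,
         * //SSLSocket.TLS_DH_RSA_WITH_AES_128_CBC_SHA,
         * SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
         * SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
         * //SSLSocket.TLS_DH_ANON_WITH_AES_128_CBC_SHA,
         * //SSLSocket.TLS_DH_DSS_WITH_AES_256_CBC_SHA,
         * //SSLSocket.TLS_DH_RSA_WITH_AES_256_CBC_SHA,
         * SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
         * SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
         * //SSLSocket.TLS_DH_ANON_WITH_AES_256_CBC_SHA
         */
    };

    // end of code change for PRD 3.8 - Certificate Administration

    /**
     * Every group touched by {@link #enableAllCiphers()} and
     * {@link #disableAllCiphers()}, in the order those methods have always
     * applied them. Declared after the arrays it references so that static
     * initialization sees them already populated.
     */
    private static final int[][] ALL_CIPHER_GROUPS = {
        cipherSuites40BitSSL2,
        cipherSuites40BitSSL3,
        cipherSuitesOthersSSL2,
        cipherSuitesOthersSSL3,
        cipherSuites128BitSSL2,
        cipherSuites128BitSSL3,
        // PRD 3.8 - Certificate Administration: the gateway should support TLS ciphers.
        cipherSuitesOthersTLS,
        cipherSuites128BitTLS,
        // end of code change for PRD 3.8 - Certificate Administration
        cipherSuitesSSL3Null };

    /**
     * Enables every cipher group declared in this class as a default
     * preference.
     *
     * <p>This includes the 40-bit export, single-DES, SSL2 and NULL-encryption
     * groups, so the result is the widest set this class knows about, not a
     * hardened one.
     *
     * @throws SocketException if JSS rejects a preference change
     */
    public static void enableAllCiphers() throws SocketException {
        for (int i = 0; i < ALL_CIPHER_GROUPS.length; i++) {
            enableCipher(ALL_CIPHER_GROUPS[i]);
        }
    }

    /**
     * Disables every cipher group declared in this class as a default
     * preference. {@code cipherSuitesNotSupported} is not part of this sweep.
     *
     * @throws SocketException if JSS rejects a preference change
     */
    public static void disableAllCiphers() throws SocketException {
        for (int i = 0; i < ALL_CIPHER_GROUPS.length; i++) {
            disableCipher(ALL_CIPHER_GROUPS[i]);
        }
    }

    /**
     * Enables each suite in the given array as a default preference.
     *
     * @param cipherSuites JSS cipher suite constants to enable
     * @throws SocketException if JSS rejects a preference change
     */
    public static void enableCipher(int[] cipherSuites) throws SocketException {
        setCipherState(cipherSuites, true);
    }

    /**
     * Disables each suite in the given array as a default preference.
     *
     * @param cipherSuites JSS cipher suite constants to disable
     * @throws SocketException if JSS rejects a preference change
     */
    public static void disableCipher(int[] cipherSuites) throws SocketException {
        setCipherState(cipherSuites, false);
    }

    /**
     * Applies one enabled/disabled state to every suite in the array through
     * {@code SSLSocket.setCipherPreferenceDefault}.
     *
     * @param cipherSuites JSS cipher suite constants to change
     * @param state {@code true} to enable, {@code false} to disable
     * @throws SocketException if JSS rejects a preference change
     */
    private static void setCipherState(int[] cipherSuites, boolean state)
            throws SocketException {
        for (int j = 0; j < cipherSuites.length; j++) {
            SSLSocket.setCipherPreferenceDefault(cipherSuites[j], state);
        }
    }

    // end of code change for Bug 4477488

    /**
     * Returns the first line of a text file and always closes the file.
     *
     * <p>The bytes are decoded with the platform default charset, as before.
     *
     * @param path file to read
     * @return the first line, or {@code null} when the file is empty
     * @throws java.io.IOException if the file cannot be opened, read or closed
     */
    private static String readFirstLine(String path) throws java.io.IOException {
        FileInputStream in = new FileInputStream(path);
        try {
            BufferedReader reader = new BufferedReader(new InputStreamReader(in));
            return reader.readLine();
        } finally {
            // The original code never closed these streams, leaking a descriptor
            // per file on every call.
            in.close();
        }
    }

    /**
     * Initializes the JSS {@code CryptoManager} for the gateway and applies the
     * default cipher preferences.
     *
     * <p>Locations come from system properties: {@code gateway.keybase} for the
     * certificate database directory, {@code gateway.nickname} for the nickname
     * file and {@code gateway.pass} for the password file. The fallbacks are
     * built from {@code SRAP_CONFIG_DIR}, which itself defaults to
     * {@code /etc/opt/SUNWportal}.
     *
     * <p>A failure to read the nickname file is logged and the current value of
     * {@link #nickname} is kept. A failure to read or decode the password makes
     * the method return {@code false}.
     *
     * @return {@code true} when initialization completed or the
     *         {@code CryptoManager} was already initialized; {@code false} on
     *         any other failure
     * @throws SocketException if a cipher preference cannot be set
     */
    public static boolean initialize() throws SocketException {
        /* JSS3.1.1 change - begin */
        // if (!NSSInit.isInitialized()) {
        /* JSS3.1.1 change - end */
        String configDir = System.getProperty("SRAP_CONFIG_DIR", "/etc/opt/SUNWportal");
        String certSubDir = configDir + File.separatorChar + "cert" + File.separatorChar;

        String certdbDir = System.getProperty("gateway.keybase", configDir);
        // PSSR_CSPU055 replaced: "GWNSSInit: certdbDir = " + certdbDir
        logger.log(Level.INFO, "PSSR_CSPU055", new Object[] { certdbDir });
        try {
            JSSUtil.setDefaultDecoder(certdbDir);
        } catch (SRADecoderException ex) {
            // PSSR_CSPU056 replaced: "GWNSSInit: Unable to initialize the
            // password encryption module : " + ex.getMessage()
            // Initialization carries on after this failure; the password step
            // below is where an unusable decoder would surface.
            logger.log(Level.SEVERE, "PSSR_CSPU056", new Object[] { ex.getMessage() });
        }

        String nicknamefile = System.getProperty("gateway.nickname", certSubDir + ".nickname");
        // PSSR_CSPU057 replaced: "GWNSSInit: nicknamefile = " + nicknamefile
        logger.log(Level.INFO, "PSSR_CSPU057", new Object[] { nicknamefile });

        // Defensive check only: the default above is never null.
        if (nicknamefile != null) {
            try {
                String line = readFirstLine(nicknamefile);
                if (line != null && line.length() > 0) {
                    nickname = line;
                } else {
                    // An empty file used to overwrite the default nickname with
                    // null (or ""), which then went to findCertByNickname.
                    // Keep the current nickname and report the file instead.
                    logger.log(Level.SEVERE, "PSSR_CSPU058", new Object[] { nicknamefile });
                }
            } catch (Exception ex) {
                // PSSR_CSPU058 replaced: "GWNSSInit: Unable to read jss nickname
                // from file " + nicknamefile
                logger.log(Level.SEVERE, "PSSR_CSPU058", new Object[] { nicknamefile });
            }
        } else {
            // PSSR_CSPU059 replaced: "GWNSSInit: Unable to get nickname file name"
            logger.severe("PSSR_CSPU059");
        }

        String pwfile = System.getProperty("gateway.pass", certSubDir + ".jsspass");
        // PSSR_CSPU060 replaced: "GWNSSInit: pwfile = " + pwfile
        logger.log(Level.INFO, "PSSR_CSPU060", new Object[] { pwfile });

        // NOTE(review): the decoded password is held in a String, which cannot
        // be wiped after use; CertAdminPasswordCallback is given a String here.
        String jssPassword;
        // Defensive check only: the default above is never null.
        if (pwfile != null) {
            try {
                String stored = readFirstLine(pwfile);
                if (stored == null) {
                    // Empty password file: fail here with the same message as
                    // an unreadable file rather than inside the decoder.
                    logger.log(Level.SEVERE, "PSSR_CSPU062", new Object[] { pwfile });
                    return false;
                }
                com.sun.portal.cli.cert.Password pass = JSSUtil.decryptPassword(stored);
                jssPassword = pass.getPassword();
                // Only the encrypted case is logged; a password for which
                // isEncrypted() is false is accepted without any log entry.
                if (pass.isEncrypted()) {
                    // PSSR_CSPU061 replaced: "GWNSSInit: Found encrypted password"
                    logger.info("PSSR_CSPU061");
                }
            } catch (Exception ex) {
                // PSSR_CSPU062 replaced: "GWNSSInit: Unable to read jss password
                // from file " + pwfile
                logger.log(Level.SEVERE, "PSSR_CSPU062", new Object[] { pwfile });
                return false;
            }
        } else {
            // PSSR_CSPU063 replaced: "GWNSSInit: Unable to get password file name"
            logger.severe("PSSR_CSPU063");
            return false;
        }

        try {
            /* JSS3.1.1 change - begin */
            CryptoManager.InitializationValues vals =
                    new CryptoManager.InitializationValues(certdbDir); /* JSS3.1 change */
            CryptoManager.initialize(vals);
            CryptoManager.getInstance().setPasswordCallback(
                    new CertAdminPasswordCallback(jssPassword));

            checkCertificateValidity();

            // PSSR_CSPU064 replaced: "GWNSSInit: NSSInit initialization done
            // successfully"
            logger.info("PSSR_CSPU064");
            /* JSS3.1.1 change - end */
        } catch (KeyDatabaseException kdbe) {
            // PSSR_CSPU065 replaced: "GWNSSInit: Couldn't open the key database."
            logger.log(Level.SEVERE, "PSSR_CSPU065", kdbe);
            return false;
        } catch (CertDatabaseException cdbe) {
            // PSSR_CSPU066 replaced: "GWNSSInit: Couldn't open the certificate
            // database."
            logger.log(Level.SEVERE, "PSSR_CSPU066", cdbe);
            return false;
        }
        /* JSS3.1.1 change - begin */
        catch (org.mozilla.jss.crypto.AlreadyInitializedException aie) {
            // initialization might be done during gateway Login, see
            // gwutil/Login2.java
            // This path returns before the password callback is set, before the
            // certificate validity check and before the cipher defaults below.
            logger.warning("GWNSSInit: CryptoManager already initialized." + aie);
            return true;
        }
        /* JSS3.1.1 change - end */
        catch (Exception e) {
            // PSSR_CSPU067 replaced: "GWNSSInit: Exception occurred: " +
            // e.getMessage()
            // Only the message is logged, so the stack trace of an unexpected
            // failure (for example a missing certificate) is not recorded.
            logger.log(Level.SEVERE, "PSSR_CSPU067", new Object[] { e.getMessage() });
            return false;
        }
        /*
         * Bug 4477488
         */

        /*
         * for (int i = 0; cipherSuites[i] != 0; ++i) {
         * SSLSocket.setCipherPreference( cipherSuites[i], true); } for (int j =
         * 0; cipherSuites40Bit[j] != 0; ++j) { SSLSocket.setCipherPreference(
         * cipherSuites40Bit[j], true); } for (int k = 0;
         * cipherSuitesNotSupported[k] != 0; ++k) {
         * SSLSocket.setCipherPreference( cipherSuitesNotSupported[k], false); }
         */
        disableCipher(cipherSuitesNotSupported);
        // NOTE(review): this enables the export, single-DES, SSL2 and NULL
        // groups as defaults. Confirm that the gateway profile handling
        // disables the unwanted groups before any socket is created.
        enableAllCiphers();
        // end of code change for Bug 4477488
        // }
        return true;
    }

    /**
     * Looks up the certificate stored under {@link #nickname} and checks its
     * validity period against the current time.
     *
     * <p>The result is advisory: an expired certificate is logged at INFO as
     * {@code PSSR_CSPU102}, any other exception from {@code checkValidity()}
     * (for example a certificate that is not yet valid) is logged at INFO as
     * {@code PSSR_CSPU103}, and in both cases the method returns normally, so
     * {@link #initialize()} still succeeds. Only the dates are examined here;
     * no chain, revocation or key-usage checks are made.
     *
     * @throws ObjectNotFoundException if no certificate has that nickname
     * @throws TokenException if the token reports an error during the lookup
     * @throws NotInitializedException if the {@code CryptoManager} is not initialized
     * @throws CertificateEncodingException if the certificate cannot be encoded
     * @throws CertificateException if the encoded certificate cannot be parsed
     */
    private static void checkCertificateValidity()
            throws ObjectNotFoundException, TokenException,
            NotInitializedException, CertificateEncodingException,
            CertificateException {
        X509Certificate cert = CryptoManager.getInstance().findCertByNickname(nickname);
        // Round-trip through the DER encoding to obtain a java.security
        // certificate, which provides checkValidity().
        ByteArrayInputStream encoded = new ByteArrayInputStream(cert.getEncoded());
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        java.security.cert.X509Certificate jcert =
                (java.security.cert.X509Certificate) factory.generateCertificate(encoded);
        try {
            jcert.checkValidity();
        } catch (CertificateExpiredException ex) {
            logger.log(Level.INFO, "PSSR_CSPU102", new Object[] { nickname });
        } catch (Exception ex) {
            logger.log(Level.INFO, "PSSR_CSPU103", ex);
        }
    }
}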