| commit | author | age | ||
| 6db426 | 1 | /* |
| JM | 2 | * Copyright 2012 gitblit.com. |
| 3 | * | |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package com.gitblit; | |
| 17 | ||
| 18 | import java.io.File; | |
| 19 | import java.security.KeyStore; | |
| 20 | import java.security.cert.CRL; | |
| 21 | import java.util.Collection; | |
| 22 | ||
| 23 | import javax.net.ssl.TrustManager; | |
| 24 | import javax.net.ssl.X509TrustManager; | |
| 25 | ||
| 26 | import org.eclipse.jetty.util.ssl.SslContextFactory; | |
| 27 | import org.slf4j.Logger; | |
| 28 | import org.slf4j.LoggerFactory; | |
| 29 | ||
| 30 | import com.gitblit.utils.StringUtils; | |
| 31 | ||
| 32 | /** | |
| 33 | * Special SSL context factory that configures Gitblit GO and replaces the | |
| 34 | * primary trustmanager with a GitblitTrustManager. | |
| 35 | * | |
| 36 | * @author James Moger | |
| 37 | */ | |
| 38 | public class GitblitSslContextFactory extends SslContextFactory { | |
| 39 | ||
| 40 | private static final Logger logger = LoggerFactory.getLogger(GitblitSslContextFactory.class); | |
| 41 | ||
| 42 | private final File caRevocationList; | |
| 43 | ||
| 44 | public GitblitSslContextFactory(String certAlias, File keyStore, File clientTrustStore, | |
| 45 | String storePassword, File caRevocationList) { | |
| 46 | super(keyStore.getAbsolutePath()); | |
| 47 | ||
| 48 | this.caRevocationList = caRevocationList; | |
| 49 | ||
| 50 | // disable renegotiation unless this is a patched JVM | |
| 51 | boolean allowRenegotiation = false; | |
| 52 | String v = System.getProperty("java.version"); | |
| 53 | if (v.startsWith("1.7")) { | |
| 54 | allowRenegotiation = true; | |
| 55 | } else if (v.startsWith("1.6")) { | |
| 56 | // 1.6.0_22 was first release with RFC-5746 implemented fix. | |
| 57 | if (v.indexOf('_') > -1) { | |
| 58 | String b = v.substring(v.indexOf('_') + 1); | |
| 59 | if (Integer.parseInt(b) >= 22) { | |
| 60 | allowRenegotiation = true; | |
| 61 | } | |
| 62 | } | |
| 63 | } | |
| 64 | if (allowRenegotiation) { | |
| 65 | logger.info(" allowing SSL renegotiation on Java " + v); | |
| 66 | setAllowRenegotiate(allowRenegotiation); | |
| 67 | } | |
| 68 | ||
| 69 | ||
| 70 | if (!StringUtils.isEmpty(certAlias)) { | |
| 71 | logger.info(" certificate alias = " + certAlias); | |
| 72 | setCertAlias(certAlias); | |
| 73 | } | |
| 74 | setKeyStorePassword(storePassword); | |
| 75 | setTrustStore(clientTrustStore.getAbsolutePath()); | |
| 76 | setTrustStorePassword(storePassword); | |
| 77 | ||
| 78 | logger.info(" keyStorePath = " + keyStore.getAbsolutePath()); | |
| 79 | logger.info(" trustStorePath = " + clientTrustStore.getAbsolutePath()); | |
| 80 | logger.info(" crlPath = " + caRevocationList.getAbsolutePath()); | |
| 81 | } | |
| 82 | ||
| 83 | @Override | |
| 84 | protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) | |
| 85 | throws Exception { | |
| 86 | TrustManager[] managers = super.getTrustManagers(trustStore, crls); | |
| 87 | X509TrustManager delegate = (X509TrustManager) managers[0]; | |
| 88 | GitblitTrustManager root = new GitblitTrustManager(delegate, caRevocationList); | |
| 89 | ||
| 90 | // replace first manager with the GitblitTrustManager | |
| 91 | managers[0] = root; | |
| 92 | return managers; | |
| 93 | } | |
| 94 | } | |
