summaryrefslogtreecommitdiffstats
path: root/src/main/java/com/gitblit/GitblitSslContextFactory.java
blob: 2a4735e69bf260f9123bd0f20bfd3a66cfde78fc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
/*
 * Copyright 2012 gitblit.com.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.gitblit;

import java.io.File;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.util.Collection;

import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.gitblit.utils.StringUtils;

/**
 * Special SSL context factory that configures Gitblit GO and replaces the
 * primary trustmanager with a GitblitTrustManager.
 *
 * @author James Moger
 */
public class GitblitSslContextFactory extends SslContextFactory {

	private static final Logger logger = LoggerFactory.getLogger(GitblitSslContextFactory.class);

	private final File caRevocationList;

	public GitblitSslContextFactory(String certAlias, File keyStore, File clientTrustStore,
			String storePassword, File caRevocationList) {
		super(keyStore.getAbsolutePath());

		this.caRevocationList = caRevocationList;

		// disable renegotiation unless this is a patched JVM
		boolean allowRenegotiation = false;
		String v = System.getProperty("java.version");
		if (v.startsWith("1.7")) {
			allowRenegotiation = true;
		} else if (v.startsWith("1.6")) {
			// 1.6.0_22 was first release with RFC-5746 implemented fix.
			if (v.indexOf('_') > -1) {
				String b = v.substring(v.indexOf('_') + 1);
				if (Integer.parseInt(b) >= 22) {
					allowRenegotiation = true;
				}
			}
		}
		if (allowRenegotiation) {
			logger.info("   allowing SSL renegotiation on Java " + v);
			setAllowRenegotiate(allowRenegotiation);
		}


		if (!StringUtils.isEmpty(certAlias)) {
			logger.info("   certificate alias = " + certAlias);
			setCertAlias(certAlias);
		}
		setKeyStorePassword(storePassword);
		setTrustStore(clientTrustStore.getAbsolutePath());
		setTrustStorePassword(storePassword);

		logger.info("   keyStorePath   = " + keyStore.getAbsolutePath());
		logger.info("   trustStorePath = " + clientTrustStore.getAbsolutePath());
		logger.info("   crlPath        = " + caRevocationList.getAbsolutePath());
	}

	@Override
	protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls)
			throws Exception {
		TrustManager[] managers = super.getTrustManagers(trustStore, crls);
		X509TrustManager delegate = (X509TrustManager) managers[0];
		GitblitTrustManager root = new GitblitTrustManager(delegate, caRevocationList);

		// replace first manager with the GitblitTrustManager
		managers[0] = root;
		return managers;
	}
}