source: josm/trunk/src/org/openstreetmap/josm/io/remotecontrol/RemoteControlHttpsServer.java@ 7402

Last change on this file since 7402 was 7402, checked in by Don-vip, 10 years ago

fix some Sonar issues
File size: 18.4 KB
Line 
1// License: GPL. For details, see LICENSE file.
2package org.openstreetmap.josm.io.remotecontrol;
3
4import static org.openstreetmap.josm.tools.I18n.marktr;
5import static org.openstreetmap.josm.tools.I18n.tr;
6
7import java.io.IOException;
8import java.io.InputStream;
9import java.math.BigInteger;
10import java.net.BindException;
11import java.net.InetAddress;
12import java.net.ServerSocket;
13import java.net.Socket;
14import java.net.SocketException;
15import java.nio.file.Files;
16import java.nio.file.Path;
17import java.nio.file.Paths;
18import java.nio.file.StandardOpenOption;
19import java.security.GeneralSecurityException;
20import java.security.KeyPair;
21import java.security.KeyPairGenerator;
22import java.security.KeyStore;
23import java.security.KeyStoreException;
24import java.security.NoSuchAlgorithmException;
25import java.security.PrivateKey;
26import java.security.SecureRandom;
27import java.security.cert.Certificate;
28import java.security.cert.CertificateException;
29import java.security.cert.X509Certificate;
30import java.util.Arrays;
31import java.util.Date;
32import java.util.Enumeration;
33import java.util.Vector;
34
35import javax.net.ssl.KeyManagerFactory;
36import javax.net.ssl.SSLContext;
37import javax.net.ssl.SSLServerSocket;
38import javax.net.ssl.SSLServerSocketFactory;
39import javax.net.ssl.SSLSocket;
40import javax.net.ssl.TrustManagerFactory;
41
42import org.openstreetmap.josm.Main;
43import org.openstreetmap.josm.data.preferences.StringProperty;
44
45import sun.security.util.ObjectIdentifier;
46import sun.security.x509.AlgorithmId;
47import sun.security.x509.BasicConstraintsExtension;
48import sun.security.x509.CertificateAlgorithmId;
49import sun.security.x509.CertificateExtensions;
50import sun.security.x509.CertificateIssuerName;
51import sun.security.x509.CertificateSerialNumber;
52import sun.security.x509.CertificateSubjectName;
53import sun.security.x509.CertificateValidity;
54import sun.security.x509.CertificateVersion;
55import sun.security.x509.CertificateX509Key;
56import sun.security.x509.ExtendedKeyUsageExtension;
57import sun.security.x509.GeneralName;
58import sun.security.x509.GeneralNameInterface;
59import sun.security.x509.GeneralNames;
60import sun.security.x509.IPAddressName;
61import sun.security.x509.OIDName;
62import sun.security.x509.SubjectAlternativeNameExtension;
63import sun.security.x509.URIName;
64import sun.security.x509.X500Name;
65import sun.security.x509.X509CertImpl;
66import sun.security.x509.X509CertInfo;
67
68/**
69 * Simple HTTPS server that spawns a {@link RequestProcessor} for every secure connection.
70 *
71 * @since 6941
72 */
73public class RemoteControlHttpsServer extends Thread {
74
75 /** The server socket */
76 private ServerSocket server;
77
78 private static RemoteControlHttpsServer instance;
79 private boolean initOK = false;
80 private SSLContext sslContext;
81
82 private static final int HTTPS_PORT = 8112;
83
84 /**
85 * JOSM keystore file name.
86 * @since 7337
87 */
88 public static final String KEYSTORE_FILENAME = "josm.keystore";
89
90 /**
91 * Preference for keystore password (automatically generated by JOSM).
92 * @since 7335
93 */
94 public static final StringProperty KEYSTORE_PASSWORD = new StringProperty("remotecontrol.https.keystore.password", "");
95
96 /**
97 * Preference for certificate password (automatically generated by JOSM).
98 * @since 7335
99 */
100 public static final StringProperty KEYENTRY_PASSWORD = new StringProperty("remotecontrol.https.keyentry.password", "");
101
102 /**
103 * Unique alias used to store JOSM localhost entry, both in JOSM keystore and system/browser keystores.
104 * @since 7343
105 */
106 public static final String ENTRY_ALIAS = "josm_localhost";
107
108 /**
109 * Creates a GeneralName object from known types.
110 * @param t one of 4 known types
111 * @param v value
112 * @return which one
113 * @throws IOException
114 */
115 private static GeneralName createGeneralName(String t, String v) throws IOException {
116 GeneralNameInterface gn;
117 switch (t.toLowerCase()) {
118 case "uri": gn = new URIName(v); break;
119 case "dns": gn = new DNSName(v); break;
120 case "ip": gn = new IPAddressName(v); break;
121 default: gn = new OIDName(v);
122 }
123 return new GeneralName(gn);
124 }
125
126 /**
127 * Create a self-signed X.509 Certificate.
128 * @param dn the X.509 Distinguished Name, eg "CN=localhost, OU=JOSM, O=OpenStreetMap"
129 * @param pair the KeyPair
130 * @param days how many days from now the Certificate is valid for
131 * @param algorithm the signing algorithm, eg "SHA256withRSA"
132 * @param san SubjectAlternativeName extension (optional)
133 */
134 private static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm, String san) throws GeneralSecurityException, IOException {
135 PrivateKey privkey = pair.getPrivate();
136 X509CertInfo info = new X509CertInfo();
137 Date from = new Date();
138 Date to = new Date(from.getTime() + days * 86400000L);
139 CertificateValidity interval = new CertificateValidity(from, to);
140 BigInteger sn = new BigInteger(64, new SecureRandom());
141 X500Name owner = new X500Name(dn);
142
143 info.set(X509CertInfo.VALIDITY, interval);
144 info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
145
146 // Change of behaviour in JDK8:
147 // https://bugs.openjdk.java.net/browse/JDK-8040820
148 // https://bugs.openjdk.java.net/browse/JDK-7198416
149 String version = System.getProperty("java.version");
150 if (version == null || version.matches("^(1\\.)?[7].*")) {
151 // Java 7 code. To remove with Java 8 migration
152 info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
153 info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
154 } else {
155 // Java 8 and later code
156 info.set(X509CertInfo.SUBJECT, owner);
157 info.set(X509CertInfo.ISSUER, owner);
158 }
159
160 info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
161 info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
162 AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
163 info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
164
165 CertificateExtensions ext = new CertificateExtensions();
166 // Critical: Not CA, max path len 0
167 ext.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(true, false, 0));
168 // Critical: only allow TLS ("serverAuth" = 1.3.6.1.5.5.7.3.1)
169 ext.set(ExtendedKeyUsageExtension.NAME, new ExtendedKeyUsageExtension(true,
170 new Vector<ObjectIdentifier>(Arrays.asList(new ObjectIdentifier("1.3.6.1.5.5.7.3.1")))));
171
172 if (san != null) {
173 int colonpos;
174 String[] ps = san.split(",");
175 GeneralNames gnames = new GeneralNames();
176 for(String item: ps) {
177 colonpos = item.indexOf(':');
178 if (colonpos < 0) {
179 throw new IllegalArgumentException("Illegal item " + item + " in " + san);
180 }
181 String t = item.substring(0, colonpos);
182 String v = item.substring(colonpos+1);
183 gnames.add(createGeneralName(t, v));
184 }
185 // Non critical
186 ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(false, gnames));
187 }
188
189 info.set(X509CertInfo.EXTENSIONS, ext);
190
191 // Sign the cert to identify the algorithm that's used.
192 X509CertImpl cert = new X509CertImpl(info);
193 cert.sign(privkey, algorithm);
194
195 // Update the algorithm, and resign.
196 algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
197 info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
198 cert = new X509CertImpl(info);
199 cert.sign(privkey, algorithm);
200 return cert;
201 }
202
203 /**
204 * Setup the JOSM internal keystore, used to store HTTPS certificate and private key.
205 * @return Path to the (initialized) JOSM keystore
206 * @throws IOException if an I/O error occurs
207 * @throws GeneralSecurityException if a security error occurs
208 * @since 7343
209 */
210 public static Path setupJosmKeystore() throws IOException, GeneralSecurityException {
211
212 char[] storePassword = KEYSTORE_PASSWORD.get().toCharArray();
213 char[] entryPassword = KEYENTRY_PASSWORD.get().toCharArray();
214
215 Path dir = Paths.get(RemoteControl.getRemoteControlDir());
216 Path path = dir.resolve(KEYSTORE_FILENAME);
217 Files.createDirectories(dir);
218
219 if (!Files.exists(path)) {
220 Main.debug("No keystore found, creating a new one");
221
222 // Create new keystore like previous one generated with JDK keytool as follows:
223 // keytool -genkeypair -storepass josm_ssl -keypass josm_ssl -alias josm_localhost -dname "CN=localhost, OU=JOSM, O=OpenStreetMap"
224 // -ext san=ip:127.0.0.1 -keyalg RSA -validity 1825
225
226 KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
227 generator.initialize(2048);
228 KeyPair pair = generator.generateKeyPair();
229
230 X509Certificate cert = generateCertificate("CN=localhost, OU=JOSM, O=OpenStreetMap", pair, 1825, "SHA256withRSA",
231 // see #10033#comment:20: All browsers respect "ip" in SAN, except IE which only understands DNS entries:
232 // https://connect.microsoft.com/IE/feedback/details/814744/the-ie-doesnt-trust-a-san-certificate-when-connecting-to-ip-address
233 "dns:localhost,ip:127.0.0.1,dns:127.0.0.1,ip:::1,uri:https://127.0.0.1:"+HTTPS_PORT+",uri:https://::1:"+HTTPS_PORT);
234
235 KeyStore ks = KeyStore.getInstance("JKS");
236 ks.load(null, null);
237
238 // Generate new passwords. See https://stackoverflow.com/a/41156/2257172
239 SecureRandom random = new SecureRandom();
240 KEYSTORE_PASSWORD.put(new BigInteger(130, random).toString(32));
241 KEYENTRY_PASSWORD.put(new BigInteger(130, random).toString(32));
242
243 storePassword = KEYSTORE_PASSWORD.get().toCharArray();
244 entryPassword = KEYENTRY_PASSWORD.get().toCharArray();
245
246 ks.setKeyEntry(ENTRY_ALIAS, pair.getPrivate(), entryPassword, new Certificate[]{cert});
247 ks.store(Files.newOutputStream(path, StandardOpenOption.CREATE), storePassword);
248 }
249 return path;
250 }
251
252 /**
253 * Loads the JOSM keystore.
254 * @return the (initialized) JOSM keystore
255 * @throws IOException if an I/O error occurs
256 * @throws GeneralSecurityException if a security error occurs
257 * @since 7343
258 */
259 public static KeyStore loadJosmKeystore() throws IOException, GeneralSecurityException {
260 try (InputStream in = Files.newInputStream(setupJosmKeystore())) {
261 KeyStore ks = KeyStore.getInstance("JKS");
262 ks.load(in, KEYSTORE_PASSWORD.get().toCharArray());
263
264 if (Main.isDebugEnabled()) {
265 for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
266 Main.debug("Alias in JOSM keystore: "+aliases.nextElement());
267 }
268 }
269 return ks;
270 }
271 }
272
273 private void initialize() {
274 if (!initOK) {
275 try {
276 KeyStore ks = loadJosmKeystore();
277
278 KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
279 kmf.init(ks, KEYENTRY_PASSWORD.get().toCharArray());
280
281 TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
282 tmf.init(ks);
283
284 sslContext = SSLContext.getInstance("TLS");
285 sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
286
287 if (Main.isTraceEnabled()) {
288 Main.trace("SSL Context protocol: " + sslContext.getProtocol());
289 Main.trace("SSL Context provider: " + sslContext.getProvider());
290 }
291
292 setupPlatform(ks);
293
294 initOK = true;
295 } catch (IOException | GeneralSecurityException e) {
296 Main.error(e);
297 }
298 }
299 }
300
301 /**
302 * Setup the platform-dependant certificate stuff.
303 * @param josmKs The JOSM keystore, containing localhost certificate and private key.
304 * @return {@code true} if something has changed as a result of the call (certificate installation, etc.)
305 * @throws KeyStoreException if the keystore has not been initialized (loaded)
306 * @throws NoSuchAlgorithmException in case of error
307 * @throws CertificateException in case of error
308 * @throws IOException in case of error
309 * @since 7343
310 */
311 public static boolean setupPlatform(KeyStore josmKs) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
312 Enumeration<String> aliases = josmKs.aliases();
313 if (aliases.hasMoreElements()) {
314 return Main.platform.setupHttpsCertificate(ENTRY_ALIAS,
315 new KeyStore.TrustedCertificateEntry(josmKs.getCertificate(aliases.nextElement())));
316 }
317 return false;
318 }
319
320 /**
321 * Starts or restarts the HTTPS server
322 */
323 public static void restartRemoteControlHttpsServer() {
324 int port = Main.pref.getInteger("remote.control.https.port", HTTPS_PORT);
325 try {
326 stopRemoteControlHttpsServer();
327
328 if (RemoteControl.PROP_REMOTECONTROL_HTTPS_ENABLED.get()) {
329 instance = new RemoteControlHttpsServer(port);
330 if (instance.initOK) {
331 instance.start();
332 }
333 }
334 } catch (BindException ex) {
335 Main.warn(marktr("Cannot start remotecontrol https server on port {0}: {1}"),
336 Integer.toString(port), ex.getLocalizedMessage());
337 } catch (IOException ioe) {
338 Main.error(ioe);
339 } catch (NoSuchAlgorithmException e) {
340 Main.error(e);
341 }
342 }
343
344 /**
345 * Stops the HTTPS server
346 */
347 public static void stopRemoteControlHttpsServer() {
348 if (instance != null) {
349 try {
350 instance.stopServer();
351 instance = null;
352 } catch (IOException ioe) {
353 Main.error(ioe);
354 }
355 }
356 }
357
358 /**
359 * Constructs a new {@code RemoteControlHttpsServer}.
360 * @param port The port this server will listen on
361 * @throws IOException when connection errors
362 * @throws NoSuchAlgorithmException if the JVM does not support TLS (can not happen)
363 */
364 public RemoteControlHttpsServer(int port) throws IOException, NoSuchAlgorithmException {
365 super("RemoteControl HTTPS Server");
366 this.setDaemon(true);
367
368 initialize();
369
370 if (!initOK) {
371 Main.error(tr("Unable to initialize Remote Control HTTPS Server"));
372 return;
373 }
374
375 // Create SSL Server factory
376 SSLServerSocketFactory factory = sslContext.getServerSocketFactory();
377 if (Main.isTraceEnabled()) {
378 Main.trace("SSL factory - Supported Cipher suites: "+Arrays.toString(factory.getSupportedCipherSuites()));
379 }
380
381 // Start the server socket with only 1 connection.
382 // Also make sure we only listen
383 // on the local interface so nobody from the outside can connect!
384 // NOTE: On a dual stack machine with old Windows OS this may not listen on both interfaces!
385 this.server = factory.createServerSocket(port, 1,
386 InetAddress.getByName(Main.pref.get("remote.control.host", "localhost")));
387
388 if (Main.isTraceEnabled() && server instanceof SSLServerSocket) {
389 SSLServerSocket sslServer = (SSLServerSocket) server;
390 Main.trace("SSL server - Enabled Cipher suites: "+Arrays.toString(sslServer.getEnabledCipherSuites()));
391 Main.trace("SSL server - Enabled Protocols: "+Arrays.toString(sslServer.getEnabledProtocols()));
392 Main.trace("SSL server - Enable Session Creation: "+sslServer.getEnableSessionCreation());
393 Main.trace("SSL server - Need Client Auth: "+sslServer.getNeedClientAuth());
394 Main.trace("SSL server - Want Client Auth: "+sslServer.getWantClientAuth());
395 Main.trace("SSL server - Use Client Mode: "+sslServer.getUseClientMode());
396 }
397 }
398
399 /**
400 * The main loop, spawns a {@link RequestProcessor} for each connection.
401 */
402 @Override
403 public void run() {
404 Main.info(marktr("RemoteControl::Accepting secure connections on port {0}"),
405 Integer.toString(server.getLocalPort()));
406 while (true) {
407 try {
408 @SuppressWarnings("resource")
409 Socket request = server.accept();
410 if (Main.isTraceEnabled() && request instanceof SSLSocket) {
411 SSLSocket sslSocket = (SSLSocket) request;
412 Main.trace("SSL socket - Enabled Cipher suites: "+Arrays.toString(sslSocket.getEnabledCipherSuites()));
413 Main.trace("SSL socket - Enabled Protocols: "+Arrays.toString(sslSocket.getEnabledProtocols()));
414 Main.trace("SSL socket - Enable Session Creation: "+sslSocket.getEnableSessionCreation());
415 Main.trace("SSL socket - Need Client Auth: "+sslSocket.getNeedClientAuth());
416 Main.trace("SSL socket - Want Client Auth: "+sslSocket.getWantClientAuth());
417 Main.trace("SSL socket - Use Client Mode: "+sslSocket.getUseClientMode());
418 Main.trace("SSL socket - Session: "+sslSocket.getSession());
419 }
420 RequestProcessor.processRequest(request);
421 } catch (SocketException se) {
422 if (!server.isClosed()) {
423 Main.error(se);
424 }
425 } catch (IOException ioe) {
426 Main.error(ioe);
427 }
428 }
429 }
430
431 /**
432 * Stops the HTTPS server.
433 *
434 * @throws IOException if any I/O error occurs
435 */
436 public void stopServer() throws IOException {
437 if (server != null) {
438 server.close();
439 Main.info(marktr("RemoteControl::Server (https) stopped."));
440 }
441 }
442}
Note: See TracBrowser for help on using the repository browser.