6084-1.diff
| src/com/goldencode/p2j/main/ServerDriver.java 2022-06-24 15:06:06 +0000 | ||
|---|---|---|
| 2 | 2 |
** Module : ServerDriver.java |
| 3 | 3 |
** Abstract : command line driver for the server |
| 4 | 4 |
** |
| 5 |
** Copyright (c) 2005-2021, Golden Code Development Corporation.
|
|
| 5 |
** Copyright (c) 2005-2022, Golden Code Development Corporation.
|
|
| 6 | 6 |
** |
| 7 | 7 |
** -#- -I- --Date-- --JPRM-- ----------------------------------Description----------------------------------- |
| 8 | 8 |
** 001 NVS 20050418 @20786 Repackaging net package. This file has been created as a |
| ... | ... | |
| 54 | 54 |
** IAS 20210827 Added BouncyCastle JCE/JSSE support |
| 55 | 55 |
** GES 20210827 Added driver name initialization and diagnostics output. |
| 56 | 56 |
** OM 20210923 Added -profile command line option for specifying the configuration profile. |
| 57 |
** IAS 20220624 Added support for the Conscrypt JCE/JSSE provider |
|
| 57 | 58 |
*/ |
| 58 | 59 | |
| 59 | 60 |
/* |
| ... | ... | |
| 460 | 461 |
protected void start(BootstrapConfig bc) |
| 461 | 462 |
throws Exception |
| 462 | 463 |
{
|
| 463 |
if (bc.getBoolean("security", "bouncycastle", "use", false) && BCProbe.bcFound)
|
|
| 464 |
String provider = bc.getConfigItem("security", "provider", "name");
|
|
| 465 |
if ("bouncycastle".equals(provider) && BCProbe.bcFound)
|
|
| 464 | 466 |
{
|
| 465 | 467 |
Security.insertProviderAt(BCHolder.JCE, 1); |
| 466 | 468 |
Security.insertProviderAt(BCHolder.JSSE, 2); |
| ... | ... | |
| 475 | 477 |
e.printStackTrace(); |
| 476 | 478 |
} |
| 477 | 479 |
} |
| 480 |
else if ("conscrypt".equals(provider) && CSProbe.csFound)
|
|
| 481 |
{
|
|
| 482 |
Security.insertProviderAt(CSHolder.SSL, 1); |
|
| 483 |
} |
|
| 484 |
else if (provider != null) |
|
| 485 |
{
|
|
| 486 |
throw new IllegalStateException("Unknown security provider name: [" + provider + "]");
|
|
| 487 |
} |
|
| 478 | 488 |
|
| 479 | 489 |
boolean single = bc.getBoolean("process", "arch", "single", false);
|
| 480 | 490 |
|
| src/com/goldencode/p2j/net/SSL.java 2022-06-24 13:57:25 +0000 | ||
|---|---|---|
| 2 | 2 |
** Module : SSL.java |
| 3 | 3 |
** Abstract : Implements abstract SSL FSM on the top of SSLEngine. |
| 4 | 4 |
** |
| 5 |
** Copyright (c) 2016-2021, Golden Code Development Corporation.
|
|
| 5 |
** Copyright (c) 2016-2022, Golden Code Development Corporation.
|
|
| 6 | 6 |
** |
| 7 | 7 |
** -#- -I- --Date-- ---------------------------------------Description--------------------------------------- |
| 8 | 8 |
** 001 IAS 20160805 Initial version |
| ... | ... | |
| 11 | 11 |
** IAS 20210323 Re-worked synchronization logic and added logging. |
| 12 | 12 |
** IAS 20210608 Provide more details on the unwrap() failure. |
| 13 | 13 |
** IAS 20210827 Fixed sporadic SSL failures |
| 14 |
** IAS 20220624 Added support for the Conscrypt JCE/JSSE provider |
|
| 14 | 15 |
*/ |
| 15 | 16 |
/* |
| 16 | 17 |
** This program is free software: you can redistribute it and/or modify |
| ... | ... | |
| 164 | 165 |
*/ |
| 165 | 166 |
public SSL(SSLEngine engine, ExecutorService fsmWorkers) |
| 166 | 167 |
{
|
| 168 |
int delta = engine.getClass().getName().startsWith("org.conscrypt") ? 0 : 50;
|
|
| 169 |
// the wrap buffers' size adjustment and the value of delta where added |
|
| 170 |
// based on multiple experiments. |
|
| 167 | 171 |
SSLSession session = engine.getSession(); |
| 168 | 172 |
this.appBufferMax = session.getApplicationBufferSize(); |
| 169 | 173 |
this.netBufferMax = session.getPacketBufferSize(); |
| 170 | 174 |
LOG.log(Level.FINE, String.format("appBufferMax: %d, netBufferMax: %d \n", appBufferMax, netBufferMax));
|
| 171 |
this.outWrap = ByteBuffer.allocate(appBufferMax + 50);
|
|
| 175 |
this.outWrap = ByteBuffer.allocate(appBufferMax + delta);
|
|
| 172 | 176 |
this.inpWrap = ByteBuffer.allocateDirect(appBufferMax + 50); |
| 173 | 177 |
this.outUnwrap = ByteBuffer.allocate(2 * netBufferMax); |
| 174 | 178 |
this.inpUnwrap = ByteBuffer.allocate(2 * netBufferMax); |
| 175 | 179 |
this.outUnwrap.limit(0); |
| 176 | 180 |
this.outUnwrap.limit(0); |
| 177 | 181 | |
| 178 |
this.maxMessageSize = appBufferMax; |
|
| 182 |
this.maxMessageSize = appBufferMax - 50 + delta;
|
|
| 179 | 183 | |
| 180 | 184 |
this.engine = engine; |
| 181 | 185 |
this.fsmWorkers = fsmWorkers; |
| ... | ... | |
| 578 | 582 |
break; |
| 579 | 583 | |
| 580 | 584 |
case BUFFER_OVERFLOW: |
| 581 |
throw new IllegalStateException("failed to wrap");
|
|
| 585 |
throw new IllegalStateException("failed to wrap - buffer overflow");
|
|
| 582 | 586 | |
| 583 | 587 |
case CLOSED: |
| 584 | 588 |
this.onClosed(); |
| ... | ... | |
| 691 | 695 |
return false; |
| 692 | 696 | |
| 693 | 697 |
case BUFFER_OVERFLOW: |
| 694 |
throw new IllegalStateException("failed to unwrap");
|
|
| 698 |
throw new IllegalStateException("failed to unwrap - buffer overflow");
|
|
| 695 | 699 | |
| 696 | 700 |
case BUFFER_UNDERFLOW: |
| 697 | 701 |
return false; |
| src/com/goldencode/p2j/net/SessionManager.java 2022-06-24 09:35:27 +0000 | ||
|---|---|---|
| 2 | 2 |
** Module : SessionManager.java |
| 3 | 3 |
** Abstract : Abstract base class for session management |
| 4 | 4 |
** |
| 5 |
** Copyright (c) 2007-2021, Golden Code Development Corporation.
|
|
| 5 |
** Copyright (c) 2007-2022, Golden Code Development Corporation.
|
|
| 6 | 6 |
** |
| 7 | 7 |
** -#- -I- --Date-- --JPRM-- ---------------------------Description------------------------------- |
| 8 | 8 |
** 001 ECF 20071101 @35865 Created initial version. Abstract base class |
| ... | ... | |
| 88 | 88 |
** IAS 20210325 Added NIO configuration via BootstrapConfig |
| 89 | 89 |
** IAS 20210505 Changed exception thrown on failed shutdown. |
| 90 | 90 |
** IAS 20210827 Added allowed ciphers' filtering |
| 91 |
** IAS 20220624 Added support for the configurable JCE/JSSE provider |
|
| 91 | 92 |
*/ |
| 92 | 93 | |
| 93 | 94 |
/* |
| ... | ... | |
| 1194 | 1195 |
KeyStoreException, |
| 1195 | 1196 |
UnrecoverableKeyException, |
| 1196 | 1197 |
KeyManagementException, |
| 1197 |
ConfigurationException |
|
| 1198 |
ConfigurationException, |
|
| 1199 |
NoSuchProviderException |
|
| 1198 | 1200 |
{
|
| 1199 | 1201 |
// detect if we must use TLS (by default we don't use TLS) |
| 1200 | 1202 |
boolean secure = bc.getBoolean("net", "connection", "secure", false);
|
| src/com/goldencode/p2j/security/SecurityManager.java 2022-06-24 15:07:01 +0000 | ||
|---|---|---|
| 434 | 434 |
** CA 20220405 Added authentication and authorization for web requests. When this is enabled, |
| 435 | 435 |
** the target API call will be executed under the authenticated FWD context, and not |
| 436 | 436 |
** the agent's context. |
| 437 |
** IAS 20220624 Added support for the Conscrypt JCE/JSSE provider |
|
| 437 | 438 |
*/ |
| 438 | 439 | |
| 439 | 440 |
/* |
| ... | ... | |
| 508 | 509 | |
| 509 | 510 |
import org.bouncycastle.jce.provider.*; |
| 510 | 511 |
import org.bouncycastle.jsse.provider.*; |
| 512 |
import org.conscrypt.*; |
|
| 511 | 513 | |
| 512 | 514 |
import com.goldencode.expr.*; |
| 513 | 515 |
import com.goldencode.p2j.admin.*; |
| ... | ... | |
| 786 | 788 |
getSecureSocketContext(); |
| 787 | 789 |
} |
| 788 | 790 |
catch (UnrecoverableKeyException | KeyManagementException | NoSuchAlgorithmException |
| 789 |
| KeyStoreException | ConfigurationException e) |
|
| 791 |
| KeyStoreException | ConfigurationException | NoSuchProviderException e)
|
|
| 790 | 792 |
{
|
| 791 | 793 |
throw new ConfigurationException("getSecureSocketContext()", e);
|
| 792 | 794 |
} |
| ... | ... | |
| 2252 | 2254 |
KeyStoreException, |
| 2253 | 2255 |
UnrecoverableKeyException, |
| 2254 | 2256 |
KeyManagementException, |
| 2255 |
ConfigurationException |
|
| 2257 |
ConfigurationException, |
|
| 2258 |
NoSuchProviderException |
|
| 2256 | 2259 |
{
|
| 2257 | 2260 |
return getSecureSocketContext(cfg); |
| 2258 | 2261 |
} |
| ... | ... | |
| 2272 | 2275 |
KeyStoreException, |
| 2273 | 2276 |
UnrecoverableKeyException, |
| 2274 | 2277 |
KeyManagementException, |
| 2275 |
ConfigurationException |
|
| 2278 |
ConfigurationException, |
|
| 2279 |
NoSuchProviderException |
|
| 2276 | 2280 |
{
|
| 2277 | 2281 |
SSLContext ctx; |
| 2278 |
if (config.getBoolean("security", "bouncycastle", "use", false) && BCProbe.bcFound)
|
|
| 2282 |
String provider = config.getConfigItem("security", "provider", "name");
|
|
| 2283 | ||
| 2284 |
if ("bouncycastle".equals(provider) && BCProbe.bcFound)
|
|
| 2279 | 2285 |
{
|
| 2280 | 2286 |
Security.insertProviderAt(BCHolder.JCE, 1); |
| 2281 | 2287 |
Security.insertProviderAt(BCHolder.JSSE, 2); |
| 2282 | 2288 |
ctx = SSLContext.getInstance("TLS", BCHolder.JSSE);
|
| 2283 | 2289 |
} |
| 2290 |
else if ("conscrypt".equals(provider) && CSProbe.csFound)
|
|
| 2291 |
{
|
|
| 2292 |
Security.insertProviderAt(CSHolder.SSL, 1); |
|
| 2293 |
ctx = SSLContext.getInstance("TLS", "Conscrypt");
|
|
| 2294 |
} |
|
| 2295 |
else if (provider != null) |
|
| 2296 |
{
|
|
| 2297 |
throw new IllegalStateException("Unknown security provider name: [" + provider + "]");
|
|
| 2298 |
} |
|
| 2284 | 2299 |
else |
| 2285 | 2300 |
{
|
| 2301 |
// Use default provider(s) |
|
| 2286 | 2302 |
ctx = SSLContext.getInstance("TLS");
|
| 2287 | 2303 |
} |
| 2288 | 2304 |
// configure the SSL environment with our custom keys/certs |
| ... | ... | |
| 9745 | 9761 |
} |
| 9746 | 9762 | |
| 9747 | 9763 |
/** |
| 9764 |
* Conscrypt provider holder. Will be initialized only when referenced. |
|
| 9765 |
*/ |
|
| 9766 |
public static class CSHolder |
|
| 9767 |
{
|
|
| 9768 |
/** provider */ |
|
| 9769 |
public static final Provider SSL = new OpenSSLProvider(); |
|
| 9770 |
} |
|
| 9771 | ||
| 9772 |
/** |
|
| 9748 | 9773 |
* BouncyCastle presence flag holder holder. Will be initialized only when referenced. |
| 9749 | 9774 |
*/ |
| 9750 | 9775 |
public static class BCProbe |
| ... | ... | |
| 9776 | 9801 |
} |
| 9777 | 9802 |
|
| 9778 | 9803 |
/** |
| 9804 |
* Conscrypt presence flag holder holder. Will be initialized only when referenced. |
|
| 9805 |
*/ |
|
| 9806 |
public static class CSProbe |
|
| 9807 |
{
|
|
| 9808 |
/** Logger */ |
|
| 9809 |
private static final Logger LOG = LogHelper.getLogger(BCProbe.class.getName()); |
|
| 9810 |
/** BouncyCastle presence flag */ |
|
| 9811 |
public static final boolean csFound = isCSFound(); |
|
| 9812 |
|
|
| 9813 |
/** |
|
| 9814 |
* Check if BouncyCastle JCE/JSSE present in the classpath |
|
| 9815 |
* |
|
| 9816 |
* @return <code>true</code> if BouncyCastle JCE/JSSE found in the classpath |
|
| 9817 |
*/ |
|
| 9818 |
private static boolean isCSFound() |
|
| 9819 |
{
|
|
| 9820 |
try |
|
| 9821 |
{
|
|
| 9822 |
Class.forName("org.conscrypt.OpenSSLProvider");
|
|
| 9823 |
return true; |
|
| 9824 |
} |
|
| 9825 |
catch (ClassNotFoundException e) |
|
| 9826 |
{
|
|
| 9827 |
LOG.warning("Conscrypt SSL provider not found. Default one will be used");
|
|
| 9828 |
return false; |
|
| 9829 |
} |
|
| 9830 |
} |
|
| 9831 |
} |
|
| 9832 | ||
| 9833 |
/** |
|
| 9779 | 9834 |
* A thread inheriting the FWD server context, used to perform authentication and authorization work for |
| 9780 | 9835 |
* web requests. |
| 9781 | 9836 |
*/ |