6084-1.diff
src/com/goldencode/p2j/main/ServerDriver.java 2022-06-24 15:06:06 +0000 | ||
2 | 2 |
** Module : ServerDriver.java |
3 | 3 |
** Abstract : command line driver for the server |
4 | 4 |
** |
5 |
** Copyright (c) 2005-2021, Golden Code Development Corporation.
|
|
5 |
** Copyright (c) 2005-2022, Golden Code Development Corporation.
|
|
6 | 6 |
** |
7 | 7 |
** -#- -I- --Date-- --JPRM-- ----------------------------------Description----------------------------------- |
8 | 8 |
** 001 NVS 20050418 @20786 Repackaging net package. This file has been created as a |
... | ... | |
54 | 54 |
** IAS 20210827 Added BouncyCastle JCE/JSSE support |
55 | 55 |
** GES 20210827 Added driver name initialization and diagnostics output. |
56 | 56 |
** OM 20210923 Added -profile command line option for specifying the configuration profile. |
57 |
** IAS 20220624 Added support for the Conscrypt JCE/JSSE provider |
|
57 | 58 |
*/ |
58 | 59 | |
59 | 60 |
/* |
... | ... | |
460 | 461 |
protected void start(BootstrapConfig bc) |
461 | 462 |
throws Exception |
462 | 463 |
{ |
463 |
if (bc.getBoolean("security", "bouncycastle", "use", false) && BCProbe.bcFound) |
|
464 |
String provider = bc.getConfigItem("security", "provider", "name"); |
|
465 |
if ("bouncycastle".equals(provider) && BCProbe.bcFound) |
|
464 | 466 |
{ |
465 | 467 |
Security.insertProviderAt(BCHolder.JCE, 1); |
466 | 468 |
Security.insertProviderAt(BCHolder.JSSE, 2); |
... | ... | |
475 | 477 |
e.printStackTrace(); |
476 | 478 |
} |
477 | 479 |
} |
480 |
else if ("conscrypt".equals(provider) && CSProbe.csFound) |
|
481 |
{ |
|
482 |
Security.insertProviderAt(CSHolder.SSL, 1); |
|
483 |
} |
|
484 |
else if (provider != null) |
|
485 |
{ |
|
486 |
throw new IllegalStateException("Unknown security provider name: [" + provider + "]"); |
|
487 |
} |
|
478 | 488 |
|
479 | 489 |
boolean single = bc.getBoolean("process", "arch", "single", false); |
480 | 490 |
|
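Review bot: A recognised provider name whose probe fails is reported as an unknown name, because `"bouncycastle".equals(provider) && BCProbe.bcFound` and the Conscrypt test both evaluate false together and control falls through to the final `else if (provider != null)`; "conscrypt" configured without the library on the classpath therefore surfaces as `Unknown security provider name: [conscrypt]`, which points the operator at the wrong fix. Add a branch before the last one that separates the two cases, e.g. `else if ("bouncycastle".equals(provider) || "conscrypt".equals(provider)) { throw new IllegalStateException("Security provider [" + provider + "] is configured but was not found on the classpath"); }`. The same three-way structure is repeated in SecurityManager.getSecureSocketContext in this commit, so the branch belongs there too, or better in one shared helper so the two selections cannot drift. The former `security/bouncycastle/use` key is no longer read here; unless it is migrated elsewhere, an existing configuration relying on it now silently runs on the default provider instead of failing loudly. start(BootstrapConfig) continues beyond the hunk.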
src/com/goldencode/p2j/net/SSL.java 2022-06-24 13:57:25 +0000 | ||
2 | 2 |
** Module : SSL.java |
3 | 3 |
** Abstract : Implements abstract SSL FSM on the top of SSLEngine. |
4 | 4 |
** |
5 |
** Copyright (c) 2016-2021, Golden Code Development Corporation.
|
|
5 |
** Copyright (c) 2016-2022, Golden Code Development Corporation.
|
|
6 | 6 |
** |
7 | 7 |
** -#- -I- --Date-- ---------------------------------------Description--------------------------------------- |
8 | 8 |
** 001 IAS 20160805 Initial version |
... | ... | |
11 | 11 |
** IAS 20210323 Re-worked synchronization logic and added logging. |
12 | 12 |
** IAS 20210608 Provide more details on the unwrap() failure. |
13 | 13 |
** IAS 20210827 Fixed sporadic SSL failures |
14 |
** IAS 20220624 Added support for the Conscrypt JCE/JSSE provider |
|
14 | 15 |
*/ |
15 | 16 |
/* |
16 | 17 |
** This program is free software: you can redistribute it and/or modify |
... | ... | |
164 | 165 |
*/ |
165 | 166 |
public SSL(SSLEngine engine, ExecutorService fsmWorkers) |
166 | 167 |
{ |
168 |
int delta = engine.getClass().getName().startsWith("org.conscrypt") ? 0 : 50; |
|
169 |
// the wrap buffers' size adjustment and the value of delta where added |
|
170 |
// based on multiple experiments. |
|
167 | 171 |
SSLSession session = engine.getSession(); |
168 | 172 |
this.appBufferMax = session.getApplicationBufferSize(); |
169 | 173 |
this.netBufferMax = session.getPacketBufferSize(); |
170 | 174 |
LOG.log(Level.FINE, String.format("appBufferMax: %d, netBufferMax: %d \n", appBufferMax, netBufferMax)); |
171 |
this.outWrap = ByteBuffer.allocate(appBufferMax + 50);
|
|
175 |
this.outWrap = ByteBuffer.allocate(appBufferMax + delta);
|
|
172 | 176 |
this.inpWrap = ByteBuffer.allocateDirect(appBufferMax + 50); |
173 | 177 |
this.outUnwrap = ByteBuffer.allocate(2 * netBufferMax); |
174 | 178 |
this.inpUnwrap = ByteBuffer.allocate(2 * netBufferMax); |
175 | 179 |
this.outUnwrap.limit(0); |
176 | 180 |
this.outUnwrap.limit(0); |
177 | 181 | |
178 |
this.maxMessageSize = appBufferMax; |
|
182 |
this.maxMessageSize = appBufferMax - 50 + delta;
|
|
179 | 183 | |
180 | 184 |
this.engine = engine; |
181 | 185 |
this.fsmWorkers = fsmWorkers; |
... | ... | |
578 | 582 |
break; |
579 | 583 | |
580 | 584 |
case BUFFER_OVERFLOW: |
581 |
throw new IllegalStateException("failed to wrap"); |
|
585 |
throw new IllegalStateException("failed to wrap - buffer overflow");
|
|
582 | 586 | |
583 | 587 |
case CLOSED: |
584 | 588 |
this.onClosed(); |
... | ... | |
691 | 695 |
return false; |
692 | 696 | |
693 | 697 |
case BUFFER_OVERFLOW: |
694 |
throw new IllegalStateException("failed to unwrap"); |
|
698 |
throw new IllegalStateException("failed to unwrap - buffer overflow");
|
|
695 | 699 | |
696 | 700 |
case BUFFER_UNDERFLOW: |
697 | 701 |
return false; |
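Review bot: `delta` is derived from `engine.getClass().getName().startsWith("org.conscrypt")`, a string test on an implementation class, and the constructor then mixes it with a literal `50` in three places: `outWrap` gets `appBufferMax + delta`, `maxMessageSize` gets `appBufferMax - 50 + delta`, while `inpWrap` keeps `appBufferMax + 50`. The new comment only says the values came from experiments, so record what they mean, e.g. `// extra wrap headroom the default JSSE engine needs; Conscrypt needs none (measured). inpWrap keeps the original 50 regardless of provider.`, and name the two magic numbers as `private static final int` constants instead of repeating `50`. It is worth stating in that comment whether the asymmetry between `inpWrap` and `outWrap` under Conscrypt is intended, since the BUFFER_OVERFLOW cases in the later hunks now turn a sizing mistake into an IllegalStateException. Separately, the context lines `this.outUnwrap.limit(0);` appear twice in a row; if the second was meant to address `inpUnwrap` that is pre-existing, but it is visible here. The constructor body continues past the hunk.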
src/com/goldencode/p2j/net/SessionManager.java 2022-06-24 09:35:27 +0000 | ||
2 | 2 |
** Module : SessionManager.java |
3 | 3 |
** Abstract : Abstract base class for session management |
4 | 4 |
** |
5 |
** Copyright (c) 2007-2021, Golden Code Development Corporation.
|
|
5 |
** Copyright (c) 2007-2022, Golden Code Development Corporation.
|
|
6 | 6 |
** |
7 | 7 |
** -#- -I- --Date-- --JPRM-- ---------------------------Description------------------------------- |
8 | 8 |
** 001 ECF 20071101 @35865 Created initial version. Abstract base class |
... | ... | |
88 | 88 |
** IAS 20210325 Added NIO configuration via BootstrapConfig |
89 | 89 |
** IAS 20210505 Changed exception thrown on failed shutdown. |
90 | 90 |
** IAS 20210827 Added allowed ciphers' filtering |
91 |
** IAS 20220624 Added support for the configurable JCE/JSSE provider |
|
91 | 92 |
*/ |
92 | 93 | |
93 | 94 |
/* |
... | ... | |
1194 | 1195 |
KeyStoreException, |
1195 | 1196 |
UnrecoverableKeyException, |
1196 | 1197 |
KeyManagementException, |
1197 |
ConfigurationException |
|
1198 |
ConfigurationException, |
|
1199 |
NoSuchProviderException |
|
1198 | 1200 |
{ |
1199 | 1201 |
// detect if we must use TLS (by default we don't use TLS) |
1200 | 1202 |
boolean secure = bc.getBoolean("net", "connection", "secure", false); |
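Review bot: The throws clause gains `NoSuchProviderException` but the method's Javadoc lies above the hunk and is not updated; add an `@throws NoSuchProviderException` entry there, presumably describing the case where the configured JCE/JSSE provider cannot be resolved by name when the SSL context is created. The method signature and the rest of its body are outside the hunk.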
src/com/goldencode/p2j/security/SecurityManager.java 2022-06-24 15:07:01 +0000 | ||
434 | 434 |
** CA 20220405 Added authentication and authorization for web requests. When this is enabled, |
435 | 435 |
** the target API call will be executed under the authenticated FWD context, and not |
436 | 436 |
** the agent's context. |
437 |
** IAS 20220624 Added support for the Conscrypt JCE/JSSE provider |
|
437 | 438 |
*/ |
438 | 439 | |
439 | 440 |
/* |
... | ... | |
508 | 509 | |
509 | 510 |
import org.bouncycastle.jce.provider.*; |
510 | 511 |
import org.bouncycastle.jsse.provider.*; |
512 |
import org.conscrypt.*; |
|
511 | 513 | |
512 | 514 |
import com.goldencode.expr.*; |
513 | 515 |
import com.goldencode.p2j.admin.*; |
... | ... | |
786 | 788 |
getSecureSocketContext(); |
787 | 789 |
} |
788 | 790 |
catch (UnrecoverableKeyException | KeyManagementException | NoSuchAlgorithmException |
789 |
| KeyStoreException | ConfigurationException e) |
|
791 |
| KeyStoreException | ConfigurationException | NoSuchProviderException e)
|
|
790 | 792 |
{ |
791 | 793 |
throw new ConfigurationException("getSecureSocketContext()", e); |
792 | 794 |
} |
... | ... | |
2252 | 2254 |
KeyStoreException, |
2253 | 2255 |
UnrecoverableKeyException, |
2254 | 2256 |
KeyManagementException, |
2255 |
ConfigurationException |
|
2257 |
ConfigurationException, |
|
2258 |
NoSuchProviderException |
|
2256 | 2259 |
{ |
2257 | 2260 |
return getSecureSocketContext(cfg); |
2258 | 2261 |
} |
... | ... | |
2272 | 2275 |
KeyStoreException, |
2273 | 2276 |
UnrecoverableKeyException, |
2274 | 2277 |
KeyManagementException, |
2275 |
ConfigurationException |
|
2278 |
ConfigurationException, |
|
2279 |
NoSuchProviderException |
|
2276 | 2280 |
{ |
2277 | 2281 |
SSLContext ctx; |
2278 |
if (config.getBoolean("security", "bouncycastle", "use", false) && BCProbe.bcFound) |
|
2282 |
String provider = config.getConfigItem("security", "provider", "name"); |
|
2283 | ||
2284 |
if ("bouncycastle".equals(provider) && BCProbe.bcFound) |
|
2279 | 2285 |
{ |
2280 | 2286 |
Security.insertProviderAt(BCHolder.JCE, 1); |
2281 | 2287 |
Security.insertProviderAt(BCHolder.JSSE, 2); |
2282 | 2288 |
ctx = SSLContext.getInstance("TLS", BCHolder.JSSE); |
2283 | 2289 |
} |
2290 |
else if ("conscrypt".equals(provider) && CSProbe.csFound) |
|
2291 |
{ |
|
2292 |
Security.insertProviderAt(CSHolder.SSL, 1); |
|
2293 |
ctx = SSLContext.getInstance("TLS", "Conscrypt"); |
|
2294 |
} |
|
2295 |
else if (provider != null) |
|
2296 |
{ |
|
2297 |
throw new IllegalStateException("Unknown security provider name: [" + provider + "]"); |
|
2298 |
} |
|
2284 | 2299 |
else |
2285 | 2300 |
{ |
2301 |
// Use default provider(s) |
|
2286 | 2302 |
ctx = SSLContext.getInstance("TLS"); |
2287 | 2303 |
} |
2288 | 2304 |
// configure the SSL environment with our custom keys/certs |
... | ... | |
9745 | 9761 |
} |
9746 | 9762 | |
9747 | 9763 |
/** |
9764 |
* Conscrypt provider holder. Will be initialized only when referenced. |
|
9765 |
*/ |
|
9766 |
public static class CSHolder |
|
9767 |
{ |
|
9768 |
/** provider */ |
|
9769 |
public static final Provider SSL = new OpenSSLProvider(); |
|
9770 |
} |
|
9771 | ||
9772 |
/** |
|
9748 | 9773 |
* BouncyCastle presence flag holder holder. Will be initialized only when referenced. |
9749 | 9774 |
*/ |
9750 | 9775 |
public static class BCProbe |
... | ... | |
9776 | 9801 |
} |
9777 | 9802 |
|
9778 | 9803 |
/** |
9804 |
* Conscrypt presence flag holder holder. Will be initialized only when referenced. |
|
9805 |
*/ |
|
9806 |
public static class CSProbe |
|
9807 |
{ |
|
9808 |
/** Logger */ |
|
9809 |
private static final Logger LOG = LogHelper.getLogger(BCProbe.class.getName()); |
|
9810 |
/** BouncyCastle presence flag */ |
|
9811 |
public static final boolean csFound = isCSFound(); |
|
9812 |
|
|
9813 |
/** |
|
9814 |
* Check if BouncyCastle JCE/JSSE present in the classpath |
|
9815 |
* |
|
9816 |
* @return <code>true</code> if BouncyCastle JCE/JSSE found in the classpath |
|
9817 |
*/ |
|
9818 |
private static boolean isCSFound() |
|
9819 |
{ |
|
9820 |
try |
|
9821 |
{ |
|
9822 |
Class.forName("org.conscrypt.OpenSSLProvider"); |
|
9823 |
return true; |
|
9824 |
} |
|
9825 |
catch (ClassNotFoundException e) |
|
9826 |
{ |
|
9827 |
LOG.warning("Conscrypt SSL provider not found. Default one will be used"); |
|
9828 |
return false; |
|
9829 |
} |
|
9830 |
} |
|
9831 |
} |
|
9832 | ||
9833 |
/** |
|
9779 | 9834 |
* A thread inheriting the FWD server context, used to perform authentication and authorization work for |
9780 | 9835 |
* web requests. |
9781 | 9836 |
*/ |
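Review bot: `CSProbe` is a copy of `BCProbe` with its documentation and logger left unchanged: `LOG` is obtained with `BCProbe.class.getName()`, the `csFound` field is documented as `/** BouncyCastle presence flag */`, and `isCSFound()` is documented as checking for BouncyCastle; change the logger to `LogHelper.getLogger(CSProbe.class.getName())` and reword both comments to say Conscrypt. The warning `"Conscrypt SSL provider not found. Default one will be used"` also does not describe what happens: when `provider` is "conscrypt" and `csFound` is false, `getSecureSocketContext` falls through to `else if (provider != null)` and throws, so the message should say the configured provider is missing rather than promise a fallback. In that same method the BouncyCastle branch resolves the context from the provider instance (`BCHolder.JSSE`) while the Conscrypt branch looks it up by name, `SSLContext.getInstance("TLS", "Conscrypt")`; `SSLContext.getInstance("TLS", CSHolder.SSL)` would keep the two branches consistent and not depend on the name registration that the preceding `insertProviderAt` just performed. The enclosing method's signature and Javadoc are outside the hunk.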