/*
* JBoss, Home of Professional Open Source.
* Copyright 2014 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.undertow.servlet.handlers.security;
import java.io.ByteArrayInputStream;
import java.security.cert.X509Certificate;
import javax.servlet.ServletRequest;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.SSLSessionInfo;
import io.undertow.servlet.handlers.ServletRequestContext;
Handler that associates SSL metadata with request
cipher suite - javax.servlet.request.cipher_suite String
bit size of the algorithm - javax.servlet.request.key_size Integer
SSL session id - javax.servlet.request.ssl_session_id String
Author: Tomaz Cerar (c) 2013 Red Hat Inc.
/**
* Handler that associates SSL metadata with request
* <p>
* cipher suite - javax.servlet.request.cipher_suite String
* bit size of the algorithm - javax.servlet.request.key_size Integer
* SSL session id - javax.servlet.request.ssl_session_id String
*
* @author <a href="mailto:tomaz.cerar@redhat.com">Tomaz Cerar</a> (c) 2013 Red Hat Inc.
*/
public class SSLInformationAssociationHandler implements HttpHandler {
private final HttpHandler next;
public SSLInformationAssociationHandler(final HttpHandler next) {
this.next = next;
}
Given the name of a TLS/SSL cipher suite, return an int representing it effective stream
cipher key strength. i.e. How much entropy material is in the key material being fed into the
encryption routines.
http://www.thesprawl.org/research/tls-and-ssl-cipher-suites/
Params: - cipherSuite – String name of the TLS cipher suite.
Returns: int indicating the effective key entropy bit-length.
/**
* Given the name of a TLS/SSL cipher suite, return an int representing it effective stream
* cipher key strength. i.e. How much entropy material is in the key material being fed into the
* encryption routines.
* <p>
* http://www.thesprawl.org/research/tls-and-ssl-cipher-suites/
* </p>
*
* @param cipherSuite String name of the TLS cipher suite.
* @return int indicating the effective key entropy bit-length.
*/
public static int getKeyLength(String cipherSuite) {
// Roughly ordered from most common to least common.
if (cipherSuite == null) {
return 0;
} else if (cipherSuite.contains("WITH_AES_256_")) {
return 256;
} else if (cipherSuite.contains("WITH_RC4_128_")) {
return 128;
} else if (cipherSuite.contains("WITH_AES_128_")) {
return 128;
} else if (cipherSuite.contains("WITH_RC4_40_")) {
return 40;
} else if (cipherSuite.contains("WITH_3DES_EDE_CBC_")) {
return 168;
} else if (cipherSuite.contains("WITH_IDEA_CBC_")) {
return 128;
} else if (cipherSuite.contains("WITH_RC2_CBC_40_")) {
return 40;
} else if (cipherSuite.contains("WITH_DES40_CBC_")) {
return 40;
} else if (cipherSuite.contains("WITH_DES_CBC_")) {
return 56;
} else {
return 0;
}
}
/* ------------------------------------------------------------ */
Return the chain of X509 certificates used to negotiate the SSL Session.
We convert JSSE's javax.security.cert.X509Certificate[] to servlet's java.security.cert.X509Certificate[]
Params: - session – the javax.net.ssl.SSLSession to use as the source of the cert chain.
Returns: the chain of java.security.cert.X509Certificates used to
negotiate the SSL connection.
Will be null if the chain is missing or empty.
/**
* Return the chain of X509 certificates used to negotiate the SSL Session.
* <p>
* We convert JSSE's javax.security.cert.X509Certificate[] to servlet's java.security.cert.X509Certificate[]
*
* @param session the javax.net.ssl.SSLSession to use as the source of the cert chain.
* @return the chain of java.security.cert.X509Certificates used to
* negotiate the SSL connection. <br>
* Will be null if the chain is missing or empty.
*/
private X509Certificate[] getCerts(SSLSessionInfo session) {
try {
javax.security.cert.X509Certificate[] javaxCerts = session.getPeerCertificateChain();
if (javaxCerts == null || javaxCerts.length == 0) {
return null;
}
X509Certificate[] javaCerts = new X509Certificate[javaxCerts.length];
java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
for (int i = 0; i < javaxCerts.length; i++) {
byte[] bytes = javaxCerts[i].getEncoded();
ByteArrayInputStream stream = new ByteArrayInputStream(bytes);
javaCerts[i] = (X509Certificate) cf.generateCertificate(stream);
}
return javaCerts;
} catch (Exception e) {
return null;
}
}
@Override
public void handleRequest(HttpServerExchange exchange) throws Exception {
ServletRequest request = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getServletRequest();
SSLSessionInfo ssl = exchange.getConnection().getSslSessionInfo();
if (ssl != null) {
String cipherSuite = ssl.getCipherSuite();
request.setAttribute("javax.servlet.request.cipher_suite", cipherSuite);
request.setAttribute("javax.servlet.request.key_size", getKeyLength(cipherSuite));
request.setAttribute("javax.servlet.request.ssl_session_id", ssl.getSessionId());
X509Certificate[] certs = getCerts(ssl);
if (certs != null) {
request.setAttribute("javax.servlet.request.X509Certificate", certs);
}
}
next.handleRequest(exchange);
}
}