/**
* Initializes Association related parameters.
*
* @param cfg the configuration properties for this class.
* @param url the DcmURL of the communication partner.
*/
private final void initAssocParam(ConfigProperties cfg, DcmURL url) {
String callingAET = null;
// >>>> Get data for filling the Association object for establishing an
// >>>> active association from configuration file
acTimeout = Integer.parseInt(cfg.getProperty("ac-timeout", "5000"));
dimseTimeout = Integer.parseInt(cfg.getProperty("dimse-timeout", "0"));
soCloseDelay = Integer.parseInt(cfg.getProperty("so-close-delay", "500"));
// >>>> Fill the Association Request package (A-ASSOCIATE-RQ)
// Identifying the communication partner by an AET (Application Entity Title)
assocRQ.setCalledAET(url.getCalledAET());
// Identifying ourselves by an AET (Application Entity Title)
if (url.getCallingAET() != null) {
callingAET = url.getCallingAET();
} else {
callingAET = DEFAULT_CALLING_AET;
}
assocRQ.setCallingAET(callingAET);
// Maximum size of one PDU (Protocol Data Unit)
assocRQ.setMaxPDULength(Integer.parseInt(cfg.getProperty("max-pdu-len", "16352")));
// Defines possibilities for asynchron DIMSE communication. Noramly synchron DIMSE communication
// is used.
// API doc: AssociationFactory.newAsyncOpsWindow(int maxOpsInvoked, int maxOpsPerfomed)
// PS 3.7 - Annex D.3.3.3 ASYNCHRONOUS OPERATIONS WINDOW NEGOTIATION
// maxOpsInvoked: This field shall contain the Maximum-number-operationsinvoked as defined for
// the Association-requester
// maxOpsPerfomed: This field shall contain the Maximum-number-operationsperformed as defined
// for the Association-requester
assocRQ.setAsyncOpsWindow(
aFact.newAsyncOpsWindow(Integer.parseInt(cfg.getProperty("max-op-invoked", "0")), 1));
for (Enumeration it = cfg.keys(); it.hasMoreElements(); ) {
String key = (String) it.nextElement();
// Setup available transfer syntaces for storage SOP classes
// PS 3.4 - Annex B STORAGE SERVICE CLASS
// PS 3.4 - B.5 STANDARD SOP CLASSES
if (key.startsWith("pc.")) {
initPresContext(
Integer.parseInt(key.substring(3)),
cfg.tokenize(cfg.getProperty(key), new LinkedList()));
}
}
}
/**
* Starts a active association to a communication partner. See PS 3.8 - 7.1 A-ASSOCIATE SERVICE
*
* @return true, if association was successful established.
* @exception ConnectException
* @exception IOException
* @exception GeneralSecurityException
*/
public boolean aASSOCIATE() throws ConnectException, IOException, GeneralSecurityException {
// No association may be active
if (assoc != null) {
throw new ConnectException("Association already established");
}
// New Association object for establishing an active association
assoc = aFact.newRequestor(newSocket(url.getHost(), url.getPort()));
// >>>> Fill the Association object with relevant data
assoc.setAcTimeout(acTimeout);
assoc.setDimseTimeout(dimseTimeout);
assoc.setSoCloseDelay(soCloseDelay);
assoc.setPackPDVs(packPDVs);
// 1. Create an communication channel to the communication partner defined in the Association
// object
// 2. Send the A-ASSOCIATE-RQ package
// 3. Receive the aAssociation acknowlage/reject package from the communication partner as a PDU
// (Protocol Data Unit)
PDU assocAC = assoc.connect(assocRQ);
if (!(assocAC instanceof AAssociateAC)) {
// Acknowlage is A-ASSOCIATE-RJ
// Association rejected
assoc = null;
// Return aASSOCIATE faild
return false;
}
// Acknowlage is A-ASSOCIATE_AC
// Association accepted
// Start the accepted association
// API doc: AssociationFactory.newActiveAssociation(Association assoc, DcmServiceRegistry
// services)
aassoc = aFact.newActiveAssociation(assoc, null);
aassoc.start();
// Return successfull opened
return true;
}
/**
* Initializes TLS (Transport Layer Security, predecessor of SSL, Secure Sockets Layer) connection
* related parameters. TLS expects RSA (Ron Rivest, Adi Shamir and Len Adleman) encoded keys and
* certificates.
*
* <p>Keys and certificates may be stored in PKCS #12 (Public Key Cryptography Standards) or JKS
* (Java Keystore) containers.
*
* <p>TSL is used to encrypt data during transmission, which is accomplished when the connection
* between the two partners A (normally the client) and B (normally the server) is established. If
* A asks B to send TSL encrypted data, both partners exchange some handshake information. In a
* first step B tries to authentify itself against A (server authentification, optional in TSL but
* implementet in this way in dcm4che). For that B presents its public key for A to accept or
* deny. If the authentification is accepted, A tries to authentify itself against B (client
* authentification, optional in TSL but implementet in this way in dcm4che).If B accepts the
* authentification A and B agree on a hash (symmetric key, which is independent of the
* private/public keys used for authentification) for the duration of their conversation, which is
* used to encrypt the data.
*
* <p>To be able to establish a TSL connection B needs a privat/public key pair, which identifies
* B unambiguously. For that the private key is generated first; than the root-public key is
* derived from that private key. To bind the root-public key with the identity of B a Certificate
* Authority (CA) is used: The root-public key is send to CA, which returns a certified-public
* key, which includes information about the CA as well as the root-public key. Optionally this
* process can be repeated several times so that the certified-public key contains a chain of
* certificates of different CA's.
*
* <p>The certified-public key of B is presented to A during server authentification. Partner A
* should accept this key, if it can match the last certificate in the chain with a
* root-certificat found in its local list of root-certificates of CA's. That means, that A does
* not check the identity of B, but "trusts" B because it was certified by an authority. The same
* happens for client authentification. Handling of authentification of the identity of the
* communication partner is subject of PS 3.15 - Security and System Management Profiles.
*
* <p>In the configuration files of this method the certified-public key is stored in the property
* "tls-key" and the root-certificates of the known CA's in "tls-cacerts".
*
* <p>Usually the certified-public keys of A and B are different, but they also may be the same.
* In this case the root-certificates are also the same.
*
* <p>It is possible to establish a TLS connection without using a CA: In this case both partners
* creates a individual container holding their private and root-public key. These containers
* could be used for certifying also, because the length of the certifying chain is one and
* therefore the root-public key is also the last certified-public key. Therefore the root-public
* key works in this scenario also as the root-certificate of the "certifying authoroty".
*
* <p>If no keystores are specified in the configuration properties, the not-certified
* default-keystore "resources/identityJava.jks" is used for "tls-key" and "tls-cacerts" when
* establishing the connection.
*
* @param cfg the configuration properties for this class.
* @throws ParseException
*/
private void initTLS(ConfigProperties cfg) throws ParseException {
char[] keystorepasswd;
char[] keypasswd;
char[] cacertspasswd;
URL keyURL;
URL cacertURL;
String value;
try {
// Cipher suites for protokoll:
// dicom = null
// dicom-tls = SSL_RSA_WITH_NULL_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
// SSL_RSA_WITH_3DES_EDE_CBC_SHA
// dicom-tls.3des = SSL_RSA_WITH_3DES_EDE_CBC_SHA
// dicom-tls.aes = TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
// dicom-tls.nodes = SSL_RSA_WITH_NULL_SHA
cipherSuites = url.getCipherSuites();
if (cipherSuites == null) {
return;
}
// Get a new TLS context
tls = SSLContextAdapter.getInstance();
// >>>> Managing the keystore file containing the privat key and
// >>>> certified-public key to establish the communication
// Password of the keystore [default: secret]
keystorepasswd = cfg.getProperty("tls-keystore-passwd", "secret").toCharArray();
// Password of the private key [default: secret]
keypasswd = cfg.getProperty("tls-key-passwd", "secret").toCharArray();
// URL of the file containing the default-keystore
keyURL = CDimseService.class.getResource("/resources/identityJava.jks");
// If availabel, replace URL with the one specified in the configuration file
if ((value = cfg.getProperty("tls-key")) != null) {
try {
// Property specified, try to set to specified value
keyURL = ConfigProperties.fileRefToURL(CDimseService.class.getResource(""), value);
} catch (Exception e) {
log.warn("Wrong value for tls-key: " + value + ". tls-key was set to default value.");
}
}
// log.info("Key URL: " + keyURL.toString());
// Sets the key attribute of the SSLContextAdapter object
// API doc: SSLContextAdapter.loadKeyStore(java.net.URL url, char[] password)
// API doc: SSLContextAdapter.setKey(java.security.KeyStore key, char[] password)
tls.setKey(tls.loadKeyStore(keyURL, keystorepasswd), keypasswd);
// >>>> Managing the keystore containing the root-certificates of the Ceritifying Authorities
// >>>> used for signing the public key
// Password of the keystore [default: secret]
cacertspasswd = cfg.getProperty("tls-cacerts-passwd", "secret").toCharArray();
// URL of the file containing the default-keystore
cacertURL = CDimseService.class.getResource("/resources/identityJava.jks");
// If availabel, replace URL with the one specified in the configuration file
if ((value = cfg.getProperty("tls-cacerts")) != null) {
try {
// Property specified, try to set to specified value
cacertURL = ConfigProperties.fileRefToURL(CDimseService.class.getResource(""), value);
} catch (Exception e) {
log.warn(
"Wrong value for tls-cacerts: " + value + ". tls-cacerts was set to default value.");
}
}
// log.info("Root-certificat of CA URL: " + cacertURL.toString());
// Sets the trust attribute of the SSLContextAdapter object
// API doc: SSLContextAdapter.loadKeyStore(java.net.URL url, char[] password)
// API doc: SSLContextAdapter.setTrust(java.security.KeyStore cacerts)
tls.setTrust(tls.loadKeyStore(cacertURL, cacertspasswd));
// Init TLS context adapter
tls.init();
} catch (Exception ex) {
throw new ParseException("Could not initalize TLS configuration.", 0);
}
}
