/**
* Initializes TLS (Transport Layer Security, predecessor of SSL, Secure Sockets Layer) connection
* related parameters. TLS expects RSA (Ron Rivest, Adi Shamir and Len Adleman) encoded keys and
* certificates.
*
* <p>Keys and certificates may be stored in PKCS #12 (Public Key Cryptography Standards) or JKS
* (Java Keystore) containers.
*
* <p>TSL is used to encrypt data during transmission, which is accomplished when the connection
* between the two partners A (normally the client) and B (normally the server) is established. If
* A asks B to send TSL encrypted data, both partners exchange some handshake information. In a
* first step B tries to authentify itself against A (server authentification, optional in TSL but
* implementet in this way in dcm4che). For that B presents its public key for A to accept or
* deny. If the authentification is accepted, A tries to authentify itself against B (client
* authentification, optional in TSL but implementet in this way in dcm4che).If B accepts the
* authentification A and B agree on a hash (symmetric key, which is independent of the
* private/public keys used for authentification) for the duration of their conversation, which is
* used to encrypt the data.
*
* <p>To be able to establish a TSL connection B needs a privat/public key pair, which identifies
* B unambiguously. For that the private key is generated first; than the root-public key is
* derived from that private key. To bind the root-public key with the identity of B a Certificate
* Authority (CA) is used: The root-public key is send to CA, which returns a certified-public
* key, which includes information about the CA as well as the root-public key. Optionally this
* process can be repeated several times so that the certified-public key contains a chain of
* certificates of different CA's.
*
* <p>The certified-public key of B is presented to A during server authentification. Partner A
* should accept this key, if it can match the last certificate in the chain with a
* root-certificat found in its local list of root-certificates of CA's. That means, that A does
* not check the identity of B, but "trusts" B because it was certified by an authority. The same
* happens for client authentification. Handling of authentification of the identity of the
* communication partner is subject of PS 3.15 - Security and System Management Profiles.
*
* <p>In the configuration files of this method the certified-public key is stored in the property
* "tls-key" and the root-certificates of the known CA's in "tls-cacerts".
*
* <p>Usually the certified-public keys of A and B are different, but they also may be the same.
* In this case the root-certificates are also the same.
*
* <p>It is possible to establish a TLS connection without using a CA: In this case both partners
* creates a individual container holding their private and root-public key. These containers
* could be used for certifying also, because the length of the certifying chain is one and
* therefore the root-public key is also the last certified-public key. Therefore the root-public
* key works in this scenario also as the root-certificate of the "certifying authoroty".
*
* <p>If no keystores are specified in the configuration properties, the not-certified
* default-keystore "resources/identityJava.jks" is used for "tls-key" and "tls-cacerts" when
* establishing the connection.
*
* @param cfg the configuration properties for this class.
* @throws ParseException
*/
private void initTLS(ConfigProperties cfg) throws ParseException {
char[] keystorepasswd;
char[] keypasswd;
char[] cacertspasswd;
URL keyURL;
URL cacertURL;
String value;
try {
// Cipher suites for protokoll:
// dicom = null
// dicom-tls = SSL_RSA_WITH_NULL_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
// SSL_RSA_WITH_3DES_EDE_CBC_SHA
// dicom-tls.3des = SSL_RSA_WITH_3DES_EDE_CBC_SHA
// dicom-tls.aes = TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
// dicom-tls.nodes = SSL_RSA_WITH_NULL_SHA
cipherSuites = url.getCipherSuites();
if (cipherSuites == null) {
return;
}
// Get a new TLS context
tls = SSLContextAdapter.getInstance();
// >>>> Managing the keystore file containing the privat key and
// >>>> certified-public key to establish the communication
// Password of the keystore [default: secret]
keystorepasswd = cfg.getProperty("tls-keystore-passwd", "secret").toCharArray();
// Password of the private key [default: secret]
keypasswd = cfg.getProperty("tls-key-passwd", "secret").toCharArray();
// URL of the file containing the default-keystore
keyURL = CDimseService.class.getResource("/resources/identityJava.jks");
// If availabel, replace URL with the one specified in the configuration file
if ((value = cfg.getProperty("tls-key")) != null) {
try {
// Property specified, try to set to specified value
keyURL = ConfigProperties.fileRefToURL(CDimseService.class.getResource(""), value);
} catch (Exception e) {
log.warn("Wrong value for tls-key: " + value + ". tls-key was set to default value.");
}
}
// log.info("Key URL: " + keyURL.toString());
// Sets the key attribute of the SSLContextAdapter object
// API doc: SSLContextAdapter.loadKeyStore(java.net.URL url, char[] password)
// API doc: SSLContextAdapter.setKey(java.security.KeyStore key, char[] password)
tls.setKey(tls.loadKeyStore(keyURL, keystorepasswd), keypasswd);
// >>>> Managing the keystore containing the root-certificates of the Ceritifying Authorities
// >>>> used for signing the public key
// Password of the keystore [default: secret]
cacertspasswd = cfg.getProperty("tls-cacerts-passwd", "secret").toCharArray();
// URL of the file containing the default-keystore
cacertURL = CDimseService.class.getResource("/resources/identityJava.jks");
// If availabel, replace URL with the one specified in the configuration file
if ((value = cfg.getProperty("tls-cacerts")) != null) {
try {
// Property specified, try to set to specified value
cacertURL = ConfigProperties.fileRefToURL(CDimseService.class.getResource(""), value);
} catch (Exception e) {
log.warn(
"Wrong value for tls-cacerts: " + value + ". tls-cacerts was set to default value.");
}
}
// log.info("Root-certificat of CA URL: " + cacertURL.toString());
// Sets the trust attribute of the SSLContextAdapter object
// API doc: SSLContextAdapter.loadKeyStore(java.net.URL url, char[] password)
// API doc: SSLContextAdapter.setTrust(java.security.KeyStore cacerts)
tls.setTrust(tls.loadKeyStore(cacertURL, cacertspasswd));
// Init TLS context adapter
tls.init();
} catch (Exception ex) {
throw new ParseException("Could not initalize TLS configuration.", 0);
}
}
