2016-03-30 22:27 GMT+03:00 <[email protected]>:
> Author: markt
> Date: Wed Mar 30 19:27:29 2016
> New Revision: 1737154
>
> URL: http://svn.apache.org/viewvc?rev=1737154&view=rev
> Log:
> Add support for obtaining the certificate chain from a Java keystore
>
> Modified:
> tomcat/native/trunk/native/src/sslcontext.c
> tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
>
> Modified: tomcat/native/trunk/native/src/sslcontext.c
> URL:
> http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737154&r1=1737153&r2=1737154&view=diff
> ==============================================================================
> --- tomcat/native/trunk/native/src/sslcontext.c (original)
> +++ tomcat/native/trunk/native/src/sslcontext.c Wed Mar 30 19:27:29 2016
> @@ -1051,7 +1051,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
> certs = d2i_X509(NULL, &tmp, lengthOfCert);
> if (certs == NULL) {
> ERR_error_string(ERR_get_error(), err);
> - tcn_Throw(e, "Error reading certificat (%s)", err);
> + tcn_Throw(e, "Error reading certificate (%s)", err);
> rv = JNI_FALSE;
> goto cleanup;
> }
> @@ -1119,6 +1119,50 @@ cleanup:
> free(cert);
> return rv;
> }
> +
> +TCN_IMPLEMENT_CALL(jboolean, SSLContext,
> addChainCertificateRaw)(TCN_STDARGS, jlong ctx,
> + jbyteArray
> javaCert)
> +{
> + jsize lengthOfCert;
> + unsigned char* cert;
> + X509 * certs;
> + EVP_PKEY * evp;
> + const unsigned char *tmp;
> + BIO * bio;
The "BIO" and "evp" variables are declared, but never used. Can be removed.
> +
> + tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
> + jboolean rv = JNI_TRUE;
> + char err[256];
> +
> + /* we get the cert contents into a byte array */
> + jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL);
> + lengthOfCert = (*e)->GetArrayLength(e, javaCert);
> + cert = malloc(lengthOfCert);
> + memcpy(cert, bufferPtr, lengthOfCert);
> + (*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0);
> +
> + UNREFERENCED(o);
> + TCN_ASSERT(ctx != 0);
> +
> + tmp = (const unsigned char *)cert;
> + certs = d2i_X509(NULL, &tmp, lengthOfCert);
> + if (certs == NULL) {
> + ERR_error_string(ERR_get_error(), err);
> + tcn_Throw(e, "Error reading certificate (%s)", err);
> + rv = JNI_FALSE;
> + goto cleanup;
> + }
> +
> + if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) {
> + ERR_error_string(ERR_get_error(), err);
> + tcn_Throw(e, "Error setting certificate (%s)", err);
"Error adding certificate"
> + rv = JNI_FALSE;
> + }
> +
> +cleanup:
> + free(cert);
> + return rv;
> +}
>
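Review bot: The failure branch of `if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0)` leaks the parsed X509: as far as I can tell from the add0 contract, ownership of `certs` only passes to the context on success, so that branch needs an `X509_free(certs);` before `rv = JNI_FALSE;`. Earlier in the same function, neither the `GetByteArrayElements` result nor the `malloc(lengthOfCert)` result is checked before `memcpy`, so an out-of-memory condition dereferences NULL instead of reporting an error; both should bail out, releasing the array elements in the malloc case. The `UNREFERENCED(o); TCN_ASSERT(ctx != 0);` pair only runs after the array has already been copied, so moving it to the top of the body keeps the assertion ahead of any allocation. The trailing context lines of this hunk appear to have been trimmed in the quote.
```c
    UNREFERENCED(o);
    TCN_ASSERT(ctx != 0);

    /* we get the cert contents into a byte array */
    jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL);
    if (bufferPtr == NULL) {
        /* JNI has already raised OutOfMemoryError */
        return JNI_FALSE;
    }
    lengthOfCert = (*e)->GetArrayLength(e, javaCert);
    cert = malloc(lengthOfCert);
    if (cert == NULL) {
        (*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0);
        tcn_Throw(e, "Error allocating memory for certificate");
        return JNI_FALSE;
    }
    memcpy(cert, bufferPtr, lengthOfCert);
    (*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0);

    /* … unchanged: d2i_X509 and its error handling … */

    if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) {
        ERR_error_string(ERR_get_error(), err);
        tcn_Throw(e, "Error setting certificate (%s)", err);
        /* add0 transfers ownership only on success; drop our reference */
        X509_free(certs);
        rv = JNI_FALSE;
    }
```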
This implementation matches the code of setCertificateRaw(), I see no
obvious errors (just high-level review comparing the two methods).
I wonder about "idx" argument in setCertificateRaw() - the case of
using several certificate types in parallel (RSA, DSA, ECC -- see
SSL_AIDX_DSA etc. in include/ssl_private.h and Javadoc for this
method).
I think that each certificate has its own chain, going up to a different
root CA certificate.
Best regards,
Konstantin Kolinko