On 30/03/2016 21:41, Konstantin Kolinko wrote: > 2016-03-30 22:27 GMT+03:00 <ma...@apache.org>: >> Author: markt >> Date: Wed Mar 30 19:27:29 2016 >> New Revision: 1737154 >> >> URL: http://svn.apache.org/viewvc?rev=1737154&view=rev >> Log: >> Add support for obtaining the certificate chain from a Java keystore >> >> Modified: >> tomcat/native/trunk/native/src/sslcontext.c >> tomcat/native/trunk/xdocs/miscellaneous/changelog.xml >> >> Modified: tomcat/native/trunk/native/src/sslcontext.c >> URL: >> http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1737154&r1=1737153&r2=1737154&view=diff >> ============================================================================== >> --- tomcat/native/trunk/native/src/sslcontext.c (original) >> +++ tomcat/native/trunk/native/src/sslcontext.c Wed Mar 30 19:27:29 2016 >> @@ -1051,7 +1051,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, >> certs = d2i_X509(NULL, &tmp, lengthOfCert); >> if (certs == NULL) { >> ERR_error_string(ERR_get_error(), err); >> - tcn_Throw(e, "Error reading certificat (%s)", err); >> + tcn_Throw(e, "Error reading certificate (%s)", err); >> rv = JNI_FALSE; >> goto cleanup; >> } >> @@ -1119,6 +1119,50 @@ cleanup: >> free(cert); >> return rv; >> } >> + >> +TCN_IMPLEMENT_CALL(jboolean, SSLContext, >> addChainCertificateRaw)(TCN_STDARGS, jlong ctx, >> + jbyteArray >> javaCert) >> +{ >> + jsize lengthOfCert; >> + unsigned char* cert; >> + X509 * certs; >> + EVP_PKEY * evp; >> + const unsigned char *tmp; >> + BIO * bio; > > The "BIO" and "evp" variables are declared, but never used. Can be removed. > >> + >> + tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); >> + jboolean rv = JNI_TRUE; >> + char err[256]; >> + >> + /* we get the cert contents into a byte array */ >> + jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); >> + lengthOfCert = (*e)->GetArrayLength(e, javaCert); >> + cert = malloc(lengthOfCert); >> + memcpy(cert, bufferPtr, lengthOfCert); >> + (*e)->ReleaseByteArrayElements(e, javaCert, bufferPtr, 0); >> + >> + UNREFERENCED(o); >> + TCN_ASSERT(ctx != 0); >> + >> + tmp = (const unsigned char *)cert; >> + certs = d2i_X509(NULL, &tmp, lengthOfCert); >> + if (certs == NULL) { >> + ERR_error_string(ERR_get_error(), err); >> + tcn_Throw(e, "Error reading certificate (%s)", err); >> + rv = JNI_FALSE; >> + goto cleanup; >> + } >> + >> + if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) { >> + ERR_error_string(ERR_get_error(), err); >> + tcn_Throw(e, "Error setting certificate (%s)", err); > > "Error adding certificate" > >> + rv = JNI_FALSE; >> + } >> + >> +cleanup: >> + free(cert); >> + return rv; >> +} >> > > > This implementation matches the code of setCertificateRaw(), I see no > obvious errors (just high-level review comparing the two methods).
Thanks. I'll look at implementing these tomorrow. > I wonder about "idx" argument in setCertificateRaw() - the case of > using several certificate types in parallel (RSA, DSA, ECC -- see > SSL_AIDX_DSA etc. in include/ssl_private.h and Javadoc for this > method). > > I think that each certificate has its own chain going up to different > root CA certificate. No. They have to have the same chain. That is a 'feature' of OpenSSL. Cheers, Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
