Author: markt Date: Wed Aug 24 21:37:39 2016 New Revision: 1757578 URL: http://svn.apache.org/viewvc?rev=1757578&view=rev Log: Refactor the JSSE client certificate validation so that the effectiveness of the certificateVerificationDepth configuration attribute does not depend on the presence of a certificate revocation list.
Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1757578&r1=1757577&r2=1757578&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Wed Aug 24 21:37:39 2016
@@ -241,9 +241,6 @@ public class JSSEUtil extends SSLUtilBas
     @Override
     public TrustManager[] getTrustManagers() throws Exception {
-        String algorithm = sslHostConfig.getTruststoreAlgorithm();
-
-        String crlf = sslHostConfig.getCertificateRevocationListFile();
         String className = sslHostConfig.getTrustManagerClassName();
         if(className != null && className.length() > 0) {
@@ -261,17 +258,24 @@ public class JSSEUtil extends SSLUtilBas
         TrustManager[] tms = null;
         KeyStore trustStore = sslHostConfig.getTruststore();
-        if (trustStore != null || className != null) {
-            if (crlf == null) {
+        if (trustStore != null) {
+            String algorithm = sslHostConfig.getTruststoreAlgorithm();
+            String crlf = sslHostConfig.getCertificateRevocationListFile();
+
+            if ("PKIX".equalsIgnoreCase(algorithm)) {
                 TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
-                tmf.init(trustStore);
+                CertPathParameters params = getParameters(crlf, trustStore);
+                ManagerFactoryParameters mfp = new CertPathTrustManagerParameters(params);
+                tmf.init(mfp);
                 tms = tmf.getTrustManagers();
             } else {
                 TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
-                CertPathParameters params = getParameters(algorithm, crlf, trustStore);
-                ManagerFactoryParameters mfp = new CertPathTrustManagerParameters(params);
-                tmf.init(mfp);
+                tmf.init(trustStore);
                 tms = tmf.getTrustManagers();
+                if (crlf != null && crlf.length() > 0) {
+                    throw new CRLException(sm.getString("jsseUtil.noCrlSupport", algorithm));
+                }
+                log.warn(sm.getString("jsseUtil.noVerificationDepth"));
             }
         }
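Review bot: `log.warn(sm.getString("jsseUtil.noVerificationDepth"))` in the new non-PKIX branch passes no argument, but the message added for that key in LocalStrings.properties contains a `{0}` placeholder, so the warning will print a literal `[{0}]` rather than the configured algorithm; it should read `log.warn(sm.getString("jsseUtil.noVerificationDepth", algorithm));`, matching the `CRLException` two lines above. The same placeholder mismatch is visible in the LocalStrings.properties hunk. The unsupported-CRL check also runs only after `tmf.init(trustStore)` and `getTrustManagers()` have already done their work; moving the `crlf` check ahead of the factory initialisation rejects the bad configuration before anything is built. `getTrustManagers()` begins before and continues after this hunk.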
@@ -289,28 +293,26 @@ public class JSSEUtil extends SSLUtilBas
      * Return the initialization parameters for the TrustManager.
      * Currently, only the default <code>PKIX</code> is supported.
      *
-     * @param algorithm The algorithm to get parameters for.
      * @param crlf The path to the CRL file.
      * @param trustStore The configured TrustStore.
      * @return The parameters including the CRLs and TrustStore.
      * @throws Exception An error occurred
      */
-    protected CertPathParameters getParameters(String algorithm, String crlf,
-            KeyStore trustStore) throws Exception {
+    protected CertPathParameters getParameters(String crlf, KeyStore trustStore) throws Exception {
-        if("PKIX".equalsIgnoreCase(algorithm)) {
-            PKIXBuilderParameters xparams =
-                    new PKIXBuilderParameters(trustStore, new X509CertSelector());
+        PKIXBuilderParameters xparams =
+                new PKIXBuilderParameters(trustStore, new X509CertSelector());
+        if (crlf != null && crlf.length() > 0) {
             Collection<? extends CRL> crls = getCRLs(crlf);
             CertStoreParameters csp = new CollectionCertStoreParameters(crls);
             CertStore store = CertStore.getInstance("Collection", csp);
             xparams.addCertStore(store);
             xparams.setRevocationEnabled(true);
-            xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
-            return xparams;
         } else {
-            throw new CRLException("CRLs not supported for type: "+algorithm);
+            xparams.setRevocationEnabled(false);
         }
+        xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
+        return xparams;
     }

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties?rev=1757578&r1=1757577&r2=1757578&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties Wed Aug 24 21:37:39 2016
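Review bot: `xparams.setRevocationEnabled(false)` is new behaviour for the PKIX path without a CRL file: that configuration previously went through `tmf.init(trustStore)`, where, as far as I recall, the SunJSSE PKIX trust manager builds its own parameters and honours the `com.sun.net.ssl.checkRevocation` system property, whereas explicit `PKIXBuilderParameters` are used as supplied, so deployments that enabled JVM-wide revocation checking that way would silently stop checking client certificate revocation. That line deserves a why-comment such as `// No CRL file configured: revocation is explicitly disabled here, overriding any JVM-wide checkRevocation setting`, or the call could be omitted so the provider default still applies when no CRL file is given. The Javadoc is now partly stale as well: `Currently, only the default <code>PKIX</code> is supported.` no longer describes this method since the algorithm check moved to the caller, and `@throws Exception An error occurred` could say `@throws Exception If the CRL file cannot be read or the PKIX parameters cannot be built`.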
@@ -32,3 +32,6 @@ jsseSupport.serverRenegDisabled=SSL serv
 jsseSupport.unexpectedData=Unexpected data read from input stream
 jsse.openssl.unknownElement=Unknown element in cipher string: {0}
 jsse.openssl.effectiveCiphers=Ciphers used: {0}
+
+jsseUtil.noCrlSupport=The truststoreProvider [{0}] does not support the certificateRevocationFile configuration option
+jsseUtil.noVerificationDepth=The truststoreProvider [{0}] does not support the certificateVerificationDepth configuration option
\ No newline at end of file

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1757578&r1=1757577&r2=1757578&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Aug 24 21:37:39 2016
@@ -211,6 +211,12 @@
         <bug>60030</bug>: Correct a potential infinite loop in the SNI parsing
         code triggered by failing to handle an end of stream condition. (markt)
       </fix>
+      <fix>
+        Refactor the JSSE client certificate validation so that the
+        effectiveness of the <code>certificateVerificationDepth</code>
+        configuration attribute does not depend on the presence of a certificate
+        revokation list. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
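Review bot: Both new messages name the offending option as `truststoreProvider`, but the value substituted for `{0}` in the JSSEUtil hunk is `sslHostConfig.getTruststoreAlgorithm()`, and `certificateRevocationFile` does not match the getter `getCertificateRevocationListFile()` that reads the option, so an administrator following the message would look at the wrong attributes. Suggest `jsseUtil.noCrlSupport=The truststoreAlgorithm [{0}] does not support the certificateRevocationListFile configuration option` and the matching wording for `jsseUtil.noVerificationDepth`. The `\ No newline at end of file` marker shows the new last line lacks a terminating newline; adding one avoids the next appended key being glued onto this value.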