Author: markt
Date: Wed Aug 24 21:37:39 2016
New Revision: 1757578
URL: http://svn.apache.org/viewvc?rev=1757578&view=rev
Log:
Refactor the JSSE client certificate validation so that the effectiveness of
the certificateVerificationDepth configuration attribute does not depend on the
presence of a certificate revokation list.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1757578&r1=1757577&r2=1757578&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Wed Aug 24
21:37:39 2016
@@ -241,9 +241,6 @@ public class JSSEUtil extends SSLUtilBas
@Override
public TrustManager[] getTrustManagers() throws Exception {
- String algorithm = sslHostConfig.getTruststoreAlgorithm();
-
- String crlf = sslHostConfig.getCertificateRevocationListFile();
String className = sslHostConfig.getTrustManagerClassName();
if(className != null && className.length() > 0) {
@@ -261,17 +258,24 @@ public class JSSEUtil extends SSLUtilBas
TrustManager[] tms = null;
KeyStore trustStore = sslHostConfig.getTruststore();
- if (trustStore != null || className != null) {
- if (crlf == null) {
+ if (trustStore != null) {
+ String algorithm = sslHostConfig.getTruststoreAlgorithm();
+ String crlf = sslHostConfig.getCertificateRevocationListFile();
+
+ if ("PKIX".equalsIgnoreCase(algorithm)) {
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(algorithm);
- tmf.init(trustStore);
+ CertPathParameters params = getParameters(crlf, trustStore);
+ ManagerFactoryParameters mfp = new
CertPathTrustManagerParameters(params);
+ tmf.init(mfp);
tms = tmf.getTrustManagers();
} else {
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(algorithm);
- CertPathParameters params = getParameters(algorithm, crlf,
trustStore);
- ManagerFactoryParameters mfp = new
CertPathTrustManagerParameters(params);
- tmf.init(mfp);
+ tmf.init(trustStore);
tms = tmf.getTrustManagers();
+ if (crlf != null && crlf.length() > 0) {
+ throw new
CRLException(sm.getString("jsseUtil.noCrlSupport", algorithm));
+ }
+ log.warn(sm.getString("jsseUtil.noVerificationDepth"));
}
}
@@ -289,28 +293,26 @@ public class JSSEUtil extends SSLUtilBas
* Return the initialization parameters for the TrustManager.
* Currently, only the default <code>PKIX</code> is supported.
*
- * @param algorithm The algorithm to get parameters for.
* @param crlf The path to the CRL file.
* @param trustStore The configured TrustStore.
* @return The parameters including the CRLs and TrustStore.
* @throws Exception An error occurred
*/
- protected CertPathParameters getParameters(String algorithm, String crlf,
- KeyStore trustStore) throws Exception {
+ protected CertPathParameters getParameters(String crlf, KeyStore
trustStore) throws Exception {
- if("PKIX".equalsIgnoreCase(algorithm)) {
- PKIXBuilderParameters xparams =
- new PKIXBuilderParameters(trustStore, new
X509CertSelector());
+ PKIXBuilderParameters xparams =
+ new PKIXBuilderParameters(trustStore, new X509CertSelector());
+ if (crlf != null && crlf.length() > 0) {
Collection<? extends CRL> crls = getCRLs(crlf);
CertStoreParameters csp = new CollectionCertStoreParameters(crls);
CertStore store = CertStore.getInstance("Collection", csp);
xparams.addCertStore(store);
xparams.setRevocationEnabled(true);
-
xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
- return xparams;
} else {
- throw new CRLException("CRLs not supported for type: "+algorithm);
+ xparams.setRevocationEnabled(false);
}
+
xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
+ return xparams;
}
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties?rev=1757578&r1=1757577&r2=1757578&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
Wed Aug 24 21:37:39 2016
@@ -32,3 +32,6 @@ jsseSupport.serverRenegDisabled=SSL serv
jsseSupport.unexpectedData=Unexpected data read from input stream
jsse.openssl.unknownElement=Unknown element in cipher string: {0}
jsse.openssl.effectiveCiphers=Ciphers used: {0}
+
+jsseUtil.noCrlSupport=The truststoreProvider [{0}] does not support the
certificateRevocationFile configuration option
+jsseUtil.noVerificationDepth=The truststoreProvider [{0}] does not support the
certificateVerificationDepth configuration option
\ No newline at end of file
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1757578&r1=1757577&r2=1757578&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Aug 24 21:37:39 2016
@@ -211,6 +211,12 @@
<bug>60030</bug>: Correct a potential infinite loop in the SNI parsing
code triggered by failing to handle an end of stream condition. (markt)
</fix>
+ <fix>
+ Refactor the JSSE client certificate validation so that the
+ effectiveness of the <code>certificateVerificationDepth</code>
+ configuration attribute does not depend on the presence of a
certificate
+ revokation list. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
