Author: markt
Date: Wed Aug 24 21:37:39 2016
New Revision: 1757578

URL: http://svn.apache.org/viewvc?rev=1757578&view=rev
Log:
Refactor the JSSE client certificate validation so that the effectiveness of 
the certificateVerificationDepth configuration attribute does not depend on the 
presence of a certificate revocation list.
Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1757578&r1=1757577&r2=1757578&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Wed Aug 24 
21:37:39 2016
@@ -241,9 +241,6 @@ public class JSSEUtil extends SSLUtilBas
 
     @Override
     public TrustManager[] getTrustManagers() throws Exception {
-        String algorithm = sslHostConfig.getTruststoreAlgorithm();
-
-        String crlf = sslHostConfig.getCertificateRevocationListFile();
 
         String className = sslHostConfig.getTrustManagerClassName();
         if(className != null && className.length() > 0) {
@@ -261,17 +258,24 @@ public class JSSEUtil extends SSLUtilBas
         TrustManager[] tms = null;
 
         KeyStore trustStore = sslHostConfig.getTruststore();
-        if (trustStore != null || className != null) {
-            if (crlf == null) {
+        if (trustStore != null) {
+            String algorithm = sslHostConfig.getTruststoreAlgorithm();
+            String crlf = sslHostConfig.getCertificateRevocationListFile();
+
+            if ("PKIX".equalsIgnoreCase(algorithm)) {
                 TrustManagerFactory tmf = 
TrustManagerFactory.getInstance(algorithm);
-                tmf.init(trustStore);
+                CertPathParameters params = getParameters(crlf, trustStore);
+                ManagerFactoryParameters mfp = new 
CertPathTrustManagerParameters(params);
+                tmf.init(mfp);
                 tms = tmf.getTrustManagers();
             } else {
                 TrustManagerFactory tmf = 
TrustManagerFactory.getInstance(algorithm);
-                CertPathParameters params = getParameters(algorithm, crlf, 
trustStore);
-                ManagerFactoryParameters mfp = new 
CertPathTrustManagerParameters(params);
-                tmf.init(mfp);
+                tmf.init(trustStore);
                 tms = tmf.getTrustManagers();
+                if (crlf != null && crlf.length() > 0) {
+                    throw new 
CRLException(sm.getString("jsseUtil.noCrlSupport", algorithm));
+                }
+                log.warn(sm.getString("jsseUtil.noVerificationDepth"));
             }
         }
 
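Review bot: The warning that closes the non-PKIX branch, `log.warn(sm.getString("jsseUtil.noVerificationDepth"))`, passes no argument although the LocalStrings entry added for that key in this commit contains a `[{0}]` placeholder, so the logged text will carry the unfilled placeholder instead of the algorithm name; it should read `log.warn(sm.getString("jsseUtil.noVerificationDepth", algorithm));`. In the same branch the CRL check runs only after `tmf.init(trustStore)` and `tms = tmf.getTrustManagers()`, so moving `if (crlf != null && crlf.length() > 0) { throw new CRLException(...); }` ahead of the init would reject the misconfiguration before any trust manager is built. A one-line comment on the branch would also help the next reader, e.g. `// Non-PKIX factories are initialised from the KeyStore only: no CRL and no max path length can be applied`. getTrustManagers starts in the previous hunk and continues past the end of this one.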
@@ -289,28 +293,26 @@ public class JSSEUtil extends SSLUtilBas
      * Return the initialization parameters for the TrustManager.
      * Currently, only the default <code>PKIX</code> is supported.
      *
-     * @param algorithm The algorithm to get parameters for.
      * @param crlf The path to the CRL file.
      * @param trustStore The configured TrustStore.
      * @return The parameters including the CRLs and TrustStore.
      * @throws Exception An error occurred
      */
-    protected CertPathParameters getParameters(String algorithm, String crlf,
-            KeyStore trustStore) throws Exception {
+    protected CertPathParameters getParameters(String crlf, KeyStore 
trustStore) throws Exception {
 
-        if("PKIX".equalsIgnoreCase(algorithm)) {
-            PKIXBuilderParameters xparams =
-                    new PKIXBuilderParameters(trustStore, new 
X509CertSelector());
+        PKIXBuilderParameters xparams =
+                new PKIXBuilderParameters(trustStore, new X509CertSelector());
+        if (crlf != null && crlf.length() > 0) {
             Collection<? extends CRL> crls = getCRLs(crlf);
             CertStoreParameters csp = new CollectionCertStoreParameters(crls);
             CertStore store = CertStore.getInstance("Collection", csp);
             xparams.addCertStore(store);
             xparams.setRevocationEnabled(true);
-            
xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
-            return xparams;
         } else {
-            throw new CRLException("CRLs not supported for type: "+algorithm);
+            xparams.setRevocationEnabled(false);
         }
+        
xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
+        return xparams;
     }
 
 
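Review bot: The new `xparams.setRevocationEnabled(false)` in the else branch needs a comment, because it changes what the PKIX trust manager does when no CRL file is configured: before this change the factory was initialised from the KeyStore alone, and in that mode the JDK applies its own revocation settings (the `com.sun.net.ssl.checkRevocation` system property and OCSP), whereas explicitly supplied PKIXBuilderParameters appear to take precedence over them. That precedence is inferred from JDK behaviour rather than visible in the hunk and should be confirmed; if it holds, deployments that turned revocation checking on through those properties lose it silently after this commit. At minimum a comment such as `// No CRL configured: disable revocation explicitly, otherwise PKIXBuilderParameters defaults to revocation-on and every chain fails` and a sentence in the changelog entry would make the trade-off visible. The Javadoc still says "only the default PKIX is supported" although the algorithm parameter was removed, so it should instead state that the caller is responsible for invoking this method only for the PKIX algorithm.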

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties?rev=1757578&r1=1757577&r2=1757578&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties 
Wed Aug 24 21:37:39 2016
@@ -32,3 +32,6 @@ jsseSupport.serverRenegDisabled=SSL serv
 jsseSupport.unexpectedData=Unexpected data read from input stream
 jsse.openssl.unknownElement=Unknown element in cipher string: {0}
 jsse.openssl.effectiveCiphers=Ciphers used: {0}
+
+jsseUtil.noCrlSupport=The truststoreProvider [{0}] does not support the 
certificateRevocationFile configuration option
+jsseUtil.noVerificationDepth=The truststoreProvider [{0}] does not support the 
certificateVerificationDepth configuration option
\ No newline at end of file
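Review bot: Both new messages say `truststoreProvider`, but the value the Java change substitutes for `{0}` is the truststore algorithm (`sslHostConfig.getTruststoreAlgorithm()`), and `certificateRevocationFile` does not match the getter `getCertificateRevocationListFile` used in the same change, so the attribute name looks inconsistent (verify against the documented attribute name). Suggested wording: `jsseUtil.noCrlSupport=The truststoreAlgorithm [{0}] does not support the certificateRevocationListFile configuration option` and `jsseUtil.noVerificationDepth=The truststoreAlgorithm [{0}] does not support the certificateVerificationDepth configuration option`. The second key's `{0}` is never supplied by the caller in the Java hunk, which is noted there. The file also loses its trailing newline.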

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1757578&r1=1757577&r2=1757578&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Aug 24 21:37:39 2016
@@ -211,6 +211,12 @@
         <bug>60030</bug>: Correct a potential infinite loop in the SNI parsing
         code triggered by failing to handle an end of stream condition. (markt)
       </fix>
+      <fix>
+        Refactor the JSSE client certificate validation so that the
+        effectiveness of the <code>certificateVerificationDepth</code>
+        configuration attribute does not depend on the presence of a 
certificate
+        revokation list. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">


