Author: markt
Date: Thu Feb 21 18:44:51 2019
New Revision: 1854079

URL: http://svn.apache.org/viewvc?rev=1854079&view=rev
Log:
Refactor with the aim (several commits in the future) of enabling the 
AprEndpoint to use JSSE style configuration

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
    tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java?rev=1854079&r1=1854078&r2=1854079&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java Thu Feb 21 
18:44:51 2019
@@ -22,12 +22,33 @@ import java.io.InputStream;
 import java.net.URI;
 import java.security.DomainLoadStoreParameter;
 import java.security.KeyStore;
+import java.security.cert.CRL;
+import java.security.cert.CRLException;
+import java.security.cert.CertPathParameters;
+import java.security.cert.CertStore;
+import java.security.cert.CertStoreParameters;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Date;
+import java.util.Enumeration;
 import java.util.List;
 import java.util.Set;
 
+import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.ManagerFactoryParameters;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.file.ConfigFileLoader;
@@ -42,6 +63,7 @@ public abstract class SSLUtilBase implem
     private static final Log log = LogFactory.getLog(SSLUtilBase.class);
     private static final StringManager sm = 
StringManager.getManager(SSLUtilBase.class);
 
+    protected final SSLHostConfig sslHostConfig;
     protected final SSLHostConfigCertificate certificate;
 
     private final String[] enabledProtocols;
@@ -55,7 +77,7 @@ public abstract class SSLUtilBase implem
 
     protected SSLUtilBase(SSLHostConfigCertificate certificate, boolean 
warnTls13) {
         this.certificate = certificate;
-        SSLHostConfig sslHostConfig = certificate.getSSLHostConfig();
+        this.sslHostConfig = certificate.getSSLHostConfig();
 
         // Calculate the enabled protocols
         Set<String> configuredProtocols = sslHostConfig.getProtocols();
@@ -215,11 +237,153 @@ public abstract class SSLUtilBase implem
         return enabledProtocols;
     }
 
+
     @Override
     public String[] getEnabledCiphers() {
         return enabledCiphers;
     }
 
+
+    @Override
+    public TrustManager[] getTrustManagers() throws Exception {
+
+        String className = sslHostConfig.getTrustManagerClassName();
+        if(className != null && className.length() > 0) {
+             ClassLoader classLoader = getClass().getClassLoader();
+             Class<?> clazz = classLoader.loadClass(className);
+             if(!(TrustManager.class.isAssignableFrom(clazz))){
+                throw new InstantiationException(sm.getString(
+                        "jsse.invalidTrustManagerClassName", className));
+             }
+             Object trustManagerObject = clazz.getConstructor().newInstance();
+             TrustManager trustManager = (TrustManager) trustManagerObject;
+             return new TrustManager[]{ trustManager };
+        }
+
+        TrustManager[] tms = null;
+
+        KeyStore trustStore = sslHostConfig.getTruststore();
+        if (trustStore != null) {
+            checkTrustStoreEntries(trustStore);
+            String algorithm = sslHostConfig.getTruststoreAlgorithm();
+            String crlf = sslHostConfig.getCertificateRevocationListFile();
+            boolean revocationEnabled = sslHostConfig.getRevocationEnabled();
+
+            if ("PKIX".equalsIgnoreCase(algorithm)) {
+                TrustManagerFactory tmf = 
TrustManagerFactory.getInstance(algorithm);
+                CertPathParameters params = getParameters(crlf, trustStore, 
revocationEnabled);
+                ManagerFactoryParameters mfp = new 
CertPathTrustManagerParameters(params);
+                tmf.init(mfp);
+                tms = tmf.getTrustManagers();
+            } else {
+                TrustManagerFactory tmf = 
TrustManagerFactory.getInstance(algorithm);
+                tmf.init(trustStore);
+                tms = tmf.getTrustManagers();
+                if (crlf != null && crlf.length() > 0) {
+                    throw new 
CRLException(sm.getString("jsseUtil.noCrlSupport", algorithm));
+                }
+                // Only warn if the attribute has been explicitly configured
+                if (sslHostConfig.isCertificateVerificationDepthConfigured()) {
+                    log.warn(sm.getString("jsseUtil.noVerificationDepth", 
algorithm));
+                }
+            }
+        }
+
+        return tms;
+    }
+
+
+    private void checkTrustStoreEntries(KeyStore trustStore) throws Exception {
+        Enumeration<String> aliases = trustStore.aliases();
+        if (aliases != null) {
+            Date now = new Date();
+            while (aliases.hasMoreElements()) {
+                String alias = aliases.nextElement();
+                if (trustStore.isCertificateEntry(alias)) {
+                    Certificate cert = trustStore.getCertificate(alias);
+                    if (cert instanceof X509Certificate) {
+                        try {
+                            ((X509Certificate) cert).checkValidity(now);
+                        } catch (CertificateExpiredException | 
CertificateNotYetValidException e) {
+                            String msg = 
sm.getString("jsseUtil.trustedCertNotValid", alias,
+                                    ((X509Certificate) cert).getSubjectDN(), 
e.getMessage());
+                            if (log.isDebugEnabled()) {
+                                log.debug(msg, e);
+                            } else {
+                                log.warn(msg);
+                            }
+                        }
+                    } else {
+                        if (log.isDebugEnabled()) {
+                            
log.debug(sm.getString("jsseUtil.trustedCertNotChecked", alias));
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+
+    /**
+     * Return the initialization parameters for the TrustManager.
+     * Currently, only the default <code>PKIX</code> is supported.
+     *
+     * @param crlf The path to the CRL file.
+     * @param trustStore The configured TrustStore.
+     * @param revocationEnabled Should the JSSE provider perform revocation
+     *                          checks? Ignored if {@code crlf} is non-null.
+     *                          Configuration of revocation checks are expected
+     *                          to be via proprietary JSSE provider methods.
+     * @return The parameters including the CRLs and TrustStore.
+     * @throws Exception An error occurred
+     */
+    private CertPathParameters getParameters(String crlf, KeyStore trustStore,
+            boolean revocationEnabled) throws Exception {
+
+        PKIXBuilderParameters xparams =
+                new PKIXBuilderParameters(trustStore, new X509CertSelector());
+        if (crlf != null && crlf.length() > 0) {
+            Collection<? extends CRL> crls = getCRLs(crlf);
+            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
+            CertStore store = CertStore.getInstance("Collection", csp);
+            xparams.addCertStore(store);
+            xparams.setRevocationEnabled(true);
+        } else {
+            xparams.setRevocationEnabled(revocationEnabled);
+        }
+        
xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
+        return xparams;
+    }
+
+
+    /**
+     * Load the collection of CRLs.
+     * @param crlf The path to the CRL file.
+     * @return the CRLs collection
+     * @throws IOException Error reading CRL file
+     * @throws CRLException CRL error
+     * @throws CertificateException Error processing certificate
+     */
+    private Collection<? extends CRL> getCRLs(String crlf)
+        throws IOException, CRLException, CertificateException {
+
+        Collection<? extends CRL> crls = null;
+        try {
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            try (InputStream is = 
ConfigFileLoader.getSource().getResource(crlf).getInputStream()) {
+                crls = cf.generateCRLs(is);
+            }
+        } catch(IOException iex) {
+            throw iex;
+        } catch(CRLException crle) {
+            throw crle;
+        } catch(CertificateException ce) {
+            throw ce;
+        }
+        return crls;
+    }
+
+
     protected abstract Set<String> getImplementedProtocols();
     protected abstract Set<String> getImplementedCiphers();
     protected abstract Log getLog();
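Review bot: In the non-PKIX branch of getTrustManagers (the `else` after `"PKIX".equalsIgnoreCase(algorithm)`), `revocationEnabled` is read but never applied, so a host configured with revocation checking on a non-PKIX truststore algorithm silently gets no revocation checks, whereas the equally unsupported `certificateVerificationDepth` at least produces a warning. A warning in the same shape would close that gap, e.g. `if (revocationEnabled) { log.warn(sm.getString("<new key: revocation unsupported for algorithm>", algorithm)); }`, ideally placed together with the CRL check before `tmf.init(trustStore)` so nothing is initialised for a configuration that is then rejected. The `getParameters` Javadoc says `revocationEnabled` is "Ignored if {@code crlf} is non-null", but the code only overrides it when `crlf` is non-empty, so "non-empty" is the accurate word. In `getCRLs`, the three `catch` blocks that rethrow the caught exception unchanged add nothing; the method reduces to creating the factory, opening the resource in the try-with-resources and returning `cf.generateCRLs(is)` directly. Since OpenSSLUtil's own override, which returned null when `jsseUtil` was null, is removed in the same commit, this implementation now also runs for OpenSSL-backed hosts; that appears intended per the log message, but it deserves a sentence in the method Javadoc so the inherited behaviour is explicit.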

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1854079&r1=1854078&r2=1854079&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Thu Feb 21 
18:44:51 2019
@@ -17,52 +17,31 @@
 package org.apache.tomcat.util.net.jsse;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.security.Key;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.CRL;
-import java.security.cert.CRLException;
-import java.security.cert.CertPathParameters;
-import java.security.cert.CertStore;
-import java.security.cert.CertStoreParameters;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.CollectionCertStoreParameters;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
-import java.util.Date;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Set;
 
-import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.ManagerFactoryParameters;
 import javax.net.ssl.SSLSessionContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509KeyManager;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.compat.JreVendor;
 import org.apache.tomcat.util.compat.TLS;
-import org.apache.tomcat.util.file.ConfigFileLoader;
 import org.apache.tomcat.util.net.Constants;
 import org.apache.tomcat.util.net.SSLContext;
-import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLUtilBase;
 import org.apache.tomcat.util.res.StringManager;
@@ -138,9 +117,6 @@ public class JSSEUtil extends SSLUtilBas
     }
 
 
-    private final SSLHostConfig sslHostConfig;
-
-
     public JSSEUtil (SSLHostConfigCertificate certificate) {
         this(certificate, true);
     }
@@ -148,7 +124,6 @@ public class JSSEUtil extends SSLUtilBas
 
     public JSSEUtil (SSLHostConfigCertificate certificate, boolean warnOnSkip) 
{
         super(certificate, warnOnSkip);
-        this.sslHostConfig = certificate.getSSLHostConfig();
     }
 
 
@@ -305,148 +280,8 @@ public class JSSEUtil extends SSLUtilBas
 
 
     @Override
-    public TrustManager[] getTrustManagers() throws Exception {
-
-        String className = sslHostConfig.getTrustManagerClassName();
-        if(className != null && className.length() > 0) {
-             ClassLoader classLoader = getClass().getClassLoader();
-             Class<?> clazz = classLoader.loadClass(className);
-             if(!(TrustManager.class.isAssignableFrom(clazz))){
-                throw new InstantiationException(sm.getString(
-                        "jsse.invalidTrustManagerClassName", className));
-             }
-             Object trustManagerObject = clazz.getConstructor().newInstance();
-             TrustManager trustManager = (TrustManager) trustManagerObject;
-             return new TrustManager[]{ trustManager };
-        }
-
-        TrustManager[] tms = null;
-
-        KeyStore trustStore = sslHostConfig.getTruststore();
-        if (trustStore != null) {
-            checkTrustStoreEntries(trustStore);
-            String algorithm = sslHostConfig.getTruststoreAlgorithm();
-            String crlf = sslHostConfig.getCertificateRevocationListFile();
-            boolean revocationEnabled = sslHostConfig.getRevocationEnabled();
-
-            if ("PKIX".equalsIgnoreCase(algorithm)) {
-                TrustManagerFactory tmf = 
TrustManagerFactory.getInstance(algorithm);
-                CertPathParameters params = getParameters(crlf, trustStore, 
revocationEnabled);
-                ManagerFactoryParameters mfp = new 
CertPathTrustManagerParameters(params);
-                tmf.init(mfp);
-                tms = tmf.getTrustManagers();
-            } else {
-                TrustManagerFactory tmf = 
TrustManagerFactory.getInstance(algorithm);
-                tmf.init(trustStore);
-                tms = tmf.getTrustManagers();
-                if (crlf != null && crlf.length() > 0) {
-                    throw new 
CRLException(sm.getString("jsseUtil.noCrlSupport", algorithm));
-                }
-                // Only warn if the attribute has been explicitly configured
-                if (sslHostConfig.isCertificateVerificationDepthConfigured()) {
-                    log.warn(sm.getString("jsseUtil.noVerificationDepth", 
algorithm));
-                }
-            }
-        }
-
-        return tms;
-    }
-
-
-    private void checkTrustStoreEntries(KeyStore trustStore) throws Exception {
-        Enumeration<String> aliases = trustStore.aliases();
-        if (aliases != null) {
-            Date now = new Date();
-            while (aliases.hasMoreElements()) {
-                String alias = aliases.nextElement();
-                if (trustStore.isCertificateEntry(alias)) {
-                    Certificate cert = trustStore.getCertificate(alias);
-                    if (cert instanceof X509Certificate) {
-                        try {
-                            ((X509Certificate) cert).checkValidity(now);
-                        } catch (CertificateExpiredException | 
CertificateNotYetValidException e) {
-                            String msg = 
sm.getString("jsseUtil.trustedCertNotValid", alias,
-                                    ((X509Certificate) cert).getSubjectDN(), 
e.getMessage());
-                            if (log.isDebugEnabled()) {
-                                log.debug(msg, e);
-                            } else {
-                                log.warn(msg);
-                            }
-                        }
-                    } else {
-                        if (log.isDebugEnabled()) {
-                            
log.debug(sm.getString("jsseUtil.trustedCertNotChecked", alias));
-                        }
-                    }
-                }
-            }
-        }
-    }
-
-
-    @Override
     public void configureSessionContext(SSLSessionContext sslSessionContext) {
         
sslSessionContext.setSessionCacheSize(sslHostConfig.getSessionCacheSize());
         sslSessionContext.setSessionTimeout(sslHostConfig.getSessionTimeout());
     }
-
-
-    /**
-     * Return the initialization parameters for the TrustManager.
-     * Currently, only the default <code>PKIX</code> is supported.
-     *
-     * @param crlf The path to the CRL file.
-     * @param trustStore The configured TrustStore.
-     * @param revocationEnabled Should the JSSE provider perform revocation
-     *                          checks? Ignored if {@code crlf} is non-null.
-     *                          Configuration of revocation checks are expected
-     *                          to be via proprietary JSSE provider methods.
-     * @return The parameters including the CRLs and TrustStore.
-     * @throws Exception An error occurred
-     */
-    protected CertPathParameters getParameters(String crlf, KeyStore 
trustStore,
-            boolean revocationEnabled) throws Exception {
-
-        PKIXBuilderParameters xparams =
-                new PKIXBuilderParameters(trustStore, new X509CertSelector());
-        if (crlf != null && crlf.length() > 0) {
-            Collection<? extends CRL> crls = getCRLs(crlf);
-            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
-            CertStore store = CertStore.getInstance("Collection", csp);
-            xparams.addCertStore(store);
-            xparams.setRevocationEnabled(true);
-        } else {
-            xparams.setRevocationEnabled(revocationEnabled);
-        }
-        
xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
-        return xparams;
-    }
-
-
-    /**
-     * Load the collection of CRLs.
-     * @param crlf The path to the CRL file.
-     * @return the CRLs collection
-     * @throws IOException Error reading CRL file
-     * @throws CRLException CRL error
-     * @throws CertificateException Error processing certificate
-     */
-    protected Collection<? extends CRL> getCRLs(String crlf)
-        throws IOException, CRLException, CertificateException {
-
-        Collection<? extends CRL> crls = null;
-        try {
-            CertificateFactory cf = CertificateFactory.getInstance("X.509");
-            try (InputStream is = 
ConfigFileLoader.getSource().getResource(crlf).getInputStream()) {
-                crls = cf.generateCRLs(is);
-            }
-        } catch(IOException iex) {
-            throw iex;
-        } catch(CRLException crle) {
-            throw crle;
-        } catch(CertificateException ce) {
-            throw ce;
-        }
-        return crls;
-    }
 }

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java?rev=1854079&r1=1854078&r2=1854079&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java Thu 
Feb 21 18:44:51 2019
@@ -21,7 +21,6 @@ import java.util.Set;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLSessionContext;
-import javax.net.ssl.TrustManager;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -97,14 +96,6 @@ public class OpenSSLUtil extends SSLUtil
         }
     }
 
-    @Override
-    public TrustManager[] getTrustManagers() throws Exception {
-        if (jsseUtil != null) {
-            return jsseUtil.getTrustManagers();
-        } else {
-            return null;
-        }
-    }
 
     @Override
     public void configureSessionContext(SSLSessionContext sslSessionContext) {


