Author: markt
Date: Fri Feb 22 18:44:37 2019
New Revision: 1854165
URL: http://svn.apache.org/viewvc?rev=1854165&view=rev
Log:
Refactor with a view to using this with AprEndpoint where we'll want to add
multiple certificates to a single context (unlike JSSE where we need one
context per certificate)
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1854165&r1=1854164&r2=1854165&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Fri Feb 22 18:44:37 2019
@@ -245,42 +245,12 @@ public class OpenSSLContext implements o
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
- // Load Server key and certificate
- if (certificate.getCertificateFile() != null) {
- // Set certificate
- SSLContext.setCertificate(ctx,
-
SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()),
-
SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()),
- certificate.getCertificateKeyPassword(),
SSL.SSL_AIDX_RSA);
- // Set certificate chain file
- SSLContext.setCertificateChainFile(ctx,
-
SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false);
- // Set revocation
- SSLContext.setCARevocation(ctx,
- SSLHostConfig.adjustRelativePath(
-
sslHostConfig.getCertificateRevocationListFile()),
- SSLHostConfig.adjustRelativePath(
-
sslHostConfig.getCertificateRevocationListPath()));
- } else {
+ if (certificate.getCertificateFile() == null) {
x509KeyManager = chooseKeyManager(kms);
- String alias = certificate.getCertificateKeyAlias();
- if (alias == null) {
- alias = "tomcat";
- }
- X509Certificate[] chain =
x509KeyManager.getCertificateChain(alias);
- if (chain == null) {
- alias = findAlias(x509KeyManager, certificate);
- chain = x509KeyManager.getCertificateChain(alias);
- }
- PrivateKey key = x509KeyManager.getPrivateKey(alias);
- StringBuilder sb = new StringBuilder(BEGIN_KEY);
- sb.append(Base64.getMimeEncoder(64, new byte[]
{'\n'}).encodeToString(key.getEncoded()));
- sb.append(END_KEY);
- SSLContext.setCertificateRaw(ctx, chain[0].getEncoded(),
sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA);
- for (int i = 1; i < chain.length; i++) {
- SSLContext.addChainCertificateRaw(ctx,
chain[i].getEncoded());
- }
}
+
+ addCertificate(certificate);
+
// Client certificate verification
int value = 0;
switch (sslHostConfig.getCertificateVerification()) {
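Review bot: The new guard `if (certificate.getCertificateFile() == null)` now only assigns the `x509KeyManager` field, while the code that reads that field has moved into `addCertificate` (the second hunk), so the requirement that the key manager be chosen before `addCertificate(certificate)` runs is no longer visible at either site. Since the log says `addCertificate` is meant to be called repeatedly from AprEndpoint, a later call for a certificate without a file but without this prior assignment would dereference a null `x509KeyManager`. A comment at the guard would pin the ordering: `// addCertificate() reads x509KeyManager when no certificate file is configured, so choose it first`. The enclosing init method starts and ends outside the hunk.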
@@ -404,6 +374,46 @@ public class OpenSSLContext implements o
}
}
+
+ public void addCertificate(SSLHostConfigCertificate certificate) throws
Exception {
+ // Load Server key and certificate
+ if (certificate.getCertificateFile() != null) {
+ // Set certificate
+ SSLContext.setCertificate(ctx,
+
SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()),
+
SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()),
+ certificate.getCertificateKeyPassword(), SSL.SSL_AIDX_RSA);
+ // Set certificate chain file
+ SSLContext.setCertificateChainFile(ctx,
+
SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false);
+ // Set revocation
+ SSLContext.setCARevocation(ctx,
+ SSLHostConfig.adjustRelativePath(
+ sslHostConfig.getCertificateRevocationListFile()),
+ SSLHostConfig.adjustRelativePath(
+ sslHostConfig.getCertificateRevocationListPath()));
+ } else {
+ String alias = certificate.getCertificateKeyAlias();
+ if (alias == null) {
+ alias = "tomcat";
+ }
+ X509Certificate[] chain =
x509KeyManager.getCertificateChain(alias);
+ if (chain == null) {
+ alias = findAlias(x509KeyManager, certificate);
+ chain = x509KeyManager.getCertificateChain(alias);
+ }
+ PrivateKey key = x509KeyManager.getPrivateKey(alias);
+ StringBuilder sb = new StringBuilder(BEGIN_KEY);
+ sb.append(Base64.getMimeEncoder(64, new byte[]
{'\n'}).encodeToString(key.getEncoded()));
+ sb.append(END_KEY);
+ SSLContext.setCertificateRaw(ctx, chain[0].getEncoded(),
sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA);
+ for (int i = 1; i < chain.length; i++) {
+ SSLContext.addChainCertificateRaw(ctx, chain[i].getEncoded());
+ }
+ }
+ }
+
+
/*
* Find a valid alias when none was specified in the config.
*/
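Review bot: `addCertificate` is a new public method with no Javadoc, and it declares `throws Exception` rather than the exception types its body can actually raise, which forces every caller to catch `Exception`. A Javadoc should state that a certificate with a file is loaded from disk together with its chain and the host-level CRL settings, that one without a file is taken from the key manager by alias (falling back to `"tomcat"` and then `findAlias`), and list the `@throws` cases. Both branches hard-code `SSL.SSL_AIDX_RSA`; given the log's goal of several certificates in one context, the index presumably has to follow the certificate's key type rather than always being the RSA slot, which is worth confirming before AprEndpoint relies on it. The `setCARevocation` call uses values from `sslHostConfig`, not from the certificate, so it would be re-applied on every additional certificate; a short comment such as `// CRL settings are host-level and repeated for each certificate added` would make that intentional rather than accidental.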