
Rémy,

On 5/29/20 11:25, r...@apache.org wrote:
> This is an automated email from the ASF dual-hosted git
> repository.
>
> remm pushed a commit to branch 8.5.x in repository
> https://gitbox.apache.org/repos/asf/tomcat.git
>
> commit ddc3027029dae386221d355686278dde608c60ee Author: remm
> <r...@apache.org> AuthorDate: Thu May 28 16:28:19 2020 +0200
>
> WIP for more TLS env resolution
>
> Make each missing env value explicit, to help eventual
> documentation. --- .../catalina/valves/rewrite/ResolverImpl.java
> | 107 +++++++++++++++++++-- 1 file changed, 97 insertions(+), 10
> deletions(-)
>
> diff --git
> a/java/org/apache/catalina/valves/rewrite/ResolverImpl.java
> b/java/org/apache/catalina/valves/rewrite/ResolverImpl.java index
> 8c108ab..b9749e0 100644 ---
> a/java/org/apache/catalina/valves/rewrite/ResolverImpl.java +++
> b/java/org/apache/catalina/valves/rewrite/ResolverImpl.java @@
> -16,10 +16,12 @@ */ package org.apache.catalina.valves.rewrite;
>
> +import java.io.IOException; import java.nio.charset.Charset;
> +import java.security.cert.X509Certificate; import
> java.util.Calendar; +import java.util.concurrent.TimeUnit;
>
> -import org.apache.catalina.Globals; import
> org.apache.catalina.WebResource; import
> org.apache.catalina.WebResourceRoot; import
> org.apache.catalina.connector.Request; @@ -135,16 +137,101 @@
> public class ResolverImpl extends Resolver {
>
> @Override public String resolveSsl(String key) { -        if
> (key.equals("SSL_PROTOCOL")) { -            return
> String.valueOf(request.getAttribute(SSLSupport.PROTOCOL_VERSION_KEY));
>
>
- -        } else if (key.equals("SSL_SESSION_ID")) {
> -            return
> String.valueOf(request.getAttribute(Globals.SSL_SESSION_ID_ATTR));
> -        } else if (key.equals("SSL_CIPHER")) { -            return
> String.valueOf(request.getAttribute(Globals.CIPHER_SUITE_ATTR)); -
> } else if (key.equals("SSL_CIPHER_USEKEYSIZE")) { -
> return
> String.valueOf(request.getAttribute(Globals.KEY_SIZE_ATTR)); +
> SSLSupport sslSupport = (SSLSupport)
> request.getAttribute(SSLSupport.SESSION_MGR); +        try { +
> // FIXME SSL_SESSION_RESUMED +            // FIXME
> SSL_SECURE_RENEG +            // FIXME SSL_CIPHER_EXPORT +
> // FIXME SSL_CIPHER_ALGKEYSIZE +            // FIXME
> SSL_COMPRESS_METHOD +            // FIXME SSL_SRP_USER +
> // FIXME SSL_SRP_USERINFO +            // FIXME SSL_TLS_SNI +
> if (key.equals("SSL_PROTOCOL")) { +                return
> sslSupport.getProtocol(); +            } else if
> (key.equals("SSL_SESSION_ID")) { +                return
> sslSupport.getSessionId(); +            } else if
> (key.equals("SSL_CIPHER")) { +                return
> sslSupport.getCipherSuite(); +            } else if
> (key.equals("SSL_CIPHER_USEKEYSIZE")) { +                return
> sslSupport.getKeySize().toString();

These above lines are now within the try/catch block which reduces
performance somewhat for the attributes that don't need try/catch. Any
reason to bring them under the try/catch?

In fact, which exceptions can actually be thrown here? Or is the
issue that Java might parse the certificates at this stage in the
pipeline rather than their having already been parsed earlier (because
it's rewrite, it might run "early")?

-chris


> +            } else if (key.startsWith("SSL_CLIENT_")) { +
> X509Certificate[] certificates =
> sslSupport.getPeerCertificateChain(); +                if
> (certificates != null && certificates.length > 0) { +
> key = key.substring("SSL_CLIENT_".length()); +
> String result = resolveSslCertificates(key, certificates); +
> if (result != null) { +                        return result; +
> } else if (key.startsWith("SAN_OTHER_msUPN_")) { +
> key = key.substring("SAN_OTHER_msUPN_".length()); +
> // FIXME return certificates[0].getSubjectAlternativeNames() +
> } else if (key.equals("CERT_RFC4523_CEA")) { +
> // FIXME return certificates[0]; +                    } else if
> (key.equals("VERIFY")) { +                        // FIXME return
> certificates[0]; +                    } +                } +
> } else if (key.startsWith("SSL_SERVER_")) { +
> X509Certificate[] certificates =
> sslSupport.getLocalCertificateChain(); +                if
> (certificates != null && certificates.length > 0) { +
> key = key.substring("SSL_SERVER_".length()); +
> String result = resolveSslCertificates(key, certificates); +
> if (result != null) { +                        return result; +
> } else if (key.startsWith("SAN_OTHER_dnsSRV_")) { +
> key = key.substring("SAN_OTHER_dnsSRV_".length()); +
> // FIXME return certificates[0].getSubjectAlternativeNames() +
> } +                } +            } +        } catch (IOException
> e) { +            // TLS access error +        } +        return
> null; +    } + +    private String resolveSslCertificates(String
> key, X509Certificate[] certificates) { +        if
> (key.equals("M_VERSION")) { +            return
> String.valueOf(certificates[0].getVersion()); +        } else if
> (key.equals("M_SERIAL")) { +            return
> certificates[0].getSerialNumber().toString(); +        } else if
> (key.equals("S_DN")) { +            return
> certificates[0].getSubjectDN().getName(); +        } else if
> (key.startsWith("S_DN_")) { +            key =
> key.substring("S_DN_".length()); +            // FIXME return
> certificates[0].getSubjectX500Principal().?; +        } else if
> (key.startsWith("SAN_Email_")) { +            key =
> key.substring("SAN_Email_".length()); +            // FIXME return
> certificates[0].getSubjectAlternativeNames() +        } else if
> (key.startsWith("SAN_DNS_")) { +            key =
> key.substring("SAN_DNS_".length()); +            // FIXME return
> certificates[0].getSubjectAlternativeNames() +        } else if
> (key.equals("I_DN")) { +            return
> certificates[0].getIssuerDN().getName(); +        } else if
> (key.startsWith("I_DN_")) { +            key =
> key.substring("I_DN_".length()); +            // FIXME return
> certificates[0].getIssuerX500Principal().?; +        } else if
> (key.equals("V_START")) { +            return
> String.valueOf(certificates[0].getNotBefore().getTime()); +
> } else if (key.equals("V_END")) { +            return
> String.valueOf(certificates[0].getNotAfter().getTime()); +        }
> else if (key.equals("V_REMAIN")) { +            long remain =
> certificates[0].getNotAfter().getTime() -
> System.currentTimeMillis(); +            if (remain < 0) { +
> remain = 0L; +            } +            // Return remaining days +
> return String.valueOf(TimeUnit.MILLISECONDS.toDays(remain)); +
> } else if (key.equals("A_SIG")) { +            return
> certificates[0].getSigAlgName(); +        } else if
> (key.equals("A_KEY")) { +            return
> certificates[0].getPublicKey().getAlgorithm(); +        } else if
> (key.equals("CERT")) { +            // FIXME return certificates[0]
> to pem +        } else if (key.startsWith("CERT_CHAIN_")) { +
> key = key.substring("CERT_CHAIN_".length()); +            // FIXME
> return certificates[n] to pem } -        // FIXME: Implement other
> SSL environment variables when possible return null; }
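Review bot: `sslSupport` is dereferenced with no null check, so a rule referencing an SSL_* variable on a plain-HTTP request (no SSLSupport.SESSION_MGR attribute present) now throws NullPointerException at `sslSupport.getProtocol()` where the removed `request.getAttribute(...)` path returned "null"; add `if (sslSupport == null) { return null; }` before the try, and use `String.valueOf(sslSupport.getKeySize())` for SSL_CIPHER_USEKEYSIZE in case getKeySize() returns null. The `catch (IOException e)` body discards the exception with only a comment, so a TLS access failure becomes indistinguishable from an unset variable; log it at debug level with the file's existing logger (declared outside the hunk, if present) before returning null. `getSubjectDN()`/`getIssuerDN()` are the legacy denigrated accessors; `getSubjectX500Principal().getName()` and `getIssuerX500Principal().getName()` give the RFC 2253 form that the S_DN_/I_DN_ FIXMEs will need anyway. The ResolverImpl class continues outside the hunk.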
>
>
>