On Sun, May 31, 2020 at 2:53 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Rémy,
>
> On 5/29/20 11:25, r...@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git
> > repository.
> >
> > remm pushed a commit to branch 8.5.x in repository
> > https://gitbox.apache.org/repos/asf/tomcat.git
> >
> > commit ddc3027029dae386221d355686278dde608c60ee Author: remm
> > <r...@apache.org> AuthorDate: Thu May 28 16:28:19 2020 +0200
> >
> > WIP for more TLS env resolution
> >
> > Make each missing env value explicit, to help eventual
> > documentation. --- .../catalina/valves/rewrite/ResolverImpl.java
> > | 107 +++++++++++++++++++-- 1 file changed, 97 insertions(+), 10
> > deletions(-)
> >
> > diff --git
> > a/java/org/apache/catalina/valves/rewrite/ResolverImpl.java
> > b/java/org/apache/catalina/valves/rewrite/ResolverImpl.java index
> > 8c108ab..b9749e0 100644 ---
> > a/java/org/apache/catalina/valves/rewrite/ResolverImpl.java +++
> > b/java/org/apache/catalina/valves/rewrite/ResolverImpl.java @@
> > -16,10 +16,12 @@ */ package org.apache.catalina.valves.rewrite;
> >
> > +import java.io.IOException; import java.nio.charset.Charset;
> > +import java.security.cert.X509Certificate; import
> > java.util.Calendar; +import java.util.concurrent.TimeUnit;
> >
> > -import org.apache.catalina.Globals; import
> > org.apache.catalina.WebResource; import
> > org.apache.catalina.WebResourceRoot; import
> > org.apache.catalina.connector.Request; @@ -135,16 +137,101 @@
> > public class ResolverImpl extends Resolver {
> >
> > @Override public String resolveSsl(String key) { -        if
> > (key.equals("SSL_PROTOCOL")) { -            return
> > String.valueOf(request.getAttribute(SSLSupport.PROTOCOL_VERSION_KEY));
> >
> >
> - -        } else if (key.equals("SSL_SESSION_ID")) {
> > -            return
> > String.valueOf(request.getAttribute(Globals.SSL_SESSION_ID_ATTR));
> > -        } else if (key.equals("SSL_CIPHER")) { -            return
> > String.valueOf(request.getAttribute(Globals.CIPHER_SUITE_ATTR)); -
> > } else if (key.equals("SSL_CIPHER_USEKEYSIZE")) { -
> > return
> > String.valueOf(request.getAttribute(Globals.KEY_SIZE_ATTR)); +
> > SSLSupport sslSupport = (SSLSupport)
> > request.getAttribute(SSLSupport.SESSION_MGR); +        try { +
> > // FIXME SSL_SESSION_RESUMED +            // FIXME
> > SSL_SECURE_RENEG +            // FIXME SSL_CIPHER_EXPORT +
> > // FIXME SSL_CIPHER_ALGKEYSIZE +            // FIXME
> > SSL_COMPRESS_METHOD +            // FIXME SSL_SRP_USER +
> > // FIXME SSL_SRP_USERINFO +            // FIXME SSL_TLS_SNI +
> > if (key.equals("SSL_PROTOCOL")) { +                return
> > sslSupport.getProtocol(); +            } else if
> > (key.equals("SSL_SESSION_ID")) { +                return
> > sslSupport.getSessionId(); +            } else if
> > (key.equals("SSL_CIPHER")) { +                return
> > sslSupport.getCipherSuite(); +            } else if
> > (key.equals("SSL_CIPHER_USEKEYSIZE")) { +                return
> > sslSupport.getKeySize().toString();
>
> These above lines are now within the try/catch block which reduces
> performance somewhat for the attributes that don't need try/catch. Any
> reason to bring them under the try/catch?
>

I don't think there can be any measurable performance impact here,
everything is quite expensive. I'm just addressing some old FIXMEs here,
and looking at APIs I never used before, BTW.


>
> In fact... which exceptions can actually be thrown, here? Or is the
> issue that Java might parse the certificates at this stage in the
> pipeline instead of already having been done (because it's rewrite, it
> might be "early").
>

It's for APR's SSLSupport. Not sure overall, I don't really care much about
it.

Rémy


>
> - -chris
>
>
> > +            } else if (key.startsWith("SSL_CLIENT_")) { +
> > X509Certificate[] certificates =
> > sslSupport.getPeerCertificateChain(); +                if
> > (certificates != null && certificates.length > 0) { +
> > key = key.substring("SSL_CLIENT_".length()); +
> > String result = resolveSslCertificates(key, certificates); +
> > if (result != null) { +                        return result; +
> > } else if (key.startsWith("SAN_OTHER_msUPN_")) { +
> > key = key.substring("SAN_OTHER_msUPN_".length()); +
> > // FIXME return certificates[0].getSubjectAlternativeNames() +
> > } else if (key.equals("CERT_RFC4523_CEA")) { +
> > // FIXME return certificates[0]; +                    } else if
> > (key.equals("VERIFY")) { +                        // FIXME return
> > certificates[0]; +                    } +                } +
> > } else if (key.startsWith("SSL_SERVER_")) { +
> > X509Certificate[] certificates =
> > sslSupport.getLocalCertificateChain(); +                if
> > (certificates != null && certificates.length > 0) { +
> > key = key.substring("SSL_SERVER_".length()); +
> > String result = resolveSslCertificates(key, certificates); +
> > if (result != null) { +                        return result; +
> > } else if (key.startsWith("SAN_OTHER_dnsSRV_")) { +
> > key = key.substring("SAN_OTHER_dnsSRV_".length()); +
> > // FIXME return certificates[0].getSubjectAlternativeNames() +
> > } +                } +            } +        } catch (IOException
> > e) { +            // TLS access error +        } +        return
> > null; +    } + +    private String resolveSslCertificates(String
> > key, X509Certificate[] certificates) { +        if
> > (key.equals("M_VERSION")) { +            return
> > String.valueOf(certificates[0].getVersion()); +        } else if
> > (key.equals("M_SERIAL")) { +            return
> > certificates[0].getSerialNumber().toString(); +        } else if
> > (key.equals("S_DN")) { +            return
> > certificates[0].getSubjectDN().getName(); +        } else if
> > (key.startsWith("S_DN_")) { +            key =
> > key.substring("S_DN_".length()); +            // FIXME return
> > certificates[0].getSubjectX500Principal().?; +        } else if
> > (key.startsWith("SAN_Email_")) { +            key =
> > key.substring("SAN_Email_".length()); +            // FIXME return
> > certificates[0].getSubjectAlternativeNames() +        } else if
> > (key.startsWith("SAN_DNS_")) { +            key =
> > key.substring("SAN_DNS_".length()); +            // FIXME return
> > certificates[0].getSubjectAlternativeNames() +        } else if
> > (key.equals("I_DN")) { +            return
> > certificates[0].getIssuerDN().getName(); +        } else if
> > (key.startsWith("I_DN_")) { +            key =
> > key.substring("I_DN_".length()); +            // FIXME return
> > certificates[0].getIssuerX500Principal().?; +        } else if
> > (key.equals("V_START")) { +            return
> > String.valueOf(certificates[0].getNotBefore().getTime()); +
> > } else if (key.equals("V_END")) { +            return
> > String.valueOf(certificates[0].getNotAfter().getTime()); +        }
> > else if (key.equals("V_REMAIN")) { +            long remain =
> > certificates[0].getNotAfter().getTime() -
> > System.currentTimeMillis(); +            if (remain < 0) { +
> > remain = 0L; +            } +            // Return remaining days +
> > return String.valueOf(TimeUnit.MILLISECONDS.toDays(remain)); +
> > } else if (key.equals("A_SIG")) { +            return
> > certificates[0].getSigAlgName(); +        } else if
> > (key.equals("A_KEY")) { +            return
> > certificates[0].getPublicKey().getAlgorithm(); +        } else if
> > (key.equals("CERT")) { +            // FIXME return certificates[0]
> > to pem +        } else if (key.startsWith("CERT_CHAIN_")) { +
> > key = key.substring("CERT_CHAIN_".length()); +            // FIXME
> > return certificates[n] to pem } -        // FIXME: Implement other
> > SSL environment variables when possible return null; }
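Review bot: `sslSupport` is used without a null check right after the cast from `request.getAttribute(SSLSupport.SESSION_MGR)`; that attribute is presumably absent on a request that did not arrive over TLS, so a rewrite rule referencing any `SSL_*` variable would now throw a NullPointerException where the old `String.valueOf(request.getAttribute(...))` form tolerated the missing value. Adding `if (sslSupport == null) { return null; }` before the `try` restores that tolerance, and the same concern applies to `sslSupport.getKeySize().toString()`, since `getKeySize()` returns an `Integer` that `String.valueOf` handled when null and `.toString()` does not. The `catch (IOException e)` block discards the exception with only a comment, which hides TLS access failures; at minimum log it at debug level together with the key being resolved. In `resolveSslCertificates`, `getSubjectDN()` and `getIssuerDN()` are the denigrated `X509Certificate` accessors; `getSubjectX500Principal().getName()` and `getIssuerX500Principal().getName()` are the documented replacements and yield a stable RFC 2253 form. Both `resolveSsl` and `resolveSslCertificates` appear complete within this hunk.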
> >
> >
> >
> >
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl7TqMcACgkQHPApP6U8
> pFithQ/9F6M+P/JZUskwIe9Uk7P4AohAyn71uM4FScziqPOb4CyplSVZLMi0Xv2R
> 7i406BTv/KfmPTSKfPUVAdsEp0LRlT8Rxj/SiB00NwfYeN0Hn9O/Fk7ap0lmnBhN
> M0hajxvKgXZjCDq3kE6uQs4a2QKwjZDeDzMC8mNLmbSgX6Wvaj/LmL+5QkYC4Gbi
> 2ihPVfjUdgq7pSd2hT/FeGswyZ0/t1VDZ+b5AJcnsq/H2rrkjesI7/j32thcAoUq
> ZN+2yphU6lOMAog4y9y8WqBtMdAML6Uh8KJiX4qvM1XIWiaAgMPHPGT4t3ymectD
> IA3nWf1778ECXbi4KiaFtHE9Q1YWokzSmuSKOhvykjO57oVuervL2+0tBOcE5Pgn
> kxwMnswEbSlAov0vaIRt6EXqC8OuykwTgG92EAQzPuNbmvYTIjhZUksiV2VYXP2p
> Cz8Rv1CEOISHVYtXWF9tlBcw1ezwYW47tX5jPDWObKDK4sYoC5HNMWOs5C7BtAG4
> OVG5UKQLiu0eLLr0zydRBzoHn2aJqwUqb6reGoRtLUQqPQ+SpzDHk1PnX1YvX57t
> HlqwQqSVk7cSuMh9S7iRIf/RIBZe8feqBgw5rm5e00PoYEjoScRoE6ojbp34Sj11
> fmJA3XJkzlwJoc79a1zStAIsR1ovdbrp+oWYGRw7+UXoUFIvCvw=
> =Gap0
> -----END PGP SIGNATURE-----
>
>
>
