This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit d5efbb15dfc252ced1415b2cf82fbaf6725522f6 Author: Aaron Ogburn <[email protected]> AuthorDate: Mon Oct 27 17:32:43 2025 -0400 Fix BZ 69866 - Use separate CertificateVerifier class to avoid strong JNI reference to OpenSSLContexts --- .../net/openssl/OpenSSLCertificateVerifier.java | 60 ++++++++++++++++++++++ .../tomcat/util/net/openssl/OpenSSLContext.java | 21 +------- webapps/docs/changelog.xml | 4 ++ 3 files changed, 65 insertions(+), 20 deletions(-) diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java new file mode 100644 index 0000000000..04b000ec54 --- /dev/null +++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java @@ -0,0 +1,60 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.net.openssl; + +import java.security.cert.X509Certificate; + +import javax.net.ssl.X509TrustManager; + +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; +import org.apache.tomcat.jni.CertificateVerifier; +import org.apache.tomcat.util.res.StringManager; + +public class OpenSSLCertificateVerifier implements CertificateVerifier { + + private static final Log log = LogFactory.getLog(OpenSSLCertificateVerifier.class); + private static final StringManager sm = StringManager.getManager(OpenSSLCertificateVerifier.class); + + private final X509TrustManager x509TrustManager; + + public OpenSSLCertificateVerifier(X509TrustManager x509TrustManager) { + this.x509TrustManager = x509TrustManager; + } + + @Override + public boolean verify(long ssl, byte[][] chain, String auth) { + X509Certificate[] peerCerts = certificates(chain); + try { + x509TrustManager.checkClientTrusted(peerCerts, auth); + return true; + } catch (Exception e) { + if (log.isDebugEnabled()) { + log.debug(sm.getString("openssl.certificateVerificationFailed"), e); + } + } + return false; + } + + private static X509Certificate[] certificates(byte[][] chain) { + X509Certificate[] peerCerts = new X509Certificate[chain.length]; + for (int i = 0; i < peerCerts.length; i++) { + peerCerts[i] = new OpenSSLX509Certificate(chain[i]); + } + return peerCerts; + } +} diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java index be3ad8122c..76cf4f4f74 100644 --- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java +++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java @@ -345,18 +345,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { if (tms != null) { // Client certificate verification based on custom trust managers x509TrustManager = chooseTrustManager(tms); - SSLContext.setCertVerifyCallback(state.ctx, (ssl, chain, auth) -> { - X509Certificate[] peerCerts = certificates(chain); - try { - x509TrustManager.checkClientTrusted(peerCerts, auth); - return true; - } catch (Exception e) { - if (log.isDebugEnabled()) { - log.debug(sm.getString("openssl.certificateVerificationFailed"), e); - } - } - return false; - }); + SSLContext.setCertVerifyCallback(state.ctx, new OpenSSLCertificateVerifier(x509TrustManager)); // Pass along the DER encoded certificates of the accepted client // certificate issuers, so that their subjects can be presented // by the server during the handshake to allow the client choosing @@ -547,14 +536,6 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { throw new IllegalStateException(sm.getString("openssl.trustManagerMissing")); } - private static X509Certificate[] certificates(byte[][] chain) { - X509Certificate[] peerCerts = new X509Certificate[chain.length]; - for (int i = 0; i < peerCerts.length; i++) { - peerCerts[i] = new OpenSSLX509Certificate(chain[i]); - } - return peerCerts; - } - long getSSLContextID() { return state.ctx; diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 2f83751732..97c23314ce 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -123,6 +123,10 @@ Fix use of <code>deferAccept</code> attribute in JMX, since it is normally only removed in Tomcat 11. (remm) </fix> + <fix> + <bug>69866</bug>: Fix a memory leak when using a trust store with the + OpenSSL provider. Pull request <pr>912</pr> by aogburn. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper"> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
