This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new a6487a88ba Fix BZ 69866 - Use separate CertificateVerifier class to
avoid strong JNI reference to OpenSSLContexts
a6487a88ba is described below
commit a6487a88ba50f3f98910de3692947382b6d2839e
Author: Aaron Ogburn <[email protected]>
AuthorDate: Mon Oct 27 17:32:43 2025 -0400
Fix BZ 69866 - Use separate CertificateVerifier class to avoid strong
JNI reference to OpenSSLContexts
---
.../net/openssl/OpenSSLCertificateVerifier.java | 60 ++++++++++++++++++++++
.../tomcat/util/net/openssl/OpenSSLContext.java | 25 +--------
webapps/docs/changelog.xml | 4 ++
3 files changed, 65 insertions(+), 24 deletions(-)
diff --git
a/java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java
new file mode 100644
index 0000000000..04b000ec54
--- /dev/null
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.openssl;
+
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.X509TrustManager;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.jni.CertificateVerifier;
+import org.apache.tomcat.util.res.StringManager;
+
+public class OpenSSLCertificateVerifier implements CertificateVerifier {
+
+ private static final Log log =
LogFactory.getLog(OpenSSLCertificateVerifier.class);
+ private static final StringManager sm =
StringManager.getManager(OpenSSLCertificateVerifier.class);
+
+ private final X509TrustManager x509TrustManager;
+
+ public OpenSSLCertificateVerifier(X509TrustManager x509TrustManager) {
+ this.x509TrustManager = x509TrustManager;
+ }
+
+ @Override
+ public boolean verify(long ssl, byte[][] chain, String auth) {
+ X509Certificate[] peerCerts = certificates(chain);
+ try {
+ x509TrustManager.checkClientTrusted(peerCerts, auth);
+ return true;
+ } catch (Exception e) {
+ if (log.isDebugEnabled()) {
+
log.debug(sm.getString("openssl.certificateVerificationFailed"), e);
+ }
+ }
+ return false;
+ }
+
+ private static X509Certificate[] certificates(byte[][] chain) {
+ X509Certificate[] peerCerts = new X509Certificate[chain.length];
+ for (int i = 0; i < peerCerts.length; i++) {
+ peerCerts[i] = new OpenSSLX509Certificate(chain[i]);
+ }
+ return peerCerts;
+ }
+}
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 2702f9025f..03197b1ced 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -45,7 +45,6 @@ import javax.net.ssl.X509TrustManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
-import org.apache.tomcat.jni.CertificateVerifier;
import org.apache.tomcat.jni.Library;
import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSL;
@@ -360,21 +359,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
if (tms != null) {
// Client certificate verification based on custom trust
managers
x509TrustManager = chooseTrustManager(tms);
- SSLContext.setCertVerifyCallback(ctx, new
CertificateVerifier() {
- @Override
- public boolean verify(long ssl, byte[][] chain, String
auth) {
- X509Certificate[] peerCerts = certificates(chain);
- try {
- x509TrustManager.checkClientTrusted(peerCerts,
auth);
- return true;
- } catch (Exception e) {
- if (log.isDebugEnabled()) {
-
log.debug(sm.getString("openssl.certificateVerificationFailed"), e);
- }
- }
- return false;
- }
- });
+ SSLContext.setCertVerifyCallback(ctx, new
OpenSSLCertificateVerifier(x509TrustManager));
// Pass along the DER encoded certificates of the accepted
client
// certificate issuers, so that their subjects can be presented
// by the server during the handshake to allow the client
choosing
@@ -565,14 +550,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
throw new
IllegalStateException(sm.getString("openssl.trustManagerMissing"));
}
- private static X509Certificate[] certificates(byte[][] chain) {
- X509Certificate[] peerCerts = new X509Certificate[chain.length];
- for (int i = 0; i < peerCerts.length; i++) {
- peerCerts[i] = new OpenSSLX509Certificate(chain[i]);
- }
- return peerCerts;
- }
-
long getSSLContextID() {
return ctx;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c26caf0970..a10499ad80 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -119,6 +119,10 @@
<fix>
Graceful failure for OCSP on BoringSSL in the FFM code. (remm)
</fix>
+ <fix>
+ <bug>69866</bug>: Fix a memory leak when using a trust store with the
+ OpenSSL provider. Pull request <pr>912</pr> by aogburn. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
