Author: markt Date: Thu Jul 16 20:42:08 2009 New Revision: 794846 URL: http://svn.apache.org/viewvc?rev=794846&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39637 AJP connectors do not handle certificate chains Patch by Patrik Schnellmann
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java tomcat/tc6.0.x/trunk/java/org/apache/jk/core/MsgContext.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=794846&r1=794845&r2=794846&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Jul 16 20:42:08 2009 @@ -156,13 +156,6 @@ +1: fhanik -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39637 - AJP connectors do not handle certificate chains - Patch by Patrik Schnellmann - https://issues.apache.org/bugzilla/attachment.cgi?id=23951 - +1: markt, rjung, kkolinko - -1: - * Correct errorlevel handling in setclasspath.bat http://svn.apache.org/viewvc?rev=793669&view=rev +1: rjung, kkolinko, markt Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=794846&r1=794845&r2=794846&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java Thu Jul 16 20:42:08 2009 
@@ -550,19 +550,28 @@ new ByteArrayInputStream(certData.getBytes(), certData.getStart(), certData.getLength()); - // Fill the first element. + // Fill the elements. try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate) - cf.generateCertificate(bais); - jsseCerts = new X509Certificate[1]; - jsseCerts[0] = cert; - request.setAttribute(AprEndpoint.CERTIFICATE_KEY, jsseCerts); + while(bais.available() > 0) { + X509Certificate cert = (X509Certificate) + cf.generateCertificate(bais); + if(jsseCerts == null) { + jsseCerts = new X509Certificate[1]; + jsseCerts[0] = cert; + } else { + X509Certificate [] temp = new X509Certificate[jsseCerts.length+1]; + System.arraycopy(jsseCerts,0,temp,0,jsseCerts.length); + temp[jsseCerts.length] = cert; + jsseCerts = temp; + } + } } catch (java.security.cert.CertificateException e) { log.error(sm.getString("ajpprocessor.certs.fail"), e); return; } + request.setAttribute(AprEndpoint.CERTIFICATE_KEY, jsseCerts); } } else if (actionCode == ActionCode.ACTION_REQ_HOST_ATTRIBUTE) { Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java?rev=794846&r1=794845&r2=794846&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Thu Jul 16 20:42:08 2009 
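Review bot: The hand-rolled array-growth loop added here (and repeated verbatim in AjpProcessor.java and, with a counter, in MsgContext.java below) duplicates what `CertificateFactory.generateCertificates(InputStream)` already provides, so the whole `while` block can become `jsseCerts = cf.generateCertificates(bais).toArray(new X509Certificate[0]);` under the same `CertificateException` catch (the "X.509" factory only yields X509Certificate instances). The loop also depends on `ByteArrayInputStream.available()` being the exact unread byte count, which is true for this stream type but not for InputStream in general, and any trailing bytes after the last certificate would make the final `generateCertificate` call throw and discard the entire chain; either way a comment such as `// available() is exact for a ByteArrayInputStream; trailing non-certificate bytes abort the whole chain` would record that. Because `request.setAttribute` now runs after the loop, a `certData` with zero bytes leaves `jsseCerts` null and stores a null attribute where the old code returned on the parse error, so either confirm consumers of `CERTIFICATE_KEY` accept null or guard with `if (jsseCerts != null)`. The array order is whatever the AJP client sent, which downstream authenticators presumably read with the end-entity certificate at index 0; `// chain order as sent by the proxy: end-entity certificate first` would make that assumption explicit. The enclosing method starts and ends outside the hunk.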
@@ -555,19 +555,28 @@ new ByteArrayInputStream(certData.getBytes(), certData.getStart(), certData.getLength()); - // Fill the first element. + // Fill the elements. try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate) - cf.generateCertificate(bais); - jsseCerts = new X509Certificate[1]; - jsseCerts[0] = cert; - request.setAttribute(JIoEndpoint.CERTIFICATE_KEY, jsseCerts); + while(bais.available() > 0) { + X509Certificate cert = (X509Certificate) + cf.generateCertificate(bais); + if(jsseCerts == null) { + jsseCerts = new X509Certificate[1]; + jsseCerts[0] = cert; + } else { + X509Certificate [] temp = new X509Certificate[jsseCerts.length+1]; + System.arraycopy(jsseCerts,0,temp,0,jsseCerts.length); + temp[jsseCerts.length] = cert; + jsseCerts = temp; + } + } } catch (java.security.cert.CertificateException e) { log.error(sm.getString("ajpprocessor.certs.fail"), e); return; } + request.setAttribute(JIoEndpoint.CERTIFICATE_KEY, jsseCerts); } } else if (actionCode == ActionCode.ACTION_REQ_HOST_ATTRIBUTE) { Modified: tomcat/tc6.0.x/trunk/java/org/apache/jk/core/MsgContext.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jk/core/MsgContext.java?rev=794846&r1=794845&r2=794846&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/jk/core/MsgContext.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/jk/core/MsgContext.java Thu Jul 16 20:42:08 2009 
@@ -324,15 +324,27 @@ certData.getStart(), certData.getLength()); - // Fill the first element. + // Fill all elements. X509Certificate jsseCerts[] = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate) - cf.generateCertificate(bais); - jsseCerts = new X509Certificate[1]; - jsseCerts[0] = cert; + int i = 0; + while (bais.available() > 0) { + X509Certificate cert = (X509Certificate) + cf.generateCertificate(bais); + if (jsseCerts == null) { + jsseCerts = new X509Certificate[1]; + } else { + X509Certificate tmpJsseCerts[] = + new X509Certificate[jsseCerts.length + 1]; + System.arraycopy(jsseCerts, 0, + tmpJsseCerts, 0, + jsseCerts.length); + jsseCerts = tmpJsseCerts; + } + jsseCerts[i++] = cert; + } } catch(java.security.cert.CertificateException e) { log.error("Certificate convertion failed" , e ); return; Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=794846&r1=794845&r2=794846&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Jul 16 20:42:08 2009 @@ -138,6 +138,10 @@ <subsection name="Coyote"> <changelog> <fix> + <bug>39637</bug>: Enable the AJP connectors to correctly handle client + certificate chains. Patch by Patrik Schnellmann. (markt) + </fix> + <fix> <bug>46985</bug>: Clean up code and remove impossible condition. (markt/kkolinko) </fix> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
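Review bot: The counter `i` introduced in this hunk always equals `jsseCerts.length - 1` once the grow step has run, so it is redundant state that can silently diverge from the array if the loop is edited later; `jsseCerts[jsseCerts.length - 1] = cert;` removes the need for it. If `generateCertificate` throws midway, `jsseCerts` holds a partial chain, which is harmless only because the catch block returns before the array is used, and that deserves a one-line comment next to the `return;`. The enclosing method, including whatever consumes `jsseCerts`, starts and ends outside the hunk.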