svn commit: r884964 - in /tomcat/tc5.5.x/trunk: ./ connectors/http11/src/java/org/apache/coyote/http11/ connectors/jni/java/org/apache/tomcat/jni/ container/catalina/src/share/org/apache/catalina/core/ container/webapps/docs/

Fri, 27 Nov 2009 11:16:16 -0800 

Author: markt
Date: Fri Nov 27 19:15:50 2009
New Revision: 884964

URL: http://svn.apache.org/viewvc?rev=884964&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
Adds support for SSL renegotiation when CLIENT-CERT auth is required due to a 
security constraint

Modified:
    tomcat/tc5.5.x/trunk/STATUS.txt
    
tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/Http11AprProcessor.java
    
tomcat/tc5.5.x/trunk/connectors/jni/java/org/apache/tomcat/jni/SSLSocket.java
    
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/core/AprLifecycleListener.java
    tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml

Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=884964&r1=884963&r2=884964&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Nov 27 19:15:50 2009
@@ -147,20 +147,11 @@
   +1: kkolinko
   -1:
 
-
 * Include root cause exception into the one produced by 
ApplicationContextFacade#doPrivileged()
   http://svn.apache.org/viewvc?rev=831819&view=rev
   +1: kkolinko, markt
   -1:
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
-  Adds support for SSL renegotiation when CLIENT-CERT auth is required due to a
-  security constraint
-  Backport of http://svn.apache.org/viewvc?rev=832222&view=rev
-  
http://people.apache.org/~rjung/patches/tc5.5.x-backport-BZ46950-r815418-20091102.patch
-  +1: rjung, markt, mturk
-  -1:
-
 * Fix CVE-2009-3548 - Windows installer uses insecure default password
   http://svn.apache.org/viewvc?rev=834047&view=rev
   +1: markt, mturk

Modified: 
tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/Http11AprProcessor.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/Http11AprProcessor.java?rev=884964&r1=884963&r2=884964&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/Http11AprProcessor.java
 (original)
+++ 
tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/Http11AprProcessor.java
 Fri Nov 27 19:15:50 2009
@@ -1098,13 +1098,14 @@
                         request.setAttribute(AprEndpoint.CIPHER_SUITE_KEY, 
sslO);
                     }
                     // Get client certificate and the certificate chain if 
present
+                    // certLength == -1 indicates an error
                     int certLength = SSLSocket.getInfoI(socket, 
SSL.SSL_INFO_CLIENT_CERT_CHAIN);
                     byte[] clientCert = SSLSocket.getInfoB(socket, 
SSL.SSL_INFO_CLIENT_CERT);
                     X509Certificate[] certs = null;
-                    if (clientCert != null) {
+                    if (clientCert != null  && certLength > -1) {
                         certs = new X509Certificate[certLength + 1];
                         CertificateFactory cf = 
CertificateFactory.getInstance("X.509");
-                        certs[0] = (X509Certificate) 
cf.generateCertificate(new ByteArrayInputStream(clientCert));                   
 
+                        certs[0] = (X509Certificate) 
cf.generateCertificate(new ByteArrayInputStream(clientCert));
                         for (int i = 0; i < certLength; i++) {
                             byte[] data = SSLSocket.getInfoB(socket, 
SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
                             certs[i+1] = (X509Certificate) 
cf.generateCertificate(new ByteArrayInputStream(data));
@@ -1131,29 +1132,35 @@
         } else if (actionCode == ActionCode.ACTION_REQ_SSL_CERTIFICATE) {
 
             if (ssl && (socket != 0)) {
-                 // Consume and buffer the request body, so that it does not
-                 // interfere with the client's handshake messages
+                // Consume and buffer the request body, so that it does not
+                // interfere with the client's handshake messages
                 InputFilter[] inputFilters = inputBuffer.getFilters();
                 ((BufferedInputFilter) 
inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
                 
inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
                 try {
-                    // Renegociate certificates
-                    SSLSocket.renegotiate(socket);
-                    // Get client certificate and the certificate chain if 
present
-                    int certLength = SSLSocket.getInfoI(socket, 
SSL.SSL_INFO_CLIENT_CERT_CHAIN);
-                    byte[] clientCert = SSLSocket.getInfoB(socket, 
SSL.SSL_INFO_CLIENT_CERT);
-                    X509Certificate[] certs = null;
-                    if (clientCert != null) {
-                        certs = new X509Certificate[certLength + 1];
-                        CertificateFactory cf = 
CertificateFactory.getInstance("X.509");
-                        certs[0] = (X509Certificate) 
cf.generateCertificate(new ByteArrayInputStream(clientCert));
-                        for (int i = 0; i < certLength; i++) {
-                            byte[] data = SSLSocket.getInfoB(socket, 
SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
-                            certs[i+1] = (X509Certificate) 
cf.generateCertificate(new ByteArrayInputStream(data));
+                    // Configure connection to require a certificate
+                    SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE,
+                            endpoint.getSSLVerifyDepth());
+                    // Renegotiate certificates
+                    if (SSLSocket.renegotiate(socket) == 0) {
+                        // Don't look for certs unless we know renegotiation 
worked.
+                        // Get client certificate and the certificate chain if 
present
+                        // certLength == -1 indicates an error 
+                        int certLength = 
SSLSocket.getInfoI(socket,SSL.SSL_INFO_CLIENT_CERT_CHAIN);
+                        byte[] clientCert = SSLSocket.getInfoB(socket, 
SSL.SSL_INFO_CLIENT_CERT);
+                        X509Certificate[] certs = null;
+                        if (clientCert != null && certLength > -1) {
+                            certs = new X509Certificate[certLength + 1];
+                            CertificateFactory cf = 
CertificateFactory.getInstance("X.509");
+                            certs[0] = (X509Certificate) 
cf.generateCertificate(new ByteArrayInputStream(clientCert));
+                            for (int i = 0; i < certLength; i++) {
+                                byte[] data = SSLSocket.getInfoB(socket, 
SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
+                                certs[i+1] = (X509Certificate) 
cf.generateCertificate(new ByteArrayInputStream(data));
+                            }
+                        }
+                        if (certs != null) {
+                            request.setAttribute(AprEndpoint.CERTIFICATE_KEY, 
certs);
                         }
-                    }
-                    if (certs != null) {
-                        request.setAttribute(AprEndpoint.CERTIFICATE_KEY, 
certs);
                     }
                 } catch (Exception e) {
                     log.warn(sm.getString("http11processor.socket.ssl"), e);

Modified: 
tomcat/tc5.5.x/trunk/connectors/jni/java/org/apache/tomcat/jni/SSLSocket.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/jni/java/org/apache/tomcat/jni/SSLSocket.java?rev=884964&r1=884963&r2=884964&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/connectors/jni/java/org/apache/tomcat/jni/SSLSocket.java 
(original)
+++ 
tomcat/tc5.5.x/trunk/connectors/jni/java/org/apache/tomcat/jni/SSLSocket.java 
Fri Nov 27 19:15:50 2009
@@ -57,6 +57,29 @@
     public static native int renegotiate(long thesocket);
 
     /**
+     * Set Type of Client Certificate verification and Maximum depth of CA
+     * Certificates in Client Certificate verification.
+     * <br />
+     * This is used to change the verification level for a connection prior to
+     * starting a re-negotiation.
+     * <br />
+     * The following levels are available for level:
+     * <PRE>
+     * SSL_CVERIFY_NONE           - No client Certificate is required at all
+     * SSL_CVERIFY_OPTIONAL       - The client may present a valid Certificate
+     * SSL_CVERIFY_REQUIRE        - The client has to present a valid
+     *                              Certificate
+     * SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate
+     *                              but it need not to be (successfully)
+     *                              verifiable
+     * </PRE>
+     * <br />
+     * @param sock  The socket to change.
+     * @param level Type of Client Certificate verification.
+     */
+    public static native void setVerify(long sock, int level, int depth);
+    
+    /**    
      * Return SSL Info parameter as byte array.
      *
      * @param sock The socket to read the data from.

Modified: 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/core/AprLifecycleListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/core/AprLifecycleListener.java?rev=884964&r1=884963&r2=884964&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/core/AprLifecycleListener.java
 (original)
+++ 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/core/AprLifecycleListener.java
 Fri Nov 27 19:15:50 2009
@@ -54,8 +54,8 @@
 
     protected static final int REQUIRED_MAJOR = 1;
     protected static final int REQUIRED_MINOR = 1;
-    protected static final int REQUIRED_PATCH = 3;
-    protected static final int RECOMMENDED_PV = 4;
+    protected static final int REQUIRED_PATCH = 17;
+    protected static final int RECOMMENDED_PV = 17;
 
 
     // ---------------------------------------------- LifecycleListener Methods

Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=884964&r1=884963&r2=884964&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Fri Nov 27 
19:15:50 2009
@@ -90,6 +90,10 @@
   <subsection name="Coyote">
     <changelog>
       <fix>
+        <bug>46950</bug>: Support SSL renegotiation with APR/native connector.
+        Note that this requires APR/native 1.1.17 or later. (markt)
+      </fix>
+      <fix>
         <bug>47225</bug>: Fix error in calculation of a buffer length in the
         mapper. (markt)
       </fix>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to