This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new 55443d3 Implement more of the TLS env in rewrite resolver 55443d3 is described below commit 55443d317da37d6c6bc1ee1f81078e1d9dea91c7 Author: remm <r...@apache.org> AuthorDate: Thu Jun 4 23:13:36 2020 +0200 Implement more of the TLS env in rewrite resolver --- .../catalina/valves/rewrite/ResolverImpl.java | 78 +++++++++++++++++----- .../catalina/valves/rewrite/TestResolverSSL.java | 20 +++--- 2 files changed, 75 insertions(+), 23 deletions(-) diff --git a/java/org/apache/catalina/valves/rewrite/ResolverImpl.java b/java/org/apache/catalina/valves/rewrite/ResolverImpl.java index 51566f0..dfa0ebd 100644 --- a/java/org/apache/catalina/valves/rewrite/ResolverImpl.java +++ b/java/org/apache/catalina/valves/rewrite/ResolverImpl.java @@ -19,9 +19,15 @@ package org.apache.catalina.valves.rewrite; import java.io.IOException; import java.nio.charset.Charset; import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; +import java.util.ArrayList; import java.util.Calendar; +import java.util.Collection; +import java.util.HashMap; +import java.util.List; import java.util.Set; +import java.util.StringTokenizer; import java.util.concurrent.TimeUnit; import org.apache.catalina.WebResource; @@ -145,18 +151,22 @@ public class ResolverImpl extends Resolver { public String resolveSsl(String key) { SSLSupport sslSupport = (SSLSupport) request.getAttribute(SSLSupport.SESSION_MGR); try { - // FIXME SSL_SESSION_RESUMED in SSLHostConfig - // FIXME SSL_SECURE_RENEG in SSLHostConfig - // FIXME SSL_COMPRESS_METHOD in SSLHostConfig - // FIXME SSL_TLS_SNI from handshake - // FIXME SSL_SRP_USER - // FIXME SSL_SRP_USERINFO + // SSL_SRP_USER: no planned support for SRP + // SSL_SRP_USERINFO: no planned support for SRP if (key.equals("HTTPS")) { return String.valueOf(sslSupport != null); } else if (key.equals("SSL_PROTOCOL")) { return sslSupport.getProtocol(); } else if (key.equals("SSL_SESSION_ID")) { return sslSupport.getSessionId(); + } else if (key.equals("SSL_SESSION_RESUMED")) { + // FIXME session resumption state, not available anywhere + } else if (key.equals("SSL_SECURE_RENEG")) { + // FIXME available from SSLHostConfig + } else if (key.equals("SSL_COMPRESS_METHOD")) { + // FIXME available from SSLHostConfig + } else if (key.equals("SSL_TLS_SNI")) { + // FIXME from handshake SNI processing } else if (key.equals("SSL_CIPHER")) { return sslSupport.getCipherSuite(); } else if (key.equals("SSL_CIPHER_EXPORT")) { @@ -188,12 +198,13 @@ public class ResolverImpl extends Resolver { if (result != null) { return result; } else if (key.startsWith("SAN_OTHER_msUPN_")) { + // Type otherName, which is 0 key = key.substring("SAN_OTHER_msUPN_".length()); - // FIXME return certificates[0].getSubjectAlternativeNames() + // FIXME OID from resolveAlternateName } else if (key.equals("CERT_RFC4523_CEA")) { - // FIXME return certificates[0] + // FIXME return certificate[0] format CertificateExactAssertion in RFC4523 } else if (key.equals("VERIFY")) { - // FIXME return verification state + // FIXME return verification state, not available anywhere } } } else if (key.startsWith("SSL_SERVER_")) { @@ -204,8 +215,9 @@ public class ResolverImpl extends Resolver { if (result != null) { return result; } else if (key.startsWith("SAN_OTHER_dnsSRV_")) { + // Type otherName, which is 0 key = key.substring("SAN_OTHER_dnsSRV_".length()); - // FIXME return certificates[0].getSubjectAlternativeNames() + // FIXME OID from resolveAlternateName } } } @@ -224,18 +236,20 @@ public class ResolverImpl extends Resolver { return certificates[0].getSubjectDN().getName(); } else if (key.startsWith("S_DN_")) { key = key.substring("S_DN_".length()); - // FIXME would need access to X500Name from X500Principal + return resolveComponent(certificates[0].getSubjectX500Principal().getName(), key); } else if (key.startsWith("SAN_Email_")) { + // Type rfc822Name, which is 1 key = key.substring("SAN_Email_".length()); - // FIXME return certificates[0].getSubjectAlternativeNames() + return resolveAlternateName(certificates[0], 1, Integer.parseInt(key)); } else if (key.startsWith("SAN_DNS_")) { + // Type dNSName, which is 2 key = key.substring("SAN_DNS_".length()); - // FIXME return certificates[0].getSubjectAlternativeNames() + return resolveAlternateName(certificates[0], 2, Integer.parseInt(key)); } else if (key.equals("I_DN")) { return certificates[0].getIssuerDN().getName(); } else if (key.startsWith("I_DN_")) { key = key.substring("I_DN_".length()); - // FIXME would need access to X500Name from X500Principal + return resolveComponent(certificates[0].getIssuerX500Principal().getName(), key); } else if (key.equals("V_START")) { return String.valueOf(certificates[0].getNotBefore().getTime()); } else if (key.equals("V_END")) { @@ -260,13 +274,47 @@ public class ResolverImpl extends Resolver { key = key.substring("CERT_CHAIN_".length()); try { return toPEM(certificates[Integer.parseInt(key)]); - } catch (NumberFormatException | CertificateEncodingException e) { + } catch (NumberFormatException | ArrayIndexOutOfBoundsException + | CertificateEncodingException e) { // Ignore } } return null; } + private String resolveComponent(String fullDN, String component) { + HashMap<String, String> components = new HashMap<>(); + StringTokenizer tokenizer = new StringTokenizer(fullDN, ","); + while (tokenizer.hasMoreElements()) { + String token = tokenizer.nextToken().trim(); + int pos = token.indexOf("="); + if (pos > 0 && (pos + 1) < token.length()) { + components.put(token.substring(0, pos), token.substring(pos + 1)); + } + } + return components.get(component); + } + + private String resolveAlternateName(X509Certificate certificate, int type, int n) { + try { + Collection<List<?>> alternateNames = certificate.getSubjectAlternativeNames(); + if (alternateNames != null) { + List<String> elements = new ArrayList<>(); + for (List<?> alternateName : alternateNames) { + Integer alternateNameType = (Integer) alternateName.get(0); + if (alternateNameType.intValue() == type) { + elements.add(String.valueOf(alternateName.get(1))); + } + } + return elements.get(n); + } + } catch (NumberFormatException | ArrayIndexOutOfBoundsException + | CertificateParsingException e) { + // Ignore + } + return null; + } + private String toPEM(X509Certificate certificate) throws CertificateEncodingException { StringBuilder result = new StringBuilder(); result.append("-----BEGIN CERTIFICATE-----"); diff --git a/test/org/apache/catalina/valves/rewrite/TestResolverSSL.java b/test/org/apache/catalina/valves/rewrite/TestResolverSSL.java index 2930ae5..d4624a3 100644 --- a/test/org/apache/catalina/valves/rewrite/TestResolverSSL.java +++ b/test/org/apache/catalina/valves/rewrite/TestResolverSSL.java @@ -68,11 +68,13 @@ public class TestResolverSSL extends TomcatBaseTest { "SSL_CLIENT_S_DN_CN", // CN component "SSL_CLIENT_S_DN_O", // O component "SSL_CLIENT_S_DN_C", // C component - "SSL_CLIENT_SAN_Email_n", // FXIME: n - "SSL_CLIENT_SAN_DNS_n", // FXIME: n - "SSL_CLIENT_SAN_OTHER_msUPN_n", // FXIME: n + "SSL_CLIENT_SAN_Email_0", + "SSL_CLIENT_SAN_DNS_0", + "SSL_CLIENT_SAN_OTHER_msUPN_0", "SSL_CLIENT_I_DN", - "SSL_CLIENT_I_DN_x509", // FXIME: x509 + "SSL_CLIENT_I_DN_CN", // CN component + "SSL_CLIENT_I_DN_O", // O component + "SSL_CLIENT_I_DN_C", // C component "SSL_CLIENT_V_START", "SSL_CLIENT_V_END", "SSL_CLIENT_V_REMAIN", @@ -85,14 +87,16 @@ public class TestResolverSSL extends TomcatBaseTest { "SSL_SERVER_M_VERSION", "SSL_SERVER_M_SERIAL", "SSL_SERVER_S_DN", - "SSL_SERVER_SAN_Email_n", // FXIME: n - "SSL_SERVER_SAN_DNS_n", // FXIME: n - "SSL_SERVER_SAN_OTHER_dnsSRV_n", // FXIME: n + "SSL_SERVER_SAN_Email_0", + "SSL_SERVER_SAN_DNS_0", + "SSL_SERVER_SAN_OTHER_dnsSRV_0", "SSL_SERVER_S_DN_CN", // CN component "SSL_SERVER_S_DN_O", // O component "SSL_SERVER_S_DN_C", // C component "SSL_SERVER_I_DN", - "SSL_SERVER_I_DN_x509", // FXIME: x509 + "SSL_SERVER_I_DN_CN", // CN component + "SSL_SERVER_I_DN_O", // O component + "SSL_SERVER_I_DN_C", // C component "SSL_SERVER_V_START", "SSL_SERVER_V_END", "SSL_SERVER_A_SIG", --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org