Author: markt
Date: Fri Jun 19 19:11:11 2015
New Revision: 1686483
URL: http://svn.apache.org/r1686483
Log:
Some more plumbing to support multiple certificates per virtual host
Added:
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
(with props)
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1686483&r1=1686482&r2=1686483&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Fri
Jun 19 19:11:11 2015
@@ -74,17 +74,19 @@ public abstract class AbstractJsseEndpoi
sslImplementation =
SSLImplementation.getInstance(getSslImplementationName());
for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
- SSLUtil sslUtil = sslImplementation.getSSLUtil(sslHostConfig);
+ for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
+ SSLUtil sslUtil =
sslImplementation.getSSLUtil(sslHostConfig, certificate);
- SSLContext sslContext = sslUtil.createSSLContext();
- sslContext.init(sslUtil.getKeyManagers(),
sslUtil.getTrustManagers(), null);
+ SSLContext sslContext = sslUtil.createSSLContext();
+ sslContext.init(sslUtil.getKeyManagers(),
sslUtil.getTrustManagers(), null);
- SSLSessionContext sessionContext =
sslContext.getServerSessionContext();
- if (sessionContext != null) {
- sslUtil.configureSessionContext(sessionContext);
+ SSLSessionContext sessionContext =
sslContext.getServerSessionContext();
+ if (sessionContext != null) {
+ sslUtil.configureSessionContext(sessionContext);
+ }
+ SSLContextWrapper sslContextWrapper = new
SSLContextWrapper(sslContext, sslUtil);
+ sslHostConfig.setSslContext(sslContextWrapper);
}
- SSLContextWrapper sslContextWrapper = new
SSLContextWrapper(sslContext, sslUtil);
- sslHostConfig.setSslContext(sslContextWrapper);
}
}
}
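Review bot: `sslHostConfig.setSslContext(sslContextWrapper)` now sits inside the per-certificate loop, so when `getCertificates(true)` returns more than one entry each iteration replaces the wrapper stored by the previous one and only the last certificate iterated is ever served; since `certificates` is a `HashSet`, which one that is depends on iteration order rather than configuration. The same pattern appears in the AprEndpoint hunk, where `sslHostConfig.setSslContext(Long.valueOf(ctx))` overwrites a native handle the same way. If this is intentional scaffolding pending a per-certificate context store on `SSLHostConfig`, a `// TODO: one context per certificate; last one currently wins` on the `setSslContext` line would stop the next reader from taking the loop as working multi-certificate support. The enclosing method starts before this hunk.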
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1686483&r1=1686482&r2=1686483&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri Jun 19
19:11:11 2015
@@ -368,179 +368,181 @@ public class AprEndpoint extends Abstrac
if (isSSLEnabled()) {
for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
- if
(SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateFile()) == null) {
- // This is required
- throw new
Exception(sm.getString("endpoint.apr.noSslCertFile"));
- }
-
- // SSL protocol
- int value = SSL.SSL_PROTOCOL_NONE;
- if (sslHostConfig.getProtocols().size() == 0) {
- // Native fallback used if protocols=""
- value = SSL.SSL_PROTOCOL_ALL;
- } else {
- for (String protocol : sslHostConfig.getProtocols()) {
- if
(Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol)) {
- // NO-OP. OpenSSL always supports SSLv2Hello
- } else if
(Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_SSLV2;
- } else if
(Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_SSLV3;
- } else if
(Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_TLSV1;
- } else if
(Constants.SSL_PROTO_TLSv1_1.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_TLSV1_1;
- } else if
(Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_TLSV1_2;
- } else {
- // Protocol not recognized, fail to start as it is
safer than
- // continuing with the default which might enable
more than the
- // is required
- throw new Exception(sm.getString(
- "endpoint.apr.invalidSslProtocol",
protocol));
+ for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
+ if
(SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateFile()) == null) {
+ // This is required
+ throw new
Exception(sm.getString("endpoint.apr.noSslCertFile"));
+ }
+
+ // SSL protocol
+ int value = SSL.SSL_PROTOCOL_NONE;
+ if (sslHostConfig.getProtocols().size() == 0) {
+ // Native fallback used if protocols=""
+ value = SSL.SSL_PROTOCOL_ALL;
+ } else {
+ for (String protocol : sslHostConfig.getProtocols()) {
+ if
(Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol)) {
+ // NO-OP. OpenSSL always supports SSLv2Hello
+ } else if
(Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV2;
+ } else if
(Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV3;
+ } else if
(Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1;
+ } else if
(Constants.SSL_PROTO_TLSv1_1.equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_1;
+ } else if
(Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_2;
+ } else {
+ // Protocol not recognized, fail to start as
it is safer than
+ // continuing with the default which might
enable more than the
+ // is required
+ throw new Exception(sm.getString(
+ "endpoint.apr.invalidSslProtocol",
protocol));
+ }
}
}
- }
- // Create SSL Context
- long ctx = 0;
- try {
- ctx = SSLContext.make(rootPool, value,
SSL.SSL_MODE_SERVER);
- } catch (Exception e) {
- // If the sslEngine is disabled on the AprLifecycleListener
- // there will be an Exception here but there is no way to
check
- // the AprLifecycleListener settings from here
- throw new Exception(
- sm.getString("endpoint.apr.failSslContextMake"),
e);
- }
-
- boolean legacyRenegSupported = false;
- try {
- legacyRenegSupported =
SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- if (legacyRenegSupported)
- if (sslHostConfig.getInsecureRenegotiation()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- } else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!legacyRenegSupported) {
- // OpenSSL does not support unsafe legacy renegotiation.
- log.warn(sm.getString("endpoint.warn.noInsecureReneg",
- SSL.versionString()));
- }
-
- // Use server's preference order for ciphers (rather than
- // client's)
- boolean orderCiphersSupported = false;
- try {
- orderCiphersSupported =
SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- if (orderCiphersSupported) {
- if (sslHostConfig.getHonorCipherOrder()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- } else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ // Create SSL Context
+ long ctx = 0;
+ try {
+ ctx = SSLContext.make(rootPool, value,
SSL.SSL_MODE_SERVER);
+ } catch (Exception e) {
+ // If the sslEngine is disabled on the
AprLifecycleListener
+ // there will be an Exception here but there is no way
to check
+ // the AprLifecycleListener settings from here
+ throw new Exception(
+
sm.getString("endpoint.apr.failSslContextMake"), e);
+ }
+
+ boolean legacyRenegSupported = false;
+ try {
+ legacyRenegSupported =
SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ if (legacyRenegSupported)
+ if (sslHostConfig.getInsecureRenegotiation()) {
+ SSLContext.setOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ }
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+ if (!legacyRenegSupported) {
+ // OpenSSL does not support unsafe legacy
renegotiation.
+ log.warn(sm.getString("endpoint.warn.noInsecureReneg",
+ SSL.versionString()));
+ }
+
+ // Use server's preference order for ciphers (rather than
+ // client's)
+ boolean orderCiphersSupported = false;
+ try {
+ orderCiphersSupported =
SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ if (orderCiphersSupported) {
+ if (sslHostConfig.getHonorCipherOrder()) {
+ SSLContext.setOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
}
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
}
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!orderCiphersSupported) {
- // OpenSSL does not support ciphers ordering.
- log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
- SSL.versionString()));
- }
-
- // Disable compression if requested
- boolean disableCompressionSupported = false;
- try {
- disableCompressionSupported =
SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
- if (disableCompressionSupported) {
- if (sslHostConfig.getDisableCompression()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_NO_COMPRESSION);
- } else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_NO_COMPRESSION);
+ if (!orderCiphersSupported) {
+ // OpenSSL does not support ciphers ordering.
+
log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
+ SSL.versionString()));
+ }
+
+ // Disable compression if requested
+ boolean disableCompressionSupported = false;
+ try {
+ disableCompressionSupported =
SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
+ if (disableCompressionSupported) {
+ if (sslHostConfig.getDisableCompression()) {
+ SSLContext.setOptions(ctx,
SSL.SSL_OP_NO_COMPRESSION);
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_NO_COMPRESSION);
+ }
}
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
}
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!disableCompressionSupported) {
- // OpenSSL does not support ciphers ordering.
- log.warn(sm.getString("endpoint.warn.noDisableCompression",
- SSL.versionString()));
- }
-
- // Disable TLS Session Tickets (RFC4507) to protect perfect
forward secrecy
- boolean disableSessionTicketsSupported = false;
- try {
- disableSessionTicketsSupported =
SSL.hasOp(SSL.SSL_OP_NO_TICKET);
- if (disableSessionTicketsSupported) {
- if (sslHostConfig.getDisableSessionTickets()) {
- SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
- } else {
- SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
+ if (!disableCompressionSupported) {
+ // OpenSSL does not support ciphers ordering.
+
log.warn(sm.getString("endpoint.warn.noDisableCompression",
+ SSL.versionString()));
+ }
+
+ // Disable TLS Session Tickets (RFC4507) to protect
perfect forward secrecy
+ boolean disableSessionTicketsSupported = false;
+ try {
+ disableSessionTicketsSupported =
SSL.hasOp(SSL.SSL_OP_NO_TICKET);
+ if (disableSessionTicketsSupported) {
+ if (sslHostConfig.getDisableSessionTickets()) {
+ SSLContext.setOptions(ctx,
SSL.SSL_OP_NO_TICKET);
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_NO_TICKET);
+ }
}
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
}
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!disableSessionTicketsSupported) {
- // OpenSSL is too old to support TLS Session Tickets.
-
log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
- SSL.versionString()));
- }
-
- // List the ciphers that the client is permitted to negotiate
- SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
- // Load Server key and certificate
- SSLContext.setCertificate(ctx,
-
SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateFile()),
-
SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateKeyFile()),
- sslHostConfig.getCertificateKeyPassword(),
SSL.SSL_AIDX_RSA);
- // Support Client Certificates
- SSLContext.setCACertificate(ctx,
-
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
-
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
- // Set revocation
- SSLContext.setCARevocation(ctx,
- SSLHostConfig.adjustRelativePath(
-
sslHostConfig.getCertificateRevocationListFile()),
- SSLHostConfig.adjustRelativePath(
-
sslHostConfig.getCertificateRevocationListPath()));
- // Client certificate verification
- switch (sslHostConfig.getCertificateVerification()) {
- case NONE:
- value = SSL.SSL_CVERIFY_NONE;
- break;
- case OPTIONAL:
- value = SSL.SSL_CVERIFY_OPTIONAL;
- break;
- case OPTIONAL_NO_CA:
- value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
- break;
- case REQUIRED:
- value = SSL.SSL_CVERIFY_REQUIRE;
- break;
- }
- SSLContext.setVerify(ctx, value,
sslHostConfig.getCertificateVerificationDepth());
- // For now, sendfile is not supported with SSL
- if (getUseSendfile()) {
- setUseSendfileInternal(false);
- if (useSendFileSet) {
-
log.warn(sm.getString("endpoint.apr.noSendfileWithSSL"));
+ if (!disableSessionTicketsSupported) {
+ // OpenSSL is too old to support TLS Session Tickets.
+
log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
+ SSL.versionString()));
+ }
+
+ // List the ciphers that the client is permitted to
negotiate
+ SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
+ // Load Server key and certificate
+ SSLContext.setCertificate(ctx,
+
SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateFile()),
+
SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateKeyFile()),
+ certificate.getCertificateKeyPassword(),
SSL.SSL_AIDX_RSA);
+ // Support Client Certificates
+ SSLContext.setCACertificate(ctx,
+
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
+
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
+ // Set revocation
+ SSLContext.setCARevocation(ctx,
+ SSLHostConfig.adjustRelativePath(
+
sslHostConfig.getCertificateRevocationListFile()),
+ SSLHostConfig.adjustRelativePath(
+
sslHostConfig.getCertificateRevocationListPath()));
+ // Client certificate verification
+ switch (sslHostConfig.getCertificateVerification()) {
+ case NONE:
+ value = SSL.SSL_CVERIFY_NONE;
+ break;
+ case OPTIONAL:
+ value = SSL.SSL_CVERIFY_OPTIONAL;
+ break;
+ case OPTIONAL_NO_CA:
+ value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
+ break;
+ case REQUIRED:
+ value = SSL.SSL_CVERIFY_REQUIRE;
+ break;
+ }
+ SSLContext.setVerify(ctx, value,
sslHostConfig.getCertificateVerificationDepth());
+ // For now, sendfile is not supported with SSL
+ if (getUseSendfile()) {
+ setUseSendfileInternal(false);
+ if (useSendFileSet) {
+
log.warn(sm.getString("endpoint.apr.noSendfileWithSSL"));
+ }
}
- }
- if (negotiableProtocols.size() > 0) {
- byte[] protocols = buildAlpnConfig(negotiableProtocols);
- if (SSLContext.setALPN(ctx, protocols, protocols.length)
!= 0) {
- log.warn(sm.getString("endpoint.alpn.fail",
negotiableProtocols));
+ if (negotiableProtocols.size() > 0) {
+ byte[] protocols =
buildAlpnConfig(negotiableProtocols);
+ if (SSLContext.setALPN(ctx, protocols,
protocols.length) != 0) {
+ log.warn(sm.getString("endpoint.alpn.fail",
negotiableProtocols));
+ }
}
+ sslHostConfig.setSslContext(Long.valueOf(ctx));
}
- sslHostConfig.setSslContext(Long.valueOf(ctx));
}
SSLHostConfig defaultSSLHostConfig =
sslHostConfigs.get(getDefaultSSLHostConfigName());
Long defaultSSLContext = (Long)
defaultSSLHostConfig.getSslContext();
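Review bot: The `SSLContext.setCertificate` call still takes the certificate and key file paths from `sslHostConfig` and only the password from `certificate`, so every iteration of the new loop loads the same key pair and differs at most in the password used to decrypt it; the OpenSSLContext hunk has the identical mix. Because the whole context build moved inside the loop, each additional certificate also calls `SSLContext.make` again and the earlier native handle is overwritten at `sslHostConfig.setSslContext(Long.valueOf(ctx))` without being freed, and the `noSslCertFile` check, the three `hasOp` warnings and the sendfile warning are repeated once per certificate. Either keep the context creation, option handling and warnings per host and move only the `setCertificate` call into the certificate loop, or leave a `// TODO` at the `make` call stating that one context per certificate is not yet supported. The pre-existing comment `// OpenSSL does not support ciphers ordering.` above the `noDisableCompression` warning is a copy-paste leftover and should read `// OpenSSL does not support disabling compression.`. The enclosing method starts before and ends after this hunk.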
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1686483&r1=1686482&r2=1686483&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Fri Jun 19
19:11:11 2015
@@ -63,8 +63,11 @@ public class SSLHostConfig {
// Configuration properties
+ // Nested
+ private SSLHostConfigCertificate defaultCertificate = null;
+ private Set<SSLHostConfigCertificate> certificates = new HashSet<>(4);
+
// Common
- private String certificateKeyPassword = null;
private String certificateRevocationListFile;
private CertificateVerification certificateVerification =
CertificateVerification.NONE;
private int certificateVerificationDepth = 10;
@@ -146,15 +149,56 @@ public class SSLHostConfig {
}
- // ----------------------------------------- Common configuration
properties
+ // ------------------------------------------- Nested configuration
elements
- public void setCertificateKeyPassword(String certificateKeyPassword) {
- this.certificateKeyPassword = certificateKeyPassword;
+ private void registerDefaultCertificate() {
+ if (defaultCertificate == null) {
+ defaultCertificate =
+ new
SSLHostConfigCertificate(SSLHostConfigCertificate.Type.UNDEFINED);
+ certificates.add(defaultCertificate);
+ }
+ }
+
+
+ public void addCertificate(SSLHostConfigCertificate certificate) {
+ // Need to make sure that if there is more than one certificate, none
of
+ // them have a type of undefined.
+ if (certificates.size() == 0) {
+ certificates.add(certificate);
+ return;
+ }
+
+ if (certificates.size() == 1 &&
+ certificates.iterator().next().getType() ==
SSLHostConfigCertificate.Type.UNDEFINED ||
+ certificate.getType() ==
SSLHostConfigCertificate.Type.UNDEFINED) {
+ // Invalid config
+ }
+
+ certificates.add(certificate);
}
- public String getCertificateKeyPassword() {
- return certificateKeyPassword;
+ public Set<SSLHostConfigCertificate> getCertificates() {
+ return getCertificates(false);
+ }
+
+
+ public Set<SSLHostConfigCertificate> getCertificates(boolean
createDefaultIfEmpty) {
+ if (certificates.size() == 0 && createDefaultIfEmpty) {
+ registerDefaultCertificate();
+ }
+ return certificates;
+ }
+
+
+ // ----------------------------------------- Common configuration
properties
+
+ // TODO: All of these SSL setters can be removed once it is no longer
+ // necessary to support the old configuration attributes (Tomcat 10?).
+
+ public void setCertificateKeyPassword(String certificateKeyPassword) {
+ registerDefaultCertificate();
+ defaultCertificate.setCertificateKeyPassword(certificateKeyPassword);
}
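Review bot: The `// Invalid config` branch in `addCertificate` is empty, so the condition it guards is evaluated and then ignored and the certificate is added anyway; the comment above it says the intent is to reject a second certificate when either it or the existing one has type `UNDEFINED`, which needs an actual rejection such as `throw new IllegalArgumentException("A host with more than one certificate must give every certificate an explicit type");`. The condition itself mixes `&&` and `||` without parentheses; wrapping the first two operands as `(certificates.size() == 1 && certificates.iterator().next().getType() == SSLHostConfigCertificate.Type.UNDEFINED) || ...` makes the intended precedence explicit. Separately, the `certificates.size() == 0` branch adds the certificate without recording it as `defaultCertificate`, so a later legacy setter such as `setCertificateKeyPassword` will call `registerDefaultCertificate()` and add a second, `UNDEFINED` certificate next to the explicit one; `registerDefaultCertificate` should probably also consult `certificates.isEmpty()` before creating one.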
Added:
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java?rev=1686483&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
(added)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
Fri Jun 19 19:11:11 2015
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net;
+
+
+public class SSLHostConfigCertificate {
+
+ public static final Type DEFAULT_TYPE = Type.UNDEFINED;
+
+ // Common
+ private final Type type;
+ private String certificateKeyPassword = null;
+
+
+ public SSLHostConfigCertificate(Type type) {
+ this.type = type;
+ }
+
+
+ public Type getType() {
+ return type;
+ }
+
+
+ public String getCertificateKeyPassword() {
+ return certificateKeyPassword;
+ }
+
+
+ public void setCertificateKeyPassword(String certificateKeyPassword) {
+ this.certificateKeyPassword = certificateKeyPassword;
+ }
+
+
+ public static enum Type {
+ UNDEFINED,
+ RSA,
+ DSA,
+ EC,
+ DH
+ }
+}
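Review bot: The new public class and its `Type` enum carry no Javadoc, and nothing in the file says what `UNDEFINED` means or how `DEFAULT_TYPE` is meant to be used; a class comment such as `/** One certificate/key pair belonging to an {@link SSLHostConfig}. {@code Type.UNDEFINED} appears to be reserved for the single certificate populated from the legacy per-host attributes. */` would cover it (the legacy-attribute reading is inferred from `registerDefaultCertificate` in SSLHostConfig and should be confirmed). `DEFAULT_TYPE` is unused in this commit while `registerDefaultCertificate` hard-codes `Type.UNDEFINED`; one of the two should reference the other. The `static` modifier on the nested `enum Type` is implicit and can be dropped.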
Propchange:
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java?rev=1686483&r1=1686482&r2=1686483&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java Fri Jun
19 19:11:11 2015
@@ -71,5 +71,6 @@ public abstract class SSLImplementation
public abstract SSLSupport getSSLSupport(SSLSession session);
- public abstract SSLUtil getSSLUtil(SSLHostConfig sslHostConfig);
+ public abstract SSLUtil getSSLUtil(SSLHostConfig sslHostConfig,
+ SSLHostConfigCertificate certificate);
}
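Review bot: The abstract `getSSLUtil` gains a second parameter without any Javadoc stating how it relates to the first, and every implementation in this commit stores both without checking that `certificate` belongs to `sslHostConfig`. A short contract on the abstract method, `@param certificate one of the certificates of {@code sslHostConfig} that the returned SSLUtil must load`, would pin that down for the JSSE, OpenSSL and test implementations.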
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java?rev=1686483&r1=1686482&r2=1686483&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
Fri Jun 19 19:11:11 2015
@@ -19,6 +19,7 @@ package org.apache.tomcat.util.net.jsse;
import javax.net.ssl.SSLSession;
import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SSLSupport;
import org.apache.tomcat.util.net.SSLUtil;
@@ -50,7 +51,7 @@ public class JSSEImplementation extends
}
@Override
- public SSLUtil getSSLUtil(SSLHostConfig sslHostConfig) {
- return new JSSESocketFactory(sslHostConfig);
+ public SSLUtil getSSLUtil(SSLHostConfig sslHostConfig,
SSLHostConfigCertificate certificate) {
+ return new JSSESocketFactory(sslHostConfig, certificate);
}
}
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1686483&r1=1686482&r2=1686483&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Fri Jun 19 19:11:11 2015
@@ -56,6 +56,7 @@ import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.net.SSLContext;
import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLUtil;
import
org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.res.StringManager;
@@ -78,12 +79,14 @@ public class JSSESocketFactory implement
private static final StringManager sm =
StringManager.getManager(JSSESocketFactory.class);
private final SSLHostConfig sslHostConfig;
+ private final SSLHostConfigCertificate certificate;
private final String[] defaultServerProtocols;
- public JSSESocketFactory (SSLHostConfig sslHostConfig) {
+ public JSSESocketFactory (SSLHostConfig sslHostConfig,
SSLHostConfigCertificate certificate) {
this.sslHostConfig = sslHostConfig;
+ this.certificate = certificate;
SSLContext context;
try {
@@ -266,7 +269,7 @@ public class JSSESocketFactory implement
String keystorePass = sslHostConfig.getCertificateKeystorePassword();
String keyAlias = sslHostConfig.getCertificateKeyAlias();
String algorithm = sslHostConfig.getKeyManagerAlgorithm();
- String keyPass = sslHostConfig.getCertificateKeyPassword();
+ String keyPass = certificate.getCertificateKeyPassword();
// This has to be here as it can't be moved to SSLHostConfig since the
// defaults vary between JSSE and OpenSSL.
if (keyPass == null) {
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1686483&r1=1686482&r2=1686483&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Fri Jun 19 19:11:11 2015
@@ -55,6 +55,7 @@ import org.apache.tomcat.jni.SSLContext;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import
org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.res.StringManager;
@@ -69,6 +70,7 @@ public class OpenSSLContext implements o
private static final String defaultProtocol = "TLS";
private final SSLHostConfig sslHostConfig;
+ private final SSLHostConfigCertificate certificate;
private OpenSSLServerSessionContext sessionContext;
private List<String> ciphers = new ArrayList<>();
@@ -105,8 +107,10 @@ public class OpenSSLContext implements o
}
}
- public OpenSSLContext(SSLHostConfig sslHostConfig) throws SSLException {
+ public OpenSSLContext(SSLHostConfig sslHostConfig,
SSLHostConfigCertificate certificate)
+ throws SSLException {
this.sslHostConfig = sslHostConfig;
+ this.certificate = certificate;
aprPool = Pool.create(0);
boolean success = false;
try {
@@ -305,7 +309,7 @@ public class OpenSSLContext implements o
SSLContext.setCertificate(ctx,
SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateFile()),
SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateKeyFile()),
- sslHostConfig.getCertificateKeyPassword(),
SSL.SSL_AIDX_RSA);
+ certificate.getCertificateKeyPassword(), SSL.SSL_AIDX_RSA);
// Support Client Certificates
SSLContext.setCACertificate(ctx,
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java?rev=1686483&r1=1686482&r2=1686483&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java
Fri Jun 19 19:11:11 2015
@@ -19,6 +19,7 @@ package org.apache.tomcat.util.net.opens
import javax.net.ssl.SSLSession;
import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SSLSupport;
import org.apache.tomcat.util.net.SSLUtil;
@@ -39,8 +40,8 @@ public class OpenSSLImplementation exten
}
@Override
- public SSLUtil getSSLUtil(SSLHostConfig sslHostConfig) {
- return new OpenSSLUtil(sslHostConfig);
+ public SSLUtil getSSLUtil(SSLHostConfig sslHostConfig,
SSLHostConfigCertificate certificate) {
+ return new OpenSSLUtil(sslHostConfig, certificate);
}
}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java?rev=1686483&r1=1686482&r2=1686483&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java Fri
Jun 19 19:11:11 2015
@@ -24,22 +24,25 @@ import javax.net.ssl.TrustManager;
import org.apache.tomcat.util.net.SSLContext;
import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLUtil;
public class OpenSSLUtil implements SSLUtil {
private final SSLHostConfig sslHostConfig;
+ private final SSLHostConfigCertificate certificate;
private String[] enabledProtocols = null;
private String[] enabledCiphers = null;
- public OpenSSLUtil(SSLHostConfig sslHostConfig) {
+ public OpenSSLUtil(SSLHostConfig sslHostConfig, SSLHostConfigCertificate
certificate) {
this.sslHostConfig = sslHostConfig;
+ this.certificate = certificate;
}
@Override
public SSLContext createSSLContext() throws Exception {
- return new OpenSSLContext(sslHostConfig);
+ return new OpenSSLContext(sslHostConfig, certificate);
}
@Override
Modified:
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java?rev=1686483&r1=1686482&r2=1686483&view=diff
==============================================================================
---
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
(original)
+++
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
Fri Jun 19 19:11:11 2015
@@ -17,6 +17,7 @@
package org.apache.tomcat.util.net.jsse;
import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLUtil;
public class TesterBug50640SslImpl extends JSSEImplementation {
@@ -26,11 +27,11 @@ public class TesterBug50640SslImpl exten
@Override
- public SSLUtil getSSLUtil(SSLHostConfig sslHostConfig) {
+ public SSLUtil getSSLUtil(SSLHostConfig sslHostConfig,
SSLHostConfigCertificate certificate) {
if (sslHostConfig.getProtocols().size() == 1 &&
sslHostConfig.getProtocols().contains(PROPERTY_VALUE)) {
sslHostConfig.setProtocols("TLSv1,TLSv1.1,TLSv1.2");
- return super.getSSLUtil(sslHostConfig);
+ return super.getSSLUtil(sslHostConfig, certificate);
} else {
return null;
}