Re: Client certificate using tomcat native

2008-06-30 Thread jean-frederic clere

Brian Hawkins wrote:

> I've finally been able to get the client certificate while using tomcat
> native for my SSL connections.  This is using Tomcat 5.5.25.


Could you open a bugzilla on this one...

Cheers

Jean-Frederic



> Here is what doesn't work:
> Calling request.getAttribute("javax.servlet.request.X509Certificate") is
> supposed to return the client certificate chain.  This attribute is
> populated by a call, down in the depths of the native code, to
> SSL_get_peer_cert_chain().  The openssl documentation for
> SSL_get_peer_cert_chain (
> http://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html) says:
>
> SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
> forming the certificate chain of the peer. If called on the client side, the
> stack also contains the peer's certificate; if called on the server side,
> the peer's certificate must be obtained separately using
> SSL_get_peer_certificate(3).
> If the peer did not present a certificate, NULL is returned.
>
> So according to that it only returns the CA chain and not the actual client
> cert.  I'm not sure what the client chain is worth without the client cert.
>
> The fix to this problem can be made in Http11AprProcessor in the action()
> method under the ACTION_REQ_SSL_ATTRIBUTE if block by adding the following
> code:
>
> // Client certificate (the leaf), fetched separately from the chain.
> // Needs java.io.ByteArrayInputStream and java.security.cert.CertificateFactory
> // imported in Http11AprProcessor; getInfoB() and generateCertificate() throw
> // checked exceptions, so this must sit inside a try block.
> byte[] certdata = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT);
> if (certdata != null) {
>     CertificateFactory cf = CertificateFactory.getInstance("X.509");
>     ByteArrayInputStream stream = new ByteArrayInputStream(certdata);
>     request.setAttribute("ClientCert", cf.generateCertificate(stream));
> }
>
> Personally I think the attribute name should be
> "javax.servlet.request.X509Certificate" but I'll let the list decide that
> one.
>
> Brian







Client certificate using tomcat native

2008-06-27 Thread Brian Hawkins
I've finally been able to get the client certificate while using tomcat
native for my SSL connections.  This is using Tomcat 5.5.25.

Here is what doesn't work:
Calling request.getAttribute("javax.servlet.request.X509Certificate") is
supposed to return the client certificate chain.  This attribute is
populated by a call, down in the depths of the native code, to
SSL_get_peer_cert_chain().  The openssl documentation for
SSL_get_peer_cert_chain (
http://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html) says:

SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
forming the certificate chain of the peer. If called on the client side, the
stack also contains the peer's certificate; if called on the server side,
the peer's certificate must be obtained separately using
SSL_get_peer_certificate(3).
If the peer did not present a certificate, NULL is returned.

So according to that it only returns the CA chain and not the actual client
cert.  I'm not sure what the client chain is worth without the client cert.

The fix to this problem can be made in Http11AprProcessor in the action()
method under the ACTION_REQ_SSL_ATTRIBUTE if block by adding the following
code:

// Client certificate (the leaf), fetched separately from the chain.
// Needs java.io.ByteArrayInputStream and java.security.cert.CertificateFactory
// imported in Http11AprProcessor; getInfoB() and generateCertificate() throw
// checked exceptions, so this must sit inside a try block.
byte[] certdata = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT);
if (certdata != null) {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    ByteArrayInputStream stream = new ByteArrayInputStream(certdata);
    request.setAttribute("ClientCert", cf.generateCertificate(stream));
}

Personally I think the attribute name should be
"javax.servlet.request.X509Certificate" but I'll let the list decide that
one.

Brian
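
An added example, not code from this thread or from Tomcat, showing the consuming side of the problem described above: a servlet that reassembles a complete, leaf-first chain from the two request attributes a connector patched as proposed would expose. It assumes the leaf is published under the attribute name "ClientCert" from the patch (an assumption; the list may choose another name), and that "javax.servlet.request.X509Certificate" may either start with the leaf (JSSE connector) or contain only the CA chain (unpatched APR connector). The attribute names, class name and the sanity checks are the example's own, not Tomcat's.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Reassembles a complete, leaf-first client certificate chain from the two
 * request attributes a patched APR connector would expose. Added example; not
 * code from the thread or from Tomcat.
 */
public class ClientCertServlet extends HttpServlet {

    /** Servlet-spec attribute; on the APR connector it may hold only the CA chain. */
    static final String CHAIN_ATTR = "javax.servlet.request.X509Certificate";
    /** Attribute name used by the patch in this thread (assumed here). */
    static final String LEAF_ATTR = "ClientCert";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain;
        try {
            chain = fullChain(req);
        } catch (IllegalStateException e) {
            // Connector handed us an unusable chain: a server-side problem, not the client's.
            log("client certificate chain rejected: " + e.getMessage());
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        if (chain == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("client: " + chain[0].getSubjectX500Principal().getName());
        resp.getWriter().println("chain length: " + chain.length);
    }

    /** Leaf-first chain, or null when the peer presented no certificate. */
    static X509Certificate[] fullChain(HttpServletRequest req) {
        Object leaf = req.getAttribute(LEAF_ATTR);
        Object chain = req.getAttribute(CHAIN_ATTR);
        return assemble(leaf instanceof X509Certificate ? (X509Certificate) leaf : null,
                        chain instanceof X509Certificate[] ? (X509Certificate[]) chain : null);
    }

    static X509Certificate[] assemble(X509Certificate leaf, X509Certificate[] chain) {
        List<X509Certificate> out = new ArrayList<X509Certificate>();
        if (leaf != null) {
            out.add(leaf);
        }
        if (chain != null) {
            for (X509Certificate c : chain) {
                // JSSE already puts the leaf at index 0; do not add it twice.
                if (leaf != null && leaf.equals(c)) {
                    continue;
                }
                out.add(c);
            }
        }
        if (out.isEmpty()) {
            return null;
        }
        X509Certificate[] result = out.toArray(new X509Certificate[out.size()]);
        checkOrdering(result);
        return result;
    }

    /**
     * Guards against the failure mode in this thread: if index 0 is a CA
     * certificate, the leaf is missing; and every certificate must be issued
     * by the one after it.
     */
    static void checkOrdering(X509Certificate[] chain) {
        if (chain[0].getBasicConstraints() != -1) {
            throw new IllegalStateException("chain[0] is a CA certificate; client certificate missing");
        }
        for (int i = 0; i + 1 < chain.length; i++) {
            if (!chain[i].getIssuerX500Principal().equals(chain[i + 1].getSubjectX500Principal())) {
                throw new IllegalStateException("certificate " + i + " is not issued by certificate " + (i + 1));
            }
        }
    }
}
```

The ordering check is a sanity check, not path validation: the connector already verified the client certificate against its trust store during the handshake, so the servlet only needs to make sure the array it was given actually begins with the end-entity certificate before using chain[0] as the client's identity. The basicConstraints test will reject a self-signed client certificate that carries CA:TRUE; drop that line if such certificates are expected.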