Author: mturk Date: Mon Mar 19 00:08:28 2007 New Revision: 519858 URL: http://svn.apache.org/viewvc?view=rev&rev=519858 Log: Add ForwardSSLCertChain JkOption.
Modified:
tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java
tomcat/connectors/trunk/jk/java/org/apache/jk/core/MsgContext.java
tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c
tomcat/connectors/trunk/jk/native/common/jk_global.h
tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
tomcat/connectors/trunk/jk/xdocs/reference/apache.xml

Modified: tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java (original)
+++ tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java Mon Mar 19 00:08:28 2007
@@ -128,6 +128,14 @@
         mc.getSource().flush(outputMsg, mc);
     }
+    public void flushMessage() throws IOException {
+        outputMsg.reset();
+        outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_BODY_CHUNK);
+        outputMsg.appendInt(0);
+        outputMsg.appendByte(0);
+        mc.getSource().send(outputMsg, mc);
+        mc.getSource().flush(outputMsg, mc);
+    }
     // -------------------- OutputBuffer implementation --------------------

Modified: tomcat/connectors/trunk/jk/java/org/apache/jk/core/MsgContext.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/java/org/apache/jk/core/MsgContext.java?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/java/org/apache/jk/core/MsgContext.java (original)
+++ tomcat/connectors/trunk/jk/java/org/apache/jk/core/MsgContext.java Mon Mar 19 00:08:28 2007
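Review bot: `flushMessage()` has no Javadoc, and neither the hunk nor the commit log (which only mentions ForwardSSLCertChain) says why a SEND_BODY_CHUNK with a zero length is written before the flush. A method comment along the lines of `/** Sends an empty SEND_BODY_CHUNK and flushes, so that the web-server side receives a packet it can act on. */` would cover it — presumably that is the intent, but it should be confirmed against the mod_jk side. The method reuses the shared `outputMsg` and the same `send`/`flush` sequence as the code just above it, so the same single-caller/thread assumptions that hold for that block must hold here too. The enclosing class continues outside the hunk.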
@@ -278,6 +278,7 @@
             if( log.isDebugEnabled() ) log.debug("CLIENT_FLUSH " );
             try {
                 source.flush( null, this );
+                jkIS.flushMessage();
             } catch(IOException iex) {
                 // This is logged elsewhere, so debug only here
                 log.debug("Error during flush",iex);

Modified: tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c Mon Mar 19 00:08:28 2007
@@ -68,6 +68,7 @@
 #define JK_ENV_CIPHER ("SSL_CIPHER")
 #define JK_ENV_SESSION ("SSL_SESSION_ID")
 #define JK_ENV_KEY_SIZE ("SSL_CIPHER_USEKEYSIZE")
+#define JK_ENV_CERTCHAIN_PREFIX ("SSL_CLIENT_CERT_CHAIN_")
 #define JK_ENV_WORKER_NAME ("JK_WORKER_NAME")
 #define JK_NOTE_WORKER_NAME ("JK_WORKER_NAME")
 #define JK_NOTE_WORKER_TYPE ("JK_WORKER_TYPE")
@@ -167,6 +168,7 @@
     char *cipher_indicator;
     char *session_indicator;
     char *key_size_indicator;
+    char *certchain_prefix; /* Client certificate chain prefix */
     /*
      * Jk Options
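Review bot: `jkIS.flushMessage()` is added directly after `source.flush( null, this )`, and `flushMessage()` itself ends with `mc.getSource().flush(outputMsg, mc)`, so every CLIENT_FLUSH now flushes the source twice; if the empty body chunk is what actually makes the flush effective, the first `source.flush( null, this )` looks redundant and could be dropped. Nothing in the hunk shows whether `jkIS` is guaranteed to be set at this point; a one-line comment stating that invariant (or a null check if it does not hold) would help. The enclosing method starts and ends outside the hunk.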
@@ -648,8 +650,34 @@
             s->ssl_cert = (char *)ap_table_get(r->subprocess_env, conf->certs_indicator);
+
+            if (conf->options & JK_OPT_FWDCERTCHAIN) {
+                array_header *t = ap_table_elts(r->subprocess_env);
+                if (t && t->nelts) {
+                    int i;
+                    table_entry *elts = (table_entry *) t->elts;
+                    array_header *certs = ap_make_array(r->pool, 1,
+                                                        sizeof(char *));
+                    *(const char **)ap_push_array(certs) = s->ssl_cert;
+                    for (i = 0; i < t->nelts; i++) {
+                        if (!elts[i].key)
+                            continue;
+                        if (!strncasecmp(elts[i].key,
+                                         conf->certchain_prefix,
+                                         strlen(conf->certchain_prefix)))
+                            *(const char **)ap_push_array(certs) = elts[i].val;
+                    }
+                    s->ssl_cert = ap_array_pstrcat(r->pool, certs, '\0');
+                }
+            }
+
             if (s->ssl_cert) {
                 s->ssl_cert_len = strlen(s->ssl_cert);
+                if (JK_IS_DEBUG_LEVEL(conf->log)) {
+                    jk_log(conf->log, JK_LOG_DEBUG,
+                           "SSL client certificate (%d bytes):\n%s",
+                           s->ssl_cert_len, s->ssl_cert);
+                }
             }
             /* Servlet 2.3 API */
             s->ssl_cipher =
@@ -1586,6 +1614,25 @@
 }
 /*
+ * JkCERTCHAINPrefix Directive Handling
+ *
+ * JkCERTCHAINPrefix SSL_CLIENT_CERT_CHAIN_
+ */
+
+static const char *jk_set_certchain_prefix(cmd_parms * cmd,
+                                           void *dummy, const char *prefix)
+{
+    server_rec *s = cmd->server;
+    jk_server_conf_t *conf =
+        (jk_server_conf_t *) ap_get_module_config(s->module_config,
+                                                  &jk_module);
+
+    conf->certchain_prefix = ap_pstrdup(cmd->pool, prefix);
+
+    return NULL;
+}
+
+/*
  * JkSESSIONIndicator Directive Handling
  *
  * JkSESSIONIndicator SSL_SESSION_ID
@@ -1631,6 +1678,8 @@
  * ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
  * ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
  * ForwardDirectories => Forward all directory requests with no index files to Tomcat
+ * +ForwardSSLCertChain => Forward SSL certificate chain
+ * -ForwardSSLCertChain => Don't forward SSL certificate chain
  */
 const char *jk_set_options(cmd_parms * cmd, void *dummy, const char *line)
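Review bot: The chain is joined with `ap_array_pstrcat(r->pool, certs, '\0')`, i.e. with no separator at all, so the receiving side has to split the PEM blocks on their BEGIN/END markers and parsability depends on each mod_ssl value ending in a newline; that assumption deserves a comment such as `/* PEM blocks are concatenated back to back; the AJP side splits on the PEM markers */`. `s->ssl_cert` is pushed into `certs` before the `if (s->ssl_cert)` check, so with the option on and no client certificate the array holds one NULL entry and, if `ap_array_pstrcat` skips NULL elements as I recall it does, `s->ssl_cert` becomes `""` instead of NULL — guarding the block with `if (s->ssl_cert && (conf->options & JK_OPT_FWDCERTCHAIN))` keeps the old behaviour for that case. The loop collects every `subprocess_env` key starting with `conf->certchain_prefix` in table order with no sorting by the numeric suffix, so chain order relies on mod_ssl's insertion order (presumably fine, but unstated), and `strlen(conf->certchain_prefix)` can be hoisted above the `for`. In the new debug log, `%d` should match the declared type of `s->ssl_cert_len` (`%u` if it is unsigned), and note that a full chain is several KB of log output per request at debug level. The same points apply to the apache-2.0 hunk at @@ -677.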
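Review bot: `jk_set_certchain_prefix` stores whatever string the directive carries, including an empty one, and the consumer matches with `strncasecmp(elts[i].key, conf->certchain_prefix, strlen(conf->certchain_prefix))`, which with a zero-length prefix matches every `subprocess_env` entry — `JkCERTCHAINPrefix ""` would then concatenate every environment value into `s->ssl_cert` and forward it as the client certificate. Validate in the handler: `if (!prefix || !*prefix) return "JkCERTCHAINPrefix: prefix must not be empty";` before the `ap_pstrdup`. The same check is missing from the apache-2.0 handler at @@ -1614.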
@@ -1689,6 +1738,9 @@
     else if (!strcasecmp(w, "DisableReuse")) {
         opt = JK_OPT_DISABLEREUSE;
     }
+    else if (!strcasecmp(w, "ForwardCertChain")) {
+        opt = JK_OPT_FWDCERTCHAIN;
+    }
     else return ap_pstrcat(cmd->pool, "JkOptions: Illegal option '", w, "'", NULL);
@@ -1874,6 +1926,8 @@
     "Name of the Apache environment that contains SSL client certificates"},
     {"JkCIPHERIndicator", jk_set_cipher_indicator, NULL, RSRC_CONF, TAKE1,
     "Name of the Apache environment that contains SSL client cipher"},
+    {"JkCERTCHAINPrefix", jk_set_certchain_prefix, NULL, RSRC_CONF, TAKE1,
+    "Name of the Apache environment (prefix) that contains SSL client chain certificates"},
     {"JkSESSIONIndicator", jk_set_session_indicator, NULL, RSRC_CONF, TAKE1,
     "Name of the Apache environment that contains SSL session"},
     {"JkKEYSIZEIndicator", jk_set_key_size_indicator, NULL, RSRC_CONF, TAKE1,
@@ -1889,6 +1943,8 @@
  * ForwardURICompat => Forward URI normally, less spec compliant but mod_rewrite compatible (old TC)
  * ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
  * ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
+ * +ForwardSSLCertChain => Forward SSL certificate chain
+ * -ForwardSSLCertChain => Don't forward SSL certificate chain
  */
     {"JkOptions", jk_set_options, NULL, RSRC_CONF, RAW_ARGS,
     "Set one of more options to configure the mod_jk module"},
@@ -2156,6 +2212,7 @@
     c->https_indicator = NULL;
     c->certs_indicator = NULL;
     c->cipher_indicator = NULL;
+    c->certchain_prefix = NULL;
     c->session_indicator = NULL;
     c->key_size_indicator = NULL;
     c->strip_session = JK_UNSET;
@@ -2176,6 +2233,7 @@
     c->https_indicator = JK_ENV_HTTPS;
     c->certs_indicator = JK_ENV_CERTS;
     c->cipher_indicator = JK_ENV_CIPHER;
+    c->certchain_prefix = JK_ENV_CERTCHAIN_PREFIX;
     c->session_indicator = JK_ENV_SESSION;
     c->key_size_indicator = JK_ENV_KEY_SIZE;
     c->strip_session = JK_FALSE;
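Review bot: The parser accepts `ForwardCertChain`, but every other place this commit touches — the option comments in this file (@@ -1631 and @@ -1889), the apache-2.0 comments, the apache.xml reference, the changelog and the commit log itself — names the option `ForwardSSLCertChain`, so the documented `JkOptions +ForwardSSLCertChain` is rejected with "JkOptions: Illegal option". Either change the string here to `else if (!strcasecmp(w, "ForwardSSLCertChain")) {` (and likewise in the apache-2.0 parser at @@ -1722), or fix the documentation; accepting both spellings would also be harmless. The enclosing function jk_set_options starts outside the hunk.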
@@ -2245,6 +2303,8 @@
         overrides->certs_indicator = base->certs_indicator;
     if (!overrides->cipher_indicator)
         overrides->cipher_indicator = base->cipher_indicator;
+    if (!overrides->certchain_prefix)
+        overrides->certchain_prefix = base->certchain_prefix;
     if (!overrides->session_indicator)
         overrides->session_indicator = base->session_indicator;
     if (!overrides->key_size_indicator)

Modified: tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-2.0/mod_jk.c Mon Mar 19 00:08:28 2007
@@ -116,6 +116,7 @@
 #define JK_ENV_CIPHER ("SSL_CIPHER")
 #define JK_ENV_SESSION ("SSL_SESSION_ID")
 #define JK_ENV_KEY_SIZE ("SSL_CIPHER_USEKEYSIZE")
+#define JK_ENV_CERTCHAIN_PREFIX ("SSL_CLIENT_CERT_CHAIN_")
 #define JK_ENV_WORKER_NAME ("JK_WORKER_NAME")
 #define JK_NOTE_WORKER_NAME ("JK_WORKER_NAME")
 #define JK_NOTE_WORKER_TYPE ("JK_WORKER_TYPE")
@@ -204,6 +205,7 @@
     char *cipher_indicator;
     char *session_indicator; /* Servlet API 2.3 requirement */
     char *key_size_indicator; /* Servlet API 2.3 requirement */
+    char *certchain_prefix; /* Client certificate chain prefix */
     /*
      * Jk Options
@@ -677,8 +679,32 @@
             s->ssl_cert = (char *)apr_table_get(r->subprocess_env, conf->certs_indicator);
+
+            if (conf->options & JK_OPT_FWDCERTCHAIN) {
+                const apr_array_header_t *t = apr_table_elts(r->subprocess_env);
+                if (t && t->nelts) {
+                    int i;
+                    const apr_table_entry_t *elts = (const apr_table_entry_t *) t->elts;
+                    apr_array_header_t *certs = apr_array_make(r->pool, 1, sizeof(char *));
+                    *(const char **)apr_array_push(certs) = s->ssl_cert;
+                    for (i = 0; i < t->nelts; i++) {
+                        if (!elts[i].key)
+                            continue;
+                        if (!strncasecmp(elts[i].key, conf->certchain_prefix,
+                                         strlen(conf->certchain_prefix)))
+                            *(const char **)apr_array_push(certs) = elts[i].val;
+                    }
+                    s->ssl_cert = apr_array_pstrcat(r->pool, certs, '\0');
+                }
+            }
+
             if (s->ssl_cert) {
                 s->ssl_cert_len = strlen(s->ssl_cert);
+                if (JK_IS_DEBUG_LEVEL(conf->log)) {
+                    jk_log(conf->log, JK_LOG_DEBUG,
+                           "SSL client certificate (%d bytes):\n%s",
+                           s->ssl_cert_len, s->ssl_cert);
+                }
             }
             /* Servlet 2.3 API */
             s->ssl_cipher =
@@ -696,6 +722,8 @@
             if (ssl_temp)
                 s->ssl_key_size = atoi(ssl_temp);
         } + + } }
@@ -1614,6 +1642,25 @@
 }
 /*
+ * JkCERTCHAINPrefix Directive Handling
+ *
+ * JkCERTCHAINPrefix SSL_CLIENT_CERT_CHAIN_
+ */
+
+static const char *jk_set_certchain_prefix(cmd_parms * cmd,
+                                           void *dummy, const char *prefix)
+{
+    server_rec *s = cmd->server;
+    jk_server_conf_t *conf =
+        (jk_server_conf_t *) ap_get_module_config(s->module_config,
+                                                  &jk_module);
+
+    conf->certchain_prefix = apr_pstrdup(cmd->pool, prefix);
+
+    return NULL;
+}
+
+/*
  * JkSESSIONIndicator Directive Handling
  *
  * JkSESSIONIndicator SSL_SESSION_ID
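Review bot: The @@ -696 hunk adds two lines that, as rendered here, read as a blank line followed by a lone `}` after the closing brace of the key-size block; if that really is an extra closing brace the apache-2.0 module no longer compiles, and if the two lines are whitespace-only they are noise that does not belong in a feature commit. Please check the hunk against the tree and either drop the lines or keep only the ones that are needed. The enclosing function starts and ends outside the hunk.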
@@ -1663,6 +1710,8 @@
  * ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
  * ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
  * ForwardDirectories => Forward all directory requests with no index files to Tomcat
+ * +ForwardSSLCertChain => Forward SSL Cert Chain
+ * -ForwardSSLCertChain => Don't Forward SSL Cert Chain (default)
  */
 static const char *jk_set_options(cmd_parms * cmd, void *dummy,
@@ -1722,6 +1771,9 @@
     else if (!strcasecmp(w, "DisableReuse")) {
         opt = JK_OPT_DISABLEREUSE;
     }
+    else if (!strcasecmp(w, "ForwardCertChain")) {
+        opt = JK_OPT_FWDCERTCHAIN;
+    }
     else return apr_pstrcat(cmd->pool, "JkOptions: Illegal option '", w, "'", NULL);
@@ -1925,6 +1977,8 @@
     AP_INIT_TAKE1("JkKEYSIZEIndicator", jk_set_key_size_indicator, NULL, RSRC_CONF,
     "Name of the Apache environment that contains SSL key size in use"),
+    AP_INIT_TAKE1("JkCERTCHAINPrefix", jk_set_certchain_prefix, NULL, RSRC_CONF,
+    "Name of the Apache environment (prefix) that contains SSL client chain certificates"),
     AP_INIT_FLAG("JkExtractSSL", jk_set_enable_ssl, NULL, RSRC_CONF,
     "Turns on SSL processing and information gathering by mod_jk"),
@@ -1936,6 +1990,8 @@
  * ForwardURICompat => Forward URI normally, less spec compliant but mod_rewrite compatible (old TC)
  * ForwardURICompatUnparsed => Forward URI as unparsed, spec compliant but broke mod_rewrite (old TC)
  * ForwardURIEscaped => Forward URI escaped and Tomcat (3.3 rc2) stuff will do the decoding part
+ * +ForwardSSLCertChain => Forward SSL certificate chain
+ * -ForwardSSLCertChain => Don't forward SSL certificate chain
  */
     AP_INIT_RAW_ARGS("JkOptions", jk_set_options, NULL, RSRC_CONF,
     "Set one of more options to configure the mod_jk module"),
@@ -2280,6 +2336,7 @@
     c->https_indicator = NULL;
     c->certs_indicator = NULL;
     c->cipher_indicator = NULL;
+    c->certchain_prefix = NULL;
     c->session_indicator = NULL;
     c->key_size_indicator = NULL;
     c->strip_session = JK_UNSET;
@@ -2300,6 +2357,7 @@
     c->https_indicator = JK_ENV_HTTPS;
     c->certs_indicator = JK_ENV_CERTS;
     c->cipher_indicator = JK_ENV_CIPHER;
+    c->certchain_prefix = JK_ENV_CERTCHAIN_PREFIX;
     c->session_indicator = JK_ENV_SESSION;
     c->key_size_indicator = JK_ENV_KEY_SIZE;
     c->strip_session = JK_FALSE;
@@ -2375,6 +2433,8 @@
         overrides->certs_indicator = base->certs_indicator;
     if (!overrides->cipher_indicator)
         overrides->cipher_indicator = base->cipher_indicator;
+    if (!overrides->certchain_prefix)
+        overrides->certchain_prefix = base->certchain_prefix;
     if (!overrides->session_indicator)
         overrides->session_indicator = base->session_indicator;
     if (!overrides->key_size_indicator)
@@ -2794,7 +2854,7 @@
                                                   &jk_module);
     if (conf) {
-        const char *worker;
+        const char *worker;
         if ((r->handler != NULL) && (!strcmp(r->handler, JK_HANDLER))) {
             /* Somebody already set the handler, probably manual config
              * or "native" configuration, no need for extra overhead

Modified: tomcat/connectors/trunk/jk/native/common/jk_global.h
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_global.h?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/native/common/jk_global.h (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_global.h Mon Mar 19 00:08:28 2007
@@ -249,6 +249,7 @@
 #define JK_OPT_FLUSHPACKETS 0x0020
 #define JK_OPT_FLUSHEADER 0x0040
 #define JK_OPT_DISABLEREUSE 0x0080
+#define JK_OPT_FWDCERTCHAIN 0x0100
 /* Check for EBCDIC systems */

Modified: tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml Mon Mar 19 00:08:28 2007
@@ -26,6 +26,10 @@
 <br />
 <subsection name="Native">
 <changelog>
+ <update>
+ Apache. Add ForwardSSLCertChain JkOption.
+ Contributed by Patrik Schnellmann. (mturk)
+ </update>
 <fix>
 IIS. Do not forbid access to web-inf or meta-inf if there is no mapped worker. This allows to have resource with those names

Modified: tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/reference/apache.xml?view=diff&rev=519858&r1=519857&r2=519858
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/reference/apache.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/reference/apache.xml Mon Mar 19 00:08:28 2007
@@ -188,6 +188,12 @@
 <br/>
 The default value is "SSL_CIPHER".
 </p></attribute>
+<attribute name="JkCERTCHAINPrefix" required="false"><p>
+Name of the Apache environment (prefix) that contains SSL client chain certificates.
+<br/>
+The default value is "SSL_CLIENT_CERT_CHAIN_".
+</p></attribute>
+</p></attribute>
 <attribute name="JkSESSIONIndicator" required="false"><p>
 Name of the Apache environment variable that contains SSL session.
 <br/>
@@ -576,6 +582,25 @@
 <source>
 JkOptions +ForwardKeySize
+</source>
+
+<br/>
+<br/>
+</p>
+
+<p>
+JkOptions <b>ForwardSSLCertChain</b>, you ask mod_jk, when using ajp13,
+to Forward SSL certificate chain (off by default).
+Mod_jk only passes the <code>SSL_CLIENT_CERT</code> to the AJP connector. This is not a
+problem with self-signed certificates or certificates directly signed by the
+root CA certificate. However, there's a large number of certificates signed by
+an intermediate CA certificate, where this is a significant problem: A servlet
+will not have the possibility to validate the client certificate on its own. The
+bug would be fixed by passing on the <code>SSL_CLIENT_CERT_CHAIN</code> to Tomcat via the AJP connector.
+<br/>
+This directive exists only since version 1.2.22.
+<source>
+ + JkOptions +ForwardSSLCertChain
 </source>
 <br/>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]