The duplicate code for configuring default SSL version ranges has been merged into reusable methods in CryptoUtil.
Pushed to master under trivial rule. -- Endi S. Dewata
>From 4d6e6d05d5270a0e81ae12e2583cae9c49667c88 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Fri, 17 Mar 2017 02:01:20 +0100
Subject: [PATCH] Removed duplicate code to configure SSL version ranges.
The duplicate code for configuring default SSL version ranges has been merged into reusable methods in CryptoUtil.
---
 .../com/netscape/certsrv/client/PKIConnection.java | 27 ++------
 .../admin/certsrv/connection/JSSConnection.java | 73 ++++++++++++----------
 .../src/com/netscape/cmstools/HttpClient.java | 24 ++-----
 .../com/netscape/cmsutil/crypto/CryptoUtil.java | 24 +++++++
 4 files changed, 74 insertions(+), 74 deletions(-)
diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
index 301c4c69b5e14181dae3471156d046b643727d54..2c979eac22db32036b2653a510a561e0a979d7a9 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
@@ -84,7 +84,7 @@ import org.mozilla.jss.ssl.SSLSocket;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.cmsutil.crypto.CryptoUtil;
-
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 public class PKIConnection {
@@ -332,24 +332,8 @@ public class PKIConnection {
 localAddr = localAddress.getAddress();
 }
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
- new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
- SSLSocket.setSSLVersionRangeDefault(
- org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
- stream_range);
-
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
- new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
- SSLSocket.setSSLVersionRangeDefault(
- org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
- datagram_range);
-
+ CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
+ CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
 CryptoUtil.setClientCiphers();
 SSLSocket socket;
@@ -364,8 +348,9 @@ public class PKIConnection {
 } else {
 socket = new SSLSocket(sock, hostName, callback, null);
 }
-// setSSLVersionRange needs to be exposed in jss
-// socket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+ // SSLSocket.setSSLVersionRange() needs to be exposed in JSS
+ // socket.setSSLVersionRange(SSLVersionRange.tls1_0, SSLVersionRange.tls1_2);
 String certNickname = config.getCertNickname();
 if (certNickname != null) {
diff --git a/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java b/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
index 6908ed992154ef3bd04124cc2ba116e49bb865cf..8678b537886bc28b1ec81f9f61be8337b2f8c00f 100644
--- a/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
+++ b/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
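Review bot: The two new calls at the top of the hunk, `CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2)` and `CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2)`, still pin the protocol floor in code, and judging by the `SSLSocket.setSSLVersionRangeDefault` calls they replace they set a JSS process-wide default rather than a range for this one socket, so whichever caller runs last decides the floor for every SSLSocket created afterwards in the JVM. A comment at the call site would save the next reader from assuming it is per-connection, e.g. `// JSS process-wide defaults, not per-socket: inherited by every SSLSocket created after this point`. Now that the helper takes the bounds as parameters, reading the minimum version from the client configuration instead of hard-coding TLS 1.0 would let a deployment raise the floor without a code change. The same two lines appear in the JSSConnection hunk at @@ -98 and the HttpClient hunk at @@ -122; the enclosing method starts and ends outside the hunk.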
@@ -17,24 +17,45 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.admin.certsrv.connection;
-import java.util.*;
-import java.net.*;
-import java.io.*;
+import java.awt.Container;
+import java.awt.GridBagConstraints;
+import java.awt.GridBagLayout;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.net.SocketException;
+import java.net.UnknownHostException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import com.netscape.admin.certsrv.*;
-import com.netscape.certsrv.common.*;
-import com.netscape.management.client.util.Debug;
-import com.netscape.management.client.util.*;
-import org.mozilla.jss.ssl.*;
-import org.mozilla.jss.*;
-import org.mozilla.jss.util.*;
-import org.mozilla.jss.crypto.*;
-import org.mozilla.jss.pkcs11.*;
-import javax.swing.*;
-import java.awt.*;
+import java.util.Enumeration;
+import java.util.ResourceBundle;
+import java.util.Vector;
+import javax.swing.JComboBox;
+import javax.swing.JFrame;
+import javax.swing.JLabel;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.InternalCertificate;
+import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
+import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.util.Password;
+import org.mozilla.jss.util.PasswordCallback;
+import org.mozilla.jss.util.PasswordCallbackInfo;
+
+import com.netscape.admin.certsrv.CMSAdminResources;
 import com.netscape.cmsutil.crypto.CryptoUtil;
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
+import com.netscape.management.client.util.AbstractDialog;
+import com.netscape.management.client.util.Debug;
+import com.netscape.management.client.util.GridBagUtil;
+import com.netscape.management.client.util.MultilineLabel;
+import com.netscape.management.client.util.SingleBytePasswordField;
+import com.netscape.management.client.util.UtilConsoleGlobals;
 /**
 * JSSConnection deals with establishing a connection to
@@ -98,24 +119,8 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
 } catch (Exception e) { }
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
- new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
- SSLSocket.setSSLVersionRangeDefault(
- org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
- stream_range);
-
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
- new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
- SSLSocket.setSSLVersionRangeDefault(
- org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
- datagram_range);
-
+ CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
+ CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
 CryptoUtil.setClientCiphers();
 s = new SSLSocket(host, port, null, 0, this, this);
@@ -509,8 +514,8 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
 private boolean endOfHeader(byte[] hdr, int available) {
 if (available == 2) {
- int c1 = (int)hdr[0];
- int c2 = (int)hdr[1];
+ int c1 = hdr[0];
+ int c2 = hdr[1];
 //System.out.println("C1= " + c1);
 //System.out.println("C2= " + c2);
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
index 6a008bf2cba32d5b66c4ade8741fa58d8290b9e8..aa3bd174385c4fa6a04ac5ce330a5a0d54b6973a 100644
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
@@ -41,6 +41,7 @@ import org.mozilla.jss.ssl.SSLSocket;
 import org.mozilla.jss.util.Password;
 import com.netscape.cmsutil.crypto.CryptoUtil;
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 import com.netscape.cmsutil.util.Utils;
 /**
@@ -122,29 +123,14 @@ public class HttpClient {
 token.login(pass);
 SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
- new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
- SSLSocket.setSSLVersionRangeDefault(
- org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
- stream_range);
-
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
- new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
- SSLSocket.setSSLVersionRangeDefault(
- org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
- datagram_range);
+ CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
+ CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
 CryptoUtil.setClientCiphers();
 sslSocket = new SSLSocket(_host, _port);
- // setSSLVersionRange needs to be exposed in jss
- // sslSocket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+ // SSLSocket.setSSLVersionRange() needs to be exposed in JSS
+ // sslSocket.setSSLVersionRange(SSLVersionRange.tls1_0, SSLVersionRange.tls1_2);
 sslSocket.addHandshakeCompletedListener(listener);
 CryptoToken tt = cm.getThreadToken();
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index de1ac442cd4187b8dc2af5a58ab103cc1c240ca7..f7395308ddb2beb9a93b8d66af1f2a5ceaea7507 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -99,6 +99,8 @@ import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
 import org.mozilla.jss.pkix.primitive.Name;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant;
+import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange;
 import org.mozilla.jss.util.Base64OutputStream;
 import org.mozilla.jss.util.Password;
@@ -135,6 +137,19 @@ import netscape.security.x509.X509Key;
 @SuppressWarnings("serial")
 public class CryptoUtil {
+ public static enum SSLVersion {
+ SSL_3_0(SSLVersionRange.ssl3),
+ TLS_1_0(SSLVersionRange.tls1_0),
+ TLS_1_1(SSLVersionRange.tls1_1),
+ TLS_1_2(SSLVersionRange.tls1_2);
+
+ public int value;
+
+ SSLVersion(int value) {
+ this.value = value;
+ }
+ }
+
 public final static String INTERNAL_TOKEN_NAME = "internal";
 public final static String INTERNAL_TOKEN_FULL_NAME = "Internal Key Storage Token";
@@ -700,6 +715,15 @@ public class CryptoUtil {
 return pair;
 }
+ public static void setSSLStreamVersionRange(SSLVersion min, SSLVersion max) throws SocketException {
+ SSLVersionRange range = new SSLVersionRange(min.value, max.value);
+ SSLSocket.setSSLVersionRangeDefault(SSLProtocolVariant.STREAM, range);
+ }
+
+ public static void setSSLDatagramVersionRange(SSLVersion min, SSLVersion max) throws SocketException {
+ SSLVersionRange range = new SSLVersionRange(min.value, max.value);
+ SSLSocket.setSSLVersionRangeDefault(SSLProtocolVariant.DATA_GRAM, range);
+ }
 private static HashMap<String, Integer> cipherMap = new HashMap<String, Integer>();
 static {
-- 2.9.3
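Review bot: `public int value;` in the new `SSLVersion` enum is a non-final public field, so any code in the JVM can reassign `SSLVersion.TLS_1_0.value` (or any other constant's) and every later `setSSLStreamVersionRange`/`setSSLDatagramVersionRange` call would silently apply a different process-wide floor than its arguments name; the one-line fix with no caller impact is `public final int value;`, and `private final int value;` with a `public int value()` accessor is the usual form. `SSL_3_0` is also exposed although no caller in this patch passes it; if it has to stay for compatibility, a Javadoc line on the constant saying it is a legacy value would keep callers from choosing it as a floor. The `static` on `public static enum` is redundant for a nested enum.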
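Review bot: The two new helpers `setSSLStreamVersionRange` and `setSSLDatagramVersionRange` carry no Javadoc, and nothing tells a caller that they change a JSS process-wide default (what the wrapped `SSLSocket.setSSLVersionRangeDefault` does) rather than configure one socket; add a Javadoc to each along the lines of `/** Sets the JSS process-wide default version range for stream (TLS) sockets created afterwards. @throws SocketException if JSS rejects the range */`, adjusted to say DTLS for the datagram one. Neither helper checks `min` against `max` before building the `SSLVersionRange`; unless the JSS constructor already rejects an inverted range, an explicit `IllegalArgumentException` naming both bounds here is clearer than a failure that only surfaces later at handshake time.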