billbarker 01/12/06 20:40:06 Modified: src/share/org/apache/tomcat/util/net DefaultServerSocketFactory.java PoolTcpEndpoint.java ServerSocketFactory.java Added: src/share/org/apache/tomcat/util/net JSSEImplementation.java JSSESocketFactory.java JSSESupport.java PureTLSImplementation.java PureTLSSocket.java PureTLSSocketFactory.java PureTLSSupport.java SSLImplementation.java SSLSupport.java Removed: src/share/org/apache/tomcat/util/net SSLSocketFactory.java Log: Adding support for PureTLS. This is the main re-factoring of support for SSL. Submitted by: Eric Rescorla [EMAIL PROTECTED] Revision Changes Path 1.2 +16 -4 jakarta-tomcat/src/share/org/apache/tomcat/util/net/DefaultServerSocketFactory.java Index: DefaultServerSocketFactory.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/net/DefaultServerSocketFactory.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- DefaultServerSocketFactory.java 2000/08/14 21:54:36 1.1 +++ DefaultServerSocketFactory.java 2001/12/07 04:40:06 1.2 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/net/DefaultServerSocketFactory.java,v 1.1 2000/08/14 21:54:36 costin Exp $ - * $Revision: 1.1 $ - * $Date: 2000/08/14 21:54:36 $ + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/net/DefaultServerSocketFactory.java,v 1.2 2001/12/07 04:40:06 billbarker Exp $ + * $Revision: 1.2 $ + * $Date: 2001/12/07 04:40:06 $ * * ==================================================================== * 
@@ -101,4 +101,16 @@ throws IOException { return new ServerSocket (port, backlog, ifAddress); } -} + + public Socket acceptSocket(ServerSocket socket) + throws IOException { + return socket.accept(); + } + + public void handshake(Socket sock) + throws IOException { + ; // NOOP + } + + + } 1.16 +19 -4 jakarta-tomcat/src/share/org/apache/tomcat/util/net/PoolTcpEndpoint.java Index: PoolTcpEndpoint.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/net/PoolTcpEndpoint.java,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- PoolTcpEndpoint.java 2001/08/31 04:13:12 1.15 +++ PoolTcpEndpoint.java 2001/12/07 04:40:06 1.16 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/net/PoolTcpEndpoint.java,v 1.15 2001/08/31 04:13:12 costin Exp $ - * $Revision: 1.15 $ - * $Date: 2001/08/31 04:13:12 $ + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/net/PoolTcpEndpoint.java,v 1.16 2001/12/07 04:40:06 billbarker Exp $ + * $Revision: 1.16 $ + * $Date: 2001/12/07 04:40:06 $ * * ==================================================================== * @@ -191,6 +191,10 @@ this.factory=factory; } + ServerSocketFactory getServerSocketFactory() { + return factory; + } + public void setConnectionHandler( TcpConnectionHandler handler ) { this.handler=handler; } @@ -311,7 +315,12 @@ try { if (running) { if(null!= serverSocket) { - accepted = serverSocket.accept(); + if(factory==null){ + accepted = serverSocket.accept(); + } + else { + accepted = factory.acceptSocket(serverSocket); + } if(!running) { if(null != accepted) { accepted.close(); // rude, but unlikely! @@ -462,6 +471,10 @@ endpoint.tp.runIt(this); try { + if(endpoint.getServerSocketFactory()!=null) { + endpoint.getServerSocketFactory().handshake(s); + } + if( usePool ) { con=(TcpConnection)connectionCache.get(); if( con == null ) 
@@ -475,6 +488,8 @@ con.setSocket(s); endpoint.setSocketOptions( s ); endpoint.getConnectionHandler().processConnection(con, perThrData); + } catch (IOException e){ + endpoint.log("Handshake failed",e,Log.ERROR); } finally { con.recycle(); if( usePool && con != null ) connectionCache.put(con); 1.3 +18 -0 jakarta-tomcat/src/share/org/apache/tomcat/util/net/ServerSocketFactory.java Index: ServerSocketFactory.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/net/ServerSocketFactory.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- ServerSocketFactory.java 2001/11/07 13:36:42 1.2 +++ ServerSocketFactory.java 2001/12/07 04:40:06 1.3 
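Review bot: When `handshake(s)` throws, the new `catch (IOException e)` only logs and drops into `finally`, where `con.recycle()` runs before the `con != null` test — if `con` is still null at that point (it is only assigned after the handshake call in the previous hunk) this NPEs, and either way the accepted socket `s` is never closed on the failure path, so every aborted TLS handshake can leak a descriptor unless something outside the hunk closes it. Suggest closing the socket in the handler and guarding the recycle: `} catch (IOException e) { endpoint.log("Handshake failed", e, Log.ERROR); try { s.close(); } catch (IOException ignore) {} } finally { if (con != null) { con.recycle(); if (usePool) connectionCache.put(con); } }`. The catch also spans `processConnection`, so any IOException raised while serving the request is now logged as "Handshake failed"; wrapping only the handshake call, or using a neutral message, would avoid the misleading log entry. The enclosing run() body begins outside this hunk.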
@@ -191,5 +191,23 @@ public void initSocket( Socket s ) { } + + /** + Wrapper function for accept(). This allows us to trap and + translate exceptions if necessary + + @exception IOException; + */ + public abstract Socket acceptSocket(ServerSocket socket) + throws IOException; + + /** + Extra function to initiate the handshake. Sometimes necessary + for SSL + + @exception IOException; + */ + public abstract void handshake(Socket sock) + throws IOException; } 1.1 jakarta-tomcat/src/share/org/apache/tomcat/util/net/JSSEImplementation.java Index: JSSEImplementation.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. 
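Review bot: The Javadoc on the new `handshake(Socket)` states no contract, yet the endpoint now depends on one — it is called on the worker thread before any request bytes are read, and an IOException means the connection must be discarded. Suggest: `Complete any protocol-level handshake (e.g. TLS) on an accepted socket. Called once, before the first read; an IOException means the socket must not be used further. No-op for plain sockets.` Likewise `acceptSocket` could say that implementations translate provider exceptions (the SSL factories in this commit rethrow SSLException as SocketException) so one bad client cannot terminate the accept loop. Adding two abstract methods also breaks any external ServerSocketFactory subclass, which the commit message does not mention.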
Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. 
 * * [Additional notices, if required by prior licensing conditions] * */
package org.apache.tomcat.util.net;

import java.io.*;
import java.net.*;
import javax.net.ssl.SSLSocket;

/*
  JSSEImplementation: Concrete implementation class for JSSE

  @author EKR
*/
class JSSEImplementation extends SSLImplementation {

    /**
     * Probe for JSSE by loading one of its classes.  The
     * ClassNotFoundException is deliberately propagated so the caller
     * can fall back to another SSLImplementation.
     */
    JSSEImplementation() throws ClassNotFoundException {
        Class.forName("javax.net.ssl.SSLServerSocketFactory");
    }

    /** Name under which this implementation is selected. */
    public String getImplementationName() {
        return "JSSE";
    }

    /** A new, not-yet-initialized JSSE server socket factory. */
    public ServerSocketFactory getServerSocketFactory() {
        return new JSSESocketFactory();
    }

    /**
     * Wrap an accepted socket.  The argument must have been produced by
     * this implementation's factory: the cast to SSLSocket is unchecked
     * and fails for a plain socket.
     */
    public SSLSupport getSSLSupport(Socket s) {
        SSLSocket sslSock = (SSLSocket) s;
        return new JSSESupport(sslSock);
    }
}
1.1 jakarta-tomcat/src/share/org/apache/tomcat/util/net/JSSESocketFactory.java Index: JSSESocketFactory.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4.
The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.util.net; import java.io.*; import java.net.*; import java.security.KeyStore; import java.security.Security; import javax.net.ServerSocketFactory; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLException; import javax.net.ssl.SSLServerSocketFactory; import javax.net.ssl.HandshakeCompletedListener; import javax.net.ssl.HandshakeCompletedEvent; /* 1. 
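Make the JSSE's jars available, either as an installed extension
   (copy them into jre/lib/ext) or by adding them to the Tomcat
   classpath.

   2. keytool -genkey -alias tomcat -keyalg RSA
      Use "changeit" as password ( this is the default we use )
 */

/**
 * SSL server socket factory. It _requires_ a valid RSA key and
 * JSSE.
 *
 * Configuration is taken from the factory's <code>attributes</code>
 * map (filled in by the connector) the first time a server socket is
 * created:
 * <ul>
 *  <li><b>keystore</b>     - keystore file holding the server key; default
 *                            <code>${user.home}/.keystore</code>.</li>
 *  <li><b>keystoreType</b> - KeyStore type; default "JKS".</li>
 *  <li><b>keypass</b>      - password for both the keystore and the key
 *                            entry; default "changeit".  That default is
 *                            public knowledge, so deployments must set
 *                            their own.</li>
 *  <li><b>clientauth</b>   - absent or "false" disables client certificate
 *                            authentication; any other value enables it.
 *                            The CA certificates used to verify clients
 *                            are read from the same keystore.</li>
 *  <li><b>protocol</b>     - SSLContext protocol; default "TLS".</li>
 *  <li><b>algorithm</b>    - KeyManagerFactory algorithm; default "SunX509".</li>
 *  <li><b>ciphers</b>      - optional comma-separated list of cipher suites
 *                            to enable.  When absent the provider's default
 *                            enabled set is left untouched.  An unsupported
 *                            name makes createSocket() fail with an
 *                            IllegalArgumentException from JSSE.</li>
 * </ul>
 *
 * @author Harish Prabandham
 * @author Costin Manolache
 * @author Stefan Freyr Stefansson
 * @author EKR -- renamed to JSSESocketFactory
 */
public class JSSESocketFactory
    extends org.apache.tomcat.util.net.ServerSocketFactory
{
    private String keystoreType;

    static String defaultKeystoreType = "JKS";
    static String defaultProtocol = "TLS";
    static String defaultAlgorithm = "SunX509";
    static boolean defaultClientAuth = false;
    private boolean clientAuth = false;
    private SSLServerSocketFactory sslProxy = null;
    // Cipher suites to enable on every server socket; null means
    // "keep whatever the provider enables by default".
    private String[] enabledCiphers = null;

    // defaults
    static String defaultKeystoreFile=System.getProperty("user.home") +
        "/.keystore";
    // Published default; see the class comment.
    static String defaultKeyPass="changeit";

    public JSSESocketFactory () {
    }

    public ServerSocket createSocket (int port)
        throws IOException
    {
        if( sslProxy == null ) initProxy();
        ServerSocket socket = sslProxy.createServerSocket(port);
        initServerSocket(socket);
        return socket;
    }

    public ServerSocket createSocket (int port, int backlog)
        throws IOException
    {
        if( sslProxy == null ) initProxy();
        ServerSocket socket = sslProxy.createServerSocket(port, backlog);
        initServerSocket(socket);
        return socket;
    }

    public ServerSocket createSocket (int port, int backlog,
                                      InetAddress ifAddress)
        throws IOException
    {
        if( sslProxy == null ) initProxy();
        ServerSocket socket = sslProxy.createServerSocket(port, backlog,
                                                          ifAddress);
        initServerSocket(socket);
        return socket;
    }

    // -------------------- Internal methods

    /**
     * Read the keystore, init the SSL socket factory.
     *
     * @exception IOException on any configuration or keystore problem;
     *            non-IO failures are re-wrapped with their class name
     *            since this JDK has no chained causes.
     */
    private void initProxy() throws IOException {
        try {
            Security.addProvider (new sun.security.provider.Sun());
            Security.addProvider (new com.sun.net.ssl.internal.ssl.Provider());

            // Please don't change the name of the attribute - other
            // software may depend on it ( j2ee for sure )
            String keystoreFile=(String)attributes.get("keystore");
            if( keystoreFile==null) keystoreFile=defaultKeystoreFile;

            keystoreType=(String)attributes.get("keystoreType");
            if( keystoreType==null) keystoreType=defaultKeystoreType;

            // Client auth is on unless the attribute is absent or "false".
            // Earlier code keyed on the attribute's *presence*, so
            // clientauth="false" actually switched it on.  For the values
            // "true"/"false" this now agrees with PureTLSSocketFactory.
            String clientAuthStr=(String)attributes.get("clientauth");
            clientAuth = (clientAuthStr != null)
                && !clientAuthStr.equalsIgnoreCase("false");

            // One password serves for the store and for the key entry.
            String keyPass=(String)attributes.get("keypass");
            if( keyPass==null) keyPass=defaultKeyPass;

            //protocol for the SSL ie - TLS, SSL v3 etc.
            String protocol = (String)attributes.get("protocol");
            if(protocol == null) protocol = defaultProtocol;

            //Algorithm used to encode the certificate ie - SunX509
            String algorithm = (String)attributes.get("algorithm");
            if(algorithm == null) algorithm = defaultAlgorithm;

            // Optional explicit cipher suite list (null = provider default).
            enabledCiphers =
                parseCipherList((String)attributes.get("ciphers"));

            // You can't use ssl without a server certificate.
            // Create a KeyStore ( to get server certs )
            KeyStore kstore = initKeyStore( keystoreFile, keyPass );

            // Create a SSLContext ( to create the ssl factory )
            // This is the only way to use server sockets with JSSE 1.0.1
            com.sun.net.ssl.SSLContext context =
                com.sun.net.ssl.SSLContext.getInstance(protocol); //SSL

            // Key manager will extract the server key
            com.sun.net.ssl.KeyManagerFactory kmf =
                com.sun.net.ssl.KeyManagerFactory.getInstance(algorithm);
            kmf.init( kstore, keyPass.toCharArray());

            // If client authentication is needed, set up TrustManager.
            // NOTE: the trust anchors come from the *same* keystore, so
            // the CA certificates that sign acceptable client certs must
            // be imported there as trusted entries next to the server key.
            com.sun.net.ssl.TrustManager[] tm = null;
            if( clientAuth) {
                com.sun.net.ssl.TrustManagerFactory tmf =
                    com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509");
                tmf.init(kstore);
                tm = tmf.getTrustManagers();
            }

            // init context with the key managers
            context.init(kmf.getKeyManagers(), tm,
                         new java.security.SecureRandom());

            // create proxy
            sslProxy = context.getServerSocketFactory();

            return;
        } catch(Exception e) {
            if( e instanceof IOException )
                throw (IOException)e;
            // Keep the class name: getMessage() alone is often null or
            // uninformative (NoSuchAlgorithmException, UnrecoverableKey...).
            throw new IOException(e.getClass().getName() + ": " +
                                  e.getMessage());
        }
    }

    /**
     * Split a comma-separated cipher suite list into an array, trimming
     * whitespace and dropping empty entries.
     *
     * @return the names, or null if the list is null or holds no names.
     */
    static String[] parseCipherList(String list) {
        if (list == null) return null;
        java.util.Vector names = new java.util.Vector();
        java.util.StringTokenizer tok =
            new java.util.StringTokenizer(list, ",");
        while (tok.hasMoreTokens()) {
            String name = tok.nextToken().trim();
            if (name.length() > 0) names.addElement(name);
        }
        if (names.isEmpty()) return null;
        String[] result = new String[names.size()];
        names.copyInto(result);
        return result;
    }

    /**
     * Accept a connection, translating JSSE's SSLException into a
     * SocketException so the endpoint's accept loop treats it like any
     * other per-connection failure.  No handshake happens here.
     */
    public Socket acceptSocket(ServerSocket socket)
        throws IOException
    {
        try {
            return socket.accept();
        } catch (SSLException e){
            throw new SocketException("SSL handshake error" + e.toString());
        }
    }

    /**
     * Set server socket properties ( accepted cipher suites, etc).
     */
    private void initServerSocket(ServerSocket ssocket) {
        SSLServerSocket socket=(SSLServerSocket)ssocket;

        // Only override the enabled suites when the administrator asked
        // for a specific list.  Earlier versions enabled the whole
        // getSupportedCipherSuites() set, which in JSSE also contains the
        // anonymous (unauthenticated) and NULL-encryption suites the
        // provider deliberately leaves disabled.
        if (enabledCiphers != null) {
            socket.setEnabledCipherSuites(enabledCiphers);
        }

        // we don't know if client auth is needed -
        // after parsing the request we may re-handshake
        socket.setNeedClientAuth(clientAuth);
    }

    /**
     * Load the keystore from disk.
     *
     * @exception IOException if the file is missing/unreadable, the
     *            password is wrong (reported by KeyStore.load as an
     *            IOException) or the store cannot be parsed.
     */
    private KeyStore initKeyStore( String keystoreFile,
                                   String keyPass)
        throws IOException
    {
        InputStream istream = null;
        try {
            KeyStore kstore=KeyStore.getInstance( keystoreType );
            istream = new FileInputStream(keystoreFile);
            kstore.load(istream, keyPass.toCharArray());
            return kstore;
        } catch (IOException ioe) {
            // Includes FileNotFoundException; pass through unchanged.
            throw ioe;
        } catch(Exception ex) {
            // No chained causes in this JDK: keep the class name so a
            // corrupt store or unknown type stays recognisable.
            throw new IOException( "Exception trying to load keystore " +
                                   keystoreFile + ": " +
                                   ex.getClass().getName() + ": " +
                                   ex.getMessage() );
        } finally {
            // Earlier versions never closed the stream on any path.
            if (istream != null) {
                try {
                    istream.close();
                } catch (IOException ignored) {
                    // nothing useful to do; the store is already loaded
                    // or the real error is already being thrown
                }
            }
        }
    }

    /**
     * Run the TLS handshake now, so a failure surfaces here (on the
     * worker thread) rather than on the first read of the request.
     */
    public void handshake(Socket sock)
        throws IOException
    {
        ((SSLSocket)sock).startHandshake();
    }
}
1.1 jakarta-tomcat/src/share/org/apache/tomcat/util/net/JSSESupport.java Index: JSSESupport.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2.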
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. 
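For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */
package org.apache.tomcat.util.net;

import java.io.*;
import java.net.*;
import java.util.Vector;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import java.security.cert.CertificateFactory;
import javax.security.cert.X509Certificate;

/* JSSESupport

   Concrete implementation class for JSSE
   Support classes.

   This will only work with JDK 1.2 and up since it depends on
   JDK 1.2's certificate support

   @author EKR

   Parts cribbed from JSSECertCompat
*/
class JSSESupport implements SSLSupport {
    private SSLSocket ssl;

    JSSESupport(SSLSocket sock){
        ssl=sock;
    }

    /**
     * Name of the cipher suite negotiated on this connection, or null
     * when JSSE reports no session.  (Earlier versions always returned
     * the placeholder "Unknown", so nothing downstream could log or
     * check the real suite.)
     */
    public String getCipherSuite() throws IOException {
        SSLSession session = ssl.getSession();
        if (session == null)
            return null;
        return session.getCipherSuite();
    }

    /**
     * The client's certificate chain as java.security.cert certificates,
     * or null when there is no session or the client presented no
     * certificate.
     *
     * JSSE 1.0.x returns javax.security.cert.X509Certificate objects, so
     * each one is re-parsed from its DER encoding with an X.509
     * CertificateFactory.
     *
     * @exception IOException if a certificate JSSE accepted cannot be
     *            re-encoded or re-parsed.  This is reported rather than
     *            swallowed and treated as "no client certificate", as
     *            the earlier catch-Throwable version did.
     */
    public java.security.cert.Certificate[] getPeerCertificateChain()
        throws IOException
    {
        // Look up the current SSLSession
        SSLSession session = ssl.getSession();
        if (session == null)
            return null;

        X509Certificate jsseCerts[] = null;
        try {
            jsseCerts = session.getPeerCertificateChain();
        } catch (javax.net.ssl.SSLPeerUnverifiedException e) {
            // The client did not authenticate: the documented "absent" case.
            return null;
        }
        if (jsseCerts == null || jsseCerts.length < 1)
            return null;

        // Convert JSSE's certificate format to the ones we need
        java.security.cert.X509Certificate x509Certs[] =
            new java.security.cert.X509Certificate[jsseCerts.length];
        try {
            // One factory for the whole chain instead of one per cert.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            for (int i = 0; i < jsseCerts.length; i++) {
                byte buffer[] = jsseCerts[i].getEncoded();
                ByteArrayInputStream stream = new ByteArrayInputStream(buffer);
                x509Certs[i] = (java.security.cert.X509Certificate)
                    cf.generateCertificate(stream);
            }
        } catch (javax.security.cert.CertificateEncodingException e) {
            throw new IOException("Cannot encode client certificate: " +
                                  e.getMessage());
        } catch (java.security.cert.CertificateException e) {
            throw new IOException("Cannot convert client certificate chain: " +
                                  e.getMessage());
        }
        return x509Certs;
    }
}
1.1 jakarta-tomcat/src/share/org/apache/tomcat/util/net/PureTLSImplementation.java Index: PureTLSImplementation.java =================================================================== /* *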
==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. 
IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */
package org.apache.tomcat.util.net;

import java.io.*;
import java.net.*;
import COM.claymoresystems.sslg.*;
import COM.claymoresystems.ptls.*;
import COM.claymoresystems.cert.*;

/* PureTLSImplementation:

   Concrete implementation class for PureTLS

   @author EKR
*/
class PureTLSImplementation extends SSLImplementation {

    /**
     * Probe for PureTLS by loading its SSLContext class.  The
     * ClassNotFoundException is deliberately propagated so the caller
     * can try another SSLImplementation.
     */
    PureTLSImplementation() throws ClassNotFoundException {
        Class.forName("COM.claymoresystems.ptls.SSLContext");
    }

    /** Name under which this implementation is selected. */
    public String getImplementationName(){
        return "PureTLS";
    }

    /** A new, not-yet-initialized PureTLS server socket factory. */
    public ServerSocketFactory getServerSocketFactory() {
        return new PureTLSSocketFactory();
    }

    /**
     * Wrap an accepted socket.  The argument must come from this
     * implementation's factory: the cast to PureTLS's SSLSocket is
     * unchecked and fails for a plain socket.
     */
    public SSLSupport getSSLSupport(Socket s) {
        SSLSocket pureSock = (SSLSocket) s;
        return new PureTLSSupport(pureSock);
    }
}
1.1 jakarta-tomcat/src/share/org/apache/tomcat/util/net/PureTLSSocket.java Index: PureTLSSocket.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation.
All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. 
IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */
package org.apache.tomcat.util.net;

import java.io.*;
import java.net.*;
import COM.claymoresystems.ptls.*;
import COM.claymoresystems.cert.*;
import COM.claymoresystems.sslg.*;

/*
 * PureTLSSocket.java
 *
 * Wraps COM.claymoresystems.ptls.SSLSocket
 *
 * This class translates PureTLS's interfaces into those
 * expected by Tomcat
 *
 * @author Eric Rescorla
 *
 */
public class PureTLSSocket extends COM.claymoresystems.ptls.SSLSocket {

    /**
     * No-arg constructor only: the class is intended to be handed to
     * ServerSocket.implAccept(), which fills in the connection afterwards.
     * None of the factory code shipped alongside it (PureTLSSocketFactory
     * returns the library's own SSLSocket from accept()) refers to it yet.
     */
    public PureTLSSocket() throws IOException {
        super();
    }
}
1.1 jakarta-tomcat/src/share/org/apache/tomcat/util/net/PureTLSSocketFactory.java Index: PureTLSSocketFactory.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved.
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. 
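IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */
package org.apache.tomcat.util.net;

import java.io.*;
import java.net.*;
import COM.claymoresystems.ptls.*;
import COM.claymoresystems.cert.*;
import COM.claymoresystems.sslg.*;

/**
 * SSL server socket factory--wraps PureTLS
 *
 * Configuration is read from the factory's <code>attributes</code> map
 * once, on the first createSocket() call:
 * <ul>
 *  <li><b>keystore</b>   - PEM (EAY format) file with the server key and
 *                          certificate; default "server.pem".</li>
 *  <li><b>keypass</b>    - passphrase for the key file and the randomness
 *                          file; default "password".  That default is a
 *                          published value, so real deployments must set
 *                          their own.</li>
 *  <li><b>rootfile</b>   - PEM file of CA certificates trusted for client
 *                          authentication; default "root.pem".  Only read
 *                          when clientauth is "true".</li>
 *  <li><b>randomfile</b> - PureTLS randomness seed file; default
 *                          "random.pem".</li>
 *  <li><b>protocol</b>   - read but not yet applied to the context;
 *                          default "TLS".</li>
 *  <li><b>clientauth</b> - "true" or "false" (default); anything else is
 *                          a configuration error.</li>
 * </ul>
 * Relative file names resolve against the JVM's working directory.
 *
 * The handshake is deliberately not run on accept (see init()); the
 * endpoint calls handshake() from a worker thread so a slow or hostile
 * client cannot stall the accept loop.
 *
 * @author Eric Rescorla
 *
 * some sections of this file cribbed from SSLSocketFactory
 * (the JSSE socket factory)
 *
 */
public class PureTLSSocketFactory
    extends org.apache.tomcat.util.net.ServerSocketFactory
{
    static String defaultProtocol = "TLS";
    static boolean defaultClientAuth = false;
    static String defaultKeyStoreFile = "server.pem";
    // Published default; see the class comment.
    static String defaultKeyPass = "password";
    static String defaultRootFile = "root.pem";
    static String defaultRandomFile = "random.pem";

    private SSLContext context=null;

    public PureTLSSocketFactory() {
    }

    public ServerSocket createSocket(int port)
        throws IOException
    {
        init();
        return new SSLServerSocket(context,port);
    }

    public ServerSocket createSocket(int port, int backlog)
        throws IOException
    {
        init();
        return new SSLServerSocket(context,port,backlog);
    }

    public ServerSocket createSocket(int port, int backlog,
                                     InetAddress ifAddress)
        throws IOException
    {
        init();
        return new SSLServerSocket(context,port,backlog,ifAddress);
    }

    /**
     * Build the PureTLS SSLContext from the attributes; a no-op once it
     * exists.
     *
     * @exception IOException on any configuration or file problem.
     *            Non-IO failures are re-wrapped with their class name,
     *            since this JDK has no chained causes.
     */
    private void init() throws IOException {
        if(context!=null)
            return;

        try {
            String keyStoreFile=(String)attributes.get("keystore");
            if(keyStoreFile==null)
                keyStoreFile=defaultKeyStoreFile;

            String keyPass=(String)attributes.get("keypass");
            if(keyPass==null)
                keyPass=defaultKeyPass;

            // Earlier code read "randomfile" here (copy/paste slip), which
            // made the client-auth trust anchors unconfigurable and, if a
            // randomfile attribute was set, loaded that file as the CA list.
            String rootFile=(String)attributes.get("rootfile");
            if(rootFile==null)
                rootFile=defaultRootFile;

            String randomFile=(String)attributes.get("randomfile");
            if(randomFile==null)
                randomFile=defaultRandomFile;

            // Read for completeness; the PureTLS context is not told about it.
            String protocol=(String)attributes.get("protocol");
            if(protocol==null)
                protocol=defaultProtocol;

            boolean clientAuth =
                parseClientAuth((String)attributes.get("clientauth"));

            SSLContext tmpContext=new SSLContext();

            // Trust anchors are only needed when we will verify clients.
            if(clientAuth){
                tmpContext.loadRootCertificates(rootFile);
            }
            tmpContext.loadEAYKeyFile(keyStoreFile,keyPass);
            tmpContext.useRandomnessFile(randomFile,keyPass);

            SSLPolicyInt policy=new SSLPolicyInt();
            policy.requireClientAuth(clientAuth);
            // Defer the handshake to handshake(), run off the accept thread.
            policy.handshakeOnConnect(false);
            policy.waitOnClose(false);
            tmpContext.setPolicy(policy);

            context=tmpContext;
        } catch (IOException e){
            throw e;
        } catch (Exception e){
            throw new IOException(e.getClass().getName() + ": " +
                                  e.getMessage());
        }
    }

    /**
     * Parse the "clientauth" attribute: null means the default (off),
     * "true"/"false" are taken literally, anything else is rejected.
     *
     * @exception IOException for any value other than "true"/"false".
     */
    private static boolean parseClientAuth(String clientAuthStr)
        throws IOException
    {
        if(clientAuthStr == null)
            return defaultClientAuth;
        if(clientAuthStr.equals("true"))
            return true;
        if(clientAuthStr.equals("false"))
            return false;
        throw new IOException("Invalid value '" + clientAuthStr +
                              "' for 'clientauth' parameter:");
    }

    /**
     * Accept a connection, translating PureTLS's SSLException into a
     * SocketException so the endpoint's accept loop treats it like any
     * other per-connection failure.  No handshake happens here.
     */
    public Socket acceptSocket(ServerSocket socket)
        throws IOException
    {
        try {
            return socket.accept();
        } catch (SSLException e){
            throw new SocketException("SSL handshake error" + e.toString());
        }
    }

    /**
     * Run the TLS handshake now, so a failure surfaces here (on the
     * worker thread) rather than on the first read of the request.
     */
    public void handshake(Socket sock)
        throws IOException
    {
        ((SSLSocket)sock).handshake();
    }
}
1.1 jakarta-tomcat/src/share/org/apache/tomcat/util/net/PureTLSSupport.java Index: PureTLSSupport.java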
=================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. 
IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.util.net; import java.io.*; import java.net.*; import java.util.Vector; import java.security.cert.CertificateFactory; import COM.claymoresystems.sslg.*; import COM.claymoresystems.ptls.*; import COM.claymoresystems.cert.*; /* PureTLSSupport Concrete implementation class for PureTLS Support classes. 
This will only work with JDK 1.2 and up since it depends on JDK 1.2's certificate support @author EKR */ class PureTLSSupport implements SSLSupport { private SSLSocket ssl; PureTLSSupport(SSLSocket sock){ ssl=sock; } public String getCipherSuite() throws IOException { int cs=ssl.getCipherSuite(); return SSLPolicyInt.getCipherSuiteName(cs); } public java.security.cert.Certificate[] getPeerCertificateChain() throws IOException { Vector v=ssl.getCertificateChain(); if(v==null) return null; java.security.cert.X509Certificate[] chain= new java.security.cert.X509Certificate[v.size()]; try { for(int i=1;i<=v.size();i++){ // PureTLS provides cert chains with the peer // cert last but the Servlet 2.3 spec (S 4.7) requires // the opposite order so we reverse the chain as we go byte buffer[]=((X509Cert)v.elementAt( v.size()-i)).getDER(); CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream stream = new ByteArrayInputStream(buffer); chain[i]=(java.security.cert.X509Certificate) cf.generateCertificate(stream); } } catch (java.security.cert.CertificateException e) { throw new IOException("JDK's broken cert handling can't parse this certificate (which PureTLS likes"); } return chain; } } 1.1 jakarta-tomcat/src/share/org/apache/tomcat/util/net/SSLImplementation.java Index: SSLImplementation.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. 
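Review bot: In `getPeerCertificateChain`, the loop runs `i` from 1 to `v.size()` but stores into `chain[i]`, so `chain[0]` is never filled and the last iteration throws ArrayIndexOutOfBoundsException on an array sized `v.size()`; the store should be `chain[i-1]=(java.security.cert.X509Certificate) cf.generateCertificate(stream);`. Combined with the existing `v.elementAt(v.size()-i)` that keeps the peer certificate at index 0, as the comment intends. `CertificateFactory.getInstance("X.509")` is loop-invariant and can be created once above the `for`. The catch discards the CertificateException entirely; appending `e.getMessage()` to the IOException text would make a malformed client certificate diagnosable from the log rather than reported as a generic parse failure.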
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. 
For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.util.net; import java.io.*; import java.net.*; /* SSLImplementation: Abstract factory and base class for all SSL implementations. @author EKR */ abstract public class SSLImplementation { // The default implementations in our search path private static final String PureTLSImplementationClass= "org.apache.tomcat.util.net.PureTLSImplementation"; private static final String JSSEImplementationClass= "org.apache.tomcat.util.net.JSSEImplementation"; private static final String[] implementations= { PureTLSImplementationClass, JSSEImplementationClass }; public static SSLImplementation getInstance() throws ClassNotFoundException { for(int i=0;i<implementations.length;i++){ try { SSLImplementation impl= getInstance(implementations[i]); return impl; } catch (Exception e) { // Ignore } } // If we can't instantiate any of these throw new ClassNotFoundException("Can't find any SSL implementation"); } public static SSLImplementation getInstance(String className) throws ClassNotFoundException { if(className==null) return getInstance(); try { Class clazz=Class.forName(className); return (SSLImplementation)clazz.newInstance(); } catch (Exception e){ throw new ClassNotFoundException("Error loading SSL Implementation " +className+ " :" +e.toString()); } } abstract public String getImplementationName(); abstract public ServerSocketFactory getServerSocketFactory(); abstract public SSLSupport getSSLSupport(Socket sock); } 1.1 jakarta-tomcat/src/share/org/apache/tomcat/util/net/SSLSupport.java Index: SSLSupport.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. 
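Review bot: `getInstance()` discards every exception in the probe loop (`// Ignore`) and then reports only "Can't find any SSL implementation", so an SSL provider class that is present but fails to initialise is indistinguishable from one that is absent, and the silent fallback from PureTLS to JSSE leaves no trace. Keep the last failure and report it: declare `Exception last=null;` before the loop, set `last=e;` in the catch, and throw `new ClassNotFoundException("Can't find any SSL implementation: " + last);`. The class comment is written as `/* ... */` rather than `/** ... */`, so it is not picked up as Javadoc; the same applies to PureTLSSupport and SSLSupport. That Javadoc should also state that PureTLS is preferred over JSSE whenever both are loadable, since the order of `implementations` fixes that choice.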
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. 
IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.util.net; import java.io.*; import java.net.*; /* SSLSupport Interface for SSL-specific functions @author EKR */ public interface SSLSupport { public String getCipherSuite() throws IOException; public java.security.cert.Certificate[] getPeerCertificateChain() throws IOException; /** * Get the keysize. * * What we're supposed to put here is ill-defined by the * Servlet spec (S 4.7 again). There are at least 4 potential * values that might go here: * * (a) The size of the encryption key * (b) The size of the MAC key * (c) The size of the key-exchange key * (d) The size of the signature key used by the server * * Unfortunately, all of these values are nonsensical. **/ }
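Review bot: The Javadoc block at the end of `SSLSupport` ("Get the keysize.") documents a method the interface never declares, so it is attached to nothing and leaves the key-size question unresolved for implementors; either declare the accessor it describes or turn it into a plain comment explaining why none is provided. The two methods that are declared carry no documentation; `getPeerCertificateChain` in particular should state its contract, e.g. `/** Returns the peer's certificate chain with the peer certificate first (Servlet 2.3, S 4.7), or null when the client presented none. */`, since the ordering rule currently lives only in a comment inside PureTLSSupport. The interface comment should be `/** ... */` so it is emitted as Javadoc.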