billbarker 2002/09/20 21:39:33 Modified: util/java/org/apache/tomcat/util/net JSSESupport.java PureTLSSupport.java SSLSupport.java Log: Initial support for forcing a client-cert renegotiation. Eric should probably review the PureTLS stuff. My commit is based on what I can see from the source. Revision Changes Path 1.4 +22 -6 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/JSSESupport.java Index: JSSESupport.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/JSSESupport.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- JSSESupport.java 29 Apr 2002 00:05:32 -0000 1.3 +++ JSSESupport.java 21 Sep 2002 04:39:33 -0000 1.4 @@ -77,8 +77,9 @@ depends on JDK 1.2's certificate support @author EKR - + @author Craig R. McClanahan Parts cribbed from JSSECertCompat + Parts cribbed from CertificatesValve */ class JSSESupport implements SSLSupport { @@ -98,9 +99,13 @@ return session.getCipherSuite(); } - public Object[] getPeerCertificateChain() - throws IOException - { + public Object[] getPeerCertificateChain() + throws IOException { + return getPeerCertificateChain(false); + } + + public Object[] getPeerCertificateChain(boolean force) + throws IOException { // Look up the current SSLSession SSLSession session = ssl.getSession(); if (session == null) @@ -113,6 +118,15 @@ jsseCerts = session.getPeerCertificateChain(); if (jsseCerts == null) jsseCerts = new X509Certificate[0]; + if(jsseCerts.length <= 0 && force) { + session.invalidate(); + ssl.setNeedClientAuth(true); + ssl.startHandshake(); + session = ssl.getSession(); + jsseCerts = session.getPeerCertificateChain(); + if(jsseCerts == null) + jsseCerts = new X509Certificate[0]; + } x509Certs = new java.security.cert.X509Certificate[jsseCerts.length]; for (int i = 0; i < x509Certs.length; i++) { 
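Review bot: In the new `if(jsseCerts.length <= 0 && force)` branch, `session = ssl.getSession()` is read immediately after `ssl.startHandshake()`, but on an already-connected JSSE socket `startHandshake()` initiates the renegotiation and the new session is only established as subsequent data is read, so `session` here may still be the just-invalidated original and `getPeerCertificateChain()` may then throw `SSLPeerUnverifiedException` (an `IOException`, which the rewritten catch now propagates) rather than return the client's chain; whether the provider in use completes the renegotiation synchronously should be confirmed, and the new `session` should get the same null guard the first lookup has, e.g. `if (session == null) return null;`. Any request body the client has already sent will also sit in front of the handshake messages, so callers must drain pending input before forcing a renegotiation, and `setNeedClientAuth(true)` stays set on the socket for the rest of the connection. Server-initiated renegotiation to demand a client certificate is the pattern later affected by the TLS renegotiation weakness (CVE-2009-3555), so it should only be relied on with a JSSE provider implementing RFC 5746 secure renegotiation. The enclosing method continues outside the hunk.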
@@ -124,8 +138,10 @@ x509Certs[i] = (java.security.cert.X509Certificate) cf.generateCertificate(stream); } - } catch (Throwable t) { - return null; + } catch (IOException iex) { + throw iex; + } catch (Throwable t) { + return null; } if ((x509Certs == null) || (x509Certs.length < 1)) 1.5 +15 -2 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/PureTLSSupport.java Index: PureTLSSupport.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/PureTLSSupport.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- PureTLSSupport.java 29 Apr 2002 00:05:32 -0000 1.4 +++ PureTLSSupport.java 21 Sep 2002 04:39:33 -0000 1.5 @@ -94,9 +94,22 @@ } public Object[] getPeerCertificateChain() - throws IOException - { + throws IOException { + return getPeerCertificateChain(false); + } + + public Object[] getPeerCertificateChain(boolean force) + throws IOException { Vector v=ssl.getCertificateChain(); + + if(v == null && force) { + SSLPolicyInt policy=new SSLPolicyInt(); + policy.requireClientAuth(true); + policy.handshakeOnConnect(false); + policy.waitOnClose(false); + ssl.renegotiate(policy); + v = ssl.getCertificateChain(); + } if(v==null) return null; 1.4 +8 -0 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/SSLSupport.java Index: SSLSupport.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/SSLSupport.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- SSLSupport.java 29 Apr 2002 00:05:32 -0000 1.3 +++ SSLSupport.java 21 Sep 2002 04:39:33 -0000 1.4 
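Review bot: The retained `catch (Throwable t) { return null; }` following the new `catch (IOException iex) { throw iex; }` still turns a `CertificateException` from `cf.generateCertificate(stream)` — a malformed or unparseable client certificate — into the same `null` a caller sees when no certificate was presented, and it also swallows `Error`s. Narrowing it to `catch (java.security.cert.CertificateException ce) { return null; }` (with a log line if a logger is available in this class) keeps the best-effort behaviour without making a bad certificate indistinguishable from "no certificate", while letting anything unexpected propagate. The try block begins outside this hunk, so any other checked exceptions thrown in it should be checked before narrowing.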
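Review bot: The forced renegotiation builds a fresh `SSLPolicyInt()` and sets only `requireClientAuth`, `handshakeOnConnect` and `waitOnClose`, so whatever cipher-suite, protocol-version and trusted-root configuration the connection's original policy carried is not visibly applied to the second handshake; unless PureTLS's policy defaults are at least as strict as the configured one (I cannot tell from the hunk), the renegotiated handshake could accept a client certificate under weaker or different constraints than the first. Deriving the new policy from the connection's existing one and calling only `policy.requireClientAuth(true)` on that copy would avoid the gap, and as the log message itself says, this needs review by someone who knows the PureTLS API. It is also worth confirming that `ssl.renegotiate(policy)` blocks until the handshake completes, since `ssl.getCertificateChain()` is read immediately afterwards and `null` there is reported as "no certificate".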
@@ -119,6 +119,14 @@ throws IOException; /** + * The client certificate chain (if any). + * @param force If <code>true</code>, then re-negotiate the + * connection if necessary. + */ + public Object[] getPeerCertificateChain(boolean force) + throws IOException; + + /** * Get the keysize. * * What we're supposed to put here is ill-defined by the
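Review bot: The new Javadoc for `getPeerCertificateChain(boolean force)` describes what `force` does but not what the caller gets back or how a failed or refused renegotiation is reported, which is the part a caller must handle safely. Suggest adding `@return the peer's certificate chain, or null if the client presented none` (if that matches both implementations) and `@throws IOException if the renegotiation cannot be completed or the client certificate cannot be obtained`, plus a sentence noting that with `force` set a renegotiation is triggered on the live connection and must not be requested while unread request data is pending. The declaring interface continues outside the hunk.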