billbarker    2002/09/20 21:39:33

  Modified:    util/java/org/apache/tomcat/util/net JSSESupport.java
                        PureTLSSupport.java SSLSupport.java
  Log:
  Initial support for forcing a client-cert renegotiation.
  
  Eric should probably review the PureTLS stuff.  My commit is based on what I can see 
from the source.
  
  Revision  Changes    Path
  1.4       +22 -6     
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/JSSESupport.java
  
  Index: JSSESupport.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/JSSESupport.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- JSSESupport.java  29 Apr 2002 00:05:32 -0000      1.3
  +++ JSSESupport.java  21 Sep 2002 04:39:33 -0000      1.4
  @@ -77,8 +77,9 @@
      depends on JDK 1.2's certificate support
   
      @author EKR
  -
  +   @author Craig R. McClanahan
      Parts cribbed from JSSECertCompat       
  +   Parts cribbed from CertificatesValve
   */
   
   class JSSESupport implements SSLSupport {
  @@ -98,9 +99,13 @@
           return session.getCipherSuite();
       }
   
  -    public Object[] getPeerCertificateChain()
  -    throws IOException
  -    {
  +    public Object[] getPeerCertificateChain() 
  +     throws IOException {
  +     return getPeerCertificateChain(false);
  +    }
  +
  +    public Object[] getPeerCertificateChain(boolean force)
  +     throws IOException {
           // Look up the current SSLSession
           SSLSession session = ssl.getSession();
           if (session == null)
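Review bot: The new public overload `getPeerCertificateChain(boolean force)` has no Javadoc, even though `force=true` changes what the method does to the socket (it starts a fresh TLS handshake with client auth required) and what callers can get back. A header such as `/** Returns the peer chain; with force=true the connection is renegotiated with needClientAuth set, so a client that sends no certificate fails the handshake and an IOException is thrown rather than null returned. */` would tell callers what they are opting into. The method body continues past the end of the hunk.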
  @@ -113,6 +118,15 @@
               jsseCerts = session.getPeerCertificateChain();
               if (jsseCerts == null)
                   jsseCerts = new X509Certificate[0];
  +         if(jsseCerts.length <= 0 && force) {
  +             session.invalidate();
  +             ssl.setNeedClientAuth(true);
  +             ssl.startHandshake();
  +             session = ssl.getSession();
  +             jsseCerts = session.getPeerCertificateChain();
  +             if(jsseCerts == null)
  +                 jsseCerts = new X509Certificate[0];
  +         }
               x509Certs =
                 new java.security.cert.X509Certificate[jsseCerts.length];
               for (int i = 0; i < x509Certs.length; i++) {
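Review bot: The session fetched after the forced handshake at `session = ssl.getSession();` is dereferenced on the next line without the null guard the first lookup gets (`if (session == null)` just before this hunk), so a renegotiation that yields no session becomes a NullPointerException that the method's `catch (Throwable t)` converts into a silent null; mirror the earlier guard with `session = ssl.getSession(); if (session == null) return null;` (or whatever the earlier branch does). `ssl.setNeedClientAuth(true)` is also never undone, so the socket stays in mandatory-client-auth mode for any later handshake on it; if that is intended, say so with `// socket remains in needClientAuth mode after this call`. Note that under `setNeedClientAuth(true)` a client that declines to send a certificate fails the handshake and `startHandshake()` throws, which now propagates as an IOException, so `force=true` callers must expect an exception and not just an empty chain. The enclosing method starts and ends outside this hunk.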
  @@ -124,8 +138,10 @@
                   x509Certs[i] = (java.security.cert.X509Certificate)
                     cf.generateCertificate(stream);
               }
  -        } catch (Throwable t) {
  -            return null;
  +     } catch (IOException iex) {
  +         throw iex;
  +     } catch (Throwable t) {
  +         return null;
           }
   
           if ((x509Certs == null) || (x509Certs.length < 1))
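Review bot: `SSLPeerUnverifiedException` is an `IOException` (it extends `SSLException`), so the new `catch (IOException iex) { throw iex; }` now rethrows the exception that `session.getPeerCertificateChain()` raises when the peer presented no certificate; before this change that case fell into `catch (Throwable t)` and returned null, which the `x509Certs == null` test right after the hunk still caters for. Unless a plain no-client-cert connection is meant to surface as an exception to callers of the zero-arg variant, add `catch (SSLPeerUnverifiedException e) { return null; }` ahead of the `IOException` clause (the file's imports are outside this view, so `javax.net.ssl.SSLPeerUnverifiedException` may need importing). Returning null on every other `Throwable` still hides real failures such as certificate-parsing errors; at minimum log `t` before returning. The enclosing method continues past the hunk.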
  
  
  
  1.5       +15 -2     
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/PureTLSSupport.java
  
  Index: PureTLSSupport.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/PureTLSSupport.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- PureTLSSupport.java       29 Apr 2002 00:05:32 -0000      1.4
  +++ PureTLSSupport.java       21 Sep 2002 04:39:33 -0000      1.5
  @@ -94,9 +94,22 @@
       }
   
       public Object[] getPeerCertificateChain()
  -        throws IOException
  -    {
  +        throws IOException {
  +     return getPeerCertificateChain(false);
  +    }
  +
  +    public Object[] getPeerCertificateChain(boolean force)
  +        throws IOException {
           Vector v=ssl.getCertificateChain();
  +
  +     if(v == null && force) {
  +         SSLPolicyInt policy=new SSLPolicyInt();
  +         policy.requireClientAuth(true);
  +         policy.handshakeOnConnect(false);
  +         policy.waitOnClose(false);
  +         ssl.renegotiate(policy);
  +         v = ssl.getCertificateChain();
  +     }
   
           if(v==null)
               return null;
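Review bot: The renegotiation policy built at `SSLPolicyInt policy=new SSLPolicyInt();` is a fresh default object with only `requireClientAuth`, `handshakeOnConnect` and `waitOnClose` set, so it does not carry over whatever trust roots, cipher-suite list or other constraints the original connection's policy applied; I cannot tell from this hunk whether `ssl.renegotiate(policy)` inherits those from the context or whether a default policy would validate the client certificate against a different (possibly empty) root set. Since the commit message already asks for a PureTLS review, that is the question to settle, and if the API allows it the policy should be derived from the server's configured one rather than constructed from scratch. The trigger `v == null && force` also differs from the JSSE variant, which forces on an empty chain too; if `getCertificateChain()` can return an empty `Vector`, `(v == null || v.isEmpty()) && force` keeps the two implementations in step. The enclosing method continues past the hunk.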
  
  
  
  1.4       +8 -0      
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/SSLSupport.java
  
  Index: SSLSupport.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/SSLSupport.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- SSLSupport.java   29 Apr 2002 00:05:32 -0000      1.3
  +++ SSLSupport.java   21 Sep 2002 04:39:33 -0000      1.4
  @@ -119,6 +119,14 @@
           throws IOException;
   
       /**
  +     * The client certificate chain (if any).
  +     * @param force If <code>true</code>, then re-negotiate the 
  +     *              connection if necessary.
  +     */
  +    public Object[] getPeerCertificateChain(boolean force)
  +        throws IOException;
  +
  +    /**
        * Get the keysize.
        *
        * What we're supposed to put here is ill-defined by the
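Review bot: The new Javadoc describes `force` but not what the method returns when no certificate is available or when the forced renegotiation fails, which is precisely what callers need to distinguish. Add `@return the client chain, or <code>null</code> if the peer presented no certificate` (as both implementations in this commit do) and `@throws IOException if the renegotiation or certificate retrieval fails`, and state that `force=true` may start a new TLS handshake on the underlying connection, since that side effect is not obvious from the signature.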
  
  
  
