Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/01/30 10:36:11 UTC
svn commit: r1655972 - in /tomcat/trunk/java/org/apache: coyote/http11/
tomcat/util/net/ tomcat/util/net/jsse/
Author: markt
Date: Fri Jan 30 09:36:10 2015
New Revision: 1655972
URL: http://svn.apache.org/r1655972
Log:
Push the remaining action down to the SocketWrapper
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java
tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SocketWrapperBase.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1655972&r1=1655971&r2=1655972&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Fri Jan 30 09:36:10 2015
@@ -980,8 +980,25 @@ public abstract class AbstractHttp11Proc
}
break;
}
- default: {
- actionInternal(actionCode, param);
+ case REQ_SSL_CERTIFICATE: {
+ if (sslSupport != null && socketWrapper.getSocket() != null) {
+ // Consume and buffer the request body, so that it does not
+ // interfere with the client's handshake messages
+ InputFilter[] inputFilters = getInputBuffer().getFilters();
+ ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(
+ maxSavePostSize);
+ getInputBuffer().addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+
+ try {
+ socketWrapper.doClientAuth(sslSupport);
+ Object sslO = sslSupport.getPeerCertificateChain();
+ if (sslO != null) {
+ request.setAttribute(SSLSupport.CERTIFICATE_KEY, sslO);
+ }
+ } catch (IOException ioe) {
+ getLog().warn(sm.getString("http11processor.socket.ssl"), ioe);
+ }
+ }
break;
}
}
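Review bot: The `catch (IOException ioe)` around `doClientAuth` and `getPeerCertificateChain()` is narrower than the `catch (Exception e)` the removed connector-specific code used, so a non-IO failure during the renegotiation path (for example the `(JSSESupport)` cast performed inside the NIO/NIO2 `doClientAuth` implementations) now propagates out of `action()` instead of being logged under `http11processor.socket.ssl`. If that is intentional it deserves a short comment on the catch; otherwise `catch (Exception e)` preserves the previous behaviour. The guard `socketWrapper.getSocket() != null` also replaces the APR check `socketRef != 0`, which may not be equivalent if the APR wrapper holds a `Long` of value 0 rather than null. The enclosing `action()` switch starts and ends outside this hunk.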
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java?rev=1655972&r1=1655971&r2=1655972&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java Fri Jan 30 09:36:10 2015
@@ -16,19 +16,10 @@
*/
package org.apache.coyote.http11;
-import java.io.ByteArrayInputStream;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-
import org.apache.coyote.ActionCode;
-import org.apache.coyote.http11.filters.BufferedInputFilter;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
-import org.apache.tomcat.jni.SSL;
-import org.apache.tomcat.jni.SSLSocket;
import org.apache.tomcat.util.net.AbstractEndpoint;
-import org.apache.tomcat.util.net.AprEndpoint;
-import org.apache.tomcat.util.net.SSLSupport;
/**
@@ -64,50 +55,7 @@ public class Http11AprProcessor extends
* @param param Action parameter
*/
@Override
- @SuppressWarnings("incomplete-switch") // Other cases are handled by action()
public void actionInternal(ActionCode actionCode, Object param) {
-
- long socketRef = socketWrapper.getSocket().longValue();
-
- switch (actionCode) {
- case REQ_SSL_CERTIFICATE: {
- if (endpoint.isSSLEnabled() && (socketRef != 0)) {
- // Consume and buffer the request body, so that it does not
- // interfere with the client's handshake messages
- InputFilter[] inputFilters = getInputBuffer().getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
- getInputBuffer().addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
- try {
- // Configure connection to require a certificate
- SSLSocket.setVerify(socketRef, SSL.SSL_CVERIFY_REQUIRE,
- ((AprEndpoint)endpoint).getSSLVerifyDepth());
- // Renegotiate certificates
- if (SSLSocket.renegotiate(socketRef) == 0) {
- // Don't look for certs unless we know renegotiation worked.
- // Get client certificate and the certificate chain if present
- // certLength == -1 indicates an error
- int certLength = SSLSocket.getInfoI(socketRef,SSL.SSL_INFO_CLIENT_CERT_CHAIN);
- byte[] clientCert = SSLSocket.getInfoB(socketRef, SSL.SSL_INFO_CLIENT_CERT);
- X509Certificate[] certs = null;
- if (clientCert != null && certLength > -1) {
- certs = new X509Certificate[certLength + 1];
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- certs[0] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCert));
- for (int i = 0; i < certLength; i++) {
- byte[] data = SSLSocket.getInfoB(socketRef, SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
- certs[i+1] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(data));
- }
- }
- if (certs != null) {
- request.setAttribute(SSLSupport.CERTIFICATE_KEY, certs);
- }
- }
- } catch (Exception e) {
- log.warn(sm.getString("http11processor.socket.ssl"), e);
- }
- }
- break;
- }
- }
+ // Unused
}
}
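Review bot: `actionInternal` is left as an `@Override` whose body is only `// Unused`, and the first hunk removes the `default:` branch that delegated to it, so unless there is another caller outside these hunks this method (here and in the Http11Nio2Processor and Http11NioProcessor hunks) is dead code; the method and its abstract declaration could be dropped rather than kept as empty overrides. If it is kept as an extension point, the Javadoc above it (outside the hunk) should say so, e.g. `// Hook for connector-specific actions; none currently required.`.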
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java?rev=1655972&r1=1655971&r2=1655972&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java Fri Jan 30 09:36:10 2015
@@ -16,19 +16,11 @@
*/
package org.apache.coyote.http11;
-import java.io.IOException;
-
-import javax.net.ssl.SSLEngine;
-
import org.apache.coyote.ActionCode;
-import org.apache.coyote.http11.filters.BufferedInputFilter;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.Nio2Channel;
-import org.apache.tomcat.util.net.Nio2Endpoint;
-import org.apache.tomcat.util.net.SSLSupport;
-import org.apache.tomcat.util.net.SecureNio2Channel;
/**
@@ -61,48 +53,7 @@ public class Http11Nio2Processor extends
* @param param Action parameter
*/
@Override
- @SuppressWarnings("incomplete-switch") // Other cases are handled by action()
public void actionInternal(ActionCode actionCode, Object param) {
-
- switch (actionCode) {
- case REQ_SSL_CERTIFICATE: {
- if (sslSupport != null && socketWrapper.getSocket() != null) {
- /*
- * Consume and buffer the request body, so that it does not
- * interfere with the client's handshake messages
- */
- InputFilter[] inputFilters = getInputBuffer().getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- getInputBuffer().addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
- SecureNio2Channel sslChannel = (SecureNio2Channel) socketWrapper.getSocket();
- SSLEngine engine = sslChannel.getSslEngine();
- if (!engine.getNeedClientAuth()) {
- // Need to re-negotiate SSL connection
- engine.setNeedClientAuth(true);
- try {
- sslChannel.rehandshake();
- sslSupport = ((Nio2Endpoint)endpoint).getHandler()
- .getSslImplementation().getSSLSupport(
- engine.getSession());
- } catch (IOException ioe) {
- log.warn(sm.getString("http11processor.socket.sslreneg"), ioe);
- }
- }
-
- try {
- Object sslO = sslSupport.getPeerCertificateChain();
- if( sslO != null) {
- request.setAttribute
- (SSLSupport.CERTIFICATE_KEY, sslO);
- }
- } catch (Exception e) {
- log.warn(sm.getString("http11processor.socket.ssl"), e);
- }
- }
- break;
- }
- }
+ // Unused
}
}
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java?rev=1655972&r1=1655971&r2=1655972&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java Fri Jan 30 09:36:10 2015
@@ -16,19 +16,11 @@
*/
package org.apache.coyote.http11;
-import java.io.IOException;
-
-import javax.net.ssl.SSLEngine;
-
import org.apache.coyote.ActionCode;
-import org.apache.coyote.http11.filters.BufferedInputFilter;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.NioChannel;
-import org.apache.tomcat.util.net.NioEndpoint;
-import org.apache.tomcat.util.net.SSLSupport;
-import org.apache.tomcat.util.net.SecureNioChannel;
/**
@@ -63,48 +55,7 @@ public class Http11NioProcessor extends
* @param param Action parameter
*/
@Override
- @SuppressWarnings("incomplete-switch") // Other cases are handled by action()
public void actionInternal(ActionCode actionCode, Object param) {
-
- switch (actionCode) {
- case REQ_SSL_CERTIFICATE: {
- if (sslSupport != null) {
- /*
- * Consume and buffer the request body, so that it does not
- * interfere with the client's handshake messages
- */
- InputFilter[] inputFilters = getInputBuffer().getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- getInputBuffer().addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
- SecureNioChannel sslChannel = (SecureNioChannel) socketWrapper.getSocket();
- SSLEngine engine = sslChannel.getSslEngine();
- if (!engine.getNeedClientAuth()) {
- // Need to re-negotiate SSL connection
- engine.setNeedClientAuth(true);
- try {
- sslChannel.rehandshake(endpoint.getSoTimeout());
- sslSupport = ((NioEndpoint)endpoint).getHandler()
- .getSslImplementation().getSSLSupport(
- engine.getSession());
- } catch (IOException ioe) {
- log.warn(sm.getString("http11processor.socket.sslreneg",ioe));
- }
- }
-
- try {
- Object sslO = sslSupport.getPeerCertificateChain();
- if( sslO != null) {
- request.setAttribute
- (SSLSupport.CERTIFICATE_KEY, sslO);
- }
- } catch (Exception e) {
- log.warn(sm.getString("http11processor.socket.ssl"), e);
- }
- }
- break;
- }
- }
+ // Unused
}
}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1655972&r1=1655971&r2=1655972&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri Jan 30 09:36:10 2015
@@ -2749,5 +2749,15 @@ public class AprEndpoint extends Abstrac
log.warn(sm.getString("endpoint.warn.noLocalPort"), e);
}
}
+
+
+ @Override
+ public void doClientAuth(SSLSupport sslSupport) {
+ long socket = getSocket().longValue();
+ // Configure connection to require a certificate
+ SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE,
+ ((AprEndpoint)getEndpoint()).getSSLVerifyDepth());
+ SSLSocket.renegotiate(socket);
+ }
}
}
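Review bot: `SSLSocket.renegotiate(socket)` at the end of `doClientAuth` has its return value discarded, whereas the removed APR processor code only looked for client certificates when `renegotiate(socketRef) == 0` ("Don't look for certs unless we know renegotiation worked"). With a void method the caller cannot tell that renegotiation failed and will go on to call `getPeerCertificateChain()` regardless. A minimal fix is to keep the check and report it, e.g. `if (SSLSocket.renegotiate(socket) != 0) { log.warn(sm.getString("endpoint.warn.sslRenegotiationFailed" /* placeholder key */)); }`, or to declare `throws IOException` on the method and throw so the caller's existing `catch (IOException ioe)` handles it.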
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java?rev=1655972&r1=1655971&r2=1655972&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java Fri Jan 30 09:36:10 2015
@@ -54,6 +54,7 @@ import org.apache.tomcat.util.ExceptionU
import org.apache.tomcat.util.buf.ByteBufferHolder;
import org.apache.tomcat.util.collections.SynchronizedStack;
import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
+import org.apache.tomcat.util.net.jsse.JSSESupport;
import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
/**
@@ -1416,6 +1417,23 @@ public class Nio2Endpoint extends Abstra
localPort = ((InetSocketAddress) socketAddress).getPort();
}
}
+
+
+ @Override
+ public void doClientAuth(SSLSupport sslSupport) {
+ SecureNio2Channel sslChannel = (SecureNio2Channel) getSocket();
+ SSLEngine engine = sslChannel.getSslEngine();
+ if (!engine.getNeedClientAuth()) {
+ // Need to re-negotiate SSL connection
+ engine.setNeedClientAuth(true);
+ try {
+ sslChannel.rehandshake();
+ ((JSSESupport) sslSupport).setSession(engine.getSession());
+ } catch (IOException ioe) {
+ log.warn(sm.getString("http11processor.socket.sslreneg"), ioe);
+ }
+ }
+ }
}
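Review bot: The log call at `log.warn(sm.getString("http11processor.socket.sslreneg"), ioe)` uses a message key that belonged to the `org.apache.coyote.http11` string bundle, but this code now lives in `org.apache.tomcat.util.net`; unless `sm` in Nio2Endpoint resolves the same bundle, the lookup will miss and a placeholder message is logged. The same applies to the NioEndpoint hunk. The `(JSSESupport) sslSupport` cast also hard-wires this method to one `SSLSupport` implementation; a guard such as `if (sslSupport instanceof JSSESupport) { ((JSSESupport) sslSupport).setSession(engine.getSession()); }` or a comment explaining why the cast is safe would make the assumption explicit.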
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1655972&r1=1655971&r2=1655972&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Fri Jan 30 09:36:10 2015
@@ -55,6 +55,7 @@ import org.apache.tomcat.util.Introspect
import org.apache.tomcat.util.collections.SynchronizedQueue;
import org.apache.tomcat.util.collections.SynchronizedStack;
import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
+import org.apache.tomcat.util.net.jsse.JSSESupport;
import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
/**
@@ -1604,6 +1605,23 @@ public class NioEndpoint extends Abstrac
protected void populateLocalPort() {
localPort = getSocket().getIOChannel().socket().getLocalPort();
}
+
+
+ @Override
+ public void doClientAuth(SSLSupport sslSupport) {
+ SecureNioChannel sslChannel = (SecureNioChannel) getSocket();
+ SSLEngine engine = sslChannel.getSslEngine();
+ if (!engine.getNeedClientAuth()) {
+ // Need to re-negotiate SSL connection
+ engine.setNeedClientAuth(true);
+ try {
+ sslChannel.rehandshake(getEndpoint().getSoTimeout());
+ ((JSSESupport) sslSupport).setSession(engine.getSession());
+ } catch (IOException ioe) {
+ log.warn(sm.getString("http11processor.socket.sslreneg",ioe));
+ }
+ }
+ }
}
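Review bot: `log.warn(sm.getString("http11processor.socket.sslreneg",ioe))` passes the exception as a format argument instead of as the throwable parameter, so the stack trace of the failed renegotiation is lost and the message gets a formatted exception string it probably has no placeholder for; the Nio2Endpoint hunk does this correctly. Change it to `log.warn(sm.getString("http11processor.socket.sslreneg"), ioe);`. This was carried over from the removed Http11NioProcessor code rather than introduced here.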
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SocketWrapperBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SocketWrapperBase.java?rev=1655972&r1=1655971&r2=1655972&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SocketWrapperBase.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SocketWrapperBase.java Fri Jan 30 09:36:10 2015
@@ -616,6 +616,15 @@ public abstract class SocketWrapperBase<
*/
public abstract SendfileState processSendfile(SendfileDataBase sendfileData);
+ /**
+ * Require the client to perform CLIENT-CERT authentication if it hasn't
+ * already done so.
+ *
+ * @param sslSupport The SSL/TLS support instance currently being used by
+ * the connection that may need updating after the client
+ * authentication
+ */
+ public abstract void doClientAuth(SSLSupport sslSupport);
// --------------------------------------------------------- Utility methods
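Review bot: The abstract `doClientAuth(SSLSupport sslSupport)` gives implementations no way to report that the renegotiation failed, so the APR implementation can only drop the result and the NIO implementations can only log and continue, after which the caller still reads the peer certificate chain. Declaring `public abstract void doClientAuth(SSLSupport sslSupport) throws IOException;` would let implementations propagate the failure to the `catch (IOException ioe)` that already wraps the call in AbstractHttp11Processor, and the Javadoc should then gain `@throws IOException if the client authentication handshake could not be completed`. The Javadoc could also state that implementations may mutate `sslSupport` (the NIO ones replace its session), since callers must not assume it is left untouched.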
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java?rev=1655972&r1=1655971&r2=1655972&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Fri Jan 30 09:36:10 2015
@@ -45,8 +45,7 @@ import org.apache.tomcat.util.res.String
Parts cribbed from JSSECertCompat
Parts cribbed from CertificatesValve
*/
-
-class JSSESupport implements SSLSupport, SSLSessionManager {
+public class JSSESupport implements SSLSupport, SSLSessionManager {
private static final Log log = LogFactory.getLog(JSSESupport.class);
@@ -171,6 +170,11 @@ class JSSESupport implements SSLSupport,
}
+ public void setSession(SSLSession session) {
+ this.session = session;
+ }
+
+
/**
* Invalidate the session this support object is associated with.
*/
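Review bot: `setSession(SSLSession session)` is a new public method on a class that has just been made public, yet it has no Javadoc and accepts `null`; since the existing methods read `session`, a `null` here would surface later as a `NullPointerException` far from the call site. Suggest `Objects.requireNonNull(session, "session")` (or a documented null contract) and a Javadoc along the lines of `/** Replaces the session this instance reports on, e.g. after a renegotiation that requested client authentication. */`. Whether any other state in this class is derived from the old session and would need resetting cannot be told from this hunk.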