You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/02/14 12:50:06 UTC

svn commit: r1782956 - in /tomcat/trunk: java/org/apache/tomcat/util/net/SSLHostConfig.java java/org/apache/tomcat/util/net/jsse/JSSEUtil.java webapps/docs/changelog.xml webapps/docs/config/http.xml

Author: markt
Date: Tue Feb 14 12:50:05 2017
New Revision: 1782956

URL: http://svn.apache.org/viewvc?rev=1782956&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60716
Add a new JSSE specific attribute, revocationEnabled, to SSLHostConfig to permit JSSE provider revocation checks to be enabled when no certificateRevocationListFile has been configured. The expectation is that configuration will be performed via a JSSE provider specific mechanisms.

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
    tomcat/trunk/webapps/docs/changelog.xml
    tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1782956&r1=1782955&r2=1782956&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue Feb 14 12:50:05 2017
@@ -93,6 +93,7 @@ public class SSLHostConfig implements Se
     private Set<String> protocols = new HashSet<>();
     // JSSE
     private String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
+    private boolean revocationEnabled = false;
     private int sessionCacheSize = 0;
     private int sessionTimeout = 86400;
     private String sslProtocol = Constants.SSL_PROTO_TLS;
@@ -475,6 +476,17 @@ public class SSLHostConfig implements Se
     }
 
 
+    public void setRevocationEnabled(boolean revocationEnabled) {
+        setProperty("revocationEnabled", Type.JSSE);
+        this.revocationEnabled = revocationEnabled;
+    }
+
+
+    public boolean getRevocationEnabled() {
+        return revocationEnabled;
+    }
+
+
     public void setSessionCacheSize(int sessionCacheSize) {
         setProperty("sessionCacheSize", Type.JSSE);
         this.sessionCacheSize = sessionCacheSize;

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1782956&r1=1782955&r2=1782956&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Tue Feb 14 12:50:05 2017
@@ -258,10 +258,11 @@ public class JSSEUtil extends SSLUtilBas
             checkTrustStoreEntries(trustStore);
             String algorithm = sslHostConfig.getTruststoreAlgorithm();
             String crlf = sslHostConfig.getCertificateRevocationListFile();
+            boolean revocationEnabled = sslHostConfig.getRevocationEnabled();
 
             if ("PKIX".equalsIgnoreCase(algorithm)) {
                 TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
-                CertPathParameters params = getParameters(crlf, trustStore);
+                CertPathParameters params = getParameters(crlf, trustStore, revocationEnabled);
                 ManagerFactoryParameters mfp = new CertPathTrustManagerParameters(params);
                 tmf.init(mfp);
                 tms = tmf.getTrustManagers();
@@ -324,10 +325,15 @@ public class JSSEUtil extends SSLUtilBas
      *
      * @param crlf The path to the CRL file.
      * @param trustStore The configured TrustStore.
+     * @param revocationEnabled Should the JSSE provider perform revocation
+     *                          checks? Ignored if {@code crlf} is non-null.
+     *                          Configuration of revocation checks are expected
+     *                          to be via proprietary JSSE provider methods.
      * @return The parameters including the CRLs and TrustStore.
      * @throws Exception An error occurred
      */
-    protected CertPathParameters getParameters(String crlf, KeyStore trustStore) throws Exception {
+    protected CertPathParameters getParameters(String crlf, KeyStore trustStore,
+            boolean revocationEnabled) throws Exception {
 
         PKIXBuilderParameters xparams =
                 new PKIXBuilderParameters(trustStore, new X509CertSelector());
@@ -338,7 +344,7 @@ public class JSSEUtil extends SSLUtilBas
             xparams.addCertStore(store);
             xparams.setRevocationEnabled(true);
         } else {
-            xparams.setRevocationEnabled(false);
+            xparams.setRevocationEnabled(revocationEnabled);
         }
         xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
         return xparams;

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1782956&r1=1782955&r2=1782956&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Feb 14 12:50:05 2017
@@ -148,6 +148,14 @@
         Ensure that executor thread pools used with connectors pre-start the
         configured minimum number of idle threads. (markt)
       </fix>
+      <fix>
+        <bug>60716</bug>: Add a new JSSE specific attribute,
+        <code>revocationEnabled</code>, to <code>SSLHostConfig</code> to permit
+        JSSE provider revocation checks to be enabled when no
+        <code>certificateRevocationListFile</code> has been configured. The
+        expectation is that configuration will be performed via a JSSE provider
+        specific mechanisms. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1782956&r1=1782955&r2=1782956&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Tue Feb 14 12:50:05 2017
@@ -1249,6 +1249,16 @@
       used.</p>
     </attribute>
 
+    <attribute name="revocationEnabled" required="false">
+      <p>JSSE only.</p>
+      <p>Should the JSSE provider enable certificate revocation checks? If
+      <strong>certificateRevocationListFile</strong> is set then this attribute
+      is ignored and revocation checks are always enabled. This attribute is
+      intended to enable revocation checks that have been configured for the
+      current JSSE provider via other means. If not specified, a default of
+      <code>false</code> is used.</p>
+    </attribute>
+
     <attribute name="sessionCacheSize" required="false">
       <p>JSSE only.</p>
       <p>The number of SSL sessions to maintain in the session cache. Use 0 to



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org