Posted to dev@tomcat.apache.org by re...@apache.org on 2020/05/28 14:37:40 UTC

[tomcat] 01/02: Expose the local certificate through SSLSupport

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 21419a185c457d3b2b76573a56f85f92138b504b
Author: remm <re...@apache.org>
AuthorDate: Thu May 28 16:21:35 2020 +0200

    Expose the local certificate through SSLSupport
    
    To be used for more TLS env support in the rewrite resolver; it cannot
    hurt.
    Using a default since it's an API change and not there with OpenSSL.
---
 java/org/apache/tomcat/util/net/SSLSupport.java       | 11 +++++++++++
 java/org/apache/tomcat/util/net/jsse/JSSESupport.java | 15 +++++++++++++++
 webapps/docs/changelog.xml                            |  4 ++++
 3 files changed, 30 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/SSLSupport.java b/java/org/apache/tomcat/util/net/SSLSupport.java
index 75740f9..f46d266 100644
--- a/java/org/apache/tomcat/util/net/SSLSupport.java
+++ b/java/org/apache/tomcat/util/net/SSLSupport.java
@@ -85,6 +85,17 @@ public interface SSLSupport {
     public X509Certificate[] getPeerCertificateChain() throws IOException;
 
     /**
+     * The server certificate chain (if any) that were sent to the peer.
+     *
+     * @return The certificate chain sent with the server
+     *         certificate first, followed by those of any certificate
+     *         authorities
+     */
+    default public X509Certificate[] getLocalCertificateChain() {
+        return null;
+    }
+
+    /**
      * Get the keysize.
      *
      * What we're supposed to put here is ill-defined by the
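Review bot: The Javadoc on the new `getLocalCertificateChain()` default does not say that the result may be `null`, yet `null` is exactly what the default body returns, so any caller (the rewrite resolver mentioned in the commit message) that indexes the array without a check will fail on every `SSLSupport` implementation that has not overridden the method, apparently including the OpenSSL-backed one. Extend the `@return` with `, or {@code null} if no local certificate chain is available; the default implementation always returns {@code null}`. While there, `that were sent` should read `that was sent`, and `public` is redundant on an interface member, so `default X509Certificate[] getLocalCertificateChain()` says the same with less noise.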
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSESupport.java b/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
index 98c6eb9..0ca7ba7 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
@@ -21,6 +21,7 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -87,6 +88,14 @@ public class JSSESupport implements SSLSupport, SSLSessionManager {
     }
 
     @Override
+    public X509Certificate[] getLocalCertificateChain() {
+        if (session == null) {
+            return null;
+        }
+        return convertCertificates(session.getLocalCertificates());
+    }
+
+    @Override
     public java.security.cert.X509Certificate[] getPeerCertificateChain() throws IOException {
         // Look up the current SSLSession
         if (session == null)
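Review bot: The new `getLocalCertificateChain()` declares its return type with the freshly imported `X509Certificate`, while the adjacent `getPeerCertificateChain()` and the new `convertCertificates` helper in the following hunk keep spelling the same type as `java.security.cert.X509Certificate[]`; the class now mixes both forms for one type, and the fully qualified spelling was presumably deliberate given that `javax.security.cert.X509Certificate` also exists in this area. Either use the import in all three touched signatures or drop it and write `public java.security.cert.X509Certificate[] getLocalCertificateChain()` here. The `null` that `SSLSession.getLocalCertificates()` returns when nothing was sent to the peer is handled by the `if( certs==null ) return null;` guard in the helper, so no extra check is needed on this side, but a one-line comment on the `session == null` branch such as `// no SSLSession yet, so nothing has been sent to the peer` would make the contract readable without jumping to the interface. `getPeerCertificateChain()` continues past the end of this hunk.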
@@ -99,6 +108,12 @@ public class JSSESupport implements SSLSupport, SSLSessionManager {
             log.debug(sm.getString("jsseSupport.clientCertError"), t);
             return null;
         }
+
+        return convertCertificates(certs);
+    }
+
+
+    private static java.security.cert.X509Certificate[] convertCertificates(Certificate[] certs) {
         if( certs==null ) return null;
 
         java.security.cert.X509Certificate [] x509Certs =
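Review bot: Two blank lines separate the closing brace of `getPeerCertificateChain()` from the new `convertCertificates` signature, where the rest of the class (see the members above) uses a single blank line between members; drop one. The extracted helper is now shared by two public methods but carries no Javadoc; a minimal one grounded in the visible lines would be `/** Converts the given certificates to {@code java.security.cert.X509Certificate}s; returns {@code null} for a {@code null} input. */`. The helper's body runs past the end of this hunk, so its error handling could not be reviewed here.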
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 4f160b4..94f6836 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -83,6 +83,10 @@
         <bug>64467</bug>: Improve performance of closing idle HTTP/2 streams.
         (markt)
       </fix>
+      <update>
+        Expose server certificate through the <code>SSLSupport</code>
+        interface. (remm)
+      </update>
     </changelog>
   </subsection>
   <subsection name="WebSocket">

