Posted to dev@tomcat.apache.org by jf...@apache.org on 2015/11/23 07:43:01 UTC

svn commit: r1715732 - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java

Author: jfclere
Date: Mon Nov 23 06:43:01 2015
New Revision: 1715732

URL: http://svn.apache.org/viewvc?rev=1715732&view=rev
Log:
Add the JSSE one.

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java?rev=1715732&r1=1715731&r2=1715732&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java Mon Nov 23 06:43:01 2015
@@ -16,11 +16,15 @@
  */
 package org.apache.tomcat.util.net.openssl;
 
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.security.KeyStore;
 import java.util.List;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLSessionContext;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
 
 import org.apache.tomcat.util.net.SSLContext;
 import org.apache.tomcat.util.net.SSLHostConfig;
@@ -54,10 +58,40 @@ public class OpenSSLUtil implements SSLU
         return managers;
     }
 
+    /* In fact we can use the JSSE one for the moment */
     @Override
     public TrustManager[] getTrustManagers() throws Exception {
-        return null;
+    	String storefile = System.getProperty("java.home") + "/lib/security/cacerts";
+        String password = "changeit";
+        String type = "jks";
+        String provider = null;
+        if (sslHostConfig.getTruststoreFile() != null) {
+        	storefile = sslHostConfig.getTruststoreFile();
+        }
+        if (sslHostConfig.getTruststorePassword() != null) {
+        	password = sslHostConfig.getTruststorePassword();
+        }
+        if (sslHostConfig.getTruststoreType() != null) {
+        	type = sslHostConfig.getTruststoreType();
+        }
+        if (sslHostConfig.getTruststoreProvider() != null) {
+        	provider = sslHostConfig.getTruststoreProvider();
+        }
+
+        TrustManagerFactory factory;
+        if (provider == null)
+    	    factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        else
+        	factory = TrustManagerFactory.getInstance(provider);
+        
+    	KeyStore keystore = KeyStore.getInstance(type);
+    	InputStream stream = new FileInputStream(storefile);
+    	keystore.load(stream, password.toCharArray());
+		factory.init(keystore);
+    	TrustManager[] managers = factory.getTrustManagers();
+        return managers;
     }
+    
 
     @Override
     public void configureSessionContext(SSLSessionContext sslSessionContext) {
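Review bot: the truststoreProvider value is passed to TrustManagerFactory.getInstance(provider) as if it were an algorithm name; that method takes a trust manager algorithm (PKIX, SunX509), so a configured provider name such as SUN fails with NoSuchAlgorithmException. Use the configured trust manager algorithm, falling back to TrustManagerFactory.getDefaultAlgorithm(), and hand the provider to the key store instead: KeyStore.getInstance(type, provider). Two more points in the same block: the FileInputStream opened on storefile is never closed, even when keystore.load() throws, so wrap the load in try-with-resources or close the stream in a finally block; and the hard-coded "changeit" fallback also applies when a custom truststoreFile is configured without a truststorePassword, so such a store fails the integrity check instead of loading, whereas passing null to KeyStore.load() when no password is configured loads it with the integrity check skipped.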



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r1715732 - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java

Posted by jean-frederic clere <jf...@gmail.com>.
On 11/23/2015 03:35 PM, Rémy Maucherat wrote:
> 2015-11-23 15:31 GMT+01:00 jean-frederic clere <jf...@gmail.com>:
> 
>> On 11/23/2015 01:56 PM, Konstantin Kolinko wrote:
>>> BTW, a changelog, documentation =?
>>
>> Here I have a small question. In fact it is possible to mix OpenSSL PEM and
>> JSSE keystores; is it something we want to support?
>>
>> I tried it but removed it because I found it very confusing.
>>
>> Thanks for the review I will fix the code later today.
>>
> 
> IMO you don't need to actively break it if it happens to work, but I would
> keep the configuration warning.

OK, I will add some tests to check the mix to prevent nasty things.

Cheers

Jean-Frederic



Re: svn commit: r1715732 - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java

Posted by Rémy Maucherat <re...@apache.org>.
2015-11-23 15:31 GMT+01:00 jean-frederic clere <jf...@gmail.com>:

> On 11/23/2015 01:56 PM, Konstantin Kolinko wrote:
> > BTW, a changelog, documentation =?
>
> Here I have a small question. In fact it is possible to mix OpenSSL PEM and
> JSSE keystores; is it something we want to support?
>
> I tried it but removed it because I found it very confusing.
>
> Thanks for the review I will fix the code later today.
>

IMO you don't need to actively break it if it happens to work, but I would
keep the configuration warning.

Rémy

Re: svn commit: r1715732 - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java

Posted by jean-frederic clere <jf...@gmail.com>.
On 11/23/2015 01:56 PM, Konstantin Kolinko wrote:
> BTW, a changelog, documentation =?

Here I have a small question. In fact it is possible to mix OpenSSL PEM and
JSSE keystores; is it something we want to support?

I tried it but removed it because I found it very confusing.

Thanks for the review I will fix the code later today.

Cheers

Jean-Frederic



Re: svn commit: r1715732 - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java

Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-11-23 9:43 GMT+03:00  <jf...@apache.org>:
> Author: jfclere
> Date: Mon Nov 23 06:43:01 2015
> New Revision: 1715732
>
> URL: http://svn.apache.org/viewvc?rev=1715732&view=rev
> Log:
> Add the JSSE one.
>
> Modified:
>     tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
>
> Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java?rev=1715732&r1=1715731&r2=1715732&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java Mon Nov 23 06:43:01 2015
> @@ -16,11 +16,15 @@
>   */
>  package org.apache.tomcat.util.net.openssl;
>
> +import java.io.FileInputStream;
> +import java.io.InputStream;
> +import java.security.KeyStore;
>  import java.util.List;
>
>  import javax.net.ssl.KeyManager;
>  import javax.net.ssl.SSLSessionContext;
>  import javax.net.ssl.TrustManager;
> +import javax.net.ssl.TrustManagerFactory;
>
>  import org.apache.tomcat.util.net.SSLContext;
>  import org.apache.tomcat.util.net.SSLHostConfig;
> @@ -54,10 +58,40 @@ public class OpenSSLUtil implements SSLU
>          return managers;
>      }
>
> +    /* In fact we can use the JSSE one for the moment */
>      @Override
>      public TrustManager[] getTrustManagers() throws Exception {
> -        return null;
> +       String storefile = System.getProperty("java.home") + "/lib/security/cacerts";
> +        String password = "changeit";
> +        String type = "jks";
> +        String provider = null;
> +        if (sslHostConfig.getTruststoreFile() != null) {
> +               storefile = sslHostConfig.getTruststoreFile();
> +        }
> +        if (sslHostConfig.getTruststorePassword() != null) {
> +               password = sslHostConfig.getTruststorePassword();
> +        }
> +        if (sslHostConfig.getTruststoreType() != null) {
> +               type = sslHostConfig.getTruststoreType();
> +        }
> +        if (sslHostConfig.getTruststoreProvider() != null) {
> +               provider = sslHostConfig.getTruststoreProvider();
> +        }
> +
> +        TrustManagerFactory factory;
> +        if (provider == null)
> +           factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> +        else
> +               factory = TrustManagerFactory.getInstance(provider);

Why "provider" on the above line?
I guess it should be sslHostConfig.getTruststoreAlgorithm()
For example: JSSESocketFactory.getTrustManagers()


> +       KeyStore keystore = KeyStore.getInstance(type);
> +       InputStream stream = new FileInputStream(storefile);

There is a new feature to allow random URLs as storefile.
The code will be

stream = ConfigFileLoader.getInputStream(storefile);

For example: JSSESocketFactory.getStore(...)

> +       keystore.load(stream, password.toCharArray());

It also needs finally {  if (stream != null) stream.close() }.


> +               factory.init(keystore);
> +       TrustManager[] managers = factory.getTrustManagers();
> +        return managers;
>      }
> +
>
>      @Override
>      public void configureSessionContext(SSLSessionContext sslSessionContext) {
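Review bot: the added lines are indented inconsistently (in the committed file the storefile, if-body, factory, keystore and stream lines are tab-indented while the rest of the method uses four spaces, which is why the quoted copy above shows them at odd offsets), and the if/else around the two TrustManagerFactory.getInstance() calls has no braces although the four preceding if blocks do. Normalise to the four-space indentation and braced blocks used by the surrounding code so the diff reviews cleanly.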


BTW, a changelog, documentation =?

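A corrected version of the loading sequence the review above asks for, as an added example that is not the Tomcat code under review and uses only the standard JSSE API (no SSLHostConfig or ConfigFileLoader). It keeps the key store provider and the trust manager algorithm apart, closes the stream with try-with-resources, and passes an unset password through as null instead of a hard-coded default. The class name, the load() parameters and the use of the JRE's own cacerts file as the default input are assumptions of this example; the cacerts path is the same default the patch uses.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not Tomcat code: build JSSE TrustManagers from a trust store.
 * "provider" selects the KeyStore implementation; "algorithm" selects the
 * TrustManagerFactory (PKIX, SunX509, ...). The two are not interchangeable.
 */
public final class TrustStoreLoader {

    public static TrustManager[] load(Path storeFile, char[] password,
                                      String type, String provider, String algorithm)
            throws GeneralSecurityException, IOException {
        // The provider, if configured, belongs to the key store, not to the factory.
        KeyStore store = (provider == null)
                ? KeyStore.getInstance(type)
                : KeyStore.getInstance(type, provider);

        // try-with-resources closes the file even when load() throws.
        try (InputStream in = Files.newInputStream(storeFile)) {
            // A null password loads the store without the integrity check,
            // instead of failing against a guessed default.
            store.load(in, password);
        }

        // The factory is chosen by algorithm; fall back to the JSSE default.
        String alg = (algorithm == null) ? TrustManagerFactory.getDefaultAlgorithm() : algorithm;
        TrustManagerFactory factory = TrustManagerFactory.getInstance(alg);
        factory.init(store);
        return factory.getTrustManagers();
    }

    /** Number of CA certificates the resulting X509TrustManager accepts as issuers. */
    public static int acceptedIssuers(TrustManager[] managers) {
        int n = 0;
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                n += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the running JRE keeps its CA bundle at java.home/lib/security/cacerts.
        Path store = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] password = null;                    // no password configured -> null, not "changeit"
        String type = KeyStore.getDefaultType();   // "jks" or "pkcs12" depending on the JRE
        if (args.length > 0) { store = Paths.get(args[0]); }
        if (args.length > 1) { password = args[1].toCharArray(); }
        if (args.length > 2) { type = args[2]; }

        TrustManager[] managers = load(store, password, type, null, null);
        System.out.println(store + ": " + acceptedIssuers(managers) + " trusted issuers");

        // What the patch does by mistake: a provider name is not a factory algorithm.
        try {
            TrustManagerFactory.getInstance("SUN");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("TrustManagerFactory.getInstance(\"SUN\") -> " + e);
        }
    }
}
```

Run it with no arguments to load the JRE cacerts, or pass a store path, password and type to load a custom trust store; the final block shows why the patch's use of the provider string as the factory argument cannot work.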