Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/05/28 17:28:35 UTC

svn commit: r1682261 - in /tomcat/trunk/java/org/apache/tomcat/util/net: AbstractJsseEndpoint.java jsse/JSSEKeyManager.java jsse/JSSESocketFactory.java jsse/NioX509KeyManager.java

Author: markt
Date: Thu May 28 15:28:34 2015
New Revision: 1682261

URL: http://svn.apache.org/r1682261
Log:
JSSEKeyManager and NioX509KeyManager were doing exactly the same thing and we were wrapping KeyManager instances twice. Remove the NioX509KeyManager completely and only wrap once. Also remove unnecessary duplicated Javadoc comments.

Removed:
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/NioX509KeyManager.java
Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1682261&r1=1682260&r2=1682261&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Thu May 28 15:28:34 2015
@@ -16,16 +16,11 @@
  */
 package org.apache.tomcat.util.net;
 
-import java.util.Locale;
-
-import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSessionContext;
-import javax.net.ssl.X509KeyManager;
 
 import org.apache.tomcat.util.net.SSLHostConfig.Type;
-import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
 
 public abstract class AbstractJsseEndpoint<S> extends AbstractEndpoint<S> {
 
@@ -72,9 +67,9 @@ public abstract class AbstractJsseEndpoi
 
             for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
                 SSLUtil sslUtil = sslImplementation.getSSLUtil(sslHostConfig);
+
                 SSLContext sslContext = sslUtil.createSSLContext();
-                sslContext.init(wrap(sslUtil.getKeyManagers(), sslHostConfig),
-                        sslUtil.getTrustManagers(), null);
+                sslContext.init(sslUtil.getKeyManagers(), sslUtil.getTrustManagers(), null);
 
                 SSLSessionContext sessionContext = sslContext.getServerSessionContext();
                 if (sessionContext != null) {
@@ -130,26 +125,6 @@ public abstract class AbstractJsseEndpoi
     }
 
 
-    private KeyManager[] wrap(KeyManager[] managers, SSLHostConfig sslHostConfig) {
-        if (managers==null) return null;
-        KeyManager[] result = new KeyManager[managers.length];
-        for (int i=0; i<result.length; i++) {
-            if (managers[i] instanceof X509KeyManager &&
-                    sslHostConfig.getCertificateKeyAlias() != null) {
-                String keyAlias = sslHostConfig.getCertificateKeyAlias();
-                // JKS keystores always convert the alias name to lower case
-                if ("jks".equalsIgnoreCase(sslHostConfig.getCertificateKeystoreType())) {
-                    keyAlias = keyAlias.toLowerCase(Locale.ENGLISH);
-                }
-                result[i] = new NioX509KeyManager((X509KeyManager) managers[i], keyAlias);
-            } else {
-                result[i] = managers[i];
-            }
-        }
-        return result;
-    }
-
-
     private static class SSLContextWrapper {
 
         private final SSLContext sslContext;

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java?rev=1682261&r1=1682260&r2=1682261&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java Thu May 28 15:28:34 2015
@@ -38,6 +38,7 @@ public final class JSSEKeyManager extend
     private X509KeyManager delegate;
     private String serverKeyAlias;
 
+
     /**
      * Constructor.
      *
@@ -51,137 +52,72 @@ public final class JSSEKeyManager extend
         this.serverKeyAlias = serverKeyAlias;
     }
 
+
     /**
-     * Choose an alias to authenticate the client side of a secure socket,
-     * given the public key type and the list of certificate issuer authorities
-     * recognized by the peer (if any).
-     *
-     * @param keyType The key algorithm type name(s), ordered with the
-     * most-preferred key type first
-     * @param issuers The list of acceptable CA issuer subject names, or null
-     * if it does not matter which issuers are used
-     * @param socket The socket to be used for this connection. This parameter
-     * can be null, in which case this method will return the most generic
-     * alias to use
-     *
-     * @return The alias name for the desired key, or null if there are no
-     * matches
+     * Returns the server key alias that was provided in the constructor or the
+     * result from {@link X509KeyManager#chooseServerAlias(String, Principal[],
+     * Socket)} for the delegate if no alias is specified.
      */
     @Override
-    public String chooseClientAlias(String[] keyType, Principal[] issuers,
-                                    Socket socket) {
-        return delegate.chooseClientAlias(keyType, issuers, socket);
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+        if (serverKeyAlias != null) {
+            return serverKeyAlias;
+        }
+
+        return delegate.chooseServerAlias(keyType, issuers, socket);
     }
 
+
     /**
-     * Returns this key manager's server key alias that was provided in the
-     * constructor.
-     *
-     * @param keyType Ignored
-     * @param issuers Ignored
-     * @param socket Ignored
-     *
-     * @return Alias name for the desired key
+     * Returns the server key alias that was provided in the constructor or the
+     * result from {@link X509ExtendedKeyManager#chooseEngineServerAlias(String,
+     * Principal[], SSLEngine)} for the delegate if no alias is specified.
      */
     @Override
-    public String chooseServerAlias(String keyType, Principal[] issuers,
+    public String chooseEngineServerAlias(String keyType, Principal[] issuers,
+            SSLEngine engine) {
+        if (serverKeyAlias!=null) {
+            return serverKeyAlias;
+        }
+
+        return super.chooseEngineServerAlias(keyType, issuers, engine);
+    }
+
+
+    @Override
+    public String chooseClientAlias(String[] keyType, Principal[] issuers,
                                     Socket socket) {
-        return serverKeyAlias;
+        return delegate.chooseClientAlias(keyType, issuers, socket);
     }
 
-    /**
-     * Returns the certificate chain associated with the given alias.
-     *
-     * @param alias The alias name
-     *
-     * @return Certificate chain (ordered with the user's certificate first
-     * and the root certificate authority last), or null if the alias can't be
-     * found
-     */
+
     @Override
     public X509Certificate[] getCertificateChain(String alias) {
         return delegate.getCertificateChain(alias);
     }
 
-    /**
-     * Get the matching aliases for authenticating the client side of a secure
-     * socket, given the public key type and the list of certificate issuer
-     * authorities recognized by the peer (if any).
-     *
-     * @param keyType The key algorithm type name
-     * @param issuers The list of acceptable CA issuer subject names, or null
-     * if it does not matter which issuers are used
-     *
-     * @return Array of the matching alias names, or null if there were no
-     * matches
-     */
+
     @Override
     public String[] getClientAliases(String keyType, Principal[] issuers) {
         return delegate.getClientAliases(keyType, issuers);
     }
 
-    /**
-     * Get the matching aliases for authenticating the server side of a secure
-     * socket, given the public key type and the list of certificate issuer
-     * authorities recognized by the peer (if any).
-     *
-     * @param keyType The key algorithm type name
-     * @param issuers The list of acceptable CA issuer subject names, or null
-     * if it does not matter which issuers are used
-     *
-     * @return Array of the matching alias names, or null if there were no
-     * matches
-     */
+
     @Override
     public String[] getServerAliases(String keyType, Principal[] issuers) {
         return delegate.getServerAliases(keyType, issuers);
     }
 
-    /**
-     * Returns the key associated with the given alias.
-     *
-     * @param alias The alias name
-     *
-     * @return The requested key, or null if the alias can't be found
-     */
+
     @Override
     public PrivateKey getPrivateKey(String alias) {
         return delegate.getPrivateKey(alias);
     }
 
-    /**
-     * Choose an alias to authenticate the client side of a secure socket,
-     * given the public key type and the list of certificate issuer authorities
-     * recognized by the peer (if any).
-     *
-     * @param keyType The key algorithm type name(s), ordered with the
-     * most-preferred key type first
-     * @param issuers The list of acceptable CA issuer subject names, or null
-     * if it does not matter which issuers are used
-     * @param engine Ignored
-     *
-     * @return The alias name for the desired key, or null if there are no
-     * matches
-     */
+
     @Override
     public String chooseEngineClientAlias(String[] keyType, Principal[] issuers,
             SSLEngine engine) {
         return delegate.chooseClientAlias(keyType, issuers, null);
     }
-
-    /**
-     * Returns this key manager's server key alias that was provided in the
-     * constructor.
-     *
-     * @param keyType Ignored
-     * @param issuers Ignored
-     * @param engine Ignored
-     *
-     * @return Alias name for the desired key
-     */
-    @Override
-    public String chooseEngineServerAlias(String keyType, Principal[] issuers,
-            SSLEngine engine) {
-        return serverKeyAlias;
-    }
 }
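Review bot: The fallback paths of the two server-alias overrides disagree: `chooseServerAlias` falls back to `delegate.chooseServerAlias(...)`, but `chooseEngineServerAlias` falls back to `super.chooseEngineServerAlias(...)`, and the inherited `X509ExtendedKeyManager` implementation returns null instead of consulting the delegate, so with a null `serverKeyAlias` an SSLEngine-based connector would never be offered a server certificate while a socket-based one would. The only visible caller (JSSESocketFactory) wraps only when an alias is configured, so this is latent today, but the class's own `chooseEngineClientAlias` already shows the intended pattern and the same one line would fix it: `return delegate.chooseServerAlias(keyType, issuers, null);`. Separately, a configured `serverKeyAlias` is returned for every `keyType` JSSE asks about, so an alias absent from the keystore or holding a key of a different algorithm is only detected when `getPrivateKey`/`getCertificateChain` return null mid-handshake; checking `delegate.getPrivateKey(serverKeyAlias) != null` in the constructor would fail fast at startup with a clear message rather than as a handshake failure per connection.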

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1682261&r1=1682260&r2=1682261&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Thu May 28 15:28:34 2015
@@ -284,12 +284,17 @@ public class JSSESocketFactory implement
         kmf.init(ks, keyPass.toCharArray());
 
         kms = kmf.getKeyManagers();
+        if (kms == null) {
+            return kms;
+        }
+
         if (keyAlias != null) {
             String alias = keyAlias;
+            // JKS keystores always convert the alias name to lower case
             if ("JKS".equals(keystoreType)) {
                 alias = alias.toLowerCase(Locale.ENGLISH);
             }
-            for(int i=0; i<kms.length; i++) {
+            for(int i = 0; i < kms.length; i++) {
                 kms[i] = new JSSEKeyManager((X509KeyManager)kms[i], alias);
             }
         }
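Review bot: The keystore-type check at `if ("JKS".equals(keystoreType))` is case-sensitive, whereas the `wrap()` method this commit removes from AbstractJsseEndpoint used `equalsIgnoreCase`, so a connector configured with `keystoreType="jks"` (a spelling the JCA accepts when loading the store) no longer gets its alias lower-cased and a mixed-case `keyAlias` will stop matching the lower-cased aliases the key manager holds. Unless `keystoreType` is normalized earlier in this method (its start lies outside the hunk), the previous behaviour is restored with `if ("JKS".equalsIgnoreCase(keystoreType)) {`. The removed `wrap()` also guarded its cast with `instanceof X509KeyManager`; the surviving `(X509KeyManager)kms[i]` cast is unconditional and throws ClassCastException for a provider whose KeyManagerFactory yields a different KeyManager type, so wrapping it in `if (kms[i] instanceof X509KeyManager)` would keep the tolerance the deleted code had.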


