Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/05/01 20:52:24 UTC

svn commit: r1677206 - in /tomcat/trunk: java/org/apache/coyote/http11/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/jsse/ webapps/docs/config/

Author: markt
Date: Fri May  1 18:52:24 2015
New Revision: 1677206

URL: http://svn.apache.org/r1677206
Log:
More migration to SSLHostConfig
keyPass/SSLPassword -> certificateKeyPassword
keystorePass -> certificateKeystorePassword

Modified:
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
    tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1677206&r1=1677205&r2=1677206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java Fri May  1 18:52:24 2015
@@ -25,9 +25,6 @@ public abstract class AbstractHttp11Jsse
         super(endpoint);
     }
 
-    public String getKeystorePass() { return getEndpoint().getKeystorePass();}
-    public void setKeystorePass(String s ) { getEndpoint().setKeystorePass(s);}
-
     public String getKeystoreType() { return getEndpoint().getKeystoreType();}
     public void setKeystoreType(String s ) { getEndpoint().setKeystoreType(s);}
 
@@ -44,9 +41,6 @@ public abstract class AbstractHttp11Jsse
     public String getKeyAlias() { return getEndpoint().getKeyAlias();}
     public void setKeyAlias(String s ) { getEndpoint().setKeyAlias(s);}
 
-    public String getKeyPass() { return getEndpoint().getKeyPass();}
-    public void setKeyPass(String s ) { getEndpoint().setKeyPass(s);}
-
     public void setTruststoreFile(String f){ getEndpoint().setTruststoreFile(f);}
     public String getTruststoreFile(){ return getEndpoint().getTruststoreFile();}
 

Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1677206&r1=1677205&r2=1677206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Fri May  1 18:52:24 2015
@@ -430,6 +430,21 @@ public abstract class AbstractHttp11Prot
         defaultSSLHostConfig.setCiphers(ciphers);
     }
 
+    public void setKeystorePass(String certificateKeystorePassword) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setCertificateKeystorePassword(certificateKeystorePassword);
+    }
+
+    public void setKeyPass(String certificateKeyPassword) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setCertificateKeyPassword(certificateKeyPassword);
+    }
+    public void setSSLPassword(String certificateKeyPassword) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setCertificateKeyPassword(certificateKeyPassword);
+    }
+
+
 
     // ------------------------------------------------------------- Common code
 
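Review bot: `setKeyPass` and `setSSLPassword` both write `certificateKeyPassword` on the same default SSLHostConfig, so a Connector that declares both attributes silently ends up with whichever one the digester applies last, and none of the three setters says so or that they are aliases. Suggest a Javadoc on each, such as `/** Alias for the {@code certificateKeyPassword} attribute of the default {@code SSLHostConfig}; {@code keyPass} and {@code SSLPassword} set the same value. */`, plus a blank line between `setKeyPass` and `setSSLPassword` in place of the two stray blank lines after it. The public `getKeystorePass`/`getKeyPass` getters removed from AbstractHttp11JsseProtocol in this commit get no replacement here, so the passwords are no longer readable through the protocol bean; that is a reasonable outcome but deserves a line in the changelog if intentional.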

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1677206&r1=1677205&r2=1677206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Fri May  1 18:52:24 2015
@@ -73,14 +73,6 @@ public class Http11AprProtocol extends A
     // --------------------  SSL related properties --------------------
 
     /**
-     * SSL password (if a cert is encrypted, and no password has been provided, a callback
-     * will ask for a password).
-     */
-    public String getSSLPassword() { return ((AprEndpoint)getEndpoint()).getSSLPassword(); }
-    public void setSSLPassword(String SSLPassword) { ((AprEndpoint)getEndpoint()).setSSLPassword(SSLPassword); }
-
-
-    /**
      * SSL certificate chain file.
      */
     public String getSSLCertificateChainFile() { return ((AprEndpoint)getEndpoint()).getSSLCertificateChainFile(); }

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1677206&r1=1677205&r2=1677206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Fri May  1 18:52:24 2015
@@ -982,10 +982,6 @@ public abstract class AbstractEndpoint<S
         this.sslImplementationName = s;
     }
 
-    private String keystorePass = null;
-    public String getKeystorePass() { return keystorePass;}
-    public void setKeystorePass(String s ) { this.keystorePass = s;}
-
     private String keystoreType = "JKS";
     public String getKeystoreType() { return keystoreType;}
     public void setKeystoreType(String s ) { this.keystoreType = s;}
@@ -1002,10 +998,6 @@ public abstract class AbstractEndpoint<S
     public String getKeyAlias() { return keyAlias;}
     public void setKeyAlias(String s ) { keyAlias = s;}
 
-    private String keyPass = null;
-    public String getKeyPass() { return keyPass;}
-    public void setKeyPass(String s ) { this.keyPass = s;}
-
     private String truststoreFile = System.getProperty("javax.net.ssl.trustStore");
     public String getTruststoreFile() {return truststoreFile;}
     public void setTruststoreFile(String s) {

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1677206&r1=1677205&r2=1677206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri May  1 18:52:24 2015
@@ -209,15 +209,6 @@ public class AprEndpoint extends Abstrac
 
 
     /**
-     * SSL password (if a cert is encrypted, and no password has been provided, a callback
-     * will ask for a password).
-     */
-    protected String SSLPassword = null;
-    public String getSSLPassword() { return SSLPassword; }
-    public void setSSLPassword(String SSLPassword) { this.SSLPassword = SSLPassword; }
-
-
-    /**
      * SSL certificate chain file.
      */
     protected String SSLCertificateChainFile = null;
@@ -566,7 +557,8 @@ public class AprEndpoint extends Abstrac
                 SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
                 // Load Server key and certificate
                 SSLContext.setCertificate(ctx, sslHostConfig.getCertificateFile(),
-                        sslHostConfig.getCertificateKeyFile(), SSLPassword, SSL.SSL_AIDX_RSA);
+                        sslHostConfig.getCertificateKeyFile(),
+                        sslHostConfig.getCertificateKeyPassword(), SSL.SSL_AIDX_RSA);
                 // Set certificate chain file
                 SSLContext.setCertificateChainFile(ctx, SSLCertificateChainFile, false);
                 // Support Client Certificates

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1677206&r1=1677205&r2=1677206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Fri May  1 18:52:24 2015
@@ -45,6 +45,7 @@ public class SSLHostConfig {
     // Configuration properties
 
     // Common
+    private String certificateKeyPassword = null;
     private CertificateVerification certificateVerification = CertificateVerification.NONE;
     private int certificateVerificationDepth = 10;
     private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
@@ -52,6 +53,7 @@ public class SSLHostConfig {
 
     private Set<String> protocols = new HashSet<>();
     // JSSE
+    private String certificateKeystorePassword = "changeit";
     private String certificateKeystoreFile = System.getProperty("user.home")+"/.keystore";
     private String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
     // OpenSSL
@@ -105,6 +107,16 @@ public class SSLHostConfig {
 
     // ----------------------------------------- Common configuration properties
 
+    public void setCertificateKeyPassword(String certificateKeyPassword) {
+        this.certificateKeyPassword = certificateKeyPassword;
+    }
+
+
+    public String getCertificateKeyPassword() {
+        return certificateKeyPassword;
+    }
+
+
     public void setCertificateVerification(String certificateVerification) {
         this.certificateVerification = CertificateVerification.fromString(certificateVerification);
     }
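Review bot: `getCertificateKeyPassword` returns null when the attribute was never set, and nothing in the class states what a null means to callers: the JSSE side (JSSESocketFactory in this commit) falls back to the keystore password, the http.xml text added here says OpenSSL then uses no password, and the Javadoc removed from AprEndpoint's `SSLPassword` field described a callback prompt instead. Suggest a Javadoc on the getter pinning the contract, e.g. `/** Password for the server's private key, or {@code null} if none was configured; JSSE then falls back to the keystore password. */`. The OpenSSL behaviour for a null password should be confirmed against tcnative before it is written down, since the two descriptions on this page disagree.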
@@ -207,14 +219,13 @@ public class SSLHostConfig {
 
     // ---------------------------------- JSSE specific configuration properties
 
-    public void setKeyManagerAlgorithm(String keyManagerAlgorithm) {
-        setProperty("keyManagerAlgorithm", Type.JSSE);
-        this.keyManagerAlgorithm = keyManagerAlgorithm;
+    public void setCertificateKeystorePassword(String certificateKeystorePassword) {
+        this.certificateKeystorePassword = certificateKeystorePassword;
     }
 
 
-    public String getKeyManagerAlgorithm() {
-        return keyManagerAlgorithm;
+    public String getCertificateKeystorePassword() {
+        return certificateKeystorePassword;
     }
 
 
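Review bot: `setCertificateKeystorePassword` sits in the JSSE-specific section but, unlike `setKeyManagerAlgorithm` (which calls `setProperty("keyManagerAlgorithm", Type.JSSE)` both before and after this move), it records nothing, so whatever JSSE/OpenSSL mismatch check `setProperty` feeds will not see a `certificateKeystorePassword` configured on an OpenSSL connector. Add `setProperty("certificateKeystorePassword", Type.JSSE);` as the first line of the setter. That such a check exists is inferred only from the sibling setter; `setProperty` itself is outside the hunk.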
@@ -229,6 +240,17 @@ public class SSLHostConfig {
     }
 
 
+    public void setKeyManagerAlgorithm(String keyManagerAlgorithm) {
+        setProperty("keyManagerAlgorithm", Type.JSSE);
+        this.keyManagerAlgorithm = keyManagerAlgorithm;
+    }
+
+
+    public String getKeyManagerAlgorithm() {
+        return keyManagerAlgorithm;
+    }
+
+
     // ------------------------------- OpenSSL specific configuration properties
 
     public void setCertificateFile(String certificateFile) {

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1677206&r1=1677205&r2=1677206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Fri May  1 18:52:24 2015
@@ -186,20 +186,6 @@ public class JSSESocketFactory implement
     }
 
     /*
-     * Gets the SSL server's keystore password.
-     */
-    protected String getKeystorePassword() {
-        String keystorePass = endpoint.getKeystorePass();
-        if (keystorePass == null) {
-            keystorePass = endpoint.getKeyPass();
-        }
-        if (keystorePass == null) {
-            keystorePass = DEFAULT_KEY_PASS;
-        }
-        return keystorePass;
-    }
-
-    /*
      * Gets the SSL server's keystore.
      */
     protected KeyStore getKeystore(String type, String provider, String pass)
@@ -414,7 +400,7 @@ public class JSSESocketFactory implement
 
         KeyManager[] kms = null;
 
-        String keystorePass = getKeystorePassword();
+        String keystorePass = sslHostConfig.getCertificateKeystorePassword();
 
         KeyStore ks = getKeystore(keystoreType, keystoreProvider, keystorePass);
         if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
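Review bot: The keystore-password fallback provided by the deleted `getKeystorePassword()` (first hunk of this file) is lost: it tried `keystorePass`, then `keyPass`, then `DEFAULT_KEY_PASS`, whereas `sslHostConfig.getCertificateKeystorePassword()` returns the hard-coded `"changeit"` default from SSLHostConfig whenever `keystorePass`/`certificateKeystorePassword` is absent. A Connector that set only `keyPass` for a keystore whose password matches the key password (a configuration the old http.xml text for `keystorePass` explicitly documented) will now try to open its keystore with `changeit` and fail at startup; the reverse fallback in the next hunk (`keyPass` → `keystorePass`) is kept. If the old precedence is still wanted, default `certificateKeystorePassword` to null in SSLHostConfig and resolve it here as below; if the drop is intentional, it is a behaviour change that should be called out in the changelog and in the http.xml text for `keystorePass`. The enclosing method starts and ends outside the hunk.
```java
        // … unchanged: kms declaration …
        String keystorePass = sslHostConfig.getCertificateKeystorePassword();
        if (keystorePass == null) {
            keystorePass = sslHostConfig.getCertificateKeyPassword();
        }
        if (keystorePass == null) {
            keystorePass = DEFAULT_KEY_PASS;
        }
        // … unchanged: getKeystore call and keyAlias check …
```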
@@ -423,7 +409,7 @@ public class JSSESocketFactory implement
         }
 
         KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
-        String keyPass = endpoint.getKeyPass();
+        String keyPass = sslHostConfig.getCertificateKeyPassword();
         if (keyPass == null) {
             keyPass = keystorePass;
         }

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1677206&r1=1677205&r2=1677206&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Fri May  1 18:52:24 2015
@@ -1085,6 +1085,21 @@
       file use <code>""</code> (empty string) for this parameter.</p>
     </attribute>
 
+    <attribute name="certificateKeystorePassword" required="false">
+      <p>JSSE only.</p>
+      <p>The password to use to access the keystore containing the server&apos;s
+      private key and certificate. If not specified, a default of
+      <code>changeit</code> will be used.</p>
+    </attribute>
+
+    <attribute name="certificateKeyPassword" required="false">
+      <p>The password used to access the private key associated with the server
+      certificate from the specified file.</p>
+      <p>If not specified, the default behaviour for JSSE is to use the
+      <strong>certificateKeystorePassword</strong> for OpenSSL the default
+      behaviour is not to use a password.</p>
+    </attribute>
+
     <attribute name="certificateVerification" required="false">
       <p>Set to <code>required</code> if you want the SSL stack to require a
       valid certificate chain from the client before accepting a connection.
@@ -1205,9 +1220,9 @@
     </attribute>
 
     <attribute name="keyPass" required="false">
-      <p>The password used to access the server certificate from the
-      specified keystore file.  The default value is "<code>changeit</code>".
-      </p>
+      <p>This is an alias for the <code>certificateKeyPassword</code> attribute
+      of the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+      element.</p>
     </attribute>
 
     <attribute name="keystoreFile" required="false">
@@ -1217,9 +1232,9 @@
     </attribute>
 
     <attribute name="keystorePass" required="false">
-      <p>The password used to access the specified keystore file. The default
-      value is the value of the <code>keyPass</code> attribute.
-      </p>
+      <p>This is an alias for the <code>certificateKeystorePassword</code>
+      attribute of the default
+      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p>
     </attribute>
 
     <attribute name="keystoreProvider" required="false">
@@ -1411,8 +1426,9 @@
     </attribute>
 
     <attribute name="SSLPassword" required="false">
-      <p>Pass phrase for the encrypted private key. If "SSLPassword" is not
-      provided, the callback function should prompt for the pass phrase.</p>
+      <p>This is an alias for the <code>certificateKeyPassword</code> attribute
+      of the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+      element.</p>
     </attribute>
 
     <attribute name="SSLProtocol" required="false">


