Posted to dev@tomcat.apache.org by Brian Hawkins <br...@gmail.com> on 2008/06/27 20:05:34 UTC

Client certificate using tomcat native

I've finally been able to get the client certificate while using tomcat
native for my SSL connections.  This is using Tomcat 5.5.25.

Here is what doesn't work:
Calling request.getAttribute("javax.servlet.request.X509Certificate") is
supposed to return the client certificate chain.  This attribute is
populated by a call, down in the depths of the native code, to
SSL_get_peer_cert_chain().  The openssl documentation for
SSL_get_peer_cert_chain (
http://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html) says:

SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
forming the certificate chain of the peer. If called on the client side, the
stack also contains the peer's certificate; if called on the server side,
the peer's certificate must be obtained separately using
SSL_get_peer_certificate(3) (http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html).
If the peer did not present a certificate, NULL is returned.

So, according to that, it only returns the CA chain and not the actual client
cert.  I'm not sure what the client chain is worth without the client cert.

The fix to this problem can be made in Http11AprProcessor in the action()
method under the ACTION_REQ_SSL_ATTRIBUTE if block by adding the following
code:

    // Client certificate (DER bytes of the peer's own certificate, which
    // SSL_get_peer_cert_chain() does not include on the server side).
    // Needs java.io.ByteArrayInputStream and java.security.cert.*.
    byte[] certdata = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT);
    if (certdata != null) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            ByteArrayInputStream stream = new ByteArrayInputStream(certdata);
            request.setAttribute("ClientCert", cf.generateCertificate(stream));
        } catch (CertificateException e) {
            // Malformed or unsupported encoding: leave the attribute unset
            log.warn("Failed to parse client certificate", e);
        }
    }

Personally I think the attribute name should be
"javax.servlet.request.X509Certificate" but I'll let the list decide that
one.

Brian
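As an added example (not code from Brian's mail or from Tomcat itself), a standalone Java helper that assembles the array the servlet spec expects under javax.servlet.request.X509Certificate from the client certificate plus the issuer chain, skipping the leaf if the chain already contains it (the client-side behaviour the OpenSSL doc describes) and checking that each certificate is signed by the next. The class and method names and the command-line handling are assumptions; the certificate files are supplied by the user.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ClientCertChain {

    // Decode one DER- or PEM-encoded certificate, as the posted patch does.
    static X509Certificate decode(byte[] encoded) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded));
    }

    // Build the array the servlet spec puts under
    // javax.servlet.request.X509Certificate: client certificate at index 0,
    // then its issuers in order. SSL_get_peer_cert_chain() omits the leaf on
    // the server side but includes it on the client side, so a leaf already
    // present in the chain is skipped instead of duplicated.
    static X509Certificate[] buildChain(byte[] leafEncoded, List<byte[]> chainEncoded)
            throws GeneralSecurityException {
        X509Certificate leaf = decode(leafEncoded);
        List<X509Certificate> out = new ArrayList<>();
        out.add(leaf);
        for (byte[] encoded : chainEncoded) {
            X509Certificate c = decode(encoded);
            if (!c.equals(leaf)) out.add(c);
        }
        // Sanity check: every certificate must be signed by the one after it.
        // Trust in the last (root) certificate is the trust store's job, not checked here.
        for (int i = 0; i + 1 < out.size(); i++) {
            out.get(i).verify(out.get(i + 1).getPublicKey());
        }
        return out.toArray(new X509Certificate[0]);
    }

    // Usage: java ClientCertChain client.der issuer1.der [issuer2.der ...]
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        List<byte[]> chain = new ArrayList<>();
        for (int i = 1; i < args.length; i++) chain.add(Files.readAllBytes(Paths.get(args[i])));
        for (X509Certificate c : buildChain(Files.readAllBytes(Paths.get(args[0])), chain)) {
            System.out.println(c.getSubjectX500Principal() + " issued by " + c.getIssuerX500Principal());
        }
    }
}
```

If a certificate in the chain is out of order or not signed by its successor, verify() throws and the program exits with the exception, which is the right outcome for an attribute that authentication code will rely on.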

Re: Client certificate using tomcat native

Posted by jean-frederic clere <jf...@gmail.com>.
Brian Hawkins wrote:
> I've finally been able to get the client certificate while using tomcat
> native for my SSL connections.  This is using Tomcat 5.5.25.

Could you open a bugzilla on this one...

Cheers

Jean-Frederic

> 
> Here is what doesn't work:
> Calling request.getAttribute("javax.servlet.request.X509Certificate") is
> supposed to return the client certificate chain.  This attribute is
> populated by a call, down in the depths of the native code, to
> SSL_get_peer_cert_chain().  The openssl documentation for
> SSL_get_peer_cert_chain (
> http://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html) says:
> 
> SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
> forming the certificate chain of the peer. If called on the client side, the
> stack also contains the peer's certificate; if called on the server side,
> the peer's certificate must be obtained separately using
> SSL_get_peer_certificate(3)<http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html#>.
> If the peer did not present a certificate, NULL is returned.
> 
> So according to that it only returns the CA chain and not the actual client
> cert.  I'm not sure what the client chain is worth without the client cert.
> 
> The fix to this problem can be made in Http11AprProcessor in the action()
> method under the ACTION_REQ_SSL_ATTRIBUTE if block by adding the following
> code:
> 
> // Client certificate
> byte[] certdata = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT);
> if (certdata != null)
> {
> CertificateFactory cf = CertificateFactory.getInstance("X.509");
> ByteArrayInputStream stream = new ByteArrayInputStream(certdata);
> request.setAttribute("ClientCert", cf.generateCertificate(stream));
> }
> 
> Personally I think the attribute name should be
> "javax.servlet.request.X509Certificate" but I'll let the list decide that
> one.
> 
> Brian
> 

