Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/31 10:56:08 UTC

svn commit: r1737201 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/tomcat/jni/SSLContext.java java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java

Author: markt
Date: Thu Mar 31 08:56:08 2016
New Revision: 1737201

URL: http://svn.apache.org/viewvc?rev=1737201&view=rev
Log:
Add hooks, ready for the next tc-native release, so that the full certificate chain can be set from a keystore (not just the leaf certificate)

Modified:
    tomcat/tc8.5.x/trunk/   (props changed)
    tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
    tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java

Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 08:56:08 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157

Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1737201&r1=1737200&r2=1737201&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java Thu Mar 31 08:56:08 2016
@@ -549,4 +549,17 @@ public final class SSLContext {
      * @return {@code true} if success, {@code false} otherwise.
      */
     public static native boolean setCertificateRaw(long ctx, byte[] cert, byte[] key, int sslAidxRsa);
+
+    /**
+     * Add a certificate to the certificate chain. Certs should be added in
+     * order starting with the issuer of the host certs and working up the
+     * certificate chain to the CA.
+     *
+     * <br>
+     * Use keystore a certificate chain to fill the BIOP
+     * @param ctx Server or Client context to use.
+     * @param cert Byte array with the certificate in DER encoding.
+     * @return {@code true} if success, {@code false} otherwise.
+     */
+    public static native boolean addChainCertificateRaw(long ctx, byte[] cert);
 }
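Review bot: The Javadoc on the new `addChainCertificateRaw` native contains a garbled sentence, `Use keystore a certificate chain to fill the BIOP`, which should be replaced with something like `Intended for installing intermediates taken from a keystore-backed X509KeyManager, one DER-encoded certificate per call, after the leaf has been set with setCertificateRaw.` The `@return` line should also warn callers to check the result, since an intermediate rejected by the native side otherwise leaves the sent chain silently incomplete and clients fail path building with an error that is hard to trace back to configuration. The ordering sentence (issuer of the host cert first, then up towards the CA) is correct; consider adding that the self-signed root itself normally need not be added, as clients must already trust it.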

Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1737201&r1=1737200&r2=1737201&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Thu Mar 31 08:56:08 2016
@@ -324,7 +324,7 @@ public class OpenSSLContext implements o
             } else {
                 X509KeyManager keyManager = chooseKeyManager(kms);
                 String alias = certificate.getCertificateKeyAlias();
-                X509Certificate certificate = keyManager.getCertificateChain(alias)[0];
+                X509Certificate[] chain = keyManager.getCertificateChain(alias);
                 PrivateKey key = keyManager.getPrivateKey(alias);
                 StringBuilder sb = new StringBuilder(BEGIN_KEY);
                 String encoded = BASE64_ENCODER.encodeToString(key.getEncoded());
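Review bot: The chain returned by `keyManager.getCertificateChain(alias)` on the replaced line and the key from `getPrivateKey(alias)` on the next line are used without a null or length check, and per the `X509KeyManager` contract both return null when the alias is not found, so a mistyped `certificateKeyAlias` surfaces as a NullPointerException on `key.getEncoded()` (or an ArrayIndexOutOfBoundsException on an empty chain) rather than as a configuration error naming the alias. Suggest guarding immediately after the two lookups: `if (chain == null || chain.length == 0 || key == null) { throw new IllegalArgumentException("No private key and certificate chain found for alias " + alias); }`, using whatever exception type the enclosing init path already reports. The enclosing method starts before this hunk, so I cannot see how it handles errors at that level.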
@@ -333,7 +333,15 @@ public class OpenSSLContext implements o
                 }
                 sb.append(encoded);
                 sb.append(END_KEY);
-                SSLContext.setCertificateRaw(ctx, certificate.getEncoded(), sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA);
+                SSLContext.setCertificateRaw(ctx, chain[0].getEncoded(), sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA);
+                /*
+                 * Uncomment the code block below once there has been a tc-native
+                 * release with this method and the minimum tc-native version
+                 * has been incremented.
+                for (int i = 1; i < chain.length; i++) {
+                    SSLContext.addChainCertificateRaw(ctx, chain[i].getEncoded());
+                }
+                */
             }
             // Client certificate verification
             int value = 0;
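Review bot: The boolean result of `SSLContext.setCertificateRaw(...)` on the new line is discarded, and the commented-out loop discards the result of `addChainCertificateRaw` the same way, so a certificate the native side rejects (malformed DER, key/certificate mismatch, unsupported key type for `SSL_AIDX_RSA`) leaves the context initialised without a usable server certificate and the problem only appears as handshake failures later. When the loop is enabled, check both calls and fail initialisation: `if (!SSLContext.setCertificateRaw(...)) throw ...;` and, inside the loop, `if (!SSLContext.addChainCertificateRaw(ctx, chain[i].getEncoded())) throw ...;`. Separately, the PEM-encoded private key is assembled in a `StringBuilder`/`String` (the context lines above), which cannot be zeroed after the native call; that is pre-existing, but a `// TODO: avoid holding the key in an immutable String` is worth leaving since this hunk reworks that code. The enclosing method continues past the end of the hunk.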


