Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/31 10:56:08 UTC
svn commit: r1737201 - in /tomcat/tc8.5.x/trunk: ./
java/org/apache/tomcat/jni/SSLContext.java
java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Author: markt
Date: Thu Mar 31 08:56:08 2016
New Revision: 1737201
URL: http://svn.apache.org/viewvc?rev=1737201&view=rev
Log:
Add hooks ready for new tc-native so cert chain can be set from keystore
Modified:
tomcat/tc8.5.x/trunk/ (props changed)
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 08:56:08 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157
Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1737201&r1=1737200&r2=1737201&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java Thu Mar 31 08:56:08 2016
@@ -549,4 +549,17 @@ public final class SSLContext {
* @return {@code true} if success, {@code false} otherwise.
*/
public static native boolean setCertificateRaw(long ctx, byte[] cert, byte[] key, int sslAidxRsa);
+
+ /**
+ * Add a certificate to the certificate chain. Certs should be added in
+ * order starting with the issuer of the host certs and working up the
+ * certificate chain to the CA.
+ *
+ * <br>
+ * Use keystore a certificate chain to fill the BIOP
+ * @param ctx Server or Client context to use.
+ * @param cert Byte array with the certificate in DER encoding.
+ * @return {@code true} if success, {@code false} otherwise.
+ */
+ public static native boolean addChainCertificateRaw(long ctx, byte[] cert);
}
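Review bot: The Javadoc on `addChainCertificateRaw` contains a stray, ungrammatical fragment after the `<br>` ("Use keystore a certificate chain to fill the BIOP") that reads like a leftover draft and names a "BIOP" that appears nowhere else in the change; it should be removed or rewritten before this becomes public API. Suggested replacement for that line: `* Intended for use with a certificate chain obtained from a keystore, so the full chain can be presented without a PEM chain file.` The ordering requirement in the first paragraph (issuer of the host certificate first, then up to the CA) is the contract callers must rely on, so it is worth stating explicitly that the host certificate itself is set via {@link #setCertificateRaw} and must not be passed here.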
Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1737201&r1=1737200&r2=1737201&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Thu Mar 31 08:56:08 2016
@@ -324,7 +324,7 @@ public class OpenSSLContext implements o
} else {
X509KeyManager keyManager = chooseKeyManager(kms);
String alias = certificate.getCertificateKeyAlias();
- X509Certificate certificate = keyManager.getCertificateChain(alias)[0];
+ X509Certificate[] chain = keyManager.getCertificateChain(alias);
PrivateKey key = keyManager.getPrivateKey(alias);
StringBuilder sb = new StringBuilder(BEGIN_KEY);
String encoded = BASE64_ENCODER.encodeToString(key.getEncoded());
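Review bot: `chain` is dereferenced as `chain[0]` a few lines later without a null or length check; per the `X509KeyManager` contract `getCertificateChain` returns null when the alias is unknown (and an implementation may return an empty array), so a misconfigured `certificateKeyAlias` surfaces as a bare NullPointerException / ArrayIndexOutOfBoundsException instead of a clear configuration error. Since the array is now held in a local, this is the natural place to validate it, e.g. `if (chain == null || chain.length == 0) { throw new IllegalArgumentException("No certificate chain found for alias " + alias); }`, and `key` deserves the same treatment since `getPrivateKey` also returns null for an unknown alias. The enclosing method starts outside the hunk.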
@@ -333,7 +333,15 @@ public class OpenSSLContext implements o
}
sb.append(encoded);
sb.append(END_KEY);
- SSLContext.setCertificateRaw(ctx, certificate.getEncoded(), sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA);
+ SSLContext.setCertificateRaw(ctx, chain[0].getEncoded(), sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA);
+ /*
+ * Uncomment the code block below once there has been a tc-native
+ * release with this method and the minimum tc-native version
+ * has been incremented.
+ for (int i = 1; i < chain.length; i++) {
+ SSLContext.addChainCertificateRaw(ctx, chain[i].getEncoded());
+ }
+ */
}
// Client certificate verification
int value = 0;
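Review bot: The boolean result of `SSLContext.setCertificateRaw` is discarded, and the commented-out loop discards `addChainCertificateRaw`'s result too, so a native-side failure leaves the context with no certificate or a truncated chain while startup proceeds silently; the JNI Javadoc documents `false` as the failure signal precisely so the caller can act on it. I would check both and fail loudly, e.g. `if (!SSLContext.setCertificateRaw(ctx, chain[0].getEncoded(), sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA)) { throw new IllegalStateException("Failed to set certificate for alias " + alias); }`, and the same shape inside the loop once it is enabled. The ordering `chain[1..n]` matches the "issuer first, then up to the CA" contract in the new native method's Javadoc, assuming the key manager returns the chain with the end-entity certificate first; that assumption is worth a one-line comment above the loop so it is not lost when the block is uncommented. The enclosing method continues outside the hunk.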