Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/01/29 22:01:07 UTC
svn commit: r1655859 - in /tomcat/trunk/java/org/apache: coyote/http11/
tomcat/util/net/ tomcat/util/net/jsse/
Author: markt
Date: Thu Jan 29 21:01:07 2015
New Revision: 1655859
URL: http://svn.apache.org/r1655859
Log:
getPeerCertificateChain(boolean) was always called with false so simplify.
Remove other unused code (now BIO has been removed) from JSSESupport.
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java
tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprSSLSupport.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLSupport.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1655859&r1=1655858&r2=1655859&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Thu Jan 29 21:01:07 2015
@@ -958,7 +958,7 @@ public abstract class AbstractHttp11Proc
request.setAttribute
(SSLSupport.CIPHER_SUITE_KEY, sslO);
}
- sslO = sslSupport.getPeerCertificateChain(false);
+ sslO = sslSupport.getPeerCertificateChain();
if (sslO != null) {
request.setAttribute
(SSLSupport.CERTIFICATE_KEY, sslO);
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java?rev=1655859&r1=1655858&r2=1655859&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java Thu Jan 29 21:01:07 2015
@@ -92,9 +92,7 @@ public class Http11Nio2Processor extends
}
try {
- // use force=false since re-negotiation is handled above
- // (and it is a NO-OP for NIO anyway)
- Object sslO = sslSupport.getPeerCertificateChain(false);
+ Object sslO = sslSupport.getPeerCertificateChain();
if( sslO != null) {
request.setAttribute
(SSLSupport.CERTIFICATE_KEY, sslO);
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java?rev=1655859&r1=1655858&r2=1655859&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java Thu Jan 29 21:01:07 2015
@@ -94,9 +94,7 @@ public class Http11NioProcessor extends
}
try {
- // use force=false since re-negotiation is handled above
- // (and it is a NO-OP for NIO anyway)
- Object sslO = sslSupport.getPeerCertificateChain(false);
+ Object sslO = sslSupport.getPeerCertificateChain();
if( sslO != null) {
request.setAttribute
(SSLSupport.CERTIFICATE_KEY, sslO);
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprSSLSupport.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprSSLSupport.java?rev=1655859&r1=1655858&r2=1655859&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprSSLSupport.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprSSLSupport.java Thu Jan 29 21:01:07 2015
@@ -57,7 +57,7 @@ public class AprSSLSupport implements SS
@Override
- public X509Certificate[] getPeerCertificateChain(boolean force) throws IOException {
+ public X509Certificate[] getPeerCertificateChain() throws IOException {
long socketRef = socketWrapper.getSocket().longValue();
if (socketRef == 0) {
return null;
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLSupport.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLSupport.java?rev=1655859&r1=1655858&r2=1655859&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLSupport.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLSupport.java Thu Jan 29 21:01:07 2015
@@ -81,12 +81,8 @@ public interface SSLSupport {
/**
* The client certificate chain (if any).
- *
- * @param force If <code>true</code>, then re-negotiate the connection and
- * request a client certificate if a client certificate has not
- * already been requested.
*/
- public X509Certificate[] getPeerCertificateChain(boolean force) throws IOException;
+ public X509Certificate[] getPeerCertificateChain() throws IOException;
/**
* Get the keysize.
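Review bot: The Javadoc on getPeerCertificateChain() drops its only @param but still documents neither the return value nor the exception, and the null case is now the only way a caller learns that no chain is available since the force/re-handshake path is gone. Both implementations touched in this commit return null (AprSSLSupport when the socket reference is 0, JSSESupport when no session is set), and callers in the three processors already test for it. Suggest adding `@return the peer's certificate chain, or {@code null} if no chain is available on this connection` and `@throws IOException if the chain cannot be obtained` (the exact conditions under which implementations throw are not visible on this page, so word the latter to match what they actually do).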
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java?rev=1655859&r1=1655858&r2=1655859&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Thu Jan 29 21:01:07 2015
@@ -19,19 +19,12 @@ package org.apache.tomcat.util.net.jsse;
import java.io.ByteArrayInputStream;
import java.io.IOException;
-import java.io.InputStream;
-import java.net.SocketException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Map;
import java.util.WeakHashMap;
-import javax.net.ssl.HandshakeCompletedEvent;
-import javax.net.ssl.HandshakeCompletedListener;
-import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
-import javax.security.cert.X509Certificate;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -60,19 +53,10 @@ class JSSESupport implements SSLSupport,
private static final StringManager sm =
StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
- private static final Map<SSLSession,Integer> keySizeCache =
- new WeakHashMap<>();
+ private static final Map<SSLSession,Integer> keySizeCache = new WeakHashMap<>();
- protected SSLSocket ssl;
protected SSLSession session;
- Listener listener = new Listener();
-
- JSSESupport(SSLSocket sock){
- ssl=sock;
- session = sock.getSession();
- sock.addHandshakeCompletedListener(listener);
- }
JSSESupport(SSLSession session) {
this.session = session;
@@ -86,8 +70,12 @@ class JSSESupport implements SSLSupport,
return session.getCipherSuite();
}
- protected java.security.cert.X509Certificate [] getX509Certificates(
- SSLSession session) {
+ @Override
+ public java.security.cert.X509Certificate[] getPeerCertificateChain() throws IOException {
+ // Look up the current SSLSession
+ if (session == null)
+ return null;
+
Certificate [] certs=null;
try {
certs = session.getPeerCertificates();
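Review bot: The comment `// Look up the current SSLSession` carried over into the new getPeerCertificateChain() describes a lookup that does not happen; the method only null-checks the `session` field assigned in the constructor. Suggest `// No SSLSession on this connection yet, so there is no peer chain to return` and bracing the guard, `if (session == null) { return null; }`, to match the braced style of the rest of the method. The method continues outside the hunk, so the catch for `session.getPeerCertificates()` (which can throw SSLPeerUnverifiedException when the client presented no certificate) and the conversion loop are not visible here; the removed implementation swallowed that case with a bare `catch(Exception)`, and it is worth confirming the retained code reports the no-certificate case as a null return rather than propagating or silently dropping it.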
@@ -126,81 +114,6 @@ class JSSESupport implements SSLSupport,
return x509Certs;
}
- @Override
- public java.security.cert.X509Certificate[] getPeerCertificateChain(boolean force)
- throws IOException {
- // Look up the current SSLSession
- if (session == null)
- return null;
-
- // Convert JSSE's certificate format to the ones we need
- X509Certificate [] jsseCerts = null;
- try {
- jsseCerts = session.getPeerCertificateChain();
- } catch(Exception bex) {
- // ignore.
- }
- if (jsseCerts == null)
- jsseCerts = new X509Certificate[0];
- if(jsseCerts.length <= 0 && force && ssl != null) {
- session.invalidate();
- handShake();
- session = ssl.getSession();
- }
- return getX509Certificates(session);
- }
-
- protected void handShake() throws IOException {
- if( ssl.getWantClientAuth() ) {
- log.debug(sm.getString("jsseSupport.noCertWant"));
- } else {
- ssl.setNeedClientAuth(true);
- }
-
- if (ssl.getEnabledCipherSuites().length == 0) {
- // Handshake is never going to be successful.
- // Assume this is because handshakes are disabled
- log.warn(sm.getString("jsseSupport.serverRenegDisabled"));
- session.invalidate();
- ssl.close();
- return;
- }
-
- InputStream in = ssl.getInputStream();
- int oldTimeout = ssl.getSoTimeout();
- ssl.setSoTimeout(1000);
- byte[] b = new byte[1];
- listener.reset();
- ssl.startHandshake();
- int maxTries = 60; // 60 * 1000 = example 1 minute time out
- for (int i = 0; i < maxTries; i++) {
- if (log.isTraceEnabled())
- log.trace("Reading for try #" + i);
- try {
- int read = in.read(b);
- if (read > 0) {
- // Shouldn't happen as all input should have been swallowed
- // before trying to do the handshake. If it does, something
- // went wrong so lets bomb out now.
- throw new SSLException(
- sm.getString("jsseSupport.unexpectedData"));
- }
- } catch(SSLException sslex) {
- log.info(sm.getString("jsseSupport.clientCertError"), sslex);
- throw sslex;
- } catch (IOException e) {
- // ignore - presumably the timeout
- }
- if (listener.completed) {
- break;
- }
- }
- ssl.setSoTimeout(oldTimeout);
- if (listener.completed == false) {
- throw new SocketException("SSL Cert handshake timeout");
- }
-
- }
/**
* Copied from <code>org.apache.catalina.valves.CertificateValve</code>
@@ -256,17 +169,6 @@ class JSSESupport implements SSLSupport,
}
- private static class Listener implements HandshakeCompletedListener {
- volatile boolean completed = false;
- @Override
- public void handshakeCompleted(HandshakeCompletedEvent event) {
- completed = true;
- }
- void reset() {
- completed = false;
- }
- }
-
/**
* Invalidate the session this support object is associated with.
*/