Posted to dev@tomcat.apache.org by lu...@apache.org on 2003/08/11 20:12:29 UTC
cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse JSSEKeyManager.java JSSE14SocketFactory.java
luehe 2003/08/11 11:12:29
Modified: util/java/org/apache/tomcat/util/net/jsse
JSSE14SocketFactory.java
Added: util/java/org/apache/tomcat/util/net/jsse
JSSEKeyManager.java
Log:
Added support for specifying alias name for server keypair and cert
chain, to be used by the server to authenticate itself to SSL clients
Revision Changes Path
1.8 +30 -12 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java
Index: JSSE14SocketFactory.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- JSSE14SocketFactory.java 9 Aug 2003 17:17:17 -0000 1.7
+++ JSSE14SocketFactory.java 11 Aug 2003 18:12:29 -0000 1.8
@@ -56,6 +56,7 @@
* [Additional notices, if required by prior licensing conditions]
*
*/
+
package org.apache.tomcat.util.net.jsse;
import java.io.*;
@@ -64,6 +65,7 @@
import java.security.SecureRandom;
import javax.net.ssl.SSLContext;
import javax.net.ssl.KeyManager;
+import javax.net.ssl.X509KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
@@ -84,6 +86,7 @@
* @author Costin Manolache
* @author Stefan Freyr Stefansson
* @author EKR -- renamed to JSSESocketFactory
+ * @author Jan Luehe
*/
public class JSSE14SocketFactory extends JSSESocketFactory {
@@ -97,27 +100,32 @@
void init() throws IOException {
try {
- String clientAuthStr = (String)attributes.get("clientauth");
+ String clientAuthStr = (String) attributes.get("clientauth");
if (clientAuthStr != null){
clientAuth = Boolean.valueOf(clientAuthStr).booleanValue();
}
// SSL protocol variant (e.g., TLS, SSL v3, etc.)
- String protocol = (String)attributes.get("protocol");
- if (protocol == null) protocol = defaultProtocol;
+ String protocol = (String) attributes.get("protocol");
+ if (protocol == null) {
+ protocol = defaultProtocol;
+ }
// Certificate encoding algorithm (e.g., SunX509)
- String algorithm = (String)attributes.get("algorithm");
- if (algorithm == null) algorithm = defaultAlgorithm;
+ String algorithm = (String) attributes.get("algorithm");
+ if (algorithm == null) {
+ algorithm = defaultAlgorithm;
+ }
- String keystoreType = (String)attributes.get("keystoreType");
+ String keystoreType = (String) attributes.get("keystoreType");
if (keystoreType == null) {
keystoreType = defaultKeystoreType;
}
// Create and init SSLContext
SSLContext context = SSLContext.getInstance(protocol);
- context.init(getKeyManagers(keystoreType, algorithm),
+ context.init(getKeyManagers(keystoreType, algorithm,
+ (String) attributes.get("keyAlias")),
getTrustManagers(keystoreType),
new SecureRandom());
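Review bot: The new `keyAlias` attribute is read inline inside the `context.init(...)` call on the `+` lines, whereas every other attribute this method consumes (`clientauth`, `protocol`, `algorithm`, `keystoreType`) is first pulled into a named local with a one-line comment. Reading it the same way, `// Alias of the server key pair and certificate chain in the keystore` followed by `String keyAlias = (String) attributes.get("keyAlias");`, keeps the method uniform and gives the attribute name one visible definition next to the others. init() continues past the end of this hunk.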
@@ -138,16 +146,26 @@
* Gets the initialized key managers.
*/
protected KeyManager[] getKeyManagers(String keystoreType,
- String algorithm)
+ String algorithm,
+ String keyAlias)
throws Exception {
+ KeyManager[] kms = null;
+
String keystorePass = getKeystorePassword();
KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
kmf.init(getKeystore(keystoreType, keystorePass),
keystorePass.toCharArray());
- return kmf.getKeyManagers();
+ kms = kmf.getKeyManagers();
+ if (keyAlias != null) {
+ for(int i=0; i<kms.length; i++) {
+ kms[i] = new JSSEKeyManager((X509KeyManager)kms[i], keyAlias);
+ }
+ }
+
+ return kms;
}
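Review bot: `(X509KeyManager)kms[i]` in the new loop is an unchecked downcast of whatever the factory for the configurable `algorithm` returned, and the configured `keyAlias` is never checked against the keystore that `getKeystore(...)` has just loaded — an alias naming no key entry is wrapped anyway, JSSEKeyManager.chooseServerAlias returns it verbatim, and the delegate's `getCertificateChain`/`getPrivateKey` then return null, so the misconfiguration only shows up as a failed handshake on every connection instead of at init. Keeping the loaded KeyStore in a local and rejecting an alias for which `isKeyEntry` is false, plus an `instanceof` check before the cast, turns both into a startup error that names the bad setting. If the configured keystore type stores aliases case-insensitively (JKS does, as far as I know), the lookup and the alias handed to JSSEKeyManager may need the same normalisation — worth confirming for the keystore types Tomcat accepts. The rewritten section below is the middle of the method body; the signature and the closing brace are unchanged.
```java
    KeyStore ks = getKeystore(keystoreType, keystorePass);
    kmf.init(ks, keystorePass.toCharArray());
    kms = kmf.getKeyManagers();
    if (keyAlias != null) {
        // Fail at startup rather than on every handshake when the alias
        // does not name a key entry in the configured keystore.
        if (!ks.isKeyEntry(keyAlias)) {
            throw new IOException("No key entry for alias '" + keyAlias
                                  + "' in keystore");
        }
        for (int i = 0; i < kms.length; i++) {
            if (!(kms[i] instanceof X509KeyManager)) {
                throw new IOException("Key manager for algorithm " + algorithm
                                      + " does not implement X509KeyManager");
            }
            kms[i] = new JSSEKeyManager((X509KeyManager) kms[i], keyAlias);
        }
    }
    // … unchanged: return kms …
```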
/**
@@ -156,15 +174,15 @@
protected TrustManager[] getTrustManagers(String keystoreType)
throws Exception {
- TrustManager[] tm = null;
+ TrustManager[] tms = null;
KeyStore trustStore = getTrustStore(keystoreType);
if (trustStore != null) {
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(trustStore);
- tm = tmf.getTrustManagers();
+ tms = tmf.getTrustManagers();
}
- return tm;
+ return tms;
}
}
1.1 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java
Index: JSSEKeyManager.java
===================================================================
/*
* ====================================================================
*
* The Apache Software License, Version 1.1
*
* Copyright (c) 1999 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution, if
* any, must include the following acknowlegement:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowlegement may appear in the software itself,
* if and wherever such third-party acknowlegements normally appear.
*
* 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
* Foundation" must not be used to endorse or promote products derived
* from this software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache"
* nor may "Apache" appear in their names without prior written
* permission of the Apache Group.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
* [Additional notices, if required by prior licensing conditions]
*
*/
package org.apache.tomcat.util.net.jsse;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;
/**
* X509KeyManager which allows selection of a specific keypair and certificate
* chain (identified by their keystore alias name) to be used by the server to
* authenticate itself to SSL clients.
*
* @author Jan Luehe
*/
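public final class JSSEKeyManager implements X509KeyManager {

    /**
     * Key manager that owns the keystore entries. Every lookup except
     * chooseServerAlias is forwarded to it unchanged.
     */
    private final X509KeyManager delegate;

    /**
     * Alias handed back by chooseServerAlias, regardless of key type or
     * issuers. It is returned as given; this class does not verify that
     * the delegate actually holds an entry under that name.
     */
    private final String serverKeyAlias;

    /**
     * Constructor.
     *
     * @param mgr The X509KeyManager used as a delegate
     * @param serverKeyAlias The alias name of the server's keypair and
     * supporting certificate chain
     *
     * @throws IllegalArgumentException if <code>mgr</code> or
     * <code>serverKeyAlias</code> is null. A null delegate would only fail
     * on the first lookup during a handshake, and a null alias would make
     * chooseServerAlias report that no server key is available; both are
     * configuration errors better surfaced at construction time.
     */
    public JSSEKeyManager(X509KeyManager mgr, String serverKeyAlias) {
        if (mgr == null) {
            throw new IllegalArgumentException(
                "delegate X509KeyManager must not be null");
        }
        if (serverKeyAlias == null) {
            throw new IllegalArgumentException(
                "server key alias must not be null");
        }
        this.delegate = mgr;
        this.serverKeyAlias = serverKeyAlias;
    }

    /**
     * Choose an alias to authenticate the client side of a secure socket,
     * given the public key type and the list of certificate issuer
     * authorities recognized by the peer (if any). Delegated unchanged;
     * the configured server alias plays no part in client authentication.
     *
     * @param keyType The key algorithm type name(s), ordered with the
     * most-preferred key type first
     * @param issuers The list of acceptable CA issuer subject names, or null
     * if it does not matter which issuers are used
     * @param socket The socket to be used for this connection. This parameter
     * can be null, in which case this method will return the most generic
     * alias to use
     *
     * @return The alias name for the desired key, or null if there are no
     * matches
     */
    public String chooseClientAlias(String[] keyType, Principal[] issuers,
                                    Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }

    /**
     * Returns this key manager's server key alias that was provided in the
     * constructor.
     *
     * All three parameters are ignored: the alias is returned as-is, without
     * consulting the delegate, so the caller must make sure it names a key
     * entry whose key type the peer can negotiate.
     *
     * @param keyType The key algorithm type name (ignored)
     * @param issuers The list of acceptable CA issuer subject names, or null
     * if it does not matter which issuers are used (ignored)
     * @param socket The socket to be used for this connection. This parameter
     * can be null, in which case this method will return the most generic
     * alias to use (ignored)
     *
     * @return Alias name for the desired key; never null
     */
    public String chooseServerAlias(String keyType, Principal[] issuers,
                                    Socket socket) {
        return serverKeyAlias;
    }

    /**
     * Returns the certificate chain associated with the given alias,
     * as known to the delegate.
     *
     * @param alias The alias name
     *
     * @return Certificate chain (ordered with the user's certificate first
     * and the root certificate authority last), or null if the alias can't be
     * found
     */
    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    /**
     * Get the matching aliases for authenticating the client side of a secure
     * socket, given the public key type and the list of certificate issuer
     * authorities recognized by the peer (if any). Delegated unchanged.
     *
     * @param keyType The key algorithm type name
     * @param issuers The list of acceptable CA issuer subject names, or null
     * if it does not matter which issuers are used
     *
     * @return Array of the matching alias names, or null if there were no
     * matches
     */
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    /**
     * Get the matching aliases for authenticating the server side of a secure
     * socket, given the public key type and the list of certificate issuer
     * authorities recognized by the peer (if any). Delegated unchanged, so
     * the result is not restricted to the configured server alias.
     *
     * @param keyType The key algorithm type name
     * @param issuers The list of acceptable CA issuer subject names, or null
     * if it does not matter which issuers are used
     *
     * @return Array of the matching alias names, or null if there were no
     * matches
     */
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    /**
     * Returns the private key associated with the given alias, as known to
     * the delegate.
     *
     * @param alias The alias name
     *
     * @return The requested key, or null if the alias can't be found
     */
    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }
}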