Skip to content
Commits on Source (14)
Hide whitespace changes
Inline Side-by-side
.classpath
View file @ 1c5e0f91
......@@ -10,5 +10,7 @@
<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-juli.jar"/>
<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
<classpathentry kind="lib" path="/usr/share/java/slf4j/slf4j-api.jar"/>
<classpathentry kind="lib" path="/usr/share/java/tomcat/catalina.jar"/>
<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-api.jar"/>
<classpathentry kind="output" path="bin"/>
</classpath>
.copr/Makefile 0 → 100644
View file @ 1c5e0f91
srpm:
dnf install -y git
./build.sh --with-timestamp --with-commit-id srpm
if [[ "${outdir}" != "" ]]; then \
mv ${HOME}/build/tomcatjss/SRPMS/* ${outdir}; \
fi
.travis.yml
View file @ 1c5e0f91
......@@ -7,8 +7,8 @@ services:
- docker
env:
- FEDORA=27
- FEDORA=28
- FEDORA=29
install:
- docker pull registry.fedoraproject.org/fedora:$FEDORA
......@@ -19,7 +19,7 @@ install:
-v $(pwd):/root/tomcatjss
registry.fedoraproject.org/fedora:$FEDORA
- docker exec container dnf install -y dnf-plugins-core gcc make rpm-build
- docker exec container dnf copr -y enable ${TOMCATJSS_7_3_REPO:-@pki/10.6}
- docker exec container dnf copr -y enable ${TOMCATJSS_7_4_REPO:-@pki/master}
- docker exec container dnf builddep -y --spec /root/tomcatjss/tomcatjss.spec
- docker exec container dnf remove -y tomcat-native
- docker exec container /root/tomcatjss/build.sh --with-timestamp --with-commit-id rpm
......
build.xml
View file @ 1c5e0f91
......@@ -102,6 +102,8 @@
<property name="slf4j-api.jar" value="${jar.home}/slf4j/slf4j-api.jar" />
<property name="tomcat.home" value="/usr/share/tomcat" />
<property name="catalina.jar" value="${tomcat.home}/lib/catalina.jar" />
<property name="tomcat-api.jar" value="${tomcat.home}/lib/tomcat-api.jar" />
<property name="tomcat-coyote.jar" value="${tomcat.home}/lib/tomcat-coyote.jar" />
<property name="tomcat-juli.jar" value="${tomcat.home}/bin/tomcat-juli.jar" />
......@@ -116,6 +118,8 @@
-->
<path id="classpath">
<pathelement location="${jss.jar}"/>
<pathelement location="${catalina.jar}"/>
<pathelement location="${tomcat-api.jar}"/>
<pathelement location="${tomcat-coyote.jar}"/>
<pathelement location="${tomcat-juli.jar}"/>
<pathelement location="${commons-logging.jar}"/>
......
src/org/apache/tomcat/util/net/jss/TomcatJSS.java
View file @ 1c5e0f91
......@@ -19,6 +19,7 @@
package org.apache.tomcat.util.net.jss;
import java.io.File;
import java.io.IOException;
import java.net.SocketException;
import java.nio.file.Files;
......@@ -298,25 +299,30 @@ public class TomcatJSS implements SSLSocketListener {
logger.info("TomcatJSS: initialization");
logger.debug("certdbDir: " + certdbDir);
logger.debug("passwordClass: " + passwordClass);
logger.debug("passwordFile: " + passwordFile);
logger.debug("serverCertNickFile: " + serverCertNickFile);
if (certdbDir == null) {
throw new Exception("Missing certdbDir");
certdbDir = System.getProperty("catalina.base") + File.separator + "alias";
}
logger.debug("TomcatJSS: certdbDir: " + certdbDir);
if (passwordClass == null) {
throw new Exception("Missing passwordClass");
passwordClass = PlainPasswordFile.class.getName();
}
logger.debug("TomcatJSS: passwordClass: " + passwordClass);
if (passwordFile == null) {
passwordFile = System.getProperty("catalina.base") + File.separator +
"conf" + File.separator + "password.conf";
}
if (serverCertNickFile == null) {
throw new Exception("Missing serverCertNickFile");
logger.debug("TomcatJSS: passwordFile: " + passwordFile);
if (serverCertNickFile != null) {
logger.debug("TomcatJSS: serverCertNickFile: " + serverCertNickFile);
}
InitializationValues vals = new InitializationValues(
certdbDir, "", "", "secmod.db");
InitializationValues vals = new InitializationValues(certdbDir);
vals.removeSunProvider = false;
vals.installJSSProvider = true;
......@@ -335,8 +341,10 @@ public class TomcatJSS implements SSLSocketListener {
login();
serverCertNick = new String(Files.readAllBytes(Paths.get(serverCertNickFile))).trim();
logger.debug("serverCertNick: " + serverCertNick);
if (serverCertNickFile != null) {
serverCertNick = new String(Files.readAllBytes(Paths.get(serverCertNickFile))).trim();
logger.debug("serverCertNick: " + serverCertNick);
}
logger.debug("clientAuth: " + clientAuth);
if (clientAuth.equalsIgnoreCase("true")) {
......@@ -500,7 +508,7 @@ public class TomcatJSS implements SSLSocketListener {
}
logger.debug("ocspResponderURL: " + ocspResponderURL);
if (StringUtils.isEmpty(ocspResponderURL)) {
ocspResponderURL = null;
}
......
src/org/dogtagpki/tomcat/JSSKeyManager.java 0 → 100644
View file @ 1c5e0f91
/* BEGIN COPYRIGHT BLOCK
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* Copyright (C) 2017 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */
package org.dogtagpki.tomcat;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import javax.net.ssl.X509KeyManager;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.x509.X509CertImpl;
public class JSSKeyManager implements X509KeyManager {
final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
@Override
public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
logger.debug("JSSKeyManager: chooseClientAlias()");
logger.debug("JSSKeyManager: key types:");
for (String keyType : keyTypes) {
logger.debug("JSSKeyManager: - " + keyType);
}
logger.debug("JSSKeyManager: issuers:");
for (Principal issuer : issuers) {
logger.debug("JSSKeyManager: - " + issuer.getName());
}
return null; // not implemented
}
@Override
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
logger.debug("JSSKeyManager: chooseServerAlias()");
logger.debug("JSSKeyManager: key type: " + keyType);
logger.debug("JSSKeyManager: issuers:");
for (Principal issuer : issuers) {
logger.debug("JSSKeyManager: - " + issuer.getName());
}
return null; // not implemented
}
@Override
public X509Certificate[] getCertificateChain(String alias) {
logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
try {
CryptoManager cm = CryptoManager.getInstance();
org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
logger.debug("JSSKeyManager: cert chain:");
Collection<X509Certificate> list = new ArrayList<>();
for (org.mozilla.jss.crypto.X509Certificate c : chain) {
logger.debug("JSSKeyManager: - " + c.getSubjectDN());
list.add(new X509CertImpl(c.getEncoded()));
}
return list.toArray(new X509Certificate[list.size()]);
} catch (Throwable e) {
logger.error(e.getMessage(), e);
throw new RuntimeException(e);
}
}
@Override
public String[] getClientAliases(String keyType, Principal[] issuers) {
logger.debug("JSSKeyManager: getClientAliases()");
logger.debug("JSSKeyManager: key type: " + keyType);
logger.debug("JSSKeyManager: issuers:");
for (Principal issuer : issuers) {
logger.debug("JSSKeyManager: - " + issuer.getName());
}
return null; // not implemented
}
@Override
public PrivateKey getPrivateKey(String alias) {
logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
try {
CryptoManager cm = CryptoManager.getInstance();
org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
PrivateKey privateKey = cm.findPrivKeyByCert(cert);
logger.debug("JSSKeyManager: key found: " + alias);
return privateKey;
} catch (ObjectNotFoundException e) {
logger.debug("JSSKeyManager: key not found: " + alias);
return null;
} catch (Throwable e) {
logger.error(e.getMessage(), e);
throw new RuntimeException(e);
}
}
@Override
public String[] getServerAliases(String keyType, Principal[] issuers) {
logger.debug("JSSKeyManager: getServerAliases()");
logger.debug("JSSKeyManager: key type: " + keyType);
logger.debug("JSSKeyManager: issuers:");
for (Principal issuer : issuers) {
logger.debug("JSSKeyManager: - " + issuer.getName());
}
return null; // not implemented
}
}
src/org/dogtagpki/tomcat/JSSListener.java 0 → 100644
View file @ 1c5e0f91
/* BEGIN COPYRIGHT BLOCK
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* Copyright (C) 2019 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */
package org.dogtagpki.tomcat;
import java.io.File;
import java.io.FileReader;
import java.util.Properties;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.commons.lang.StringUtils;
import org.apache.tomcat.util.net.jss.TomcatJSS;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
public class JSSListener implements LifecycleListener {
final static Logger logger = LoggerFactory.getLogger(JSSListener.class);
public String configFile;
public String getConfigFile() {
return configFile;
}
public void setConfigFile(String configFile) {
this.configFile = configFile;
}
@Override
public void lifecycleEvent(LifecycleEvent event) {
String type = event.getType();
if (type.equals(Lifecycle.BEFORE_INIT_EVENT)) {
initJSS();
}
}
public void initJSS() {
logger.info("JSSListener: Initializing JSS");
logger.info("JSSListener: Config: " + configFile);
try {
if (configFile != null) {
loadJSSConfig();
} else {
loadServerXml();
}
TomcatJSS tomcatjss = TomcatJSS.getInstance();
tomcatjss.init();
} catch (Exception e) {
throw new RuntimeException(e);
}
}
public void loadJSSConfig() throws Exception {
Properties properties = new Properties();
properties.load(new FileReader(configFile));
TomcatJSS tomcatjss = TomcatJSS.getInstance();
String certDb = properties.getProperty("certdbDir");
if (certDb != null)
tomcatjss.setCertdbDir(certDb);
String passwordClass = properties.getProperty("passwordClass");
if (passwordClass != null)
tomcatjss.setPasswordClass(passwordClass);
String passwordFile = properties.getProperty("passwordFile");
if (passwordFile != null)
tomcatjss.setPasswordFile(passwordFile);
String enableOCSP = properties.getProperty("enableOCSP");
if (enableOCSP != null)
tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
String ocspResponderURL = properties.getProperty("ocspResponderURL");
if (ocspResponderURL != null)
tomcatjss.setOcspResponderURL(ocspResponderURL);
String ocspResponderCertNickname = properties.getProperty("ocspResponderCertNickname");
if (ocspResponderCertNickname != null)
tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
String ocspCacheSize = properties.getProperty("ocspCacheSize");
if (StringUtils.isNotEmpty(ocspCacheSize))
tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
String ocspMinCacheEntryDuration = properties.getProperty("ocspMinCacheEntryDuration");
if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
String ocspMaxCacheEntryDuration = properties.getProperty("ocspMaxCacheEntryDuration");
if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
String ocspTimeout = properties.getProperty("ocspTimeout");
if (StringUtils.isNotEmpty(ocspTimeout))
tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
String strictCiphers = properties.getProperty("strictCiphers");
if (strictCiphers != null)
tomcatjss.setStrictCiphers(strictCiphers);
String sslVersionRangeStream = properties.getProperty("sslVersionRangeStream");
if (sslVersionRangeStream != null)
tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
String sslVersionRangeDatagram = properties.getProperty("sslVersionRangeDatagram");
if (sslVersionRangeDatagram != null)
tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
String sslRangeCiphers = properties.getProperty("sslRangeCiphers");
if (sslRangeCiphers != null)
tomcatjss.setSslRangeCiphers(sslRangeCiphers);
String sslOptions = properties.getProperty("sslOptions");
if (sslOptions != null)
tomcatjss.setSslOptions(sslOptions);
String ssl2Ciphers = properties.getProperty("ssl2Ciphers");
if (ssl2Ciphers != null)
tomcatjss.setSsl2Ciphers(ssl2Ciphers);
String ssl3Ciphers = properties.getProperty("ssl3Ciphers");
if (ssl3Ciphers != null)
tomcatjss.setSsl3Ciphers(ssl3Ciphers);
String tlsCiphers = properties.getProperty("tlsCiphers");
if (tlsCiphers != null)
tomcatjss.setTlsCiphers(tlsCiphers);
}
public void loadServerXml() throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
String catalinaBase = System.getProperty("catalina.base");
File file = new File(catalinaBase + "/conf/server.xml");
Document doc = builder.parse(file);
XPathFactory xPathfactory = XPathFactory.newInstance();
XPath xpath = xPathfactory.newXPath();
Element connector = (Element) xpath.evaluate(
"/Server/Service[@name='Catalina']/Connector[@SSLEnabled='true']",
doc, XPathConstants.NODE);
TomcatJSS tomcatjss = TomcatJSS.getInstance();
String certDb = connector.getAttribute("certdbDir");
if (certDb != null)
tomcatjss.setCertdbDir(certDb);
String passwordClass = connector.getAttribute("passwordClass");
if (passwordClass != null)
tomcatjss.setPasswordClass(passwordClass);
String passwordFile = connector.getAttribute("passwordFile");
if (passwordFile != null)
tomcatjss.setPasswordFile(passwordFile);
String serverCertNickFile = connector.getAttribute("serverCertNickFile");
if (serverCertNickFile != null)
tomcatjss.setServerCertNickFile(serverCertNickFile);
String enableOCSP = connector.getAttribute("enableOCSP");
if (enableOCSP != null)
tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
String ocspResponderURL = connector.getAttribute("ocspResponderURL");
if (ocspResponderURL != null)
tomcatjss.setOcspResponderURL(ocspResponderURL);
String ocspResponderCertNickname = connector.getAttribute("ocspResponderCertNickname");
if (ocspResponderCertNickname != null)
tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
String ocspCacheSize = connector.getAttribute("ocspCacheSize");
if (StringUtils.isNotEmpty(ocspCacheSize))
tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
String ocspMinCacheEntryDuration = connector.getAttribute("ocspMinCacheEntryDuration");
if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
String ocspMaxCacheEntryDuration = connector.getAttribute("ocspMaxCacheEntryDuration");
if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
String ocspTimeout = connector.getAttribute("ocspTimeout");
if (StringUtils.isNotEmpty(ocspTimeout))
tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
String strictCiphers = connector.getAttribute("strictCiphers");
if (strictCiphers != null)
tomcatjss.setStrictCiphers(strictCiphers);
String sslVersionRangeStream = connector.getAttribute("sslVersionRangeStream");
if (sslVersionRangeStream != null)
tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
String sslVersionRangeDatagram = connector.getAttribute("sslVersionRangeDatagram");
if (sslVersionRangeDatagram != null)
tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
String sslRangeCiphers = connector.getAttribute("sslRangeCiphers");
if (sslRangeCiphers != null)
tomcatjss.setSslRangeCiphers(sslRangeCiphers);
String sslOptions = connector.getAttribute("sslOptions");
if (sslOptions != null)
tomcatjss.setSslOptions(sslOptions);
String ssl2Ciphers = connector.getAttribute("ssl2Ciphers");
if (ssl2Ciphers != null)
tomcatjss.setSsl2Ciphers(ssl2Ciphers);
String ssl3Ciphers = connector.getAttribute("ssl3Ciphers");
if (ssl3Ciphers != null)
tomcatjss.setSsl3Ciphers(ssl3Ciphers);
String tlsCiphers = connector.getAttribute("tlsCiphers");
if (tlsCiphers != null)
tomcatjss.setTlsCiphers(tlsCiphers);
}
}
src/org/dogtagpki/tomcat/JSSTrustManager.java 0 → 100644
View file @ 1c5e0f91
/* BEGIN COPYRIGHT BLOCK
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* Copyright (C) 2017 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */
package org.dogtagpki.tomcat;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.X509TrustManager;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.NotInitializedException;
import org.mozilla.jss.netscape.security.util.Cert;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.x509.X509CertImpl;
public class JSSTrustManager implements X509TrustManager {
final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
// sort cert chain from root to leaf
certChain = Cert.sortCertificateChain(certChain);
for (X509Certificate cert : certChain) {
logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
}
// get CA certs
X509Certificate[] caCerts = getAcceptedIssuers();
// validating cert chain from root to leaf
for (int i = 0; i < certChain.length; i++) {
X509Certificate cert = certChain[i];
// validating key usage on leaf cert only
String usage;
if (i == certChain.length - 1) {
usage = keyUsage;
} else {
usage = null;
}
checkCert(cert, caCerts, usage);
// use the current cert as the CA cert for the next cert in the chain
caCerts = new X509Certificate[] { cert };
}
}
public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
boolean[] aki = cert.getIssuerUniqueID();
logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
X509Certificate issuer = null;
for (X509Certificate caCert : caCerts) {
boolean[] ski = caCert.getSubjectUniqueID();
logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
try {
cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
issuer = caCert;
break;
} catch (Exception e) {
logger.debug("JSSTrustManager: invalid certificate: " + e);
}
}
if (issuer == null) {
throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
}
logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
logger.debug("JSSTrustManager: checking validity range:");
logger.debug("JSSTrustManager: - not before: " + cert.getNotBefore());
logger.debug("JSSTrustManager: - not after: " + cert.getNotAfter());
cert.checkValidity();
if (keyUsage != null) {
List<String> extendedKeyUsages = cert.getExtendedKeyUsage();
logger.debug("JSSTrustManager: checking extended key usages:");
for (String extKeyUsage : extendedKeyUsages) {
logger.debug("JSSTrustManager: - " + extKeyUsage);
}
if (extendedKeyUsages.contains(keyUsage)) {
logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
} else {
throw new CertificateException("Missing extended key usage: " + keyUsage);
}
}
}
@Override
public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
try {
checkCertChain(certChain, CLIENT_AUTH_OID);
logger.debug("JSSTrustManager: SSL client certificate is valid");
} catch (CertificateException e) {
logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
throw e;
} catch (Exception e) {
logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
throw new CertificateException(e);
}
}
@Override
public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
try {
checkCertChain(certChain, SERVER_AUTH_OID);
logger.debug("JSSTrustManager: SSL server certificate is valid");
} catch (CertificateException e) {
logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
throw e;
} catch (Exception e) {
logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
throw new CertificateException(e);
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
logger.debug("JSSTrustManager: getAcceptedIssuers():");
Collection<X509Certificate> caCerts = new ArrayList<>();
try {
CryptoManager manager = CryptoManager.getInstance();
for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
try {
X509CertImpl caCert = new X509CertImpl(cert.getEncoded());
caCert.checkValidity();
caCerts.add(caCert);
} catch (Exception e) {
logger.debug("JSSTrustManager: invalid CA certificate: " + e);
}
}
} catch (NotInitializedException e) {
logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e);
throw new RuntimeException(e);
}
return caCerts.toArray(new X509Certificate[caCerts.size()]);
}
}
tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSSupport.java deleted 100644 → 0
View file @ a84bdfcc
/* BEGIN COPYRIGHT BLOCK
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* Copyright (C) 2018 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */
package org.apache.tomcat.util.net.jss;
import java.io.IOException;
import java.security.cert.X509Certificate;
import org.apache.tomcat.util.net.SSLSupport;
public class JSSSupport implements SSLSupport {
@Override
public String getCipherSuite() throws IOException {
return null;
}
@Override
public Integer getKeySize() throws IOException {
return null;
}
@Override
public X509Certificate[] getPeerCertificateChain() throws IOException {
return null;
}
@Override
public String getProtocol() throws IOException {
return null;
}
@Override
public String getSessionId() throws IOException {
return null;
}
}
tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSImplementation.java tomcat-8.5/src/org/dogtagpki/tomcat/JSSImplementation.java
View file @ 1c5e0f91
......@@ -13,34 +13,38 @@
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* Copyright (C) 2018 Red Hat, Inc.
* Copyright (C) 2007 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */
package org.apache.tomcat.util.net.jss;
import javax.net.ssl.SSLSession;
package org.dogtagpki.tomcat;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SSLSupport;
import org.apache.tomcat.util.net.SSLUtil;
import org.apache.tomcat.util.net.jsse.JSSEImplementation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class JSSImplementation extends SSLImplementation {
public class JSSImplementation extends JSSEImplementation {
@Override
public SSLSupport getSSLSupport(SSLSession session) {
return new JSSSupport();
public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
public JSSImplementation() {
logger.debug("JSSImplementation: instance created");
}
@Override
public SSLUtil getSSLUtil(SSLHostConfigCertificate cert) {
return new JSSUtil();
}
logger.debug("JSSImplementation: getSSLUtil()");
logger.debug("JSSImplementation: key alias: " + cert.getCertificateKeyAlias());
logger.debug("JSSImplementation: keystore provider: " + cert.getCertificateKeystoreProvider());
@Override
public boolean isAlpnSupported() {
return false;
}
SSLHostConfig hostConfig = cert.getSSLHostConfig();
logger.debug("JSSImplementation: key manager alg: " + hostConfig.getKeyManagerAlgorithm());
logger.debug("JSSImplementation: truststore alg: " + hostConfig.getTruststoreAlgorithm());
logger.debug("JSSImplementation: truststore provider: " + hostConfig.getTruststoreProvider());
return new JSSUtil(cert);
}
}
tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSUtil.java tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
View file @ 1c5e0f91
......@@ -17,45 +17,37 @@
* All rights reserved.
* END COPYRIGHT BLOCK */
package org.apache.tomcat.util.net.jss;
import java.util.List;
package org.dogtagpki.tomcat;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import org.apache.tomcat.util.net.SSLContext;
import org.apache.tomcat.util.net.SSLUtil;
public class JSSUtil implements SSLUtil {
@Override
public void configureSessionContext(SSLSessionContext arg0) {
}
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
import org.apache.tomcat.util.net.jsse.JSSEUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@Override
public SSLContext createSSLContext(List<String> arg0) throws Exception {
return null;
}
public class JSSUtil extends JSSEUtil {
@Override
public String[] getEnabledCiphers() throws IllegalArgumentException {
return null;
}
public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
@Override
public String[] getEnabledProtocols() throws IllegalArgumentException {
return null;
public JSSUtil(SSLHostConfigCertificate cert) {
super(cert);
logger.debug("JSSUtil: instance created");
}
@Override
public KeyManager[] getKeyManagers() throws Exception {
return null;
logger.debug("JSSUtil: getKeyManagers()");
String keyAlias = certificate.getCertificateKeyAlias();
KeyManager keyManager = new JSSEKeyManager(new JSSKeyManager(), keyAlias);
return new KeyManager[] { keyManager };
}
@Override
public TrustManager[] getTrustManagers() throws Exception {
return null;
logger.debug("JSSUtil: getTrustManagers()");
return new TrustManager[] { new JSSTrustManager() };
}
}
tomcatjss.spec
View file @ 1c5e0f91
......@@ -7,7 +7,7 @@ URL: http://www.dogtagpki.org/wiki/TomcatJSS
License: LGPLv2+
BuildArch: noarch
Version: 7.3.6
Version: 7.4.0
Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
# global _phase -a1
......@@ -57,7 +57,7 @@ BuildRequires: slf4j-jdk14
%if 0%{?rhel} && 0%{?rhel} <= 7
BuildRequires: jss >= 4.4.0-7
%else
BuildRequires: jss >= 4.5.0-1
BuildRequires: jss >= 4.5.3
%endif
# Tomcat
......@@ -70,10 +70,14 @@ BuildRequires: tomcat >= 8.0.49
%if 0%{?fedora} && 0%{?fedora} <= 28
BuildRequires: tomcat >= 1:8.5.23
%else
%if 0%{?rhel}
BuildRequires: pki-servlet-engine >= 1:9.0.7
%else
BuildRequires: tomcat >= 1:9.0.7
%endif
%endif
%endif
%endif
################################################################################
# Runtime Dependencies
......@@ -90,7 +94,7 @@ Requires: jpackage-utils >= 0:1.7.5-15
# SLF4J
Requires: slf4j
%if 0%{?rhel} && 0%{?rhel} <= 7
%if 0%{?rhel}
# no slf4j-jdk14
%else
Requires: slf4j-jdk14
......@@ -100,7 +104,7 @@ Requires: slf4j-jdk14
%if 0%{?rhel} && 0%{?rhel} <= 7
Requires: jss >= 4.4.0-7
%else
Requires: jss >= 4.5.0-1
Requires: jss >= 4.5.3
%endif
# Tomcat
......@@ -113,10 +117,14 @@ Requires: tomcat >= 8.0.49
%if 0%{?fedora} && 0%{?fedora} <= 28
Requires: tomcat >= 1:8.5.23
%else
%if 0%{?rhel}
Requires: pki-servlet-engine >= 1:9.0.7
%else
Requires: tomcat >= 1:9.0.7
%endif
%endif
%endif
%endif
# The 'tomcatjss' package conflicts with the 'tomcat-native' package
# because it uses an underlying NSS security model rather than the
......