Endi S. Dewata · Endi S. Dewata · Endi S. Dewata · Endi S. Dewata · Endi S. Dewata · Endi S. Dewata
--- a/.classpath
+++ b/.classpath
@@ -10,5 +10,7 @@
 	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-juli.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/slf4j/slf4j-api.jar"/>
+	<classpathentry kind="lib" path="/usr/share/java/tomcat/catalina.jar"/>
+	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-api.jar"/>
 	<classpathentry kind="output" path="bin"/>
 </classpath>
--- a/.copr/Makefile
+++ b/.copr/Makefile
+srpm:
+	dnf install -y git
+	./build.sh --with-timestamp --with-commit-id srpm
+	if [[ "${outdir}" != "" ]]; then \
+	    mv ${HOME}/build/tomcatjss/SRPMS/* ${outdir}; \
+	fi
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,8 +7,8 @@ services:
  - docker
 env:
-  - FEDORA=27
  - FEDORA=28
+  - FEDORA=29
 install:
  - docker pull registry.fedoraproject.org/fedora:$FEDORA
@@ -19,7 +19,7 @@ install:
      -v $(pwd):/root/tomcatjss
      registry.fedoraproject.org/fedora:$FEDORA
  - docker exec container dnf install -y dnf-plugins-core gcc make rpm-build
-  - docker exec container dnf copr -y enable ${TOMCATJSS_7_3_REPO:-@pki/10.6}
+  - docker exec container dnf copr -y enable ${TOMCATJSS_7_4_REPO:-@pki/master}
  - docker exec container dnf builddep -y --spec /root/tomcatjss/tomcatjss.spec
  - docker exec container dnf remove -y tomcat-native
  - docker exec container /root/tomcatjss/build.sh --with-timestamp --with-commit-id rpm

--- a/build.xml
+++ b/build.xml
@@ -102,6 +102,8 @@
  <property name="slf4j-api.jar" value="${jar.home}/slf4j/slf4j-api.jar" />
  <property name="tomcat.home" value="/usr/share/tomcat" />
+  <property name="catalina.jar" value="${tomcat.home}/lib/catalina.jar" />
+  <property name="tomcat-api.jar" value="${tomcat.home}/lib/tomcat-api.jar" />
  <property name="tomcat-coyote.jar" value="${tomcat.home}/lib/tomcat-coyote.jar" />
  <property name="tomcat-juli.jar" value="${tomcat.home}/bin/tomcat-juli.jar" />
@@ -116,6 +118,8 @@
  -->
  <path id="classpath">
    <pathelement location="${jss.jar}"/>
+    <pathelement location="${catalina.jar}"/>
+    <pathelement location="${tomcat-api.jar}"/>
    <pathelement location="${tomcat-coyote.jar}"/>
    <pathelement location="${tomcat-juli.jar}"/>
    <pathelement location="${commons-logging.jar}"/>

--- a/src/org/apache/tomcat/util/net/jss/TomcatJSS.java
+++ b/src/org/apache/tomcat/util/net/jss/TomcatJSS.java
@@ -19,6 +19,7 @@
 package org.apache.tomcat.util.net.jss;
+import java.io.File;
 import java.io.IOException;
 import java.net.SocketException;
 import java.nio.file.Files;
@@ -298,25 +299,30 @@ public class TomcatJSS implements SSLSocketListener {
        logger.info("TomcatJSS: initialization");
-        logger.debug("certdbDir: " + certdbDir);
-        logger.debug("passwordClass: " + passwordClass);
-        logger.debug("passwordFile: " + passwordFile);
-        logger.debug("serverCertNickFile: " + serverCertNickFile);
        if (certdbDir == null) {
-            throw new Exception("Missing certdbDir");
+            certdbDir = System.getProperty("catalina.base") + File.separator + "alias";
        }
+        logger.debug("TomcatJSS: certdbDir: " + certdbDir);
        if (passwordClass == null) {
-            throw new Exception("Missing passwordClass");
+            passwordClass = PlainPasswordFile.class.getName();
        }
-        if (serverCertNickFile == null) {
+        logger.debug("TomcatJSS: passwordClass: " + passwordClass);
-            throw new Exception("Missing serverCertNickFile");
+        if (passwordFile == null) {
+            passwordFile = System.getProperty("catalina.base") + File.separator +
+                    "conf" + File.separator + "password.conf";
        }
-        InitializationValues vals = new InitializationValues(
+        logger.debug("TomcatJSS: passwordFile: " + passwordFile);
-                certdbDir, "", "", "secmod.db");
+        if (serverCertNickFile != null) {
+            logger.debug("TomcatJSS: serverCertNickFile: " + serverCertNickFile);
+        }
+        InitializationValues vals = new InitializationValues(certdbDir);
        vals.removeSunProvider = false;
        vals.installJSSProvider = true;
@@ -335,8 +341,10 @@ public class TomcatJSS implements SSLSocketListener {
        login();
+        if (serverCertNickFile != null) {
            serverCertNick = new String(Files.readAllBytes(Paths.get(serverCertNickFile))).trim();
            logger.debug("serverCertNick: " + serverCertNick);
+        }
        logger.debug("clientAuth: " + clientAuth);
        if (clientAuth.equalsIgnoreCase("true")) {

--- a/src/org/dogtagpki/tomcat/JSSKeyManager.java
+++ b/src/org/dogtagpki/tomcat/JSSKeyManager.java
+/* BEGIN COPYRIGHT BLOCK
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * Copyright (C) 2017 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+package org.dogtagpki.tomcat;
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import javax.net.ssl.X509KeyManager;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.ObjectNotFoundException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import sun.security.x509.X509CertImpl;
+public class JSSKeyManager implements X509KeyManager {
+    final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
+    @Override
+    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
+        logger.debug("JSSKeyManager: chooseClientAlias()");
+        logger.debug("JSSKeyManager: key types:");
+        for (String keyType : keyTypes) {
+            logger.debug("JSSKeyManager: - " + keyType);
+        }
+        logger.debug("JSSKeyManager: issuers:");
+        for (Principal issuer : issuers) {
+            logger.debug("JSSKeyManager: - " + issuer.getName());
+        }
+        return null;  // not implemented
+    }
+    @Override
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+        logger.debug("JSSKeyManager: chooseServerAlias()");
+        logger.debug("JSSKeyManager: key type: " + keyType);
+        logger.debug("JSSKeyManager: issuers:");
+        for (Principal issuer : issuers) {
+            logger.debug("JSSKeyManager: - " + issuer.getName());
+        }
+        return null;  // not implemented
+    }
+    @Override
+    public X509Certificate[] getCertificateChain(String alias) {
+        logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
+        try {
+            CryptoManager cm = CryptoManager.getInstance();
+            org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
+            org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
+            logger.debug("JSSKeyManager: cert chain:");
+            Collection<X509Certificate> list = new ArrayList<>();
+            for (org.mozilla.jss.crypto.X509Certificate c : chain) {
+                logger.debug("JSSKeyManager: - " + c.getSubjectDN());
+                list.add(new X509CertImpl(c.getEncoded()));
+            }
+            return list.toArray(new X509Certificate[list.size()]);
+        } catch (Throwable e) {
+            logger.error(e.getMessage(), e);
+            throw new RuntimeException(e);
+        }
+    }
+    @Override
+    public String[] getClientAliases(String keyType, Principal[] issuers) {
+        logger.debug("JSSKeyManager: getClientAliases()");
+        logger.debug("JSSKeyManager: key type: " + keyType);
+        logger.debug("JSSKeyManager: issuers:");
+        for (Principal issuer : issuers) {
+            logger.debug("JSSKeyManager: - " + issuer.getName());
+        }
+        return null;  // not implemented
+    }
+    @Override
+    public PrivateKey getPrivateKey(String alias) {
+        logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
+        try {
+            CryptoManager cm = CryptoManager.getInstance();
+            org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
+            PrivateKey privateKey = cm.findPrivKeyByCert(cert);
+            logger.debug("JSSKeyManager: key found: " + alias);
+            return privateKey;
+        } catch (ObjectNotFoundException e) {
+            logger.debug("JSSKeyManager: key not found: " + alias);
+            return null;
+        } catch (Throwable e) {
+            logger.error(e.getMessage(), e);
+            throw new RuntimeException(e);
+        }
+    }
+    @Override
+    public String[] getServerAliases(String keyType, Principal[] issuers) {
+        logger.debug("JSSKeyManager: getServerAliases()");
+        logger.debug("JSSKeyManager: key type: " + keyType);
+        logger.debug("JSSKeyManager: issuers:");
+        for (Principal issuer : issuers) {
+            logger.debug("JSSKeyManager: - " + issuer.getName());
+        }
+        return null;  // not implemented
+    }
+}
--- a/src/org/dogtagpki/tomcat/JSSListener.java
+++ b/src/org/dogtagpki/tomcat/JSSListener.java
+/* BEGIN COPYRIGHT BLOCK
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+package org.dogtagpki.tomcat;
+import java.io.File;
+import java.io.FileReader;
+import java.util.Properties;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.commons.lang.StringUtils;
+import org.apache.tomcat.util.net.jss.TomcatJSS;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+public class JSSListener implements LifecycleListener {
+    final static Logger logger = LoggerFactory.getLogger(JSSListener.class);
+    public String configFile;
+    public String getConfigFile() {
+        return configFile;
+    }
+    public void setConfigFile(String configFile) {
+        this.configFile = configFile;
+    }
+    @Override
+    public void lifecycleEvent(LifecycleEvent event) {
+        String type = event.getType();
+        if (type.equals(Lifecycle.BEFORE_INIT_EVENT)) {
+            initJSS();
+        }
+    }
+    public void initJSS() {
+        logger.info("JSSListener: Initializing JSS");
+        logger.info("JSSListener: Config: " + configFile);
+        try {
+            if (configFile != null) {
+                loadJSSConfig();
+            } else {
+                loadServerXml();
+            }
+            TomcatJSS tomcatjss = TomcatJSS.getInstance();
+            tomcatjss.init();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+    public void loadJSSConfig() throws Exception {
+        Properties properties = new Properties();
+        properties.load(new FileReader(configFile));
+        TomcatJSS tomcatjss = TomcatJSS.getInstance();
+        String certDb = properties.getProperty("certdbDir");
+        if (certDb != null)
+            tomcatjss.setCertdbDir(certDb);
+        String passwordClass = properties.getProperty("passwordClass");
+        if (passwordClass != null)
+            tomcatjss.setPasswordClass(passwordClass);
+        String passwordFile = properties.getProperty("passwordFile");
+        if (passwordFile != null)
+            tomcatjss.setPasswordFile(passwordFile);
+        String enableOCSP = properties.getProperty("enableOCSP");
+        if (enableOCSP != null)
+            tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
+        String ocspResponderURL = properties.getProperty("ocspResponderURL");
+        if (ocspResponderURL != null)
+            tomcatjss.setOcspResponderURL(ocspResponderURL);
+        String ocspResponderCertNickname = properties.getProperty("ocspResponderCertNickname");
+        if (ocspResponderCertNickname != null)
+            tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
+        String ocspCacheSize = properties.getProperty("ocspCacheSize");
+        if (StringUtils.isNotEmpty(ocspCacheSize))
+            tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
+        String ocspMinCacheEntryDuration = properties.getProperty("ocspMinCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
+            tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
+        String ocspMaxCacheEntryDuration = properties.getProperty("ocspMaxCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
+            tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
+        String ocspTimeout = properties.getProperty("ocspTimeout");
+        if (StringUtils.isNotEmpty(ocspTimeout))
+            tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
+        String strictCiphers = properties.getProperty("strictCiphers");
+        if (strictCiphers != null)
+            tomcatjss.setStrictCiphers(strictCiphers);
+        String sslVersionRangeStream = properties.getProperty("sslVersionRangeStream");
+        if (sslVersionRangeStream != null)
+            tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
+        String sslVersionRangeDatagram = properties.getProperty("sslVersionRangeDatagram");
+        if (sslVersionRangeDatagram != null)
+            tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
+        String sslRangeCiphers = properties.getProperty("sslRangeCiphers");
+        if (sslRangeCiphers != null)
+            tomcatjss.setSslRangeCiphers(sslRangeCiphers);
+        String sslOptions = properties.getProperty("sslOptions");
+        if (sslOptions != null)
+            tomcatjss.setSslOptions(sslOptions);
+        String ssl2Ciphers = properties.getProperty("ssl2Ciphers");
+        if (ssl2Ciphers != null)
+            tomcatjss.setSsl2Ciphers(ssl2Ciphers);
+        String ssl3Ciphers = properties.getProperty("ssl3Ciphers");
+        if (ssl3Ciphers != null)
+            tomcatjss.setSsl3Ciphers(ssl3Ciphers);
+        String tlsCiphers = properties.getProperty("tlsCiphers");
+        if (tlsCiphers != null)
+            tomcatjss.setTlsCiphers(tlsCiphers);
+    }
+    public void loadServerXml() throws Exception {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        String catalinaBase = System.getProperty("catalina.base");
+        File file = new File(catalinaBase + "/conf/server.xml");
+        Document doc = builder.parse(file);
+        XPathFactory xPathfactory = XPathFactory.newInstance();
+        XPath xpath = xPathfactory.newXPath();
+        Element connector = (Element) xpath.evaluate(
+                "/Server/Service[@name='Catalina']/Connector[@SSLEnabled='true']",
+                doc, XPathConstants.NODE);
+        TomcatJSS tomcatjss = TomcatJSS.getInstance();
+        String certDb = connector.getAttribute("certdbDir");
+        if (certDb != null)
+            tomcatjss.setCertdbDir(certDb);
+        String passwordClass = connector.getAttribute("passwordClass");
+        if (passwordClass != null)
+            tomcatjss.setPasswordClass(passwordClass);
+        String passwordFile = connector.getAttribute("passwordFile");
+        if (passwordFile != null)
+            tomcatjss.setPasswordFile(passwordFile);
+        String serverCertNickFile = connector.getAttribute("serverCertNickFile");
+        if (serverCertNickFile != null)
+            tomcatjss.setServerCertNickFile(serverCertNickFile);
+        String enableOCSP = connector.getAttribute("enableOCSP");
+        if (enableOCSP != null)
+            tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
+        String ocspResponderURL = connector.getAttribute("ocspResponderURL");
+        if (ocspResponderURL != null)
+            tomcatjss.setOcspResponderURL(ocspResponderURL);
+        String ocspResponderCertNickname = connector.getAttribute("ocspResponderCertNickname");
+        if (ocspResponderCertNickname != null)
+            tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
+        String ocspCacheSize = connector.getAttribute("ocspCacheSize");
+        if (StringUtils.isNotEmpty(ocspCacheSize))
+            tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
+        String ocspMinCacheEntryDuration = connector.getAttribute("ocspMinCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
+            tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
+        String ocspMaxCacheEntryDuration = connector.getAttribute("ocspMaxCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
+            tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
+        String ocspTimeout = connector.getAttribute("ocspTimeout");
+        if (StringUtils.isNotEmpty(ocspTimeout))
+            tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
+        String strictCiphers = connector.getAttribute("strictCiphers");
+        if (strictCiphers != null)
+            tomcatjss.setStrictCiphers(strictCiphers);
+        String sslVersionRangeStream = connector.getAttribute("sslVersionRangeStream");
+        if (sslVersionRangeStream != null)
+            tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
+        String sslVersionRangeDatagram = connector.getAttribute("sslVersionRangeDatagram");
+        if (sslVersionRangeDatagram != null)
+            tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
+        String sslRangeCiphers = connector.getAttribute("sslRangeCiphers");
+        if (sslRangeCiphers != null)
+            tomcatjss.setSslRangeCiphers(sslRangeCiphers);
+        String sslOptions = connector.getAttribute("sslOptions");
+        if (sslOptions != null)
+            tomcatjss.setSslOptions(sslOptions);
+        String ssl2Ciphers = connector.getAttribute("ssl2Ciphers");
+        if (ssl2Ciphers != null)
+            tomcatjss.setSsl2Ciphers(ssl2Ciphers);
+        String ssl3Ciphers = connector.getAttribute("ssl3Ciphers");
+        if (ssl3Ciphers != null)
+            tomcatjss.setSsl3Ciphers(ssl3Ciphers);
+        String tlsCiphers = connector.getAttribute("tlsCiphers");
+        if (tlsCiphers != null)
+            tomcatjss.setTlsCiphers(tlsCiphers);
+    }
+}
--- a/src/org/dogtagpki/tomcat/JSSTrustManager.java
+++ b/src/org/dogtagpki/tomcat/JSSTrustManager.java
+/* BEGIN COPYRIGHT BLOCK
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * Copyright (C) 2017 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+package org.dogtagpki.tomcat;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import javax.net.ssl.X509TrustManager;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.NotInitializedException;
+import org.mozilla.jss.netscape.security.util.Cert;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import sun.security.x509.X509CertImpl;
+public class JSSTrustManager implements X509TrustManager {
+    final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
+    final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
+    final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
+    public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
+        logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
+        // sort cert chain from root to leaf
+        certChain = Cert.sortCertificateChain(certChain);
+        for (X509Certificate cert : certChain) {
+            logger.debug("JSSTrustManager:  - " + cert.getSubjectDN());
+        }
+        // get CA certs
+        X509Certificate[] caCerts = getAcceptedIssuers();
+        // validating cert chain from root to leaf
+        for (int i = 0; i < certChain.length; i++) {
+            X509Certificate cert = certChain[i];
+            // validating key usage on leaf cert only
+            String usage;
+            if (i == certChain.length - 1) {
+                usage = keyUsage;
+            } else {
+                usage = null;
+            }
+            checkCert(cert, caCerts, usage);
+            // use the current cert as the CA cert for the next cert in the chain
+            caCerts = new X509Certificate[] { cert };
+        }
+    }
+    public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
+        logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
+        boolean[] aki = cert.getIssuerUniqueID();
+        logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
+        X509Certificate issuer = null;
+        for (X509Certificate caCert : caCerts) {
+            boolean[] ski = caCert.getSubjectUniqueID();
+            logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
+            try {
+                cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
+                issuer = caCert;
+                break;
+            } catch (Exception e) {
+                logger.debug("JSSTrustManager: invalid certificate: " + e);
+            }
+        }
+        if (issuer == null) {
+            throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
+        }
+        logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
+        logger.debug("JSSTrustManager: checking validity range:");
+        logger.debug("JSSTrustManager:  - not before: " + cert.getNotBefore());
+        logger.debug("JSSTrustManager:  - not after: " + cert.getNotAfter());
+        cert.checkValidity();
+        if (keyUsage != null) {
+            List<String> extendedKeyUsages = cert.getExtendedKeyUsage();
+            logger.debug("JSSTrustManager: checking extended key usages:");
+            for (String extKeyUsage : extendedKeyUsages) {
+                logger.debug("JSSTrustManager:  - " + extKeyUsage);
+            }
+            if (extendedKeyUsages.contains(keyUsage)) {
+                logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
+            } else {
+                throw new CertificateException("Missing extended key usage: " + keyUsage);
+            }
+        }
+    }
+    @Override
+    public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
+        logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
+        try {
+            checkCertChain(certChain, CLIENT_AUTH_OID);
+            logger.debug("JSSTrustManager: SSL client certificate is valid");
+        } catch (CertificateException e) {
+            logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
+            throw e;
+        } catch (Exception e) {
+            logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
+            throw new CertificateException(e);
+        }
+    }
+    @Override
+    public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
+        logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
+        try {
+            checkCertChain(certChain, SERVER_AUTH_OID);
+            logger.debug("JSSTrustManager: SSL server certificate is valid");
+        } catch (CertificateException e) {
+            logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
+            throw e;
+        } catch (Exception e) {
+            logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
+            throw new CertificateException(e);
+        }
+    }
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        logger.debug("JSSTrustManager: getAcceptedIssuers():");
+        Collection<X509Certificate> caCerts = new ArrayList<>();
+        try {
+            CryptoManager manager = CryptoManager.getInstance();
+            for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
+                logger.debug("JSSTrustManager:  - " + cert.getSubjectDN());
+                try {
+                    X509CertImpl caCert = new X509CertImpl(cert.getEncoded());
+                    caCert.checkValidity();
+                    caCerts.add(caCert);
+                } catch (Exception e) {
+                    logger.debug("JSSTrustManager: invalid CA certificate: " + e);
+                }
+            }
+        } catch (NotInitializedException e) {
+            logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e);
+            throw new RuntimeException(e);
+        }
+        return caCerts.toArray(new X509Certificate[caCerts.size()]);
+    }
+}
--- a/tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSSupport.java
+++ b/tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSSupport.java
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- * Copyright (C) 2018 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-package org.apache.tomcat.util.net.jss;
-import java.io.IOException;
-import java.security.cert.X509Certificate;
-import org.apache.tomcat.util.net.SSLSupport;
-public class JSSSupport implements SSLSupport {
-    @Override
-    public String getCipherSuite() throws IOException {
-        return null;
-    }
-    @Override
-    public Integer getKeySize() throws IOException {
-        return null;
-    }
-    @Override
-    public X509Certificate[] getPeerCertificateChain() throws IOException {
-        return null;
-    }
-    @Override
-    public String getProtocol() throws IOException {
-        return null;
-    }
-    @Override
-    public String getSessionId() throws IOException {
-        return null;
-    }
- }
--- a/tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSImplementation.java
+++ b/tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSImplementation.java
@@ -13,34 +13,38 @@
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 *
- * Copyright (C) 2018 Red Hat, Inc.
+ * Copyright (C) 2007 Red Hat, Inc.
 * All rights reserved.
 * END COPYRIGHT BLOCK */
-package org.apache.tomcat.util.net.jss;
+package org.dogtagpki.tomcat;
-import javax.net.ssl.SSLSession;
+import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
-import org.apache.tomcat.util.net.SSLImplementation;
-import org.apache.tomcat.util.net.SSLSupport;
 import org.apache.tomcat.util.net.SSLUtil;
+import org.apache.tomcat.util.net.jsse.JSSEImplementation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
-public class JSSImplementation extends SSLImplementation {
+public class JSSImplementation extends JSSEImplementation {
-    @Override
+    public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
-    public SSLSupport getSSLSupport(SSLSession session) {
-        return new JSSSupport();
+    public JSSImplementation() {
+        logger.debug("JSSImplementation: instance created");
    }
    @Override
    public SSLUtil getSSLUtil(SSLHostConfigCertificate cert) {
-        return new JSSUtil();
+        logger.debug("JSSImplementation: getSSLUtil()");
-    }
+        logger.debug("JSSImplementation: key alias: " + cert.getCertificateKeyAlias());
+        logger.debug("JSSImplementation: keystore provider: " + cert.getCertificateKeystoreProvider());
-    @Override
+        SSLHostConfig hostConfig = cert.getSSLHostConfig();
-    public boolean isAlpnSupported() {
+        logger.debug("JSSImplementation: key manager alg: " + hostConfig.getKeyManagerAlgorithm());
-        return false;
+        logger.debug("JSSImplementation: truststore alg: " + hostConfig.getTruststoreAlgorithm());
-    }
+        logger.debug("JSSImplementation: truststore provider: " + hostConfig.getTruststoreProvider());
+        return new JSSUtil(cert);
+    }
 }
--- a/tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSUtil.java
+++ b/tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSUtil.java
@@ -17,45 +17,37 @@
 * All rights reserved.
 * END COPYRIGHT BLOCK */
-package org.apache.tomcat.util.net.jss;
+package org.dogtagpki.tomcat;
-import java.util.List;
 import javax.net.ssl.KeyManager;
-import javax.net.ssl.SSLSessionContext;
 import javax.net.ssl.TrustManager;
-import org.apache.tomcat.util.net.SSLContext;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
-import org.apache.tomcat.util.net.SSLUtil;
+import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
+import org.apache.tomcat.util.net.jsse.JSSEUtil;
-public class JSSUtil implements SSLUtil {
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
-    @Override
-    public void configureSessionContext(SSLSessionContext arg0) {
-    }
-    @Override
+public class JSSUtil extends JSSEUtil {
-    public SSLContext createSSLContext(List<String> arg0) throws Exception {
-        return null;
-    }
-    @Override
+    public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
-    public String[] getEnabledCiphers() throws IllegalArgumentException {
-        return null;
-    }
-    @Override
+    public JSSUtil(SSLHostConfigCertificate cert) {
-    public String[] getEnabledProtocols() throws IllegalArgumentException {
+        super(cert);
-        return null;
+        logger.debug("JSSUtil: instance created");
    }
    @Override
    public KeyManager[] getKeyManagers() throws Exception {
-        return null;
+        logger.debug("JSSUtil: getKeyManagers()");
+        String keyAlias = certificate.getCertificateKeyAlias();
+        KeyManager keyManager = new JSSEKeyManager(new JSSKeyManager(), keyAlias);
+        return new KeyManager[] { keyManager };
    }
    @Override
    public TrustManager[] getTrustManagers() throws Exception {
-        return null;
+        logger.debug("JSSUtil: getTrustManagers()");
+        return new TrustManager[] { new JSSTrustManager() };
    }
 }
--- a/tomcatjss.spec
+++ b/tomcatjss.spec
@@ -7,7 +7,7 @@ URL:              http://www.dogtagpki.org/wiki/TomcatJSS
 License:          LGPLv2+
 BuildArch:        noarch
-Version:          7.3.6
+Version:          7.4.0
 Release:          1%{?_timestamp}%{?_commit_id}%{?dist}
 # global           _phase -a1
@@ -57,7 +57,7 @@ BuildRequires:    slf4j-jdk14
 %if 0%{?rhel} && 0%{?rhel} <= 7
 BuildRequires:    jss >= 4.4.0-7
 %else
-BuildRequires:    jss >= 4.5.0-1
+BuildRequires:    jss >= 4.5.3
 %endif
 # Tomcat
@@ -70,10 +70,14 @@ BuildRequires:    tomcat >= 8.0.49
 %if 0%{?fedora} && 0%{?fedora} <= 28
 BuildRequires:    tomcat >= 1:8.5.23
 %else
+%if 0%{?rhel}
+BuildRequires:    pki-servlet-engine >= 1:9.0.7
+%else
 BuildRequires:    tomcat >= 1:9.0.7
 %endif
 %endif
 %endif
+%endif
 ################################################################################
 # Runtime Dependencies
@@ -90,7 +94,7 @@ Requires:         jpackage-utils >= 0:1.7.5-15
 # SLF4J
 Requires:         slf4j
-%if 0%{?rhel} && 0%{?rhel} <= 7
+%if 0%{?rhel}
 # no slf4j-jdk14
 %else
 Requires:         slf4j-jdk14
@@ -100,7 +104,7 @@ Requires:         slf4j-jdk14
 %if 0%{?rhel} && 0%{?rhel} <= 7
 Requires:         jss >= 4.4.0-7
 %else
-Requires:         jss >= 4.5.0-1
+Requires:         jss >= 4.5.3
 %endif
 # Tomcat
@@ -113,10 +117,14 @@ Requires:         tomcat >= 8.0.49
 %if 0%{?fedora} && 0%{?fedora} <= 28
 Requires:         tomcat >= 1:8.5.23
 %else
+%if 0%{?rhel}
+Requires:         pki-servlet-engine >= 1:9.0.7
+%else
 Requires:         tomcat >= 1:9.0.7
 %endif
 %endif
 %endif
+%endif
 # The 'tomcatjss' package conflicts with the 'tomcat-native' package
 # because it uses an underlying NSS security model rather than the