View | Details | Raw Unified | Return to bug 34868
Collapse All | Expand All

(-)http11/src/java/org/apache/coyote/http11/Http11Processor.java (+4 lines)
Lines 1048-1053 Link Here
1048
                    if (sslO != null)
1048
                    if (sslO != null)
1049
                        request.setAttribute
1049
                        request.setAttribute
1050
                            (SSLSupport.SESSION_ID_KEY, sslO);
1050
                            (SSLSupport.SESSION_ID_KEY, sslO);
1051
                    sslO = sslSupport.isClientCertificateTrusted();
1052
                    if (sslO != null) {
1053
                    	request.setAttribute(SSLSupport.CLIENT_CERTIFICATE_TRUSTED,sslO);
1054
                    }
1051
                }
1055
                }
1052
            } catch (Exception e) {
1056
            } catch (Exception e) {
1053
                log.warn(sm.getString("http11processor.socket.ssl"), e);
1057
                log.warn(sm.getString("http11processor.socket.ssl"), e);
(-)util/java/org/apache/tomcat/util/net/jsse/JSSE13Factory.java (-2 / +5 lines)
Lines 30-43 Link Here
30
30
31
class JSSE13Factory implements JSSEFactory {
31
class JSSE13Factory implements JSSEFactory {
32
32
33
    JSSE13AllTrustingX509TrustManager atm;
34
33
    JSSE13Factory() {
35
    JSSE13Factory() {
36
    	atm = new JSSE13AllTrustingX509TrustManager();
34
    }
37
    }
35
38
36
    public ServerSocketFactory getSocketFactory() {
39
    public ServerSocketFactory getSocketFactory() {
37
        return new JSSE13SocketFactory();
40
        return new JSSE13SocketFactory(atm);
38
    }
41
    }
39
42
40
    public SSLSupport getSSLSupport(Socket socket) {
43
    public SSLSupport getSSLSupport(Socket socket) {
41
        return new JSSESupport((SSLSocket)socket);
44
        return new JSSE13Support((SSLSocket)socket,atm);
42
    }
45
    }
43
}
46
}
(-)util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java (-1 / +2 lines)
Lines 40-46 Link Here
40
   Parts cribbed from CertificatesValve
40
   Parts cribbed from CertificatesValve
41
*/
41
*/
42
42
43
class JSSESupport implements SSLSupport {
43
abstract class JSSESupport implements SSLSupport {
44
    private static org.apache.commons.logging.Log log =
44
    private static org.apache.commons.logging.Log log =
45
	org.apache.commons.logging.LogFactory.getLog(JSSESupport.class);
45
	org.apache.commons.logging.LogFactory.getLog(JSSESupport.class);
46
46
Lines 173-178 Link Here
173
        return buf.toString();
173
        return buf.toString();
174
    }
174
    }
175
175
176
    public abstract Boolean isClientCertificateTrusted() throws IOException;
176
177
177
}
178
}
178
179
(-)util/java/org/apache/tomcat/util/net/jsse/JSSE14Factory.java (-2 / +5 lines)
Lines 30-43 Link Here
30
30
31
class JSSE14Factory implements JSSEFactory {
31
class JSSE14Factory implements JSSEFactory {
32
32
33
    protected JSSE14AllTrustingX509TrustManager atm;
34
33
    JSSE14Factory() {
35
    JSSE14Factory() {
36
    	atm = new JSSE14AllTrustingX509TrustManager();
34
    }
37
    }
35
38
36
    public ServerSocketFactory getSocketFactory() {
39
    public ServerSocketFactory getSocketFactory() {
37
	return new JSSE14SocketFactory();
40
    	return new JSSE14SocketFactory(atm);
38
    }
41
    }
39
42
40
    public SSLSupport getSSLSupport(Socket socket) {
43
    public SSLSupport getSSLSupport(Socket socket) {
41
	return new JSSE14Support((SSLSocket)socket);
44
    	return new JSSE14Support((SSLSocket)socket,atm);
42
    }
45
    }
43
}
46
}
(-)util/java/org/apache/tomcat/util/net/jsse/JSSE15Factory.java (-1 / +1 lines)
Lines 35-41 Link Here
35
    }
35
    }
36
36
37
    public ServerSocketFactory getSocketFactory() {
37
    public ServerSocketFactory getSocketFactory() {
38
        return new JSSE15SocketFactory();
38
        return new JSSE15SocketFactory(atm);
39
    }
39
    }
40
40
41
}
41
}
(-)util/java/org/apache/tomcat/util/net/jsse/JSSE13Support.java (+43 lines)
Line 0 Link Here
1
/*
2
 *  Copyright 1999-2004 The Apache Software Foundation
3
 *
4
 *  Licensed under the Apache License, Version 2.0 (the "License");
5
 *  you may not use this file except in compliance with the License.
6
 *  You may obtain a copy of the License at
7
 *
8
 *      http://www.apache.org/licenses/LICENSE-2.0
9
 *
10
 *  Unless required by applicable law or agreed to in writing, software
11
 *  distributed under the License is distributed on an "AS IS" BASIS,
12
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
 *  See the License for the specific language governing permissions and
14
 *  limitations under the License.
15
 */
16
17
package org.apache.tomcat.util.net.jsse;
18
19
import java.io.IOException;
20
import java.security.cert.X509Certificate;
21
22
import javax.net.ssl.SSLSocket;
23
24
public class JSSE13Support extends JSSESupport {
25
26
    protected JSSE13AllTrustingX509TrustManager atm;
27
28
    public JSSE13Support(SSLSocket sock,JSSE13AllTrustingX509TrustManager atm) {
29
        super(sock);
30
        this.atm = atm;
31
    }
32
33
    public Boolean isClientCertificateTrusted() throws IOException {
34
        if (atm.isInitialized()) {
35
            X509Certificate[] chain = (X509Certificate[]) this.getPeerCertificateChain();
36
            if (chain != null && chain.length >= 1) {
37
            	return new Boolean(atm.isClientTrusted(chain));
38
            }
39
        }
40
        return null;
41
    }
42
43
}
(-)util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java (-1 / +23 lines)
Lines 21-26 Link Here
21
import java.io.InputStream;
21
import java.io.InputStream;
22
import java.net.SocketException;
22
import java.net.SocketException;
23
import java.security.cert.Certificate;
23
import java.security.cert.Certificate;
24
import java.security.cert.CertificateException;
24
import java.security.cert.CertificateFactory;
25
import java.security.cert.CertificateFactory;
25
import java.security.cert.X509Certificate;
26
import java.security.cert.X509Certificate;
26
27
Lines 52-59 Link Here
52
53
53
    Listener listener = new Listener();
54
    Listener listener = new Listener();
54
55
55
    public JSSE14Support(SSLSocket sock){
56
    protected JSSE14AllTrustingX509TrustManager atm;
57
58
    public JSSE14Support(SSLSocket sock,JSSE14AllTrustingX509TrustManager atm){
56
        super(sock);
59
        super(sock);
60
        this.atm = atm;
57
        sock.addHandshakeCompletedListener(listener);
61
        sock.addHandshakeCompletedListener(listener);
58
    }
62
    }
59
63
Lines 143-148 Link Here
143
	return x509Certs;
147
	return x509Certs;
144
    }
148
    }
145
149
150
    public Boolean isClientCertificateTrusted() throws IOException {
151
        if (atm.isInitialized()) {
152
            try {
153
                X509Certificate[] chain = (X509Certificate[]) this.getPeerCertificateChain();
154
                // get the authentication type from the client certificate
155
                if (chain != null && chain.length > 0) {
156
                    String authType = chain[0].getPublicKey().getAlgorithm();
157
                    atm.forceCheckClientTrusted(chain,authType);
158
                } else {
159
                    return null;
160
                }
161
            } catch (CertificateException ce) {
162
                return new Boolean(false);
163
            }
164
            return new Boolean(true);
165
        }
166
        return null;
167
    }
146
168
147
    private static class Listener implements HandshakeCompletedListener {
169
    private static class Listener implements HandshakeCompletedListener {
148
        volatile boolean completed = false;
170
        volatile boolean completed = false;
(-)util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java (-1 / +35 lines)
Lines 49-57 Link Here
49
     * Flag for client authentication
49
     * Flag for client authentication
50
     */
50
     */
51
    protected boolean clientAuth = false;
51
    protected boolean clientAuth = false;
52
    
53
    protected JSSE13AllTrustingX509TrustManager atm;
52
54
53
    public JSSE13SocketFactory () {
55
    public JSSE13SocketFactory (JSSE13AllTrustingX509TrustManager atm) {
54
        super();
56
        super();
57
        this.atm = atm;
55
    }
58
    }
56
59
57
    /**
60
    /**
Lines 89-94 Link Here
89
            // Certificate encoding algorithm (e.g., SunX509)
92
            // Certificate encoding algorithm (e.g., SunX509)
90
            String algorithm = (String)attributes.get("algorithm");
93
            String algorithm = (String)attributes.get("algorithm");
91
            if (algorithm == null) algorithm = defaultAlgorithm;
94
            if (algorithm == null) algorithm = defaultAlgorithm;
95
            
96
            String acceptUntrustedCertStr = (String)attributes.get("acceptUntrustedCertificates");
97
            boolean acceptUntrustedCert = false;
98
            if ("true".equals(acceptUntrustedCertStr) ||
99
            	"yes".equals(acceptUntrustedCertStr)) {
100
            	acceptUntrustedCert = true;
101
            }
92
102
93
            // Set up KeyManager, which will extract server key
103
            // Set up KeyManager, which will extract server key
94
            com.sun.net.ssl.KeyManagerFactory kmf = 
104
            com.sun.net.ssl.KeyManagerFactory kmf = 
Lines 114-119 Link Here
114
                tmf.init(trustStore);
124
                tmf.init(trustStore);
115
                tm = tmf.getTrustManagers();
125
                tm = tmf.getTrustManagers();
116
            }
126
            }
127
            
128
            if (acceptUntrustedCert) {
129
            
130
                /*
131
                 * Get the first instance of an com.sun.net.ssl.X509TrustManager and wrap the
132
                 * JSSE13PlugableX509TrustManager around it.
133
                 * Depends on the current implementation of SSLContext, which
134
                 * only supports X509TrustManagers.
135
                 */
136
                if (tm == null) {
137
                    com.sun.net.ssl.TrustManagerFactory tmf = com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509");
138
                    tmf.init((KeyStore) null);
139
                    tm = tmf.getTrustManagers();
140
                }
141
                if (tm != null) {
142
                    for (int i = 0; i < tm.length;i++) {
143
                        if (tm[i] instanceof com.sun.net.ssl.X509TrustManager) {
144
                            atm.init((com.sun.net.ssl.X509TrustManager) tm[i]);
145
                            tm[i] = atm;
146
                            break;
147
                        }
148
                    }
149
                }
150
            }
117
151
118
            // Create and init SSLContext
152
            // Create and init SSLContext
119
            com.sun.net.ssl.SSLContext context = 
153
            com.sun.net.ssl.SSLContext context = 
(-)util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java (-3 / +40 lines)
Lines 29-34 Link Here
29
import javax.net.ssl.TrustManager;
29
import javax.net.ssl.TrustManager;
30
import javax.net.ssl.TrustManagerFactory;
30
import javax.net.ssl.TrustManagerFactory;
31
import javax.net.ssl.X509KeyManager;
31
import javax.net.ssl.X509KeyManager;
32
import javax.net.ssl.X509TrustManager;
32
33
33
import org.apache.tomcat.util.res.StringManager;
34
import org.apache.tomcat.util.res.StringManager;
34
35
Lines 65-72 Link Here
65
     */
66
     */
66
    protected boolean wantClientAuth    = false;
67
    protected boolean wantClientAuth    = false;
67
68
68
    public JSSE14SocketFactory () {
69
    JSSE14AllTrustingX509TrustManager atm;
69
        super();
70
71
    public JSSE14SocketFactory (JSSE14AllTrustingX509TrustManager atm) {
72
        this.atm = atm;
70
    }
73
    }
71
74
72
    /**
75
    /**
Lines 104-114 Link Here
104
	    if( trustAlgorithm == null ) {
107
	    if( trustAlgorithm == null ) {
105
		trustAlgorithm = algorithm;
108
		trustAlgorithm = algorithm;
106
	    }
109
	    }
110
111
            String acceptUntrustedCertStr = (String)attributes.get("acceptUntrustedCertificates");
112
            boolean acceptUntrustedCert = false;
113
            if ("true".equals(acceptUntrustedCertStr) ||
114
            	"yes".equals(acceptUntrustedCertStr)) {
115
            	acceptUntrustedCert = true;
116
            }
117
118
            TrustManager[] tms = getTrustManagers(keystoreType, trustAlgorithm);
119
120
            if (acceptUntrustedCert) {
121
122
            	/*
123
            	 * Get the first instance of an X509TrustManager and wrap the
124
            	 * JSSE14PlugableX509TrustManager around it.
125
            	 * Depends on the current implementation of SSLContext, which
126
            	 * only supports X509TrustManagers.
127
            	 */
128
            	if (tms == null) {
129
		    TrustManagerFactory tmf = TrustManagerFactory.getInstance(trustAlgorithm);
130
		    tmf.init((KeyStore) null);
131
		    tms = tmf.getTrustManagers();
132
            	}
133
            	if (tms != null) {
134
		    for (int i = 0; i < tms.length;i++) {
135
			if (tms[i] instanceof X509TrustManager) {
136
			    atm.init((javax.net.ssl.X509TrustManager) tms[i]);
137
			    tms[i] = atm;
138
			    break;
139
			}
140
		    }
141
            	}
142
            }
143
107
            // Create and init SSLContext
144
            // Create and init SSLContext
108
            SSLContext context = SSLContext.getInstance(protocol); 
145
            SSLContext context = SSLContext.getInstance(protocol); 
109
            context.init(getKeyManagers(keystoreType, algorithm,
146
            context.init(getKeyManagers(keystoreType, algorithm,
110
                                        (String) attributes.get("keyAlias")),
147
                                        (String) attributes.get("keyAlias")),
111
                         getTrustManagers(keystoreType, trustAlgorithm),
148
                         tms,
112
                         new SecureRandom());
149
                         new SecureRandom());
113
150
114
            // create proxy
151
            // create proxy
(-)util/java/org/apache/tomcat/util/net/jsse/JSSE15SocketFactory.java (-2 / +2 lines)
Lines 49-56 Link Here
49
    private static org.apache.commons.logging.Log log =
49
    private static org.apache.commons.logging.Log log =
50
        org.apache.commons.logging.LogFactory.getLog(JSSE15SocketFactory.class);
50
        org.apache.commons.logging.LogFactory.getLog(JSSE15SocketFactory.class);
51
51
52
    public JSSE15SocketFactory() {
52
    public JSSE15SocketFactory(JSSE14AllTrustingX509TrustManager atm) {
53
        super();
53
        super(atm);
54
    }
54
    }
55
55
56
56
(-)util/java/org/apache/tomcat/util/net/jsse/JSSE13AllTrustingX509TrustManager.java (+68 lines)
Line 0 Link Here
1
/*
2
 *  Copyright 1999-2004 The Apache Software Foundation
3
 *
4
 *  Licensed under the Apache License, Version 2.0 (the "License");
5
 *  you may not use this file except in compliance with the License.
6
 *  You may obtain a copy of the License at
7
 *
8
 *      http://www.apache.org/licenses/LICENSE-2.0
9
 *
10
 *  Unless required by applicable law or agreed to in writing, software
11
 *  distributed under the License is distributed on an "AS IS" BASIS,
12
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
 *  See the License for the specific language governing permissions and
14
 *  limitations under the License.
15
 */
16
17
package org.apache.tomcat.util.net.jsse;
18
19
20
import java.security.cert.X509Certificate;
21
22
import com.sun.net.ssl.X509TrustManager;
23
24
/**
25
 * Wrapper for an X509TrustManager: Accepts all client certificates, even expired.
26
 * 
27
 * @author Armin Häberling
28
 */
29
public class JSSE13AllTrustingX509TrustManager implements X509TrustManager {
30
31
    protected X509TrustManager tm;
32
    protected boolean initialized = false;
33
34
    JSSE13AllTrustingX509TrustManager() {
35
    }
36
37
    void init(X509TrustManager tm) {
38
        this.tm = tm;
39
        initialized = true;
40
    }
41
42
    public boolean isInitialized() {
43
        return initialized;
44
    }
45
46
    public boolean isClientTrusted(X509Certificate[] chain) {
47
        return true;
48
    }
49
50
    public boolean isServerTrusted(X509Certificate[] chain) {
51
        if (tm != null) {
52
            return tm.isServerTrusted(chain);
53
        }
54
        return true;
55
    }
56
57
    public X509Certificate[] getAcceptedIssuers() {
58
        return new X509Certificate[0];
59
    }
60
61
    public boolean forceIsClientTrusted(X509Certificate[] chain) {
62
        if (tm != null) {
63
            return tm.isClientTrusted(chain);
64
        }
65
        return true;
66
    }
67
68
}
(-)util/java/org/apache/tomcat/util/net/jsse/JSSE14AllTrustingX509TrustManager.java (+69 lines)
Line 0 Link Here
1
/*
2
 *  Copyright 1999-2004 The Apache Software Foundation
3
 *
4
 *  Licensed under the Apache License, Version 2.0 (the "License");
5
 *  you may not use this file except in compliance with the License.
6
 *  You may obtain a copy of the License at
7
 *
8
 *      http://www.apache.org/licenses/LICENSE-2.0
9
 *
10
 *  Unless required by applicable law or agreed to in writing, software
11
 *  distributed under the License is distributed on an "AS IS" BASIS,
12
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
 *  See the License for the specific language governing permissions and
14
 *  limitations under the License.
15
 */
16
17
package org.apache.tomcat.util.net.jsse;
18
19
20
import java.security.cert.CertificateException;
21
import java.security.cert.X509Certificate;
22
23
import javax.net.ssl.X509TrustManager;
24
25
/**
26
 * Wrapper for an X509TrustManager: Accepts all client certificates, even expired.
27
 * 
28
 * @author Armin Häberling
29
 */
30
public class JSSE14AllTrustingX509TrustManager implements X509TrustManager {
31
32
    protected X509TrustManager tm;
33
    protected boolean initialized = false;
34
35
    JSSE14AllTrustingX509TrustManager() {
36
    }
37
38
    void init(X509TrustManager tm) {
39
        this.tm = tm;
40
        initialized = true;
41
    }
42
43
    public boolean isInitialized() {
44
        return initialized;
45
    }
46
47
    public void checkClientTrusted(X509Certificate[] chain, String authType)
48
        throws CertificateException {
49
    }
50
51
    public void checkServerTrusted(X509Certificate[] chain, String authType)
52
        throws CertificateException {
53
        if (tm != null) {
54
            tm.checkServerTrusted(chain,authType);
55
        }
56
    }
57
58
    public X509Certificate[] getAcceptedIssuers() {
59
        return new X509Certificate[0];
60
    }
61
62
    public void forceCheckClientTrusted(X509Certificate[] chain, String authType)
63
        throws CertificateException {
64
        if (tm != null) {
65
            tm.checkClientTrusted(chain,authType);
66
        }
67
    }
68
69
}
(-)util/java/org/apache/tomcat/util/net/puretls/PureTLSSupport.java (+4 lines)
Lines 133-138 Link Here
133
        return HexUtils.convert(ssl_session);
133
        return HexUtils.convert(ssl_session);
134
    }
134
    }
135
135
136
    public Boolean isClientCertificateTrusted() {
137
    	return null;
138
    }
139
136
}
140
}
137
141
138
142
(-)util/java/org/apache/tomcat/util/net/SSLSupport.java (+13 lines)
Lines 46-51 Link Here
46
     * This one is a Tomcat extension to the Servlet spec.
46
     * This one is a Tomcat extension to the Servlet spec.
47
     */
47
     */
48
    public static final String SESSION_ID_KEY = "javax.servlet.request.ssl_session";
48
    public static final String SESSION_ID_KEY = "javax.servlet.request.ssl_session";
49
    
50
    /**
51
     * The Request attribute key which returns if the client certificate is trusted
52
     * Only used if untrusted certificates are accepted
53
     */
54
    public static final String CLIENT_CERTIFICATE_TRUSTED = "javax.servlet.request.ClientCertificateTrusted";
49
55
50
    /**
56
    /**
51
     * A mapping table to determine the number of effective bits in the key
57
     * A mapping table to determine the number of effective bits in the key
Lines 104-110 Link Here
104
     */
110
     */
105
    public String getSessionId()
111
    public String getSessionId()
106
        throws IOException;
112
        throws IOException;
113
    
107
    /**
114
    /**
115
     * Check if the client certificate is trusted
116
     * @throws IOException
117
     */
118
    public Boolean isClientCertificateTrusted() throws IOException;
119
    
120
    /**
108
     * Simple data class that represents the cipher being used, along with the
121
     * Simple data class that represents the cipher being used, along with the
109
     * corresponding effective key size.  The specified phrase must appear in the
122
     * corresponding effective key size.  The specified phrase must appear in the
110
     * name of the cipher suite to be recognized.
123
     * name of the cipher suite to be recognized.

Return to bug 34868