
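--- a/java/org/apache/catalina/valves/LocalStrings.properties
+++ b/java/org/apache/catalina/valves/LocalStrings.properties
@@ -44,6 +44,8 @@
 # Remote IP valve
 remoteIpValve.syntax=Invalid regular expressions [{0}] provided.
 
+sslValve.invalidProvider=The SSL provider specified on the connector associated with this request of [{0}] is invalid. The certificate data could not be processed.
+
 # HTTP status reports
 http.100=The client may continue ({0}).
 http.101=The server is switching protocols according to the "Upgrade" header ({0}).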
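--- a/java/org/apache/catalina/valves/SSLValve.java
+++ b/java/org/apache/catalina/valves/SSLValve.java
@@ -20,6 +20,7 @@
 import java.io.IOException;
 import java.io.ByteArrayInputStream;
 
+import java.security.NoSuchProviderException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 
@@ -28,7 +29,8 @@
 import org.apache.catalina.valves.ValveBase;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
-import org.apache.catalina.util.StringManager;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
 
 /*
  * Valve to fill the SSL informations in the request
@@ -46,8 +48,10 @@
  * @version $Id$
  */
 
-public class SSLValve
-    extends ValveBase {
+public class SSLValve extends ValveBase {
+
+    private static final Log log = LogFactory.getLog(SSLValve.class);
+
 /*
     private static final String info =
         "SSLValve/1.0";
@@ -87,14 +91,25 @@
             // ByteArrayInputStream bais = new ByteArrayInputStream(strcerts.getBytes("UTF-8"));
             ByteArrayInputStream bais = new ByteArrayInputStream(strcerts.getBytes());
             X509Certificate jsseCerts[] = null;
+            String providerName = (String) request.getConnector().getProperty(
+                    "clientCertProvider");
             try {
-                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                CertificateFactory cf;
+                if (providerName == null) {
+                    cf = CertificateFactory.getInstance("X.509");
+                } else {
+                    cf = CertificateFactory.getInstance("X.509", providerName);
+                }
                 X509Certificate cert = (X509Certificate) cf.generateCertificate(bais);
                 jsseCerts = new X509Certificate[1];
                 jsseCerts[0] = cert;
             } catch (java.security.cert.CertificateException e) {
                 System.out.println("SSLValve failed " + strcerts);
                 System.out.println("SSLValve failed " + e);
+            } catch (NoSuchProviderException e) {
+                log.error(sm.getString(
+                        "sslValve.invalidProvider", providerName), e);
+
             }
             request.setAttribute("javax.servlet.request.X509Certificate", jsseCerts);
         }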
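Review bot: The provider name is taken from the connector with an unchecked `(String)` cast on every request (new lines 94-95), so if the property holder ever returns a non-String value the ClassCastException escapes invoke() on every request instead of surfacing as a configuration error. The declared return type of getProperty is not visible here, so this may be moot; if it is Object, `Object p = request.getConnector().getProperty("clientCertProvider");` followed by `String providerName = (p == null) ? null : p.toString();` confines the failure mode to a bad provider name, which the new catch already reports. The new catch logs through `log`, while the CertificateException branch just above still writes to System.out; with the `log` field now present, `log.error("SSLValve failed " + strcerts, e);` would keep both failure paths in the server log. The enclosing invoke() starts and ends outside the hunk.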
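--- a/java/org/apache/coyote/ajp/AjpAprProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpAprProcessor.java
@@ -22,6 +22,7 @@
 import java.io.InterruptedIOException;
 import java.net.InetAddress;
 import java.nio.ByteBuffer;
+import java.security.NoSuchProviderException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 
@@ -334,6 +335,20 @@
     public void setRequiredSecret(String requiredSecret) { this.requiredSecret = requiredSecret; }
 
 
+    /**
+     * When client certificate information is presented in a form other than
+     * instances of {@link java.security.cert.X509Certificate} it needs to be
+     * converted before it can be used and this property controls which JSSE
+     * provider is used to perform the conversion. For example it is used with
+     * the AJP connectors, the HTTP APR connector and with the
+     * {@link org.apache.catalina.valves.SSLValve}. If not specified, the
+     * default provider will be used. 
+     */
+    protected String clientCertProvider = null;
+    public String getClientCertProvider() { return clientCertProvider; }
+    public void setClientCertProvider(String s) { this.clientCertProvider = s; }
+
+    
     // --------------------------------------------------------- Public Methods
 
 
@@ -555,8 +570,13 @@
                             certData.getLength());
                 // Fill the  elements.
                 try {
-                    CertificateFactory cf =
-                        CertificateFactory.getInstance("X.509");
+                    CertificateFactory cf;
+                    if (clientCertProvider == null) {
+                        cf = CertificateFactory.getInstance("X.509");
+                    } else {
+                        cf = CertificateFactory.getInstance("X.509",
+                                clientCertProvider);
+                    }
                     while(bais.available() > 0) {
                         X509Certificate cert = (X509Certificate)
                             cf.generateCertificate(bais);
@@ -573,6 +593,9 @@
                 } catch (java.security.cert.CertificateException e) {
                     log.error(sm.getString("ajpprocessor.certs.fail"), e);
                     return;
+                } catch (NoSuchProviderException e) {
+                    log.error(sm.getString("ajpprocessor.certs.fail"), e);
+                    return;
                 }
                 request.setAttribute(AprEndpoint.CERTIFICATE_KEY, jsseCerts);
             }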
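Review bot: The new `NoSuchProviderException` catch (new lines 596-598) reuses the "ajpprocessor.certs.fail" message, so an operator who mistypes clientCertProvider gets the same log line as a corrupt certificate blob from the proxy and must read the stack trace to tell the two apart; the matching catch in AjpProcessor (Lines 578-583) has the same issue. Appending the configured name, e.g. `log.error(sm.getString("ajpprocessor.certs.fail") + " [clientCertProvider=" + clientCertProvider + "]", e);`, makes the misconfiguration obvious from the first line. Because the provider is only resolved when the first client certificate arrives, a bad name is discovered at request time rather than at startup; setClientCertProvider could check `java.security.Security.getProvider(s)` and log a warning when it returns null, though whether a setter that may also be driven from JMX should validate is a judgement call. The enclosing method starts and ends outside the hunk.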
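--- a/java/org/apache/coyote/ajp/AjpAprProtocol.java
+++ b/java/org/apache/coyote/ajp/AjpAprProtocol.java
@@ -315,6 +315,21 @@
     public void setPollerSize(int pollerSize) { endpoint.setPollerSize(pollerSize); }
     public int getPollerSize() { return endpoint.getPollerSize(); }
 
+    
+    /**
+     * When client certificate information is presented in a form other than
+     * instances of {@link java.security.cert.X509Certificate} it needs to be
+     * converted before it can be used and this property controls which JSSE
+     * provider is used to perform the conversion. For example it is used with
+     * the AJP connectors, the HTTP APR connector and with the
+     * {@link org.apache.catalina.valves.SSLValve}. If not specified, the
+     * default provider will be used. 
+     */
+    protected String clientCertProvider = null;
+    public String getClientCertProvider() { return clientCertProvider; }
+    public void setClientCertProvider(String s) { this.clientCertProvider = s; }
+
+
     // --------------------------------------  AjpConnectionHandler Inner Class
 
 
@@ -421,6 +436,7 @@
             processor.setAdapter(proto.adapter);
             processor.setTomcatAuthentication(proto.tomcatAuthentication);
             processor.setRequiredSecret(proto.requiredSecret);
+            processor.setClientCertProvider(proto.getClientCertProvider());
             register(processor);
             return processor;
         }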
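Review bot: The Javadoc on the new clientCertProvider field (new lines 319-327) calls the value a "JSSE provider", but it is handed to `CertificateFactory.getInstance("X.509", provider)`, which looks up a java.security.Provider by name, so "the name of a JCA security provider registered with java.security.Security" would describe the expected value; the same wording is copied into AjpProtocol, Http11AprProtocol, Http11NioProtocol, Http11Protocol and the three processors. The value is also copied into each processor in createProcessor (new line 439), so a change made through the setter after startup only reaches processors created afterwards — worth a sentence in the Javadoc if processors are pooled, which the `register(processor)` call suggests but this hunk does not show. The enclosing createProcessor starts outside the hunk.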
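--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -24,6 +24,7 @@
 import java.io.OutputStream;
 import java.net.InetAddress;
 import java.net.Socket;
+import java.security.NoSuchProviderException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 
@@ -344,6 +345,20 @@
     public void setKeepAliveTimeout(int timeout) { keepAliveTimeout = timeout; }
 
 
+    /**
+     * When client certificate information is presented in a form other than
+     * instances of {@link java.security.cert.X509Certificate} it needs to be
+     * converted before it can be used and this property controls which JSSE
+     * provider is used to perform the conversion. For example it is used with
+     * the AJP connectors, the HTTP APR connector and with the
+     * {@link org.apache.catalina.valves.SSLValve}. If not specified, the
+     * default provider will be used. 
+     */
+    protected String clientCertProvider = null;
+    public String getClientCertProvider() { return clientCertProvider; }
+    public void setClientCertProvider(String s) { this.clientCertProvider = s; }
+
+
     // --------------------------------------------------------- Public Methods
 
 
@@ -560,8 +575,13 @@
                             certData.getLength());
                 // Fill the elements.
                 try {
-                    CertificateFactory cf =
-                        CertificateFactory.getInstance("X.509");
+                    CertificateFactory cf;
+                    if (clientCertProvider == null) {
+                        cf = CertificateFactory.getInstance("X.509");
+                    } else {
+                        cf = CertificateFactory.getInstance("X.509",
+                                clientCertProvider);
+                    }
                     while(bais.available() > 0) {
                         X509Certificate cert = (X509Certificate)
                             cf.generateCertificate(bais);
@@ -578,6 +598,9 @@
                 } catch (java.security.cert.CertificateException e) {
                     log.error(sm.getString("ajpprocessor.certs.fail"), e);
                     return;
+                } catch (NoSuchProviderException e) {
+                    log.error(sm.getString("ajpprocessor.certs.fail"), e);
+                    return;
                 }
                 request.setAttribute(JIoEndpoint.CERTIFICATE_KEY, jsseCerts);
             }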
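--- a/java/org/apache/coyote/ajp/AjpProtocol.java
+++ b/java/org/apache/coyote/ajp/AjpProtocol.java
@@ -308,6 +308,20 @@
     public void setKeepAliveTimeout(int timeout) { keepAliveTimeout = timeout; }
 
 
+    /**
+     * When client certificate information is presented in a form other than
+     * instances of {@link java.security.cert.X509Certificate} it needs to be
+     * converted before it can be used and this property controls which JSSE
+     * provider is used to perform the conversion. For example it is used with
+     * the AJP connectors, the HTTP APR connector and with the
+     * {@link org.apache.catalina.valves.SSLValve}. If not specified, the
+     * default provider will be used. 
+     */
+    protected String clientCertProvider = null;
+    public String getClientCertProvider() { return clientCertProvider; }
+    public void setClientCertProvider(String s) { this.clientCertProvider = s; }
+
+
     // --------------------------------------  AjpConnectionHandler Inner Class
 
 
@@ -407,6 +421,7 @@
             processor.setTomcatAuthentication(proto.tomcatAuthentication);
             processor.setRequiredSecret(proto.requiredSecret);
             processor.setKeepAliveTimeout(proto.keepAliveTimeout);
+            processor.setClientCertProvider(proto.getClientCertProvider());
             register(processor);
             return processor;
         }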
(-)java/org/apache/coyote/http11/Http11AprProcessor.java (-1 / +20 lines)
Lines 320-327 Link Here
320
    protected String server = null;
320
    protected String server = null;
321
321
322
    
322
    
323
    /**
324
     * When client certificate information is presented in a form other than
325
     * instances of {@link java.security.cert.X509Certificate} it needs to be
326
     * converted before it can be used and this property controls which JSSE
327
     * provider is used to perform the conversion. For example it is used with
328
     * the AJP connectors, the HTTP APR connector and with the
329
     * {@link org.apache.catalina.valves.SSLValve}. If not specified, the
330
     * default provider will be used. 
331
     */
332
    protected String clientCertProvider = null;
333
323
    // ------------------------------------------------------------- Properties
334
    // ------------------------------------------------------------- Properties
324
335
336
    public String getClientCertProvider() { return clientCertProvider; }
337
    public void setClientCertProvider(String s) { this.clientCertProvider = s; }
325
338
326
    /**
339
    /**
327
     * Return compression level.
340
     * Return compression level.
Lines 1151-1157 Link Here
1151
                    X509Certificate[] certs = null;
1164
                    X509Certificate[] certs = null;
1152
                    if (clientCert != null  && certLength > -1) {
1165
                    if (clientCert != null  && certLength > -1) {
1153
                        certs = new X509Certificate[certLength + 1];
1166
                        certs = new X509Certificate[certLength + 1];
1154
                        CertificateFactory cf = CertificateFactory.getInstance("X.509");
1167
                        CertificateFactory cf;
1168
                        if (clientCertProvider == null) {
1169
                            cf = CertificateFactory.getInstance("X.509"); 
1170
                        } else {
1171
                            cf = CertificateFactory.getInstance("X.509",
1172
                                    clientCertProvider); 
1173
                        }
1155
                        certs[0] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCert));
1174
                        certs[0] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCert));
1156
                        for (int i = 0; i < certLength; i++) {
1175
                        for (int i = 0; i < certLength; i++) {
1157
                            byte[] data = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
1176
                            byte[] data = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
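Review bot: No handler for `NoSuchProviderException` appears in this file's hunks, yet `CertificateFactory.getInstance("X.509", clientCertProvider)` (new lines 1171-1172) throws that checked exception; the enclosing try/catch and method signature are outside the hunk, so either a broad catch already covers it — in which case a mistyped provider name is reported with whatever generic message that catch uses — or it needs its own catch as the two AJP processors received in this same patch. A dedicated `catch (NoSuchProviderException e)` that names the configured provider would make the misconfiguration visible in the log at first failure. New lines 1169 and 1172 carry trailing whitespace after the semicolon. The enclosing method starts and ends outside the hunk.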
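--- a/java/org/apache/coyote/http11/Http11AprProtocol.java
+++ b/java/org/apache/coyote/http11/Http11AprProtocol.java
@@ -470,7 +470,22 @@
      */
     public int getSSLVerifyDepth() { return endpoint.getSSLVerifyDepth(); }
     public void setSSLVerifyDepth(int SSLVerifyDepth) { endpoint.setSSLVerifyDepth(SSLVerifyDepth); }
+
     
+    /**
+     * When client certificate information is presented in a form other than
+     * instances of {@link java.security.cert.X509Certificate} it needs to be
+     * converted before it can be used and this property controls which JSSE
+     * provider is used to perform the conversion. For example it is used with
+     * the AJP connectors, the HTTP APR connector and with the
+     * {@link org.apache.catalina.valves.SSLValve}. If not specified, the
+     * default provider will be used. 
+     */
+    protected String clientCertProvider = null;
+    public String getClientCertProvider() { return clientCertProvider; }
+    public void setClientCertProvider(String s) { this.clientCertProvider = s; }
+
+
     // --------------------  Connection handler --------------------
 
     static class Http11ConnectionHandler implements Handler {
@@ -628,6 +643,7 @@
             processor.setSocketBuffer(proto.socketBuffer);
             processor.setMaxSavePostSize(proto.maxSavePostSize);
             processor.setServer(proto.server);
+            processor.setClientCertProvider(proto.getClientCertProvider());
             register(processor);
             return processor;
         }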
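--- a/java/org/apache/coyote/http11/Http11NioProtocol.java
+++ b/java/org/apache/coyote/http11/Http11NioProtocol.java
@@ -582,8 +582,20 @@
     public boolean getSSLEnabled() { return ep.isSSLEnabled(); }
     public void setSSLEnabled(boolean SSLEnabled) { ep.setSSLEnabled(SSLEnabled); }
     
-    
+    /**
+     * When client certificate information is presented in a form other than
+     * instances of {@link java.security.cert.X509Certificate} it needs to be
+     * converted before it can be used and this property controls which JSSE
+     * provider is used to perform the conversion. For example it is used with
+     * the AJP connectors, the HTTP APR connector and with the
+     * {@link org.apache.catalina.valves.SSLValve}. If not specified, the
+     * default provider will be used. 
+     */
+    protected String clientCertProvider = null;
+    public String getClientCertProvider() { return clientCertProvider; }
+    public void setClientCertProvider(String s) { this.clientCertProvider = s; }
 
+
     // --------------------  Connection handler --------------------
 
     static class Http11ConnectionHandler implements Handler {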
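Review bot: Nothing in this patch consumes the value on the NIO side — the property and accessors are added (new lines 585-596) but no Http11NioProcessor hunk reads it, and the same holds for Http11Protocol (Lines 518-523). If these connectors obtain client certificates through JSSE they already hold X509Certificate instances and the conversion never runs, in which case the Javadoc should say so rather than imply the setting changes behaviour here; something like `Accepted on this connector so that the attribute is uniform across connectors; certificates obtained through JSSE need no conversion, so the value is not used here.` — to be confirmed against the processor, which is not in view. The enclosing class continues outside the hunk.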
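--- a/java/org/apache/coyote/http11/Http11Protocol.java
+++ b/java/org/apache/coyote/http11/Http11Protocol.java
@@ -518,6 +518,20 @@
         setAttribute("keyAlias", keyAlias);
     }
 
+    /**
+     * When client certificate information is presented in a form other than
+     * instances of {@link java.security.cert.X509Certificate} it needs to be
+     * converted before it can be used and this property controls which JSSE
+     * provider is used to perform the conversion. For example it is used with
+     * the AJP connectors, the HTTP APR connector and with the
+     * {@link org.apache.catalina.valves.SSLValve}. If not specified, the
+     * default provider will be used. 
+     */
+    protected String clientCertProvider = null;
+    public String getClientCertProvider() { return clientCertProvider; }
+    public void setClientCertProvider(String s) { this.clientCertProvider = s; }
+
+
     // -----------------------------------  Http11ConnectionHandler Inner Class
 
     protected static class Http11ConnectionHandler implements Handler {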
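--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -248,6 +248,17 @@
          (i.e. buffering disabled)</p>
     </attribute>
 
+    <attribute name="clientCertProvider" required="false">
+      <p>When client certificate information is presented in a form other than
+      instances of <code>java.security.cert.X509Certificate</code> it needs to
+      be converted before it can be used and this property controls which JSSE
+      provider is used to perform the conversion. For example it is used with
+      the AJP connectors, the <a href="http.html">HTTP APR connector</a> and
+      with the <a href="valve.html#SSL_Authenticator_Valve">
+      org.apache.catalina.valves.SSLValve</a>.If not specified, the default
+      provider will be used.</p>
+    </attribute>
+
     <attribute name="connectionTimeout" required="false">
       <p>The number of milliseconds this <strong>Connector</strong> will wait,
       after accepting a connection, for the request URI line to be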
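--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -694,6 +694,17 @@
       <a href="../ssl-howto.html">SSL HowTo</a> for an example.</p>
     </attribute>
 
+    <attribute name="clientCertProvider" required="false">
+      <p>When client certificate information is presented in a form other than
+      instances of <code>java.security.cert.X509Certificate</code> it needs to
+      be converted before it can be used and this property controls which JSSE
+      provider is used to perform the conversion. For example it is used with
+      the <a href="ajp.html">AJP connectors</a>, the HTTP APR connector and
+      with the <a href="valve.html#SSL_Authenticator_Valve">
+      org.apache.catalina.valves.SSLValve</a>. If not specified, the default
+      provider will be used.</p>
+    </attribute>
+
     <attribute name="keystoreFile" required="false">
       <p>The pathname of the keystore file where you have stored the
       server certificate to be loaded.  By default, the pathname is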
