Bug 34868 - allow to register a trust store for a session that becomes effective before CLIENT-CERT auth is executed on requests
Status: RESOLVED WONTFIX
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Version: Nightly Build
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-11 17:45 UTC by Ralf Hauser
Modified: 2011-04-08 17:52 UTC



Attachments
ssl-client-cert patch for the connectors module (12.87 KB, patch), 2005-12-30 15:41 UTC, Armin H
ssl-client-cert patch for the catalina module (1.85 KB, patch), 2005-12-30 15:43 UTC, Armin H
ssl-client-cert patch for the connectors module (19.06 KB, patch), 2005-12-30 16:03 UTC, Armin H
client certificate authentication example (46.64 KB, application/octet-stream), 2005-12-30 16:58 UTC, Armin H

Description Ralf Hauser 2005-05-11 17:45:22 UTC
see Bug 34643, item 3a
Comment 1 Ralf Hauser 2005-05-11 18:27:49 UTC
AFAIK, Bill's and Mario's LDAP-based trustStore will not do because I assume
their solution would be able to validate a self-signed certificate, but they'll
never receive a self-signed cert from the browser. But perhaps this is due to
the issue that Mario's implementation is rather a Realm than really a
Truststore, and Bill really had an implementation of a
javax.net.ssl.X509TrustManager in mind?
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration
It appears to be rather file-oriented than LDAP- or JDBC-oriented...
Comment 2 Ralf Hauser 2005-06-25 09:30:45 UTC
One option to avoid this scalability problem would be to add a few
no-questions-asked CAs such as http://www.black-helicopter.org/bh (not really
updated anymore), and perhaps http://cacert.org could do this
(http://lists.cacert.org/cgi-bin/mailman/private/cacert/2005-June/003095.html).
Comment 3 Ralf Hauser 2005-07-26 21:59:13 UTC
this issue might even receive academic attention:
http://www.infsec.ethz.ch/education/projects/sa_phishing.ps
Comment 4 Armin H 2005-12-30 15:37:18 UTC
I would suggest a solution which uses a javax.net.ssl.X509TrustManager that
trusts all client certificates. So it is possible to accept untrusted
certificates and especially self-signed certificates. The actual authentication
can then be done by a servlet.

I've implemented it such that the use of this AllTrustingX509TrustManager can be
configured in the server.xml by setting the attribute
"acceptUntrustedCertifcates" for the connector. If the attribute is set to
"true", then in the initialization of the JSSESocketFactory the actual
TrustManager will be wrapped in the AllTrustingX509TrustManager and the
SSLContext will be initialized with it.
Further, I've added the new method isClientCertificateTrusted() to SSLSupport,
which returns whether the client certificate is trusted with respect to the actual
TrustManager. The method can be accessed from a servlet through the new Request
attribute "javax.servlet.request.ClientCertificateTrusted".

Created two patches for Tomcat 5.5.13. One for the connectors module and one for
the catalina module.
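An added illustration of the design described in this comment; it is not the code from the attached patches. The class name, the connector-side `isTrusted()` helper and the servlet are assumptions modelled on the names above, the fingerprint store is hypothetical, and only `javax.servlet.request.X509Certificate` is a standard Servlet attribute (the `ClientCertificateTrusted` one is what the patch adds). The point to keep in view: once the wrapper is installed the connector rejects nothing, so every protected servlet has to make the accept/deny decision itself.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Wraps the connector's real trust manager so an untrusted client chain no
 *  longer aborts the handshake; isTrusted() re-runs the real check on demand. */
final class AllTrustingX509TrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    AllTrustingX509TrustManager(X509TrustManager delegate) { this.delegate = delegate; }
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
        // Deliberately accepts every client chain: authentication moves to the servlet.
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // outbound trust decisions are unchanged
    }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    // The answer the patch's SSLSupport.isClientCertificateTrusted() would expose (assumed helper).
    boolean isTrusted(X509Certificate[] chain, String authType) {
        try { delegate.checkClientTrusted(chain, authType); return true; }
        catch (CertificateException e) { return false; }
    }
}

/** Servlet-side authentication: the handshake no longer decides, this code must. */
public class ClientCertAuthServlet extends HttpServlet {
    // Hypothetical user store: hex SHA-256 fingerprints of self-signed certs registered out of band.
    private final Set<String> registeredFingerprints = Collections.singleton("<fingerprint placeholder>");
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        Boolean trusted = (Boolean) req.getAttribute("javax.servlet.request.ClientCertificateTrusted");
        if (chain == null || chain.length == 0) { resp.sendError(401); return; }
        // Accept a CA-issued cert the real trust manager validated, or a self-signed cert a user registered.
        boolean known = Boolean.TRUE.equals(trusted) || registeredFingerprints.contains(sha256Hex(chain[0]));
        if (!known) { resp.sendError(403, "client certificate not trusted"); return; }
        resp.getWriter().println("authenticated as " + chain[0].getSubjectX500Principal().getName());
    }
    static String sha256Hex(X509Certificate cert) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```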
Comment 5 Armin H 2005-12-30 15:41:15 UTC
Created attachment 17296 [details]
ssl-client-cert patch for the connectors module
Comment 6 Armin H 2005-12-30 15:43:17 UTC
Created attachment 17297 [details]
ssl-client-cert patch for the catalina module
Comment 7 Armin H 2005-12-30 16:03:50 UTC
Created attachment 17298 [details]
ssl-client-cert patch for the connectors module

fixed: added the files missing in the last patch
Comment 8 Armin H 2005-12-30 16:58:12 UTC
Created attachment 17299 [details]
client certificate authentication example

minimum example showing how client certificate authentication can be done after
applying my patches (see above)
Comment 9 Ralf Hauser 2006-12-17 00:41:56 UTC
Wouldn't it be nice to be able to overrule the global truststores by a trustStore
object in the session?
I guess this would only require enhancing
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore() to check for this.
Comment 10 Thomas Leonard 2007-09-18 03:00:24 UTC
This looks really useful. We want to integrate tomcat with PBAC
(http://www.gria.org/documentation/manual/pbac-2-manual/overview) to check
client certificates at the SSL layer rather than only at the SOAP message layer.
Did this fix or an equivalent solution ever get added to tomcat?
Comment 11 Mark Thomas 2011-04-08 17:52:28 UTC
Per-session trust managers can't possibly work, since the SSL connection has to be established before the client can send any data that would identify the session in which to look for the trust manager. I am therefore resolving this as WONTFIX.

However, it is worth noting that Tomcat 7 (as a result of fixing bug 48208) now supports custom trust managers, which should be sufficient to meet any requirement not met by the standard trust manager.