Index: src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
|
|
|
4cd948 |
===================================================================
|
|
|
4cd948 |
--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (revision 294)
|
|
|
4cd948 |
+++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (revision 297)
|
|
|
4cd948 |
@@ -12,7 +12,7 @@
|
|
|
4cd948 |
* You should have received a copy of the GNU Lesser General Public
|
|
|
4cd948 |
* License along with this library; if not, write to the Free Software
|
|
|
4cd948 |
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
4cd948 |
- *
|
|
|
4cd948 |
+ *
|
|
|
4cd948 |
* Copyright (C) 2007 Red Hat, Inc.
|
|
|
4cd948 |
* All rights reserved.
|
|
|
4cd948 |
* END COPYRIGHT BLOCK */
|
|
|
4cd948 |
@@ -29,6 +29,7 @@
|
|
|
4cd948 |
import java.net.ServerSocket;
|
|
|
4cd948 |
import java.net.Socket;
|
|
|
4cd948 |
import java.net.SocketException;
|
|
|
4cd948 |
+import java.security.GeneralSecurityException;
|
|
|
4cd948 |
import java.text.SimpleDateFormat;
|
|
|
4cd948 |
import java.util.Date;
|
|
|
4cd948 |
import java.util.Enumeration;
|
|
|
4cd948 |
@@ -39,13 +40,20 @@
|
|
|
4cd948 |
import javax.net.ssl.SSLContext;
|
|
|
4cd948 |
import javax.net.ssl.TrustManager;
|
|
|
4cd948 |
|
|
|
4cd948 |
+import org.apache.commons.lang.StringUtils;
|
|
|
4cd948 |
// Imports required to "implement" Tomcat 7 Interface
|
|
|
4cd948 |
import org.apache.tomcat.util.net.AbstractEndpoint;
|
|
|
4cd948 |
+import org.mozilla.jss.CertDatabaseException;
|
|
|
4cd948 |
import org.mozilla.jss.CryptoManager;
|
|
|
4cd948 |
+import org.mozilla.jss.CryptoManager.NotInitializedException;
|
|
|
4cd948 |
+import org.mozilla.jss.KeyDatabaseException;
|
|
|
4cd948 |
+import org.mozilla.jss.NoSuchTokenException;
|
|
|
4cd948 |
import org.mozilla.jss.crypto.AlreadyInitializedException;
|
|
|
4cd948 |
import org.mozilla.jss.crypto.CryptoToken;
|
|
|
4cd948 |
+import org.mozilla.jss.crypto.TokenException;
|
|
|
4cd948 |
import org.mozilla.jss.ssl.SSLServerSocket;
|
|
|
4cd948 |
import org.mozilla.jss.ssl.SSLSocket;
|
|
|
4cd948 |
+import org.mozilla.jss.util.IncorrectPasswordException;
|
|
|
4cd948 |
import org.mozilla.jss.util.Password;
|
|
|
4cd948 |
|
|
|
4cd948 |
public class JSSSocketFactory implements
|
|
|
4cd948 |
@@ -322,6 +330,7 @@
|
|
|
4cd948 |
boolean debug = false;
|
|
|
4cd948 |
private IPasswordStore mPasswordStore = null;
|
|
|
4cd948 |
private boolean mStrictCiphers = false;
|
|
|
4cd948 |
+ private static final int MAX_PW_ATTEMPTS = 3;
|
|
|
4cd948 |
|
|
|
4cd948 |
public JSSSocketFactory(AbstractEndpoint endpoint) {
|
|
|
4cd948 |
this.endpoint = endpoint;
|
|
|
4cd948 |
@@ -336,8 +345,8 @@
|
|
|
4cd948 |
}
|
|
|
4cd948 |
|
|
|
4cd948 |
public void setSSLCiphers(String attr) throws SocketException, IOException {
|
|
|
4cd948 |
- String ciphers = (String) endpoint.getAttribute(attr);
|
|
|
4cd948 |
- if (ciphers == null || ciphers.equals("")) {
|
|
|
4cd948 |
+ String ciphers = getEndpointAttribute(attr);
|
|
|
4cd948 |
+ if (StringUtils.isEmpty(ciphers)) {
|
|
|
4cd948 |
debugWrite("JSSSocketFactory setSSLCiphers: " + attr + " not found");
|
|
|
4cd948 |
return;
|
|
|
4cd948 |
}
|
|
|
4cd948 |
@@ -409,7 +418,11 @@
|
|
|
4cd948 |
* parameter is ignored.
|
|
|
4cd948 |
*/
|
|
|
4cd948 |
public void setSSLOptions() throws SocketException, IOException {
|
|
|
4cd948 |
- String options = (String) endpoint.getAttribute("sslOptions");
|
|
|
4cd948 |
+ String options = getEndpointAttribute("sslOptions");
|
|
|
4cd948 |
+ if (StringUtils.isEmpty(options)) {
|
|
|
4cd948 |
+ debugWrite("no sslOptions specified");
|
|
|
4cd948 |
+ return;
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
StringTokenizer st = new StringTokenizer(options, ",");
|
|
|
4cd948 |
while (st.hasMoreTokens()) {
|
|
|
4cd948 |
String option = st.nextToken();
|
|
|
4cd948 |
@@ -460,10 +473,10 @@
|
|
|
4cd948 |
/*
|
|
|
4cd948 |
* setSSLVersionRangeDefault sets the range of allowed ssl versions. This
|
|
|
4cd948 |
* replaces the obsolete SSL_Option* API
|
|
|
4cd948 |
- *
|
|
|
4cd948 |
+ *
|
|
|
4cd948 |
* @param protoVariant indicates whether this setting is for type "stream"
|
|
|
4cd948 |
* or "datagram"
|
|
|
4cd948 |
- *
|
|
|
4cd948 |
+ *
|
|
|
4cd948 |
* @param sslVersionRange_s takes on the form of "min:max" where min/max
|
|
|
4cd948 |
* values can be "ssl3, tls1_0, tls1_1, or tls1_2" ssl2 is not supported for
|
|
|
4cd948 |
* tomcatjss via this interface The format is "sslVersionRange=min:max"
|
|
|
4cd948 |
@@ -516,105 +529,54 @@
|
|
|
4cd948 |
return -1;
|
|
|
4cd948 |
}
|
|
|
4cd948 |
|
|
|
4cd948 |
- void init() throws IOException {
|
|
|
4cd948 |
+ String getEndpointAttribute(String tag) {
|
|
|
4cd948 |
try {
|
|
|
4cd948 |
- String deb = (String) endpoint.getAttribute("debug");
|
|
|
4cd948 |
- if (deb.equals("true")) {
|
|
|
4cd948 |
- debug = true;
|
|
|
4cd948 |
- debugFile = new FileWriter("/tmp/tomcatjss.log", true);
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - debug is on\n");
|
|
|
4cd948 |
- }
|
|
|
4cd948 |
+ return (String) endpoint.getAttribute(tag);
|
|
|
4cd948 |
} catch (Exception e) {
|
|
|
4cd948 |
- // System.out.println("no tomcatjss debugging");
|
|
|
4cd948 |
+ // old tomcat throws an exception if the parameter does not exist
|
|
|
4cd948 |
}
|
|
|
4cd948 |
+ return null;
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
|
|
|
4cd948 |
- try {
|
|
|
4cd948 |
- try {
|
|
|
4cd948 |
- mPwdPath = (String) endpoint.getAttribute("passwordFile");
|
|
|
4cd948 |
- mPwdClass = (String) endpoint.getAttribute("passwordClass");
|
|
|
4cd948 |
- if (mPwdClass != null) {
|
|
|
4cd948 |
- mPasswordStore = (IPasswordStore) Class.forName(mPwdClass)
|
|
|
4cd948 |
- .newInstance();
|
|
|
4cd948 |
- mPasswordStore.init(mPwdPath);
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - password reader initialized\n");
|
|
|
4cd948 |
- }
|
|
|
4cd948 |
- } catch (Exception e) {
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - Exception caught: "
|
|
|
4cd948 |
- + e.toString() + "\n");
|
|
|
4cd948 |
- if (debugFile != null)
|
|
|
4cd948 |
- debugFile.close();
|
|
|
4cd948 |
- throw new IOException(
|
|
|
4cd948 |
- "JSSSocketFactory: no passwordFilePath defined");
|
|
|
4cd948 |
- }
|
|
|
4cd948 |
+ String getEndpointAttribute(String tag, String defaultValue) {
|
|
|
4cd948 |
+ String value = getEndpointAttribute(tag);
|
|
|
4cd948 |
+ if (value == null) {
|
|
|
4cd948 |
+ return defaultValue;
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+ return value;
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
|
|
|
4cd948 |
- String certDir = (String) endpoint.getAttribute("certdbDir");
|
|
|
4cd948 |
+ void init() throws IOException {
|
|
|
4cd948 |
+ // debug enabled?
|
|
|
4cd948 |
+ String deb = getEndpointAttribute("debug");
|
|
|
4cd948 |
+ if (StringUtils.equals(deb, "true")) {
|
|
|
4cd948 |
+ debug = true;
|
|
|
4cd948 |
+ debugFile = new FileWriter("/tmp/tomcatjss.log", true);
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - debug is on\n");
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
|
|
|
4cd948 |
- CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues(
|
|
|
4cd948 |
- certDir, "", "", "secmod.db");
|
|
|
4cd948 |
+ try {
|
|
|
4cd948 |
+ initializePasswordStore();
|
|
|
4cd948 |
|
|
|
4cd948 |
- vals.removeSunProvider = false;
|
|
|
4cd948 |
- vals.installJSSProvider = true;
|
|
|
4cd948 |
- try {
|
|
|
4cd948 |
- CryptoManager.initialize(vals);
|
|
|
4cd948 |
- } catch (AlreadyInitializedException ee) {
|
|
|
4cd948 |
- // do nothing
|
|
|
4cd948 |
- }
|
|
|
4cd948 |
- CryptoManager manager = CryptoManager.getInstance();
|
|
|
4cd948 |
+ CryptoManager manager = getCryptoManager();
|
|
|
4cd948 |
|
|
|
4cd948 |
// JSSSocketFactory init - handle crypto tokens
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - about to handle crypto unit logins\n");
|
|
|
4cd948 |
|
|
|
4cd948 |
- if (mPasswordStore != null) {
|
|
|
4cd948 |
- Enumeration en = mPasswordStore.getTags();
|
|
|
4cd948 |
- while (en.hasMoreElements()) {
|
|
|
4cd948 |
- String pwd = "";
|
|
|
4cd948 |
- Password pw = null;
|
|
|
4cd948 |
- String tokenName = "";
|
|
|
4cd948 |
- String st = (String) en.nextElement();
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - tag name=" + st + "\n");
|
|
|
4cd948 |
- pwd = mPasswordStore.getPassword(st);
|
|
|
4cd948 |
+ //log into tokens
|
|
|
4cd948 |
+ Enumeration<String> tags = mPasswordStore.getTags();
|
|
|
4cd948 |
+ while (tags.hasMoreElements()) {
|
|
|
4cd948 |
+ String tag = tags.nextElement();
|
|
|
4cd948 |
+ if (tag.equals("internal") || (tag.startsWith("hardware-"))) {
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - tag name=" + tag + "\n");
|
|
|
4cd948 |
+ logIntoToken(manager, tag);
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - tokens initialized/logged in\n");
|
|
|
4cd948 |
|
|
|
4cd948 |
- if (pwd != null) {
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - got password\n");
|
|
|
4cd948 |
- pw = new Password(pwd.toCharArray());
|
|
|
4cd948 |
- } else {
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - no pwd found in password.conf\n");
|
|
|
4cd948 |
- continue;
|
|
|
4cd948 |
- }
|
|
|
4cd948 |
-
|
|
|
4cd948 |
- CryptoToken token = null;
|
|
|
4cd948 |
- if (st.equals("internal")) {
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - got internal software token\n");
|
|
|
4cd948 |
- token = manager.getInternalKeyStorageToken();
|
|
|
4cd948 |
- } else if (st.startsWith("hardware-")) {
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - got hardware\n");
|
|
|
4cd948 |
-
|
|
|
4cd948 |
- tokenName = st.substring(9);
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - tokenName="
|
|
|
4cd948 |
- + tokenName + "\n");
|
|
|
4cd948 |
-
|
|
|
4cd948 |
- // find the hsm and log in
|
|
|
4cd948 |
- token = manager.getTokenByName(tokenName);
|
|
|
4cd948 |
- } else {
|
|
|
4cd948 |
- // non-token entries
|
|
|
4cd948 |
- }
|
|
|
4cd948 |
- if (token != null) {
|
|
|
4cd948 |
- if (!token.isLoggedIn()) {
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init -not logged in...about to log in\n");
|
|
|
4cd948 |
- token.login(pw);
|
|
|
4cd948 |
- } else {
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - already logged in\n");
|
|
|
4cd948 |
- }
|
|
|
4cd948 |
- }
|
|
|
4cd948 |
- } // while
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - tokens initialized/logged in\n");
|
|
|
4cd948 |
- } else {
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - no login done\n");
|
|
|
4cd948 |
- } // mPasswordStore not null
|
|
|
4cd948 |
-
|
|
|
4cd948 |
// MUST look for "clientauth" (ALL lowercase) since "clientAuth"
|
|
|
4cd948 |
// (camel case) has already been processed by Tomcat 7
|
|
|
4cd948 |
- String clientAuthStr = (String) endpoint.getAttribute("clientauth");
|
|
|
4cd948 |
+ String clientAuthStr = getEndpointAttribute("clientauth");
|
|
|
4cd948 |
if (clientAuthStr == null) {
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - \"clientauth\" not found, default to want.");
|
|
|
4cd948 |
clientAuthStr = "want";
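Review bot: The rewritten init() dereferences the store unconditionally (`Enumeration<String> tags = mPasswordStore.getTags();`) and initializePasswordStore() throws when passwordClass is absent, so a password store has become mandatory where the old `if (mPasswordStore != null)` branch logged "no login done" and carried on; if that is intended, say so above the call, e.g. `// passwordClass is required: without a store no token can be logged into`, otherwise the null-store path needs restoring. The debug log is still opened at the fixed path `/tmp/tomcatjss.log` in a shared temp directory; now that getEndpointAttribute(tag, defaultValue) exists, a configurable location such as `debugFile = new FileWriter(getEndpointAttribute("debugFile", "/tmp/tomcatjss.log"), true);` (attribute name constructed here) would avoid a predictable file in a world-writable directory. getEndpointAttribute(String) also maps every Exception, including a ClassCastException from a non-String attribute, to null, which callers read as "not configured" — worth a comment on the catch. init() continues past the end of this hunk.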
|
|
|
4cd948 |
@@ -621,8 +583,10 @@
|
|
|
4cd948 |
}
|
|
|
4cd948 |
File file = null;
|
|
|
4cd948 |
try {
|
|
|
4cd948 |
- mServerCertNickPath = (String) endpoint
|
|
|
4cd948 |
- .getAttribute("serverCertNickFile");
|
|
|
4cd948 |
+ mServerCertNickPath = getEndpointAttribute("serverCertNickFile");
|
|
|
4cd948 |
+ if (mServerCertNickPath == null) {
|
|
|
4cd948 |
+ throw new IOException("serverCertNickFile not specified");
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - got serverCertNickFile"
|
|
|
4cd948 |
+ mServerCertNickPath + "\n");
|
|
|
4cd948 |
file = new File(mServerCertNickPath);
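Review bot: The new `throw new IOException("serverCertNickFile not specified");` sits inside the `try` opened two lines above it, whose `catch (Exception e)` (visible in the next hunk) rethrows a generic "no serverCertNickFile defined" IOException without the cause, so the more precise message never reaches the caller. Either move the null check above the `try`, or chain the cause in that catch with `throw new IOException("JSSSocketFactory: no serverCertNickFile defined", e);`. The try/catch and init() itself extend beyond this hunk.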
|
|
|
4cd948 |
@@ -651,13 +615,11 @@
|
|
|
4cd948 |
} catch (Exception e) {
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - Exception caught: "
|
|
|
4cd948 |
+ e.toString() + "\n");
|
|
|
4cd948 |
- if (debugFile != null)
|
|
|
4cd948 |
- debugFile.close();
|
|
|
4cd948 |
throw new IOException(
|
|
|
4cd948 |
"JSSSocketFactory: no serverCertNickFile defined");
|
|
|
4cd948 |
}
|
|
|
4cd948 |
|
|
|
4cd948 |
- // serverCertNick = (String)endpoint.getAttribute("serverCert");
|
|
|
4cd948 |
+ // serverCertNick = (String)getEndpointAttribute("serverCert");
|
|
|
4cd948 |
if (clientAuthStr.equalsIgnoreCase("true")
|
|
|
4cd948 |
|| clientAuthStr.equalsIgnoreCase("yes")) {
|
|
|
4cd948 |
requireClientAuth = true;
|
|
|
4cd948 |
@@ -671,10 +633,9 @@
|
|
|
4cd948 |
&& ocspConfigured == false) {
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - checking for OCSP settings. \n");
|
|
|
4cd948 |
boolean enableOCSP = false;
|
|
|
4cd948 |
- String doOCSP = (String) endpoint.getAttribute("enableOCSP");
|
|
|
4cd948 |
+ String doOCSP = getEndpointAttribute("enableOCSP");
|
|
|
4cd948 |
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - doOCSP flag:" + doOCSP
|
|
|
4cd948 |
- + " \n");
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - doOCSP flag:" + doOCSP + " \n");
|
|
|
4cd948 |
|
|
|
4cd948 |
if (doOCSP != null && doOCSP.equalsIgnoreCase("true")) {
|
|
|
4cd948 |
enableOCSP = true;
|
|
|
4cd948 |
@@ -684,17 +645,15 @@
|
|
|
4cd948 |
+ "\n");
|
|
|
4cd948 |
|
|
|
4cd948 |
if (enableOCSP == true) {
|
|
|
4cd948 |
- String ocspResponderURL = (String) endpoint
|
|
|
4cd948 |
- .getAttribute("ocspResponderURL");
|
|
|
4cd948 |
+ String ocspResponderURL = getEndpointAttribute("ocspResponderURL");
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - ocspResponderURL "
|
|
|
4cd948 |
+ ocspResponderURL + "\n");
|
|
|
4cd948 |
- String ocspResponderCertNickname = (String) endpoint
|
|
|
4cd948 |
- .getAttribute("ocspResponderCertNickname");
|
|
|
4cd948 |
+ String ocspResponderCertNickname = getEndpointAttribute(
|
|
|
4cd948 |
+ "ocspResponderCertNickname");
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - ocspResponderCertNickname"
|
|
|
4cd948 |
+ ocspResponderCertNickname + "\n");
|
|
|
4cd948 |
- if ((ocspResponderURL != null && ocspResponderURL.length() > 0)
|
|
|
4cd948 |
- && (ocspResponderCertNickname != null && ocspResponderCertNickname
|
|
|
4cd948 |
- .length() > 0)) {
|
|
|
4cd948 |
+ if (StringUtils.isNotEmpty(ocspResponderURL) &&
|
|
|
4cd948 |
+ StringUtils.isNotEmpty(ocspResponderCertNickname)) {
|
|
|
4cd948 |
|
|
|
4cd948 |
ocspConfigured = true;
|
|
|
4cd948 |
try {
|
|
|
4cd948 |
@@ -704,12 +663,9 @@
|
|
|
4cd948 |
int ocspMinCacheEntryDuration_i = 3600;
|
|
|
4cd948 |
int ocspMaxCacheEntryDuration_i = 86400;
|
|
|
4cd948 |
|
|
|
4cd948 |
- String ocspCacheSize = (String) endpoint
|
|
|
4cd948 |
- .getAttribute("ocspCacheSize");
|
|
|
4cd948 |
- String ocspMinCacheEntryDuration = (String) endpoint
|
|
|
4cd948 |
- .getAttribute("ocspMinCacheEntryDuration");
|
|
|
4cd948 |
- String ocspMaxCacheEntryDuration = (String) endpoint
|
|
|
4cd948 |
- .getAttribute("ocspMaxCacheEntryDuration");
|
|
|
4cd948 |
+ String ocspCacheSize = getEndpointAttribute("ocspCacheSize");
|
|
|
4cd948 |
+ String ocspMinCacheEntryDuration = getEndpointAttribute("ocspMinCacheEntryDuration");
|
|
|
4cd948 |
+ String ocspMaxCacheEntryDuration = getEndpointAttribute("ocspMaxCacheEntryDuration");
|
|
|
4cd948 |
|
|
|
4cd948 |
if (ocspCacheSize != null
|
|
|
4cd948 |
|| ocspMinCacheEntryDuration != null
|
|
|
4cd948 |
@@ -718,20 +674,17 @@
|
|
|
4cd948 |
if (ocspCacheSize != null) {
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - ocspCacheSize= "
|
|
|
4cd948 |
+ ocspCacheSize + "\n");
|
|
|
4cd948 |
- ocspCacheSize_i = Integer
|
|
|
4cd948 |
- .parseInt(ocspCacheSize);
|
|
|
4cd948 |
+ ocspCacheSize_i = Integer.parseInt(ocspCacheSize);
|
|
|
4cd948 |
}
|
|
|
4cd948 |
if (ocspMinCacheEntryDuration != null) {
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - ocspMinCacheEntryDuration= "
|
|
|
4cd948 |
+ ocspMinCacheEntryDuration + "\n");
|
|
|
4cd948 |
- ocspMinCacheEntryDuration_i = Integer
|
|
|
4cd948 |
- .parseInt(ocspMinCacheEntryDuration);
|
|
|
4cd948 |
+ ocspMinCacheEntryDuration_i = Integer.parseInt(ocspMinCacheEntryDuration);
|
|
|
4cd948 |
}
|
|
|
4cd948 |
if (ocspMaxCacheEntryDuration != null) {
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - ocspMaxCacheEntryDuration= "
|
|
|
4cd948 |
+ ocspMaxCacheEntryDuration + "\n");
|
|
|
4cd948 |
- ocspMaxCacheEntryDuration_i = Integer
|
|
|
4cd948 |
- .parseInt(ocspMaxCacheEntryDuration);
|
|
|
4cd948 |
+ ocspMaxCacheEntryDuration_i = Integer.parseInt(ocspMaxCacheEntryDuration);
|
|
|
4cd948 |
}
|
|
|
4cd948 |
manager.OCSPCacheSettings(ocspCacheSize_i,
|
|
|
4cd948 |
ocspMinCacheEntryDuration_i,
|
|
|
4cd948 |
@@ -739,18 +692,14 @@
|
|
|
4cd948 |
}
|
|
|
4cd948 |
|
|
|
4cd948 |
// defualt to 60 seconds;
|
|
|
4cd948 |
- String ocspTimeout = (String) endpoint
|
|
|
4cd948 |
- .getAttribute("ocspTimeout");
|
|
|
4cd948 |
+ String ocspTimeout = getEndpointAttribute("ocspTimeout");
|
|
|
4cd948 |
if (ocspTimeout != null) {
|
|
|
4cd948 |
- debugWrite("JSSSocketFactory init - ocspTimeout= \n"
|
|
|
4cd948 |
- + ocspTimeout);
|
|
|
4cd948 |
- int ocspTimeout_i = Integer
|
|
|
4cd948 |
- .parseInt(ocspTimeout);
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - ocspTimeout= \n" + ocspTimeout);
|
|
|
4cd948 |
+ int ocspTimeout_i = Integer.parseInt(ocspTimeout);
|
|
|
4cd948 |
if (ocspTimeout_i < 0)
|
|
|
4cd948 |
ocspTimeout_i = 60;
|
|
|
4cd948 |
manager.setOCSPTimeout(ocspTimeout_i);
|
|
|
4cd948 |
}
|
|
|
4cd948 |
-
|
|
|
4cd948 |
} catch (java.security.GeneralSecurityException e) {
|
|
|
4cd948 |
ocspConfigured = false;
|
|
|
4cd948 |
debugWrite("JSSSocketFactory init - error initializing OCSP e: "
|
|
|
4cd948 |
@@ -774,10 +723,9 @@
|
|
|
4cd948 |
// 12 hours = 43200 seconds
|
|
|
4cd948 |
SSLServerSocket.configServerSessionIDCache(0, 43200, 43200, null);
|
|
|
4cd948 |
|
|
|
4cd948 |
- String strictCiphersStr = (String) endpoint
|
|
|
4cd948 |
- .getAttribute("strictCiphers");
|
|
|
4cd948 |
- if (strictCiphersStr.equalsIgnoreCase("true")
|
|
|
4cd948 |
- || strictCiphersStr.equalsIgnoreCase("yes")) {
|
|
|
4cd948 |
+ String strictCiphersStr = getEndpointAttribute("strictCiphers");
|
|
|
4cd948 |
+ if (StringUtils.equalsIgnoreCase(strictCiphersStr, "true")
|
|
|
4cd948 |
+ || StringUtils.equalsIgnoreCase(strictCiphersStr, "yes")) {
|
|
|
4cd948 |
mStrictCiphers = true;
|
|
|
4cd948 |
}
|
|
|
4cd948 |
if (mStrictCiphers == true) {
|
|
|
4cd948 |
@@ -788,8 +736,7 @@
|
|
|
4cd948 |
debugWrite("SSSocketFactory init - before setSSLCiphers, strictCiphers is false\n");
|
|
|
4cd948 |
}
|
|
|
4cd948 |
|
|
|
4cd948 |
- String sslVersionRangeStream = (String) endpoint
|
|
|
4cd948 |
- .getAttribute("sslVersionRangeStream");
|
|
|
4cd948 |
+ String sslVersionRangeStream = getEndpointAttribute("sslVersionRangeStream");
|
|
|
4cd948 |
if ((sslVersionRangeStream != null)
|
|
|
4cd948 |
&& !sslVersionRangeStream.equals("")) {
|
|
|
4cd948 |
debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type STREAM\n");
|
|
|
4cd948 |
@@ -799,8 +746,7 @@
|
|
|
4cd948 |
debugWrite("SSSocketFactory init - after setSSLVersionRangeDefault() for type STREAM\n");
|
|
|
4cd948 |
}
|
|
|
4cd948 |
|
|
|
4cd948 |
- String sslVersionRangeDatagram = (String) endpoint
|
|
|
4cd948 |
- .getAttribute("sslVersionRangeDatagram");
|
|
|
4cd948 |
+ String sslVersionRangeDatagram = getEndpointAttribute("sslVersionRangeDatagram");
|
|
|
4cd948 |
if ((sslVersionRangeDatagram != null)
|
|
|
4cd948 |
&& !sslVersionRangeDatagram.equals("")) {
|
|
|
4cd948 |
debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type DATA_GRAM\n");
|
|
|
4cd948 |
@@ -838,8 +784,6 @@
|
|
|
4cd948 |
+ ex.toString() + "\n");
|
|
|
4cd948 |
System.err.println("JSSSocketFactory init - exception thrown:"
|
|
|
4cd948 |
+ ex.toString() + "\n");
|
|
|
4cd948 |
- if (debugFile != null)
|
|
|
4cd948 |
- debugFile.close();
|
|
|
4cd948 |
// The idea is, if admin take the trouble to configure the
|
|
|
4cd948 |
// ocsp cache, and made a mistake, we want to make server
|
|
|
4cd948 |
// unavailable until they get it right
|
|
|
4cd948 |
@@ -846,11 +790,109 @@
|
|
|
4cd948 |
if ((ex instanceof java.security.GeneralSecurityException)
|
|
|
4cd948 |
|| (ex instanceof java.lang.NumberFormatException))
|
|
|
4cd948 |
throw new IOException(ex.toString());
|
|
|
4cd948 |
+ } finally {
|
|
|
4cd948 |
+ if (debugFile != null)
|
|
|
4cd948 |
+ debugFile.close();
|
|
|
4cd948 |
}
|
|
|
4cd948 |
- if (debugFile != null)
|
|
|
4cd948 |
- debugFile.close();
|
|
|
4cd948 |
}
|
|
|
4cd948 |
|
|
|
4cd948 |
+ private CryptoToken getToken(String tag, CryptoManager manager) throws IOException, NoSuchTokenException {
|
|
|
4cd948 |
+ CryptoToken token = null;
|
|
|
4cd948 |
+ if (tag.equals("internal")) {
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - got internal software token\n");
|
|
|
4cd948 |
+ token = manager.getInternalKeyStorageToken();
|
|
|
4cd948 |
+ } else if (tag.startsWith("hardware-")) {
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - got hardware\n");
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ String tokenName = tag.substring(9);
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - tokenName=" + tokenName + "\n");
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ // find the hsm and log in
|
|
|
4cd948 |
+ token = manager.getTokenByName(tokenName);
|
|
|
4cd948 |
+ } else {
|
|
|
4cd948 |
+ // non-token password entry
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+ return token;
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ private void initializePasswordStore() throws InstantiationException, IllegalAccessException,
|
|
|
4cd948 |
+ ClassNotFoundException, IOException {
|
|
|
4cd948 |
+ mPwdClass = getEndpointAttribute("passwordClass");
|
|
|
4cd948 |
+ if (mPwdClass == null) {
|
|
|
4cd948 |
+ throw new IOException("Misconfiguration: passwordClass is not defined");
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+ mPwdPath = getEndpointAttribute("passwordFile");
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ mPasswordStore = (IPasswordStore) Class.forName(mPwdClass).newInstance();
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - password reader initialized\n");
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ // initialize the password store
|
|
|
4cd948 |
+ mPasswordStore.init(mPwdPath);
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ private CryptoManager getCryptoManager() throws KeyDatabaseException, CertDatabaseException,
|
|
|
4cd948 |
+ GeneralSecurityException, NotInitializedException, IOException {
|
|
|
4cd948 |
+ String certDir = getEndpointAttribute("certdbDir");
|
|
|
4cd948 |
+ if (certDir == null) {
|
|
|
4cd948 |
+ throw new IOException("Misconfiguration: certdir not defined");
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+ CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues(
|
|
|
4cd948 |
+ certDir, "", "", "secmod.db");
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ vals.removeSunProvider = false;
|
|
|
4cd948 |
+ vals.installJSSProvider = true;
|
|
|
4cd948 |
+ try {
|
|
|
4cd948 |
+ CryptoManager.initialize(vals);
|
|
|
4cd948 |
+ } catch (AlreadyInitializedException ee) {
|
|
|
4cd948 |
+ // do nothing
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+ CryptoManager manager = CryptoManager.getInstance();
|
|
|
4cd948 |
+ return manager;
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ private void logIntoToken(CryptoManager manager, String tag) throws IOException,
|
|
|
4cd948 |
+ TokenException {
|
|
|
4cd948 |
+ String pwd;
|
|
|
4cd948 |
+ Password pw = null;
|
|
|
4cd948 |
+ int iteration = 0;
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ CryptoToken token = null;
|
|
|
4cd948 |
+ try {
|
|
|
4cd948 |
+ token = getToken(tag, manager);
|
|
|
4cd948 |
+ } catch (NoSuchTokenException e) {
|
|
|
4cd948 |
+ debugWrite("token for " + tag + " not found by CryptoManager. Not logging in.");
|
|
|
4cd948 |
+ return;
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ do {
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - iteration=" + iteration + "\n");
|
|
|
4cd948 |
+ pwd = mPasswordStore.getPassword(tag, iteration);
|
|
|
4cd948 |
+ if (pwd == null) {
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - no pwd gotten\n");
|
|
|
4cd948 |
+ return;
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ pw = new Password(pwd.toCharArray());
|
|
|
4cd948 |
+
|
|
|
4cd948 |
+ if (!token.isLoggedIn()) {
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init -not logged in...about to log in\n");
|
|
|
4cd948 |
+ try {
|
|
|
4cd948 |
+ token.login(pw);
|
|
|
4cd948 |
+ break;
|
|
|
4cd948 |
+ } catch (IncorrectPasswordException e) {
|
|
|
4cd948 |
+ debugWrite("Incorrect password received");
|
|
|
4cd948 |
+ iteration ++;
|
|
|
4cd948 |
+ if (iteration == MAX_PW_ATTEMPTS) {
|
|
|
4cd948 |
+ debugWrite("Failed to log into token:" + tag);
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+ } else {
|
|
|
4cd948 |
+ debugWrite("JSSSocketFactory init - already logged in\n");
|
|
|
4cd948 |
+ break;
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+ } while (iteration < MAX_PW_ATTEMPTS);
|
|
|
4cd948 |
+ }
|
|
|
4cd948 |
+
|
|
|
4cd948 |
public Socket acceptSocket(ServerSocket socket) throws IOException {
|
|
|
4cd948 |
SSLSocket asock = null;
|
|
|
4cd948 |
try {
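Review bot: After MAX_PW_ATTEMPTS failures logIntoToken() only writes a debug line and returns normally, so init() completes and the server starts with a token that is not logged in, which surfaces later as an opaque handshake failure; the other new helpers throw IOException("Misconfiguration: …") for bad configuration and this path should fail the same way. The retry also re-submits whatever the store returns for each iteration, and the PlainPasswordFile implementation in this commit ignores `iteration`, so the same wrong password is tried three times — on a hardware token with a PIN retry counter that can lock the token out, so the loop should stop when the store has nothing new to offer (null already ends it). The Password built from pwd is never cleared; JSS Password has clear() for that, so wrap the login in try/finally. Two smaller points: getCryptoManager() reports `"Misconfiguration: certdir not defined"` but the attribute it reads is "certdbDir", and initializePasswordStore() hands a possibly-null mPwdPath to init() without the explicit check that passwordClass gets. logIntoToken() ends inside this hunk; the enclosing class continues past it.
```java
try {
    token.login(pw);
    break;
} catch (IncorrectPasswordException e) {
    debugWrite("Incorrect password received");
    iteration++;
    if (iteration == MAX_PW_ATTEMPTS) {
        // fail init() loudly, like the other Misconfiguration paths, instead of starting without the token
        throw new IOException("Failed to log into token: " + tag, e);
    }
} finally {
    pw.clear(); // do not leave the password chars in the heap longer than needed
}
// … unchanged: already-logged-in branch and loop condition …
```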
|
|
|
4cd948 |
@@ -892,10 +934,9 @@
|
|
|
4cd948 |
if (!initialized)
|
|
|
4cd948 |
init();
|
|
|
4cd948 |
SSLServerSocket socket = null;
|
|
|
4cd948 |
- socket = (SSLServerSocket) (new SSLServerSocket(port, backlog,
|
|
|
4cd948 |
- ifAddress, null, reuseAddr));
|
|
|
4cd948 |
+ socket = new SSLServerSocket(port, backlog, ifAddress, null, reuseAddr);
|
|
|
4cd948 |
initializeSocket(socket);
|
|
|
4cd948 |
- return (ServerSocket) socket;
|
|
|
4cd948 |
+ return socket;
|
|
|
4cd948 |
}
|
|
|
4cd948 |
|
|
|
4cd948 |
private void initializeSocket(SSLServerSocket s) {
|
|
|
4cd948 |
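--- a/src/org/apache/tomcat/util/net/jss/PlainPasswordFile.java
+++ b/src/org/apache/tomcat/util/net/jss/PlainPasswordFile.java
@@ -12,7 +12,7 @@
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
+ *
 * Copyright (C) 2007 Red Hat, Inc.
 * All rights reserved.
 * END COPYRIGHT BLOCK */
@@ -43,9 +43,13 @@
 }
 
 public String getPassword(String tag) {
- return (String) mPwdStore.getProperty(tag);
+ return getPassword(tag, 0);
 }
 
+ public String getPassword(String tag, int iteration) {
+ return mPwdStore.getProperty(tag);
+ }
+
 // return an array of String-based tag
 @SuppressWarnings("unchecked")
 public Enumeration<String> getTags() {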
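Review bot: The new getPassword(String tag, int iteration) ignores `iteration` and returns the same property on every call, so a caller that retries (JSSSocketFactory.logIntoToken in this commit loops up to MAX_PW_ATTEMPTS) re-submits an identical password; against a hardware token with a PIN retry counter that spends attempts for no gain. For a single-valued file the honest answer on a retry is "nothing else to try": `return iteration == 0 ? mPwdStore.getProperty(tag) : null;`, which the caller already treats as a stop condition. A one-line comment above the method stating that contract would help other IPasswordStore implementors.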
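--- a/src/org/apache/tomcat/util/net/jss/IPasswordStore.java
+++ b/src/org/apache/tomcat/util/net/jss/IPasswordStore.java
@@ -12,7 +12,7 @@
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
+ *
 * Copyright (C) 2007 Red Hat, Inc.
 * All rights reserved.
 * END COPYRIGHT BLOCK */
@@ -25,6 +25,8 @@
 public interface IPasswordStore {
 public void init(String pwdPath) throws IOException;
 
+ public String getPassword(String tag, int iteration);
+
 public String getPassword(String tag);
 
 public Enumeration<String> getTags();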
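Review bot: The added getPassword(String tag, int iteration) carries no Javadoc, and what `iteration` means (a retry index from the caller, starting at 0, with null ending the retries) is only discoverable by reading JSSSocketFactory.logIntoToken; since every store implementation must agree on it, state it here, e.g. `/** Returns the password for {@code tag} on retry attempt {@code iteration} (0 for the first); returns {@code null} when no further candidate exists, which stops the caller's retries. */`. The one-argument overload should likewise be documented as equivalent to iteration 0.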
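--- a/build.xml
+++ b/build.xml
@@ -104,6 +104,7 @@
 
 <property name="dirsec" value="" />
 <property name="jss.jar" value="${jss.home}${dirsec}/jss4.jar" />
+ <property name="commons-lang.jar" value="${jar.home}/commons-lang.jar" />
 
 
 Classpath
@@ -112,6 +113,7 @@
 <pathelement location="${jss.jar}"/>
 <pathelement location="${tomcat-coyote.jar}"/>
 <pathelement location="${commons-logging.jar}"/>
+ <pathelement location="${commons-lang.jar}"/>
 </path>
 
 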