|
 |
b0499a |
From c410c7a35b4aa78e7c35d11a72cc96ff932df982 Mon Sep 17 00:00:00 2001
|
|
|
b0499a |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b0499a |
Date: Fri, 3 Mar 2017 09:19:58 +0100
|
|
|
b0499a |
Subject: [PATCH 1/2] Renamed getEndpointAttribute().
|
|
|
b0499a |
|
|
|
b0499a |
The getEndpointAttribute() in JSSSocketFactory has been renamed
|
|
|
b0499a |
to getProperty() for clarity.
|
|
|
b0499a |
---
|
|
|
b0499a |
.../tomcat/util/net/jss/JSSSocketFactory.java | 44 +++++++++++-----------
|
|
|
b0499a |
1 file changed, 22 insertions(+), 22 deletions(-)
|
|
|
b0499a |
|
|
|
b0499a |
diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
|
|
|
b0499a |
index ebf5505..bc096c1 100644
|
|
|
b0499a |
--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
|
|
|
b0499a |
+++ b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
|
|
|
b0499a |
@@ -377,7 +377,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
}
|
|
|
b0499a |
|
|
|
b0499a |
public void setSSLCiphers(String attr) throws SocketException, IOException {
|
|
|
b0499a |
- String ciphers = getEndpointAttribute(attr);
|
|
|
b0499a |
+ String ciphers = getProperty(attr);
|
|
|
b0499a |
if (StringUtils.isEmpty(ciphers)) {
|
|
|
b0499a |
debugWrite("JSSSocketFactory setSSLCiphers: " + attr + " not found");
|
|
|
b0499a |
return;
|
|
|
b0499a |
@@ -451,7 +451,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
* parameter is ignored.
|
|
|
b0499a |
*/
|
|
|
b0499a |
public void setSSLOptions() throws SocketException, IOException {
|
|
|
b0499a |
- String options = getEndpointAttribute("sslOptions");
|
|
|
b0499a |
+ String options = getProperty("sslOptions");
|
|
|
b0499a |
if (StringUtils.isEmpty(options)) {
|
|
|
b0499a |
debugWrite("no sslOptions specified");
|
|
|
b0499a |
return;
|
|
|
b0499a |
@@ -562,7 +562,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
return -1;
|
|
|
b0499a |
}
|
|
|
b0499a |
|
|
|
b0499a |
- String getEndpointAttribute(String tag) {
|
|
|
b0499a |
+ String getProperty(String tag) {
|
|
|
b0499a |
|
|
|
b0499a |
// check <catalina.base>/conf/server.xml
|
|
|
b0499a |
String value = (String)endpoint.getAttribute(tag);
|
|
|
b0499a |
@@ -575,8 +575,8 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
return value;
|
|
|
b0499a |
}
|
|
|
b0499a |
|
|
|
b0499a |
- String getEndpointAttribute(String tag, String defaultValue) {
|
|
|
b0499a |
- String value = getEndpointAttribute(tag);
|
|
|
b0499a |
+ String getProperty(String tag, String defaultValue) {
|
|
|
b0499a |
+ String value = getProperty(tag);
|
|
|
b0499a |
if (value == null) {
|
|
|
b0499a |
return defaultValue;
|
|
|
b0499a |
}
|
|
|
b0499a |
@@ -585,7 +585,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
|
|
|
b0499a |
void init() throws IOException {
|
|
|
b0499a |
// debug enabled?
|
|
|
b0499a |
- String deb = getEndpointAttribute("debug");
|
|
|
b0499a |
+ String deb = getProperty("debug");
|
|
|
b0499a |
if (StringUtils.equals(deb, "true")) {
|
|
|
b0499a |
debug = true;
|
|
|
b0499a |
debugFile = new FileWriter("/tmp/tomcatjss.log", true);
|
|
|
b0499a |
@@ -613,14 +613,14 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
|
|
|
b0499a |
// MUST look for "clientauth" (ALL lowercase) since "clientAuth"
|
|
|
b0499a |
// (camel case) has already been processed by Tomcat 7
|
|
|
b0499a |
- String clientAuthStr = getEndpointAttribute("clientauth");
|
|
|
b0499a |
+ String clientAuthStr = getProperty("clientauth");
|
|
|
b0499a |
if (clientAuthStr == null) {
|
|
|
b0499a |
debugWrite("JSSSocketFactory init - \"clientauth\" not found, default to want.");
|
|
|
b0499a |
clientAuthStr = "want";
|
|
|
b0499a |
}
|
|
|
b0499a |
File file = null;
|
|
|
b0499a |
try {
|
|
|
b0499a |
- mServerCertNickPath = getEndpointAttribute("serverCertNickFile");
|
|
|
b0499a |
+ mServerCertNickPath = getProperty("serverCertNickFile");
|
|
|
b0499a |
if (mServerCertNickPath == null) {
|
|
|
b0499a |
throw new IOException("serverCertNickFile not specified");
|
|
|
b0499a |
}
|
|
|
b0499a |
@@ -656,7 +656,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
"JSSSocketFactory: no serverCertNickFile defined");
|
|
|
b0499a |
}
|
|
|
b0499a |
|
|
|
b0499a |
- // serverCertNick = (String)getEndpointAttribute("serverCert");
|
|
|
b0499a |
+ // serverCertNick = (String)getProperty("serverCert");
|
|
|
b0499a |
if (clientAuthStr.equalsIgnoreCase("true")
|
|
|
b0499a |
|| clientAuthStr.equalsIgnoreCase("yes")) {
|
|
|
b0499a |
requireClientAuth = true;
|
|
|
b0499a |
@@ -670,7 +670,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
&& ocspConfigured == false) {
|
|
|
b0499a |
debugWrite("JSSSocketFactory init - checking for OCSP settings. \n");
|
|
|
b0499a |
boolean enableOCSP = false;
|
|
|
b0499a |
- String doOCSP = getEndpointAttribute("enableOCSP");
|
|
|
b0499a |
+ String doOCSP = getProperty("enableOCSP");
|
|
|
b0499a |
|
|
|
b0499a |
debugWrite("JSSSocketFactory init - doOCSP flag:" + doOCSP + " \n");
|
|
|
b0499a |
|
|
|
b0499a |
@@ -682,10 +682,10 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
+ "\n");
|
|
|
b0499a |
|
|
|
b0499a |
if (enableOCSP == true) {
|
|
|
b0499a |
- String ocspResponderURL = getEndpointAttribute("ocspResponderURL");
|
|
|
b0499a |
+ String ocspResponderURL = getProperty("ocspResponderURL");
|
|
|
b0499a |
debugWrite("JSSSocketFactory init - ocspResponderURL "
|
|
|
b0499a |
+ ocspResponderURL + "\n");
|
|
|
b0499a |
- String ocspResponderCertNickname = getEndpointAttribute(
|
|
|
b0499a |
+ String ocspResponderCertNickname = getProperty(
|
|
|
b0499a |
"ocspResponderCertNickname");
|
|
|
b0499a |
debugWrite("JSSSocketFactory init - ocspResponderCertNickname"
|
|
|
b0499a |
+ ocspResponderCertNickname + "\n");
|
|
|
b0499a |
@@ -700,9 +700,9 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
int ocspMinCacheEntryDuration_i = 3600;
|
|
|
b0499a |
int ocspMaxCacheEntryDuration_i = 86400;
|
|
|
b0499a |
|
|
|
b0499a |
- String ocspCacheSize = getEndpointAttribute("ocspCacheSize");
|
|
|
b0499a |
- String ocspMinCacheEntryDuration = getEndpointAttribute("ocspMinCacheEntryDuration");
|
|
|
b0499a |
- String ocspMaxCacheEntryDuration = getEndpointAttribute("ocspMaxCacheEntryDuration");
|
|
|
b0499a |
+ String ocspCacheSize = getProperty("ocspCacheSize");
|
|
|
b0499a |
+ String ocspMinCacheEntryDuration = getProperty("ocspMinCacheEntryDuration");
|
|
|
b0499a |
+ String ocspMaxCacheEntryDuration = getProperty("ocspMaxCacheEntryDuration");
|
|
|
b0499a |
|
|
|
b0499a |
if (ocspCacheSize != null
|
|
|
b0499a |
|| ocspMinCacheEntryDuration != null
|
|
|
b0499a |
@@ -729,7 +729,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
}
|
|
|
b0499a |
|
|
|
b0499a |
// defualt to 60 seconds;
|
|
|
b0499a |
- String ocspTimeout = getEndpointAttribute("ocspTimeout");
|
|
|
b0499a |
+ String ocspTimeout = getProperty("ocspTimeout");
|
|
|
b0499a |
if (ocspTimeout != null) {
|
|
|
b0499a |
debugWrite("JSSSocketFactory init - ocspTimeout= \n" + ocspTimeout);
|
|
|
b0499a |
int ocspTimeout_i = Integer.parseInt(ocspTimeout);
|
|
|
b0499a |
@@ -760,7 +760,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
// 12 hours = 43200 seconds
|
|
|
b0499a |
SSLServerSocket.configServerSessionIDCache(0, 43200, 43200, null);
|
|
|
b0499a |
|
|
|
b0499a |
- String strictCiphersStr = getEndpointAttribute("strictCiphers");
|
|
|
b0499a |
+ String strictCiphersStr = getProperty("strictCiphers");
|
|
|
b0499a |
if (StringUtils.equalsIgnoreCase(strictCiphersStr, "true")
|
|
|
b0499a |
|| StringUtils.equalsIgnoreCase(strictCiphersStr, "yes")) {
|
|
|
b0499a |
mStrictCiphers = true;
|
|
|
b0499a |
@@ -773,7 +773,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
debugWrite("SSSocketFactory init - before setSSLCiphers, strictCiphers is false\n");
|
|
|
b0499a |
}
|
|
|
b0499a |
|
|
|
b0499a |
- String sslVersionRangeStream = getEndpointAttribute("sslVersionRangeStream");
|
|
|
b0499a |
+ String sslVersionRangeStream = getProperty("sslVersionRangeStream");
|
|
|
b0499a |
if ((sslVersionRangeStream != null)
|
|
|
b0499a |
&& !sslVersionRangeStream.equals("")) {
|
|
|
b0499a |
debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type STREAM\n");
|
|
|
b0499a |
@@ -783,7 +783,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
debugWrite("SSSocketFactory init - after setSSLVersionRangeDefault() for type STREAM\n");
|
|
|
b0499a |
}
|
|
|
b0499a |
|
|
|
b0499a |
- String sslVersionRangeDatagram = getEndpointAttribute("sslVersionRangeDatagram");
|
|
|
b0499a |
+ String sslVersionRangeDatagram = getProperty("sslVersionRangeDatagram");
|
|
|
b0499a |
if ((sslVersionRangeDatagram != null)
|
|
|
b0499a |
&& !sslVersionRangeDatagram.equals("")) {
|
|
|
b0499a |
debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type DATA_GRAM\n");
|
|
|
b0499a |
@@ -854,11 +854,11 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
|
|
|
b0499a |
private void initializePasswordStore() throws InstantiationException, IllegalAccessException,
|
|
|
b0499a |
ClassNotFoundException, IOException {
|
|
|
b0499a |
- mPwdClass = getEndpointAttribute("passwordClass");
|
|
|
b0499a |
+ mPwdClass = getProperty("passwordClass");
|
|
|
b0499a |
if (mPwdClass == null) {
|
|
|
b0499a |
throw new IOException("Misconfiguration: passwordClass is not defined");
|
|
|
b0499a |
}
|
|
|
b0499a |
- mPwdPath = getEndpointAttribute("passwordFile");
|
|
|
b0499a |
+ mPwdPath = getProperty("passwordFile");
|
|
|
b0499a |
|
|
|
b0499a |
mPasswordStore = (IPasswordStore) Class.forName(mPwdClass).newInstance();
|
|
|
b0499a |
debugWrite("JSSSocketFactory init - password reader initialized\n");
|
|
|
b0499a |
@@ -869,7 +869,7 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
|
|
|
b0499a |
private CryptoManager getCryptoManager() throws KeyDatabaseException, CertDatabaseException,
|
|
|
b0499a |
GeneralSecurityException, NotInitializedException, IOException {
|
|
|
b0499a |
- String certDir = getEndpointAttribute("certdbDir");
|
|
|
b0499a |
+ String certDir = getProperty("certdbDir");
|
|
|
b0499a |
if (certDir == null) {
|
|
|
b0499a |
throw new IOException("Misconfiguration: certdir not defined");
|
|
|
b0499a |
}
|
|
|
b0499a |
--
|
|
|
b0499a |
1.8.3.1
|
|
|
b0499a |
|
|
|
b0499a |
|
|
|
b0499a |
From 7612272aa337c413ac4b96cd13d5a1384b80b5aa Mon Sep 17 00:00:00 2001
|
|
|
b0499a |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b0499a |
Date: Fri, 27 Jan 2017 04:31:41 +0100
|
|
|
b0499a |
Subject: [PATCH 2/2] Added SSLSocketListener registry.
|
|
|
b0499a |
|
|
|
b0499a |
A new TomcatJSS class has been added as a mechanism to register
|
|
|
b0499a |
SSLSocketListeners for all SSLSockets created by TomcatJSS.
|
|
|
b0499a |
|
|
|
b0499a |
https://pagure.io/tomcatjss/issue/4
|
|
|
b0499a |
---
|
|
|
b0499a |
.../tomcat/util/net/jss/JSSSocketFactory.java | 4 ++
|
|
|
b0499a |
src/org/apache/tomcat/util/net/jss/TomcatJSS.java | 69 ++++++++++++++++++++++
|
|
|
b0499a |
2 files changed, 73 insertions(+)
|
|
|
b0499a |
create mode 100644 src/org/apache/tomcat/util/net/jss/TomcatJSS.java
|
|
|
b0499a |
|
|
|
b0499a |
diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
|
|
|
b0499a |
index bc096c1..4992600 100644
|
|
|
b0499a |
--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
|
|
|
b0499a |
+++ b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
|
|
|
b0499a |
@@ -934,6 +934,10 @@ public class JSSSocketFactory implements
|
|
|
b0499a |
SSLSocket asock = null;
|
|
|
b0499a |
try {
|
|
|
b0499a |
asock = (SSLSocket) socket.accept();
|
|
|
b0499a |
+
|
|
|
b0499a |
+ TomcatJSS tomcatjss = TomcatJSS.getInstance();
|
|
|
b0499a |
+ asock.addSocketListener(tomcatjss);
|
|
|
b0499a |
+
|
|
|
b0499a |
if (wantClientAuth || requireClientAuth) {
|
|
|
b0499a |
asock.requestClientAuth(true);
|
|
|
b0499a |
if (requireClientAuth == true) {
|
|
|
b0499a |
diff --git a/src/org/apache/tomcat/util/net/jss/TomcatJSS.java b/src/org/apache/tomcat/util/net/jss/TomcatJSS.java
|
|
|
b0499a |
new file mode 100644
|
|
|
b0499a |
index 0000000..9717921
|
|
|
b0499a |
--- /dev/null
|
|
|
b0499a |
+++ b/src/org/apache/tomcat/util/net/jss/TomcatJSS.java
|
|
|
b0499a |
@@ -0,0 +1,69 @@
|
|
|
b0499a |
+/* BEGIN COPYRIGHT BLOCK
|
|
|
b0499a |
+ * This library is free software; you can redistribute it and/or
|
|
|
b0499a |
+ * modify it under the terms of the GNU Lesser General Public
|
|
|
b0499a |
+ * License as published by the Free Software Foundation; either
|
|
|
b0499a |
+ * version 2.1 of the License, or (at your option) any later version.
|
|
|
b0499a |
+ *
|
|
|
b0499a |
+ * This library is distributed in the hope that it will be useful,
|
|
|
b0499a |
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
b0499a |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
b0499a |
+ * Lesser General Public License for more details.
|
|
|
b0499a |
+ *
|
|
|
b0499a |
+ * You should have received a copy of the GNU Lesser General Public
|
|
|
b0499a |
+ * License along with this library; if not, write to the Free Software
|
|
|
b0499a |
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
b0499a |
+ *
|
|
|
b0499a |
+ * Copyright (C) 2017 Red Hat, Inc.
|
|
|
b0499a |
+ * All rights reserved.
|
|
|
b0499a |
+ * END COPYRIGHT BLOCK */
|
|
|
b0499a |
+
|
|
|
b0499a |
+package org.apache.tomcat.util.net.jss;
|
|
|
b0499a |
+
|
|
|
b0499a |
+import java.util.ArrayList;
|
|
|
b0499a |
+import java.util.Collection;
|
|
|
b0499a |
+
|
|
|
b0499a |
+import org.mozilla.jss.ssl.SSLAlertEvent;
|
|
|
b0499a |
+import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
|
|
|
b0499a |
+import org.mozilla.jss.ssl.SSLSocketListener;
|
|
|
b0499a |
+
|
|
|
b0499a |
+public class TomcatJSS implements SSLSocketListener {
|
|
|
b0499a |
+
|
|
|
b0499a |
+ public final static TomcatJSS INSTANCE = new TomcatJSS();
|
|
|
b0499a |
+
|
|
|
b0499a |
+ public static TomcatJSS getInstance() { return INSTANCE; }
|
|
|
b0499a |
+
|
|
|
b0499a |
+ Collection<SSLSocketListener> socketListeners = new ArrayList<SSLSocketListener>();
|
|
|
b0499a |
+
|
|
|
b0499a |
+ public void addSocketListener(SSLSocketListener listener) {
|
|
|
b0499a |
+ socketListeners.add(listener);
|
|
|
b0499a |
+ }
|
|
|
b0499a |
+
|
|
|
b0499a |
+ public void removeSocketListener(SSLSocketListener listener) {
|
|
|
b0499a |
+ socketListeners.remove(listener);
|
|
|
b0499a |
+ }
|
|
|
b0499a |
+
|
|
|
b0499a |
+ public Collection<SSLSocketListener> getSocketListeners() {
|
|
|
b0499a |
+ return socketListeners;
|
|
|
b0499a |
+ }
|
|
|
b0499a |
+
|
|
|
b0499a |
+ @Override
|
|
|
b0499a |
+ public void alertReceived(SSLAlertEvent event) {
|
|
|
b0499a |
+ for (SSLSocketListener listener : socketListeners) {
|
|
|
b0499a |
+ listener.alertReceived(event);
|
|
|
b0499a |
+ }
|
|
|
b0499a |
+ }
|
|
|
b0499a |
+
|
|
|
b0499a |
+ @Override
|
|
|
b0499a |
+ public void alertSent(SSLAlertEvent event) {
|
|
|
b0499a |
+ for (SSLSocketListener listener : socketListeners) {
|
|
|
b0499a |
+ listener.alertSent(event);
|
|
|
b0499a |
+ }
|
|
|
b0499a |
+ }
|
|
|
b0499a |
+
|
|
|
b0499a |
+ @Override
|
|
|
b0499a |
+ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
|
|
|
b0499a |
+ for (SSLSocketListener listener : socketListeners) {
|
|
|
b0499a |
+ listener.handshakeCompleted(event);
|
|
|
b0499a |
+ }
|
|
|
b0499a |
+ }
|
|
|
b0499a |
+}
|
|
|
b0499a |
--
|
|
|
b0499a |
1.8.3.1
|
|
|
b0499a |
|