[Pkg-freeipa-devel] [Git][freeipa-team/tomcatjss][upstream] 14 commits: Updated version number to 7.4.0-0.1 (alpha 1)
Timo Aaltonen
gitlab at salsa.debian.org
Thu Apr 25 14:15:45 BST 2019
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / tomcatjss
Commits:
11ec64db by Endi S. Dewata at 2019-02-20T19:05:25Z
Updated version number to 7.4.0-0.1 (alpha 1)
- - - - -
e6bf7ec9 by Endi S. Dewata at 2019-02-21T22:39:37Z
Added default values
The TomcatJSS class has been modified to provide default values
for certain configuration parameters.
- - - - -
201b0fa0 by Endi S. Dewata at 2019-02-21T22:52:44Z
Updated Travis CI for Tomcat JSS 7.4
- - - - -
e574683a by Endi S. Dewata at 2019-02-21T22:58:05Z
Added JSSListener
A LifecycleListener has been added to initialize JSS in Tomcat
with the configuration stored in server.xml.
- - - - -
79edc655 by Endi S. Dewata at 2019-02-21T22:58:05Z
Updated JSSListener
The JSSListener has been modified to support a separate
configuration file (e.g. jss.conf).
- - - - -
847c4660 by Endi S. Dewata at 2019-02-22T14:28:46Z
Updated Tomcat dependency
- - - - -
61d7e1b1 by Endi S. Dewata at 2019-03-04T17:57:39Z
Added JSSTrustManager
The PKITrustManager from PKI has been added into Tomcat JSS as
JSSTrustManager for reusability.
- - - - -
e5d8445c by Endi S. Dewata at 2019-03-04T17:57:39Z
Updated JSSImplementation for Tomcat 8.5
The JSSImplementation for Tomcat 8.5 has been updated to extend
from JSSEImplementation and to provide a JSSTrustManager and a
JSSKeyManager. The JSSKeyManager currently only implements the
methods actually used by Tomcat.
- - - - -
2f68f71e by Endi S. Dewata at 2019-03-04T17:57:39Z
Updated JSS dependency
- - - - -
1353ed71 by Endi S. Dewata at 2019-03-06T17:40:56Z
Added .copr/Makefile
- - - - -
0c10e98f by Dinesh Prasanth M K at 2019-03-29T16:41:36Z
Add timestamp and commit-id for automated COPR builds
To aid in copr automated builds, this patch creates
NVR based on timestamp and commit-id
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
ebba3a97 by Dinesh Prasanth M K at 2019-04-01T18:18:16Z
Fixing minor issue with COPR automated builds
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
04a163ea by Dinesh Prasanth M K at 2019-04-03T17:31:20Z
Fix included COPR version
COPR @pki/10.7 doesn't exist. As a result Travis
throws an error.
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
1c5e0f91 by Endi S. Dewata at 2019-04-25T02:19:54Z
Updated version number to 7.4.0-1
- - - - -
12 changed files:
- .classpath
- + .copr/Makefile
- .travis.yml
- build.xml
- src/org/apache/tomcat/util/net/jss/TomcatJSS.java
- + src/org/dogtagpki/tomcat/JSSKeyManager.java
- + src/org/dogtagpki/tomcat/JSSListener.java
- + src/org/dogtagpki/tomcat/JSSTrustManager.java
- − tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSSupport.java
- tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSImplementation.java → tomcat-8.5/src/org/dogtagpki/tomcat/JSSImplementation.java
- tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSUtil.java → tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
- tomcatjss.spec
Changes:
=====================================
.classpath
=====================================
@@ -10,5 +10,7 @@
<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-juli.jar"/>
<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
<classpathentry kind="lib" path="/usr/share/java/slf4j/slf4j-api.jar"/>
+ <classpathentry kind="lib" path="/usr/share/java/tomcat/catalina.jar"/>
+ <classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-api.jar"/>
<classpathentry kind="output" path="bin"/>
</classpath>
=====================================
.copr/Makefile
=====================================
@@ -0,0 +1,6 @@
+srpm:
+ dnf install -y git
+ ./build.sh --with-timestamp --with-commit-id srpm
+ if [[ "${outdir}" != "" ]]; then \
+ mv ${HOME}/build/tomcatjss/SRPMS/* ${outdir}; \
+ fi
=====================================
.travis.yml
=====================================
@@ -7,8 +7,8 @@ services:
- docker
env:
- - FEDORA=27
- FEDORA=28
+ - FEDORA=29
install:
- docker pull registry.fedoraproject.org/fedora:$FEDORA
@@ -19,7 +19,7 @@ install:
-v $(pwd):/root/tomcatjss
registry.fedoraproject.org/fedora:$FEDORA
- docker exec container dnf install -y dnf-plugins-core gcc make rpm-build
- - docker exec container dnf copr -y enable ${TOMCATJSS_7_3_REPO:- at pki/10.6}
+ - docker exec container dnf copr -y enable ${TOMCATJSS_7_4_REPO:- at pki/master}
- docker exec container dnf builddep -y --spec /root/tomcatjss/tomcatjss.spec
- docker exec container dnf remove -y tomcat-native
- docker exec container /root/tomcatjss/build.sh --with-timestamp --with-commit-id rpm
=====================================
build.xml
=====================================
@@ -102,6 +102,8 @@
<property name="slf4j-api.jar" value="${jar.home}/slf4j/slf4j-api.jar" />
<property name="tomcat.home" value="/usr/share/tomcat" />
+ <property name="catalina.jar" value="${tomcat.home}/lib/catalina.jar" />
+ <property name="tomcat-api.jar" value="${tomcat.home}/lib/tomcat-api.jar" />
<property name="tomcat-coyote.jar" value="${tomcat.home}/lib/tomcat-coyote.jar" />
<property name="tomcat-juli.jar" value="${tomcat.home}/bin/tomcat-juli.jar" />
@@ -116,6 +118,8 @@
-->
<path id="classpath">
<pathelement location="${jss.jar}"/>
+ <pathelement location="${catalina.jar}"/>
+ <pathelement location="${tomcat-api.jar}"/>
<pathelement location="${tomcat-coyote.jar}"/>
<pathelement location="${tomcat-juli.jar}"/>
<pathelement location="${commons-logging.jar}"/>
=====================================
src/org/apache/tomcat/util/net/jss/TomcatJSS.java
=====================================
@@ -19,6 +19,7 @@
package org.apache.tomcat.util.net.jss;
+import java.io.File;
import java.io.IOException;
import java.net.SocketException;
import java.nio.file.Files;
@@ -298,25 +299,30 @@ public class TomcatJSS implements SSLSocketListener {
logger.info("TomcatJSS: initialization");
- logger.debug("certdbDir: " + certdbDir);
- logger.debug("passwordClass: " + passwordClass);
- logger.debug("passwordFile: " + passwordFile);
- logger.debug("serverCertNickFile: " + serverCertNickFile);
-
if (certdbDir == null) {
- throw new Exception("Missing certdbDir");
+ certdbDir = System.getProperty("catalina.base") + File.separator + "alias";
}
+ logger.debug("TomcatJSS: certdbDir: " + certdbDir);
+
if (passwordClass == null) {
- throw new Exception("Missing passwordClass");
+ passwordClass = PlainPasswordFile.class.getName();
+ }
+
+ logger.debug("TomcatJSS: passwordClass: " + passwordClass);
+
+ if (passwordFile == null) {
+ passwordFile = System.getProperty("catalina.base") + File.separator +
+ "conf" + File.separator + "password.conf";
}
- if (serverCertNickFile == null) {
- throw new Exception("Missing serverCertNickFile");
+ logger.debug("TomcatJSS: passwordFile: " + passwordFile);
+
+ if (serverCertNickFile != null) {
+ logger.debug("TomcatJSS: serverCertNickFile: " + serverCertNickFile);
}
- InitializationValues vals = new InitializationValues(
- certdbDir, "", "", "secmod.db");
+ InitializationValues vals = new InitializationValues(certdbDir);
vals.removeSunProvider = false;
vals.installJSSProvider = true;
@@ -335,8 +341,10 @@ public class TomcatJSS implements SSLSocketListener {
login();
- serverCertNick = new String(Files.readAllBytes(Paths.get(serverCertNickFile))).trim();
- logger.debug("serverCertNick: " + serverCertNick);
+ if (serverCertNickFile != null) {
+ serverCertNick = new String(Files.readAllBytes(Paths.get(serverCertNickFile))).trim();
+ logger.debug("serverCertNick: " + serverCertNick);
+ }
logger.debug("clientAuth: " + clientAuth);
if (clientAuth.equalsIgnoreCase("true")) {
@@ -500,7 +508,7 @@ public class TomcatJSS implements SSLSocketListener {
}
logger.debug("ocspResponderURL: " + ocspResponderURL);
-
+
if (StringUtils.isEmpty(ocspResponderURL)) {
ocspResponderURL = null;
}
=====================================
src/org/dogtagpki/tomcat/JSSKeyManager.java
=====================================
@@ -0,0 +1,146 @@
+/* BEGIN COPYRIGHT BLOCK
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * Copyright (C) 2017 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+
+package org.dogtagpki.tomcat;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+
+import javax.net.ssl.X509KeyManager;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.ObjectNotFoundException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import sun.security.x509.X509CertImpl;
+
+public class JSSKeyManager implements X509KeyManager {
+
+ final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
+
+ @Override
+ public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
+ logger.debug("JSSKeyManager: chooseClientAlias()");
+
+ logger.debug("JSSKeyManager: key types:");
+ for (String keyType : keyTypes) {
+ logger.debug("JSSKeyManager: - " + keyType);
+ }
+
+ logger.debug("JSSKeyManager: issuers:");
+ for (Principal issuer : issuers) {
+ logger.debug("JSSKeyManager: - " + issuer.getName());
+ }
+
+ return null; // not implemented
+ }
+
+ @Override
+ public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+ logger.debug("JSSKeyManager: chooseServerAlias()");
+ logger.debug("JSSKeyManager: key type: " + keyType);
+
+ logger.debug("JSSKeyManager: issuers:");
+ for (Principal issuer : issuers) {
+ logger.debug("JSSKeyManager: - " + issuer.getName());
+ }
+
+ return null; // not implemented
+ }
+
+ @Override
+ public X509Certificate[] getCertificateChain(String alias) {
+
+ logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
+
+ try {
+ CryptoManager cm = CryptoManager.getInstance();
+ org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
+
+ org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
+ logger.debug("JSSKeyManager: cert chain:");
+
+ Collection<X509Certificate> list = new ArrayList<>();
+ for (org.mozilla.jss.crypto.X509Certificate c : chain) {
+ logger.debug("JSSKeyManager: - " + c.getSubjectDN());
+ list.add(new X509CertImpl(c.getEncoded()));
+ }
+
+ return list.toArray(new X509Certificate[list.size()]);
+
+ } catch (Throwable e) {
+ logger.error(e.getMessage(), e);
+ throw new RuntimeException(e);
+ }
+ }
+
+ @Override
+ public String[] getClientAliases(String keyType, Principal[] issuers) {
+ logger.debug("JSSKeyManager: getClientAliases()");
+ logger.debug("JSSKeyManager: key type: " + keyType);
+
+ logger.debug("JSSKeyManager: issuers:");
+ for (Principal issuer : issuers) {
+ logger.debug("JSSKeyManager: - " + issuer.getName());
+ }
+
+ return null; // not implemented
+ }
+
+ @Override
+ public PrivateKey getPrivateKey(String alias) {
+
+ logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
+
+ try {
+ CryptoManager cm = CryptoManager.getInstance();
+ org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
+ PrivateKey privateKey = cm.findPrivKeyByCert(cert);
+
+ logger.debug("JSSKeyManager: key found: " + alias);
+ return privateKey;
+
+ } catch (ObjectNotFoundException e) {
+ logger.debug("JSSKeyManager: key not found: " + alias);
+ return null;
+
+ } catch (Throwable e) {
+ logger.error(e.getMessage(), e);
+ throw new RuntimeException(e);
+ }
+ }
+
+ @Override
+ public String[] getServerAliases(String keyType, Principal[] issuers) {
+ logger.debug("JSSKeyManager: getServerAliases()");
+ logger.debug("JSSKeyManager: key type: " + keyType);
+
+ logger.debug("JSSKeyManager: issuers:");
+ for (Principal issuer : issuers) {
+ logger.debug("JSSKeyManager: - " + issuer.getName());
+ }
+
+ return null; // not implemented
+ }
+}
=====================================
src/org/dogtagpki/tomcat/JSSListener.java
=====================================
@@ -0,0 +1,260 @@
+/* BEGIN COPYRIGHT BLOCK
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+
+package org.dogtagpki.tomcat;
+
+import java.io.File;
+import java.io.FileReader;
+import java.util.Properties;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
+
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.commons.lang.StringUtils;
+import org.apache.tomcat.util.net.jss.TomcatJSS;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+public class JSSListener implements LifecycleListener {
+
+ final static Logger logger = LoggerFactory.getLogger(JSSListener.class);
+
+ public String configFile;
+
+ public String getConfigFile() {
+ return configFile;
+ }
+
+ public void setConfigFile(String configFile) {
+ this.configFile = configFile;
+ }
+
+ @Override
+ public void lifecycleEvent(LifecycleEvent event) {
+
+ String type = event.getType();
+
+ if (type.equals(Lifecycle.BEFORE_INIT_EVENT)) {
+ initJSS();
+ }
+ }
+
+ public void initJSS() {
+
+ logger.info("JSSListener: Initializing JSS");
+ logger.info("JSSListener: Config: " + configFile);
+
+ try {
+ if (configFile != null) {
+ loadJSSConfig();
+ } else {
+ loadServerXml();
+ }
+
+ TomcatJSS tomcatjss = TomcatJSS.getInstance();
+ tomcatjss.init();
+
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ public void loadJSSConfig() throws Exception {
+
+ Properties properties = new Properties();
+ properties.load(new FileReader(configFile));
+
+ TomcatJSS tomcatjss = TomcatJSS.getInstance();
+
+ String certDb = properties.getProperty("certdbDir");
+ if (certDb != null)
+ tomcatjss.setCertdbDir(certDb);
+
+ String passwordClass = properties.getProperty("passwordClass");
+ if (passwordClass != null)
+ tomcatjss.setPasswordClass(passwordClass);
+
+ String passwordFile = properties.getProperty("passwordFile");
+ if (passwordFile != null)
+ tomcatjss.setPasswordFile(passwordFile);
+
+ String enableOCSP = properties.getProperty("enableOCSP");
+ if (enableOCSP != null)
+ tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
+
+ String ocspResponderURL = properties.getProperty("ocspResponderURL");
+ if (ocspResponderURL != null)
+ tomcatjss.setOcspResponderURL(ocspResponderURL);
+
+ String ocspResponderCertNickname = properties.getProperty("ocspResponderCertNickname");
+ if (ocspResponderCertNickname != null)
+ tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
+
+ String ocspCacheSize = properties.getProperty("ocspCacheSize");
+ if (StringUtils.isNotEmpty(ocspCacheSize))
+ tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
+
+ String ocspMinCacheEntryDuration = properties.getProperty("ocspMinCacheEntryDuration");
+ if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
+ tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
+
+ String ocspMaxCacheEntryDuration = properties.getProperty("ocspMaxCacheEntryDuration");
+ if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
+ tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
+
+ String ocspTimeout = properties.getProperty("ocspTimeout");
+ if (StringUtils.isNotEmpty(ocspTimeout))
+ tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
+
+ String strictCiphers = properties.getProperty("strictCiphers");
+ if (strictCiphers != null)
+ tomcatjss.setStrictCiphers(strictCiphers);
+
+ String sslVersionRangeStream = properties.getProperty("sslVersionRangeStream");
+ if (sslVersionRangeStream != null)
+ tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
+
+ String sslVersionRangeDatagram = properties.getProperty("sslVersionRangeDatagram");
+ if (sslVersionRangeDatagram != null)
+ tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
+
+ String sslRangeCiphers = properties.getProperty("sslRangeCiphers");
+ if (sslRangeCiphers != null)
+ tomcatjss.setSslRangeCiphers(sslRangeCiphers);
+
+ String sslOptions = properties.getProperty("sslOptions");
+ if (sslOptions != null)
+ tomcatjss.setSslOptions(sslOptions);
+
+ String ssl2Ciphers = properties.getProperty("ssl2Ciphers");
+ if (ssl2Ciphers != null)
+ tomcatjss.setSsl2Ciphers(ssl2Ciphers);
+
+ String ssl3Ciphers = properties.getProperty("ssl3Ciphers");
+ if (ssl3Ciphers != null)
+ tomcatjss.setSsl3Ciphers(ssl3Ciphers);
+
+ String tlsCiphers = properties.getProperty("tlsCiphers");
+ if (tlsCiphers != null)
+ tomcatjss.setTlsCiphers(tlsCiphers);
+ }
+
+ public void loadServerXml() throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilder builder = factory.newDocumentBuilder();
+
+ String catalinaBase = System.getProperty("catalina.base");
+ File file = new File(catalinaBase + "/conf/server.xml");
+ Document doc = builder.parse(file);
+
+ XPathFactory xPathfactory = XPathFactory.newInstance();
+ XPath xpath = xPathfactory.newXPath();
+
+ Element connector = (Element) xpath.evaluate(
+ "/Server/Service[@name='Catalina']/Connector[@SSLEnabled='true']",
+ doc, XPathConstants.NODE);
+
+ TomcatJSS tomcatjss = TomcatJSS.getInstance();
+
+ String certDb = connector.getAttribute("certdbDir");
+ if (certDb != null)
+ tomcatjss.setCertdbDir(certDb);
+
+ String passwordClass = connector.getAttribute("passwordClass");
+ if (passwordClass != null)
+ tomcatjss.setPasswordClass(passwordClass);
+
+ String passwordFile = connector.getAttribute("passwordFile");
+ if (passwordFile != null)
+ tomcatjss.setPasswordFile(passwordFile);
+
+ String serverCertNickFile = connector.getAttribute("serverCertNickFile");
+ if (serverCertNickFile != null)
+ tomcatjss.setServerCertNickFile(serverCertNickFile);
+
+ String enableOCSP = connector.getAttribute("enableOCSP");
+ if (enableOCSP != null)
+ tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
+
+ String ocspResponderURL = connector.getAttribute("ocspResponderURL");
+ if (ocspResponderURL != null)
+ tomcatjss.setOcspResponderURL(ocspResponderURL);
+
+ String ocspResponderCertNickname = connector.getAttribute("ocspResponderCertNickname");
+ if (ocspResponderCertNickname != null)
+ tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
+
+ String ocspCacheSize = connector.getAttribute("ocspCacheSize");
+ if (StringUtils.isNotEmpty(ocspCacheSize))
+ tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
+
+ String ocspMinCacheEntryDuration = connector.getAttribute("ocspMinCacheEntryDuration");
+ if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
+ tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
+
+ String ocspMaxCacheEntryDuration = connector.getAttribute("ocspMaxCacheEntryDuration");
+ if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
+ tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
+
+ String ocspTimeout = connector.getAttribute("ocspTimeout");
+ if (StringUtils.isNotEmpty(ocspTimeout))
+ tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
+
+ String strictCiphers = connector.getAttribute("strictCiphers");
+ if (strictCiphers != null)
+ tomcatjss.setStrictCiphers(strictCiphers);
+
+ String sslVersionRangeStream = connector.getAttribute("sslVersionRangeStream");
+ if (sslVersionRangeStream != null)
+ tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
+
+ String sslVersionRangeDatagram = connector.getAttribute("sslVersionRangeDatagram");
+ if (sslVersionRangeDatagram != null)
+ tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
+
+ String sslRangeCiphers = connector.getAttribute("sslRangeCiphers");
+ if (sslRangeCiphers != null)
+ tomcatjss.setSslRangeCiphers(sslRangeCiphers);
+
+ String sslOptions = connector.getAttribute("sslOptions");
+ if (sslOptions != null)
+ tomcatjss.setSslOptions(sslOptions);
+
+ String ssl2Ciphers = connector.getAttribute("ssl2Ciphers");
+ if (ssl2Ciphers != null)
+ tomcatjss.setSsl2Ciphers(ssl2Ciphers);
+
+ String ssl3Ciphers = connector.getAttribute("ssl3Ciphers");
+ if (ssl3Ciphers != null)
+ tomcatjss.setSsl3Ciphers(ssl3Ciphers);
+
+ String tlsCiphers = connector.getAttribute("tlsCiphers");
+ if (tlsCiphers != null)
+ tomcatjss.setTlsCiphers(tlsCiphers);
+ }
+}
=====================================
src/org/dogtagpki/tomcat/JSSTrustManager.java
=====================================
@@ -0,0 +1,197 @@
+/* BEGIN COPYRIGHT BLOCK
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * Copyright (C) 2017 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+
+package org.dogtagpki.tomcat;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+import javax.net.ssl.X509TrustManager;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.NotInitializedException;
+import org.mozilla.jss.netscape.security.util.Cert;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import sun.security.x509.X509CertImpl;
+
+public class JSSTrustManager implements X509TrustManager {
+
+ final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
+
+ final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
+ final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
+
+ public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
+
+ logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
+
+ // sort cert chain from root to leaf
+ certChain = Cert.sortCertificateChain(certChain);
+
+ for (X509Certificate cert : certChain) {
+ logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
+ }
+
+ // get CA certs
+ X509Certificate[] caCerts = getAcceptedIssuers();
+
+ // validating cert chain from root to leaf
+ for (int i = 0; i < certChain.length; i++) {
+
+ X509Certificate cert = certChain[i];
+
+ // validating key usage on leaf cert only
+ String usage;
+ if (i == certChain.length - 1) {
+ usage = keyUsage;
+ } else {
+ usage = null;
+ }
+
+ checkCert(cert, caCerts, usage);
+
+ // use the current cert as the CA cert for the next cert in the chain
+ caCerts = new X509Certificate[] { cert };
+ }
+ }
+
+ public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
+
+ logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
+
+ boolean[] aki = cert.getIssuerUniqueID();
+ logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
+
+ X509Certificate issuer = null;
+ for (X509Certificate caCert : caCerts) {
+
+ boolean[] ski = caCert.getSubjectUniqueID();
+ logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
+
+ try {
+ cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
+ issuer = caCert;
+ break;
+ } catch (Exception e) {
+ logger.debug("JSSTrustManager: invalid certificate: " + e);
+ }
+ }
+
+ if (issuer == null) {
+ throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
+ }
+
+ logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
+
+ logger.debug("JSSTrustManager: checking validity range:");
+ logger.debug("JSSTrustManager: - not before: " + cert.getNotBefore());
+ logger.debug("JSSTrustManager: - not after: " + cert.getNotAfter());
+ cert.checkValidity();
+
+ if (keyUsage != null) {
+
+ List<String> extendedKeyUsages = cert.getExtendedKeyUsage();
+ logger.debug("JSSTrustManager: checking extended key usages:");
+
+ for (String extKeyUsage : extendedKeyUsages) {
+ logger.debug("JSSTrustManager: - " + extKeyUsage);
+ }
+
+ if (extendedKeyUsages.contains(keyUsage)) {
+ logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
+ } else {
+ throw new CertificateException("Missing extended key usage: " + keyUsage);
+ }
+ }
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
+
+ logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
+
+ try {
+ checkCertChain(certChain, CLIENT_AUTH_OID);
+ logger.debug("JSSTrustManager: SSL client certificate is valid");
+
+ } catch (CertificateException e) {
+ logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
+ throw e;
+
+ } catch (Exception e) {
+ logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
+ throw new CertificateException(e);
+ }
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
+
+ logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
+
+ try {
+ checkCertChain(certChain, SERVER_AUTH_OID);
+ logger.debug("JSSTrustManager: SSL server certificate is valid");
+
+ } catch (CertificateException e) {
+ logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
+ throw e;
+
+ } catch (Exception e) {
+ logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
+ throw new CertificateException(e);
+ }
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+
+ logger.debug("JSSTrustManager: getAcceptedIssuers():");
+
+ Collection<X509Certificate> caCerts = new ArrayList<>();
+
+ try {
+ CryptoManager manager = CryptoManager.getInstance();
+ for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
+ logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
+
+ try {
+ X509CertImpl caCert = new X509CertImpl(cert.getEncoded());
+ caCert.checkValidity();
+ caCerts.add(caCert);
+
+ } catch (Exception e) {
+ logger.debug("JSSTrustManager: invalid CA certificate: " + e);
+ }
+ }
+
+ } catch (NotInitializedException e) {
+ logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e);
+ throw new RuntimeException(e);
+ }
+
+ return caCerts.toArray(new X509Certificate[caCerts.size()]);
+ }
+}
=====================================
tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSSupport.java deleted
=====================================
@@ -1,54 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Copyright (C) 2018 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.apache.tomcat.util.net.jss;
-
-import java.io.IOException;
-import java.security.cert.X509Certificate;
-
-import org.apache.tomcat.util.net.SSLSupport;
-
-public class JSSSupport implements SSLSupport {
-
- @Override
- public String getCipherSuite() throws IOException {
- return null;
- }
-
- @Override
- public Integer getKeySize() throws IOException {
- return null;
- }
-
- @Override
- public X509Certificate[] getPeerCertificateChain() throws IOException {
- return null;
- }
-
- @Override
- public String getProtocol() throws IOException {
- return null;
- }
-
- @Override
- public String getSessionId() throws IOException {
- return null;
- }
-
- }
=====================================
tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSImplementation.java → tomcat-8.5/src/org/dogtagpki/tomcat/JSSImplementation.java
=====================================
@@ -13,34 +13,38 @@
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
- * Copyright (C) 2018 Red Hat, Inc.
+ * Copyright (C) 2007 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */
-package org.apache.tomcat.util.net.jss;
-
-import javax.net.ssl.SSLSession;
+package org.dogtagpki.tomcat;
+import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
-import org.apache.tomcat.util.net.SSLImplementation;
-import org.apache.tomcat.util.net.SSLSupport;
import org.apache.tomcat.util.net.SSLUtil;
+import org.apache.tomcat.util.net.jsse.JSSEImplementation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
-public class JSSImplementation extends SSLImplementation {
+public class JSSImplementation extends JSSEImplementation {
- @Override
- public SSLSupport getSSLSupport(SSLSession session) {
- return new JSSSupport();
+ public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
+
+ public JSSImplementation() {
+ logger.debug("JSSImplementation: instance created");
}
@Override
public SSLUtil getSSLUtil(SSLHostConfigCertificate cert) {
- return new JSSUtil();
- }
+ logger.debug("JSSImplementation: getSSLUtil()");
+ logger.debug("JSSImplementation: key alias: " + cert.getCertificateKeyAlias());
+ logger.debug("JSSImplementation: keystore provider: " + cert.getCertificateKeystoreProvider());
- @Override
- public boolean isAlpnSupported() {
- return false;
- }
+ SSLHostConfig hostConfig = cert.getSSLHostConfig();
+ logger.debug("JSSImplementation: key manager alg: " + hostConfig.getKeyManagerAlgorithm());
+ logger.debug("JSSImplementation: truststore alg: " + hostConfig.getTruststoreAlgorithm());
+ logger.debug("JSSImplementation: truststore provider: " + hostConfig.getTruststoreProvider());
+ return new JSSUtil(cert);
+ }
}
=====================================
tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSUtil.java → tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
=====================================
@@ -17,45 +17,37 @@
* All rights reserved.
* END COPYRIGHT BLOCK */
-package org.apache.tomcat.util.net.jss;
-
-import java.util.List;
+package org.dogtagpki.tomcat;
import javax.net.ssl.KeyManager;
-import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
-import org.apache.tomcat.util.net.SSLContext;
-import org.apache.tomcat.util.net.SSLUtil;
-
-public class JSSUtil implements SSLUtil {
-
- @Override
- public void configureSessionContext(SSLSessionContext arg0) {
- }
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
+import org.apache.tomcat.util.net.jsse.JSSEUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
- @Override
- public SSLContext createSSLContext(List<String> arg0) throws Exception {
- return null;
- }
+public class JSSUtil extends JSSEUtil {
- @Override
- public String[] getEnabledCiphers() throws IllegalArgumentException {
- return null;
- }
+ public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
- @Override
- public String[] getEnabledProtocols() throws IllegalArgumentException {
- return null;
+ public JSSUtil(SSLHostConfigCertificate cert) {
+ super(cert);
+ logger.debug("JSSUtil: instance created");
}
@Override
public KeyManager[] getKeyManagers() throws Exception {
- return null;
+ logger.debug("JSSUtil: getKeyManagers()");
+ String keyAlias = certificate.getCertificateKeyAlias();
+ KeyManager keyManager = new JSSEKeyManager(new JSSKeyManager(), keyAlias);
+ return new KeyManager[] { keyManager };
}
@Override
public TrustManager[] getTrustManagers() throws Exception {
- return null;
+ logger.debug("JSSUtil: getTrustManagers()");
+ return new TrustManager[] { new JSSTrustManager() };
}
}
=====================================
tomcatjss.spec
=====================================
@@ -7,7 +7,7 @@ URL: http://www.dogtagpki.org/wiki/TomcatJSS
License: LGPLv2+
BuildArch: noarch
-Version: 7.3.6
+Version: 7.4.0
Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
# global _phase -a1
@@ -57,7 +57,7 @@ BuildRequires: slf4j-jdk14
%if 0%{?rhel} && 0%{?rhel} <= 7
BuildRequires: jss >= 4.4.0-7
%else
-BuildRequires: jss >= 4.5.0-1
+BuildRequires: jss >= 4.5.3
%endif
# Tomcat
@@ -70,10 +70,14 @@ BuildRequires: tomcat >= 8.0.49
%if 0%{?fedora} && 0%{?fedora} <= 28
BuildRequires: tomcat >= 1:8.5.23
%else
+%if 0%{?rhel}
+BuildRequires: pki-servlet-engine >= 1:9.0.7
+%else
BuildRequires: tomcat >= 1:9.0.7
%endif
%endif
%endif
+%endif
################################################################################
# Runtime Dependencies
@@ -90,7 +94,7 @@ Requires: jpackage-utils >= 0:1.7.5-15
# SLF4J
Requires: slf4j
-%if 0%{?rhel} && 0%{?rhel} <= 7
+%if 0%{?rhel}
# no slf4j-jdk14
%else
Requires: slf4j-jdk14
@@ -100,7 +104,7 @@ Requires: slf4j-jdk14
%if 0%{?rhel} && 0%{?rhel} <= 7
Requires: jss >= 4.4.0-7
%else
-Requires: jss >= 4.5.0-1
+Requires: jss >= 4.5.3
%endif
# Tomcat
@@ -113,10 +117,14 @@ Requires: tomcat >= 8.0.49
%if 0%{?fedora} && 0%{?fedora} <= 28
Requires: tomcat >= 1:8.5.23
%else
+%if 0%{?rhel}
+Requires: pki-servlet-engine >= 1:9.0.7
+%else
Requires: tomcat >= 1:9.0.7
%endif
%endif
%endif
+%endif
# The 'tomcatjss' package conflicts with the 'tomcat-native' package
# because it uses an underlying NSS security model rather than the
View it on GitLab: https://salsa.debian.org/freeipa-team/tomcatjss/compare/a84bdfcc2416b73aa0dfa7c6cb4f43959cd33d04...1c5e0f91c0ff7b228034dba89383633c7c413fd2
--
View it on GitLab: https://salsa.debian.org/freeipa-team/tomcatjss/compare/a84bdfcc2416b73aa0dfa7c6cb4f43959cd33d04...1c5e0f91c0ff7b228034dba89383633c7c413fd2
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20190425/e6b166b8/attachment-0001.html>
More information about the Pkg-freeipa-devel
mailing list