[Pkg-freeipa-devel] [Git][freeipa-team/tomcatjss][master] 19 commits: Updated version number to 7.4.0-0.1 (alpha 1)

Timo Aaltonen gitlab at salsa.debian.org
Thu Apr 25 14:15:42 BST 2019



Timo Aaltonen pushed to branch master at FreeIPA packaging / tomcatjss


Commits:
11ec64db by Endi S. Dewata at 2019-02-20T19:05:25Z
Updated version number to 7.4.0-0.1 (alpha 1)

- - - - -
e6bf7ec9 by Endi S. Dewata at 2019-02-21T22:39:37Z
Added default values

The TomcatJSS class has been modified to provide default values
for certain configuration parameters.

- - - - -
201b0fa0 by Endi S. Dewata at 2019-02-21T22:52:44Z
Updated Travis CI for Tomcat JSS 7.4

- - - - -
e574683a by Endi S. Dewata at 2019-02-21T22:58:05Z
Added JSSListener

A LifecycleListener has been added to initialize JSS in Tomcat
with the configuration stored in server.xml.

- - - - -
79edc655 by Endi S. Dewata at 2019-02-21T22:58:05Z
Updated JSSListener

The JSSListener has been modified to support a separate
configuration file (e.g. jss.conf).

- - - - -
847c4660 by Endi S. Dewata at 2019-02-22T14:28:46Z
Updated Tomcat dependency

- - - - -
61d7e1b1 by Endi S. Dewata at 2019-03-04T17:57:39Z
Added JSSTrustManager

The PKITrustManager from PKI has been added into Tomcat JSS as
JSSTrustManager for reusability.

- - - - -
e5d8445c by Endi S. Dewata at 2019-03-04T17:57:39Z
Updated JSSImplementation for Tomcat 8.5

The JSSImplementation for Tomcat 8.5 has been updated to extend
from JSSEImplementation and to provide a JSSTrustManager and a
JSSKeyManager. The JSSKeyManager currently only implements the
methods actually used by Tomcat.

- - - - -
2f68f71e by Endi S. Dewata at 2019-03-04T17:57:39Z
Updated JSS dependency

- - - - -
1353ed71 by Endi S. Dewata at 2019-03-06T17:40:56Z
Added .copr/Makefile

- - - - -
0c10e98f by Dinesh Prasanth M K at 2019-03-29T16:41:36Z
Add timestamp and commit-id for automated COPR builds

To aid in copr automated builds, this patch creates
NVR based on timestamp and commit-id

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
ebba3a97 by Dinesh Prasanth M K at 2019-04-01T18:18:16Z
Fixing minor issue with COPR automated builds

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
04a163ea by Dinesh Prasanth M K at 2019-04-03T17:31:20Z
Fix included COPR version

COPR @pki/10.7 doesn't exist. As a result Travis
throws an error.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
1c5e0f91 by Endi S. Dewata at 2019-04-25T02:19:54Z
Updated version number to 7.4.0-1

- - - - -
c3937253 by Timo Aaltonen at 2019-04-25T12:38:53Z
Merge branch 'upstream'

- - - - -
8d3c6ac8 by Timo Aaltonen at 2019-04-25T12:42:57Z
bump the version

- - - - -
ae655c44 by Timo Aaltonen at 2019-04-25T13:05:38Z
control: Bump libjss-java build-dep.

- - - - -
350d9345 by Timo Aaltonen at 2019-04-25T13:09:11Z
rules: Speficy where to find catalina.jar and tomcat-api.jar.

- - - - -
d4e2040e by Timo Aaltonen at 2019-04-25T13:09:25Z
releasing package tomcatjss version 7.4.0-1

- - - - -


15 changed files:

- .classpath
- + .copr/Makefile
- .travis.yml
- build.xml
- debian/changelog
- debian/control
- debian/rules
- src/org/apache/tomcat/util/net/jss/TomcatJSS.java
- + src/org/dogtagpki/tomcat/JSSKeyManager.java
- + src/org/dogtagpki/tomcat/JSSListener.java
- + src/org/dogtagpki/tomcat/JSSTrustManager.java
- − tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSSupport.java
- tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSImplementation.java → tomcat-8.5/src/org/dogtagpki/tomcat/JSSImplementation.java
- tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSUtil.java → tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
- tomcatjss.spec


Changes:

=====================================
.classpath
=====================================
@@ -10,5 +10,7 @@
 	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-juli.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/slf4j/slf4j-api.jar"/>
+	<classpathentry kind="lib" path="/usr/share/java/tomcat/catalina.jar"/>
+	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-api.jar"/>
 	<classpathentry kind="output" path="bin"/>
 </classpath>


=====================================
.copr/Makefile
=====================================
@@ -0,0 +1,6 @@
+srpm:
+	dnf install -y git
+	./build.sh --with-timestamp --with-commit-id srpm
+	if [[ "${outdir}" != "" ]]; then \
+	    mv ${HOME}/build/tomcatjss/SRPMS/* ${outdir}; \
+	fi


=====================================
.travis.yml
=====================================
@@ -7,8 +7,8 @@ services:
   - docker
 
 env:
-  - FEDORA=27
   - FEDORA=28
+  - FEDORA=29
 
 install:
   - docker pull registry.fedoraproject.org/fedora:$FEDORA
@@ -19,7 +19,7 @@ install:
       -v $(pwd):/root/tomcatjss
       registry.fedoraproject.org/fedora:$FEDORA
   - docker exec container dnf install -y dnf-plugins-core gcc make rpm-build
-  - docker exec container dnf copr -y enable ${TOMCATJSS_7_3_REPO:- at pki/10.6}
+  - docker exec container dnf copr -y enable ${TOMCATJSS_7_4_REPO:- at pki/master}
   - docker exec container dnf builddep -y --spec /root/tomcatjss/tomcatjss.spec
   - docker exec container dnf remove -y tomcat-native
   - docker exec container /root/tomcatjss/build.sh --with-timestamp --with-commit-id rpm


=====================================
build.xml
=====================================
@@ -102,6 +102,8 @@
   <property name="slf4j-api.jar" value="${jar.home}/slf4j/slf4j-api.jar" />
 
   <property name="tomcat.home" value="/usr/share/tomcat" />
+  <property name="catalina.jar" value="${tomcat.home}/lib/catalina.jar" />
+  <property name="tomcat-api.jar" value="${tomcat.home}/lib/tomcat-api.jar" />
   <property name="tomcat-coyote.jar" value="${tomcat.home}/lib/tomcat-coyote.jar" />
   <property name="tomcat-juli.jar" value="${tomcat.home}/bin/tomcat-juli.jar" />
 
@@ -116,6 +118,8 @@
   -->
   <path id="classpath">
     <pathelement location="${jss.jar}"/>
+    <pathelement location="${catalina.jar}"/>
+    <pathelement location="${tomcat-api.jar}"/>
     <pathelement location="${tomcat-coyote.jar}"/>
     <pathelement location="${tomcat-juli.jar}"/>
     <pathelement location="${commons-logging.jar}"/>


=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+tomcatjss (7.4.0-1) experimental; urgency=medium
+
+  * New upstream release.
+  * control: Bump libjss-java build-dep.
+  * rules: Speficy where to find catalina.jar and tomcat-api.jar.
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Thu, 25 Apr 2019 16:09:13 +0300
+
 tomcatjss (7.3.6-2) unstable; urgency=medium
 
   * control, rules: Migrate to tomcat9.


=====================================
debian/control
=====================================
@@ -9,7 +9,7 @@ Build-Depends:
  default-jdk,
  javahelper,
  libcommons-lang-java,
- libjss-java (>= 4.5.0),
+ libjss-java (>= 4.5.3),
  libslf4j-java,
  libtomcat9-java,
 Standards-Version: 4.1.4


=====================================
debian/rules
=====================================
@@ -10,6 +10,8 @@ override_dh_auto_build:
 	ant \
 		-Dant.build.javac.source=1.8 -Dant.build.javac.target=1.8 \
 		-Dsrc.dir=tomcat-8.5 \
+		-Dcatalina.jar=/usr/share/java/tomcat9-catalina.jar \
+		-Dtomcat-api.jar=/usr/share/java/tomcat9-api.jar \
 		-Dtomcat-coyote.jar=/usr/share/java/tomcat9-coyote.jar \
 		-Dtomcat-juli.jar=/usr/share/java/tomcat9-juli.jar \
 		-Dinstall.doc.dir=build/usr/share/doc/tomcatjss \


=====================================
src/org/apache/tomcat/util/net/jss/TomcatJSS.java
=====================================
@@ -19,6 +19,7 @@
 
 package org.apache.tomcat.util.net.jss;
 
+import java.io.File;
 import java.io.IOException;
 import java.net.SocketException;
 import java.nio.file.Files;
@@ -298,25 +299,30 @@ public class TomcatJSS implements SSLSocketListener {
 
         logger.info("TomcatJSS: initialization");
 
-        logger.debug("certdbDir: " + certdbDir);
-        logger.debug("passwordClass: " + passwordClass);
-        logger.debug("passwordFile: " + passwordFile);
-        logger.debug("serverCertNickFile: " + serverCertNickFile);
-
         if (certdbDir == null) {
-            throw new Exception("Missing certdbDir");
+            certdbDir = System.getProperty("catalina.base") + File.separator + "alias";
         }
 
+        logger.debug("TomcatJSS: certdbDir: " + certdbDir);
+
         if (passwordClass == null) {
-            throw new Exception("Missing passwordClass");
+            passwordClass = PlainPasswordFile.class.getName();
+        }
+
+        logger.debug("TomcatJSS: passwordClass: " + passwordClass);
+
+        if (passwordFile == null) {
+            passwordFile = System.getProperty("catalina.base") + File.separator +
+                    "conf" + File.separator + "password.conf";
         }
 
-        if (serverCertNickFile == null) {
-            throw new Exception("Missing serverCertNickFile");
+        logger.debug("TomcatJSS: passwordFile: " + passwordFile);
+
+        if (serverCertNickFile != null) {
+            logger.debug("TomcatJSS: serverCertNickFile: " + serverCertNickFile);
         }
 
-        InitializationValues vals = new InitializationValues(
-                certdbDir, "", "", "secmod.db");
+        InitializationValues vals = new InitializationValues(certdbDir);
 
         vals.removeSunProvider = false;
         vals.installJSSProvider = true;
@@ -335,8 +341,10 @@ public class TomcatJSS implements SSLSocketListener {
 
         login();
 
-        serverCertNick = new String(Files.readAllBytes(Paths.get(serverCertNickFile))).trim();
-        logger.debug("serverCertNick: " + serverCertNick);
+        if (serverCertNickFile != null) {
+            serverCertNick = new String(Files.readAllBytes(Paths.get(serverCertNickFile))).trim();
+            logger.debug("serverCertNick: " + serverCertNick);
+        }
 
         logger.debug("clientAuth: " + clientAuth);
         if (clientAuth.equalsIgnoreCase("true")) {
@@ -500,7 +508,7 @@ public class TomcatJSS implements SSLSocketListener {
         }
 
         logger.debug("ocspResponderURL: " + ocspResponderURL);
- 
+
         if (StringUtils.isEmpty(ocspResponderURL)) {
             ocspResponderURL = null;
         }


=====================================
src/org/dogtagpki/tomcat/JSSKeyManager.java
=====================================
@@ -0,0 +1,146 @@
+/* BEGIN COPYRIGHT BLOCK
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * Copyright (C) 2017 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+
+package org.dogtagpki.tomcat;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+
+import javax.net.ssl.X509KeyManager;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.ObjectNotFoundException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import sun.security.x509.X509CertImpl;
+
+public class JSSKeyManager implements X509KeyManager {
+
+    final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
+
+    @Override
+    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
+        logger.debug("JSSKeyManager: chooseClientAlias()");
+
+        logger.debug("JSSKeyManager: key types:");
+        for (String keyType : keyTypes) {
+            logger.debug("JSSKeyManager: - " + keyType);
+        }
+
+        logger.debug("JSSKeyManager: issuers:");
+        for (Principal issuer : issuers) {
+            logger.debug("JSSKeyManager: - " + issuer.getName());
+        }
+
+        return null;  // not implemented
+    }
+
+    @Override
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+        logger.debug("JSSKeyManager: chooseServerAlias()");
+        logger.debug("JSSKeyManager: key type: " + keyType);
+
+        logger.debug("JSSKeyManager: issuers:");
+        for (Principal issuer : issuers) {
+            logger.debug("JSSKeyManager: - " + issuer.getName());
+        }
+
+        return null;  // not implemented
+    }
+
+    @Override
+    public X509Certificate[] getCertificateChain(String alias) {
+
+        logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
+
+        try {
+            CryptoManager cm = CryptoManager.getInstance();
+            org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
+
+            org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
+            logger.debug("JSSKeyManager: cert chain:");
+
+            Collection<X509Certificate> list = new ArrayList<>();
+            for (org.mozilla.jss.crypto.X509Certificate c : chain) {
+                logger.debug("JSSKeyManager: - " + c.getSubjectDN());
+                list.add(new X509CertImpl(c.getEncoded()));
+            }
+
+            return list.toArray(new X509Certificate[list.size()]);
+
+        } catch (Throwable e) {
+            logger.error(e.getMessage(), e);
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    public String[] getClientAliases(String keyType, Principal[] issuers) {
+        logger.debug("JSSKeyManager: getClientAliases()");
+        logger.debug("JSSKeyManager: key type: " + keyType);
+
+        logger.debug("JSSKeyManager: issuers:");
+        for (Principal issuer : issuers) {
+            logger.debug("JSSKeyManager: - " + issuer.getName());
+        }
+
+        return null;  // not implemented
+    }
+
+    @Override
+    public PrivateKey getPrivateKey(String alias) {
+
+        logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
+
+        try {
+            CryptoManager cm = CryptoManager.getInstance();
+            org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
+            PrivateKey privateKey = cm.findPrivKeyByCert(cert);
+
+            logger.debug("JSSKeyManager: key found: " + alias);
+            return privateKey;
+
+        } catch (ObjectNotFoundException e) {
+            logger.debug("JSSKeyManager: key not found: " + alias);
+            return null;
+
+        } catch (Throwable e) {
+            logger.error(e.getMessage(), e);
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    public String[] getServerAliases(String keyType, Principal[] issuers) {
+        logger.debug("JSSKeyManager: getServerAliases()");
+        logger.debug("JSSKeyManager: key type: " + keyType);
+
+        logger.debug("JSSKeyManager: issuers:");
+        for (Principal issuer : issuers) {
+            logger.debug("JSSKeyManager: - " + issuer.getName());
+        }
+
+        return null;  // not implemented
+    }
+}


=====================================
src/org/dogtagpki/tomcat/JSSListener.java
=====================================
@@ -0,0 +1,260 @@
+/* BEGIN COPYRIGHT BLOCK
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+
+package org.dogtagpki.tomcat;
+
+import java.io.File;
+import java.io.FileReader;
+import java.util.Properties;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
+
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.commons.lang.StringUtils;
+import org.apache.tomcat.util.net.jss.TomcatJSS;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+public class JSSListener implements LifecycleListener {
+
+    final static Logger logger = LoggerFactory.getLogger(JSSListener.class);
+
+    public String configFile;
+
+    public String getConfigFile() {
+        return configFile;
+    }
+
+    public void setConfigFile(String configFile) {
+        this.configFile = configFile;
+    }
+
+    @Override
+    public void lifecycleEvent(LifecycleEvent event) {
+
+        String type = event.getType();
+
+        if (type.equals(Lifecycle.BEFORE_INIT_EVENT)) {
+            initJSS();
+        }
+    }
+
+    public void initJSS() {
+
+        logger.info("JSSListener: Initializing JSS");
+        logger.info("JSSListener: Config: " + configFile);
+
+        try {
+            if (configFile != null) {
+                loadJSSConfig();
+            } else {
+                loadServerXml();
+            }
+
+            TomcatJSS tomcatjss = TomcatJSS.getInstance();
+            tomcatjss.init();
+
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public void loadJSSConfig() throws Exception {
+
+        Properties properties = new Properties();
+        properties.load(new FileReader(configFile));
+
+        TomcatJSS tomcatjss = TomcatJSS.getInstance();
+
+        String certDb = properties.getProperty("certdbDir");
+        if (certDb != null)
+            tomcatjss.setCertdbDir(certDb);
+
+        String passwordClass = properties.getProperty("passwordClass");
+        if (passwordClass != null)
+            tomcatjss.setPasswordClass(passwordClass);
+
+        String passwordFile = properties.getProperty("passwordFile");
+        if (passwordFile != null)
+            tomcatjss.setPasswordFile(passwordFile);
+
+        String enableOCSP = properties.getProperty("enableOCSP");
+        if (enableOCSP != null)
+            tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
+
+        String ocspResponderURL = properties.getProperty("ocspResponderURL");
+        if (ocspResponderURL != null)
+            tomcatjss.setOcspResponderURL(ocspResponderURL);
+
+        String ocspResponderCertNickname = properties.getProperty("ocspResponderCertNickname");
+        if (ocspResponderCertNickname != null)
+            tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
+
+        String ocspCacheSize = properties.getProperty("ocspCacheSize");
+        if (StringUtils.isNotEmpty(ocspCacheSize))
+            tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
+
+        String ocspMinCacheEntryDuration = properties.getProperty("ocspMinCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
+            tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
+
+        String ocspMaxCacheEntryDuration = properties.getProperty("ocspMaxCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
+            tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
+
+        String ocspTimeout = properties.getProperty("ocspTimeout");
+        if (StringUtils.isNotEmpty(ocspTimeout))
+            tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
+
+        String strictCiphers = properties.getProperty("strictCiphers");
+        if (strictCiphers != null)
+            tomcatjss.setStrictCiphers(strictCiphers);
+
+        String sslVersionRangeStream = properties.getProperty("sslVersionRangeStream");
+        if (sslVersionRangeStream != null)
+            tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
+
+        String sslVersionRangeDatagram = properties.getProperty("sslVersionRangeDatagram");
+        if (sslVersionRangeDatagram != null)
+            tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
+
+        String sslRangeCiphers = properties.getProperty("sslRangeCiphers");
+        if (sslRangeCiphers != null)
+            tomcatjss.setSslRangeCiphers(sslRangeCiphers);
+
+        String sslOptions = properties.getProperty("sslOptions");
+        if (sslOptions != null)
+            tomcatjss.setSslOptions(sslOptions);
+
+        String ssl2Ciphers = properties.getProperty("ssl2Ciphers");
+        if (ssl2Ciphers != null)
+            tomcatjss.setSsl2Ciphers(ssl2Ciphers);
+
+        String ssl3Ciphers = properties.getProperty("ssl3Ciphers");
+        if (ssl3Ciphers != null)
+            tomcatjss.setSsl3Ciphers(ssl3Ciphers);
+
+        String tlsCiphers = properties.getProperty("tlsCiphers");
+        if (tlsCiphers != null)
+            tomcatjss.setTlsCiphers(tlsCiphers);
+    }
+
+    public void loadServerXml() throws Exception {
+
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = factory.newDocumentBuilder();
+
+        String catalinaBase = System.getProperty("catalina.base");
+        File file = new File(catalinaBase + "/conf/server.xml");
+        Document doc = builder.parse(file);
+
+        XPathFactory xPathfactory = XPathFactory.newInstance();
+        XPath xpath = xPathfactory.newXPath();
+
+        Element connector = (Element) xpath.evaluate(
+                "/Server/Service[@name='Catalina']/Connector[@SSLEnabled='true']",
+                doc, XPathConstants.NODE);
+
+        TomcatJSS tomcatjss = TomcatJSS.getInstance();
+
+        String certDb = connector.getAttribute("certdbDir");
+        if (certDb != null)
+            tomcatjss.setCertdbDir(certDb);
+
+        String passwordClass = connector.getAttribute("passwordClass");
+        if (passwordClass != null)
+            tomcatjss.setPasswordClass(passwordClass);
+
+        String passwordFile = connector.getAttribute("passwordFile");
+        if (passwordFile != null)
+            tomcatjss.setPasswordFile(passwordFile);
+
+        String serverCertNickFile = connector.getAttribute("serverCertNickFile");
+        if (serverCertNickFile != null)
+            tomcatjss.setServerCertNickFile(serverCertNickFile);
+
+        String enableOCSP = connector.getAttribute("enableOCSP");
+        if (enableOCSP != null)
+            tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
+
+        String ocspResponderURL = connector.getAttribute("ocspResponderURL");
+        if (ocspResponderURL != null)
+            tomcatjss.setOcspResponderURL(ocspResponderURL);
+
+        String ocspResponderCertNickname = connector.getAttribute("ocspResponderCertNickname");
+        if (ocspResponderCertNickname != null)
+            tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
+
+        String ocspCacheSize = connector.getAttribute("ocspCacheSize");
+        if (StringUtils.isNotEmpty(ocspCacheSize))
+            tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
+
+        String ocspMinCacheEntryDuration = connector.getAttribute("ocspMinCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
+            tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
+
+        String ocspMaxCacheEntryDuration = connector.getAttribute("ocspMaxCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
+            tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
+
+        String ocspTimeout = connector.getAttribute("ocspTimeout");
+        if (StringUtils.isNotEmpty(ocspTimeout))
+            tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
+
+        String strictCiphers = connector.getAttribute("strictCiphers");
+        if (strictCiphers != null)
+            tomcatjss.setStrictCiphers(strictCiphers);
+
+        String sslVersionRangeStream = connector.getAttribute("sslVersionRangeStream");
+        if (sslVersionRangeStream != null)
+            tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
+
+        String sslVersionRangeDatagram = connector.getAttribute("sslVersionRangeDatagram");
+        if (sslVersionRangeDatagram != null)
+            tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
+
+        String sslRangeCiphers = connector.getAttribute("sslRangeCiphers");
+        if (sslRangeCiphers != null)
+            tomcatjss.setSslRangeCiphers(sslRangeCiphers);
+
+        String sslOptions = connector.getAttribute("sslOptions");
+        if (sslOptions != null)
+            tomcatjss.setSslOptions(sslOptions);
+
+        String ssl2Ciphers = connector.getAttribute("ssl2Ciphers");
+        if (ssl2Ciphers != null)
+            tomcatjss.setSsl2Ciphers(ssl2Ciphers);
+
+        String ssl3Ciphers = connector.getAttribute("ssl3Ciphers");
+        if (ssl3Ciphers != null)
+            tomcatjss.setSsl3Ciphers(ssl3Ciphers);
+
+        String tlsCiphers = connector.getAttribute("tlsCiphers");
+        if (tlsCiphers != null)
+            tomcatjss.setTlsCiphers(tlsCiphers);
+    }
+}


=====================================
src/org/dogtagpki/tomcat/JSSTrustManager.java
=====================================
@@ -0,0 +1,197 @@
+/* BEGIN COPYRIGHT BLOCK
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * Copyright (C) 2017 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+
+package org.dogtagpki.tomcat;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+import javax.net.ssl.X509TrustManager;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.NotInitializedException;
+import org.mozilla.jss.netscape.security.util.Cert;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import sun.security.x509.X509CertImpl;
+
+public class JSSTrustManager implements X509TrustManager {
+
+    final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
+
+    final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
+    final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
+
+    public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
+
+        logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
+
+        // sort cert chain from root to leaf
+        certChain = Cert.sortCertificateChain(certChain);
+
+        for (X509Certificate cert : certChain) {
+            logger.debug("JSSTrustManager:  - " + cert.getSubjectDN());
+        }
+
+        // get CA certs
+        X509Certificate[] caCerts = getAcceptedIssuers();
+
+        // validating cert chain from root to leaf
+        for (int i = 0; i < certChain.length; i++) {
+
+            X509Certificate cert = certChain[i];
+
+            // validating key usage on leaf cert only
+            String usage;
+            if (i == certChain.length - 1) {
+                usage = keyUsage;
+            } else {
+                usage = null;
+            }
+
+            checkCert(cert, caCerts, usage);
+
+            // use the current cert as the CA cert for the next cert in the chain
+            caCerts = new X509Certificate[] { cert };
+        }
+    }
+
+    public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
+
+        logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
+
+        boolean[] aki = cert.getIssuerUniqueID();
+        logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
+
+        X509Certificate issuer = null;
+        for (X509Certificate caCert : caCerts) {
+
+            boolean[] ski = caCert.getSubjectUniqueID();
+            logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
+
+            try {
+                cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
+                issuer = caCert;
+                break;
+            } catch (Exception e) {
+                logger.debug("JSSTrustManager: invalid certificate: " + e);
+            }
+        }
+
+        if (issuer == null) {
+            throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
+        }
+
+        logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
+
+        logger.debug("JSSTrustManager: checking validity range:");
+        logger.debug("JSSTrustManager:  - not before: " + cert.getNotBefore());
+        logger.debug("JSSTrustManager:  - not after: " + cert.getNotAfter());
+        cert.checkValidity();
+
+        if (keyUsage != null) {
+
+            List<String> extendedKeyUsages = cert.getExtendedKeyUsage();
+            logger.debug("JSSTrustManager: checking extended key usages:");
+
+            for (String extKeyUsage : extendedKeyUsages) {
+                logger.debug("JSSTrustManager:  - " + extKeyUsage);
+            }
+
+            if (extendedKeyUsages.contains(keyUsage)) {
+                logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
+            } else {
+                throw new CertificateException("Missing extended key usage: " + keyUsage);
+            }
+        }
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
+
+        logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
+
+        try {
+            checkCertChain(certChain, CLIENT_AUTH_OID);
+            logger.debug("JSSTrustManager: SSL client certificate is valid");
+
+        } catch (CertificateException e) {
+            logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
+            throw e;
+
+        } catch (Exception e) {
+            logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
+            throw new CertificateException(e);
+        }
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
+
+        logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
+
+        try {
+            checkCertChain(certChain, SERVER_AUTH_OID);
+            logger.debug("JSSTrustManager: SSL server certificate is valid");
+
+        } catch (CertificateException e) {
+            logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
+            throw e;
+
+        } catch (Exception e) {
+            logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
+            throw new CertificateException(e);
+        }
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+
+        logger.debug("JSSTrustManager: getAcceptedIssuers():");
+
+        Collection<X509Certificate> caCerts = new ArrayList<>();
+
+        try {
+            CryptoManager manager = CryptoManager.getInstance();
+            for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
+                logger.debug("JSSTrustManager:  - " + cert.getSubjectDN());
+
+                try {
+                    X509CertImpl caCert = new X509CertImpl(cert.getEncoded());
+                    caCert.checkValidity();
+                    caCerts.add(caCert);
+
+                } catch (Exception e) {
+                    logger.debug("JSSTrustManager: invalid CA certificate: " + e);
+                }
+            }
+
+        } catch (NotInitializedException e) {
+            logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e);
+            throw new RuntimeException(e);
+        }
+
+        return caCerts.toArray(new X509Certificate[caCerts.size()]);
+    }
+}


=====================================
tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSSupport.java deleted
=====================================
@@ -1,54 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- * Copyright (C) 2018 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.apache.tomcat.util.net.jss;
-
-import java.io.IOException;
-import java.security.cert.X509Certificate;
-
-import org.apache.tomcat.util.net.SSLSupport;
-
-public class JSSSupport implements SSLSupport {
-
-    @Override
-    public String getCipherSuite() throws IOException {
-        return null;
-    }
-
-    @Override
-    public Integer getKeySize() throws IOException {
-        return null;
-    }
-
-    @Override
-    public X509Certificate[] getPeerCertificateChain() throws IOException {
-        return null;
-    }
-
-    @Override
-    public String getProtocol() throws IOException {
-        return null;
-    }
-
-    @Override
-    public String getSessionId() throws IOException {
-        return null;
-    }
-
- }


=====================================
tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSImplementation.java → tomcat-8.5/src/org/dogtagpki/tomcat/JSSImplementation.java
=====================================
@@ -13,34 +13,38 @@
  * License along with this library; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
  *
- * Copyright (C) 2018 Red Hat, Inc.
+ * Copyright (C) 2007 Red Hat, Inc.
  * All rights reserved.
  * END COPYRIGHT BLOCK */
 
-package org.apache.tomcat.util.net.jss;
-
-import javax.net.ssl.SSLSession;
+package org.dogtagpki.tomcat;
 
+import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
-import org.apache.tomcat.util.net.SSLImplementation;
-import org.apache.tomcat.util.net.SSLSupport;
 import org.apache.tomcat.util.net.SSLUtil;
+import org.apache.tomcat.util.net.jsse.JSSEImplementation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-public class JSSImplementation extends SSLImplementation {
+public class JSSImplementation extends JSSEImplementation {
 
-    @Override
-    public SSLSupport getSSLSupport(SSLSession session) {
-        return new JSSSupport();
+    public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
+
+    public JSSImplementation() {
+        logger.debug("JSSImplementation: instance created");
     }
 
     @Override
     public SSLUtil getSSLUtil(SSLHostConfigCertificate cert) {
-        return new JSSUtil();
-    }
+        logger.debug("JSSImplementation: getSSLUtil()");
+        logger.debug("JSSImplementation: key alias: " + cert.getCertificateKeyAlias());
+        logger.debug("JSSImplementation: keystore provider: " + cert.getCertificateKeystoreProvider());
 
-    @Override
-    public boolean isAlpnSupported() {
-        return false;
-    }
+        SSLHostConfig hostConfig = cert.getSSLHostConfig();
+        logger.debug("JSSImplementation: key manager alg: " + hostConfig.getKeyManagerAlgorithm());
+        logger.debug("JSSImplementation: truststore alg: " + hostConfig.getTruststoreAlgorithm());
+        logger.debug("JSSImplementation: truststore provider: " + hostConfig.getTruststoreProvider());
 
+        return new JSSUtil(cert);
+    }
 }


=====================================
tomcat-8.5/src/org/apache/tomcat/util/net/jss/JSSUtil.java → tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
=====================================
@@ -17,45 +17,37 @@
  * All rights reserved.
  * END COPYRIGHT BLOCK */
 
-package org.apache.tomcat.util.net.jss;
-
-import java.util.List;
+package org.dogtagpki.tomcat;
 
 import javax.net.ssl.KeyManager;
-import javax.net.ssl.SSLSessionContext;
 import javax.net.ssl.TrustManager;
 
-import org.apache.tomcat.util.net.SSLContext;
-import org.apache.tomcat.util.net.SSLUtil;
-
-public class JSSUtil implements SSLUtil {
-
-    @Override
-    public void configureSessionContext(SSLSessionContext arg0) {
-    }
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
+import org.apache.tomcat.util.net.jsse.JSSEUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-    @Override
-    public SSLContext createSSLContext(List<String> arg0) throws Exception {
-        return null;
-    }
+public class JSSUtil extends JSSEUtil {
 
-    @Override
-    public String[] getEnabledCiphers() throws IllegalArgumentException {
-        return null;
-    }
+    public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
 
-    @Override
-    public String[] getEnabledProtocols() throws IllegalArgumentException {
-        return null;
+    public JSSUtil(SSLHostConfigCertificate cert) {
+        super(cert);
+        logger.debug("JSSUtil: instance created");
     }
 
     @Override
     public KeyManager[] getKeyManagers() throws Exception {
-        return null;
+        logger.debug("JSSUtil: getKeyManagers()");
+        String keyAlias = certificate.getCertificateKeyAlias();
+        KeyManager keyManager = new JSSEKeyManager(new JSSKeyManager(), keyAlias);
+        return new KeyManager[] { keyManager };
     }
 
     @Override
     public TrustManager[] getTrustManagers() throws Exception {
-        return null;
+        logger.debug("JSSUtil: getTrustManagers()");
+        return new TrustManager[] { new JSSTrustManager() };
     }
 }


=====================================
tomcatjss.spec
=====================================
@@ -7,7 +7,7 @@ URL:              http://www.dogtagpki.org/wiki/TomcatJSS
 License:          LGPLv2+
 BuildArch:        noarch
 
-Version:          7.3.6
+Version:          7.4.0
 Release:          1%{?_timestamp}%{?_commit_id}%{?dist}
 # global           _phase -a1
 
@@ -57,7 +57,7 @@ BuildRequires:    slf4j-jdk14
 %if 0%{?rhel} && 0%{?rhel} <= 7
 BuildRequires:    jss >= 4.4.0-7
 %else
-BuildRequires:    jss >= 4.5.0-1
+BuildRequires:    jss >= 4.5.3
 %endif
 
 # Tomcat
@@ -70,10 +70,14 @@ BuildRequires:    tomcat >= 8.0.49
 %if 0%{?fedora} && 0%{?fedora} <= 28
 BuildRequires:    tomcat >= 1:8.5.23
 %else
+%if 0%{?rhel}
+BuildRequires:    pki-servlet-engine >= 1:9.0.7
+%else
 BuildRequires:    tomcat >= 1:9.0.7
 %endif
 %endif
 %endif
+%endif
 
 ################################################################################
 # Runtime Dependencies
@@ -90,7 +94,7 @@ Requires:         jpackage-utils >= 0:1.7.5-15
 
 # SLF4J
 Requires:         slf4j
-%if 0%{?rhel} && 0%{?rhel} <= 7
+%if 0%{?rhel}
 # no slf4j-jdk14
 %else
 Requires:         slf4j-jdk14
@@ -100,7 +104,7 @@ Requires:         slf4j-jdk14
 %if 0%{?rhel} && 0%{?rhel} <= 7
 Requires:         jss >= 4.4.0-7
 %else
-Requires:         jss >= 4.5.0-1
+Requires:         jss >= 4.5.3
 %endif
 
 # Tomcat
@@ -113,10 +117,14 @@ Requires:         tomcat >= 8.0.49
 %if 0%{?fedora} && 0%{?fedora} <= 28
 Requires:         tomcat >= 1:8.5.23
 %else
+%if 0%{?rhel}
+Requires:         pki-servlet-engine >= 1:9.0.7
+%else
 Requires:         tomcat >= 1:9.0.7
 %endif
 %endif
 %endif
+%endif
 
 # The 'tomcatjss' package conflicts with the 'tomcat-native' package
 # because it uses an underlying NSS security model rather than the



View it on GitLab: https://salsa.debian.org/freeipa-team/tomcatjss/compare/d87df638fee601e958ebfc26df40947881cf47f1...d4e2040ecc5a81572820baf57c6cf7b78ec4f59f

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/tomcatjss/compare/d87df638fee601e958ebfc26df40947881cf47f1...d4e2040ecc5a81572820baf57c6cf7b78ec4f59f
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20190425/847a250d/attachment-0001.html>


More information about the Pkg-freeipa-devel mailing list