[Pkg-freeipa-devel] [Git][freeipa-team/tomcatjss][upstream] 25 commits: Refactored JSSListener

Timo Aaltonen gitlab at salsa.debian.org
Tue Jul 28 18:18:04 BST 2020



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / tomcatjss


Commits:
47c4124a by Endi S. Dewata at 2019-04-29T12:24:44-05:00
Refactored JSSListener

The methods that load the JSS configuration have been moved from
JSSListener into the TomcatJSS class for reusability.

- - - - -
a8b99c61 by Alexander Scheel at 2019-05-07T09:23:53-04:00
Update to F30 in Travis, removing F28

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d7222c2e by Endi S. Dewata at 2019-06-12T13:15:09-05:00
Updated version number to 7.4.1-1

- - - - -
fb11bcd4 by Alexander Scheel at 2019-06-24T11:29:38-04:00
Use JSSKeyManager and JSSTrustManager from JSS

With jss-pr#159 merged, we've added a KeyManager and TrustManager to the
JSS default provider that we should use instead of the instances
in-tree.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f229c673 by Dinesh Prasanth M K at 2019-08-08T17:24:05-04:00
Spec update

Bumping min requirement for jss to 4.6.0

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
35a49037 by Endi S. Dewata at 2019-08-21T18:39:25-05:00
Removed conflict with tomcat-native

The spec file has been modified to remove the conflict with
tomcat-native since it can be avoided by specifying the
protocol class and sslImplementationName in the server.xml.

- - - - -
996721df by Alexander Scheel at 2020-04-02T13:28:20-04:00
Update Travis CI to use Fedora 31

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
88e33c42 by Alexander Scheel at 2020-04-02T16:07:47-04:00
Support JSS-based SSLEngine

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4b557785 by Alexander Scheel at 2020-04-30T10:24:00-04:00
Bump JSS dependency for SSLEngine

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8e93fb8a by Alexander Scheel at 2020-04-30T10:24:00-04:00
Simplify cipher and protocol support

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d91b1381 by Alexander Scheel at 2020-04-30T10:24:00-04:00
Bump TomcatJSS version to 7.5.0 alpha 1

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
cc7d3b28 by Alexander Scheel at 2020-04-30T10:38:55-04:00
Add GitHub actions CI

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c929379b by Alexander Scheel at 2020-04-30T10:38:55-04:00
Remove legacy travis CI

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
385291c4 by Alexander Scheel at 2020-04-30T13:27:59-04:00
Make protocols, ciphers unmodifiable

Also move initialization out of the constructor; JSSUtil's super
(SSLBaseUtil) calls getSupportedProtocols/getSupportedCiphers.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f7129436 by Alexander Scheel at 2020-04-30T16:07:57-04:00
Make protocols, cipher suites static

Because of the way initialization happens in Java, the previous method
wouldn't work because they got initialized AFTER the super's constructor
had executed. Making them static ensures they get executed prior to
super's constructor executing.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
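The initialization-order problem that the two commits above (385291c4 and f7129436) describe, shown as an added Java example that is not tomcatjss code: `BaseUtil`, `InstanceFieldUtil` and `StaticFieldUtil` are hypothetical stand-ins for Tomcat's `SSLUtilBase` and the `JSSUtil` subclass, and the protocol names are constructed sample data. The superclass constructor calls an overridden getter before the subclass's instance-field initializers have run, so an instance field is still null at that point; a static field is populated during class initialization, which precedes every constructor of that class.

```java
// Added example (not tomcatjss code): a superclass constructor that calls an
// overridden method sees the subclass's instance fields before they are
// initialized; static fields are already populated at that point.
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class InitOrderDemo {

    // Hypothetical stand-in for SSLUtilBase: the constructor immediately asks
    // the subclass which protocols it supports.
    static abstract class BaseUtil {
        final List<String> enabledProtocols;

        BaseUtil() {
            // Virtual call from a constructor: runs before any instance-field
            // initializer of the concrete subclass has executed.
            enabledProtocols = freeze(getSupportedProtocols());
        }

        abstract List<String> getSupportedProtocols();

        // Collections.unmodifiableList(null) throws NullPointerException, which
        // is exactly what happens when the subclass field is not yet set.
        private static List<String> freeze(List<String> supported) {
            return Collections.unmodifiableList(supported);
        }
    }

    // Broken variant: the field initializer runs only after super() returns,
    // so getSupportedProtocols() returns null while BaseUtil() is executing.
    static class InstanceFieldUtil extends BaseUtil {
        private final List<String> protocols =
                Arrays.asList("TLSv1.2", "TLSv1.3"); // constructed sample data

        @Override
        List<String> getSupportedProtocols() {
            return protocols; // still null when called from BaseUtil()
        }
    }

    // Fixed variant: a static final, unmodifiable list is initialized when the
    // class is initialized, which happens before any constructor of this class
    // runs, so BaseUtil() gets a populated list.
    static class StaticFieldUtil extends BaseUtil {
        private static final List<String> PROTOCOLS =
                Collections.unmodifiableList(
                        Arrays.asList("TLSv1.2", "TLSv1.3")); // constructed sample data

        @Override
        List<String> getSupportedProtocols() {
            return PROTOCOLS;
        }
    }

    public static void main(String[] args) {
        try {
            new InstanceFieldUtil();
            System.out.println("instance field: unexpectedly succeeded");
        } catch (NullPointerException e) {
            System.out.println("instance field: NullPointerException inside the super constructor");
        }

        BaseUtil ok = new StaticFieldUtil();
        System.out.println("static field: " + ok.enabledProtocols);

        // The frozen list cannot be widened later, so a caller cannot re-enable a
        // protocol the subclass chose not to support.
        try {
            ok.enabledProtocols.add("SSLv3");
        } catch (UnsupportedOperationException e) {
            System.out.println("enabled protocols are unmodifiable");
        }
    }
}
```

Moving the list out of the constructor and into a static initializer fixes the ordering, and wrapping it with `Collections.unmodifiableList` (as commit 385291c4 does for protocols and ciphers) keeps the supported set fixed once the base class has read it.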
6761d9dc by Alexander Scheel at 2020-05-05T15:46:03-04:00
Make TomcatJSS use both SunJSSE and Mozilla-JSS

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
5b5f8723 by Alexander Scheel at 2020-05-05T17:35:08-04:00
Only set certificate on JSSEngine

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a51952ba by Alexander Scheel at 2020-05-07T13:00:45-04:00
Add %license for LICENSE file

See: https://pagure.io/packaging-committee/issue/411
See: https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2df0785c by Alexander Scheel at 2020-05-18T14:36:31-04:00
Fix Cipher, Protocol list for JSSE SSLEngines

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
23655272 by Alexander Scheel at 2020-05-18T14:36:31-04:00
Fix JSSEngine usage

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ea539175 by Endi S. Dewata at 2020-05-26T21:39:57-05:00
Updated version number to 7.5.0-0.1 (alpha 1)

- - - - -
54e26482 by Alexander Scheel at 2020-06-25T14:05:45-04:00
Use factory for JSSKeyManager, JSSTrustManager

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2d69238a by Endi S. Dewata at 2020-07-02T15:54:48-05:00
Updated build.sh to generate UTC timestamp

The build.sh has been modified to generate a UTC timestamp so
that it is consistent across different time zones.

- - - - -
1b3c9c04 by Alexander Scheel at 2020-07-06T09:49:05-04:00
Updated version number to 7.5.0-0.4 (beta 2)

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
34a0993b by Endi S. Dewata at 2020-07-09T13:58:38-05:00
Updated version number to 7.5.0-1

- - - - -


12 changed files:

- + .github/workflows/required.yml
- − .travis.yml
- build.sh
- build.xml
- src/org/apache/tomcat/util/net/jss/TomcatJSS.java
- − src/org/dogtagpki/tomcat/JSSKeyManager.java
- src/org/dogtagpki/tomcat/JSSListener.java
- − src/org/dogtagpki/tomcat/JSSTrustManager.java
- + tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java
- tomcat-8.5/src/org/dogtagpki/tomcat/JSSImplementation.java
- tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
- tomcatjss.spec


Changes:

=====================================
.github/workflows/required.yml
=====================================
@@ -0,0 +1,20 @@
+name: Required Tests
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    container: ${{ matrix.image }}
+    strategy:
+      matrix:
+        image: ['fedora:30', 'fedora:31']
+    steps:
+    - run: dnf install -y dnf-plugins-core gcc make rpm-build git
+    - name: Clone the repository
+      uses: actions/checkout at v2
+    - run: dnf copr -y enable ${TOMCATJSS_7_4_REPO:- at pki/master}
+    - run: dnf builddep -y --spec tomcatjss.spec
+    - run: dnf remove -y tomcat-native
+    - run: ./build.sh --with-timestamp --with-commit-id --work-dir=../packages rpm
+    - run: rpm -Uvh ../packages/RPMS/*
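Review bot: `actions/checkout` is pinned to the moving tag `v2` rather than a full commit SHA, and `dnf copr -y enable ${TOMCATJSS_7_4_REPO:- at pki/master}` pulls the build dependencies from a COPR repository selected by an overridable environment variable; for a component that provides Tomcat's TLS stack, pin the action to a commit SHA and state in the workflow which repository is expected, so that a changed variable cannot silently swap the dependency source. Note also that the only verification step is `rpm -Uvh ../packages/RPMS/*`: it confirms the packages install, but nothing in the job loads the resulting jar, so a green run does not show that TomcatJSS still initializes against the JSS version the COPR repository provides.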


=====================================
.travis.yml deleted
=====================================
@@ -1,28 +0,0 @@
-# BEGIN COPYRIGHT BLOCK
-# (C) 2018 Red Hat, Inc.
-# All rights reserved.
-# END COPYRIGHT BLOCK
-
-services:
-  - docker
-
-env:
-  - FEDORA=28
-  - FEDORA=29
-
-install:
-  - docker pull registry.fedoraproject.org/fedora:$FEDORA
-  - docker run
-      --name=container
-      --detach
-      -i
-      -v $(pwd):/root/tomcatjss
-      registry.fedoraproject.org/fedora:$FEDORA
-  - docker exec container dnf install -y dnf-plugins-core gcc make rpm-build
-  - docker exec container dnf copr -y enable ${TOMCATJSS_7_4_REPO:- at pki/master}
-  - docker exec container dnf builddep -y --spec /root/tomcatjss/tomcatjss.spec
-  - docker exec container dnf remove -y tomcat-native
-  - docker exec container /root/tomcatjss/build.sh --with-timestamp --with-commit-id rpm
-
-script:
-  - docker exec container rpm -Uvh /root/build/tomcatjss/RPMS/*


=====================================
build.sh
=====================================
@@ -226,7 +226,7 @@ if [ "$DEBUG" = true ] ; then
 fi
 
 if [ "$WITH_TIMESTAMP" = true ] ; then
-    TIMESTAMP="`date +"%Y%m%d%H%M%S"`"
+    TIMESTAMP="$(date -u +"%Y%m%d%H%M%S%Z")"
     _TIMESTAMP=".$TIMESTAMP"
 fi
 
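Review bot: with `date -u`, the `%Z` conversion always expands to the literal string `UTC`, so `TIMESTAMP` becomes a value of the form `20200702205448UTC` and that alphabetic suffix is carried into `_TIMESTAMP` and wherever that is used. If the aim stated in the commit message is only a time-zone-independent value, `date -u +"%Y%m%d%H%M%S"` already achieves it without changing the format for anything that parses the timestamp; if the `UTC` marker is intended, a one-line comment saying so would stop the next reader from removing it.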


=====================================
build.xml
=====================================
@@ -37,8 +37,8 @@
 
   <property name="Name" value="Tomcat JSS"/>
   <property name="name" value="tomcatjss"/>
-  <property name="version" value="7.3.0"/>
-  <property name="manifest-version" value="${version}"/>
+  <property name="version" value="7.5.0"/>
+  <property name="manifest-version" value="${version}-a1"/>
 
   <!--
     Set the properties that control various build options
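Review bot: `manifest-version` is now hardcoded to `${version}-a1`, so the jar's manifest will report `7.5.0-a1` even though the later commits in this push (ea539175, 1b3c9c04 and finally 34a0993b, "Updated version number to 7.5.0-1") move the package to a GA release. Either drop the `-a1` suffix or derive it from the same release property the spec uses; otherwise a deployed jar identifies itself as an alpha while the RPM says 7.5.0-1.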


=====================================
src/org/apache/tomcat/util/net/jss/TomcatJSS.java
=====================================
@@ -20,6 +20,7 @@
 package org.apache.tomcat.util.net.jss;
 
 import java.io.File;
+import java.io.FileReader;
 import java.io.IOException;
 import java.net.SocketException;
 import java.nio.file.Files;
@@ -27,8 +28,15 @@ import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Enumeration;
+import java.util.Properties;
 import java.util.StringTokenizer;
 
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
+
 import org.apache.commons.lang.StringUtils;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.InitializationValues;
@@ -48,6 +56,8 @@ import org.mozilla.jss.util.IncorrectPasswordException;
 import org.mozilla.jss.util.Password;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 
 public class TomcatJSS implements SSLSocketListener {
 
@@ -291,6 +301,194 @@ public class TomcatJSS implements SSLSocketListener {
         this.tlsCiphers = tlsCiphers;
     }
 
+    public void loadJSSConfig(String jssConf) throws Exception {
+        File configFile = new File(jssConf);
+        loadJSSConfig(configFile);
+    }
+
+    public void loadJSSConfig(File configFile) throws Exception {
+
+        Properties config = new Properties();
+        config.load(new FileReader(configFile));
+
+        loadJSSConfig(config);
+    }
+
+    public void loadJSSConfig(Properties config) throws Exception {
+
+        String certDb = config.getProperty("certdbDir");
+        if (certDb != null)
+            setCertdbDir(certDb);
+
+        String passwordClass = config.getProperty("passwordClass");
+        if (passwordClass != null)
+            setPasswordClass(passwordClass);
+
+        String passwordFile = config.getProperty("passwordFile");
+        if (passwordFile != null)
+            setPasswordFile(passwordFile);
+
+        String enableOCSP = config.getProperty("enableOCSP");
+        if (enableOCSP != null)
+            setEnableOCSP(Boolean.parseBoolean(enableOCSP));
+
+        String ocspResponderURL = config.getProperty("ocspResponderURL");
+        if (ocspResponderURL != null)
+            setOcspResponderURL(ocspResponderURL);
+
+        String ocspResponderCertNickname = config.getProperty("ocspResponderCertNickname");
+        if (ocspResponderCertNickname != null)
+            setOcspResponderCertNickname(ocspResponderCertNickname);
+
+        String ocspCacheSize = config.getProperty("ocspCacheSize");
+        if (StringUtils.isNotEmpty(ocspCacheSize))
+            setOcspCacheSize(Integer.parseInt(ocspCacheSize));
+
+        String ocspMinCacheEntryDuration = config.getProperty("ocspMinCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
+            setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
+
+        String ocspMaxCacheEntryDuration = config.getProperty("ocspMaxCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
+            setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
+
+        String ocspTimeout = config.getProperty("ocspTimeout");
+        if (StringUtils.isNotEmpty(ocspTimeout))
+            setOcspTimeout(Integer.parseInt(ocspTimeout));
+
+        String strictCiphers = config.getProperty("strictCiphers");
+        if (strictCiphers != null)
+            setStrictCiphers(strictCiphers);
+
+        String sslVersionRangeStream = config.getProperty("sslVersionRangeStream");
+        if (sslVersionRangeStream != null)
+            setSslVersionRangeStream(sslVersionRangeStream);
+
+        String sslVersionRangeDatagram = config.getProperty("sslVersionRangeDatagram");
+        if (sslVersionRangeDatagram != null)
+            setSslVersionRangeDatagram(sslVersionRangeDatagram);
+
+        String sslRangeCiphers = config.getProperty("sslRangeCiphers");
+        if (sslRangeCiphers != null)
+            setSslRangeCiphers(sslRangeCiphers);
+
+        String sslOptions = config.getProperty("sslOptions");
+        if (sslOptions != null)
+            setSslOptions(sslOptions);
+
+        String ssl2Ciphers = config.getProperty("ssl2Ciphers");
+        if (ssl2Ciphers != null)
+            setSsl2Ciphers(ssl2Ciphers);
+
+        String ssl3Ciphers = config.getProperty("ssl3Ciphers");
+        if (ssl3Ciphers != null)
+            setSsl3Ciphers(ssl3Ciphers);
+
+        String tlsCiphers = config.getProperty("tlsCiphers");
+        if (tlsCiphers != null)
+            setTlsCiphers(tlsCiphers);
+    }
+
+    public void loadTomcatConfig(String serverXml) throws Exception {
+        File configFile = new File(serverXml);
+        loadTomcatConfig(configFile);
+    }
+
+    public void loadTomcatConfig(File configFile) throws Exception {
+
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        Document document = builder.parse(configFile);
+
+        loadTomcatConfig(document);
+    }
+
+    public void loadTomcatConfig(Document document) throws Exception {
+
+        XPathFactory xPathfactory = XPathFactory.newInstance();
+        XPath xpath = xPathfactory.newXPath();
+
+        Element connector = (Element) xpath.evaluate(
+                "/Server/Service[@name='Catalina']/Connector[@SSLEnabled='true']",
+                document, XPathConstants.NODE);
+
+        String certDb = connector.getAttribute("certdbDir");
+        if (certDb != null)
+            setCertdbDir(certDb);
+
+        String passwordClass = connector.getAttribute("passwordClass");
+        if (passwordClass != null)
+            setPasswordClass(passwordClass);
+
+        String passwordFile = connector.getAttribute("passwordFile");
+        if (passwordFile != null)
+            setPasswordFile(passwordFile);
+
+        String serverCertNickFile = connector.getAttribute("serverCertNickFile");
+        if (serverCertNickFile != null)
+            setServerCertNickFile(serverCertNickFile);
+
+        String enableOCSP = connector.getAttribute("enableOCSP");
+        if (enableOCSP != null)
+            setEnableOCSP(Boolean.parseBoolean(enableOCSP));
+
+        String ocspResponderURL = connector.getAttribute("ocspResponderURL");
+        if (ocspResponderURL != null)
+            setOcspResponderURL(ocspResponderURL);
+
+        String ocspResponderCertNickname = connector.getAttribute("ocspResponderCertNickname");
+        if (ocspResponderCertNickname != null)
+            setOcspResponderCertNickname(ocspResponderCertNickname);
+
+        String ocspCacheSize = connector.getAttribute("ocspCacheSize");
+        if (StringUtils.isNotEmpty(ocspCacheSize))
+            setOcspCacheSize(Integer.parseInt(ocspCacheSize));
+
+        String ocspMinCacheEntryDuration = connector.getAttribute("ocspMinCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
+            setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
+
+        String ocspMaxCacheEntryDuration = connector.getAttribute("ocspMaxCacheEntryDuration");
+        if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
+            setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
+
+        String ocspTimeout = connector.getAttribute("ocspTimeout");
+        if (StringUtils.isNotEmpty(ocspTimeout))
+            setOcspTimeout(Integer.parseInt(ocspTimeout));
+
+        String strictCiphers = connector.getAttribute("strictCiphers");
+        if (strictCiphers != null)
+            setStrictCiphers(strictCiphers);
+
+        String sslVersionRangeStream = connector.getAttribute("sslVersionRangeStream");
+        if (sslVersionRangeStream != null)
+            setSslVersionRangeStream(sslVersionRangeStream);
+
+        String sslVersionRangeDatagram = connector.getAttribute("sslVersionRangeDatagram");
+        if (sslVersionRangeDatagram != null)
+            setSslVersionRangeDatagram(sslVersionRangeDatagram);
+
+        String sslRangeCiphers = connector.getAttribute("sslRangeCiphers");
+        if (sslRangeCiphers != null)
+            setSslRangeCiphers(sslRangeCiphers);
+
+        String sslOptions = connector.getAttribute("sslOptions");
+        if (sslOptions != null)
+            setSslOptions(sslOptions);
+
+        String ssl2Ciphers = connector.getAttribute("ssl2Ciphers");
+        if (ssl2Ciphers != null)
+            setSsl2Ciphers(ssl2Ciphers);
+
+        String ssl3Ciphers = connector.getAttribute("ssl3Ciphers");
+        if (ssl3Ciphers != null)
+            setSsl3Ciphers(ssl3Ciphers);
+
+        String tlsCiphers = connector.getAttribute("tlsCiphers");
+        if (tlsCiphers != null)
+            setTlsCiphers(tlsCiphers);
+    }
+
     public void init() throws Exception {
 
         if (initialized) {
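Review bot: in `loadTomcatConfig(Document)` the `!= null` checks never fire, because `Element.getAttribute()` returns an empty string, not null, for an attribute that is absent; every string setter from `setCertdbDir` through `setTlsCiphers` (including `setPasswordClass`, `setPasswordFile` and `setServerCertNickFile`) is therefore called with `""` whenever server.xml omits that attribute, overwriting whatever default `TomcatJSS` had. Use `StringUtils.isNotEmpty`, as the `ocsp*` integer options in the same method already do, or guard with `connector.hasAttribute(...)`. Two more points in the same method: `xpath.evaluate(...)` returns null when no `Connector[@SSLEnabled='true']` exists under the `Catalina` service, so the first `connector.getAttribute` call then fails with an unexplained `NullPointerException` instead of a message naming the missing connector; and `DocumentBuilderFactory.newInstance()` is used with default settings, so server.xml is parsed with DTD and external-entity processing enabled. server.xml is an administrator-owned file, but a TLS component should still set `http://apache.org/xml/features/disallow-doctype-decl` to true on the factory before parsing. Finally, in `loadJSSConfig(File)` the `new FileReader(configFile)` passed to `config.load` is never closed and reads with the platform default charset; wrap it in a try-with-resources block.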


=====================================
src/org/dogtagpki/tomcat/JSSKeyManager.java deleted
=====================================
@@ -1,146 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- * Copyright (C) 2017 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.dogtagpki.tomcat;
-
-import java.net.Socket;
-import java.security.Principal;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-
-import javax.net.ssl.X509KeyManager;
-
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.crypto.ObjectNotFoundException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import sun.security.x509.X509CertImpl;
-
-public class JSSKeyManager implements X509KeyManager {
-
-    final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
-
-    @Override
-    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
-        logger.debug("JSSKeyManager: chooseClientAlias()");
-
-        logger.debug("JSSKeyManager: key types:");
-        for (String keyType : keyTypes) {
-            logger.debug("JSSKeyManager: - " + keyType);
-        }
-
-        logger.debug("JSSKeyManager: issuers:");
-        for (Principal issuer : issuers) {
-            logger.debug("JSSKeyManager: - " + issuer.getName());
-        }
-
-        return null;  // not implemented
-    }
-
-    @Override
-    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
-        logger.debug("JSSKeyManager: chooseServerAlias()");
-        logger.debug("JSSKeyManager: key type: " + keyType);
-
-        logger.debug("JSSKeyManager: issuers:");
-        for (Principal issuer : issuers) {
-            logger.debug("JSSKeyManager: - " + issuer.getName());
-        }
-
-        return null;  // not implemented
-    }
-
-    @Override
-    public X509Certificate[] getCertificateChain(String alias) {
-
-        logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
-
-        try {
-            CryptoManager cm = CryptoManager.getInstance();
-            org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
-
-            org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
-            logger.debug("JSSKeyManager: cert chain:");
-
-            Collection<X509Certificate> list = new ArrayList<>();
-            for (org.mozilla.jss.crypto.X509Certificate c : chain) {
-                logger.debug("JSSKeyManager: - " + c.getSubjectDN());
-                list.add(new X509CertImpl(c.getEncoded()));
-            }
-
-            return list.toArray(new X509Certificate[list.size()]);
-
-        } catch (Throwable e) {
-            logger.error(e.getMessage(), e);
-            throw new RuntimeException(e);
-        }
-    }
-
-    @Override
-    public String[] getClientAliases(String keyType, Principal[] issuers) {
-        logger.debug("JSSKeyManager: getClientAliases()");
-        logger.debug("JSSKeyManager: key type: " + keyType);
-
-        logger.debug("JSSKeyManager: issuers:");
-        for (Principal issuer : issuers) {
-            logger.debug("JSSKeyManager: - " + issuer.getName());
-        }
-
-        return null;  // not implemented
-    }
-
-    @Override
-    public PrivateKey getPrivateKey(String alias) {
-
-        logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
-
-        try {
-            CryptoManager cm = CryptoManager.getInstance();
-            org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
-            PrivateKey privateKey = cm.findPrivKeyByCert(cert);
-
-            logger.debug("JSSKeyManager: key found: " + alias);
-            return privateKey;
-
-        } catch (ObjectNotFoundException e) {
-            logger.debug("JSSKeyManager: key not found: " + alias);
-            return null;
-
-        } catch (Throwable e) {
-            logger.error(e.getMessage(), e);
-            throw new RuntimeException(e);
-        }
-    }
-
-    @Override
-    public String[] getServerAliases(String keyType, Principal[] issuers) {
-        logger.debug("JSSKeyManager: getServerAliases()");
-        logger.debug("JSSKeyManager: key type: " + keyType);
-
-        logger.debug("JSSKeyManager: issuers:");
-        for (Principal issuer : issuers) {
-            logger.debug("JSSKeyManager: - " + issuer.getName());
-        }
-
-        return null;  // not implemented
-    }
-}
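Review bot: deleting this class drops a dependency on `sun.security.x509.X509CertImpl`, an internal JDK API, which is a welcome cleanup; but the replacement key manager now comes from JSS itself (commits fb11bcd4 and 54e26482), so the runtime requirement on a JSS version that provides it has to be enforced in the spec, as the "Bumping min requirement for jss to 4.6.0" commit describes, or the listener will fail at class-loading time on an older JSS. Note too that the deleted `chooseServerAlias` and `getServerAliases` simply returned null ("not implemented"); the JSS-side replacement should be checked to confirm it actually selects the server certificate by nickname rather than inheriting that behaviour.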


=====================================
src/org/dogtagpki/tomcat/JSSListener.java
=====================================
@@ -20,24 +20,13 @@
 package org.dogtagpki.tomcat;
 
 import java.io.File;
-import java.io.FileReader;
-import java.util.Properties;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathFactory;
 
 import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleEvent;
 import org.apache.catalina.LifecycleListener;
-import org.apache.commons.lang.StringUtils;
 import org.apache.tomcat.util.net.jss.TomcatJSS;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
 
 public class JSSListener implements LifecycleListener {
 
@@ -66,195 +55,28 @@ public class JSSListener implements LifecycleListener {
     public void initJSS() {
 
         logger.info("JSSListener: Initializing JSS");
-        logger.info("JSSListener: Config: " + configFile);
 
         try {
-            if (configFile != null) {
-                loadJSSConfig();
+            TomcatJSS tomcatjss = TomcatJSS.getInstance();
+
+            String catalinaBase = System.getProperty("catalina.base");
+            String jssConf = catalinaBase + "/conf/jss.conf";
+            File configFile = new File(jssConf);
+
+            if (configFile.exists()) {
+                logger.info("JSSListener: Loading JSS configuration from " + jssConf);
+                tomcatjss.loadJSSConfig(configFile);
+
             } else {
-                loadServerXml();
+                String serverXml = catalinaBase + "/conf/server.xml";
+                logger.info("JSSListener: Loading JSS configuration from " + serverXml);
+                tomcatjss.loadTomcatConfig(serverXml);
             }
 
-            TomcatJSS tomcatjss = TomcatJSS.getInstance();
             tomcatjss.init();
 
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
     }
-
-    public void loadJSSConfig() throws Exception {
-
-        Properties properties = new Properties();
-        properties.load(new FileReader(configFile));
-
-        TomcatJSS tomcatjss = TomcatJSS.getInstance();
-
-        String certDb = properties.getProperty("certdbDir");
-        if (certDb != null)
-            tomcatjss.setCertdbDir(certDb);
-
-        String passwordClass = properties.getProperty("passwordClass");
-        if (passwordClass != null)
-            tomcatjss.setPasswordClass(passwordClass);
-
-        String passwordFile = properties.getProperty("passwordFile");
-        if (passwordFile != null)
-            tomcatjss.setPasswordFile(passwordFile);
-
-        String enableOCSP = properties.getProperty("enableOCSP");
-        if (enableOCSP != null)
-            tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
-
-        String ocspResponderURL = properties.getProperty("ocspResponderURL");
-        if (ocspResponderURL != null)
-            tomcatjss.setOcspResponderURL(ocspResponderURL);
-
-        String ocspResponderCertNickname = properties.getProperty("ocspResponderCertNickname");
-        if (ocspResponderCertNickname != null)
-            tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
-
-        String ocspCacheSize = properties.getProperty("ocspCacheSize");
-        if (StringUtils.isNotEmpty(ocspCacheSize))
-            tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
-
-        String ocspMinCacheEntryDuration = properties.getProperty("ocspMinCacheEntryDuration");
-        if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
-            tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
-
-        String ocspMaxCacheEntryDuration = properties.getProperty("ocspMaxCacheEntryDuration");
-        if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
-            tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
-
-        String ocspTimeout = properties.getProperty("ocspTimeout");
-        if (StringUtils.isNotEmpty(ocspTimeout))
-            tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
-
-        String strictCiphers = properties.getProperty("strictCiphers");
-        if (strictCiphers != null)
-            tomcatjss.setStrictCiphers(strictCiphers);
-
-        String sslVersionRangeStream = properties.getProperty("sslVersionRangeStream");
-        if (sslVersionRangeStream != null)
-            tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
-
-        String sslVersionRangeDatagram = properties.getProperty("sslVersionRangeDatagram");
-        if (sslVersionRangeDatagram != null)
-            tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
-
-        String sslRangeCiphers = properties.getProperty("sslRangeCiphers");
-        if (sslRangeCiphers != null)
-            tomcatjss.setSslRangeCiphers(sslRangeCiphers);
-
-        String sslOptions = properties.getProperty("sslOptions");
-        if (sslOptions != null)
-            tomcatjss.setSslOptions(sslOptions);
-
-        String ssl2Ciphers = properties.getProperty("ssl2Ciphers");
-        if (ssl2Ciphers != null)
-            tomcatjss.setSsl2Ciphers(ssl2Ciphers);
-
-        String ssl3Ciphers = properties.getProperty("ssl3Ciphers");
-        if (ssl3Ciphers != null)
-            tomcatjss.setSsl3Ciphers(ssl3Ciphers);
-
-        String tlsCiphers = properties.getProperty("tlsCiphers");
-        if (tlsCiphers != null)
-            tomcatjss.setTlsCiphers(tlsCiphers);
-    }
-
-    public void loadServerXml() throws Exception {
-
-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-        DocumentBuilder builder = factory.newDocumentBuilder();
-
-        String catalinaBase = System.getProperty("catalina.base");
-        File file = new File(catalinaBase + "/conf/server.xml");
-        Document doc = builder.parse(file);
-
-        XPathFactory xPathfactory = XPathFactory.newInstance();
-        XPath xpath = xPathfactory.newXPath();
-
-        Element connector = (Element) xpath.evaluate(
-                "/Server/Service[@name='Catalina']/Connector[@SSLEnabled='true']",
-                doc, XPathConstants.NODE);
-
-        TomcatJSS tomcatjss = TomcatJSS.getInstance();
-
-        String certDb = connector.getAttribute("certdbDir");
-        if (certDb != null)
-            tomcatjss.setCertdbDir(certDb);
-
-        String passwordClass = connector.getAttribute("passwordClass");
-        if (passwordClass != null)
-            tomcatjss.setPasswordClass(passwordClass);
-
-        String passwordFile = connector.getAttribute("passwordFile");
-        if (passwordFile != null)
-            tomcatjss.setPasswordFile(passwordFile);
-
-        String serverCertNickFile = connector.getAttribute("serverCertNickFile");
-        if (serverCertNickFile != null)
-            tomcatjss.setServerCertNickFile(serverCertNickFile);
-
-        String enableOCSP = connector.getAttribute("enableOCSP");
-        if (enableOCSP != null)
-            tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
-
-        String ocspResponderURL = connector.getAttribute("ocspResponderURL");
-        if (ocspResponderURL != null)
-            tomcatjss.setOcspResponderURL(ocspResponderURL);
-
-        String ocspResponderCertNickname = connector.getAttribute("ocspResponderCertNickname");
-        if (ocspResponderCertNickname != null)
-            tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
-
-        String ocspCacheSize = connector.getAttribute("ocspCacheSize");
-        if (StringUtils.isNotEmpty(ocspCacheSize))
-            tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
-
-        String ocspMinCacheEntryDuration = connector.getAttribute("ocspMinCacheEntryDuration");
-        if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
-            tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
-
-        String ocspMaxCacheEntryDuration = connector.getAttribute("ocspMaxCacheEntryDuration");
-        if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
-            tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
-
-        String ocspTimeout = connector.getAttribute("ocspTimeout");
-        if (StringUtils.isNotEmpty(ocspTimeout))
-            tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
-
-        String strictCiphers = connector.getAttribute("strictCiphers");
-        if (strictCiphers != null)
-            tomcatjss.setStrictCiphers(strictCiphers);
-
-        String sslVersionRangeStream = connector.getAttribute("sslVersionRangeStream");
-        if (sslVersionRangeStream != null)
-            tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
-
-        String sslVersionRangeDatagram = connector.getAttribute("sslVersionRangeDatagram");
-        if (sslVersionRangeDatagram != null)
-            tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
-
-        String sslRangeCiphers = connector.getAttribute("sslRangeCiphers");
-        if (sslRangeCiphers != null)
-            tomcatjss.setSslRangeCiphers(sslRangeCiphers);
-
-        String sslOptions = connector.getAttribute("sslOptions");
-        if (sslOptions != null)
-            tomcatjss.setSslOptions(sslOptions);
-
-        String ssl2Ciphers = connector.getAttribute("ssl2Ciphers");
-        if (ssl2Ciphers != null)
-            tomcatjss.setSsl2Ciphers(ssl2Ciphers);
-
-        String ssl3Ciphers = connector.getAttribute("ssl3Ciphers");
-        if (ssl3Ciphers != null)
-            tomcatjss.setSsl3Ciphers(ssl3Ciphers);
-
-        String tlsCiphers = connector.getAttribute("tlsCiphers");
-        if (tlsCiphers != null)
-            tomcatjss.setTlsCiphers(tlsCiphers);
-    }
 }
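Review bot: removing the parsing of `strictCiphers`, `sslVersionRangeStream`, `sslVersionRangeDatagram`, `sslRangeCiphers`, `sslOptions` and the `ssl2Ciphers`/`ssl3Ciphers`/`tlsCiphers` lists from this method needs a pointer to where those server.xml attributes are read now; the hunk alone only shows the deletion. A deployment that relies on `sslRangeCiphers` or `sslVersionRangeStream` to pin its suite and protocol range would silently lose that restriction if the attributes are no longer honoured anywhere, so state the new location in the commit message (or README), and consider logging a warning when these attributes are still present in a connector but ignored.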


=====================================
src/org/dogtagpki/tomcat/JSSTrustManager.java deleted
=====================================
@@ -1,197 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- * Copyright (C) 2017 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.dogtagpki.tomcat;
-
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-
-import javax.net.ssl.X509TrustManager;
-
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.NotInitializedException;
-import org.mozilla.jss.netscape.security.util.Cert;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import sun.security.x509.X509CertImpl;
-
-public class JSSTrustManager implements X509TrustManager {
-
-    final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
-
-    final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
-    final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
-
-    public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
-
-        logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
-
-        // sort cert chain from root to leaf
-        certChain = Cert.sortCertificateChain(certChain);
-
-        for (X509Certificate cert : certChain) {
-            logger.debug("JSSTrustManager:  - " + cert.getSubjectDN());
-        }
-
-        // get CA certs
-        X509Certificate[] caCerts = getAcceptedIssuers();
-
-        // validating cert chain from root to leaf
-        for (int i = 0; i < certChain.length; i++) {
-
-            X509Certificate cert = certChain[i];
-
-            // validating key usage on leaf cert only
-            String usage;
-            if (i == certChain.length - 1) {
-                usage = keyUsage;
-            } else {
-                usage = null;
-            }
-
-            checkCert(cert, caCerts, usage);
-
-            // use the current cert as the CA cert for the next cert in the chain
-            caCerts = new X509Certificate[] { cert };
-        }
-    }
-
-    public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
-
-        logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
-
-        boolean[] aki = cert.getIssuerUniqueID();
-        logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
-
-        X509Certificate issuer = null;
-        for (X509Certificate caCert : caCerts) {
-
-            boolean[] ski = caCert.getSubjectUniqueID();
-            logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
-
-            try {
-                cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
-                issuer = caCert;
-                break;
-            } catch (Exception e) {
-                logger.debug("JSSTrustManager: invalid certificate: " + e);
-            }
-        }
-
-        if (issuer == null) {
-            throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
-        }
-
-        logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
-
-        logger.debug("JSSTrustManager: checking validity range:");
-        logger.debug("JSSTrustManager:  - not before: " + cert.getNotBefore());
-        logger.debug("JSSTrustManager:  - not after: " + cert.getNotAfter());
-        cert.checkValidity();
-
-        if (keyUsage != null) {
-
-            List<String> extendedKeyUsages = cert.getExtendedKeyUsage();
-            logger.debug("JSSTrustManager: checking extended key usages:");
-
-            for (String extKeyUsage : extendedKeyUsages) {
-                logger.debug("JSSTrustManager:  - " + extKeyUsage);
-            }
-
-            if (extendedKeyUsages.contains(keyUsage)) {
-                logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
-            } else {
-                throw new CertificateException("Missing extended key usage: " + keyUsage);
-            }
-        }
-    }
-
-    @Override
-    public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
-
-        logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
-
-        try {
-            checkCertChain(certChain, CLIENT_AUTH_OID);
-            logger.debug("JSSTrustManager: SSL client certificate is valid");
-
-        } catch (CertificateException e) {
-            logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
-            throw e;
-
-        } catch (Exception e) {
-            logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
-            throw new CertificateException(e);
-        }
-    }
-
-    @Override
-    public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
-
-        logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
-
-        try {
-            checkCertChain(certChain, SERVER_AUTH_OID);
-            logger.debug("JSSTrustManager: SSL server certificate is valid");
-
-        } catch (CertificateException e) {
-            logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
-            throw e;
-
-        } catch (Exception e) {
-            logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
-            throw new CertificateException(e);
-        }
-    }
-
-    @Override
-    public X509Certificate[] getAcceptedIssuers() {
-
-        logger.debug("JSSTrustManager: getAcceptedIssuers():");
-
-        Collection<X509Certificate> caCerts = new ArrayList<>();
-
-        try {
-            CryptoManager manager = CryptoManager.getInstance();
-            for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
-                logger.debug("JSSTrustManager:  - " + cert.getSubjectDN());
-
-                try {
-                    X509CertImpl caCert = new X509CertImpl(cert.getEncoded());
-                    caCert.checkValidity();
-                    caCerts.add(caCert);
-
-                } catch (Exception e) {
-                    logger.debug("JSSTrustManager: invalid CA certificate: " + e);
-                }
-            }
-
-        } catch (NotInitializedException e) {
-            logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e);
-            throw new RuntimeException(e);
-        }
-
-        return caCerts.toArray(new X509Certificate[caCerts.size()]);
-    }
-}
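Review bot: deleting the in-tree trust manager also deletes the explicit extended-key-usage check (`CLIENT_AUTH_OID` 1.3.6.1.5.5.7.3.2 in `checkClientTrusted`, `SERVER_AUTH_OID` 1.3.6.1.5.5.7.3.1 in `checkServerTrusted`) and the `checkValidity()` call on every element of the sorted chain. The replacements used in the other hunks, `org.mozilla.jss.provider.javax.crypto.JSSTrustManager` and, when the engine is enabled, `JSSNativeTrustManager`, must cover at least that much for client-certificate authentication, and the commit message should say that they do. One thing not worth carrying over: the deleted `checkCert` logged `getIssuerUniqueID()`/`getSubjectUniqueID()` as "AKI"/"SKI", which they are not, so that debug output was misleading anyway.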


=====================================
tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java
=====================================
@@ -0,0 +1,117 @@
+package org.dogtagpki.tomcat;
+
+import java.security.Provider;
+import java.security.KeyManagementException;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.util.List;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.apache.tomcat.util.net.SSLContext;
+
+import org.mozilla.jss.JSSProvider;
+import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;
+import org.mozilla.jss.provider.javax.crypto.JSSTrustManager;
+import org.mozilla.jss.ssl.javax.JSSEngine;
+import org.mozilla.jss.ssl.javax.JSSParameters;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class JSSContext implements org.apache.tomcat.util.net.SSLContext {
+    public static Logger logger = LoggerFactory.getLogger(JSSContext.class);
+
+    private javax.net.ssl.SSLContext ctx;
+    private String alias;
+
+    private JSSKeyManager jkm;
+    private JSSTrustManager jtm;
+
+    public JSSContext(String alias) {
+        logger.debug("JSSContext(" + alias + ")");
+        this.alias = alias;
+
+        /* These KeyManagers and TrustManagers aren't used with the SSLEngine;
+         * they're only used to implement certain function calls below. */
+        try {
+            KeyManagerFactory kmf = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS");
+            jkm = (JSSKeyManager) kmf.getKeyManagers()[0];
+
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance("NssX509", "Mozilla-JSS");
+            jtm = (JSSTrustManager) tmf.getTrustManagers()[0];
+        } catch (Exception e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+    }
+
+    public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws KeyManagementException {
+        logger.debug("JSSContext.init(...)");
+
+        try {
+            String provider = "SunJSSE";
+            if (JSSProvider.ENABLE_JSSENGINE) {
+                provider = "Mozilla-JSS";
+            }
+
+            ctx = javax.net.ssl.SSLContext.getInstance("TLS", provider);
+            ctx.init(kms, tms, sr);
+        } catch (Exception e) {
+            throw new KeyManagementException(e.getMessage(), e);
+        }
+    }
+
+    public javax.net.ssl.SSLEngine createSSLEngine() {
+        logger.debug("JSSContext.createSSLEngine()");
+        javax.net.ssl.SSLEngine eng = ctx.createSSLEngine();
+
+        if (eng instanceof JSSEngine) {
+            JSSEngine j_eng = (JSSEngine) eng;
+            j_eng.setCertFromAlias(alias);
+        }
+
+        return eng;
+    }
+
+    public javax.net.ssl.SSLSessionContext getServerSessionContext() {
+        logger.debug("JSSContext.getServerSessionContext()");
+        return ctx.getServerSessionContext();
+    }
+
+    public javax.net.ssl.SSLServerSocketFactory getServerSocketFactory() {
+        logger.debug("JSSContext.getServerSocketFactory()");
+        return ctx.getServerSocketFactory();
+    }
+
+    public javax.net.ssl.SSLParameters getSupportedSSLParameters() {
+        logger.debug("JSSContext.getSupportedSSLParameters()");
+        return ctx.getSupportedSSLParameters();
+    }
+
+    public java.security.cert.X509Certificate[] getCertificateChain(java.lang.String alias) {
+        logger.debug("JSSContext.getCertificateChain(" + alias + ")");
+
+        try {
+            return jkm.getCertificateChain(alias);
+        } catch (Exception e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+    }
+
+    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+        logger.debug("JSSContext.getAcceptedIssuers()");
+
+        try {
+            return jtm.getAcceptedIssuers();
+        } catch (Exception e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+    }
+
+    public void destroy() {
+        logger.debug("JSSContext.destory()");
+    }
+}
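Review bot: `init()` silently selects the `SunJSSE` provider whenever `JSSProvider.ENABLE_JSSENGINE` is false, so in that configuration the handshake runs in the JDK's TLS stack while the key and trust managers still come from Mozilla-JSS, and `setCertFromAlias(alias)` in `createSSLEngine()` is only applied when the engine is a `JSSEngine`, so the alias is ignored on the fallback path. Log the chosen provider at INFO and document that NSS cipher and protocol policy does not govern connections made through the fallback. Smaller points: `destroy()` logs "destory" and releases nothing (at least clear `ctx`), and the `Provider`, `Security`, `List` and `JSSParameters` imports are unused.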


=====================================
tomcat-8.5/src/org/dogtagpki/tomcat/JSSImplementation.java
=====================================
@@ -19,14 +19,19 @@
 
 package org.dogtagpki.tomcat;
 
+import javax.net.ssl.SSLSession;
+
+import org.apache.tomcat.util.net.jsse.JSSESupport;
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.SSLImplementation;
+import org.apache.tomcat.util.net.SSLSupport;
 import org.apache.tomcat.util.net.SSLUtil;
-import org.apache.tomcat.util.net.jsse.JSSEImplementation;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class JSSImplementation extends JSSEImplementation {
+public class JSSImplementation extends SSLImplementation {
 
     public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
 
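Review bot: the unchanged logger line still reads `LoggerFactory.getLogger(JSSUtil.class)` inside `JSSImplementation`, so its messages are attributed to the wrong class; since this hunk already switches the base class from `JSSEImplementation` to the abstract `SSLImplementation`, change it to `JSSImplementation.class` here. Note that extending `SSLImplementation` directly drops every default the JSSE base class supplied, so each abstract method must now be implemented in this class (the following hunks add `getSSLSupport` and `isAlpnSupported`).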
@@ -34,6 +39,12 @@ public class JSSImplementation extends JSSEImplementation {
         logger.debug("JSSImplementation: instance created");
     }
 
+    @Override
+    public SSLSupport getSSLSupport(SSLSession session) {
+        logger.debug("JSSImplementation.getSSLSupport()");
+        return new JSSESupport(session);
+    }
+
     @Override
     public SSLUtil getSSLUtil(SSLHostConfigCertificate cert) {
         logger.debug("JSSImplementation: getSSLUtil()");
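Review bot: `getSSLSupport` reuses Tomcat's `JSSESupport`, which derives the client certificate chain from the `SSLSession`'s peer certificates; that only works if the JSS-backed session returns `java.security.cert.X509Certificate` objects. Add a test that exercises client-certificate authentication through this path, because a mismatch here would not show up at startup but only when a request needs the client certificate.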
@@ -47,4 +58,10 @@ public class JSSImplementation extends JSSEImplementation {
 
         return new JSSUtil(cert);
     }
+
+    @Override
+    public boolean isAlpnSupported() {
+        // NSS supports ALPN but JSS doesn't yet support ALPN.
+        return false;
+    }
 }
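Review bot: `isAlpnSupported()` returning `false` means a connector using this implementation cannot negotiate HTTP/2 over TLS, since h2 requires ALPN; the inline comment gives the reason, but the limitation should also be stated in the README so that an `Http2Protocol` upgrade element in server.xml is understood to be ineffective here. Related: `createSSLContextInternal(List<String> negotiableProtocols)` in `JSSUtil` discards its argument, so it could log when handed a non-empty list.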


=====================================
tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
=====================================
@@ -19,35 +19,118 @@
 
 package org.dogtagpki.tomcat;
 
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.HashSet;
+
 import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.SSLEngine;
 
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
-import org.apache.tomcat.util.net.jsse.JSSEUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.tomcat.util.net.SSLContext;
+import org.apache.tomcat.util.net.SSLUtil;
+import org.apache.tomcat.util.net.SSLUtilBase;
+
+import org.mozilla.jss.JSSProvider;
+import org.mozilla.jss.crypto.Policy;
+import org.mozilla.jss.provider.javax.crypto.JSSNativeTrustManager;
+import org.mozilla.jss.ssl.SSLCipher;
+import org.mozilla.jss.ssl.SSLVersion;
 
-public class JSSUtil extends JSSEUtil {
+public class JSSUtil extends SSLUtilBase {
+    public static Log logger = LogFactory.getLog(JSSUtil.class);
 
-    public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
+    private String keyAlias;
+
+    private SSLEngine engine;
+    private Set<String> protocols;
+    private Set<String> ciphers;
 
     public JSSUtil(SSLHostConfigCertificate cert) {
         super(cert);
+
+        keyAlias = certificate.getCertificateKeyAlias();
         logger.debug("JSSUtil: instance created");
     }
 
+    private void init() {
+        if (engine != null) {
+            return;
+        }
+
+        try {
+            JSSContext ctx = new JSSContext(null);
+            ctx.init(null, null, null);
+            engine = ctx.createSSLEngine();
+        } catch (Exception e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+
+        protocols = Collections.unmodifiableSet(
+            new HashSet<String>(Arrays.asList(engine.getSupportedProtocols()))
+        );
+
+        ciphers = Collections.unmodifiableSet(
+            new HashSet<String>(Arrays.asList(engine.getSupportedCipherSuites()))
+        );
+    }
+
     @Override
     public KeyManager[] getKeyManagers() throws Exception {
         logger.debug("JSSUtil: getKeyManagers()");
-        String keyAlias = certificate.getCertificateKeyAlias();
-        KeyManager keyManager = new JSSEKeyManager(new JSSKeyManager(), keyAlias);
-        return new KeyManager[] { keyManager };
+        KeyManagerFactory jkm = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS");
+        return jkm.getKeyManagers();
     }
 
     @Override
     public TrustManager[] getTrustManagers() throws Exception {
         logger.debug("JSSUtil: getTrustManagers()");
-        return new TrustManager[] { new JSSTrustManager() };
+        if (!JSSProvider.ENABLE_JSSENGINE) {
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance("NssX509");
+            return tmf.getTrustManagers();
+        }
+
+        return new TrustManager[] { new JSSNativeTrustManager() };
+    }
+
+    @Override
+    public SSLContext createSSLContextInternal(List<String> negotiableProtocols) throws Exception {
+        logger.debug("JSSUtil createSSLContextInternal(...) keyAlias=" + keyAlias);
+        return new JSSContext(keyAlias);
+    }
+
+    @Override
+    public boolean isTls13RenegAuthAvailable() {
+        logger.debug("JSSUtil: isTls13RenegAuthAvailable()");
+        return true;
+    }
+
+    @Override
+    public Log getLog() {
+        logger.debug("JSSUtil: getLog()");
+        return logger;
+    }
+
+    @Override
+    protected Set<String> getImplementedProtocols() {
+        logger.debug("JSSUtil: getImplementedProtocols()");
+        init();
+        return protocols;
+    }
+
+    @Override
+    protected Set<String> getImplementedCiphers() {
+        logger.debug("JSSUtil: getImplementedCiphers()");
+        init();
+
+        return ciphers;
     }
 }
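Review bot: `getKeyManagers()` no longer enforces the configured alias. The removed code wrapped the JSS key manager in `JSSEKeyManager(new JSSKeyManager(), keyAlias)`; the new code returns the `NssX509` factory's managers unchanged, and `keyAlias` only reaches `JSSContext`, which applies it solely on the `JSSEngine` path. When `JSSProvider.ENABLE_JSSENGINE` is false the `certificateKeyAlias` from server.xml is therefore ignored and the key manager picks a certificate on its own; keep the `JSSEKeyManager` wrapper (still imported) for that path or fail fast when the alias cannot be honoured. Two more points: `getTrustManagers()` calls `TrustManagerFactory.getInstance("NssX509")` without naming a provider while the key-manager lookup pins `"Mozilla-JSS"`, so pin both; and `isTls13RenegAuthAvailable()` returns `true` unconditionally, which tells Tomcat it may request a client certificate after a TLS 1.3 handshake, a capability that should be gated on the engine in use rather than asserted for the `SunJSSE` fallback as well. Unused imports: `Policy`, `SSLCipher`, `SSLVersion`, `SSLUtil`.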


=====================================
tomcatjss.spec
=====================================
@@ -7,9 +7,9 @@ URL:              http://www.dogtagpki.org/wiki/TomcatJSS
 License:          LGPLv2+
 BuildArch:        noarch
 
-Version:          7.4.0
+Version:          7.5.0
 Release:          1%{?_timestamp}%{?_commit_id}%{?dist}
-# global           _phase -a1
+#global           _phase -a1
 
 # To generate the source tarball:
 # $ git clone https://github.com/dogtagpki/tomcatjss.git
@@ -57,7 +57,7 @@ BuildRequires:    slf4j-jdk14
 %if 0%{?rhel} && 0%{?rhel} <= 7
 BuildRequires:    jss >= 4.4.0-7
 %else
-BuildRequires:    jss >= 4.5.3
+BuildRequires:    jss >= 4.7.0
 %endif
 
 # Tomcat
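Review bot: the `%else` branch moves to `jss >= 4.7.0`, but the `rhel <= 7` branch still requires `jss >= 4.4.0-7`, and the code in this change imports `org.mozilla.jss.ssl.javax.JSSEngine`, `org.mozilla.jss.provider.javax.crypto.JSSKeyManager`/`JSSTrustManager`/`JSSNativeTrustManager` and reads `JSSProvider.ENABLE_JSSENGINE`, which is exactly why the other branch needs 4.7.0. Either raise the RHEL 7 floor to a jss that ships those classes or drop that branch; the `Requires:` hunk below has the same split.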
@@ -104,7 +104,7 @@ Requires:         slf4j-jdk14
 %if 0%{?rhel} && 0%{?rhel} <= 7
 Requires:         jss >= 4.4.0-7
 %else
-Requires:         jss >= 4.5.3
+Requires:         jss >= 4.7.0
 %endif
 
 # Tomcat
@@ -126,12 +126,6 @@ Requires:         tomcat >= 1:9.0.7
 %endif
 %endif
 
-# The 'tomcatjss' package conflicts with the 'tomcat-native' package
-# because it uses an underlying NSS security model rather than the
-# OpenSSL security model, so these two packages may not co-exist.
-# (see Bugzilla Bug #441974 for details)
-Conflicts:        tomcat-native
-
 # PKI
 Conflicts:        pki-base < 10.6.5
 
@@ -182,6 +176,8 @@ ant -f build.xml \
 %files
 ################################################################################
 
+%license LICENSE
+
 %defattr(-,root,root)
 %doc README
 %doc LICENSE
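Review bot: with `%license LICENSE` added, the unchanged `%doc LICENSE` two lines below lists the same file a second time; rpmbuild will warn that the file is listed twice, and the file belongs under `%license` only. Drop the `%doc LICENSE` line.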



View it on GitLab: https://salsa.debian.org/freeipa-team/tomcatjss/-/compare/1c5e0f91c0ff7b228034dba89383633c7c413fd2...34a0993bb456f4450f1964941830fa1a85b4a107
