billbarker    2003/03/16 20:04:08

  Modified:    util/java/org/apache/tomcat/util/net/jsse
                        JSSEImplementation.java JSSESupport.java
  Added:       util/java/org/apache/tomcat/util/net/jsse JSSE14Support.java
  Log:
  Having made the mistake of updating the build, I can't test this stuff anymore.
  
  Further re-factoring for JSSE 1.1.x.  However, there is almost no functional 
difference from the old behavior with this commit.  Just moving code around.
  
  Revision  Changes    Path
  1.5       +29 -2     
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
  
  Index: JSSEImplementation.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- JSSEImplementation.java   15 Mar 2003 07:29:03 -0000      1.4
  +++ JSSEImplementation.java   17 Mar 2003 04:04:07 -0000      1.5
  @@ -65,6 +65,7 @@
   import org.apache.tomcat.util.net.ServerSocketFactory;
   import java.io.*;
   import java.net.*;
  +import java.lang.reflect.Constructor;
   import javax.net.ssl.SSLSocket;
   
   /* JSSEImplementation:
  @@ -77,7 +78,13 @@
   public class JSSEImplementation extends SSLImplementation
   {
       static final String JSSE14SocketFactory = 
  -        "org.apache.tomcat.net.jsse.JSSE14SocketFactory";
  +        "org.apache.tomcat.util.net.jsse.JSSE14SocketFactory";
  +    static final String JSSE14Support = 
  +        "org.apache.tomcat.util.net.jsse.JSSE14Support";
  +
  +    static org.apache.commons.logging.Log logger = 
  +        org.apache.commons.logging.LogFactory.getLog(JSSEImplementation.class);
  +
       public JSSEImplementation() throws ClassNotFoundException {
           // Check to see if JSSE is floating around somewhere
           Class.forName("javax.net.ssl.SSLServerSocketFactory");
  @@ -96,6 +103,8 @@
                   Class ssfCl = Class.forName(JSSE14SocketFactory);
                   ssf =(ServerSocketFactory)ssfCl.newInstance();
               } catch(Exception ex) {
  +                if(logger.isDebugEnabled())
  +                    logger.debug("Error finding " + JSSE14SocketFactory, ex);
                   ssf = new JSSESocketFactory();
               }
           } else {
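Review bot: The fallback to `new JSSESocketFactory()` when the 1.4 factory cannot be loaded is reported only at debug level, so an operator running with default logging never learns that the intended JSSE 1.4 socket factory was not used and the older one is serving SSL connections instead. Since this runs once per JSSEImplementation rather than per connection, `logger.warn("Error finding " + JSSE14SocketFactory + ", falling back to JSSESocketFactory", ex);` is the appropriate level here. The same debug-only fallback appears at the `JSSE14Support` lookup in getSSLSupport (next hunk), which is per-connection; there a one-time warning on first failure would be the equivalent without flooding the log. The enclosing constructor starts outside the hunk.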
  @@ -106,7 +115,25 @@
   
       public SSLSupport getSSLSupport(Socket s)
       {
  -        return new JSSESupport((SSLSocket)s);
  +        SSLSupport ssls = null;
  +        if( JdkCompat.isJava14() ) {
  +            try {
  +                Class sslsCl = Class.forName(JSSE14Support);
  +                Class [] cparams = new Class[1];
  +                cparams[0] = SSLSocket.class;
  +                Constructor sslc = sslsCl.getConstructor(cparams);
  +                Object [] params = new Object[1];
  +                params[0] = s;
  +                ssls = (SSLSupport)sslc.newInstance(params);
  +            } catch(Exception ex) {
  +                if(logger.isDebugEnabled())
  +                    logger.debug("Unable to get " + JSSE14Support, ex);
  +                ssls = new JSSESupport((SSLSocket)s);
  +            }
  +        } else {
  +            ssls = new JSSESupport((SSLSocket)s);
  +        }
  +        return ssls;
       }
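Review bot: `Class.forName(JSSE14Support)` and `getConstructor` run on every getSSLSupport call, i.e. once per accepted SSL connection, although the result cannot change after class loading; resolving the Constructor once into a static field (and treating null as "use JSSESupport") removes the per-connection reflection and the repeated debug log when the class is absent. The `catch(Exception ex)` also receives an `InvocationTargetException` when the JSSE14Support constructor itself throws, so the debug message shows the reflection wrapper rather than the real cause; catching `InvocationTargetException` separately and logging `ex.getTargetException()` fixes that (needs `import java.lang.reflect.InvocationTargetException;`). A sketch, Java 1.4 compatible like the rest of the file:

```java
    // resolved once; null when the 1.4 support class is unavailable
    private static Constructor jsse14SupportCtor;
    static {
        if (JdkCompat.isJava14()) {
            try {
                Class sslsCl = Class.forName(JSSE14Support);
                jsse14SupportCtor = sslsCl.getConstructor(new Class[] { SSLSocket.class });
            } catch (Exception ex) {
                if (logger.isDebugEnabled())
                    logger.debug("Unable to get " + JSSE14Support, ex);
            }
        }
    }

    public SSLSupport getSSLSupport(Socket s)
    {
        if (jsse14SupportCtor != null) {
            try {
                return (SSLSupport) jsse14SupportCtor.newInstance(new Object[] { s });
            } catch (InvocationTargetException ex) {
                // report the constructor's own failure, not the reflection wrapper
                if (logger.isDebugEnabled())
                    logger.debug("Unable to get " + JSSE14Support, ex.getTargetException());
            } catch (Exception ex) {
                if (logger.isDebugEnabled())
                    logger.debug("Unable to get " + JSSE14Support, ex);
            }
        }
        return new JSSESupport((SSLSocket) s);
    }
```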
   
   
  
  
  
  1.4       +23 -63    
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
  
  Index: JSSESupport.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- JSSESupport.java  9 Oct 2002 15:03:21 -0000       1.3
  +++ JSSESupport.java  17 Mar 2003 04:04:07 -0000      1.4
  @@ -66,8 +66,6 @@
   import java.security.cert.CertificateFactory;
   import javax.net.ssl.SSLSession;
   import javax.net.ssl.SSLSocket;
  -import javax.net.ssl.HandshakeCompletedListener;
  -import javax.net.ssl.HandshakeCompletedEvent;
   import java.security.cert.CertificateFactory;
   import javax.security.cert.X509Certificate;
   
  @@ -87,7 +85,7 @@
   
   class JSSESupport implements SSLSupport {
   
  -    private SSLSocket ssl;
  +    protected SSLSocket ssl;
   
   
       JSSESupport(SSLSocket sock){
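Review bot: Widening `ssl` to `protected` exposes the socket to subclasses, and the certificate-chain and handshake logic in this class assumes it never changes after construction; if the constructor (its body is outside the hunk) is the only assignment, `protected final SSLSocket ssl;` makes that guarantee explicit and stops a subclass from swapping the socket out from under getPeerCertificateChain. A one-line comment such as `// the accepted SSL connection; shared with subclasses (JSSE14Support) for the forced re-handshake` would also explain why the visibility was widened.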
  @@ -103,12 +101,12 @@
       }
   
       public Object[] getPeerCertificateChain() 
  -     throws IOException {
  -     return getPeerCertificateChain(false);
  +        throws IOException {
  +        return getPeerCertificateChain(false);
       }
   
       public Object[] getPeerCertificateChain(boolean force)
  -     throws IOException {
  +        throws IOException {
           // Look up the current SSLSession
           SSLSession session = ssl.getSession();
           if (session == null)
  @@ -118,25 +116,21 @@
           X509Certificate jsseCerts[] = null;
           java.security.cert.X509Certificate x509Certs[] = null;
           try {
  -         try {
  -             jsseCerts = session.getPeerCertificateChain();
  -         } catch(Exception bex) {
  -             // ignore.
  -         }
  +            try {
  +                jsseCerts = session.getPeerCertificateChain();
  +            } catch(Exception bex) {
  +                // ignore.
  +            }
               if (jsseCerts == null)
                   jsseCerts = new X509Certificate[0];
  -         if(jsseCerts.length <= 0 && force) {
  -             session.invalidate();
  -             ssl.setNeedClientAuth(true);
  -             ssl.startHandshake();
  -             if ("1.4".equals(System.getProperty("java.specification.version"))) {
  -                 synchronousHandshake(ssl);
  -             }
  -             session = ssl.getSession();
  -             jsseCerts = session.getPeerCertificateChain();
  -             if(jsseCerts == null)
  -                 jsseCerts = new X509Certificate[0];
  -         }
  +            if(jsseCerts.length <= 0 && force) {
  +                session.invalidate();
  +                handShake();
  +                session = ssl.getSession();
  +                jsseCerts = session.getPeerCertificateChain();
  +                if(jsseCerts == null)
  +                    jsseCerts = new X509Certificate[0];
  +            }
               x509Certs =
                 new java.security.cert.X509Certificate[jsseCerts.length];
               for (int i = 0; i < x509Certs.length; i++) {
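Review bot: The new `handShake()` call is declared to throw IOException, but the enclosing `catch (Throwable t) { return null; }` (visible in the next hunk) swallows it, so a forced re-handshake that fails or times out is returned to the caller as null, indistinguishable from "the client presented no certificate", and nothing is logged; since this method already declares `throws IOException`, either let the IOException from `handShake()` propagate or at least log it before returning null, and narrow the catch from `Throwable` so JVM Errors are not converted into a missing certificate. The inner `catch(Exception bex) { // ignore. }` deserves a reason rather than "ignore", e.g. `// no peer certificate yet (SSLPeerUnverifiedException); treated as an empty chain and re-handshaked below if force is set`. The method getPeerCertificateChain(boolean) starts and ends outside this hunk.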
  @@ -148,8 +142,8 @@
                   x509Certs[i] = (java.security.cert.X509Certificate)
                     cf.generateCertificate(stream);
               }
  -     } catch (Throwable t) {
  -         return null;
  +        } catch (Throwable t) {
  +            return null;
           }
   
           if ((x509Certs == null) || (x509Certs.length < 1))
  @@ -158,6 +152,10 @@
           return x509Certs;
       }
   
  +    protected void handShake() throws IOException {
  +        ssl.setNeedClientAuth(true);
  +        ssl.startHandshake();
  +    }
       /**
        * Copied from <code>org.apache.catalina.valves.CertificateValve</code>
        */
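Review bot: `handShake()` is a new protected hook that JSSE14Support overrides, but it has no Javadoc, and the `/**` comment of the following method abuts its closing brace with no blank line. A Javadoc stating the contract would help implementers: that it forces a re-handshake with client authentication required, that callers expect `ssl.getSession()` to reflect the new handshake on return, that the base implementation only starts the handshake without waiting for completion, and that subclasses may block until completion and throw IOException if it does not finish. Also worth noting in it that `setNeedClientAuth(true)` permanently changes the socket's requirement, so any later re-handshake on this connection will also demand a client certificate.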
  @@ -204,44 +202,6 @@
           return buf.toString();
       }
   
  -    /**
  -     * JSSE in JDK 1.4 has an issue/feature that requires us to do a
  -     * read() to get the client-cert.  As suggested by Andreas
  -     * Sterbenz
  -     */
  -    private static void synchronousHandshake(SSLSocket socket) 
  -        throws IOException {
  -        InputStream in = socket.getInputStream();
  -        int oldTimeout = socket.getSoTimeout();
  -        socket.setSoTimeout(100);
  -        Listener listener = new Listener();
  -        socket.addHandshakeCompletedListener(listener);
  -        byte[] b = new byte[0];
  -        socket.startHandshake();
  -        int maxTries = 50; // 50 * 100 = example 5 second rehandshake timeout
  -        for (int i = 0; i < maxTries; i++) {
  -            try {
  -                int x = in.read(b);
  -            } catch (IOException e) {
  -                // ignore - presumably the timeout
  -            }
  -            if (listener.completed) {
  -                break;
  -            }
  -        }
  -        socket.removeHandshakeCompletedListener(listener);
  -        socket.setSoTimeout(oldTimeout);
  -        if (listener.completed == false) {
  -            throw new SocketException("SSL Cert handshake timeout");
  -        }
  -    }
  -
  -    private static class Listener implements HandshakeCompletedListener {
  -        volatile boolean completed = false;
  -        public void handshakeCompleted(HandshakeCompletedEvent event) {
  -            completed = true;
  -        }
  -    }
   
   }
   
  
  
  
  1.1                  
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java
  
  Index: JSSE14Support.java
  ===================================================================
  /*
   * ====================================================================
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999 The Apache Software Foundation.  All rights 
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer. 
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution, if
   *    any, must include the following acknowlegement:  
   *       "This product includes software developed by the 
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowlegement may appear in the software itself,
   *    if and wherever such third-party acknowlegements normally appear.
   *
   * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
   *    Foundation" must not be used to endorse or promote products derived
   *    from this software without prior written permission. For written 
   *    permission, please contact [EMAIL PROTECTED]
   *
   * 5. Products derived from this software may not be called "Apache"
   *    nor may "Apache" appear in their names without prior written
   *    permission of the Apache Group.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http://www.apache.org/>.
   *
   * [Additional notices, if required by prior licensing conditions]
   *
   */ 
  
  package org.apache.tomcat.util.net.jsse;
  
  import org.apache.tomcat.util.net.SSLSupport;
  import java.io.*;
  import java.net.*;
  import java.util.Vector;
  import java.security.cert.CertificateFactory;
  import javax.net.ssl.SSLSession;
  import javax.net.ssl.SSLSocket;
  import javax.net.ssl.SSLException;
  import javax.net.ssl.HandshakeCompletedListener;
  import javax.net.ssl.HandshakeCompletedEvent;
  import java.security.cert.CertificateFactory;
  import javax.security.cert.X509Certificate;
  
  /* JSSESupport
  
     Concrete implementation class for JSSE
     Support classes.
  
     This will only work with JDK 1.2 and up since it
     depends on JDK 1.2's certificate support
  
     @author EKR
     @author Craig R. McClanahan
     Parts cribbed from JSSECertCompat       
     Parts cribbed from CertificatesValve
  */
  
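  /**
   * JDK 1.4 variant of {@link JSSESupport}.
   *
   * On JDK 1.4 the re-handshake that is forced to obtain a client certificate
   * does not complete until the application reads from the socket, so this
   * subclass registers a HandshakeCompletedListener at construction and makes
   * {@link #handShake()} poll the socket with a short read timeout until the
   * listener reports completion (or a fixed budget of polls is exhausted).
   */
  class JSSE14Support extends JSSESupport {

      private static final org.apache.commons.logging.Log logger =
          org.apache.commons.logging.LogFactory.getLog(JSSE14Support.class);

      /** Read timeout (ms) applied to the socket while polling for handshake completion. */
      private static final int HANDSHAKE_POLL_TIMEOUT = 100;

      /** Number of polls before giving up: 50 * 100 ms = 5 second re-handshake timeout. */
      private static final int HANDSHAKE_MAX_TRIES = 50;

      /**
       * Registered on the socket once, in the constructor.  Reset before each
       * forced re-handshake so that a completion recorded from an earlier
       * handshake is not mistaken for the new one.
       */
      final Listener listener = new Listener();

      /**
       * @param sock the accepted SSL connection; the completion listener is
       *             attached to it here for the lifetime of the socket
       */
      public JSSE14Support(SSLSocket sock){
          super(sock);
          sock.addHandshakeCompletedListener(listener);
      }

      /**
       * Forces a re-handshake that requires a client certificate and, unlike
       * the base class, blocks until that handshake has completed.
       *
       * @throws IOException if the handshake fails or does not complete within
       *                     the poll budget
       */
      protected void handShake() throws IOException {
          ssl.setNeedClientAuth(true);
          synchronousHandshake(ssl);
      }

      /**
       * JSSE in JDK 1.4 has an issue/feature that requires us to do a
       * read() to get the client-cert.  As suggested by Andreas
       * Sterbenz
       *
       * The socket's read timeout is shortened while polling and restored
       * before returning, whether the handshake succeeds, fails or times out.
       *
       * @param socket the connection to re-handshake
       * @throws SSLException    if the handshake itself fails
       * @throws SocketException if the handshake does not complete in time
       * @throws IOException     on other socket errors
       */
      private  void synchronousHandshake(SSLSocket socket) 
          throws IOException {
          InputStream in = socket.getInputStream();
          int oldTimeout = socket.getSoTimeout();
          socket.setSoTimeout(HANDSHAKE_POLL_TIMEOUT);
          try {
              byte[] b = new byte[0];
              listener.reset();
              socket.startHandshake();
              for (int i = 0; i < HANDSHAKE_MAX_TRIES; i++) {
                  try {
                      // Zero-length read: drives the JSSE state machine without
                      // consuming application data.
                      in.read(b);
                  } catch(SSLException sslex) {
                      logger.info("SSL Error getting client Certs",sslex);
                      throw sslex;
                  } catch (IOException e) {
                      // ignore - presumably the timeout
                  }
                  if (listener.completed) {
                      break;
                  }
              }
          } finally {
              // Always restore the caller's timeout.  Previously an SSLException
              // (or a failing startHandshake) left the socket with the 100 ms
              // poll timeout for the rest of its life.
              socket.setSoTimeout(oldTimeout);
          }
          if (!listener.completed) {
              throw new SocketException("SSL Cert handshake timeout");
          }
      }

      /**
       * Records handshake completion for the polling loop in
       * {@link #synchronousHandshake(SSLSocket)}.  The flag is volatile because
       * JSSE invokes the callback from the handshaking thread while the polling
       * loop reads it.
       */
      private static class Listener implements HandshakeCompletedListener {
          volatile boolean completed = false;
          public void handshakeCompleted(HandshakeCompletedEvent event) {
              completed = true;
              if(logger.isTraceEnabled()) 
                  logger.trace("SSL handshake done : Socket = " +
                               event.getSocket() );

          }
          /** Clears a completion left over from a previous handshake. */
          void reset() {
              completed = false;
          }
      }

  }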
  
  
  
  
