billbarker 2003/06/15 19:45:56
Modified: util/java/org/apache/tomcat/util/net/puretls
PureTLSSocketFactory.java PureTLSSupport.java
Log:
Fixes for CLIENT-CERT auth when using PureTLS
1) We need to set the rootFile always, since it is needed for CLIENT-CERT even when
clientAuth="false".
2) Fix off-by-one problem with generating the x509 certs.
Revision Changes Path
1.3 +9 -5
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/puretls/PureTLSSocketFactory.java
Index: PureTLSSocketFactory.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/puretls/PureTLSSocketFactory.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- PureTLSSocketFactory.java 12 Jun 2003 04:30:41 -0000 1.2
+++ PureTLSSocketFactory.java 16 Jun 2003 02:45:56 -0000 1.3
@@ -160,11 +160,15 @@
}
}
- SSLContext tmpContext=new SSLContext();
- if(clientAuth){
- tmpContext.loadRootCertificates(rootFile);
- }
- tmpContext.loadEAYKeyFile(keyStoreFile,keyPass);
+ SSLContext tmpContext=new SSLContext();
+ try {
+ tmpContext.loadRootCertificates(rootFile);
+ } catch(IOException iex) {
+ if(logger.isDebugEnabled())
+ logger.debug("Error loading Client Root Store: " +
+ rootFile,iex);
+ }
+ tmpContext.loadEAYKeyFile(keyStoreFile,keyPass);
tmpContext.useRandomnessFile(randomFile,keyPass);
SSLPolicyInt policy=new SSLPolicyInt();
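Review bot: The catch block added at line 32 turns a failed root-store load into a debug-level message regardless of clientAuth, so with clientAuth="true" a missing or unreadable rootFile yields a context with no trusted roots and the misconfiguration only shows up later as client handshake failures. Since the root store is now also loaded when clientAuth is off (the reason given in the log message), the lenient path is justified only for that case; when client authentication is required the error should propagate, e.g. `} catch(IOException iex) {` / `    if(clientAuth) throw iex;` / `    logger.warn("Error loading Client Root Store: " + rootFile, iex);`, assuming the enclosing method's signature still permits the IOException the pre-patch code let through. Logging the non-fatal case at warn rather than debug would also make a silently ignored rootFile visible in production logs. The enclosing method starts and ends outside the hunk.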
1.2 +16 -4
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/puretls/PureTLSSupport.java
Index: PureTLSSupport.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/puretls/PureTLSSupport.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- PureTLSSupport.java 4 Oct 2002 20:03:10 -0000 1.1
+++ PureTLSSupport.java 16 Jun 2003 02:45:56 -0000 1.2
@@ -64,6 +64,7 @@
import java.net.*;
import java.util.Vector;
import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
import org.apache.tomcat.util.buf.HexUtils;
import COM.claymoresystems.sslg.*;
@@ -83,6 +84,9 @@
*/
class PureTLSSupport implements SSLSupport {
+ static org.apache.commons.logging.Log logger =
+ org.apache.commons.logging.LogFactory.getLog(PureTLSSupport.class);
+
private COM.claymoresystems.ptls.SSLSocket ssl;
PureTLSSupport(SSLSocket sock){
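Review bot: The new logger field at line 61 is package-private and non-final, so it can be reassigned or read from other classes in the package; a shared static logger should be `private static final org.apache.commons.logging.Log logger =`. The fully-qualified type also reads more clearly as an import alongside the existing import block in the previous hunk. The class body continues outside the hunk.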
@@ -130,12 +134,16 @@
CertificateFactory.getInstance("X.509");
ByteArrayInputStream stream =
new ByteArrayInputStream(buffer);
-
- chain[i]=(java.security.cert.X509Certificate)
- cf.generateCertificate(stream);
+
+ X509Certificate xCert = (X509Certificate)cf.generateCertificate(stream);
+ chain[i-1]= xCert;
+ if(logger.isTraceEnabled()) {
+ logger.trace("Cert # " + i + " = " + xCert);
+ }
}
} catch (java.security.cert.CertificateException e) {
- throw new IOException("JDK's broken cert handling can't parse this
certificate (which PureTLS likes");
+ logger.info("JDK's broken cert handling can't parse this certificate
(which PureTLS likes)",e);
+ throw new IOException("JDK's broken cert handling can't parse this
certificate (which PureTLS likes)");
}
return chain;
}
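Review bot: The `logger.info(...)` added at line 83 logs a stack trace at INFO every time a peer presents a certificate the JDK cannot parse; since the certificate chain comes from the remote client, this gives an unauthenticated peer a way to fill the server log, and it belongs at debug (`if(logger.isDebugEnabled()) logger.debug(..., e);`) like the other diagnostics in this hunk. The rethrown IOException at line 85 also drops the CertificateException as cause; on this JDK baseline `IOException ioe = new IOException("..."); ioe.initCause(e); throw ioe;` preserves it without the logging workaround. The `chain[i-1]` fix at line 75 implies `i` is 1-based, but the loop header is outside the hunk, so the bound should be checked against it.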
@@ -168,6 +176,10 @@
}
}
+
+
+
+