mturk 2005/06/02 02:52:46 Modified: jni/java/org/apache/tomcat/jni SSL.java SSLContext.java jni/native/src ssl.c sslcontext.c Log: Add functions for defining acceptable CA names. Revision Changes Path 1.8 +3 -1 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java Index: SSL.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- SSL.java 1 Jun 2005 12:50:51 -0000 1.7 +++ SSL.java 2 Jun 2005 09:52:45 -0000 1.8 @@ -160,6 +160,8 @@ * If null the default file will be tested. * The seed file is $RANDFILE if that environment variable is * set, $HOME/.rnd otherwise. + * In case both files are unavailable builtin + * random seed generator is used. */ public static native boolean randLoad(String filename); 1.10 +56 -4 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java Index: SSLContext.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- SSLContext.java 2 Jun 2005 07:44:38 -0000 1.9 +++ SSLContext.java 2 Jun 2005 09:52:46 -0000 1.10 @@ -222,7 +222,8 @@ * preference. This can be used alternatively and/or additionally to * <code>setCACertificatePath</code>. * @param ctx Server or Client context to use. - * @param file File of concatenated PEM-encoded CA Certificates for Client Auth. + * @param file File of concatenated PEM-encoded CA Certificates for + * Client Auth. */ public static native boolean setCACertificateFile(long ctx, String file); 
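Review bot: The javadoc added to randLoad says a builtin random seed generator is used when both seed files are unavailable, but it leaves out what the ssl.c comment in this same commit states about that fallback: it is a low entropy seed. A caller reading only the Java API would take the fallback as equivalent to a real seed file, which for the PRNG behind a TLS stack it is not. Suggest extending the added lines to `* In case both files are unavailable the builtin (low entropy) random seed generator is used; deployments should supply a seed file.`, and the doc should also say what the boolean return reports, which neither the existing nor the added text does.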
@@ -235,12 +236,63 @@ * <br /> * The files in this directory have to be PEM-encoded and are accessed through * hash filenames. So usually you can't just place the Certificate files there: - * you also have to create symbolic links named hash-value.N. And you should always - * make sure this directory contains the appropriate symbolic links. + * you also have to create symbolic links named hash-value.N. And you should + * always make sure this directory contains the appropriate symbolic links. * Use the Makefile which comes with mod_ssl to accomplish this task. * @param ctx Server or Client context to use. * @param path Directory of PEM-encoded CA Certificates for Client Auth. */ public static native boolean setCACertificatePath(long ctx, String path); + /** + * Set File of concatenated PEM-encoded CA Certificates for defining + * acceptable CA names + * <br /> + * When a client certificate is requested by mod_ssl, a list of acceptable + * Certificate Authority names is sent to the client in the SSL handshake. + * These CA names can be used by the client to select an appropriate client + * certificate out of those it has available. + * <br /> + * If neither of the directives <code>setCADNRequestPath</code> or + * <code>setCADNRequestFile</code> are given, then the set of acceptable + * CA names sent to the client is the names of all the CA certificates given + * by the <code>setCACertificateFile</code> and + * <code>setCACertificatePath</code> directives; in other words, the names + * of the CAs which will actually be used to verify the client certificate. + * <br /> + * In some circumstances, it is useful to be able to send a set of acceptable + * CA names which differs from the actual CAs used to verify the client + * certificate - for example, if the client certificates are signed by + * intermediate CAs. 
In such cases, CADNRequestPath and/or CADNRequestFile + * can be used; the acceptable CA names are then taken from the complete + * set of certificates in the directory and/or file specified by + * this pair of directives. + * <br /> + * setCADNRequestFile must specify an all-in-one file containing a + * concatenation of PEM-encoded CA certificates. + * @param ctx Server or Client context to use. + * @param file File of concatenated PEM-encoded CA Certificates for defining + * acceptable CA names. + */ + public static native boolean setCADNRequestFile(long ctx, String file); + + /** + * Set Directory of PEM-encoded CA Certificates for defining acceptable + * CA names + * <br /> + * This optional directive can be used to specify the set of acceptable + * CA names which will be sent to the client when a client certificate is + * requested. See the <code>setCADNRequestFile</code> directive for more details. + * <br /> + * The files in this directory have to be PEM-encoded and are accessed through + * hash filenames. So usually you can't just place the Certificate files there: + * you also have to create symbolic links named hash-value.N. And you should + * always make sure this directory contains the appropriate symbolic links. + * Use the Makefile which comes with mod_ssl to accomplish this task. + * @param ctx Server or Client context to use. + * @param path Directory of PEM-encoded CA Certificates for defining + * acceptable CA names. + */ + public static native boolean setCADNRequestPath(long ctx, String path); + } 1.18 +7 -4 jakarta-tomcat-connectors/jni/native/src/ssl.c Index: ssl.c =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- ssl.c 2 Jun 2005 07:44:39 -0000 1.17 +++ ssl.c 2 Jun 2005 09:52:46 -0000 1.18 
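Review bot: The javadoc added for setCADNRequestFile and setCADNRequestPath reads as adapted from the httpd mod_ssl documentation (it speaks of "directives", of "mod_ssl" and of "the Makefile which comes with mod_ssl"), and it promises mod_ssl behaviour such as falling back to the setCACertificateFile/Path names when neither method is called; the native side of these two methods is not visible in this diff beyond the renamed entry points in sslcontext.c, so whether that fallback holds here cannot be confirmed from the hunk. The doc should only describe what the native implementation does, and it would help to state explicitly what the text already implies: this list only steers which certificate the client presents and does not widen the set of CAs trusted to verify it, which stays with setCACertificateFile/Path. Neither new method documents its boolean return; a line such as `@return <code>true</code> if the file/directory was accepted by the native SSL context` and replacing `directives` with `methods` would make the API self-describing.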
@@ -194,7 +194,7 @@ static int ssl_rand_load_file(const char *file) { - char buffer[200]; + char buffer[APR_PATH_MAX]; int n; if (file == NULL) @@ -215,7 +215,7 @@ */ static int ssl_rand_save_file(const char *file) { - char buffer[200]; + char buffer[APR_PATH_MAX]; int n; if (file == NULL) @@ -353,7 +353,10 @@ tcn_ssl_engine = ee; } #endif - /* Initialize PRNG */ + /* Initialize PRNG + * This will in most cases call the builtin + * low entropy seed. + */ ssl_rand_seed(NULL); /* For SSL_get_app_data2() at request time */ SSL_init_app_data2_idx(); 1.16 +5 -5 jakarta-tomcat-connectors/jni/native/src/sslcontext.c Index: sslcontext.c =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- sslcontext.c 2 Jun 2005 07:44:39 -0000 1.15 +++ sslcontext.c 2 Jun 2005 09:52:46 -0000 1.16 @@ -514,8 +514,8 @@ return rv; } -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCANDRCertificateFile)(TCN_STDARGS, jlong ctx, - jstring file) +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCADNRequestFile)(TCN_STDARGS, jlong ctx, + jstring file) { tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); jboolean rv = JNI_TRUE; @@ -530,8 +530,8 @@ return rv; } -TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCANDRCertificatePath)(TCN_STDARGS, jlong ctx, - jstring path) +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCADNRequestPath)(TCN_STDARGS, jlong ctx, + jstring path) { tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); jboolean rv = JNI_TRUE;
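Review bot: Changing `buffer` from 200 to APR_PATH_MAX in ssl_rand_load_file (and identically in ssl_rand_save_file in the next hunk) only changes the capacity; the code that writes the seed-file path into it is outside the hunk, so the diff does not show whether that write is bounded by sizeof(buffer) or how a longer path is handled. If the path comes from $RANDFILE or $HOME as the Java doc describes, a bounded copy (`apr_snprintf(buffer, sizeof(buffer), ...)` or `apr_cpystrn`) plus a check of its result is what makes the larger buffer safe, not the size itself. The bodies of both functions continue outside the hunk.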
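Review bot: The reworded comment above `ssl_rand_seed(NULL);` acknowledges that initialisation will usually fall back to the builtin low entropy seed, yet the call is still a bare statement and nothing records or reports which path was taken. For a PRNG that will produce TLS keys, initialisation should at least check `RAND_status()` after seeding and log or fail when the library does not consider the PRNG seeded, so operators learn a seed file is needed instead of silently running on a weak seed, e.g. `ssl_rand_seed(NULL); if (!RAND_status()) { /* log: PRNG not sufficiently seeded, supply a seed file */ }`. The enclosing initialisation function starts and ends outside the hunk.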