mturk 2005/06/02 03:19:32 Modified: jni/java/org/apache/tomcat/jni SSLContext.java jni/native/src sslcontext.c Log: Add functions for Certificate verification level and depth for the Client Authentication. Revision Changes Path 1.11 +50 -1 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java Index: SSLContext.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- SSLContext.java 2 Jun 2005 09:52:46 -0000 1.10 +++ SSLContext.java 2 Jun 2005 10:19:32 -0000 1.11 
@@ -295,4 +295,53 @@ */ public static native boolean setCADNRequestPath(long ctx, String path); + /** + * Set Maximum depth of CA Certificates in Client Certificate verification + * <br /> + * This directive sets how deeply mod_ssl should verify before deciding that + * the clients don't have a valid certificate. Notice that this directive can + * be used both in per-server and per-directory context. In per-server context + * it applies to the client authentication process used in the standard SSL + * handshake when a connection is established. In per-directory context it forces + * a SSL renegotation with the reconfigured client verification depth after the + * HTTP request was read but before the HTTP response is sent. + * <br /> + * The depth actually is the maximum number of intermediate certificate issuers, + * i.e. the number of CA certificates which are max allowed to be followed while + * verifying the client certificate. A depth of 0 means that self-signed client + * certificates are accepted only, the default depth of 1 means the client + * certificate can be self-signed or has to be signed by a CA which is directly + * known to the server (i.e. the CA's certificate is under + * <code>setCACertificatePath</code>), etc. + * @param ctx Server or Client context to use. + * @param depth Maximum depth of CA Certificates in Client Certificate + * verification. + */ + public static native void setVerifyDepth(long ctx, int depth); + + /** + * Set Type of Client Certificate verification + * <br /> + * This directive sets the Certificate verification level for the Client + * Authentication. Notice that this directive can be used both in per-server + * and per-directory context. In per-server context it applies to the client + * authentication process used in the standard SSL handshake when a connection + * is established. 
In per-directory context it forces a SSL renegotation with + * the reconfigured client verification level after the HTTP request was read + * but before the HTTP response is sent. + * <br /> + * The following levels are available for level: + * <PRE> + * SSL_CVERIFY_NONE - No client Certificate is required at all + * SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate + * SSL_CVERIFY_REQUIRE - The client has to present a valid Certificate + * SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate + * but it need not to be (successfully) verifiable + * </PRE> + * <code>setCACertificatePath</code>), etc. + * @param ctx Server or Client context to use. + * @param level Type of Client Certificate verification. + */ + public static native boolean setVerifyClient(long ctx, int level); + } 1.17 +29 -2 jakarta-tomcat-connectors/jni/native/src/sslcontext.c Index: sslcontext.c =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- sslcontext.c 2 Jun 2005 09:52:46 -0000 1.16 +++ sslcontext.c 2 Jun 2005 10:19:32 -0000 1.17 @@ -183,7 +183,12 @@ SSL_CTX_set_tmp_rsa_callback(c->ctx, SSL_callback_tmp_RSA); SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH); - + + /* Set default Certificate verification level + * and depth for the Client Authentication + */ + c->verify_depth = 1; + c->verify_mode = SSL_CVERIFY_UNSET; /* * Let us cleanup the ssl context when the pool is destroyed */ 
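Review bot: The Javadoc of setVerifyClient ends with a stray fragment, `* <code>setCACertificatePath</code>), etc.`, carried over from the setVerifyDepth comment; it refers to nothing in its own paragraph and should be dropped. setVerifyClient also returns `boolean` with no `@return` tag while setVerifyDepth returns `void`; either document the contract (`@return <code>true</code> if the level was accepted, <code>false</code> otherwise`) or make the two signatures consistent. The `level` parameter is a plain `int` and the listed `SSL_CVERIFY_*` names are not defined in this commit, so the comment should say where they are declared (presumably constants in the SSL class — to confirm) and that values outside that set are not meaningful. The "per-directory context ... renegotiation" sentences are mod_ssl wording; whether this binding has a renegotiation path is not visible here, so that part may overstate what the native side does.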
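Review bot: The defaults assigned here (`c->verify_depth = 1;` and `c->verify_mode = SSL_CVERIFY_UNSET;`) are only recorded in the context struct; nothing in this hunk hands them to OpenSSL through SSL_CTX_set_verify/SSL_CTX_set_verify_depth, so the SSL_CTX keeps its built-in verification setting regardless of these fields. The same applies to the two setters added in the later hunk of this file. A comment such as `/* Stored only; not applied to the SSL_CTX until the verify callback is installed (see setVerifyClient) */` would keep a reader from assuming client authentication is active by default. SSL_CVERIFY_UNSET is also not among the levels documented in SSLContext.java, so the Java docs should state that the mode is unset until setVerifyClient is called. The enclosing function begins outside the hunk.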
@@ -546,6 +551,28 @@ return rv; } +TCN_IMPLEMENT_CALL(void, SSLContext, setVerifyDepth)(TCN_STDARGS, jlong ctx, + jint depth) +{ + tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); + + UNREFERENCED_STDARGS; + TCN_ASSERT(ctx != 0); + c->verify_depth = depth; +} + +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setVerifyClient)(TCN_STDARGS, jlong ctx, + jint level) +{ + tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); + + UNREFERENCED_STDARGS; + TCN_ASSERT(ctx != 0); + c->verify_mode = level; + /* TODO: Add verification code callback */ + return JNI_TRUE; +} + #else /* OpenSSL is not supported * If someday we make OpenSSL optional
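Review bot: setVerifyClient stores whatever `level` the caller passes (`c->verify_mode = level;`) and unconditionally returns JNI_TRUE, so an integer outside the SSL_CVERIFY_* set documented in SSLContext.java is silently accepted and the boolean return carries no information; likewise setVerifyDepth accepts a negative `depth`. Because of the `/* TODO: Add verification code callback */`, neither value reaches SSL_CTX_set_verify yet, so a caller that sees "true" could conclude that client-certificate verification is enforced when it is not. Validate the level against the four documented constants and return JNI_FALSE otherwise, and have setVerifyDepth reject a negative depth (`if (depth < 0) return;` is the minimal form, though a status return would be better). Until the callback lands, the true return should be documented as "accepted", not "applied".
```c
TCN_IMPLEMENT_CALL(jboolean, SSLContext, setVerifyClient)(TCN_STDARGS, jlong ctx,
                                                          jint level)
{
    /* … unchanged: J2P lookup, UNREFERENCED_STDARGS, TCN_ASSERT … */
    /* Only the four documented levels are meaningful; refuse anything else
     * so that an unknown value is never recorded as the verification mode.
     */
    switch (level) {
    case SSL_CVERIFY_NONE:
    case SSL_CVERIFY_OPTIONAL:
    case SSL_CVERIFY_REQUIRE:
    case SSL_CVERIFY_OPTIONAL_NO_CA:
        c->verify_mode = level;
        break;
    default:
        return JNI_FALSE;
    }
    /* TODO: Add verification code callback */
    return JNI_TRUE;
}
```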