From: markt
Date: Tue, 8 Mar 2011 15:19:19 +0000 (+0000)
Subject: Align SSL init for BIO and NIO.
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=c9c965de068070db793fb357d4b33c8af3a316ae;p=tomcat7.0
Align SSL init for BIO and NIO. Fixes https://issues.apache.org/bugzilla/show_bug.cgi?id=48208 for NIO. Adds support for keyPass, truststoreProvider & keystoreProvider
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1079387 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index d60f04b80..0d751e75f 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -31,7 +31,6 @@ import java.nio.channels.Selector;
 import java.nio.channels.ServerSocketChannel;
 import java.nio.channels.SocketChannel;
 import java.nio.channels.WritableByteChannel;
-import java.security.KeyStore;
 import java.util.Iterator;
 import java.util.Set;
 import java.util.concurrent.ConcurrentLinkedQueue;
@@ -42,11 +41,9 @@ import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicLong;
 import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLSessionContext;
-import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509KeyManager;
 import org.apache.juli.logging.Log;
@@ -55,7 +52,6 @@ import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.IntrospectionUtils;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.SecureNioChannel.ApplicationBufferHandler;
-import org.apache.tomcat.util.net.jsse.JSSESocketFactory;
 import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
 /**
@@ -94,8 +90,6 @@ public class NioEndpoint extends AbstractEndpoint {
 */
 protected ServerSocketChannel serverSock = null;
- protected SSLUtil sslUtil = null;
-
 /**
 * use send file
 */
@@ -479,68 +473,16 @@ public class NioEndpoint extends AbstractEndpoint {
 // Initialize SSL if needed
 if (isSSLEnabled()) {
- if (sslUtil == null) {
- sslUtil = handler.getSslImplementation().getSSLUtil(this);
- }
- // Initialize SSL
- String keystorePass = getKeystorePass();
- if (keystorePass == null) {
- keystorePass = JSSESocketFactory.DEFAULT_KEY_PASS;
- }
- char[] passphrase = keystorePass.toCharArray();
+ SSLUtil sslUtil = handler.getSslImplementation().getSSLUtil(this);
- char[] tpassphrase = (getTruststorePass()!=null)?getTruststorePass().toCharArray():passphrase;
- String ttype = (getTruststoreType()!=null)?getTruststoreType():getKeystoreType();
-
- KeyStore ks = KeyStore.getInstance(getKeystoreType());
- FileInputStream fisKeyStore = null;
- try {
- fisKeyStore = new FileInputStream(getKeystoreFile());
- ks.load(fisKeyStore, passphrase);
- } finally {
- if (fisKeyStore != null) {
- try {
- fisKeyStore.close();
- } catch (IOException ioe) {/*Ignore*/}
- }
- }
- KeyStore ts = null;
- if (getTruststoreFile()==null) {
- //no op, same as for BIO connector
- }else {
- ts = KeyStore.getInstance(ttype);
- FileInputStream fisTrustStore = null;
- try {
- fisTrustStore = new FileInputStream(getTruststoreFile());
- ts.load(fisTrustStore, tpassphrase);
- } finally {
- if (fisTrustStore != null) {
- try {
- fisTrustStore.close();
- } catch (IOException ioe) {/*Ignore*/}
- }
- }
- }
+ sslContext = sslUtil.createSSLContext();
+ sslContext.init(wrap(sslUtil.getKeyManagers()),
+ sslUtil.getTrustManagers(), null);
- KeyManagerFactory kmf = KeyManagerFactory.getInstance(getAlgorithm());
- kmf.init(ks, passphrase);
-
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(getAlgorithm());
- tmf.init(ts);
-
- sslContext = SSLContext.getInstance(getSslProtocol());
- sslContext.init(wrap(kmf.getKeyManagers()), tmf.getTrustManagers(), null);
 SSLSessionContext sessionContext = sslContext.getServerSessionContext();
 if (sessionContext != null) {
- if (getSessionCacheSize() != null) {
- sessionContext.setSessionCacheSize(
- Integer.parseInt(getSessionCacheSize()));
- }
- if (getSessionTimeout() != null) {
- sessionContext.setSessionTimeout(
- Integer.parseInt(getSessionTimeout()));
- }
+ sslUtil.configureSessionContext(sessionContext);
 }
 }
diff --git a/java/org/apache/tomcat/util/net/SSLUtil.java b/java/org/apache/tomcat/util/net/SSLUtil.java
index 04f551b69..01fca48f1 100644
--- a/java/org/apache/tomcat/util/net/SSLUtil.java
+++ b/java/org/apache/tomcat/util/net/SSLUtil.java
@@ -16,6 +16,18 @@
 */
 package org.apache.tomcat.util.net;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSessionContext;
+import javax.net.ssl.TrustManager;
+
 public interface SSLUtil {
+ public SSLContext createSSLContext() throws Exception;
+
+ public KeyManager[] getKeyManagers() throws Exception;
+
+ public TrustManager[] getTrustManagers() throws Exception;
+
+ public void configureSessionContext(SSLSessionContext sslSessionContext);
 }
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
index 6c3c945db..250281a12 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
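Review bot: The new `sslContext.init(wrap(sslUtil.getKeyManagers()), sslUtil.getTrustManagers(), null);` line delegates the missing-truststore case to the SSLUtil implementation, whereas the removed code made that case explicit — with `getTruststoreFile()==null` it left `ts` null and called `tmf.init(null)`, which under the JSSE contract means the provider's default trust store. What `getTrustManagers()` does when no truststore is configured is not visible in this hunk, and since the stated aim is aligning BIO and NIO, that is the one behaviour a reader most needs to check. I would put a one-line comment above the `init` call naming the fallback, e.g. `// No truststoreFile configured: trust managers come from the SSLUtil implementation's default trust store`, once the implementation's behaviour has been confirmed. The enclosing method begins before this hunk.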
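Review bot: The four methods added to `SSLUtil` have no Javadoc, and the contract that matters most cannot be read from the signatures: `createSSLContext()` hands back an SSLContext that is not yet initialised — both callers in this commit immediately call `init(keyManagers, trustManagers, null)` on it — so an implementation that initialises the context itself would have it initialised twice, with the caller's key and trust material winning. I would state that on the method: `/** Creates an SSLContext for the configured protocol. The returned context is NOT initialised; the caller must call init() with the key and trust managers. */`. The bare `throws Exception` on three of the four methods mirrors the existing JSSE implementation and is tolerable for an SPI, but a `@throws Exception if the keystore or truststore cannot be loaded` line on `getKeyManagers()` and `getTrustManagers()` would make the failure mode explicit for other implementers.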
@@ -444,58 +444,14 @@ public class JSSESocketFactory implements ServerSocketFactory, SSLUtil {
 wantClientAuth = true;
 }
- // SSL protocol variant (e.g., TLS, SSL v3, etc.)
- String protocol = endpoint.getSslProtocol();
- if (protocol == null) {
- protocol = defaultProtocol;
- }
-
- // Certificate encoding algorithm (e.g., SunX509)
- String algorithm = endpoint.getAlgorithm();
- if (algorithm == null) {
- algorithm = KeyManagerFactory.getDefaultAlgorithm();
- }
-
- String keystoreType = endpoint.getKeystoreType();
- if (keystoreType == null) {
- keystoreType = defaultKeystoreType;
- }
-
- String keystoreProvider = endpoint.getKeystoreProvider();
-
- String trustAlgorithm = endpoint.getTruststoreAlgorithm();
- if( trustAlgorithm == null ) {
- trustAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
- }
-
- // Create and init SSLContext
- SSLContext context = SSLContext.getInstance(protocol);
- context.init(getKeyManagers(keystoreType, keystoreProvider,
- algorithm,
- endpoint.getKeyAlias()),
- getTrustManagers(keystoreType, keystoreProvider,
- trustAlgorithm),
- new SecureRandom());
+ SSLContext context = createSSLContext();
+ context.init(getKeyManagers(), getTrustManagers(), null);
 // Configure SSL session cache
- int sessionCacheSize;
- if (endpoint.getSessionCacheSize() != null) {
- sessionCacheSize = Integer.parseInt(
- endpoint.getSessionCacheSize());
- } else {
- sessionCacheSize = defaultSessionCacheSize;
- }
- int sessionTimeout;
- if (endpoint.getSessionTimeout() != null) {
- sessionTimeout = Integer.parseInt(endpoint.getSessionTimeout());
- } else {
- sessionTimeout = defaultSessionTimeout;
- }
 SSLSessionContext sessionContext = context.getServerSessionContext();
 if (sessionContext != null) {
- sessionContext.setSessionCacheSize(sessionCacheSize);
- sessionContext.setSessionTimeout(sessionTimeout);
+ configureSessionContext(sessionContext);
 }
 // create proxy
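Review bot: The new `context.init(getKeyManagers(), getTrustManagers(), null);` line swaps the explicit `new SecureRandom()` for `null` and drops the `// Create and init SSLContext` comment that introduced it. Passing null is legitimate — the JSSE contract lets the provider pick its own SecureRandom, and it matches what the NIO path passes — but this is the only place in the BIO path where the handshake RNG is chosen, so the choice deserves a sentence rather than a bare null: `// null: let the JSSE provider select its SecureRandom (same as the NIO endpoint)`. Note also that the removed lines selected the trust-manager algorithm from `endpoint.getTruststoreAlgorithm()` with a `TrustManagerFactory.getDefaultAlgorithm()` fallback; whether the new no-arg `getTrustManagers()` preserves that is decided in the next hunk, not here. The enclosing `init` method begins before this hunk and continues after it.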
@@ -519,6 +475,73 @@ public class JSSESocketFactory implements ServerSocketFactory, SSLUtil {
 }
 }
+ @Override
+ public SSLContext createSSLContext() throws Exception {
+
+ // SSL protocol variant (e.g., TLS, SSL v3, etc.)
+ String protocol = endpoint.getSslProtocol();
+ if (protocol == null) {
+ protocol = defaultProtocol;
+ }
+
+ SSLContext context = SSLContext.getInstance(protocol);
+
+ return context;
+ }
+
+ @Override
+ public KeyManager[] getKeyManagers() throws Exception {
+ String keystoreType = endpoint.getKeystoreType();
+ if (keystoreType == null) {
+ keystoreType = defaultKeystoreType;
+ }
+
+ String algorithm = endpoint.getAlgorithm();
+ if (algorithm == null) {
+ algorithm = KeyManagerFactory.getDefaultAlgorithm();
+ }
+
+ return getKeyManagers(keystoreType, endpoint.getKeystoreProvider(),
+ algorithm, endpoint.getKeyAlias());
+ }
+
+ @Override
+ public TrustManager[] getTrustManagers() throws Exception {
+ String keystoreType = endpoint.getKeystoreType();
+ if (keystoreType == null) {
+ keystoreType = defaultKeystoreType;
+ }
+
+ String algorithm = endpoint.getAlgorithm();
+ if (algorithm == null) {
+ algorithm = KeyManagerFactory.getDefaultAlgorithm();
+ }
+
+ return getTrustManagers(keystoreType, endpoint.getKeystoreProvider(),
+ algorithm);
+ }
+
+ @Override
+ public void configureSessionContext(SSLSessionContext sslSessionContext) {
+ int sessionCacheSize;
+ if (endpoint.getSessionCacheSize() != null) {
+ sessionCacheSize = Integer.parseInt(
+ endpoint.getSessionCacheSize());
+ } else {
+ sessionCacheSize = defaultSessionCacheSize;
+ }
+
+ int sessionTimeout;
+ if (endpoint.getSessionTimeout() != null) {
+ sessionTimeout = Integer.parseInt(endpoint.getSessionTimeout());
+ } else {
+ sessionTimeout = defaultSessionTimeout;
+ }
+
+ sslSessionContext.setSessionCacheSize(sessionCacheSize);
+ sslSessionContext.setSessionTimeout(sessionTimeout);
+ }
+
 /**
 * Gets the initialized key managers.
 */
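Review bot: The new `getTrustManagers()` picks the trust-manager algorithm with `endpoint.getAlgorithm()` and falls back to `KeyManagerFactory.getDefaultAlgorithm()`, but the BIO code it replaces (removed in the previous hunk) used `endpoint.getTruststoreAlgorithm()` with `TrustManagerFactory.getDefaultAlgorithm()`; as written, a configured `truststoreAlgorithm` attribute is silently ignored and, with neither attribute set, the trust managers are built from the key-manager default rather than the trust-manager default. On the JDK's default provider those two defaults differ (SunX509 versus PKIX), and the PKIX trust manager is the one that supports certificate path validation options such as revocation checking, so this is a security-relevant behaviour change for client-certificate authentication that the commit message does not mention — the earlier NIO hunk shows NIO already used `getAlgorithm()` for its TrustManagerFactory, so the commit aligns BIO down to NIO's behaviour rather than the reverse. The fix is two lines in this method: `String algorithm = endpoint.getTruststoreAlgorithm();` and, in the null branch, `algorithm = TrustManagerFactory.getDefaultAlgorithm();`. A one-line Javadoc on each new method would also help, since the interface they implement has none, e.g. `/** Trust managers for the configured truststore (type and provider default to the keystore's). */` above `getTrustManagers()`.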