From 86042b64658511619844153ccb1e0a4a26f6b45d Mon Sep 17 00:00:00 2001 From: fhanik Date: Tue, 1 Mar 2011 20:04:26 +0000 Subject: [PATCH] Implement renegotiation for SSL cert authentication git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1076008 13f79535-47bb-0310-9956-ffa450edef68 --- java/org/apache/coyote/http11/Http11NioProcessor.java | 17 +++++++++++++++++ test/org/apache/tomcat/util/net/TestClientCert.java | 3 --- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/java/org/apache/coyote/http11/Http11NioProcessor.java b/java/org/apache/coyote/http11/Http11NioProcessor.java index daef7e7e2..6f6145c0c 100644 --- a/java/org/apache/coyote/http11/Http11NioProcessor.java +++ b/java/org/apache/coyote/http11/Http11NioProcessor.java @@ -23,6 +23,8 @@ import java.nio.channels.SelectionKey; import java.util.Locale; import java.util.concurrent.Executor; +import javax.net.ssl.SSLEngine; + import org.apache.coyote.ActionCode; import org.apache.coyote.Request; import org.apache.coyote.RequestInfo; @@ -42,7 +44,9 @@ import org.apache.tomcat.util.net.NioChannel; import org.apache.tomcat.util.net.NioEndpoint; import org.apache.tomcat.util.net.NioEndpoint.KeyAttachment; import org.apache.tomcat.util.net.SSLSupport; +import org.apache.tomcat.util.net.SecureNioChannel; import org.apache.tomcat.util.net.SocketStatus; +import org.apache.tomcat.util.net.jsse.JSSEFactory; /** 
@@ -625,6 +629,19 @@ public class Http11NioProcessor extends AbstractHttp11Processor { .setLimit(maxSavePostSize); inputBuffer.addActiveFilter (inputFilters[Constants.BUFFERED_FILTER]); + SecureNioChannel sslChannel = (SecureNioChannel) socket; + SSLEngine engine = sslChannel.getSslEngine(); + if (!engine.getNeedClientAuth()) { + // Need to re-negotiate SSL connection + engine.setNeedClientAuth(true); + try { + sslChannel.rehandshake(endpoint.getSoTimeout()); + sslSupport = (new JSSEFactory()).getSSLSupport(engine.getSession()); + } catch (IOException ioe) { + log.warn(sm.getString("http11processor.socket.sslreneg",ioe)); + } + } + try { Object sslO = sslSupport.getPeerCertificateChain(true); if( sslO != null) { diff --git a/test/org/apache/tomcat/util/net/TestClientCert.java b/test/org/apache/tomcat/util/net/TestClientCert.java index 2835babaf..9fb465a7a 100644 --- a/test/org/apache/tomcat/util/net/TestClientCert.java +++ b/test/org/apache/tomcat/util/net/TestClientCert.java @@ -103,9 +103,6 @@ public class TestClientCert extends TomcatBaseTest { Tomcat tomcat = getTomcatInstance(); String protocol = tomcat.getConnector().getProtocolHandlerClassName(); - if (protocol.indexOf("Nio") != -1) { - return; // Not supported yet (2011-03-01) - } if (protocol.indexOf("Apr") != -1) { return; // Disabled by default in 1.1.20 windows binary (2010-07-27) } -- 2.11.0
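Review bot: When `rehandshake` throws, the catch block logs `sm.getString("http11processor.socket.sslreneg",ioe)`, so the exception is consumed as a message-format argument and its stack trace is lost, and execution then falls through to `sslSupport.getPeerCertificateChain(true)` using the pre-renegotiation `sslSupport` even though `engine.setNeedClientAuth(true)` has already been applied. Prefer `log.warn(sm.getString("http11processor.socket.sslreneg"), ioe);` so the failure cause is recorded, and consider returning before the certificate lookup on failure so a request whose renegotiation did not complete is not evaluated against the old session. The unconditional `(SecureNioChannel) socket` cast assumes this action only runs on a TLS connection; unless the code above the hunk already guards on `sslSupport != null`, a non-TLS connector would reach a `ClassCastException` here. `new JSSEFactory()` also hard-wires this processor to the JSSE implementation irrespective of any SSL implementation configured on the endpoint, which is probably acceptable for the NIO connector but deserves a one-line comment. The enclosing action-handling method starts and ends outside the hunk.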