From mt...@apache.org
Subject svn commit: r1170745 - in /commons/sandbox/runtime/trunk/src/main: java/org/apache/commons/runtime/ssl/ native/include/acr/ native/modules/openssl/
Date Wed, 14 Sep 2011 17:57:46 GMT
Author: mturk
Date: Wed Sep 14 17:57:45 2011
New Revision: 1170745

URL: http://svn.apache.org/viewvc?rev=1170745&view=rev
Log:
Add initial ssl verify api

Added:
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLVerifyClient.java
  (with props)
Modified:
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
    commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
    commons/sandbox/runtime/trunk/src/main/native/include/acr/stddefs.h
    commons/sandbox/runtime/trunk/src/main/native/include/acr/stdtypes.h
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c

Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java?rev=1170745&r1=1170744&r2=1170745&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
(original)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
Wed Sep 14 17:57:45 2011
@@ -17,6 +17,7 @@
 package org.apache.commons.runtime.ssl;
 
 import org.apache.commons.runtime.InvalidArgumentException;
+import org.apache.commons.runtime.OperationNotImplementedException;
 import org.apache.commons.runtime.Status;
 import org.apache.commons.runtime.SystemException;
 
@@ -26,6 +27,9 @@ import java.nio.ByteBuffer;
 /**
  * Contains the context structure for global default values for
  * multiple SSL connections and certificate verification information.
+ * <p>
+ * Each virtual host should have an unique context.
+ * </p>
  */
 public final class SSLContext extends NativePointer
 {
@@ -33,7 +37,9 @@ public final class SSLContext extends Na
     // Hide NativePointer
     private final long  pointer = 0L;
 
-    private static native long         new0(int protocol, int mode);
+    private static native long         new0(int protocol, int mode)
+        throws OperationNotImplementedException;
+    private static native void         setid0(long pointer, String id);
 
     private SSLContext()
     {
@@ -44,9 +50,20 @@ public final class SSLContext extends Na
      * Creates a new object instance.
      */
     public SSLContext(SSLProtocolMethod method, SSLProtocolMode mode)
+        throws OperationNotImplementedException
     {
         super.pointer = new0(method.valueOf(), mode.valueOf());
     }
 
+    /**
+     * Set session id context.
+     */
+    public void setSessionIdContext(String id)
+    {
+        if (id == null)
+            throw new NullPointerException();
+        setid0(super.pointer, id);
+    }
+
 }
 
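Review bot: The Javadoc on the new `setSessionIdContext` says only "Set session id context."; the native `setid0` it calls (see this commit's ctx.c hunk at -218) runs the string through MD5 before storing it, so callers should be told the value is digested rather than used verbatim, together with `@param id the session id context, must not be {@code null}` and `@throws NullPointerException if {@code id} is {@code null}`. The bare `throw new NullPointerException();` would be easier to diagnose as `throw new NullPointerException("id");`. `new0` and the constructor now declare `OperationNotImplementedException`, but `setid0` has no matching documentation of what happens when the context was never created; a sentence on that in the class Javadoc would help.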

Added: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLVerifyClient.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLVerifyClient.java?rev=1170745&view=auto
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLVerifyClient.java
(added)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLVerifyClient.java
Wed Sep 14 17:57:45 2011
@@ -0,0 +1,62 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.runtime.ssl;
+
+/**
+ * Represents the SSL client verification mode.
+ */
+public enum SSLVerifyClient
+{
+
+    /**
+     * No verification.
+     */
+    NONE(            0),
+    /**
+     * Optional.
+     */
+    OPTIONAL(        1),
+    /**
+     * Optional.
+     */
+    OPTIONAL_NO_CA(  2),
+    /**
+     * Require client verification.
+     */
+    REQUIRE(         3);
+
+    private int value;
+    private SSLVerifyClient(int v)
+    {
+        value = v;
+    }
+
+    public int valueOf()
+    {
+        return value;
+    }
+
+    public static SSLVerifyClient valueOf(int value)
+    {
+        for (SSLVerifyClient e : values()) {
+            if (e.value == value)
+                return e;
+        }
+        return NONE;
+    }
+
+}
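Review bot: `valueOf(int)` maps every unrecognised code to `NONE`, so a stray or out-of-range value (for example the native `SSL_CVERIFY_UNSET` of -1 declared in ssl.h) silently selects no client verification; a fail-closed choice is `throw new IllegalArgumentException("Unknown SSLVerifyClient value: " + value);` in place of `return NONE;`. The `value` field is never reassigned and should be `private final int value;`. The Javadoc on `OPTIONAL_NO_CA` repeats the text of `OPTIONAL`; it should say how the two differ (the name suggests the CA check is relaxed) rather than "Optional." twice. The instance method `valueOf()` overloads the enum's built-in static `valueOf(String)`, which reads confusingly; a name such as `value()` would be clearer if the API is still open to change.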

Propchange: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLVerifyClient.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h?rev=1170745&r1=1170744&r2=1170745&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h Wed Sep 14 17:57:45 2011
@@ -168,14 +168,14 @@
 #define SSL_BIO_FLAG_RDONLY     1
 #define SSL_BIO_FLAG_CALLBACK   2
 #define SSL_DEFAULT_CACHE_SIZE  256
-#define SSL_DEFAULT_VHOST_NAME  "unknown:443"
+#define SSL_DEFAULT_VHOST_NAME  "_default_:443"
 #define SSL_MAX_STR_LEN         2048
 
 #define SSL_CVERIFY_UNSET          (-1)
 #define SSL_CVERIFY_NONE            0
 #define SSL_CVERIFY_OPTIONAL        1
-#define SSL_CVERIFY_REQUIRE         2
-#define SSL_CVERIFY_OPTIONAL_NO_CA  3
+#define SSL_CVERIFY_OPTIONAL_NO_CA  2
+#define SSL_CVERIFY_REQUIRE         3
 #define SSL_VERIFY_PEER_STRICT      (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
 
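Review bot: The `SSL_CVERIFY_*` values are reordered so they line up with the Java `SSLVerifyClient` enum added in this commit (NONE 0, OPTIONAL 1, OPTIONAL_NO_CA 2, REQUIRE 3), but nothing records that coupling. A comment above the group, `/* Values must match org.apache.commons.runtime.ssl.SSLVerifyClient */`, would prevent a future renumbering on one side only, since a mismatch would silently change the verification level the JNI layer applies.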
 #define SSL_SHUTDOWN_TYPE_UNSET     0
@@ -235,6 +235,12 @@
 
 #define SSL_INFO_CLIENT_CERT_CHAIN          0x0400
 
+
+#define SSL_ENABLED_UNSET                   UNSET
+#define SSL_ENABLED_FALSE                   0
+#define SSL_ENABLED_TRUE                    1
+#define SSL_ENABLED_OPTIONAL                3
+
 #define SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) \
    ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
     || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
@@ -293,19 +299,19 @@ typedef struct acr_ssl_ctxt_t {
     int              verify_mode;
 #ifdef HAVE_OCSP_STAPLING
     /** OCSP stapling options */
-    int              stapling_enabled;
+    BOOL             stapling_enabled;
     long             stapling_resptime_skew;
     long             stapling_resp_maxage;
     int              stapling_cache_timeout;
-    int              stapling_return_errors;
-    int              stapling_fake_trylater;
+    BOOL             stapling_return_errors;
+    BOOL             stapling_fake_trylater;
     int              stapling_errcache_timeout;
     acr_time_t       stapling_responder_timeout;
     char            *stapling_force_url;
 #endif
 
-    int              ocsp_enabled;       /* true if OCSP verification enabled */
-    int              ocsp_force_default; /* true if the default responder URL is
+    BOOL             ocsp_enabled;       /* true if OCSP verification enabled */
+    BOOL             ocsp_force_default; /* true if the default responder URL is
                                           * used regardless of per-cert URL
                                           */
     char            *ocsp_responder;     /* default responder URL */

Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/stddefs.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/stddefs.h?rev=1170745&r1=1170744&r2=1170745&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/stddefs.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/stddefs.h Wed Sep 14 17:57:45
2011
@@ -314,4 +314,14 @@
 #define UNUSED_SOURCE_FILE(F)   \
 const char __provided_##F [] = "Using system provided " #F "()"
 
+#if !defined(FALSE)
+# define FALSE          (0)
+#endif
+#if !defined(TRUE)
+# define TRUE           (!FALSE)
+#endif
+#if !defined(UNSET)
+# define UNSET          (-1)
+#endif
+
 #endif /* _ACR_STDDEFS_H_ */

Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/stdtypes.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/stdtypes.h?rev=1170745&r1=1170744&r2=1170745&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/stdtypes.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/stdtypes.h Wed Sep 14 17:57:45
2011
@@ -173,4 +173,26 @@ typedef struct acr_buf_t {
     acr_size_t  use;
 } acr_buf_t;
 
+/**
+ * Provide reasonable defines for some types
+ */
+#if !defined(BOOL)
+# define BOOL           int
+#endif
+#if !defined(UCHAR)
+# define UCHAR          unsigned char
+#endif
+#if !defined(UINT)
+# define UINT           unsigned int
+#endif
+#if !defined(ULONG)
+# define ULONG          unsigned long
+#endif
+#if !defined(LPSTR)
+# define LPSTR          char*
+#endif
+#if !defined(LPCSTR)
+# define LPCSTR         const char*
+#endif
+
 #endif /* _ACR_STDTYPES_H_ */
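Review bot: `LPSTR` and `LPCSTR` are defined as macros expanding to `char*`, so a declaration such as `LPSTR a, b;` makes only `a` a pointer; typedefs (`typedef char *LPSTR;`, `typedef const char *LPCSTR;`) do not have that problem. The `#if !defined(...)` guards only detect macros: on a platform whose system headers declare these names as typedefs (the Windows SDK does, if I recall correctly) the guard does not fire, and if this header is included before those system headers the later `typedef int BOOL;` becomes a redefinition error. Since the same names are documented as "reasonable defines", a short comment stating which platforms they are expected to coexist with would make the intent checkable.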

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c?rev=1170745&r1=1170744&r2=1170745&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c Wed Sep 14 17:57:45
2011
@@ -157,6 +157,9 @@ struct SSLAPIst {
     void                (*fpSSL_CTX_free)(SSL_CTX *);
     void                (*fpSSL_CTX_set_tmp_rsa_callback)(SSL_CTX *, RSA *(*)(SSL *, int,
int));
     void                (*fpSSL_CTX_set_tmp_dh_callback)(SSL_CTX *, DH *(*)(SSL *, int, int));
+    X509_STORE*         (*fpSSL_CTX_get_cert_store)(const SSL_CTX *);
+    int                 (*fpSSL_CTX_set_default_verify_paths)(SSL_CTX *);
+    void                (*fpSSL_CTX_set_verify)(SSL_CTX *, int, int (*)(int, X509_STORE_CTX
*));
 
     /*** SSL      ***/
     void*               (*fpSSL_get_ex_data)(const SSL *, int);
@@ -193,11 +196,12 @@ struct SSLAPIst {
     /*** X509     ***/
     void                (*fpX509_free)(X509 *);
     void                (*fpX509_STORE_free)(X509_STORE *);
-    void                (*fpNULL)(void);
+    int                 (*fpX509_STORE_set_flags)(X509_STORE *, unsigned long);
 
     /*** _STACK   ***/
     void                (*fpsk_pop_free)(SSLAPI_STACK *, void (*)(void *));
 
+    void                (*fpNULL)(void);    
 };
 
 struct SSLOPTst {
@@ -289,7 +293,9 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
     LIBSSL_FPLOAD(SSL_CTX_set_default_passwd_cb_userdata);
     LIBSSL_FPLOAD(SSL_CTX_set_tmp_dh_callback);
     LIBSSL_FPLOAD(SSL_CTX_set_tmp_rsa_callback);
-
+    LIBSSL_FPLOAD(SSL_CTX_get_cert_store);
+    LIBSSL_FPLOAD(SSL_CTX_set_default_verify_paths);
+    LIBSSL_FPLOAD(SSL_CTX_set_verify);
 
     /*** BIO      ***/
     CRYPTO_FPLOAD(BIO_ctrl);
@@ -358,6 +364,8 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
 
     /*** X509     ***/
     CRYPTO_FPLOAD(X509_free);
+    CRYPTO_FPLOAD(X509_STORE_free);
+    CRYPTO_FPLOAD(X509_STORE_set_flags);
 
     /*** _STACK   ***/
     CRYPTO_FPLOAD(sk_pop_free);
@@ -755,6 +763,22 @@ void SSL_CTX_set_tmp_dh_callback(SSL_CTX
     SSLAPI_CALL(SSL_CTX_set_tmp_dh_callback)(ctx, cb);
 }
 
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
+{
+    return SSLAPI_CALL(SSL_CTX_get_cert_store)(ctx);
+}
+
+int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
+{
+    return SSLAPI_CALL(SSL_CTX_set_default_verify_paths)(ctx);
+}
+
+void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
+                        int (*callback)(int, X509_STORE_CTX *))
+{
+    SSLAPI_CALL(SSL_CTX_set_verify)(ctx, mode, callback);
+}
+
 void *SSL_get_ex_data(const SSL *ssl, int idx)
 {
     return SSLAPI_CALL(SSL_get_ex_data)(ssl, idx);
@@ -848,6 +872,11 @@ void X509_STORE_free(X509_STORE *v)
     SSLAPI_CALL(X509_STORE_free)(v);
 }
 
+int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
+{
+    return SSLAPI_CALL(X509_STORE_set_flags)(ctx, flags);
+}
+
 void sk_pop_free(SSLAPI_STACK *st, void (*func)(void *))
 {
     SSLAPI_CALL(sk_pop_free)(st, func);

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c?rev=1170745&r1=1170744&r2=1170745&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Wed Sep 14 17:57:45
2011
@@ -134,7 +134,7 @@ ACR_SSL_EXPORT(jlong, SSLContext, new0)(
     }
     if (m == 0 || (c->ctx == SSL_CTX_new(m)) == 0) {
         AcrFree(c);
-        ACR_THROW(ACR_EX_EINVAL, 0);
+        ACR_THROW(ACR_EX_ENOTIMPL, 0);
         return 0;
     }
     if ((c->bio_os = BIO_new(BIO_s_file())) != 0)
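Review bot: The condition on the line above the changed `ACR_THROW`, `(c->ctx == SSL_CTX_new(m)) == 0`, compares instead of assigns: unless `c->ctx` is set elsewhere (not visible here), the freshly created `SSL_CTX` is leaked and the branch throws whenever `c->ctx` did not already hold that pointer; the intended line is presumably `if (m == 0 || (c->ctx = SSL_CTX_new(m)) == 0) {`. Separately, `ACR_EX_ENOTIMPL` now covers both an unsupported method (`m == 0`) and a failed `SSL_CTX_new`, which is an allocation or library failure rather than a missing feature; splitting the two cases would keep the Java-side `OperationNotImplementedException` meaningful. The enclosing `new0` begins and ends outside the hunk.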
@@ -144,7 +144,7 @@ ACR_SSL_EXPORT(jlong, SSLContext, new0)(
     /* Set default Certificate verification level
      * and depth for the Client Authentication
      */
-    c->verify_depth  = 1;
+    c->verify_depth  = UNSET;
     c->verify_mode   = SSL_CVERIFY_UNSET;
     c->shutdown_type = SSL_SHUTDOWN_TYPE_UNSET;
 
@@ -200,13 +200,13 @@ ACR_SSL_EXPORT(void, SSLContext, free0)(
         if (c->keys[i] != 0)
             EVP_PKEY_free(c->keys[i]);
     }
+    ssl_bio_close(c->bio_is);
+    ssl_bio_close(c->bio_os);
 #ifdef HAVE_OCSP_STAPLING
     AcrFree(c->stapling_force_url);
 #endif    
     AcrFree(c->ocsp_responder);
     AcrFree(c->rand_file);
-    ssl_bio_close(c->bio_is);
-    ssl_bio_close(c->bio_os);
     AcrFree(c);
 }
 
@@ -218,3 +218,34 @@ ACR_SSL_EXPORT(void, SSLContext, setid0)
         MD5((const unsigned char *)J2S(id), strlen(J2S(id)), c->context_id);
     } DONE_WITH_STR(id);
 }
+
+ACR_SSL_EXPORT(void, SSLContext, setverify0)(JNI_STDARGS, jlong ctx,
+                                             jint mode, jint depth)
+{
+    int verify = SSL_VERIFY_NONE;
+    acr_ssl_ctxt_t *c = J2P(ctx, acr_ssl_ctxt_t *);
+
+    if (depth > 0)
+        c->verify_depth = depth;
+    if (c->verify_depth == UNSET)
+        c->verify_depth = 1;
+    c->verify_mode = mode;
+    /*
+     *  Configure callbacks for SSL context
+     */
+    if (c->verify_mode == SSL_CVERIFY_REQUIRE)
+        verify |= SSL_VERIFY_PEER_STRICT;
+    if ((c->verify_mode == SSL_CVERIFY_OPTIONAL) ||
+        (c->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
+        verify |= SSL_VERIFY_PEER;
+    if (c->store == 0) {
+        if (SSL_CTX_set_default_verify_paths(c->ctx)) {
+            c->store = SSL_CTX_get_cert_store(c->ctx);
+            X509_STORE_set_flags(c->store, 0);
+        }
+        else {
+            /* XXX: See if this is fatal */
+        }
+    }
+    SSL_CTX_set_verify(c->ctx, verify, 0 /* ssl_callback_ssl_verify */);
+}
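Review bot: `setverify0` stores `c->verify_depth` but never hands it to OpenSSL; within this hunk only `SSL_CTX_set_verify` is called, so the depth has no effect unless it is applied elsewhere at connection time, which the hunk does not show — `SSL_CTX_set_verify_depth(c->ctx, c->verify_depth);` after the `SSL_CTX_set_verify` call would close that gap (it would need a wrapper in api.c like the ones this commit adds). With the callback argument left at 0 (`/* ssl_callback_ssl_verify */`), `SSL_CVERIFY_OPTIONAL_NO_CA` configures exactly the same `SSL_VERIFY_PEER` as `SSL_CVERIFY_OPTIONAL`, so until the callback is wired in the two modes are indistinguishable and the `SSL_VERIFY_ERROR_IS_OPTIONAL` macro from ssl.h is not consulted. The empty `else { /* XXX: See if this is fatal */ }` swallows a failed `SSL_CTX_set_default_verify_paths`; when the mode is anything but `SSL_CVERIFY_NONE` a context left without a trust store should at least be reported, and `X509_STORE_set_flags(c->store, 0)` ORs in no flags and is a no-op as written. Note also that SSLContext.java in this commit declares `setid0` but no `setverify0` native, so this export is not yet reachable from Java.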

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c?rev=1170745&r1=1170744&r2=1170745&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/init.c Wed Sep 14 17:57:45
2011
@@ -70,6 +70,12 @@ struct CRYPTO_dynlock_value {
 
 static int ssl_tmp_key_init_rsa(int bits, int idx)
 {
+#ifdef HAVE_FIPS
+    if (FIPS_mode() && bits < 1024) {
+        acr_ssl_temp_keys[idx] = 0;
+        return 1;
+    }
+#endif
     if ((acr_ssl_temp_keys[idx] = RSA_generate_key(bits, RSA_F4, 0, 0)) == 0)
         return 1;
     else
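Review bot: In FIPS mode the new early exit returns 1, which is the same value the following line uses for a failed `RSA_generate_key`, so deliberately skipping a sub-1024-bit temporary key is reported to the caller exactly like a generation failure. If the skip is meant to be benign, `return 0;` (or a documented distinct code) is needed, and the intent should be commented, e.g. `/* skip keys shorter than 1024 bits when running in FIPS mode; slot stays empty */`. Whether the caller treats a non-zero return as fatal is not visible here; `ssl_tmp_key_init_rsa` ends outside the hunk.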


