From mt...@apache.org
Subject svn commit: r1172559 - in /commons/sandbox/runtime/trunk/src/main: java/org/apache/commons/runtime/ssl/ native/modules/openssl/
Date Mon, 19 Sep 2011 10:29:10 GMT
Author: mturk
Date: Mon Sep 19 10:29:10 2011
New Revision: 1172559

URL: http://svn.apache.org/viewvc?rev=1172559&view=rev
Log:
Add CRL file/path config

Modified:
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLCARevocationCheckMode.java
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClientVerifyMode.java
    commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c

Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties?rev=1172559&r1=1172558&r2=1172559&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
(original)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
Mon Sep 19 10:29:10 2011
@@ -18,3 +18,4 @@ fips.ENOTIMPL=FIPS was not available at 
 password.PROMPT=Some of your private key files are encrypted for security reasons.\
 \nIn order to read them you have to provide the pass phrases.\
 \nEnter password :
+sslctx.ENOCRLLOC=At least one of CARevocationFile or CARevocationPath must be configured.

Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLCARevocationCheckMode.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLCARevocationCheckMode.java?rev=1172559&r1=1172558&r2=1172559&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLCARevocationCheckMode.java
(original)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLCARevocationCheckMode.java
Mon Sep 19 10:29:10 2011
@@ -27,13 +27,13 @@ public enum SSLCARevocationCheckMode
      */
     NONE(            0),
     /**
-     * Check the peer certificate.
+     * Limits the checks to the end-entity cert.
      */
-    CHECK(           1),
+    LEEF(           1),
     /**
-     * Check the peer certificate.
+     * CRL checks are applied to all certificates in the chain.
      */
-    CHECK_ALL(       2);
+    CHAING(         2);
 
     private int value;
     private SSLCARevocationCheckMode(int v)
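Review bot: The two renamed constants are misspelled: `LEEF` on the line replacing `CHECK` and `CHAING` on the line replacing `CHECK_ALL`, while their own Javadoc speaks of the "end-entity cert" and "all certificates in the chain". Since these are public enum names that callers will bind to, they should read `LEAF(            1),` and `CHAIN(           2);` before anything depends on them. The old SSLContext.setCARevocationCheck Javadoc removed in this commit called chain mode "(recommended setting)"; that guidance is worth keeping, e.g. on the chain constant's Javadoc: `This is the recommended setting.` The enum body continues outside the hunk.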

Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClientVerifyMode.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClientVerifyMode.java?rev=1172559&r1=1172558&r2=1172559&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClientVerifyMode.java
(original)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClientVerifyMode.java
Mon Sep 19 10:29:10 2011
@@ -18,6 +18,12 @@ package org.apache.commons.runtime.ssl;
 
 /**
  * Represents the SSL client verification mode.
+ * <p>
+ * In practice only levels {@code NONE} and {@code REQUIRE} are really
+ * interesting, because level {@code OPTIONAL} doesn't work with all
+ * browsers and level {@code OPTIONAL_NO_CA} is actually against the
+ * idea of authentication (but can be used to establish SSL test pages, etc.)
+ * </p>
  */
 public enum SSLClientVerifyMode
 {
@@ -48,7 +54,11 @@ public enum SSLClientVerifyMode
      */
     OPTIONAL(        1),
     /**
-     * Optional.
+     * Optional verification.
+     * <p>
+     * The client may present a valid Certificate but it need not to be
+     * (successfully) verifiable.
+     * </p>
      */
     OPTIONAL_NO_CA(  2),
     /**
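Review bot: The new Javadoc on `OPTIONAL_NO_CA` has a grammar slip, "it need not to be (successfully) verifiable"; it should read `The client may present a valid Certificate but it need not be` / `(successfully) verifiable.` The class-level Javadoc added in the first hunk of this file already warns that this level works against the idea of authentication; a one-line pointer on the constant itself, `Not suitable for authenticating clients; see the class description.`, would keep that caveat visible at the point of use. The enum body continues outside the hunk.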

Modified: commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java?rev=1172559&r1=1172558&r2=1172559&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
(original)
+++ commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
Mon Sep 19 10:29:10 2011
@@ -41,7 +41,8 @@ public final class SSLContext extends Na
 
     private SSLKey[]             keys;
     private SSLCertificate[]     cert;
-    
+    private boolean              has_crlset = false;
+
     private static native long         new0(int protocol, int mode)
         throws OperationNotImplementedException;
     private static native void         free0(long key);
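Review bot: The new field `has_crlset` uses snake_case while every other member of this class is lowerCamelCase; since it is private and only referenced by the two new setters and `setCARevocationCheck` later in this diff, renaming it costs nothing, e.g. `private boolean              hasCrlLocation = false;`. The name should also say what it records: not that CRL checking is enabled, but that at least one CRL file or path was loaded successfully. The class body continues outside the hunk.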
@@ -54,6 +55,10 @@ public final class SSLContext extends Na
         throws SSLException;
     private static native void         setcapath0(long ctx, String caPath)
         throws SSLException;
+    private static native void         setcacrlfile0(long ctx, String caPath)
+        throws SSLException;
+    private static native void         setcacrlpath0(long ctx, String caPath)
+        throws SSLException;
     private static native void         setvmode0(long ctx, int mode, int depth)
         throws SSLException;
 
@@ -129,7 +134,7 @@ public final class SSLContext extends Na
     {
         if (super.pointer == 0L)
             throw new IllegalStateException();
-        if (path == 0)
+        if (path == null)
             throw new NullPointerException();
         setcafile0(super.pointer, path);
     }
@@ -161,25 +166,73 @@ public final class SSLContext extends Na
     {
         if (super.pointer == 0L)
             throw new IllegalStateException();
-        if (path == 0)
+        if (path == null)
             throw new NullPointerException();
         setcapath0(super.pointer, path);
     }
 
     /**
+     * Sets the all-in-one file where you can assemble the Certificate
+     * Revocation Lists (CRL) of Certification Authorities (CA) whose
+     * clients you deal with.
+     * These are used for Client Authentication. Such a file is simply the
+     * concatenation of the various PEM-encoded CRL files, in order
+     * of preference. This can be used alternatively and/or additionally
+     * to {@code setCARevocationPath}.
+     *
+     * @param path file containg PEM-encoded CRL list.
+     * @throws IllegalStateException if context is invalid
+     * @throws SSLException if path cannot be set.
+     */
+    public synchronized void setCARevocationFile(String path)
+        throws SSLException, IllegalStateException
+    {
+        if (super.pointer == 0L)
+            throw new IllegalStateException();
+        if (path == null)
+            throw new NullPointerException();
+        setcacrlfile0(super.pointer, path);
+        has_crlset = true;
+    }
+
+    /**
+     * Sets the directory where you keep the Certificate Revocation Lists
+     * (CRL) of Certification Authorities (CAs) whose clients you deal with.
+     * These are used to revoke the client certificate on Client
+     * Authentication.
+     *
+     * @param path directory containg CRL list.
+     * @throws IllegalStateException if context is invalid
+     * @throws SSLException if path cannot be set.
+     */
+    public synchronized void setCARevocationPath(String path)
+        throws SSLException, IllegalStateException
+    {
+        if (super.pointer == 0L)
+            throw new IllegalStateException();
+        if (path == null)
+            throw new NullPointerException();
+        setcacrlpath0(super.pointer, path);
+        has_crlset = true;
+    }
+
+    /**
      * Enables certificate revocation list (CRL) checking.
      * <p>
-     * At least one of SSLCARevocationFile or SSLCARevocationPath
-     * must be configured. When set to chain (recommended setting),
-     * CRL checks are applied to all certificates in the chain, while
-     * setting it to leaf limits the checks to the end-entity cert.
+     * At least one of setCARevocationFile or setCARevocationPath
+     * must be configured before calling this method.
      * </p>
+     * @param mode revocation mode to set.
+     * @throws IllegalStateException if this context is invalid or if
+     *          neither setCARevocationFile or setCARevocationPath was set up.
      */
     public synchronized void setCARevocationCheck(SSLCARevocationCheckMode mode)
         throws IllegalStateException
     {
         if (super.pointer == 0L)
             throw new IllegalStateException();
+        if (!has_crlset)
+            throw new IllegalStateException(Local.sm.get("sslctx.ENOCRLLOC"));          
 
         setcrlcheck0(super.pointer, mode.valueOf());
     }
 
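Review bot: `setCARevocationFile` and `setCARevocationPath` throw `NullPointerException` for a null path but neither Javadoc declares it; add `@throws NullPointerException if path is null` to both, and fix the typo `containg` in both `@param path` lines. The Javadoc says the CRLs "are used for Client Authentication", but the native side loads them into the context's certificate store, which presumably applies to any peer verification done through this context, including server certificates when it is used client-side; hedging that sentence would avoid over-promising scope. The guard in `setCARevocationCheck` is sound because the flag is only set after the native call returns without a pending exception, so a failed load never satisfies it; that reasoning deserves a comment on the `has_crlset = true;` lines, e.g. `// only reached if the native load succeeded`. The `throw new IllegalStateException(Local.sm.get("sslctx.ENOCRLLOC"));` line carries trailing whitespace.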

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c?rev=1172559&r1=1172558&r2=1172559&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Mon Sep 19 10:29:10
2011
@@ -299,6 +299,30 @@ ACR_SSL_EXPORT(void, SSLContext, setcapa
     } DONE_WITH_STR(capath);
 }
 
+ACR_SSL_EXPORT(void, SSLContext, setcacrlfile0)(JNI_STDARGS, jlong ctx,
+                                                jstring file)
+{
+    acr_ssl_ctx_t *c = J2P(ctx, acr_ssl_ctx_t *);
+    if (c->store == 0)
+        c->store = SSL_CTX_get_cert_store(c->ctx);
+    WITH_CSTR(file) {
+        if (!X509_STORE_load_locations(c->store, J2S(file), 0))
+            ssl_throw_errno(env, ACR_EX_ESSL);
+    } DONE_WITH_STR(file);
+}
+
+ACR_SSL_EXPORT(void, SSLContext, setcacrlpath0)(JNI_STDARGS, jlong ctx,
+                                                jstring path)
+{
+    acr_ssl_ctx_t *c = J2P(ctx, acr_ssl_ctx_t *);
+    if (c->store == 0)
+        c->store = SSL_CTX_get_cert_store(c->ctx);
+    WITH_CSTR(path) {
+        if (!X509_STORE_load_locations(c->store, 0, J2S(path)))
+            ssl_throw_errno(env, ACR_EX_ESSL);
+    } DONE_WITH_STR(path);
+}
+
 ACR_SSL_EXPORT(void, SSLContext, setcrlcheck0)(JNI_STDARGS, jlong ctx,
                                                jint ccmode)
 {
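Review bot: `setcacrlfile0` and `setcacrlpath0` duplicate the lazy `c->store` lookup and the `X509_STORE_load_locations` error handling, differing only in which argument is passed; a small static helper removes the duplication and gives one place to document the behaviour. That documentation matters: loading into the store does not by itself enforce revocation, which presumably happens only once the verify flags are set in `setcrlcheck0` (whose body starts at the end of this hunk and continues outside it), and the directory form is looked up by hashed filename at verification time, so a directory of unhashed CRL files will silently check nothing. The `0` comparisons and arguments for pointers would read more clearly as `NULL`.
```c
/* Shared by setcacrlfile0/setcacrlpath0: resolve the context's X509_STORE
 * on first use and load CRLs from a PEM file and/or a directory.
 * NOTE(review): loading alone does not enable revocation checks; the
 * verify flags are presumably set in setcrlcheck0. A directory is
 * searched by hashed filename, so unhashed CRL files are never found. */
static void load_crl_locations(JNIEnv *env, acr_ssl_ctx_t *c,
                               const char *file, const char *path)
{
    if (c->store == NULL)
        c->store = SSL_CTX_get_cert_store(c->ctx);
    if (!X509_STORE_load_locations(c->store, file, path))
        ssl_throw_errno(env, ACR_EX_ESSL);
}

ACR_SSL_EXPORT(void, SSLContext, setcacrlfile0)(JNI_STDARGS, jlong ctx,
                                                jstring file)
{
    acr_ssl_ctx_t *c = J2P(ctx, acr_ssl_ctx_t *);
    WITH_CSTR(file) {
        load_crl_locations(env, c, J2S(file), NULL);
    } DONE_WITH_STR(file);
}
/* … setcacrlpath0 likewise, calling load_crl_locations(env, c, NULL, J2S(path)) … */
```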


