Return-Path: Delivered-To: apmail-jakarta-tomcat-dev-archive@apache.org Received: (qmail 88829 invoked from network); 4 Oct 2002 20:03:48 -0000 Received: from unknown (HELO nagoya.betaversion.org) (192.18.49.131) by daedalus.apache.org with SMTP; 4 Oct 2002 20:03:48 -0000 Received: (qmail 24155 invoked by uid 97); 4 Oct 2002 20:04:03 -0000 Delivered-To: qmlist-jakarta-archive-tomcat-dev@jakarta.apache.org Received: (qmail 24089 invoked by uid 97); 4 Oct 2002 20:04:03 -0000 Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "Tomcat Developers List" Reply-To: "Tomcat Developers List" Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 24078 invoked by uid 97); 4 Oct 2002 20:04:02 -0000 X-Antivirus: nagoya (v4218 created Aug 14 2002) Date: 4 Oct 2002 20:03:11 -0000 Message-ID: <20021004200311.20861.qmail@icarus.apache.org> 
From: nacho@apache.org To: jakarta-tomcat-connectors-cvs@apache.org Subject: cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/puretls PureTLSImplementation.java PureTLSSocket.java PureTLSSocketFactory.java PureTLSSupport.java X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N nacho 2002/10/04 13:03:11 Modified: util/java/org/apache/tomcat/util/net SSLImplementation.java SSLSupport.java Added: util/java/org/apache/tomcat/util/net/jsse JSSEImplementation.java JSSESocketFactory.java JSSESupport.java util/java/org/apache/tomcat/util/net/puretls PureTLSImplementation.java PureTLSSocket.java PureTLSSocketFactory.java PureTLSSupport.java Removed: util/java/org/apache/tomcat/util/net JSSEImplementation.java JSSESocketFactory.java JSSESupport.java PureTLSImplementation.java PureTLSSocket.java PureTLSSocketFactory.java PureTLSSupport.java Log: Refactoring the SSL classes into their own packages; this should not harm anything and makes it easy for tools to manage the dependencies. Revision Changes Path 1.1 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java Index: JSSEImplementation.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3.
The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . 
* * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.util.net.jsse; import org.apache.tomcat.util.net.SSLImplementation; import org.apache.tomcat.util.net.SSLSupport; import org.apache.tomcat.util.net.ServerSocketFactory; import java.io.*; import java.net.*; import javax.net.ssl.SSLSocket; /* JSSEImplementation: Concrete implementation class for JSSE @author EKR */ public class JSSEImplementation extends SSLImplementation { public JSSEImplementation() throws ClassNotFoundException { // Check to see if JSSE is floating around somewhere Class.forName("javax.net.ssl.SSLServerSocketFactory"); } public String getImplementationName(){ return "JSSE"; } public ServerSocketFactory getServerSocketFactory() { return new JSSESocketFactory(); } public SSLSupport getSSLSupport(Socket s) { return new JSSESupport((SSLSocket)s); } } 1.1 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Index: JSSESocketFactory.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." 
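Review bot: The availability probe in the JSSEImplementation constructor, `Class.forName("javax.net.ssl.SSLServerSocketFactory")`, checks the public JSSE API class, but the factory this implementation hands out (JSSESocketFactory.initProxy) is built on the provider-internal `com.sun.net.ssl.SSLContext`, `com.sun.net.ssl.KeyManagerFactory` and `com.sun.net.ssl.internal.ssl.Provider`; on a runtime that provides the javax.net.ssl API without those Sun classes the probe succeeds and the failure only surfaces later as an IOException from initProxy, instead of the implementation search moving on to the next candidate. Probing a class the factory actually uses, e.g. `Class.forName("com.sun.net.ssl.SSLContext");` next to the existing check, keeps the probe honest. getSSLSupport(Socket s) casts unconditionally with `(SSLSocket)s`; a caller passing a plain socket gets a ClassCastException rather than a message naming the contract, so an `instanceof` guard throwing IllegalArgumentException would be clearer. The class comment is a plain `/* */` block, so its `@author` tag is invisible to javadoc; `/** */` fixes that.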
* Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . 
* * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.util.net.jsse; import java.io.*; import java.net.*; import java.security.KeyStore; import java.security.Security; import javax.net.ServerSocketFactory; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLException; import javax.net.ssl.SSLServerSocketFactory; import javax.net.ssl.HandshakeCompletedListener; import javax.net.ssl.HandshakeCompletedEvent; /* 1. Make the JSSE's jars available, either as an installed extension (copy them into jre/lib/ext) or by adding them to the Tomcat classpath. 2. keytool -genkey -alias tomcat -keyalg RSA Use "changeit" as password ( this is the default we use ) */ /** * SSL server socket factory. It _requires_ a valid RSA key and * JSSE. * * @author Harish Prabandham * @author Costin Manolache * @author Stefan Freyr Stefansson * @author EKR -- renamed to JSSESocketFactory */ public class JSSESocketFactory extends org.apache.tomcat.util.net.ServerSocketFactory { private String keystoreType; static String defaultKeystoreType = "JKS"; static String defaultProtocol = "TLS"; static String defaultAlgorithm = "SunX509"; static boolean defaultClientAuth = false; private boolean clientAuth = false; private SSLServerSocketFactory sslProxy = null; // defaults static String defaultKeystoreFile=System.getProperty("user.home") + "/.keystore"; static String defaultKeyPass="changeit"; public JSSESocketFactory () { } public ServerSocket createSocket (int port) throws IOException { if( sslProxy == null ) initProxy(); ServerSocket socket = sslProxy.createServerSocket(port); initServerSocket(socket); return socket; } public ServerSocket createSocket (int port, int backlog) throws IOException { if( sslProxy == null ) initProxy(); ServerSocket socket = sslProxy.createServerSocket(port, backlog); initServerSocket(socket); return socket; } public ServerSocket createSocket (int port, int backlog, InetAddress ifAddress) 
throws IOException { if( sslProxy == null ) initProxy(); ServerSocket socket = sslProxy.createServerSocket(port, backlog, ifAddress); initServerSocket(socket); return socket; } // -------------------- Internal methods /** Read the keystore, init the SSL socket factory */ private void initProxy() throws IOException { try { Security.addProvider (new sun.security.provider.Sun()); Security.addProvider (new com.sun.net.ssl.internal.ssl.Provider()); // Please don't change the name of the attribute - other // software may depend on it ( j2ee for sure ) String keystoreFile=(String)attributes.get("keystore"); if( keystoreFile==null) keystoreFile=defaultKeystoreFile; keystoreType=(String)attributes.get("keystoreType"); if( keystoreType==null) keystoreType=defaultKeystoreType; //determine whether we want client authentication // the presence of the attribute enables client auth String clientAuthStr=(String)attributes.get("clientauth"); if(clientAuthStr != null){ if(clientAuthStr.equals("true")){ clientAuth=true; } else if(clientAuthStr.equals("false")) { clientAuth=false; } else { throw new IOException("Invalid value '" + clientAuthStr + "' for 'clientauth' parameter:"); } } String keyPass=(String)attributes.get("keypass"); if( keyPass==null) keyPass=defaultKeyPass; String keystorePass=(String)attributes.get("keystorePass"); if( keystorePass==null) keystorePass=keyPass; //protocol for the SSL ie - TLS, SSL v3 etc. String protocol = (String)attributes.get("protocol"); if(protocol == null) protocol = defaultProtocol; //Algorithm used to encode the certificate ie - SunX509 String algorithm = (String)attributes.get("algorithm"); if(algorithm == null) algorithm = defaultAlgorithm; // You can't use ssl without a server certificate. 
// Create a KeyStore ( to get server certs ) KeyStore kstore = initKeyStore( keystoreFile, keystorePass ); // Create a SSLContext ( to create the ssl factory ) // This is the only way to use server sockets with JSSE 1.0.1 com.sun.net.ssl.SSLContext context = com.sun.net.ssl.SSLContext.getInstance(protocol); //SSL // Key manager will extract the server key com.sun.net.ssl.KeyManagerFactory kmf = com.sun.net.ssl.KeyManagerFactory.getInstance(algorithm); kmf.init( kstore, keyPass.toCharArray()); // set up TrustManager com.sun.net.ssl.TrustManager[] tm = null; String trustStoreFile = System.getProperty("javax.net.ssl.trustStore"); String trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword"); if ( trustStoreFile != null && trustStorePassword != null ){ KeyStore trustStore = initKeyStore( trustStoreFile, trustStorePassword); com.sun.net.ssl.TrustManagerFactory tmf = com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509"); tmf.init(trustStore); tm = tmf.getTrustManagers(); } // init context with the key managers context.init(kmf.getKeyManagers(), tm, new java.security.SecureRandom()); // create proxy sslProxy = context.getServerSocketFactory(); return; } catch(Exception e) { if( e instanceof IOException ) throw (IOException)e; throw new IOException(e.getMessage()); } } public Socket acceptSocket(ServerSocket socket) throws IOException { SSLSocket asock = null; try { asock = (SSLSocket)socket.accept(); asock.setNeedClientAuth(clientAuth); } catch (SSLException e){ throw new SocketException("SSL handshake error" + e.toString()); } return asock; } /** Set server socket properties ( accepted cipher suites, etc) */ private void initServerSocket(ServerSocket ssocket) { SSLServerSocket socket=(SSLServerSocket)ssocket; // We enable all cipher suites when the socket is // connected - XXX make this configurable String cipherSuites[] = socket.getSupportedCipherSuites(); socket.setEnabledCipherSuites(cipherSuites); // we don't know if client auth is needed - 
// after parsing the request we may re-handshake socket.setNeedClientAuth(clientAuth); } private KeyStore initKeyStore( String keystoreFile, String keyPass) throws IOException { InputStream istream = null; try { KeyStore kstore=KeyStore.getInstance( keystoreType ); istream = new FileInputStream(keystoreFile); kstore.load(istream, keyPass.toCharArray()); return kstore; } catch (FileNotFoundException fnfe) { throw fnfe; } catch (IOException ioe) { throw ioe; } catch(Exception ex) { ex.printStackTrace(); throw new IOException( "Exception trying to load keystore " + keystoreFile + ": " + ex.getMessage() ); } } public void handshake(Socket sock) throws IOException { ((SSLSocket)sock).startHandshake(); } } 1.1 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Index: JSSESupport.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. 
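Review bot: initServerSocket enables every suite the provider supports — `String cipherSuites[] = socket.getSupportedCipherSuites(); socket.setEnabledCipherSuites(cipherSuites);` — which replaces the provider's default enabled list with its full supported list, and in the Sun JSSE of this era the supported list includes the anonymous and NULL-cipher suites that are disabled by default precisely because they give no authentication or no encryption, so a client can negotiate such a session while the server believes it is serving SSL. Deleting those two lines keeps the provider defaults; the `XXX make this configurable` comment is better honoured by an attribute naming the suites to enable than by enabling everything. initKeyStore opens `istream` and never closes it on either path; add `finally { if (istream != null) istream.close(); }` after the catch blocks, and drop the `ex.printStackTrace()` there in favour of the message the IOException already carries. The `throw new IOException(e.getMessage())` in initProxy's catch (and the same pattern in PureTLSSocketFactory.init) discards the underlying exception and its stack and produces a null message when the cause has none; attach the cause (initCause on 1.4+) or at least build the message from `e.toString()`.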
The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . * * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.util.net.jsse; import org.apache.tomcat.util.net.SSLSupport; import java.io.*; import java.net.*; import java.util.Vector; import java.security.cert.CertificateFactory; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; import java.security.cert.CertificateFactory; import javax.security.cert.X509Certificate; /* JSSESupport Concrete implementation class for JSSE Support classes. 
This will only work with JDK 1.2 and up since it depends on JDK 1.2's certificate support @author EKR @author Craig R. McClanahan Parts cribbed from JSSECertCompat Parts cribbed from CertificatesValve */ class JSSESupport implements SSLSupport { private SSLSocket ssl; JSSESupport(SSLSocket sock){ ssl=sock; } public String getCipherSuite() throws IOException { // Look up the current SSLSession SSLSession session = ssl.getSession(); if (session == null) return null; return session.getCipherSuite(); } public Object[] getPeerCertificateChain() throws IOException { return getPeerCertificateChain(false); } public Object[] getPeerCertificateChain(boolean force) throws IOException { // Look up the current SSLSession SSLSession session = ssl.getSession(); if (session == null) return null; // Convert JSSE's certificate format to the ones we need X509Certificate jsseCerts[] = null; java.security.cert.X509Certificate x509Certs[] = null; try { try { jsseCerts = session.getPeerCertificateChain(); } catch(Exception bex) { // ignore. 
} if (jsseCerts == null) jsseCerts = new X509Certificate[0]; if(jsseCerts.length <= 0 && force) { session.invalidate(); ssl.setNeedClientAuth(true); ssl.startHandshake(); session = ssl.getSession(); jsseCerts = session.getPeerCertificateChain(); if(jsseCerts == null) jsseCerts = new X509Certificate[0]; } x509Certs = new java.security.cert.X509Certificate[jsseCerts.length]; for (int i = 0; i < x509Certs.length; i++) { byte buffer[] = jsseCerts[i].getEncoded(); CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream stream = new ByteArrayInputStream(buffer); x509Certs[i] = (java.security.cert.X509Certificate) cf.generateCertificate(stream); } } catch (Throwable t) { return null; } if ((x509Certs == null) || (x509Certs.length < 1)) return null; return x509Certs; } /** * Copied from org.apache.catalina.valves.CertificateValve */ public Integer getKeySize() throws IOException { // Look up the current SSLSession SSLSession session = ssl.getSession(); SSLSupport.CipherData c_aux[]=ciphers; if (session == null) return null; Integer keySize = (Integer) session.getValue(KEY_SIZE_KEY); if (keySize == null) { int size = 0; String cipherSuite = session.getCipherSuite(); for (int i = 0; i < c_aux.length; i++) { if (cipherSuite.indexOf(c_aux[i].phrase) >= 0) { size = c_aux[i].keySize; break; } } keySize = new Integer(size); session.putValue(KEY_SIZE_KEY, keySize); } return keySize; } public String getSessionId() throws IOException { // Look up the current SSLSession SSLSession session = ssl.getSession(); if (session == null) return null; // Expose ssl_session (getId) byte [] ssl_session = session.getId(); if ( ssl_session == null) return null; StringBuffer buf=new StringBuffer(""); for(int x=0; x2) digit=digit.substring(digit.length()-2); buf.append(digit); } return buf.toString(); } } 1.2 +3 -3 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/SSLImplementation.java Index: SSLImplementation.java 
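Review bot: getPeerCertificateChain(boolean force) ends with `catch (Throwable t) { return null; }`, which converts JVM errors raised during the forced re-handshake or the certificate conversion (OutOfMemoryError, ThreadDeath, linkage errors) into a quiet "no client certificate" answer that callers cannot tell apart from a client that sent nothing; `catch (Exception e) { return null; }` is the widest catch that is defensible here. The inner `catch(Exception bex) { // ignore. }` around the first getPeerCertificateChain() call would read better as `// no peer chain available; presumably the client sent no certificate, which the force branch handles below`, since that is the case the `force` branch then addresses by re-handshaking with setNeedClientAuth(true). `CertificateFactory.getInstance("X.509")` is looked up once per certificate inside the for loop; obtain it once before the loop. The import list carries `import java.security.cert.CertificateFactory;` twice.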
=================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/SSLImplementation.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- SSLImplementation.java 5 Apr 2002 17:43:33 -0000 1.1 +++ SSLImplementation.java 4 Oct 2002 20:03:10 -0000 1.2 @@ -71,9 +71,9 @@ abstract public class SSLImplementation { // The default implementations in our search path private static final String PureTLSImplementationClass= - "org.apache.tomcat.util.net.PureTLSImplementation"; + "org.apache.tomcat.util.net.puretls.PureTLSImplementation"; private static final String JSSEImplementationClass= - "org.apache.tomcat.util.net.JSSEImplementation"; + "org.apache.tomcat.util.net.jsse.JSSEImplementation"; private static final String[] implementations= { @@ -89,7 +89,7 @@ getInstance(implementations[i]); return impl; } catch (Exception e) { - // Ignore + //e.printStackTrace(); } } 1.5 +19 -20 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/SSLSupport.java Index: SSLSupport.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/SSLSupport.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- SSLSupport.java 21 Sep 2002 04:39:33 -0000 1.4 +++ SSLSupport.java 4 Oct 2002 20:03:10 -0000 1.5 
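Review bot: The new `//e.printStackTrace();` in the second hunk's catch block is a commented-out statement rather than documentation, so it replaces `// Ignore` with something no more informative, and `catch (Exception e)` still swallows every failure of an implementation's constructor without a trace. Since the surrounding code appears to probe a search path of optional implementations (`implementations[i]`), say that in place: `// Probe failed: this implementation is not available here; try the next one`. If a diagnostic is wanted, record it through whatever logging the util package has rather than leaving dead code behind. The enclosing method starts and ends outside the hunk.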
@@ -148,25 +148,24 @@ */ public String getSessionId() throws IOException; -} -// ------------------------------------------------------------ Private Classes - - -/** - * Simple data class that represents the cipher being used, along with the - * corresponding effective key size. The specified phrase must appear in the - * name of the cipher suite to be recognized. - */ - -final class CipherData { - - String phrase = null; - - int keySize = 0; - - public CipherData(String phrase, int keySize) { - this.phrase = phrase; - this.keySize = keySize; + /** + * Simple data class that represents the cipher being used, along with the + * corresponding effective key size. The specified phrase must appear in the + * name of the cipher suite to be recognized. + */ + + final class CipherData { + + public String phrase = null; + + public int keySize = 0; + + public CipherData(String phrase, int keySize) { + this.phrase = phrase; + this.keySize = keySize; + } + } - + } + 1.1 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/puretls/PureTLSImplementation.java Index: PureTLSImplementation.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. 
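Review bot: The relocated CipherData now exposes `public String phrase` and `public int keySize` as mutable fields on a class that, being nested in an interface, is implicitly public and static, so any code that can see SSLSupport can rewrite the phrase-to-key-size table that JSSESupport.getKeySize consults to report the effective key size of a session. Both fields are assigned only in the constructor, so make them `public final String phrase;` and `public final int keySize;` (dropping the `= null` / `= 0` initializers), which fixes each entry at construction. The enclosing SSLSupport declaration and the `ciphers` table itself start outside the hunk.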
The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . 
* * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.util.net.puretls; import org.apache.tomcat.util.net.SSLImplementation; import org.apache.tomcat.util.net.SSLSupport; import org.apache.tomcat.util.net.ServerSocketFactory; import java.io.*; import java.net.*; import COM.claymoresystems.sslg.*; import COM.claymoresystems.ptls.*; import COM.claymoresystems.cert.*; /* PureTLSImplementation: Concrete implementation class for PureTLS @author EKR */ public class PureTLSImplementation extends SSLImplementation { public PureTLSImplementation() throws ClassNotFoundException { // Check to see if PureTLS is floating around somewhere Class.forName("COM.claymoresystems.ptls.SSLContext"); } public String getImplementationName(){ return "PureTLS"; } public ServerSocketFactory getServerSocketFactory() { return new PureTLSSocketFactory(); } public SSLSupport getSSLSupport(Socket s) { return new PureTLSSupport((SSLSocket)s); } } 1.1 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/puretls/PureTLSSocket.java Index: PureTLSSocket.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. 
The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . 
* * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.util.net.puretls; import java.io.*; import java.net.*; import COM.claymoresystems.ptls.*; import COM.claymoresystems.cert.*; import COM.claymoresystems.sslg.*; /* * PureTLSSocket.java * * Wraps COM.claymoresystems.ptls.SSLSocket * * This class translates PureTLS's interfaces into those * expected by Tomcat * * @author Eric Rescorla * */ public class PureTLSSocket extends COM.claymoresystems.ptls.SSLSocket { // The only constructor we need here is the no-arg // constructor since this class is only used with // implAccept public PureTLSSocket() throws IOException { super(); } } 1.1 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/puretls/PureTLSSocketFactory.java Index: PureTLSSocketFactory.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. 
The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . 
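 *
 * [Additional notices, if required by prior licensing conditions]
 *
 */
package org.apache.tomcat.util.net.puretls;

import java.io.*;
import java.net.*;
import COM.claymoresystems.ptls.*;
import COM.claymoresystems.cert.*;
import COM.claymoresystems.sslg.*;

/**
 * SSL server socket factory--wraps PureTLS
 *
 * The PureTLS SSLContext is built lazily, on the first createSocket()
 * call, from the factory's "attributes" (keystore, keypass, rootfile,
 * randomfile, protocol, clientauth); each attribute falls back to the
 * static default below when absent.
 *
 * @author Eric Rescorla
 *
 * some sections of this file cribbed from SSLSocketFactory
 * (the JSSE socket factory)
 *
 */
public class PureTLSSocketFactory
    extends org.apache.tomcat.util.net.ServerSocketFactory
{
    static String defaultProtocol = "TLS";
    static boolean defaultClientAuth = false;
    static String defaultKeyStoreFile = "server.pem";
    // NOTE(review): the key-file passphrase (also reused for the
    // randomness file in init()) falls back to a well-known default.
    // Deployments should always set the "keypass" attribute explicitly.
    static String defaultKeyPass = "password";
    static String defaultRootFile = "root.pem";
    static String defaultRandomFile = "random.pem";

    // null until init() succeeds; init() is a no-op once this is set.
    private COM.claymoresystems.ptls.SSLContext context = null;

    public PureTLSSocketFactory() {
    }

    /**
     * Creates a PureTLS server socket bound to the given port.
     *
     * @throws IOException if the PureTLS context cannot be initialised
     *         or the socket cannot be created
     */
    public ServerSocket createSocket(int port) throws IOException {
        init();
        return new SSLServerSocket(context, port);
    }

    /**
     * Creates a PureTLS server socket bound to the given port with the
     * given accept backlog.
     *
     * @throws IOException if the PureTLS context cannot be initialised
     *         or the socket cannot be created
     */
    public ServerSocket createSocket(int port, int backlog) throws IOException {
        init();
        // The former try/catch here only rethrew the same IOException.
        return new SSLServerSocket(context, port, backlog);
    }

    /**
     * Creates a PureTLS server socket bound to the given port and
     * interface address with the given accept backlog.
     *
     * @throws IOException if the PureTLS context cannot be initialised
     *         or the socket cannot be created
     */
    public ServerSocket createSocket(int port, int backlog, InetAddress ifAddress) throws IOException {
        init();
        return new SSLServerSocket(context, port, backlog, ifAddress);
    }

    /**
     * Reads a string attribute, substituting a default when it is unset.
     */
    private String attribute(String name, String dflt) {
        String value = (String) attributes.get(name);
        return (value == null) ? dflt : value;
    }

    /**
     * Parses the "clientauth" attribute.
     *
     * @param clientAuthStr the raw attribute value, or null when unset
     * @return the configured value, or defaultClientAuth when unset
     * @throws IOException if the value is neither "true" nor "false"
     */
    private boolean parseClientAuth(String clientAuthStr) throws IOException {
        if (clientAuthStr == null) {
            return defaultClientAuth;
        }
        if (clientAuthStr.equals("true")) {
            return true;
        }
        if (clientAuthStr.equals("false")) {
            return false;
        }
        throw new IOException("Invalid value '" + clientAuthStr
                              + "' for 'clientauth' parameter:");
    }

    /**
     * Builds the PureTLS SSLContext from the factory attributes.
     *
     * Idempotent: returns immediately once the context exists.  The
     * context field is only assigned after every load step succeeded,
     * so a failed attempt leaves the factory uninitialised.
     *
     * @throws IOException on a bad "clientauth" value, or when any of
     *         the key, root or randomness files cannot be loaded
     */
    private void init() throws IOException {
        if (context != null) {
            return;
        }
        try {
            String keyStoreFile = attribute("keystore", defaultKeyStoreFile);
            String keyPass = attribute("keypass", defaultKeyPass);
            String rootFile = attribute("rootfile", defaultRootFile);
            String randomFile = attribute("randomfile", defaultRandomFile);
            // Read for completeness; nothing below consumes it.
            String protocol = attribute("protocol", defaultProtocol);
            boolean clientAuth = parseClientAuth(attribute("clientauth", null));

            SSLContext tmpContext = new SSLContext();
            // Root (CA) certificates are only consulted when verifying
            // client certificates, so they are loaded only with client auth.
            if (clientAuth) {
                tmpContext.loadRootCertificates(rootFile);
            }
            tmpContext.loadEAYKeyFile(keyStoreFile, keyPass);
            // The randomness file is protected with the key-file passphrase.
            tmpContext.useRandomnessFile(randomFile, keyPass);

            SSLPolicyInt policy = new SSLPolicyInt();
            policy.requireClientAuth(clientAuth);
            // The handshake is deferred until handshake() is called explicitly.
            policy.handshakeOnConnect(false);
            policy.waitOnClose(false);
            tmpContext.setPolicy(policy);

            context = tmpContext;
        } catch (IOException e) {
            // Already the right type: keep the original exception and trace.
            throw e;
        } catch (Exception e) {
            // Wrap everything else; e.toString() keeps the exception class,
            // which e.getMessage() alone (possibly null) would lose.
            throw new IOException("PureTLS context initialization failed: " + e);
        }
    }

    /**
     * Accepts a connection on the given server socket.
     *
     * @throws SocketException if PureTLS reports an SSL error on accept
     * @throws IOException on any other accept failure
     */
    public Socket acceptSocket(ServerSocket socket) throws IOException {
        try {
            return socket.accept();
        } catch (SSLException e) {
            throw new SocketException("SSL handshake error: " + e);
        }
    }

    /**
     * Runs the deferred TLS handshake on an accepted socket
     * (see handshakeOnConnect(false) in init()).
     */
    public void handshake(Socket sock) throws IOException {
        ((SSLSocket) sock).handshake();
    }
}

1.1 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/puretls/PureTLSSupport.java

Index: PureTLSSupport.java
===================================================================
/*
 * ====================================================================
 *
 * The Apache Software License, Version 1.1
 *
 * Copyright (c) 1999 The Apache Software Foundation.  All rights
 * reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3.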
The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . 
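 *
 * [Additional notices, if required by prior licensing conditions]
 *
 */
package org.apache.tomcat.util.net.puretls;

import org.apache.tomcat.util.net.SSLSupport;
import java.io.*;
import java.net.*;
import java.util.Vector;
import java.security.cert.CertificateFactory;
import org.apache.tomcat.util.buf.HexUtils;
import COM.claymoresystems.sslg.*;
import COM.claymoresystems.ptls.*;
import COM.claymoresystems.cert.*;

/**
 * PureTLSSupport
 *
 * Concrete implementation class for PureTLS Support classes.
 * This will only work with JDK 1.2 and up since it depends on
 * JDK 1.2's certificate support
 *
 * @author EKR
 */
class PureTLSSupport implements SSLSupport {

    private COM.claymoresystems.ptls.SSLSocket ssl;

    PureTLSSupport(SSLSocket sock) {
        ssl = sock;
    }

    /**
     * Returns the PureTLS name of the negotiated cipher suite.
     */
    public String getCipherSuite() throws IOException {
        int cs = ssl.getCipherSuite();
        return SSLPolicyInt.getCipherSuiteName(cs);
    }

    /**
     * Returns the peer certificate chain without forcing a renegotiation.
     */
    public Object[] getPeerCertificateChain() throws IOException {
        return getPeerCertificateChain(false);
    }

    /**
     * Returns the peer certificate chain as java.security.cert.X509Certificate
     * objects, peer certificate first.
     *
     * @param force when true and no chain is present yet, renegotiate
     *        with client authentication required and read the chain again
     * @return the chain (peer cert at index 0), or null if the peer
     *         presented none
     * @throws IOException if PureTLS's DER cannot be parsed by the JDK
     */
    public Object[] getPeerCertificateChain(boolean force) throws IOException {
        Vector v = ssl.getCertificateChain();
        if (v == null && force) {
            SSLPolicyInt policy = new SSLPolicyInt();
            policy.requireClientAuth(true);
            policy.handshakeOnConnect(false);
            policy.waitOnClose(false);
            ssl.renegotiate(policy);
            v = ssl.getCertificateChain();
        }
        if (v == null) {
            return null;
        }
        int n = v.size();
        java.security.cert.X509Certificate[] chain =
            new java.security.cert.X509Certificate[n];
        try {
            // One factory for the whole chain instead of one per certificate.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            for (int i = 0; i < n; i++) {
                // PureTLS provides cert chains with the peer cert last but
                // the Servlet 2.3 spec (S 4.7) requires the opposite order,
                // so PureTLS element n-1-i lands at chain[i].  (The previous
                // 1-based loop wrote chain[1..n], skipping index 0 and
                // overrunning the array on the last iteration.)
                byte[] der = ((X509Cert) v.elementAt(n - 1 - i)).getDER();
                ByteArrayInputStream stream = new ByteArrayInputStream(der);
                chain[i] = (java.security.cert.X509Certificate)
                    cf.generateCertificate(stream);
            }
        } catch (java.security.cert.CertificateException e) {
            throw new IOException("JDK's broken cert handling can't parse this "
                                  + "certificate (which PureTLS likes): " + e);
        }
        return chain;
    }

    /**
     * Lookup the symmetric key size.
     *
     * @return the key size of the first entry in {@code ciphers} whose
     *         phrase occurs in the suite name, or 0 if none matches
     */
    public Integer getKeySize() throws IOException {
        int cs = ssl.getCipherSuite();
        String cipherSuite = SSLPolicyInt.getCipherSuiteName(cs);
        int size = 0;
        // "ciphers" is not declared here; presumably it is inherited from
        // the SSLSupport interface -- verify against that file.
        for (int i = 0; i < ciphers.length; i++) {
            if (cipherSuite.indexOf(ciphers[i].phrase) >= 0) {
                size = ciphers[i].keySize;
                break;
            }
        }
        return new Integer(size);
    }

    /**
     * Returns the TLS session id as a hex string, or null if there is none.
     */
    public String getSessionId() throws IOException {
        byte[] sslSession = ssl.getSessionID();
        if (sslSession == null) {
            return null;
        }
        return HexUtils.convert(sslSession);
    }
}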