tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mt...@apache.org
Subject cvs commit: jakarta-tomcat-connectors/jni/native/src ssl.c sslcontext.c sslutils.c
Date Thu, 02 Jun 2005 07:44:39 GMT
mturk       2005/06/02 00:44:39

  Modified:    jni/java/org/apache/tomcat/jni SSLContext.java
               jni/native/include ssl_private.h
               jni/native/src ssl.c sslcontext.c sslutils.c
  Log:
  Add more configuration directives to SSL Context.
  
  Revision  Changes    Path
  1.9       +126 -1    jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java
  
  Index: SSLContext.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- SSLContext.java	1 Jun 2005 12:36:24 -0000	1.8
  +++ SSLContext.java	2 Jun 2005 07:44:38 -0000	1.9
  @@ -118,4 +118,129 @@
        */
       public static native void setQuietShutdown(long ctx, boolean mode);
   
  +    /**
  +     * Cipher Suite available for negotiation in SSL handshake.
  +     * <br />
  +     * This complex directive uses a colon-separated cipher-spec string consisting
  +     * of OpenSSL cipher specifications to configure the Cipher Suite the client
  +     * is permitted to negotiate in the SSL handshake phase. Notice that this
  +     * directive can be used both in per-server and per-directory context.
  +     * In per-server context it applies to the standard SSL handshake when a
  +     * connection is established. In per-directory context it forces a SSL
  +     * renegotation with the reconfigured Cipher Suite after the HTTP request
  +     * was read but before the HTTP response is sent.
  +     * @param ctx Server or Client context to use.
  +     * @param ciphers An SSL cipher specification.
  +     */
  +    public static native boolean setCipherSuite(long ctx, String ciphers);
  +
  +    /**
  +     * Set Directory of PEM-encoded CA Certificates for Client Auth
  +     * <br />
  +     * This directive sets the directory where you keep the Certificates of
  +     * Certification Authorities (CAs) whose clients you deal with. These are
  +     * used to verify the client certificate on Client Authentication.
  +     * <br />
  +     * The files in this directory have to be PEM-encoded and are accessed through
  +     * hash filenames. So usually you can't just place the Certificate files there:
  +     * you also have to create symbolic links named hash-value.N. And you should
  +     * always make sure this directory contains the appropriate symbolic links.
  +     * Use the Makefile which comes with mod_ssl to accomplish this task.
  +     * @param ctx Server or Client context to use.
  +     * @param path Directory of PEM-encoded CA Certificates for Client Auth.
  +     */
  +    public static native boolean setCARevocationPath(long ctx, String path);
  +
  +    /**
  +     * Set File of concatenated PEM-encoded CA CRLs for Client Auth
  +     * <br />
  +     * This directive sets the all-in-one file where you can assemble the
  +     * Certificate Revocation Lists (CRL) of Certification Authorities (CA)
  +     * whose clients you deal with. These are used for Client Authentication.
  +     * Such a file is simply the concatenation of the various PEM-encoded CRL
  +     * files, in order of preference. This can be used alternatively and/or
  +     * additionally to <code>setCARevocationPath</code>.
  +     * @param ctx Server or Client context to use.
  +     * @param file File of concatenated PEM-encoded CA CRLs for Client Auth.
  +     */
  +    public static native boolean setCARevocationFile(long ctx, String file);
  +
  +    /**
  +     * Set File of PEM-encoded Server CA Certificates
  +     * <br />
  +     * This directive sets the optional all-in-one file where you can assemble the
  +     * certificates of Certification Authorities (CA) which form the certificate
  +     * chain of the server certificate. This starts with the issuing CA certificate
  +     * of of the server certificate and can range up to the root CA certificate.
  +     * Such a file is simply the concatenation of the various PEM-encoded CA
  +     * Certificate files, usually in certificate chain order.
  +     * <br />
  +     * But be careful: Providing the certificate chain works only if you are using
  +     * a single (either RSA or DSA) based server certificate. If you are using a
  +     * coupled RSA+DSA certificate pair, this will work only if actually both
  +     * certificates use the same certificate chain. Else the browsers will be
  +     * confused in this situation.
  +     * @param ctx Server or Client context to use.
  +     * @param file File of PEM-encoded Server CA Certificates.
  +     */
  +    public static native boolean setCertificateChainFile(long ctx, String file);
  +
  +    /**
  +     * Set Server Certificate
  +     * <br />
  +     * Point setCertificateFile at a PEM encoded certificate.  If
  +     * the certificate is encrypted, then you will be prompted for a
  +     * pass phrase.  Note that a kill -HUP will prompt again. A test
  +     * certificate can be generated with `make certificate' under
  +     * built time. Keep in mind that if you've both a RSA and a DSA
  +     * certificate you can configure both in parallel (to also allow
  +     * the use of DSA ciphers, etc.)
  +     * @param ctx Server or Client context to use.
  +     * @param file Certificate file.
  +     */
  +    public static native boolean setCertificateFile(long ctx, String file);
  +
  +    /**
  +     * Set Server Private Key
  +     * <br />
  +     * If the key is not combined with the certificate, use this
  +     * directive to point at the key file.  Keep in mind that if
  +     * you've both a RSA and a DSA private key you can configure
  +     * both in parallel (to also allow the use of DSA ciphers, etc.)
  +     * @param ctx Server or Client context to use.
  +     * @param file Server Private Key file.
  +     */
  +    public static native boolean setCertificateKeyFile(long ctx, String file);
  +
  +    /**
  +     * Set File of concatenated PEM-encoded CA Certificates for Client Auth
  +     * <br />
  +     * This directive sets the all-in-one file where you can assemble the
  +     * Certificates of Certification Authorities (CA) whose clients you deal with.
  +     * These are used for Client Authentication. Such a file is simply the
  +     * concatenation of the various PEM-encoded Certificate files, in order of
  +     * preference. This can be used alternatively and/or additionally to
  +     * <code>setCACertificatePath</code>.
  +     * @param ctx Server or Client context to use.
  +     * @param file File of concatenated PEM-encoded CA Certificates for Client Auth.
  +     */
  +    public static native boolean setCACertificateFile(long ctx, String file);
  +
  +    /**
  +     * Set Directory of PEM-encoded CA Certificates for Client Auth
  +     * <br />
  +     * This directive sets the directory where you keep the Certificates of
  +     * Certification Authorities (CAs) whose clients you deal with. These are used
  +     * to verify the client certificate on Client Authentication.
  +     * <br />
  +     * The files in this directory have to be PEM-encoded and are accessed through
  +     * hash filenames. So usually you can't just place the Certificate files there:
  +     * you also have to create symbolic links named hash-value.N. And you should always
  +     * make sure this directory contains the appropriate symbolic links.
  +     * Use the Makefile which comes with mod_ssl to accomplish this task.
  +     * @param ctx Server or Client context to use.
  +     * @param path Directory of PEM-encoded CA Certificates for Client Auth.
  +     */
  +    public static native boolean setCACertificatePath(long ctx, String path);
  +
   }
  
  
  
  1.10      +7 -5      jakarta-tomcat-connectors/jni/native/include/ssl_private.h
  
  Index: ssl_private.h
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- ssl_private.h	1 Jun 2005 15:20:14 -0000	1.9
  +++ ssl_private.h	2 Jun 2005 07:44:38 -0000	1.10
  @@ -86,7 +86,8 @@
   #define SSL_BIO_FLAG_RDONLY     (1<<0)
   #define SSL_BIO_FLAG_CALLBACK   (1<<1)
   #define SSL_DEFAULT_CACHE_SIZE  (256)
  -
  +#define SSL_DEFAULT_VHOST_NAME  ("_default_:443")
  +#define SSL_MAX_STR_LEN         2048
   /* public cert/private key */
   typedef struct {
       /*
  @@ -128,8 +129,6 @@
   
       const char      *cert_chain;
       /* certificate revocation list */
  -    const char      *crl_path;
  -    const char      *crl_file;
       X509_STORE      *crl;
   
       /* known/trusted CAs */
  @@ -151,6 +150,9 @@
   
   typedef struct tcn_ssl_conn tcn_ssl_conn_t;
   
  +#define SSL_CTX_get_extra_certs(ctx)       (ctx->extra_certs)
  +#define SSL_CTX_set_extra_certs(ctx,value) {ctx->extra_certs = value;}
  +
   /*
    *  Additional Functions
    */
  @@ -164,6 +166,6 @@
   DH         *SSL_dh_get_param_from_file(const char *);
   RSA        *SSL_callback_tmp_RSA(SSL *, int, int);
   DH         *SSL_callback_tmp_DH(SSL *, int, int);
  -
  +void        SSL_vhost_algo_id(const unsigned char *, unsigned char *, int);
   
   #endif /* SSL_PRIVATE_H */
  
  
  
  1.17      +11 -4     jakarta-tomcat-connectors/jni/native/src/ssl.c
  
  Index: ssl.c
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- ssl.c	1 Jun 2005 10:45:03 -0000	1.16
  +++ ssl.c	2 Jun 2005 07:44:39 -0000	1.17
  @@ -26,6 +26,7 @@
   #include "apr_thread_mutex.h"
   #include "apr_strings.h"
   #include "apr_atomic.h"
  +#include "apr_hash.h"
   
   #include "tcn.h"
   
  @@ -36,6 +37,9 @@
   extern apr_pool_t *tcn_global_pool;
   ENGINE *tcn_ssl_engine = NULL;
   
  +apr_hash_t  *tcn_private_keys = NULL;
  +apr_hash_t  *tcn_public_certs = NULL;
  +
   TCN_IMPLEMENT_CALL(jint, SSL, version)(TCN_STDARGS)
   {
       UNREFERENCED_STDARGS;
  @@ -172,7 +176,7 @@
       CRYPTO_set_locking_callback(ssl_thread_lock);
   
       apr_pool_cleanup_register(p, NULL, ssl_thread_cleanup,
  -                                       apr_pool_cleanup_null);
  +                              apr_pool_cleanup_null);
   }
   
   static int ssl_rand_choosenum(int l, int h)
  @@ -353,7 +357,10 @@
       ssl_rand_seed(NULL);
       /* For SSL_get_app_data2() at request time */
       SSL_init_app_data2_idx();
  -
  +    
  +    /* Create tables for global private keys and certs */
  +    tcn_private_keys = apr_hash_make(tcn_global_pool);
  +    tcn_public_certs = apr_hash_make(tcn_global_pool);
       /*
        * Let us cleanup the ssl library when the library is unloaded
        */
  @@ -555,7 +562,7 @@
   
   static BIO_METHOD jbs_methods = {
       BIO_TYPE_FILE,
  -    "JavaString Stream",
  +    "Java Callback",
       jbs_write,
       jbs_read,
       jbs_puts,
  
  
  
  1.15      +218 -5    jakarta-tomcat-connectors/jni/native/src/sslcontext.c
  
  Index: sslcontext.c
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- sslcontext.c	1 Jun 2005 15:20:14 -0000	1.14
  +++ sslcontext.c	2 Jun 2005 07:44:39 -0000	1.15
  @@ -175,7 +175,11 @@
        */
       SSL_CTX_set_options(c->ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
   #endif
  +    /* Default vhost id and cache size */
       SSL_CTX_sess_set_cache_size(c->ctx, SSL_DEFAULT_CACHE_SIZE);
  +    MD5((const unsigned char *)SSL_DEFAULT_VHOST_NAME,
  +        (unsigned long)(sizeof(SSL_DEFAULT_VHOST_NAME) - 1),
  +        &(c->vhost_id[0]));
   
       SSL_CTX_set_tmp_rsa_callback(c->ctx, SSL_callback_tmp_RSA);
       SSL_CTX_set_tmp_dh_callback(c->ctx,  SSL_callback_tmp_DH);
  @@ -252,8 +256,11 @@
        */
       SSL_CTX_set_options(c->ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
   #endif
  -
  +    /* Default vhost id and cache size */
       SSL_CTX_sess_set_cache_size(c->ctx, SSL_DEFAULT_CACHE_SIZE);
  +    MD5((const unsigned char *)SSL_DEFAULT_VHOST_NAME,
  +        (unsigned long)(sizeof(SSL_DEFAULT_VHOST_NAME) - 1),
  +        &(c->vhost_id[0]));
       /*
        * Let us cleanup the ssl context when the pool is destroyed
        */
  @@ -283,10 +290,11 @@
   
       TCN_ASSERT(ctx != 0);
       UNREFERENCED(o);
  -    if (J2S(id))
  -        MD5((const unsigned char *)J2S(id), (unsigned long)strlen(J2S(id)),
  +    if (J2S(id)) {
  +        MD5((const unsigned char *)J2S(id),
  +            (unsigned long)strlen(J2S(id)),
               &(c->vhost_id[0]));
  -
  +    }
       TCN_FREE_CSTRING(id);
   }
   
  @@ -333,6 +341,211 @@
       SSL_CTX_set_quiet_shutdown(c->ctx, mode ? 1 : 0);
   }
   
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuite)(TCN_STDARGS, jlong ctx,
  +                                                         jstring ciphers)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    TCN_ALLOC_CSTRING(ciphers);
  +    jboolean rv = JNI_TRUE;
  +
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +    if (!J2S(ciphers))
  +        return JNI_FALSE;
  +
  +    if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
  +        BIO_printf(c->bio_os,
  +                   "[ERROR] Unable to configure permitted SSL ciphers");
  +        rv = JNI_FALSE;
  +    }
  +    TCN_FREE_CSTRING(ciphers);
  +    return rv;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocationFile)(TCN_STDARGS, jlong ctx,
  +                                                              jstring file)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    TCN_ALLOC_CSTRING(file);
  +    jboolean rv = JNI_FALSE;
  +    X509_LOOKUP *lookup;
  +
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +    if (!J2S(file))
  +        return JNI_FALSE;
  +
  +    if (!c->crl) {
  +        if ((c->crl = X509_STORE_new()) == NULL)
  +            goto cleanup;
  +    }
  +    lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_file());
  +    if (lookup == NULL) {
  +        X509_STORE_free(c->crl);
  +        c->crl = NULL;
  +        goto cleanup;
  +    }
  +    X509_LOOKUP_load_file(lookup, J2S(file), X509_FILETYPE_PEM);
  +    rv = JNI_TRUE;
  +cleanup:
  +    TCN_FREE_CSTRING(file);
  +    return rv;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocationPath)(TCN_STDARGS, jlong ctx,
  +                                                              jstring path)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    TCN_ALLOC_CSTRING(path);
  +    jboolean rv = JNI_FALSE;
  +    X509_LOOKUP *lookup;
  +
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +    if (!J2S(path))
  +        return JNI_FALSE;
  +
  +    if (!c->crl) {
  +        if ((c->crl = X509_STORE_new()) == NULL)
  +            goto cleanup;
  +    }
  +    lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_hash_dir());
  +    if (lookup == NULL) {
  +        X509_STORE_free(c->crl);
  +        c->crl = NULL;
  +        goto cleanup;
  +    }
  +    X509_LOOKUP_add_dir(lookup, J2S(path), X509_FILETYPE_PEM);
  +    rv = JNI_TRUE;
  +cleanup:
  +    TCN_FREE_CSTRING(path);
  +    return rv;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateChainFile)(TCN_STDARGS, jlong ctx,
  +                                                                  jstring file)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    jboolean rv = JNI_TRUE;
  +
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +    if (!file)
  +        return JNI_FALSE;
  +    if ((c->cert_chain = tcn_pstrdup(e, file, c->pool)) == NULL)
  +        rv = JNI_FALSE;
  +
  +    return rv;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateFile)(TCN_STDARGS, jlong ctx,
  +                                                             jstring file)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    int i;
  +
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +    if (!file)
  +        return JNI_FALSE;
  +    for (i = 0; i < SSL_AIDX_MAX; i++) {
  +        if (!c->pk.s.cert_files[i]) {
  +            c->pk.s.cert_files[i] = tcn_pstrdup(e, file, c->pool);
  +            return JNI_TRUE;
  +        }
  +    }
  +    BIO_printf(c->bio_os, "[ERROR] Only up to %d "
  +               "different certificates per virtual host allowed",
  +               SSL_AIDX_MAX);
  +    return JNI_FALSE;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateKeyFile)(TCN_STDARGS, jlong ctx,
  +                                                                jstring file)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    int i;
  +
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +    if (!file)
  +        return JNI_FALSE;
  +    for (i = 0; i < SSL_AIDX_MAX; i++) {
  +        if (!c->pk.s.key_files[i]) {
  +            c->pk.s.key_files[i] = tcn_pstrdup(e, file, c->pool);
  +            return JNI_TRUE;
  +        }
  +    }
  +    BIO_printf(c->bio_os, "[ERROR] Only up to %d "
  +               "different private keys per virtual host allowed",
  +               SSL_AIDX_MAX);
  +    return JNI_FALSE;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCACertificateFile)(TCN_STDARGS, jlong ctx,
  +                                                               jstring file)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    jboolean rv = JNI_TRUE;
  +
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +    if (!file)
  +        return JNI_FALSE;
  +    if ((c->ca_cert_file = tcn_pstrdup(e, file, c->pool)) == NULL)
  +        rv = JNI_FALSE;
  +
  +    return rv;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCACertificatePath)(TCN_STDARGS, jlong ctx,
  +                                                               jstring path)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    jboolean rv = JNI_TRUE;
  +
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +    if (!path)
  +        return JNI_FALSE;
  +    if ((c->ca_cert_path = tcn_pstrdup(e, path, c->pool)) == NULL)
  +        rv = JNI_FALSE;
  +
  +    return rv;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCANDRCertificateFile)(TCN_STDARGS, jlong ctx,
  +                                                                  jstring file)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    jboolean rv = JNI_TRUE;
  +
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +    if (!file)
  +        return JNI_FALSE;
  +    if ((c->pk.s.ca_name_file = tcn_pstrdup(e, file, c->pool)) == NULL)
  +        rv = JNI_FALSE;
  +
  +    return rv;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCANDRCertificatePath)(TCN_STDARGS, jlong ctx,
  +                                                                  jstring path)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    jboolean rv = JNI_TRUE;
  +
  +    UNREFERENCED(o);
  +    TCN_ASSERT(ctx != 0);
  +    if (!path)
  +        return JNI_FALSE;
  +    if ((c->pk.s.ca_name_path = tcn_pstrdup(e, path, c->pool)) == NULL)
  +        rv = JNI_FALSE;
  +
  +    return rv;
  +}
  +
   #else
   /* OpenSSL is not supported
    * If someday we make OpenSSL optional
  
  
  
  1.9       +81 -1     jakarta-tomcat-connectors/jni/native/src/sslutils.c
  
  Index: sslutils.c
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- sslutils.c	1 Jun 2005 15:20:14 -0000	1.8
  +++ sslutils.c	2 Jun 2005 07:44:39 -0000	1.9
  @@ -24,12 +24,16 @@
   #include "apr_file_io.h"
   #include "apr_portable.h"
   #include "apr_thread_mutex.h"
  +#include "apr_hash.h"
   
   #include "tcn.h"
   
   #ifdef HAVE_OPENSSL
   #include "ssl_private.h"
   
  +extern apr_hash_t  *tcn_private_keys;
  +extern apr_hash_t  *tcn_public_certs;
  +
   
   /*  _________________________________________________________________
   **
  @@ -351,6 +355,82 @@
       return (DH *)conn->ctx->temp_keys[idx];
   }
   
  +void SSL_vhost_algo_id(const unsigned char *vhost_id, unsigned char *md, int algo)
  +{
  +    MD5_CTX c;
  +    MD5_Init(&c);
  +    MD5_Update(&c, vhost_id, MD5_DIGEST_LENGTH);
  +    switch (algo) {
  +        case SSL_ALGO_UNKNOWN:
  +            MD5_Update(&c, "UNKNOWN", 7);
  +        break;
  +        case SSL_ALGO_RSA:
  +            MD5_Update(&c, "RSA", 3);
  +        break;
  +        case SSL_ALGO_DSA:
  +            MD5_Update(&c, "DSA", 3);
  +        break;
  +    }
  +    MD5_Final(md, &c);
  +}
  +
  +/*
  + * Read a file that optionally contains the server certificate in PEM
  + * format, possibly followed by a sequence of CA certificates that
  + * should be sent to the peer in the SSL Certificate message.
  + */
  +int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *file,
  +                                  int skipfirst)
  +{
  +    BIO *bio;
  +    X509 *x509;
  +    unsigned long err;
  +    int n;
  +    STACK *extra_certs;
  +
  +    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
  +        return -1;
  +    if (BIO_read_filename(bio, file) <= 0) {
  +        BIO_free(bio);
  +        return -1;
  +    }
  +    /* optionally skip a leading server certificate */
  +    if (skipfirst) {
  +        if ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
  +            BIO_free(bio);
  +            return -1;
  +        }
  +        X509_free(x509);
  +    }
  +    /* free a perhaps already configured extra chain */
  +    extra_certs=SSL_CTX_get_extra_certs(ctx);
  +    if (extra_certs != NULL) {
  +        sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
  +        SSL_CTX_set_extra_certs(ctx,NULL);
  +    }
  +    /* create new extra chain by loading the certs */
  +    n = 0;
  +    while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
  +        if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
  +            X509_free(x509);
  +            BIO_free(bio);
  +            return -1;
  +        }
  +        n++;
  +    }
  +    /* Make sure that only the error is just an EOF */
  +    if ((err = ERR_peek_error()) > 0) {
  +        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
  +              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
  +            BIO_free(bio);
  +            return -1;
  +        }
  +        while (ERR_get_error() > 0) ;
  +    }
  +    BIO_free(bio);
  +    return n;
  +}
  +
   #else
   /* OpenSSL is not supported
    * If someday we make OpenSSL optional
  
  
  

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message