tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mt...@apache.org
Subject cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c
Date Thu, 02 Jun 2005 10:19:32 GMT
mturk       2005/06/02 03:19:32

  Modified:    jni/java/org/apache/tomcat/jni SSLContext.java
               jni/native/src sslcontext.c
  Log:
  Add functions for Certificate verification level and depth
  for the Client Authentication.
  
  Revision  Changes    Path
  1.11      +50 -1     jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java
  
  Index: SSLContext.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- SSLContext.java	2 Jun 2005 09:52:46 -0000	1.10
  +++ SSLContext.java	2 Jun 2005 10:19:32 -0000	1.11
  @@ -295,4 +295,53 @@
        */
       public static native boolean setCADNRequestPath(long ctx, String path);
   
  +    /**
  +     * Set Maximum depth of CA Certificates in Client Certificate verification
  +     * <br />
  +     * This directive sets how deeply mod_ssl should verify before deciding that
  +     * the clients don't have a valid certificate. Notice that this directive can
  +     * be used both in per-server and per-directory context. In per-server context
  +     * it applies to the client authentication process used in the standard SSL
  +     * handshake when a connection is established. In per-directory context it forces
  +     * a SSL renegotation with the reconfigured client verification depth after the
  +     * HTTP request was read but before the HTTP response is sent.
  +     * <br />
  +     * The depth actually is the maximum number of intermediate certificate issuers,
  +     * i.e. the number of CA certificates which are max allowed to be followed while
  +     * verifying the client certificate. A depth of 0 means that self-signed client
  +     * certificates are accepted only, the default depth of 1 means the client
  +     * certificate can be self-signed or has to be signed by a CA which is directly
  +     * known to the server (i.e. the CA's certificate is under
  +     * <code>setCACertificatePath</code>), etc.
  +     * @param ctx Server or Client context to use.
  +     * @param depth Maximum depth of CA Certificates in Client Certificate
  +     *              verification.
  +     */
  +    public static native void setVerifyDepth(long ctx, int depth);
  +
  +    /**
  +     * Set Type of Client Certificate verification
  +     * <br />
  +     * This directive sets the Certificate verification level for the Client
  +     * Authentication. Notice that this directive can be used both in per-server
  +     * and per-directory context. In per-server context it applies to the client
  +     * authentication process used in the standard SSL handshake when a connection
  +     * is established. In per-directory context it forces a SSL renegotation with
  +     * the reconfigured client verification level after the HTTP request was read
  +     * but before the HTTP response is sent.
  +     * <br />
  +     * The following levels are available for level:
  +     * <PRE>
  +     * SSL_CVERIFY_NONE           - No client Certificate is required at all
  +     * SSL_CVERIFY_OPTIONAL       - The client may present a valid Certificate
  +     * SSL_CVERIFY_REQUIRE        - The client has to present a valid Certificate
  +     * SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate
  +     *                              but it need not to be (successfully) verifiable
  +     * </PRE>
  +     * <code>setCACertificatePath</code>), etc.
  +     * @param ctx Server or Client context to use.
  +     * @param level Type of Client Certificate verification.
  +     */
  +    public static native boolean setVerifyClient(long ctx, int level);
  +
   }
  
  
  
  1.17      +29 -2     jakarta-tomcat-connectors/jni/native/src/sslcontext.c
  
  Index: sslcontext.c
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- sslcontext.c	2 Jun 2005 09:52:46 -0000	1.16
  +++ sslcontext.c	2 Jun 2005 10:19:32 -0000	1.17
  @@ -183,7 +183,12 @@
   
       SSL_CTX_set_tmp_rsa_callback(c->ctx, SSL_callback_tmp_RSA);
       SSL_CTX_set_tmp_dh_callback(c->ctx,  SSL_callback_tmp_DH);
  -
  +    
  +    /* Set default Certificate verification level 
  +     * and depth for the Client Authentication
  +     */
  +    c->verify_depth = 1;
  +    c->verify_mode  = SSL_CVERIFY_UNSET;
       /*
        * Let us cleanup the ssl context when the pool is destroyed
        */
  @@ -546,6 +551,28 @@
       return rv;
   }
   
  +TCN_IMPLEMENT_CALL(void, SSLContext, setVerifyDepth)(TCN_STDARGS, jlong ctx,
  +                                                     jint depth)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +
  +    UNREFERENCED_STDARGS;
  +    TCN_ASSERT(ctx != 0);
  +    c->verify_depth = depth;
  +}
  +
  +TCN_IMPLEMENT_CALL(jboolean, SSLContext, setVerifyClient)(TCN_STDARGS, jlong ctx,
  +                                                          jint level)
  +{
  +    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +
  +    UNREFERENCED_STDARGS;
  +    TCN_ASSERT(ctx != 0);
  +    c->verify_mode = level;
  +    /* TODO: Add verification code callback */
  +    return JNI_TRUE;
  +}
  +
   #else
   /* OpenSSL is not supported
    * If someday we make OpenSSL optional
  
  
  

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message