tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mt...@apache.org
Subject cvs commit: jakarta-tomcat-connectors/jni/native/src sslcontext.c sslutils.c
Date Thu, 02 Jun 2005 11:07:07 GMT
mturk       2005/06/02 04:07:07

  Modified:    jni/native/include ssl_private.h
               jni/native/src sslcontext.c sslutils.c
  Log:
  Implement Client Authentication verify callback and CA initialization.
  
  Revision  Changes    Path
  1.11      +12 -1     jakarta-tomcat-connectors/jni/native/include/ssl_private.h
  
  Index: ssl_private.h
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- ssl_private.h	2 Jun 2005 07:44:38 -0000	1.10
  +++ ssl_private.h	2 Jun 2005 11:07:06 -0000	1.11
  @@ -88,6 +88,14 @@
   #define SSL_DEFAULT_CACHE_SIZE  (256)
   #define SSL_DEFAULT_VHOST_NAME  ("_default_:443")
   #define SSL_MAX_STR_LEN         2048
  +
  +#define SSL_CVERIFY_UNSET           (-1)
  +#define SSL_CVERIFY_NONE            (0)
  +#define SSL_CVERIFY_OPTIONAL        (1)
  +#define SSL_CVERIFY_REQUIRE         (2)
  +#define SSL_CVERIFY_OPTIONAL_NO_CA  (3)
  +#define SSL_VERIFY_PEER_STRICT      (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
  +
   /* public cert/private key */
   typedef struct {
       /*
  @@ -167,5 +175,8 @@
   RSA        *SSL_callback_tmp_RSA(SSL *, int, int);
   DH         *SSL_callback_tmp_DH(SSL *, int, int);
   void        SSL_vhost_algo_id(const unsigned char *, unsigned char *, int);
  +int         SSL_callback_SSL_verify(int, X509_STORE_CTX *);
  +STACK_OF(X509_NAME)
  +            *SSL_init_findCAList(tcn_ssl_ctxt_t *, const char *, const char *);
   
   #endif /* SSL_PRIVATE_H */
  
  
  
  1.18      +66 -4     jakarta-tomcat-connectors/jni/native/src/sslcontext.c
  
  Index: sslcontext.c
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- sslcontext.c	2 Jun 2005 10:19:32 -0000	1.17
  +++ sslcontext.c	2 Jun 2005 11:07:06 -0000	1.18
  @@ -183,8 +183,8 @@
   
       SSL_CTX_set_tmp_rsa_callback(c->ctx, SSL_callback_tmp_RSA);
       SSL_CTX_set_tmp_dh_callback(c->ctx,  SSL_callback_tmp_DH);
  -    
  -    /* Set default Certificate verification level 
  +
  +    /* Set default Certificate verification level
        * and depth for the Client Authentication
        */
       c->verify_depth = 1;
  @@ -565,11 +565,73 @@
                                                             jint level)
   {
       tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
  +    int verify = SSL_VERIFY_NONE;
  +    STACK_OF(X509_NAME) *ca_list;
   
       UNREFERENCED_STDARGS;
       TCN_ASSERT(ctx != 0);
       c->verify_mode = level;
  -    /* TODO: Add verification code callback */
  +
  +    if (c->verify_mode == SSL_CVERIFY_UNSET)
  +        c->verify_mode = SSL_CVERIFY_NONE;
  +
  +    /*
  +     *  Configure callbacks for SSL context
  +     */
  +    if (c->verify_mode == SSL_CVERIFY_REQUIRE)
  +        verify |= SSL_VERIFY_PEER_STRICT;
  +    if ((c->verify_mode == SSL_CVERIFY_OPTIONAL) ||
  +        (c->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
  +        verify |= SSL_VERIFY_PEER;
  +
  +    SSL_CTX_set_verify(c->ctx, verify, SSL_callback_SSL_verify);
  +   /*
  +     * Configure Client Authentication details
  +     */
  +    if (c->ca_cert_file || c->ca_cert_path) {
  +        if (!SSL_CTX_load_verify_locations(c->ctx,
  +                         c->ca_cert_file,
  +                         c->ca_cert_path)) {
  +            BIO_printf(c->bio_os, "[ERROR] "
  +                       "Unable to configure verify locations "
  +                       "for client authentication");
  +            return JNI_FALSE;
  +        }
  +
  +        if (c->mode && (c->pk.s.ca_name_file || c->pk.s.ca_name_path))
{
  +            ca_list = SSL_init_findCAList(c,
  +                                          c->pk.s.ca_name_file,
  +                                          c->pk.s.ca_name_path);
  +        }
  +        else {
  +            ca_list = SSL_init_findCAList(c,
  +                                          c->ca_cert_file,
  +                                          c->ca_cert_path);
  +        }
  +        if (!ca_list) {
  +            BIO_printf(c->bio_os, "[ERROR] "
  +                       "Unable to determine list of acceptable "
  +                       "CA certificates for client authentication");
  +            return JNI_FALSE;
  +        }
  +        SSL_CTX_set_client_CA_list(c->ctx, (STACK *)ca_list);
  +    }
  +
  +    /*
  +     * Give a warning when no CAs were configured but client authentication
  +     * should take place. This cannot work.
  +     */
  +    if (c->verify_mode == SSL_CVERIFY_REQUIRE) {
  +        ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(c->ctx);
  +
  +        if (sk_X509_NAME_num(ca_list) == 0) {
  +            BIO_printf(c->bio_os,
  +                       "[WARN] Oops, you want to request client "
  +                       "authentication, but no CAs are known for "
  +                       "verification!?  [Hint: setCACertificate*]");
  +        }
  +    }
  +
       return JNI_TRUE;
   }
   
  
  
  
  1.10      +109 -1    jakarta-tomcat-connectors/jni/native/src/sslutils.c
  
  Index: sslutils.c
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- sslutils.c	2 Jun 2005 07:44:39 -0000	1.9
  +++ sslutils.c	2 Jun 2005 11:07:07 -0000	1.10
  @@ -25,6 +25,7 @@
   #include "apr_portable.h"
   #include "apr_thread_mutex.h"
   #include "apr_hash.h"
  +#include "apr_strings.h"
   
   #include "tcn.h"
   
  @@ -431,6 +432,113 @@
       return n;
   }
   
  +static int ssl_init_X509NameCmp(X509_NAME **a, X509_NAME **b)
  +{
  +    return (X509_NAME_cmp(*a, *b));
  +}
  +
  +static void ssl_init_pushCAList(STACK_OF(X509_NAME) *ca_list,
  +                                const char *file)
  +{
  +    int n;
  +    STACK_OF(X509_NAME) *sk;
  +
  +    sk = (STACK_OF(X509_NAME) *)
  +             SSL_load_client_CA_file((char *)file);
  +
  +    if (!sk) {
  +        return;
  +    }
  +
  +    for (n = 0; n < sk_X509_NAME_num(sk); n++) {
  +        X509_NAME *name = sk_X509_NAME_value(sk, n);
  +        /*
  +         * note that SSL_load_client_CA_file() checks for duplicates,
  +         * but since we call it multiple times when reading a directory
  +         * we must also check for duplicates ourselves.
  +         */
  +
  +        if (sk_X509_NAME_find(ca_list, name) < 0) {
  +            /* this will be freed when ca_list is */
  +            sk_X509_NAME_push(ca_list, name);
  +        }
  +        else {
  +            /* need to free this ourselves, else it will leak */
  +            X509_NAME_free(name);
  +        }
  +    }
  +    sk_X509_NAME_free(sk);
  +}
  +
  +STACK_OF(X509_NAME) *SSL_init_findCAList(tcn_ssl_ctxt_t *c,
  +                                         const char *ca_file,
  +                                         const char *ca_path)
  +{
  +    STACK_OF(X509_NAME) *ca_list;
  +
  +    /*
  +     * Start with a empty stack/list where new
  +     * entries get added in sorted order.
  +     */
  +    ca_list = sk_X509_NAME_new(ssl_init_X509NameCmp);
  +
  +    /*
  +     * Process CA certificate bundle file
  +     */
  +    if (ca_file)
  +        ssl_init_pushCAList(ca_list, ca_file);
  +
  +    /*
  +     * Process CA certificate path files
  +     */
  +    if (ca_path) {
  +        apr_dir_t *dir;
  +        apr_finfo_t direntry;
  +        apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
  +        apr_status_t rv;
  +        apr_pool_t *ptemp;
  +
  +        if ((apr_pool_create(&ptemp, c->pool)) != APR_SUCCESS)
  +            return NULL;
  +        if ((rv = apr_dir_open(&dir, ca_path, c->pool)) != APR_SUCCESS) {
  +            BIO_printf(c->bio_os, "[ERROR] "
  +                       "Failed to open Certificate Path `%s'",
  +                       ca_path);
  +            apr_pool_destroy(ptemp);
  +            return NULL;
  +        }
  +
  +        while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
  +            const char *file;
  +            if (direntry.filetype == APR_DIR)
  +                continue; /* don't try to load directories */
  +            file = apr_pstrcat(ptemp, ca_path, "/", direntry.name, NULL);
  +            ssl_init_pushCAList(ca_list, file);
  +        }
  +
  +        apr_dir_close(dir);
  +        apr_pool_destroy(ptemp);
  +    }
  +
  +    /*
  +     * Cleanup
  +     */
  +    sk_X509_NAME_set_cmp_func(ca_list, NULL);
  +    return ca_list;
  +}
  +
  +
  +/*
  + * This OpenSSL callback function is called when OpenSSL
  + * does client authentication and verifies the certificate chain.
  + */
  +int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
  +{
  +
  +    /* TODO: Dummy function for now */
  +    return 1;
  +}
  +
   #else
   /* OpenSSL is not supported
    * If someday we make OpenSSL optional
  
  
  

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message