tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 37869] - Cannot obtain client certificate with SSL / client certificate authentication using APR components
Date Sun, 21 Jan 2007 23:49:00 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37869>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37869





------- Additional Comments From marcin.burdyk@aigcredit.pl  2007-01-21 15:49 -------
(From update of attachment 19425)
>Index: connectors/http11/src/java/org/apache/coyote/http11/Http11AprProcessor.java
>===================================================================
>--- Http11AprProcessor.java	(revision 496746)
>+++ Http11AprProcessor.java	(working copy)
>@@ -1095,16 +1095,29 @@
>                             (AprEndpoint.CIPHER_SUITE_KEY, sslO);
>                     }
>                     // Client certificate chain if present
>+                    //////////////////////////////////////////////////
>+                    // CP: does not include client certificate, only CA certificates
>+                    // see documentation of SSL_get_peer_cert_chain() in openssl and
sslinfo.c in native APR code
>+                    // SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
forming the certificate chain of the peer.
>+                    // If called on the client side, the stack also contains the peer's
certificate;
>+                    // if called on the server side, the peer's certificate must be obtained
separately using SSL_get_peer_certificate(3).
>+                    // If the peer did not present a certificate, NULL is returned.
>+                    //
>                     int certLength = SSLSocket.getInfoI(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN);
>+                    // retrieve client certificate
>+                    byte[] clientCert = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT);
>                     X509Certificate[] certs = null;
>-                    if (certLength > 0) {
>-                        certs = new X509Certificate[certLength];
>+                    if (clientCert != null) {
>+                        certs = new X509Certificate[certLength+1]; // add one for the
client certificate
>+
>+                        CertificateFactory cf =
>+                        CertificateFactory.getInstance("X.509");
>+
>+                        certs[0] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCert));
>+
>                         for (int i = 0; i < certLength; i++) {
>                             byte[] data = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN
+ i);
>-                            CertificateFactory cf =
>-                                CertificateFactory.getInstance("X.509");
>-                            ByteArrayInputStream stream = new ByteArrayInputStream(data);
>-                            certs[i] = (X509Certificate) cf.generateCertificate(stream);
>+                            certs[i+1] = (X509Certificate) cf.generateCertificate(new
ByteArrayInputStream(data));
>                         }
>                     }
>                     if (certs != null) {
>@@ -1142,16 +1155,29 @@
>                     // Renegociate certificates
>                     SSLSocket.renegotiate(socket);
>                     // Client certificate chain if present
>+                    //////////////////////////////////////////////////
>+                    // CP: does not include client certificate, only CA certificates
>+                    // see documentation of SSL_get_peer_cert_chain() in openssl and
sslinfo.c in native APR code
>+                    // SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
forming the certificate chain of the peer.
>+                    // If called on the client side, the stack also contains the peer's
certificate;
>+                    // if called on the server side, the peer's certificate must be obtained
separately using SSL_get_peer_certificate(3).
>+                    // If the peer did not present a certificate, NULL is returned.
>+                    //
>                     int certLength = SSLSocket.getInfoI(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN);
>+                    // retrieve client certificate
>+                    byte[] clientCert = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT);
>                     X509Certificate[] certs = null;
>-                    if (certLength > 0) {
>-                        certs = new X509Certificate[certLength];
>+                    if (clientCert != null) {
>+                        certs = new X509Certificate[certLength+1]; // add one for the
client certificate
>+
>+                        CertificateFactory cf =
>+                        CertificateFactory.getInstance("X.509");
>+
>+                        certs[0] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCert));
>+
>                         for (int i = 0; i < certLength; i++) {
>                             byte[] data = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN
+ i);
>-                            CertificateFactory cf =
>-                                CertificateFactory.getInstance("X.509");
>-                            ByteArrayInputStream stream = new ByteArrayInputStream(data);
>-                            certs[i] = (X509Certificate) cf.generateCertificate(stream);
>+							certs[i+1] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(data));
>                         }
>                     }
>                     if (certs != null) {


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message