tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Hawkins" <brianh...@gmail.com>
Subject Client certificate using tomcat native
Date Fri, 27 Jun 2008 18:05:34 GMT
I've finally been able to get the client certificate while using tomcat
native for my SSL connections.  This is using Tomcat 5.5.25.

Here is what doesn't work:
Calling request.getAttribute("javax.servlet.request.X509Certificate") is
supposed to return the client certificate chain.  This attribute is
populated by a call, down in the depths of the native code, to
SSL_get_peer_cert_chain().  The openssl documentation for
SSL_get_peer_cert_chain (
http://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html) says:

SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
forming the certificate chain of the peer. If called on the client side, the
stack also contains the peer's certificate; if called on the server side,
the peer's certificate must be obtained separately using
SSL_get_peer_certificate(3)<http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html#>.
If the peer did not present a certificate, NULL is returned.

So according to that it only returns the CA chain and not the actual client
cert.  I'm not sure what the client chain is worth without the client cert.

The fix to this problem can be made in Http11AprProcessor in the action()
method under the ACTION_REQ_SSL_ATTRIBUTE if block by adding the following
code:

// Client certificate
byte[] certdata = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT);
if (certdata != null)
{
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream stream = new ByteArrayInputStream(certdata);
request.setAttribute("ClientCert", cf.generateCertificate(stream));
}

Personally I think the attribute name should be
"javax.servlet.request.X509Certificate" but I'll let the list decide that
one.

Brian

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message