From fb11bcd42aed364f77cd1b07a0d3139496817dea Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 31 May 2019 15:20:46 -0400
Subject: [PATCH] Use JSSKeyManager and JSSTrustManager from JSS

With jss-pr#159 merged, we've added a KeyManager and TrustManager to the JSS default provider that we should use instead of the instances in-tree.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/org/dogtagpki/tomcat/JSSKeyManager.java | 146 -------------
src/org/dogtagpki/tomcat/JSSTrustManager.java | 197 ------------------
.../src/org/dogtagpki/tomcat/JSSUtil.java | 3 +
3 files changed, 3 insertions(+), 343 deletions(-)
delete mode 100644 src/org/dogtagpki/tomcat/JSSKeyManager.java
delete mode 100644 src/org/dogtagpki/tomcat/JSSTrustManager.java

diff --git a/src/org/dogtagpki/tomcat/JSSKeyManager.java b/src/org/dogtagpki/tomcat/JSSKeyManager.java
deleted file mode 100644
index 1f94260..0000000
--- a/src/org/dogtagpki/tomcat/JSSKeyManager.java
+++ /dev/null
@@ -1,146 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Copyright (C) 2017 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.dogtagpki.tomcat;
-
-import java.net.Socket;
-import java.security.Principal;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-
-import javax.net.ssl.X509KeyManager;
-
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.crypto.ObjectNotFoundException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import sun.security.x509.X509CertImpl;
-
-public class JSSKeyManager implements X509KeyManager {
-
- final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
-
- @Override
- public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
- logger.debug("JSSKeyManager: chooseClientAlias()");
-
- logger.debug("JSSKeyManager: key types:");
- for (String keyType : keyTypes) {
- logger.debug("JSSKeyManager: - " + keyType);
- }
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
- logger.debug("JSSKeyManager: chooseServerAlias()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public X509Certificate[] getCertificateChain(String alias) {
-
- logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
-
- try {
- CryptoManager cm = CryptoManager.getInstance();
- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
-
- org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
- logger.debug("JSSKeyManager: cert chain:");
-
- Collection<X509Certificate> list = new ArrayList<>();
- for (org.mozilla.jss.crypto.X509Certificate c : chain) {
- logger.debug("JSSKeyManager: - " + c.getSubjectDN());
- list.add(new X509CertImpl(c.getEncoded()));
- }
-
- return list.toArray(new X509Certificate[list.size()]);
-
- } catch (Throwable e) {
- logger.error(e.getMessage(), e);
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public String[] getClientAliases(String keyType, Principal[] issuers) {
- logger.debug("JSSKeyManager: getClientAliases()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public PrivateKey getPrivateKey(String alias) {
-
- logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
-
- try {
- CryptoManager cm = CryptoManager.getInstance();
- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
- PrivateKey privateKey = cm.findPrivKeyByCert(cert);
-
- logger.debug("JSSKeyManager: key found: " + alias);
- return privateKey;
-
- } catch (ObjectNotFoundException e) {
- logger.debug("JSSKeyManager: key not found: " + alias);
- return null;
-
- } catch (Throwable e) {
- logger.error(e.getMessage(), e);
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public String[] getServerAliases(String keyType, Principal[] issuers) {
- logger.debug("JSSKeyManager: getServerAliases()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-}
diff --git a/src/org/dogtagpki/tomcat/JSSTrustManager.java b/src/org/dogtagpki/tomcat/JSSTrustManager.java
deleted file mode 100644
index 87c7bdd..0000000
--- a/src/org/dogtagpki/tomcat/JSSTrustManager.java
+++ /dev/null
@@ -1,197 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Copyright (C) 2017 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.dogtagpki.tomcat;
-
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-
-import javax.net.ssl.X509TrustManager;
-
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.NotInitializedException;
-import org.mozilla.jss.netscape.security.util.Cert;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import sun.security.x509.X509CertImpl;
-
-public class JSSTrustManager implements X509TrustManager {
-
- final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
-
- final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
- final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
-
- public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
-
- logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
-
- // sort cert chain from root to leaf
- certChain = Cert.sortCertificateChain(certChain);
-
- for (X509Certificate cert : certChain) {
- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
- }
-
- // get CA certs
- X509Certificate[] caCerts = getAcceptedIssuers();
-
- // validating cert chain from root to leaf
- for (int i = 0; i < certChain.length; i++) {
-
- X509Certificate cert = certChain[i];
-
- // validating key usage on leaf cert only
- String usage;
- if (i == certChain.length - 1) {
- usage = keyUsage;
- } else {
- usage = null;
- }
-
- checkCert(cert, caCerts, usage);
-
- // use the current cert as the CA cert for the next cert in the chain
- caCerts = new X509Certificate[] { cert };
- }
- }
-
- public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
-
- logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
-
- boolean[] aki = cert.getIssuerUniqueID();
- logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
-
- X509Certificate issuer = null;
- for (X509Certificate caCert : caCerts) {
-
- boolean[] ski = caCert.getSubjectUniqueID();
- logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
-
- try {
- cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
- issuer = caCert;
- break;
- } catch (Exception e) {
- logger.debug("JSSTrustManager: invalid certificate: " + e);
- }
- }
-
- if (issuer == null) {
- throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
- }
-
- logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
-
- logger.debug("JSSTrustManager: checking validity range:");
- logger.debug("JSSTrustManager: - not before: " + cert.getNotBefore());
- logger.debug("JSSTrustManager: - not after: " + cert.getNotAfter());
- cert.checkValidity();
-
- if (keyUsage != null) {
-
- List<String> extendedKeyUsages = cert.getExtendedKeyUsage();
- logger.debug("JSSTrustManager: checking extended key usages:");
-
- for (String extKeyUsage : extendedKeyUsages) {
- logger.debug("JSSTrustManager: - " + extKeyUsage);
- }
-
- if (extendedKeyUsages.contains(keyUsage)) {
- logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
- } else {
- throw new CertificateException("Missing extended key usage: " + keyUsage);
- }
- }
- }
-
- @Override
- public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
-
- logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
-
- try {
- checkCertChain(certChain, CLIENT_AUTH_OID);
- logger.debug("JSSTrustManager: SSL client certificate is valid");
-
- } catch (CertificateException e) {
- logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
- throw e;
-
- } catch (Exception e) {
- logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
- throw new CertificateException(e);
- }
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
-
- logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
-
- try {
- checkCertChain(certChain, SERVER_AUTH_OID);
- logger.debug("JSSTrustManager: SSL server certificate is valid");
-
- } catch (CertificateException e) {
- logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
- throw e;
-
- } catch (Exception e) {
- logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
- throw new CertificateException(e);
- }
- }
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
-
- logger.debug("JSSTrustManager: getAcceptedIssuers():");
-
- Collection<X509Certificate> caCerts = new ArrayList<>();
-
- try {
- CryptoManager manager = CryptoManager.getInstance();
- for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
-
- try {
- X509CertImpl caCert = new X509CertImpl(cert.getEncoded());
- caCert.checkValidity();
- caCerts.add(caCert);
-
- } catch (Exception e) {
- logger.debug("JSSTrustManager: invalid CA certificate: " + e);
- }
- }
-
- } catch (NotInitializedException e) {
- logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e);
- throw new RuntimeException(e);
- }
-
- return caCerts.toArray(new X509Certificate[caCerts.size()]);
- }
-}
diff --git a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
index 22c607d..a2e3cd5 100644
--- a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
+++ b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
@@ -28,6 +28,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;
+import org.mozilla.jss.provider.javax.crypto.JSSTrustManager;
+
 public class JSSUtil extends JSSEUtil {
 public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
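Review bot: The replacement trust manager enters JSSUtil.java by import alone, so the file no longer records what the TLS trust decision is expected to enforce; the deleted in-tree JSSTrustManager verified each chain element's signature against the JSS CA store, called checkValidity() on every certificate and required the serverAuth or clientAuth extended key usage on the leaf, and nothing in this patch shows whether org.mozilla.jss.provider.javax.crypto.JSSTrustManager performs the same checks. A comment beside the two new imports would make the dependency and the expectation explicit, e.g. `// Provided by JSS since jss-pr#159; replaces the in-tree key/trust managers and is expected to keep the chain, validity and EKU checks they performed.` The imports are also placed after the org.slf4j group instead of in alphabetical order with the other org.mozilla.jss imports that presumably sit above this hunk. The JSSUtil class body continues outside the hunk.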