Since certs are public anyhow (not keys), here's the decoding done by
openssl x509 -in ... -text:

On 20.11.2009 18:49, Rainer Jung wrote:
> The following line from your mod_jk log really shows what is being
> forwarded as an attribute to Tomcat. This is logged after retrieving the
> data from Apache but before sending it over the wire. At least we know
> we got the data from Apache, and because it is three and not four certs
> it is likely that the root will not be forwarded.
> 
> On 20.11.2009 17:20, Christopher Schultz wrote:
> [Fri Nov 20 15:45:13.878 2009] [7826:3057286032] [debug]
> init_ws_service::mod_jk.c (867): SSL client certificate (3620 bytes):
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5194 (0x144a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Client Signing Certificate
        Validity
            Not Before: Nov 19 21:49:05 2009 GMT
            Not After : Nov 19 21:49:05 2011 GMT
        Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS/Franklin Square Hospital WiPad #1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:be:4d:ec:eb:51:bd:81:a3:cf:3d:76:74:87:43:
                    d0:92:6a:5d:49:c3:44:b9:79:5f:fb:e0:89:46:30:
                    d9:c3:4b:d3:d8:67:c2:13:b5:d2:57:8f:78:7d:07:
                    53:9b:f0:f8:d6:a6:c0:c9:43:4d:eb:6f:4a:10:11:
                    f5:f9:d6:7b:7a:b5:c8:d0:81:1a:15:87:55:06:3c:
                    5d:2e:5a:fc:b2:46:a9:8a:dc:4b:e6:c8:67:6d:44:
                    2a:60:12:d9:27:7f:f7:bb:0d:5f:38:c8:6c:b1:2c:
                    3f:5d:4b:e0:f3:07:c3:67:0e:81:95:fa:46:5f:43:
                    e1:f1:20:ca:7b:5b:e3:4a:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2F:8B:B7:A0:9D:08:D7:D8:F5:8F:D1:4E:EC:F9:81:64:82:95:A8:4C
            X509v3 Authority Key Identifier:
                keyid:A8:3B:94:BD:96:05:91:B8:8C:C1:67:5F:8E:0D:AF:88:95:1D:ED:FF
    Signature Algorithm: sha1WithRSAEncryption
        15:73:34:ba:73:2e:be:e7:f5:69:b9:41:22:16:e0:63:79:49:
        7f:53:23:de:49:3d:d4:1c:94:56:b5:03:31:94:df:09:6c:a6:
        9b:77:4c:e3:2a:16:5f:75:cb:eb:b8:9a:b5:83:56:e5:b3:41:
        72:bf:a9:3a:d3:d9:07:9f:6f:20:2f:e4:89:a7:59:63:88:ca:
        a8:d9:84:78:46:77:5c:73:a7:b0:4a:54:9e:f8:00:fd:ad:49:
        18:64:51:6b:8a:f8:ef:37:a9:b8:f0:83:b6:0e:d1:55:38:e2:
        2b:e3:25:5f:c6:24:4a:42:2e:87:27:39:d5:c0:29:3c:78:0f:
        0f:c8


> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13120 (0x3340)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Root Signing Certificate
        Validity
            Not Before: Nov 19 21:48:33 2009 GMT
            Not After : Nov 17 21:48:33 2019 GMT
        Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Client Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b3:16:5c:bc:3f:f6:79:ab:67:08:25:df:86:31:
                    2a:73:e4:0b:49:56:03:19:46:01:70:08:7f:03:80:
                    3e:f4:8b:35:c8:84:d5:17:c3:1a:07:52:3c:89:f5:
                    cf:2e:b1:9c:ad:34:52:5d:a5:cd:05:08:a5:ab:b6:
                    f8:29:78:20:bf:18:5b:db:a1:2d:b2:8b:dc:c2:d6:
                    9d:f1:24:91:be:ca:47:c8:c5:44:ae:90:63:31:f0:
                    be:f9:03:e8:b6:82:93:49:f0:78:f3:5d:b2:5b:72:
                    0a:dd:e8:f7:3a:b8:f4:e2:8e:c6:ec:2f:f5:39:59:
                    0d:20:88:3d:be:48:d3:11:ed
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A8:3B:94:BD:96:05:91:B8:8C:C1:67:5F:8E:0D:AF:88:95:1D:ED:FF
            X509v3 Authority Key Identifier:
                keyid:28:4D:6A:5D:F0:2D:9D:8D:5D:29:E6:0D:5D:B4:20:1E:D3:92:CF:06
                DirName:/C=US/ST=Maryland/L=Baltimore/O=Total Child Health, Inc./OU=CHADIS/CN=CHADIS Root Certificate
                serial:21:5E
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        47:77:ea:63:4b:e6:33:cf:40:37:94:e9:11:a7:04:c9:4a:cb:
        31:43:87:c9:ff:9d:8b:8c:46:2f:b6:b2:39:b8:31:81:90:5d:
        3f:c9:71:1a:23:83:c1:03:31:3b:f4:d8:aa:84:01:33:91:20:
        29:45:b5:61:7c:d6:ec:02:be:8f:0f:44:ff:08:e8:b7:81:4e:
        5d:7a:3c:e8:8b:29:99:77:30:20:6b:06:a0:4c:04:a4:3f:85:
        14:29:05:4a:04:59:10:b5:b9:86:07:92:cd:37:37:17:b0:e7:
        9a:ae:41:54:d3:2c:1a:b6:04:94:e7:30:a1:79:a5:a4:8a:77:
        d5:cf

> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8542 (0x215e)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Maryland, L=Baltimore, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Root Certificate
        Validity
            Not Before: Nov 19 21:47:49 2009 GMT
            Not After : Nov 17 21:47:49 2019 GMT
        Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Root Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d1:1f:47:c2:20:b2:d8:43:a1:a5:60:83:cb:2a:
                    a4:a4:07:4f:3c:79:23:8e:7b:76:b9:59:83:ec:33:
                    bf:b6:87:16:7f:09:f8:65:a3:e9:16:1c:64:c6:57:
                    f8:63:e6:63:53:34:d3:ab:ce:56:0f:ff:47:63:e5:
                    23:c0:c5:66:f7:ad:cb:48:fe:d4:af:9e:0d:4e:60:
                    72:43:6e:e1:cf:7a:6e:00:50:5b:ba:27:c6:c2:58:
                    ac:75:54:74:70:10:8f:84:38:20:12:1e:cc:93:57:
                    1e:b3:c3:37:46:71:e4:f0:75:93:8b:27:46:ae:87:
                    e0:c3:e7:4e:07:af:f2:74:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                28:4D:6A:5D:F0:2D:9D:8D:5D:29:E6:0D:5D:B4:20:1E:D3:92:CF:06
            X509v3 Authority Key Identifier:
                keyid:3B:61:C2:3A:2C:8A:D6:CE:F7:45:1B:25:01:98:D0:EA:9E:C8:F5:52
                DirName:/C=US/ST=Maryland/L=Baltimore/O=Total Child Health, Inc./OU=CHADIS/CN=CHADIS Root Certificate
                serial:DD:E4:58:AD:15:68:11:0B
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        4e:a7:22:14:a9:19:1d:fa:ce:e3:fb:d2:ca:a0:39:cb:a2:f8:
        ab:ed:b0:2d:a8:a8:9c:e2:10:43:6b:cd:25:bd:69:a1:1d:1a:
        27:c3:5f:4f:d4:78:c6:36:f7:85:fd:6f:60:da:51:8e:26:d5:
        96:e2:ff:26:d3:cc:43:71:90:af:aa:c0:f6:53:81:fb:0d:e7:
        19:17:c2:6f:20:ad:7c:ff:af:cc:b5:cd:3d:49:91:d9:74:10:
        7e:46:8a:1a:5b:a9:be:42:38:87:61:52:20:2a:f9:c7:6a:7d:
        ae:6c:45:ed:02:07:5a:25:c4:3f:14:a9:59:4e:44:37:22:93:
        27:47


You expected

Root Cert <- Root Signing Cert <- Sub Signing Cert <- My Client Cert

and instead we see:

Issuer: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS,
CN=CHADIS Client Signing Certificate
Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS,
CN=CHADIS/Franklin Square Hospital WiPad #1

Issuer: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS,
CN=CHADIS Root Signing Certificate
Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS,
CN=CHADIS Client Signing Certificate

Issuer: C=US, ST=Maryland, L=Baltimore, O=Total Child Health, Inc.,
OU=CHADIS, CN=CHADIS Root Certificate
Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS,
CN=CHADIS Root Signing Certificate

So in fact the root is missing when sending the whole stuff. The native
code in Apache and mod_jk looks like it sends the client cert and the
cert chain, and the cert chain is retrieved via
SSL_get_peer_cert_chain(), which unfortunately is not really documented
as to whether it includes the root or not :(

The OpenSSL code looks like it only returns the chain provided by the
client, and the client should not provide the root.

At the moment I see no way of getting the root CA which verified the
client chain from OpenSSL or Apache, so especially no way to forward it.
The root should really be available directly to Tomcat in some
certificate store and the client side of the chain received via mod_jk
and TC 5.5.28 should be verified against that locally available root.


Does that make sense?

Regards,

Rainer
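The behaviour described in this mail, that the chain handed over by Apache stops at the last intermediate and the root has to come from a trust store local to the verifier, can be reproduced with openssl. The script below is an added example, not code from the mail or from mod_jk: it builds a constructed three-level hierarchy shaped like the decoded one (all names, subjects and file names are made up) and verifies the client cert once without and once with the root available locally.

```shell
#!/bin/sh
# Added example (not from the original mail). Builds a constructed hierarchy
# shaped like the decoded one: Root -> Root Signing -> Client Signing -> client.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles, written inline so the script is self-contained.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# issue NAME SUBJECT EXTFILE [ISSUER]; no ISSUER means a self-signed root.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
      -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
      -CAcreateserial -days 3650 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

issue root    "/O=Example/CN=Root Certificate"           ca.ext
issue rootsig "/O=Example/CN=Root Signing Certificate"   ca.ext   root
issue clisig  "/O=Example/CN=Client Signing Certificate" ca.ext   rootsig
issue client  "/O=Example/CN=Client Cert 1"              leaf.ext clisig

# What arrives via SSL_get_peer_cert_chain(): the intermediates the client
# sent, and nothing above them. The root is deliberately not included.
cat clisig.pem rootsig.pem > sent-chain.pem

# verify_client with|without -> prints "ok" or "fail".
# The received intermediates are only ever -untrusted; the trust anchor has
# to come from a local store (root.pem here), or verification cannot complete.
verify_client() {
  case "$1" in
    with)    trust="-CAfile root.pem" ;;
    without) trust="-no-CAfile" ;;
  esac
  if openssl verify $trust -no-CApath -untrusted sent-chain.pem client.pem \
       >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

echo "root absent locally:  $(verify_client without)"   # fail
echo "root in local store:  $(verify_client with)"      # ok
```

The first call fails with "unable to get local issuer certificate" because the top of the received chain is only issued by the root, not accompanied by it; the second succeeds because the root is supplied as a local trust anchor, which is the setup this mail recommends for Tomcat.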
