Author: mturk
Date: Mon Sep 19 10:29:10 2011
New Revision: 1172559
URL: http://svn.apache.org/viewvc?rev=1172559&view=rev
Log:
Add CRL file/path config
Modified:
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLCARevocationCheckMode.java
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClientVerifyMode.java
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
Modified:
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties?rev=1172559&r1=1172558&r2=1172559&view=diff
==============================================================================
---
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
(original)
+++
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/LocalStrings.properties
Mon Sep 19 10:29:10 2011
@@ -18,3 +18,4 @@ fips.ENOTIMPL=FIPS was not available at
password.PROMPT=Some of your private key files are encrypted for security
reasons.\
\nIn order to read them you have to provide the pass phrases.\
\nEnter password :
+sslctx.ENOCRLLOC=At least one of CARevocationFile or CARevocationPath must be
configured.
Modified:
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLCARevocationCheckMode.java
URL:
http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLCARevocationCheckMode.java?rev=1172559&r1=1172558&r2=1172559&view=diff
==============================================================================
---
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLCARevocationCheckMode.java
(original)
+++
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLCARevocationCheckMode.java
Mon Sep 19 10:29:10 2011
@@ -27,13 +27,13 @@ public enum SSLCARevocationCheckMode
*/
NONE( 0),
/**
- * Check the peer certificate.
+ * Limits the checks to the end-entity cert.
*/
- CHECK( 1),
+ LEEF( 1),
/**
- * Check the peer certificate.
+ * CRL checks are applied to all certificates in the chain.
*/
- CHECK_ALL( 2);
+ CHAING( 2);
private int value;
private SSLCARevocationCheckMode(int v)
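Review bot: The new constant names `LEEF( 1)` and `CHAING( 2)` read as misspellings of LEAF and CHAIN; the Javadoc on the same lines speaks of the end-entity cert and of the chain, and every caller will have to reproduce the typo, so `LEAF( 1),` and `CHAIN( 2);` would match the descriptions. The text this commit removes from SSLContext.setCARevocationCheck's Javadoc called chain mode the recommended setting, and that recommendation survives nowhere in the diff; it belongs on the chain constant, e.g. `* Recommended setting: a revoked intermediate CA is only detected when the whole chain is checked.` The enum's declaration and the rest of its body are outside the hunk.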
Modified:
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClientVerifyMode.java
URL:
http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClientVerifyMode.java?rev=1172559&r1=1172558&r2=1172559&view=diff
==============================================================================
---
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClientVerifyMode.java
(original)
+++
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLClientVerifyMode.java
Mon Sep 19 10:29:10 2011
@@ -18,6 +18,12 @@ package org.apache.commons.runtime.ssl;
/**
* Represents the SSL client verification mode.
+ * <p>
+ * In practice only levels {@code NONE} and {@code REQUIRE} are really
+ * interesting, because level {@code OPTIONAL} doesn't work with all
+ * browsers and level {@code OPTIONAL_NO_CA} is actually against the
+ * idea of authentication (but can be used to establish SSL test pages, etc.)
+ * </p>
*/
public enum SSLClientVerifyMode
{
@@ -48,7 +54,11 @@ public enum SSLClientVerifyMode
*/
OPTIONAL( 1),
/**
- * Optional.
+ * Optional verification.
+ * <p>
+ * The client may present a valid Certificate but it need not to be
+ * (successfully) verifiable.
+ * </p>
*/
OPTIONAL_NO_CA( 2),
/**
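Review bot: `it need not to be` in the OPTIONAL_NO_CA Javadoc is ungrammatical; `* The client may present a valid certificate but it need not be` followed by `* (successfully) verifiable.` reads correctly. It would also help to state on this constant what the class comment only implies, that a certificate accepted in this mode has not been validated in the sense the class comment gives and must not by itself be treated as authenticating the peer. The enum's declaration starts outside the hunk.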
Modified:
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
URL:
http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java?rev=1172559&r1=1172558&r2=1172559&view=diff
==============================================================================
---
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
(original)
+++
commons/sandbox/runtime/trunk/src/main/java/org/apache/commons/runtime/ssl/SSLContext.java
Mon Sep 19 10:29:10 2011
@@ -41,7 +41,8 @@ public final class SSLContext extends Na
private SSLKey[] keys;
private SSLCertificate[] cert;
-
+ private boolean has_crlset = false;
+
private static native long new0(int protocol, int mode)
throws OperationNotImplementedException;
private static native void free0(long key);
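Review bot: `private boolean has_crlset = false;` is snake_case where the surrounding fields (`keys`, `cert`, `pointer`) are camelCase, and the `= false` initializer is redundant for a boolean field; `private boolean hasCrlSet;` fits the class. It is written only from `synchronized` methods later in this diff, which is consistent, but a one-line comment saying what it records would help a reader, e.g. `// true once a CRL file or directory has been loaded; required by setCARevocationCheck`.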
@@ -54,6 +55,10 @@ public final class SSLContext extends Na
throws SSLException;
private static native void setcapath0(long ctx, String caPath)
throws SSLException;
+ private static native void setcacrlfile0(long ctx, String caPath)
+ throws SSLException;
+ private static native void setcacrlpath0(long ctx, String caPath)
+ throws SSLException;
private static native void setvmode0(long ctx, int mode, int depth)
throws SSLException;
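Review bot: Both new native declarations name their argument `caPath`, copied from `setcapath0` just above, although `setcacrlfile0` receives a file; `private static native void setcacrlfile0(long ctx, String crlFile)` and `private static native void setcacrlpath0(long ctx, String crlPath)` would say what is passed. The names do not affect the JNI binding, but they are the only documentation these natives carry.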
@@ -129,7 +134,7 @@ public final class SSLContext extends Na
{
if (super.pointer == 0L)
throw new IllegalStateException();
- if (path == 0)
+ if (path == null)
throw new NullPointerException();
setcafile0(super.pointer, path);
}
@@ -161,25 +166,73 @@ public final class SSLContext extends Na
{
if (super.pointer == 0L)
throw new IllegalStateException();
- if (path == 0)
+ if (path == null)
throw new NullPointerException();
setcapath0(super.pointer, path);
}
/**
+ * Sets the all-in-one file where you can assemble the Certificate
+ * Revocation Lists (CRL) of Certification Authorities (CA) whose
+ * clients you deal with.
+ * These are used for Client Authentication. Such a file is simply the
+ * concatenation of the various PEM-encoded CRL files, in order
+ * of preference. This can be used alternatively and/or additionally
+ * to {@code setCARevocationPath}.
+ *
+ * @param path file containg PEM-encoded CRL list.
+ * @throws IllegalStateException if context is invalid
+ * @throws SSLException if path cannot be set.
+ */
+ public synchronized void setCARevocationFile(String path)
+ throws SSLException, IllegalStateException
+ {
+ if (super.pointer == 0L)
+ throw new IllegalStateException();
+ if (path == null)
+ throw new NullPointerException();
+ setcacrlfile0(super.pointer, path);
+ has_crlset = true;
+ }
+
+ /**
+ * Sets the directory where you keep the Certificate Revocation Lists
+ * (CRL) of Certification Authorities (CAs) whose clients you deal with.
+ * These are used to revoke the client certificate on Client
+ * Authentication.
+ *
+ * @param path directory containg CRL list.
+ * @throws IllegalStateException if context is invalid
+ * @throws SSLException if path cannot be set.
+ */
+ public synchronized void setCARevocationPath(String path)
+ throws SSLException, IllegalStateException
+ {
+ if (super.pointer == 0L)
+ throw new IllegalStateException();
+ if (path == null)
+ throw new NullPointerException();
+ setcacrlpath0(super.pointer, path);
+ has_crlset = true;
+ }
+
+ /**
* Enables certificate revocation list (CRL) checking.
* <p>
- * At least one of SSLCARevocationFile or SSLCARevocationPath
- * must be configured. When set to chain (recommended setting),
- * CRL checks are applied to all certificates in the chain, while
- * setting it to leaf limits the checks to the end-entity cert.
+ * At least one of setCARevocationFile or setCARevocationPath
+ * must be configured before calling this method.
* </p>
+ * @param mode revocation mode to set.
+ * @throws IllegalStateException if this context is invalid or if
+ * neither setCARevocationFile or setCARevocationPath was set up.
*/
public synchronized void setCARevocationCheck(SSLCARevocationCheckMode
mode)
throws IllegalStateException
{
if (super.pointer == 0L)
throw new IllegalStateException();
+ if (!has_crlset)
+ throw new IllegalStateException(Local.sm.get("sslctx.ENOCRLLOC"));
setcrlcheck0(super.pointer, mode.valueOf());
}
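Review bot: The new guard `if (!has_crlset)` in setCARevocationCheck also rejects `SSLCARevocationCheckMode.NONE`, so a caller can no longer switch revocation checking off on a context that never loaded a CRL location; `if (mode != SSLCARevocationCheckMode.NONE && !has_crlset)` keeps the requirement for the modes that need CRLs. A null `mode` reaches `mode.valueOf()` on the next line, while the two new setters throw explicitly, so `if (mode == null) throw new NullPointerException();` here would keep the three methods consistent. `has_crlset` is set only after the native call returns, so a load that fails with SSLException leaves it false, which is right; it records only that a location was loaded, not that a CRL for the issuing CA exists, which can only be observed at verification time, and the Javadoc could say so. The Javadoc of both new setters spells `containg` and documents neither the NullPointerException they throw.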
Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
URL:
http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c?rev=1172559&r1=1172558&r2=1172559&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
(original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Mon Sep
19 10:29:10 2011
@@ -299,6 +299,30 @@ ACR_SSL_EXPORT(void, SSLContext, setcapa
} DONE_WITH_STR(capath);
}
+ACR_SSL_EXPORT(void, SSLContext, setcacrlfile0)(JNI_STDARGS, jlong ctx,
+ jstring file)
+{
+ acr_ssl_ctx_t *c = J2P(ctx, acr_ssl_ctx_t *);
+ if (c->store == 0)
+ c->store = SSL_CTX_get_cert_store(c->ctx);
+ WITH_CSTR(file) {
+ if (!X509_STORE_load_locations(c->store, J2S(file), 0))
+ ssl_throw_errno(env, ACR_EX_ESSL);
+ } DONE_WITH_STR(file);
+}
+
+ACR_SSL_EXPORT(void, SSLContext, setcacrlpath0)(JNI_STDARGS, jlong ctx,
+ jstring path)
+{
+ acr_ssl_ctx_t *c = J2P(ctx, acr_ssl_ctx_t *);
+ if (c->store == 0)
+ c->store = SSL_CTX_get_cert_store(c->ctx);
+ WITH_CSTR(path) {
+ if (!X509_STORE_load_locations(c->store, 0, J2S(path)))
+ ssl_throw_errno(env, ACR_EX_ESSL);
+ } DONE_WITH_STR(path);
+}
+
ACR_SSL_EXPORT(void, SSLContext, setcrlcheck0)(JNI_STDARGS, jlong ctx,
jint ccmode)
{
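Review bot: `X509_STORE_load_locations(c->store, J2S(file), 0)` in setcacrlfile0 loads every PEM object in the file into the context's certificate store, certificates included, so a file passed to setCARevocationFile can also add trust anchors; if only CRLs are wanted, a file lookup restricts it: `X509_LOOKUP *lu = X509_STORE_add_lookup(c->store, X509_LOOKUP_file());` followed by `if (lu == 0 || !X509_load_crl_file(lu, J2S(file), X509_FILETYPE_PEM)) ssl_throw_errno(env, ACR_EX_ESSL);`. The directory variant in setcacrlpath0 registers the path with OpenSSL's hashed-directory lookup, which finds CRLs by issuer-hash file name at verification time, so a directory of arbitrarily named files is accepted here but yields no CRLs later; the Javadoc of setCARevocationPath should say the directory must be in that hashed form. `c` is dereferenced without a null check in both new functions, which appears consistent with the neighbouring exports as far as the hunk shows. setcrlcheck0 begins at the bottom of the hunk and its body is outside it.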