Author: markt Date: Fri Feb 22 18:44:37 2019 New Revision: 1854165 URL: http://svn.apache.org/viewvc?rev=1854165&view=rev Log: Refactor with a view to using this with AprEndpoint where we'll want to add multiple certificates to a single context (unlike JSSE where we need one context per certificate)
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1854165&r1=1854164&r2=1854165&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Fri Feb 22 18:44:37 2019 
@@ -245,42 +245,12 @@ public class OpenSSLContext implements o // List the ciphers that the client is permitted to negotiate SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers()); - // Load Server key and certificate - if (certificate.getCertificateFile() != null) { - // Set certificate - SSLContext.setCertificate(ctx, - SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()), - SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()), - certificate.getCertificateKeyPassword(), SSL.SSL_AIDX_RSA); - // Set certificate chain file - SSLContext.setCertificateChainFile(ctx, - SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false); - // Set revocation - SSLContext.setCARevocation(ctx, - SSLHostConfig.adjustRelativePath( - sslHostConfig.getCertificateRevocationListFile()), - SSLHostConfig.adjustRelativePath( - sslHostConfig.getCertificateRevocationListPath())); - } else { + if (certificate.getCertificateFile() == null) { x509KeyManager = chooseKeyManager(kms); - String alias = certificate.getCertificateKeyAlias(); - if (alias == null) { - alias = "tomcat"; - } - X509Certificate[] chain = x509KeyManager.getCertificateChain(alias); - if (chain == null) { - alias = findAlias(x509KeyManager, certificate); - chain = x509KeyManager.getCertificateChain(alias); - } - PrivateKey key = x509KeyManager.getPrivateKey(alias); - StringBuilder sb = new StringBuilder(BEGIN_KEY); - sb.append(Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(key.getEncoded())); - sb.append(END_KEY); - SSLContext.setCertificateRaw(ctx, chain[0].getEncoded(), sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA); - for (int i = 1; i < chain.length; i++) { - SSLContext.addChainCertificateRaw(ctx, chain[i].getEncoded()); - } } + + addCertificate(certificate); + // Client certificate verification int value = 0; switch (sslHostConfig.getCertificateVerification()) { 
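Review bot: `x509KeyManager` is now assigned only inside `if (certificate.getCertificateFile() == null)`, yet the new `addCertificate` (second hunk) reads that field every time it is given a certificate without a file, so once this method is called repeatedly per context as the log message intends, a keystore-backed certificate added after a file-backed one would presumably find the field still null and fail with a bare NullPointerException inside the alias lookup. The enclosing method starts and ends outside this hunk, so I cannot see whether `kms` is available later; if it is not, the cheapest fix is to make the precondition explicit at the top of `addCertificate`'s key-manager branch, `if (x509KeyManager == null) { throw new IllegalStateException("No key manager available for certificate without a certificateFile"); }`, and to state in that method's Javadoc that a key manager must have been selected first. That turns a silent NPE in native TLS setup into a diagnosable configuration error.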
@@ -404,6 +374,46 @@ public class OpenSSLContext implements o } } + + public void addCertificate(SSLHostConfigCertificate certificate) throws Exception { + // Load Server key and certificate + if (certificate.getCertificateFile() != null) { + // Set certificate + SSLContext.setCertificate(ctx, + SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()), + SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()), + certificate.getCertificateKeyPassword(), SSL.SSL_AIDX_RSA); + // Set certificate chain file + SSLContext.setCertificateChainFile(ctx, + SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false); + // Set revocation + SSLContext.setCARevocation(ctx, + SSLHostConfig.adjustRelativePath( + sslHostConfig.getCertificateRevocationListFile()), + SSLHostConfig.adjustRelativePath( + sslHostConfig.getCertificateRevocationListPath())); + } else { + String alias = certificate.getCertificateKeyAlias(); + if (alias == null) { + alias = "tomcat"; + } + X509Certificate[] chain = x509KeyManager.getCertificateChain(alias); + if (chain == null) { + alias = findAlias(x509KeyManager, certificate); + chain = x509KeyManager.getCertificateChain(alias); + } + PrivateKey key = x509KeyManager.getPrivateKey(alias); + StringBuilder sb = new StringBuilder(BEGIN_KEY); + sb.append(Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(key.getEncoded())); + sb.append(END_KEY); + SSLContext.setCertificateRaw(ctx, chain[0].getEncoded(), sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA); + for (int i = 1; i < chain.length; i++) { + SSLContext.addChainCertificateRaw(ctx, chain[i].getEncoded()); + } + } + } + + /* * Find a valid alias when none was specified in the config. */ --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
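Review bot: `addCertificate` becomes a public method here but carries no Javadoc and no guard on the results of the keystore lookups: if `getCertificateChain(alias)` is still null after `findAlias`, or `getPrivateKey(alias)` returns null, `chain[0].getEncoded()` and `key.getEncoded()` throw a NullPointerException that never names the alias. I'd add, after the `PrivateKey key = ...` line, `if (chain == null || chain.length == 0 || key == null) { throw new IllegalArgumentException("No certificate chain or private key found for alias [" + alias + "]"); }` so a misconfigured keystore is reported as such. The Javadoc should say that the certificate is added to this context's `ctx`, that the `setCARevocation` call applies to the whole context (it reads `sslHostConfig`, not `certificate`, so it is re-applied on every call), and which exceptions callers should expect, since `throws Exception` gives them nothing to catch specifically. Narrowing that clause to the checked types the `SSLContext` native calls and `getEncoded()` actually declare would be a small follow-up.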