Author: markt Date: Fri Jan 30 09:36:10 2015 New Revision: 1655972 URL: http://svn.apache.org/r1655972 Log: Push the remaining action down to the SocketWrapper
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/SocketWrapperBase.java tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1655972&r1=1655971&r2=1655972&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Fri Jan 30 09:36:10 2015
@@ -980,8 +980,25 @@ public abstract class AbstractHttp11Proc
 }
 break;
 }
- default: {
- actionInternal(actionCode, param);
+ case REQ_SSL_CERTIFICATE: {
+ if (sslSupport != null && socketWrapper.getSocket() != null) {
+ // Consume and buffer the request body, so that it does not
+ // interfere with the client's handshake messages
+ InputFilter[] inputFilters = getInputBuffer().getFilters();
+ ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(
+ maxSavePostSize);
+ getInputBuffer().addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+
+ try {
+ socketWrapper.doClientAuth(sslSupport);
+ Object sslO = sslSupport.getPeerCertificateChain();
+ if (sslO != null) {
+ request.setAttribute(SSLSupport.CERTIFICATE_KEY, sslO);
+ }
+ } catch (IOException ioe) {
+ getLog().warn(sm.getString("http11processor.socket.ssl"), ioe);
+ }
+ }
 break;
 }
 }
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java?rev=1655972&r1=1655971&r2=1655972&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java Fri Jan 30 09:36:10 2015
@@ -16,19 +16,10 @@
 */
 package org.apache.coyote.http11;
-import java.io.ByteArrayInputStream;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-
 import org.apache.coyote.ActionCode;
-import org.apache.coyote.http11.filters.BufferedInputFilter;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
-import org.apache.tomcat.jni.SSL;
-import org.apache.tomcat.jni.SSLSocket;
 import org.apache.tomcat.util.net.AbstractEndpoint;
-import org.apache.tomcat.util.net.AprEndpoint;
-import org.apache.tomcat.util.net.SSLSupport;
 /**
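Review bot: The `catch (IOException ioe)` wrapped around `socketWrapper.doClientAuth(sslSupport)` can never observe a failed renegotiation, because `doClientAuth` is declared in SocketWrapperBase without a `throws` clause: the NIO and NIO2 wrappers log and swallow the IOException from `rehandshake()` themselves, the APR wrapper discards `SSLSocket.renegotiate`'s status, and this code then calls `getPeerCertificateChain()` as if the handshake had succeeded. Declaring `public abstract void doClientAuth(SSLSupport sslSupport) throws IOException;` and letting the three wrappers propagate instead of logging would route every failure through this existing catch; the same point applies to the SocketWrapperBase, AprEndpoint, Nio2Endpoint and NioEndpoint hunks. Separately, the `default:` branch that forwarded to `actionInternal` is removed rather than replaced, so any ActionCode this switch does not handle is now dropped silently and the three `// Unused` overrides are dead code — if `actionInternal` is being retired, a follow-up should delete the abstract method, otherwise keep a `default` that still calls it. The APR guard also changes from `endpoint.isSSLEnabled() && socketRef != 0` to `sslSupport != null`; whether the APR processor populates `sslSupport` on every TLS connection is not visible here, and if it does not this action becomes a silent no-op — worth confirming. The enclosing `action()` method starts before this hunk.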
@@ -64,50 +55,7 @@ public class Http11AprProcessor extends
 * @param param Action parameter
 */
 @Override
- @SuppressWarnings("incomplete-switch") // Other cases are handled by action()
 public void actionInternal(ActionCode actionCode, Object param) {
-
- long socketRef = socketWrapper.getSocket().longValue();
-
- switch (actionCode) {
- case REQ_SSL_CERTIFICATE: {
- if (endpoint.isSSLEnabled() && (socketRef != 0)) {
- // Consume and buffer the request body, so that it does not
- // interfere with the client's handshake messages
- InputFilter[] inputFilters = getInputBuffer().getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
- getInputBuffer().addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
- try {
- // Configure connection to require a certificate
- SSLSocket.setVerify(socketRef, SSL.SSL_CVERIFY_REQUIRE,
- ((AprEndpoint)endpoint).getSSLVerifyDepth());
- // Renegotiate certificates
- if (SSLSocket.renegotiate(socketRef) == 0) {
- // Don't look for certs unless we know renegotiation worked.
- // Get client certificate and the certificate chain if present
- // certLength == -1 indicates an error
- int certLength = SSLSocket.getInfoI(socketRef,SSL.SSL_INFO_CLIENT_CERT_CHAIN);
- byte[] clientCert = SSLSocket.getInfoB(socketRef, SSL.SSL_INFO_CLIENT_CERT);
- X509Certificate[] certs = null;
- if (clientCert != null && certLength > -1) {
- certs = new X509Certificate[certLength + 1];
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- certs[0] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCert));
- for (int i = 0; i < certLength; i++) {
- byte[] data = SSLSocket.getInfoB(socketRef, SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
- certs[i+1] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(data));
- }
- }
- if (certs != null) {
- request.setAttribute(SSLSupport.CERTIFICATE_KEY, certs);
- }
- }
- } catch (Exception e) {
- log.warn(sm.getString("http11processor.socket.ssl"), e);
- }
- }
- break;
- }
- }
+ // Unused
 }
 }
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java?rev=1655972&r1=1655971&r2=1655972&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11Nio2Processor.java Fri Jan 30 09:36:10 2015
@@ -16,19 +16,11 @@
 */
 package org.apache.coyote.http11;
-import java.io.IOException;
-
-import javax.net.ssl.SSLEngine;
-
 import org.apache.coyote.ActionCode;
-import org.apache.coyote.http11.filters.BufferedInputFilter;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.net.Nio2Channel;
-import org.apache.tomcat.util.net.Nio2Endpoint;
-import org.apache.tomcat.util.net.SSLSupport;
-import org.apache.tomcat.util.net.SecureNio2Channel;
 /**
@@ -61,48 +53,7 @@ public class Http11Nio2Processor extends
 * @param param Action parameter
 */
 @Override
- @SuppressWarnings("incomplete-switch") // Other cases are handled by action()
 public void actionInternal(ActionCode actionCode, Object param) {
-
- switch (actionCode) {
- case REQ_SSL_CERTIFICATE: {
- if (sslSupport != null && socketWrapper.getSocket() != null) {
- /*
- * Consume and buffer the request body, so that it does not
- * interfere with the client's handshake messages
- */
- InputFilter[] inputFilters = getInputBuffer().getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- getInputBuffer().addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
- SecureNio2Channel sslChannel = (SecureNio2Channel) socketWrapper.getSocket();
- SSLEngine engine = sslChannel.getSslEngine();
- if (!engine.getNeedClientAuth()) {
- // Need to re-negotiate SSL connection
- engine.setNeedClientAuth(true);
- try {
- sslChannel.rehandshake();
- sslSupport = ((Nio2Endpoint)endpoint).getHandler()
- .getSslImplementation().getSSLSupport(
- engine.getSession());
- } catch (IOException ioe) {
- log.warn(sm.getString("http11processor.socket.sslreneg"), ioe);
- }
- }
-
- try {
- Object sslO = sslSupport.getPeerCertificateChain();
- if( sslO != null) {
- request.setAttribute
- (SSLSupport.CERTIFICATE_KEY, sslO);
- }
- } catch (Exception e) {
- log.warn(sm.getString("http11processor.socket.ssl"), e);
- }
- }
- break;
- }
- }
+ // Unused
 }
 }
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java?rev=1655972&r1=1655971&r2=1655972&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java Fri Jan 30 09:36:10 2015
@@ -16,19 +16,11 @@
 */
 package org.apache.coyote.http11;
-import java.io.IOException;
-
-import javax.net.ssl.SSLEngine;
-
 import org.apache.coyote.ActionCode;
-import org.apache.coyote.http11.filters.BufferedInputFilter;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.net.NioChannel;
-import org.apache.tomcat.util.net.NioEndpoint;
-import org.apache.tomcat.util.net.SSLSupport;
-import org.apache.tomcat.util.net.SecureNioChannel;
 /**
@@ -63,48 +55,7 @@ public class Http11NioProcessor extends
 * @param param Action parameter
 */
 @Override
- @SuppressWarnings("incomplete-switch") // Other cases are handled by action()
 public void actionInternal(ActionCode actionCode, Object param) {
-
- switch (actionCode) {
- case REQ_SSL_CERTIFICATE: {
- if (sslSupport != null) {
- /*
- * Consume and buffer the request body, so that it does not
- * interfere with the client's handshake messages
- */
- InputFilter[] inputFilters = getInputBuffer().getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- getInputBuffer().addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
- SecureNioChannel sslChannel = (SecureNioChannel) socketWrapper.getSocket();
- SSLEngine engine = sslChannel.getSslEngine();
- if (!engine.getNeedClientAuth()) {
- // Need to re-negotiate SSL connection
- engine.setNeedClientAuth(true);
- try {
- sslChannel.rehandshake(endpoint.getSoTimeout());
- sslSupport = ((NioEndpoint)endpoint).getHandler()
- .getSslImplementation().getSSLSupport(
- engine.getSession());
- } catch (IOException ioe) {
- log.warn(sm.getString("http11processor.socket.sslreneg",ioe));
- }
- }
-
- try {
- Object sslO = sslSupport.getPeerCertificateChain();
- if( sslO != null) {
- request.setAttribute
- (SSLSupport.CERTIFICATE_KEY, sslO);
- }
- } catch (Exception e) {
- log.warn(sm.getString("http11processor.socket.ssl"), e);
- }
- }
- break;
- }
- }
+ // Unused
 }
 }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1655972&r1=1655971&r2=1655972&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri Jan 30 09:36:10 2015
@@ -2749,5 +2749,15 @@ public class AprEndpoint extends Abstrac
 log.warn(sm.getString("endpoint.warn.noLocalPort"), e);
 }
 }
+
+
+ @Override
+ public void doClientAuth(SSLSupport sslSupport) {
+ long socket = getSocket().longValue();
+ // Configure connection to require a certificate
+ SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE,
+ ((AprEndpoint)getEndpoint()).getSSLVerifyDepth());
+ SSLSocket.renegotiate(socket);
+ }
 }
 }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java?rev=1655972&r1=1655971&r2=1655972&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java Fri Jan 30 09:36:10 2015
@@ -54,6 +54,7 @@ import org.apache.tomcat.util.ExceptionU
 import org.apache.tomcat.util.buf.ByteBufferHolder;
 import org.apache.tomcat.util.collections.SynchronizedStack;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
+import org.apache.tomcat.util.net.jsse.JSSESupport;
 import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
 /**
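Review bot: `SSLSocket.renegotiate(socket)`'s return value is discarded, whereas the Http11AprProcessor code this replaces only looked for certificates when it returned 0 ("Don't look for certs unless we know renegotiation worked"), so a failed renegotiation is now neither reported nor distinguishable from a successful one by the caller. At minimum check it and log, `if (SSLSocket.renegotiate(socket) != 0) { log.warn(sm.getString("<renegotiation-failed key in this package's LocalStrings>")); }`, and if `doClientAuth` gains a `throws IOException` clause, throw instead so the processor's catch handles it. Note also that `setVerify` and `renegotiate` run unconditionally here, while the NIO wrappers skip the rehandshake when the engine already requires client auth; whether a repeated setVerify/renegotiate on the same APR connection is harmless is not visible in this hunk.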
@@ -1416,6 +1417,23 @@ public class Nio2Endpoint extends Abstra
 localPort = ((InetSocketAddress) socketAddress).getPort();
 }
 }
+
+
+ @Override
+ public void doClientAuth(SSLSupport sslSupport) {
+ SecureNio2Channel sslChannel = (SecureNio2Channel) getSocket();
+ SSLEngine engine = sslChannel.getSslEngine();
+ if (!engine.getNeedClientAuth()) {
+ // Need to re-negotiate SSL connection
+ engine.setNeedClientAuth(true);
+ try {
+ sslChannel.rehandshake();
+ ((JSSESupport) sslSupport).setSession(engine.getSession());
+ } catch (IOException ioe) {
+ log.warn(sm.getString("http11processor.socket.sslreneg"), ioe);
+ }
+ }
+ }
 }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1655972&r1=1655971&r2=1655972&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Fri Jan 30 09:36:10 2015
@@ -55,6 +55,7 @@ import org.apache.tomcat.util.Introspect
 import org.apache.tomcat.util.collections.SynchronizedQueue;
 import org.apache.tomcat.util.collections.SynchronizedStack;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
+import org.apache.tomcat.util.net.jsse.JSSESupport;
 import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
 /**
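Review bot: `((JSSESupport) sslSupport).setSession(engine.getSession())` is an unchecked cast that the processor's `catch (IOException)` does not cover: if the configured SSLImplementation hands out an SSLSupport that is not a JSSESupport, this throws ClassCastException out of the action, where the removed Http11Nio2Processor code stayed implementation-neutral via `getSslImplementation().getSSLSupport(engine.getSession())`. Guard it, `if (sslSupport instanceof JSSESupport) { ((JSSESupport) sslSupport).setSession(engine.getSession()); }` with a warning in the else branch, or keep obtaining the support object from the SSLImplementation. The warning also resolves `http11processor.socket.sslreneg` through this package's `sm`; that key looks like it belongs to the org.apache.coyote.http11 LocalStrings, so unless the util.net bundle defines it too the log line will carry the StringManager's missing-key text — worth verifying. Both points apply equally to the NioEndpoint hunk.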
@@ -1604,6 +1605,23 @@ public class NioEndpoint extends Abstrac
 protected void populateLocalPort() {
 localPort = getSocket().getIOChannel().socket().getLocalPort();
 }
+
+
+ @Override
+ public void doClientAuth(SSLSupport sslSupport) {
+ SecureNioChannel sslChannel = (SecureNioChannel) getSocket();
+ SSLEngine engine = sslChannel.getSslEngine();
+ if (!engine.getNeedClientAuth()) {
+ // Need to re-negotiate SSL connection
+ engine.setNeedClientAuth(true);
+ try {
+ sslChannel.rehandshake(getEndpoint().getSoTimeout());
+ ((JSSESupport) sslSupport).setSession(engine.getSession());
+ } catch (IOException ioe) {
+ log.warn(sm.getString("http11processor.socket.sslreneg",ioe));
+ }
+ }
+ }
 }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SocketWrapperBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SocketWrapperBase.java?rev=1655972&r1=1655971&r2=1655972&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SocketWrapperBase.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SocketWrapperBase.java Fri Jan 30 09:36:10 2015
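Review bot: `log.warn(sm.getString("http11processor.socket.sslreneg",ioe));` passes the exception as a message-format argument instead of as the throwable, so the stack trace of a failed rehandshake is lost and at best the exception's toString is substituted into the message; the Nio2Endpoint counterpart passes it correctly. Change it to `log.warn(sm.getString("http11processor.socket.sslreneg"), ioe);`. The mistake was carried over verbatim from Http11NioProcessor, but moving the code is the moment to fix it.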
@@ -616,6 +616,15 @@ public abstract class SocketWrapperBase<
 */
 public abstract SendfileState processSendfile(SendfileDataBase sendfileData);
+ /**
+ * Require the client to perform CLIENT-CERT authentication if it hasn't
+ * already done so.
+ *
+ * @param sslSupport The SSL/TLS support instance currently being used by
+ * the connection that may need updating after the client
+ * authentication
+ */
+ public abstract void doClientAuth(SSLSupport sslSupport);
 // --------------------------------------------------------- Utility methods
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java?rev=1655972&r1=1655971&r2=1655972&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Fri Jan 30 09:36:10 2015
@@ -45,8 +45,7 @@ import org.apache.tomcat.util.res.String
 Parts cribbed from JSSECertCompat
 Parts cribbed from CertificatesValve
 */
-
-class JSSESupport implements SSLSupport, SSLSessionManager {
+public class JSSESupport implements SSLSupport, SSLSessionManager {
 private static final Log log = LogFactory.getLog(JSSESupport.class);
@@ -171,6 +170,11 @@ class JSSESupport implements SSLSupport,
 }
+ public void setSession(SSLSession session) {
+ this.session = session;
+ }
+
+
 /**
 * Invalidate the session this support object is associated with.
 */
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
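Review bot: The new Javadoc promises client authentication "if it hasn't already done so", but the three implementations in this commit disagree on what that means: NioEndpoint and Nio2Endpoint skip the rehandshake when `engine.getNeedClientAuth()` is already true, while AprEndpoint always calls setVerify and renegotiate. Either state the contract precisely here, for example adding `Implementations may return without renegotiating when the connection already requires a client certificate; failures are reported by the implementation and the caller should check getPeerCertificateChain() afterwards.`, or make the APR implementation perform the same check. The comment should also say whether `sslSupport` may be null, since AbstractHttp11Processor only calls this when it is non-null and the NIO implementations cast it without checking.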
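Review bot: `setSession` is a new public mutator on a class that this commit also makes public, yet it has no Javadoc and accepts null without comment; add `/** Replaces the session this object reports on, e.g. after a renegotiation that obtained the client's certificate chain. */` and either reject null explicitly or document that it is allowed. Whether JSSESupport caches anything derived from the previous session is not visible in this hunk (only the field assignment is shown); if it does, the setter should reset that state so `getPeerCertificateChain()` cannot return the pre-renegotiation result.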