The duplicate code for configuring default SSL version ranges has
been merged into reusable methods in CryptoUtil.

Pushed to master under trivial rule.

--
Endi S. Dewata
>From 4d6e6d05d5270a0e81ae12e2583cae9c49667c88 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Fri, 17 Mar 2017 02:01:20 +0100
Subject: [PATCH] Removed duplicate code to configure SSL version ranges.

The duplicate code for configuring default SSL version ranges has
been merged into reusable methods in CryptoUtil.
---
 .../com/netscape/certsrv/client/PKIConnection.java | 27 ++------
 .../admin/certsrv/connection/JSSConnection.java    | 73 ++++++++++++----------
 .../src/com/netscape/cmstools/HttpClient.java      | 24 ++-----
 .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 24 +++++++
 4 files changed, 74 insertions(+), 74 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
index 301c4c69b5e14181dae3471156d046b643727d54..2c979eac22db32036b2653a510a561e0a979d7a9 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
@@ -84,7 +84,7 @@ import org.mozilla.jss.ssl.SSLSocket;
 
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.cmsutil.crypto.CryptoUtil;
-
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 
 public class PKIConnection {
 
@@ -332,24 +332,8 @@ public class PKIConnection {
                 localAddr = localAddress.getAddress();
             }
 
-            org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
-                new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
-                    org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
-                    org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
-            SSLSocket.setSSLVersionRangeDefault(
-                    org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
-                    stream_range);
-
-            org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
-                new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
-                    org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
-                    org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
-            SSLSocket.setSSLVersionRangeDefault(
-                    org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
-                    datagram_range);
-
+            CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
+            CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
             CryptoUtil.setClientCiphers();
 
             SSLSocket socket;
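Review bot: The version-floor policy is still duplicated after the refactor: the `TLS_1_0`/`TLS_1_2` stream range and `TLS_1_1`/`TLS_1_2` datagram range are hard-coded identically here, in JSSConnection (its second hunk) and in HttpClient, so raising the floor later still means three coordinated edits. A single `CryptoUtil.setDefaultSSLVersionRanges()` holding the policy, or reading the minimum from configuration, would complete the deduplication the commit starts. A short comment at the call site would also help, e.g. `// stream floor TLS 1.0, datagram floor TLS 1.1 — TODO document why the floors differ and when they can be raised`. The enclosing method continues outside the hunk.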
@@ -364,8 +348,9 @@ public class PKIConnection {
             } else {
                 socket = new SSLSocket(sock, hostName, callback, null);
             }
-// setSSLVersionRange needs to be exposed in jss
-//            socket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+            // SSLSocket.setSSLVersionRange() needs to be exposed in JSS
+            // socket.setSSLVersionRange(SSLVersionRange.tls1_0, SSLVersionRange.tls1_2);
 
             String certNickname = config.getCertNickname();
             if (certNickname != null) {
diff --git a/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java b/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
index 6908ed992154ef3bd04124cc2ba116e49bb865cf..8678b537886bc28b1ec81f9f61be8337b2f8c00f 100644
--- a/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
+++ b/base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
@@ -17,24 +17,45 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.admin.certsrv.connection;
 
-import java.util.*;
-import java.net.*;
-import java.io.*;
+import java.awt.Container;
+import java.awt.GridBagConstraints;
+import java.awt.GridBagLayout;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.net.SocketException;
+import java.net.UnknownHostException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import com.netscape.admin.certsrv.*;
-import com.netscape.certsrv.common.*;
-import com.netscape.management.client.util.Debug;
-import com.netscape.management.client.util.*;
-import org.mozilla.jss.ssl.*;
-import org.mozilla.jss.*;
-import org.mozilla.jss.util.*;
-import org.mozilla.jss.crypto.*;
-import org.mozilla.jss.pkcs11.*;
-import javax.swing.*;
-import java.awt.*;
+import java.util.Enumeration;
+import java.util.ResourceBundle;
+import java.util.Vector;
 
+import javax.swing.JComboBox;
+import javax.swing.JFrame;
+import javax.swing.JLabel;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.InternalCertificate;
+import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
+import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.util.Password;
+import org.mozilla.jss.util.PasswordCallback;
+import org.mozilla.jss.util.PasswordCallbackInfo;
+
+import com.netscape.admin.certsrv.CMSAdminResources;
 import com.netscape.cmsutil.crypto.CryptoUtil;
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
+import com.netscape.management.client.util.AbstractDialog;
+import com.netscape.management.client.util.Debug;
+import com.netscape.management.client.util.GridBagUtil;
+import com.netscape.management.client.util.MultilineLabel;
+import com.netscape.management.client.util.SingleBytePasswordField;
+import com.netscape.management.client.util.UtilConsoleGlobals;
 
 /**
  * JSSConnection deals with establishing a connection to
@@ -98,24 +119,8 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
         } catch (Exception e) {
         }
 
-        org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
-            new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
-                org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
-                org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
-        SSLSocket.setSSLVersionRangeDefault(
-            org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
-            stream_range);
-
-        org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
-            new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
-                org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
-                org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
-        SSLSocket.setSSLVersionRangeDefault(
-            org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
-            datagram_range);
-
+        CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
+        CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
         CryptoUtil.setClientCiphers();
 
         s = new SSLSocket(host, port, null, 0, this, this);
@@ -509,8 +514,8 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
 
 	private boolean endOfHeader(byte[] hdr, int available) {
 		if (available == 2) {
-			int c1 = (int)hdr[0];
-			int c2 = (int)hdr[1];
+			int c1 = hdr[0];
+			int c2 = hdr[1];
 
 			//System.out.println("C1= " + c1);
 			//System.out.println("C2= " + c2);
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
index 6a008bf2cba32d5b66c4ade8741fa58d8290b9e8..aa3bd174385c4fa6a04ac5ce330a5a0d54b6973a 100644
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
@@ -41,6 +41,7 @@ import org.mozilla.jss.ssl.SSLSocket;
 import org.mozilla.jss.util.Password;
 
 import com.netscape.cmsutil.crypto.CryptoUtil;
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 import com.netscape.cmsutil.util.Utils;
 
 /**
@@ -122,29 +123,14 @@ public class HttpClient {
                 token.login(pass);
 
                 SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
-                org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
-                    new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
-                        org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
-                        org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
-                SSLSocket.setSSLVersionRangeDefault(
-                    org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
-                    stream_range);
-
-                org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
-                    new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
-                        org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
-                        org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
-                SSLSocket.setSSLVersionRangeDefault(
-                    org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
-                    datagram_range);
 
+                CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
+                CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
                 CryptoUtil.setClientCiphers();
 
                 sslSocket = new SSLSocket(_host, _port);
-                // setSSLVersionRange needs to be exposed in jss
-                // sslSocket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+                // SSLSocket.setSSLVersionRange() needs to be exposed in JSS
+                // sslSocket.setSSLVersionRange(SSLVersionRange.tls1_0, SSLVersionRange.tls1_2);
                 sslSocket.addHandshakeCompletedListener(listener);
 
                 CryptoToken tt = cm.getThreadToken();
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index de1ac442cd4187b8dc2af5a58ab103cc1c240ca7..f7395308ddb2beb9a93b8d66af1f2a5ceaea7507 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -99,6 +99,8 @@ import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
 import org.mozilla.jss.pkix.primitive.Name;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant;
+import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange;
 import org.mozilla.jss.util.Base64OutputStream;
 import org.mozilla.jss.util.Password;
 
@@ -135,6 +137,19 @@ import netscape.security.x509.X509Key;
 @SuppressWarnings("serial")
 public class CryptoUtil {
 
+    public static enum SSLVersion {
+        SSL_3_0(SSLVersionRange.ssl3),
+        TLS_1_0(SSLVersionRange.tls1_0),
+        TLS_1_1(SSLVersionRange.tls1_1),
+        TLS_1_2(SSLVersionRange.tls1_2);
+
+        public int value;
+
+        SSLVersion(int value) {
+            this.value = value;
+        }
+    }
+
     public final static String INTERNAL_TOKEN_NAME = "internal";
     public final static String INTERNAL_TOKEN_FULL_NAME = "Internal Key Storage Token";
 
@@ -700,6 +715,15 @@ public class CryptoUtil {
         return pair;
     }
 
+    public static void setSSLStreamVersionRange(SSLVersion min, SSLVersion max) throws SocketException {
+        SSLVersionRange range = new SSLVersionRange(min.value, max.value);
+        SSLSocket.setSSLVersionRangeDefault(SSLProtocolVariant.STREAM, range);
+    }
+
+    public static void setSSLDatagramVersionRange(SSLVersion min, SSLVersion max) throws SocketException {
+        SSLVersionRange range = new SSLVersionRange(min.value, max.value);
+        SSLSocket.setSSLVersionRangeDefault(SSLProtocolVariant.DATA_GRAM, range);
+    }
 
     private static HashMap<String, Integer> cipherMap = new HashMap<String, Integer>();
     static {
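Review bot: Neither new setter rejects `min` above `max`; unless the JSS SSLVersionRange constructor throws on an inverted range (not visible here), `setSSLStreamVersionRange(TLS_1_2, TLS_1_0)` installs whatever JSS makes of it. Add `if (min.value > max.value) throw new IllegalArgumentException("min " + min + " > max " + max);` before constructing the range in both methods. Both also lack Javadoc; it should say that `SSLSocket.setSSLVersionRangeDefault` presumably changes the default for every SSLSocket created afterwards rather than a single connection, and document the `@throws SocketException`. The two bodies differ only in the SSLProtocolVariant, so a private helper taking the variant would remove the last duplication.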
-- 
2.9.3
