This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 21419a185c457d3b2b76573a56f85f92138b504b
Author: remm <r...@apache.org>
AuthorDate: Thu May 28 16:21:35 2020 +0200

    Expose the local certificate through SSLSupport

    To be used for more TLS env support in the rewrite resolver, it cannot hurt. Using a default since it's an API change and not there with OpenSSL.
---
 java/org/apache/tomcat/util/net/SSLSupport.java       | 11 +++++++++++
 java/org/apache/tomcat/util/net/jsse/JSSESupport.java | 15 +++++++++++++++
 webapps/docs/changelog.xml                            |  4 ++++
 3 files changed, 30 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/SSLSupport.java b/java/org/apache/tomcat/util/net/SSLSupport.java
index 75740f9..f46d266 100644
--- a/java/org/apache/tomcat/util/net/SSLSupport.java
+++ b/java/org/apache/tomcat/util/net/SSLSupport.java
@@ -85,6 +85,17 @@ public interface SSLSupport {
     public X509Certificate[] getPeerCertificateChain() throws IOException;
 
     /**
+     * The server certificate chain (if any) that were sent to the peer.
+     *
+     * @return The certificate chain sent with the server
+     *         certificate first, followed by those of any certificate
+     *         authorities
+     */
+    default public X509Certificate[] getLocalCertificateChain() {
+        return null;
+    }
+
+    /**
      * Get the keysize.
      *
      * What we're supposed to put here is ill-defined by the
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSESupport.java b/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
index 98c6eb9..0ca7ba7 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
@@ -21,6 +21,7 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.Map;
 
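Review bot: The new `getLocalCertificateChain()` Javadoc never says what a `null` return means, and since the `default` body always returns `null`, a caller cannot distinguish "no certificate was sent to the peer" from "this `SSLSupport` implementation does not expose it" (the commit message says the latter is the case for OpenSSL). I would extend the `@return` with a sentence such as `null if no certificate was sent to the peer or if the implementation does not provide it`, so consumers like the rewrite resolver mentioned in the commit message treat `null` as "unknown" rather than "none". The summary line also has a number-agreement slip: `The server certificate chain (if any) that were sent to the peer.` should read `that was sent`. Finally, `default public` is an unusual modifier order; `public default` (or just `default`, since interface members are implicitly public) is the conventional order, though I cannot tell from the diff whether this build's checkstyle configuration enforces it.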
@@ -87,6 +88,14 @@ public class JSSESupport implements SSLSupport, SSLSessionManager {
     }
     @Override
+    public X509Certificate[] getLocalCertificateChain() {
+        if (session == null) {
+            return null;
+        }
+        return convertCertificates(session.getLocalCertificates());
+    }
+
+    @Override
     public java.security.cert.X509Certificate[] getPeerCertificateChain() throws IOException {
         // Look up the current SSLSession
         if (session == null)
@@ -99,6 +108,12 @@ public class JSSESupport implements SSLSupport, SSLSessionManager {
             log.debug(sm.getString("jsseSupport.clientCertError"), t);
             return null;
         }
+
+        return convertCertificates(certs);
+    }
+
+
+    private static java.security.cert.X509Certificate[] convertCertificates(Certificate[] certs) {
         if( certs==null ) return null;
 
         java.security.cert.X509Certificate [] x509Certs =
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 4f160b4..94f6836 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -83,6 +83,10 @@
         <bug>64467</bug>: Improve performance of closing idle HTTP/2 streams.
         (markt)
       </fix>
+      <update>
+        Expose server certificate through the <code>SSLSupport</code>
+        interface. (remm)
+      </update>
     </changelog>
   </subsection>
   <subsection name="WebSocket">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
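Review bot: The new `getLocalCertificateChain()` in JSSESupport has no comment on its `null` cases, and there are at least two of them in the visible lines: `session == null`, and `session.getLocalCertificates()` yielding `null`, which the helper turns into a `null` return via its `if( certs==null ) return null;` line in the second hunk. Because the interface default also returns `null`, a caller that gets `null` here cannot tell a JSSE connector with no local certificate from a connector that does not implement the method, so I would put a one-line comment above the method, `// null when there is no session or no certificate chain was sent to the peer`, and mirror that in the interface Javadoc. The neighbouring `getPeerCertificateChain()` continues past the end of this hunk and `convertCertificates` is only partly visible, so whether conversion failures produce further `null` returns is inferred from the existing structure rather than verified here.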
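Review bot: The extracted helper is declared as `private static java.security.cert.X509Certificate[] convertCertificates(Certificate[] certs)` with the fully-qualified type, even though this same commit adds `import java.security.cert.X509Certificate;` to the file and uses the short name in `getLocalCertificateChain()`; for consistency the signature could read `private static X509Certificate[] convertCertificates(Certificate[] certs) {`. The two consecutive blank `+` lines inserted before the helper also differ from the single blank line that separates the other methods in the surrounding context. The helper's body continues beyond the hunk, so only its declaration and the `certs == null` guard are reviewed here.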