Oh I've done this before!!!

In your SSL section in httpd.conf


// Change accordingly
#       SSLVerifyClient require
#       SSLVerifyDepth 1
##    SSLOptions +StdEnvVars +ExportCertData 
#    
##      
#       JkOptions +ForwardKeySize +ForwardURICompat 
##      JkExtractSSL On
#       JkHTTPSIndicator HTTPS
###     JkSESSIONIndicator SSL_SESSION_ID
#       JkCIPHERIndicator SSL_CIPHER
#       JkCERTSIndicator SSL_CLIENT_CERT    
// NEED THIS
#       JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT

then in your Servlet do:

// Imports the snippet needs (sun.misc.BASE64Decoder is the JDK 1.3-era decoder
// used here; it is not a public API)
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// PEM text forwarded by "JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT" arrives as a request attribute
String apacheClientCert = (String) request.getAttribute("SSL_CLIENT_CERT");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
String cert = removePEMData(apacheClientCert);   // strip BEGIN/END markers, leaving the Base64 body
sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder();
byte[] bcert = dec.decodeBuffer(cert);           // Base64 -> DER bytes (throws IOException)
ByteArrayInputStream bais = new ByteArrayInputStream(bcert);
X509Certificate x509 = (X509Certificate) cf.generateCertificate(bais); // throws CertificateException
bais.close();

... Now you've got your client cert... if you want the server cert,
add JkEnvVar SSL_SERVER_CERT SSL_SERVER_CERT in httpd and mirror the changes in
the servlet

 public String removePEMData(String cert)
  {
    String begin = "-----BEGIN CERTIFICATE-----";
    String end = "-----END CERTIFICATE-----";
    int s = cert.indexOf(begin);
    int e = cert.indexOf(end);
    // Only cut when both markers are present: looking up "end" inside substring()
    // threw StringIndexOutOfBoundsException (index -1) when the END marker was missing
    if (s >= 0 && e > s)
      cert = cert.substring(s + begin.length(), e);
    return cert;
  }
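
The two snippets above combined into one helper, written here as an added example (my code, not the poster's, and not part of Tomcat or mod_jk): it decodes the SSL_CLIENT_CERT attribute that "JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT" forwards, rejects PEM with a missing marker instead of throwing a StringIndexOutOfBoundsException, and returns null when nothing was forwarded at all, which is what a servlet sees when a request reaches Tomcat directly (for example on the 8443 connector with clientAuth="false") instead of through Apache with SSLVerifyClient require. It assumes a current JDK (java.util.Base64 in place of sun.misc.BASE64Decoder); the class name is invented.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Turns the PEM text mod_ssl exports as SSL_CLIENT_CERT (forwarded by mod_jk via
 * "JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT") into an X509Certificate.
 * Hypothetical helper written for this thread, not Tomcat or mod_jk code.
 */
public final class ForwardedClientCert {

    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /**
     * Returns the certificate, or null when the attribute is absent (request did not
     * come through Apache/mod_jk, or Apache did not require a client certificate).
     * Malformed input throws rather than being silently accepted.
     */
    public static X509Certificate parse(Object attributeValue) throws CertificateException {
        if (!(attributeValue instanceof String)) {
            return null; // nothing forwarded: treat the request as unauthenticated
        }
        String pem = (String) attributeValue;
        int begin = pem.indexOf(BEGIN);
        int end = pem.indexOf(END);
        if (begin < 0 || end < 0 || end < begin) {
            throw new CertificateException("SSL_CLIENT_CERT is not a PEM certificate");
        }
        // mod_ssl emits the body with newlines; if the value ever travels through an HTTP
        // header they become spaces. The MIME decoder ignores non-Base64 characters, so
        // both layouts decode the same way.
        String body = pem.substring(begin + BEGIN.length(), end);
        byte[] der;
        try {
            der = Base64.getMimeDecoder().decode(body);
        } catch (IllegalArgumentException e) {
            throw new CertificateException("SSL_CLIENT_CERT body is not valid Base64", e);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs that removePEMData() in the thread crashed on or passed through
        Object[] samples = {
            null,                                         // attribute not set at all
            "-----BEGIN CERTIFICATE-----\nMIIB",          // END marker missing
            "-----BEGIN CERTIFICATE-----\n@@@@\n-----END CERTIFICATE-----", // junk body:
            // the MIME decoder drops it and the factory rejects the empty DER
        };
        for (Object s : samples) {
            try {
                X509Certificate c = parse(s);
                System.out.println(c == null ? "no certificate forwarded" : c.getSubjectX500Principal());
            } catch (CertificateException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        // A real PEM file (for example the attribute value saved to disk) can be passed as argument
        if (args.length == 1) {
            String pem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
            X509Certificate c = parse(pem);
            c.checkValidity(); // throws if expired or not yet valid
            System.out.println("subject: " + c.getSubjectX500Principal());
            System.out.println("issuer:  " + c.getIssuerX500Principal());
        }
    }
}
```

Run with "javac ForwardedClientCert.java && java ForwardedClientCert client.pem". In the servlet the call is simply parse(request.getAttribute("SSL_CLIENT_CERT")); a null result should be handled as "no client certificate", not as a parse success, because the attribute is only populated on the mod_jk path where Apache has already enforced SSLVerifyClient.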

-----Original Message-----
From: Karli Christoph (CSE) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2003 11:53 AM
To: 'Tomcat Users List'
Subject: RE: achieving a clients (browsers) certificate in a webapp


that's the point..

with the following code

String certAttribute = "javax.servlet.request.X509Certificate";
X509Certificate certificate[] = (java.security.cert.X509Certificate[])
    request.getAttribute(certAttribute);

for (Enumeration e = request.getAttributeNames(); e.hasMoreElements();) {
  System.out.println("attribute: " + e.nextElement());
}



we can only achieve the following attributes:

attribute: javax.servlet.include.servlet_path
attribute: javax.servlet.include.context_path
attribute: javax.servlet.request.cipher_suite
attribute: javax.servlet.request.key_size
attribute: javax.servlet.include.request_uri

any other ideas?


-----Original Message-----
From: Bodycombe, Andrew [mailto:[EMAIL PROTECTED] 
Sent: Dienstag, 22. Juli 2003 17:39
To: 'Tomcat Users List'
Subject: RE: achieving a clients (browsers) certificate in a webapp


The 'javax.servlet.request.X509Certificate' request property will give you
the client certificate chain. It contains an array of
java.security.cert.X509Certificate Objects. Element [0] is the client
certificate, Element [1] is the CA for the client certificate etc.
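
An added example of checking that array the way the reply above describes (my code, not the poster's and not from Tomcat): chain[0] is taken as the client certificate, each element is checked to have signed the one before it, and the path is then validated against a list of trusted CA certificates with the standard PKIX validator. The class name and file arguments are invented; revocation checking is switched off only so that the program runs offline.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical checker for the javax.servlet.request.X509Certificate chain. */
public final class ClientChainCheck {

    /**
     * Validates a chain as handed back by the container: chain[0] is the client
     * certificate, chain[1] its issuer, and so on. Returns the client certificate
     * when the chain leads to one of the trusted CAs, otherwise throws.
     */
    public static X509Certificate verify(X509Certificate[] chain, List<X509Certificate> trustedCas)
            throws GeneralSecurityException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no client certificate chain on the request");
        }
        X509Certificate client = chain[0];
        client.checkValidity(); // expired or not-yet-valid leaf is rejected first
        // Hand-check the links the reply describes: chain[i] must be signed by chain[i+1]
        for (int i = 0; i + 1 < chain.length; i++) {
            chain[i].verify(chain[i + 1].getPublicKey()); // SignatureException on mismatch
        }
        // Then the full PKIX job: path to a trust anchor, validity periods, basic
        // constraints, key usage. Any trust anchor that the container included in the
        // chain is removed from the path, since the anchor is supplied separately.
        Set<TrustAnchor> anchors = new HashSet<>();
        Set<X509Certificate> anchorCerts = new HashSet<>(trustedCas);
        for (X509Certificate ca : trustedCas) {
            anchors.add(new TrustAnchor(ca, null));
        }
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!anchorCerts.contains(c)) {
                path.add(c);
            }
        }
        if (path.isEmpty()) {
            throw new CertificateException("chain consists only of trust anchors");
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline example; enable or supply CRLs in production
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws on failure
        return client;
    }

    /** Loads every certificate in a PEM file (one or more BEGIN/END blocks). */
    public static List<X509Certificate> loadPem(String file) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ClientChainCheck <client-chain.pem> <trusted-ca.pem>");
            return;
        }
        X509Certificate[] chain = loadPem(args[0]).toArray(new X509Certificate[0]);
        X509Certificate client = verify(chain, loadPem(args[1]));
        System.out.println("accepted client: " + client.getSubjectX500Principal());
        for (int i = 1; i < chain.length; i++) {
            System.out.println("  issued via [" + i + "]: " + chain[i].getSubjectX500Principal());
        }
    }
}
```

In a servlet the first argument is the cast result of request.getAttribute("javax.servlet.request.X509Certificate"); when the attribute is missing, as in the attribute list posted below, verify() throws rather than treating the request as authenticated.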



-----Original Message-----
From: Karli Christoph (CSE) [mailto:[EMAIL PROTECTED] 
Sent: 22 July 2003 16:04
To: 'Tomcat Users List'
Subject: achieving a clients (browsers) certificate in a webapp


now this seems like a big task!

we've been trying to achieve a client's certificate from the request-object,
which failed because there is no parameter for achieving the x509Certificate
installed in the browser of the client out of the request-object
(javax.servlet.ServletRequest).

the certification of the server works fine, except for the fact that the
server-name on the certificate doesn't match the actual server-name of the
webserver (we're about to change the server-name)

anyway, we've spent the whole day - but we had no chance to figure out where
the problem's hidden.

what we use:
jdk 1.3
apache 2.0.45 with openssl
tomcat 4.1.24
mod_jk connector


other hint:
 - https connection works on the webapp
 

important parts of the configuration files:

******* configuration of ssl.conf looks like this:
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

SSLMutex  file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
DocumentRoot "/opt/httpd-2.0.45/htdocs"
#ServerName new.host.name:443
ServerName servername.is.ok:443
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error_log
TransferLog logs/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /opt/httpd-2.0.45/conf/ssl.crt/server.crt

SSLCertificateKeyFile /opt/httpd-2.0.45/conf/ssl.key/server.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/opt/httpd-2.0.45/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                                  
</IfDefine>


******* configuration of httpd.conf looks like this:
...
#
# Bring in additional module-specific configurations
#
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>
...

JkWorkersFile /opt/jakarta/conf/jk/workers.properties
JkLogFile /opt/jakarta/logs/mod_jk.log

JkLogLevel debug

JkMount /examples ajp13
JkMount /examples/* ajp13
...


******* configuration of server.xml looks like this:
...
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true"
               useURIValidationHack="false"> 
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" 
               keystoreFile=".keystore" keystorePass="xxxxx" />
    </Connector>

    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8009" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="10" debug="0" connectionTimeout="0"
               useURIValidationHack="false"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
...

******* just anyone?

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
