Upgrade to version 8.1.0

This commit is contained in:
wk333 2022-10-17 14:37:50 +08:00
parent 8b50012856
commit 3becd2220f
5 changed files with 101 additions and 404 deletions


@ -0,0 +1,70 @@
From 2921cf92d8968fef21d3459523f0c469ac64089a Mon Sep 17 00:00:00 2001
From: wang--ge <wang__ge@126.com>
Date: Wed, 25 May 2022 16:47:46 +0800
Subject: [PATCH] add abstract method for class JSSUtil
---
.../main/java/org/dogtagpki/tomcat/JSSUtil.java | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/tomcat-9.0/src/main/java/org/dogtagpki/tomcat/JSSUtil.java b/tomcat-9.0/src/main/java/org/dogtagpki/tomcat/JSSUtil.java
index 8370370..9c3326d 100644
--- a/tomcat-9.0/src/main/java/org/dogtagpki/tomcat/JSSUtil.java
+++ b/tomcat-9.0/src/main/java/org/dogtagpki/tomcat/JSSUtil.java
@@ -19,6 +19,8 @@
package org.dogtagpki.tomcat;
+import java.security.NoSuchAlgorithmException;
+
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
@@ -28,6 +30,7 @@ import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
@@ -48,6 +51,7 @@ public class JSSUtil extends SSLUtilBase {
private Set<String> protocols;
private Set<String> ciphers;
+
public JSSUtil(SSLHostConfigCertificate cert) {
super(cert);
@@ -95,13 +99,11 @@ public class JSSUtil extends SSLUtilBase {
return new TrustManager[] { new JSSNativeTrustManager() };
}
- @Override
public SSLContext createSSLContextInternal(List<String> negotiableProtocols) throws Exception {
logger.debug("JSSUtil createSSLContextInternal(...) keyAlias=" + keyAlias);
return new JSSContext(keyAlias);
}
- @Override
public boolean isTls13RenegAuthAvailable() {
logger.debug("JSSUtil: isTls13RenegAuthAvailable()");
return true;
@@ -127,4 +129,14 @@ public class JSSUtil extends SSLUtilBase {
return ciphers;
}
+
+ @Override
+ public void configureSessionContext(SSLSessionContext sslSessionContext) {
+ logger.debug("JSSUtil: configureSessionContext");
+ }
+
+ @Override
+ public SSLContext createSSLContext(List<String> negotiableProtocols) throws NoSuchAlgorithmException {
+ return new JSSContext(keyAlias);
+ }
}
--
2.27.0
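Review bot: The new `configureSessionContext` override at the end of the JSSUtil hunk only logs and returns, so whatever the base implementation did with the `SSLSessionContext` (presumably session timeout and cache size from the host configuration) is no longer applied and sessions keep the provider's defaults unless JSS sets them itself. The method needs a comment stating that intent, e.g. `// Session timeout/cache size are intentionally not applied here; JSSContext relies on the NSS defaults — confirm`. The same hunk strips `@Override` from `createSSLContextInternal` and `isTls13RenegAuthAvailable`, which removes the compiler's check that they still match a base-class signature; if they no longer override anything they are dead code and should be deleted rather than left unannotated. The added `createSSLContext` discards `negotiableProtocols` exactly as `createSSLContextInternal` already does, so protocol negotiation is only whatever `JSSContext(keyAlias)` does on its own; a one-line comment should say so.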


@ -1,387 +0,0 @@
From fb11bcd42aed364f77cd1b07a0d3139496817dea Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 31 May 2019 15:20:46 -0400
Subject: [PATCH] Use JSSKeyManager and JSSTrustManager from JSS
With jss-pr#159 merged, we've added a KeyManager and TrustManager to the
JSS default provider that we should use instead of the instances
in-tree.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/org/dogtagpki/tomcat/JSSKeyManager.java | 146 -------------
src/org/dogtagpki/tomcat/JSSTrustManager.java | 197 ------------------
.../src/org/dogtagpki/tomcat/JSSUtil.java | 3 +
3 files changed, 3 insertions(+), 343 deletions(-)
delete mode 100644 src/org/dogtagpki/tomcat/JSSKeyManager.java
delete mode 100644 src/org/dogtagpki/tomcat/JSSTrustManager.java
diff --git a/src/org/dogtagpki/tomcat/JSSKeyManager.java b/src/org/dogtagpki/tomcat/JSSKeyManager.java
deleted file mode 100644
index 1f94260..0000000
--- a/src/org/dogtagpki/tomcat/JSSKeyManager.java
+++ /dev/null
@@ -1,146 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Copyright (C) 2017 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.dogtagpki.tomcat;
-
-import java.net.Socket;
-import java.security.Principal;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-
-import javax.net.ssl.X509KeyManager;
-
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.crypto.ObjectNotFoundException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import sun.security.x509.X509CertImpl;
-
-public class JSSKeyManager implements X509KeyManager {
-
- final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
-
- @Override
- public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
- logger.debug("JSSKeyManager: chooseClientAlias()");
-
- logger.debug("JSSKeyManager: key types:");
- for (String keyType : keyTypes) {
- logger.debug("JSSKeyManager: - " + keyType);
- }
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
- logger.debug("JSSKeyManager: chooseServerAlias()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public X509Certificate[] getCertificateChain(String alias) {
-
- logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
-
- try {
- CryptoManager cm = CryptoManager.getInstance();
- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
-
- org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
- logger.debug("JSSKeyManager: cert chain:");
-
- Collection<X509Certificate> list = new ArrayList<>();
- for (org.mozilla.jss.crypto.X509Certificate c : chain) {
- logger.debug("JSSKeyManager: - " + c.getSubjectDN());
- list.add(new X509CertImpl(c.getEncoded()));
- }
-
- return list.toArray(new X509Certificate[list.size()]);
-
- } catch (Throwable e) {
- logger.error(e.getMessage(), e);
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public String[] getClientAliases(String keyType, Principal[] issuers) {
- logger.debug("JSSKeyManager: getClientAliases()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public PrivateKey getPrivateKey(String alias) {
-
- logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
-
- try {
- CryptoManager cm = CryptoManager.getInstance();
- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
- PrivateKey privateKey = cm.findPrivKeyByCert(cert);
-
- logger.debug("JSSKeyManager: key found: " + alias);
- return privateKey;
-
- } catch (ObjectNotFoundException e) {
- logger.debug("JSSKeyManager: key not found: " + alias);
- return null;
-
- } catch (Throwable e) {
- logger.error(e.getMessage(), e);
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public String[] getServerAliases(String keyType, Principal[] issuers) {
- logger.debug("JSSKeyManager: getServerAliases()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-}
diff --git a/src/org/dogtagpki/tomcat/JSSTrustManager.java b/src/org/dogtagpki/tomcat/JSSTrustManager.java
deleted file mode 100644
index 87c7bdd..0000000
--- a/src/org/dogtagpki/tomcat/JSSTrustManager.java
+++ /dev/null
@@ -1,197 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Copyright (C) 2017 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.dogtagpki.tomcat;
-
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-
-import javax.net.ssl.X509TrustManager;
-
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.NotInitializedException;
-import org.mozilla.jss.netscape.security.util.Cert;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import sun.security.x509.X509CertImpl;
-
-public class JSSTrustManager implements X509TrustManager {
-
- final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
-
- final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
- final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
-
- public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
-
- logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
-
- // sort cert chain from root to leaf
- certChain = Cert.sortCertificateChain(certChain);
-
- for (X509Certificate cert : certChain) {
- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
- }
-
- // get CA certs
- X509Certificate[] caCerts = getAcceptedIssuers();
-
- // validating cert chain from root to leaf
- for (int i = 0; i < certChain.length; i++) {
-
- X509Certificate cert = certChain[i];
-
- // validating key usage on leaf cert only
- String usage;
- if (i == certChain.length - 1) {
- usage = keyUsage;
- } else {
- usage = null;
- }
-
- checkCert(cert, caCerts, usage);
-
- // use the current cert as the CA cert for the next cert in the chain
- caCerts = new X509Certificate[] { cert };
- }
- }
-
- public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
-
- logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
-
- boolean[] aki = cert.getIssuerUniqueID();
- logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
-
- X509Certificate issuer = null;
- for (X509Certificate caCert : caCerts) {
-
- boolean[] ski = caCert.getSubjectUniqueID();
- logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
-
- try {
- cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
- issuer = caCert;
- break;
- } catch (Exception e) {
- logger.debug("JSSTrustManager: invalid certificate: " + e);
- }
- }
-
- if (issuer == null) {
- throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
- }
-
- logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
-
- logger.debug("JSSTrustManager: checking validity range:");
- logger.debug("JSSTrustManager: - not before: " + cert.getNotBefore());
- logger.debug("JSSTrustManager: - not after: " + cert.getNotAfter());
- cert.checkValidity();
-
- if (keyUsage != null) {
-
- List<String> extendedKeyUsages = cert.getExtendedKeyUsage();
- logger.debug("JSSTrustManager: checking extended key usages:");
-
- for (String extKeyUsage : extendedKeyUsages) {
- logger.debug("JSSTrustManager: - " + extKeyUsage);
- }
-
- if (extendedKeyUsages.contains(keyUsage)) {
- logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
- } else {
- throw new CertificateException("Missing extended key usage: " + keyUsage);
- }
- }
- }
-
- @Override
- public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
-
- logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
-
- try {
- checkCertChain(certChain, CLIENT_AUTH_OID);
- logger.debug("JSSTrustManager: SSL client certificate is valid");
-
- } catch (CertificateException e) {
- logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
- throw e;
-
- } catch (Exception e) {
- logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
- throw new CertificateException(e);
- }
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
-
- logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
-
- try {
- checkCertChain(certChain, SERVER_AUTH_OID);
- logger.debug("JSSTrustManager: SSL server certificate is valid");
-
- } catch (CertificateException e) {
- logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
- throw e;
-
- } catch (Exception e) {
- logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
- throw new CertificateException(e);
- }
- }
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
-
- logger.debug("JSSTrustManager: getAcceptedIssuers():");
-
- Collection<X509Certificate> caCerts = new ArrayList<>();
-
- try {
- CryptoManager manager = CryptoManager.getInstance();
- for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
-
- try {
- X509CertImpl caCert = new X509CertImpl(cert.getEncoded());
- caCert.checkValidity();
- caCerts.add(caCert);
-
- } catch (Exception e) {
- logger.debug("JSSTrustManager: invalid CA certificate: " + e);
- }
- }
-
- } catch (NotInitializedException e) {
- logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e);
- throw new RuntimeException(e);
- }
-
- return caCerts.toArray(new X509Certificate[caCerts.size()]);
- }
-}
diff --git a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
index 22c607d..a2e3cd5 100644
--- a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
+++ b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
@@ -28,6 +28,9 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;
+import org.mozilla.jss.provider.javax.crypto.JSSTrustManager;
+
public class JSSUtil extends JSSEUtil {
public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);

Binary file not shown.


@ -3,33 +3,44 @@ Summary: Apache Tomcat of JSS Connector
URL: http://www.dogtagpki.org/wiki/TomcatJSS URL: http://www.dogtagpki.org/wiki/TomcatJSS
License: LGPLv2+ License: LGPLv2+
BuildArch: noarch BuildArch: noarch
Version: 7.4.1 Version: 8.1.0
Release: 5 Release: 1
Source: https://github.com/dogtagpki/tomcatjss/archive/v%{version}%{?_phase}/tomcatjss-%{version}%{?_phase}.tar.gz Source: https://github.com/dogtagpki/tomcatjss/archive/refs/tags/v8.1.0.tar.gz
Patch0: Use-JSSKeyManager-and-JSSTrustManager-from-JSS.patch BuildRequires: ant apache-commons-lang3 java-latest-openjdk-devel slf4j
BuildRequires: git ant apache-commons-lang java-devel jpackage-utils >= 0:1.7.5-15 slf4j
BuildRequires: slf4j-jdk14 jss >= 4.6.0 tomcat >= 1:9.0.7 BuildRequires: slf4j-jdk14 jss >= 4.6.0 tomcat >= 1:9.0.7
Requires: apache-commons-lang java-headless jpackage-utils >= 0:1.7.5-15 slf4j jss >= 4.6.0 tomcat >= 1:9.0.7 Requires: apache-commons-lang3 java-latest-openjdk-headless jpackage-utils >= 0:1.7.5-15 slf4j slf4j-jdk14 jss >= 4.6.0 tomcat >= 1:9.0.7
Conflicts: pki-base < 10.6.5 Conflicts: pki-base < 10.6.5
%define _sharedstatedir /var/lib %define _sharedstatedir /var/lib
Patch0: 0001-add-abstract-method-for-class-JSSUtil.patch
%description %description
Apache Tomcat of JSS Connector. Apache Tomcat of JSS Connector.
%prep %prep
%autosetup -n tomcatjss-%{version} -p 1 -S git %autosetup -n tomcatjss-%{version} -p 1
%build
home_path=`ls /usr/lib/jvm | grep java-18-openjdk-18`
export JAVA_HOME=/usr/lib/jvm/${home_path}
./build.sh \
%{?_verbose:-v} \
--work-dir=%{_vpath_builddir} \
--version=%{version} \
--jni-dir=%{_jnidir} \
dist
%install %install
tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'` home_path=`ls /usr/lib/jvm | grep java-18-openjdk-18`
export JAVA_HOME=/usr/lib/jvm/${home_path}
if [ $tomcat_version == "9.0" ]; then ./build.sh \
app_server=tomcat-8.5 %{?_verbose:-v} \
else --work-dir=%{_vpath_builddir} \
app_server=tomcat-$tomcat_version --version=%{version} \
fi --java-dir=%{_javadir} \
--doc-dir=%{_docdir} \
ant -f build.xml -Dversion=%{version} -Dsrc.dir=$app_server -Djnidir=%{_jnidir} -Dinstall.doc.dir=%{buildroot}%{_docdir}/%{name} \ --install-dir=%{buildroot} \
-Dinstall.jar.dir=%{buildroot}%{_javadir} install install
%files %files
%defattr(-,root,root) %defattr(-,root,root)
@ -37,6 +48,9 @@ ant -f build.xml -Dversion=%{version} -Dsrc.dir=$app_server -Djnidir=%{_jnidir}
%{_javadir}/* %{_javadir}/*
%changelog %changelog
* Mon Oct 17 2022 wangkai <wangkai385@h-partners.com> - 8.1.0-1
- Upgrade to version 8.1.0
* Wed Feb 09 2022 caodongxia <caodongxia@huawei.com> - 7.4.1-5 * Wed Feb 09 2022 caodongxia <caodongxia@huawei.com> - 7.4.1-5
- Remove conflicts tomcat-native - Remove conflicts tomcat-native
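Review bot: The JDK lookup added in `%build` and repeated verbatim in `%install` (the `ls /usr/lib/jvm | grep java-18-openjdk-18` pipeline) hard-codes JDK 18 while `BuildRequires` now pulls in `java-latest-openjdk-devel`; once "latest" is no longer 18 the grep matches nothing, `JAVA_HOME` becomes `/usr/lib/jvm/` and the build presumably either fails late with an unrelated error or silently uses whatever `java` is first on PATH. Resolve it from the installed compiler and fail fast instead, `export JAVA_HOME=$(dirname $(dirname $(readlink -f $(command -v javac))))` followed by `[ -d "$JAVA_HOME/bin" ] || exit 1`, and keep a single copy of that snippet (a `%global` or a shell variable set once) rather than two. The `Source:` line has also gone from `v%{version}%{?_phase}` to a literal `v8.1.0.tar.gz`, so the next bump needs two edits; express it in terms of `%{version}` as before.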

v8.1.0.tar.gz Normal file

Binary file not shown.