!10 [sync] PR-9: Remove conflicts tomcat-native
Merge pull request !10 from openeuler-sync-bot/sync-pr9-openEuler-21.09-to-openEuler-22.03-LTS-Next
This commit is contained in:
openeuler-ci-bot
Gitee
commit
b4d69efdcc
387
Use-JSSKeyManager-and-JSSTrustManager-from-JSS.patch
Normal file
387
Use-JSSKeyManager-and-JSSTrustManager-from-JSS.patch
Normal file
@ -0,0 +1,387 @@
|
||||
From fb11bcd42aed364f77cd1b07a0d3139496817dea Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Fri, 31 May 2019 15:20:46 -0400
|
||||
Subject: [PATCH] Use JSSKeyManager and JSSTrustManager from JSS
|
||||
|
||||
With jss-pr#159 merged, we've added a KeyManager and TrustManager to the
|
||||
JSS default provider that we should use instead of the instances
|
||||
in-tree.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/org/dogtagpki/tomcat/JSSKeyManager.java | 146 -------------
|
||||
src/org/dogtagpki/tomcat/JSSTrustManager.java | 197 ------------------
|
||||
.../src/org/dogtagpki/tomcat/JSSUtil.java | 3 +
|
||||
3 files changed, 3 insertions(+), 343 deletions(-)
|
||||
delete mode 100644 src/org/dogtagpki/tomcat/JSSKeyManager.java
|
||||
delete mode 100644 src/org/dogtagpki/tomcat/JSSTrustManager.java
|
||||
|
||||
diff --git a/src/org/dogtagpki/tomcat/JSSKeyManager.java b/src/org/dogtagpki/tomcat/JSSKeyManager.java
|
||||
deleted file mode 100644
|
||||
index 1f94260..0000000
|
||||
--- a/src/org/dogtagpki/tomcat/JSSKeyManager.java
|
||||
+++ /dev/null
|
||||
@@ -1,146 +0,0 @@
|
||||
-/* BEGIN COPYRIGHT BLOCK
|
||||
- * This library is free software; you can redistribute it and/or
|
||||
- * modify it under the terms of the GNU Lesser General Public
|
||||
- * License as published by the Free Software Foundation; either
|
||||
- * version 2.1 of the License, or (at your option) any later version.
|
||||
- *
|
||||
- * This library is distributed in the hope that it will be useful,
|
||||
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
- * Lesser General Public License for more details.
|
||||
- *
|
||||
- * You should have received a copy of the GNU Lesser General Public
|
||||
- * License along with this library; if not, write to the Free Software
|
||||
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
- *
|
||||
- * Copyright (C) 2017 Red Hat, Inc.
|
||||
- * All rights reserved.
|
||||
- * END COPYRIGHT BLOCK */
|
||||
-
|
||||
-package org.dogtagpki.tomcat;
|
||||
-
|
||||
-import java.net.Socket;
|
||||
-import java.security.Principal;
|
||||
-import java.security.PrivateKey;
|
||||
-import java.security.cert.X509Certificate;
|
||||
-import java.util.ArrayList;
|
||||
-import java.util.Collection;
|
||||
-
|
||||
-import javax.net.ssl.X509KeyManager;
|
||||
-
|
||||
-import org.mozilla.jss.CryptoManager;
|
||||
-import org.mozilla.jss.crypto.ObjectNotFoundException;
|
||||
-import org.slf4j.Logger;
|
||||
-import org.slf4j.LoggerFactory;
|
||||
-
|
||||
-import sun.security.x509.X509CertImpl;
|
||||
-
|
||||
-public class JSSKeyManager implements X509KeyManager {
|
||||
-
|
||||
- final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
|
||||
-
|
||||
- @Override
|
||||
- public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
|
||||
- logger.debug("JSSKeyManager: chooseClientAlias()");
|
||||
-
|
||||
- logger.debug("JSSKeyManager: key types:");
|
||||
- for (String keyType : keyTypes) {
|
||||
- logger.debug("JSSKeyManager: - " + keyType);
|
||||
- }
|
||||
-
|
||||
- logger.debug("JSSKeyManager: issuers:");
|
||||
- for (Principal issuer : issuers) {
|
||||
- logger.debug("JSSKeyManager: - " + issuer.getName());
|
||||
- }
|
||||
-
|
||||
- return null; // not implemented
|
||||
- }
|
||||
-
|
||||
- @Override
|
||||
- public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
|
||||
- logger.debug("JSSKeyManager: chooseServerAlias()");
|
||||
- logger.debug("JSSKeyManager: key type: " + keyType);
|
||||
-
|
||||
- logger.debug("JSSKeyManager: issuers:");
|
||||
- for (Principal issuer : issuers) {
|
||||
- logger.debug("JSSKeyManager: - " + issuer.getName());
|
||||
- }
|
||||
-
|
||||
- return null; // not implemented
|
||||
- }
|
||||
-
|
||||
- @Override
|
||||
- public X509Certificate[] getCertificateChain(String alias) {
|
||||
-
|
||||
- logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
|
||||
-
|
||||
- try {
|
||||
- CryptoManager cm = CryptoManager.getInstance();
|
||||
- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
|
||||
-
|
||||
- org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
|
||||
- logger.debug("JSSKeyManager: cert chain:");
|
||||
-
|
||||
- Collection<X509Certificate> list = new ArrayList<>();
|
||||
- for (org.mozilla.jss.crypto.X509Certificate c : chain) {
|
||||
- logger.debug("JSSKeyManager: - " + c.getSubjectDN());
|
||||
- list.add(new X509CertImpl(c.getEncoded()));
|
||||
- }
|
||||
-
|
||||
- return list.toArray(new X509Certificate[list.size()]);
|
||||
-
|
||||
- } catch (Throwable e) {
|
||||
- logger.error(e.getMessage(), e);
|
||||
- throw new RuntimeException(e);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- @Override
|
||||
- public String[] getClientAliases(String keyType, Principal[] issuers) {
|
||||
- logger.debug("JSSKeyManager: getClientAliases()");
|
||||
- logger.debug("JSSKeyManager: key type: " + keyType);
|
||||
-
|
||||
- logger.debug("JSSKeyManager: issuers:");
|
||||
- for (Principal issuer : issuers) {
|
||||
- logger.debug("JSSKeyManager: - " + issuer.getName());
|
||||
- }
|
||||
-
|
||||
- return null; // not implemented
|
||||
- }
|
||||
-
|
||||
- @Override
|
||||
- public PrivateKey getPrivateKey(String alias) {
|
||||
-
|
||||
- logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
|
||||
-
|
||||
- try {
|
||||
- CryptoManager cm = CryptoManager.getInstance();
|
||||
- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
|
||||
- PrivateKey privateKey = cm.findPrivKeyByCert(cert);
|
||||
-
|
||||
- logger.debug("JSSKeyManager: key found: " + alias);
|
||||
- return privateKey;
|
||||
-
|
||||
- } catch (ObjectNotFoundException e) {
|
||||
- logger.debug("JSSKeyManager: key not found: " + alias);
|
||||
- return null;
|
||||
-
|
||||
- } catch (Throwable e) {
|
||||
- logger.error(e.getMessage(), e);
|
||||
- throw new RuntimeException(e);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- @Override
|
||||
- public String[] getServerAliases(String keyType, Principal[] issuers) {
|
||||
- logger.debug("JSSKeyManager: getServerAliases()");
|
||||
- logger.debug("JSSKeyManager: key type: " + keyType);
|
||||
-
|
||||
- logger.debug("JSSKeyManager: issuers:");
|
||||
- for (Principal issuer : issuers) {
|
||||
- logger.debug("JSSKeyManager: - " + issuer.getName());
|
||||
- }
|
||||
-
|
||||
- return null; // not implemented
|
||||
- }
|
||||
-}
|
||||
diff --git a/src/org/dogtagpki/tomcat/JSSTrustManager.java b/src/org/dogtagpki/tomcat/JSSTrustManager.java
|
||||
deleted file mode 100644
|
||||
index 87c7bdd..0000000
|
||||
--- a/src/org/dogtagpki/tomcat/JSSTrustManager.java
|
||||
+++ /dev/null
|
||||
@@ -1,197 +0,0 @@
|
||||
-/* BEGIN COPYRIGHT BLOCK
|
||||
- * This library is free software; you can redistribute it and/or
|
||||
- * modify it under the terms of the GNU Lesser General Public
|
||||
- * License as published by the Free Software Foundation; either
|
||||
- * version 2.1 of the License, or (at your option) any later version.
|
||||
- *
|
||||
- * This library is distributed in the hope that it will be useful,
|
||||
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
- * Lesser General Public License for more details.
|
||||
- *
|
||||
- * You should have received a copy of the GNU Lesser General Public
|
||||
- * License along with this library; if not, write to the Free Software
|
||||
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
- *
|
||||
- * Copyright (C) 2017 Red Hat, Inc.
|
||||
- * All rights reserved.
|
||||
- * END COPYRIGHT BLOCK */
|
||||
-
|
||||
-package org.dogtagpki.tomcat;
|
||||
-
|
||||
-import java.security.cert.CertificateException;
|
||||
-import java.security.cert.X509Certificate;
|
||||
-import java.util.ArrayList;
|
||||
-import java.util.Arrays;
|
||||
-import java.util.Collection;
|
||||
-import java.util.List;
|
||||
-
|
||||
-import javax.net.ssl.X509TrustManager;
|
||||
-
|
||||
-import org.mozilla.jss.CryptoManager;
|
||||
-import org.mozilla.jss.NotInitializedException;
|
||||
-import org.mozilla.jss.netscape.security.util.Cert;
|
||||
-import org.slf4j.Logger;
|
||||
-import org.slf4j.LoggerFactory;
|
||||
-
|
||||
-import sun.security.x509.X509CertImpl;
|
||||
-
|
||||
-public class JSSTrustManager implements X509TrustManager {
|
||||
-
|
||||
- final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
|
||||
-
|
||||
- final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
|
||||
- final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
|
||||
-
|
||||
- public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
|
||||
-
|
||||
- logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
|
||||
-
|
||||
- // sort cert chain from root to leaf
|
||||
- certChain = Cert.sortCertificateChain(certChain);
|
||||
-
|
||||
- for (X509Certificate cert : certChain) {
|
||||
- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
|
||||
- }
|
||||
-
|
||||
- // get CA certs
|
||||
- X509Certificate[] caCerts = getAcceptedIssuers();
|
||||
-
|
||||
- // validating cert chain from root to leaf
|
||||
- for (int i = 0; i < certChain.length; i++) {
|
||||
-
|
||||
- X509Certificate cert = certChain[i];
|
||||
-
|
||||
- // validating key usage on leaf cert only
|
||||
- String usage;
|
||||
- if (i == certChain.length - 1) {
|
||||
- usage = keyUsage;
|
||||
- } else {
|
||||
- usage = null;
|
||||
- }
|
||||
-
|
||||
- checkCert(cert, caCerts, usage);
|
||||
-
|
||||
- // use the current cert as the CA cert for the next cert in the chain
|
||||
- caCerts = new X509Certificate[] { cert };
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
|
||||
-
|
||||
- logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
|
||||
-
|
||||
- boolean[] aki = cert.getIssuerUniqueID();
|
||||
- logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
|
||||
-
|
||||
- X509Certificate issuer = null;
|
||||
- for (X509Certificate caCert : caCerts) {
|
||||
-
|
||||
- boolean[] ski = caCert.getSubjectUniqueID();
|
||||
- logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
|
||||
-
|
||||
- try {
|
||||
- cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
|
||||
- issuer = caCert;
|
||||
- break;
|
||||
- } catch (Exception e) {
|
||||
- logger.debug("JSSTrustManager: invalid certificate: " + e);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (issuer == null) {
|
||||
- throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
|
||||
- }
|
||||
-
|
||||
- logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
|
||||
-
|
||||
- logger.debug("JSSTrustManager: checking validity range:");
|
||||
- logger.debug("JSSTrustManager: - not before: " + cert.getNotBefore());
|
||||
- logger.debug("JSSTrustManager: - not after: " + cert.getNotAfter());
|
||||
- cert.checkValidity();
|
||||
-
|
||||
- if (keyUsage != null) {
|
||||
-
|
||||
- List<String> extendedKeyUsages = cert.getExtendedKeyUsage();
|
||||
- logger.debug("JSSTrustManager: checking extended key usages:");
|
||||
-
|
||||
- for (String extKeyUsage : extendedKeyUsages) {
|
||||
- logger.debug("JSSTrustManager: - " + extKeyUsage);
|
||||
- }
|
||||
-
|
||||
- if (extendedKeyUsages.contains(keyUsage)) {
|
||||
- logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
|
||||
- } else {
|
||||
- throw new CertificateException("Missing extended key usage: " + keyUsage);
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- @Override
|
||||
- public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
|
||||
-
|
||||
- logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
|
||||
-
|
||||
- try {
|
||||
- checkCertChain(certChain, CLIENT_AUTH_OID);
|
||||
- logger.debug("JSSTrustManager: SSL client certificate is valid");
|
||||
-
|
||||
- } catch (CertificateException e) {
|
||||
- logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
|
||||
- throw e;
|
||||
-
|
||||
- } catch (Exception e) {
|
||||
- logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
|
||||
- throw new CertificateException(e);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- @Override
|
||||
- public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
|
||||
-
|
||||
- logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
|
||||
-
|
||||
- try {
|
||||
- checkCertChain(certChain, SERVER_AUTH_OID);
|
||||
- logger.debug("JSSTrustManager: SSL server certificate is valid");
|
||||
-
|
||||
- } catch (CertificateException e) {
|
||||
- logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
|
||||
- throw e;
|
||||
-
|
||||
- } catch (Exception e) {
|
||||
- logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
|
||||
- throw new CertificateException(e);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- @Override
|
||||
- public X509Certificate[] getAcceptedIssuers() {
|
||||
-
|
||||
- logger.debug("JSSTrustManager: getAcceptedIssuers():");
|
||||
-
|
||||
- Collection<X509Certificate> caCerts = new ArrayList<>();
|
||||
-
|
||||
- try {
|
||||
- CryptoManager manager = CryptoManager.getInstance();
|
||||
- for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
|
||||
- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
|
||||
-
|
||||
- try {
|
||||
- X509CertImpl caCert = new X509CertImpl(cert.getEncoded());
|
||||
- caCert.checkValidity();
|
||||
- caCerts.add(caCert);
|
||||
-
|
||||
- } catch (Exception e) {
|
||||
- logger.debug("JSSTrustManager: invalid CA certificate: " + e);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- } catch (NotInitializedException e) {
|
||||
- logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e);
|
||||
- throw new RuntimeException(e);
|
||||
- }
|
||||
-
|
||||
- return caCerts.toArray(new X509Certificate[caCerts.size()]);
|
||||
- }
|
||||
-}
|
||||
diff --git a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
|
||||
index 22c607d..a2e3cd5 100644
|
||||
--- a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
|
||||
+++ b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
|
||||
@@ -28,6 +28,9 @@
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
+import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;
|
||||
+import org.mozilla.jss.provider.javax.crypto.JSSTrustManager;
|
||||
+
|
||||
public class JSSUtil extends JSSEUtil {
|
||||
|
||||
public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
|
||||
@ -4,8 +4,9 @@ URL: http://www.dogtagpki.org/wiki/TomcatJSS
|
||||
License: LGPLv2+
|
||||
BuildArch: noarch
|
||||
Version: 7.4.1
|
||||
Release: 3
|
||||
Release: 4
|
||||
Source: https://github.com/dogtagpki/tomcatjss/archive/v%{version}%{?_phase}/tomcatjss-%{version}%{?_phase}.tar.gz
|
||||
Patch0: Use-JSSKeyManager-and-JSSTrustManager-from-JSS.patch
|
||||
BuildRequires: git ant apache-commons-lang java-devel jpackage-utils >= 0:1.7.5-15 slf4j
|
||||
BuildRequires: slf4j-jdk14 jss >= 4.6.0 tomcat >= 1:9.0.7
|
||||
Requires: apache-commons-lang java-headless jpackage-utils >= 0:1.7.5-15 slf4j jss >= 4.6.0 tomcat >= 1:9.0.7
|
||||
@ -36,5 +37,8 @@ ant -f build.xml -Dversion=%{version} -Dsrc.dir=$app_server -Djnidir=%{_jnidir}
|
||||
%{_javadir}/*
|
||||
|
||||
%changelog
|
||||
* Tue Dec 07 2021 wangkai <wangkai385@huawei.com> - 7.4.1-4
|
||||
- Remove conflicts tomcat-native
|
||||
|
||||
* Sun Apr 26 2020 wutao <wutao61@huawei.com> - 7.4.1-3
|
||||
- Package init
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user