packages/tomcatjss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
tomcatjss/Use-JSSKeyManager-and-JSSTrustManager-from-JSS.patch
wk333 2a214a3faf Remove conflicts tomcat-native 
(cherry picked from commit 41038d9e4c3f3ca911db5498a80181efb25505b2)
2022-02-08 14:10:21 +08:00

388 lines
14 KiB
Diff
Raw Blame History

From fb11bcd42aed364f77cd1b07a0d3139496817dea Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 31 May 2019 15:20:46 -0400
Subject: [PATCH] Use JSSKeyManager and JSSTrustManager from JSS
With jss-pr#159 merged, we've added a KeyManager and TrustManager to the
JSS default provider that we should use instead of the instances
in-tree.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/org/dogtagpki/tomcat/JSSKeyManager.java | 146 -------------
src/org/dogtagpki/tomcat/JSSTrustManager.java | 197 ------------------
.../src/org/dogtagpki/tomcat/JSSUtil.java | 3 +
3 files changed, 3 insertions(+), 343 deletions(-)
delete mode 100644 src/org/dogtagpki/tomcat/JSSKeyManager.java
delete mode 100644 src/org/dogtagpki/tomcat/JSSTrustManager.java
diff --git a/src/org/dogtagpki/tomcat/JSSKeyManager.java b/src/org/dogtagpki/tomcat/JSSKeyManager.java
deleted file mode 100644
index 1f94260..0000000
--- a/src/org/dogtagpki/tomcat/JSSKeyManager.java
+++ /dev/null
@@ -1,146 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Copyright (C) 2017 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.dogtagpki.tomcat;
-
-import java.net.Socket;
-import java.security.Principal;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-
-import javax.net.ssl.X509KeyManager;
-
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.crypto.ObjectNotFoundException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import sun.security.x509.X509CertImpl;
-
-public class JSSKeyManager implements X509KeyManager {
-
- final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
-
- @Override
- public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
- logger.debug("JSSKeyManager: chooseClientAlias()");
-
- logger.debug("JSSKeyManager: key types:");
- for (String keyType : keyTypes) {
- logger.debug("JSSKeyManager: - " + keyType);
- }
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
- logger.debug("JSSKeyManager: chooseServerAlias()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public X509Certificate[] getCertificateChain(String alias) {
-
- logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
-
- try {
- CryptoManager cm = CryptoManager.getInstance();
- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
-
- org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
- logger.debug("JSSKeyManager: cert chain:");
-
- Collection<X509Certificate> list = new ArrayList<>();
- for (org.mozilla.jss.crypto.X509Certificate c : chain) {
- logger.debug("JSSKeyManager: - " + c.getSubjectDN());
- list.add(new X509CertImpl(c.getEncoded()));
- }
-
- return list.toArray(new X509Certificate[list.size()]);
-
- } catch (Throwable e) {
- logger.error(e.getMessage(), e);
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public String[] getClientAliases(String keyType, Principal[] issuers) {
- logger.debug("JSSKeyManager: getClientAliases()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public PrivateKey getPrivateKey(String alias) {
-
- logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
-
- try {
- CryptoManager cm = CryptoManager.getInstance();
- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
- PrivateKey privateKey = cm.findPrivKeyByCert(cert);
-
- logger.debug("JSSKeyManager: key found: " + alias);
- return privateKey;
-
- } catch (ObjectNotFoundException e) {
- logger.debug("JSSKeyManager: key not found: " + alias);
- return null;
-
- } catch (Throwable e) {
- logger.error(e.getMessage(), e);
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public String[] getServerAliases(String keyType, Principal[] issuers) {
- logger.debug("JSSKeyManager: getServerAliases()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-}
diff --git a/src/org/dogtagpki/tomcat/JSSTrustManager.java b/src/org/dogtagpki/tomcat/JSSTrustManager.java
deleted file mode 100644
index 87c7bdd..0000000
--- a/src/org/dogtagpki/tomcat/JSSTrustManager.java
+++ /dev/null
@@ -1,197 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Copyright (C) 2017 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.dogtagpki.tomcat;
-
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-
-import javax.net.ssl.X509TrustManager;
-
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.NotInitializedException;
-import org.mozilla.jss.netscape.security.util.Cert;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import sun.security.x509.X509CertImpl;
-
-public class JSSTrustManager implements X509TrustManager {
-
- final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
-
- final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
- final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
-
- public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
-
- logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
-
- // sort cert chain from root to leaf
- certChain = Cert.sortCertificateChain(certChain);
-
- for (X509Certificate cert : certChain) {
- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
- }
-
- // get CA certs
- X509Certificate[] caCerts = getAcceptedIssuers();
-
- // validating cert chain from root to leaf
- for (int i = 0; i < certChain.length; i++) {
-
- X509Certificate cert = certChain[i];
-
- // validating key usage on leaf cert only
- String usage;
- if (i == certChain.length - 1) {
- usage = keyUsage;
- } else {
- usage = null;
- }
-
- checkCert(cert, caCerts, usage);
-
- // use the current cert as the CA cert for the next cert in the chain
- caCerts = new X509Certificate[] { cert };
- }
- }
-
- public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
-
- logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
-
- boolean[] aki = cert.getIssuerUniqueID();
- logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
-
- X509Certificate issuer = null;
- for (X509Certificate caCert : caCerts) {
-
- boolean[] ski = caCert.getSubjectUniqueID();
- logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
-
- try {
- cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
- issuer = caCert;
- break;
- } catch (Exception e) {
- logger.debug("JSSTrustManager: invalid certificate: " + e);
- }
- }
-
- if (issuer == null) {
- throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
- }
-
- logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
-
- logger.debug("JSSTrustManager: checking validity range:");
- logger.debug("JSSTrustManager: - not before: " + cert.getNotBefore());
- logger.debug("JSSTrustManager: - not after: " + cert.getNotAfter());
- cert.checkValidity();
-
- if (keyUsage != null) {
-
- List<String> extendedKeyUsages = cert.getExtendedKeyUsage();
- logger.debug("JSSTrustManager: checking extended key usages:");
-
- for (String extKeyUsage : extendedKeyUsages) {
- logger.debug("JSSTrustManager: - " + extKeyUsage);
- }
-
- if (extendedKeyUsages.contains(keyUsage)) {
- logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
- } else {
- throw new CertificateException("Missing extended key usage: " + keyUsage);
- }
- }
- }
-
- @Override
- public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
-
- logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
-
- try {
- checkCertChain(certChain, CLIENT_AUTH_OID);
- logger.debug("JSSTrustManager: SSL client certificate is valid");
-
- } catch (CertificateException e) {
- logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
- throw e;
-
- } catch (Exception e) {
- logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
- throw new CertificateException(e);
- }
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
-
- logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
-
- try {
- checkCertChain(certChain, SERVER_AUTH_OID);
- logger.debug("JSSTrustManager: SSL server certificate is valid");
-
- } catch (CertificateException e) {
- logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
- throw e;
-
- } catch (Exception e) {
- logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
- throw new CertificateException(e);
- }
- }
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
-
- logger.debug("JSSTrustManager: getAcceptedIssuers():");
-
- Collection<X509Certificate> caCerts = new ArrayList<>();
-
- try {
- CryptoManager manager = CryptoManager.getInstance();
- for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
-
- try {
- X509CertImpl caCert = new X509CertImpl(cert.getEncoded());
- caCert.checkValidity();
- caCerts.add(caCert);
-
- } catch (Exception e) {
- logger.debug("JSSTrustManager: invalid CA certificate: " + e);
- }
- }
-
- } catch (NotInitializedException e) {
- logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e);
- throw new RuntimeException(e);
- }
-
- return caCerts.toArray(new X509Certificate[caCerts.size()]);
- }
-}
diff --git a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
index 22c607d..a2e3cd5 100644
--- a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
+++ b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
@@ -28,6 +28,9 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;
+import org.mozilla.jss.provider.javax.crypto.JSSTrustManager;
+
public class JSSUtil extends JSSEUtil {
public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
Reference in New Issue View Git Blame Copy Permalink