[Pki-devel] [Patch] Port 'tomcatjss' from Tomcat 6 to Tomcat 7 . . .
Matthew Harmsen
mharmsen at redhat.com
Fri Jul 6 19:04:58 UTC 2012
This is a request for code review of the following:
* https://fedorahosted.org/pki/ticket/205: Branch 'tomcatjss' and port
it from using Tomcat 6 to using Tomcat 7 . . .
* *Bugzilla Bug #819554*
<https://bugzilla.redhat.com/show_bug.cgi?id=819554> -tomcatjss:
Please migrate from tomcat6 to tomcat7
These changes are intended for the upstream 'tomcatjss' project.
Note that due to an API change from Tomcat 6 to Tomcat 7, it was
necessary to branch the upstream 'tomcatjss' source (svn list
svn+ssh://svn.fedorahosted.org/svn/tomcatjss/branches):
* TOMCATJSS_FOR_TOMCAT_6_ERRATA_BRANCH (to be used for 'tomcatjss'
maintenance releases slated for Tomcat 6)
Once these changes have been approved, the trunk of the upstream
'tomcatjss' repository will be utilized for Tomcat 7 exclusively (svn
list svn+ssh://svn.fedorahosted.org/svn/tomcatjss/trunk).
Additionally, these changes will NOT be immediately committed to
'Rawhide' in Fedora, as these changes would conflict with some current
known testing taking place within Rawhide. As such, the 'official' build
of 'tomcatjss' 7 to 'rawhide' will be postponed until it can be safely
built and injected into 'rawhide'.
-- Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120706/d23aa264/attachment.htm>
-------------- next part --------------
Index: src/org/apache/tomcat/util/net/jss/IJSSFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/IJSSFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/IJSSFactory.java (working copy)
@@ -24,6 +24,6 @@
import java.net.*;
interface IJSSFactory {
- public ServerSocketFactory getSocketFactory();
+ public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint);
public SSLSupport getSSLSupport(Socket socket);
}
Index: src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (working copy)
@@ -31,8 +31,15 @@
import java.net.*;
import java.io.*;
+// Imports required to "implement" Tomcat 7 Interface
+import org.apache.tomcat.util.net.AbstractEndpoint;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+
public class JSSSocketFactory
- extends org.apache.tomcat.util.net.ServerSocketFactory {
+ implements org.apache.tomcat.util.net.ServerSocketFactory,
+ org.apache.tomcat.util.net.SSLUtil {
private static HashMap cipherMap = new HashMap();
static {
@@ -157,6 +164,8 @@
eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS_ECDH_ECDSA_WITH_NULL_SHA");
}
+ private AbstractEndpoint endpoint;
+
static org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog(JSSSocketFactory.class);
@@ -176,8 +185,8 @@
private IPasswordStore mPasswordStore = null;
private boolean mStrictCiphers = false;
- public JSSSocketFactory() {
- super();
+ public JSSSocketFactory (AbstractEndpoint endpoint) {
+ this.endpoint = endpoint;
}
private void debugWrite(String m) throws IOException {
@@ -190,7 +199,7 @@
public void setSSLCiphers(String attr) throws SocketException
{
- String ciphers = (String)attributes.get(attr);
+ String ciphers = (String)endpoint.getAttribute(attr);
StringTokenizer st = new StringTokenizer(ciphers, ",");
while (st.hasMoreTokens()) {
String cipherstr = st.nextToken();
@@ -250,7 +259,7 @@
public void setSSLOptions() throws SocketException
{
- String options = (String)attributes.get("sslOptions");
+ String options = (String)endpoint.getAttribute("sslOptions");
StringTokenizer st = new StringTokenizer(options, ",");
while (st.hasMoreTokens()) {
String option = st.nextToken();
@@ -301,7 +310,7 @@
void init() throws IOException {
try {
- String deb = (String)attributes.get("debug");
+ String deb = (String)endpoint.getAttribute("debug");
if (deb.equals("true")) {
debug = true;
debugFile = new FileWriter("/tmp/tomcatjss.log", true);
@@ -313,8 +322,8 @@
try {
try {
- mPwdPath = (String)attributes.get("passwordFile");
- mPwdClass = (String)attributes.get("passwordClass");
+ mPwdPath = (String)endpoint.getAttribute("passwordFile");
+ mPwdClass = (String)endpoint.getAttribute("passwordClass");
if (mPwdClass != null) {
mPasswordStore = (IPasswordStore)Class.forName(mPwdClass).newInstance();
mPasswordStore.init(mPwdPath);
@@ -328,7 +337,7 @@
throw new IOException("JSSSocketFactory: no passwordFilePath defined");
}
- String certDir = (String)attributes.get("certdbDir");
+ String certDir = (String)endpoint.getAttribute("certdbDir");
CryptoManager.InitializationValues vals =
new CryptoManager.InitializationValues(certDir,
@@ -355,7 +364,7 @@
String st = (String) en.nextElement();
debugWrite("JSSSocketFactory init - tag name="+st+"\n");
pwd = mPasswordStore.getPassword(st);
-
+
if (pwd != null) {
debugWrite("JSSSocketFactory init - got password\n");
pw = new Password(pwd.toCharArray());
@@ -393,10 +402,12 @@
debugWrite("JSSSocketFactory init - no login done\n");
} //mPasswordStore not null
- String clientAuthStr = (String)attributes.get("clientauth");
+ // MUST look for "clientauth" (ALL lowercase) since "clientAuth"
+ // (camel case) has already been processed by Tomcat 7
+ String clientAuthStr = (String)endpoint.getAttribute("clientauth");
File file = null;
try {
- mServerCertNickPath = (String)attributes.get("serverCertNickFile");
+ mServerCertNickPath = (String)endpoint.getAttribute("serverCertNickFile");
debugWrite("JSSSocketFactory init - got serverCertNickFile"+
mServerCertNickPath+"\n");
file = new File(mServerCertNickPath);
@@ -430,7 +441,7 @@
throw new IOException("JSSSocketFactory: no serverCertNickFile defined");
}
- //serverCertNick = (String)attributes.get("serverCert");
+ //serverCertNick = (String)endpoint.getAttribute("serverCert");
if (clientAuthStr.equalsIgnoreCase("true") ||
clientAuthStr.equalsIgnoreCase("yes")) {
requireClientAuth = true;
@@ -444,7 +455,7 @@
&& ocspConfigured == false ) {
debugWrite("JSSSocketFactory init - checking for OCSP settings. \n" );
boolean enableOCSP = false;
- String doOCSP = (String) attributes.get("enableOCSP");
+ String doOCSP = (String) endpoint.getAttribute("enableOCSP");
debugWrite("JSSSocketFactory init - doOCSP flag:"+
doOCSP+ " \n");
@@ -457,10 +468,10 @@
enableOCSP+ "\n");
if( enableOCSP == true ) {
- String ocspResponderURL = (String) attributes.get("ocspResponderURL");
+ String ocspResponderURL = (String) endpoint.getAttribute("ocspResponderURL");
debugWrite("JSSSocketFactory init - ocspResponderURL "+
ocspResponderURL+ "\n");
- String ocspResponderCertNickname = (String) attributes.get("ocspResponderCertNickname");
+ String ocspResponderCertNickname = (String) endpoint.getAttribute("ocspResponderCertNickname");
debugWrite("JSSSocketFactory init - ocspResponderCertNickname" + ocspResponderCertNickname + "\n");
if( (ocspResponderURL != null && ocspResponderURL.length() > 0) &&
(ocspResponderCertNickname != null &&
@@ -473,9 +484,9 @@
int ocspMinCacheEntryDuration_i = 3600;
int ocspMaxCacheEntryDuration_i = 86400;
- String ocspCacheSize = (String) attributes.get("ocspCacheSize");
- String ocspMinCacheEntryDuration = (String) attributes.get("ocspMinCacheEntryDuration");
- String ocspMaxCacheEntryDuration = (String) attributes.get("ocspMaxCacheEntryDuration");
+ String ocspCacheSize = (String) endpoint.getAttribute("ocspCacheSize");
+ String ocspMinCacheEntryDuration = (String) endpoint.getAttribute("ocspMinCacheEntryDuration");
+ String ocspMaxCacheEntryDuration = (String) endpoint.getAttribute("ocspMaxCacheEntryDuration");
if (ocspCacheSize != null ||
ocspMinCacheEntryDuration != null ||
@@ -498,7 +509,7 @@
}
// defualt to 60 seconds;
- String ocspTimeout = (String) attributes.get("ocspTimeout");
+ String ocspTimeout = (String) endpoint.getAttribute("ocspTimeout");
if (ocspTimeout != null) {
debugWrite("JSSSocketFactory init - ocspTimeout= \n" + ocspTimeout);
int ocspTimeout_i = Integer.parseInt(ocspTimeout);
@@ -525,7 +536,7 @@
// 12 hours = 43200 seconds
SSLServerSocket.configServerSessionIDCache(0, 43200, 43200, null);
- String strictCiphersStr = (String)attributes.get("strictCiphers");
+ String strictCiphersStr = (String)endpoint.getAttribute("strictCiphers");
if (strictCiphersStr.equalsIgnoreCase("true") ||
strictCiphersStr.equalsIgnoreCase("yes")) {
mStrictCiphers = true;
@@ -539,7 +550,6 @@
}
setSSLOptions();
- setSSLOptions();
debugWrite("SSSocketFactory init - after setSSLOptions\n");
} catch (Exception ex) {
debugWrite("JSSSocketFactory init - exception thrown:"+
@@ -627,4 +637,21 @@
} catch (Exception e) {
}
}
+
+ // Methods required to "implement" Tomcat 7 Interface
+ public SSLContext createSSLContext() throws Exception {
+ return null;
+ }
+
+ public KeyManager[] getKeyManagers() throws Exception {
+ return null;
+ }
+
+ public TrustManager[] getTrustManagers() throws Exception {
+ return null;
+ }
+
+ public void configureSessionContext(javax.net.ssl.SSLSessionContext sslSessionContext) {
+ return;
+ }
}
Index: src/org/apache/tomcat/util/net/jss/JSSImplementation.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSImplementation.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSImplementation.java (working copy)
@@ -12,7 +12,7 @@
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
+ *
* Copyright (C) 2007 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */
@@ -21,8 +21,10 @@
import java.net.Socket;
import java.io.*;
+import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SSLSupport;
+import org.apache.tomcat.util.net.SSLUtil;
import org.apache.tomcat.util.net.ServerSocketFactory;
public class JSSImplementation extends SSLImplementation
@@ -38,7 +40,7 @@
public JSSImplementation() throws ClassNotFoundException {
Class.forName(SSLSocketClass);
-
+
try {
Class factcl = Class.forName(JSSFactory);
factory = (JSSFactory)factcl.newInstance();
@@ -52,8 +54,9 @@
return "JSS";
}
- public ServerSocketFactory getServerSocketFactory() {
- ServerSocketFactory ssf = factory.getSocketFactory();
+ public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint)
+ {
+ ServerSocketFactory ssf = factory.getSocketFactory(endpoint);
return ssf;
}
@@ -85,7 +88,13 @@
*
* Once this abstract method is removed from SSLImplementation in a
* future release we can remove this stub.
+ *
+ * NOTE: This method has NOT yet been deprecated in Tomcat 7!
*/
return null;
}
+
+ public SSLUtil getSSLUtil(AbstractEndpoint endpoint) {
+ return null;
+ }
}
Index: src/org/apache/tomcat/util/net/jss/JSSFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSFactory.java (working copy)
@@ -27,8 +27,8 @@
JSSFactory() {
}
- public ServerSocketFactory getSocketFactory() {
- return new JSSSocketFactory();
+ public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint) {
+ return new JSSSocketFactory(endpoint);
}
public SSLSupport getSSLSupport(Socket socket) {
Index: README
===================================================================
--- README (revision 229)
+++ README (working copy)
@@ -3,7 +3,7 @@
tomcatjss defines a number of attributes for a Connector including:
-clientAuth: specify if client authentication is required in the connector (or
+clientauth: specify if client authentication is required in the connector (or
port), it can be true or false. If true then client authentication is required.
sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
@@ -16,6 +16,9 @@
ssl3Ciphers: specifies a list of SSL3 ciphers that tomcatjss should accept
or reject from the client. You can use + to denote "accept", - means "reject".
+tlsCiphers: specifies a list of TLS ciphers that tomcatjss should accept
+or reject from the client. You can use + to denote "accept", - means "reject".
+
serverCertNickFile: a file in which specify the nickname of the
server certificate. The file should contain a single line that contains
the nickname.
@@ -30,29 +33,41 @@
sslProtocol: needs to be SSL
-SSLImplementation: Needs to be org.apache.tomcat.util.net.jss.JSSImplementation
+sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation
in order to use the plugin
Here is an example of a secure connector:
-<Connector port="9443"
+<Connector port="8443"
+ protocol="HTTP/1.1"
+ SSLEnabled="true"
+ sslProtocol="SSL"
+ scheme="https"
+ secure="true"
+ keyStoreType="PKCS11"
maxHttpHeaderSize="8192"
+ acceptCount="100"
maxThreads="150"
minSpareThreads="25"
- maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
- acceptCount="100"
- scheme="https"
- secure="true"
- clientAuth="false"
- sslProtocol="SSL"
+ sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
+ enableOCSP="false"
+ ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
+ ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+ ocspCacheSize="1000"
+ ocspMinCacheEntryDuration="60"
+ ocspMaxCacheEntryDuration="120"
+ ocspTimeout="10"
+ strictCiphers="false"
+ clientAuth="agent"
+ clientauth="agent"
sslOptions="ssl2=true,ssl3=true,tls=true"
ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="/var/lib/rhpki-ca/conf/serverCertNick.conf"
- passwordFile="/var/lib/rhpki-ca/conf/password.conf"
+ ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+ tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
+ serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
+ passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="/var/lib/rhpki-ca/alias"
+ certdbDir="/var/lib/pki/redhat.com-foobar/alias"
/>
Index: build.xml
===================================================================
--- build.xml (revision 229)
+++ build.xml (working copy)
@@ -37,8 +37,8 @@
<property name="Name" value="Tomcat JSS"/>
<property name="name" value="tomcatjss"/>
- <property name="version" value="6.0.2"/>
- <property name="manifest-version" value="6.0.2"/>
+ <property name="version" value="7.0.0"/>
+ <property name="manifest-version" value="7.0.0"/>
<!--
Set the properties that control various build options
@@ -98,7 +98,7 @@
-->
<property name="jar.home" value="/usr/share/java" />
<property name="commons-logging.jar" value="${jar.home}/commons-logging-api.jar" />
- <property name="tomcat.lib" value="${jar.home}/tomcat6" />
+ <property name="tomcat.lib" value="${jar.home}/tomcat" />
<property name="tomcat-coyote.jar" value="${tomcat.lib}/tomcat-coyote.jar" />
<property name="jss.home" value="${jnidir}" />
<!-- This property is set to '/dirsec' when built on rhel4 -->
Index: tomcatjss.spec
===================================================================
--- tomcatjss.spec (revision 229)
+++ tomcatjss.spec (working copy)
@@ -1,5 +1,5 @@
Name: tomcatjss
-Version: 6.0.2
+Version: 7.0.0
Release: 1%{?dist}
Summary: JSSE implementation using JSS for Tomcat
URL: http://pki.fedoraproject.org/
@@ -13,41 +13,17 @@
# jpackage-utils requires versioning to meet both build and runtime requirements
# jss requires versioning to meet both build and runtime requirements
-# tomcat6 requires versioning to meet both build and runtime requirements
+# tomcat requires versioning to meet both build and runtime requirements
BuildRequires: ant
-BuildRequires: java-devel >= 1:1.6.0
-%if 0%{?fedora} >= 16
-BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.2.6-19.1
-BuildRequires: tomcat6 >= 6.0.32-16
-%else
-%if 0%{?fedora} >= 15
-BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
-BuildRequires: tomcat6 >= 6.0.30-6
-%else
-BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
-BuildRequires: tomcat6
-%endif
-%endif
+BuildRequires: java-devel
+BuildRequires: jpackage-utils >= 0:1.7.5-15
+BuildRequires: jss >= 4.2.6-24
+BuildRequires: tomcat >= 7.0.27
-Requires: java >= 1:1.6.0
-%if 0%{?fedora} >= 16
-Requires: jpackage-utils >= 0:1.7.5-10
-Requires: jss >= 4.2.6-19.1
-Requires: tomcat6 >= 6.0.32-16
-%else
-%if 0%{?fedora} >= 15
-Requires: jpackage-utils
-Requires: jss >= 4.2.6-17
-Requires: tomcat6 >= 6.0.30-6
-%else
-Requires: jpackage-utils
-Requires: jss >= 4.2.6-17
-Requires: tomcat6
-%endif
-%endif
+Requires: java
+BuildRequires: jpackage-utils >= 0:1.7.5-15
+BuildRequires: jss >= 4.2.6-24
+BuildRequires: tomcat >= 7.0.27
# The 'tomcatjss' package conflicts with the 'tomcat-native' package
# because it uses an underlying NSS security model rather than the
@@ -100,6 +76,9 @@
%{_javadir}/*
%changelog
+* Wed Jun 06 2012 Matthew Harmsen <mharmsen at redhat.com> 7.0.0-1
+- Bugzilla Bug #819554 - tomcatjss: Please migrate from tomcat6 to tomcat7
+
* Thu Sep 22 2011 Matthew Harmsen <mharmsen at redhat.com> 6.0.2-1
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
More information about the Pki-devel
mailing list