Index: src/org/apache/tomcat/util/net/jss/IJSSFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/IJSSFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/IJSSFactory.java (working copy)
@@ -24,6 +24,6 @@
import java.net.*;
interface IJSSFactory {
- public ServerSocketFactory getSocketFactory();
+ public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint);
public SSLSupport getSSLSupport(Socket socket);
}
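Review bot: The new signature references `AbstractEndpoint`, but the only import visible in this hunk is `import java.net.*;`, and `org.apache.tomcat.util.net.AbstractEndpoint` lives in a different package, so the interface will not compile unless an import exists above the hunk (the import block is cut off here, so this may already be handled). The other files in this patch add `import org.apache.tomcat.util.net.AbstractEndpoint;` explicitly, and the same line is expected here. The same question applies to the JSSFactory.java hunk further down, which also uses `AbstractEndpoint` without a visible import.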
Index: src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (working copy)
@@ -31,8 +31,15 @@
import java.net.*;
import java.io.*;
+// Imports required to "implement" Tomcat 7 Interface
+import org.apache.tomcat.util.net.AbstractEndpoint;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+
public class JSSSocketFactory
- extends org.apache.tomcat.util.net.ServerSocketFactory {
+ implements org.apache.tomcat.util.net.ServerSocketFactory,
+ org.apache.tomcat.util.net.SSLUtil {
private static HashMap cipherMap = new HashMap();
static {
@@ -157,6 +164,8 @@
eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS_ECDH_ECDSA_WITH_NULL_SHA");
}
+ private AbstractEndpoint endpoint;
+
static org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog(JSSSocketFactory.class);
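Review bot: `private AbstractEndpoint endpoint;` can be declared `final`: it is assigned exactly once, in the new constructor, and every attribute lookup in this file now goes through it, so `private final AbstractEndpoint endpoint;` lets the compiler guarantee it is never re-pointed after construction. A short comment such as `// Tomcat 7 endpoint that carries the Connector attributes this factory reads (replaces the Tomcat 6 attributes map)` would also help readers who still look for the old `attributes` field.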
@@ -176,8 +185,8 @@
private IPasswordStore mPasswordStore = null;
private boolean mStrictCiphers = false;
- public JSSSocketFactory() {
- super();
+ public JSSSocketFactory (AbstractEndpoint endpoint) {
+ this.endpoint = endpoint;
}
private void debugWrite(String m) throws IOException {
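Review bot: The constructor stores `endpoint` without checking it, and every `endpoint.getAttribute(...)` call in `init()` and the setter methods dereferences it, so a null passed by a caller would surface as a NullPointerException deep inside `init()` rather than at construction. Suggest `this.endpoint = java.util.Objects.requireNonNull(endpoint, "endpoint");` (or an explicit `if (endpoint == null) throw new IllegalArgumentException("endpoint");`). As a style nit, `JSSSocketFactory (AbstractEndpoint endpoint)` has a space before the parenthesis that the other signatures in this file do not use.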
@@ -190,7 +199,7 @@
public void setSSLCiphers(String attr) throws SocketException
{
- String ciphers = (String)attributes.get(attr);
+ String ciphers = (String)endpoint.getAttribute(attr);
StringTokenizer st = new StringTokenizer(ciphers, ",");
while (st.hasMoreTokens()) {
String cipherstr = st.nextToken();
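Review bot: `(String)endpoint.getAttribute(attr)` on the new line returns null when the Connector does not set the attribute, and the value goes straight into `new StringTokenizer(ciphers, ",")`, which throws NullPointerException on a null string. The same pattern recurs on the other migrated lookups in this file: `sslOptions` also feeds a StringTokenizer, and `debug`, `clientauth` and `strictCiphers` feed `.equals`/`.equalsIgnoreCase`, so a missing optional attribute aborts `init()` with an uninformative NPE. This was already the behaviour with the Tomcat 6 `attributes` map, but since each lookup is being rewritten anyway, a guard such as `if (ciphers == null) return;` here (and a `"false"` default for the boolean flags) would make absent attributes a no-op instead of a crash. The enclosing method continues past the end of the hunk.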
@@ -250,7 +259,7 @@
public void setSSLOptions() throws SocketException
{
- String options = (String)attributes.get("sslOptions");
+ String options = (String)endpoint.getAttribute("sslOptions");
StringTokenizer st = new StringTokenizer(options, ",");
while (st.hasMoreTokens()) {
String option = st.nextToken();
@@ -301,7 +310,7 @@
void init() throws IOException {
try {
- String deb = (String)attributes.get("debug");
+ String deb = (String)endpoint.getAttribute("debug");
if (deb.equals("true")) {
debug = true;
debugFile = new FileWriter("/tmp/tomcatjss.log", true);
@@ -313,8 +322,8 @@
try {
try {
- mPwdPath = (String)attributes.get("passwordFile");
- mPwdClass = (String)attributes.get("passwordClass");
+ mPwdPath = (String)endpoint.getAttribute("passwordFile");
+ mPwdClass = (String)endpoint.getAttribute("passwordClass");
if (mPwdClass != null) {
mPasswordStore = (IPasswordStore)Class.forName(mPwdClass).newInstance();
mPasswordStore.init(mPwdPath);
@@ -328,7 +337,7 @@
throw new IOException("JSSSocketFactory: no passwordFilePath defined");
}
- String certDir = (String)attributes.get("certdbDir");
+ String certDir = (String)endpoint.getAttribute("certdbDir");
CryptoManager.InitializationValues vals =
new CryptoManager.InitializationValues(certDir,
@@ -355,7 +364,7 @@
String st = (String) en.nextElement();
debugWrite("JSSSocketFactory init - tag name="+st+"\n");
pwd = mPasswordStore.getPassword(st);
-
+
if (pwd != null) {
debugWrite("JSSSocketFactory init - got password\n");
pw = new Password(pwd.toCharArray());
@@ -393,10 +402,12 @@
debugWrite("JSSSocketFactory init - no login done\n");
} //mPasswordStore not null
- String clientAuthStr = (String)attributes.get("clientauth");
+ // MUST look for "clientauth" (ALL lowercase) since "clientAuth"
+ // (camel case) has already been processed by Tomcat 7
+ String clientAuthStr = (String)endpoint.getAttribute("clientauth");
File file = null;
try {
- mServerCertNickPath = (String)attributes.get("serverCertNickFile");
+ mServerCertNickPath = (String)endpoint.getAttribute("serverCertNickFile");
debugWrite("JSSSocketFactory init - got serverCertNickFile"+
mServerCertNickPath+"\n");
file = new File(mServerCertNickPath);
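Review bot: Reading `clientauth` (all lowercase) works around Tomcat 7 consuming `clientAuth` itself, but it means the standard spelling is now silently dropped by this factory: an operator who writes `clientAuth="true"` gets null from `endpoint.getAttribute("clientauth")`, and the `clientAuthStr.equalsIgnoreCase(...)` check further down (outside this hunk) then throws a NullPointerException instead of enabling client authentication. Because this setting decides whether client certificates are required at all, the missing-attribute case should fail with a clear message, e.g. `if (clientAuthStr == null) throw new IOException("JSSSocketFactory: clientauth attribute (lowercase) not set; clientAuth is consumed by Tomcat 7");`. If `AbstractEndpoint` exposes the already-processed `clientAuth` value through a getter, falling back to it would be more robust still, but I cannot confirm that API from this patch. The enclosing `init()` starts and ends outside the hunk.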
@@ -430,7 +441,7 @@
throw new IOException("JSSSocketFactory: no serverCertNickFile defined");
}
- //serverCertNick = (String)attributes.get("serverCert");
+ //serverCertNick = (String)endpoint.getAttribute("serverCert");
if (clientAuthStr.equalsIgnoreCase("true") ||
clientAuthStr.equalsIgnoreCase("yes")) {
requireClientAuth = true;
@@ -444,7 +455,7 @@
&& ocspConfigured == false ) {
debugWrite("JSSSocketFactory init - checking for OCSP settings. \n" );
boolean enableOCSP = false;
- String doOCSP = (String) attributes.get("enableOCSP");
+ String doOCSP = (String) endpoint.getAttribute("enableOCSP");
debugWrite("JSSSocketFactory init - doOCSP flag:"+
doOCSP+ " \n");
@@ -457,10 +468,10 @@
enableOCSP+ "\n");
if( enableOCSP == true ) {
- String ocspResponderURL = (String) attributes.get("ocspResponderURL");
+ String ocspResponderURL = (String) endpoint.getAttribute("ocspResponderURL");
debugWrite("JSSSocketFactory init - ocspResponderURL "+
ocspResponderURL+ "\n");
- String ocspResponderCertNickname = (String) attributes.get("ocspResponderCertNickname");
+ String ocspResponderCertNickname = (String) endpoint.getAttribute("ocspResponderCertNickname");
debugWrite("JSSSocketFactory init - ocspResponderCertNickname" + ocspResponderCertNickname + "\n");
if( (ocspResponderURL != null && ocspResponderURL.length() > 0) &&
(ocspResponderCertNickname != null &&
@@ -473,9 +484,9 @@
int ocspMinCacheEntryDuration_i = 3600;
int ocspMaxCacheEntryDuration_i = 86400;
- String ocspCacheSize = (String) attributes.get("ocspCacheSize");
- String ocspMinCacheEntryDuration = (String) attributes.get("ocspMinCacheEntryDuration");
- String ocspMaxCacheEntryDuration = (String) attributes.get("ocspMaxCacheEntryDuration");
+ String ocspCacheSize = (String) endpoint.getAttribute("ocspCacheSize");
+ String ocspMinCacheEntryDuration = (String) endpoint.getAttribute("ocspMinCacheEntryDuration");
+ String ocspMaxCacheEntryDuration = (String) endpoint.getAttribute("ocspMaxCacheEntryDuration");
if (ocspCacheSize != null ||
ocspMinCacheEntryDuration != null ||
@@ -498,7 +509,7 @@
}
// defualt to 60 seconds;
- String ocspTimeout = (String) attributes.get("ocspTimeout");
+ String ocspTimeout = (String) endpoint.getAttribute("ocspTimeout");
if (ocspTimeout != null) {
debugWrite("JSSSocketFactory init - ocspTimeout= \n" + ocspTimeout);
int ocspTimeout_i = Integer.parseInt(ocspTimeout);
@@ -525,7 +536,7 @@
// 12 hours = 43200 seconds
SSLServerSocket.configServerSessionIDCache(0, 43200, 43200, null);
- String strictCiphersStr = (String)attributes.get("strictCiphers");
+ String strictCiphersStr = (String)endpoint.getAttribute("strictCiphers");
if (strictCiphersStr.equalsIgnoreCase("true") ||
strictCiphersStr.equalsIgnoreCase("yes")) {
mStrictCiphers = true;
@@ -539,7 +550,6 @@
}
setSSLOptions();
- setSSLOptions();
debugWrite("SSSocketFactory init - after setSSLOptions\n");
} catch (Exception ex) {
debugWrite("JSSSocketFactory init - exception thrown:"+
@@ -627,4 +637,21 @@
} catch (Exception e) {
}
}
+
+ // Methods required to "implement" Tomcat 7 Interface
+ public SSLContext createSSLContext() throws Exception {
+ return null;
+ }
+
+ public KeyManager[] getKeyManagers() throws Exception {
+ return null;
+ }
+
+ public TrustManager[] getTrustManagers() throws Exception {
+ return null;
+ }
+
+ public void configureSessionContext(javax.net.ssl.SSLSessionContext sslSessionContext) {
+ return;
+ }
}
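Review bot: The `SSLUtil` stubs added at the end of the class return null from `createSSLContext()`, `getKeyManagers()` and `getTrustManagers()`, so any Tomcat 7 code path that obtains this object as an `SSLUtil` and uses the result will fail with a NullPointerException far from the cause. Since these methods exist only to satisfy the interface while JSS manages its own context, throwing instead makes an unsupported configuration fail at the call site with a reason: `throw new UnsupportedOperationException("JSSSocketFactory.createSSLContext: the SSL context is managed by JSS/NSS");`, and likewise for the two key/trust manager methods. A one-line Javadoc on each stub stating that it is intentionally unsupported would document the decision, and `configureSessionContext` can drop the bare `return;`.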
Index: src/org/apache/tomcat/util/net/jss/JSSImplementation.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSImplementation.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSImplementation.java (working copy)
@@ -12,7 +12,7 @@
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
+ *
* Copyright (C) 2007 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */
@@ -21,8 +21,10 @@
import java.net.Socket;
import java.io.*;
+import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SSLSupport;
+import org.apache.tomcat.util.net.SSLUtil;
import org.apache.tomcat.util.net.ServerSocketFactory;
public class JSSImplementation extends SSLImplementation
@@ -38,7 +40,7 @@
public JSSImplementation() throws ClassNotFoundException {
Class.forName(SSLSocketClass);
-
+
try {
Class factcl = Class.forName(JSSFactory);
factory = (JSSFactory)factcl.newInstance();
@@ -52,8 +54,9 @@
return "JSS";
}
- public ServerSocketFactory getServerSocketFactory() {
- ServerSocketFactory ssf = factory.getSocketFactory();
+ public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint)
+ {
+ ServerSocketFactory ssf = factory.getSocketFactory(endpoint);
return ssf;
}
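Review bot: The new `getServerSocketFactory(AbstractEndpoint endpoint)` puts its opening brace on its own line while the rest of this file (the constructor two hunks above, for instance) keeps it on the signature line, and the body assigns `ssf` only to return it. Suggest `public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint) {` / `return factory.getSocketFactory(endpoint);` / `}`, with an `@Override` annotation so a future signature change in `SSLImplementation` is caught at compile time rather than silently leaving an unused overload.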
@@ -85,7 +88,13 @@
*
* Once this abstract method is removed from SSLImplementation in a
* future release we can remove this stub.
+ *
+ * NOTE: This method has NOT yet been deprecated in Tomcat 7!
*/
return null;
}
+
+ public SSLUtil getSSLUtil(AbstractEndpoint endpoint) {
+ return null;
+ }
}
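Review bot: `getSSLUtil(AbstractEndpoint)` returns null, yet `JSSSocketFactory` in this same patch now implements `SSLUtil`, so the two halves of the change disagree about whether an `SSLUtil` exists. If the intent is that only the `getServerSocketFactory` path is supported, say so explicitly with `throw new UnsupportedOperationException("JSSImplementation: SSLUtil is not supported; use getServerSocketFactory");` rather than returning null, which would surface later as a NullPointerException inside Tomcat with no hint that the connector type is unsupported. A short Javadoc naming which connector types this implementation supports would document the decision. The first lines of the hunk are the tail of a method that starts outside it.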
Index: src/org/apache/tomcat/util/net/jss/JSSFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSFactory.java (working copy)
@@ -27,8 +27,8 @@
JSSFactory() {
}
- public ServerSocketFactory getSocketFactory() {
- return new JSSSocketFactory();
+ public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint) {
+ return new JSSSocketFactory(endpoint);
}
public SSLSupport getSSLSupport(Socket socket) {
Index: README
===================================================================
--- README (revision 229)
+++ README (working copy)
@@ -3,7 +3,7 @@
tomcatjss defines a number of attributes for a Connector including:
-clientAuth: specify if client authentication is required in the connector (or
+clientauth: specify if client authentication is required in the connector (or
port), it can be true or false. If true then client authentication is required.
sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
@@ -16,6 +16,9 @@
ssl3Ciphers: specifies a list of SSL3 ciphers that tomcatjss should accept
or reject from the client. You can use + to denote "accept", - means "reject".
+tlsCiphers: specifies a list of TLS ciphers that tomcatjss should accept
+or reject from the client. You can use + to denote "accept", - means "reject".
+
serverCertNickFile: a file in which specify the nickname of the
server certificate. The file should contain a single line that contains
the nickname.
@@ -30,29 +33,41 @@
sslProtocol: needs to be SSL
-SSLImplementation: Needs to be org.apache.tomcat.util.net.jss.JSSImplementation
+sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation
in order to use the plugin
Here is an example of a secure connector:
-
Index: build.xml
===================================================================
--- build.xml (revision 229)
+++ build.xml (working copy)
@@ -37,8 +37,8 @@
-
-
+
+
-
+
Index: tomcatjss.spec
===================================================================
--- tomcatjss.spec (revision 229)
+++ tomcatjss.spec (working copy)
@@ -1,5 +1,5 @@
Name: tomcatjss
-Version: 6.0.2
+Version: 7.0.0
Release: 1%{?dist}
Summary: JSSE implementation using JSS for Tomcat
URL: http://pki.fedoraproject.org/
@@ -13,41 +13,17 @@
# jpackage-utils requires versioning to meet both build and runtime requirements
# jss requires versioning to meet both build and runtime requirements
-# tomcat6 requires versioning to meet both build and runtime requirements
+# tomcat requires versioning to meet both build and runtime requirements
BuildRequires: ant
-BuildRequires: java-devel >= 1:1.6.0
-%if 0%{?fedora} >= 16
-BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.2.6-19.1
-BuildRequires: tomcat6 >= 6.0.32-16
-%else
-%if 0%{?fedora} >= 15
-BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
-BuildRequires: tomcat6 >= 6.0.30-6
-%else
-BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
-BuildRequires: tomcat6
-%endif
-%endif
+BuildRequires: java-devel
+BuildRequires: jpackage-utils >= 0:1.7.5-15
+BuildRequires: jss >= 4.2.6-24
+BuildRequires: tomcat >= 7.0.27
-Requires: java >= 1:1.6.0
-%if 0%{?fedora} >= 16
-Requires: jpackage-utils >= 0:1.7.5-10
-Requires: jss >= 4.2.6-19.1
-Requires: tomcat6 >= 6.0.32-16
-%else
-%if 0%{?fedora} >= 15
-Requires: jpackage-utils
-Requires: jss >= 4.2.6-17
-Requires: tomcat6 >= 6.0.30-6
-%else
-Requires: jpackage-utils
-Requires: jss >= 4.2.6-17
-Requires: tomcat6
-%endif
-%endif
+Requires: java
+BuildRequires: jpackage-utils >= 0:1.7.5-15
+BuildRequires: jss >= 4.2.6-24
+BuildRequires: tomcat >= 7.0.27
# The 'tomcatjss' package conflicts with the 'tomcat-native' package
# because it uses an underlying NSS security model rather than the
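Review bot: The runtime dependency block on the `+` side lists `Requires: java` followed by three `BuildRequires:` lines, which duplicates the build section above and drops the runtime requirements on jpackage-utils, jss and tomcat that the removed lines carried, so the package would install without JSS or Tomcat present. The three lines after `Requires: java` should read `Requires: jpackage-utils >= 0:1.7.5-15`, `Requires: jss >= 4.2.6-24` and `Requires: tomcat >= 7.0.27`, mirroring the build-time versions already used in this hunk.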
@@ -100,6 +76,9 @@
%{_javadir}/*
%changelog
+* Wed Jun 06 2012 Matthew Harmsen 7.0.0-1
+- Bugzilla Bug #819554 - tomcatjss: Please migrate from tomcat6 to tomcat7
+
* Thu Sep 22 2011 Matthew Harmsen 6.0.2-1
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)