Move the truststore attributes to SSLHostConfig

Move as much of the default / fall-back code to SSLHostConfig rather than spreading it through JSSESocketFactory. This makes the defaults/fallbacks easier to read (in my view) and allowed some clean-up in JSSESocketFactory. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1678097 13f79535-47bb-0310-9956-ffa450edef68
apache · May 6, 2015 · a5cb7cc · a5cb7cc
1 parent c8c9c1c
commit a5cb7cc
Show file tree

Hide file tree

Showing 6 changed files with 299 additions and 277 deletions.
diff --git a/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java b/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
@@ -28,29 +28,6 @@ public AbstractHttp11JsseProtocol(AbstractEndpoint<S> endpoint) {
     public String getSslProtocol() { return getEndpoint().getSslProtocol();}
     public void setSslProtocol(String s) { getEndpoint().setSslProtocol(s);}
 
-    public void setTruststoreFile(String f){ getEndpoint().setTruststoreFile(f);}
-    public String getTruststoreFile(){ return getEndpoint().getTruststoreFile();}
-
-    public void setTruststorePass(String p){ getEndpoint().setTruststorePass(p);}
-    public String getTruststorePass(){return getEndpoint().getTruststorePass();}
-
-    public void setTruststoreType(String t){ getEndpoint().setTruststoreType(t);}
-    public String getTruststoreType(){ return getEndpoint().getTruststoreType();}
-
-    public void setTruststoreProvider(String t){
-        getEndpoint().setTruststoreProvider(t);
-    }
-    public String getTruststoreProvider(){
-        return getEndpoint().getTruststoreProvider();
-    }
-
-    public void setTruststoreAlgorithm(String a){
-        getEndpoint().setTruststoreAlgorithm(a);
-    }
-    public String getTruststoreAlgorithm(){
-        return getEndpoint().getTruststoreAlgorithm();
-    }
-
     public void setSessionCacheSize(String s){getEndpoint().setSessionCacheSize(s);}
     public String getSessionCacheSize(){ return getEndpoint().getSessionCacheSize();}
 

diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
@@ -476,6 +476,35 @@ public void setKeyAlias(String certificateKeyAlias) {
         defaultSSLHostConfig.setCertificateKeyAlias(certificateKeyAlias);
     }
 
+    public void setTruststoreAlgorithm(String truststoreAlgorithm){
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setTruststoreAlgorithm(truststoreAlgorithm);
+    }
+
+
+    public void setTruststoreFile(String truststoreFile){
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setTruststoreFile(truststoreFile);
+    }
+
+
+    public void setTruststorePass(String truststorePassword){
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setTruststorePassword(truststorePassword);
+    }
+
+
+    public void setTruststoreType(String truststoreType){
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setTruststoreType(truststoreType);
+    }
+
+
+    public void setTruststoreProvider(String truststoreProvider){
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setTruststoreProvider(truststoreProvider);
+    }
+
 
     // ------------------------------------------------------------- Common code
 

diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -16,7 +16,6 @@
  */
 package org.apache.tomcat.util.net;
 
-import java.io.File;
 import java.io.OutputStreamWriter;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
@@ -890,24 +889,6 @@ public final void destroy() throws Exception {
     }
 
 
-    private String adjustRelativePath(String path, String relativeTo) {
-        // Empty or null path can't point to anything useful. The assumption is
-        // that the value is deliberately empty / null so leave it that way.
-        if (path == null || path.length() == 0) {
-            return path;
-        }
-        String newPath = path;
-        File f = new File(newPath);
-        if ( !f.isAbsolute()) {
-            newPath = relativeTo + File.separator + newPath;
-            f = new File(newPath);
-        }
-        if (!f.exists()) {
-            getLog().warn("configured file:["+newPath+"] does not exist.");
-        }
-        return newPath;
-    }
-
     protected abstract Log getLog();
 
     protected LimitLatch initializeConnectionLatch() {
@@ -986,45 +967,6 @@ public void setSslImplementationName(String s) {
     public String getSslProtocol() { return sslProtocol;}
     public void setSslProtocol(String s) { sslProtocol = s;}
 
-    private String truststoreFile = System.getProperty("javax.net.ssl.trustStore");
-    public String getTruststoreFile() {return truststoreFile;}
-    public void setTruststoreFile(String s) {
-        truststoreFile = adjustRelativePath(s,
-                System.getProperty(Constants.CATALINA_BASE_PROP));
-    }
-
-    private String truststorePass =
-        System.getProperty("javax.net.ssl.trustStorePassword");
-    public String getTruststorePass() {return truststorePass;}
-    public void setTruststorePass(String truststorePass) {
-        this.truststorePass = truststorePass;
-    }
-
-    private String truststoreType =
-        System.getProperty("javax.net.ssl.trustStoreType");
-    public String getTruststoreType() {return truststoreType;}
-    public void setTruststoreType(String truststoreType) {
-        this.truststoreType = truststoreType;
-    }
-
-    private String truststoreProvider = null;
-    public String getTruststoreProvider() {return truststoreProvider;}
-    public void setTruststoreProvider(String truststoreProvider) {
-        this.truststoreProvider = truststoreProvider;
-    }
-
-    private String truststoreAlgorithm = null;
-    public String getTruststoreAlgorithm() {return truststoreAlgorithm;}
-    public void setTruststoreAlgorithm(String truststoreAlgorithm) {
-        this.truststoreAlgorithm = truststoreAlgorithm;
-    }
-
-    private String trustManagerClassName = null;
-    public String getTrustManagerClassName() {return trustManagerClassName;}
-    public void setTrustManagerClassName(String trustManagerClassName) {
-        this.trustManagerClassName = trustManagerClassName;
-    }
-
     private String sessionCacheSize = null;
     public String getSessionCacheSize() { return sessionCacheSize;}
     public void setSessionCacheSize(String s) { sessionCacheSize = s;}

diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -16,18 +16,23 @@
  */
 package org.apache.tomcat.util.net;
 
+import java.io.File;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser;
 import org.apache.tomcat.util.res.StringManager;
 
+/**
+ * Represents the TLS configuration for a virtual host.
+ */
 public class SSLHostConfig {
 
     private static final Log log = LogFactory.getLog(SSLHostConfig.class);
@@ -46,19 +51,26 @@ public class SSLHostConfig {
 
     // Common
     private String certificateKeyPassword = null;
+    private String certificateRevocationListFile;
     private CertificateVerification certificateVerification = CertificateVerification.NONE;
     private int certificateVerificationDepth = 10;
     private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
     private boolean honorCipherOrder = false;
     private Set<String> protocols = new HashSet<>();
-    private String certificateRevocationListFile;
     // JSSE
     private String certificateKeyAlias;
     private String certificateKeystorePassword = "changeit";
     private String certificateKeystoreFile = System.getProperty("user.home")+"/.keystore";
-    private String certificateKeystoreProvider;
-    private String certificateKeystoreType = "JKS";
+    private String certificateKeystoreProvider = System.getProperty("javax.net.ssl.keyStoreProvider");
+    private String certificateKeystoreType = System.getProperty("javax.net.ssl.keyStoreType");
     private String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
+    private String trustManagerClassName;
+    private String truststoreAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
+    private String truststoreFile = System.getProperty("javax.net.ssl.trustStore");
+    private String truststorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
+    private String truststoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider");
+    private String truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
+
     // OpenSSL
     private String certificateFile;
     private String certificateKeyFile;
@@ -67,6 +79,10 @@ public class SSLHostConfig {
     public SSLHostConfig() {
         // Set defaults that can't be (easily) set when defining the fields.
         setProtocols("all");
+        // Configure fall-back defaults if system property is not set.
+        if (certificateKeystoreType == null) {
+            certificateKeystoreType = "JKS";
+        }
     }
 
 
@@ -122,7 +138,7 @@ public String getCertificateKeyPassword() {
 
 
     public void setCertificateRevocationListFile(String certificateRevocationListFile) {
-        this.certificateRevocationListFile = certificateRevocationListFile;
+        this.certificateRevocationListFile = adjustRelativePath(certificateRevocationListFile);
     }
 
 
@@ -246,7 +262,7 @@ public String getCertificateKeyAlias() {
 
     public void setCertificateKeystoreFile(String certificateKeystoreFile) {
         setProperty("certificateKeystoreFile", Type.JSSE);
-        this.certificateKeystoreFile = certificateKeystoreFile;
+        this.certificateKeystoreFile = adjustRelativePath(certificateKeystoreFile);
     }
 
 
@@ -299,11 +315,85 @@ public String getKeyManagerAlgorithm() {
     }
 
 
+    public void setTrustManagerClassName(String trustManagerClassName) {
+        setProperty("trustManagerClassName", Type.JSSE);
+        this.trustManagerClassName = trustManagerClassName;
+    }
+
+
+    public String getTrustManagerClassName() {
+        return trustManagerClassName;
+    }
+
+
+    public void setTruststoreAlgorithm(String truststoreAlgorithm) {
+        setProperty("truststoreAlgorithm", Type.JSSE);
+        this.truststoreAlgorithm = truststoreAlgorithm;
+    }
+
+
+    public String getTruststoreAlgorithm() {
+        return truststoreAlgorithm;
+    }
+
+
+    public void setTruststoreFile(String truststoreFile) {
+        setProperty("truststoreFile", Type.JSSE);
+        this.truststoreFile = adjustRelativePath(truststoreFile);
+    }
+
+
+    public String getTruststoreFile() {
+        return truststoreFile;
+    }
+
+
+    public void setTruststorePassword(String truststorePassword) {
+        setProperty("truststorePassword", Type.JSSE);
+        this.truststorePassword = truststorePassword;
+    }
+
+
+    public String getTruststorePassword() {
+        return truststorePassword;
+    }
+
+
+    public void setTruststoreProvider(String truststoreProvider) {
+        setProperty("truststoreProvider", Type.JSSE);
+        this.truststoreProvider = truststoreProvider;
+    }
+
+
+    public String getTruststoreProvider() {
+        if (truststoreProvider == null) {
+            return getCertificateKeystoreProvider();
+        } else {
+            return truststoreProvider;
+        }
+    }
+
+
+    public void setTruststoreType(String truststoreType) {
+        setProperty("truststoreType", Type.JSSE);
+        this.truststoreType = truststoreType;
+    }
+
+
+    public String getTruststoreType() {
+        if (truststoreType == null) {
+            return getCertificateKeystoreType();
+        } else {
+            return truststoreType;
+        }
+    }
+
+
     // ------------------------------- OpenSSL specific configuration properties
 
     public void setCertificateFile(String certificateFile) {
         setProperty("certificateFile", Type.OPENSSL);
-        this.certificateFile = certificateFile;
+        this.certificateFile = adjustRelativePath(certificateFile);
     }
 
 
@@ -314,7 +404,7 @@ public String getCertificateFile() {
 
     public void setCertificateKeyFile(String certificateKeyFile) {
         setProperty("certificateKeyFile", Type.OPENSSL);
-        this.certificateKeyFile = certificateKeyFile;
+        this.certificateKeyFile = adjustRelativePath(certificateKeyFile);
     }
 
 
@@ -325,7 +415,7 @@ public String getCertificateKeyFile() {
 
     public void setCertificateRevocationListPath(String certificateRevocationListPath) {
         setProperty("certificateRevocationListPath", Type.OPENSSL);
-        this.certificateRevocationListPath = certificateRevocationListPath;
+        this.certificateRevocationListPath = adjustRelativePath(certificateRevocationListPath);
     }
 
 
@@ -334,6 +424,28 @@ public String getCertificateRevocationListPath() {
     }
 
 
+    // --------------------------------------------------------- Support methods
+
+    private String adjustRelativePath(String path) {
+        // Empty or null path can't point to anything useful. The assumption is
+        // that the value is deliberately empty / null so leave it that way.
+        if (path == null || path.length() == 0) {
+            return path;
+        }
+        String newPath = path;
+        File f = new File(newPath);
+        if ( !f.isAbsolute()) {
+            newPath = System.getProperty(Constants.CATALINA_BASE_PROP) + File.separator + newPath;
+            f = new File(newPath);
+        }
+        if (!f.exists()) {
+            // TODO i18n, sm
+            log.warn("configured file:["+newPath+"] does not exist.");
+        }
+        return newPath;
+    }
+
+
     // ----------------------------------------------------------- Inner classes
 
     public static enum Type {