Import Tomcat JSS project
To simplify package maintenance, the code from the Tomcat JSS master
branch has been imported into the tomcat and tomcat-9.0 modules, which
will be distributed as the jss-tomcat RPM package.

Later PKI will need to be updated to depend on jss-tomcat instead
of tomcatjss, then tomcatjss can be deprecated.
edewata committed Aug 1, 2023
1 parent 14754b4 commit b0052eb
Showing 14 changed files with 1,481 additions and 12 deletions.
6 changes: 6 additions & 0 deletions .classpath
Expand Up @@ -4,6 +4,8 @@
<classpathentry kind="src" path="base/src/test/java"/>
<classpathentry kind="src" path="base/src/broken_test/java"/>
<classpathentry kind="src" path="examples/src/main/java"/>
<classpathentry kind="src" path="tomcat/src/main/java"/>
<classpathentry kind="src" path="tomcat-9.0/src/main/java"/>
<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER">
<attributes>
<attribute name="module" value="true"/>
Expand All @@ -12,6 +14,10 @@
<classpathentry kind="lib" path="/usr/share/java/slf4j/slf4j-api.jar"/>
<classpathentry kind="lib" path="/usr/share/java/slf4j/slf4j-simple.jar"/>
<classpathentry kind="lib" path="/usr/share/java/apache-commons-lang3.jar"/>
<classpathentry kind="lib" path="/usr/share/java/tomcat/catalina.jar"/>
<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-coyote.jar"/>
<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-juli.jar"/>
<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
<classpathentry kind="lib" path="/usr/share/java/opentest4j/opentest4j.jar"/>
<classpathentry kind="lib" path="/usr/share/java/junit5/junit-platform-testkit.jar"/>
<classpathentry kind="lib" path="/usr/share/java/junit5/junit-platform-suite-commons.jar"/>
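--- a/docs/changes/v5.5.0/Packaging-Changes.adoc
+++ b/docs/changes/v5.5.0/Packaging-Changes.adoc
@@ -0,0 +1,10 @@
+= Packaging Changes =
+
+== New jss-tomcat RPM package ==
+
+A new `jss-tomcat` RPM package has been added to provide a JSS Connector for Tomcat.
+This package will replace Tomcat JSS with the following changes:
+
+* All classes are moved into `org.dogtagpki.jss.tomcat` package.
+* Generic Tomcat classes are packaged into `jss-tomcat.jar`.
+* Tomcat 9.0 classes are packaged into `jss-tomcat-9.0.jar`.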
50 changes: 38 additions & 12 deletions jss.spec
Expand Up @@ -127,6 +127,24 @@ Java Security Services (JSS) is a java native interface which provides a bridge
for java-based applications to use native Network Security Services (NSS).
This only works with gcj. Other JREs require that JCE providers be signed.

################################################################################
%package -n %{product_id}-tomcat
################################################################################

Summary: Java Security Services (JSS) Connector for Tomcat

# Tomcat
BuildRequires: mvn(org.apache.tomcat:tomcat-catalina)
BuildRequires: mvn(org.apache.tomcat:tomcat-coyote)
BuildRequires: mvn(org.apache.tomcat:tomcat-juli)

Requires: %{product_id} = %{version}-%{release}

%description -n %{product_id}-tomcat
JSS Connector for Tomcat is a Java Secure Socket Extension (JSSE)
module for Apache Tomcat that uses Java Security Services (JSS),
a Java interface to Network Security Services (NSS).

%if %{with javadoc}
################################################################################
%package -n %{product_id}-javadoc
Expand All @@ -149,6 +167,20 @@ This package contains the API documentation for JSS.

%autosetup -n jss-%{version}%{?phase:-}%{?phase} -p 1

# disable native modules since they will be built by CMake
%pom_disable_module native
%pom_disable_module symkey

# do not ship examples
%pom_disable_module examples

# flatten-maven-plugin is not available in RPM
%pom_remove_plugin org.codehaus.mojo:flatten-maven-plugin

# assign Maven artifacts to RPM packages
%mvn_package org.dogtagpki.jss:jss-parent jss-base
%mvn_package org.dogtagpki.jss:jss-tomcat-9.0 jss-tomcat

################################################################################
%build
################################################################################
Expand All @@ -169,18 +201,8 @@ export CFLAGS
# Check if we're in FIPS mode
modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1

# disable native modules since they will be built by CMake
%pom_disable_module native
%pom_disable_module symkey

# do not ship examples
%pom_disable_module examples

# flatten-maven-plugin is not available in RPM
%pom_remove_plugin org.codehaus.mojo:flatten-maven-plugin

# build Java code, run Java tests, and build Javadoc with Maven
%mvn_build %{!?with_tests:-f} %{!?with_javadoc:-j}
%mvn_build -s %{!?with_tests:-f} %{!?with_javadoc:-j}

# create links to Maven-built classes for CMake
mkdir -p %{_vpath_builddir}/classes/jss
Expand Down Expand Up @@ -255,7 +277,7 @@ ln -sf ../../..%{_javadir}/jss/jss.jar %{buildroot}%{_libdir}/jss/jss.jar
install

################################################################################
%files -n %{product_id} -f .mfiles
%files -n %{product_id} -f .mfiles-jss-base
################################################################################

%doc jss.html
Expand All @@ -266,6 +288,10 @@ ln -sf ../../..%{_javadir}/jss/jss.jar %{buildroot}%{_libdir}/jss/jss.jar
%{_libdir}/jss/libjss.so
%{_libdir}/jss/libjss-symkey.so

################################################################################
%files -n %{product_id}-tomcat -f .mfiles-jss-tomcat
################################################################################

%if %{with javadoc}
################################################################################
%files -n %{product_id}-javadoc -f .mfiles-javadoc
2 changes: 2 additions & 0 deletions pom.xml
Expand Up @@ -23,6 +23,8 @@
<module>native</module>
<module>symkey</module>
<module>examples</module>
<module>tomcat</module>
<module>tomcat-9.0</module>
</modules>

<build>
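--- a/tomcat-9.0/pom.xml
+++ b/tomcat-9.0/pom.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+<modelVersion>4.0.0</modelVersion>
+
+<parent>
+<groupId>org.dogtagpki.jss</groupId>
+<artifactId>jss-parent</artifactId>
+<version>5.5.0-SNAPSHOT</version>
+</parent>
+
+<artifactId>jss-tomcat-9.0</artifactId>
+<packaging>jar</packaging>
+
+<dependencies>
+
+<dependency>
+<groupId>org.apache.tomcat</groupId>
+<artifactId>tomcat-juli</artifactId>
+<version>9.0.50</version>
+</dependency>
+
+<dependency>
+<groupId>${project.groupId}</groupId>
+<artifactId>jss-base</artifactId>
+<version>${project.version}</version>
+</dependency>
+
+<dependency>
+<groupId>${project.groupId}</groupId>
+<artifactId>jss-tomcat</artifactId>
+<version>${project.version}</version>
+</dependency>
+
+</dependencies>
+
+<build>
+<plugins>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-compiler-plugin</artifactId>
+<version>3.8.1</version>
+<configuration>
+<release>17</release>
+</configuration>
+</plugin>
+</plugins>
+<finalName>jss-tomcat-9.0</finalName>
+</build>
+
+</project>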
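Review bot: The tomcat-juli dependency is the only hard-coded version in this POM (`<version>9.0.50</version>`); the sibling dependencies use `${project.version}`, and the spec's BuildRequires resolve whatever Tomcat 9.0 the distribution ships, so the Maven build and the RPM build can compile against different tomcat-juli releases. A property defined once in jss-parent and referenced as `<version>${tomcat.version}</version>` would keep the tomcat and tomcat-9.0 modules on a single Tomcat version. I cannot see tomcat/pom.xml in this commit view, so whether such a property already exists there is unknown.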
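--- a/tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSContext.java
+++ b/tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSContext.java
@@ -0,0 +1,123 @@
+package org.dogtagpki.jss.tomcat;
+
+import java.security.KeyManagementException;
+import java.security.SecureRandom;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.mozilla.jss.JSSProvider;
+import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;
+import org.mozilla.jss.provider.javax.crypto.JSSTrustManager;
+import org.mozilla.jss.ssl.javax.JSSEngine;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class JSSContext implements org.apache.tomcat.util.net.SSLContext {
+public static Logger logger = LoggerFactory.getLogger(JSSContext.class);
+
+private javax.net.ssl.SSLContext ctx;
+private String alias;
+
+private JSSKeyManager jkm;
+private JSSTrustManager jtm;
+
+public JSSContext(String alias) {
+logger.debug("JSSContext(" + alias + ")");
+this.alias = alias;
+
+/* These KeyManagers and TrustManagers aren't used with the SSLEngine;
+* they're only used to implement certain function calls below. */
+try {
+KeyManagerFactory kmf = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS");
+jkm = (JSSKeyManager) kmf.getKeyManagers()[0];
+
+TrustManagerFactory tmf = TrustManagerFactory.getInstance("NssX509", "Mozilla-JSS");
+jtm = (JSSTrustManager) tmf.getTrustManagers()[0];
+} catch (Exception e) {
+throw new RuntimeException(e.getMessage(), e);
+}
+}
+
+@Override
+public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws KeyManagementException {
+logger.debug("JSSContext.init(...)");
+
+try {
+String provider = "SunJSSE";
+if (JSSProvider.ENABLE_JSSENGINE) {
+provider = "Mozilla-JSS";
+}
+
+ctx = javax.net.ssl.SSLContext.getInstance("TLS", provider);
+ctx.init(kms, tms, sr);
+} catch (Exception e) {
+throw new KeyManagementException(e.getMessage(), e);
+}
+}
+
+@Override
+public javax.net.ssl.SSLEngine createSSLEngine() {
+logger.debug("JSSContext.createSSLEngine()");
+javax.net.ssl.SSLEngine eng = ctx.createSSLEngine();
+
+TomcatJSS instance = TomcatJSS.getInstance();
+
+if (eng instanceof JSSEngine) {
+JSSEngine j_eng = (JSSEngine) eng;
+j_eng.setCertFromAlias(alias);
+if(instance != null) {
+j_eng.setListeners(instance.getSocketListeners());
+}
+}
+
+return eng;
+}
+
+@Override
+public javax.net.ssl.SSLSessionContext getServerSessionContext() {
+logger.debug("JSSContext.getServerSessionContext()");
+return ctx.getServerSessionContext();
+}
+
+@Override
+public javax.net.ssl.SSLServerSocketFactory getServerSocketFactory() {
+logger.debug("JSSContext.getServerSocketFactory()");
+return ctx.getServerSocketFactory();
+}
+
+@Override
+public javax.net.ssl.SSLParameters getSupportedSSLParameters() {
+logger.debug("JSSContext.getSupportedSSLParameters()");
+return ctx.getSupportedSSLParameters();
+}
+
+@Override
+public java.security.cert.X509Certificate[] getCertificateChain(java.lang.String alias) {
+logger.debug("JSSContext.getCertificateChain(" + alias + ")");
+
+try {
+return jkm.getCertificateChain(alias);
+} catch (Exception e) {
+throw new RuntimeException(e.getMessage(), e);
+}
+}
+
+@Override
+public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+logger.debug("JSSContext.getAcceptedIssuers()");
+
+try {
+return jtm.getAcceptedIssuers();
+} catch (Exception e) {
+throw new RuntimeException(e.getMessage(), e);
+}
+}
+
+@Override
+public void destroy() {
+logger.debug("JSSContext.destroy()");
+}
+}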
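Review bot: When `JSSProvider.ENABLE_JSSENGINE` is false, init() silently selects the `"SunJSSE"` provider, and because createSSLEngine() only calls `j_eng.setCertFromAlias(alias)` inside the `eng instanceof JSSEngine` branch, the alias given to the constructor is never applied on that path; whether the key managers passed to `ctx.init(kms, tms, sr)` pick the same certificate is not visible in this file. An operator-visible record of which TLS stack is actually serving the connector would help here, e.g. `logger.warn("JSSContext: JSSEngine disabled, using SunJSSE; alias {} is not applied by createSSLEngine()", alias);` in the branch before `ctx = javax.net.ssl.SSLContext.getInstance("TLS", provider);`. Separately, the class's first field `public static Logger logger` is a non-final public static that any class can reassign; the sibling JSSImplementation in this commit declares its logger `public static final`, so `public static final Logger logger = LoggerFactory.getLogger(JSSContext.class);` would at least match that convention. The class has no Javadoc; a one-sentence summary saying it adapts a javax.net.ssl.SSLContext to Tomcat's org.apache.tomcat.util.net.SSLContext, and that init() must run before the accessors that dereference `ctx`, would let a maintainer read it straight through.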
@@ -0,0 +1,66 @@
/* BEGIN COPYRIGHT BLOCK
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* Copyright (C) 2007 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */

package org.dogtagpki.jss.tomcat;

import javax.net.ssl.SSLSession;

import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SSLSupport;
import org.apache.tomcat.util.net.SSLUtil;
import org.apache.tomcat.util.net.jsse.JSSESupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class JSSImplementation extends SSLImplementation {

public static final Logger logger = LoggerFactory.getLogger(JSSImplementation.class);

public JSSImplementation() {
logger.debug("JSSImplementation: instance created");
}

@Override
public SSLSupport getSSLSupport(SSLSession session) {
logger.debug("JSSImplementation.getSSLSupport()");
return new JSSESupport(session, null);
}

@Override
public SSLUtil getSSLUtil(SSLHostConfigCertificate cert) {
logger.debug("JSSImplementation: getSSLUtil()");
logger.debug("JSSImplementation: key alias: {}", cert.getCertificateKeyAlias());
logger.debug("JSSImplementation: keystore provider: {}", cert.getCertificateKeystoreProvider());

SSLHostConfig hostConfig = cert.getSSLHostConfig();
logger.debug("JSSImplementation: key manager alg: {}", hostConfig.getKeyManagerAlgorithm());
logger.debug("JSSImplementation: truststore alg: {}", hostConfig.getTruststoreAlgorithm());
logger.debug("JSSImplementation: truststore provider: {}", hostConfig.getTruststoreProvider());

return new JSSUtil(cert);
}

@Override
public boolean isAlpnSupported() {
// NSS supports ALPN but JSS doesn't yet support ALPN.
return false;
}
}
