
JSSE14Support

public class JSSE14Support extends JSSESupport

Fields Summary
private static com.sun.org.apache.commons.logging.Log
logger
Listener
listener
Constructors Summary
/**
 * Wraps an already-created {@link SSLSocket} and registers this instance's
 * handshake listener on it. The listener is what {@code synchronousHandshake}
 * polls for completion, so it is attached at construction time rather than
 * immediately before the handshake.
 *
 * @param sock the SSL socket to wrap; handed to the superclass constructor
 */
public JSSE14Support(SSLSocket sock) {
    super(sock);
    // Register before any handshake can be started on this socket.
    sock.addHandshakeCompletedListener(this.listener);
}
/**
 * Engine-based variant: delegates to the superclass only. No handshake
 * listener is registered here because there is no socket to attach one to.
 *
 * @param sslEngine the engine to wrap
 */
public JSSE14Support(SSLEngine sslEngine) {
    super(sslEngine);
}
Methods Summary
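/**
 * Returns the peer's certificate chain as {@link X509Certificate}s, or
 * {@code null} if it cannot be obtained or converted.
 * <p>
 * The chain is exactly what the session reports via
 * {@link SSLSession#getPeerCertificates()}; this method performs no
 * validation of its own, so any trust decision is expected to have been made
 * already by the trust manager configured on the socket/engine. (Original
 * note: XXX We should allow unverified certificates.)
 * <p>
 * Failure mode is fail-closed: if any certificate in the chain cannot be
 * converted to X.509 the whole result is {@code null}, never a partial chain.
 *
 * @param session the SSL session whose peer chain is requested
 * @return the chain in the order reported by the session, or {@code null}
 *         when the session has no verified peer chain or it is empty
 */
protected X509Certificate[] getX509Certificates(SSLSession session) {
    Certificate[] certs;
    try {
        certs = session.getPeerCertificates();
    } catch (Exception e) {
        // Typically SSLPeerUnverifiedException (no client certificate was
        // presented or the chain was not verified). Narrower than the previous
        // catch (Throwable): JVM errors such as OutOfMemoryError must propagate
        // rather than being reported as "no certificate".
        logger.debug("Error getting client certs", e);
        return null;
    }
    // Check emptiness before allocating the result array.
    if (certs == null || certs.length == 0) {
        return null;
    }

    X509Certificate[] x509Certs = new X509Certificate[certs.length];
    for (int i = 0; i < certs.length; i++) {
        if (certs[i] instanceof X509Certificate) {
            // always currently true with the JSSE 1.1.x
            x509Certs[i] = (X509Certificate) certs[i];
        } else {
            // Re-parse through the X.509 factory so a provider-specific
            // Certificate subtype is normalised to X509Certificate.
            try {
                byte[] encoded = certs[i].getEncoded();
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                x509Certs[i] = (X509Certificate)
                    cf.generateCertificate(new ByteArrayInputStream(encoded));
            } catch (Exception ex) {
                // Peer-supplied content (the certificate's toString) ends up in
                // this log line; kept at INFO as before. The whole chain is
                // rejected, not just this element.
                logger.info("Error translating cert " + certs[i], ex);
                return null;
            }
        }
        if (logger.isTraceEnabled()) {
            logger.trace("Cert #" + i + " = " + x509Certs[i]);
        }
    }
    return x509Certs;
}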
/**
 * Forces a client-certificate handshake on the wrapped socket.
 * <p>
 * {@code setNeedClientAuth(true)} makes the client certificate mandatory (a
 * peer that presents none fails the handshake), as opposed to
 * {@code setWantClientAuth}, which would only request one. The handshake is
 * then driven synchronously because JDK 1.4 JSSE only surfaces the client
 * certificate after a read; see {@code synchronousHandshake}.
 * <p>
 * NOTE(review): {@code ssl} is inherited from the superclass and not visible
 * here. For instances built with the {@link SSLEngine} constructor it is
 * presumably unset, so this method is assumed to be socket-only — confirm.
 * If the connection has already carried application data, this is a
 * renegotiation on an established connection — confirm that is intended at
 * the call site.
 *
 * @throws IOException if the handshake fails or does not complete in time
 */
protected void handShake() throws IOException {
    ssl.setNeedClientAuth(true);
    synchronousHandshake(ssl);
}
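/**
 * Drives a handshake to completion and waits for the client certificate.
 * <p>
 * JSSE in JDK 1.4 has an issue/feature that requires us to do a read() to
 * get the client-cert. As suggested by Andreas Sterbenz. The socket is put on
 * a 1-second read timeout and polled up to {@code maxTries} times, so a peer
 * that never completes the handshake can hold this thread for up to roughly
 * one minute before a {@link SocketException} is thrown; thread-pool sizing
 * should budget for that.
 * <p>
 * The previous read timeout is restored in a {@code finally} block, so an
 * {@link SSLException} raised mid-handshake (or by {@code startHandshake()}
 * itself) no longer leaves the socket with the temporary 1-second timeout.
 *
 * @param socket the connected SSL socket to handshake on
 * @throws SSLException if the handshake itself fails (logged, then rethrown)
 * @throws SocketException if the listener never reports completion
 * @throws IOException from the timeout getter/setter or the input stream
 */
private void synchronousHandshake(SSLSocket socket) throws IOException {
    InputStream in = socket.getInputStream();
    int oldTimeout = socket.getSoTimeout();
    socket.setSoTimeout(1000);
    try {
        byte[] b = new byte[0];
        // reset() must precede startHandshake() so a completion that fires
        // immediately is not wiped out.
        listener.reset();
        socket.startHandshake();
        int maxTries = 60; // 60 * 1000 = example 1 minute time out
        for (int i = 0; i < maxTries; i++) {
            if (logger.isTraceEnabled()) {
                logger.trace("Reading for try #" + i);
            }
            try {
                // Zero-length read: meant only to pump the handshake, never to
                // consume application data. NOTE(review): whether a 0-byte read
                // blocks up to the timeout depends on the JSSE implementation —
                // confirm; otherwise this loop spins instead of waiting.
                in.read(b);
            } catch (SSLException sslex) {
                logger.info("SSL Error getting client Certs", sslex);
                throw sslex;
            } catch (IOException e) {
                // ignore - presumably the timeout. Any other IOException (e.g. a
                // reset) is swallowed too; subsequent reads then presumably fail
                // fast and the loop ends via the maxTries bound.
            }
            if (listener.completed) {
                break;
            }
        }
    } finally {
        socket.setSoTimeout(oldTimeout);
    }
    if (!listener.completed) {
        throw new SocketException("SSL Cert handshake timeout");
    }
}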