Merge pull request #16 from TorstenS73/master
[FIXED JENKINS-23665] Parameter to select alias ...
kohsuke committed Sep 17, 2014
2 parents 52e94ad + 81aad8f commit a9cd712
Showing 2 changed files with 28 additions and 6 deletions.
32 changes: 26 additions & 6 deletions src/java/winstone/HttpsConnectorFactory.java
Expand Up @@ -184,10 +184,28 @@ private static PrivateKey readPEMRSAPrivateKey(Reader reader) throws IOException
*/
SslContextFactory getSSLContext(Map args) {
try {
// Check the key manager factory
String privateKeyPassword;

// There are many legacy setups in which the KeyStore password and the
// key password are identical and people will not even be aware that these
// are two different things
// Therefore if no httpsPrivateKeyPassword is explicitely set we try to
// use the KeyStore password also for the key password not to break
// backward compatibility
// Otherwise the following code will completely break the startup of
// Jenkins in case the --httpsPrivateKeyPassword parameter is not set
privateKeyPassword = Option.HTTPS_PRIVATE_KEY_PASSWORD.get(args)!=null ?
Option.HTTPS_PRIVATE_KEY_PASSWORD.get(args) :
Option.HTTPS_KEY_STORE_PASSWORD.get(args);

// Dump the content of the keystore if log level is FULL_DEBUG
// Note: The kmf is instantiated here only to access the keystore,
// the SslContextFactory will instantiate its own KeyManager
KeyManagerFactory kmf = KeyManagerFactory.getInstance(Option.HTTPS_KEY_MANAGER_TYPE.get(args));

kmf.init(keystore, password);
// In case the KeyStore password and the KeyPassword are not the same,
// the KeyManagerFactory needs the KeyPassword because it will access the individual key(s)
kmf.init(keystore, privateKeyPassword.toCharArray());
Logger.log(Logger.FULL_DEBUG, SSL_RESOURCES,
"HttpsListener.KeyCount", keystore.size() + "");
for (Enumeration e = keystore.aliases(); e.hasMoreElements();) {
Expand All @@ -197,12 +215,14 @@ SslContextFactory getSSLContext(Map args) {
keystore.getCertificate(alias) + "");
}

SSLContext context = SSLContext.getInstance("SSL");
context.init(kmf.getKeyManagers(), null, null);

SslContextFactory ssl = new SslContextFactory();
ssl.setSslContext(context);

ssl.setKeyStore(keystore);
ssl.setKeyStorePassword(Option.HTTPS_KEY_STORE_PASSWORD.get(args));
ssl.setKeyManagerPassword(privateKeyPassword);
ssl.setSslKeyManagerFactoryAlgorithm(Option.HTTPS_KEY_MANAGER_TYPE.get(args));
ssl.setCertAlias(Option.HTTPS_CERTIFICATE_ALIAS.get(args));

/**
* If true, request the client certificate ala "SSLVerifyClient require" Apache directive.
* If false, which is the default, don't do so.
Expand Down
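Review bot: The fallback on the `privateKeyPassword` assignment still dereferences null when neither --httpsPrivateKeyPassword nor --httpsKeyStorePassword is given: `Option.HTTPS_KEY_STORE_PASSWORD.get(args)` can return null, and `privateKeyPassword.toCharArray()` in the new `kmf.init` call then throws a NullPointerException, which is exactly the startup failure the preceding comment says the fallback is meant to avoid. The option is also read twice in the ternary; reading it once makes the intent clearer: `String kp = Option.HTTPS_PRIVATE_KEY_PASSWORD.get(args);`, `privateKeyPassword = kp != null ? kp : Option.HTTPS_KEY_STORE_PASSWORD.get(args);`, `kmf.init(keystore, privateKeyPassword != null ? privateKeyPassword.toCharArray() : null);`. Whether a null key password is acceptable to the configured KeyManagerFactory depends on the algorithm and keystore type, so if it is not, an explicit check with a clear error message naming the missing option would be preferable to the NPE. The body of getSSLContext continues outside both hunks, so the later use of `ssl` is not visible here.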
2 changes: 2 additions & 0 deletions src/java/winstone/cmdline/Option.java
Expand Up @@ -67,9 +67,11 @@ public static List<Option<?>> all(Class<?> clazz) {
public static final OInt HTTPS_KEEP_ALIVE_TIMEOUT=integer("https" + _KEEP_ALIVE_TIMEOUT, _KEEP_ALIVE_TIMEOUT.defaultValue);
public static final OFile HTTPS_KEY_STORE=file("httpsKeyStore");
public static final OString HTTPS_KEY_STORE_PASSWORD=string("httpsKeyStorePassword");
public static final OString HTTPS_PRIVATE_KEY_PASSWORD=string("httpsPrivateKeyPassword");
public static final OString HTTPS_KEY_MANAGER_TYPE=string("httpsKeyManagerType","SunX509");
public static final OBoolean HTTPS_VERIFY_CLIENT=bool("httpsVerifyClient",false);
public static final OFile HTTPS_CERTIFICATE=file("httpsCertificate");
public static final OString HTTPS_CERTIFICATE_ALIAS=string("httpsCertificateAlias");
public static final OFile HTTPS_PRIVATE_KEY=file("httpsPrivateKey");
public static final OBoolean HTTPS_SPDY=bool("spdy",false);

Expand Down
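Review bot: The new `HTTPS_PRIVATE_KEY_PASSWORD` constant carries no comment describing how it relates to `HTTPS_KEY_STORE_PASSWORD`, although the other file in this commit makes it default to the keystore password when unset. A one-line comment above the declaration, `// Password for the private key; when unset, the keystore password is used (see HttpsConnectorFactory)`, would keep that contract discoverable from the option list itself. The same applies to `HTTPS_CERTIFICATE_ALIAS`, whose purpose (selecting which keystore entry the listener presents) is only stated in the commit title.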
