Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/10/03 20:27:58 UTC

svn commit: r1811031 - in /tomcat/trunk: java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java java/org/apache/tomcat/util/net/jsse/JSSEUtil.java java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java webapps/docs/changelog.xml

Author: markt
Date: Tue Oct  3 20:27:58 2017
New Revision: 1811031

URL: http://svn.apache.org/viewvc?rev=1811031&view=rev
Log:
Correct a further regression in the fix to enable the use of Java key stores that contained multiple keys that did not all have the same password. This fixes PKCS11 key store handling with multiple keys selected with an alias.

Added:
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java
      - copied unchanged from r1800873, tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java
Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
    tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1811031&r1=1811030&r2=1811031&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Tue Oct  3 20:27:58 2017
@@ -53,6 +53,7 @@ import javax.net.ssl.ManagerFactoryParam
 import javax.net.ssl.SSLSessionContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -258,7 +259,23 @@ public class JSSEUtil extends SSLUtilBas
         KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
         kmf.init(ksUsed, keyPassArray);
 
-        return kmf.getKeyManagers();
+        KeyManager[] kms = kmf.getKeyManagers();
+
+        // Only need to filter keys by alias if there are key managers to filter
+        // and the original key store was used. The in memory key stores only
+        // have a single key so don't need filtering
+        if (kms != null && ksUsed == ks) {
+            String alias = keyAlias;
+            // JKS keystores always convert the alias name to lower case
+            if ("JKS".equals(certificate.getCertificateKeystoreType())) {
+                alias = alias.toLowerCase(Locale.ENGLISH);
+            }
+            for(int i = 0; i < kms.length; i++) {
+                kms[i] = new JSSEKeyManager((X509KeyManager)kms[i], alias);
+            }
+        }
+
+        return kms;
     }
 
 
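Review bot: The unconditional cast `(X509KeyManager)kms[i]` in the wrapping loop will throw ClassCastException if the factory hands back a KeyManager that is not an X509KeyManager, a case the sibling change in OpenSSLContext.chooseKeyManager explicitly guards with instanceof; guard it the same way here, `if (kms[i] instanceof X509KeyManager) { kms[i] = new JSSEKeyManager((X509KeyManager) kms[i], alias); }`. The lower-casing on the `alias` local assumes keyAlias has already been resolved to a non-null value earlier in the method, which lies outside this hunk; a one-line comment stating that precondition would make the dependency visible. The keystore type test `"JKS".equals(certificate.getCertificateKeystoreType())` is case-sensitive whereas KeyStore.getInstance accepts the type name case-insensitively, so a configuration spelling it `jks` would skip the lower-casing and the alias would never match; `equalsIgnoreCase` looks like the safer comparison if that spelling is accepted by the configuration layer. The enclosing method begins before this hunk.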

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1811031&r1=1811030&r2=1811031&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Tue Oct  3 20:27:58 2017
@@ -51,6 +51,7 @@ import org.apache.tomcat.util.net.Consta
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
+import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
 import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -456,6 +457,11 @@ public class OpenSSLContext implements o
 
     private static X509KeyManager chooseKeyManager(KeyManager[] managers) throws Exception {
         for (KeyManager manager : managers) {
+            if (manager instanceof JSSEKeyManager) {
+                return (JSSEKeyManager) manager;
+            }
+        }
+        for (KeyManager manager : managers) {
             if (manager instanceof X509KeyManager) {
                 return (X509KeyManager) manager;
             }
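Review bot: The two-pass search prefers a JSSEKeyManager over any other X509KeyManager, but nothing in the method records why, and a later cleanup could merge the loops and silently drop the alias filtering that JSSEKeyManager provides; add a comment before the first loop such as `// Prefer the JSSEKeyManager wrapper: it restricts selection to the configured key alias; any other X509KeyManager is only a fallback`. The first return could also use the declared return type, `return (X509KeyManager) manager;`, so both loops read alike. chooseKeyManager's body continues past the end of this hunk.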

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1811031&r1=1811030&r2=1811031&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Oct  3 20:27:58 2017
@@ -45,6 +45,16 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.2 (markt)" rtext="in development">
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        <bug>61583</bug>: Correct a further regression in the fix to enable the
+        use of Java key stores that contained multiple keys that did not all
+        have the same password. This fixes PKCS11 key store handling with
+        multiple keys selected with an alias. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Web applications">
     <changelog>
       <fix>


