Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/10/03 20:27:58 UTC
svn commit: r1811031 - in /tomcat/trunk:
java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java
java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
webapps/docs/changelog.xml
Author: markt
Date: Tue Oct 3 20:27:58 2017
New Revision: 1811031
URL: http://svn.apache.org/viewvc?rev=1811031&view=rev
Log:
Correct a further regression in the fix to enable the use of Java key stores that contained multiple keys that did not all have the same password. This fixes PKCS11 key store handling with multiple keys selected with an alias.
Added:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java
- copied unchanged from r1800873, tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEKeyManager.java
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1811031&r1=1811030&r2=1811031&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Tue Oct 3 20:27:58 2017
@@ -53,6 +53,7 @@ import javax.net.ssl.ManagerFactoryParam
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -258,7 +259,23 @@ public class JSSEUtil extends SSLUtilBas
KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
kmf.init(ksUsed, keyPassArray);
- return kmf.getKeyManagers();
+ KeyManager[] kms = kmf.getKeyManagers();
+
+ // Only need to filter keys by alias if there are key managers to filter
+ // and the original key store was used. The in memory key stores only
+ // have a single key so don't need filtering
+ if (kms != null && ksUsed == ks) {
+ String alias = keyAlias;
+ // JKS keystores always convert the alias name to lower case
+ if ("JKS".equals(certificate.getCertificateKeystoreType())) {
+ alias = alias.toLowerCase(Locale.ENGLISH);
+ }
+ for(int i = 0; i < kms.length; i++) {
+ kms[i] = new JSSEKeyManager((X509KeyManager)kms[i], alias);
+ }
+ }
+
+ return kms;
}
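Review bot: The cast in `kms[i] = new JSSEKeyManager((X509KeyManager)kms[i], alias);` is unguarded, so any KeyManager the factory returns that is not an X509KeyManager will abort connector start with a ClassCastException; chooseKeyManager in OpenSSLContext tests `instanceof X509KeyManager` before casting, and the same guard belongs here, e.g. `if (kms[i] instanceof X509KeyManager) { kms[i] = new JSSEKeyManager((X509KeyManager) kms[i], alias); }`. It is also not visible in this hunk whether keyAlias may be null; if it can, `alias.toLowerCase(Locale.ENGLISH)` throws for JKS stores, so either a null check on that branch or a comment stating the non-null precondition would help the next reader. The enclosing method starts before this hunk.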
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1811031&r1=1811030&r2=1811031&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Tue Oct 3 20:27:58 2017
@@ -51,6 +51,7 @@ import org.apache.tomcat.util.net.Consta
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
+import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.res.StringManager;
@@ -456,6 +457,11 @@ public class OpenSSLContext implements o
private static X509KeyManager chooseKeyManager(KeyManager[] managers) throws Exception {
for (KeyManager manager : managers) {
+ if (manager instanceof JSSEKeyManager) {
+ return (JSSEKeyManager) manager;
+ }
+ }
+ for (KeyManager manager : managers) {
if (manager instanceof X509KeyManager) {
return (X509KeyManager) manager;
}
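Review bot: The preference for JSSEKeyManager in the first loop of chooseKeyManager is undocumented, so a reader sees two near-identical loops and cannot tell why the wrapper wins over a plain X509KeyManager. Since the wrapper is what carries the configured key alias (JSSEUtil now constructs it with `alias`), a comment above the first loop such as `// Prefer the alias-aware wrapper so the configured key alias, not the first key found, is used` would make the ordering intentional. The return could also be written `return (X509KeyManager) manager;` to match the second loop; the result is the same since the existing cast compiles only because JSSEKeyManager is an X509KeyManager. The rest of the method and its closing brace lie outside this hunk.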
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1811031&r1=1811030&r2=1811031&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Oct 3 20:27:58 2017
@@ -45,6 +45,16 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 9.0.2 (markt)" rtext="in development">
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ <bug>61583</bug>: Correct a further regression in the fix to enable the
+ use of Java key stores that contained multiple keys that did not all
+ have the same password. This fixes PKCS11 key store handling with
+ multiple keys selected with an alias. (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Web applications">
<changelog>
<fix>