Posted to dev@tomcat.apache.org by Doug Barnes <cm...@io.com> on 2001/04/19 19:27:34 UTC

[PATCH] Bug #1400:

The keystore file format allows (and keytool encourages) multiple keys in a
keystore file, with each key encrypted with a different password. It should
be
possible to specify an SSLServerSocketFactory that deals with a keystore
file
that has these properties (currently, it just uses the first key in the file
no matter what.)

This patch adds support for multiple keys in a single keystore, each encrypted
separately, by adding the parameters keyAlias and keyPass. In addition, I've
changed the example server.xml to show the new parameters.

If there's only one key, it ignores keyAlias; if keyPass doesn't work, it
tries keystorePass.

This addresses my personal confusion with trying to get this to work with an
existing keystore. It appears to work.

Cheers,

D


Index: SSLServerSocketFactory.java
===================================================================
RCS file:
/home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/ne
t/SSLServerSocketFactory.java,v
retrieving revision 1.3
diff -u -r1.3 SSLServerSocketFactory.java
--- SSLServerSocketFactory.java	2000/11/08 01:18:54	1.3
+++ SSLServerSocketFactory.java	2001/04/19 17:08:16
@@ -61,6 +61,7 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.util.Enumeration;
 import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.security.KeyStore;
@@ -95,6 +96,10 @@
  *     loaded. ["./keystore" in the user home directory]</li>
  * <li><strong>keystorePass</strong> - Password for the Key Store file to
be
  *     loaded. ["changeit"]</li>
+ * <li><strong>keyAlias</strong> - Alias for the key to use in Key Store
+ *     file (if multiple keys). ["tomcat"]</li>
+ * <li><strong>keyPass</strong> - Password for the Key to be
+ *     loaded. ["changeit"]</li>
  * <li><strong>keystoreType</strong> - Type of the Key Store file to be
  *     loaded. ["JKS"]</li>
  * <li><strong>protocol</strong> - SSL protocol to use. [TLS]</li>
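Review bot: The class-level Javadoc entry for `keyPass` states only a default and not the fallback the patch implements, so an administrator reading this list cannot tell that a wrong keyPass is silently retried with keystorePass. Suggest `<li><strong>keyPass</strong> - Password for the selected key; if it does not unlock the key, keystorePass is tried. ["changeit"]</li>`, and for `keyAlias` add that the alias is ignored when the key store holds a single entry. The same Javadoc hunk is repeated in the second copy of this diff below.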
@@ -211,9 +216,37 @@
     }


+    /**
+     * Alias for the key to use (if multiple keys in KeystoreFile)
+     */
+    private String keyAlias = "tomcat";
+
+    public String getKeyAlias() {
+        return (this.keyAlias);
+    }
+
+    public void setKeyAlias(String keyAlias) {
+        this.keyAlias = keyAlias;
+    }
+
+
     /**
-     * Storeage type of the key store file to be used.
+     * Password for accessing a particular key
      */
+    private String keyPass = "changeit";
+
+    public String getKeyPass() {
+        return (this.keyPass);
+    }
+
+    public void setKeyPass(String keyPass) {
+        this.keyPass = keyPass;
+    }
+
+
+    /**
+     * Storage type of the key store file to be used.
+     */
     private String keystoreType = "JKS";

     public String getKeystoreType() {
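Review bot: As a point of style, this hunk rewrites the existing `Storeage type` Javadoc so that it now describes `keyPass`, then adds a fresh comment for `keystoreType` below it; the diff reads as though the keystoreType field's documentation was replaced, when in fact a new field was inserted. Inserting `keyPass` with its own Javadoc above the untouched keystoreType block (and fixing the `Storeage` typo as a separate one-character change) would make the intent obvious. The field comment `Password for accessing a particular key` should also mention the fallback, e.g. `Password for the key selected by keyAlias; keystorePass is tried if this one fails.` The same hunk appears again in the second copy of this diff below.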
@@ -384,10 +417,29 @@
             // Create an SSL context used to create an SSL socket factory
             SSLContext context = SSLContext.getInstance(protocol);

+            // If multiple entries in keyStore, and specified alias is
+            // in keyStore, delete all but keyAlias (otherwise use first
+            // entry in keyStore.)
+            if ((keyStore.size() > 1) &&
(keyStore.containsAlias(keyAlias))) {
+                for (Enumeration aliasList = keyStore.aliases();
+                     aliasList.hasMoreElements();) {
+                    String alias = (String) aliasList.nextElement();
+                    if(! alias.equals(keyAlias)) {
+                        keyStore.deleteEntry(alias);
+                    }
+                }
+            }
+
             // Create the key manager factory used to extract the server
key
             KeyManagerFactory keyManagerFactory =
                 KeyManagerFactory.getInstance(algorithm);
-            keyManagerFactory.init(keyStore, keystorePass.toCharArray());
+
+            try {
+                keyManagerFactory.init(keyStore, keyPass.toCharArray());
+            } catch (Exception e) {
+                System.out.println("Trying keystore key: " + keystorePass);
+                keyManagerFactory.init(keyStore,
keystorePass.toCharArray());
+            }

             // Create the trust manager factory used for checking
certificates
             /*
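Review bot: The fallback `catch` around `keyManagerFactory.init` writes the keystore password to stdout (`System.out.println("Trying keystore key: " + keystorePass)`), which puts a secret into the console and any captured log, and it catches `Exception`, so a failure of the first `init` that has nothing to do with the password is masked and retried with the wrong diagnosis. Narrow it to the case the fallback is for and keep the secret out of the message: `} catch (UnrecoverableKeyException e) {` and `System.out.println("keyPass did not unlock the key; retrying with keystorePass");` (java.security.UnrecoverableKeyException would need to be added to the import block changed in the first hunk). Separately, the alias selection above falls through without any message when `keyStore.size() > 1` but `keyAlias` is absent, so a mistyped alias quietly serves whichever key the factory picks; a log line or an exception in that branch would surface the misconfiguration. Note also that `deleteEntry` mutates the loaded KeyStore object, removing certificate entries as well as keys, which would matter if the same object were later handed to a trust manager (the trust-manager code after this hunk appears to be commented out, so this may be moot). The enclosing method starts and ends outside the hunk, and the same hunk is repeated in the second copy of this diff below.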
@@ -418,12 +470,13 @@
      * @param ssocket The server socket to be configured
      */
     private void initServerSocket(ServerSocket ssocket) {
+        String ciphers[] = {"SSL_RSA_EXPORT_WITH_RC4_40_MD5"};

         SSLServerSocket socket = (SSLServerSocket) ssocket;

         // Enable all available cipher suites when the socket is connected
         String cipherSuites[] = socket.getSupportedCipherSuites();
-        socket.setEnabledCipherSuites(cipherSuites);
+        socket.setEnabledCipherSuites(ciphers);

         // Set client authentication if necessary
         socket.setNeedClientAuth(clientAuth);
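Review bot: `socket.setEnabledCipherSuites(ciphers)` now restricts every connection to the single hard-coded suite `SSL_RSA_EXPORT_WITH_RC4_40_MD5`, a 40-bit export-grade cipher, instead of the full supported list, while the comment above still says all available suites are enabled and `cipherSuites` becomes an unused local. The patch description does not mention this change and the second copy of the diff below omits this hunk, so it looks like a debugging leftover rather than an intended part of the fix. Revert to `socket.setEnabledCipherSuites(cipherSuites);` and drop the `ciphers` array; if a configurable cipher list is wanted it belongs in a factory property like the other settings. initServerSocket continues past the end of the hunk.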
Index: SSLServerSocketFactory.java
===================================================================
RCS file:
/home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/ne
t/SSLServerSocketFactory.java,v
retrieving revision 1.3
diff -u -r1.3 SSLServerSocketFactory.java
--- SSLServerSocketFactory.java	2000/11/08 01:18:54	1.3
+++ SSLServerSocketFactory.java	2001/04/19 17:11:10
@@ -61,6 +61,7 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.util.Enumeration;
 import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.security.KeyStore;
@@ -95,6 +96,10 @@
  *     loaded. ["./keystore" in the user home directory]</li>
  * <li><strong>keystorePass</strong> - Password for the Key Store file to
be
  *     loaded. ["changeit"]</li>
+ * <li><strong>keyAlias</strong> - Alias for the key to use in Key Store
+ *     file (if multiple keys). ["tomcat"]</li>
+ * <li><strong>keyPass</strong> - Password for the Key to be
+ *     loaded. ["changeit"]</li>
  * <li><strong>keystoreType</strong> - Type of the Key Store file to be
  *     loaded. ["JKS"]</li>
  * <li><strong>protocol</strong> - SSL protocol to use. [TLS]</li>
@@ -211,9 +216,37 @@
     }


+    /**
+     * Alias for the key to use (if multiple keys in KeystoreFile)
+     */
+    private String keyAlias = "tomcat";
+
+    public String getKeyAlias() {
+        return (this.keyAlias);
+    }
+
+    public void setKeyAlias(String keyAlias) {
+        this.keyAlias = keyAlias;
+    }
+
+
     /**
-     * Storeage type of the key store file to be used.
+     * Password for accessing a particular key
      */
+    private String keyPass = "changeit";
+
+    public String getKeyPass() {
+        return (this.keyPass);
+    }
+
+    public void setKeyPass(String keyPass) {
+        this.keyPass = keyPass;
+    }
+
+
+    /**
+     * Storage type of the key store file to be used.
+     */
     private String keystoreType = "JKS";

     public String getKeystoreType() {
@@ -384,10 +417,29 @@
             // Create an SSL context used to create an SSL socket factory
             SSLContext context = SSLContext.getInstance(protocol);

+            // If multiple entries in keyStore, and specified alias is
+            // in keyStore, delete all but keyAlias (otherwise use first
+            // entry in keyStore.)
+            if ((keyStore.size() > 1) &&
(keyStore.containsAlias(keyAlias))) {
+                for (Enumeration aliasList = keyStore.aliases();
+                     aliasList.hasMoreElements();) {
+                    String alias = (String) aliasList.nextElement();
+                    if(! alias.equals(keyAlias)) {
+                        keyStore.deleteEntry(alias);
+                    }
+                }
+            }
+
             // Create the key manager factory used to extract the server
key
             KeyManagerFactory keyManagerFactory =
                 KeyManagerFactory.getInstance(algorithm);
-            keyManagerFactory.init(keyStore, keystorePass.toCharArray());
+
+            try {
+                keyManagerFactory.init(keyStore, keyPass.toCharArray());
+            } catch (Exception e) {
+                System.out.println("Trying keystore key: " + keystorePass);
+                keyManagerFactory.init(keyStore,
keystorePass.toCharArray());
+            }

             // Create the trust manager factory used for checking
certificates
             /*
Index: server.xml
===================================================================
RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/conf/server.xml,v
retrieving revision 1.20
diff -u -r1.20 server.xml
--- server.xml  2001/04/12 01:06:11     1.20
+++ server.xml  2001/04/19 17:26:07
@@ -55,7 +55,7 @@
                port="8443" minProcessors="5" maxProcessors="75"
               acceptCount="10" debug="0" scheme="https" secure="true">
       <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
-               clientAuth="false" protocol="TLS"/>
+               clientAuth="false" protocol="TLS" keyAlias="tomcat"
keyPass="cha
ngeit"/>
     </Connector>
     -->
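Review bot: The example now carries `keyPass="changeit"`, which is the value the factory already uses as its default (and, per the Javadoc hunk above, the default for keystorePass too), so the attribute adds nothing for a reader and gives no hint of when it is actually needed. A short comment above the `<Factory>` element, e.g. `<!-- keyAlias and keyPass are only needed when the keystore holds more than one key -->`, would make the purpose clear. The attribute value is also split across two lines (`"cha` / `ngeit"`), presumably by the mail client; applied as-is it would not parse.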