Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/11/25 17:01:16 UTC
svn commit: r1039080 - in /tomcat/tc6.0.x/trunk: STATUS.txt
java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
webapps/docs/changelog.xml webapps/docs/config/http.xml
Author: markt
Date: Thu Nov 25 16:01:16 2010
New Revision: 1039080
URL: http://svn.apache.org/viewvc?rev=1039080&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
Truststores don't have to have passwords
Based on a patch by 'smmwpf54'
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1039080&r1=1039079&r2=1039080&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Nov 25 16:01:16 2010
@@ -45,13 +45,6 @@ PATCHES PROPOSED TO BACKPORT:
and fix it later if needed? I think that actually nobody besides the release manager
uses this, so I am letting this pass.
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
- Truststores don't have to have passwords
- Based on a patch by 'smmwpf54'
- https://issues.apache.org/bugzilla/attachment.cgi?id=26268
- +1: kkolinko, markt, jfclere
- -1:
-
* Configure Tomcat to use HttpOnly for session cookies by default
http://people.apache.org/~kkolinko/patches/2010-04-21_tc6_context_httpOnly.patch
+1: kkolinko
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1039080&r1=1039079&r2=1039080&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Thu Nov 25 16:01:16 2010
@@ -266,7 +266,15 @@ public class JSSESocketFactory
if (keystoreFile == null)
keystoreFile = defaultKeystoreFile;
- return getStore(type, provider, keystoreFile, pass);
+ try {
+ return getStore(type, provider, keystoreFile, pass);
+ } catch (FileNotFoundException fnfe) {
+ throw fnfe;
+ } catch (IOException ioe) {
+ log.error(sm.getString("jsse.keystore_load_failed", type,
+ keystoreFile, ioe.getMessage()), ioe);
+ throw ioe;
+ }
}
/*
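Review bot: The `catch (FileNotFoundException fnfe) { throw fnfe; }` arm added ahead of the `IOException` arm reads as dead code unless the reader knows that getStore() already logs a FileNotFoundException before rethrowing it (the unchanged `catch (FileNotFoundException fnfe)` in the third hunk of this file), so a later "simplification" into the logging arm would produce a duplicate error log. Suggest `// Already logged by getStore(); rethrow without logging a second time` above `throw fnfe;`. The same bare rethrow arm appears in getTrustStore in the next hunk and would benefit from the same comment. The enclosing method's signature is outside this hunk.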
@@ -316,9 +324,33 @@ public class JSSESocketFactory
log.debug("trustProvider = " + truststoreProvider);
}
- if (truststoreFile != null && truststorePassword != null){
- trustStore = getStore(truststoreType, truststoreProvider,
- truststoreFile, truststorePassword);
+ if (truststoreFile != null) {
+ try {
+ trustStore = getStore(truststoreType, truststoreProvider,
+ truststoreFile, truststorePassword);
+ } catch (FileNotFoundException fnfe) {
+ throw fnfe;
+ } catch (IOException ioe) {
+ // Log a warning that we had a password issue
+ // and re-try, unless the password is null already
+ if (truststorePassword != null) {
+ log.warn(sm.getString("jsse.invalid_truststore_password"),
+ ioe);
+ try {
+ trustStore = getStore(truststoreType,
+ truststoreProvider, truststoreFile, null);
+ ioe = null;
+ } catch (IOException ioe2) {
+ ioe = ioe2;
+ }
+ }
+ if (ioe != null) {
+ log.error(sm.getString("jsse.keystore_load_failed",
+ truststoreType, truststoreFile, ioe.getMessage()),
+ ioe);
+ throw ioe;
+ }
+ }
}
return trustStore;
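Review bot: The retry at `getStore(truststoreType, truststoreProvider, truststoreFile, null)` runs for any IOException from the first attempt, and for a JKS store a wrong password and a failed integrity (MAC) check surface as the same IOException, so a trust store that no longer verifies against the configured password is still loaded after only a warning — the operator's configured password, which is what requests integrity checking, becomes effectively optional. If the fallback is kept, the comment at `// Log a warning that we had a password issue` should state this, e.g. `// A wrong password and a failed integrity check are indistinguishable here; the retry loads the store with validation skipped`, and the event is arguably error-level rather than warn. Separately, reassigning the catch parameter (`ioe = null;`, `ioe = ioe2;`) is legal but easy to misread; a local such as `IOException pending = ioe;` would make the control flow clearer. getTrustStore's signature and closing brace are outside this hunk.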
@@ -347,15 +379,19 @@ public class JSSESocketFactory
istream = new FileInputStream(keyStoreFile);
}
- ks.load(istream, pass.toCharArray());
+ char[] storePass = null;
+ if (pass != null && !"".equals(pass)) {
+ storePass = pass.toCharArray();
+ }
+ ks.load(istream, storePass);
} catch (FileNotFoundException fnfe) {
log.error(sm.getString("jsse.keystore_load_failed", type, path,
fnfe.getMessage()), fnfe);
throw fnfe;
} catch (IOException ioe) {
- log.error(sm.getString("jsse.keystore_load_failed", type, path,
- ioe.getMessage()), ioe);
- throw ioe;
+ // May be expected when working with a trust store
+ // Re-throw. Caller will catch and log as required
+ throw ioe;
} catch(Exception ex) {
String msg = sm.getString("jsse.keystore_load_failed", type, path,
ex.getMessage());
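Review bot: The new `storePass` mapping turns an empty-string password into `null`, which makes `ks.load` skip the store's integrity check, and because getStore is shared with getKeystore (first hunk of this file) this now applies to `keystorePass=""` as well as to the trust store, while the http.xml change in this commit documents the behaviour only for truststorePass. A comment at the mapping would make the shared effect explicit, e.g. `// "" and null both load the store without a password, i.e. without integrity verification; applies to key stores too`, and the keystorePass documentation likely needs the same sentence. The `catch (FileNotFoundException fnfe)` arm here still logs before rethrowing while the `IOException` arm now defers logging to the caller; a one-line comment on the FNFE arm saying callers rethrow it without logging would tie the two halves together. getStore's declaration and the handling of `istream` after load lie outside this hunk.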
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=1039080&r1=1039079&r2=1039080&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties Thu Nov 25 16:01:16 2010
@@ -15,3 +15,4 @@
jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due to {2}
+jsse.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation.
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1039080&r1=1039079&r2=1039080&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Nov 25 16:01:16 2010
@@ -172,6 +172,10 @@
(mturk)
</fix>
<add>
+ <bug>48545</bug>: Allow JSSE trust stores to be used without providing
+ a password. Based on a patch by smmwpf54. (kkolinko)
+ </add>
+ <add>
<bug>48738</bug>: Add support for flushing gzipped output. Based on a
patch by Jiong Wang. (markt)
</add>
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=1039080&r1=1039079&r2=1039080&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Thu Nov 25 16:01:16 2010
@@ -738,8 +738,12 @@
<p>The password to access the trust store. The default is the value of the
<code>javax.net.ssl.trustStorePassword</code> system property. If that
property is null, the value of <code>keystorePass</code> is used as the
- default. If neither this attribute, the default system property nor
- <code>keystorePass</code>is set, no trust store will be configured.</p>
+ default. If an invalid trust store password is specified, a warning will
+ be logged and an attempt will be made to access the trust store without a
+ password which will skip validation of the trust store contents. If the
+ trust store password is defined as <code>""</code> then no
+ password will be used to access the store which will also skip validation
+ of the trust store contents.</p>
</attribute>
<attribute name="truststoreType" required="false">