Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/07/05 12:18:26 UTC

svn commit: r1800867 - in /tomcat/trunk: java/org/apache/tomcat/util/net/jsse/JSSEUtil.java webapps/docs/changelog.xml

Author: markt
Date: Wed Jul  5 12:18:26 2017
New Revision: 1800867

URL: http://svn.apache.org/viewvc?rev=1800867&view=rev
Log:
Enable TLS connectors to use Java key stores that contain multiple keys where each key has a separate password.
Based on a patch by Frank Taffelt.

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1800867&r1=1800866&r2=1800867&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Wed Jul  5 12:18:26 2017
@@ -185,12 +185,21 @@ public class JSSEUtil extends SSLUtilBas
 
         KeyStore ks = certificate.getCertificateKeystore();
 
-        if (ks == null) {
-            // create an in-memory keystore and import the private key
-            // and the certificate chain from the PEM files
-            ks = KeyStore.getInstance("JKS");
-            ks.load(null, null);
+        /*
+         * Always use an in memory key store.
+         * For PEM format keys and certificates, it allows them to be imported
+         * into the expected format.
+         * For Java key stores, it enables Tomcat to handle the case where
+         * multiple keys exist in the key store, each with a different password.
+         * The KeyManagerFactory can't handle that so using an in memory key
+         * store with just the required key works around that.
+         */
+        KeyStore inMemoryKeyStore = KeyStore.getInstance("JKS");
+        inMemoryKeyStore.load(null,  null);
+
+        char[] keyPassArray = keyPass.toCharArray();
 
+        if (ks == null) {
             PEMFile privateKeyFile = new PEMFile(SSLHostConfig.adjustRelativePath
                     (certificate.getCertificateKeyFile() != null ? certificate.getCertificateKeyFile() : certificate.getCertificateFile()),
                     keyPass);
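Review bot: The comment block added at the top of this hunk states that the in-memory store is now always used, but the copy it sets up depends on `KeyStore.getKey` returning a key whose private material can be re-imported, and as far as I can tell from the JDK provider the JKS `setKeyEntry` used here requires a PKCS#8 encoding; keys held in a PKCS11 or other hardware-backed key store are typically non-extractable and return no encoding, so that configuration would now fail where the old code (handing the configured store straight to the KeyManagerFactory) worked. I would record that limitation in the comment, e.g. ` * Note: this requires the private key to be exportable (PKCS#8). Non-extractable keys (PKCS11 / HSM stores) cannot be copied into the in-memory store.`, and consider keeping the direct-init path as a fallback for key stores whose keys report no PKCS#8 format. Separately, `keyPassArray` is a copy of the key password that is never cleared after use; this matches the previous `keyPass.toCharArray()` calls so it is not a new exposure, but now that it is a named local a short `// not zeroed: the String keyPass outlives it anyway` comment would make the intent explicit. The enclosing method starts before this hunk.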
@@ -206,15 +215,19 @@ public class JSSEUtil extends SSLUtilBas
             if (keyAlias == null) {
                 keyAlias = "tomcat";
             }
-            ks.setKeyEntry(keyAlias, privateKeyFile.getPrivateKey(), keyPass.toCharArray(), chain.toArray(new Certificate[chain.size()]));
-        }
+            inMemoryKeyStore.setKeyEntry(keyAlias, privateKeyFile.getPrivateKey(), keyPass.toCharArray(), chain.toArray(new Certificate[chain.size()]));
+        } else {
+            if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
+                throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
+            }
 
-        if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
-            throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
+            inMemoryKeyStore.setKeyEntry(keyAlias, ks.getKey(keyAlias, keyPassArray), keyPassArray,
+                    ks.getCertificateChain(keyAlias));
         }
 
+
         KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
-        kmf.init(ks, keyPass.toCharArray());
+        kmf.init(inMemoryKeyStore, keyPassArray);
 
         kms = kmf.getKeyManagers();
         if (kms == null) {
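Review bot: With a Java key store and no `keyAlias` configured, the new `else` branch reaches `ks.getKey(null, keyPassArray)`, because the `keyAlias != null &&` guard skips the entry check for a null alias while the copy two lines below still uses it; as far as I can tell the JDK JKS and PKCS12 providers lower-case the alias and will throw a `NullPointerException`, whereas the old code passed the whole store to the KeyManagerFactory and let it choose the entry. A connector with `certificateKeystoreFile` and no alias is a common configuration, so this looks like a regression for that case; the `"tomcat"` default at the top of the hunk does not help because it sits inside the `ks == null` (PEM) branch. I would resolve a null alias to the first key entry from `ks.aliases()` before the copy and fail with the existing `jsse.alias_no_key_entry` message if there is none (this needs `java.util.Enumeration` in scope). As a minor point of consistency, the PEM `setKeyEntry` line still calls `keyPass.toCharArray()` where the other new lines use `keyPassArray`. The enclosing method continues past the end of this hunk.
```java
        } else {
            if (keyAlias == null) {
                // No alias configured: pick the first key entry, mirroring what
                // the KeyManagerFactory did when it was given the whole store.
                Enumeration<String> aliases = ks.aliases();
                while (aliases.hasMoreElements()) {
                    String candidate = aliases.nextElement();
                    if (ks.isKeyEntry(candidate)) {
                        keyAlias = candidate;
                        break;
                    }
                }
                if (keyAlias == null) {
                    throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
                }
            } else if (!ks.isKeyEntry(keyAlias)) {
                throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
            }
            // … unchanged: copy the selected entry into inMemoryKeyStore …
```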

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1800867&r1=1800866&r2=1800867&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Jul  5 12:18:26 2017
@@ -57,6 +57,15 @@
       </add>
     </changelog>
   </subsection>
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        Enable TLS connectors to use Java key stores that contain multiple keys
+        where each key has a separate password. Based on a patch by Frank
+        Taffelt. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Jasper">
     <changelog>
       <add>


