Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/06/13 16:28:26 UTC
[tomcat] branch 10.1.x updated: Fix BZ 66635 Correctly log PEM based keys/certificates
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 46645ef4af Fix BZ 66635 Correctly log PEM based keys/certificates
46645ef4af is described below
commit 46645ef4af866859acd158a43c69604589f07cc8
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 13 17:18:52 2023 +0100
Fix BZ 66635 Correctly log PEM based keys/certificates
https://bz.apache.org/bugzilla/show_bug.cgi?id=66635
---
.../apache/tomcat/util/net/AbstractEndpoint.java | 25 +++++++++++++++-------
.../apache/tomcat/util/net/LocalStrings.properties | 4 +++-
.../tomcat/util/net/LocalStrings_fr.properties | 3 ++-
.../tomcat/util/net/LocalStrings_ja.properties | 1 -
.../tomcat/util/net/SSLHostConfigCertificate.java | 17 +++++++++------
webapps/docs/changelog.xml | 6 ++++++
6 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 6aa878788a..3f0862286b 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -52,6 +52,7 @@ import org.apache.tomcat.util.buf.HexUtils;
import org.apache.tomcat.util.collections.SynchronizedStack;
import org.apache.tomcat.util.modeler.Registry;
import org.apache.tomcat.util.net.Acceptor.AcceptorState;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate.StoreType;
import org.apache.tomcat.util.res.StringManager;
import org.apache.tomcat.util.threads.LimitLatch;
import org.apache.tomcat.util.threads.ResizableExecutor;
@@ -366,14 +367,22 @@ public abstract class AbstractEndpoint<S,U> {
protected void logCertificate(SSLHostConfigCertificate certificate) {
SSLHostConfig sslHostConfig = certificate.getSSLHostConfig();
- String certificateSource = certificate.getCertificateKeystoreFile();
- if (certificateSource == null) {
- certificateSource = certificate.getCertificateKeyFile();
- }
+ String certificateInfo;
- String keyAlias = certificate.getCertificateKeyAlias();
- if (keyAlias == null) {
- keyAlias = SSLUtilBase.DEFAULT_KEY_ALIAS;
+ if (certificate.getStoreType() == StoreType.PEM) {
+ // PEM file based
+ String keySource = certificate.getCertificateKeystoreFile();
+ keySource = certificate.getCertificateKeyFile();
+ certificateInfo = sm.getString("endpoint.tls.info.cert.pem", keySource, certificate.getCertificateFile(),
+ certificate.getCertificateChainFile());
+ } else {
+ // Keystore based
+ String keyStore = certificate.getCertificateKeystoreFile();
+ String keyAlias = certificate.getCertificateKeyAlias();
+ if (keyAlias == null) {
+ keyAlias = SSLUtilBase.DEFAULT_KEY_ALIAS;
+ }
+ certificateInfo = sm.getString("endpoint.tls.info.cert.keystore", keyStore, keyAlias);
}
String trustStoreSource = sslHostConfig.getTruststoreFile();
@@ -385,7 +394,7 @@ public abstract class AbstractEndpoint<S,U> {
}
getLogCertificate().info(sm.getString("endpoint.tls.info", getName(), sslHostConfig.getHostName(),
- certificate.getType(), certificateSource, keyAlias, trustStoreSource));
+ certificate.getType(), certificateInfo, trustStoreSource));
if (getLogCertificate().isDebugEnabled()) {
String alias = certificate.getCertificateKeyAlias();
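Review bot: In the new PEM branch the first assignment to `keySource` is dead: `String keySource = certificate.getCertificateKeystoreFile();` is overwritten on the very next line by `keySource = certificate.getCertificateKeyFile();`, so the keystore-file read has no effect and looks like a leftover from the removed fallback. Collapse it to `String keySource = certificate.getCertificateKeyFile();`. If a PEM configuration may leave `certificateKeyFile` unset (the hunk does not show whether the key can instead live inside the certificate file), the message would print `key [null]`; consider substituting `certificate.getCertificateFile()` in that case so the log names the file the key is actually read from. The keystore branch likewise assumes `getCertificateKeystoreFile()` is non-null, which holds for the default but is not checked. logCertificate continues past the hunk (the debug-level block starting at the last line).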
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index 8e845821bd..43146c2c16 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -116,7 +116,9 @@ endpoint.socketOptionsError=Error setting socket options
endpoint.timeout.err=Error processing socket timeout
endpoint.tls.cert.encodingError=Certificate fingerprints not available
endpoint.tls.cert.noCerts=Certificate details not available as the certificate chain returned from the SSLContext was empty
-endpoint.tls.info=Connector [{0}], TLS virtual host [{1}], certificate type [{2}] configured from [{3}] using alias [{4}] and with trust store [{5}]
+endpoint.tls.info=Connector [{0}], TLS virtual host [{1}], certificate type [{2}] configured from {3} with trust store [{4}]
+endpoint.tls.info.cert.pem=key [{0}], certificate [{1}] and certificate chain [{2}]
+endpoint.tls.info.cert.keystore=keystore [{0}] using alias [{1}]
endpoint.unknownSslHostName=The SSL host name [{0}] is not recognised for this endpoint
endpoint.warn.executorShutdown=The executor associated with thread pool [{0}] has not fully shutdown. Some application threads may still be running.
endpoint.warn.incorrectConnectionCount=Incorrect connection count, multiple calls to socket.close for the same socket.
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_fr.properties b/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
index 540e740ff0..e8eb7d3569 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
@@ -116,7 +116,8 @@ endpoint.socketOptionsError=Erreur en définissant les options du socket
endpoint.timeout.err=Erreur en traitant le dépassement de temps d'attente du socket
endpoint.tls.cert.encodingError=Les empreintes du certificat ne sont pas disponibles
endpoint.tls.cert.noCerts=Les détails du certificat ne sont pas disponibles car la chaîne de certificats retournée par le SSLContext est vide
-endpoint.tls.info=Connecteur [{0}], hôte virtuel TLS [{1}], type de certificat [{2}] configuré depuis [{3}] avec l''alias [{4}] et la trust store [{5}]
+endpoint.tls.info=Connecteur [{0}], hôte virtuel TLS [{1}], type de certificat [{2}] configuré depuis {3} et la trust store [{4}]
+endpoint.tls.info.cert.keystore=[{0}] avec l''alias [{1}]
endpoint.unknownSslHostName=Le nom d''hôte SSL [{0}] n''est pas reconnu pour cette terminaison
endpoint.warn.executorShutdown=L''exécuteur associé au pool de threads [{0}] n''est pas complètement arrêté, certains threads d''application peuvent toujours être en cours d''exécution
endpoint.warn.incorrectConnectionCount=Le décompte du nombre de connections est incorrect, la méthode de fermeture d'un même socket a été appelée plusieurs fois
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
index 21982f2a63..9cb9d5f74a 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
@@ -116,7 +116,6 @@ endpoint.socketOptionsError=ソケットオプション設定中のエラー
endpoint.timeout.err=ソケットタイムアウト処理中のエラー
endpoint.tls.cert.encodingError=証明書のフィンガープリントが利用できません
endpoint.tls.cert.noCerts=SSLContext から返された証明書チェーンが空だったため、証明書の詳細を利用できません
-endpoint.tls.info=コネクタ [{0}]、TLS 仮想ホスト [{1}]、証明書タイプ [{2}] は、エイリアス [{4}] を使用し、トラスト ストア [{5}] を使用して [{3}] から構成されました
endpoint.unknownSslHostName=SSL ホスト名 [{0}] はこのエンドポイントから認識されていません。
endpoint.warn.executorShutdown=スレッドプール [{0}] と関連付けられたエグゼキューターは完全に停止できませんでした。いくつかのアプリケーションスレッドはまだ動作し続けている可能性があります。
endpoint.warn.incorrectConnectionCount=不正なコネクション数。複数のsocket.closeが同じソケットで呼び出されました。
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
index d1f4cc4a25..0ef6ca0a7d 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
@@ -40,10 +40,10 @@ public class SSLHostConfigCertificate implements Serializable {
public static final Type DEFAULT_TYPE = Type.UNDEFINED;
- static final String DEFAULT_KEYSTORE_PROVIDER =
- System.getProperty("javax.net.ssl.keyStoreProvider");
- static final String DEFAULT_KEYSTORE_TYPE =
- System.getProperty("javax.net.ssl.keyStoreType", "JKS");
+ static final String DEFAULT_KEYSTORE_PROVIDER = System.getProperty("javax.net.ssl.keyStoreProvider");
+ static final String DEFAULT_KEYSTORE_TYPE = System.getProperty("javax.net.ssl.keyStoreType", "JKS");
+ private static final String DEFAULT_KEYSTORE_FILE = System.getProperty("user.home")+"/.keystore";
+ private static final String DEFAULT_KEYSTORE_PASSWORD = "changeit";
// Internal
private ObjectName oname;
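Review bot: The two new constants carry no comment explaining where their values come from, and `DEFAULT_KEYSTORE_PASSWORD = "changeit"` in particular is a hard-coded credential that a reader will want context for. Presumably both mirror the JDK's conventional `${user.home}/.keystore` / `changeit` defaults rather than being Tomcat-specific choices; if so, say so, e.g. `// JDK-conventional defaults for the JSSE keystore location and password; deployments are expected to override both`. `DEFAULT_KEYSTORE_FILE` also builds the path with a literal "/" — fine on every platform the JDK supports, but a one-word note that this is intentional would stop the next reviewer flagging it. The class continues outside the hunk.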
@@ -60,8 +60,8 @@ public class SSLHostConfigCertificate implements Serializable {
// JSSE
private String certificateKeyAlias;
- private String certificateKeystorePassword = "changeit";
- private String certificateKeystoreFile = System.getProperty("user.home")+"/.keystore";
+ private String certificateKeystorePassword = DEFAULT_KEYSTORE_PASSWORD;
+ private String certificateKeystoreFile = DEFAULT_KEYSTORE_FILE;
private String certificateKeystoreProvider = DEFAULT_KEYSTORE_PROVIDER;
private String certificateKeystoreType = DEFAULT_KEYSTORE_TYPE;
private transient KeyStore certificateKeystore = null;
@@ -267,7 +267,10 @@ public class SSLHostConfigCertificate implements Serializable {
}
}
- // Nested types
+ StoreType getStoreType() {
+ return storeType;
+ }
+
public enum Type {
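Review bot: The new `getStoreType()` accessor replaces the `// Nested types` section marker instead of being inserted above it, so `public enum Type {` now follows the getter with no heading; restore the comment between the getter's closing brace and the enum. The getter is also undocumented — a one-liner such as `/** Returns whether this certificate is sourced from a keystore or from PEM files; drives the branch in AbstractEndpoint.logCertificate(). */` would record its purpose (the PEM/keystore distinction is what the caller in this commit switches on). Package-private visibility looks intentional since the only caller is in the same package, but where `storeType` is assigned is not visible in the hunk, so confirm it is set before logCertificate can run. The enclosing class continues outside the hunk.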
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c6ea70d9ef..9508acf820 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -127,6 +127,12 @@
original content rather than reflecting the most recent conversion.
(markt)
</fix>
+ <fix>
+ <bug>66635</bug>: Correct certificate logging on start-up so it
+ differentiates between keystore based keys/certificates and PEM file
+ based keys/certificates and logs the relevant information for each.
+ (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="WebSocket">