Posted to dev@tomcat.apache.org by Rémy Maucherat <re...@apache.org> on 2019/03/07 11:47:48 UTC
Re: svn commit: r1854025 - in /tomcat/trunk/java/org/apache/tomcat/util/net:
AbstractJsseEndpoint.java SSLUtilBase.java jsse/JSSEUtil.java openssl/OpenSSLUtil.java
On Thu, Feb 21, 2019 at 10:29 AM <ma...@apache.org> wrote:
> Author: markt
> Date: Thu Feb 21 09:29:29 2019
> New Revision: 1854025
>
> URL: http://svn.apache.org/viewvc?rev=1854025&view=rev
> Log:
> Refactor creation of SSLContext to include configuration
>
There's probably an issue with that strategy. One of my test
configurations uses a plain (old) PKCS#1 certificate file - the
private key uses BEGIN RSA PRIVATE KEY - with OpenSSL. Predictably it
doesn't work with this addition, since sslContext.init(getKeyManagers(),
getTrustManagers(), null); now calls getKeyManagers().
The OpenSSLContext should probably override getKeyManagers() to work around
the issue, right ? [like, actually avoid using a real keystore at all in
that case] Beyond that point, I'm pretty sure it would work fine.
The exception is:
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1055)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:585)
at org.apache.catalina.startup.Catalina.load(Catalina.java:608)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:158)
at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1103)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1116)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
at
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
at
sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
at
sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
at
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
Rémy
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
> tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
> tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1854025&r1=1854024&r2=1854025&view=diff
>
> ==============================================================================
> --- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
> (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
> Thu Feb 21 09:29:29 2019
> @@ -109,7 +109,6 @@ public abstract class AbstractJsseEndpoi
> SSLContext sslContext;
> try {
> sslContext =
> sslUtil.createSSLContext(negotiableProtocols);
> - sslContext.init(sslUtil.getKeyManagers(),
> sslUtil.getTrustManagers(), null);
> } catch (Exception e) {
> throw new IllegalArgumentException(e.getMessage(), e);
> }
>
> Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java?rev=1854025&r1=1854024&r2=1854025&view=diff
>
> ==============================================================================
> --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java
> (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java Thu Feb
> 21 09:29:29 2019
> @@ -203,6 +203,14 @@ public abstract class SSLUtilBase implem
>
>
> @Override
> + public final SSLContext createSSLContext(List<String>
> negotiableProtocols) throws Exception {
> + SSLContext sslContext =
> createSSLContextInternal(negotiableProtocols);
> + sslContext.init(getKeyManagers(), getTrustManagers(), null);
> + return sslContext;
> + }
> +
> +
> + @Override
> public String[] getEnabledProtocols() {
> return enabledProtocols;
> }
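Review bot: The new final `createSSLContext` fixes the initialisation sequence for every subclass but carries no Javadoc, so a reader cannot tell from the signature that the context returned by `createSSLContextInternal` is expected to be uninitialised and that `init()` is applied here. I would add Javadoc on `createSSLContext` along the lines of `Creates the SSLContext via createSSLContextInternal(List) and initialises it with the managers from getKeyManagers() and getTrustManagers(); subclasses must not call init() themselves.` Because the method is `final`, `getKeyManagers()`/`getTrustManagers()` are the only remaining override points for a subclass, which is worth stating in that Javadoc. Passing `null` as the SecureRandom appears to be carried over from the removed call in AbstractJsseEndpoint rather than newly introduced.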
> @@ -217,4 +225,5 @@ public abstract class SSLUtilBase implem
> protected abstract Log getLog();
> protected abstract boolean isTls13Available();
> protected abstract boolean isTls13RenegAuthAvailable();
> + protected abstract SSLContext createSSLContextInternal(List<String>
> negotiableProtocols) throws Exception;
> }
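Review bot: The new abstract `createSSLContextInternal` has no Javadoc although it is now the sole extension point subclasses implement for context creation, and its return value is fed straight into `SSLContext.init()` by the final `createSSLContext` earlier in this file. I would document the contract with `/** Creates a new, uninitialised SSLContext for the configured protocol; the base class initialises it with the key and trust managers, so implementations must not call init(). */`. The neighbouring abstract declarations are likewise undocumented, but that is pre-existing.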
>
> Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1854025&r1=1854024&r2=1854025&view=diff
>
> ==============================================================================
> --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
> (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Thu
> Feb 21 09:29:29 2019
> @@ -184,7 +184,8 @@ public class JSSEUtil extends SSLUtilBas
>
>
> @Override
> - public SSLContext createSSLContext(List<String> negotiableProtocols)
> throws NoSuchAlgorithmException {
> + public SSLContext createSSLContextInternal(List<String>
> negotiableProtocols)
> + throws NoSuchAlgorithmException {
> return new JSSESSLContext(sslHostConfig.getSslProtocol());
> }
>
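Review bot: `createSSLContextInternal` is declared `protected abstract` in SSLUtilBase, but the override here is `public`, which widens it onto JSSEUtil's public API and lets a caller obtain a context that skips the key/trust-manager initialisation the base class now performs in `createSSLContext`. Java permits the widening, so this compiles, but the base-class visibility looks like the intended one; I would change the signature to `protected SSLContext createSSLContextInternal(List<String> negotiableProtocols) throws NoSuchAlgorithmException {`.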
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java?rev=1854025&r1=1854024&r2=1854025&view=diff
>
> ==============================================================================
> --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> Thu Feb 21 09:29:29 2019
> @@ -84,10 +84,11 @@ public class OpenSSLUtil extends SSLUtil
>
>
> @Override
> - public SSLContext createSSLContext(List<String> negotiableProtocols)
> throws Exception {
> + public SSLContext createSSLContextInternal(List<String>
> negotiableProtocols) throws Exception {
> return new OpenSSLContext(certificate, negotiableProtocols);
> }
>
> +
> @Override
> public KeyManager[] getKeyManagers() throws Exception {
> if (jsseUtil != null) {
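Review bot: As in JSSEUtil, the `createSSLContextInternal` override here is `public` while the base declaration is `protected abstract`, exposing an uninitialised-context factory on OpenSSLUtil's public surface; I would narrow it to `protected SSLContext createSSLContextInternal(List<String> negotiableProtocols) throws Exception {`. The `getKeyManagers()` override that starts at the end of this hunk continues outside it, so its handling of the `jsseUtil == null` case cannot be reviewed from this diff.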
>
>
>