On 21/08/17 22:54, Jesse Schulman wrote: > I'm pretty sure this is a bug/regression related to a recent change by > markt: http://svn.apache.org/viewvc?view=revision&revision=1800868 > > I think the issue was there before but we weren't hitting it, because the > logic of taking the first alias from the keystore (even if it does not > alias a key) was already there, but only after this change did we start to > hit that code. > > We have worked around the issue with a "getFirstKeyAlias" method that we > use to set the certificateKeyAlias in our SSLHostConfigCertificate: > > private String getFirstKeyAlias(KeyStore keyStore) { > try { > Enumeration<String> aliases = keyStore.aliases(); > while(aliases.hasMoreElements()) { > String alias = aliases.nextElement(); > if (keyStore.isKeyEntry(alias)) > return alias; > } > } catch (KeyStoreException e) { > LOGGER.error("Failed to find first key alias in keystore", e); > } > > return null; > } > > I think that something like this should around line 219 of JSSEUtil, where > currently it looks like this: > > Enumeration<String> aliases = ks.aliases(); > if (!aliases.hasMoreElements()) { > throw new IOException(sm.getString("jsse.noKeys")); > } > keyAlias = aliases.nextElement(); > > > Should I send this to the dev list instead?
If you could create a Bugzilla issue for it, that would be great. Thanks, Mark > > Thanks! > Jesse > > On Wed, Aug 16, 2017 at 3:02 PM Jesse Schulman <je...@dreamtsoft.com> wrote: > >> We use tomcat-embed and we have a test that is breaking with an upgrade >> from 8.5.12 to 8.5.20, it seems due to the fact that we do not set the >> certificateKeyAlias when we configure an SSLHostConfigCertificate. >> >> The documentation for certificateKeyAlias states "If not specified, the >> first *key* read from the keystore will be used." >> >> It seems that the first alias is being used and there is no check that it >> references a key. >> >> The result is that in JSSEUtil.getKeyManagers there is a call to >> KeyStore.getKey(keyAlias, keyPassArray) where keyAlias is actually an alias >> for a certificate, which leads to inMemoryKeyStore.setKeyEntry being passed >> null for the Key argument and eventually a KeyStoreException("Cannot store >> non-PrivateKeys"). >> >> This worked previously with certificatekeyAlias being null. I can confirm >> that this works just fine if I set that with the alias used when creating >> the KeyStore but I would rather not pass that alias around our code when I >> did not previously need to. >> >> Thanks! >> Jesse >> >> >> > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org