Author: markt Date: Mon Dec 5 20:56:57 2016 New Revision: 1772802 URL: http://svn.apache.org/viewvc?rev=1772802&view=rev Log: Expand the search process for a server certificate when OpenSSL is used with a JSSE connector and an explicit alias has not been configured.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1772802&r1=1772801&r2=1772802&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Mon Dec 5 20:56:57 2016
@@ -23,7 +23,9 @@ import java.security.cert.CertificateExc
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Base64;
+import java.util.Iterator;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicInteger;
@@ -47,6 +49,7 @@ import org.apache.tomcat.util.net.Abstra
 import org.apache.tomcat.util.net.Constants;
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
 import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
 import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
 import org.apache.tomcat.util.res.StringManager;
@@ -271,6 +274,10 @@ public class OpenSSLContext implements o
 alias = "tomcat";
 }
 X509Certificate[] chain = keyManager.getCertificateChain(alias);
+ if (chain == null) {
+ alias = findAlias(keyManager, certificate);
+ chain = keyManager.getCertificateChain(alias);
+ }
 PrivateKey key = keyManager.getPrivateKey(alias);
 StringBuilder sb = new StringBuilder(BEGIN_KEY);
 sb.append(Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(key.getEncoded()));
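Review bot: The fallback added after `getCertificateChain(alias)` can still leave both `alias` and `chain` null, because `findAlias` returns null when `chooseServerAlias` offers no key for any candidate type; the unchanged `keyManager.getPrivateKey(alias)` then yields null and `key.getEncoded()` fails with a NullPointerException instead of a configuration error that names the problem. Add an explicit guard right after the fallback block, `if (alias == null || chain == null) { throw new IllegalStateException(...); }`, with the message taken from the class's StringManager so the operator is told that no usable server certificate was found in the key store. Since the alias is now chosen implicitly when none was configured, logging the alias that `findAlias` settled on would let operators confirm which certificate the connector is actually serving. The enclosing method starts and ends outside this hunk, so any existing error handling around it is not visible here.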
@@ -333,6 +340,33 @@ public class OpenSSLContext implements o
 }
 }
+ /*
+ * Find a valid alias when none was specified in the config.
+ */
+ private static String findAlias(X509KeyManager keyManager,
+ SSLHostConfigCertificate certificate) {
+
+ Type type = certificate.getType();
+ String result = null;
+
+ List<Type> candidiateTypes = new ArrayList<>();
+ if (Type.UNDEFINED.equals(type)) {
+ // Try all types to find an suitable alias
+ candidiateTypes.addAll(Arrays.asList(Type.values()));
+ candidiateTypes.remove(Type.UNDEFINED);
+ } else {
+ // Look for the specific type to find a suitable alias
+ candidiateTypes.add(type);
+ }
+
+ Iterator<Type> iter = candidiateTypes.iterator();
+ while (result == null && iter.hasNext()) {
+ result = keyManager.chooseServerAlias(iter.next().toString(), null, null);
+ }
+
+ return result;
+ }
+
 private static X509KeyManager chooseKeyManager(KeyManager[] managers) throws Exception {
 for (KeyManager manager : managers) {
 if (manager instanceof JSSEKeyManager) {
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1772802&r1=1772801&r2=1772802&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Dec 5 20:56:57 2016
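Review bot: The header comment on `findAlias` says neither that the method may return null nor how it picks between candidates, and both matter to the caller: when the certificate type is `UNDEFINED` the types are tried in `Type.values()` declaration order with `UNDEFINED` removed, the first alias the key manager returns wins, and `chooseServerAlias` is given no issuer or socket constraint, so with several usable keys in the store the served certificate is chosen implicitly by the key manager's own ordering. Turn the `/* ... */` block into a Javadoc that states the two-step search (configured type first, otherwise every other type in declaration order), ends with `@return the first alias the key manager offers, or {@code null} if it has no key of any candidate type`, and advises configuring the alias explicitly when the key store holds more than one server key. On style, `candidiateTypes` is misspelled throughout (`candidateTypes`) and the comment reads `// Try all types to find an suitable alias` where it should say `a suitable alias`. The `result`/`Iterator` loop would read more directly as a for-each over the candidates with an early `return alias;` when `chooseServerAlias` returns non-null, which also makes the `java.util.Iterator` import added in the first hunk unnecessary.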
@@ -45,6 +45,15 @@ issues do not "pop up" wrt. others). -->
 <section name="Tomcat 9.0.0.M16 (markt)" rtext="in development">
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Expand the search process for a server certificate when OpenSSL is used
+ with a JSSE connector and an explicit alias has not been configured.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
 </section>
 <section name="Tomcat 9.0.0.M15 (markt)" rtext="release in progress">
 <subsection name="Other">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org