Author: markt Date: Wed Jul 11 11:09:51 2018 New Revision: 1835627 URL: http://svn.apache.org/viewvc?rev=1835627&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62526 Correctly handle PKCS12 format key stores when the key store password is configured to be the empty string.
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1835627&r1=1835626&r2=1835627&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Wed Jul 11 11:09:51 2018
@@ -465,13 +465,33 @@ public class JSSESocketFactory implement } else { ks = KeyStore.getInstance(type, provider); } + // Some key store types (e.g. hardware) expect the InputStream + // to be null if(!("PKCS11".equalsIgnoreCase(type) || "".equalsIgnoreCase(path))) { istream = ConfigFileLoader.getInputStream(path); } + // The digester cannot differentiate between null and "". + // Unfortunately, some key stores behave differently with null + // and "". + // JKS key stores treat null and "" interchangeably. + // PKCS12 key stores (Java 7 onwards) don't return the cert if + // null is used. + // Key stores that do not use passwords expect null + // Therefore: + // - log an error of PKCS12 is used with an empty password + // (an exception will follow) + // - generally use null if pass is null or "" + // - for JKS or PKCS12 only use null if pass is null + // (because JKS will auto-switch to PKCS12) + if ("PKCS12".equalsIgnoreCase(type) && pass != null && pass.length() == 0 && + !JreCompat.isJre7Available()) { + log.error(sm.getString("jsse.java6.emptyPass")); + } char[] storePass = null; - if (pass != null && !"".equals(pass)) { + if (pass != null && (!"".equals(pass) || + "JKS".equalsIgnoreCase(type) || "PKCS12".equalsIgnoreCase(type))) { storePass = pass.toCharArray(); } ks.load(istream, storePass); Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=1835627&r1=1835626&r2=1835627&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties Wed Jul 11 11:09:51 2018 
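Review bot: The widened `storePass` condition changes JKS behaviour as well, not only PKCS12: with a JKS key store and an empty-string password, `ks.load` now receives `new char[0]` instead of `null`, and if I read the JDK's JavaKeyStore.engineLoad correctly that means the store's integrity digest is now verified against "" rather than skipped, so a JKS file saved with a non-empty password will fail to load where it previously loaded unverified (the same applies to PKCS12 MAC verification, which the JDK also skips when the password is null). That is the safer behaviour, but neither the new comment block nor the changelog entry says so; I would append `// Passing "" rather than null also means the store's integrity check (JKS digest / PKCS12 MAC) is performed instead of skipped.` to the comment so the next reader does not "fix" it back. Two smaller points in the same lines: "log an error of PKCS12 is used" should read "if PKCS12 is used", and the new guard tests `pass.length() == 0` while the line below tests `"".equals(pass)` — one form for the same check would read better. The enclosing method starts and ends outside the hunk.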
@@ -29,6 +29,7 @@ jsse.excludeDefaultProtocol=The SSL prot jsse.noDefaultCiphers=Unable to determine a default for ciphers for [{0}]. Set an explicit value to ensure the connector can start. jsse.noDefaultProtocols=Unable to determine a default for sslEnabledProtocols for [{0}]. Set an explicit value to ensure the connector can start. jsse.exceptionOnClose=Failure to close socket. +jsse.java6.emptyPass=The PKCS12 key store does not support the use of the empty string as a password on Java 6. jsseSupport.clientCertError=Error trying to obtain a certificate from the client jseeSupport.certTranslationError=Error translating certificate [{0}] jsseSupport.noCertWant=No client certificate sent for want Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1835627&r1=1835626&r2=1835627&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Wed Jul 11 11:09:51 2018 @@ -78,6 +78,12 @@ <code>Vary</code> HTTP response header to use a common utility method that addresses several additional edge cases. (markt) </fix> + <fix> + <bug>62526</bug>: Correctly handle PKCS12 format key stores when the key + store password is configured to be the empty string. Note that Java 6 + does not support PKCS12 key stores configured to use a store password of + the empty string. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org