Author: markt
Date: Wed Jul 11 11:09:51 2018
New Revision: 1835627

URL: http://svn.apache.org/viewvc?rev=1835627&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62526
Correctly handle PKCS12 format key stores when the key store password is 
configured to be the empty string.

Modified:
    tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1835627&r1=1835626&r2=1835627&view=diff
==============================================================================
--- 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
 (original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
 Wed Jul 11 11:09:51 2018
@@ -465,13 +465,33 @@ public class JSSESocketFactory implement
             } else {
                 ks = KeyStore.getInstance(type, provider);
             }
+            // Some key store types (e.g. hardware) expect the InputStream
+            // to be null
             if(!("PKCS11".equalsIgnoreCase(type) ||
                     "".equalsIgnoreCase(path))) {
                 istream = ConfigFileLoader.getInputStream(path);
             }
 
+            // The digester cannot differentiate between null and "".
+            // Unfortunately, some key stores behave differently with null
+            // and "".
+            // JKS key stores treat null and "" interchangeably.
+            // PKCS12 key stores (Java 7 onwards) don't return the cert if
+            // null is used.
+            // Key stores that do not use passwords expect null
+            // Therefore:
+            // - log an error of PKCS12 is used with an empty password
+            //   (an exception will follow)
+            // - generally use null if pass is null or ""
+            // - for JKS or PKCS12 only use null if pass is null
+            //   (because JKS will auto-switch to PKCS12)
+            if ("PKCS12".equalsIgnoreCase(type) && pass != null && 
pass.length() == 0 &&
+                    !JreCompat.isJre7Available()) {
+                log.error(sm.getString("jsse.java6.emptyPass"));
+            }
             char[] storePass = null;
-            if (pass != null && !"".equals(pass)) {
+            if (pass != null && (!"".equals(pass) ||
+                    "JKS".equalsIgnoreCase(type) || 
"PKCS12".equalsIgnoreCase(type))) {
                 storePass = pass.toCharArray();
             }
             ks.load(istream, storePass);
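Review bot: the new comment block has a typo in `- log an error of PKCS12 is used with an empty password` (should read `if PKCS12 is used`), and the `!JreCompat.isJre7Available()` branch only logs `jsse.java6.emptyPass` and then falls through, relying on the later `ks.load(istream, storePass)` to throw; consider including `path` in the logged error, or throwing directly from that branch, so the startup failure is attributed to the configured key store rather than to a generic load exception. The revised `storePass` condition itself reads correctly: a null `pass` stays null for every type, the empty string becomes an empty char array only for `JKS` and `PKCS12` (the comment explains that JKS may be auto-detected as PKCS12, so both need the same treatment), and other types such as `PKCS11` keep null as the comment says password-less stores expect.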

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=1835627&r1=1835626&r2=1835627&view=diff
==============================================================================
--- 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
 (original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
 Wed Jul 11 11:09:51 2018
@@ -29,6 +29,7 @@ jsse.excludeDefaultProtocol=The SSL prot
 jsse.noDefaultCiphers=Unable to determine a default for ciphers for [{0}]. Set 
an explicit value to ensure the connector can start.
 jsse.noDefaultProtocols=Unable to determine a default for sslEnabledProtocols 
for [{0}]. Set an explicit value to ensure the connector can start.
 jsse.exceptionOnClose=Failure to close socket.
+jsse.java6.emptyPass=The PKCS12 key store does not support the use of the 
empty string as a password on Java 6.
 jsseSupport.clientCertError=Error trying to obtain a certificate from the 
client
 jseeSupport.certTranslationError=Error translating certificate [{0}]
 jsseSupport.noCertWant=No client certificate sent for want
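Review bot: the new `jsse.java6.emptyPass` message carries no placeholder, so an operator running several connectors cannot tell which key store triggered it; consider adding a `[{0}]` argument for the key store path, in the same style as the neighbouring `jsse.noDefaultCiphers` and `jsse.noDefaultProtocols` entries. Unrelated to this change but visible in the context lines: the key `jseeSupport.certTranslationError` is spelt `jsee` rather than `jsse`, which looks like a pre-existing typo worth a separate fix.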

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1835627&r1=1835626&r2=1835627&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Wed Jul 11 11:09:51 2018
@@ -78,6 +78,12 @@
         <code>Vary</code> HTTP response header to use a common utility method
         that addresses several additional edge cases. (markt)
       </fix>
+      <fix>
+        <bug>62526</bug>: Correctly handle PKCS12 format key stores when the 
key
+        store password is configured to be the empty string. Note that Java 6
+        does not support PKCS12 key stores configured to use a store password 
of
+        the empty string. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
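Review bot: the changelog entry states the Java 6 limitation but not what the user will observe; a short addition that on Java 6 the connector logs an error and fails to start when a PKCS12 key store is configured with an empty-string password would make the note actionable for anyone searching the changelog after a failed startup.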



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
