Author: markt
Date: Mon Dec 5 20:56:57 2016
New Revision: 1772802
URL: http://svn.apache.org/viewvc?rev=1772802&view=rev
Log:
Expand the search process for a server certificate when OpenSSL is used with a
JSSE connector and an explicit alias has not been configured.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
tomcat/trunk/webapps/docs/changelog.xml
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1772802&r1=1772801&r2=1772802&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Mon Dec 5 20:56:57 2016
@@ -23,7 +23,9 @@ import java.security.cert.CertificateExc
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Base64;
+import java.util.Iterator;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
@@ -47,6 +49,7 @@ import org.apache.tomcat.util.net.Abstra
import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
import
org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.res.StringManager;
@@ -271,6 +274,10 @@ public class OpenSSLContext implements o
alias = "tomcat";
}
X509Certificate[] chain =
keyManager.getCertificateChain(alias);
+ if (chain == null) {
+ alias = findAlias(keyManager, certificate);
+ chain = keyManager.getCertificateChain(alias);
+ }
PrivateKey key = keyManager.getPrivateKey(alias);
StringBuilder sb = new StringBuilder(BEGIN_KEY);
sb.append(Base64.getMimeEncoder(64, new byte[]
{'\n'}).encodeToString(key.getEncoded()));
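Review bot: The fallback on the added lines leaves `alias` unchecked: `findAlias` returns null when no candidate key type yields an alias, and then `getCertificateChain(null)`, `getPrivateKey(null)` and the `key.getEncoded()` call two lines below fail with a NullPointerException instead of a clear configuration error. A missing server certificate should be reported explicitly at this point, e.g. after the fallback `if (chain == null) { throw new IllegalArgumentException("No server certificate found for alias [" + alias + "] in the configured keystore"); }` (or the equivalent `sm.getString` message, since the class already imports StringManager). The enclosing method starts and ends outside the hunk.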
@@ -333,6 +340,33 @@ public class OpenSSLContext implements o
}
}
+ /*
+ * Find a valid alias when none was specified in the config.
+ */
+ private static String findAlias(X509KeyManager keyManager,
+ SSLHostConfigCertificate certificate) {
+
+ Type type = certificate.getType();
+ String result = null;
+
+ List<Type> candidiateTypes = new ArrayList<>();
+ if (Type.UNDEFINED.equals(type)) {
+ // Try all types to find an suitable alias
+ candidiateTypes.addAll(Arrays.asList(Type.values()));
+ candidiateTypes.remove(Type.UNDEFINED);
+ } else {
+ // Look for the specific type to find a suitable alias
+ candidiateTypes.add(type);
+ }
+
+ Iterator<Type> iter = candidiateTypes.iterator();
+ while (result == null && iter.hasNext()) {
+ result = keyManager.chooseServerAlias(iter.next().toString(),
null, null);
+ }
+
+ return result;
+ }
+
private static X509KeyManager chooseKeyManager(KeyManager[] managers)
throws Exception {
for (KeyManager manager : managers) {
if (manager instanceof JSSEKeyManager) {
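Review bot: `findAlias` returns null when `chooseServerAlias` yields nothing for every candidate type, but the block comment does not say so and is not Javadoc; `/** Finds an alias when none was configured. @return the chosen alias, or {@code null} if the key manager offers none for the candidate type(s) */` would make the contract visible to the caller. When the configured type is UNDEFINED, the first constant in `Type.values()` declaration order that has any alias wins, so which certificate ends up served depends on enum order rather than configuration — that deserves a comment since the result is security-relevant. The local `candidiateTypes` is misspelled (`candidateTypes`), and the add-all-then-remove could be `new ArrayList<>(EnumSet.complementOf(EnumSet.of(Type.UNDEFINED)))` if `java.util.EnumSet` is imported. The lookup also presumably relies on `Type.toString()` matching the key-type strings the JSSE key manager expects for each constant — confirm.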
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1772802&r1=1772801&r2=1772802&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Dec 5 20:56:57 2016
@@ -45,6 +45,15 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 9.0.0.M16 (markt)" rtext="in development">
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Expand the search process for a server certificate when OpenSSL is used
+ with a JSSE connector and an explicit alias has not been configured.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 9.0.0.M15 (markt)" rtext="release in progress">
<subsection name="Other">