https://bz.apache.org/bugzilla/show_bug.cgi?id=61450

            Bug ID: 61450
           Summary: issue when certificateKeyAlias is not set
           Product: Tomcat 8
           Version: 8.5.20
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Util
          Assignee: dev@tomcat.apache.org
          Reporter: je...@dreamtsoft.com
  Target Milestone: ----

We use tomcat-embed and we have a test that is breaking with an upgrade from
8.5.12 to 8.5.20; it seems to be because we do not set the certificateKeyAlias
when we configure an SSLHostConfigCertificate.

The documentation for certificateKeyAlias states "If not specified, the first
key read from the keystore will be used."

It seems that the first alias is being used and there is no check that it
references a key.

The result is that in JSSEUtil.getKeyManagers there is a call to
KeyStore.getKey(keyAlias, keyPassArray) where keyAlias is actually an alias for
a certificate, which leads to inMemoryKeyStore.setKeyEntry being passed null
for the Key argument and eventually a KeyStoreException("Cannot store
non-PrivateKeys").

This worked previously with certificateKeyAlias being null. I can confirm that
this works just fine if I set it to the alias used when creating the KeyStore,
but I would rather not pass that alias around our code when I did not
previously need to.

We have worked around the issue with a "getFirstKeyAlias" method that we use to
set the certificateKeyAlias in our SSLHostConfigCertificate:

   /** Returns the first alias that is a key entry, or null if there is none. */
   private String getFirstKeyAlias(KeyStore keyStore) {
      try {
         Enumeration<String> aliases = keyStore.aliases();
         while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Skip trusted-certificate entries; only a key entry can back the server certificate.
            if (keyStore.isKeyEntry(alias)) {
               return alias;
            }
         }
      } catch (KeyStoreException e) {
         LOGGER.error("Failed to find first key alias in keystore", e);
      }

      return null;
   }

I think that something like this should go in around line 219 of JSSEUtil,
where currently it looks like this:

                Enumeration<String> aliases = ks.aliases();
                if (!aliases.hasMoreElements()) {
                    throw new IOException(sm.getString("jsse.noKeys"));
                }
                keyAlias = aliases.nextElement();
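
As an added example (not from the bug report and not Tomcat's own code), the
program below reproduces the failure path described above with a constructed
in-memory keystore: one trusted-certificate entry and one private-key entry. It
shows that KeyStore.getKey returns null for the certificate alias, that copying
that null into a JKS keystore fails with "Cannot store non-PrivateKeys", and
that selecting the alias with entryInstanceOf(alias, PrivateKeyEntry.class)
avoids this. That check is slightly tighter than isKeyEntry, which is also true
for secret-key entries in PKCS12 keystores. The StubCertificate class (so the
demo runs without keytool or a real X.509 certificate), the JKS type of the
in-memory store, and all class and method names are my assumptions.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class KeyAliasSelection {

    // Stand-in for an X.509 certificate so the demo runs offline. A JKS keystore
    // accepts any Certificate object for in-memory entries. Demo only, never use
    // something like this in real code.
    static final class StubCertificate extends Certificate {
        StubCertificate() { super("STUB"); }
        @Override public byte[] getEncoded() { return new byte[0]; }
        @Override public void verify(PublicKey key) { }
        @Override public void verify(PublicKey key, String sigProvider) { }
        @Override public String toString() { return "StubCertificate"; }
        @Override public PublicKey getPublicKey() { return null; }
    }

    // The old selection: the first alias, whatever kind of entry it is.
    // (JKS enumeration order is not insertion order, so this may pick either entry.)
    static String firstAlias(KeyStore ks) throws KeyStoreException {
        Enumeration<String> aliases = ks.aliases();
        if (!aliases.hasMoreElements()) {
            throw new KeyStoreException("keystore contains no entries");
        }
        return aliases.nextElement();
    }

    // Tighter selection: skip trusted-certificate entries and secret-key entries
    // (isKeyEntry() is true for both private and secret keys), so the alias
    // returned always has a PrivateKey behind it.
    static String firstPrivateKeyAlias(KeyStore ks) throws KeyStoreException {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                return alias;
            }
        }
        throw new KeyStoreException("keystore contains no private key entry");
    }

    // Mirrors the copy into an in-memory keystore that the report describes
    // (assumed to be JKS, whose setKeyEntry rejects a null key).
    static void copyKeyEntry(KeyStore src, String alias, char[] pass) throws Exception {
        Key key = src.getKey(alias, pass);   // null for a trusted-certificate alias
        KeyStore inMemory = KeyStore.getInstance("JKS");
        inMemory.load(null, null);
        inMemory.setKeyEntry(alias, key, pass, src.getCertificateChain(alias));
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();

        // Constructed keystore: a trusted certificate under "ca", a private key under "server".
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setCertificateEntry("ca", new StubCertificate());
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        ks.setKeyEntry("server", kp.getPrivate(), pass,
                new Certificate[] { new StubCertificate() });

        System.out.println("first alias (old behaviour): " + firstAlias(ks));
        System.out.println("first private-key alias:     " + firstPrivateKeyAlias(ks));

        // The failure path from the report: the trusted-cert alias yields a null key.
        try {
            copyKeyEntry(ks, "ca", pass);
        } catch (KeyStoreException e) {
            System.out.println("copying 'ca' failed: " + e.getMessage());
        }
        copyKeyEntry(ks, firstPrivateKeyAlias(ks), pass);
        System.out.println("copying the private-key alias succeeded");
    }
}
```

To check a real keystore instead of the constructed one, replace the setup in
main with ks.load(new FileInputStream(path), pass) and run firstAlias and
firstPrivateKeyAlias against it: if the two differ, an unset
certificateKeyAlias would select a non-key entry on the affected versions.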
