https://bz.apache.org/bugzilla/show_bug.cgi?id=62507
--- Comment #4 from Andy Wilkinson <awilkin...@pivotal.io> ---
I've built trunk and the DKS keystore is now being handled specially but it doesn't appear to be working correctly:

org.apache.catalina.LifecycleException: Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:960) ~[tomcat-embed-core.jar:9.0.11-dev]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core.jar:9.0.11-dev]
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225) [tomcat-embed-core.jar:9.0.11-dev]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:256) [classes/:na]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:198) [classes/:na]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:300) [classes/:na]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:162) [classes/:na]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:553) [spring-context-5.1.0.BUILD-SNAPSHOT.jar:5.1.0.BUILD-SNAPSHOT]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:140) [classes/:na]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:769) [classes/:na]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:405) [classes/:na]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:334) [classes/:na]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1252) [classes/:na]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1240) [classes/:na]
    at sample.tomcat.ssl.SampleTomcatSslApplication.main(SampleTomcatSslApplication.java:26) [classes/:na]
Caused by: java.lang.IllegalArgumentException: Error setting key entry for 'app1 spring-boot-ssl-sample'
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114) ~[tomcat-embed-core.jar:9.0.11-dev]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85) ~[tomcat-embed-core.jar:9.0.11-dev]
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224) ~[tomcat-embed-core.jar:9.0.11-dev]
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1107) ~[tomcat-embed-core.jar:9.0.11-dev]
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:550) ~[tomcat-embed-core.jar:9.0.11-dev]
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:957) ~[tomcat-embed-core.jar:9.0.11-dev]
    ... 14 common frames omitted
Caused by: java.security.KeyStoreException: Error setting key entry for 'app1 spring-boot-ssl-sample'
    at sun.security.provider.DomainKeyStore.engineSetKeyEntry(DomainKeyStore.java:269) ~[na:1.8.0_151]
    at sun.security.provider.DomainKeyStore$DKS.engineSetKeyEntry(DomainKeyStore.java:68) ~[na:1.8.0_151]
    at java.security.KeyStore.setKeyEntry(KeyStore.java:1140) ~[na:1.8.0_151]
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:257) ~[tomcat-embed-core.jar:9.0.11-dev]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112) ~[tomcat-embed-core.jar:9.0.11-dev]
    ... 19 common frames omitted

This error is occurring because DomainKeyStore$DKS.getKeyStoreForWriting is being called with 'app1 spring-boot-ssl-sample' and returning null. The passed in String is split on space and the first component, app1, is used as the key for a map lookup. The map only contains a single entry with the key iostream1 so it returns null when asked for app1.

The iostream1 entry is written as a result of the ksUsed.load(null, null) call on line 256 of JSSEUtil.getKeyManagers(). Prior to the call to load, the map is empty. By contrast to ksUsed, at this point the map within ks contains a single entry named app1.

In short, it appears that the switch to an in-memory store for a PKCS#8 key does not work. I'm insufficiently experienced with DKS to know if the above is expected behaviour. If it is expected, the diagnostics could be approved as I could only determine the above by stepping through in the debugger.