Author: markt Date: Wed Jul 11 10:24:02 2018 New Revision: 1835622 URL: http://svn.apache.org/viewvc?rev=1835622&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62526 Correctly handle PKCS12 format key stores when the key store password is configured to be the empty string.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java?rev=1835622&r1=1835621&r2=1835622&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java Wed Jul 11 10:24:02 2018
@@ -133,14 +133,28 @@ public abstract class SSLUtilBase implem
             URI uri = ConfigFileLoader.getURI(path);
             ks.load(new DomainLoadStoreParameter(uri, Collections.emptyMap()));
         } else {
+            // Some key store types (e.g. hardware) expect the InputStream
+            // to be null
             if(!("PKCS11".equalsIgnoreCase(type) || "".equalsIgnoreCase(path)) || "NONE".equalsIgnoreCase(path)) {
                 istream = ConfigFileLoader.getInputStream(path);
             }
+            // The digester cannot differentiate between null and "".
+            // Unfortunately, some key stores behave differently with null
+            // and "".
+            // JKS key stores treat null and "" interchangeably.
+            // PKCS12 key stores (Java 8 onwards) don't return the cert if
+            // null is used.
+            // Key stores that do not use passwords expect null
+            // Therefore:
+            // - generally use null if pass is null or ""
+            // - for JKS or PKCS12 only use null if pass is null
+            (because JKS will auto-switch to PKCS12)
             char[] storePass = null;
-            if (pass != null && !"".equals(pass)) {
+            if (pass != null && (!"".equals(pass) ||
+                    "JKS".equalsIgnoreCase(type) || "PKCS12".equalsIgnoreCase(type))) {
                 storePass = pass.toCharArray();
             }
             ks.load(istream, storePass);
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1835622&r1=1835621&r2=1835622&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Jul 11 10:24:02 2018
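Review bot: The added condition `if (pass != null && (!"".equals(pass) || "JKS".equalsIgnoreCase(type) || "PKCS12".equalsIgnoreCase(type)))` packs the null check, the empty-string rule and the per-type exception into one expression that only the eleven-line comment above it explains; since `pass != null` is already established, `!pass.isEmpty()` reads more directly than `!"".equals(pass)`, and the type test deserves a name, e.g. `boolean emptyPassIsSignificant = "JKS".equalsIgnoreCase(type) || "PKCS12".equalsIgnoreCase(type);`. The comment's statement that PKCS12 stores do not return the cert when null is passed describes provider behaviour, so it should record which JDK releases it was verified against; if I read the JDK providers correctly, passing an explicit (even empty) password also makes `ks.load` verify the store's integrity MAC whereas null skips that check, which is worth stating as a second reason to prefer the explicit form for these two types. As rendered here the continuation line `(because JKS will auto-switch to PKCS12)` has no `//` prefix; if that is not an artefact of the rendering, the file will not compile. The enclosing method begins and ends outside this hunk.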
@@ -105,6 +105,10 @@
         process only to be dropped as stop completes. In this scenario new connections will now be refused immediately. (markt)
       </fix>
+      <fix>
+        <bug>62526</bug>: Correctly handle PKCS12 format key stores when the key
+        store password is configured to be the empty string. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org