This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 9a03cbc0c86438979e644942c0443857f37b86c1
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Jul 12 16:18:17 2019 +0100
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 part 1 of 2 Adding a key to the in-memory key store is required for private keys. Improve the handling of the case when it is not present.
---
 .../util/net/openssl/LocalStrings.properties | 1 +
 .../tomcat/util/net/openssl/OpenSSLUtil.java | 22 ++++++++++++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 1dca2b5..eb037b9 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -51,6 +51,7 @@
 openssl.errorSSLCtxInit=Error initializing SSL context
 openssl.keyManagerMissing=No key manager found
 openssl.makeConf=Creating OpenSSLConf context
 openssl.nonJsseCertficate=The certificate [{0}] or its private key [{1}] could not be processed using a JSSE key manager and will be given directly to OpenSSL
+openssl.nonJsseChain=The certificate chain [{0}] was not specified or was not valid and JSSE requires a valid certificate chain so attempting to use OpenSSL directly
 openssl.trustManagerMissing=No trust manager found
 opensslconf.applyCommand=OpenSSLConf applying command (name [{0}], value [{1}])
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index e8f0b9b..fada2ca 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -96,16 +96,26 @@ public class OpenSSLUtil extends SSLUtilBase {
 public KeyManager[] getKeyManagers() throws Exception {
 try {
 return super.getKeyManagers();
+ } catch (IllegalArgumentException e) {
+ // No (or invalid?) certificate chain was provided for the cert
+ String msg = sm.getString("openssl.nonJsseChain", certificate.getCertificateChainFile());
+ if (log.isDebugEnabled()) {
+ log.info(msg, e);
+ } else {
+ log.info(msg);
+ }
+ return null;
 } catch (KeyStoreException | IOException e) {
- // Depending on what is presented, JSSE may throw either of the
- // above exceptions if it doesn't understand the provided file.
+ // Depending on what is presented, JSSE may also throw
+ // KeyStoreException or IOException if it doesn't understand the
+ // provided file.
 if (certificate.getCertificateFile() != null) {
+ String msg = sm.getString("openssl.nonJsseCertficate",
+ certificate.getCertificateFile(), certificate.getCertificateKeyFile());
 if (log.isDebugEnabled()) {
- log.info(sm.getString("openssl.nonJsseCertficate",
- certificate.getCertificateFile(), certificate.getCertificateKeyFile()), e);
+ log.info(msg, e);
 } else {
- log.info(sm.getString("openssl.nonJsseCertficate",
- certificate.getCertificateFile(), certificate.getCertificateKeyFile()));
+ log.info(msg);
 }
 // Assume JSSE processing of the certificate failed, try again with OpenSSL
 // without a key manager
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
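Review bot: The new `catch (IllegalArgumentException e)` drops the key manager (`return null`) for every IllegalArgumentException that `super.getKeyManagers()` raises, without the `certificate.getCertificateFile() != null` guard that the neighbouring KeyStoreException/IOException branch applies, so a keystore-based configuration with no PEM certificate file that fails for an unrelated argument problem would also be handed to OpenSSL with only an info-level message. Mirroring the existing guard at the top of the new block, `if (certificate.getCertificateFile() == null) { throw e; }`, keeps the fallback limited to the missing-chain case the commit targets; the comment's own "(or invalid?)" suggests the exact trigger is not yet pinned down, which is a reason to keep the catch narrow rather than wide. The `isDebugEnabled` log-with-or-without-cause pattern is now duplicated in both catch blocks and could be a small private helper taking the message and the exception. getKeyManagers continues past the end of the hunk, so the final fallback return is not visible here.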