This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push: new 739d2e6 Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=64614 739d2e6 is described below commit 739d2e6a1d81bdc34dd6b3db70b4913f782cdaf2 Author: Jean-Frederic Clere <jfcl...@gmail.com> AuthorDate: Thu Aug 6 18:56:21 2020 +0200 Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=64614 Don't wrap FIPS keystores --- java/org/apache/tomcat/util/net/LocalStrings.properties | 1 + java/org/apache/tomcat/util/net/SSLUtilBase.java | 11 ++++++++++- webapps/docs/changelog.xml | 6 ++++++ 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index 350d6b0..e2a16b9 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -176,3 +176,4 @@ sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This protocol is known to be
 sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted certificate with alias [{0}] were not checked as the certificate was of an unknown type
 sslUtilBase.trustedCertNotValid=The trusted certificate with alias [{0}] and DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted certificate WILL be accepted
+sslUtilBase.alias_ignored=FIPS enabled so alias name [{0}] will be ignored. If there is more than one key in the key store, the key used will depend on the key store implementation
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index dd5f99a..143b2d2 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -296,6 +296,16 @@ public abstract class SSLUtilBase implements SSLUtil {
 char[] keyPassArray = keyPass.toCharArray();
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
+ if (kmf.getProvider().getInfo().indexOf("FIPS") != -1) {
+ // FIPS doesn't like ANY wrapping nor key manipulation.
+ if (keyAlias != null) {
+ log.warn(sm.getString("sslUtilBase.alias_ignored", keyAlias));
+ }
+ kmf.init(ksUsed, keyPassArray);
+ return kmf.getKeyManagers();
+ }
+
 if (ks == null) {
 if (certificate.getCertificateFile() == null) {
 throw new IOException(sm.getString("sslUtilBase.noCertFile"));
@@ -358,7 +368,6 @@ public abstract class SSLUtilBase implements SSLUtil {
 }
- KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
 kmf.init(ksUsed, keyPassArray);
 KeyManager[] kms = kmf.getKeyManagers();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f55163a..3a37a26 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -143,6 +143,12 @@ (markt) </fix> <fix> + <bug>64614</bug>: Improve compatibility with FIPS keystores. When a FIPS + keystore is configured and the keystore contains multiple keys, the + alias attribute will be ignored and the key used will be implementation + dependent. (jfclere) + </fix> + <fix> <bug>64621</bug>: Improve handling HTTP/2 stream reset frames received from clients. (markt) </fix> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
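Review bot: The new FIPS early return sits before the `if (ks == null)` branch that follows it in the hunk, so when no keystore is configured and certificates come from files, `kmf.init(ksUsed, keyPassArray)` is called with whatever `ksUsed` holds at that point; if it is still null there (its assignment is not visible in this hunk), the factory is initialised without the configured certificate and the misconfiguration only shows up later, if at all. Either move the FIPS branch below the point where the in-memory keystore is built, or fail fast inside it with a clear message when `ksUsed == null` so the operator sees the problem at startup. The detection `kmf.getProvider().getInfo().indexOf("FIPS") != -1` is a substring test on free-form provider text, so a comment should record that it is a heuristic, e.g. `// Heuristic: provider info text is not a stable API; a FIPS provider whose info omits "FIPS" falls through to the non-FIPS path below`, and `contains("FIPS")` reads better than `indexOf(...) != -1`. The enclosing method starts and ends outside both hunks.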