This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new af56ad1  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
af56ad1 is described below

commit af56ad143d92442835fe8c4d1d65a84d83dbcfc5
Author: Jean-Frederic Clere <jfcl...@gmail.com>
AuthorDate: Thu Aug 6 18:56:21 2020 +0200

    Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
    
    Don't wrap FIPS keystores
---
 java/org/apache/tomcat/util/net/LocalStrings.properties |  1 +
 java/org/apache/tomcat/util/net/SSLUtilBase.java        | 11 ++++++++++-
 webapps/docs/changelog.xml                              |  6 ++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties 
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index c3c54f2..70cad95 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -159,3 +159,4 @@ sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This 
protocol is known to be
 sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support 
authentication after the initial handshake and is therefore incompatible with 
optional client authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted 
certificate with alias [{0}] were not checked as the certificate was of an 
unknown type
 sslUtilBase.trustedCertNotValid=The trusted certificate with alias [{0}] and 
DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted 
certificate WILL be accepted
+sslUtilBase.alias_ignored=FIPS enabled so alias name [{0}] will be ignored. If 
there is more than one key in the key store, the key used will depend on the 
key store implementation
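Review bot: The new key `sslUtilBase.alias_ignored` is the only snake_case key in this hunk; its neighbours (`sslUtilBase.trustedCertNotChecked`, `sslUtilBase.trustedCertNotValid`, `sslUtilBase.tls13.auth`) are camelCase after the class prefix. Renaming it to `sslUtilBase.aliasIgnored` here and in the matching `sm.getString("sslUtilBase.alias_ignored", keyAlias)` call in SSLUtilBase would keep the bundle consistent. The message text itself is fine and correctly tells the operator that the effective key is implementation dependent.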
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java 
b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index 0a829f9..7433ffe 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -295,6 +295,16 @@ public abstract class SSLUtilBase implements SSLUtil {
 
         char[] keyPassArray = keyPass.toCharArray();
 
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
+        if (kmf.getProvider().getInfo().indexOf("FIPS") != -1) {
+            // FIPS doesn't like ANY wrapping nor key manipulation.
+            if (keyAlias != null) {
+                log.warn(sm.getString("sslUtilBase.alias_ignored", keyAlias));
+            }
+            kmf.init(ksUsed, keyPassArray);
+            return kmf.getKeyManagers();
+        }
+
         if (ks == null) {
             if (certificate.getCertificateFile() == null) {
                 throw new IOException(sm.getString("sslUtilBase.noCertFile"));
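Review bot: The FIPS early return at `return kmf.getKeyManagers();` runs before the `if (ks == null)` block that follows it, so when no keystore is configured (the PEM certificateFile path that this block handles) a FIPS provider will hit `kmf.init(ksUsed, keyPassArray)` with whatever `ksUsed` holds at that point — presumably still the null `ks` — instead of reaching the `sslUtilBase.noCertFile` check or the keystore built from the PEM files. Either move the FIPS check below the PEM handling, or guard it with `if (ksUsed != null && kmf.getProvider().getInfo().indexOf("FIPS") != -1) {` so a misconfiguration fails with the existing message rather than with whatever the provider does on a null keystore. The detection itself is a substring match on the provider's info string; `if (kmf.getProvider().getInfo().contains("FIPS"))` reads better, and a comment such as `// Heuristic: no standard API identifies a FIPS provider, so match on the provider info string` would tell the next maintainer why it is done this way. The enclosing getKeyManagers method starts and ends outside this hunk; the second hunk of this file only removes the old `KeyManagerFactory.getInstance` line that this one hoists.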
@@ -358,7 +368,6 @@ public abstract class SSLUtilBase implements SSLUtil {
         }
 
 
-        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
         kmf.init(ksUsed, keyPassArray);
 
         KeyManager[] kms = kmf.getKeyManagers();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2337deb..f9fd67d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -124,6 +124,12 @@
         return value, particularly when end of stream has been reached. (markt)
       </fix>
       <fix>
+        <bug>64614</bug>: Improve compatibility with FIPS keystores. When a 
FIPS
+        keystore is configured and the keystore contains multiple keys, the
+        alias attribute will be ignored and the key used will be implementation
+        dependent. (jfclere)
+      </fix>
+      <fix>
         <bug>64621</bug>: Improve handling HTTP/2 stream reset frames received
         from clients. (markt)
       </fix>

