This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
     new af56ad1  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
af56ad1 is described below

commit af56ad143d92442835fe8c4d1d65a84d83dbcfc5
Author: Jean-Frederic Clere <jfcl...@gmail.com>
AuthorDate: Thu Aug 6 18:56:21 2020 +0200

    Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=64614

    Don't wrap FIPS keystores
---
 java/org/apache/tomcat/util/net/LocalStrings.properties | 1 +
 java/org/apache/tomcat/util/net/SSLUtilBase.java | 11 ++++++++++-
 webapps/docs/changelog.xml | 6 ++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index c3c54f2..70cad95 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -159,3 +159,4 @@ sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This protocol is known to be
 sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted certificate with alias [{0}] were not checked as the certificate was of an unknown type
 sslUtilBase.trustedCertNotValid=The trusted certificate with alias [{0}] and DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted certificate WILL be accepted
+sslUtilBase.alias_ignored=FIPS enabled so alias name [{0}] will be ignored. If there is more than one key in the key store, the key used will depend on the key store implementation
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index 0a829f9..7433ffe 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -295,6 +295,16 @@ public abstract class SSLUtilBase implements SSLUtil {
 char[] keyPassArray = keyPass.toCharArray();
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
+ if (kmf.getProvider().getInfo().indexOf("FIPS") != -1) {
+ // FIPS doesn't like ANY wrapping nor key manipulation.
+ if (keyAlias != null) {
+ log.warn(sm.getString("sslUtilBase.alias_ignored", keyAlias));
+ }
+ kmf.init(ksUsed, keyPassArray);
+ return kmf.getKeyManagers();
+ }
+
 if (ks == null) {
 if (certificate.getCertificateFile() == null) {
 throw new IOException(sm.getString("sslUtilBase.noCertFile"));
@@ -358,7 +368,6 @@ public abstract class SSLUtilBase implements SSLUtil {
 }
- KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
 kmf.init(ksUsed, keyPassArray);
 KeyManager[] kms = kmf.getKeyManagers();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2337deb..f9fd67d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -124,6 +124,12 @@
 return value, particularly when end of stream has been reached. (markt)
 </fix>
 <fix>
+ <bug>64614</bug>: Improve compatibility with FIPS keystores. When a FIPS
+ keystore is configured and the keystore contains multiple keys, the
+ alias attribute will be ignored and the key used will be implementation
+ dependent. (jfclere)
+ </fix>
+ <fix>
 <bug>64621</bug>: Improve handling HTTP/2 stream reset frames received
 from clients. (markt)
 </fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
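Review bot: The new FIPS early-return runs before the `if (ks == null)` block, so a connector configured with certificate files instead of a keystore no longer reaches the `sslUtilBase.noCertFile` check or the in-memory keystore build when the provider reports FIPS; `ksUsed` is declared outside the hunk, but if it mirrors `ks` at this point the branch calls `kmf.init(ksUsed, keyPassArray)` with a null store and leaves the outcome to the provider. A guard inside the FIPS branch such as `if (ksUsed == null) { throw new IOException(sm.getString("sslUtilBase.noCertFile")); }` would fail at startup with a clear message instead. Detecting FIPS via `kmf.getProvider().getInfo().indexOf("FIPS") != -1` is fragile as well: `getInfo()` is free-form text meant for humans, the match is case-sensitive, and a provider describing itself as "non-FIPS" would also match, so comparing `getProvider().getName()` against known FIPS provider names, or an explicit connector attribute, would make the behaviour predictable, and the comment `// FIPS doesn't like ANY wrapping nor key manipulation.` should say that "wrapping" means the in-memory keystore built below. Any alias validation the remainder of this method performs on `keyAlias` is skipped by this return, so the warning is the operator's only signal; the enclosing method starts and ends outside the hunk.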