This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new af56ad1 Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
af56ad1 is described below
commit af56ad143d92442835fe8c4d1d65a84d83dbcfc5
Author: Jean-Frederic Clere <jfcl...@gmail.com>
AuthorDate: Thu Aug 6 18:56:21 2020 +0200
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=64614
Don't wrap FIPS keystores
---
java/org/apache/tomcat/util/net/LocalStrings.properties | 1 +
java/org/apache/tomcat/util/net/SSLUtilBase.java | 11 ++++++++++-
webapps/docs/changelog.xml | 6 ++++++
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index c3c54f2..70cad95 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -159,3 +159,4 @@ sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This
protocol is known to be
sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support
authentication after the initial handshake and is therefore incompatible with
optional client authentication
sslUtilBase.trustedCertNotChecked=The validity dates of the trusted
certificate with alias [{0}] were not checked as the certificate was of an
unknown type
sslUtilBase.trustedCertNotValid=The trusted certificate with alias [{0}] and
DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted
certificate WILL be accepted
+sslUtilBase.alias_ignored=FIPS enabled so alias name [{0}] will be ignored. If
there is more than one key in the key store, the key used will depend on the
key store implementation
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java
b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index 0a829f9..7433ffe 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -295,6 +295,16 @@ public abstract class SSLUtilBase implements SSLUtil {
char[] keyPassArray = keyPass.toCharArray();
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
+ if (kmf.getProvider().getInfo().indexOf("FIPS") != -1) {
+ // FIPS doesn't like ANY wrapping nor key manipulation.
+ if (keyAlias != null) {
+ log.warn(sm.getString("sslUtilBase.alias_ignored", keyAlias));
+ }
+ kmf.init(ksUsed, keyPassArray);
+ return kmf.getKeyManagers();
+ }
+
if (ks == null) {
if (certificate.getCertificateFile() == null) {
throw new IOException(sm.getString("sslUtilBase.noCertFile"));
@@ -358,7 +368,6 @@ public abstract class SSLUtilBase implements SSLUtil {
}
- KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
kmf.init(ksUsed, keyPassArray);
KeyManager[] kms = kmf.getKeyManagers();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2337deb..f9fd67d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -124,6 +124,12 @@
return value, particularly when end of stream has been reached. (markt)
</fix>
<fix>
+ <bug>64614</bug>: Improve compatibility with FIPS keystores. When a
FIPS
+ keystore is configured and the keystore contains multiple keys, the
+ alias attribute will be ignored and the key used will be implementation
+ dependent. (jfclere)
+ </fix>
+ <fix>
<bug>64621</bug>: Improve handling HTTP/2 stream reset frames received
from clients. (markt)
</fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
