This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new bf7e120 Fix BZ 65767 - add support for certs with PBES2 protected keys
bf7e120 is described below
commit bf7e120b85b6e1c04cf9b46b054538730b56c243
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jan 6 22:58:13 2022 +0000
Fix BZ 65767 - add support for certs with PBES2 protected keys
Based on a PR by xiezhaokun
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 27 +++++++++++++++++++++--
webapps/docs/changelog.xml | 4 ++++
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index ee62c25..ca030cf 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -23,6 +23,7 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
+import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
@@ -60,6 +61,8 @@ public class PEMFile {
private static final byte[] OID_EC_PUBLIC_KEY =
new byte[] { 0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE,
0x3D, 0x02, 0x01 };
+ private static final String OID_PKCS5_PBES2 = "1.2.840.113549.1.5.13";
+
public static String toPEM(X509Certificate certificate) throws
CertificateEncodingException {
StringBuilder result = new StringBuilder();
result.append(Part.BEGIN_BOUNDARY + Part.CERTIFICATE +
Part.FINISH_BOUNDARY);
@@ -181,10 +184,11 @@ public class PEMFile {
}
} else {
EncryptedPrivateKeyInfo privateKeyInfo = new
EncryptedPrivateKeyInfo(decode());
- SecretKeyFactory secretKeyFactory =
SecretKeyFactory.getInstance(privateKeyInfo.getAlgName());
+ String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo);
+ SecretKeyFactory secretKeyFactory =
SecretKeyFactory.getInstance(pbeAlgorithm);
SecretKey secretKey = secretKeyFactory.generateSecret(new
PBEKeySpec(password.toCharArray()));
- Cipher cipher =
Cipher.getInstance(privateKeyInfo.getAlgName());
+ Cipher cipher = Cipher.getInstance(pbeAlgorithm);
cipher.init(Cipher.DECRYPT_MODE, secretKey,
privateKeyInfo.getAlgParameters());
keySpec = privateKeyInfo.getKeySpec(cipher);
@@ -211,6 +215,25 @@ public class PEMFile {
}
+ private String getPBEAlgorithm(EncryptedPrivateKeyInfo privateKeyInfo)
{
+ AlgorithmParameters parameters = privateKeyInfo.getAlgParameters();
+ if (parameters != null &&
OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())) {
+ /*
+ * This should be "PBEWith<prf>And<encryption>".
+ * Relying on the toString() implementation is potentially
+ * fragile but acceptable in this case since the JRE depends on
+ * the toString() implementation as well.
+ * In the future, if necessary, we can parse the value of
+ * paremeters.getEncoded() but the associated complexity and
+ * unlikeliness of the JRE implementation changing means that
+ * Tomcat will use to toString() approach for now.
+ */
+ return parameters.toString();
+ }
+ return privateKeyInfo.getAlgName();
+ }
+
+
/*
* RFC5915: SEQ
* INT value = 1
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7c3de4e..bc9a896 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -197,6 +197,10 @@
Avoid a potential deadlock during the concurrent processing of incoming
HTTP/2 frames for a stream and that stream being reset. (markt)
</fix>
+ <add>
+ <bug>65767</bug>: Add support for certificates that use keys encrypted
+ using PBES2. Based on a pull request provided by xiezhaokun. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
