https://bz.apache.org/bugzilla/show_bug.cgi?id=66089

            Bug ID: 66089
           Summary: Tomcat 9.0.63 won't start when used with a SSL
                    certificate containing a RSA Private Key
           Product: Tomcat 9
           Version: 9.0.63
          Hardware: All
                OS: All
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Util
          Assignee: dev@tomcat.apache.org
          Reporter: d...@mitre.org
  Target Milestone: -----

Our tomcat 9 server has an existing SSL certificate (Entrust CA) which contains
an RSA Private Key. This SSL certificate worked fine when run with Tomcat 9.0.62
but won't work when Tomcat 9.0.63 is installed. I show the stack trace at the
end of this message.

Note that this only happens when starting the service with an SSL certificate
that contains an RSA Private Key. We've tested on other tomcat servers that have
an SSL certificate that contains a Private Key, and in this case tomcat 9.0.63
starts up fine.

I compared Tomcat source 9.0.62 vs. 9.0.63 and it looks like there is a bug in
org/apache/tomcat/util/net/jsse/PEMFile.java:

- in tomcat 9.0.62 in PEMFile.java, on line 132, case `Part.RSA_PRIVATE_KEY`,
  the private key is constructed with this statement:
        privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1);

- in tomcat 9.0.63 in PEMFile.java, on line 146, case `Part.RSA_PRIVATE_KEY`,
  the private key is constructed with this statement:
        privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1);

Since our RSA private key doesn't have a password, passing password=null is the
correct option.

The Tomcat 9.0.63 stack trace when starting with an SSL certificate that
contains an RSA Private Key is shown here:


16-May-2022 18:52:30.849 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
        org.apache.catalina.LifecycleException: Protocol handler initialization failed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
        Caused by: java.lang.IllegalArgumentException: overrun, bytes = 924
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
                at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234)
                at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
                at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
                at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
                at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
                ... 13 more
        Caused by: java.io.IOException: overrun, bytes = 924
                at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
                at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:204)
                at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:146)
                at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:98)
                at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:316)
                at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
                ... 20 more

Tomcat build information is here:

16-May-2022 18:52:30.473 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.63
16-May-2022 18:52:30.477 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          May 11 2022 07:52:11 UTC
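A worked illustration of the point the report makes, added here as an example and not part of the bug report or of Tomcat's code: a small Python PEM loader that decides how to decode a private-key block from its PEM label and RFC 1421 headers, not from whether a keystore password happens to be configured. The DER bodies are hand-built stand-ins that only copy the ASN.1 shape of each format (constructed, not real keys). `is_encrypted_pkcs8` shows why handing a plain PKCS#1 `RSA PRIVATE KEY` body to an EncryptedPrivateKeyInfo parser cannot succeed: its first element is an INTEGER, not the AlgorithmIdentifier SEQUENCE the parser expects. The routing rules and function names are my own assumptions, not Tomcat's API.

```python
import base64
import re

# --- constructed sample material (not real keys; only the ASN.1 shape matters) ---

def _der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _pem(label, der_bytes, headers=()):
    """Wrap DER in a PEM block, optionally with RFC 1421 headers (Proc-Type, DEK-Info)."""
    body = base64.encodebytes(der_bytes).decode().replace("\n", "")
    lines = [f"-----BEGIN {label}-----"] + [f"{k}: {v}" for k, v in headers]
    if headers:
        lines.append("")  # blank line separates headers from the base64 body
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(lines + [f"-----END {label}-----"]) + "\n"

# PKCS#1 RSAPrivateKey shape: SEQUENCE { INTEGER version(0), INTEGER n, INTEGER e, INTEGER d ... }
FAKE_PKCS1 = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x00\xc3" + b"\x11" * 31)
                  + _der(0x02, b"\x01\x00\x01") + _der(0x02, b"\x22" * 32))
# PKCS#8 EncryptedPrivateKeyInfo shape: SEQUENCE { AlgorithmIdentifier, OCTET STRING }
PBES2_OID = bytes.fromhex("2a864886f70d01050d")  # 1.2.840.113549.1.5.13 (PBES2)
FAKE_PKCS8_ENC = _der(0x30, _der(0x30, _der(0x06, PBES2_OID) + _der(0x30, b""))
                      + _der(0x04, b"\x33" * 16))

SAMPLE_PKCS1_PEM = _pem("RSA PRIVATE KEY", FAKE_PKCS1)
SAMPLE_PKCS8_ENC_PEM = _pem("ENCRYPTED PRIVATE KEY", FAKE_PKCS8_ENC)
# Legacy OpenSSL-style encrypted PKCS#1: body is ciphertext, so placeholder bytes stand in.
SAMPLE_PKCS1_LEGACY_PEM = _pem("RSA PRIVATE KEY", b"\x44" * 32,
                               [("Proc-Type", "4,ENCRYPTED"),
                                ("DEK-Info", "AES-128-CBC,00112233445566778899AABBCCDDEEFF")])

# --- PEM and minimal DER parsing ---

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def parse_pem(text):
    """Yield (label, headers, der) for every PEM block in text."""
    for m in PEM_BLOCK.finditer(text):
        headers, b64 = {}, []
        for line in m.group(2).splitlines():
            line = line.strip()
            if ":" in line:                      # base64 never contains ':'
                k, v = line.split(":", 1)
                headers[k.strip()] = v.strip()
            elif line:
                b64.append(line)
        yield m.group(1), headers, base64.b64decode("".join(b64))

def der_read(buf, pos=0):
    """Read one TLV at pos -> (tag, value, next_pos); ValueError when a length overruns the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("overrun, bytes = 2")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError(f"overrun, bytes = {n}")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError(f"overrun, bytes = {length}")
    return tag, buf[pos:pos + length], pos + length

def der_children(seq_value):
    """Split the content of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = der_read(seq_value, pos)
        out.append((tag, val))
    return out

def is_encrypted_pkcs8(der):
    """True iff der has the EncryptedPrivateKeyInfo shape (SEQ { SEQ { OID ... }, OCTET STRING })."""
    try:
        tag, val, end = der_read(der)
        if tag != 0x30 or end != len(der):
            return False
        kids = der_children(val)
        if len(kids) != 2 or kids[0][0] != 0x30 or kids[1][0] != 0x04:
            return False
        alg = der_children(kids[0][1])
        return bool(alg) and alg[0][0] == 0x06
    except ValueError:
        return False

def is_pkcs1_rsa(der):
    """True iff der has the RSAPrivateKey shape: SEQUENCE of INTEGERs starting with version 0."""
    try:
        tag, val, end = der_read(der)
        if tag != 0x30 or end != len(der):
            return False
        kids = der_children(val)
        return len(kids) >= 3 and all(t == 0x02 for t, _ in kids) and kids[0][1] == b"\x00"
    except ValueError:
        return False

def choose_key_path(label, headers, der, password):
    """Pick the decoding path from label/headers; a configured password never changes the format."""
    if label == "ENCRYPTED PRIVATE KEY":
        if password is None:
            raise ValueError("ENCRYPTED PRIVATE KEY requires a password")
        if not is_encrypted_pkcs8(der):
            raise ValueError("body is not an EncryptedPrivateKeyInfo")
        return "pkcs8-encrypted"
    if label == "PRIVATE KEY":
        return "pkcs8"
    if label == "RSA PRIVATE KEY":
        if "DEK-Info" in headers:                # legacy PEM encryption is signalled by headers
            if password is None:
                raise ValueError("DEK-Info block requires a password")
            return "pkcs1-legacy-encrypted"
        if not is_pkcs1_rsa(der):
            raise ValueError("body is not an RSAPrivateKey")
        return "pkcs1"                           # plain PKCS#1: decode with no password, as 9.0.62 did
    raise ValueError(f"unsupported PEM label {label!r}")

def load_keys(text, password=None):
    """Return [(label, path)] for each private-key block found in text."""
    return [(label, choose_key_path(label, hdrs, der, password))
            for label, hdrs, der in parse_pem(text)]

if __name__ == "__main__":
    combined = SAMPLE_PKCS1_PEM + SAMPLE_PKCS8_ENC_PEM + SAMPLE_PKCS1_LEGACY_PEM
    for label, path in load_keys(combined, password="configured-password"):
        print(f"{label:24s} -> {path}")
```

Run stand-alone it prints one routing decision per block; the plain `RSA PRIVATE KEY` block is routed to the PKCS#1 path even though a password is configured, which is exactly the case the report says regressed between 9.0.62 and 9.0.63.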
