This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push: new 39c4f5ee74 Fix regression that broke support for unencrypted PKCS#1 keys 39c4f5ee74 is described below commit 39c4f5ee7412550a44ffe694f0bf2e3efa091212 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu May 26 08:18:01 2022 +0100 Fix regression that broke support for unencrypted PKCS#1 keys --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 8 +++++++- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 6 ++++++ webapps/docs/changelog.xml | 5 +++++ 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 80c585d3b8..03abf596d7 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -143,7 +143,13 @@ public class PEMFile {
 privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8);
 break;
 case Part.RSA_PRIVATE_KEY:
- privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1);
+ if (part.algorithm == null) {
+ // If no encryption algorithm was detected, ignore any
+ // (probably default) key password provided.
+ privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1);
+ } else {
+ privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1);
+ }
 break;
 case Part.CERTIFICATE:
 case Part.X509_CERTIFICATE:
diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java
index 7adba1d6ab..2ee54e26e1 100644
--- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java
+++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java
@@ -40,6 +40,12 @@ public class TestPEMFile { } + @Test + public void testKeyPkcs1WithUnnecessaryPassword() throws Exception { + testKey(KEY_PKCS1, "ignore-me"); + } + + @Test public void testKeyEncryptedPkcs1DesEde3Cbc() throws Exception { testKeyEncrypted(KEY_ENCRYPTED_PKCS1_DES_EDE3_CBC);
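Review bot: In the new `part.algorithm == null` branch a supplied key password is discarded with no signal, so an operator who configured a password believing the PKCS#1 key is encrypted at rest never learns that the file holds a plaintext private key. Because the comment notes the password is "probably default", a debug-level log message in that branch when `password != null` would surface the condition without adding noise for default configurations. The comment could also say where the field comes from, for example `// algorithm is only set when the PEM part carried an encryption header (presumably DEK-Info; confirm in Part parsing)`. The enclosing switch and method start and end outside the hunk, so how `algorithm` is populated is inferred rather than visible here.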
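Review bot: `testKeyPkcs1WithUnnecessaryPassword` pins only the case the fix enables; no counterpart is visible that asserts an encrypted PKCS#1 key is still rejected when the password is missing or wrong, which is the behaviour the new branch in PEMFile must not weaken. If TestPEMFile does not already cover this outside the hunk, add a test that loads `KEY_ENCRYPTED_PKCS1_DES_EDE3_CBC` with a null password and expects the load to fail. A one-line comment on the new test, such as `// Unencrypted key: a supplied password must be ignored, not applied`, would record why the password argument is there.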
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index bf63f17215..299e68b331 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -137,6 +137,11 @@ <bug>66084</bug>: Correctly calculate bytes written to a response. Pull request <pr>516</pr> provided by aooohan HanLi. (markt) </fix> + <add> + Correct a regression in the support added for encrypted PKCS#1 formatted + private keys in the previous release that broke support for unencrypted + PKCS#1 formatted private keys. (jfclere/markt) + </add> </changelog> </subsection> <subsection name="Jasper"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org