This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 8e1dcfe9c5 Fix BZ 66635 Correctly log PEM based keys/certificates
8e1dcfe9c5 is described below
commit 8e1dcfe9c5d7bdab8679e45ce684cc8e6dcb7d58
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 13 17:18:52 2023 +0100
Fix BZ 66635 Correctly log PEM based keys/certificates
https://bz.apache.org/bugzilla/show_bug.cgi?id=66635
---
.../apache/tomcat/util/net/AbstractEndpoint.java | 25 +++++++++++++++-------
.../apache/tomcat/util/net/LocalStrings.properties | 4 +++-
.../tomcat/util/net/LocalStrings_fr.properties | 3 ++-
.../tomcat/util/net/LocalStrings_ja.properties | 1 -
.../tomcat/util/net/SSLHostConfigCertificate.java | 17 +++++++++------
webapps/docs/changelog.xml | 6 ++++++
6 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 89739fa2c6..ee704bd1f3 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -50,6 +50,7 @@ import org.apache.tomcat.util.buf.HexUtils;
 import org.apache.tomcat.util.collections.SynchronizedStack;
 import org.apache.tomcat.util.modeler.Registry;
 import org.apache.tomcat.util.net.Acceptor.AcceptorState;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate.StoreType;
 import org.apache.tomcat.util.res.StringManager;
 import org.apache.tomcat.util.threads.LimitLatch;
 import org.apache.tomcat.util.threads.ResizableExecutor;
@@ -374,14 +375,22 @@ public abstract class AbstractEndpoint<S,U> {
 protected void logCertificate(SSLHostConfigCertificate certificate) {
 SSLHostConfig sslHostConfig = certificate.getSSLHostConfig();
 
- String certificateSource = certificate.getCertificateKeystoreFile();
- if (certificateSource == null) {
- certificateSource = certificate.getCertificateKeyFile();
- }
+ String certificateInfo;
 
- String keyAlias = certificate.getCertificateKeyAlias();
- if (keyAlias == null) {
- keyAlias = SSLUtilBase.DEFAULT_KEY_ALIAS;
+ if (certificate.getStoreType() == StoreType.PEM) {
+ // PEM file based
+ String keySource = certificate.getCertificateKeystoreFile();
+ keySource = certificate.getCertificateKeyFile();
+ certificateInfo = sm.getString("endpoint.tls.info.cert.pem", keySource, certificate.getCertificateFile(),
+ certificate.getCertificateChainFile());
+ } else {
+ // Keystore based
+ String keyStore = certificate.getCertificateKeystoreFile();
+ String keyAlias = certificate.getCertificateKeyAlias();
+ if (keyAlias == null) {
+ keyAlias = SSLUtilBase.DEFAULT_KEY_ALIAS;
+ }
+ certificateInfo = sm.getString("endpoint.tls.info.cert.keystore", keyStore, keyAlias);
 }
 
 String trustStoreSource = sslHostConfig.getTruststoreFile();
@@ -393,7 +402,7 @@ public abstract class AbstractEndpoint<S,U> {
 }
 
 getLogCertificate().info(sm.getString("endpoint.tls.info", getName(), sslHostConfig.getHostName(),
- certificate.getType(), certificateSource, keyAlias, trustStoreSource));
+ certificate.getType(), certificateInfo, trustStoreSource));
 
 if (getLogCertificate().isDebugEnabled()) {
 String alias = certificate.getCertificateKeyAlias();
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index 6b466f3078..5b1affe783 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
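Review bot: In the PEM branch of logCertificate, `String keySource = certificate.getCertificateKeystoreFile();` is a dead store that the very next line `keySource = certificate.getCertificateKeyFile();` overwrites, so the keystore path is read for nothing and a reader may assume it is a fallback. Collapse the two lines into `String keySource = certificate.getCertificateKeyFile();`; SpotBugs (DLS_DEAD_LOCAL_STORE) would flag the current form. If getStoreType() can be non-PEM for a certificate that has no keystore file configured (not visible from here), the keystore branch would log `keystore [null]` where the old code fell back to the key file, which is worth confirming. logCertificate continues past the hunk with the trust-store and debug fingerprint logging.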
@@ -130,7 +130,9 @@ endpoint.socketOptionsError=Error setting socket options
 endpoint.timeout.err=Error processing socket timeout
 endpoint.tls.cert.encodingError=Certificate fingerprints not available
 endpoint.tls.cert.noCerts=Certificate details not available as the certificate chain returned from the SSLContext was empty
-endpoint.tls.info=Connector [{0}], TLS virtual host [{1}], certificate type [{2}] configured from [{3}] using alias [{4}] and with trust store [{5}]
+endpoint.tls.info=Connector [{0}], TLS virtual host [{1}], certificate type [{2}] configured from {3} with trust store [{4}]
+endpoint.tls.info.cert.pem=key [{0}], certificate [{1}] and certificate chain [{2}]
+endpoint.tls.info.cert.keystore=keystore [{0}] using alias [{1}]
 endpoint.unknownSslHostName=The SSL host name [{0}] is not recognised for this endpoint
 endpoint.warn.executorShutdown=The executor associated with thread pool [{0}] has not fully shutdown. Some application threads may still be running.
 endpoint.warn.incorrectConnectionCount=Incorrect connection count, multiple calls to socket.close for the same socket.
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_fr.properties b/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
index f9cc05150a..07822afba9 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_fr.properties
@@ -126,7 +126,8 @@ endpoint.socketOptionsError=Erreur en définissant les options du socket
 endpoint.timeout.err=Erreur en traitant le dépassement de temps d'attente du socket
 endpoint.tls.cert.encodingError=Les empreintes du certificat ne sont pas disponibles
 endpoint.tls.cert.noCerts=Les détails du certificat ne sont pas disponibles car la chaîne de certificats retournée par le SSLContext est vide
-endpoint.tls.info=Connecteur [{0}], hôte virtuel TLS [{1}], type de certificat [{2}] configuré depuis [{3}] avec l''alias [{4}] et la trust store [{5}]
+endpoint.tls.info=Connecteur [{0}], hôte virtuel TLS [{1}], type de certificat [{2}] configuré depuis {3} et la trust store [{4}]
+endpoint.tls.info.cert.keystore=[{0}] avec l''alias [{1}]
 endpoint.unknownSslHostName=Le nom d''hôte SSL [{0}] n''est pas reconnu pour cette terminaison
 endpoint.warn.executorShutdown=L''exécuteur associé au pool de threads [{0}] n''est pas complètement arrêté, certains threads d''application peuvent toujours être en cours d''exécution
 endpoint.warn.incorrectConnectionCount=Le décompte du nombre de connections est incorrect, la méthode de fermeture d'un même socket a été appelée plusieurs fois
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
index 80c292074f..313b55fad9 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
@@ -126,7 +126,6 @@ endpoint.socketOptionsError=ソケットオプション設定中のエラー
 endpoint.timeout.err=ソケットタイムアウト処理中のエラー
 endpoint.tls.cert.encodingError=証明書のフィンガープリントが利用できません
 endpoint.tls.cert.noCerts=SSLContext から返された証明書チェーンが空だったため、証明書の詳細を利用できません
-endpoint.tls.info=コネクタ [{0}]、TLS 仮想ホスト [{1}]、証明書タイプ [{2}] は、エイリアス [{4}] を使用し、トラスト ストア [{5}] を使用して [{3}] から構成されました
 endpoint.unknownSslHostName=SSL ホスト名 [{0}] はこのエンドポイントから認識されていません。
 endpoint.warn.executorShutdown=スレッドプール [{0}] と関連付けられたエグゼキューターは完全に停止できませんでした。いくつかのアプリケーションスレッドはまだ動作し続けている可能性があります。
 endpoint.warn.incorrectConnectionCount=不正なコネクション数。複数のsocket.closeが同じソケットで呼び出されました。
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
index d1f4cc4a25..0ef6ca0a7d 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
@@ -40,10 +40,10 @@ public class SSLHostConfigCertificate implements Serializable {
 
 public static final Type DEFAULT_TYPE = Type.UNDEFINED;
 
- static final String DEFAULT_KEYSTORE_PROVIDER =
- System.getProperty("javax.net.ssl.keyStoreProvider");
- static final String DEFAULT_KEYSTORE_TYPE =
- System.getProperty("javax.net.ssl.keyStoreType", "JKS");
+ static final String DEFAULT_KEYSTORE_PROVIDER = System.getProperty("javax.net.ssl.keyStoreProvider");
+ static final String DEFAULT_KEYSTORE_TYPE = System.getProperty("javax.net.ssl.keyStoreType", "JKS");
+ private static final String DEFAULT_KEYSTORE_FILE = System.getProperty("user.home")+"/.keystore";
+ private static final String DEFAULT_KEYSTORE_PASSWORD = "changeit";
 
 // Internal
 private ObjectName oname;
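Review bot: The new `DEFAULT_KEYSTORE_FILE` line in SSLHostConfigCertificate omits the spaces around `+` that the neighbouring constant declarations use; write it as `System.getProperty("user.home") + "/.keystore"`. The four defaults would also read better with a one-line comment stating where they come from, for example `// Defaults follow the JSSE system properties and keytool's conventions (~/.keystore, password "changeit")`, so the next reader does not have to guess why a password literal lives here. This only moves values the field initialisers already used in the old code, so no behaviour changes.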
@@ -60,8 +60,8 @@ public class SSLHostConfigCertificate implements Serializable {
 
 // JSSE
 private String certificateKeyAlias;
- private String certificateKeystorePassword = "changeit";
- private String certificateKeystoreFile = System.getProperty("user.home")+"/.keystore";
+ private String certificateKeystorePassword = DEFAULT_KEYSTORE_PASSWORD;
+ private String certificateKeystoreFile = DEFAULT_KEYSTORE_FILE;
 private String certificateKeystoreProvider = DEFAULT_KEYSTORE_PROVIDER;
 private String certificateKeystoreType = DEFAULT_KEYSTORE_TYPE;
 private transient KeyStore certificateKeystore = null;
@@ -267,7 +267,10 @@ public class SSLHostConfigCertificate implements Serializable {
 }
 }
 
- // Nested types
+ StoreType getStoreType() {
+ return storeType;
+ }
+
 
 public enum Type {
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 01f022789f..e532d18f2d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -127,6 +127,12 @@
 original content rather than reflecting the most recent conversion.
 (markt)
 </fix>
+ <fix>
+ <bug>66635</bug>: Correct certificate logging on start-up so it
+ differentiates between keystore based keys/certificates and PEM file
+ based keys/certificates and logs the relevant information for each.
+ (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="WebSocket">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
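Review bot: The new `getStoreType()` accessor in SSLHostConfigCertificate has no Javadoc, and the `// Nested types` section marker it replaces is dropped rather than moved, so `public enum Type` now follows an accessor with nothing announcing the nested-type section. Add a short Javadoc along the lines of `/** @return the {@link StoreType} this certificate is configured from (PEM files or a keystore); used by the endpoint's start-up certificate logging */` and keep `// Nested types` on the line before the enum. Package-private visibility looks right since the only visible caller, AbstractEndpoint, is in the same package; how and when `storeType` is assigned is outside the hunk, so the Javadoc should not claim more than that.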