This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new d64e92c8df Port Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
d64e92c8df is described below
commit d64e92c8df04e2c9fec9a9d53ffb685903d7268c
Author: remm <r...@apache.org>
AuthorDate: Wed Oct 25 00:17:58 2023 +0200
Port Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
---
 .../tomcat/util/net/openssl/panama/OpenSSLContext.java | 7 ++++---
 .../apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java | 13 ++++++++++++-
 .../tomcat/util/net/openssl/panama/LocalStrings.properties | 1 +
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index da8c8e1046..65de58247e 100644
--- a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -575,9 +575,10 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 }
 }
- if (certificate.getCertificateFile() == null) {
- certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
- }
+ // If there is no certificate file must be using a KeyStore so a KeyManager is required.
+ // If there is a certificate file a KeyManager is helpful but not strictly necessary.
+ certificate.setCertificateKeyManager(
+ OpenSSLUtil.chooseKeyManager(kms, certificate.getCertificateFile() == null));
 success = addCertificate(certificate, localArena);
diff --git a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
index 781dd4889a..8891ba839e 100644
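Review bot: `certificate.setCertificateKeyManager(...)` is now called unconditionally, and when a certificate file is configured the second argument is `false`, so `chooseKeyManager` can return `null` (after logging a warning) and the certificate's key manager is explicitly set to `null`; before this change the setter was not called at all in the certificate-file case. Whether assigning `null` is equivalent to leaving the field untouched depends on `certificate`'s `setCertificateKeyManager`, which is outside this hunk, and is worth confirming for the reload path named in the commit title. The comment above the call drops its subject and would read better as `// If there is no certificate file, the configuration must be using a KeyStore, so a KeyManager is required.` followed by a line stating that a `null` result means the certificate is served by OpenSSL but is not visible to Tomcat's management/monitoring, as the new LocalStrings warning says. The enclosing method starts and ends outside the hunk.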
--- a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
+++ b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
@@ -74,7 +74,13 @@ public class OpenSSLUtil extends SSLUtilBase {
 }
+ @Deprecated
 public static X509KeyManager chooseKeyManager(KeyManager[] managers) throws Exception {
+ return chooseKeyManager(managers, true);
+ }
+
+
+ public static X509KeyManager chooseKeyManager(KeyManager[] managers, boolean throwOnMissing) throws Exception {
 if (managers == null) {
 return null;
 }
@@ -88,7 +94,12 @@ public class OpenSSLUtil extends SSLUtilBase {
 return (X509KeyManager) manager;
 }
 }
- throw new IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+ if (throwOnMissing) {
+ throw new IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+ }
+
+ log.warn(sm.getString("openssl.keyManagerMissing.warn"));
+ return null;
 }
diff --git a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index 720877ef78..3b6ab4c80d 100644
--- a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++ b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
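Review bot: Neither `chooseKeyManager` overload documents the new `throwOnMissing` contract: the two-argument method in the `@@ -74,7` hunk returns `null` when `managers` is `null`, and in the `@@ -88,7` hunk it also returns `null` when no `X509KeyManager` is present and `throwOnMissing` is `false`, so a caller cannot distinguish the two cases from the return value. Add Javadoc to the two-argument method with a `@param throwOnMissing` line explaining that `true` raises `IllegalStateException` when no `X509KeyManager` is found while `false` logs `openssl.keyManagerMissing.warn` and returns `null`, plus an `@return` line listing both `null` cases. The deprecated one-argument overload should carry a `@deprecated` Javadoc tag pointing to `chooseKeyManager(KeyManager[], boolean)` so the replacement is discoverable. The warning logged in the second hunk carries no identifier for the affected certificate, so with several certificates on one host an operator cannot tell which one is left unmonitored; since this method has no certificate context, the caller in OpenSSLContext is the natural place to log that detail.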
@@ -57,6 +57,7 @@ openssl.errorLoadingCertificateRevocationList=Error loading certificate revocati
 openssl.errorPrivateKeyCheck=Private key does not match the certificate public key: [{0}]
 openssl.errorSSLCtxInit=Error initializing SSL context
 openssl.keyManagerMissing=No key manager found
+openssl.keyManagerMissing.warn=No key manager found. TLS will work but the certificate will not be visible to Tomcat so management/monitoring features will not work for this certificate
 openssl.makeConf=Creating OpenSSLConf context
 openssl.noCACerts=No CA certificates were configured
 openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}] could not be processed using a JSSE key manager and will be given directly to OpenSSL
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org