OpenSSL security announcement - do we need a Tomcat Native release?
Hi all, OpenSSL have published a security announcement alongside the latest release: https://www.openssl.org/news/secadv/20210824.txt I'm trying to figure out if Tomcat Native is affected by these. For CVE-2021-3711 it isn't clear to me if the issue relates to just stand-alone decryption or if any use of SM2 - including in a TLS cipher - is affected. For CVE-2021-3712 I can't find any references in the Tomcat Native code to any of the functions named as potential ways to construct an ASN1_STRING without the NUL terminators. Can anyone shed more light on CVE-2021-3711? We do have one fix related to building with OpenSSL 3.0.0 so it might be simpler to just do a release anyway. Thoughts? Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
OT: Parsing EC private keys in PEM format
All, I'm trying to do this without looking at the code which is in Tomcat because I'd like to release it separately and not have to worry about figuring out hos to get permission, etc. I'm working on a piece of code which can load the following types of PEM-encoded DER files with private keys in them. Each is a different flavor of terrible. BEGIN PRIVATE KEY (pkcs8, pretty easy) BEGIN RSA PRIVATE KEY (RFC 3447/pkcs1, requires ASN.1) BEGIN RSA PRIVATE KEY (with encryption) BEGIN EC PRIVATE KEY (RFC 5915, requires ASN.1) BEGIN ENCRYPTED PRIVATE KEY (also pkcs8) I have completed the work on these: BEGIN PRIVATE KEY BEGIN RSA PRIVATE KEY BEGIN RSA PRIVATE KEY (with encryption) I'm now working on: BEGIN EC PRIVATE KEY I think I can get everything I need out of the ASN.1 structure of the file, but I'm getting caught up in the Java API for EC crypto. In order to create an RSA private key, one need only assemble the various values required for the RSA key (e, n, etc.) and stick them into an RSAPrivateKeySpec object, then generate the key from the KeySpec. For EC, however, you need what appears to be a whole menagerie of classes, many of which it's not clear how to construct. Is there an easier way to do this? Shortcuts are fine: I'm not married to the idea of manually-parsing the ASN.1 structure and manually-building the Java objects required if the API already supports some sort of shortcut. If there is *not* an easier way to do this, I'm wondering how to construct the following objects. Here is the code I have so far: String algorithm = "EC"; // I know this from the file type byte[] keybytes = ...; // These come from the ASN.1 structure String curveOID = ...; // This comes from the ASN.1 stucture byte[] paramBits = ...; // This also comes from the ASN.1 structure Curve curve = getCurve(curveOID); // I have this, at least for the one curve I'm working with at the moment ECField ecField = ???; // This should be a part of the curve definition? EllipticCurve curve = new EllipticCurve(ecField, curve.getA(), curve.getB()); ECParameterSpec paramSpec = ???; // How to convert paramBits to this? // This is the easy part PrivateKey key = KeyFactory.getInstance(algorithm).generatePrivate(new ECPrivateKeySpec(new BigInteger(keybytes), paramSpec)); Is there a better way to get the curve definition (from e.g. the OID) than manually-building the ECField and EllipticCurve objects? Thanks, -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: OT: Parsing EC private keys in PEM format
On 25/08/2021 15:10, Christopher Schultz wrote: All, I'm trying to do this without looking at the code which is in Tomcat because I'd like to release it separately and not have to worry about figuring out hos to get permission, etc. It is ALv2 so the requirements are pretty minimal. You just need to include a copy of the ALv2, note you based it on Apache Tomcat and don;t use any ASF trademarks in your product name. I'm working on a piece of code which can load the following types of PEM-encoded DER files with private keys in them. Each is a different flavor of terrible. BEGIN PRIVATE KEY (pkcs8, pretty easy) BEGIN RSA PRIVATE KEY (RFC 3447/pkcs1, requires ASN.1) BEGIN RSA PRIVATE KEY (with encryption) BEGIN EC PRIVATE KEY (RFC 5915, requires ASN.1) BEGIN ENCRYPTED PRIVATE KEY (also pkcs8) I have completed the work on these: BEGIN PRIVATE KEY BEGIN RSA PRIVATE KEY BEGIN RSA PRIVATE KEY (with encryption) I'm now working on: BEGIN EC PRIVATE KEY I think I can get everything I need out of the ASN.1 structure of the file, but I'm getting caught up in the Java API for EC crypto. In order to create an RSA private key, one need only assemble the various values required for the RSA key (e, n, etc.) and stick them into an RSAPrivateKeySpec object, then generate the key from the KeySpec. For EC, however, you need what appears to be a whole menagerie of classes, many of which it's not clear how to construct. Is there an easier way to do this? Shortcuts are fine: I'm not married to the idea of manually-parsing the ASN.1 structure and manually-building the Java objects required if the API already supports some sort of shortcut. If there is *not* an easier way to do this, I'm wondering how to construct the following objects. Here is the code I have so far: String algorithm = "EC"; // I know this from the file type byte[] keybytes = ...; // These come from the ASN.1 structure String curveOID = ...; // This comes from the ASN.1 stucture byte[] paramBits = ...; // This also comes from the ASN.1 structure Curve curve = getCurve(curveOID); // I have this, at least for the one curve I'm working with at the moment ECField ecField = ???; // This should be a part of the curve definition? EllipticCurve curve = new EllipticCurve(ecField, curve.getA(), curve.getB()); ECParameterSpec paramSpec = ???; // How to convert paramBits to this? // This is the easy part PrivateKey key = KeyFactory.getInstance(algorithm).generatePrivate(new ECPrivateKeySpec(new BigInteger(keybytes), paramSpec)); Is there a better way to get the curve definition (from e.g. the OID) than manually-building the ECField and EllipticCurve objects? Sorry, I'd have to look at the Tomcat code to answer that. That isn't really any different to you looking yourself. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: OT: Parsing EC private keys in PEM format
Mark, On 8/25/21 10:28, Mark Thomas wrote: On 25/08/2021 15:10, Christopher Schultz wrote: All, I'm trying to do this without looking at the code which is in Tomcat because I'd like to release it separately and not have to worry about figuring out hos to get permission, etc. It is ALv2 so the requirements are pretty minimal. You just need to include a copy of the ALv2, note you based it on Apache Tomcat and don;t use any ASF trademarks in your product name. Hmm. I seem to recall asking someone if I could contribute your PEMFile stuff to the PostgreSQL JDBC driver project (they only support non-encrypted DER files directly) and the reply I got was something along the lines of "horrific copyright violation/IP theft/good luck finding all the original authors and getting their permission/etc." (paraphrasing). I'm working on a piece of code which can load the following types of PEM-encoded DER files with private keys in them. Each is a different flavor of terrible. BEGIN PRIVATE KEY (pkcs8, pretty easy) BEGIN RSA PRIVATE KEY (RFC 3447/pkcs1, requires ASN.1) BEGIN RSA PRIVATE KEY (with encryption) BEGIN EC PRIVATE KEY (RFC 5915, requires ASN.1) BEGIN ENCRYPTED PRIVATE KEY (also pkcs8) I have completed the work on these: BEGIN PRIVATE KEY BEGIN RSA PRIVATE KEY BEGIN RSA PRIVATE KEY (with encryption) I'm now working on: BEGIN EC PRIVATE KEY I think I can get everything I need out of the ASN.1 structure of the file, but I'm getting caught up in the Java API for EC crypto. In order to create an RSA private key, one need only assemble the various values required for the RSA key (e, n, etc.) and stick them into an RSAPrivateKeySpec object, then generate the key from the KeySpec. For EC, however, you need what appears to be a whole menagerie of classes, many of which it's not clear how to construct. Is there an easier way to do this? Shortcuts are fine: I'm not married to the idea of manually-parsing the ASN.1 structure and manually-building the Java objects required if the API already supports some sort of shortcut. If there is *not* an easier way to do this, I'm wondering how to construct the following objects. Here is the code I have so far: String algorithm = "EC"; // I know this from the file type byte[] keybytes = ...; // These come from the ASN.1 structure String curveOID = ...; // This comes from the ASN.1 stucture byte[] paramBits = ...; // This also comes from the ASN.1 structure Curve curve = getCurve(curveOID); // I have this, at least for the one curve I'm working with at the moment ECField ecField = ???; // This should be a part of the curve definition? EllipticCurve curve = new EllipticCurve(ecField, curve.getA(), curve.getB()); ECParameterSpec paramSpec = ???; // How to convert paramBits to this? // This is the easy part PrivateKey key = KeyFactory.getInstance(algorithm).generatePrivate(new ECPrivateKeySpec(new BigInteger(keybytes), paramSpec)); Is there a better way to get the curve definition (from e.g. the OID) than manually-building the ECField and EllipticCurve objects? Sorry, I'd have to look at the Tomcat code to answer that. That isn't really any different to you looking yourself. Interesting. You parse the ASN.1 structure and re-write it into PKCS#8 ASN, then parse it as such. It occurs to me that, like Digester and possibly other components before it, Tomcat has some useful cryptographic functions that we might consider packaging separately. I think a component which can read a PEMFile in its many incarnations is a very valuable thing on its own. -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Add available flag for UserDatabase
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 459cbf6 Add available flag for UserDatabase
459cbf6 is described below
commit 459cbf6bd96a0488f205f090efba34520186066e
Author: remm
AuthorDate: Wed Aug 25 22:36:17 2021 +0200
Add available flag for UserDatabase
Also avoid loading the whole database as MBeans, the behavior is fancy
but only makes sense for a memory user database.
---
java/org/apache/catalina/UserDatabase.java | 22 ++
.../mbeans/GlobalResourcesLifecycleListener.java | 5 +
.../apache/catalina/realm/UserDatabaseRealm.java | 6 ++
3 files changed, 33 insertions(+)
diff --git a/java/org/apache/catalina/UserDatabase.java
b/java/org/apache/catalina/UserDatabase.java
index 9242170..713cc1d 100644
--- a/java/org/apache/catalina/UserDatabase.java
+++ b/java/org/apache/catalina/UserDatabase.java
@@ -198,4 +198,26 @@ public interface UserDatabase {
public default void backgroundProcess() {
// NO-OP by default
}
+
+
+/**
+ * Is the database available.
+ *
+ * @return true
+ */
+public default boolean isAvailable() {
+return true;
+}
+
+
+/**
+ * Is the database data loaded on demand. This is used to avoid eager
+ * loading of the full database data, for example for JMX registration of
+ * all objects.
+ *
+ * @return false
+ */
+public default boolean isSparse() {
+return false;
+}
}
diff --git
a/java/org/apache/catalina/mbeans/GlobalResourcesLifecycleListener.java
b/java/org/apache/catalina/mbeans/GlobalResourcesLifecycleListener.java
index a86b486..bca1ed7 100644
--- a/java/org/apache/catalina/mbeans/GlobalResourcesLifecycleListener.java
+++ b/java/org/apache/catalina/mbeans/GlobalResourcesLifecycleListener.java
@@ -168,6 +168,11 @@ public class GlobalResourcesLifecycleListener implements
LifecycleListener {
throw new
IllegalArgumentException(sm.getString("globalResources.createError.userDatabase",
name), e);
}
+if (database.isSparse()) {
+// Avoid loading all the database as mbeans
+return;
+}
+
// Create the MBeans for each defined Role
Iterator roles = database.getRoles();
while (roles.hasNext()) {
diff --git a/java/org/apache/catalina/realm/UserDatabaseRealm.java
b/java/org/apache/catalina/realm/UserDatabaseRealm.java
index c13b706..477be7f 100644
--- a/java/org/apache/catalina/realm/UserDatabaseRealm.java
+++ b/java/org/apache/catalina/realm/UserDatabaseRealm.java
@@ -231,6 +231,12 @@ public class UserDatabaseRealm extends RealmBase {
}
+@Override
+public boolean isAvailable() {
+return (database == null) ? false : database.isAvailable();
+}
+
+
public static final class UserDatabasePrincipal extends GenericPrincipal {
private static final long serialVersionUID = 1L;
private final transient User user;
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
