[tomcat] branch main updated: Rename Maven artifact

2022-01-06 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 423757e  Rename Maven artifact
423757e is described below

commit 423757e6e2912c4ab5b5591c5a823c4713238a6c
Author: remm 
AuthorDate: Thu Jan 6 11:43:29 2022 +0100

Rename Maven artifact

The new name tomcat-coyote-openssl-java17 is more consistent with the
jars in lib (it is an extension for tomcat-coyote).
---
 modules/openssl-java17/README.md | 4 ++--
 modules/openssl-java17/pom.xml   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/openssl-java17/README.md b/modules/openssl-java17/README.md
index 07f0a68..8e6e44a 100644
--- a/modules/openssl-java17/README.md
+++ b/modules/openssl-java17/README.md
@@ -16,7 +16,7 @@ The module uses the OpenSSL 1.1 API. It requires an API 
compatible version of
 OpenSSL or a compatible alternative library, that can be loaded from the JVM
 library path.
 
-Copy `openssl-java17-1.0.jar` to the Apache Tomcat `lib` folder.
+Copy `tomcat-coyote-openssl-java17-1.0.jar` to the Apache Tomcat `lib` folder.
 
 Remove `AprLifecycleListener` from `server.xml`. The
 `org.apache.tomcat.util.net.openssl.panama.OpenSSLLifecycleListener` can be
@@ -68,7 +68,7 @@ index dc1260b..dd9fba9 100644
  
  
  
-+
++
  
  

diff --git a/modules/openssl-java17/pom.xml b/modules/openssl-java17/pom.xml
index 733efa1..43e846d 100644
--- a/modules/openssl-java17/pom.xml
+++ b/modules/openssl-java17/pom.xml
@@ -25,7 +25,7 @@
 
 
 org.apache.tomcat
-openssl-java17
+tomcat-coyote-openssl-java17
 Apache Tomcat OpenSSL support for Java 17
 OpenSSL support using the Panama JEP 412 API included in Java 
17
 0.1-SNAPSHOT
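Review bot: the version in this hunk reads `0.1-SNAPSHOT`, but the README hunk above tells users to copy `tomcat-coyote-openssl-java17-1.0.jar`; the two will drift unless the README either matches the pom or drops the hard-coded version. Changing `artifactId` also changes the Maven coordinates, so any existing dependency on `org.apache.tomcat:openssl-java17` stops resolving; a sentence in the commit message or README naming the old coordinate would help anyone upgrading.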

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 65785] New: HTTP/2.0 non US-ASCII header names should be rejected

2022-01-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65785

Bug ID: 65785
   Summary: HTTP/2.0 non US-ASCII header names should be rejected
   Product: Tomcat 9
   Version: 9.0.x
  Hardware: Macintosh
OS: Mac OS X 10.1
Status: NEW
  Severity: normal
  Priority: P2
 Component: Connectors
  Assignee: dev@tomcat.apache.org
  Reporter: renaud.n...@gmail.com
  Target Milestone: -

Issue summary
=============

Tomcat does not follow the HTTP/2.0 header name specification: header names
should be US-ASCII encoded but Tomcat:
- does not check their encoding,
- allows non US-ASCII encoded names,
- corrupts non US-ASCII characters by suffixing them with "0xff", example:
"0xf0" -> "0xf0 0xff"

Expected behaviour would be to reject the HTTP/2.0 request as ill-formatted
with an HTTP 400 error code.

The specifications
==================

HTTP/2.0
--------

The HTTP/2.0 specification
(https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2) says: 
> Just as in HTTP/1.x, header field names are strings of ASCII
> characters that are compared in a case-insensitive fashion.  However,
> header field names MUST be converted to lowercase prior to their
> encoding in HTTP/2.  A request or response containing uppercase
> header field names MUST be treated as malformed (Section 8.1.2.6).

HTTP/1.1
--------

The HTTP/1.1 specification () says:
> A recipient MUST parse an HTTP message as a sequence of octets in an
> encoding that is a superset of US-ASCII [USASCII].  Parsing an HTTP
> message as a stream of Unicode characters, without regard for the
> specific encoding, creates security vulnerabilities due to the
> varying ways that string processing libraries handle invalid
> multibyte character sequences that contain the octet LF (%x0A).

HPACK
-----

HPACK specification (https://www.rfc-editor.org/rfc/rfc7541.html#section-1.1)
says:
> The format defined in this specification treats a list of header
> fields as an ordered collection of name-value pairs that can include
> duplicate pairs.  Names and values are considered to be opaque
> sequences of octets, and the order of header fields is preserved
> after being compressed and decompressed.


Problem description
===================

Tomcat does not reject non-ASCII HTTP/2.0 header names, and its HPACK
implementation casts the received bytes into chars so that "0xf0" becomes
"0xf0 0xff".
It looks like the HPACK algorithm corrupts the header name, and the HTTP/2.0
implementation is then not able to reject this invalid header value (a US-ASCII
character is coded with 7 bits, so the first bit MUST always be 0, and obviously
"0xf0" has its first bit set to 1).

As seen in the previous parts, the HPACK algorithm should treat its input as an
"opaque sequence of octets" and thus should not try to convert them to String
directly without knowing their encoding.
Then the HTTP/2.0 implementation should verify that the header name bytes use
only 7 bits (and thus can be safely decoded as ASCII characters).


HTTP/1.1 comparison
===================

Tomcat handles an invalid HTTP/1.1 header correctly, returning an HTTP 400 with
this message: "The HTTP header line [0xf0: aa] does not conform to RFC 7230
and has been ignored."


Comparison with other products
==============================

- Netty (tested with 4.1.72) handles it badly too, but the header name "0xf0"
is corrupted into "0x00 0xf0" (which is different from what Tomcat does: "0xf0
0xff")

Reproducer
==========
- A fresh install of Tomcat (tested with 9 but I guess it will work out with
any version of Tomcat handling HTTP/2.0)
- the HTTP/2.0 connector configured (``)
- A simple servlet
- run this command: `$ curl -v http://localhost:8080/static --http2-prior-knowledge -H "😱: aa"`
The request should be rejected with an HTTP 400 error because the header name is
not US-ASCII encoded.

-- 
You are receiving this mail because:
You are the assignee for the bug.
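The two fixes the report calls for, as an added Java example that is not Tomcat's code: `lossyDecode` reproduces the signed-byte-to-char corruption, and `validate` checks the raw octets of a header name before any String conversion. It goes beyond the report's 7-bit check by also enforcing the RFC 7540 lowercase rule and the RFC 7230 token set, and its allowance for a leading `:` on pseudo-headers is my assumption.

```java
import java.nio.charset.StandardCharsets;

// Added example, not Tomcat code: shows the byte-to-char corruption described in
// BZ 65785 and a validator that checks header name octets before any String
// conversion. The token set and the ':' pseudo-header allowance are assumptions
// going beyond the 7-bit check the report asks for.
public final class Http2HeaderNameCheck {

    // Reproduces the corruption in the report: widening a signed Java byte to char
    // sign-extends it, so octet 0xf0 (the byte value -16) becomes U+FFF0 rather
    // than U+00F0, and the 0xff high byte appears alongside the original 0xf0.
    static String lossyDecode(byte[] name) {
        StringBuilder sb = new StringBuilder(name.length);
        for (byte b : name) {
            sb.append((char) b);
        }
        return sb.toString();
    }

    // The same octets widened without sign extension; masking keeps 0x00..0xff.
    static String maskedDecode(byte[] name) {
        StringBuilder sb = new StringBuilder(name.length);
        for (byte b : name) {
            sb.append((char) (b & 0xff));
        }
        return sb.toString();
    }

    // RFC 7230 tchar set restricted to lowercase letters, as RFC 7540 section 8.1.2
    // requires for HTTP/2 header field names (assumption: a full token check is wanted).
    static boolean isLowercaseTokenChar(int octet) {
        if ((octet >= 'a' && octet <= 'z') || (octet >= '0' && octet <= '9')) {
            return true;
        }
        return "!#$%&'*+-.^_`|~".indexOf(octet) >= 0;
    }

    // Validates the raw octets of an HPACK-decoded header name. Returns null when the
    // name is acceptable, otherwise the reason the request should be treated as
    // malformed (an HTTP 400 for the reproducer's direct HTTP/2 connection).
    static String validate(byte[] name) {
        if (name.length == 0) {
            return "empty header name";
        }
        for (int i = 0; i < name.length; i++) {
            int octet = name[i] & 0xff;          // unsigned view of the octet
            if (i == 0 && octet == ':') {
                continue;                        // pseudo-header prefix such as :path
            }
            if (octet >= 0x80) {                 // high bit set: not US-ASCII
                return String.format("non-US-ASCII octet 0x%02x at index %d", octet, i);
            }
            if (octet >= 'A' && octet <= 'Z') {
                return String.format("uppercase letter at index %d", i);
            }
            if (!isLowercaseTokenChar(octet)) {
                return String.format("invalid token character 0x%02x at index %d", octet, i);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed input: UTF-8 bytes (f0 9f 98 b1) of the emoji used in the curl reproducer.
        byte[] emoji = "\uD83D\uDE31".getBytes(StandardCharsets.UTF_8);
        System.out.printf("(char) cast of octet 0x%02x gives U+%04X, masked widening gives U+%04X%n",
                emoji[0] & 0xff,
                (int) lossyDecode(emoji).charAt(0),
                (int) maskedDecode(emoji).charAt(0));

        String[] samples = { "content-type", "Content-Type", ":path", "x\u00F0y", "bad header" };
        for (String s : samples) {
            // ISO-8859-1 maps each char to one octet, so "x\u00F0y" carries the raw 0xf0 octet.
            byte[] octets = s.getBytes(StandardCharsets.ISO_8859_1);
            System.out.printf("%-14s -> %s%n", s, validate(octets));
        }
        System.out.printf("%-14s -> %s%n", "emoji", validate(emoji));
    }
}
```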



Async timeout and paused connector/endpoint

2022-01-06 Thread Mark Thomas

Hi,

The Spring Boot team has pinged me regarding this issue:
https://github.com/spring-projects/spring-boot/issues/29266

I've done some debugging and what it comes down to is that when a 
Connector/Endpoint is paused, we also pause checking the async timeout 
for requests associated with that Connector/Endpoint.


The code has been like this since it was first implemented some 12 years 
ago.


I am wondering if this makes sense. I've always thought of "pause" as 
pausing new incoming connections, disabling keep-alive (i.e. existing 
connections terminate when the current request completes) and disabling 
new streams on multiplexed connections but that existing requests would 
continue.


Is my understanding / expectation of pause (and resume) correct?

Looking at the code there are a few things happening when a connection 
is paused that don't immediately make sense to me.


Assuming my understanding/expectation is correct then I'm thinking of a 
patch (or possible patches) along the following lines:


- keep the async timeout task active when the associated
  connector/endpoint is paused

- don't pause sendfile when the associated connector/endpoint is paused

- continue to return recycled objects to caches when the associated
  connector/endpoint is paused

- review use of SocketWrapperBase.getSocket().free() to ensure it is
  called when necessary - for example the embedded case where a
  connector is repeatedly started and stopped. This may be a separate
  patch as it isn't really related to the original issue.

Thoughts?

Mark




Re: Async timeout and paused connector/endpoint

2022-01-06 Thread Rémy Maucherat
On Thu, Jan 6, 2022 at 1:01 PM Mark Thomas  wrote:
>
> Hi,
>
> The Spring Boot team has pinged me regarding this issue:
> https://github.com/spring-projects/spring-boot/issues/29266
>
> I've done some debugging and what it comes down to is that when a
> Connector/Endpoint is paused, we also pause checking the async timeout
> for requests associated with that Connector/Endpoint.
>
> The code has been like this since it was first implemented some 12 years
> ago.
>
> I am wondering if this makes sense. I've always thought of "pause" as
> pausing new incoming connections, disabling keep-alive (i.e. existing
> connections terminate when the current request completes) and disabling
> new streams on multiplexed connections but that existing requests would
> continue.
>
> Is my understanding / expectation of pause (and resume) correct?
>
> Looking at the code there are a few things happening when a connection
> is paused that don't immediately make sense to me.
>
> Assuming my understanding/expectation is correct then I'm thinking of a
> patch (or possible patches) along the following lines:
>
> - keep the async timeout task active when the associated
>connector/endpoint is paused
>
> - don't pause sendfile when the associated connector/endpoint is paused
>
> - continue to return recycled objects to caches when the associated
>connector/endpoint is paused
>
> - review use of SocketWrapperBase.getSocket().free() to ensure it is
>called when necessary - for example the embedded case where a
>connector is repeatedly started and stopped. This may be a separate
>patch as it isn't really related to the original issue.
>
> Thoughts?

Yes, this feature was about not accepting new requests, while
finishing the current ones properly. So this makes sense but it needs
quite a few improvements in that case.

Rémy


>
> Mark
>




[tomcat] branch main updated: Fix BZ 65763 - improve handling of timeout during message write

2022-01-06 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 16d8754  Fix BZ 65763 - improve handling of timeout during message 
write
16d8754 is described below

commit 16d8754189808e771b8d6f0ad7dbd227aa5b9ef0
Author: Mark Thomas 
AuthorDate: Thu Jan 6 14:12:49 2022 +

Fix BZ 65763 - improve handling of timeout during message write

https://bz.apache.org/bugzilla/show_bug.cgi?id=65763
---
 java/org/apache/tomcat/websocket/WsSession.java | 3 +--
 webapps/docs/changelog.xml  | 4 
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/websocket/WsSession.java 
b/java/org/apache/tomcat/websocket/WsSession.java
index 2f3d7d3..91201d2 100644
--- a/java/org/apache/tomcat/websocket/WsSession.java
+++ b/java/org/apache/tomcat/websocket/WsSession.java
@@ -19,7 +19,6 @@ package org.apache.tomcat.websocket;
 import java.io.IOException;
 import java.net.URI;
 import java.nio.ByteBuffer;
-import java.nio.channels.WritePendingException;
 import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.util.Collections;
@@ -721,7 +720,7 @@ public class WsSession implements Session {
 msg.flip();
 try {
 wsRemoteEndpoint.sendMessageBlock(Constants.OPCODE_CLOSE, msg, 
true);
-} catch (IOException | WritePendingException e) {
+} catch (IOException | IllegalStateException e) {
 // Failed to send close message. Close the socket and let the 
caller
 // deal with the Exception
 if (log.isDebugEnabled()) {
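Review bot: widening the catch to `IllegalStateException` still covers the old case, because `java.nio.channels.WritePendingException` is a subclass of `IllegalStateException`, but the comment on the following lines still only reads "Failed to send close message"; add why the broader type is needed (the timed-out, partially written message this commit addresses surfaces as an `IllegalStateException`), otherwise a later cleanup may narrow it back to `WritePendingException`. Note also that every `IllegalStateException` from the send path is now reported only when debug logging is enabled, so a genuine programming error in that path would be silently swallowed.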
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 683a49d..3538dbe 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -196,6 +196,10 @@
 Add support for the WebSocket 2.1 client-side API for configuring TLS
 connection for wss client connections. (markt)
   
+  
+65763: Improve handling of WebSocket connection close if a
+message write times out before the message is fully written. (markt)
+  
 
   
   




[tomcat] branch 10.0.x updated: Fix BZ 65763 - improve handling of timeout during message write

2022-01-06 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
 new a370955  Fix BZ 65763 - improve handling of timeout during message 
write
a370955 is described below

commit a3709550e04738cc80515d9508d2fa956e4609e9
Author: Mark Thomas 
AuthorDate: Thu Jan 6 14:12:49 2022 +

Fix BZ 65763 - improve handling of timeout during message write

https://bz.apache.org/bugzilla/show_bug.cgi?id=65763
---
 java/org/apache/tomcat/websocket/WsSession.java | 3 +--
 webapps/docs/changelog.xml  | 4 
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/websocket/WsSession.java 
b/java/org/apache/tomcat/websocket/WsSession.java
index ae39d8c..a2e8768 100644
--- a/java/org/apache/tomcat/websocket/WsSession.java
+++ b/java/org/apache/tomcat/websocket/WsSession.java
@@ -19,7 +19,6 @@ package org.apache.tomcat.websocket;
 import java.io.IOException;
 import java.net.URI;
 import java.nio.ByteBuffer;
-import java.nio.channels.WritePendingException;
 import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.util.Collections;
@@ -815,7 +814,7 @@ public class WsSession implements Session {
 msg.flip();
 try {
 wsRemoteEndpoint.sendMessageBlock(Constants.OPCODE_CLOSE, msg, 
true);
-} catch (IOException | WritePendingException e) {
+} catch (IOException | IllegalStateException e) {
 // Failed to send close message. Close the socket and let the 
caller
 // deal with the Exception
 if (log.isDebugEnabled()) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 52005e4..38e10aa 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -166,6 +166,10 @@
 that allows applications to opt to upgrade an HTTP connection to
 WebSocket. (markt)
   
+  
+65763: Improve handling of WebSocket connection close if a
+message write times out before the message is fully written. (markt)
+  
 
   
   




[tomcat] branch 9.0.x updated: Fix BZ 65763 - improve handling of timeout during message write

2022-01-06 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new c3b4fd0  Fix BZ 65763 - improve handling of timeout during message 
write
c3b4fd0 is described below

commit c3b4fd06410c4d77f5d25d6dd2030d45c0bcbfd7
Author: Mark Thomas 
AuthorDate: Thu Jan 6 14:12:49 2022 +

Fix BZ 65763 - improve handling of timeout during message write

https://bz.apache.org/bugzilla/show_bug.cgi?id=65763
---
 java/org/apache/tomcat/websocket/WsSession.java | 3 +--
 webapps/docs/changelog.xml  | 4 
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/websocket/WsSession.java 
b/java/org/apache/tomcat/websocket/WsSession.java
index b728d51..dc952c1 100644
--- a/java/org/apache/tomcat/websocket/WsSession.java
+++ b/java/org/apache/tomcat/websocket/WsSession.java
@@ -19,7 +19,6 @@ package org.apache.tomcat.websocket;
 import java.io.IOException;
 import java.net.URI;
 import java.nio.ByteBuffer;
-import java.nio.channels.WritePendingException;
 import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.util.Collections;
@@ -814,7 +813,7 @@ public class WsSession implements Session {
 msg.flip();
 try {
 wsRemoteEndpoint.sendMessageBlock(Constants.OPCODE_CLOSE, msg, 
true);
-} catch (IOException | WritePendingException e) {
+} catch (IOException | IllegalStateException e) {
 // Failed to send close message. Close the socket and let the 
caller
 // deal with the Exception
 if (log.isDebugEnabled()) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 35a4abb..687323f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -166,6 +166,10 @@
 that allows applications to opt to upgrade an HTTP connection to
 WebSocket. (markt)
   
+  
+65763: Improve handling of WebSocket connection close if a
+message write times out before the message is fully written. (markt)
+  
 
   
   




[tomcat] branch 8.5.x updated: Fix BZ 65763 - improve handling of timeout during message write

2022-01-06 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 03e7f73  Fix BZ 65763 - improve handling of timeout during message 
write
03e7f73 is described below

commit 03e7f73bfa170e696672210082a818dcf8718fb9
Author: Mark Thomas 
AuthorDate: Thu Jan 6 14:12:49 2022 +

Fix BZ 65763 - improve handling of timeout during message write

https://bz.apache.org/bugzilla/show_bug.cgi?id=65763
---
 java/org/apache/tomcat/websocket/WsSession.java | 3 +--
 webapps/docs/changelog.xml  | 4 
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/websocket/WsSession.java 
b/java/org/apache/tomcat/websocket/WsSession.java
index b728d51..dc952c1 100644
--- a/java/org/apache/tomcat/websocket/WsSession.java
+++ b/java/org/apache/tomcat/websocket/WsSession.java
@@ -19,7 +19,6 @@ package org.apache.tomcat.websocket;
 import java.io.IOException;
 import java.net.URI;
 import java.nio.ByteBuffer;
-import java.nio.channels.WritePendingException;
 import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.util.Collections;
@@ -814,7 +813,7 @@ public class WsSession implements Session {
 msg.flip();
 try {
 wsRemoteEndpoint.sendMessageBlock(Constants.OPCODE_CLOSE, msg, 
true);
-} catch (IOException | WritePendingException e) {
+} catch (IOException | IllegalStateException e) {
 // Failed to send close message. Close the socket and let the 
caller
 // deal with the Exception
 if (log.isDebugEnabled()) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b9f71f5..7c3de4e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -222,6 +222,10 @@
 that allows applications to opt to upgrade an HTTP connection to
 WebSocket. (markt)
   
+  
+65763: Improve handling of WebSocket connection close if a
+message write times out before the message is fully written. (markt)
+  
 
   
   




[Bug 65763] WsRemoteEndpointImplBase#sendMessageBlock cannot close session properly when have TimeoutException

2022-01-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65763

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #3 from Mark Thomas  ---
Thanks for the report and the analysis.

After reviewing the code, I think catching IllegalStateException is the way to
handle this.

Fixed in:
- 10.1.x for 10.1.0-M9 onwards
- 10.0.x for 10.0.15 onwards
- 9.0.x for 9.0.57 onwards
- 8.5.x for 8.5.74 onwards




[Bug 65767] Add support for password-based encryption scheme 2 params (PBES2)

2022-01-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65767

--- Comment #8 from Mark Thomas  ---
PR https://github.com/apache/tomcat/pull/462




[GitHub] [tomcat-jakartaee-migration] ChristopherSchultz commented on issue #24: Copyright and Derived Works

2022-01-06 Thread GitBox


ChristopherSchultz commented on issue #24:
URL: 
https://github.com/apache/tomcat-jakartaee-migration/issues/24#issuecomment-1006739580


   > So also the dependencies in a WAR are updated? I mean the JARS in 
WEB-INF/lib.
   
   Of course they are.
   
   If you have a library that reads data from `HttpServletRequest` and 
`HttpServletRequest` has moved from the `javax.servlet.http` package to the 
`jakarta.servlet.http`, then the library had better be updated along with your 
code. Otherwise, your application wouldn't work.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org






[GitHub] [tomcat-jakartaee-migration] rmaucher commented on issue #24: Copyright and Derived Works

2022-01-06 Thread GitBox


rmaucher commented on issue #24:
URL: 
https://github.com/apache/tomcat-jakartaee-migration/issues/24#issuecomment-1006765487


   You could be able to combine the migration tool (carefully avoiding 
converting the proprietary library JARs) with the classloading transformer (which 
is normally not good since it doesn't do EE API relocations and annotations, as 
I've found out, but for a library it's likely better). After all there's no 
rule against using both.








[GitHub] [tomcat] markt-asf commented on a change in pull request #462: Add support for password-based encryption scheme 2 params (PBES2)

2022-01-06 Thread GitBox


markt-asf commented on a change in pull request #462:
URL: https://github.com/apache/tomcat/pull/462#discussion_r779920656



##
File path: java/org/apache/tomcat/util/net/jsse/PEMFile.java
##
@@ -210,6 +214,14 @@ public PrivateKey toPrivateKey(String password, String 
keyAlgorithm, Format form
 throw exception;
 }
 
+private String getPBEAlgorithm(EncryptedPrivateKeyInfo privateKeyInfo) 
{
+AlgorithmParameters parameters = privateKeyInfo.getAlgParameters();
+if(parameters != null && 
OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())) {
+return parameters.toString();

Review comment:
   Having looked at the complexity of extracting the algorithm name from 
encoded parameters, and given that the JRE depends on the toString() 
implementation as well in places, I think it is reasonable to use toString() 
for now. We'll always have the option of parsing the parameters directly if we 
discover problems with the toString() approach in the future.
   Given PBES2 support is currently broken, the worst this change will do is 
maintain the status quo. The more likely result is that PBES2 will be supported 
for most (all?) use cases.










[tomcat] branch main updated (16d8754 -> d871a22)

2022-01-06 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 16d8754  Fix BZ 65763 - improve handling of timeout during message 
write
 add d871a22  Fix BZ 65767 - add support for certs with PBES2 protected keys

No new revisions were added by this update.

Summary of changes:
 java/org/apache/tomcat/util/net/jsse/PEMFile.java | 27 +--
 webapps/docs/changelog.xml|  4 
 2 files changed, 29 insertions(+), 2 deletions(-)




[GitHub] [tomcat] markt-asf closed pull request #462: Add support for password-based encryption scheme 2 params (PBES2)

2022-01-06 Thread GitBox


markt-asf closed pull request #462:
URL: https://github.com/apache/tomcat/pull/462


   








[GitHub] [tomcat] markt-asf commented on pull request #462: Add support for password-based encryption scheme 2 params (PBES2)

2022-01-06 Thread GitBox


markt-asf commented on pull request #462:
URL: https://github.com/apache/tomcat/pull/462#issuecomment-1006996620


   I've applied this PR manually so I could add an extended comment next to the 
use of toString().








[tomcat] branch 10.0.x updated: Fix BZ 65767 - add support for certs with PBES2 protected keys

2022-01-06 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
 new 973623c  Fix BZ 65767 - add support for certs with PBES2 protected keys
973623c is described below

commit 973623cbaaac237020e9aaf327bdb72b655fa7c8
Author: Mark Thomas 
AuthorDate: Thu Jan 6 22:58:13 2022 +

Fix BZ 65767 - add support for certs with PBES2 protected keys

Based on a PR by xiezhaokun
---
 java/org/apache/tomcat/util/net/jsse/PEMFile.java | 27 +--
 webapps/docs/changelog.xml|  4 
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java 
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 900bb91..5db30d9 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -23,6 +23,7 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.math.BigInteger;
 import java.nio.charset.StandardCharsets;
+import java.security.AlgorithmParameters;
 import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
@@ -60,6 +61,8 @@ public class PEMFile {
 private static final byte[] OID_EC_PUBLIC_KEY =
 new byte[] { 0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 
0x3D, 0x02, 0x01 };
 
+private static final String OID_PKCS5_PBES2 = "1.2.840.113549.1.5.13";
+
 public static String toPEM(X509Certificate certificate) throws 
CertificateEncodingException {
 StringBuilder result = new StringBuilder();
 result.append(Part.BEGIN_BOUNDARY + Part.CERTIFICATE + 
Part.FINISH_BOUNDARY);
@@ -181,10 +184,11 @@ public class PEMFile {
 }
 } else {
 EncryptedPrivateKeyInfo privateKeyInfo = new 
EncryptedPrivateKeyInfo(decode());
-SecretKeyFactory secretKeyFactory = 
SecretKeyFactory.getInstance(privateKeyInfo.getAlgName());
+String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo);
+SecretKeyFactory secretKeyFactory = 
SecretKeyFactory.getInstance(pbeAlgorithm);
 SecretKey secretKey = secretKeyFactory.generateSecret(new 
PBEKeySpec(password.toCharArray()));
 
-Cipher cipher = 
Cipher.getInstance(privateKeyInfo.getAlgName());
+Cipher cipher = Cipher.getInstance(pbeAlgorithm);
 cipher.init(Cipher.DECRYPT_MODE, secretKey, 
privateKeyInfo.getAlgParameters());
 
 keySpec = privateKeyInfo.getKeySpec(cipher);
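Review bot: `new PBEKeySpec(password.toCharArray())` is created inline, so the `char[]` copy of the key password can never be cleared; keep the spec in a local and call `clearPassword()` in a `finally` once `generateSecret` has returned. Separately, if `getPBEAlgorithm` returns a name the installed providers do not know, `SecretKeyFactory.getInstance(pbeAlgorithm)` fails with a bare `NoSuchAlgorithmException`; wrapping it with the OID from `privateKeyInfo.getAlgName()` would make a misconfigured PBES2 key far easier to diagnose.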
@@ -211,6 +215,25 @@ public class PEMFile {
 }
 
 
+private String getPBEAlgorithm(EncryptedPrivateKeyInfo privateKeyInfo) 
{
+AlgorithmParameters parameters = privateKeyInfo.getAlgParameters();
+if (parameters != null && 
OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())) {
+/*
+ * This should be "PBEWithAnd".
+ * Relying on the toString() implementation is potentially
+ * fragile but acceptable in this case since the JRE depends on
+ * the toString() implementation as well.
+ * In the future, if necessary, we can parse the value of
+ * paremeters.getEncoded() but the associated complexity and
+ * unlikeliness of the JRE implementation changing means that
+ * Tomcat will use to toString() approach for now.
+ */
+return parameters.toString();
+}
+return privateKeyInfo.getAlgName();
+}
+
+
 /*
  * RFC5915: SEQ
  *   INT   value = 1
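Review bot: the comment block has two typos, `paremeters.getEncoded()` for `parameters.getEncoded()` and "use to toString() approach" for "use the toString() approach", and its first line as shown reads `This should be "PBEWithAnd"`, which has lost the names between `PBEWith` and `And` and should say what belongs there. On the logic, `AlgorithmParameters.toString()` is provider-specific, so with a non-JDK provider the PBES2 branch may return a string that is not a valid transformation name while the non-PBES2 fallback `return privateKeyInfo.getAlgName()` is unaffected; checking that the returned string starts with `PBEWith`, with a clear error otherwise, would keep that failure from surfacing as an opaque `NoSuchAlgorithmException` further down.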
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 38e10aa..301a28f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -141,6 +141,10 @@
 potential deadlock on some systems in non-default configurations.
 (markt)
   
+  
+65767:  Add support for certificates that use keys encrypted
+using PBES2. Based on a pull request provided by xiezhaokun. (markt)
+  
 
   
   




[tomcat] branch 9.0.x updated: Fix BZ 65767 - add support for certs with PBES2 protected keys

2022-01-06 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new 7c49638  Fix BZ 65767 - add support for certs with PBES2 protected keys
7c49638 is described below

commit 7c496386e39b034e4f1a8a2caa2cf26a8f355d85
Author: Mark Thomas 
AuthorDate: Thu Jan 6 22:58:13 2022 +

Fix BZ 65767 - add support for certs with PBES2 protected keys

Based on a PR by xiezhaokun
---
 java/org/apache/tomcat/util/net/jsse/PEMFile.java | 27 +--
 webapps/docs/changelog.xml|  4 
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java 
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 900bb91..5db30d9 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -23,6 +23,7 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.math.BigInteger;
 import java.nio.charset.StandardCharsets;
+import java.security.AlgorithmParameters;
 import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
@@ -60,6 +61,8 @@ public class PEMFile {
 private static final byte[] OID_EC_PUBLIC_KEY =
 new byte[] { 0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 
0x3D, 0x02, 0x01 };
 
+private static final String OID_PKCS5_PBES2 = "1.2.840.113549.1.5.13";
+
 public static String toPEM(X509Certificate certificate) throws 
CertificateEncodingException {
 StringBuilder result = new StringBuilder();
 result.append(Part.BEGIN_BOUNDARY + Part.CERTIFICATE + 
Part.FINISH_BOUNDARY);
@@ -181,10 +184,11 @@ public class PEMFile {
 }
 } else {
 EncryptedPrivateKeyInfo privateKeyInfo = new 
EncryptedPrivateKeyInfo(decode());
-SecretKeyFactory secretKeyFactory = 
SecretKeyFactory.getInstance(privateKeyInfo.getAlgName());
+String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo);
+SecretKeyFactory secretKeyFactory = 
SecretKeyFactory.getInstance(pbeAlgorithm);
 SecretKey secretKey = secretKeyFactory.generateSecret(new 
PBEKeySpec(password.toCharArray()));
 
-Cipher cipher = 
Cipher.getInstance(privateKeyInfo.getAlgName());
+Cipher cipher = Cipher.getInstance(pbeAlgorithm);
 cipher.init(Cipher.DECRYPT_MODE, secretKey, 
privateKeyInfo.getAlgParameters());
 
 keySpec = privateKeyInfo.getKeySpec(cipher);
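Review bot: on the PBES2 path both `SecretKeyFactory.getInstance(pbeAlgorithm)` and `Cipher.getInstance(pbeAlgorithm)` are now fed a name recovered from AlgorithmParameters.toString(); if the provider does not register that exact name (a non-SunJCE provider, or a PRF/cipher pair it lacks) both calls throw NoSuchAlgorithmException with nothing but that string as the clue. Consider catching it here and rethrowing with the PBES2 parameters and the fact that the key is PBES2-encrypted, which is what someone who produced the file with `openssl pkcs8 -topk8 -v2` will need to see. Unrelated to this change but visible in the context lines: the PBEKeySpec built from `password.toCharArray()` is never cleared; calling PBEKeySpec.clearPassword() after generateSecret() stops the password lingering on the heap.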
@@ -211,6 +215,25 @@ public class PEMFile {
 }
 
 
+private String getPBEAlgorithm(EncryptedPrivateKeyInfo privateKeyInfo) 
{
+AlgorithmParameters parameters = privateKeyInfo.getAlgParameters();
+if (parameters != null && 
OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())) {
+/*
+ * This should be "PBEWithAnd".
+ * Relying on the toString() implementation is potentially
+ * fragile but acceptable in this case since the JRE depends on
+ * the toString() implementation as well.
+ * In the future, if necessary, we can parse the value of
+ * paremeters.getEncoded() but the associated complexity and
+ * unlikeliness of the JRE implementation changing means that
+ * Tomcat will use to toString() approach for now.
+ */
+return parameters.toString();
+}
+return privateKeyInfo.getAlgName();
+}
+
+
 /*
  * RFC5915: SEQ
  *   INT   value = 1
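Review bot: the guard `OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())` assumes getAlgName() returns the dotted OID, but the EncryptedPrivateKeyInfo Javadoc states that a standard name is returned instead of the OID where the JRE has a mapping. A JRE that maps 1.2.840.113549.1.5.13 to "PBES2" skips this branch, falls through to `return privateKeyInfo.getAlgName();`, and then fails in SecretKeyFactory.getInstance with a name that says nothing about the PBES2 parameters. Suggest accepting both spellings, e.g. `OID_PKCS5_PBES2.equals(algName) || "PBES2".equals(algName)`. In the comment, `"PBEWithAnd"` has lost its placeholders and should read `"PBEWith<prf>And<encryption>"`, "paremeters" is a typo, and "Tomcat will use to toString() approach" should be "the toString() approach".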
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 687323f..51964e7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -141,6 +141,10 @@
 potential deadlock on some systems in non-default configurations.
 (markt)
   
+  
+65767:  Add support for certificates that use keys encrypted
+using PBES2. Based on a pull request provided by xiezhaokun. (markt)
+  
 
   
   

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
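The PBES2 branch in the commit above recovers the `PBEWith<prf>And<cipher>` name from AlgorithmParameters.toString(), and its own comment names parsing parameters.getEncoded() as the robust alternative. The following is an added example, not Tomcat's code, that does that parsing in plain Python: it encodes constructed EncryptedPrivateKeyInfo headers (a PBES2 one with PBKDF2, hmacWithSHA256 and AES-256-CBC, the shape recent OpenSSL emits for `openssl pkcs8 -topk8 -v2 aes-256-cbc`, and a legacy PKCS#12 DESede one), then walks the DER to report the scheme, the JCE-style algorithm name and the KDF parameters. The salt, IV and ciphertext bytes are placeholders, so nothing here decrypts; the OIDs and structure are the ones defined in RFC 8018 and PKCS#12, and the function names are this example's own.

```python
import base64
import textwrap

# Object identifiers from PKCS#5 v2.1 (RFC 8018), PKCS#12 and the NIST AES arc.
OID_PBES2 = "1.2.840.113549.1.5.13"
OID_PBKDF2 = "1.2.840.113549.1.5.12"
PRF_NAMES = {"1.2.840.113549.2.7": "HmacSHA1", "1.2.840.113549.2.8": "HmacSHA224",
             "1.2.840.113549.2.9": "HmacSHA256", "1.2.840.113549.2.10": "HmacSHA384",
             "1.2.840.113549.2.11": "HmacSHA512"}
CIPHER_NAMES = {"2.16.840.1.101.3.4.1.2": "AES_128", "2.16.840.1.101.3.4.1.22": "AES_192",
                "2.16.840.1.101.3.4.1.42": "AES_256"}
# PBES1 / PKCS#12 schemes: the outer OID alone fixes the JCE algorithm name.
LEGACY_PBE_NAMES = {"1.2.840.113549.1.5.3": "PBEWithMD5AndDES",
                    "1.2.840.113549.1.12.1.3": "PBEWithSHA1AndDESede",
                    "1.2.840.113549.1.12.1.6": "PBEWithSHA1AndRC2_40"}

# --- minimal DER encoder, just enough to build EncryptedPrivateKeyInfo headers ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_seq(*parts):
    return _der(0x30, b"".join(parts))

def der_octets(data):
    return _der(0x04, data)

def der_int(n):  # non-negative integers only; the extra byte keeps the sign bit clear
    return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 with continuation bits, most significant group first
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der(0x06, bytes(out))

# --- minimal DER decoder ---
def _tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _oid(val):
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def describe_encrypted_key(der_bytes):
    """Report scheme, JCE algorithm name and KDF parameters of an EncryptedPrivateKeyInfo."""
    tag, body, _ = _tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("EncryptedPrivateKeyInfo must start with a SEQUENCE")
    (_, alg_body), _encrypted_data = _children(body)
    alg_oid_tlv, params_tlv = _children(alg_body)
    scheme_oid = _oid(alg_oid_tlv[1])
    if scheme_oid == OID_PBES2:  # PBES2-params ::= SEQUENCE { keyDerivationFunc, encryptionScheme }
        kdf, enc = _children(params_tlv[1])
        kdf_oid_tlv, kdf_params = _children(kdf[1])
        if _oid(kdf_oid_tlv[1]) != OID_PBKDF2:
            raise ValueError("unsupported PBES2 KDF " + _oid(kdf_oid_tlv[1]))
        fields = _children(kdf_params[1])  # salt, iterationCount, [keyLength], [prf]
        salt, iterations = fields[0][1], int.from_bytes(fields[1][1], "big")
        prf = "HmacSHA1"  # RFC 8018 default when the prf field is absent
        for t, v in fields[2:]:
            if t == 0x30:  # skip an optional keyLength INTEGER, take the prf AlgorithmIdentifier
                prf = PRF_NAMES[_oid(_children(v)[0][1])]
        enc_oid_tlv, iv_tlv = _children(enc[1])
        cipher = CIPHER_NAMES[_oid(enc_oid_tlv[1])]
        return {"scheme": "PBES2", "jce_name": "PBEWith%sAnd%s" % (prf, cipher),
                "iterations": iterations, "salt_len": len(salt), "iv_len": len(iv_tlv[1])}
    if scheme_oid in LEGACY_PBE_NAMES:  # PBEParameter ::= SEQUENCE { salt, iterationCount }
        salt_tlv, iter_tlv = _children(params_tlv[1])
        return {"scheme": "PBES1", "jce_name": LEGACY_PBE_NAMES[scheme_oid],
                "iterations": int.from_bytes(iter_tlv[1], "big"), "salt_len": len(salt_tlv[1])}
    raise ValueError("unsupported encryption algorithm " + scheme_oid)

def load_pem(text):
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode("ascii")
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END ENCRYPTED PRIVATE KEY-----\n")

def build_pbes2(salt, iterations, prf_oid, cipher_oid, iv, ciphertext):
    """Encode a PBES2 EncryptedPrivateKeyInfo; prf_oid=None omits the prf (HmacSHA1 default)."""
    kdf_fields = [der_octets(salt), der_int(iterations)]
    if prf_oid:
        kdf_fields.append(der_seq(der_oid(prf_oid), b"\x05\x00"))  # hmacWithSHA* params are NULL
    kdf = der_seq(der_oid(OID_PBKDF2), der_seq(*kdf_fields))
    enc = der_seq(der_oid(cipher_oid), der_octets(iv))
    return der_seq(der_seq(der_oid(OID_PBES2), der_seq(kdf, enc)), der_octets(ciphertext))

def build_pbes1(pbe_oid, salt, iterations, ciphertext):
    return der_seq(der_seq(der_oid(pbe_oid), der_seq(der_octets(salt), der_int(iterations))),
                   der_octets(ciphertext))

# Constructed samples: fixed salt/IV and dummy ciphertext, so nothing here can be decrypted.
SAMPLE_PBES2_PEM = to_pem(build_pbes2(b"\x01" * 16, 2048, "1.2.840.113549.2.9",
                                      "2.16.840.1.101.3.4.1.42", b"\x02" * 16, b"\x00" * 64))
SAMPLE_PBES1_DER = build_pbes1("1.2.840.113549.1.12.1.3", b"\x03" * 8, 2048, b"\x00" * 64)

if __name__ == "__main__":
    print(describe_encrypted_key(load_pem(SAMPLE_PBES2_PEM)))
    print(describe_encrypted_key(SAMPLE_PBES1_DER))
```

Passing a real `-----BEGIN ENCRYPTED PRIVATE KEY-----` block through describe_encrypted_key(load_pem(text)) tells you whether the key is PBES2 (so it needs a Tomcat with this fix) and which PRF/cipher pair the JRE must support, without relying on what any particular JRE returns from getAlgName() or toString(). A key that reports PBES1 with DESede or RC2_40 still loads, but is a candidate for re-encryption with `openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256`.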



[tomcat] branch 8.5.x updated: Fix BZ 65767 - add support for certs with PBES2 protected keys

2022-01-06 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new bf7e120  Fix BZ 65767 - add support for certs with PBES2 protected keys
bf7e120 is described below

commit bf7e120b85b6e1c04cf9b46b054538730b56c243
Author: Mark Thomas 
AuthorDate: Thu Jan 6 22:58:13 2022 +

Fix BZ 65767 - add support for certs with PBES2 protected keys

Based on a PR by xiezhaokun
---
 java/org/apache/tomcat/util/net/jsse/PEMFile.java | 27 +--
 webapps/docs/changelog.xml|  4 
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java 
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index ee62c25..ca030cf 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -23,6 +23,7 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.math.BigInteger;
 import java.nio.charset.StandardCharsets;
+import java.security.AlgorithmParameters;
 import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
@@ -60,6 +61,8 @@ public class PEMFile {
 private static final byte[] OID_EC_PUBLIC_KEY =
 new byte[] { 0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 
0x3D, 0x02, 0x01 };
 
+private static final String OID_PKCS5_PBES2 = "1.2.840.113549.1.5.13";
+
 public static String toPEM(X509Certificate certificate) throws 
CertificateEncodingException {
 StringBuilder result = new StringBuilder();
 result.append(Part.BEGIN_BOUNDARY + Part.CERTIFICATE + 
Part.FINISH_BOUNDARY);
@@ -181,10 +184,11 @@ public class PEMFile {
 }
 } else {
 EncryptedPrivateKeyInfo privateKeyInfo = new 
EncryptedPrivateKeyInfo(decode());
-SecretKeyFactory secretKeyFactory = 
SecretKeyFactory.getInstance(privateKeyInfo.getAlgName());
+String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo);
+SecretKeyFactory secretKeyFactory = 
SecretKeyFactory.getInstance(pbeAlgorithm);
 SecretKey secretKey = secretKeyFactory.generateSecret(new 
PBEKeySpec(password.toCharArray()));
 
-Cipher cipher = 
Cipher.getInstance(privateKeyInfo.getAlgName());
+Cipher cipher = Cipher.getInstance(pbeAlgorithm);
 cipher.init(Cipher.DECRYPT_MODE, secretKey, 
privateKeyInfo.getAlgParameters());
 
 keySpec = privateKeyInfo.getKeySpec(cipher);
@@ -211,6 +215,25 @@ public class PEMFile {
 }
 
 
+private String getPBEAlgorithm(EncryptedPrivateKeyInfo privateKeyInfo) 
{
+AlgorithmParameters parameters = privateKeyInfo.getAlgParameters();
+if (parameters != null && 
OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())) {
+/*
+ * This should be "PBEWithAnd".
+ * Relying on the toString() implementation is potentially
+ * fragile but acceptable in this case since the JRE depends on
+ * the toString() implementation as well.
+ * In the future, if necessary, we can parse the value of
+ * paremeters.getEncoded() but the associated complexity and
+ * unlikeliness of the JRE implementation changing means that
+ * Tomcat will use to toString() approach for now.
+ */
+return parameters.toString();
+}
+return privateKeyInfo.getAlgName();
+}
+
+
 /*
  * RFC5915: SEQ
  *   INT   value = 1
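Review bot: same backport as the 9.0.x commit, so the same two points apply here. The guard `OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())` only works while getAlgName() returns the dotted OID; the EncryptedPrivateKeyInfo Javadoc allows a standard name to be returned instead, and a JRE that maps the OID to "PBES2" would skip the branch and fail later in SecretKeyFactory.getInstance. Accepting `"PBES2".equals(algName)` as well closes that gap. The comment's `"PBEWithAnd"` should read `"PBEWith<prf>And<encryption>"`, "paremeters" is a typo, and "use to toString() approach" should be "use the toString() approach".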
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7c3de4e..bc9a896 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -197,6 +197,10 @@
 Avoid a potential deadlock during the concurrent processing of incoming
 HTTP/2 frames for a stream and that stream being reset. (markt)
   
+  
+65767:  Add support for certificates that use keys encrypted
+using PBES2. Based on a pull request provided by xiezhaokun. (markt)
+  
 
   
   




[Bug 65767] Add support for password-based encryption scheme 2 params (PBES2)

2022-01-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65767

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #9 from Mark Thomas  ---
Fixed in:
- 10.1.x for 10.1.0-M9 onwards
- 10.0.x for 10.0.15 onwards
- 9.0.x for 9.0.57 onwards
- 8.5.x for 8.5.74 onwards

-- 
You are receiving this mail because:
You are the assignee for the bug.



[Bug 65763] WsRemoteEndpointImplBase#sendMessageBlock cannot close session properly when have TimeoutException

2022-01-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65763

--- Comment #4 from alex  ---
(In reply to Mark Thomas from comment #3)
> Thanks for the report and the analysis.
> 
> After reviewing the code, I think catching IllegalStateException is the way
> to handle this.
> 
> Fixed in:
> - 10.1.x for 10.1.0-M9 onwards
> - 10.0.x for 10.0.15 onwards
> - 9.0.x for 9.0.57 onwards
> - 8.5.x for 8.5.74 onwards

Yes, I agree with you.
