[Bug 67626] multipart request parts require Content-Disposition: form-data, even when another multipart-subtype is used
https://bz.apache.org/bugzilla/show_bug.cgi?id=67626 Michael Osipov changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |INFORMATIONPROVIDED --- Comment #8 from Michael Osipov --- Information has been provided. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Update with the current classnames
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 0290c90916 Update with the current classnames 0290c90916 is described below commit 0290c90916bffb0fdfbee9e8e6ffcbc8f0afba96 Author: remm AuthorDate: Tue Oct 24 09:57:42 2023 +0200 Update with the current classnames --- res/checkstyle/checkstyle.xml | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/res/checkstyle/checkstyle.xml b/res/checkstyle/checkstyle.xml index 4e8b76c358..2817223348 100644 --- a/res/checkstyle/checkstyle.xml +++ b/res/checkstyle/checkstyle.xml @@ -59,9 +59,16 @@ - + + + + + + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Add jextract support tooling
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 0180dca753 Add jextract support tooling 0180dca753 is described below commit 0180dca75365f16d7829721c5274f18d0c2eb33d Author: remm AuthorDate: Tue Oct 24 10:20:50 2023 +0200 Add jextract support tooling --- res/openssl/README.md | 42 + res/openssl/addlicense.sh | 22 +++ res/openssl/license.header | 17 ++ res/openssl/openssl-tomcat.conf | 365 res/openssl/openssl.h | 31 5 files changed, 477 insertions(+) diff --git a/res/openssl/README.md b/res/openssl/README.md new file mode 100644 index 00..5fd1eba39e --- /dev/null +++ b/res/openssl/README.md @@ -0,0 +1,42 @@ +# OpenSSL support for Apache Tomcat + +## Building + +The OpenSSL API support classes can be built using jextract from Java 22+. + +jextract is now available in its own standalone repository. Clone +`https://github.com/openjdk/jextract` in some location and +checkout the branch that supports Java 22. Please refer to the +instructions from the repository for building. It should be the +`panama` branch. + +This step is only useful to be able to use additional native APIs from OpenSSL +or stdlib. + +Find include paths using `gcc -xc -E -v -`, on Fedora it is +`/usr/lib/gcc/x86_64-redhat-linux/12/include`. Edit `openssl-tomcat.conf` +accordingly to set the appropriate path. + +``` +export JEXTRACT_HOME=/jextract/build/jextract +$JEXTRACT_HOME/bin/jextract @openssl-tomcat.conf openssl.h +``` +Note: The build path for the JDK will be different on other platforms. + +The code included was generated using OpenSSL 3.0. As long as things remain +API compatible, the generated code will still work. + +The `openssl-tomcat.conf` will generate a trimmed down OpenSSL API. When +developing new features, the full API can be generated instead using: +``` +$JEXTRACT_HOME/bin/jextract --source -t org.apache.tomcat.util.openssl -lssl -I /usr/lib/gcc/x86_64-redhat-linux/12/include openssl.h --output src/main/java +``` + +The `openssl.conf` file lists all the API calls and constants that can be +generated using jextract, as a reference to what is available. Some macros are +not supported and have to be reproduced in code. + +Before committing updated generated files, they need to have the license header +added. The `addlicense.sh` script can do that and process all Java source files +in the `src/main/java/org/apache/tomcat/util/openssl` directory. + diff --git a/res/openssl/addlicense.sh b/res/openssl/addlicense.sh new file mode 100755 index 00..6349703675 --- /dev/null +++ b/res/openssl/addlicense.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +for generated in src/main/java/org/apache/tomcat/util/openssl/*.java; do +cat license.header $generated >> $generated.$$ +mv $generated.$$ $generated +echo Updated $generated +done diff --git a/res/openssl/license.header b/res/openssl/license.header new file mode 100644 index 00..4b326ae5c2 --- /dev/null +++ b/res/openssl/license.header @@ -0,0 +1,17 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + diff --git a/res/openssl/openssl-tomcat.conf b/res/openssl/openssl-tomcat.conf new file mode 100644 index 00..5fab9dc305 --- /d
[tomcat] branch main updated: Add OpenSSL bean status
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 3cf18c5c72 Add OpenSSL bean status
3cf18c5c72 is described below
commit 3cf18c5c72cc231dba9cb92909a56309022aa58f
Author: remm
AuthorDate: Tue Oct 24 10:27:11 2023 +0200
Add OpenSSL bean status
Similar to AprStatus. Not in core package though since the init code has
to live in Java, so has to be accessible from the util.net package.
---
.../tomcat/util/net/openssl/OpenSSLStatus.java | 60 ++
1 file changed, 60 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLStatus.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLStatus.java
new file mode 100644
index 00..c6beb712bb
--- /dev/null
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLStatus.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.openssl;
+
+/**
+ * Holds OpenSSL status without the need to load other classes.
+ */
+public class OpenSSLStatus {
+private static volatile boolean libraryInitialized = false;
+private static volatile boolean initialized = false;
+private static volatile boolean available = false;
+private static volatile boolean instanceCreated = false;
+
+
+public static boolean isLibraryInitialized() {
+return libraryInitialized;
+}
+
+public static boolean isInitialized() {
+return initialized;
+}
+
+public static boolean isAvailable() {
+return available;
+}
+
+public static boolean isInstanceCreated() {
+return instanceCreated;
+}
+
+public static void setLibraryInitialized(boolean libraryInitialized) {
+OpenSSLStatus.libraryInitialized = libraryInitialized;
+}
+
+public static void setInitialized(boolean initialized) {
+OpenSSLStatus.initialized = initialized;
+}
+
+public static void setAvailable(boolean available) {
+OpenSSLStatus.available = available;
+}
+
+public static void setInstanceCreated(boolean instanceCreated) {
+OpenSSLStatus.instanceCreated = instanceCreated;
+}
+}
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Update packaging for FFM packages
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new ee1f16a323 Update packaging for FFM packages
ee1f16a323 is described below
commit ee1f16a323d5e07b59f0de7a3b17cb495896f3e7
Author: remm
AuthorDate: Tue Oct 24 10:35:45 2023 +0200
Update packaging for FFM packages
Add check for Java 22 for release targets.
Add a conditional compilation for the new packages.
Remove the previous separate OpenSSL JAR.
---
build.properties.default | 12 ---
build.xml| 56
2 files changed, 37 insertions(+), 31 deletions(-)
diff --git a/build.properties.default b/build.properties.default
index b5af5f53c6..55be3deb60 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -304,18 +304,6 @@
migration-lib.home=${base.path}/migration-${migration-lib.version}
migration-lib.jar=${migration-lib.home}/jakartaee-migration-${migration-lib.version}-shaded.jar
migration-lib.loc=${base-maven.loc}/org/apache/tomcat/jakartaee-migration/${migration-lib.version}/jakartaee-migration-${migration-lib.version}-shaded.jar
-# - Tomcat OpenSSL -
-openssl-lib.version=0.1
-
-# checksums for tomcat-coyote-openssl-java17-0.1.jar
-openssl-lib.checksum.enabled=true
-openssl-lib.checksum.algorithm=MD5|SHA-1
-openssl-lib.checksum.value=xxx|xxx
-
-openssl-lib.home=${base.path}/tomcat-coyote-openssl-java17-${openssl-lib.version}
-openssl-lib.jar=${openssl-lib.home}/tomcat-coyote-openssl-java17-${openssl-lib.version}.jar
-openssl-lib.loc=${base-maven.loc}/org/apache/tomcat/tomcat-coyote-openssl-java17/${openssl-lib.version}/tomcat-coyote-openssl-java17-${openssl-lib.version}.jar
-
# - JSign, version 4.1 or later -
jsign.version=5.0
diff --git a/build.xml b/build.xml
index 6db53e552c..e1d7df31cc 100644
--- a/build.xml
+++ b/build.xml
@@ -108,6 +108,7 @@
+
@@ -246,7 +247,6 @@
-
@@ -449,6 +449,7 @@
+
@@ -533,6 +534,7 @@
+
@@ -744,6 +746,7 @@
+
@@ -883,6 +886,7 @@
+
@@ -1001,6 +1005,26 @@
-->
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1536,19 +1560,6 @@
-
-
-
@@ -1984,9 +1995,8 @@
-
-
-
+
+
@@ -2637,6 +2647,14 @@ skip.installer property in build.properties" />
+
+
+
+
+
+
+
+
@@ -2651,7 +2669,7 @@ skip.installer property in build.properties" />
-
#
-
@@ -2778,7 +2796,7 @@ asf.ldap.username=${release.asfusername}
-
+
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Fix bz67675 [tomcat]
michael-o commented on PR #674: URL: https://github.com/apache/tomcat/pull/674#issuecomment-1776767268 Built from your branch and I can confirm that this works with a selfsigned and one issued by our enterprise CA. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Buildbot failure in on tomcat-11.0.x
Build status: BUILD FAILED: failed compile (failure) Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/112/builds/701 Blamelist: remm Build Text: failed compile (failure) Status Detected: new failure Build Source Stamp: [branch main] ee1f16a323d5e07b59f0de7a3b17cb495896f3e7 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 2 -- ASF Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Fix bz67675 [tomcat]
markt-asf commented on PR #674: URL: https://github.com/apache/tomcat/pull/674#issuecomment-1776785906 Added a test key using AES128 (test passed without additional code changes). Fixed typo. Removed debug code that wasn't intended to be part of the commit. I might be persuaded to include Kerby ASN.1 although I'm not a fan of additional dependencies. We'd need to shade it if we did. Something to consider alongside the whether we want to change how we handle the Commons packages. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Buildbot failure in on tomcat-11.0.x
This was triggered by the switch to Java 22. I'm going to need to update the CI. The Tomcat 11 builds are going to fail until I get that done. Mark On 24/10/2023 09:45, build...@apache.org wrote: Build status: BUILD FAILED: failed compile (failure) Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/112/builds/701 Blamelist: remm Build Text: failed compile (failure) Status Detected: new failure Build Source Stamp: [branch main] ee1f16a323d5e07b59f0de7a3b17cb495896f3e7 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 2 -- ASF Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Fix bz67675 [tomcat]
michael-o commented on PR #674: URL: https://github.com/apache/tomcat/pull/674#issuecomment-1776796215 Yes, through shading only to make them private. Looking at the vast amount of code you have written already I bet that ther are also others which would like to use such a PEM to Java Keystore converter. I consider it a pain everytime to have the tripe of key, cert and password and them being forced just for Java to convert it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Disable release Java version check for now
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new d9e8cc5cef Disable release Java version check for now d9e8cc5cef is described below commit d9e8cc5cef71c006e19e73a9675fa1c13d2f0529 Author: remm AuthorDate: Tue Oct 24 10:59:27 2023 +0200 Disable release Java version check for now I forgot CI was using the release target. --- build.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/build.xml b/build.xml index e1d7df31cc..12c720846e 100644 --- a/build.xml +++ b/build.xml @@ -2648,11 +2648,12 @@ skip.installer property in build.properties" /> - + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Avoid testsuite failures
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 853e49b670 Avoid testsuite failures
853e49b670 is described below
commit 853e49b67041fe57183f4d55e1eaf50e20c12b49
Author: remm
AuthorDate: Tue Oct 24 11:01:16 2023 +0200
Avoid testsuite failures
Class version checks produce errors.
---
test/org/apache/tomcat/util/net/TesterSupport.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java
b/test/org/apache/tomcat/util/net/TesterSupport.java
index 03eb1d9bb9..716f1798d6 100644
--- a/test/org/apache/tomcat/util/net/TesterSupport.java
+++ b/test/org/apache/tomcat/util/net/TesterSupport.java
@@ -240,8 +240,8 @@ public final class TesterSupport {
public static void configureSSLImplementation(Tomcat tomcat, String
sslImplementationName) {
try {
Class.forName(sslImplementationName);
-} catch (Exception e) {
-Assume.assumeNoException(e);
+} catch (Throwable t) {
+Assume.assumeNoException(t);
}
Assert.assertTrue(tomcat.getConnector().setProperty("sslImplementationName",
sslImplementationName));
}
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Buildbot failure in on tomcat-11.0.x
On Tue, Oct 24, 2023 at 10:51 AM Mark Thomas wrote: > > This was triggered by the switch to Java 22. > > I'm going to need to update the CI. The Tomcat 11 builds are going to > fail until I get that done. That was not intended, I simply forgot this CI was using the release target (the github one does not, it uses deploy). Disabling the check for now is easier until CI can reasonably have Java 22 available. Sorry for the trouble ... Rémy > Mark > > > On 24/10/2023 09:45, build...@apache.org wrote: > > Build status: BUILD FAILED: failed compile (failure) > > Worker used: bb_worker2_ubuntu > > URL: https://ci2.apache.org/#builders/112/builds/701 > > Blamelist: remm > > Build Text: failed compile (failure) > > Status Detected: new failure > > Build Source Stamp: [branch main] ee1f16a323d5e07b59f0de7a3b17cb495896f3e7 > > > > > > Steps: > > > >worker_preparation: 0 > > > >git: 0 > > > >shell: 0 > > > >shell_1: 0 > > > >shell_2: 0 > > > >shell_3: 0 > > > >shell_4: 0 > > > >shell_5: 0 > > > >compile: 2 > > > > > > -- ASF Buildbot > > > > > > - > > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: dev-h...@tomcat.apache.org > > > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Add message when not using Java 22 for release
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 1185ad1154 Add message when not using Java 22 for release 1185ad1154 is described below commit 1185ad1154cdbb8003efd29eeb1ccf95c87bdc56 Author: remm AuthorDate: Tue Oct 24 11:15:44 2023 +0200 Add message when not using Java 22 for release Filter out packages with FFM API from javadoc. --- build.xml | 6 ++ 1 file changed, 6 insertions(+) diff --git a/build.xml b/build.xml index 12c720846e..e3cca8f964 100644 --- a/build.xml +++ b/build.xml @@ -2366,6 +2366,8 @@ + + @@ -2654,6 +2656,10 @@ skip.installer property in build.properties" /> --> + + + + JAVA VERSION 22 OR NEWER IS REQUIRED FOR RELEASE - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Update coyote package with the new classes
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new e6a9c554e8 Update coyote package with the new classes e6a9c554e8 is described below commit e6a9c554e852f5b5c533513587386e5614d161b5 Author: remm AuthorDate: Tue Oct 24 11:23:17 2023 +0200 Update coyote package with the new classes --- res/bnd/tomcat-coyote.jar.tmp.bnd | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/res/bnd/tomcat-coyote.jar.tmp.bnd b/res/bnd/tomcat-coyote.jar.tmp.bnd index 0f9314adf3..9900a31ccc 100644 --- a/res/bnd/tomcat-coyote.jar.tmp.bnd +++ b/res/bnd/tomcat-coyote.jar.tmp.bnd @@ -37,7 +37,9 @@ Export-Package: \ org.apache.tomcat.util.net,\ org.apache.tomcat.util.net.jsse,\ org.apache.tomcat.util.net.openssl,\ -org.apache.tomcat.util.net.openssl.ciphers +org.apache.tomcat.util.net.openssl.ciphers,\ +org.apache.tomcat.util.net.openssl.panama,\ +org.apache.tomcat.util.openssl -includepackage: \ org.apache.tomcat.util.bcel,\ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Tab police
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new d6f0a0b9d5 Tab police d6f0a0b9d5 is described below commit d6f0a0b9d53993f272dcf68d1ea927524889b687 Author: remm AuthorDate: Tue Oct 24 11:30:44 2023 +0200 Tab police --- build.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build.xml b/build.xml index e3cca8f964..435fe88c9e 100644 --- a/build.xml +++ b/build.xml @@ -2650,8 +2650,8 @@ skip.installer property in build.properties" /> -
[tomcat] branch main updated: Add lifecycle listener for OpenSSL
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 081ef1674c Add lifecycle listener for OpenSSL
081ef1674c is described below
commit 081ef1674cfbbc62f737a159deb8f7c1a3a9f9ca
Author: remm
AuthorDate: Tue Oct 24 11:35:02 2023 +0200
Add lifecycle listener for OpenSSL
Using reflection unfortunately.
Add the switch to OpenSSL if loaded in the connector, similar to the APR
switch.
---
java/org/apache/catalina/connector/Connector.java | 12 +-
.../apache/catalina/core/LocalStrings.properties | 5 +
.../catalina/core/OpenSSLLifecycleListener.java| 191 +
webapps/docs/config/listeners.xml | 54 ++
4 files changed, 261 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/connector/Connector.java
b/java/org/apache/catalina/connector/Connector.java
index 9202c0aa8b..5ef50ca140 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -41,8 +41,10 @@ import org.apache.tomcat.util.IntrospectionUtils;
import org.apache.tomcat.util.buf.B2CConverter;
import org.apache.tomcat.util.buf.CharsetUtil;
import org.apache.tomcat.util.buf.EncodedSolidusHandling;
+import org.apache.tomcat.util.compat.JreCompat;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.openssl.OpenSSLImplementation;
+import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
import org.apache.tomcat.util.res.StringManager;
@@ -1006,7 +1008,15 @@ public class Connector extends LifecycleMBeanBase {
setParseBodyMethods(getParseBodyMethods());
}
-if (AprStatus.isAprAvailable() && AprStatus.getUseOpenSSL() &&
+if (JreCompat.isJre22Available() && OpenSSLStatus.isAvailable()
+&& protocolHandler instanceof AbstractHttp11Protocol) {
+AbstractHttp11Protocol jsseProtocolHandler =
(AbstractHttp11Protocol) protocolHandler;
+if (jsseProtocolHandler.isSSLEnabled() &&
jsseProtocolHandler.getSslImplementationName() == null) {
+// OpenSSL is compatible with the JSSE configuration, so use
it if it is available
+jsseProtocolHandler.setSslImplementationName
+
("org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation");
+}
+} else if (AprStatus.isAprAvailable() && AprStatus.getUseOpenSSL() &&
protocolHandler instanceof AbstractHttp11Protocol) {
AbstractHttp11Protocol jsseProtocolHandler =
(AbstractHttp11Protocol) protocolHandler;
if (jsseProtocolHandler.isSSLEnabled() &&
jsseProtocolHandler.getSslImplementationName() == null) {
diff --git a/java/org/apache/catalina/core/LocalStrings.properties
b/java/org/apache/catalina/core/LocalStrings.properties
index e737d23ff8..d4c6acb2e7 100644
--- a/java/org/apache/catalina/core/LocalStrings.properties
+++ b/java/org/apache/catalina/core/LocalStrings.properties
@@ -160,6 +160,11 @@ naming.wsdlFailed=Failed to find wsdl file: [{0}]
noPluggabilityServletContext.notAllowed=Section 4.4 of the Servlet 3.0
specification does not permit this method to be called from a
ServletContextListener that was not defined in web.xml, a web-fragment.xml file
nor annotated with @WebListener
+openssllistener.destroy=Failed shutdown of OpenSSL
+openssllistener.initializeFIPSFailed=Failed to enter FIPS mode
+openssllistener.java22=Tomcat OpenSSL support requires the FFM API which is
available in Java 22 and newer, tomcat-native should be used instead
+openssllistener.sslInit=Failed to initialize the SSLEngine.
+
propertiesRoleMappingListener.roleMappingFileNull=Role mapping file cannot be
null
propertiesRoleMappingListener.roleMappingFileEmpty=Role mapping file cannot be
empty
propertiesRoleMappingListener.roleMappingFileFail=Failed to load role mapping
file [{0}]
diff --git a/java/org/apache/catalina/core/OpenSSLLifecycleListener.java
b/java/org/apache/catalina/core/OpenSSLLifecycleListener.java
new file mode 100644
index 00..c5bb8f7e6f
--- /dev/null
+++ b/java/org/apache/catalina/core/OpenSSLLifecycleListener.java
@@ -0,0 +1,191 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BAS
[tomcat] branch main updated: Use FFM to resolve OpenSSL profiles
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new d96ab437d6 Use FFM to resolve OpenSSL profiles
d96ab437d6 is described below
commit d96ab437d6be7fffdc07817ff2b1c988d74be1c2
Author: remm
AuthorDate: Tue Oct 24 11:53:48 2023 +0200
Use FFM to resolve OpenSSL profiles
---
java/org/apache/tomcat/util/net/SSLUtilBase.java| 4 ++--
.../ciphers/OpenSSLCipherConfigurationParser.java | 21 +++--
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java
b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index 70735293eb..410a80c5d8 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -59,6 +59,7 @@ import javax.net.ssl.X509KeyManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.compat.JreCompat;
import org.apache.tomcat.util.file.ConfigFileLoader;
import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
import org.apache.tomcat.util.net.jsse.PEMFile;
@@ -124,9 +125,8 @@ public abstract class SSLUtilBase implements SSLUtil {
sslHostConfig.setTls13RenegotiationAvailable(isTls13RenegAuthAvailable());
// Calculate the enabled ciphers
-if (/*!JreCompat.isJre22Available() &&
*/sslHostConfig.getCiphers().startsWith("PROFILE=")) {
+if (!JreCompat.isJre22Available() &&
sslHostConfig.getCiphers().startsWith("PROFILE=")) {
// OpenSSL profiles cannot be resolved without Java 22
-// TODO: sslHostConfig should query that with Panama if possible
this.enabledCiphers = new String[0];
} else {
boolean warnOnSkip =
!sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS);
diff --git
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 2599bf24c2..917f72074a 100644
---
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -30,7 +30,10 @@ import java.util.Set;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.compat.JreCompat;
import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
import org.apache.tomcat.util.res.StringManager;
/**
@@ -714,13 +717,20 @@ public class OpenSSLCipherConfigurationParser {
String[] elements = expression.split(SEPARATOR);
// Handle PROFILE= using OpenSSL (if present, otherwise warn), then
replace elements with that
if (elements.length == 1 && elements[0].startsWith("PROFILE=")) {
-// Only use with Panama and if OpenSSL has been successfully
loaded before
-/* FIXME: Merge OpenSSL Panama code
+// Only use with Java 22 and if OpenSSL has been successfully
loaded before
if (JreCompat.isJre22Available()) {
if (OpenSSLStatus.isLibraryInitialized()) {
-List cipherList =
OpenSSLLibrary.findCiphers(elements[0]);
-// Replace the original list with the profile contents
-elements = cipherList.toArray(new String[0]);
+try {
+Class openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+@SuppressWarnings("unchecked")
+List cipherList = (List)
openSSLLibraryClass.getMethod("findCiphers").invoke(null, elements[0]);
+// Replace the original list with the profile contents
+elements = cipherList.toArray(new String[0]);
+} catch (Throwable t) {
+t = ExceptionUtils.unwrapInvocationTargetException(t);
+ExceptionUtils.handleThrowable(t);
+
log.error(sm.getString("opensslCipherConfigurationParser.unknownProfile",
elements[0]), t);
+}
} else {
// OpenSSL is not available
log.error(sm.getString("opensslCipherConfigurationParser.unknownProfile",
elements[0]));
@@ -730,7 +740,6 @@ public class OpenSSLCipherConfigurationParser {
// but it might still work if using tomcat-native
log.info(sm.getString("opensslCipherConfigurationParser.unknownProfile",
elements[0]));
}
-*/
}
LinkedHashSet ciphers = new LinkedHashSet
Buildbot success in on tomcat-11.0.x
Build status: Build succeeded! Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/112/builds/704 Blamelist: remm Build Text: build successful Status Detected: restored build Build Source Stamp: [branch main] 1185ad1154cdbb8003efd29eeb1ccf95c87bdc56 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 1 shell_6: 0 shell_7: 0 shell_8: 0 shell_9: 0 Rsync docs to nightlies.apache.org: 0 shell_10: 0 Rsync RAT to nightlies.apache.org: 0 compile_1: 1 shell_11: 0 Rsync Logs to nightlies.apache.org: 0 -- ASF Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Buildbot failure in on tomcat-11.0.x
On 24/10/2023 10:04, Rémy Maucherat wrote: On Tue, Oct 24, 2023 at 10:51 AM Mark Thomas wrote: This was triggered by the switch to Java 22. I'm going to need to update the CI. The Tomcat 11 builds are going to fail until I get that done. That was not intended, I simply forgot this CI was using the release target (the github one does not, it uses deploy). Disabling the check for now is easier until CI can reasonably have Java 22 available. Sorry for the trouble ... No problem. I've filed INFRA-25120 to make the Java 22 EA 20 available on the buildbot nodes. Once it is, I'll update the CI build and report back. I'll also switch Gump to Java 22. Mark Rémy Mark On 24/10/2023 09:45, build...@apache.org wrote: Build status: BUILD FAILED: failed compile (failure) Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/112/builds/701 Blamelist: remm Build Text: failed compile (failure) Status Detected: new failure Build Source Stamp: [branch main] ee1f16a323d5e07b59f0de7a3b17cb495896f3e7 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 2 -- ASF Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Add changelog entry for OpenSSL FFM
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 2c7dfdaf12 Add changelog entry for OpenSSL FFM 2c7dfdaf12 is described below commit 2c7dfdaf12c6e6e9a025b1b5a5ad518d83578804 Author: remm AuthorDate: Tue Oct 24 13:43:27 2023 +0200 Add changelog entry for OpenSSL FFM --- webapps/docs/changelog.xml | 7 +++ 1 file changed, 7 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 3b927d8e04..1407c192ca 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -139,6 +139,13 @@ automatically call setCertificateKeystoreType(ks.getType()). (markt) + +Add OpenSSL integration using the FFM API rather than Tomcat Native. +OpenSSL support may be enabled by adding the +org.apache.catalina.core.OpenSSLLifecycleListener +listener on the Server element when using Java 22 +or later. (remm) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Improve library path to do both
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 69bb6ac2b1 Improve library path to do both 69bb6ac2b1 is described below commit 69bb6ac2b192c66768340a57cc1c3e16bffa8b8a Author: remm AuthorDate: Tue Oct 24 14:31:01 2023 +0200 Improve library path to do both --- build.xml | 11 +-- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/build.xml b/build.xml index 435fe88c9e..0e04b2c0f0 100644 --- a/build.xml +++ b/build.xml @@ -1971,11 +1971,6 @@ extension=".NIO2" /> - - - - @@ -1994,11 +1989,7 @@ - - - - - + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Added option to use custom SSLContext [tomcat]
Hakky54 commented on PR #673: URL: https://github.com/apache/tomcat/pull/673#issuecomment-1777163986 I am not sure whether you would consider to have this option at all. Would you prefer me to close the issue? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Fix paths
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 233385f400 Fix paths 233385f400 is described below commit 233385f4008f90a2e2d2d9ca38101abbc0e05095 Author: remm AuthorDate: Tue Oct 24 16:56:17 2023 +0200 Fix paths --- res/openssl/addlicense.sh | 2 +- res/openssl/openssl-tomcat.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/res/openssl/addlicense.sh b/res/openssl/addlicense.sh index 6349703675..4ab5e3894b 100755 --- a/res/openssl/addlicense.sh +++ b/res/openssl/addlicense.sh @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -for generated in src/main/java/org/apache/tomcat/util/openssl/*.java; do +for generated in ../../java/org/apache/tomcat/util/openssl/*.java; do cat license.header $generated >> $generated.$$ mv $generated.$$ $generated echo Updated $generated diff --git a/res/openssl/openssl-tomcat.conf b/res/openssl/openssl-tomcat.conf index 5fab9dc305..9aabb7914b 100644 --- a/res/openssl/openssl-tomcat.conf +++ b/res/openssl/openssl-tomcat.conf @@ -18,7 +18,7 @@ -lssl # Configure include path -I /usr/lib/gcc/x86_64-redhat-linux/12/include ---output src/main/java +--output ../../java Extracted from: /usr/include/openssl/asn1.h - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: JDK 21 Is Now GA, a New VS Code Extension, and an Annotation Processing Heads-up
On 20/10/2023 10:41, David Delabassee wrote: Needless to say, that Java 21 is an important release, so may I ask you to send me a brief email with the Java 21 support status of your project(s): Already supported - Plan to support short-term - Don't plan to support short-term ? Java 21 (and virtual threads) already supported for all current Tomcat versions (8.5.x, 9.0.x, 10.1.x and 11.0.x) Kind regards, Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Update RAT excludes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 1735458339 Update RAT excludes 1735458339 is described below commit 173545833905e8c59c76fc8e3a34069e61671473 Author: Mark Thomas AuthorDate: Tue Oct 24 17:33:27 2023 +0100 Update RAT excludes Mainly Javadoc generation changes. Some new test files. --- res/rat/rat-excludes.txt | 24 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/res/rat/rat-excludes.txt b/res/rat/rat-excludes.txt index dffcc1bcef..b200c22a2a 100644 --- a/res/rat/rat-excludes.txt +++ b/res/rat/rat-excludes.txt @@ -69,14 +69,23 @@ output/deployer/deployer-howto.html **/MANIFEST.MF **/*.manifest +output/dist/webapps/docs/*/copy.svg output/dist/webapps/docs/*/element-list output/dist/webapps/docs/*/jquery/** +output/dist/webapps/docs/*/legal/** output/dist/webapps/docs/*/member-search-index.js +output/dist/webapps/docs/*/module-search-index.js output/dist/webapps/docs/*/package-search-index.js +output/dist/webapps/docs/*/script.js +output/dist/webapps/docs/*/script-dir/** output/dist/webapps/docs/*/search.js +output/dist/webapps/docs/*/search-page.js +output/dist/webapps/docs/*/tag-search-index.js output/dist/webapps/docs/*/type-search-index.js -output/dist/webapps/docs/*/script.js +output/dist/src/test/org/apache/tomcat/util/net/jsse/key-password +output/dist/src/test/org/apache/tomcat/util/net/key-password +output/dist/src/test/org/apache/tomcat/util/net/keystore-password output/dist/src/test/webapp/404.html output/dist/src/test/webapp/index.html.br output/dist/src/test/webapp/bug49nnn/bug49464-cp1252.txt @@ -86,10 +95,15 @@ output/dist/src/test/webapp/bug49nnn/bug49464-utf-8-bom.txt output/dist/src/test/webapp/bug49nnn/bug49464-utf-8.txt output/dist/src/test/webapp/bug53257/*.txt output/dist/src/test/webapp/bug53257/foo bar/foobar.txt +output/dist/src/test/webapp/bug66609/a&a.txt +output/dist/src/test/webapp/bug66609/b'b.txt output/dist/src/test/webapp-fragments/WEB-INF/classes/*.txt output/dist/src/test/webresources/dir1/d1/d1-f1.txt output/dist/src/test/webresources/dir1/d2/d2-f1.txt output/dist/src/test/webresources/dir1/*.txt +test/org/apache/tomcat/util/net/jsse/key-password +test/org/apache/tomcat/util/net/key-password +test/org/apache/tomcat/util/net/keystore-password test/webapp/404.html test/webapp/index.html.br test/webapp/bug49nnn/bug49464-cp1252.txt @@ -99,6 +113,8 @@ test/webapp/bug49nnn/bug49464-utf-8-bom.txt test/webapp/bug49nnn/bug49464-utf-8.txt test/webapp/bug53257/*.txt test/webapp/bug53257/foo bar/foobar.txt +test/webapp/bug66609/a&a.txt +test/webapp/bug66609/b'b.txt test/webapp-fragments/WEB-INF/classes/*.txt test/webresources/dir1/d1/d1-f1.txt test/webresources/dir1/d2/d2-f1.txt @@ -110,9 +126,9 @@ test/webresources/dir1/*.txt build.properties res/maven/mvn.properties -output/dist/confinstall/tomcat-users_2.xml -output/dist/src/res/confinstall/tomcat-users_2.xml -res/confinstall/tomcat-users_2.xml +output/dist/src/res/install-win/tomcat-users_2.xml +output/dist/tomcat-users_2.xml +res/install-win/tomcat-users_2.xml java/jakarta/servlet/resources/javaee_5.xsd java/jakarta/servlet/resources/javaee_6.xsd - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Update RAT excludes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new dd1a3379bb Update RAT excludes dd1a3379bb is described below commit dd1a3379bb7f090191fb14d3e20c0a5e2bca024d Author: Mark Thomas AuthorDate: Tue Oct 24 17:33:27 2023 +0100 Update RAT excludes Mainly Javadoc generation changes. Some new test files. --- res/rat/rat-excludes.txt | 24 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/res/rat/rat-excludes.txt b/res/rat/rat-excludes.txt index 4b69f950ca..d17c73d62f 100644 --- a/res/rat/rat-excludes.txt +++ b/res/rat/rat-excludes.txt @@ -69,14 +69,23 @@ output/deployer/deployer-howto.html **/MANIFEST.MF **/*.manifest +output/dist/webapps/docs/*/copy.svg output/dist/webapps/docs/*/element-list output/dist/webapps/docs/*/jquery/** +output/dist/webapps/docs/*/legal/** output/dist/webapps/docs/*/member-search-index.js +output/dist/webapps/docs/*/module-search-index.js output/dist/webapps/docs/*/package-search-index.js +output/dist/webapps/docs/*/script.js +output/dist/webapps/docs/*/script-dir/** output/dist/webapps/docs/*/search.js +output/dist/webapps/docs/*/search-page.js +output/dist/webapps/docs/*/tag-search-index.js output/dist/webapps/docs/*/type-search-index.js -output/dist/webapps/docs/*/script.js +output/dist/src/test/org/apache/tomcat/util/net/jsse/key-password +output/dist/src/test/org/apache/tomcat/util/net/key-password +output/dist/src/test/org/apache/tomcat/util/net/keystore-password output/dist/src/test/webapp/404.html output/dist/src/test/webapp/index.html.br output/dist/src/test/webapp/bug49nnn/bug49464-cp1252.txt @@ -86,10 +95,15 @@ output/dist/src/test/webapp/bug49nnn/bug49464-utf-8-bom.txt output/dist/src/test/webapp/bug49nnn/bug49464-utf-8.txt output/dist/src/test/webapp/bug53257/*.txt output/dist/src/test/webapp/bug53257/foo bar/foobar.txt +output/dist/src/test/webapp/bug66609/a&a.txt +output/dist/src/test/webapp/bug66609/b'b.txt output/dist/src/test/webapp-fragments/WEB-INF/classes/*.txt output/dist/src/test/webresources/dir1/d1/d1-f1.txt output/dist/src/test/webresources/dir1/d2/d2-f1.txt output/dist/src/test/webresources/dir1/*.txt +test/org/apache/tomcat/util/net/jsse/key-password +test/org/apache/tomcat/util/net/key-password +test/org/apache/tomcat/util/net/keystore-password test/webapp/404.html test/webapp/index.html.br test/webapp/bug49nnn/bug49464-cp1252.txt @@ -99,6 +113,8 @@ test/webapp/bug49nnn/bug49464-utf-8-bom.txt test/webapp/bug49nnn/bug49464-utf-8.txt test/webapp/bug53257/*.txt test/webapp/bug53257/foo bar/foobar.txt +test/webapp/bug66609/a&a.txt +test/webapp/bug66609/b'b.txt test/webapp-fragments/WEB-INF/classes/*.txt test/webresources/dir1/d1/d1-f1.txt test/webresources/dir1/d2/d2-f1.txt @@ -110,9 +126,9 @@ test/webresources/dir1/*.txt build.properties res/maven/mvn.properties -output/dist/confinstall/tomcat-users_2.xml -output/dist/src/res/confinstall/tomcat-users_2.xml -res/confinstall/tomcat-users_2.xml +output/dist/src/res/install-win/tomcat-users_2.xml +output/dist/tomcat-users_2.xml +res/install-win/tomcat-users_2.xml java/jakarta/servlet/resources/javaee_5.xsd java/jakarta/servlet/resources/javaee_6.xsd - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Update RAT excludes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 8a67ad52da Update RAT excludes 8a67ad52da is described below commit 8a67ad52da8e3a63f9de4a062a7723e317dd44eb Author: Mark Thomas AuthorDate: Tue Oct 24 17:33:27 2023 +0100 Update RAT excludes Mainly Javadoc generation changes. Some new test files. --- res/rat/rat-excludes.txt | 31 ++- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/res/rat/rat-excludes.txt b/res/rat/rat-excludes.txt index 617ffde5eb..46e813807b 100644 --- a/res/rat/rat-excludes.txt +++ b/res/rat/rat-excludes.txt @@ -69,9 +69,23 @@ output/deployer/deployer-howto.html **/MANIFEST.MF **/*.manifest -output/dist/webapps/docs/*/package-list +output/dist/webapps/docs/*/copy.svg +output/dist/webapps/docs/*/element-list +output/dist/webapps/docs/*/jquery/** +output/dist/webapps/docs/*/legal/** +output/dist/webapps/docs/*/member-search-index.js +output/dist/webapps/docs/*/module-search-index.js +output/dist/webapps/docs/*/package-search-index.js output/dist/webapps/docs/*/script.js - +output/dist/webapps/docs/*/script-dir/** +output/dist/webapps/docs/*/search.js +output/dist/webapps/docs/*/search-page.js +output/dist/webapps/docs/*/tag-search-index.js +output/dist/webapps/docs/*/type-search-index.js + +output/dist/src/test/org/apache/tomcat/util/net/jsse/key-password +output/dist/src/test/org/apache/tomcat/util/net/key-password +output/dist/src/test/org/apache/tomcat/util/net/keystore-password output/dist/src/test/webapp/404.html output/dist/src/test/webapp/index.html.br output/dist/src/test/webapp/bug49nnn/bug49464-cp1252.txt @@ -81,10 +95,15 @@ output/dist/src/test/webapp/bug49nnn/bug49464-utf-8-bom.txt output/dist/src/test/webapp/bug49nnn/bug49464-utf-8.txt output/dist/src/test/webapp/bug53257/*.txt output/dist/src/test/webapp/bug53257/foo bar/foobar.txt +output/dist/src/test/webapp/bug66609/a&a.txt +output/dist/src/test/webapp/bug66609/b'b.txt output/dist/src/test/webapp-fragments/WEB-INF/classes/*.txt output/dist/src/test/webresources/dir1/d1/d1-f1.txt output/dist/src/test/webresources/dir1/d2/d2-f1.txt output/dist/src/test/webresources/dir1/*.txt +test/org/apache/tomcat/util/net/jsse/key-password +test/org/apache/tomcat/util/net/key-password +test/org/apache/tomcat/util/net/keystore-password test/webapp/404.html test/webapp/index.html.br test/webapp/bug49nnn/bug49464-cp1252.txt @@ -94,6 +113,8 @@ test/webapp/bug49nnn/bug49464-utf-8-bom.txt test/webapp/bug49nnn/bug49464-utf-8.txt test/webapp/bug53257/*.txt test/webapp/bug53257/foo bar/foobar.txt +test/webapp/bug66609/a&a.txt +test/webapp/bug66609/b'b.txt test/webapp-fragments/WEB-INF/classes/*.txt test/webresources/dir1/d1/d1-f1.txt test/webresources/dir1/d2/d2-f1.txt @@ -105,9 +126,9 @@ test/webresources/dir1/*.txt build.properties res/maven/mvn.properties -output/dist/confinstall/tomcat-users_2.xml -output/dist/src/res/confinstall/tomcat-users_2.xml -res/confinstall/tomcat-users_2.xml +output/dist/src/res/install-win/tomcat-users_2.xml +output/dist/tomcat-users_2.xml +res/install-win/tomcat-users_2.xml java/javax/servlet/resources/javaee_5.xsd java/javax/servlet/resources/javaee_6.xsd - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Update RAT excludes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 9867f363cf Update RAT excludes 9867f363cf is described below commit 9867f363cf8ae03955688e68987a7299d7a51b9d Author: Mark Thomas AuthorDate: Tue Oct 24 17:33:27 2023 +0100 Update RAT excludes Mainly Javadoc generation changes. Some new test files. --- res/rat/rat-excludes.txt | 31 ++- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/res/rat/rat-excludes.txt b/res/rat/rat-excludes.txt index a033c97c0f..8304edcbf2 100644 --- a/res/rat/rat-excludes.txt +++ b/res/rat/rat-excludes.txt @@ -69,9 +69,23 @@ output/deployer/deployer-howto.html **/MANIFEST.MF **/*.manifest -output/dist/webapps/docs/*/package-list +output/dist/webapps/docs/*/copy.svg +output/dist/webapps/docs/*/element-list +output/dist/webapps/docs/*/jquery/** +output/dist/webapps/docs/*/legal/** +output/dist/webapps/docs/*/member-search-index.js +output/dist/webapps/docs/*/module-search-index.js +output/dist/webapps/docs/*/package-search-index.js output/dist/webapps/docs/*/script.js - +output/dist/webapps/docs/*/script-dir/** +output/dist/webapps/docs/*/search.js +output/dist/webapps/docs/*/search-page.js +output/dist/webapps/docs/*/tag-search-index.js +output/dist/webapps/docs/*/type-search-index.js + +output/dist/src/test/org/apache/tomcat/util/net/jsse/key-password +output/dist/src/test/org/apache/tomcat/util/net/key-password +output/dist/src/test/org/apache/tomcat/util/net/keystore-password output/dist/src/test/webapp/404.html output/dist/src/test/webapp/index.html.br output/dist/src/test/webapp/bug49nnn/bug49464-cp1252.txt @@ -81,10 +95,15 @@ output/dist/src/test/webapp/bug49nnn/bug49464-utf-8-bom.txt output/dist/src/test/webapp/bug49nnn/bug49464-utf-8.txt output/dist/src/test/webapp/bug53257/*.txt output/dist/src/test/webapp/bug53257/foo bar/foobar.txt +output/dist/src/test/webapp/bug66609/a&a.txt +output/dist/src/test/webapp/bug66609/b'b.txt output/dist/src/test/webapp-fragments/WEB-INF/classes/*.txt output/dist/src/test/webresources/dir1/d1/d1-f1.txt output/dist/src/test/webresources/dir1/d2/d2-f1.txt output/dist/src/test/webresources/dir1/*.txt +test/org/apache/tomcat/util/net/jsse/key-password +test/org/apache/tomcat/util/net/key-password +test/org/apache/tomcat/util/net/keystore-password test/webapp/404.html test/webapp/index.html.br test/webapp/bug49nnn/bug49464-cp1252.txt @@ -94,6 +113,8 @@ test/webapp/bug49nnn/bug49464-utf-8-bom.txt test/webapp/bug49nnn/bug49464-utf-8.txt test/webapp/bug53257/*.txt test/webapp/bug53257/foo bar/foobar.txt +test/webapp/bug66609/a&a.txt +test/webapp/bug66609/b'b.txt test/webapp-fragments/WEB-INF/classes/*.txt test/webresources/dir1/d1/d1-f1.txt test/webresources/dir1/d2/d2-f1.txt @@ -105,9 +126,9 @@ test/webresources/dir1/*.txt build.properties res/maven/mvn.properties -output/dist/confinstall/tomcat-users_2.xml -output/dist/src/res/confinstall/tomcat-users_2.xml -res/confinstall/tomcat-users_2.xml +output/dist/src/res/install-win/tomcat-users_2.xml +output/dist/tomcat-users_2.xml +res/install-win/tomcat-users_2.xml java/javax/servlet/resources/javaee_5.xsd java/javax/servlet/resources/javaee_6.xsd - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Fix bz67675 [tomcat]
markt-asf merged PR #674: URL: https://github.com/apache/tomcat/pull/674 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 01/03: Differentiate between IV and salt (the IV is re-used as salt)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 6f239ca39aad47d7010506c9ec3d5e1ab1918006
Author: Mark Thomas
AuthorDate: Fri Oct 20 08:51:36 2023 +0100
Differentiate between IV and salt (the IV is re-used as salt)
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 7bed5bddbd..b8705c4aab 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -286,6 +286,7 @@ public class PEMFile {
}
byte[] iv = fromHex(ivHex);
+// The IV is also used as salt for the password generation
byte[] key = deriveKey(keyLength, password, iv);
SecretKey secretKey = new SecretKeySpec(key,
secretKeyAlgorithm);
Cipher cipher = Cipher.getInstance(cipherTransformation);
@@ -337,7 +338,7 @@ public class PEMFile {
}
-private byte[] deriveKey(int keyLength, String password, byte[] iv)
throws NoSuchAlgorithmException {
+private byte[] deriveKey(int keyLength, String password, byte[] salt)
throws NoSuchAlgorithmException {
// PBKDF1-MD5 as specified by PKCS#5
byte[] key = new byte[keyLength];
@@ -348,7 +349,7 @@ public class PEMFile {
while (insertPosition < keyLength) {
digest.update(pw);
-digest.update(iv, 0, 8);
+digest.update(salt, 0, 8);
byte[] round = digest.digest();
digest.update(round);
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated (1735458339 -> 0f70d313da)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
from 1735458339 Update RAT excludes
new 6f239ca39a Differentiate between IV and salt (the IV is re-used as
salt)
new bd7ff6e3c5 Fix BZ 67675 - Expand the PBKDF2 and cipher combinations
supported
new 0f70d313da Format
The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
java/org/apache/tomcat/util/buf/Asn1Parser.java| 48 ++-
.../tomcat/util/net/jsse/LocalStrings.properties | 5 +
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 395 +++--
.../apache/tomcat/util/net/jsse/TestPEMFile.java | 20 +-
.../key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem | 54 +++
...key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} | 0
...key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem | 54 +++
7 files changed, 462 insertions(+), 114 deletions(-)
create mode 100644
test/org/apache/tomcat/util/net/jsse/key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem
rename test/org/apache/tomcat/util/net/jsse/{key-encrypted-pkcs8.pem =>
key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} (100%)
create mode 100644
test/org/apache/tomcat/util/net/jsse/key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 02/03: Fix BZ 67675 - Expand the PBKDF2 and cipher combinations supported
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit bd7ff6e3c513bd437bac993121dd6bcd62f229c1
Author: Mark Thomas
AuthorDate: Fri Oct 20 15:54:33 2023 +0100
Fix BZ 67675 - Expand the PBKDF2 and cipher combinations supported
Java only directly supports a sub-set of the possible combinations.
Process the PBKDF2 configuration and cipher configuration
separately thereby increasing the range or supported combinations.
---
java/org/apache/tomcat/util/buf/Asn1Parser.java| 48 ++-
.../tomcat/util/net/jsse/LocalStrings.properties | 5 +
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 324 -
.../apache/tomcat/util/net/jsse/TestPEMFile.java | 20 +-
.../key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem | 54
...key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} | 0
...key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem | 54
7 files changed, 430 insertions(+), 75 deletions(-)
diff --git a/java/org/apache/tomcat/util/buf/Asn1Parser.java
b/java/org/apache/tomcat/util/buf/Asn1Parser.java
index e32e71886f..92d13c02a8 100644
--- a/java/org/apache/tomcat/util/buf/Asn1Parser.java
+++ b/java/org/apache/tomcat/util/buf/Asn1Parser.java
@@ -30,6 +30,13 @@ public class Asn1Parser {
private static final StringManager sm =
StringManager.getManager(Asn1Parser.class);
+public static final int TAG_INTEGER = 0x02;
+public static final int TAG_OCTET_STRING = 0x04;
+public static final int TAG_NULL = 0x05;
+public static final int TAG_OID = 0x06;
+public static final int TAG_SEQUENCE = 0x30;
+public static final int TAG_ATTRIBUTE_BASE = 0xA0;
+
private final byte[] source;
private int pos = 0;
@@ -50,6 +57,11 @@ public class Asn1Parser {
}
+public void parseTagSequence() {
+parseTag(TAG_SEQUENCE);
+}
+
+
public void parseTag(int tag) {
int value = next();
if (value != tag) {
@@ -83,15 +95,41 @@ public class Asn1Parser {
public BigInteger parseInt() {
-parseTag(0x02);
-int len = parseLength();
-byte[] val = new byte[len];
-System.arraycopy(source, pos, val, 0, len);
-pos += len;
+byte[] val = parseBytes(TAG_INTEGER);
return new BigInteger(val);
}
+public byte[] parseOctetString() {
+return parseBytes(TAG_OCTET_STRING);
+}
+
+
+public void parseNull() {
+parseBytes(TAG_NULL);
+}
+
+
+public byte[] parseOIDAsBytes() {
+return parseBytes(TAG_OID);
+}
+
+
+public byte[] parseAttributeAsBytes(int index) {
+return parseBytes(TAG_ATTRIBUTE_BASE + index);
+}
+
+
+private byte[] parseBytes(int tag) {
+parseTag(tag);
+int len = parseLength();
+byte[] result = new byte[len];
+System.arraycopy(source, pos, result, 0, result.length);
+pos += result.length;
+return result;
+}
+
+
public void parseBytes(byte[] dest) {
System.arraycopy(source, pos, dest, 0, dest.length);
pos += dest.length;
diff --git a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
index b276db95ab..888a2a6761 100644
--- a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
@@ -21,4 +21,9 @@ jsseUtil.noDefaultProtocols=Unable to determine a default for
sslEnabledProtocol
pemFile.noMultiPrimes=The PKCS#1 certificate is in multi-prime format and Java
does not provide an API for constructing an RSA private key object from that
format
pemFile.notValidRFC5915=The provided key file does not conform to RFC 5915
+pemFile.notPbkdf2=The OID [{0}] is not the correct OID for PKBDF2 which is the
only permitted KDF for PBES2
pemFile.parseError=Unable to parse the key from [{0}]
+pemFile.unknownEncryptedFormat=The format [{0}] is not a recognised encrypted
PEM file format
+pemFile.unknownEncryptionAlgorithm=The encryption algorithm with DER encoded
OID of [{0}] was not recognised
+pemFile.unknownPrfAlgorithm=The pseudo random function with DER encoded OID of
[{0}] was not recognised
+pemFile.unknownPkcs8Algorithm=The PKCS#8 encryption algorithm with DER encoded
OID of [{0}] was not recognised
\ No newline at end of file
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index b8705c4aab..2785f9761c 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -23,7 +23,6 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
-import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.Inv
[tomcat] 03/03: Format
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 0f70d313da8c145587aea832204145654ed2d667
Author: Mark Thomas
AuthorDate: Mon Oct 23 18:47:44 2023 +0100
Format
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 80 ++-
1 file changed, 36 insertions(+), 44 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 2785f9761c..b051c539ea 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -130,16 +130,16 @@ public class PEMFile {
this(filename, password, null);
}
-public PEMFile(String filename, String password, String keyAlgorithm)
-throws IOException, GeneralSecurityException {
+public PEMFile(String filename, String password, String keyAlgorithm)
throws IOException, GeneralSecurityException {
this(filename,
ConfigFileLoader.getSource().getResource(filename).getInputStream(), password,
keyAlgorithm);
}
public PEMFile(String filename, String password, String passwordFilename,
String keyAlgorithm)
throws IOException, GeneralSecurityException {
-this(filename,
ConfigFileLoader.getSource().getResource(filename).getInputStream(), password,
- passwordFilename, passwordFilename != null ?
ConfigFileLoader.getSource().getResource(passwordFilename).getInputStream() :
null,
- keyAlgorithm);
+this(filename,
ConfigFileLoader.getSource().getResource(filename).getInputStream(), password,
passwordFilename,
+passwordFilename != null ?
ConfigFileLoader.getSource().getResource(passwordFilename).getInputStream() :
+null,
+keyAlgorithm);
}
public PEMFile(String filename, InputStream fileStream, String password,
String keyAlgorithm)
@@ -148,28 +148,28 @@ public class PEMFile {
}
/**
- * @param filename the filename to mention in error messages, not used for
anything else.
- * @param fileStream the stream containing the pem(s).
- * @param password password to load the pem objects.
- * @param passwordFilename the password filename to mention in error
messages, not used for anything else.
+ * @param filename the filename to mention in error messages,
not used for anything else.
+ * @param fileStream the stream containing the pem(s).
+ * @param password password to load the pem objects.
+ * @param passwordFilename the password filename to mention in error
messages, not used for anything else.
* @param passwordFileStream stream containing the password to load the
pem objects.
- * @param keyAlgorithm the algorithm to help to know how to load the
objects (guessed if null).
- * @throws IOException if input can't be read.
+ * @param keyAlgorithm the algorithm to help to know how to load the
objects (guessed if null).
+ *
+ * @throws IOException if input can't be read.
* @throws GeneralSecurityException if input can't be parsed/loaded.
*/
public PEMFile(String filename, InputStream fileStream, String password,
String passwordFilename,
- InputStream passwordFileStream, String keyAlgorithm)
-throws IOException, GeneralSecurityException {
+InputStream passwordFileStream, String keyAlgorithm) throws
IOException, GeneralSecurityException {
List parts = new ArrayList<>();
-try (BufferedReader reader =
- new BufferedReader(new InputStreamReader(fileStream,
StandardCharsets.US_ASCII))) {
+try (BufferedReader reader = new BufferedReader(new
InputStreamReader(fileStream, StandardCharsets.US_ASCII))) {
Part part = null;
String line;
while ((line = reader.readLine()) != null) {
if (line.startsWith(Part.BEGIN_BOUNDARY)) {
part = new Part();
-part.type = line.substring(Part.BEGIN_BOUNDARY.length(),
-line.length() -
Part.FINISH_BOUNDARY.length()).trim();
+part.type =
+line.substring(Part.BEGIN_BOUNDARY.length(),
line.length() - Part.FINISH_BOUNDARY.length())
+.trim();
} else if (line.startsWith(Part.END_BOUNDARY)) {
parts.add(part);
part = null;
@@ -229,7 +229,7 @@ public class PEMFile {
private static class Part {
public static final String BEGIN_BOUNDARY = "-BEGIN ";
-public static final String END_BOUNDARY = "-END ";
+public static final String END_BOUNDARY = "-END ";
public static final String FINISH_BOUNDARY = "-";
[tomcat] branch 10.1.x updated (dd1a3379bb -> a96f1499b4)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
from dd1a3379bb Update RAT excludes
new f18304c30f Differentiate between IV and salt (the IV is re-used as
salt)
new e3222ae8ba Fix BZ 67675 - Expand the PBKDF2 and cipher combinations
supported
new a96f1499b4 Format
The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
java/org/apache/tomcat/util/buf/Asn1Parser.java| 48 ++-
.../tomcat/util/net/jsse/LocalStrings.properties | 5 +
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 397 +++--
.../apache/tomcat/util/net/jsse/TestPEMFile.java | 20 +-
.../key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem | 54 +++
...key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} | 0
...key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem | 54 +++
7 files changed, 462 insertions(+), 116 deletions(-)
create mode 100644
test/org/apache/tomcat/util/net/jsse/key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem
rename test/org/apache/tomcat/util/net/jsse/{key-encrypted-pkcs8.pem =>
key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} (100%)
create mode 100644
test/org/apache/tomcat/util/net/jsse/key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 02/03: Fix BZ 67675 - Expand the PBKDF2 and cipher combinations supported
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit e3222ae8bac52e8b3c0be8c66d98f13b58551fc1
Author: Mark Thomas
AuthorDate: Fri Oct 20 15:54:33 2023 +0100
Fix BZ 67675 - Expand the PBKDF2 and cipher combinations supported
Java only directly supports a sub-set of the possible combinations.
Process the PBKDF2 configuration and cipher configuration
separately thereby increasing the range or supported combinations.
---
java/org/apache/tomcat/util/buf/Asn1Parser.java| 48 ++-
.../tomcat/util/net/jsse/LocalStrings.properties | 5 +
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 326 -
.../apache/tomcat/util/net/jsse/TestPEMFile.java | 20 +-
.../key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem | 54
...key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} | 0
...key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem | 54
7 files changed, 430 insertions(+), 77 deletions(-)
diff --git a/java/org/apache/tomcat/util/buf/Asn1Parser.java
b/java/org/apache/tomcat/util/buf/Asn1Parser.java
index e32e71886f..92d13c02a8 100644
--- a/java/org/apache/tomcat/util/buf/Asn1Parser.java
+++ b/java/org/apache/tomcat/util/buf/Asn1Parser.java
@@ -30,6 +30,13 @@ public class Asn1Parser {
private static final StringManager sm =
StringManager.getManager(Asn1Parser.class);
+public static final int TAG_INTEGER = 0x02;
+public static final int TAG_OCTET_STRING = 0x04;
+public static final int TAG_NULL = 0x05;
+public static final int TAG_OID = 0x06;
+public static final int TAG_SEQUENCE = 0x30;
+public static final int TAG_ATTRIBUTE_BASE = 0xA0;
+
private final byte[] source;
private int pos = 0;
@@ -50,6 +57,11 @@ public class Asn1Parser {
}
+public void parseTagSequence() {
+parseTag(TAG_SEQUENCE);
+}
+
+
public void parseTag(int tag) {
int value = next();
if (value != tag) {
@@ -83,15 +95,41 @@ public class Asn1Parser {
public BigInteger parseInt() {
-parseTag(0x02);
-int len = parseLength();
-byte[] val = new byte[len];
-System.arraycopy(source, pos, val, 0, len);
-pos += len;
+byte[] val = parseBytes(TAG_INTEGER);
return new BigInteger(val);
}
+public byte[] parseOctetString() {
+return parseBytes(TAG_OCTET_STRING);
+}
+
+
+public void parseNull() {
+parseBytes(TAG_NULL);
+}
+
+
+public byte[] parseOIDAsBytes() {
+return parseBytes(TAG_OID);
+}
+
+
+public byte[] parseAttributeAsBytes(int index) {
+return parseBytes(TAG_ATTRIBUTE_BASE + index);
+}
+
+
+private byte[] parseBytes(int tag) {
+parseTag(tag);
+int len = parseLength();
+byte[] result = new byte[len];
+System.arraycopy(source, pos, result, 0, result.length);
+pos += result.length;
+return result;
+}
+
+
public void parseBytes(byte[] dest) {
System.arraycopy(source, pos, dest, 0, dest.length);
pos += dest.length;
diff --git a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
index b276db95ab..888a2a6761 100644
--- a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
@@ -21,4 +21,9 @@ jsseUtil.noDefaultProtocols=Unable to determine a default for
sslEnabledProtocol
pemFile.noMultiPrimes=The PKCS#1 certificate is in multi-prime format and Java
does not provide an API for constructing an RSA private key object from that
format
pemFile.notValidRFC5915=The provided key file does not conform to RFC 5915
+pemFile.notPbkdf2=The OID [{0}] is not the correct OID for PKBDF2 which is the
only permitted KDF for PBES2
pemFile.parseError=Unable to parse the key from [{0}]
+pemFile.unknownEncryptedFormat=The format [{0}] is not a recognised encrypted
PEM file format
+pemFile.unknownEncryptionAlgorithm=The encryption algorithm with DER encoded
OID of [{0}] was not recognised
+pemFile.unknownPrfAlgorithm=The pseudo random function with DER encoded OID of
[{0}] was not recognised
+pemFile.unknownPkcs8Algorithm=The PKCS#8 encryption algorithm with DER encoded
OID of [{0}] was not recognised
\ No newline at end of file
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index d7f196bb3a..2785f9761c 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -23,7 +23,6 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
-import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.I
[tomcat] 03/03: Format
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit a96f1499b466a94dc27c11587df7635dce28f8dc
Author: Mark Thomas
AuthorDate: Tue Oct 24 17:52:06 2023 +0100
Format
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 80 ++-
1 file changed, 36 insertions(+), 44 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 2785f9761c..b051c539ea 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -130,16 +130,16 @@ public class PEMFile {
this(filename, password, null);
}
-public PEMFile(String filename, String password, String keyAlgorithm)
-throws IOException, GeneralSecurityException {
+public PEMFile(String filename, String password, String keyAlgorithm)
throws IOException, GeneralSecurityException {
this(filename,
ConfigFileLoader.getSource().getResource(filename).getInputStream(), password,
keyAlgorithm);
}
public PEMFile(String filename, String password, String passwordFilename,
String keyAlgorithm)
throws IOException, GeneralSecurityException {
-this(filename,
ConfigFileLoader.getSource().getResource(filename).getInputStream(), password,
- passwordFilename, passwordFilename != null ?
ConfigFileLoader.getSource().getResource(passwordFilename).getInputStream() :
null,
- keyAlgorithm);
+this(filename,
ConfigFileLoader.getSource().getResource(filename).getInputStream(), password,
passwordFilename,
+passwordFilename != null ?
ConfigFileLoader.getSource().getResource(passwordFilename).getInputStream() :
+null,
+keyAlgorithm);
}
public PEMFile(String filename, InputStream fileStream, String password,
String keyAlgorithm)
@@ -148,28 +148,28 @@ public class PEMFile {
}
/**
- * @param filename the filename to mention in error messages, not used for
anything else.
- * @param fileStream the stream containing the pem(s).
- * @param password password to load the pem objects.
- * @param passwordFilename the password filename to mention in error
messages, not used for anything else.
+ * @param filename the filename to mention in error messages,
not used for anything else.
+ * @param fileStream the stream containing the pem(s).
+ * @param password password to load the pem objects.
+ * @param passwordFilename the password filename to mention in error
messages, not used for anything else.
* @param passwordFileStream stream containing the password to load the
pem objects.
- * @param keyAlgorithm the algorithm to help to know how to load the
objects (guessed if null).
- * @throws IOException if input can't be read.
+ * @param keyAlgorithm the algorithm to help to know how to load the
objects (guessed if null).
+ *
+ * @throws IOException if input can't be read.
* @throws GeneralSecurityException if input can't be parsed/loaded.
*/
public PEMFile(String filename, InputStream fileStream, String password,
String passwordFilename,
- InputStream passwordFileStream, String keyAlgorithm)
-throws IOException, GeneralSecurityException {
+InputStream passwordFileStream, String keyAlgorithm) throws
IOException, GeneralSecurityException {
List parts = new ArrayList<>();
-try (BufferedReader reader =
- new BufferedReader(new InputStreamReader(fileStream,
StandardCharsets.US_ASCII))) {
+try (BufferedReader reader = new BufferedReader(new
InputStreamReader(fileStream, StandardCharsets.US_ASCII))) {
Part part = null;
String line;
while ((line = reader.readLine()) != null) {
if (line.startsWith(Part.BEGIN_BOUNDARY)) {
part = new Part();
-part.type = line.substring(Part.BEGIN_BOUNDARY.length(),
-line.length() -
Part.FINISH_BOUNDARY.length()).trim();
+part.type =
+line.substring(Part.BEGIN_BOUNDARY.length(),
line.length() - Part.FINISH_BOUNDARY.length())
+.trim();
} else if (line.startsWith(Part.END_BOUNDARY)) {
parts.add(part);
part = null;
@@ -229,7 +229,7 @@ public class PEMFile {
private static class Part {
public static final String BEGIN_BOUNDARY = "-BEGIN ";
-public static final String END_BOUNDARY = "-END ";
+public static final String END_BOUNDARY = "-END ";
public static final String FINISH_BOUNDARY = "-
[tomcat] 01/03: Differentiate between IV and salt (the IV is re-used as salt)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit f18304c30fd32ea06908e6b58f30477acf59b9d7
Author: Mark Thomas
AuthorDate: Fri Oct 20 08:51:36 2023 +0100
Differentiate between IV and salt (the IV is re-used as salt)
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index bd5ec514c4..d7f196bb3a 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -287,6 +287,7 @@ public class PEMFile {
}
byte[] iv = fromHex(ivHex);
+// The IV is also used as salt for the password generation
byte[] key = deriveKey(keyLength, password, iv);
SecretKey secretKey = new SecretKeySpec(key,
secretKeyAlgorithm);
Cipher cipher = Cipher.getInstance(cipherTransformation);
@@ -339,7 +340,7 @@ public class PEMFile {
}
-private byte[] deriveKey(int keyLength, String password, byte[] iv)
throws NoSuchAlgorithmException {
+private byte[] deriveKey(int keyLength, String password, byte[] salt)
throws NoSuchAlgorithmException {
// PBKDF1-MD5 as specified by PKCS#5
byte[] key = new byte[keyLength];
@@ -350,7 +351,7 @@ public class PEMFile {
while (insertPosition < keyLength) {
digest.update(pw);
-digest.update(iv, 0, 8);
+digest.update(salt, 0, 8);
byte[] round = digest.digest();
digest.update(round);
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated (8a67ad52da -> 7ccbf2bc15)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
from 8a67ad52da Update RAT excludes
new 3c4b69b766 Differentiate between IV and salt (the IV is re-used as
salt)
new ebf53c8ca2 Fix BZ 67675 - Expand the PBKDF2 and cipher combinations
supported
new 7ccbf2bc15 Format
The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
java/org/apache/tomcat/util/buf/Asn1Parser.java| 48 ++-
.../tomcat/util/net/jsse/LocalStrings.properties | 5 +
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 397 +++--
.../apache/tomcat/util/net/jsse/TestPEMFile.java | 20 +-
.../key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem | 54 +++
...key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} | 0
...key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem | 54 +++
7 files changed, 462 insertions(+), 116 deletions(-)
create mode 100644
test/org/apache/tomcat/util/net/jsse/key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem
rename test/org/apache/tomcat/util/net/jsse/{key-encrypted-pkcs8.pem =>
key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} (100%)
create mode 100644
test/org/apache/tomcat/util/net/jsse/key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 02/03: Fix BZ 67675 - Expand the PBKDF2 and cipher combinations supported
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit ebf53c8ca23176f4feee781e17685fdd4e58c8a0
Author: Mark Thomas
AuthorDate: Fri Oct 20 15:54:33 2023 +0100
Fix BZ 67675 - Expand the PBKDF2 and cipher combinations supported
Java only directly supports a sub-set of the possible combinations.
Process the PBKDF2 configuration and cipher configuration
separately thereby increasing the range or supported combinations.
---
java/org/apache/tomcat/util/buf/Asn1Parser.java| 48 ++-
.../tomcat/util/net/jsse/LocalStrings.properties | 5 +
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 326 -
.../apache/tomcat/util/net/jsse/TestPEMFile.java | 20 +-
.../key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem | 54
...key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} | 0
...key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem | 54
7 files changed, 430 insertions(+), 77 deletions(-)
diff --git a/java/org/apache/tomcat/util/buf/Asn1Parser.java
b/java/org/apache/tomcat/util/buf/Asn1Parser.java
index e32e71886f..92d13c02a8 100644
--- a/java/org/apache/tomcat/util/buf/Asn1Parser.java
+++ b/java/org/apache/tomcat/util/buf/Asn1Parser.java
@@ -30,6 +30,13 @@ public class Asn1Parser {
private static final StringManager sm =
StringManager.getManager(Asn1Parser.class);
+public static final int TAG_INTEGER = 0x02;
+public static final int TAG_OCTET_STRING = 0x04;
+public static final int TAG_NULL = 0x05;
+public static final int TAG_OID = 0x06;
+public static final int TAG_SEQUENCE = 0x30;
+public static final int TAG_ATTRIBUTE_BASE = 0xA0;
+
private final byte[] source;
private int pos = 0;
@@ -50,6 +57,11 @@ public class Asn1Parser {
}
+public void parseTagSequence() {
+parseTag(TAG_SEQUENCE);
+}
+
+
public void parseTag(int tag) {
int value = next();
if (value != tag) {
@@ -83,15 +95,41 @@ public class Asn1Parser {
public BigInteger parseInt() {
-parseTag(0x02);
-int len = parseLength();
-byte[] val = new byte[len];
-System.arraycopy(source, pos, val, 0, len);
-pos += len;
+byte[] val = parseBytes(TAG_INTEGER);
return new BigInteger(val);
}
+public byte[] parseOctetString() {
+return parseBytes(TAG_OCTET_STRING);
+}
+
+
+public void parseNull() {
+parseBytes(TAG_NULL);
+}
+
+
+public byte[] parseOIDAsBytes() {
+return parseBytes(TAG_OID);
+}
+
+
+public byte[] parseAttributeAsBytes(int index) {
+return parseBytes(TAG_ATTRIBUTE_BASE + index);
+}
+
+
+private byte[] parseBytes(int tag) {
+parseTag(tag);
+int len = parseLength();
+byte[] result = new byte[len];
+System.arraycopy(source, pos, result, 0, result.length);
+pos += result.length;
+return result;
+}
+
+
public void parseBytes(byte[] dest) {
System.arraycopy(source, pos, dest, 0, dest.length);
pos += dest.length;
diff --git a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
index b276db95ab..888a2a6761 100644
--- a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
@@ -21,4 +21,9 @@ jsseUtil.noDefaultProtocols=Unable to determine a default for
sslEnabledProtocol
pemFile.noMultiPrimes=The PKCS#1 certificate is in multi-prime format and Java
does not provide an API for constructing an RSA private key object from that
format
pemFile.notValidRFC5915=The provided key file does not conform to RFC 5915
+pemFile.notPbkdf2=The OID [{0}] is not the correct OID for PKBDF2 which is the
only permitted KDF for PBES2
pemFile.parseError=Unable to parse the key from [{0}]
+pemFile.unknownEncryptedFormat=The format [{0}] is not a recognised encrypted
PEM file format
+pemFile.unknownEncryptionAlgorithm=The encryption algorithm with DER encoded
OID of [{0}] was not recognised
+pemFile.unknownPrfAlgorithm=The pseudo random function with DER encoded OID of
[{0}] was not recognised
+pemFile.unknownPkcs8Algorithm=The PKCS#8 encryption algorithm with DER encoded
OID of [{0}] was not recognised
\ No newline at end of file
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index d7f196bb3a..2785f9761c 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -23,7 +23,6 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
-import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.In
[tomcat] 03/03: Format
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 7ccbf2bc15b46853c1b1cca1e4ca994a98bbee49
Author: Mark Thomas
AuthorDate: Tue Oct 24 17:52:06 2023 +0100
Format
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 80 ++-
1 file changed, 36 insertions(+), 44 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 2785f9761c..b051c539ea 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -130,16 +130,16 @@ public class PEMFile {
this(filename, password, null);
}
-public PEMFile(String filename, String password, String keyAlgorithm)
-throws IOException, GeneralSecurityException {
+public PEMFile(String filename, String password, String keyAlgorithm)
throws IOException, GeneralSecurityException {
this(filename,
ConfigFileLoader.getSource().getResource(filename).getInputStream(), password,
keyAlgorithm);
}
public PEMFile(String filename, String password, String passwordFilename,
String keyAlgorithm)
throws IOException, GeneralSecurityException {
-this(filename,
ConfigFileLoader.getSource().getResource(filename).getInputStream(), password,
- passwordFilename, passwordFilename != null ?
ConfigFileLoader.getSource().getResource(passwordFilename).getInputStream() :
null,
- keyAlgorithm);
+this(filename,
ConfigFileLoader.getSource().getResource(filename).getInputStream(), password,
passwordFilename,
+passwordFilename != null ?
ConfigFileLoader.getSource().getResource(passwordFilename).getInputStream() :
+null,
+keyAlgorithm);
}
public PEMFile(String filename, InputStream fileStream, String password,
String keyAlgorithm)
@@ -148,28 +148,28 @@ public class PEMFile {
}
/**
- * @param filename the filename to mention in error messages, not used for
anything else.
- * @param fileStream the stream containing the pem(s).
- * @param password password to load the pem objects.
- * @param passwordFilename the password filename to mention in error
messages, not used for anything else.
+ * @param filename the filename to mention in error messages,
not used for anything else.
+ * @param fileStream the stream containing the pem(s).
+ * @param password password to load the pem objects.
+ * @param passwordFilename the password filename to mention in error
messages, not used for anything else.
* @param passwordFileStream stream containing the password to load the
pem objects.
- * @param keyAlgorithm the algorithm to help to know how to load the
objects (guessed if null).
- * @throws IOException if input can't be read.
+ * @param keyAlgorithm the algorithm to help to know how to load the
objects (guessed if null).
+ *
+ * @throws IOException if input can't be read.
* @throws GeneralSecurityException if input can't be parsed/loaded.
*/
public PEMFile(String filename, InputStream fileStream, String password,
String passwordFilename,
- InputStream passwordFileStream, String keyAlgorithm)
-throws IOException, GeneralSecurityException {
+InputStream passwordFileStream, String keyAlgorithm) throws
IOException, GeneralSecurityException {
List parts = new ArrayList<>();
-try (BufferedReader reader =
- new BufferedReader(new InputStreamReader(fileStream,
StandardCharsets.US_ASCII))) {
+try (BufferedReader reader = new BufferedReader(new
InputStreamReader(fileStream, StandardCharsets.US_ASCII))) {
Part part = null;
String line;
while ((line = reader.readLine()) != null) {
if (line.startsWith(Part.BEGIN_BOUNDARY)) {
part = new Part();
-part.type = line.substring(Part.BEGIN_BOUNDARY.length(),
-line.length() -
Part.FINISH_BOUNDARY.length()).trim();
+part.type =
+line.substring(Part.BEGIN_BOUNDARY.length(),
line.length() - Part.FINISH_BOUNDARY.length())
+.trim();
} else if (line.startsWith(Part.END_BOUNDARY)) {
parts.add(part);
part = null;
@@ -229,7 +229,7 @@ public class PEMFile {
private static class Part {
public static final String BEGIN_BOUNDARY = "-BEGIN ";
-public static final String END_BOUNDARY = "-END ";
+public static final String END_BOUNDARY = "-END ";
public static final String FINISH_BOUNDARY = "-"
[tomcat] 01/03: Differentiate between IV and salt (the IV is re-used as salt)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 3c4b69b7664b57f41c472b9385aa63baf10ccc02
Author: Mark Thomas
AuthorDate: Fri Oct 20 08:51:36 2023 +0100
Differentiate between IV and salt (the IV is re-used as salt)
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index bd5ec514c4..d7f196bb3a 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -287,6 +287,7 @@ public class PEMFile {
}
byte[] iv = fromHex(ivHex);
+// The IV is also used as salt for the password generation
byte[] key = deriveKey(keyLength, password, iv);
SecretKey secretKey = new SecretKeySpec(key,
secretKeyAlgorithm);
Cipher cipher = Cipher.getInstance(cipherTransformation);
@@ -339,7 +340,7 @@ public class PEMFile {
}
-private byte[] deriveKey(int keyLength, String password, byte[] iv)
throws NoSuchAlgorithmException {
+private byte[] deriveKey(int keyLength, String password, byte[] salt)
throws NoSuchAlgorithmException {
// PBKDF1-MD5 as specified by PKCS#5
byte[] key = new byte[keyLength];
@@ -350,7 +351,7 @@ public class PEMFile {
while (insertPosition < keyLength) {
digest.update(pw);
-digest.update(iv, 0, 8);
+digest.update(salt, 0, 8);
byte[] round = digest.digest();
digest.update(round);
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 01/03: Differentiate between IV and salt (the IV is re-used as salt)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 8406102925f23235ed19ce8bb07cca6a6160de2d
Author: Mark Thomas
AuthorDate: Fri Oct 20 08:51:36 2023 +0100
Differentiate between IV and salt (the IV is re-used as salt)
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index e6fc76a1ce..9a83cd9bfb 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -287,6 +287,7 @@ public class PEMFile {
}
byte[] iv = fromHex(ivHex);
+// The IV is also used as salt for the password generation
byte[] key = deriveKey(keyLength, password, iv);
SecretKey secretKey = new SecretKeySpec(key,
secretKeyAlgorithm);
Cipher cipher = Cipher.getInstance(cipherTransformation);
@@ -339,7 +340,7 @@ public class PEMFile {
}
-private byte[] deriveKey(int keyLength, String password, byte[] iv)
throws NoSuchAlgorithmException {
+private byte[] deriveKey(int keyLength, String password, byte[] salt)
throws NoSuchAlgorithmException {
// PBKDF1-MD5 as specified by PKCS#5
byte[] key = new byte[keyLength];
@@ -350,7 +351,7 @@ public class PEMFile {
while (insertPosition < keyLength) {
digest.update(pw);
-digest.update(iv, 0, 8);
+digest.update(salt, 0, 8);
byte[] round = digest.digest();
digest.update(round);
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 02/03: Fix BZ 67675 - Expand the PBKDF2 and cipher combinations supported
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 80f21596d69ce6304eb3e40f450554d00308ff6c
Author: Mark Thomas
AuthorDate: Fri Oct 20 15:54:33 2023 +0100
Fix BZ 67675 - Expand the PBKDF2 and cipher combinations supported
Java only directly supports a sub-set of the possible combinations.
Process the PBKDF2 configuration and cipher configuration
separately thereby increasing the range or supported combinations.
---
java/org/apache/tomcat/util/buf/Asn1Parser.java| 48 ++-
.../tomcat/util/net/jsse/LocalStrings.properties | 5 +
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 326 -
.../apache/tomcat/util/net/jsse/TestPEMFile.java | 20 +-
.../key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem | 54
...key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} | 0
...key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem | 54
7 files changed, 430 insertions(+), 77 deletions(-)
diff --git a/java/org/apache/tomcat/util/buf/Asn1Parser.java
b/java/org/apache/tomcat/util/buf/Asn1Parser.java
index e32e71886f..92d13c02a8 100644
--- a/java/org/apache/tomcat/util/buf/Asn1Parser.java
+++ b/java/org/apache/tomcat/util/buf/Asn1Parser.java
@@ -30,6 +30,13 @@ public class Asn1Parser {
private static final StringManager sm =
StringManager.getManager(Asn1Parser.class);
+public static final int TAG_INTEGER = 0x02;
+public static final int TAG_OCTET_STRING = 0x04;
+public static final int TAG_NULL = 0x05;
+public static final int TAG_OID = 0x06;
+public static final int TAG_SEQUENCE = 0x30;
+public static final int TAG_ATTRIBUTE_BASE = 0xA0;
+
private final byte[] source;
private int pos = 0;
@@ -50,6 +57,11 @@ public class Asn1Parser {
}
+public void parseTagSequence() {
+parseTag(TAG_SEQUENCE);
+}
+
+
public void parseTag(int tag) {
int value = next();
if (value != tag) {
@@ -83,15 +95,41 @@ public class Asn1Parser {
public BigInteger parseInt() {
-parseTag(0x02);
-int len = parseLength();
-byte[] val = new byte[len];
-System.arraycopy(source, pos, val, 0, len);
-pos += len;
+byte[] val = parseBytes(TAG_INTEGER);
return new BigInteger(val);
}
+public byte[] parseOctetString() {
+return parseBytes(TAG_OCTET_STRING);
+}
+
+
+public void parseNull() {
+parseBytes(TAG_NULL);
+}
+
+
+public byte[] parseOIDAsBytes() {
+return parseBytes(TAG_OID);
+}
+
+
+public byte[] parseAttributeAsBytes(int index) {
+return parseBytes(TAG_ATTRIBUTE_BASE + index);
+}
+
+
+private byte[] parseBytes(int tag) {
+parseTag(tag);
+int len = parseLength();
+byte[] result = new byte[len];
+System.arraycopy(source, pos, result, 0, result.length);
+pos += result.length;
+return result;
+}
+
+
public void parseBytes(byte[] dest) {
System.arraycopy(source, pos, dest, 0, dest.length);
pos += dest.length;
diff --git a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
index b276db95ab..888a2a6761 100644
--- a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
@@ -21,4 +21,9 @@ jsseUtil.noDefaultProtocols=Unable to determine a default for
sslEnabledProtocol
pemFile.noMultiPrimes=The PKCS#1 certificate is in multi-prime format and Java
does not provide an API for constructing an RSA private key object from that
format
pemFile.notValidRFC5915=The provided key file does not conform to RFC 5915
+pemFile.notPbkdf2=The OID [{0}] is not the correct OID for PKBDF2 which is the
only permitted KDF for PBES2
pemFile.parseError=Unable to parse the key from [{0}]
+pemFile.unknownEncryptedFormat=The format [{0}] is not a recognised encrypted
PEM file format
+pemFile.unknownEncryptionAlgorithm=The encryption algorithm with DER encoded
OID of [{0}] was not recognised
+pemFile.unknownPrfAlgorithm=The pseudo random function with DER encoded OID of
[{0}] was not recognised
+pemFile.unknownPkcs8Algorithm=The PKCS#8 encryption algorithm with DER encoded
OID of [{0}] was not recognised
\ No newline at end of file
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 9a83cd9bfb..2e68c1e49c 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -23,7 +23,6 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
-import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.In
[tomcat] 03/03: Format
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 1e9fbf113a718969bfada6e4fa4cee8d1ec9c78d
Author: Mark Thomas
AuthorDate: Tue Oct 24 17:54:25 2023 +0100
Format
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 78 ++-
1 file changed, 34 insertions(+), 44 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 2e68c1e49c..71db800680 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -130,16 +130,14 @@ public class PEMFile {
this(filename, password, null);
}
-public PEMFile(String filename, String password, String keyAlgorithm)
-throws IOException, GeneralSecurityException {
+public PEMFile(String filename, String password, String keyAlgorithm)
throws IOException, GeneralSecurityException {
this(filename, ConfigFileLoader.getInputStream(filename), password,
keyAlgorithm);
}
public PEMFile(String filename, String password, String passwordFilename,
String keyAlgorithm)
throws IOException, GeneralSecurityException {
-this(filename, ConfigFileLoader.getInputStream(filename), password,
- passwordFilename, passwordFilename != null ?
ConfigFileLoader.getInputStream(passwordFilename) : null,
- keyAlgorithm);
+this(filename, ConfigFileLoader.getInputStream(filename), password,
passwordFilename,
+passwordFilename != null ?
ConfigFileLoader.getInputStream(passwordFilename) : null, keyAlgorithm);
}
public PEMFile(String filename, InputStream fileStream, String password,
String keyAlgorithm)
@@ -148,28 +146,28 @@ public class PEMFile {
}
/**
- * @param filename the filename to mention in error messages, not used for
anything else.
- * @param fileStream the stream containing the pem(s).
- * @param password password to load the pem objects.
- * @param passwordFilename the password filename to mention in error
messages, not used for anything else.
+ * @param filename the filename to mention in error messages,
not used for anything else.
+ * @param fileStream the stream containing the pem(s).
+ * @param password password to load the pem objects.
+ * @param passwordFilename the password filename to mention in error
messages, not used for anything else.
* @param passwordFileStream stream containing the password to load the
pem objects.
- * @param keyAlgorithm the algorithm to help to know how to load the
objects (guessed if null).
- * @throws IOException if input can't be read.
+ * @param keyAlgorithm the algorithm to help to know how to load the
objects (guessed if null).
+ *
+ * @throws IOException if input can't be read.
* @throws GeneralSecurityException if input can't be parsed/loaded.
*/
public PEMFile(String filename, InputStream fileStream, String password,
String passwordFilename,
- InputStream passwordFileStream, String keyAlgorithm)
-throws IOException, GeneralSecurityException {
+InputStream passwordFileStream, String keyAlgorithm) throws
IOException, GeneralSecurityException {
List parts = new ArrayList<>();
-try (BufferedReader reader =
- new BufferedReader(new InputStreamReader(fileStream,
StandardCharsets.US_ASCII))) {
+try (BufferedReader reader = new BufferedReader(new
InputStreamReader(fileStream, StandardCharsets.US_ASCII))) {
Part part = null;
String line;
while ((line = reader.readLine()) != null) {
if (line.startsWith(Part.BEGIN_BOUNDARY)) {
part = new Part();
-part.type = line.substring(Part.BEGIN_BOUNDARY.length(),
-line.length() -
Part.FINISH_BOUNDARY.length()).trim();
+part.type =
+line.substring(Part.BEGIN_BOUNDARY.length(),
line.length() - Part.FINISH_BOUNDARY.length())
+.trim();
} else if (line.startsWith(Part.END_BOUNDARY)) {
parts.add(part);
part = null;
@@ -229,7 +227,7 @@ public class PEMFile {
private static class Part {
public static final String BEGIN_BOUNDARY = "-BEGIN ";
-public static final String END_BOUNDARY = "-END ";
+public static final String END_BOUNDARY = "-END ";
public static final String FINISH_BOUNDARY = "-";
public static final String PRIVATE_KEY = "PRIVATE KEY";
@@ -265,7 +263,8 @@ public class PEMFile {
*
* @throws GeneralSecurityException If ther
[tomcat] branch 8.5.x updated (9867f363cf -> 1e9fbf113a)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
from 9867f363cf Update RAT excludes
new 8406102925 Differentiate between IV and salt (the IV is re-used as
salt)
new 80f21596d6 Fix BZ 67675 - Expand the PBKDF2 and cipher combinations
supported
new 1e9fbf113a Format
The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
java/org/apache/tomcat/util/buf/Asn1Parser.java| 48 ++-
.../tomcat/util/net/jsse/LocalStrings.properties | 5 +
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 395 +++--
.../apache/tomcat/util/net/jsse/TestPEMFile.java | 20 +-
.../key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem | 54 +++
...key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} | 0
...key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem | 54 +++
7 files changed, 460 insertions(+), 116 deletions(-)
create mode 100644
test/org/apache/tomcat/util/net/jsse/key-encrypted-pkcs8-hmacsha256-aes-128-cbc.pem
rename test/org/apache/tomcat/util/net/jsse/{key-encrypted-pkcs8.pem =>
key-encrypted-pkcs8-hmacsha256-aes-256-cbc.pem} (100%)
create mode 100644
test/org/apache/tomcat/util/net/jsse/key-encrypted-pkcs8-hmacsha256-des-ede3-cbc.pem
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 67675] Tomcat and/or Java do not read encrypted private keys with DES-EDE3-CBC generated by openssl-req(1)
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #17 from Mark Thomas --- Fixed in: - 11.0.x for 11.0.0-M14 onwards - 10.1.x for 10.1.16 onwards - 9.0.x for 9.0.83 onwards - 8.5.x for 8.5.96 onwards -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[PR] Update ssh key [tomcat-maven-plugin]
umar-sheik opened a new pull request, #41: URL: https://github.com/apache/tomcat-maven-plugin/pull/41 (no comment) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Update ssh key [tomcat-maven-plugin]
umar-sheik closed pull request #41: Update ssh key URL: https://github.com/apache/tomcat-maven-plugin/pull/41 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Fix an IDE warning
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new bb427575f0 Fix an IDE warning
bb427575f0 is described below
commit bb427575f0b95a2403c61836e5ff7fadd8eefdbd
Author: Mark Thomas
AuthorDate: Tue Oct 24 20:59:00 2023 +0100
Fix an IDE warning
Trivial change to trigger a CI build
---
java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 644a21921c..ae58c89309 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -477,7 +477,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
try (var localArena = Arena.ofConfined()) {
// rc = SSLConf.apply(confCtx, name, value);
if (name.equals("NO_OCSP_CHECK")) {
-noOcspCheck = Boolean.valueOf(value);
+noOcspCheck = Boolean.parseBoolean(value);
rc = 1;
} else {
rc = SSL_CONF_cmd(state.confCtx,
localArena.allocateFrom(name),
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Buildbot failure in on tomcat-11.0.x
On 24/10/2023 12:34, Mark Thomas wrote: On 24/10/2023 10:04, Rémy Maucherat wrote: On Tue, Oct 24, 2023 at 10:51 AM Mark Thomas wrote: This was triggered by the switch to Java 22. I'm going to need to update the CI. The Tomcat 11 builds are going to fail until I get that done. That was not intended, I simply forgot this CI was using the release target (the github one does not, it uses deploy). Disabling the check for now is easier until CI can reasonably have Java 22 available. Sorry for the trouble ... No problem. I've filed INFRA-25120 to make the Java 22 EA 20 available on the buildbot nodes. Once it is, I'll update the CI build and report back. Buildbot should updated to use Java 22. What should I look for in the next build to check it is working as expected? Mark I'll also switch Gump to Java 22. Mark Rémy Mark On 24/10/2023 09:45, build...@apache.org wrote: Build status: BUILD FAILED: failed compile (failure) Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/112/builds/701 Blamelist: remm Build Text: failed compile (failure) Status Detected: new failure Build Source Stamp: [branch main] ee1f16a323d5e07b59f0de7a3b17cb495896f3e7 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 2 -- ASF Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Buildbot failure in on tomcat-11.0.x
Build status: BUILD FAILED: failed compile (failure) Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/112/builds/710 Blamelist: Mark Thomas Build Text: failed compile (failure) Status Detected: new failure Build Source Stamp: [branch main] bb427575f0b95a2403c61836e5ff7fadd8eefdbd Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 1 shell_6: 0 shell_7: 0 shell_8: 0 shell_9: 0 Rsync docs to nightlies.apache.org: 0 shell_10: 0 Rsync RAT to nightlies.apache.org: 0 compile_1: 2 shell_11: 0 Rsync Logs to nightlies.apache.org: 0 -- ASF Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 02/02: Fix BND warning spotting in CI system
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit d7e6c58c444c93742bf53f7228181179ec663645
Author: Mark Thomas
AuthorDate: Tue Oct 24 21:58:01 2023 +0100
Fix BND warning spotting in CI system
---
res/bnd/websocket-api.jar.tmp.bnd| 2 +-
res/bnd/websocket-client-api.jar.tmp.bnd | 2 +-
webapps/docs/changelog.xml | 8
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/res/bnd/websocket-api.jar.tmp.bnd
b/res/bnd/websocket-api.jar.tmp.bnd
index 9f2b0606a5..0184c99bc5 100644
--- a/res/bnd/websocket-api.jar.tmp.bnd
+++ b/res/bnd/websocket-api.jar.tmp.bnd
@@ -35,7 +35,7 @@ Require-Capability: \
osgi.ee;\
filter:="(&(osgi.ee=JavaSE)(version=1.8))"
--namesection: jakarta/websocket*/;\
+-namesection: jakarta/websocket/server*/;\
Specification-Title=Jakarta WebSocket;\
Specification-Version=${websocket.spec.version}${websocket.revision};\
Specification-Vendor=Eclipse Foundation;\
diff --git a/res/bnd/websocket-client-api.jar.tmp.bnd
b/res/bnd/websocket-client-api.jar.tmp.bnd
index 500d14be57..492e495a18 100644
--- a/res/bnd/websocket-client-api.jar.tmp.bnd
+++ b/res/bnd/websocket-client-api.jar.tmp.bnd
@@ -29,7 +29,7 @@ Require-Capability: \
osgi.ee;\
filter:="(&(osgi.ee=JavaSE)(version=1.8))"
--namesection: jakarta/websocket/client*/;\
+-namesection: jakarta/websocket*/;\
Specification-Title=Jakarta WebSocket Client;\
Specification-Version=${websocket.spec.version}${websocket.revision};\
Specification-Vendor=Eclipse Foundation;\
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 1407c192ca..462ca4e17e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -148,6 +148,14 @@
+
+
+
+Correct missing metadata int he MANIFEST of the for WebSocket client
API
+JAR file. (markt)
+
+
+
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated (bb427575f0 -> d7e6c58c44)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git from bb427575f0 Fix an IDE warning new df7823dc9c Remove unnecessary code new d7e6c58c44 Fix BND warning spotting in CI system The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: java/org/apache/catalina/filters/CorsFilter.java| 2 +- java/org/apache/catalina/manager/StatusTransformer.java | 4 ++-- res/bnd/websocket-api.jar.tmp.bnd | 2 +- res/bnd/websocket-client-api.jar.tmp.bnd| 2 +- webapps/docs/changelog.xml | 8 5 files changed, 13 insertions(+), 5 deletions(-) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 01/02: Remove unnecessary code
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit df7823dc9c7f213923d89096ff31f10622740192
Author: Mark Thomas
AuthorDate: Tue Oct 24 21:42:44 2023 +0100
Remove unnecessary code
---
java/org/apache/catalina/filters/CorsFilter.java| 2 +-
java/org/apache/catalina/manager/StatusTransformer.java | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/filters/CorsFilter.java
b/java/org/apache/catalina/filters/CorsFilter.java
index 33f5d9d59d..1f063aa4c4 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -324,7 +324,7 @@ public class CorsFilter extends GenericFilter {
if (!isAnyOriginAllowed()) {
// If only specific origins are allowed, the response will vary by
// origin
-ResponseUtil.addVaryFieldName(response,
CorsFilter.REQUEST_HEADER_ORIGIN);
+ResponseUtil.addVaryFieldName(response, REQUEST_HEADER_ORIGIN);
}
// Let request pass.
diff --git a/java/org/apache/catalina/manager/StatusTransformer.java
b/java/org/apache/catalina/manager/StatusTransformer.java
index 3aa7f3e922..3b02474605 100644
--- a/java/org/apache/catalina/manager/StatusTransformer.java
+++ b/java/org/apache/catalina/manager/StatusTransformer.java
@@ -282,8 +282,8 @@ public class StatusTransformer {
}
String name = objectName.getKeyProperty("name");
// use StatusTransformer to output status
-StatusTransformer.writeConnectorState(writer, objectName, name,
mBeanServer, globalRequestProcessors,
-requestProcessors, mode, args);
+writeConnectorState(
+writer, objectName, name, mBeanServer,
globalRequestProcessors, requestProcessors, mode, args);
}
if (mode == 2) {
writer.append(']').println();
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Remove unnecessary code
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new b7bc7f3b66 Remove unnecessary code
b7bc7f3b66 is described below
commit b7bc7f3b6605caedb511dc28be437e70a0c72b42
Author: Mark Thomas
AuthorDate: Tue Oct 24 21:42:44 2023 +0100
Remove unnecessary code
---
java/org/apache/catalina/filters/CorsFilter.java| 2 +-
java/org/apache/catalina/manager/StatusTransformer.java | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/filters/CorsFilter.java
b/java/org/apache/catalina/filters/CorsFilter.java
index 33f5d9d59d..1f063aa4c4 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -324,7 +324,7 @@ public class CorsFilter extends GenericFilter {
if (!isAnyOriginAllowed()) {
// If only specific origins are allowed, the response will vary by
// origin
-ResponseUtil.addVaryFieldName(response,
CorsFilter.REQUEST_HEADER_ORIGIN);
+ResponseUtil.addVaryFieldName(response, REQUEST_HEADER_ORIGIN);
}
// Let request pass.
diff --git a/java/org/apache/catalina/manager/StatusTransformer.java
b/java/org/apache/catalina/manager/StatusTransformer.java
index 3aa7f3e922..3b02474605 100644
--- a/java/org/apache/catalina/manager/StatusTransformer.java
+++ b/java/org/apache/catalina/manager/StatusTransformer.java
@@ -282,8 +282,8 @@ public class StatusTransformer {
}
String name = objectName.getKeyProperty("name");
// use StatusTransformer to output status
-StatusTransformer.writeConnectorState(writer, objectName, name,
mBeanServer, globalRequestProcessors,
-requestProcessors, mode, args);
+writeConnectorState(
+writer, objectName, name, mBeanServer,
globalRequestProcessors, requestProcessors, mode, args);
}
if (mode == 2) {
writer.append(']').println();
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Remove unnecessary code
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 5462cf0e56 Remove unnecessary code
5462cf0e56 is described below
commit 5462cf0e569d62a9f3949800d14ec343d4766a0a
Author: Mark Thomas
AuthorDate: Tue Oct 24 21:42:44 2023 +0100
Remove unnecessary code
---
java/org/apache/catalina/filters/CorsFilter.java| 2 +-
java/org/apache/catalina/manager/StatusTransformer.java | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/filters/CorsFilter.java
b/java/org/apache/catalina/filters/CorsFilter.java
index 1aec15a43f..d6e294a1b7 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -324,7 +324,7 @@ public class CorsFilter extends GenericFilter {
if (!isAnyOriginAllowed()) {
// If only specific origins are allowed, the response will vary by
// origin
-ResponseUtil.addVaryFieldName(response,
CorsFilter.REQUEST_HEADER_ORIGIN);
+ResponseUtil.addVaryFieldName(response, REQUEST_HEADER_ORIGIN);
}
// Let request pass.
diff --git a/java/org/apache/catalina/manager/StatusTransformer.java
b/java/org/apache/catalina/manager/StatusTransformer.java
index 50761f0d1a..4dc1b210c0 100644
--- a/java/org/apache/catalina/manager/StatusTransformer.java
+++ b/java/org/apache/catalina/manager/StatusTransformer.java
@@ -348,8 +348,8 @@ public class StatusTransformer {
}
String name = objectName.getKeyProperty("name");
// use StatusTransformer to output status
-StatusTransformer.writeConnectorState(writer, objectName, name,
mBeanServer, globalRequestProcessors,
-requestProcessors, mode, args);
+writeConnectorState(
+writer, objectName, name, mBeanServer,
globalRequestProcessors, requestProcessors, mode, args);
}
if (mode == 2) {
writer.append(']').println();
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Remove unnecessary code
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 224945058f Remove unnecessary code
224945058f is described below
commit 224945058f5bd3edd41f7640c4dc2341c8b7c218
Author: Mark Thomas
AuthorDate: Tue Oct 24 21:42:44 2023 +0100
Remove unnecessary code
---
java/org/apache/catalina/filters/CorsFilter.java| 2 +-
java/org/apache/catalina/manager/StatusTransformer.java | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/filters/CorsFilter.java
b/java/org/apache/catalina/filters/CorsFilter.java
index 5e2414b446..ada5e9909a 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -326,7 +326,7 @@ public class CorsFilter implements Filter {
if (!isAnyOriginAllowed()) {
// If only specific origins are allowed, the response will vary by
// origin
-ResponseUtil.addVaryFieldName(response,
CorsFilter.REQUEST_HEADER_ORIGIN);
+ResponseUtil.addVaryFieldName(response, REQUEST_HEADER_ORIGIN);
}
// Let request pass.
diff --git a/java/org/apache/catalina/manager/StatusTransformer.java
b/java/org/apache/catalina/manager/StatusTransformer.java
index 8c7805fbc8..5c1b6b4a3c 100644
--- a/java/org/apache/catalina/manager/StatusTransformer.java
+++ b/java/org/apache/catalina/manager/StatusTransformer.java
@@ -348,8 +348,8 @@ public class StatusTransformer {
}
String name = objectName.getKeyProperty("name");
// use StatusTransformer to output status
-StatusTransformer.writeConnectorState(writer, objectName, name,
mBeanServer, globalRequestProcessors,
-requestProcessors, mode, args);
+writeConnectorState(
+writer, objectName, name, mBeanServer,
globalRequestProcessors, requestProcessors, mode, args);
}
if (mode == 2) {
writer.append(']').println();
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Buildbot failure in on tomcat-11.0.x
On Tue, Oct 24, 2023 at 10:00 PM Mark Thomas wrote: > > On 24/10/2023 12:34, Mark Thomas wrote: > > On 24/10/2023 10:04, Rémy Maucherat wrote: > >> On Tue, Oct 24, 2023 at 10:51 AM Mark Thomas wrote: > >>> > >>> This was triggered by the switch to Java 22. > >>> > >>> I'm going to need to update the CI. The Tomcat 11 builds are going to > >>> fail until I get that done. > >> > >> That was not intended, I simply forgot this CI was using the release > >> target (the github one does not, it uses deploy). Disabling the check > >> for now is easier until CI can reasonably have Java 22 available. > >> Sorry for the trouble ... > > > > No problem. I've filed INFRA-25120 to make the Java 22 EA 20 available > > on the buildbot nodes. Once it is, I'll update the CI build and report > > back. > > Buildbot should updated to use Java 22. What should I look for in the > next build to check it is working as expected? It's running on Java 22 now, there's a red warning at the top in the -release-java-check target otherwise. The check can be flipped back to fail if there's no Java 22 when trying a release (because the build would be incomplete). The OpenSSL tests with FFM are running but are all failing because OpenSSL is not loadable. I don't quite understand why right now since the regular OpenSSL tests are working. Rémy > Mark > > > > > > I'll also switch Gump to Java 22. > > > > Mark > > > >> > >> Rémy > >> > >>> Mark > >>> > >>> > >>> On 24/10/2023 09:45, build...@apache.org wrote: > Build status: BUILD FAILED: failed compile (failure) > Worker used: bb_worker2_ubuntu > URL: https://ci2.apache.org/#builders/112/builds/701 > Blamelist: remm > Build Text: failed compile (failure) > Status Detected: new failure > Build Source Stamp: [branch main] > ee1f16a323d5e07b59f0de7a3b17cb495896f3e7 > > > Steps: > > worker_preparation: 0 > > git: 0 > > shell: 0 > > shell_1: 0 > > shell_2: 0 > > shell_3: 0 > > shell_4: 0 > > shell_5: 0 > > compile: 2 > > > -- ASF Buildbot > > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > > >>> > >>> - > >>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > >>> For additional commands, e-mail: dev-h...@tomcat.apache.org > >>> > >> > >> - > >> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: dev-h...@tomcat.apache.org > >> > > > > - > > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: dev-h...@tomcat.apache.org > > > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Buildbot failure in on tomcat-11.0.x
On 24/10/2023 22:13, Rémy Maucherat wrote: It's running on Java 22 now, there's a red warning at the top in the -release-java-check target otherwise. The check can be flipped back to fail if there's no Java 22 when trying a release (because the build would be incomplete). The OpenSSL tests with FFM are running but are all failing because OpenSSL is not loadable. I don't quite understand why right now since the regular OpenSSL tests are working. Looks like an issue with java.library.path I'm looking at it now... Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Fix an IDE warning
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 55dba05007 Fix an IDE warning
55dba05007 is described below
commit 55dba05007233bef3ad0d70619e4d4baa4270a7a
Author: Mark Thomas
AuthorDate: Tue Oct 24 22:30:54 2023 +0100
Fix an IDE warning
Trivial change to trigger a CI build for testing purposes
---
java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index ae58c89309..aedac6c61f 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -1156,7 +1156,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
if (SSL_CTX_set0_tmp_dh_pkey(state.sslCtx, pkey)
<= 0) {
EVP_PKEY_free(pkey);
} else {
-
log.debug(sm.getString("openssl.setCustomDHParameters", numBits,
certificate.getCertificateFile()));
+
log.debug(sm.getString("openssl.setCustomDHParameters",
Integer.valueOf(numBits), certificate.getCertificateFile()));
}
} else {
SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_SET_DH_AUTO(),
1, MemorySegment.NULL);
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 768c62df1b Fix BZ 67666 - Fix PEM files and
TLSCertificateReloadListener
768c62df1b is described below
commit 768c62df1bfee0675b2987f2f334c85606dd5078
Author: Mark Thomas
AuthorDate: Tue Oct 24 22:47:50 2023 +0100
Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
Most should now work. The few that do not will log a warning.
---
.../apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
.../org/apache/tomcat/util/net/openssl/OpenSSLContext.java | 7 ---
java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java | 14 --
webapps/docs/changelog.xml | 5 +
4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 34ec880c41..db09d853fd 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -47,6 +47,7 @@ openssl.errCheckConf=Error during OpenSSLConf check
openssl.errMakeConf=Could not create OpenSSLConf context
openssl.errorSSLCtxInit=Error initializing SSL context
openssl.keyManagerMissing=No key manager found
+openssl.keyManagerMissing.warn=No key manager found. TLS will work but the
certificate will not be visible to Tomcat so management/monitoring features
will not work for this certificate
openssl.makeConf=Creating OpenSSLConf context
openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}]
could not be processed using a JSSE key manager and will be given directly to
OpenSSL
openssl.nonJsseChain=The certificate chain [{0}] was not specified or was not
valid and JSSE requires a valid certificate chain so attempting to use OpenSSL
directly
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 5d8ca84d6c..195f270f04 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -332,9 +332,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
-if (certificate.getCertificateFile() == null) {
-
certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
-}
+// If there is no certificate file must be using a KeyStore so a
KeyManager is required.
+// If there is a certificate file a KeyManager is helpful but not
strictly necessary.
+certificate.setCertificateKeyManager(
+OpenSSLUtil.chooseKeyManager(kms,
certificate.getCertificateFile() == null));
addCertificate(certificate);
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index 8336ecf695..1e5edcd6fe 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -73,8 +73,13 @@ public class OpenSSLUtil extends SSLUtilBase {
return new OpenSSLContext(certificate, negotiableProtocols);
}
-
+@Deprecated
public static X509KeyManager chooseKeyManager(KeyManager[] managers)
throws Exception {
+return chooseKeyManager(managers, true);
+}
+
+
+public static X509KeyManager chooseKeyManager(KeyManager[] managers,
boolean throwOnMissing) throws Exception {
if (managers == null) {
return null;
}
@@ -88,7 +93,12 @@ public class OpenSSLUtil extends SSLUtilBase {
return (X509KeyManager) manager;
}
}
-throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+if (throwOnMissing) {
+throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+}
+
+log.warn(sm.getString("openssl.keyManagerMissing.warn"));
+return null;
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3f46719f49..35cf047197 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -134,6 +134,11 @@
automatically call
setCertificateKeystoreType(ks.getType()). (markt)
+
+67666: Ensure TLS connectors using PEM files either work
with
+the TLSCertificateReloadListener or, in the rare case that
+they do not, log a warning on Connector start. (markt)
+
---
[tomcat] branch 8.5.x updated: Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new d7c5c771f4 Fix BZ 67666 - Fix PEM files and
TLSCertificateReloadListener
d7c5c771f4 is described below
commit d7c5c771f4fbe235a3bc38641a595e4f9589d09f
Author: Mark Thomas
AuthorDate: Tue Oct 24 22:47:50 2023 +0100
Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
Most should now work. The few that do not will log a warning.
---
.../apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
.../org/apache/tomcat/util/net/openssl/OpenSSLContext.java | 7 ---
java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java | 14 --
webapps/docs/changelog.xml | 5 +
4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 34ec880c41..db09d853fd 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -47,6 +47,7 @@ openssl.errCheckConf=Error during OpenSSLConf check
openssl.errMakeConf=Could not create OpenSSLConf context
openssl.errorSSLCtxInit=Error initializing SSL context
openssl.keyManagerMissing=No key manager found
+openssl.keyManagerMissing.warn=No key manager found. TLS will work but the
certificate will not be visible to Tomcat so management/monitoring features
will not work for this certificate
openssl.makeConf=Creating OpenSSLConf context
openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}]
could not be processed using a JSSE key manager and will be given directly to
OpenSSL
openssl.nonJsseChain=The certificate chain [{0}] was not specified or was not
valid and JSSE requires a valid certificate chain so attempting to use OpenSSL
directly
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 7f83a3bd75..0133c8da29 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -337,9 +337,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
-if (certificate.getCertificateFile() == null) {
-
certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
-}
+// If there is no certificate file must be using a KeyStore so a
KeyManager is required.
+// If there is a certificate file a KeyManager is helpful but not
strictly necessary.
+certificate.setCertificateKeyManager(
+OpenSSLUtil.chooseKeyManager(kms,
certificate.getCertificateFile() == null));
addCertificate(certificate);
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index 8336ecf695..1e5edcd6fe 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -73,8 +73,13 @@ public class OpenSSLUtil extends SSLUtilBase {
return new OpenSSLContext(certificate, negotiableProtocols);
}
-
+@Deprecated
public static X509KeyManager chooseKeyManager(KeyManager[] managers)
throws Exception {
+return chooseKeyManager(managers, true);
+}
+
+
+public static X509KeyManager chooseKeyManager(KeyManager[] managers,
boolean throwOnMissing) throws Exception {
if (managers == null) {
return null;
}
@@ -88,7 +93,12 @@ public class OpenSSLUtil extends SSLUtilBase {
return (X509KeyManager) manager;
}
}
-throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+if (throwOnMissing) {
+throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+}
+
+log.warn(sm.getString("openssl.keyManagerMissing.warn"));
+return null;
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 34724b54a9..764d815db0 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -134,6 +134,11 @@
automatically call
setCertificateKeystoreType(ks.getType()). (markt)
+
+67666: Ensure TLS connectors using PEM files either work
with
+the TLSCertificateReloadListener or, in the rare case that
+they do not, log a warning on Connector start. (markt)
+
---
[tomcat] branch main updated: Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 355365599d Fix BZ 67666 - Fix PEM files and
TLSCertificateReloadListener
355365599d is described below
commit 355365599de06ee98e7bdec01e9d69f30f575fe0
Author: Mark Thomas
AuthorDate: Tue Oct 24 22:47:50 2023 +0100
Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
Most should now work. The few that do not will log a warning.
---
.../apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
.../org/apache/tomcat/util/net/openssl/OpenSSLContext.java | 7 ---
java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java | 14 --
webapps/docs/changelog.xml | 5 +
4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 34ec880c41..db09d853fd 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -47,6 +47,7 @@ openssl.errCheckConf=Error during OpenSSLConf check
openssl.errMakeConf=Could not create OpenSSLConf context
openssl.errorSSLCtxInit=Error initializing SSL context
openssl.keyManagerMissing=No key manager found
+openssl.keyManagerMissing.warn=No key manager found. TLS will work but the
certificate will not be visible to Tomcat so management/monitoring features
will not work for this certificate
openssl.makeConf=Creating OpenSSLConf context
openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}]
could not be processed using a JSSE key manager and will be given directly to
OpenSSL
openssl.nonJsseChain=The certificate chain [{0}] was not specified or was not
valid and JSSE requires a valid certificate chain so attempting to use OpenSSL
directly
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index a687e14571..cac88badf7 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -334,9 +334,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(state.ctx, sslHostConfig.getCiphers());
-if (certificate.getCertificateFile() == null) {
-
certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
-}
+// If there is no certificate file must be using a KeyStore so a
KeyManager is required.
+// If there is a certificate file a KeyManager is helpful but not
strictly necessary.
+certificate.setCertificateKeyManager(
+OpenSSLUtil.chooseKeyManager(kms,
certificate.getCertificateFile() == null));
addCertificate(certificate);
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index 8336ecf695..1e5edcd6fe 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -73,8 +73,13 @@ public class OpenSSLUtil extends SSLUtilBase {
return new OpenSSLContext(certificate, negotiableProtocols);
}
-
+@Deprecated
public static X509KeyManager chooseKeyManager(KeyManager[] managers)
throws Exception {
+return chooseKeyManager(managers, true);
+}
+
+
+public static X509KeyManager chooseKeyManager(KeyManager[] managers,
boolean throwOnMissing) throws Exception {
if (managers == null) {
return null;
}
@@ -88,7 +93,12 @@ public class OpenSSLUtil extends SSLUtilBase {
return (X509KeyManager) manager;
}
}
-throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+if (throwOnMissing) {
+throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+}
+
+log.warn(sm.getString("openssl.keyManagerMissing.warn"));
+return null;
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 462ca4e17e..44040cb32b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -146,6 +146,11 @@
listener on the Server element when using Java 22
or later. (remm)
+
+67666: Ensure TLS connectors using PEM files either work
with
+the TLSCertificateReloadListener or, in the rare case that
+they do not, log a warning on Connector start. (markt)
+
-
[tomcat] branch 10.1.x updated (b7bc7f3b66 -> 156fde61bf)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git from b7bc7f3b66 Remove unnecessary code new 3d0ce84c40 Fix BND warning spotting in CI system new 156fde61bf Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../apache/tomcat/util/net/openssl/LocalStrings.properties | 1 + .../org/apache/tomcat/util/net/openssl/OpenSSLContext.java | 7 --- java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java | 14 -- res/bnd/websocket-api.jar.tmp.bnd | 2 +- res/bnd/websocket-client-api.jar.tmp.bnd | 2 +- webapps/docs/changelog.xml | 13 + 6 files changed, 32 insertions(+), 7 deletions(-) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 02/02: Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 156fde61bff15925b2b7ac58dda8e467b0fc5ee1
Author: Mark Thomas
AuthorDate: Tue Oct 24 22:47:50 2023 +0100
Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
Most should now work. The few that do not will log a warning.
---
.../apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
.../org/apache/tomcat/util/net/openssl/OpenSSLContext.java | 7 ---
java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java | 14 --
webapps/docs/changelog.xml | 5 +
4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 34ec880c41..db09d853fd 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -47,6 +47,7 @@ openssl.errCheckConf=Error during OpenSSLConf check
openssl.errMakeConf=Could not create OpenSSLConf context
openssl.errorSSLCtxInit=Error initializing SSL context
openssl.keyManagerMissing=No key manager found
+openssl.keyManagerMissing.warn=No key manager found. TLS will work but the
certificate will not be visible to Tomcat so management/monitoring features
will not work for this certificate
openssl.makeConf=Creating OpenSSLConf context
openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}]
could not be processed using a JSSE key manager and will be given directly to
OpenSSL
openssl.nonJsseChain=The certificate chain [{0}] was not specified or was not
valid and JSSE requires a valid certificate chain so attempting to use OpenSSL
directly
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index a687e14571..cac88badf7 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -334,9 +334,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(state.ctx, sslHostConfig.getCiphers());
-if (certificate.getCertificateFile() == null) {
-
certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
-}
+// If there is no certificate file must be using a KeyStore so a
KeyManager is required.
+// If there is a certificate file a KeyManager is helpful but not
strictly necessary.
+certificate.setCertificateKeyManager(
+OpenSSLUtil.chooseKeyManager(kms,
certificate.getCertificateFile() == null));
addCertificate(certificate);
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index 8336ecf695..1e5edcd6fe 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -73,8 +73,13 @@ public class OpenSSLUtil extends SSLUtilBase {
return new OpenSSLContext(certificate, negotiableProtocols);
}
-
+@Deprecated
public static X509KeyManager chooseKeyManager(KeyManager[] managers)
throws Exception {
+return chooseKeyManager(managers, true);
+}
+
+
+public static X509KeyManager chooseKeyManager(KeyManager[] managers,
boolean throwOnMissing) throws Exception {
if (managers == null) {
return null;
}
@@ -88,7 +93,12 @@ public class OpenSSLUtil extends SSLUtilBase {
return (X509KeyManager) manager;
}
}
-throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+if (throwOnMissing) {
+throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+}
+
+log.warn(sm.getString("openssl.keyManagerMissing.warn"));
+return null;
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3362b7536a..5463f44be2 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -134,6 +134,11 @@
automatically call
setCertificateKeystoreType(ks.getType()). (markt)
+
+67666: Ensure TLS connectors using PEM files either work
with
+the TLSCertificateReloadListener or, in the rare case that
+they do not, log a warning on Connector start. (markt)
+
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 01/02: Fix BND warning spotting in CI system
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 3d0ce84c40ba48d27e46436b6c12dad2b5a23a3a
Author: Mark Thomas
AuthorDate: Tue Oct 24 21:58:01 2023 +0100
Fix BND warning spotting in CI system
---
res/bnd/websocket-api.jar.tmp.bnd| 2 +-
res/bnd/websocket-client-api.jar.tmp.bnd | 2 +-
webapps/docs/changelog.xml | 8
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/res/bnd/websocket-api.jar.tmp.bnd
b/res/bnd/websocket-api.jar.tmp.bnd
index 9f2b0606a5..0184c99bc5 100644
--- a/res/bnd/websocket-api.jar.tmp.bnd
+++ b/res/bnd/websocket-api.jar.tmp.bnd
@@ -35,7 +35,7 @@ Require-Capability: \
osgi.ee;\
filter:="(&(osgi.ee=JavaSE)(version=1.8))"
--namesection: jakarta/websocket*/;\
+-namesection: jakarta/websocket/server*/;\
Specification-Title=Jakarta WebSocket;\
Specification-Version=${websocket.spec.version}${websocket.revision};\
Specification-Vendor=Eclipse Foundation;\
diff --git a/res/bnd/websocket-client-api.jar.tmp.bnd
b/res/bnd/websocket-client-api.jar.tmp.bnd
index 500d14be57..492e495a18 100644
--- a/res/bnd/websocket-client-api.jar.tmp.bnd
+++ b/res/bnd/websocket-client-api.jar.tmp.bnd
@@ -29,7 +29,7 @@ Require-Capability: \
osgi.ee;\
filter:="(&(osgi.ee=JavaSE)(version=1.8))"
--namesection: jakarta/websocket/client*/;\
+-namesection: jakarta/websocket*/;\
Specification-Title=Jakarta WebSocket Client;\
Specification-Version=${websocket.spec.version}${websocket.revision};\
Specification-Vendor=Eclipse Foundation;\
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5100bd9a16..3362b7536a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -136,6 +136,14 @@
+
+
+
+Correct missing metadata int he MANIFEST of the for WebSocket client
API
+JAR file. (markt)
+
+
+
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 67666] TLSCertificateReloadListener does not detect all certificates to reload
https://bz.apache.org/bugzilla/show_bug.cgi?id=67666 --- Comment #2 from Mark Thomas --- The fix for BZ 67667 addressed most of the errors. The remaining issue has been fixed. Reloading isn't going to work for PEM files that are passed directly to OpenSSL although with BZ 67667 those should be few and far between. And we should be able to add handling for them once the PEM format (primarily the KDF and cipher) are known. When reloading isn't going to work, a warning will be logged as there are a few management/monitoring features that won't work. Fixed in: - main for 11.0.0-M13 and onwards - 10.1.x for 10.1.16 and onwards - 9.0.x for 9.0.83 and onwards - 8.5.x for 8.5.96 and onwards -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 67666] TLSCertificateReloadListener does not detect all certificates to reload
https://bz.apache.org/bugzilla/show_bug.cgi?id=67666 Mark Thomas changed: What|Removed |Added Resolution|--- |FIXED Status|NEW |RESOLVED --- Comment #3 from Mark Thomas --- Sorry, wrong bug reference. It was bug 67675. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Add changelog entry for bug 67675.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 509aa2b971 Add changelog entry for bug 67675. 509aa2b971 is described below commit 509aa2b9716e0f2417228d4906453f55065bb4ec Author: Mark Thomas AuthorDate: Tue Oct 24 22:56:54 2023 +0100 Add changelog entry for bug 67675. --- webapps/docs/changelog.xml | 5 + 1 file changed, 5 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 5463f44be2..5f381fdfd3 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -139,6 +139,11 @@ the TLSCertificateReloadListener or, in the rare case that they do not, log a warning on Connector start. (markt) + +67675: Support a wider range of KDF and ciphers for PEM files +than the combinations supported by the JVM by default. Specifically, +support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Add changelog entry for bug 67675.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 40ac19f76f Add changelog entry for bug 67675. 40ac19f76f is described below commit 40ac19f76f29f803986433207132f94ea72ad783 Author: Mark Thomas AuthorDate: Tue Oct 24 22:56:54 2023 +0100 Add changelog entry for bug 67675. --- webapps/docs/changelog.xml | 5 + 1 file changed, 5 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 44040cb32b..e44d6a32bd 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -151,6 +151,11 @@ the TLSCertificateReloadListener or, in the rare case that they do not, log a warning on Connector start. (markt) + +67675: Support a wider range of KDF and ciphers for PEM files +than the combinations supported by the JVM by default. Specifically, +support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Add changelog entry for bug 67675.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new bada0eef0a Add changelog entry for bug 67675. bada0eef0a is described below commit bada0eef0a1859c80128c9a4fd21fa2c35154cdc Author: Mark Thomas AuthorDate: Tue Oct 24 22:56:54 2023 +0100 Add changelog entry for bug 67675. --- webapps/docs/changelog.xml | 5 + 1 file changed, 5 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 764d815db0..23f937a89e 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -139,6 +139,11 @@ the TLSCertificateReloadListener or, in the rare case that they do not, log a warning on Connector start. (markt) + +67675: Support a wider range of KDF and ciphers for PEM files +than the combinations supported by the JVM by default. Specifically, +support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Add changelog entry for bug 67675.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new b09dad9569 Add changelog entry for bug 67675. b09dad9569 is described below commit b09dad9569bed6cd46ce507f28efa320d6b08a3f Author: Mark Thomas AuthorDate: Tue Oct 24 22:56:54 2023 +0100 Add changelog entry for bug 67675. --- webapps/docs/changelog.xml | 5 + 1 file changed, 5 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 35cf047197..868926f494 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -139,6 +139,11 @@ the TLSCertificateReloadListener or, in the rare case that they do not, log a warning on Connector start. (markt) + +67675: Support a wider range of KDF and ciphers for PEM files +than the combinations supported by the JVM by default. Specifically, +support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Move to correct section
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new e8480037a7 Move to correct section e8480037a7 is described below commit e8480037a792261f1d681c697c8ffda2b3024226 Author: Mark Thomas AuthorDate: Tue Oct 24 22:58:40 2023 +0100 Move to correct section --- webapps/docs/changelog.xml | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 5f381fdfd3..e3842e92ff 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -107,10 +107,6 @@ - -66670: Add SSLHostConfig#certificateKeyPasswordFile and -SSLHostConfig#certificateKeystorePasswordFile. (michaelo) - 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo) @@ -128,6 +124,10 @@ + +66670: Add SSLHostConfig#certificateKeyPasswordFile and +SSLHostConfig#certificateKeystorePasswordFile. (michaelo) + When calling SSLHostConfigCertificate.setCertificateKeystore(ks), - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Move to correct section
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new cb5e0377fa Move to correct section cb5e0377fa is described below commit cb5e0377fa3fb896594014845af9e31179d1838b Author: Mark Thomas AuthorDate: Tue Oct 24 22:58:40 2023 +0100 Move to correct section --- webapps/docs/changelog.xml | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 868926f494..43d91bcec3 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -107,10 +107,6 @@ - -66670: Add SSLHostConfig#certificateKeyPasswordFile and -SSLHostConfig#certificateKeystorePasswordFile. (michaelo) - 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo) @@ -128,6 +124,10 @@ + +66670: Add SSLHostConfig#certificateKeyPasswordFile and +SSLHostConfig#certificateKeystorePasswordFile. (michaelo) + When calling SSLHostConfigCertificate.setCertificateKeystore(ks), - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Move to correct section
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 1ba41df12d Move to correct section 1ba41df12d is described below commit 1ba41df12dc1475ff5b39dc2103688e45f4f0720 Author: Mark Thomas AuthorDate: Tue Oct 24 22:58:40 2023 +0100 Move to correct section --- webapps/docs/changelog.xml | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 23f937a89e..162507e24f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -107,10 +107,6 @@ - -66670: Add SSLHostConfig#certificateKeyPasswordFile and -SSLHostConfig#certificateKeystorePasswordFile. (michaelo) - 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo) @@ -128,6 +124,10 @@ + +66670: Add SSLHostConfig#certificateKeyPasswordFile and +SSLHostConfig#certificateKeystorePasswordFile. (michaelo) + When calling SSLHostConfigCertificate.setCertificateKeystore(ks), - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Move to correct section
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 5e76618c4a Move to correct section 5e76618c4a is described below commit 5e76618c4acdb38a8136dee19883dd25fdbc1516 Author: Mark Thomas AuthorDate: Tue Oct 24 22:58:40 2023 +0100 Move to correct section --- webapps/docs/changelog.xml | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index e44d6a32bd..28205a2a7a 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -107,10 +107,6 @@ - -66670: Add SSLHostConfig#certificateKeyPasswordFile and -SSLHostConfig#certificateKeystorePasswordFile. (michaelo) - 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo) @@ -133,6 +129,10 @@ + +66670: Add SSLHostConfig#certificateKeyPasswordFile and +SSLHostConfig#certificateKeystorePasswordFile. (michaelo) + When calling SSLHostConfigCertificate.setCertificateKeystore(ks), - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Port Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new be499209a9 Port Fix BZ 67666 - Fix PEM files and
TLSCertificateReloadListener
be499209a9 is described below
commit be499209a90299371fc882d792ae313684d20858
Author: remm
AuthorDate: Wed Oct 25 00:09:47 2023 +0200
Port Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
---
.../util/net/openssl/panama/OpenSSLContext.java | 8 +---
.../tomcat/util/net/openssl/panama/OpenSSLUtil.java | 20
2 files changed, 5 insertions(+), 23 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index aedac6c61f..3dfdfc1a6b 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -70,6 +70,7 @@ import
org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
import org.apache.tomcat.util.net.openssl.OpenSSLConf;
import org.apache.tomcat.util.net.openssl.OpenSSLConfCmd;
import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
+import org.apache.tomcat.util.net.openssl.OpenSSLUtil;
import org.apache.tomcat.util.res.StringManager;
public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
@@ -576,9 +577,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
}
-if (certificate.getCertificateFile() == null) {
-
certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
-}
+// If there is no certificate file must be using a KeyStore so a
KeyManager is required.
+// If there is a certificate file a KeyManager is helpful but not
strictly necessary.
+certificate.setCertificateKeyManager(
+OpenSSLUtil.chooseKeyManager(kms,
certificate.getCertificateFile() == null));
success = addCertificate(certificate, localArena);
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
index 781dd4889a..6080dfdfb4 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
@@ -22,14 +22,12 @@ import java.util.List;
import java.util.Set;
import javax.net.ssl.KeyManager;
-import javax.net.ssl.X509KeyManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.net.SSLContext;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLUtilBase;
-import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
import org.apache.tomcat.util.res.StringManager;
public class OpenSSLUtil extends SSLUtilBase {
@@ -74,24 +72,6 @@ public class OpenSSLUtil extends SSLUtilBase {
}
-public static X509KeyManager chooseKeyManager(KeyManager[] managers)
throws Exception {
-if (managers == null) {
-return null;
-}
-for (KeyManager manager : managers) {
-if (manager instanceof JSSEKeyManager) {
-return (JSSEKeyManager) manager;
-}
-}
-for (KeyManager manager : managers) {
-if (manager instanceof X509KeyManager) {
-return (X509KeyManager) manager;
-}
-}
-throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
-}
-
-
@Override
public KeyManager[] getKeyManagers() throws Exception {
try {
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Remove extra space
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new ab471feb0f Remove extra space ab471feb0f is described below commit ab471feb0ff972bd4f90a76e170fa3383165e7e3 Author: remm AuthorDate: Wed Oct 25 00:11:06 2023 +0200 Remove extra space --- webapps/docs/changelog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 28205a2a7a..d5c18e7ccf 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -154,7 +154,7 @@ 67675: Support a wider range of KDF and ciphers for PEM files than the combinations supported by the JVM by default. Specifically, -support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) +support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Remove extra space
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 5fa6fba4be Remove extra space 5fa6fba4be is described below commit 5fa6fba4be1478058036e50f57f10025a85ad09d Author: remm AuthorDate: Wed Oct 25 00:11:06 2023 +0200 Remove extra space --- webapps/docs/changelog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index e3842e92ff..4301e1fa40 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -142,7 +142,7 @@ 67675: Support a wider range of KDF and ciphers for PEM files than the combinations supported by the JVM by default. Specifically, -support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) +support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Remove extra space
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 1e3be67d60 Remove extra space 1e3be67d60 is described below commit 1e3be67d60b1a7fc7fb666984c0758bc6b558926 Author: remm AuthorDate: Wed Oct 25 00:11:06 2023 +0200 Remove extra space --- webapps/docs/changelog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 162507e24f..72ea1e0402 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -142,7 +142,7 @@ 67675: Support a wider range of KDF and ciphers for PEM files than the combinations supported by the JVM by default. Specifically, -support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) +support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Remove extra space
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 72a3de06d3 Remove extra space 72a3de06d3 is described below commit 72a3de06d3d5f7d42cf0cfab3134db9772835c63 Author: remm AuthorDate: Wed Oct 25 00:11:06 2023 +0200 Remove extra space --- webapps/docs/changelog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 43d91bcec3..b576cb62b7 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -142,7 +142,7 @@ 67675: Support a wider range of KDF and ciphers for PEM files than the combinations supported by the JVM by default. Specifically, -support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) +support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Port Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 144cb84e1a Port Fix BZ 67666 - Fix PEM files and
TLSCertificateReloadListener
144cb84e1a is described below
commit 144cb84e1a9777ef63c30f6021b562cc04aa708d
Author: remm
AuthorDate: Wed Oct 25 00:17:58 2023 +0200
Port Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
---
.../tomcat/util/net/openssl/panama/OpenSSLContext.java | 7 ---
.../apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java | 13 -
.../tomcat/util/net/openssl/panama/LocalStrings.properties | 1 +
3 files changed, 17 insertions(+), 4 deletions(-)
diff --git
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index da8c8e1046..65de58247e 100644
---
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -575,9 +575,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
}
-if (certificate.getCertificateFile() == null) {
-
certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
-}
+// If there is no certificate file must be using a KeyStore so a
KeyManager is required.
+// If there is a certificate file a KeyManager is helpful but not
strictly necessary.
+certificate.setCertificateKeyManager(
+OpenSSLUtil.chooseKeyManager(kms,
certificate.getCertificateFile() == null));
success = addCertificate(certificate, localArena);
diff --git
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
index 781dd4889a..8891ba839e 100644
---
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
+++
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
@@ -74,7 +74,13 @@ public class OpenSSLUtil extends SSLUtilBase {
}
+@Deprecated
public static X509KeyManager chooseKeyManager(KeyManager[] managers)
throws Exception {
+return chooseKeyManager(managers, true);
+}
+
+
+public static X509KeyManager chooseKeyManager(KeyManager[] managers,
boolean throwOnMissing) throws Exception {
if (managers == null) {
return null;
}
@@ -88,7 +94,12 @@ public class OpenSSLUtil extends SSLUtilBase {
return (X509KeyManager) manager;
}
}
-throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+if (throwOnMissing) {
+throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+}
+
+log.warn(sm.getString("openssl.keyManagerMissing.warn"));
+return null;
}
diff --git
a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index 720877ef78..3b6ab4c80d 100644
---
a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++
b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
@@ -57,6 +57,7 @@ openssl.errorLoadingCertificateRevocationList=Error loading
certificate revocati
openssl.errorPrivateKeyCheck=Private key does not match the certificate public
key: [{0}]
openssl.errorSSLCtxInit=Error initializing SSL context
openssl.keyManagerMissing=No key manager found
+openssl.keyManagerMissing.warn=No key manager found. TLS will work but the
certificate will not be visible to Tomcat so management/monitoring features
will not work for this certificate
openssl.makeConf=Creating OpenSSLConf context
openssl.noCACerts=No CA certificates were configured
openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}]
could not be processed using a JSSE key manager and will be given directly to
OpenSSL
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Port Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new d64e92c8df Port Fix BZ 67666 - Fix PEM files and
TLSCertificateReloadListener
d64e92c8df is described below
commit d64e92c8df04e2c9fec9a9d53ffb685903d7268c
Author: remm
AuthorDate: Wed Oct 25 00:17:58 2023 +0200
Port Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
---
.../tomcat/util/net/openssl/panama/OpenSSLContext.java | 7 ---
.../apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java | 13 -
.../tomcat/util/net/openssl/panama/LocalStrings.properties | 1 +
3 files changed, 17 insertions(+), 4 deletions(-)
diff --git
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index da8c8e1046..65de58247e 100644
---
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -575,9 +575,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
}
-if (certificate.getCertificateFile() == null) {
-
certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
-}
+// If there is no certificate file must be using a KeyStore so a
KeyManager is required.
+// If there is a certificate file a KeyManager is helpful but not
strictly necessary.
+certificate.setCertificateKeyManager(
+OpenSSLUtil.chooseKeyManager(kms,
certificate.getCertificateFile() == null));
success = addCertificate(certificate, localArena);
diff --git
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
index 781dd4889a..8891ba839e 100644
---
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
+++
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
@@ -74,7 +74,13 @@ public class OpenSSLUtil extends SSLUtilBase {
}
+@Deprecated
public static X509KeyManager chooseKeyManager(KeyManager[] managers)
throws Exception {
+return chooseKeyManager(managers, true);
+}
+
+
+public static X509KeyManager chooseKeyManager(KeyManager[] managers,
boolean throwOnMissing) throws Exception {
if (managers == null) {
return null;
}
@@ -88,7 +94,12 @@ public class OpenSSLUtil extends SSLUtilBase {
return (X509KeyManager) manager;
}
}
-throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+if (throwOnMissing) {
+throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+}
+
+log.warn(sm.getString("openssl.keyManagerMissing.warn"));
+return null;
}
diff --git
a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index 720877ef78..3b6ab4c80d 100644
---
a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++
b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
@@ -57,6 +57,7 @@ openssl.errorLoadingCertificateRevocationList=Error loading
certificate revocati
openssl.errorPrivateKeyCheck=Private key does not match the certificate public
key: [{0}]
openssl.errorSSLCtxInit=Error initializing SSL context
openssl.keyManagerMissing=No key manager found
+openssl.keyManagerMissing.warn=No key manager found. TLS will work but the
certificate will not be visible to Tomcat so management/monitoring features
will not work for this certificate
openssl.makeConf=Creating OpenSSLConf context
openssl.noCACerts=No CA certificates were configured
openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}]
could not be processed using a JSSE key manager and will be given directly to
OpenSSL
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Port Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 0effb1fc10 Port Fix BZ 67666 - Fix PEM files and
TLSCertificateReloadListener
0effb1fc10 is described below
commit 0effb1fc10ec52e4d7b114b434c4e72ab9f2fa47
Author: remm
AuthorDate: Wed Oct 25 00:17:58 2023 +0200
Port Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
---
.../tomcat/util/net/openssl/panama/OpenSSLContext.java | 7 ---
.../apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java | 13 -
.../tomcat/util/net/openssl/panama/LocalStrings.properties | 1 +
3 files changed, 17 insertions(+), 4 deletions(-)
diff --git
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index da8c8e1046..65de58247e 100644
---
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -575,9 +575,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
}
-if (certificate.getCertificateFile() == null) {
-
certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
-}
+// If there is no certificate file must be using a KeyStore so a
KeyManager is required.
+// If there is a certificate file a KeyManager is helpful but not
strictly necessary.
+certificate.setCertificateKeyManager(
+OpenSSLUtil.chooseKeyManager(kms,
certificate.getCertificateFile() == null));
success = addCertificate(certificate, localArena);
diff --git
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
index 781dd4889a..8891ba839e 100644
---
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
+++
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
@@ -74,7 +74,13 @@ public class OpenSSLUtil extends SSLUtilBase {
}
+@Deprecated
public static X509KeyManager chooseKeyManager(KeyManager[] managers)
throws Exception {
+return chooseKeyManager(managers, true);
+}
+
+
+public static X509KeyManager chooseKeyManager(KeyManager[] managers,
boolean throwOnMissing) throws Exception {
if (managers == null) {
return null;
}
@@ -88,7 +94,12 @@ public class OpenSSLUtil extends SSLUtilBase {
return (X509KeyManager) manager;
}
}
-throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+if (throwOnMissing) {
+throw new
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+}
+
+log.warn(sm.getString("openssl.keyManagerMissing.warn"));
+return null;
}
diff --git
a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index 720877ef78..3b6ab4c80d 100644
---
a/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++
b/modules/openssl-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
@@ -57,6 +57,7 @@ openssl.errorLoadingCertificateRevocationList=Error loading
certificate revocati
openssl.errorPrivateKeyCheck=Private key does not match the certificate public
key: [{0}]
openssl.errorSSLCtxInit=Error initializing SSL context
openssl.keyManagerMissing=No key manager found
+openssl.keyManagerMissing.warn=No key manager found. TLS will work but the
certificate will not be visible to Tomcat so management/monitoring features
will not work for this certificate
openssl.makeConf=Creating OpenSSLConf context
openssl.noCACerts=No CA certificates were configured
openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}]
could not be processed using a JSSE key manager and will be given directly to
OpenSSL
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Remove deprecated code
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 969e75b4c6 Remove deprecated code
969e75b4c6 is described below
commit 969e75b4c6d2742b8196fc5450578956d71d0fe4
Author: Mark Thomas
AuthorDate: Tue Oct 24 23:23:22 2023 +0100
Remove deprecated code
---
java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java | 5 -
1 file changed, 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index 1e5edcd6fe..7a9ccf0feb 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -73,11 +73,6 @@ public class OpenSSLUtil extends SSLUtilBase {
return new OpenSSLContext(certificate, negotiableProtocols);
}
-@Deprecated
-public static X509KeyManager chooseKeyManager(KeyManager[] managers)
throws Exception {
-return chooseKeyManager(managers, true);
-}
-
public static X509KeyManager chooseKeyManager(KeyManager[] managers,
boolean throwOnMissing) throws Exception {
if (managers == null) {
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Hack special support for FFM
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 9de70887ed Hack special support for FFM
9de70887ed is described below
commit 9de70887ed7cedbfa31e5d1183123b488aa543b7
Author: remm
AuthorDate: Wed Oct 25 00:31:43 2023 +0200
Hack special support for FFM
---
test/org/apache/tomcat/util/net/TesterSupport.java | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java
b/test/org/apache/tomcat/util/net/TesterSupport.java
index 716f1798d6..008b9537ec 100644
--- a/test/org/apache/tomcat/util/net/TesterSupport.java
+++ b/test/org/apache/tomcat/util/net/TesterSupport.java
@@ -66,6 +66,7 @@ import
org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
import org.apache.tomcat.util.net.jsse.JSSEImplementation;
+import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
public final class TesterSupport {
@@ -240,8 +241,16 @@ public final class TesterSupport {
public static void configureSSLImplementation(Tomcat tomcat, String
sslImplementationName) {
try {
Class.forName(sslImplementationName);
+if
("org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation".equals(sslImplementationName))
{
+Class openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+openSSLLibraryClass.getMethod("init").invoke(null);
+Assume.assumeTrue(OpenSSLStatus.isAvailable());
+}
} catch (Throwable t) {
-Assume.assumeNoException(t);
+while (t.getCause() != null) {
+t = t.getCause();
+}
+Assume.assumeFalse(t.getMessage(), Boolean.TRUE);
}
Assert.assertTrue(tomcat.getConnector().setProperty("sslImplementationName",
sslImplementationName));
}
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Correct exception message.
This is an automated email from the ASF dual-hosted git repository.
lihan pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 76ac8d1b55 Correct exception message.
76ac8d1b55 is described below
commit 76ac8d1b55ba5c2ca08827d793bcf6e20d6c9e4e
Author: lihan
AuthorDate: Wed Oct 25 09:53:56 2023 +0800
Correct exception message.
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index b051c539ea..b3f60ce0db 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -406,7 +406,7 @@ public class PEMFile {
byte[] oidPRF = p.parseOIDAsBytes();
String prf = OID_TO_PRF.get(HexUtils.toHexString(oidPRF));
if (prf == null) {
-throw new
NoSuchAlgorithmException(sm.getString("pemFile.unknownPrfAlgorithm", prf));
+throw new
NoSuchAlgorithmException(sm.getString("pemFile.unknownPrfAlgorithm",
HexUtils.toHexString(oidPRF)));
}
p.parseNull();
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Correct exception message.
This is an automated email from the ASF dual-hosted git repository.
lihan pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 9ced1b8edb Correct exception message.
9ced1b8edb is described below
commit 9ced1b8edbac631f47b976e2867b9c4e7d76534c
Author: lihan
AuthorDate: Wed Oct 25 09:53:56 2023 +0800
Correct exception message.
(cherry picked from commit 76ac8d1b55ba5c2ca08827d793bcf6e20d6c9e4e)
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index b051c539ea..b3f60ce0db 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -406,7 +406,7 @@ public class PEMFile {
byte[] oidPRF = p.parseOIDAsBytes();
String prf = OID_TO_PRF.get(HexUtils.toHexString(oidPRF));
if (prf == null) {
-throw new
NoSuchAlgorithmException(sm.getString("pemFile.unknownPrfAlgorithm", prf));
+throw new
NoSuchAlgorithmException(sm.getString("pemFile.unknownPrfAlgorithm",
HexUtils.toHexString(oidPRF)));
}
p.parseNull();
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Correct exception message.
This is an automated email from the ASF dual-hosted git repository.
lihan pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new bec7a51d7f Correct exception message.
bec7a51d7f is described below
commit bec7a51d7fc3fb913c755b258169d1816b77bea5
Author: lihan
AuthorDate: Wed Oct 25 09:53:56 2023 +0800
Correct exception message.
(cherry picked from commit 76ac8d1b55ba5c2ca08827d793bcf6e20d6c9e4e)
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index b051c539ea..b3f60ce0db 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -406,7 +406,7 @@ public class PEMFile {
byte[] oidPRF = p.parseOIDAsBytes();
String prf = OID_TO_PRF.get(HexUtils.toHexString(oidPRF));
if (prf == null) {
-throw new
NoSuchAlgorithmException(sm.getString("pemFile.unknownPrfAlgorithm", prf));
+throw new
NoSuchAlgorithmException(sm.getString("pemFile.unknownPrfAlgorithm",
HexUtils.toHexString(oidPRF)));
}
p.parseNull();
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Correct exception message.
This is an automated email from the ASF dual-hosted git repository.
lihan pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 9663a8fad0 Correct exception message.
9663a8fad0 is described below
commit 9663a8fad03790107e7ebce8f747270b2a508e1c
Author: lihan
AuthorDate: Wed Oct 25 09:53:56 2023 +0800
Correct exception message.
(cherry picked from commit 76ac8d1b55ba5c2ca08827d793bcf6e20d6c9e4e)
---
java/org/apache/tomcat/util/net/jsse/PEMFile.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 71db800680..a136bef6a6 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -404,7 +404,7 @@ public class PEMFile {
byte[] oidPRF = p.parseOIDAsBytes();
String prf = OID_TO_PRF.get(HexUtils.toHexString(oidPRF));
if (prf == null) {
-throw new
NoSuchAlgorithmException(sm.getString("pemFile.unknownPrfAlgorithm", prf));
+throw new
NoSuchAlgorithmException(sm.getString("pemFile.unknownPrfAlgorithm",
HexUtils.toHexString(oidPRF)));
}
p.parseNull();
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
