[Bug 67675] Tomcat and/or Java do not read encrypted private keys with DES-EDE3-CBC generated by openssl-req(1)

2023-12-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

--- Comment #22 from ggar  ---
(In reply to Mark Thomas from comment #21)
> The algorithm is being read as the pseudo random function and failing.
> 
> I need to see if I can find (or build) an OpenSSL 1.0.2 binary.

Mark, there are several links to precompiled ones on the OpenSSL wiki
(https://wiki.openssl.org/index.php/Binaries). I was able to reproduce the
issue with the ones at https://indy.fulgan.com/SSL/. Not sure if you can use
those. I saw that you reopened this bug; should I create a new one as Michael
suggested, or is there no need?

And I agree with what Michael said - 1.0.2 is very old and maybe not worth
supporting. We already started moving towards something newer but since we
might have people out there with the "broken" certs we wanted to make sure this
change was here to stay.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 67675] Tomcat and/or Java do not read encrypted private keys with DES-EDE3-CBC generated by openssl-req(1)

2023-12-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

--- Comment #23 from Mark Thomas  ---
Tomcat ships OpenSSL binaries as part of the Tomcat Native distribution. I
need to go back a bit but we have 1.0.2 binaries.

For now, this looks like a regression so I'm happy handling it here.

While 1.0.2 has been EOL for a while it would not surprise me at all to find
lots of 1.0.2 generated keys and certs still in use.




(tomcat) branch main updated: Sync OpenSSL jextract

2023-12-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 601586edd7 Sync OpenSSL jextract
601586edd7 is described below

commit 601586edd7beaf65ec8495714a207eec8bf85a77
Author: remm 
AuthorDate: Thu Dec 14 11:11:07 2023 +0100

Sync OpenSSL jextract
---
 .../openssl/SSL_CTX_set_alpn_select_cb$cb.java |  13 +-
 .../SSL_CTX_set_cert_verify_callback$cb.java   |  13 +-
 .../openssl/SSL_CTX_set_default_passwd_cb$cb.java  |  21 +-
 .../openssl/SSL_CTX_set_tmp_dh_callback$dh.java|  14 +-
 .../util/openssl/SSL_CTX_set_verify$callback.java  |  11 +-
 .../util/openssl/SSL_set_info_callback$cb.java |  13 +-
 .../util/openssl/SSL_set_verify$callback.java  |  11 +-
 .../org/apache/tomcat/util/openssl/openssl_h.java  | 781 -
 .../tomcat/util/openssl/openssl_h_Macros.java  | 293 
 9 files changed, 657 insertions(+), 513 deletions(-)

diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
index 1ace09bee7..b871ecf568 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
@@ -19,9 +19,11 @@
 
 package org.apache.tomcat.util.openssl;
 
+import java.lang.foreign.Arena;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
+import java.lang.foreign.MemorySegment;
 import java.lang.invoke.MethodHandle;
-import java.lang.foreign.*;
-import static java.lang.foreign.ValueLayout.*;
 
 /**
  * {@snippet lang = c
@@ -30,8 +32,8 @@ import static java.lang.foreign.ValueLayout.*;
  */
 public interface SSL_CTX_set_alpn_select_cb$cb {
 
-FunctionDescriptor $DESC = FunctionDescriptor.of(JAVA_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER,
-openssl_h.C_POINTER, openssl_h.C_POINTER, JAVA_INT, 
openssl_h.C_POINTER);
+FunctionDescriptor $DESC = FunctionDescriptor.of(openssl_h.C_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER,
+openssl_h.C_POINTER, openssl_h.C_POINTER, openssl_h.C_INT, 
openssl_h.C_POINTER);
 
 int apply(MemorySegment _x0, MemorySegment _x1, MemorySegment _x2, 
MemorySegment _x3, int _x4, MemorySegment _x5);
 
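Review bot: In $DESC, replacing JAVA_INT with openssl_h.C_INT moves the layout definition out of this file, while apply() still returns a Java int and takes int _x4. The definition of C_INT is not in this hunk, so confirm in the regenerated openssl_h.java that it is a 32-bit int layout; any other width would no longer match the apply() signature when the upcall stub is created.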
@@ -54,4 +56,5 @@ public interface SSL_CTX_set_alpn_select_cb$cb {
 }
 };
 }
-}
\ No newline at end of file
+}
+
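Review bot: The closing brace now ends with a newline, which clears the "No newline at end of file" marker, but the extra added line after it leaves a blank line at the end of the file. If that blank line is what jextract emits, keep it so the next sync produces no diff; if it was added by hand, drop it.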
diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
index 40f20e3c34..9c5d69e264 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
@@ -19,17 +19,19 @@
 
 package org.apache.tomcat.util.openssl;
 
+import java.lang.foreign.Arena;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
+import java.lang.foreign.MemorySegment;
 import java.lang.invoke.MethodHandle;
-import java.lang.foreign.*;
-import static java.lang.foreign.ValueLayout.*;
 
 /**
- * {@snippet lang = c : * int (*SSL_CTX_set_cert_verify_callback$cb)(struct 
x509_store_ctx_st*,void*);
+ * {@snippet lang = c : * int 
(*SSL_CTX_set_cert_verify_callback$cb)(X509_STORE_CTX*,void*);
  * }
  */
 public interface SSL_CTX_set_cert_verify_callback$cb {
 
-FunctionDescriptor $DESC = FunctionDescriptor.of(JAVA_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER);
+FunctionDescriptor $DESC = FunctionDescriptor.of(openssl_h.C_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER);
 
 int apply(MemorySegment _x0, MemorySegment _x1);
 
@@ -51,4 +53,5 @@ public interface SSL_CTX_set_cert_verify_callback$cb {
 }
 };
 }
-}
\ No newline at end of file
+}
+
diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
index 2d12398c98..c286929484 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
@@ -19,20 +19,22 @@
 
 package org.apache.tomcat.util.openssl;
 
+import java.lang.foreign.Arena;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
+import java.lang.foreign.MemorySegment;
 import java.lang.invoke.Method

(tomcat) branch main updated: Sync cleanups

2023-12-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 8569361da2 Sync cleanups
8569361da2 is described below

commit 8569361da23b1849adfc8e45d4306cacc319a17b
Author: remm 
AuthorDate: Thu Dec 14 11:13:45 2023 +0100

Sync cleanups
---
 .../util/net/openssl/panama/OpenSSLContext.java|  54 +++
 .../util/net/openssl/panama/OpenSSLEngine.java | 166 ++---
 2 files changed, 107 insertions(+), 113 deletions(-)

diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 46c7a8ef39..a5aa2ea8a0 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -100,6 +100,8 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | 
SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2 |
 SSL_PROTOCOL_TLSV1_3);
 
+static final int OPTIONAL_NO_CA = 3;
+
 private static final String BEGIN_KEY = "-BEGIN PRIVATE KEY-\n";
 private static final Object END_KEY = "\n-END PRIVATE KEY-";
 
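Review bot: OPTIONAL_NO_CA = 3 goes from private (removed further down in this file) to package-private with no Javadoc. Now that the constant is shared within the package, add a short comment saying which verification mode the value 3 stands for and which class is expected to read it, so the bare number does not get copied elsewhere.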
@@ -136,8 +138,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 private final MemorySegment openSSLCallbackPassword;
 
 private static final ConcurrentHashMap states = new 
ConcurrentHashMap<>();
-
-static ContextState getState(MemorySegment ctx) {
+private static ContextState getState(MemorySegment ctx) {
 return states.get(Long.valueOf(ctx.address()));
 }
 
@@ -477,8 +478,6 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 return result;
 }
 
-private static final int OPTIONAL_NO_CA = 3;
-
 /**
  * Setup the SSL_CTX.
  *
@@ -564,9 +563,8 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 }
 
 // Set int verify_callback(int preverify_ok, X509_STORE_CTX 
*x509_ctx) callback
-// Leave this just in case but in Tomcat this is always set again 
by the engine
 SSL_CTX_set_verify(state.sslCtx, value,
-SSL_CTX_set_verify$callback.allocate(new VerifyCallback(), 
contextArena));
+SSL_CTX_set_verify$callback.allocate(new 
OpenSSLEngine.VerifyCallback(), contextArena));
 
 // Trust and certificate verification
 if (tms != null) {
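Review bot: The deleted comment above SSL_CTX_set_verify was the only place stating that the context-level verify callback is always set again by the engine. The call now registers OpenSSLEngine.VerifyCallback directly, so replace the comment with one line saying why the context installs the engine's callback and whether the engine still overrides it per connection; this is the peer certificate verification path and the intent should be readable here.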
@@ -710,8 +708,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 // DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)
 private static class TmpDHCallback implements 
SSL_CTX_set_tmp_dh_callback$dh {
 @Override
-public MemorySegment apply(MemorySegment ssl, 
@SuppressWarnings("unused") int isExport,
-@SuppressWarnings("unused") int keylength) {
+public MemorySegment apply(MemorySegment ssl, int isExport, int 
keylength) {
 var pkey = SSL_get_privatekey(ssl);
 int type = (MemorySegment.NULL.equals(pkey)) ? EVP_PKEY_NONE() : 
EVP_PKEY_base_id(pkey);
 /*
@@ -743,7 +740,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 //const unsigned char *in, unsigned int inlen, void *arg)
 private static class ALPNSelectCallback implements 
SSL_CTX_set_alpn_select_cb$cb {
 @Override
-public int apply(@SuppressWarnings("unused") MemorySegment ssl, 
MemorySegment out,
+public int apply(MemorySegment ssl, MemorySegment out,
 MemorySegment outlen, MemorySegment in, int inlen, 
MemorySegment arg) {
 ContextState state = getState(arg);
 if (state == null) {
@@ -779,14 +776,6 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 }
 
 
-private static class VerifyCallback implements SSL_CTX_set_verify$callback 
{
-@Override
-public int apply(int preverify_ok, MemorySegment /*X509_STORE_CTX*/ 
x509ctx) {
-return OpenSSLEngine.openSSLCallbackVerify(preverify_ok, x509ctx);
-}
-}
-
-
 private static class CertVerifyCallback implements 
SSL_CTX_set_cert_verify_callback$cb {
 @Override
 public int apply(MemorySegment /*X509_STORE_CTX*/ x509_ctx, 
MemorySegment param) {
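Review bot: The removed VerifyCallback did nothing except forward to OpenSSLEngine.openSSLCallbackVerify(preverify_ok, x509ctx). Its replacement, OpenSSLEngine.VerifyCallback, lives in the OpenSSLEngine.java part of the commit, which this mail does not show; check that it forwards to the same method with the same arguments and return value, and that the class is at least package-private so this file still compiles.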
@@ -920,8 +909,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 
 private static class PasswordCallback implements 
SSL_CTX_set_default_passwd_cb$cb {
 @Override
-public int

(tomcat) branch 10.1.x updated (488934245b -> 625f3c166b)

2023-12-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a change to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


from 488934245b Add release date for 10.1.17.
 new c04f072339 Sync OpenSSL jextract
 new 625f3c166b Sync cleanups

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../util/net/openssl/panama/OpenSSLContext.java|  54 +-
 .../util/net/openssl/panama/OpenSSLEngine.java | 166 +++--
 .../openssl/SSL_CTX_set_alpn_select_cb$cb.java |  13 +-
 .../SSL_CTX_set_cert_verify_callback$cb.java   |  13 +-
 .../openssl/SSL_CTX_set_default_passwd_cb$cb.java  |  21 +-
 .../openssl/SSL_CTX_set_tmp_dh_callback$dh.java|  14 +-
 .../util/openssl/SSL_CTX_set_verify$callback.java  |  11 +-
 .../util/openssl/SSL_set_info_callback$cb.java |  13 +-
 .../util/openssl/SSL_set_verify$callback.java  |  11 +-
 .../org/apache/tomcat/util/openssl/openssl_h.java  | 781 -
 .../tomcat/util/openssl/openssl_h_Macros.java  | 293 
 11 files changed, 764 insertions(+), 626 deletions(-)





(tomcat) 02/02: Sync cleanups

2023-12-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 625f3c166b46f00661e7a6ac4f0a95c485962ffe
Author: remm 
AuthorDate: Thu Dec 14 11:13:45 2023 +0100

Sync cleanups
---
 .../util/net/openssl/panama/OpenSSLContext.java|  54 +++
 .../util/net/openssl/panama/OpenSSLEngine.java | 166 ++---
 2 files changed, 107 insertions(+), 113 deletions(-)

diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index ba0c1b2d39..12da6c00c7 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -99,6 +99,8 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | 
SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2 |
 SSL_PROTOCOL_TLSV1_3);
 
+static final int OPTIONAL_NO_CA = 3;
+
 private static final String BEGIN_KEY = "-BEGIN PRIVATE KEY-\n";
 private static final Object END_KEY = "\n-END PRIVATE KEY-";
 
@@ -135,8 +137,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 private final MemorySegment openSSLCallbackPassword;
 
 private static final ConcurrentHashMap states = new 
ConcurrentHashMap<>();
-
-static ContextState getState(MemorySegment ctx) {
+private static ContextState getState(MemorySegment ctx) {
 return states.get(Long.valueOf(ctx.address()));
 }
 
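Review bot: getState() narrows from package-private to private, which only compiles if nothing else in the package still calls it; the OpenSSLEngine.java changes that would show this are not in the visible part of the mail. Separately, states.get(...) returns null for an unknown context address, so every remaining caller in this class needs the same state == null guard that ALPNSelectCallback.apply() has.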
@@ -476,8 +477,6 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 return result;
 }
 
-private static final int OPTIONAL_NO_CA = 3;
-
 /**
  * Setup the SSL_CTX.
  *
@@ -563,9 +562,8 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 }
 
 // Set int verify_callback(int preverify_ok, X509_STORE_CTX 
*x509_ctx) callback
-// Leave this just in case but in Tomcat this is always set again 
by the engine
 SSL_CTX_set_verify(state.sslCtx, value,
-SSL_CTX_set_verify$callback.allocate(new VerifyCallback(), 
contextArena));
+SSL_CTX_set_verify$callback.allocate(new 
OpenSSLEngine.VerifyCallback(), contextArena));
 
 // Trust and certificate verification
 if (tms != null) {
@@ -709,8 +707,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 // DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)
 private static class TmpDHCallback implements 
SSL_CTX_set_tmp_dh_callback$dh {
 @Override
-public MemorySegment apply(MemorySegment ssl, 
@SuppressWarnings("unused") int isExport,
-@SuppressWarnings("unused") int keylength) {
+public MemorySegment apply(MemorySegment ssl, int isExport, int 
keylength) {
 var pkey = SSL_get_privatekey(ssl);
 int type = (MemorySegment.NULL.equals(pkey)) ? EVP_PKEY_NONE() : 
EVP_PKEY_base_id(pkey);
 /*
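Review bot: Both @SuppressWarnings("unused") annotations are dropped from isExport and keylength in TmpDHCallback.apply(), but the lines shown only use ssl. If neither parameter is read later in the method, builds and IDEs configured to flag unused parameters will start warning here again; either keep the suppression or state in the commit message that the project no longer enables that warning.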
@@ -742,7 +739,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 //const unsigned char *in, unsigned int inlen, void *arg)
 private static class ALPNSelectCallback implements 
SSL_CTX_set_alpn_select_cb$cb {
 @Override
-public int apply(@SuppressWarnings("unused") MemorySegment ssl, 
MemorySegment out,
+public int apply(MemorySegment ssl, MemorySegment out,
 MemorySegment outlen, MemorySegment in, int inlen, 
MemorySegment arg) {
 ContextState state = getState(arg);
 if (state == null) {
@@ -778,14 +775,6 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 }
 
 
-private static class VerifyCallback implements SSL_CTX_set_verify$callback 
{
-@Override
-public int apply(int preverify_ok, MemorySegment /*X509_STORE_CTX*/ 
x509ctx) {
-return OpenSSLEngine.openSSLCallbackVerify(preverify_ok, x509ctx);
-}
-}
-
-
 private static class CertVerifyCallback implements 
SSL_CTX_set_cert_verify_callback$cb {
 @Override
 public int apply(MemorySegment /*X509_STORE_CTX*/ x509_ctx, 
MemorySegment param) {
@@ -919,8 +908,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 
 private static class PasswordCallback implements 
SSL_CTX_set_default_passwd_cb$cb {
 @Override
-public int apply(MemorySegment /*char **/ buf, int bufsiz,
-@SuppressWarnings("unused") int verify, 
@SuppressWarnings("unused")

(tomcat) 01/02: Sync OpenSSL jextract

2023-12-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit c04f072339e94e9b0ee16b2fe704fbd409daeea7
Author: remm 
AuthorDate: Thu Dec 14 11:11:07 2023 +0100

Sync OpenSSL jextract
---
 .../openssl/SSL_CTX_set_alpn_select_cb$cb.java |  13 +-
 .../SSL_CTX_set_cert_verify_callback$cb.java   |  13 +-
 .../openssl/SSL_CTX_set_default_passwd_cb$cb.java  |  21 +-
 .../openssl/SSL_CTX_set_tmp_dh_callback$dh.java|  14 +-
 .../util/openssl/SSL_CTX_set_verify$callback.java  |  11 +-
 .../util/openssl/SSL_set_info_callback$cb.java |  13 +-
 .../util/openssl/SSL_set_verify$callback.java  |  11 +-
 .../org/apache/tomcat/util/openssl/openssl_h.java  | 781 -
 .../tomcat/util/openssl/openssl_h_Macros.java  | 293 
 9 files changed, 657 insertions(+), 513 deletions(-)

diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
index 1ace09bee7..b871ecf568 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
@@ -19,9 +19,11 @@
 
 package org.apache.tomcat.util.openssl;
 
+import java.lang.foreign.Arena;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
+import java.lang.foreign.MemorySegment;
 import java.lang.invoke.MethodHandle;
-import java.lang.foreign.*;
-import static java.lang.foreign.ValueLayout.*;
 
 /**
  * {@snippet lang = c
@@ -30,8 +32,8 @@ import static java.lang.foreign.ValueLayout.*;
  */
 public interface SSL_CTX_set_alpn_select_cb$cb {
 
-FunctionDescriptor $DESC = FunctionDescriptor.of(JAVA_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER,
-openssl_h.C_POINTER, openssl_h.C_POINTER, JAVA_INT, 
openssl_h.C_POINTER);
+FunctionDescriptor $DESC = FunctionDescriptor.of(openssl_h.C_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER,
+openssl_h.C_POINTER, openssl_h.C_POINTER, openssl_h.C_INT, 
openssl_h.C_POINTER);
 
 int apply(MemorySegment _x0, MemorySegment _x1, MemorySegment _x2, 
MemorySegment _x3, int _x4, MemorySegment _x5);
 
@@ -54,4 +56,5 @@ public interface SSL_CTX_set_alpn_select_cb$cb {
 }
 };
 }
-}
\ No newline at end of file
+}
+
diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
index 40f20e3c34..9c5d69e264 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
@@ -19,17 +19,19 @@
 
 package org.apache.tomcat.util.openssl;
 
+import java.lang.foreign.Arena;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
+import java.lang.foreign.MemorySegment;
 import java.lang.invoke.MethodHandle;
-import java.lang.foreign.*;
-import static java.lang.foreign.ValueLayout.*;
 
 /**
- * {@snippet lang = c : * int (*SSL_CTX_set_cert_verify_callback$cb)(struct 
x509_store_ctx_st*,void*);
+ * {@snippet lang = c : * int 
(*SSL_CTX_set_cert_verify_callback$cb)(X509_STORE_CTX*,void*);
  * }
  */
 public interface SSL_CTX_set_cert_verify_callback$cb {
 
-FunctionDescriptor $DESC = FunctionDescriptor.of(JAVA_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER);
+FunctionDescriptor $DESC = FunctionDescriptor.of(openssl_h.C_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER);
 
 int apply(MemorySegment _x0, MemorySegment _x1);
 
@@ -51,4 +53,5 @@ public interface SSL_CTX_set_cert_verify_callback$cb {
 }
 };
 }
-}
\ No newline at end of file
+}
+
diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
index 2d12398c98..c286929484 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
@@ -19,20 +19,22 @@
 
 package org.apache.tomcat.util.openssl;
 
+import java.lang.foreign.Arena;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
+import java.lang.foreign.MemorySegment;
 import java.lang.invoke.MethodHandle;
-import java.lang.foreign.*;
-import static java.lang.foreign.ValueLayout.*;
 
 /**
- * {@snippet lang = c : * int 
(*SSL_CTX_set_de

(tomcat) branch 9.0.x updated (29323ed485 -> c73e6335f3)

2023-12-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a change to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


from 29323ed485 Improve verify-release
 new 4e9d600d38 Sync OpenSSL jextract
 new c73e6335f3 Sync cleanups

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../util/net/openssl/panama/OpenSSLContext.java|  54 +-
 .../util/net/openssl/panama/OpenSSLEngine.java | 166 +++--
 .../openssl/SSL_CTX_set_alpn_select_cb$cb.java |  13 +-
 .../SSL_CTX_set_cert_verify_callback$cb.java   |  13 +-
 .../openssl/SSL_CTX_set_default_passwd_cb$cb.java  |  21 +-
 .../openssl/SSL_CTX_set_tmp_dh_callback$dh.java|  14 +-
 .../util/openssl/SSL_CTX_set_verify$callback.java  |  11 +-
 .../util/openssl/SSL_set_info_callback$cb.java |  13 +-
 .../util/openssl/SSL_set_verify$callback.java  |  11 +-
 .../org/apache/tomcat/util/openssl/openssl_h.java  | 781 -
 .../tomcat/util/openssl/openssl_h_Macros.java  | 293 
 11 files changed, 764 insertions(+), 626 deletions(-)





(tomcat) 02/02: Sync cleanups

2023-12-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit c73e6335f39c0d5de73fdd28a69b8699ed109941
Author: remm 
AuthorDate: Thu Dec 14 11:13:45 2023 +0100

Sync cleanups
---
 .../util/net/openssl/panama/OpenSSLContext.java|  54 +++
 .../util/net/openssl/panama/OpenSSLEngine.java | 166 ++---
 2 files changed, 107 insertions(+), 113 deletions(-)

diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index ba0c1b2d39..12da6c00c7 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -99,6 +99,8 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | 
SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2 |
 SSL_PROTOCOL_TLSV1_3);
 
+static final int OPTIONAL_NO_CA = 3;
+
 private static final String BEGIN_KEY = "-BEGIN PRIVATE KEY-\n";
 private static final Object END_KEY = "\n-END PRIVATE KEY-";
 
@@ -135,8 +137,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 private final MemorySegment openSSLCallbackPassword;
 
 private static final ConcurrentHashMap states = new 
ConcurrentHashMap<>();
-
-static ContextState getState(MemorySegment ctx) {
+private static ContextState getState(MemorySegment ctx) {
 return states.get(Long.valueOf(ctx.address()));
 }
 
@@ -476,8 +477,6 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 return result;
 }
 
-private static final int OPTIONAL_NO_CA = 3;
-
 /**
  * Setup the SSL_CTX.
  *
@@ -563,9 +562,8 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 }
 
 // Set int verify_callback(int preverify_ok, X509_STORE_CTX 
*x509_ctx) callback
-// Leave this just in case but in Tomcat this is always set again 
by the engine
 SSL_CTX_set_verify(state.sslCtx, value,
-SSL_CTX_set_verify$callback.allocate(new VerifyCallback(), 
contextArena));
+SSL_CTX_set_verify$callback.allocate(new 
OpenSSLEngine.VerifyCallback(), contextArena));
 
 // Trust and certificate verification
 if (tms != null) {
@@ -709,8 +707,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 // DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)
 private static class TmpDHCallback implements 
SSL_CTX_set_tmp_dh_callback$dh {
 @Override
-public MemorySegment apply(MemorySegment ssl, 
@SuppressWarnings("unused") int isExport,
-@SuppressWarnings("unused") int keylength) {
+public MemorySegment apply(MemorySegment ssl, int isExport, int 
keylength) {
 var pkey = SSL_get_privatekey(ssl);
 int type = (MemorySegment.NULL.equals(pkey)) ? EVP_PKEY_NONE() : 
EVP_PKEY_base_id(pkey);
 /*
@@ -742,7 +739,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 //const unsigned char *in, unsigned int inlen, void *arg)
 private static class ALPNSelectCallback implements 
SSL_CTX_set_alpn_select_cb$cb {
 @Override
-public int apply(@SuppressWarnings("unused") MemorySegment ssl, 
MemorySegment out,
+public int apply(MemorySegment ssl, MemorySegment out,
 MemorySegment outlen, MemorySegment in, int inlen, 
MemorySegment arg) {
 ContextState state = getState(arg);
 if (state == null) {
@@ -778,14 +775,6 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 }
 
 
-private static class VerifyCallback implements SSL_CTX_set_verify$callback 
{
-@Override
-public int apply(int preverify_ok, MemorySegment /*X509_STORE_CTX*/ 
x509ctx) {
-return OpenSSLEngine.openSSLCallbackVerify(preverify_ok, x509ctx);
-}
-}
-
-
 private static class CertVerifyCallback implements 
SSL_CTX_set_cert_verify_callback$cb {
 @Override
 public int apply(MemorySegment /*X509_STORE_CTX*/ x509_ctx, 
MemorySegment param) {
@@ -919,8 +908,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 
 private static class PasswordCallback implements 
SSL_CTX_set_default_passwd_cb$cb {
 @Override
-public int apply(MemorySegment /*char **/ buf, int bufsiz,
-@SuppressWarnings("unused") int verify, 
@SuppressWarnings("unused") 

(tomcat) 01/02: Sync OpenSSL jextract

2023-12-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 4e9d600d38f1f59826aeb0edaba299be1109f9ad
Author: remm 
AuthorDate: Thu Dec 14 11:11:07 2023 +0100

Sync OpenSSL jextract
---
 .../openssl/SSL_CTX_set_alpn_select_cb$cb.java |  13 +-
 .../SSL_CTX_set_cert_verify_callback$cb.java   |  13 +-
 .../openssl/SSL_CTX_set_default_passwd_cb$cb.java  |  21 +-
 .../openssl/SSL_CTX_set_tmp_dh_callback$dh.java|  14 +-
 .../util/openssl/SSL_CTX_set_verify$callback.java  |  11 +-
 .../util/openssl/SSL_set_info_callback$cb.java |  13 +-
 .../util/openssl/SSL_set_verify$callback.java  |  11 +-
 .../org/apache/tomcat/util/openssl/openssl_h.java  | 781 -
 .../tomcat/util/openssl/openssl_h_Macros.java  | 293 
 9 files changed, 657 insertions(+), 513 deletions(-)

diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
index 1ace09bee7..b871ecf568 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_alpn_select_cb$cb.java
@@ -19,9 +19,11 @@
 
 package org.apache.tomcat.util.openssl;
 
+import java.lang.foreign.Arena;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
+import java.lang.foreign.MemorySegment;
 import java.lang.invoke.MethodHandle;
-import java.lang.foreign.*;
-import static java.lang.foreign.ValueLayout.*;
 
 /**
  * {@snippet lang = c
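Review bot: The wildcard java.lang.foreign.* import and the static ValueLayout.* import are replaced by four explicit imports, but Arena and Linker are not referenced anywhere in the lines shown. Confirm that both are used in the rest of the file; otherwise they are unused imports and should be removed from the generated output or from the generator template.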
@@ -30,8 +32,8 @@ import static java.lang.foreign.ValueLayout.*;
  */
 public interface SSL_CTX_set_alpn_select_cb$cb {
 
-FunctionDescriptor $DESC = FunctionDescriptor.of(JAVA_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER,
-openssl_h.C_POINTER, openssl_h.C_POINTER, JAVA_INT, 
openssl_h.C_POINTER);
+FunctionDescriptor $DESC = FunctionDescriptor.of(openssl_h.C_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER,
+openssl_h.C_POINTER, openssl_h.C_POINTER, openssl_h.C_INT, 
openssl_h.C_POINTER);
 
 int apply(MemorySegment _x0, MemorySegment _x1, MemorySegment _x2, 
MemorySegment _x3, int _x4, MemorySegment _x5);
 
@@ -54,4 +56,5 @@ public interface SSL_CTX_set_alpn_select_cb$cb {
 }
 };
 }
-}
\ No newline at end of file
+}
+
diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
index 40f20e3c34..9c5d69e264 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_cert_verify_callback$cb.java
@@ -19,17 +19,19 @@
 
 package org.apache.tomcat.util.openssl;
 
+import java.lang.foreign.Arena;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
+import java.lang.foreign.MemorySegment;
 import java.lang.invoke.MethodHandle;
-import java.lang.foreign.*;
-import static java.lang.foreign.ValueLayout.*;
 
 /**
- * {@snippet lang = c : * int (*SSL_CTX_set_cert_verify_callback$cb)(struct 
x509_store_ctx_st*,void*);
+ * {@snippet lang = c : * int 
(*SSL_CTX_set_cert_verify_callback$cb)(X509_STORE_CTX*,void*);
  * }
  */
 public interface SSL_CTX_set_cert_verify_callback$cb {
 
-FunctionDescriptor $DESC = FunctionDescriptor.of(JAVA_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER);
+FunctionDescriptor $DESC = FunctionDescriptor.of(openssl_h.C_INT, 
openssl_h.C_POINTER, openssl_h.C_POINTER);
 
 int apply(MemorySegment _x0, MemorySegment _x1);
 
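Review bot: The explicit imports added here include `Arena` and `Linker`, but the lines visible in this hunk only use `FunctionDescriptor` and `MemorySegment`. If the rest of the file does not reference them they should be dropped; if it does, no change is needed.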
@@ -51,4 +53,5 @@ public interface SSL_CTX_set_cert_verify_callback$cb {
 }
 };
 }
-}
\ No newline at end of file
+}
+
diff --git 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
index 2d12398c98..c286929484 100644
--- 
a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
+++ 
b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/openssl/SSL_CTX_set_default_passwd_cb$cb.java
@@ -19,20 +19,22 @@
 
 package org.apache.tomcat.util.openssl;
 
+import java.lang.foreign.Arena;
+import java.lang.foreign.FunctionDescriptor;
+import java.lang.foreign.Linker;
+import java.lang.foreign.MemorySegment;
 import java.lang.invoke.MethodHandle;
-import java.lang.foreign.*;
-import static java.lang.foreign.ValueLayout.*;
 
 /**
- * {@snippet lang = c : * int 
(*SSL_CTX_set_def

[Bug 67675] Tomcat and/or Java do not read encrypted private keys with DES-EDE3-CBC generated by openssl-req(1)

2023-12-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

--- Comment #24 from Mark Thomas  ---
Confirmed. It is a regression. OpenSSL 1.0.2 doesn't specify the PRF so the
default should apply.


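The point made in comment #24, as an added example that is not Tomcat's code: whether the optional prf field is present is decided by comparing the read position with the end of the enclosing PBKDF2-params SEQUENCE, and the RFC 8018 default (HmacSHA1) is used only when the field is absent. The class name, the helper names and both sample byte arrays are constructed for illustration.

```java
import java.util.Arrays;

/** Added example, not Tomcat code: choose the PBKDF2 PRF from DER-encoded PBKDF2-params. */
public class Pbkdf2PrfDemo {

    private static final String DEFAULT_PRF = "HmacSHA1"; // RFC 8018 default
    // DER content bytes shared by the hmacWithSHA* OIDs, 1.2.840.113549.2.x
    private static final byte[] HMAC_OID_PREFIX =
            { 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0x0D, 0x02 };

    private final byte[] der;
    private int pos = 0;

    private Pbkdf2PrfDemo(byte[] der) {
        this.der = der;
    }

    /** Consumes a tag and definite length; returns the offset just past the element's content. */
    private int enter(int expectedTag, int limit) {
        if (limit - pos < 2) {
            throw new IllegalArgumentException("Truncated element at offset " + pos);
        }
        int tag = der[pos++] & 0xFF;
        if (tag != expectedTag) {
            throw new IllegalArgumentException("Unexpected tag 0x" + Integer.toHexString(tag));
        }
        int len = der[pos++] & 0xFF;
        if (len > 0x7F) { // long form: low 7 bits give the number of length bytes
            int count = len & 0x7F;
            if (count == 0 || count > 3 || count > limit - pos) {
                throw new IllegalArgumentException("Unsupported length encoding");
            }
            len = 0;
            for (int i = 0; i < count; i++) {
                len = (len << 8) | (der[pos++] & 0xFF);
            }
        }
        if (len > limit - pos) {
            throw new IllegalArgumentException("Length runs past the enclosing element");
        }
        return pos + len;
    }

    private static String prfName(byte[] oid) {
        if (oid.length == 8 && Arrays.equals(Arrays.copyOf(oid, 7), HMAC_OID_PREFIX)) {
            switch (oid[7]) {
                case 0x07: return "HmacSHA1";
                case 0x08: return "HmacSHA224";
                case 0x09: return "HmacSHA256";
                case 0x0A: return "HmacSHA384";
                case 0x0B: return "HmacSHA512";
                default: break;
            }
        }
        // A PRF that is present but unknown is an error, never a reason to use the default.
        throw new IllegalArgumentException("Unknown PRF OID");
    }

    /** Assumption: the salt uses the OCTET STRING choice of PBKDF2-params. */
    public static String prfOf(byte[] pbkdf2Params) {
        Pbkdf2PrfDemo p = new Pbkdf2PrfDemo(pbkdf2Params);
        int end = p.enter(0x30, pbkdf2Params.length); // PBKDF2-params SEQUENCE
        p.pos = p.enter(0x04, end);                   // salt, content skipped
        p.pos = p.enter(0x02, end);                   // iterationCount, content skipped
        if (p.pos < end && (p.der[p.pos] & 0xFF) == 0x02) {
            p.pos = p.enter(0x02, end);               // optional keyLength
        }
        if (p.pos == end) {
            return DEFAULT_PRF;                       // prf omitted by the writer
        }
        int algEnd = p.enter(0x30, end);              // prf AlgorithmIdentifier
        int oidEnd = p.enter(0x06, algEnd);
        return prfName(Arrays.copyOfRange(p.der, p.pos, oidEnd));
    }

    public static void main(String[] args) {
        // Constructed sample: salt and iteration count only, no prf field
        byte[] noPrf = { 0x30, 0x0E, 0x04, 0x08, 1, 2, 3, 4, 5, 6, 7, 8, 0x02, 0x02, 0x08, 0x00 };
        // Constructed sample: same fields followed by an explicit hmacWithSHA256 identifier
        byte[] sha256 = { 0x30, 0x1C, 0x04, 0x08, 1, 2, 3, 4, 5, 6, 7, 8, 0x02, 0x02, 0x08, 0x00,
                0x30, 0x0C, 0x06, 0x08, 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0x0D,
                0x02, 0x09, 0x05, 0x00 };
        System.out.println("no prf field -> " + prfOf(noPrf));
        System.out.println("explicit prf -> " + prfOf(sha256));
    }
}
```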


[Bug 67675] Tomcat and/or Java do not read encrypted private keys with DES-EDE3-CBC generated by openssl-req(1)

2023-12-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

--- Comment #25 from Garo  ---
(In reply to Mark Thomas from comment #24)
> Confirmed. It is a regression. OpenSSL 1.0.2 doesn't specify the PRF so the
> default should apply.

That was fast! Does this mean that it will be fixed in an upcoming release? By
the way, thank you for being so responsive and reproducing this so quickly.




[Bug 67675] Tomcat and/or Java do not read encrypted private keys with DES-EDE3-CBC generated by openssl-req(1)

2023-12-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

--- Comment #26 from Mark Thomas  ---
Yes, this should be fixed for the next release round which is currently
scheduled for January.




[Bug 67675] Tomcat and/or Java do not read encrypted private keys with DES-EDE3-CBC generated by openssl-req(1)

2023-12-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

--- Comment #27 from Christopher Schultz  ---
(In reply to Mark Thomas from comment #23)
> While 1.0.2 has been EOL for a while it would not surprise me at all to find
> lots of 1.0.2 generated keys and certs still in use.

+1

The issue is not whether or not anyone is still using OpenSSL 1.0.2 today, but
whether or not anyone still has keys and certs from when they /were/ using it
in the past.




[Bug 67675] Tomcat and/or Java do not read encrypted private keys with DES-EDE3-CBC generated by openssl-req(1)

2023-12-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

--- Comment #28 from Michael Osipov  ---
(In reply to Christopher Schultz from comment #27)
> (In reply to Mark Thomas from comment #23)
> > While 1.0.2 has been EOL for a while it would not surprise me at all to find
> > lots of 1.0.2 generated keys and certs still in use.
> 
> +1
> 
> > The issue is not whether or not anyone is still using OpenSSL 1.0.2 today,
> > but whether or not anyone still has keys and certs from when they /were/
> > using it in the past.

That would also mean that they are years old and still valid...




(tomcat) branch main updated: Correct regression in fix for BZ 67675 - allow for default PRF

2023-12-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new e8d5ac173d Correct regression in fix for BZ 67675 - allow for default PRF
e8d5ac173d is described below

commit e8d5ac173da8a5b2cfbe1afdf2b1a55a6f0797d7
Author: Mark Thomas 
AuthorDate: Thu Dec 14 16:09:01 2023 +

Correct regression in fix for BZ 67675 - allow for default PRF

https://bz.apache.org/bugzilla/show_bug.cgi?id=67675#c24
---
 java/org/apache/tomcat/util/buf/Asn1Parser.java| 41 +-
 java/org/apache/tomcat/util/net/jsse/PEMFile.java  | 65 +-
 .../apache/tomcat/util/net/jsse/TestPEMFile.java   |  7 +++
 ...ncrypted-pkcs8-hmacsha1default-des-ede3-cbc.pem | 54 ++
 webapps/docs/changelog.xml |  6 ++
 5 files changed, 146 insertions(+), 27 deletions(-)

diff --git a/java/org/apache/tomcat/util/buf/Asn1Parser.java 
b/java/org/apache/tomcat/util/buf/Asn1Parser.java
index 92d13c02a8..1d88b113d4 100644
--- a/java/org/apache/tomcat/util/buf/Asn1Parser.java
+++ b/java/org/apache/tomcat/util/buf/Asn1Parser.java
@@ -17,6 +17,8 @@
 package org.apache.tomcat.util.buf;
 
 import java.math.BigInteger;
+import java.util.ArrayDeque;
+import java.util.Deque;
 
 import org.apache.tomcat.util.res.StringManager;
 
@@ -24,7 +26,7 @@ import org.apache.tomcat.util.res.StringManager;
  * This is a very basic ASN.1 parser that provides the limited functionality 
required by Tomcat. It is a long way from a
  * complete parser.
  * 
- * TODO: Consider extending this parser and refactoring the SpnegoTokenFixer 
to use it.
+ * TODO: Consider extending/re-writing this parser and refactoring the 
SpnegoTokenFixer to use it.
  */
 public class Asn1Parser {
 
@@ -41,6 +43,15 @@ public class Asn1Parser {
 
 private int pos = 0;
 
+/*
+ * This is somewhat of a hack to work around the simplified design of the 
parsing API that could result in ambiguous
+ * results when nested sequences were optional. Checking the current 
nesting level of sequence tags enables a user
+ * of the parser to determine if an optional sequence is present or not.
+ *
+ * See https://bz.apache.org/bugzilla/show_bug.cgi?id=67675#c24
+ */
+private Deque nestedSequenceEndPositions = new ArrayDeque<>();
+
 
 public Asn1Parser(byte[] source) {
 this.source = source;
@@ -58,7 +69,21 @@ public class Asn1Parser {
 
 
 public void parseTagSequence() {
+/*
+ * Check to see if the parser has completely parsed, based on end 
position for the sequence, any previous
+ * sequences and remove those sequences from the sequence nesting 
tracking mechanism if they have been
+ * completely parsed.
+ */
+while (nestedSequenceEndPositions.size() > 0) {
+if (nestedSequenceEndPositions.peekLast().intValue() <= pos) {
+nestedSequenceEndPositions.pollLast();
+} else {
+break;
+}
+}
+// Add the new sequence to the sequence nesting tracking mechanism.
 parseTag(TAG_SEQUENCE);
+nestedSequenceEndPositions.addLast(Integer.valueOf(-1));
 }
 
 
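Review bot: The pruning loop at the top of `parseTagSequence()` treats the `-1` placeholder as a finished sequence, because `-1 <= pos` always holds. If a caller reads two sequence tags with no `parseLength()` in between, the first sequence is silently dropped from the deque and `getNestedSequenceLevel()` under-reports. Stop the loop when the tail is `-1`, or throw there, since a sequence tag whose length was never read is a caller error.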
@@ -90,6 +115,15 @@ public class Asn1Parser {
 len = len + next();
 }
 }
+/*
+ * If this is the first length parsed after a sequence has been added 
to the sequence nesting tracking mechansim
+ * it must be the length of the sequence so update the entry to record 
the end position of the sequence. Note
+ * that position recorded is actually the start of the first element 
after the sequence ends.
+ */
+if (nestedSequenceEndPositions.peekLast() != null && 
nestedSequenceEndPositions.peekLast().intValue() == -1) {
+nestedSequenceEndPositions.pollLast();
+nestedSequenceEndPositions.addLast(Integer.valueOf(pos + len));
+}
 return len;
 }
 
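Review bot: `pos + len` is recorded as the sequence end without being checked against `source.length`, and `len` is built directly from the encoded length bytes. A malformed or truncated key file can therefore record an end position past the buffer; that entry is never pruned, because `pos` cannot reach it, so the nesting level stays inflated for the rest of the parse. Rejecting `len > source.length - pos` at this point would fail early with a clear error.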
@@ -139,4 +173,9 @@ public class Asn1Parser {
 private int next() {
 return source[pos++] & 0xFF;
 }
+
+
+public int getNestedSequenceLevel() {
+return nestedSequenceEndPositions.size();
+}
 }
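Review bot: `getNestedSequenceLevel()` is a new public method with no Javadoc, and its value is only current right after `parseTagSequence()` (the one place finished sequences are pruned) and the `parseLength()` that follows. Please document that; a caller reading it after the last element of a sequence gets a stale, too-high level.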
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java 
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 5bef5b6f24..0185a62bcb 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -75,10 +75,13 @@ public class PEMFile {
 private static final byte[] OID_PBKDF2 =
 new byte[] { 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 
0x0D, 0x01, 0x05, 0x0C };
 
+// Default defined in RFC 8018
+private static final String DEFAULT_PRF = "HmacSHA1";
+
 private static final Map OID_TO_PRF = new HashMap<>();
 static {
 // 1.2.840.
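Review bot: `DEFAULT_PRF` should apply only when the PRF field is absent from the PBKDF2 parameters, never as the fallback for a failed `OID_TO_PRF` lookup; the rest of this change is cut off here, so that is worth checking where the constant is used. The comment could also name where RFC 8018 defines the default (the `prf` field of `PBKDF2-params` in Appendix A.2).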

(tomcat) branch 10.1.x updated: Correct regression in fix for BZ 67675 - allow for default PRF

2023-12-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
 new dd0689c911 Correct regression in fix for BZ 67675 - allow for default PRF
dd0689c911 is described below

commit dd0689c91134748f2a7835ed7957133abed7bf7b
Author: Mark Thomas 
AuthorDate: Thu Dec 14 16:09:01 2023 +

Correct regression in fix for BZ 67675 - allow for default PRF

https://bz.apache.org/bugzilla/show_bug.cgi?id=67675#c24
---
 java/org/apache/tomcat/util/buf/Asn1Parser.java| 41 +-
 java/org/apache/tomcat/util/net/jsse/PEMFile.java  | 65 +-
 .../apache/tomcat/util/net/jsse/TestPEMFile.java   |  7 +++
 ...ncrypted-pkcs8-hmacsha1default-des-ede3-cbc.pem | 54 ++
 webapps/docs/changelog.xml |  6 ++
 5 files changed, 146 insertions(+), 27 deletions(-)

diff --git a/java/org/apache/tomcat/util/buf/Asn1Parser.java 
b/java/org/apache/tomcat/util/buf/Asn1Parser.java
index 92d13c02a8..1d88b113d4 100644
--- a/java/org/apache/tomcat/util/buf/Asn1Parser.java
+++ b/java/org/apache/tomcat/util/buf/Asn1Parser.java
@@ -17,6 +17,8 @@
 package org.apache.tomcat.util.buf;
 
 import java.math.BigInteger;
+import java.util.ArrayDeque;
+import java.util.Deque;
 
 import org.apache.tomcat.util.res.StringManager;
 
@@ -24,7 +26,7 @@ import org.apache.tomcat.util.res.StringManager;
  * This is a very basic ASN.1 parser that provides the limited functionality 
required by Tomcat. It is a long way from a
  * complete parser.
  * 
- * TODO: Consider extending this parser and refactoring the SpnegoTokenFixer 
to use it.
+ * TODO: Consider extending/re-writing this parser and refactoring the 
SpnegoTokenFixer to use it.
  */
 public class Asn1Parser {
 
@@ -41,6 +43,15 @@ public class Asn1Parser {
 
 private int pos = 0;
 
+/*
+ * This is somewhat of a hack to work around the simplified design of the 
parsing API that could result in ambiguous
+ * results when nested sequences were optional. Checking the current 
nesting level of sequence tags enables a user
+ * of the parser to determine if an optional sequence is present or not.
+ *
+ * See https://bz.apache.org/bugzilla/show_bug.cgi?id=67675#c24
+ */
+private Deque nestedSequenceEndPositions = new ArrayDeque<>();
+
 
 public Asn1Parser(byte[] source) {
 this.source = source;
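Review bot: `nestedSequenceEndPositions` is assigned once at its declaration, so it can be `final`. The comment above it says why the field exists but not what it holds; one line stating that each entry is the offset just past a still-open sequence, or `-1` until that sequence's length has been read, would save readers from reconstructing it from `parseLength()`.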
@@ -58,7 +69,21 @@ public class Asn1Parser {
 
 
 public void parseTagSequence() {
+/*
+ * Check to see if the parser has completely parsed, based on end 
position for the sequence, any previous
+ * sequences and remove those sequences from the sequence nesting 
tracking mechanism if they have been
+ * completely parsed.
+ */
+while (nestedSequenceEndPositions.size() > 0) {
+if (nestedSequenceEndPositions.peekLast().intValue() <= pos) {
+nestedSequenceEndPositions.pollLast();
+} else {
+break;
+}
+}
+// Add the new sequence to the sequence nesting tracking mechanism.
 parseTag(TAG_SEQUENCE);
+nestedSequenceEndPositions.addLast(Integer.valueOf(-1));
 }
 
 
@@ -90,6 +115,15 @@ public class Asn1Parser {
 len = len + next();
 }
 }
+/*
+ * If this is the first length parsed after a sequence has been added 
to the sequence nesting tracking mechansim
+ * it must be the length of the sequence so update the entry to record 
the end position of the sequence. Note
+ * that position recorded is actually the start of the first element 
after the sequence ends.
+ */
+if (nestedSequenceEndPositions.peekLast() != null && 
nestedSequenceEndPositions.peekLast().intValue() == -1) {
+nestedSequenceEndPositions.pollLast();
+nestedSequenceEndPositions.addLast(Integer.valueOf(pos + len));
+}
 return len;
 }
 
@@ -139,4 +173,9 @@ public class Asn1Parser {
 private int next() {
 return source[pos++] & 0xFF;
 }
+
+
+public int getNestedSequenceLevel() {
+return nestedSequenceEndPositions.size();
+}
 }
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java 
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 5bef5b6f24..0185a62bcb 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -75,10 +75,13 @@ public class PEMFile {
 private static final byte[] OID_PBKDF2 =
 new byte[] { 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 
0x0D, 0x01, 0x05, 0x0C };
 
+// Default defined in RFC 8018
+private static final String DEFAULT_PRF = "HmacSHA1";
+
 private static final Map OID_TO_PRF = new HashMap<>();
 static {
 // 1.2.

(tomcat) branch 9.0.x updated: Correct regression in fix for BZ 67675 - allow for default PRF

2023-12-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new f3eee8e28c Correct regression in fix for BZ 67675 - allow for default PRF
f3eee8e28c is described below

commit f3eee8e28cc0fd3adad534b7abf4375a6e1ea84c
Author: Mark Thomas 
AuthorDate: Thu Dec 14 16:09:01 2023 +

Correct regression in fix for BZ 67675 - allow for default PRF

https://bz.apache.org/bugzilla/show_bug.cgi?id=67675#c24
---
 java/org/apache/tomcat/util/buf/Asn1Parser.java| 41 +-
 java/org/apache/tomcat/util/net/jsse/PEMFile.java  | 65 +-
 .../apache/tomcat/util/net/jsse/TestPEMFile.java   |  7 +++
 ...ncrypted-pkcs8-hmacsha1default-des-ede3-cbc.pem | 54 ++
 webapps/docs/changelog.xml |  6 ++
 5 files changed, 146 insertions(+), 27 deletions(-)

diff --git a/java/org/apache/tomcat/util/buf/Asn1Parser.java 
b/java/org/apache/tomcat/util/buf/Asn1Parser.java
index 92d13c02a8..1d88b113d4 100644
--- a/java/org/apache/tomcat/util/buf/Asn1Parser.java
+++ b/java/org/apache/tomcat/util/buf/Asn1Parser.java
@@ -17,6 +17,8 @@
 package org.apache.tomcat.util.buf;
 
 import java.math.BigInteger;
+import java.util.ArrayDeque;
+import java.util.Deque;
 
 import org.apache.tomcat.util.res.StringManager;
 
@@ -24,7 +26,7 @@ import org.apache.tomcat.util.res.StringManager;
  * This is a very basic ASN.1 parser that provides the limited functionality 
required by Tomcat. It is a long way from a
  * complete parser.
  * 
- * TODO: Consider extending this parser and refactoring the SpnegoTokenFixer 
to use it.
+ * TODO: Consider extending/re-writing this parser and refactoring the 
SpnegoTokenFixer to use it.
  */
 public class Asn1Parser {
 
@@ -41,6 +43,15 @@ public class Asn1Parser {
 
 private int pos = 0;
 
+/*
+ * This is somewhat of a hack to work around the simplified design of the 
parsing API that could result in ambiguous
+ * results when nested sequences were optional. Checking the current 
nesting level of sequence tags enables a user
+ * of the parser to determine if an optional sequence is present or not.
+ *
+ * See https://bz.apache.org/bugzilla/show_bug.cgi?id=67675#c24
+ */
+private Deque nestedSequenceEndPositions = new ArrayDeque<>();
+
 
 public Asn1Parser(byte[] source) {
 this.source = source;
@@ -58,7 +69,21 @@ public class Asn1Parser {
 
 
 public void parseTagSequence() {
+/*
+ * Check to see if the parser has completely parsed, based on end 
position for the sequence, any previous
+ * sequences and remove those sequences from the sequence nesting 
tracking mechanism if they have been
+ * completely parsed.
+ */
+while (nestedSequenceEndPositions.size() > 0) {
+if (nestedSequenceEndPositions.peekLast().intValue() <= pos) {
+nestedSequenceEndPositions.pollLast();
+} else {
+break;
+}
+}
+// Add the new sequence to the sequence nesting tracking mechanism.
 parseTag(TAG_SEQUENCE);
+nestedSequenceEndPositions.addLast(Integer.valueOf(-1));
 }
 
 
@@ -90,6 +115,15 @@ public class Asn1Parser {
 len = len + next();
 }
 }
+/*
+ * If this is the first length parsed after a sequence has been added 
to the sequence nesting tracking mechansim
+ * it must be the length of the sequence so update the entry to record 
the end position of the sequence. Note
+ * that position recorded is actually the start of the first element 
after the sequence ends.
+ */
+if (nestedSequenceEndPositions.peekLast() != null && 
nestedSequenceEndPositions.peekLast().intValue() == -1) {
+nestedSequenceEndPositions.pollLast();
+nestedSequenceEndPositions.addLast(Integer.valueOf(pos + len));
+}
 return len;
 }
 
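Review bot: The new block calls `peekLast()` twice and then does `pollLast()` followed by `addLast(...)`; reading the tail into a local once and testing that would be easier to follow. In the comment, "mechansim" is a typo and "Note that position recorded" is missing "the".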
@@ -139,4 +173,9 @@ public class Asn1Parser {
 private int next() {
 return source[pos++] & 0xFF;
 }
+
+
+public int getNestedSequenceLevel() {
+return nestedSequenceEndPositions.size();
+}
 }
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java 
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 5bef5b6f24..0185a62bcb 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -75,10 +75,13 @@ public class PEMFile {
 private static final byte[] OID_PBKDF2 =
 new byte[] { 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 
0x0D, 0x01, 0x05, 0x0C };
 
+// Default defined in RFC 8018
+private static final String DEFAULT_PRF = "HmacSHA1";
+
 private static final Map OID_TO_PRF = new HashMap<>();
 static {
 // 1.2.84

(tomcat) branch 8.5.x updated: Correct regression in fix for BZ 67675 - allow for default PRF

2023-12-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 55d2fa3150 Correct regression in fix for BZ 67675 - allow for default PRF
55d2fa3150 is described below

commit 55d2fa315032d029fa76e0af73ef60f81f7bc4a4
Author: Mark Thomas 
AuthorDate: Thu Dec 14 16:09:01 2023 +

Correct regression in fix for BZ 67675 - allow for default PRF

https://bz.apache.org/bugzilla/show_bug.cgi?id=67675#c24
---
 java/org/apache/tomcat/util/buf/Asn1Parser.java| 41 +-
 java/org/apache/tomcat/util/net/jsse/PEMFile.java  | 65 +-
 .../apache/tomcat/util/net/jsse/TestPEMFile.java   |  7 +++
 ...ncrypted-pkcs8-hmacsha1default-des-ede3-cbc.pem | 54 ++
 webapps/docs/changelog.xml |  6 ++
 5 files changed, 146 insertions(+), 27 deletions(-)

diff --git a/java/org/apache/tomcat/util/buf/Asn1Parser.java 
b/java/org/apache/tomcat/util/buf/Asn1Parser.java
index 92d13c02a8..1d88b113d4 100644
--- a/java/org/apache/tomcat/util/buf/Asn1Parser.java
+++ b/java/org/apache/tomcat/util/buf/Asn1Parser.java
@@ -17,6 +17,8 @@
 package org.apache.tomcat.util.buf;
 
 import java.math.BigInteger;
+import java.util.ArrayDeque;
+import java.util.Deque;
 
 import org.apache.tomcat.util.res.StringManager;
 
@@ -24,7 +26,7 @@ import org.apache.tomcat.util.res.StringManager;
  * This is a very basic ASN.1 parser that provides the limited functionality 
required by Tomcat. It is a long way from a
  * complete parser.
  * 
- * TODO: Consider extending this parser and refactoring the SpnegoTokenFixer 
to use it.
+ * TODO: Consider extending/re-writing this parser and refactoring the 
SpnegoTokenFixer to use it.
  */
 public class Asn1Parser {
 
@@ -41,6 +43,15 @@ public class Asn1Parser {
 
 private int pos = 0;
 
+/*
+ * This is somewhat of a hack to work around the simplified design of the 
parsing API that could result in ambiguous
+ * results when nested sequences were optional. Checking the current 
nesting level of sequence tags enables a user
+ * of the parser to determine if an optional sequence is present or not.
+ *
+ * See https://bz.apache.org/bugzilla/show_bug.cgi?id=67675#c24
+ */
+private Deque nestedSequenceEndPositions = new ArrayDeque<>();
+
 
 public Asn1Parser(byte[] source) {
 this.source = source;
@@ -58,7 +69,21 @@ public class Asn1Parser {
 
 
 public void parseTagSequence() {
+/*
+ * Check to see if the parser has completely parsed, based on end 
position for the sequence, any previous
+ * sequences and remove those sequences from the sequence nesting 
tracking mechanism if they have been
+ * completely parsed.
+ */
+while (nestedSequenceEndPositions.size() > 0) {
+if (nestedSequenceEndPositions.peekLast().intValue() <= pos) {
+nestedSequenceEndPositions.pollLast();
+} else {
+break;
+}
+}
+// Add the new sequence to the sequence nesting tracking mechanism.
 parseTag(TAG_SEQUENCE);
+nestedSequenceEndPositions.addLast(Integer.valueOf(-1));
 }
 
 
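Review bot: The comment `// Add the new sequence to the sequence nesting tracking mechanism.` sits above `parseTag(TAG_SEQUENCE)`, but the line that does the adding is the `addLast(Integer.valueOf(-1))` after it; move the comment down one line. The `while (size() > 0) { if (...) { pollLast(); } else { break; } }` form would also read more directly as a single loop condition on `!isEmpty()` and the tail value.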
@@ -90,6 +115,15 @@ public class Asn1Parser {
 len = len + next();
 }
 }
+/*
+ * If this is the first length parsed after a sequence has been added 
to the sequence nesting tracking mechansim
+ * it must be the length of the sequence so update the entry to record 
the end position of the sequence. Note
+ * that position recorded is actually the start of the first element 
after the sequence ends.
+ */
+if (nestedSequenceEndPositions.peekLast() != null && 
nestedSequenceEndPositions.peekLast().intValue() == -1) {
+nestedSequenceEndPositions.pollLast();
+nestedSequenceEndPositions.addLast(Integer.valueOf(pos + len));
+}
 return len;
 }
 
@@ -139,4 +173,9 @@ public class Asn1Parser {
 private int next() {
 return source[pos++] & 0xFF;
 }
+
+
+public int getNestedSequenceLevel() {
+return nestedSequenceEndPositions.size();
+}
 }
diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java 
b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
index 2499beda79..a05ae6fdc6 100644
--- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java
+++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java
@@ -75,10 +75,13 @@ public class PEMFile {
 private static final byte[] OID_PBKDF2 =
 new byte[] { 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 
0x0D, 0x01, 0x05, 0x0C };
 
+// Default defined in RFC 8018
+private static final String DEFAULT_PRF = "HmacSHA1";
+
 private static final Map OID_TO_PRF = new HashMap<>();
 static {
 // 1.2.84

[Bug 67675] Tomcat and/or Java do not read encrypted private keys with DES-EDE3-CBC generated by openssl-req(1)

2023-12-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

Mark Thomas  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|REOPENED                    |RESOLVED

--- Comment #29 from Mark Thomas  ---
If the keys were long to start with, it isn't impossible that they would still
be in use.

Regression fixed in:
- 11.0.x for 11.0.0-M16 onwards
- 10.1.x for 10.1.18 onwards
-  9.0.x for  9.0.85 onwards
-  8.5.x for  8.5.98 onwards




[Bug 67675] Tomcat and/or Java do not read encrypted private keys with DES-EDE3-CBC generated by openssl-req(1)

2023-12-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

--- Comment #30 from Christopher Schultz  ---
(In reply to Michael Osipov from comment #28)
> (In reply to Christopher Schultz from comment #27)
> > The issue is not whether or not anyone is still using OpenSSL 1.0.2 today,
> > but whether or not anyone still has keys and certs from when they /were/
> > using it in the past.
> 
> That would also mean that they are years old and still valid...

Sure, but there is nothing wrong with that.

What if a CA used OpenSSL 1.0.2 in 2019 (the year of the last release in that
line) to mint their most-recent intermediate certificate(s)? Intermediate
certificates are typically valid for 10 years or so.

On the other hand, I think this is only a problem for keys and not
certificates, and it's very unlikely that Tomcat would be used to handle CA key
material. Those keys ought to be in HSMs and only used for signing, not for
typical web traffic.

Since it's already fixed (thanks, Mark!) this is an academic conversation, but
I do still think that supporting these types of files is reasonable.
