Author: markt Date: Wed Jul 5 12:18:26 2017 New Revision: 1800867 URL: http://svn.apache.org/viewvc?rev=1800867&view=rev Log: Enable TLS connectors to use Java key stores that contain multiple keys where each key has a separate password. Based on a patch by Frank Taffelt.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1800867&r1=1800866&r2=1800867&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Wed Jul 5 12:18:26 2017
@@ -185,12 +185,21 @@ public class JSSEUtil extends SSLUtilBas
KeyStore ks = certificate.getCertificateKeystore();
- if (ks == null) {
- // create an in-memory keystore and import the private key
- // and the certificate chain from the PEM files
- ks = KeyStore.getInstance("JKS");
- ks.load(null, null);
+ /*
+ * Always use an in memory key store.
+ * For PEM format keys and certificates, it allows them to be imported
+ * into the expected format.
+ * For Java key stores, it enables Tomcat to handle the case where
+ * multiple keys exist in the key store, each with a different password.
+ * The KeyManagerFactory can't handle that so using an in memory key
+ * store with just the required key works around that.
+ */
+ KeyStore inMemoryKeyStore = KeyStore.getInstance("JKS");
+ inMemoryKeyStore.load(null, null);
+
+ char[] keyPassArray = keyPass.toCharArray();
+ if (ks == null) {
PEMFile privateKeyFile = new PEMFile(SSLHostConfig.adjustRelativePath (certificate.getCertificateKeyFile() != null ? certificate.getCertificateKeyFile() : certificate.getCertificateFile()), keyPass);
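Review bot: The new comment block explains why an in-memory JKS store is always used, but not what that assumes: that the private key can be read out of the configured key store and re-imported, which holds for software key stores but not for stores whose provider keeps private key material non-extractable (hardware-token or similar provider-backed stores), where the removed `kmf.init(ks, …)` path worked. If that reading of the surrounding code is right, such configurations regress with this commit, because the getKey/setKeyEntry copy in the following hunk has no fallback to the original store. I would add to the comment `* This requires the private key to be extractable from the configured store; provider-backed stores that do not export key material must be passed to the KeyManagerFactory directly.` and gate the copy on that condition rather than performing it unconditionally. The enclosing method starts before this hunk and continues after it.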
@@ -206,15 +215,19 @@ public class JSSEUtil extends SSLUtilBas
if (keyAlias == null) {
keyAlias = "tomcat";
}
- ks.setKeyEntry(keyAlias, privateKeyFile.getPrivateKey(), keyPass.toCharArray(), chain.toArray(new Certificate[chain.size()]));
- }
+ inMemoryKeyStore.setKeyEntry(keyAlias, privateKeyFile.getPrivateKey(), keyPass.toCharArray(), chain.toArray(new Certificate[chain.size()]));
+ } else {
+ if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
+ throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
+ }
- if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
- throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
+ inMemoryKeyStore.setKeyEntry(keyAlias, ks.getKey(keyAlias, keyPassArray), keyPassArray,
+ ks.getCertificateChain(keyAlias));
}
+
KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
- kmf.init(ks, keyPass.toCharArray());
+ kmf.init(inMemoryKeyStore, keyPassArray);
kms = kmf.getKeyManagers();
if (kms == null) {

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1800867&r1=1800866&r2=1800867&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Jul 5 12:18:26 2017
@@ -57,6 +57,15 @@
</add>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Enable TLS connectors to use Java key stores that contain multiple keys
+ where each key has a separate password. Based on a patch by Frank
+ Taffelt. (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Jasper">
<changelog>
<add>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
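Review bot: In the new `else` branch `keyAlias` can still be null: the guard `keyAlias != null && !ks.isKeyEntry(keyAlias)` deliberately lets a null alias through, and the following `ks.getKey(keyAlias, keyPassArray)` and `inMemoryKeyStore.setKeyEntry(keyAlias, …)` are then called with it. Before this change a null alias reached `kmf.init(ks, …)` and the KeyManagerFactory chose a key itself, so a connector configured with a Java key store and no key alias changes behaviour here, and with the JDK's JKS implementation a null alias is likely to surface as a NullPointerException rather than a readable error. The `"tomcat"` default at the top of the hunk applies only on the PEM path. Resolving a null alias to the first key entry in the store before the copy preserves the old single-key behaviour and reuses the existing message key for the no-key case; the enclosing method continues outside the hunk.
```java
} else {
    if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
        throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
    }
    if (keyAlias == null) {
        // No alias configured: mirror the KeyManagerFactory's former behaviour
        // and use the first key entry found in the configured store.
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements() && keyAlias == null) {
            String candidate = aliases.nextElement();
            if (ks.isKeyEntry(candidate)) {
                keyAlias = candidate;
            }
        }
        if (keyAlias == null) {
            throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
        }
    }
    inMemoryKeyStore.setKeyEntry(keyAlias, ks.getKey(keyAlias, keyPassArray), keyPassArray,
            ks.getCertificateChain(keyAlias));
}
// … unchanged: KeyManagerFactory initialisation …
```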