https://bz.apache.org/bugzilla/show_bug.cgi?id=61583
Bug ID: 61583
Summary: Regression in PKCS11 keystores - incorrect alias being used
Product: Tomcat 8
Version: 8.5.23
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
After upgrading from 8.5.16 to 8.5.20, PKCS11 support was broken due to #61451.
Upon receiving the release announcement for 8.5.23 and testing it (I somehow missed
8.5.21), PKCS11 support still appears broken because it does not honor the key
alias set on the connector. I have verified that 8.5.21 also displays the same
behavior.
The testing configuration uses a single PKCS11 keystore (backed by NSS) with
three keys inside: admin, server and client. The testing suite configures
Tomcat with two connectors, one for administrative access and a second for
"business" access. Upon running the test suite, Tomcat consistently uses the
client certificate for both the server and administrative connectors. When
examining the keystore with a Java program, the client certificate is the first
key in the store.
Example connector:

<Connector name="https"
           enableLookups="false"
           xpoweredBy="false"
           address="192.168.40.216"
           scheme="https"
           server="server"
           port="25004"
           secure="true"
           maxHttpHeaderSize="8192"
           SSLEnabled="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
           keyAlias="tomcatserver"
           keystoreFile="/tmp/pkcs11.0.cfg"
           keystorePass="nss"
           keystoreType="PKCS11"
           truststoreFile="/tmp/trust.jks"
           truststoreType="JKS"
           />
Store contents of NSS database:

$ certutil -d /tmp/pkcs11 -K
certutil: Checking token "NSS FIPS 140-2 Certificate DB" in slot "NSS FIPS 140-2 User Private Key Services"
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
< 0> rsa 40261c884934d113672666784953129ea53a6492 NSS FIPS 140-2 Certificate DB:tomcatadmin
< 1> rsa dba317a2b93e771032c0b5fafb019649229dcc7c NSS FIPS 140-2 Certificate DB:tomcatserver
< 2> rsa 6ed07ff1e609c5daa965bf152004e1212177a87f NSS FIPS 140-2 Certificate DB:tomcatclient
Viewed as a KeyStore object and iterating over the keys:

x509 test application
Keystore loaded
Certificate: tomcatclient (key entry)
Certificate: tomcatserver (key entry)
Certificate: tomcatadmin (key entry)
If there is any debug logging information I can provide, please let me know.
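A way to check, outside Tomcat, which key entry a JSSE key manager would present for this store and to pin the configured alias instead. This is an added example, not code from the report or from Tomcat; it assumes the same PKCS11 config file, PIN and alias as the connector above, and that the SunPKCS11 provider is available (Java 9+ provider API).

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

public class KeyAliasCheck {
    /** Wraps a key manager so the server side always presents one fixed alias. */
    static final class FixedAliasKeyManager implements X509KeyManager {
        private final X509KeyManager delegate; private final String alias;
        FixedAliasKeyManager(X509KeyManager d, String a) { delegate = d; alias = a; }
        public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return alias; }
        public String[] getServerAliases(String kt, Principal[] iss) { return new String[] { alias }; }
        public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return delegate.chooseClientAlias(kt, iss, s); }
        public String[] getClientAliases(String kt, Principal[] iss) { return delegate.getClientAliases(kt, iss); }
        public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    public static void main(String[] args) throws Exception {
        String cfg = "/tmp/pkcs11.0.cfg", alias = "tomcatserver"; // values taken from the connector
        char[] pin = "nss".toCharArray();
        // Java 9+ provider setup; on Java 8 use: new sun.security.pkcs11.SunPKCS11(cfg)
        Provider p = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin); // PKCS11 stores load from a null stream; the PIN performs the token login

        System.out.println("Aliases in keystore iteration order:");
        for (String a : Collections.list(ks.aliases())) {
            System.out.println("  " + a + (ks.isKeyEntry(a) ? " (key entry)" : ""));
        }
        if (!ks.containsAlias(alias)) { // aliases are case-sensitive on the token
            throw new IllegalStateException("keyAlias '" + alias + "' not found in keystore");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        X509KeyManager defaultKm = (X509KeyManager) kmf.getKeyManagers()[0];
        // With no alias pinned, the default manager picks whichever RSA key entry it finds
        // first, independent of the connector's keyAlias; compare this with the expected alias.
        System.out.println("Default key manager would present: " + defaultKm.chooseServerAlias("RSA", null, null));
        X509KeyManager pinned = new FixedAliasKeyManager(defaultKm, alias);
        X509Certificate leaf = pinned.getCertificateChain(pinned.chooseServerAlias("RSA", null, null))[0];
        System.out.println("Pinned key manager presents: " + leaf.getSubjectX500Principal());
        // An SSLContext built from the pinned manager can be used to confirm the behaviour end to end.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { pinned }, null, null);
    }
}
```

If the default manager's choice differs from `tomcatserver` while the pinned manager presents the expected subject, the store itself is fine and the alias selection step is where the connector configuration is being lost.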