Author: markt
Date: Thu Aug 5 15:50:50 2010
New Revision: 982669
URL: http://svn.apache.org/viewvc?rev=982669&view=rev
Log:
Extend fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=48545 to aid
back-port to 6.0.x by better aligning behaviours
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=982669&r1=982668&r2=982669&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Thu Aug 5 15:50:50 2010
@@ -28,6 +28,7 @@ import java.net.Socket;
import java.net.SocketException;
import java.security.KeyStore;
import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPathParameters;
@@ -60,18 +61,12 @@ import javax.net.ssl.X509KeyManager;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.res.StringManager;
-/*
- 1. Make the JSSE's jars available, either as an installed
- extension (copy them into jre/lib/ext) or by adding
- them to the Tomcat classpath.
- 2. keytool -genkey -alias tomcat -keyalg RSA
- Use "changeit" as password ( this is the default we use )
- */
-
/**
- * SSL server socket factory. It _requires_ a valid RSA key and
- * JSSE.
- *
+ * SSL server socket factory. It <b>requires</b> a valid RSA key and
+ * JSSE.<br/>
+ * keytool -genkey -alias tomcat -keyalg RSA</br>
+ * Use "changeit" as password (this is the default we use).
+ *
* @author Harish Prabandham
* @author Costin Manolache
* @author Stefan Freyr Stefansson
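Review bot: The added javadoc line `keytool -genkey -alias tomcat -keyalg RSA</br>` closes the break as `</br>`, which is not a valid tag; the line above uses `<br/>`, so the two should match, or better, the keytool command belongs in a `<pre>` block so javadoc renders it as a command rather than inline prose. The class javadoc continues past the end of this hunk.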
@@ -342,8 +337,23 @@ public class JSSESocketFactory
}
if (truststoreFile != null){
- trustStore = getStore(truststoreType, truststoreProvider,
- truststoreFile, truststorePassword);
+ try {
+ trustStore = getStore(truststoreType, truststoreProvider,
+ truststoreFile, truststorePassword);
+ } catch (IOException ioe) {
+ Throwable cause = ioe.getCause();
+ if (cause instanceof UnrecoverableKeyException) {
+ // Log a warning we had a password issue
+ log.warn(sm.getString("jsse.invalid_truststore_password"),
+ cause);
+ // Re-try
+ trustStore = getStore(truststoreType, truststoreProvider,
+ truststoreFile, null);
+ } else {
+ // Something else went wrong - re-throw
+ throw ioe;
+ }
+ }
}
return trustStore;
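Review bot: The retry `trustStore = getStore(truststoreType, truststoreProvider, truststoreFile, null);` downgrades a failed password check to a warning and then loads the store with its integrity check disabled, so a trust store whose MAC does not verify because the file was modified, rather than because the password was mistyped, is accepted silently; the JKS implementation reports this case as "Keystore was tampered with, or password was incorrect" for exactly that reason, if I recall the message correctly. A warn-level entry is easy to miss on a server that otherwise starts normally, so consider making the fallback opt-in, or at least spelling out the consequence at the retry: `// Loading with a null password disables the JKS integrity (MAC) check: a tampered store now loads without error`. The enclosing method begins before this hunk and its closing brace lies outside it.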
@@ -374,7 +384,7 @@ public class JSSESocketFactory
}
char[] storePass = null;
- if (pass != null) {
+ if (pass != null && !"".equals(pass)) {
storePass = pass.toCharArray();
}
ks.load(istream, storePass);
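Review bot: The new condition `if (pass != null && !"".equals(pass))` maps an explicitly configured empty password to a null one, and KeyStore.load treats the two differently: an empty char[] still makes JKS verify the store's integrity against that (empty) password, while null skips verification entirely. If an empty truststorePass is meant to mean "no password", a comment should say so at this line: `// Treat an empty password as absent: null skips the store's integrity check, an empty char[] does not`. Stylistically, `!pass.isEmpty()` reads more directly than `!"".equals(pass)` given the preceding null check. getStore begins before this hunk and continues past it.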
@@ -383,9 +393,9 @@ public class JSSESocketFactory
fnfe.getMessage()), fnfe);
throw fnfe;
} catch (IOException ioe) {
- log.error(sm.getString("jsse.keystore_load_failed", type, path,
- ioe.getMessage()), ioe);
- throw ioe;
+ // May be expected when working with a trust store
+ // Re-throw. Caller will catch and log as required
+ throw ioe;
} catch(Exception ex) {
String msg = sm.getString("jsse.keystore_load_failed", type, path,
ex.getMessage());
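Review bot: Dropping the error log in the IOException branch removes it for every caller of getStore, not only the trust store path that this commit teaches to catch and log; if the key store is also loaded through getStore, as the jsse.keystore_load_failed key and the remaining FileNotFoundException branch suggest, a wrong keystorePass now surfaces only as a propagated exception with no log entry. Either keep the log here and have the trust store caller request suppression, or confirm that the key store caller logs the failure itself. Since the catch(Exception) branch below still logs at error, the asymmetry also deserves a comment: `// IOException is deliberately not logged here: the trust store caller treats a bad password as recoverable and logs it itself`. getStore begins before this hunk and continues past it.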
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=982669&r1=982668&r2=982669&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
Thu Aug 5 15:50:50 2010
@@ -15,4 +15,5 @@
jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due
to {2}
-jsse.invalid_ssl_conf=SSL configuration is invalid due to {0}
+jsse.invalid_ssl_conf=SSL configuration is invalid due to {0}
+jsse.invalid_truststore_password=The provided trust store password could not
be used to unlock and/or validate the trust store. Retrying to access the trust
store with a null password which will skip validation.
\ No newline at end of file
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=982669&r1=982668&r2=982669&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Aug 5 15:50:50 2010
@@ -44,6 +44,14 @@
</update>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <add>
+ Follow up to <bug>48545</bug>. Make JSSE connectors more tolerant of a
+ incorrect trust store password. (markt)
+ </add>
+ </changelog>
+ </subsection>
<subsection name="Cluster">
<changelog>
<fix>
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=982669&r1=982668&r2=982669&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu Aug 5 15:50:50 2010
@@ -922,7 +922,10 @@
<attribute name="truststorePass" required="false">
<p>The password to access the trust store. The default is the value of
the
<code>javax.net.ssl.trustStorePassword</code> system property. If that
- property is null, no trust store password will be configured.</p>
+ property is null, no trust store password will be configured. If an
+ invalid trust store password is specified, a warning will be logged and
an
+ attempt will be made to access the trust store without a password which
+ will skip validation of the trust store contents.</p>
</attribute>
<attribute name="truststoreProvider" required="false">