Author: markt Date: Thu Nov 25 16:01:16 2010 New Revision: 1039080 URL: http://svn.apache.org/viewvc?rev=1039080&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48545 Truststores don't have to have passwords Based on a patch by 'smmwpf54'
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1039080&r1=1039079&r2=1039080&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Nov 25 16:01:16 2010 @@ -45,13 +45,6 @@ PATCHES PROPOSED TO BACKPORT: and fix it later if needed? I think that actually nobody besides the release manager uses this, so I am letting this pass. -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48545 - Truststores don't have to have passwords - Based on a patch by 'smmwpf54' - https://issues.apache.org/bugzilla/attachment.cgi?id=26268 - +1: kkolinko, markt, jfclere - -1: - * Configure Tomcat to use HttpOnly for session cookies by default http://people.apache.org/~kkolinko/patches/2010-04-21_tc6_context_httpOnly.patch +1: kkolinko Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1039080&r1=1039079&r2=1039080&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Thu Nov 25 16:01:16 2010 
@@ -266,7 +266,15 @@ public class JSSESocketFactory if (keystoreFile == null) keystoreFile = defaultKeystoreFile; - return getStore(type, provider, keystoreFile, pass); + try { + return getStore(type, provider, keystoreFile, pass); + } catch (FileNotFoundException fnfe) { + throw fnfe; + } catch (IOException ioe) { + log.error(sm.getString("jsse.keystore_load_failed", type, + keystoreFile, ioe.getMessage()), ioe); + throw ioe; + } } /* @@ -316,9 +324,33 @@ public class JSSESocketFactory log.debug("trustProvider = " + truststoreProvider); } - if (truststoreFile != null && truststorePassword != null){ - trustStore = getStore(truststoreType, truststoreProvider, - truststoreFile, truststorePassword); + if (truststoreFile != null) { + try { + trustStore = getStore(truststoreType, truststoreProvider, + truststoreFile, truststorePassword); + } catch (FileNotFoundException fnfe) { + throw fnfe; + } catch (IOException ioe) { + // Log a warning that we had a password issue + // and re-try, unless the password is null already + if (truststorePassword != null) { + log.warn(sm.getString("jsse.invalid_truststore_password"), + ioe); + try { + trustStore = getStore(truststoreType, + truststoreProvider, truststoreFile, null); + ioe = null; + } catch (IOException ioe2) { + ioe = ioe2; + } + } + if (ioe != null) { + log.error(sm.getString("jsse.keystore_load_failed", + truststoreType, truststoreFile, ioe.getMessage()), + ioe); + throw ioe; + } + } } return trustStore; 
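Review bot: The `catch (FileNotFoundException fnfe) { throw fnfe; }` arm added to getKeystore reads as a no-op unless the reader knows that getStore already logs the missing-file case itself, so a future cleanup is likely to delete it and reintroduce double logging. A one-line comment would pin the intent, e.g. `// Already logged by getStore(); re-throw without logging it a second time`. The identical pattern in getTrustStore below would benefit from the same note. getKeystore's signature and the rest of its body lie outside this hunk.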
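Review bot: The null-password retry in getTrustStore fires on any IOException from getStore, not just a wrong password; KeyStore.load also throws IOException for truncated or malformed store data, and per its Javadoc a wrong password is signalled by an IOException whose cause is an UnrecoverableKeyException. As written, a corrupt or tampered truststore is logged as `jsse.invalid_truststore_password` and then reloaded with a null password, which for JKS skips the integrity MAC, so tampering becomes indistinguishable from a typo. I would gate the fallback on the documented signal, `if (truststorePassword != null && ioe.getCause() instanceof UnrecoverableKeyException) {` (needs `java.security.UnrecoverableKeyException` in scope), and let every other IOException fall through to the existing error path. Operators should also understand this is a fail-open choice: a mistyped truststorePass now yields a WARN and an unverified store instead of a startup failure. The getTrustStore method starts and ends outside this hunk.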
@@ -347,15 +379,19 @@ public class JSSESocketFactory istream = new FileInputStream(keyStoreFile); } - ks.load(istream, pass.toCharArray()); + char[] storePass = null; + if (pass != null && !"".equals(pass)) { + storePass = pass.toCharArray(); + } + ks.load(istream, storePass); } catch (FileNotFoundException fnfe) { log.error(sm.getString("jsse.keystore_load_failed", type, path, fnfe.getMessage()), fnfe); throw fnfe; } catch (IOException ioe) { - log.error(sm.getString("jsse.keystore_load_failed", type, path, - ioe.getMessage()), ioe); - throw ioe; + // May be expected when working with a trust store + // Re-throw. Caller will catch and log as required + throw ioe; } catch(Exception ex) { String msg = sm.getString("jsse.keystore_load_failed", type, path, ex.getMessage()); Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=1039080&r1=1039079&r2=1039080&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties Thu Nov 25 16:01:16 2010 
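Review bot: In getStore, `!"".equals(pass)` folds an empty-string password into "no password", so a store that was genuinely created with password "" can no longer be integrity-checked, and because getStore is shared with the keystore path, `keystorePass=""` now also skips the JKS MAC check, a caveat the http.xml change documents only for truststorePass. The branch deserves a why-comment, e.g. `// null or "" => load without a password; for JKS this also skips the integrity (MAC) check`, and the keystorePass documentation should carry the same warning. Whether empty-string should really be treated as null is worth confirming against the bug report; I would lean to treating only null as "no password" so an explicit `""` still drives verification. getStore begins before this hunk and its remaining catch arms continue after it.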
@@ -15,3 +15,4 @@ jsse.alias_no_key_entry=Alias name {0} does not identify a key entry jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due to {2} +jsse.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation. Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1039080&r1=1039079&r2=1039080&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Nov 25 16:01:16 2010 @@ -172,6 +172,10 @@ (mturk) </fix> <add> + <bug>48545</bug>: Allow JSSE trust stores to be used without providing + a password. Based on a patch by smmwpf54. (kkolinko) + </add> + <add> <bug>48738</bug>: Add support for flushing gzipped output. Based on a patch by Jiong Wang. (markt) </add> Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=1039080&r1=1039079&r2=1039080&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Thu Nov 25 16:01:16 2010 
@@ -738,8 +738,12 @@ <p>The password to access the trust store. The default is the value of the <code>javax.net.ssl.trustStorePassword</code> system property. If that property is null, the value of <code>keystorePass</code> is used as the - default. If neither this attribute, the default system property nor - <code>keystorePass</code>is set, no trust store will be configured.</p> + default. If an invalid trust store password is specified, a warning will + be logged and an attempt will be made to access the trust store without a + password which will skip validation of the trust store contents. If the + trust store password is defined as <code>""</code> then no + password will be used to access the store which will also skip validation + of the trust store contents.</p> </attribute> <attribute name="truststoreType" required="false"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org