Hi all,

While playing with some SSL setups I stumbled upon the following behaviour that 
seems like a bug to me.
As long as all key entries in a keystore have the same password all is fine. 
Using entries with different passwords, Tomcat doesn't start up.

For testing:
First create 2 different keystores (same.jks and different.jks), each having 
2 entries:

# create 2 entries with same keypass for each entry
keytool -genkeypair -alias tomcat1 -storepass storepass -keystore same.jks -keyalg RSA -keypass keypass -ext san=dns:tomcat1 -dname CN=tomcat1
keytool -genkeypair -alias tomcat2 -storepass storepass -keystore same.jks -keyalg RSA -keypass keypass -ext san=dns:tomcat2 -dname CN=tomcat2

# create 2 entries with different keypass for each entry
keytool -genkeypair -alias tomcat1 -storepass storepass -keystore different.jks -keyalg RSA -keypass tomcat1 -ext san=dns:tomcat1 -dname CN=tomcat1
keytool -genkeypair -alias tomcat2 -storepass storepass -keystore different.jks -keyalg RSA -keypass tomcat2 -ext san=dns:tomcat2 -dname CN=tomcat2

Set up an SSL Connector to use that keystore:

<Connector
  port="443"
  URIEncoding="UTF-8"
  scheme="https"
  secure="true"
  SSLEnabled="true">

  <SSLHostConfig
    ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
    protocols="all">

    <!-- doesn't work, use keypass for alias tomcat2 -->
    <Certificate
      certificateKeystoreFile="different.jks"
      certificateKeystorePassword="storepass"
      certificateKeyAlias="tomcat2"
      certificateKeystoreType="JKS"
      certificateKeyPassword="tomcat2"
      type="RSA"
    />

    <!-- working config -->
    <!--
    <Certificate
      certificateKeystoreFile="same.jks"
      certificateKeystorePassword="storepass"
      certificateKeyAlias="tomcat2"
      certificateKeystoreType="JKS"
      certificateKeyPassword="keypass"
      type="RSA"
    />
    -->
  </SSLHostConfig>
</Connector>

Using the config snippet Tomcat fails on startup with the following exception:
java.lang.IllegalArgumentException: java.security.UnrecoverableKeyException: Cannot recover key
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
        at java.security.KeyStore.getKey(KeyStore.java:1023)
        at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
        at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:216)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
        ... 20 more
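
The trace above shows where this comes from: JSSEUtil.getKeyManagers passes the whole keystore plus the single configured certificateKeyPassword to KeyManagerFactory.init, and SunX509KeyManagerImpl.<init> then calls KeyStore.getKey for the key entries with that one password, so a single entry encrypted under a different key password is enough to abort startup. The following Java program is an added example, not code from the original post and not Tomcat's own code. It assumes the different.jks produced by the keytool commands above is in the working directory (store password storepass, alias tomcat2 with key password tomcat2); the class and method names are mine. It reports which key entries the configured password can unlock, reproduces the KeyManagerFactory failure against the whole keystore, and then shows the workaround of copying only the needed alias, with its own password, into an empty in-memory keystore before initialising the factory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;

/**
 * Added example (hypothetical class, not part of Tomcat): shows why a JKS
 * keystore whose key entries use different key passwords cannot be handed to
 * KeyManagerFactory as a whole, and how a one-alias copy avoids the problem.
 */
public class SingleAliasKeyManager {

    static KeyStore load(String file, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Lists every key entry and whether the configured key password unlocks it. */
    static void reportRecoverableEntries(KeyStore ks, char[] keyPass) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no private key
            }
            try {
                ks.getKey(alias, keyPass);
                System.out.println(alias + ": recoverable with the configured key password");
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": NOT recoverable, this entry makes KeyManagerFactory.init fail");
            }
        }
    }

    /** The default SunX509 path: one key password is tried against every key entry. */
    static boolean initKeyManagerFactory(KeyStore ks, char[] keyPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        try {
            kmf.init(ks, keyPass);
            return true;
        } catch (UnrecoverableKeyException e) {
            System.out.println("KeyManagerFactory.init failed: " + e.getMessage());
            return false;
        }
    }

    /**
     * Workaround: copy just one alias (with its own password) into an empty
     * in-memory keystore, so the factory never touches the other entries.
     */
    static KeyStore singleAliasKeystore(KeyStore ks, String alias, char[] keyPass) throws Exception {
        Key key = ks.getKey(alias, keyPass);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (key == null || chain == null) {
            throw new IllegalArgumentException("alias " + alias + " is not a key entry");
        }
        KeyStore single = KeyStore.getInstance("JKS");
        single.load(null, null); // creates a fresh, empty keystore
        single.setKeyEntry(alias, key, keyPass, chain);
        return single;
    }

    public static void main(String[] args) throws Exception {
        String file = args.length > 0 ? args[0] : "different.jks";
        char[] storePass = "storepass".toCharArray();
        char[] keyPass = "tomcat2".toCharArray(); // certificateKeyPassword from the Connector above
        String alias = "tomcat2";                  // certificateKeyAlias from the Connector above

        KeyStore ks = load(file, storePass);
        reportRecoverableEntries(ks, keyPass);

        // Reproduces the startup failure: the whole keystore with one key password.
        System.out.println("whole keystore ok: " + initKeyManagerFactory(ks, keyPass));

        // Workaround: only the configured alias reaches the KeyManagerFactory.
        KeyStore single = singleAliasKeystore(ks, alias, keyPass);
        System.out.println("single-alias keystore ok: " + initKeyManagerFactory(single, keyPass));
    }
}
```

Run it with `javac SingleAliasKeyManager.java && java SingleAliasKeyManager different.jks`; passing same.jks instead shows both calls succeeding. One caveat when reproducing the setup on JDK 9 or later: keytool then defaults to PKCS12, which does not support a key password different from the store password (keytool prints a warning and ignores -keypass), so the keystores above have to be created with -storetype JKS to get entries with differing key passwords at all.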