tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "István Viczián" <viczian.ist...@gmail.com>
Subject Two keystore, invalid password
Date Mon, 10 Sep 2007 10:40:08 GMT
Hello,

I hope this is the right forum to take my question.
I found a very interesting problem with Tomcat 5.5.23, that not
appears in Tomcat 5.5.17 (boundled with NetBeans 5.5.1).
Imagine, that your web application acts as web-service server, and web
service client, too. You need SSL client certificate authentication
both for server and cliens side. So, you need two keys, one for the
SSL connector, and one for the web-service client. Put the case that
you cannot package two keys in one keystore.
The tomcat.keystore.jks contains the server key for the server side,
configured in server.xml in the SSL HTTP/1.1 Connector section, like
this:

<Connector ... scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS"                keystorePass="tomcat.keystore.pass"
keystoreFile="tomcat.keystore.jks" />

The keystore.jks contains the client key for the client side,
configured with command line parameters:

-Djavax.net.ssl.keyStore=keystore.jks
-Djavax.net.ssl.keyStorePassword=keystore.pass

In this case, the Tomcat cannot open the tomcat.keystore.jks file, the
error message is:
java.io.IOException: Keystore was tampered with, or password was incorrect

So lets see the Bug 38774
(http://issues.apache.org/bugzilla/show_bug.cgi?id=38774), and the
source code of the the
org.apache.tomcat.util.net.jsse.JSSESocketFactory class and the
getKeystorePassword() method.

    protected String getKeystorePassword() {
        String keyPass = (String)attributes.get("keypass");
        if (keyPass == null) {
            keyPass = defaultKeyPass;
        }
        String keystorePass = (String)attributes.get("keystorePass");
        if (keystorePass == null) {
            // Bugzilla 38774:
http://issues.apache.org/bugzilla/show_bug.cgi?id=38774
            keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");
            if (keystorePass == null ) {
                keystorePass = keyPass;
            }
        }
        return keystorePass;
    }

It tries to get the keystorePass attribute (this is null, because the
keystorePass attribute come from the server.xml as "keypass"
property), then tries to get the system property. And if both are
null, gets the keypass property - this is the good one.

So, the Tomcat tries to open the tomcat.keystore.jks file with
keystore.pass password, which is the password (set as command line
parameter) of the keystore.jks file.

So I think the right way to check the system property in the last
step, when the keystorePass and the keyPass are both null.

    protected String getKeystorePassword() {
        String keyPass = (String)attributes.get("keypass");
        if (keyPass == null) {
            keyPass = defaultKeyPass;
        }
        String keystorePass = (String)attributes.get("keystorePass");
        if (keystorePass == null) {
        	keystorePass = keyPass;
            if (keystorePass == null ) {
            	// Bugzilla 38774:
http://issues.apache.org/bugzilla/show_bug.cgi?id=38774
            	keystorePass =
System.getProperty("javax.net.ssl.keyStorePassword");
            }
        }
        return keystorePass;
    }

My application works with this patch.

Istvan Viczian

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message