tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1039080 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties webapps/docs/changelog.xml webapps/docs/config/http.xml
Date Thu, 25 Nov 2010 16:01:16 GMT
Author: markt
Date: Thu Nov 25 16:01:16 2010
New Revision: 1039080

URL: http://svn.apache.org/viewvc?rev=1039080&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
Truststores don't have to have passwords
Based on a patch by 'smmwpf54'

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1039080&r1=1039079&r2=1039080&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Nov 25 16:01:16 2010
@@ -45,13 +45,6 @@ PATCHES PROPOSED TO BACKPORT:
       and fix it later if needed? I think that actually nobody besides the release manager
       uses this, so I am letting this pass.
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
-  Truststores don't have to have passwords
-  Based on a patch by 'smmwpf54'
-  https://issues.apache.org/bugzilla/attachment.cgi?id=26268
-  +1: kkolinko, markt, jfclere
-  -1:
-
 * Configure Tomcat to use HttpOnly for session cookies by default
   http://people.apache.org/~kkolinko/patches/2010-04-21_tc6_context_httpOnly.patch
   +1: kkolinko

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1039080&r1=1039079&r2=1039080&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Thu Nov
25 16:01:16 2010
@@ -266,7 +266,15 @@ public class JSSESocketFactory
         if (keystoreFile == null)
             keystoreFile = defaultKeystoreFile;
 
-        return getStore(type, provider, keystoreFile, pass);
+        try {
+            return getStore(type, provider, keystoreFile, pass);
+        } catch (FileNotFoundException fnfe) {
+            throw fnfe;
+        } catch (IOException ioe) {
+            log.error(sm.getString("jsse.keystore_load_failed", type,
+                    keystoreFile, ioe.getMessage()), ioe);
+            throw ioe;
+        }
     }
 
     /*
@@ -316,9 +324,33 @@ public class JSSESocketFactory
             log.debug("trustProvider = " + truststoreProvider);
         }
 
-        if (truststoreFile != null && truststorePassword != null){
-            trustStore = getStore(truststoreType, truststoreProvider,
-                    truststoreFile, truststorePassword);
+        if (truststoreFile != null) {
+            try {
+                trustStore = getStore(truststoreType, truststoreProvider,
+                        truststoreFile, truststorePassword);
+            } catch (FileNotFoundException fnfe) {
+                throw fnfe;
+            } catch (IOException ioe) {
+                // Log a warning that we had a password issue
+                // and re-try, unless the password is null already
+                if (truststorePassword != null) {
+                    log.warn(sm.getString("jsse.invalid_truststore_password"),
+                            ioe);
+                    try {
+                        trustStore = getStore(truststoreType,
+                                truststoreProvider, truststoreFile, null);
+                        ioe = null;
+                    } catch (IOException ioe2) {
+                        ioe = ioe2;
+                    }
+                }
+                if (ioe != null) {
+                    log.error(sm.getString("jsse.keystore_load_failed",
+                            truststoreType, truststoreFile, ioe.getMessage()),
+                            ioe);
+                    throw ioe;
+                }
+            }
         }
 
         return trustStore;
@@ -347,15 +379,19 @@ public class JSSESocketFactory
                 istream = new FileInputStream(keyStoreFile);
             }
 
-            ks.load(istream, pass.toCharArray());
+            char[] storePass = null;
+            if (pass != null && !"".equals(pass)) {
+                storePass = pass.toCharArray();
+            }
+            ks.load(istream, storePass);
         } catch (FileNotFoundException fnfe) {
             log.error(sm.getString("jsse.keystore_load_failed", type, path,
                     fnfe.getMessage()), fnfe);
             throw fnfe;
         } catch (IOException ioe) {
-            log.error(sm.getString("jsse.keystore_load_failed", type, path,
-                    ioe.getMessage()), ioe);
-            throw ioe;      
+            // May be expected when working with a trust store
+            // Re-throw. Caller will catch and log as required
+            throw ioe;
         } catch(Exception ex) {
             String msg = sm.getString("jsse.keystore_load_failed", type, path,
                     ex.getMessage());

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=1039080&r1=1039079&r2=1039080&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
Thu Nov 25 16:01:16 2010
@@ -15,3 +15,4 @@
 
 jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
 jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due to {2}
+jsse.invalid_truststore_password=The provided trust store password could not be used to unlock
and/or validate the trust store. Retrying to access the trust store with a null password which
will skip validation.

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1039080&r1=1039079&r2=1039080&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Nov 25 16:01:16 2010
@@ -172,6 +172,10 @@
         (mturk)
       </fix>
       <add>
+        <bug>48545</bug>: Allow JSSE trust stores to be used without providing
+        a password. Based on a patch by smmwpf54. (kkolinko)
+      </add>
+      <add>
         <bug>48738</bug>: Add support for flushing gzipped output. Based on a
         patch by Jiong Wang. (markt)
       </add>

Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=1039080&r1=1039079&r2=1039080&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Thu Nov 25 16:01:16 2010
@@ -738,8 +738,12 @@
       <p>The password to access the trust store. The default is the value of the
       <code>javax.net.ssl.trustStorePassword</code> system property. If that
       property is null, the value of <code>keystorePass</code> is used as the
-      default. If neither this attribute, the default system property nor
-      <code>keystorePass</code>is set, no trust store will be configured.</p>
+      default. If an invalid trust store password is specified, a warning will
+      be logged and an attempt will be made to access the trust store without a
+      password which will skip validation of the trust store contents. If the
+      trust store password is defined as <code>&quot;&quot;</code> then
no
+      password will be used to access the store which will also skip validation
+      of the trust store contents.</p>
     </attribute>
 
     <attribute name="truststoreType" required="false">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message