import java.net.SocketException;
import java.security.KeyStore;
import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPathParameters;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.res.StringManager;
-/*
- 1. Make the JSSE's jars available, either as an installed
- extension (copy them into jre/lib/ext) or by adding
- them to the Tomcat classpath.
- 2. keytool -genkey -alias tomcat -keyalg RSA
- Use "changeit" as password ( this is the default we use )
- */
-
/**
- * SSL server socket factory. It _requires_ a valid RSA key and
- * JSSE.
- *
+ * SSL server socket factory. It <b>requires</b> a valid RSA key and
+ * JSSE.<br/>
+ * keytool -genkey -alias tomcat -keyalg RSA</br>
+ * Use "changeit" as password (this is the default we use).
+ *
* @author Harish Prabandham
* @author Costin Manolache
* @author Stefan Freyr Stefansson
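Review bot: The closing tag at L24 is written `</br>`, which is not valid HTML and does not match the `<br/>` used on the line before, so javadoc with doclint enabled is likely to flag it. Change the line to `* keytool -genkey -alias tomcat -keyalg RSA<br/>`. The class Javadoc continues past the hunk.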
}
if (truststoreFile != null){
- trustStore = getStore(truststoreType, truststoreProvider,
- truststoreFile, truststorePassword);
+ try {
+ trustStore = getStore(truststoreType, truststoreProvider,
+ truststoreFile, truststorePassword);
+ } catch (IOException ioe) {
+ Throwable cause = ioe.getCause();
+ if (cause instanceof UnrecoverableKeyException) {
+ // Log a warning we had a password issue
+ log.warn(sm.getString("jsse.invalid_truststore_password"),
+ cause);
+ // Re-try
+ trustStore = getStore(truststoreType, truststoreProvider,
+ truststoreFile, null);
+ } else {
+ // Something else went wrong - re-throw
+ throw ioe;
+ }
+ }
}
return trustStore;
}
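Review bot: The retry at L44–45 reloads the trust store with a null password whenever the wrapped cause is UnrecoverableKeyException, but for the default JKS type that exception is also what the provider raises when the store's integrity check fails (its message reads along the lines of "Keystore was tampered with, or password was incorrect"), so the fallback accepts a modified trust store as well as a mistyped password while the warning at L41 only mentions the password. The comment on the retry should state that, e.g. `// Re-try without a password: this skips the integrity check, so a tampered store loads too`, and loading without verification is better made opt-in or at least logged as "trust store loaded without integrity validation" rather than being the default recovery. Whether other store types surface a bad password as an UnrecoverableKeyException cause is not visible here; a PKCS12 store may throw something else and land in the re-throw branch, so the behaviour looks provider-dependent. The enclosing method starts outside the hunk.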
char[] storePass = null;
- if (pass != null) {
+ if (pass != null && !"".equals(pass)) {
storePass = pass.toCharArray();
}
ks.load(istream, storePass);
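Review bot: The added check at L56 reads more naturally as `if (pass != null && !pass.isEmpty()) {`, which says the same thing without the Yoda-style `"".equals(pass)`. Treating an empty password as "no password" is a behaviour change for stores configured with an empty string; a one-line comment such as `// An empty password is treated as no password` would make that intentional to the next reader. The enclosing method starts and ends outside the hunk.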
fnfe.getMessage()), fnfe);
throw fnfe;
} catch (IOException ioe) {
- log.error(sm.getString("jsse.keystore_load_failed", type, path,
- ioe.getMessage()), ioe);
- throw ioe;
+ // May be expected when working with a trust store
+ // Re-throw. Caller will catch and log as required
+ throw ioe;
} catch(Exception ex) {
String msg = sm.getString("jsse.keystore_load_failed", type, path,
ex.getMessage());
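Review bot: Removing the log.error at L63–65 drops the only place the store type and path were logged next to the IOException; the new comment says the caller will log, but getStore appears to be shared by the key store and trust store paths, and the trust store caller visible above only logs the UnrecoverableKeyException case before re-throwing everything else. A plain IOException on the key store path may therefore now surface without the path/type context that the remaining `catch(Exception ex)` branch still provides. Either keep a low-level record here, `log.debug(sm.getString("jsse.keystore_load_failed", type, path, ioe.getMessage()), ioe);`, or confirm every caller logs with the same detail. The enclosing method and its callers are outside the hunk.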
<attribute name="truststorePass" required="false">
<p>The password to access the trust store. The default is the value of the
<code>javax.net.ssl.trustStorePassword</code> system property. If that
- property is null, no trust store password will be configured.</p>
+ property is null, no trust store password will be configured. If an
+ invalid trust store password is specified, a warning will be logged and an
+ attempt will be made to access the trust store without a password which
+ will skip validation of the trust store contents.</p>
</attribute>
<attribute name="truststoreProvider" required="false">