From 8a6ae2173c23a639148e9eacbcf79cf2c9ff1755 Mon Sep 17 00:00:00 2001
From: markt
Date: Tue, 15 Mar 2011 22:51:10 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50928 Don't ignore keyPass attribute
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1081969 13f79535-47bb-0310-9956-ffa450edef68
---
 .../tomcat/util/net/jsse/JSSESocketFactory.java | 6 ++++-
 test/org/apache/tomcat/util/net/TestSsl.java | 18 +++++++++++++
 test/org/apache/tomcat/util/net/TesterSupport.java | 24 ++++++++++++++----
 test/org/apache/tomcat/util/net/keystore-info.txt | 28 +++++++++++++++++++++
 .../org/apache/tomcat/util/net/localhost-copy1.jks | Bin 0 -> 2198 bytes
 webapps/docs/changelog.xml | 4 +++
 6 files changed, 74 insertions(+), 6 deletions(-)
 create mode 100644 test/org/apache/tomcat/util/net/keystore-info.txt
 create mode 100644 test/org/apache/tomcat/util/net/localhost-copy1.jks
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
index cecf04190..2484b0d19 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
@@ -565,7 +565,11 @@ public class JSSESocketFactory implements ServerSocketFactory, SSLUtil {
 }
 KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
- kmf.init(ks, keystorePass.toCharArray());
+ String keyPass = endpoint.getKeyPass();
+ if (keyPass == null) {
+ keyPass = keystorePass;
+ }
+ kmf.init(ks, keyPass.toCharArray());
 kms = kmf.getKeyManagers();
 if (keyAlias != null) {
diff --git a/test/org/apache/tomcat/util/net/TestSsl.java b/test/org/apache/tomcat/util/net/TestSsl.java
index ee5850541..37c5e931d 100644
--- a/test/org/apache/tomcat/util/net/TestSsl.java
+++ b/test/org/apache/tomcat/util/net/TestSsl.java
@@ -57,6 +57,24 @@ public class TestSsl extends TomcatBaseTest {
 assertTrue(res.toString().indexOf("
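Review bot: The fallback from `keyPass` to `keystorePass` just before `kmf.init(ks, keyPass.toCharArray())` is silent and uncommented, so a reader cannot tell that an unset `keyPass` means the key entry is expected to share the keystore password. I would add a comment above the null check such as `// keyPass is optional: when it is not configured the key entry is assumed to be protected by the keystore password`. `KeyManagerFactory.init` also takes a single password for key recovery, so a keystore holding several key entries with different passwords will presumably still fail here (at least with the default SunX509 implementation) even when `keyAlias` selects the right entry; that limitation is worth stating in the connector documentation. The enclosing method starts and ends outside this hunk.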

Hello World!

") > 0);
 }
+ public void testKeyPass() throws Exception {
+ TesterSupport.configureClientSsl();
+
+ Tomcat tomcat = getTomcatInstance();
+
+ File appDir = new File(getBuildDirectory(), "webapps/examples");
+ tomcat.addWebapp(null, "/examples", appDir.getAbsolutePath());
+
+ TesterSupport.initSsl(tomcat, "localhost-copy1.jks", "changeit",
+ "tomcatpass");
+
+ tomcat.start();
+ ByteChunk res = getUrl("https://localhost:" + getPort() +
+ "/examples/servlets/servlet/HelloWorldExample");
+ assertTrue(res.toString().indexOf("

Hello World!

") > 0);
+ }
+
+
 boolean handshakeDone = false;
 public void testRenegotiateFail() throws Exception {
diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java b/test/org/apache/tomcat/util/net/TesterSupport.java
index ee133425b..d918367a6 100644
--- a/test/org/apache/tomcat/util/net/TesterSupport.java
+++ b/test/org/apache/tomcat/util/net/TesterSupport.java
@@ -40,6 +40,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.catalina.Context;
 import org.apache.catalina.authenticator.SSLAuthenticator;
+import org.apache.catalina.connector.Connector;
 import org.apache.catalina.deploy.LoginConfig;
 import org.apache.catalina.deploy.SecurityCollection;
 import org.apache.catalina.deploy.SecurityConstraint;
@@ -73,17 +74,30 @@ public final class TesterSupport {
 }
 protected static void initSsl(Tomcat tomcat) {
+ initSsl(tomcat, "localhost.jks", null, null);
+ }
+
+ protected static void initSsl(Tomcat tomcat, String keystore,
+ String keystorePass, String keyPass) {
+
 String protocol = tomcat.getConnector().getProtocolHandlerClassName();
 if (protocol.indexOf("Apr") == -1) {
- tomcat.getConnector().setProperty("sslProtocol", "tls");
- File keystoreFile = new File(
- "test/org/apache/tomcat/util/net/localhost.jks");
- tomcat.getConnector().setAttribute("keystoreFile",
+ Connector connector = tomcat.getConnector();
+ connector.setProperty("sslProtocol", "tls");
+ File keystoreFile =
+ new File("test/org/apache/tomcat/util/net/" + keystore);
+ connector.setAttribute("keystoreFile",
 keystoreFile.getAbsolutePath());
 File truststoreFile = new File(
 "test/org/apache/tomcat/util/net/ca.jks");
- tomcat.getConnector().setAttribute("truststoreFile",
+ connector.setAttribute("truststoreFile",
 truststoreFile.getAbsolutePath());
+ if (keystorePass != null) {
+ connector.setAttribute("keystorePass", keystorePass);
+ }
+ if (keyPass != null) {
+ connector.setAttribute("keyPass", keyPass);
+ }
 } else {
 File keystoreFile = new File(
 "test/org/apache/tomcat/util/net/localhost-cert.pem");
diff --git a/test/org/apache/tomcat/util/net/keystore-info.txt b/test/org/apache/tomcat/util/net/keystore-info.txt
new file mode 100644
index 000000000..db9d36e3d
--- /dev/null
+++ b/test/org/apache/tomcat/util/net/keystore-info.txt
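Review bot: The new `keystore`, `keystorePass` and `keyPass` parameters of `initSsl(Tomcat, String, String, String)` are only read in the non-APR branch; the `else` branch still loads the fixed `localhost-cert.pem`, so when the connector's protocol handler name contains `Apr` the new `testKeyPass` in TestSsl.java passes without ever opening `localhost-copy1.jks` or using the key password. I would document this on the overload with a Javadoc sentence stating that the three arguments are ignored for APR connectors, or have `testKeyPass` return early in that case so a green run cannot be mistaken for coverage of the `keyPass` fix. The `else` branch continues past the end of this hunk, so this is based only on the lines visible here.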
@@ -0,0 +1,28 @@
+================================================================================
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+================================================================================
+
+ca.jks (changeit)
+ ca CN=ca-test.tomcat.apache.org
+
+localhost.jks (changeit)
+ tomcat CN=ca-test.tomcat.apache.org
+
+localhost-copy1.jks (changeit)
+ tomcat CN=ca-test.tomcat.apache.org (tomcatpass)
+
+user1.jks (changeit)
+ user1 CN=user1
diff --git a/test/org/apache/tomcat/util/net/localhost-copy1.jks b/test/org/apache/tomcat/util/net/localhost-copy1.jks new file mode 100644 index 0000000000000000000000000000000000000000..256a64b494123ef8033dcd4d3de2958db98ad849 GIT binary patch literal 2198 zcmY+Fc{tPy7sux}#xTZC7&VrZY|Z-{`@UuisV0(=nV1-fp-GXg2@_KyOW`8>zKaMG zl9a84iA-GAGFd`I#dzKB`^SC%IDdT3d7kr}=X}reJ)9-Z5(EN)?gj8W;1vI>9t6rB zVxH$EYe68~P>>4afP!#7RX6|xRG=aNzzu;>VPDQV?-nR(p?!81(uU8>Slw?jq+O?V zjq4!C;NJ)9$s%6e+zTRGi$7SVsK;iheBHqg?3GLsJ<={$kZ+$HMcsKM}$nhTT)zb)a}z0VV@B?*4f z`$qNbe%p#FMA^ggq%0jYrZcK}QcF0y(+H?;75iyTPV=8CpZuR>y`gnIl--vLSEwBt zI(Ok}^;2$)f$`Wd@;Snpv=C>BDb2%W?!I1e%JV6Q#r7P{i)WKlx7I_g|ASW{vZ9N= z5_A?OF41523VRFr@*^^>1M-_}G!)5M$Vbxq{N8i-KZ{+T6h)pKy?f+AtrtqYheGwC z4+LlGw2po<6kHTvTZnqVF+jpQ7?2mu$f){)=GmPbmRZp4ynY$HX}^TAHp-_a$hrL- zyN|}Et~{ZbI0jx`IGbSBV~HvavjReg9;N>j5g(e+0*V4mCbKox)P{78K7 zX;|8-TKrh)L@FgxaO3(dZHE@#aN>{tZ+E;lO;{T-!Iq!%4Gr%NHblw+Gtm3EH-8yE z`j`@` zGnl#F+V|q}LlvG?`zY7jx?8dDj^Nz9M-(>FG#|$`O&pJ?_f%)x6lG1+G07LsE3&Nk9ed22)h| zmw={M8M?VR`drnJk=4Av+%B(&QRtFAB{=Ow0MF*o-MAkvZt4%c{I?a{-$&x}l~cFE z;QGlD`&(Jc2GLB=u1IHULwI^P%B@&n{UB;BKc{rf#2Yv`eoa_HC*;ZsjzUZ~UoKpS zC#;&E4rM%Nhtw6-`dyEMs2&Z2@!)q#Lv|~|tX&3XYoQ07MY!u5M)O1iJ6}yc>2OG> zx<~uPmw+Qjj5mhhS_3tm|`?%~FmB0y2sh$eB(O71U|NI7%w%d7E z(A-6;hQHP+GYE0wYRY*WLFa8tbk>b!X)>CWM)nwx| zLj}*>L*-^8*oYd=rq66ug1MaC_y>PD!$T|IHT%J2@BwUtwaRz1#NW=y?Sjz)^&k)~ z2aw8T3sRxjCtOef3WW+oKmj;HCB`OZQ((^iiEu`TuVz3JU+z z65;FbLGbnVzeWM6z`=hHvgguVR6q!_m*<000RU1xO{Z?vP(Rkp&-3mW#)-e{%V}h8 zxg=Sg>9|sNno}83K+f_VknR38+R@=AB-L|SAKLpT1=t(9X~pxyZ^V_dxs5h*u*uJ^&R@4Z;N=*So! z>wiC9c#3M;e~CZi;*jty+u@L&c!u4x>2h$1*?9Os*9AeDv!NCEW6i{?mWqGz=F0Zy z4}`VM5EQ-`qpVgWwiIX7Uy)|MNL|8k6O(KeEJZrU><#K)9S{71WGlkeNDgzg1x9Bo zBP54B9x%1fTUk`Kv?I13PdTFdpT>OA2E60gp+ zOeA-2jXD9xH^cfs*}uyQFey+XQoP!rrRS%TyD>~Q!?&C6%>=5qjQ%ap-kt2p13U?0-|!7yj& zg5gbAVx5-rZBKi`t;kAq&8hSp4MBxZK@8;M1& literal 0 HcmV?d00001 diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index b6275db21..240a4d792 100644 
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -87,6 +87,10 @@ processed. Requests where processing has started will continue to completion. (markt)
+
+ 50928: Don't ignore keyPass attribute for HTTP BIO and
+ NIO connectors. Based on a patch provided by sebb. (markt)
+
--
2.11.0