--- java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (revision 1032477) +++ java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (working copy) @@ -266,7 +266,15 @@ if (keystoreFile == null) keystoreFile = defaultKeystoreFile; - return getStore(type, provider, keystoreFile, pass); + try { + return getStore(type, provider, keystoreFile, pass); + } catch (FileNotFoundException fnfe) { + throw fnfe; + } catch (IOException ioe) { + log.error(sm.getString("jsse.keystore_load_failed", type, + keystoreFile, ioe.getMessage()), ioe); + throw ioe; + } } /* @@ -316,9 +324,33 @@ log.debug("trustProvider = " + truststoreProvider); } - if (truststoreFile != null && truststorePassword != null){ - trustStore = getStore(truststoreType, truststoreProvider, - truststoreFile, truststorePassword); + if (truststoreFile != null) { + try { + trustStore = getStore(truststoreType, truststoreProvider, + truststoreFile, truststorePassword); + } catch (FileNotFoundException fnfe) { + throw fnfe; + } catch (IOException ioe) { + // Log a warning that we had a password issue + // and re-try, unless the password is null already + if (truststorePassword != null) { + log.warn(sm.getString("jsse.invalid_truststore_password"), + ioe); + try { + trustStore = getStore(truststoreType, + truststoreProvider, truststoreFile, null); + ioe = null; + } catch (IOException ioe2) { + ioe = ioe2; + } + } + if (ioe != null) { + log.error(sm.getString("jsse.keystore_load_failed", + truststoreType, truststoreFile, ioe.getMessage()), + ioe); + throw ioe; + } + } } return trustStore; 
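Review bot: The new `catch (FileNotFoundException fnfe) { throw fnfe; }` branch in getKeystore reads as dead code at first glance; its only purpose is to keep a missing file out of the `catch (IOException ioe)` branch below, which would otherwise log it a second time since getStore() already logs FileNotFoundException before rethrowing (visible in the later hunk of this file). That intent should be stated in place, e.g. `// already logged by getStore(); re-throw without logging it again`. The IOException branch itself is fine: it keeps the cause (`ioe`) on the log call and rethrows rather than wrapping.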
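Review bot: The retry with a null password in the new `catch (IOException ioe)` block turns any trust store load failure into an unverified load, not just a mistyped password: getStore() surfaces a wrong password and a tampered or corrupt store the same way (as an IOException, which the other hunk of this file now deliberately rethrows unlogged), and the commit's own `jsse.invalid_truststore_password` text says the null-password retry "will skip validation", so a store whose integrity check fails is accepted after only a warning. Because the retry runs unconditionally whenever `truststorePassword != null`, a configuration typo silently downgrades integrity protection instead of failing closed; the hunk already documents `""` as the explicit way to ask for an unverified load, so the safer shape is to drop the inner `try { trustStore = getStore(..., null); ioe = null; } catch (IOException ioe2) { ioe = ioe2; }` and let the existing `log.error(...); throw ioe;` path below run, leaving the operator to opt in by setting the password to `""`. Separately, removing `truststorePassword != null` from the old guard means a trust store is now configured even when no password is available at all, which looks like a deliberate behavior change but is not called out anywhere in the hunk; a one-line comment above `if (truststoreFile != null) {` stating that a null password is now allowed (and unverified) would help the next reader.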
@@ -347,15 +379,19 @@ istream = new FileInputStream(keyStoreFile); } - ks.load(istream, pass.toCharArray()); + char[] storePass = null; + if (pass != null && !"".equals(pass)) { + storePass = pass.toCharArray(); + } + ks.load(istream, storePass); } catch (FileNotFoundException fnfe) { log.error(sm.getString("jsse.keystore_load_failed", type, path, fnfe.getMessage()), fnfe); throw fnfe; } catch (IOException ioe) { - log.error(sm.getString("jsse.keystore_load_failed", type, path, - ioe.getMessage()), ioe); - throw ioe; + // May be expected when working with a trust store + // Re-throw. Caller will catch and log as required + throw ioe; } catch(Exception ex) { String msg = sm.getString("jsse.keystore_load_failed", type, path, ex.getMessage()); --- java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties (revision 1032477) +++ java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties (working copy) @@ -15,3 +15,4 @@ jsse.alias_no_key_entry=Alias name {0} does not identify a key entry jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due to {2} +jsse.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation. --- webapps/docs/config/http.xml (revision 1032477) +++ webapps/docs/config/http.xml (working copy) @@ -738,8 +738,12 @@
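Review bot: The new `storePass` block silently equates an empty password with no password, and `ks.load(istream, null)` is exactly what skips the store's integrity check (the commit's documentation hunk says so), so that consequence belongs in the code rather than only in the docs: `// "" means "no password": KeyStore.load(is, null) skips the integrity check`. Since `pass != null` is already established, `!"".equals(pass)` can simply be `!pass.isEmpty()`. The password array is never cleared after `ks.load`; zeroing it afterwards (e.g. `java.util.Arrays.fill(storePass, '\0')` in the cleanup path, if one exists) would be the usual hygiene, though the removed `pass.toCharArray()` had the same gap. getStore's body starts before and continues after this hunk.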

The password to access the trust store. The default is the value of the javax.net.ssl.trustStorePassword system property. If that property is null, the value of keystorePass is used as the - default. If neither this attribute, the default system property nor - keystorePassis set, no trust store will be configured.

+ default. If an invalid trust store password is specified, a warning will + be logged and an attempt will be made to access the trust store without a + password which will skip validation of the trust store contents. If the + trust store password is defined as "" then no + password will be used to access the store which will also skip validation + of the trust store contents.