| Summary: | Regression in PKCS11 keystores - incorrect alias being used | | |
|---|---|---|---|
| Product: | Tomcat 8 | Reporter: | Daniel Ruggeri <DRuggeri> |
| Component: | Connectors | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | DRuggeri, jfclere |
| Priority: | P2 | | |
| Version: | 8.5.23 | | |
| Target Milestone: | ---- | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Description
Daniel Ruggeri
2017-10-03 14:30:02 UTC
Also, as a side comment, I would be happy to help produce tests to catch these during release. I'm not sure where to start, but am motivated to assist.

It is true the alias setting will now only work if the key type is PKCS8. After investigating, it would seem r1800874 has to be partially reverted since we cannot put the non PKCS8 key in the in memory keystore and may have to use the JSSEKeyManager wrapper instead. Unless it is always possible to do the memory keystore creation with other types [and go with putting the key there], in which case the condition "PKCS#8".equalsIgnoreCase(k.getFormat()) can simply be removed. Unfortunately, no test case here to make sure I don't do anything wrong.

Sure, understood. If you can provide a jar, I can do testing to verify the change before committing. Thinking about the ability to test this ongoing, I *think* that the Oracle PKCS11 provider works in software on Solaris, Linux and Windows. I can try putting together some test code if you think it would be worth doing.

I agree with Rémy's analysis. Since I messed this up, I'm happy to take a look at getting it fixed. First step will be setting up a software PKCS11 keystore for testing. Any pointers appreciated.

I think I have fixed this. Snapshot build available here: http://people.apache.org/~markt/dev/v8.5.24-dev/ If you could test and provide feedback that will be great. Note: This is a snapshot, not an official release. It is intended for testing this issue only. If your server catches fire when you install it you are on your own, etc.

Hi, Mark; I can confirm that the preview build you shared corrects the problem... and I even detected no smoke! For testing, I was mistaken. The SunPKCS11 Provider does, indeed, ship on all Solaris, Windows and Linux builds but does not include a backing PKCS11 implementation - that's still separate. Can you help me understand what flexibility exists in the testing infrastructure for Tomcat? The way I test this in our environment is with NSS which is free, provides a PKCS11 implementation and is available on RedHat and Debian derivatives. If you have a Windows or Linux VM to do said testing, I can provide scripts that will generate the stores. I could also throw together a Dockerfile if docker is a thing for you.

All of our testing is based around JUnit. Some variation of the unit tests in o.a.tomcat.util.net is probably required. Making them optional depending on the presence of NSS is probably the way to go. You should be able to re-use the keys/certs in that location.
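As an added illustration (not Tomcat's code and not the fix committed for this bug), the two paths the thread discusses for honouring a configured alias: copy an exportable PKCS#8 key into a single-entry in-memory keystore, or, when the key is not exportable (as with a PKCS11 token), keep the original keystore and force the alias through an X509KeyManager wrapper in the spirit of JSSEKeyManager. The class and method names below are assumptions.

```java
import java.net.Socket;
import java.security.Key;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Hypothetical helper: always present the configured alias, whatever the keystore type. */
public final class PinnedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String alias;

    private PinnedAliasKeyManager(X509KeyManager d, String a) { delegate = d; alias = a; }

    /** Exportable PKCS#8 keys (JKS/PKCS12) can be copied; PKCS11-backed keys report no encoding. */
    static boolean isExportablePkcs8(Key k) {
        return k instanceof PrivateKey
                && "PKCS#8".equalsIgnoreCase(k.getFormat())
                && k.getEncoded() != null;
    }

    public static X509KeyManager forAlias(KeyStore src, String alias, char[] keyPass) throws Exception {
        if (!src.isKeyEntry(alias)) throw new IllegalArgumentException("no key entry for alias " + alias);
        Key key = src.getKey(alias, keyPass);
        KeyStore ks = src;
        if (isExportablePkcs8(key)) {
            // Copy only the chosen entry into an in-memory store, so exactly one alias exists.
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null);
            ks.setKeyEntry(alias, key, keyPass, src.getCertificateChain(alias));
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        // Non-exportable key: the original store still holds every alias, so pin it in the wrapper.
        return ks == src ? new PinnedAliasKeyManager(base, alias) : base;
    }

    @Override public String chooseServerAlias(String kt, Principal[] i, Socket s) { return alias; }
    @Override public String chooseClientAlias(String[] kt, Principal[] i, Socket s) { return alias; }
    @Override public String[] getServerAliases(String kt, Principal[] i) { return new String[] { alias }; }
    @Override public String[] getClientAliases(String kt, Principal[] i) { return new String[] { alias }; }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(alias); }
}
```

With a SunPKCS11 keystore, `keyPass` is the token PIN and `getEncoded()` returns null for the private key, which is what sends the code down the wrapper path.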