Bug 62526

Summary: Tomcat fails in a strange way when PKCS12 key store password is the empty string
Product: Tomcat 8
Reporter: Fabrice Bacchella <fabrice.bacchella>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 8.5.32   
Target Milestone: ----   
Hardware: PC   
OS: Mac OS X 10.1   

Description Fabrice Bacchella 2018-07-09 20:37:44 UTC
I defined a keystore with no password and a password for the key.

I then run the following code:

    import org.apache.tomcat.util.net.NioEndpoint;
    import org.apache.tomcat.util.net.SSLHostConfig;

    public class Repro {
        public static void main(String[] args) throws Exception {
            // PKCS12 store has no password; the key inside it has one
            SSLHostConfig shc = new SSLHostConfig();
            shc.setProtocols("TLSv1.2");
            shc.setCertificateKeystoreFile("file:testenv/conf/keystore.p12");
            shc.setCertificateKeystorePassword("");     // empty store password
            shc.setCertificateKeystoreType("PKCS12");
            shc.setCertificateKeyPassword("azerty");    // key password differs from store password
            shc.setHostName("_default_");
            NioEndpoint v = new NioEndpoint();
            v.setSSLEnabled(true);
            v.addSslHostConfig(shc);
            v.bind();                                   // throws the exception below
        }
    }

I'm getting this stack:
java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsse
...
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
	at java.security.KeyStore.setKeyEntry(KeyStore.java:1136)
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:257)
	at 

If I define a password for both, or the password is defined only for the keystore, it works. If a keystore without a password is not allowed, a better message should be provided.
Comment 1 Mark Thomas 2018-07-10 20:19:09 UTC
This looks like a malformed key store.

Steps to reproduce (or at least to create the keystore) please.
Comment 2 Fabrice Bacchella 2018-07-10 20:40:11 UTC
I generated this key store using http://keystore-explorer.org.

I switched many times between an empty password and a defined password for the store or the key. Of the 4 possible configurations, only the one where certificateKeystorePassword is defined works. As soon as I remove it, I get this exception. When I put it back, it's OK.
Comment 3 Mark Thomas 2018-07-10 21:00:03 UTC
Which version of Java are you running Tomcat with?
Comment 4 Fabrice Bacchella 2018-07-10 21:08:38 UTC
Oracle 1.8.0_162
Comment 5 Mark Thomas 2018-07-10 21:20:53 UTC
Thanks. I can now see what is happening.

In Java 6 and earlier, the KeyStore implementation didn't support the empty String as a valid password. Tomcat therefore converted it to null. KeyStore doesn't return certificates if null is provided for the KeyStore password.

As of Java 7 (the latest version at least), KeyStore does support empty passwords. We need to make some changes to allow empty passwords to be used. For 8.5.x onwards it should be fairly easy since they require Java 7 as a minimum. 7.0.x will be a little trickier as it has a minimum requirement of Java 6.
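Added diagnostic illustrating the explanation above (this is not code from the report or from Tomcat): it loads a PKCS12 file once with the empty password and once with null, the value the unfixed Tomcat passed, and reports whether each key entry's certificate chain is visible; it then performs the setKeyEntry copy the stack trace points at, with a chain check that replaces the generic JDK message. It assumes the store path, key alias and key password are given on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

public class EmptyStorePassCheck {
    // Load the PKCS12 file with the given store password and report, for each
    // key entry, whether its certificate chain is visible. A null password is
    // what Tomcat 8.5.32 passed after converting "" to null.
    static KeyStore inspect(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        System.out.println("store password " + (storePass == null ? "null" : "\"\"") + ":");
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("  key '" + alias + "': chain "
                    + (chain == null ? "not visible" : chain.length + " cert(s)"));
        }
        return ks;
    }

    // The step the stack trace points at (KeyStore.setKeyEntry called from
    // JSSEUtil.getKeyManagers): copying the key entry into a fresh store.
    // Checking the chain first turns the generic "Private key must be
    // accompanied by certificate chain" into a message naming the likely cause.
    static KeyStore copyKeyEntry(KeyStore ks, String alias, char[] keyPass) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) {
            throw new IllegalStateException("No certificate chain for key '" + alias
                    + "': the store was probably loaded with a null password instead of \"\"");
        }
        KeyStore copy = KeyStore.getInstance("PKCS12");
        copy.load(null, null);
        copy.setKeyEntry(alias, ks.getKey(alias, keyPass), keyPass, chain);
        return copy;
    }

    // Usage (arguments are assumptions): java EmptyStorePassCheck keystore.p12 <alias> <key password>
    public static void main(String[] args) throws Exception {
        String path = args[0];
        inspect(path, new char[0]);          // empty password, accepted since Java 7
        KeyStore ks = inspect(path, null);   // what the unfixed Tomcat did
        copyKeyEntry(ks, args[1], args[2].toCharArray());
    }
}
```

On a JDK where the null load hides the certificate chain, the second inspect line reports "chain not visible" and copyKeyEntry fails with the explicit message instead of the IllegalArgumentException from the report.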
Comment 6 Mark Thomas 2018-07-11 11:10:14 UTC
Fixed in:
- trunk for 9.0.11 onwards
- 8.5.x for 8.5.33 onwards
- 7.0.x for 7.0.91 onwards