Bug 60450 - Setting keystore type shouldn't override the truststore type
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Util
Version: 8.5.x-trunk
Hardware: PC All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2016-12-07 12:36 UTC by Axel Fontaine
Modified: 2016-12-09 09:29 UTC
Description Axel Fontaine 2016-12-07 12:36:24 UTC
Say I have a keystore in PKCS12 format and a truststore in the default JKS format.

By setting the keystore type (PKCS12) and NOT explicitly overriding the default truststore type (JKS), the truststore type now also gets changed to PKCS12 and fails to load.

This line is the issue: https://github.com/apache/tomcat/blob/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java#L585

This behavior is currently very unintuitive and not documented anywhere. I strongly believe changing the keystore type should not secretly alter the truststore type.
Comment 1 Mark Thomas 2016-12-07 12:56:02 UTC
From the 8.5.x documentation:

JSSE only.

The type of key store used for the trust store. The default is the value of the javax.net.ssl.trustStoreType system property. If that property is null, the value of keystoreType is used as the default.

Those docs could do with an update to make clear it is the key store type of the default certificate that is used.

PKCS12 is somewhat of a special case since the trust store is unlikely to be in the same format as the key store.

I'm currently leaning towards WONTFIX for the original request in this report since the behaviour is documented and makes sense for key store types other than PKCS12.

A possible enhancement could be for the trust store type to default to JKS if the key store type is PKCS12. However, that would add complexity.
Comment 2 Axel Fontaine 2016-12-07 13:07:58 UTC
Or couldn't this whole setting simply default to autodetection? After all, we can now simply set it to JKS and this will autodetect both PKCS12 and JKS (see https://bugs.openjdk.java.net/browse/JDK-8062552).

Therefore I believe a default of JKS should be a fine one, instead of the current behavior where setting the keystore type to PKCS12 without overriding the default truststore type almost invariably results in a cryptic and hard to debug failure.
Comment 3 Mark Thomas 2016-12-09 09:29:46 UTC
Auto detection is not an option. Tomcat 8.x has a minimum Java requirement of 7 where that feature is not (yet?) available. Tomcat 9 needs to run on any Java 8 version so requiring a minimum point release to support PKCS12 via auto detection is not acceptable. Finally, not everyone uses Oracle's JSSE implementation and we need to support all of those as well.

While looking into this I discovered that Tomcat wasn't consistently using the key store type as the default trust store type so this needs fixing too.

I've now fixed the inconsistencies in using the key store type as the default, ensured PKCS12 won't be used as the default and updated the docs to make clear how the default is selected.

Fixed in:
- trunk for 9.0.0.M15 onwards
- 8.5.x for 8.5.10 onwards
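
For versions before the fix, the configuration discussed in this report can be made independent of the default by declaring the trust store type explicitly. The following is an added example, not taken from the bug report or from Tomcat's documentation; the port, file paths and passwords are placeholders, and the attribute names are those of the Tomcat 8.5 `SSLHostConfig` and `Certificate` elements.

```xml
<!-- Constructed example: port, paths and passwords are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">

  <!-- Before (kept commented out): truststoreType is omitted. With the
       javax.net.ssl.trustStoreType system property unset, the affected
       versions fall back to the key store type (PKCS12 here), so the
       JKS trust store fails to load. -->
  <!--
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="conf/truststore.jks"
                 truststorePassword="CHANGE_ME">
    <Certificate certificateKeystoreFile="conf/server.p12"
                 certificateKeystorePassword="CHANGE_ME"
                 certificateKeystoreType="PKCS12" />
  </SSLHostConfig>
  -->

  <!-- After: the trust store type is stated explicitly, so it no longer
       depends on the key store type or on the system property. -->
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="conf/truststore.jks"
                 truststorePassword="CHANGE_ME"
                 truststoreType="JKS">
    <Certificate certificateKeystoreFile="conf/server.p12"
                 certificateKeystorePassword="CHANGE_ME"
                 certificateKeystoreType="PKCS12" />
  </SSLHostConfig>
</Connector>
```

Stating both types explicitly also keeps the connector's behaviour the same across an upgrade to 8.5.10 or 9.0.0.M15, where the default selection changes.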