Bug 61497 - JKS Keystore Handling regression
Summary: JKS Keystore Handling regression
Status: RESOLVED DUPLICATE of bug 61451
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
Version: 8.5.20
Hardware: PC All
Importance: P2 regression
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2017-09-06 15:08 UTC by gmilewski
Modified: 2017-09-06 18:57 UTC



Attachments
Zip containing key, cert, chain, and keystore. (13.77 KB, application/x-zip-compressed)
2017-09-06 15:08 UTC, gmilewski

Description gmilewski 2017-09-06 15:08:22 UTC
Created attachment 35302
Zip containing key, cert, chain, and keystore.

Attached are throwaway key/cert/keystore

Configuring a Tomcat instance with an internal CA and Java Keystore in Tomcat 8.5.16 works without issue.  Migrating the same install to 8.5.19 or 8.5.20 results in "java.security.KeyStoreException: Cannot store non-PrivateKeys", failing to create the SSL port.

Taking the SAME keystore, extracting to PKCS12 via keytool.exe, then to PEM through OpenSSL, then configuring server.xml to use PEM results in a working/trusted SSL port in 8.5.20, however we need the keystore method.

Keystore password is: 6d454df3d881bf61ccc0540d36cff1a5

8.5.16 KEYSTORE:

06-Sep-2017 10:12:46.247 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.12] using APR version [1.5.2].
06-Sep-2017 10:12:46.247 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
06-Sep-2017 10:12:46.247 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
06-Sep-2017 10:12:46.966 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2k  26 Jan 2017]
06-Sep-2017 10:12:47.153 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
06-Sep-2017 10:12:47.294 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
06-Sep-2017 10:12:47.310 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
06-Sep-2017 10:12:47.591 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
06-Sep-2017 10:12:47.591 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
06-Sep-2017 10:12:47.591 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
06-Sep-2017 10:12:47.591 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1882 ms

8.5.20 KEYSTORE:


06-Sep-2017 10:15:44.562 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.12] using APR version [1.5.2].
06-Sep-2017 10:15:44.562 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
06-Sep-2017 10:15:44.562 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
06-Sep-2017 10:15:45.345 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2k  26 Jan 2017]
06-Sep-2017 10:15:45.579 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
06-Sep-2017 10:15:45.720 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
06-Sep-2017 10:15:45.735 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
06-Sep-2017 10:15:46.014 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"]
 java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
	at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:258)
	at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
	at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
	at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:226)
	at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
	... 20 more

06-Sep-2017 10:15:46.030 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:999)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	... 12 more
Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
	... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
	at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:258)
	at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
	at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
	at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:226)
	at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
	... 20 more

06-Sep-2017 10:15:46.030 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
06-Sep-2017 10:15:46.030 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
06-Sep-2017 10:15:46.030 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 2099 ms


8.5.20 PEM FILES:

06-Sep-2017 10:28:35.271 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.12] using APR version [1.5.2].
06-Sep-2017 10:28:35.271 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
06-Sep-2017 10:28:35.271 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
06-Sep-2017 10:28:36.052 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2k  26 Jan 2017]
06-Sep-2017 10:28:36.271 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
06-Sep-2017 10:28:36.427 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
06-Sep-2017 10:28:36.427 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
06-Sep-2017 10:28:36.442 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
06-Sep-2017 10:28:36.442 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
06-Sep-2017 10:28:36.442 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
06-Sep-2017 10:28:36.458 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1768 ms
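The failing step in the trace above is `KeyStore.setKeyEntry` inside `JSSEUtil.getKeyManagers`. The following stand-alone diagnostic (added here; it is not Tomcat's code and not part of the report) loads a keystore and repeats that copy into a fresh JKS so the "Cannot store non-PrivateKeys" condition can be checked without starting Tomcat. It assumes the key entry password equals the store password and takes `<keystore> <password> [alias]` on the command line.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Collections;

// Added diagnostic (not Tomcat code): mirrors the setKeyEntry copy that the
// stack trace shows JSSEUtil.getKeyManagers performing, one alias at a time.
public class KeystoreEntryCheck {
    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] pw = args[1].toCharArray();      // assumed: key password == store password
        String onlyAlias = args.length > 2 ? args[2] : null;

        // "JKS" resolves to DualFormatJKS on modern JDKs, so a PKCS12 file loads too.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }

        for (String alias : Collections.list(ks.aliases())) {
            if (onlyAlias != null && !alias.equals(onlyAlias)) continue;
            System.out.println("alias=" + alias
                + " keyEntry=" + ks.isKeyEntry(alias)
                + " certEntry=" + ks.isCertificateEntry(alias));
            if (!ks.isKeyEntry(alias)) continue;   // trusted certs are never copied

            Key key = ks.getKey(alias, pw);
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("  key class=" + (key == null ? "null" : key.getClass().getName())
                + " isPrivateKey=" + (key instanceof PrivateKey)
                + " chainLength=" + (chain == null ? 0 : chain.length));

            // Exact operation from the trace: store the entry into an empty JKS.
            KeyStore copy = KeyStore.getInstance("JKS");
            copy.load(null, null);
            try {
                copy.setKeyEntry(alias, key, pw, chain);
                System.out.println("  setKeyEntry into fresh JKS: OK");
            } catch (KeyStoreException e) {
                // JavaKeyStore.engineSetKeyEntry rejects anything that is not a PrivateKey
                System.out.println("  setKeyEntry into fresh JKS FAILED: " + e.getMessage());
            }
        }
    }
}
```

Run it against the keystore from the attachment with the password given in the report to see which alias, if any, is rejected at the same call that fails in Tomcat 8.5.20.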
Comment 1 Mark Thomas 2017-09-06 18:43:42 UTC

*** This bug has been marked as a duplicate of bug 61451 ***
Comment 2 gmilewski 2017-09-06 18:57:13 UTC
Thank you kindly - search did not turn up that bug, nor the autosearch, sorry!