Bug 62526 - Tomcat fails in a strange way when PKCS12 key store password is the empty string
Summary: Tomcat fails in a strange way when PKCS12 key store password is the empty string
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.5.32
Hardware: PC Mac OS X 10.1
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-09 20:37 UTC by Fabrice Bacchella
Modified: 2018-07-11 11:10 UTC
Description Fabrice Bacchella 2018-07-09 20:37:44 UTC
I defined a keystore with no password and a password for the key.

I then run the following code:

    import org.apache.tomcat.util.net.NioEndpoint;
    import org.apache.tomcat.util.net.SSLHostConfig;

    public class EmptyKeystorePassword {
        public static void main(String[] args) throws Exception {
            SSLHostConfig shc = new SSLHostConfig();
            shc.setProtocols("TLSv1.2");
            shc.setCertificateKeystoreFile("file:testenv/conf/keystore.p12");
            // empty key store password; the key itself is protected by its own password
            shc.setCertificateKeystorePassword("");
            shc.setCertificateKeystoreType("PKCS12");
            shc.setCertificateKeyPassword("azerty");
            shc.setHostName("_default_");
            NioEndpoint v = new NioEndpoint();
            v.setSSLEnabled(true);
            v.addSslHostConfig(shc);
            v.bind();
        }
    }

I'm getting this stack:
java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsse
...
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
	at java.security.KeyStore.setKeyEntry(KeyStore.java:1136)
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:257)
	at 

If I define a password for both, or the password is defined only for the keystore, it works. If a keystore without a password is not allowed, a better message should be provided.
Comment 1 Mark Thomas 2018-07-10 20:19:09 UTC
This looks like a malformed key store.

Steps to reproduce (or at least to create the keystore) please.
Comment 2 Fabrice Bacchella 2018-07-10 20:40:11 UTC
I generated this key store using http://keystore-explorer.org.

I switched many times between an empty password and a defined password for the store or the key. Of the 4 possible configurations, only the one where certificateKeystorePassword is defined works. As soon as I remove it, I get this exception. When I put it back, it's ok.
Comment 3 Mark Thomas 2018-07-10 21:00:03 UTC
Which version of Java are you running Tomcat with?
Comment 4 Fabrice Bacchella 2018-07-10 21:08:38 UTC
Oracle 1.8.0_162
Comment 5 Mark Thomas 2018-07-10 21:20:53 UTC
Thanks. I can now see what is happening.

In Java 6 and earlier, the KeyStore implementation didn't support the empty String as a valid password. Tomcat therefore converted it to null. KeyStore doesn't return certificates if null is provided for the KeyStore password.

As of Java 7 (the latest version at least), KeyStore does support empty passwords. We need to make some changes to allow empty passwords to be used. For 8.5.x onwards it should be fairly easy since they require Java 7 as a minimum. 7.0.x will be a little trickier as it has a minimum requirement of Java 6.
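The following diagnostic is an added example, not part of the bug report and not Tomcat code. It illustrates the distinction drawn in comment 5 by loading the same PKCS12 file twice, once with a null store password (what Tomcat passed when certificateKeystorePassword was "") and once with the empty string, and for each key entry it reports whether a certificate chain is returned and then repeats the KeyStore.setKeyEntry call from the stack trace on an in-memory copy. The store path and key password are assumptions copied from the reporter's snippet; point it at your own .p12 with a command-line argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

public class EmptyPasswordKeyStoreCheck {

    // Assumed values taken from the report above; not Tomcat defaults.
    static final String STORE_PATH = "testenv/conf/keystore.p12";
    static final String KEY_PASSWORD = "azerty";

    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            // null skips integrity checking and any store-password-encrypted
            // content; "" is a real (empty) password on Java 7 and later.
            ks.load(in, storePass);
        }
        return ks;
    }

    /** For every key entry, report what the store exposes and retry the
     *  setKeyEntry step that failed inside JSSEUtil.getKeyManagers. */
    static String probe(String path, char[] storePass) throws Exception {
        KeyStore ks = load(path, storePass);
        StringBuilder report = new StringBuilder();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            Key key = ks.getKey(alias, KEY_PASSWORD.toCharArray());
            Certificate[] chain = ks.getCertificateChain(alias);
            report.append(alias)
                  .append(": key=").append(key != null)
                  .append(", chain=")
                  .append(chain == null ? "null" : chain.length + " cert(s)");
            if (key == null) {
                report.append('\n');
                continue;
            }
            // Fresh, empty in-memory store, as the endpoint builds one.
            KeyStore copy = KeyStore.getInstance("PKCS12");
            copy.load(null, null);
            try {
                copy.setKeyEntry(alias, key, KEY_PASSWORD.toCharArray(), chain);
                report.append(", setKeyEntry ok");
            } catch (IllegalArgumentException e) {
                // A private key with a null chain produces exactly the
                // "Private key must be accompanied by certificate chain" message.
                report.append(", setKeyEntry failed: ").append(e.getMessage());
            }
            report.append('\n');
        }
        return report.toString();
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : STORE_PATH;
        System.out.println("store password = null:");
        System.out.print(probe(path, null));
        System.out.println("store password = \"\":");
        System.out.print(probe(path, "".toCharArray()));
    }
}
```

Run it as `java EmptyPasswordKeyStoreCheck /path/to/keystore.p12`. When the certificates in the store are only reachable through the store password, the first pass lists the key alias with chain=null and reproduces the IllegalArgumentException, while the second pass returns the chain and the copy succeeds; that difference is what the fix in 8.5.33 removes by passing the empty password through instead of null.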
Comment 6 Mark Thomas 2018-07-11 11:10:14 UTC
Fixed in:
- trunk for 9.0.11 onwards
- 8.5.x for 8.5.33 onwards
- 7.0.x for 7.0.91 onwards