Bug 63205 - Unable to load certificate store on openjdk
Summary: Unable to load certificate store on openjdk
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Util (show other bugs)
Version: unspecified
Hardware: Other other
: P2 normal (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2019-02-25 03:15 UTC by tompom
Modified: 2019-10-23 15:46 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description tompom 2019-02-25 03:15:38 UTC
See https://bugs.openjdk.java.net/browse/JDK-8157404

If key store is loaded non-locally, it is possible that initialisation fails with "not all indef len BER resolved". This is due to a limitation in openjdk where the whole contents need to be available in the stream when it is passed to the jdk keystore. 

Current workaround is to load the stream yourself into a bytearraystream and pass it through as an inputstream. Tested with tomcat 8.0.54, but the code is the same on 9.0.x

Stack trace:

stack trace for apache bug reporting

Faragó, Tamás
to me
0 minutes agoDetails
Caused by: java.io.IOException: not all indef len BER resolved

                at sun.security.util.DerIndefLenConverter.convert(DerIndefLenConverter.java:340)

                at sun.security.util.DerValue.init(DerValue.java:402)

                at sun.security.util.DerValue.<init>(DerValue.java:332)

                at sun.security.util.DerValue.<init>(DerValue.java:345)

               at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1938)

                at java.security.KeyStore.load(KeyStore.java:1445)

                at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:159)

                at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)

                at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)

               at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)

                ... 65 common frames omitted
Comment 1 Christopher Schultz 2019-02-25 14:22:56 UTC
While we generally don't work-around JVM bugs, this one was reported back in 2016 and doesn't look like there is much likleihood that it will be fixed.
Comment 2 Mark Thomas 2019-03-01 21:32:04 UTC
Hmm. It is a ~two line patch for us which we'd need to apply in 3 places (or provide a utility function which might even be more code).

I'll ping our Oracle contacts and see if we can get a fix for this bumped up the priority list.

I'll look into a patch
Comment 3 Mark Thomas 2019-03-01 22:32:25 UTC
Fixed in:
- trunk for 9.0.17 onwards
- 8.5.x for 8.5.39 onwards
- 7.0.x for 7.0.94 onwards
Comment 4 Mark Thomas 2019-04-05 11:08:07 UTC
Note: The Java fix is in JDK13 EA15 which means Tomcat will need a minimum Java version of 13 before this workaround can be removed.
Comment 5 Axel 2019-07-03 10:02:19 UTC
We are running Tomcat 8.5.38 on z/OS 2.3. Trying to update to Tomcat 8.5.42 leads to an error when starting up Tomcat. Usage of RACF Keyrings as Key- and Trusstore is to be broken. Seems to me that this workaround could be the reason.

Could you please help. Thx in advance.

Stack Trace:
[main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [JCERACFKS] with path [safkeyring://ESRV01/ESRV01Keyring] due to [Array index out of range: 52954]
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 52954
	at java.lang.System.arraycopy(Native Method)
	at com.ibm.crypto.provider.RACFInputStream.read(Unknown Source)
	at com.ibm.crypto.provider.RACFInputStream.read(Unknown Source)
	at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:61)
	at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
	at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:206)
	at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:280)
	at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1118)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
	at java.lang.reflect.Method.invoke(Method.java:508)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Comment 6 Mark Thomas 2019-07-03 21:02:25 UTC
Given the initial bug only affected PKCS12 keystores, we should be able to limit the work-around to those keystores.

Are you able to build Tomcat from source to test a fix?
Comment 7 Mark Thomas 2019-07-03 21:25:17 UTC
Regression fixed in:
- master for 9.0.22 onwards
- 8.5.x for 8.5.43 onwards
- 7.0.x for 7.0.95 onwards
Comment 8 Axel 2019-10-23 15:46:54 UTC
Sorry, haven't noticed your comment Mark because i waited for a notification from Bugzilla. Next time I'll do it better. 
Tested now with 8.5.47 and it works again using RACF Keyrings. Thank you very much. That's great, thank you.