Mantis - Resin
Viewing Issue Advanced Details
6233 minor always 04-28-19 21:03 04-29-19 17:24
nam  
ferg  
normal  
closed 4.0.61  
fixed  
none    
none 4.0.62  
0006233: JSSE KeyManagerFactory password can be different from KeyStore password for spring boot support
com.caucho.vfs.JsseSSLFactory does not distinguish between:

1. java.security.KeyStore password
2. javax.net.ssl.KeyManagerFactory password


In JsseSSLFactory.create(), it's using the same password for KeyManagerFactory that it used for the KeyStore:

  public QServerSocket create(InetAddress host, int port)
    throws IOException, GeneralSecurityException
  {
    SSLServerSocketFactory factory = null;
    
    if (_keyStore != null) {
      SSLContext sslContext = SSLContext.getInstance(_sslContext);

      KeyManagerFactory kmf
        = KeyManagerFactory.getInstance(_keyManagerFactory);
    
      kmf.init(_keyStore, _password.toCharArray());
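
The two passwords listed above, shown with the plain JSSE API, as an added example that is not Resin's code or part of the original report. It assumes a JKS file created with the keytool command in the comment; the class name, file name, alias and passwords are constructed for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Constructed test input (JKS allows a key password that differs from the store password):
//   keytool -genkeypair -alias server -keyalg RSA -dname CN=localhost \
//     -storetype JKS -keystore server.jks -storepass storeSecret -keypass keySecret
// Run: java SplitPasswordDemo server.jks storeSecret keySecret
public class SplitPasswordDemo {

  // Returns true if the KeyManagerFactory can recover the private keys with this password.
  // Assumes the default SunX509 implementation, which recovers the keys during init().
  static boolean canInit(KeyStore keyStore, char[] password) throws Exception {
    KeyManagerFactory kmf
      = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    try {
      kmf.init(keyStore, password);
      return true;
    } catch (UnrecoverableKeyException e) {
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    char[] storePassword = args[1].toCharArray();
    char[] keyPassword = args[2].toCharArray();

    // 1. java.security.KeyStore password: integrity-checks and opens the store file.
    KeyStore keyStore = KeyStore.getInstance("JKS");
    try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
      keyStore.load(in, storePassword);
    }

    // 2. javax.net.ssl.KeyManagerFactory password: recovers the private key entries.
    System.out.println("init with store password: " + canInit(keyStore, storePassword));
    System.out.println("init with key password:   " + canInit(keyStore, keyPassword));

    // Build the SSLContext with the key password, not the store password.
    KeyManagerFactory kmf
      = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(keyStore, keyPassword);
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kmf.getKeyManagers(), null, null);
    System.out.println("SSLContext ready: " + sslContext.getProtocol());
  }
}
```

keytool does not accept a separate `-keypass` for PKCS12 stores, so the constructed input uses the JKS store type.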

Notes
(0006887)
nam   
04-28-19 21:06   
The workaround is:

    JsseSSLFactory sslFactory = new JsseSSLFactory();
    sslFactory.setPassword(keyStorePassword);

    sslFactory.init();

    // set the password again after init for the KeyManagerFactory
    sslFactory.setPassword(keyManagerPassword);
(0006888)
nam   
04-29-19 01:08   
Workaround does NOT work if keyAlias is set.
(0006890)
ferg   
04-29-19 17:24   
network/0518