0006257: JSSE keystore password can be different from key password for spring boot support

Viewing Issue Simple Details [ Jump to Notes ]

[ View Advanced ] [ Issue History ] [ Print ]

Category

Severity

Reproducibility

Date Submitted

Last Update

0006257

[Resin]

minor

always

06-08-19 14:36

06-09-19 14:35

Reporter

nam

View Status

public

Assigned To

nam

Priority

normal

Resolution

fixed

Status

closed

Product Version

4.0.62

Summary

0006257: JSSE keystore password can be different from key password for spring boot support

Description

If the keystore password is set and the key alias is set, then Resin will incorrectly use the keystore password for loading keys. For example:

    keyPassword = null
    keyStorePassword = "foo";

Resin should be using null in _keyStore.getKey(), but it is instead using the keyStorePassword.

In JsseSSLFactory:

    String password = _keyStorePassword;

    if (password == null) {
      password = _password;
    }

    InputStream is = _keyStoreFile.openRead();
    try {
      _keyStore.load(is, password.toCharArray());
    } finally {
      is.close();
    }

    if (_alias != null) {
      Key key = _keyStore.getKey(_alias, password.toCharArray());
      ...
    }

Additional Information

Attached Files

Relationships

Notes
(0006902) nam 06-09-19 14:35	network/051a network/051b

Issue History
Date Modified	Username	Field	Change
06-08-19 14:36	nam	New Issue
06-08-19 14:54	nam	Description Updated
06-08-19 14:55	nam	Description Updated
06-08-19 14:55	nam	Description Updated
06-09-19 00:25	nam	Status	new => assigned
06-09-19 00:25	nam	Assigned To	=> nam
06-09-19 14:35	nam	Note Added: 0006902
06-09-19 14:35	nam	Status	assigned => closed
06-09-19 14:35	nam	Resolution	open => fixed

Mantis 1.0.0rc3[^]

31 total queries executed.
25 unique queries executed.