()
| 308 | |
| 309 | |
| 310 | @Override |
| 311 | public KeyManager[] getKeyManagers() throws Exception { |
| 312 | String keyAlias = certificate.getCertificateKeyAlias(); |
| 313 | String algorithm = sslHostConfig.getKeyManagerAlgorithm(); |
| 314 | String keyPassFile = certificate.getCertificateKeyPasswordFile(); |
| 315 | String keyPass = certificate.getCertificateKeyPassword(); |
| 316 | // This has to be here as it can't be moved to SSLHostConfig since the |
| 317 | // defaults vary between JSSE and OpenSSL. |
| 318 | if (keyPassFile == null) { |
| 319 | keyPassFile = certificate.getCertificateKeystorePasswordFile(); |
| 320 | } |
| 321 | if (keyPass == null) { |
| 322 | keyPass = certificate.getCertificateKeystorePassword(); |
| 323 | } |
| 324 | |
| 325 | KeyStore ks = certificate.getCertificateKeystore(); |
| 326 | KeyStore ksUsed = ks; |
| 327 | |
| 328 | /* |
| 329 | * Use an in memory key store where possible. For PEM format keys and certificates, it allows them to be |
| 330 | * imported into the expected format. For Java key stores with PKCS8 encoded keys (e.g. JKS files), it enables |
| 331 | * Tomcat to handle the case where multiple keys exist in the key store, each with a different password. The |
| 332 | * KeyManagerFactory can't handle that so using an in memory key store with just the required key works around |
| 333 | * that. Other keys stores (hardware, MS, etc.) will be used as is. |
| 334 | */ |
| 335 | char[] keyPassArray = null; |
| 336 | String keyPassToUse = null; |
| 337 | if (keyPassFile != null) { |
| 338 | try (BufferedReader reader = new BufferedReader(new InputStreamReader( |
| 339 | ConfigFileLoader.getSource().getResource(keyPassFile).getInputStream(), StandardCharsets.UTF_8))) { |
| 340 | keyPassToUse = reader.readLine(); |
| 341 | } |
| 342 | } else { |
| 343 | keyPassToUse = keyPass; |
| 344 | } |
| 345 | |
| 346 | if (keyPassToUse != null) { |
| 347 | keyPassArray = keyPassToUse.toCharArray(); |
| 348 | } |
| 349 | |
| 350 | KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm); |
| 351 | if (kmf.getProvider().getInfo().contains("FIPS")) { |
| 352 | // FIPS doesn't like ANY wrapping nor key manipulation. |
| 353 | if (keyAlias != null) { |
| 354 | log.warn(sm.getString("sslUtilBase.aliasIgnored", keyAlias)); |
| 355 | } |
| 356 | kmf.init(ksUsed, keyPassArray); |
| 357 | return kmf.getKeyManagers(); |
| 358 | } |
| 359 | |
| 360 | if (ks == null) { |
| 361 | if (certificate.getCertificateFile() == null) { |
| 362 | throw new IOException(sm.getString("sslUtilBase.noCertFile")); |
| 363 | } |
| 364 | |
| 365 | PEMFile privateKeyFile = |
| 366 | new PEMFile(certificate.getCertificateKeyFile() != null ? certificate.getCertificateKeyFile() : |
| 367 | certificate.getCertificateFile(), keyPass, keyPassFile, null); |
no test coverage detected