From e71b14d28c8e8d9edaab159dee7f0e0f41077a6f Mon Sep 17 00:00:00 2001
From: Oleg Kalnichevski <olegk@apache.org>
Date: Fri, 3 May 2013 18:34:49 +0000
Subject: [PATCH] HTTPCLIENT-1349: SSLSocketFactory incorrectly identifies key
 passed with keystore as the keystore password Contributed by David Graff
 <djgraff209 at gmail.com>

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1478903 13f79535-47bb-0310-9956-ffa450edef68
---
 RELEASE_NOTES.txt                             |   4 +++
 .../http/conn/ssl/SSLContextBuilder.java      |   4 +--
 .../http/conn/ssl/SSLSocketFactory.java       |  12 ++++----
 .../http/conn/ssl/TestSSLSocketFactory.java   |  26 ++++++++++++++++++
 .../test/resources/test-keypasswd.keystore    | Bin 0 -> 1378 bytes
 5 files changed, 38 insertions(+), 8 deletions(-)
 create mode 100644 httpclient/src/test/resources/test-keypasswd.keystore

diff --git a/RELEASE_NOTES.txt b/RELEASE_NOTES.txt
index 38ae88a33..5a3271e47 100644
--- a/RELEASE_NOTES.txt
+++ b/RELEASE_NOTES.txt
@@ -1,6 +1,10 @@
 Changes since release 4.3 BETA1
 -------------------
 
+* [HTTPCLIENT-1349] SSLSocketFactory incorrectly identifies key passed with keystore as 
+  the keystore password.
+  Contributed by David Graff <djgraff209 at gmail.com>
+
 * [HTTPCLIENT-1346] Ensure propagation of SSL handshake exceptions.
   Contributed by Pasi Eronen <pe at iki.fi>
 
diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/SSLContextBuilder.java b/httpclient/src/main/java/org/apache/http/conn/ssl/SSLContextBuilder.java
index cf2e3ef27..59f89569a 100644
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/SSLContextBuilder.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ssl/SSLContextBuilder.java
@@ -113,11 +113,11 @@ public class SSLContextBuilder {
 
     public SSLContextBuilder loadKeyMaterial(
             final KeyStore keystore,
-            final char[] keystorePassword)
+            final char[] keyPassword)
                 throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException {
         final KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(
                 KeyManagerFactory.getDefaultAlgorithm());
-        kmfactory.init(keystore, keystorePassword);
+        kmfactory.init(keystore, keyPassword);
         this.keymanagers =  kmfactory.getKeyManagers();
         return this;
     }
diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java b/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java
index 6edf04eb5..612a35046 100644
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java
@@ -158,14 +158,14 @@ public class SSLSocketFactory implements LayeredConnectionSocketFactory, SchemeL
     public SSLSocketFactory(
             final String algorithm,
             final KeyStore keystore,
-            final String keystorePassword,
+            final String keyPassword,
             final KeyStore truststore,
             final SecureRandom random,
             final HostNameResolver nameResolver)
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         this(SSLContexts.custom()
                 .useProtocol(algorithm)
-                .loadKeyMaterial(keystore, keystorePassword != null ? keystorePassword.toCharArray() : null)
+                .loadKeyMaterial(keystore, keyPassword != null ? keyPassword.toCharArray() : null)
                 .loadTrustMaterial(truststore)
                 .build(),
                 nameResolver);
@@ -181,7 +181,7 @@ public class SSLSocketFactory implements LayeredConnectionSocketFactory, SchemeL
     public SSLSocketFactory(
             final String algorithm,
             final KeyStore keystore,
-            final String keystorePassword,
+            final String keyPassword,
             final KeyStore truststore,
             final SecureRandom random,
             final TrustStrategy trustStrategy,
@@ -189,7 +189,7 @@ public class SSLSocketFactory implements LayeredConnectionSocketFactory, SchemeL
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         this(SSLContexts.custom()
                 .useProtocol(algorithm)
-                .loadKeyMaterial(keystore, keystorePassword != null ? keystorePassword.toCharArray() : null)
+                .loadKeyMaterial(keystore, keyPassword != null ? keyPassword.toCharArray() : null)
                 .loadTrustMaterial(truststore, trustStrategy)
                 .build(),
                 hostnameVerifier);
@@ -205,14 +205,14 @@ public class SSLSocketFactory implements LayeredConnectionSocketFactory, SchemeL
     public SSLSocketFactory(
             final String algorithm,
             final KeyStore keystore,
-            final String keystorePassword,
+            final String keyPassword,
             final KeyStore truststore,
             final SecureRandom random,
             final X509HostnameVerifier hostnameVerifier)
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         this(SSLContexts.custom()
                 .useProtocol(algorithm)
-                .loadKeyMaterial(keystore, keystorePassword != null ? keystorePassword.toCharArray() : null)
+                .loadKeyMaterial(keystore, keyPassword != null ? keyPassword.toCharArray() : null)
                 .loadTrustMaterial(truststore)
                 .build(),
                 hostnameVerifier);
diff --git a/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java b/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
index 4bb759738..c2d52bcee 100644
--- a/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
+++ b/httpclient/src/test/java/org/apache/http/conn/ssl/TestSSLSocketFactory.java
@@ -32,6 +32,7 @@ import java.net.InetSocketAddress;
 import java.net.URL;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 
@@ -195,4 +196,29 @@ public class TestSSLSocketFactory extends LocalServerTestBase {
         socketFactory.connectSocket(0, socket, host, remoteAddress, null, context);
     }
 
+    @Test
+    public void testKeyWithAlternatePassword() throws Exception {
+        String keystorePassword = "nopassword";
+        String keyPassword = "password";
+
+        ClassLoader cl = getClass().getClassLoader();
+        URL url = cl.getResource("test-keypasswd.keystore");
+        KeyStore keystore  = KeyStore.getInstance("jks");
+        keystore.load(url.openStream(), keystorePassword.toCharArray());
+
+        new SSLSocketFactory(keystore, keyPassword, keystore);
+    }
+
+    @Test(expected=UnrecoverableKeyException.class)
+    public void testKeyWithAlternatePasswordInvalid() throws Exception {
+        String keystorePassword = "nopassword";
+        String keyPassword = "!password";
+
+        ClassLoader cl = getClass().getClassLoader();
+        URL url = cl.getResource("test-keypasswd.keystore");
+        KeyStore keystore  = KeyStore.getInstance("jks");
+        keystore.load(url.openStream(), keystorePassword.toCharArray());
+
+        new SSLSocketFactory(keystore, keyPassword, keystore);
+    }
 }
diff --git a/httpclient/src/test/resources/test-keypasswd.keystore b/httpclient/src/test/resources/test-keypasswd.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..01dd1bbee38cd0a2988d22cc90c5a805bc38fcf6
GIT binary patch
literal 1378
zcmezO_TO6u1_mY|W&~rQ;>_HFoK)S6l9B@5;?$zD)FPmiU3MAcTp-<V(8Snnz{kd=
z&Bn;WsKq46$jHjT(!^L^a9?QitIV=3C+`IuEX`jR-5$TGqMk4R-^u^8r)AA5S}1tn
z-oeVH#&cJ`xaj8Bv*!Jl2$4pSpnY<tX^fkyl0O{}J$U8857RK)0`a})o@ACc+*SzG
z@nDHr>fM&xzTA2iV_o23v1@s2n)c;cGR-M?d3v^m`iC~H?K{^kU1w-@YtPMExnp5r
zv5AvTEP3_po{Mb54Tr|UwZS`0v^H#D3Rh;GHPz=z_tyV?<vh2o-m>5PTzf|6M{3#;
z<xOorH+C1@(VstAe#W`~Z_OAt7e3w?p~19cwP4D^>%DR7<V{i@-F@@HxZ`ago6nUO
zr8ZMHe7aw_kK^x}nJtgw(w}f|pXPhXs+na@+7it>lh)PTd+c*=qUnat2@2<HXI`zn
zAG)VoU2n#;$l1<02U0(B#H@0zxUZ6+9r|z6!?VWcwH3|JuAkz;E%!ZX>X$d>hl-~3
zOXybJOHN3t6^i|TbwkAyb|wEGe5%u9@9#=<ZO`jTub)}OwdFu`(~n)#C7WIvf}@Nz
zLeJE|l7WG_!Jvt`28gW|Ff%bSF|njQSQ%iz&Bm_P=5fw~g_)JXpt0Xj02qDDp)72|
z?4fztdHLmeFcA(65q5-#vVkH<7niV<V?knaMyf(^ep*R+Vo|DsTYhO?N@7W7ex9M6
zfec6yx3DNwkq0mlIp^mV<maX4l@uEa83=&nnT0uX@{<#DGV+T{4CKUl4UG*<4U7%V
zjZI8VqrhAX14Afx5W2XDaXT;<=)i)N5y+8eYHVcqTOZsgTPma(bl+=^-kT@SzX@&+
zvU%^qa9Ga1VOyYDrfaN&QsD1M+un#@`;UIzW$^9v?9iO+jn)maCi$Pz61Hd03|P8k
z{`?m#)dEU~{CBUs{%`v+=^xhN&yTHGCd$w9yZPJYqjHCtOhbgD#3mYjEB(AqJMp^K
z`%g;Dl5;P5Fdk<TWtg52&@ZaYeP+|7olT2gw{U-mkogL7+V_VGTCdHvy?1)g>KL;f
z;X5m*tl$01>Q&Rva35}4_NMf}$nd^hS0eqN6|xI7Hf-?}D^z~rqah}|{XC~p&xvIZ
zZN#d&Luz_89xPrbr@eVu>BPLn_1wP{O_M(UPO4&5u|Bip<GvMv6FOHk-+vhObUxdp
z?zFgu>QL1bMjz{c=RLKU8(SEd8XKgNogA62Ef6<NocovGCiThWLm%Dk3eDOsNijaO
zddJweB2#AO1!i@dLm3701#US^y?9#TRQQ38GPAlU*?nOp)4E@Lzxvj8&EllgD`E|=
z&fGLRw=q+oXPSG%pPj5>e{(M#&@=fG^rGZ~lTc67cLDE@`PE_;8bJYK%=f0uba8V^
zU94yzZy*ayg0g%pVk{zClA7WYzU>VD+a0CwL0ff2gqa^3N_Jt^XE4xV67iKhz!>`D
zL1(~(`@GwV7x8?mYnsF);vKX&{=povPQeNCD%NV3f3&Web9)Z2#))_KdX~j1j}`bD
Lwq~DYHuwqvL$N2I

literal 0
HcmV?d00001