From 493985489354045291e6e2ebf6d0ca53721d09fc Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Wed, 5 Aug 2015 14:58:08 +1000
Subject: [PATCH] 473321 - Overriding SSL context KeyStoreType requires explicit override of TrustStoreType
---
 .../src/main/config/etc/jetty-ssl-context.xml | 4 +-
 .../jetty/util/ssl/SslContextFactory.java | 55 +++++++++++++------
 .../jetty/util/ssl/SslContextFactoryTest.java | 2 +
 3 files changed, 41 insertions(+), 20 deletions(-)
diff --git a/jetty-server/src/main/config/etc/jetty-ssl-context.xml b/jetty-server/src/main/config/etc/jetty-ssl-context.xml
index be6632370a9..68b802c9c76 100644
--- a/jetty-server/src/main/config/etc/jetty-ssl-context.xml
+++ b/jetty-server/src/main/config/etc/jetty-ssl-context.xml
@@ -11,8 +11,8 @@ / - - + +
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index d0e75f7d0f4..378d2adcbda 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -803,49 +803,68 @@ public class SslContextFactory extends AbstractLifeCycle
 /**
 * @param password
- * The password for the key store. If null is passed then
+ * The password for the key store. If null is passed and
+ * a keystore is set, then
 * the {@link Password#getPassword(String, String, String)} is used to
- * obtain a password either from the "org.eclipse.jetty.ssl.password"
+ * obtain a password either from the {@value #PASSWORD_PROPERTY}
 * System property or by prompting for manual entry.
 */
 public void setKeyStorePassword(String password)
 {
 checkNotStarted();
-
- _keyStorePassword = password==null
- ?Password.getPassword(PASSWORD_PROPERTY,null,null)
- :new Password(password);
+ if (password==null)
+ {
+ if (_keyStoreResource!=null)
+ _keyStorePassword=Password.getPassword(PASSWORD_PROPERTY,null,null);
+ else
+ _keyStorePassword=null;
+ }
+ else
+ _keyStorePassword = new Password(password);
 }
 /**
 * @param password
 * The password (if any) for the specific key within the key store.
- * If null is passed then
- * the {@link Password#getPassword(String, String, String)} is used to
- * obtain a password either from the "org.eclipse.jetty.ssl.keypassword"
- * System property or by prompting for manual entry.
+ * If null is passed and the {@value #KEYPASSWORD_PROPERTY} system property is set,
+ * then the {@link Password#getPassword(String, String, String)} is used to
+ * obtain a password from the {@value #KEYPASSWORD_PROPERTY} system property.
 */
 public void setKeyManagerPassword(String password)
 {
 checkNotStarted();
- _keyManagerPassword = password==null
- ?Password.getPassword(KEYPASSWORD_PROPERTY,null,null)
- :new Password(password);
+ if (password==null)
+ {
+ if (System.getProperty(KEYPASSWORD_PROPERTY)!=null)
+ _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,null,null);
+ else
+ _keyManagerPassword = null;
+ }
+ else
+ _keyManagerPassword = new Password(password);
 }
 /**
 * @param password
- * The password for the trust store. If null is passed then
+ * The password for the trust store. If null is passed and a truststore is set
+ * that is different from the keystore, then
 * the {@link Password#getPassword(String, String, String)} is used to
- * obtain a password either from the "org.eclipse.jetty.ssl.password"
+ * obtain a password either from the {@value #PASSWORD_PROPERTY}
 * System property or by prompting for manual entry.
 */
 public void setTrustStorePassword(String password)
 {
 checkNotStarted();
- _trustStorePassword = password==null
- ?Password.getPassword(PASSWORD_PROPERTY,null,null)
- :new Password(password);
+ if (password==null)
+ {
+ // Do we need a truststore password?
+ if (_trustStoreResource!=null && !_trustStoreResource.equals(_keyStoreResource))
+ _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,null,null);
+ else
+ _trustStorePassword = null;
+ }
+ else
+ _trustStorePassword=new Password(password);
 }
 /**
diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
index 81ecea8aff5..2ab480cf11f 100644
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
@@ -100,6 +100,8 @@ public class SslContextFactoryTest
 cf.setKeyStoreResource(keystoreResource);
 cf.setKeyStorePassword("storepwd");
 cf.setKeyManagerPassword("keypwd");
+ cf.setTrustStoreResource(keystoreResource);
+ cf.setTrustStorePassword(null);
 cf.start();
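Review bot: The null branches of `setKeyStorePassword` and `setTrustStorePassword` in the SslContextFactory.java hunk decide from `_keyStoreResource` / `_trustStoreResource` as they stand at the moment of the call, so the outcome now depends on setter order: a null passed before the resource is configured leaves the password null, with no property lookup and no prompt. The Javadoc should say so, for example `* Must be called after the key store resource is set; a null passed earlier leaves the password unset.`, or the decision could be deferred to start-up, which is outside this hunk. A null store password matters downstream because `KeyStore.load` performs no integrity check when it is given no password, so it is worth confirming that the load path (not visible here) reuses the keystore password when the trust store is the same resource. `setKeyManagerPassword` changes in a related way: it no longer prompts when the `KEYPASSWORD_PROPERTY` system property is absent, which the new Javadoc implies but does not state outright.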