473321 - Overriding SSL context KeyStoreType requires explicit override of TrustStoreType

2015-08-05 14:58:08 +10:00 · 2015-08-05 14:58:08 +10:00 · 4939854893
parent a0a2c64f6a
commit 4939854893
3 changed files with 41 additions and 20 deletions
--- a/jetty-server/src/main/config/etc/jetty-ssl-context.xml
+++ b/jetty-server/src/main/config/etc/jetty-ssl-context.xml
@ -11,8 +11,8 @@
  <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassword" deprecated="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.trustStorePath" deprecated="jetty.truststore" default="etc/keystore"/></Set>
-  <Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword" deprecated="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
-  <Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
+  <Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword" deprecated="jetty.truststore.password"/></Set>
+  <Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType"/></Set>
  <Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvider"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@ -803,49 +803,68 @@ public class SslContextFactory extends AbstractLifeCycle

    /**
     * @param password
-     *            The password for the key store.  If null is passed then
+     *            The password for the key store.  If null is passed and
+     *            a keystore is set, then
     *            the {@link Password#getPassword(String, String, String)} is used to
-     *            obtain a password either from the "org.eclipse.jetty.ssl.password"
+     *            obtain a password either from the {@value #PASSWORD_PROPERTY} 
     *            System property or by prompting for manual entry.
     */
    public void setKeyStorePassword(String password)
    {
        checkNotStarted();
-
-        _keyStorePassword = password==null
-            ?Password.getPassword(PASSWORD_PROPERTY,null,null)
-            :new Password(password);
+        if (password==null)
+        {
+            if (_keyStoreResource!=null)
+                _keyStorePassword=Password.getPassword(PASSWORD_PROPERTY,null,null);
+            else
+                _keyStorePassword=null;
+        }
+        else
+            _keyStorePassword = new Password(password);
    }

    /**
     * @param password
     *            The password (if any) for the specific key within the key store.
-     *            If null is passed then
-     *            the {@link Password#getPassword(String, String, String)} is used to
-     *            obtain a password either from the "org.eclipse.jetty.ssl.keypassword"
-     *            System property or by prompting for manual entry.
+     *            If null is passed and the {@value #KEYPASSWORD_PROPERTY} system property is set, 
+     *            then the {@link Password#getPassword(String, String, String)} is used to
+     *            obtain a password from the {@value #KEYPASSWORD_PROPERTY}  system property.
     */
    public void setKeyManagerPassword(String password)
    {
        checkNotStarted();
-        _keyManagerPassword = password==null
-            ?Password.getPassword(KEYPASSWORD_PROPERTY,null,null)
-            :new Password(password);
+        if (password==null)
+        {
+            if (System.getProperty(KEYPASSWORD_PROPERTY)!=null)
+                _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,null,null);
+            else
+                _keyManagerPassword = null;
+        }
+        else
+            _keyManagerPassword = new Password(password);
    }

    /**
     * @param password
-     *            The password for the trust store. If null is passed then
+     *            The password for the trust store. If null is passed and a truststore is set
+     *            that is different from the keystore, then
     *            the {@link Password#getPassword(String, String, String)} is used to
-     *            obtain a password either from the "org.eclipse.jetty.ssl.password"
+     *            obtain a password either from the {@value #PASSWORD_PROPERTY}
     *            System property or by prompting for manual entry.
     */
    public void setTrustStorePassword(String password)
    {
        checkNotStarted();
-        _trustStorePassword = password==null
-            ?Password.getPassword(PASSWORD_PROPERTY,null,null)
-            :new Password(password);
+        if (password==null)
+        {
+            // Do we need a truststore password?
+            if (_trustStoreResource!=null && !_trustStoreResource.equals(_keyStoreResource))
+                _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,null,null);
+            else
+                _trustStorePassword = null;
+        }
+        else
+            _trustStorePassword=new Password(password);
    }

    /**
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
@ -100,6 +100,8 @@ public class SslContextFactoryTest
        cf.setKeyStoreResource(keystoreResource);
        cf.setKeyStorePassword("storepwd");
        cf.setKeyManagerPassword("keypwd");
+        cf.setTrustStoreResource(keystoreResource);
+        cf.setTrustStorePassword(null);

        cf.start();