Bug 53911 - JmeterKeystore does not allow for key down the list of certificate
Status: RESOLVED FIXED
Product: JMeter
Classification: Unclassified
Component: Main
Version: 2.7
Hardware: All All
Importance: P2 regression
Assigned To: JMeter issues mailing list
Reported: 2012-09-21 08:12 UTC by testers3n3
Modified: 2012-09-27 21:01 UTC



Description testers3n3 2012-09-21 08:12:22 UTC
When the keyStore contains trustedCertEntry entries alongside the PrivateKeyEntry and the PrivateKeyEntry is not the 1st entry in the keyStore, JMeter 2.7's JmeterKeystore.load cannot find the key. It throws an exception whose accompanying message reads "No key(s) found".

The reason lies in the implementation of the load method. Its skeleton when scanning the aliases is:

        if (null != is) { // is is the InputStream
            PrivateKey _key = null;
            int index = 0;
            Enumeration<String> aliases = store.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (store.isKeyEntry(alias)) {
                    if ((index >= startIndex && index <= endIndex)) {
                        _key = (PrivateKey) store.getKey(alias,...);
                        if (null == _key) {
                            throw new Exception(...);
                        }
                        ...
                        v_names.add(alias);
                        ...
                    }
                }
                index++;
            }

            if (null == _key) { // Defect: source of problem
                throw new Exception("No key(s) found");
            }
        }
        int v_size = v_names.size();
        ...

So:
- The location test of _key itself would be a problem because _key would always be the last entry read in the keyStore, which might not be the private key.
- But the fact that startIndex and endIndex are 0 (default initialisation values of implicitly initialised arguments, see SSLManager.java) implies that the private key would be found only if it was the 1st entry in the keystore. I didn't find any hint that this is a JSSE requirement.

Assuming that only 1 key can be loaded (another source file states that no provision has been made to allow the user to specify one key amongst many) I think that:
- the "if ((index >= startIndex && index <= endIndex))" condition gets in the way;
- the validation that a key does exist in the keystore would be better done by asserting that "v_size != 0".

Note that JMeter 2.4 was loading the keystore along the lines I'm suggesting, which is no surprise since I located the problem by investigating how JMeter 2.4 was getting it right when 2.7 was failing (on the same keystore).
Comment 1 testers3n3 2012-09-21 08:50:55 UTC
There is a mistake in my explanation of the problem. The core of it in the current implementation (official release of 2.7) is the condition around the index variable.

Were that condition removed, _key would be set if one private key had been found, even if it is not the 1st entry in the keystore.

Sorry for the hasty, confusing initial description.
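
The alias scan discussed in the description and in comment 1, modelled as an added example that is not part of the original report or of JMeter's code. The class name, method names and the three-alias listing are constructed for illustration; each map value stands in for the result of store.isKeyEntry(alias).

```java
import java.util.*;

public class KeystoreAliasScan {
    // Constructed listing in keystore order: alias -> value of store.isKeyEntry(alias).
    // Two trustedCertEntry entries precede the single PrivateKeyEntry.
    static Map<String, Boolean> sampleStore() {
        Map<String, Boolean> s = new LinkedHashMap<>();
        s.put("root-ca", false);
        s.put("issuing-ca", false);
        s.put("client", true);
        return s;
    }

    // Scan as in the 2.7 skeleton: index counts every alias, and a key entry is
    // accepted only when that index falls inside [startIndex, endIndex].
    static List<String> windowedScan(Map<String, Boolean> store, int startIndex, int endIndex) {
        List<String> names = new ArrayList<>();
        int index = 0;
        for (Map.Entry<String, Boolean> e : store.entrySet()) {
            if (e.getValue() && index >= startIndex && index <= endIndex) {
                names.add(e.getKey());
            }
            index++;
        }
        return names;
    }

    // Scan as the reporter suggests: no index window; the caller validates that
    // at least one key entry was collected (v_size != 0).
    static List<String> keyEntryScan(Map<String, Boolean> store) {
        List<String> names = new ArrayList<>();
        for (Map.Entry<String, Boolean> e : store.entrySet()) {
            if (e.getValue()) {
                names.add(e.getKey());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        Map<String, Boolean> store = sampleStore();
        List<String> windowed = windowedScan(store, 0, 0); // default start/end indices
        List<String> all = keyEntryScan(store);
        System.out.println("windowed [0,0]: " + windowed
                + (windowed.isEmpty() ? " -> \"No key(s) found\"" : ""));
        System.out.println("no window:      " + all);
        if (all.isEmpty()) throw new IllegalStateException("No key(s) found");
    }
}
```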
Comment 2 Philippe Mouawad 2012-09-25 11:51:20 UTC
Can you attach a keystore file showing the issue?
And also, can you explain what issue you are facing?

I agree there is a problem, but I want to know the impacts for you and what exactly is your test case.
Thank you
Comment 3 Philippe Mouawad 2012-09-27 20:15:43 UTC
Date: Thu Sep 27 20:14:28 2012
New Revision: 1391197

URL: http://svn.apache.org/viewvc?rev=1391197&view=rev
Log:
Bug 53911 - JmeterKeystore does not allow for key down the list of certificate

Modified:
    jmeter/trunk/src/core/org/apache/jmeter/util/keystore/JmeterKeyStore.java
    jmeter/trunk/xdocs/changes.xml
Comment 4 Philippe Mouawad 2012-09-27 21:01:35 UTC
Issue has been fixed, but it would be very kind of you to run a test on a nightly build to ensure it is fixed for you and give us some feedback.

See:
http://jmeter.apache.org/nightly.html