Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61557

Correct a further regression in the fix to enable the use of Java key stores that contain multiple keys that do not all have the same password. The regression broke support for some FIPS compliant key stores.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1809263 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/tomcat/util/net/jsse/JSSEUtil.java

@@ -241,7 +241,13 @@ public KeyManager[] getKeyManagers() throws Exception {
             Key k = ks.getKey(keyAlias, keyPassArray);
             if (k != null && "PKCS#8".equalsIgnoreCase(k.getFormat())) {
                 // Switch to in-memory key store
-                ksUsed = KeyStore.getInstance("JKS");
+                String provider = certificate.getCertificateKeystoreProvider();
+                if (provider == null) {
+                    ksUsed = KeyStore.getInstance(certificate.getCertificateKeystoreType());
+                } else {
+                    ksUsed = KeyStore.getInstance(certificate.getCertificateKeystoreType(),
+                            provider);
+                }
                 ksUsed.load(null,  null);
                 ksUsed.setKeyEntry(keyAlias, k, keyPassArray, ks.getCertificateChain(keyAlias));
             }

webapps/docs/changelog.xml

@@ -89,6 +89,12 @@
       <update>
         Add a way to set the property source in embedded mode. (remm)
       </update>
+      <fix>
+        <bug>61557</bug>: Correct a further regression in the fix to enable the
+        use of Java key stores that contain multiple keys that do not all have
+        the same password. The regression broke support for some FIPS compliant
+        key stores. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">