DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=43094>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43094 Summary: Allowing non-file based keystore and other providers Product: Tomcat 6 Version: 6.0.13 Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: Connectors AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] Hello, I would like to use the MacOSX Keychain store for providing my certificates to Tomcat. Generally speaking, this can be done by loading the KeyStore like this: KeyStore keyStore = KeyStore.getInstance("KeychainStore","Apple"); keyStore.load(null, null); In fact, it seems to work without specifying the "Apple" provider too. However, similarly to PKCS11, this type does not require an input file. The problem is that org.apache.tomcat.util.net.jsse.JSSESocketFactory always tries to load a file, except when the type is PKCS11. Not specifying a keystoreFile or truststoreFile parameter defaults to trying to load ~/.keystore. I would like to suggest the following patch which allows to specify an empty value, indicating the no file needs to be loaded: --- JSSESocketFactory.java.old 2007-08-11 22:58:24.000000000 +0200 +++ JSSESocketFactory.java 2007-08-11 23:24:53.000000000 +0200 @@ -307,7 +307,7 @@ InputStream istream = null; try { ks = KeyStore.getInstance(type); - if(! "PKCS11".equalsIgnoreCase(type) ) { + if(! "".equalsIgnoreCase(path) ) { File keyStoreFile = new File(path); if (!keyStoreFile.isAbsolute()) { keyStoreFile = new File(System.getProperty("catalina.base"), This way, not having to load a file is not limited to PKCS11, but could be used by other keystore types. Using this patch, the following configuration works fine with keys and certificates stored in the Apple Keychain (for some reason, the KeychainStore requires a non-empty password; it seems to work whatever the password is, since it may be asked interactively by the Keychain utility, depending on how it is set up) <Connector SSLEnabled="true" clientAuth="want" keystoreFile="" keystorePass="-" keystoreType="KeychainStore" maxThreads="150" port="8443" keyAlias="myhost.mydomain.tld" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="" truststorePass="-" truststoreType="KeychainStore" /> Regards, Bruno. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
