DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43094>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

           Summary: Allowing non-file based keystore and other providers
           Product: Tomcat 6
           Version: 6.0.13
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


Hello,

I would like to use the MacOSX Keychain store for providing my 
certificates to Tomcat. Generally speaking, this can be done by loading the
KeyStore like this:

  KeyStore keyStore = KeyStore.getInstance("KeychainStore","Apple");
  keyStore.load(null, null);
  
In fact, it seems to work without specifying the "Apple" provider too.
However, similarly to PKCS11, this type does not require an input file.

The problem is that org.apache.tomcat.util.net.jsse.JSSESocketFactory
always tries to load a file, except when the type is PKCS11.

Not specifying a keystoreFile or truststoreFile parameter defaults to
trying to load ~/.keystore. I would like to suggest the following patch,
which allows specifying an empty value, indicating that no file needs to
be loaded:

--- JSSESocketFactory.java.old  2007-08-11 22:58:24.000000000 +0200
+++ JSSESocketFactory.java      2007-08-11 23:24:53.000000000 +0200
@@ -307,7 +307,7 @@
         InputStream istream = null;
         try {
             ks = KeyStore.getInstance(type);
-            if(! "PKCS11".equalsIgnoreCase(type) ) {
+            if(! "".equalsIgnoreCase(path) ) {
                 File keyStoreFile = new File(path);
                 if (!keyStoreFile.isAbsolute()) {
                     keyStoreFile = new 
File(System.getProperty("catalina.base"),
                     
                     
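Review bot: the replaced condition drops the PKCS11 special case rather than extending it. With `if(! "".equalsIgnoreCase(path) ) {`, a PKCS11 connector that leaves keystoreFile unset (which, as the report says, defaults to ~/.keystore) would now try to open that file, where the old `if(! "PKCS11".equalsIgnoreCase(type) ) {` skipped the file entirely; existing PKCS11 configurations would regress unless they also add keystoreFile="". Suggest keeping both conditions, e.g. `if (!"PKCS11".equalsIgnoreCase(type) && !"".equals(path)) {`, and noting the new empty-string convention in the connector documentation. The hunk is cut off after the `File(System.getProperty("catalina.base"),` line, so the trailing context could not be reviewed.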
This way, not having to load a file is not limited to PKCS11, but could be 
used by other keystore types.
Using this patch, the following configuration works fine with keys and
certificates stored in the Apple Keychain (for some reason, the KeychainStore
requires a non-empty password; it seems to work whatever the password is,
since it may be asked interactively by the Keychain utility, depending on
how it is set up):

<Connector SSLEnabled="true" clientAuth="want"
        keystoreFile="" keystorePass="-"
        keystoreType="KeychainStore" maxThreads="150" port="8443"
        keyAlias="myhost.mydomain.tld"
        protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"
        truststoreFile=""
        truststorePass="-" truststoreType="KeychainStore" />
                        

Regards,

Bruno.
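The loading rule the report asks for, written out as a stand-alone illustration (added here; this is not Tomcat's JSSESocketFactory and the class and method names are hypothetical): an empty path or a PKCS11 type means the store is initialised by its provider with no input stream, while any other path is resolved against catalina.base as Tomcat does, so the implicit ~/.keystore fallback never applies.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

// Added illustration, not Tomcat code: load a KeyStore from a file, or from a
// provider-backed store (PKCS11, Apple KeychainStore) that takes no file.
public final class KeyStoreLoader {

    private KeyStoreLoader() {}

    public static KeyStore load(String type, String path, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        char[] password = (pass == null) ? null : pass.toCharArray();

        // Generalisation of the patch: keep the PKCS11 special case and add
        // the empty-path convention, so neither one ever touches ~/.keystore.
        boolean noFile = path == null || path.isEmpty()
                || "PKCS11".equalsIgnoreCase(type);
        if (noFile) {
            ks.load(null, password);   // provider supplies the key material
            return ks;
        }

        File keyStoreFile = new File(path);
        if (!keyStoreFile.isAbsolute()) {
            // Same rule Tomcat applies: relative paths are taken from catalina.base.
            keyStoreFile = new File(System.getProperty("catalina.base"), path);
        }
        try (InputStream in = new FileInputStream(keyStoreFile)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Offline check with the built-in JKS type: an empty path yields an
        // empty in-memory store instead of opening a file from the home directory.
        KeyStore ks = load("JKS", "", "changeit");
        System.out.println("aliases loaded: " + ks.size());
        // On macOS the same call with type "KeychainStore" reads the Keychain.
    }
}
```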
