[jetty-discuss] [jira] Created: (JETTY-456) SSL keystores that do not require an InputStream

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

SSL keystores that do not require an InputStream
------------------------------------------------

                 Key: JETTY-456
                 URL: http://jira.codehaus.org/browse/JETTY-456
             Project: Jetty
          Issue Type: Improvement
          Components: Security and SSL
    Affects Versions: 6.1.6rc0
         Environment: Mac OSX (10.4, not tried with 10.5), and perhaps other types of keystores (e.g. PKCS#11)
            Reporter: Bruno Harbulot
            Priority: Minor
         Attachments: SslSocketConnector.java.patch

Some types of keystores do not require a file or an InputStream to be used.
Indeed, Apple's KeychainStore is a keystore that can interact directly with the keychain in OSX. Other such keystores could be hardware tokens.

For example, the following statements will load the default keychain keystore and delegate the task of prompting for a password to the underlying security infrastructure of OSX:
KeyStore ks = KeyStore.getInstance("KeychainStore");
ks.load(null,null);

However, Jetty's SslSocketConnector considers a null keystore parameter (<Set name="keystore"></Set> in the connector configuration) as an absent keystore (it doesn't even try to get the instance and load it).

Here is a patch that should make possible to use a keystore that can have a null InputStream. It works on OSX (with the default keychain) using this configuration (in jetty-ssl.xml, for example):
        <Set name="keystoreType">KeychainStore</Set>
        <Set name="keystore"></Set>
        <Set name="password">-</Set>
        <Set name="keyPassword">-</Set>
        <Set name="truststoreType">KeychainStore</Set>
        <Set name="truststore"></Set>
        <Set name="trustPassword">-</Set>

For some reason I ignore, although the password are in fact asked by the keychain mechanism of OSX, empty or null passwords do not work for getting a private key. 
Both keyStore.getKey(alias, "-".toCharArray()) and keyStore.getKey(alias, "whateveryoulike".toCharArray())  work (irrespectively of the actual password), but keyStore.getKey(alias, null) or keyStore.getKey(alias, "".toCharArray()) will fail. Hence, the passwords in the configuration above use a dummy non-empty value.

(I submitted a similar patch for Tomcat if this may be relevant: http://issues.apache.org/bugzilla/show_bug.cgi?id=43094 )

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira