I'm trying to look at integrating ServiceMix security in Geronimo. Security in ServiceMix has several different aspects, but one of them is to be able to encrypt / decrypt, sign messages using WS-Security. I have defined in ServiceMix a Crypto [1] implementation [2] (used by wss4j) on top of a ServiceMix KeystoreInstance [3] (which is quite the same as the Geronimo one). The main differences are 2 new methods (getCertificateChain and getCertificateAlias) and the fact that the methods do not need the keystore password in the parameters.
I had a close look at the Geronimo KeystoreInstance and found that nearly all methods are called from the console only. The only real methods used inside the server are when an SSLSocketFactory is created. So I'm wondering what is the best way to go. I can easily add the two new methods to the KeystoreInstance, but the need to give the password for all the calls is a bit disturbing. I need to access the following methods:

* listPrivateKeys
* listTrustCertificates
* getCertificate
* getCertificateAlias
* getCertificateChain
* getPrivateKey

Would it be possible from the FileKeystoreInstance to use the keystorePassword attribute instead of passing the password in the parameters? I do understand that this may be a security hole, as the private keys would be available to everyone inside the server, so I'm willing to find a better way... Any ideas?

[1] http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html
[2] http://svn.apache.org/viewvc/incubator/servicemix/trunk/servicemix-soap/src/main/java/org/apache/servicemix/soap/handlers/security/KeystoreInstanceCrypto.java?view=markup
[3] http://svn.apache.org/viewvc/incubator/servicemix/trunk/servicemix-core/src/main/java/org/apache/servicemix/jbi/security/keystore/KeystoreInstance.java?view=markup

--
Cheers,
Guillaume Nodet
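
The trade-off raised in the message above, as an added example that is not part of the original post and is not Geronimo or ServiceMix code: the six listed methods written over the standard `java.security.KeyStore` API, with the passwords held by the instance instead of passed on each call. The class name `PasswordHoldingKeystore` is hypothetical, and a single password for all key entries is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical class (not Geronimo or ServiceMix code). The instance keeps the
// passwords, so any code holding a reference to it can read every private key.
public class PasswordHoldingKeystore {
    private final KeyStore ks;
    private final char[] keyPassword; // assumption: one password for all key entries

    public PasswordHoldingKeystore(InputStream in, char[] storePw, char[] keyPw) throws Exception {
        ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, storePw); // a null stream yields an empty keystore
        keyPassword = keyPw.clone();
    }

    // Collects aliases of key entries (keys == true) or trusted-certificate entries.
    private List<String> list(boolean keys) throws GeneralSecurityException {
        List<String> out = new ArrayList<>();
        for (String a : Collections.list(ks.aliases())) {
            if (keys ? ks.isKeyEntry(a) : ks.isCertificateEntry(a)) out.add(a);
        }
        return out;
    }
    public List<String> listPrivateKeys() throws GeneralSecurityException { return list(true); }
    public List<String> listTrustCertificates() throws GeneralSecurityException { return list(false); }
    public Certificate getCertificate(String alias) throws GeneralSecurityException { return ks.getCertificate(alias); }
    public String getCertificateAlias(Certificate c) throws GeneralSecurityException { return ks.getCertificateAlias(c); }
    public Certificate[] getCertificateChain(String alias) throws GeneralSecurityException { return ks.getCertificateChain(alias); }

    public PrivateKey getPrivateKey(String alias) throws GeneralSecurityException {
        // No password parameter: the stored one is used. Null if the alias is absent
        // or does not hold a private key.
        Key k = ks.getKey(alias, keyPassword);
        return (k instanceof PrivateKey) ? (PrivateKey) k : null;
    }

    // Usage: java PasswordHoldingKeystore <file> <storepass> <keypass>; no arguments = empty keystore.
    public static void main(String[] args) throws Exception {
        boolean file = args.length == 3;
        try (InputStream in = file ? new FileInputStream(args[0]) : null) {
            PasswordHoldingKeystore k = new PasswordHoldingKeystore(in,
                file ? args[1].toCharArray() : new char[0], file ? args[2].toCharArray() : new char[0]);
            System.out.println("key entries: " + k.listPrivateKeys());
            System.out.println("trusted certificates: " + k.listTrustCertificates());
        }
    }
}
```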
