To make the CA Portlet (http://issues.apache.org/jira/browse/GERONIMO-2413) use a KeystoreInstance to store its keys, I have added getCertificate() and getPrivateKey() methods.
Now coming to the methods you need, except for getPrivateKey(), it may be alright to provide methods in KeystoreInstance not to require keystore password and these would succeed only if the keystore is unlocked for "use". We should make getPrivateKey() method always require a keyPassword.
Vamsi
On 10/18/06, Guillaume Nodet <[EMAIL PROTECTED]> wrote:
I'm trying to look at integrating ServiceMix
security in Geronimo. Security in ServiceMix
has several different aspects, but one of them
is to be able to encrypt / decrypt, sign messages
using WS-Security.
I have defined in ServiceMix a Crypto [1] implementation [2]
(used by wss4j) on top of a servicemix KeystoreInstance [3]
(which is quite the same as the Geronimo one).
The main differences are 2 new methods (getCertificateChain and
getCertificateAlias) and the fact that the methods do not need
the keystore password in the parameters.
I had a close look at the Geronimo KeystoreInstance and found
that nearly all methods are called from the console only. The only
real methods used inside the server are when an SSLSocketFactory
is created.
So I'm wondering what is the best way to go. I can easily add the two new
methods to the KeystoreInstance, but the need to give the password
for all the calls is a bit disturbing. I need to access the following methods:
* listPrivateKeys
* listTrustCertificates
* getCertificate
* getCertificateAlias
* getCertificateChain
* getPrivateKey
Would it be possible from the FileKeystoreInstance to use the
keystorePassword attribute instead of passing the password
in the parameters? I do understand that this may be a security
hole, as the private keys would be available to everyone inside
the server, so I'm willing to find a better way ...
Any ideas?
[1] http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html
[2] http://svn.apache.org/viewvc/incubator/servicemix/trunk/servicemix-soap/src/main/java/org/apache/servicemix/soap/handlers/security/KeystoreInstanceCrypto.java?view=markup
[3] http://svn.apache.org/viewvc/incubator/servicemix/trunk/servicemix-core/src/main/java/org/apache/servicemix/jbi/security/keystore/KeystoreInstance.java?view=markup
--
Cheers,
Guillaume Nodet
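The "unlocked for use" model proposed in the reply above, applied to the methods Guillaume lists, as an added illustration that is not Geronimo's or ServiceMix's code: certificate lookups need no password once the keystore has been unlocked, while getPrivateKey always requires the per-key password. UnlockableKeystore, unlockForUse and lock are hypothetical names layered over the standard java.security.KeyStore API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;

// Hypothetical sketch of the "unlocked for use" model discussed in the thread;
// this is not Geronimo's KeystoreInstance or FileKeystoreInstance.
public class UnlockableKeystore {
    private final String path;
    private KeyStore keyStore; // null while locked
    public UnlockableKeystore(String path) { this.path = path; }

    // Only the holder of the keystore password can unlock it. Afterwards, in-server
    // callers (an SSLSocketFactory, a WS-Security Crypto) read public material
    // without the keystore password being passed on every call.
    public synchronized void unlockForUse(char[] keystorePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, keystorePassword); // throws on a wrong password or a tampered file
        }
        keyStore = ks;
    }
    public synchronized void lock() { keyStore = null; }

    private synchronized KeyStore unlocked() throws KeyStoreException {
        if (keyStore == null) throw new KeyStoreException("keystore is locked: " + path);
        return keyStore;
    }

    // Public material: succeeds only while unlocked, no further password needed.
    public Certificate getCertificate(String alias) throws KeyStoreException {
        return unlocked().getCertificate(alias);
    }
    public Certificate[] getCertificateChain(String alias) throws KeyStoreException {
        return unlocked().getCertificateChain(alias);
    }
    public String getCertificateAlias(Certificate cert) throws KeyStoreException {
        return unlocked().getCertificateAlias(cert);
    }

    // Private keys: the per-key password is always required, even while unlocked,
    // so unlocking does not make every key available to everyone in the server.
    public PrivateKey getPrivateKey(String alias, char[] keyPassword) throws Exception {
        Key k = unlocked().getKey(alias, keyPassword); // UnrecoverableKeyException if wrong
        if (!(k instanceof PrivateKey)) throw new KeyStoreException("no private key: " + alias);
        return (PrivateKey) k;
    }
}
```

Callers that only need certificates never see the keystore password, and a caller that needs a private key must still hold that key's own password.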
