Hi
I found that the HttpConduitTest failed in the systests when I upgraded the Jetty
version from 6.1.2rc0 to 6.1.3.
I checked Jetty's SslSocketConnector change log and found that the
errors are related to the different trustManager
settings on the server and client side. In other words, CXF currently does not
support loading the cert with a password.
The current CXF JettySslConnectorFactory doesn't do any trustManager
setting, and Jetty sets the trustManagers to null
if there is no setting for the _truststore.
But after Jetty 6.1.2rc5, the TrustManager is initialized whether you
do the trustManager setting or not.
[*Server side*]
Here is the Jetty SslSocketConnector TrustManagers code; the trustStore
is loaded with a _trustPassword which can't be null.
>>> after 6.1.2rc5
if (_truststore == null)
{
    _truststore = _keystore;
    _truststoreType = _keystoreType;
}
>>>>
......
TrustManager[] trustManagers = null;
if (_truststore != null)
{
    KeyStore trustStore = KeyStore.getInstance(_truststoreType);
    // _trustPassword must be non-null here: toString() on a null password throws
    trustStore.load(Resource.newResource(_truststore).getInputStream(),
                    _trustPassword.toString().toCharArray());
    TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(_sslTrustManagerFactoryAlgorithm);
    trustManagerFactory.init(trustStore);
    trustManagers = trustManagerFactory.getTrustManagers();
}
[*Client side*]
CXF SSLUtil is responsible for the creation of the TrustManager, but
it just loads the cert with a null password.
protected static TrustManager[] getTrustStoreManagers( ...
    KeyStore trustedCertStore = KeyStore.getInstance(trustStoreType);
    ......
    // null password: the keystore integrity check is skipped
    trustedCertStore.load(new FileInputStream(trustStoreLocation), null);
    ......
I went through the SSLClientPolicy and SSLServerPolicy; there is no
attribute for the TrustStorePassword.
I also checked the KeyStore.load(InputStream stream, char[] password) API:
*the password used to check the integrity of the keystore, the
password used to unlock the keystore, or null*
This issue can be solved from two sides.
One is to let Jetty SslSocketConnector support calling trustStore.load
with a null password.
The other is that CXF SSL{Client|Server}Policy still needs to support a
TrustStorePassword attribute.
IMO, we need to add the TrustStorePassword attribute to the
SSL{Client|Server}Policy.
Any thoughts?
Cheers,
Willem.
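The following is an added example, not code from CXF or Jetty, illustrating the KeyStore.load() behaviour the message turns on: the same trust store is loaded with the correct password (integrity verified), with a null password (as CXF SSLUtil does, integrity check skipped) and with a wrong password (rejected). The helper loadTrustManagers() is hypothetical and only sketches the shape a TrustStorePassword-aware factory could take; the in-memory JKS store and the password "changeit" are constructed sample data.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class TrustStorePasswordDemo {

    // Hypothetical helper (not CXF or Jetty code): build TrustManagers from a
    // serialized trust store. A null password is passed straight through to
    // KeyStore.load(), which then skips the keystore integrity check.
    static TrustManager[] loadTrustManagers(byte[] storeBytes, String storeType,
                                            char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(storeType);
        trustStore.load(new ByteArrayInputStream(storeBytes), password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    // Constructed sample: an empty JKS store written with the given password.
    // The integrity MAC that KeyStore.load() verifies is derived from it.
    static byte[] buildSampleStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);            // fresh, empty in-memory store
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] correct = "changeit".toCharArray();   // constructed sample password
        byte[] store = buildSampleStore(correct);

        // 1. Correct password: the integrity check runs and passes.
        TrustManager[] withPassword = loadTrustManagers(store, "JKS", correct);
        System.out.println("correct password: loaded, "
                + withPassword.length + " trust manager(s)");

        // 2. Null password (the CXF SSLUtil case): the load succeeds because the
        //    integrity check is skipped, so a modified store would go unnoticed.
        TrustManager[] nullPassword = loadTrustManagers(store, "JKS", null);
        System.out.println("null password:    loaded, "
                + nullPassword.length + " trust manager(s), integrity unchecked");

        // 3. Wrong password: JKS reports a tampered store / bad password.
        try {
            loadTrustManagers(store, "JKS", "wrong".toCharArray());
            System.out.println("wrong password:   unexpectedly accepted");
        } catch (IOException e) {
            System.out.println("wrong password:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The practical difference between the two proposed fixes is visible in case 2: letting Jetty accept a null trust password makes the server behave like the current CXF client and gives up the integrity check on the trust store, whereas adding a TrustStorePassword attribute to SSL{Client|Server}Policy lets both sides verify the store they load.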