Hi Willem,
Sounds like an oversight that the SSL{Client|Server}Policy schemas
include a KeystorePassword but not a TruststorePassword. So unless
anyone else knows a specific reason why this wasn't included in the
first place, I'd say go ahead and add it.
I think the use of a null TrustManager[] in JettySslConnectorFactory
derives from a shortcoming in the old Jetty5 SslListener, which didn't
include anything like the Jetty6 SslSocketConnector.setTrust*() APIs.
Now that Jetty6 allows the truststore parameters to be set, these
new APIs should be used.
/Eoghan
> -----Original Message-----
> From: Willem Jiang [mailto:[EMAIL PROTECTED]
> Sent: 16 May 2007 05:14
> To: [email protected]
> Subject: HttpConduitTest failed when Jetty upgraded to 6.1.3
>
> Hi
>
> I found the HttpConduitTest failed in Systest when I upgraded
> the Jetty version from 6.1.2rc0 to 6.1.3.
> I checked the Jetty SslSocketConnector change log, and
> found that the errors are related to the different
> trustManager setting on the Server and Client side. In
> other words, CXF now does not support loading the cert with a password.
>
> The current CXF JettySslConnectorFactory doesn't do any
> trustManager setting, and Jetty will set the
> trustManagers to null if there is no setting for the _truststore.
> But after Jetty 6.1.2rc5, the TrustManager will be initialized
> whether you do the trustManager setting or not.
>
> [*Server side*]
>
> Here is the Jetty SslSocketConnector TrustManagers code; the
> trustStore is loaded with a _trustPassword which can't be null.
>
> >>> after 6.1.2rc5
> if (_truststore==null)
> {
>     _truststore=_keystore;
>     _truststoreType=_keystoreType;
> }
> >>>>
> ......
> TrustManager[] trustManagers = null;
> if (_truststore != null)
> {
>     KeyStore trustStore = KeyStore.getInstance(_truststoreType);
>
>     trustStore.load(Resource.newResource(_truststore).getInputStream(),
>                     _trustPassword.toString().toCharArray());
>
>     TrustManagerFactory trustManagerFactory =
>         TrustManagerFactory.getInstance(_sslTrustManagerFactoryAlgorithm);
>     trustManagerFactory.init(trustStore);
>     trustManagers = trustManagerFactory.getTrustManagers();
> }
>
> [*Client side*]
> CXF SSLUtil is responsible for the creation of the
> TrustManager, but it just loads the cert with a null password.
> protected static TrustManager[] getTrustStoreManagers( ...
>     KeyStore trustedCertStore = KeyStore.getInstance(trustStoreType);
>     ......
>     trustedCertStore.load(new FileInputStream(trustStoreLocation), null);
>     ......
> I went through the SSLClientPolicy and SSLServerPolicy;
> there is no attribute for the TrustStorePassword.
>
> I also checked the KeyStore.load(InputStream stream, char[]
> password) API: *the password used to check the integrity of
> the keystore, the password used to unlock the keystore, or
> null*
>
> This issue can be solved from two sides.
> One is to let the Jetty SslSocketConnector support calling
> trustStore.load with a null password.
> The other is that we still need the CXF SSL{Client|Server}Policy
> to support a TrustStorePassword attribute.
>
> IMO, we need to add the TrustStorePassword attribute to the
> SSL{Client|Server}Policy.
>
> Any thoughts?
>
> Cheers,
> Willem.
>
>
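As an added example (not CXF's or Jetty's code, and not part of either message above), here is the shape that a TrustStorePassword attribute implies for the SSLUtil method Willem quotes: the truststore password becomes an optional parameter passed through to KeyStore.load instead of a hard-coded null. The main method writes a constructed, empty JKS truststore to a temp file and then loads it three ways, with the correct password, with null, and with a wrong password, to show the difference the password makes at load time. The class, method and parameter names are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Illustrative replacement for the getTrustStoreManagers(...) shape quoted
 * in the thread: the truststore password is an explicit, optional parameter.
 * Hypothetical example code, not CXF or Jetty source.
 */
public class TrustStoreLoader {

    public static TrustManager[] getTrustStoreManagers(String trustStoreLocation,
                                                       String trustStoreType,
                                                       String trustStorePassword,
                                                       String trustManagerAlgorithm)
            throws IOException, GeneralSecurityException {
        // A null password means KeyStore.load reads the store but does not
        // verify its integrity; a non-null password is checked against the
        // store's integrity MAC and rejected if it does not match.
        char[] password = trustStorePassword == null ? null : trustStorePassword.toCharArray();
        KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        try (InputStream in = new FileInputStream(trustStoreLocation)) {
            trustStore.load(in, password);
        } finally {
            if (password != null) {
                Arrays.fill(password, '\0');   // do not leave the password in memory
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                trustManagerAlgorithm == null
                        ? TrustManagerFactory.getDefaultAlgorithm()
                        : trustManagerAlgorithm);
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an empty JKS truststore protected by "changeit".
        Path file = Files.createTempFile("truststore", ".jks");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                        // create an empty in-memory store
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, "changeit".toCharArray()); // integrity MAC computed over the password
        }

        // 1. Correct password: the integrity check passes.
        TrustManager[] tms = getTrustStoreManagers(file.toString(), "JKS", "changeit", null);
        System.out.println("correct password: " + tms.length + " trust manager(s)");

        // 2. Null password (the SSLUtil behaviour in the thread): the store loads,
        //    but nothing verifies that it has not been modified.
        tms = getTrustStoreManagers(file.toString(), "JKS", null, null);
        System.out.println("null password:    " + tms.length + " trust manager(s)");

        // 3. Wrong password: JKS rejects the store with an IOException.
        try {
            getTrustStoreManagers(file.toString(), "JKS", "wrong", null);
        } catch (IOException e) {
            System.out.println("wrong password:   " + e.getMessage());
        }
        Files.deleteIfExists(file);
    }
}
```

The point of the third case is that a password, once required by the connector, has to be the truststore's real password: a policy that carries a KeystorePassword but no TruststorePassword cannot supply it when the two stores differ, which is why the attribute belongs in the schema rather than being derived from the keystore's.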