Thanks to some help from Toby, I've managed to get 2-way authentication
working.
However, it was not quite as simple as I expected. The problem is in
the way the simple extension is handling keystores.
Usually, you have two keystores - one that contains all of the
certificates that you trust (called a trust store), and one that
contains the certificate and private keys used to sign things (called a
key store). Most security policies require that the two stores be
separate files. In particular, a keystore should only ever have one
entry in it, while a trust store will have many entries (one per root
cert that is trusted).
The simple extension, however, is using the same keystore file for both
the trust store as well as the keystore:
    // Key store: this side's certificate and private key
    KeyStore keyStore = KeyStore.getInstance(getKeystoreType());
    FileInputStream fis = new FileInputStream(getKeystorePath());
    keyStore.load(fis, getKeystorePassword().toCharArray());
    KeyManagerFactory keyManagerFactory =
        KeyManagerFactory.getInstance(getCertAlgorithm());
    keyManagerFactory.init(keyStore, getKeyPassword().toCharArray());
    // Trust manager initialised from the very same KeyStore object,
    // so the one file has to hold both the key entry and the trusted roots
    TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(getCertAlgorithm());
    trustManagerFactory.init(keyStore);
I was able to get this to work by putting everything into a single jks
file, but, as I said above, this violates most security policies (at
least those of my current project and those in the US Dept of Defense).
This needs to be changed so that two separate files can be used - one
for trust and one for keys. Something along the lines of (this is
untested, so don't copy and paste):
    // Key store: this side's certificate and private key (one entry)
    KeyStore keyStore = KeyStore.getInstance(getKeystoreType());
    FileInputStream fis = new FileInputStream(getKeystorePath());
    keyStore.load(fis, getKeystorePassword().toCharArray());
    fis.close();
    KeyManagerFactory keyManagerFactory =
        KeyManagerFactory.getInstance(getCertAlgorithm());
    keyManagerFactory.init(keyStore, getKeyPassword().toCharArray());

    // Trust store: the root certificates we accept, in a separate file
    KeyStore trustStore = KeyStore.getInstance(getTruststoreType());
    fis = new FileInputStream(getTruststorePath());
    trustStore.load(fis, getTruststorePassword().toCharArray());
    fis.close();
    TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(getCertAlgorithm());
    trustManagerFactory.init(trustStore);
which also would require the following additional properties to be
defined:
truststorePath
truststorePassword
truststoreType
Thanks.
--Chuck
------------------------------------
Chuck Hinson
Gestalt LLC
phone: 610.994.2833
IM: chucking24 (Yahoo)
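As an added, stand-alone illustration of the two-file layout proposed in the message above (example code written for this page, not the extension's code and not Chuck's patch): it loads the key store and the trust store from separate files, enforces the "one key entry per key store" rule the message describes, wires both into a single SSLContext, and requires a client certificate on the server socket, which is what 2-way authentication means here. The class name, the file names and passwords, and the use of the JDK default algorithm in place of the extension's getCertAlgorithm() are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

public class TwoStoreSslContext {

    /** Loads a key or trust store from disk and always closes the stream. */
    static KeyStore loadStore(String type, String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(path);
        try {
            store.load(in, password);
        } finally {
            in.close();
        }
        return store;
    }

    /** Policy check from the message: a key store should carry exactly one key entry. */
    static int countKeyEntries(KeyStore store) throws GeneralSecurityException {
        int n = 0;
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
            if (store.isKeyEntry(e.nextElement())) {
                n++;
            }
        }
        return n;
    }

    /** Builds an SSLContext from a separate key store and trust store. */
    static SSLContext build(String keystoreType, String keystorePath,
                            char[] keystorePassword, char[] keyPassword,
                            String truststoreType, String truststorePath,
                            char[] truststorePassword)
            throws GeneralSecurityException, IOException {
        // Key store: our own certificate and private key only.
        KeyStore keyStore = loadStore(keystoreType, keystorePath, keystorePassword);
        int keyEntries = countKeyEntries(keyStore);
        if (keyEntries != 1) {
            throw new IllegalStateException(
                "key store must hold exactly one key entry, found " + keyEntries);
        }
        // getDefaultAlgorithm() stands in for the extension's getCertAlgorithm().
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        // Trust store: the roots whose client certificates we accept, in its own file.
        KeyStore trustStore = loadStore(truststoreType, truststorePath, truststorePassword);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names and passwords; in the extension these would come from
        // the keystorePath/keystorePassword/keystoreType properties and the proposed
        // truststorePath/truststorePassword/truststoreType properties.
        SSLContext ctx = build("JKS", "server-keystore.jks",
                "changeit".toCharArray(), "changeit".toCharArray(),
                "JKS", "server-truststore.jks", "changeit".toCharArray());
        SSLServerSocket server = (SSLServerSocket)
            ctx.getServerSocketFactory().createServerSocket(8443);
        // 2-way authentication: the client must present a certificate that chains
        // to a root in the trust store, otherwise the handshake fails.
        server.setNeedClientAuth(true);
        System.out.println("listening on " + server.getLocalPort()
            + " with client authentication required");
        server.close();
    }
}
```

Keeping the trust store in its own file also means it can be shared read-only across services and rotated independently of the private key, while the key store stays a single-entry file with the tighter file permissions the private key warrants.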