I'd be happy to contribute a patch, though I don't know how one submits such a 
thing or in what format it should be submitted.

--Chuck 

-----Original Message-----
From: Jerome Louvel [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 04, 2007 3:35 PM
To: [email protected]
Subject: RE: 2-way ssl


Hi Chuck,

This sounds good. If you have time to contribute a patch, that would help.
Otherwise, I'll get back to this a bit later. I've updated the issue with your 
suggestion:
http://restlet.tigris.org/issues/show_bug.cgi?id=281

Best regards,
Jerome  

> -----Original Message-----
> From: Chuck Hinson [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 4, 2007 20:38
> To: [email protected]
> Subject: 2-way ssl
> 
> Thanks to some help from Toby, I've managed to get 2-way 
> authentication working.
> 
> However, it was not quite as simple as I expected.  The problem is in 
> the way the simple extension is handling keystores.
> 
> Usually, you have two keystores - one that contains all of the 
> certificates that you trust (called a trust store), and one that 
> contains the certificate and private keys used to sign things (called 
> a key store).  Most security policies require that the two stores be 
> separate files.  In particular, a keystore should only ever have one 
> entry in it, while a trust store will have many entries (one per root 
> cert that is trusted).
> 
> The simple extension, however, is using the same keystore file for 
> both the trust store as well as the keystore:
> 
>         KeyStore keyStore = KeyStore.getInstance(getKeystoreType());
>         FileInputStream fis = new FileInputStream(getKeystorePath());
>         keyStore.load(fis, getKeystorePassword().toCharArray());
> 
>         KeyManagerFactory keyManagerFactory = KeyManagerFactory
>                 .getInstance(getCertAlgorithm());
>         keyManagerFactory.init(keyStore, getKeyPassword().toCharArray());
> 
>         TrustManagerFactory trustManagerFactory = TrustManagerFactory
>                 .getInstance(getCertAlgorithm());
>         trustManagerFactory.init(keyStore);
> 
> I was able to get this to work by putting everything into a single jks 
> file, but, as I said above, this violates most security policies (at 
> least those of my current project and those in the US Dept of Defense).
> 
> This needs to be changed so that two separate files can be used - one 
> for trust and one for keys.  Something along the lines of (this is 
> untested, so don't copy and paste):
> 
> 
>         KeyStore keyStore = KeyStore.getInstance(getKeystoreType());
>         FileInputStream fis = new FileInputStream(getKeystorePath());
>         keyStore.load(fis, getKeystorePassword().toCharArray());
> 
>         KeyManagerFactory keyManagerFactory = KeyManagerFactory
>                 .getInstance(getCertAlgorithm());
>         keyManagerFactory.init(keyStore, getKeyPassword().toCharArray());
> 
>         KeyStore trustStore = KeyStore.getInstance(getTruststoreType());
>         fis = new FileInputStream(getTruststorePath());
>         trustStore.load(fis, getTruststorePassword().toCharArray());
> 
>         TrustManagerFactory trustManagerFactory = TrustManagerFactory
>                 .getInstance(getCertAlgorithm());
>         trustManagerFactory.init(trustStore);
> 
> which also would require the following additional properties to be
> defined:
>     truststorePath  
>     truststorePassword
>     truststoreType
> 
> Thanks.
> 
> --Chuck
> 
> ------------------------------------
> Chuck Hinson
> Gestalt LLC
> phone: 610.994.2833
> IM: chucking24 (Yahoo)
>  

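The split Chuck describes, as an added example that is not Restlet code and not part of the thread: the server identity comes from one store, the trusted client CAs from a second, each store is checked against the "one key entry / only trusted certs" policy before use, and the server socket is told to require a client certificate, which is the part that makes the handshake 2-way. The property names (keystorePath, truststorePath, and so on) mirror the ones proposed in the message and are assumptions, as are the store files they point at; the program needs those two files to exist to run.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not Restlet code): mutual TLS from two separate stores. */
public class TwoWaySslExample {

    /** Loads a JKS/PKCS12 store from disk and closes the stream afterwards. */
    static KeyStore loadStore(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * Policy check: the key store must hold exactly one private-key entry and
     * the trust store must hold only trusted-certificate entries. Returns the
     * list of violations; empty means both stores look right.
     */
    static List<String> checkStores(KeyStore keyStore, KeyStore trustStore)
            throws GeneralSecurityException {
        List<String> problems = new ArrayList<>();
        int keyEntries = 0;
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            if (keyStore.isKeyEntry(e.nextElement())) {
                keyEntries++;
            }
        }
        if (keyEntries != 1) {
            problems.add("key store has " + keyEntries + " key entries, expected exactly 1");
        }
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (trustStore.isKeyEntry(alias)) {
                problems.add("trust store holds a private key under alias '" + alias + "'");
            }
        }
        if (trustStore.size() == 0) {
            problems.add("trust store is empty, so every client certificate would be rejected");
        }
        return problems;
    }

    /** Identity (KeyManager) from the key store, trust (TrustManager) from the trust store. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws GeneralSecurityException {
        // Each factory gets its own default algorithm rather than one shared name.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Reads a required system property; the names are assumptions modelled on the message. */
    static String required(String name) {
        String value = System.getProperty(name);
        if (value == null) {
            throw new IllegalArgumentException("missing -D" + name);
        }
        return value;
    }

    public static void main(String[] args) throws Exception {
        KeyStore keyStore = loadStore(required("keystorePath"), required("keystoreType"),
                required("keystorePassword").toCharArray());
        KeyStore trustStore = loadStore(required("truststorePath"), required("truststoreType"),
                required("truststorePassword").toCharArray());

        List<String> problems = checkStores(keyStore, trustStore);
        if (!problems.isEmpty()) {
            problems.forEach(System.err::println);
            System.exit(1);
        }

        SSLContext ctx = buildContext(keyStore, required("keyPassword").toCharArray(), trustStore);
        try (SSLServerSocket server =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            // This is what makes it 2-way: the handshake fails unless the client
            // presents a certificate that chains to an entry in the trust store.
            server.setNeedClientAuth(true);
            System.out.println("Listening on 8443, client certificate required");
            server.accept().close();
        }
    }
}
```

Run it with the seven -D properties pointing at the two files, e.g. -DkeystorePath=server.jks -DtruststorePath=clients.jks and the matching types and passwords. Two details differ from the snippets in the message on purpose: the streams are closed with try-with-resources, and each factory asks for its own default algorithm instead of sharing getCertAlgorithm(), because on the Sun JDK the defaults are not the same (SunX509 for the KeyManagerFactory, PKIX for the TrustManagerFactory).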