Hi Bruno, [...]
> 1. I can't find which properties need to be used for setting the > keystores and truststores used by the clients. Did I miss something? > I've had to use -Djavax.net.ssl.keyStore, and similar VM parameters. No those parameters are indeed missing :-/ > 2. As Chuck Hinson pointed out as part of Issue 281, keystore and > truststore should be separate. Could we add "truststore*" parameters? If they are not present, we could fall back on current behavior, reusing matching "keystore*" parameters. > 3. The implementation that uses the keystore seem to rely on the fact > that these keystores are always files (at least in the Jetty > and Grizzly > helpers, the Simple helper can handle a null keystorePath). However, > this is not always true. Some keystores are not file-based: PKCS#11 > tokens and the Apple KeychainStore. OK. To be honest, I wasn't aware of this subtelety :) Would it be hard to provide support for configuring these additional keystore types? > 4. There doesn't seem to be a provider parameter for a given > keystore. > This could be useful, if someone would like to use > KeyStore.getInstance(type,provider), in particular for PKCS#11. OK > I'd be interested in seeing these issues fixed, and I could > have a go at > it. The way I'm thinking of doing it would be to create more > parameters: > serverKeystorePath, serverKeystoreProvider, serverKeystoreType, > serverKeystorePassword, serverKeyPassword, serverTruststorePath, > serverTruststoreProvider, serverTruststoreType, > serverTruststorePassword, serverCertAlgorithm + another set > of these for > client*. Sure, that sounds good. Would be keep the current parameters in case we want to use the same stores for both client and server certificates? > I could see some more complex scenarios where it would be > useful to have > a CallbackHandler to input the password (especially on the > client side), but... one thing at a time. Yes, let's consider this as a separate issue, it may have broader impact on the Restlet API we need to consider. > Does this make sense? Should I try to address these problems? Any > suggestions? Please go ahead, you seem to have a good handle on this sensitive topic! Best regards, Jerome
