alexouzounis / missing-link

Automatically exported from code.google.com/p/missing-link

HTTPS <keystore> only supports trust stores and is confusing #29

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The HTTPS <keystore> element only supports *trust stores*, not *key stores*. 
This is confusing and looks to have been caused by the JSSE storage object used 
by KeyManagerFactory and TrustManagerFactory being erroneously called KeyStore 
and that faulty abstraction leaking into Missing Link.

We have an HTTPS server that requires both a trust store *and* a key store. We 
will submit a patch soon that:

a) Renames the existing <keystore> element as <truststore>, as that is what it 
is
b) Introduces a new <keystore> element with the same properties - file and 
password, in case keystore and truststore are both used and do not share the 
same password
c) Changes HttpClient under the hood to pass keystore and/or trust store into 
the JSSE SSLContext when establishing an HTTPS connection

Original issue reported on code.google.com by stephens...@googlemail.com on 22 Dec 2011 at 4:58
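
The JSSE wiring that item (c) describes, as an added example (it is not the attached patch or Missing Link's own code): a key store feeds `KeyManagerFactory`, a trust store feeds `TrustManagerFactory`, and either may be absent. The class name, method names and command-line arguments are hypothetical, and the key entry password is assumed to equal the key store password.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class TwoStoreSslContext {

    // Key store and trust store are both java.security.KeyStore objects; only the role differs.
    static KeyStore load(String file, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            store.load(in, password);
        }
        return store;
    }

    // Either store may be null. A null key store means no client certificate is offered;
    // a null trust store falls back to the JRE's default trust anchors.
    static SSLContext build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManager[] keyManagers = null;
        if (keyStore != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyPassword);   // private key + certificate chain: proves who we are
            keyManagers = kmf.getKeyManagers();
        }
        TrustManager[] trustManagers = null;
        if (trustStore != null) {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);              // CA certificates: decides which servers we accept
            trustManagers = tmf.getTrustManagers();
        }
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(keyManagers, trustManagers, null);
        return context;
    }

    // Hypothetical usage: java TwoStoreSslContext [keystore keypass [truststore trustpass]]
    public static void main(String[] args) throws Exception {
        KeyStore keys = args.length >= 2 ? load(args[0], args[1].toCharArray()) : null;
        KeyStore trust = args.length >= 4 ? load(args[2], args[3].toCharArray()) : null;
        SSLContext context = build(keys, keys == null ? null : args[1].toCharArray(), trust);
        System.out.println("SSLContext ready: " + context.getProtocol()
                + ", client cert: " + (keys != null) + ", custom trust: " + (trust != null));
    }
}
```

Run with no arguments, it builds a context with no client certificate and the default trust anchors, which corresponds to using neither element.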

GoogleCodeExporter commented 9 years ago
Attached is a patch for the above. 

After this change is released, existing HTTPS users of Missing Link will need 
to change their <keystore/> to a <truststore/>, as that is what they were doing 
in the first place. :)

Original comment by stephens...@googlemail.com on 22 Dec 2011 at 5:10

GoogleCodeExporter commented 9 years ago
Attached

Original comment by stephens...@googlemail.com on 22 Dec 2011 at 5:10

GoogleCodeExporter commented 9 years ago
Thanks for this, I must have been drinking at the time that I named the XML 
node <keystore>, as you are absolutely correct.

Applying milestone 1.2.0 since it's an incompatibility change; after testing it 
out locally I will publish a 1.2.0 build.

Original comment by alex.she...@gmail.com on 22 Dec 2011 at 5:27

GoogleCodeExporter commented 9 years ago
No worries, it was a JSSE-loving colleague that did most of the heavy lifting 
on this one. If ML 1.2.0 could also include my patch for #26 and my *updated* 
patch for #23, that would be great. Cheers Alex. Steve

Original comment by stephens...@googlemail.com on 22 Dec 2011 at 5:50