Posted to users@camel.apache.org by dm...@gmx.de on 2012/09/02 10:33:43 UTC

Re: XMLSecurity key recovery fails when keystore and key use different passwords

Hi Rich,

Sorry for the delay. And thanks for the patch, that's exactly what I was looking for! I will give that a try soon.

Regards, Dominik

-------- Original Message --------
> Date: Wed, 29 Aug 2012 01:16:41 -0400
> From: Rich Newcomb <ri...@gmail.com>
> To: users@camel.apache.org
> Subject: Re: XMLSecurity key recovery fails when keystore and key use different passwords

> Quick follow-up.  I went ahead and created the patch to enable a
> "keyPassword" to be specified.  In the patch, the key password will only
> be used to retrieve a private key during the unmarshal action.
> 
> For example:
> 
> <unmarshal>
>   <secureXML
>      secureTag="//cheese:cheesesites/italy"
>      secureTagContents="true"
>      xmlCipherAlgorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
>      keyCipherAlgorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
>      recipientKeyAlias="recipient"
>      keyOrTrustStoreParametersId="keyStoreParams"
>      keyPassword="keyPassword"/>
> 
> </unmarshal>
> 
> I'm not sure if the patch will be accepted straight away, but feel free to
> give it a try and provide comments as useful.
> 
> Thanks,
> Rich
> 
> On Tue, Aug 28, 2012 at 10:49 PM, Rich Newcomb
> <ri...@gmail.com> wrote:
> 
> > Hi Dominik,
> >
> > The example you provided is a little bit confusing.  The PUBLIC key of
> > the recipient is applied for asymmetric encryption.  So, there is no need
> > to access a password-protected key when the data is being marshalled.
> > However, the recipient will use a PRIVATE key from a key store to
> > decrypt / unmarshal the message.
> >
> > It is possible that the private key could have a password that is
> > different than the keystore password.  That feature is not currently
> > supported, but in my opinion it should be.
> >
> > I created a ticket for this:
> > https://issues.apache.org/jira/browse/CAMEL-5545
> >
> > I'll try to have a look at this in the next several days.
> >
> > -Rich
> >
> >
> > On Tue, Aug 28, 2012 at 6:18 PM, ychawla
> > <pr...@yahoo.com> wrote:
> >
> >> Hi Dominik,
> >> I think this is the default behavior in Java.  Whenever I work with
> >> keystores, the keystore password must match the key password.
> >>
> >> This could be due to the KeyManagerFactory implementation:
> >>
> >>
> >>
> http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/KeyManagerFactory.html#init%28java.security.KeyStore,%20char[]%29
> >>
> >> It only allows for a single password.
> >>
> >> Thanks,
> >> Yogesh
> >>
> >>
> >>
> >>
> >
> >
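The point Rich makes above (the keystore password only opens the container; the private key entry can carry its own password, and a component that only knows the store password cannot recover it) is easy to reproduce with the plain JDK KeyStore API, independently of Camel. The following is an added example, not code from the Camel project or from the patch in the thread. It assumes a JKS keystore file `recipient.jks` holding an RSA key pair under the alias `recipient`, created with two different passwords, e.g. `keytool -genkeypair -alias recipient -keyalg RSA -keysize 2048 -storetype JKS -keystore recipient.jks -storepass storePassword -keypass keyPassword -dname "CN=recipient"`. Note that keytool only honours a distinct `-keypass` for JKS/JCEKS stores; for PKCS12 stores it warns and reuses the store password for the key, which is one reason the mismatch is rarely noticed. The alias, file name and passwords are placeholders for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;

/*
 * Added example (not part of Apache Camel or of the CAMEL-5545 patch).
 * Assumes recipient.jks was created with keytool using
 *   -storepass storePassword -keypass keyPassword   (hypothetical values)
 * so that the store and the "recipient" key entry have different passwords.
 */
public class KeyRecoveryDemo {

    /**
     * Opens the keystore. The store password only verifies the store's
     * integrity and decrypts the container; it says nothing about whether
     * individual key entries can be recovered.
     */
    static KeyStore loadStore(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /**
     * Recovers the private key for an alias with the password that protects
     * that entry. For JKS this is the password given as -keypass, which may
     * differ from -storepass; a wrong password surfaces as
     * UnrecoverableKeyException("Cannot recover key").
     */
    static PrivateKey recoverPrivateKey(KeyStore ks, String alias, char[] keyPassword)
            throws Exception {
        Key key = ks.getKey(alias, keyPassword);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("alias '" + alias + "' holds no private key");
        }
        return (PrivateKey) key;
    }

    public static void main(String[] args) throws Exception {
        char[] storePassword = "storePassword".toCharArray(); // placeholder
        char[] keyPassword = "keyPassword".toCharArray();     // placeholder
        KeyStore ks = loadStore("recipient.jks", storePassword);

        // What a component that is only configured with the keystore password
        // effectively does when it tries to decrypt: reuse that password for the key.
        try {
            recoverPrivateKey(ks, "recipient", storePassword);
            System.out.println("store password also unlocked the key (passwords are identical)");
        } catch (UnrecoverableKeyException e) {
            // This is the failure behind the thread's subject line.
            System.out.println("store password does not unlock the key entry: " + e.getMessage());
        }

        // With the entry's own password the private key is recovered and can be
        // handed to the XML decryption step.
        PrivateKey privateKey = recoverPrivateKey(ks, "recipient", keyPassword);
        System.out.println("recovered " + privateKey.getAlgorithm()
                + " private key for alias 'recipient'");

        // Scrub password material once it is no longer needed.
        Arrays.fill(storePassword, '\0');
        Arrays.fill(keyPassword, '\0');
    }
}
```

The same single-password limitation Yogesh points to in `KeyManagerFactory.init(KeyStore, char[])` applies here: that call takes only the key password, so a TLS setup that passes the store password works only as long as the two are identical. When a component exposes just one password property, either keep both passwords equal (as keytool does for PKCS12 anyway) or, as the patch does, give the key its own configuration property and use it exclusively for `getKey`.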