Posted to issues@cxf.apache.org by "Fred Dushin (JIRA)" <ji...@apache.org> on 2007/10/01 23:20:50 UTC
[jira] Created: (CXF-1085) EnhReq: Add support for TrustStores in
PEM format
EnhReq: Add support for TrustStores in PEM format
-------------------------------------------------
Key: CXF-1085
URL: https://issues.apache.org/jira/browse/CXF-1085
Project: CXF
Issue Type: New Feature
Components: Configuration
Affects Versions: 2.0.2
Reporter: Fred Dushin
Fix For: 2.0.3
Currently, we support config for key and trust stores along the lines of:
{{{
<http:tls(Client|Server)Parameters>
  <sec:keyManagers keyPassword="password">
    <sec:keyStore type="pkcs12" password="password"
                  file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
  </sec:keyManagers>
  <sec:trustManagers>
    <sec:keyStore type="JKS" password="password"
                  file="src/test/java/org/apache/cxf/systest/http/resources/truststore.jks"/>
  </sec:trustManagers>
</http:tls(Client|Server)Parameters>
}}}
I propose a new element [1], sec:pemStore, which can be added to a sec:trustManagers element [2] (but obviously not a sec:keyManagers element), along the lines of:
{{{
<http:tls(Client|Server)Parameters>
  <sec:keyManagers keyPassword="password">
    <sec:keyStore type="pkcs12" password="password"
                  file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
  </sec:keyManagers>
  <sec:trustManagers>
    <sec:pemStore
        file="src/test/java/org/apache/cxf/systest/http/resources/truststore.pem"/>
  </sec:trustManagers>
</http:tls(Client|Server)Parameters>
}}}
The sec:pemStore element also supports the url and resource attributes, analogously to the sec:keyStore element.
The certificates in a pemStore are assumed to be a sequence of catenated X.509 certificates, in PEM format.
Patch to follow shortly.
[1] I'd considered overloading the meaning of the "type" attribute in the KeyStoreType schema definition, but this is really an abuse of semantics -- the type attribute really means "keystore encoding".
[2] We use an xs:choice here, to avoid any ambiguity in config
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
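As an added illustration of what the request above implies (this is not the cxf-1085.patch code, and not CXF's API), a file of catenated PEM certificates can be turned into trust anchors with JDK classes alone. The class name `PemTrustStoreExample`, the method `loadPemTrustStore`, the alias scheme and the validity check are assumptions of this sketch; it rejects an empty file and a file that carries private key material, since a PEM store is only meant for sec:trustManagers.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper, not CXF code: turns catenated PEM certificates into trust anchors.
public class PemTrustStoreExample {

    static KeyStore loadPemTrustStore(byte[] pem) throws GeneralSecurityException, IOException {
        String text = new String(pem, StandardCharsets.US_ASCII);
        // A trust store holds public certificates only; key material here is a packaging mistake.
        if (text.contains("PRIVATE KEY-----")) {
            throw new GeneralSecurityException("PEM trust store contains a private key block");
        }
        // generateCertificates() reads every certificate in the stream, not just the first.
        Collection<? extends Certificate> certs = CertificateFactory.getInstance("X.509")
            .generateCertificates(new ByteArrayInputStream(pem));
        if (certs.isEmpty()) {
            // Fail closed instead of building a trust manager with zero anchors.
            throw new GeneralSecurityException("PEM trust store contains no certificates");
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store; no password is involved
        int i = 0;
        for (Certificate c : certs) {
            X509Certificate x509 = (X509Certificate) c;
            x509.checkValidity(); // policy choice of this example: refuse expired anchors
            ks.setCertificateEntry("pem-" + i++, x509);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an empty file and a file carrying a private key block.
        String[] rejected = {"", "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"};
        for (String s : rejected) {
            try {
                loadPemTrustStore(s.getBytes(StandardCharsets.US_ASCII));
            } catch (GeneralSecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        if (args.length == 1) { // optional: path to a real PEM bundle
            KeyStore ks = loadPemTrustStore(Files.readAllBytes(Paths.get(args[0])));
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            System.out.println(ks.size() + " anchors, " + tmf.getTrustManagers().length + " trust manager(s)");
        }
    }
}
```

Run without arguments it exercises only the two constructed rejection cases; pass the path of a PEM bundle to load real anchors.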
[jira] Updated: (CXF-1085) EnhReq: Add support for TrustStores in
PEM format
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1085?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fred Dushin updated CXF-1085:
-----------------------------
Attachment: cxf-1085.patch
The patch adds support for a certStore schema type to configuration, supports the processing of this type, and exercises this code in the existing https system test.
I will add the binary PKCS12 files needed for this patch to this ticket, as well, as I believe the patch does not include them. I'll include relative paths to where these files need to be added.
> EnhReq: Add support for TrustStores in PEM format
> -------------------------------------------------
>
> Key: CXF-1085
> URL: https://issues.apache.org/jira/browse/CXF-1085
> Project: CXF
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.0.2
> Reporter: Fred Dushin
> Fix For: 2.0.3
>
> Attachments: cxf-1085.patch
>
>
> Currently, we support config for key and trust stores along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.jks"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> I propose a new element [1], sec:pemStore, which can be added to a sec:trustManagers element [2] (but obviously not a sec:keyManagers element), along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:pemStore
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.pem"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> The sec:pemStore element also supports the url and resource attributes, analogously to the sec:keyStore element.
> The certificates in a pemStore are assumed to be a sequence of catenated X.509 certificates, in PEM format.
> Patch to follow shortly.
> [1] I'd considered overloading the meaning of the "type" attribute in the KeyStoreType schema definition, but this is really an abuse of semantics -- the type attribute really means "keystore encoding".
> [2] We use an xs:choice here, to avoid any ambiguity in config
[jira] Resolved: (CXF-1085) EnhReq: Add support for TrustStores in
PEM format
Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1085?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp resolved CXF-1085.
------------------------------
Resolution: Fixed
> EnhReq: Add support for TrustStores in PEM format
> -------------------------------------------------
>
> Key: CXF-1085
> URL: https://issues.apache.org/jira/browse/CXF-1085
> Project: CXF
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.0.2
> Reporter: Fred Dushin
> Assignee: Daniel Kulp
> Fix For: 2.0.3
>
> Attachments: Bethal.p12, cxf-1085.patch, Morpit.p12
>
>
> Currently, we support config for key and trust stores along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.jks"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> I propose a new element [1], sec:pemStore, which can be added to a sec:trustManagers element [2] (but obviously not a sec:keyManagers element), along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:certStore
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.pem"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> The sec:pemStore element also supports the url and resource attributes, analogously to the sec:keyStore element.
> The certificates in a pemStore are assumed to be a sequence of catenated X.509 certificates, in PEM format.
> Patch to follow shortly.
> [1] I'd considered overloading the meaning of the "type" attribute in the KeyStoreType schema definition, but this is really an abuse of semantics -- the type attribute really means "keystore encoding".
> [2] We use an xs:choice here, to avoid any ambiguity in config
[jira] Updated: (CXF-1085) EnhReq: Add support for TrustStores in
PEM format
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1085?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fred Dushin updated CXF-1085:
-----------------------------
Attachment: Bethal.p12
Add this binary file to:
.../trunk/systests/src/test/java/org/apache/cxf/systest/http/resources/Bethal.p12
> EnhReq: Add support for TrustStores in PEM format
> -------------------------------------------------
>
> Key: CXF-1085
> URL: https://issues.apache.org/jira/browse/CXF-1085
> Project: CXF
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.0.2
> Reporter: Fred Dushin
> Fix For: 2.0.3
>
> Attachments: Bethal.p12, cxf-1085.patch, Morpit.p12
>
>
> Currently, we support config for key and trust stores along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.jks"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> I propose a new element [1], sec:pemStore, which can be added to a sec:trustManagers element [2] (but obviously not a sec:keyManagers element), along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:pemStore
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.pem"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> The sec:pemStore element also supports the url and resource attributes, analogously to the sec:keyStore element.
> The certificates in a pemStore are assumed to be a sequence of catenated X.509 certificates, in PEM format.
> Patch to follow shortly.
> [1] I'd considered overloading the meaning of the "type" attribute in the KeyStoreType schema definition, but this is really an abuse of semantics -- the type attribute really means "keystore encoding".
> [2] We use an xs:choice here, to avoid any ambiguity in config
[jira] Updated: (CXF-1085) EnhReq: Add support for TrustStores in
PEM format
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1085?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fred Dushin updated CXF-1085:
-----------------------------
Attachment: Morpit.p12
Add this binary file to:
.../trunk/systests/src/test/java/org/apache/cxf/systest/http/resources/Morpit.p12
> EnhReq: Add support for TrustStores in PEM format
> -------------------------------------------------
>
> Key: CXF-1085
> URL: https://issues.apache.org/jira/browse/CXF-1085
> Project: CXF
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.0.2
> Reporter: Fred Dushin
> Fix For: 2.0.3
>
> Attachments: Bethal.p12, cxf-1085.patch, Morpit.p12
>
>
> Currently, we support config for key and trust stores along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.jks"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> I propose a new element [1], sec:pemStore, which can be added to a sec:trustManagers element [2] (but obviously not a sec:keyManagers element), along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:pemStore
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.pem"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> The sec:pemStore element also supports the url and resource attributes, analogously to the sec:keyStore element.
> The certificates in a pemStore are assumed to be a sequence of catenated X.509 certificates, in PEM format.
> Patch to follow shortly.
> [1] I'd considered overloading the meaning of the "type" attribute in the KeyStoreType schema definition, but this is really an abuse of semantics -- the type attribute really means "keystore encoding".
> [2] We use an xs:choice here, to avoid any ambiguity in config
[jira] Updated: (CXF-1085) EnhReq: Add support for TrustStores in
PEM format
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1085?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fred Dushin updated CXF-1085:
-----------------------------
Description:
Currently, we support config for key and trust stores along the lines of:
{{{
<http:tls(Client|Server)Parameters>
  <sec:keyManagers keyPassword="password">
    <sec:keyStore type="pkcs12" password="password"
                  file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
  </sec:keyManagers>
  <sec:trustManagers>
    <sec:keyStore type="JKS" password="password"
                  file="src/test/java/org/apache/cxf/systest/http/resources/truststore.jks"/>
  </sec:trustManagers>
</http:tls(Client|Server)Parameters>
}}}
I propose a new element [1], sec:pemStore, which can be added to a sec:trustManagers element [2] (but obviously not a sec:keyManagers element), along the lines of:
{{{
<http:tls(Client|Server)Parameters>
  <sec:keyManagers keyPassword="password">
    <sec:keyStore type="pkcs12" password="password"
                  file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
  </sec:keyManagers>
  <sec:trustManagers>
    <sec:certStore
        file="src/test/java/org/apache/cxf/systest/http/resources/truststore.pem"/>
  </sec:trustManagers>
</http:tls(Client|Server)Parameters>
}}}
The sec:pemStore element also supports the url and resource attributes, analogously to the sec:keyStore element.
The certificates in a pemStore are assumed to be a sequence of catenated X.509 certificates, in PEM format.
Patch to follow shortly.
[1] I'd considered overloading the meaning of the "type" attribute in the KeyStoreType schema definition, but this is really an abuse of semantics -- the type attribute really means "keystore encoding".
[2] We use an xs:choice here, to avoid any ambiguity in config
was:
Currently, we support config for key and trust stores along the lines of:
{{{
<http:tls(Client|Server)Parameters>
  <sec:keyManagers keyPassword="password">
    <sec:keyStore type="pkcs12" password="password"
                  file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
  </sec:keyManagers>
  <sec:trustManagers>
    <sec:keyStore type="JKS" password="password"
                  file="src/test/java/org/apache/cxf/systest/http/resources/truststore.jks"/>
  </sec:trustManagers>
</http:tls(Client|Server)Parameters>
}}}
I propose a new element [1], sec:pemStore, which can be added to a sec:trustManagers element [2] (but obviously not a sec:keyManagers element), along the lines of:
{{{
<http:tls(Client|Server)Parameters>
  <sec:keyManagers keyPassword="password">
    <sec:keyStore type="pkcs12" password="password"
                  file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
  </sec:keyManagers>
  <sec:trustManagers>
    <sec:pemStore
        file="src/test/java/org/apache/cxf/systest/http/resources/truststore.pem"/>
  </sec:trustManagers>
</http:tls(Client|Server)Parameters>
}}}
The sec:pemStore element also supports the url and resource attributes, analogously to the sec:keyStore element.
The certificates in a pemStore are assumed to be a sequence of catenated X.509 certificates, in PEM format.
Patch to follow shortly.
[1] I'd considered overloading the meaning of the "type" attribute in the KeyStoreType schema definition, but this is really an abuse of semantics -- the type attribute really means "keystore encoding".
[2] We use an xs:choice here, to avoid any ambiguity in config
> EnhReq: Add support for TrustStores in PEM format
> -------------------------------------------------
>
> Key: CXF-1085
> URL: https://issues.apache.org/jira/browse/CXF-1085
> Project: CXF
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.0.2
> Reporter: Fred Dushin
> Fix For: 2.0.3
>
> Attachments: Bethal.p12, cxf-1085.patch, Morpit.p12
>
>
> Currently, we support config for key and trust stores along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.jks"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> I propose a new element [1], sec:pemStore, which can be added to a sec:trustManagers element [2] (but obviously not a sec:keyManagers element), along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:certStore
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.pem"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> The sec:pemStore element also supports the url and resource attributes, analogously to the sec:keyStore element.
> The certificates in a pemStore are assumed to be a sequence of catenated X.509 certificates, in PEM format.
> Patch to follow shortly.
> [1] I'd considered overloading the meaning of the "type" attribute in the KeyStoreType schema definition, but this is really an abuse of semantics -- the type attribute really means "keystore encoding".
> [2] We use an xs:choice here, to avoid any ambiguity in config
[jira] Assigned: (CXF-1085) EnhReq: Add support for TrustStores in
PEM format
Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1085?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp reassigned CXF-1085:
--------------------------------
Assignee: Daniel Kulp
> EnhReq: Add support for TrustStores in PEM format
> -------------------------------------------------
>
> Key: CXF-1085
> URL: https://issues.apache.org/jira/browse/CXF-1085
> Project: CXF
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 2.0.2
> Reporter: Fred Dushin
> Assignee: Daniel Kulp
> Fix For: 2.0.3
>
> Attachments: Bethal.p12, cxf-1085.patch, Morpit.p12
>
>
> Currently, we support config for key and trust stores along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.jks"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> I propose a new element [1], sec:pemStore, which can be added to a sec:trustManagers element [2] (but obviously not a sec:keyManagers element), along the lines of:
> {{{
> <http:tls(Client|Server)Parameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="pkcs12" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:certStore
> file="src/test/java/org/apache/cxf/systest/http/resources/truststore.pem"/>
> </sec:trustManagers>
> </http:tls(Client|Server)Parameters>
> }}}
> The sec:pemStore element also supports the url and resource attributes, analogously to the sec:keyStore element.
> The certificates in a pemStore are assumed to be a sequence of catenated X.509 certificates, in PEM format.
> Patch to follow shortly.
> [1] I'd considered overloading the meaning of the "type" attribute in the KeyStoreType schema definition, but this is really an abuse of semantics -- the type attribute really means "keystore encoding".
> [2] We use an xs:choice here, to avoid any ambiguity in config