EnhReq: Add support for TrustStores in PEM format
-------------------------------------------------
Key: CXF-1085
URL: https://issues.apache.org/jira/browse/CXF-1085
Project: CXF
Issue Type: New Feature
Components: Configuration
Affects Versions: 2.0.2
Reporter: Fred Dushin
Fix For: 2.0.3

Currently, we support config for key and trust stores along the lines of:
{{{
<http:tls(Client|Server)Parameters>
    <sec:keyManagers keyPassword="password">
        <sec:keyStore type="pkcs12" password="password"
                      file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
    </sec:keyManagers>
    <sec:trustManagers>
        <sec:keyStore type="JKS" password="password"
                      file="src/test/java/org/apache/cxf/systest/http/resources/truststore.jks"/>
    </sec:trustManagers>
</http:tls(Client|Server)Parameters>
}}}
I propose a new element [1], sec:pemStore, which can be added to a
sec:trustManagers element [2] (but obviously not a sec:keyManagers element),
along the lines of:
{{{
<http:tls(Client|Server)Parameters>
    <sec:keyManagers keyPassword="password">
        <sec:keyStore type="pkcs12" password="password"
                      file="src/test/java/org/apache/cxf/systest/http/resources/server.p12"/>
    </sec:keyManagers>
    <sec:trustManagers>
        <sec:pemStore
            file="src/test/java/org/apache/cxf/systest/http/resources/truststore.pem"/>
    </sec:trustManagers>
</http:tls(Client|Server)Parameters>
}}}
The sec:pemStore element also supports the url and resource attributes,
analogously to the sec:keyStore element.
The certificates in a pemStore are assumed to be a sequence of catenated X.509
certificates, in PEM format.
Patch to follow shortly.
[1] I'd considered overloading the meaning of the "type" attribute in the
KeyStoreType schema definition, but this is really an abuse of semantics -- the
type attribute really means "keystore encoding".
[2] We use an xs:choice here, to avoid any ambiguity in config