smolnar82 commented on code in PR #1221:
URL: https://github.com/apache/knox/pull/1221#discussion_r3193733097


##########
gateway-service-metadata/src/main/java/org/apache/knox/gateway/service/metadata/KnoxMetadataResource.java:
##########
@@ -208,6 +212,17 @@ private void generateCertificateJks(Certificate[] 
certificateChain, GatewayConfi
     }
   }
 
+  private void generateCertificateBcfks(Certificate[] certificateChain, 
GatewayConfig gatewayConfig) {
+    try {
+      if (bcfksFilePath == null || !bcfksFilePath.toFile().exists()) {
+        bcfksFilePath = Paths.get(gatewayConfig.getGatewaySecurityDir(), 
"gateway-client-trust.bcfks");
+        X509CertificateUtil.writeCertificatesToKeyStore(certificateChain, 
bcfksFilePath.toFile(), "bcfks", null);
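
Review bot: The last argument to `writeCertificatesToKeyStore` in `generateCertificateBcfks` is `null`, which lands in the `keystorePassword` parameter, so this hunk does not show what password, if any, protects `gateway-client-trust.bcfks`. Please pass the password explicitly or add a comment stating what a null password resolves to, so that consumers of the file know how to open it and verify its integrity.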

Review Comment:
   nit: if we had that `writeCertificateToBcfks` I referred to above, we could use 
it here.



##########
gateway-server/src/main/java/org/apache/knox/gateway/util/KnoxCLI.java:
##########
@@ -808,6 +808,9 @@ public void execute() throws Exception {
           } else if ("PKCS12".equalsIgnoreCase(type)) {
             X509CertificateUtil.writeCertificateToPkcs12(cert, new 
File(keyStoreDir + "gateway-client-trust.pkcs12"));
             out.println("Certificate gateway-identity has been successfully 
exported to: " + keyStoreDir + "gateway-client-trust.pkcs12");
+          } else if ("BCFKS".equalsIgnoreCase(type)) {
+            X509CertificateUtil.writeCertificatesToKeyStore(new Certificate[] 
{ cert }, new File(keyStoreDir + "gateway-client-trust.bcfks"), "bcfks", null);
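
Review bot: The file name `"gateway-client-trust.bcfks"` and the type string `"bcfks"` in the new `BCFKS` branch are written as literals, and the same two literals also appear in `KnoxMetadataResource.generateCertificateBcfks`. Consider defining them once as shared constants so the CLI export and the metadata resource cannot drift apart.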

Review Comment:
   nit: there are some type-based methods in 
`org.apache.knox.gateway.util.X509CertificateUtil` such as 
`writeCertificateToJks`, etc. 
   To follow the same pattern we may want to add a new one for BCFKS too.



##########
gateway-util-common/src/main/java/org/apache/knox/gateway/util/X509CertificateUtil.java:
##########
@@ -172,7 +172,7 @@ private static void writeCertificateToKeyStore(Certificate 
cert, final File file
   /*
    * Writes an arbitrary number of certificates into the given keystore file 
protected by the given password
    */
-  private static void writeCertificatesToKeyStore(Certificate[] certs, final 
File file, String type, String keystorePassword)
+  public static void writeCertificatesToKeyStore(Certificate[] certs, final 
File file, String type, String keystorePassword)
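
Review bot: Widening `writeCertificatesToKeyStore` to `public` makes it part of the utility's API, but the comment above it is still a plain `/* ... */` block rather than Javadoc. If it stays public, convert the comment to Javadoc and document the accepted `type` values and whether `keystorePassword` may be `null`, since both new callers pass `null`.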

Review Comment:
   nit: this could remain `private`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
